Oversight is the critical governance function provided by top management relating to information protection and it is fundamental to proper operation of a protection program. It is the job of oversight to assure that proper duties to protect are put in place, that the management measures the effectiveness of the protection program in fulfilling those duties, and that management adapts the protection program to meet those duties.
Laws: Laws and regulations define the legally mandated duties to protect associated with jurisdictions. All laws of all jurisdictions in which an enterprise operates have to be considered in order to make prudent determinations as to duty to protect.
Owners: The owners are the ones hurt by bad management decisions and they need to assure that their investment is not lost by electing proper boards of directors. For public companies there are regulatory assurances to support the public owners so that they don't have to get involved in the details of selections in order to reasonably protect their investments, but this lack of direct control by owners is often reflected in the frauds we see in the world. Owners of privately held firms are directly responsible for the disposition of their assets and for proper protection and they directly suffer from poor decisions in this regard.
Board:The board of directors is legally and morally responsible to assure that the CEO and other officers are doing their jobs and have the ability to define additional duties to protect in keeping with their responsibilities. They also have oversight responsibility to act on behalf of the shareholders to assure that the shareholder value is protected.
Auditors:Auditors are tasked with providing independent and objective feedback to the shareholders, board of directors, CEO, and others on the effectiveness of the protection program in fulfilling the duties to protect within the risk tolerance parameters set by management.
CEO: The CEO is responsible for day-to-day control over the enterprise and as part and parcel of this responsibility, for protecting shareholder value, for identifying the duties to protect, for assuring that those duties are carried out, and for measuring the performance of those duties to allow adequate control to improve situations that warrant improvement and keep costs as low as possible without undertaking inappropriate levels of risk.
In concert these elements comprise the oversight function of the enterprise information protection.