Managerial Primer for Assuring Information Security

Overview:

Most entities actively seek to maximize stakeholder return on investment and to foster superior customer relations in order to justify their continued existence. Because information technologies are considered indispensable to providing processing efficiency, communication expediency and information reliability for stakeholders and customers, entities need to adequately safeguard information assets, which have measurable value. To meet this security necessity, management normally needs a governance framework that enables organizational alignment, judicious resource allotment, risk management, value delivery and performance measurement.

Instituting and/or sustaining information security governance (ISG) requires comprehensive planning and organizing; robust acquisition and implementation; effective delivery and support; as well as continuous monitoring and evaluation to address the myriad managerial, operational and technical issues that can thwart an entity’s mission. Consequently, “information security requires a balance between sound management and applied technology.” Sound management enables adequate asset safeguarding, while applied technology can introduce efficiencies for addressing potential external or internal threats. Planning and organizing are imperative to managerial cohesiveness. ISG usually occurs at different organizational strata: team leaders report to and receive direction from their managers, managers report up to an executive, and the highest-level executive confers with and receives direction from the entity’s oversight committee. Information that indicates deviation from targets will usually include recommendations for action requiring endorsement by the entity’s oversight layer. Clearly, this approach is ineffective unless strategies, objectives and goals have first been developed and deployed within the entity’s organizational structure.

Acquisition and implementation are necessary for adequate information security. To realize the information security strategy, information security solutions need to be identified, developed or acquired, then implemented and integrated seamlessly into business and IT processes. During an information security product or service acquisition and implementation cycle, changes and maintenance may be required to sustain service quality for the affected systems or processes. Within an entity’s organizational structure, acceptable service delivery necessitates an effective support system. Information security service delivery and support may range from deploying operational protection to crisis response training. Assessing changes to, and maintenance of, existing systems is a critical security service component contributing to value delivery. Required information protection changes and maintenance can be triggered by problems encountered by users or by deliberate attacks on the established information security architecture.

Usually, a formal ISG program is required to promote the safeguarding of information assets. ISG programs should ensure that the confidentiality, integrity, availability, compliance and reliability information criteria of the Control Objectives for Information and related Technology (COBIT) framework are not compromised through gaps in controls. Therefore, the information security program and its associated systems, processes and activities need to be regularly assessed for quality and for compliance with defined requirements. Monitoring and evaluating information security underpins the assurances provided or obtained through due care and due diligence, and enables management to fulfill its fiduciary oversight expectations. Whether ISG is considered a distinct governance classification supporting entity governance or a subset of information technology governance (ITG), safeguarding IT normally mandates addressing separation of responsibilities and ‘protection-of-information-assets’ to ensure managerial due diligence. Typically, safeguarding information assets translates into ensuring resources are acquired, utilized and disposed of in accordance with proper procedures and approvals. If ISG is misaligned with entity governance and ITG, financial, legal, operational and reputational risks can escalate beyond demarcated tolerance levels. In fact, a functional entity’s very existence may depend on how well it safeguards the assets utilized in achieving its adopted organizational mission.

Why Should You Attend: Information and associated technologies continue to advance toward diverse distributed configuration environments for entering, processing, storing and retrieving data. The magnitude of these changes can be clearly seen in the explosion of linked IT infrastructures connected to cloud computing service providers and mobile computing devices. Consequently, such decentralization has increased the need for effective safeguarding of information assets.

Paraphrasing Title 44, Chapter 35, Subchapter III, Section 3542(b)(1) of the United States Code, the term “information security” means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction. Correspondingly, information security is typically a complex and dynamic safeguarding subject. Given the attributes normally associated with information security, IT auditors usually have a vast array of sub-topics to consider when performing information assets protection (IAP) related audits, reviews, or agreed-upon procedures.

Information security design, deployment and assurance require dedication to continuous improvement to ensure optimum effectiveness and efficiency. Confirmation of compliance with legislation, regulations, policies, directives, procedures, standards and rules enables asserting ‘superior’ ISG. Monitoring and evaluating the current state of implemented controls may take a variety of forms, including control self-assessments and IT audits. An IT auditor may not be the individual who executes an entity’s information security internal control review (ICR); however, an IT auditor may subsequently assess an ICR for effectiveness and/or efficiency. In the regulatory arena, a negative finding coupled with prompt corrective action can mitigate civil and criminal enforcement penalties, thereby potentially reducing or avoiding legal risks.

Areas Covered in the Session:

  • Forces impacting information security governance.
  • Principles and practices for performing information security audits.
  • Sound strategic and tactical information risk considerations.
  • Three tiers of enterprise governance are examined in terms of their:
    • Content
    • Meaning
    • Implementation factors
    • Responsibilities

Who Will Benefit:

  • Audit Committee Members
  • Risk Management Managers
  • External Auditors
  • Internal Auditors
  • Chief Executive Officers
  • Chief Information Officers
  • Compliance Managers
  • Chief Information Security Officers
  • Information Technology professionals
  • Control Self-Assessment personnel

Speaker Profile

Prof. Robert E. Davis, MBA, CISA, CICA (an invited Golden Key International Honour Society member) obtained a Bachelor of Business Administration degree in Accounting and Business Law and a Master of Business Administration degree in Management Information Systems from Temple University and West Chester University, respectively. In addition, during his twenty years of involvement in education, Robert acquired Postgraduate and Professional Technical licenses in Computer Science and Computer Systems Technology. Robert also obtained the Certified Information Systems Auditor (CISA) certificate after passing the Information Systems Audit and Control Association’s rigorous 1988 examination of three hundred and fifty multiple-choice questions, and was conferred the Certified Internal Controls Auditor (CICA) certificate by the Institute for Internal Controls. Currently, Robert is a Doctor of Business Administration student specializing in Information Systems Management at Walden University.
Compliance4All
Adam Fleaming
Phone: +1-800-447-9407
support@compliance4all.com