Posted by: Robert Davis
Accountability, Acquire and Implement, Asset Management, Availability Management, COBIT Domains, Control Objectives for Information and related Technology, Deliver and Support, Due Diligence, Fiduciary Responsibility, Framework, Information Assets Protection, Information Security Governance, Information Security Management, ISG, Key Performance Indicators, Monitor and Evaluate, Plan and Organize, Risk Management, Security Frameworks, Value Delivery
Instituting and/or sustaining ISG requires comprehensive planning and organizing; robust acquisition and implementation; effective delivery and support; and continuous monitoring and evaluation to address the myriad managerial, operational, and technical issues that can prevent an entity from fulfilling its mission. Consequently, “[i]nformation security requires a balance between sound management and applied technology.” Sound management makes it possible to assure adequate safeguarding of assets, while applied technology can introduce efficiencies in addressing potential external or internal threats.
Planning and organizing are imperative to managerial cohesiveness. ISG usually occurs at different organizational strata: team leaders report to and receive direction from their managers, managers report up to an executive, and the highest-level executive confers with and receives direction from the entity’s oversight committee. Information that indicates deviation from targets will usually include recommendations for action requiring endorsement by the entity’s oversight layer. Clearly, this approach is ineffective unless strategies, objectives, and goals have first been developed and deployed within the entity’s organizational structure.