eBook excerpt: Assuring Information Security – Part IV

Usually, a formal ISG program is required to promote information assets safeguarding.  ISG programs should ensure the Control Objectives for Information and related Technology (COBIT) framework confidentiality, integrity, availability, compliance, and reliability information criteria are not compromised through gaps in controls.  Therefore, the information security program and associated systems, processes and activities need to be regularly assessed for quality and compliance with defined requirements.  Monitoring and evaluating information security drives assurances provided or obtained through due care and due diligence as well as enables managerial fiduciary oversight expectations fulfillment.

Whether ISG is considered a distinct governance classification supporting entity governance or a subset of information technology governance (ITG), safeguarding IT normally mandates addressing responsibilities separation and ‘protection-of-information-assets’ to ensure managerial due diligence.  Typically, safeguarding information assets translates into ensuring resources are acquired, utilized and disposed of in accordance with proper procedures and approvals.  If ISG is misaligned with entity-governance and ITG; financial, legal, operational and reputational risks can escalate beyond demarcated tolerance levels.  In fact, a functional entity’s very existence may be dependent on how well it safeguards assets utilized in achieving the adopted organizational mission.