Posted by: Robert Davis
Accountability, Acquire and Implement, Adaptive Systems, Asset Management, Assurance Services, Availability Management, COBIT, COBIT Domains, Control Environment, Control Objectives, Control Objectives for Information and related Technology, Deliver and Support, Due Diligence, Fiduciary Responsibility, Framework, Information Assets Protection, Information Security Governance, Information Security Management, ISG, Key Performance Indicators, Monitor and Evaluate, Performance Measurement, Plan and Organize, Risk Management, Strategic Alignment, Value Delivery
1.3 Entity Employees
“The first line of defense from insider threats is the employees themselves.” – Software Engineering Institute (SEI)
Stakeholders expect managerial personnel to run the entity in accordance with accepted business practices while maintaining compliance with applicable laws and regulations. Management should establish an appropriate tone and communicate it throughout the entity, including explicit moral guidance on expected behavior. For information assets protection (IAP), the onus resides with the entity to take adequate precautions when employing individuals and to ensure that, regardless of motive, individuals are reasonably prevented from abusing IT resources.