IT Governance, Risk, and Compliance


April 14, 2013  2:49 AM

Revisiting the Safeguarding of Information Assets – Part VII



Posted by: Robert Davis
Information Assets Protection, Information Security, Information Security Governance, Information Security Management, IT Controls, Security Frameworks

Generally, determining an entity’s legal mandates exceeds the security function’s ambit. Nonetheless, overseeing the composition, implementation and evaluation of legally required controls is an occupational security imperative. To reduce the potential negative effects of cross-compliance and multiple-compliance, management should seek assurance that the relevant statutory, regulatory, and contractual requirements are adequately defined and documented for each information system. As suggested in Enterprise Security: The Struggle to Manage Security Compliance for Multiple Regulations, although SOX, HIPAA, GLBA, and PIPEDA are prominent managerial legal topics, they are not the only mandates compelling entities to demonstrate compliance.

Source

Commission on Guidelines. Information Asset Protection Guideline. Alexandria, VA: ASIS International, 2007. http://www.asisonline.org/guidelines/guidelinesinfoassetsfinal.pdf (accessed April 21, 2008).

Hurley, Jim. Enterprise Security: The Struggle to Manage Security Compliance for Multiple Regulations. Cupertino, CA: Symantec Corporation, 2004.

April 11, 2013  8:24 PM

Revisiting the Safeguarding of Information Assets – Part VI



Posted by: Robert Davis
Information Assets Protection, Information Security, Information Security Governance, Information Security Management, IT Controls, Security Frameworks

Regulatory agencies are generally designed to operate with minimum executive or legislative supervision. Theoretically, a commission of experts is more suitable for regulating an industry’s activities than legislative or executive oversight committees. Usually, regulatory agencies are empowered with executive, legislative, and judicial functions, and their regulations have the force of law.

Simultaneous compliance with multiple legal mandates can create unique challenges for most entities. Potential compliance hurdles include distinct internal management groups pursuing equivalent goals; diverse audit perspectives, priorities, and requirements; and confusion resulting from redundant controls. For instance, cross-compliance with the Foreign Corrupt Practices Act (FCPA), Sarbanes-Oxley Act (SOX), Health Insurance Portability and Accountability Act (HIPAA), and Gramm-Leach-Bliley Act (GLBA) may generate muddled responses regarding the importance of certain security controls for a U.S.-based ‘publicly held’ corporate conglomerate.


April 6, 2013  10:43 PM

Revisiting the Safeguarding of Information Assets – Part V



Posted by: Robert Davis
Information Assets Protection, Information Security, Information Security Governance, Information Security Management, IT Controls, Security Frameworks

Categorically, security implies protection while privacy implies confidentiality. Laws and regulations have been enacted throughout the world addressing either or both areas, as well as intellectual property and contracts. Compliance with laws and regulations is considered essential to avoid legal prosecution risks that may impose various penalties and fines if an employee or organizational formation is convicted of breaching proclaimed unacceptable behavior. For most entities, this means systematizing standard practices that cover the regulatory spectrum and decreasing legal compliance complexity.

Source

Davis, Robert E. IT Auditing: An Adaptive Process. Mission Viejo, CA: Pleier Corporation, 2005. CD-ROM.

Ross, Ron, Stu Katzke, Arnold Johnson, Marianne Swanson, Rogers George, and Gary Stoneburner. NIST Special Publication 800-53: Recommended Security Controls for Federal Information Systems. Rev. ed. Washington, DC: Government Printing Office, 2007. http://csrc.nist.gov/publications/nistpubs/800-53-Rev2/sp800-53-rev2-final.pdf (accessed April 21, 2008).


April 4, 2013  2:48 PM

Revisiting the Safeguarding of Information Assets – Part IV



Posted by: Robert Davis
Information Assets Protection, Information Security, Information Security Governance, Information Security Management, IT Controls, Security Frameworks

An entity’s management should, and in several countries does, have a legal responsibility to implement an adequate internal control system for preventing, detecting, and conditionally correcting errors, mistakes, omissions, irregularities and illegal acts. Similar to the legal requirement for maintaining a ‘system of internal accounting controls,’ some technology-related laws and regulations only address the system of privacy controls for specific information assets, thereby leaving other information security control systems at management’s discretion.

Source

Davis, Robert E. IT Auditing: Irregular and Illegal Acts. Mission Viejo, CA: Pleier Corporation, 2006. CD-ROM.


March 30, 2013  6:39 PM

Revisiting the Safeguarding of Information Assets – Part III



Posted by: Robert Davis
Information Assets Protection, Information Security, Information Security Governance, Information Security Management, IT Controls, Security Frameworks

IT safeguarding has generated considerable debate within the audit and management communities since the deployment of computers for transaction processing. Specifically, the merits of IT auditor involvement in financial statement audits and management’s fiduciary ISG responsibilities have consistently polarized opinion when government-enacted legal mandates affecting entity-centric financial control requirements are the basis for positively asserting design and/or operational effectiveness.

IT controls should be immersed throughout an entity’s adopted ISG framework. Descriptively, structural IT control envelops all the means utilized by an entity to direct, restrain, govern and monitor its various activities. Therefore, designing IAP IT control objectives reflecting compliance with laws and regulations should be a generally accepted management responsibility. Furthermore, leveraging technology controls to support ISG compliance should also be an accepted management practice.


March 28, 2013  9:41 PM

Revisiting the Safeguarding of Information Assets – Part II



Posted by: Robert Davis
Information Assets Protection, Information Security, Information Security Governance, Information Security Management, IT Controls, Security Frameworks

Considering fiduciary tenets, and accepting that ISG utilizes a top-down approach for legal requirements compliance, if the entity’s executive management has an established or enforceable fiduciary duty, then organizational personnel are expected to adhere to and sustain the defined obligation. Consequently, employees are primarily controlled through policies and procedures that support compliance with laws and regulations. Employees who value compliance usually hold honesty and integrity as desirable personal traits or fear noncompliance repercussions. However, if an entity’s culture continually encourages or accepts objective achievement over ethical behavior, legal dilemmas eventually ensue that can damage reputations as well as create financial losses. Therefore, an entity’s management should implement technology-related control self-assessment procedures that assure adherence to legal obligations.


March 23, 2013  5:34 PM

Revisiting the Safeguarding of Information Assets – Part I



Posted by: Robert Davis
Information Assets Protection, Information Security, Information Security Governance, Information Security Management, IT Controls, Security Frameworks

Information Security Governance (ISG) normally addresses creating and implementing a ‘system of security controls’ that enables fulfillment of ethical and/or legal managerial responsibilities for information assets protection (IAP). Ethically, management must protect an entity’s information assets from potential external and internal threats that may compromise confidentiality, integrity, and availability (C-I-A) in order to preserve organization, presentation, and utilization value. Legally, within an entity’s information security control system, explicitly or implicitly, management as a fiduciary agent is responsible and accountable for deploying the controls mandated by laws and regulations that prevent, deter, detect and/or correct privacy breaches. Furthermore, laws and regulations may also mandate that C-I-A requirements be implemented within an entity, with corresponding managerial fiduciary responsibilities and accountabilities.

Source

Brotby, Krag W. Information Security Governance: Guidance for Boards of Directors and Executive Management. 2nd ed. Rolling Meadows, IL: IT Governance Institute, 2006. http://www.isaca.org/ContentManagement/ContentDisplay.cfm?ContentID=34997 (accessed April 21, 2008).


March 21, 2013  1:02 AM

Risk Management: Is it just another set of business buzzwords? – Part VIII



Posted by: Robert Davis
Administrative Control, Asset Management, Business Continuity, Continuity Management, Crisis Management, Decision Making, Due Care, Due Diligence, Enterprise Governance, Event Management, Incident Management, Information Technology, IT, IT Management, Management Information System, Operating Style, Risk Management, Threat Management

IT policies, directives, standards, procedures, and rules should be deployed based on their assessed effectiveness and efficiency in addressing management’s risk appetite. Deployed controlling and monitoring activities should reflect management’s strategy for ensuring an adequate IT control system. IT control policies and directives can be considered high-level governance documentation, while standards, procedures, and rules can be considered detail-level governance documentation. Normally, oversight committees and executive management utilize high-level governance documents to provide general control direction; lower-level management then converts high-level governance documents into detail-level IT governance documents that assist in ensuring control objective achievement. Developing and implementing effective and efficient IT governance design can be a multidirectional, interactive, iterative, and adaptive process.

Source

Davis, Robert E. (2011). Assuring IT Governance. Available from http://www.amazon.com/Assuring-Governance-Assurance-Services-ebook/dp/B0058P58E0 and http://www.smashwords.com/books/view/70359

Davis, Robert E. (2006). IT Auditing: IT Governance. Mission Viejo: Pleier. CD-ROM.


March 16, 2013  3:40 PM

Risk Management: Is it just another set of business buzzwords? – Part VII



Posted by: Robert Davis
Administrative Control, Asset Management, Business Continuity, Continuity Management, Crisis Management, Decision Making, Due Care, Due Diligence, Enterprise Governance, Event Management, Incident Management, Information Technology, IT, IT Management, Management Information System, Operating Style, Risk Management, Threat Management

Management should establish standards as baselines for measuring quantity, weight, extent, value, or quality. Standards can be considered specific goals or objectives against which performance is compared. Selection of the points where performance will be measured is critical to effective standards. Employee accountability affects responsibility for meeting standards. Consequently, responsibility for a standard should be directly correlated to activity responsibility. Without accountability, standards become ineffective measurement tools.

Procedures establish methods for accomplishing an activity, through specific performance, while simultaneously complying with prescribed policies. Prior to determining procedures, processes should be identified and classified to determine control objective impact. In order to create an adequate IT governance framework, management must understand and document operational procedures.

Rules are specific and detailed guides that confine and restrict behavior. Comparatively, rules are the simplest operational plan. A rule requires a specific action to be taken regarding a given situation. For example, “This building is a smoke free environment. Violators will be dismissed without exception.”

Source

Davis, Robert E. (2011). Assuring IT Governance. Available from http://www.amazon.com/Assuring-Governance-Assurance-Services-ebook/dp/B0058P58E0 and http://www.smashwords.com/books/view/70359

Davis, Robert E. (2006). IT Auditing: IT Governance. Mission Viejo: Pleier. CD-ROM.


March 14, 2013  1:10 AM

Risk Management: Is it just another set of business buzzwords? – Part VI



Posted by: Robert Davis
Administrative Control, Asset Management, Business Continuity, Continuity Management, Crisis Management, Decision Making, Due Care, Due Diligence, Enterprise Governance, Event Management, Incident Management, Information Technology, IT, IT Management, Management Information System, Operating Style, Risk Management, Threat Management

Controlling and monitoring activities attempting to ensure acceptable risk responses include:

  • Policies
  • Directives
  • Standards
  • Procedures
  • Rules

Strategically, policies are definite courses or methods of action selected by management from alternatives, considering the environment, to guide as well as determine present and future decisions. For example, an entity’s IT governance-related policy may require that IT management obtain signed Service Level Agreements (SLAs) for all deployed systems.

Directives serve or intend to guide, govern, or influence actions or goals. Furthermore, directives should be considered orders or instructions. When activated, entity proxy directives can be interpreted as conveying fiduciary requirements to the assignee. Internal or external central authorities, as well as individuals, may issue directives. For example, an external aviation agency may direct aircraft operators to carefully inspect a particular airplane wing. Internally, directives are usually documented in memorandums and reflect matters requiring immediate attention. Directives should receive the same due diligence as policies and procedures.

Source

Davis, Robert E. (2011). Assuring IT Governance. Available from http://www.amazon.com/Assuring-Governance-Assurance-Services-ebook/dp/B0058P58E0 and http://www.smashwords.com/books/view/70359

Davis, Robert E. (2006). IT Auditing: IT Governance. Mission Viejo: Pleier. CD-ROM.