IT Governance, Risk, and Compliance


May 25, 2013  11:51 PM

Revisiting the Safeguarding of Information Assets – Part XIX



Posted by: Robert Davis
Information Assets Protection, Information Security, Information Security Governance, Information Security Management, IT Controls, Security Frameworks

Since contracts, transactions and disputes relating to information assets can involve parties, actions and evidence in multiple distinct jurisdictions, it may be advantageous for entities to clarify existing rules or presumptions regarding the laws pertinent to IAP.  Additionally, assuming disputes related to IAP may involve complex factual situations as well as parties — with actions and evidence that can span multiple jurisdictions — it may be necessary to develop non-judicial means, including arbitration, for resolving issues.

Source:

Gelbstein, Ed and Jovan Kurbalija. Internet Governance: Issues, Actors and Divides. Geneva: DiploFoundation and Global Knowledge Partnership, 2005. http://textus.diplomacy.edu/textusbin/env/scripts/Pool/GetBin.asp?IDPool=641 (accessed April 21, 2008).

May 25, 2013  11:43 PM

Revisiting the Safeguarding of Information Assets – Part XVIII



Posted by: Robert Davis

Intellectual property laws address something produced by the mind, of which the ownership or right to usage is legally protected. Intellectual property can denote knowledge-based assets as well as capital, including information or data that can result in intellectual capital extending to ideas, designs and innovations howsoever expressed or recorded. Intellectual capital is designated intangible for such items as product innovation, customer loyalty, employee morale, patents and trademarks.

Source:

Allen, Steve. Safeguarding Proprietary Information the Protection of Intangible Assets. Business Defence Europe, Summer 2001.

Commission on Guidelines. Information Asset Protection Guideline. Alexandria, VA: ASIS International, 2007.  http://www.asisonline.org/guidelines/guidelinesinfoassetsfinal.pdf (accessed April 21, 2008).


May 20, 2013  12:56 AM

Revisiting the Safeguarding of Information Assets – Part XVII



Posted by: Robert Davis

Data privacy laws dictate adherence to trusts and obligations associated with any information connected to an identified or identifiable data subject. Personal data privacy generally refers to information that can be associated with a specific individual, or that has identifying characteristics that might be combined with other information or data to identify a specific individual. Sensitive personal data may include items classified as individual preferences, habits, racial or ethnic origin as well as financial or medical condition.

Source:

ISACA. “Privacy.” In Information Systems Standards, Guidelines, and Procedures for Auditing and Control Professionals. Rolling Meadows, IL: ISACA, September 2005. http://www.isaca.org/AMTemplate.cfm?Section=Standards2&Template=/ContentManagement/ContentDisplay.cfm&ContentID=40571 (accessed May 3, 2008).

Shackelford, Kerry. “eSAC: Privacy Principles.” ITAudit, July 1, 2002. http://www.theiia.org/ITAuditArchive/index.cfm?act=ITAudit.archive&fid=464 (accessed April 22, 2008).


May 17, 2013  1:49 AM

Revisiting the Safeguarding of Information Assets – Part XVI



Posted by: Robert Davis

Security laws can decree the required degree of protection for property, usually based on governmental interest. Specifically, information security laws may outline control measures to prevent unauthorized access to devices that process sensitive data. Inclusively, directed data control measures can encompass peripheral equipment considered important for compliant protection. Consequently, IT resources should be integrated with an approach that repels potential compromises in applicable data treatment edicts for the defined subject matter.


May 12, 2013  4:48 PM

Revisiting the Safeguarding of Information Assets – Part XV



Posted by: Robert Davis

Information systems may be of a public or private nature, and contain elements protected by various data security, data privacy, or intellectual property laws. Property classification into public and private categories is based on ownership. If the property is owned by the government or a political division thereof, it is typically classed as public property; however if the property is owned by an individual, a group of individuals, a corporation, or some other business association, it is normally classified as private property. Property type impacts due care expectations and legal requirements.


May 9, 2013  9:41 PM

Revisiting the Safeguarding of Information Assets – Part XIV



Posted by: Robert Davis

Information systems related due care dictates appropriate data security due diligence activities. Interpretively, an entity’s information systems should represent resources committed to collecting data, processing transactions, and communicating operational results within defined legal limits. An entity’s management, through deployed governance, “must ensure due diligence is exercised by all individuals involved in the management, use, design, development, maintenance or operation of information systems.” Therefore, managerial due care and due diligence enable compliance with IAP legal requirements. Managerial due care addresses responsibility for activities, whereas due diligence includes continuously promoting compliance. For instance, IAP legal compliance procedures should be set by top management and continually promoted by example.

Source:

Davis, Robert E. IT Auditing: IT Governance. Mission Viejo, CA: Pleier Corporation, 2006. CD-ROM.

ISACF. Framework. In COBIT: Governance, Control and Audit and Related Technology. 3rd ed. Rolling Meadows, IL: ISACF, 2000.


May 5, 2013  7:14 PM

Revisiting the Safeguarding of Information Assets – Part XIII



Posted by: Robert Davis

Prescriptively, utilizing security, privacy and intellectual property clauses in contractual agreements may aid in clarifying expectations as well as reduce adverse outcomes in post-facto legal disputes. Parties to information asset related contracts should consider documenting terms for:
• signing non-disclosure agreements;
• granting the right-to-audit contractor controls;
• limiting the right-to-access specific information;
• processing the return or destruction of all records at contract termination;
• ensuring implementation of audit trails to closely monitor how information is handled;
• utilizing encryption technology that allows only authorized individuals to view decrypted data;
• addressing approval by applicable government oversight agencies of any subcontracting arrangements; and
• identifying and separating personal and/or confidential information being handled under a contract from other data held by the contractor.

Source:

Hillier, Peter J. “Transborder Data Flow – Intruding on Privacy?” knowledgeleader.com. (August 2006). http://www.knowledgeleader.com/KnowledgeLeader/Content.nsf/Web+Content/TFTransborderDataFlowIntrudingonPrivacy!OpenDocument&NWeekly (accessed April 21, 2008).


May 2, 2013  10:18 PM

Revisiting the Safeguarding of Information Assets – Part XII



Posted by: Robert Davis

Complicating laws and regulations alignment are trans-border communication requirements regarding information protection and confidentiality. The potentially costly task of obtaining data delivery consent from all affected parties may be the only enabling trans-border information flow baseline. Contractually, equivalent protection usually can only be furnished when the sender enters into a written agreement with the trans-border recipient, whereby the recipient affirmatively agrees to abide by the higher information processing mandates of the sender or recipient, such as the E.U.–U.S. (Department of Commerce) Safe Harbor Agreement regarding the E.U. Privacy Directive on Data Protection.

Source:

Gelbstein, Ed and Jovan Kurbalija. Internet Governance: Issues, Actors and Divides. Geneva: DiploFoundation and Global Knowledge Partnership, 2005. http://textus.diplomacy.edu/textusbin/env/scripts/Pool/GetBin.asp?IDPool=641 (accessed April 21, 2008).

Hillier, Peter J. “Transborder Data Flow – Intruding on Privacy?” knowledgeleader.com. (August 2006). http://www.knowledgeleader.com/KnowledgeLeader/Content.nsf/Web+Content/TFTransborderDataFlowIntrudingonPrivacy!OpenDocument&NWeekly (accessed April 21, 2008).


April 28, 2013  12:08 PM

Revisiting the Safeguarding of Information Assets – Part XI



Posted by: Robert Davis

As long as multiple regulatory agencies have government supported agendas, variances can exist that induce comprehensive legal compliance reviews. Primary to controlling under multiple decrees is a thorough analysis of what is required and ensuring quality documentation supporting legal compliance efforts. For example, prerequisite evidentiary requirements may insist on a recorded compliance methodology to justify reducing expected judicial sentencing.

Management’s response to applicable laws and regulations varies based on legal, operational and technological alignment interpretations. However, an entity’s ISG legal compliance system should include:

  • Risk assessments
  • Appropriate authority
  • Adequate resource allocations
  • Policies to prevent or detect illegal acts
  • Standards to prevent or detect illegal acts
  • Procedures to prevent or detect illegal acts
  • Personnel screening correlated to program goals
  • Program training at all employee levels
  • Non-retaliatory internal reporting systems
  • Incentives to motivate employee compliance
  • Discipline to promote employee compliance
  • Responsibilities assignments at all employee levels
  • Program effectiveness audits, monitoring, evaluations and reporting
  • Incidence prevention procedures deployment for similar repeat violations
  • Incidence response procedures deployment for equivalent repeat violations

Source:

Apgar, Chris. “Complying with multiple regulations and contending with conflicts.” Search400.com, September 6, 2005.  http://search400.techtarget.com/tip/0,289483,sid3_gci1122854,00.html (accessed April 21, 2008).

U.S. Sentencing Commission. “Chapter 8 – Part B – Remedying Harm from Criminal Conduct, and Effective Compliance and Ethics Program §8b2.1.” In Federal Sentencing Guidelines for Organizations. Washington, DC: Government Printing Office, 2007. http://www.ussc.gov/2007guid/8b2_1.html (accessed May 7, 2008).


April 25, 2013  8:08 PM

Revisiting the Safeguarding of Information Assets – Part X



Posted by: Robert Davis

Even when compliance requirements extend internationally, managerial responsibility to prevent and detect illegal acts continues without regard to organizational formation origin.  Given this fiduciary obligation, an entity’s management typically utilizes policies, directives, procedures, standards, rules, validation and monitoring as control conduits to obtain reasonable assurance that security related illegal acts are prevented or detected on a timely basis.

Institutionalized ISG defines the information assets safeguarding perimeter inside which an entity should operate, whereas legal compliance management ensures structural boundary segments are sturdy and the entity consistently fulfills its mission within externally imposed demarcation lines. Aligning ISG with legal compliance management allows an entity to enhance cultural ethics while concurrently reducing judicial risks. Predictively, laws will continue to be enacted and the regulatory environment will become more complex due to unacceptable conduct remediation. Consequently, entities will continue to be compelled to demonstrate compliance with legal mandates — especially laws governing data retention and privacy — that can differ by hemisphere, country, province, county, city, as well as industry. In this increasingly complex regulatory environment, most entities should balance their focus on compliance imperatives without diminishing anticipated response quality to governmental edicts.

Source:

Apgar, Chris. “Complying with multiple regulations and contending with conflicts.” Search400.com, September 6, 2005.  http://search400.techtarget.com/tip/0,289483,sid3_gci1122854,00.html (accessed April 21, 2008).

Booz, Allen, and Hamilton. Convergence of Enterprise Security Organizations. N.p.: The Alliance for Enterprise Security Risk Management, 2005. http://www.issa.org/Downloads/ConvergenceStudyNov05.pdf (accessed April 21, 2008).

