IT Governance, Risk, and Compliance


May 20, 2011  9:54 PM

Effective Employment Practices for Protecting IT – Part V



Posted by: Robert Davis
Conduct Code, Due Care, Due Diligence, Employment Practices, Information Assets Protection, Misappropriation of Assets, Safeguarding Assurance

Due care implies responsibility for an activity; due diligence implies continuity of that activity. Often called the 'prudent person' rule for professionals, due care means doing everything reasonably possible to aid in operating an entity using sound, legitimate, and ethical practices. Consequently, prudent persons are diligent in exercising due care.

When professional due care and due diligence are applied to an entity's human resources recruitment efforts, hiring practices should provide reasonable assurance that a potential employee's competency, reliability, and integrity are aligned with the position's responsibilities. Furthermore, at the activity level, an entity's standard human resources practices should consistently demonstrate that the most qualified individuals are recruited, with emphasis on training background, prior work experience, past accomplishments, and evidence of integrity and ethical behavior.

View Part I of the Effective Employment Practices for Protecting IT series here

May 17, 2011  9:18 PM

Effective Employment Practices for Protecting IT – Part IV



Posted by: Robert Davis
Conduct Code, Due Care, Due Diligence, Employment Practices, Information Assets Protection, Misappropriation of Assets, Safeguarding Assurance

Usually, it is easier to purchase an automated solution addressing IT control practices than to change an entity's culture. Nevertheless, even the most secure system will not achieve a significant degree of protection if it is used by "ill-informed, untrained, careless or indifferent personnel." Thus, all entity employees should be instructed in exercising due care and due diligence over information assets. Furthermore, a well-structured IT function, staffed with appropriately qualified individuals, forms the foundation for high-quality performance and is the basis for providing positive safeguarding assurance to interested parties.

View Part I of the Effective Employment Practices for Protecting IT series here


May 13, 2011  8:48 PM

Effective Employment Practices for Protecting IT – Part III



Posted by: Robert Davis
Conduct Code, Due Care, Due Diligence, Employment Practices, Information Assets Protection, Misappropriation of Assets

The threat insiders pose to data should not be underestimated. If an entity is to be successful in preventing security breaches, it must have effective policies that minimize the chance of hiring or promoting individuals with low levels of honesty, especially for positions of trust. Supporting this perspective is the realization that persons with high technical skills and organizational process knowledge pose the greatest threat to an entity. Where controls are inadequate, persons with access to an entity's internal network could disrupt or corrupt vital services as well as gain unauthorized access to confidential information. In addition, misappropriation of assets, though often not material to the financial statements, can nonetheless result in substantial losses if an employee has the incentive/pressure, opportunity, and/or attitude/rationalization (the three conditions of the fraud triangle) to commit an illegal act.

View Part I of the Effective Employment Practices for Protecting IT series here


May 10, 2011  7:56 PM

Effective Employment Practices for Protecting IT – Part II



Posted by: Robert Davis
Conduct Code, Due Care, Due Diligence, Employment Practices, Information Assets Protection, Misappropriation of Assets

Stakeholders expect managerial personnel to run the entity in accordance with accepted business practices, while maintaining compliance with applicable laws and regulations. An appropriate managerial tone should be established and communicated throughout the entity, including explicit moral guidance concerning expected behavior. Therefore, the onus resides with the entity to take adequate precautions when employing individuals and to ensure that, regardless of motive, individuals are reasonably prevented from abusing IT resources.

View Part I of the Effective Employment Practices for Protecting IT series here


May 6, 2011  10:09 PM

Effective Employment Practices for Protecting IT – Part I



Posted by: Robert Davis
Conduct Code, Due Care, Due Diligence, Employment Practices, Information Assets Protection, Misappropriation of Assets

Based on extensive research by various knowledge leaders, the greatest harm or disruption to IT-based information services emanates from intentional or unintentional actions of internally employed individuals. Frequently, information systems experience disruption, damage, loss, or other adverse impacts due to the well-intentioned actions of employees authorized to use or maintain IT assets. Therefore, reducing harm or disruption to the IT services an entity furnishes requires emphasizing, and periodically re-emphasizing, defined rules of behavior to the individuals it employs.


May 3, 2011  9:33 PM

Right-sizing IT Controls – Part VIII



Posted by: Robert Davis
Control Environment, Control Evaluation, Control Processes, Control System, Governance Tree, Internal Control Systems, IT Controls, IT Governance, IT Management, Risk Management, Roles and Responsibilities

Deploying key IT governance practices enhances an entity's ability to meet control objectives for cost, functionality, and quality. Yet, regardless of the IT control techniques and automated tools available, the best possible means of regulating entity activity is, and always has been, the selection of high-quality employees who value ethical conduct. If entities are organizational formations that provide good people a place to work, then the best path to right-sizing IT controls is supplying diligent subordinates with the justified resources needed to achieve their specific IT control goals.

View Part I of the Right-sizing IT Controls series here


April 29, 2011  8:28 PM

Right-sizing IT Controls – Part VII



Posted by: Robert Davis
Control Environment, Control Evaluation, Control Processes, Control System, Governance Tree, Internal Control Systems, IT Controls, IT Governance, IT Management, Risk Management, Roles and Responsibilities

An entity's controlling and monitoring activities should reflect management's strategy for ensuring an adequate IT control system. Consequently, each IT policy, directive, standard, procedure, and rule should map, one-to-one or one-to-many, to an assessed risk, so that its effectiveness and efficiency in addressing management's risk appetite can be evaluated. Within this context, IT control policies and directives are commonly considered high-level governance documentation, while standards, procedures, and rules are commonly considered detail-level governance documentation. Since IT managers plan, direct, and support technology deployments, an IT manager's duties should include establishing departmental policies, procedures, and standards for ensuring the right-sizing of IT controls.

View Part I of the Right-sizing IT Controls series here


April 26, 2011  8:53 PM

Right-sizing IT Controls – Part VI



Posted by: Robert Davis
Control Environment, Control Evaluation, Control Processes, Governance Tree, Internal Control Systems, IT Controls, IT Governance, IT Management, Risk Management, Roles and Responsibilities

The risk management process introduces a systematic approach for identifying, assessing, and reducing risks as well as maintaining defined acceptable risk levels. An IT risk assessment should be considered a key risk management practice area. When management institutionalizes an IT governance risk assessment methodology, the quantitative and/or qualitative factors affecting business processes should be considered, evaluated, and documented to enable suitable event responses. Management's risk assessment of IT processes determines the potential opportunity cost of IT and the criticality of implementing each control.

View Part I of the Right-sizing IT Controls series here


April 22, 2011  8:16 PM

Right-sizing IT Controls – Part V



Posted by: Robert Davis
Control Environment, Control Evaluation, Control Processes, Governance Tree, Internal Control Systems, IT Controls, IT Governance, IT Management, Roles and Responsibilities

IT organization is implemented to prevent chaos and to assist in identifying the processes needed to achieve objectives. The organizing process transforms the entity plan into controllable areas and includes:

  • Identifying and classifying activities for departmentalization
  • Grouping activities based on efficient usage of available resources
  • Delegating the authority necessary to perform defined activities
  • Aligning departmental groupings, horizontally and vertically, through authority-activity relationships and information systems

View Part I of the Right-sizing IT Controls series here


April 19, 2011  8:27 PM

Right-sizing IT Controls – Part IV



Posted by: Robert Davis
Control Environment, Control Evaluation, Control Processes, Governance Tree, Internal Control Systems, IT Controls, IT Governance, IT Management, Roles and Responsibilities

Processes modify the system elements deployed to assist in achieving IT program goals. When identifying processes, process maps are a standard method for documenting all pertinent system information. As they are developed, process maps should include data, timing, methods, personnel, material, equipment, environment, inputs, outputs, and other relevant factors. Subsequently, each identified IT process must be defined to enable event expectation and causation analysis.

While documenting entity processes, internal as well as external responsibilities should be examined for synchronization with the IT mission. Depending on the control environment, control processes can range from top-heavy concentration of responsibility, with inaccurate measurements and employee opposition, to widespread responsibility, with accurate measurements and no employee opposition. Once processes are identified, determining entity-IT organizational alignment permits the consolidation and/or elimination of inefficient or ineffective IT units.

View Part I of the Right-sizing IT Controls series here

