Management should establish standards as baselines for measuring quantity, weight, extent, value, or quality. Standards can be considered specific goals or objectives against which performance is compared. Selection of points where performance will be measured is critical to effective standards. Employee accountability affects responsibility for meeting standards. Consequently, responsibility for a standard should be directly correlated to activity responsibility. Without accountability, standards become ineffective measurement tools.
Procedures establish methods for accomplishing an activity, through specific performance, while simultaneously complying with prescribed policies. Prior to determining procedures, processes should be identified and classified to determine control objective impact. In order to create an adequate IT governance framework, management must understand and document operational procedures.
Rules are specific and detailed guides that confine and restrict behavior. Comparatively, rules are the simplest operational plan. A rule requires a specific action to be taken regarding a given situation. For example, “This building is a smoke free environment. Violators will be dismissed without exception.”
Controlling and monitoring activities intended to ensure acceptable risk responses include:
Strategically, policies are definite courses or methods of action selected by management from alternatives, considering the environment, to guide as well as determine present and future decisions. For example, an entity’s IT governance related policy may require that IT management obtain signed Service Level Agreements (SLAs) for all deployed systems.
Directives serve or are intended to guide, govern, or influence actions or goals. Furthermore, directives should be considered orders or instructions. When activated, entity proxy directives can be interpreted as conveying fiduciary requirements to the assignee. Directives may be issued by internal or external central authorities as well as by individuals. For example, an external aviation agency may direct aircraft operators to carefully inspect a particular airplane wing. Internally, directives are usually documented in memorandums and reflect matters requiring immediate attention. Directives should receive the same due diligence as policies and procedures.
• Quantifying the probability and business impact of potential threats
• Providing an economic balance between threat impact and countermeasure cost
Normally, the IT Threat Assessment precedes the IT Vulnerability Assessment. However, Vulnerability Analysis results can identify relevant threats and Threat or Opportunity Analysis results can identify relevant vulnerabilities. The Association of Insurance and Risk Managers, the Association of Local Authority Risk Managers, and the Institute of Risk Management business risk model categories can be mapped into IT risk analysis. For example, usually risk identification, description, and estimation are respectively included as asset valuation, action plan, and risk evaluation sub-processes.
The risk management process introduces a systematic approach for identifying, assessing, and reducing risks as well as maintaining defined acceptable risk levels. An IT risk assessment should be considered a key risk management practice area. When management institutionalizes an IT governance risk assessment methodology, quantitative and/or qualitative factors affecting business processes should be considered, evaluated, and documented to enable suitable event responses. Management’s risk assessment of IT processes determines the potential opportunity cost of IT and the criticality of implementing controls. Quantitative risk calculations include:
• Exposure Factor (EF) = percentage of the asset’s value lost when the identified risk materializes
• Single Loss Expectancy (SLE) = Asset Value × Exposure Factor
• Annualized Rate of Occurrence (ARO) = estimated number of times the threat will occur within a year
• Annualized Loss Expectancy (ALE) = SLE × ARO
• Safeguard Cost/Benefit Analysis = (ALE before implementing safeguard) – (ALE after implementing safeguard) – (annual cost of safeguard)
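The five formulas above carried through on one asset, as an added example that is not part of the original post: the asset value, exposure factors, occurrence rates, and safeguard names and costs are all constructed figures, and the ranking function generalizes the cost/benefit formula to several candidate safeguards so a negative result (a safeguard that costs more than the risk it removes) is visible.

```python
# Added worked example of the quantitative risk formulas; all figures are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One identified risk against a single asset."""
    asset_value: float      # monetary value of the asset
    exposure_factor: float  # fraction of asset value lost per occurrence (0.0-1.0)
    aro: float              # Annualized Rate of Occurrence (expected events/year)

    def __post_init__(self):
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be a fraction between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("asset value and ARO cannot be negative")

    def sle(self):
        """Single Loss Expectancy = Asset Value x Exposure Factor."""
        return self.asset_value * self.exposure_factor

    def ale(self):
        """Annualized Loss Expectancy = SLE x ARO."""
        return self.sle() * self.aro


def safeguard_net_benefit(before, after, annual_cost):
    """(ALE before) - (ALE after) - (annual cost); positive means the safeguard pays."""
    return before.ale() - after.ale() - annual_cost


def rank_safeguards(before, options):
    """Return (name, net_benefit) pairs, best first, for the given risk."""
    ranked = [(name, safeguard_net_benefit(before, after, cost))
              for name, after, cost in options]
    return sorted(ranked, key=lambda pair: pair[1], reverse=True)


# Constructed scenario: customer database worth 500,000; a breach destroys 40% of
# its value; one breach expected every four years (ARO 0.25).
DB_RISK = Risk(asset_value=500_000, exposure_factor=0.40, aro=0.25)

# Candidate safeguards (constructed): each lowers EF and/or ARO at an annual cost.
SAFEGUARDS = [
    ("encryption_at_rest", Risk(500_000, 0.10, 0.25), 15_000),
    ("mfa_for_admins", Risk(500_000, 0.40, 0.05), 8_000),
    ("gold_plated_siem", Risk(500_000, 0.30, 0.20), 40_000),
]
```

Calling `rank_safeguards(DB_RISK, SAFEGUARDS)` orders the options by net annual benefit; the baseline ALE is 50,000, and the SIEM option comes out negative because its 40,000 annual cost exceeds the 20,000 of ALE it removes.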
Similar to business risk management, IT risk management is a continuous process that should be interlaced into the fabric of an entity. IT risks directly impact an entity’s ability to provide goods and/or services at an acceptable price. Inherently, computer hardware and software as well as personnel present potential risks to an entity achieving business objectives.
Through appropriate management, risks can be accepted, reduced, or transferred; however, IT related risk can never be completely eliminated. Minimally, IT governance risk management should address strategic alignment, value delivery, resource management, and performance measurement. Depending on the circumstances, entity and IT governance domain characteristics may overlap or be distinct, yet the continuity and stability of IT controls can be sustained even when governance domain characteristics overlap.
An entity’s business risk management framework should be a strategic axle capable of accepting diverse strategy spokes. Proactively, business risk management should represent the process whereby an entity methodically addresses the risks attached to its activities, with the objective of achieving sustained benefit within each activity and across the activities portfolio.
Through project collaboration the Association of Insurance and Risk Managers, the Association of Local Authority Risk Managers, and the Institute of Risk Management promote the following risk management process:
Risk management is not an issue that any ‘going concern’ should treat as a platitude used to demonstrate effective leadership. Those responsible for governance within an enterprise must be, without reservation, administrators dedicated to appropriately handling the risks that their organization encounters. In particular, the risks associated with information and related technology must be comprehensively identified and appropriately managed based on careful consideration of the impact and likelihood of the projected occurrence of detrimental events. It is in this arena that organizational risk management commonly fails to accurately portray the environmental landscape, which is what enables optimization of the resources committed to IT, both the initial investment and its operational maintenance.
Based on my careful analysis of the factors associated with information reliability, there is a medium-to-high inherent risk of a researcher conveying unreliable information through citing Wikipedia material due to inadequate identity management issues. Contextually, according to About.com, “In most cases, you should stay away from Internet information that doesn’t list an author… If the author is named, you will want to find his/her web page to:
• Verify educational credits
• Discover if the writer is either published in a scholarly journal
• Verify that the writer is employed by a research institution or university”
To provide an appropriate answer to this foundational question regarding Wikipedia, an assessor must take into consideration the primary traits of reliability. Therefore, as previously stated in Wikipedia: An assessment from a user’s perspective – part 1 as well as documented in IT Auditing: Assuring Information Assets Protection, minimally, information contained within technology can be considered reliable when its completeness, accuracy and validity attributes are independently verifiable as well as user neutral. In other words, information reliability requires representational faithfulness to ensure that assertions and the purported events supporting them are in agreement.
Wikipedia has often been presented as a great research resource; however, it is also a public forum, where any authorized user can make a declaration or an assertion. “If you find an article that provides relevant information for your research topic, you should take care to investigate the source to make sure it is valid and reliable. [Academically, this] is an essential step in maintaining sound research ethics.” Thus, an important question concerning any published work classified as encyclopedic material is: how valid and reliable is the documented information?
This blog provides content regarding IT Governance, Risk, and Compliance topics. Occasionally, readers will receive suggestions enabling organizational enhancements to IT managerial principles and practices consistent with generally accepted international standards.