IT Governance, Risk, and Compliance


March 16, 2013  3:40 PM

Risk Management: Is it just another set of business buzzwords? – Part VII



Posted by: Robert Davis
Administrative Control, Asset Management, Business Continuity, Continuity Management, Crisis Management, Decision Making, Due Care, Due Diligence, Enterprise Governance, Event Management, Incident Management, Information Technology, IT, IT Management, Management Information System, Operating Style, Risk Management, Threat Management

Management should establish standards as baselines for measuring quantity, weight, extent, value, or quality.  Standards can be considered specific goals or objectives against which performance is compared.  Selection of points where performance will be measured is critical to effective standards.  Employee accountability affects responsibility for meeting standards.  Consequently, responsibility for a standard should be directly correlated to activity responsibility.  Without accountability, standards become ineffective measurement tools.

Procedures establish methods for accomplishing an activity, through specific performance, while simultaneously complying with prescribed policies. Prior to determining procedures, processes should be identified and classified to determine control objective impact. In order to create an adequate IT governance framework, management must understand and document operational procedures.

Rules are specific and detailed guides that confine and restrict behavior. Comparatively, rules are the simplest operational plan. A rule requires a specific action to be taken regarding a given situation. For example, “This building is a smoke free environment. Violators will be dismissed without exception.”

Source

Davis, Robert E. (2011). Assuring IT Governance. Available from http://www.amazon.com/Assuring-Governance-Assurance-Services-ebook/dp/B0058P58E0 and http://www.smashwords.com/books/view/70359

Davis, Robert E. (2006). IT Auditing: IT Governance. Mission Viejo: Pleier. CD-ROM.

March 14, 2013  1:10 AM

Risk Management: Is it just another set of business buzzwords? – Part VI



Posted by: Robert Davis
Administrative Control, Asset Management, Business Continuity, Continuity Management, Crisis Management, Decision Making, Due Care, Due Diligence, Enterprise Governance, Event Management, Incident Management, Information Technology, IT, IT Management, Management Information System, Operating Style, Risk Management, Threat Management

Controlling and monitoring activities attempting to ensure acceptable risk responses include:

  • Policies
  • Directives
  • Standards
  • Procedures
  • Rules

Strategically; policies are definite courses or methods of action selected by management from alternatives, considering the environment, to guide as well as determine present and future decisions.  For example, an entity’s IT governance related policy may require IT management obtain signed Service Level Agreements (SLAs) for all deployed systems.

Directives serve or intend to guide, govern, or influence actions or goals.  Furthermore, directives should be considered orders or instructions.  When activated, entity proxy directives can be interpreted as conveying fiduciary requirements to the assignee.  Internal or external central authorities may issue directives as well as individuals.  For example, an external aviation agency may direct aircraft operators to carefully inspect a particular airplane wing.  Internally, directives are usually documented in memorandums and reflect matters requiring immediate attention.  Directives should receive the same due diligence as policies and procedures.

Source

Davis, Robert E. (2011). Assuring IT Governance. Available from http://www.amazon.com/Assuring-Governance-Assurance-Services-ebook/dp/B0058P58E0 and http://www.smashwords.com/books/view/70359

Davis, Robert E. (2006). IT Auditing: IT Governance. Mission Viejo: Pleier. CD-ROM.


March 8, 2013  10:41 PM

Risk Management: Is it just another set of business buzzwords? – Part V



Posted by: Robert Davis
Administrative Control, Asset Management, Business Continuity, Continuity Management, Crisis Management, Decision Making, Due Care, Due Diligence, Enterprise Governance, Event Management, Incident Management, Information Technology, IT, IT Management, Management Information System, Operating Style, Risk Management, Threat Management

Usually, IT risk analysis has four primary goals:

  • Identifying assets and their associated values
  • Identifying vulnerabilities and threats
  • Quantifying the probability and business impact of potential threats
  • Providing an economic balance between threat impact and countermeasure cost

Normally, the IT Threat Assessment precedes the IT Vulnerability Assessment. However, Vulnerability Analysis results can identify relevant threats and Threat or Opportunity Analysis results can identify relevant vulnerabilities. The Association of Insurance and Risk Managers, the Association of Local Authority Risk Managers, and the Institute of Risk Management business risk model categories can be mapped into IT risk analysis. For example, usually risk identification, description, and estimation are respectively included as asset valuation, action plan, and risk evaluation sub-processes.

Source

Davis, Robert E. (2011). Assuring IT Governance. Available from http://www.amazon.com/Assuring-Governance-Assurance-Services-ebook/dp/B0058P58E0 and http://www.smashwords.com/books/view/70359

Davis, Robert E. (2006). IT Auditing: IT Governance. Mission Viejo: Pleier. CD-ROM.

 


March 7, 2013  1:54 AM

Risk Management: Is it just another set of business buzzwords? – Part IV



Posted by: Robert Davis
Administrative Control, Asset Management, Business Continuity, Continuity Management, Crisis Management, Decision Making, Due Care, Due Diligence, Enterprise Governance, Event Management, Incident Management, Information Technology, IT, IT Management, Management Information System, Operating Style, Risk Management, Threat Management

The risk management process introduces a systematic approach for identifying, assessing, and reducing risks as well as maintaining defined acceptable risk levels.  An IT risk assessment should be considered a key risk management practice area.  When management institutionalizes an IT governance risk assessment methodology, quantitative and/or qualitative factors effecting business processes should be considered, evaluated, and documented to enable suitable event responses.  Management’s IT processes risk assessment determines IT potential opportunity cost and control implementation criticality.  Quantitative risk calculations include:

  • Exposure Factor = Percentage of asset lost caused by identified risk
  • Single Loss Expectancy (SLE) = Asset Value X Exposure Factor
  • Annualized Rate of Occurrence (ARO) = Estimated frequency a threat will occur within a year
  • Annualized Loss Expectancy (ALE) = SLE X ARO
  • Safeguard Cost/Benefit Analysis = (ALE before implementing safeguard) – (ALE after implementing safeguard) – (annual cost of safeguard)

Source

Davis, Robert E. (2011). Assuring IT Governance. Available from http://www.amazon.com/Assuring-Governance-Assurance-Services-ebook/dp/B0058P58E0 and http://www.smashwords.com/books/view/70359

Davis, Robert E. (2006). IT Auditing: IT Governance. Mission Viejo: Pleier. CD-ROM.


March 2, 2013  4:38 PM

Risk Management: Is it just another set of business buzzwords? – Part III



Posted by: Robert Davis
Administrative Control, Asset Management, Business Continuity, Continuity Management, Crisis Management, Decision Making, Due Care, Due Diligence, Enterprise Governance, Event Management, Incident Management, Information Technology, IT, IT Management, Management Information System, Operating Style, Risk Management, Threat Management

Similar to business risk management, IT risk management is a continuous process that should be interlaced into the fabric of an entity.  IT risks directly impact an entity’s ability to provide goods and/or services at an acceptable price.  Inherently, computer hardware and software as well as personnel present potential risks to an entity achieving business objectives.

Through appropriate management, risks can be accepted, reduced, or transferred; however, IT related risk can never be completely eliminated.  Minimally, IT governance risk management should address strategic alignment, value delivery, resource management, and performance measurement.  Depending on the circumstances, entity and IT governance domain characteristics may overlap or have distinctiveness, yet IT controls continuity and stability can be sustained even when governance domain characteristics are mutually inclusive.

Source

Davis, Robert E. (2011). Assuring IT Governance. Available from http://www.amazon.com/Assuring-Governance-Assurance-Services-ebook/dp/B0058P58E0 and http://www.smashwords.com/books/view/70359

Davis, Robert E. (2006). IT Auditing: IT Governance. Mission Viejo: Pleier. CD-ROM.


February 28, 2013  2:50 AM

Risk Management: Is it just another set of business buzzwords? – Part II



Posted by: Robert Davis
Administrative Control, Asset Management, Business Continuity, Continuity Management, Crisis Management, Decision Making, Due Care, Due Diligence, Enterprise Governance, Event Management, Incident Management, Information Technology, IT, IT Management, Management System, Operating Style, Risk Management, Threat Management

An entity’s business risk management framework should be a strategic axial enabled to accept diverse strategy spokes. Proactively, business risk management should represent the process whereby an entity methodically addresses risks attached to activities with the objective of achieving sustained benefit within each activity and across the activities portfolio.

Through project collaboration the Association of Insurance and Risk Managers, the Association of Local Authority Risk Managers, and the Institute of Risk Management promote the following risk management process:

1. Identify Strategic Objectives

2. Perform Risk Assessment

2.1 Risk Analysis

2.1.1 Risk Identification

2.1.2 Risk Description

2.1.3 Risk Estimation

2.2 Risk Evaluation

3. Provide Risk Reporting

4. Decision (determine risk appetite)

5. Document Risk Treatment

6. Provide Residual Risk Reporting

7. Perform Monitoring

Source

Davis, Robert E. (2011). Assuring IT Governance. Available from http://www.amazon.com/Assuring-Governance-Assurance-Services-ebook/dp/B0058P58E0 and http://www.smashwords.com/books/view/70359

Davis, Robert E. (2006). IT Auditing: IT Governance. Mission Viejo: Pleier. CD-ROM.


February 23, 2013  6:44 PM

Risk Management: Is it just another set of business buzzwords? – Part I



Posted by: Robert Davis
Administrative Control, Asset Management, Business Continuity, Continuity Management, Crisis Management, Decision Making, Due Care, Due Diligence, Enterprise Governance, Event Management, Incident Management, Information Technology, IT, IT Management, Management System, Operating Style, Risk Management, Threat Management

Risk management is not an issue any ‘going concern’ should consider a platitude used to demonstrate effective leadership.  Those responsible for governance within an enterprise must be, without reservation, administrators dedicated to appropriately handling the risks that their organization encounters.  In particular, the risks associated with information and related technology must be comprehensively identified and appropriately managed based on careful consideration of the impact and likelihood of the projected occurrence of detrimental events. It is in this arena that organizational risk management commonly fails to accurately portray the environmental landscape enabling resource optimization of initial investments and operational maintenance for IT.


February 21, 2013  4:11 AM

Wikipedia: An assessment from a user’s perspective – Part VI



Posted by: Robert Davis
Adaptive Systems, Assurance Services, Attestation, Control Evaluation, Control System, Due Care, Educational Institutions, Internal Control System, Logical Security, Non-profit, Open Source, Operating Style, Quality Assurance Program, Security Risks, Trust Management

Based on my careful analysis of the factors associated with information reliability, there is a medium-to-high inherent risk of a researcher conveying unreliable information through citing Wikipedia material due to inadequate identity management issues. Contextually, according to About.com, “In most cases, you should stay away from Internet information that doesn’t list an author… If the author is named, you will want to find his/her web page to:
• Verify educational credits
• Discover if the writer is either published in a scholarly journal
• Verify that the writer is employed by a research institution or university”

Sources:

Davis, Robert E. (2010). IT Auditing: An Adaptive System. Available from http://www.lulu.com/product/ebook/it-auditing-an-adaptive-system/18809075

Davis, Robert E. (2008). IT Auditing: Assuring Information Assets Protection. Mission Viejo: Pleier. CD-ROM.

Fleming, Grace (2012), “Internet Research Tips: Finding Reliable Internet Sources,” About.com, < http://homeworktips.about.com/od/researchandreference/a/internet.htm >, accessed September 17, 2012.

KnowThis.com, “Research Validity and Reliability,” < http://www.knowthis.com/principles-of-marketing-tutorials/marketing-research/research-validity-and-reliability/ >, accessed September 17, 2012.

OneName Corporation. Requirements for a Global Identity Management Service. W3C Workshop on Web Services. Retrived from: http://www.w3.org/2001/03/WSWS-popa/paper57

TechTarget.com. http://searchunifiedcommunications.techtarget.com/definition/identity-ma…

U.S. GAO. (2002). Assessing the Reliability of Computer-Processed Data. Rev. ed. Washington, D.C.: Government Printing Office.


February 17, 2013  12:02 AM

Wikipedia: An assessment from a user’s perspective – Part V



Posted by: Robert Davis
Adaptive Systems, Assurance Services, Attestation, Control Evaluation, Control System, Due Care, Educational Institutions, Internal Control System, Logical Security, Non-profit, Open Source, Operating Style, Quality Assurance Program, Security Risks, Trust Management

To provide an appropriate answer to this foundational question regarding Wikipedia an assessor must take into consideration the primary traits of reliability. Therefore, as previously stated in Wikipedia: An assessment from a user’s perspective – part 1 as well as documented in IT Auditing: Assuring Information Assets Protection, minimally, information contained within technology can be considered reliable when completeness, accuracy and validity attributes are independently verifiable as well as user neutral. In other words, information reliability requires representational faithfulness to ensure assertions and supporting purported events are in agreement.

Sources:

Davis, Robert E. (2010). IT Auditing: An Adaptive System. Available from http://www.lulu.com/product/ebook/it-auditing-an-adaptive-system/18809075

Davis, Robert E. (2008). IT Auditing: Assuring Information Assets Protection. Mission Viejo: Pleier. CD-ROM.

Fleming, Grace (2012), “Internet Research Tips: Finding Reliable Internet Sources,” About.com, < http://homeworktips.about.com/od/researchandreference/a/internet.htm >, accessed September 17, 2012.

KnowThis.com, “Research Validity and Reliability,” < http://www.knowthis.com/principles-of-marketing-tutorials/marketing-research/research-validity-and-reliability/ >, accessed September 17, 2012.

OneName Corporation. Requirements for a Global Identity Management Service. W3C Workshop on Web Services. Retrived from: http://www.w3.org/2001/03/WSWS-popa/paper57

TechTarget.com. http://searchunifiedcommunications.techtarget.com/definition/identity-ma…

U.S. GAO. (2002). Assessing the Reliability of Computer-Processed Data. Rev. ed. Washington, D.C.: Government Printing Office.


February 14, 2013  1:45 PM

Wikipedia: An assessment from a user’s perspective – Part IV



Posted by: Robert Davis
Adaptive Systems, Assurance Services, Attestation, Control Evaluation, Control System, Due Care, Educational Institutions, Internal Control System, Logical Security, Non-profit, Open Source, Operating Style, Quality Assurance Program, Security Risks, Trust Management

Wikipedia is often been presented as a great research resource; however it is also a public forum, where any authorized user can make a declaration or an assertion. “If you find an article that provides relevant information for your research topic, you should take care to investigate the source to make sure it is valid and reliable. [Academically, this] is an essential step in maintaining sound research ethics.” Thus, an important question concerning any published work classified as encyclopedic material is: How valid and reliable is documented information?

Sources:

Davis, Robert E. (2010). IT Auditing: An Adaptive System. Available from http://www.lulu.com/product/ebook/it-auditing-an-adaptive-system/18809075

Davis, Robert E. (2008). IT Auditing: Assuring Information Assets Protection. Mission Viejo: Pleier. CD-ROM.

Fleming, Grace (2012), “Internet Research Tips: Finding Reliable Internet Sources,” About.com, < http://homeworktips.about.com/od/researchandreference/a/internet.htm >, accessed September 17, 2012.

KnowThis.com, “Research Validity and Reliability,” < http://www.knowthis.com/principles-of-marketing-tutorials/marketing-research/research-validity-and-reliability/ >, accessed September 17, 2012.

OneName Corporation. Requirements for a Global Identity Management Service. W3C Workshop on Web Services. Retrived from: http://www.w3.org/2001/03/WSWS-popa/paper57

TechTarget.com. http://searchunifiedcommunications.techtarget.com/definition/identity-ma…

U.S. GAO. (2002). Assessing the Reliability of Computer-Processed Data. Rev. ed. Washington, D.C.: Government Printing Office.


Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: