IT Governance, Risk, and Compliance


May 15, 2009  6:48 PM

Electronic Commerce – Part I



Posted by: Robert Davis
B2B, B2C, B2E, B2G, Business-to-Business, Business-to-Consumer, Business-to-Employee, Business-to-Government, E-commerce, Electronic Commerce, Internet

With an ever-increasing number of organizations and individuals relying on the Internet to exchange confidential and sensitive information, adequate message security continues to be a technological management concern. Serviceable standard electronic commerce (E-commerce) models include Business-to-Business (B2B), Business-to-Consumer (B2C), Business-to-Employee (B2E), and Business-to-Government (B2G) architectures. In order to programmatically manage E-commerce related IT security risks, management must designate an information assets protection perimeter. Axiomatically, the primary purpose of establishing a security perimeter is to provide a defined ambit for entity-centric policies and safeguards. However, with the advent of E-commerce, erecting layered protective barriers that preserve IT configurations can introduce a tactical security quagmire.

May 12, 2009  3:25 PM

Developing Objectives – Part IV



Posted by: Robert Davis
Accountability, Behavioral Management, Benchmarking, Goals, IAP, Information Asset Protection, Information Security Governance, Information Security Management, ISG, ISM, Management by Objectives, MBO, Planning Committee, Resource Allocation, Responsibility

MBO is a participative behavioral approach to managing employees. One of the primary MBO assumptions is that employees prefer to work hard once they are provided with employer expectations. Intuitively, sustaining accepted expectations necessitates employees believe stated intentions are achievable. Therefore, MBO imposes consideration and incorporation of employee views concerning objectives to enable effective and efficient information assets protection processes.

“View Part I of the Developing Objectives series here


May 7, 2009  11:14 PM

Developing Objectives – Part III



Posted by: Robert Davis
Accountability, Behavioral Management, Benchmarking, Goals, IAP, Information Asset Protection, Information Security Governance, Information Security Management, ISG, ISM, Management by Objectives, MBO, Planning Committee, Resource Allocation, Responsibility

A system for disseminating information security management objectives is considered fundamental to obtain employee commitment. One way to communicate entity-centric information security objectives is clear and concise policies. Information security management‘s role in policy formulation includes considering the control environment, risk assessments, information, communication, and activities. Though policies are an important means to convey expected behavior, even more critical is determining the effectiveness of adopted IT safeguarding objectives. Effectiveness evaluation requires measurement against established information security standards. Consequently, ratiocinative information security standards must be designed and implemented.

“View Part I of the Developing Objectives series here


May 4, 2009  6:32 PM

Developing Objectives – Part II



Posted by: Robert Davis
Accountability, Behavioral Management, Benchmarking, Goals, IAP, Information Asset Protection, Information Security Governance, Information Security Management, ISG, ISM, Management by Objectives, MBO, Planning Committee, Resource Allocation, Responsibility

Within behavioral management theory, entity leaders have alternative approaches available to accomplish information assets safeguarding objectives development — including participative, consultative, free rein, and autocratic models. Participative behavioral management emphasizes consideration and incorporation of employee views in decisions, while maintaining managerial decision authority. Consultative behavioral management stresses consideration of employee views, without incorporation, while maintaining managerial decision authority. Free rein management allows employees to make their own decisions concerning subject matters. Lastly, autocratic management underscores dictating decisions to employees. Based on empirical evidence, most entities currently prefer deploying a participative approach to managing entity-centric objectives development.

Setting objectives and establishing processes to accomplish designed objectives is a managerial responsibility. Tactically, the manager responsible for a plan’s implementation should set objectives with advice obtained from the entity’s planning committee, top-level executives and line subordinates. To this end, the Management by Objectives (MBO) methodology normally drives employee consensus building. However, an entity’s planning committee and top-level executives may be too removed from daily information security operations to yield reasonable objectives. Furthermore, line subordinates may have limited knowledge concerning organizational intricacies to permit adopting recommended information security objectives. Therefore, a security manager may have to rely on evaluating generally accepted information security frameworks to develop entity-centric objectives.

“View Part I of the Developing Objectives series here


April 30, 2009  7:20 PM

Developing Objectives – Part I



Posted by: Robert Davis
Accountability, Behavioral Management, Benchmarking, Goals, Management by Objectives, MBO, Planning Committee, Resource Allocation, Responsibility

There exist various theories regarding managing employees. Behavioral management theorists believe leadership traits are not genetic. Thus, leaders assume distinct behaviors that can be studied and applied according to individual perceptions of assigned responsibility. When an individual is consigned leadership, managerial responsibility for the assignment’s duration is implied, if not explicitly stated.


April 27, 2009  6:25 PM

Measuring Delivery Value – Part IV



Posted by: Robert Davis
Continuous Process Improvement, CPI, Information Security Governance, Information Security Infrastructure Management, Information Security Processes, Information Security Service Management, ISG, ISIM, ISSM, IT Security Infrastructure, IT Security Services, Key Performance Indicators, KPI, Performance Measurement, Safeguarding Investments

Performance measurement is a control activity. Measurement techniques are the means for effective information security performance monitoring. “Selective measurement utility is realized when a critical few indicators permit accurate and timely information for decision-making and, by extension, appropriate information assets protection.” KPIs provide the critical measuring technique for aligned objectives and goals. Adequate KPIs permit comparative analysis for assessing resource deployment and utilization success. When processes are evaluated within the pre-established context, KPIs enable rapid resource mobilization, substitution and/or elimination for organizational objectives fulfillment.

“View Part I of the Measuring Delivery Value series here


April 23, 2009  6:41 PM

Measuring Delivery Value – Part III



Posted by: Robert Davis
Continuous Process Improvement, CPI, Information Security Governance, Information Security Infrastructure Management, Information Security Processes, Information Security Service Management, ISG, ISIM, ISSM, IT Security Infrastructure, IT Security Services, Performance Measurement, Safeguarding Investments

Information security service management can include financial and non-financial indicators to enable performance assessments. However, selected indicators must represent a mathematically measurable quality. An adopted KPI should have an established target, associated with a completion date and a path for improvement. Furthermore, an adequate KPI enables determination of the degree of change from the current state to future expectations. For instance, an information security goal might address access privileges. Consequently, considering the current state requires comparison to accepted standards for performance measurement, the “time to grant access privileges” KPI would specify whether the measurement duration is in minutes, hours or days. Reflecting the established time basis, a target for the KPI can be derived. Therefore, “reduce time to grant access privileges by four percent per year” communicates a clear target that employees should understand and undertake specific actions to accomplish.

One of the managerial challenges for process-driven entities is integrating ‘leading indicators’ into KPIs. Similar to leading economic indicators, information security leading KPIs enable swift conditional service delivery responses to ‘code red’ impact alerts. If leading indicators are properly implemented, management can preemptively adjust a process (or processes) before the expiration date on achieving an expected outcome.

“View Part I of the Measuring Delivery Value series here


April 20, 2009  7:42 PM

Measuring Delivery Value – Part II



Posted by: Robert Davis
Continuous Process Improvement, CPI, Information Security Governance, Information Security Infrastructure Management, Information Security Processes, Information Security Service Management, ISG, ISIM, ISSM, IT Security Infrastructure, IT Security Services, Safeguarding Investments

Procedurally, once information security management has analyzed the entity-centric mission, identified stakeholders, and defined objectives; goals must be established with appropriate performance indicators for status assessments. “Practical information security service delivery and support utilization requires identification of a critical few measurement indicators in each of the relevant measurement domains that align safeguarding initiatives to targeted processes and activities. At the detail-level, these few critical measurements represent key performance indicators [(KPIs)] tailored to gauge objective achievement elements. To effectively drive performance alignment, entities should utilize expected outcomes to enable multiple measurements identification so the positive impact safeguarding investments contribute are visible.”

KPIs are utilized to measure achievements through comparative analyses. Information accuracy and consistency are rudimentary to measurement reliance. If KPIs are going to reliably convey activity status, management must accurately define and consistently measure expectations. That is, activity calculation inputs must be understood and accepted by those accountable for expected performance until revision notification.

“View Part I of the Measuring Delivery Value series here


April 17, 2009  5:56 PM

Measuring Delivery Value – Part I



Posted by: Robert Davis
Continuous Process Improvement, CPI, Information Security Governance, Information Security Infrastructure Management, Information Security Processes, Information Security Service Management, ISG, ISIM, ISSM, IT Security Infrastructure, IT Security Services

Considering adamant demands for continuous process improvements, focus on overall information protection and delivery value in terms of enabled services has become a managerial necessity. Information Security Service Management is a set of processes enabling and potentially optimizing IT security services for an entity in order to satisfy business requirements, while simultaneously providing strategic and tactical IT security infrastructure management. Consequently, information security service level management should be considered quality of service administration permitting demonstrable process improvement contributions. Measuring, monitoring and reporting on information security processes assist in ensuring organizational objectives are achieved.


April 14, 2009  1:08 AM

Measuring Performance – Part IV



Posted by: Robert Davis
CE, Control Environment, Information Security Governance, Information Security Management, ISSM, IT Security Program, ITSM, Key Performance Indicators, KPI, Safeguarding Investments, Service Delivery and Support, Service Level Agreement, Service Management, SLA

Selective measurement utility is realized when a critical few indicators permit accurate and timely information for decision-making and, by extension, appropriate information assets protection. Individually, measurement techniques are the means for effective IT security performance monitoring. Collectively, IT security services financial management and maturity modeling are powerful high-level tools for assessing the achievement of objectives and goals.

“View Part I of the Measuring Performance series here


Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: