IT Governance, Risk, and Compliance


April 9, 2009  7:10 PM

Measuring Performance – Part III

Robert Davis

IT security maturity modeling can measure the established control environment and controls within processes. Typically, the defined maturity modeling scale addresses entity-centric processes from an ad hoc to an optimized level. Specifically, a robust maturity model furnishes high-level guidance that aids in appreciating what is required for productive IT safeguarding. Furthermore, an entity-centric service maturity model equips management with the ability to position information assets protection on the maturity scale. Beneficially, after identifying critical IT processes and related controls, maturity modeling enables gaps in capabilities to be identified and presented to management through benchmarking, while illuminating necessary service improvements. Action plans can then be developed to bring identified processes within the desired IT security services target level.

Benchmarking (also known as “best practice benchmarking” and “process benchmarking”) is a process primarily employed for strategic management, in which entities evaluate various aspects of active processes in relation to best practices, usually within their designated business sector. This then allows an entity to develop plans on how to adopt accepted best practices, typically with the intent of improving some facet of performance. Benchmarking may be a singular event, but is commonly treated as a repetitious process in which entities continually seek to challenge their practices.
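As an added example (not code from the post, and not any published maturity framework's tooling), the following Python sketch carries the maturity-modeling and benchmarking steps above through to an action plan: each critical IT security process is given a current level, a management target and a peer benchmark on an assumed 0-to-5 scale (ad hoc to optimized), the gaps are computed, weighted by an assumed business-criticality rating, and the shortfalls are ranked so they can be presented to management. The scale names, process names and ratings are all constructed sample data.

```python
"""Maturity-gap analysis for IT security processes.

Added example, not code from the original post. It assumes a six-level
maturity scale (0 = non-existent through 5 = optimized), patterned on the
ad hoc-to-optimized scale the post describes; the process names, ratings,
targets and benchmark levels are constructed sample data.
"""
from dataclasses import dataclass

# Assumed maturity scale; level names are illustrative.
MATURITY_LEVELS = {
    0: "Non-existent",
    1: "Initial / ad hoc",
    2: "Repeatable but intuitive",
    3: "Defined",
    4: "Managed and measurable",
    5: "Optimized",
}


@dataclass(frozen=True)
class ProcessRating:
    """One IT security process as assessed against the maturity scale."""
    name: str
    current: int      # maturity level found by the assessment
    target: int       # level management has set as the goal
    benchmark: int    # level observed in the peer / best-practice comparison
    criticality: int  # 1 (low) .. 3 (high) importance to the business

    def __post_init__(self):
        for level in (self.current, self.target, self.benchmark):
            if level not in MATURITY_LEVELS:
                raise ValueError(f"{self.name}: level {level} is not on the scale")
        if not 1 <= self.criticality <= 3:
            raise ValueError(f"{self.name}: criticality must be 1..3")

    @property
    def gap_to_target(self) -> int:
        """Levels still to climb to reach management's target (0 if met)."""
        return max(0, self.target - self.current)

    @property
    def gap_to_benchmark(self) -> int:
        """Levels behind the benchmark (0 if at or above it)."""
        return max(0, self.benchmark - self.current)

    @property
    def priority_score(self) -> int:
        # Weight the target gap by criticality so a modest gap in a critical
        # process outranks a wider gap in a low-criticality one.
        return self.gap_to_target * self.criticality


def gap_analysis(ratings):
    """Processes that fall short of their target, highest priority first.

    Ties on priority are broken by the benchmark gap, then by name, so the
    ordering is deterministic for the action plan.
    """
    short = [r for r in ratings if r.gap_to_target > 0]
    return sorted(short, key=lambda r: (-r.priority_score, -r.gap_to_benchmark, r.name))


def action_plan(ratings):
    """One improvement action per gap: move from the current level to the next."""
    plan = []
    for r in gap_analysis(ratings):
        nxt = r.current + 1  # always on the scale, because current < target <= 5
        plan.append(
            f"{r.name}: raise from {MATURITY_LEVELS[r.current]} ({r.current}) "
            f"to {MATURITY_LEVELS[nxt]} ({nxt}); target {r.target}, "
            f"benchmark {r.benchmark}, priority {r.priority_score}"
        )
    return plan


def average_maturity(ratings) -> float:
    """Mean current level across processes: a single figure for the scorecard."""
    return sum(r.current for r in ratings) / len(ratings)


def below_benchmark(ratings):
    """Names of processes that trail the benchmark, regardless of target."""
    return [r.name for r in ratings if r.gap_to_benchmark > 0]


# Constructed sample ratings (not from any real assessment).
SAMPLE_RATINGS = [
    ProcessRating("Access control administration", current=2, target=4, benchmark=3, criticality=3),
    ProcessRating("Security incident handling", current=1, target=3, benchmark=3, criticality=3),
    ProcessRating("Vulnerability and patch management", current=3, target=4, benchmark=4, criticality=2),
    ProcessRating("Security awareness training", current=3, target=3, benchmark=3, criticality=1),
    ProcessRating("Backup and recovery testing", current=2, target=3, benchmark=4, criticality=2),
]

if __name__ == "__main__":
    print(f"Average maturity: {average_maturity(SAMPLE_RATINGS):.1f}")
    print("Below benchmark:", ", ".join(below_benchmark(SAMPLE_RATINGS)))
    for line in action_plan(SAMPLE_RATINGS):
        print(line)
```

The action plan deliberately proposes one level at a time: a maturity scale is ordinal, so "jump from ad hoc to managed" is not a plan, whereas "reach repeatable, then defined" maps onto successive budget cycles and can be re-benchmarked at each step.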


April 6, 2009  8:15 PM

Measuring Performance – Part II

Robert Davis

Financially related information is generated to establish cost-oriented steering toward achieving entity-centric objectives and goals. Generally, aggressive expense administration and accurate cost redistribution improve financial resource availability. However, the IT security financial management process for service delivery and support should address entity-centric cost accounting requirements.

Financial budgeting is the generally accepted means of quantifying forecasted activity for a program. Through subsequent utilization, program budgeting provides the ability to determine the cost effectiveness of an entire IT security program or of a single process. Judicious financial management requires devising financial measures, allocating direct and indirect total and per-unit costs for producing services, and evaluating costs saved or avoided and benefits generated. Budgeted technical support should have a direct correlation with the service operating plan to avoid under- or over-allocation of resources. Consequently, variance analysis against the budget should be performed to monitor spending. In addition, IT security management should review cost-benefit analyses to verify appropriate expenditure justifications.



April 3, 2009  7:22 PM

Measuring Performance – Part I

Robert Davis

Though IT security service management can include a plethora of indicators, adequate service value measurement is not demonstrated by the sheer number of indicators considered. Practical IT security service delivery and support utilization requires identification of a critical few measurement indicators in each of the relevant measurement domains that align security initiatives to targeted processes and activities. At the detail level, these few critical measurements represent key performance indicators tailored to gauge objective achievement elements. To effectively drive performance alignment, entities should utilize the expected outcomes of the IT configuration to enable identification of multiple measurements, so that the positive impact safeguarding investments contribute is visible.


March 31, 2009  9:36 PM

Control Assessments – Part IV

Robert Davis

Arguably, data security is the most significant domain supporting information reliability. Entity oversight committees should monitor control activities for ongoing relevance and effectiveness as well as responses to information security recommendations. If installed systems are inadequately protected, data may not be properly processed. An entity’s IT employees need to bring a fundamental understanding of operational requirements and security to their respective professional duties to ensure sustained confidentiality, integrity, and availability are achieved through appropriate consideration of control assessment results.



March 28, 2009  8:20 PM

Control Assessments – Part III

Robert Davis

Information security managers should prepare for audits by utilizing control self-assessments to verify compliance with laws, regulations, policies and procedures. It is always a sound idea to strategically plan annual control self-assessments. Beneficially, information security practice testing assists in evaluating designed processes and validates that deployed controls are functioning as intended. Following a cyclic approach to control self-assessments cannot guarantee clean audit reports. It will, however, aid in ensuring the security department is briefed on governance expectations.

There are a few traditional events that occur once a year; some are considered cheerful, while others are considered dreadful. Regarding IT audits, enlightened security managers approach the assurance process as a periodic assessment of the way business is conducted throughout the year, one that provides an external view of the current state of IAP controls from knowledgeable professionals. IAP managers who normally encounter difficulties during audits are those who adopt an adversarial posture. IT auditors are not storm troopers sent to dismantle departmental efficiency, and security managers who build communication firewalls and ‘honeypots’ based on a perceived organizational threat premise have misinterpreted generally accepted IT audit objectives.



March 24, 2009  7:11 PM

Control Assessments – Part II

Robert Davis

Management needs to understand the status of the entity’s IT systems to decide what safeguarding mechanisms should be deployed to meet business requirements. When IAP monitoring is built into the entity’s operating activities, and process performance is reviewed on a real-time basis, control degradation can easily be ascertained for expeditious remediation. Characteristically, productive monitoring activities dynamically adapt to environmental factors, with each control assessment being performed according to an authorized plan reflecting the evaluation type, assurance level, and information classification.

Monitoring and evaluating the current state of implemented controls may take a variety of forms, including control self-assessments and IT audits. Furthermore, an IT auditor may not be the individual who executes an entity’s information security internal control review (ICR). However, an IT auditor may subsequently assess an ICR for effectiveness and/or efficiency. In the regulatory arena, a negative finding, coupled with prompt corrective actions, can mitigate civil and criminal enforcement penalties, thereby potentially reducing or avoiding legal risks.



March 19, 2009  7:56 PM

Control Assessments – Part I

Robert Davis

For most entities, information and related technologies compliance management is critical to survival as well as success. As with other organizational programs, security compliance does not occur through managerial intent transmissions from a remote planet in some distant galaxy far, far away. Typically, an entity’s oversight committee and subordinate management periodically evaluate the effectiveness of an information assets protection (IAP) program’s responsiveness to recommendations, control and monitoring activities as well as the ability to prevent or detect irregular and illegal acts. Consequently, information security managers should continually seek to improve IAP controls.


March 16, 2009  7:01 PM

Physical Token Protection – Part IV

Robert Davis

Regarding provisioning of physical authentication media, an entity’s deployed access control process should clearly define the way encoded identification is delivered to users — within the context of promoting adequate confidentiality, integrity and availability. Specifically, the process to dispense tokenized authentication attributes to users should employ a different delivery channel than the physical item. When physical items are tokenized prior to individual assignment or usage, security management should ensure the identification mechanism remains dormant and protected until the authentication verification enabler reaches the intended owner empowered with activation and usage rights.

As suggested in COBIT Security Baseline: An Information Security Survival Kit, depending on the country, state or industry, information asset usage is subject to various laws and regulations. These laws and regulations need to be known and obeyed to enable appropriate IT security. Domains covered by such rules include privacy, information retention, and minimal system protection requirements as well as attestation requirements. Consequently, physical tokenized access items should receive the same protection consideration as other entity information assets.



March 12, 2009  6:41 PM

Physical Token Protection – Part III

Robert Davis

As a corollary requirement, when considering physical tokens, functionality is directly related to capabilities. Consequently, physical token appropriateness should be evaluated based on the set of attributes applicable to the existing set of activities and their specific properties. In other words, determining physical token functionality is a characteristic association ensuring that the quality of hardware and/or software products utilized for accessing objects meets intended purpose expectations throughout their life cycle. Adequate physical token functions are those that satisfy stated or implied criteria of users and management. These value drivers emanate from business and governance domain perceptions, where the former typically focuses on functionality and delivery velocity, while the latter tends to emphasize cost-efficiency, return on investment and compliance.



March 9, 2009  6:56 PM

Physical Token Protection – Part II

Robert Davis

Information asset usability implies availability to perform requested services as well as transparency. Determining physical token usability necessitates assessing relevant and pertinent services for the access process as well as secure user delivery in a timely, correct, and consistent manner. Whether access control is outsourced to a third party or is maintained internally, the time frame for processing each user security administration operation should be defined and agreed to by the entity’s representatives through a service level agreement (SLA) that aligns with corresponding service objectives and goals. For example, if providing timely user provisioning is established as a goal, user resets for critical applications should be responded to within the SLA-specified time period. Where an SLA does not stipulate the response time, a best practice standard should be adopted and sustained by management to monitor performance achievement.
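To show how the SLA monitoring described above can be operated in practice, here is an added Python example that is not part of the original post: it parses a constructed log of user security-administration requests (password resets and the like), applies assumed SLA response targets by application criticality, falls back to an assumed best-practice default where no SLA clause exists, and reports attainment per tier. The field layout, target hours, request records and the `AS_OF` timestamp are all this example's own assumptions.

```python
"""SLA attainment check for user security-administration requests.

Added example, not code from the original post. SLA targets, the default
best-practice standard, the record layout and the request log are all
constructed assumptions for illustration.
"""
from datetime import datetime, timedelta

# Assumed SLA response targets (hours) agreed per application criticality.
SLA_HOURS = {"critical": 4, "standard": 24}
# Assumed best-practice standard applied where the SLA is silent on response time.
DEFAULT_HOURS = 8

# Constructed sample log: one request per line, tab-separated fields
# id, application, criticality, opened, resolved (blank while still open).
SAMPLE_LOG = """\
REQ-1001\tpayroll\tcritical\t2009-03-09T08:00\t2009-03-09T11:30
REQ-1002\tintranet-wiki\tstandard\t2009-03-09T09:15\t2009-03-10T10:00
REQ-1003\tpayroll\tcritical\t2009-03-09T13:00\t2009-03-09T18:45
REQ-1004\tcrm\tstandard\t2009-03-09T14:00\t2009-03-09T16:10
REQ-1005\tlab-portal\t\t2009-03-09T15:00\t2009-03-10T01:00
REQ-1006\tcrm\tstandard\t2009-03-10T09:00\t
"""
# Constructed "now", used to age requests that are still open.
AS_OF = datetime(2009, 3, 10, 12, 0)


def sla_hours(criticality: str) -> int:
    """Target response time; falls back to the best-practice default."""
    return SLA_HOURS.get(criticality, DEFAULT_HOURS)


def parse_requests(text: str):
    """Turn the tab-separated log into dicts with datetime fields."""
    requests = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        fields += [""] * (5 - len(fields))  # tolerate a missing trailing field
        req_id, app, crit, opened, resolved = fields[:5]
        requests.append({
            "id": req_id,
            "application": app,
            "criticality": crit.strip().lower(),
            "opened": datetime.fromisoformat(opened),
            "resolved": datetime.fromisoformat(resolved) if resolved else None,
        })
    return requests


def evaluate(requests, as_of: datetime):
    """Mark each request met / breached / pending against its SLA target.

    An open request counts as breached once its age exceeds the target,
    so a breach becomes visible before the ticket is closed.
    """
    results = []
    for r in requests:
        target = timedelta(hours=sla_hours(r["criticality"]))
        elapsed = (r["resolved"] or as_of) - r["opened"]
        if r["resolved"] is None:
            status = "breached" if elapsed > target else "pending"
        else:
            status = "met" if elapsed <= target else "breached"
        results.append({
            **r,
            "target_hours": target.total_seconds() / 3600,
            "elapsed_hours": round(elapsed.total_seconds() / 3600, 2),
            "status": status,
        })
    return results


def attainment(results):
    """Attainment percentage and per-tier counts over decided requests."""
    decided = [r for r in results if r["status"] != "pending"]
    met = sum(1 for r in decided if r["status"] == "met")
    by_tier = {}
    for r in decided:
        tier = r["criticality"] or "unspecified"
        counts = by_tier.setdefault(tier, {"met": 0, "breached": 0})
        counts[r["status"]] += 1
    return {
        "decided": len(decided),
        "met": met,
        "attainment_pct": round(100 * met / len(decided), 1) if decided else None,
        "pending": len(results) - len(decided),
        "by_tier": by_tier,
    }


def sample_report():
    """Evaluate the constructed log as of AS_OF."""
    return evaluate(parse_requests(SAMPLE_LOG), AS_OF)


if __name__ == "__main__":
    report = sample_report()
    for r in report:
        tier = r["criticality"] or "unspecified"
        print(f'{r["id"]:9} {tier:11} {r["elapsed_hours"]:6.2f}h of '
              f'{r["target_hours"]:4.0f}h  {r["status"]}')
    print(attainment(report))
```

Two design points matter for a monitoring report like this: requests with no SLA tier are measured against the adopted default rather than silently excluded, and an open request is reported as breached as soon as its age passes the target, so the figure management sees is not flattered by tickets that are simply never closed.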


