Generally, three distinct elements are required for an adequate information security architecture: people, processes and technology. For most entities, designing and operating adequate safeguards is a complex undertaking that requires a sustained compliance commitment from every employee empowered to access information assets. The absence of any one of these architectural components creates a weak link in safeguarding information assets and undermines the usefulness of the remaining security controls.
Technological and non-technological policies, directives, procedures, standards and rules assist in preventing as well as detecting IT security breaches. In the final analysis, however, it is sustained employee ethics and integrity that determine the safety of entrusted assets.
Protection-of-information-assets reflects the development and deployment of security controls to support information security governance (ISG). Commonly, protection-of-information-assets requires implementing:
- Logical Access Controls
- Network Infrastructure Security
- Physical Access Controls
- Risk Analysis Processes
- Environmental Controls
- Confidentiality Life Cycle Controls
Once information security management ratifies the protection requirements for information resources, based on assessed risk, information security baselines can be developed and deployed. Safeguarding baselines vary with asset sensitivity, criticality and/or impact; minimally, however, information assets should be protected against misuse, abuse and destruction. When implemented, information asset protection baselines are expressed as technical, operational and managerial standards applicable throughout the entity.
Responsibilities separation commonly employs segregation-of-functions and segregation-of-duties. Segregation-of-functions is the construction of individual work units, such as divisional, departmental or sectional organizational groups, to achieve management’s intentions while complying with generally accepted control principles. In contrast, segregation-of-duties is the delineation of employee responsibility assignments within a defined work unit to the same end. As a basic tenet of adequate control, segregation-of-functions and segregation-of-duties support the policies, procedures, directives and organizational structure established to inhibit one individual from conducting unauthorized actions or gaining unauthorized access to assets or records. Consequently, responsibilities separations are organizational controls, designed and deployed so that ISG can prevent, detect and/or deter errors, mistakes, omissions and irregularities as well as illegal acts.
Appropriate separation of functional responsibilities in a computer system requires defining IT and operational user work units with the control context in mind. Segregation-of-functions ensures that organizational responsibilities neither impinge upon independence nor corrupt the integrity of information system assets.
Processing centralization through IT does not relieve management of the need to separate duties within operational and technical departments. Complete segregation-of-duties within a department is generally more feasible in large entities than in small ones. Large entities tend to follow rigid norms and are conducive to high specialization of duties, detailed division of labor, elaborate administration and minimal personal interaction. By contrast, small entities are characterized by flexible norms, low specialization of duties, broad span of control, lean and simple administration and extensive personal interaction. Where a small entity cannot fully segregate duties, compensating controls, such as independent management review of the transactions one person both initiates and records, are the usual substitute.
Various control techniques can be applied individually or in combination to enforce segregation-of-functions and segregation-of-duties, including:
- Role Identification
- User Authentication
- Transaction Authorization
- Information Access
- Asset Custody
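The list above names the control points; as an added example that is not part of the original text, the Python below shows how three of them, role identification, transaction authorization and asset custody, can be made mechanically checkable. The role names, permission strings, conflict pairs and user assignments are constructed for the illustration and are not taken from any real system. It reports users whose combined roles hold a conflicting permission pair (a detective control), and enforces dual control on a payment so that initiating, approving and releasing are done by three different principals (a preventive control).

```python
"""Segregation-of-duties checks over role assignments.

Added example: the roles, permissions, conflict pairs and users below are
constructed for illustration and are not taken from any real system.
"""
from dataclasses import dataclass, field
from itertools import combinations

# Role identification: hypothetical role -> permission mapping.
ROLES = {
    "ap_clerk":   {"vendor.create", "invoice.enter"},
    "ap_manager": {"payment.approve", "ledger.read"},
    "treasury":   {"payment.release"},
    "auditor":    {"ledger.read"},
}

# Permission pairs one individual must never hold together. Holding both
# would let a single person create and pay a fictitious vendor, enter and
# approve an invoice, or approve and release the same payment.
CONFLICTS = {
    frozenset({"vendor.create", "payment.approve"}),
    frozenset({"invoice.enter", "payment.approve"}),
    frozenset({"payment.approve", "payment.release"}),
}

# Constructed user -> roles. 'bob' kept his clerk role after promotion,
# the usual privilege-creep route to an SoD violation.
ASSIGNMENTS = {
    "alice": {"ap_clerk"},
    "bob":   {"ap_clerk", "ap_manager"},
    "carol": {"ap_manager"},
    "dave":  {"treasury"},
    "erin":  {"auditor"},
}


def effective_permissions(user, assignments=ASSIGNMENTS, roles=ROLES):
    """Union of the permissions granted by every role the user holds."""
    perms = set()
    for role in assignments.get(user, ()):
        perms |= roles.get(role, set())
    return perms


def sod_violations(assignments=ASSIGNMENTS, roles=ROLES, conflicts=CONFLICTS):
    """Detective control: every (user, perm_a, perm_b) conflict a user holds."""
    found = []
    for user in assignments:
        perms = sorted(effective_permissions(user, assignments, roles))
        for a, b in combinations(perms, 2):
            if frozenset((a, b)) in conflicts:
                found.append((user, a, b))
    return sorted(found)


@dataclass
class Payment:
    payment_id: str
    initiator: str
    amount: int
    approvals: list = field(default_factory=list)
    released_by: str = ""


def approve_payment(payment, approver, assignments=ASSIGNMENTS, roles=ROLES,
                    conflicts=CONFLICTS):
    """Transaction authorization with dual control. Returns (ok, reason)."""
    if approver == payment.initiator:
        return False, "initiator cannot approve own transaction"
    if "payment.approve" not in effective_permissions(approver, assignments, roles):
        return False, "approver lacks payment.approve"
    # Preventive use of the detective finding: a user holding a conflicting
    # role combination cannot exercise the approval right until it is fixed.
    if any(u == approver for u, _, _ in sod_violations(assignments, roles, conflicts)):
        return False, "approver holds conflicting roles"
    if approver in payment.approvals:
        return False, "duplicate approval"
    payment.approvals.append(approver)
    return True, "approved"


def release_payment(payment, releaser, assignments=ASSIGNMENTS, roles=ROLES):
    """Asset custody: release needs a prior approval by someone else."""
    if payment.released_by:
        return False, "already released"
    if "payment.release" not in effective_permissions(releaser, assignments, roles):
        return False, "releaser lacks payment.release"
    if not payment.approvals:
        return False, "no approval on record"
    if releaser == payment.initiator or releaser in payment.approvals:
        return False, "releaser must differ from initiator and approvers"
    payment.released_by = releaser
    return True, "released"


if __name__ == "__main__":
    for user, a, b in sod_violations():
        print(f"SoD violation: {user} holds both {a} and {b}")
    pay = Payment("P-1001", initiator="alice", amount=5000)
    for who in ("alice", "bob", "carol"):
        print("approve by", who, "->", approve_payment(pay, who))
    print("release by dave ->", release_payment(pay, "dave"))
```

The conflict matrix is deliberately expressed over permissions rather than roles, so that a violation is caught whether it arises from a badly composed role or from one person accumulating several roles; in practice the matrix is reviewed with the business owners of the process, since which pairs are genuinely incompatible is a management judgement, not a technical one.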
Explicitly or implicitly, safeguarding assets is an inescapable fiduciary obligation bestowed on managers, whether the entity exists for profit or not for profit. Fiduciary duties are an inherent managerial responsibility correlated with accountability and can be conveyed through legislation, regulation or expectation. Foundationally, an operating entity’s very existence usually depends heavily on how well employees safeguard the assets used to fulfil the organizational mission. Responsibility for safeguarding assets should span the entity’s total tangible and intangible resources. Specifically, information and its associated technologies are assets that require appropriate investment in protective measures to retain their intrinsic value.
Safeguarding IT resources usually requires an information security governance (ISG) framework providing essential coverage of information assets. An entity’s management can adopt the Information Systems Audit and Control Association’s (ISACA’s) Control Objectives for Information and related Technology (COBIT) framework, promulgated with the IT Governance Institute (ITGI), to ensure adequate ISG, and/or the ISO/IEC 27002 code of practice. If COBIT is selected to assist in deploying entity-centric ISG, it classifies IT resources into four categories: people, information, applications and infrastructure. Within the COBIT resource categories, people covers staff skills, awareness and productivity to plan, organize, acquire, deliver, support and monitor information systems and services. Information encompasses utilizable objects, structured and unstructured data, and presentation formats. Applications are the automated systems and manual procedures that process information. Infrastructure is the hardware, operating systems, network and database systems, facilities and support structures that host and enable the applications.
With IT considered indispensable for processing efficiency, expedient communication and reliable information, entities should govern the safeguarding of information assets through an ISG program. To accomplish this, management normally needs a governance framework that enables organizational alignment, adequate resource allocation, risk management, value delivery and performance measurement. Whether information security governance is viewed abstractly as a distinct governance discipline supporting entity governance or as a subset of IT governance, safeguarding IT normally mandates addressing responsibilities separation and ‘protection-of-information-assets’ to demonstrate managerial due diligence.