Posted by: Robert Davis
CISA, CISM, COBIT, Information Asset Protection, Information Security Governance, Information Security Management, ISACA, IT Controls, Security Frameworks
Explicitly or implicitly, safeguarding assets is an inescapable fiduciary obligation placed on managers, whether the entity operates for profit or not for profit. Fiduciary duties are an inherent managerial responsibility tied to accountability, and they can be conveyed through legislation, regulation, or expectation. Foundationally, an operating entity's continued existence usually depends heavily on how well employees safeguard the assets used to fulfil the organizational mission. Responsibility for safeguarding assets should span the entity's total tangible and intangible resources. In particular, information and its associated technologies are assets that require appropriate investment in protective measures if they are to retain their intrinsic value.
Safeguarding IT resources usually requires an information security governance (ISG) framework that delivers the essential information asset coverage. An entity's management can adopt the Information Systems Audit and Control Association's (ISACA's) Control Objectives for Information and related Technology (COBIT) framework, promulgated by the IT Governance Institute, the International Organization for Standardization (ISO) 27002 code of practice, or both, to ensure adequate ISG. If the COBIT framework is selected to assist in deploying entity-centric ISG, it classifies IT resources into four categories: people, information, applications, and infrastructure. Within the COBIT resource model, people are the personnel, with their skills and awareness, required to plan, organize, acquire, implement, deliver, support, monitor, and evaluate information systems and services. Information encompasses usable objects, structured and unstructured data, and presentation formats. Applications are the sum of manual and programmed procedures that process that information. Infrastructure is defined as the hardware, operating systems, configuration systems, facilities, and support structure that house and sustain them.
With IT considered indispensable for processing efficiency, communication expediency, and information reliability, entities should govern the safeguarding of information assets through an ISG program. To meet this security necessity, management normally needs a governance framework that enables organizational alignment, adequate resource allocation, risk management, value delivery, and performance measurement. Whether information security governance is viewed abstractly as a distinct governance discipline supporting enterprise governance or as a subset of information technology governance, safeguarding IT normally requires addressing separation of responsibilities and 'protection of information assets' in order to demonstrate managerial due diligence.