 




<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>IT Governance, Risk, and Compliance &#187; Control Environment</title>
	<atom:link href="http://itknowledgeexchange.techtarget.com/it-governance/tag/control-environment/feed/" rel="self" type="application/rss+xml" />
	<link>http://itknowledgeexchange.techtarget.com/it-governance</link>
	<description></description>
	<lastBuildDate>Fri, 17 May 2013 01:49:47 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	
		<item>
		<title>eBook excerpt: Assuring Information Security – Part XV</title>
		<link>http://itknowledgeexchange.techtarget.com/it-governance/ebook-excerpt-assuring-information-security-part-xv/</link>
		<comments>http://itknowledgeexchange.techtarget.com/it-governance/ebook-excerpt-assuring-information-security-part-xv/#comments</comments>
		<pubDate>Thu, 31 Jan 2013 02:33:12 +0000</pubDate>
		<dc:creator>Robert Davis</dc:creator>
				<category><![CDATA[Accountability]]></category>
		<category><![CDATA[Acquire and Implement]]></category>
		<category><![CDATA[Adaptive Systems]]></category>
		<category><![CDATA[Asset Management]]></category>
		<category><![CDATA[Assurance Services]]></category>
		<category><![CDATA[Availability Management]]></category>
		<category><![CDATA[COBIT]]></category>
		<category><![CDATA[COBIT Domains]]></category>
		<category><![CDATA[Control Environment]]></category>
		<category><![CDATA[Control Objectives]]></category>
		<category><![CDATA[Control Objectives for Information and related Technology]]></category>
		<category><![CDATA[Deliver and Support]]></category>
		<category><![CDATA[Due Diligence]]></category>
		<category><![CDATA[Fiduciary Responsibility]]></category>
		<category><![CDATA[Framework]]></category>
		<category><![CDATA[Information Assets Protection]]></category>
		<category><![CDATA[Information Security Governance]]></category>
		<category><![CDATA[Information Security Management]]></category>
		<category><![CDATA[ISG]]></category>
		<category><![CDATA[Key Performance Indicators]]></category>
		<category><![CDATA[Monitor and Evaluate]]></category>
		<category><![CDATA[Performance Measurement]]></category>
		<category><![CDATA[Plan and Organize]]></category>
		<category><![CDATA[Risk Management]]></category>
		<category><![CDATA[Strategic Alignment]]></category>
		<category><![CDATA[Value Delivery]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/it-governance/?p=1823</guid>
		<description><![CDATA[Usually, it is easier to purchase an IT solution addressing IAP than to change a culture.  However, even the most secure system will not achieve a significant degree of protection if utilized by “ill-informed, untrained, careless or indifferent personnel.”  A well-structured information security function, staffed with appropriately qualified individuals, forms the foundation for high-quality performance [...]]]></description>
				<content:encoded><![CDATA[<p>Usually, it is easier to purchase an IT solution addressing IAP than to change a culture.  However, even the most secure system will not achieve a significant degree of protection if utilized by “ill-informed, untrained, careless or indifferent personnel.”  A well-structured information security function, staffed with appropriately qualified individuals, forms the foundation for high-quality performance and is the basis for providing positive IAP assurance to interested parties.</p>
<p style="text-align: center">* * * * *</p>
<p>Post Note: Assuring Information Security may be previewed at the following webpages:</p>
<p><a href="http://www.amazon.com/Assuring-Information-Security-Assurance-ebook/dp/B008CKIIW2">http://www.amazon.com/Assuring-Information-Security-Assurance-ebook/dp/B008CKIIW2</a></p>
<p><a href="https://itunes.apple.com/us/book/assuring-information-security/id595544134?mt=11">https://itunes.apple.com/us/book/assuring-information-security/id595544134?mt=11</a></p>
<p><a href="http://www.smashwords.com/books/view/177753">http://www.smashwords.com/books/view/177753</a></p>
<p><a href="http://www.diesel-ebooks.com/item/SW00000177753/Davis-Robert-E.-Assuring-Information-Security/1.html">http://www.diesel-ebooks.com/item/SW00000177753/Davis-Robert-E.-Assuring-Information-Security/1.html</a></p>
<p><a href="http://www.kobobooks.com/ebook/Assuring-Information-Security/book-AYSytKvQ1kmC309Q-dL5Qg/page1.html?s=qoyo_k_kHECzPG2dJeKZBA&amp;r=8">http://www.kobobooks.com/ebook/Assuring-Information-Security/book-AYSytKvQ1kmC309Q-dL5Qg/page1.html?s=qoyo_k_kHECzPG2dJeKZBA&amp;r=8</a></p>
]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/it-governance/ebook-excerpt-assuring-information-security-part-xv/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>eBook excerpt: Assuring Information Security – Part XIV</title>
		<link>http://itknowledgeexchange.techtarget.com/it-governance/ebook-excerpt-assuring-information-security-part-xiv/</link>
		<comments>http://itknowledgeexchange.techtarget.com/it-governance/ebook-excerpt-assuring-information-security-part-xiv/#comments</comments>
		<pubDate>Sat, 26 Jan 2013 01:02:37 +0000</pubDate>
		<dc:creator>Robert Davis</dc:creator>
				<category><![CDATA[Accountability]]></category>
		<category><![CDATA[Acquire and Implement]]></category>
		<category><![CDATA[Adaptive Systems]]></category>
		<category><![CDATA[Asset Management]]></category>
		<category><![CDATA[Assurance Services]]></category>
		<category><![CDATA[Availability Management]]></category>
		<category><![CDATA[COBIT]]></category>
		<category><![CDATA[COBIT Domains]]></category>
		<category><![CDATA[Control Environment]]></category>
		<category><![CDATA[Control Objectives]]></category>
		<category><![CDATA[Control Objectives for Information and related Technology]]></category>
		<category><![CDATA[Deliver and Support]]></category>
		<category><![CDATA[Due Diligence]]></category>
		<category><![CDATA[Fiduciary Responsibility]]></category>
		<category><![CDATA[Framework]]></category>
		<category><![CDATA[Information Assets Protection]]></category>
		<category><![CDATA[Information Security Governance]]></category>
		<category><![CDATA[Information Security Management]]></category>
		<category><![CDATA[ISG]]></category>
		<category><![CDATA[Key Performance Indicators]]></category>
		<category><![CDATA[Monitor and Evaluate]]></category>
		<category><![CDATA[Performance Measurement]]></category>
		<category><![CDATA[Plan and Organize]]></category>
		<category><![CDATA[Risk Management]]></category>
		<category><![CDATA[Strategic Alignment]]></category>
		<category><![CDATA[Value Delivery]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/it-governance/?p=1811</guid>
		<description><![CDATA[With respect to IAP, the information security function should: establish processes for provisioning user accounts ensure all entity positions are reviewed for sensitivity level document procedures for friendly and unfriendly terminations install mechanisms for holding users responsible for their actions verify user access is restricted to information assets consistent with ‘least privilege’ principles retain signed [...]]]></description>
				<content:encoded><![CDATA[<p>With respect to IAP, the information security function should:</p>
<ul>
<li>establish processes for provisioning user accounts</li>
<li>ensure all entity positions are reviewed for sensitivity level</li>
<li>document procedures for friendly and unfriendly terminations</li>
<li>install mechanisms for holding users responsible for their actions</li>
<li>verify user access is restricted to information assets consistent with ‘least privilege’ principles</li>
<li>retain signed human resources statements documenting appropriate background screenings for positions in which individuals are employed</li>
<li>monitor whether crucial functions are divided among different individuals to disable the necessary authority or access that could result in irregularities or illegal acts</li>
<li>evaluate whether crucial functions are divided among different individuals to disable the necessary authority or access that could result in irregularities or illegal acts</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/it-governance/ebook-excerpt-assuring-information-security-part-xiv/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>eBook excerpt: Assuring Information Security – Part XIII</title>
		<link>http://itknowledgeexchange.techtarget.com/it-governance/ebook-excerpt-assuring-information-security-part-xiii/</link>
		<comments>http://itknowledgeexchange.techtarget.com/it-governance/ebook-excerpt-assuring-information-security-part-xiii/#comments</comments>
		<pubDate>Thu, 24 Jan 2013 01:54:10 +0000</pubDate>
		<dc:creator>Robert Davis</dc:creator>
				<category><![CDATA[Accountability]]></category>
		<category><![CDATA[Acquire and Implement]]></category>
		<category><![CDATA[Adaptive Systems]]></category>
		<category><![CDATA[Asset Management]]></category>
		<category><![CDATA[Assurance Services]]></category>
		<category><![CDATA[Availability Management]]></category>
		<category><![CDATA[COBIT]]></category>
		<category><![CDATA[COBIT Domains]]></category>
		<category><![CDATA[Control Environment]]></category>
		<category><![CDATA[Control Objectives]]></category>
		<category><![CDATA[Control Objectives for Information and related Technology]]></category>
		<category><![CDATA[Deliver and Support]]></category>
		<category><![CDATA[Due Diligence]]></category>
		<category><![CDATA[Fiduciary Responsibility]]></category>
		<category><![CDATA[Framework]]></category>
		<category><![CDATA[Information Assets Protection]]></category>
		<category><![CDATA[Information Security Governance]]></category>
		<category><![CDATA[Information Security Management]]></category>
		<category><![CDATA[ISG]]></category>
		<category><![CDATA[Key Performance Indicators]]></category>
		<category><![CDATA[Monitor and Evaluate]]></category>
		<category><![CDATA[Performance Measurement]]></category>
		<category><![CDATA[Plan and Organize]]></category>
		<category><![CDATA[Risk Management]]></category>
		<category><![CDATA[Strategic Alignment]]></category>
		<category><![CDATA[Value Delivery]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/it-governance/?p=1814</guid>
		<description><![CDATA[1.3 Entity Employees “The first line of defense from insider threats is the employees themselves.” – Software Engineering Institute (SEI) Stakeholders expect managerial personnel to run the entity in accordance with accepted business practices, while maintaining compliance with applicable laws and regulations.  An appropriate managerial tone should be established and communicated throughout the entity, including [...]]]></description>
				<content:encoded><![CDATA[<p><strong><em>1.3 Entity Employees</em></strong></p>
<blockquote><p>“The first line of defense from insider threats is the employees themselves.” – Software Engineering Institute (SEI)</p></blockquote>
<p>Stakeholders expect managerial personnel to run the entity in accordance with accepted business practices, while maintaining compliance with applicable laws and regulations.  An appropriate managerial tone should be established and communicated throughout the entity, including explicit moral guidance regarding expected behavior.  For IAP, the onus certainly resides with the entity to take adequate precautions when employing individuals and to ensure that, regardless of motive, individuals are reasonably prevented from abusing IT resources.</p>
]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/it-governance/ebook-excerpt-assuring-information-security-part-xiii/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>eBook excerpt: Assuring Information Security – Part XII</title>
		<link>http://itknowledgeexchange.techtarget.com/it-governance/ebook-excerpt-assuring-information-security-part-xii/</link>
		<comments>http://itknowledgeexchange.techtarget.com/it-governance/ebook-excerpt-assuring-information-security-part-xii/#comments</comments>
		<pubDate>Sat, 19 Jan 2013 16:35:51 +0000</pubDate>
		<dc:creator>Robert Davis</dc:creator>
				<category><![CDATA[Accountability]]></category>
		<category><![CDATA[Acquire and Implement]]></category>
		<category><![CDATA[Adaptive Systems]]></category>
		<category><![CDATA[Asset Management]]></category>
		<category><![CDATA[Assurance Services]]></category>
		<category><![CDATA[Availability Management]]></category>
		<category><![CDATA[COBIT]]></category>
		<category><![CDATA[COBIT Domains]]></category>
		<category><![CDATA[Control Environment]]></category>
		<category><![CDATA[Control Objectives]]></category>
		<category><![CDATA[Control Objectives for Information and related Technology]]></category>
		<category><![CDATA[Deliver and Support]]></category>
		<category><![CDATA[Due Diligence]]></category>
		<category><![CDATA[Fiduciary Responsibility]]></category>
		<category><![CDATA[Framework]]></category>
		<category><![CDATA[Information Assets Protection]]></category>
		<category><![CDATA[Information Security Governance]]></category>
		<category><![CDATA[Information Security Management]]></category>
		<category><![CDATA[ISG]]></category>
		<category><![CDATA[Key Performance Indicators]]></category>
		<category><![CDATA[Monitor and Evaluate]]></category>
		<category><![CDATA[Performance Measurement]]></category>
		<category><![CDATA[Plan and Organize]]></category>
		<category><![CDATA[Risk Management]]></category>
		<category><![CDATA[Strategic Alignment]]></category>
		<category><![CDATA[Value Delivery]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/it-governance/?p=1749</guid>
		<description><![CDATA[If management views an IAP program as a methodology for achieving information systems goals and objectives, the adopted processes can enable a series of assessments defining control usefulness and control deployment, while conjunctively correlating effectiveness and efficiency directly linked to managerial and employee responsibility, accountability, and authority. Beneficially, regarding an entity’s direction and purpose, when [...]]]></description>
				<content:encoded><![CDATA[<p>If management views an IAP program as a methodology for achieving information systems goals and objectives, the adopted processes can enable a series of assessments defining control usefulness and control deployment, while conjunctively correlating effectiveness and efficiency directly linked to managerial and employee responsibility, accountability, and authority. Beneficially, regarding an entity’s direction and purpose, when responsibility, accountability, and authority are properly tailored, communication efficiency is improved through reductions in entropy and misunderstanding. Furthermore, management’s deployed IAP controls monitoring assists in ensuring the established fiduciary relationship with stakeholders is fulfilled. As an entity integrated resource, IT should be deployed as managerially required and with a sufficient level of formality, coverage, and control completeness to allow IAP monitoring.</p>
]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/it-governance/ebook-excerpt-assuring-information-security-part-xii/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>eBook excerpt: Assuring Information Security – Part XI</title>
		<link>http://itknowledgeexchange.techtarget.com/it-governance/ebook-excerpt-assuring-information-security-part-xi/</link>
		<comments>http://itknowledgeexchange.techtarget.com/it-governance/ebook-excerpt-assuring-information-security-part-xi/#comments</comments>
		<pubDate>Thu, 17 Jan 2013 00:01:44 +0000</pubDate>
		<dc:creator>Robert Davis</dc:creator>
				<category><![CDATA[Accountability]]></category>
		<category><![CDATA[Acquire and Implement]]></category>
		<category><![CDATA[Adaptive Systems]]></category>
		<category><![CDATA[Asset Management]]></category>
		<category><![CDATA[Assurance Services]]></category>
		<category><![CDATA[Availability Management]]></category>
		<category><![CDATA[COBIT]]></category>
		<category><![CDATA[COBIT Domains]]></category>
		<category><![CDATA[Control Environment]]></category>
		<category><![CDATA[Control Objectives]]></category>
		<category><![CDATA[Control Objectives for Information and related Technology]]></category>
		<category><![CDATA[Deliver and Support]]></category>
		<category><![CDATA[Due Diligence]]></category>
		<category><![CDATA[Fiduciary Responsibility]]></category>
		<category><![CDATA[Framework]]></category>
		<category><![CDATA[Information Assets Protection]]></category>
		<category><![CDATA[Information Security Governance]]></category>
		<category><![CDATA[Information Security Management]]></category>
		<category><![CDATA[ISG]]></category>
		<category><![CDATA[Key Performance Indicators]]></category>
		<category><![CDATA[Monitor and Evaluate]]></category>
		<category><![CDATA[Performance Measurement]]></category>
		<category><![CDATA[Plan and Organize]]></category>
		<category><![CDATA[Risk Management]]></category>
		<category><![CDATA[Strategic Alignment]]></category>
		<category><![CDATA[Value Delivery]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/it-governance/?p=1806</guid>
		<description><![CDATA[Roles and responsibilities assignment for providing adequate IAP is typically considered critical to effective and efficient IT security.  However, depending on the entity, IAP management roles and responsibilities may focus solely on IT security or IT and business security.  Roles and responsibilities define relationships among individuals within the entity and have a major impact on [...]]]></description>
				<content:encoded><![CDATA[<p>Roles and responsibilities assignment for providing adequate IAP is typically considered critical to effective and efficient IT security.  However, depending on the entity, IAP management roles and responsibilities may focus solely on IT security or IT and business security.  Roles and responsibilities define relationships among individuals within the entity and have a major impact on control objective achievement.  IAP management responsibilities commonly include:</p>
<ul>
<li><strong><span style="text-decoration: underline">Planning</span></strong> – The security manager should assist in setting objectives and in establishing specific achievable operational goals to accomplish these objectives (Action Plan).  Furthermore, management should evaluate the operational goals selected (Goal Achievement Indicators) and the techniques considered necessary to achieve them (Performance Achievement Indicators).</li>
<li><strong><span style="text-decoration: underline">Organizing</span></strong> – The security manager should acquire and manage resources reflective of the entity’s control environment.  Enabling the integration of available resources requires knowledge of the entity’s organizational <strong>structures</strong>, strategies, systems, skills, personnel, super-ordinate goals and <strong>styles</strong>.</li>
<li><strong><span style="text-decoration: underline">Coordinating</span></strong> – Human resources are normally required to achieve personnel goals and objectives enabling expected job performance.  However, the best planning, organizing, directing and controlling will avail nothing unless capable and sufficient personnel are applied to tasks through a security manager’s active participation in employment practices.</li>
<li><strong><span style="text-decoration: underline">Directing</span></strong> – A security manager’s responsibility is to be proactive, not just simply reactive, regarding information security.  Additionally, a security manager should create and maintain communications and sustain assigned personnel momentum toward defined goals achievement within the entity’s control environment.</li>
<li><strong><span style="text-decoration: underline">Controlling</span></strong> – Normally the security manager is responsible for security controls establishment, measurement systems, and performance appraisals.  The security manager’s options for control emphasis mixture range between dynamic resources redirection and fine tuning organizational processes.</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/it-governance/ebook-excerpt-assuring-information-security-part-xi/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>eBook excerpt: Assuring Information Security – Part X</title>
		<link>http://itknowledgeexchange.techtarget.com/it-governance/ebook-excerpt-assuring-information-security-part-x/</link>
		<comments>http://itknowledgeexchange.techtarget.com/it-governance/ebook-excerpt-assuring-information-security-part-x/#comments</comments>
		<pubDate>Sat, 12 Jan 2013 17:59:02 +0000</pubDate>
		<dc:creator>Robert Davis</dc:creator>
				<category><![CDATA[Accountability]]></category>
		<category><![CDATA[Acquire and Implement]]></category>
		<category><![CDATA[Adaptive Systems]]></category>
		<category><![CDATA[Asset Management]]></category>
		<category><![CDATA[Assurance Services]]></category>
		<category><![CDATA[Availability Management]]></category>
		<category><![CDATA[COBIT Domains]]></category>
		<category><![CDATA[Control Environment]]></category>
		<category><![CDATA[Control Objectives]]></category>
		<category><![CDATA[Control Objectives for Information and related Technology]]></category>
		<category><![CDATA[Deliver and Support]]></category>
		<category><![CDATA[Due Diligence]]></category>
		<category><![CDATA[Fiduciary Responsibility]]></category>
		<category><![CDATA[Framework]]></category>
		<category><![CDATA[Information Assets Protection]]></category>
		<category><![CDATA[Information Security Governance]]></category>
		<category><![CDATA[Information Security Management]]></category>
		<category><![CDATA[ISG]]></category>
		<category><![CDATA[Key Performance Indicators]]></category>
		<category><![CDATA[Monitor and Evaluate]]></category>
		<category><![CDATA[Performance Measurement]]></category>
		<category><![CDATA[Plan and Organize]]></category>
		<category><![CDATA[Risk Management]]></category>
		<category><![CDATA[Strategic Alignment]]></category>
		<category><![CDATA[Value Delivery]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/it-governance/?p=1803</guid>
		<description><![CDATA[Classically, managers are individuals assigned to and functioning at various responsibility, accountability, and authority levels.  Top-level managers are usually responsible for overall entity direction, accountable to stakeholders, and have the authority to establish measurable and achievable high-level goals ensuring adopted high-level objectives attainment.  Middle-level managers are responsible and accountable for programs or activities coordination.  Simultaneously, [...]]]></description>
				<content:encoded><![CDATA[<p>Classically, managers are individuals assigned to and functioning at various responsibility, accountability, and authority levels.  Top-level managers are usually responsible for overall entity direction, accountable to stakeholders, and have the authority to establish measurable and achievable high-level goals ensuring adopted high-level objectives attainment.  Middle-level managers are responsible and accountable for programs or activities coordination.  Simultaneously, these managers are accountable upward regarding entity goals and objectives achievement, and responsible downward as top-level management representatives.  At the lower level management spectrum, managers are generally considered supervisors.  Supervisors are usually responsible for daily operations as well as direct interaction with assigned employees for creating, sustaining, or terminating processes.  Furthermore, supervisors are normally accountable to middle-level management for assigned responsibilities.</p>
]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/it-governance/ebook-excerpt-assuring-information-security-part-x/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>eBook excerpt: Assuring Information Security – Part IX</title>
		<link>http://itknowledgeexchange.techtarget.com/it-governance/ebook-excerpt-assuring-information-security-part-ix/</link>
		<comments>http://itknowledgeexchange.techtarget.com/it-governance/ebook-excerpt-assuring-information-security-part-ix/#comments</comments>
		<pubDate>Thu, 10 Jan 2013 03:33:19 +0000</pubDate>
		<dc:creator>Robert Davis</dc:creator>
				<category><![CDATA[Accountability]]></category>
		<category><![CDATA[Acquire and Implement]]></category>
		<category><![CDATA[Adaptive Systems]]></category>
		<category><![CDATA[Asset Management]]></category>
		<category><![CDATA[Assurance Services]]></category>
		<category><![CDATA[Availability Management]]></category>
		<category><![CDATA[COBIT]]></category>
		<category><![CDATA[COBIT Domains]]></category>
		<category><![CDATA[Control Environment]]></category>
		<category><![CDATA[Control Objectives]]></category>
		<category><![CDATA[Control Objectives for Information and related Technology]]></category>
		<category><![CDATA[Deliver and Support]]></category>
		<category><![CDATA[Due Diligence]]></category>
		<category><![CDATA[Fiduciary Responsibility]]></category>
		<category><![CDATA[Framework]]></category>
		<category><![CDATA[Information Assets Protection]]></category>
		<category><![CDATA[Information Security Governance]]></category>
		<category><![CDATA[Information Security Management]]></category>
		<category><![CDATA[ISG]]></category>
		<category><![CDATA[Key Performance Indicators]]></category>
		<category><![CDATA[Monitor and Evaluate]]></category>
		<category><![CDATA[Performance Measurement]]></category>
		<category><![CDATA[Plan and Organize]]></category>
		<category><![CDATA[Risk Management]]></category>
		<category><![CDATA[Strategic Alignment]]></category>
		<category><![CDATA[Value Delivery]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/it-governance/?p=1800</guid>
		<description><![CDATA[In fulfilling addressable COBIT information criteria, an IAP program should include processes and steps for assessing tangible as well as intangible property.  The distinction between tangible and intangible is the physical nature of the property.  Properties having a physical existence &#8212; such as buildings and fire extinguishers &#8212; are tangible; and properties having no physical [...]]]></description>
				<content:encoded><![CDATA[<p>In fulfilling addressable COBIT information criteria, an IAP program should include processes and steps for assessing tangible as well as intangible property.  The distinction between tangible and intangible is the physical nature of the property.  Properties having a physical existence &#8212; such as buildings and fire extinguishers &#8212; are tangible; and properties having no physical existence &#8212; such as patent rights and computer programs &#8212; are intangible.  Acquired or created information, with ownership rights, should be classified as an intangible asset.  Intangible assets may have explicit or implicit legal protection and retention mandates imposed by governmental entities.  Thus, as with other intangible assets, an entity’s management should provide adequate safeguards to preserve information value as well as comply with applicable information related laws, regulations and standards to fulfill their fiduciary responsibilities.  Consequently, roles for information value delivery and support should be clearly documented for accountability determination.</p>
]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/it-governance/ebook-excerpt-assuring-information-security-part-ix/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>eBook excerpt: Assuring Information Security – Part VIII</title>
		<link>http://itknowledgeexchange.techtarget.com/it-governance/ebook-excerpt-assuring-information-security-part-viii/</link>
		<comments>http://itknowledgeexchange.techtarget.com/it-governance/ebook-excerpt-assuring-information-security-part-viii/#comments</comments>
		<pubDate>Sat, 05 Jan 2013 16:52:32 +0000</pubDate>
		<dc:creator>Robert Davis</dc:creator>
				<category><![CDATA[Accountability]]></category>
		<category><![CDATA[Acquire and Implement]]></category>
		<category><![CDATA[Adaptive Systems]]></category>
		<category><![CDATA[Asset Management]]></category>
		<category><![CDATA[Assurance Services]]></category>
		<category><![CDATA[Availability Management]]></category>
		<category><![CDATA[COBIT]]></category>
		<category><![CDATA[COBIT Domains]]></category>
		<category><![CDATA[Control Environment]]></category>
		<category><![CDATA[Control Objectives]]></category>
		<category><![CDATA[Control Objectives for Information and related Technology]]></category>
		<category><![CDATA[Deliver and Support]]></category>
		<category><![CDATA[Due Diligence]]></category>
		<category><![CDATA[Fiduciary Responsibility]]></category>
		<category><![CDATA[Framework]]></category>
		<category><![CDATA[Information Assets Protection]]></category>
		<category><![CDATA[Information Security Governance]]></category>
		<category><![CDATA[Information Security Management]]></category>
		<category><![CDATA[ISG]]></category>
		<category><![CDATA[Key Performance Indicators]]></category>
		<category><![CDATA[Monitor and Evaluate]]></category>
		<category><![CDATA[Performance Measurement]]></category>
		<category><![CDATA[Plan and Organize]]></category>
		<category><![CDATA[Risk Management]]></category>
		<category><![CDATA[Strategic Alignment]]></category>
		<category><![CDATA[Value Delivery]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/it-governance/?p=1795</guid>
		<description><![CDATA[1.2 IAP Management “Applying similar management practices to [i]nformation security management is unavoidable as the security environment keeps on increasing in complexity and insecurity.” – Security Governance.net Typically, the primary purposes for information systems are reliable, effective data collection, processing, and dissemination.  Information systems should incorporate procedures specifically designed to achieve management’s objectives through adequate [...]]]></description>
				<content:encoded><![CDATA[<p><strong>1.2 IAP Management</strong></p>
<blockquote><p>“Applying similar management practices to [i]nformation security management is unavoidable as the security environment keeps on increasing in complexity and insecurity.” – Security Governance.net</p></blockquote>
<p>Typically, the primary purposes for information systems are reliable, effective data collection, processing, and dissemination.  Information systems should incorporate procedures specifically designed to achieve management’s objectives through adequate control measures.  An entity’s management therefore should consider IAP a required service ensuring relevant information criteria delivery and support.  As suggested by the COBIT framework, an entity’s information delivery and support should integrate effectiveness, efficiency, confidentiality, integrity, availability, compliance, and reliability criteria.</p>
]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/it-governance/ebook-excerpt-assuring-information-security-part-viii/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>eBook excerpt: Assuring Information Security – Part VII</title>
		<link>http://itknowledgeexchange.techtarget.com/it-governance/ebook-excerpt-assuring-information-security-part-vii/</link>
		<comments>http://itknowledgeexchange.techtarget.com/it-governance/ebook-excerpt-assuring-information-security-part-vii/#comments</comments>
		<pubDate>Thu, 03 Jan 2013 01:35:16 +0000</pubDate>
		<dc:creator>Robert Davis</dc:creator>
				<category><![CDATA[Accountability]]></category>
		<category><![CDATA[Acquire and Implement]]></category>
		<category><![CDATA[Adaptive Systems]]></category>
		<category><![CDATA[Asset Management]]></category>
		<category><![CDATA[Assurance Services]]></category>
		<category><![CDATA[Availability Management]]></category>
		<category><![CDATA[COBIT]]></category>
		<category><![CDATA[COBIT Domains]]></category>
		<category><![CDATA[Control Environment]]></category>
		<category><![CDATA[Control Objectives]]></category>
		<category><![CDATA[Control Objectives for Information and related Technology]]></category>
		<category><![CDATA[Deliver and Support]]></category>
		<category><![CDATA[Due Diligence]]></category>
		<category><![CDATA[Fiduciary Responsibility]]></category>
		<category><![CDATA[Framework]]></category>
		<category><![CDATA[Information Assets Protection]]></category>
		<category><![CDATA[Information Security Governance]]></category>
		<category><![CDATA[Information Security Management]]></category>
		<category><![CDATA[ISG]]></category>
		<category><![CDATA[Key Performance Indicators]]></category>
		<category><![CDATA[Monitor and Evaluate]]></category>
		<category><![CDATA[Performance Measurement]]></category>
		<category><![CDATA[Plan and Organize]]></category>
		<category><![CDATA[Risk Management]]></category>
		<category><![CDATA[Strategic Alignment]]></category>
		<category><![CDATA[Value Delivery]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/it-governance/?p=1789</guid>
		<description><![CDATA[Compliance demonstrates acceptance of expected behavior.  Legal compliance is an essential management fiduciary responsibility; however, it is not enough to ensure an adequate control environment.  Derivatively, an entity’s established information control environment must achieve dynamic homeostasis or risk managerial chaos.  Therefore, ISG should be installed to convey management’s control environment attitude, awareness, and actions.  In [...]]]></description>
				<content:encoded><![CDATA[<p><a href="http://itknowledgeexchange.techtarget.com/it-governance/files/2013/01/AIS_FP_RF1.png"><img class="aligncenter size-full wp-image-1790" src="http://itknowledgeexchange.techtarget.com/it-governance/files/2013/01/AIS_FP_RF1.png" alt="" width="432" height="400" /></a></p>
<p>Compliance demonstrates acceptance of expected behavior.  Legal compliance is an essential management fiduciary responsibility; however, it is not enough to ensure an adequate control environment.  Derivatively, an entity’s established information control environment must achieve dynamic homeostasis or risk managerial chaos.  Therefore, ISG should be installed to convey management’s control environment attitude, awareness, and actions.  In particular, ISG management should ensure an adequate IAP program is deployed.  For example, regarding potential repercussions, management’s failure to commit sufficient resources to addressing IT security risks may adversely affect deployed controls by permitting improper changes to computer objects, or by permitting unauthorized transaction processing that negatively impacts business decisions.</p>
]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/it-governance/ebook-excerpt-assuring-information-security-part-vii/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>eBook excerpt: Assuring Information Security – Part VI</title>
		<link>http://itknowledgeexchange.techtarget.com/it-governance/ebook-excerpt-assuring-information-security-part-vi/</link>
		<comments>http://itknowledgeexchange.techtarget.com/it-governance/ebook-excerpt-assuring-information-security-part-vi/#comments</comments>
		<pubDate>Sat, 29 Dec 2012 05:48:07 +0000</pubDate>
		<dc:creator>Robert Davis</dc:creator>
				<category><![CDATA[Accountability]]></category>
		<category><![CDATA[Acquire and Implement]]></category>
		<category><![CDATA[Adaptive Systems]]></category>
		<category><![CDATA[Asset Management]]></category>
		<category><![CDATA[Availability Management]]></category>
		<category><![CDATA[COBIT]]></category>
		<category><![CDATA[COBIT Domains]]></category>
		<category><![CDATA[Control Environment]]></category>
		<category><![CDATA[Control Objectives]]></category>
		<category><![CDATA[Control Objectives for Information and related Technology]]></category>
		<category><![CDATA[Deliver and Support]]></category>
		<category><![CDATA[Due Diligence]]></category>
		<category><![CDATA[Fiduciary Responsibility]]></category>
		<category><![CDATA[Framework]]></category>
		<category><![CDATA[Information Assets Protection]]></category>
		<category><![CDATA[Information Security Governance]]></category>
		<category><![CDATA[Information Security Management]]></category>
		<category><![CDATA[ISG]]></category>
		<category><![CDATA[Key Performance Indicators]]></category>
		<category><![CDATA[Monitor and Evaluate]]></category>
		<category><![CDATA[Performance Measurement]]></category>
		<category><![CDATA[Plan and Organize]]></category>
		<category><![CDATA[Risk Management]]></category>
		<category><![CDATA[Strategic Alignment]]></category>
		<category><![CDATA[Value Delivery]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/it-governance/?p=1786</guid>
		<description><![CDATA[Dynamic homeostasis is steady state achievement by a relatively open system.  This condition is the result of receiving input from outside the system that is at least equal to the sum of system output and resource expenditure.  Thus, a for-profit entity must earn profits in the long run to continue as a functional concern and [...]]]></description>
				<content:encoded><![CDATA[<p>Dynamic homeostasis is steady state achievement by a relatively open system.  This condition is the result of receiving input from outside the system that is at least equal to the sum of system output and resource expenditure.  Thus, a for-profit entity must earn profits in the long run to continue as a functional concern and to grow.  In fact, all organizational units are open systems to a degree because none can operate without some interaction with the surrounding environment.</p>
<p>Control planning allows forecasting future organizational direction and relevant influences as well as deriving the best strategy for accomplishing control objectives (considering the entity’s strengths, weaknesses and foreseeable trends).  Furthermore, the control planning process translates strategy into measurable and operational plans as well as retranslating operational plans into policies, procedures, directives, standards, and rules.  Management’s environmental risk assessments can determine control implementation criticality.</p>
]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/it-governance/ebook-excerpt-assuring-information-security-part-vi/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
