Control Self-assessment archives - IT Governance, Risk, and Compliance


Mar 31 2009   9:36PM GMT

Control Assessments - Part IV



Posted by: Robert E. Davis
Assurance Services, Control Self-assessment, Illegal Acts, Information Asset Protection, Information Security Management, Internal Control Review, Irregularities, CSA, IAP, ICR

Arguably, data security is the most significant domain supporting information reliability. Entity oversight committees should monitor control activities for ongoing relevance and effectiveness, as well as management's responses to information security recommendations. If installed systems are inadequately protected, the integrity of the data they process cannot be assured. An entity's IT employees need to bring a fundamental understanding of operational requirements and security to their professional duties, so that sustained confidentiality, integrity, and availability are achieved through appropriate consideration of control assessment results.

View Part I of the Control Assessments series below.

Mar 28 2009   8:20PM GMT

Control Assessments - Part III



Posted by: Robert E. Davis
Assurance Services, Control Self-assessment, Illegal Acts, Information Asset Protection, Information Security Management, Internal Control Review, Irregularities, CSA, IAP, ICR

Information security managers should prepare for audits by using control self-assessments to verify compliance with laws, regulations, policies, and procedures. It is always sound practice to plan annual control self-assessments strategically. Testing information security practices helps evaluate the designed processes and validates that deployed controls are functioning as intended. Following a cyclic approach to control self-assessments cannot guarantee clean audit reports; it will, however, help ensure the security department understands governance expectations before the auditors arrive.

There are a few traditional events that occur once a year; some are considered cheerful, while others are considered dreadful. Regarding IT audits, enlightened security managers approach the assurance process as a periodic assessment of the way business is conducted throughout the year, one that provides an external view of the current state of IAP controls from knowledgeable professionals. The IAP managers who normally encounter difficulties during audits are those who adopt an adversarial posture. IT auditors are not storm troopers sent to dismantle departmental efficiency, and security managers who build communication firewalls and 'honeypots' on the premise that the audit is an organizational threat have misinterpreted generally accepted IT audit objectives.

View Part I of the Control Assessments series below.


Mar 24 2009   7:11PM GMT

Control Assessments - Part II



Posted by: Robert E. Davis
Assurance Services, Control Self-assessment, Illegal Acts, Information Asset Protection, Information Security Management, Internal Control Review, Irregularities, CSA, IAP, ICR

Management needs to understand the status of the entity's IT systems to decide which safeguarding mechanisms should be deployed to meet business requirements. When IAP monitoring is built into the entity's operating activities and process performance is reviewed on a real-time basis, control degradation can be ascertained early and remediated expeditiously. Characteristically, productive monitoring activities adapt dynamically to environmental factors, with each control assessment performed according to an authorized plan that reflects the evaluation type, the assurance level, and the classification of the information involved.

Monitoring and evaluating the current state of implemented controls may take a variety of forms, including control self-assessments and IT audits. Note that an IT auditor need not be the individual who executes an entity's information security internal control review (ICR); an IT auditor may, however, subsequently assess that ICR for effectiveness and/or efficiency. In the regulatory arena, a negative finding coupled with prompt corrective action can mitigate civil and criminal enforcement penalties, thereby reducing or avoiding legal risk.

View Part I of the Control Assessments series below.


Mar 19 2009   7:56PM GMT

Control Assessments - Part I



Posted by: Robert E. Davis
Assurance Services, Control Self-assessment, Illegal Acts, Information Asset Protection, Information Security Management, Internal Control Review, Irregularities, CSA, IAP

For most entities, compliance management for information and related technologies is critical to survival as well as success. As with other organizational programs, security compliance does not occur through managerial intent transmissions from a remote planet in some distant galaxy far, far away. Typically, an entity's oversight committee and subordinate management periodically evaluate the effectiveness of the information assets protection (IAP) program: its responsiveness to recommendations, its control and monitoring activities, and its ability to prevent or detect irregular and illegal acts. Consequently, information security managers should continually seek to improve IAP controls.


Feb 9 2009   8:02PM GMT

How Does Management Support Deploying IT Governance?



Posted by: Robert E. Davis
Framework, Methodology, Technique, COBIT, ITGI, ISACA, IT Governance, Management Information Systems, Control Self-assessment, Quality Assurance Program

Depending on your abstraction level, IT governance can be viewed as a framework, a methodology, or a technique. As a framework, IT governance provides a "system of controls" that helps assure organizational goals and objectives are achieved effectively and efficiently. As a methodology, IT governance describes the role that entity direction and controls play in achieving information systems objectives. Lastly, as a technique, IT governance provides processes and steps that can generate superior financial and/or reputational returns for stakeholders.

If you view IT governance as a framework for assisting in organizational governance, then structurally it should be implemented as an organizational program with objectives, goals, policies, procedures, standards, and rules designed to accomplish management's intentions. To drive controls, IT governance should receive 'significant program' status, because the results of other programs, such as the control self-assessment (CSA) and quality control (QC) programs, are directly affected by how effective IT governance is. Furthermore, control efficiency should be pursued through the models available to assist in deploying IT governance, including The Institute of Internal Auditors' Systems Auditability and Control (SAC) framework and the Information Systems Audit and Control Association's Control Objectives for Information and related Technology (COBIT) framework.

Alternatively, if you perceive IT governance as a description of how information systems objectives are achieved, the adopted IT governance methodology should provide management with a series of assessments defining control usefulness and control deployment, with IT governance effectiveness and efficiency directly related to the responsibility, accountability, and authority structure that management demonstrates. Management is usually concerned with the cost of controls and the benefits that can be derived from deploying and using them while achieving the entity's strategic direction. Hence, understanding IT governance roles is considered key to managing information systems.

If, however, you assume IT governance provides financial and/or reputational benefits, potential stakeholders are presumed to rely upon governance elements before investing their time, talent, and/or money. Therefore, ascertaining the effectiveness and efficiency of IT objectives through monitoring is fundamental to sound business practice for satisfying stakeholder expectations. In this regard, evaluating effectiveness and efficiency requires measurement against established standards, and the performance measures should be defined when those standards are created or adopted. Techniques used to implement IT governance include capability maturity modeling, budgeting, benchmarking, and gap analysis. Supporting the belief that IT governance is a financial enhancement technique, the Center for Information Systems Research (CISR) has suggested that organizations with exceptional IT governance have higher profits than organizations with inferior governance, given the same strategic objective. Given that financial opportunity, and with the organization's reputation enhanced through the profitability it demonstrates when employing IT governance, new stakeholders may be attracted to the organization as a corollary benefit.

Whatever your perspective may be, the importance of effective and efficient IT governance cannot be overlooked in the current global high-technology environment. Considering what is at stake politically, economically, and technically for most organizations, justifying IT governance deployment on the basis of a single viewpoint usually narrows its suitability and expected benefits. In the final analysis, combining the abstraction levels discussed above may be the most appropriate support for implementing IT governance.