Information Security Management

Revisiting the Safeguarding of Information Assets – Part II

Considering fiduciary tenets and accepting ISG utilizes a top-down approach for legal requirements compliance, if the entity’s executive management has an established or enforceable fiduciary duty then organizational personnel are expected to adhere to and sustain the defined obligation....

Revisiting the Safeguarding of Information Assets – Part I

Information Security Governance (ISG) normally addresses creating and implementing a ‘system of security controls’ that enable ethical and/or legal managerial responsibilities fulfillment for information assets protection (IAP). Ethically, management must protect an entity’s information...

eBook excerpt: Assuring Information Security – Part XV

Usually, it is easier to purchase an IT solution addressing IAP than to change a culture.  However; even the most secure system will not achieve a significant degree of protection if utilized by “ill-informed, untrained, careless or indifferent personnel.”  A well-structured information...

eBook excerpt: Assuring Information Security – Part XIV

With respect to IAP, the information security function should:

• establish processes for provisioning user accounts
• ensure all entity positions are reviewed for sensitivity level
• document procedures for friendly and unfriendly terminations
• install...

eBook excerpt: Assuring Information Security – Part XIII

1.3 Entity Employees

“The first line of defense from insider threats is the employees themselves.” – Software Engineering Institute (SEI)

eBook excerpt: Assuring Information Security – Part XII

If management views an IAP program as a methodology for achieving information systems goals and objectives, the adopted processes can enable a series of assessments defining control usefulness and control deployment; while conjunctively correlating effectiveness and efficiency directly linked to...

eBook excerpt: Assuring Information Security – Part XI

Roles and responsibilities assignment for providing adequate IAP is typically considered critical to effective and efficient IT security.  However, depending on the entity, IAP management roles and responsibilities may focus solely on IT security or IT and business security.  Roles and...

eBook excerpt: Assuring Information Security – Part X

Classically, managers are individuals assigned to and functioning at various responsibility, accountability, and authority levels.  Top-level managers are usually responsible for overall entity direction, accountable to stakeholders, and have the authority to establish measurable and achievable...

eBook excerpt: Assuring Information Security – Part IX

In fulfilling addressable COBIT information criteria, an IAP program should include processes and steps for assessing tangible as well as intangible property.  The distinction between tangible and intangible is the physical nature of the property.  Properties having a physical existence -- such...

eBook excerpt: Assuring Information Security – Part VIII

1.2 IAP Management

“Applying similar management practices to [i]nformation security management is unavoidable as the security environment keeps on increasing in complexity and insecurity.” – Security...