IT Governance, Risk, and Compliance » ISSM

Business Continuity and IT Availability – Part VIII

Robert Davis — Tue, 26 Jul 2011 20:04:12 +0000

Directly, an entity’s DRP has a significant affect on the viability of IT and information security governance programs. Indirectly, IT and information security governance programs may impact stakeholder assessed entity value. Regardless of organizational formation — corporation, partnership, co-operative, or agency — management has a generally accepted duty to plan and enact strategies permitting the entity’s survival under less than idealistic conditions. Literally, adequate business continuity management (BCM) requires securing assets that offset catastrophic events. Therefore, management should ensure ‘best practices’ DRP is deployed within the IT and information security governance frameworks as well as visibly communicate commitment expectations for sustaining a sound and effective continuity program.

“View Part I of the Business Continuity and IT Availability series here“

Business Continuity and IT Availability – Part VII

Robert Davis — Fri, 22 Jul 2011 17:35:49 +0000

Through establishment and deployment of an emergency management program, top-level personnel can send a clear message to everyone in the entity that business continuity and disaster recovery control responsibilities are taken seriously. If properly institutionalized, lower-level personnel will endeavor to understand germane aspects of the entity’s continuity systems, and how they operate, as well as their own roles and responsibilities within the control program.

Within the confidentiality, integrity, and availability (C-I-A) triad; pertinent financial and non-financial information relating to external or internal events, as well as daily activities, should be identified, captured, and communicated properly and in a timely manner to decision makers. When required, established entity communication channels should permit authorized information flows throughout the organizational structure, with all relevant internal and external data reliably conveyed to intended recipients.

“View Part I of the Business Continuity and IT Availability series here“

Business Continuity and IT Availability – Part VI

Robert Davis — Tue, 19 Jul 2011 20:04:26 +0000

Considering the interconnectivity of national economies through computer networks, entities are more vulnerable than ever to the possibility of technical difficulties disrupting business at any point in the communication chain. From flood or fire to computer-virus or denial-of-service, disasters can affect information assets crucial to conducting business locally, regionally, and globally.

To enable beneficial IT and information security service delivery and support (as with all processes) appropriate objectives, goals, policies, procedures, standards and rules are required. Specifically, utilizing standards for ITSM usually generates benefits the moment an entity decides to rely on a business continuity service provider. For example, using a publicly available, generally accepted, standard as the basis for a SLA between the entity and disaster recovery service partners will normally generate fewer disputes and lower costs.

“View Part I of the Business Continuity and IT Availability series here“

Business Continuity and IT Availability – Part V

Robert Davis — Fri, 15 Jul 2011 02:44:20 +0000

Managerial concerns normally include: excessive business costs, forgone business opportunities, and potential revenue losses. When a business interruption occurs, restored information assets may affect operational effectiveness and efficiency. Potentially, the IT function’s costs could escalate beyond tolerable limits, while user departments experience a general productivity and/or critical resource loss disabling pursuing business opportunities as well as economical revenue generation. Specifically, errors in data back-up, storage, maintenance, retention and restoration may interfere with fulfilling organizational continuity and availability objectives. For example, many entities rely on available information to provide feedback on divisional and departmental performance. Errors in restored information could reduce management’s ability to evaluate performance and take appropriate corrective action; thus diminishing program, system and process monitoring effectiveness.

“View Part I of the Business Continuity and IT Availability series here“

Business Continuity and IT Availability – Part IV

Robert Davis — Tue, 12 Jul 2011 21:32:25 +0000

Where accepted as a managerial responsibility, an adequate ISG program should have security professionals participating in system life cycle design, acquisition, testing, and maintenance phases to ensure business continuity as well as availability requirements are appropriately incorporated, that selected contingency configuration items function as intended and that deployed service restoration features are not compromised during maintenance.

As synthesized sub-frameworks, Information Technology Service Management (ITSM) and Information Security Service Management (ISSM) promote entity information technology and information security units actively identifying services customers need; then focusing on planning and delivering defined services to meet availability as well as continuity requirements. Internally and externally; IT and/or information security units should manage accepted service-level agreements (SLAs) to meet agreed-upon service restoration targets.

“View Part I of the Business Continuity and IT Availability series here“

Measuring Delivery Value – Part IV

Robert Davis — Mon, 27 Apr 2009 18:25:27 +0000

Performance measurement is a control activity. Measurement techniques are the means for effective information security performance monitoring. “Selective measurement utility is realized when a critical few indicators permit accurate and timely information for decision-making and, by extension, appropriate information assets protection.” KPIs provide the critical measuring technique for aligned objectives and goals. Adequate KPIs permit comparative analysis for assessing resource deployment and utilization success. When processes are evaluated within the pre-established context, KPIs enable rapid resource mobilization, substitution and/or elimination for organizational objectives fulfillment.

“View Part I of the Measuring Delivery Value series here“

Measuring Delivery Value – Part III

Robert Davis — Thu, 23 Apr 2009 18:41:22 +0000

Information security service management can include financial and non-financial indicators to enable performance assessments. However, selected indicators must represent a mathematically measurable quality. An adopted KPI should have an established target, associated with a completion date and a path for improvement. Furthermore, an adequate KPI enables determination of the degree of change from the current state to future expectations. For instance, an information security goal might address access privileges. Consequently, considering the current state requires comparison to accepted standards for performance measurement, the “time to grant access privileges” KPI would specify whether the measurement duration is in minutes, hours or days. Reflecting the established time basis, a target for the KPI can be derived. Therefore, “reduce time to grant access privileges by four percent per year” communicates a clear target that employees should understand and undertake specific actions to accomplish.

One of the managerial challenges for process-driven entities is integrating ‘leading indicators’ into KPIs. Similar to leading economic indicators, information security leading KPIs enable swift conditional service delivery responses to ‘code red’ impact alerts. If leading indicators are properly implemented, management can preemptively adjust a process (or processes) before the expiration date on achieving an expected outcome.

“View Part I of the Measuring Delivery Value series here“

Measuring Delivery Value – Part II

Robert Davis — Mon, 20 Apr 2009 19:42:38 +0000

Procedurally, once information security management has analyzed the entity-centric mission, identified stakeholders, and defined objectives; goals must be established with appropriate performance indicators for status assessments. “Practical information security service delivery and support utilization requires identification of a critical few measurement indicators in each of the relevant measurement domains that align safeguarding initiatives to targeted processes and activities. At the detail-level, these few critical measurements represent key performance indicators [(KPIs)] tailored to gauge objective achievement elements. To effectively drive performance alignment, entities should utilize expected outcomes to enable multiple measurements identification so the positive impact safeguarding investments contribute are visible.”

KPIs are utilized to measure achievements through comparative analyses. Information accuracy and consistency are rudimentary to measurement reliance. If KPIs are going to reliably convey activity status, management must accurately define and consistently measure expectations. That is, activity calculation inputs must be understood and accepted by those accountable for expected performance until revision notification.

“View Part I of the Measuring Delivery Value series here“

Measuring Delivery Value – Part I

Robert Davis — Fri, 17 Apr 2009 17:56:48 +0000

Considering adamant demands for continuous process improvements, focus on overall information protection and delivery value in terms of enabled services has become a managerial necessity. Information Security Service Management is a set of processes enabling and potentially optimizing IT security services for an entity in order to satisfy business requirements, while simultaneously providing strategic and tactical IT security infrastructure management. Consequently, information security service level management should be considered quality of service administration permitting demonstrable process improvement contributions. Measuring, monitoring and reporting on information security processes assist in ensuring organizational objectives are achieved.

Measuring Performance – Part IV

Robert Davis — Tue, 14 Apr 2009 01:08:28 +0000

Selective measurement utility is realized when a critical few indicators permit accurate and timely information for decision-making and, by extension, appropriate information assets protection. Individually, measurement techniques are the means for effective IT security performance monitoring. Collectively, IT security services financial management and maturity modeling are powerful high-level tools for assessing the achievement of objectives and goals.

“View Part I of the Measuring Performance series here“