IT Governance, Risk, and Compliance » Management Information System

Risk Management: Is it just another set of business buzzwords? – Part VIII

Robert Davis — Thu, 21 Mar 2013 01:02:03 +0000

IT policies, directives, standards, procedures, and rules should be deployed based on assessed effectiveness and efficiency in addressing managements risk appetite. Deployed controlling and monitoring activities should reflect management’s strategy for ensuring an adequate IT control system. IT control policies and directives can be considered high-level governance documentation while standards, procedures, and rules can be considered detail-level governance documentation. Normally, oversight committees and executive management utilize high-level governance documents to provide general control direction. Whereby, lower-level management converts high-level governance documents into detail-level IT governance documents assisting in ensuring control objective achievement. Developing and implementing IT governance design effectiveness and efficiency can be a multidirectional, interactive, iterative, and adaptive process.

Source

Davis, Robert E. (2011). Assuring IT Governance. Available from http://www.amazon.com/Assuring-Governance-Assurance-Services-ebook/dp/B0058P58E0 and http://www.smashwords.com/books/view/70359

Davis, Robert E. (2006). IT Auditing: IT Governance. Mission Viejo: Pleier. CD-ROM.

Risk Management: Is it just another set of business buzzwords? – Part VII

Robert Davis — Sat, 16 Mar 2013 15:40:08 +0000

Management should establish standards as baselines for measuring quantity, weight, extent, value, or quality. Standards can be considered specific goals or objectives against which performance is compared. Selection of points where performance will be measured is critical to effective standards. Employee accountability affects responsibility for meeting standards. Consequently, responsibility for a standard should be directly correlated to activity responsibility. Without accountability, standards become ineffective measurement tools.

Procedures establish methods for accomplishing an activity, through specific performance, while simultaneously complying with prescribed policies. Prior to determining procedures, processes should be identified and classified to determine control objective impact. In order to create an adequate IT governance framework, management must understand and document operational procedures.

Rules are specific and detailed guides that confine and restrict behavior. Comparatively, rules are the simplest operational plan. A rule requires a specific action to be taken regarding a given situation. For example, “This building is a smoke free environment. Violators will be dismissed without exception.”

Source

Davis, Robert E. (2011). Assuring IT Governance. Available from http://www.amazon.com/Assuring-Governance-Assurance-Services-ebook/dp/B0058P58E0 and http://www.smashwords.com/books/view/70359

Davis, Robert E. (2006). IT Auditing: IT Governance. Mission Viejo: Pleier. CD-ROM.

Risk Management: Is it just another set of business buzzwords? – Part VI

Robert Davis — Thu, 14 Mar 2013 01:10:44 +0000

Controlling and monitoring activities attempting to ensure acceptable risk responses include:

Policies
Directives
Standards
Procedures
Rules

Strategically; policies are definite courses or methods of action selected by management from alternatives, considering the environment, to guide as well as determine present and future decisions. For example, an entity’s IT governance related policy may require IT management obtain signed Service Level Agreements (SLAs) for all deployed systems.

Directives serve or intend to guide, govern, or influence actions or goals. Furthermore, directives should be considered orders or instructions. When activated, entity proxy directives can be interpreted as conveying fiduciary requirements to the assignee. Internal or external central authorities may issue directives as well as individuals. For example, an external aviation agency may direct aircraft operators to carefully inspect a particular airplane wing. Internally, directives are usually documented in memorandums and reflect matters requiring immediate attention. Directives should receive the same due diligence as policies and procedures.

Source

Davis, Robert E. (2011). Assuring IT Governance. Available from http://www.amazon.com/Assuring-Governance-Assurance-Services-ebook/dp/B0058P58E0 and http://www.smashwords.com/books/view/70359

Davis, Robert E. (2006). IT Auditing: IT Governance. Mission Viejo: Pleier. CD-ROM.

Risk Management: Is it just another set of business buzzwords? – Part V

Robert Davis — Fri, 08 Mar 2013 22:41:01 +0000

Usually, IT risk analysis has four primary goals:

Identifying assets and their associated values
Identifying vulnerabilities and threats
Quantifying the probability and business impact of potential threats
Providing an economic balance between threat impact and countermeasure cost

Normally, the IT Threat Assessment precedes the IT Vulnerability Assessment. However, Vulnerability Analysis results can identify relevant threats and Threat or Opportunity Analysis results can identify relevant vulnerabilities. The Association of Insurance and Risk Managers, the Association of Local Authority Risk Managers, and the Institute of Risk Management business risk model categories can be mapped into IT risk analysis. For example, usually risk identification, description, and estimation are respectively included as asset valuation, action plan, and risk evaluation sub-processes.

Source

Davis, Robert E. (2011). Assuring IT Governance. Available from http://www.amazon.com/Assuring-Governance-Assurance-Services-ebook/dp/B0058P58E0 and http://www.smashwords.com/books/view/70359

Davis, Robert E. (2006). IT Auditing: IT Governance. Mission Viejo: Pleier. CD-ROM.

Risk Management: Is it just another set of business buzzwords? – Part IV

Robert Davis — Thu, 07 Mar 2013 01:54:36 +0000

The risk management process introduces a systematic approach for identifying, assessing, and reducing risks as well as maintaining defined acceptable risk levels. An IT risk assessment should be considered a key risk management practice area. When management institutionalizes an IT governance risk assessment methodology, quantitative and/or qualitative factors effecting business processes should be considered, evaluated, and documented to enable suitable event responses. Management’s IT processes risk assessment determines IT potential opportunity cost and control implementation criticality. Quantitative risk calculations include:

Exposure Factor = Percentage of asset lost caused by identified risk
Single Loss Expectancy (SLE) = Asset Value X Exposure Factor
Annualized Rate of Occurrence (ARO) = Estimated frequency a threat will occur within a year
Annualized Loss Expectancy (ALE) = SLE X ARO
Safeguard Cost/Benefit Analysis = (ALE before implementing safeguard) – (ALE after implementing safeguard) – (annual cost of safeguard)

Source

Davis, Robert E. (2011). Assuring IT Governance. Available from http://www.amazon.com/Assuring-Governance-Assurance-Services-ebook/dp/B0058P58E0 and http://www.smashwords.com/books/view/70359

Davis, Robert E. (2006). IT Auditing: IT Governance. Mission Viejo: Pleier. CD-ROM.

Risk Management: Is it just another set of business buzzwords? – Part III

Robert Davis — Sat, 02 Mar 2013 16:38:44 +0000

Similar to business risk management, IT risk management is a continuous process that should be interlaced into the fabric of an entity. IT risks directly impact an entity’s ability to provide goods and/or services at an acceptable price. Inherently, computer hardware and software as well as personnel present potential risks to an entity achieving business objectives.

Through appropriate management, risks can be accepted, reduced, or transferred; however, IT related risk can never be completely eliminated. Minimally, IT governance risk management should address strategic alignment, value delivery, resource management, and performance measurement. Depending on the circumstances, entity and IT governance domain characteristics may overlap or have distinctiveness, yet IT controls continuity and stability can be sustained even when governance domain characteristics are mutually inclusive.

Source

Davis, Robert E. (2011). Assuring IT Governance. Available from http://www.amazon.com/Assuring-Governance-Assurance-Services-ebook/dp/B0058P58E0 and http://www.smashwords.com/books/view/70359

Davis, Robert E. (2006). IT Auditing: IT Governance. Mission Viejo: Pleier. CD-ROM.

Critical Incident Response Elements – Part IV

Robert Davis — Mon, 03 Aug 2009 18:16:31 +0000

Managing an appropriate security incident response is typically a crucial business requirement. To enable effective management, a security MIS should correlate data to intended usage to determine security failure repercussions. Considering the primary contingency management objective is providing solutions through understanding of risk, an adequate IT security incident response depends on timely, reliable information to assess risks and subsequently apply resources.

“View Part I of the Critical Incident Response Elements series here“

Critical Incident Response Elements – Part III

Robert Davis — Thu, 30 Jul 2009 18:25:34 +0000

There exist various theories concerning managing employees during a crisis scenario. Nevertheless, security incident response tactics should be viewed as a unique application of contingency management theory that can be coupled with sound risk management practices to enable appropriate situational resolution. Contingency management practitioners assume finding and applying relevant available resources suitable for a circumstantial answer to a managerial concern will render the appropriate solution to an incident. Conjoined, risk management incorporates a systematic approach for identifying risk and defining the impact on an entity’s ability to provide goods and/or services. Therefore, security incident response applicability can be found in availability, responsibility, and authority contingency management attributes directed toward addressing ‘at risk’ information assets.

“View Part I of the Critical Incident Response Elements series here“

Critical Incident Response Elements – Part II

Robert Davis — Mon, 27 Jul 2009 20:31:17 +0000

By definition, an entity’s management information system (MIS) represents an aggregation of personnel, computer hardware and software, as well as procedures that process data in order to generate utilizable information for decision-making. Data elements, activity, function operation, and system are the pyramided classifications that delineate information requirements. Dialectally, an entity’s security MIS can become the catalyst for providing superior incident resolution through timely and reliable incident response data when the notification process is properly designed.

Gathering evidence that inappropriate or malicious activity has occurred is a control objective for threat management. Information security threat management controls should be configured to identify inappropriate or malicious activity within a computing environment. Since absolute computer security is impossible, management must classify misuse based on organizational impact. Categorically, security misuse can be designated as intentional or unintentional. In this regard, when constructing intentional misuse information asset records, field titling should address incident descriptions such as exploited vulnerability details (including unauthorized reading, modification, or destruction of data); as well as affected information assets and attack sources.

“View Part I of the Critical Incident Response Elements series here“

Critical Incident Response Elements – Part I

Robert Davis — Thu, 23 Jul 2009 16:53:59 +0000

Information technology is completely secure when resources are utilized and accessed as intended under all circumstances. Through delegation, every entity manager assumes responsibility for maintaining an adequate control system that safeguards assets. However, information security managers are typically charged with responding to intrusions negatively impacting organizational information assets. Thus, security incursions transform information security managers into chief threat firefighters directing resources to extinguish security breach flames. To competently perform this security service, two critical incident response elements are necessary: information and organization.