IT Governance, Risk, and Compliance » Methodology

Supporting ISG Deployment – Part V

Robert Davis — Thu, 17 Sep 2009 19:15:47 +0000

What ever your perspective may be, the importance of effective and efficient ISG cannot be overlooked in the current global high technology environment. Considering what is at stake for most entities, when security is compromised, usually justifying ISG deployment based on one viewpoint narrows managerial suitability and expected benefits. In the final analysis, combining the discussed individual abstraction level may provide the most appropriate support for institutionalizing ISG.

“View Part I of the Supporting ISG Deployment series here“

Supporting ISG Deployment – Part IV

Robert Davis — Mon, 14 Sep 2009 18:19:24 +0000

If, however, you assume ISG provides financial and/or reputational benefits, potential stakeholders are presumed to rely upon governance elements prior to investing their time, talent, and/or money. Therefore, ascertaining the effectiveness and efficiency of entity-centric information security objectives, through adequate monitoring, is rudimentary to sound business practices for satisfying stakeholder safeguarding expectations. In this regard, effectiveness and efficiency evaluation requires measurement against established standards. The performance measures should be established when standards are created or adopted. Techniques utilized for ISG implementation include: maturity modeling, budgeting, benchmarking, and gap analysis. Base on the perceived opportunity for enrichment, with provable risk reductions, publicized superior ISG deployment may attract additional investors.

“View Part I of the Supporting ISG Deployment series here“

Supporting ISG Deployment – Part III

Robert Davis — Thu, 10 Sep 2009 21:01:48 +0000

Alternatively, if you perceive ISG as a descriptive prescription for achieving managerial objectives, the adopted ISG methodology should provide security assessments defining strategic, tactical, and operational risks. Management usually is vigilant regarding the cost of controls and the benefits that can be derived from controls deployment and utilization, while achieving an entity’s strategic direction. Concurrently, auditors are concerned with the impact of information security controls on an entity’s internal control system. To redress cost-benefit, strategic direction as well as control impact issues, ISG effectiveness and efficiency directly related to managerial responsibility, accountability, and authority structure should be demonstrated through appropriate measurement tools. Therefore, at the methodological root, understanding ISG roles are considered crucial to managing secure processes.

“View Part I of the Supporting ISG Deployment series here“

Supporting ISG Deployment – Part II

Robert Davis — Tue, 08 Sep 2009 18:56:07 +0000

If you envision ISG as a framework servicing entity and ‘IT governance‘, then structurally, ISG should be implemented as an organizational program with objectives, goals, policies, procedures, standards, and rules designed to accomplish management’s intentions. To drive safeguarding controls, ISG should receive ‘significant program’ status because other entity and IT programs are directly impacted by ISG effectiveness. Furthermore, efficiency of controls should be obtained through models available to assist in deploying ISG.

“View Part I of the Supporting ISG Deployment series here“

Supporting ISG Deployment – Part I

Robert Davis — Thu, 03 Sep 2009 20:04:13 +0000

Traversing to and aligning with potential ‘Governance Tree‘ third-tier abstraction levels; information security governance (ISG) can be viewed as a framework, methodology, or technique. Framing ISG enables a “system of controls” assisting in assuring organizational goals and objectives are achieved effectively and efficiently. Methodologically, ISG furnishes descriptive details of the role direction and controls play in achieving entity-centric objectives. Lastly, as a technique, ISG provides processes and steps that can generate superior financial and/or reputational returns for stakeholders.

How Does Management Support Deploying IT Governance?

Robert Davis — Mon, 09 Feb 2009 20:02:07 +0000

Depending on your abstraction level, IT governance can be viewed as a framework, methodology, or technique. As a framework, IT governance enables a “system of controls” assisting in assuring organizational goals and objectives are achieved effectively and efficiently. As a methodology, IT governance furnishes a description of the role entity direction and controls play in achieving information systems objectives. Lastly, as a technique, IT governance provides processes and steps that can generate superior financial and/or reputational returns for stakeholders.

If you view IT governance as a framework for assisting in organizational governance, then structurally, IT governance should be implemented as an organizational program with objectives, goals, policies, procedures, standards, and rules designed to accomplish management’s intentions. To drive controls, IT governance should subsequently receive ‘significant program’ status because other program results are directly impacted by IT governance effectiveness results — such as control self-assessment (CSA) and quality control (QC) programs. Furthermore, efficiency of controls should be obtained through models available to assist in deploying IT governance; including The Institute of Internal Auditors’ Systems Auditability and Control (SAC) framework and the Information Systems Audit and Control Association’s Control Objectives for Information and related Technology (COBIT) framework.

Alternatively, if you perceive IT governance as a description for achieving information systems objectives, the adopted IT governance methodology should provide management with a series of assessments defining control usefulness and control deployment — with IT governance effectiveness and efficiency directly related to management’s responsibility, accountability, and authority structure demonstrated. Management usually is concerned with the cost of controls and the benefits that can be derived from controls deployment and utilization while achieving an entity’s strategic direction. Hence, understanding IT governance roles are considered key to managing information systems.

If, however, you assume IT governance provides financial and/or reputational benefits, potential stakeholders are presumed to rely upon governance elements prior to investing their time, talent, and/or money. Therefore, ascertaining IT objectives effectiveness and efficiency, through monitoring, is rudimentary to sound business practices for satisfying stakeholder expectations. In this regard, effectiveness and efficiency evaluation requires measurement against established standards. The performance measures should be established when standards are created or adopted. Techniques utilized for IT governance implementation include capability maturity modeling, budgeting, benchmarking, and gap analysis. Supporting the belief that IT governance is a financial enhancement technique, the Center for Information Systems Research (CISR) has suggested that organizations with exceptional IT governance have higher profits than organizations with inferior governance, given the same strategic objective. Based on financial opportunity, with an organization’s reputation enhanced through demonstrated profitability when employing IT governance, new stakeholders may be attracted to the organization as a corollary benefit.

Whatever your perspective may be, the importance of effective and efficient IT governance cannot be overlooked in the current global high technology environment. Considering what is at stake politically, economically and technically for most organizations; usually justifying IT governance deployment based on one viewpoint narrows suitability and expected benefits. In the final analysis, combining the discussed individual abstraction levels may be the most appropriate support for implementing IT governance.