IT Governance, Risk, and Compliance

Mar 24 2009   7:11PM GMT

Control Assessments – Part II

Robert Davis

Management needs to understand the status of the entity’s IT systems to decide what safeguarding mechanisms should be deployed to meet business requirements. When IAP monitoring is built into the entity’s operating activities, and process performance is reviewed on a real-time basis, control degradation can easily be ascertained for expeditious remediation. Characteristically, productive monitoring activities dynamically adapt to environmental factors, with each control assessment being performed according to an authorized plan reflecting the evaluation type, assurance level, and information classification.

Monitoring and evaluating the current state of implemented controls may take a variety of forms, including control self-assessments and IT audits. Furthermore, an IT auditor may not be the individual who executes an entity’s information security internal control review (ICR). However, an IT auditor may subsequently assess an ICR for effectiveness and/or efficiency. In the regulatory arena, a negative finding, coupled with prompt corrective actions, can mitigate civil and criminal enforcement penalties, thereby potentially reducing or avoiding legal risks.

View Part I of the Control Assessments series here
