Governance and Internal Controls for Cutting Edge IT

KAREN F. WORSTELL
Copyright Date: 2013
Published by: IT Governance Publishing
Pages: 133
https://www.jstor.org/stable/j.ctt5hh56p
    Book Description:

    In Governance and Internal Controls for Cutting Edge IT, Karen Worstell explains strategies and techniques to guide IT managers as they implement cutting edge solutions for their business needs. Based on practical experience and real-life models, she covers key principles and processes for the introduction of new technologies and examines how to establish an appropriate standard of security and control, particularly in the context of the COBIT 5 framework and affiliated standards.

    This book will enable you to:

      • Optimize your resources by making the most of the potential benefits, and being aware of the potential risks, of your IT provision.
      • Improve your stakeholder relationships by enhancing your service management and delivery through the application of appropriate standards.
      • Apply security and control methods that are suitable for your business.
      • Maximize the opportunities that are presented by compliance legislation and regulations.
      • Manage your data storage, data recovery and data migration, particularly in the context of the Cloud.
      • Ensure business continuity in the face of an incident, and implement strategies to cover the risk of business interruption when using the Cloud.

    eISBN: 978-1-84928-453-0
    Subjects: Technology, Business

Table of Contents

  1. Front Matter
    (pp. 1-4)
  2. ABOUT THE AUTHOR
    (pp. 5-6)
  3. ACKNOWLEDGEMENTS
    (pp. 7-9)
  4. Table of Contents
    (pp. 10-11)
  5. INTRODUCTION
    (pp. 12-29)

    My entire professional career, as well as that of my husband, has been in information security, risk, and controls. For the better part of 30 years, we found ourselves in countless discussions with management of various organizations, enumerating risks and recommendations to protect company reputation, information, business capability, and adoption of emerging technology. Readers of this book will relate to the typical management discussion scenario: imprecision about the exact nature of the risk and its probability of occurrence, and lack of definition about the costs associated with an acceptable level of mitigation. It is subjective opinion to describe what could...

  6. CHAPTER 1: CUTTING EDGE IT
    (pp. 30-51)

    Technology enabled organizations may seize opportunity either in exploiting new technology that holds great promise, or delivering on innovation to delight the customer. Perhaps the business opportunity is one involving a new line of business, or an adjustment associated with a move, merger, or acquisition. What happens with IT? Often the IT organizational reality is delayed or underwhelming deployments, and the culprit is an unknown baseline of capability.

    A baseline of capability documents existing processes, assets, resources, and skills throughout the IT function in an enterprise. It gathers information pertaining to IT’s ability to satisfy the needs of the business...

  7. CHAPTER 2: GOVERNANCE
    (pp. 52-62)

    Governance is the means by which IT and the business establish present and future goals for IT, to ensure IT is a strategic enabler of the business, delivering quantifiable business value on its investments. The moves to outsourcing and Cloud Computing make governance even more critical than in a traditional environment.

    In general terms, corporate governance of IT involves evaluating, directing, and monitoring the usage of IT. This spans the planning, design, development, deployment, operation, management, and application of IT to meet the needs of the business. It involves ensuring that the capability being delivered aligns with the needs of...

  8. CHAPTER 3: LEGISLATIVE AND REGULATORY COMPLIANCE CONCERNS
    (pp. 63-72)

    A critical input to the IT strategy and governance is the set of policies and requirements for business legal and regulatory compliance. ISO/IEC 27001:2005 Clause 4.2.1(b) 2 is a mandatory clause for any organization seeking ISO27001 certification (or to meet the intent of ISO27001) and it states:

    “Define an ISMS (Information Security Management System) policy in terms of the characteristics of the business, the organization, its location, assets and technology that takes into account business and legal or regulatory requirements, and contractual security obligations.”

    It clarifies that the ISMS policy is a superset of the information security policy. The ISMS fits well...

  9. CHAPTER 4: GETTING THE BUSINESS CASE RIGHT
    (pp. 73-92)

    Not since the advent of the commercialization of the Internet has so much computing capability become available, and for such an attractive price. For every enterprise CIO charged with reducing the cost of utility computing, for every startup that cannot afford up-front investment in machine-room/data center computing power, Cloud Computing beckons.

    The business case for Cloud Computing is well-documented: it is green, it is pay-on-demand for only the services needed. At a first glance, it is hard to think of concrete reasons why one would not embrace Cloud Computing for its sheer efficiency. The purpose of this section is to...

  10. CHAPTER 5: SERVICE LEVEL MANAGEMENT
    (pp. 93-95)

    According to ITIL®, the primary objective of service management is to ensure that “the IT services are aligned to the business needs and actively support them.” IT supports the business, but also acts as a change agent for business transformation.

    Service management is critical to successful change in adopting new technology for cutting edge IT. The lifecycle Plan-Do-Check-Act is elegantly simple as a high-level process, as defined in the ISO quality standards including ISO20000 (Information Technology – Service Management). Service management does not begin with operations after technology deployment, but is part of the earliest planning and design stages to...

  11. CHAPTER 6: SECURITY AND CONTROL APPROACH
    (pp. 96-105)

    Security is indeed the chief enemy of mortals. We humans are made to overcome challenges, solve problems, and forge ahead. In the history of classic IT security, where the emphasis is on confidentiality, integrity, and availability, necessary practices and controls meant longer, slower, more expensive – but not necessarily better. Further, the implementation of improved controls (most often at the expense of “sexier” IT projects) has not resulted in a permanent improvement in the security status, because the threat to electronic information assets in every arena is rapidly expanding, creating a frustratingly rapid (upward) moving bar.

    Security is notoriously hard...

  12. CHAPTER 7: DATA MANAGEMENT
    (pp. 106-115)

    At the end of the first half of 2012, there were 562,854,336 records disclosed to unauthorized parties from 3,190 reported incidents across all industries since the ChoicePoint incident in 2005. It is not unusual for an individual to have multiple records breached, multiple credit cards reset on account of fraud, and to have multiple offers of credit monitoring services. Thirty-seven percent of those records were because of:

    Unintended disclosure – Sensitive information posted publicly on a website, mishandled, or sent to the wrong party via e-mail, fax, or mail.

    Physical loss – Lost, discarded, or stolen non-electronic records, such as...

  13. CHAPTER 8: BUSINESS CONTINUITY AND RECOVERY
    (pp. 116-119)

    Business continuity consists of the activities performed in an organization to ensure that business functions during and after disruptive events. These can include localized events that require a work group relocation, up to regional disruptions. It requires investment and attention at the executive level to ensure a crisis response that is aligned with business strategy. This business strategy alignment is crucial, according to industry professionals such as John DiMaria. “The biggest challenge to pervasive Business Continuity Management (BCM) comes from those organizations who fail to fully understand the gap between recovery objectives and their recovery capability, and what that means to...

  14. CHAPTER 9: SECURE IT-ENABLED ORGANIZATIONS
    (pp. 120-125)

    Good controls enable cutting edge IT, creating business value. When IT and the business units operate on the basis of a well-defined, well-understood control model, it actually makes IT more efficient, more productive, and defect free. It establishes process between IT and the business and enables leadership to have flexibility within well-defined parameters.

    The example at a well-known mobile telecommunications company proved this point in the year leading up to the filing deadline for Sarbanes–Oxley 404 for accelerated filers. In 2003, the company attempted to deploy a CRM package on October 31st, the beginning of the sales season (most...

  15. BIBLIOGRAPHY
    (pp. 126-128)
  16. ITG RESOURCES
    (pp. 129-132)