Information security governance
Monica Ford
CIS 438 Information Security Legal Issues
Professor Tremblay
June 2, 2018
Information Security Governance
The increasing complexity of the business environment has made it necessary for businesses to use the data available to them to improve their practices and achieve their business goals and objectives. Data is obtained from different platforms and comes in different forms, and organizations are looking for the most appropriate ways to use technology and innovation to enhance the value of the data they gather (Safa, Von Solms & Furnell, 2016). With the growing cyber-threat challenges, organizations are looking to implement
The strategic direction of the organization allows it to identify its data needs and align them appropriately with the available resources to meet the set goals (Galliers & Leidner, 2014). Planning is a critical component of setting the strategic direction of the management. Oversight is also a crucial role that senior management is mandated to spearhead: evaluating whether the strategic plan is properly aligned with the designed activities and whether the indicators show that the organization is headed in the right direction. In this respect, senior management plays a critical role in the decision-making processes that inform the organization's next course of action. Accountability is another critical task that the management must address. Implementing information security is costly, and the available resources must be used appropriately if the set goals and objectives are to be achieved. Accountability enhances transparency, which allows the organization's stakeholders to fully support the system to be
The various components of the organization need to be adequately addressed so that a reliable information system can be put in place (Soomro, Shah & Ahmed, 2016). Setting out the organizational structure is crucial, as it determines the governance structure that is put in place and the level of effectiveness that is achieved. The delegation of roles and responsibilities in the new governance structure is also an essential factor for the appropriate accomplishment of tasks. Policy formulation is required to provide direction, and compliance standards are set to facilitate adherence by individuals. Setting out a risk management plan is also necessary, as it provides a strategy for handling any challenges that may be experienced. There is also a need to measure and report performance in order to track progress. Most critical is setting out the strategic plan for the organization, which lays out the method of implementation and the plan for success in the long
The theme of this book is how businesses in today’s world use ever-improving technology to collect data, convert it into information and business intelligence, and combine this information and intelligence with the knowledge of the workers to help make the best decisions they possibly can for the benefit of the company and the customers. Throughout the book, there are discussions on the different ways that technology can help a business with this process. When going into detail about the various information systems, this book also brings into
The Department of Commerce (DOC) is required to implement an Information Security Continuous Monitoring (ISCM) Program as mandated by the Office of Management and Budget (OMB) Memorandum 14-03. The memorandum requires Federal agencies to manage information security risk on an ongoing basis. This document provides a high-level DOC-wide strategic plan for maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions. Otherwise known as information security continuous monitoring or ISCM, this strategic plan promotes informed and actionable risk management decisions; empowers leaders and improves organizational accountability; simplifies regulatory compliance through integrated
Assess the adequacy and effectiveness of the organization’s IS security policy. In addition, assess whether the control requirements specified in the organization’s IS security standards adequately protect the information assets of the organization. At a minimum, the standards should specify the following controls and require them to be applicable to all information systems:
The framework provides a roadmap for the implementation, evaluation and improvement of information security practices. An important feature of the information security governance framework is that it defines the roles of different members of an organization. The framework specifies what corporate executives, senior management, and CIOs/CISOs should do. The framework is also flexible enough to apply to different business models. The framework's benefits are that it identifies cornerstone security practices that nearly all organizations are following and makes recommendations about where in an organization the responsibility falls. Some disadvantages of BSA's framework are that it is still a work in progress and that it still needs to develop useful metrics that enable managers to quantify the return on investments in information security and the effectiveness of information security programs and measures (BSA).
Members of the Emergency Management Team or Team Coordinators will instruct all individuals to evacuate at Rally Point “X” located behind the church through word of mouth.
After the information system is installed, the IS security controls must be monitored and assessed on a continuous basis. Continuous monitoring ensures the security controls in place are effective. In this step, there are five tasks. The first task requires managers to determine the security impact based on the threat environment. The second task is conducting assessments on certain security controls as outlined in their Continuous Monitoring Strategy. The third task is correcting discrepancies found in the assessment. The fourth task requires updating the Security Authorization package based on the previous results. The fifth task requires the appropriate officials to make a risk determination and acceptance by reviewing the reported security
An effective information security program should include periodic assessments of risk, including the magnitude of harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the organization. Policies and procedures should be based on risk assessments, should cost-effectively reduce information security risk, and should ensure that information security is addressed throughout the entire life cycle of each organizational information system. The program should also include subordinate plans for providing sufficient information security for groups of information systems, facilities, networks, or individual information systems.
Information Management/Information Technology (IM/IT) governance is an important aspect for many organizations and consists of several major components. The importance of this governance lies in its contribution to making business decisions more accurately and in a more timely manner. For health care organizations, IM/IT governance is significant in helping them deal with the challenges in the health system. These organizations face overarching challenges in delivering a high-performing and sustainable health system in the face of significant growth in demand. Since these organizations are not supported by a single comprehensive IM/IT arrangement, each organization is responsible for its own governance of these systems ("Health Sector Information Management", 2011). Consequently, every healthcare organization is responsible for taking the necessary steps to ensure that its IM/IT strategic plan has viable elements that enhance the quality of care services and programs.
Today, businesses both large and small face immense cyber threats and must continuously evolve to
Webster characterizes "policy" as a "high-level overall plan embracing the general goals and acceptable procedures". It is, by and large, acknowledged that an organization's information security policies should be the premise of its information security program. Particularly in the case of global organizations, the requirement for sensible policies and the issues intrinsic in creating them are exceptionally critical. This paper serves as a discussion of some of the most common information security policy-related matters that global organizations share and offers some approaches to resolving them.
Structure is vital in shared governance where expertise and knowledge serve as guides to actions. It requires a commitment to the organizational mission and the profession of the organization. The practices must be structured within the rules of the employer and the laws that govern the industry. It also requires consistency in definitions, standardization, and the design of the governance with regular evaluations of performance levels.
In order to effectively implement security governance, the Corporate Governance Task Force (CGTF) recommends that organizations follow an established framework, such as the IDEAL framework from the Carnegie Mellon University Software Engineering Institute. This framework, which is described in the document “Information Security Governance: Call to Action,” defines the responsibilities of (1) the board of directors or trustees, (2) the senior organizational executive (i.e., CEO), (3) executive team members, (4) senior managers, and (5) all employees and users. This important document can be found at the Information Systems Audit and Control Association (ISACA) Web site at www.isaca.org/ContentManagement/ContentDisplay.cfm?ContentID=34997.
There were a number of factors that contributed to the breach which, had they been addressed or had corresponding mitigation responses been in place, would have reduced the likelihood that the breach would have taken place, or at a minimum reduced the impact of the attack. These items range from policy-related issues to technology implementations and security management and maintenance. Although I believe a number of these areas were in the process of being addressed, based on the information gathered regarding the details of the incident, it appears that it was still insufficient in many areas and would not have prevented an incident even if there had been more time available to perform the implementations.
RentMyCar’s mission is to provide high-quality, low-cost, hassle-free car rentals to everyone. The peer-to-peer (P2P) business model adopted by RentMyCar gives the firm a competitive advantage over other car rental companies. However, it is important that RentMyCar not only conveys the company’s intention accurately, but also in a way that is meaningful to every stakeholder. Thus RentMyCar will make this vision accessible by separating the movement into three major steps: launch, scale, and expand. During the launch phase, RentMyCar will build and leverage strategic partnerships to quickly generate brand awareness and credibility. RentMyCar will acquire initial customers by propagating the brand via these partners; however, the launch phase will be restricted to the tristate area of New York, Massachusetts and Connecticut. During the scale phase, RentMyCar will leverage social media and digital marketing to generate leads for new customers and manage complex customer relationships across a variety of channels, both digital and traditional. By segmenting existing customer groups based on newly discovered needs and buying patterns, RentMyCar will maximize its profits and revenues. Additionally, RentMyCar will scale its operations to other states on the east coast. RentMyCar will then achieve economies of scale by rolling out its service to other states of the country while focusing on the efficiency of its operations.
An ongoing awareness program shall be established and maintained in this company to ensure that staff awareness is refreshed and updated as necessary.