Conceptualization of the role of auditing in Information Security Governance Frameworks.
Abstract
Auditing aims to provide a well-informed assurance over information security efforts. The present work tries to understand the role of auditing from an Information Security perspective by reviewing three Information Security Governance Frameworks. An initial view of auditing from various literature is first constructed to understand the expected purpose of Auditing. This initial understanding then guides the assessment of frameworks. The frameworks are also evaluated based on the aspects of governance they address, the organizational structures they suggest and how well the audit process is integrated within the whole ISG framework. Finally, conclusions are drawn about the relative merits and demerits of the frameworks and how well they address the requirements of auditing.
Keywords
Information Security Governance, Auditing, Performance Measurement
Introduction
Information Security deals with the Confidentiality, Integrity and Availability of organizational data to facilitate business decisions. Information Security breaches inflict significant monetary and reputational damage on organizations. Thus, ensuring business information security becomes a matter of great importance at the board level. Therefore, organizations must view Information security from a governance perspective.
Information security research was initially focused on technical aspects of security such as secure
In this paper I will be discussing some of the benefits of having frameworks for information security management: what each of the frameworks of information security is, their pros and their cons, which major perspectives to consider in information security management and framework choice, and what organizational factors should be considered in framework choice. I will also attempt to come up with a better framework for information security.
In shaping new security policies, it is essential to have a full understanding of all aspects of the internal network and services to be protected from both internal and outside threats. An article by Solms & Solms (2004) outlines several criteria in developing information security. First, a governing body must be formed to ensure all sensitive data is secured and provide due
In the academic world, numerous information security (InfoSec) and risk management (RM) models are present. The value of these models differs, particularly in respect to internal and external soundness. Appropriately, countless security researchers and specialists seek increased understanding on the convolutedness of information assurance (IA). To a degree, this need may be motivated by industry demand and application. InfoSec is an enduring matter for many businesses. Therefore, the aim of this research is to offer an assessment of InfoSec and RM theories and to identify the areas in need of further research.
It is quite unfortunate that most companies’ management only deals with the administrative, marketing and sales, and production parts of the company business, but feels that IT operations should be left solely to the IT personnel. In the long run, according to this chapter, the information security aspect of the company will suffer and remain underdeveloped because of lack of attention. However, if there is any security breach or attack, the top management will be the first point of contact. The top management will be held accountable and responsible for not adhering to the business practices.
Limitations of Research: Considering all the studies, this paper also has limitations. Since Information security management is a prominently growing area, the guidelines may be unstable and quick changes can happen. However, the loss can be overcome if the organization keeps its security policies clear and updates them in a timely manner.
Ideally, however, a business monarchy would be established, clearly defined security policies would be put in place along with information security education, training and awareness for every employee in the organization, and some investment would be made in the IT structure whereby the server might be accessible at the organization itself as well as in the Finance Commission’s offices. Lastly, another alternative would be to establish IT governance within the organization and invest in education, training and awareness of information security for all employees involved with the organization, whether directly or indirectly.
The framework provides a roadmap for the implementation, evaluation and improvement of information security practices. An important feature of the information security governance framework is that it defines the roles of different members of an organization. The framework specifies what corporate executives, senior management, and CIOs/CISOs should do. The framework is also flexible enough to apply to different business models. The framework’s benefits are that it identifies cornerstone security practices that nearly all organizations are following and makes recommendations about where in an organization the responsibility falls. Some disadvantages of BSA’s framework are that it is still a work in progress and that it still needs to develop useful metrics that enable managers to quantify the return on investments in information security and the effectiveness of information security programs and measures (BSA).
We have completed our risk assessment as requested by management. The following report will take you through our completed risk matrix, narratives about the risks and controls, and provide a summary of our findings. The areas covered
In this paper I will discuss the three main areas of accountability regarding information security and provide an example of each area. The three main areas of accountability regarding information security include:
Information governance [IG] is an approach that employs multiple activities and technologies effectively within an organization. This policy incorporates more than traditional records management, as multiple departments are involved in its implementation. An established information governance policy is necessary to reduce accompanying jeopardies and expenses. According to the 2005 Second Annual Data Breach Industry Forecast, after 62 percent of consumers reported they had received at least two data breach notifications involving separate incidents in the past two years, perhaps surprisingly the most frequent response was inaction. [1] This may be an indication that a stronger IG is necessary for some organizations. With the expanded use of cloud and other budding future technologies, breaches are likely to increase. There are several steps an organization can take to implement an effective IG policy.
In order to effectively implement security governance, the Corporate Governance Task Force (CGTF) recommends that organizations follow an established framework, such as the IDEAL framework from the Carnegie Mellon University Software Engineering Institute. This framework, which is described in the document “Information Security Governance: Call to Action,” defines the responsibilities of (1) the board of directors or trustees, (2) the senior organizational executive (i.e., CEO), (3) executive team members, (4) senior managers, and (5) all employees and users. This important document can be found at the Information Systems Audit and Control Association (ISACA) Web site at www.isaca.org/ContentManagement/ContentDisplay.cfm?ContentID=34997.
With our ever-growing reliance on computers for almost everything, proper IT management has never been more important. Without good IT oversight, almost any imaginable disaster can occur. In this essay I will take a look at the role IT managers play in their company’s support and strategic infrastructures, the necessity for good IT governance, and two organizations that failed at IT governance.
The way Information Assurance works is by analyzing information contained on Network Systems, then assigning the information to corresponding threat level classifications. These classifications will be based on the following factors: “what potential value does the information hold to an organization?” and “would the subsequent release of said information cause damage to an organization, and how much?” Once these evaluations have been done, an organization can move on to the next step, addressing vulnerabilities of Network Systems that contain critical information. As the vulnerability assessment takes place, weaknesses that are discovered should be discussed amongst security administrators. The overall outcome of this would be to patch security flaws in the system to better protect assets. At the same time, administrators analyze the potential cause and effect of a potential breach in security. In a perfect world all vulnerabilities would be addressed and fixed, but with the ever-evolving technology of the 21st century and the intellect of those individuals who look to abuse their knowledge to gain unauthorized access to systems, the reality is that vulnerabilities (i.e. loopholes, exploits, etc.) will always exist; it is just a matter of who finds them. The most important part of the Information Assurance process is this: eliminate all known vulnerabilities while conducting analysis to reduce
Information is one of an organization’s most valuable assets. Defense of information assets is necessary to establish and develop trust between the institution and its clients, provide
The Gartner Information Security Governance Model is most suitable for Inventure Foods’ type of business. It protects the information resources appropriately and efficiently given the company’s limited resources and overstretched personnel. The most important reason why we chose the Gartner Model is that it provides the blueprint for a complete security program and tells management the order in which to implement these security segments. Another reason is that the Gartner Information Security Governance Model is designed for companies that do not require high levels of security, such as Inventure Foods. Additionally, the Gartner Information Security Governance Model can be integrated as part of Inventure Foods’ overall policy. Furthermore, the Gartner Information Security Governance Model is more about protecting the information resources efficiently and effectively beyond just the IT