Objectives of the Presentation
- Forces affecting ISG
- Information security principles
- Information security practices
- Sound strategic and tactical information risk considerations
- Three tiers of enterprise governance examination
- Effectiveness measurement techniques
Why should you Attend
Instituting and sustaining information security governance (ISG) requires comprehensive planning and organizing; robust acquisitions and implementations; effective delivery and support; and continuous monitoring and evaluation to address the myriad managerial, operational, and technical issues that can thwart an enterprise's declared mission. Consequently, information security requires an adaptive balance between sound management and applied technology. Sound management provides assurance of adequate asset safeguarding, while applied technology can introduce efficiencies for addressing potential external or internal threats.
Information security design, deployment, and assurance require dedication to continuous improvement to ensure optimum effectiveness and efficiency. Confirmation of compliance with legislation, regulations, policies, directives, procedures, standards, and rules enables asserting superior ISG. Nonetheless, monitoring and evaluating the current state of implemented controls may take a variety of forms, including control self-assessments and information technology (IT) audits. Furthermore, an IT auditor may not be the individual who executes an organization's information security internal control review (ICR); however, an IT auditor may subsequently assess an ICR for effectiveness and/or efficiency. In the regulatory arena, a negative finding, coupled with prompt corrective action, can mitigate civil and criminal enforcement penalties, thereby potentially reducing or avoiding legal risks.
At the end of this session, the speaker will handle your specific questions and address any challenges you have, or have had, regarding assuring information security.
- ISG social responsibility
- Data protection management
- Alternative ISG frameworks
- Organizational structure considerations
- ISG effectiveness measurement
- Information security culture
Who will Benefit
- Audit Committee Members
- Risk Management Managers
- External Auditors
- Internal Auditors
- Chief Executive Officers
- Chief Information Officers
- Compliance Managers
- Chief Information Security Officers
- Information Technology Professionals
- Control Self-Assessment Personnel
Planning and organizing are essential to organizational cohesiveness. ISG usually occurs at different organizational strata, with team leaders reporting to and receiving direction from their managers, managers reporting up to an executive, and the highest-level executive conferring with and receiving instruction from the entity's oversight committee. Information that indicates deviation from targets will usually include recommendations for action requiring endorsement by the entity's oversight layer. Clearly, this approach is ineffective unless strategies, objectives, and goals are first developed and deployed within the entity's organizational structure.
Acquisitions and implementations are necessary for adequate information security. Realizing the information security strategy requires identifying, developing or acquiring information security solutions, and seamlessly implementing and integrating them with business and IT processes. During an information security product or service acquisition and implementation cycle, changes and maintenance may be required to sustain continued service quality for impacted systems or processes.
Within an enterprise's organizational structure, providing acceptable service delivery necessitates the installation of an effective support system. Information security service delivery and support may range from operational protection deployment to crisis response training. However, assessing changes in, and maintenance of, existing systems are critical security service components contributing to delivering value. Information protection changes and maintenance may be prompted by problems encountered by users or by deliberate attacks on the established information security architecture.
Usually, a formal ISG program is required to promote the safeguarding of information assets. ISG programs should ensure that the Control Objectives for Information and related Technology (COBIT) framework information criteria of confidentiality, integrity, availability, compliance, and reliability are not compromised through gaps in controls. Therefore, the information security program and its associated systems, processes and activities need to be regularly assessed for quality and compliance with defined requirements. Monitoring and evaluating information security underpins the assurances provided or obtained through due care and due diligence, and enables management to fulfill its fiduciary oversight expectations.
Whether ISG is considered a distinct governance classification that supports entity governance or a subset of information technology governance (ITG), safeguarding IT normally mandates addressing separation of responsibilities and 'protection of information assets' to ensure managerial due diligence. Typically, safeguarding information assets translates into ensuring resources are acquired, utilized and disposed of through proper procedures and approvals. If ISG misalignment exists among entity governance and ITG, financial, legal, operational and reputational risks can escalate beyond demarcated tolerance levels. In fact, a functional entity's very existence may depend on how well it safeguards the assets utilized in achieving the adopted organizational mission.