Governance and Internal Controls for Cutting Edge IT
About this ebook
In Governance and Internal Controls for Cutting Edge IT, Karen Worstell explains strategies and techniques to guide IT managers as they implement cutting edge solutions for their business needs. Based on practical experience and real-life models, she covers key principles and processes for the introduction of new technologies and examines how to establish an appropriate standard of security and control, particularly in the context of the COBIT 5® framework and affiliated standards.
Karen Worstell
Karen Worstell has worked in information security and risk management for more than 25 years, in a range of business sectors. She is currently the Managing Principal of W Risk Group LLC, a professional services practice that enables organizations to manage risk and address myriad standards. Karen has held leadership roles on a number of advisory boards, and is a respected writer on information security.
Book preview
Governance and Internal Controls for Cutting Edge IT - Karen Worstell
INTRODUCTION
The charm of history and its enigmatic lesson consist in the fact that, from age to age, nothing changes and yet everything is completely different.
Aldous Huxley
What is the Cloud and Cutting Edge IT?
My entire professional career, as well as that of my husband, has been in information security, risk, and controls. For the better part of 30 years, we found ourselves in countless discussions with the management of various organizations, enumerating risks and recommendations to protect company reputation, information, business capability, and the adoption of emerging technology. Readers of this book will relate to the typical management discussion scenario: imprecision about the exact nature of the risk and its probability of occurrence, and a lack of definition about the costs associated with an acceptable level of mitigation. Describing what could go wrong, the probability that it will go wrong, and exactly how much would need to be done to prevent loss is a matter of subjective opinion. Therefore, it was quite the interesting experience to be on the receiving end of the risk discussion when we decided that we would begin implementing a personal family disaster plan. It makes sense: we live in a seismically active region with a dormant volcano, surrounded by water with one road for ingress and egress. As we collected proposals and bids for creating a sense of self-reliance in the event of a major seismic event, we realized: "This is crazy! What are the chances that this would really happen? This is ridiculously expensive!"
Then we had a good laugh at the irony of our reaction.
I share this personal vignette to illustrate a point: as risk and control professionals, we are collectively in the position of trying to predict exposure and to mitigate it to healthy levels. It is not an easy task for the prognosticator or the receiver of the news. Looking back 20 years, it wasn’t easy to evaluate risk and visualize a control framework in anticipation of distributed computing, it wasn’t easy when the Internet was commercialized, it wasn’t easy for the Y2K event, and it is not easy for Cloud Computing. It is much harder now in the second decade of the 21st century. As risk and control professionals, we must constantly be evaluating new ways to streamline what we do, because the hamster wheel of pain for reducing IT risk in this rapidly emerging world of IT opportunity is not slowing down.
For example, Cloud Computing has dominated the discussion of cutting edge IT for much of the last decade. Cloud Computing in all its various forms brings the benefits of enterprise computing capability without the commitment and investment required by in-house computing capabilities: expertise of specialized people, hardware, software licenses, power, floor tiles, third-party contracts, and so forth. Arguably, Cloud Computing provides a layer of abstraction between the core business focus of an enterprise and the nuts-and-bolts operations of the IT necessary to make it work. It also brings with it risk and control issues that, as of writing, are not well understood by business management and are not resolved.
The stakes are higher than they have ever been for IT. Of all the external factors that could influence the success of a company, technology is the most critical. According to IBM’s study involving more than 1,700 chief executive officers, market factors, globalization, people skills, socioeconomics, and regulatory factors are all taking a back seat to the recognized impact that technology can have upon the competitiveness and opportunity of the enterprise. This is unprecedented. The opportunities perceived in Cloud Computing models are just a part of the reason that technology is front of mind for executives: the realization of the opportunity and impact of IT has brought its criticality into focus.
Technology is the backbone of life in developed nations. Electricity, water, food distribution, transportation, accessibility to information and data, finance, and telecommunications would be seriously disrupted if the information technology infrastructure were to be unavailable. But executives’ focus on technology goes beyond assuring its availability. The evolution of technology, the disruptive nature of its influence on society and business, and the opportunity available to those who are able to seize it and exploit it fuels innovation and imagination and drives new business and social benefit.
In this competitive, dynamic, technology-rich field of opportunity, risk and control professionals find themselves increasingly on the horns of a dilemma. Managing risk has more unknowns, and due diligence for the protection of sensitive information assets is not fully understood by adopters. Coming quickly on the heels of Cloud Computing adoption are technology opportunities (and associated challenges) such as social business, crowdsourcing, bring-your-own-device mobile computing, consumerization of IT, big data, and the Internet of Things. These opportunities, and others, are individually and collectively a representation of cutting edge IT.
Every chief information officer (CIO) and chief information security officer (CISO) has experienced the balancing act of budget, legacy IT, and the seductive apparent promise of cutting edge IT. As a community, we have been behind the power curve in this balancing act since computing emerged from its glasshouse.
At the same time, the threat environment surrounding information systems has never been more opportunistic. While each organization will need to evaluate risk individually, the need for a streamlined approach to managing risk to responsible levels has never been greater. The community of risk and control professionals simply cannot keep up with the technology appetite, rate of change, and exploding threats affecting information systems. Organizations will need to change their overall approach to risk and controls for adopting cutting edge IT, or face becoming road kill on the information superhighway.
Companies often, either willfully or ignorantly, underestimate the need and cost of doing business when it comes to IT, and, to use a cliché, implementing any IT, let alone cutting edge IT, without the appropriate and expedient attention to risk and controls is a dog that just won’t hunt.
My personal experience at sticker shock for family disaster readiness has not diminished professional commitment: be ready to demonstrate due diligence to a standard of care appropriate for one’s business. This is a core message of this book.
There are many excellent publications focusing on the principles and techniques of security and controls for IT. ISACA® publishes a risk and control framework, the newly released COBIT 5®, for governing and managing the investment in IT; it allows any relevant standard, such as the ISO20000 and ISO27000 series, to be incorporated as appropriate for the enterprise. The purpose of this book is to offer perspective, strategies, and some techniques that will give IT and business management a jumpstart for success when faced with business drivers that demand cutting edge IT solutions. This book is a supplement to the many existing frameworks, standards, controls, and guidelines available today.
A Growing Gap
The inspiration for this text was born from a career of riding IT transformational waves, and of trying to avoid being the spoiler in those campaigns. As IT transitioned from mainframe to distributed computing, my program group in Boeing’s Research and Technology unit experimented with multiple computing models such as DCE, CORBA, and OSI. We worked to understand the proper technical constructs for protecting information systems that were rapidly moving away from the established, well-understood monolithic model. In the early 1990s, a colleague at Boeing demonstrated the ability for unauthorized macro execution within a new product from Microsoft® called Excel®. Three years later, the Concept.A macro virus for Word® was discovered in the wild.
A hypothetical security risk had just become reality. In 1995, the commercialization of the Internet, and the advent of the Mosaic browser from CERN, generated significant interest for what it could do for us, but the evaluation of what it could do to us was, again, difficult to put into words. It was very hard to have the discussion about potential things that could go wrong outside of the security profession. Budgets were not yet allocated to keep pace with the rate of change to security requirements and emerging threats that came with distributed computing and the Internet.