Rating: 0 out of 5 stars
0 ratings
Ebook152 pages4 hours
Governance and Internal Controls for Cutting Edge IT
Rating: 0 out of 5 stars
()
About this ebook
In Governance and Internal Controls for Cutting Edge IT, Karen Worstell explains strategies and techniques to guide IT managers as they implement cutting edge solutions for their business needs. Based on practical experience and real-life models, she covers key principles and processes for the introduction of new technologies and examines how to establish an appropriate standard of security and control, particularly in the context of the COBIT 5® framework and affiliated standards.
Author
Karen Worstell
Karen Worstell has worked in information security and risk management for more than 25 years, in a range of business sectors. She is currently the Managing Principal of W Risk Group LLC, a professional services practice that enables organizations to manage risk and address myriad standards. Karen has held leadership roles on a number of advisory boards, and is a respected writer on information security.
Related to Governance and Internal Controls for Cutting Edge IT
Related ebooks
Information Security Auditor: Careers in information security The Basics of IT Audit: Purposes, Processes, and Practical Information Rating: 4 out of 5 stars4/5Agile Information Security: Using Scrum to Survive in and Secure a Rapidly Changing Environment Rating: 0 out of 5 stars0 ratingsInformation Security Risk Assessment Toolkit: Practical Assessments through Data Collection and Data Analysis Rating: 0 out of 5 stars0 ratingsCloud Security and Governance: Who's on your cloud? Rating: 1 out of 5 stars1/5Information Security Breaches: Avoidance and Treatment based on ISO27001 Rating: 0 out of 5 stars0 ratingsData Governance: Governing data for sustainable business Rating: 0 out of 5 stars0 ratingsInfosec Management Fundamentals Rating: 5 out of 5 stars5/5CISA Certified Information Systems Auditor Study Guide Rating: 5 out of 5 stars5/5Nine Steps to Success: An ISO27001:2013 Implementation Overview Rating: 1 out of 5 stars1/5Managing Information Security Breaches: Studies from real life Rating: 0 out of 5 stars0 ratingsSecure Your Business: Insights to Governance, Risk, Compliance & Information Security Rating: 0 out of 5 stars0 ratingsInformation Security Governance: A Practical Development and Implementation Approach Rating: 0 out of 5 stars0 ratingsData Breach Preparation and Response: Breaches are Certain, Impact is Not Rating: 0 out of 5 stars0 ratingsIT Governance: Implementing Frameworks and Standards for the Corporate Governance of IT Rating: 4 out of 5 stars4/5FISMA and the Risk Management Framework: The New Practice of Federal Cyber Security Rating: 0 out of 5 stars0 ratingsIT Governance: Guidelines for Directors Rating: 0 out of 5 stars0 ratingsFundamentals of Information Security Risk Management Auditing: An introduction for managers and auditors Rating: 5 out of 5 stars5/5IT Induction and Information Security Awareness: A Pocket Guide Rating: 0 out of 5 stars0 ratingsData Protection and Compliance: Second edition Rating: 0 out of 5 stars0 ratingsCyber Essentials: A guide to the Cyber Essentials and Cyber Essentials Plus certifications Rating: 0 out of 5 stars0 ratingsCompliance by Design: IT controls that work Rating: 5 out of 5 stars5/5Third-Party Risk Management A Complete Guide - 2019 Edition Rating: 5 out of 5 stars5/5IT GRC A Complete Guide - 2020 Edition Rating: 0 out of 5 stars0 ratingsPCI DSS: A Pocket Guide, fourth edition Rating: 0 out of 5 stars0 ratingsEnterprise Risk Management Applications A Complete Guide Rating: 0 out of 5 stars0 ratingsISO/IEC 27701:2019: An introduction to privacy information management Rating: 4 out of 5 stars4/5Data Privacy Complete Self-Assessment Guide Rating: 5 out of 5 stars5/5Information Security for Small and Midsized Businesses Rating: 0 out of 5 stars0 ratings
Business For You
The Intelligent Investor, Rev. Ed: The Definitive Book on Value Investing Rating: 4 out of 5 stars4/5The Richest Man in Babylon: The most inspiring book on wealth ever written Rating: 5 out of 5 stars5/5How to Write a Grant: Become a Grant Writing Unicorn Rating: 5 out of 5 stars5/5Crucial Conversations: Tools for Talking When Stakes are High, Third Edition Rating: 4 out of 5 stars4/5Becoming Bulletproof: Protect Yourself, Read People, Influence Situations, and Live Fearlessly Rating: 4 out of 5 stars4/5The Book of Beautiful Questions: The Powerful Questions That Will Help You Decide, Create, Connect, and Lead Rating: 4 out of 5 stars4/5Your Next Five Moves: Master the Art of Business Strategy Rating: 5 out of 5 stars5/5Emotional Intelligence: Exploring the Most Powerful Intelligence Ever Discovered Rating: 5 out of 5 stars5/5Confessions of an Economic Hit Man, 3rd Edition Rating: 5 out of 5 stars5/5Robert's Rules Of Order Rating: 5 out of 5 stars5/5Carol Dweck's Mindset The New Psychology of Success: Summary and Analysis Rating: 4 out of 5 stars4/5The Everything Guide To Being A Paralegal: Winning Secrets to a Successful Career! Rating: 5 out of 5 stars5/5Tools Of Titans: The Tactics, Routines, and Habits of Billionaires, Icons, and World-Class Performers Rating: 4 out of 5 stars4/5Crucial Conversations Tools for Talking When Stakes Are High, Second Edition Rating: 4 out of 5 stars4/5Law of Connection: Lesson 10 from The 21 Irrefutable Laws of Leadership Rating: 4 out of 5 stars4/5The Five Dysfunctions of a Team: A Leadership Fable, 20th Anniversary Edition Rating: 4 out of 5 stars4/5Just Listen: Discover the Secret to Getting Through to Absolutely Anyone Rating: 4 out of 5 stars4/5Collaborating with the Enemy: How to Work with People You Don’t Agree with or Like or Trust Rating: 4 out of 5 stars4/5Capitalism and Freedom Rating: 4 out of 5 stars4/5Real Artists Don't Starve: Timeless Strategies for Thriving in the New Creative Age Rating: 4 out of 5 stars4/5Set for Life: An All-Out Approach to Early Financial Freedom Rating: 4 out of 5 stars4/5The Catalyst: How to Change Anyone's Mind Rating: 4 out of 5 stars4/5
Related podcast episodes
How To Succeed With Privacy By Design 0% found this document useful#60 What is ISO 27017: Controls for Cloud Services 0% found this document usefulThe Foolproof Way To Pass The CIPPE Exam In 2 Weeks 0% found this document usefulHow To Overcome Challenges Every DPO Faces 0% found this document usefulCyberWire Pro Interview Selects: Jaclyn Miller from NTT, Ltd. 0% found this document usefulCISA’s Small Business Security Guidance and Listener Questions 0% found this document usefulTodd Beebe: Beyond IT vs. OT, The Common Ground for Securing Any Environment 0% found this document usefulMollie Breen: Accelerating OT Security, Reliability and Efficiency 0% found this document usefulThe Front Lines of Ethical Hacking and Infosec with Steve Walbroehl of Halborn 0% found this document usefulChris Bihary: Tapping Into Packet Level Data in OT 0% found this document usefulDebbie Gordon: Practicing Cybersafety Through Simulated Environments 0% found this document usefulRinki Sethi: From Analyst to CISO and Board Member 0% found this document useful
Related articles
“DORA Is A Force For Good And Will Help Businesses To Make Better Decisions, Faster” PC Pro MagazineArticle
“DORA Is A Force For Good And Will Help Businesses To Make Better Decisions, Faster”
Apr 10, 2022
6 min readCyber Security IS A SHARED RESPONSIBILITY AT THE C-LEVEL Inc.Article
Cyber Security IS A SHARED RESPONSIBILITY AT THE C-LEVEL
Sep 21, 2016
Data breaches can have far-reaching repercussions; protecting against them is a companywide mandate
2 min readManaging the Risks of Digital Lending Business TodayArticle
Managing the Risks of Digital Lending
Feb 18, 2022
TECHNOLOGY HAS BEEN the crux of the Indian banking system and the advent of Covid-19 has fuelled the shift of business models from ‘physical’ to ‘digital’. The journey of innovation, which started with internet banking and digital means of payments,
6 min readData Compliance Checklist MarketingArticle
Data Compliance Checklist
May 15, 2019
People had a lot to say about Google’s January AU$80 million fine for breaching the General Data Protection Regulation (GDPR) – and rightly so. It was the first time a tech giant suffered a financial penalty under the GDPR. The fine served as a signa
3 min readData Security Standards Linux FormatArticle
Data Security Standards
Aug 24, 2021
A lot of engineers like to rail against standards as pointless box-checking and in some cases they are. Especially when it comes to things like PCI-DSS. Fundamentally, any engineer can look at PCI-DSS and say honestly that it’s obvious, and that all
1 min readCybersecurity Firm Fireeye Says Was Hacked By Nation State TechLife NewsArticle
Cybersecurity Firm Fireeye Says Was Hacked By Nation State
Dec 12, 2020
3 min readTop Eight Cybersecurity Predictions For 2022-23 NZBusiness and ManagementArticle
Top Eight Cybersecurity Predictions For 2022-23
Jul 20, 2022
3 min readWhy Is Data Protection Important To Small Businesses Parents in BizArticle
Why Is Data Protection Important To Small Businesses
Jan 24, 2022
3 min readVulnerability Assessments PC Pro MagazineArticle
Vulnerability Assessments
Jan 7, 2021
3 min readPrivacy: The Price Of Trust Inc.Article
Privacy: The Price Of Trust
Aug 17, 2021
How will cybersecurity and data privacy evolve over the next decade? We’re hearing from our customers that cybersecurity and data privacy are increasingly becoming board-level conversations. Companies will start to think about privacy, security, vend
1 min readUnderstanding The Weight On Security Leaders' Shoulders, And How To Shift It NZBusiness and ManagementArticle
Understanding The Weight On Security Leaders' Shoulders, And How To Shift It
Jul 20, 2022
4 min readWhy Leaders Need To Take A Risk-based Approach To Data Security NZBusiness and ManagementArticle
Why Leaders Need To Take A Risk-based Approach To Data Security
Jul 21, 2021
5 min readThe Role Of AI In Cybersecurity NZBusiness and ManagementArticle
The Role Of AI In Cybersecurity
Apr 18, 2023
4 min readBRIDGING THE GAP BETWEEN IT AND SECURITY TEAMS: Four Tips for Better Collaboration The European Business ReviewArticle
BRIDGING THE GAP BETWEEN IT AND SECURITY TEAMS: Four Tips for Better Collaboration
Jul 31, 2023
In today's corporate landscape, the relationship between Information Technology (IT) and security departments often mirrors a tangled web, marked by conflicting objectives and strained interactions. Yet, as digitalisation accelerates across all secto
5 min readHow A Zero Trust Approach Protects Your People And Your Data NZBusiness and ManagementArticle
How A Zero Trust Approach Protects Your People And Your Data
Oct 19, 2022
3 min readHow Do You Know You Are Okay? NZBusiness and ManagementArticle
How Do You Know You Are Okay?
May 27, 2019
2 min readDETER, DETECT, DELAY: Thwarting The Digital Intruders The European Business ReviewArticle
DETER, DETECT, DELAY: Thwarting The Digital Intruders
Nov 25, 2021
6 min readEverything You May Have Wanted to Know About Ethical/Whitehat Hackers TechfastlyArticle
Everything You May Have Wanted to Know About Ethical/Whitehat Hackers
Oct 21, 2020
5 min readCybersecurity Made Simple: Taming The Password The European Business ReviewArticle
Cybersecurity Made Simple: Taming The Password
Mar 1, 2022
8 min read“Why Are The Stupid Rules There In The First Place? Because Someone Had To Tick A Compliance Box” PC Pro MagazineArticle
“Why Are The Stupid Rules There In The First Place? Because Someone Had To Tick A Compliance Box”
Jul 9, 2022
I hate passwords with a vengeance. In the main because they are so badly abused, from a security perspective, by so many people. I’m not just talking about the person on the Clapham omnibus who keeps their passwords simple and shared between multiple
7 min readDiagnosis: We Have Pii And Ip… Now What? The European Business ReviewArticle
Diagnosis: We Have Pii And Ip… Now What?
Oct 2, 2023
5 min readWeb App Security Linux FormatArticle
Web App Security
Jun 29, 2021
8 min readTop Four Tips To Stay Secure NZBusiness and ManagementArticle
Top Four Tips To Stay Secure
Apr 18, 2023
2 min readBusinesses Were Not Prepared For The Pandemic, Warns IBM Chief Executive Evening StandardArticle
Businesses Were Not Prepared For The Pandemic, Warns IBM Chief Executive
Sep 7, 2020
4 min readIBM Boss: Big Companies Were Not Prepared For The Pandemic Evening StandardArticle
IBM Boss: Big Companies Were Not Prepared For The Pandemic
Sep 4, 2020
Sreeram Visvanathan is the new chief executive of IBM UK and Ireland. The 53 year-old is from Bangalore in India and previously led IBM’s global Public Sector team. In the middle of London Tech Week, he talked to the Evening Standard about the future
4 min readIn Conversation with Rajesh Dhuddu Global Head, Blockchain & Metaverse Practice, Tech Mahindra TechfastlyArticle
In Conversation with Rajesh Dhuddu Global Head, Blockchain & Metaverse Practice, Tech Mahindra
Nov 1, 2022
6 min readWhy We Need To Fear The Risk Of AI Model Collapse Evening StandardArticle
Why We Need To Fear The Risk Of AI Model Collapse
Dec 17, 2023
4 min readThe Weakest Link Facility ManagementArticle
The Weakest Link
Jun 24, 2018
7 min readEverything You Should Know About Cybersecurity Automation TechfastlyArticle
Everything You Should Know About Cybersecurity Automation
Jun 1, 2021
6 min readData Protection: Lightening The Load Of Compliance The European Business ReviewArticle
Data Protection: Lightening The Load Of Compliance
Sep 25, 2021
7 min read
Reviews for Governance and Internal Controls for Cutting Edge IT
Rating: 0 out of 5 stars
0 ratings
0 ratings0 reviews
Book preview
Governance and Internal Controls for Cutting Edge IT - Karen Worstell
Resources
INTRODUCTION
The charm of history and its enigmatic lesson consist in the fact that, from age to age, nothing changes and yet everything is completely different.
Aldous Huxley
What is the Cloud and Cutting Edge IT?
My entire professional career, as well as that of my husband, has been in information security, risk, and controls. For the better part of 30 years, we found ourselves in countless discussions with management of various organizations, enumerating risks and recommendations to protect company reputation, information, business capability, and adoption of emerging technology. Readers of this book will relate to the typical management discussion scenario: imprecision about the exact nature of the risk and its probability of occurrence, and lack of definition about the costs associated with an acceptable level of mitigation. It is subjective opinion to describe what could go wrong, the probability it will go wrong, and how much exactly would need to be done to prevent loss. Therefore, it was quite the interesting experience to be on the receiving end of the risk discussion when we decided that we would begin implementing a personal family disaster plan. It makes sense: we live in a seismically active region with a dormant volcano, surrounded by water with one road for ingress and egress. As we collected proposals and bids for creating a sense of self-reliance in the event of a major seismic event, we realized, This is crazy! What are the chances that this would really happen? This is ridiculously expensive!
Then we had a good laugh at the irony of our reaction.
I share this personal vignette to illustrate a point: as risk and control professionals, we are collectively in the position of trying to predict exposure and to mitigate it to healthy levels. It is not an easy task for the prognosticator or the receiver of the news. Looking back 20 years, it wasn’t easy to evaluate risk and visualize a control framework in anticipation of distributed computing, it wasn’t easy when the Internet was commercialized, it wasn’t easy for the Y2K event, and it is not easy for Cloud Computing. It is much harder now in the second decade of the 21st century. As risk and control professionals, we must constantly be evaluating new ways to streamline what we do because the hamster wheel of pain
for reducing IT risk in this rapidly emerging world of IT opportunity is not slowing down.
For example, Cloud Computing has dominated the discussion of cutting edge IT for much of the last decade. Cloud Computing in all its various forms brings benefits of enterprise computing capability without the commitment and investment required by in-house
computing capabilities: expertise of specialized people, hardware, software licenses, power, floor tiles, third-party contracts, and so forth. Arguably, Cloud Computing provides a layer of abstraction between the core business focus of an enterprise, and the nuts-and-bolts operations of the IT necessary to make it work. It also brings with it risk and control issues that, as of writing, are not well understood by business management and are not resolved.
The stakes are higher than they have ever been for IT. Of all the external factors that could influence the success of a company, technology is the most critical. Market factors, globalization, people skills, socioeconomics, and regulatory factors are all taking a back-seat to the recognized impact that technology can have upon the competitiveness and opportunity of the enterprise based upon IBM’s study involving more than 1,700 chief executive officers. This is unprecedented. The opportunities perceived in Cloud Computing models are just a part of the reason that technology is front of mind for executives: the realization of the opportunity and impact of IT has brought its criticality into focus.
Technology is the backbone of life in developed nations. Electricity, water, food distribution, transportation, accessibility to information and data, finance, and telecommunications would be seriously disrupted if the information technology infrastructure were to be unavailable. But executives’ focus on technology goes beyond assuring its availability. The evolution of technology, the disruptive nature of its influence on society and business, and the opportunity available to those who are able to seize it and exploit it fuels innovation and imagination and drives new business and social benefit.
In this competitive, dynamic, technology-rich field of opportunity, risk and control professionals find themselves increasingly on the horns of a dilemma. Managing risk has more unknowns, and due diligence for the protection of sensitive information assets is not fully understood by adopters. Coming quickly on the heels of Cloud Computing adoption are technology opportunities (and associated challenges) such as social business, crowdsourcing, bring–your-own-device mobile computing, consumerization of IT, big data, and the Internet of Things. These opportunities, and others, are individually and collectively a representation of cutting edge IT.
Every chief information officer (CIO) and chief information security officer (CISO) has experienced the balancing act of budget, legacy IT, and the seductive apparent promise of cutting edge IT. As a community, we have been behind the power curve in this balancing act since computing emerged from its glasshouse.
At the same time, the threat environment surrounding information systems has never been more opportunistic. While each organization will need to evaluate risk individually, the need for a streamlined approach to managing risk to responsible levels has never been greater. The community of risk and control professionals simply cannot keep up with the technology appetite, rate of change, and exploding threats affecting information systems. Organizations will need to change their overall approach to risk and controls for adopting cutting edge IT, or face becoming road kill on the information superhighway.
Companies often, either willfully or ignorantly, underestimate the need and cost of doing business when it comes to IT, and, to use a cliché, implementing any IT, let alone cutting edge IT, without the appropriate and expedient attention to risk and controls is a dog that just won’t hunt.
My personal experience at sticker shock for family disaster readiness has not diminished professional commitment: be ready to demonstrate due diligence to a standard of care appropriate for one’s business. This is a core message of this book.
There are many excellent publications focusing on the principles and techniques for security and controls for IT. ISACA® publishes a risk and control framework as the newly released COBIT 5® for governing and managing the investment in IT and this allows for any relevant standard, such as the ISO20000 and ISO27000 series, to be incorporated as appropriate for the enterprise. The purpose of this book is to offer perspective, strategies, and some techniques that will give IT and business management a jumpstart for success when faced with business drivers that demand cutting edge IT solutions. This book is a supplement to the many existing frameworks, standards, controls, and guidelines available today.
A Growing Gap
The inspiration for this text was born from a career of riding IT transformational waves, and of trying to avoid being the spoiler
in those campaigns. As IT transitioned from mainframe to distributed computing, my program group in Boeing’s Research and Technology unit experimented with multiple computing models such as DCE, CORBA, and OSI. We worked to understand the proper technical constructs for protecting information systems that were rapidly moving from the established, well-understood monolithic model. In the early 1990s, a colleague at Boeing demonstrated the ability for unauthorized macro execution within a new product from Microsoft® called Excel®. Three years later, the Concept. A macro virus for Word® was discovered in the wild.
A hypothetical security risk had just become reality. In 1995, the commercialization of the Internet, and the advent of the Mosaic browser from CERN, generated significant interest for what it could do for us, but the evaluation of what it could do to us was, again, difficult to put into words. It was very hard to have the discussion about potential things that could go wrong outside of the security profession. Budgets were not yet allocated to keep pace with the rate of change to security requirements and emerging threats that came with distributed computing and the Internet.
Enjoying the preview?
Page 1 of 1