IT governance resources

DRAFT NIST SP 800-100

General IT governance links

Recommended reading: keep up with IT governance entries on the NoticeBored Blog.


Recommended reading: IT Governance - How top performers manage IT decision rights for superior results by Peter Weill and Jeanne W. Ross of MIT (~$23 from Amazon) is based on academic studies of IT governance. Read our book review here or check out this precis by the authors on an Australian CIO magazine site.


An IT Process Institute (ITPI) research report characterizes differences in the controls infrastructures that distinguish high- from low-performing IT departments. There is a clear link between the quality of an organization’s change management controls and its performance, and some interesting correlations with specific controls e.g. monitoring for authorized/unauthorized and successful/unsuccessful changes; having firm consequences for those who intentionally make unauthorized changes; formal processes and automation of configuration management. These in turn suggest potential metrics such as percentages of changes that are authorized and successful; percentage of unauthorized change incidents that lead to disciplinary action; and percentage of configuration information that is accurate and complete.

A neat presentation and webcast by George Spafford brought out the value of integrating IT security processes with general IT operations, risk, change and configuration management, and through to business strategy, through ITIL IT service management.

“ITIL (IT Infrastructure Library) is the most widely accepted approach to IT Service Management in the world. ITIL provides a cohesive set of best practice, drawn from the public and private sectors internationally. It is supported by a comprehensive qualifications scheme, accredited training organisations, and implementation and assessment tools.” The guidelines may not be free but they will certainly help when designing your company’s IT service management procedures. A library of ITIL papers is available from the ITILportal (site access demands free registration). The Office of Government Commerce published an official report about its public consultation on the proposed refresh of ITIL, with the following comment: “Since adoption and implementation of ITIL or any other best practice really is a change management issue of cultural shift, ITIL needs to discuss this more and provide guidance on the management and achievement of cultural acceptance, adoption and championship of ITIL. Specific cultural issues should also be located within each process where there is a benefit to do so.” Let’s hope they promote security awareness more strongly as part of the security element within ITIL ...

The McKinsey Quarterly asks “Who’s accountable for IT? Business leaders, that’s who.” [access requires free registration]. Business and IT managers need to align with organizational objectives, and business managers should be held accountable for getting good value from their IT investments.

We have published a case study expounding the business value of implementing ISO/IEC 27002 on our IsecT website. The case reveals some surprising linkages between information security management and general business management, plus several indirect benefits that are seldom mentioned elsewhere.

ReportLine, ComplianceLine, SilentWhistle and Shareholder.com are examples of commercial services handling calls from customers’ employees who wish to blow the whistle on dishonest/unethical behavior, fraud, health and safety breaches, HIPAA/data protection breaches and related matters. The Government Accountability Project and BlowTheWhistle support those blowing the whistle on wrongdoing affecting public bodies.

A factsheet from the UK Institute of Directors advises non-executive directors on (a) how to go about asking questions to the Board or other managers about IT strategy and security; and (b) the types of question worth asking. [Our favorite is “Has your business assessed the risk of getting a reputation for slackness in security?”!]

Defining and promoting your information security policies through security awareness, training and education activities are essential for Sarbanes-Oxley compliance. A review of your information security policies is one of the first steps in a SOX audit. If the auditors then ask how management can be sure that employees comply, are you ready for them? Tools such as SecureAware can certainly help ...

The ITSM Portal examined a wide variety of governance frameworks and methods in the context of IT service management and IT governance.

Information Security Governance - A Call to Action advises organizations to incorporate information security into corporate governance efforts. “... executives must make information security an integral part of core business operations. There is no better way to accomplish this goal than to highlight it as part of the existing internal controls and policies that constitute corporate governance.”

Logica CMG reports on the relevance of information security to corporate governance, backed by a research study of UK plcs.

IT Governance is a best practice framework for managing IT and information security; IT Governance is also a policy-centric consultancy business that supports organizations seeking to deploy best practice information security and project management solutions. The founder of the company is the author of “IT Governance: a Manager’s Guide to Information Security and BS 7799/ISO 17799”, the Open University textbook on the subject.

OCEG (Open Compliance and Ethics Group) is a not-for-profit organization developing a framework for integrating governance, compliance, risk management and integrity into all business processes, thereby helping clients reduce costs and improve business performance. OCEG is driving adoption of the framework through a multi-industry, multi-disciplinary coalition, with a community to exchange information, tools and feedback for the continual improvement of the framework.

Governance in general

Recommended site, well worth a visit: the European Corporate Governance Institute has a fabulous website giving access to an excellent collection of governance codes/regulations and papers from around the world.

The Governance Focus blog covers governance very broadly and gives a fascinating insight into what’s happening in the field. Well worth a look.

A white paper from US CEO forum The Business Roundtable gives an overview of their position on corporate governance. They recommend that every publicly owned corporation should have a committee that addresses governance issues [but then confuse the matter by discussing the nominating committee - appointing suitable Board members is only one part of corporate governance].

Two weeks before British vehicle manufacturer MG Rover finally went into administration, tough questions were being asked of its Chairman and directors regarding some ‘unusual’ business transactions. Corporate governance is the core issue. We will probably never know the full picture.


“Enron - anatomy of greed: the unshredded truth from an Enron insider” by Brian Cruver (~$25 from Amazon). The author recounts his experience of working for Enron in its final few months. A highly personal view of what it was like to work in the high-pressured environment that eventually led to the demise of Enron in a spectacular governance failure.


The Sunday Times reported that American International Group, the world’s largest insurance group, is investigating accounting errors that could total $3 billion. The group is being scrutinized by the US authorities over claims that deals artificially inflated its financial strength.

Personal data vendor ChoicePoint Inc. and its executives are being sued by shareholders as a result of an information security incident. News of the security breach led to a sharp fall in the company’s share price and subsequently the class-action lawsuit. It is alleged that data protection was known to be inadequate, the company knew it was selling data to illegal enterprises, security breaches had occurred twice before and more than half a million people had been exposed to the threat of identity theft. This case reminds us that senior executives are increasingly being held accountable for sound governance of their companies.

IT/development project governance is a subset of IT governance, itself a subset of corporate governance. There is an enormous volume of information on the web about governing and managing IT/development projects (just try Googling phrases such as IT.project.governance or IT.project.management). Project governance guidance from the Tasmanian State Government states the principle that “ultimate responsibility and accountability for the project must be clearly defined and accepted at an appropriately high level within the organisation. The appropriate level is that which has discretionary control over the bulk of the resources that will be expended in the project process.”

Boards of Directors are well informed on their governance responsibilities by papers from the professional institutions, many of which emphasize information security. The IT Governance Institute publishes “Information security governance: guidance for boards of directors and executive management”, “Board briefing on IT governance” (now in its second edition) and a paper about using the balanced scorecard to report on IT governance. In a similar vein, the Canadian Institute of Chartered Accountants poses 20 Questions Directors Should Ask About IT, and the International Federation of Accountants has “Enterprise governance: getting the balance right”. Deloitte has a small collection of papers on corporate governance and accountability. The Institute of Internal Auditors published a position paper on “Internal auditing’s role in sections 302 and 404 of U.S. Sarbanes-Oxley Act of 2002” while the National Association of Corporate Directors has “Information security oversight: essential board practices”. Securing cyberspace is Business Roundtable’s contribution to the debate. With so much august information to read, directors must find it difficult to find time to actually govern their corporations.

The OECD (Organisation for Economic Co-operation and Development) has its Principles of corporate governance and an older paper Guidelines for the security of information systems and networks: towards a culture of security.


Related NoticeBored links collections

Computer audit, IT-related fraud, risk management, accountability/roles and responsibilities, compliance, IT Operations and information security management


NB: we do not necessarily endorse or agree with the third party websites accessible through the links. Use at your own risk. Please let us know about new or broken links.



Copyright © 2008 IsecT Ltd. and licensors