Governance and Internal Controls for Cutting Edge IT
About this ebook
In Governance and Internal Controls for Cutting Edge IT, Karen Worstell explains strategies and techniques to guide IT managers as they implement cutting edge solutions for their business needs. Based on practical experience and real-life models, she covers key principles and processes for the introduction of new technologies and examines how to establish an appropriate standard of security and control, particularly in the context of the COBIT 5® framework and affiliated standards.
Karen Worstell
Karen Worstell has worked in information security and risk management for more than 25 years, in a range of business sectors. She is currently the Managing Principal of W Risk Group LLC, a professional services practice that enables organizations to manage risk and address myriad standards. Karen has held leadership roles on a number of advisory boards, and is a respected writer on information security.
Book preview
Governance and Internal Controls for Cutting Edge IT - Karen Worstell
INTRODUCTION
The charm of history and its enigmatic lesson consist in the fact that, from age to age, nothing changes and yet everything is completely different.
Aldous Huxley
What is the Cloud and Cutting Edge IT?
My entire professional career, as well as that of my husband, has been in information security, risk, and controls. For the better part of 30 years, we found ourselves in countless discussions with management of various organizations, enumerating risks and recommendations to protect company reputation, information, business capability, and adoption of emerging technology. Readers of this book will relate to the typical management discussion scenario: imprecision about the exact nature of the risk and its probability of occurrence, and lack of definition about the costs associated with an acceptable level of mitigation. It is subjective opinion to describe what could go wrong, the probability it will go wrong, and how much exactly would need to be done to prevent loss. Therefore, it was quite the interesting experience to be on the receiving end of the risk discussion when we decided that we would begin implementing a personal family disaster plan. It makes sense: we live in a seismically active region with a dormant volcano, surrounded by water with one road for ingress and egress. As we collected proposals and bids for creating a sense of self-reliance in the event of a major seismic event, we realized, "This is crazy! What are the chances that this would really happen? This is ridiculously expensive!"
Then we had a good laugh at the irony of our reaction.
I share this personal vignette to illustrate a point: as risk and control professionals, we are collectively in the position of trying to predict exposure and to mitigate it to healthy levels. It is not an easy task for the prognosticator or the receiver of the news. Looking back 20 years, it wasn’t easy to evaluate risk and visualize a control framework in anticipation of distributed computing, it wasn’t easy when the Internet was commercialized, it wasn’t easy for the Y2K event, and it is not easy for Cloud Computing. It is much harder now in the second decade of the 21st century. As risk and control professionals, we must constantly be evaluating new ways to streamline what we do because the hamster wheel of pain for reducing IT risk in this rapidly emerging world of IT opportunity is not slowing down.
For example, Cloud Computing has dominated the discussion of cutting edge IT for much of the last decade. Cloud Computing in all its various forms brings benefits of enterprise computing capability without the commitment and investment required by in-house computing capabilities: expertise of specialized people, hardware, software licenses, power, floor tiles, third-party contracts, and so forth. Arguably, Cloud Computing provides a layer of abstraction between the core business focus of an enterprise, and the nuts-and-bolts operations of the IT necessary to make it work. It also brings with it risk and control issues that, as of writing, are not well understood by business management and are not resolved.
The stakes are higher than they have ever been for IT. Of all the external factors that could influence the success of a company, technology is the most critical. According to IBM’s study involving more than 1,700 chief executive officers, market factors, globalization, people skills, socioeconomics, and regulatory factors are all taking a back seat to the recognized impact that technology can have upon the competitiveness and opportunity of the enterprise. This is unprecedented. The opportunities perceived in Cloud Computing models are just a part of the reason that technology is front of mind for executives: the realization of the opportunity and impact of IT has brought its criticality into focus.
Technology is the backbone of life in developed nations. Electricity, water, food distribution, transportation, accessibility to information and data, finance, and telecommunications would be seriously disrupted if the information technology infrastructure were to be unavailable. But executives’ focus on technology goes beyond assuring its availability. The evolution of technology, the disruptive nature of its influence on society and business, and the opportunity available to those who are able to seize it and exploit it fuels innovation and imagination and drives new business and social benefit.
In this competitive, dynamic, technology-rich field of opportunity, risk and control professionals find themselves increasingly on the horns of a dilemma. Managing risk has more unknowns, and due diligence for the protection of sensitive information assets is not fully understood by adopters. Coming quickly on the heels of Cloud Computing adoption are technology opportunities (and associated challenges) such as social business, crowdsourcing, bring-your-own-device mobile computing, consumerization of IT, big data, and the Internet of Things. These opportunities, and others, are individually and collectively a representation of cutting edge IT.
Every chief information officer (CIO) and chief information security officer (CISO) has experienced the balancing act of budget, legacy IT, and the seductive apparent promise of cutting edge IT. As a community, we have been behind the power curve in this balancing act since computing emerged from its glasshouse.
At the same time, the threat environment surrounding information systems has never been more opportunistic. While each organization will need to evaluate risk individually, the need for a streamlined approach to managing risk to responsible levels has never been greater. The community of risk and control professionals simply cannot keep up with the technology appetite, rate of change, and exploding threats affecting information systems. Organizations will need to change their overall approach to risk and controls for adopting cutting edge IT, or face becoming road kill on the information superhighway.
Companies often, either willfully or ignorantly, underestimate the need and cost of doing business when it comes to IT, and, to use a cliché, implementing any IT, let alone cutting edge IT, without the appropriate and expedient attention to risk and controls is a dog that just won’t hunt.
My personal experience at sticker shock for family disaster readiness has not diminished professional commitment: be ready to demonstrate due diligence to a standard of care appropriate for one’s business. This is a core message of this book.
There are many excellent publications focusing on the principles and techniques for security and controls for IT. ISACA® publishes a risk and control framework, the newly released COBIT 5®, for governing and managing the investment in IT; it allows any relevant standard, such as the ISO20000 and ISO27000 series, to be incorporated as appropriate for the enterprise. The purpose of this book is to offer perspective, strategies, and some techniques that will give IT and business management a jumpstart for success when faced with business drivers that demand cutting edge IT solutions. This book is a supplement to the many existing frameworks, standards, controls, and guidelines available today.
A Growing Gap
The inspiration for this text was born from a career of riding IT transformational waves, and of trying to avoid being the spoiler in those campaigns. As IT transitioned from mainframe to distributed computing, my program group in Boeing’s Research and Technology unit experimented with multiple computing models such as DCE, CORBA, and OSI. We worked to understand the proper technical constructs for protecting information systems that were rapidly moving from the established, well-understood monolithic model. In the early 1990s, a colleague at Boeing demonstrated the ability for unauthorized macro execution within a new product from Microsoft® called Excel®. Three years later, the Concept.A macro virus for Word® was discovered in the wild.
A hypothetical security risk had just become reality. In 1995, the commercialization of the Internet, and the advent of the Mosaic browser from CERN, generated significant interest for what it could do for us, but the evaluation of what it could do to us was, again, difficult to put into words. It was very hard to have the discussion about potential things that could go wrong outside of the security profession. Budgets were not yet allocated to keep pace with the rate of change to security requirements and emerging threats that came with distributed computing and the Internet.