
Information Security Governance:

IT security governance is the system by which an organization directs and controls
IT security. IT security governance should not be confused with IT security
management. IT security management is concerned with making decisions to
mitigate risks; governance determines who is authorized to make decisions.
Governance specifies the accountability framework and provides oversight to
ensure that risks are adequately mitigated, while management ensures that
controls are implemented to mitigate risks. Management recommends security
strategies. Governance ensures that security strategies are aligned with business
objectives and consistent with regulations.
It is the process of establishing and maintaining a framework to provide assurance
that information security strategies are aligned with and support business
objectives, are consistent with applicable laws and regulations through adherence
to policies and internal controls, and provide assignment of responsibility, all in an
effort to manage risk.
It can also be defined as the structures, processes, and relational mechanisms for
guidance and control; the literature uniformly identifies it as an organizational
capability of great importance for aligning IT with the business and achieving
organizational value through information technology.

Why Information Security Governance is Needed

Financial payoffs

IT is expensive

IT is pervasive

New technologies

IT governance is critical to learning about IT value

Not just technical - integration and buy-in from business leaders is needed for
success

Senior executives have limited bandwidth, especially at large institutions, so they
can't do it all

Governance patterns depend on desired behaviors

Top revenue growth - decentralized to promote customer responsiveness and
innovation

Profit - centralized to promote sharing, reuse and efficient asset utilization

Multiple performance goals - blended centralized and decentralized governance

Major Security Risks:

Risk is defined as the possibility that an event will occur, which will impact an
organization's achievement of objectives. There are many forms of risk in an
organization, including IT risk, financial risk, operational risk, network security risk,
and personnel risk. To address risks more effectively, organizations may use a risk
management approach that identifies, assesses, manages, and controls potential
events or situations.
Among other things, the goal of effective risk management is to ensure that each
risk is identified, documented, prioritized, and mitigated whenever possible.
Because all organizations face risk, whether positive (i.e., opportunities) or negative
(i.e., events that hinder company processes), the challenge for auditors is to know
when risk will occur and the impact it will have on the organization.
The risk assessment process begins with the identification of risk categories. An
organization most likely will have several risk categories to analyze and identify
risks that are specific to the organization. Examples of risk categories include:

Technical or IT risks.

Project management risks.

Organizational risks.

Financial risks.

External risks.

Compliance risks.

The growing exposure to IT risk, specifically Information Security (InfoSec) risk,
has become the major focus of most global information security surveys conducted
by public accounting firms (Ernst & Young, 2013, 2014; PricewaterhouseCoopers,
2014). Among the InfoSec risk areas to which respondents assigned top priority
are business continuity and disaster recovery, cyber risks and cyber threats, data
leakage and data loss prevention, information security transformation, and
compliance monitoring (Ernst & Young, 2014). The purpose of Information
Security is to protect and preserve the confidentiality, integrity, and availability of
information. It may also involve protecting and preserving the authenticity and
reliability of information and ensuring that entities can be held accountable (ISO
27000).

Following are the most likely sources, or causes, of security breaches and what
businesses can, and should, do to protect against them.

1. Disgruntled Employees
2. Careless or Uninformed Employees
3. Mobile Devices
4. Cloud Applications
5. Unpatched or Un-Patchable Devices
6. Third-party Service Providers
