The following article was posted by my peer and fellow Security Consultant John Kyriazoglou, CICA, M.S., B.A. (Honours), on the International Cyber Threat Task Force website.
In the 21st century, the most critical assets of private and public enterprises, of organizations in general, of global society and of the economy (local, national, international) are not physical (equipment, machines, installations, plants), financial (money, credit or other financing instruments) or even computer software.
The most critical assets are the knowledge and ideas (concepts) that exist in people's minds and that, in the modern business environment, are increasingly stored in computerized systems, both personal and corporate.
The computer technology and related infrastructure, the information systems, the network backbone (intranet, extranet, metropolitan, Internet, etc.) and related media technologies give everyone, within a given organizational environment, direct access to what is going on: within the given organization, in the industrial sector to which it belongs, and in the general economy and market in which it operates.
All of these technological components, broadly Information Technology (IT) and the Information Systems (IS) that operate within its realm, enable the modern private or public corporation and organization to accrue the following benefits (indicative only):
(1) Quicker and more effective information for decision-making at all levels,
(2) Increased competitiveness across all services of the firm,
(3) Improved production processes and procedures, and
(4) Higher quality in the products and services offered to customers (and citizens) and to society in general.
Given the rate of development of information processing and computer manufacturing technologies and processes, a rate without precedent in the history of mankind, it is now possible for organizations to carry out almost all of their daily business operations through integrated information systems.
These systems are like medical drugs: they either strengthen the organization or enable it to cure or resolve a particular problem or operating malfunction.
But, to continue the drug analogy, if these systems are not used in a disciplined manner they can create havoc, frequently fail to deliver the expected results, and may even bring about catastrophe.
These integrated information systems must therefore operate within a business environment that is governed by the rules, policies, regulations and instructions of a corporate governance framework and a related information technology governance framework.
As Negroponte has said (see Nicholas Negroponte: "Being Digital", Alfred A. Knopf, New York, U.S.A., 1995): "The next decade will see cases of intellectual property abuse and invasion of our privacy. We will experience digital vandalism, software piracy and data thievery".
This has definitely been proven correct. Security incidents and other acts of electronic and computer-based crime are on the rise (as reported by www.cert.org and other security-related sites).
And as the famous Kevin Mitnick has said (see the book by Kevin D. Mitnick and William L. Simon: "The Art of Deception", Wiley, 2002): "Valuable information must be protected no matter what form it takes or where it is located. An organization's customer list has the same value whether in hard-copy form or an electronic file at your office or in a storage box. Social engineers always prefer the easiest to circumvent, least defended point of attack. A company's offsite backup storage facility is seen as having less risk of detection or getting caught. Every organization that stores any valuable, sensitive, or critical data with third parties should encrypt their data to protect its confidentiality".
IT auditing also helps to enhance the quality attributes of information (effectiveness, efficiency, confidentiality, integrity, availability, compliance, reliability) as defined by ISACA (www.isaca.org).
The answer for managers and leaders of organizations is to plan for this new operating environment with the proper tools, methodologies and resources.
Never forget that because organizations differ, their control needs also will differ. For example, all groups need change management, but how it’s implemented will depend on the enterprise. Delving into the work instruction level, access controls are needed, but how they are handled on a mainframe vs. a Windows network will vary. The point is that you will need to tune your policies, procedures and work instructions not only to meet the spirit of the controls but also to be feasible in the context of your organization.
In almost all types of organizations, both private and public, corporate controls denote the set of policies, procedures, techniques, methods, and practices to manage and control their business operations.
Within this corporate controls governance framework, Information Technology controls (or IT controls) are specific actions, usually specified by policies, procedures, practices, etc., and performed by persons, hardware or software, whose main objective is to ensure that specific business objectives are met.
The overall guiding aim of IT controls relates to the secure processing, confidentiality, integrity and availability of data, and to the overall management of the organization's IT function.
IT controls are commonly described in two categories according to various sources (www.isaca.org, www.theiia.org, www.itpi.org): IT General Controls and IT Application Controls.
IT General Controls are those controls that apply to all IT activities (systems, services, issues, processes, operations, etc.) and data for a given organization or IT systems environment. They include controls over such areas as IT strategy, systems development, data center operations, database and data communications infrastructure, systems software support and maintenance, IT security, and the acquisition, development and maintenance of packaged application systems.
IT Application Controls are those controls that are appropriate for transaction processing by individual computerized subsystems, such as financial accounting, personnel administration, customer sales, inventory control, payroll or accounts payable.
They relate to the processing and storage of data in computer-based files by individual IT applications and help ensure that business transactions actually occurred, are authorized, and are completely and accurately recorded, stored, processed and reported.
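As an added illustration of what application controls look like when they are implemented inside a transaction-processing subsystem (this is example code written for this page, not code from the article or the book it promotes), the following Python module enforces the objectives named above over a constructed accounts-payable batch: an authorization control (only certain roles may submit, large amounts need a different approver, i.e. segregation of duties), accuracy controls (account format, amount precision), a completeness control (the batch header's record count and hash total must match what was received before anything is posted), a duplicate check, and an audit trail. The roles, threshold, account format and sample payments are all assumptions made up for the example.

```python
"""Added example: minimal IT application controls over a payment batch.

Not from the article. All roles, thresholds, account formats and sample
transactions below are constructed for illustration only.
"""
from dataclasses import dataclass, field
from decimal import Decimal
from typing import Dict, List, Optional
import re

# Hypothetical role model (assumption): who may submit, who may approve,
# and above which amount a second, different person must approve.
AUTHORIZED_SUBMITTERS = {"ap_clerk", "ap_manager"}
AUTHORIZED_APPROVERS = {"ap_manager", "controller"}
APPROVAL_THRESHOLD = Decimal("10000.00")
ACCOUNT_RE = re.compile(r"^[0-9]{4}-[0-9]{6}$")  # assumed internal account format


@dataclass
class Payment:
    tx_id: str
    account: str
    amount: Decimal
    submitted_by: str
    submitter_role: str
    approved_by: Optional[str] = None
    approver_role: Optional[str] = None


@dataclass
class BatchResult:
    accepted: List[str] = field(default_factory=list)
    rejected: Dict[str, str] = field(default_factory=dict)  # tx_id -> reason
    audit_log: List[str] = field(default_factory=list)
    complete: bool = False  # True once the batch-level completeness check passed


def validate_payment(p: Payment) -> Optional[str]:
    """Accuracy and authorization controls on one transaction.
    Returns None when the payment passes, otherwise the reason it fails."""
    if not ACCOUNT_RE.match(p.account):
        return "invalid account format"
    if p.amount <= 0 or p.amount != p.amount.quantize(Decimal("0.01")):
        return "amount must be positive with at most two decimals"
    if p.submitter_role not in AUTHORIZED_SUBMITTERS:
        return "submitter not authorized"
    if p.amount >= APPROVAL_THRESHOLD:
        if p.approver_role not in AUTHORIZED_APPROVERS:
            return "amount requires an authorized approver"
        if p.approved_by == p.submitted_by:
            return "segregation of duties: submitter cannot approve own payment"
    return None


def process_batch(payments: List[Payment], control_count: int,
                  control_total: Decimal) -> BatchResult:
    """Completeness control first: the record count and hash total carried in
    the batch header must equal what was actually received, or nothing posts."""
    result = BatchResult()
    received_total = sum((p.amount for p in payments), Decimal("0"))
    if len(payments) != control_count or received_total != control_total:
        result.audit_log.append(
            f"BATCH REJECTED: header says {control_count} records / {control_total}, "
            f"received {len(payments)} / {received_total}")
        return result
    result.complete = True
    seen = set()
    for p in payments:
        if p.tx_id in seen:  # duplicate-processing control
            reason: Optional[str] = "duplicate transaction id"
        else:
            seen.add(p.tx_id)
            reason = validate_payment(p)
        if reason is None:
            result.accepted.append(p.tx_id)
            result.audit_log.append(f"POSTED {p.tx_id} {p.amount} by {p.submitted_by}")
        else:
            result.rejected[p.tx_id] = reason
            result.audit_log.append(f"REJECTED {p.tx_id}: {reason}")
    return result


# Constructed sample batch (not real data): T3 is approved by its own submitter,
# T4 has a malformed account, T5 is submitted by an unauthorized role.
SAMPLE = [
    Payment("T1", "1234-000001", Decimal("250.00"), "alice", "ap_clerk"),
    Payment("T2", "1234-000002", Decimal("15000.00"), "alice", "ap_clerk", "bob", "controller"),
    Payment("T3", "1234-000003", Decimal("12000.00"), "carol", "ap_manager", "carol", "ap_manager"),
    Payment("T4", "12-3", Decimal("10.00"), "alice", "ap_clerk"),
    Payment("T5", "1234-000005", Decimal("99.00"), "dave", "intern"),
]
SAMPLE_COUNT = 5
SAMPLE_TOTAL = Decimal("27359.00")  # 250 + 15000 + 12000 + 10 + 99

if __name__ == "__main__":
    print("\n".join(process_batch(SAMPLE, SAMPLE_COUNT, SAMPLE_TOTAL).audit_log))
```

Running the module posts T1 and T2 and rejects T3, T4 and T5 with the reason recorded in the audit log; changing the header count to 4 makes the whole batch fail the completeness check before any record is examined, which is the point of applying the batch-level control first.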
The benefits of IT controls to the business include:
(1) Understanding and controlling the risks associated with IT systems.
(2) Improving the process of designing, implementing and auditing new and existing IT systems.
(3) Increasing management's ability to achieve operational goals. With well-controlled, integrated and robust IT systems, you can gain a competitive advantage while ensuring that information is relevant, accurate and timely.
(4) Ensuring high standards within your IT systems.
—————————————————————————————————–
For more information on IT Controls, see the book: ‘IT STRATEGIC AND OPERATIONAL CONTROLS’
PRINTED VERSION: www.itgovernance.co.uk/products/3066
E-BOOK FORMAT VERSION: www.itgovernance.co.uk/products/3067
CUSTOMIZABLE IT AUDIT PROGRAMS AND CHECKLISTS (WORD FORMAT): www.itgovernance.co.uk/products/3143
AVAILABLE AT THE PUBLISHER, AMAZON and other major bookstores world-wide
Author: John Kyriazoglou (jkyriazoglou@hotmail.com)
Publisher: IT Governance Publishing
ISBN: 9781849280617
Pages: 686
Format: Softcover
Published date: 2 September 2010