Governance and Internal Controls for Cutting Edge IT
About this ebook
In Governance and Internal Controls for Cutting Edge IT, Karen Worstell explains strategies and techniques to guide IT managers as they implement cutting edge solutions for their business needs. Based on practical experience and real-life models, she covers key principles and processes for the introduction of new technologies and examines how to establish an appropriate standard of security and control, particularly in the context of the COBIT 5® framework and affiliated standards.
Karen Worstell
Karen Worstell has worked in information security and risk management for more than 25 years, in a range of business sectors. She is currently the Managing Principal of W Risk Group LLC, a professional services practice that enables organizations to manage risk and address myriad standards. Karen has held leadership roles on a number of advisory boards, and is a respected writer on information security.
Governance and Internal Controls for Cutting Edge IT - Karen Worstell
INTRODUCTION
The charm of history and its enigmatic lesson consist in the fact that, from age to age, nothing changes and yet everything is completely different.
Aldous Huxley
What is the Cloud and Cutting Edge IT?
My entire professional career, as well as that of my husband, has been in information security, risk, and controls. For the better part of 30 years, we found ourselves in countless discussions with the management of various organizations, enumerating risks and recommendations to protect company reputation, information, business capability, and the adoption of emerging technology. Readers of this book will relate to the typical management discussion scenario: imprecision about the exact nature of the risk and its probability of occurrence, and a lack of definition about the costs associated with an acceptable level of mitigation. Describing what could go wrong, the probability that it will go wrong, and exactly how much would need to be done to prevent loss is a matter of subjective opinion. Therefore, it was quite the interesting experience to be on the receiving end of the risk discussion when we decided that we would begin implementing a personal family disaster plan. It makes sense: we live in a seismically active region with a dormant volcano, surrounded by water with one road for ingress and egress. As we collected proposals and bids for creating a sense of self-reliance in the event of a major seismic event, we realized, "This is crazy! What are the chances that this would really happen? This is ridiculously expensive!"
Then we had a good laugh at the irony of our reaction.
I share this personal vignette to illustrate a point: as risk and control professionals, we are collectively in the position of trying to predict exposure and to mitigate it to healthy levels. It is not an easy task for the prognosticator or the receiver of the news. Looking back 20 years, it wasn’t easy to evaluate risk and visualize a control framework in anticipation of distributed computing, it wasn’t easy when the Internet was commercialized, it wasn’t easy for the Y2K event, and it is not easy for Cloud Computing. It is much harder now in the second decade of the 21st century. As risk and control professionals, we must constantly be evaluating new ways to streamline what we do, because the hamster wheel of pain for reducing IT risk in this rapidly emerging world of IT opportunity is not slowing down.
For example, Cloud Computing has dominated the discussion of cutting edge IT for much of the last decade. Cloud Computing in all its various forms brings the benefits of enterprise computing capability without the commitment and investment required by in-house computing capabilities: the expertise of specialized people, hardware, software licenses, power, floor tiles, third-party contracts, and so forth. Arguably, Cloud Computing provides a layer of abstraction between the core business focus of an enterprise and the nuts-and-bolts operations of the IT necessary to make it work. It also brings with it risk and control issues that, as of writing, are not well understood by business management and are not resolved.
The stakes are higher than they have ever been for IT. Of all the external factors that could influence the success of a company, technology is the most critical. According to IBM’s study involving more than 1,700 chief executive officers, market factors, globalization, people skills, socioeconomics, and regulatory factors are all taking a back seat to the recognized impact that technology can have upon the competitiveness and opportunity of the enterprise. This is unprecedented. The opportunities perceived in Cloud Computing models are just a part of the reason that technology is front of mind for executives: the realization of the opportunity and impact of IT has brought its criticality into focus.
Technology is the backbone of life in developed nations. Electricity, water, food distribution, transportation, accessibility to information and data, finance, and telecommunications would be seriously disrupted if the information technology infrastructure were to be unavailable. But executives’ focus on technology goes beyond assuring its availability. The evolution of technology, the disruptive nature of its influence on society and business, and the opportunity available to those who are able to seize it and exploit it fuels innovation and imagination and drives new business and social benefit.
In this competitive, dynamic, technology-rich field of opportunity, risk and control professionals find themselves increasingly on the horns of a dilemma. Managing risk has more unknowns, and due diligence for the protection of sensitive information assets is not fully understood by adopters. Coming quickly on the heels of Cloud Computing adoption are technology opportunities (and associated challenges) such as social business, crowdsourcing, bring-your-own-device mobile computing, consumerization of IT, big data, and the Internet of Things. These opportunities, and others, are individually and collectively a representation of cutting edge IT.
Every chief information officer (CIO) and chief information security officer (CISO) has experienced the balancing act of budget, legacy IT, and the seductive apparent promise of cutting edge IT. As a community, we have been behind the power curve in this balancing act since computing emerged from its glasshouse.
At the same time, the threat environment surrounding information systems has never been more opportunistic. While each organization will need to evaluate risk individually, the need for a streamlined approach to managing risk to responsible levels has never been greater. The community of risk and control professionals simply cannot keep up with the technology appetite, rate of change, and exploding threats affecting information systems. Organizations will need to change their overall approach to risk and controls for adopting cutting edge IT, or face becoming road kill on the information superhighway.
Companies often, either willfully or ignorantly, underestimate the need for and cost of doing business when it comes to IT, and, to use a cliché, implementing any IT, let alone cutting edge IT, without appropriate and expedient attention to risk and controls is a dog that just won’t hunt.
My personal experience of sticker shock at family disaster readiness has not diminished my professional commitment: be ready to demonstrate due diligence to a standard of care appropriate for one’s business. This is a core message of this book.
There are many excellent publications focusing on the principles and techniques of security and controls for IT. ISACA® publishes a risk and control framework, the newly released COBIT 5®, for governing and managing the investment in IT; it allows any relevant standard, such as the ISO 20000 and ISO 27000 series, to be incorporated as appropriate for the enterprise. The purpose of this book is to offer perspective, strategies, and some techniques that will give IT and business management a jumpstart for success when faced with business drivers that demand cutting edge IT solutions. This book is a supplement to the many existing frameworks, standards, controls, and guidelines available today.
A Growing Gap
The inspiration for this text was born from a career of riding IT transformational waves, and of trying to avoid being the spoiler in those campaigns. As IT transitioned from mainframe to distributed computing, my program group in Boeing’s Research and Technology unit experimented with multiple computing models such as DCE, CORBA, and OSI. We worked to understand the proper technical constructs for protecting information systems that were rapidly moving away from the established, well-understood monolithic model. In the early 1990s, a colleague at Boeing demonstrated the ability for unauthorized macro execution within a new product from Microsoft® called Excel®. Three years later, the Concept.A macro virus for Word® was discovered in the wild.
A hypothetical security risk had just become reality. In 1995, the commercialization of the Internet, and the advent of the Mosaic browser from CERN, generated significant interest in what it could do for us, but the evaluation of what it could do to us was, again, difficult to put into words. Outside of the security profession, it was very hard to have the discussion about the things that could potentially go wrong. Budgets were not yet allocated to keep pace with the rate of change in security requirements and the emerging threats that came with distributed computing and the Internet.