Continuing last week's selections from my various columns for Jim Kaplan, this week I highlight resources that have a “governance” focus. In addition, I want to reinforce the importance of being prepared (e.g. implementing a security incident response capability) and being “in control” (i.e. we must have effective change management). It really is endless!
Have another great week.
Dan Swanson
Board Oversight of IT Is Needed
Traditionally, and rightfully so, the board has focused on governing the organization, that is, the board is ensuring the right CEO is in place, that the right business strategies have been developed, that performance is reported regularly and trending properly, and that the right questions are being asked of management. Nowadays, the board also needs to ensure that the organization's human resources are being positioned for future requirements, that digital information and assets are being appropriately protected, and that the organization is always progressing!
http://www.auditnet.org/articles/DSIA200706.htm
Performance Measurement and Reporting is a Silver Bullet!
Stephen Covey, author of The Seven Habits of Highly Effective People, and many others quite rightly recommend that when you start any kind of new project, you should begin with the end in mind. What does that involve? 1) Deciding where you want to be in the future (that is, what your “end state” will be); 2) Defining your key goals and objectives in getting there (to guide your various efforts along the way); and 3) Building and then implementing your plan to get there (the means to reach your desired end state).
http://www.auditnet.org/articles/DSIA200705.htm
What dialogue is occurring within your organization regarding organizational governance? Is everyone on the same page regarding what organizational governance is and what we are trying to accomplish? I believe it's time for all stakeholders to discuss and agree to the many roles and responsibilities that are involved with organizational governance. See below for some leading resources to assist in your discussion.
http://www.auditnet.org/articles/DSIA200710.htm
IT Compliance Institute has published a new IT Audit checklist covering Change Management. This paper, “IT Audit Checklist: Change Management,” supports an internal audit of the organization's change management policies in order to verify compliance and look for opportunities to improve efficiency, effectiveness, and economy. The paper includes advice on assessing the existence and effectiveness of change management in project oversight, development, procurement, IT service testing, and IT operations; guidance for management and auditors on supporting change management; and information on ensuring continual improvement of change management efforts.
http://www.auditnet.org/articles/DSIA200708.htm
Have you assessed your information security program lately?
http://www.auditnet.org/articles/DSIA200712.htm
Creating a Computer Security Incident Response Team
http://www.auditnet.org/articles/DSIA200712.htm