Five Recommendations For Your Information Risk Management and Security Strategy
By John P. Pironti, CISA, CISM, CGEIT, CISSP, CRISC, ISSAP, ISSMP
The strategy associated with an enterprise’s information risk management and security (IRMS) program becomes a road map for its activities. When developing or refreshing your IRMS strategy, there are many considerations that should be accounted for to make sure it is beneficial to your enterprise and feasible to implement and sustain. Here are five things to consider when undergoing this effort:
- Validate your strategy with your intended audiences early in its development—The key to any successful strategy is the positive perception and realization of its value by the people it will impact. Too often IRMS professionals assume they intuitively understand their enterprise’s requirements and expectations, as well as the benefits that will be obtained by implementing their proposed strategies. While this may be the case, it is important to validate these assumptions with the customer of the strategy to ensure they agree. Without their support the strategy will have little chance of success. The easiest way to achieve this validation is to socialize the concepts and ideas that you intend to include in your strategy with key leaders and stakeholders early in the development process. If they are involved in shaping its development and agree with your views and approach, there is a much higher likelihood of successful execution.
- Align the IRMS strategy with your enterprise’s information risk profile—An enterprise’s approach to IRMS should be about information risk first and security second. When developing your IRMS strategy, make sure you align your programs and activities with your enterprise’s information risk profile. This profile will identify the information risk appetite of your enterprise. A risk-based strategy presented to a sponsor or leader has a high probability of gaining support since it is designed to align with needs and expectations. If your enterprise does not have a formal information risk profile, seek out the individuals who have risk management responsibilities in the enterprise (i.e., finance, legal, compliance) as well as business process and data owners to work with them to identify their information risk appetite and expectations of security to create a profile to support them.
- Leverage staff as a force multiplier—Leaders and individual contributors associated with IRMS programs and capabilities often feel as though they are overworked and undersupported by their enterprises. One approach that can help to ease this pain is to plan in your IRMS strategy to leverage your enterprise’s overall staff as a force multiplier. One strategy that is often successful is to identify individuals who will be tasked as IRMS champions within the key functions and services within your organization. By empowering these champions with knowledge, capabilities and expectations, they can assist you in meeting your IRMS objectives without having to significantly expand the budget or staffing of your program. Beyond the establishment and support of champions, the creation of a risk-conscious and security-aware culture within your enterprise can provide an effective force multiplier for your efforts as individuals incorporate IRMS as a business as usual activity.
- Consider current and projected business conditions—Current and projected economic and business conditions can have a distinct impact on IRMS strategy development. If your enterprise is currently or projected to contract or operate in an extremely cost-cautious manner, develop a strategy that accounts for this situation. Even when considering areas such as compliance, where many IRMS professionals assume their organizations will have to invest to ensure alignment, it is important to identify contingencies in cases where they are unwilling or unable to do so.
Alternatively, if your enterprise is currently or plans to be operating in a business growth and expansion mode, this is an ideal time to invest in programs and capabilities that will ensure alignment with business needs and expectations. When developing strategies in either scenario, it is important to identify and validate the business value of your proposed strategy to gain the support of your enterprise’s leadership and program sponsors.
- Ensure the strategy can be implemented and operate successfully with your existing budget and resources—A common mistake made in the development of IRMS strategy is to assume that enhanced funding will be provided or sustained as part of its execution. Business conditions and information risk appetites of organizations can change quickly. IRMS can be an easy target for budget and resource adjustments. If the foundation of your strategy is based on the use of your current budget and resource allocation, your IRMS program and its capabilities will be more resilient during these types of fluctuations. Components of your strategy that require expanded budget and staff should be developed as modular initiatives whose business value can be clearly understood and monitored, but also easily adjusted if business conditions change.
John P. Pironti, CISA, CISM, CGEIT, CRISC, CISSP, ISSAP, ISSMP, is the president of IP Architects LLC.
Build Your Own COBIT 5 Conference Within a Conference
Want to learn more about COBIT 5, COBIT® 5 for Information Security and introductory details for COBIT® 5 for Risk? Now you can! Attend the European Computer Audit, Control and Security (CACS) and Information Security and Risk Management (ISRM) Conference from 10-12 September 2012 in Munich, Germany.
With the Introduction to COBIT 5 Workshop as well as seven individual sessions focused on COBIT 5, you will leave EuroCACS/ISRM with a better understanding of ISACA’s newest framework.
Individual sessions will explore the following topics:
- Using COBIT 5 to manage information security
- Debating strategic IT assurance based on COBIT
- Discussing how COBIT 5 for Information Security will provide your enterprise with more comprehensive information security frameworks, good practices and standards
- Discussing coverage and assurance
- Transitioning from COBIT 4.1 to COBIT 5
Also, the Introduction to COBIT 5 Workshop is offered as a one-day workshop at two different times, prior to or following EuroCACS/ISRM, enabling participants to attend the one that best fits their schedule.
This workshop has been designed to provide you with a professional education opportunity to learn more about how to effectively transition to or implement COBIT 5 in your enterprise.
Build your own “COBIT 5 conference within a conference” by attending all or several of these sessions. Enhance your conference experience by exchanging your ideas with the COBIT experts in the COBIT Lounge.
Register now for EuroCACS/ISRM, a must-attend event!
Acquire Your Copy of Calculating Cloud ROI: From the Customer Perspective
ISACA White Paper is Available for Complimentary Download
Calculating Cloud ROI: From the Customer Perspective examines the marketing claim that cloud computing can help any enterprise meet most IT service needs at a lower total cost of ownership (TCO) and higher return on investment (ROI). However, the promise of the cloud requiring minimal capital investment and the subjectivity of some cloud benefits have created confusion among IT professionals trying to determine whether to adopt cloud services.
Calculating Cloud ROI: From the Customer Perspective suggests that calculating ROI for cloud services requires some up-front work to understand business requirements, organizational maturity, control considerations, and regulatory requirements, and to quantify benefits and costs associated with the cloud model the enterprise has selected. It is also important to consider that strategic benefits could be more subjective and may require additional analysis to measure their financial impact. To determine if the cloud is a viable option, it is necessary to separate the hype from reality. Moreover, calculating ROI does not need to be complex; it is only an estimate to support investment decisions. However, it must be accurate and based on realistic expectations.
Tips on Testing Auditing Applications
ISACA Journal volume 4 author Tommie W. Singleton, Ph.D., CISA, CGEIT, CITP, CPA, provides useful tips for IT professionals to test auditing applications using computer-assisted audit techniques (CAATs) and the ETL (extract, transform and load) process to determine if the applications are working properly or are producing flawed data or errors:
- CAATs—Are helpful in conducting procedures such as data mining that examine the data posted by the application to determine if the application’s controls are working, and if the application itself is working properly or has produced any errors. CAATs are also useful in analyzing data for objectives such as data integrity and could be used to re-perform automatic calculations or automatic reconciliations.
- Data mining—Could be used to support the audit objectives. In particular, it is useful in conducting IT-related substantive procedures, such as testing approvals or classification errors related to proper codes.
- Purchase order thresholds—Any time an application involves a threshold where initial/additional approval is needed, CAATs are useful in determining if that control is operating effectively. For instance, if the application handles either purchase orders or disbursements, and if purchases and payments are one-to-one (i.e., disbursements are paid by invoice and not statements), a simple test of extracting all disbursements over the threshold and matching them against the data file containing the approval (e.g., purchase order file) would expose any exceptions to the control/threshold. This also has the added benefit of fraud detection if someone is deliberately circumventing the threshold to perpetrate a fraud.
- Inventory anomalies—If the application is recording receipt of inventory, CAATs could be used to show whether the application allows zero or negative quantities to be recorded. Obviously that constitutes an error (anomaly) and, thus, the application would be seen as containing a control deficiency and in need of either a change in the application or a compensating control. There are other applications that could make use of this test.
Second, if the application is a file maintenance program, the system would (hopefully) minimize situations in which an employee could make undocumented changes to the inventory data that lead to discrepancies and data errors. Controls are needed to prevent this anomaly. For example, use of logical segregation of duties (SoD) could limit employees who can make file maintenance changes. Also, the application/system could track changes by recording data before the change and after the change. Without such tracking, employees could falsify changes and create errors or fraud in the data. Data mining could spot differences in account balances by taking the beginning balance, adding up all transactions and verifying the sum against the ending balance. A similar situation exists for any file maintenance application.
- ETL—Is useful in detecting flawed data that can be traced back to the application that produced it and, thus, provide the opportunity to correct the flaw in the application.
- Tests of controls—Some possible tests of controls include reconciliation, recalculation, duplication and gaps.
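As an added illustration (not from Singleton’s article), the following Python runs the tests described above over constructed sample data: the disbursement-over-threshold match against an approved purchase order file, the zero/negative inventory quantity check, the beginning-balance-plus-transactions roll-forward, and the duplicate and gap tests on document numbers. The record layouts, the 5,000 approval threshold and the sample values are assumptions made for this example.

```python
"""CAAT-style tests over constructed audit data (example code, not from the article)."""
from collections import Counter

APPROVAL_THRESHOLD = 5000.0  # assumed: disbursements above this require an approved PO

# Constructed sample files: disbursements, the approved PO file, inventory
# receipts and a ledger roll-forward. Comments mark the planted exceptions.
DISBURSEMENTS = [
    {"doc": 1001, "vendor": "V1", "amount": 4200.00, "po": "PO-1"},
    {"doc": 1002, "vendor": "V2", "amount": 7500.00, "po": "PO-2"},
    {"doc": 1002, "vendor": "V2", "amount": 7500.00, "po": "PO-2"},  # duplicate document
    {"doc": 1004, "vendor": "V3", "amount": 9100.00, "po": None},    # over threshold, no PO; 1003 missing
    {"doc": 1005, "vendor": "V4", "amount": 6000.00, "po": "PO-9"},  # PO not in approved file
]
APPROVED_POS = {"PO-1", "PO-2"}
RECEIPTS = [{"item": "A", "qty": 10}, {"item": "B", "qty": 0}, {"item": "C", "qty": -3}]
LEDGER = {"begin": 1000.0, "transactions": [250.0, -100.0, 75.0], "end": 1200.0}


def threshold_exceptions(disbursements, approved_pos, threshold):
    """Document numbers of payments over the threshold with no matching approved PO."""
    return [d["doc"] for d in disbursements
            if d["amount"] > threshold and d["po"] not in approved_pos]


def quantity_anomalies(receipts):
    """Items whose receipt was recorded with a zero or negative quantity."""
    return [r["item"] for r in receipts if r["qty"] <= 0]


def rollforward_difference(ledger):
    """Beginning balance plus all transactions, less the ending balance (0.0 when it ties)."""
    return round(ledger["begin"] + sum(ledger["transactions"]) - ledger["end"], 2)


def duplicates_and_gaps(disbursements):
    """Duplicate document numbers, and numbers missing from the observed sequence."""
    nums = sorted(d["doc"] for d in disbursements)
    dups = sorted(n for n, c in Counter(nums).items() if c > 1)
    gaps = sorted(set(range(nums[0], nums[-1] + 1)) - set(nums))
    return dups, gaps


if __name__ == "__main__":
    print("threshold exceptions:", threshold_exceptions(DISBURSEMENTS, APPROVED_POS, APPROVAL_THRESHOLD))
    print("quantity anomalies:", quantity_anomalies(RECEIPTS))
    print("roll-forward difference:", rollforward_difference(LEDGER))
    print("duplicates, gaps:", duplicates_and_gaps(DISBURSEMENTS))
```

Each function returns the exception population rather than a pass/fail flag, so the auditor can trace every item back to the source record that produced it.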
Read Tommie W. Singleton’s full article, “Auditing Applications, Part 2,” in the ISACA Journal, in which you will also find additional coverage of timely and relevant issues affecting the ISACA professional communities.