Stakeholders expect that businesses create value, but at what cost? In the end, stakeholders and businesses are looking for the same thing: to protect their future. Information technology plays an important role. It can be a solution or part of the problem depending on how it is governed and managed.
COBIT 5 can be used to help enterprises create value for their stakeholders, including sustainable development in their goals and in the governance and management of IT (GEIT):
During the last few years, companies have evolved rapidly through the adoption of new technologies, devices and habits that improve the business on one hand, but also make them more vulnerable to cyberattacks on the other. As the attack surface expands and cyberattacks evolve using different techniques and vectors, companies need to adapt their assessment methodologies, going beyond traditional vulnerability and malware identification or data loss prevention.
For example, consider advanced persistent threats (APT). They are probably the most dangerous threats. They target specific companies and rely on social engineering as the main vector to gain access to internal information and communications technology (ICT) systems. In order to face these threats, companies should start considering tools or methodologies to evaluate their risk and the real extent of their exposure. What makes a corporation an attractive target? Could the employees effectively withstand an advanced social engineering attack? How simple is it to perform a technological attack against workstations? What kind of information is reachable, and which assets are exploitable through hidden backdoors?
Recently, with the goal of combating anorexia, French lawmakers voted in favor of a measure that would ban excessively thin fashion models from the runway and potentially fine their employers. The law would forbid anyone under a certain body mass index (BMI) from working as a runway model. In addition to protecting models from the risk of being thin at any cost, the law would indirectly (ideally) protect adolescents from aspiring to be like fashion models and possibly developing eating disorders. So, a new set of rules is born in France. Although not directly relevant to information ethics, this story highlights the role of rules in everyday life. My recent Journal column has examples of rules as they relate to information ethics.
Process automation is an important part of any tool kit for enforcing governance, whether for business or IT. It is also one that is rarely considered, which is unfortunate because the benefits of automation for risk, audit and compliance are manifold. Automated processes typically document what they do as part of completing a task, providing clear, auditable logs that show what was done, when and by whom. With increased automation, organizations reduce the potential for manual errors and increase the speed of regularly occurring tasks or those that span a broad range of systems. This increase in efficiency leads to greater consistency, reliability and, ultimately, a better quality of service for the business.
Information technology systems require a security policy that includes both information and communication in a balanced way. This policy should take technical, human and behavioral aspects into account in order to mitigate potential threats and vulnerabilities.
Our recent Journal article aims to present best practices for building a security policy for information and communication (SPIC) within the federal public administration organizations of Brazil. This approach checks whether organizations comply with best practices in developing their information and communication security policies. It also provides a comparative study in order to evaluate the maturity of these essential security policies. The study draws on a collection of articles and papers on information security policies and communication security policies from federal administration organizations.