ISACA Journal Author Blog


Information Security Controls

Published: 4/11/2011 8:08 AM
Hui Lin, Ph.D., and Meghann Abell Cefaratti, Ph.D.
According to the American Institute of Certified Public Accountants (AICPA)’s Annual Top Technology Initiatives survey conducted in 2010, information security management continues to be the most important initiative affecting IT strategy, investment and implementation in business organizations. To better understand how organizations are using IT controls, we developed a survey to gauge IT auditor perceptions on the prevalence of specific information security controls, as outlined by ISO 27002 (formerly ISO 17799) Information technology—Security techniques—Code of practice for information security management, supported by IT in their organizations. We received support from both ISACA and The Institute of Internal Auditors (The IIA). Survey responses were collected from 154 IT auditors who were asked to rate, on a 5-point scale, the prevalence of 107 information security controls outlined in ISO 27002. As a majority of the survey participants from The IIA were internal auditors, we also analyzed responses from chief audit executives (CAEs) who oversee organizations’ internal audit functions.
Per the results of the survey, a majority of the most frequently implemented controls are related to the Communications and Operations Management and Information Access Control Management sections of ISO 27002. Physical and environmental security controls were commonly mentioned among the least frequently implemented information security controls by IT auditors. See our article “The Prevalence of Information Security Controls: Perspectives From IT Auditors” for the full survey results.
After viewing the results through a cohesive organizational lens, we gained an appreciation for the high level of intersection between the roles IT auditors play in an organization, usually as members of internal audit, and those of CAEs, as leaders of internal audit, often with IT auditors as part of the internal audit team. Therefore, we were excited to read about the Memo of Understanding between ISACA and The IIA that was discussed in the 8 November 2010 press release from ISACA and the 29 October 2010 joint blog post from Susan Caldwell, chief executive officer (CEO) of ISACA, and Richard Chambers, president and CEO of The IIA. Encouraging participation in continuing education programs offered by both organizations should result in cross-training that will benefit organizations’ control environments. Identifying and learning about risk management from multiple viewpoints may mitigate overall risk faced by organizations.
Read Hui Lin, Meghann Abell Cefaratti and Linda Wallace’s recent Journal article:
“The Prevalence of Information Security Controls: Perspectives From IT Auditors,” JournalOnline, ISACA Journal, volume 2, 2011

