
11.28.06


Managing Risk In Information Technology

By Alan Calder

As information technology increasingly falls within the scope of corporate governance, management must increasingly focus on managing the risks to the achievement of its business objectives.

There are two fundamental components of effective management of risk in information and information technology: the first relates to an organization's strategic deployment of information technology in order to achieve its corporate goals; the second relates to risks to the information assets themselves. IT systems usually represent significant investments of financial and executive resources. The way in which they are planned, managed and measured should therefore be a key management accountability, as should the way in which risks associated with information assets themselves are managed.

Clearly, well managed information technology is a business enabler. Every deployment of information technology brings with it immediate risks to the organization and, therefore, every director or executive who deploys, or manager who makes any use of, information technology needs to understand these risks and the steps that should be taken to counter them.

ITIL, the Information Technology Infrastructure Library, has long provided an extensive collection of best practice IT management processes and guidance. In spite of an extensive range of practitioner-orientated certified qualifications, it is not possible for any organization to prove - to its management, let alone an external third party - that it has taken the risk-reduction step of implementing best practice.

More than that, ITIL is particularly weak where information security management is concerned - the ITIL book on information security really does no more than refer to a now very out-of-date version of ISO 17799, the information security code of practice.

The emergence of the international Information Security Management (ISO 27001) and IT Service Management (ISO 20000) standards changes all this. They make it possible for organizations that have successfully implemented an ITIL environment to be externally certificated as having information security and IT service management processes that meet an international standard; organizations that demonstrate - to customers and potential customers - the quality and security of their IT services and information security processes achieve significant competitive advantages.

Information Security Risk

The value of an independent information security standard may be more immediately obvious to the ITIL practitioner than an IT service management one. The proliferation of increasingly complex, sophisticated and global threats to information security, in combination with the compliance requirements of a flood of computer- and privacy-related regulation around the world, is driving organizations to take a more strategic view of information security. It has become clear that hardware-, software- or vendor-driven solutions to individual information security challenges are, on their own, dangerously inadequate. ISO/IEC 27001 (formerly BS 7799) helps organizations make the step to systematically managing and controlling risk to their information assets.

IT Process Risk

IT must be managed systematically to support the organization in achieving its business objectives, or it will disrupt business processes and undermine business activity. IT management, of course, has its own processes - and many of these processes are common across organizations of all sizes and in many sectors. Processes deployed to manage the IT organization itself need both to be effective and to ensure that the IT organization delivers against business needs. IT service management is a concept that embraces the notion that the IT organization (known, in ISO/IEC 20000 as in ITIL, as the "service provider") exists to deliver services to business users, in line with business needs, and to ensure the most cost-effective use of IT assets within that overall context. ITIL, the IT Infrastructure Library, emerged as a collection of best practices that could be used in various organizations. ISO/IEC 20000, the IT service management standard, provides a best-practice specification that sits on top of the ITIL.

Regulatory and Compliance Risk

All organizations are subject to a range of information-related national and international legislation and regulatory requirements. These range from broad corporate governance guidelines to the detailed requirements of specific regulations. UK organizations are subject to some, or all, of:

• Combined Code and Turnbull Guidance (UK)
• Basel II
• EU data protection and privacy regimes
• Sectoral regulation: FSA (1), MiFID (2), AML (3)
• Human Rights Act, Regulation of Investigatory Powers Act
• Computer misuse regulation

Those organizations with US operations may also be subject to US regulations such as Sarbanes-Oxley and SEC regulations, as well as sectoral regulation such as GLBA (4), HIPAA (5) and the USA PATRIOT Act. Most organizations are possibly also subject to US state laws that appear to have wider applicability, including SB 1386 (California Information Practice Act) and OPPA (6). Compliance depends as much on information security as on IT processes and services.


About the Author:
Alan Calder is an international authority on IT Governance and information security management. He led the world's first successful implementation of BS 7799, the information security management standard upon which ISO 27001 is based, and wrote the definitive compliance guide for this standard, IT Governance: A Manager's Guide to Data Security and BS7799/ISO17799.

About ITProNews
News and updates for the IT professional


-- ITProNews is an iEntry, Inc. publication --
iEntry, Inc. 2549 Richmond Rd. Lexington KY, 40509
©2006 iEntry, Inc. All Rights Reserved
