ERE Information Security Auditors

Micro IT Governance to Really Achieve Compliance Part 2

Last week I posted a rough draft of part 1 of 2 of an article devoted to a concept I am creating called Micro-Governance. Next week's post is part 2 of 2; I would greatly appreciate your ideas / feedback / constructive criticism. Thank you in advance for sharing your ideas with me.

Barriers to implementing IT Governance

  • All encompassing scope
  • Complex project portfolio management (PPM)
  • Expensive
  • Time consuming
  • Risk is very difficult to quantify
  • A false sense of security confuses the cost justification of security budgets
  • Turf wars over accepting / relegating ownership of responsibilities
  • Maintaining longevity of the process

Micro-Governance: a practical alternative

  • Minimize liability of executives / board
  • Facilitates communications between Governance and the Security Team regarding cost justification of budget
  • Provides a regular opportunity for the Security Team to convey top priorities with requests for executive authorization
  • Minimizes decision time and frustration levels by identifying bite-sized issues
  • Quantify the few most threatening risks
  • Create a virtual team with responsibility to mitigate and report
  • Measure the results
  • Authorize / fund the virtual team

Call to Action

  • CEO and CIO discuss a few top-priority IT security risks that require immediate decisions / funding.
  • Formally create a Micro-Governance process to address each risk.
  • Engage a third-party advisor to expedite the process.
  • Create a small virtual team to manage each risk management process.
  • Assign other management and employees as appropriate to the virtual team.
  • Identify a timeline to complete the project.
  • Identify a mechanism to test the degree of success of the mitigation.
  • Identify a timeline to report the degree of success back to the IT Governance Committee.

Assess Financial Cost of Risk and Residual Risk

  • Document the technical risks.
  • Translate them into business risks.
  • Utilize a straw poll for executives to estimate the cost of liability should the risks become realities.
  • Utilize a straw poll for technology experts to estimate the percentage chance of a one-time occurrence, both before and after mitigation steps are applied.
  • Compare the cost of risk and the residual risk to the cost of mitigation.
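The comparison the five steps above describe can be carried out with a small calculation: aggregate each straw poll, multiply the estimated liability by the estimated probability of occurrence before and after mitigation, and set the resulting reduction in expected loss against the cost of the mitigation. The following Python is an added example, not code from the original post or from ERE; the three risks, the vote values and the use of the median as the poll aggregate are all constructed assumptions for illustration.

```python
"""Compare cost of risk, residual risk and cost of mitigation from straw polls.

Added example, not part of the original post. Executives vote on the dollar
liability if a risk is realised; technology experts vote on the probability of
a one-time occurrence before and after mitigation. Each poll is aggregated
with the median (an assumption: one outlier vote cannot drag the result), and
the expected-loss reduction is compared with the mitigation cost.
All figures below are constructed sample values.
"""
from statistics import median


def aggregate_votes(votes):
    """Aggregate one straw poll into a single estimate (median, by assumption)."""
    if not votes:
        raise ValueError("straw poll needs at least one vote")
    return median(votes)


def assess_risk(name, liability_votes, p_before_votes, p_after_votes, mitigation_cost):
    """Return the cost-of-risk comparison for one technical risk.

    liability_votes : executives' estimates of the loss if the risk is realised ($)
    p_before_votes  : experts' estimated probability of a one-time occurrence now (0..1)
    p_after_votes   : the same probability after the mitigation is applied (0..1)
    mitigation_cost : cost of the mitigation project ($)
    """
    liability = aggregate_votes(liability_votes)
    p_before = aggregate_votes(p_before_votes)
    p_after = aggregate_votes(p_after_votes)
    for p in (p_before, p_after):
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"probability out of range: {p}")
    cost_of_risk = round(liability * p_before, 2)    # expected loss, unmitigated
    residual_risk = round(liability * p_after, 2)    # expected loss, after mitigation
    risk_reduction = round(cost_of_risk - residual_risk, 2)
    net_benefit = round(risk_reduction - mitigation_cost, 2)
    return {
        "name": name,
        "liability": liability,
        "cost_of_risk": cost_of_risk,
        "residual_risk": residual_risk,
        "mitigation_cost": mitigation_cost,
        "net_benefit": net_benefit,
        # Mitigation is cost-justified when it removes more expected loss than it costs.
        "justified": net_benefit > 0,
    }


def rank_risks(assessments):
    """Order by unmitigated cost of risk so the few most threatening risks surface first."""
    return sorted(assessments, key=lambda a: a["cost_of_risk"], reverse=True)


# Constructed sample straw polls for three hypothetical risks.
SAMPLE_RISKS = [
    dict(name="Unpatched internet-facing server",
         liability_votes=[500_000, 750_000, 600_000],
         p_before_votes=[0.40, 0.30, 0.35],
         p_after_votes=[0.05, 0.10, 0.05],
         mitigation_cost=40_000),
    dict(name="Unencrypted laptops",
         liability_votes=[200_000, 250_000, 150_000],
         p_before_votes=[0.50, 0.60, 0.40],
         p_after_votes=[0.10, 0.05, 0.10],
         mitigation_cost=30_000),
    dict(name="Legacy application without vendor support",
         liability_votes=[100_000, 120_000, 80_000],
         p_before_votes=[0.20, 0.10, 0.15],
         p_after_votes=[0.02, 0.05, 0.02],
         mitigation_cost=60_000),
]


def assess_all(risks=SAMPLE_RISKS):
    """Assess every risk in the portfolio and rank by cost of risk."""
    return rank_risks([assess_risk(**r) for r in risks])


if __name__ == "__main__":
    print(f"{'Risk':<42}{'Cost of risk':>14}{'Residual':>12}{'Mitigation':>12}{'Net':>12}  Justified")
    for a in assess_all():
        print(f"{a['name']:<42}{a['cost_of_risk']:>14,.0f}{a['residual_risk']:>12,.0f}"
              f"{a['mitigation_cost']:>12,.0f}{a['net_benefit']:>12,.0f}  {a['justified']}")
```

With the constructed votes, the first two mitigations remove more expected loss than they cost and the third does not, which is the kind of bite-sized, fundable decision the Micro-Governance process is meant to put in front of the executive.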

Create Longevity to the Micro-Governance Process(es)

  • Direct the virtual team(s) to continue monitoring and to report to the IT Governance Committee according to a defined schedule.
  • Otherwise, dissolve the virtual team(s).

Sources of Information – Governance Authorities

Have a secure week.

Regards, Ron Lepofsky, B.A. SC. (Mech Eng), CISSP

ERE Information Security Auditors

www.ere-security.ca
