ERE Information Security Auditors

Posts Tagged ‘IT Governance’

IT Security Micro Governance – A Practical Alternative Part 1

Tuesday, December 22nd, 2009

This week’s blog is the first of a three-part series about my idea for an expedited method of implementing IT security Governance. Your feedback would be most appreciated.

Executive Summary

IT Governance is difficult for most organizations to initiate and maintain, because it is an ongoing process; this is particularly true for medium and small institutions. There are many subject experts, vendors, and consultants that cater to implementation, but the inherent difficulties and complexities make implementation an elusive goal for many.

Since Governance is, by definition, strategic and focused over long timeframes, it is not designed to deal with unexpected and potentially costly IT security threats, threats which can evolve into costly security events. A distraught client once described how a serious access breach within his organization could have been prevented if senior management had evaluated and acted upon his impromptu but appropriate recommendations to harden access controls. The author proposes a modified process for responding to threats whose mitigation requires funds exceeding the annual IT security budget. I call this micro-Governance.

Definitions of IT Governance

IT Governance is a subset discipline of Corporate Governance focused on information technology (IT) systems, their performance and their risk management. Various bodies of authority on the subject publish similar definitions of IT Governance, each with its own emphasis of intent. Four prominent authorities define IT governance on their web sites as follows:

1. ISACA: …provide the leadership, organizational structures and processes that ensure that the enterprise’s IT sustains and extends the enterprise’s strategies and objectives.
2. ITGI:… an effective IT governance framework that addresses strategic alignment, performance measurement, risk management, value delivery and resource management.
3. Forrester: … The act of establishing IT decision structures, processes, and communication mechanisms in support of the business objectives and tracking progress against fulfilling business obligations efficiently and consistently.
4. MIT Sloan School of Management:  IT governance is the process by which firms align actions with their performance goals and assign accountability for those actions and their outcomes.

The three predominant frameworks for implementing IT Governance are provided by ISACA, ITIL and ISO. In a more granular view, the ISO 38500:2008 guiding principles are organized into three prime sections, specifically Scope, Framework and Guidance. The framework comprises definitions, principles and a model. It sets out six principles for good corporate governance of IT:

* Responsibility
* Strategy
* Acquisition
* Performance
* Conformance
* Human behaviour

Significance of IT Security Governance for Compliance

Compliance violations may attract all manner of liability directly affecting a governance committee, such as fines and confinement for SOX, revocation of interconnection agreements with electrical utilities for NERC CIP, and violation notices from third party auditors for COBIT.

Examples of well known regulatory frameworks and compliance standards are as follows:
* Financial – SOX, Bill 109, Basel II, PCI, SAS 70
* Electrical Infrastructure for North America – NERC CIP
* Privacy – PIPEDA, Red Flag, GLB
* Industry Best Practices – COBIT, ITIL

Next week’s blog will cover the problems caused by insufficient Governance and the root causes of this problem.

Have a secure week.

Regards, Ron Lepofsky, B.A. SC. (Mech Eng), CISSP
ERE Information Security Auditors

www.ere-security.ca

Micro IT Governance to Really Achieve Compliance Part 2

Tuesday, December 8th, 2009

Last week I posted a rough draft of part 1 of 2 of an article devoted to a concept I am creating called Micro-Governance. Next week’s post is part 2 of 2. I would greatly appreciate your ideas / feedback / constructive criticism. Thank you in advance for sharing your ideas with me.

Barriers to implementing IT Governance

  • All encompassing scope
  • Complex Project Portfolio Management (PPM)
  • Expensive
  • Time consuming
  • Risk is very difficult to quantify
  • False sense of security confuses cost justifying security budgets
  • Turf wars over accepting / relegating ownership of responsibilities
  • Maintaining longevity of the process

Micro-Governance: a practical alternative

  • Minimizes liability of executives / board
  • Facilitates communication between Governance and the Security Team regarding cost justification of budget
  • Provides a regular opportunity for the Security Team to convey top priorities with requests for executive authorization
  • Minimizes decision time and frustration levels by identifying bite-sized issues
  • Quantifies the few most threatening risks
  • Creates a virtual team with responsibility to mitigate and report
  • Measures the results
  • Authorizes / funds the virtual team

Call to Action

  • CEO and CIO discuss a few top-priority IT security risks that require immediate decisions / funding.
  • Formally create a micro-Governance process to address each risk.
  • Engage a third party advisor to expedite the process.
  • Create a small virtual team to manage each risk management process.
  • Assign other management and employees as appropriate to the virtual team.
  • Identify a timeline to complete the project.
  • Identify a mechanism to test the degree of success of the mitigation.
  • Identify a timeline to report the degree of success back to the IT Governance Committee.

Assess Financial Cost of Risk and Residual Risk

  • Document the technical risks.
  • Translate them into business risks.
  • Utilize a straw poll for executives to estimate the cost of liability should the risks become realities.
  • Utilize a straw poll for technology experts to estimate the % chance of a one-time occurrence, both before and after mitigation steps are applied.
  • Compare the cost of risk vs. residual risk to the cost of mitigation.
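The costing steps above can be carried through mechanically once the straw polls are collected. The following is an added example, not code from the original post: it aggregates each poll with the median (an assumption; the post does not say how to combine votes), computes the expected cost of risk before and after mitigation as probability × liability, and recommends funding when the expected reduction exceeds the mitigation cost (also an assumption, chosen as one reasonable reading of "compare the cost of risk vs. residual risk to the cost of mitigation"). The risk names, estimates and dollar figures are constructed sample data.

```python
"""Straw-poll risk costing for a micro-Governance review.

Added example (not from the original post). Inputs per risk:
  - executive straw poll: liability cost in dollars if the risk is realised
  - technologist straw poll: probability of a one-time occurrence,
    before and after the proposed mitigation
  - estimated cost of the mitigation itself
Aggregation by median and the net-benefit decision rule are assumptions.
"""
from dataclasses import dataclass
from statistics import median
from typing import List


@dataclass
class Risk:
    name: str                       # technical risk, as documented by the security team
    business_risk: str              # the same risk translated into business terms
    liability_estimates: List[float]  # executive poll: cost of liability (dollars)
    p_before_estimates: List[float]   # expert poll: P(one-time occurrence) unmitigated
    p_after_estimates: List[float]    # expert poll: P(one-time occurrence) mitigated
    mitigation_cost: float          # cost to fund the virtual team's mitigation


def straw_poll(values: List[float]) -> float:
    """Combine individual votes; the median resists a single outlier estimate."""
    if not values:
        raise ValueError("straw poll needs at least one vote")
    return float(median(values))


def assess(risk: Risk) -> dict:
    """Cost of risk, residual risk and net benefit of mitigating one risk."""
    liability = straw_poll(risk.liability_estimates)
    p_before = straw_poll(risk.p_before_estimates)
    p_after = straw_poll(risk.p_after_estimates)
    # Sanity checks: probabilities must be valid and mitigation must not make things worse.
    if not (0.0 <= p_after <= p_before <= 1.0):
        raise ValueError(f"{risk.name}: inconsistent probability estimates")
    cost_of_risk = round(p_before * liability, 2)     # expected loss, unmitigated
    residual_risk = round(p_after * liability, 2)     # expected loss, after mitigation
    risk_reduction = round(cost_of_risk - residual_risk, 2)
    net_benefit = round(risk_reduction - risk.mitigation_cost, 2)
    return {
        "name": risk.name,
        "business_risk": risk.business_risk,
        "cost_of_risk": cost_of_risk,
        "residual_risk": residual_risk,
        "risk_reduction": risk_reduction,
        "mitigation_cost": risk.mitigation_cost,
        "net_benefit": net_benefit,
        "recommend": risk_reduction > risk.mitigation_cost,
    }


def prioritise(risks: List[Risk]) -> List[dict]:
    """Order assessments so the committee sees the highest net benefit first."""
    return sorted((assess(r) for r in risks), key=lambda a: a["net_benefit"], reverse=True)


# Constructed sample data for two hypothetical risks (not real figures).
SAMPLE_RISKS = [
    Risk(
        name="Shared admin credentials",
        business_risk="Unauthorised access to customer records; regulatory fines",
        liability_estimates=[400_000, 250_000, 600_000],
        p_before_estimates=[0.30, 0.20, 0.25],
        p_after_estimates=[0.05, 0.02, 0.05],
        mitigation_cost=30_000,
    ),
    Risk(
        name="Unpatched internal file server",
        business_risk="Loss of availability of internal documents",
        liability_estimates=[50_000, 80_000, 60_000],
        p_before_estimates=[0.50, 0.40, 0.60],
        p_after_estimates=[0.10, 0.10, 0.20],
        mitigation_cost=40_000,
    ),
]

if __name__ == "__main__":
    for a in prioritise(SAMPLE_RISKS):
        verdict = "fund" if a["recommend"] else "defer"
        print(f"{a['name']}: cost of risk {a['cost_of_risk']:,.0f}, "
              f"residual {a['residual_risk']:,.0f}, mitigation {a['mitigation_cost']:,.0f}, "
              f"net benefit {a['net_benefit']:,.0f} -> {verdict}")
```

The output is one line per risk, highest net benefit first, which is the form a virtual team can bring back to the IT Governance Committee on the reporting schedule. The validation in `assess` catches the common straw-poll failure where the "after" probability is polled higher than the "before", which would otherwise silently produce a negative risk reduction.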

Create Longevity for the Micro-Governance Process(es)

  • Direct the virtual team(s) to continue monitoring and to report to the IT Governance Committee according to a defined schedule
  • Otherwise, dissolve the virtual team(s)

Sources of Information – Governance Authorities

Have a secure week.

Regards, Ron Lepofsky, B.A. SC. (Mech Eng), CISSP

ERE Information Security Auditors

www.ere-security.ca

Micro IT Governance to Really Achieve Compliance Part 1

Tuesday, November 17th, 2009

This week I am sharing with you a rough draft of part 1 of 2 of an article devoted to a concept I am creating called Micro-Governance. I would greatly appreciate your ideas / feedback / constructive criticism. Thank you in advance for sharing your ideas with me.

Executive Summary

IT Governance is difficult for most organizations, large and small, to initiate and to maintain as an ongoing process. There are many organizations, vendors, and consultants that cater to the needs of IT governance. Yet because of its inherent difficulties and complexities, IT Governance eludes most organizations. The author proposes a dramatically scaled-down approach: achieving and successfully implementing bite-sized pieces of the critical elements of the Governance process, aptly named Micro-Governance.

Definitions of IT Governance

Various bodies of authority on the subject publish similar definitions of IT Governance, each with its own emphasis of intent.  Three prominent authorities say the following:

  1. ISACA: …provide the leadership, organizational structures and processes that ensure that the enterprise’s IT sustains and extends the enterprise’s strategies and objectives.
  2. ITGI:… an effective IT governance framework that addresses strategic alignment, performance measurement, risk management, value delivery and resource management.

Significance of IT Governance for Compliance

IT Governance deals with the following subjects:

However, the scope of this whitepaper is confined to IT Governance as it applies to compliance to standards and regulations imposed by statutes and by governing bodies.

Compliance violations may attract all manner of liability directly affecting a governance committee, such as fines and confinement for SOX, revocation of interconnection agreements with electrical utilities for NERC CIP, and violation notices from third party auditors for COBIT.

Legal Counsel and external auditors recommend compliance with standards and regulations:

  • Financial – SOX, Bill 109, PCI, SAS 70
  • Electrical Infrastructure for North America – NERC CIP
  • Privacy – PIPEDA, Red Flag, GLB
  • Industry Best Practice Standards – COBIT, ITIL

Insufficient Governance Impedes the Security Team

  • Slows decision making
  • Inhibits communication of risk and associated financial loss from the IT Security Team
  • Inhibits attaining a sufficient IT security budget

Have a secure week.

Regards, Ron Lepofsky, B.A. SC. (Mech Eng), CISSP

ERE Information Security Auditors

www.ere-security.ca

Sources of Information – Governance Authorities


Copyright © 2007-2008. All rights reserved.