Active Software Escrow's Usefulness for Companies Embracing COBIT 5
By Andrew Stekhoven
COBIT Focus, Volume 3, July 2012

Come join the discussion! Andrew Stekhoven will be responding to questions in the discussion area of the COBIT 5 Use It Effectively topic beginning 23 July.

IT governance is integral to the success of overall enterprise governance because it integrates and institutionalises optimal ways of planning and organising, acquiring and implementing, delivering and supporting, and monitoring and evaluating the IT function and its performance. The latest edition of ISACA's globally accepted framework, COBIT 5, provides an end-to-end business view of the governance and management of enterprise IT (GEIT) that reflects the central role of information and technology in creating value for enterprises. The principles, practices, analytical tools and models found in COBIT 5 embody thought leadership and guidance from business, IT and governance experts around the world.

As in previous editions of COBIT, COBIT 5 contains several references to software escrow. Software escrow (specifically, active software escrow) has been described by Gartner as a smart and effective way for software licensees (that is, all businesses and organisations utilising IT) to protect their mission-critical applications in an ever-changing environment: "[Software escrow] is an insurance policy to make sure you have access to that source code should that vendor no longer maintain that software for your organization, so [it] gives you an alternative." [1]

This article defines active escrow, highlights its benefits for user organisations as well as software developers, and explains where and how active software escrow underpins COBIT 5 objectives, using three examples.

Defining Active Software Escrow

IT systems and software products are never bug-free, complete or static in their development cycle.
For there to be any form of maintenance or further development of the software (that is, business continuity for the vital business process or function that it supports), there has to be access to the source code of that mission-critical software. Active software escrow is a legally binding agreement between the user of the IT system, the supplier of the IT system and an independent escrow service provider, under which the software source code and the technical documentation related to the services provided are not only kept safe, but are also professionally verified and updated on a routine basis. If certain conditions specified in the agreement come to pass, the escrow agent releases the source code, and any other technology or documentation named in the agreement, to the user company.

In an active software escrow agreement:
- The supplier deposits its intellectual property with the escrow agent (a neutral and independent trusted third party) for the future, conditional benefit of the user company in the event of a trigger condition defined in the escrow agreement.
- The escrow agent verifies and holds the deposited material in escrow.
- Under the specific conditions set out in the escrow agreement, the escrow agent is authorised to release the material to the user company, specifically for the purposes of the user company's business continuity.

The Benefits of Active Software Escrow

For many medium-sized and large user companies, the business case for active software escrow is excellent, considering:
- The value of the business processes and revenue streams that depend on the software platforms concerned
- The value of the investments made in, for example, the software product, the implementation project, training, support and maintenance
- The magnitude of reputational, consequential and other damage in the event of business disruption due to mission-critical IT system failure

For the larger software or IT system developer, active software escrow:
- Reinforces ownership rights in the source code, which is typically its most valuable asset, by providing the developer with documentation when securing a patent claim, significant assistance in an infringement suit and robust proof to support an intellectual property copyright claim
- Mitigates the permanent loss of critical source code and related technical documentation, since having the most valued asset in escrow with a neutral third party provides an alternative to disaster in the event of an emergency
- Reduces dependency on key employees who may hoard rather than share information

For the small and medium-sized enterprise (SME) or software developer, software escrow:
- Could open new markets by providing potential customers with security (smaller information and communications technology [ICT] suppliers are often precluded from tendering for major projects, despite their expertise and intellectual property, because the contracting organisation believes it is less risky to deal with large, established firms)
- Ensures business continuity should those with whom the intellectual property resides leave the company or be unable to fulfil their work obligations because of illness or death

Active Software Escrow Can Support Effective Implementation of COBIT 5 Guidance

Current protocols such as COBIT and King III recognise that IT has become an integral part of doing business today; it is fundamental to the support, sustainability and growth of organisations.
Developing an understanding of COBIT 5 and how it can be leveraged to lead IT organisations and mitigate IT-related risk is an advantage that any chief information officer (CIO) can acquire. Doing so will establish credibility with external auditors, the audit committee, shareholders and executive management. And knowing where to utilise active software escrow can assist the CIO in implementing COBIT 5 guidance effectively. The following are three instances where active software escrow underpins COBIT 5.

Instance 1: APO10.04 Manage Supplier Risk

APO10.04 Manage supplier risk, in the COBIT 5 process reference guide, states that the organisation must identify, monitor and, where appropriate, manage risk relating to the supplier's ability to deliver service efficiently, effectively, securely, reliably and continually. Partnering with a professional active software escrow service provider can assist the organisation in meeting these requirements. Based on industry best practice, it can:
- Define the contract to provide for potential service risk by clearly defining service requirements
- Consider alternative suppliers or standby agreements to mitigate possible supplier failure
- Address the security and protection of intellectual property (IP)
- Take into account any legal or regulatory requirements within the countries in which the organisation and the supplier company are trading

By ensuring that business-critical assets are held in escrow, the user company is protected in the event that a key supplier cannot meet its contractual obligations. Upon such a failure, the materials can be released to the user organisation safely, minimising disruption, time and cost. Ultimately, escrow is a smart, simple way of managing risk and demonstrating holistic corporate governance.
For example, Fedict, the Belgian Federal State Service for Information and Communication Technology, elected to utilise active software escrow to secure, in all circumstances, the use of the software it relies on to deliver e-government services. Fedict's software applications, as well as those developed by Fedict for other federal government services, are essential applications whose use must be guaranteed in all circumstances. Escrow is just one of the measures taken within a global framework to ensure continuity of these IT services. Under the Fedict agreement, the escrow agent acts as a neutral, independent third party that, in certain circumstances, would release the latest version of the licensed software held in escrow to Fedict so that its continued use of the software is guaranteed. Currently, all software suppliers to the Belgian federal government are subject to this escrow arrangement: they cannot do business with Fedict unless a complete set of source code, with the relevant technical documentation, has been lodged in escrow nominating Fedict as the legally entitled escrow beneficiary. In this way, Fedict is able to guarantee the continuity of its technology-dependent services to its stakeholders: the taxpaying public.

Instance 2: DSS04.07 Manage Backup Arrangements

DSS04.07 Manage backup arrangements, in the COBIT 5 process reference guide, requires the organisation, in order to ensure the availability of business-critical information, to make sure that systems, applications, data and documentation maintained or processed by third parties are adequately backed up or otherwise secured. COBIT 5 states: "Consider escrow or deposit arrangements." Once again, active software escrow is a simple solution for companies seeking to comply with COBIT 5, as opposed to passive escrow or untested escrow deposits. The latter are often useless when called upon to deliver business continuity in the face of the supplier's inability to continue supporting its technology. The passive approach to escrow or intellectual property custodianship involves passive custodians (such as banks, notaries and legal firms) physically holding a copy of the software, source code and documentation, but these custodians do not warrant that they are the correct or up-to-date versions. With active software escrow, the escrow agent verifies the deposited property at least once a year to warrant that the deposit contains what the supplier has committed to lodge. This provides proper reassurance that the material on deposit is up to date and usable.
Research has highlighted that as many as nine out of 10 unverified source code deposits held in escrow are useless and, therefore, unable to provide for a business's continuity should its software partner no longer be in a position to continue supporting the systems it has provided. [2] For example, one professional escrow agent offers three levels of technical verification and reporting, depending on how mission-critical the client considers the business application to be:

1. Basic technical integrity test: ensures that the deposited media are readable and contain the elements agreed upon in the escrow agreement.
2. Detailed technical integrity test: includes level 1, plus an analysis of the user environment to ensure that the deposited media contain the source code of the software actually used in the operational environment.
3. Full technical integrity test: includes levels 1 and 2, plus full compilation of the software, including representative testing of the compiled object code in a comparable hardware environment, to fully ensure that the media contain every element required within the operational environment.

The following example highlights why COBIT 5's insistence on verification is so important. A few years ago, the Lorenzo patient record system at the heart of Britain's £10 billion (US $25 billion) National Health Service IT upgrade was exposed as "foilware". According to an article in The Australian, the Lorenzo system was initially scheduled for release in March 2004, but there had been a series of delays and no British hospital trust was using the new software being developed by isoft in Europe. isoft Australia was at the time supplying the same product for various state health projects, including Victoria's Aus $323 million HealthSmart. There the latest delivery date was 2008, but a review found the date to be far too optimistic.
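The first two verification levels are mechanical enough to automate, and doing so shows concretely what separates an active deposit from a passive one. The following Python script is an added example, not code from the article or from any escrow agent's tooling. It checks a deposit at level 1 (every element the agreement requires is present and non-empty, and every file matches the supplier's SHA-256 manifest) and at level 2 (the deposited version and module set correspond to what the licensee actually runs in production, which is the check that catches obsolete code sitting in escrow). The deposit layout, the sha256sum-style MANIFEST.sha256 file, the VERSION file, the required-element list and the production inventory are all assumptions constructed for the example; level 3 (compilation and testing in a comparable environment) is not modelled.

```python
"""Automated escrow deposit verification (added example, not the article's own).

Level 1: media readable, agreed elements present, digests match the manifest.
Level 2: the deposit is the code actually in operational use (same version,
source present for every deployed module).
Layout, manifest format and production inventory are constructed assumptions.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List

MANIFEST_NAME = "MANIFEST.sha256"  # assumed name of the supplier's digest list


@dataclass
class Report:
    passed: bool
    findings: List[str] = field(default_factory=list)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse sha256sum-style lines ('<64 hex chars>  <path>') into {path: digest}."""
    entries: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, sep, path = line.partition("  ")
        if not sep or len(digest) != 64 or not path:
            raise ValueError(f"malformed manifest line: {line!r}")
        entries[path.strip()] = digest.lower()
    return entries


def level1_integrity(deposit: Dict[str, bytes], required: List[str]) -> Report:
    """Level 1: readable media, agreed elements present, every digest matches."""
    findings: List[str] = []
    manifest_raw = deposit.get(MANIFEST_NAME)
    if manifest_raw is None:
        return Report(False, [f"no {MANIFEST_NAME} in deposit; integrity cannot be verified"])
    manifest = parse_manifest(manifest_raw.decode("utf-8"))
    for path in required:
        if path not in deposit:
            findings.append(f"missing required element: {path}")
        elif not deposit[path]:
            findings.append(f"unreadable/empty element: {path}")
    for path, expected in manifest.items():
        if path not in deposit:
            findings.append(f"manifest lists a file absent from media: {path}")
        elif sha256_hex(deposit[path]) != expected:
            findings.append(f"digest mismatch: {path}")
    for path in deposit:
        if path != MANIFEST_NAME and path not in manifest:
            findings.append(f"element not covered by manifest: {path}")
    return Report(not findings, findings)


def level2_matches_production(deposit: Dict[str, bytes], production: Dict) -> Report:
    """Level 2: compare the deposit with the licensee's inventory of the live system.

    `production` is {'version': '<deployed version>', 'modules': ['<file>', ...]},
    an assumed shape for this example.
    """
    findings: List[str] = []
    deposited = deposit.get("VERSION", b"").decode("utf-8").strip()
    if deposited != production["version"]:
        findings.append(f"stale deposit: escrow holds {deposited or '<none>'}, "
                        f"production runs {production['version']}")
    for module in production["modules"]:
        if f"src/{module}" not in deposit:
            findings.append(f"deployed module has no source in deposit: {module}")
    return Report(not findings, findings)


def verify_deposit(deposit: Dict[str, bytes], required: List[str], production: Dict) -> Dict[str, Report]:
    return {"level1": level1_integrity(deposit, required),
            "level2": level2_matches_production(deposit, production)}


# --- constructed sample data (not real supplier material) ---------------------
SOURCES = {"billing.py": b"def invoice(total):\n    return round(total * 1.15, 2)\n",
           "reporting.py": b"def summary(rows):\n    return len(rows)\n"}
REQUIRED = ["VERSION", "docs/BUILD.md", "src/billing.py", "src/reporting.py"]
PRODUCTION = {"version": "2.4.1", "modules": ["billing.py", "reporting.py"]}


def make_sample_deposit(version: str, sources: Dict[str, bytes], tamper: bool = False) -> Dict[str, bytes]:
    """Build an in-memory deposit with a manifest; `tamper` alters a file after the manifest is written."""
    files = {"VERSION": f"{version}\n".encode(), "docs/BUILD.md": b"# Build\nmake all\n"}
    files.update({f"src/{name}": body for name, body in sources.items()})
    manifest = "\n".join(f"{sha256_hex(body)}  {path}" for path, body in sorted(files.items()))
    files[MANIFEST_NAME] = (manifest + "\n").encode()
    if tamper:
        files["src/billing.py"] = b"# changed after the manifest was produced\n"
    return files


if __name__ == "__main__":
    cases = {"current deposit": make_sample_deposit("2.4.1", SOURCES),
             "stale deposit": make_sample_deposit("2.3.0", {"billing.py": SOURCES["billing.py"]}),
             "tampered deposit": make_sample_deposit("2.4.1", SOURCES, tamper=True)}
    for name, deposit in cases.items():
        for level, report in verify_deposit(deposit, REQUIRED, PRODUCTION).items():
            print(f"{name:17} {level}: {'PASS' if report.passed else 'FAIL'}")
            for finding in report.findings:
                print(f"    - {finding}")
```

The stale case is the one the article is warning about: the deposit is internally consistent and passes its own manifest, yet level 2 flags it because the version lodged lags the version in production and a deployed module has no source on the media. A passive custodian holding the same media would report nothing wrong.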
David More, an independent consultant and e-health blogger, wrote: "New South Wales Health should not rely on its passive escrow arrangements with isoft to protect the rollout of patient administration systems. There is no point holding obsolete software code in escrow. All that does is provide a false sense of security." [3]

Instance 3: APO10.02 Select Suppliers

APO10.02 Select suppliers, in the COBIT 5 process reference guide, requires the user company to select suppliers according to a fair and formal practice to ensure a viable best fit based on specified requirements. Requirements should be optimised with input from potential suppliers. In the specific case of software acquisition, the rights and obligations of all parties should be included and enforced in the contract terms.
Active software escrow helps ensure that the rights of all parties are enforced, as required by COBIT 5. In one example, a South African fund manager ("Manco") with more than R200 billion in funds under management demonstrated the value of active software escrow when aligning its risk strategies to COBIT. Manco selected SoftwareX as its preferred IT system based on best features and total cost of ownership. SoftwareX was the IP of a small and financially challenged company, which was in negotiations to sell. Manco concluded its agreement and implemented SoftwareX. At the same time, its developer was acquired by the listed company with which it had been negotiating. Within nine months, the listed entity decided to discontinue providing support and maintenance of SoftwareX. Manco cried foul and insisted the listed entity was in breach of contract. The listed entity disagreed. Fortunately, Manco had insisted on an escrow agreement as part of the selection criteria and exercised its right to maintain and support SoftwareX solely for purposes of business continuity. The escrow service provider was, therefore, required to release the source code and all supporting documents to Manco. As a result of the escrow agreement, Manco satisfied its operational risk management and good governance imperatives, achieved the return on investment it was looking for when it implemented SoftwareX, and was able to switch to a new system on its own terms and within its own time frame.

Conclusion

Active software escrow can meet many of the business continuity concerns addressed in COBIT 5, including:
- Disaster recovery: Permanent loss of critical information is not an option. Having the organisation's most valued asset in escrow with a neutral third party provides an alternative to disaster in the event of an emergency. The active escrow agent maintains a copy of the intellectual property stored off-site in a professional vaulting facility, available for restoration.
- Reduced dependency on key employees: 30-day escrow deposit cycles can ensure proper delivery according to the functional specification and agreed-upon deliverables (including documentation) when independent technical verification is performed on each deposit as a matter of course.
- Quality deposits: Verification services provide assurance to an organisation's clients that all source-code deposits meet a superior technical standard.
- Verification: On request, most escrow agents can provide extended verification services. Compilation is included in the analysis and testing of the deposit; it verifies that the deposit is readable, correct and complete in all respects. This testing warrants that the escrow deposit will be usable if released.

Andrew Stekhoven is managing director of Escrow Europe (Pty) Ltd. During the last 25 years, he has been engaged in a broad cross-section of executive roles within the ICT industry. Stekhoven has been a member of the Institute of Directors in South Africa (IoD) for 15 years. Since its inception in 2004, Stekhoven has established Escrow Europe as the leading active escrow company in South Africa and is closely involved in the promotion of ICT good governance practices and the convergence of international protocols, such as COBIT, with the local King recommendations for corporate governance. Escrow Europe has also been featured by Microsoft as one of only seven internationally recognised escrow service providers for its CfMD (Certified for Microsoft Dynamics) Partner Programme (the only one on the African continent) and is the only escrow service provider in Africa to be ISO 9001:2008 certified.

Endnotes
[1] Bona, Alexa and Younker, Edward; "Management Update: How to Protect Yourself If Your Software Vendor is Acquired", Gartner Inc. Research Products G , September 8; and Disbrow, J. and Park, A.; "Be Aware of Contract Issues When Negotiating Software Escrows", Gartner Inc. Research Note G , February 7, 2005; both as cited in the Iron Mountain white paper "Best Practices: Technology Escrow: Who's Using It and Why?"
[2] Escrow Europe, Review of Verification. For a copy of the full report, contact Escrow Europe at helpdesk@escroweurope.co.za.
[3] More, David; Australian Health Information Technology (blog).
COBIT Focus is published by ISACA. Opinions expressed in COBIT Focus represent the views of the authors. They may differ from policies and official statements of ISACA and its committees, and from opinions endorsed by authors' employers or the editors of COBIT Focus. COBIT Focus does not attest to the originality of authors' content.

© 2012 ISACA. All rights reserved. Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Please contact Julia Fullerton at

Framework Committee
- Steven A. Babb, CGEIT, CRISC, UK, chair
- Charles Betz, USA
- David Cau, ITIL, MSP, Prince2, France
- Sushil Chatterji, CGEIT, Singapore
- Frank Cindrich, CGEIT, CIPP, CIPP/G, USA
- Jimmy Heschl, CISA, CISM, CGEIT, ITIL, Austria
- Anthony P. Noble, CISA, USA
- Andre Pitkowski, CGEIT, CRISC, OCTAVE, Brazil
- Paras Shah, CISA, CGEIT, CRISC, CA, Australia

Editorial Content
Comments regarding the editorial content may be directed to Jennifer Hajigeorgiou, senior editorial manager, at
Policy Procedure Information security policy Policy number: 442 Old instruction number: MAN:F005:a1 Issue date: 24 August 2006 Reviewed as current: 11 July 2014 Owner: Head of Information & Communications
More informationReducing Cost and Risk Through Software Asset Management
RESEARCH SUMMARY NOVEMBER 2013 Reducing Cost and Risk Through Software Asset Management A survey conducted by CA Technologies among delegate attendees at the 2013 Gartner IT Financial, Procurement & Asset
More informationInformation Security Policy. Information Security Policy. Working Together. May 2012. Borders College 19/10/12. Uncontrolled Copy
Working Together Information Security Policy Information Security Policy May 2012 Borders College 19/10/12 1 Working Together Information Security Policy 1. Introduction Borders College recognises that
More informationFIVE BEST PRACTICES FOR PROTECTING BACKUP DATA
OFFSITE DATA PROTECTION FIVE BEST PRACTICES FOR PROTECTING BACKUP DATA Backup encryption should be one of many activities that formulate a comprehensive security strategy. In many environments, storage
More informationCYBER SECURITY Audit, Test & Compliance
www.thalescyberassurance.com CYBER SECURITY Audit, Test & Compliance 02 The Threat 03 About Thales 03 Our Approach 04 Cyber Consulting 05 Vulnerability Assessment 06 Penetration Testing 07 Holistic Audit
More informationCloud Services for Microsoft
The success of your business depends on your ability to adapt to a dynamic market environment, where globalisation and economic pressures are reshaping the landscape. To remain competitive, your organisation
More informationGovernance and Management of Information Security
Governance and Management of Information Security Øivind Høiem, CISA CRISC Senior Advisor Information Security UNINETT, the Norwegian NREN About Øivind Senior Adviser at the HE sector secretary for information
More informationThe Governance of Enterprise Information and Information Technology Challenges and Approaches
The Governance of Enterprise Information and Information Technology Challenges and Approaches Dr. Ronald Hale Ph.D., CISM ISACA Chief Knowledge Officer Accelerated Change Accelerated Information Risk http://blog.qmee.com/qmee-online-in-60-seconds/
More informationAll about CPEs. David Gittens CISA CISM CISSP CRISC HISP
All about CPEs David Gittens CISA CISM CISSP CRISC HISP The Designer David Gittens ISSA Barbados Past President Certified in ethical hacking and computer forensics Certified in security management and
More informationINFORMATION SECURITY & GOVERNANCE SYSTEMS AND IT INFRASTRUCTURE INFOSEC & TECHNOLOGY TRAINING. forebrook
INFORMATION SECURITY & GOVERNANCE SYSTEMS AND IT INFRASTRUCTURE INFOSEC & TECHNOLOGY TRAINING forebrook Forebrook offers a range of information security, governance, IT systems and infrastructure related
More informationMANAGING THE SOFTWARE PUBLISHER AUDIT PROCESS
MANAGING THE SOFTWARE PUBLISHER AUDIT PROCESS 3 THE USE OF BUSINESS SOFTWARE AND SPORTS ARE DEFINITELY QUITE SIMILAR; IF YOU WANT TO PLAY (USE THE SOFTWARE), YOU HAVE TO ACCEPT THE RULES. THIS INCLUDES
More informationFor Smart Insurance Solutions Choose Coverforce
For Smart Insurance Solutions Choose Coverforce Our Capability Issue Date 1st October 2012 A different company Creating smart insurance solutions for clients is what we do. Our determination to genuinely
More informationINFORMATION TECHNOLOGY SECURITY STANDARDS
INFORMATION TECHNOLOGY SECURITY STANDARDS Version 2.0 December 2013 Table of Contents 1 OVERVIEW 3 2 SCOPE 4 3 STRUCTURE 5 4 ASSET MANAGEMENT 6 5 HUMAN RESOURCES SECURITY 7 6 PHYSICAL AND ENVIRONMENTAL
More information:: market pulse :::: market pulse :::: market pulse :::: market pulse :::: market
How to Minimize Risk with a Software Vendor Prenup :: market pulse :::: market pulse :::: market pulse :::: market pulse :::: market Safeguard technology investments against contract breaches, discontinued
More informationOur Services. Unlocking IT Value - Transforming IT Enabled Investments into Business Value
Our Services Unlocking IT Value - Transforming IT Enabled Investments into Business Value Our core services IT Auditing IT Governance Consulting IT Projects Advisory Training Enterprise Risk Management
More informationCloud Computing and Records Management
GPO Box 2343 Adelaide SA 5001 Tel (+61 8) 8204 8773 Fax (+61 8) 8204 8777 DX:336 srsarecordsmanagement@sa.gov.au www.archives.sa.gov.au Cloud Computing and Records Management June 2015 Version 1 Version
More informationContract Terms and Conditions
Contract Terms and Conditions: CyberText Consulting and 1 Contract Terms and Conditions These terms and conditions are part of the contract agreement between CyberText Consulting Pty Ltd and .
More informationInformation Security Management Systems
Information Security Management Systems Øivind Høiem CISA, CRISC, ISO27001 Lead Implementer Senior Advisor Information Security UNINETT, the Norwegian NREN About Øivind Senior Adviser at the HE sector
More informationBusiness Continuity Management Framework 2014 2017
Business Continuity Management Framework 2014 2017 Blackpool Council Business Continuity Framework V3.0 Page 1 of 13 CONTENTS 1.0 Forward 03 2.0 Administration 04 3.0 Policy 05 4.0 Business Continuity
More informationSecurity in the Cloud: Visibility & Control of your Cloud Service Providers
Whitepaper: Security in the Cloud Security in the Cloud: Visibility & Control of your Cloud Service Providers Date: 11 Apr 2012 Doc Ref: SOS-WP-CSP-0412A Author: Pierre Tagle Ph.D., Prashant Haldankar,
More informationIMPLEMENTATION DETAILS
Policy: Title: Status: 1. Introduction ISP-I11 Software License Regulations Approved Information Security Policy Documentation IMPLEMENTATION DETAILS 1.1. The Software Management Policy (ISP-S13) makes
More informationPresented by. Denis Darveau CISM, CISA, CRISC, CISSP
Presented by Denis Darveau CISM, CISA, CRISC, CISSP Las Vegas ISACA Chapter, February 19, 2013 2 COBIT Definition Control Objectives for Information and Related Technology (COBIT) is an IT governance framework
More informationA risky business. Why you can t afford to gamble on the resilience of business-critical infrastructure
A risky business Why you can t afford to gamble on the resilience of business-critical infrastructure Banking on a computer system that never fails? Recent failures in the retail banking system show how
More informationWHITE PAPER. How Software as a Service (SaaS) Providers Can Instill Customer Confidence IRON MOUNTAIN DIGITAL
WHITE PAPER How Software as a Service (SaaS) Providers Can Instill Customer Confidence IRON MOUNTAIN DIGITAL Table of Contents Introduction........................................................................................3
More informationMSc Computer Games and Entertainment BUSINESS AND PRACTICE. Prof William Latham. Goldsmiths College (University of London).
MSc Computer Games and Entertainment BUSINESS AND PRACTICE. Prof William Latham Email:- w.latham@gold.ac.uk www.williamlatham1.com Goldsmiths College (University of London). Lecture 5 MSc Games and Entertainment.
More informationHow not to lose your head in the Cloud: AGIMO guidelines released
How not to lose your head in the Cloud: AGIMO guidelines released 07 December 2011 In brief The Australian Government Information Management Office has released a helpful guide on navigating cloud computing
More informationInformation and records management. Purpose. Scope. Policy
Information and records management NZQA Quality Management System Policy Purpose The purpose of this policy is to establish a framework for the management of corporate information and records within NZQA.
More informationTERRITORY RECORDS OFFICE BUSINESS SYSTEMS AND DIGITAL RECORDKEEPING FUNCTIONALITY ASSESSMENT TOOL
TERRITORY RECORDS OFFICE BUSINESS SYSTEMS AND DIGITAL RECORDKEEPING FUNCTIONALITY ASSESSMENT TOOL INTRODUCTION WHAT IS A RECORD? AS ISO 15489-2002 Records Management defines a record as information created,
More informationWestern Australian Auditor General s Report. Information Systems Audit Report
Western Australian Auditor General s Report Information Systems Audit Report Report 10 June 2012 Auditor General s Overview The Information Systems Audit Report is tabled each year by my Office. It summarises
More informationquality, health & safety and environment training and consulting
quality, health & safety and environment training and consulting QUALMS Group QHSE Training & Consulting is a leading business services provider of applied; Quality, Food Safety, Occupational Health &
More informationOFFICIAL. NCC Records Management and Disposal Policy
NCC Records Management and Disposal Policy Issue No: V1.0 Reference: NCC/IG4 Date of Origin: 12/11/2013 Date of this Issue: 14/01/2014 1 P a g e DOCUMENT TITLE NCC Records Management and Disposal Policy
More informationNomination title: Managed Service Provider of the Year. How long has this organisation been involved in the IT services and solutions market in EMEA?
Nominee: Claranet Nomination title: Managed Service Provider of the Year How long has this organisation been involved in the IT services and solutions market in EMEA? Founded in 1996, Claranet has evolved
More informationIAAS Product Terms PRODUCT TERMS
IAAS Product Terms PRODUCT TERMS 1. Our contract with you 1.1. These Product Terms apply to the services ( IAAS Services ) provided by the Company ( us, we or our ) to the Client ( you or your ) under
More informationWho s next after TalkTalk?
Who s next after TalkTalk? Frequently Asked Questions on Cyber Risk Fraud threat to millions of TalkTalk customers TalkTalk cyber-attack: website hit by significant breach These are just two of the many
More informationApplication of King III Corporate Governance Principles
Application of Corporate Governance Principles Application of Corporate Governance Principles This table is a useful reference to each of the principles and how, in broad terms, they have been applied
More informationehealth Architecture Principles
ehealth Architecture Principles Version 3.0 June 2009 Document Control Details Title: ehealth Architecture Principles Owner: Head of Architecture and Design, Scottish Government ehealth Directorate Version:
More informationCOBIT 5 Implementation Certifi cate. Training Course & Exam
COBIT 5 Implementation Certifi cate Training Course & Exam Introduction The COBIT 5 Implementation Certifi cate is a Practitioner Level Training Course that focuses on how to apply COBIT 5 (The Framework
More informationMount Gibson Iron Limited Corporate Governance Policies and Practices Manual Shareholder Communication Policy
1 Introduction 1.1 Mount Gibson Iron Limited (the Company) is committed to the following objectives: (d) (e) Ensuring that shareholders and the market are provided with full and timely information about
More informationTerms of Reference for an IT Audit of
National Maritime Safety Authority (NMSA) TASK DESCRIPTION PROJECT/TASK TITLE: EXECUTING AGENT: IMPLEMENTING AGENT: PROJECT SPONSOR: PROJECT LOCATION: To engage a professional and qualified IT Auditor
More informationState Records Guideline No 25. Managing Information Risk
State Records Guideline No 25 Managing Information Risk Table of Contents 1 Introduction... 4 1.1 Purpose... 4 1.2 Authority... 4 2 Risk Management and Information... 5 2.1 Overview... 5 2.2 Risk management...
More informationROYAL MAIL GROUP ADDRESS MANAGEMENT UNIT PAF DIRECT END USER LICENCE
ROYAL MAIL GROUP ADDRESS MANAGEMENT UNIT PAF DIRECT END USER LICENCE Introduction This licence permits the use of PAF Data by an end user. Details of other licences available for the use of PAF Data can
More informationHow To Manage An Ip Telephony Service For A Business
Enabling organisations to focus on core revenue generating activities Your business needs reliable, flexible and secure communication tools to enable better connectivity and collaboration with your employees,
More informationWHITE PAPER. 10 Things Every Law Firm Should Know About Improving IT Performance: A Practice Director s Guide
WHITE PAPER 10 Things Every Law Firm Should Know About Improving IT Performance: A Practice Director s Guide To remain successful and experience growth, you must focus on improving your firm s IT performance
More information