IT Governance and Outsourcing
Copyright 2004 Information Systems Audit and Control Association. All rights reserved.

By Hugh Parkes, CISA, FCA

IT governance is a subset of corporate governance. It refers to how well an organisation governs or controls those of its activities that involve the use of information technology. In both business and government organisations, there are now few key activities that do not involve the use of IT as either an enabler or an intrinsic part of the capacity to allow the activity to take place. It should be stressed that IT governance refers to how the entire activity using IT is controlled: not just the IT department or the physical manifestations of IT, but the business knowledge and information that the activity requires for its successful operation.

Outsourcing, in its most common form, involves the contracting out of one or more of an organisation's activities to an enterprise outside the corporate or government bounds. Activities of many types can be outsourced. The form of contracts or agreements that set the parameters under which the outsourced activity will be carried out can also vary considerably. Properly constituted organisations have the capacity to enter into contracts with one another, and many legal endeavours go into working out the terms of the contract, as well as assessing how its terms are complied with during the duration of the contract. However, the leaders of the organisations entering into an outsourcing agreement need to ask if their experience in reality delivers the objectives they have set for themselves in making the strategic decision to outsource or to provide the service now outsourced.

IT Governance Perspectives for Organisations Outsourcing Activities

The perspective of executives or directors toward the need for effective IT governance depends on how important the activity or resource provision outsourced is in the context of achieving the organisation's strategies.
If what is outsourced is a replaceable commodity or service, then problems can be overcome by going to an alternative supplier with low transfer risks. However, if what is outsourced is vital for the organisation's ability to operate, then IT governance considerations and the frequency of reporting on service delivery and effectiveness of associated performance become of high importance. Figure 1 sets out types of activities that can be outsourced, the risks associated with outsourcing such activities and what IT governance issues should be considered.

Figure 1 Outsourcing Activities, Risks and Considerations

1. Outsourced information management and storage (all value stored, databases, customer files, key parameters, etc.)
Risk: Very high risk. Depending on how critical the information stored with the outsourcer is. Consequences of loss or unauthorised access via penetration or poor security. Immediate impact, meaning this instant. Exposure to a wide spectrum of risks, e.g., loss, theft, integrity corruption, competitor access. Outsourcer negotiating power through organisation dependence on continuing access over information stored.
IT governance considerations:
Ensure the outsourcing contract covers acceptable access rights and clear ownership of information.
Ensure adequate backup and disaster recovery arrangements have been made. Executives should cite specific evidence of successful recovery testing. Directors should request from the CEO written confirmation that this test has taken place.
Inquire as to security over information stored and communications channels with access to the information.
Inquire as to information management effectiveness (how it is stored, how it is used, what management reports are derived from it and about its condition; this is where the organisation's value is stored).
Inquire as to the extent of information mining in use, information architectural fit with the organisation's needs, and level of integration of related information for process effectiveness.
Ensure that the cost of outsourced service and the level of service received meet strategic needs.

2. Outsourced core knowledge systems and development of new, or maintenance of existing, systems (corporate memory, key knowledge elements, activity processes, executive preferences, etc.)
Risk: High to very high risk. Depending on how critical the outsourced knowledge systems are to the organisation's strategic operations. Exposure to a wide spectrum of risks, including intellectual property theft, process integrity corruption and competitor access. Dependence on an outsourcer to develop new systems and/or associated intellectual property can mean extreme vulnerability or loss of credibility.
IT governance considerations:
Ensure adequate backup and disaster recovery arrangements have been made (as noted previously).
Inquire as to security over systems stored on the outsourcer's servers or in its computer installation.
Inquire into how systems access information stored by outsourcers and the security of associated communication channels.
Inquire as to the level of the organisation's dependency on the outsourcer for development or maintenance of new or existing software; understand where knowledge and necessary competencies covering systems now reside (it may now be in Bangalore rather than San Jose).
Inquire as to project delivery management for new systems.
Inquire as to system uptime and maintenance performance, e.g., is the IT engine being adequately maintained?
Ensure operational commitments are being met by the outsourcer.

3. Outsourced major computer installation and ancillary support services
Risk: Medium to high risk. Establishing major data centres run by major outsourcers should lower risk via economies of scale, experience, sound data centre procedures, and depth of supporting services. The outsourcing organisation needs to ensure that the outsourcer's installation is soundly run and contractually arrange access rights and verification arrangements (possibly via a third party such as a competent assurance provider). Risks arise where the outsourcing organisation does not monitor the service received or the ongoing condition of the computer installation on which it depends.
IT governance considerations:
Ensure adequate backup and disaster recovery arrangements have been made and tested (as noted previously) with participation of observers from the organisation onsite.
Inquire as to assurance reports on installation service and uptime performance.
Ensure operational commitments are being met by the outsourcer.

4. Outsourced networks or communications
Risk: Medium to high risk. Risks include illegal or malicious penetration (hacking), denial-of-service attacks, information or system corruption, intellectual property theft, viruses, worms and Trojan horse attacks. Alternate network routing capabilities must exist and have been tested for major networks so single-point-of-failure dependency (bottleneck risk) is overcome. Insufficient communications capacity slows processing or lengthens customer service centre response times.
IT governance considerations:
Ensure adequate backup and disaster recovery arrangements have been made and tested.
Inquire deeply as to security at all points of the network, extranets and intranets, as well as over links to the Internet, to Internet service providers (ISPs) and to the organisation's web site.
Inquire as to the adequacy of bandwidth or communication network capacity to the organisation, e.g., does it meet strategic needs?
Ensure operational commitments for networks and communication channels are being met by the outsourcer.

5. Provision of computer equipment, replacement of network PCs and servers, network devices
Risk: Usually low risk. Alternate suppliers available. Contract does not meet commercial/entity needs over time. Poor service is received, leading to lower productivity or higher downtime. Outsourced service provider does not keep equipment current.
IT governance considerations:
Comply with terms of outsourcing agreement (service received/payments made). (Issues arising are normally handled by entity middle management.)
Bring to executive or directors' attention only if a disaster occurs, probably to seek a recovery fund.
Easy-to-Understand Reporting

It is usually possible to present clear reports to executives and directors in the form of overview flowcharts of outsourced activities with problem areas highlighted in colour (e.g., red for a major IT governance concern area), as well as showing the linkages to activities that have not been outsourced. IT governance covers a wide range of risk issues as well as operational and commercial delivery issues. Some people find it much easier to get the big picture from a diagram rather than from long reports in technical jargon. If understandable reports are not being received at present by executives or directors, then IT governance issues can become a major corporate governance liability. Figures 2 and 3 provide examples of reporting on IT governance in an overview flowchart form, allowing one to get the big picture on internal controls and security quickly, and to focus on what matters.

IT Governance Perspectives for Organisations Providing Outsourcer Services

The other party in an outsourcing arrangement is the outsourcer, the entity providing the original organisation with services. The outsourcer is the other party to the contract for service delivery, and has a different perspective to be considered for IT governance purposes from that of the receiving organisation. The differences are emphasised in figure 4.

Hugh Parkes, CISA, FCA is a director of Parkes & Parkes, management consultants, based in Melbourne, Victoria, Australia. Parkes has extensive experience in IT consulting, banking and financial services, which has included the management of outsourced relationships as well as the provision of services as an outsourcer. A past member of the IT Governance Board, ISACA's International Board of Directors and the Australian Auditing Standards Board, Parkes currently serves as chairman or independent member of a number of audit committees in Australia.
Figure 2 Reporting on IT Governance (overview flowchart "How Our Internal Controls Are Operated"; the diagram itself is not reproduced in this transcription)

The chart shows two views, "Overall Operation of Internal Controls" and "Extent of 24/7/365 Automated Monitoring of Internal Controls", across the organisation's units (Board of Directors, Executive Team, Operations, International Operations and Support, Sales and Marketing, International Sales and Marketing, Supply Chain, Purchasing, Distribution, Warehouse, Manufacturing in Korea, Belgium, California and Singapore, Call Centres in India, Ireland and Canada, Shared Support Services, Research and Development, Finance and Accounting, HR, Facilities Management, and Information Systems in Australia), with each unit coloured according to the following legend:

Sound internal controls. Automated monitoring in place (or assurance review within last 12 months).
Control deficiencies identified, management action in progress. Being monitored.
Major control issues identified. CEO and board attention required.
Not assessed by assurance within 12 months. Internal control condition not validated. No automated monitoring in place: do NOT KNOW!
Figure 3 The Story: An Important IT Governance Perspective (logical and physical security overview, H. Parkes 2003; the diagram itself is not reproduced in this transcription)

The chart maps the head office functions (Web, Sales and Marketing, Supply Chain, Purchasing, Warehousing in Belgium and Singapore, Research and Development with its research mainframe, Stores in India, Ireland and Canada, Shared Services covering Finance, HR and Facilities, Manufacturing in Korea with its SCADA controller and in California), the network, PABX and remote computers, and the main computer environment (IT operations and applications, gateways, research mainframe, disk array, communications controllers and internal security), with each element coloured according to the following legend:

MAJOR SECURITY RISKS PLUS IDENTIFIED EXPOSURES
EXPOSURES identified, under investigation
WELL SECURED plus assurance received within last three months to BS 7799

Figure 4 Differences in Perspective

5. Outsourced information management and storage (all value stored, databases, customer files, key parameters, etc.)
Risk: Very high risk. Depending on how critical the information stored with the outsourcer is (and does the outsourcer understand this). Loss of information through penetration, hacking, corruption or inability to provide service. Risks of embarrassment to reputation in the marketplace. Breach of contract/risks of legal action. Costs of recovery.
IT governance considerations:
Ensure the outsourcing contract covers customer access and clear responsibilities for ownership of information.
Profitability of service and cost of the level of service actually provided.
Ensure adequate backup and disaster recovery arrangements have been made. Executives should cite specific evidence of successful recovery testing. Directors should request written confirmation from the CEO that this testing has been confirmed as taking place.
Inquire as to security over information stored for customers.
Inquire as to information management effectiveness, e.g., is it reliable, is the customer advised of quality issues on data received?

4. Outsourced core knowledge systems and development of new or maintenance of existing systems (e.g., corporate memory, key knowledge elements, activity processes, executive preferences)
Risk: High to very high risk. Depending on how critical the outsourced knowledge systems are to the customer. Keeping the customer's systems operating at agreed uptime and service levels. Continuing ability to develop new systems and associated intellectual property. Continuing ability to maintain/support the customer's existing software in times of rapid change or where there are major redesign/paradigm changes to install. Loss of software skills, especially on obsolete software languages still requiring support.
IT governance considerations:
Ensure adequate backup and disaster recovery arrangements have been made (as noted).
Inquire deeply as to security over systems stored at the data centre on behalf of customers.
Inquire deeply into the security of associated communication channels.
Ensure contracted software development and software maintenance services are provided to contracted standards.
Inquire deeply as to project delivery management for new systems.
Inquire as to system uptime and maintenance performance, e.g., are service delivery levels being consistently met?
Ensure that the recruitment and training of staff with required skills is taking place.

3. Outsourced major computer installation and ancillary support services
Risk: Medium to high risk. Cost of keeping major data centres operational and able to provide contracted support services. Cost of investment in future technology infrastructure to remain market-credible, competitive and sustainable. Changing ways of doing business may lead to customer paradigm shifts.
IT governance considerations:
Ensure adequate backup and disaster recovery arrangements have been made and tested (as noted).
Limit disruption caused by auditors providing assurance reports on installation service and uptime performance; consider appointing a sole provider for this purpose.
Ensure operational commitments are being met by the data centre.
Ensure customers are not being overserviced or are paying for services out of the agreed scope.

2. Outsourced networks or communications
Risk: Medium to high risk. Risks include illegal or malicious penetration (hacking), denial-of-service attacks, information or system corruption, intellectual property theft, viruses, worms and Trojan horse attacks. It is critical to provide alternate network routing where the outsourcer also provides networking services to the customer. Insufficient communications capacity to meet customer demands/contracted service levels.
IT governance considerations:
Ensure that adequate backup and disaster recovery arrangements have been made and tested (as noted).
Inquire as to security at all points of the network, extranets and intranets, as well as over links to the Internet, Internet service providers (ISPs), Internet service and web sites directly linked to the data centre.
Ensure that adequate capacity planning is done to meet expected customer demand trends.

1. Provision of computer equipment, replacement of network PCs and servers, network devices
Risk: Usually low risk. Market competition. Contract not meeting customers' needs over time. Excessive service demands from customer.
IT governance considerations:
Comply with terms of outsourcing agreement (service provided/payments received).
Ask about the condition of the customer relationship and customer satisfaction levels with outsourced IT services provided.

Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by the Information Systems Audit and Control Association, Inc. Membership in the association, a voluntary organization of persons interested in information systems (IS) auditing, control and security, entitles one to receive an annual subscription to the Information Systems Control Journal. Opinions expressed in the Information Systems Control Journal represent the views of the authors and advertisers.
Service Definition Technical Security Review Overview of Service Considering the increasing importance of security, the number of organisations that allow for contingency in their Information Security
More informationWith the dawn of the 21st century, a new era of
Copyright 2007 ISACA. All rights reserved. www.isaca.org. Auditing CMMI Maturity and Sarbanes-Oxley Compliance By Laurent Janssens, CISA, and Peter Leeson With the dawn of the 21st century, a new era of
More informationHow not to lose your head in the Cloud: AGIMO guidelines released
How not to lose your head in the Cloud: AGIMO guidelines released 07 December 2011 In brief The Australian Government Information Management Office has released a helpful guide on navigating cloud computing
More informationWestern Australian Auditor General s Report. Information Systems Audit Report
Western Australian Auditor General s Report Information Systems Audit Report Report 10 June 2012 Auditor General s Overview The Information Systems Audit Report is tabled each year by my Office. It summarises
More informationActive Software Escrow s Usefulness for Companies Embracing COBIT 5 By Andrew Stekhoven
Volume 3, July 2012 Come join the discussion! Andrew Stekhoven will be responding to questions in the discussion area of the COBIT 5 Use It Effectively topic beginning 23 July 2012. Active Software Escrow
More informationMANAGED WORKSTATIONS: Keeping your IT running
MANAGED WORKSTATIONS: Keeping your IT running What state are your PCs in? Systems running slowly? PCs or laptops crashing for no reason? Too much time trying to resolve simple IT issues? Out-of-date software?
More informationSecurity Risk Solutions Limited is a privately owned Kenyan company that was established in 2007.
Information Security Management Present and Future By: Jona Owitti, CISA Director, Security Risk Solutions Limited Immediate Past Chairman, ISACA Kenya Chapter About SRS www.securityrisksolutions.net -
More informationISO 27001 Controls and Objectives
ISO 27001 s and Objectives A.5 Security policy A.5.1 Information security policy Objective: To provide management direction and support for information security in accordance with business requirements
More informationAcceptable Use Policy
1. Overview The Information Technology (IT) department s intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to Quincy College s established culture of openness,
More informationInformation Security Awareness Training
Information Security Awareness Training Presenter: William F. Slater, III M.S., MBA, PMP, CISSP, CISA, ISO 27002 1 Agenda Why are we doing this? Objectives What is Information Security? What is Information
More informationSPECIAL CONDITIONS FOR WEBSITE HOSTING SERVICES ON A DEDICATED SERVER. Version Date 22 June 2009
SPECIAL CONDITIONS FOR WEBSITE HOSTING SERVICES ON A DEDICATED SERVER Version Date 22 June 2009 The Supplier provides different categories of Dedicated Server. The hardware and software configurations,
More informationIP Trading Solutions
In many mature financial organisations, middle-and back-office functions already collaborate via high-quality, well-integrated voice and video traffic. Their trading floors, on the other hand, still operate
More informationREGION 19 HEAD START. Acceptable Use Policy
REGION 19 HEAD START Acceptable Use Policy 1.0 Overview Research, Evaluation, Assessment and Information Systems (R.E.A.I.S.) intentions for publishing an Acceptable Use Policy are not to impose restrictions
More informationElectronic business conditions of use
Electronic business conditions of use This document provides Water Corporation s Electronic Business Conditions of Use. These are to be applied to all applications, which are developed for external users
More informationOur consultancy team will provide guidance throughout the process helping you to produce the necessary documentation and raise staff awareness.
Service Definition Business Continuity Plan Overview of Service Sapphire provides a bespoke service, working with your organisation to develop a comprehensive Business Continuity Plan (BCP) designed to
More informationAcceptable Use Policy
Acceptable Use Policy 1. General Interoute reserves the right to modify the Acceptable Use Policy ( AUP ) from time to time. Changes to this Acceptable Use Policy will be notified to Customer in accordance
More informationManaging IT Security with Penetration Testing
Managing IT Security with Penetration Testing Introduction Adequately protecting an organization s information assets is a business imperative one that requires a comprehensive, structured approach to
More informationBusiness Continuity and Disaster Survival Strategies for the Small and Mid Size Business
Business Continuity and Disaster Survival Strategies for the Small and Mid Size Business Business Continuity & Disaster Survival Strategies for the Small and Mid Size Business AGENDA Welcome / Introduction
More informationData Management Session: Privacy, the Cloud and Data Breaches
Data Management Session: Privacy, the Cloud and Data Breaches Annelies Moens Head of Sales and Operations, IIS President, iappanz IACCM APAC Australia Sydney, 1 August 2012 Overview Changing privacy regulation
More informationCLOUD IN MOTION QUESTIONS EVERY LIFE SCIENCES COMPANY SHOULD ASK BEFORE MOVING TO THE CLOUD. FRANK JACQUETTE, JACQUETTE CONSULTING, INC.
CLOUD IN MOTION QUESTIONS EVERY LIFE SCIENCES COMPANY SHOULD ASK BEFORE MOVING TO THE CLOUD. FRANK JACQUETTE, JACQUETTE CONSULTING, INC. S EVERY LIFE SCIENCES COMPANY SHOULD ASK BEFORE MOVING TO THE CLOUD.
More informationINFORMATION SECURITY MANAGEMENT SYSTEM. Version 1c
INFORMATION SECURITY MANAGEMENT SYSTEM Version 1c Revised April 2011 CONTENTS Introduction... 5 1 Security Policy... 7 1.1 Information Security Policy... 7 1.2 Scope 2 Security Organisation... 8 2.1 Information
More informationORANGE REGIONAL MEDICAL CENTER Hospital Wide Policy/Procedure
ORANGE REGIONAL MEDICAL CENTER Hospital Wide Policy/Procedure MANUAL: Hospital Wide SECTION: Information Technology SUBJECT: Acceptable Use of Information Systems Policy IMPLEMENTATION: 01/2011 CONCURRENCE:
More informationAPES GN 30 Outsourced Services
APES GN 30 Outsourced Services Prepared and issued by Accounting Professional & Ethical Standards Board Limited ISSUED: March 2013 Copyright 2013 Accounting Professional & Ethical Standards Board Limited
More informationAcceptable Use Policy
Acceptable Use Policy Free Use Disclaimer: This policy was created by or for the SANS Institute for the Internet community. All or parts of this policy can be freely used for your organization. There is
More informationWHAT YOU NEED TO KNOW ABOUT CYBER SECURITY
SMALL BUSINESSES WHAT YOU NEED TO KNOW ABOUT CYBER SECURITY ONE CLICK CAN CHANGE EVERYTHING SMALL BUSINESSES My reputation was ruined by malicious emails ONE CLICK CAN CHANGE EVERYTHING Cybercrime comes
More informationINFORMATION TECHNOLOGY MANAGEMENT CONTENTS. CHAPTER C RISKS 357-7 8. Risk Assessment 357-7
Information Technology Management Page 357-1 INFORMATION TECHNOLOGY MANAGEMENT CONTENTS CHAPTER A GENERAL 357-3 1. Introduction 357-3 2. Applicability 357-3 CHAPTER B SUPERVISION AND MANAGEMENT 357-4 3.
More informationBy writing to: Cougar Wireless, Attention: Customer Service, 4526 S. Regal St., Suite A, Spokane, WA., 99224
COUGAR WIRELESS ACCEPTABLE USE POLICY I. INTRODUCTION Cougar Wireless and its various affiliates and subsidiaries (collectively we, us, our ) are committed to being responsible network citizens. To assist
More informationAre you prepared to be next? Invensys Cyber Security
Defense In Depth Are you prepared to be next? Invensys Cyber Security Sven Grone Critical Controls Solutions Consultant Presenting on behalf of Glen Bounds Global Modernization Consultant Agenda Cyber
More information1.3 Your access to and use of the Site, including your order of Products through the Site, is subject to these terms and conditions.
Home Support Network Terms and Conditions General 1.1 This Home Care site at www.homesupportnetwork.com.au ( Site ) is a shopping website where you can browse, select and order products advertised on the
More informationSmall businesses: What you need to know about cyber security
Small businesses: What you need to know about cyber security March 2015 Contents page What you need to know about cyber security... 3 Why you need to know about cyber security... 4 Getting the basics right...
More informationIBM Virtualization Engine TS7700 GRID Solutions for Business Continuity
Simplifying storage processes and ensuring business continuity and high availability IBM Virtualization Engine TS7700 GRID Solutions for Business Continuity The risks are even greater for companies that
More informationAcceptable Use Policy Revision date: 26/08/2013
Acceptable Use Policy Revision date: 26/08/2013 Acceptable usage Policy for all Services As a provider of web site hosting and other Internet-related services, Corgi Tech Limited offers its customer (also
More informationINFORMATION TECHNOLOGY SECURITY STANDARDS
INFORMATION TECHNOLOGY SECURITY STANDARDS Version 2.0 December 2013 Table of Contents 1 OVERVIEW 3 2 SCOPE 4 3 STRUCTURE 5 4 ASSET MANAGEMENT 6 5 HUMAN RESOURCES SECURITY 7 6 PHYSICAL AND ENVIRONMENTAL
More information1.1 These Terms and Conditions set out the agreement between MRS Web Solutions Ltd, 1 Blue Prior Business Park, Redfields Ln, Church Crookham,
Terms and Conditions of Sale and Services Please read these Terms and Conditions for the Supply of Services ( Terms and Conditions ) carefully, as they form part of the Agreement for the supply of our
More informationTerms of Service (v2.2)
Terms of Service (v2.2) 1. Definitions 1.1. Zuver means Zuver Pty Ltd of Victoria, Australia. 1.2. Customer means the person or entity who ordered our services. 1.3. Service, "Service(s)" or "Services"
More informationGuidelines for Financial Institutions Outsourcing of Business Activities, Functions, and Processes Date: July 2004
Guidelines for Financial Institutions Outsourcing of Business Activities, Functions, and Processes Date: July 2004 1. INTRODUCTION Financial institutions outsource business activities, functions and processes
More informationCOMMERCIALISM INTEGRITY STEWARDSHIP. Back-up Policy & Guidance
Back-up Policy & Guidance Document Control Document Details Author Adrian Last Company Name The Crown Estate Division Name Information Services Document Name Back Up Policy Version Date 10/10/12 Effective
More informationEnsuring security the last barrier to Cloud adoption
Ensuring security the last barrier to Cloud adoption Publication date: March 2011 Ensuring security the last barrier to Cloud adoption Cloud computing has powerful attractions for the organisation. It
More informationSPECIAL CONDITIONS FOR WEBSITE HOSTING SERVICES ON A REAL PRIVATE SERVER
SPECIAL CONDITIONS FOR WEBSITE HOSTING SERVICES ON A REAL PRIVATE SERVER Version Date 22 June 2009 The Supplier provides different categories of Real Private Server. The hardware and software configurations,
More informationWith the advent of web-enabled and Internet-connected
Copyright 2006 ISACA. All rights reserved. www.isaca.org. Key Elements of a Threat and Vulnerability Management Program By John P. Pironti, CISA, CISM, CISSP, ISSAP, ISSMP With the advent of web-enabled
More informationHow To Use A College Computer System Safely
1.0 Overview Keuka College provides access to modern information technology in support of its mission to promote excellence and achievement across its mission areas of instruction, research, and service.
More informationHow To Use A Minicloud Server On An Ovh Cloud (For Free) For A Long Time
O V H SPECIAL CONDITIONS FOR MINICL0UD SOLUTIONS Version dated 31th May 2010 Definitions: Cloud: Technology aimed for the remote use of executing resources and storage. Loyalty scheme: A section in the
More information