GLOBAL STANDARD FOR INFORMATION MANAGEMENT

By Manohar Ganshani

Businesses have today expanded beyond their local geographies. A global presence demands uniformity in the processes across the organisation's disparate business locations, so that business needs are met with a consistent response. Information technology remains the central element of information management, because most of the information resides in, and is processed by, IT systems. To bring about uniformity in the processes, organisations need to adopt a standard that meets their business objectives. This raises the question: which standard to choose and adopt? The challenge is compounded not only by the choice of standard but by the fact that organisations have to comply with multiple regulations and legal requirements while transacting business across boundaries. So the question turns into a puzzle: do we need a global standard for information management? This article attempts to solve the puzzle and offers an approach based on how complex organisations treat it, though it need not be the only possible approach or alternative.

Best practices, standards, and frameworks

For the sake of clarity, and to avoid these terms being used interchangeably, here is a simple definition of each.

Best practices: Result- or output-oriented, cost-beneficial, informally accepted methods followed by similar industries across the world. Organisations generally tweak them to suit individual requirements. Examples: the unified customer experience offered by some global banks, quality initiatives (Six Sigma, CMMI, etc), the balanced scorecard for performance measurement, and so on.

Standards: Mainly address the WHAT part of best practices. They provide uniformity for the processes to be followed and offer the opportunity of certification; where certification is sought, compliance is mandatory. Examples: the various standards of the International Organization for Standardization (ISO), the British Standards Institution (BSI), the American National Standards Institute (ANSI), the joint Australian/New Zealand standards (AS/NZS), and so on.

Frameworks: Address the HOW part of implementing standards and best practices. They provide a set of key ingredients and processes from which maturity models are built. Examples: the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework, Control Objectives for Information and related Technology (COBIT) and Risk IT (IT risk maturity assessment) from the IT Governance Institute, the IT Infrastructure Library (ITIL), and so on.

Various facets of compliance

Legal: Laws enacted by sovereign governments, applicable to organisations registered or operating in that government's territory. Examples: Sarbanes-Oxley, the Gramm-Leach-Bliley Act (GLBA), the IT (Amendment) Act 2008, North American Electric Reliability Corporation (NERC) requirements, the Health Insurance Portability and Accountability Act (HIPAA), privacy acts, data protection acts.

Regulatory: Requirements specified by authorised agencies for specific industries. Examples: Basel II (through central banks), the Securities and Exchange Commission (SEC), the Securities and Exchange Board of India (SEBI), the Payment Card Industry Data Security Standard (PCI DSS), etc.

External: Industry mandates, eg SAS 70.

Internal: Business strategy and company policies.

Legal and regulatory compliance is necessary to protect stakeholders' interests.

Essence of information management

It is important to understand the essence of information management before deliberating on the need for a global standard. COBIT defines information management as the IT resources and processes that provide information to the business processes in order to achieve business objectives. Although information management does not cover only IT resources and processes, organisations' dependency on IT for information management makes this definition relevant. Reliable information thus needs to be made available whenever needed, without compromising its security, through an optimum (efficient) use of resources, and it should be relevant (effective) to the business so that management can take decisions. The mechanism for provisioning information in an effective and efficient manner is the governance aspect. So, essentially, information management is a coin with two sides: information governance and information security. Since most information is held in IT systems, IT governance would meet the objective of information governance to a large extent. This may be debatable, but the idea is that the approach applied to information within IT systems can be extended to the manual processes within information management.

The solution

The solution to the puzzle lies in understanding the essence of information management. We now need to deal with two aspects: IT governance and information security. Most mature organisations have adopted one standard for these two aspects and then looked at the incremental requirements of the various other compliances.

Taking a close look at the umbrella of available standards: COSO [2], for example, provides a high-level framework for dealing with internal controls, while COBIT [1] provides guidelines for implementing controls at the interface between business management and IT-related activities (and sits at a lower level, dealing with maturity assessment). ITIL [4] (for IT service management) and ISO 27001 [3] (for information security) are more granular still, reaching down to the operational level. Where business needs demand compliance with more than one standard, it is ideal to build information management on the requirements those standards have in common. In practice, smart and complex organisations leverage the existing standards and frameworks and benefit from the intersection of those frameworks and standards in conjunction with best practices.

Challenges

1. Identification. Identifying the base standard or framework is key to the success of information management, since it is going to be the foundation. One approach is to create a business case in which the business impact helps determine the base standard. The business impact would consider parameters such as the fulfilment of security and privacy requirements, alignment with business objectives, skill and resource requirements, regulatory and legal compliance requirements, etc.

2. Interpretation and scope coverage. The interpretation should provide the required scope coverage in terms of scalability and expansion across other boundaries.

3. Implementation and sustenance. While satisfying the two-fold requirements of information management, it is ideal to automate the processes of the chosen standard or framework, to maintain consistency and transparency in the subsequent reporting process. Automation also makes the change management process easier. The key challenge here is the selection of an IT GRC tool: look for one that offers customisation and scalability without calling for extraordinary skills. Sustaining the controls matters from an assurance perspective, not merely for retaining certification.

To conclude, it is imperative to use a unified compliance framework and to adopt a risk-based approach when choosing and adopting standards, frameworks and compliance (regulatory, legal or industry-mandate) requirements. A risk-based approach helps determine which regulations and standards from the umbrella of existing standards, frameworks and best practices actually apply. A unified compliance framework helps build the common requirements and then evolve a process for dealing with the delta changes that new regulations bring as the business crosses its existing boundaries. It serves the purposes of governance and security, and therefore meets the essence of information management aligned with business objectives. In a nutshell, there is no need for yet another global standard.

References

1. COBIT: Control Objectives for Information and related Technology, a set of best practices (framework) for information technology management created by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI).
2. COSO: the Committee of Sponsoring Organizations of the Treadway Commission, a voluntary private-sector organisation. The COSO framework provides guidance on organisational governance, internal control, fraud, enterprise risk management and financial reporting.
3. ISO/IEC 27001:2005: the ISO/IEC 27000-family standard for information security management systems. Other standards in the same family address related requirements, e.g. ISO/IEC 27004, which covers measurement and metrics for information security management.
4. ITIL: the IT Infrastructure Library, originally created by the UK government, a framework for building and implementing IT service management in an organisation.

About the author

Manohar Ganshani is practice partner for the governance, risk and compliance practice at Wipro Consulting Services. The article also has inputs and review comments from Sunil Bakshi, a senior manager in the same team.