Security and Risk Mgmt

Question 1

How should IT governance be considered by Board or Directors?

Answer 1

IT Governance Institute says board of directors should:

1. be informed about info security
2. set direction to drive policy and strategy
3. provide resources to security efforts
4. assign mgmt responsibilities
5. set priorities
6. support changes required
7. define cultural values related to risk assessment
8. obtain assurance from internal and external auditors
9. insist that security investments are made measurable and reported on for program effectiveness

Question 2

What should management do in regards to IT governance?

Answer 2

Management should:

• write security policies with biz input
• ensure that roles and responsibilities are defined and clearly understood
• identify threats and vulnerabilities
• implement security infrastructures and control frameworks (standards, guidelines, baselines, and procedures)
• ensure that policy is approved by governing body
• establish priorities and implement security project in a timely manner
• monitor breaches
• conduct periodic reviews and tests
• reinforce awareness education as critical
• build security into the systems development lifecycle