Articles under the topic Governance, Risk & Compliance (GRC)
A lot of CIOs ask me how they can find out whether corporate governance rules are being flouted in their organizations, and how they can guard against it. For this to happen, CIOs must ensure that the ticketing system in the organization is intact. Everything that goes into the production system must pass through the process, even if it comes from the CEO.
The concept of "Bring Your Own Device" (BYOD) is encouraging. At last, we are moving into an era where knowledge workers can exercise their own choice of device. Unfortunately, BYOD is fraught with complication and risk that could adversely affect the enterprise. The BYOD model greatly increases the complexity that already exists in enterprise IT infrastructure and, with that, the costs.
Social media is fast becoming a way of life for hundreds of millions of people working in various organizations. While there are several advantages, this also poses several risks to businesses. Therefore, it makes good corporate sense for every organization and its management to develop and implement certain controls.
While putting together an ethics policy for the organization, one must consider a range of issues, including the guidance to be provided on handling conflicts of interest, gratuities and gifts, outside employment, contacts with external parties, and confidentiality of information. The ethics culture should be apparent at all levels of the organization.
A defensive posture no longer suffices for the protection of the devices and data. Rather than simply rushing to install defenses on computers, in networks, and in the cloud, we urgently need to step back and take a broader view of the security landscape, in order to take more calculated preemptive measures.
The year 2011 was a defining year for information security and privacy professionals, in which regulations were introduced covering banking, IT-ITeS and telecom, the three leading sectors of our economy. Though regulation is not the be-all and end-all, CISOs should acknowledge that it is a strong driving factor and can use it as a vehicle to propagate the company's security paradigm.
BYOT has happened not by choice but by default. There are lessons to be learnt here. The more one resists embracing new technology that is personal, easy to use and available with little or no learning barrier, the more it proliferates as a challenge to enterprise governance and control structures.
The skills that make for a great IT professional are not the same as those that make for a great information security professional. The IT mindset is that problems are overcome by driving forward, innovating and creating new solutions. But often in information security the correct answer is to go backward, look at what we have done, and determine whether we did it right the first time.
Frequently, risk conversations in the enterprise are limited to the financial risk around the financial systems and their controls. I'm now thinking that the risks in other areas, such as securing the company's intellectual property and assuring business continuity against events affecting the supply chain, are likely the bigger risks.