System and Information Security Assurance

Security Governance

Abstract:

How Effective Corporate Governance Facilitates Security and Assurance

IT Operations and Security are often challenged with implementing manageable, verifiable controls in the face of other pressures and priorities.  Corporate governance has the job of ensuring that IT is managed not only correctly, but also most appropriately for the organization and its stakeholders.  Board members meet this duty of care by asking trenchant questions, and carefully considering the answers they get from all parts of the organization.

A significant problem is that the answers to board questions may not be the right answers, may not be clear, or may actually obscure the facts.  The board of directors and its audit committee can provide tremendous value in helping to solve problems, but this role is often underestimated or completely misunderstood.  The board often represents a tremendous pool of knowledge and expertise among people who are motivated to solve problems.  In leading organizations the board often helps solve IT security issues.  These effective practices can be applied in other organizations as well.

Le Grand explores open questions and effective solutions such as: "How much IT knowledge must an auditor have?  Or, does the responsibility reside in the other direction? (i.e., How much knowledge must IT have about audit?)"; the top ten "tricks and tips every auditor should have learned from their mentor(s)"; how to foster effective interfaces between audit, operations, and security (including the special kinship between security and audit that often is not understood or exercised); and what The IIA is doing to help improve information security assurance.

Contact CHL Global Associates for this and other professional guidance.

About the Author

Charles Le Grand is CEO of CHL Global Associates.  He provides direction for all areas on the impacts of technology on business and audit practices, and the use of technology to deliver and promote programs and products for the enterprise and practitioners.  He practices outreach to other organizations and activities interested in the roles of internal auditing relative to information technology and its management, security, control, and assurance.  He previously served as The IIA’s Chief Information Officer, Director of Technology, Director of Research for The IIA Research Foundation, and founder of the ITAudit.org web site.
