IT Policy is a set of policies created by an organization to ensure that all users within the organization (customers, employees, vendors) comply with the guidelines that help protect the information stored on the network. (What is Information Security Policy?, n.d.)
Key concept:
IT Risk is defined by ISACA in COBIT5 as “business risk, specifically, the business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise.” (ISACA, 2014) IT Risk is used dozens of times throughout COBIT4 (IT Governance Institution, 2007) and is a key concept in the development of IT Policy, e.g. for information security and authentication of users (EDUCAUSE, 2008), since IT professionals need to be aware of risk in order to ensure that the business goals continue to be protected and achieved. Unfortunately, IT risk tends to be one of the areas that is misunderstood, even though for many enterprises “information and the technology that supports it represents a valuable asset.” (IT Governance Institution, 2007)
IT Risk is an important concept within the IT policy area because there are many different forms of risk, and they shape how an enterprise manages the uncertainties it could face in the future.
IT Risk is expanded in scope by ISACA in COBIT5 (ISACA, 2014) to the enterprise level and divided into the organization’s IT Risk Function and the organization’s IT Risk Management. Furthermore, COBIT5 discusses IT Risk in terms of external policies and international standards, such as ISO 27005:2011, with the benefit of using standardized tools, approaches and policies for risk functions and risk management. These updates give IT Risk policy makers many options and allow more of the frameworks that have been developed (ITIL, ISO/IEC 27001) to work together to provide a more comprehensive framework. (Solms, 2005)(Sahibudin, 2008)
Key method:
IT Assurance is defined by ISACA in COBIT5 as the ability of an “assurance professional to measure and evaluate a process that is the responsibility of another party.” (IT Governance Institution, 2007) When it comes to IT assurance, the other party is a “stakeholder who will benefit from the process but delegates the operations and custodianship of the process.” (IT Governance Institution, 2007) COBIT states that in order to provide assurance, there are specific approaches that organizations are recommended to follow. The IT Assurance roadmap can be provided in three stages (IT Governance Institution, 2007):
IT assurance is an important method for IT professionals to understand within the IT policy area, as it covers the testing and control of how well the chosen framework (in this instance COBIT) is assisting in providing guidance.
The methodologies and techniques stated in COBIT4 (IT Governance Institution, 2007) were expanded in scope by ISACA in COBIT5 (ISACA, 2014), especially in the key concepts in use. While the key concepts still include the three stages of the assurance process (ISACA, 2014):
the concepts now include risk drivers and value drivers. On top of that, there are Five Components of an Assurance Initiative that have been added to the processes to assist in guiding the professional in achieving the assurance goals. Those components are:
These components and the key concepts have greatly expanded the overall IT assurance method and allow for greater control over the number of errors that could arise from improper use of the IT assurance method.
InfoBeyond Technology’s Security Policy Tool -
When developing IT policies that revolve around the security of the enterprise’s data, it is important to make sure that access control policies are in place so that the data can only be accessed by individuals with the necessary credentials. The COBIT framework acknowledges the need for policies that assist in developing proper access controls over programs and data, noting that “adequate access control activities, such as secure passwords, Internet firewalls, data encryption and cryptographic keys, can be effective methods of preventing unauthorized access.” (IT Governance Institute, 2007)
One tool available that allows for the creation of appropriate policies involving the security of said data is InfoBeyond Technology’s Security Policy Tool. InfoBeyond Technology is a tech company that “specializes in enhancing IT system and safety to solve diverse cyber security problems.” [5] InfoBeyond offers its services to many public and private organizations, including the Department of the Air Force and the IEEE Big Data Initiative. Their Security Policy Tool is a prominent access control solution that allows organizations to develop “Highly Secure access control rules/policies, to terminate the threat of cyber-attacks and insider exploiting access control security vulnerabilities.” (Close the door to access control leaks with Security Policy Tool!, n.d.) The Security Policy Tool offers the following features:
This suite of tools allows IT professionals to ensure that the access control policies they have developed are fully secure before they apply them to the enterprise’s Access Control System. Since the COBIT framework recommends testing access control mechanisms, especially within AI2: Acquire and Maintain Application Software and DS5: Ensure System Security, this policy tool allows the policies to be tested before they are introduced.
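The passage above describes testing access control policies before they are loaded into a production access control system. The following is an added illustration of what such a pre-deployment check looks like in code; it is not InfoBeyond's Security Policy Tool, nor code from COBIT, and the rule format, the role names, the sample policy and the test requests are all constructed for this example. It performs two checks a policy author would want: it flags rule pairs with opposite effects that can match the same request (a conflict that can become an access leak depending on how the enforcement point combines rules), and it evaluates a table of sample requests under deny-overrides, deny-by-default semantics so that any request whose actual decision differs from the policy author's expectation is reported.

```python
"""Constructed example: checking a small access-control rule set before deployment.

Two checks are performed on a rule set:
  1. conflict detection: a permit rule and a deny rule that can both match the
     same request, so the outcome depends on the combining algorithm;
  2. request simulation: sample requests are evaluated with deny-overrides and
     deny-by-default semantics and compared with the expected decision.
"""
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Rule:
    name: str
    roles: frozenset   # roles the rule applies to (hypothetical role names)
    resource: str      # resource identifier, or "*" for any resource
    action: str        # "read", "write", or "*" for any action
    effect: str        # "permit" or "deny"


def _field_overlap(a, b):
    """Two field values can match the same request if equal or either is a wildcard."""
    return a == b or a == "*" or b == "*"


def rules_overlap(r1, r2):
    """True if some request could satisfy both rules at once."""
    return (bool(r1.roles & r2.roles)
            and _field_overlap(r1.resource, r2.resource)
            and _field_overlap(r1.action, r2.action))


def find_conflicts(rules):
    """Return (name, name) pairs of overlapping rules with opposite effects."""
    return [(a.name, b.name) for a, b in combinations(rules, 2)
            if a.effect != b.effect and rules_overlap(a, b)]


def rule_matches(rule, roles, resource, action):
    return (bool(rule.roles & roles)
            and rule.resource in (resource, "*")
            and rule.action in (action, "*"))


def evaluate(rules, roles, resource, action):
    """Deny-overrides, deny-by-default: any matching deny wins; no match means deny."""
    decision = "deny"
    for rule in rules:
        if rule_matches(rule, roles, resource, action):
            if rule.effect == "deny":
                return "deny"
            decision = "permit"
    return decision


# Constructed sample policy. The last two rules overlap with opposite effects:
# contractors are denied everything, yet one rule tries to permit them a read.
POLICY = [
    Rule("hr-read", frozenset({"hr"}), "payroll", "read", "permit"),
    Rule("hr-write", frozenset({"hr_manager"}), "payroll", "write", "permit"),
    Rule("contractor-deny", frozenset({"contractor"}), "*", "*", "deny"),
    Rule("contractor-docs", frozenset({"contractor"}), "public_docs", "read", "permit"),
]

# Constructed test requests: (roles, resource, action, decision the author expects).
# The author expects contractors to read public_docs, which the deny rule blocks.
TEST_REQUESTS = [
    (frozenset({"hr"}), "payroll", "read", "permit"),
    (frozenset({"hr"}), "payroll", "write", "deny"),
    (frozenset({"guest"}), "payroll", "read", "deny"),
    (frozenset({"contractor"}), "public_docs", "read", "permit"),
]


def run_policy_tests(rules=POLICY, cases=TEST_REQUESTS):
    """Return (roles, resource, action, expected, actual) for every mismatch."""
    failures = []
    for roles, resource, action, expected in cases:
        actual = evaluate(rules, roles, resource, action)
        if actual != expected:
            failures.append((roles, resource, action, expected, actual))
    return failures


if __name__ == "__main__":
    for pair in find_conflicts(POLICY):
        print("conflict:", pair)
    for failure in run_policy_tests():
        print("unexpected decision:", failure)
```

Running the block reports the conflicting pair (`contractor-deny`, `contractor-docs`) and one failed test request, which is exactly the kind of finding a policy author wants to see before the rules reach the enforcement point rather than after. Real access control languages have richer matching and combining semantics than this sketch, so the checks here should be read as the shape of the test, not as a drop-in tool.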
IT policy covers the development of policies that relate to how a business uses IT, both within its own organization and as an external service for customers. IT policies are in place to allow organizations to manage how the technology they are implementing is being used. In a security setting, many IT policies are “issued by an organization to ensure that all users within the organization or its networks comply with the guidelines related to the security of the information stored digitally at any point in the network.”