Fundamentals of Information Risk Management Auditing by Wright Chris

Author:Wright, Chris
Language: eng
Format: epub
ISBN: 9781849288187
Publisher: IT Governance Publishing
Published: 2016-04-18T16:00:00+00:00

CHAPTER 6: SECURITY AND DATA PRIVACY

Overview

There is increasing awareness in the media and elsewhere of cyber terrorism and cyber crime. These are very real risks. Less publicised are the internal risks of data loss – through deliberate action or simple carelessness/lack of understanding of the risks. I like ISACA’s definition of information security. It defines information security as something that:

“Ensures that within the enterprise, information is protected against disclosure to unauthorised users (confidentiality), improper modification (integrity) and non-access when required (availability).”

This definition clearly makes it the responsibility of the organisation to protect its information, in the same way as it would any other asset and clearly defines loss in this context.

The area of IT/information security is one where much has been written and it is not my intention to give a full or technically detailed account. What I can do is to give you the basics so that you can conduct an audit or review. For example, you may need to know the distinction between information security and IT security, as these two terms are often confused. Information security looks at all information whether processed manually or on IT systems, whilst IT security addresses the specific technology controls required to support information security.

Many IRM specialists specialise in this single field – why? Because it represents the main area people think of in information risk. There are so many media articles about hacking cases, threats from governments or terrorist organisations, etc. There are also data privacy regulations to consider and initiatives, such as cyber security. The IRM audit specialist needs a basic understanding of the concepts of IT and information security and often sits as an interpreter or go between, bringing the deeper security specialists together with the rest of the business. Whilst the technical aspects can be very involved, IT security is not just about ticking checklists – it’s about changing behaviours and culture so that users are aware of the potential for phishing/social engineering and the need to act as the first line of defence against potential threats and vulnerabilities.

Like all areas of information risk, it should start with a consideration of risks and controls and then develop into how we approach our audit.

Download

Copyright Disclaimer:
This site does not store any files on its server. We only index and link to content provided by other sites. Please contact the content providers to delete copyright contents if any and email us, we'll remove relevant links or contents immediately.