bcs-ismp-bk-en-GB March 30, 2010 - 08:51 76
Information Security Management Principles
used with other standards. COSO, produced by the Treadway Commission,
provides a framework for evaluating effectiveness of assurance by
establishing a set of objectives for assurance control and measuring against
them. This is often used for testing the effectiveness of accounting controls.
Importance of effective Information Security governance from the highest levels of organisational management
As discussed at the beginning of this chapter, one senior person within
the organisation should be given the overall responsibility for protecting
the assurance of the organisation’s information assets and be formally held
accountable for ensuring that appropriate security controls are implemented
across the business. This director should be supported by a working group to
ensure that adequate assurance measures have been put in place to protect
the organisation to an acceptable level of risk. Involving senior management
will help to endorse the governance process, ensure that adequate resources
are made available, ensure that controls are implemented effectively and
ensure that any identified security gaps are addressed.
Activity 3.3
After the recent loss of information, Miss Peacock is concerned that she
needs to demonstrate to the regulators and external auditors that good
assurance controls are in place within GANT. How would you provide
her with evidence to demonstrate that assurance is being managed
effectively?
SECURITY INCIDENT MANAGEMENT
No matter how careful you are in conducting the day-to-day business of
the organisation, and regardless of the extent of the assurance controls in
place, security incidents happen. These don’t just affect the confidentiality
of assets; the impact can equally relate to their integrity or availability. It is
important to have plans in place to deal with these eventualities before they
occur, because trying to implement solutions afterwards is seldom likely to
be effective.
LEARNING OUTCOMES
The intention of this section is to provide the reader with the basic knowledge
needed to manage assurance incidents and plan and conduct a forensic
investigation. Once completed, the reader should have an understanding of
the following.