Auditing Information and Cyber Security Governance
eBook - ePub


A Controls-Based Approach

Robert E. Davis

284 pages
English
ePUB (available in the app)
Available on iOS and Android
About the book

"A much-needed service for society today. I hope this book reaches information managers in the organization now vulnerable to hacks that are stealing corporate information and even holding it hostage for ransom."

– Ronald W. Hull, author, poet, and former professor and university administrator

A comprehensive entity security program deploys information asset protection through stratified technological and non-technological controls. Controls are necessary for counteracting threat, opportunity, and vulnerability risks in a manner that reduces potential adverse effects to defined, acceptable levels. This book presents a methodological approach in the context of normative decision theory constructs and concepts, with appropriate reference to standards and their respective guidelines. Normative decision theory attempts to establish a rational framework for choosing between alternative courses of action when the outcomes resulting from the selection are uncertain. Through the methodological application, decision theory techniques can provide objectives determination, interaction assessments, performance estimates, and organizational analysis. A normative model prescribes what should exist according to an assumption or rule.


Details

Publisher
CRC Press
Year
2021
ISBN
9781000416121
Edition
1
Category
Auditing

Chapter 1
Security Governance

Abstract

Dependence on information by for-profit and not-for-profit organizational formations continues to expand. However, distinguishing information security from cybersecurity is a perspective issue. Contextually, information security means protecting information and information systems from unauthorized access, use, disclosure, modification, disruption, and destruction. In contrast, cybersecurity focuses on protecting IT that acquires, stores, manipulates, manages, moves, controls, displays, switches, interchanges, or transmits digitally encoded data. Beyond both views, Information Security Governance (ISG) necessitates taking the expanded view that the entity’s data, information, and derived knowledge must receive appropriate protection without regard to the acquisition, handling, processing, transport, or storage method. Chapter 1 focuses on the effect of entity governance, ISG, and Cyber Security Governance as management tools for appropriate information and technology security.

Introduction

Information usually obtains value when considered usable in decision-making (Davis, 2008a). Security is a prominent component within organizational governance that enables fulfilling a stakeholder expectation (Brotby, 2009; Davis, 2017; Flores et al., 2014). Part of the stakeholder security expectation is satisfied through appropriate Information Security Governance (ISG; Davis, 2008a, 2013). Properly constructed and implemented, ISG supports stakeholder expectations concerning management’s explicit or implicit fiduciary responsibilities (Davis, 2008a, 2011, 2017).
Loyalty to the person or group (i.e., principal) tasking the duty is a fiduciary expectation (Davis, 2008a). Consequently, personal interests do not supersede a fiduciary duty, and the fiduciary must not profit from the position unless the principal consents (Davis, 2008a). Therefore, a fiduciary should avoid engaging in activities where personal interests and fiduciary duty conflict, as well as situations where one fiduciary duty conflicts with another fiduciary duty (Davis, 2008a). Moreover, a fiduciary should not seek personal benefit from the fiduciary position without the principal’s express knowledge and consent (Davis, 2008a).
Control is the exercise of directing or restraining influence (Avison, 2007). An organization’s information security controls comprise the procedures adopted or devised to furnish management with some degree of comfort regarding the achievement of protection objectives for information assets. An entity’s management should have, and in several countries does have, a legal responsibility to implement adequate control systems for preventing, detecting, and conditionally correcting errors, mistakes, omissions, irregularities, and illegal acts (Davis, 2006, 2008a).
ISG should address creating and implementing a “system of security controls” that enable ethical and legal managerial responsibilities fulfillment for information assets protection (IAP). Ethically, management must protect an entity’s information assets from potential internal and external threats that can compromise confidentiality, integrity, or availability in order to preserve organization, presentation, and utilization value (Ahmad et al., 2014; Brotby, 2006; Davis, 2008a, 2017; Whitman & Mattord, 2012). Legally, within an entity’s information security control system, explicitly or implicitly, management as fiduciary agents are responsible and accountable for deploying controls that prevent, deter, detect, and correct unacceptable actions (Davis, 2008a).
Management’s due care regarding information systems drives the appropriate information security due-diligence activities that emanate from fiduciary responsibilities (Boyson, 2014; Davis, 2008a, 2017; Whitman & Mattord, 2012). Instituting and sustaining information safeguarding necessitates a comprehensive program addressing cyber threats that can thwart organizational mission achievement (Ahmad et al., 2014; Davis, 2017; Kushwaha, 2016; Mohare & Lanjewar, 2012). Information security breaches can originate from external or internal actions (Crossler et al., 2013; Davis, 2017; Silic & Back, 2014). Therefore, responsible information technology (IT) manager-leaders should ensure ethical behavior by every individual interacting with the organization’s information systems through effectual ISG (Boyson, 2014; Davis, 2017). However, organizational IAP breaches have decreased value appropriation (Clark & Harrell, 2013; Silic & Back, 2014).
IAP should be an entity’s uppermost concern because IT security incidents can compromise the confidentiality, integrity, or availability of financial and operational systems (Davis, 2008a). Sources of IAP threats can be a person, thing, or event (Davis, 2008a). Scholars and practitioners have synopsized that information security is no longer mainly a technology issue needing operational IT personnel handling but rather more of a governance concern (Davis, 2017; Julisch, 2013; Mohare & Lanjewar, 2012; Whitman & Mattord, 2012).
No single theoretical or practice approach can encompass organizational governance diversity. The Governance Tree framework aims to mobilize and facilitate applying a controls approach in a shared practitioner program while increasing comparability reflecting different scholarly perspectives. The framework allows scholars and practitioners to investigate and apply the drivers, forms, causal mechanisms, and organizational governance pathways, considering the effects on regulatory capacity, performance, and outcomes. This chapter presents the discernible ISG perspectives and evolution. The discussions in this chapter also define cybersecurity reflecting a contextually based understanding and Cyber Security Governance integration insights. Moreover, this chapter advances the organizational governance research agenda by illustrating the Governance Tree framework’s applicability within empirical contexts.

Governance Perspectives

Organizational governance can supply a framework for ethical decision-making and managerial action predicated on transparency, accountability, and defined roles (Marnewick & Labuschagne, 2011). Implicit expectations for effective governance reside in the fiduciary relationship between stakeholders and organizational management, and in their adherence to shared morality values (Davis, 2008a, 2017). Morality values link to principles and standards (Bagozzi et al., 2009; Northouse, 2013). Values of stakeholders and managements typically address morality regarding overall image perceptions and detailed edicts consisting of regulatory guides for behavior (Bagozzi et al., 2009; Ferrell, 2005). Internationally, a fiduciary duty is considered the highest care standard imposed through law or equity (Davis, 2008a).
Fiduciary relationship establishment may be an expectancy by the entrusting party or decreed by law or regulation (Davis, 2008a). Commonly, fiduciary relationships can exist for professionals, agents, executors, trustees, guardians, and entity employees (Brotby, 2006; Davis, 2008a). Salient fiduciary relationship features are loyalty, good faith, and trust at the entity employee level (Davis, 2008a). Loyalty is faithfulness to the obligating principal (Davis, 2008a). Good faith represents a veracious intention to abstain from taking unfair advantage of another (Davis, 2008a). Trust reflects confidence reposed in one person to manage or safeguard entrusted property for another’s benefit (Davis, 2008a).
Ethical values affect fiduciary loyalty, good faith, and trust. As a set of moral principles, ethics can represent the science of social duty or rules of responsibility drawn from personal duty science (Davis, 2008a). Additionally, ethics can reference a system of rules and principles concerning the duty or the practice linking a social action class (Davis, 2008a). Deontological ethics only considers rational judgments in determining if an action is right or wrong (Bagozzi et al., 2009; Northouse, 2013). In contrast, teleological ethics considers the potential outcomes of a decision to act, and virtue ethics focuses primarily on moral character aspects (Bagozzi et al., 2009). Commonly, ethical behavior sustains principal–agent fiduciary relationships (Davis, 2008a).
Integrity values also affect fiduciary loyalty, good faith, and trust (Davis, 2008a). Integrity can be considered a set of moral values that reflect the state or quality encompassing honesty, moral principles, uprightness, and sincerity (Davis, 2008a). Typically, integrity results when individuals receive high ethical and behavioral standard communications and practice enforcement (Davis, 2008a). Organizational integrity standards should include administrative actions for removing or reducing incentives and temptations that might prompt employees to engage in dishonest, illegal, or immoral behavior (Davis, 2008a). Organizational governance is a means to attempt controlling contemptible individual and group actions to benefit entity continuity.
Governance assists in satisfying stakeholder expectations concerning managerial responsibilities (Davis, 2008a, 2017). Stakeholder identification (Gil-Lafuente & Paula, 2013) and applying value analysis (Harrison & Wicks, 2013) assist in assessing entity-level strategy and organizational culture alignment (Davis, 2017). Derivatively, the alignment of stakeholder values and organizational values depends on effectively and efficiently pursuing the defined mission while strictly adhering to espoused entity values (Davis, 2017). Alignment exists and is sustainable considering stakeholder values when an entity can furnish products or services supporting acceptable value creation (Chou, 2015; Davis, 2017; Di Gregorio, 2013) and value appropriation (Davis, 2017; Di Gregorio, 2013). Stakeholder value creation and appropriation are derivable from the relevance and quality of products and services, affiliation utility, organizational justice cognitions, and opportunity cost perceptions (Harrison & Wicks, 2013). Values alignment construct deviation by organizational management could result in stakeholder dissatisfaction generating perceptions that competitors offer a stronger value proposition (Davis, 2017).
Information assets contain or can contain data (Davis, 2012, 2017) that may be subject to dishonest, illegal, or immoral behavior. Organizational management needs to address IAP at the governance level to mitigate technology deployment informational risks (Davis, 2017; Yaokumah, 2013). However, the managerial perspective for ISG has diverging views concerning accountability (Williams et al., 2013). On the one hand, some practitioners and scholars considered ISG responsibilities to be an IT governance accountability subfunction (Gheorghe, 2010). On the other hand, some practitioners and scholars considered ISG to have discrete function accountability to those responsible for entity governance (Williams et al., 2013).
Without regard to whether management views ISG as a program directly supporting entity governance or an IT governance program subset, IAP is necessary (Davis, 2017). In meeting the needed IAP, information security perspectives must address managerial and technical aspects (Silic & Back, 2014). An adaptive balance between rational management and applied technology enables appropriate information security (Ahmad et al., 2014; Brotby, 2006; Davis, 2017; Safa & Von Solms, 2016). Organizational management’s development and deployment of reasonable information security policies and procedures permit ensuring appropriate IAP, while efficaciously applied information security technology can increase IAP effectiveness in addressing potential internal and external threats (Ahmad et al., 2014; Davis, 2017).

Rational Management

Management is the act of achieving organizational objectives through the use of available resources. In other words, management is an interactive function that entails planning, organizing, orchestrating, directing, and controlling activities in an organizational setting (Davis, 2008a; Kotter, 2001; Maccoby, 2000; Northouse, 2013). A sound management practice approach to IAP is unavoidable, given that information systems and associated technology continue to increase in complexity (Bahl & Wali, 2014; Davis, 2008a).
Typically, primary purposes of information systems are useful data collection, reliable input processing, and timely output dissemination (Davis, 2008a). Information systems’ integration design and deployment should include appropriate control measures to achieve management’s objectives (Davis, 2008a). A controls-based approach for information systems operates according to a prescribed or bounded set of criteria. Therefore, an entity’s management should consider IAP as a service requirement that ensures expected delivery and support by applying relevant information criteria (Davis, 2008a). An entity’s information delivery and support deployment should adequately address effectiveness, efficiency, confidentiality, integrity, availability, compliance, and reliability criteria (Davis, 2008a), where the generally accepted principles for information security are confidentiality, integrity, and availability (Arief et al., 2015; Samonas & Coss, 2014).
Classically, managers receive assignments to function at various authority, responsibility, and accountability levels (Davis, 2008a). Managerial authority, responsibility, and accountability delegation usually occur after considering the following facts:
  • Authority provides the power or right to give commands, enforce obedience, initiate action, or make final decisions (Davis, 2008a, 2011). How organizational assignments occur as well as how reporting relationships and authorizatio...