Calder / Watkins | IT Governance | E-Book | www.sack.de
E-book, English, 486 pages

Calder / Watkins IT Governance

An international guide to data security and ISO 27001/ISO 27002
1st edition, 2025
ISBN: 978-1-80638-354-2
Publisher: Packt Publishing
Format: EPUB
Copy protection: 0 - No protection




In the modern digital landscape, information security has never been more critical. This book introduces readers to the essential components of IT governance, focusing on frameworks like ISO 27001 and strategies for managing risks in today's complex information economy. The content explores key topics like cybersecurity, risk management, information security policies, and compliance with international standards.
As you progress, you'll learn to navigate the challenges of organizing and maintaining a secure IT environment, with insights into compliance regulations, security frameworks, and governance codes. The book provides hands-on guidance on applying security controls, setting up robust information security policies, and evaluating risks. Real-world scenarios and practical applications ensure the knowledge gained is immediately applicable to professional environments.
The journey culminates in an understanding of how to integrate IT governance within an organization. You'll learn to assess vulnerabilities, implement risk management strategies, and ensure that security measures align with both business goals and regulatory requirements. The book equips readers with the tools needed to strengthen IT systems against evolving threats and to stay ahead in the information security landscape.



INTRODUCTION


This book on IT governance is a key resource for forward-looking executives and managers in 21st-century organizations of all sizes. There are six reasons for this:

1. The development of IT governance, which recognizes the ‘information economy’-driven convergence between business management and IT management, makes it essential for executives and managers at all levels in organizations of all sizes to understand how decisions about IT in the organization should be made and monitored and, in particular, how information security risks are best dealt with.

2. Risk management is a big issue. In the UK, the FRC’s Risk Guidance (formerly the Turnbull Guidance on internal control) gives directors of Stock Exchange-listed companies a clear responsibility to act on IT governance, on the effective management of risk in IT projects, and on computer security. The US Sarbanes–Oxley Act – and more recent SEC regulations – places a similar expectation on directors of all US listed companies. Banks and financial-sector organizations are subject to the requirements of the Bank for International Settlements (BIS) and the Basel 3.1 frameworks, particularly around operational risk – which absolutely includes information and IT risk. Information security and the challenge of delivering IT projects on time, to specification, and to budget also affect private- and public-sector organizations throughout the world.

3. Particularly post-GDPR, information-related legislation and regulation are increasingly important to all organizations. Data protection, privacy and breach regulations, cyber resilience, computer misuse, and regulations around investigatory powers are part of a complex and often competing range of requirements to which directors must respond. There is, increasingly, the need for an overarching information security framework that can provide context and coherence to compliance activity worldwide.

4. As the intellectual capital value of ‘information economy’ organizations increases, their commercial viability and profitability – as well as their stock price – increasingly depend on the security, confidentiality, and integrity of their information and information assets.

5. The dramatic growth and scale of the information economy have created new, global threats and vulnerabilities for all organizations, particularly in cyberspace.

6. The world’s first, and only, globally accepted standard for information security management systems is at the heart of a recognized framework for information security and assurance. The key standard in the ISO/IEC 27000 series, ISO/IEC 27001, has been updated to reflect current international best practice; organizations increasingly require their suppliers to conform to it, and regulatory or licensing conditions increasingly rely on it. Compliance with the Standard should enable company directors to demonstrate a proper response – to customers as well as to regulatory and judicial authorities – to all the challenges identified above.

The information economy


Faced with the emergence and speed of growth in the information economy, organizations have an urgent need to adopt IT governance best practice. The main drivers of the information economy are:

The ongoing globalization of markets, products, and resourcing (including ‘offshoring’ and ‘nearshoring’)

Electronic information and knowledge intensity

End-user device proliferation and the migration to the Cloud

The geometric increase in the level of electronic networking and connectivity

The key characteristics of the global information economy, which affect all organizations, are as follows:

Unlike the industrial economy, information and knowledge are not depleting resources that have to be rationed and protected

Protecting knowledge is less obviously beneficial than previously: Sharing knowledge drives innovation, and innovation drives competitiveness

The effect of geographic location is diminished; virtual and Cloud-based organizations operate around the clock in virtual marketplaces that have no geographic boundaries

As knowledge shifts to low-tax, low-regulation environments, laws and taxes are increasingly difficult to apply on a solely national basis

Knowledge-enhanced products command price premiums

Captured, indexed, and accessible knowledge has greater intrinsic value than knowledge that goes home at the end of every day

Intellectual capital is an increasingly significant part of stockholder value in every organization

The challenges, demands, and risks faced by organizations operating in this information-rich and technologically intensive environment require a proper response. In the corporate governance climate of the early 21st century, with its demand for stockholder rights, corporate transparency, and board accountability, this response must be a governance one.

What is IT governance?


The Organisation for Economic Co-operation and Development (OECD), in its Principles of Corporate Governance (1999), first formally defined ‘corporate governance’ as “the system by which business corporations are directed and controlled.” Every country in the OECD is evolving – at a different speed – its own corporate governance regime, reflecting its own culture and requirements. Within its overall approach to corporate governance, every organization has to determine how it will govern the information, information assets, and IT on which its business model and business strategy rely. This need has led to the emergence of IT governance as a specific – and pervasively important – component of an organization’s total governance posture.

We define IT governance as “the framework for the leadership, organizational structures and business processes, standards and compliance to these standards, which ensures that the organization’s information systems support and enable the achievement of its strategies and objectives.”

There are five specific drivers for organizations to adopt IT governance strategies:

1. The requirements (in the UK) of the Corporate Governance Code and the Risk Guidance; for US-listed companies, Sarbanes–Oxley and more recent SEC regulations; for banks and financial institutions, Basel 3.1, and, in the EU, DORA; and for businesses everywhere, the requirements of their national corporate governance regimes.

2. The increasing intellectual capital value that the organization has at risk.

3. The need to align technology projects with strategic organizational goals and to ensure that they deliver planned value.

4. The proliferation of (increasingly complex) threats to information and information security, particularly in cyberspace, with consequent potential impacts on corporate reputation, revenue, and profitability.

5. The increase in the compliance requirements of (increasingly conflicting and punitive) information- and privacy-related regulation, particularly the EU GDPR and regulations around the world that are inspired by it.

There are two fundamental components of effective management of risk in information and IT. The first relates to an organization’s strategic deployment of IT to achieve its business goals. IT projects often represent significant investments of financial and managerial resources. Stockholders’ interest in the effectiveness of such deployment should be reflected in the transparency with which they are planned, managed, and measured, and the way risks are assessed and controlled. The second component is the way the risks associated with information assets themselves are managed.

Clearly, well-managed IT is a business enabler. All directors, executives, and managers, at every level in any organization of any size, need to understand how to ensure that their investments in information and IT enable the business. Every deployment of IT brings with it immediate risks to the organization, and therefore every director or executive who deploys, or manager who uses, IT needs to understand these risks and the steps that should be taken to counter them. This book deals with IT governance from the perspective of the director or business manager, rather than from that of the IT specialist. It also deals primarily with the strategic and operational aspects of information security.

Information security


Cyber threats now have existential implications for organizations. Today’s information risk environment has four characteristics driving boards and senior managements to prioritize their strategies for managing information risk:

An expanding attack surface, driven by the migration to the Cloud, the proliferation of end-user devices, and hybrid working

A crowded threat horizon, in which increasingly complex global threats, from deep fakes and AI to technologically sophisticated cyber crime and nation-state activities, make daily headlines

Increasingly punitive compliance requirements that mandate boards and senior managements to apply a governance, risk management, and compliance (GRC) strategy to the discharge of their information security obligations

A flood of detailed, overlapping, competing, and enforced computer- and privacy-related regulation around the world,...


