CITP Review

Information security governance
Information security governance is the foundation of what a CITP does and needs to understand within an organization: ensuring that the organization's data and information remain safe, secure, and in the proper hands. Information security governance starts with an information security strategy that establishes the policies, procedures, processes, and standards for data security. That strategy should also cover logical access controls; hardware and physical access controls; security authorization and authentication; and business continuity and disaster recovery.
            Information security strategy

At the foundation of every successful information security governance program is an effective information security strategy. An organization's information security strategy is its roadmap to an information security program that aligns with the goals, objectives, and strategic initiatives of the organization.

            Objectives and components

The objective of any information security program centers on the three core areas of the information security triad:

              Confidentiality
              Integrity
              Availability

Confidentiality addresses data at rest and data in transit. The objective is to ensure that systems, their processes, and the data they create, transport, and store are accessible only to those authorized to see them.

Integrity focuses on the accuracy and reliability of data, of the systems and processes that generate it, and of the information produced from it. A key operational concern for CITPs is how data integrity affects decision-making: the quality of a decision is directly proportional to the quality, or integrity, of the information used to make it. A key external audit concern is the trustworthiness of the data in the financial reports, which is clearly a matter of integrity.

Availability means that systems, technologies, and the associated processes and data are accessible when needed for business operations. Availability is therefore primarily an operational and internal concern rather than an external auditor's concern, although it is conceivable that an availability failure could produce a scenario in which the risk of material misstatement (RMM) is great enough to need to be addressed.

            © 2019 Association of International Certified Professional Accountants. All rights reserved.    1-3