
Assurance Through Control Objectives, A Governance Basis for Managing Corporate Information Assets

Author(s): Dan Shoemaker (University of Detroit Mercy, USA) and Antonio Drommi (University of Detroit Mercy, USA)
Copyright: 2003
Pages: 3
Source title: Information Technology & Organizations: Trends, Issues, Challenges & Solutions
Source Editor(s): Mehdi Khosrow-Pour, D.B.A. (Information Resources Management Association, USA)
DOI: 10.4018/978-1-59140-066-0.ch197
ISBN13: 9781616921248
EISBN13: 9781466665330


Information security systems have to meet two logical criteria to be effective. First, the protection must be complete, in the sense that the response addresses the entire problem (i.e., everything that requires assurance is secured). Second, the safeguards have to be uniform; that is, there must be an organization-wide commitment to security. The first principle is established through a systematic implementation strategy. The second requires the organization to define substantive policies, roles and responsibilities, educate employees, and describe and enforce accountability. The problem is that this effort takes time and precious resources. Nevertheless, there are very real and substantive consequences if the security protection scheme is inconsistent. For example, a secure network without policies to control the people who operate it can be breached no matter how sophisticated the technology employed. One recent illustration of exactly that scenario is the national database that was raided by four inside employees for the credit information of 30,000 individuals. That information was sold to an identity theft ring, which subsequently used it to commit massive credit card fraud. In fact, very few breaches of corporate information security directly involve the technology: seventy-two percent of the serious losses recorded by the FBI in 2001 originated from the actions of insiders rather than hackers (CSI 2002). This underscores the principle that, no matter how robust the encryption scheme, there are no practical safeguards unless everybody involved understands what constitutes a violation and what the consequences are for committing one. So the correct response in nearly three-quarters of last year's cases should have been a systematic set of organizational control procedures, not a more sophisticated firewall.