
The Practical Guide to Assuring Compliance: Identifying Risks to Executives

17 Apr 2006 | Realtimepublishers


The Practical Guide to Compliance and Security Risks

Rebecca Herold

Free with online registration

Realtime Publishers


In this excerpt from "The Practical Guide to Compliance and Security Risks," author Rebecca Herold outlines the risks executives are often in the dark about and the importance of creating a security management oversight council.

Identifying Risks to Executives
Executives have increasing exposure to information security risks as technology advances and new laws and regulations are implemented. Executives are susceptible to risks such as:

  • Not being aware of existing risks within the organization and not knowing which risks are most significant
  • Failure to create, support, and communicate an adequate and effective security culture and control framework to meet business needs
  • Failure to effectively delegate responsibilities for risk management throughout all levels of the organization
  • Failure to detect where security weaknesses exist within the organizational business units
  • Failure to successfully monitor risk management activities to ensure compliance with policy
Security is not a one-time effort. IT environments keep changing, new laws and regulations are being passed every day, and new security risks can occur or develop at any time.

Making Security a Business Responsibility

Information security must be viewed as a business responsibility and must be shared by all members of business management. It is most effective to incorporate security throughout the business units by creating a security management oversight council to ensure that there is clear security direction and apparent management support for security initiatives. Such a council should promote and enhance security within all business processes by applying appropriate commitment and adequate resources.

For some organizations, the oversight council may be part of an existing management body. In others, it will be most effective to create a new group of managers to oversee security. Typically, an information security oversight council:

  • Reviews, approves, and visibly supports information security policy and overall responsibilities
  • Monitors significant changes in risks to information assets and emergence of major threats
  • Reviews and monitors information security incidents and how they were resolved
  • Approves major initiatives to enhance information security
The information security officer should head the information security management oversight council to ensure consistent security is implemented throughout the organization.

To be successful in today's information economy, enterprise business governance and IT governance can no longer be considered separate and distinct disciplines. Effective enterprise governance must focus individual and group expertise and experience where it will be most productive. Governance must monitor and measure performance and provide assurance that critical security issues are being addressed. Information security must be regarded as an integral part of business strategy.

An IT governance structure should link and integrate the IT security processes and resources with the business strategies and objectives.

A successful IT governance framework will integrate and optimize the way IT functions and associated business processes are planned, organized, acquired, implemented, delivered, supported, and monitored. IT governance, which includes security within every element, is integral to the success of enterprise-wide governance. IT governance should assure efficient, effective, and measurable improvements throughout all enterprise processes. Effective IT governance will enable the enterprise to use information in the most efficient and effective way possible, which will ultimately increase business benefits, put the organization in a position to take advantage of emerging opportunities, and enable the company to gain a competitive advantage.

To read more from The Practical Guide to Compliance and Security Risks, download the full excerpt.
