Items Tagged with "Management"
May 02, 2012 Added by: benson dana
I once worked at a place where a senior manager collected the passwords of employees. There had been resistance to giving up this policy, and the excuse was that this unit's mission was unique and that this was necessary. How often does the internal auditor hear this excuse?
April 29, 2012 Added by: Thomas Fox
I was thinking about Captain Kirk and his leadership of the Enterprise in the context of issues relating to the Board of Directors' responsibility in a company's compliance program. Kirk did not have to deal with a BOD, but he did lead from the front, and that is what a CCO must do...
April 22, 2012 Added by: Robb Reck
The traditional role of security in the organization has been that of a cost-center to be minimized. Security’s success has historically been defined by internally developed measures. We work to create best-practice metrics that show how mature the security program is...
April 22, 2012 Added by: Steven Fox, CISSP, QSA
Security engineers, analysts, and auditors are apt to use security policies or industry best practices as the foundation of their guidance rather than addressing business needs. While valid in their substance, these appeals to authority are perceived negatively...
March 15, 2012 Added by: Kyle Lagunas
Providing access to all sorts of internal systems for both employees and managers can make for a more adaptable organization regardless of size. IT has struggled with this loss of gatekeeper control, but the sound fiscal results are changing the minds of the C-suite...
March 08, 2012 Added by: Michele Westergaard
An effective risk management process allows for decision making by management with the best likelihood of achieving the desired results. It is not meant to create a brick wall for management to operate within, but more of a recommended parameter within which to operate...
February 26, 2012 Added by: Ben Kepes
There's a flip side to technology democratization in that the high level of accessibility also means that it's very easy for organizations to set themselves up as vendors – sometimes without the necessary level of professionalism that would be optimal...
February 23, 2012 Added by: PCI Guru
Requirement 3.6.4 always seems to be a sticking point because people get caught up in the key expiration concept. The thing to remember is that whether or not a key expires is typically related to the encryption algorithm such as for those using public key infrastructure...
February 22, 2012 Added by: Rafal Los
"If a CISO initially receives any capability when starting the position, that was capability that was left over from their predecessor. It is now the CISO's responsibility to earn more capability and solidify what may already exist..."
February 17, 2012 Added by: Rafal Los
Capability is often seen as the ability to enforce - whether it's corporate politics, budget, or a top-down reporting structure. If you don't have the capability to force people to follow organization-wide decisions, it is difficult to have a solid organization...
February 11, 2012 Added by: Rafal Los
The trick is, when security can't clearly and absolutely get definition on what employees should and shouldn't be allowed to do, they have to implement the law of least privilege overly aggressively and then things get slow, tedious, and everyone complains about security...
February 10, 2012 Added by: Thomas Fox
Compliance evaluation is becoming a more common component of the employee selection and hiring process. Many companies now specifically include due diligence in compliance parlance when hiring senior managers or others who will hold high levels of authority...
February 07, 2012 Added by: Fergal Glynn
Knowing how much money you’re going to spend upfront is a challenge until you have the application inventory, until you know what your risk tolerances are, and until you have a fair idea of what the problems are. You’ll have to start slow and realize the number may grow...
February 05, 2012 Added by: Norman Marks
When is the last time you saw an audit report that said management had too many controls or was not taking sufficient risk? When did you last hear a risk officer urging planners to move into a new market more quickly? The same thing applies to information security personnel...
February 04, 2012 Added by: Thomas Fox
It is better to consider the ripple effects of your decision making before throwing that rock into your company's ethics pond. If you do not do so, you can easily run the risk of consequences for which you may have no response, yet be held accountable for in your company...
February 02, 2012 Added by: Danny Lieberman
DR planning is not about writing a procedure, getting people to sign up and then filing it away somewhere. The disaster recovery plan is designed to assist companies in responding quickly and effectively to a disaster in a local office and restore business as quickly as possible...