CIMA IT Solutions

Triggering the Expected Results from your Online Efforts.


A Corporation's 1st Line of Defense in Social Media

January 21, 2011 by Raul Colon


Many companies are not familiar with the many risks Social Media presents to companies, large and small. Last year I created a presentation on Corporate Social Media Guidelines and how to mitigate those risks.

One area where I have not seen any improvement is the revision of policies and procedures to better reflect the current risks that every company faces.

Most companies create policies simply to keep the auditor or regulators happy. Having been an IT Auditor for many years, and still holding the Certified Information Systems Auditor (CISA) certification to serve a few long-term clients, I have seen how many companies get away with it.

When it comes to Social Media policies, I see every day how more companies find their hands tied when confronted with an employee or company representative who misuses Social Media.

Many Social Media Policies

The first thing you have to understand before creating a First Line of Defense with Social Media is that multiple policies need to be created and integrated with your environment. Here is a list of the policies that should be part of your 1st Line of Defense, which I found at Social Media Explorer:

Employee Code of Conduct for:

  • Online Communications
  • Company Representation in Online Communications

Employee

  • Blogging Disclosure Policy
  • Facebook Usage Policy
  • Personal Blog Policy
  • Personal Social Network Policy
  • Personal Twitter Policy
  • LinkedIn Policy

Corporate

  • Blogging Policy
  • Blog Use Policy
  • Blog Post Approval Process
  • Blog Commenting Policy
  • Facebook Brand Page Usage Policy
  • Facebook Public Comment/Messaging Policy
  • Twitter Account Policy
  • YouTube Policy
  • YouTube Public Comment Policy

Company Password Policy

I hope this list can serve as a guide for many and can be elaborated on. I will cover each policy in more detail in the next few posts.

Is there a set of policies you have questions about?

Do you know of other policies you might need or have created?

Filed Under: Social Media, Uncategorized Tagged With: IT Governance, Policies & Procedures, Social Media, Social Media Guidelines

How can ISO/IEC 27001 help solve IT Governance issues?

May 9, 2010 by Raul Colon

Benefits of ISO 27001

The other day I was talking about my plans to give the ISO 27001 Lead Auditor training and someone asked me about the benefits of ISO 27001.

I gave her an overview of my opinion, but while browsing LinkedIn in one of the groups I have joined, the CGEIT Network (Certified in the Governance of Enterprise IT), I found the following question regarding ISO 27001 by Mark E. S. Bernard (whom I have to thank for allowing me to use his opinion on ISO 27001).

How can ISO/IEC 27001 help solve IT Governance issues?

Has anyone utilized ISO/IEC 27001 to help solve IT Governance issues like Data Governance etc…?

He answered with the following points:

  • Management's commitment to a management system providing governance over information company wide, data governance
  • Clarification of accountability for controls over assets leading to formalization of roles and responsibilities, who needs to be consulted during decisions and actions, who needs to be informed of the results, who needs to conduct the actions
  • Asset inventory allowing the formal identification of information repositories in addition to software, hardware, people, telecommunications and physical property
  • Information classification identifying the categories of information and what controls need to be applied during the course of regular business activities
  • Risk management allowing management to make decisions based on risk to the business and make changes to align risk to business information with that of the Enterprise risk appetite. This includes reporting through the risk treatment plan which feeds directly into the Enterprise Risk Management process
  • Monitoring through regular management meetings and audits staying on top of action plans and addressing any issues for resourcing or capital. This also includes addressing any issues that block progress
  • Continuous improvement allowing management to address quality, which translates into cost savings by supporting and following up on defects in service delivery impacting availability, software, information repositories impacting data integrity and confidentiality enforcing security standards and processes, etc.

For my part, agreeing with Mark, I have been able to use ISO 27001 to get management's commitment. Aligning governance efforts with internationally accepted standards, frameworks, or guidelines helps with management buy-in. Most auditors also feel more comfortable once they see your controls aligned to a standard like ISO 27001. It can also produce great Road Maps towards improvement. I have been involved in various assessments where a Gap Analysis is made of how an organization aligns to ISO 27001.

Once we have the Current State and understand the process, we move on to mapping the ideal Future State. The key part is then establishing goals and milestones in an organized Road Map to get from Current State to Future State.

ISO 27001 works ideally for this kind of situation.

Do you have other ways where you have utilized ISO 27001 in an effective way to start, improve or simply execute on an IT Governance related project?

Filed Under: IT Governance, Uncategorized Tagged With: ISACA, IT Governance

CIMA IT Solutions Copyright © 2025 · Squeezed & sweetened by Limonade
