Useful overview of ways to control information security risks
Faced with the emergence and speed of growth of the information economy, organisations have an urgent need to adopt IT governance best practice, according to Alan Calder and Steve Watkins in their book IT Governance: An International Guide to Data Security and ISO27001/ISO27002. The authors define IT governance as ‘the framework for the leadership, organizational structures and business processes, standards and compliance to these standards, which ensures that the organization’s information systems support and enable the achievement of its strategies and objectives’.
There are so many different things that can go wrong with an organisation’s IT resources that it is hard to know where to start even identifying the possible risks, let alone working out how to get them under control. The old risks of data loss due to hardware failure and financial loss due to project failure still exist, but alongside them are vast numbers of new risks, including data theft or destruction by highly skilled malicious agents who are bent on finding ways to harm your organisation.
Only large organisations will have the resources to go through the full ISO27001 certification process, but in its discussion of the various controls needed for certification, this book provides a very useful overview of the steps that an organisation of any size can take to protect against a large range of information security risks.