As a group, discuss the topics listed below on policy and procedure governance. Produce a 4–8 page paper with the results of your discussion. This paper will be added to the Information Technology (IT) Governance Policies and Procedures Manual that has already been established. The document that your group created will serve as the Policy and Procedure Governance section(s) of the IT Governance Policies and Procedures Manual.
In the Policy and Procedure Governance section(s), you should include the following:
- State the purpose of this section of the document.
- State how this section (or sections) aligns with overall governance goals and objectives.
- State how the content of this section might be influenced by U.S. federal security legislation and oversight (e.g., OCIE, FINRA, GLBA, HIPAA).
- Identify the types of changes to policies and procedures this section of the manual will cover.
- List the steps to be followed when the organization introduces a new or modified IT policy or procedure.
- List the steps to be followed when the organization proposes a change to the IT Governance Policies and Procedures Manual.
- Include appropriate approval levels for the types of changes introduced.
I have attached the previous assignments to help you with this.
Running Head: IT GOVERNANCE POLICIES AND PROCEDURES 1
IT Governance Policies and Procedures
Name
Professor
Date
Contents
IT Governance Policies and Procedures Manual Title Page 3
Business and IT Goals 4
Business Goals 4
IT Goals to Support the above Business Goals 5
Conflicts between the two Sets of Goals 5
Information Technology Governance and Information Security Governance 6
Summary 6
Similarities and Differences 6
Regulatory Requirements 6
IT Governance Policies and Procedures Manual Title Page
The IT Governance: Policies & Procedures Manual, 2019 Edition, is the PMG Company’s apex reference tool for decision-making. It helps the company devise an information systems policy and procedure program tailored to the needs of the organization.
Beyond the extensive policies it contains, it is also a valuable resource for information an individual may need. The IT Governance: Policies & Procedures Manual provides access to blueprint information relating to:
· Policy and planning
· System security and accompanying documentation
· Systems analysis, design, and engineering
· And other intricate details pertaining to PMG information systems’ policy
LAST UPDATED: 03/05/2019
FREQUENCY OF UPDATE: annual basis
COMPANY: PMG Company
Business and IT Goals
Business Goals
The company currently has its eyes set on three major business goals. First, breaking into the northern market of the country and the Canadian market. The Canadian Information Technology market is as mature as the one in the United States. The market consists of several suppliers that are not strongly differentiated but enjoy both internal and external economies of scale. Market power rests in the hands of the buyers or consumers, who are spoilt for choice over what they need and where to get it. At the same time, the market is open with low barriers to entry, other than the government’s local company protection act, which prevents direct competition against small firms whose annual turnover is below $100 million. There is one major risk with a move towards the northern market and Canada: the risk of liquidity.
Secondly, increasing company annual revenue to $330 million and above with a turnover of $1 billion. In fact, all company business goals and strategic objectives converge on this particular goal. All resources and plans at the PMG Company are streamlined towards increasing company revenues by at least 5% by the close of business this year. Finally, completing a takeover of Green Valley Technologies, an IT network solutions company with a good presence in the southern Canadian market. Because the local company protection act aims to protect young Canadian companies from direct competition by foreign companies, the fastest way to scale up operations in Canada is to take over one of the local companies there. A decision has been reached clearing Green Valley Technologies as the company to go for.
IT Goals to Support the above Business Goals
The company’s IT department, in conjunction with the overall strategic plan of the company, set three major goals aimed at streamlining operations and ensuring efficiency while aligning them with the processes put in place to achieve the business goals. The first IT goal is eliminating all IT-related redundancies by the first quarter of the year. Secondly, implementing a pure Open Shortest Path First (OSPF) and Enhanced Interior Gateway Routing Protocol (EIGRP)-based network to halve the company’s network maintenance cost by the end of the second fiscal quarter. Finally, the department also aims to complete total infrastructure migration to the cloud by the end of the second quarter of the year. The IT department goals go hand in hand with the general company business goal of cutting the cost of internal operations to save as much money as possible for the core business objective, which is running aggressive marketing that would result in entry into international markets (Murtagh et al., 2016).
Conflicts between the two Sets of Goals
Undoubtedly, the two sets of goals are equally important to the organization’s wellbeing. However, concerns have repeatedly been raised regarding budgetary allocation and supremacy battles. Since achieving expansion success in the southern states, the company’s IT department has received a lot of attention from management, which put the department on a collision course with other departments in the company. However, all these misunderstandings were ably addressed through an internal reorganization that gave the strategic IT Department its own finance function to finance its capital-intensive ventures.
Information Technology Governance and Information Security Governance
Summary
Information Technology Governance generally concerns making IT investments in a company and managing the resulting investments well, earning a good return on investment by contributing significantly to the business objectives (Maras, 2015). On the other hand, information security governance refers to the responsibilities of the individuals mandated to ensure the IT information security agenda is carried out properly.
Similarities and Differences
The two are similar in the sense that both contribute to the final business objectives of the company. As for their differences, IT governance involves observing best practices and established frameworks to optimize the benefits of IT investments and support attainment of business goals, whereas Information Security Governance concerns policies and processes to maximize and leverage information while ensuring it is secure and meets legal and privacy requirements consistent with the company’s business objectives (Pol, 2016).
Regulatory Requirements
Organization-based Employee Regulatory Requirements
· Internal computer use policies
· Professional Dignity and Promotion of Professional Aims
· Competence, Ethics, and Impartiality
· Protection of Public Interest and Legal Compliance
· Responsibility to Employers and Clients
· Third party data protection policies.
References
Maras, M. H. (2015). Computer Forensics. Jones and Bartlett Learning.
Murtagh, M. J., Blell, M. T., Butters, O. W., Cowley, L., Dove, E. S., Goodman, A., … & Mangino, M. (2018). Better governance, better access: practicing responsible data sharing in the METADAC governance infrastructure. Human Genomics, 12(1), 24.
Pol, B. H. T. (2016). Information Governance Policy. Assessment.
Running head: IT GOVERNANCE POLICIES AND PROCEDURES 1
IT Governance Policies and Procedures
Name
Institution
Contents
IT Governance Policies and Procedures Manual Title Page
3
Business and IT Goals 4
Business Goals 4
IT Goals to Support the above Business Goals 5
Conflicts between the two Sets of Goals 5
Information Technology Governance and Information Security Governance 6
Summary 6
Similarities and Differences 6
Regulatory Requirements 6
Information security laws refer to the body of codes, legal rules, and standards that require one to protect information systems and information from all forms of unauthorized access.
In the current data-driven economy, it is essential to comply with information security laws and regulations. Failure to comply often leads to data breaches, which result in lost sales, financial losses, and leaks of clients’ private information (Stoneburner, Goguen, & Feringa, 2002). When these breaches occur, they are likely to drain individuals’ bank accounts, ruin lives, and sink businesses. In addition, information security laws and regulations are essential because they benefit companies through:
Improved Security: IT security laws and regulations enhance an organization’s security measures by stipulating baseline requirements. As a result, business data-security levels remain consistent with the respective organization’s requirements. Compliance with the baseline requirements facilitates protection of data, which improves security (Whitman & Mattord, 2013).
Reduced Losses: Information security laws and regulations improve security levels, which helps to reduce breaches that are costly to organizations. These costs include repair costs, legal fees, and lost sales, among others, and can be avoided by complying with IT security laws and regulations. The costs of replacing lost data and compromised information are an added cost to the organization.
Increased Control: Security laws and regulations provide an organization with increased control over employee mistakes, insider theft, and outside threats. The organization’s ability to stay updated on activities and undertakings in the company increases control, which promotes security.
Increased Trust: Data security increases customer confidence in the service provider. By promoting information control, security laws enable businesses to gain their customers’ trust with regard to their information. Improved trust means the business gains access to more business and promotions, and hence growth.
Interpret the impacts of information security laws and regulations on your information security program.
An efficient information security program at PMG will facilitate the integrity, confidentiality, and availability of customer information and the company’s essential data. Considering the increasing number of security incidents and breaches, it is crucial to comply with information security laws and regulations. This is important because fundamental concepts of an information security program, such as privacy, integrity, confidentiality, authentication, and availability, depend on the development, design, and implementation of technological processes and solutions, which are the primary pillars of security laws and regulations. This means that IT security laws and rules facilitate compliance with the fundamental concepts of the information security program. Also, IT security laws and regulations will promote voluntary compliance with the requirements of the information security program, such as the establishment of security benchmarks and compliance with and execution of those benchmarks.
List and describe the information security risks with attention to the organizational, governmental, and regulatory requirements that your organization may face.
Organizational Requirements
Today, many organizations depend on uninterrupted connectivity, which predisposes them to attacks on their internet infrastructure. Many organizations lack backups for information utilities because of their over-dependence on the internet. As a result, these organizations are vulnerable to external threats against the company’s infrastructure, devices, and employees. Other organizations often neglect the importance of configuring various security settings properly.
Regulatory Frameworks
While regulatory frameworks are intended to increase security, lack of encryption often facilitates attacks by external threats. This exposes sensitive data to attacks both in transit and at rest. Besides, regulatory requirements are expensive, lengthy, and can be tiresome, causing organizations to evade them and thereby exposing themselves to security breaches.
Governmental Requirements
Government regulations may cause information to lose credibility, privacy, and confidentiality through unauthorized access. The government may be granted legal access in the event of suspicious dealings and fraudulent business. Instead of infringing on personal privacy, the government should improve security practices and restrict public disclosure of cybersecurity information and sensitive personal information. It should also provide funding to support cybersecurity initiatives and programs and promote activities that facilitate information security, such as training, workforce development, and economic development.
Prepare Policies and Procedures to Address the Risks.
PMG Company should understand the extent of its reliance on the internet in order to address the risk of attacks that occur on a frequent basis. The company should also engage with internal and external stakeholders and regional bodies such as the government and regulatory bodies to create contingency plans in the event of a risk (Bulgurcu, Cavusoglu, & Benbasat, 2010). The company should also align the contingency plans of its communications providers with its organizational plans so that existing plans are covered.
Define the baseline controls that will be used to measure the effectiveness of your strategy and describe how these data will be collected and used for auditing and improvement purposes.
The company aims to reduce data redundancies in order to improve efficiency through proper database normalization, making the best use of available storage. Redundancy can be controlled through proper use of foreign keys. The company also aims to eliminate repeating groups in individual tables and to identify each set of data with its own primary key. The company shall also create a separate table for each related set of data to avoid data duplication. Data for this activity will be collected by tracking the available data for improvement and auditing purposes.
The Open Shortest Path First (OSPF) and Enhanced Interior Gateway Routing Protocol (EIGRP) strategy is intended to promote efficiency by reducing the cost of network maintenance by half. To measure the effectiveness and performance of this strategy, the company will analyze expenditure for the second fiscal quarter to show whether company costs have halved by the end of that quarter (Whitman & Mattord, 2013). Data to analyze this strategy will be obtained by cataloguing the various types of routers, networks, routes, areas, and protocols used in the OSPF deployment.
References
Bulgurcu, B., Cavusoglu, H., & Benbasat, I. (2010). Information security policy compliance: an empirical study of rationality-based beliefs and information security awareness. MIS Quarterly, 34(3), 523-548.
D’Arcy, J., Hovav, A., & Galletta, D. (2009). User awareness of security countermeasures and its impact on information systems misuse: A deterrence approach. Information Systems Research, 20(1), 79-98.
Maras, M. H. (2015). Computer Forensics. Jones and Bartlett Learning.
Stoneburner, G., Goguen, A., & Feringa, A. (2002). Risk management guide for information technology systems. NIST Special Publication 800-30.
Whitman, M., & Mattord, H. (2013). Management of information security. Nelson Education.