Develop an IT governance strategy for an organization.

at
Categories
Tags

 

 

Organizations that you work for will often apply an IT governance framework such as COBIT or ISO 27001, or one of the others that are available. These frameworks provide guidelines for IT governance in the organization and offer guidelines for building a governance system. In this unit, you will apply the ISO 27001 Information Security Management System (ISMS) framework to begin outlining a governance strategy for an organization.

Select an organization that you would like to develop an IT governance strategy for, using ISO 27001, Information Security Management System (ISMS). You can find ISMS on the Internet or in this unit’s reading. The organization should be one you are familiar with from having worked there.

In your paper, include the following:

Define and discuss the ISO 27001 Information Security Management System in terms of the Deming Cycle of continuous improvement of Plan-Do-Check-Act (PDCA)
Brief description of the organization and type of business engaged in.
High-level information security policy that defines management’s overall objective for information security as it relates to business requirements and relevant laws and regulations.
Information security direction for the organization
Information security objectives for the organization
Information on how the organization will meet contractual, legal, and regulatory requirements
A statement of commitment to continuous improvement of the ISMS.
High-level risk assessment (for purposes of this paper, discuss the top 3–4 risks only)
Define a risk management framework that will be used
Identify risks and describe the risk
Analyze and evaluate the risks in terms of severity and impact
Statement of Applicability

 

Sample Solution

IT Governance Strategy for a Local Library using ISO 27001

Organization: Sunnyvale Public Library (SPL)

Industry: Public Library

ISO 27001 and the Deming Cycle (PDCA):

The ISO 27001 Information Security Management System (ISMS) aligns with the Deming Cycle (Plan-Do-Check-Act) for continuous improvement. Here’s a breakdown:

  • Plan: Define the ISMS scope, information security policy, objectives, and risk management plan (this paper).
  • Do: Implement controls to address identified risks (e.g., staff training, data encryption).
  • Check: Monitor and measure the effectiveness of the ISMS through audits and reviews.
  • Act: Continuously improve the ISMS based on findings from monitoring and changes in the threat landscape.

High-Level Information Security Policy:

The Sunnyvale Public Library (SPL) is committed to protecting the confidentiality, integrity, and availability of its information assets, including patron data, library resources, and staff information. We will comply with all relevant laws and regulations regarding data privacy and security. We achieve this through a comprehensive ISMS that identifies risks, implements controls, and promotes a culture of security awareness among staff.

Information Security Direction:

  • Implement a risk-based approach to information security, prioritizing the protection of our most critical assets.
  • Continuously improve the ISMS through regular reviews and updates.
  • Foster a culture of information security awareness among staff through training and communication.
  • Maintain compliance with all relevant legal and regulatory requirements.

Information Security Objectives:

  • Achieve a 98% success rate in preventing unauthorized access to patron and staff data.
  • Ensure 99.5% uptime for library online resources (catalog, databases).
  • Train 100% of library staff on information security policies and procedures annually.

Meeting Legal and Regulatory Requirements:

SPL will comply with all applicable federal and state laws regarding data privacy and security, such as the Family Educational Rights and Privacy Act (FERPA) and the California Consumer Privacy Act (CCPA). We will also adhere to industry best practices for information security management.

Commitment to Continuous Improvement:

SPL is committed to continuously improving the effectiveness of its ISMS. We will conduct regular reviews of our information security policies, procedures, and risk assessments to ensure they remain aligned with evolving threats and business needs.

High-Level Risk Assessment (Top 3 Risks):

  1. Cybersecurity Attack: A data breach could compromise patron data (e.g., names, addresses) or library resources (e.g., digital collections).
  2. Human Error: Accidental data loss or misuse by staff could compromise information security.
  3. Physical Security Breach: Unauthorized access to library facilities could lead to theft of equipment or data loss.

Risk Management Framework:

SPL will adopt the NIST Cybersecurity Framework (CSF) to identify, assess, prioritize, address, and monitor information security risks.

Risk Analysis and Evaluation:

  • Cybersecurity Attack: Severity (High) – Could result in significant financial loss, reputational damage, and legal repercussions. Impact (High) – Affects confidentiality, integrity, and availability of information.
  • Human Error: Severity (Medium) – Could result in data loss or disruption of library services. Impact (Medium) – Varies depending on the nature of the error.
  • Physical Security Breach: Severity (Medium) – Could result in theft of equipment or data loss. Impact (Medium) – Varies depending on the information accessed.

Statement of Applicability:

This ISMS policy applies to all staff, volunteers, and contractors who access or handle library information assets.

This is a high-level overview of an IT governance strategy for SPL using ISO 27001. A full implementation would involve a more detailed risk assessment, identification of specific controls, and documented procedures.

This question has been answered.

Get Answer