One Article Review

Home - The article:
Source NoticeBored
Identifier 413299
Publication date 2017-09-29 13:04:05 (viewed: 2017-09-29 13:04:05)
Title NBlog September 29 - strategic alignment
Text On the ISO27k Forum this morning, a member from a financial services company asked for some advice on aligning IT and Security with overall corporate/business strategies. He said, in part:

"Organizational level strategic plan, covering its core business, has been derived. And it includes what is expected from Technology and Security departments, i.e. to keep customers, shareholders happy and to provide safe and secure technology services. [I need] to prepare a strategic plan decoded from organization's strategy, specifically for Technology and Security department, with goals, objectives, principles etc. So for achieving this, my approach is to understand each business strategy and determine the possible ways that Technology and Security team can help it. Business strategy -> Technology strategy -> Security Strategy"

I strongly support the idea of explicitly linking 'our stuff' with corporate/business strategies (plus initiatives, projects and policies), but 'our stuff' is more than just technology security, or IT security, or cybersecurity, or data security ... I encourage everyone to refer to information risk, defined as 'risk pertaining to information', an all-encompassing term for what we are managing and doing. Especially in the strategic context, we should all be thinking beyond securing bits and bytes.

[The mere fact that they have a department, team or whatever named "Security" that he and presumably others consider a part of, if not very closely tied to, "Technology", strongly suggests a very IT-centric view in the organization. To me, there's the merest whiff of a governance issue there: treating this as 'IT's problem', with the emphasis on security (as in controls, restrictions and prohibitions, as much as protection and safety) is a common but, in my view, sadly misguided and outdated approach - a widespread cultural issue in fact.]

Identifying information risk aspects of the corporate strategies is a creative risk assessment activity.
In stark contrast to financial risks, information risks tend to be largely unstated, if not unrecognized, at that level but can generally be teased out from the assumptions (both explicit and implicit). For instance, if a business strategy talks about "Expanding into a new market", consider what that actually means and how it will be achieved, then examine each of those proposed activities f
Sent Yes


The article does not appear to have been picked up after its publication.


The article does not appear to repeat an earlier one.