QA versus governance

I was taught by former colleagues in an IT quality function that Quality Assurance is (initially at least) about doing something consistently, meaning according to documented, stable procedures. Doing the thing well is a second stage, achieved through gradual/continuous improvement and feedback/learning loops embedded in the processes. Doing it excellently, exceeding customer expectations and gaining a valuable market advantage (brand value) is, in a competitive world, a never-ending quest.

If we apply the same basic principles to governance, the first step is to get a grip on your governance processes, then to improve them and finally to use excellent governance to achieve additional value - again an open-ended objective.

That sounds simple enough but there’s more to learn from the analogy between QA and governance. A ‘quality’ item is not just the Rolls Royce, a top-of-the-range expensive luxury car; it is also the Skoda, a bottom-of-the-range cheap utility car (which most Rolls Royce customers would sneer at), provided it is valued by its target customers. Quality, like beauty, is in the eye of the beholder. Skoda’s gradual ascent from its former lamentable position as the butt of many jokes to being a well-respected brand name today is proof of this assertion. Hats off to Skoda.

The analogy suggests that governance is not just a comprehensive, slick framework of tight management, process and system controls, it is also a looser system of controls in organizations that find this lower level appropriate to their needs. One size does not fit all. Shooting for the stars is not appropriate to all circumstances.

That line of reasoning is a strong argument in favor of ISO/IEC 27002’s oft-criticized style of recommending broadly rather than mandating specific information security controls. The standard aims to cater for bottom- as well as top-of-the-range organizations. ISO/IEC 27002-compliant organizations use systematic risk assessment firstly to focus on key control objectives, and then to identify appropriate controls from the shopping-lists in the standard (or indeed suitable alternatives not listed in ISO/IEC 27002). With systematic information security management processes and metrics in place (implying consistency), the scene is set for continuous security improvement and, in time, excellent information security management.

[This short discussion piece was developed from one of Gary’s occasional musings on the IT Governance forum, itself one of many communities of value to professionals working in IT governance, information security and related fields.]

Copyright © 2008 IsecT Ltd.