The document discusses information governance and information security. It defines information as an important business asset that needs protection, and distinguishes internal, customer and outsourced information. IT governance is the process of making decisions about IT and monitoring IT performance. Information security protects the availability, privacy/confidentiality and integrity of information using controls such as access control, security policies and asset management. Information security aims to achieve the 4 Ps of security: preventative, protective, corrective and detective measures. Risk is highest during the conception and development phases of a project, while the impact of risk is highest during execution and finishing.
2. Information
According to ISO 27001:2005, information is defined as:
“An asset that, like other important business assets, is essential to an organization’s business and consequently needs to be suitably protected.”
Information Governance 2
3. Types of Information
Printed or written on paper
Stored electronically
Transmitted by post or using electronic means
Shown on corporate videos
Verbal (e.g., spoken in conversations)
4. Types of Information
Internal: information that you would not want your competitors to know
Customer or Client: information that customers would not wish you to divulge
Outsourced: information that needs to be shared with other trading partners
5. What is “IT Governance”?
IT governance is the process of making decisions about IT and monitoring IT performance.
6. The Eleven Control Clauses
[Diagram: the eleven control clauses arranged around a central “Organizational Structure / Management” block]
Security Policy
Organizational Information Security
Asset Management
Access Control
Compliance
Human Resource Security
Business Continuity Management
Systems Development and Maintenance
Communications and Operations Management
Physical & Environmental Security
Information Security Incident Management
9. IT Governance Maturity Benchmark
[Diagram: maturity scale from Level 0 (Non-existent) through Level 5 (Optimized)]
Level 0 – Non-existent – Management processes are not applied at all
Level 1 – Initial/Ad Hoc – Processes are ad hoc and inconsistent
Level 2 – Repeatable – Processes follow a regular pattern
Level 3 – Defined – Processes are documented and communicated
Level 4 – Managed – Processes are monitored and measured
Level 5 – Optimized – Good practices are followed and automated
10. What is Information Security?
Information security is the process of protecting information. It protects its availability, privacy/confidentiality and integrity.
13. Eleven Main Security Categories
[Diagram: the eleven security categories arranged around an Integrity / Confidentiality / Availability triangle labelled “Information”]
Security policy
Organization of information security
Asset management
HR security
Physical and environmental security
Communications and operations management
Access control
Information systems development & maintenance
Information security incident management
Business continuity management
Compliance
14. Risk versus Amount at Stake
[Chart: risk versus amount at stake over the total project life cycle; x-axis: TIME, left y-axis: INCREASING RISK, right y-axis: $ VALUE]
Phase 1 – Conceive (Plan)
Phase 2 – Develop (Plan)
Phase 3 – Execute (Accomplish)
Phase 4 – Finish (Accomplish)
Phases 1–2: period when highest risks are incurred
Phases 3–4: period of highest risk impact