Information Security Management Remains Chief Concern
Information Security Management is expected to continue to have a powerful influence over business in 2007, according to the 18th Annual Top Technology Initiatives survey of the American Institute of Certified Public Accountants (AICPA). For the fifth consecutive year, the survey identified Information Security as the technology initiative expected to have the greatest effect in the upcoming year.
A related initiative, Identity and Access Management, jumped from sixth place in 2006 to second in 2007. Privacy Management also nudged its way up from fifth to fourth place, while four new initiatives made their debut in this year’s top 10: Securing and Controlling Information Distribution; Mobile and Remote Computing; Electronic Archiving and Data Retention; and Document, Content and Knowledge Management.
“This top technology survey provides the CPA’s unique perspective regarding the impact of technology on financial management and the fulfillment of other fiduciary responsibilities, such as the safeguarding of business assets, oversight of business performance and compliance with regulatory requirements,” said Barry Melancon, CPA, President and CEO of the AICPA. “We sponsor this survey each year because we believe that it is critical for CPAs to stay abreast of the latest technology initiatives and provide guidance regarding its impact to their clients and employers.”
In addition to its Certified Information Technology Professional (CITP) Credential holders and IT Section members, the AICPA collaborated with the Information Technology Alliance (ITA) and ISACA as their members share similar perspectives on the top technologies impacting business today. The survey was conducted in December 2006 under the supervision of a task force led by David Cieslak, CPA, CITP, GSEC, Chairman of the AICPA’s Information Technology Executive Committee. More than 1,500 participants ranked the 30 technology initiatives they felt will have the most significant impact in the next 12 to 18 months.
“Organizations continue to make large-scale IT-related investments and, while the rewards can be significant, the potential for financial loss or harm to reputation due to a security problem is a growing concern,” said Everett C. Johnson, CPA, International President of ISACA. “Businesses are realizing that control and value are achieved by focusing on what IT enables the business to achieve, rather than on the technology itself. As the survey indicates, there is a clear need for management, auditors, and IT professionals to ensure that the appropriate security and governance processes are in place.”
“Each year the members of the ITA look forward to working with the AICPA and ISACA to compile this very important list,” said Ron Eagle, ITA President. “With the different facets and the rapid pace of change in IT today, it is critical to identify what others see as the key issues that may impact you, your clients and employer. The Top Technology Initiative survey meets that need perfectly.”
The 10 most important technology initiatives for 2007, along with their definitions, are as follows:
1. Information Security Management: A systematic approach to encompassing people, processes and IT systems that safeguards critical systems and information, protecting them from internal and external threats. Incorporates the preservation of confidentiality (information is not available or disclosed to unauthorized individuals, entities, or processes), integrity (safeguarding the accuracy and completeness of key data) and availability (systems and data are accessible and usable upon demand by an authorized entity) of information. Other properties such as authenticity, accountability, non-repudiation and reliability may also be involved.
2. Identity and Access Management: Identity and access management consists of the hardware, software and processes used to authenticate a user’s identity, i.e. ensure users are who they say they are; then provide users with appropriate access to systems and data based pre-established rights and privileges. Identity management may utilize one, two or three factor authentication and include passwords, tokens, digital certificates (for web sites and e-mail systems), Public Key Infrastructure (PKI), biometrics and other emerging technologies.
3. Conforming to Assurance and Compliance Standards: Creating formalized strategies and systems to address organizational goals and statutory requirements. These strategies and systems may include collaboration and compliance tools to monitor, document, assess, test and report on compliance with specified controls. It encompasses risk assessment standards, risk management and continuous auditing/continuous monitoring.
4. Privacy Management: The rights and obligations of individuals and organizations with respect to the collection, use, disclosure and retention of personal information. As more information and processes are converted to a digital format, this information must be protected from unauthorized users and from unauthorized usage by those with access to the data, including complying with local, state, national and international laws, and the convergence of security and privacy.
5. Disaster Recovery Planning (DRP) and Business Continuity Management (BCM): A holistic management process that identifies potential threats to an organization and the impact those threats may have on business operations. Resources can include IT equipment, data records, the physical space of an organization, and personnel. Threats to these resources may include theft, virus infestation, weather damage, accidents or other malicious destruction. A well defined, documented, and communicated plan can help provide structure and stability in the event of a business interruption or catastrophe greatly improving the chance of business survival.
6. IT Governance: A structure of relationships and processes that direct and control an organization and help it achieve its goals by adding value while balancing risk versus return over IT and its processes. Includes IT ROI, or the decisions around technology investments and how to optimize related returns.
7. Securing and Controlling Information Distribution (new): Protecting and controlling the distribution of digital data, i.e. enabling secure distribution and/or preventing illegal distribution and access to protected information. Example: a document distribution strategy controlled by a Digital Rights Management (DRM) server that prevents an encrypted document from being opened by anyone other than the intended recipient.
8. Mobile and Remote Computing (new): Technologies that enable users to securely connect to key resources anywhere, anytime regardless of physical location. Enabling technologies include tablet PCs; PDAs; and wireless technologies such as Bluetooth, WiFi and WiMax.
9. Electronic Archiving and Data Retention (new): Technologies that enable appropriate archiving and retrieval of key information over a given (statutory) period of time with improved efficiency and access to the information. This includes policies and processes to ensure destruction of information from storage and archival media in a timely and consistent manner. Information includes traditional data as well as telephony, IM traffic, and other emerging forms of collaboration. Storage and backup technologies, including Direct Attached Storage (DAS), Network Attached Storage (NAS) and Storage Area Networks (SANs), and optical devices such as DVDs, CDs, and Blu-Ray help support the archiving and retrieval process.
10. Document, Content and Knowledge Management (new): The process of capturing, indexing, storing, retrieving, searching and managing information electronically, including database management of PDFs and other formats. Knowledge management then brings structure and control to this information, allowing organizations to harness the intellectual capital contained in the underlying data. This is sometimes referred to as the “paperless” office even though “less-paper” or digital office may be a more accurate term.
For more information on the list, visit www.aicpa.org/infotech.