
    Enterprise information security policy assessment - an extended framework for metrics development utilising the goal-question-metric approach

    Effective enterprise information security policy management requires review and assessment activities to ensure information security policies are aligned with business goals and objectives. As security policy management involves the elements of policy development process and the security policy as output, the context for security policy assessment requires goal-based metrics for these two elements. However, the current security management assessment methods only provide checklist types of assessment that are predefined by industry best practices and do not allow for developing specific goal-based metrics. Utilizing theories drawn from literature, this paper proposes the Enterprise Information Security Policy Assessment approach that expands on the Goal-Question-Metric (GQM) approach. The proposed assessment approach is then applied in a case scenario example to illustrate a practical application. It is shown that the proposed framework addresses the requirement for developing assessment metrics and allows for the concurrent undertaking of process-based and product-based assessment. Recommendations for further research activities include the conduct of empirical research to validate the propositions and the practical application of the proposed assessment approach in case studies to provide opportunities to introduce further enhancements to the approach.

    Design Challenges for GDPR RegTech

    The Accountability Principle of the GDPR requires that an organisation can demonstrate compliance with the regulations. A survey of GDPR compliance software solutions shows significant gaps in their ability to demonstrate compliance. In contrast, RegTech has recently brought great success to financial compliance, resulting in reduced risk, cost saving and enhanced financial regulatory compliance. It is shown that many GDPR solutions lack interoperability features such as standard APIs, meta-data or reports, and they are not supported by published methodologies or evidence to support their validity or even utility. A proof of concept prototype was explored using a regulator-based self-assessment checklist to establish if RegTech best practice could improve the demonstration of GDPR compliance. The application of a RegTech approach provides opportunities for demonstrable and validated GDPR compliance, notwithstanding the risk reductions and cost savings that RegTech can deliver. This paper demonstrates that a RegTech approach to GDPR compliance can facilitate an organisation meeting its accountability obligations.

    The consolidation process of the EU regulatory framework on nanotechnologies: within and beyond the EU case-by-case approach

    The field of nanotechnologies has been the subject of a process of wide-ranging regulation, which covers two different trends. From the 2000s the European Commission and Parliament agreed on a type of adaptive, experimental and flexible approach, which had its apex with the Commission code of conduct on responsible nano-research developed through a set of consultations. In 2009 this initial agreement subsequently broke down and the EU started to develop a set of regulatory initiatives of a sectoral nature in several fields (cosmetics, food, biocides). Thus, the current arrangement of governance in the field of nanotechnologies appears to be a hybrid, which mixes forms belonging to the new governance method (consultations, self-regulation, agency, comitology committees, networking), working like a lung in the framework of EU policy, with more traditional tools belonging to the classic governance method (regulations, directives). This model of governance based on a case-by-case approach runs the risk of lacking coherence since it is exposed to sudden changes of direction when risks emerge and it has a weak anticipatory dimension due to both its excessive dependency on data collection and its insufficient use of upstream criteria, such as human rights, which should be used earlier, to allow anticipated intervention with a less intense use of hard law solutions.

    Limits and opportunities of risk analysis application in railway systems

    Risk Analysis is a collection of methods widely used in many industrial sectors. In the transport sector it has been particularly used for air transport applications. The reasons for this wide use are well known: risk analysis allows one to approach the safety theme in a stochastic, rather than deterministic, way; it forces one to break down the system into sub-components; and, last but not least, it allows a comparison between solutions with different costs, introducing de facto an element of economic feasibility of the project alternatives in the safety field. Apart from the United Kingdom, in Europe the application of this tool in the railway sector is relatively recent. In particular, Directive 2004/49/EC (the "railway safety directive") provides for compulsory risk assessment in relation to the activities of railway Infrastructure Managers (IMs) and of Railway Undertakings (RUs). Nevertheless, the peculiarity of the railway system, in which human, procedural, environmental and technological components have a continuous interchange and in which human responsibilities and technological functions often overlap, induced the EC to allow wide margins of subjectivity in the interpretation of risk assessment. When enacting Commission Regulation (EC) No 352/2009, which further regulates this subject, a risk assessment is considered positive also if the IM or RU declares that it takes safety measures widely used in normal practice. The paper shows the results of a structured comparative analysis of the rail sector and other industrial sectors, which illustrate the difficulties, but also the opportunities, of a transfer towards the railway system of the risk analysis methods currently in use for the other systems.

    Indicators for management of coral reefs and their applications to marine protected areas

    Informed planning and decision-making in the management of natural resources requires an ability to integrate complex interactions in ecosystems and communicate these effectively to stakeholders. This involves coping with three fundamental dilemmas. The first comes from the irregular pulse of nature. The second is the recognition that there are no strictly objective criteria for judging the well-being of an ecosystem. The third is posed by the quest for indicators with some integrative properties that may be used to analyze an ecosystem and impart the information to the relevant resource users. This paper presents some examples of indicators used to: 1) assess the status of a coral reef and, in particular, the state of its fisheries resources; 2) identify reefs that are most threatened by human activities; and 3) evaluate the likelihood of success of management interventions. These indicators are not exhaustive, but illustrate the range of options available for the management of coral reef ecosystems.

    Business Process Risk Management, Compliance and Internal Control: A Research Agenda

    Integration of risk management and management control is emerging as an important area in the wake of the Sarbanes-Oxley Act and with ongoing development of frameworks such as the Enterprise Risk Management (ERM) framework from the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Based on an inductive methodological approach using literature review and interviews with managers engaged in risk management and internal control projects, this paper identifies three main areas that currently have management attention. These are business process risk management, compliance management and internal control development. This paper discusses these areas and identifies a series of research questions regarding these critical issues.
    Keywords: Risk management; Internal control; Business processes; Compliance; Sarbanes-Oxley Act; ERP systems; COSO; COBIT

    The Role of Boards in Reviewing Information Technology Governance (ITG) as Part of Organizational Control Environment Assessments

    IT Governance (ITG) is an important topic as US companies must now monitor ITG under the provisions of the Sarbanes-Oxley Act (2002) (Hoffmann, 2003). Trites (2003) indicates that directors are responsible for strategic planning, internal control structures and business risk. The control environment is defined in Australian Auditing Standard AUS 402 to mean "the overall attitude, awareness and actions of management regarding internal control and its importance to the entity". This paper contributes to the knowledge of ITG by forming an Integrated ITG Literature (IIL) which links prior research to four key dimensions of ITG. The paper presents a review of literature on ITG performance measurement systems which assess the ability of organizations to achieve these four ITG dimensions. A revised ITG Dimensions Model is offered for consideration. The final contribution of the paper is to propose critical issues Boards should consider as part of their assessment of organizational control environments.

    Developing the Welfare-to-Work Participation and Employability Appraisal Screening: A Retrospective Study

    CalWORKs recipients, unless exempt, are required to participate in welfare-to-work (WTW) program activities as a condition of receiving cash aid. A number of clients, however, may have issues that impede successful engagement in WTW program activities, such as substance abuse, mental health concerns, or domestic violence issues. The Riverside County (California) Department of Mental Health (RCDMH) and the Department of Public Social Services (DPSS) sought to develop a structured case management system to help ensure early identification of WTW customers with barriers to employment and, if necessary, to help facilitate quicker engagement in services to address those barriers and move customers into successful employment. A key component of the structured case management system is an actuarial appraisal screening to help identify those customers most in need of support to make a successful transition to self-sufficiency. This report describes the study conducted by Children's Research Center (CRC) to develop an appraisal screening that classifies customers by the likelihood of subsequent WTW program participation and employment. Employment counselors can complete the screening assessment soon after WTW assignment to help identify which customers are in greatest need of additional support and engagement to increase the likelihood of successful program participation.

    A commentary on recent water safety initiatives in the context of water utility risk management.

    Over the last decade, suppliers of drinking water have recognised the limitations of relying solely on end-product monitoring to ensure safe water quality and have sought to reinforce their approach by adopting preventative strategies where risks are proactively identified, assessed and managed. This is leading to the development of water safety plans: structured 'route maps' for managing risks to water supply, from catchment to consumer taps. This paper reviews the Hazard Analysis and Critical Control Point (HACCP) procedure on which many water safety plans are based and considers its appropriateness in the context of drinking water risk management. We examine water safety plans in a broad context, looking at a variety of monitoring, optimisation and risk management initiatives that can be taken to improve drinking water safety. These are cross-compared using a simple framework that facilitates an integrated approach to water safety. Finally, we look at how risk management practices are being integrated across water companies and how this is likely to affect the future development of water safety p