Governance, Risk & Compliance Advisory Blog

Insights on best practices related to IT Audit & Compliance

Measuring IT Security Effectiveness

May 29, 2010 16:44 by author nirav

In business and accounting, information technology controls (or IT controls) are specific activities performed by persons or systems and designed to ensure that business objectives are met. A good information security system should be implemented by subject matter experts in information security: people who understand risk as well as the importance of using the right internal and external controls, controls that not only protect data but also contribute towards meeting organizational objectives. To be effective, the information security policy being implemented also needs solid management support. This is where the problem begins: many companies choose to set up an expensive information security system but don't always realize why or how they came to choose it in the first place.

So why should a company measure the information security policy it has implemented? A few industry pointers are listed below:

• To show ongoing improvement,
• To show compliance (with standards, contracts, SLAs, OLAs, etc.),
• To justify any future expenditure (new security software, training, people, etc.),
• To identify where implemented controls are not effective in meeting their objectives, and
• To provide confidence to senior management and stakeholders that implemented controls are effective.

While on the topic, organizations should also highlight to their stakeholders the various advantages of measuring the effectiveness of their security policies, which are:

• Proactive measurement tools can prevent problems arising at a later date (e.g. slow networks, denial of service, disk failures, etc.),
• Reduction of incidents,
• Staff motivation, and
• Visible evidence to auditors, and assurance to senior management.

Once organizations have defined the objective and realized that measuring the effectiveness of their security policies has advantages, the question arises: "What do I measure?"

Again, industry best practices suggest that you can break down the information security implementation into the following categories:

1. Management Controls:
These would typically include the security policy and procedures, IT policies, the corporate strategy for information security and awareness, business objectives, and management reviews.
2. Business Processes:
This would include conducting the actual risk assessment, the risk mitigation measures that will be implemented, the level of risk that is acceptable, and data retention and disposal measures.
3. Operational Controls:
This consists of the operational procedures for supporting the IT services being delivered. Hence processes like change, incident and availability management would be part of the operational controls.
4. Technical Controls:
These would typically consist of activities like firewall configuration, AV updates, patch management, content filtering, etc.

To measure the controls, organizations can also define KPIs for each control so that the controls can be mapped back to the organizational objectives.

Organizational security is often one of the first victims of a cost-cutting exercise. The most common logic is that although it costs money to implement an information security policy, the benefits are not very tangible, which makes it difficult to justify the cost incurred. However, organizations need to realize that the benefits of information security become visible only when a control fails, and when that happens the costs incurred may be too high. Hence the need to measure the controls implemented and present the benefits to all stakeholders. This helps them understand the many benefits that security brings to the business, and also helps them understand how they can leverage a well-implemented policy to drive the business and shape future organizational policies.



Key factors to consider for building up an effective IT Service organization

April 22, 2010 17:56 by author nirav

Providing IT services, once seen as a costly and tedious task requiring significant investment in time and resources, now finds favour as an aid to help organizations become more competitive, efficient and effective in today's global marketplace. Successful IT services help control, comply and align IT with business goals. This enables IT and the business to work in tandem as one cohesive unit, bringing value to the organization.

There are effectively three things IT service organizations have to master to succeed in delivering services to their business customers. These basic requirements are:

Stabilize the IT organization – One of the basic requirements of any IT service organization is a stable infrastructure. This means that the IT organization must know not only how to resolve issues but also how to prevent issues from happening in the first place. It involves building a Service Desk that acts as a single point of contact which business users can call when they are facing an issue or when they want something changed, so that when users want to get something done they know where to go.

Control the IT organization – The next step is to establish control over the physical infrastructure. This implies that the organization has successfully implemented Configuration, Change and Release Management: it knows what it has and can accurately design changes that achieve the desired outcome for the business with minimum risk and disruption to service.

Improve the IT organization – The next milestone for an IT service organization is to set up processes for continuous improvement. This does not mean just establishing service levels with vendors, since merely reporting on service levels does not mean that they have been delivered.

Once this is done, the organization has successfully deployed a framework that not only supports the IT needs of the business but does so cost-effectively while adding value to the business. It helps ensure the security, integrity and accuracy of information in IT systems, which is of paramount importance to all areas of business and industry.


Disclaimer

The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.

© Copyright 2010
