Corporate Governance

Over the last five years the regulation of IT security has increased markedly, with legislative, regulatory, co-regulatory and self-regulatory bodies taking an increasing interest.

SIFT understands that in a complex regulatory environment, compliance may not be sufficient to achieve the necessary level of security in design, and may in fact increase the cost and risk of developing a system.

Significant difficulties exist in attempting to measure compliance with many of the legislative, co-regulatory and self-regulatory requirements currently in place for Australian industry. This difficulty in turn has driven organisations to utilise “negative assurance” as opposed to “positive assurance”, with a significant loss of confidence in the outcome of such assessments.

SIFT works with our clients to develop Information Risk Management and IT Security Governance Frameworks, including the development of metrics for accurately “measuring” ongoing progress towards a Risk Management or Security target, and for providing consistency in assessment across project boundaries.

Having been involved in the development of the Standards Australia IT Governance standard, and with experienced risk, audit, and security professionals, SIFT have experience both in designing frameworks for, and auditing against, standards including:

• AS 8015-2005: Corporate Governance of Information and Communication Technology
  
• ISO 17799-2001: Information Technology – Code of Practice for Information Security Management
  
• Privacy Act 1988 (including private sector amendments)
  
• APRA Prudential Standards (including Prudential Standard APS 310; Guidance Note GGN 220.5; Prudential Standard APS 231)
  
• Telecommunications Act 1997 and Telecommunications (Interception) Act 1979
  
• Sarbanes-Oxley Act
  
• Many others