Plenary Lecture

Methodologies and Standards for Information System Security Assurance

Professor Mario Spremic
Faculty of Economics and Business
University of Zagreb
CROATIA
E-mail: mspremic@efzg.hr

Abstract: Over the past decade, information system security issues have been treated mainly from a technology perspective. This paper goes a step further and considers them from the IT governance view, aligning them with risk management activities and stressing the need for a holistic approach in which executive management is involved. The main objective of the paper is to stress the importance of implementing information system security governance mechanisms, procedures and metrics. Metrics for information system security assurance are analysed, and the phases and processes of their regular reviews (audits) are explained in further detail. The standards and legislative activities that help in that sense are evaluated. Implementing industry best-practice standards and processes such as ISO 27000, PCI DSS and CobiT, combined with other IT-related solutions, can deliver substantial security risk reduction and reduce the business risks associated with information system security. The holistic model of treating information system security risks as business risks is explained and tested on multiple case studies.

Brief Biography of the Speaker: Mario Spremic, CGEIT, is a Full Professor and head of the Department of Informatics at the Faculty of Economics & Business, University of Zagreb, Croatia. He received a B.Sc. in Mathematical Sciences, an M.Sc. in IT Management and a Ph.D. in Economics and Business (IT Governance) from the University of Zagreb. He has published 10 books and more than 150 papers in scientific journals, books and conference proceedings, mainly in the areas of e-business, IT governance, IT risk management, IS strategy, IS security, IS control and audit, and IT value. He is also a visiting professor on various postgraduate programmes (University of Zagreb, University of Sarajevo, University of Ljubljana), teaching the courses IT Governance, e-Business, Information Systems Strategy and Information System Control and Audit. He is program director and co-founder of the ‘FBA-CIO Academy’, a regional executive development program in the field of IT Governance and Business/IT Alignment (www.efzg.hr/cio), and academic director of the Bachelor Degree in Business study, an EPAS-accredited 4-year study program taught in English (www.efzg.hr/bdib).
Mario is an associate editor and a member of boards and committees for a number of international scientific journals, and a program committee member and/or reviewer for a wide range of international conferences (WSEAS, etc.; full list available at www.efzg.hr/mspremic). He is an ISACA and IIA member and holds ISACA’s CGEIT international certificate (Certified in the Governance of Enterprise IT).
Mario has also acted as a consultant for a number of companies, mainly in the areas of IS strategy, IT governance and risk compliance, business process change, IS control and IS audit, with experience in implementing various IT projects and conducting a wide range of information system audit projects. As a qualified information system auditor and consultant he has participated in a number of regulatory-based IS audits and advisory projects and, besides his scientific work, has gained in-depth expert knowledge of commonly used standards such as CobiT, ISO 27001, PCI DSS, Basel II, SoX, ITIL, etc. Previously he worked as a system analyst, project manager and deputy CIO.