Showing posts from April, 2010

Cybersecurity sees everything

We should mean almost, digitally. With serious consideration to best practices, widely acceptable principles including those of directly and indirectly related applicable laws, if any, and for the sake of thoughtful and sensible transparency. Almost everything, in this case, is about, as nations and industries are already taking it as an initiative, protecting entities such as people, enterprises, assets and properties, including but not limited to information, which is the sole subject of information security specialists, but its reality is more complicated than arguing over which security can cover which area. Technology practitioners should appreciate it. Those who go beyond a few specializations could realize it and make an effective position paramount to a cybersecurity responsibility. And the size of that responsibility may mean breaking it up and delegating it to various roles, with those who are effective and prudent in their jobs.

The ingredients of good cyber security program

I am thinking, if an organization (or rather the world) is to create an effective cyber security initiative, it should have the majority, if not ALL, of the following: legislation and policy; law enforcement; in line with open and international standards; manpower; multi-stakeholderism; responsibility; global and common strategy; global cooperation; adequate funding; support and resources; carefully planned and designed infrastructure; education and training; innovation; development; fair business practices; clear-cut public exposure; goodwill.

The pre- and post-acquisition of ICT

The acquisition part makes great sense. It involves not only a single process. It can have varying activities before, during and after the delivery of the acquired material or solution. The processes may include sub-processes, and it gets down to having the pre-acquisition and post-acquisition. Underneath, the sub-processes may go through different stages, which start with careful planning, designing, et al. If you go to your finance department and ask for some money, more often than not you are asked for what purpose it is going to be used. It is typical. Come budget forecasting season, with the allocation of ICT stuff depending on its lifecycle, where there are some that need to be replaced and upgraded, everything that is perceived to be necessary and important to operate a peaceable ICT environment must be diligently allocated a reasonable amount. The figure is a CALMS, just to show where pre- and post-acquisition are. Investing in ICT by all means is (can be more or less) ab...

Organization's stakeholder on the same page with ISO/IEC 38500

The key stakeholder in a publicly traded organization is the board of directors. They are charged, on behalf of the company and shareowners, to deliver and achieve corporate value. On top of anything is to take care of their money (see on CG of MS, NASDAQ, WB); it takes into account the overall resources; it also facilitates direction and oversees the organization's capability to achieve goals and comply with regulations. Management down the ranks does the rest, working on every detail from reporting to supporting business operations and future plans. The capability of any organization to attain the expected outcome depends on how both board and management ascertain the need in, for the purpose of the subject, take IT. Business people, unless former or current ICT practitioners, rarely know about the field, including the detailed part of it. Management has lots of experts though (from being a specialist in a certain IT task, analyst, up to managerial level) to rely on when necessary. Many high-lev...

SOX ACT 2002 Section 404 and ISO/IEC 38500

Sarbanes-Oxley Act 2002 is a U.S. law. The passage of the bill is to improve quality and transparency in financial reporting and independent audits and accounting services for public companies in the U.S., including companies that are non-U.S. but traded on any of the U.S. stock exchanges. SOX during its early days was perceived by many as not reasonable, in some unexpectedly high even to large publicly traded corporations. It creates even more burden for smaller reporting companies. With the incarnations being made by concerned regulatory organizations, in this instance the SEC and Public Company Accounting Oversight Board (PCAOB), the issues mentioned have been continuously addressed and the law has become more relevant for organizations to comply with (and even adapt in other cases) to make financial reporting accurate as well as reliable and secure information technology for internal control. Since the 2007 reforms, which refers to the release of the new PCAOB Accounting Sta...