"Oversight" is a widespread and generally-applicable type of control, almost universal in fact. It is hard to think of situations where it is not relevant in some form or other.
Oversight is a form of assurance that helps us answer three burning issues:
- Are we doing the right things? For example, overseeing our use and protection of assets (including information) will hopefully confirm that we are extracting the most value from them.
- Are we doing things right? There are lots of options and choices in business, different ways of going about things, so are we making the right decisions? Many reviews and audits explore the manner in which the business is run.
- Are we heading the right way? Whereas the previous questions concern the here and now, this one concerns our need to learn and improve in the future, to adapt and respond to ever-changing situations and where relevant exploit new opportunities.
While assurance is mostly about checking and confirming things, supervisory oversight also involves providing direction and guidance. A project manager, for instance, normally develops plans to achieve business objectives and ensures that the project team follows the plans, encouraging people to hit their targets. Oversight, then, is not entirely hands-off or observational.
The module is intended to:
- Introduce oversight, providing general context and background information;
- Inform workers generally about oversight in the sense of both neglectful omission and supervision, in the context of information risk and security;
- Describe and discuss the managerial, procedural and technical risks, issues, controls and approaches associated with oversight (e.g. management reviews and audits);
- Share good practices for oversight and supervision from fields such as financial management, health and safety, and corporate governance, applying them to information risk and security;
- Help everyone understand and appreciate the purpose and value of ‘checks and balances’, both for the organization as a whole and for those being overseen (e.g. spotting and resolving simple errors early, before they cause downstream impacts).
What about your learning objectives for this topic: what makes oversight and governance pertinent to your organisation? How is greater awareness expected to improve things? Conversely, what's the problem if ignorance continues unabated?
Information security awareness and training materials to update staff, management and specialists on "oversight", an important general-purpose control.