Mark Whittington

Compliance with standards, assurance and audit: does this equal security?

Managing information security is a challenge. Traditional checklist approaches to meeting standards may well provide compliance, but do not guarantee to provide security assurance. The same might be said for audit. The complexity of IT relationships must be acknowledged and explicitly managed by recognising the implications of the self-interest of each party involved. We show how tensions between these parties can lead to a misalignment of the goals of security and what needs to be done to ensure this does not happen.

Developing a Conceptual Framework for Cloud Security Assurance

Managing information security in the cloud is a challenge. Traditional checklist approaches to standards compliance may well provide compliance, but do not guarantee to provide security assurance. The complexity of cloud relationships must be acknowledged and explicitly managed by recognising the implications of self-interest of each party involved. We begin development of a conceptual modelling framework for cloud security assurance that can be used as a starting point for effective continuous security assurance, together with a high level of compliance.

Reflecting on Whether Checklists Can Tick the Box for Cloud Security

All Cloud computing standards are dependent upon checklist methodology to implement and then audit the alignment of a company or an operation with the standards that have been set. An investigation of the use of checklists in other academic areas has shown there to be significant weaknesses in the checklist solution to both implementation and audit, these weaknesses will only be exacerbated by the fast-changing and developing nature of clouds. We examine the problems that are inherent with using checklists and seek to identify some mitigating strategies that might be adopted to improve their efficacy.

The Customer Is King. Enthroned or In Exile? An Analysis of the Level of Customer Focus in Leading Management Accounting Textbooks

In response to fierce criticism of irrelevancy and the need to adapt management accounting (MA) to fully support modern managerial priorities, there is a growing body of MA literature seeking to address the perceived weakness of customer-focused techniques and measures. This paper investigates the impact of this literature on mainstream MA textbooks and, by extension, teaching. The customer-focused content and, in particular, coverage of customer profitability analysis (CPA), is found to be relatively low in quantity and diverse in relation to the choice of techniques being discussed. No generally-accepted way of approaching this area is revealed, perhaps because it is so contingent on circumstances, and it seems that CPA is not yet part of mainstream MA. In the area of customer focus at least, there remain questions over the relevance of mainstream textbooks, teaching and, by further extension, the day-to-day practice of MA.

The Importance of Proper Measurement for a Cloud Security Assurance Model

Defining proper measures for evaluating the effectiveness of an assurance model, which we have developed to ensure cloud security, is vital to ensure the successful implementation and continued running of the model. We need to understand that with security being such an essential component of business processes, responsibility must lie with the board. The board must be responsible for defining their security posture on all aspects of the model, and therefore must also be responsible for defining what the necessary measures should be. Without measurement, there can be no control. However, it will also be necessary to properly engage with cloud service providers to achieve a more meaningful degree of security for the cloud user.

Information Security in the Cloud: Should We be Using a Different Approach?

Since the inception of cloud computing, security researchers have been active in addressing the question of cloud information security, which has seen the development of a wide range of technical solutions. The same can be said for non-cloud information security research which has been active for a far longer period of time. Yet, year on year, security breaches continue to increase, both in volume and in value. The business architecture of a company comprises people, process and technology. Is it not time to consider a different approach?

Financial statement analysis and accounting policy choice: What history can teach us

The choice of accounting policies by a company has implications for the market’s understanding of corporate performance. Whilst the critical areas of choice may change over time with new developments and changes in standards, the underlying issue remains relevant. This paper examines the effect of accounting techniques upon the relationship between accounting variables and UK share prices.

Could the Outsourcing of Incident Response Management Provide a Blueprint for Managing Other Cloud Security Requirements

In this chapter, we consider whether the outsourcing of incident management is a viable technological approach that may be transferable to other cloud security management requirements. We review a viable approach to outsourcing incident response management and consider whether this can be applied to other cloud security approaches, starting with the concept of using proper measurement for a cloud security assurance model. We demonstrate how this approach can be applied, not only to the approach under review, but how it may be applied to address other cloud security requirements.