Project: Analytical Papers

Original, hype-free guidance on pressing information governance, risk management, and compliance issues. Written by and for T2P community members, these resources offer critical insight and hard-learned lessons from practicing technologists, auditors, and business leaders.


Change Management

A Practical Framework for Reducing Infrastructure Failures and Disruptions

Author: Frank A. LeFavi

This paper proposes a framework for a sound, effective, and efficient change management practice. Written for IT managers, internal auditors, and other professionals with enterprise risk management responsibilities, the paper offers experience-based, practical guidance on structuring a change management program, defining and prioritizing change requests, how to reduce risk in emergency and exceptional changes, and more.

T2P Member resource. Please join T2P (and/or log in) to download this paper.

Mitigating Risk in IT Outsourcing

A Practical Framework for Success and Control in Externalized IT Services

Author: Frank A. LeFavi

Cost reduction is a key factor in many executive decisions to outsource IT functions. Many outsourcing efforts fall short of these expectations, however: operating costs increase, while operational and customer service levels fall. Reducing risk in IT outsourcing requires a proactive approach grounded in comprehensive knowledge of both the internal environment and the service supplier. This paper provides a practical framework for improving project success and control in externalized IT services.

T2P Member resource. Please join T2P (and/or log in) to download this paper.

PCI: Requirements to Action

Practical Guidance on More Efficient, Effective Payment Card Security Compliance

Author: Benjamin Tomhave

The PCI Data Security Standard (PCI DSS) can represent an effective baseline for enterprise information security. The greater challenge, however, is making PCI compliance an integral and efficient part of enterprise security programs. This in-depth paper combines high-level analysis with control-level pointers to help compliance and IT managers demystify the PCI DSS and align it with broad risk- and security-management practices.

T2P Member resource. Please join T2P (and/or log in) to download this paper.

10 High-Impact Steps to Harden Commerce Systems

A Practical Framework for Success and Control in Externalized IT Services

Author: Benjamin Tomhave

While your ultimate goal might be to secure all system components all of the time, there may come a day when you encounter a high-stress situation that begs the question, "What can I do right now to secure critical information?" This paper addresses the question with specific recommendations for quick-launch, high-impact steps to reduce information risk.

T2P Member resource. Please join T2P (and/or log in) to download this paper.