IT Governance
Information Security
Governance
Acknowledgments
Material is sourced from:
 CISA® Review Manual 2009, © 2008, ISACA. All rights reserved.
Used by permission.
 CISM® Review Manual 2009, © 2008, ISACA. All rights reserved.
Used by permission.
Author: Susan J Lincke, PhD
Univ. of Wisconsin-Parkside
Reviewers/Contributors: Todd Burri

Funded by National Science Foundation (NSF) Course, Curriculum and
Laboratory Improvement (CCLI) grant 0837574: Information
Security: Audit, Case Study, and Service Learning.
Any opinions, findings, and conclusions or recommendations
expressed in this material are those of the author(s) and/or
source(s) and do not necessarily reflect the views of the National
Science Foundation.
Corporate Governance
Corporate Governance: Leadership by
corporate directors in creating and presenting
value for all stakeholders

IT Governance: Ensure the alignment of IT with
enterprise objectives
 Responsibility of the board of directors and
executive mgmt
IT Governance Objectives
 IT delivers value to the business
 IT risk is managed

Processes include:
 Equip IS functionality and address risk
 Measure performance of delivering value to the
business
 Comply with legal and regulatory requirements
IT Governance Committees
IT Strategic Committee
Focuses on Direction and Strategy
Members: Board members & specialists
Responsibilities: Advises board on IT strategy and alignment;
Optimization of IT costs and risk

IT Steering Committee
Focuses on Implementation
Members: Business executives (IT users), CIO, key advisors
(IT, legal, audit, finance)
Responsibilities: Monitors current projects; Decides IT spending
IT Strategy Committee
Main Concerns
 Alignment of IT with Business
 Contribution of IT to the Business
 Exposure & containment of IT risk
 Optimization of IT costs
 Achievement of strategic IT objectives
IT Steering Committee
Main Concerns
 Decides whether IT is centralized or decentralized,
and assigns responsibility
 Makes recommendations for strategic plans
 Approves IT architecture
 Reviews and approves IT plans, budgets,
priorities & milestones
 Monitors major project plans and delivery
performance
Strategic Planning Process
Strategic: Long-term (3-5 year) direction considers
organizational goals, regulation (and for IT:
technical advances)
Tactical: 1-year plan moves organization to strategic
goal
Operational: Detailed or technical plans
Security Strategic Planning
Strategic:
 Risk Mgmt – Laws
 Governance – Policy
 Organizational Security
 Data classification
Tactical:
 Audit – Risk analysis
 Business continuity
 Metrics development
 Incident response
Operational:
 Physical security
 Network security
 Policy compliance
 Metrics use
Strategic Planning
Strategy:
 Achieve CMM or COBIT Level 4
Tactical: During next 12 months:
 Each business unit must identify current applications in
use
 25% of all stored data must be reviewed to identify critical
resources
 Business units must achieve regulatory compliance
 A comprehensive risk assessment must be performed for
each business unit
 All users must undergo general security training
 Standards must exist for all policies
Standard IT Balanced Scorecard
Establish a mechanism for reporting IT
strategic aims and progress to the board
Mission = Direction. E.g.:
 Serve business efficiently and effectively
Strategies = Objectives. E.g.:
 Quality thru Availability
 Process Maturity
Measures = Statistics. E.g.:
 Customer satisfaction
 Operational efficiency
IT Balanced Scorecard
Four quadrants, each recording its Vision, Metrics and Performance:
Financial Goals: How should we appear to stockholders?
Customer Goals: How should we appear to our customers?
Internal Business Process: What business processes should we excel at?
Learning and Growth Goals: How will we improve internally?
Enterprise Architecture
 Constructing IT is similar to constructing a building
 It must be designed and implemented at various levels:
 Technical (Hardware, Software)
 IT Procedures & Operations
 Business Procedures & Operations
Architecture grid:
Columns: Data, Functional (App), Network (Tech), People (Org.),
Process (Flow), Strategy
Rows: Scope, Enterprise Model, Systems Model, Tech Model,
Detailed Representation
Sourcing Practices
Insourced: Performed entirely by the organization’s staff
Outsourced: Performed entirely by a vendor’s staff
Hybrid: Partial insourced and outsourced
Onsite: Performed at IS dept site
Offsite or Nearshore: Performed in same geographical
area
Offshore: Performed in a different geographical region

What advantages can you think of for insourcing versus
outsourcing?
Quality with ISO 9000
ISO 9000: Standard for Quality Mgmt Systems.
Recommendations include:
 Quality Manual: Documented procedures
 HR: Documented standards for personnel hiring,
training, evaluation,…
 Purchasing: Documented standards for vendors:
equipment & services
Gap Analysis: The difference between where you
are and where you want to be
Quality Definitions
Quality Assurance: Ensures that staff are
following quality processes: e.g., following
standards in design, coding, testing,
configuration management
Quality Control: Conducts tests to validate
that software is free from defects and
meets user expectations
Performance Optimization
Phases of Performance Measurement include:
 Establish and update performance metrics
 Establish accountability for performance
measures
 Gather and analyze performance data
 Report and use performance results

Note: Strategic direction for how to achieve
performance improvements is necessary
Categories of Performance
Measures
 Performance Measurement: What are
indicators of good IT performance?
 IT Control Profile: How can we measure the
effectiveness of our controls?
 Awareness: What are the risks of not
achieving our objectives?
 Benchmarking: How do we perform relative to
others and standards?
IS Auditor & IT Governance
 Is the IS function aligned with the organization’s mission,
vision, values, objectives and strategies?
 Does IS achieve performance objectives
established by the business?
 Does IS comply with legal, fiduciary, environmental,
privacy, security, and quality requirements?
 Are IS risks managed efficiently and effectively?
 Is IS control effective and efficient?
Audit: Recognizing Problems
 End-user complaints
 Excessive costs or budget overruns
 Late projects
 Poor motivation - high staff turnover
 High volume of H/W or S/W defects
 Inexperienced staff – lack of training
 Unsupported or unauthorized H/W S/W purchases
 Numerous aborted or suspended development projects
 Reliance on one or two key personnel
 Poor computer response time
 Extensive exception reports, many not tracked to completion
Audit: Review Documentation
 IT Strategies, Plans, Budgets
 Security Policy Documentation
 Organization charts & Job Descriptions
 Steering Committee Reports
 System Development and Program Change Procedures
 Operations Procedures
 HR Manuals
 QA Procedures
 Contract Standards and Commitments
 Bidding, selection, acceptance, maintenance, compliance
Question
The MOST important function of the IT
department is:
1. Cost effective implementation of IS
functions
2. Alignment with business objectives
3. 24/7 Availability
4. Process improvement
Question
“Implement virtual private network in the
next year” is a goal at the level:
1. Strategic
2. Operational
3. Tactical
4. Mission
Question
Which of the following is not a valid purpose of the IS
Audit?
1. Ensure IS strategic plan matches the intent of the
enterprise strategic plan
2. Ensure that IS has developed documented
processes for software acquisition and/or
development (depending on IS functions)
3. Verify that contracts followed a documented process
that ensures no conflicts of interest
4. Investigate program code for backdoors, logic
bombs, or Trojan horses
Question
The difference between where an
organization performs and where they
intend to perform is known as:
1. Gap analysis
2. Quality Control
3. Performance Measurement
4. Benchmarking
Information Security
Governance

Governance
Policy
Risk
Information Security Importance
 Organizations are dependent upon and are
driven by information
 Software = information on how to process
 Data, graphics retained in files
 Information & computer crime has escalated
 Therefore information security must be
addressed and supported at highest levels
of the organization
Security Governance
Strategic Alignment: Security solution consistent with
organization goals and culture
Risk Management: Understand threats and cost-effectively
control risk
Value Delivery: Prioritized and delivered for greatest business
benefit
Performance Measurement: Metrics, independent assurance
Resource Management: Security architecture development &
documentation
Process Integration: Security is integrated into a well-
functioning organization
Security Manager Interfaces
The Security Mgr interfaces with:
Executive Mgmt: Directs & approves
Audit & Compliance: Cooperation
IT: Helps in control implementation
Human Resources: Hiring, training, roles & responsibility,
incident handling
S/W Develop.: Security requirements, access control
Quality Control: Secure testing
Legal: Advises
Business Units: Specific area of expertise, concern, and
responsibility
Executive Mgmt Info Security
Concerns
 Reduce civil and legal liability related to privacy
 Provide policy and standards leadership
 Control risk to acceptable levels
 Optimize limited security resources
 Base decisions on accurate information
 Allocate responsibility for safeguarding information
 Increase trust and improve reputation outside
organization
Personnel Issues
 Background checks can reduce fraud
 The more sensitive the position, the more checking is required
 A standard or procedure may be useful
 Training & signed contracts
 Track and document theft
 Minor incidents could add up to a major pattern
problem
 Email can be monitored for potential problem
employees
 Assuming policy is in place and employees are aware
Legal Issues
International trade and employment may be liable to
different regulations than exist in the U.S., affecting:
 Hiring
 Internet business
 Trans-border data flows
 Cryptography
 Copyright, patents, trade secrets
Industry may be liable under legislation:
 SOX: Sarbanes-Oxley: Publicly traded corp.
 FISMA: Federal Info Security Mgmt Act
 HIPAA: Health Insurance Portability and Accountability Act
 GLBA: Gramm-Leach-Bliley: Financial privacy
 Etc.
Security Governance Framework
The Security Framework comprises:
 Security Strategy
 Security Organization
 Policies, Standards, Procedures
 Compliance Monitoring
Security Organization
Review risk assessment & Business Impact Analysis
Define penalties for non-compliance with policies
Board of Directors: Defines security objectives and
institutes security organization
Executive Mgmt
Security Steering Committee: Senior representatives of
business functions ensure alignment of security program
with business objectives
Chief Info Security Officer (CISO)
Other positions: Chief Risk Officer (CRO), Chief
Compliance Officer (CCO)
Security Positions
Security Architect:
 Design secure network topologies, access control,
security policies & standards.
 Evaluate security technologies
 Work with compliance, risk mgmt, audit
Security Administrator:
 Allocate access to data under data owner
 Prepare security awareness program
 Test security architecture
 Monitor security violations and take corrective action
 Review and evaluate security policy
Security Operations
 Identity Mgmt & Access control
 System patching & configuration mgmt
 Change control & release mgmt
 Security metrics collection & reporting
 Control technology maintenance
 Incident response, investigation, and
resolution
Security Policy
Policy = First step to developing security
infrastructure
 Set direction for implementation of
controls, tools, procedures
 Approved by senior mgmt
 Documented and communicated to all
employees and associates
Security Policy Document
 Definition of information security
 Statement of management commitment
 Framework for approaching risk and controls
 Brief explanation of policies, minimally covering
regulatory compliance, training/awareness,
business continuity, and consequences of violations
 Allocation of responsibility, including reporting
security incidents
 References to more detailed documents
Policy Documentation
Policy = Direction for Control
 Philosophy of organization
 Created by Senior Mgmt
 Reviewed periodically
 Employees must understand intent
 Auditors test for compliance
Procedures: Detailed steps to implement a policy. Written
by process owners
Standards: An image of what is acceptable
Guidelines: Recommendations and acceptable alternatives
Security Planning: Policies
 Policy Objective: Requirements Rule: Describes ‘what’ needs to be
accomplished
 Policy Control: Technique to meet objectives
 Procedure: Outlines ‘how’ the Policy will be accomplished
 Standard: Specific rule, metric or boundary that implements policy

 Example 1:
 Policy: Computer systems are not exposed to illegal, inappropriate, or
dangerous software
 Policy Control Standard: Allowed software is defined.
 Policy Control Procedure: A description of how to load a computer with
required software.

 Example 2:
 Policy: Access to confidential information is controlled
 Policy Control Standard: Confidential information is never to be emailed
without being encrypted
Discussion: Are these effective controls by themselves?
Other Policy Documents
Data Classification: Defines data security categories,
ownership and accountability
Acceptable Usage Policy: Describes permissible
usage of IT equipment/resources
End-User Computing Policy: Defines usage and
parameters of desktop tools
Access Control Policies: Defines how access
permission is defined and allocated
After policy documents are created, they must be
officially reviewed, updated, disseminated, and tested
for compliance
Secure Strategy:
Risk Assessment
Five Steps include:
1. Assign Values to Assets:
 Where are the Crown Jewels?
2. Determine Loss due to Threats & Vulnerabilities
 Confidentiality, Integrity, Availability
 Loss = Downtime + Recovery + Liability + Replacement
3. Estimate Likelihood of Exploitation
 Weekly, monthly, 1 year, 10 years?
4. Compute Expected Loss
 Risk Exposure = ProbabilityOfVulnerability * $Loss
5. Treat Risk
 Survey & Select New Controls
 Reduce, Transfer, Avoid or Accept Risk
Risk Analysis Methods
Qualitative Analysis
 Likelihood is categorized: Low, Medium, High

SemiQuantitative Analysis
 Likelihood is categorized in scale: 1-10

Quantitative Analysis
 Likelihood is based on historical data, past
experience, industry practice, tests, statistical theory
 Quantitative Analysis is the preferred method
Risk Strategies
Avoid: Minimize dangerous activities
 Do not open any attachments or follow links
Mitigate: Lessen the probability of danger
 Open attachments only from within company
 Buy anti-virus software, firewall, anti-spyware…
Transfer: Buy insurance
Accept: Monitor for danger but continue on
dangerous path
 Open those attachments

Residual Risk: Remaining risk after controls are
implemented
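As an added worked example (not part of the slides), the five risk-assessment steps and the residual-risk definition above carried through in Python over a constructed asset register; the asset names, dollar figures, likelihoods, control costs and control effectiveness are all assumed sample values.

```python
# Added example, not from the slides: a risk-exposure calculator that walks the
# five steps above and reports the residual risk after the chosen treatment.
# Every asset, dollar figure and likelihood is a constructed sample value.
from dataclasses import dataclass, field

WEEKLY, YEARLY = 1 / 52, 1.0   # exploitation periods expressed in years

@dataclass
class Asset:
    name: str
    downtime: float         # Step 2: loss components in dollars
    recovery: float
    liability: float
    replacement: float
    period_years: float     # Step 3: expected time between successful exploits
    # Step 5 candidates: (control name, annual cost, fraction of likelihood removed)
    controls: list = field(default_factory=list)
    def loss(self) -> float:
        # Loss = Downtime + Recovery + Liability + Replacement
        return self.downtime + self.recovery + self.liability + self.replacement
    def annual_rate(self) -> float:
        # Expected exploits per year: a weekly event gives a rate above 1, so
        # this is an annualized rate of occurrence, not a one-event probability
        return 1.0 / self.period_years
    def exposure(self) -> float:
        # Step 4: Risk Exposure = Likelihood * $Loss, per year
        return self.annual_rate() * self.loss()

def treat_risk(asset: Asset, appetite: float, insurance_premium=None):
    """Step 5: cheapest treatment whose residual risk fits the risk appetite;
    returns (treatment, annual cost, residual exposure)."""
    options = [("Accept", 0.0, asset.exposure())]
    for name, cost, reduction in asset.controls:           # Reduce / mitigate
        options.append((f"Reduce: {name}", cost, asset.exposure() * (1 - reduction)))
    if insurance_premium is not None:                      # Transfer to an insurer
        options.append(("Transfer: insurance", insurance_premium, 0.0))
    within = [o for o in options if o[2] <= appetite] or options
    return min(within, key=lambda o: o[1] + o[2])         # lowest cost + residual risk

# Constructed sample register; Step 1 ranks the customer database as the crown jewel
REGISTER = [
    Asset("customer database", 20_000, 15_000, 100_000, 5_000, 2 * YEARLY,
          [("disk encryption", 8_000, 0.8), ("DLP gateway", 30_000, 0.9)]),
    Asset("staff workstations (phishing)", 2_000, 3_000, 0, 0, WEEKLY,
          [("awareness training", 15_000, 0.7), ("mail filtering", 20_000, 0.95)]),
    Asset("lab printer", 500, 300, 0, 0, 5 * YEARLY),
]

def assess(appetite: float = 15_000) -> dict:
    """Steps 1-5 over the register: asset name -> (exposure, treatment, cost, residual)."""
    report = {}
    for a in REGISTER:
        premium = 25_000 if a.name == "customer database" else None   # assumed insurance quote
        treatment, cost, residual = treat_risk(a, appetite, premium)
        report[a.name] = (round(a.exposure()), treatment, cost, round(residual))
    return report
```

Avoidance (stopping the activity) forgoes the asset's business value, so the calculator leaves that choice to a human decision.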
Summary of Security Mgmt
Functions
 Develop security strategy
 Regulatory & legal issues are addressed
 Linked with business objectives
 Sr Mgmt acceptance & support
 Complete set of policies
 Standards & Procedures for all relevant policies
 Security awareness for all users and security
training as needed
 Classified information assets by criticality and
sensitivity
Summary of Security Mgmt
Functions
 Effective compliance & enforcement processes
 Metrics are maintained and disseminated
 Monitoring of compliance & controls
 Utilization of security resources is effective
 Noncompliance is resolved in a timely manner
 Effective risk mgmt and business impact assessment
 Risks are assessed, communicated, and managed
 Controls are designed, implemented, maintained, tested
 Incident and emergency response processes are tested
 Business Continuity & Disaster Recovery Plans are tested
Summary of Security Mgmt
Functions
 Develop security strategy, oversee security
program, liaise with business process owners for
ongoing alignment
 Clear assignment of roles & responsibilities
 Security participation with Change Management
 Address security issues with 3rd party service
providers
 Liaise with other assurance providers to eliminate
gaps and overlaps
Question
Documentation that would not be viewed
by the IT Strategy Committee would be:
1. IT Project Plans
2. Risk Analysis & Business Impact
Analysis
3. IT Balanced Scorecard
4. IT Policies
Question
A document that describes how access
permission is defined and allocated is
the:
1. Data Classification
2. Acceptable Usage Policy
3. End-User Computing Policy
4. Access Control Policies
Question
The risk that is assumed after
implementing controls is known as:
1. Accepted Risk
2. Annualized Loss Expectancy
3. Quantitative risk
4. Residual risk
Question
The role of the Information Security
Manager in relation to the security
strategy is:
1. Creator
2. Communicator to other departments
3. Reviewer
4. Approving the strategy
Question
Product testing is most closely
associated with which department:
1. Audit
2. Quality Assurance
3. Quality Control
4. Compliance
Question
The role most likely to test a control is the:
1. Security Administrator
2. Security Architect
3. Quality Control Analyst
4. Security Steering Committee
Question
The Role responsible for defining security
objectives and instituting a security
organization is the:
1. Chief Security Officer
2. Executive Management
3. Board of Directors
4. Chief Information Security Officer
Question
The persons on the Security Steering
Committee who can contribute the BEST
information relating to ensuring Information
Security success are:
1. Chief Information Security Officer
2. Business process owners
3. Executive Management
4. Chief Information Officer
Question
“Passwords shall be at least 8 characters long,
and require a combination of at least 3 of lower
case, upper case, numeric, or symbol
characters”. This is an example of a:
1. Standard
2. Policy
3. Procedure
4. Guideline
Vocabulary to Study –
High Priority
 IT strategic committee, IT steering committee, Security
steering committee
 Mission, Strategic plan, Tactical plan, Operational plan
 Quality Assurance, Quality Control
 CISO, CIO, CSO, Board of Directors, Executive Mgmt,
Security Architect, Security Administrator
 Policy, Procedure, Standard, Guideline
 IT Balanced Scorecard, Measure, ISO 9000
Vocabulary to Study –
Low Priority
 Enterprise Architecture
 In Source, Out Source, Hybrid, Offshore,
Onsite
 Acceptable Use Policy, Access Control
Policies, Data Classification