IT Governance CISA
CORPORATE GOVERNANCE
The degree to which corporations observe basic principles of good corporate governance is an increasingly
important factor for investment decisions.
There is no single model of good corporate governance. The OECD Principles of Corporate Governance
were endorsed by OECD Ministers in 1999 and have since become an international benchmark for policy
makers, investors, corporations and other stakeholders worldwide. They have advanced the corporate
governance agenda and provided specific guidance for legislative and regulatory initiatives.
The Organisation for Economic Co-operation and Development (OECD) has identified some common
elements that underlie good corporate governance. The OECD Principles build on these common elements
and are formulated to embrace the different models that exist. For example, they do not advocate any
particular board structure and the term board as used in this document is meant to embrace the different
national models of board structures found in OECD and non-OECD countries.
I.T. GOVERNANCE
A characteristic theme of IT governance discussions is that IT projects can no longer be a black box.
Traditionally, board-level executives, faced with limited technical experience and project complexity,
deferred key decisions to IT professionals. With IT governance, however, all stakeholders, including the
board, internal customers and related areas such as finance, are required to participate in the
decision-making process. This also prevents users from later complaining that the system does not behave
or perform as expected.
Information security governance: Within IT governance, information security governance should become
a focused activity with specific value drivers. As a result of global networking and extending the enterprise
beyond its traditional boundaries, security is emerging as a significant governance issue. Hence, information
security should become an important and integral part of IT governance.
Information security governance is also the responsibility of the board of directors and senior executives. It
must be an integral and transparent part of enterprise governance and be aligned with the IT governance
framework.
The Zachman Framework is a framework for Enterprise Architecture which provides a formal and highly
structured way of defining an enterprise's systems architecture. It uses a grid model based around 6 basic
questions (What, How, Where, Who, When, and Why) asked of 5 nominated stakeholder groups (Planner,
Owner, Designer, Builder and Subcontractor) to give a holistic view of the enterprise being
modelled.
Often used as part of a systems architecture or enterprise-level technology review exercise, it is popular
within IT architecture departments but has little hold on either the developer or user communities. The
enterprise architecture can form an input to a firm's software architecture.
The strong point is the complete coverage gained by touching each cell of the matrix. The weak point is
that, because of its completeness, the approach generates a lot of documentation, which can be difficult
to digest and is sometimes of questionable utility.
The Federal Enterprise Architecture (FEA) provides a common methodology for information technology (IT)
acquisition in the United States federal government. It is designed to ease sharing of information and
resources across federal agencies, reduce costs, and improve citizen services. The FEA is currently a
collection of reference models that develop a common taxonomy for describing IT resources.
STRATEGIC PLANNING
Strategic planning is defined as the long-term direction an organization wants to take in leveraging
information technology to improve its business processes.
It is the responsibility of top management; key roles in its development and implementation are performed
by IS department management and the IS steering committee.
An IT governance objective is that IT strategic plans are synchronized with the overall business strategy.
STEERING COMMITTEE
RISK MANAGEMENT
Generally, risk management is the process of measuring or assessing risk and developing strategies to
manage it. Strategies include transferring the risk to another party, avoiding the risk, reducing the negative
effect of the risk, and accepting some or all of the consequences of a particular risk. Traditional risk
management focuses on risks stemming from physical or legal causes (e.g. natural disasters or fires,
accidents, death, and lawsuits). Financial risk management, on the other hand, focuses on risks that can be
managed using traded financial instruments. Regardless of the type of risk management, all large
corporations have risk management teams and small groups and corporations practice informal, if not
formal, risk management.
In ideal risk management, a prioritization process is followed whereby the risks with the greatest loss and the
greatest probability of occurring are handled first, and risks with lower probability of occurrence and lower
loss are handled later. In practice the process can be very difficult, and balancing between risks with a high
probability of occurrence but lower loss vs. a risk with high loss but lower probability of occurrence can often
be mishandled.
Once risks have been identified and assessed, all techniques to manage the risk fall into one or more of
these four major categories:
o Mitigate, e.g., acquire and deploy security technology to protect the IT infrastructure
o Transfer, e.g., share risk with partners or transfer to insurance coverage
o Accept, i.e., formally acknowledge the existence of the risk and monitor it
o Avoid, i.e., not performing an activity that could carry risk, e.g. not buying a property or business in
order to not take on the liability that comes with it. Avoidance may seem the answer to all risks, but
avoiding risks also means losing out on the potential gain that accepting (retaining) the risk may
have allowed.
In Enterprise Risk Management, a risk is defined as a possible event or circumstance that can have negative
influences on the Enterprise in question. Its impact can be on the very existence, the resources (human and
capital), the products and services, or the customers of the Enterprise, as well as external impacts on
Society, Markets or the Environment.
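As an added illustration of the prioritization and treatment steps described above (example code written for these notes, not part of the original), a small constructed risk register is ranked by expected loss, with worst-case loss as the tie-breaker so that the high-probability/low-loss versus low-probability/high-loss pair is not mishandled, and then mapped onto the Mitigate/Transfer/Accept categories. The mapping rule and the appetite and absorbable-loss thresholds are assumptions, not taken from the notes.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Risk:
    name: str
    probability: float  # annual probability of occurrence, 0..1
    loss: float         # loss if the event occurs, in currency units

# Constructed sample register. The first two entries are the pair the notes
# say is often mishandled: high probability/low loss vs. low probability/high loss.
REGISTER = [
    Risk("phishing credential theft", 0.80, 50_000),
    Risk("data centre fire", 0.02, 2_000_000),
    Risk("laptop theft", 0.30, 20_000),
    Risk("ransomware outage", 0.10, 600_000),
]

def expected_loss(r):
    """Annualised expected loss, probability x loss: the quantitative priority."""
    return r.probability * r.loss

def prioritise(register):
    """Rank highest expected loss first. Expected loss alone cannot separate the
    phishing and fire entries (both 40,000), so worst-case loss breaks the tie:
    a rare catastrophic event is handled before a frequent nuisance of equal value."""
    ordered = sorted(register, key=lambda r: (round(expected_loss(r), 2), r.loss), reverse=True)
    return [r.name for r in ordered]

def treatment(r, appetite, absorbable):
    """Assumed mapping onto the categories in the notes. 'appetite' is the expected
    loss the organisation is willing to carry; 'absorbable' is the largest single
    loss it could survive. Avoid (stop the activity) is a business decision that
    the numbers cannot make, so it is not returned here."""
    if expected_loss(r) <= appetite:
        return "Accept"     # acknowledge and monitor
    if r.loss > absorbable:
        return "Transfer"   # e.g. insurance for a loss the firm cannot carry alone
    return "Mitigate"       # deploy controls to reduce probability and/or loss

def plan(register, appetite=10_000, absorbable=1_000_000):
    """Treatment per risk, using assumed default thresholds."""
    return {r.name: treatment(r, appetite, absorbable) for r in register}

if __name__ == "__main__":
    for name in prioritise(REGISTER):
        print(name)
    print(plan(REGISTER))
```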
OUTSOURCING PRACTICES
Outsourcing is defined as a contractual agreement under which an organization hands over control of part,
or all, of the functions of the IS department to an external party.
Reasons for outsourcing include a desire to focus on core activities, pressure on profit margins,
increasing competition that demands cost savings, and flexibility of organization/structure.
Services provided by an external (third) party can include:
o Data entry
o Design and development of new systems
o Maintenance of existing applications
o Conversion of legacy applications to new platforms
o Operating the help desk or the call center
o Operations processing
Possible advantages of outsourcing:
o Outsourcing companies can achieve economies of scale.
o Outsourcing vendors devote more time and focus than in-house staff
o Outsourcing vendors likely have more experience in problems, issues and techniques
Possible disadvantages of outsourcing include:
o Loss of internal IS experience; loss of control over IS
o Limited product access
o Difficulty in reversing or changing outsourced arrangements
o Costs exceeding customer expectations
o Vendor failure
Audit and Security concerns of outsourcing:
o Capacity and growth planning - essential due to technology changes; should reflect long- and short-term plans
o User satisfaction - users and IT should agree on a level of service (e.g. system availability)
o Industry standards/benchmarking - can be obtained from user groups, industry publications and
professional associations
o Change management - a defined and documented process exists to manage IT changes
o User-pays scheme (a form of charge-back) - can improve monitoring of IS expenses and resources; the
cost of services (time, computer, others) is charged to end users based on a formula
o IS management, like all other departments, must develop a budget
QUALITY MANAGEMENT
The latest ISO standard is ISO 9001:2000, Quality Management Systems, which replaces ISO 9000, 9001, 9002
and 9003. A company still using the previous 1994 versions needs to update. A key practice is to perform a
gap analysis against the requirements of the latest standard, then fill the gaps to comply.
Transition to the new standard must be completed by December 15, 2003.
Software Capability Maturity Model (CMM) is a maturity model or methodology developed by the
Software Engineering Institute at Carnegie Mellon University.
The IS auditor should spend time observing and determining whether the job descriptions and structures
are adequate. Generally, the following IS functions should be reviewed:
Systems development manager - responsible for programmers and analysts.
Help desk / support administration includes the following activities, among others:
o Acquisition of hardware/software (HW/SW) on behalf of end users
o Assisting end users with HW/SW difficulties
o Training users to use HW/SW and databases
o Answering end-user queries
Operations: An operations manager is responsible for computer operations personnel. This includes all
the staff required to run the computer information processing facility (IPF) efficiently and effectively (e.g.,
computer operators, librarians, schedulers and data control personnel). The IPF includes the computer,
peripherals, magnetic media and the data stored on the media.
The control group is responsible for the collection, conversion and control of input and the balancing
and distribution of output to the user community. It usually reports to the IPF operations manager and
works in a separate area where only authorized personnel are permitted, as it handles sensitive data.
Librarian: The librarian is required to record, issue, receive and safeguard all program and data files
that are maintained on computer tapes and/or disks by an IPF. Depending upon the size of the
organization, the librarian may be a full-time individual or a member of the data control section who also
performs this function. It is an integral part of the overall operations of the IPF.
Data Entry can take the form of batch entry or online entry.
Systems administrator is responsible for maintaining major multi-user computer systems, including
local area networks (LANs). Typical duties include:
o Adding and configuring new workstations
o Setting up user accounts
o Installing system wide software
o Performing procedures to prevent/detect/correct the spread of viruses
o Allocating mass storage space
Security administration begins with management's commitment. Management must understand and
evaluate security risks, and develop and enforce a written policy that clearly states the standards and
procedures to be followed. The duties of the security administrator should be defined in the policy. To
provide adequate segregation of duties, this individual should be a full-time employee who reports
directly to the director of the IPF.
Database administrator (DBA), as custodian of an organization's data, defines and maintains the data
structures in the corporate database system. The DBA must understand the organization's and users' data
and data relationship (structure) requirements. This position is responsible for the security of the shared
data stored on database systems, and also for the actual design, definition and proper maintenance of the
corporate databases. The DBA usually reports directly to the director of the IPF.
Systems programmers are responsible for maintaining the systems software including the operating
system. This function may
require them to have unrestricted access to the entire system. IS management must closely monitor
their activities by requiring that they keep logs of their work and only have access to the system libraries
of the specific software that they maintain.
Network Management / Administrators are responsible for key components of the infrastructure
(routers, firewalls, network segmentation, performance management, remote access). Because of
geographical dispersion, each network (e.g. LAN) may need an administrator. In smaller installations,
this person may also be responsible for security administration.
SEGREGATION OF DUTIES
Transaction Authorization - is the responsibility of the user department.
Custody of Assets - custody of corporate assets must be determined and assigned appropriately. The
data owner usually is assigned to a particular user department and has responsibility for determining
authorization levels required to provide adequate security, while the administration group is often
responsible for implementing and enforcing the security system.
Access to Data - controls over access to data are provided by a combination of physical, system and
application security. Access controls are based on organizational policy and on two generally accepted
standards of practice: segregation of duties and least privilege. Policies also establish levels of
sensitivity such as top secret, secret, confidential, and unclassified for data and other resources.
Authorization Forms - user department managers must provide IS with approved authorization forms (hard
copy or electronic) that define the access rights of their employees. Access privileges should be reviewed
periodically to ensure that they are current and appropriate to the user's job functions.
User Authorization Tables - the IS department should use the data from the authorization forms to
build and maintain user authorization tables to define who is authorized to update, modify, delete and/or
view data. These privileges are provided at the system, transaction or field level. In effect, these are user
access control lists. These authorization tables must be secured against unauthorized access by
additional password protection or data encryption. A control log should record all user activity, and
appropriate management should review this log. All exception items should be investigated.
Compensating Controls for Lack of Segregation of Duties.
In a small business where the IS department may only consist of four to five people, compensating
control measures must exist to mitigate the risk resulting from a lack of duty segregation. Compensating
controls would include:
o Audit trails
o Reconciliation (responsibility of the user)
o Exception reporting
o Transaction logs (either manual or automated)
o Supervisory reviews
o Independent reviews
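The following added example (written for these notes, not code from the original) implements the user authorization table and control log described under Segregation of Duties, with privileges resolved at field, transaction or system level, default deny where no entry exists, and an exception report of denied attempts for management review, plus a segregation-of-duties check of the kind listed under Compensating Controls. The users, transaction names, scope naming scheme and sample attempts are constructed assumptions.

```python
from collections import defaultdict
# Privilege levels from the notes; a grant sits at scope "system", "txn:<t>" or "field:<t>.<f>".
PRIVILEGES = ("view", "update", "modify", "delete")

class AuthorizationTable:
    """User authorization table (user access control list) with a control log."""
    def __init__(self):
        self._grants = {}      # (user, scope) -> set of privileges
        self.control_log = []  # every attempt: (user, transaction, field, privilege, allowed)

    def grant(self, user, scope, *privileges):
        if not set(privileges) <= set(PRIVILEGES):
            raise ValueError(f"unknown privilege in {privileges}")
        self._grants.setdefault((user, scope), set()).update(privileges)

    def is_authorized(self, user, transaction, field, privilege):
        # Most specific entry decides, so a field entry can narrow a transaction grant;
        # no entry at any level means deny.
        for scope in (f"field:{transaction}.{field}", f"txn:{transaction}", "system"):
            if (user, scope) in self._grants:
                return privilege in self._grants[(user, scope)]
        return False

    def attempt(self, user, transaction, field, privilege):
        allowed = self.is_authorized(user, transaction, field, privilege)
        self.control_log.append((user, transaction, field, privilege, allowed))
        return allowed

    def exception_report(self):
        """Denied attempts grouped by user: the exception items management reviews."""
        report = defaultdict(list)
        for user, txn, fld, priv, allowed in self.control_log:
            if not allowed:
                report[user].append(f"{priv} {txn}.{fld}")
        return dict(report)

def segregation_violations(transaction_log):
    """Compensating control for a small IS shop: entries one person both authorized and posted."""
    return [t["id"] for t in transaction_log if t["authorized_by"] == t["posted_by"]]

def demo():
    """Constructed sample grants and attempts, not from any real system."""
    table = AuthorizationTable()
    table.grant("clerk", "txn:payroll", "view", "update")
    table.grant("clerk", "field:payroll.salary", "view")   # narrows the txn grant
    table.grant("dba", "system", "view")
    table.attempt("clerk", "payroll", "hours", "update")   # allowed at txn level
    table.attempt("clerk", "payroll", "salary", "update")  # denied at field level
    table.attempt("dba", "payroll", "salary", "delete")    # denied: system grant is view-only
    table.attempt("temp", "payroll", "hours", "view")      # denied: no entry anywhere
    return table
```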