AIS 5131 - MANAGING INFORMATION TECHNOLOGY

Chapter 1: IT Governance and IT Strategy Components of Enterprise Governance

Framework
IT Governance ➔ Corporate Governance (i.e, conformance)
➔ Not an isolated discipline ➔ Business Governance (i.e, performance)
➔ An integral part of a comprehensive enterprise ➔ Accountability & Assurance
governance program ➔ Value Creation & Resource Utilization
➔ Strategic direction, objectives, management of
risks, and use of resources
➔ The setting of objectives, a measure of Enterprise Governance of Information and
performance, benchmark against objectives, to Technology (EGIT)
move forward or change direction
● EGIT: system in which all stakeholders (BOD,
Senior Management, Internal Customers,
IT Governance and IT Strategy Departments) provide input to IT-decision making
● Corporate governance practices: be process
implemented for ethical issues, decision making, ➔ responsibility of the BOD and executive
and overall practices; management;
- used to direct and control the enterprises ➔ “Stewardship” of IT resources on behalf of
● Who is responsible for governance? BOD internal & external stakeholders
● IT governance: consists of leadership and
● Management: implement systems and IT
organizational structures and processes to
controls (oversighted by the BOD)
achieve strategies and objectives
● EGIT’s Purpose: direct IT endeavors to ensure
Corporate Governance 1. alignment of IT with enterprise objectives,
● Involves relationships between the and
management, BOD, shareholders, and 2. achievement of promised benefits
stakeholders ❖ IT must exploit opportunities and maximize
● Provides structure to objective setting, benefits
objective attainment, and monitoring ❖ IT resources must be used responsibly and
performance IT-related risks must be managed properly
● Purpose: help build trust, transparency, and
accountability for fostering long-term
Processes/Practices in Implementing an EGIT
investment, financial stability, and business
integrity Framework
➢ provides feedback on Value Delivery and Risk
Management
Corporate Governance Framework
A) IT Resource Management: maintaining
● Purpose:
inventory IT resources and addresses risk
1) Reduce inaccurate financial reporting
management process
2) Provide greater transparency and
B) Performance Measurement: ensuring IT
accountability
resources perform as expected to deliver value,
● with the use of formal systems
and identification of risks early on
● Government Regulations: - based on performance indicators that are
A. Require a senior management to sign-off optimized to value delivery and from which
internal controls deviations may lead to risks
B. Include an assessment on the internal C) Compliance Management: implementing
controls over financial reports processes that address legal and regulatory
 policies and contractual compliance
requirements
Governance vs. Management
★ ISACA: Information Systems Audit and Control
Association
- An international professional association focus
on IT Governance
★ COSO: Committee of Sponsoring Organizations
- for manual controls
★ COBIT: Control Objectives for Information and
Related Technology
- COBIT is framework made by ISACA, which
makes a clear distinction between
governance and management, as follows:
● Governance: ensures stakeholder needs,
conditions and options/opinions are
evaluated
- prioritization and decision making
- monitoring of performance and
compliance
● Management: plans, builds, runs and
monitors activities to achieve objectives
- in alignment with the direction set by the
governance body to achieve the
enterprise objectives
Effective Enterprise Governance
● Individual and group expertise
● Before: IT is enabler;
➔ Now: IT is integral part
● Alignment of IT and Enterprise Objectives: a
critical success factor
- cannot simply be seen as either IT
management or IT specialist operations;
● IT needs guidance and supervision from the
senior management and oversight from BOD
● Key element: alignment of business and IT to
achieve business value, which concerns 2 issues:
1. IT delivers value to the business (strategic
alignment)
2. IT risk is managed (driven by embedding
accountability)
Good Practices for EGIT
● Purpose of an IT Governance System: satisfy
stakeholder needs and generate value
● Value: balance of benefits, risk and resources
Factors which made EGIT significant:
a) Demand of business managers and BOD for
better return from IT investments
➢ Example: IT to deliver business needs and
stakeholder value
b) Increasing level of IT expenditure
c) Need to meet regulatory requirements for IT
controls in areas such as in privacy and financial
reporting, and in a specific sector
➢ Examples:
● GDPR
● Basel Accords (Basel I, II, III)
- Ensures that financial institutions
have enough capital on account to
absorb unexpected losses
d) Selection of service providers and management
of service outsourcing and acquisition
➢ Example: Use of cloud computing
e) IT Governance initiatives: adoption of control
frameworks and good practices to help monitor
and improve critical IT activities
- to increase business value and reduce risks
f) Need to optimize costs
- by following standardized rather than
specifically developed approaches
g) Acceptance of well-regarded frameworks
h) Need to assess performance against generally
accepted standards
➢ Example: benchmarking
● Integration with governance: Evaluate, direct
and monitor processes
● Evaluation, direction, and monitoring of:
1. Conformance and performance
2. The system of internal controls
3. Compliance with external requirement (such
as compliance with regulatory agencies)
 Audit’s Role in EGIT
● Establishment of internal controls: ensures
good practices
● Good practices: guide to use resources
● Measurement and reporting of results: provide
input to the cyclical revision and maintenance of
controls
➔ IT is also governed by good practices which
ensure that IT supports the business
objectives, delivers value, uses resources
responsibly, manages risk appropriately and
measures performance
● Audit: has very important role
➔ Audit provides recommendations to senior
management to help improve the IT
governance initiatives
➔ Audit helps ensure compliance
● Monitoring, analysis and evaluation of
metrics: require an independent and balanced
view for qualitative assessment and qualitative
improvement
● Auditing at the highest level of the enterprise;
crossing divisional, functional or departmental
boundaries
● The IS auditor should confirm that the terms
of references state the:
a) Scope of work - with clear definition of
functions and issues to be covered
b) Reporting line to be used - where EGIT
issues are identified & reported to the highest
level of the organization
c) IS auditor’s right to access information –
both within the organization and from
third-party service providers
● Organizational status and skill set of the IS
auditor: should be considered for
appropriateness; if found insufficient, consider
third party to perform audit
● Aspects related to EGIT that need to be
assessed:
1. Alignment of enterprise governance and EGIT
2. Alignment of IT function with the enterprise’s
mission, vision, values, objectives and
strategies
3. Achievement of performance objectives (e.g.,
efficiency and effectiveness)
● In accordance with the defined role of the IS
auditor, the following aspects related to EGIT
need to be assessed:
4. Legal, environmental, information quality,
fiduciary, security and privacy requirements
5. Control environment
6. Inherent risk within the IS environment
7. IT investment/expenditure
Information Security Governance
● Strategic Direction: defined by business goals
and objectives
- long-term & covers whole of the company
● Information Security: support business activities
to be of value
- It is a subset of corporate governance
- Provides strategic direction for security
activities
- Ensures achievement of objectives;
- Ensures information security risk is
appropriately managed and enterprise
information resources are used responsibly
According to the US National Institute of Standards
and Technology (NIST) Special Publication 800-100,
Information Security Handbook: A Guide for
Managers:
➢ Information security governance can be
defined as the process of establishing and
maintaining a framework and supporting
management structure and process to provide
assurance that information security strategies
are aligned with and support business
objectives, are consistent with applicable
laws, and regulations through adherence to
policies and internal controls, and provide
assignment of responsibility, all in an effort to
manage risks
Information Security Governance Framework
● Thru establishment and maintenance of a
framework
 ● Framework:
➔ Guide for development and accomplishment
of comprehensive information security
program
➔ Basis for cost-effective information security
program
● Information Security Program: provides
assurance that information assets are protection
commensurate with their value or the risk poses
to the organization
Elements of an Information Security Governance
Framework
a. Security strategy – intrinsically linked/in line with
business objectives & goals
b. Security policies – addresses each aspect of the
strategy & controls
c. Set of standards for each policy – the
“should-be”
d. Security organizational structure
- Having internal controls, specifically the
physical control: Segregation of Duties
e. Monitoring processes – must
firm-wide/enterprise-wide
Effective Information Security Governance
● Information Security Governance: one of the
highest levels of focused activity; its specific
drivers are-
➢ Confidentiality, integrity, and availability
(CIA) of information
➢ Continuity of services
➢ Protection of information assets
● Security has become a significant governance
issue as a result of:
➔ global networking: communicating worldwide
➔ rapid technological innovation and change:
heightened automation
➔ increased dependence on IT
➔ increased sophistication of threat agents and
exploits - the more we get tech savvy, the
more threats we receive
➔ an extension of the enterprise beyond its
traditional boundaries
● Negligence of Information Security: diminish
capacity to mitigate risks and take advantage of
opportunities
● BOD and CEOs: accountable and responsible
● CEO: (in charge of implementation)
- Accountable to the BOD for information
security governance
- Responsible for its discharge through the
executive management and the organization
and resources under his/her charge
● Senior Management: should come from varied
operations and staff functions; to ensure fair
representation
● Purpose: minimize leaning toward a specific
business priority or technology overhead or
security concerns
● The board-level committee approving security
policies may include:
- Directors
- CEO
- Chief Operating Officer (COO)
be - Chief Financial Officer (CFO)
- Chief Risk Officer (CRO)
- Chief Information Officer (CIO)
- Chief Technology Officer (CTO)
- Head of Human Resources (HR)
- Chief of Audit
- Chief Compliance Officer (CCO)
- Legal
★ Policy approval = CONSENSUS
● Information as a key resource
● Technology: importance from the time
information is created until destroyed
● IT: pervasive; in enterprises and in social, public,
and business environments
- Involves GENERAL COMPUTER CONTROLS
which affects & covers all systems involved
(e.g., controls in developing a system)
➢ Because IT has become pervasive, enterprises
now strive to:
a) Maintain high-quality information
b) Generate business value from IT-enabled
investments
c) Achieve operational excellence (faster and
efficient transactions)
 d) Maintain IT-related risks at an acceptable
level
e) Optimize the cost of IT services and
technology
f) Comply with the relevant laws, regulation,
contractual agreements, and policies
● Protection efforts: currently focused on the
information system rather than the information
itself
● Above approach: narrow, to accomplish needed
security
● Information security: broader view; data, as well
as the information and knowledge based on
them, must be protected
● Applicable situations: data are shared easily
over the Internet
- Data are shared easily over the internet
through blogs, newsfeeds, peer-to-peer or
social networks, or websites
● Protection efforts: both on the process and
information resulting from the process
● Major trends globally: outsourcing and cloud
computing
● Information security coverage: extend beyond
geographic boundary of the enterprise’s
premises
● Basic outcomes of effective information
security governance include:
➔ Strategic alignment
➔ Risk Management
➔ Compliance
➔ Value delivery
Basic outcomes are enabled through the
development of:
a) Performance Measurement
● Measurement, monitoring, and reporting;
ensure that SMART objectives are achieved
● To be accomplished:
1. Set of metrics aligned with strategic
objectives
2. Measurement process to identify
shortcomings and provide feedback
3. Independent assurance
b) Resource Management
● Efficient and effective use of information
security knowledge and infrastructure
● To be considered:
1. Ensure knowledge is captured and
available
2. Document security processes and
practices
3. Develop security architecture(s)
c) Process Integration
● Focus: integration of management
assurance processes for security
● Security activities: fragmented and
segmented in silos with different reporting
structures
● Process integration: improve overall
security and operational efficiencies
Information Systems Strategy
● Information Systems: crucial for enterprise
● Before: minimal involvement of governing
boards and senior management executives on IS
strategy; decisions left to functional management
➔ Now: above approach no longer acceptable
due to dependency on IS for operations and
growth
● Internal and external threats: IS resource
abuse, cybercrime, fraud, and errors & omissions
● IS Strategic processes: integral components
- provide assurance that goals and objectives
will be attained for competitive advantage
Strategic Planning
● Strategic planning: long-term direction on IT to
improve business processes
● Factors to consider in strategic planning
include:
➢ Identifying IT solutions to address problems
and opportunities
➢ Developing action plans
● Enterprises should ensure plans are aligned and
consistent with the goals and objectives
● IT department management, IT steering
committee, Strategy committee: play a key role
in the development and implementation of the
plans
● Effective IS strategic planning involves a
consideration of:
- Enterprise’s requirement for information
systems
- IT’s capacity to deliver new functionality
Additional Notes:
Sarbanes Oxley Acts (SOX)
● Section 302 – The CFO & CEO signs off
● Section 404 – requires businesses to have an
annual audit of the internal controls performed
by an outside firm
● Section 406 – Code of ethics of senior financial
officers

● Determining requirements for information

systems involves:
- Consideration of the strategic intentions
- How these intentions translate into
objectives and initiatives
- IT capabilities to support objectives and
initiatives
- can the current resources and the IT
support & carry over specific tasks?

● Existing system’s portfolio: be reviewed in

terms of functional fit, cost and risk

● Assessing IT’s capacity to deliver: involves

review of the technical IT infrastructure and key
support process to determine whether expansion
or improvement is necessary

● Strategic planning process:

➔ Encompass the delivery of new systems
and technology
➔ Consider return of investment (ROI) on
existing IT and the decommissioning of
legacy systems (old systems previously
used)
● Strategic IT plan: balance cost of maintaining
existing systems against cost of new systems

IS Auditors
1. Should pay attention to the importance of IS
Strategic planning
2. Must put importance to strategic planning
process or planning frameworks
3. Should consider how the CIO or senior IT
management is involved in the creation of the
overall business strategy
 SHORT ASSESSMENT:

1. This starts with setting of objectives, then proceeds to measure performance, benchmark against
objectives and move forward or change direction, as appropriate.
a) Strategic Planning
b) Business Intelligence
c) IT Governance
d) Information Systems Strategy

2. Essential to Information Security Governance, the term CIA refers to:

a) Cohesive, Integrity, Availability
b) Completeness, Integrity, Accountability
c) Comprehensiveness, Identity, Availability
d) Confidentiality, Integrity, Availability

3. It is emphasized that its importance is from the time information is created until destroyed.
a) Technology
b) Policies
c) Regulations
d) Technology

4. Who is mainly responsible for governance?

a) Senior Management
b) Board of Directors
c) External Stakeholders
d) None of the above

5. According to US National Institute of Standards and Technology (NIST) Special Publication

800-100, Information Security Handbook: A Guide for Managers, Information Security Governance
can be defined as:
a) The process of establishing and maintaining a framework and supporting management
structure and processes
b) Provides operational and technical support & support for information and security activities
c) Provide assurance that information security strategies are aligned with and support
business objectives, are non-compliant with applicable laws and regulations
d) Provides guidance that the enterprise information resources are managed responsibly.
6. Security has become a significant governance issue as result of:
a) Global Networking
b) Increased independence on IT
c) Decreased sophistication of threat agents and exploits
d) Slow technological innovation and change

7. Which statement regarding Enterprise Governance of Information and Technology is most correct?
a) IT resources must be used responsibly and IT-related risks must be removed completely
b) IT must exploit opportunities and maximize benefits
c) The implementation of systems and IT controls are oversighted by the Management
d) The purpose of EGIT is to direct IT endeavors to ensure alignment of IT with enterprise
objectives, but not to achieve promised benefits

8. One of the elements of an Information Security Governance Framework is:

a) Security Planning
b) Security Strategy
c) Monitoring Structure
d) Organizational processes

9. A recommended practice in Data Governance is to establish a business/IT advisory team that:

a) Establishes cross organizational benefit measures
b) Allows similar functional perspectives to be represented
c) Recommends non-investment priorities
d) None of the above

10. Which of the following statements regarding Enterprise Governance of Information and Technology
is most correct?
a) It involves an exclusive relationship between the BOD and management only
b) Help build trust, transparency, and accountability for fostering short-term investment,
financial stability, and business integrity
c) Provides structure to objective setting, objective attainment, and monitoring performance
d) It involves an exclusive relationship between the management and stakeholders only
11. Basic outcomes of effective information security governance are enabled through the development
of:
a) Performance Measurement
b) Resource Management
c) Process Integration
d) All of the above

12. They play a key role in the development and implementation of the plans in strategic planning.
a) IT department manager, IT development committee, Technical committee
b) IT department management, IT steering committee, Strategy committee
c) IT database management, IT development committee, Strategy committee
d) IT department management, IT steering committee, Technical committee

13. Which of the following is a factor which made EGIT significant?

a) Need to increase cost
b) Demand of business managers to assess performance against competitors
c) Increasing level of IT expenditure
d) Selection of regulatory requirements for IT controls

14. With regards to strategic planning, IS Auditors should;

a) Should consider how the CEO or IT management is involved in the creation of the overall
business strategy
b) Must put importance to strategic planning process but not planning actual frameworks
c) Should pay attention to the importance of IS Strategic planning
d) Disregard the cost of maintaining existing systems against cost of new systems

15. The IS auditor should confirm that the terms of references state the;
a) Scope of data
b) Reporting line to be used
c) CIO’s right to access information
d) None of the above
16. A process/practice in implementing an EGIT framework which ensures that IT resources perform as
expected to deliver value, and identification of risks early on
a) Performance Measurement
b) IT Resource Management
c) Compliance Management
d) Systems Measurement

17. Which of the following statements regarding the Senior Management is correct?
a) They are most accountable and responsible
b) Responsible for its discharge through the executive management and the organization and
resources under his/her charge
c) Should come from varied operations and staff functions to ensure fair representation
d) Accountable to the BOD for information security governance

18. A very important role as it provides recommendations to senior management to help improve the IT
governance initiatives.
a) Security
b) Audit
c) Privacy
d) Accounting

19. A set of regulations that ensures that financial institutions have enough capital on account to
absorb unexpected losses
a) Sarbanes-Oxley Act (SOX)
b) General Data Protection Regulation (GDPR)
c) Control Objectives for Information and Related Technologies (COBIT)
d) Basel Accords (Basel I, II, III)

20. Which of the following statements pertaining to effective enterprise governance is correct?
a) Only for group expertise
b) Now, IT is an enabler
c) Before, IT is an integral part
d) None of the above
 ANSWER KEY:

1. C 6. A 11. D 16. A

2. D 7. B 12. B 17. C

3. D 8. B 13. C 18. B

4. B 9. A 14. C 19. D

5. A 10. C 15. B 20. D

References:
ISACA. (2019). CISA review manual (27th ed.).
Open information security management maturity model (O-ISM3). (2011, February). ComputerWeekly.com.
https://www.computerweekly.com/ehandbook/Open-Information-Security-Management-Maturity-Model-O-ISM3