● The IS auditor should confirm that the terms of reference state the:
a) Scope of work - with clear definition of functions and issues to be covered
b) Reporting line to be used - where EGIT issues are identified & reported to the highest level of the organization
c) IS auditor’s right to access information – both within the organization and from third-party service providers
● Organizational status and skill set of the IS auditor: should be considered for appropriateness; if found insufficient, consider a third party to perform the audit
● Aspects related to EGIT that need to be assessed:
1. Alignment of enterprise governance and EGIT
2. Alignment of the IT function with the enterprise’s mission, vision, values, objectives and strategies

According to the US National Institute of Standards and Technology (NIST) Special Publication 800-100, Information Security Handbook: A Guide for Managers:
➢ Information security governance can be defined as the process of establishing and maintaining a framework and supporting management structure and process to provide assurance that information security strategies are aligned with and support business objectives, are consistent with applicable laws and regulations through adherence to policies and internal controls, and provide assignment of responsibility, all in an effort to manage risks

Information Security Governance Framework
● Through establishment and maintenance of a framework
● Framework:
➔ Guide for development and accomplishment of a comprehensive information security program
➔ Basis for a cost-effective information security program
● Information Security Program: provides assurance that information assets are protected commensurate with their value or the risk they pose to the organization
● Negligence of Information Security: diminishes capacity to mitigate risks and take advantage of opportunities
● BOD and CEOs: accountable and responsible
● CEO: (in charge of implementation)
- Accountable to the BOD for information security governance
- Responsible for its discharge through the executive management and the organization and resources under his/her charge
● Senior Management: should come from varied operations and staff functions, to ensure fair representation
● Purpose: minimize leaning toward a specific business priority, technology overhead or security concern
● The board-level committee approving security policies may include:
- Directors
- CEO
- Chief Operating Officer (COO)
- Chief Financial Officer (CFO)
- Chief Risk Officer (CRO)
- Chief Information Officer (CIO)
- Chief Technology Officer (CTO)
- Head of Human Resources (HR)
- Chief of Audit
- Chief Compliance Officer (CCO)
- Legal
★ Policy approval = CONSENSUS

Elements of an Information Security Governance Framework
a. Security strategy – intrinsically linked/in line with business objectives & goals
b. Security policies – address each aspect of the strategy & controls
c. Set of standards for each policy – the “should-be”
d. Security organizational structure
- Having internal controls, specifically the physical control: Segregation of Duties
e. Monitoring processes – must be firm-wide/enterprise-wide

Effective Information Security Governance
● Information Security Governance: one of the highest levels of focused activity; its specific drivers are:
➢ Confidentiality, integrity, and availability (CIA) of information
➢ Continuity of services
➢ Protection of information assets
● Security has become a significant governance issue as a result of:
➔ global networking: communicating worldwide
➔ rapid technological innovation and change: heightened automation which affects
➔ increased dependence on IT
➔ increased sophistication of threat agents and exploits - the more tech savvy we get, the more threats we receive

● Information as a key resource
● Technology: importance from the time information is created until destroyed
● IT: pervasive; in enterprises and in social, public, and business environments
- Involves GENERAL COMPUTER CONTROLS & covers all systems involved (e.g., controls in developing a system)
➢ Because IT has become pervasive, enterprises now strive to:
a) Maintain high-quality information
b) Generate business value from IT-enabled investments
c) Achieve operational excellence (faster and efficient transactions)
d) Maintain IT-related risks at an acceptable level
e) Optimize the cost of IT services and technology
f) Comply with the relevant laws, regulations, contractual agreements, and policies

● Protection efforts: currently focused on the information system rather than the information itself
● Above approach: narrow, to accomplish needed security assurance
● Information security: broader view; data, as well as the information and knowledge based on them, must be protected
● Applicable situations: data are shared easily over the Internet through blogs, newsfeeds, peer-to-peer or social networks, or websites
● Protection efforts: both on the process and the information resulting from the process
● Major trends globally: outsourcing and cloud computing
● Information security coverage: extends beyond the geographic boundary of the enterprise’s premises
● Basic outcomes of effective information security governance include:
➔ Strategic alignment
➔ Risk Management
➔ Compliance
➔ Value delivery

b) Resource Management
● Efficient and effective use of information security knowledge and infrastructure
● To be considered:
1. Ensure knowledge is captured and available
2. Document security processes and practices
3. Develop security architecture(s)

c) Process Integration
● Focus: integration of management assurance processes for security
● Security activities: fragmented and segmented in silos with different reporting structures
● Process integration: improves overall security and operational efficiencies

Information Systems Strategy
● Information Systems: crucial for the enterprise
● Before: minimal involvement of governing boards and senior management executives in IS strategy; decisions left to functional management
➔ Now: above approach no longer acceptable due to dependency on IS for operations and growth
● Internal and external threats: IS resource abuse, cybercrime, fraud, and errors & omissions
● IS strategic processes: integral components
- provide assurance that goals and objectives will be attained for competitive advantage

IS Auditors
1. Should pay attention to the importance of IS strategic planning
2. Must put importance on the strategic planning process or planning frameworks
3. Should consider how the CIO or senior IT management is involved in the creation of the overall business strategy
SHORT ASSESSMENT:
1. This starts with setting of objectives, then proceeds to measure performance, benchmark against
objectives and move forward or change direction, as appropriate.
a) Strategic Planning
b) Business Intelligence
c) IT Governance
d) Information Systems Strategy
3. It is emphasized that its importance is from the time information is created until destroyed.
a) Technology
b) Policies
c) Regulations
d) Technology
7. Which statement regarding Enterprise Governance of Information and Technology is most correct?
a) IT resources must be used responsibly and IT-related risks must be removed completely
b) IT must exploit opportunities and maximize benefits
c) The implementation of systems and IT controls are oversighted by the Management
d) The purpose of EGIT is to direct IT endeavors to ensure alignment of IT with enterprise
objectives, but not to achieve promised benefits
10. Which of the following statements regarding Enterprise Governance of Information and Technology
is most correct?
a) It involves an exclusive relationship between the BOD and management only
b) Help build trust, transparency, and accountability for fostering short-term investment,
financial stability, and business integrity
c) Provides structure to objective setting, objective attainment, and monitoring performance
d) It involves an exclusive relationship between the management and stakeholders only
11. Basic outcomes of effective information security governance are enabled through the development
of:
a) Performance Measurement
b) Resource Management
c) Process Integration
d) All of the above
12. They play a key role in the development and implementation of the plans in strategic planning.
a) IT department manager, IT development committee, Technical committee
b) IT department management, IT steering committee, Strategy committee
c) IT database management, IT development committee, Strategy committee
d) IT department management, IT steering committee, Technical committee
15. The IS auditor should confirm that the terms of reference state the:
a) Scope of data
b) Reporting line to be used
c) CIO’s right to access information
d) None of the above
16. A process/practice in implementing an EGIT framework which ensures that IT resources perform as
expected to deliver value, and identification of risks early on
a) Performance Measurement
b) IT Resource Management
c) Compliance Management
d) Systems Measurement
17. Which of the following statements regarding the Senior Management is correct?
a) They are most accountable and responsible
b) Responsible for its discharge through the executive management and the organization and
resources under his/her charge
c) Should come from varied operations and staff functions to ensure fair representation
d) Accountable to the BOD for information security governance
18. A very important role as it provides recommendations to senior management to help improve the IT
governance initiatives.
a) Security
b) Audit
c) Privacy
d) Accounting
19. A set of regulations that ensures that financial institutions have enough capital on account to
absorb unexpected losses
a) Sarbanes-Oxley Act (SOX)
b) General Data Protection Regulation (GDPR)
c) Control Objectives for Information and Related Technologies (COBIT)
d) Basel Accords (Basel I, II, III)
20. Which of the following statements pertaining to effective enterprise governance is correct?
a) Only for group expertise
b) Now, IT is an enabler
c) Before, IT is an integral part
d) None of the above
ANSWER KEY:
1. C 6. A 11. D 16. A
2. D 7. B 12. B 17. C
3. D 8. B 13. C 18. B
4. B 9. A 14. C 19. D
References:
ISACA. (2019). CISA review manual (27th ed.).
Open information security management maturity model (O-ISM3). (2011, February). ComputerWeekly.com.
https://www.computerweekly.com/ehandbook/Open-Information-Security-Management-Maturity-Model-O-ISM3