Professional Documents
Culture Documents
com
IT-Related Frameworks
The frameworks help organizations address business issues through governance and
management of information and technology, starting with aligning high-level strategic objectives
with operational-level objectives and then direct work outcomes.
Some of the EGIT frameworks are:
Ø COBIT (Control Objectives for Information and Related Technology): COBIT was developed
by ISACA to support EGIT by providing a framework to ensure that IT is aligned with the
business, IT enables the business and maximizes benefits, IT resources are used responsibly,
and IT risk is managed appropriately. COBIT provides tools to assess and measure the
performance of IT processes within an organization.
Ø ISO (International Organization for Standardization) / IEC (International Electrotechnical
Commission) 27000 series: ISO/IEC 27000 series is a set of best practices that provides
guidance to organizations implementing and maintaining information security programs.
Ø ITIL (Information Technology Infrastructure Library): ITIL was developed by the UK Office
of Government Commerce (OGC), in partnership with the IT Service Management Forum,
and is a detailed framework with hands-on information regarding how to achieve successful
operational service management of IT. It also includes business value delivery.
Ø ISO 3100:2018: Risk management: It provides guidelines on and a common approach to risk
management for organizations.
the strategic objectives of the organization. Policies formulated must support achievement of
business objectives and implementation of IS controls.
Management should review all policies periodically. Policies need to be updated to reflect new
technology, changes in environment (e.g., regulatory compliance requirements), and significant
changes in business processes in exploiting IT for efficiency and effectiveness in productivity or
competitive gains.
Information Security Policy
An information security policy is a set of rules and/or statements developed by an organization to
protect its information and related technology.
The information security policy is be used by the IS auditors as a reference framework for
performing various IS audit assignments. The adequacy and appropriateness of the security policy
could also be an area of review for the IS auditor.
Standards
Standards are the mandatory requirement, code of practice or specification approved by a
recognized external standards organization, such as ISO/IEC, or ISACA. Standards help ensure
effectiveness and reliability of products and services and are necessary to the trust and
effectiveness needed to ensure continued growth.
Procedures
Procedures are documented, defined steps for achieving policy objectives. They must be derived
from the parent policy and must implement the spirit (intent) of the policy statement. Procedures
must be written in a clear and concise manner, so they may be easily and properly understood by
those governed by them. Procedures document business and aligned IT processes (administrative
and operational) and the embedded controls. Procedures are formulated by process owners as
an effective translation of policies.
Guidelines
Guidelines for executing procedures are also the responsibility of operations. Guidelines should
contain information that will be helpful in executing the procedures. This can include clarification
of policies and standards, dependencies, suggestions and examples, narrative clarifying the
procedures, background information that may be useful, and tools that can be used. Guidelines
can be useful in many other circumstances as well, but they are considered here in the context of
information security governance.
Organizational Structure
Organizational structure is a key component to governance. It identifies the key decision-making
entities in an enterprise.
Traditionally, organizations have had executive-level steering committees to handle IT issues that
are relevant organizationwide. There should be a clear understanding of both the IT strategy and
steering levels. A clear analysis of IT Strategy & IT Steering Committee are depicted below:
Responsibility Provides insight and advice to the • Decides the overall level of IT
board on topics such as: spending and how costs will be
allocated
CS421; Faculty: Md Jahangir Alam, CISA, CEH, CBP, ISO 27001 LA, LSSBB; jahangircsebd@gmail.com
Authority • Advises the board and management • Assists the executive in the delivery
on IT strategy of the IT strategy
• Is delegated by the board to provide • Oversees day-to-day management of
input to the strategy and prepare its IT service delivery and IT projects
approval
• Focuses on implementation
• Focuses on current and future
strategic IT issues
Following roles and responsibilities must be defined and appropriately exercise for proper
governance and management of IT.
• Board of Directors
• Senior Management
• Chief Information Security Officer (CISO)
• IT Steering Committee
• Systems development manager
• Project management
• Help desk (service desk)
• End user
• End-user support manager
• Quality assurance (QA) manager
• Systems Administration
• Security Administration
• Database Administration
• Systems Analyst
• Security Architect
• System Security Engineer
• Network administrators
• Errors
• Malicious damage/attack
• Fraud
• Theft
• Equipment/software failure
Examples of vulnerabilities are:
• Lack of user knowledge
• Lack of security functionality
• Inadequate user awareness/education (e.g., poor choice of passwords)
• Untested technology
• Transmission of unprotected communications
Step 3: Evaluation of the Impact
The result of a threat agent exploiting a vulnerability is called an impact. The impact can vary in
magnitude, affected by severity and duration. In commercial organizations, threats usually result
in a direct financial loss in the short term or an ultimate (indirect) financial loss in the long term.
Examples of such losses include:
• Direct loss of money (cash or credit)
• Breach of legislation (e.g., unauthorized disclosure)
• Loss of reputation/goodwill
• Endangering of staff or customers
• Breach of confidence
• Loss of business opportunity
• Reduction in operational efficiency/performance
• Interruption of business activity
Step 4: Calculation of Risk
After the elements of risk have been established, they are combined to form an overall view of
risk. A common method of combining the elements is to calculate the following for each threat:
probability of occurrence × magnitude of impact. This will give a measure of overall risk.
The risk is proportional to the estimated likelihood of the threat and the value of the loss/damage.
Step 5: Evaluation of and Response to Risk
After risk has been identified, existing controls can be evaluated or new controls designed to
reduce the vulnerabilities to an acceptable level. These controls are referred to as
countermeasures or safeguards and include actions, devices, procedures or techniques (i.e.,
people, processes or products). The strength of a control can be measured in terms of its inherent
or design strength and the likelihood of its effectiveness.
RISK ANALYSIS METHODS
The most common risk analysis methods include qualitative, semiquantitative and quantitative.
Each has advantages and limitations.
CS421; Faculty: Md Jahangir Alam, CISA, CEH, CBP, ISO 27001 LA, LSSBB; jahangircsebd@gmail.com
IT Resource Management
Each enterprise faces the challenge of using its limited resources, including people and money, to
achieve its goals and objectives. When an organization invests its resources in a given effort, it
incurs opportunity costs because it is unable to pursue other efforts that could bring value to the
enterprise. An IS auditor should understand an organization’s investment and allocation practices
to determine whether the enterprise is positioned to achieve the greatest value from the
investment of its resources.
CS421; Faculty: Md Jahangir Alam, CISA, CEH, CBP, ISO 27001 LA, LSSBB; jahangircsebd@gmail.com
Traditionally, when IT professionals and top managers discussed the ROI of an IT investment, they
were thinking about financial benefits, which include impacts on the organization’s budget and
finances (e.g., cost reductions or revenue increases). Today, business leaders also consider the
nonfinancial benefits of IT investments, which include impacts on operations or mission
performance and results (e.g., improved customer satisfaction, better information, shorter cycle
time).
Where feasible, nonfinancial benefits should be made visible and tangible by using algorithms that
transform them into monetary units to understand their impact and improve their analysis.
• Quality control (QC)—The observation techniques and activities used to fulfill requirements
for quality. QC is responsible for conducting tests or reviews to verify and ensure that software
is free from defects and meets user expectations. This could be done at various stages of the
development of an application system, but it must be done before the programs are moved
into production. For example, QC will help to ensure that programs and documentation
adhere to the standards and naming conventions.
QUALITY MANAGEMENT
Quality management is one of the means by which IT department-based processes are controlled,
measured and improved. Processes in this context are defined as a set of tasks that, when
properly performed, produce the desired results.
Areas of control for quality management may include:
• Software development, maintenance and implementation
• Acquisition of hardware and software
• Day-to-day operations
• Service management
• Security
• HR management
• General administration
Reference:
§ CISA Review Manual by ISACA
§ ISO/IEC 27001 ISMS Standards
§ https://www.nist.gov/
§ Internet