
CISA?

Compliance Integration and Security Alignment ‐
“Will they satisfy the needs of today and lay the foundations we need for tomorrow?”

Roger Southgate
CISA, CISM, FCCA, MBA
rwsouthgate@isaca-london.org
The Organisation Challenge

Where and how should IT be used in meeting the demands of Today and preparing for the needs of Tomorrow?

Cycle shown on the slide:
Define strategy
Create value (good things to happen)
Preserve value (bad things not happening)
Resolve problems
Continuous improvement
Measure results

2
Global Status Report 2008
Key Findings of the Survey
The 13 key messages identified during the analysis of the survey reflect important findings from its results:
1. Although championship for IT governance within the enterprise comes from the C‐level, in daily practice IT governance is still very much a CIO/IT director issue. The few non‐IT people in the sample have a much more positive view of IT than do the IT professionals themselves.
2. The importance of IT continues to increase.
3. Self‐assessment regarding IT governance has increased and is quite positive.
4. Communication between IT and users is improving, but slowly.
5. There is still substantial room for improvement in alignment between IT governance and corporate governance, as well as between IT strategy and business strategy.
6. IT‐related problems persist. While security/compliance is an issue, people are the most critical problem.

3
DS5 Ensure Systems Security
Overall Maturity Assessment

4
Deliver and Support Domain Overall Maturity
Assessments for all Processes

5
The World Bank
The Role of International Standards, Principles and Best Practices

• International standards and codes of best practice are expected to make two principal contributions. The first is to enhance transparency by defining minimum standards and best practices for disclosure by governments, as well as by financial institutions and corporations.
• Perhaps even more importantly, international benchmarks can provide a guide in assessing policies and hence assist in addressing weaknesses and strengthening policies and institutions, both to reduce vulnerability and to promote long‐term development.

6
The Context

“What men believe about the power of the market or the dangers of the state has a bearing on the laws they enact or do not enact - on what they ask of the government or entrust to market forces.”
From the foreword

7
The Challenges of Complexity, Detail and Time

Models – Frameworks – Proven Practices help us make sense of the context and the challenges we face ….. they provide roadmaps.

Route maps or plans reflect the choices we make to guide our organisations to our defined goal or objective.
8
The Compliance Compass

(Diagram.) Axes labelled Reach (from Pervasive to Focused) and Range (from Principles to Prescription), with positions marked National and Global.

9
COSO ERM

Internal Environment: Risk Management Philosophy; Risk Appetite; Board of Directors; Integrity and Ethical Values; Commitment to Competence; Organisational Structure; Assignment of Authority and Responsibility; Human Resource Standards

Objective Setting: Strategic Objectives; Related Objectives; Selected Objectives; Risk Appetite; Risk Tolerance

Event Identification: Events; Influencing Factors; Event Identification Techniques; Event Interdependencies; Event Categories; Distinguishing Risks and Opportunities

Risk Assessment: Inherent and Residual Risk; Establishing Likelihood and Impact; Data Sources; Assessment Techniques; Event Relationships

Risk Response: Evaluating Possible Responses; Selected Responses; Portfolio View

Control Activities: Integration with Risk Response; Types of Control Activities; Policies and Procedures; Controls over Information Systems; Entity Specific

Information and Communication: Information; Communication

Monitoring: Ongoing Monitoring Activities; Separate Evaluations; Reporting Deficiencies
10
The Human Ingredient in the Recipe for Success

“First, if you begin with “who”, rather than “what”, you can more easily adapt to a changing world.”

“Second, if you have the right people on the bus, the problem of how to motivate and manage people largely goes away.”

“Third, if you have the wrong people, it doesn’t matter whether you discover the right direction; you still won’t have a great company. Great vision without great people is irrelevant.”
11
Are we on the same page?

Information security governance is a subset of enterprise governance that provides strategic direction, ensures that objectives are achieved, manages risks appropriately, uses organisation resources responsibly, and monitors the success or failure of the enterprise security programme.

Information security deals with all aspects of information (spoken, written, printed, electronic or any other medium) and information handling (created, viewed, transported, stored or destroyed). This is contrasted with IT security, which is concerned with security of information within the boundaries of the network infrastructure technology domain.

12
The World Economic Forum
Published in early January each year

1. Economics
– 6 trends, 6 issues of concern, 6 risks

2. Geopolitics
– 7 trends, 9 issues of concern, 12 risks

3. Environment
– 3 trends, 6 issues of concern, 7 risks

4. Society
– 4 trends, 4 issues of concern, 4 risks

5. Technology
– 2 trends, 2 issues of concern, 2 risks

www.weforum.org
13
14
Center for Information Systems Research
(CISR)
Availability

Access

Accuracy

Agility

http://mitsloan.mit.edu/cisr/index.php
15
The Global Information Technology Report

Under the theme Fostering Innovation through Networked Readiness, this year’s Report places a particular focus on the role of networked readiness in spurring innovation.

Published for the seventh consecutive year with record coverage of 127 economies worldwide, the Report has become the world’s most comprehensive and authoritative international assessment of the impact of ICT on the development process and the competitiveness of nations.

16
World Economic Forum
Global Information Technology Readiness – gitr
The Networked Readiness Index Framework

Networked Readiness Index:
Environment – Market; Political / Regulatory
Readiness – Individual Readiness; Business Readiness; Government Readiness
Usage – Individual Usage; Business Usage; Government Usage
17
The Jericho Forum “Commandments”
for the emerging de‐perimeterised future

Freely available from the Jericho Forum Website
Version 1.2 May 2007

http://www.jerichoforum.org

Always refer to www.jerichoforum.org to ensure you have the latest version
18
OCTAVE
Human Actors ‐ Network Access

Threat tree (columns: asset, access, actor, motive, outcome, impact):

asset
  network
    inside
      accidental: disclosure; modification; loss/destruction; interruption
      deliberate: disclosure; modification; loss/destruction; interruption
    outside
      accidental: disclosure; modification; loss/destruction; interruption
      deliberate: disclosure; modification; loss/destruction; interruption

© 2001 Carnegie Mellon University
S8B-19
19
UN Declaration of Human Rights ‐ Privacy

Article 12
No one shall be subjected to arbitrary interference with his
privacy, family, home or correspondence, nor to attacks upon his
honour and reputation. Everyone has the right to the protection
of the law against such interference or attacks.

20
COBIT Fundamentals

“To provide the information that the organisation needs to achieve its objectives, IT resources need to be managed by a set of naturally grouped processes.”

The four questions around the diagram: Are we doing the right things? Are we getting the benefits? Are we doing them the right way? Are we getting them done well?

The Business Requirements for Information: Effectiveness; Efficiency; Confidentiality; Integrity; Availability; Compliance; Reliability

Resources: Applications; Information; Infrastructure; People

IT Processes: Plan and Organise; Acquire and Implement; Deliver and Support; Monitor and Evaluate

Maturity Model Attributes:
A&C Awareness and Communication
PSP Policies, Standards and Procedures
T&A Tools and Automation
S&E Skills and Expertise
R&A Responsibility and Accountability
GSM Goal Setting and Measurement

21
What is Control?
Control is defined within COBIT as the:
policies,
procedures,
practices and
organisational structures designed to provide reasonable
assurance that business objectives will be achieved and
undesired events will be prevented or detected and
corrected.
Enterprise management needs to make control objective choices by:
• Selecting those that are applicable
• Deciding upon those that will be implemented
• Choosing how to implement them (frequency, span, automation, etc.)
• Accepting the risk of not implementing those that may apply

22
The Drivers and Pulls

Value

Risk
Cost Time

23
What Does it Mean?

Authority Accountability

Transparency
24
Authority and Accountability

What decisions need to be made?
Where should they be made?
Who should be involved?
When, where and how will we reap the benefits?

Levels: Global; Regional; Country; Business Unit
26
The Five Focus Areas of IT Governance

IT Alignment – Define strategy
Value Delivery – Create value (good things to happen)
Risk Management – Preserve value (bad things not happening)
IT Resource Management – Resolve problems
Performance Measurement – Measure results; Continuous improvement

The four questions around the cycle: Are we doing the right things? Are we getting the benefits? Are we doing them the right way? Are we getting them done well?
27
What is Trusted and why……?
Do we design and build for Security?

Virtualisation; Local IT Operations; Key Data Centres; Borders; Confidential Data; Logical Boundaries; Connectivity; Barriers; Administration; Incidents; Change; Configuration

Are we doing them the right way? Are we getting them done well?
28
Is it “built in” or “bolted on”?
What Risk does this control mitigate?

Layers: Business Controls – Business Processes – Business Applications – IT Resources and Processes

• Systems development
• Change management
• Security
• Computer operations
29
The Way Forward

• Realism
• Relevance
• Results

✓ Look
✓ Act
✓ Speak
✓ Think
30
Standards and Good Practices

“COBIT the integrator”
www.itgi.org

Focus areas around COBIT: Strategic Alignment; Value Delivery; Risk Management; Resource Management; Performance Measurement

Standards and practices shown: COSO; ISO 9000; CMMI; ISO 27000; ITIL; ISO 20000
31
Questions?
Click on the questions tab on your screen, type in your question
(and name if you wish) and hit submit.

32
