You are on page 1of 57

IT Governance

IT Governance Information Security Governance

Material is sourced from: CISA Review Manual 2009, 2008, ISACA. All rights reserved. Used by permission. CISM Review Manual 2009, 2008, ISACA. All rights reserved. Used by permission. Author: Susan J Lincke, PhD Univ. of Wisconsin-Parkside Reviewers/Contributors: Todd Burri Funded by National Science Foundation (NSF) Course, Curriculum and Laboratory Improvement (CCLI) grant 0837574: Information Security: Audit, Case Study, and Service Learning. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and/or source(s) and do not necessarily reflect the views of the National Science Foundation.

Corporate Governance
Corporate Governance: Leadership by corporate directors in creating and presenting value for all stakeholders
IT Governance: Ensure the alignment of IT with enterprise objectives Responsibility of the board of directors and executive mgmt

IT Governance Objectives

IT delivers value to the business IT risk is managed

Processes include: Equip IS functionality and address risk Measure performance of delivering value to the business Comply with legal and regulatory requirements

IT Governance Committees
Board members & specialists

IT Strategic Committee Focuses on Direction and Strategy Advises board on IT strategy and alignment Optimization of IT costs and risk

Business executives (IT users), CIO, key advisors (IT, legal, audit, finance)

IT Steering Committee Focuses on Implementation Monitors current projects Decides IT spending

IT Strategy Committee Main Concerns

Alignment of IT with Business Contribution of IT to the Business Exposure & containment of IT Risk Optimization of IT costs Achievement of strategic IT objectives

IT Steering Committee Main Concerns

Make decision of IT being centralized vs. decentralized, and assignment of responsibility Makes recommendations for strategic plans Approves IT architecture Reviews and approves IT plans, budgets, priorities & milestones Monitors major project plans and delivery performance

Strategic Planning Process

Strategic: Long-term (3-5 year) direction considers organizational goals, regulation (and for IT: technical advances) Tactical: 1-year plan moves organization to strategic goal Operational: Detailed or technical plans




Security Strategic Planning

Risk Mgmt Laws Governance Policy Organizational Security Data classification Audit Risk analysis Business continuity Metrics development Incident response Physical security Network security Policy compliance Metrics use




Strategic Planning
Strategy: Achieve COBIT Level 4 Tactical: During next 12 months: Each business unit must identify current applications in use 25% of all stored data must be reviewed to identify critical resources Business units must achieve regulatory compliance A comprehensive risk assessment must be performed for each business unit All users must undergo general security training Standards must exist for all policies

Standard IT Balanced Scorecard

Establish a mechanism for reporting IT strategic aims and progress to the board Mission = Direction E.g.: Serve business efficiently and effectively Strategies = Objectives E.g.: Quality thru Availability Process Maturity Measures = Statistics E.g.: Customer satisfaction Operational efficiency




IT Balanced Scorecard
Financial Goals How should we appear to stockholder? Vision: Metrics: Performance: Customer Goals How should we appear to our customer? Vision: Metrics: Performance: Internal Business Process What business processes should we excel at? Vision: Metrics: Performance: Learning and Growth Goals How will we improve internally? Vision: Metrics: Performance:

Case Study: IT Governance

Strategic Plan Tactical Plan

Strategic Plan Objective Time frame

Incorporate the business Pass a professional audit

5 yrs 4 yrs

Tactical Plan: Objective Perform strategiclevel security, includes:

Time frame

1 yr

Perform risk analysis

6 mos.

Perform BIA
Define policies

1 yr
1 yr

Case Study: IT Governance

Operational Planning
Objective and Timeframe Hire an internal auditor and security professional 2 months: March 1 Establish security team of business, IT, personnel: 1 month: Feb. 1 Team initiates risk analysis and prepares initial report 3 months: April 1 Responsibility VP Finance

VP Finance & Chief Info. Officer (CIO) CIO & Security Team

Enterprise Architecture

Constructing IT is similar to constructing a building It must be designed and implemented at various levels:

Technical (Hardware, Software) IT Procedures & Operations Business Procedures & Operations
Functional Network

Enterprise Model


People (Org.)

Process (Flow)


Systems Model

Tech Model
Detailed Representation

Sourcing Practices
Insourced: Performed entirely by the organizations staff Outsourced: Performed entirely by a vendors staff Hybrid: Partial insourced and outsourced Onsite: Performed at IS dept site Offsite or Nearshore: Performed in same geographical area Offshore: Performed in a different geographical region
What advantages can you think of for insourcing versus outsourcing?

Quality with ISO 9000

ISO 9000: Standard for Quality Mgmt Systems. Recommendations include: Quality Manual: Documented procedures HR: Documented standards for personnel hiring, training, evaluation, Purchasing: Documented standards for vendors: equipment & services Gap Analysis: The difference between where you are and where you want to be

Quality Definitions
Quality Assurance: Ensures that staff are following defined quality processes: e.g., following standards in design, coding, testing, configuration management Quality Control: Conducts tests to validate that software is free from defects and meets user expectations

Performance Optimization
Phases of Performance Measurement include: Establish and update performance metrics Establish accountability for performance measures Gather and analyze performance data Report and use performance results Note: Strategic direction for how to achieve performance improvements is necessary

Categories of Performance Measures

Performance Measurement: What are indicators of good IT performance? IT Control Profile: How can we measure the effectiveness of our controls? Risk Awareness: What are the risks of not achieving our objectives? Benchmarking: How do we perform relative to others and standards?

IS Auditor & IT Governance

Is IS function aligned with organizations mission, vision, values, objectives and strategies? Does IS achieve performance objectives established by the business? Does IS comply with legal, fiduciary, environmental, privacy, security, and quality requirements? Are IS risks managed efficiently and effectively? Are IS controls effective and efficient?

Audit: Recognizing Problems

End-user complaints Excessive costs or budget overruns Late projects Poor motivation - high staff turnover High volume of H/W or S/W defects Inexperienced staff lack of training Unsupported or unauthorized H/W S/W purchases Numerous aborted or suspended development projects Reliance on one or two key personnel Poor computer response time Extensive exception reports, many not tracked to completion

Audit: Review Documentation

IT Strategies, Plans, Budgets Security Policy Documentation Organization charts & Job Descriptions Steering Committee Reports System Development and Program Change Procedures Operations Procedures HR Manuals QA Procedures Contract Standards and Commitments

Bidding, selection, acceptance, maintenance, compliance

The MOST important function of the IT department is: Cost effective implementation of IS functions Alignment with business objectives 24/7 Availability Process improvement


2. 3. 4.

Product testing is most closely associated with which department: Audit Quality Assurance Quality Control Compliance

1. 2. 3. 4.

Implement virtual private network in the next year is a goal at the level: Strategic Operational Tactical Mission

1. 2. 3. 4.

Which of the following is not a valid purpose of the IS Audit? 1. Ensure IS strategic plan matches the intent of the enterprise strategic plan 2. Ensure that IS has developed documented processes for software acquisition and/or development (depending on IS functions) 3. Verify that contracts followed a documented process that ensures no conflicts of interest 4. Investigate program code for backdoors, logic bombs, or Trojan horses

Documentation that would not be viewed by the IT Strategy Committee would be: 1. IT Project Plans 2. Risk Analysis & Business Impact Analysis 3. IT Balanced Scorecard 4. IT Policies

Information Security Governance

Governance Policy Risk

Information Security Importance

Organizations are dependent upon and are driven by information


= information on how to process Data, graphics retained in files

Information & computer crime has escalated Therefore information security must be addressed and supported at highest levels of the organization

Security Organization
Review Risk assessment & Business Impact Analysis Define penalties for non-compliance of policies Board of Directors Defines security objectives and institutes security organization

Executive Mgmt Senior representatives of business functions ensures alignment of security program Security with business Steering objectives Committee Other positions: Chief Risk Officer (CRO) Chief Compliance Officer (CCO) Chief Info Security Officer (CISO)

Security Governance
Strategic Alignment: Security solution consistent with organization goals and culture Risk Management: Understand threats and costeffectively control risk Value Delivery: Prioritized and delivered for greatest business benefit Performance Measurement: Metrics, independent assurance Resource Management: Security architecture development & documentation Process Integration: Security is integrated into a wellfunctioning organization

Executive Mgmt Info Security Concerns

Reduce civil and legal liability related to privacy Provide policy and standards leadership Control risk to acceptable levels Optimize limited security resources Base decisions on accurate information Allocate responsibility for safeguarding information Increase trust and improve reputation outside organization

Legal Issues
International trade, employment may be liable to different regulations than exist in the U.S. affecting: Hiring Internet business Trans-border data flows Cryptography Copyright, patents, trade secrets Industry may be liable under legislation: SOX: Sarbanes-Oxley: Publicly traded corp. FISMA: Federal Info Security Mgmt Act HIPAA: Health Insurance Portability and Accountability Act GLBA: Gramm-LeachBliley: Financial privacy Etc.

Road Map for Security (New Program)

Documentation Security Issues Interview stakeholders (HR, legal, finance) to determine org. issues & concerns

Security Policies

Develop security policies for approval to Mgmt

Conduct security training & test for compliance Improve standards Develop compliance monitoring strategy

Info Security Steering Committee

Training materials

Security Relationships
Security requirements Access control
Exec. Mgmt

Security Strategy, Risk, & Alignment

Human Res.

S /W Dev.

Hiring, training, roles & responsibility, Incident handling

Security requirements in RFP Contract requirements



BusiSecurity requirements ness sign-off, Mgmt

Acceptance test, Access authorization

Security requirements and review Change control Security upgrade/test

Quality Control

IT Operations

Legal Dept

Laws & Regulations

Security monitoring, Incident resp., Site inventory, Crisis management

Security Governance Framework

Security Strategy

Security Organization

Security Framework

Policies, Standards, Procedures

Compliance Monitoring

Secure Strategy: Risk Assessment

Five Steps include: 1. Assign Values to Assets:

Where are the Crown Jewels? Confidentiality, Integrity, Availability Loss = Downtime + Recovery + Liability + Replacement Weekly, monthly, 1 year, 10 years? Risk Exposure = ProbabilityOfVulnerability * $Loss Survey & Select New Controls Reduce, Transfer, Avoid or Accept Risk


Determine Loss due to Threats & Vulnerabilities

3. 4. 5.

Estimate Likelihood of Exploitation

Compute Expected Loss Treat Risk

Example Policy Documents

Data Classification: Defines data security categories, ownership and accountability Acceptable Usage Policy: Describes permissible usage of IT equipment/resources End-User Computing Policy: Defines usage and parameters of desktop tools Access Control Policies: Defines how access permission is defined and allocated After policy documents are created, they must be officially reviewed, updated, disseminated, and tested for compliance

Compliance Function
Compliance: Ensures compliance with organizational policies E.g.: Listen to selected help desk calls to verify proper authorization occurs when resetting passwords Best if compliance tests are automated
Compliance: ongoing process Ensures adherence to policies

Time Audit: Snapshot of compliance in time

Compliance Program Security Review or Audit Test

Objective: Is our web-interface to DB safe? Scope: Penetration test on DB Constraints: Must test between 1-4 AM Approach: 1. Tester has valid session credentials 2. Specific records allocated for test 3. Test: SQL Injection Result: These problems were found:

Security Positions
Security Architect Design secure network topologies, access control, security policies & standards. Evaluate security technologies Work with compliance, risk mgmt, audit Security Administrator Allocate access to data under data owner Prepare security awareness program Test security architecture Monitor security violations and take corrective action Review and evaluate security policy

Security Architect: Control Analysis Do controls fail secure or fail open?

Is restrictive or permissive policy (denied unless expressly permitted or vice versa?) Does control align with policy & business expectation? Policy
Where are controls located? Are controls layered? Is control redundancy needed? Placement

Does control protect ImplemenEfficiency broadly or one application? Have controls been tested? tation If control fails, is there a Are controls self-protecting? control remaining? Do controls meet control Effectiveness (single point of failure) objectives? If control fails, does appl. fail? Will controls alert security Are controls reliable? personnel if they fail? Do they inhibit productivity? Are control activities logged Are they automated or manual? and reviewed? Are key controls monitored in real-time? Are controls easily circumvented?

Control Practices
These may be useful in particular conditions: Automate Controls: Make technically infeasible to bypass Access Control: Users should be identified, authenticated and authorized before accessing resources Secure Failure: If compromise possible, stop processing Compartmentalize to Minimize Damage: Access control required per system resource set Transparency: Communicate so that average layperson understands control->understanding & support Trust: Verify communicating partner through trusted 3rd party (e.g., PKI) Trust No One: Oversight controls (e.g., CCTV) Segregation of Duties: Require collusion to defraud the organization Principle of Least Privilege: Minimize system privileges

Security Administrator: Security Operations

Identity Mgmt & Access control System patching & configuration mgmt Change control & release mgmt Security metrics collection & reporting Control technology maintenance Incident response, investigation, and resolution

Summary of Security Mgmt Functions

Develop security strategy

Linked with business objectives Regulatory & legal issues are addressed Sr Mgmt acceptance & support

Complete set of policies Standards & Procedures

for all relevant policies

Security awareness for all users and security training as needed Classified information assets by criticality and sensitivity

Summary of Security Mgmt Functions

Effective compliance & enforcement processes

Metrics are maintained and disseminated Monitoring of compliance & controls Utilization of security resources is effective Noncompliance is resolved in a timely manner Risks are assessed, communicated, and managed Controls are designed, implemented, maintained, tested Incident and emergency response processes are tested Business Continuity & Disaster Recover Plans are tested

Effective risk mgmt and business impact assessment

Summary of Security Mgmt Functions

Develop security strategy, oversee security program, liaise with business process owners for ongoing alignment

assignment of roles & responsibilities Security participation with Change Management Address security issues with 3rd party service providers Liaise with other assurance providers to eliminate gaps and overlaps

Who can contribute the MOST to determining the priorities and risk impacts to the organizations information resources? 1. Chief Risk Officer 2. Business Process Owners 3. Security Manager 4. Auditor

A document that describes how access permission is defined and allocated is the: Data Classification Acceptable Usage Policy End-User Computing Policy Access Control Policies

2. 3. 4.

The role of the Information Security Manager in relation to the security strategy is: Primary author with business input Communicator to other departments Reviewer Approves the strategy

2. 3.


1. 2. 3. 4.

The role most likely to test a control is the: Security Administrator Security Architect Quality Control Analyst Security Steering Committee

The Role responsible for defining security objectives and instituting a security organization is the: Chief Security Officer Executive Management Board of Directors Chief Information Security Officer

2. 3.


When implementing a control, the PRIMARY guide to implementation adheres to: 1. Organizational Policy 2. Security frameworks such as COBIT, NIST, ISO/IEC 3. Prevention, Detection, Correction 4. A layered defense

The persons on the Security Steering Committee who can contribute the BEST information relating to insuring Information Security success is: Chief Information Security Officer Business process owners Executive Management Chief Information Officer

1. 2. 3. 4.

Vocabulary to Study High Priority

IT strategic committee, IT steering committee, Security steering committee Mission, Strategic plan, Tactical plan, Operational plan Quality Assurance, Quality Control CISO, CIO, CSO, Board of Directors, Executive Mgmt, Security Architect, Security Administrator Policy, Compliance IT Balanced Scorecard, Measure, ISO 9000

Vocabulary to Study Low Priority

Enterprise Architecture In Source, Out Source, Hybrid, Offshore, Onsite Acceptable Use Policy, Access Control Policies, Data Classification