Governance and Management of IT

Date post: 01-Nov-2015
Upload: shadabali
Transcript
Governance and Management of IT
By: Shamsuddin Surani

CORPORATE GOVERNANCE

Corporate Governance: "The system by which business corporations are directed and controlled."

It is a set of responsibilities and practices used by an organization's management to provide strategic direction, thereby ensuring that goals are achievable, risks are properly addressed and organizational resources are properly utilized.

IT GOVERNANCE

One of the domains of enterprise governance: how IT is applied within the enterprise.

IT is now regarded as an integral part of the enterprise; CEOs, COOs, CFOs, CIOs and CTOs agree that strategic alignment between IT and enterprise objectives is a critical success factor.

The key element of IT governance is the alignment of business and IT, leading to the achievement of business value. It is concerned with two issues:
- IT delivers value to the business, driven by strategic alignment with the business
- IT risks are managed, driven by embedding accountability into the enterprise

INFORMATION TECHNOLOGY MONITORING AND ASSURANCE PRACTICES FOR BOARD AND SENIOR MANAGEMENT

The traditional involvement of board-level executives in IT issues was to defer all key decisions to the company's IT professionals. IT governance implies a system in which all stakeholders, including the board, internal customers and departments such as finance, provide input into the decision-making process.

IT governance is the responsibility of the board of directors and executive management.

Key IT governance practices are: IT Strategy Committee, Risk Management and IT Balanced Scorecard.

FIVE FOCUS AREAS OF IT-GOV

Strategic Alignment: Focuses on ensuring the linkage of business and IT plans; defining, maintaining and validating the IT value proposition; and aligning IT operations with enterprise operations.

Value Delivery: About executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimizing costs and proving the intrinsic value of IT.

Risk Management: Requires risk awareness by senior corporate officers, a clear understanding of the enterprise's appetite for risk, understanding of compliance requirements, and transparency about the significant risks to the enterprise.

Resource Management: About the optimal investment in, and the proper management of, critical IT resources: applications, information, infrastructure and people.

Performance Measurement: Tracks and monitors strategy implementation, project completion, resource usage, process performance and service delivery, using, for example, balanced scorecards that translate strategy into action to achieve goals measurable beyond conventional accounting.

IT GOVERNANCE FRAMEWORKS

Control Objectives for Information and related Technology (COBIT) was developed by the IT Governance Institute (ITGI) to support IT governance by providing a framework to ensure that: IT is aligned with the business, IT enables the business and maximizes benefits, IT resources are used responsibly, and IT risks are managed appropriately. COBIT provides tools to assess and measure the performance of 34 IT processes within an organization.

The ISO/IEC 27001 (ISO 27001) series of standards is a set of best practices that provides guidance to organizations implementing and maintaining information security programs. ISO 27001 was originally published in the United Kingdom (UK) as British Standard 7799 (BS 7799) and has become a well-known standard in the industry.

The IT Infrastructure Library (ITIL), developed by the UK Office of Government Commerce (OGC), is a detailed framework with hands-on information regarding how to achieve successful operational service management of IT.

Etc.

AUDIT ROLE IN IT GOVERNANCE

IT is governed by good or best practices which ensure that the organization's information and related technology: support the enterprise's business objectives (i.e., strategic alignment), deliver value, use resources responsibly, manage risks appropriately and measure performance.

Audit plays a significant role in the successful implementation of IT governance within an organization. Audit is well positioned to provide leading practice recommendations to senior management to help improve the quality and effectiveness of the IT governance initiatives implemented.

The following aspects related to IT governance need to be assessed:
- Alignment of the IS function with the organization's mission, vision, values, objectives and strategies
- Achievement of performance objectives established by the business (e.g., effectiveness and efficiency) by the IS function
- Legal, environmental, information quality, fiduciary, security and privacy requirements
- The control environment of the organization
- The inherent risks within the IS environment
- IT investment/expenditure

IT STRATEGY COMMITTEE

As a committee of the board, it assists the board in overseeing the enterprise's IT-related matters by ensuring that the board has the internal and external information it requires for effective IT governance decision making. This is a mechanism for incorporating IT governance into enterprise governance.

IT STRATEGY COMMITTEE VS. IT STEERING COMMITTEE

IT Strategy Committee:
- Advises the board and management on IT strategy
- Is delegated by the board to provide input to the strategy and prepare its approval
- Focuses on current and future strategic IT issues

IT Steering Committee:
- Assists the executive in the delivery of the IT strategy
- Oversees day-to-day management of IT service delivery and IT projects
- Focuses on implementation

INFORMATION SECURITY GOVERNANCE

Information security governance is the responsibility of the board of directors and executive management, and must be an integral and transparent part of enterprise governance.

Within IT governance, information security governance should become a focused activity with specific value drivers: confidentiality, integrity and availability of information, continuity of services and protection of information assets.

Until recently, the focus of protection has been on the IT systems that collect, process and store the vast majority of information rather than on the information itself. The reach of protection efforts should encompass not only the processes or systems that generate the information but also the continued preservation of information generated as a result of the controlled processes.

OUTCOMES OF SECURITY GOVERNANCE

Strategic alignment: Align information security with business strategy to support organizational objectives.

Risk management: Manage and execute appropriate measures to mitigate risks and reduce potential impacts on information resources to an acceptable level.

Value delivery: Optimize security investments in support of business objectives.

Performance measurement: Measure, monitor and report on information security processes to ensure that SMART (Specific, Measurable, Achievable, Relevant and Time-bound) objectives are achieved.

Resource management: Utilize information security knowledge and infrastructure efficiently and effectively.

Information security governance is the responsibility of the board of directors and executive management, and must be an integral and transparent part of enterprise governance.

Effective Information Security Governance

To achieve effective information security governance, management must establish and maintain a framework to guide the development and management of a comprehensive information security program that supports business objectives. This framework provides the basis for the development of a cost-effective information security program that supports the organization's business goals.

ROLES AND RESPONSIBILITIES OF SENIOR MANAGEMENT AND BOARDS OF DIRECTORS

The tone at the top must be conducive to effective security governance. It is unreasonable to expect lower-level personnel to abide by security measures if they are not exercised by senior management.

Executive management endorsement of intrinsic security requirements provides the basis for ensuring that security expectations are met at all levels of the enterprise. Penalties for noncompliance must be defined, communicated and enforced from the board level down.

IT INVESTMENT AND ALLOCATION PRACTICES

Each enterprise faces the challenge of using its limited resources, including people and money, to achieve its goals and objectives. When an organization invests its resources in a given effort, it incurs opportunity costs because it is unable to pursue other efforts that could bring value to the enterprise.

An IS auditor should understand an organization's investment and allocation practices to determine whether the enterprise is positioned to achieve the greatest value from the investment of its resources.

Traditionally, when IT professionals and top managers discussed the ROI of an IT investment, they were thinking about financial benefits. Today, business leaders also consider the nonfinancial benefits of IT investments.

Financial benefits include impacts on the organization's budget and finances, e.g., cost reductions or revenue increases.

Nonfinancial benefits include impacts on operations or mission performance and results, e.g., improved customer satisfaction, better information, shorter cycle time.

MATURITY AND PROCESS IMPROVEMENT MODELS

Capability Maturity Model (CMM): a standardized framework for assessing the maturity level of an organization's information system development and management processes and products. It consists of five levels of maturity:

Level 1 - Initial: System development projects follow no prescribed process.

Level 2 - Repeatable: Project management processes and practices are established to track project costs, schedules and functionality.

Level 3 - Defined: A standard system development process (sometimes called a methodology) is purchased or developed. All projects use a version of this process to develop and maintain information systems and software.

Level 4 - Managed: Measurable goals for quality and productivity are established.

Level 5 - Optimizing: The standardized system development process is continuously monitored and improved based on measures and data analysis established in Level 4.

CAPABILITY MATURITY MODEL (CMM)

POLICIES AND PROCEDURES

Policies:
- High-level documents
- Represent the corporate philosophy of an organization
- Must be clear and concise to be effective

Policies:
- Management should review all policies carefully
- Policies need to be updated to reflect new technology and significant changes in business processes
- Policies formulated must enable achievement of business objectives and implementation of IS controls

POLICIES (CONTINUED)

Information Security Policies:
- Communicate a coherent security standard to users, management and technical staff
- Must balance the level of control with the level of productivity
- Provide management the direction and support for information security in accordance with business requirements, relevant laws and regulations

POLICIES (CONTINUED)

Information Security Policy Document:
- Definition of information security
- Statement of management intent
- Framework for setting control objectives
- Brief explanation of security policies
- Definition of responsibilities
- References to documentation

POLICIES (CONTINUED)

Review of the Information Security Policy Document:
- Should be reviewed at planned intervals or when significant changes occur to ensure its continuing suitability, adequacy and effectiveness
- Should have an owner who has approved management responsibility for the development, review and evaluation of the security policy
- Should include assessing opportunities for improvement to the organization's information security policy

PROCEDURES

Detailed documents:
- Must be derived from the parent policy
- Must implement the spirit (intent) of the policy statement
- Procedures must be written in a clear and concise manner
- An independent review is necessary to ensure that policies and procedures have been properly documented, understood and implemented

RISK MANAGEMENT

The process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives.

DEVELOPING A RISK MANAGEMENT PROGRAM

To develop a risk management program:
- Establish the purpose of the risk management program
- Assign responsibility for the risk management plan

RISK MANAGEMENT PROCESS

Identification and classification of information resources or assets that need protection. Examples of typical assets associated with information and IT include: information and data, hardware and software, services, documents, personnel.

Assess threats and vulnerabilities and the likelihood of their occurrence. Common classes of threats are: errors, malicious damage/attack, fraud, theft, equipment/software failure. Examples of vulnerabilities are: lack of user knowledge, lack of security functionality, poor choice of passwords, untested technology.

Once the elements of risk have been established they are combined to form an overall view of risk.

The magnitude of the result of a threat agent exploiting a vulnerability is called an impact.

Threats usually result in a direct financial loss in the short term or an ultimate (indirect) financial loss in the long term. Examples of such losses include:
- Direct loss of money (cash or credit)
- Breach of legislation
- Loss of reputation/goodwill
- Endangering of staff or customers
- Loss of business opportunity
- Reduction in operational efficiency/performance
- Interruption of business activity

RISK MANAGEMENT PROCESS (CONTINUED)

Once risks have been identified, existing controls can be evaluated or new controls designed to reduce the vulnerabilities to an acceptable level of risk.

The remaining level of risk, once controls have been applied, is called residual risk and can be used by management to identify those areas in which more control is required to further reduce risk.

Final acceptance of residual risk takes into account: organizational policy, cost and effectiveness of implementation, etc.

RISK MANAGEMENT PROCESS (CONTINUED)

IT risk management needs to operate at multiple levels, including:
- Operational: risks that could compromise the effectiveness of IT systems and supporting infrastructure
- Project: risk management needs to focus on the ability to understand and manage project complexity
- Strategic: the risk focus shifts to considerations such as how well the IT capability is aligned with the business strategy

IS MANAGEMENT PRACTICES

In most organizations, the IS department is a service (support) department. The traditional role of a service department is to help production (line) departments conduct their operations more effectively and efficiently. Today, however, IS has become an integral part of every facet of the operations of an organization.

Management activities to review the policy/procedure formulations and their effectiveness within the IS department would include practices such as personnel management, sourcing and IT change management.

HUMAN RESOURCE MANAGEMENT

Human resource management relates to organizational policies and procedures for recruiting, selecting, training and promoting staff, measuring staff performance, disciplining staff, succession planning, and staff retention. The effectiveness of these activities, as they relate to the IS function, impacts the quality of staff and the performance of IS duties.

Hiring Practices: Hiring practices are important to ensure that the most effective and efficient staff is chosen and that the company is in compliance with legal recruitment requirements. Some of the common controls would include:
- Background checks (e.g., criminal, financial, professional, references)
- Confidentiality agreements
- Etc.

Employee Handbook: Distributed to all employees upon being hired; should explain items such as security policies and procedures, company expectations, employee benefits, etc.

Promotion Policies: Promotion policies should be fair and equitable and understood by employees. Policies should be based on objective criteria and consider an individual's performance, education, experience and level of responsibility. The IS auditor should ensure that the IS organization has well-defined policies and procedures for promotion, and is adhering to them.

Training: Training should be provided on a regular basis to all employees based on the areas where employee expertise is lacking. Training is particularly important for IS professionals, given the rapid rate of change of technology and products.

Employee Performance Evaluations: Employee assessment must be a standard and regular feature for all IS staff. The HR department should ensure that IS managers and employees set mutually agreed goals/expected results.

Required Vacations: A required vacation (holiday) ensures that once a year, at a minimum, someone other than the regular employee will perform a job function. This reduces the opportunity to commit improper or illegal acts.

Job rotation provides an additional control (to reduce the risk of fraudulent or malicious acts) since the same individual does not perform the same tasks all the time. This provides an opportunity for an individual other than the regularly assigned person to perform the job and notice possible irregularities.

Termination Policies: Written termination policies should be established to provide clearly defined steps for employee separation. It is important that policies be structured to provide adequate protection for the organization's computer assets and data.

Termination practices should address voluntary and involuntary (e.g., immediate) terminations. For certain situations, such as involuntary terminations under adverse conditions, an organization should have clearly defined and documented procedures for escorting the terminated employee from the premises.

In all cases, however, the following control procedures should be applied:
- Return of all access keys, ID cards and badges, to prevent easy physical access
- Deletion/revocation of assigned logon IDs and passwords, to prohibit system access
- Notification to appropriate staff and security personnel regarding the employee's status change to "terminated"
- Arrangement of the final pay routines, to remove the employee from active payroll files
- Performance of a termination interview, to gather insight on the employee's perception of management
- Return of all company property

SOURCING PRACTICES

Sourcing practices relate to the way an organization obtains the IS function required to support the business. An organization can perform all IS functions in-house or outsource all functions across the globe, giving consideration to the following:
- Is this a core function for the organization?
- Does this function have specific knowledge, processes and staff critical to meeting its goals and objectives, and that cannot be replicated externally or in another location?
- Can this function be performed by another party or in another location for the same or lower price, with the same or higher quality, and without increasing risk?
- Does the organization have experience managing third parties or using remote/offshore locations to execute IS or business functions?

The sourcing strategy should consider each IS function and determine which approach allows the IS function to meet the organization's goals.

If the organization has chosen to use outsourcing, a rigorous process should be followed, including the following steps:
- Define the IS function to be outsourced.
- Describe the service levels required and minimum metrics to be met.
- Know the desired level of knowledge, skills and quality of the expected service provider.
- Know the current in-house cost information to compare with third-party bids.
- Conduct due diligence reviews of potential service providers.

Delivery of IS functions can include:
- Insourced: fully performed by the organization's staff
- Outsourced: fully performed by the vendor's staff
- Hybrid: performed by a mix of the organization's and vendor's staffs

IS functions can be performed across the globe, taking advantage of time zones and arbitraging labor rates, and can include:
- Onsite: staff work onsite in the IS department
- Offsite: also known as near-shore; staff work at a remote location in the same geographic area
- Offshore: staff work at a remote location in a different geographic region

Outsourcing Practices and Strategies

Contractual agreements under which an organization hands over control of part or all of the functions of the IS department to an external party. Becoming increasingly important in many organizations.

The IS auditor must be aware of the various forms outsourcing can take as well as the associated risks.

SOURCING PRACTICES (CONTINUED)

Possible advantages:
- Commercial outsourcing companies are likely to devote more time and focus more efficiently on a given project than in-house staff
- Outsourcing vendors are likely to have more experience with a wider array of problems, issues and techniques

Possible disadvantages:
- Costs exceeding customer expectations
- Loss of internal IS experience
- Loss of control over IS
- Vendor failure

SOURCING PRACTICES (CONTINUED)

Risks can be reduced by:
- Establishing measurable, partnership-enacted shared goals and rewards
- Using multiple suppliers
- Performing periodic competitive reviews and benchmarking
- Implementing short-term contracts
- Forming a cross-functional contract management team
- Including contractual provisions to consider as many contingencies as can reasonably be foreseen

SOURCING PRACTICES (CONTINUED)

Globalization Practices and Strategies

Requires management to actively oversee the remote or offshore locations. The IS auditor can assist an organization in moving IS functions offsite or offshore by ensuring that IS management considered the following:
- Legal, regulatory and tax issues
- Continuity of operations
- Personnel
- Telecommunication issues
- Cross-border and cross-cultural issues

Third-party Service Delivery Management

Every organization using the services of third parties should have a service delivery management system in place to implement and maintain the appropriate level of information security and service delivery in line with third-party service delivery agreements.

The organization should check the implementation of agreements, monitor compliance with the agreements and manage changes to ensure that the services delivered meet all requirements agreed to with the third party.

ORGANIZATIONAL CHANGE MANAGEMENT

Change management is managing IT changes for the organization, where a defined and documented process exists to identify and apply technology improvements at the infrastructure and application level that are beneficial to the organization, involving all levels of the organization impacted by the changes.

QUALITY MANAGEMENT
- Software development, maintenance and implementation
- Acquisition of hardware and software
- Day-to-day operations
- Service management
- Security
- Human resource management
- General administration

PERFORMANCE OPTIMIZATION

Process driven by performance indicators. Optimization refers to the process of improving the productivity of information systems to the highest level possible without unnecessary additional investment in the IT infrastructure.

PERFORMANCE OPTIMIZATION (CONTINUED)

Five ways to use performance measures:
- Measure products/services
- Manage products/services
- Assure accountability
- Make budget decisions
- Optimize performance

IS ROLES AND RESPONSIBILITIES
- Systems development manager
- Help desk
- End user
- End user support manager
- Data management
- Quality assurance manager
- Vendor and outsourcer management
- Operations manager
- Data entry
- Systems administration
- Quality assurance
- Database administration

SEGREGATION OF DUTIES WITHIN IS
- Avoids possibility of errors or misappropriations
- Discourages fraudulent acts
- Limits access to data

SEGREGATION OF DUTIES CONTROLS

Control measures to enforce segregation of duties include:
- Transaction authorization
- Custody of assets
- Access to data
- Authorization forms
- User authorization tables

SEGREGATION OF DUTIES CONTROLS (CONTINUED)

Compensating controls for lack of segregation of duties include:
- Audit trails
- Reconciliation
- Exception reporting
- Transaction logs
- Supervisory reviews
- Independent reviews

AUDITING IT GOVERNANCE STRUCTURE AND IMPLEMENTATION

Indicators of potential problems include:
- Unfavorable end-user attitudes
- Excessive costs
- Budget overruns
- Late projects
- High staff turnover
- Inexperienced staff
- Frequent hardware/software errors

REVIEWING DOCUMENTATION

The following documents should be reviewed:
- IT strategies, plans and budgets
- Security policy documentation
- Organization/functional charts
- Job descriptions
- Steering committee reports
- System development and program change procedures
- Operations procedures
- Human resource manuals
- Quality assurance procedures

REVIEWING CONTRACTUAL COMMITMENTS

There are various phases to computer hardware, software and IS service contracts, including:
- Development of contract requirements and service levels
- Contract bidding process
- Contract selection process
- Contract acceptance
- Contract maintenance
- Contract compliance

