M101 Understanding IT Governance - Davis

Date posted: 15-Oct-2015
Uploaded by: leonard-brown
Transcript
TCTC 2013, Albany, NY, March 18, 2013
© 2013 Peter Davis+Associates

Slide 1

Understanding IT Governance

Peter T. Davis, CISA, CISSP, CMA, CSP, CMC, CWNA, CISM, COBIT FC, ITIL FC, PMP, SSGB, CGEIT, PRINCE2 FC, ISO 27001 LI/LA, ISO 20000 FC, ISO 22301 FC, ISO 27005/31000 RM

Principal, Peter Davis+Associates
[email protected]
www.pdaconsulting.com
(v) 416-907-4041
(f) 416-907-4851

Slide 2

Peter T. Davis

IT Governance consulting
CISA, CISSP, CMA, CMC, CISM, COBIT 5 FC, ITIL FC, PMP, SSGB, CGEIT, PRINCE2 FC, ISO 27001 LI/LA, ISO 20000 FC, ISO 27005/31000 RM
29 years IT security and audit experience
Authored/co-authored 12 books
International Who's Who of Professionals

Slide 4

    Agenda

    What is Governance & IT Governance?

    Why is IT Governance important?

    How does IT Governance help management?

    What are the various methodologies?

    How do they fit together?

Slide 5

    Governance

Slide 6

Standards: Committee of Sponsoring Organizations (COSO)

To discharge its responsibilities and achieve its objectives, management must establish an adequate system of internal control. This control system or framework must be in place to support business requirements for effectiveness and efficiency of operations, reliability of information and compliance with laws and regulations.

The Need Defined: Control and Governance Framework

Slide 7

    COSO Framework

Internal Environment: The control environment sets the tone of an organization, influencing the control and risk consciousness of its people

Objective Setting: Forms the risk appetite of an organization

Event Identification: Differentiates risks and opportunities and identifies events that affect meeting objectives

Risk Assessment: Every entity faces a variety of risks from external and internal sources that must be assessed both at the entity and the activity level

Risk Response: Identifies and evaluates possible responses to risk: avoid, mitigate, transfer or accept risk.

Control Activities: The policies and procedures that help ensure management directives are carried out

Information and Communication: Pertinent information must be identified, captured and communicated in a form and timeframe that supports all other control components

Monitoring: Internal control systems need to be monitored, a process that assesses the quality of the system's performance over time

    All components must be in place and working for internal control to be effective!!

    www.coso.org

Slide 8

    Components of Internal Control

COSO categories:

Internal environment

    Objective setting

    Event identification

    Risk assessment

    Risk response

    Control activities

    Information/communication

Monitoring

How do these apply to IT?

Slide 9

    Internal Environment

    Organization structure

    Control framework

    Organization policies and procedures

    External influences

Slide 10

    Organization Structure

Defines managers' responsibility for:

    Decision making

    Establishing company policy

    Sets limits of such authority

Slide 11

    Control Framework

    Segregation of duties

Competence and integrity of employees

Appropriate level of authority and responsibility

Accountability

Adequate resources

Supervision of staff and review of work

Slide 12

    Organization Policies and Procedures

    Well-documented policies and procedures

    Scope of the function

    Activities

    Interrelationships

    Policies define direction

Procedures define how to implement and follow policy


Slide 14

    External Influences

    Government requirements

    Industry associations

    Unions

    Culture

Slide 15

Enterprise Governance [diagram]: COSO; IT Governance; Other Governance; HR Governance; Fiduciary Governance; ISO 9000

Slide 16

Enterprise Process Model [diagram, source: APQC]

Slide 17

Enterprise Governance Drives IT Governance

Enterprise governance is about:

Conformance: adhering to legislation, internal policies, audit requirements, etc.

Performance: improving profitability, efficiency, effectiveness, growth, etc.

Enterprise governance and IT governance require a balance between conformance and performance goals directed by the board.

[diagram: Performance / Conformance] ISACA/ITGI

Slide 18

    IT Governance

Slide 19

Today's New Business Environment

Growing demand for complex, sophisticated, customized supplies and services

Increased reliance on contractors for performance of mission-critical functions

Evolution of worldwide competitive markets

Slide 20

Today's New Business Environment

Results:

Increased complexity of supplies and services produced and purchased

Increased complexity in the processes used to produce and procure supplies and services

Need for sophisticated systems to control contract management processes and outputs

Slide 21

Forces Driving IT Governance [diagram]: Compliance; Security; Business/IT Alignment; ROI; Project Execution

Slide 22

    Why is IT Important?

Gartner reports that 97% of material weaknesses in internal controls can be mitigated through IT. American companies predict spending $27.3 billion on total compliance in 2006. Seventy-three percent of large enterprises regularly experience application downtime due to application infrastructure failure.

IT Compliance Journal, Spring 2006

Slide 23

    Why is IT Governance Important?

Huge investments and large risks

Increasing dependence on information, systems and communications

Increasing pressure to leverage technology in business strategies

Marginal ROI/productivity gains on technology investments

Dependence on entities beyond the direct control of the enterprise; e.g., extranets and outsourcing

Increasing impact of IT failures on reputation and enterprise value

Potential for technologies to dramatically change organizations and business practices, create new opportunities and reduce costs

Slide 24

    Why is IT Governance Important?

Need to build and maintain knowledge essential to sustain and grow the business

Growing complexity of IT environments

Fragmented IT infrastructures

Demand for technologists outstripping supply

Communication gap between business and IT managers

IT service levels that are disappointing

IT costs perceived to be out of control

Impaired organizational flexibility and nimbleness to change

User frustration leading to ad hoc solutions

IT managers operating like fire-fighters

Slide 25

IT Management's Challenge

Expectations:

Deliver results in ever shortening timeframes

Deliver more functionality for less cost (usually including less resources)

Provide a better service while reducing operational costs

Keep everything under control in riskier environments, 24x7

Slide 26

Global Status Report on the Governance of Enterprise IT (GEIT) - 2011 [chart]

Slide 27

Global Status Report on the Governance of Enterprise IT (GEIT) - 2011 [chart]

Slide 28

IT Management's Challenge

Reality:

Executive Management don't always understand IT or its operation

"Us versus Them" attitude has led to breakdowns in teamwork and communications

IT finds it difficult to prioritize - everyone wants Class A service

Poor management reporting can hide good IT service

Poor client-facing functions (service desk, user support, project mgt.) can ruin IT's reputation

IT infrastructure has become chaotic and fragmented

Little or no budgets for investment in underlying IT processes and resources

Slide 29

Typical Pain Points

Failed IT initiatives

Rising costs

Perception of low business value for IT investments

Significant incidents related to IT risk (e.g. data loss)

Service delivery problems

Failure to meet regulatory or contractual requirements

Audit findings for poor IT performance or low service levels

Hidden and/or rogue IT spending

Resource waste through duplication or overlap in IT initiatives

Insufficient IT resources

IT staff burnout / dissatisfaction

IT enabled changes frequently failing to meet business needs (late deliveries or budget overruns)

Multiple and complex IT assurance efforts

Board members or senior managers that are reluctant to engage with IT

© 2012 ISACA. All Rights Reserved.

Slide 30

Relevant Trigger Events

Merger, acquisition or divestiture

Shift in the market, economy or competitive position

Change in business operating model or sourcing arrangements

New regulatory or compliance requirements

Significant technology change or paradigm shift

An enterprise-wide governance focus or project

A new CIO, CFO, COO or CEO

External audit or consultant assessments

A new business strategy or priority

By using pain points or trigger events as the launching point for IT governance initiatives, the business case for GEIT improvement can be related to issues being experienced, which will improve buy-in to the business case.

© 2012 ISACA. All Rights Reserved.

Slide 31

    IT Governance

A structure of relationships and processes to direct and control the enterprise in order to achieve the enterprise's goals by adding value while balancing risk versus return over IT and its processes.

    COBIT Framework 3rd Edition, July 2000, Page 5

Slide 32

    What is IT Governance?

IT governance is the term used to describe how those persons entrusted with governance of an entity will consider IT in their supervision, monitoring, control and direction of the entity. How IT is applied will have an immense impact on whether the entity will attain its vision, mission or strategic goals.

    Robert Roussey CPA, 2002/2003

    President ISACA & ITGI

Slide 33

Why Does IT Need a Control and Governance Framework?

Emerging Regulations

Overall seek greater assurance on internal control

Stress governance and the responsibility of directors regarding internal control

Reluctantly accept pervasiveness and importance of IT; to be integrated in all standards

Hesitantly go beyond financial risk, towards risks that adversely affect the entity's ability to achieve its objectives and execute its strategies

Define expected audit steps

Start setting requirements and expectations for SMEs

Slide 34

Why Does IT Need a Control and Governance Framework?

Emerging Management Practices

Emergence of IT Governance

A structure of relationships and processes to direct and control the enterprise to achieve the enterprise's goals by adding value while balancing risk vs. return over IT and its processes

Increased IT Manageability

New tools that allow management to self-assess and make choices for control implementation and improvements

Ability to align the IT organisation with the goals of the enterprise

Performance measurements that ensure that these goals are achieved

Slide 35

Principles of IT Governance [diagram]: Direct and control; Responsibility; Accountability; Activities; Measures (ISACA/ITGI)

Slide 36

    How IT Governance Helps

Responsibilities:

Ensures ownership by the Board and Executive Management of IT issues

Increases the understanding of IT significance to the business and the impact of potential risks

IT no longer just the CIO's responsibility but is shared by the whole of management

Clarifies CIO's role from a corporate perspective

Slide 37

    How IT Governance Helps

Results:

Open dialogue of and shared activity for IT initiatives

Increased trust between the business & IT

Greater appreciation of IT needs, risks, and capabilities resulting in better prepared strategies and plans

A collective and balanced approach to business needs and priorities

Increased transparency and understanding of actual performance and service levels

More focus on the internals of IT and the need to improve skills / processes / infrastructure

Slide 38

    IT Governance

Ensures:

Joint responsibility for planning and executing IT in the business

Clearer understanding by all of objectives and expectations

Clearer visibility of issues and priorities

Transparency and better comprehension of IT activities and performance

Slide 39

    IT Governance Delivers

Alignment of IT with business needs

Improved value delivery (operational and project)

Optimized costs

Management of IT-related risks

Improved Quality of Service


Slide 42

    IT Governance

1. Strategic issues
I. Strategy and planning
II. Technology Trends
III. Performance
IV. Personnel

2. Risk issues
V. Risks and controls
VI. Personal information privacy
VII. Availability
VIII. Legal issues

Slide 43

    Strategy and Planning

1. Does management have a strategic plan?

2. Does the plan form the basis for annual and long-term plans and budgets and prioritization of IT projects?

Slide 44

The Relationship Between Business, IS & IT Strategies [diagram]

BUSINESS STRATEGY: Business Decisions; Objectives & Direction; Change

IS STRATEGY: Business Based; Demand Orientated; Application Focused

IT STRATEGY: Activity Based; Supply Orientated; Technology Focused

Connecting labels: Where is the business going and why; What is required; How it can be delivered; Infrastructure and services; Needs and priorities; Supports business; Direction for business; VALUE added here; COSTS incurred here

Slide 45

    Technology Trends

1. Does management have appropriate procedures to ensure the organization is aware of technology trends?

2. Does management periodically assess trends and use for re-positioning?

Slide 46

    Performance

1. Have performance metrics and drivers been identified?

2. Are they monitored?

3. Are they benchmarked against industry standards?

4. Does the monitoring include third-party service providers?

Slide 47

    Governance

1. Is there a steering committee?

2. Is one person tasked with governance?

3. Is this person placed high enough in the organization?

4. What procedures are in place to make sure the organization complies with all relevant laws?

Slide 48

    Risk and Security

1. Does management periodically assess risks?

2. How does management ensure data integrity, including relevance, completeness, accuracy and timeliness, and its appropriate use within the organization?

3. Does management regularly review or audit systems and applications?

Slide 49

    Personal Information Privacy

    1. Is someone responsible for privacy?

2. Is the organization in compliance with laws and regulations?

Slide 50

    Availability

1. Is there an adopted formal availability policy?

2. Have controls been put in to ensure availability?

3. Do you understand the impact of an interruption of service?

4. Is there a business continuity plan?

5. Is the plan tested?

Slide 51

    Legal Issues

1. Have you considered and addressed legal implications pertaining to the use of software, hardware, service agreements and copyright laws?

Slide 52

Everyone Agrees on What's Important

1. Strategic Alignment
2. Value Delivery
3. Risk Management
4. IT Resource Management
5. Performance Measurement

Sources: AICPA/CICA; BS; CIO Magazine; Compass; CSC; Gartner; Giga; ISACA; Technology Council

Slide 53

Focus Areas of IT Governance [diagram]: Stakeholder Value Drivers; Performance Measurement; IT Value Delivery; Risk Management; IT Strategic Alignment; IT Resource Management (ISACA/ITGI)

Slide 54

IT Governance Process [diagram]: Stakeholder Value Drivers; Strategy; Processes; Resources (Knowledge, Capability, Information...); Results (Outcome, Performance, Risk, Assets). ISACA/ITGI

Slide 55

IT/Enterprise Alignment [diagram]: Enterprise Strategy; IT Strategy; Enterprise Operations; IT Operations; Alignment Activities

The Board should drive business alignment by:

Ascertaining that the IT strategy is aligned with the business strategy

Ascertaining that IT delivers against the strategy through clear expectations and measurement

Directing IT strategy to balance investments between supporting and growing the enterprise

Making considered decisions about where IT resources should be focused

ISACA/ITGI

Slide 56

IT Supporting Strategic Objectives [diagram]: Enterprise Strategy; Funding; Sourcing/Staffing; Technical Infrastructure; Application Architecture; Business Functions (ISACA/ITGI)

Slide 57

IT Governance Creates Benefit Over Time [chart, Ref: PriceWaterhouseCoopers]

Axes and curve labels: time; stakeholder value; service quality; support business; service cost; delivery time; IT risks

Benefit labels: Aligned; Better; Cheaper; Faster; Secure; Controlled

Slide 58

Enterprise Governance Models [diagram]

COSO/CoCo; IT Governance; Fiduciary Governance; Other Governance

COBIT/ISO 38500; ISO 27001; ISO 20000; ISO 15504; ITIL; ISO 9126; CMMI; ISO 12207; ISO 9001; TickIT; and other best practices

InfoSec Management: ISO 27002

Slide 59

Frameworks Compared

IT Governance
  Type: Focus on how to manage information and information and communications technology efficiently and effectively
  Examples: AS8015-2005, ISO 38500, COBIT, Val IT

Information Management
  Type: Focus on how to perform and organize IT management, such as service delivery and support
  Examples: ASL, BiSL, GFIM, ISPL, ITIL, OMMF

Enterprise Architecture
  Type: Focus on enterprise components, the externally visible properties of those components, and the relationships between them.
  Examples: E2AF, EABOK, EAMMF, FEAF, O-ESA, SABSA, TOGAF, Zachman

Quality Management
  Type: Focus on quality standards, applied to specific IT domains
  Examples: EFQM, ISO 9001, ISO 20000, ISO 27001, ISO 28000, TQM

Quality Improvement
  Type: Focus on improvement of processes or performance
  Examples: IT BSC, ITS-CMM, Six Sigma

Project Management
  Type: Focus on portfolio, program and project management
  Examples: EVMBOK, IPMA Competence Baseline, MSP, PMBOK, PRINCE2

Risk Management
  Type: Focus on identifying and managing risk
  Examples: AS/NZS 4360, COSO ERM, EBIOS, FAIR, ISO 27005, ISO 31000, M_o_R, OCTAVE, Risk IT


Slide 61

Why Good Practices are Important!

COBIT, ITIL, ISO 27001 and PRINCE2 are valuable to the ongoing growth and success of an organization because:

Companies are demanding better returns from IT investments

Best practices help meet regulatory requirements for IT controls

Organizations face increasingly complex IT-related risks

Organizations can optimize costs by standardizing controls

Best practices help organizations assess how IT is performing

Management of IT is critical to the success of enterprise strategy

They help enable effective governance of IT activities

A management framework helps staff understand what to do (policy, internal controls and defined practices)

They can provide efficiency gains, less reliance on experts, fewer errors, increased trust from business partners and respect from regulators

Slide 62

Why Good Practices are Important!

Need for internal controls typically requires that management select from a wide variety of well-established best practices

Good practices can help avoid re-inventing the wheel, optimize the use of scarce IT resources and reduce the occurrence of major IT risks, such as:

Project failures

Wasted investments

Security breaches

System crashes

Failures by service providers to understand and meet customer requirements

Slide 63

Process [diagram]: Policy; Standard; Measurement & Control; Activities; Input; Output

A process is a logically related series of activities intended to contribute towards reaching a defined objective

Process Owner: responsible for process results

Process Manager: responsible for realization and structure of the process; reports to the Process Owner

Process Operatives: responsible for defined activities; report to the Process Manager

Standards = KPI

Processes described using procedures and work instructions

Slide 64

ISO/IEC 15504 a.k.a. SPICE (Software Process Improvement and Capability dEtermination)

[diagram] Process is examined by Process Assessment. Process Assessment leads to Capability Determination, which identifies capability and risks of the process, and leads to Process Improvement, which identifies changes to the process.

Slide 65

Creating Value [diagram; Crown copyright 2007]

Slide 66

    Risk Analysis

    Delivery risk

    Not delivering required capabilities

    Are we doing things the right way?

    Are we getting them done well?

    Benefit risk

    Benefits not being obtained

    Are we doing the right things?

    Are we getting the benefits?

Slide 67: The Value Questions
The strategic question (benefit risk): Are we doing the right things?
The architecture question (delivery risk): Are we doing them the right way?
The value question (benefit risk): Are we getting the benefits?
The delivery question (delivery risk): Are we getting them done well?

Slide 68: COBIT 5

Slide 69: Issuer
The IT Governance Institute (http://www.itgi.org) is the copyright holder and issuer of the COBIT guidance
ITGI is part of ISACA (www.isaca.org/cobit)

Slide 70: The Evolution of COBIT 5
[Figure: COBIT evolution timeline from 1996 to 2012. 2012 ISACA. All Rights Reserved.]
COBIT1 (1996): Audit
COBIT2 (1998): Control
COBIT3 (2000): Management
COBIT 4.0/4.1 (2005/7): IT Governance
COBIT 5 (2012): Governance of Enterprise IT
Also shown on the timeline: Val IT 2.0 (2008), Risk IT (2009), BMIS (2010)

Slide 71: COBIT 5 Product Family
[Figure: 2012 ISACA. All Rights Reserved.]

Slide 72: COBIT 5 Process Reference Model
[Figure]

Slide 73: Where Does COBIT Fit?
[Figure (ISACA/ITGI): layered model of governance drivers, frameworks, standards and procedures]
Drivers: PERFORMANCE (Business Goals); CONFORMANCE (Basel II, Sarbanes-Oxley Act, etc.)
Enterprise Governance and IT Governance layers, with COBIT, COSO and the Balanced Scorecard as the frameworks shown
Best Practice Standards: ISO 9001, ISO 27001, ISO 20000
Processes and Procedures: QA Procedures, ISO 27002, ITIL 2011

Slide 74: ITIL 2011

Slide 75: Issuer
IT Infrastructure Library (ITIL) is a collection of best practices and guidelines for IT service management and comprises a series of books on the quality provision of IT-related services
They are published and copyrighted by the UK's Cabinet Office (formerly CCTA and Office of Government Commerce)
See http://www.tsoonline.co.uk and http://www.get-best-practice.co.uk

Slide 76: What is ITIL?
A public framework that describes Best Practice in IT Service Management
Used to aid the implementation of a framework for IT Service Management
2011 and V3 (2007) build on concepts from V1 and V2
Focuses on continual measurement and improvement of quality of IT service delivered

Slide 77: ITIL Qualification Scheme
[Figure]

Slide 78: Service Lifecycle
[Figure: Crown copyright 2007]

Slide 79: Service Lifecycle
Strategy: Strategy Management, Service Portfolio Management, Financial Management, Demand Management, Business Relationship Management
Design: Design Coordination, Service Catalog Management, Service Level Management, Availability Management, Capacity Management, Service Continuity Management, Information Security Management, Supplier Management
Transition: Transition Planning and Support, Change Management, Service Asset and Configuration Management, Release and Deployment Management, Service Validation & Testing, Change Evaluation, Service Knowledge Management
Operation: Event Management, Incident Management, Request Fulfillment, Problem Management, Access Management, IT Operations Management, Technology Management, Application Management, Service Desk
CSI: 7 Step Improvement Process

Slide 80: Service Delivery Practices and Processes
The role of the ITIL framework is to describe approaches, functions, roles and processes on which enterprises may base their own practices

Slide 81: Service Delivery Practices and Processes
[Figure]

Slide 82: ISO 20000-1 vs. ITIL 2011
ISO 20000-1 | ITIL 2011
Prescriptive: defines the what to do | Descriptive: defines the how to do it
International standard | Best practice
Certification for a service provider organization | Qualifications for individuals
Definitive high-level requirements for processes and management system | Detailed best practice guidance, description and implementation aids
Organization structure independent with very few mandatory roles specified | Defines many non-mandatory functions, processes, roles and responsibilities
16 processes, no functions, lifecycle not explicitly specified | 26 processes and 4 functions documented in 5 lifecycle stages
Definitive set of required documents | Description of key documentation

Slide 83: ISO/IEC 27000

Slide 84: ISO 27000
International Organization for Standardization (http://www.iso.org)
Is a standard: also a suite of standards
Best known are ISO 27001 and ISO 27002 (a.k.a. ISO 17799)

Slide 85: ISO 27000 Series
ISO/IEC 27000:2009 Information security management systems -- Fundamentals and vocabulary
ISO/IEC 27001:2005 Specification for an Information Security Management System
ISO/IEC 27002:2005 Code of Practice for Information Security Management
ISO/IEC 27003:2010 Information security management system implementation guidance
ISO/IEC 27004:2009 Information security management Measurement
ISO/IEC 27005:2008 Information security risk management
ISO/IEC 27006:2007 Requirements for bodies providing audit and certification of information security management systems
ISO/IEC 27011:2008 Information security management guidelines for telecommunications organizations based on ISO/IEC 27002
ISO 27799:2008 Information security management in health using ISO/IEC 27002

Slide 86: ISMS Standards
ISO/IEC 27001:2005 Requirements for Information Security Management Systems
ISO/IEC 27002:2005 Code of Practice for Information Security Management

Slide 87: Issuer
ISO/IEC 27002 Information Technology - Code of Practice for Information Security Management was published by the International Organization for Standardization (http://www.iso.org) and International Electrotechnical Commission (http://www.iec.org)
The technical committee identified as ISO/IEC JTC1/SC27 WG1 is responsible for its maintenance

Slide 88: ISO/IEC 27001:2005 Requirements
ISO/IEC 27001:2005 defines good practices for an information security management system
A management system should balance physical, technical, procedural, and personnel security
Information security is a management process, not a technological process
Aligns with ISO/IEC 27002:2005

Slide 89: ISMS
[Figure: Source: ISO/IEC 27001:2005]

Slide 90: ISO 27002 a.k.a. ISO/IEC 17799
ISO/IEC 17799 Information Technology - Code of Practice for Information Security Management was published by the International Organization for Standardization (http://www.iso.org) and International Electrotechnical Commission (http://www.iec.org)
The technical committee identified as ISO/IEC JTC1/SC27 WG1 is responsible for its maintenance
Part of ISO 27000 series

Slide 91: ISO/IEC 27002:2005
Is intended for use as a reference document
Is based on good information security practices
Was developed by industry for industry
Is not used for assessment and registration
Is not a technical standard

Slide 92: ISO 27002: The Dirty Dozen
1. Risk Assessment and Treatment
2. Security Policy
3. Security Organization
4. Asset Management
5. Human Resources Security
6. Physical and Environmental Security
7. Communications and Operations Management
8. Access Control
9. Information Systems Acquisition, Development and Maintenance
10. Information Security Incident Management
11. Business Continuity Management
12. Compliance

Slide 93: PRINCE2
PRINCE2 is a process-based approach for project management providing an easily tailored and scalable method for the management of all types of projects. The method is the de-facto standard for project management in the UK and is practiced worldwide.

Slide 95: What is PRINCE2?
Formerly known as PRINCE (and PROMPT before that!): PRojects IN Controlled Environments
Introduced by central government because high profile project failures were too common
Owned by UK Cabinet Office
Launched in 1996 & currently in its 5th edition (2009)
It is a method for managing projects
It is part of Cabinet Office's PPRM portfolio
It is process based

Slide 96: PPRM's Related Products
[Figure: PRINCE2 Maturity Model (P2MM); Portfolio, Programme and Project Office (P3O); Gateway]

Slide 97: PRINCE2 Structure
[Figure]

Slide 98: PRINCE2 Processes
[Figure]

Slide 99: Implementing an IT Governance Framework

Slide 100: Summary
To combat entropy, implement an IT Governance framework
Standards overlap
Use tools like the CCI (previously the UCP)
Work on processes not solutions
Develop an action plan

