It Gov Books

Transcript of It Gov Books

  • 8/3/2019 It Gov Books

    1/53

    INFORMATION SYSTEMS AUDIT AND CONTROL FOUNDATION

    IT Governance

    Some thoughts on how IT risk, control, audit and assurance are evolving beyond COBIT toward the broader concept of IT governance; why IT governance should be on the board agenda wherever IT is strategic to the business; how it fits in the broader concepts of enterprise governance and how management and boards can address it.

  • Slide 2/53

    What IT problem?

    - Are they doing the right things?
    - Are they doing them the right way?
    - Are they being done well?
    - Are we getting benefits?

    IT governance is the responsibility of the board of directors and consists of the leadership, organisational structures and processes that ensure that the organisation's IT sustains and extends the organisation's strategies and objectives.

    What does the board do? How does management react?

    - Cascading strategy and goals
    - Organisational alignment
    - A control framework
    - Balanced business scorecard

  • Slide 3/53

    IT Governance (agenda)

    - Stakeholders
    - Governance Framework
    - IT Alignment & Value Delivery
    - Performance Measurement
    - Risk Management
    - Security
    - Conclusions

  • Slide 4/53

    Stakeholders Apply Pressure

    Shareholders and Executive: Lower cost, higher profitability and increased market share
    Customers and Staff: More functionality at lower cost and greater ease of use
    Society: Greater accountability for executives in private and public sector

  • Slide 5/53

    E-biz Facts: What Are Customers Saying?

    - Guarantee of delivery
    - Customer loyalty
    - Ease of use
    - Customer service
    - Security

  • Slide 6/53

    What Signals Are Regulators Giving? Federal Reserve

    Focus on operational risk, within which security and IT are very significant.

    All major risk issues have been caused by breakdowns in:
    - Internal control
    - Oversight
    - Information technology

  • Slide 7/53

    What Signals Are Regulators Giving? President Clinton's Commission on Critical Infrastructure Protection

    Concern for extreme dependence of industry on IT.

    Two recommendations:
    - Awareness of senior company officers
    - Need to address three technical improvements: authenticate, segregate, make accountable

  • Slide 8/53

    What Do Standards Say?

    Cadbury: strengthen internal control; boards need to set strategic aims, provide leadership, supervise management and report to shareholders on their stewardship.

    Turnbull: board to assure appropriate and effective processes to monitor risk and effectiveness of the system of internal control; broader corporate governance role for audit committees ... monitor and report on risks ...

    BIS: ... governance arrangements for critical systems should be effective, accountable and transparent.

    Stewardship is extending to IT as boards question the depth of their enterprises' reliance on IT.

  • Slide 9/53

    What Is Management Thinking?

    "IT has been the longest running disappointment in business in the last 30 years!"
    Jack Welch, Chairman, General Electric, World Economic Forum, Davos, 1997

    "Technology can help fulfil a visionary dream, but often its use is closer to a sobering nightmare!"
    Vesa Vaino, CEO Merita Bank, SIBOS, Helsinki, 1998

    "I am writing a book on the history of information technology in order to better understand why it is such a mess!"
    Philippe Corniou, CIO, Renault, IT Governance Forum, Paris, 2001

    (Diagram labels: Personal & visual contact; Uncertainty, complexity & growth)

  • Slide 10/53

    IT Governance (agenda)

    - Stakeholders
    - Governance Framework
    - IT Alignment & Value Delivery
    - Performance Measurement
    - Risk Management
    - Security
    - Conclusions

  • Slide 11/53

    Why Get Into Governance?

    - Due diligence
    - IT is critical to the business
    - IT is strategic to the business
    - Expectations and reality don't match
    - IT hasn't gotten the attention it deserves
    - IT involves huge investments and large risks

  • Slide 12/53

    Why Get Into Governance? Due diligence

    - Infrastructure and productive functions
    - Skills, culture, operating environment
    - Capabilities, risks, process knowledge and customer information
    - Service levels

    Enterprises should be equally inquisitive about themselves.

  • Slide 13/53

    IT Is Critical to Most Businesses

    This criticality arises from:
    - The increasing dependence on information and the systems and communications that deliver it
    - The dependence on entities beyond the direct control of the enterprise
    - IT failures increasingly impacting reputation and enterprise value
    - The potential for technologies to dramatically change organisations and business practices, create new opportunities and reduce costs
    - The risks of doing business in an interconnected world
    - The need to build and maintain knowledge essential to sustain and grow the business

  • Slide 14/53

    IT Is Strategic to Most Businesses

    If so, wouldn't you want to know whether your organisation's information technology is:
    - Likely to achieve its objectives?
    - Resilient enough to learn and adapt?
    - Judiciously managing the risks it faces?
    - Appropriately recognising opportunities and acting on them?

  • Slide 15/53

    Managing Information Technology

    Expectations:
    - Harness and exploit IT to deliver business value
    - Provide fast development, with appropriate quality and with security
    - Ascertain that IT investments have a quantitative return and IT does more with less
    - Move from efficiency and productivity gains towards value creation and business effectiveness, especially in industries requiring that the focus move from the back office to the front office

    Reality:
    - Business losses, reputational damage or a weakened competitive position
    - Enterprise effectiveness and core processes directly impacted by the quality of IT deliverables
    - The failure of IT initiatives intended to bring innovation to the enterprise to achieve their promise
    - Technology that is inadequate for the enterprise or obsolete too soon
    - Poor support for the business
    - Deadlines that are not met
    - Costs that are higher than expected and quality and efficiency lower than anticipated

  • Slide 16/53

    Why Has IT Not Gotten the Attention It Merits?

    - IT requires more technical insight than do other disciplines to understand how IT enables the enterprise, creates risks and gives rise to opportunities
    - IT has traditionally been treated as an entity separate from the business
    - IT is complex, and even more so in the extended enterprise operating in a networked economy

  • Slide 17/53

    IT Involves Huge Investments and Large Risks

    - October 1992: A new command and control system developed by the London Ambulance Service failed on the first day of operation.
    - August 1997: UK investment managers Save & Prosper abandoned a major new IT system, having spent 2 million pounds on its design and implementation.
    - 1997: Barings Bank collapsed as a result of unauthorized trading, in part enabled by the willful manipulation of management information.
    - October 1998: UK Internet bank Egg launched a new online-only credit card, only to find its technical infrastructure was unable to cope with the demand.

  • Slide 18/53

    What Should Boards Do About It?

    - Be driven by stakeholder value
    - Adopt an IT governance framework
    - Ask the right questions
    - Focus on IT's alignment with the business, value delivery and risk management
    - Measure results

    (Diagram labels: Stakeholder Value Drivers; IT Strategic Alignment; IT Value Delivery; Risk Management; Performance Measurement)

  • Slide 19/53

    What Should Management Do About It?

    - Align IT strategy with business goals
    - Cascade strategy and goals down into the organisation
    - Set up organisational structures that facilitate strategy implementation
    - Adopt a control and governance framework
    - Provide IT infrastructures that facilitate creation and sharing of business information
    - Embed responsibilities for risk management in the organisation
    - Focus on important IT processes and core IT competencies
    - Measure performance (balanced business scorecard)

  • Slide 20/53

    COBIT: An IT Control Framework

    - Starts from the premise that IT needs to deliver the information that the enterprise needs to achieve its objectives.
    - Promotes process focus and process ownership.
    - Divides IT into 34 processes belonging to four domains and provides a high level control objective for each.
    - Looks at fiduciary, quality and security needs of enterprises, providing seven information criteria that can be used to generically define what the business requires from IT.
    - Is supported by a set of over 300 detailed control objectives.

    Information criteria: Effectiveness, Efficiency, Availability, Integrity, Confidentiality, Reliability, Compliance

    Domains: Planning, Acquiring & Implementing, Delivery & Support, Monitoring

  • Slide 21/53

    COBIT: An IT Control Framework

    Recent COBIT developments added a management and governance layer, providing management with a toolbox containing:
    - Performance measurement elements (outcome measures and performance drivers for all IT processes)
    - A list of critical success factors that provides succinct non-technical best practices for each IT process
    - A maturity model to assist in benchmarking and decision-making for control over IT

  • Slide 22/53

    IT Governance Defined (1)

    Several definitions with common elements:
    - Responsibility of the board of directors
    - Protects shareholder value
    - Ensures risk transparency
    - Directs and controls IT investment, opportunity, benefits and risks
    - Aligns IT with the business while accepting IT is a critical input to and component of the strategic plan, influencing strategic opportunities
    - Sustains the current operation and prepares for the future
    - Is an integral part of a global governance structure

  • Slide 23/53

    IT Governance Defined (2)

    IT governance, like other governance subjects, is the responsibility of executives and shareholders (represented by the board of directors). It consists of the leadership and organisational structures and processes that ensure that the organisation's IT sustains and extends the organisation's strategies and objectives.

  • Slide 24/53

    IT Governance Framework

    Cycle: Set measurable goals -> Deliver against the goals -> Measure performance -> Compare results -> Act if not aligned

  • Slide 25/53

    IT Governance Framework

    Set Objectives:
    - IT is aligned with the business
    - IT enables the business and maximises benefits
    - IT resources are used responsibly
    - IT-related risks are managed appropriately

    Provide Direction -> IT Activities -> Measure Performance -> Compare

    IT Activities:
    - Increase automation (make the business effective)
    - Decrease cost (make the enterprise efficient)
    - Manage risks (security, reliability and compliance)

  • Slide 26/53

    IT Governance Activities & Subjects

    IT Governance Activities

    Activity                                                    Board and/or Management   Type
    Become informed of role and impact of IT on the enterprise  B/M                       Plan
    Set direction and expected return                           B                         Direct
    Determine required capabilities and investments             M                         Plan
    Assign responsibilities                                     B/M                       Direct
    Sustain current operations                                  M                         Organise
    Make transformation happen                                  B/M                       Direct
    Define constraints within which to operate                  B                         Direct
    Acquire and mobilise resources                              M                         Organise
    Measure performance                                         B                         Control
    Manage risk                                                 B/M                       Control
    Obtain assurance                                            B                         Control

  • Slide 27/53

    IT Governance Activities & Subjects

    IT Governance Subjects

    - The objectives of information technology, how it:
      - Improves cost-efficiencies
      - Creates revenue enhancement
      - Supports the building of new capabilities
      - Enables core business processes
      - Enables new business models
    - The opportunities and risks of new technology:
      - Internet and intranet
      - E-commerce
      - Mobile computing
      - Workflow technology
      - Knowledge systems, etc.
    - The key processes and core competencies:
      - The return on investment of IT projects and initiatives, and how they deliver against expectations
      - Performance of IT services against service level agreements
      - IT risks, asset protection and information security
      - IT acquisition and outsourcing strategies
      - Important IT processes such as change, application and problem management
      - Core IT competencies: planning, support, operations, project management, knowledge management
      - Ethical behavior, data privacy and fraud prevention

  • Slide 28/53

    IT Governance (agenda)

    - Drivers
    - Stakeholders
    - Governance Framework
    - IT Alignment & Value Delivery
    - Risk Management
    - Performance Measurement
    - Security
    - Conclusions

  • Slide 29/53

    IT Alignment

    The Board should drive business alignment by:
    - Ascertaining that the IT strategy is aligned with the business strategy
    - Ascertaining that IT delivers against the strategy through clear expectations and measurement
    - Directing IT strategy to balance investments between supporting and growing the enterprise
    - Making considered decisions about where IT resources should be focused

    IT alignment is a journey, not a destination.

    (Diagram labels: Business Strategy; IT Strategy; Alignment Activities; Business Operations; IT Operations)

  • Slide 30/53

    IT Value Delivery

    The board should drive alignment to ensure that IT delivers value:
    - With the business strategy focusing on competitive advantage, elapsed time for order/service fulfillment, customer satisfaction, customer wait time, employee productivity and profitability
    - Supported by an IT strategy that delivers on time, within budget and with the benefits that were promised

    IT value is in the eye of the beholder.

    Business Value Delivered        Sample Measures
    Business Unit Financial         Revenue growth; Return on assets; Revenue per employee
    Business Unit Operational       Time to bring a new product to market; Sales from new product; Product or service quality
    Business Unit IT Applications   Implementation time: new application; Implementation cost: new application
    Firm-wide IT Infrastructure     Infrastructure availability; Cost per transaction; Cost per workstation

    (Axes: Time for Business Impact; Degree of influence (Business Management / IT Management))

  • Slide 31/53

    IT Risk Management

    The board should manage enterprise risk by:
    - Ascertaining that there is transparency about the significant risks to the organisation
    - Being aware that the final responsibility for risk management rests with the board
    - Being conscious that risk mitigation can generate cost-efficiencies
    - Considering that a proactive risk management approach creates competitive advantage
    - Insisting that risk management is embedded in the operation of the enterprise

    It is the IT alligators you do not see that will get you!

  • Slide 32/53

    IT Risk Management

    Risk Management Expands:
    - Risk Allocation - contracts, SLAs, etc.
    - Risk Mitigation - security & control practices
    - Risk Transfer - insurance & liability
    - Risk Assurance - audit & certification
    - Risk Acceptance - formal, transparent

  • Slide 33/53

    IT Balanced Scorecard

    IT Goals and Measures: four perspectives, each with Goals and Measures, arranged around Information:
    - Financial
    - Customer
    - Process
    - Learning

    If you are playing the enterprise game and not keeping IT's score, you are only practising.

  • Slide 34/53

    IT Balanced Scorecard: Example IT Measures

    Financial:
    - # of IT customers
    - Cost per IT customer
    - Cost-efficiency of IT processes up
    - Delivery of IT value per employee

    Process:
    - Availability of systems & services
    - Developments on schedule & budget
    - Throughput & response times
    - Amount of errors and rework
    - Level of service delivery up

    Customer:
    - Satisfaction of existing customers
    - # of new customers reached
    - # of new service delivery channels

    Learning:
    - Staff productivity & morale
    - # of staff trained in new techno/services
    - Value delivery per employee up
    - Increased availability knowledge systems

    (Centre of the scorecard: Information)

  • Slide 35/53

    Scorecard Objectives

    - Demonstrate the value added by the IT organisation
    - Establish a balanced set of measures for determining the effectiveness of the IT organisation
    - Set guidelines for creating the IT strategic plan and linking it into operational plans
    - Communicate and motivate IT performance in key areas as required by the business and its stakeholders
    - Establish a framework for IT management reporting

    Approval of an IT scorecard by key stakeholders should be considered an IT governance best practice.

    An IT scorecard is one of the most effective means to achieve IT and business alignment.

    From Ron Saull, CIO Investors Group, Ca

  • Slide 36/53

    IT Governance (agenda)

    - Drivers
    - Stakeholders
    - Governance Framework
    - IT Alignment & Value Delivery
    - Risk Management
    - Performance Measurement
    - Security
    - Conclusions

  • Slide 37/53

    Information Security: Some Practices for the Board Room

    - Know what questions to ask
    - Know what is needed
    - Raise the awareness at the top
    - Have clarity of purpose
    - Measure your performance
    - Keep on doing it

  • Slide 38/53

    Information Security: Some Questions for the Board Room

    - Would people recognise a security incident when they saw one? Would they ignore it? Would they know what to do about it?
    - Does anyone know how many computers the company owns? Would management know if some went missing?
    - Does anyone know how many people are using the organisation's systems? Does anybody care whether they are allowed or not, or what they are doing?
    - Did the company suffer from the latest virus attack? How many did it have last year?
    - What are the most critical information assets of the enterprise? Does management know where the enterprise is most vulnerable?
    - Is management concerned that company confidential information can be leaked?
    - Has the organisation ever had its network security checked by a third party?
    - Is IT security a regular agenda item on IT management meetings?

  • Slide 39/53

    IT Security Requirements

    (Diagram labels, in the order extracted)

    Shorter business cycles; need to involve/connect/tie in with more partners; network centric business models; leverage VPN, remote access, collaborative tools
    Manage Risk: Internet - UNIX - TCP/IP; more hackers, more tools; increased dependency on IT
    Leverage Opportunities: E-cash, e-commerce, e-tc.; open, modular, scalable; security a commodity
    Technology Drivers / Business Drivers
    Managing networked c/s systems; provenance control; non-sharable info; profiling users; trust

  • Slide 40/53

    IT Security Awareness

    How to sell to top management: different styles depending on function
    - FUD
    - Cost reduction
    - Responsibility
    - Differentiator
    - Cost of security
    - Strategic approach - benchmark - gap analysis - choices

  • Slide 41/53

    Cost of IT Security

    (Chart: Cost of security and control vs. IT Budget. Axis values: 5 - 10%, 20 - 25%, 45 - 50%, 55%. Stages: Cowboy operation; Baseline operation; Good Practice; Industry reference site. Other labels: Cost of noncompliance; Benchmarking; Leadership; = driver for change)

  • Slide 42/53

    IT Security Performance

    (Diagram labels: Tools & Technology; Process; Policy & Procedures; Security Management; Human Behaviour & Culture; System Access Control; Network Segregation; Application Security; Policy)

    (Chart: six areas, numbered 1. Policies & procedures; 2. Security mgt; 3. Human behav. & culture; 4. Application security; 5. System access control; 6. Network segregation. Weights shown: 10, 10, 20, 20, 20, 20, total 100. Scores plotted for 1996 to 2001 on a 0-100 scale; values appearing on the chart: 42, 48, 64, 76, 88, 92, 96.)

    Legend for ranking used:
    5 - Excellent: Best possible, highly integrated
    4 - Very good: Advanced level of practice
    3 - Good: Moderately good level of practice
    2 - Fair: Some effort made to address issues
    1 - Poor: Recognise the issues
    0 - Very poor: Complete lack of good practice

    Legend for symbols used:
    - Average of best security performers in the financial industry (begin 96)
    - Company status Feb 97
    - Company objective for 2001

  • Slide 43/53

    IT Security is a Continuous Effort

    Cycle around Security Management: Issue Security Policy -> Design Security Defenses -> Perform Active Monitoring -> Perform Intrusion Testing

  • Slide 44/53

    IT Governance (agenda)

    - Drivers
    - Stakeholders
    - Governance Framework
    - IT Alignment & Value Delivery
    - Performance Measurement
    - Risk Management
    - Security
    - Conclusions

  • Slide 45/53

    IT Governance Summarized

    Objectives:
    - To understand the issues and the strategic importance of IT
    - To ensure that the enterprise can sustain its operations
    - To ascertain it can implement the strategies required to extend its activities into the future

    Goal:
    - Ensuring that expectations for IT are met and IT risks are mitigated

    Position:
    - Within broad governance arrangements that cover relationships between the entity's management and its governing body, its owners and its other stakeholders, and providing the structure through which:
      - The entity's overall objectives are set
      - The method of attaining those objectives is outlined
      - The manner in which performance will be monitored is described

  • Slide 46/53

    Become Informed About:
    - Business and IT performance measures
    - Business and IT outcome drivers
    - IT strategic and alignment issues
    - Best practices in IT governance
    - Questions boards and management should ask


  • 8/3/2019 It Gov Books

    48/53

    INFORMATION

    SYSTEMSAUDIT AND

    CONTROL

    FOUNDATION

    IT GovernanceIT Governance

Board Briefing on IT Governance

TABLE OF CONTENTS

Executive Summary
1. What Is IT Governance?
2. Why Is IT Governance Important?
3. Who Does It Concern?
4. What Can They Do About It?
   4.1 How Should the Board Address These Challenges?
   4.2 How Should Executive Management Address the Expectations?
5. What Does It Cover?
   5.1 IT Strategic Alignment
   5.2 IT Value Delivery
   5.3 Performance Measurement
   5.4 Risk Management
6. What Questions Should Be Asked?
7. How Is It Accomplished?
8. How Does Your Organisation Compare?
9. What Do Regulatory and Standards Bodies Say?
Appendix A. IT Governance Checklist
Appendix B. Board Action Plan
Appendix C. Management Action Plan
Appendix D. IT Governance Maturity Model
Appendix E. The Emerging Enterprise Model
Appendix F. Regulatory Reports on Governance
References

49/53

Best Practices

[Diagram: IT Governance Toolkit. Labels recovered from the slide: Subjects of attention (IT & Business Objectives; Core IT competencies; Business & Technology Developments); Performance Measurement; Results; Activities; Critical Success Factors; axes WHO and HOW; quadrants V, A, R, P.]

Legend: V = IT Value Delivery; A = IT Strategic Alignment; R = Risk Management; P = Performance Measurement

50/53

51/53

Information Security Governance: Guidance for Boards of Directors and Executive Management

Table of Contents

PURPOSE AND STRUCTURE OF DOCUMENT
INFORMATION SECURITY GOVERNANCE: A PRIMER FOR BOARDS OF DIRECTORS AND EXECUTIVE MANAGEMENT
1. THE BACKGROUND TO INFORMATION SECURITY GOVERNANCE
2. WHAT IS INFORMATION SECURITY?
3. WHY IS INFORMATION SECURITY IMPORTANT?
4. WHO SHOULD BE CONCERNED WITH INFORMATION SECURITY GOVERNANCE?
5. WHAT SHOULD THE BOARD AND MANAGEMENT DO?
   Understand Why Information Security Needs to be Governed
   Ensure It Fits in the IT Governance Framework
   Take Board Level Action
   Take Management Level Action
6. WHAT ARE SOME THOUGHT-PROVOKING QUESTIONS TO ASK?
   To Uncover Information Security Issues
   To Find Out How Management Addresses the Information Security Issues
   To Self-assess Information Security Governance Practices
7. WHAT SHOULD INFORMATION SECURITY GOVERNANCE DELIVER?
   Strategic Alignment
   Value Delivery
   Risk Management
   Performance Measurement
8. WHAT CAN BE DONE TO SUCCESSFULLY IMPLEMENT INFORMATION SECURITY GOVERNANCE?
   Questions for Directors
   Questions for Managers
   Adopt Best Practices
   Consider Critical Success Factors
   Introduce Performance Measures
9. HOW DOES MY ORGANISATION COMPARE?
10. WHAT DO REGULATORY AND STANDARDS BODIES SAY?
REFERENCES

52/53

IT is an integral part of the business.

IT governance is an integral part of corporate governance.

53/53

IT Governance Institute
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.253.1545
Fax: +1.847.253.1443
[email protected]
www.isaca.org
www.ITgovernance.org

This information is provided for the educational use of ISACA members and chapters only. It is copyrighted by the Information Systems Audit and Control Association. Any commercial use by chapters, members or non-members is strictly forbidden.