CISAb

Governance and Management of IT


What is Governance?
o The means to direct and control an organization in order to meet its strategic objectives
o Ethical issues, decision making and overall practices flow through governance
o EGIT is the responsibility of the board of directors and executive management

Enterprise Governance of IT (EGIT)
o EGIT is all about stewardship of IT resources
o EGIT frameworks address:
  o IT resource management
  o Performance measurement
  o Compliance management

Governance vs. Management
o These disciplines contain different types of activities and require different organizational structures
o Governance makes sure stakeholder needs, conditions and options are evaluated to determine enterprise objectives
o Management plans, builds, runs and monitors activities in alignment with the direction set by governance

EGIT in the Organization
o The key element of EGIT is the alignment of business and IT that leads to the achievement of business value (COBIT 2019)
o EGIT is concerned with:
  o IT delivering value to the business
  o IT risk being managed
Best Practices for EGIT
o IT governance should satisfy stakeholder needs and generate value
o EGIT is significant because:
  o Businesses are demanding a better return on IT investments
  o Regulatory requirements must be met (GDPR, HIPAA, etc.)
  o Organizations need to assess how they perform against standards and peers (benchmarking)

Audit and Governance
o Controls help maintain direction and guidance for organizations
o Audit provides leading-practice recommendations to senior management
o Audit helps ensure compliance with EGIT initiatives
o The status and skill sets of the IS auditor should be checked for appropriateness

Information Security and Governance
o The strategy of a business must be supported by information security
o NIST (SP 800-100) describes information security governance (ISG) as the process of establishing and maintaining a framework that provides assurance that information security strategies support the business and protect its information systems
o ISG must align with and support business objectives and be consistent with applicable laws and regulations

Information Security and Governance
o The board of directors and CEO are accountable and responsible for ISG
o The CEO reports to the board and is responsible for implementing the ISG policies
o Senior managers who approve and create security policies should come from all areas of the organization
o Policy approval should be based on consensus
Strategy and Planning
o From an information systems perspective, strategic planning looks at the "long game"
o Existing portfolios should be considered when planning strategy
o IS auditors should pay attention to the importance of strategic objectives
o IT should be heavily involved in planning strategic objectives

Business Intelligence
o Business Intelligence (BI) is all about collecting and analyzing information to assist decision making in an organization
o BI is applied to:
  o Process cost, efficiency and quality
  o Customer satisfaction
  o Customer profitability
  o Risk management

BI and the Enterprise Data Flow Architecture (EDFA)
o Presentation/Desktop Layer
o Data Source Layer
o Core Data Warehouse
o Data Mart Layer
o Data Staging Layer
o Data Access Layer
o Metadata Repository
o Warehouse Management Layer

Data Governance and Analytics
o Establish a business/IT advisory team that brings together different functional perspectives
o Final funding decisions should rest with an IT steering group
o Analysis models include:
  o Context diagrams
  o Activity or swim-lane diagrams
  o Entity relationship diagrams
IT Standards, Policies and Procedures
o Standards: a mandatory requirement, code of practice or specification
o Policies: high-level statements of management intent, expectations and direction
o Procedures: documented, defined steps for achieving policy objectives
o Guidelines: non-mandatory recommendations for achieving good results

Policies
o Management should review all policies periodically
o IS auditors should understand that they will encounter and test policies (part of the audit scope)
o One of the most important policies will be the information security policy

The Information Security Policy
o Must be approved by senior management
o Must be documented
o Must be communicated throughout the entire organization
o Should be reviewed at planned intervals and when major changes occur
Organizational Structures
o The structure of an organization is vitally important to governance
o The important thing to discern is the different IT governing committees:
  o IT Strategy Committee
  o IT Steering Committee

IT Strategy Committee
o Provides insight and advice to the board on:
  o Relevance of IT developments
  o Alignment of IT with business direction
  o Availability of suitable IT resources to meet the strategic objectives
  o Risk and competitive aspects of IT investments
o Advises the board and management on IT strategy

IT Steering Committee
o Decides the level of IT spending
o Approves project plans and budgets
o Monitors project plans for delivery of expected value
o Communicates strategic goals to project teams
o Assists the executive management team in the delivery of IT strategy
o Typically has the CIO as a member
Roles and Responsibilities
o Board of Directors
o Senior Management
o Information Security Standards Committee
o Chief Information Security Officer (CISO)
o IT positions

Board of Directors
o Provides ultimate direction and strategy for the organization
o The attitude at the top must favor effective security governance
o The board of directors is ultimately accountable and responsible for the entire organization

Executive and Senior Management
o Implements effective security governance and defines the strategic security objectives
o Made up of C-suite and VP levels
o Responsible for implementing the board of directors' strategy and objectives

IT Steering Committee and CISO
o The ITSC oversees the IT function and its activities
o A member of the board of directors should chair this committee if possible
o Duties and responsibilities should be defined in the committee charter
o CISO: every organization has one, whether or not anyone holds the title

Segregation of Duties (SoD)
o Avoids the possibility that a single person is responsible for critical functions in a way that allows error or misuse to occur
o Helps to protect against fraudulent and/or malicious acts
o Privileged user activity should be logged to a separate system that those users cannot alter

Segregation of Duties (SoD)
o SoD control examples:
  o Transaction authorization
  o Custody of assets
  o Data access controls

Segregation of Duties (SoD)
o Compensating control examples (used where full separation is not practical, e.g. in small teams):
  o Audit trails
  o Reconciliation
  o Exception reporting
  o Transaction logs
  o Supervisory reviews
  o Independent reviews
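The following is an added example (not from these slides) of how the SoD and compensating-control points above can be checked mechanically: a small Python script takes user-to-role assignments, expands each role to the duties it grants, flags any user holding a conflicting pair of duties, and reports whether a documented compensating control covers the conflict. The duty names, the conflict ("toxic combination") matrix, the role mapping and the user assignments are all constructed for illustration; a real review would pull them from the IAM system and the organization's own SoD matrix.

```python
"""Segregation-of-duties check over user-to-role assignments.

Added example, not part of the slide deck. The duties, conflict matrix,
role mapping and assignments below are constructed for illustration.
"""

# Conflicting duty pairs ("toxic combinations"). The first three are the
# classic authorize / custody / record triangle; the last one is an
# access-administration example. All assumed for this example.
CONFLICTS = {
    frozenset({"authorize_transaction", "custody_of_assets"}),
    frozenset({"authorize_transaction", "record_transaction"}),
    frozenset({"custody_of_assets", "record_transaction"}),
    frozenset({"grant_data_access", "review_access_logs"}),
}

# Role -> duties the role grants (assumed mapping).
ROLE_DUTIES = {
    "ap_clerk": {"record_transaction"},
    "ap_manager": {"authorize_transaction"},
    "treasury": {"custody_of_assets"},
    "iam_admin": {"grant_data_access"},
    "security_reviewer": {"review_access_logs"},
}


def duties_for(roles):
    """Union of the duties granted by all of a user's roles."""
    duties = set()
    for role in roles:
        duties |= ROLE_DUTIES.get(role, set())
    return duties


def sod_violations(roles):
    """Conflicting duty pairs that a single user would hold with these roles."""
    duties = duties_for(roles)
    return {pair for pair in CONFLICTS if pair <= duties}


def review(assignments, compensating=None):
    """Build a report {user: [(sorted duty pair, status), ...]}.

    assignments:  {user: [role, ...]}
    compensating: {user: {conflict_pair: "description of compensating control"}}
                  for conflicts the organization has accepted with a
                  compensating control (supervisory review, reconciliation, ...).
    Users with no conflicts do not appear in the report.
    """
    compensating = compensating or {}
    report = {}
    for user, roles in assignments.items():
        for pair in sorted(sod_violations(roles), key=sorted):
            control = compensating.get(user, {}).get(pair)
            status = f"compensated: {control}" if control else "UNMITIGATED"
            report.setdefault(user, []).append((tuple(sorted(pair)), status))
    return report


# Constructed sample: two clean users, one accepted conflict, one open one.
SAMPLE_ASSIGNMENTS = {
    "alice": ["ap_clerk"],
    "bob": ["ap_manager", "treasury"],            # authorizes and holds custody
    "carol": ["iam_admin", "security_reviewer"],  # grants access and reviews the logs
    "dave": ["treasury"],
}
SAMPLE_COMPENSATING = {
    "bob": {
        frozenset({"authorize_transaction", "custody_of_assets"}):
            "monthly supervisory review of treasury payments",
    },
}

if __name__ == "__main__":
    for user, findings in review(SAMPLE_ASSIGNMENTS, SAMPLE_COMPENSATING).items():
        for (a, b), status in findings:
            print(f"{user}: holds both '{a}' and '{b}' -> {status}")
```

Run as written, it reports bob's conflict as compensated and carol's as UNMITIGATED, which is the distinction an auditor cares about: an unmitigated conflict is a finding, a compensated one is a control whose operation still has to be tested.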
Risk Management in the Enterprise
o Enterprise architecture (EA) provides structured documentation of an organization's assets
o Risk management builds on the EA
o Begins with a clear understanding of an organization's risk appetite
o Risk is identified, analyzed, planned for and responded to as part of risk management

Risk Management in Action
o Identify assets
o Evaluate threats to assets
o Evaluate impact to assets
o Calculate risk
o Evaluate risk responses

Risk Management
o Operates at multiple levels:
  o Operational level
  o Project level
  o Strategic level
o Risk management should achieve a cost-effective balance between control implementation and acceptance of risk
Risk Analysis
o Risk analysis is part of the risk assessment process
o There are three primary modes of analysis:
  o Qualitative
  o Quantitative
  o Semi-quantitative

Qualitative Risk Analysis
o Uses word or descriptive rankings to describe probability and impact (e.g., High, Med, Low)
o Fast and easy to assemble into probability and impact matrices
o Lacks the rigor that management customarily expects

Quantitative and Semi-quantitative
o Quantitative analysis uses numeric values, typically time or money
o Generally performed during business impact analyses (BIAs)
o Semi-quantitative analysis keeps the descriptive rankings of qualitative analysis and maps them to a numeric scale
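To make the "calculate risk" step of the risk management process and the three modes of analysis concrete, here is an added Python example (not from these slides) that scores one constructed risk register three ways: a qualitative probability/impact matrix, a semi-quantitative numeric mapping of the same rankings, and a quantitative annualized loss. The 3x3 matrix, the 1/2/3 scale, the register entries and the annualized loss formula ALE = SLE x ARO (a standard quantitative method the slides do not spell out) are all assumptions made for the example. It also shows the cost-effective balance from the risk management slide: a control is worth buying only when the annual loss it removes exceeds its annual cost.

```python
"""Three modes of risk analysis over one constructed risk register.

Added example, not part of the slide deck. The scales, the matrix, the
register and the ALE = SLE x ARO formula are assumptions for illustration.
"""
from dataclasses import dataclass

# Qualitative scale, lowest to highest (assumed three-point scale).
LEVELS = ("Low", "Med", "High")

# Semi-quantitative: the same words mapped to numbers (assumed 1/2/3).
SCORE = {"Low": 1, "Med": 2, "High": 3}

# Qualitative probability x impact matrix (assumed; tune to the organization).
MATRIX = {
    ("Low", "Low"): "Low",   ("Low", "Med"): "Low",   ("Low", "High"): "Med",
    ("Med", "Low"): "Low",   ("Med", "Med"): "Med",   ("Med", "High"): "High",
    ("High", "Low"): "Med",  ("High", "Med"): "High", ("High", "High"): "High",
}


@dataclass
class Risk:
    name: str
    probability: str  # qualitative ranking from LEVELS
    impact: str       # qualitative ranking from LEVELS
    sle: float        # single loss expectancy, money per occurrence
    aro: float        # annualized rate of occurrence, events per year


def qualitative(r: Risk) -> str:
    """Word rating from the probability/impact matrix."""
    return MATRIX[(r.probability, r.impact)]


def semi_quantitative(r: Risk) -> int:
    """Numeric score 1..9 derived from the same word rankings."""
    return SCORE[r.probability] * SCORE[r.impact]


def annualized_loss(r: Risk) -> float:
    """Quantitative: ALE = SLE x ARO, in money per year."""
    return r.sle * r.aro


def ranked(register, mode):
    """Risk names ordered highest first under the chosen mode."""
    key = {
        "qualitative": lambda r: LEVELS.index(qualitative(r)),
        "semi": semi_quantitative,
        "quantitative": annualized_loss,
    }[mode]
    return [r.name for r in sorted(register, key=key, reverse=True)]


def control_worthwhile(r: Risk, annual_control_cost: float, residual_aro: float):
    """Cost-effective balance: (justified?, annual loss the control removes).

    A control that lowers the ARO to residual_aro removes
    SLE x (ARO - residual ARO) per year; buy it only if that exceeds its cost.
    """
    reduction = annualized_loss(r) - r.sle * residual_aro
    return reduction > annual_control_cost, reduction


# Constructed register (values are illustrative, not from any real assessment).
REGISTER = [
    Risk("Ransomware on file server", "Med", "High", sle=250_000, aro=0.25),
    Risk("Laptop lost in transit", "High", "Low", sle=2_000, aro=3.0),
    Risk("Data center flood", "Low", "High", sle=1_000_000, aro=0.02),
]

if __name__ == "__main__":
    for mode in ("qualitative", "semi", "quantitative"):
        print(f"{mode:>13}: {ranked(REGISTER, mode)}")
    # Hypothetical control that halves the ransomware ARO for 30,000 a year.
    ok, saved = control_worthwhile(REGISTER[0], annual_control_cost=30_000, residual_aro=0.125)
    print(f"control removes {saved:,.0f}/yr of expected loss -> {'justified' if ok else 'not justified'}")
```

Note that the three modes do not agree on the order: the word matrix and the 1..9 score put the laptop loss ahead of the flood, while the annualized loss puts the flood second because its single-loss figure is large. That disagreement is why a BIA states which mode it used.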
Maturity Models
o The quality of controls and policies in an organization depends upon their maturity
o Maintaining consistent effectiveness and efficiency requires a process maturity framework
o Two maturity models:
  o CMMI (Capability Maturity Model Integration)
  o IDEAL (Initiating, Diagnosing, Establishing, Acting and Learning)

CMMI Characteristics of Maturity Levels
Level 1 (Initial): incomplete set of activities; not organized at all
Level 2 (Managed): basic, yet complete, set of activities
Level 3 (Defined): organized, using organizational assets; well-defined processes
Level 4 (Quantitatively Managed): well-defined processes with quantitative measurement performed
Level 5 (Optimizing): all about continuous improvement at this level (kaizen)
Role of Industry Standards and Regulations
o Globally there are compliance requirements in regard to privacy, intellectual property and fiduciary responsibility
o There are also industry-specific compliance requirements
o IS auditors should be aware of all global, regional and industry-specific regulations

Governance, Risk and Compliance (GRC)
o Three overlapping and related activities within an organization
o Includes internal audit, compliance programs, operational risk, incident management and problem management

GRC Role of the IS Auditor
o Auditors should consider:
  o Assignment of responsibility to senior management
  o Reliable background of staff
  o Standards and procedures
  o Communication of policies
  o Consistent enforcement
  o Compliance monitoring and auditing
Resource Management of IT
o Every organization would say that it doesn't have enough resources
o IS auditors should recognize that an organization's resource utilization determines the level of value offered
o There are financial and non-financial benefits of IT investments
o Non-financial benefits should be made visible to help understand the overall impact on quality and compliance

IT Portfolio Management
o IT service-based organizations typically have a service/product portfolio
o Contains current offerings, planned offerings and retired offerings
o Implementation of the portfolio:
  o Risk profile analysis
  o Diversification of projects
  o Continuous alignment with objectives
Human Resource Management
o IS auditors need to recognize that there is more than IT systems to investigate
o Policies for recruiting, hiring, training and promoting staff, as they relate to the IT function, must be investigated as well
o One important tool to look for is an updated employee handbook

IS Audits and HR
o Required vacations
o Training
o Termination policies
Organizational Change Management
o Processes to allow change at an organizational level
o Technology advancement might require a change in the organization's hierarchy
o Communication is key, as is user and stakeholder feedback

Financial Management Practices
o Chargeback provides parties with a "marketplace" measure of the service provided
o Accounting standards require that companies have a detailed understanding of costs related to software development
o IS auditors should at least be aware of the six IAS 38 criteria for capitalizing development costs (or how to research them) and of IFRS
IT Service Provider Acquisition and Management
o Delivery of IT functions and services is accomplished by:
  o Insourcing
  o Outsourcing
  o Hybrid
o IT functions can be performed:
  o Onsite
  o Offsite
  o Offshore

Outsourcing Practices
o The decision to outsource is a strategic one made by the board of directors and executive management
o Reasons for outsourcing:
  o Profit margins
  o Increasing competition
  o Focusing on core competencies
  o Need for flexibility with structure and market sizing

Auditing and Outsourcing
o IS auditors help organizations consider:
  o Legal and regulatory issues
  o Continuity of operations
  o Telecommunication issues
  o Cross-border and cross-cultural issues
o IS auditors should be familiar with SSAE 18 reports:
  o SOC 1 (controls relevant to the customer's financial reporting), SOC 2 (trust services criteria: security, availability, processing integrity, confidentiality, privacy) and SOC 3 (general-use summary of a SOC 2)
  o A Type II report covers operating effectiveness over a period; a Type I only covers control design at a point in time
Third-Party Services
o Governance in outsourcing requires both parties to add contractual aspects
o Roles and responsibilities must be clearly defined
o Resource allocation must be set up beforehand
o Overall, governance should be preplanned and built into the contract

Managing Change to Third-Party Services
o A key factor in managing change is the service level agreement (SLA) with the supplier/vendor
o Change is helpful in improving services and user satisfaction
o Changes must consider existing controls and policies, especially in the area of security
o Both parties will typically agree on the process of change in all areas of the agreement
Quality Assurance and IT Audits
o IS auditors should understand the big picture of how quality assurance and quality control operate within the organization
o The two terms are often used interchangeably, but there are differences
o QA is often used with change and release management policies
o Source code management software helps oversee program versions and source code integrity

Quality Assurance vs Quality Control
Quality Assurance: systematic and planned activities that assure a product/item/service conforms to the requirements set by the stakeholders. QA helps personnel follow prescribed processes.
Quality Control: observation techniques and activities that test whether software, hardware, etc. fulfill the required attributes. This is done at several stages but must be completed prior to production.

Quality Assurance and Audits
o QA groups should be independent within an organization
o Even in a small organization, no individual should review his/her own work
o SoD is very important in this area
o Policies and controls will deal primarily with process and personnel
Performance Monitoring and Reporting
o Performance metrics must be designed to accurately measure against expectations
o Performance is NOT how well a system works
o Performance IS how the service or product is perceived by users and other stakeholders

Performance Optimization
o Critical success factors (CSFs) for governance:
  o Approval of goals by stakeholders
  o Acceptance of accountability for achieving goals by management
o Methodologies, frameworks and tools:
  o PDCA
  o ITIL
  o COBIT

Tools and Reporting Methods
o Six Sigma
o Benchmarking
o Root cause analysis
o IT Balanced Scorecard (BSC)
o Key Performance Indicators (KPIs)
