Transcript of It Gov Books
8/3/2019 It Gov Books
1/53
INFORMATION SYSTEMS AUDIT AND CONTROL FOUNDATION
IT Governance
Some thoughts on how IT risk, control, audit and assurance are evolving beyond COBIT toward the broader concept of IT governance; why IT governance should be on the board agenda wherever IT is strategic to the business; how it fits in the broader concepts of enterprise governance and how management and boards can address it.
-
2/53
What IT problem?
IT governance is the responsibility of the board of directors and consists of the leadership, organisational structures and processes that ensure that the organisation's IT sustains and extends the organisation's strategies and objectives.
What does the board do?
- Are they doing the right things?
- Are they doing them the right way?
- Are they being done well?
- Are we getting benefits?
How does management react?
- Cascading strategy and goals
- Organisational alignment
- A control framework
- Balanced business scorecard
-
3/53
IT Governance (agenda)
- Stakeholders
- Governance Framework
- IT Alignment & Value Delivery
- Performance Measurement
- Risk Management
- Security
- Conclusions
-
4/53
Stakeholders Apply Pressure
- Shareholders and executive: lower cost, higher profitability and increased market share
- Customers and staff: more functionality at lower cost and greater ease of use
- Society: greater accountability for executives in the private and public sectors
-
5/53
What Are Customers Saying? (E-biz facts)
- Guarantee of delivery
- Customer loyalty
- Ease of use
- Customer service
- Security
-
6/53
What Signals Are Regulators Giving? Federal Reserve
- Focus on operational risk, within which security and IT are very significant
- All major risk issues have been caused by breakdowns in:
  - Internal control
  - Oversight
  - Information technology
-
7/53
What Signals Are Regulators Giving? President Clinton's Commission on Critical Infrastructure Protection
- Concern for the extreme dependence of industry on IT
- Two recommendations:
  - Awareness of senior company officers
  - Need to address three technical improvements: authenticate, segregate, make accountable
-
8/53
What Do Standards Say?
- Cadbury: strengthen internal control; boards need to set strategic aims, provide leadership, supervise management and report to shareholders on their stewardship.
- Turnbull: board to assure appropriate and effective processes to monitor risk and the effectiveness of the system of internal control; broader corporate governance role for audit committees ... monitor and report on risks ...
- BIS: ... governance arrangements for critical systems should be effective, accountable and transparent
Stewardship is extending to IT as boards question the depth of their enterprises' reliance on IT.
-
9/53
What Is Management Thinking?
"IT has been the longest running disappointment in business in the last 30 years!"
Jack Welch, Chairman, General Electric, World Economic Forum, Davos, 1997
"Technology can help fulfil a visionary dream, but often its use is closer to a sobering nightmare!"
Vesa Vaino, CEO Merita Bank, SIBOS, Helsinki, 1998
"I am writing a book on the history of information technology in order to better understand why it is such a mess!"
Philippe Corniou, CIO, Renault, IT Governance Forum, Paris, 2001
(Diagram labels: Personal & visual contact; Uncertainty, complexity & growth)
-
10/53
IT Governance (agenda): Stakeholders; Governance Framework; IT Alignment & Value Delivery; Performance Measurement; Risk Management; Security; Conclusions
-
11/53
Why Get Into Governance?
- Due diligence
- IT is critical to the business
- IT is strategic to the business
- Expectations and reality don't match
- IT hasn't gotten the attention it deserves
- IT involves huge investments and large risks
-
12/53
Why Get Into Governance? Due diligence
- Infrastructure and productive functions
- Skills, culture, operating environment
- Capabilities, risks, process knowledge and customer information
- Service levels
Enterprises should be equally inquisitive about themselves.
-
13/53
IT Is Critical to Most Businesses
This criticality arises from:
- The increasing dependence on information and the systems and communications that deliver it
- The dependence on entities beyond the direct control of the enterprise
- IT failures increasingly impacting reputation and enterprise value
- The potential for technologies to dramatically change organisations and business practices, create new opportunities and reduce costs
- The risks of doing business in an interconnected world
- The need to build and maintain knowledge essential to sustain and grow the business
-
14/53
IT Is Strategic to Most Businesses
If so, wouldn't you want to know whether your organisation's information technology is:
- Likely to achieve its objectives?
- Resilient enough to learn and adapt?
- Judiciously managing the risks it faces?
- Appropriately recognising opportunities and acting on them?
-
15/53
Managing Information Technology: Expectations vs. Reality
Expectations:
- Harness and exploit IT to deliver business value
- Provide fast development, with appropriate quality and with security
- Ascertain that IT investments have a quantitative return and that IT does more with less
- Move from efficiency and productivity gains towards value creation and business effectiveness, especially in industries requiring that the focus move from the back office to the front office
Reality:
- Business losses, reputational damage or a weakened competitive position
- Enterprise effectiveness and core processes directly impacted by the quality of IT deliverables
- The failure of IT initiatives intended to bring innovation to the enterprise to achieve their promise
- Technology that is inadequate for the enterprise or obsolete too soon
- Poor support for the business
- Deadlines that are not met
- Costs that are higher than expected and quality and efficiency lower than anticipated
-
16/53
Why Has IT Not Gotten the Attention It Merits?
- IT requires more technical insight than do other disciplines to understand how IT enables the enterprise, creates risks and gives rise to opportunities
- IT has traditionally been treated as an entity separate from the business
- IT is complex, and even more so in the extended enterprise operating in a networked economy
-
17/53
IT Involves Huge Investments and Large Risks
- October 1992: A new command and control system developed by the London Ambulance Service failed on the first day of operation.
- August 1997: UK investment managers Save & Prosper abandoned a major new IT system, having spent 2 million pounds on its design and implementation.
- 1995: Barings Bank collapsed as a result of unauthorised trading, in part enabled by the wilful manipulation of management information.
- October 1998: UK Internet bank Egg launched a new online-only credit card, only to find its technical infrastructure was unable to cope with the demand.
-
18/53
What Should Boards Do About It?
- Be driven by stakeholder value
- Adopt an IT governance framework
- Ask the right questions
- Focus on IT's alignment with the business, value delivery and risk management
- Measure results
(Diagram: Stakeholder Value Drivers at the centre, surrounded by IT Strategic Alignment, IT Value Delivery, Risk Management and Performance Measurement)
-
19/53
What Should Management Do About It?
- Align IT strategy with business goals
- Cascade strategy and goals down into the organisation
- Set up organisational structures that facilitate strategy implementation
- Adopt a control and governance framework
- Provide IT infrastructures that facilitate creation and sharing of business information
- Embed responsibilities for risk management in the organisation
- Focus on important IT processes and core IT competencies
- Measure performance (balanced business scorecard)
-
20/53
COBIT: An IT Control Framework
- Starts from the premise that IT needs to deliver the information that the enterprise needs to achieve its objectives
- Promotes process focus and process ownership
- Divides IT into 34 processes belonging to four domains and provides a high-level control objective for each
- Looks at the fiduciary, quality and security needs of enterprises, providing seven information criteria that can be used to generically define what the business requires from IT
- Is supported by a set of over 300 detailed control objectives
The seven information criteria: effectiveness, efficiency, confidentiality, integrity, availability, compliance, reliability
The four domains: Planning; Acquiring & Implementing; Delivery & Support; Monitoring
-
21/53
COBIT: An IT Control Framework
Recent COBIT developments added a management and governance layer, providing management with a toolbox containing:
- Performance measurement elements (outcome measures and performance drivers for all IT processes)
- A list of critical success factors that provides succinct, non-technical best practices for each IT process
- A maturity model to assist in benchmarking and decision-making for control over IT
-
22/53
IT Governance Defined (1)
Several definitions with common elements:
- Responsibility of the board of directors
- Protects shareholder value
- Ensures risk transparency
- Directs and controls IT investment, opportunity, benefits and risks
- Aligns IT with the business while accepting that IT is a critical input to and component of the strategic plan, influencing strategic opportunities
- Sustains the current operation and prepares for the future
- Is an integral part of a global governance structure
-
23/53
IT Governance Defined (2)
IT governance, like other governance subjects, is the responsibility of executives and shareholders (represented by the board of directors). It consists of the leadership and organisational structures and processes that ensure that the organisation's IT sustains and extends the organisation's strategies and objectives.
-
24/53
IT Governance Framework
(Cycle: Set measurable goals -> Deliver against the goals -> Measure performance -> Compare results -> Act if not aligned -> back to Set measurable goals)
-
25/53
IT Governance Framework
Set Objectives:
- IT is aligned with the business
- IT enables the business and maximises benefits
- IT resources are used responsibly
- IT-related risks are managed appropriately
IT Activities:
- Increase automation (make the business effective)
- Decrease cost (make the enterprise efficient)
- Manage risks (security, reliability and compliance)
(Cycle: Set Objectives -> Provide Direction -> IT Activities -> Measure Performance -> Compare against the objectives)
-
26/53
IT Governance Activities & Subjects
IT Governance Activities (B = board, M = management)
Activity | Board and/or Management | Type
Become informed of role and impact of IT on the enterprise | B/M | Plan
Set direction and expected return | B | Direct
Determine required capabilities and investments | M | Plan
Assign responsibilities | B/M | Direct
Sustain current operations | M | Organise
Make transformation happen | B/M | Direct
Define constraints within which to operate | B | Direct
Acquire and mobilise resources | M | Organise
Measure performance | B | Control
Manage risk | B/M | Control
Obtain assurance | B | Control
-
27/53
IT Governance Activities & Subjects
IT Governance Subjects
- The objectives of information technology, how it:
  - Improves cost-efficiencies
  - Creates revenue enhancement
  - Supports the building of new capabilities
  - Enables core business processes
  - Enables new business models
- The opportunities and risks of new technology:
  - Internet and intranet
  - E-commerce
  - Mobile computing
  - Workflow technology
  - Knowledge systems, etc.
- The key processes and core competencies:
  - The return on investment of IT projects and initiatives, and how they deliver against expectations
  - Performance of IT services against service level agreements
  - IT risks, asset protection and information security
  - IT acquisition and outsourcing strategies
  - Important IT processes such as change, application and problem management
  - Core IT competencies: planning, support, operations, project management, knowledge management
  - Ethical behaviour, data privacy and fraud prevention
-
28/53
IT Governance (agenda): Drivers; Stakeholders; Governance Framework; IT Alignment & Value Delivery; Risk Management; Performance Measurement; Security; Conclusions
-
29/53
IT Alignment
The board should drive business alignment by:
- Ascertaining that the IT strategy is aligned with the business strategy
- Ascertaining that IT delivers against the strategy through clear expectations and measurement
- Directing IT strategy to balance investments between supporting and growing the enterprise
- Making considered decisions about where IT resources should be focused
IT alignment is a journey, not a destination.
(Diagram: Business Strategy, IT Strategy, Business Operations and IT Operations linked by Alignment Activities)
-
30/53
IT Value Delivery
The board should drive alignment to ensure that IT delivers value:
- With the business strategy focusing on competitive advantage, elapsed time for order/service fulfilment, customer satisfaction, customer wait time, employee productivity and profitability
- Supported by an IT strategy that delivers on time, within budget and with the benefits that were promised
IT value is in the eye of the beholder.
Sample measures of business value delivered, by level (chart axes: Time for Business Impact; Degree of influence, from Business Management to IT Management):
- Business unit financial: revenue growth; return on assets; revenue per employee
- Business unit operational: time to bring a new product to market; sales from new product; product or service quality
- Business unit IT applications: implementation time, new application; implementation cost, new application
- Firm-wide IT infrastructure: infrastructure availability; cost per transaction; cost per workstation
-
31/53
IT Risk Management
The board should manage enterprise risk by:
- Ascertaining that there is transparency about the significant risks to the organisation
- Being aware that the final responsibility for risk management rests with the board
- Being conscious that risk mitigation can generate cost-efficiencies
- Considering that a proactive risk management approach creates competitive advantage
- Insisting that risk management is embedded in the operation of the enterprise
It is the IT alligators you do not see that will get you!
-
32/53
IT Risk Management
Risk management expands:
- Risk allocation: contracts, SLAs, etc.
- Risk mitigation: security & control practices
- Risk transfer: insurance & liability
- Risk assurance: audit & certification
- Risk acceptance: formal, transparent
-
33/53
IT Balanced Scorecard: IT Goals and Measures
(Diagram: Information at the centre; four perspectives, Financial, Customer, Process and Learning, each with Goals and Measures)
If you are playing the enterprise game and not keeping IT's score, you are only practising.
-
34/53
IT Balanced Scorecard: Example IT Measures
Financial:
- # of IT customers
- Cost per IT customer
- Cost-efficiency of IT processes up
- Delivery of IT value per employee
Customer:
- Satisfaction of existing customers
- # of new customers reached
- # of new service delivery channels
Process:
- Availability of systems & services
- Developments on schedule & budget
- Throughput & response times
- Amount of errors and rework
- Level of service delivery up
Learning:
- Staff productivity & morale
- # of staff trained in new technologies/services
- Value delivery per employee up
- Increased availability of knowledge systems
-
35/53
Scorecard Objectives
- Demonstrate the value added by the IT organisation
- Establish a balanced set of measures for determining the effectiveness of the IT organisation
- Set guidelines for creating the IT strategic plan and linking it into operational plans
- Communicate and motivate IT performance in key areas as required by the business and its stakeholders
- Establish a framework for IT management reporting
"Approval of an IT scorecard by key stakeholders should be considered an IT governance best practice. An IT scorecard is one of the most effective means to achieve IT and business alignment."
From Ron Saull, CIO, Investors Group, Ca
-
36/53
IT Governance (agenda): Drivers; Stakeholders; Governance Framework; IT Alignment & Value Delivery; Risk Management; Performance Measurement; Security; Conclusions
-
37/53
Information Security: Some Practices for the Board Room
- Know what questions to ask
- Know what is needed
- Raise the awareness at the top
- Have clarity of purpose
- Measure your performance
- Keep on doing it
-
38/53
Information Security: Some Questions for the Board Room
- Would people recognise a security incident when they saw one? Would they ignore it? Would they know what to do about it?
- Does anyone know how many computers the company owns? Would management know if some went missing?
- Does anyone know how many people are using the organisation's systems? Does anybody care whether they are allowed or not, or what they are doing?
- Did the company suffer from the latest virus attack? How many did it have last year?
- What are the most critical information assets of the enterprise? Does management know where the enterprise is most vulnerable?
- Is management concerned that company confidential information can be leaked?
- Has the organisation ever had its network security checked by a third party?
- Is IT security a regular agenda item at IT management meetings?
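The practical way to answer the "how many people are using the systems, and are they allowed?" questions above is to reconcile three sources that are usually never compared: the HR roster, the account store and the authentication logs. The following is an added example and is not part of the ISACA deck. The roster, the account export and the log lines are constructed for illustration, their formats are hypothetical, and the access-review cutoff date stands in for an assumed review policy.

```python
"""Reconcile who can use the organisation's systems against who is allowed to.

Added example, not from the ISACA deck. Every input below is constructed:
a hypothetical HR roster, a hypothetical account export and a few
authentication log lines in a made-up "date user host outcome" format.
"""

# Constructed HR roster: people currently employed.
HR_ROSTER = frozenset({"alice", "bob", "carol"})

# Constructed account export: username -> (owner, enabled, last review ISO date).
ACCOUNTS = {
    "alice":   ("alice", True,  "2001-01-15"),
    "bob":     ("bob",   True,  "2001-01-15"),
    "dave":    ("dave",  True,  "1999-06-01"),  # owner has left; never disabled
    "svc_bkp": (None,    True,  "2000-03-03"),  # service account with no owner
    "carol":   ("carol", False, "2001-01-15"),  # correctly disabled
}

# Constructed authentication log (hypothetical format: date user host outcome).
AUTH_LOG = """\
2001-02-01 alice wks12 success
2001-02-01 dave fileserver success
2001-02-02 svc_bkp fileserver success
2001-02-02 mallory wks07 failure
2001-02-03 bob wks03 success
2001-02-03 eve wks09 success
"""

# Assumed policy: every account must have been reviewed on or after this date.
REVIEW_CUTOFF = "2000-12-31"


def successful_logins(log_text):
    """Usernames with at least one successful login in the log."""
    users = set()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[3] == "success":
            users.add(parts[1])
    return users


def reconcile(roster, accounts, log_text, review_cutoff):
    """Return (user, issue) pairs a board-level reviewer would want to see.

    ISO dates compare correctly as strings, so no date parsing is needed.
    """
    findings = []
    for user, (owner, enabled, last_review) in accounts.items():
        if owner is None:
            findings.append((user, "no accountable owner"))
        elif enabled and owner not in roster:
            findings.append((user, "enabled but owner not in HR roster"))
        if last_review < review_cutoff:
            findings.append((user, "access not reviewed since cutoff"))
    # Successful logins by names the account store does not know about.
    for user in sorted(successful_logins(log_text) - set(accounts)):
        findings.append((user, "successful login by unknown account"))
    return findings


def summary(roster, accounts, log_text, review_cutoff):
    """Counts that answer the 'how many' questions before the board asks them."""
    active = successful_logins(log_text)
    return {
        "accounts": len(accounts),
        "enabled": sum(1 for _, enabled, _ in accounts.values() if enabled),
        "active_users": len(active),
        "active_not_in_roster": len(active - roster),
        "findings": len(reconcile(roster, accounts, log_text, review_cutoff)),
    }


if __name__ == "__main__":
    for user, issue in reconcile(HR_ROSTER, ACCOUNTS, AUTH_LOG, REVIEW_CUTOFF):
        print(f"{user:10} {issue}")
    print(summary(HR_ROSTER, ACCOUNTS, AUTH_LOG, REVIEW_CUTOFF))
```

Run against the constructed data, the check surfaces the account whose owner has left, the service account nobody is accountable for, the two accounts that have missed their review and a successful login by a name that does not exist in the account store at all. The same three-way comparison works with a real HR export, a directory dump and syslog or Windows security events once the parsing is adapted to those formats.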
-
39/53
IT Security Requirements
Business drivers:
- Shorter business cycles
- Need to involve/connect/tie in with more partners
- Network-centric business models
- Leverage VPN, remote access, collaborative tools
Technology drivers:
- Internet - UNIX - TCP/IP
- More hackers, more tools
- Increased dependency on IT
- E-cash, e-commerce, e-tc.
- Open, modular, scalable
- Security a commodity
These drivers lead, through "Manage Risk" and "Leverage Opportunities", to the requirements:
- Managing networked client/server (c/s) systems
- Provenance control
- Non-sharable information
- Profiling users
- Trust
-
40/53
IT Security Awareness
How to sell to top management (different styles depending on function):
- FUD (fear, uncertainty and doubt)
- Cost reduction
- Responsibility
- Differentiator
- Cost of security
- Strategic approach: benchmark, gap analysis, choices
-
41/53
Cost of IT Security
Cost of security and control vs. IT budget (chart: four stages, each with its share of the IT budget):
- Cowboy operation: 5 - 10%
- Baseline operation: 20 - 25%
- Good practice: 45 - 50%
- Industry reference site: 55%
Drivers for change from one stage to the next: cost of noncompliance, benchmarking, leadership.
-
42/53
IT Security Performance
(Figure 1: six security areas, presented in the diagram under the headings Policy & Procedures, Process and Tools & Technology, with weights totalling 100: 1. Policies & procedures (10), 2. Security management (10), 3. Human behaviour & culture (20), 4. Application security (20), 5. System access control (20), 6. Network segregation (20). Each area is rated on the 0-5 scale below and three series are compared: average of best security performers in the financial industry (begin 96), company status Feb 97, and company objective for 2001.)
(Figure 2: IT Security Performance, index 0-100 plotted for 1996 to 2001; plotted values range from 42 to 96.)
Legend for ranking used:
5 - Excellent: best possible, highly integrated
4 - Very good: advanced level of practice
3 - Good: moderately good level of practice
2 - Fair: some effort made to address issues
1 - Poor: recognise the issues
0 - Very poor: complete lack of good practice
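The six areas, their weights and the 0-5 ranking above are what the slide gives; it does not say how the per-area ratings are combined into the 0-100 index of the performance chart. The following added example (not from the ISACA deck) assumes the simplest reading that fits, a weight-normalised sum, and uses it to rank where a point of effort buys the most index. The current and target ratings are constructed, not the company's figures.

```python
"""Weighted security-practice index and gap ranking.

Added example, not from the ISACA deck. The six areas, their weights and the
0-5 rating scale are taken from the slide; the formula (weight-normalised sum
giving a 0-100 index) is an assumption suggested by the weights totalling 100
and the performance chart running 0-100. The ratings are constructed.
"""

WEIGHTS = {
    "Policies & procedures":     10,
    "Security management":       10,
    "Human behaviour & culture": 20,
    "Application security":      20,
    "System access control":     20,
    "Network segregation":       20,
}
MAX_RATING = 5  # 0 very poor, 1 poor, 2 fair, 3 good, 4 very good, 5 excellent

# Constructed ratings, not the company's figures.
CURRENT = {"Policies & procedures": 2, "Security management": 1,
           "Human behaviour & culture": 2, "Application security": 3,
           "System access control": 2, "Network segregation": 1}
TARGET = {"Policies & procedures": 4, "Security management": 4,
          "Human behaviour & culture": 4, "Application security": 5,
          "System access control": 5, "Network segregation": 5}


def validate(ratings):
    """Every weighted area must be rated, with an integer in 0..MAX_RATING."""
    missing = set(WEIGHTS) - set(ratings)
    if missing:
        raise ValueError(f"unrated areas: {sorted(missing)}")
    for area, r in ratings.items():
        if area not in WEIGHTS:
            raise ValueError(f"unknown area: {area}")
        if not isinstance(r, int) or not 0 <= r <= MAX_RATING:
            raise ValueError(f"rating for {area} must be an integer 0..{MAX_RATING}")


def index(ratings):
    """Weighted index on a 0-100 scale (assumed formula, see module docstring)."""
    validate(ratings)
    return sum(WEIGHTS[a] * ratings[a] for a in WEIGHTS) / MAX_RATING


def gaps(current, target):
    """Index points recoverable per area by reaching the target, largest first.

    Ties are broken by area name so the ranking is deterministic.
    """
    validate(current)
    validate(target)
    result = [(a, WEIGHTS[a] * (target[a] - current[a]) / MAX_RATING) for a in WEIGHTS]
    return sorted(result, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    print(f"current index {index(CURRENT):.0f}, target index {index(TARGET):.0f}")
    for area, pts in gaps(CURRENT, TARGET):
        print(f"{area:26} +{pts:.0f} index points")
```

With the constructed ratings the current index is 38 against a target of 92, and the ranking puts network segregation and system access control first: the 20-weight areas with the largest rating shortfall dominate, while raising the 10-weight policy area buys comparatively little. The per-area gaps always sum to the index gap, which is a useful sanity check when the numbers go into a board pack.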
-
43/53
IT Security Is a Continuous Effort
(Cycle around Security Management: Issue Security Policy -> Design Security Defenses -> Perform Active Monitoring -> Perform Intrusion Testing -> back to Issue Security Policy)
-
44/53
IT Governance (agenda): Drivers; Stakeholders; Governance Framework; IT Alignment & Value Delivery; Performance Measurement; Risk Management; Security; Conclusions
-
45/53
IT Governance Summarized
Objectives:
- To understand the issues and the strategic importance of IT
- To ensure that the enterprise can sustain its operations
- To ascertain that it can implement the strategies required to extend its activities into the future
Goal:
- Ensuring that expectations for IT are met and IT risks are mitigated
Position:
- Within broad governance arrangements that cover relationships between the entity's management and its governing body, its owners and its other stakeholders, and that provide the structure through which:
  - The entity's overall objectives are set
  - The method of attaining those objectives is outlined
  - The manner in which performance will be monitored is described
-
46/53
Become Informed About:
- Business and IT performance measures
- Business and IT outcome drivers
- IT strategic and alignment issues
- Best practices in IT governance
- Questions boards and management should ask
-
48/53
Board Briefing on IT Governance
Table of Contents
Executive Summary
1. What Is IT Governance?
2. Why Is IT Governance Important?
3. Who Does It Concern?
4. What Can They Do About It?
4.1 How Should the Board Address these Challenges?
4.2 How Should Executive Management Address the Expectations?
5. What Does It Cover?
5.1 IT Strategic Alignment
5.2 IT Value Delivery
5.3 Performance Measurement
5.4 Risk Management
6. What Questions Should Be Asked?
7. How Is It Accomplished?
8. How Does Your Organisation Compare?
9. What Do Regulatory and Standards Bodies Say?
Appendix A. IT Governance Checklist
Appendix B. Board Action Plan
Appendix C. Management Action Plan
Appendix D. IT Governance Maturity Model
Appendix E. The Emerging Enterprise Model
Appendix F. Regulatory Reports on Governance
References
-
49/53
IT Governance Toolkit
(Diagram, WHO x HOW: Best Practices; Subjects of attention: IT & Business Objectives, Core IT competencies, Business & Technology Developments; Performance Measurement: Measurement, Results; Activities; Critical Success Factors. Each element is tagged V, A, R or P.)
V = IT Value Delivery; A = IT Strategic Alignment; R = Risk Management; P = Performance Measurement
-
51/53
Information Security Governance: Guidance for Boards of Directors and Executive Management
Table of Contents
Purpose and Structure of Document
Information Security Governance: A Primer for Boards of Directors and Executive Management
1. The Background to Information Security Governance
2. What Is Information Security?
3. Why Is Information Security Important?
4. Who Should Be Concerned with Information Security Governance?
5. What Should the Board and Management Do?
  Understand Why Information Security Needs to be Governed
  Ensure It Fits in the IT Governance Framework
  Take Board Level Action
  Take Management Level Action
6. What Are Some Thought-Provoking Questions to Ask?
  To Uncover Information Security Issues
  To Find Out How Management Addresses the Information Security Issues
  To Self-assess Information Security Governance Practices
7. What Should Information Security Governance Deliver?
  Strategic Alignment
  Value Delivery
  Risk Management
  Performance Measurement
8. What Can Be Done to Successfully Implement Information Security Governance?
  Questions for Directors
  Questions for Managers
  Adopt Best Practices
  Consider Critical Success Factors
  Introduce Performance Measures
9. How Does My Organisation Compare?
10. What Do Regulatory and Standards Bodies Say?
References
-
52/53
IT is an integral part of the business.
IT governance is an integral part of corporate governance.
-
53/53
IT Governance Institute
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.253.1545
Fax: +1.847.253.1443
[email protected]
www.isaca.org
www.ITgovernance.org
This information is provided for the educational use of ISACA members and chapters only. It is copyrighted by the Information Systems Audit and Control Association. Any commercial use by chapters, members or non-members is strictly forbidden.