
Auditing Information Systems (AIS)

Lecture – 5 - ‘IT Governance’

Corporate Governance

• Ethical corporate behavior by directors or others charged with governance in the creation and presentation of value for all stakeholders

• The distribution of rights and responsibilities among different participants in the corporation, such as the board, managers, shareholders and other stakeholders

• Establishment of rules to manage and report on business risks

IT Governance

• Comprises the body of issues addressed in considering how IT is applied within the enterprise.

• Effective enterprise governance focuses on:

▫ Individual and group expertise

▫ Experience in specific areas

• Key element: alignment of business and IT

• Two issues:

▫ IT delivers value to the business

▫ IT risks are managed

IT Governance (contd.)

IT governance implies a system where all stakeholders provide input into the decision-making process:

• Board

• Internal customers

• Finance; etc.

Practice Question

2-1 IT governance ensures that an organization aligns its IT strategy with:

A. enterprise objectives.

B. IT objectives.

C. audit objectives.

D. control objectives.

IT Strategy

• What is Strategy?

• Business Strategy

▫ Business Goals and Objectives

▫ Is the CIO or senior IT management involved in the creation of the overall business strategy?

Strategic Planning!!!

• IT Goals and Objectives

• Aligned with Business Goals

• Are IT and Business Strategy Aligned?

[Diagram: IT Strategy and Business Strategy, captioned "Alignment: Why?"]

IT Strategy Committee

• An IT strategy committee is an industry best practice

• Ensures that the IS department is in harmony with the corporate mission and objectives

Scope

• Advise on strategy when assisting the board in its IT governance responsibilities

• Focus on IT value, risks and performance

• Make recommendations for any changes necessary in IT strategy.

IT Steering Committee

• An IT steering committee is an industry best practice

• Comprises IT and representatives of key departments

Scope

• Approves IT-related projects or presents them to the board for approval

• Monitors and controls ongoing projects

Information Security Governance

• Focused activity with specific value drivers

▫ Integrity of information (Integrity)

▫ Continuity of services (Availability)

▫ Protection of information assets (Confidentiality)

• Integral part of IT governance

• The information security program should be designed to support overall business objectives.

Information Security Governance (Contd.)

Significance

Effective information security can add significant value to an organization by:

▫ Providing greater reliance on interactions with trading partners

▫ Improving trust in customer relationships

▫ Protecting the organization’s reputation

▫ Enabling new and better ways to process electronic transactions

Information Security Governance (Contd.)

Information security governance requires strategic direction from:

▫ Boards of directors / senior management

▫ Executive management

▫ Steering committees

▫ Chief information security officers

Practice Question

2-2 Which of the following would be included in an IS Strategic plan?

A. Specifications for planned hardware purchases

B. Analysis of future business objectives

C. Target dates for development projects

D. Annual budgetary targets for the IS department

Practice Question

2-3 Which of the following BEST describes an IT department’s strategic planning process?

A. The IT department will have either short-range or long-range plans depending on the organization’s broader plans and objectives.

B. The IT department’s strategic plan must be time- and project-oriented, but not so detailed as to address and help determine priorities to meet business needs.

C. Long-range planning for the IT department should recognize organizational goals, technological advances and regulatory requirements.

D. Short-range planning for the IT department does not need to be integrated into the short-range plans of the organization since technological advances will drive the IT department plans much quicker than organizational plans.

Policies and Procedures

• Reflect management guidance and direction in developing controls over information systems, related resources and IS department processes.

• High-level documents

• Must be clear and concise

• Set the tone for the organization as a whole (top down)

Policies and Procedures (Contd.)

Policies

Information Security Policy

• Defines information security, overall objectives and scope

• Is a statement of management intent

• Is a framework for setting control objectives, including risk management

• Defines responsibilities for information security management

Policies and Procedures (Contd.)

Procedures

Procedures are detailed documents that:

▫ Define and document the implementation of policies

▫ Must be derived from the parent policy

▫ Must implement the spirit (intent) of the policy statement

▫ Must be written in a clear and concise manner

Risk Management

The process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives.

Risk treatment options:

▫ Avoid

▫ Mitigate

▫ Transfer

▫ Accept

Risk Management Process

• Identification and classification of information resources or assets

• Assess threats and vulnerabilities and the likelihood of their occurrence

• Once the elements of risk have been established, they are combined to form an overall view of risk

• Evaluate existing controls or design new controls to reduce the vulnerabilities to an acceptable level of risk

• Residual risk

Risk Analysis Methods

• Qualitative

• Semi-quantitative

• Quantitative

▫ Probability and expectancy

▫ Annual loss expectancy method

Sourcing Practices

• Sourcing practices relate to the way an organization obtains the IS function required to support the business

• Organizations can perform all IS functions in-house or outsource all functions across the globe

• The sourcing strategy should consider each IS function and determine which approach allows the IS function to meet the organization’s goals

• Accountability remains with the management of the client organization

Sourcing Practices

Possible advantages:

▫ Commercial outsourcing companies are likely to devote more time and focus more efficiently on a given project than in-house staff

▫ Outsourcing vendors are likely to have more experience with a wider array of problems, issues and techniques

Possible disadvantages:

▫ Costs exceeding customer expectations

▫ Loss of internal IS experience

▫ Loss of control over IS

▫ Vendor failure

Sourcing Practices

Risks can be reduced by:

• Establishing measurable, partnership-enacted shared goals and rewards

• Using multiple suppliers or withholding a piece of business as an incentive

• Performing periodic competitive reviews and benchmarking/bench trending

• Forming a cross-functional contract management team

Service Level Agreements (SLA)

• Contractual means of helping the IS department to manage information resources under the control of a vendor.

• Commit a vendor to a required level of service and support options.

▫ Awareness / consideration of cross-border legislation.

• Right to Audit Clause

Organization Structure and Responsibilities

IS Roles and Responsibilities

• Systems development manager

• Service desk (help desk)

• Quality assurance manager

• Vendor and outsourcer management

• Operations manager

• Media management

• Data entry

• Systems administration

• Security administration

• Quality assurance

• Database administration

• Systems analyst

• Security architect

• Network management

Segregation of Duties within IT

• Avoids the possibility of errors or misappropriations

• Discourages fraudulent acts

• Limits access to data

Practice Question

2-7 Which of the following tasks may be performed by the same person in a well-controlled information processing computer center?

A. Security administration and change management

B. Computer operations and system development

C. System development and change management

D. System development and systems maintenance

Practice Question

2-8 Which of the following is the MOST critical control over database administration?

A. Approval of DBA activities

B. Segregation of duties

C. Review of access logs and activities

D. Review of the use of database tools

Segregation of Duties Controls

Control measures to enforce segregation of duties include:

• Transaction authorization

• Custody of assets

• Access to data

▫ Authorization forms

▫ User authorization tables

Segregation of Duties Controls

Compensating controls for lack of segregation of duties include:

• Audit trails

• Reconciliation

• Exception reporting

• Transaction logs

• Supervisory reviews

• Independent reviews
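As an added illustration of the two segregation-of-duties slides above (not part of the lecture), the following Python checks a user authorization table for incompatible duty pairs drawn from the slides and practice questions, and then produces the kind of exception report over a transaction log that the lecture lists as a compensating control when full segregation is not possible. The duty names, users and log lines are constructed for this example.

```python
from itertools import combinations

# Duty pairs the lecture treats as incompatible (segregation-of-duties slides,
# practice questions 2-7 and 2-9). Duty names are assumptions for this example.
CONFLICTING_DUTIES = {
    frozenset({"computer_operations", "system_development"}),
    frozenset({"system_development", "change_management"}),
    frozenset({"security_administration", "change_management"}),
    frozenset({"transaction_authorization", "custody_of_assets"}),
    frozenset({"transaction_authorization", "access_to_data"}),
}

# Constructed user authorization table: user -> duties granted.
AUTHORIZATION_TABLE = {
    "alice": {"system_development", "systems_maintenance"},
    "bob": {"computer_operations", "system_development"},
    "carol": {"security_administration", "change_management", "access_to_data"},
}

def find_conflicts(table):
    """Return {user: [conflicting duty pairs]} for users holding incompatible duties."""
    report = {}
    for user, duties in table.items():
        pairs = [pair for pair in combinations(sorted(duties), 2)
                 if frozenset(pair) in CONFLICTING_DUTIES]
        if pairs:
            report[user] = pairs
    return report

# Constructed transaction log: id,originator,authorizer,amount
TRANSACTION_LOG = """\
T1001,alice,bob,250.00
T1002,carol,carol,9800.00
T1003,bob,alice,120.50
T1004,dave,dave,75.00
"""

def exception_report(log_text):
    """Flag transactions where the originator also authorized them."""
    flagged = []
    for line in log_text.strip().splitlines():
        txn_id, originator, authorizer, amount = line.split(",")
        if originator == authorizer:
            flagged.append((txn_id, originator, float(amount)))
    return flagged

if __name__ == "__main__":
    print(find_conflicts(AUTHORIZATION_TABLE))
    print(exception_report(TRANSACTION_LOG))
```

Users flagged by find_conflicts are the ones for whom the compensating controls (supervisory review of the exception report, audit trails) need to be in place.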

Practice Question

2-4 The MOST important responsibility of a data security officer in an organization is:

A. recommending and monitoring data security policies.

B. promoting security awareness within the organization.

C. establishing procedures for IT security policies.

D. administering physical and logical access controls.

Practice Question

2-5 Which of the following is MOST likely to be performed by the security administrator?

A. Approving the security policy

B. Testing application software

C. Ensuring data integrity

D. Maintaining access rules

Practice Question

2-9 When a complete segregation of duties cannot be achieved in an online system environment, which of the following functions should be separated from the others?

A. Origination

B. Authorization

C. Recording

D. Correction

Practice Question

2-10 In a small organization, where segregation of duties is not practical, an employee performs the function of computer operator and application programmer. Which of the following controls should an IS auditor recommend?

A. Automated logging of changes to development libraries

B. Additional staff to provide segregation of duties

C. Procedures that verify that only approved program changes are implemented

D. Access controls to prevent the operator from making program modifications

Conclusion

• Chapter 2 Quick Reference Review

▫ Page 84 of CISA Review Manual 2010

• Additional Case Studies

▫ Case Study B – page 118 of CISA Review Manual 2010

▫ Case Study C – page 118 of CISA Review Manual 2010

▫ Case Study D – page 119 of CISA Review Manual 2010