"IT Governance: Helping Business Survival" – Steve Crutchley, CEO & Founder, Consult2Comply, www.consult2comply.com


Page 1: IT Governance - Consult2Comply

"IT Governance: Helping Business Survival"

Steve Crutchley, CEO & Founder

Consult2Comply, www.consult2comply.com

Page 2: IT Governance - Consult2Comply

• Founder & CEO of Consult2Comply
• 39 years IT & business experience
• 22 years GRC (risk/compliance) experience – CGEIT & CISM
• Recognized international consultant
• ISO 27001, ISO 20000, BS 25999 qualified lead auditor – IRCA approved

• Content expert – Regulations, Standards & Best Practices - worldwide

• ISO 27001, ISO 20000, BS 25999 Trainer and ACP

• Approved CobIT trainer - ISACA

• Experience in Government, Finance, Utilities, Pharmaceutical, Transportation (Airports) and Insurance

• Successfully ran businesses – ex CEO of a public company

• Developed Assessment Software to support the Business & Security/Risk needs

• Product architect for C2C Products

• Numerous Articles, Speaking and TV appearances related to security and security related solutions

Introduction – Steve Crutchley

Page 3: IT Governance - Consult2Comply

Seminar Content?

Page 4: IT Governance - Consult2Comply

What is IT Governance?


• Information Technology Governance, IT Governance is a subset discipline of Corporate Governance focused on information technology (IT) systems and their performance and risk management.

• The rising interest in IT Governance is partly due to compliance initiatives (e.g. Sarbanes-Oxley (USA) and Basel II (Europe)), as well as the acknowledgment that IT projects can easily get out of control and profoundly affect the performance of an organization.


Page 5: IT Governance - Consult2Comply

A 2002 Gartner survey found that 20 percent of all expenditures on IT is wasted—a finding that represents, on a global basis, an annual destruction of value totaling about US $600 billion.

A 2004 IBM survey of Fortune 1000 CIOs found that, on average, CIOs believe that 40 percent of all IT spending brought no return to their organizations.

A 2006 study conducted by The Standish Group found that only 35 percent of all IT projects succeeded while the remainder (65 percent) were either challenged or failed.

In recent years, surveys have consistently revealed that 20 to 70 percent of large-scale investments in IT-enabled change are wasted, challenged or fail to bring a return to the enterprise (figure). In fact, one survey on measuring costs and value found that, in many enterprises, less than 8 percent of the IT budget is actually spent on initiatives that create value for the enterprise.

Why target IT?

Reference: Val IT Framework 2.0

Page 6: IT Governance - Consult2Comply

Nike reportedly lost more than US $200 million through difficulties experienced in implementing its supply chain software.

Failures in IT-enabled logistics systems at MFI and Sainsbury in the UK led to multimillion-pound write-offs, profit warnings and share price erosion.

Tokyo Gas reported a US $46.6 million special loss due to cancellation of a large customer relationship management (CRM) project.

In the public sector, the UK Department for Work and Pensions apparently ‘squandered’ more than £2 billion by abandoning three major projects.

Headlines around the world corroborate these findings:

Reference: Val IT Framework 2.0

Page 7: IT Governance - Consult2Comply

Why is IT Governance important?


IT is in competition for budget – and the business is beating IT to it

IT needs to become a business focused discipline

IT is viewed by senior management as ‘Fire Fighters’ and not ‘Planners or implementers’

IT is viewed as a monetary drain on business

IT needs to compete effectively at the ‘C’ level

Business does not perceive IT as value for money

Page 8: IT Governance - Consult2Comply

IT Governance Discipline


The discipline of information technology governance derives from corporate governance and deals primarily with the connection between business focus and IT management of an organization.

It highlights the importance of IT related matters and states that strategic IT decisions should be owned by the corporate board, rather than by the CISO/CSO or other IT managers.

Page 9: IT Governance - Consult2Comply

History of IT Governance Standards and Frameworks


Australian Standards – AS 8015:2005 – Corporate Governance of information and communications technology

ITGi – based on CobIT:

Val IT Framework 1.0 – launched 2006

Val IT Framework 2.0 – launched 2008

ISO/IEC 38500:2008 Corporate governance of information technology – based on AS 8015:2005

Page 10: IT Governance - Consult2Comply

Setting the Scene


Page 11: IT Governance - Consult2Comply

Governance Issues

Human interface

Records Management

Education

Laws of the Land & beyond

Weak Decision making mechanisms

Ineffective enforcement and conflict resolution

Good and concise Policies

Jurisdiction Identification

Boundary Identification

Setting the Risk Appetite

Protecting IP

Protecting Personnel records

Understanding Stakeholder needs

Corporate Monitoring

Making the business owners responsible

Lack of Financial Resources

Understanding Fiduciary responsibilities

Understanding Business responsibilities

Linking it all together

Page 12: IT Governance - Consult2Comply

Risk Issues

Understanding Risk Appetite

Understanding Risk Acceptance (Who)

Understanding Residual Risk

Accepting Residual Risk

Understanding Threats and Vulnerabilities

Understanding Control Infrastructures

Understanding Control Selection process

Risk Mitigation

Risk Assessment vs. Risk Management

Risk Reporting

Cost of Remediation

Understanding the Risk Process

Risk Integration – Linking it all together

Ensuring the correct people are involved

Control Linking

Risk Differences: Fraud, Business, Financial, Technology, Process, People, Tax, Governance

Page 13: IT Governance - Consult2Comply


Legislative Issues

Page 14: IT Governance - Consult2Comply

Security Issues

Page 15: IT Governance - Consult2Comply

Internal Threats

Page 16: IT Governance - Consult2Comply

External Threats

Page 17: IT Governance - Consult2Comply

Physical Security

Page 18: IT Governance - Consult2Comply


What should Information Technology Governance Deliver?

Executives should focus on Information Technology Governance, which when properly implemented should provide the following:

Page 19: IT Governance - Consult2Comply

What are the IT Governance Characteristics?


A general theme of IT Governance discussions is that the IT capability can no longer be something the business doesn’t understand and that IT must also understand the business and its needs.

Handling of IT has always been an issue for board-level executives because of the technical nature of IT; therefore, key decisions were left to IT professionals. IT Governance implies a system in which all stakeholders, including the board, internal customers and related areas such as finance, have the necessary input into the decision-making process.

This will prevent a single stakeholder, typically IT, being blamed for poor decisions. It also prevents users from later complaining that the system does not behave or perform as expected – very important for IT.


Page 20: IT Governance - Consult2Comply

What are the IT Governance Characteristics (2)?


Most importantly - The board needs to understand the overall architecture of its company's IT applications portfolio … The board must ensure that management knows what information resources are out there, what condition they are in, and what role they play in generating revenue…


Page 21: IT Governance - Consult2Comply

IT Governance Goals


The primary goals for Information Technology Governance are:

(1) assure that the investments in IT generate business value

(2) mitigate the risks that are associated with IT.

This can be done by implementing an organizational structure with well-defined roles for the responsibility for information, business processes, applications and infrastructure that is well communicated across the organization.

Page 22: IT Governance - Consult2Comply

C2C’s GRC Model view – supporting IT Governance

Page 23: IT Governance - Consult2Comply

Who is this aimed at?

• Senior Management
• CIOs
• CISOs
• IT Managers
• IT staff
• IT-centric organizations

Page 24: IT Governance - Consult2Comply

What are the Frameworks or Standards?

Page 25: IT Governance - Consult2Comply

Overview of ISO/IEC 38500 and Val IT 2.0

Page 26: IT Governance - Consult2Comply

What is the objective of IT Governance?

Strategic alignment of IT with the Business with emphasis on Business Governance

Conformance of the organization to Security, Privacy - Trade Practices, IPR, Records Management, Legislation and Regulations (Laws of the Land) and alignment to Best Practices to reduce and streamline costs and improve revenues.

Page 27: IT Governance - Consult2Comply

ISO/IEC 38500:2008

Page 28: IT Governance - Consult2Comply

What is a framework?

A framework is a basic conceptual structure used to solve or address complex issues – something like ISO/IEC 38500 – Governance for IT

But it should have processes that are effective.

Page 29: IT Governance - Consult2Comply

Principle 1: Responsibility
Individuals and groups within the organization understand and accept their responsibilities in respect of both supply of, and demand for, IT. Those with responsibility for actions also have the authority to perform those actions.

Principle 2: Strategy
The organization's business strategy takes into account the current and future capabilities of IT; the strategic plans for IT satisfy the current and ongoing needs of the organization's business strategy.

Principle 3: Acquisition
IT acquisitions are made for valid reasons, on the basis of appropriate and ongoing analysis, with clear and transparent decision making. There is appropriate balance between benefits, opportunities, costs, and risks, in both the short term and the long term.

ISO/IEC 38500 Structure

Page 30: IT Governance - Consult2Comply

Principle 4: Performance
IT is fit for purpose in supporting the organization, providing the services, levels of service and service quality required to meet current and future business requirements.

Principle 5: Conformance
IT complies with all mandatory legislation and regulations. Policies and practices are clearly defined, implemented and enforced.

Principle 6: Human Behavior
IT policies, practices and decisions demonstrate respect for human behavior, including the current and evolving needs of all the 'people in the process'.

ISO/IEC 38500 Structure

Page 31: IT Governance - Consult2Comply

ISO/IEC 38500 Responsibility

3.2 Principle 1: Responsibility – extracts

Evaluate

Directors should evaluate the options for assigning responsibilities in respect of the organization’s current and future use of IT.

Direct

Directors should direct that plans be carried out according to the assigned IT responsibilities.

Monitor

Directors should monitor that appropriate IT governance mechanisms are established.

Page 32: IT Governance - Consult2Comply

ISO/IEC 38500 Strategy

3.3 Principle 2: Strategy - extracts

Evaluate

Directors should evaluate developments in IT and business processes to ensure that IT will provide support for future business needs.

Direct

Directors should direct the preparation and use of plans and policies that ensure the organization does benefit from developments in IT.

Monitor

Directors should monitor the progress of approved IT proposals to ensure that they are achieving objectives in required timeframes using allocated resources.

Page 33: IT Governance - Consult2Comply

ISO/IEC 38500 Acquisition

3.4 Principle 3: Acquisition - extracts

Evaluate

Directors should evaluate options for providing IT to realize approved proposals, balancing risks and value for money of proposed investments.

Direct

Directors should direct that IT assets (systems and infrastructure) be acquired in an appropriate manner, including the preparation of suitable documentation, while ensuring that required capabilities are provided.

Monitor

Directors should monitor IT investments to ensure that they provide the required capabilities.

Page 34: IT Governance - Consult2Comply

ISO/IEC 38500 Performance

3.5 Principle 4: Performance - extracts

Evaluate

Directors should evaluate the means proposed by the managers to ensure that IT will support business processes with the required capability and capacity. These proposals should address the continuing normal operation of the business and the treatment of risk associated with the use of IT.

Direct

Directors should ensure allocation of sufficient resources so that IT meets the needs of the organization, according to the agreed priorities and budgetary constraints.

Monitor

Directors should monitor the extent to which IT does support the business.

Page 35: IT Governance - Consult2Comply

ISO/IEC 38500 Conformance

3.6 Principle 5: Conformance - extracts

Evaluate

Directors should regularly evaluate the extent to which IT satisfies obligations (regulatory, legislation, common law, contractual), internal policies, standards and professional guidelines.

Direct

Directors should direct those responsible to establish regular and routine mechanisms for ensuring that the use of IT complies with relevant obligations (regulatory, legislation, common law, contractual), standards and guidelines.

Monitor

Directors should monitor IT compliance and conformance through appropriate reporting and audit practices, ensuring that reviews are timely, comprehensive, and suitable for the evaluation of the extent of satisfaction of the business.

Page 36: IT Governance - Consult2Comply

ISO/IEC 38500 Human Behavior

3.7 Principle 6: Human Behavior - extracts

Evaluate

Directors should evaluate IT activities to ensure that human behaviors are identified and appropriately considered.

Direct

Directors should direct that IT activities are consistent with identified human behavior.

Monitor

Directors should monitor IT activities to ensure that identified human behaviors remain relevant and that proper attention is given to them.

Page 37: IT Governance - Consult2Comply

Val IT Framework 2.0

Based on CobIT

Page 38: IT Governance - Consult2Comply

ITGi – Val IT Framework 2.0

Purpose: Governance of IT Investments

Page 39: IT Governance - Consult2Comply

Value governance establishes the overall governance framework, including defining the portfolios required to manage investments and resulting IT services, assets, and resources.

Value governance monitors the effectiveness of the overall governance framework and supporting processes, and recommends improvements as appropriate.

Value Governance (VG)

Page 40: IT Governance - Consult2Comply

Portfolio management establishes the strategic direction for investments, the desired characteristics of the investment portfolio, and the resource and funding constraints within which portfolio decisions must be made.

Portfolio management evaluates and prioritizes programs within resource and funding constraints, based on their alignment with strategic objectives, business worth (both financial and non-financial), and risk (both delivery risk and benefits risk), and moves selected programs into the active portfolio for execution.

Portfolio management monitors the performance of the overall portfolio, adjusting the portfolio as necessary in response to program performance or changing business priorities.

Portfolio Management (PM)

Page 41: IT Governance - Consult2Comply

Investment management defines potential programs based on business requirements, determines whether they are worthy of further consideration, and develops and passes business cases for candidate investment programs to portfolio management for evaluation.

Investment management launches and manages the execution of active programs, and reports on performance to portfolio management.

Investment management moves resulting IT services, assets and resources to the appropriate operational IT portfolio(s) and continues to monitor their contribution to business value.

Investment management retires programs when there is agreement that desired business value has been realized, or when retirement is deemed appropriate for any other reason.

Investment management monitors the performance of IT services, assets and resources to determine whether additional investments are required to maintain, enhance, or retire the service, asset, or resource to sustain or increase their contribution to business value. 

Investment Management (IM)

Page 42: IT Governance - Consult2Comply

Supporting Standards and Infrastructures

Page 43: IT Governance - Consult2Comply

ISO/IEC 27001:2005 Understanding an Information Security Management System (ISMS)

Page 44: IT Governance - Consult2Comply


Information

According to ISO/IEC 27001:2005, information is defined as:

“An asset that, like other important business assets, is essential to an organization’s business and consequently needs to be suitably protected.”

Page 45: IT Governance - Consult2Comply


Types of Information

• Printed or written on paper
• Stored electronically
• Transmitted by post or using electronic means
• Shown on corporate videos
• Verbal (e.g., spoken in conversations)

Page 46: IT Governance - Consult2Comply

Types of Information Covered by an ISMS


Internal: information that you would not want your competitors to know

Customer or Client: information that customers would not wish you to divulge

Outsourced: information that needs to be shared with other trading partners

Page 47: IT Governance - Consult2Comply


What is Information Security

Confidentiality

Clause 3.3 of ISO/IEC 27001

Ensuring that information is accessible only to those authorized to have access

Integrity

Clause 3.8 of ISO/IEC 27001

Safeguarding the accuracy and completeness of information and processing methods

Availability

Clause 3.2 of ISO/IEC 27001

Ensuring that authorized users have access to information and associated assets when required

Page 48: IT Governance - Consult2Comply


Summary

• Information security protects information from a wide range of threats in order to ensure business continuity, minimize business damage, and maximize return on investment and business opportunities

• Every organization will have a differing set of requirements in terms of controls and the level of confidentiality, integrity, and availability required

Page 49: IT Governance - Consult2Comply

Fundamentals of IT Service Management and the ISO/IEC 20000 Series

Page 50: IT Governance - Consult2Comply


Service Management

Service management is defined as the:

Management of services to meet the business requirements

2.14, ISO/IEC 20000-1:2005

Page 51: IT Governance - Consult2Comply


The ISO/IEC 20000 Series

Part 1: Specification for service management

Part 2: Code of practice for service management

Page 52: IT Governance - Consult2Comply


History of ISO/IEC 20000-1:2005

• The U.K. government launched the IT Infrastructure Library (ITIL) in 1989

• ITIL defines “best practice” processes and procedures

• ITSMF formed in 1991 to further develop best practice

• ITSMF approaches BSI to develop a standard

• BS 15000 first published in 2000 as a specification

• BS 15000 revised in 2002
• ISO/IEC 20000 released in 2005

Page 53: IT Governance - Consult2Comply


ISO/IEC 20000-1:2005

• Specifies a number of closely related service management processes

• Identifies that relationships exist between these processes, and that these relationships will be dependent on their application within an organization

• Provides guideline objectives and controls to enable an organization to deliver managed services

Page 54: IT Governance - Consult2Comply


The Need for ISO/IEC 20000-1

ISO/IEC 20000-1 is necessary because:

• Organizations are increasingly dependent on IT
• User demands continue to grow
• Infrastructure is increasingly complex
• There is a lack of guidance, accepted standards, or published best practices for IT service management

Page 55: IT Governance - Consult2Comply


Purpose of ISO/IEC 20000-1

The ISO/IEC 20000-1 specification:

• Defines requirements for an organization to deliver managed services of an acceptable quality for its customers

• Is the first worldwide standard aimed specifically at IT service management

Page 56: IT Governance - Consult2Comply


Purpose of ISO/IEC 20000-1

The ISO/IEC 20000-1 specification:

• Introduces a service culture and provides the methodologies to deliver services that meet defined business requirements and priorities in a “manageable way”

• Emphasizes processes to support the quality of live provision

Page 57: IT Governance - Consult2Comply


Benefits of ISO/IEC 20000-1 to Organizations

ISO/IEC 20000-1 helps organizations:

• Promote the adoption of an integrated process approach to deliver managed services to meet the business and customer requirements
• Understand best practices, objectives, benefits, and possible problems of IT service management
• Raise the profile of the IT department
• Deliver cost effective service!

Page 58: IT Governance - Consult2Comply


Benefits of ISO/IEC 20000-1:2005 to Organizations

The implementation of ISO/IEC 20000-1:

• Provides control, greater efficiency, and opportunities for improvement
• Turns technology focused departments into service focused departments
• Ensures IT services are aligned with and satisfy business needs
• Improves system reliability and availability
• Provides a basis for service level agreements
• Provides the ability to measure IT service quality

Page 59: IT Governance - Consult2Comply


Service Management Documents

Supporting documents for IT service management include:

BIP 0005:2004 IT Service Management – A Manager’s Guide

PD 0015:2002 IT Service Management – Self-assessment Workbook

IT Infrastructure Library (ITIL)

A series of guidance books on the provision of IT services produced by the U.K. Office of Government Commerce (OGC)

Page 60: IT Governance - Consult2Comply

ISO 20000 IT service management structure?

Page 61: IT Governance - Consult2Comply

Overview of ISO/IEC 27001:2005 and ISO/IEC 27002:2005

Page 62: IT Governance - Consult2Comply

ISMS Standards


ISO/IEC 27001:2005 – Requirements for Information Security Management Systems

ISO/IEC 27002:2005 – Code of Practice for Information Security Management

Page 63: IT Governance - Consult2Comply

ISO 27001 Information Security Management – management structure?

Page 64: IT Governance - Consult2Comply

The ISO/IEC 27000 (ISMS) family of standards is growing

ISO/IEC 27000 - ISMS Overview and Vocabulary

Foundational standard in the 27000 series. Progressing through technical level voting. Expected publication is in 2008.

ISO/IEC 27003 – Information Security Management System Implementation Guidance

Provides further guidance on implementing 27001. Under development. Expected publication in 2008.

ISO/IEC 27004 – Information Security Management Measurement

Provides guidance on measuring effectiveness of security program implementation, as required by 27001 and 17799. Expected publication is in 2008.

ISO/IEC 27005 – Information Security Risk Management

Provides guidance on conducting risk assessment and managing risk, as required by 27001 and 27002. Published 2008

ISO/IEC 27007 – ISMS Auditing Guidelines Study Period on the subject was closed with a recommendation to develop New Proposal. China and Sweden submitted contributions and presented at the meeting. New Proposal will be coming out in the next 2 months with an outline for the new standard. Work is expected to commence after October meeting.

Page 65: IT Governance - Consult2Comply


Risk Assessment

ISO/IEC 27001:2005 Clause 4.2.1 requires a risk assessment to be carried out to identify threats to assets.

Guidance is now available using ISO/IEC 27005:2008

Page 66: IT Governance - Consult2Comply

Information Security Management


The goal of ISO/IEC 27001:2005 and ISO/IEC 27002:2005 is to:

Safeguard the confidentiality, integrity, and availability of written, spoken, and electronic information

Page 67: IT Governance - Consult2Comply

ISO/IEC 27002:2005 Code of Practice


• Defines a process to evaluate, implement, maintain, and manage information security

• Is based on BS 7799-1:2005
• Is intended for use as a reference document
• Is based on best information security practices
• Consists of 11 control sections, 39 control objectives, and 133 controls
• Was developed by industry for industry
• Is not used for assessment and registration
• Is not a technical standard

Page 68: IT Governance - Consult2Comply

ISO/IEC 27001:2005 Requirements


• Specifies requirements for establishing, implementing, and documenting Information Security Management Systems (ISMS)

• Specifies requirements for security controls to be implemented according to the needs of individual organizations

• Consists of 11 control sections, 39 control objectives, and 133 controls

• Is aligned with ISO/IEC 27002:2005

Page 69: IT Governance - Consult2Comply

ISO/IEC 27001:2005 Focus


• Harmonization with other management system standards

• The need for continual improvement processes

• Corporate governance

• Information security assurance

• Implementation of OECD principles

Page 70: IT Governance - Consult2Comply

Holistic Approach


• ISO/IEC 27001:2005 defines best practices for information security management

• A management system should balance physical, technical, procedural, and personnel security

• Without a formal Information Security Management System, such as an ISO/IEC 27001:2005-based system, there is a greater risk of your security being breached

• Information security is a management process, not a technological process

Page 71: IT Governance - Consult2Comply

Growing Acceptance


Status 17th January 2009

See http://www.iso27001certificates.com/ for the registry of certificates

Page 72: IT Governance - Consult2Comply

Supporting Documents


Page 73: IT Governance - Consult2Comply

Benefits of an ISMS


1. Provides the means for information security corporate governance

2. Improves the effectiveness of the information security environment

3. Allows for market differentiation due to a positive influence on company prestige and image, as well as a possible effect on the asset or share value of the company

4. Provides satisfaction and confidence that customers' information security requirements are being met

5. Allows for focused staff responsibilities

Page 74: IT Governance - Consult2Comply

Benefits of an ISMS


6. Ensures compliance with mandates and laws

7. Reduces liability and risk due to implemented or enforced policies and procedures, which demonstrate due diligence

8. Potentially lowers rates on insurance

9. Facilitates better awareness of security throughout the organization

10. Provides competitive advantages and reduction in costs connected with the improvement of process efficiency and the management of security costs

Page 75: IT Governance - Consult2Comply

The Eleven Control Clauses (a.k.a. the Eleven "Domains")

A.5 Security Policy

A.6 Organization of Information Security

A.7 Asset Management

A.8 Human Resources Security

A.9 Physical and Environmental Security

A.10 Communications and Operations Management

A.11 Access Control

A.12 Information Systems Acquisition, Development, and Maintenance

A.13 Information Security Incident Management

A.14 Business Continuity Management

A.15 Compliance

Page 76: IT Governance - Consult2Comply

The Eleven Control Clauses

[Diagram: the eleven control clauses arranged around Organizational Structure – Security Policy; Organizational Info Sec; Asset Management; Human Resource Security; Physical & Environ. Security; Communications and Operations Management; Access Control; Systems Development and Maintenance; Security Incident Management; Business Continuity Management; Compliance]

Page 77: IT Governance - Consult2Comply

Key Controls


The Introduction of ISO/IEC 27001:2005 identifies 10 controls as:

“a good starting point for implementing information security. They are either based on essential legislative requirements or considered to be common practice for information security.”

Page 78: IT Governance - Consult2Comply

Key Controls


Controls Considered Essential from a Legislative Point of View

Data protection and privacy of personal information

Protection of organizational records

Intellectual property rights

Controls Considered to be Best Practice

Information security policy document

Allocation of information security responsibilities

Information security awareness, education, and training

Correct processing in applications

Technical vulnerability management

Business continuity management

Management of information security incidents and improvements

Page 79: IT Governance - Consult2Comply

BS 25999

Business Continuity Management

Page 80: IT Governance - Consult2Comply


Development of BCM standards

• In 2002 it was widely recognised that numerous BCM models and approaches existed
• All of these looked different but were saying the same thing
• Very confusing to organisations and the industry in general
• BCM was viewed as a 'black art' rather than logical and practical activities
• BCM was at risk of being viewed as costly, fragmented and not delivering business benefit
• In 2003, PAS 56 was developed by the BSI in conjunction with the Business Continuity Institute
• In November 2006, PAS 56 was replaced by BS 25999 Part 1 Code of Practice; 2007 saw Part 2 Specification being issued together with the certification scheme

Page 81: IT Governance - Consult2Comply


BCM Landscape

• NFPA 1600
• Z 1600
• FFIEC BCP requirements
• Title IX (FCD-1 & 2)
• Cert Resiliency Framework
• BS 25999
• BCI
• DRA
• New ASIS plan being worked on

Page 82: IT Governance - Consult2Comply


What is BS 25999-1 – Code of Practice

• BS 25999-1:2006 has been developed by practitioners throughout the global community, drawing upon their considerable academic, technical and practical experiences of BCM.

• It has been produced to provide a system based on good practice for BCM

• It is intended to serve as a single reference point for identifying the range of controls needed for most situations where BCM is practiced in industry and commerce, and to be used by large, medium and small organizations in industrial, commercial, public and voluntary sectors

Page 83: IT Governance - Consult2Comply


BS 25999-1 Code of Practice

• Provides a common generic framework and guidelines for BCM
• Gives guidance on business continuity management
• Establishes the principles and terminology of business continuity management
• Describes the activities involved and gives recommendations for good practice
• Describes evaluation techniques for use by managers and auditors

Page 84: IT Governance - Consult2Comply


BS 25999-1 and BS 25999-2

• BS 25999-1:2006 – Code of Practice for Business Continuity Management
  – Best practices framework – reference documentation
  – Use of the word “should”

• BS 25999-2:2007 – Specification with Guidance for Use
  – Specifies the process for achieving certification that business continuity capability is appropriate to the size and complexity of an organization
  – Auditing specification
  – Use of the word “shall”

Page 85: IT Governance - Consult2Comply


Using the Standard

• The BCM Standard is not intended as a beginner’s guide to BCM

• However, some supporting material will be produced alongside it to help the less experienced user

• The standard can be used to get an idea of your current level of expertise and of your areas of weakness

• The standard can be used in Service Level Agreements

Page 86: IT Governance - Consult2Comply


BCM Standards

Page 87: IT Governance - Consult2Comply


The Contents of BS 25999-1 Code of Practice

1. Terms and definitions
2. Overview of business continuity management (BCM)
3. The business continuity management policy
4. BCM programme management
5. Understanding the organisation
6. Determining business continuity strategy
7. Developing and implementing BCM response
8. Exercising and reviewing BCM arrangements
9. Embedding BCM in the organisation

References
List of figures
List of tables

Page 88: IT Governance - Consult2Comply


The Contents of BS 25999-2 Specification

1 Scope
2 Terms and definitions
3 Planning the business continuity management system
  3.1 General
  3.2 Establishing and managing the BCMS
  3.3 Embedding BCM in the organization’s culture
  3.4 BCMS documentation and records
4 Implementing and operating the BCMS
  4.1 Understanding the organization
  4.2 Determining business continuity strategy
  4.3 Developing and implementing a BCM response
  4.4 Exercising, maintaining and reviewing BCM arrangements
5 Monitoring and reviewing the BCMS
  5.1 Internal audit
  5.2 Management review of the BCMS
6 Maintaining and improving the BCMS
  6.1 Preventive and corrective actions
  6.2 Continual improvement

Page 89: IT Governance - Consult2Comply


Conclusion

• Business Continuity Management is a growing area of organizational concern

• An agreed standard will benefit all sizes of organisation as they seek to improve

• Standards evolve over time and feedback from users is essential to help BSI ensure the standard is useful and relevant

Page 90: IT Governance - Consult2Comply

IT Governance for Business Survival

Page 91: IT Governance - Consult2Comply

Modeling IT Governance

Keys to success

1. Don’t work in silos
2. Allocate responsibilities
3. Make sure people understand the plan and model
4. The model must be mapped across the organization
5. It must include all aspects and requirements – policies, procedures, process maps
6. Create relationships across multiple control frameworks

Page 92: IT Governance - Consult2Comply

Good IT Governance Principles

• Commitment
• Governance Policy
• Roles and Responsibilities
• Identification of Business Governance issues
• Obligations to stakeholders
• Organizational Policies
• Operating procedures
• Dealing with breaches
• Record keeping
• Internal reporting
• Maintenance
• Education and training
• Communication and visibility
• Monitoring and assessment
• Review
• Report back

Page 93: IT Governance - Consult2Comply

How do you measure IT Governance?

• Must have decided on the standard or framework
• Must understand your IT Governance requirements
• Must understand your business objectives
• Must understand the processes you are supporting
• Must set a baseline to work from – includes your responsibilities
• Must be able to Monitor
• Must have a measurement method – Measure
• Must be able to Manage
• Must be able to Self Assess

Page 94: IT Governance - Consult2Comply

What can help you?


• Understand the applicable compliance landscape (GRC)
• ISO 20000/ITIL – Service Management v.3
• ISO 27001 – Information Security Management System
• BCM Standards and Guidelines
• ISO/IEC 38500 – IT Governance Standard
• COBIT/ITGI – Val IT 2.0
• CMM – Maturity Modeling
• Six Sigma – Quality
• Balanced Scorecard – Metrics (Monitor, Measure and Manage)
• Understand your business need and respond accordingly

Page 95: IT Governance - Consult2Comply

Implementation issues

• Management commitment
• IT understanding from a management perspective
• IT’s understanding of business processes
• Effective and appropriate training
• People – hidden agendas
• Getting budget
• Proving business value for IT Governance implementation

Getting it RIGHT!

Page 96: IT Governance - Consult2Comply

Example IT Governance Structure

Page 97: IT Governance - Consult2Comply

Harmonization with existing BS/ISO standards & guidelines

ISO 27799 Health Informatics - Security Management in Health using ISO 17799

ISO 19077 Software Asset Management

ISO 27005 Information Security Risk Management

ISO 15489 Effective Records Management

ISO 21188 Public Key Infrastructure for Financial Services

ISO 18044 Incident Management

BS 8470 Secure Disposal of confidential material

BS 8549 Security Consultancy Code of Practice

ISO 15288 System & Software Engineering - System lifecycle processes

Page 98: IT Governance - Consult2Comply


Questions?

Page 99: IT Governance - Consult2Comply


Presenter: Steve Crutchley

Email: [email protected]

Telephone: 571 332 8204/703 871 3950