Vernon Poole, ISACA London Chapter, 26 September 2002: Information Governance & the IT Auditor


Page 1

Vernon Poole
ISACA London Chapter
26 September 2002

Information Governance & the IT Auditor

Page 2

Information Governance: Presentation Objective

« This session will show how the Information Governance framework has developed, how the IT Governance Institute is now working on ways to best convince organisations to adopt best practice, and the role the IT auditors need to play. »

Page 3

Information Governance: Agenda

THE CURRENT IT DILEMMA
IT’S RECORD OF ACHIEVEMENT
INFORMATION GOVERNANCE BENEFITS
GOVERNANCE FOCUS BY:
  BOARD
  MANAGEMENT
  IT AUDITOR
CONCLUSIONS

Page 4

1. CURRENT IT DILEMMA

What IT problem?
Are they doing the right things? Are they being done well? Are we getting benefits?

What does the Board do?
Ask tough questions. Focus on risk and value. Direct IT strategy.

How does management react?
Cascading strategy and goals. Organisational alignment. An IT control framework. Balanced Business Scorecard.

What should auditors consider?
How is governance being addressed? Are regulatory rules being followed? Can we benefit from recent case-studies? Is IT governance considered by the Board?

Page 5 (section divider: agenda as on Page 3)

Page 6

2. IT’S RECORD OF ACHIEVEMENT?

[Four charts, from 2001 surveys by Brookings Institute, Standish Group and Acadys]
(A) MARKET VALUE: tangible assets 15%; intangible assets (inc. information) 85%
(B) IT RELATIONSHIPS: client, supplier, partner, CEO/CIO (bars on a 0% to 100% scale)
(C) PROJECT MANAGEMENT: projects successful 28%, challenged 49%, failed 23%
(D) PERFORMANCE MEASUREMENT: ability to measure above expectations / appropriate / below expectations; one in eight

Page 7

2. IT’S RECORD OF ACHIEVEMENT (CONTD)

“IT has been the longest running disappointment in business in the last 30 years!”
Jack Welch, Chairman, General Electric, World Economic Forum, Davos, 1997

[Diagram labels: Personal & visual contact; Uncertainty, Complexity & Growth]

Page 8 (section divider: agenda as on Page 3)

Page 9

3. INFORMATION GOVERNANCE BENEFITS

RELIABLE INFORMATION & TRUSTED SYSTEMS

Guarantee of Quality
Trading Partner ‘Assurance’
Customer Loyalty
Security Assurance
Reputation Enhancement
Sustainable Growth

Page 10

3. INFORMATION GOVERNANCE BENEFITS

Information Governance

GOVERNANCE/CONTROL =
take stakeholder value into account
give direction to the processes
ensure they provide results
ensure they act on the results
get results and challenge them

[Diagram labels: Stakeholder Values; DRIVE; STRATEGY; DIRECTS; PROCESSES; USE; Resources (knowledge, information, capability, ...); REPORT; RESULTS (ASSETS, RISKS, OUTCOME, PERFORMANCE); MEASURE; CONFIRM OR CHANGE; IMPROVE]

Page 11 (section divider: agenda as on Page 3)

Page 12

4. INFORMATION GOVERNANCE FOCUS:

WHAT SHOULD BOARDS DO ABOUT IT

Be driven by stakeholder value
Adopt an information governance framework
Ask the right questions
Focus on IT’s strategic alignment, value delivery, IT asset management and risk management
Measure results

[Diagram: Stakeholder Value Drivers at the centre, surrounded by IT Strategic Alignment, IT Value Delivery, Risk Management and Performance Measurement]

Page 13

1. Strategic Alignment
“ALIGNING WITH THE BUSINESS AND COLLABORATIVE SOLUTIONS”

Aligning IT with the business and its goals
Providing a flexible, integrated information infrastructure to support the business strategy
Instituting cross-functional collaborative information systems
Being an agent of change enabling business transformation
Educating and connecting with the Boardroom
Effectively communicating with IS users

MARKET ANALYSTS’ VIEW OF IT PRIORITIES 2002

Page 14

2. Value Delivery
“FOCUS ON COSTS & BENEFITS AND PROOF OF VALUE”

Cost-optimisation
ROI for IT and its bottom-line impact
Total cost of ownership (TCO) of IT services
Quality and effectiveness of enterprise-wide service delivery
Keeping users and managers satisfied
Proving the value of IT

MARKET ANALYSTS’ VIEW OF IT PRIORITIES 2002

Page 15

3. IT Asset Management
“KNOWLEDGE, INFRASTRUCTURE AND PARTNERS”

Selective outsourcing of non-core processes to trusted suppliers
Leveraging knowledge and skills
Providing an integrated, economical IT infrastructure where new technology is judiciously introduced and obsolete systems updated or replaced
Availability, training, retention and competence of key IT personnel

MARKET ANALYSTS’ VIEW OF IT PRIORITIES 2002

Page 16

4. Risk Management
“SAFEGUARDING ASSETS AND DISASTER RECOVERY”

Establishing IT security to safeguard assets and enabling business recovery from IT failures
Providing privacy and resilience
Establishing trust in services and partners
Managing internal threats of misuse and errors, and external threats from deliberate attacks as well as from market volatility and the pace of change

MARKET ANALYSTS’ VIEW OF IT PRIORITIES 2002

Page 17

OUR VIEW OF IT PRIORITY NO. 5

“NONE OF THESE DOMAINS
(Strategic Alignment, Value Delivery, IT Asset Management, Risk Management)
CAN BE PROPERLY MANAGED WITHOUT
5. Performance Measurement”

Page 18

IT GOVERNANCE INSTITUTE OFFERINGS

1. Board Briefing 2001
2. CEO Guide 2002
3. IT Strategy Committee Guide 2002

35,000 downloads in 7 months

Page 19

4. INFORMATION GOVERNANCE FOCUS:

WHAT SHOULD MANAGEMENT DO ABOUT IT?

Align IT strategy with business goals
Cascade strategy and goals down into the organization
Set up organizational structures that facilitate strategy implementation
Adopt a control and security governance framework
Provide IT infrastructures that facilitate creation and sharing of business information
Embed responsibilities for risk management in the organization
Focus on important IT processes and core IT competencies
Measure performance (balanced business scorecard)

Page 20

WHAT SHOULD MANAGEMENT DO ABOUT IT?: ADOPT GLOBAL BEST PRACTICE

1. CobiT3 & CobiT4: An IT Control Framework

Page 21

CobiT: An IT control framework

Starts from the premise that IT needs to deliver the information that the organisation needs to achieve its objectives
Promotes process focus and process ownership
Divides IT into 34 processes belonging to 4 domains (Planning; Acquiring & Implementing; Delivery & Support; Monitoring) and provides a high-level control objective for each domain
Looks at fiduciary, quality and security needs, and provides 7 information criteria that can be used to define what the organisation requires from IT: Effectiveness, Efficiency, Availability, Integrity, Confidentiality, Reliability, Compliance
Supported by 300+ detailed control objectives

Page 22

CobiT3: Achievements - added a governance layer

Key Goal Indicators: a measure of the outcome of the process; a measure of « what »; indicator of business contribution
Key Performance Indicators: a measure of « how well » the process is performing; must help in improving the process
Critical Success Factors: the most important things to do; observable and measurable; leverage capability, skills and behaviour
Maturity Models: a generic scale for pragmatic comparison; a “profile” of the enterprise on IT governance and control to determine As-Is and To-Be positions; basis for gap analysis

Maturity scale: 0 Non-Existent, 1 Initial, 2 Repeatable, 3 Defined, 4 Managed, 5 Optimised

Page 23

CobiT4 Strategy

Mission: Through a simple product set, support an expanding target audience with on-line (continuously updated) knowledge on IT control, assurance and governance

Vision: To be the global standard for best practice in control over IT, and to assist users from assessment to implementation

Values:
• Sharing knowledge
• Leveraging expertise
• Influencing best practices

Target Audience (WHO): executives & boards; management; professionals
(WHAT): monitor; assess; implement

Page 24

CobiT4 - Product Structure

Executives & Boards: Practices, Responsibilities
Business and Technology Management: Performance measures, Critical success factors, Maturity models
Audit, control and security professional: Control Objectives, Audit Guidelines, Implementation Guide

The three core products and the question each answers:
Control Objectives: What is the IT Control Framework?
Audit Guidelines: How to assess the IT Control Framework?
Implementation Guide: How to introduce it in the enterprise?

Supporting tools: IT Control Practices, Self-assessment Tool, Maturity Benchmark, IT Governance Survey, Value Assessment, Risk Analysis, CobiT ‘lite’

Page 25

The Maturity Levels

Board involvement in IT on the 0 to 5 maturity scale, from lowest to highest:
BOARD DOES NOT ADDRESS IT
BOARD OCCASIONALLY ASKS QUESTIONS
BOARD IS REGULARLY INFORMED
BOARD APPROVES IT STRATEGY OR HAS AN IT STRATEGY COMMITTEE
BOARD HAS IT STRATEGY COMMITTEE AND APPROVES IT STRATEGY

Survey population: most senior officers (in ISACA’s database), from 800 Fortune 500 and significant government entities
146 responses for 205 entities = 17.5%

Page 26

CobiT4 - Maturity Benchmark

DRIVERS
Compliance with law, standards and regulations
Cost reduction
Mission and goals
Performance improvement
Risk reduction
Reputation and trust
Competitive environment
Corporate values
Political/economic environment

INHIBITORS
Budget limitations
Availability of skilled staff
Management awareness/commitment
Lack of ownership
Existing architecture
No easy solution
Resource conflicts/priorities
Lack of tools
Political/economic environment

Page 27

Average IT Governance Maturity Levels

Page 28

CobiT4 - Implementation Guide

Steps: IT CONTROL DIAGNOSTIC; MATURITY PROFILE; GAP ANALYSIS; ROADMAP

Processes in the maturity profile (each rated 0 to 5):
PO1 define a strategic IT plan
PO3 determine technological direction
PO5 manage the IT investment
PO9 assess risks
PO10 manage projects
AI1 identify solutions
AI2 acquire & maintain applications
AI5 install and accredit systems
AI6 manage changes
DS1 define service levels
DS4 ensure continuous service
DS5 ensure system security
DS10 manage problems and incidents
DS11 manage data
M1 monitor the processes

[Roadmap chart: schedule in weeks (0 to 22) with phases Needs Analysis, Planning, Development, Testing / QA, Final Design and Approach, Initial Release, Final QA, Data implementation, Trade-Off Review and Milestone Reviews]

Page 29

CobiT4 - CobiT Online

[Diagram: CobiT Knowledge Base, surrounded by Assessment & comparison; Browsing & searching; Community Services; Knowledge & user management]

What ITGI needs to build, own & operate:
downloads
exchange of experience
discussion forums
knowledge capturing

Value-added tools available on a commercial basis

Page 30

CobiT4 - CobiT Online

Predictor (Gartner - 7 January 2002): “By year-end 2002, six or more vendors will offer packaged ‘smart enterprise’ portfolios of portal, content and document management, KM and collaboration products (0.8 probability). Many will also include e-learning.”

Outcome Measures
Volume of usage and size of benchmark database
Number of user-suggestions to knowledge base
Favorable reviews in professional publications
Frequency, timeliness and cost-efficiency of CobiT releases

[Diagram as on Page 29: CobiT Knowledge Base with Assessment & comparison, Browsing & searching, Community Services, Knowledge & user management]

Page 31

CobiT4 - CobiT lite

difference in control environment
preselection of processes & objectives
15 most important processes
318 COs down to 90, plus 15 simplified
simple presentation form
brainstorm approach

Early stages (the 15 processes):
PO1 define strategic IT plan
PO3 determine technological direction
PO5 manage the IT investment
PO9 assess risks
PO10 manage projects
AI1 identify solutions
AI2 acquire & maintain applications s/w
AI5 install and accredit systems
AI6 manage changes
DS1 define service levels
DS4 ensure continuous service
DS5 ensure system security
DS10 manage problems and incidents
DS11 manage data
M1 monitor the processes

Control environment characteristics: short communications path; effective span of control; simple command structure; less build, more buy; less complex IT infrastructure; less ‘savvy’ about IT; take more risk; strong profit orientation; less segregation; less IT capabilities

[Axis label: process control]

Page 32

CobiT4 - IT Control Practices

Practice (DS5.5.4): When employees are given their account, they should be provided with initial or refresher training and awareness on computer security issues. They should be asked to review the rules and regulations for system access and confirm they have understood.

Value: effectiveness, cost-efficiency, expedience

Risk:
• Ignorance of compliance requirements and sanctions leading to rules not being respected
• Ignoring rules that are too generic or descriptive
• Absence of awareness leading to weak discipline

Deliverable: integration with CobiT lite and Implementation Guide

Page 33

CobiT4 - CobiT lite

80/20 - ‘smart things to do’: high effectiveness, low cost and expedient
[Grid: impact (H) against cost (H); x marks ‘Early stages’]

‘mini’ minimum baseline approach
maximise at level 3
simple presentation form

Maturity scale: 0 Non-existent, 1 Initial, 2 Repeatable, 3 Defined, 4 Managed, 5 Optimised

Page 34

WHAT SHOULD MANAGEMENT DO ABOUT IT?: ADOPT GLOBAL BEST PRACTICE

2. ISO 17799: An Information Security Framework

Page 35

ISO 17799 - IS Best Practice

1. Became an ISO Standard in December 2000
2. Adopted by IT Governance Institute in its ‘Information Security Governance’ booklet - 2001
3. It is the second best selling ISO Standard - gaining global appeal
4. The standard is becoming a contractual obligation - included in ‘service level’ agreements

Therefore it is essential to ‘doing business’

Page 36

ISO 17799 - IS Best Practice

Standard consists of two parts:
1. Part 1: Code of Practice - referred to as ISO 17799 - consists of 10 Guiding Principles covering strategic, operational & human issues
2. Part 2: Information Security Management System (ISMS) - BS7799-2: requires organisations to select which of the 127 controls are appropriate to them based on risk assessment (currently being revised)

Page 37

ISO 17799 - IS Best Practice

1. Information Security Policy
2. Security Organisation
3. Asset Classification/Control
4. Personnel Security
5. Physical/Environmental Security
6. Communications & Operations Management
7. System Access Control
8. Systems Development/Maintenance
9. Business Continuity Management
10. Compliance

Page 38

ISO 17799 - IS Best Practice

It is therefore imperative that organisations ‘benchmark’ themselves against best practice and assess any gaps in their Information Security, to protect against either internal or external threats that could jeopardise the reliability of information.

The standard also ensures that detailed policies and procedures are established, and creates an ‘Information Security culture’.

Page 39

ISO 17799 - IS Best Practice

Current studies show that organisations who obtain 7799 certification are being respected as reputable & trusted. Future transactions can be conducted in the knowledge that information security risks are being effectively managed.

Information Security is therefore an essential ingredient of sustainable growth & acts as a market differentiator.

Page 40

4. INFORMATION GOVERNANCE FOCUS:

WHAT SHOULD IT AUDITORS CONSIDER?

Obtain an understanding about IT Governance
Get the Board and Management to focus on the issues and their responsibilities
Recommend the adoption of an IT control and governance framework, such as CobiT & ISO 17799
Set up organizational structures that facilitate a strategic implementation of such a framework
Measure your own performance (Balanced Business Scorecard)

Page 41

WHY SHOULD IT AUDITORS CARE?

IT is integral and critical to the business
Shareholders are holding Boards accountable
Boards are holding management responsible
An immense shift from tangible to intangible assets, the majority of the latter being information
Boards and management will look for support to obtain assurance about the cost, return and risk of IT to the business

Page 42 (section divider: agenda as on Page 3, headed IT Governance, with “IT GOVERNANCE FOCUS BY: BOARD, MANAGEMENT, IT AUDITOR”)

Page 43

Why get into Information Governance

“Due diligence”
IT involves huge investments and large risk
Expectations and reality don’t match
IT is critical & strategic to the business
IT does not get the attention it deserves
Information Governance driven by IT will give you ‘Competitive Advantage’

Page 44

IT is strategic to most organisations

If so, don’t you want to know if your IT Department is:
Likely to achieve its objectives?
Resilient enough to learn and adapt?
Judiciously managing the risks it faces?
Appropriately recognising opportunities and acting upon them?

Why has IT not been addressed:
requires more technical insight
treated as separate entity
IT is complex

Page 45

IT Balanced Scorecard

FINANCIAL
• # of IT customers
• Cost per IT customer
• Cost-efficiency of IT processes up
• Delivery of IT value per employee

CUSTOMER
• Level of service delivery up
• Satisfaction of existing customers
• # of new customers reached
• # of new service delivery channels

PROCESS
• Availability of systems & services
• Developments on schedule & budget
• Throughput & response times
• Amount of errors/rework

LEARNING
• Staff productivity & morale
• # of staff trained in new techno/services
• Value delivery per employee up
• Increased availability of knowledge systems

(INFORMATION sits at the centre of the four perspectives)

Page 46

IT Balanced Scorecard Objectives

Demonstrate the value added by the IT Organization
Determine the effectiveness of the IT Organization
Set guidelines for the IT Strategic plan
Communicate and motivate about IT performance
Establish IT Management reporting

Key result: the most effective means to achieve IT and Business alignment
Critical success factor: approval of the IT Scorecard by key stakeholders

Page 47

Information Governance Framework

[Cycle: Set Objectives; Provide Direction; IT Activities; Measure Performance; Compare]

Set Objectives:
IT is aligned with the business, enables the business and maximises benefits
IT resources are used responsibly
IT related risks are managed appropriately

IT Activities:
Increase automation (make the business effective)
Decrease cost (make the enterprise efficient)
Manage risks (security, reliability and compliance)

Page 48

Information Governance Toolkit

[Table of WHO against HOW, with columns V A R P]
Rows: Best Practices; Subjects of attention; IT & Business Objectives; Core IT competencies; Business/Technology Developments; Measurement: Performance; Measurement: Results; Activities; Critical Success Factors

V = IT Value Delivery; A = IT Strategic Alignment; R = Risk Management; P = Performance Measurement

Page 49

Information Governance Lifecycle

[Cycle: Alignment; Value Delivery; Management of Risk; Monitoring & Reporting; Evaluation]

ENVIRONMENT: Ethics & Culture; Laws & Regulations; Mission & Vision; Role Models; Industry Practices; ...

[Outcome labels: Increased market share; Competitive advantage; Improved service delivery; Reputation for trust & reliability; Increased revenues & reduced costs; Legal & Regulatory Compliance]

Page 50

Information Governance

IT Governance Institute
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
[email protected]
www.isaca.org
www.ITgovernance.org

Thank you! Any questions?
Vernon Poole