ITGovernance (1)


  • 8/8/2019 ITGovernance (1)

    1/58

    IT Governance

    IT Governance
    Information Security Governance

  • 2/58

    Acknowledgments

    Material is sourced from: CISA Review Manual 2009, 2008, ISACA. All rights reserved. Used by permission. CISM Review Manual 2009, 2008, ISACA. All rights reserved. Used by permission.

    Author: Susan J Lincke, PhD, Univ. of Wisconsin-Parkside
    Reviewers/Contributors: Todd Burri

    Funded by National Science Foundation (NSF) Course, Curriculum and Laboratory Improvement (CCLI) grant 0837574: Information Security: Audit, Case Study, and Service Learning. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and/or source(s) and do not necessarily reflect the views of the National Science Foundation.

  • 3/58

    Corporate Governance

    Corporate Governance: Leadership by corporate directors in creating and presenting value for all stakeholders

    IT Governance: Ensures the alignment of IT with enterprise objectives. Responsibility of the board of directors and executive mgmt.

  • 4/58

    IT Governance Objectives

    IT delivers value to the business
    IT risk is managed

    Processes include:
    Equip IS functionality and address risk
    Measure performance of delivering value to the business
    Comply with legal and regulatory requirements

  • 5/58

    IT Governance Committees

    IT Strategy Committee
    Members: Board members & specialists
    Focuses on direction and strategy
    Advises board on IT strategy and alignment
    Optimization of IT costs and risk

    IT Steering Committee
    Members: Business executives (IT users), CIO, key advisors (IT, legal, audit, finance)
    Focuses on implementation
    Monitors current projects
    Decides IT spending

  • 6/58

    IT Strategy Committee

    Main Concerns:
    Alignment of IT with the business
    Contribution of IT to the business
    Exposure & containment of IT risk
    Optimization of IT costs
    Achievement of strategic IT objectives

  • 7/58

    IT Steering Committee

    Main Concerns:
    Decides whether IT is centralized vs. decentralized, and the assignment of responsibility
    Makes recommendations for strategic plans
    Approves IT architecture
    Reviews and approves IT plans, budgets, priorities & milestones
    Monitors major project plans and delivery performance

  • 8/58

    Strategic Planning Process

    Strategic: Long-term (3-5 year) direction; considers organizational goals, regulation (and for IT: technical advances)
    Tactical: 1-year plan that moves the organization toward the strategic goal
    Operational: Detailed or technical plans

    (Diagram: Strategic -> Tactical -> Operational)

  • 9/58

    Security Strategic Planning

    Strategic: Risk mgmt, laws, governance, policy
    Tactical: Organizational security, data classification, audit, risk analysis, business continuity, metrics development, incident response
    Operational: Physical security, network security, policy compliance, metrics use

  • 10/58

    Strategic Planning

    Strategy: Achieve CMM or COBIT Level 4

    Tactical: During the next 12 months:
    Each business unit must identify current applications in use
    25% of all stored data must be reviewed to identify critical resources
    Business units must achieve regulatory compliance
    A comprehensive risk assessment must be performed for each business unit
    All users must undergo general security training
    Standards must exist for all policies

  • 11/58

    Standard IT Balanced Scorecard

    Mission = Direction. E.g.: Serve the business efficiently and effectively
    Strategies = Objectives. E.g.: Quality through availability; process maturity
    Measures = Statistics. E.g.: Customer satisfaction; operational efficiency

    Establish a mechanism for reporting IT strategic aims and progress to the board

  • 12/58

    IT Balanced Scorecard

    (Template: each of the four perspectives has a Vision, Metrics, and Performance entry)

    Financial Goals: How should we appear to stockholders?
    Customer Goals: How should we appear to our customers?
    Internal Business Process: What business processes should we excel at?
    Learning and Growth Goals: How will we improve internally?

  • 13/58

    Enterprise Architecture

    Constructing IT is similar to constructing a building. It must be designed and implemented at various levels:
    Technical (hardware, software)
    IT procedures & operations
    Business procedures & operations

    (Diagram: architecture framework grid. Columns: Data, Functional (App), Network (Tech), People (Org.), Process (Flow), Strategy. Rows: Scope, Enterprise Model, Systems Model, Tech Model, Detailed Representation)

  • 14/58

    Sourcing Practices

    Insourced: Performed entirely by the organization's staff
    Outsourced: Performed entirely by a vendor's staff
    Hybrid: Partially insourced and partially outsourced

    Onsite: Performed at the IS dept site
    Offsite or Nearshore: Performed in the same geographical area
    Offshore: Performed in a different geographical region

    What advantages can you think of for insourcing versus outsourcing?

  • 15/58

    Quality with ISO 9000

    ISO 9000: Standard for Quality Management Systems. Recommendations include:
    Quality Manual: Documented procedures
    HR: Documented standards for personnel hiring, training, evaluation
    Purchasing: Documented standards for vendors: equipment & services

    Gap Analysis: The difference between where you are and where you want to be

  • 16/58

    Quality Definitions

    Quality Assurance: Ensures that staff are following quality processes: e.g., following standards in design, coding, testing, configuration management
    Quality Control: Conducts tests to validate that software is free from defects and meets user expectations

  • 17/58

    Performance Optimization

    Phases of performance measurement include:
    Establish and update performance metrics
    Establish accountability for performance measures
    Gather and analyze performance data
    Report and use performance results

    Note: Strategic direction for how to achieve performance improvements is necessary

  • 18/58

    Categories of Performance Measures

    Performance Measurement: What are the indicators of good IT performance?
    IT Control Profile: How can we measure the effectiveness of our controls?
    Awareness: What are the risks of not achieving our objectives?
    Benchmarking: How do we perform relative to others and to standards?

  • 19/58

    IS Auditor & IT Governance

    Is the IS function aligned with the organization's mission, vision, values, objectives and strategies?
    Does IS achieve the performance objectives established by the business?
    Does IS comply with legal, fiduciary, environmental, privacy, security, and quality requirements?
    Are IS risks managed efficiently and effectively?
    Is IS control effective and efficient?

  • 20/58

    Audit: Recognizing Problems

    End-user complaints
    Excessive costs or budget overruns
    Late projects
    Poor motivation - high staff turnover
    High volume of H/W or S/W defects
    Inexperienced staff, lack of training
    Unsupported or unauthorized H/W or S/W purchases
    Numerous aborted or suspended development projects
    Reliance on one or two key personnel
    Poor computer response time
    Extensive exception reports, many not tracked to completion

  • 21/58

    Audit: Review Documentation

    IT strategies, plans, budgets
    Security policy documentation
    Organization charts & job descriptions
    Steering committee reports
    System development and program change procedures
    Operations procedures
    HR manuals
    QA procedures
    Contract standards and commitments: bidding, selection, acceptance, maintenance, compliance

  • 22/58

    Question

    The MOST important function of the IT department is:

    1. Cost-effective implementation of IS functions
    2. Alignment with business objectives
    3. 24/7 availability
    4. Process improvement

  • 23/58

    Question

    "Implement a virtual private network in the next year" is a goal at which level?

    1. Strategic
    2. Operational
    3. Tactical
    4. Mission

  • 24/58

    Question

    Which of the following is not a valid purpose of the IS audit?

    1. Ensure the IS strategic plan matches the intent of the enterprise strategic plan
    2. Ensure that IS has developed documented processes for software acquisition and/or development (depending on IS functions)
    3. Verify that contracts followed a documented process that ensures no conflicts of interest
    4. Investigate program code for backdoors, logic bombs, or Trojan horses

  • 25/58

    Question

    The difference between where an organization performs and where it intends to perform is known as:

    1. Gap analysis
    2. Quality control
    3. Performance measurement
    4. Benchmarking

  • 26/58

    Information Security Governance

    (Diagram: Governance, Policy, Risk)

  • 27/58

    Information Security Importance

    Organizations are dependent upon and are driven by information
    Software = information on how to process; data and graphics are retained in files
    Information & computer crime has escalated
    Therefore information security must be addressed and supported at the highest levels of the organization

  • 28/58

    Security Governance

    Strategic Alignment: Security solution consistent with organization goals and culture
    Risk Management: Understand threats and cost-effectively control risk
    Value Delivery: Prioritized and delivered for greatest business benefit
    Performance Measurement: Metrics, independent assurance
    Resource Management: Security architecture development & documentation
    Process Integration: Security is integrated into a well-functioning organization

  • 29/58

    Security Manager Interfaces

    (Diagram: the Security Mgr at the center interfaces with Executive Mgmt, Audit & Compliance, Human Resources, Legal, Business Units, Quality Control, S/W Development, and IT. Relationships shown on the connecting lines: Directs & approves; Helps in control implementation; Specific area of expertise, concern, and responsibility; Advises; Hiring, training, roles & responsibility, incident handling; Cooperation; Secure testing; Security requirements; Access control)

  • 30/58

    Executive Mgmt Info Security Concerns

    Reduce civil and legal liability related to privacy
    Provide policy and standards leadership
    Control risk to acceptable levels
    Optimize limited security resources
    Base decisions on accurate information
    Allocate responsibility for safeguarding information
    Increase trust and improve reputation outside the organization

  • 31/58

    Personnel Issues

    Background checks can reduce fraud
    More secure position = more checking required
    A standard or procedure may be useful
    Training & signed contracts
    Track and document theft: minor incidents could add up to a major pattern problem
    Email can be monitored for potential problem employees, assuming a policy is in place and employees are aware of it

  • 32/58

    Legal Issues

    International trade and employment may be subject to different regulations than exist in the U.S., affecting:
    Hiring
    Internet business
    Trans-border data flows
    Cryptography
    Copyright, patents, trade secrets

    Industry may be liable under legislation:
    SOX: Sarbanes-Oxley: publicly traded corporations
    FISMA: Federal Information Security Management Act
    HIPAA: Health Insurance Portability and Accountability Act
    GLBA: Gramm-Leach-Bliley: financial privacy
    Etc.

  • 33/58

    Security Governance Framework

    (Diagram: Security Strategy; Security Framework; Security Organization; Policies, Standards, Procedures; Compliance Monitoring)

  • 34/58

    Security Organization

    Board of Directors: Reviews risk assessment & Business Impact Analysis; defines penalties for non-compliance with policies
    Executive Mgmt: Defines security objectives and institutes the security organization
    Security Steering Committee: Senior representatives of business functions; ensures alignment of the security program with business objectives
    Chief Information Security Officer (CISO)
    Other positions: Chief Risk Officer (CRO), Chief Compliance Officer (CCO)

  • 35/58

    Security Positions

    Security Architect:
    Design secure network topologies, access control, security policies & standards
    Evaluate security technologies
    Work with compliance, risk mgmt, audit

    Security Administrator:
    Allocate access to data under the data owner
    Prepare security awareness program
    Test security architecture
    Monitor security violations and take corrective action
    Review and evaluate security policy

  • 36/58

    Security Operations

    Identity mgmt & access control
    System patching & configuration mgmt
    Change control & release mgmt
    Security metrics collection & reporting
    Control technology maintenance
    Incident response, investigation, and resolution

  • 37/58

    Security Policy

    Policy = First step to developing security infrastructure
    Sets direction for implementation of controls, tools, procedures
    Approved by senior mgmt
    Documented and communicated to all employees and associates

  • 38/58

    Security Policy Document

    Definition of information security
    Statement of management commitment
    Framework for approaching risk and controls
    Brief explanation of policies, minimally covering regulatory compliance, training/awareness, business continuity, and consequences of violations
    Allocation of responsibility, including reporting security incidents
    References to more detailed documents

  • 39/58

    Policy Documentation

    Policy = Direction for control; philosophy of the organization. Created by senior mgmt; reviewed periodically. Employees must understand the intent; auditors test for compliance.
    Procedures: Detailed steps to implement a policy. Written by process owners.
    Standards: An image of what is acceptable
    Guidelines: Recommendations and acceptable alternatives

  • 40/58

    Security Planning: Policies

    Policy Objective: Requirements rule; describes what needs to be accomplished
    Policy Control: Technique to meet objectives
    Procedure: Outlines how the policy will be accomplished
    Standard: Specific rule, metric or boundary that implements policy

    Example 1:
    Policy: Computer systems are not exposed to illegal, inappropriate, or dangerous software
    Policy Control Standard: Allowed software is defined
    Policy Control Procedure: A description of how to load a computer with required software

    Example 2:
    Policy: Access to confidential information is controlled
    Policy Control Standard: Confidential information is never to be emailed without being encrypted

    Discussion: Are these effective controls by themselves?
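    A worked illustration of Example 1, added here and not part of the original slides: the "allowed software is defined" standard is written down as data, and a compliance-monitoring check compares each host's installed-software inventory against it. The point of the discussion question is that a standard on paper is not a control until something verifies it; the check below is that something, and its output doubles as a metric for the compliance-monitoring function on later slides. All host names, package names, versions and the allowlist values are constructed sample data, not from the slides.

```python
"""Added example (not from the slides): enforcing an 'allowed software'
standard with a compliance check over constructed host inventories."""
from __future__ import annotations

from dataclasses import dataclass, field


def parse_version(v: str) -> tuple[int, ...]:
    """Turn '3.10.2' into (3, 10, 2) so versions compare numerically."""
    return tuple(int(part) for part in v.split("."))


# The standard, as data: package -> minimum acceptable version (assumed sample values).
ALLOWED_SOFTWARE: dict[str, str] = {
    "openssh": "9.0",
    "libreoffice": "7.4",
    "python3": "3.10",
    "edr-agent": "4.2",
}
# Part of the same standard: software that must be present on every host.
REQUIRED_SOFTWARE = {"edr-agent"}


@dataclass
class Finding:
    host: str
    package: str
    reason: str


@dataclass
class HostResult:
    host: str
    findings: list[Finding] = field(default_factory=list)

    @property
    def compliant(self) -> bool:
        return not self.findings


def check_host(host: str, inventory: dict[str, str]) -> HostResult:
    """Compare one host's inventory against the standard.

    Reports three kinds of deviation: software not on the allowlist, allowed
    software below its minimum version, and required software that is missing.
    """
    result = HostResult(host)
    for pkg, ver in inventory.items():
        if pkg not in ALLOWED_SOFTWARE:
            result.findings.append(Finding(host, pkg, "not on allowlist"))
        elif parse_version(ver) < parse_version(ALLOWED_SOFTWARE[pkg]):
            result.findings.append(
                Finding(host, pkg, f"version {ver} below minimum {ALLOWED_SOFTWARE[pkg]}"))
    for pkg in sorted(REQUIRED_SOFTWARE - set(inventory)):
        result.findings.append(Finding(host, pkg, "required software missing"))
    return result


def compliance_rate(results: list[HostResult]) -> float:
    """Metric for reporting: fraction of hosts with no findings."""
    return sum(r.compliant for r in results) / len(results) if results else 1.0


# Constructed inventories, shaped like an asset-management export (sample data).
SAMPLE_INVENTORY = {
    "ws-01": {"openssh": "9.3", "python3": "3.11.4", "edr-agent": "4.5"},
    "ws-02": {"openssh": "8.9", "edr-agent": "4.5", "torrent-client": "1.2"},
    "ws-03": {"openssh": "9.3", "libreoffice": "7.5"},
}


def run_check(inventories: dict[str, dict[str, str]]) -> list[HostResult]:
    return [check_host(h, inv) for h, inv in sorted(inventories.items())]


if __name__ == "__main__":
    results = run_check(SAMPLE_INVENTORY)
    for r in results:
        for f in r.findings:
            print(f"{f.host}: {f.package}: {f.reason}")
    print(f"compliance rate: {compliance_rate(results):.0%}")
```

    Running it on the sample data flags ws-02 (out-of-date openssh and an unapproved package) and ws-03 (missing the required agent) and reports one host in three as compliant. The procedure from the slide (how to load a machine) fixes individual hosts; this check is what tells management whether the standard is actually being followed.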

  • 41/58

    Other Policy Documents

    Data Classification: Defines data security categories, ownership and accountability
    Acceptable Usage Policy: Describes permissible usage of IT equipment/resources
    End-User Computing Policy: Defines usage and parameters of desktop tools
    Access Control Policies: Define how access permission is defined and allocated

    After policy documents are created, they must be officially reviewed, updated, disseminated, and tested for compliance

  • 42/58

    Secure Strategy: Risk Assessment

    Five steps include:
    1. Assign values to assets: Where are the crown jewels?
    2. Determine loss due to threats & vulnerabilities (confidentiality, integrity, availability): Loss = Downtime + Recovery + Liability + Replacement
    3. Estimate likelihood of exploitation: Weekly, monthly, 1 year, 10 years?
    4. Compute expected loss: Risk Exposure = ProbabilityOfVulnerability * $Loss
    5. Treat risk: Survey & select new controls; reduce, transfer, avoid or accept risk

  • 43/58

    Risk Analysis Methods

    Qualitative Analysis: Likelihood is categorized: Low, Medium, High
    Semi-Quantitative Analysis: Likelihood is categorized on a scale: 1-10
    Quantitative Analysis: Likelihood is based on historical data, past experience, industry practice, tests, statistical theory

    Quantitative Analysis is the preferred method (where reliable likelihood and loss data exist; without such data the qualitative or semi-quantitative scales are used)

  • 44/58

    Risk Strategies

    Avoid: Minimize dangerous activities. E.g., do not open any attachments or follow links
    Mitigate: Lessen the probability of danger. E.g., open attachments only from within the company; buy anti-virus software, firewall, anti-spyware
    Transfer: Buy insurance
    Accept: Monitor for danger but continue on the dangerous path. E.g., open those attachments

    Residual Risk: Remaining risk after controls are implemented
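    The five-step risk assessment (slide 42) and the treatment strategies and residual risk (slide 44) carried through in code, as an added example that is not part of the original slides. Steps 2 to 4 compute Risk Exposure = likelihood * loss, with the likelihood given the way the slide phrases it (an expected interval such as "monthly" or "every 10 years") and converted to events per year, so exposures are comparable as annualized figures. Step 5 compares candidate controls by the exposure they remove against their annual cost and reports the residual risk. The asset, threat, dollar figures, interval-to-rate table and control effects are constructed illustrations, not values from the slides.

```python
"""Added example (not from the slides): five-step risk assessment with
annualized exposure, risk treatment selection, and residual risk."""
from __future__ import annotations

from dataclasses import dataclass

# Step 3: likelihood phrased as an expected interval, mapped to events per year
# (assumed mapping for the slide's "weekly, monthly, 1 year, 10 years").
INTERVAL_PER_YEAR = {"weekly": 52.0, "monthly": 12.0, "yearly": 1.0, "decade": 0.1}


@dataclass(frozen=True)
class Risk:
    asset: str            # Step 1: the crown jewels carry the largest loss figures
    threat: str
    downtime: float       # Step 2: Loss = Downtime + Recovery + Liability + Replacement
    recovery: float
    liability: float
    replacement: float
    interval: str         # Step 3: key into INTERVAL_PER_YEAR

    @property
    def loss(self) -> float:
        return self.downtime + self.recovery + self.liability + self.replacement

    @property
    def exposure(self) -> float:
        """Step 4: annualized Risk Exposure = events per year * loss per event."""
        return INTERVAL_PER_YEAR[self.interval] * self.loss


@dataclass(frozen=True)
class Control:
    name: str
    strategy: str                    # reduce | transfer | avoid | accept
    annual_cost: float
    likelihood_factor: float = 1.0   # multiplies events per year (reduce, avoid)
    loss_factor: float = 1.0         # multiplies loss per event (transfer)

    def residual(self, risk: Risk) -> float:
        """Residual risk: the exposure that remains with this control in place."""
        return risk.exposure * self.likelihood_factor * self.loss_factor

    def net_benefit(self, risk: Risk) -> float:
        """Exposure removed minus what the control costs per year."""
        return (risk.exposure - self.residual(risk)) - self.annual_cost


def treat(risk: Risk, options: list[Control]) -> tuple[Control, float]:
    """Step 5: choose the option with the best net benefit. 'Accept' is the
    zero-cost baseline, so a control is chosen only if it beats doing nothing."""
    accept = Control("accept the risk", "accept", 0.0)
    best = max([accept, *options], key=lambda c: c.net_benefit(risk))
    return best, best.residual(risk)


# Constructed scenario: a customer database hit by ransomware about once a year.
CUSTOMER_DB = Risk("customer database", "ransomware",
                   downtime=200_000, recovery=50_000,
                   liability=300_000, replacement=0, interval="yearly")

OPTIONS = [
    # reduce: offline backups plus endpoint detection cut the rate to one event per decade
    Control("offline backups + EDR", "reduce", annual_cost=80_000,
            likelihood_factor=INTERVAL_PER_YEAR["decade"] / INTERVAL_PER_YEAR["yearly"]),
    # transfer: insurance pays 70% of each loss but does nothing to the likelihood
    Control("cyber insurance", "transfer", annual_cost=120_000, loss_factor=0.3),
    # avoid: stop holding the data; no exposure, but the lost business value is
    # charged as the option's annual cost
    Control("stop storing customer data", "avoid", annual_cost=900_000,
            likelihood_factor=0.0),
]


if __name__ == "__main__":
    print(f"loss per event ${CUSTOMER_DB.loss:,.0f}; annual exposure ${CUSTOMER_DB.exposure:,.0f}")
    for c in OPTIONS:
        print(f"{c.strategy:9} {c.name:28} residual ${c.residual(CUSTOMER_DB):>9,.0f}"
              f"  net benefit ${c.net_benefit(CUSTOMER_DB):>10,.0f}")
    chosen, residual = treat(CUSTOMER_DB, OPTIONS)
    print(f"chosen: {chosen.name} ({chosen.strategy}); residual risk ${residual:,.0f}")
```

    With the constructed numbers the loss per event is $550,000 and, at one event a year, so is the exposure. Reducing the likelihood to once a decade leaves $55,000 of residual risk for an $80,000 control; insurance leaves $165,000 for $120,000; avoiding the activity removes all exposure but costs more than the risk is worth, so "reduce" wins. Changing the interval (say, to "monthly") or the loss components re-ranks the options, which is the comparison the slide's five steps are meant to support.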

  • 45/58

    Summary of Security Mgmt Functions

    Develop security strategy:
    Regulatory & legal issues are addressed
    Linked with business objectives
    Sr mgmt acceptance & support
    Complete set of policies
    Standards & procedures for all relevant policies
    Security awareness for all users and security training as needed
    Classified information assets by criticality and sensitivity

  • 46/58

    Summary of Security Mgmt Functions

    Effective compliance & enforcement processes:
    Metrics are maintained and disseminated
    Monitoring of compliance & controls
    Utilization of security resources is effective
    Noncompliance is resolved in a timely manner

    Effective risk mgmt and business impact assessment:
    Risks are assessed, communicated, and managed
    Controls are designed, implemented, maintained, tested
    Incident and emergency response processes are tested
    Business Continuity & Disaster Recovery Plans are tested

  • 47/58

    Summary of Security Mgmt Functions

    Develop security strategy, oversee security program, liaise with business process owners for ongoing alignment
    Clear assignment of roles & responsibilities
    Security participation in change management
    Address security issues with 3rd-party service providers
    Liaise with other assurance providers to eliminate gaps and overlaps

  • 48/58

    Question

    Documentation that would not be viewed by the IT Strategy Committee would be:

    1. IT project plans
    2. Risk analysis & Business Impact Analysis
    3. IT Balanced Scorecard
    4. IT policies

  • 49/58

    Question

    A document that describes how access permission is defined and allocated is the:

    1. Data Classification
    2. Acceptable Usage Policy
    3. End-User Computing Policy
    4. Access Control Policies

  • 50/58

    Question

    The risk that is assumed after implementing controls is known as:

    1. Accepted risk
    2. Annualized Loss Expectancy
    3. Quantitative risk
    4. Residual risk

  • 51/58

    Question

    The role of the Information Security Manager in relation to the security strategy is:

    1. Creator
    2. Communicator to other departments
    3. Reviewer
    4. Approving the strategy

  • 52/58

    Question

    Product testing is most closely associated with which department:

    1. Audit
    2. Quality Assurance
    3. Quality Control
    4. Compliance

  • 53/58

    Question

    The role most likely to test a control is the:

    1. Security Administrator
    2. Security Architect
    3. Quality Control Analyst
    4. Security Steering Committee

  • 54/58

    Question

    The role responsible for defining security objectives and instituting a security organization is the:

    1. Chief Security Officer
    2. Executive Management
    3. Board of Directors
    4. Chief Information Security Officer

  • 55/58

    Question

    The persons on the Security Steering Committee who can contribute the BEST information relating to ensuring Information Security success are:

    1. Chief Information Security Officer
    2. Business process owners
    3. Executive Management
    4. Chief Information Officer

  • 56/58

    Question

    "Passwords shall be at least 8 characters long, and require a combination of at least 3 of lower case, upper case, numeric, or symbol characters." This is an example of a:

    1. Standard
    2. Policy
    3. Procedure
    4. Guideline

  • 57/58

    Vocabulary to Study

    High Priority:
    IT strategy committee, IT steering committee, Security steering committee
    Mission, Strategic plan, Tactical plan, Operational plan
    Quality Assurance, Quality Control
    CISO, CIO, CSO, Board of Directors, Executive Mgmt, Security Architect, Security Administrator
    Policy, Procedure, Standard, Guideline
    IT Balanced Scorecard, Measure, ISO 9000

  • 58/58

    Vocabulary to Study

    Low Priority:
    Enterprise Architecture
    Insource, Outsource, Hybrid, Offshore, Onsite
    Acceptable Use Policy, Access Control Policies, Data Classification