IT Governance

Information Security Governance

Acknowledgments
Material is sourced from:
- CISA® Review Manual 2011, © 2010, ISACA. All rights reserved. Used by permission.
- CISM® Review Manual 2012, © 2011, ISACA. All rights reserved. Used by permission.
Author: Susan J Lincke, PhD, Univ. of Wisconsin-Parkside
Reviewers/Contributors: Todd Burri, Kahili Cheng
Funded by National Science Foundation (NSF) Course, Curriculum and Laboratory Improvement (CCLI) grant 0837574: Information Security: Audit, Case Study, and Service Learning. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and/or source(s) and do not necessarily reflect the views of the National Science Foundation.

Objectives
Students should be able to:
- Describe IT governance committees: IT strategy committee, IT steering committee, security steering committee
- Describe mission, strategic plan, tactical plan, operational plan
- Define quality terms: quality assurance, quality control
- Describe security organization members: CISO, CIO, CSO, Board of Directors, Executive Management, Security Architect, Security Administrator
- Define policy, compliance, IT Balanced Scorecard, measure, ISO 9001, enterprise architecture
- Define sourcing practices: insource, outsource, hybrid, onsite, offshore
- Define policy documents: data classification, acceptable usage policy, access control policies

Corporate Governance
- Corporate Governance: Leadership by corporate directors in creating and presenting value for all stakeholders
- IT Governance: Ensures the alignment of IT with enterprise objectives. It is the responsibility of the board of directors and executive management.

IT Governance Objectives
- IT delivers value to the business
- IT risk is managed
Processes include:
- Equip IS functionality and address risk
- Measure performance of delivering value to the business
- Comply with legal and regulatory requirements

IT Governance Committees
IT Strategy Committee
- Board members & specialists
- Focuses on direction and strategy
- Advises the board on IT strategy and alignment
- Optimization of IT costs and risk
IT Steering Committee
- Business executives (IT users), CIO, key advisors (IT, legal, audit, finance)
- Focuses on implementation
- Monitors current projects
- Decides IT spending

IT Strategy Committee: Main Concerns
- Alignment of IT with the business
- Contribution of IT to the business
- Exposure & containment of IT risk
- Optimization of IT costs
- Achievement of strategic IT objectives

IT Steering Committee: Main Concerns
- Decides whether IT is centralized vs. decentralized, and the assignment of responsibility
- Makes recommendations for strategic plans
- Approves IT architecture
- Reviews and approves IT plans, budgets, priorities & milestones
- Monitors major project plans and delivery performance

Strategic Planning Process
- Strategic: Long-term (3-5 year) direction; considers organizational goals and regulation (and for IT: technical advances)
- Tactical: 1-year plan that moves the organization toward the strategic goal
- Operational: Detailed or technical plans

Security Strategic Planning (pyramid: strategic, tactical, operational)
- Strategic: Risk management – laws; governance – policy; organizational security; data classification
- Tactical: Audit – risk analysis; business continuity; metrics development; incident response
- Operational: Physical security; network security; policy compliance; metrics use

Strategic Planning (example)
- Strategy: Achieve COBIT Level 4
- Tactical, during the next 12 months:
  - Each business unit must identify current applications in use
  - 25% of all stored data must be reviewed to identify critical resources
  - Business units must achieve regulatory compliance
  - A comprehensive risk assessment must be performed for each business unit
  - All users must undergo general security training
  - Standards must exist for all policies

Standard IT Balanced Scorecard
Establishes a mechanism for reporting IT strategic aims and progress to the board.
- Mission = Direction. E.g.: Serve the business efficiently and effectively
- Strategies = Objectives. E.g.: Quality through availability; process maturity
- Measures = Statistics. E.g.: Customer satisfaction; operational efficiency

IT Balanced Scorecard
Four perspectives, each with a vision, metrics and performance to be filled in:
- Financial goals: How should we appear to stockholders?
- Internal business process: What business processes should we excel at?
- Customer goals: How should we appear to our customer?
- Learning and growth goals: How will we improve internally?

Case Study: IT Governance – Strategic Plan and Tactical Plan
Strategic plan:
- Objective: Incorporate the business. Time frame: 5 yrs
- Objective: Pass a professional audit. Time frame: 4 yrs
Tactical plan (time frame 1 yr): Perform strategic-level security, which includes:
- Perform risk analysis: 6 mos.
- Perform BIA: 1 yr
- Define policies: 1 yr

Case Study: IT Governance – Operational Planning
- Objective: Hire an internal auditor and security professional. Time frame: 2 months (March 1). Responsibility: VP Finance
- Objective: Establish a security team of business, IT, and personnel. Time frame: 1 month (Feb. 1). Responsibility: VP Finance & Chief Information Officer (CIO)
- Objective: Team initiates risk analysis and prepares an initial report. Time frame: 3 months (April 1). Responsibility: CIO & Security Team

Enterprise Architecture
Constructing IT is similar to constructing a building: it must be designed and implemented at various levels:
- Technical (hardware, software)
- IT procedures & operations
- Business procedures & operations
Enterprise architecture grid (CISA Exhibit 2.5): rows for Scope, Enterprise Model, Systems Model, Technology Model and Detailed Representation (Technical); columns for Data, Functional (Application), Network, People (Organization), Process (Flow) and Strategy.

Sourcing Practices
- Insourced: Performed entirely by the organization's staff
- Outsourced: Performed entirely by a vendor's staff
- Hybrid: Partially insourced and partially outsourced
- Onsite: Performed at the IS department site
- Offsite or nearshore: Performed in the same geographical area
- Offshore: Performed in a different geographical region
What advantages can you think of for insourcing versus outsourcing?
Quality with ISO 9001
ISO 9001: Standard for quality management systems. Recommendations include:
- Quality manual: Documented procedures
- HR: Documented standards for personnel hiring, training, evaluation, ...
- Purchasing: Documented standards for vendors: equipment & services
- Gap analysis: The difference between where you are and where you want to be

Quality Definitions
- Quality Assurance: Ensures that staff are following defined quality processes, e.g., following standards in design, coding, testing, configuration management
- Quality Control: Conducts tests to validate that software is free from defects and meets user expectations

Performance Optimization
Phases of performance measurement include:
- Establish and update performance metrics
- Establish accountability for performance measures
- Gather and analyze performance data
- Report and use performance results
Note: Strategic direction for how to achieve performance improvements is necessary.

Categories of Performance Measures
- Performance measurement: What are the indicators of good IT performance?
- IT control profile: How can we measure the effectiveness of our controls?
- Risk awareness: What are the risks of not achieving our objectives?
- Benchmarking: How do we perform relative to others and to standards?

IS Auditor & IT Governance
- Is the IS function aligned with the organization's mission, vision, values, objectives and strategies?
- Does IS achieve the performance objectives established by the business?
- Does IS comply with legal, fiduciary, environmental, privacy, security, and quality requirements?
- Are IS risks managed efficiently and effectively?
- Are IS controls effective and efficient?
Audit: Recognizing Problems
- End-user complaints
- Excessive costs or budget overruns
- Late projects
- Poor motivation, high staff turnover
- High volume of H/W or S/W defects
- Inexperienced staff, lack of training
- Unsupported or unauthorized H/W or S/W purchases
- Numerous aborted or suspended development projects
- Reliance on one or two key personnel
- Poor computer response time
- Extensive exception reports, many not tracked to completion

Audit: Review Documentation
- IT strategies, plans, budgets
- Security policy documentation
- Organization charts & job descriptions
- Steering committee reports
- System development and program change procedures
- Operations procedures
- HR manuals
- QA procedures
- Contract standards and commitments: bidding, selection, acceptance, maintenance, compliance

Question
The MOST important function of the IT department is:
1. Cost-effective implementation of IS functions
2. Alignment with business objectives
3. 24/7 availability
4. Process improvement

Question
Product testing is most closely associated with which department?
1. Audit
2. Quality Assurance
3. Quality Control
4. Compliance

Question
"Implement virtual private network in the next year" is a goal at the level:
1. Strategic
2. Operational
3. Tactical
4. Mission

Question
Which of the following is not a valid purpose of the IS audit?
1. Ensure the IS strategic plan matches the intent of the enterprise strategic plan
2. Ensure that IS has developed documented processes for software acquisition and/or development (depending on IS functions)
3. Verify that contracts followed a documented process that ensures no conflicts of interest
4. Investigate program code for backdoors, logic bombs, or Trojan horses

Question
Documentation that would not be viewed by the IT Strategy Committee would be:
1. IT project plans
2. Risk analysis & business impact analysis
3. IT Balanced Scorecard
4. IT policies

Information Security Governance
Governance – Policy – Risk

Information Security Importance
- Organizations are dependent upon and are driven by information
  - Software = information on how to process
  - Data and graphics are retained in files
- Information & computer crime has escalated
- Therefore information security must be addressed and supported at the highest levels of the organization

Security Organization
- Board of Directors: Defines security objectives and institutes the security organization
- Executive Management: Reviews the risk assessment & business impact analysis; defines penalties for non-compliance with policies
- Security Steering Committee: Senior representatives of business functions; ensures alignment of the security program with business objectives
- Other positions: Chief Risk Officer (CRO), Chief Compliance Officer (CCO), Chief Information Security Officer (CISO)

Security Governance
- Strategic alignment: Security solution consistent with organization goals and culture
- Risk management: Understand threats and cost-effectively control risk
- Value delivery: Prioritized and delivered for the greatest business benefit
- Performance measurement: Metrics, independent assurance
- Resource management: Security architecture development & documentation
- Process integration: Security is integrated into a well-functioning organization

Executive Management: Information Security Concerns
- Reduce civil and legal liability related to privacy
- Provide policy and standards leadership
- Control risk to acceptable levels
- Optimize limited security resources
- Base decisions on accurate information
- Allocate responsibility for safeguarding information
- Increase trust and improve reputation outside the organization

Legal Issues
International trade and employment may be subject to different regulations than exist in the U.S., affecting:
- Hiring
- Internet business
- Trans-border data flows
- Cryptography
- Copyright, patents, trade secrets
Industry may be liable under legislation:
- SOX: Sarbanes-Oxley: Publicly traded corporations
- FISMA: Federal Information Security Management Act
- HIPAA: Health Insurance Portability and Accountability Act
- GLBA: Gramm-Leach-Bliley: Financial privacy
- Etc.

Road Map for Security (New Program)
Steps:
1. Interview stakeholders (HR, legal, finance) to determine organizational issues & concerns
2. Develop security policies for approval by management
3. Conduct security training & test for compliance
4. Improve standards
5. Develop a compliance monitoring strategy
Documentation produced along the way: security issues, security policies, training materials.
Involves: Information Security Steering Committee

Security Relationships
Diagram of the CISO's relationships with other functions (reconstructed from the slide's layout):
- Executive Management: Security strategy, risk, & alignment
- S/W Development: Security requirements, access control
- Purchasing: Security requirements in RFP, contract requirements
- Human Resources: Hiring, training, roles & responsibility, incident handling
- Business Management: Security requirements sign-off, acceptance test, access authorization
- Quality Control: Security requirements and review, change control, security upgrade/test
- IT Operations: Security monitoring, incident response, site inventory, crisis management
- Legal Department: Laws & regulations

Security Governance Framework
- Security strategy
- Security organization
- Security framework: policies, standards, procedures
- Compliance monitoring

Secure Strategy: Risk Assessment
Five steps:
1. Assign values to assets: Where are the crown jewels? Value confidentiality, integrity and availability.
2. Determine loss due to threats & vulnerabilities: Loss = Downtime + Recovery + Liability + Replacement
3. Estimate likelihood of exploitation: Weekly, monthly, once a year, once in 10 years?
4. Compute expected loss: Risk Exposure = ProbabilityOfVulnerability * $Loss
5. Treat risk: Survey & select new controls; reduce, transfer, avoid or accept the risk

Example Policy Documents
- Data classification: Defines data security categories, ownership and accountability
- Acceptable usage policy: Describes permissible usage of IT equipment/resources
- End-user computing policy: Defines usage and parameters of desktop tools
- Access control policies: Define how access permission is defined and allocated
After policy documents are created, they must be officially reviewed, updated, disseminated, and tested for compliance.

Compliance Function
- Compliance: Ensures compliance with organizational policies. E.g.: Listen to selected help desk calls to verify that proper authorization occurs when resetting passwords
- Best if compliance tests are automated
- Compliance is an ongoing process that ensures adherence to policies over time; an audit is a snapshot of compliance at one point in time

Compliance Program – Security Review or Audit Test
- Objective: Is our web interface to the DB safe?
- Scope: Penetration test on the DB
- Constraints: Must test between 1-4 AM
- Approach:
  1. Tester has valid session credentials
  2. Specific records allocated for the test
  3. Test: SQL injection
- Result: These problems were found: ...

Security Positions
Security Architect:
- Design secure network topologies, access control, security policies & standards
- Evaluate security technologies
- Work with compliance, risk management, audit
Security Administrator:
- Allocate access to data under the data owner
- Prepare the security awareness program
- Test the security architecture
- Monitor security violations and take corrective action
- Review and evaluate security policy

Security Architect: Control Analysis
Policy:
- Do controls fail secure or fail open?
- Is the policy restrictive or permissive (denied unless expressly permitted, or vice versa)?
- Does the control align with policy & business expectation?
Placement:
- Where are controls located?
- Are controls layered?
- Is control redundancy needed?
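The five-step risk assessment above, carried through in code. This is an added example, not material from the slides or the ISACA manuals: the assets, dollar figures, exploitation intervals, control costs and the risk appetite are constructed for illustration, and the treatment choice uses one simple rule (pick the option whose annual cost plus residual exposure is lowest, unless the untreated exposure is already within appetite).

```python
"""Worked example of the five-step risk assessment: value assets, compute loss
per event, annualize likelihood, compute exposure, then choose a treatment.
Added example; all figures below are constructed, not taken from the slides."""
from dataclasses import dataclass

DAYS_PER_YEAR = 365.0


@dataclass(frozen=True)
class Risk:
    asset: str            # step 1: the asset (where are the crown jewels?)
    threat: str           # step 2: threat / vulnerability pairing
    downtime: float       # step 2: loss components, dollars per event
    recovery: float
    liability: float
    replacement: float
    interval_days: float  # step 3: expected days between exploitations
                          # (7 = weekly, 30 = monthly, 365 = yearly, 3650 = once a decade)

    def loss_per_event(self) -> float:
        """Loss = Downtime + Recovery + Liability + Replacement."""
        return self.downtime + self.recovery + self.liability + self.replacement

    def annual_probability(self) -> float:
        """Likelihood expressed as expected exploitations per year."""
        return DAYS_PER_YEAR / self.interval_days

    def annual_exposure(self) -> float:
        """Step 4: Risk Exposure = ProbabilityOfVulnerability * $Loss, per year."""
        return self.annual_probability() * self.loss_per_event()


@dataclass(frozen=True)
class Treatment:
    kind: str           # "reduce", "transfer" or "avoid" ("accept" is the default)
    name: str
    annual_cost: float  # control cost, insurance premium, or business value given up
    residual: float     # fraction of the exposure that remains after the treatment


def choose_treatment(risk: Risk, options: list, appetite: float) -> tuple:
    """Step 5: return (kind, name, annual cost of that choice). Accepting costs the
    full exposure; every other option costs its price plus the residual exposure."""
    exposure = risk.annual_exposure()
    best = ("accept", None, exposure)
    if exposure <= appetite:
        return best                      # within tolerated loss: spend nothing
    for opt in options:
        cost = opt.annual_cost + opt.residual * exposure
        if cost < best[2]:               # only treat when it beats accepting
            best = (opt.kind, opt.name, cost)
    return best


def risk_register(risks: list, options_by_asset: dict, appetite: float) -> list:
    """Rank risks by exposure (highest first) with the chosen treatment for each."""
    rows = []
    for r in sorted(risks, key=lambda r: r.annual_exposure(), reverse=True):
        kind, name, cost = choose_treatment(r, options_by_asset.get(r.asset, []), appetite)
        rows.append((r.asset, r.threat, round(r.annual_exposure()), kind, name, round(cost)))
    return rows


# Constructed sample register (hypothetical assets and figures)
RISKS = [
    Risk("customer DB", "SQL injection via web interface", 20_000, 15_000, 60_000, 5_000, 365),
    Risk("sales laptop", "theft", 500, 500, 0, 1_500, 3_650),
    Risk("public web site", "defacement", 2_000, 1_000, 0, 0, 30),
]
OPTIONS = {
    "customer DB": [
        Treatment("reduce", "parameterized queries + code review", 25_000, 0.2),
        Treatment("transfer", "cyber insurance", 30_000, 0.5),
        Treatment("avoid", "take DB interface offline", 200_000, 0.0),
    ],
    "public web site": [
        Treatment("reduce", "integrity monitoring + WAF", 12_000, 0.25),
    ],
}

if __name__ == "__main__":
    for row in risk_register(RISKS, OPTIONS, appetite=10_000):
        print(row)
```

Running it ranks the customer DB first (one expected event a year at $100,000 loss), chooses the cheapest effective control for it, and accepts the laptop-theft risk because a once-a-decade $2,500 loss sits under the $10,000 appetite. Change the intervals or the residual fractions and the treatment flips, which is the point of doing the arithmetic rather than arguing about it.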
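The compliance test plan above (tester with valid credentials, records allocated for the test, SQL injection check) as an automated test, in keeping with the slide's advice that compliance tests are best automated. This is an added example and not code from the slides; it uses Python's built-in sqlite3 module with a constructed in-memory table, runs the same check against an intentionally vulnerable string-built query and against the parameterized fix, and reports findings as the "Result" line of the plan would.

```python
"""Automated SQL injection compliance test: run the injection payloads through
a lookup function and flag any that return records the tester is not authorized
to see, or that surface a database error. Added example; the table, rows and
payloads are constructed for the demonstration."""
import sqlite3

# Records allocated for the test (approach step 2); constructed data
TEST_ROWS = [(1, "tester", "s3cret", "tester@example.test"),
             (2, "alice", "hunter2", "alice@example.test")]


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, name TEXT, pw TEXT, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?,?,?,?)", TEST_ROWS)
    return db


def lookup_vulnerable(db, name):
    """String-built query: the 'before' state the compliance test should catch."""
    sql = "SELECT id, name, email FROM users WHERE name = '%s'" % name
    return db.execute(sql).fetchall()


def lookup_fixed(db, name):
    """Parameterized query: input is bound by the driver, never spliced into SQL."""
    return db.execute("SELECT id, name, email FROM users WHERE name = ?", (name,)).fetchall()


PAYLOADS = [
    "tester' OR '1'='1",                                # tautology: returns every row
    "tester' UNION SELECT id, pw, email FROM users--",  # pulls the pw column into output
]


def run_test(lookup, db, authorized_name="tester") -> list:
    """Approach step 1: the tester holds valid credentials for one account, so
    the baseline is that account's own record. Any payload that returns rows
    beyond it, or leaks a SQL error, is a finding: list of (payload, finding)."""
    findings = []
    expected = lookup(db, authorized_name)
    for payload in PAYLOADS:
        try:
            rows = lookup(db, payload)
        except sqlite3.Error as err:
            findings.append((payload, "SQL error leaked: %s" % err))
            continue
        extra = [r for r in rows if r not in expected]
        if extra:
            findings.append((payload, "%d unauthorized row(s) returned" % len(extra)))
    return findings


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", run_test(lookup_vulnerable, db))
    print("fixed:     ", run_test(lookup_fixed, db))
```

Against the vulnerable lookup both payloads produce findings; against the fixed one the payloads are treated as literal (nonexistent) user names and the result is an empty list, which is the evidence a compliance report needs. The time-window constraint from the plan is left to the scheduler that runs the script.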
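The first two control-analysis questions above (fail secure vs. fail open; restrictive vs. permissive policy) shown in code, with the logging and alerting the later questions ask about. This is an added example, not from the slides: the directory, principals and grants are constructed, and the two checks are written side by side so the difference in behaviour for an unknown principal and for a directory outage is visible.

```python
"""Restrictive, fail-secure access check beside a permissive, fail-open one.
Added example with a constructed permission store; both checks log every
decision, and the fail-secure one alerts when its dependency is unavailable."""
from dataclasses import dataclass, field


class DirectoryUnavailable(Exception):
    """Raised when the control's dependency (the permission store) is down."""


@dataclass
class Directory:
    grants: dict          # (principal, resource) -> set of permitted actions
    denials: dict         # (principal, resource) -> set of forbidden actions
    available: bool = True

    def lookup(self, table: dict, principal: str, resource: str) -> set:
        if not self.available:
            raise DirectoryUnavailable("directory unreachable")
        return table.get((principal, resource), set())


@dataclass
class AccessControl:
    directory: Directory
    log: list = field(default_factory=list)     # control activities logged for review
    alerts: list = field(default_factory=list)  # raised to security personnel on failure

    def permissive_fail_open(self, principal, resource, action) -> bool:
        """Allowed unless expressly denied; on outage the request goes through.
        Unknown principals pass, and so does everyone while the store is down."""
        try:
            denied = self.directory.lookup(self.directory.denials, principal, resource)
        except DirectoryUnavailable as err:
            self._record(principal, resource, action, True, "fail-open: %s" % err)
            return True
        ok = action not in denied
        self._record(principal, resource, action, ok, "permissive")
        return ok

    def restrictive_fail_secure(self, principal, resource, action) -> bool:
        """Denied unless expressly permitted; on outage, deny and alert."""
        try:
            allowed = self.directory.lookup(self.directory.grants, principal, resource)
        except DirectoryUnavailable as err:
            self._record(principal, resource, action, False, "fail-secure: %s" % err)
            self.alerts.append("access control degraded: %s" % err)
            return False
        ok = action in allowed
        self._record(principal, resource, action, ok, "restrictive")
        return ok

    def _record(self, principal, resource, action, decision, reason):
        self.log.append({"who": principal, "what": resource, "action": action,
                         "decision": "ALLOW" if decision else "DENY", "reason": reason})


def build_demo() -> AccessControl:
    """Constructed store: alice may read the customer DB; bob is expressly
    denied writes; mallory appears in neither table."""
    store = Directory(grants={("alice", "customer_db"): {"read"}},
                      denials={("bob", "customer_db"): {"write"}})
    return AccessControl(store)


if __name__ == "__main__":
    ac = build_demo()
    print("mallory/read permissive :", ac.permissive_fail_open("mallory", "customer_db", "read"))
    print("mallory/read restrictive:", ac.restrictive_fail_secure("mallory", "customer_db", "read"))
    ac.directory.available = False
    print("alice/read during outage, permissive :", ac.permissive_fail_open("alice", "customer_db", "read"))
    print("alice/read during outage, restrictive:", ac.restrictive_fail_secure("alice", "customer_db", "read"))
    print("alerts:", ac.alerts)
```

The permissive check lets an unlisted principal through and keeps letting everyone through during an outage, with nothing to tell security staff that the control has stopped working. The restrictive check denies the same requests, and the outage shows up as a DENY in the log plus an alert, so the questions "Will controls alert security personnel if they fail?" and "Are control activities logged and reviewed?" can be answered yes from the code rather than from a diagram.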
Security Architect: Control Analysis (continued)
Placement:
- Does the control protect broadly or only one application?
- If a control fails, is there a control remaining (single point of failure)?
- If a control fails, does the application fail?
Implementation:
- Have controls been tested?
- Are controls self-protecting?
- Are controls reliable?
- Are controls easily circumvented?
Efficiency:
- Do they inhibit productivity?
- Are they automated or manual?
Effectiveness:
- Do controls meet the control objectives?
- Will controls alert security personnel if they fail?
- Are control activities logged and reviewed?
- Are key controls monitored in real time?

Control Practices
These may be useful in particular conditions:
- Automate controls: Make them technically infeasible to bypass
- Access control: Users should be identified, authenticated and authorized before accessing resources
- Secure failure: If compromise is possible, stop processing
- Compartmentalize to minimize damage: Access control required per set of system resources
- Transparency: Communicate so that the average layperson understands the control, which builds understanding & support
- Trust: Verify the communicating partner through a trusted third party (e.g., PKI)
- Trust no one: Oversight controls (e.g., CCTV)
- Segregation of duties: Require collusion to defraud the organization
- Principle of least privilege: Minimize system privileges

Security Administrator: Security Operations
- Identity management & access control
- System patching & configuration management
- Change control & release management
- Security metrics collection & reporting
- Control technology maintenance
- Incident response, investigation, and resolution

Summary of Security Management Functions
- Develop security strategy: linked with business objectives; regulatory & legal issues are addressed; senior management acceptance & support
- Complete set of policies: standards & procedures for all relevant policies; security awareness for all users and security training as needed; information assets classified by criticality and sensitivity
- Effective compliance & enforcement processes: metrics are maintained and disseminated; monitoring of compliance & controls; utilization of security resources is effective; noncompliance is resolved in a timely manner
- Effective risk management and business impact assessment: risks are assessed, communicated, and managed; controls are designed, implemented, maintained, tested; incident and emergency response processes are tested; business continuity & disaster recovery plans are tested
- Develop security strategy, oversee the security program, liaise with business process owners for ongoing alignment: clear assignment of roles & responsibilities; security participation in change management; address security issues with third-party service providers; liaise with other assurance providers to eliminate gaps and overlaps

Question
Who can contribute the MOST to determining the priorities and risk impacts to the organization's information resources?
1. Chief Risk Officer
2. Business Process Owners
3. Security Manager
4. Auditor

Question
A document that describes how access permission is defined and allocated is the:
1. Data classification
2. Acceptable usage policy
3. End-user computing policy
4. Access control policies

Question
The role of the Information Security Manager in relation to the security strategy is:
1. Primary author with business input
2. Communicator to other departments
3. Reviewer
4. Approves the strategy

Question
The role most likely to test a control is the:
1. Security Administrator
2. Security Architect
3. Quality Control Analyst
4. Security Steering Committee

Question
The role responsible for defining security objectives and instituting a security organization is the:
1. Chief Security Officer
2. Executive Management
3. Board of Directors
4. Chief Information Security Officer

Question
When implementing a control, the PRIMARY guide to implementation adheres to:
1. Organizational policy
2. Security frameworks such as COBIT, NIST, ISO/IEC
3. Prevention, detection, correction
4. A layered defense

Question
The persons on the Security Steering Committee who can contribute the BEST information relating to ensuring information security success are:
1. Chief Information Security Officer
2. Business process owners
3. Executive Management
4. Chief Information Officer

References (slide number, slide title, source of information)
- Slide 4, Corporate Governance: CISA, pages 87, 88
- Slide 6, IT Governance Committees: CISA, page 90
- Slide 7, IT Strategy Committee: CISA, page 90
- Slide 12, Standard IT Balanced Scorecard: CISA, page 91
- Slide 16, Enterprise Architecture: CISA, pages 94, 95, Exhibit 2.5
- Slide 17, Sourcing Practices: CISA, page 106
- Slide 18, Quality with ISO 9001: CISA, page 112
- Slide 19, Quality Definitions: CISA, page 116
- Slide 20, Performance Optimization: CISA, pages 113, 114
- Slide 21, Categories of Performance Measures: CISA, page 114
- Slide 32, Security Organization: CISA, pages 94, 95, Exhibit 2.4
- Slide 33, Security Governance: CISA, pages 92, 93
- Slide 39, Secure Strategy: Risk Assessment: CISM, page 100
- Slide 40, Example Policy Documents: CISA, page 100
- Slide 43, Security Positions: CISA, pages 116, 117