Ensuring Consistency in Security Practices through Strong IT Governance

Eileen Healy – Enterprise Risk Services Director

B.Comm, MBS, CISSP, CISA, ACA

Email: ehealy@deloitte.ie

Mobile: 086 164 3082

@IsacaIreland ISACA Ireland Chapter info@isaca.ie

Presentation Overview

• Why is consistency important?

• Where do we observe inconsistent practices?

• What is Governance and IT Governance – how can this help?

• What standards exist to support the implementation of Strong IT Governance?

© 2015 Deloitte & Touche. All rights reserved

Why is Consistency important?

• Consistency is synonymous with reliability and stability

• Consistency provides greater assurance that confidential information is handled securely

• Consistency provides customers and stakeholders with confidence in how you manage information security risk

• Consistency in practices mitigates the risk that breaches will occur

• Consistency in dealing with breaches minimises the financial and reputational damage

• Consistency maximises the likelihood of meeting all regulatory and legal obligations as well as ensuring sound and robust security practices are implemented to enable and support business delivery

• Risk Management; Compliance; Quality Assurance

• Customer Satisfaction; Competitive advantage


Some key areas of Inconsistency

• Inconsistency between organisations, between divisions, between departments and between practitioners!!

• System Development/Change Control – Integrity is a key component of security

• Access to Production Environments including those managed by third parties

• Implementation of Data Protection requirements around personal data

• Lack of clarity on data governance

• Multiple access administration and provisioning systems

• Inconsistent approach to role/authorisation management

• Authentication standards – application, database, network level – user versus privileged access

• What and how much to audit?


Governance – Who, What and When?


[Diagram: Governance versus Management – elements shown: Board of Directors; Risk Committee; Audit Committee; Executive Management Team; Wider Management Group; Embedded Risk Management; Internal Audit; Independent (Re)Assurance]


Importance of Governance - Specifically IT Governance

• Governance – the systems by which organisations are directed and controlled

• Board responsibility – sometimes delegate to committees

• Management execute, action and report

• Well governed organisations aim to achieve strategic objectives while operating with honesty, integrity and other key principles of good governance.

• Tone at the Top!

• Policies are important – often only become a top line agenda item when something goes wrong!

• Implemented through clear and consistent standards and procedures

• More than just IT - Most breaches are caused by human error!


What is IT Governance?

Definition: IT governance (ITG) is defined as the processes that ensure the effective and efficient use of IT in enabling an organization to achieve its goals.

www.gartner.com/it-glossary/it-governance/

• Benefits:

• Aid in strategically aligning IT with the organizational goals and strategy

• Raise the profile of IT

• Aid in project and portfolio management

• Reduce IT risk

• Aid in IT strategic planning

• Aid in performance measurement

• Aid in embedding IT into the organization’s culture

• Aid in demand management (demand for IT’s services by other departments)

• Optimize IT operations


Standards which support Strong IT Governance

• COBIT – IT Governance Framework

• ISO/IEC 27002:2013 - Information security management


COBIT

• COBIT 5 - Comprehensive Framework for the Governance and Management of Enterprise IT

• Principles include:

• Separating Governance from Management

• Enabling a Holistic Approach

• Covering the Enterprise End to End

• Professional guides include: COBIT 5 for Information Security (http://www.isaca.org/cobit/pages/default.aspx)


ISO 27000

• ISO/IEC 27002:2013 - Information Technology – Security Techniques – Code of Practice for Information Security Management


[Diagram: ISO/IEC 27002:2013 Standards – control areas shown:]

• Information security policies

• Organisation of information security

• Human Resource Security

• Asset Management

• Access Control

• Cryptography

• Physical and Environmental Security

• Operations Security

• Communications Security

• Acquisition, Development and Maintenance

• Supplier relationships

• Information Security Incident Management

• Business Continuity Management

• Compliance

• Risk Management


Closing Comments

• Consistency in practice is important

• Minimise likelihood and impact of a security breach

• Strong IT Governance required from Top Down

• Tone at the Top is important

• Policies are important

• There are many resources to draw on, and assistance is available


Questions?
