ISSM 553 Governance, Risk and Compliance (GRC)
Session I: Governance (IT Governance and InfoSec Governance)
Bobby Swar, PhD
bobby.swar@concordia.ab.ca

Agenda
➢ Introduction to IT Governance
➢ Information Security Fundamentals
➢ Introduction to Information Security Governance
➢ Team Sign Up

Background
➢ What is the role of IT in business?
➢ Why do business firms invest in IT?
➢ IT should help the enterprise meet its objectives.
➢ IT enhances the enterprise’s competitiveness.
➢ “Top-performing enterprises generate returns on their IT investments up to 40 percent greater than their competitors” (Weill and Ross, 2004, p. 2).
➢ IT is central to enterprise success.

Background
Source: Johnson, Vess; Maurer, Chris; Torres, Russell; Guerra, Katia; Mohit, Hossein; Srivastava, Smriti; and Chatterjee, Sourav (2024). “The 2023 SIM IT Issues and Trends Study,” MIS Quarterly Executive: Vol. 23: Iss. 1, Article 7. Available at: https://aisel.aisnet.org/misqe/vol23/iss1/7

Background
➢ For IT to deliver value in organizations:
    ➢ Alignment of IT and business objectives
    ➢ IT risk management
    ➢ IT resource management
    ➢ Compliance (with requirements, policies, laws and regulations)

➢ What is IT governance?
➢ Why is IT governance needed?

Corporate Governance
➢ A system of rules, practices and processes by which corporations are directed and controlled.
➢ It allows an organization to manage all aspects of its business to meet its objectives.
➢ It involves balancing stakeholders’ interests.
➢ IT plays an important role in improving corporate governance practices.

IT Governance – Different Names
➢ Governance of IT
➢ Corporate Governance of IT (CGIT)
➢ Enterprise Governance of IT (EGIT)
➢ Information and Communications Technology Governance (ICT Governance)
➢ Organizational Governance of IT

IT Governance – Definitions
➢ “The processes that ensure the effective and efficient use of IT in enabling an organization to achieve its goals” (Gartner Inc.).
➢ “System by which the current and future use of IT is directed and controlled” (ISO/IEC 38500:2015).
➢ A subset of corporate governance that focuses on IT (performance, risk management and compliance).

IT Governance
➢ Primary goal: IT generates business value and mitigates IT-related risks.
➢ Should fit into the enterprise’s overall corporate governance strategy rather than being a discipline on its own.
➢ Responsibility of the board and executives (top management).
➢ “Effective IT governance is the single most important predictor of the value an organization generates from IT” (Weill and Ross, 2004, pp. 3-4).

IT Governance
➢ Corporate Governance vs. IT Governance?
➢ IT Governance vs. IT Management?

IT Governance: Focus Areas
➢ Five focus areas driven by stakeholder value (IT Governance Institute (ITGI))
Source: Board Briefing on IT Governance, 2nd Edition, IT Governance Institute, IL 60008 USA. P. 20

IT Governance: Focus Areas
➢ Value Delivery
➢ Risk Management
➢ Strategic Alignment
➢ Resource Management
➢ Performance Measurement
Source: Board Briefing on IT Governance, 2nd Edition, IT Governance Institute, IL 60008 USA.

IT Governance: Focus Areas (others)
➢ Compliance and Standards
➢ IT Policies and Procedures
➢ Decision-Making and Accountability
➢ Monitoring and Reporting
➢ Continuous Improvement

IT Governance: Frameworks/Standards
➢ COBIT 5 – A business framework for the governance and management of enterprise IT.
➢ COBIT 2019 – Enterprise Governance of Information and Technology.
➢ ISO/IEC 38500:2024 – Information technology – Governance of IT for the organization.
➢ AS 8015-2005 – Australian standard for corporate governance of information and communication technology.
➢ ITIL – Information Technology Infrastructure Library.
➢ And many more

Professional Certification – CGEIT
➢ Four domains:
    ➢ Governance of Enterprise IT
    ➢ IT Resources
    ➢ Benefits Realization
    ➢ Risk Optimization

Professional Certification – COBIT 2019
➢ COBIT Bridge Program (requires COBIT 5 Foundation)
➢ COBIT 2019 Foundation
➢ COBIT 2019 Design and Implementation (prerequisite: COBIT 2019 Foundation)
➢ Implementing the NIST Cybersecurity Framework Using COBIT 2019 (prerequisite: COBIT 2019 Foundation)

Information Security Fundamentals

Information Security
➢ “Security should be viewed as an element of business management rather than an IT concern.”
➢ “Security is the business management tool that ensures the reliable and protected operation of IT/IS.”
➢ “Security exists to support the objectives, mission, and goals of the organization.”
➢ “Security should be cost-effective.”
➢ “Security should be legally defensible.”
➢ “Security is a journey, not a finish line.”
Source: Chapple, M., Stewart, J. M., & Gibson, D. (2021). (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (9th ed.). Wiley Professional Development (P&T). P. 3

Information Security
➢ “Generally, a security framework should be adopted that provides a starting point for how to implement security.”
➢ “Once an initiation of security has been accomplished, then fine-tuning that security is accomplished through evaluation.”
➢ “3 common types of security evaluation: Risk assessment, Vulnerability assessment, Penetration testing.”
Source: Chapple, M., Stewart, J. M., & Gibson, D. (2021). (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (9th ed.). Wiley Professional Development (P&T). P. 3

Information Security Concepts
➢ Three pillars of security: the CIA Triad
➢ The CIA triad has served as the industry standard for computer security since the era of the first mainframes.
➢ Confidentiality: allowing only authorized subjects to access information.
➢ Integrity: allowing only authorized subjects to modify information.
➢ Availability: ensuring that information and resources are accessible when needed.

Information Security Concepts
➢ If we increase confidentiality, will we decrease availability?
➢ What can be done to reduce the risk to CIA?

Controls
➢ Constraints and restrictions imposed on a user or a system to secure against risks.
➢ Countermeasures to mitigate the potential of risk.
➢ Countermeasures may be software configurations, hardware devices, or procedures.
➢ Examples: strong password management, firewalls, security-awareness training, etc.

Control Types
➢ Administrative Controls – referred to as “soft controls”; management-oriented.
    ➢ E.g., security policies, procedures, training, documentation, etc.
➢ Technical Controls – referred to as “logical controls”; implemented as hardware or software components.
    ➢ E.g., firewalls, encryption, antimalware, etc.
➢ Physical Controls – items put in place to protect facilities, personnel, and resources.
    ➢ E.g., security guards, locks, CCTV, etc.

Control Types
➢ Control types need to be combined to provide defense-in-depth.
➢ Defense-in-depth (layering) – the coordinated use of multiple security controls in a layered approach.
➢ A multilayered defense system minimizes the probability of successful penetration and compromise.
➢ E.g., fence > locked external door > CCTV > security guard > locked internal doors > locked server room > physically secured computers.

Control Functionalities
➢ Deterrent: discourage a potential attacker.
➢ Preventive: stop an incident from occurring.
➢ Detective: identify an incident’s activities and potentially an intruder.
➢ Corrective: fix components and systems after an incident has occurred.
➢ Recovery: restore systems to return to normal operations.
➢ Compensating: controls that provide an alternative measure of control.

Control Functionalities
Examples:
➢ Deterrent – firewalls, fences, locks
➢ Preventive – firewalls, security awareness training
➢ Detective – audit logs, CCTV
➢ Corrective – server images
➢ Recovery – backups, offsite facilities
➢ Compensating – instead of security guards, fences can also be used to protect the facilities

Professional Certification – CISSP
➢ CISSP – Certified Information Systems Security Professional
➢ Globally recognized expertise in the field of information security
➢ Vendor-neutral IT security certification
➢ Governed by (ISC)2
➢ (ISC)2 – International Information Systems Security Certification Consortium

Professional Certification – CISSP
➢ Covers eight subject areas/domains:
    ➢ Security and Risk Management
    ➢ Asset Security
    ➢ Security Engineering
    ➢ Communication and Network Security
    ➢ Identity and Access Management
    ➢ Security Assessment and Testing
    ➢ Security Operations
    ➢ Software Development Security

Information Security Governance

Information Security Governance (ISG)
➢ The system by which an organization directs and controls IT security.
➢ There are multiple definitions of ISG; common themes include:
    ➢ “Promoting good information security practices with clear direction and understanding at all levels.”
    ➢ “Controlling information security risks associated with the business.”
    ➢ “Creating an overall information security activity that reflects the organization’s needs and risk appetite levels.”
Source: Love, P., Reinhard, J., Schwab, A. J., and Spafford, G. (2010). Global Technology Audit Guide (GTAG), Information Security Governance. The Institute of Internal Auditors, FL 32701, USA. P. 1

Information Security Governance (ISG): Objectives
➢ Objectives
➢ Desired Outcomes
Source: ISO/IEC 27014:2013 Information technology – Security techniques – Governance of information security. P. 2.

Information Security Governance: Desired Outcomes Based on IT Governance
➢ Strategic alignment of information security with business strategy to support organizational objectives.
➢ Effective risk management by executing appropriate measures to manage and mitigate risks and reduce potential impacts on information resources to an acceptable level.
➢ Resource management by utilizing information security knowledge and infrastructure efficiently and effectively.
➢ Value delivery by optimizing information security investments in support of organizational objectives.
➢ Performance measurement by measuring, monitoring and reporting information security governance metrics to ensure that organizational objectives are achieved.
Source: Information Security Governance: Guidance for Board of Directors and Executive Management, 2nd Edition. IT Governance Institute, IL 60008 USA.

Governance Relationship
Figure 1. Relationship between governance of information security and governance of information technology
Source: ISO/IEC 27014:2013 Information technology – Security techniques – Governance of information security. P. 3.

Information Security Governance: Relationship
Figure 3.1. Relation between ITS and ITG
Source: Ohki, E., Harada, Y., Kawaguchi, S., Shiozaki, T., & Kagaya, T. (2009). Information security governance framework. In Proceedings of the first ACM workshop on Information security governance (WISG ’09). Association for Computing Machinery, New York, NY, USA, 1-6. P. 3.

InfoSec Frameworks/Standards
➢ COBIT
➢ MODAF
➢ NIST SP 800-53
➢ SABSA model
➢ ISO/IEC 27000 series
➢ ITIL
➢ ISO/IEC 27014
➢ Six Sigma
➢ Zachman framework
➢ CMMI
➢ TOGAF
➢ DoDAF

References
➢ Board Briefing on IT Governance, 2nd Edition. IT Governance Institute, IL 60008 USA.
➢ Chapple, M., Stewart, J. M., & Gibson, D. (2021). (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (9th ed.). Wiley Professional Development (P&T). Retrieved from https://bookshelf.vitalsource.com/books/9781119786245
➢ Gartner. Information Technology Gartner Glossary. Retrieved from https://www.gartner.com/en/information-technology/glossary/it-governance#:~:text=IT%20governance%20(ITG)%20is%20defined,organization%20to%20achieve%20its%20goals
➢ Global Technology Audit Guide (GTAG), Information Security Governance. Retrieved from https://www.theiia.org/en/products/bookstore/global-technology-audit-guide-gtag-auditing-it-governance/
➢ IBM Global Business Services (2007). IT Governance – Helping Organizations Achieve Enterprise-wide Governance Over Information Technology (IT). Providing cost-effective assessment, implementation and management solutions to improve an organization’s control and governance over IT.
➢ Information Security Governance: Guidance for Board of Directors and Executive Management, 2nd Edition. IT Governance Institute, IL 60008 USA.
➢ ISO/IEC 38500:2024. Information technology – Governance of IT for the organization. Retrieved from https://www.iso.org/obp/ui/#iso:std:iso-iec:38500:ed-3:v1:en
➢ Kappelman, L., Torres, R., McLean, E., Maurer, C., Johnson, V., Snyder, M., and Guerra, K. (2022). The 2021 SIM IT Issues and Trends Study, MIS Quarterly Executive, 21(1).
➢ Love, P., Reinhard, J., Schwab, A. J., and Spafford, G. (2010). Global Technology Audit Guide (GTAG), Information Security Governance. The Institute of Internal Auditors, FL 32701, USA.
➢ Ohki, E., Harada, Y., Kawaguchi, S., Shiozaki, T., & Kagaya, T. (2009). Information security governance framework. In Proceedings of the first ACM workshop on Information security governance (WISG ’09). Association for Computing Machinery, New York, NY, USA, 1-6.
➢ Weill, P. and Ross, J. W. (2003). IT Governance: How Top Performers Manage IT Decision Rights for Superior Results. Harvard Business School Press.

Next Session
➢ COBIT 2019 Foundation, Part I/II
➢ COBIT 2019 Framework: Introduction and Methodology

Team Sign Up
➢ Maximum of 4 students per team.
➢ Team activities:
    ➢ Passive Reconnaissance Lab
    ➢ 2 Case Studies
    ➢ Research Project
➢ Everyone on the team must participate actively.
➢ Grade reductions will be applied to individuals who don’t contribute.

Questions?