Information Governance & the IT Auditor
Vernon Poole
ISACA London Chapter, 26 September 2002

Presentation Objective
"This session will show how the Information Governance framework has developed, how the IT Governance Institute is now working on ways to best convince organisations to adopt best practice, and the role the IT auditors need to play."

AGENDA
1. The current IT dilemma
2. IT's record of achievement
3. Information Governance benefits
4. Governance focus by: Board, Management, IT Auditor
5. Conclusions

1. THE CURRENT IT DILEMMA
- Are they doing the right things?
- Are they being done well?
- Are we getting benefits?

What IT problem?

What does the Board do?
- Ask tough questions
- Focus on risk and value
- Direct IT strategy
- Cascade strategy and goals
- Organisational alignment
- An IT control framework
- Balanced Business Scorecard

How does management react?

What should auditors consider?
- How is governance being addressed?
- Are regulatory rules being followed?
- Can we benefit from recent case studies?
- Is IT governance considered by the Board?

2. IT'S RECORD OF ACHIEVEMENT?
[Chart slide, four panels; source: 2001 surveys by Brookings Institute, Standish Group and Acadys]
(A) Market value: tangible assets 15%, intangible assets (including information) 85%
(B) IT relationships: client, partner, supplier, CEO/CIO ("one in eight")
(C) Project management: projects successful, challenged or failed (figures shown: 23%, 28%, 49%)
(D) Performance measurement: ability to measure, rated above expectations / appropriate / below expectations

2. IT'S RECORD OF ACHIEVEMENT (CONTD)
- Uncertainty, complexity & growth
- Personal & visual contact

"IT has been the longest running disappointment in business in the last 30 years!"
Jack Welch, Chairman, General Electric, World Economic Forum, Davos, 1997

3. INFORMATION GOVERNANCE BENEFITS
Reliable information & trusted systems:
- Guarantee of quality
- Trading partner 'assurance'
- Customer loyalty
- Security assurance
- Reputation enhancement
- Sustainable growth

3. INFORMATION GOVERNANCE BENEFITS: STAKEHOLDER VALUES
[Diagram slide: the governance/control loop]
- Stakeholder values drive the strategy; governance/control confirms or changes direction
- Resources (knowledge, information, capability, ...) are used by processes, which are measured and report results
- Governance: take stakeholder value into account; give direction to the processes; ensure they provide results (performance, outcome); ensure they act on the results (risks, assets); get results and challenge them; improve

4. INFORMATION GOVERNANCE FOCUS: WHAT SHOULD BOARDS DO ABOUT IT?
- Be driven by stakeholder value
- Adopt an information governance framework
- Ask the right questions
- Focus on its: strategic alignment, value delivery, IT asset management, risk management
- Measure results
[Diagram: Stakeholder Value Drivers at the centre of IT Strategic Alignment, IT Value Delivery, Risk Management and Performance Measurement]

MARKET ANALYSTS' VIEW OF IT PRIORITIES 2002
1. Strategic Alignment: "ALIGNING WITH THE BUSINESS AND COLLABORATIVE SOLUTIONS"
- Aligning IT with the business and its goals
- Providing a flexible, integrated information infrastructure to support the business strategy
- Instituting cross-functional collaborative information systems
- Being an agent of change enabling business transformation
- Educating and connecting with the Boardroom
- Effectively communicating with IS users

2. Value Delivery: "FOCUS ON COSTS & BENEFITS AND PROOF OF VALUE"
- Cost optimisation
- ROI for IT and its bottom-line impact
- Total cost of ownership (TCO) of IT services
- Quality and effectiveness of enterprise-wide service delivery
- Keeping users and managers satisfied
- Proving the value of IT

3. IT Asset Management: "KNOWLEDGE, INFRASTRUCTURE AND PARTNERS"
- Selective outsourcing of non-core processes to trusted suppliers
- Leveraging knowledge and skills
- Providing an integrated, economical IT infrastructure where new technology is judiciously introduced and obsolete systems updated or replaced
- Availability, training, retention and competence of key IT personnel

4. Risk Management: "SAFEGUARDING ASSETS AND DISASTER RECOVERY"
- Establishing IT security to safeguard assets and enabling business recovery from IT failures
- Providing privacy and resilience
- Establishing trust in services and partners
- Managing internal threats of misuse and errors, and external threats from deliberate attacks as well as from market volatility and the pace of change

OUR VIEW OF IT PRIORITY NO. 5
"None of these domains (Strategic Alignment, Value Delivery, IT Asset Management, Risk Management) can be properly managed without 5. Performance Measurement."

IT GOVERNANCE INSTITUTE OFFERINGS
1. Board Briefing, 2001 (35,000 downloads in 7 months)
2. CEO Guide, 2002
3. IT Strategy Committee Guide, 2002

4. INFORMATION GOVERNANCE FOCUS: WHAT SHOULD MANAGEMENT DO ABOUT IT?
- Align IT strategy with business goals
- Cascade strategy and goals down into the organisation
- Set up organisational structures that facilitate strategy implementation
- Adopt a control and security governance framework
- Provide IT infrastructures that facilitate creation and sharing of business information
- Embed responsibilities for risk management in the organisation
- Focus on important IT processes and core IT competencies
- Measure performance (Balanced Business Scorecard)

WHAT SHOULD MANAGEMENT DO ABOUT IT? ADOPT GLOBAL BEST PRACTICE
1. CobiT3 & CobiT4: An IT Control Framework

CobiT: an IT control framework
- Starts from the premise that IT needs to deliver the information that the organisation needs to achieve its objectives
- Promotes process focus and process ownership
- Divides IT into 34 processes belonging to 4 domains (Planning, Acquiring & Implementing, Delivery & Support, Monitoring) and provides a high-level control objective for each domain
- Looks at fiduciary, quality and security needs, and provides 7 information criteria (effectiveness, efficiency, availability, integrity, confidentiality, reliability, compliance) that can be used to define what the organisation requires from IT
- Supported by 300+ detailed control objectives

CobiT3: Achievements (added a governance layer)
- Key Goal Indicators: a measure of the outcome of the process; a measure of "what"; an indicator of business contribution
- Key Performance Indicators: a measure of "how well" the process is performing; must help in improving the process
- Critical Success Factors: the most important things to do; observable and measurable; leverage capability, skills and behaviour
- Maturity Models: a generic scale for pragmatic comparison; a "profile" of the enterprise on IT governance and control to determine As-Is and To-Be positions; basis for gap analysis
  Scale: 0 Non-Existent, 1 Initial, 2 Repeatable, 3 Defined, 4 Managed, 5 Optimised

CobiT4: Strategy, Values, Vision
- Vision: to be the global standard for best practice in control over IT, and to assist users from assessment to implementation
- Values: sharing knowledge; leveraging expertise; influencing best practices
- Mission: through a simple product set, support an expanding target audience with on-line (continuously updated) knowledge on IT control, assurance and governance
- Target audience: executives & boards (monitor); management (assess); professionals (implement)

CobiT4: Product Structure (WHO / WHAT)
- Executives & Boards: IT Governance Practices and Responsibilities; IT Governance Survey
- Business and Technology Management: Control Objectives, Performance measures, Critical success factors, Maturity models (What is the IT Control Framework?); Audit Guidelines (How to assess the IT Control Framework?); Implementation Guide (How to introduce it in the enterprise?); Maturity Benchmark; CobiT 'lite'
- Audit, control and security professional: IT Control Practices; Self-assessment Tool; Value Assessment; Risk Analysis

CobiT4: Maturity Benchmark
- Respondents: most senior officers (in ISACA's database) from 800 Fortune 500 and significant government entities; 146 responses for 205 entities = 17.5%
- The maturity levels (Board attention to IT):
  5 Board has IT strategy committee and approves IT strategy
  4 Board approves IT strategy or has an IT strategy committee
  3 Board is regularly informed
  2 Board occasionally asks questions
  1 Board does not address IT
- Drivers: compliance with law, standards and regulations; cost reduction; mission and goals; performance improvement; risk reduction; reputation and trust; competitive environment; corporate values; political/economic environment
- Inhibitors: budget limitations; availability of skilled staff; management awareness/commitment; lack of ownership; existing architecture; no easy solution; resource conflicts/priorities; lack of tools; political/economic environment
[Chart: Average IT Governance Maturity Levels]

CobiT4: Implementation Guide
[Chart slide: IT Control Diagnostic / Maturity Profile (radar of the 15 processes below on the 0-5 scale); Gap Analysis; Roadmap with schedule in weeks (0 to 22): Needs Analysis, Planning, Final Design and Approach, Trade-Off Review, Development, Milestone Reviews, Data implementation, Testing/QA, Final QA, Initial Release]
Processes shown:
- PO1 define a strategic IT plan
- PO3 determine technological direction
- PO5 manage the IT investment
- PO9 assess risks
- PO10 manage projects
- AI1 identify solutions
- AI2 acquire & maintain applications
- AI5 install and accredit systems
- AI6 manage changes
- DS1 define service levels
- DS4 ensure continuous service
- DS5 ensure system security
- DS10 manage problems and incidents
- DS11 manage data
- M1 monitor the processes

CobiT4: CobiTOnline
What ITGI needs to build, own & operate:
- CobiT Knowledge Base: downloads, exchange of experience, discussion forums, knowledge capturing
- Value-added tools available on a commercial basis

Predictor (Gartner, 7 January 2002): "By year-end 2002, six or more vendors will offer packaged 'smart enterprise' portfolios of portal, content and document management, KM and collaboration products (0.8 probability). Many will also include e-learning."

Outcome measures for the CobiT Knowledge Base:
- Volume of usage and size of benchmark database
- Number of user suggestions to the knowledge base
- Favourable reviews in professional publications
- Frequency, timeliness and cost-efficiency of CobiT releases

CobiT4: CobiTlite
- Early stages: difference in control environment; preselection of processes & objectives; 15 most important processes; 318 control objectives down to 90 plus 15 simplified
- Characteristics of the target enterprise: simple presentation form; short communications path; effective span of control; simple command structure; less build, more buy; less complex IT infrastructure; less 'savvy' about IT; takes more risk; strong profit orientation; less segregation; less IT capabilities; process control; brainstorm approach
- The 15 processes: PO1 define strategic IT plan; PO3 determine technological direction; PO5 manage the IT investment; PO9 assess risks; PO10 manage projects; AI1 identify solutions; AI2 acquire & maintain application software; AI5 install and accredit systems; AI6 manage changes; DS1 define service levels; DS4 ensure continuous service; DS5 ensure system security; DS10 manage problems and incidents; DS11 manage data; M1 monitor the processes

CobiT4: IT Control Practices
Example deliverable, practice DS5.5.4: When employees are given their account, they should be provided with initial or refresher training and awareness on computer security issues. They should be asked to review the rules and regulations for system access and confirm they have understood.
Risk/Value:
- Ignorance of compliance requirements and sanctions leading to rules not being respected
- Ignoring rules that are too generic or descriptive
- Absence of awareness leading to weak discipline
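The As-Is/To-Be gap analysis that the Implementation Guide and CobiTlite slides describe, worked through as an added example (not code from the presentation or from ITGI). It assumes one target baseline of level 3 for every process, as CobiTlite's 'maximise at level 3' suggests, and uses constructed self-assessment levels:

```python
from dataclasses import dataclass
from statistics import mean
from typing import Optional

# CobiT maturity scale 0..5, as on the CobiT3 achievements slide.
MATURITY = ("Non-existent", "Initial", "Repeatable", "Defined", "Managed", "Optimised")

# The 15 CobiTlite processes named on the Implementation Guide slide.
PROCESSES = {
    "PO1": "define a strategic IT plan", "PO3": "determine technological direction",
    "PO5": "manage the IT investment", "PO9": "assess risks", "PO10": "manage projects",
    "AI1": "identify solutions", "AI2": "acquire & maintain applications",
    "AI5": "install and accredit systems", "AI6": "manage changes",
    "DS1": "define service levels", "DS4": "ensure continuous service",
    "DS5": "ensure system security", "DS10": "manage problems and incidents",
    "DS11": "manage data", "M1": "monitor the processes",
}

# Constructed self-assessment (As-Is levels); not survey data from the presentation.
SAMPLE_AS_IS = {"PO1": 2, "PO3": 2, "PO5": 3, "PO9": 1, "PO10": 2, "AI1": 2, "AI2": 3,
                "AI5": 2, "AI6": 1, "DS1": 2, "DS4": 1, "DS5": 1, "DS10": 2, "DS11": 3, "M1": 0}

@dataclass(frozen=True)
class Gap:
    process: str
    as_is: int
    to_be: int

    @property
    def size(self) -> int:          # levels still to climb; 0 or negative = target met
        return self.to_be - self.as_is

def _check_level(process: str, level) -> int:
    if process not in PROCESSES:
        raise KeyError(f"unknown CobiT process {process}")
    if not isinstance(level, int) or not 0 <= level <= 5:
        raise ValueError(f"{process}: maturity level must be 0..5, got {level!r}")
    return level

def gap_analysis(as_is: dict, to_be: Optional[dict] = None, baseline: int = 3) -> list:
    """As-Is vs To-Be per process, largest gap first. To-Be defaults to the CobiTlite
    'maximise at level 3' baseline (assumption: one baseline for every process).
    Ties are broken in favour of DS5 and PO9 (security and risk), then by process id."""
    to_be = to_be or {}
    gaps = [Gap(p, _check_level(p, as_is.get(p, 0)),        # unassessed = Non-existent
                _check_level(p, to_be.get(p, baseline))) for p in PROCESSES]
    return sorted(gaps, key=lambda g: (-g.size, g.process not in ("DS5", "PO9"), g.process))

def profile_summary(gaps: list) -> dict:
    """Headline figures for a maturity profile: average As-Is, processes below target."""
    return {"average_as_is": round(mean(g.as_is for g in gaps), 2),
            "below_target": [g.process for g in gaps if g.size > 0],
            "largest_gap": gaps[0].process if gaps and gaps[0].size > 0 else None}
```

`profile_summary(gap_analysis(SAMPLE_AS_IS))` reports an average As-Is of 1.8 with 12 of the 15 processes below the baseline, M1 (monitor the processes) being the largest gap.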
CobiT4: IT Control Practices (contd)
- Practices selected for effectiveness, cost-efficiency and expedience
- Integration with CobiTlite and the Implementation Guide

CobiT4: CobiTlite (80/20, 'smart things to do')
- Early stages
- High impact, low cost: high effectiveness, low cost and expedient
- 'Mini' minimum baseline approach: maximise at level 3 on the maturity scale (0 Non-existent, 1 Initial, 2 Repeatable, 3 Defined, 4 Managed, 5 Optimised)
- Simple presentation form

WHAT SHOULD MANAGEMENT DO ABOUT IT? ADOPT GLOBAL BEST PRACTICE
2. ISO 17799: An Information Security Framework

ISO 17799 - IS Best Practice
1. Became an ISO standard in December 2000
2. Adopted by the IT Governance Institute in its 'Information Security Governance' booklet, 2001
3. It is the second best-selling ISO standard, gaining global appeal
4. The standard is becoming a contractual obligation included in 'service level' agreements
Therefore it is essential to 'doing business'.

The standard consists of two parts:
1. Part 1: Code of Practice, referred to as ISO 17799; consists of 10 guiding principles covering strategic, operational & human issues
2. Part 2: Information Security Management System (ISMS), BS7799-2; requires organisations to select which of the 127 controls are appropriate to them based on risk assessment (currently being revised)

The 10 areas:
1. Information Security Policy
2. Security Organisation
3. Asset Classification/Control
4. Personnel Security
5. Physical/Environmental Security
6. Communications & Operations Management
7. System Access Control
8. Systems Development/Maintenance
9. Business Continuity Management
10. Compliance

It is therefore imperative that organisations 'benchmark' themselves against best practice and assess any gaps in their information security, to protect against either internal or external threats that could jeopardise the reliability of information. The standard also ensures that detailed policies and procedures are established and creates an 'Information Security culture'.

Current studies show that organisations who obtain 7799 certification are being respected as reputable and trusted. Future transactions can be conducted in the knowledge that information security risks are being effectively managed. Information security is therefore an essential ingredient of sustainable growth and acts as a market differentiator.

4. INFORMATION GOVERNANCE FOCUS: WHAT SHOULD IT AUDITORS CONSIDER?
- Obtain an understanding of IT governance
- Get the Board and management to focus on the issues and their responsibilities
- Recommend the adoption of an IT control and governance framework, such as CobiT & ISO 17799
- Set up organisational structures that facilitate a strategic implementation of such a framework
- Measure your own performance (Balanced Business Scorecard)

WHY SHOULD IT AUDITORS CARE?
- IT is integral and critical to the business
- Shareholders are holding Boards accountable
- Boards are holding management responsible
- An immense shift from tangible to intangible assets, the majority of the latter being information
- Boards and management will look for support to obtain assurance about the cost, return and risk of IT to the business

5. CONCLUSIONS
Why get into Information Governance? "Due diligence":
- IT involves huge investments and large risk
- Expectations and reality don't match
- IT is critical & strategic to the business
- IT does not get the attention it deserves
Information Governance driven by IT will give you 'competitive advantage'.

IT is strategic to most organisations. If so, don't you want to know if your IT department is:
- Likely to achieve its objectives?
- Resilient enough to learn and adapt?
- Judiciously managing the risks it faces?
- Appropriately recognising opportunities and acting upon them?

Why has IT not been addressed?
- Requires more technical insight
- Treated as a separate entity
- IT is complex

IT BALANCED SCORECARD
Financial:
- # of IT customers
- Cost per IT customer
- Cost-efficiency of IT processes (up)
- Delivery of IT value per employee
Customer:
- Availability of systems & services
- Level of service delivery (up)
- Satisfaction of existing customers
- # of new customers reached
- # of new service delivery channels
Process:
- Developments on schedule & budget
- Throughput & response times
- Amount of errors/rework
Information/Learning:
- Staff productivity & morale
- # of staff trained in new technology/services
- Value delivery per employee (up)
- Increased availability of knowledge systems

IT Balanced Scorecard objectives:
- Demonstrate the value added by the IT organisation
- Determine the effectiveness of the IT organisation
- Set guidelines for the IT strategic plan
- Communicate and motivate about IT performance
- Establish IT management reporting
Key result: the most effective means to achieve IT and business alignment.
Critical success factor: approval of the IT Scorecard by key stakeholders.

INFORMATION GOVERNANCE FRAMEWORK
[Diagram slide: a loop of Set Objectives -> Provide Direction -> IT Activities -> Measure Performance -> Compare]
- Objectives: IT is aligned with the business, enables the business and maximises benefits; IT resources are used responsibly; IT-related risks are managed appropriately
- IT activities: increase automation (make the business effective); decrease cost (make the enterprise efficient); manage risks (security, reliability and compliance)

INFORMATION GOVERNANCE TOOLKIT
[Diagram slide: Activities (WHO, HOW) against Subjects of attention]
- Subjects of attention: IT & business objectives; best practices; critical success factors; core IT competencies; business/technology developments; measurement results; measurement performance
- Each is mapped to V = IT Value Delivery, A = IT Strategic Alignment, R = Risk Management, P = Performance Measurement

INFORMATION GOVERNANCE LIFECYCLE
[Diagram slide]
- Environment: ethics & culture; laws & regulations; mission & vision; role models; industry practices; ...
- Outcomes: reputation for trust & reliability; increased market share; competitive advantage; increased revenues & reduced costs; improved service delivery; legal & regulatory compliance

Thank you! Any questions?

Vernon Poole
IT Governance Institute
3701 Algonquin Road, Suite 1010, Rolling Meadows, IL 60008, USA
+1.847.253.1545
info@isaca.org
www.isaca.org
www.ITgovernance.org