Information Governance & the IT Auditor
Vernon Poole
ISACA London Chapter
26 September 2002
Information Governance
Presentation Objective
«This session will show how the Information Governance framework has developed and how the IT Governance Institute is now working on ways to best convince organisations to adopt best practice, and the role the IT auditors need to play.»
Information Governance
THE CURRENT IT DILEMMA
IT'S RECORD OF ACHIEVEMENT
INFORMATION GOVERNANCE BENEFITS
GOVERNANCE FOCUS BY: BOARD / MANAGEMENT / IT AUDITOR
CONCLUSIONS
1. CURRENT IT DILEMMA
What IT problem?
- Are they doing the right things?
- Are they being done well?
- Are we getting benefits?
What does the Board do?
- Ask tough questions
- Focus on risk and value
- Direct IT strategy
How does management react?
- Cascading strategy and goals
- Organisational alignment
- An IT control framework
- Balanced Business Scorecard
What should auditors consider?
- How is Governance being addressed?
- Are Regulatory rules being followed?
- Can we benefit from recent case-studies?
- Is IT governance considered by the Board?
2. IT'S RECORD OF ACHIEVEMENT?
[Four charts:]
(A) Market value: tangible assets 15%, intangible assets (inc. information) 85%
(B) IT relationships: client partner, supplier, CEO/CIO; above / below expectations
(C) Project management: successful, challenged, failed (chart values 23%, 49%, 28%)
(D) Performance measurement: ability to measure; one in eight appropriate
From 2001 surveys by Brookings Institute, Standish Group and Acadys
2. IT'S RECORD OF ACHIEVEMENT (CONTD)
[Diagram labels: Uncertainty, Complexity & Growth; Personal & visual contact]
"IT has been the longest running disappointment in business in the last 30 years!"
Jack Welch, Chairman General Electric, World Economic Forum, Davos, 1997
3. INFORMATION GOVERNANCE BENEFITS
RELIABLE INFORMATION & TRUSTED SYSTEMS
- Guarantee of Quality
- Trading Partner 'Assurance'
- Customer Loyalty
- Security Assurance
- Reputation Enhancement
- Sustainable Growth
3. INFORMATION GOVERNANCE BENEFITS
[Diagram: Stakeholder Values drive Information Governance, which confirms or changes direction and directs Strategy; Resources (knowledge, information, capability, ...) are used by Processes, whose Results are measured and reported back. Node labels: Performance, Outcome, Risks, Assets, Improve.]
GOVERNANCE/CONTROL =
- Take stakeholder value into account
- Give direction to the processes
- Ensure they provide results
- Ensure they act on the results
- Get results and challenge them
- Improve
4. INFORMATION GOVERNANCE FOCUS: WHAT SHOULD BOARDS DO ABOUT IT
- Be driven by stakeholder value
- Adopt an information governance framework
- Ask the right questions
- Focus on its: Strategic alignment; Value delivery; IT asset management; Risk management
- Measure results
[Diagram: Stakeholder Value Drivers; IT Strategic Alignment; IT Value Delivery; Risk Management; Performance Measurement]
MARKET ANALYSTS' VIEW OF IT PRIORITIES 2002
1. Strategic Alignment
"ALIGNING WITH THE BUSINESS AND COLLABORATIVE SOLUTIONS"
- Aligning IT with the business and its goals
- Providing a flexible, integrated information infrastructure to support the business strategy
- Instituting cross-functional collaborative information systems
- Being an agent of change enabling business transformation
- Educating and connecting with the Boardroom
- Effectively communicating with IS users.
MARKET ANALYSTS' VIEW OF IT PRIORITIES 2002
2. Value Delivery
"FOCUS ON COSTS & BENEFITS AND PROOF OF VALUE"
- Cost-optimisation
- ROI for IT and its bottom-line impact
- Total cost of ownership (TCO) of IT services
- Quality and effectiveness of enterprise-wide service delivery
- Keeping users and managers satisfied
- Proving the value of IT.
MARKET ANALYSTS' VIEW OF IT PRIORITIES 2002
3. IT Asset Management
"KNOWLEDGE, INFRASTRUCTURE AND PARTNERS"
- Selective outsourcing of non-core processes to trusted suppliers
- Leveraging knowledge and skills
- Providing an integrated economical IT infrastructure where new technology is judiciously introduced and obsolete systems updated or replaced
- Availability, training, retention and competence of key IT personnel
MARKET ANALYSTS' VIEW OF IT PRIORITIES 2002
4. Risk Management
"SAFEGUARDING ASSETS AND DISASTER RECOVERY"
- Establishing IT security to safeguard assets and enabling business recovery from IT failures
- Providing privacy and resilience
- Establishing trust in services and partners
- Managing internal threats of misuse and errors and external threats from deliberate attacks as well as from market volatility and the pace of change.
OUR VIEW OF IT PRIORITY NO. 5
"NONE OF THESE DOMAINS (Strategic Alignment, Value Delivery, IT Asset Management, Risk Management) CAN BE PROPERLY MANAGED WITHOUT 5. Performance Measurement"
IT GOVERNANCE INSTITUTE OFFERINGS
1. Board Briefing 2001 (35,000 downloads in 7 months)
2. CEO Guide 2002
3. IT Strategy Committee Guide 2002
4. INFORMATION GOVERNANCE FOCUS: WHAT SHOULD MANAGEMENT DO ABOUT IT?
- Align IT strategy with business goals
- Cascade strategy and goals down into the organization
- Set up organizational structures that facilitate strategy implementation
- Adopt a control and security governance framework
- Provide IT infrastructures that facilitate creation and sharing of business information
- Embed responsibilities for risk management in the organization
- Focus on important IT processes and core IT competencies
- Measure performance (balanced business scorecard)
WHAT SHOULD MANAGEMENT DO ABOUT IT? : ADOPT GLOBAL BEST PRACTICE
1. CobiT3 & CobiT4: An IT Control Framework
CobiT: An IT control framework
- Starts from the premise that IT needs to deliver the information that the organisation needs to achieve its objectives.
- Promotes process focus and process ownership
- Divides IT into 34 processes belonging to 4 domains (Planning; Acquiring & Implementing; Delivery & Support; Monitoring) and provides a high level control objective for each domain
- Looks at fiduciary, quality and security needs, and provides 7 information criteria (Effectiveness, Efficiency, Availability, Integrity, Confidentiality, Reliability, Compliance) that can be used to define what the organisation requires from IT
- Supported by 300+ detailed control objectives
CobiT3: Achievements - added a governance layer
- Key Goal Indicators: a measure of the outcome of the process; a measure of "what"; indicator of business contribution
- Key Performance Indicators: a measure of "how well" the process is performing; must help in improving the process
- Critical Success Factors: the most important things to do; observable and measurable; leverage capability, skills and behaviour
- Maturity Models: a generic scale for pragmatic comparison; a "profile" of the enterprise on IT governance and control to determine As-Is and To-Be positions; basis for gap analysis
Maturity scale: 0 Non-Existent, 1 Initial, 2 Repeatable, 3 Defined, 4 Managed, 5 Optimised
CobiT4 Strategy
Vision: To be the global standard for best practice in control over IT, and to assist users from assessment to implementation
Mission: Through a simple product set, support an expanding target audience with on-line (continuously updated) knowledge on IT control, assurance and governance
Values: Sharing knowledge; Leveraging expertise; Influencing best practices
Target Audience (WHO / WHAT): executives & boards - monitor; management - assess; professionals - implement
CobiT4 - Product Structure
[Diagram: products by audience]
- Executives & Boards (What is the IT Control Framework?): IT Governance Survey; Practices; Responsibilities
- Business and Technology Management (How to assess the IT Control Framework? How to introduce it in the enterprise?): Control Objectives; Performance measures; Critical success factors; Maturity models; Maturity Benchmark; Implementation Guide; CobiT 'lite'
- Audit, control and security professional: IT Control Practices; Audit Guidelines; Self-assessment Tool; Value Assessment; Risk Analysis
The Maturity Levels
Survey: most senior officers (in ISACA's database), from 800 Fortune 500 and significant government entities; 146 responses for 205 entities = 17.5%
Board involvement, from lowest to highest (scale 0-5):
- BOARD DOES NOT ADDRESS IT
- BOARD OCCASIONALLY ASKS QUESTIONS
- BOARD IS REGULARLY INFORMED
- BOARD APPROVES IT STRATEGY OR HAS AN IT STRATEGY COMMITTEE
- BOARD HAS IT STRATEGY COMMITTEE AND APPROVES IT STRATEGY
CobiT4 - Maturity Benchmark
DRIVERS
- Compliance with law, standards and regulations
- Cost reduction
- Mission and goals
- Performance improvement
- Risk reduction
- Reputation and trust
- Competitive environment
- Corporate values
- Political/economic environment
INHIBITORS
- Budget limitations
- Availability of skilled staff
- Management awareness/commitment
- Lack of ownership
- Existing architecture
- No easy solution
- Resource conflicts/priorities
- Lack of tools
- Political/economic environment
[Chart: Average IT Governance Maturity Levels]
CobiT4 - Implementation Guide
[Diagram: IT CONTROL DIAGNOSTIC -> MATURITY PROFILE (level 0-5 per process) -> GAP ANALYSIS -> ROADMAP (schedule in weeks 0-22: Needs Analysis; Planning; Final Design and Approach; Trade-Off Review; Development; Milestone Reviews; Data implementation; Testing / QA; Final QA; Initial Release)]
Processes in the diagnostic:
PO1 define a strategic IT plan
PO3 determine technological direction
PO5 manage the IT investment
PO9 assess risks
PO10 manage projects
AI1 identify solutions
AI2 acquire & maintain applications
AI5 install and accredit systems
AI6 manage changes
DS1 define service levels
DS4 ensure continuous service
DS5 ensure system security
DS10 manage problems and incidents
DS11 manage data
M1 monitor the processes
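As an added worked example (not code from the deck or from ITGI), the diagnostic-to-roadmap flow above in Python: each of the 15 processes gets an As-Is level on the 0-5 maturity scale, a To-Be target capped at level 3 (CobiTlite's 'maximise at level 3', applied here as an assumption), and the roadmap orders the processes by gap. The sample profile is constructed and the tie-break order is an assumption.

```python
# Added example: CobiT maturity gap analysis for the 15 CobiTlite processes (illustrative
# code, not ITGI's; the level-3 cap, tie-break order and sample profile are assumptions).
from collections import defaultdict

MATURITY = ["Non-Existent", "Initial", "Repeatable", "Defined", "Managed", "Optimised"]
DOMAINS = {"PO": "Planning & Organisation", "AI": "Acquiring & Implementing",
           "DS": "Delivery & Support", "M": "Monitoring"}
COBITLITE = {  # the 15 processes named in the deck
    "PO1": "define a strategic IT plan", "PO3": "determine technological direction",
    "PO5": "manage the IT investment", "PO9": "assess risks", "PO10": "manage projects",
    "AI1": "identify solutions", "AI2": "acquire & maintain applications",
    "AI5": "install and accredit systems", "AI6": "manage changes",
    "DS1": "define service levels", "DS4": "ensure continuous service",
    "DS5": "ensure system security", "DS10": "manage problems and incidents",
    "DS11": "manage data", "M1": "monitor the processes",
}

def gap_analysis(as_is, to_be=3, cap=3):
    """Return {pid: (as_is, target, gap)}. `to_be` is one level for every process or a
    per-process dict; targets are capped at `cap` (CobiTlite: 'maximise at level 3')."""
    result = {}
    for pid in COBITLITE:
        cur = as_is.get(pid)
        want = to_be if isinstance(to_be, int) else to_be.get(pid, cap)
        if cur is None or not (0 <= cur <= 5 and 0 <= want <= 5):
            raise ValueError(f"{pid}: missing or out-of-range maturity level (scale is 0..5)")
        target = min(want, cap)
        result[pid] = (cur, target, max(target - cur, 0))
    return result

def roadmap(gaps):
    """Roadmap order: largest gap first, then lowest current level, then process id;
    processes already at target are left out."""
    ranked = sorted(gaps.items(), key=lambda kv: (-kv[1][2], kv[1][0], kv[0]))
    return [pid for pid, (_, _, gap) in ranked if gap > 0]

def domain_averages(as_is):
    """Average As-Is maturity per CobiT domain (the deck's 'average maturity' view)."""
    levels = defaultdict(list)
    for pid, level in as_is.items():
        prefix = pid.rstrip("0123456789")
        if prefix not in DOMAINS:
            raise ValueError(f"unknown CobiT domain in process id {pid!r}")
        levels[DOMAINS[prefix]].append(level)
    return {d: round(sum(v) / len(v), 2) for d, v in levels.items()}

# Constructed sample diagnostic profile (not survey data from the deck)
SAMPLE_AS_IS = {"PO1": 1, "PO3": 2, "PO5": 1, "PO9": 0, "PO10": 2, "AI1": 2, "AI2": 3,
                "AI5": 2, "AI6": 1, "DS1": 2, "DS4": 1, "DS5": 2, "DS10": 3, "DS11": 3, "M1": 0}
if __name__ == "__main__":
    gaps = gap_analysis(SAMPLE_AS_IS, to_be={"DS5": 4})  # DS5 wish of 4 is capped to 3
    for pid in roadmap(gaps):
        cur, tgt, gap = gaps[pid]
        print(f"{pid:5} {COBITLITE[pid]:33} {MATURITY[cur]} -> {MATURITY[tgt]} (gap {gap})")
    print(domain_averages(SAMPLE_AS_IS))
```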
CobiT4 - CobiTOnline
What ITGI needs to build, own & operate: the CobiT Knowledge Base
- downloads
- exchange of experience
- discussion forums
- knowledge capturing
- value added tools available on a commercial basis
CobiT4 - CobiTOnline
Predictor (Gartner - 7 January 2002): By year-end 2002, six or more vendors will offer packaged "smart enterprise" portfolios of portal, content and document management, KM and collaboration products (0.8 probability). Many will also include e-learning.
Outcome Measures (CobiT Knowledge Base):
- Volume of usage and size of benchmark database
- Number of user-suggestions to knowledge base
- Favorable reviews in professional publications
- Frequency, timeliness and cost-efficiency of CobiT releases
CobiT4 - CobiTlite
Early stages
- difference in control environment: short communications path; effective span of control; simple command structure; less build, more buy; less complex IT infrastructure; less 'savvy' about IT; take more risk; strong profit orientation; less segregation; less IT capabilities
- preselection of processes & objectives: 15 most important processes; 318 COs down to 90 plus 15 simplified
- simple presentation form
- brainstorm approach (process / control)
The 15 processes:
PO1 define strategic IT plan
PO3 determine technological direction
PO5 manage the IT investment
PO9 assess risks
PO10 manage projects
AI1 identify solutions
AI2 acquire & maintain applications s/w
AI5 install and accredit systems
AI6 manage changes
DS1 define service levels
DS4 ensure continuous service
DS5 ensure system security
DS10 manage problems and incidents
DS11 manage data
M1 monitor the processes
CobiT4 - IT Control Practices
Example (columns: Deliverable / Practice / Risk-Value), practice DS5.5.4:
Practice: When employees are given their account, they should be provided with initial or refresher training and awareness on computer security issues. They should be asked to review the rules and regulations for system access and confirm they have understood.
Risk/Value:
- Ignorance of compliance requirements and sanctions leading to rules not being respected.
- Ignoring rules that are too generic or descriptive
- Absence of awareness leading to weak discipline
Criteria: effectiveness; cost-efficiency; expedience
Integration with CobiTlite and Implementation Guide
CobiT4 - CobiTlite
Early stages
- 80/20 - 'smart things to do'
- high effectiveness, low cost and expedient
- 'mini' minimum baseline approach
- maximise at level 3
- simple presentation form
[Diagram: impact vs cost matrix (H = high); maturity scale 0 Non-existent, 1 Initial, 2 Repeatable, 3 Defined, 4 Managed, 5 Optimised]
WHAT SHOULD MANAGEMENT DO ABOUT IT? : ADOPT GLOBAL BEST PRACTICE
2. ISO 17799: An Information Security Framework
ISO 17799 - IS Best Practice
1. Became an ISO Standard in December 2000
2. Adopted by IT Governance Institute in its 'Information Security Governance' booklet - 2001
3. It is the second best selling ISO Standard - gaining global appeal
4. The standard is becoming a contractual obligation included in 'service level' agreements
Therefore it is essential to 'doing business'
ISO 17799 - IS Best Practice
Standard consists of two parts:
1. Part 1: Code of Practice - referred to as ISO 17799 - consists of 10 Guiding Principles covering strategic, operational & human issues
2. Part 2: Information Security Management System (ISMS) - BS7799-2: requires organisations to select which of the 127 controls are appropriate to them based on risk assessment (currently being revised)
ISO 17799 - IS Best Practice
1. Information Security Policy
2. Security Organisation
3. Asset Classification/Control
4. Personnel Security
5. Physical/Environmental Security
6. Communications & Operations Management
7. System Access Control
8. Systems Development/Maintenance
9. Business Continuity Management
10. Compliance
ISO 17799 - IS Best Practice
It is therefore imperative that organisations 'benchmark' themselves against best practice and assess any gaps in their Information Security to protect against either internal or external threats that could jeopardise the reliability of information.
The standard also ensures that detailed policies and procedures are established & creates an 'Information Security culture'.
ISO 17799 - IS Best Practice
Current studies show that organisations who obtain 7799 certification are being respected as reputable & trusted. Future transactions can be conducted in the knowledge that information security risks are being effectively managed.
Information Security is therefore an essential ingredient to sustainable growth & acts as a market differentiator.
4. INFORMATION GOVERNANCE FOCUS: WHAT SHOULD IT AUDITORS CONSIDER?
- Obtain an understanding about IT Governance
- Get the Board and Management to focus on the issues and their responsibilities
- Recommend the adoption of an IT control and governance framework, such as CobiT & ISO 17799
- Set up organizational structures that facilitate a strategic implementation of such a framework
- Measure your own performance (Balanced Business Scorecard)
WHY SHOULD IT AUDITORS CARE?
- IT is integral and critical to the business
- Shareholders are holding Boards accountable
- Boards are holding management responsible
- An immense shift from tangible to intangible assets, the majority of the latter being information
- Boards and management will look for support to obtain assurance about the cost, return and risk of IT to the business
Why get into Information Governance
- "Due diligence"
- IT involves huge investments and large risk
- Expectations and reality don't match
- IT is critical & strategic to the business
- IT does not get the attention it deserves
- Information Governance driven by IT will give you 'Competitive Advantage'
IT is strategic to most organisations
If so, don't you want to know if your IT Department is:
- Likely to achieve its objectives?
- Resilient enough to learn and adapt?
- Judiciously managing the risks it faces?
- Appropriately recognising opportunities and acting upon them?
Why has IT not been addressed:
- requires more technical insight
- treated as separate entity
- IT is complex
IT Balanced Scorecard
[Diagram: four perspectives]
FINANCIAL: # of IT customers; Cost per IT customer; Cost-efficiency of IT processes up; Delivery of IT value per employee
CUSTOMER: Availability of systems & services; Level of service delivery up; Satisfaction of existing customers; # of new customers reached; # of new service delivery channels
PROCESS: Developments on schedule & budget; Throughput & response times; Amount of errors/rework
INFORMATION LEARNING: Staff productivity & morale; # of staff trained in new techno/services; Value delivery per employee up; Increased availability of knowledge systems
IT Balanced Scorecard
Objectives:
- Demonstrate the value added by the IT Organization
- Determine the effectiveness of the IT Organization
- Set guidelines for the IT Strategic plan
- Communicate and motivate about IT performance
- Establish IT Management reporting
Key result: The most effective means to achieve IT and Business alignment
Critical success factor: Approval of the IT Scorecard by key stakeholders
Information Governance Framework
[Diagram: a loop of Set Objectives -> Provide Direction -> IT Activities -> Measure Performance -> Compare]
Set Objectives:
- IT is aligned with the business, enables the business and maximises benefits
- IT resources are used responsibly
- IT related risks are managed appropriately
IT Activities:
- Increase automation (make the business effective)
- Decrease cost (make the enterprise efficient)
- Manage risks (security, reliability and compliance)
Information Governance Toolkit
[Diagram: matrix of Activities (WHO, HOW) against Subjects of attention (IT & Business Objectives; Best Practices; Critical Success Factors; Core IT competencies; Business/Technology Developments; Measurement Results; Measurement Performance), each cell marked with the applicable focus areas below]
V = IT Value Delivery, A = IT Strategic Alignment, R = Risk Management, P = Performance Measurement
Information Governance Lifecycle
[Diagram: ENVIRONMENT (Ethics & Culture; Laws & Regulations; Mission & Vision; Role Models; Industry Practices; ...) around a lifecycle whose outcomes are: Reputation for trust & reliability; Increased market share; Competitive advantage; Increased revenues & reduced costs; Improved service delivery; Legal & Regulatory Compliance]
Information Governance
Thank you! Any Questions?
Vernon Poole
IT Governance Institute
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
+1.847.253.1545
info@isaca.org
www.isaca.org
www.ITgovernance.org