
2008 CISA Chapter: I.T. Governance (handout notes)


CORPORATE GOVERNANCE
The degree to which corporations observe basic principles of good corporate governance is an increasingly
important factor for investment decisions.
There is no single model of good corporate governance. The OECD Principles of Corporate Governance
were endorsed by OECD Ministers in 1999 and have since become an international benchmark for policy
makers, investors, corporations and other stakeholders worldwide. They have advanced the corporate
governance agenda and provided specific guidance for legislative and regulatory initiatives.
The Organisation for Economic Co-operation and Development (OECD) has identified some common
elements that underlie good corporate governance. The OECD Principles build on these common elements
and are formulated to embrace the different models that exist. For example, they do not advocate any
particular board structure and the term board as used in this document is meant to embrace the different
national models of board structures found in OECD and non-OECD countries.
Sample excerpts from the OECD principles of good corporate governance:
VI. The Responsibilities of the Board
The corporate governance framework should ensure the strategic guidance of the company, the effective
monitoring of management by the board, and the board's accountability to the company and the
shareholders.
A. Board members should act on a fully informed basis, in good faith, with due
diligence and care, and in the best interest of the company and the shareholders.
B. Where board decisions may affect different shareholder groups differently, the
board should treat all shareholders fairly.
C. The board should apply high ethical standards. It should take into account the
interests of stakeholders.
D. The board should fulfill certain key functions, including:
1. Reviewing and guiding corporate strategy, major plans of action, risk policy,
annual budgets and business plans; setting performance objectives; monitoring
implementation and corporate performance; and overseeing major capital
expenditures, acquisitions and divestitures.
2. Monitoring the effectiveness of the company's governance practices and
making changes as needed.
3. Selecting, compensating, monitoring and, when necessary, replacing key
executives and overseeing succession planning.
4. Aligning key executive and board remuneration with the longer term interests of
the company and its shareholders.
5. Ensuring a formal and transparent board nomination and election process.
6. Monitoring and managing potential conflicts of interest of management, board
members and shareholders, including misuse of corporate assets and abuse in
related party transactions.
and so on.
I.T. GOVERNANCE
Information technology governance, or IT governance, is a subset discipline of Corporate governance
focused on information technology systems and their performance and risk management. The rising interest
in IT governance is partly due to compliance initiatives (e.g. Sarbanes-Oxley (USA) and Basel II (Europe)),
as well as the acknowledgement that IT projects can easily get out of control and profoundly affect the
performance of an organization.
A characteristic theme of IT governance discussions is that IT projects can no longer be a black box.
Traditionally, board-level executives, having limited technical experience and facing considerable project
complexity, deferred key decisions to IT professionals. With IT governance, however, all stakeholders,
including the board, internal customers and related areas such as finance, are required to participate in the
decision-making process. This also prevents users from later complaining that the system does not behave
or perform as expected.
prepared by: Jose Sabater

Information security governance: Within IT governance, information security governance should become
a focused activity with specific value drivers. As a result of global networking and extending the enterprise
beyond its traditional boundaries, security is emerging as a significant governance issue. Hence, information
security should become an important and integral part of IT governance.
Information security governance is also the responsibility of the board of directors and senior executives. It
must be an integral and transparent part of enterprise governance and be aligned with the IT governance
framework.
The five basic outcomes of information security governance should include:
1. Strategic alignment of information security with business strategy to support organisational objectives
2. Risk management by executing appropriate measures to manage and mitigate risks and reduce potential
impacts on information resources to an acceptable level
3. Resource management by utilising information security knowledge and infrastructure efficiently and
effectively
4. Performance measurement by measuring, monitoring and reporting information security governance
metrics to ensure that organizational objectives are achieved
5. Value delivery by optimising information security investments in support of organisational objectives
ZACHMAN ENTERPRISE ARCHITECTURE
The Zachman Framework is a framework for Enterprise Architecture which provides a formal and highly
structured way of defining an enterprise's systems architecture. It uses a grid model based around 6 basic
questions (What, How, Where, Who, When, and Why) asked of 5 nominated stakeholder groups (Planner,
Owner, Designer, Builder and Subcontractor) to give a holistic view of the enterprise that is being
modelled.
Often used as part of a systems architecture or enterprise-level technology review exercise, it is popular
within IT architecture departments but has little hold in either the developer or user communities. The
enterprise architecture can form an input to a firm's software architecture.
The strong point is the complete coverage gained by touching each of the cells on the matrix. The weak
point is that this approach generates a lot of documentation, due to its completeness, which can be difficult
to digest and is sometimes of questionable utility.
FEDERAL ENTERPRISE ARCHITECTURE
The FEA provides a common methodology for information technology (IT) acquisition in the United States
federal government. It is designed to ease sharing of information and resources across federal agencies,
reduce costs, and improve citizen services. The FEA is currently a collection of reference models that
develop a common taxonomy for describing IT resources.

The FEA has a hierarchy of five reference models:

Performance reference model - A framework to measure the performance of major IT investments
and their contribution to program performance (example measurement areas: mission & business
results, customer results)
Business reference model - A function-driven framework that describes the functions and
subfunctions performed by the government, independent of the agencies that actually perform them
(example measurement area: mode of delivery)
Service component reference model - A functional framework that classifies the service components
that support business and performance objectives (example measurement areas: back office
services, customer services)
Technical reference model - A framework that describes how technology supports the delivery,
exchange and construction of service components (example measurement area: service platform)
Data reference model - While still being developed, this will describe the data and information that
support program and business line operations (example measurement area: data classification)

STRATEGIC PLANNING

Defined as the long-term direction an organization wants to take in leveraging information technology
for improving its business processes.
Responsibility of top management; key roles in development and implementation are performed by
IS department management and the IS steering committee.
An IT governance objective is that IT strategic plans synchronize with the overall business strategy.

STEERING COMMITTEE

Should include representatives from senior management, user management and the IS department.
Duties and responsibilities should be defined in a formal charter.
Primary functions include:
o Review long- and short-range IS plans
o Review and approve (in accordance with limits) major HW / SW acquisitions
o Approve and monitor major projects and status of IS plans and budgets
o Establish priorities, approve standards & procedures, monitor IS performance
o Review and approve plans for outsourcing
o Review adequacy and allocation of resources (time, personnel, equipment)
o Make decisions on centralization vs decentralization; assignment of responsibility
o Support implementation of enterprise-wide information security program
o Report to the BOD on IS activities

POLICIES & PROCEDURES

Policies are high-level documents which represent the corporate philosophy.
Can be high-level (corporate-level) policies or lower-level policies (division or department).
The IS auditor should understand policies and should test these for compliance.
Procedures document business processes and the controls embedded therein.

RISK MANAGEMENT
Generally, Risk Management is the process of measuring, or assessing risk and developing strategies to
manage it. Strategies include transferring the risk to another party, avoiding the risk, reducing the negative
effect of the risk, and accepting some or all of the consequences of a particular risk. Traditional risk
management focuses on risks stemming from physical or legal causes (e.g. natural disasters or fires,
accidents, death, and lawsuits). Financial risk management, on the other hand, focuses on risks that can be
managed using traded financial instruments. Regardless of the type of risk management, all large
corporations have risk management teams and small groups and corporations practice informal, if not
formal, risk management.
In ideal risk management, a prioritization process is followed whereby the risks with the greatest loss and the
greatest probability of occurring are handled first, and risks with lower probability of occurrence and lower
loss are handled later. In practice the process can be very difficult, and balancing between risks with a high
probability of occurrence but lower loss vs. a risk with high loss but lower probability of occurrence can often
be mishandled.
Once risks have been identified and assessed, all techniques to manage the risk fall into one or more of
these four major categories:

Mitigate, e.g., acquire and deploy security technology to protect the IT infrastructure
Transfer, e.g., share risk with partners or transfer to insurance coverage
Accept, i.e., formally acknowledge the existence of the risk and monitor it
Avoid, i.e., not performing an activity that could carry risk, e.g. not buying a property or business in
order to not take on the liability that comes with it. Avoidance may seem the answer to all risks, but
avoiding risks also means losing out on the potential gain that accepting (retaining) the risk may
have allowed.
In Enterprise Risk Management, a risk is defined as a possible event or circumstance that can have negative
influences on the Enterprise in question. Its impact can be on the very existence, the resources (human and
capital), the products and services, or the customers of the Enterprise, as well as external impacts on
Society, Markets or the Environment.
PERSONNEL MANAGEMENT PRACTICES

Hiring Control Practices
o Background checks
o Confidentiality agreements
o Employee bonding (not always accepted practice all over the world)
o Conflict of interest agreement
o Non-compete agreements
Employee handbooks distributed to all employees upon hire (e.g. to explain benefits, security policies
and procedures; disciplinary actions); there should be a published code of conduct.
Promotion policies should be fair (objective) and understood by employees;
Regular and relevant training should include management training, project management and technical
training. Training must also be provided when new HW/SW is being implemented.
Cross training is having more than one individual trained for a specific job or procedure.
Required vacations (minimum once a year) ensure that someone other than the regular employee will
perform a job function. Job rotation provides an additional control.
Termination Policies provide adequate protection for computer assets and data. Control procedures
that should be applied:
o Return of all access keys and ID cards to prevent easy physical access
o Deletion/revocation of assigned logon IDs to prohibit system access
o Notify staff and security personnel regarding the employee to be terminated
o Final pay routines and removal from active payroll files
o Perform a termination interview to gather insight on the employee's perception
o Return of all company property

OUTSOURCING PRACTICES

Outsourcing is defined as contractual agreements under which an organization hands over control of part,
or all, of the functions of the IS department to an external party.
Reasons for outsourcing include a desire to focus on core activities, pressure on profit margins,
increasing competition that demands cost savings, and flexibility in organization/structure.
Services provided by external (third) party can include:
o Data entry
o Design and develop new systems
o Maintenance of existing applications
o Conversion of legacy applications to new platforms
o Operating the help desk or the call center
o Operations processing
Possible advantages of outsourcing:
o Outsourcing companies can achieve economies of scale.
o Outsourcing vendors devote more time and focus than in-house staff
o Outsourcing vendors likely have more experience in problems, issues and techniques
Possible disadvantages of outsourcing include:
o Loss of internal IS experience; loss of control over IS
o Limited product access
o Difficulty in reversing or changing outsourced arrangements
o Costs exceeding customer expectations
o Vendor failure
Audit and Security concerns of outsourcing:
o Contract adequately protects the company
o Right to audit vendor operations
o Continued service in the event of a disaster
o Integrity, confidentiality and availability of company-owned data
o Vendor controlled for access control/security, violation reporting & follow up, change control
and testing, network controls, and capacity management.

OTHER I.S. MANAGEMENT PRACTICES

Capacity and growth planning - essential due to technology changes; should reflect long- and short-term plans.
User satisfaction - users and IT should agree on a level of service (e.g. system availability).
Industry standards/benchmarking - can be obtained from user groups, industry publications and
professional associations.
Change management - a defined and documented process exists to manage IT changes.

FINANCIAL MANAGEMENT PRACTICES

A user-pays scheme (a form of charge-back) can improve monitoring of IS expenses and resources. The
cost of services (time, computer, others) is charged to end users based on a formula.
IS management, like all other departments, must develop a budget.

QUALITY MANAGEMENT

The latest ISO standard is ISO 9001:2000 Quality Management Systems, which replaces ISO 9000, 9001, 9002 and 9003.
A company still using the previous 1994 versions needs to update. A key practice is to perform a gap analysis
against the requirements in the latest standard, then to fill the gaps to comply.
Transition to the new standard must be completed by December 15, 2003.
Software Capability Maturity Model (CMM) is a maturity model or methodology developed by the
Software Engineering Institute at Carnegie Mellon University.

OTHER I.S. MANAGEMENT PRACTICES

Information Security Management - a major component is the application of risk management
principles to assess the risks to IT assets, mitigate these risks (for example, development of a disaster
recovery plan) and monitor the residual risks.
Caveats of performance measurement include: (a) model, (b) measurement error, (c) lags, (d)
redistribution, (e) mismanagement.
The general uses of performance measures are: (1) measure products/services, (2) manage products/
services, (3) assure accountability, (4) make budget decisions, (5) optimize performance
COBIT Management Guidelines is primarily designed to meet the needs of IT management for
performance measurement. For each of the 34 IT processes, it provides critical success factors (CSF),
key goal indicators (KGI) and maturity models.

I.S. ROLES AND RESPONSIBILITIES

The IS auditor should spend time to observe and determine whether the job descriptions and structures
are adequate. Generally, the following IS functions should be reviewed:
Systems development manager - responsible for programmers and analysts.
Help desk / support administration includes the following activities, among others:
o Acquisition of hardware/software (HW/SW) on behalf of end users
o Assisting end users with HW/SW difficulties
o Training users to use HW/SW and databases
o Answering end-user queries
Operations: An operations manager is responsible for computer operations personnel. This includes all
the staff required to run the computer information processing facility (IPF) efficiently and effectively (e.g.,
computer operators, librarians, schedulers and data control personnel). The IPF includes the computer,
peripherals, magnetic media and the data stored on the media.

The control group is responsible for the collection, conversion and control of input and the balancing
and distribution of output to the user community. It usually reports to the IPF operations manager and is
located in a separate area where only authorized personnel are permitted, as it handles sensitive data.
Librarian: The librarian is required to record, issue, receive and safeguard all program and data files
that are maintained on computer tapes and/or disks by an IPF. Depending upon the size of the
organization, the librarian may be a full-time individual or a member of the data control section who also
performs this function. It is an integral part of the overall operations of the IPF.
Data Entry can take the form of batch entry or online entry.
Systems administrator is responsible for maintaining major multi-user computer systems, including
local area networks (LANs). Typical duties include:
o Adding and configuring new workstations
o Setting up user accounts
o Installing system wide software
o Performing procedures to prevent/detect/correct the spread of viruses
o Allocating mass storage space

Security administration begins with management's commitment. Management must understand and
evaluate security risks, and develop and enforce a written policy that clearly states the standards and
procedures to be followed. The duties of the security administrator should be defined in the policy. To
provide adequate segregation of duties, this individual should be a full-time employee who reports
directly to the director of the IPF.

Quality assurance personnel usually perform two distinct tasks:
Quality assurance (QA) - Helps the IS department to ensure that the personnel are following
prescribed quality processes. For example, QA will help to ensure that programs and documentation
adhere to the standards and naming conventions.
Quality control (QC) - Responsible for conducting tests or reviews to verify and ensure that the
software is free from defects and meets user expectations. This could be done at various stages of
application development, but it must be done before the programs are moved into production.

Database administrator (DBA), as custodian of an organization's data, defines and maintains the data
structures in the corporate database system. The DBA must understand the organization's data and the
users' data relationship (structure) requirements. This position is responsible for the security of the shared
data stored on database systems, and also for the actual design, definition and proper maintenance of
the corporate databases. The DBA usually reports directly to the director of the IPF.

Systems Analysis / Analysts are specialists who design systems based on the needs of the user; usually involved during the initial
phase of the systems development life cycle (SDLC). They interpret the needs of the user and develop
requirements and functional specifications, as well as high-level design documents. These documents
enable programmers to create the particular application.
Security Architect evaluates security technologies; designs perimeter, access control, identity
management and other systems; and establishes security policies and security requirements. One may
argue that systems analysts perform the same role; however, the set of skills required is quite different,
and sample deliverables are program specifications vs. policies and architecture diagrams.
Applications Programmers are responsible for developing new systems and for maintaining systems in production. They develop
the programs that will ultimately run in a production environment and therefore, must not have access to
production programs. They should work in a test-only environment and should turn over their work to
another group to move programs into the production environment.

Systems Programmers are responsible for maintaining the systems software including the operating system. This function may
require them to have unrestricted access to the entire system. IS management must closely monitor
their activities by requiring that they keep logs of their work and only have access to the system libraries
of the specific software that they maintain.

Network Management / Administrators are responsible for key components of the infrastructure
(routers, firewalls, network segmentation, performance management, remote access). Because of
geographical dispersion, each network (e.g. LAN) may need an administrator. In smaller installations,
this person may also be responsible for security administration.

SEGREGATION OF DUTIES

Transaction Authorization - is the responsibility of the user department.

Custody of Assets - custody of corporate assets must be determined and assigned appropriately. The
data owner usually is assigned to a particular user department and has responsibility for determining
authorization levels required to provide adequate security, while the administration group is often
responsible for implementing and enforcing the security system.
Access to Data - controls over access to data are provided by a combination of physical, system and application security.
Access controls are based on organizational policy and on two generally accepted standards of practice:
segregation of duties and least privilege. Policies also establish levels of sensitivity such as top secret,
secret, confidential, and unclassified for data and other resources.
Authorization Forms - user department managers must provide IS with approved authorization forms (hard copy or electronic)
that define the access rights of their employees. Access privileges should be reviewed periodically to
ensure that they are current and appropriate to the user's job functions.
User Authorization Tables - the IS department should use the data from the authorization forms to
build and maintain user authorization tables to define who is authorized to update, modify, delete and/or
view data. These privileges are provided at the system, transaction or field level. In effect, these are user
access control lists. These authorization tables must be secured against unauthorized access by
additional password protection or data encryption. A control log should record all user activity, and
appropriate management should review this log. All exception items should be investigated.
Compensating Controls for Lack of Segregation of Duties.
In a small business where the IS department may only consist of four to five people, compensating
control measures must exist to mitigate the risk resulting from a lack of duty segregation. Compensating
controls would include:
o Audit trails
o Reconciliation (responsibility of the user)
o Exception reporting
o Transaction logs (either manual or automated)
o Supervisory reviews
o Independent reviews
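The user authorization tables, control log and exception items described above, together with the audit-trail and exception-reporting compensating controls, worked through as an added Python example (not from the handout): a grant is resolved at field, transaction or system level with default deny, every decision is logged, denied attempts are pulled out as exception items for management review, and a periodic review flags privileges still held by users who are no longer active (the termination-policy revocation step). The users, resource paths and grants are constructed, and the most-specific-scope-wins resolution rule is an assumption of the example.

```python
"""Added example, not from the CISA handout: a user authorization table resolved
at field, transaction or system level, a control log of every access decision,
an exception report, and a review for grants held by inactive users.
All users, resources and grants below are constructed sample data."""
from typing import Dict, List, Set, Tuple

PRIVILEGES = {"view", "update", "modify", "delete"}
LEVEL_NAMES = {1: "system", 2: "transaction", 3: "field"}   # by path depth

# (level, resource) -> user -> granted privileges. An empty set is an explicit
# deny at that level; a user absent from an entry is decided by the next wider
# level; a user absent everywhere is denied (least privilege, default deny).
AuthTable = Dict[Tuple[str, str], Dict[str, Set[str]]]
LogEntry = Tuple[str, str, str, str]   # user, resource, privilege, decision


def scope_chain(resource: str) -> List[Tuple[str, str]]:
    """Most specific scope first: 'payroll/run/salary' -> field, transaction, system."""
    parts = resource.split("/")
    if not 1 <= len(parts) <= 3 or "" in parts:
        raise ValueError(f"resource needs 1 to 3 path segments: {resource!r}")
    return [(LEVEL_NAMES[n], "/".join(parts[:n])) for n in range(len(parts), 0, -1)]


class AccessControl:
    def __init__(self, table: AuthTable) -> None:
        for grants in table.values():            # reject privileges the forms do not define
            for user, privs in grants.items():
                if privs - PRIVILEGES:
                    raise ValueError(f"unknown privilege {privs - PRIVILEGES} for {user}")
        self.table = table
        self.control_log: List[LogEntry] = []   # every decision, allowed or denied

    def check(self, user: str, resource: str, privilege: str) -> bool:
        decision = False                         # default deny
        for key in scope_chain(resource):
            grants = self.table.get(key, {})
            if user in grants:                   # most specific explicit entry wins
                decision = privilege in grants[user]
                break
        self.control_log.append((user, resource, privilege,
                                 "allowed" if decision else "denied"))
        return decision

    def exception_report(self) -> List[LogEntry]:
        """Exception items for management review: every denied attempt in the log."""
        return [entry for entry in self.control_log if entry[3] == "denied"]

    def stale_grants(self, active_users: Set[str]) -> List[Tuple[str, str, str]]:
        """Periodic review: grants held by users not on the active roster."""
        return sorted((level, res, user) for (level, res), grants in self.table.items()
                      for user in grants if user not in active_users)


# Constructed sample table, as IS would build it from approved authorization forms.
SAMPLE_TABLE: AuthTable = {
    ("system", "payroll"): {"alice": {"view", "update"}, "bob": {"view"}, "carol": {"view"}},
    ("transaction", "payroll/run"): {"alice": {"update"}, "bob": set()},  # bob: no payroll runs
    ("field", "payroll/run/salary"): {"alice": {"view"}},   # alice may see, not change, salary
}


def demo() -> AccessControl:
    ac = AccessControl(SAMPLE_TABLE)
    ac.check("alice", "payroll/run/salary", "view")     # allowed by the field entry
    ac.check("alice", "payroll/run/salary", "update")   # denied: field entry overrides wider grant
    ac.check("bob", "payroll", "view")                  # allowed at system level
    ac.check("bob", "payroll/run/salary", "view")       # denied: explicit empty grant on the run
    ac.check("dave", "payroll", "view")                 # denied: no authorization form covers dave
    return ac


if __name__ == "__main__":
    ac = demo()
    for entry in ac.exception_report():
        print("EXCEPTION", *entry)
    print("stale grants:", ac.stale_grants({"alice", "bob"}))
```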

Project Management Structure
o Should include appropriate resources: IS staff and other staff from user departments
o IS auditors may be included as control advocates and experts
