Learning Objectives

IT Governance:
1. IT Audit role
2. Information System Strategy
3. Policies and Procedures
4. Risk Management
5. IS Management Practices
IT Audit Role

- To provide leading practice recommendations to senior management to help improve the quality and effectiveness of IT governance
- Ensure compliance with IT governance initiatives implemented within an organization
- Ensure a qualitative assessment that subsequently facilitates qualitative improvement

Areas the IS auditor reviews:
- Alignment of the IS function with the organization's mission, vision, values, objectives and strategies
- Achievement of performance objectives established by the business (e.g., effectiveness and efficiency) by the IS function
- Legal, environmental, information quality, fiduciary, security and privacy requirements
- The control environment of the organization
- The inherent risks within the IS environment
Information System Strategy

- Long-term direction an organization wants to take in leveraging information technology for improving its business processes
- Identifying cost-effective IT solutions in addressing problems and opportunities that confront the organization
- Developing action plans for identifying and acquiring needed resources
- Ensuring that the plans are fully aligned and consistent

- Determine whether expansion or improvement is required, not just the delivery of new systems and technology
- Returns being achieved from investment
- Spending on existing IT systems, infrastructure and support services accounts for 85 percent or more of total annual IT spending
- To support the business strategies
IS Steering Committee

- Review the long- and short-range plans of the IS department to ensure that they are in accordance with the corporate objectives.
- Review and approve major acquisitions of hardware and software within the limits approved by the board of directors.
- Approve and monitor major projects and the status of IS plans and budgets, establish priorities, approve standards and procedures, and monitor overall IS performance.
- Review and approve sourcing strategies for selected or all IS activities.
- Review adequacy of resources and allocation of resources in terms of time, personnel and equipment.
- Make decisions regarding centralization vs. decentralization and assignment of responsibility.
- Support development and implementation of an enterprisewide information security management program.
- Report to the board of directors on IS activities.
Policies

- High-level documents
- Express the corporate philosophy of an organization and the strategic thinking of senior management and business process owners
- Clear and concise
- Set the tone for the organization as a whole
- Top-down and bottom-up approach
- Should review all policies periodically
- Need to be updated
- Must support achievement of business objectives and implementation of IS controls
- Must be responsive to the needs of the customers
- Policies are a part of the audit process
- Test the policies for compliance
Information Security Policy

- Communicates a coherent security standard to users, management and technical staff
- The security policy must be approved by senior management, and should be documented and communicated
- The adequacy and appropriateness of the security policy could also be an area of review for the IS auditor
- Provides management direction

The policy document should contain:
- A definition of information security
- A statement of management intent, goals and principles
- A framework for setting control objectives and controls, risk assessment and risk management
- Security policies
- General and specific responsibilities for information security management, including reporting information security incidents
- References to documentation

Addressing:
- Statements on confidentiality, integrity and availability
- Classifications and levels of control
- Information resources
- Parameters and usage of desktops
- Defining and granting access to users to various IT resources
Review of the Information Security Policy

Input:
- Feedback from interested parties
- Results of independent reviews
- Status of preventive, detective and corrective actions
- Results of previous management reviews
- Process performance and information security policy compliance
- Changes that could affect the organization's approach to managing information security, including changes to the organizational environment; business circumstances; resource availability; contractual, regulatory and legal conditions; or technical environment
- Use or consideration of outsourcing or offshoring of IT or business functions
- Trends related to threats and vulnerabilities
- Reported information security incidents
- Recommendations provided by relevant authorities

Output:
- Improvement of the organization's approach to managing information security and its processes
- Improvement of control objectives and controls
- Improvement in the allocation of resources
Procedures
Risk Management - Definition

The process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives and deciding what countermeasures (safeguards or controls), if any, to take in reducing risk to an acceptable level (i.e., residual risk), based on the value of the information resource to the organization.
Options for responding to risk:
- Avoid: e.g., where feasible, choose not to implement certain activities or processes that would incur risk (i.e., eliminate the risk by eliminating the cause)
- Mitigate: e.g., lessen the probability or impact of the risk by defining, implementing and monitoring appropriate controls
- Transfer (deflect, or allocate): e.g., share risk with partners or transfer via insurance coverage, contractual agreement or other means
- Accept: i.e., formally acknowledge the existence of the risk and monitor it
- Establish the purpose of the risk management program
- Assign responsibility for the risk management plan
The identification and classification of information resources or assets that need protection, such as:
- Information and data
- Hardware
- Software
- Services
- Documents
- Personnel

Then assess the threats and vulnerabilities associated with each information resource and the likelihood of their occurrence.
Vulnerabilities
- Lack of user knowledge
- Lack of security functionality
- Poor choice of passwords
- Untested technology
- Transmission of unprotected communications

Threats
- Errors
- Malicious damage/attack
- Fraud
- Theft
- Equipment/software failure

Losses
- Direct loss of money (cash or credit)
- Breach of legislation
- Loss of reputation/goodwill
- Endangering of staff or customers
- Breach of confidence
- Loss of business opportunity
- Reduction in operational efficiency/performance
- Interruption of business activity
IS Management Practices
Sourcing Practices

Delivery of IS functions can be insourced, outsourced or hybrid.

Considerations for the method of delivering an IS function:
- Is this a core function for the organization?
- Does this function have specific knowledge, processes and staff critical to meeting its goals and objectives, that cannot be replicated externally or in another location?
- Can this function be performed by another party or in another location for the same or lower price, with the same or higher quality, and without increasing risk?
- Does the organization have experience managing third parties or using remote/offshore locations to execute IS or business functions?
Reasons for embarking on outsourcing include:
- A desire to focus on core activities
- Pressure on profit margins
- Increasing competition that demands cost savings
- Flexibility with respect to both organization and structure

The services provided by a third party can include:
- Data entry
- Design and development of new systems
- Maintenance of existing applications
- Conversion of legacy applications to new platforms
- Operating the help desk or the call center
- Operations processing