
IT Governance
Information Security Governance

Acknowledgments
Material is sourced from:
CISA Review Manual 2011, 2010, ISACA. All rights reserved.
Used by permission.
CISM Review Manual 2012, 2011, ISACA. All rights reserved.
Used by permission.
Author: Susan J Lincke, PhD
Univ. of Wisconsin-Parkside
Reviewers/Contributors: Todd Burri, Kahili Cheng
Funded by National Science Foundation (NSF) Course, Curriculum and
Laboratory Improvement (CCLI) grant 0837574: Information
Security: Audit, Case Study, and Service Learning.
Any opinions, findings, and conclusions or recommendations
expressed in this material are those of the author(s) and/or
source(s) and do not necessarily reflect the views of the National
Science Foundation.

Objectives
Students should be able to:
Describe IT governance committees: IT strategy committee, IT steering committee, security steering committee
Describe mission, strategic plan, tactical plan, operational plan
Define quality terms: quality assurance, quality control
Describe security organization members: CISO, CIO, CSO, Board of Directors, Executive Management, Security Architect, Security Administrator
Define policy, compliance, IT Balanced Scorecard, measure, ISO 9001, enterprise architecture
Define sourcing practices: insource, outsource, hybrid, onsite, offshore
Define policy documents: data classification, acceptable usage policy, access control policies

Corporate Governance
Corporate Governance: leadership by corporate directors in creating and presenting value for all stakeholders
IT Governance: ensures the alignment of IT with enterprise objectives
Responsibility of the board of directors and executive management

IT Governance Objectives
IT delivers value to the business
IT risk is managed
Processes include:
Equip IS functionality and address risk
Measure performance of delivering value to the business
Comply with legal and regulatory requirements

IT Governance Committees
IT Strategy Committee (members: board members & specialists)
Focuses on direction and strategy
Advises the board on IT strategy and alignment
Optimization of IT costs and risk
IT Steering Committee (members: business executives (IT users), CIO, key advisors from IT, legal, audit, finance)
Focuses on implementation
Monitors current projects
Decides IT spending

IT Strategy Committee
Main Concerns
Alignment of IT with the business
Contribution of IT to the business
Exposure and containment of IT risk
Optimization of IT costs
Achievement of strategic IT objectives

IT Steering Committee
Main Concerns
Decides whether IT is centralized or decentralized, and assigns responsibility
Makes recommendations for strategic plans
Approves the IT architecture
Reviews and approves IT plans, budgets, priorities & milestones
Monitors major project plans and delivery performance

Strategic Planning Process
Strategic: long-term (3-5 year) direction; considers organizational goals and regulation (and, for IT, technical advances)
Tactical: 1-year plan that moves the organization toward the strategic goal
Operational: detailed or technical plans
(Figure: Strategic, then Tactical, then Operational, each level derived from the one above)

Security Strategic Planning
(Figure: security activities placed at each planning level)
Strategic: risk management, laws, governance, policy, organizational security
Tactical: data classification, audit, risk analysis, business continuity, metrics development
Operational: incident response, physical security, network security, policy compliance, metrics use

Strategic Planning
Strategy: achieve COBIT maturity level 4
Tactical: during the next 12 months:
Each business unit must identify current applications in use
25% of all stored data must be reviewed to identify critical resources
Business units must achieve regulatory compliance
A comprehensive risk assessment must be performed for each business unit
All users must undergo general security training
Standards must exist for all policies

Standard IT Balanced Scorecard
Establishes a mechanism for reporting IT strategic aims and progress to the board
(Figure: Mission leads to Strategies, which lead to Measures)
Mission = direction, e.g.: serve the business efficiently and effectively
Strategies = objectives, e.g.: quality through availability; process maturity
Measures = statistics, e.g.: customer satisfaction; operational efficiency

IT Balanced Scorecard
Four perspectives; for each, the scorecard records a vision, metrics and performance:
Financial Goals: How should we appear to stockholders? Vision / Metrics / Performance
Customer Goals: How should we appear to our customers? Vision / Metrics / Performance
Internal Business Process: What business processes should we excel at? Vision / Metrics / Performance
Learning and Growth Goals: How will we improve internally? Vision / Metrics / Performance

Case Study: IT Governance
Strategic Plan (objective: time frame)
Incorporate the business: 5 yrs
Pass a professional audit: 4 yrs
Tactical Plan (objective: time frame)
Perform strategic-level security: 1 yr, which includes:
  Perform risk analysis: 6 mos.
  Perform BIA: 1 yr
  Define policies: 1 yr
Case Study: IT Governance
Operational Planning (objective and time frame: responsibility)
Hire an internal auditor and security professional; 2 months, by March 1: VP Finance
Establish security team of business, IT, personnel; 1 month, by Feb. 1: VP Finance & Chief Information Officer (CIO)
Team initiates risk analysis and prepares initial report; 3 months, by April 1: CIO & Security Team

Enterprise Architecture
Constructing IT is similar to constructing a building
It must be designed and implemented at various levels:
Technical (hardware, software)
IT procedures & operations
Business procedures & operations
(Figure, CISA Exhibit 2.5: enterprise architecture grid)
Rows (levels of detail): Scope; Enterprise Model; Systems Model; Tech Model; Detailed Representation (Tech)
Columns (aspects): Data; Functional (Applic.); Network; People (Org.); Process (Flow); Strategy

Sourcing Practices
Insourced: performed entirely by the organization's own staff
Outsourced: performed entirely by a vendor's staff
Hybrid: partly insourced and partly outsourced
Onsite: performed at the IS department's site
Offsite or nearshore: performed away from the IS department but in the same geographical area
Offshore: performed in a different geographical region
What advantages can you think of for insourcing versus outsourcing?

Quality with ISO 9001
ISO 9001: standard for quality management systems. Recommendations include:
Quality Manual: documented procedures
HR: documented standards for personnel hiring, training, evaluation
Purchasing: documented standards for vendors: equipment & services
Gap Analysis: the difference between where you are and where you want to be

Quality Definitions
Quality Assurance: Ensures that staff are
following defined quality processes: e.g.,
following standards in design, coding,
testing, configuration management
Quality Control: Conducts tests to validate
that software is free from defects and
meets user expectations

Performance Optimization
Phases of Performance Measurement include:
Establish and update performance metrics
Establish accountability for performance
measures
Gather and analyze performance data
Report and use performance results
Note: Strategic direction for how to achieve
performance improvements is necessary

Categories of Performance
Measures
Performance Measurement: What are
indicators of good IT performance?
IT Control Profile: How can we measure the
effectiveness of our controls?
Risk Awareness: What are the risks of not
achieving our objectives?
Benchmarking: How do we perform relative to
others and standards?

IS Auditor & IT Governance
Is the IS function aligned with the organization's mission, vision, values, objectives and strategies?
Does IS achieve the performance objectives established by the business?
Does IS comply with legal, fiduciary, environmental, privacy, security, and quality requirements?
Are IS risks managed efficiently and effectively?
Are IS controls effective and efficient?

Audit: Recognizing Problems

End-user complaints
Excessive costs or budget overruns
Late projects
Poor motivation, high staff turnover
High volume of H/W or S/W defects
Inexperienced staff, lack of training
Unsupported or unauthorized H/W or S/W purchases
Numerous aborted or suspended development projects
Reliance on one or two key personnel
Poor computer response time
Extensive exception reports, many not tracked to completion

Audit: Review Documentation
IT strategies, plans, budgets
Security policy documentation
Organization charts & job descriptions
Steering committee reports
System development and program change procedures
Operations procedures
HR manuals
QA procedures
Contract standards and commitments: bidding, selection, acceptance, maintenance, compliance

Question
The MOST important function of the IT department is:
1. Cost-effective implementation of IS functions
2. Alignment with business objectives
3. 24/7 availability
4. Process improvement

Question
Product testing is most closely associated with which department:
1. Audit
2. Quality Assurance
3. Quality Control
4. Compliance

Question
"Implement a virtual private network in the next year" is a goal at the level:
1. Strategic
2. Operational
3. Tactical
4. Mission

Question
Which of the following is not a valid purpose of the IS
Audit?
1. Ensure IS strategic plan matches the intent of the
enterprise strategic plan
2. Ensure that IS has developed documented processes
for software acquisition and/or development
(depending on IS functions)
3. Verify that contracts followed a documented process
that ensures no conflicts of interest
4. Investigate program code for backdoors, logic bombs,
or Trojan horses

Question
Documentation that would not be viewed
by the IT Strategy Committee would be:
1. IT Project Plans
2. Risk Analysis & Business Impact Analysis
3. IT Balanced Scorecard
4. IT Policies

Information Security Governance
Governance, Policy, Risk

Information Security Importance
Organizations are dependent upon and driven by information:
Software = information on how to process
Data, graphics retained in files
Information & computer crime has escalated
Therefore information security must be addressed and supported at the highest levels of the organization

Security Organization
(Figure, CISA Exhibit 2.4)
Board of Directors: defines security objectives and institutes the security organization
Executive Management: reviews risk assessment & business impact analysis; defines penalties for non-compliance with policies
Security Steering Committee: senior representatives of business functions; ensures alignment of the security program with business objectives
Other positions: Chief Risk Officer (CRO), Chief Compliance Officer (CCO), Chief Information Security Officer (CISO)

Security Governance
Strategic Alignment: security solution consistent with organization goals and culture
Risk Management: understand threats and cost-effectively control risk
Value Delivery: prioritized and delivered for greatest business benefit
Performance Measurement: metrics, independent assurance
Resource Management: security architecture development & documentation
Process Integration: security is integrated into a well-functioning organization

Executive Mgmt Info Security Concerns
Reduce civil and legal liability related to privacy
Provide policy and standards leadership
Control risk to acceptable levels
Optimize limited security resources
Base decisions on accurate information
Allocate responsibility for safeguarding information
Increase trust and improve reputation outside the organization

Legal Issues
International trade and employment may be subject to regulations different from those in the U.S., affecting:
Hiring
Internet business
Trans-border data flows
Cryptography
Copyright, patents, trade secrets
Industry may be liable under legislation:
SOX: Sarbanes-Oxley: publicly traded corporations
FISMA: Federal Information Security Management Act
HIPAA: Health Insurance Portability and Accountability Act
GLBA: Gramm-Leach-Bliley: financial privacy
Etc.

Road Map for Security (New Program)
Step (documentation produced):
Interview stakeholders (HR, legal, finance) to determine organizational issues & concerns (Security Issues)
Develop security policies for approval by management (Security Policies)
Conduct security training & test for compliance (Training materials)
Improve standards
Develop compliance monitoring strategy

Info Security Steering Committee
Security Relationships
(Figure: the committee at the centre, labelled "Security Strategy, Risk, & Alignment", with relationships to the surrounding functions covering:)
Security requirements; access control
Security requirements in the RFP; contract requirements
Security requirements and review; change control; security upgrade/test
Hiring, training, roles & responsibilities; incident handling
Security requirements sign-off; acceptance test; access authorization
Laws & regulations
Security monitoring, incident response, site inventory, crisis management

Security Governance Framework
(Figure) Components: Security Strategy; Security Organization; Security Framework; Compliance Monitoring; Policies, Standards, Procedures

Secure Strategy: Risk Assessment
Five steps include:
1. Assign values to assets: where are the crown jewels? Value them in terms of confidentiality, integrity, availability
2. Determine loss due to threats & vulnerabilities: Loss = Downtime + Recovery + Liability + Replacement
3. Estimate likelihood of exploitation: weekly, monthly, 1 year, 10 years?
4. Compute expected loss: Risk Exposure = ProbabilityOfVulnerability * $Loss
5. Treat risk: survey & select new controls; reduce, transfer, avoid or accept risk
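The five steps worked through in code, as an added example that is not part of the slides: single-event loss uses the slide's Loss formula, the likelihood answer of step 3 is converted to an expected number of events per year so that the step 4 exposure becomes an expected loss per year, and the last function applies the "reduce" option of step 5 by comparing the exposure a control removes with what the control costs. The asset names, dollar figures, likelihood table and control costs are constructed for illustration.

```python
# Added example, not from the slides: the five-step risk assessment worked
# through for a handful of assets with the slide's formulas:
#   Loss          = Downtime + Recovery + Liability + Replacement
#   Risk Exposure = ProbabilityOfVulnerability * $Loss
# Asset names, dollar figures, likelihoods and control costs are constructed.
from dataclasses import dataclass

# Step 3 asks "weekly, monthly, 1 year, 10 years?"; this (assumed) table turns
# the answer into expected events per year so exposures are comparable annually.
EVENTS_PER_YEAR = {"weekly": 52.0, "monthly": 12.0, "yearly": 1.0, "decade": 0.1}


@dataclass
class Scenario:
    asset: str          # step 1: the asset (crown jewels first)
    downtime: float     # step 2: loss components, dollars per event
    recovery: float
    liability: float
    replacement: float
    likelihood: str     # step 3: a key of EVENTS_PER_YEAR

    def loss(self) -> float:
        """Single-event loss, exactly as the slide defines it."""
        return self.downtime + self.recovery + self.liability + self.replacement

    def annual_exposure(self) -> float:
        """Step 4: expected loss per year = events per year * loss per event."""
        return EVENTS_PER_YEAR[self.likelihood] * self.loss()


def rank_by_exposure(scenarios):
    """Highest annual exposure first: the order in which to consider treatment."""
    return sorted(scenarios, key=lambda s: s.annual_exposure(), reverse=True)


def control_is_worthwhile(scenario, annual_control_cost, residual_likelihood) -> bool:
    """Step 5, 'reduce': a control pays for itself only if the exposure it
    removes per year exceeds its annual cost. residual_likelihood is the
    likelihood expected after the control is in place."""
    residual = EVENTS_PER_YEAR[residual_likelihood] * scenario.loss()
    return scenario.annual_exposure() - residual > annual_control_cost


# Constructed scenarios (all figures hypothetical).
SCENARIOS = [
    Scenario("customer database breach", 20_000, 15_000, 200_000, 5_000, "yearly"),
    Scenario("public web server defacement", 2_000, 3_000, 0, 0, "monthly"),
    Scenario("head-office fire", 100_000, 250_000, 0, 400_000, "decade"),
]

if __name__ == "__main__":
    for s in rank_by_exposure(SCENARIOS):
        print(f"{s.asset:30s} loss/event ${s.loss():>9,.0f}  exposure/yr ${s.annual_exposure():>9,.0f}")
    # A $50k/yr control that makes the breach a once-a-decade event is worth it;
    # a $70k/yr control that only makes defacement yearly is not.
    print("DB control worthwhile: ", control_is_worthwhile(SCENARIOS[0], 50_000, "decade"))
    print("web control worthwhile:", control_is_worthwhile(SCENARIOS[1], 70_000, "yearly"))
```

Note that the ranking by single-event loss (fire, then database, then web server) differs from the ranking by annual exposure; step 3 is what separates a large but rare loss from a smaller, frequent one, and the treatment decision should be made on the annual figure.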

Example Policy Documents


Data Classification: Defines data security categories,
ownership and accountability
Acceptable Usage Policy: Describes permissible
usage of IT equipment/resources
End-User Computing Policy: Defines usage and
parameters of desktop tools
Access Control Policies: Defines how access
permission is defined and allocated
After policy documents are created, they must be
officially reviewed, updated, disseminated, and tested
for compliance

Compliance Function
Compliance: ensures compliance with organizational policies
E.g.: listen to selected help desk calls to verify that proper authorization occurs when resetting passwords
Best if compliance tests are automated
Compliance is an ongoing process that ensures adherence to policies; an audit is a snapshot of compliance at a point in time (figure: compliance as a continuous line over time, audit as a single point on it)
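An automated version of the help-desk check above, as an added example that is not part of the slides: instead of listening to calls, the script reads ticket event logs and flags every password reset that was not preceded, in the same ticket, by an approved identity verification. The log format, ticket numbers, agent names, the two approved verification methods and the policy rule itself are all constructed for this example.

```python
# Added example, not from the slides: automated compliance test for the rule
# "a password may be reset only after the caller's identity was verified".
# Log format, tickets, agents and approved methods are constructed here.
import re
from collections import defaultdict

# Constructed sample log: one event per line, "timestamp key=value ...".
SAMPLE_LOG = """\
2024-03-04T09:12:01Z ticket=1001 agent=amy event=reset_requested user=jdoe
2024-03-04T09:12:40Z ticket=1001 agent=amy event=identity_verified method=callback
2024-03-04T09:13:05Z ticket=1001 agent=amy event=password_reset user=jdoe
2024-03-04T10:02:11Z ticket=1002 agent=bob event=reset_requested user=msmith
2024-03-04T10:02:30Z ticket=1002 agent=bob event=password_reset user=msmith
2024-03-04T11:40:00Z ticket=1003 agent=amy event=reset_requested user=kchen
2024-03-04T11:45:00Z ticket=1003 agent=amy event=identity_verified method=manager_approval
2024-03-04T11:59:00Z ticket=1003 agent=amy event=password_reset user=kchen
2024-03-04T13:05:00Z ticket=1004 agent=bob event=password_reset user=rlee
2024-03-04T13:06:00Z ticket=1004 agent=bob event=identity_verified method=callback
2024-03-04T14:20:00Z ticket=1005 agent=cat event=identity_verified method=email_self_attest
2024-03-04T14:21:00Z ticket=1005 agent=cat event=password_reset user=pwong
"""

# Assumed policy: only these verification methods count.
APPROVED_METHODS = {"callback", "manager_approval"}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<fields>.+)$")


def parse_line(line):
    """Turn 'ts k=v k=v ...' into a dict; None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts")}
    for token in m.group("fields").split():
        key, _, value = token.partition("=")
        rec[key] = value
    return rec


def find_violations(log_text):
    """Return {ticket: reason} for every password reset performed without an
    earlier, approved identity verification in the same ticket."""
    by_ticket = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and "ticket" in rec:
            by_ticket[rec["ticket"]].append(rec)

    violations = {}
    for ticket, events in by_ticket.items():
        events.sort(key=lambda r: r["ts"])   # ISO-8601 UTC sorts as text
        verified = False
        rejected_method = None
        for ev in events:
            if ev.get("event") == "identity_verified":
                if ev.get("method") in APPROVED_METHODS:
                    verified = True
                else:
                    rejected_method = ev.get("method")
            elif ev.get("event") == "password_reset" and not verified:
                # Verification logged *after* the reset (ticket 1004) does not
                # help: at the moment of the reset nothing had been verified.
                if rejected_method:
                    violations[ticket] = f"verification method '{rejected_method}' is not approved"
                else:
                    violations[ticket] = "password reset before any identity verification"
    return violations


def compliance_rate(log_text):
    """Fraction of tickets containing a password reset that passed the check."""
    tickets = {rec["ticket"] for rec in map(parse_line, log_text.splitlines())
               if rec and rec.get("event") == "password_reset"}
    failed = set(find_violations(log_text))
    return (len(tickets) - len(failed)) / len(tickets) if tickets else 1.0


if __name__ == "__main__":
    for ticket, reason in sorted(find_violations(SAMPLE_LOG).items()):
        print(f"ticket {ticket}: {reason}")
    print(f"compliance rate: {compliance_rate(SAMPLE_LOG):.0%}")
```

Run against every ticket rather than a sample, the same script gives the continuous compliance line from the slide; run once on a date range, it gives the audit snapshot.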

Compliance Program
Security Review or Audit Test
Objective: Is our web interface to the DB safe?
Scope: Penetration test on the DB
Constraints: Must test between 1-4 AM
Approach:
1. Tester has valid session credentials
2. Specific records allocated for the test
3. Test: SQL injection
Result: these problems were found: (to be completed after the test)
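A minimal, runnable form of the test plan above, as an added example that is not part of the slides: the tester holds a valid identity ("pentest"), two records are allocated to the test, and each injection payload is judged by whether it returns data outside those records. The vulnerable lookup concatenates input into SQL; the hardened one validates the id and binds parameters. The table, its rows, the lookup functions and the payload list are assumptions made for this example, using the Python standard library's in-memory SQLite.

```python
# Added example, not from the slides: SQL injection test against an in-memory
# SQLite database constructed here. Table, rows, lookup functions and payloads
# are assumptions for this example.
import sqlite3

# Payloads in the numeric id position. "AND" binds tighter than "OR" in SQL,
# so "owner = 'pentest' AND id = 1 OR 1=1" matches every row.
PAYLOADS = [
    "1 OR 1=1",
    "1 OR 1=1 --",      # same, with a comment to discard any trailing SQL
]


def make_db():
    """Constructed test data: two records owned by the tester, two by others."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE records(id INTEGER PRIMARY KEY, owner TEXT, payload TEXT)")
    con.executemany("INSERT INTO records(owner, payload) VALUES (?, ?)", [
        ("pentest", "test-record-1"),
        ("pentest", "test-record-2"),
        ("alice", "alice-private"),
        ("bob", "bob-private"),
    ])
    return con


def lookup_vulnerable(con, owner, record_id):
    """The 'before' code: user input concatenated into the statement."""
    sql = f"SELECT payload FROM records WHERE owner = '{owner}' AND id = {record_id}"
    return [row[0] for row in con.execute(sql)]


def lookup_hardened(con, owner, record_id):
    """The 'after' code: the id must be an integer and both values are bound
    parameters, so input can never change the shape of the statement."""
    try:
        rid = int(record_id)
    except (TypeError, ValueError):
        return []
    sql = "SELECT payload FROM records WHERE owner = ? AND id = ?"
    return [row[0] for row in con.execute(sql, (owner, rid))]


def injection_test(con, lookup, session_owner="pentest", allocated_ids=(1, 2)):
    """Run each payload through `lookup` as the authenticated tester and report
    every payload that returned data outside the records allocated to the test.
    Returns {payload: sorted leaked values}; an empty dict means no finding."""
    baseline = set()
    for rid in allocated_ids:
        baseline.update(lookup(con, session_owner, str(rid)))
    findings = {}
    for payload in PAYLOADS:
        try:
            leaked = set(lookup(con, session_owner, payload)) - baseline
        except sqlite3.Error:
            leaked = set()   # a SQL error is worth noting in the report, but it is not a leak
        if leaked:
            findings[payload] = sorted(leaked)
    return findings


if __name__ == "__main__":
    con = make_db()
    print("vulnerable:", injection_test(con, lookup_vulnerable))
    print("hardened:  ", injection_test(con, lookup_hardened))
```

Measuring against the allocated records keeps the test within scope: a finding is only raised when data the tester was not given comes back, which is the evidence the "Result" line of the plan needs.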

Security Positions
Security Architect: designs secure network topologies, access control, security policies & standards; evaluates security technologies; works with compliance, risk management, audit
Security Administrator: allocates access to data under the data owner; prepares the security awareness program; tests the security architecture; monitors security violations and takes corrective action; reviews and evaluates security policy

Security Architect: Control Analysis
(Figure: questions grouped by the aspect of the control they examine)
Policy:
Do controls fail secure or fail open?
Is the policy restrictive or permissive (denied unless expressly permitted, or vice versa)?
Does the control align with policy & business expectation?
Placement:
Where are controls located?
Are controls layered?
Is control redundancy needed?
Does the control protect broadly or only one application?
Implementation:
Have controls been tested?
Are controls self-protecting?
Do controls meet control objectives?
Are controls reliable?
Are control activities logged and reviewed?
Are controls easily circumvented?
Efficiency:
Do they inhibit productivity?
Are they automated or manual?
Effectiveness:
If a control fails, is there a control remaining (single point of failure)?
If a control fails, does the application fail?
Will controls alert security personnel if they fail?
Are key controls monitored in real time?

Control Practices
These may be useful in particular conditions:
Automate Controls: make them technically infeasible to bypass
Access Control: users should be identified, authenticated and authorized before accessing resources
Secure Failure: if compromise is possible, stop processing
Compartmentalize to Minimize Damage: access control required per system resource set
Transparency: communicate so that the average layperson understands the control, which builds understanding & support
Trust: verify the communicating partner through a trusted third party (e.g., PKI)
Trust No One: oversight controls (e.g., CCTV)
Segregation of Duties: require collusion to defraud the organization
Principle of Least Privilege: minimize system privileges
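Three of the questions from the control analysis slide (fail secure or fail open; restrictive or permissive policy; does the control log and alert when it fails) and the "Secure Failure" practice above, made concrete in an added example that is not part of the slides. The `PolicyStore`, the `Gate` and the grants table are assumptions made for this example; the outage is simulated by a flag.

```python
# Added example, not from the slides: an authorization gate that shows the
# difference between failing secure and failing open when the control itself
# (the policy store) is unavailable. PolicyStore, Gate and GRANTS are assumed.
from dataclasses import dataclass, field


class PolicyUnavailable(Exception):
    """Raised when the authorization backend cannot be reached."""


@dataclass
class PolicyStore:
    grants: dict               # user -> set of (resource, action) expressly permitted
    available: bool = True     # set False to simulate an outage of the control

    def is_allowed(self, user, resource, action) -> bool:
        if not self.available:
            raise PolicyUnavailable("policy store unreachable")
        # Restrictive policy: denied unless expressly permitted. A permissive
        # policy would instead return True for anything not expressly denied.
        return (resource, action) in self.grants.get(user, set())


@dataclass
class Gate:
    store: PolicyStore
    fail_secure: bool = True                     # False = fail open
    audit: list = field(default_factory=list)    # every decision is logged
    alerts: list = field(default_factory=list)   # raised whenever the control fails

    def authorize(self, user, resource, action) -> bool:
        try:
            allowed = self.store.is_allowed(user, resource, action)
            failed = False
        except PolicyUnavailable as exc:
            failed = True
            # Fail secure: stop processing (deny). Fail open: keep the
            # application running by granting, which silently removes the control.
            allowed = not self.fail_secure
            self.alerts.append(f"{exc}; {user} {action} {resource} -> "
                               f"{'ALLOW' if allowed else 'DENY'}")
        self.audit.append({"user": user, "resource": resource, "action": action,
                           "allowed": allowed, "control_failed": failed})
        return allowed


# Constructed grants table.
GRANTS = {"alice": {("payroll", "read")}, "bob": {("wiki", "read"), ("wiki", "write")}}


def demo(fail_secure: bool):
    """bob, who is never granted payroll access, tries to read it while the
    store is up and then during an outage. Returns (decision while up,
    decision during outage, number of alerts raised)."""
    store = PolicyStore(dict(GRANTS))
    gate = Gate(store, fail_secure=fail_secure)
    up = gate.authorize("bob", "payroll", "read")
    store.available = False
    down = gate.authorize("bob", "payroll", "read")
    return up, down, len(gate.alerts)


if __name__ == "__main__":
    print("fail secure:", demo(True))    # (False, False, 1)
    print("fail open:  ", demo(False))   # (False, True, 1)
```

In both modes the failure is logged and alerted, so the single-point-of-failure question is answerable from the audit trail; only the fail-secure gate keeps the application's behaviour within policy while the control is down.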

Security Administrator:
Security Operations
Identity Mgmt & Access control
System patching & configuration mgmt
Change control & release mgmt
Security metrics collection & reporting
Control technology maintenance
Incident response, investigation, and
resolution

Summary of Security Mgmt Functions
Develop a security strategy linked with business objectives
Regulatory & legal issues are addressed
Senior management acceptance & support
Complete set of policies
Standards & procedures for all relevant policies
Security awareness for all users and security training as needed
Information assets classified by criticality and sensitivity

Summary of Security Mgmt Functions
Effective compliance & enforcement processes
Metrics are maintained and disseminated
Monitoring of compliance & controls
Utilization of security resources is effective
Noncompliance is resolved in a timely manner
Effective risk management and business impact assessment
Risks are assessed, communicated, and managed
Controls are designed, implemented, maintained, tested
Incident and emergency response processes are tested
Business Continuity & Disaster Recovery Plans are tested

Summary of Security Mgmt Functions
Develop security strategy, oversee the security program, liaise with business process owners for ongoing alignment
Clear assignment of roles & responsibilities
Security participation in change management
Address security issues with third-party service providers
Liaise with other assurance providers to eliminate gaps and overlaps

Question
Who can contribute the MOST to determining the priorities and risk impacts to the organization's information resources?
1. Chief Risk Officer
2. Business Process Owners
3. Security Manager
4. Auditor

Question
A document that describes how access permission is defined and allocated is the:
1. Data Classification
2. Acceptable Usage Policy
3. End-User Computing Policy
4. Access Control Policies

Question
The role of the Information Security Manager in relation to the security strategy is:
1. Primary author with business input
2. Communicator to other departments
3. Reviewer
4. Approves the strategy

Question
The role most likely to test a control is the:
1. Security Administrator
2. Security Architect
3. Quality Control Analyst
4. Security Steering Committee

Question
The role responsible for defining security objectives and instituting a security organization is the:
1. Chief Security Officer
2. Executive Management
3. Board of Directors
4. Chief Information Security Officer

Question
When implementing a control, the PRIMARY
guide to implementation adheres to:
1. Organizational Policy
2. Security frameworks such as COBIT, NIST,
ISO/IEC
3. Prevention, Detection, Correction
4. A layered defense

Question
The persons on the Security Steering Committee who can contribute the BEST information relating to ensuring Information Security success are:
1. Chief Information Security Officer
2. Business process owners
3. Executive Management
4. Chief Information Officer

Reference
Slide title: source of information
Corporate Governance: CISA, pages 87-88
IT Governance Committees: CISA, page 90
IT Strategy Committee: CISA, page 90
Standard IT Balanced Scorecard: CISA, page 91
Enterprise Architecture: CISA, pages 94-95, Exhibit 2.5
Sourcing Practices: CISA, page 106
Quality with ISO 9001: CISA, page 112
Quality Definitions: CISA, page 116
Performance Optimization: CISA, pages 113-114
Categories of Performance Measures: CISA, page 114
Security Organization: CISA, pages 94-95, Exhibit 2.4
Security Governance: CISA, pages 92-93
Secure Strategy: Risk Assessment: CISM, page 100
Example Policy Documents: CISA, page 100
Security Positions: CISA, pages 116-117
