Domain 2 – Governance and Management of IT PDF
Uploaded by ResoluteActinium
Summary
This document is an IT governance overview, detailing various aspects of IT management, including corporate governance, IT governance, frameworks, goals, and auditing. It covers topics like IT resource management, performance management, compliance management, and risk management, as well as IT investment, allocation, and strategic planning practices.
Full Transcript
IT Auditing

Corporate Governance:
Corporate governance is the system by which business corporations are directed and controlled. It is a set of responsibilities and practices used by an organization's management to provide strategic direction, thereby ensuring that:
- goals are achievable,
- risks are properly addressed, and
- organizational resources are properly utilized.

Governance consists of:
- framework,
- principles,
- structure,
- processes, and
- practices
to set direction and monitor compliance and performance aligned with the overall purpose and objectives of an enterprise.

IT Governance:
IT governance is the responsibility of the board of directors and executive management. It is an integral part of enterprise governance and consists of the leadership, organizational structures and processes that ensure that the organization's IT sustains and extends the organization's strategies and objectives. IT governance provides a structure for aligning IT strategy with business strategy.

Implementation of the GEIT framework addresses the following:
1. IT resource management
2. Performance management
3. Compliance management

Some of the GEIT frameworks are:
1. COBIT 5
2. ISO/IEC 27001
3. ITIL – Information Technology Infrastructure Library
4. ISM3 – The Information Security Management Maturity Model
5. ISO/IEC 38500:2008 – Corporate governance of IT
6. ISO/IEC 20000

The goals of IT governance are to ensure that IT investments generate business value and to mitigate IT risks.

Audit role in GEIT:
Audit plays a significant role in the successful implementation of IT governance within an organization. Audit provides leading-practice recommendations to senior management and helps ensure compliance with GEIT initiatives implemented within an organization.
The following aspects related to EGIT need to be assessed:
- How enterprise governance and EGIT are aligned
- Alignment of the IT function with the organization's mission, vision, values, objectives and strategies
- Achievement of performance objectives (e.g., effectiveness and efficiency) established by the business and the IT function
- Legal, environmental, information quality, fiduciary, security and privacy requirements
- The control environment of the organization
- The inherent risk within the IS environment
- IT investment/expenditure

Two committees:
1. IT Strategy Committee
2. IT Steering Committee

Information systems are crucial to the support, sustainability and growth of an enterprise. Enterprises face internal and external threats, i.e.:
- IS resource abuse
- Cybercrime
- Fraud
- Errors and omissions
IS strategic processes are integral components of the organization's governance structure that provide reasonable assurance that both existing and emerging business goals and objectives will be attained, as critical facilitators for the enhancement of competitive advantage.

Strategic planning from an IS standpoint relates to the long-term direction an enterprise wants to take in leveraging IT to improve its business processes. IT department management, along with the IT steering committee, plays a key role in implementation of the plans.
Role of the IS auditor:
- Should pay full attention to the importance of IS strategic planning, taking management control practices into consideration.
- Focus on the importance of the strategic planning process or planning framework.
- Should consider how the CIO or senior management are involved in the creation of the overall business strategy.

Enterprises face the challenge of using limited resources, including people and money, to achieve their goals and objectives. An IS auditor should understand an enterprise's investment and allocation practices to determine whether the enterprise is positioned to achieve the greatest value from the investment of its resources.
Financial benefits: impact on the organization's budget and finances. Non-financial benefits: impact on operations and mission performance and results (e.g., improved customer satisfaction, better information).

Decision makers make IT project selection decisions based upon the perceived value of the investment. IT value is determined by the relationship between what the organization will pay (costs) and what it will receive (benefits). The larger the benefit in relation to cost, the greater the value of the IT project.

IT-RELATED FRAMEWORKS
The frameworks help organizations address business issues through governance and management of information and technology. Examples of EGIT frameworks include the following:
1. COBIT, developed by ISACA to support EGIT, ensures that IT is aligned with the business, IT enables the business and maximizes benefits, IT resources are used responsibly, and IT risk is managed appropriately.
2. The ISO/IEC 27000 series is a set of best practices that provides guidance to organizations implementing and maintaining information security programs. ISO/IEC 27001 has become a well-known standard in the industry.
3. The Information Technology Infrastructure Library (ITIL®) was developed by the UK Office of Government Commerce (OGC), in partnership with the IT Service Management Forum, and is a detailed framework with hands-on information regarding how to achieve successful operational service management of IT. It also includes business value delivery.
4. The Open Information Security Management Maturity Model (O-ISM3) is a process-based ISM maturity model for security.
5. ISO 31000:2018 Risk management – Guidelines provides guidelines on and a common approach to risk management for organizations.

2.5 IT STANDARDS, POLICIES AND PROCEDURES
STANDARDS
A standard is a mandatory requirement, code of practice or specification approved by a recognized external standards organization.
Professional standards refer to standards issued by professional organizations, such as ISACA, with related guidelines and techniques that assist the professional in implementing and complying with other standards.

POLICIES
Policies are the high-level statements of management intent, expectations and direction. Well-developed high-level policies in a mature organization can remain fairly static for extended periods. Management should review all policies periodically. Ideally, these documents should specify a review date, which the IS auditor should check for currency. Policies need to be updated to reflect new technology, changes in the environment (e.g., regulatory compliance requirements), and significant changes in business processes that exploit IT for efficiency and effectiveness in productivity or competitive gains.

IS auditors should understand that policies are a part of the audit scope and test the policies for compliance. IS controls should flow from the enterprise's policies, and IS auditors should use policies as a benchmark for evaluating compliance. However, if policies exist that hinder the achievement of business objectives, these policies must be identified and reported for improvement. The IS auditor should also consider the extent to which the policies apply to third parties or outsourcers, the extent to which third parties or outsourcers comply with the policies, and whether the policies of the third parties or outsourcers are in conflict with the enterprise's policies.
Information security policies:
- Communicate a coherent security standard to users, management and technical staff
- Must balance the level of control with the level of productivity
- Provide management direction and support for information security in accordance with business requirements, relevant laws and regulations

Information security policy document:
- Definition of information security
- Statement of management intent
- Framework for setting control objectives
- Brief explanation of security policies
- Definition of responsibilities
- References to documentation

Information policy groups (examples of policies):
- High-level information security policy
- Data classification policy
- Acceptable usage policy
- End user computing policy
- Access control policies

Review of the IS security policy document:
- Information security policies should be reviewed at planned intervals or when significant changes occur to ensure their continuing suitability, adequacy and effectiveness
- Should have an owner who has approved management responsibility for the development, review and evaluation of the security policy
- Review should include assessing opportunities for improvement to the organization's information security policy
- There should be defined management review procedures, including a schedule or period for review

Policy must be approved by senior management. Therefore, both the input to and the output from the management review are important.
The input to the management review should include:
- Feedback from interested parties
- Results of independent reviews
- Status of preventive and corrective actions
- Results of previous management reviews
- Process performance and information security policy compliance

The output from the management review should include any decision related to:
- Improvement in the alignment of information security with business objectives.
- Improvement of the organization's approach to managing information security and its processes.
- Improvement of control objectives and controls.
- Improvement in the allocation of resources and/or responsibilities.

How to audit policies:
The IS auditor needs to assess the following:
- Basis on which the policy has been defined
- Appropriateness of the policies
- Content of the policy
- Exceptions to the policy
- Policy approval process
- Policy implementation process
- Effectiveness of implementation of policies
- Awareness and training
- Periodic review and update process

PROCEDURES
Procedures are detailed, documented, defined steps for achieving policy objectives. They:
- Must be derived from the parent policy
- Must implement the spirit (intent) of the policy statement
- Must be written in a clear and concise manner

GUIDELINES
Guidelines for executing procedures are also the responsibility of operations. Guidelines should contain information that will be helpful in executing the procedures. Guidelines can be useful in many other circumstances as well, but they are considered here in the context of information security governance.

RISK MANAGEMENT
Risk management is the process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives and deciding what countermeasures (controls) to take to reduce risk to an acceptable level.

2.8.1 Developing a Risk Management Program:
- Establish the purpose of the risk management program
- Assign responsibility for the risk management plan
- Identify and classify the information resources or assets that need protection
- Assess threats and vulnerabilities and the likelihood of their occurrence
- Once the elements of risk have been established, they are combined to form an overall view of risk

COBIT 5 provides a risk management process, APO12 Manage Risk, which includes:
1. Collect data
2. Analyze risk
3. Maintain a risk profile
4. Articulate risk
5. Define a risk management action portfolio
6. Respond to risk

To ensure that an enterprise manages its risk consistently and appropriately, an organization should identify and establish a repeatable process to manage its IT risk. Basic risk management is a five-step process.

Step 1: Asset identification
Examples of typical assets associated with information and IT include:
- Information and data
- Hardware
- Software
- Services
- Documents
- Personnel

Step 2: Evaluation of threats and vulnerabilities to assets
Common classes of threats are:
- Errors
- Malicious damage/attack
- Fraud
- Theft
- Equipment/software failure
Examples of vulnerabilities are:
- Lack of user knowledge
- Lack of secure functionality
- Inadequate user awareness/education (poor choice of passwords)
- Untested technology
- Transmission of unprotected communication
Typical human threat actors are:
- Novices (script kiddies)
- Hacktivists
- Cyber criminals
- Terrorists
- Nation states
- Riot/civil unrest
Typical environmental threats are:
- Floods
- Lightning
- Earthquakes

Step 3: Evaluation of the impact
The result of a threat agent exploiting a vulnerability is called an impact. Examples of impact (loss) are:
- Direct loss of money
- Breach of legislation
- Loss of reputation
- Endangering of staff or customers
- Loss of business opportunities
- Interruption of business activity

Step 4: Calculation of risk
After the elements of risk have been established, they are combined to form an overall view of risk. A common method of combining the elements is to calculate, for each threat:
risk = (probability of occurrence) x (magnitude of impact)

Step 5: Evaluation of and response to risk
After risk identification, either:
- existing controls are evaluated, or
- new controls are designed
to reduce the vulnerabilities to an acceptable level of risk. These controls are called countermeasures or safeguards, and include:
- actions
- devices
- procedures
- techniques

There are three methods of risk analysis:
1. Qualitative analysis method
2. Semi-quantitative analysis method
3. Quantitative analysis method (during BIA)
Management and IS auditors should keep in mind certain considerations:
- Risk management should be applied to IT functions throughout the company
- Senior management responsibility

IT MANAGEMENT PRACTICES
Information technology management practices reflect the implementation of policies and procedures developed for various IS-related management activities. The role of IT within an organization is spread across all departments, i.e., finance, marketing, sales, production and HR. The IS auditor must understand and appreciate the extent to which a well-managed IT department is crucial to achieving the organization's objectives.

Management activities to review for policy/procedure formulation and effectiveness within the IT department include:
- HR management
- Sourcing management
- IT change management
- Financial management
- Quality management
- Information security management
- Performance optimization

HR management:
An organization's hiring practices are important to ensure that the most effective and efficient staff is chosen and that the company is in compliance with legal recruitment requirements.
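Steps 1 to 5 of the risk management process above, worked through as a small semi-quantitative risk register (an added example, not from the slides; the 1 to 5 rating scales, the risk appetite threshold and the sample entries are constructed for illustration):

```python
"""Five-step risk management process (assets -> threats and vulnerabilities
-> impact -> risk = probability x impact -> response), worked as a
semi-quantitative risk register. Added example, not from the slides; the
scales, risk appetite and sample entries are constructed for illustration."""
from dataclasses import dataclass

# Ordinal scales of the semi-quantitative method (constructed 1..5 ratings).
PROBABILITY = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
ACCEPTABLE_RISK = 6  # assumed risk appetite: residual scores above this must be treated


@dataclass
class RiskItem:
    asset: str                  # Step 1: the information resource needing protection
    threat: str                 # Step 2: threat class (errors, malicious attack, fraud, ...)
    vulnerability: str          # Step 2: weakness the threat could exploit
    probability: str            # Step 2: likelihood of occurrence (PROBABILITY key)
    impact: str                 # Step 3: loss if the threat materialises (IMPACT key)
    control_reduction: int = 0  # Step 5: probability levels removed by existing countermeasures


def inherent_risk(item: RiskItem) -> int:
    """Step 4: risk = (probability of occurrence) x (magnitude of impact), before controls."""
    return PROBABILITY[item.probability] * IMPACT[item.impact]


def residual_risk(item: RiskItem) -> int:
    """Step 5: same calculation after crediting existing controls; probability never drops below 1."""
    probability = max(1, PROBABILITY[item.probability] - item.control_reduction)
    return probability * IMPACT[item.impact]


def response(item: RiskItem) -> str:
    """Step 5: accept when existing controls already reach the acceptable level, else treat."""
    if residual_risk(item) <= ACCEPTABLE_RISK:
        return "accept (existing controls adequate)"
    return "treat (design additional countermeasures)"


def build_register(items):
    """Overall view of risk: (asset, threat, inherent, residual, response), highest residual first."""
    rows = [(i.asset, i.threat, inherent_risk(i), residual_risk(i), response(i)) for i in items]
    return sorted(rows, key=lambda row: row[3], reverse=True)


# Constructed sample entries using the threat and vulnerability examples from the slides.
SAMPLE = [
    RiskItem("customer database", "malicious damage/attack", "untested technology",
             "likely", "severe", control_reduction=1),
    RiskItem("payroll application", "fraud", "lack of user knowledge",
             "possible", "major", control_reduction=2),
    RiskItem("file server", "equipment/software failure", "lack of secure functionality",
             "possible", "moderate"),
    RiskItem("email", "errors", "inadequate user awareness (poor choice of passwords)",
             "unlikely", "minor"),
]

if __name__ == "__main__":
    for asset, threat, inherent, residual, action in build_register(SAMPLE):
        print(f"{asset:20} {threat:28} inherent={inherent:2} residual={residual:2}  {action}")
```

The register shows the auditor's two questions side by side: whether existing controls were credited (inherent vs. residual) and whether the residual figure is within the stated appetite.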
Common HR management controls include:
- Hiring
- Employee handbook
- Promotion policies
- Training
- Scheduling and time reporting
- Employee performance evaluations
- Required vacations
- Termination policies

Sourcing management:
Organizations can perform all IS functions in-house or outsource all functions across the globe. The sourcing strategy should consider each IS function and determine which approach allows the IS function to meet the organization's goals.

Delivery of IS functions can be:
- Insourced – fully performed by the organization's staff
- Outsourced – fully performed by the vendor's staff
- Hybrid – performed by a mix of the organization's and the vendor's staff; can include joint ventures/supplemental staff
IS functions can be performed across the globe, taking advantage of time zones and arbitraging labor rates. Staff will be:
- Onsite – staff work onsite in the IS department
- Offsite – also known as near shore; staff work at a remote location in the same geographical area
- Offshore – staff work at a remote location in a different geographic region

Outsourcing practices and strategies:
Outsourcing is a contractual agreement under which an organization hands over control of part or all of the functions of the IS department to an external party. The IS auditor must be aware of the various forms outsourcing can take as well as the associated risks.

Reasons for outsourcing include:
- A desire to focus on core activities
- Pressure on profit margins
- Increasing competition that demands cost savings
- Flexibility with respect to both organization and structure
An IS auditor should determine whether an enterprise considered the advantages, disadvantages and business risks when developing its outsourcing practices and strategies.

The services provided by a third party can include:
- Data entry
- Design and development of new systems
- Conversion of legacy applications to new platforms (for example, a specialist company may web-enable the front end of an old application)
- Operating the help desk or the call center
- Operations processing

Possible advantages:
- Commercial outsourcing companies are likely to devote more time to and focus more efficiently on a given project than in-house staff
- Outsourcing vendors are likely to have more experience with a wider array of problems, issues and techniques

Possible disadvantages:
- Costs exceeding customer expectations
- Loss of internal IS experience
- Loss of control over IS
- Vendor failure

Service Level Agreement (SLA):
A well-balanced SLA is of great importance for quality purposes and future cooperation between the concerned parties. The SLA should serve as an instrument of control. SLAs stipulate and commit a vendor to a required level of service and support options. SLAs are a contractual means of helping the IT department manage information resources that are under the control of a vendor.

Globalization practices and strategies:
The IS auditor can assist an organization in moving IS functions offsite or offshore by ensuring that IS management considers the following:
- Legal, regulatory and tax issues
- Continuity of operations
- Personnel
- Telecommunication issues
- Cross-border and cross-cultural issues

Outsourcing and third-party audit reports:
For an IS auditor to have assurance over the controls implemented by a service provider, the provider must supply a third-party audit report. These third-party reports cover a wide range of issues related to the confidentiality, integrity and availability of data.

IT change management:
Change management is the discipline that guides how we prepare, equip and support individuals to successfully adopt change in order to drive organizational success and outcomes. It involves:
- Managing IT changes for the organization
- Identifying and applying technology improvements at the infrastructure and application level
From an auditing point of view, all changes within the organization must be approved by senior management.
Quality management:
Quality management is one of the means by which IT department-based processes are controlled, measured and improved. It covers:
- Software development, maintenance and implementation
- Acquisition of hardware and software
- Day-to-day operations
- Service management
- Security
- Human resource management
- General administration

Information security management:
Information security management provides the lead role in ensuring that the organization's information and the information processing resources under its control are properly protected (Domain 5). This includes leading and facilitating the implementation of an organization-wide IT security program, which includes the development of the Business Impact Analysis (BIA), Business Continuity Plans (BCPs) and Disaster Recovery Plans (DRPs) related to IS department functions in support of the organization's critical business processes.

Performance optimization:
Performance is not how well a system works. Performance optimization refers to the process of improving the productivity of information systems to the highest level possible without unnecessary, additional investment in the IT infrastructure.
Key aspects of effective performance measurement:
1. Clear definition of performance goals
2. Establishment of effective metrics to monitor achievement of goals

Performance optimization methodologies and tools:
1. Continuous improvement methodologies, such as the PDCA cycle
2. Comprehensive best practices, such as ITIL
3. Frameworks, such as COBIT
Performance optimization tools and techniques:
1. Six Sigma
2. IT BSC
3. KPIs
4. Business Process Reengineering (BPR)
5. Root cause analysis
6. Life-cycle cost-benefit analysis

Typical IS roles and functions include:
- Systems development manager
- Help desk
- End user
- End user support manager
- Data management
- Quality assurance manager
- Vendor and outsourcer management
- Operations manager
- Control group
- Media management
- Data entry
- Systems administration
- Security administration
- Quality assurance
- Database administration
- Systems analyst
- Security architect
- Applications development and maintenance
- Infrastructure development and maintenance
- Network management

Quality assurance manager – responsible for negotiating and facilitating quality activities in all areas of information technology.

Vendor and outsourcer management – with the increase in outsourcing, including the use of multiple vendors, dedicated staff may be required to manage the vendors and outsourcers, including performing the following functions:
- Act as the prime contact for the vendor and outsourcer within the IS function.
- Provide direction to the outsourcer on issues and escalate internally within the organization and IS function.
- Monitor and report on the service levels to management.
- Review changes to the contract due to new requirements and obtain IS approvals.

Segregation of duties:
Segregation of duties is the dividing or allocating of tasks among various individuals, making it possible to reduce the risks of error and fraud.
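The segregation of duties principle described above, applied as an auditor's check over a user authorization table (an added example, not from the slides; the incompatible-duty pairs follow the usual authorization/custody/recording separation and, like the users and the compensating-control register, are constructed for illustration):

```python
"""Segregation-of-duties review over a user authorization table.
Added example, not from the slides. The conflict matrix is the common
authorization / custody / recording separation, assumed here; the users,
their duties and the compensating-control register are constructed."""
from itertools import combinations

# Pairs of duties that must not sit with one person, keyed in sorted order
# so that lookups do not depend on which duty is listed first.
CONFLICTS = {
    ("custody of assets", "transaction authorization"): "could approve and take assets",
    ("access to data", "transaction authorization"): "could approve and alter the record",
    ("access to data", "custody of assets"): "could take assets and conceal it in the records",
}

# Constructed user authorization table: user -> duties granted.
USER_AUTHORIZATIONS = {
    "alice": {"transaction authorization"},
    "bob": {"custody of assets", "access to data"},
    "carol": {"transaction authorization", "access to data"},
    "dave": {"access to data"},
}

# Constructed register of compensating controls documented per user.
COMPENSATING_CONTROLS = {
    "carol": ["supervisory review", "transaction log"],
}


def find_conflicts(authorizations):
    """Return [(user, duty_a, duty_b, reason)] for every incompatible pair one user holds."""
    findings = []
    for user, duties in authorizations.items():
        for a, b in combinations(sorted(duties), 2):   # sorted -> matches CONFLICTS keys
            reason = CONFLICTS.get((a, b))
            if reason:
                findings.append((user, a, b, reason))
    return findings


def assess(authorizations, compensating):
    """Classify each conflict: 'mitigated' when a compensating control is documented
    for that user, otherwise 'exception' to be reported for remediation."""
    report = []
    for user, a, b, reason in find_conflicts(authorizations):
        controls = compensating.get(user, [])
        report.append({
            "user": user,
            "duties": (a, b),
            "reason": reason,
            "status": "mitigated" if controls else "exception",
            "compensating": controls,
        })
    return report


if __name__ == "__main__":
    for row in assess(USER_AUTHORIZATIONS, COMPENSATING_CONTROLS):
        print(f"{row['user']:6} {row['duties']} -> {row['status']} {row['compensating']}")
```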
Control measures to enforce segregation of duties include:
- Transaction authorization
- Custody of assets
- Access to data
- Authorization forms
- User authorization tables

Benefits include:
- Safeguarding of assets
- Accurate financial reporting
- Reduced risk of non-compliance

Compensating controls for lack of segregation of duties include:
- Audit trails
- Reconciliation
- Exception reporting
- Transaction logs
- Supervisory reviews
- Independent reviews

Auditing the IT function:
While many conditions concern the IS auditor when auditing the IT function, some of the more significant indicators of potential problems include:
- Excessive costs
- Budget overruns
- Late projects
- High staff turnover
- Inexperienced staff
- Frequent hardware/software errors
- Poor motivation
- Slow computer response time
- Unsupported/unauthorized hardware/software purchases
- Frequent hardware/software upgrades
- A reliance on one or two key personnel
- Lack of adequate training

The following documents should be reviewed:
- IT strategies, plans and budgets
- Security policy documentation
- Organization/functional charts
- Job descriptions
- IT steering committee reports
- System development and program change procedures
- Operations procedures
- Human resource manuals
The various documents reviewed should be further assessed to determine whether:
1. They were created as management authorized and intended
2. They are current and up to date

Contracts:
There are various phases to computer hardware, software and IS service contracts, including:
- Development of contract requirements and service levels
- Contract bidding process
- Contract selection process
- Contract acceptance
- Contract maintenance
- Contract compliance

In reviewing a sample of contracts, the IS auditor should evaluate the adequacy of the following terms and conditions:
- Service levels
- Right to audit or third-party audit reporting
- Software escrow
- Penalties for noncompliance
- Adherence to security policies and procedures
- Protection of customer information
- Contract change process
- Contract termination and any associated penalties

Business continuity planning:
Critical services or products are those that must be delivered to ensure survival, avoid causing injury, and meet legal or other obligations of an organization. Business continuity planning is a proactive planning process that ensures critical services or products are delivered during a disruption.

A business continuity plan takes into consideration:
- Those critical operations that are necessary to the survival of the organization.
- The personnel, information, equipment, financial allocations, legal counsel and infrastructure protection supporting them.

Why is business continuity planning important?
Every organization is at risk from potential disasters, which include:
- Natural disasters such as floods, earthquakes and fire
- Power and energy disruptions
- Communications, transportation, safety and service sector failure
- Cyber attacks and hacker activity
Creating and maintaining a BCP helps ensure that an institution has the resources and information needed to deal with these emergencies.

Creating a business continuity plan:
A BCP typically includes five sections:
1. BCP governance (established controls)
2. Business Impact Analysis (BIA)
3. Plans, measures, and arrangements for business continuity
4. Readiness procedures
5. Quality assurance techniques (exercises, maintenance and auditing)

1. Establish control
A BCP contains a governance structure, often in the form of a committee, that will ensure senior management commitment and define senior management roles and responsibilities. Senior managers or a BCP committee would normally:
1. approve the governance structure;
2. clarify their roles, and those of participants in the program;
3. oversee the creation of a list of appropriate committees, working groups and teams to develop and execute the plan;
4. provide strategic direction and communicate essential messages;
5. approve the results of the BIA;
6. review the critical services and products that have been identified;
7. approve the continuity plans and arrangements;
8. monitor quality assurance activities; and
9. resolve conflicting interests and priorities.

2. Business Impact Analysis (BIA)
Identify the organization's mandate and critical services or products; rank the order of priority of services or products for continuous delivery or rapid recovery; and identify internal and external impacts of disruptions.
BIA process:
A. Identify the mandate and critical aspects of an organization
This step determines what goods or services must be delivered. Information can be obtained from the mission statement of the organization and from legal requirements for delivering specific services and products.
B. Prioritize critical services or products
Once the critical services or products are identified, they must be prioritized based on (1) minimum acceptable delivery levels and (2) the maximum period of time the service can be down before severe damage to the organization results. To determine the ranking of critical services, information is required to determine the impact of a disruption to service delivery, loss of revenue, additional expenses and intangible losses.
C. Identify impacts of disruptions
The impact of a disruption to a critical service or business product determines how long the organization could function without the service or product, and how long clients would accept its unavailability. It will be necessary to determine the time period that a service or product could be unavailable before severe impact is felt.
D. Identify areas of potential revenue loss
To determine the loss of revenue, it is necessary to determine which processes and functions that support service or product delivery are involved with the creation of revenue. If these processes and functions are not performed: is revenue lost, and how much? If services or goods cannot be provided, would the organization lose revenue, how much, and for what length of time? If clients cannot access certain services or products, would they then go to another provider, resulting in further loss of revenue?
E. Identify additional expenses
If a business function or process is inoperable, how long would it take before additional expenses would start to add up? How long could the function be unavailable before extra personnel would have to be hired? Would fines or penalties from breaches of legal responsibilities, agreements, or governmental regulations be an issue, and if so, what are the penalties?
F. Identify intangible losses
Estimates are required to determine the approximate cost of the loss of consumer and investor confidence, damage to reputation, loss of competitiveness, reduced market share, and violation of laws and regulations. Loss of image or reputation is especially important for public institutions, as they are often perceived as having higher standards.
G. Insurance requirements
Since few organizations can afford to pay the full costs of a recovery, having insurance ensures that recovery is fully or partially financed. Use the BIA to help decide both what needs insurance coverage and the corresponding level of coverage.
H. Ranking
Once all relevant information has been collected and assembled, rankings for the critical business services or products can be produced. Ranking is based on the potential loss of revenue, time of recovery and severity of impact a disruption would cause. Minimum service levels and maximum allowable downtimes are then determined.
I. Identify dependencies
Identify the internal and external dependencies of critical services or products, since service delivery relies on those dependencies.
- Internal dependencies include employee availability; corporate assets such as equipment, facilities, computer applications, data, tools and vehicles; and support services such as finance, human resources, security and information technology support.
- External dependencies include suppliers; any external corporate assets such as equipment, facilities, computer applications, data, tools and vehicles; and any external support services such as facility management, utilities, communications, transportation, financial institutions, insurance providers, government services, legal services, and health and safety services.

3. Plans for business continuity
Preparation of detailed response/recovery plans and arrangements to ensure continuity. These plans and arrangements detail the ways and means to ensure critical services and products are delivered at minimum service levels within tolerable downtimes. Continuity plans should be made for each critical service or product.
1. Mitigating threats and risks
2. Analyze current recovery capabilities
3. Create continuity plans
4. Response preparation
5. Alternate facilities

4. Readiness procedures
The following can be used to check the organization's readiness:
A. Training
B. Exercise
C. Goal
D. Objectives
E. Scope
F. Communications for participants
G. Testing and post-exercise evaluation

5. Quality assurance techniques
Review of the BCP should assess the plan's accuracy, relevance and effectiveness.
It uncovers which aspects of a BCP need improvement. Continuous appraisal of the BCP is essential to maintaining its effectiveness. The appraisal can be performed by an internal review or by an external audit.

Components of a BCP:
- Continuity of operations plan
- Disaster recovery plan (DRP)
- Business resumption plan
A BCP may also include:
- Continuity of support plan / IT contingency plan
- Crisis communication plan
- Incident response plan
- Transportation plan
- Occupant emergency plan
- Evacuation and emergency relocation plan

What to do when a disruption occurs:
Disruptions are handled in three steps:
1. Response
2. Continuation of critical services
3. Recovery and restoration

BCP plan testing:
The BCP test should achieve the following tasks:
- Verify the completeness of the BCP
- Evaluate the performance of personnel involved in the exercise
- Appraise the training and awareness of employees who are not members of the BCP team
- Evaluate the coordination between the BCP team and external vendors and suppliers
- Measure the ability and capacity of the backup site to perform prescribed processing
- Assess the vital records retrieval capability
- Evaluate the state and quantity of equipment and supplies that have been relocated to the recovery site
- Measure the overall performance of operational and IT processing activities related to maintaining the business entity

BCP test types:
1. Desk-based evaluation/paper test – a paper walk-through of the plan, involving major players in the plan's execution who reason out what might happen in a particular type of service disruption.
2. Preparedness test – usually a localized version of a full test, wherein actual resources are expended in the simulation of a system crash.
3. Full operational test – this is one step away from an actual service disruption. The organization should have tested the plan well on paper and locally before endeavoring to completely shut down operations.

The IS auditor's tasks include:
1. Understanding and evaluating the business continuity strategy and its connection to business objectives.
2. Reviewing BIA findings to ensure that they reflect current business priorities and current controls.
3. Evaluating the BCPs to determine their adequacy and currency, by reviewing the plans and comparing them to appropriate standards and/or government regulations, including the RTO, RPO, etc. defined by the BIA.
4. Verifying that the BCPs are effective, by reviewing the results from previous tests performed by IT and end user personnel.
5. Evaluating cloud-based mechanisms.
6. Evaluating offsite storage to ensure its adequacy, by inspecting the facility and reviewing its contents and security and environmental controls.
7. Verifying the arrangements for transporting backup media to ensure that they meet the appropriate security requirements.
8. Evaluating the ability of personnel to respond effectively in emergency situations, by reviewing emergency procedures, employee training and the results of their tests and drills.
9. Ensuring that the process of maintaining the plan is in place and effective and covers both periodic and unscheduled revisions.
10. Evaluating whether the business continuity manuals and procedures are written in a simple and easy-to-understand manner.

When reviewing the developed plan, IS auditors should verify that the basic elements of a well-developed plan are evident:
- Review the document
- Review the applications covered by the plan
- Review the business continuity teams
- Plan testing
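The BIA prioritization and ranking described in steps B through H above, together with the check an auditor makes in task 3 that current recovery capability meets the maximum tolerable downtime the BIA defines (an added example, not from the slides; the three services, their figures and the intangible-loss weighting are constructed assumptions):

```python
"""Business impact analysis: prioritisation and ranking of critical services
(BIA steps B to H) plus the recovery-capability gap check an auditor performs
against the maximum tolerable downtime (MTD) the BIA defines. Added example,
not from the slides; services, figures and the intangible weighting are constructed."""
from dataclasses import dataclass


@dataclass
class Service:
    name: str
    revenue_per_hour: float        # D. revenue produced by the processes behind the service
    expense_start_hour: float      # E. outage hours before extra expenses (overtime, temps) begin
    expense_per_hour: float        # E. extra cost per hour once they begin
    penalty_after_hour: float      # E. outage hours after which a contractual/regulatory fine applies
    penalty: float                 # E. the one-off fine
    intangible_score: int          # F. 1 (low) .. 5 (high): reputation, confidence, market share
    mtd_hours: float               # B. maximum period the service can be down before severe damage
    min_service_level: float       # B. minimum acceptable delivery level (fraction of normal)
    current_recovery_hours: float  # 3.2 recovery time the current capability actually achieves


def loss_at(service: Service, hours: float) -> float:
    """Direct financial impact (steps D and E) of an outage lasting `hours`."""
    loss = service.revenue_per_hour * hours
    if hours > service.expense_start_hour:
        loss += service.expense_per_hour * (hours - service.expense_start_hour)
    if hours >= service.penalty_after_hour:
        loss += service.penalty
    return loss


def severity(service: Service) -> float:
    """Step H ranking key: loss at the tolerable limit, weighted by intangible impact
    (assumed 25 % uplift per level above 1)."""
    return loss_at(service, service.mtd_hours) * (1 + 0.25 * (service.intangible_score - 1))


def rank_services(services):
    """Step H: highest severity first, shorter MTD breaking ties.
    Returns (name, severity, mtd_hours, min_service_level) per service."""
    ordered = sorted(services, key=lambda s: (-severity(s), s.mtd_hours))
    return [(s.name, severity(s), s.mtd_hours, s.min_service_level) for s in ordered]


def recovery_gaps(services):
    """Services whose current recovery capability is slower than the MTD set by the BIA:
    these need new continuity arrangements (plans section 3) and are audit findings."""
    return [(s.name, s.current_recovery_hours, s.mtd_hours)
            for s in services if s.current_recovery_hours > s.mtd_hours]


# Constructed sample: an online shop front, payroll and an internal wiki.
SERVICES = [
    Service("online ordering", 8000, 2, 800, 4, 30000, 5, 4, 0.5, 12),
    Service("payroll", 0, 24, 1000, 48, 20000, 4, 72, 1.0, 24),
    Service("internal wiki", 0, 40, 200, float("inf"), 0, 1, 120, 0.0, 8),
]

if __name__ == "__main__":
    for rank, (name, sev, mtd, msl) in enumerate(rank_services(SERVICES), start=1):
        print(f"{rank}. {name:16} severity={sev:>10,.0f} MTD={mtd}h min level={msl:.0%}")
    for name, have, need in recovery_gaps(SERVICES):
        print(f"GAP: {name} recovers in {have}h but MTD is {need}h")
```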