IT governance is concerned with two issues: that IT delivers value to the business, and that IT risks are
mitigated. The second is driven by embedding accountability into the enterprise, which in turn also helps
ensure achievement of the first objective.
Audit provides recommendations to senior management to help improve the quality and effectiveness of
the IT governance initiatives.
However, the board of directors and executive management are responsible for IT governance.
(A steering committee is more technical in nature and oversees the project.)
A strategic plan covers roughly 3-5 years and is based on the mission, vision and business objectives.
IS short-term plans are more operational or tactical in nature: they address specific, short-term requirements that are
not necessarily strategic.
Risk management process: the board and executive management choose the risk management strategy and action, which may
be mitigating the risk, transferring the risk or accepting the risk.
A prerequisite for a balanced scorecard is a set of key performance indicators (KPIs) that are applicable in
the organizational context; it must be clear what each indicator measures.
Balanced scorecard goes beyond traditional financial evaluations, with measures concerning:
Customer satisfaction
Internal/operational processes – how effectively these are managed.
Ability to innovate
The balanced scorecard is used by the strategy committee and management to achieve IT and business alignment.
Three parts to the structure
Specific terms -
SLE (single loss expectancy): the dollar amount of potential loss to an organization if a specific threat took
place.
ARO (annual rate of occurrence): the number of incidents or exposures that could be expected per year.
Outsourcing: the goal is to achieve lasting, meaningful improvement in business processes and services, but
this requires management to actively manage the relationship and the outsourced services.
Auditors are concerned with SLAs, quality management (including CMM and ISO), continuity of services,
control procedures, etc.
The SLA should serve as an instrument of control. SLAs set the baseline by which the outsourcer performs the
IS function (they are based on business requirements).
If software development is outsourced, source code escrow is critical: if the company goes out of
business, who owns the intellectual property is a concern to the auditor. BCP is also a concern, as are
cross-border (data) issues and whether core business processes are being outsourced.
References should also be part of the RFP. Accountability can never be outsourced; it always remains the responsibility
of the outsourcer.
Risk arising from outsourcing can be mitigated by outsourcing to more than one vendor.
A gap analysis is needed to check the company against the requirements in the standards so that the company can
then fill the gaps; this is part of ISO 9001 quality management best practices.
Segregation of duties: the auditor should evaluate the functions assigned to staff to make sure duties are actually segregated.
Education of users is more important to the successful implementation and maintenance of a security
policy than management support.