
IT Governance:

Governance helps ensure the alignment of IT and business objectives.

IT governance is concerned with two issues: that IT delivers value to the business and that IT risks are
mitigated. The second is achieved by embedding accountability into the enterprise, which in turn also
helps ensure achievement of the first objective.

IT governance is a subset of corporate governance.

Audit provides recommendations to senior management to help improve the quality and effectiveness of
the IT governance initiatives.

Executive IT setup in an organization includes:

1. Board of Directors
2. Executive Management
3. IT strategy committee – advises the board of directors
4. CISO

However, the Board of Directors and Executive Management are the ones responsible for IT governance.
(The steering committee is more technical in nature – it oversees the project.)

A strategic plan typically covers 3-5 years and is based on the mission, vision and business objectives.

IS short-term plans are more operational or tactical in nature – specific, short-term requirements that are
not necessarily strategic in nature.

Risk management process – the board and executive management choose the risk management strategy and action,
which may be mitigating the risk, transferring the risk or accepting the risk.

Cost/benefit analysis is an essential part of this.

IT Balanced Scorecard is used to measure effectiveness of IT.

A prerequisite for the balanced scorecard is a set of key performance indicators (KPIs) which are applicable in
the organizational context and for which it is known what is being measured.

Balanced scorecard goes beyond traditional financial evaluations, with measures concerning:

Customer satisfaction
Internal/operational processes – how effectively these are managed.
Ability to innovate

The Balanced Scorecard is used by the strategy committee and management to achieve IT and business alignment.
Three parts to the structure:

– mission (what does IT want to do or become?),
– strategies (how will they accomplish their mission) and
– measurements (metrics)

Enterprise architecture: documenting IT’s assets in a structured manner to facilitate understanding,
management and planning for IT investments.

Risk Management Process:

1. Identification and classification of information resources or assets that need protection.
2. Assess the threats and vulnerabilities associated with the assets and the likelihood of occurrence. This
includes impact analysis.
3. Evaluate existing controls or new controls designed to address the vulnerabilities.

Quantitative vs. Qualitative risk analysis methods

Quantitative risk analysis

Objective. This is based on numbers – it assigns numeric values to the elements of the risk
assessment and to the potential losses. It requires a lot of time and resources to do. Three steps:
1. Estimate potential loss
2. Conduct a threat analysis
3. Determine annual loss expectancy

Specific terms:

SLE – Single loss expectancy: dollar amount of potential loss to an organization if a specific threat took
place.

EF – Exposure factor: percentage of the asset lost if the threat is successful.

Asset value * Exposure factor (EF) = SLE

ARO – Annual rate of occurrence: number of incidents or exposures that could be expected per year.

ALE – Annual loss expectancy

Single loss expectancy (SLE) * Annual rate of occurrence (ARO) = ALE

Safeguard value: (ALE before safeguard) – (ALE after safeguard) – (Annual cost of safeguard) = Safeguard
value to the company.
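The SLE, ALE and safeguard-value formulas above, carried through on a constructed scenario as an added example (not part of the original notes): the asset value, exposure factors, rates of occurrence and the three candidate safeguards are all assumed figures, and a negative safeguard value flags a control that costs more per year than it saves.

```python
"""Quantitative risk analysis: SLE, ALE and safeguard value (constructed example)."""
from dataclasses import dataclass


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value * EF; EF is the fraction (0..1) of the asset lost per incident."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE * ARO; ARO is the expected number of incidents per year."""
    if aro < 0:
        raise ValueError("annual rate of occurrence cannot be negative")
    return sle * aro


def safeguard_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """(ALE before) - (ALE after) - (annual cost). Negative means the control is not worth it."""
    return ale_before - ale_after - annual_cost


@dataclass
class Safeguard:
    name: str
    annual_cost: float
    ef_after: float   # exposure factor if the threat still succeeds with the control in place
    aro_after: float  # expected incidents per year with the control in place


def rank_safeguards(asset_value, ef, aro, candidates):
    """Return (name, safeguard value) pairs for one asset/threat pair, best first."""
    ale_before = annual_loss_expectancy(single_loss_expectancy(asset_value, ef), aro)
    ranked = []
    for s in candidates:
        ale_after = annual_loss_expectancy(single_loss_expectancy(asset_value, s.ef_after), s.aro_after)
        ranked.append((s.name, safeguard_value(ale_before, ale_after, s.annual_cost)))
    return sorted(ranked, key=lambda pair: pair[1], reverse=True)


def example_ranking():
    """Constructed scenario: a 200,000 asset, EF 25%, one incident every five years (ARO 0.2)."""
    candidates = [
        Safeguard("offsite backups", annual_cost=3_000, ef_after=0.05, aro_after=0.2),   # shrinks the loss
        Safeguard("insurance", annual_cost=9_000, ef_after=0.0, aro_after=0.2),          # transfers the loss
        Safeguard("premium appliance", annual_cost=12_000, ef_after=0.25, aro_after=0.02),  # cuts frequency
    ]
    return rank_safeguards(200_000, 0.25, 0.2, candidates)
```

In this scenario the ALE before any safeguard is 10,000, so the backups (value 5,000) beat insurance (1,000), while the appliance comes out at -3,000 and fails the cost/benefit test.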

Qualitative Risk Analysis: subjective – based on high, medium, low ratings.

Outsourcing: the goal is to achieve lasting, meaningful improvement in business processes and services. But it
requires management to actively manage the relationship and the outsourced services.
Auditors are concerned with SLAs, quality management (including CMM and ISO), continuity of services,
control procedures etc.

SLA should serve as an instrument of control. SLAs set the baseline by which the outsourcers perform the
IS function (these are based on business requirements).

If software development is outsourced, source code escrow is critical, as in case the company goes out of
business, who owns the intellectual property is a concern to the auditor. BCP is also a concern, as are
cross-border (data) issues and whether core business processes are being outsourced.

References should also be part of the RFP. Accountability can never be outsourced – always responsibility
of the outsourcer.

Risk arising out of outsourcing can be mitigated by outsourcing to more than one vendor.

Do the contract and SLAs meet the needs of the business?

Quality Management is the means by which IS department based processes are controlled, measured and
improved.
A quality management system is based on a set of documents, manuals and records.

A gap analysis is needed to check the company against the requirements in the standards; the company can then
fill the gaps. This is part of ISO 9001 quality management best practices.

Constant striving for perfection.

Segregation of duties – Auditor should evaluate functions assigned to staff to make sure this is happening.

Several control mechanisms can be used to enforce segregation of duties.

Compensating controls for lack of segregation of duties (mostly detective in nature):

Audit trails
Reconciliation
Exception reporting
Transaction logs
Supervisory reviews
Independent reviews

Education of users is more important to the successful implementation and maintenance of a security
policy than management support.

Email retention is an important focus.

A lack of security controls is a vulnerability.
