
IT Governance
Information Security Governance
Acknowledgments
Material is sourced from:
• CISA® Review Manual 2011, © 2010, ISACA. All rights reserved. Used by permission.
• CISM® Review Manual 2012, © 2011, ISACA. All rights reserved. Used by permission.
Author: Susan J Lincke, PhD, Univ. of Wisconsin-Parkside
Reviewers/Contributors: Todd Burri, Kahili Cheng
Funded by National Science Foundation (NSF) Course, Curriculum and Laboratory Improvement (CCLI) grant 0837574: Information Security: Audit, Case Study, and Service Learning.
Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and/or source(s) and do not necessarily reflect the views of the National Science Foundation.
Objectives
Students should be able to:
• Describe IT governance committees: IT strategic committee, IT steering committee, security steering committee
• Describe mission, strategic plan, tactical plan, operational plan
• Define quality terms: quality assurance, quality control
• Describe security organization members: CISO, CIO, CSO, Board of Directors, Executive Management, Security Architect, Security Administrator
• Define policy, compliance, IT Balanced Scorecard, measure, ISO 9001, enterprise architecture
• Define sourcing practices: insource, outsource, hybrid, onsite, offshore
• Define policy documents: data classification, acceptable usage policy, access control policies
Corporate Governance
Corporate Governance: Leadership by corporate directors in creating and presenting value for all stakeholders
IT Governance: Ensure the alignment of IT with enterprise objectives
• Responsibility of the board of directors and executive mgmt
IT Governance Objectives
• IT delivers value to the business
• IT risk is managed
Processes include:
• Equip IS functionality and address risk
• Measure performance of delivering value to the business
• Comply with legal and regulatory requirements
IT Governance Committees
IT Strategic Committee
• Focuses on Direction and Strategy
• Advises board on IT strategy and alignment
• Optimization of IT costs and risk
• Members: Board members & specialists
IT Steering Committee
• Focuses on Implementation
• Monitors current projects
• Decides IT spending
• Members: Business executives (IT users), CIO, key advisors (IT, legal, audit, finance)
IT Strategy Committee
Main Concerns
• Alignment of IT with Business
• Contribution of IT to the Business
• Exposure & containment of IT Risk
• Optimization of IT costs
• Achievement of strategic IT objectives
IT Steering Committee
Main Concerns
• Decides whether IT is centralized or decentralized, and assigns responsibility
• Makes recommendations for strategic plans
• Approves IT architecture
• Reviews and approves IT plans, budgets, priorities & milestones
• Monitors major project plans and delivery performance
Strategic Planning Process
Strategic: Long-term (3-5 year) direction; considers organizational goals, regulation (and for IT: technical advances)
Tactical: 1-year plan that moves the organization toward the strategic goal
Operational: Detailed or technical plans
Security Strategic Planning
Strategic:
• Risk Mgmt – Laws
• Governance – Policy
• Organizational Security
• Data classification
Tactical:
• Audit – Risk analysis
• Business continuity
• Metrics development
• Incident response
Operational:
• Physical security
• Network security
• Policy compliance
• Metrics use
Strategic Planning
Strategy:
• Achieve COBIT Level 4
Tactical: During next 12 months:
• Each business unit must identify current applications in use
• 25% of all stored data must be reviewed to identify critical resources
• Business units must achieve regulatory compliance
• A comprehensive risk assessment must be performed for each business unit
• All users must undergo general security training
• Standards must exist for all policies
Standard IT Balanced Scorecard
Establish a mechanism for reporting IT strategic aims and progress to the board
Mission = Direction. E.g.:
• Serve business efficiently and effectively
Strategies = Objectives. E.g.:
• Quality thru Availability
• Process Maturity
Measures = Statistics. E.g.:
• Customer satisfaction
• Operational efficiency
IT Balanced Scorecard
Financial Goals: How should we appear to stockholders?
• Vision: / Metrics: / Performance:
Internal Business Process: What business processes should we excel at?
• Vision: / Metrics: / Performance:
Customer Goals: How should we appear to our customer?
• Vision: / Metrics: / Performance:
Learning and Growth Goals: How will we improve internally?
• Vision: / Metrics: / Performance:
Case Study: IT Governance
Strategic Plan – Tactical Plan
Strategic Plan (Objective – Time frame):
• Incorporate the business – 5 yrs
• Pass a professional audit – 4 yrs
Tactical Plan (Objective – Time frame):
• Perform strategic-level security, includes: – 1 yr
  • Perform risk analysis – 6 mos.
  • Perform BIA – 1 yr
  • Define policies – 1 yr
Case Study: IT Governance
Operational Planning
Objective and Timeframe – Responsibility:
• Hire an internal auditor and security professional; 2 months: March 1 – VP Finance
• Establish security team of business, IT, personnel; 1 month: Feb. 1 – VP Finance & Chief Info. Officer (CIO)
• Team initiates risk analysis and prepares initial report; 3 months: April 1 – CIO & Security Team
Enterprise Architecture
• Constructing IT is similar to constructing a building
• It must be designed and implemented at various levels:
  • Technical (Hardware, Software)
  • IT Procedures & Operations
  • Business Procedures & Operations
Enterprise architecture grid:
• Columns: Data, Functional (Applic.), Network (Tech), People (Org.), Process (Flow), Strategy
• Rows: Scope, Enterprise Model, Systems Model, Tech Model, Detailed Representation
Sourcing Practices
Insourced: Performed entirely by the organization’s staff
Outsourced: Performed entirely by a vendor’s staff
Hybrid: Partially insourced and partially outsourced
Onsite: Performed at IS dept site
Offsite or Nearshore: Performed in same geographical area
Offshore: Performed in a different geographical region
What advantages can you think of for insourcing versus outsourcing?
Quality with ISO 9001
ISO 9001: Standard for Quality Mgmt Systems. Recommendations include:
• Quality Manual: Documented procedures
• HR: Documented standards for personnel hiring, training, evaluation, …
• Purchasing: Documented standards for vendors: equipment & services
Gap Analysis: The difference between where you are and where you want to be
Quality Definitions
Quality Assurance: Ensures that staff are following defined quality processes: e.g., following standards in design, coding, testing, configuration management
Quality Control: Conducts tests to validate that software is free from defects and meets user expectations
Performance Optimization
Phases of Performance Measurement include:
• Establish and update performance metrics
• Establish accountability for performance measures
• Gather and analyze performance data
• Report and use performance results
Note: Strategic direction for how to achieve performance improvements is necessary
Categories of Performance Measures
• Performance Measurement: What are indicators of good IT performance?
• IT Control Profile: How can we measure the effectiveness of our controls?
• Risk Awareness: What are the risks of not achieving our objectives?
• Benchmarking: How do we perform relative to others and standards?
IS Auditor & IT Governance
• Is the IS function aligned with the organization’s mission, vision, values, objectives and strategies?
• Does IS achieve performance objectives established by the business?
• Does IS comply with legal, fiduciary, environmental, privacy, security, and quality requirements?
• Are IS risks managed efficiently and effectively?
• Are IS controls effective and efficient?
Audit: Recognizing Problems
• End-user complaints
• Excessive costs or budget overruns
• Late projects
• Poor motivation – high staff turnover
• High volume of H/W or S/W defects
• Inexperienced staff – lack of training
• Unsupported or unauthorized H/W or S/W purchases
• Numerous aborted or suspended development projects
• Reliance on one or two key personnel
• Poor computer response time
• Extensive exception reports, many not tracked to completion
Audit: Review Documentation
• IT Strategies, Plans, Budgets
• Security Policy Documentation
• Organization charts & Job Descriptions
• Steering Committee Reports
• System Development and Program Change Procedures
• Operations Procedures
• HR Manuals
• QA Procedures
• Contract Standards and Commitments
  • Bidding, selection, acceptance, maintenance, compliance
Question
The MOST important function of the IT
department is:
1. Cost effective implementation of IS
functions
2. Alignment with business objectives
3. 24/7 Availability
4. Process improvement
Question
Product testing is most closely
associated with which department:
1. Audit
2. Quality Assurance
3. Quality Control
4. Compliance
Question
“Implement virtual private network in the
next year” is a goal at the level:
1. Strategic
2. Operational
3. Tactical
4. Mission
Question
Which of the following is not a valid purpose of
the IS Audit?
1. Ensure IS strategic plan matches the intent of
the enterprise strategic plan
2. Ensure that IS has developed documented
processes for software acquisition and/or
development (depending on IS functions)
3. Verify that contracts followed a documented
process that ensures no conflicts of interest
4. Investigate program code for backdoors, logic
bombs, or Trojan horses
Question
Documentation that would not be viewed
by the IT Strategy Committee would be:
1. IT Project Plans
2. Risk Analysis & Business Impact
Analysis
3. IT Balanced Scorecard
4. IT Policies
Information Security Governance
Governance – Policy – Risk
Information Security Importance
• Organizations are dependent upon and are driven by information
  • Software = information on how to process
  • Data, graphics retained in files
• Information & computer crime has escalated
• Therefore information security must be addressed and supported at the highest levels of the organization
Security Organization
Review risk assessment & business impact analysis; define penalties for non-compliance with policies
Board of Directors: Defines security objectives and institutes security organization
Executive Mgmt
Security Steering Committee: Senior representatives of business functions; ensures alignment of security program with business objectives
Chief Info Security Officer (CISO)
Other positions: Chief Risk Officer (CRO), Chief Compliance Officer (CCO)
Security Governance
Strategic Alignment: Security solution consistent with organization goals and culture
Risk Management: Understand threats and cost-effectively control risk
Value Delivery: Prioritized and delivered for greatest business benefit
Performance Measurement: Metrics, independent assurance
Resource Management: Security architecture development & documentation
Process Integration: Security is integrated into a well-functioning organization
Executive Mgmt Info Security Concerns
• Reduce civil and legal liability related to privacy
• Provide policy and standards leadership
• Control risk to acceptable levels
• Optimize limited security resources
• Base decisions on accurate information
• Allocate responsibility for safeguarding information
• Increase trust and improve reputation outside the organization
Legal Issues
International trade and employment may be liable to different regulations than exist in the U.S., affecting:
• Hiring
• Internet business
• Trans-border data flows
• Cryptography
• Copyright, patents, trade secrets
• Etc.
Industry may be liable under legislation:
• SOX: Sarbanes-Oxley: Publicly traded corp.
• FISMA: Federal Info Security Mgmt Act
• HIPAA: Health Insurance Portability and Accountability Act
• GLBA: Gramm-Leach-Bliley: Financial privacy
Road Map for Security (New Program)
1. Documentation: Interview stakeholders (HR, legal, finance) to determine org. issues
2. Security Issues & concerns
3. Security Policies: Develop security policies for approval to Mgmt / Info Security Steering Committee
4. Training materials: Conduct security training & test for compliance
5. Improve standards: Develop compliance monitoring strategy
Security Relationships
The CISO works with each function on security:
• Exec. Mgmt: Security strategy, risk, & alignment
• S/W Dev.: Security requirements, access control, incident handling
• Human Res.: Hiring, training, roles & responsibility
• Purchasing: Security requirements in RFP, contract requirements
• Business: Security requirements, mgmt sign-off, acceptance test, access authorization
• Quality Control: Security requirements and review, change control, security upgrade/test
• Legal Dept: Laws & regulations
• IT Operations: Security monitoring, incident resp., site inventory, crisis management
Security Governance Framework
The Security Framework comprises:
• Security Strategy
• Security Organization
• Policies, Standards, Procedures
• Compliance Monitoring
Secure Strategy: Risk Assessment
Five Steps include:
1. Assign Values to Assets:
  • Where are the Crown Jewels?
2. Determine Loss due to Threats & Vulnerabilities
  • Confidentiality, Integrity, Availability
  • Loss = Downtime + Recovery + Liability + Replacement
3. Estimate Likelihood of Exploitation
  • Weekly, monthly, 1 year, 10 years?
4. Compute Expected Loss
  • Risk Exposure = ProbabilityOfVulnerability * $Loss
5. Treat Risk
  • Survey & Select New Controls
  • Reduce, Transfer, Avoid or Accept Risk
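The five steps above carried through in code, as an added example that is not part of the original slides or the ISACA manuals they draw on. It assumes the likelihood from step 3 is expressed as "about once every N days" and annualized to an expected event count per year (weekly = 7, monthly = 30, yearly = 365, once a decade = 3650), so that Risk Exposure is an annual dollar figure; the asset values, loss figures, control cost and insurance premium are constructed for illustration. Step 5 is decided with a simple rule: accept when exposure is already within the acceptable level, reduce when a control saves more each year than it costs, transfer when insurance is cheaper than the exposure, and avoid otherwise.

```python
from dataclasses import dataclass
from typing import Optional

DAYS_PER_YEAR = 365.0


# Step 3: likelihood of exploitation, "about once every N days", annualized
# to an expected number of events per year (assumption of this example).
def annual_rate(once_every_days: float) -> float:
    if once_every_days <= 0:
        raise ValueError("interval must be positive")
    return DAYS_PER_YEAR / once_every_days


# Step 2: Loss = Downtime + Recovery + Liability + Replacement (dollars).
@dataclass
class Loss:
    downtime: float = 0.0
    recovery: float = 0.0
    liability: float = 0.0
    replacement: float = 0.0

    def total(self) -> float:
        return self.downtime + self.recovery + self.liability + self.replacement


# Steps 1-4: one threat/vulnerability scenario against a valued asset.
@dataclass
class Scenario:
    asset: str
    loss: Loss
    once_every_days: float

    def exposure(self) -> float:
        # Step 4: Risk Exposure = ProbabilityOfVulnerability * $Loss, per year.
        return annual_rate(self.once_every_days) * self.loss.total()


# A candidate control: costs money each year and cuts the event rate by a factor.
@dataclass
class Control:
    name: str
    annual_cost: float
    rate_reduction: float  # 0.5 means half as many events per year


# Step 5: choose Reduce, Transfer, Avoid or Accept.
def treat_risk(scenario: Scenario, acceptable_exposure: float,
               control: Optional[Control] = None,
               insurance_premium: Optional[float] = None) -> dict:
    exposure = scenario.exposure()
    if exposure <= acceptable_exposure:
        return {"asset": scenario.asset, "strategy": "accept",
                "exposure": exposure, "residual": exposure}
    if control is not None:
        residual = exposure * (1.0 - control.rate_reduction)
        # Reduce only when the control saves more per year than it costs.
        if control.annual_cost < exposure - residual:
            return {"asset": scenario.asset, "strategy": "reduce",
                    "exposure": exposure, "residual": residual,
                    "control": control.name}
    if insurance_premium is not None and insurance_premium < exposure:
        return {"asset": scenario.asset, "strategy": "transfer",
                "exposure": exposure, "residual": insurance_premium}
    return {"asset": scenario.asset, "strategy": "avoid",
            "exposure": exposure, "residual": 0.0}


# Constructed sample scenarios (illustrative figures, not from any real assessment).
LAPTOP_THEFT = Scenario("customer database copy on laptop",
                        Loss(downtime=2000, recovery=5000, liability=50000, replacement=1500),
                        once_every_days=3650)          # about once a decade
WEB_OUTAGE = Scenario("public web server",
                      Loss(downtime=4000, recovery=3000),
                      once_every_days=30)               # about monthly
PAYMENT_FRAUD = Scenario("payment processing",
                         Loss(liability=200000),
                         once_every_days=365)           # about yearly

# Constructed control: cuts monthly incidents to roughly yearly ones.
PATCHING = Control("automated patching and hardening",
                   annual_cost=20000, rate_reduction=11.0 / 12.0)

if __name__ == "__main__":
    for result in (treat_risk(LAPTOP_THEFT, 10000),
                   treat_risk(WEB_OUTAGE, 10000, control=PATCHING),
                   treat_risk(PAYMENT_FRAUD, 10000, insurance_premium=30000)):
        print(f"{result['asset']}: exposure ${result['exposure']:,.0f}/yr "
              f"-> {result['strategy']} (residual ${result['residual']:,.0f}/yr)")
```

With these figures the laptop scenario stays under the $10,000 acceptable level and is accepted, the monthly web outage (about $85,000/yr) is reduced by the $20,000 control, and the yearly $200,000 liability is transferred because the $30,000 premium is cheaper than the exposure.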
Example Policy Documents
Data Classification: Defines data security categories, ownership and accountability
Acceptable Usage Policy: Describes permissible usage of IT equipment/resources
End-User Computing Policy: Defines usage and parameters of desktop tools
Access Control Policies: Defines how access permission is defined and allocated
After policy documents are created, they must be officially reviewed, updated, disseminated, and tested for compliance
Compliance Function
Compliance: Ensures compliance with organizational policies
• E.g.: Listen to selected help desk calls to verify proper authorization occurs when resetting passwords
• Best if compliance tests are automated
Compliance: ongoing process over time; ensures adherence to policies
Audit: Snapshot of compliance at a point in time
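An automated version of the help-desk example above, added here as illustration and not part of the original slides. It assumes the help desk writes one record per ticket in a simple key=value format (constructed for this example) and that the organization's reset policy requires an approved identity-verification method and forbids an agent resetting their own account; the sample records and the approved-method list are constructed. The check returns findings the compliance function can follow up on, and a compliance rate that can be tracked as a metric.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed policy: a reset is compliant only when the caller was verified
# by an approved method and the agent is not resetting their own account.
APPROVED_VERIFICATION = {"callback", "manager_approval", "id_questions"}

# Constructed sample help-desk records (not real data); one ticket per line.
SAMPLE_LOG = """\
2024-03-01T09:12:05 ticket=1041 agent=jdoe action=password_reset user=asmith verified=callback
2024-03-01T09:40:18 ticket=1042 agent=jdoe action=password_reset user=bwong verified=none
2024-03-01T10:02:51 ticket=1043 agent=mlee action=password_reset user=mlee verified=id_questions
2024-03-01T10:15:33 ticket=1044 agent=mlee action=unlock_account user=cpark verified=callback
2024-03-01T11:47:09 ticket=1045 agent=rkim action=password_reset user=dnguyen verified=email_link
2024-03-01T12:03:44 ticket=1046 agent=rkim action=password_reset user=efoster verified=manager_approval
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ticket=(?P<ticket>\d+) agent=(?P<agent>\S+) "
    r"action=(?P<action>\S+) user=(?P<user>\S+) verified=(?P<verified>\S+)$")


@dataclass
class Finding:
    ticket: str
    agent: str
    reason: str


def parse_records(text: str) -> List[dict]:
    """Parse the constructed record format; malformed lines are kept as findings."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            records.append({"ts": "?", "ticket": f"line{lineno}", "agent": "?",
                            "action": "unparseable", "user": "?", "verified": "?"})
            continue
        records.append(m.groupdict())
    return records


def check_password_resets(text: str) -> List[Finding]:
    """Automated compliance test: every reset must satisfy the reset policy."""
    findings = []
    for r in parse_records(text):
        if r["action"] == "unparseable":
            findings.append(Finding(r["ticket"], r["agent"], "record could not be parsed"))
            continue
        if r["action"] != "password_reset":
            continue  # only resets are in scope for this test
        if r["verified"] not in APPROVED_VERIFICATION:
            findings.append(Finding(r["ticket"], r["agent"],
                                    f"reset without approved verification ({r['verified']})"))
        if r["agent"] == r["user"]:
            findings.append(Finding(r["ticket"], r["agent"], "agent reset their own account"))
    return findings


def compliance_rate(text: str) -> float:
    """Share of password resets with no finding; 1.0 when there were no resets."""
    resets = [r for r in parse_records(text) if r["action"] == "password_reset"]
    if not resets:
        return 1.0
    noncompliant = {f.ticket for f in check_password_resets(text)}
    return 1.0 - sum(1 for r in resets if r["ticket"] in noncompliant) / len(resets)


if __name__ == "__main__":
    for f in check_password_resets(SAMPLE_LOG):
        print(f"ticket {f.ticket} (agent {f.agent}): {f.reason}")
    print(f"compliance rate: {compliance_rate(SAMPLE_LOG):.0%}")
```

Run against the whole ticket stream on a schedule, this is the ongoing compliance process; run once against a day's records, it is the audit snapshot.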
Compliance Program –
Security Review or Audit Test
Objective: Is our web-interface to DB safe?
Scope: Penetration test on DB
Constraints: Must test between 1-4 AM
Approach:
1. Tester has valid session credentials
2. Specific records allocated for test
3. Test: SQL Injection
Result:
These problems were found: …
Security Positions
Security Architect
• Design secure network topologies, access control, security policies & standards
• Evaluate security technologies
• Work with compliance, risk mgmt, audit
Security Administrator
• Allocate access to data under data owner
• Prepare security awareness program
• Test security architecture
• Monitor security violations and take corrective action
• Review and evaluate security policy
Security Architect: Control Analysis
Controls are analyzed along five dimensions: Policy, Placement, Implementation, Efficiency, Effectiveness. Questions to ask:
• Do controls fail secure or fail open?
• Is the policy restrictive or permissive (denied unless expressly permitted, or vice versa)?
• Does the control align with policy & business expectation?
• Where are controls located? Are controls layered? Is control redundancy needed?
• Have controls been tested?
• Are controls self-protecting?
• Do controls meet control objectives?
• Will controls alert security personnel if they fail?
• Are control activities logged and reviewed?
• Are key controls monitored in real time?
• Are controls easily circumvented?
• Does the control protect broadly or one application?
• If the control fails, is there a control remaining (single point of failure)?
• If the control fails, does the application fail?
• Are controls reliable?
• Do they inhibit productivity?
• Are they automated or manual?
Control Practices
These may be useful in particular conditions:
Automate Controls: Make bypassing technically infeasible
Access Control: Users should be identified, authenticated and authorized before accessing resources
Secure Failure: If compromise is possible, stop processing
Compartmentalize to Minimize Damage: Access control required per system resource set
Transparency: Communicate so that the average layperson understands the control; understanding builds support
Trust: Verify communicating partner through a trusted 3rd party (e.g., PKI)
Trust No One: Oversight controls (e.g., CCTV)
Segregation of Duties: Require collusion to defraud the organization
Principle of Least Privilege: Minimize system privileges
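The fail-secure, restrictive-policy and alerting questions from the Control Analysis slide, and the Access Control and Secure Failure practices above, shown in one small authorization check. This is an added example, not code from the original slides; the permit and deny tables, the subjects and resource names are constructed, and the unreachable policy store is simulated with a flag. The same request is decided under restrictive and permissive policy and under fail-secure and fail-open behaviour, so the difference each design choice makes is visible in the returned decision and in the alert list.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed policy tables, keyed by (subject, resource) -> actions.
PERMITS: Dict[Tuple[str, str], Set[str]] = {
    ("alice", "payroll_db"): {"read"},
    ("bob", "payroll_db"): {"read", "write"},
    ("alice", "wiki"): {"read", "write"},
}
DENIES: Dict[Tuple[str, str], Set[str]] = {
    ("carol", "payroll_db"): {"write"},
}


class PolicyStore:
    """Wraps the policy tables; available=False simulates the store being unreachable."""

    def __init__(self, permits, denies, available=True):
        self.permits = permits
        self.denies = denies
        self.available = available

    def lookup(self, subject: str, resource: str) -> Tuple[Set[str], Set[str]]:
        if not self.available:
            raise RuntimeError("policy store unreachable")
        return (self.permits.get((subject, resource), set()),
                self.denies.get((subject, resource), set()))


@dataclass
class Decision:
    allowed: bool
    reason: str


@dataclass
class AccessControl:
    store: PolicyStore
    restrictive: bool = True   # True: denied unless expressly permitted; False: the reverse
    fail_secure: bool = True   # True: a failing control denies; False: it lets requests through
    audit_log: List[str] = field(default_factory=list)
    alerts: List[str] = field(default_factory=list)

    def authorize(self, subject: str, resource: str, action: str) -> Decision:
        try:
            permitted, denied = self.store.lookup(subject, resource)
        except Exception as exc:
            # Control failure: alert security personnel either way, then apply the
            # failure mode. Fail open grants access with no policy consulted at all.
            self.alerts.append(f"policy lookup failed for {subject}/{resource}: {exc}")
            if self.fail_secure:
                decision = Decision(False, "denied: control failure (fail secure)")
            else:
                decision = Decision(True, "allowed: control failure (fail open)")
        else:
            if action in denied:
                decision = Decision(False, "denied: explicit deny")
            elif action in permitted:
                decision = Decision(True, "allowed: explicit permit")
            elif self.restrictive:
                decision = Decision(False, "denied: no explicit permit")
            else:
                decision = Decision(True, "allowed: permissive default")
        # Every decision is logged so control activity can be reviewed.
        self.audit_log.append(f"{subject} {action} {resource} -> {decision.reason}")
        return decision


if __name__ == "__main__":
    strict = AccessControl(PolicyStore(PERMITS, DENIES))
    loose = AccessControl(PolicyStore(PERMITS, DENIES), restrictive=False)
    broken = AccessControl(PolicyStore(PERMITS, DENIES, available=False))
    for ac, label in ((strict, "restrictive"), (loose, "permissive"), (broken, "store down")):
        d = ac.authorize("mallory", "payroll_db", "read")
        print(f"{label:12} mallory read payroll_db -> {d.reason}")
    print("alerts:", broken.alerts)
```

Under the permissive policy an unknown subject reads the payroll database because nothing expressly denies it, which is why the restrictive default is the usual choice; with the store down, the fail-secure configuration denies and raises an alert, whereas fail open would grant the same request with no policy consulted.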
Security Administrator: Security Operations
• Identity Mgmt & Access control
• System patching & configuration mgmt
• Change control & release mgmt
• Security metrics collection & reporting
• Control technology maintenance
• Incident response, investigation, and resolution
Summary of Security Mgmt Functions
• Develop security strategy
  • Linked with business objectives
  • Regulatory & legal issues are addressed
  • Sr Mgmt acceptance & support
• Complete set of policies
  • Standards & Procedures for all relevant policies
• Security awareness for all users and security training as needed
• Classified information assets by criticality and sensitivity
Summary of Security Mgmt Functions
• Effective compliance & enforcement processes
  • Metrics are maintained and disseminated
  • Monitoring of compliance & controls
  • Utilization of security resources is effective
  • Noncompliance is resolved in a timely manner
• Effective risk mgmt and business impact assessment
  • Risks are assessed, communicated, and managed
  • Controls are designed, implemented, maintained, tested
  • Incident and emergency response processes are tested
  • Business Continuity & Disaster Recovery Plans are tested
Summary of Security Mgmt Functions
• Develop security strategy, oversee security program, liaise with business process owners for ongoing alignment
• Clear assignment of roles & responsibilities
• Security participation with Change Management
• Address security issues with 3rd party service providers
• Liaise with other assurance providers to eliminate gaps and overlaps
Question
Who can contribute the MOST to determining the
priorities and risk impacts to the organization’s
information resources?
1. Chief Risk Officer
2. Business Process Owners
3. Security Manager
4. Auditor
Question
A document that describes how access
permission is defined and allocated is
the:
1. Data Classification
2. Acceptable Usage Policy
3. End-User Computing Policy
4. Access Control Policies
Question
The role of the Information Security
Manager in relation to the security
strategy is:
1. Primary author with business input
2. Communicator to other departments
3. Reviewer
4. Approves the strategy
Question
The role most likely to test a control is the:
1. Security Administrator
2. Security Architect
3. Quality Control Analyst
4. Security Steering Committee
Question
The Role responsible for defining security
objectives and instituting a security
organization is the:
1. Chief Security Officer
2. Executive Management
3. Board of Directors
4. Chief Information Security Officer
Question
When implementing a control, the PRIMARY
guide to implementation adheres to:
1. Organizational Policy
2. Security frameworks such as COBIT, NIST,
ISO/IEC
3. Prevention, Detection, Correction
4. A layered defense
Question
The persons on the Security Steering
Committee who can contribute the BEST
information relating to ensuring Information
Security success is:
1. Chief Information Security Officer
2. Business process owners
3. Executive Management
4. Chief Information Officer
Reference
Slide #  Slide Title                          Source of Information
4        Corporate Governance                 CISA: page 87, 88
6        IT Governance Committees             CISA: page 90
7        IT Strategy Committee                CISA: page 90
12       Standard IT Balanced Scorecard       CISA: page 91
16       Enterprise Architecture              CISA: page 94, 95 Exhibit 2.5
17       Sourcing Practices                   CISA: page 106
18       Quality with ISO 9001                CISA: page 112
19       Quality Definitions                  CISA: page 116
20       Performance Optimization             CISA: page 113, 114
21       Categories of Performance Measures   CISA: page 114
32       Security Organization                CISA: page 94, 95 Exhibit 2.4
33       Security Governance                  CISA: page 92, 93
39       Secure Strategy: Risk Assessment     CISM: page 100
40       Example Policy Documents             CISA: page 100
43       Security Positions                   CISA: page 116, 117
