CIS-HANDOUT4

Cards (41)

  • Governance
    Making decisions that define expectations, grant authority, or ensure performance
  • Enterprise governance
    A framework covering both the corporate governance and the business governance aspects of an organization
  • Corporate governance
    • Encompasses the ethical issues, decision-making, and overall practices within an organization
    • Involves a set of relationships among a company's management, its board, its shareholders, and other stakeholders
    • Provides the structure through which the objectives of the company are set, and the means of attaining those objectives and monitoring performance are determined
  • IT governance
    • The management and assessment of strategic information technology (IT) resources
    • Consists of the leadership and organizational structures and processes that ensure the enterprise's IT sustains and extends the organization's strategies and objectives
  • Objectives of IT governance
    • Reduce risk
    • Ensure that investments in IT resources add value to the corporation
  • Components of enterprise governance
    • Conformance processes
    • Performance processes
  • Conformance processes
    Board structures and roles, executive remuneration
  • Performance processes
    Strategy and value creation
  • Codes and/or standards can generally help in the conformance processes area, with compliance subject to assurance and audit
  • Performance oversight does not fit easily with a regime of standards and audit, so it is desirable to develop a range of best practice tools and techniques that can be applied intelligently in different types of organizations
  • Enterprise governance frameworks
    • COBIT
    • COSO
    • FAIR
    • ITIL
  • COBIT
    A framework for the governance and management of enterprise information and technology (I&T), aimed at the whole enterprise
  • Governance in COBIT
    • Ensures that stakeholder needs, conditions, and options are evaluated to determine balanced, agreed-on enterprise objectives
    • Sets the direction through prioritization and decision making
    • Monitors performance and compliance against agreed-on direction and objectives
  • Management in COBIT
    Includes planning, building, running, and monitoring activities, in alignment with the direction set by the governance body, to achieve the enterprise objectives
  • COBIT
    • Well suited to organizations focused on risk management and mitigation
    • Very detailed, which can make it costly and time-consuming to implement
  • COBIT provides a formal framework for aligning IS strategy with the business strategy
  • COSO
    A framework that provides an applied risk management approach to internal controls
  • Components of the updated COSO framework
    • Governance and Culture
    • Strategy and Objective Setting
    • Performance
    • Review and Revision
    • Information, Communication, and Reporting
  • FAIR
    A model that helps organizations quantify risk, focusing on cybersecurity and operational risk
  • Primary components of the FAIR framework
    • Threats
    • Assets
    • Organization
    • External Environment
  • ITIL
    Focuses on IT service management, aiming to ensure that IT services support the core processes of the business
  • Stages in ITIL
    • Service strategy
    • Service design
    • Service transition
    • Service operation
    • Continual service improvement
  • Role of auditors in IT governance
    • Provide leading practice recommendations to senior management to help improve the quality and effectiveness of the IT governance initiatives implemented
    • Ensure compliance with EGIT initiatives implemented within an organization
    • Provide an independent and balanced view to ensure a qualitative assessment that subsequently facilitates the qualitative improvement of IT processes and associated EGIT initiatives
  • Aspects an IS auditor should assess related to EGIT
    • Alignment of enterprise governance and EGIT
    • Alignment of the IT function with the organization's mission, vision, values, objectives, and strategies
    • Achievement of performance objectives
    • Legal, environmental, information quality, fiduciary, security, and privacy requirements
    • The control environment of the organization
    • The inherent risk within the IS environment
    • IT investment/expenditure
  • Organizational structure in EGIT
    Identifies the key decision-making entities in an enterprise
  • Organizational structures, roles, and responsibilities in EGIT
    • IT Governing Committees
    • Information security governance
  • IS auditor
    The qualifications and experience of the IS auditor should be considered for appropriateness with regard to the nature of the planned audit
  • When the IS auditor's qualifications or experience are found to be insufficient, the appropriate level of management may consider hiring an independent third party to manage or perform the audit
  • Organizational structure
    One of the key components of governance, identifies the key decision-making entities in an enterprise
  • Organizational structures, roles, and responsibilities within an EGIT
    • IT Governing Committees
    • Board of Directors
    • Senior Management
    • Information Security Standards Committee
    • IT Steering Committee
  • IT Governing Committees
    Traditionally, organizations have had executive-level steering committees to handle IT issues that are relevant organization-wide
  • Information security governance
    Requires strategic direction, commitment, resources, and assignment of responsibility for information security management as well as a means for the board to determine that its intent has been met
  • Board of Directors
    Members need to be aware of the organization's information assets and their criticality to ongoing business operations, approve the assessment of the key assets to be protected, and exercise oversight of security measures
  • Senior Management
    Responsible for implementing effective security governance and defining the strategic security objectives of an organization
  • Information Security Standards Committee (ISSC)
    Comprised of senior representatives of affected groups, facilitates achieving consensus on priorities and trade-offs, serves as an effective communications channel, provides an ongoing basis for ensuring the alignment of the security program with business objectives
  • IT Steering Committee
    Oversees the IT function and its activities, ensures the IT department is in harmony with the corporate mission and objectives, reviews long- and short-range IT plans, approves major acquisitions and projects, reviews sourcing strategies, reviews resource adequacy and allocation
  • Human resources (HR) management
    Organizational policies and procedures for recruiting, selecting, training, and promoting staff, measuring staff performance, disciplining staff, planning for succession, and retaining staff
  • HR management activities related to IT
    • Hiring practices (background checks, confidentiality agreements, employee bonding, conflict-of-interest agreements, codes of conduct, noncompete agreements)
    • Training (regular training, cross-training)
    • Terms and conditions of employment (confidentiality/nondisclosure agreements, responsibilities, actions for disregarding security requirements)
  • Organizational change management
    Defined and documented process to identify and apply technology improvements at the infrastructure and application levels, involves all levels of the organization impacted by the changes
  • Financial management practices
    A critical element of IT governance; a user-pays scheme (chargeback) can improve the application and monitoring of IS expenses and available resources