CORPORATE GOVERNANCE

Governance and Management of IT

By: Shamsuddin Surani

Corporate Governance: The system by which business corporations are directed and
controlled.
It is a set of responsibilities and practices used by an organization's management to
provide strategic direction, thereby ensuring that goals are achievable, risks are
properly addressed and organizational resources are properly utilized.

IT GOVERNANCE

One of the domains of enterprise governance: how IT is applied within the enterprise.

IT is now regarded as an integral part of the enterprise; CEOs, COOs, CFOs, CIOs and
CTOs agree that strategic alignment between IT and enterprise objectives is a critical
success factor.

The key element of IT governance is the alignment of business and IT, leading to the
achievement of business value.

It is concerned with two issues:
IT delivers value to the business - driven by strategic alignment with the business
IT risks are managed - driven by embedding accountability into the enterprise

INFORMATION TECHNOLOGY MONITORING AND ASSURANCE PRACTICES FOR BOARD AND
SENIOR MANAGEMENT

Traditional involvement of board-level executives in IT issues was to defer all key
decisions to the company's IT professionals.
IT governance implies a system in which all stakeholders, including the board, internal
customers and departments such as finance, provide input into the decision-making
process.
IT governance is the responsibility of the board of directors and executive management.
Key IT governance practices are: IT Strategy Committee, Risk Management and IT Balanced
Scorecard.

FIVE FOCUS AREAS OF IT-GOV

Strategic Alignment: Focuses on ensuring the linkage of business and IT plans;
defining, maintaining and validating the IT value proposition; and aligning IT
operations with enterprise operations.
Value Delivery: About executing the value proposition throughout the delivery cycle,
ensuring that IT delivers the promised benefits against the strategy, concentrating on
optimizing costs and proving the intrinsic value of IT.
Risk Management: Requires risk awareness by senior corporate officers, a clear
understanding of the enterprise's appetite for risk, understanding of compliance
requirements, and transparency about the significant risks to the enterprise.
Resource Management: About the optimal investment in, and the proper management of,
critical IT resources: applications, information, infrastructure and people.
Performance Measurement: Tracks and monitors strategy implementation, project
completion, resource usage, process performance and service delivery, using, for
example, balanced scorecards that translate strategy into action to achieve goals
measurable beyond conventional accounting.

IT GOVERNANCE FRAMEWORKS

Control Objectives for Information and related Technology (COBIT) was developed by the
IT Governance Institute (ITGI) to support IT governance by providing a framework to
ensure that: IT is aligned with the business, IT enables the business and maximizes
benefits, IT resources are used responsibly, and IT risks are managed appropriately.
COBIT provides tools to assess and measure the performance of 34 IT processes within an
organization.

The ISO/IEC 27001 (ISO 27001) series of standards is a set of best practices that
provides guidance to organizations implementing and maintaining information security
programs. ISO 27001 originally was published in the United Kingdom (UK) as British
Standard 7799 (BS7799) and has become a well-known standard in the industry.

The IT Infrastructure Library (ITIL), developed by the UK Office of Government Commerce
(OGC), is a detailed framework with hands-on information regarding how to achieve
successful operational service management of IT.
Etc.

AUDIT ROLE IN IT GOVERNANCE

IT is governed by good or best practices which ensure that the organization's
information and related technology: support the enterprise's business objectives (i.e.,
strategic alignment), deliver value, use resources responsibly, manage risks
appropriately and measure performance.
Audit plays a significant role in the successful implementation of IT governance within
an organization. Audit is well positioned to provide leading practice recommendations
to senior management to help improve the quality and effectiveness of the IT governance
initiatives implemented.

The following aspects related to IT governance need to be assessed:
Alignment of the IS function with the organization's mission, vision, values,
objectives and strategies
Achievement of performance objectives established by the business (e.g., effectiveness
and efficiency) by the IS function
Legal, environmental, information quality, fiduciary, security, and privacy
requirements
The control environment of the organization
The inherent risks within the IS environment
IT investment/expenditure

IT STRATEGY COMMITTEE VS. IT STEERING COMMITTEE

IT Strategy Committee
Advises the board and management on IT strategy
Is delegated by the board to provide input to the strategy and prepare its approval
Focuses on current and future strategic IT issues
As a committee of the board, it assists the board in overseeing the enterprise's
IT-related matters by ensuring that the board has the internal and external information
it requires for effective IT governance decision making.
This is a mechanism for incorporating IT governance into enterprise governance.

IT Steering Committee
Assists the executive in the delivery of the IT strategy
Oversees day-to-day management of IT service delivery and IT projects
Focuses on implementation

INFORMATION SECURITY GOVERNANCE

Information security governance is the responsibility of the board of directors and
executive management, and must be an integral and transparent part of enterprise
governance.

Within IT governance, information security governance should become a focused activity
with specific value drivers: confidentiality, integrity and availability of
information, continuity of services and protection of information assets.

Until recently, the focus of protection has been on the IT systems that collect,
process and store the vast majority of information rather than the information itself.

The reach of protection efforts should encompass not only the processes or systems that
generate the information but also the continued preservation of information generated
as a result of the controlled processes.

OUTCOMES OF SECURITY GOVERNANCE

Strategic alignment: Align information security with business strategy to support
organizational objectives.
Risk management: Manage and execute appropriate measures to mitigate risks and reduce
potential impacts on information resources to an acceptable level.
Value delivery: Optimize security investments in support of business objectives.
Performance measurement: Measure, monitor and report on information security processes
to ensure that SMART (Specific, Measurable, Achievable, Relevant and Time-bound)
objectives are achieved.
Resource management: Utilize information security knowledge and infrastructure
efficiently and effectively.

Information security governance is the responsibility of the board of directors and
executive management, and must be an integral and transparent part of enterprise
governance.

Effective Information Security Governance

To achieve effective information security governance, management must establish and
maintain a framework to guide the development and management of a comprehensive
information security program that supports business objectives.
This framework provides the basis for the development of a cost-effective information
security program that supports the organization's business goals.

ROLES AND RESPONSIBILITIES OF SENIOR MANAGEMENT AND BOARDS OF DIRECTORS

The tone at the top must be conducive to effective security governance. It is
unreasonable to expect lower-level personnel to abide by security measures if they are
not exercised by senior management.
Executive management endorsement of intrinsic security requirements provides the basis
for ensuring that security expectations are met at all levels of the enterprise.
Penalties for noncompliance must be defined, communicated and enforced from the board
level down.

IT INVESTMENT AND ALLOCATION PRACTICES

Each enterprise faces the challenge of using its limited resources, including people
and money, to achieve its goals and objectives. When an organization invests its
resources in a given effort, it incurs opportunity costs because it is unable to pursue
other efforts that could bring value to the enterprise.
An IS auditor should understand an organization's investment and allocation practices
to determine whether the enterprise is positioned to achieve the greatest value from
the investment of its resources.

Traditionally, when IT professionals and top managers discussed the ROI of an IT
investment, they were thinking about financial benefits. Today, business leaders also
consider the nonfinancial benefits of IT investments.
Financial benefits include impacts on the organization's budget and finances, e.g.,
cost reductions or revenue increases.
Nonfinancial benefits include impacts on operations or mission performance and results,
e.g., improved customer satisfaction, better information, shorter cycle time.

MATURITY AND PROCESS IMPROVEMENT MODELS

CAPABILITY MATURITY MODEL (CMM)

Capability Maturity Model (CMM): a standardized framework for assessing the maturity
level of an organization's information system development and management processes and
products. It consists of five levels of maturity:

Level 1 - Initial: System development projects follow no prescribed process.
Level 2 - Repeatable: Project management processes and practices are established to
track project costs, schedules, and functionality.
Level 3 - Defined: A standard system development process (sometimes called a
methodology) is purchased or developed. All projects use a version of this process to
develop and maintain information systems and software.
Level 4 - Managed: Measurable goals for quality and productivity are established.
Level 5 - Optimizing: The standardized system development process is continuously
monitored and improved based on measures and data analysis established in Level 4.


POLICIES AND PROCEDURES

Policies

Management should review all policies carefully
Policies need to be updated to reflect new technology and significant changes in
business processes
Policies formulated must enable achievement of business objectives and implementation
of IS controls

POLICIES (CONTINUED)

Information Security Policies
High-level documents
Represent the corporate philosophy of an organization
Must be clear and concise to be effective
Communicate a coherent security standard to users, management and technical staff
Must balance the level of control with the level of productivity
Provide management the direction and support for information security in accordance
with business requirements, relevant laws and regulations

Information Security Policy Document
Definition of information security
Statement of management intent
Framework for setting control objectives
Brief explanation of security policies
Definition of responsibilities
References to documentation

POLICIES (CONTINUED)

Review of the Information Security Policy Document
Should be reviewed at planned intervals or when significant changes occur to ensure its
continuing suitability, adequacy and effectiveness
Should have an owner who has approved management responsibility for the development,
review and evaluation of the security policy
Should include assessing opportunities for improvement to the organization's
information security policy

PROCEDURES

Detailed documents:
Must be derived from the parent policy
Must implement the spirit (intent) of the policy statement
Procedures must be written in a clear and concise manner
An independent review is necessary to ensure that policies and procedures have been
properly documented, understood and implemented

DEVELOPING A RISK MANAGEMENT PROGRAM

RISK MANAGEMENT

The process of identifying vulnerabilities and threats to the information resources
used by an organization in achieving business objectives

To develop a risk management program:
Establish the purpose of the risk management program
Assign responsibility for the risk management plan

RISK MANAGEMENT PROCESS

Identification and classification of information resources or assets that need
protection
Examples of typical assets associated with information and IT include: information and
data, hardware and software, services, documents, personnel

Assess threats and vulnerabilities and the likelihood of their occurrence
Common classes of threats are: errors, malicious damage/attack, fraud, theft,
equipment/software failure
Examples of vulnerabilities are: lack of user knowledge, lack of security
functionality, poor choice of passwords, untested technology

The magnitude of the result of a threat agent exploiting a vulnerability is called an
impact.
Threats usually result in a direct financial loss in the short term or an ultimate
(indirect) financial loss in the long term. Examples of such losses include:
Direct loss of money (cash or credit)
Breach of legislation
Loss of reputation/goodwill
Endangering of staff or customers
Loss of business opportunity
Reduction in operational efficiency/performance
Interruption of business activity

Once the elements of risk have been established they are combined to form an overall
view of risk

RISK MANAGEMENT PROCESS (CONTINUED)

Once risks have been identified, existing controls can be evaluated or new controls
designed to reduce the vulnerabilities to an acceptable level of risk
The remaining level of risk, once controls have been applied, is called residual risk
and can be used by management to identify those areas in which more control is required
to further reduce risk
Final acceptance of residual risk takes into account: organizational policy, cost and
effectiveness of implementation, etc.

IT risk management needs to operate at multiple levels including:
Operational - Risks that could compromise the effectiveness of IT systems and
supporting infrastructure
Project - Risk management needs to focus on the ability to understand and manage
project complexity
Strategic - The risk focus shifts to considerations such as how well the IT capability
is aligned with the business strategy.

IS MANAGEMENT PRACTICES

In most organizations, the IS department is a service (support) department. The
traditional role of a service department is to help production (line) departments
conduct their operations more effectively and efficiently. Today, however, IS has
become an integral part of every facet of the operations of an organization.
Management activities to review the policy/procedure formulations and their
effectiveness within the IS department would include practices such as personnel
management, sourcing and IT change management.

HUMAN RESOURCE MANAGEMENT

Human resource management relates to organizational policies and procedures for
recruiting, selecting, training and promoting staff, measuring staff performance,
disciplining staff, succession planning, and staff retention.
The effectiveness of these activities, as they relate to the IS function, impacts the
quality of staff and the performance of IS duties.

Employee Handbook: Distributed to all employees upon being hired, should explain items
such as: security policies and procedures, company expectations, employee benefits,
etc.

Hiring Practices: Hiring practices are important to ensure that the most effective and
efficient staff is chosen and that the company is in compliance with legal recruitment
requirements.
Some of the common controls would include:
Background checks (e.g., criminal, financial, professional, references)
Confidentiality agreements
Etc.

Promotion Policies: Promotion policies should be fair and equitable and understood by
employees. Policies should be based on objective criteria and consider an individual's
performance, education, experience and level of responsibility. The IS auditor should
ensure that the IS organization has well-defined policies and procedures for promotion,
and is adhering to them.

Training: Training should be provided on a regular basis to all employees based on the
areas where employee expertise is lacking. Training is particularly important for IS
professionals, given the rapid rate of change of technology and products.

Employee Performance Evaluations: Employee assessment must be a standard and regular
feature for all IS staff. The HR department should ensure that IS managers and
employees set mutually agreed goals/expected results.

Required Vacations: A required vacation (holiday) ensures that once a year, at a
minimum, someone other than the regular employee will perform a job function. This
reduces the opportunity to commit improper or illegal acts.
Job rotation provides an additional control (to reduce the risk of fraudulent or
malicious acts) since the same individual does not perform the same tasks all the time.
This provides an opportunity for an individual other than the regularly assigned person
to perform the job and notice possible irregularities.

Termination Policies: Written termination policies should be established to provide
clearly defined steps for employee separation. It is important that policies be
structured to provide adequate protection for the organization's computer assets and
data.

Termination practices should address voluntary and involuntary (e.g., immediate)
terminations. For certain situations, such as involuntary terminations under adverse
conditions, an organization should have clearly defined and documented procedures for
escorting the terminated employee from the premises.
In all cases, however, the following control procedures should be applied:
Return of all access keys, ID cards and badges - to prevent easy physical access
Deletion/revocation of assigned logon IDs and passwords - to prohibit system access
Notification - to appropriate staff and security personnel regarding the employee's
status change to "terminated"
Arrangement of the final pay routines - to remove the employee from active payroll
files
Performance of a termination interview - to gather insight on the employee's
perception of management
Return of all company property

SOURCING PRACTICES

Sourcing practices relate to the way an organization obtains the IS function required
to support the business. An organization can perform all IS functions in-house or
outsource all functions across the globe, giving consideration to the following:
Is this a core function for the organization?
Does this function have specific knowledge, processes and staff critical to meeting its
goals and objectives, and that cannot be replicated externally or in another location?
Can this function be performed by another party or in another location for the same or
lower price, with the same or higher quality, and without increasing risk?
Does the organization have experience managing third parties or using remote/offshore
locations to execute IS or business functions?

Sourcing strategy should consider each IS function and determine which approach allows
the IS function to meet the organization's goals.

If the organization has chosen to use outsourcing, a rigorous process should be
followed, including the following steps:
Define the IS function to be outsourced.
Describe the service levels required and minimum metrics to be met.
Know the desired level of knowledge, skills and quality of the expected service
provider.
Know the current in-house cost information to compare with third-party bids.
Conduct due diligence reviews of potential service providers.

Delivery of IS functions can include:

IS functions can be performed across the globe, taking advantage of time zones and
arbitraging labor rates, and can include:
Insourced - Fully performed by the organization's staff
Outsourced - Fully performed by the vendor's staff
Hybrid - Performed by a mix of the organization's and vendor's staff
Onsite - Staff work onsite in the IS department
Offsite - Also known as near-shore; staff work at a remote location in the same
geographic area
Offshore - Staff work at a remote location in a different geographic region

Outsourcing Practices and Strategies

Contractual agreements under which an organization hands over control of part or all of
the functions of the IS department to an external party
Becoming increasingly important in many organizations
The IS auditor must be aware of the various forms outsourcing can take as well as the
associated risks

SOURCING PRACTICES (CONTINUED)

Possible advantages
Commercial outsourcing companies are likely to devote more time and focus more
efficiently on a given project than in-house staff
Outsourcing vendors are likely to have more experience with a wider array of problems,
issues and techniques

Possible disadvantages
Costs exceeding customer expectations
Loss of internal IS experience
Loss of control over IS
Vendor failure

Risks can be reduced by:
Establishing measurable, partnership-enacted shared goals and rewards
Using multiple suppliers
Performing periodic competitive reviews and benchmarking
Implementing short-term contracts
Forming a cross-functional contract management team
Including contractual provisions to consider as many contingencies as can reasonably be
foreseen

SOURCING PRACTICES (CONTINUED)

Globalization Practices and Strategies
Requires management to actively oversee the remote or offshore locations
The IS auditor can assist an organization in moving IS functions offsite or offshore by
ensuring that IS management considered the following:
Legal, regulatory and tax issues
Continuity of operations
Personnel
Telecommunication issues
Cross-border and cross-cultural issues

Third-party Service Delivery Management
Every organization using the services of third parties should have a service delivery
management system in place to implement and maintain the appropriate level of
information security and service delivery in line with third-party service delivery
agreements.
The organization should check the implementation of agreements, monitor compliance with
the agreements and manage changes to ensure that the services delivered meet all
requirements agreed to with the third party.

ORGANIZATIONAL CHANGE MANAGEMENT

Change management is managing IT changes for the organization, where a defined and
documented process exists to identify and apply technology improvements at the
infrastructure and application level that are beneficial to the organization and
involving all levels of the organization impacted by the changes.

QUALITY MANAGEMENT

Software development, maintenance and implementation
Acquisition of hardware and software
Day-to-day operations
Service management
Security
Human resource management
General administration

PERFORMANCE OPTIMIZATION

Process driven by performance indicators
Optimization refers to the process of improving the productivity of information systems
to the highest level possible without unnecessary, additional investment in the IT
infrastructure

PERFORMANCE OPTIMIZATION (CONTINUED)

Five ways to use performance measures
Measure products/services
Manage products/services
Assure accountability
Make budget decisions
Optimize performance

IS ROLES AND RESPONSIBILITIES

SEGREGATION OF DUTIES WITHIN IS

Systems development manager
Help desk
End user
End user support manager
Data management
Quality assurance manager
Vendor and outsourcer management
Operations manager
Data entry
Systems administration
Quality assurance
Database administration
SEGREGATION OF DUTIES CONTROLS

Avoids possibility of errors or misappropriations
Discourages fraudulent acts
Limits access to data

Control measures to enforce segregation of duties include:
Transaction authorization
Custody of assets
Access to data
Authorization forms
User authorization tables

SEGREGATION OF DUTIES CONTROLS (CONTINUED)

Compensating controls for lack of segregation of duties include:
Audit trails
Reconciliation
Exception reporting
Transaction logs
Supervisory reviews
Independent reviews
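Worked example, added here and not part of the deck: an auditor's check that reads a user authorization table, flags users holding conflicting IS roles, and separates conflicts that have one of the compensating controls above recorded from those with none. The conflict matrix and the CSV extract are constructed assumptions for illustration; the role and control names are the deck's.

```python
"""Segregation-of-duties (SoD) review of a user authorization table.

Added example, not from the slide deck or any named framework. Role and
control names follow the deck; the conflict matrix and the sample extract
below are constructed for illustration (assumptions).
"""
import csv
import io
from itertools import combinations

# Constructed conflict matrix (assumption): role pairs one person should not hold
# together, because one role could conceal errors or misuse committed in the other.
CONFLICTING_ROLES = {
    frozenset({"systems development", "operations"}),
    frozenset({"systems development", "systems administration"}),
    frozenset({"systems development", "database administration"}),
    frozenset({"data entry", "quality assurance"}),
    frozenset({"transaction authorization", "custody of assets"}),
}

# Compensating controls the deck names for when full segregation is not possible.
COMPENSATING_CONTROLS = {
    "audit trails", "reconciliation", "exception reporting",
    "transaction logs", "supervisory reviews", "independent reviews",
}

# Constructed extract of a user authorization table (assumption): one row per
# user/role grant, plus any compensating control recorded against that user.
SAMPLE_EXTRACT = """\
user,role,compensating_control
alice,systems development,
alice,quality assurance,
bob,systems development,
bob,operations,supervisory reviews
carol,data entry,
carol,quality assurance,
dave,operations,
dave,help desk,
"""


def load_authorization_table(text):
    """Parse CSV rows into ({user: set(roles)}, {user: set(controls)})."""
    roles, controls = {}, {}
    for row in csv.DictReader(io.StringIO(text)):
        user = row["user"].strip()
        roles.setdefault(user, set()).add(row["role"].strip().lower())
        ctrl = (row.get("compensating_control") or "").strip().lower()
        if ctrl:
            controls.setdefault(user, set()).add(ctrl)
    return roles, controls


def find_conflicts(roles):
    """Return {user: sorted conflicting role pairs} for every user who holds
    at least one pair listed in CONFLICTING_ROLES."""
    conflicts = {}
    for user, held in roles.items():
        pairs = sorted(tuple(sorted(p)) for p in combinations(sorted(held), 2)
                       if frozenset(p) in CONFLICTING_ROLES)
        if pairs:
            conflicts[user] = pairs
    return conflicts


def classify_conflicts(roles, controls):
    """Split conflicts into those covered by a recognised compensating control
    and those with no mitigation recorded (the findings an auditor raises first)."""
    report = {"mitigated": {}, "unmitigated": {}}
    for user, pairs in find_conflicts(roles).items():
        applied = controls.get(user, set()) & COMPENSATING_CONTROLS
        bucket = "mitigated" if applied else "unmitigated"
        report[bucket][user] = {"pairs": pairs, "controls": sorted(applied)}
    return report


def review_extract(text):
    """Parse an authorization-table extract and classify its SoD conflicts."""
    roles, controls = load_authorization_table(text)
    return classify_conflicts(roles, controls)


if __name__ == "__main__":
    for bucket, users in review_extract(SAMPLE_EXTRACT).items():
        for user, detail in users.items():
            print(f"{bucket:12} {user:6} {detail['pairs']} controls={detail['controls']}")
```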

AUDITING IT GOVERNANCE STRUCTURE AND IMPLEMENTATION

Indicators of potential problems include:
Unfavorable end-user attitudes
Excessive costs
Budget overruns
Late projects
High staff turnover
Inexperienced staff
Frequent hardware/software errors

REVIEWING DOCUMENTATION

The following documents should be reviewed:
IT strategies, plans and budgets
Security policy documentation
Organization/functional charts
Job descriptions
Steering committee reports
System development and program change procedures
Operations procedures
Human resource manuals
Quality assurance procedures

REVIEWING CONTRACTUAL COMMITMENTS

There are various phases to computer hardware, software and IS service contracts,
including:
Development of contract requirements and service levels
Contract bidding process
Contract selection process
Contract acceptance
Contract maintenance
Contract compliance
