IT Governance, Risk, and Compliance


October 7, 2011  8:59 PM

Auditing Information Security Governance – Part V

Robert Davis

ISG audits normally have an organizational focus. ‘Organizational-based’ ISG audits and reviews examine deployed frameworks, managerial issues, and departmental activities. However, if during organizational-based planning the IT auditor discovers that a governance framework is not deployed, the audit or review planner should utilize the Control Objectives for Information and related Technology (COBIT) framework as a minimum basis for setting detailed objectives.

Alternatively, ISG may fall within the ambit of other IT audit areas. Under these circumstances, a ‘results-based’ audit may be appropriate. However, if the audit unit developed an entity’s performance measurement system, the audit unit would not be deemed independent in conducting a performance audit to evaluate whether that system was adequate. Quantitatively, results-based audits can address performance issues by utilizing goal and performance indicators as measurement standards. Qualitatively, results-based audits can also provide assessments of the audit area’s governance knowledge and practices. Whatever results-based measurement standards are utilized, ISG effectiveness is the primary audit objective for the auditable unit.

View Part I of the Auditing Information Security Governance series here

October 4, 2011  8:14 PM

Auditing Information Security Governance – Part IV

Robert Davis

To prevent misinterpretation of expectations, the ISG engagement ‘terms of reference’ should minimally address engagement ambit, reporting lines, and IT audit authority. Specifically, definitions of the ISG functional areas and issues, the reporting of identified ‘highest-organization-level’ issues, and auditor information access rights should be clearly documented in the audit charter and/or engagement letter.

ISG can be examined as an individual audit area or as an auditable unit within every audit or review undertaken. During the IT audit planning process, all or segments of an entity’s deployed governance-related frameworks may be selected as auditable units. Furthermore, ISG audits may cross divisional, functional, or departmental demarcations.

View Part I of the Auditing Information Security Governance series here


September 30, 2011  8:54 PM

Auditing Information Security Governance – Part III

Robert Davis

Reflecting ISACA standards and guidelines, the IT audit process should be replicated within for-profit and not-for-profit entities. Foundational assurance topics that should be considered from a management perspective are presented in the Information Technology Governance Institute’s Information Security Governance: Guidance for Boards of Directors and Executive Management monograph. However, an audit committee’s perceived mandate and mission may affect how much the approach to an Information Security Governance (ISG) audit or review varies. Furthermore, the ISG audit or review approach may diverge according to the ambit and resources applied. Lastly, ISG audit or review evaluation criteria may also fluctuate with the audit objectives. For example, the ISG audit assessment paradigm may be based on performance and/or compliance expectations.

View Part I of the Auditing Information Security Governance series here


September 27, 2011  8:19 PM

Auditing Information Security Governance – Part II

Robert Davis

Management is responsible for developing and deploying good security governance, which has typically been defined to include resilient protection of the IT infrastructure and the related information systems supporting critical functions and business processes. Within the information security program, the assigned responsibilities should include requirements to provide risk assessment and risk mitigation strategies for program management and control, as well as sub-divisional risk assessments for system security. To facilitate the risk assessment process, guidance should be provided through adopted best practices. Minimally, the publications utilized should document minimum baseline security requirements for the entity being audited or reviewed.

View Part I of the Auditing Information Security Governance series here


September 23, 2011  7:47 PM

Auditing Information Security Governance – Part I

Robert Davis

Governance supports stakeholder expectations related to management’s fiduciary responsibilities. Governance also reflects how an entity achieves its stated mission. Specifically, governance can be considered the program by which entities are directed and controlled. As I have discussed previously, leadership, stewardship, ethics, security, vision, direction, influence, and values are prominent components of entity-level governance.

Various respected knowledge leaders and practicing professionals, as well as professional organizations, consider an entity’s oversight committee, executive management, internal audit, and external audit to be governance cornerstones. Consequently, since information security is usually integrated into most entity processes, IT audit should be considered a cornerstone of information security-level governance, IT-level governance, and entity-level governance alike.

Post Note: As of September 2011, Robert E. Davis, MBA, CISA, CICA is a member of the Master of Science in IT Auditing and Cyber-Security Advisory Council at Temple University.


September 20, 2011  8:33 PM

Common Risk Determinants for an IT Architecture – Part VIII

Robert Davis

At the departmental level, value delivery risks are generally an inducement for the entity’s executive management to designate an IT managerial group (e.g. an IT Portfolio Management Committee) or individual (e.g. the Chief Information Officer) to oversee systems and infrastructure life cycle management. The personnel assigned responsibility for new systems and/or infrastructure projects can be top, middle, or lower level management. Potential IT project participants are: a sponsor/owner, project board members, project team members, and a project manager.

For those who have responsibility for executing project management practices, managerial planning is normally required to produce effective and efficient IT project deployments. Completion of certain project management tasks is critical to assuring successful system and/or infrastructure implementation based on defined IT procedures. Operational control is the method of ensuring that day-to-day project activities run efficiently and effectively. Accordingly, reviewing information, preparing the design, and obtaining design approval form a logical sequence of events that complements the fulfilment of project management predevelopment, deployment, and post-deployment responsibilities.

View Part I of the Common Risk Determinants for an IT Architecture series here


September 16, 2011  9:24 PM

Common Risk Determinants for an IT Architecture – Part VII

Robert Davis

As a logical assumption, IT project management is a primary governance point for the entity’s ITG program. Therefore, by derivation, management’s control environment (CE) due diligence regarding IT project governance policies will significantly reduce systems and infrastructure life cycle risks.

At the entity level, control consciousness is significantly influenced by oversight committee members. Therefore, the ideal collective characteristics of the individuals participating in entity oversight should include: independence from management; experience and stature; demonstrated involvement in and scrutiny of activities; appropriate situational actions; sufficient knowledge management; effective management assessment techniques; and interaction with internal and external audit.

View Part I of the Common Risk Determinants for an IT Architecture series here


September 13, 2011  8:56 PM

Common Risk Determinants for an IT Architecture – Part VI

Robert Davis

An entity’s oversight committee should provide due diligence over internal and external controls. In this regard, entity oversight committees normally delegate responsibility, accountability, and authority to an audit oversight committee that evaluates project controls, interfaces with auditors, and provides direction on audit priorities.

Furthermore, an entity’s oversight committee should provide investment due diligence through an IT strategy committee. In this regard, the IT strategy committee should delegate responsibility, accountability, and authority to an IT group or individual that evaluates the IT project portfolio, interfaces with project managers, and provides direction on project priorities.

View Part I of the Common Risk Determinants for an IT Architecture series here


September 9, 2011  8:31 PM

Common Risk Determinants for an IT Architecture – Part V

Robert Davis

IT project governance can only be effective if those influencing project decisions are adequately informed. Project management policies, procedures, rules, and individual responsibilities should be distributed to all affected parties. Furthermore, the risk awareness program should require participating employees to periodically sign a statement acknowledging their awareness of, and acceptance of responsibility for, project security.

Management should also ensure that employees have the expertise to carry out their IT project responsibilities. To meet this expectation, the IT project governance program should include job descriptions; periodic reassessment of the adequacy of individual skills; annual training requirements and professional development programs (to help ensure individual skills are adequate and current); and monitoring of employee training and professional development accomplishments.

View Part I of the Common Risk Determinants for an IT Architecture series here


September 6, 2011  7:35 PM

Common Risk Determinants for an IT Architecture – Part IV

Robert Davis

Fundamentally, IT policies and procedures should be deployed based on their assessed effectiveness and efficiency in addressing management’s risk appetite. Supporting control environment (CE) risk reduction activities are management’s IT project governance policies, which provide for a(n):

- Project Charter
- Risk Awareness Program
- Project Training Program
- Audit Oversight Committee
- IT Strategy Committee

The project management function should have a formal, written charter establishing the department’s position within the entity. It should document the purpose, responsibility, authority, and accountability of the project management function. Minimally, the charter document should address detailed project management aspects, such as the mission statement, organizational structure, risk management, critical success factors, quality assurance, and reporting lines.

View Part I of the Common Risk Determinants for an IT Architecture series here
