COBIT archives - IT Governance, Risk, and Compliance

Feb 9 2009   8:02PM GMT

How Does Management Support Deploying IT Governance?



Posted by: Robert E. Davis
Framework, Methodology, Technique, COBIT, ITGI, ISACA, IT Governance, Management Information Systems, Control Self-assessment, Quality Assurance Program

Depending on your abstraction level, IT governance can be viewed as a framework, a methodology, or a technique. As a framework, IT governance establishes a “system of controls” that helps assure organizational goals and objectives are achieved effectively and efficiently. As a methodology, IT governance describes the role that entity direction and controls play in achieving information systems objectives. Lastly, as a technique, IT governance provides processes and steps that can generate superior financial and/or reputational returns for stakeholders.

If you view IT governance as a framework for assisting organizational governance, then structurally it should be implemented as an organizational program with objectives, goals, policies, procedures, standards, and rules designed to accomplish management’s intentions. Because the results of other programs, such as control self-assessment (CSA) and quality control (QC) programs, depend directly on how effective IT governance is, the program should be given ‘significant program’ status in order to drive controls. Furthermore, control efficiency can be improved by using the models available to assist in deploying IT governance, including The Institute of Internal Auditors’ Systems Auditability and Control (SAC) framework and the Information Systems Audit and Control Association’s Control Objectives for Information and related Technology (COBIT) framework.

Alternatively, if you perceive IT governance as a description of how information systems objectives are achieved, the adopted IT governance methodology should provide management with a series of assessments defining control usefulness and control deployment, with IT governance effectiveness and efficiency directly related to the responsibility, accountability, and authority structure management demonstrates. Management is usually concerned with the cost of controls and the benefits that can be derived from deploying and using them while achieving an entity’s strategic direction. Hence, understanding IT governance roles is considered key to managing information systems.

If, however, you assume IT governance provides financial and/or reputational benefits, potential stakeholders are presumed to rely upon governance elements before investing their time, talent, and/or money. Therefore, ascertaining through monitoring whether IT objectives are met effectively and efficiently is fundamental to the sound business practices that satisfy stakeholder expectations. Such effectiveness and efficiency evaluation requires measurement against established standards, and the performance measures should be defined when those standards are created or adopted. Techniques used in IT governance implementation include capability maturity modeling, budgeting, benchmarking, and gap analysis. Supporting the view that IT governance is a financial enhancement technique, the Center for Information Systems Research (CISR) has suggested that organizations with exceptional IT governance earn higher profits than organizations with inferior governance pursuing the same strategic objective. Given that financial opportunity, and with the organization’s reputation enhanced by the profitability demonstrated when employing IT governance, new stakeholders may be attracted to the organization as a corollary benefit.

Whatever your perspective, the importance of effective and efficient IT governance cannot be overlooked in the current global high-technology environment. Considering what is at stake politically, economically, and technically for most organizations, justifying IT governance deployment on one viewpoint alone narrows both its suitability and the benefits that can be expected. In the final analysis, combining the three abstraction levels discussed above may be the most appropriate support for implementing IT governance.

Jan 30 2009   7:25PM GMT

Safeguarding Information Assets - Part IV



Posted by: Robert E. Davis
ISACA, IT Governance, Information Security Governance, IT Controls, Information Security Management, Security Frameworks, COBIT, Information Asset Protection, CISA, CISM

Generally, three distinct elements are required for an adequate information security architecture: people, processes, and technology. For most entities, designing and operating adequate safeguards is an extremely complex undertaking requiring a total compliance commitment from every employee empowered to access information assets. The absence of any one of these architectural components can create a weak link in safeguarding information assets and undermine the usefulness of security controls.

Technological and non-technological policies, directives, procedures, standards, and rules can assist in preventing as well as detecting IT security breaches. In the final analysis, however, it is sustained employee ethics and integrity that determine the safety of entrusted assets.


Jan 27 2009   8:09PM GMT

Safeguarding Information Assets - Part III



Posted by: Robert E. Davis
ISACA, IT Governance, Information Security Governance, IT Controls, Information Security Management, Security Frameworks, COBIT, Information Asset Protection, CISA, CISM

Protection-of-information-assets reflects the development and deployment of security controls to support ISG. Commonly, protecting information assets requires implementing:

  • Logical Access Controls
  • Network Infrastructure Security
  • Physical Access Controls
  • Risk Analysis Processes
  • Environmental Controls
  • Confidentiality Life Cycle Controls

Once information security management ratifies the protection requirements for information resources, based on assessed risk, information security baselines can be developed and deployed. Safeguarding baselines vary depending on asset sensitivity, criticality, and/or impact; at a minimum, however, information assets should be protected against misuse, abuse, and destruction. When implemented, information asset protection baselines can be expressed as technical, operational, and managerial standards applicable throughout the entity.


Jan 24 2009   6:30PM GMT

Safeguarding Information Assets - Part II



Posted by: Robert E. Davis
ISACA, IT Governance, Information Security Governance, IT Controls, Information Security Management, Security Frameworks, COBIT, Information Asset Protection, CISA, CISM

Responsibilities separation commonly employs segregation-of-functions and segregation-of-duties methodologies. Segregation-of-functions is the construction of individual work units, such as divisional, departmental, or sectional organizational groups, to achieve management’s intentions while simultaneously complying with generally accepted control principles. In contrast, segregation-of-duties is the delineation of employee responsibility assignments within a defined work unit to achieve management’s intentions while simultaneously complying with generally accepted control principles. As a basic tenet of adequate control, segregation-of-functions and segregation-of-duties support the policies, procedures, directives, and organizational structure established to inhibit any one individual from conducting unauthorized actions or gaining unauthorized access to assets or records. Consequently, responsibilities separations are designed and deployed organizational controls that enable ISG to prevent, detect, and/or deter errors, mistakes, omissions, irregularities, and illegal acts.

Appropriate functional responsibilities separation in a computer system requires defining IT and operational user work units with the control context in mind. Segregation-of-functions assures that organizational responsibilities do not impinge upon independence or corrupt the integrity of information system assets.

Processing centralization through IT does not relieve management of the obligation to separate duties within operational and technical departments. Complete segregation-of-duties within a department is generally more feasible in large entities than in small ones. Large entities tend to follow rigid norms and are conducive to high specialization-of-duties, detailed division of labor, lavish and elaborate administration, and minimal personal interaction. By contrast, small entities are characterized by flexible norms, low specialization-of-duties, broad span-of-control, exiguous and simplistic administration, and extensive personal interaction.

Various control techniques can be activated selectively or collectively to enforce segregation-of-functions and segregation-of-duties, including:

  • Role Identification
  • User Authentication
  • Transaction Authorization
  • Information Access
  • Asset Custody
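The control techniques listed above combine into two checks that can be written down and run. What follows is an added example, not code from the original post or from any ISACA publication: a detective check that scans role assignments for toxic duty combinations (role identification and information access), and a preventive check that enforces transaction authorization on a payment workflow so the person who initiates a payment cannot also approve or release it. The roles, permissions, conflict matrix, users, and payment records are constructed sample data; a real deployment would load them from the IAM and ERP systems.

```python
"""Segregation-of-duties (SoD) checks over role assignments and a payment workflow.

Added example, not code from the original post. The roles, permissions,
conflict matrix, users and payments are constructed sample data.
"""
from dataclasses import dataclass
from typing import Optional

# Role identification: each role carries the permissions it grants.
ROLES = {
    "ap_clerk": {"create_vendor", "enter_invoice"},
    "ap_supervisor": {"approve_payment"},
    "treasury": {"release_payment"},
    "accountant": {"reconcile_bank"},
}

# Toxic combinations: duties one person must never hold together.
CONFLICTS = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"enter_invoice", "approve_payment"}),
    frozenset({"approve_payment", "release_payment"}),
    frozenset({"release_payment", "reconcile_bank"}),
}

# Workflow step -> (permission required, field recording who performed it).
STEPS = {"approve": ("approve_payment", "approved_by"),
         "release": ("release_payment", "released_by")}

# Constructed sample assignments; dave and erin are deliberately over-privileged.
ASSIGNMENTS = {
    "alice": {"ap_clerk"},
    "bob": {"ap_supervisor"},
    "carol": {"treasury"},
    "dave": {"accountant", "treasury"},
    "erin": {"ap_clerk", "ap_supervisor"},
}


def permissions_of(user_roles):
    """Collapse a user's roles into the set of permissions they grant."""
    perms = set()
    for role in user_roles:
        perms |= ROLES.get(role, set())
    return perms


def sod_violations(assignments):
    """Detective control: {user: sorted conflicting permission pairs}.
    Run over the IAM export after each access change; empty means clean."""
    findings = {}
    for user, user_roles in assignments.items():
        perms = permissions_of(user_roles)
        hits = sorted(tuple(sorted(pair)) for pair in CONFLICTS if pair <= perms)
        if hits:
            findings[user] = hits
    return findings


@dataclass
class Payment:
    payment_id: str
    amount: float
    initiated_by: str
    approved_by: Optional[str] = None
    released_by: Optional[str] = None

    def actors(self):
        """Everyone who has already acted on this payment."""
        return {a for a in (self.initiated_by, self.approved_by, self.released_by) if a}


def perform(step, payment, actor, assignments):
    """Preventive control (transaction authorization): the actor must hold the
    step's permission, must not have acted on this payment before, and steps run
    in order, so nobody initiates, approves and releases a payment alone."""
    needed, field_name = STEPS[step]
    if needed not in permissions_of(assignments.get(actor, set())):
        raise PermissionError(f"{actor} lacks {needed} for {payment.payment_id}")
    if actor in payment.actors():
        raise PermissionError(f"{actor} already acted on {payment.payment_id}")
    if getattr(payment, field_name) is not None:
        raise PermissionError(f"{payment.payment_id}: {step} already performed")
    if step == "release" and payment.approved_by is None:
        raise PermissionError(f"{payment.payment_id}: release before approval")
    setattr(payment, field_name, actor)
    return payment


if __name__ == "__main__":
    print(sod_violations(ASSIGNMENTS))
    p = Payment("P-1001", 12500.0, "alice")
    perform("approve", p, "bob", ASSIGNMENTS)
    perform("release", p, "carol", ASSIGNMENTS)
    print(p)
```

`sod_violations` answers the segregation-of-duties question at provisioning time (who holds conflicting permissions?), while `perform` enforces it at transaction time; the two are deliberately independent, so a mis-provisioned user such as erin still cannot approve her own invoice. In a small entity that cannot fully separate duties, the violation list is the population a manager has to review under compensating controls.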


Jan 23 2009   7:31PM GMT

Safeguarding Information Assets - Part I



Posted by: Robert E. Davis
ISACA, IT Governance, Information Security Governance, IT Controls, Information Security Management, Security Frameworks, COBIT, Information Asset Protection, CISA, CISM

Explicitly or implicitly, safeguarding assets is an inescapable fiduciary obligation bestowed on managers, whether the entity exists for profit or not. Fiduciary duties are an inherent managerial responsibility, correlated with accountability, that can be conveyed through legislation, regulation, or expectation. Foundationally, an operating entity’s very existence usually depends heavily on how well employees safeguard the assets used in fulfilling the organizational mission. The assumed responsibility for safeguarding assets should span the entity’s total tangible and intangible resources. Specifically, information and its associated technologies are assets requiring appropriate investment in protective measures to retain their intrinsic value.

Safeguarding IT resources usually requires an information security governance (ISG) framework rendering essential information asset coverage. To ensure adequate ISG, an entity’s management can adopt the Information Systems Audit and Control Association’s (ISACA’s) Control Objectives for Information and related Technology (COBIT) framework, promulgated by the IT Governance Institute (ITGI), and/or the International Organization for Standardization’s ISO/IEC 27002 code of practice. If the COBIT framework is selected for assisting in deploying entity-centric ISG, there are four IT resource classifications: people, information, applications, and infrastructure. Within the COBIT resource categories, people encompasses the staff skills, awareness, and productivity needed to plan, organize, acquire, deliver, support, and monitor information systems and services. Information encompasses utilizable objects, structured and non-structured data, and presentation formats. Applications are deemed the sum of manual and programmed procedures. Infrastructure is defined as hardware, operating systems, database management systems, facilities, and the supporting environment.

With IT considered indispensable for processing efficiency, communication expediency, and information reliability, entities should govern the safeguarding of information assets through an ISG program. To accomplish this, management normally needs a governance framework enabling organizational alignment, adequate resource allotment, risk management, value delivery, and performance measurement. Whether information security governance is viewed abstractly as a distinct governance classification supporting entity governance or as a subset of information technology governance, safeguarding IT normally mandates addressing responsibilities separation and ‘protection-of-information-assets’ to assure managerial due diligence.