
IT Governance

IT Governance: a process by which an organisation's leaders ensure that IT is aligned with the business and delivers value, its performance is measured, its resources properly allocated and its risks mitigated. Presentation to Ealing Council covering technology opportunities and threats, IT controls, information security and IT audit.


Presentation Transcript


  1. IT Governance - Ealing Council

  2. IT Governance
     A process by which an organisation's leaders ensure that IT is aligned with the business and delivers value, its performance is measured, its resources properly allocated and its risks mitigated.

  3. Technology
     • Opportunities
     • Growth
     • Development

  4. Information Technology
     • Integral part of all processes
     • Accomplishes mission and objectives
     • Facilitates local and global communications

  5. Technology Threats
     • Service disruption
     • Deception
     • Theft
     • Fraud
     • Trusted users

  6. What Questions Should You Be Asking?
     • What are IT controls?
     • What should be protected?
     • Where are IT controls applied?
     • Who is responsible?
     • When do we assess IT controls?
     • How much control is enough?

  7. IT Controls: Significant Components
     • Automation of business controls
     • Control of IT
     • Support for business management and governance

  8. IT Controls
     • Corporate policies
     • Coded instructions
     • Physical access
     • Audit trails – the ability to trace actions and transactions to responsible individuals
     • Automatic edits (data input)
     • Data integrity…

  9. Controls Classifications
     • General controls (also known as infrastructure controls) – apply to all system components, and also include information security policy, administration, access and authentication
     • Application controls – data input, separation of duties, e.g. transaction initiation versus authorisation
     • Preventive controls – prevent errors, omissions or security incidents from occurring, e.g. data entry validation, access control
     • Detective controls – detect errors or incidents, e.g. identifying account numbers of inactive accounts flagged for monitoring of suspicious activity
     • Corrective controls – correct errors, omissions or incidents once they have been detected, e.g. correction of a data entry error, identifying and removing unauthorised users or software from systems or networks

  10. Governance Controls
     • Primary accountability for internal controls resides with the corporate board
     • Ensure that effective information management and security principles, policies and processes are in place, and that there is sufficient performance and compliance to demonstrate this
     • Controls mandated by the corporate leadership team (CLT) are linked with the concept of corporate governance, and are driven by the organisation's goals and strategies and by external regulators
     • The Performance and Audit Panel's responsibility is oversight rather than actually performing control activities, e.g. you don't do the auditing but oversee both internal and external auditing at Ealing

  11. Management Controls
     • Responsibility for reaching into the organisation, with special attention to critical assets, sensitive information and operational functions
     • Requires close collaboration with the audit committee to ensure that the IT controls needed to achieve established objectives are applied, are reliable and provide continuous processing
     • Management must recognise risks to the organisation, its assets and its processes
     • Implement mechanisms to mitigate these risks (protect, monitor and measure results)

  12. Technical Controls
     Form the foundation which ensures the reliability of virtually every other control in the organisation, e.g.
     • Protection against unauthorised access and intrusion
     • Reliance on the integrity of information
     • Evidence of all changes and their authenticity

  13. What to Expect
     GTAG (IIA)

  14. Information Security
     An integral part of all IT controls, with the exception of financial aspects of IT such as return on investment, budgetary controls and some project management controls.
     BS/ISO-1779, ITIL

  15. Information Security
     Three key elements of information security:
     • Confidentiality – information is only divulged as appropriate
     • Integrity – data is correct and complete
     • Availability – information must be available to the organisation, customers and partners when, where and in the manner needed; also the ability to recover from loss, disruption or corruption of data and IT services

  16. Role of the Performance and Audit Panel
     • What do we mean by IT controls?
     • Why do we need IT controls?
     • Who is responsible for IT controls?
     • When is it appropriate to apply IT controls?
     • Where exactly are IT controls applied?
     • How do we perform IT controls assessments?

  17. The Structure of IT Auditing
     GTAG (IIA)

  18. IT Audit at Ealing
     • Essential part of the corporate governance process
     • Internal audit has specialist and qualified IT auditors performing audits
     • IT auditing is included in the audit universe and annual plan
     • Sharing the plan with external audit, as in the Response programme
     • Agresso implementation
     • Post-implementation reviews
     • General IT controls – anti-virus, IT security, network infrastructure, operating systems
     • Specialist data integrity (CAATs)
     • Data Protection and Freedom of Information
     • Applications…

  19. The Audit Process
     • Formal structure for addressing IT controls
     • Sound technical understanding
     • Provide results of risk and control assessments
     • Interact with those responsible for controls
     • Pursue continuous learning through CPD and reassessment of new technologies – new opportunities, risks, dependencies, strategies and requirements

  20. IT Control Assurance
     IT controls assurance addresses the ability of controls to protect the organisation against the most important threats, and provides evidence that remaining risks are unlikely to harm the organisation and its stakeholders significantly.
     GTAG (IIA)

  21. Important Roles and Responsibilities
     • Corporate level – Performance and Audit Panel, Audit Board
     • Management – Chief Executive, Head of IT, IT Security Officer
     • Audit – Internal, External

  22. Control Framework
     Adoption of a formal control framework is beneficial:
     • COSO – Monitoring, Information and Communication, Control Activities, Risk Assessment, Control Environment (The Committee of Sponsoring Organisations of the Treadway Commission)
     • COBIT – accepted standard for good information technology security and control practices that provides a reference framework for management, users, and IS audit, control and security practitioners (ISACA 2005)

  23. Corporate Level
     • Oversee risk management and compliance programmes concerning information security
     • Approve and adopt information security principles and assign key managers responsible for information security
     • Protect the interests of all stakeholders who depend on information security
     • Review information security policies regarding strategic partners and other third parties
     • Ensure business continuity
     • Review provisions of internal and external audits of IT
     • Collaborate with management to specify which information security reviews should be reported to the Corporate Board

  24. Management
     • Establish information security management policies
     • Assign information security roles, responsibilities and required skills, and maintain separation of duties
     • Training in security matters
     • Assess IT risks and manage these risks
     • Information security requirements for strategic partners and other third parties
     • Identify and classify information assets
     • Implement and test business continuity
     • Approve IT acquisitions, development, operations and maintenance
     • Protect the physical environment
     • Collaborate with security personnel to specify what needs to be reported to management

  25. Internal/External Audit
     As covered in the previous slide (IT Audit at Ealing), but also…
     • Advise corporate and management level on IT internal control issues
     • Ensure IT is included in the internal audit plan
     • IT risks are considered when assigning resources and prioritising audit activities
     • Specialist training
     • IT issues for key systems are considered
     • Performing IT risk assessments
     • Performing IT audits…

  26. Some Useful Websites
     • www.itgi.org – IT Governance Institute
     • www.coso.org – The Committee of Sponsoring Organisations of the Treadway Commission
     • www.isaca.org – Information Systems Audit and Control Association
     • www.theiia.org – Institute of Internal Auditors
     • www.sans.org – Security Policy Resource Page

  27. Shahab Hussein, CISA
     Senior Manager – Computer Assurance Services
     Deloitte & Touche Public Sector Internal Audit
     shussein@deloitte.co.uk
     Direct: 01727 886610
     Mobile: 07970 884602

  28. Questions

  29. Member of Deloitte Touche Tohmatsu
