Promoting Good Corporate Governance through ICT and Accounting Practices
Dr. Richardus Eko Indrajit [email protected]

Transcript of Promoting Good Corporate Governance through ICT and Accounting Practices

Main Objectives for Today

  What are the definitions of, and the relationships between:
  –  GOOD CORPORATE GOVERNANCE
  –  INFORMATION GOVERNANCE
  –  INFORMATION TECHNOLOGY GOVERNANCE
  –  INFORMATION SECURITY GOVERNANCE

  Why are such matters important?

  How to develop a holistic system out of these diverse concepts?

Link to Corporate Governance

(Diagram: nested layers) Good Corporate Governance > Information Governance > Information Technology Governance > Information Security Governance

Information Governance

  Information Governance is a key part of Corporate Governance: it is the means of making sure that IT activities are aligned, managed and measured so that the business succeeds

  Information Governance is important because IT is so critical to business success, represents very significant investments, and is complex and risky to manage

Corporate Governance

  Corporate governance focuses on a wide range of stakeholders and is therefore concerned with issues such as:
  –  effectiveness and efficiency of operations
  –  reliability of financial reporting
  –  compliance with laws and regulations
  –  safeguarding of assets
  –  sustainability of business

  This leads to Information Governance, because:
  1.  All business transactions are represented by information
  2.  All decision making is based on information
  3.  All communication is information exchange

GCG Supporting Requirements

  INFORMATION must satisfy:
  –  Efficiency
  –  Availability
  –  Reliability
  –  Effectiveness
  –  Integrity
  –  Confidentiality
  –  Compliance

Information Governance Benefits

  –  Guarantee of Quality
  –  Trading Partner 'Assurance'
  –  Customer Loyalty
  –  Security Assurance
  –  Reputation Enhancement
  –  Sustainable Growth

CobiT Framework for IT Governance

(Diagram with three elements)

  Business Requirements (information criteria): Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Information Reliability

  IT Processes (four domains): Plan and Organise; Acquire and Implement; Deliver and Support; Monitor and Evaluate

  IT Resources: Data, Information Systems, Technology, Facilities, Human Resources

Why Does IT Need a Control and Governance Framework?

(Diagram) Stakeholder value expected from IT: Aligned, Better, Cheaper, Faster, Secured, Controlled. Dimensions shown: time, service, quality, support, business, cost, delivery, IT risks.

IT Governance Definition

New Business Reality

Information Security

  A business-driven, IT-enabled, life cycle approach to protection of the intellectual property that defines the enterprise.

  A critical opportunity for IT to deliver demonstrable business alignment and value and to reduce operational risk.

Information Security Governance

  Information security life cycle management that is demonstrably, transparently driven by strategic, policy, operational, regulatory, and technology priorities and goals of the enterprise at large.

  Information criteria: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability

Information Security Governance Model

(Diagram) Governance at the centre, surrounded by five domains: Strategy; Policies & Procedures; Operations & Organization; Technology; Regulations. The elements grouped around them on the slide:

  Applications, Architecture, Infrastructure, Procurement, Selection, Vendors, Alignment with business

  Measurement & metrics, Planning, Risk management

  Best practices, Documentation, Human resources, Methodologies, Standards, Training

  Availability, Backup/recovery, Contingent workforce, Outsourcing, Performance, Reliability, Resource management, SLAs

  Business continuity, Data integrity, Data retention, Privacy, Reporting, Security

Compliance Statistics

(Figures as given on the slide; the scale is not stated)
 1. IS Policy                             55
 2. Allocation of responsibilities        40
 3. Education & Training                  25
 4. Incident Reporting                    20
 5. Virus/Technical Controls              60
 6. Business Continuity Planning          50
 7. Safeguarding Business Assets          70
 8. Control of Software Infringements     60
 9. Legal Compliance                      70
10. IS Compliance - physical breaches     90
    IS Compliance - logical breaches      25

Sapphire's Benchmarking

(Bar chart, scale 0.00 to 5.00, three series: Status at Start, Strategy, Best Practice) across the ten ISO 17799 areas: Security Policy; Organizational Security; Asset Classification & Control; Personnel Security; Physical and Environmental Security; Communications & Operations Management; Access Control; Systems Development and Maintenance; Business Continuity Management; Compliance.

Current Security Pressures

  –  Risks & threats are real, with impact on your organisation
  –  Effective information security requires coordinated action from the top
  –  IT investments are increasing & need directing
  –  Cultural & organisational factors are important
  –  Rules & priorities need to be established & enforced
  –  Trust in the reliability of systems is required by all stakeholders
  –  Security incidents could be exposed to the public
  –  Reputational damage can be high

Securing Corporate Infrastructure

Management Dilemma — or — Technical Problem

(Word cloud) Security Awareness, Corporate Governance, Firewall, DMZ, Layered Defense, Intrusion Detection, Authentication, Hacker, Digital Signatures, Denial of Service, Policies & Procedures, Anti-Virus, Physical Security, Non-Repudiation, Internal Controls, Integrity, Vulnerability Testing, Confidentiality, Accountability, Availability, Device Hardening, Litigation, Access Controls, Security Program, Security Organization, Risk Assessment, Wireless, VPN, Privacy, PKI, Worms, Tokens, Cyber Terrorism, ISO 17799, GLBA, HIPAA

Security Governance

  Governance is: doing things the way they should be done to protect the business, the employees and shareholder value

  Risks and threats are real and could have significant impact on your business

  Information security is the responsibility of the board; members should sign off on the policy

  Information assets possess value; proper protection should therefore be in place

  Information security is not free; like any investment, it should be properly managed

Proactive Risk Management

(Diagram) Top management oversees the risk management processes, which cover political risk, safety risk, credit risk, market risk and information risk, under external pressure from: Regulators, Shareholders, Trading partners, Customers.

Information Security

  Asset-oriented information security:
  –  Protecting confidentiality
  –  Ensuring integrity
  –  Preserving availability
  –  Addressing compliance
  –  Augmenting reliability

  Business-oriented information security:
  –  Managing risk
  –  Ensuring business continuity
  –  Protecting corporate image
  –  Protecting shareholders' value

Robert Potvin, CISSP & CBCP

Information Risk Under Control

(Diagram) Threats to the confidentiality, integrity or availability of information (accidental or deliberate) act on the business system and its information; loss of confidentiality, integrity or availability has an impact on the business. Business (including security) requirements drive the arrangements for protecting information, which aim to:
  –  PREVENTION: prevent incidents happening, as far as possible
  –  DETECTION: detect incidents that slip through
  –  RECOVERY: facilitate recovery from incidents

Arrangements for protecting information:
  –  Policies and standards, Ownership, Organisation, Risk identification, Awareness, Service agreements
  –  User capabilities, IT capabilities, System configuration, Data back-up, Contingency arrangements, Physical security
  –  Access to information, Change management, Problem management, Special controls, Audit/review, (Business practices)

Risk Management

(Diagram: two cubes) Risk is drawn as a cube whose edges are Asset Value, Threat and Vulnerability; Risk = volume of the cube. The full cube is the Actual Risk; the smaller cube, with the same Asset Value edge but the other edges shortened, is the Residual Risk that remains after controls are applied.

Threat, Risk, Vulnerabilities

(Relationship diagram, reconstructed from the edge labels on the slide) Threats exploit Vulnerabilities; Vulnerabilities expose Assets; Assets have Asset Values; Controls protect against Threats and reduce Risk; Security Requirements are met by Controls; Risk results in an Impact on the Organisation.

Security Controls

(Relationship diagram, reconstructed from the edge labels on the slide) A Threat creates an Attack; an Attack exploits a Vulnerability; a Vulnerability results in an Impact. A Deterrent Control reduces the likelihood of an Attack; a Preventative Control protects the Vulnerability and decreases it; a Detective Control discovers an Attack and can trigger a Corrective Control; a Corrective Control reduces the Impact.
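The cube model on the Risk Management slide (Risk = Asset Value x Threat x Vulnerability, residual risk as the smaller cube) and the four control types on the Security Controls slide can be combined into a small risk register. The Python below is an added worked example, not code from the presentation or from any framework it cites. The 0..1 scales for threat and vulnerability, the per-control reduction factors, the sample assets and their figures, and the rule that a corrective control only counts when a detective control exists to trigger it (taken from the slide's "can trigger" edge) are all assumptions made for this example.

```python
# Added worked example (not from the slide deck): the risk "cube" with controls.
#
# Risk = Asset Value x Threat x Vulnerability, read as the volume of the cube on
# the Risk Management slide. Each control type on the Security Controls slide
# shrinks one edge of the cube:
#   deterrent    -> reduces the likelihood of attack (threat edge)
#   preventative -> protects the vulnerability (vulnerability edge)
#   corrective   -> reduces the impact (asset-value edge)
#   detective    -> shrinks nothing by itself; it discovers the attack and can
#                   trigger the corrective control
# Scales (threat and vulnerability as 0..1 probabilities, asset value as expected
# loss in an arbitrary currency) and every figure in SAMPLE_ASSETS are assumptions
# made for this example.
from dataclasses import dataclass, field
from typing import List, Tuple

CONTROL_KINDS = ("deterrent", "preventative", "detective", "corrective")


@dataclass(frozen=True)
class Control:
    name: str
    kind: str       # one of CONTROL_KINDS
    factor: float   # fraction of the affected edge that remains (0..1); unused for detective

    def __post_init__(self) -> None:
        if self.kind not in CONTROL_KINDS:
            raise ValueError(f"unknown control kind: {self.kind}")
        if not 0.0 <= self.factor <= 1.0:
            raise ValueError(f"factor must be in [0, 1]: {self.factor}")


@dataclass
class Asset:
    name: str
    value: float          # loss if fully compromised
    threat: float         # probability of an attack in the period, 0..1
    vulnerability: float  # probability that an attack succeeds, 0..1
    controls: List[Control] = field(default_factory=list)


def inherent_risk(asset: Asset) -> float:
    """Actual risk before controls: the volume of the full cube."""
    return asset.value * asset.threat * asset.vulnerability


def residual_risk(asset: Asset) -> float:
    """Residual risk: the smaller cube left after the controls shrink its edges.

    Modelling assumption drawn from the 'can trigger' edge on the slide: a
    corrective control only counts if some detective control can fire it.
    """
    value, threat, vuln = asset.value, asset.threat, asset.vulnerability
    has_detective = any(c.kind == "detective" for c in asset.controls)
    for c in asset.controls:
        if c.kind == "deterrent":
            threat *= c.factor
        elif c.kind == "preventative":
            vuln *= c.factor
        elif c.kind == "corrective" and has_detective:
            value *= c.factor
        # detective: no edge shrinks; corrective without detective: never triggered
    return value * threat * vuln


def risk_register(assets: List[Asset]) -> List[Tuple[str, float, float]]:
    """(name, inherent, residual) per asset, highest residual risk first."""
    rows = [(a.name, inherent_risk(a), residual_risk(a)) for a in assets]
    return sorted(rows, key=lambda r: r[2], reverse=True)


def risks_above_appetite(assets: List[Asset], appetite: float) -> List[str]:
    """Names of assets whose residual risk is still above the level management
    agreed to live with (the 'list of risks we agree to live with')."""
    return [name for name, _, residual in risk_register(assets) if residual > appetite]


# Constructed sample register (all figures are assumptions for the example).
SAMPLE_ASSETS = [
    Asset("Customer database", value=500_000, threat=0.6, vulnerability=0.5, controls=[
        Control("Access control and device hardening", "preventative", 0.2),
        Control("Intrusion detection", "detective", 1.0),
        Control("Backup and restore", "corrective", 0.4),
    ]),
    Asset("Public web server", value=100_000, threat=0.9, vulnerability=0.4, controls=[
        Control("Legal warning banner", "deterrent", 0.9),
        Control("Firewall and DMZ", "preventative", 0.5),
    ]),
    # Corrective control with nothing to trigger it: residual equals inherent risk.
    Asset("Office laptops", value=20_000, threat=0.3, vulnerability=0.8, controls=[
        Control("Backup", "corrective", 0.5),
    ]),
]

if __name__ == "__main__":
    for name, inherent, residual in risk_register(SAMPLE_ASSETS):
        print(f"{name:20s} inherent={inherent:>10,.0f} residual={residual:>10,.0f}")
    print("above appetite (10,000):", risks_above_appetite(SAMPLE_ASSETS, 10_000))
```

Running it prints the register sorted by residual risk and the assets still above a risk appetite of 10,000. The "Office laptops" row shows the failure mode the diagram implies: a corrective control with no detective control to trigger it leaves the residual risk equal to the actual risk, so the backup alone buys nothing in this model until something can detect the incident.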

Security Governance

  Information security governance should deliver:
  –  Strategic alignment: orientations are driven by business requirements, not technology, and should impact productivity as little as possible
  –  Direction: a standard set of practices coupled with proper effort distribution, keeping focus on areas with the greatest impact and business benefits
  –  Risk management: a list of risks we agree to live with, a proper understanding of risk exposure and a sufficient awareness of management priorities
  –  Measurement: a defined set of metrics to independently obtain assurance on measurable processes and investment performance

Best Practices

  Complementary standards and guidelines that were inspired by ISO 17799, or were designed to support its implementation:
  –  AS/NZS 4360:2004, Risk Management Guidelines
  –  HB 231:2004, Information Security Risk Management Guidelines
  –  ISO 19011:2002, Guidelines for Management System Auditing
  –  PAS 56:2003, Guide to Business Continuity Management
  –  ISO/TR 18044:2004, Information Security Incident Management
  –  ISO GMITS 1996/2001 (Guidelines for the Management of IT Security):
       ISO/TR 13335-1:1996, Concepts and Models for IT Security
       ISO/TR 13335-2:1997, Planning IT Security
       ISO/TR 13335-3:1998, Management of IT Security
       ISO/TR 13335-4:2000, Selection of Safeguards
       ISO/TR 13335-5:2001, Management Guidance on Network Security

  CobiT control objectives are fully mapped to support ISO 17799
  ITIL is especially useful for 'Communications & Operations Management'

ISO17799

(Diagram) The ten control areas of ISO 17799, numbered as in ISO 17799:2000, protecting the Integrity, Confidentiality and Availability of Information, with CobiT (34 processes) and ITIL alongside:
 1. Information Security Policy
 2. Security Organisation
 3. Asset Classification & Control
 4. Personnel Security
 5. Physical Security
 6. Communication & Operations Mgmt
 7. Access Controls
 8. System Development & Maint.
 9. Bus. Continuity Planning
10. Compliance

Security Standard Roadmap

(Diagram placing standards on three layers, Philosophy / Management and Frameworks / Procedures and Mechanisms, captioned "Take your pick!") Standards shown: Privacy Act, OECD Guidelines, ISO 17799 Information Security Management, Incident Reporting, ISO 7498-2 OSI Security Model, ISO 10745, ISO 9160, ISSA Valuation Guidelines, Disaster Recovery, COBIT Security Review, ITSEC Evaluation Criteria, AS/NZS 4360 Risk Management, ISO 10181 Frameworks, ISO 9797 Integrity, ISO 13888 Non-Repudiation, Access Control, ISO 9798 Authentication, Confidentiality, ISO 10164 Audit, ISO 11770 Key Management, ISO 13335, Certification & Accreditation, NZS 6656 Trustworthy Operation

ITGI Security Maturity Model

Self Assessment

  Measure your compliance with policies and processes to judge if you are in reality moving up the security maturity scale

  Are you there yet? Initial assessment → Target maturity

Recommended Reference

Wrap Up

(Diagram: nested layers) Good Corporate Governance > Information Governance > Information Technology Governance > Information Security Governance

Standards:
  –  ISO 17799
  –  CobiT
  –  ITIL

Thank You