Promoting Good Corporate Governance through ICT and Accounting Practices
Dr. Richardus Eko Indrajit
Main Objectives for Today
What are the definitions of, and the relationships between:
– GOOD CORPORATE GOVERNANCE
– INFORMATION GOVERNANCE
– INFORMATION TECHNOLOGY GOVERNANCE
– INFORMATION SECURITY GOVERNANCE
Why are such matters important?
How to develop a holistic system from these diverse concepts?
Link to Corporate Governance
Good Corporate Governance – Information Governance – Information Technology Governance – Information Security Governance
Information Governance
Information Governance is a key part of Corporate Governance, and the way to ensure IT activities are aligned, managed and measured to ensure business success
Information Governance is important because IT is so critical to business success, represents very significant investments, and is complex and risky to manage
Corporate Governance
Corporate governance focuses on a wide range of stakeholders and is therefore concerned with such issues as:
– effectiveness and efficiency of operations
– reliability of financial reporting
– compliance with laws and regulations
– safeguarding of assets
– sustainability of business
This leads to Information Governance, because:
1. All business transactions are represented by information
2. All decision making is based on information
3. All communications are information exchanges
GCG Supporting Requirements
INFORMATION: Efficiency, Availability, Reliability, Effectiveness, Integrity, Confidentiality, Compliance
Information Governance Benefits
– Guarantee of Quality
– Trading Partner ‘Assurance’
– Customer Loyalty
– Security Assurance
– Reputation Enhancement
– Sustainable Growth
CobiT Framework for IT Governance
IT Resources: Data, Information Systems, Technology, Facilities, Human Resources
IT Processes: Plan and Organise, Acquire and Implement, Deliver and Support, Monitor and Evaluate
Business Requirements: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Information Reliability
Why Does IT Need a Control and Governance Framework?
Figure: stakeholder value delivered by IT, plotted over time on six axes (business support, service, quality, cost, delivery time, IT risks), with the intended outcomes labelled Aligned, Better, Cheaper, Faster, Secured and Controlled.
Information Security
A business-driven, IT-enabled, life cycle approach to protection of the intellectual property that defines the enterprise.
A critical opportunity for IT to deliver demonstrable business alignment and value and to reduce operational risk.
Information Security Governance
Information security life cycle management that is demonstrably, transparently driven by strategic, policy, operational, regulatory, and technology priorities and goals of the enterprise at large.
Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability
Information Security Governance Model
Figure: the model's layers are Strategy, Policies & Procedures, Operations & Organization, Technology and Regulations. Elements shown, grouped as on the slide:
– Applications, Architecture, Infrastructure, Procurement, Selection, Vendors, Alignment with business
– Measurement & metrics, Planning, Risk management
– Best practices, Documentation, Human resources, Methodologies, Standards, Training
– Availability, Backup/recovery, Contingent workforce, Outsourcing, Performance, Reliability, Resource management, SLAs
– Business continuity, Data integrity, Data retention, Privacy, Reporting, Security, Governance
Compliance Statistics
1. IS Policy: 55
2. Allocation of responsibilities: 40
3. Education & Training: 25
4. Incident Reporting: 20
5. Virus/Technical Controls: 60
6. Business Continuity Planning: 50
7. Safeguarding Business Assets: 70
8. Control of Software Infringements: 60
9. Legal Compliance: 70
10. IS Compliance: physical breaches 90, logical breaches 25
Sapphire’s Benchmarking
Figure: chart on a 0.00 to 5.00 maturity scale for each ISO 17799 domain (Security Policy; Organizational Security; Asset Classification & Control; Personnel Security; Physical and Environmental Security; Communications & Operations Mgmt; Access Control; Systems Development and Maintenance; Business Continuity Management; Compliance), with three series: Status at Start, Strategy, Best Practice.
Current Security Pressures
– Risks & threats are real – impact on your organisation
– Effective information security requires coordinated action from the top
– IT investments are increasing & need directing
– Cultural & organisational factors are important
– Rules & priorities need to be established & enforced
– Trust in the reliability of systems is required by all stakeholders
– Security incidents could be exposed to the public
– Reputational damage can be high
Securing Corporate Infrastructure
Management Dilemma — or — Technical Problem
Terms scattered across the slide: Security Awareness, Corporate Governance, Firewall, DMZ, Layered Defense, Intrusion Detection, Authentication, Hacker, Digital Signatures, Denial of Service, Policies & Procedures, Anti-Virus, Physical Security, Non-Repudiation, Internal Controls, Integrity, Vulnerability Testing, Confidentiality, Accountability, Availability, Device Hardening, Litigation, Access Controls, Security Program, Security Organization, Risk Assessment, Wireless, VPN, Privacy, PKI, Worms, Tokens, Cyber Terrorism, ISO 17799, GLBA, HIPAA
Security Governance
Governance is: doing things the way they should be done, to protect the business, the employees and shareholder value
Risks and threats are real and could have significant impact on your business
Information security is the responsibility of the board; members should sign off the policy
Information assets possess value; proper protection should therefore be in place
Information security is not free; like any investment, it should be properly managed
Proactive Risk Management
Figure: top management, under external pressure from regulators, shareholders, trading partners and customers, faces political risk, safety risk, credit risk, market risk and information risk, all handled through RISK MANAGEMENT PROCESSES.
Information Security
Asset-oriented information security:
– Protecting Confidentiality
– Ensuring Integrity
– Preserving Availability
– Addressing Compliance
– Augmenting Reliability
Business-oriented information security:
– Managing risk
– Ensuring business continuity
– Protecting corporate image
– Protecting shareholders’ value
Robert Potvin, CISSP & CBCP
Information Risk Under Control
Figure: business (including security) requirements drive the arrangements for protecting information; threats to the confidentiality, integrity or availability of information (accidental or deliberate) act on the business system and its information, and any loss of confidentiality, integrity or availability has an impact on the business. The arrangements work in three stages:
PREVENTION: prevent incidents happening, as far as possible
DETECTION: detect incidents that slip through
RECOVERY: facilitate recovery from incidents
Arrangements for protecting information:
– Policies and standards, Ownership, Organisation, Risk identification, Awareness, Service agreements
– User capabilities, IT capabilities, System configuration, Data back-up, Contingency arrangements, Physical security
– Access to information, Change management, Problem management, Special controls, Audit/review, (Business practices)
Risk Management
Figure: risk drawn as a cube whose three edges are Asset Value, Threat and Vulnerability; Risk = volume of the cube. Actual Risk and Residual Risk are shown as two such cubes, each with edges Asset Value, Threat and Vulnerability.
Threat, Risk, Vulnerabilities
Figure (relationships drawn between the boxes): Threats exploit Vulnerabilities; Vulnerabilities expose Assets; Assets have Asset Values; Controls protect against Threats and reduce Risk; Security Requirements are met by Controls; Risk has an Impact on the Organisation.
Security Controls
Figure (control types and what they act on, as drawn): a Threat creates an Attack; a Deterrent Control reduces the likelihood of an Attack; an Attack exploits a Vulnerability, which results in an Impact; a Preventative Control protects against and reduces the Vulnerability; a Detective Control discovers the Attack and can trigger a Corrective Control, which decreases the Impact.
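To make the risk cube and the control diagram concrete, here is an added example (not from the slides) that models risk as asset value × threat × vulnerability and lets each control type shrink the factor it acts on; the 0..1 effect scale, the mapping of detective controls onto impact and the sample register are assumptions.

```python
from dataclasses import dataclass, field
# Control kinds named on the slide and the cube edge (or the impact) each one shrinks.
# "effect" is the fraction of that factor the control removes (0..1); an assumed scale.
KIND_TO_FACTOR = {
    "deterrent": "threat",            # reduces the likelihood of an attack
    "preventative": "vulnerability",  # protects the vulnerability
    "detective": "impact",            # discovers the attack, limiting damage (assumption)
    "corrective": "impact",           # decreases the impact after the fact
}
@dataclass
class Control:
    name: str
    kind: str
    effect: float

    def __post_init__(self) -> None:
        if self.kind not in KIND_TO_FACTOR:
            raise ValueError(f"unknown control kind: {self.kind}")
        if not 0.0 <= self.effect <= 1.0:
            raise ValueError("effect must be between 0 and 1")

@dataclass
class Asset:
    name: str
    value: float          # asset value: the impact if the asset is compromised
    threat: float         # likelihood of an attack, 0..1
    vulnerability: float  # likelihood that an attack succeeds, 0..1
    controls: list = field(default_factory=list)

    def actual_risk(self) -> float:
        """Volume of the cube before any control: value x threat x vulnerability."""
        return self.value * self.threat * self.vulnerability

    def residual_risk(self) -> float:
        """Volume of the cube after each control shrinks the factor it acts on."""
        f = {"impact": self.value, "threat": self.threat, "vulnerability": self.vulnerability}
        for c in self.controls:
            f[KIND_TO_FACTOR[c.kind]] *= 1.0 - c.effect
        return f["impact"] * f["threat"] * f["vulnerability"]
def risk_register(assets: list) -> list:
    """(name, actual, residual) per asset, highest residual risk first."""
    rows = [(a.name, a.actual_risk(), a.residual_risk()) for a in assets]
    return sorted(rows, key=lambda r: r[2], reverse=True)
# Constructed sample register; the figures are illustrative, not from the slides.
SAMPLE = [
    Asset("customer database", 1_000_000, 0.6, 0.5, [Control("firewall", "preventative", 0.5),
          Control("IDS", "detective", 0.2), Control("tested backups", "corrective", 0.4)]),
    Asset("public website", 100_000, 0.9, 0.8, [Control("patching", "preventative", 0.75)]),
]
```

Because every effect is a fraction between 0 and 1, residual risk can never exceed actual risk, and the register shows which asset still carries the most risk after the controls the organisation has agreed to live with.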
Security Governance
Information security governance should deliver:
– Strategic alignment: orientations are driven by business requirements, not technology, and should impact productivity as little as possible
– Direction: a standard set of practices coupled with proper effort distribution, keeping focus on areas with the greatest impact and business benefits
– Risk management: a list of risks we agree to live with, a proper understanding of risk exposure and a sufficient awareness of management priorities
– Measurement: a defined set of metrics to independently obtain assurance on measurable processes and investment performance
Best Practices
Complementary standards and guidelines that are inspired by ISO17799, designed for it, or support its implementation:
– AS/NZS 4360:2004, Risk Management Guidelines
– HB-231:2004, Information Security Risk Management Guidelines
– ISO-19011:1996, Guidelines for Management System Auditing
– PAS56:2003, Guide to Business Continuity Management
– ISO/TR-18044:2004, Information Security Incident Management
– ISO-GMITS:1996/2001 (Guidelines for the Management of IT Security):
  ISO/TR-13335/1:1996, Concepts and Model for IT Security
  ISO/TR-13335/2:1997, Planning IT Security
  ISO/TR-13335/3:1998, Management of IT Security
  ISO/TR-13335/4:2000, Selection of safeguards
  ISO/TR-13335/5:2001, Management guidance on network security
CoBIT control objectives are fully mapped to support ISO17799; ITIL is especially efficient for ‘Communication & Operations Management’.
ISO17799
Figure: the ten ISO17799 control domains, numbered 1 to 10 on the slide: Information Security Policy; Security Organisation; Asset Classification & Controls; Personnel Security; Physical Security; Communication & Operations Mgmt; Access Controls; System Development & Maint.; Bus. Continuity Planning; Compliance. Together they protect the Integrity, Confidentiality and Availability of Information.
Security Standard Roadmap
Figure: standards arranged on three levels, Philosophy, Management and Frameworks, and Procedures and Mechanisms, with the note "Take your pick!". Standards shown: Privacy Act, OECD Guidelines, ISO 17799 Information Security Management, Incident Reporting, ISO 7498-2 OSI Security Model, ISO 10745, ISO 9160, ISSA Valuation Guidelines, Disaster Recovery, COBIT Security Review, ITSEC Evaluation Criteria, AS/NZS 4360 Risk Management, ISO 10181 Frameworks, ISO 9797 Integrity, ISO 13888 Non-Repudiation, Access Control, ISO 9798 Authentication, Confidentiality, ISO 10164 Audit, ISO 11770 Key Management, ISO 13335, Certification & Accreditation, NZS 6656 Trustworthy Operation.
Self Assessment
Measure your compliance with policies and processes to judge if you are in reality moving up the security maturity scale
Are you there yet?
Initial assessment Target maturity
Wrap Up
Good Corporate Governance – Information Governance – Information Technology Governance – Information Security Governance
Standards: ISO 17799 CobiT ITIL