IPPF – Practice Guide: Information Security Governance
About IPPF

The International Professional Practices Framework (IPPF) is the conceptual framework that organizes authoritative guidance promulgated by The Institute of Internal Auditors. IPPF guidance includes:

Mandatory Guidance

Conformance with the principles set forth in mandatory guidance is required and essential for the professional practice of internal auditing. Mandatory guidance is developed following an established due diligence process, which includes a period of public exposure for stakeholder input. The three mandatory elements of the IPPF are the Definition of Internal Auditing, the Code of Ethics, and the International Standards for the Professional Practice of Internal Auditing (Standards).

Definition of Internal Auditing: The Definition of Internal Auditing states the fundamental purpose, nature, and scope of internal auditing.

Code of Ethics: The Code of Ethics states the principles and expectations governing behavior of individuals and organizations in the conduct of internal auditing. It describes the minimum requirements for conduct and behavioral expectations rather than specific activities.

International Standards: Standards are principle-focused and provide a framework for performing and promoting internal auditing. The Standards are mandatory requirements consisting of:
- Statements of basic requirements for the professional practice of internal auditing and for evaluating the effectiveness of its performance. The requirements are internationally applicable at organizational and individual levels.
- Interpretations, which clarify terms or concepts within the statements.
It is necessary to consider both the statements and their interpretations to understand and apply the Standards correctly. The Standards employ terms that have been given specific meanings that are included in the Glossary.

Strongly Recommended Guidance

Strongly recommended guidance is endorsed by The IIA through a formal approval process. It describes practices for effective implementation of The IIA's Definition of Internal Auditing, Code of Ethics, and Standards. The three strongly recommended elements of the IPPF are Position Papers, Practice Advisories, and Practice Guides.

Position Papers: Position Papers assist a wide range of interested parties, including those not in the internal audit profession, in understanding significant governance, risk, or control issues and delineating related roles and responsibilities of internal auditing.

Practice Advisories: Practice Advisories assist internal auditors in applying the Definition of Internal Auditing, the Code of Ethics, and the Standards and promoting good practices. Practice Advisories address internal auditing's approach, methodologies, and considerations, but not detailed processes or procedures. They include practices relating to: international, country, or industry-specific issues; specific types of engagements; and legal or regulatory issues.

Practice Guides: Practice Guides provide detailed guidance for conducting internal audit activities. They include detailed processes and procedures, such as tools and techniques, programs, and step-by-step approaches, as well as examples of deliverables.

This GTAG is a Practice Guide under the IPPF.

For other authoritative guidance materials, please visit www.theiia.org/guidance/.
Global Technology Audit Guide (GTAG) 15
Information Security Governance

Authors:
Paul Love, CISSP, CISA, CISM
James Reinhard, CIA, CISA
A.J. Schwab, CISA
George Spafford, CISA

June 2010

Copyright 2010 by The Institute of Internal Auditors, located at 247 Maitland Avenue, Altamonte Springs, FL 32701, USA. All rights reserved. Published in the United States of America.

Except for the purposes intended by this publication, readers of this document may not reproduce, store in a retrieval system, redistribute, transmit in any form by any means (electronic, mechanical, photocopying, recording, or otherwise), display, rent, lend, resell, commercially exploit, or adapt the statistical and other data contained herein without the permission of The IIA.

The information included in this document is general in nature and is not intended to address any particular individual, internal audit activity, or organization. The objective of this document is to share tools, resources, information, and/or other knowledge that is accurate, unbiased, and timely. However, based on the date of issuance and changing environments, no individual, internal audit activity, or organization should act on the information provided in this document without appropriate consultation or examination.
GTAG — Table of Contents

Executive Summary
Introduction
  2.1. What is Information Security Governance?
  2.2. What is Effective Information Security Governance?
  2.3. What is Efficient Information Security Governance?
  2.4. Why Should the CAE Be Concerned About Information Security Governance?
The Internal Audit Activity's Role in Information Security Governance
  3.1. The Internal Audit Activity's Responsibilities Related to Information Security Governance
  3.2. Auditor Background and Experience Level
  3.3. Audits of Information Security Governance
Auditing Information Security Governance
  4.1. Auditing Information Security Governance – Planning
  4.2. Auditing Information Security Governance – Testing
  4.3. Auditing Information Security Governance – Analyzing
Conclusion/Summary
Appendix – Sample Audit Questions/Topics
References
Authors and Reviewers
GTAG — Executive Summary

1. Executive Summary

Multiple definitions of information security governance (ISG) exist across organizations and standard-setting bodies. Common ISG themes include:
- Promoting good information security (IS) practices with clear direction and understanding at all levels.
- Controlling IS risks associated with the business.
- Creating an overall IS activity that reflects the organization's needs and risk appetite levels.

One way to depict ISG is demonstrated in Figure 1 (Page 2). IS is an important part of the enterprise's overall governance and is placed in the middle of IT governance, IT operations (i.e., the current state of IT), and IT projects (i.e., the future state of IT). Figure 1 represents a traditional model for IS in many organizations. The trend in the IS field is for ISG to have a role in IT and within the organization. IS always will have a special relationship with IT because of the amount of data that information systems hold as well as the impact of losing that information as opposed to paper-based business processes. While the information both processes hold is important to the IS practitioner, in terms of sheer impact, the IT loss would be dramatically more significant. There are no right or wrong governance models; each organization is different, as are its needs and risk tolerance.

Boards of directors and executive management must support the ISG structure. The board provides overall strategic guidance to management, who must carry out the board's directives through day-to-day management and strategic initiative alignment. Effective and efficient IS requires both governance and management actions.

To improve corporate governance, the board should establish oversight of business/organizational risks, including IS, as part of the charter of the board's risk committee or another committee under the board's purview. The internal audit activity (IAA) should support the designated board committee by assuring that relevant policies, procedures, and practices pertaining to IS are in place and operating effectively.

The chief audit executive (CAE) has responsibility within an organization to provide assurance over the management of major risks, including IS risks. Information is a significant component of most organizations' competitive strategy, either through the direct collection, management, and interpretation of business information or through the retention of information for day-to-day business processing. Some of the more obvious results of IS failures include reputational damage, placing the organization at a competitive disadvantage, and contractual noncompliance. These impacts should not be underestimated. If an organization depends on the faith and trust of its customers, a minor breach can shake customer confidence to the point of loss of business. IS typically is not a reason that customers choose to create or renew a business relationship with an organization, but failing to meet customer expectations for IS controls can cause a current customer not to renew a business relationship or deter a potential customer from forging a new relationship.

The IAA should support the ISG process to the extent allowed by its charter and The IIA's International Professional Practices Framework (IPPF). This participation will likely include activities such as:
- Assessing the degree to which governance activities and standards are consistent with the IAA's understanding of the organization's risk appetite.
- Consulting engagements as allowed by the audit charter and approved by the board.
- Ongoing dialogue with the ISG activity to ensure that substantial organizational and risk changes are being addressed in a timely manner.
- Performing formal audits of the ISG activity that are consistent with The IIA's International Standards for the Professional Practice of Internal Auditing (Standards), Standard 2110.A2: "The internal audit activity must assess whether the information technology governance of the organization sustains and supports the organization's strategies and objectives."[1]

Audits of ISG primarily should focus on the organization's implementation of ISG practices, which include clearly defined policies, roles and responsibilities, risk appetite alignment, effective communication, tone at the top, and clear accountability.

This Global Technology Audit Guide (GTAG) will provide a thought process to determine what matters to the organization. This GTAG also will assist the CAE in incorporating an audit of ISG into the audit plan, focusing on whether the organization's ISG activity delivers the correct behaviors, practices, and execution of IS.

Core objectives of this GTAG include:
1. Define ISG.
2. Help internal auditors understand the right questions to ask and know what documentation is required.
3. Describe the IAA's role in ISG.

[1] These preliminary discussions may seem familiar to readers of GTAG-9: Identity and Access Management, which recommends that, "Prior to conducting an IAM [identity and access management] audit, auditors need to understand the organization's existing IAM structure, such as the company's business architecture and IAM policies, as well as the laws, regulations, and mandates for which compliance is necessary." A key distinction between IAM and ISG is that governance is inherently a strategic activity, whereas access and identity management is largely operational/tactical in nature.
GTAG — Introduction

2. Introduction

2.1. What is Information Security Governance?

The IIA's IPPF provides the following definition of Information Technology (IT) Governance:

Information Technology Governance consists of leadership, organizational structures, and processes that ensure the enterprise's information technology sustains and supports the organization's strategies and objectives.

The IPPF does not provide a specific definition for ISG. However, one way to depict ISG is demonstrated in Figure 1 (below). IS is an important part of the enterprise's overall governance, IT operations (i.e., the current state of IT), and IT projects (i.e., the future state of IT). (Note: The authors are not suggesting that IT is the only area where ISG should be practiced, but in terms of the impact of control failure, it should be one of the first areas of Enterprise Governance.)

Figure 1. Information Security Governance Triangle

The term ISG can be widely interpreted. Various security organizations and standard-setting bodies have their own definitions and guidance surrounding ISG.[2] Common ISG themes among these security organizations and standard-setting bodies include promoting good IS practices with clear direction and understanding from the top down, controlling security risks associated with the business, and sustaining an overall IS activity that reflects the organization's needs and risk appetite levels. An organization develops a framework and reporting structure to address ISG, and while formalized, documented policies may exist, reporting lines to the organization's defined governance bodies can be formal or informal. The importance of the informal reporting lines should not be underestimated, because many activities in an organization occur outside the formal structures.

[2] Examples include the Information Security Forum's The Standard of Good Practice for Information Security; Australian Standard (AS) 11770.1-2003, Information Technology — Security Techniques — Key Management; the Software Engineering Institute's Governing for Enterprise Security Implementation Guide; the National Institute of Standards and Technology's Program Review for Information Security Management Assistance (PRISMA); and the Information Security Management Series (ISO 27000) published jointly by the International Organization for Standardization and the International Electrotechnical Commission.

IT management literature commonly commingles the concepts of governance and management, to the detriment of both, because roles and responsibilities are no longer clear. Governance typically has a board that is responsible for setting the organization's strategy and goals. As part of this, the board focuses on strategy, risk management, and leadership. Oversight of management and direction of the organization are central to governance.

In contrast, management is tasked with using resources, including financial and labor, to accomplish and safeguard stated objectives in the identified timeframe. The board does not manage the day-to-day activities of management but strives to ensure that the desires of investors and other key stakeholders are met. For example, pressures from investors to improve quarterly earnings can cause the board to be at odds with management. The segregation of duties between the board and management provides a key control to safeguard the goal of maximizing return on shareholder equity and balancing it with identifying and managing risks.

The Information Security Practical Guidance on How to Prepare for Successful Audits, from the IT Compliance Institute, provides some clarification of the board's and executive management's roles in ISG. The document states that the board should "provide oversight at a level above other business managers. The board members' role in information security is to ask managers the right questions and encourage the right results." The document notes that the board must provide the appropriate tone at the top for IS. Conversely, the document states "executive management must provide leadership to ensure that information security efforts are supported and understood across the organization, demonstrating by example the mandate of security policies." Figure 2 (Page 3) is reprinted from the IT Compliance Institute's guidance and further outlines the roles of the board and executive management, as well as presenting the roles of line managers and internal auditors. (Note: Additionally, the authors of this GTAG would add "establish the risk appetite" as part of the board of directors' roles in Figure 2.) Figure 3 (Page 4), taken from GTAG-1: Information Technology Controls, further describes a typical structure of a public company's board, standing committees, and specific executive management roles (e.g., CEO, CFO, CIO) that could be part of any organization's ISG program.

Figure 2. Information Security Responsibilities[3]

Board of Directors:
- Provide oversight.
- Communicate business imperative.
- Establish and oversee security policy.
- Define corporate security culture.

Executive Management:
- Provides leadership.
- Ensures IS efforts are supported and understood across the organization.
- Dedicates sufficient resources to be effective.
- Advances the goal of security oversight and promotes continuous improvement and success.

Staff and Line-of-Business Managers:
- Contribute to design and implementation of IS activities.
- Review and monitor security controls.
- Define security requirements.

Internal Auditors:
- Assess information control environments, including understanding, adoption, and effectiveness.
- Validate IS efforts and compare current practices to industry standards.
- Recommend improvements.

[3] Excerpt from the IT Compliance Institute's Information Security Practical Guidance on How to Prepare for Successful Audits, it-audit-checklist-information-security.

Figure 3. Roles of the Governance Bodies and Functions[6]
Description of Various Board Standing Committees and Executive Management

Audit Committee: The role of the audit committee encompasses oversight of financial issues, internal control assessment, risk management, and ethics.

Governance Committee: The governance committee is responsible for board member selection and assessment and for leadership of the board's operations.

Risk Management Committee: The risk management committee is responsible for oversight of all risk analysis and assessment, risk response, and risk monitoring.

Finance Committee: The main role of the finance committee is to review financial statements, cash flow projections, and investment management. Members of this committee need to understand the control elements of IT that ensure the accuracy of information used to make key financing decisions and generate financial reports.

Chief Executive Officer (CEO): The CEO has overall strategic and operational control of the organization and must consider IT in most aspects of the role.

Chief Financial Officer (CFO): The CFO has overall responsibility for all financial matters in the organization and should have a strong understanding of the use of IT to enable financial management and to support corporate objectives.

Chief Information Officer (CIO): The CIO has overall responsibility for the use of IT within the organization.

Chief Security Officer (CSO): The CSO is responsible for all security across the entire organization, including IS, which also may be the responsibility of a chief information security officer (CISO). Additionally, as discussed in GTAG-6: Managing and Auditing IT Vulnerabilities, the CISO supports activities such as effective vulnerability management and helping to align technical risks with business risks.

Chief Legal Counsel (CLC): The CLC may be an employee, an officer of the organization, or an external legal adviser.

Chief Risk Officer (CRO): The CRO is concerned with managing risk at all levels of the organization. Because IT risks form a part of this function, the CRO will consider them with the help of the CISO.

[6] GTAG-1: Information Technology Controls.

IS must be recognized as a key risk management activity. "Security is a state of being free from doubt or danger. Information security involves protection of information assets (whether in digital, physical, or human form) and information systems from damage, misuse, or attack (whether in storage, processing, or transit), resulting in information being stable, reliable, and free of failure."[4]

[4] Bihari, Endre. Information Security Definitions, 2003. www.perfres.net

Effective IS requires both governance and management actions. The board needs IS to help mitigate and report on confidentiality, integrity, and availability risks to the organization's goals. To improve corporate governance, the board would typically establish oversight of IS as part of the charter of the board's risk committee or another committee within the board's structure. If the business units and the IT services that create and store data do not provide the degree of confidentiality, integrity, and availability expected by stakeholders, customers, or regulating entities, then unacceptable risks likely will exist. In most cases, the lowest common threshold is compliance with the law, which helps IS practitioners understand the lower bar that should never be breached. The internal auditor should confirm that relevant policies, procedures, and practices pertaining to IS are in place.

Management will then create an IS organizational structure[5] and budget that are commensurate with the direction set forth by the risk committee, or other such forum, and the board. In the absence of specific direction, management should understand the compliance aspects and use that as the minimum threshold to fill any vacuums that may exist in guidance from the top. Audits provide assurance that management has implemented and is sustaining both an effective IS activity and overall compliance with IS policies.

[5] This can include a separate IS activity as well as embedding IS responsibilities into existing roles, as long as accountability is clear. The structure is organization-dependent.

2.2. What is Effective Information Security Governance?

An effective ISG program:
- Involves appropriate organizational personnel.
- Defines a governance framework or methodology.
- Enables uniform risk measurement across the organization.
- Produces quantifiable, meaningful deliverables.
- Reflects business priorities, organizational risk appetites, and changing levels of risk.

The ISG activity needs to involve appropriate organizational personnel.

This personnel includes the board (as discussed in section 2.1) and executive management, from whom internal auditors must elicit commitment and financial and political support. The IS department will provide standards/baseline tools and processes to support the execution of the IS activity. Privacy, compliance, legal, and IT functions should participate in this program to ensure that information assets are adequately identified and managed according to relevant outside expectations (e.g., current and future customers, regulators, stakeholders, and others who are relevant to the organization's long-term, strategic goals). Finally, the human resources function should assist in communicating uniform standards to all employees and in providing uniform guidance in disciplinary activity associated with violation of the IS mandates. Without the appropriate support of these groups, the ISG activity may devolve into IS management and become an operational/tactical, rather than strategic, activity.

The ISG activity should yield quantifiable and measurable deliverables.[7]

Qualitative data can be useful in management activities, but quantitative data offers improved tracking and trending capabilities that are not available through qualitative measures. Quantitative measures could include the number of policies and standards delivered, the number of significant security events occurring, and the results of corporate security training programs. This does not mean that qualitative results have no value; however, qualitative data without appropriate quantitative supporting data diminishes the perceived value of the information provided. A mixture of quantitative and qualitative measures taken together provides the insight into the IS activity that management needs to make appropriate decisions. However, a successful ISG activity should be driven by fact-based, objective metrics, with appropriate risk analysis performed by IS professionals who understand the organization.

[7] Examples of deliverables and metrics can be found in the National Institute of Standards and Technology's Performance Measurement Guide for Information Security (Special Publication 800-55 Revision 1).

The ISG activity defines an appropriate framework or methodology to guide its activities.

Examples of governance frameworks can be found in GTAG-11: Developing the IT Audit Plan or the IT Governance Institute's Information Security Governance: Guidance for Boards of Directors and Executive Management, 2nd Edition. These frameworks help ensure that the organization operates in a structured, consistent, objective, and effective manner that can be easily explained to stakeholders, regulatory agencies, service providers, and other outside parties. Well-planned frameworks also can guide future business changes and activities by ensuring that proposed activities are considered according to the same criteria as existing activities. Using a framework allows an organization to benefit from leading practices developed over time.

The ISG activity should adapt its priorities based on legal, regulatory, and business changes, and deploy policies and standards that reflect the organization's risk appetite and are practical, reasonable, and enforceable.

Successful businesses are rarely static. They face changing external conditions such as competition, regulation, evolving business models, and changes in supply chains. The ISG team needs to understand and support these activities. As an example, if the organization expands to add a new business activity, the impact must be fully considered. Does it introduce new regulations? Does it introduce new inherent risks? Does it alter the state of existing business functions? The ISG activity also should reflect ongoing changes within established businesses. Legacy business activities are also subject to emerging regulations and emerging threats. If the organization does not adapt its governance and management activities to reflect these changes, it may not survive. As noted in GTAG-11: Developing the IT Audit Plan, 36 percent of internal auditors now re-perform their risk assessments more than once per year. This reflects how rapidly changes in risk can occur.[8]

[8] IPPF Standard 2010: Planning — "The chief audit executive must establish risk-based plans to determine the priorities of the internal audit activity, consistent with the organization's goals." IPPF Standard 2010.A1 — "The internal audit activity's plan of engagements must be based on a documented risk assessment, undertaken at least annually."

Uniform IS risk evaluations are also an element of effective ISG.

Like all business activities, IS activities must be prioritized. Deploying uniform risk measurement tools across the organization helps ensure that the areas of highest IS risk can be clearly identified. Risk evaluation tools should establish thresholds to distinguish inherent risk across the environment. An organization may, for example, choose to leave systems as-is (i.e., accept the risk) if acceptable thresholds have not been exceeded. This can begin as a simple assessment of risk at a very high level, such as a simple document outlining the high-level risks. (Note: It is expected that these tools will evolve, but the authors have seen very complicated, quantitative methods used to implement a risk evaluation process that never bears any value due to the sheer number of risks any organization takes in its day-to-day activities.) It is crucial that management provide the appropriate time and resources to allow the activity to develop naturally throughout the organization.

2.3. What is Efficient Information Security Governance?

An efficient ISG activity will reflect the concept of proportionality by:
- Encouraging a tiered structure of internal control.
- Adjusting reporting based on the level of management involved.
- Allowing for properly approved deviations from policies and standards.

An efficient ISG activity encourages proportional control.

This means providing greater control for higher-impact activities and more valuable assets. It also encourages less control for lower-risk activities and less valuable assets. Unless compelled by regulation or external certification authorities, an organization would not typically spend money to further control low-risk activities.

is keeping its responsibilities regarding IS in context with organizational needs are:
- Regulatory actions. Many organizations handle some form of PII, Protected Health Information (PHI), or other regulated information (e.g., prerelease information) for their customers or employees. In many jurisdictions, this type of information is heavily regulated. In addition to the well-known PII issues, the loss of data or compromised data integrity could present a serious problem in the confidence of the financial statements or