Lesson 4 - Information System Governance and Risk Assessment
IT Governance
It is a set of responsibilities and practices exercised by the board and executive management to:
• Strategic alignment
• Value delivery
• Risk management
• Resource management
• Performance measures
Business Goals and Objectives
To meet customer needs by ensuring that business processes and operations are in place.
Business Drivers
• Organizational needs
• Social needs
• Brand image
Enablers are factors that individually and collectively influence whether something will work.
Enabler Categories
Information Security Governance
It is the responsibility of the board of directors and executive management and must have a clear organizational strategy for preservation.
Information Security Governance: Outcomes
• Information security is treated as a critical business issue
• Implementation and maintenance of information security activities
Management Support
It is the extent to which the senior management understands the importance of the security function and supports security goals and priorities.
Management support includes:
• Participating in security plans and policies
• Committing funding and resources
Performance Management
It is the systematic process by which the Department of Commerce involves its employees as individuals and members of a group.
Types of Performance Management
IT Balanced Scorecard
It is a performance metric used in strategic management to identify and improve various internal functions of a business.
Capability Maturity Model
A SMART metric stands for:
• Specific
• Measurable
• Achievable or acceptable
• Realistic
• Time-specific or trackable
Risk Management
It is the process of identifying, assessing, monitoring, and controlling events arising from risks.
• Enables business to prioritize risks
• Considers organization culture, reputation, and brand image
• Is based on expert judgment, intuition, and experience
Risk management methods are:
• Risk avoidance: Eliminate activities that involve risks
Key Performance Indicator
A Key Performance Indicator is a quantifiable metric that reflects how well an organization is achieving its stated goals and objectives.
Key Risk Indicators are metrics used by organizations to provide an early signal of increasing risk exposure in various areas of the enterprise.
Diagram: Metrics: Measurement; KPIs (Performance Assessment) and KRIs (Risk Assessment); Analytics; Decision Making.
Risk IT Framework
Diagram: Risk IT Framework, shown alongside Val IT and COBIT; labels: IT-related Events, IT Process Management.
Risk Governance
• Define IT structure, roles, and responsibilities
Components of IS Programs are:
• People
• Process
IS Programs Objectives
• Implement IS strategy in a cost-effective manner
• Develop methods to measure progress
Diagram: Program Objectives; labels: Managers, Sponsors, Funding, Timeline.
IS Management Framework: COBIT®
It helps companies map their IT processes to ISACA’s best practices standard.
Five Principles of COBIT
• Emphasis on prevention
• Security policies
• Access control
• Cryptography
• Asset management
• Operations security
• Communications security
• Supplier relationships
• Compliance
• Strategic alignment
• Risk management
• Value delivery
• Performance management
• Resource management
• Business process assurance
Outcomes of IS Program
• Strategic alignment: It determines the competitiveness of an organization. It explains how organizations can increase growth and profitability.
• Risk Management: Information security manager is responsible for information assets. IS manager must understand threats to the organization, its vulnerabilities, and the risk profile.
• Value Delivery: IS program must deliver the required level of security effectively and efficiently.
• Resource Management: IS manager must use human, technical knowledge and financial resources effectively.
• Performance Management: It must develop monitoring process and metrics. IS managers must seek independent assurance.
• Business Process Assurance: IS manager must understand that IS is only a part of effective security.
Supply Chain
• Certification of international standards
Supplier Management Controls
It is the process whereby companies monitor and manage interactions with all external parties with which they have a relationship.
Personnel Management
• Roles
• Responsibility
• Skills
• Organizational Culture
Case Study: AWS Outage
Problem Statement: In May 2017, Amazon faced a big A.W.S. outage that took down a bunch of large internet sites for several hours on a Tuesday afternoon.
• Inadequate funding
Key Takeaways
Knowledge Check 1
Which of the following models describes a five-level evolutionary path of increasingly organized and systematically more mature processes?
a. Measurable
b. Initial
c. Achievable
d. Reliable
b. Initial
The model which describes a five-level evolutionary path of increasingly organized and systematically more mature processes is initial.
Knowledge Check 2
Which of the following is a system of organizations, people, activities, information, and resources involved in moving a product to the customer?
c. Supply chain
Supply chain is a system of organizations, people, activities, information, and resources involved in moving a product to the customer.
Knowledge Check 3
Which of the following are the components of IS Programs?
a. Roles
b. Skills
c. Responsibility
d. Process