Gtag No 01: IT Controls
Authors
David A. Richards, CIA, President, The IIA
Alan S. Oliphant, MIIA, QiCA, MAIR International
March 2005
Copyright 2005 by The Institute of Internal Auditors (IIA), 247 Maitland Ave., Altamonte Springs, FL 32701-4201 USA.
All rights reserved. Printed in the United States of America. No part of this publication may be reproduced, stored in a retrieval system,
or transmitted in any form by any means electronic, mechanical, photocopying, recording, or otherwise without prior written
permission from the publisher.
The IIA publishes this document for informational and educational purposes. This document is intended to provide information,
but is not a substitute for legal or accounting advice. The IIA does not provide such advice and makes no warranty as to any legal or
accounting results through its publication of this document. When legal or accounting issues arise, professional assistance should be
sought and retained.
Contents
Introduction
Understanding IT Controls
Importance of IT Controls
IT Roles in the Organization
Analyzing Risk
Monitoring and Techniques
Assessment
Conclusion
Appendix A Information Security Program Elements
Appendix B Compliance With Laws and Regulations
Appendix C Three Categories of IT Knowledge for Internal Auditors
Appendix D Compliance Frameworks
Appendix E Assessing IT Controls Using COSO
Appendix F ITGI Control Objectives for Information and Related Technology (CobiT)
Appendix G Example IT Control Metrics to Be Considered by Audit Committees
Appendix I References
Appendix L GTAG Partners and Global Project Team
IT controls do not exist in isolation. They form an interdependent continuum of protection, but they may also be subject to compromise due to a weak link. They are subject to error and management override, may range from simple to highly technical, and may exist in a dynamic environment.
IT controls have two significant elements: the automation of business controls and control of IT. Thus, IT controls support business management and governance as well as provide general and technical controls over IT infrastructures.
The internal auditor's role in IT controls begins with a sound conceptual understanding and culminates in providing the results of risk and control assessments. Internal auditing involves significant interaction with the people in positions of responsibility for controls and requires continuous learning and reassessment as new technologies emerge and the organization's opportunities, uses, dependencies, strategies, risks, and requirements change.
Many issues drive the need for IT controls, ranging from the need to control costs and remain competitive through the need for compliance with internal and external governance. IT controls promote reliability and efficiency and allow the organization to adapt to changing risk environments. Any control that mitigates or detects fraud or cyber attacks enhances the organization's resiliency because it helps the organization uncover the risk and manage its impact. Resiliency is a result of a strong system of internal controls because a well-controlled organization has the ability to manage challenges or disruptions seamlessly.
Key indicators of effective IT controls include:
- The ability to execute and plan new work such as IT infrastructure upgrades required to support new products and services.
- Development projects that are delivered on time and within budget, resulting in cost-effective and better product and service offerings compared to competitors.
- Ability to allocate resources predictably.
- Consistent availability and reliability of information and IT services across the organization and for customers, business partners, and other external interfaces.
- Clear communication to management of key indicators of effective controls.
- The ability to protect against new vulnerabilities and
The audit process provides a formal structure for addressing IT controls within the overall system of internal controls. Figure 1, The Structure of IT Auditing, below, divides the assessment into a logical series of steps.
The internal auditor's role in IT controls begins with a sound conceptual understanding and culminates in providing the results of risk and control assessments. Internal auditors interact with the people responsible for controls and must pursue continuous learning and reassessment as new technologies emerge and the organization's opportunities, uses, dependencies, strategies, risks, and requirements change.
technologies in use within the organization's IT infrastructures. The ability to automate technical controls that implement and demonstrate compliance with management's intended information-based policies is a powerful resource to the organization.
Figure 4: IT Controls
5.3.1 Policies
All organizations need to define their aims and objectives through strategic plans and policy statements. Without clear statements of policy and standards for direction, organizations can become disoriented and perform ineffectively. Organizations with clearly defined aims and objectives tend to be successful.
Because technology is vital to the operations of most organizations, clear policy statements regarding all aspects of IT should be devised and approved by management, endorsed by the board of directors, and communicated to all staff. Many different policy statements can be required, depending on the organization's size and the extent to which it deploys IT. For smaller organizations, a single policy statement may be sufficient, provided it covers all the relevant areas. Larger organizations that implement IT extensively will require more detailed and specific policies.
IT policy statements include, but are not restricted to:
- A general policy on the level of security and privacy throughout the organization. This policy should be consistent with all relevant national and international legislation and should specify the level of control and security required depending on the sensitivity of the system and data processed.
- A statement on the classification of information and the rights of access at each level. The policy should also define any limitations on the use of this information by those approved for access.
- A definition of the concepts of data and systems ownership, as well as the authority necessary to originate, modify, or delete information. Without these guidelines, it is often difficult to coordinate change within large organizations, because there may not be anyone designated to have overall responsibility for the data or systems.
- A general policy that defines the extent to which users can deploy intelligent workstations to create their own applications.
- Personnel policies that define and enforce conditions for staff in sensitive areas. This includes the positive vetting of new staff prior to joining the organization, carrying out annual credit checks, and having employees sign agreements accepting responsibility for the required levels of control, security, and confidentiality. This policy would also detail related disciplinary procedures.
- Definitions of overall business continuity planning requirements. These policies should ensure that all aspects of the business are considered in the event of
5.3.2 Standards
Standards exist to support the requirements of policies. They are intended to define ways of working that achieve the required objectives of the organization. Adopting and enforcing standards also promotes efficiency because staff are not required to reinvent the wheel every time a new business application is built or a new network is installed. Standards also enable the organization to maintain the whole IT operating environment more efficiently.
Large organizations with significant resources are in a position to devise their own standards. On the other hand, smaller organizations rarely have sufficient resources for this exercise. There are many sources of information on standards and best practice, some of which are listed in Appendix I (See page 45).
As a guideline, the CAE should expect to see standards adopted for:
- Systems Development Processes: When organizations develop their own applications, standards apply to the processes for designing, developing, testing, implementing, and maintaining systems and programs. If organizations outsource application development or acquire systems from vendors, the CAE should ascertain that agreements require the providers to apply standards consistent with the organization's standards, or acceptable to the organization.
- Systems Software Configuration: Because systems software provides a large element of control in the IT environment, standards related to secure system configurations, such as the CIS Benchmarks from the Center for Internet Security, are beginning to gain wide acceptance by leading organizations and technology providers. The way products such as operating systems, networking software, and database management systems are configured can either enhance security or create weaknesses that can be exploited.
- Application Controls: All applications which support business activities need to be controlled. Standards are necessary for all applications the organization develops or purchases that define the types of controls that must be present across the whole range of business activities, as well as the specific controls
Risk Appetite
An organization's risk appetite defines the degree of risk a company or other organization is willing to accept in pursuit of its goals, as determined by executive management and governance. Risk appetite can specify, for example, whether or not an organization will take an aggressive role in the deployment of new and emerging technologies. An organization's risk appetite can be affected by its industry and regulatory environment. Closely related to risk appetite is an organization's risk tolerance, which measures how far it is willing to deviate from its stated measure of risk appetite.
2 Public Accounting Reform and Investor Protection Act of 2002, known as Sarbanes-Oxley after its sponsors, U.S. Sen. Paul Sarbanes and U.S. Rep. Michael Oxley.
7.2 Management
Several specific roles have emerged in large organizations in relation to IT risk and control. As stated previously, small organizations might not allocate an individual for each role, although the function must still be performed. An individual may perform multiple roles, but care must be taken so that allocating these roles does not compromise the need for division of duties where roles are incompatible. Where IT is outsourced, there is still a requirement for organizations to keep many of these roles in-house to provide oversight of the outsourced functions.
7.2.1 Chief Executive Officer
The individual with overall strategic and operational control of the organization must consider IT in most aspects of the role. In particular, the CEO will:
- Define corporate objectives and performance measures in relation to IT.
- Act as custodian over the organization's critical success factors in relation to IT.
- Understand and approve the short-term and long-range strategy for IT.
- Approve IT resources for the organization, including structure and oversight/monitoring.
- Determine IT issues for periodic management, board, and staff discussion.
- Operate as the highest-level control owner, having ultimate responsibility for the success or failure of controls and for coordinating all other operational managers within their responsibilities framework who act as control owners of their particular areas.
- Ensures that security staff provide support for implementing controls at all levels.
- Acts as the key leader for investigating and evaluating new best practices that may be incorporated into the organization.
7.2.5 Chief Information Security Officer (CISO)
Information security is a subset of the overall security role. The CISO:
- Develops and implements the information security policy in coordination with the CSO.
- Controls and coordinates information security resources, ensuring they are allocated adequately to meet the organization's security objectives.
- Ensures alignment of information security and business objectives.
- Manages operational information risks throughout the organization.
- Oversees security within the IT organization.
- Provides education and awareness on information security issues and new best practices.
- Develops end-user policies for the usage of IT information, in conjunction with the human resources function.
- Coordinates information security work with the chief risk officer (CRO) and CIO.
- Advises the CEO, CRO, CIO, and board on IT risk issues.
- Acts as a key link for the CAE when internal auditing performs IT control-related audits.
7.3 Audit
7.3.1 Internal Auditing: CAE and Audit Staff
Internal auditing is an essential part of the corporate governance process, whether or not a specific internal audit group is employed. Internal auditors need a general understanding of IT, but the level of their understanding will vary depending on the category of auditing or audit supervision they perform (IIA Standard 1210.A3). The IIA defines three categories of IT knowledge for internal auditors. Appendix C (See page 28) describes these categories.
The internal audit role in relation to IT involves:
- Advising the audit committee and senior management on IT internal control issues.
- Ensuring IT is included in the audit universe and annual plan (selecting topics).
- Ensuring IT risks are considered when assigning resources and priorities to audit activities.
- Defining IT resources needed by the internal audit department, including specialized training of audit staff.
- Ensuring that audit planning considers IT issues for each audit.
- Liaising with audit clients to determine what they want or need to know.
- Performing IT risk assessments.
- Determining what constitutes reliable and verifiable evidence.
- Performing IT enterprise-level controls audits.
- Performing IT general controls audits.
- Performing IT applications controls audits.
- Performing specialist technical IT controls audits.
- Making effective and efficient use of IT to assist the audit processes.
- During systems development or analysis activities, operating as experts who understand how controls can be implemented and circumvented.
- Helping to monitor and verify the proper implementation of activities that minimize all known and documented IT risks.
7.3.2 External Auditor
Independent external audits are a requirement for most organizations and normally are performed annually. Topics to be considered by the internal audit department and the audit committee include:
These definitions are taken from the COSO Enterprise Risk Management Integrated Framework (Oct 2004).
Digital Dozen
One of the most concise and broadly useful summaries of security guidance is the VISA CISP, which has proven its value for over two years in use by VISA credit card network service providers, including banks, processors, merchants, and others. VISA refers to these requirements as its Digital Dozen.
1. Install and maintain a working firewall to protect data.
2. Keep security patches up-to-date.
3. Protect stored data.
4. Encrypt data sent across public networks.
5. Use and regularly update anti-virus software.
6. Restrict access by "need to know."
7. Assign a unique Identification Code (ID) to each person with computer access.
8. Don't use vendor-supplied defaults for passwords and security parameters.
9. Track all access to data by unique ID.
10. Regularly test security systems and processes.
11. Implement and maintain an information security policy.
12. Restrict physical access to data.
Fundamental Five
The Consensus Benchmarks, from the Center for Internet Security (www.cisecurity.org), provide guidance on the Fundamental Five of basic security hygiene. Use of these benchmarks typically results in an 80 percent to 95 percent reduction of known vulnerabilities.
1. Identity and Access Management (including privilege assignment and authentication)
2. Change Management (including patch management)
3. Configuration Management
4. Firewalls (workstation, host, sub-network, and perimeter)
5. Malware protection (including worms and viruses)
Control Activities:
- Review board for change management
- Comparison of technology initiatives to plan and return on investment
- Documentation and approval of IT plans and systems architecture
- Compliance with information and physical security standards
- Adherence to business continuity risk assessment
- Technology standards compliance enforcement
10 Assessment
10.1
A lot has changed in the 40 years that IT auditing has existed: technology components have become smaller, faster, and cheaper even as overall IT costs to the organization have increased significantly. The majority of business processes have been automated, typically to provide efficiencies, but also to enable certain business processes that cannot be performed manually. Ubiquitous network communications, including the Internet, have eliminated any distinction between business and electronic business.
The audit process similarly has evolved to match the automation of business processes. In the early days of automation, auditors audited around the computer. Now they use software routinely to test or analyze data and technical controls within systems.
A widely used audit approach involves operational analysis of the processing of important business transactions by automated systems. In such audits, the auditor identifies activities and information subject to control and assesses the ability of existing controls to provide reliable protection, including sufficient evidence of the reliability of controls. Because operational audits of automated business processes frequently identify internal control deficiencies, internal auditors may sometimes shift their attention to audits of, or even involvement in, the processes whereby business activities are automated, such as systems design, development and acquisition, implementation, and maintenance.
Experienced auditors develop extensive knowledge of internal controls and their strengths and weaknesses. Therefore, it is not uncommon for internal auditors to provide consulting services to the management responsible for designing and implementing internal controls. The scope and limitations on such consulting activity are prescribed in the International Standards for the Professional Practice of Internal Auditing (See http://www.theiia.org/guidance/standards-and-practices). However, internal auditor involvement in design, development, or implementation activities does not absolve management from responsibility for those activities.
10.2
In addition to assessing the adequacy of IT control mechanisms, regular reviews should be performed to ensure that controls continue to function as required. A traditional method used by internal auditors is to create a population of test data that can be processed through the business systems to check the results to ensure, for example, that controls continue to accept valid data and reject incorrect and invalid items. However, given the widespread, complex, and interactive nature of business systems today, audit testing tends to focus more specifically on key automated controls and analysis of the data.
10.2.1 Automated Continuous Monitoring
Continuous monitoring and audit tools have been used for many years. Previously called embedded audit software, program code in business systems checks data being processed against predetermined criteria and reports anomalies it detects. The benefit of such monitoring is obvious: any discrepancies can be identified and acted upon immediately. Many proprietary business software products now provide such continuous monitoring functionality. The concept has also gone beyond business applications. For example, most firewall products and intrusion detection systems continuously check for potential attack scenarios and provide instant alerts when potential attacks are detected. This type of monitoring can cause problems due to the considerable volume of data and potential errors that are highlighted, not all of which will be worthy of attention. The task of refining the analysis techniques and monitoring thresholds requires constant vigilance to determine which alerts to highlight and which to accept as normal events.
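As an added illustration of the test-data approach in 10.2 and the embedded audit check in 10.2.1 (example code written for this edition, not code from the guide or any product it names), the Python below checks a constructed batch of payment transactions against predetermined criteria, reports only the anomalies, counts alert volume per criterion so thresholds can be refined, and runs a known-valid/known-invalid test population through the same check. Every transaction, threshold and name is constructed.

```python
"""Embedded audit check over a constructed batch of payment transactions."""
from collections import Counter
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Transaction:
    txn_id: str
    user: str            # who entered the payment
    approver: str        # who approved it ("" if unapproved)
    amount: float
    posted: date
    vendor_created: date  # when the payee's vendor record was set up


# Predetermined criteria the embedded check tests against (constructed values).
INITIAL_CRITERIA = {
    "approval_limit": 10_000.0,  # above this, a second person must approve
    "new_vendor_days": 7,        # payee set up within this many days of posting
    "flag_weekend": True,        # postings on Saturday or Sunday
}

# Refined after review: weekend batch postings are accepted as normal for this
# (constructed) organization, so that criterion is switched off to cut noise.
REFINED_CRITERIA = {**INITIAL_CRITERIA, "flag_weekend": False}


def check_transaction(txn: Transaction, criteria: dict) -> list[str]:
    """Return the name of every criterion the transaction violates."""
    findings = []
    if txn.amount > criteria["approval_limit"] and not txn.approver:
        findings.append("over-limit-without-approval")
    if txn.approver and txn.approver == txn.user:
        findings.append("self-approval")  # division of duties breached
    if (txn.posted - txn.vendor_created).days < criteria["new_vendor_days"]:
        findings.append("new-vendor")
    if criteria["flag_weekend"] and txn.posted.weekday() >= 5:
        findings.append("weekend-posting")
    return findings


def monitor(transactions, criteria: dict) -> dict[str, list[str]]:
    """Embedded-audit pass: report only the transactions with anomalies."""
    report = {}
    for txn in transactions:
        findings = check_transaction(txn, criteria)
        if findings:
            report[txn.txn_id] = findings
    return report


def alert_volume(report: dict[str, list[str]]) -> Counter:
    """Alerts per criterion: the figure used when refining thresholds."""
    return Counter(name for findings in report.values() for name in findings)


OLD_VENDOR = date(2023, 1, 10)

# Constructed batch; 2024-03-09 is a Saturday.
SAMPLE = [
    Transaction("T1", "alice", "bob", 5_000.0, date(2024, 3, 4), OLD_VENDOR),
    Transaction("T2", "alice", "", 15_000.0, date(2024, 3, 5), OLD_VENDOR),
    Transaction("T3", "carol", "carol", 2_000.0, date(2024, 3, 6), OLD_VENDOR),
    Transaction("T4", "dave", "erin", 800.0, date(2024, 3, 9), date(2024, 3, 7)),
    Transaction("T5", "alice", "bob", 12_000.0, date(2024, 3, 7), OLD_VENDOR),
]


def run_test_population(criteria: dict = INITIAL_CRITERIA) -> bool:
    """Test-data approach: a known-valid item must pass and a known-invalid
    item must be rejected, proving the control still behaves as designed."""
    valid = Transaction("V1", "alice", "bob", 5_000.0, date(2024, 3, 4), OLD_VENDOR)
    invalid = Transaction("X1", "alice", "", 15_000.0, date(2024, 3, 5), OLD_VENDOR)
    accepted = check_transaction(valid, criteria) == []
    rejected = "over-limit-without-approval" in check_transaction(invalid, criteria)
    return accepted and rejected


if __name__ == "__main__":
    for label, criteria in (("initial", INITIAL_CRITERIA), ("refined", REFINED_CRITERIA)):
        report = monitor(SAMPLE, criteria)
        print(label, report, dict(alert_volume(report)))
    print("test population ok:", run_test_population())
```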
10.3 Audit Committee/Management/Audit Interfaces
It is impractical to establish rules for reporting on every special IT control situation. The CAE must apply prudent judgment when expressing an opinion or submitting a report to the audit committee. This is no different from the way the CAE interacts with the audit committee regarding other internal control issues.
The CAE will discuss internal control issues with the audit committee to determine the optimum level of information to be provided to enable the audit committee to achieve its statutory, regulatory, policy, due care, or other governance obligations.
Metrics and reporting and audit report summaries are two areas where the CAE should interact with the audit committee regarding internal controls. Further interactions will depend on the needs of the specific audit committee and any legislative or regulatory requirements.
Metrics and reporting. Metrics and reports must present meaningful information on the status of IT controls. While management provides the metrics and reporting, the CAE should be able to attest to their validity and opine on their
11 Conclusion
Assessing IT controls is an ongoing process, because business processes are constantly changing, technology continues to advance, threats evolve as new vulnerabilities emerge, and audit methods keep improving. The CAE should keep assessments of IT controls that support business objectives near the top of the audit agenda.
Assessing IT controls is not a case of determining whether best practices are employed, as controls are specific to the organization's mission, objectives, culture, deployed processes and technologies, and risks. Technology should be tailored to provide effective control, and the CAE should ensure internal auditing adopts appropriate and effective methods. Auditing IT is a continuous learning process.
The CAE is rarely in a position to understand all the technologies used in his or her environment and their specific control implications. That is why properly certified and experienced IT auditors are a major asset for any internal audit function. However, the CAE should understand the overall control issues and be able to communicate them to senior management and to appropriate committees of the board of directors in a form they will understand and in a manner that will result in an appropriate response. The key to assessing IT controls effectively is communication with technical staff, management, and board members.
13.1
Sarbanes-Oxley (http://www.theiia.org/iia/guidance/issues/sarbanes-oxley.pdf) was intended to reform public accounting practices and other corporate governance processes and shore up the capital markets in the wake of the Enron and WorldCom corporate governance scandals. The PCAOB provides a comprehensive collection of information and advice on Sarbanes-Oxley at its Web site (http://www.sarbanes-oxley.com/). The key requirements of Sarbanes-Oxley, the SEC, and U.S. stock listing exchanges are fully compared and contrasted in an IIA Research Foundation analysis titled Assessment Guide for U.S. Legislative, Regulatory, and Listing Exchanges Requirements Affecting Internal Auditing (www.theiia.org/iia/download.cfm?file=519).
However, Sarbanes-Oxley does not address the issue of IT controls specifically. This does not mean IT can be ignored when performing the compliance reviews required by the act. The act is neutral with regard to technology, but the implication is clear that IT controls are critical to an organization's overall system of internal controls. As IT controls address the secure, stable, and reliable performance of hardware, software, and personnel to ensure the reliability of
13.2 Basel II Accord
13.3 Data Protection
The concept of data protection was developed when computerization issues were raised at United Nations and OECD conferences in the late 1960s. The first national law was enacted in 1974 in Sweden, and the OECD published its Data Protection Guidelines in 1980 (OECD C (80) 58 final). Regional bodies like the Council of Europe (Data Protection Convention 108/1981, human rights-based) and the European Commission (EC) (Directive 95/46/EC, consumer protection-oriented) have enacted binding frameworks for implementation in their member states. Depending on their legal system, many countries around the globe have constitutional provisions and omnibus laws or a broad spectrum of sector regulations for data protection.
To bridge the differences in U.S. and European Union (EU) privacy regulations, the EC and the U.S. Department of Commerce developed a safe harbor framework for U.S. companies. The safe harbor is a framework agreement consisting of seven principles and a series of frequently asked questions. (See also: http://www.was4.hewitt.com/hewitt/resource/legislative_updates/europe/eu_data1.htm).
13.4 GLBA
The GLBA was introduced to protect the privacy of customer information in the financial sector, but it extends beyond financial companies. Any company that handles non-public financial customer information may be held accountable under this law, depending on the circumstances. More information is available from EPIC (http://www.epic.org/privacy/glba/) and the U.S. Federal Trade Commission (http://www.ftc.gov/bcp/conline/pubs/buspubs/glblong.shtm).
Note: The Three Categories of IT Knowledge for Internal Auditors document is not part of The IIA's Standards, but is practical guidance provided by The IIA's International Advanced Technology Committee.
COSO
15.2 CICA CoCo
events. This principle recognizes the need for the public and private sectors to jointly establish mechanisms and procedures for rapid and effective threat-event reporting and handling. Access to threat-event history could support effective response to threat events and may help prevent future incidents.
Assessment Principle: The risks to information and information systems should be assessed periodically.
Rationale: Information and security requirements vary over time. Organizations periodically should assess the information, its value, and the probability, frequency, and severity of direct and indirect harm or loss. Periodic assessment identifies and measures the variances from available and established security measures and controls, such as those articulated in the GAISP, as well as the risk associated with such variances. It also enables accountable parties to make informed information risk management decisions about accepting, mitigating, or transferring the identified risks with due consideration of cost effectiveness.
Equity Principle: Management shall respect the rights and dignity of individuals when setting policy and when selecting, implementing, and enforcing security measures.
Rationale: Information security measures implemented by an organization should not infringe upon the obligations, rights, and needs of legitimate users, owners, and others affected by the information when exercised within the legitimate parameters of the mission objectives.
The term policies refers to written statements that communicate management's intent, objectives, requirements, responsibilities, and standards for a particular subject. Some policies may be described explicitly as such, being contained in policy manuals or similarly labeled documents. However, some policies may be contained in documents without such explicit labeling, including, for example, notices or reports to employees or outside parties.
6 Although some privacy regulations use the term principle, the term component is used in the AICPA/CICA Trust Services Principles and Criteria Framework to represent that concept, because the term principle previously has been defined in the Trust Services literature.
15.9
The IIA provides the SAC model. The SAC model sets the stage for effective technology risk management by giving companies a framework to guide an evaluation of the e-business control environment. SAC recognizes the importance of governance both within an organization and between business partners to ensure effective security, auditability, and control of information. SAC provides current information to understand, monitor, assess, and mitigate technology risks. SAC examines risks in all business system components, including customers, competitors, regulators, and partners. Full details of the model can be found at http://www.theiia.org/eSAC/index.cfm, with a detailed discussion of the model at www.theiia.org/itaudit/index.cfm?fuseaction=forum&fid=411.
15.10 Corporate Governance
The COSO Internal Control Integrated Framework is recognized as a formal model for the purpose of Sarbanes-Oxley attestation by the SEC and provides a hierarchical categorization of controls. In addition, the audit standard from the PCAOB states:
Because of the frequency with which management of public companies is expected to use COSO as the framework for the assessment, the directions in the standard are based on the COSO framework. Other suitable frameworks have been published in other countries and likely will be published in the future. Although different frameworks may not contain exactly the same elements as COSO, they should have elements that encompass all of COSO's general themes.
The COSO model was refined and enhanced during 2004 through development of the COSO Enterprise Risk Management Integrated Framework (http://www.coso.org). This appendix describes the earlier framework, which is the version referenced for regulatory compliance. Nonetheless, the CAE should investigate the Enterprise Risk Management Integrated Framework.
Copyright 2000 by ITGI and reprinted with the permission of the ITGI. No other right or permission is granted with respect to this work.
7 http://reform.house.gov/TIPRC/
Action Questions
a. Values.
b. Philosophy.
c. Management style.
d. IT awareness.
e. Organisation.
f. Policies.
g. Standards.
2. What legislation exists that impacts on the need for IT controls?
a. Governance.
b. Reporting.
c. Data protection.
d. Compliance.
3. Identify the roles and responsibilities for IT control in relation to:
a. Board of directors.
i. Audit committee.
ii. Risk committee.
iii. Governance committee.
iv. Finance committee.
b. Management.
i. CEO
ii. CFO and controller
iii. CIO
iv. CSO
v. CISO
vi. CLC
vii. CRO
c. Audit.
i. Internal Audit.
ii. External Audit.
Action Questions
11. How is the risk appetite and tolerance of the organization determined?
b. Risk tolerances?
c. Risk analysis?
b. Control failures.
20.1 Governance
20.2 Management
20.3 Technical Issues
20.4 Auditing IT
23
The IIA is joined in this GTAG project by a specially selected team of professional associations, academic institutions, and practitioners in both auditing and technology. The IIA is grateful for the support provided by this team, as the guide would not have been possible without them. For The IIA to provide meaningful guidance to auditors about how to relate to audit customers, it is essential to gain agreement with the key representatives of those customers. To speak to a global audience, the guide needs consensus from a broad group representing many of the countries where internal auditors operate. So we thank both the individuals and the organizations who contributed so much to this guide.
23.1
The Advisory Council is made up of individuals who contributed to the development of this guide from the outset of planning the GTAG project, through design and development of the IT Controls Guide outline and various drafts, to the completion of the final product. These individuals went beyond the role of a volunteer support team to truly act in a leadership role.
23.2 Partner Organizations
Rich Crawford, Vice President/Senior Security Advisor, Janus Risk Management, USA
P. Shreekanth, India
Amit Yoran
23.5 Other International
Michael Feland
Trish Harris
Tim McCollum
This GTAG focuses on how business continuity management (BCM) is designed to enable business leaders to manage the level of risk the organization could potentially encounter if a natural or man-made disruptive event were to occur.
Chief audit executives (CAEs) have been challenged to educate corporate executives on the risks, controls, costs, and benefits of adopting a BCM program. Although it is true that recent disasters around the world have motivated some corporate leaders to give attention to BCM programs, the implementation of such programs is far from universal. The key challenge is engaging corporate executives to make BCM a priority. Although most executives are likely to agree that BCM is a good idea, many struggle to find the budget necessary to fund the program as well as an executive sponsor that has the time to ensure its success.
www.theiia.org/guidance/technology/gtag/gtag10
ISBN 0-89413-570-8
ISBN 978-0-89413-623-8
www.theiia.org