
GTAG 1: Information Technology Controls - iia colombia


Information Technology Controls

Auditing Application Controls

Authors

David A. Richards, CIA, President, The IIA

Alan S. Oliphant, MIIA, QiCA, MAIR International

Christine Bellino, Jefferson Wells

Charles H. Le Grand, CIA, CHL Global

Steve Hunt, Enterprise Controls Consulting LP

March 2005 (revised July 2007)

Copyright © 2005, 2007 by The Institute of Internal Auditors (IIA), 247 Maitland Ave., Altamonte Springs, FL 32701-4201, USA. All rights reserved. Printed in the United States of America. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form by any means — electronic, mechanical, photocopying, recording, or otherwise — without prior written permission from the publisher.

The IIA publishes this document for informational and educational purposes. This document is intended to provide information, but is not a substitute for legal or accounting advice. The IIA does not provide such advice and makes no warranty as to any legal or accounting results through its publication of this document. When legal or accounting issues arise, professional assistance should be sought and retained.


GTAG — Table of Contents

Section 1. Letter from the President
Section 2. IT Controls – Executive Summary
Section 3. Introduction
Section 4. Assessing IT Controls – An Overview
Section 5. Understanding IT Controls
Section 6. Importance of IT Controls
Section 7. IT Roles in the Organization
Section 8. Analyzing Risk
Section 9. Monitoring and Techniques
Section 10. Assessment
Section 11. Conclusion
Section 12. Appendix A – Information Security Program Elements
Section 13. Appendix B – Compliance With Laws and Regulations
Section 14. Appendix C – Three Categories of IT Knowledge for Internal Auditors
Section 15. Appendix D – Compliance Frameworks
Section 16. Appendix E – Assessing IT Controls Using COSO
Section 17. Appendix F – ITGI Control Objectives for Information and Related Technology (CobiT)
Section 18. Appendix G – Example IT Control Metrics to Be Considered by Audit Committees
Section 19. Appendix H – CAE Checklist
Section 20. Appendix I – References
Section 21. Appendix J – Glossary
Section 22. Appendix K – About the Global Technology Audit Guides
Section 23. Appendix L – GTAG Partners and Global Project Team

GTAG — Letter from the President — 1

In my previous role as a chief audit executive (CAE), I noted a need for guidance on IT management and control written specifically for executives. So one of my first acts as president of The IIA was to initiate a project to produce this IT Controls guide. This guide is for the executive, not the technical staff — although it will help those personnel better relate to management and governance perspectives.

The purpose of this document is to explain IT controls and audit practice in a format that allows CAEs to understand and communicate the need for strong IT controls. It is organized to enable the reader to move through the framework for assessing IT controls and to address specific topics based on need. This document provides an overview of the key components of IT control assessment, with an emphasis on the roles and responsibilities of key constituents within the organization who can drive governance of IT resources. You may already be familiar with some aspects of this document, while other segments will provide new perspectives on how to approach this key audit strategy. It is our hope that the components can be used to educate others about what IT controls are and why management and internal auditing must ensure proper attention is paid to this fundamental methodology for good governance.

Although technology provides opportunities for growth and development, it also provides the means and tools for threats such as disruption, deception, theft, and fraud. Outside attackers threaten our organizations, yet trusted insiders are a far greater threat. Fortunately, technology can also provide protection from threats, as you will see in this guide. Executives should know the right questions to ask and what the answers mean. For example:

• Why should I understand IT controls? One word: Assurance. Executives play a key role in assuring information reliability. Assurance comes primarily from an interdependent set of business controls, plus the evidence that controls are continuous and sufficient. Management and governance must weigh the evidence provided by controls and audits and conclude that it provides reasonable assurance. This guide will help you understand the evidence.

• What is to be protected? Let’s start with trust. Trust enables business and efficiency. Controls provide the basis for trust, although they are often unseen. Technology provides the foundation for many — perhaps most — business controls. Reliability of financial information and processes — now mandated for many companies — is all about trust.

• Where are IT controls applied? Everywhere. IT includes technology components, processes, people, organization, and architecture — collectively known as infrastructure — as well as the information itself. Many of the infrastructure controls are technical, and IT supplies the tools for many business controls.

• Who is responsible? Everybody. But you must specify control ownership and responsibilities; otherwise, no one is responsible. This guide addresses specific responsibilities for IT controls.

• When do we assess IT controls? Always. IT is a rapidly changing environment fueling business change. New risks emerge at a rapid pace. Controls must present continuous evidence of their effectiveness, and that evidence must be assessed and evaluated constantly.

• How much control is enough? You must decide. Controls are not the objective; controls exist to help meet business objectives. Controls are a cost of doing business and can be expensive — but not nearly as expensive as the probable consequences of inadequate controls.

IT controls are essential to protect assets, customers, and partners and sensitive information; demonstrate safe, efficient, and ethical behavior; and preserve brand, reputation, and trust. In today’s global market and regulatory environment, these are all too easy to lose.

Use this guide as a foundation to assess or build your organization’s framework and audit practices for IT business control, compliance, and assurance. Use it to help make sense of the conflicting advice you receive. Make sure all the elements are in place to meet the challenges of constant change, increasing complexity, rapidly evolving threats, and the need to improve efficiency constantly.

The IIA produced this guide, but it is truly a team effort. The principal writers are Charles H. Le Grand of CHL Global and Alan S. Oliphant, FIIA, MIIA, QiCA, of Mair International. We owe a great debt of gratitude to our partners, IIA international affiliates, and members of the Global Technology Audit Guide (GTAG) team. We are grateful for their support and encouragement. This guide is a testimony to what The IIA does best: “Progress Through Sharing.”

Sincerely,

David A. Richards, CIA, CPA
President, The Institute of Internal Auditors Inc.

GTAG — Executive Summary — 2

GTAG Information Technology Controls describes the knowledge needed by members of governing bodies, executives, IT professionals, and internal auditors to address technology control issues and their impact on business. Other professionals may find the guidance useful and relevant. The guide provides information on available frameworks for assessing IT controls and describes how to establish the right framework for an organization. Moreover, it sets the stage for future GTAGs that will cover specific IT topics and associated business roles and responsibilities in greater detail.

The objectives of the IT Controls guide are to:

• Explain IT controls from an executive perspective.

• Explain the importance of IT controls within the overall system of internal controls.

• Describe the organizational roles and responsibilities for ensuring IT controls are addressed adequately within the overall system of internal controls.

• Describe the concepts of risk inherent in the use and management of technology by any organization.

• Describe the basic knowledge and understanding of IT controls needed by the CAE to ensure effective internal audit assessments of IT controls.

• Describe the relevant elements of the IT controls assessment process as provided by the internal audit function.

2.1 Introduction to IT Controls

IT controls do not exist in isolation. They form an interdependent continuum of protection, but they may also be subject to compromise due to a weak link. They are subject to error and management override, may range from simple to highly technical, and may exist in a dynamic environment.

IT controls have two significant elements: the automation of business controls and control of IT. Thus, IT controls support business management and governance as well as provide general and technical controls over IT infrastructures.

The internal auditor’s role in IT controls begins with a sound conceptual understanding and culminates in providing the results of risk and control assessments. Internal auditing involves significant interaction with the people in positions of responsibility for controls and requires continuous learning and reassessment as new technologies emerge and the organization’s opportunities, uses, dependencies, strategies, risks, and requirements change.

2.2 Understanding IT Controls

IT controls provide for assurance related to the reliability of information and information services. IT controls help mitigate the risks associated with an organization’s use of technology. They range from corporate policies to their physical implementation within coded instructions; from physical access protection through the ability to trace actions and transactions to responsible individuals; and from automatic edits to reasonability analysis for large bodies of data.

You don’t need to know “everything” about IT controls, but remember two key control concepts:

• Assurance must be provided by the IT controls within the system of internal controls. This assurance must be continuous and provide a reliable and continuous trail of evidence.

• The auditor’s assurance is an independent and objective assessment of the first assurance. Auditor assurance is based on understanding, examining, and assessing the key controls related to the risks they manage, and performing sufficient testing to ensure the controls are designed appropriately and functioning effectively and continuously.

Many frameworks exist for categorizing IT controls and their objectives. This guide recommends that each organization use the applicable components of existing frameworks to categorize and assess IT controls and to provide and document its own framework for:

• Compliance with applicable regulations and legislation.

• Consistency with the organization’s goals and objectives.

• Reliable evidence (reasonable assurance) that activities comply with management’s governance policies and are consistent with the organization’s risk appetite.

2.3 Importance of IT Controls

Many issues drive the need for IT controls, ranging from the need to control costs and remain competitive through the need for compliance with internal and external governance. IT controls promote reliability and efficiency and allow the organization to adapt to changing risk environments. Any control that mitigates or detects fraud or cyber attacks enhances the organization’s resiliency, because it helps the organization uncover the risk and manage its impact. Resiliency is a result of a strong system of internal controls, because a well-controlled organization has the ability to manage challenges or disruptions seamlessly.

Key indicators of effective IT controls include:

• The ability to execute and plan new work, such as IT infrastructure upgrades required to support new products and services.

• Development projects that are delivered on time and within budget, resulting in cost-effective and better product and service offerings compared to competitors.

• Ability to allocate resources predictably.

• Consistent availability and reliability of information and IT services across the organization and for customers, business partners, and other external interfaces.

• Clear communication to management of key indicators of effective controls.

• The ability to protect against new vulnerabilities and threats, and to recover from any disruption of IT services quickly and efficiently.

• The efficient use of a customer support center or help desk.

• Heightened security awareness on the part of the users and a security-conscious culture throughout the organization.

2.4 IT Roles and Responsibilities

Many different roles have emerged in recent years for positions within the organization with IT control responsibilities and ownership. Each position within the governance, management, operational, and technical levels should have a clear description of its roles, responsibilities, and ownership for IT controls to ensure accountability for specific issues. This section addresses the various IT control roles and responsibilities within the organization and allocates them to specific positions within a hypothetical organizational structure.

2.5 Analyzing Risk

IT controls are selected and implemented on the basis of the risks they are designed to manage. As risks are identified, suitable risk responses are determined, ranging from doing nothing and accepting the risk as a cost of doing business to applying a wide range of specific controls, including insurance. This section explains the concepts of when to apply IT controls.

2.6 Monitoring and Techniques

The implementation of a formal control framework facilitates the process of identifying and assessing the IT controls necessary to address specific risks. A control framework is a structured way of categorizing controls to ensure the whole spectrum of control is covered adequately. The framework can be informal or formal. A formal approach will more readily satisfy the various regulatory or statutory requirements for organizations subject to them. The process of choosing or constructing a control framework should involve all positions in the organization with direct responsibility for controls. The control framework should apply to, and be used by, the whole organization — not just internal auditing.

2.7 IT Control Assessment

Assessing IT controls is a continuous process. Business processes are changing constantly as technology continues to evolve. Threats emerge as new vulnerabilities are discovered. Audit methods improve as auditors adopt an approach where IT control issues in support of the business objectives are near the top of the agenda.

Management provides IT control metrics and reporting. Auditors attest to their validity and opine on their value. The auditor should liaise with management at all levels and with the audit committee to agree on the validity and effectiveness of the metrics and assurances for reporting.


GTAG — Introduction — 3

IT is an integral part of all processes that enable businesses and governments to accomplish their missions and objectives. IT facilitates local and global communications and fosters international business cooperation. IT controls have two significant components: automation of business controls and control of IT. They support business management and governance, and they provide general and technical controls over the policies, processes, systems, and people that comprise IT infrastructures.

IT controls do not exist in isolation. They form an interdependent continuum of protection, but they also may be subject to compromise due to a “weak link.” They are subject to error and management override, may range from simple to highly technical, and may exist in a dynamic environment. IT controls support the concept of “defense in depth,” so a single weakness does not always result in a single point of failure.

Controls exist to protect stakeholder interests:

• The owner’s equity.

• Customer concerns, such as privacy and identity.

• Employees’ jobs and abilities to prove they did the right thing.

• Management’s comfort with the assurance provided by automated processes.

IT control assurance addresses the ability of controls to protect the organization against the most important threats and provides evidence that remaining risks are unlikely to harm the organization and its stakeholders significantly. These controls also are essential for assuring the reliability of financial processes and reporting.


GTAG — Assessing IT Controls — An Overview — 4

They are all connected

When a security administrator selects the settings in a firewall configuration file (a technical task requiring specific skills and knowledge), he or she implements a policy (which may or may not be documented elsewhere) that, when deployed, determines the messages that will or will not be allowed into or out of the communications network and establishes the “ports” through which they may travel. Your organization gets an element of protection from its firewalls that is vital to the protection of information and the infrastructures where that information is collected, processed, stored, and communicated.
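The sidebar above makes the point that a firewall configuration file is the concrete form of a policy, whether or not that policy is written down anywhere else. The following Python script is an added illustration, not part of the GTAG text or any IIA material: it parses a small constructed rule format, evaluates traffic against the rules in order with an implicit default-deny, and then compares the deployed "allow" rules with a documented policy register so that an assessor can see which open ports the written policy never authorised. The rule syntax, the sample configuration, the policy set and the port numbers are all constructed for this example and do not represent any vendor's format.

```python
"""Added example: a firewall configuration file as the implementation of a
(possibly undocumented) policy, and a check that the two agree.
All rule syntax and sample data below are constructed for this example."""
from __future__ import annotations
from dataclasses import dataclass

# Constructed configuration, one rule per line:
#   <allow|deny> <in|out> <tcp|udp> <port>   # optional comment
FIREWALL_CONFIG = """\
# constructed sample, not a real vendor format
allow in  tcp 443   # public web
allow in  tcp 22    # admin access (not in the written policy below)
allow out tcp 443
allow out udp 53
deny  in  tcp 23    # explicitly blocked
"""

# Constructed policy register: what management has documented as permitted.
DOCUMENTED_POLICY = {
    ("in", "tcp", 443),
    ("out", "tcp", 443),
    ("out", "udp", 53),
}


@dataclass(frozen=True)
class Rule:
    action: str      # "allow" or "deny"
    direction: str   # "in" or "out"
    proto: str       # "tcp" or "udp"
    port: int


def parse_config(text: str) -> list[Rule]:
    """Turn the constructed rule text into an ordered list of Rule objects."""
    rules: list[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comments and blanks
        if not line:
            continue
        action, direction, proto, port = line.split()
        if action not in ("allow", "deny") or direction not in ("in", "out"):
            raise ValueError(f"malformed rule: {raw!r}")
        rules.append(Rule(action, direction, proto, int(port)))
    return rules


def is_permitted(rules: list[Rule], direction: str, proto: str, port: int) -> bool:
    """First matching rule wins; traffic matching no rule is denied (default deny)."""
    for r in rules:
        if (r.direction, r.proto, r.port) == (direction, proto, port):
            return r.action == "allow"
    return False


def _deployed_allows(rules: list[Rule]) -> set[tuple[str, str, int]]:
    return {(r.direction, r.proto, r.port) for r in rules if r.action == "allow"}


def undocumented_allows(rules: list[Rule], policy: set) -> set:
    """Allow rules present in the deployed config that the written policy never authorised."""
    return _deployed_allows(rules) - policy


def missing_from_config(rules: list[Rule], policy: set) -> set:
    """Policy entries that the deployed config does not actually permit."""
    return policy - _deployed_allows(rules)


if __name__ == "__main__":
    rules = parse_config(FIREWALL_CONFIG)
    print("inbound tcp/443 permitted:", is_permitted(rules, "in", "tcp", 443))
    print("inbound tcp/23 permitted: ", is_permitted(rules, "in", "tcp", 23))
    print("inbound tcp/8080 permitted (no rule):", is_permitted(rules, "in", "tcp", 8080))
    print("allowed but undocumented:", undocumented_allows(rules, DOCUMENTED_POLICY))
    print("documented but not deployed:", missing_from_config(rules, DOCUMENTED_POLICY))
```

The two set differences are the audit-relevant output: an "allow" that appears only in the configuration is a policy that exists solely in the administrator's head, and a documented permission with no matching rule is a control that is described but not in force.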

When CAEs review and assess the controls over IT, they should ask:

• What do we mean by IT controls?
• Why do we need IT controls?
• Who is responsible for IT controls?
• When is it appropriate to apply IT controls?
• Where exactly are IT controls applied?
• How do we perform IT control assessments?

The audit process provides a formal structure for addressing IT controls within the overall system of internal controls. Figure 1, The Structure of IT Auditing, below divides the assessment into a logical series of steps.

The internal auditor’s role in IT controls begins with a sound conceptual understanding and culminates in providing the results of risk and control assessments. Internal auditors interact with the people responsible for controls and must pursue continuous learning and reassessment as new technologies emerge and the organization’s opportunities, uses, dependencies, strategies, risks, and requirements change.


“I keep six honest serving-men
(They taught me all I knew);
Their names are What and Why and When
and How and Where and Who.”

— Rudyard Kipling, from “Elephant’s Child,” in Just So Stories

Figure 1 - The Structure of IT Auditing


GTAG — Understanding IT Controls — 5

COSO¹ defines internal control as “A process, effected by an organization’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

• Effectiveness and efficiency of operations.
• Reliability of financial reporting.
• Compliance with applicable laws and regulations.”

IT controls encompass those processes that provide assurance for information and information services and help mitigate the risks associated with an organization’s use of technology. These controls range from written corporate policies to their implementation within coded instructions; from physical access protection to the ability to trace actions and transactions to the individuals who are responsible for them; and from automatic edits to reasonability analysis for large bodies of data.

5.1 Control Classifications

Controls may be classified to help understand their purposes and where they fit into the overall system of internal controls (see Figure 3, Some Control Classifications, page 4). By understanding these classifications, the control analyst and auditor are better able to establish their positions in the control framework and answer key questions such as: Are the detective controls adequate to identify errors that may get past the preventive controls? Are corrective controls sufficient to fix the errors once detected? A common classification of IT controls is general versus application.

General controls (also known as infrastructure controls) apply to all systems components, processes, and data for a given organization or systems environment. General controls include, but are not limited to: information security policy, administration, access, and authentication; separation of key IT functions; management of systems acquisition and implementation; change management; and backup, recovery, and business continuity.

Application controls pertain to the scope of individual business processes or application systems. They include such controls as data edits, separation of business functions (e.g., transaction initiation versus authorization), balancing of processing totals, transaction logging, and error reporting. The function of a control is highly relevant to the assessment of its design and effectiveness. Controls may be classified as preventive, detective, or corrective.

Preventive controls prevent errors, omissions, or security incidents from occurring. Examples include simple data-entry edits that block alphabetic characters from being entered into numeric fields, access controls that protect sensitive data or system resources from unauthorized people, and complex and dynamic technical controls such as antivirus software, firewalls, and intrusion prevention systems.


¹ COSO – Committee of Sponsoring Organizations for the Commission on Fraudulent Financial Reporting (The Committee of Sponsoring Organizations of the Treadway Commission). See www.coso.org.

It is not necessary to know “everything” about IT controls

Do not be concerned if you do not understand the full continuum or all the technical intricacies of IT controls. Many of these controls are the domain of specialists who manage specific risks associated with individual components of the systems and network infrastructure. In keeping with good separation-of-duties practices, some people who have specialized knowledge in a technology, such as database management, may know little about network components or communication protocols, and vice versa.

There are two key control concepts to remember:

1. Assurance must be provided by the IT controls within the whole system of internal control and must be continuous and produce a reliable and continuous trail of evidence.

2. The auditor’s assurance is an independent and objective assessment of the first assurance. It is based on understanding, examining, and assessing the key controls related to the risks the auditors manage, as well as performing sufficient tests to ensure the controls are designed appropriately and function effectively.

Figure 2

Detective controls detect errors or incidents that elude preventive controls. For example, a detective control may identify account numbers of inactive accounts or accounts that have been flagged for monitoring of suspicious activities. Detective controls can also include monitoring and analysis to uncover activities or events that exceed authorized limits or violate known patterns in data that may indicate improper manipulation. For sensitive electronic communications, detective controls can indicate that a message has been corrupted or the sender’s secure identification cannot be authenticated.

Corrective controls correct errors, omissions, or incidents once they have been detected. They vary from simple correction of data-entry errors, to identifying and removing unauthorized users or software from systems or networks, to recovery from incidents, disruptions, or disasters.

Generally, it is most efficient to prevent errors or detect them as close as possible to their source to simplify correction. These corrective processes also should be subject to preventive and detective controls, because they represent another opportunity for errors, omissions, or falsification.
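The preventive, detective and corrective examples in the paragraphs above are easier to tell apart when they sit side by side in code. The Python below is an added illustration written for this page, not code from the GTAG or from The IIA: a data-entry edit rejects alphabetic characters in a numeric amount field (preventive), a monitoring pass flags postings to inactive or watch-listed accounts and amounts over an authorised limit (detective), and a correction routine fixes a rejected amount but only through an authorised, logged action, so the corrective step is itself covered by preventive and detective controls as the last paragraph recommends. The account identifiers, the limit, the authoriser list and the sample batch are constructed values.

```python
"""Added example: preventive, detective and corrective controls applied to a
constructed batch of transactions. All reference data and records are constructed."""
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed reference data (not from any real system)
INACTIVE_ACCOUNTS = {"ACC-0042"}
WATCHLIST_ACCOUNTS = {"ACC-0777"}
AUTHORISED_LIMIT = 10_000                 # per-transaction limit
CORRECTION_AUTHORISERS = {"supervisor1"}  # who may correct a rejected record


@dataclass
class Txn:
    txn_id: str
    account: str
    amount_field: str          # raw user input, exactly as typed
    amount: int | None = None  # populated only after the preventive edit passes


@dataclass
class ControlLog:
    """Evidence trail: every rejection, finding and correction is recorded."""
    rejected: list[tuple[str, str]] = field(default_factory=list)
    flagged: list[tuple[str, str]] = field(default_factory=list)
    corrections: list[tuple[str, str, str]] = field(default_factory=list)


def preventive_edit(txn: Txn, log: ControlLog) -> bool:
    """Preventive control: refuse the record if the numeric field is not all decimal digits."""
    if not txn.amount_field.isdecimal():
        log.rejected.append((txn.txn_id, "non-numeric amount"))
        return False
    txn.amount = int(txn.amount_field)
    return True


def detective_monitor(txn: Txn, log: ControlLog) -> list[str]:
    """Detective control: flag accepted records that break known limits or patterns."""
    findings = []
    if txn.account in INACTIVE_ACCOUNTS:
        findings.append("posting to inactive account")
    if txn.account in WATCHLIST_ACCOUNTS:
        findings.append("account flagged for monitoring")
    if txn.amount is not None and txn.amount > AUTHORISED_LIMIT:
        findings.append(f"amount {txn.amount} exceeds authorised limit {AUTHORISED_LIMIT}")
    for f in findings:
        log.flagged.append((txn.txn_id, f))
    return findings


def corrective_fix(txn: Txn, new_amount_field: str, authorised_by: str, log: ControlLog) -> bool:
    """Corrective control: repair a rejected amount. The fix is itself controlled:
    it must come from an authorised person (preventive), is logged (detective),
    and the corrected value goes back through the same edit."""
    if authorised_by not in CORRECTION_AUTHORISERS:
        log.rejected.append((txn.txn_id, f"correction by {authorised_by} not authorised"))
        return False
    log.corrections.append((txn.txn_id, authorised_by, new_amount_field))
    txn.amount_field = new_amount_field
    return preventive_edit(txn, log)


def process_batch(batch: list[Txn]) -> ControlLog:
    """Run the preventive edit on each record, then monitor the ones that were accepted."""
    log = ControlLog()
    for txn in batch:
        if preventive_edit(txn, log):
            detective_monitor(txn, log)
    return log


# Constructed sample batch
SAMPLE_BATCH = [
    Txn("T1", "ACC-0001", "2500"),
    Txn("T2", "ACC-0001", "25OO"),   # letter O typed instead of zero
    Txn("T3", "ACC-0042", "100"),    # inactive account
    Txn("T4", "ACC-0777", "50"),     # watch-listed account
    Txn("T5", "ACC-0002", "12000"),  # over the authorised limit
]

if __name__ == "__main__":
    log = process_batch(SAMPLE_BATCH)
    print("rejected:", log.rejected)
    print("flagged:", log.flagged)
    bad = SAMPLE_BATCH[1]
    print("clerk correction accepted:", corrective_fix(bad, "2500", "clerk1", log))
    print("supervisor correction accepted:", corrective_fix(bad, "2500", "supervisor1", log))
```

Note that `ControlLog` is the "continuous trail of evidence" the guide keeps returning to: an assessor testing these controls would sample from it rather than from the transactions alone.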

Many other control classifications described in this guide may be useful in assessing their effectiveness. For example, automated controls tend to be more reliable than manual controls, and nondiscretionary controls are more likely to be applied consistently than discretionary controls. Other control classifications include mandatory, voluntary, complementary, compensating, redundant, continuous, on-demand, and event-driven.

5.2 Governance, Management, Technical

Another common classification of controls is by the group responsible for ensuring they are implemented and maintained properly. For the purpose of assessing roles and responsibilities, this guide primarily categorizes IT controls as governance, management, and technical. Information security program elements for these three categories are described in Appendix A (page 25). The first two levels — governance and management — are the most applicable to the scope of this guide, although it may also be useful to understand how higher-level controls specifically are established within the technical IT infrastructures. Technical controls will be the subject of more topic-specific GTAGs.

5.2.1 Governance Controls

The primary responsibility for internal control resides with the board of directors in its role as keeper of the governance framework. IT control at the governance level involves ensuring that effective information management and security principles, policies, and processes are in place, and that performance and compliance metrics demonstrate ongoing support for that framework.

Governance controls are those mandated by, and controlled by, either the entire board of directors or a board committee in conjunction with the organization’s executive management. These controls are linked with the concepts of corporate governance, which are driven both by organizational goals and strategies and by outside bodies such as regulators.

An important distinction between governance and management controls is the concept of “noses in, fingers out.” The board’s responsibility involves oversight rather than actually performing control activities. For example, the audit committee of the board does no auditing, but it does oversee both the internal and external auditing of the organization.

5.2.2 Management Controls

Management responsibility for internal controls typically involves reaching into all areas of the organization, with special attention to critical assets, sensitive information, and operational functions. Consequently, close collaboration among board members and executive managers is essential. Management must make sure the IT controls needed to achieve the organization’s established objectives are applied, and ensure reliable and continuous processing. These controls are deployed as a result of deliberate actions by management to:

• Recognize risks to the organization, its processes, and assets.

• Enact mechanisms and processes to mitigate and manage risks (protect, monitor, and measure results).

5.2.3 Technical Controls

Technical controls form the foundation that ensures the reliability of virtually every other control in the organization. For example, by protecting against unauthorized access and intrusion, they provide the basis for reliance on the integrity of information — including evidence of all changes and their authenticity. These controls are specific to the technologies in use within the organization’s IT infrastructures. The ability to automate technical controls that implement and demonstrate compliance with management’s intended information-based policies is a powerful resource to the organization.

Figure 3 - Some Control Classifications

5.3 IT Controls – What to Expect

Individual control mechanisms a CAE can expect to find within the organization can be defined within the hierarchy of IT controls, from the overall high-level policy statements issued by management and endorsed by the board of directors down to the specific control mechanisms incorporated into application systems.

The hierarchy in Figure 4, IT Controls, this page, represents a logical “top-down” approach, both when considering controls to implement and when determining areas on which to focus audit resources during reviews of the entire IT operating environment. The different elements of the hierarchy are not mutually exclusive; they are all connected and can intermingle. Many of the control types within the elements are described below.

5.3.1 Policies

All organizations need to define their aims and objectives through strategic plans and policy statements. Without clear statements of policy and standards for direction, organizations can become disoriented and perform ineffectively. Organizations with clearly defined aims and objectives tend to be successful.

Because technology is vital to the operations of most organizations, clear policy statements regarding all aspects of IT should be devised and approved by management, endorsed by the board of directors, and communicated to all staff. Many different policy statements can be required, depending on the organization’s size and the extent to which it deploys IT. For smaller organizations, a single policy statement may be sufficient, provided it covers all the relevant areas. Larger organizations that implement IT extensively will require more detailed and specific policies.

IT policy statements include, but are not restricted to:

• A general policy on the level of security and privacy throughout the organization. This policy should be consistent with all relevant national and international legislation and should specify the level of control and security required, depending on the sensitivity of the system and data processed.

• A statement on the classification of information and the rights of access at each level. The policy should also define any limitations on the use of this information by those approved for access.

• A definition of the concepts of data and systems ownership, as well as the authority necessary to originate, modify, or delete information. Without these guidelines, it is often difficult to coordinate change within large organizations, because there may not be anyone designated to have overall responsibility for the data or systems.

• A general policy that defines the extent to which users can deploy intelligent workstations to create their own applications.

• Personnel policies that define and enforce conditions for staff in sensitive areas. This includes the positive vetting of new staff prior to joining the organization, carrying out annual credit checks, and having employees sign agreements accepting responsibility for the required levels of control, security, and confidentiality. This policy would also detail related disciplinary procedures.

• Definitions of overall business continuity planning requirements. These policies should ensure that all aspects of the business are considered in the event of a disruption or disaster — not just the IT elements.

Figure 4 – IT Controls

The Center for Internet Security (www.cisecurity.org) reports that applying controls consistently over system and network component configuration will protect the organization from more than 85 percent of the top vulnerabilities identified by the U.S. National Institute of Standards and Technology (NIST), Federal Bureau of Investigation (FBI), SANS Institute, and Computer Security Institute (CSI).

A good source of IT and security policies is the SANS Security Policy Resource page (http://www.sans.org/resources/policies/#intro), a consensus research project of the SANS Institute community. The project offers free resources for rapid development and implementation of information security policies, including policy templates for 24 important security requirements. Although the templates were compiled to help the people attending SANS training programs, SANS makes them available to the world, because Internet security depends on vigilance by all participants.

5.3.2 Standards

Standards exist to support the requirements of policies. They are intended to define ways of working that achieve the required objectives of the organization. Adopting and enforcing standards also promotes efficiency, because staff are not required to reinvent the wheel every time a new business application is built or a new network is installed. Standards also enable the organization to maintain the whole IT operating environment more efficiently.

Large organizations with significant resources are in a position to devise their own standards. On the other hand, smaller organizations rarely have sufficient resources for this exercise. There are many sources of information on standards and best practice, some of which are listed in Appendix I (see page 45). As a guideline, the CAE should expect to see standards adopted for:

• Systems Development Processes – When organizations develop their own applications, standards apply to the processes for designing, developing, testing, implementing, and maintaining systems and programs. If organizations outsource application development or acquire systems from vendors, the CAE should ascertain that agreements require the providers to apply standards consistent with the organization’s standards or acceptable to the organization.

• Systems Software Configuration – Because systems software provides a large element of control in the IT environment, standards related to secure system configurations, such as the CIS Benchmarks from the Center for Internet Security, are beginning to gain wide acceptance by leading organizations and technology providers. The way products such as operating systems, networking software, and database management systems are configured can either enhance security or create weaknesses that can be exploited.

• Application Controls – All applications which support business activities need to be controlled. Standards are necessary for all applications the organization develops or purchases that define the types of controls that must be present across the whole range of business activities, as well as the specific controls that should apply to sensitive processes and information.

• Data Structures – Having consistent data definitions across the full range of applications ensures disparate systems can access data seamlessly and security controls for private and other sensitive data can be applied uniformly.

• Documentation – Standards should specify the minimum level of documentation required for each application system or IT installation, as well as for different classes of applications, processes, and processing centers.

As with policies, standards should be approved by management, should be written in clear and understandable language, and should be made available to all who implement them.

5.3.3 Organization and Management

Organization and management plays a major role in the whole system of IT control, as it does with every aspect of an organization’s operations. An appropriate organization structure allows lines of reporting and responsibility to be defined and effective control systems to be implemented.

5.3.3.1 Separation of Duties

Separation of duties is a vital element of many controls. An organization’s structure should not allow responsibility for all aspects of processing data to rest upon one individual or department. The functions of initiating, authorizing, inputting, processing, and checking data should be separated to ensure no individual can both create an error, omission, or other irregularity and authorize it and/or obscure the evidence. Separation-of-duties controls for application systems are provided by granting access privileges only in accordance with job requirements for processing functions and accessing sensitive information.

Traditional separation of duties within the IT environment is divided between systems development and operations. Operations should be responsible for running production systems — except for change deployment — and should have little or no contact with the development process. This control includes restrictions preventing operators from accessing or modifying production programs, systems, or data. Similarly, systems development personnel should have little contact with production systems. By assigning specific roles during implementation and other change processes to both the personnel responsible for application systems and those responsible for operations, appropriate separation of duties can be enforced. In large organizations, many other functions should be considered to ensure appropriate separation of duties, and these controls can be quite detailed. For example, privileged accounts, such as the Administrator group in Windows and Super User in UNIX, can modify log entries, access any file, and in many cases act as any user or role. It is important to restrict the number of individuals with this privilege to a minimum.

GTAG — Understanding IT Controls — 5


Software tools are also available and should be considered to limit the power and monitor the activities of individuals with privileged accounts.
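As an added illustration (not part of the GTAG text), the following Python script shows how the two separations named above, initiate versus authorize and development versus operations, together with the limit on the number of privileged-account holders, can be checked against a role assignment table. The users, role names, incompatible pairs and the holder limit of two are constructed assumptions; a real review would read the table from the organization’s directory or the application’s security tables.

```python
"""Added illustration (not GTAG code): separation-of-duties and
privileged-account review over a constructed role assignment table."""
from collections import defaultdict

# Constructed sample: user -> set of roles held. Two users deliberately hold
# incompatible combinations and one privileged group has too many members.
ASSIGNMENTS = {
    "alice": {"payment_initiate", "payment_authorize"},   # initiates and approves
    "bob":   {"app_developer", "prod_operator"},           # develops and operates
    "carol": {"payment_initiate"},
    "dave":  {"prod_operator", "win_administrators"},
    "erin":  {"win_administrators", "unix_root"},
    "frank": {"win_administrators"},
    "grace": {"app_developer"},
}

# Duties the section says must not rest with one individual (assumed role names).
INCOMPATIBLE = [
    ("payment_initiate", "payment_authorize"),
    ("app_developer", "prod_operator"),
]

# Privileged groups (Administrators on Windows, root/super user on UNIX) and the
# assumed policy limit on how many people may hold each.
PRIVILEGED = {"win_administrators", "unix_root"}
MAX_PRIVILEGED_HOLDERS = 2


def sod_conflicts(assignments):
    """Detective check: list (user, role_a, role_b) for every user holding
    both halves of an incompatible pair."""
    findings = []
    for user, roles in sorted(assignments.items()):
        for a, b in INCOMPATIBLE:
            if a in roles and b in roles:
                findings.append((user, a, b))
    return findings


def privileged_holders(assignments):
    """Map each privileged group to the sorted list of users holding it."""
    holders = defaultdict(list)
    for user, roles in sorted(assignments.items()):
        for group in sorted(roles & PRIVILEGED):
            holders[group].append(user)
    return dict(holders)


def over_threshold(assignments, limit=MAX_PRIVILEGED_HOLDERS):
    """Privileged groups whose membership exceeds the policy limit."""
    return {g: users for g, users in privileged_holders(assignments).items()
            if len(users) > limit}


def can_grant(assignments, user, role, limit=MAX_PRIVILEGED_HOLDERS):
    """Preventive check run before a role is added: refuse a grant that would
    create a separation-of-duties conflict or overfill a privileged group.
    Returns (allowed, reason)."""
    current = assignments.get(user, set())
    for a, b in INCOMPATIBLE:
        other = b if role == a else a if role == b else None
        if other is not None and other in current:
            return False, f"conflicts with {other}"
    if role in PRIVILEGED:
        holders = privileged_holders(assignments).get(role, [])
        if user not in holders and len(holders) >= limit:
            return False, f"{role} already at holder limit ({limit})"
    return True, ""
```

sod_conflicts and over_threshold are the detective checks an auditor would run over the current table; can_grant is the matching preventive check an access-provisioning process would apply before a role is added, so that a conflict is refused at the point of granting rather than found at the next review.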

5.3.3.2 Financial Controls

Because organizations make considerable investments in IT, budgetary and other financial controls are necessary to ensure the technology yields the projected return on investment or proposed savings. Management processes should be in place to collect, analyze, and report information related to these issues. Unfortunately, new IT developments often suffer massive cost over-runs and fail to deliver the expected cost savings because of insufficient planning. Budgetary controls can help identify potential failings early in the process and allow management to take positive action. They may also produce historical data that organizations can use in future projects.

5.3.3.3 Change Management

Change management processes can be specified under organizational and management control elements. These processes should ensure that changes to the IT environment, systems software, application systems, and data are applied in a manner that enforces appropriate division of duties, makes sure changes work as required, prevents changes from being exploited for fraudulent purposes, and reveals the true costs of inefficiencies and system outages that can be obscured by ineffective monitoring and reporting processes. Change management is one of the most sensitive areas of IT controls and can seriously impact system and service availability if not administered effectively. The IT Process Institute has published research demonstrating that effective IT change management can bring significant benefits to organizations.

5.3.3.4 Other Management Controls

Other typical management controls include vetting procedures for new staff, performance measurement, provision of specialist training for IT staff, and disciplinary procedures. These are listed in the Information Security Program Elements in Appendix A and will be covered in greater detail in other GTAG publications.

5.3.4 Physical and Environmental Controls

IT equipment represents a considerable investment for many organizations. It must be protected from accidental or deliberate damage or loss. Physical and environmental controls, originally developed for large data centers that house mainframe computers, are equally important in the modern world of distributed, client-server, and Web-based systems. Although the equipment commonly used today is designed for ease of use in a normal office environment, its value to the business and the cost and sensitivity of applications running business processes can be significant. All equipment must be protected, including the servers and workstations that allow staff access to the applications.

Some typical physical and environmental controls include:

• Locating servers in locked rooms to which access is restricted.

• Restricting server access to specific individuals.

• Providing fire detection and suppression equipment.

• Housing sensitive equipment, applications, and data away from environmental hazards such as low-lying flood plains or flammable liquid stores.

When considering physical and environmental security, it is also appropriate to consider contingency planning — also known as disaster recovery planning — which includes response to security incidents. What will the organization do if there is a fire or flood, or if any other threat manifests itself? How will the organization restore the business and related IT facilities and services to ensure normal processing continues with minimum effect on regular operations? This type of planning goes beyond merely providing for alternative IT processing power to be available and routine backup of production data; it must consider the logistics and coordination needed for the full scope of business activity. Finally, history consistently demonstrates that a disaster recovery plan that has not been tested successfully in a realistic simulation is not reliable.

5.3.5 Systems Software Controls

Systems software products enable the IT equipment to be used by the application systems and users. These products include operating systems, such as Windows, UNIX, and Linux; network and communications software; firewalls; antivirus products; and database management systems (DBMS), such as Oracle and DB2.

Systems software can be highly complex and can apply to components and appliances within the systems and network environment. It may be configured to accommodate highly specialized needs and normally requires a high degree of specialization to maintain it securely. Configuration techniques can control logical access to the applications, although some application systems contain their own access controls and may provide an opening for hackers to use to break into a system. Configuration techniques also provide the means to enforce division of duties, generate specialized audit trails, and apply data integrity controls through access control lists, filters, and activity logs.

IT audit specialists are required to assess controls in this area. Small organizations are unlikely to have the resources to employ such specialists and should consider outsourcing the work. Whether IT auditors are employed or outsourced, they require a highly specific set of knowledge. Much of this knowledge can come from experience, but such knowledge must be updated constantly to remain current and useful. Certification confirms that a technical specialist has acquired a specified set of knowledge and experience and has passed a related examination. In the IT audit world, global certificates include the Qualification in Computer Auditing (QiCA) from IIA–United Kingdom and Ireland; Certified Information Systems Auditor (CISA), available through the Information Systems Audit and Control Association (ISACA); and Global Information Assurance Certification (GIAC) Systems & Network Auditor (GSNA) from the SANS Institute’s GIAC program. Additional certifications address general and specialized competence in information security, network administration, and other areas closely related to IT auditing, and are useful for identifying an IT auditor’s potential ability.

Some key technical controls the CAE should expect to find in a well-managed IT environment include:

• Access rights allocated and controlled according to the organization’s stated policy.

• Division of duties enforced through systems software and other configuration controls.

• Intrusion and vulnerability assessment, prevention, and detection in place and continuously monitored.

• Intrusion testing performed on a regular basis.

• Encryption services applied where confidentiality is a stated requirement.

• Change management processes — including patch management — in place to ensure a tightly controlled process for applying all changes and patches to software, systems, network components, and data.

5.3.6 Systems Development and Acquisition Controls

Organizations rarely adopt a single methodology for all systems development projects. Methodologies are chosen to suit the particular circumstances of each project. The IT auditor should assess whether or not the organization develops or acquires application systems using a controlled method that subsequently provides effective controls over and within the applications and data they process. All computer application systems should perform only those functions the user requires, in an efficient way. By examining application development procedures, the auditor can gain assurance that applications work in a controlled manner.

Some basic control issues should be evident in all systems development and acquisition work:

• User requirements should be documented, and their achievement should be measured.

• Systems design should follow a formal process to ensure that user requirements and controls are designed into the system.

• Systems development should be conducted in a structured manner to ensure that requirements and design features are incorporated into the finished product.

• Testing should ensure that individual system elements work as required, system interfaces operate as expected, users are involved in the testing process, and the intended functionality has been provided.

• Application maintenance processes should ensure that changes in application systems follow a consistent pattern of control. Change management should be subject to structured assurance validation processes.

Where systems development is outsourced, the outsourcer or provider contracts should require similar controls.

Project management techniques and controls need to be part of the development process, whether developments are performed in-house or are outsourced. Management should know projects are on time and within budget and that resources are used efficiently. Reporting processes should ensure that management completely understands the current status of development projects and does not receive any surprises when the end product is delivered.

5.3.7 Application-based Controls

The objective of internal controls over application systems is to ensure that:

• All input data is accurate, complete, authorized, and correct.

• All data is processed as intended.

• All data stored is accurate and complete.

• All output is accurate and complete.

• A record is maintained to track the process of data from input to storage and to the eventual output.

Reviewing the application controls traditionally has been the “bread and butter” of the IT auditor. However, because application controls now represent a huge percentage of business controls, they should be the priority of every internal auditor. All internal auditors need to be able to evaluate a business process and understand and assess the controls provided by automated processes.

There are several types of generic controls that the CAE should expect to see in any application:

• Input Controls – These controls are used mainly to check the integrity of data entered into a business application, whether the source is input directly by staff, remotely by a business partner, or through a Web-enabled application. Input is checked to ensure that it remains within specified parameters.

• Processing Controls – These controls provide automated means to ensure processing is complete, accurate, and authorized.

• Output Controls – These controls address what is done with the data. They should compare results with the intended result and check them against the input.

• Integrity Controls – These controls can monitor data in process and/or in storage to ensure that data remains consistent and correct.

• Management Trail – Processing history controls, often referred to as an audit trail, enable management to track transactions from the source to the ultimate result and to trace backward from results to identify the transactions and events they record. These controls should be adequate to monitor the effectiveness of overall controls and identify errors as close as possible to their sources.
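To make the five generic controls concrete, the following is an added Python illustration (not from the GTAG) of a toy batch-posting step that applies each of them to a constructed batch of four payment records: the sender’s control totals are checked before anything is posted (processing control), each record is validated against format, range and authorization rules (input control), the posted total is reconciled against the accepted input total (output control), the stored entries are reconciled against the audit records (integrity control), and every record leaves an audit entry that can be traced forward from transaction to ledger entry and backward again (management trail). The batch layout, field names, account number format and the 10,000 per-transaction limit are assumptions.

```python
"""Added illustration, not GTAG code: a toy batch-posting pipeline that applies
the five generic application controls (input, processing, output, integrity,
management trail) to a constructed batch. Layout and limits are assumptions."""
import re
from decimal import Decimal, InvalidOperation

# Constructed sample batch. The header carries control totals the sender
# computed over all four records; the fourth record is deliberately malformed.
BATCH_HEADER = {"record_count": 4, "amount_total": Decimal("1413.50")}
BATCH_RECORDS = [
    {"txn_id": "T0001", "account": "AC-10021", "amount": "500.00", "authorized_by": "jsmith", "source": "staff"},
    {"txn_id": "T0002", "account": "AC-10022", "amount": "900.00", "authorized_by": "jsmith", "source": "partner"},
    {"txn_id": "T0003", "account": "AC-10023", "amount": "25.50", "authorized_by": "mlee", "source": "web"},
    {"txn_id": "T0004", "account": "BAD", "amount": "-12.00", "authorized_by": "", "source": "web"},
]
ACCOUNT_RE = re.compile(r"^AC-\d{5}$")   # assumed account number format
AMOUNT_LIMIT = Decimal("10000.00")       # assumed per-transaction policy limit


def parse_amount(value):
    """Return the amount as a Decimal, or None if it is not numeric."""
    try:
        return Decimal(value)
    except InvalidOperation:
        return None


def validate_input(rec):
    """Input control: presence, format, range and authorization checks.
    Returns the list of failed checks (empty means the record is acceptable)."""
    errors = []
    if not ACCOUNT_RE.match(rec.get("account", "")):
        errors.append("account format")
    amt = parse_amount(rec.get("amount", ""))
    if amt is None:
        errors.append("amount not numeric")
    elif amt <= 0 or amt > AMOUNT_LIMIT:
        errors.append("amount out of range")
    if not rec.get("authorized_by"):
        errors.append("not authorized")
    return errors


def check_batch_totals(header, records):
    """Processing (completeness) control: the sender's control totals must
    equal the record count and hash total of what was actually received."""
    amounts = [parse_amount(r.get("amount", "")) for r in records]
    if any(a is None for a in amounts):
        return False
    return (header["record_count"] == len(records)
            and header["amount_total"] == sum(amounts, Decimal("0")))


def post_batch(header, records):
    """Run one batch through the controls. Returns (ledger, audit_trail, summary);
    summary is None when the batch as a whole is rejected."""
    audit = []    # management trail: one entry per record plus batch-level events
    ledger = []   # output store: each entry carries the txn_id it came from
    if not check_batch_totals(header, records):
        audit.append({"event": "batch_rejected", "reason": "control totals mismatch"})
        return ledger, audit, None
    accepted_total = Decimal("0")
    for rec in records:
        errors = validate_input(rec)
        if errors:
            audit.append({"txn_id": rec["txn_id"], "source": rec["source"],
                          "outcome": "rejected", "errors": errors})
            continue
        entry = {"ledger_id": f"L{len(ledger) + 1:04d}", "txn_id": rec["txn_id"],
                 "account": rec["account"], "amount": Decimal(rec["amount"])}
        ledger.append(entry)
        accepted_total += entry["amount"]
        audit.append({"txn_id": rec["txn_id"], "source": rec["source"],
                      "outcome": "posted", "ledger_id": entry["ledger_id"]})
    # Output control: what was written must equal what the input stage accepted.
    output_ok = sum((e["amount"] for e in ledger), Decimal("0")) == accepted_total
    # Integrity control: stored entries and "posted" audit records must match one to one.
    posted_ids = {a["ledger_id"] for a in audit if a.get("outcome") == "posted"}
    integrity_ok = posted_ids == {e["ledger_id"] for e in ledger} and len(posted_ids) == len(ledger)
    summary = {"accepted": len(ledger), "rejected": len(records) - len(ledger),
               "accepted_total": accepted_total, "output_ok": output_ok,
               "integrity_ok": integrity_ok}
    return ledger, audit, summary


def trace_forward(audit, txn_id):
    """Source -> result: which ledger entry did this transaction produce?"""
    for a in audit:
        if a.get("txn_id") == txn_id and a.get("outcome") == "posted":
            return a["ledger_id"]
    return None


def trace_backward(ledger, ledger_id):
    """Result -> source: which transaction produced this ledger entry?"""
    for e in ledger:
        if e["ledger_id"] == ledger_id:
            return e["txn_id"]
    return None
```

Running post_batch(BATCH_HEADER, BATCH_RECORDS) posts three records, rejects the fourth with the three reasons recorded in its audit entry, and reports output_ok and integrity_ok as true; changing the header count to 3 makes the batch fail the completeness check before any record is posted, which is the order an auditor should expect (batch-level controls first, then record-level ones).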


5.4 Information Security

Information security is an integral part of all IT controls. Information security applies to both infrastructure and data and is the foundation for the reliability of most other IT controls. The exceptions are controls relating to the financial aspects of IT (e.g., ROI, budgetary controls) and some project management controls. The universally accepted elements of information security are:

• Confidentiality – Confidential information must only be divulged as appropriate and must be protected from unauthorized disclosure or interception. Confidentiality includes privacy considerations.

• Integrity – Information integrity refers to the state of data as being correct and complete. This specifically includes the reliability of financial processing and reporting.

• Availability – Information must be available to the business, its customers, and partners when, where, and in the manner needed. Availability includes the ability to recover from losses, disruption, or corruption of data and IT services, as well as from a major disaster where the information was located.

5.5 IT Controls Framework

IT controls are not automatic. For the more than 50 years organizations have used IT, controls have not always been the default condition of new systems, hardware, or software. The development and implementation of controls typically lag behind the recognition of vulnerabilities in systems and the threats that exploit such vulnerabilities. Further, IT controls are not defined in any widely recognized standard applicable to all systems or to the organizations that use them.

Many frameworks exist for categorizing IT controls and their objectives. Each organization should use the most applicable components of these frameworks to categorize or assess IT controls and to provide and document its own internal control framework for:

• Compliance with applicable regulations and legislation.

• Consistency with the organization’s goals and objectives.

• Reliable evidence (assurance) that activities are in compliance with management’s governance policies and are consistent with the organization’s risk appetite.

Risk Appetite

An organization’s risk appetite defines the degree of risk a company or other organization is willing to accept in pursuit of its goals, as determined by executive management and governance. Risk appetite can specify, for example, whether or not an organization will take an aggressive role in the deployment of new and emerging technologies. An organization’s risk appetite can be affected by its industry and regulatory environment. Closely related to risk appetite is an organization’s risk tolerance, which measures how far it is willing to deviate from its stated measure of risk appetite.

Many issues drive the need for IT controls, including controlling costs and remaining competitive, protecting against information theft by hackers, and complying with legislation and regulation such as the U.S. Sarbanes-Oxley Act of 2002², the European Union’s Data Protection Directive, and related legislation in other countries. IT controls promote reliability and efficiency and allow the organization to adapt to changing risk environments. For example, any control that mitigates or detects fraud or cyber attacks enhances the organization’s resiliency by helping the organization uncover the risk and manage its impact. Resiliency is a result of a strong system of internal controls that give an organization the ability to manage disruptions seamlessly.

Legislation and regulations in some countries now require organizations to report on the effectiveness of internal control and, by implication, the effectiveness of IT control. The most prominent new law is Sarbanes-Oxley, which requires all companies with shares that are publicly traded in the United States, and their foreign subsidiaries, to report on their system of internal controls over financial reporting, performed in conjunction with an audit of financial statements. A list of some of the legislation and regulations applicable to internal controls is provided in Appendix B (see page 24).

The need for controls is further driven by the complexity resulting from the necessity for diverse technical components to work with one another. While flexibility and adaptability of IT are crucial to meeting the changing needs of customers and business partners and responding to competitive pressures, they also add complexity to business and IT infrastructures. In addition, information security has been acknowledged as a key component of internal control with the emergence and widespread acceptance of standards such as the International Organization for Standardization Code of Practice for Information Security Management (ISO 17799).

Organizations that implement effective IT controls experience improvements in efficiencies, reliability of services, flexibility of systems, and availability of assurance evidence — all of which add value and increase stakeholder and regulator confidence in the organization. Some key indicators of effective IT controls include:

• The ability to execute planned new work, such as the IT infrastructure upgrades required to support new products and services.

• Delivery of development projects on time and within budget, resulting in cheaper and better product and service offerings when compared with competitors.

• Ability to allocate resources predictably.

• Consistent availability and reliability of information and IT services across the organization and for customers, business partners, and other external interfaces.

• Clear communication to management of effective controls.

• The ability to protect against new vulnerabilities and threats quickly and efficiently, and to recover from any disruption of IT services.

• The efficient use of a customer support center or help desk.

• A security-conscious culture among end users throughout the organization.

Although the internal audit function likely will include specialist IT auditors to address IT issues in detail, the CAE also should understand IT control issues at a high level, particularly their interactions with other IT and non-IT controls. This understanding is particularly important when discussing compliance or control deficiencies with high-level managers such as the chief executive officer (CEO), chief financial officer (CFO), or chief information officer (CIO), and with the various board committees.

The CAE should be able to discuss relevant regulations and legislation with the audit committee, the chief legal counsel, and other relevant individuals and committees. The CAE also should understand how IT controls support reliability and effectiveness and help promote competitive advantage. Moreover, the CAE should thoroughly understand the major issues that drive the need for controls within the organization’s particular sector to ensure they are considered during audit assessments. Without a thorough knowledge and understanding of IT controls, the auditor will be unable to grasp their significance or to assess them adequately as part of the overall review of internal control.

GTAG — Importance of IT Controls — 6


² Public Accounting Reform and Investor Protection Act of 2002, known as Sarbanes-Oxley after its sponsors, U.S. Sen. Paul Sarbanes and U.S. Rep. Michael Oxley.

GTAG — IT Roles in the Organization — 7

Many different roles have emerged in recent years for positions within the organization with responsibilities and ownership of IT controls. Each position at the governance, management, operational, and technical levels should have a clear description of its roles and responsibilities for IT controls to avoid confusion and ensure accountability for specific issues. This section addresses the various IT control roles and responsibilities within the organization and allocates them to specific positions within a hypothetical organizational structure.

There is no universally applicable means of defining the organizational structure for IT control. The CAE should identify where IT control responsibilities lie and assess their appropriateness with regard to separation of duties, as well as any gaps that may exist in assigned responsibilities. Once this is done, the CAE will know whom to approach to discuss specific IT issues and where specific information can be obtained.

Overall, the objectives for the use of IT within any organization are:

• To deliver reliable information efficiently and secure IT services in line with the organization’s strategies, policies, external requirements, and risk appetite.

• To protect stakeholder interests.

• To enable mutually beneficial relationships with customers, business partners, and other outside parties that accomplish business objectives.

• To identify and respond to threats and potential violations of control appropriately.

Specific roles within the organization support these objectives. The position descriptions and titles will differ across different countries, industries, and organizations, and some of the roles may be merged within smaller organizations. However, some individuals within the organization must address the IT control function and interact with the CAE and internal audit staff members.

7.1 Board of Directors/Governing Body

One important role of the full board of directors is to determine and approve strategies, set objectives, and ensure that objectives are being met to support the strategies. In relation to IT, this requires:

• Awareness of the key IT topics, such as the IT and information security policies and the concepts of risk as they relate to IT. An example of board roles in IT oversight is provided in The IIA’s “Information Security Management and Assurance Series” at www.theiia.org/iia/index.cfm?doc_id=2458.

• Understanding of the IT strategy’s infrastructure and components, as well as awareness of key system development and acquisition projects and how they support and impact overall corporate strategies, objectives, and short- and long-term budgets.

• Approval of the data classifications structure and the related access rights.

The board will establish various committees based on its relationships with the organization. The most common committees of the board are audit, compensation, and governance, but some boards have additional committees, such as a risk management committee or finance committee. These committees may bear different names from those identified below, and their roles may vary. The functions, rather than the names, are important.

7.1.1 Audit Committee

The role of the audit committee encompasses oversight of financial issues, internal control assessment, risk management, and ethics. IT control is a strong element of each of these duties and calls for:

• Understanding of financial management (financial expert role) and the organization’s reliance on IT for financial processing and reporting.

• Ensuring IT topics are included in the committee meeting agenda — especially CIO reporting.

• Ensuring general IT controls, and controls in business application systems and processes involved in preparing financial statements, are assessed and tested adequately.

• Overseeing the overall assessment of IT controls.

• Reviewing the business and control issues related to new systems development and acquisition.

• Examining internal and external audit plans and work to ensure IT topics are covered adequately.

• Reviewing the results of audit work and monitoring the resolution of issues raised.

• Understanding the IT topics that impact ethics monitoring.

7.1.2 Compensation Committee

The compensation committee has no direct relationship with IT. However, it can improve the board’s oversight of IT by making IT one of the performance elements of any compensation plan it approves.

7.1.3 Governance Committee

The governance committee is responsible for board member selection and assessment and for leadership of the board’s operations. In relation to IT, this committee should:

• Ensure that potential and current board members have a suitable IT knowledge or background.

• Assess board committees’ performance in terms of their oversight of IT.

• Review any external regulatory governance assessments in relation to IT topics.

• Ensure that the board reviews IT policies periodically and that board meetings focus on IT with adequate frequency.

7.1.4 Risk Management Committee

The risk management committee is responsible for oversight of all risk analysis and assessment, risk response, and risk monitoring. Its role includes:

• Assessing the extent to which management has established effective enterprise risk management in the organization.

• Being aware of, and concurring with, the organization’s risk appetite and tolerance.

• Appreciating the impact of IT-related risks.

• Reviewing the organization’s risk portfolio — including IT risks — and considering it against the organization’s risk appetite.

• Being apprised of the most significant IT risks and determining whether or not management’s response to changes in risk and threats is appropriate.

• Monitoring and evaluating all activities performed by management to minimize all known and documented risks.

7.1.5 Finance Committee

The main role of the finance committee is to review financial statements, cash flow projections, and investment management. Members of this committee need to understand the control elements of IT that ensure the accuracy of information used to make key financing decisions and generate financial reports. They also should consider, and ask management to report on, the benefits and costs of maintaining — versus replacing — critical IT systems. Management’s report should consider “soft” efficiency issues, such as gains or losses to productivity based on ease and efficiency of use; the “hard” costs of repairs and upgrades; and the potential for risk due to loss or corruption of data.

7.2 Management

Several specific roles have emerged in large organizations in relation to IT risk and control. As stated previously, small organizations might not allocate an individual for each role, although the function must still be performed. An individual may perform multiple roles, but care must be taken so that allocating these roles does not compromise the need for division of duties where roles are incompatible. Where IT is outsourced, there is still a requirement for organizations to keep many of these roles in-house to provide oversight of the outsourced functions.

7.2.1 Chief Executive Officer

The individual with overall strategic and operational control of the organization must consider IT in most aspects of the role. In particular, the CEO will:

• Define corporate objectives and performance measures in relation to IT.

• Act as custodian over the organization’s critical success factors in relation to IT.

• Understand and approve the short-term and long-range strategy for IT.

• Approve IT resources for the organization, including structure and oversight/monitoring.

• Determine IT issues for periodic management, board, and staff discussion.

• Operate as the highest-level control owner, having ultimate responsibility for the success or failure of controls and for coordinating all other operational managers within their responsibilities framework who act as control owners of their particular areas.

7.2.2 Chief Financial Officer

The CFO has overall responsibility for all financial matters in the organization and should have a strong understanding of the use of IT both to enable financial management and to support corporate objectives. This individual should have an overall understanding of:

• The total cost of ownership for IT initiatives.

• The entity’s IT strategies for remaining technologically competitive.

• The technologies used to implement financial applications.

• The operation of specific financial applications.

• The limitations and benefits of IT.

• The IT control structure for general controls that apply to all business systems and data, as well as controls that are specific to financial applications.

The CFO should operate as the highest-level control owner for financial systems and data.

IT Controls and Ethics

As evidenced by cases from the Equity Funding fraud in the 1970s to the scandals that continue to emerge today, the use of technology creates significant opportunities to initiate and perpetuate fraud and deception. The authority to override certain controls brings with it the temptation to initiate improper actions. If such improprieties go unnoticed or are tacitly allowed to continue, they can grow into outright fraud. Therefore, when an organization provides an individual the opportunity to perform actions on behalf of the organization, it has a corresponding responsibility to provide monitoring to detect and correct improper activities quickly. The organization also has a responsibility to identify threats of this sort and to establish safeguards as a preventive measure. The same technology tools that can create the opportunity for fraud can be used to identify activities, or even unusual patterns in transactions or other data, that may indicate evidence of fraud or questionable behavior.

7.2.3 Chief Information Officer

The CIO has overall responsibility for the use of IT within the organization. In relation to IT controls, the CIO should:

• Understand the business requirements that drive the need to implement IT.

• Develop IT partnerships with business management to:
  – Ensure IT strategy is aligned with the business strategy.
  – Ensure compliance.
  – Profit from process-efficiency gains.
  – Mitigate assessed risks.

• Design, implement, and maintain an IT internal control framework.

• Plan, source, and control IT resources.

• Explore, assess, select, and implement technology advances (e.g., wireless communications).

• Provide training for IT personnel to ensure that levels of knowledge and skills remain current.

• Operate as the highest-level data/system custodian and IT control owner.

• Measure the operational performance of IT in support of business objectives by:
  – Setting expectations.
  – Evaluating results.

• Develop all necessary means to verify and acknowledge that IT is providing services and support as expected by its users and final customers, such as regulators and external and internal auditors.

7.2.4 Chief Security Officer

The chief security officer (CSO) is responsible for all security across the entire organization, including information security, which may be the responsibility of a chief information security officer as well. The CSO:

• Has responsibility for documenting the enterprise security policy and for ensuring mechanisms have been established to communicate and enforce the policy.

• Has overall responsibility for logical and physical security in the organization and for all external connections to the Internet or other networks.

• Acts as a key link between the compliance, legal, CIO, and audit functions.

• Is at the forefront of implementing key compliance programs affecting IT, such as Sarbanes-Oxley and the European Union (EU) Data Protection Directive.

• Is responsible for business continuity planning, including incident handling and disaster recovery.

• Ensures that security staff provide support for implementing controls at all levels.

• Acts as the key leader for investigating and evaluating new best practices that may be incorporated into the organization.

7.2.5 Chief Information Security Officer (CISO)

Information security is a subset of the overall security role. The CISO:

• Develops and implements the information security policy in coordination with the CSO.

• Controls and coordinates information security resources, ensuring they are allocated adequately to meet the organization's security objectives.

• Ensures alignment of information security and business objectives.

• Manages operational information risks throughout the organization.

• Oversees security within the IT organization.

• Provides education and awareness on information security issues and new best practices.

• Develops end-user policies for the usage of IT information in conjunction with the human resources function.

• Coordinates information security work with the chief risk officer (CRO) and CIO.

• Advises the CEO, CRO, CIO, and board on IT risk issues.

• Acts as a key link for the CAE when internal auditing performs IT control-related audits.

7.2.6 Chief Legal Counsel (CLC)

Legal counsel may be an employee or officer of the organization or an external legal adviser. The role involves:

• Understanding and dealing with the liabilities arising out of information disclosures, and providing policy-level guidance to help manage risks related thereto.

• Ensuring financial reports and presentations comply with laws and regulations.

• Understanding IT legal issues and advising on legal risks related to IT.

• Managing organizational reputation in relation to legal issues, compliance, and public relations.

• Understanding fraud involving IT.

• Managing IT contractual issues.

• Understanding investigative forensics protocols regarding suspected criminal activity.

7.2.7 Chief Risk Officer

The CRO is concerned with managing risk at all levels of the organization. Because IT risks form a part of this function, the CRO will consider them with the help of the CISO. This includes:

• Analysis and assessment of IT risk exposures, including information compromises such as loss, damage, unauthorized disclosure, and interrupted access.

• Assessment of IT events such as interruptions, disasters, and changes.

• Analysis and assessment of business risk as it is affected by IT risk.

• Monitoring, supporting, and acting as a mentor for all IT activities related to minimizing risks.

7.3 Audit

7.3.1 Internal Auditing – CAE and Audit Staff

Internal auditing is an essential part of the corporate governance process, whether or not a specific internal audit group is employed. Internal auditors need a general understanding of IT, but the level of their understanding will vary depending on the category of auditing or audit supervision they perform (IIA Standard 1210.A3). The IIA defines three categories of IT knowledge for internal auditors; Appendix C (see page 28) describes these categories. The internal audit role in relation to IT involves:

• Advising the audit committee and senior management on IT internal control issues.

• Ensuring IT is included in the audit universe and annual plan (selecting topics).

• Ensuring IT risks are considered when assigning resources and priorities to audit activities.

• Defining IT resources needed by the internal audit department, including specialized training of audit staff.

• Ensuring that audit planning considers IT issues for each audit.

• Liaising with audit clients to determine what they want or need to know.

• Performing IT risk assessments.

• Determining what constitutes reliable and verifiable evidence.

• Performing IT enterprise-level controls audits.

• Performing IT general controls audits.

• Performing IT applications controls audits.

• Performing specialist technical IT controls audits.

• Making effective and efficient use of IT to assist the audit processes.

• During systems development or analysis activities, operating as experts who understand how controls can be implemented and circumvented.

• Helping to monitor and verify the proper implementation of activities that minimize all known and documented IT risks.

7.3.2 External Auditor

Independent external audits are a requirement for most organizations and normally are performed annually. Topics to be considered by the internal audit department and the audit committee include:

• The extent of the external auditor's responsibilities for understanding and evaluating the IT system and related IT controls during financial audits.

• The scope of the external auditor's responsibilities for examining the IT system and controls during any formal attestation that may be required by statute or regulation, such as internal controls over financial reporting and other regulatory requirements.

[3] These definitions are taken from the COSO Enterprise Risk Management – Integrated Framework (October 2004).

8.1 Risk Determines Response

IT controls are selected and implemented on the basis of the risks they are designed to manage. As risks are identified — through experience or formal risk assessment — suitable risk responses are determined, ranging from doing nothing and accepting the risk as a cost of doing business to applying a wide range of specific controls, including insurance.

It would be a relatively straightforward task to create a list of recommended IT controls that must be implemented within each organization. However, each control has a specific cost that may not be justified in terms of cost effectiveness when considering the type of business done by the organization. Furthermore, no list of controls is universally applicable across all types of organizations. Although there is a lot of good advice available on the choice of suitable controls, strong judgment must be used. Controls must be appropriate for the level of risk faced by the organization.

The CAE should be able to advise the audit committee that the internal control framework is reliable and provides a level of assurance appropriate to the risk appetite of the organization. In this respect, the risk appetite of the organization is defined by COSO[3] as:

"… the degree of risk, on a broad-based level, that a company or other organization is willing to accept in pursuit of its goals. Management considers the organization's risk appetite first in evaluating strategic alternatives, then in setting objectives aligned with the selected strategy and in developing mechanisms to manage the related risks."

In addition, the CAE should consider risk tolerance. COSO defines risk tolerance as:

"… the acceptable level of variation relative to the achievement of objectives. In setting specific risk tolerances, management considers the relative importance of the related objectives and aligns risk tolerances with its risk appetite."

Thus, the CAE should consider whether or not:

• The organization's IT environment is consistent with the organization's risk appetite.

• The internal control framework is adequate to ensure that the organization's performance remains within the stated risk tolerances.

8.2 Risk Considerations in Determining the Adequacy of IT Controls

Risk management applies to the entire spectrum of activity within an organization, not just to the application of IT. IT cannot be considered in isolation but must be treated as an integral part of all business processes. Choosing IT controls is not simply a matter of implementing those recommended as best practices. They must add value to the organization by reducing risk efficiently and increasing effectiveness.

When considering the adequacy of IT controls within the organization's internal control framework, the CAE should consider the processes established by management to determine:

• The value and criticality of information.

• The organization's risk appetite and tolerance for each business function and process.

• IT risks faced by the organization and the quality of service provided to its users.

• The complexity of the IT infrastructure.

• The appropriate IT controls and the benefits they provide.

• Harmful IT incidents in the past 24 months.

The frequency of risk analysis is important and is influenced greatly by technological change. In a static business and technical infrastructure environment, the risk assessment process could be as infrequent as yearly, or could be performed in concert with a major implementation project.

8.2.1 The IT Infrastructure

Analyzing and assessing risk in relation to IT can be complex. The IT infrastructure consists of hardware, software, communications, applications, protocols (rules), and data, as well as their implementation within physical space, within the organizational structure, and between the organization and its external environment. Infrastructure also includes the people interacting with the physical and logical elements of systems.

The inventory of IT infrastructure components reveals basic information about the vulnerabilities of the environment. For example, business systems and networks connected to the Internet are exposed to threats that do not exist for self-contained systems and networks. Because Internet connectivity is an essential element of most business systems and networks, organizations must make certain that their systems and network architectures include the fundamental controls that ensure basic security.

The complete inventory of the organization's IT hardware, software, network, and data components forms the foundation for assessing the vulnerabilities within the IT infrastructures that may impact internal controls. Systems architecture schematics reveal the implementation of infrastructure components and how they interconnect with other components within and outside the organization. To the information security expert, the inventory and architecture of IT infrastructure components — including the placement of security controls and technologies — reveal potential vulnerabilities. Unfortunately, information about a system or network can also reveal vulnerabilities to a potential attacker, so access to such information must be restricted to only those people who need it. A properly configured system and network environment will minimize the amount of information it provides to would-be attackers, and an environment that appears secure presents a less attractive target to most attackers.

GTAG — Analyzing Risk — 8

8.2.2 IT Risks Faced by the Organization

The CAE discusses IT risk issues with the CIO and process owners to ensure that all related parties have an appropriate awareness and understanding of the technical risks faced by the organization through the use of IT, and of their roles in applying and maintaining effective controls.

8.2.3 Risk Appetite and Tolerance

Armed with the knowledge of IT risks, the auditor can validate the existence of effective controls to meet the established risk appetite of the organization and its risk tolerance in relation to IT. The auditor's assessment will involve discussions with many members of management and, ultimately, with the board. The level of detail of these discussions can be determined by the CRO with input from the CIO, CISO, CSO, CAE, and process owners. The final decision regarding risk appetite and tolerance must be made by the risk committee — with input from the audit committee — and must be endorsed by the full board. The definitions of risk appetite and tolerance must be communicated to all relevant managers for implementation.

The goal of enterprise risk management is to ensure that everyone is working with the same level and understanding of risk, and that decisions made at all levels of management are consistent with the organization's risk appetite.

8.2.4 Performing Risk Analysis

Performing risk analysis is not the sole preserve of either the CRO or the CAE, although both of them, or their representatives, should be involved along with representatives from IT and the business areas.

There are eight basic questions associated with the risk assessment process. The first five include:

• What are the assets at risk, and the value of their confidentiality, integrity, and availability?

• What could happen to affect that information asset value adversely (threat event)? Implicit to this question is the vulnerability analysis and the mapping of vulnerabilities to threats and potentially impacted information assets.

• If a threat event happened, how bad could its impact be?

• How often might the event be expected to occur (frequency of occurrence)?

• How certain are the answers to the first four questions (uncertainty analysis)?

The next three questions apply to risk mitigation analysis:

• What can be done to reduce the risk?

• How much will it cost?

• Is it cost-efficient?

8.2.5 Value of Information

Determining the value of the information processed and stored is not an easy task, due to the multidimensional nature of value. The Generally Accepted Information Security Principles (GAISP) Guidelines for Information Valuation, published by the Information Systems Security Association (www.issa.org), address information value within the following categories:

• Exclusive possession – cost in the event of a breach of confidentiality.

• Utility – cost in the event of a loss of integrity.

• Cost of creation/re-creation.

• Liability in the event of litigation.

• Convertibility/negotiability – represents market value.

• Operational impact of unavailability.

8.2.6 Appropriate IT Controls

Finally, appropriate IT controls must be chosen and implemented to address the risks identified. Much advice is available on this subject; see Appendix I (page 45).

The CAE and internal audit group should be involved in the process of analyzing and assessing risk. While they should operate in a manner that maintains the independence and objectivity of their function, they also must provide an opinion on the effectiveness of the internal control framework.

8.3 Risk Mitigation Strategies

When risks are identified and analyzed, it is not always appropriate to implement controls to counter them. Some risks may be minor, and it may not be cost effective to implement expensive control processes for them.

In general, there are several ways to mitigate the potential impact of risks:

• Accept the risk. One of the primary functions of management is managing risk. Some risks are minor because their impact and probability of occurrence are low. In this case, consciously accepting the risk as a cost of doing business is appropriate, as is periodically reviewing the risk to ensure its impact remains low.

• Eliminate the risk. It is possible for a risk to be associated with the use of a particular technology, supplier, or vendor. The risk can be eliminated by replacing the technology with more robust products and by seeking more capable suppliers and vendors.

• Share the risk. Risk mitigation approaches can be shared with trading partners and suppliers. A good example is outsourcing infrastructure management. In such a case, the supplier mitigates the risks associated with managing the IT infrastructure by being more capable and having access to more highly skilled staff than the primary organization. Risk also may be mitigated by transferring the cost of realized risk to an insurance provider.

• Control/mitigate the risk. Where other options have been eliminated, suitable controls must be devised and implemented to prevent the risk from manifesting itself or to minimize its effects.
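As an added illustration (not part of the GTAG) of the eight questions in 8.2.4 and the four responses in 8.3, the following Python scores one constructed IT risk in annual-loss terms and picks a response. The loss formula (asset value × impact fraction × yearly frequency), the uncertainty band, and every figure in it are assumptions made for the example; the GTAG itself prescribes no formula.

```python
"""Added example: scoring one IT risk against the 8.2.4 questions and choosing
among the 8.3 responses (accept, eliminate, share, control/mitigate).
Assumption: annual loss = asset value x impact fraction x yearly frequency,
a common quantitative approach; the GTAG itself prescribes no formula."""
from dataclasses import dataclass


@dataclass
class Asset:
    """Q1: the asset at risk and the value of its C, I and A (currency units)."""
    name: str
    confidentiality: float
    integrity: float
    availability: float


@dataclass
class Threat:
    """Q2-Q5: threat event, how bad (share of value lost), how often, how sure."""
    description: str
    affects: str            # "confidentiality", "integrity" or "availability"
    impact_fraction: float  # 0..1, share of the affected value lost per event
    frequency: float        # expected events per year
    uncertainty: float      # 0..1, half-width of the band around the estimate


@dataclass
class Control:
    """Q6-Q7: what can be done and what it costs; Q8 is computed below."""
    description: str
    annual_cost: float
    frequency_reduction: float  # 0..1, share of events the control prevents
    impact_reduction: float     # 0..1, share of the impact the control removes


def annual_loss_expectancy(asset: Asset, threat: Threat) -> float:
    """Expected loss per year before any new control (Q1 x Q3 x Q4)."""
    value = getattr(asset, threat.affects)
    return value * threat.impact_fraction * threat.frequency


def loss_range(asset: Asset, threat: Threat):
    """Q5: the uncertainty analysis as a (low, high) band around the estimate."""
    ale = annual_loss_expectancy(asset, threat)
    return ale * (1 - threat.uncertainty), ale * (1 + threat.uncertainty)


def residual_loss(asset: Asset, threat: Threat, control: Control) -> float:
    """Expected loss per year once the candidate control is in place."""
    return (annual_loss_expectancy(asset, threat)
            * (1 - control.frequency_reduction)
            * (1 - control.impact_reduction))


def choose_response(asset: Asset, threat: Threat, control: Control,
                    risk_tolerance: float) -> str:
    """Map the answers onto the 8.3 responses.

    risk_tolerance is the largest annual loss from this risk that management
    will accept (8.2.3).  Order of checks:
      accept  - even the pessimistic end of the band is within tolerance
      control - the control saves more than it costs (Q8: cost-efficient)
      share or eliminate - otherwise transfer it (insurance, outsourcing)
                           or remove the technology/supplier that causes it
    """
    _low, high = loss_range(asset, threat)
    if high <= risk_tolerance:
        return "accept"
    saved = annual_loss_expectancy(asset, threat) - residual_loss(asset, threat, control)
    if saved > control.annual_cost:
        return "control"
    return "share or eliminate"


# Constructed figures for the illustration; not from any real organization.
CUSTOMER_DB = Asset("customer database", confidentiality=1_000_000.0,
                    integrity=600_000.0, availability=300_000.0)
CREDENTIAL_THEFT = Threat("disclosure via stolen administrator credentials",
                          affects="confidentiality", impact_fraction=0.25,
                          frequency=0.5, uncertainty=0.5)
MFA = Control("multi-factor authentication for administrators",
              annual_cost=30_000.0, frequency_reduction=0.75, impact_reduction=0.0)

if __name__ == "__main__":
    print("annual loss expectancy:", annual_loss_expectancy(CUSTOMER_DB, CREDENTIAL_THEFT))
    print("uncertainty band:", loss_range(CUSTOMER_DB, CREDENTIAL_THEFT))
    print("response:", choose_response(CUSTOMER_DB, CREDENTIAL_THEFT, MFA, 50_000.0))
```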


8.4 Control Characteristics to Consider

Some of the issues to be addressed during the IT control evaluation process include:

• Is the control effective?

• Does it achieve the desired result?

• Is the mix of preventive, detective, and corrective controls effective?

• Do the controls provide evidence when control parameters are exceeded or when controls fail? How is management alerted to failures, and which steps are expected to be taken?

• Is evidence retained (audit or management trail)?

8.5 Baseline IT Controls

IT controls are to be applied when mitigating the risks is the best option. While IT controls should be applied with due regard to the relevant risks, there is a basic set of controls that need to be in place to provide a fundamental level of IT hygiene. For example, the use of a firewall to control traffic between a corporate network and a public network such as the Internet, or between internal network domains, is a baseline control. The level of risk associated with the business value and sensitivity of the network traffic, the services provided, and the information stored in the infrastructure determines the extent to which firewalls restrict traffic coming into and departing from an organization's networks. Firewalls are a physical and logical manifestation of information security policy elements that dictate what is allowed into or out of an organization.

IT controls most widely applicable to all IT infrastructures are known as baseline controls. There are many types of baseline controls. Two baselines that apply to IT security controls are the Digital Dozen from the VISA Cardholder Information Security Program (CISP) and the Fundamental Five from the Center for Internet Security (see sidebars on this page). The Fundamental Five and Digital Dozen complement each other.

It is not easy to define the baseline IT controls, because the general threats, such as malicious software and hacking, change, and newer technologies and applications frequently are implemented across the organization. The following questions can be considered when selecting a suitable set of baseline controls:

• Do IT policies — including for IT controls — exist?

• Have responsibilities for IT and IT controls been defined, assigned, and accepted?

• Are IT infrastructure, equipment, and tools logically and physically secured?

• Are access and authentication control mechanisms used?

• Is antivirus software implemented and maintained?

• Is firewall technology implemented in accordance with policy (e.g., where external connections such as the Internet exist and where separation between internal networks is needed)?

• Are external and internal vulnerability assessments completed, and risks identified and appropriately resolved?

• Are change and configuration management and quality assurance processes in place?

• Are structured monitoring and service measurement processes in place?

• Are specialist IT audit skills available (either internally or outsourced)?

Further information on baseline controls can be found in Appendix I (page 45). More comprehensive information on risk analysis and management can be found in the IIA paper Information Security Management and Assurance: A Call to Action for Corporate Governance, http://www.theiia.org/eSAC/pdf/BLG0331.pdf


Fundamental Five

The Consensus Benchmarks from the Center for Internet Security (www.cisecurity.org) provide guidance on the "Fundamental Five" of basic security hygiene. Use of these benchmarks typically results in an 80 percent to 95 percent reduction of known vulnerabilities.

1. Identity and Access Management (including privilege assignment and authentication)
2. Change Management (including patch management)
3. Configuration Management
4. Firewalls (workstation, host, sub-network, and perimeter)
5. Malware protection (including worms and viruses)

Digital Dozen

One of the most concise and broadly useful summaries of security guidance is the VISA CISP, which has proven its value for over two years in use by VISA credit card network service providers, including banks, processors, merchants, and others. VISA refers to these requirements as its "Digital Dozen":

1. Install and maintain a working firewall to protect data.
2. Keep security patches up-to-date.
3. Protect stored data.
4. Encrypt data sent across public networks.
5. Use and regularly update anti-virus software.
6. Restrict access by need to know.
7. Assign a unique Identification Code (ID) to each person with computer access.
8. Don't use vendor-supplied defaults for passwords and security parameters.
9. Track all access to data by unique ID.
10. Regularly test security systems and processes.
11. Implement and maintain an information security policy.
12. Restrict physical access to data.

9.1 Choosing a Control Framework

The process of identifying and assessing the IT controls necessary to address specific risks is aided considerably by the organization's adoption of a formal control framework. This framework should apply to, and be used by, the whole organization — not just internal auditing. Although many frameworks exist, no single framework covers every possible business type or technology implementation.

A control framework is a structured way of categorizing controls to ensure that the whole spectrum of control is adequately covered. The framework can be informal or formal. A formal approach will satisfy the various regulatory or statutory requirements faced by many organizations more readily.

Each organization should examine existing control frameworks to determine which of them — or which parts — most closely fit its needs. The process of choosing or constructing a control framework should involve all positions in the organization with direct responsibility for controls. The CAE should be involved in the decision process because the internal audit function will assess the framework's adequacy and use it as a context for planning and performing audit work.

The CAE needs an overall knowledge of IT risk issues to assess the effectiveness and appropriateness of IT controls. The CAE will base the audit plan and allocate audit resources according to the IT areas and issues that merit attention due to their inherent levels of risk. Risk analysis and assessment cannot be viewed as a one-time process, especially when applied to IT, because technology changes constantly and rapidly, as do the associated risks and threats. Categorizing IT controls according to their organizational placement, purpose, and functionality is useful in assessing their value and adequacy, as well as the adequacy of the system of internal controls. Knowledge of the range of available IT controls, the driving forces for controls, and organizational roles and responsibilities allows for comprehensive risk analysis and assessments. In assessing control effectiveness, it is also useful to understand whether the controls are mandated or voluntary, discretionary or nondiscretionary, manual or automated, primary or secondary, and subject to management override.

Finally, the assessment of IT controls involves selecting key controls for testing, evaluating test results, and determining whether or not evidence indicates any significant control weaknesses. The checklist in Appendix H can help the CAE ensure all relevant issues have been considered when planning and directing internal audit assessments of IT controls. Several existing frameworks and approaches can assist the CAE and other managers when determining IT control requirements. However, organizations should investigate enough frameworks to determine which one best fits their own needs and culture. A partial list of available frameworks is provided in Appendix D (see page 29).

The COSO Internal Control – Integrated Framework (1992) is accepted by the U.S. Public Company Accounting Oversight Board (PCAOB) for the purpose of reporting compliance with financial reporting provisions, but it is not specific to all areas of IT. This framework is considered to be a "suitable, recognized" framework to adopt for Sarbanes-Oxley compliance because it covers all areas of IT implementation, albeit at a high level of abstraction. (See Figure 5, COSO Model for Technology Controls, page 18.)

GTAG — Monitoring and Techniques — 9

COSO Model for Technology Controls

Monitoring
• Monthly metrics from technology performance
• Technology cost and control performance analysis
• Periodic technology management assessments
• Internal audit of technology enterprise
• Internal audit of high risk areas

Control Activities
• Review board for change management
• Comparison of technology initiatives to plan and return on investment
• Documentation and approval of IT plans and systems architecture
• Compliance with information and physical security standards
• Adherence to business continuity risk assessment
• Technology standards compliance enforcement

Information and Communication
• Periodic corporate communications (intranet, e-mail, meetings, mailings)
• Ongoing technology awareness of best practices
• IT performance survey
• IT and security training
• Help desk ongoing issue resolution

Risk Assessment
• IT risks included in overall corporate risk assessment
• IT integrated into business risk assessments
• Differentiate IT controls for high risk business areas/functions
• IT internal audit assessment
• IT insurance assessment

Control Environment
• Tone from the top – IT and security controls considered important
• Overall technology policy and information security policy
• Corporate Technology Governance Committee
• Technology Architecture and Standards Committee
• Full representation of all business units

Figure 5 – COSO Model for Technology Controls

9.2 Monitoring IT Controls

Determining where to apply control monitoring and assessment, and their frequency, is not easy. Participation by the auditor in risk analysis exercises and implementation of a suitable control framework help ensure that the CAE has sufficient information to create a suitable audit plan to address the major IT risks.

Ultimately, management is responsible for monitoring and assessing controls. The auditor's monitoring and assessments are performed to independently attest to management's assertions regarding the adequacy of controls. Management's control monitoring and assessment activities should be planned and conducted within several categories, as follows:

9.2.1 Ongoing Monitoring

• Daily/Periodic – Some information must be checked daily to ensure controls are working as required. Management normally performs such monitoring, which traditionally involves checking data-processing control reports to reconcile satisfactory task and job completion. Such controls, where they exist, are most often automated. The CAE will ensure such management monitoring is in place and that it is subjected to internal audit assessment.

• Event-driven – Discrepancies or even frauds may result within normal processing or in special circumstances, such as where there are large-value transactions. In many IT environments, malicious attacks are likely. Consequently, specific controls should be in place to detect and report unusual activities to an entity within the organization that is chartered specifically to investigate and determine if preventive or corrective actions should be applied. Such monitoring controls are complementary to the normal controls employed and provide assurance on the effectiveness of those controls, or early warning that they may have been breached.

• Continuous – Technology now provides the ability to monitor and assess certain sensitive controls continuously. A good example of continuous monitoring is the use of intrusion detection software, which continually monitors network traffic for evidence that other protective controls, such as firewalls and virus protection, may have been breached.
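As an added example (not from the GTAG or any real system) of the daily/periodic and event-driven monitoring described in 9.2.1, the Python below reconciles a constructed nightly control report against the expected job schedule and flags constructed payment records that should go to the investigating function; the record formats, job names, user names, and threshold are all assumptions made for the illustration.

```python
"""Added example of the daily/periodic and event-driven monitoring in 9.2.1.
The control-report and transaction formats, job names, thresholds and all
records below are constructed for this illustration, not taken from the GTAG."""

# Constructed nightly batch control report: date, job, status, records processed.
CONTROL_REPORT = """\
2024-03-01 GL_POST OK 18342
2024-03-01 AP_PAY OK 912
2024-03-01 AR_RECON FAILED 0
2024-03-01 PAYROLL OK 2210
"""

# Jobs management expects to see completed every night (constructed schedule).
EXPECTED_JOBS = ("GL_POST", "AP_PAY", "AR_RECON", "PAYROLL", "BACKUP")


def reconcile_control_report(report: str, expected_jobs) -> list:
    """Daily/periodic monitoring: reconcile the control report against the job
    schedule.  Returns exceptions for management follow-up: a job that failed,
    and a job that never reported at all (a silent omission is still a failure)."""
    status_by_job = {}
    for line in report.strip().splitlines():
        _date, job, status, _count = line.split()
        status_by_job[job] = status
    exceptions = []
    for job in expected_jobs:
        status = status_by_job.get(job)
        if status is None:
            exceptions.append(f"{job}: not present in control report")
        elif status != "OK":
            exceptions.append(f"{job}: status {status}")
    return exceptions


# Constructed payment records: id, initiating user, amount, approving user.
TRANSACTIONS = """\
T1001 user=alice amount=1200.00 approver=bob
T1002 user=carol amount=250000.00 approver=carol
T1003 user=dave amount=98000.00 approver=erin
T1004 user=alice amount=510000.00 approver=
"""

LARGE_VALUE_THRESHOLD = 100_000.00  # assumed escalation threshold for this example


def event_driven_exceptions(records: str, threshold: float) -> dict:
    """Event-driven monitoring: report transactions that need investigation.
    Flags large-value transactions, transactions with no recorded approval, and
    self-approved transactions (the control override the ethics sidebar warns of).
    Returns {transaction id: [reasons]} for the investigating function."""
    flagged = {}
    for line in records.strip().splitlines():
        txid, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        amount = float(kv["amount"])
        reasons = []
        if amount >= threshold:
            reasons.append("large-value transaction")
        if not kv["approver"]:
            reasons.append("no approver recorded")
        elif kv["approver"] == kv["user"]:
            reasons.append("self-approved (approval control overridden)")
        if reasons:
            flagged[txid] = reasons
    return flagged


if __name__ == "__main__":
    for exc in reconcile_control_report(CONTROL_REPORT, EXPECTED_JOBS):
        print("control report exception:", exc)
    for txid, reasons in event_driven_exceptions(TRANSACTIONS, LARGE_VALUE_THRESHOLD).items():
        print("investigate", txid, "-", "; ".join(reasons))
```

Both checks produce an exception list rather than a pass/fail, so the retained output doubles as the management trail that 8.4 asks for.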

9.2.2 Special Reviews

• Annual (or quarterly) control assessment – Sarbanes-Oxley legislation in the United States requires cyclical control assessments. Although the board of directors is required to make statements regarding the effectiveness of internal controls, management actually must provide the assurances to the board, and the internal and external auditors must perform sufficient audit work to attest to these assurances.

• Audit reviews – A regular program of audit reviews is still necessary despite the proliferation of new audit approaches. It is only through the formal review of infrastructure, process, and technology implementation that the CAE can assess the overall reliability and robustness of the system of internal controls. In the past, such reviews were planned on a cyclical basis. However, given the fast-changing world of IT, audit reviews should now be scheduled based on the level of risk.


Suitable Recognized Framework

"… the framework on which management's assessment of the issuer's internal control over financial reporting is based must be a suitable, recognized control framework that is established by a body or group that has followed due-process procedures, including the distribution of the framework for public comment. By far the best-known framework that meets that definition is the framework designed by The Committee of Sponsoring Organizations of the Treadway Commission, otherwise known as the COSO report, which was published in 1992."

— Scott A. Taub, Deputy Chief Accountant, U.S. Securities and Exchange Commission (SEC), SEC and Financial Reporting Conference, Pasadena, California, May 29, 2003

GTAG — Assessment — 10

10.1 What Audit Methodology to Use

A lot has changed in the 40 years that IT auditing has existed. Technology components have become smaller, faster, and cheaper, even as overall IT costs to the organization have increased significantly. The majority of business processes have been automated, typically to provide efficiencies but also to enable certain business processes that cannot be performed manually. Ubiquitous network communications, including the Internet, have eliminated any distinction between business and electronic business.

The audit process similarly has evolved to match the automation of business processes. In the early days of automation, auditors “audited around the computer.” Now they use software routinely to test or analyze data and technical controls within systems.

A widely used audit approach involves operational analysis of the processing of important business transactions by automated systems. In such audits, the auditor identifies activities and information subject to control and assesses the ability of existing controls to provide reliable protection — including sufficient evidence of the reliability of controls. Because operational audits of automated business processes frequently identify internal control deficiencies, internal auditors may sometimes shift their attention to audits of — or even involvement in — the processes whereby business activities are automated, such as systems design, development and acquisition, implementation, and maintenance.

Experienced auditors develop extensive knowledge of internal controls and their strengths and weaknesses. Therefore, it is not uncommon for internal auditors to provide consulting services to the management responsible for designing and implementing internal controls. The scope and limitations on such consulting activity are prescribed in the International Standards for the Professional Practice of Internal Auditing (see http://www.theiia.org/guidance/standards-and-practices). However, internal auditor involvement in design, development, or implementation activities does not absolve management from responsibility for those activities.

Today, no specific audit methodologies can be regarded as the sole current best practice. Internal auditors adopt the methods and practices that best suit the work needed. For example:

• When performing an assessment against Sarbanes-Oxley requirements, a systems-based audit approach may be the best method.

• Fraud investigations may require the use of audit software to analyze data and look for evidence. Audit software provides strong analytical capability plus the ability to examine all relevant records and files.

• Performing annual audit work in support of the main internal audit objectives will most likely follow a risk-based approach.

10.2 Testing IT Controls and Continuous Assurance

In addition to assessing the adequacy of IT control mechanisms, regular reviews should be performed to ensure that controls continue to function as required. A traditional method used by internal auditors is to create a population of test data that can be processed through the business systems to check the results, to ensure, for example, that controls continue to accept valid data and reject incorrect and invalid items. However, given the widespread, complex, and interactive nature of business systems today, audit testing tends to focus more specifically on key automated controls and analysis of the data.

10.2.1 Automated Continuous Monitoring

Continuous monitoring and audit tools have been used for many years. Previously called embedded audit software, program code in business systems checks data being processed against predetermined criteria and reports anomalies it detects. The benefit of such monitoring is obvious: any discrepancies can be identified and acted upon immediately. Many proprietary business software products now provide such continuous monitoring functionality. The concept has also gone beyond business applications. For example, most firewall products and intrusion detection systems continuously check for potential attack scenarios and provide instant alerts when potential attacks are detected. This type of monitoring can cause problems due to the considerable volume of data and potential errors that are highlighted, not all of which will be worthy of attention. The task of refining the analysis techniques and monitoring thresholds requires constant vigilance to determine which alerts to highlight and which to accept as normal events.

How Auditing Contributes to IT Controls

During the past four decades, there have been periods of reflection when management and auditors agreed the auditors could add value to the organization by contributing their controls expertise to development processes, to ensure appropriate controls were incorporated into new systems rather than adding controls after an audit revealed a deficiency. These activities coincided with the developments in control and risk self-assessment in the mainstream audit world. Audit consulting and risk-based auditing became widespread. The 1990s and beyond also saw dramatic increases in attention to information security management as cyber attacks increased in number and severity. These events have helped shape the role of the IT auditor as well as the business world's recognition of the importance of effective information security management.

10.2.2 Automated Internal Control Analysis Tools

Audit software can be used to analyze stored data and check its validity to ensure the continuous, reliable operation of internal controls. Originally designated audit interrogation software, products such as ACL (www.acl.com) or CaseWare IDEA (www.caseware.com) now provide sophisticated features and specific analysis that can reduce the control assessment workload while increasing effectiveness and efficiency. Spreadsheet products like Microsoft Excel also contain powerful analysis tools auditors may use.
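As an added example that is not part of the GTAG or any vendor's product, the following Python sketches the three techniques just described: the test-data run of 10.2 (valid items must be accepted, invalid ones rejected), an embedded monitoring check of the kind 10.2.1 describes (predetermined criteria applied to each journal entry, with a threshold whose setting changes the alert volume), and the stored-data analysis of 10.2.2 (a duplicate-payment check across the whole batch). The entry format, criteria, limits and sample entries are all constructed here for illustration.

```python
# Added example (not from the GTAG): an embedded monitoring check plus a
# test-data run over a constructed batch of journal entries. The entry
# format, criteria, thresholds and sample data are all constructed.
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Entry:
    """One journal entry as an embedded check would see it (constructed format)."""
    entry_id: str
    posted_at: datetime
    amount: float
    vendor: str
    created_by: str
    approved_by: str


# Predetermined criteria (constructed): a single-approver limit and normal hours.
APPROVAL_LIMIT = 10_000.0
WORK_HOURS = range(7, 20)  # 07:00 to 19:59 on a weekday counts as normal


def check_entry(entry: Entry, limit: float = APPROVAL_LIMIT) -> list[str]:
    """Return the criteria one entry violates; an empty list means it passes."""
    findings = []
    if entry.amount <= 0:
        findings.append("non-positive amount")
    if entry.amount > limit:
        findings.append(f"amount exceeds approval limit of {limit:,.0f}")
    if entry.created_by == entry.approved_by:
        findings.append("creator approved own entry (segregation of duties)")
    if entry.posted_at.weekday() >= 5 or entry.posted_at.hour not in WORK_HOURS:
        findings.append("posted outside normal working hours")
    return findings


def _dup_key(entry: Entry) -> tuple:
    # Two payments to the same vendor for the same amount on the same day.
    return (entry.vendor, round(entry.amount, 2), entry.posted_at.date())


def monitor(entries: list[Entry], limit: float = APPROVAL_LIMIT) -> dict[str, list[str]]:
    """Continuous-monitoring pass: per-entry criteria plus a cross-entry
    duplicate-payment check over the stored batch. Returns {entry_id: findings}
    for flagged entries only. Lowering `limit` raises the alert volume, which is
    the threshold-tuning problem described in 10.2.1."""
    alerts: dict[str, list[str]] = {}
    for entry in entries:
        findings = check_entry(entry, limit)
        if findings:
            alerts[entry.entry_id] = findings
    counts = Counter(_dup_key(e) for e in entries)
    for entry in entries:
        if counts[_dup_key(entry)] > 1:
            alerts.setdefault(entry.entry_id, []).append("possible duplicate payment")
    return alerts


def run_test_data(valid: list[Entry], invalid: list[Entry],
                  limit: float = APPROVAL_LIMIT) -> tuple[list[str], list[str]]:
    """Test-data approach: the control must accept every valid item and reject
    every invalid one. Returns (wrongly rejected ids, wrongly accepted ids);
    two empty lists mean the control still behaves as designed."""
    wrongly_rejected = [e.entry_id for e in valid if check_entry(e, limit)]
    wrongly_accepted = [e.entry_id for e in invalid if not check_entry(e, limit)]
    return wrongly_rejected, wrongly_accepted


def _ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


# Constructed sample batch (not real data). 2005-03-14 is a Monday, 03-19 a Saturday.
SAMPLE = [
    Entry("J1", _ts("2005-03-14 09:15"), 2500.00, "Acme Ltd", "alice", "bob"),
    Entry("J2", _ts("2005-03-14 10:02"), 2500.00, "Acme Ltd", "alice", "bob"),   # repeat of J1
    Entry("J3", _ts("2005-03-14 23:40"), 12000.00, "Globex", "carol", "carol"),  # fails 3 criteria
    Entry("J4", _ts("2005-03-15 14:30"), 800.00, "Initech", "dave", "erin"),     # clean
    Entry("J5", _ts("2005-03-19 11:00"), 300.00, "Initech", "dave", "erin"),     # weekend posting
]

if __name__ == "__main__":
    for entry_id, findings in sorted(monitor(SAMPLE).items()):
        print(entry_id, "->", "; ".join(findings))
    print("alerts at limit 10,000:", len(monitor(SAMPLE)))
    print("alerts at limit 500:   ", len(monitor(SAMPLE, limit=500.0)))
    print("test-data run (J4 valid, J3 invalid):", run_test_data([SAMPLE[3]], [SAMPLE[2]]))
```

With the constructed batch, four of five entries are flagged at the 10,000 limit and all five at a 500 limit; the clean entry J4 is what distinguishes a well-tuned threshold from one that buries real exceptions in noise.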

10.2.3 Automated Risk Analysis

Tools also are available for automating the risk analysis process. These tools are invaluable to the entire internal audit function, not just the IT auditor or risk specialist. Performing a proper risk analysis in today's complex IT environments is not easy without the assistance of automated tools.

Management is responsible for performing risk assessments to determine the controls to implement or improve. Internal auditors perform similar analysis when assessing the adequacy of controls for audit plan and scope purposes. Automated tools can assist both processes. The automation of internal audit management is a major topic in its own right.

10.3 Audit Committee/Management/Audit Interfaces

It is impractical to establish rules for reporting on every special IT control situation. The CAE must apply prudent judgment when expressing an opinion or submitting a report to the audit committee. This is no different from the way the CAE interacts with the audit committee regarding other internal control issues.

The CAE will discuss internal control issues with the audit committee to determine the optimum level of information to be provided to enable the audit committee to achieve its statutory, regulatory, policy, due care, or other governance obligations.

“Metrics and reporting” and “audit report summaries” are two areas where the CAE should interact with the audit committee regarding internal controls. Further interactions will depend on the needs of the specific audit committee and any legislative or regulatory requirements.

Metrics and reporting: Metrics and reports must present meaningful information on the status of IT controls. While management provides the metrics and reporting, the CAE should be able to attest to their validity and opine on their value. This is accomplished through audit examination of the relevant control areas to produce an independent and objective assessment. The CAE should liaise with management at all levels and with the audit committee to agree on the validity and effectiveness of the metrics and assurances chosen for reporting.

A basic set of governance and management metrics for information security is included in Appendix G (see page 40). These metrics do not include specific data regarding the operation of detailed technical controls, although the technical controls may provide the information used in measurement. The actual metrics used will depend on the organization and the needs of the audit committee. The CAE can select examples of measurements taken at any level of the organization to help illustrate matters that can impact controls at the governance level materially.

Audit report summaries: Prepared on a regular basis for the audit committee, these reports summarize findings, conclusions, and opinions regarding the status of IT controls. They also can report on the agreed-upon actions from prior audit reports and the status of those actions — probably on an exception basis for actions not taken within the designated time frame. IT controls summaries cannot be presented in isolation but should be presented in the context of the entire internal control framework.

The frequency of reporting depends on the organization's needs. In a strong regulatory environment, such as provided by Sarbanes-Oxley in the United States, quarterly reporting is required. Otherwise, the frequency of reporting will be driven by the organization's governance framework and philosophy and the extent to which IT risks exist.

Figure 6 – Audit Interfaces

GTAG — Conclusion — 11

Assessing IT controls is an ongoing process because business processes are constantly changing, technology continues to advance, threats evolve as new vulnerabilities emerge, and audit methods keep improving. The CAE should keep assessments of IT controls that support business objectives near the top of the audit agenda.

Assessing IT controls is not a case of determining whether best practices are employed, as controls are specific to the organization's mission, objectives, culture, deployed processes and technologies, and risks. Technology should be tailored to provide effective control, and the CAE should ensure internal auditing adopts appropriate and effective methods. Auditing IT is a continuous learning process.

The CAE is rarely in a position to understand all the technologies used in his or her environment and their specific control implications. That is why properly certified and experienced IT auditors are a major asset for any internal audit function. However, the CAE should understand the overall control issues and be able to communicate them to senior management and to appropriate committees of the board of directors in a form they will understand and in a manner that will result in an appropriate response. The key to assessing IT controls effectively is communication with technical staff, management, and board members.


GTAG — Appendix A — Information Security Program Elements — 12

Note: This appendix is extracted from the report of the Best Practices and Metrics team of the Corporate Information Security Working Group (CISWG), as provided on November 17, 2004, to the Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census, Government Reform Committee, U.S. House of Representatives, and subsequently amended on January 10, 2005. Additional information may be obtained from the “Technology” section of http://www.theiia.org.

12.1 Governance (Board of Directors)

• Oversee risk management and compliance programs pertaining to information security (e.g., Sarbanes-Oxley, Health Insurance Portability and Accountability Act, Gramm-Leach-Bliley Act)

• Approve and adopt broad information security program principles and approve assignment of key managers responsible for information security

• Strive to protect the interests of all stakeholders dependent on information security

• Review information security policies regarding strategic partners and other third parties

• Strive to ensure business continuity

• Review provisions for internal and external audits of the information security program

• Collaborate with management to specify the information security metrics to be reported to the board

12.2 Management

• Establish information security management policies and controls and monitor compliance

• Assign information security roles, responsibilities, and required skills, and enforce role-based information access privileges

• Assess information risks, establish risk thresholds, and actively manage risk mitigation

• Ensure implementation of information security requirements for strategic partners and other third parties

• Identify and classify information assets

• Implement and test business continuity plans

• Approve information systems architecture during acquisition, development, operations, and maintenance

• Protect the physical environment

• Ensure internal and external audits of the information security program, with timely follow-up

• Collaborate with security staff to specify the information security metrics to be reported to management

12.3 Technical

Establishing a complete information security program requires attention to the following technical program elements:

• User identification and authentication

• User account management

• User privileges

• Configuration management

• Event and activity logging and monitoring

• Communications, e-mail, and remote access security

• Malicious code protection, including viruses, worms, and trojans

• Software change management, including patching

• Firewalls

• Data encryption

• Backup and recovery

• Incident and vulnerability detection and response

• Collaboration with management to specify the technical metrics to be reported to management


GTAG — Appendix B — Compliance With Laws and Regulations and Guidance on Compliance Implementation — 13

There is an increasing volume of legislation impacting on the internal control framework that organizations choose to implement. Although much of this legislation has emerged over recent years in the United States as a result of various corporate scandals, it has impacted organizations in other countries as well. Organizations should be aware of the relevant legislation, regulation, and business practices around the world — particularly in all countries in which they do business — to assess the organizational impacts and requirements.

For example, data protection legislation in Europe inhibits the transfer of information across borders to countries that do not have comparable data-protection regulation in place. This impacts trading relationships where the information to be transferred refers to identifiable individuals. Sarbanes-Oxley contains requirements for reporting on the system of internal controls for all organizations publicly traded in the United States, as well as their foreign subsidiaries.

This appendix provides a summary of requirements and the impact of some of the major legislation and regulation that should be considered in assessing and managing IT controls. Although this GTAG is aimed at a global audience, it covers Sarbanes-Oxley in some depth because it is one of the most significant pieces of legislation to emerge in recent years. The Organisation for Economic Co-operation and Development (OECD) Corporate Governance Principles provide a general framework for the implementation of business controls. The Basel II Accords have a major impact on the international financial sector, and many have suggested Basel II guidance may also influence other sectors.

13.1 U.S. Sarbanes-Oxley Act of 2002

Sarbanes-Oxley (http://www.theiia.org/iia/guidance/issues/sarbanes-oxley.pdf) was intended to reform public accounting practices and other corporate governance processes and shore up the capital markets in the wake of the Enron and WorldCom corporate governance scandals. The PCAOB provides a comprehensive collection of information and advice on Sarbanes-Oxley at its Web site (http://www.sarbanes-oxley.com). The key requirements of Sarbanes-Oxley, the SEC, and U.S. stock listing exchanges are fully compared and contrasted in an IIA Research Foundation analysis titled “Assessment Guide for U.S. Legislative, Regulatory, and Listing Exchanges Requirements Affecting Internal Auditing” (www.theiia.org/iia/download.cfm?file=519).

However, Sarbanes-Oxley does not address the issue of IT controls specifically. This does not mean IT can be ignored when performing the compliance reviews required by the act. The act is neutral with regard to technology, but the implication is clear that IT controls are critical to an organization's overall system of internal controls. As IT controls address the secure, stable, and reliable performance of hardware, software, and personnel to ensure the reliability of financial applications, processes, and reporting, they must be a significant element of compliance reviews.

Some key IT control areas have been interpreted as not being incorporated in Sarbanes-Oxley compliance. These include privacy, business continuity, business systems, data classification, and information not specific to financial processing and reporting. Therefore, any audit specifically limited to Sarbanes-Oxley compliance will not assess all the risks faced by the organization and must be supplemented to ensure full audit coverage of the organization's risk management and internal controls.

Tools and resources for corporate governance initiatives and current legislation can be found on The IIA's Web site at http://www.theiia.org/iia/index.cfm?doc_id=4061.

13.1.1 Sarbanes-Oxley Sections Relevant to IT Controls

The following briefly describes the sections of Sarbanes-Oxley that relate to auditors and IT controls.

13.1.1.1 Sections 103 and 802

These sections establish rules for the public accounting firm relating to the audit and report. In particular, they require the board to establish standards for the audit work. They also require auditors to test the internal control structures and attest to the strength of those structures. This review must include a thorough examination of the IT controls that are fundamental to the system of internal control over financial reporting.

One specific requirement relates to the retention of records “that in reasonable detail accurately and fairly reflect the transactions and dispositions of the assets.” Again, this is influenced greatly by the way in which IT records are maintained and retained.

13.1.1.2 Section 201

This section requires that external auditors be independent. This precludes them from performing work for a client in the capacity of IT consultants or providing outsourced internal audit services. Organizations that do not wish to employ their own IT auditors cannot outsource the work to their external auditors.

13.1.1.3 Section 301

Section 301 defines the need for audit committee members to be independent and precludes them from performing any other consulting work on behalf of the organization. It also requires audit committees to establish procedures to handle “confidential, anonymous submission by employees of the issuer of concerns regarding questionable accounting or auditing matters” (whistle-blower complaints). This would also relate to any issues arising from the control of IT.

13.1.1.4 Sections 302 and 404

Section 302 of the act requires the CEO and CFO — who are responsible for financial information and the system of internal controls — to evaluate the system of internal controls every 90 days and report on their conclusions and any changes.

They must disclose:

• “All significant deficiencies in the design or operation of internal controls that could adversely affect the issuer's ability to record, process, summarize, and report financial data and identify for the issuer's auditors any material weaknesses in internal controls.”

• “Any fraud, whether or not material, that involves management or other employees who have a significant role in the issuer's internal controls.”

Section 404 requires the CEO and CFO to produce an annual audit report that:

• Assesses the effectiveness of the internal control structure over financial reporting

• Discloses all known internal control weaknesses

• Discloses all known frauds

This report will cover all applicable IT controls, including program logic and related change controls, access controls, and data protection. The PCAOB Auditing Standard No. 2 suggests the COSO Internal Control – Integrated Framework as a basis for Section 404 compliance management. References to Statement of Auditing Standards (SAS) 95 also emphasize the importance of IT and information security controls to Sarbanes-Oxley.

13.1.1.5 Section 409

Section 409 requires organizations to disclose any material changes to operations in real time and in plain English. Some contend these requirements establish a foundation or need for continuous monitoring, auditing, and assurance processes to become part of significant internal control processes.

13.2 Basel II Accord

The Basel II Accord is a global regulatory treaty that defines the global standards for enterprisewide risk management practices in the financial sector, with the intent to mitigate risks of losses in the industry. The focus is on the banking sector, but there is a clear intent to harmonize standards across all segments of the industry. All areas of bank operations are included — people, processes, systems, governance, and supplier management.

A bank willing to qualify for the Advanced Measurement Approach (AMA) under the Operational Risk (OR) Treaty must implement best practice in operations and risk management. For risk management, this means:

• Senior management is actively involved

• The bank has an OR management system, processes, policies, and procedures enterprisewide

• The bank has the right governance and sufficient resources to manage operational risks

• The bank has an OR management function that is responsible for:

  – Designing and implementing the OR management framework

  – Codifying policies, procedures, and controls

  – Designing and implementing an OR measurement methodology

  – Designing and implementing an OR management reporting system

  – Developing strategies to identify, measure, monitor, and control or mitigate OR

• An OR measurement system is closely integrated into the day-to-day risk management process

• The OR exposures and loss experiences are regularly reported

• The OR management system is documented

• Internal and external auditors regularly review the OR management processes and measurement system

Key to success in OR management is an information system that supports OR exposure self-assessment, allows process mapping, consists of an OR loss database and reporting function, and entails an action-plan management function.

The Basel Committee does not specify the approach or distributional assumptions to be used to generate the OR measure for regulatory capital purposes. However, the framework allows for three basic approaches that essentially are dependent on the quality and quantity of risk management data. Whereas using more data and historical metrics to prove good performance may allow banks to maintain less capital reserves and to quantify OR, the banks must be able to demonstrate that their approaches capture potentially severe “tail” loss events (severe unexpected losses). Moreover, consistency with the scope of OR as defined by the Basel Committee is required.

First, a bank's organization-wide risk assessment methodologies must capture key business environmental and internal control factors that can change its OR profile. In addition, the bank should have a process for assessing overall capital adequacy.

Next, the risk measurement system must be granular enough to capture the tails of the loss estimates. Banks are expected to use expert opinion in conjunction with external data for scenario analysis to evaluate their exposure to high-severity events. Because a bank does not have enough of its own data in the area of high-impact, low-frequency risks, it must acquire data from an external provider such as Zurich-based ORX, Global Operational Loss Database (GOLD), or MORE Exchange.

The banks must have a credible, transparent, well-documented, and verifiable approach for weighting these fundamental elements in their overall OR measurement system. There are additional prerequisites to qualify for the AMA:

• Internal loss and performance data — successes, near misses, and failures — all must be tracked and accounted for (reconciled to the books of the bank)

• Internal loss data must be linked to the bank's current business activities

• An observation period of at least five years is required for internal loss data, with a minimum of three years necessary when moving to AMA

• According to the internal loss collection process:

  – OR losses related to credit risk and historically included in banks' credit risk databases continue to be treated as credit risk for the purpose of calculating minimum regulatory capital under this framework. Such losses should be flagged separately.

  – OR losses related to market risk are treated as OR for the purposes of calculating minimum regulatory capital under this framework and are subject to the OR capital charge.

• The OR measurement system must use relevant external data

Third, Basel II disclosure requires banks to describe their risk management objectives and policies for each separate risk area, including:

• Strategies and processes

• Structure and organization of the risk management function

• Scope and nature of risk reporting

• Policies for hedging and mitigating risks (including operations)

Note: The BITS Key Risk Measurement Tool for Information Security Operational Risks, or “BITS Kalculator” (http://www.bitsinfo.org/bitskalculatorjuly04.pdf), is a tool financial institutions of all sizes can use to evaluate critical information security risks to their businesses. It can be downloaded at no cost from the BITS Web site (http://www.bitsinfo.org/wp.html).

13.3 Data Protection

The concept of data protection was developed when computerization issues were raised at United Nations and OECD conferences in the late 1960s. The first national law was enacted in 1974 in Sweden, and the OECD published its Data Protection Guidelines in 1980 (OECD C (80) 58 final). Regional bodies like the Council of Europe (Data Protection Convention 108, 1981, human rights-based) and the European Commission (EC) (Directive 95/46/EC, consumer protection-oriented) have enacted binding frameworks for implementation in their member states. Depending on their legal system, many countries around the globe have constitutional provisions and omnibus laws or a broad spectrum of sector regulations for data protection. To bridge the differences in U.S. and European Union (EU) privacy regulations, the EC and the U.S. Department of Commerce developed a safe harbor framework for U.S. companies. The safe harbor is a framework agreement consisting of seven principles and a series of frequently asked questions. (See also http://www.was4.hewitt.com/hewitt/resource/legislative_updates/europe/eu_data1.htm.)

The EU legislation requires organizations to protect the personal information of individuals. The legislation also mandates that appropriate technical measures be taken to ensure the security of personal data, whether electronic or manual. Further information regarding data protection can be found at the Electronic Privacy Information Center (EPIC) (http://www.epic.org), Privacy International (http://www.privacyinternational.org), and the UK Office of the Information Commissioner (http://www.informationcommissioner.gov.uk).

13.4 The U.S. Gramm-Leach-Bliley Act (GLBA) – The Financial Modernization Act of 1999

The GLBA was introduced to protect the privacy of customer information in the financial sector, but it extends beyond financial companies. Any company that handles non-public financial customer information may be held accountable under this law, depending on the circumstances. More information is available from EPIC (http://www.epic.org/privacy/glba) and the U.S. Federal Trade Commission (http://www.ftc.gov/bcp/conline/pubs/buspubs/glblong.shtm#whois).

13.5 U.S. Health Insurance Portability and Accountability Act (HIPAA), 1996

HIPAA contains requirements for the privacy of personal information and for information security. The law applies to U.S.-based companies in the health care sector but can also pertain to any company that provides health care benefits to employees, depending on the circumstances. Further details can be found at http://www.hipaa.org.

13.6 California Security Breach Information Act, Civil Code Sections 1798.29 and 1798.82 (Frequently Referenced by the Bill – CA SB 1386)

California's State Bill 1386 amended the Information Practices Act of 1977 of the California Civil Code to create a sweeping regulation that mandates public disclosure of computer-security breaches in which confidential information of any California resident may have been compromised. Every enterprise — public or private — doing business with California residents is potentially affected. Confidential information covered by the law includes Social Security numbers, California driver's license numbers, account numbers, and credit or debit card numbers. A more detailed article on this regulation can be found at http://www.theiia.org/itaudit/index.cfm?fuseaction=forum&fid=5501. Although case law for this legislation is not cited here, some discussions on the subject have indicated the courts may not view an organization's statement favorably if it treats its California customers differently from its other customers.


13.7 Global National Regulations

Many countries have national regulations covering internal control, including Germany (KonTraG, risk management requirement) and France (LSF, internal control reporting requirement). In addition, external auditors may be required to certify the adequacy of financial reporting mechanisms and controls. Although most of these regulations do not address IT directly, they imply the need for an adequately controlled IT infrastructure. For this reason, many national bodies of the International Federation of Accountants (IFAC) provide detailed guidance for evaluating IT controls.

GTAG — Appendix C — Three Categories of IT Knowledge for Internal Auditors — 14

14.1 Auditor Knowledge Considerations

Standard 1210 – Proficiency of The IIA's Standards requires that the internal audit activity collectively should possess or obtain the knowledge, skills, and other competencies needed to perform its responsibilities.[4] Varying levels of IT knowledge are needed throughout the organization to provide a systematic, disciplined approach to evaluating and improving the effectiveness of risk management, control, and governance processes. Knowledge of how IT is used, the related risks, and the ability to use IT as a resource in the performance of audit work is essential for auditor effectiveness at all levels.

The IIA's International Advanced Technology Committee has identified three categories of IT knowledge for internal auditors:

14.1.1 Category 1 – All Auditors

Category 1 is the knowledge of IT needed by all professional auditors, from new recruits up through the CAE. Basic IT knowledge encompasses understanding concepts such as the differences in software used in applications, operating systems and systems software, and networks. It includes comprehending basic IT security and control components, such as perimeter defenses, intrusion detection, authentication, and application system controls. Basic knowledge includes understanding how business controls and assurance objectives can be impacted by vulnerabilities in business operations and the related and supporting systems, networks, and data components. It is fundamentally about ensuring that auditors have sufficient knowledge to focus on understanding IT risks without necessarily possessing significant technical knowledge.

14.1.2 Category 2 – Audit Supervisors

Category 2 applies to the supervisory level of auditing. In addition to having basic IT knowledge, audit supervisors must understand IT issues and elements sufficiently to address them in audit planning, testing, analysis, reporting, follow-up, and assigning auditor skills to the elements of audit projects. Essentially, the audit supervisor must:

• Understand the threats and vulnerabilities associated with automated business processes.

• Understand business controls and risk mitigation that should be provided by IT.

• Plan and supervise audit tasks to address IT-related vulnerabilities and controls, as well as the effectiveness of IT in providing controls for business applications and environments.

• Ensure the audit team has sufficient competence — including IT proficiency — for audits.

• Ensure the effective use of IT tools in audit assessments and testing.

• Approve plans and techniques for testing controls and information.

• Assess audit test results for evidence of IT vulnerabilities or control weaknesses.

• Analyze symptoms detected and relate them to causes that may have their sources in business or IT planning, execution, operations, change management, authentication, or other risk areas.

• Provide audit recommendations based on business assurance objectives appropriate to the sources of problems noted, rather than simply reporting on problems or errors detected.

14.1.3 Category 3 – Technical IT Audit Specialists

Category 3 applies to the technical IT audit specialist. Although IT auditors may function at the supervisory level, they must understand the underlying technologies supporting business components and be familiar with the threats and vulnerabilities associated with the technologies. IT auditors also may specialize in only certain areas of technology.

IIA programs and products are designed primarily to meet the information needs of the Category 1 and 2 auditor. The Category 1 auditor will seek IIA guidance in relating IT threats, vulnerabilities, and controls to business assurance objectives. IIA products also provide information that can be useful in explaining the business impacts of technical problems. In addition, IIA products can help Category 3 technical IT auditors gain proficiency in areas of technology with which they are not already familiar and in striving to reach supervisory or management audit competence.

The SANS Institute provides information security training and awards Global Information Assurance Certification (GIAC) relevant to information security professionals, including auditors. The course offerings and accompanying certifications match the growing demands of students, new threats, and new technologies. GIAC certifications (http://www.giac.org/subject_certs.php) are grouped by subject matter and level of difficulty. Some are full certifications that accompany five- to six-day training courses, while others are certificates related to one- to two-day courses. Certificates are less involved but more intensely focused than certifications.

Also of interest and benefit to all categories of IT auditor are the materials provided by the Information Systems Audit and Control Association (ISACA). ISACA offers standards, guidelines, and procedures for IT audit professionals; technical research focused on IT audit topics; the Certified Information Systems Auditor (CISA) certification, earned by more than 35,000 individuals worldwide; and publications, education, and conferences targeted to IT audit professionals.

[4] Note: The "Three Categories of IT Knowledge for Internal Auditors" document is not part of The IIA's Standards but is practical guidance provided by The IIA's International Advanced Technology Committee.

GTAG — Appendix D — Compliance Frameworks — 15

15.1 COSO

Formed in 1985, COSO is an independent, private-sector initiative that studied the factors that can lead to fraudulent financial reporting and developed recommendations for public companies and their independent auditors, the SEC and other regulators, and educational institutions. COSO produced the Internal Control – Integrated Framework (see Appendix E, page 36), a widely accepted tool for both management and auditors, in September 2004, and it published Enterprise Risk Management – Integrated Framework in fall 2004. Details of both frameworks can be found at http://www.coso.org.

15.2 CICA CoCo

The Canadian Institute of Chartered Accountants (CICA) produced the Criteria of Control Framework (CoCo) in 1992 to address public and institutional concerns that the traditional view of control was no longer effective in preventing corporate failures. The mission of CoCo is to improve organizational performance and decision making through better understanding of control, risk, and governance. Moreover, the framework provides a basis for making judgments about the effectiveness of control.

In 1995, Guidance on Control was produced, which describes the CoCo framework and defines control in a way that goes beyond the traditional internal control over financial reporting. The CoCo model is a way of focusing on the future of an organization to ensure it is in control by having a clear sense of shared purpose, collective commitment to achieve that purpose, the resources it needs to do the job, and the ability to learn from experience.

15.3 CICA IT Control Guidelines

The IT Control Guidelines, published by the CICA, is a reference source for evaluating IT controls. It is organized in a manner that is easy to use and written in straightforward business language.

15.4 ITGI Control Objectives for Information and Related Technology (CobiT)

Established in 1998, the IT Governance Institute (ITGI) provides guidance on current and future issues related to IT governance, security, and assurance. The ITGI's leading guidance publication is Control Objectives for Information Technology (CobiT) (see Appendix F). ITGI's CobiT provides a reference framework and common language across the entire information systems life cycle for IS and business leaders and IS audit, control, and security practitioners. CobiT is one of the most popular and internationally accepted sets of guidance materials for IT governance.

15.5 ISO 17799 (Code of Practice for Information Security Management)

ISO/IEC 17799:2000(E), promulgated by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), defines information security principles that ultimately can provide assurance to trading partners and regulators that an organization's information is protected properly. Derived from the British Standards Institution's BS 7799 standard, the Code of Practice for Information Security Management is built around specific security elements required within 10 areas, including physical and environmental security, communication and operational management, and access control. Although, as a code of practice, ISO/IEC 17799:2000 provides guidance and recommendations, it is not intended to be a specification, and care should be taken to ensure that claims of compliance are not misleading.

The original BS 7799 standard has two parts:

• Part 1 is the Code of Practice and is identical to ISO/IEC 17799:2000.

• Part 2 is a specification for implementing an information security management system (ISMS).

To comply with BS 7799 Part 2 (BS 7799-2:2002), an organization's installed ISMS must conform to the set of requirements described in the standard, which are in the form of "shall" statements. Third-party bodies have been accredited to certify or register organizations to BS 7799-2:2002.

15.5.1 What Is Information Security?

BS 7799 treats information as an asset which, like other important business assets, has value to an organization and consequently needs to be protected. Information security protects information from a wide range of threats to ensure business continuity, minimize business damage, and maximize return on investments and business opportunities.

Information can exist in many forms: printed or written on paper, stored electronically, transmitted by post or using electronic means, shown on films, or spoken in conversation. Whatever form the information takes, or means by which it is shared or stored, BS 7799 indicates that it always should be protected appropriately.

Information security is characterized within BS 7799 as the preservation of:

• Confidentiality – ensuring that information is accessible only to those authorized to have access.

• Integrity – safeguarding the accuracy and completeness of information and processing methods.

• Availability – ensuring that authorized users have access to information and associated assets when required.

Information security is achieved by implementing a suitable set of controls from BS 7799, which could be policies, practices, procedures, organizational structures, and software functions. These controls should be established to ensure the specific security objectives of the organization are met.

15.5.2 How to Establish Security Requirements

BS 7799 states that it is essential that an organization identify its security requirements. There are three main sources:

• Assessing risks to the organization. BS 7799 does not prescribe a methodology.

• The legal, statutory, regulatory, and contractual requirements that an organization, its trading partners, contractors, and service providers have to satisfy.

• The particular set of principles, objectives, and requirements for information processing that an organization has developed to support its operations.

15.5.3 Assessing Security Risks

BS 7799 suggests that security requirements be identified by a methodical assessment of security risks. Expenditure on controls should be balanced against the business harm likely to result from security failures. The process of assessing risks and selecting controls may need to be performed a number of times to cover different parts of the organization or individual information systems, and it is important to review security risks and implemented controls periodically.

15.5.4 Selecting Controls

Once security requirements have been identified, controls from BS 7799 should be selected and implemented to ensure risks are reduced to an acceptable level. Controls should be selected based on the cost of implementation in relation to the risks being reduced and the potential losses if a security breach occurs. Nonmonetary factors, such as loss of reputation, should also be taken into account. For more information on BS 7799, see http://www.bs7799-iso17799.com.

15.5.5 Topics Addressed in BS 7799

1. Scope
2. Terms and definitions
3. Security policy
   3.1 Information security policy document
   3.2 Review and evaluation
4. Security organization
   4.1 Information security infrastructure
   4.2 Security of third-party access
   4.3 Outsourcing
5. Asset classification and control
   5.1 Accountability for assets
   5.2 Information classification
6. Personnel security
   6.1 Security in job definition and resourcing
   6.2 User training
   6.3 Responding to security incidents and malfunctions
7. Physical and environmental security
   7.1 Secure areas
   7.2 Equipment security
   7.3 General control
8. Communications and operations management
   8.1 Operational procedures and responsibilities
   8.2 System planning and acceptance
   8.3 Protection against malicious software
   8.4 Housekeeping
   8.5 Network management
   8.6 Media handling and security
   8.7 Exchanges of information and software
9. Access control
   9.1 Business requirement for access control
   9.2 User access management
   9.3 User responsibilities
   9.4 Network access control
   9.5 Operating system access control
   9.6 Application access control
   9.7 Monitoring system access and use
   9.8 Mobile computing and teleworking
10. Systems development and maintenance
   10.1 Security requirements of systems
   10.2 Security in application systems
   10.3 Cryptographic controls
   10.4 Security of system files
   10.5 Security in development and support processes
11. Business continuity management
   11.1 Business continuity management process
12. Compliance
   12.1 Compliance with legal requirements
   12.2 Reviews of security policy and technical compliance
   12.3 System audit considerations

15.6 ISF Standard of Good Practice for Information Security

The Information Security Forum (ISF) Standard of Good Practice for Information Security aims at managing the risks associated with every aspect of information systems, irrespective of an organization's market sector, size, or structure. The standard, prepared by ISF's global working groups, is a publicly available document split into five key areas: security management, critical business applications, computer installations, networks, and systems development. For more information and details, see http://www.isfsecuritystandard.com.

15.7 Generally Accepted Information Security Principles (GAISP)

The Generally Accepted Information Security Principles (GAISP) culls best practice from all other similar frameworks. Developed in 1991 as the Generally Accepted System Security Principles, GAISP provides a comprehensive hierarchy of guidance for securing information and supporting technology, including:

• Pervasive Principles – board-level guidance.

• Broad Functional Principles – designed for executive-level information management (exposure draft distributed September 1999).

• Detailed Principles – guidance for operational information security management (under development).

GAISP is now being developed by the Information Systems Security Association (ISSA) (http://www.issa.org), which can provide details.

15.7.1 Pervasive Principles

The Pervasive Principles address the confidentiality, integrity, and availability of information. They provide general guidance to establish and maintain the security of information and supporting technology.

• Accountability Principle – Information security accountability and responsibility must be defined clearly and acknowledged.
Rationale – Accountability characterizes the ability to audit the actions of all parties and processes that interact with information. Roles and responsibilities should be clearly defined, identified, and authorized at a level commensurate with the sensitivity and criticality of information. The relationship between all parties, processes, and information must be defined clearly, documented, and acknowledged by all parties. All parties must have responsibilities for which they are held accountable.

• Awareness Principle – All parties with a need to know — including but not limited to information owners and information security practitioners — should have access to available principles, standards, conventions, or mechanisms for securing information and information systems, and should be informed of applicable threats to the security of information.
Rationale – This principle applies between and within organizations. Awareness of information security principles, standards, conventions, and mechanisms enhances and enables controls and can help to mitigate threats. Awareness of threats and their significance also increases user acceptance of controls. Without awareness of the necessity for particular controls, users can pose a risk to information by ignoring, bypassing, or overcoming existing control mechanisms. The awareness principle applies to unauthorized and authorized parties.

• Ethics Principle – Information should be used, and information security should be administered, in an ethical manner.
Rationale – Information systems pervade our societies. Rules and expectations are evolving with regard to the appropriate provision and use of information systems and the security of information. Use of information and information systems should match the expectations established by social norms and obligations.

• Multidisciplinary Principle – Principles, standards, conventions, and mechanisms for securing information and information systems should address the considerations and viewpoints of all interested parties.
Rationale – Information security is achieved by the combined efforts of information owners, users, custodians, and information security personnel. Decisions made with due consideration of all relevant viewpoints and technical capabilities can enhance information security and receive better acceptance.

• Proportionality Principle – Information security controls should be proportionate to the risks of modification, denial of use, or disclosure of information.
Rationale – Security controls should be commensurate with the value and vulnerability of information assets. Consider the value, sensitivity, and criticality of the information, as well as the probability, frequency, and severity of direct and indirect harm or loss. This principle recognizes the value of approaches to information security ranging from prevention to acceptance.

• Integration Principle – Principles, standards, conventions, and mechanisms for the security of information should be coordinated and integrated with each other and with the organization's policies and procedures to create and maintain security throughout an information system.
Rationale – Many information security breaches involve the compromise of more than one safeguard. The most effective control measures are components of an integrated system of controls. Information security is most efficient when planned, managed, and coordinated throughout the organization's system of controls and the life of the information.

• Timeliness Principle – All accountable parties should act in a timely, coordinated manner to prevent or respond to breaches of and threats to the security of information and information systems.
Rationale – Organizations should be able to coordinate and act swiftly to prevent or mitigate threat events. This principle recognizes the need for the public and private sectors to jointly establish mechanisms and procedures for rapid and effective threat-event reporting and handling. Access to threat-event history could support effective response to threat events and may help prevent future incidents.

Figure 7 – Security Management

• Assessment Principle – The risks to information and information systems should be assessed periodically.
Rationale – Information and security requirements vary over time. Organizations periodically should assess the information, its value, and the probability, frequency, and severity of direct and indirect harm or loss. Periodic assessment identifies and measures the variances from available and established security measures and controls, such as those articulated in the GAISP, as well as the risk associated with such variances. It also enables accountable parties to make informed information risk management decisions about accepting, mitigating, or transferring the identified risks, with due consideration of cost effectiveness.

• Equity Principle – Management shall respect the rights and dignity of individuals when setting policy and when selecting, implementing, and enforcing security measures.
Rationale – Information security measures implemented by an organization should not infringe upon the obligations, rights, and needs of legitimate users, owners, and others affected by the information when exercised within the legitimate parameters of the mission objectives.

15.8 AICPA/CICA Trust Services Principles and Criteria

The American Institute of Certified Public Accountants (AICPA) Assurance Services Executive Committee and the CICA Assurance Services Development Board developed the Trust Services Principles and Criteria to address the risks and opportunities of IT. Trust Services Principles and Criteria set out broad statements of principles and identify specific criteria that should be achieved to meet each principle. The principles are broad statements of objectives. Criteria are benchmarks used to measure and present the subject matter and against which the practitioner can evaluate the subject matter. In the Trust Services Principles and Criteria, the criteria are supported by a list of illustrative controls. The Trust Services Principles and Criteria are organized into four broad areas:

• Policies – The organization has defined and documented its policies[5] relevant to the particular principle.

• Communications – The organization has communicated its defined policies to authorized users.

• Procedures – The organization uses procedures to achieve its objectives in accordance with its defined policies.

• Monitoring – The organization monitors the system and takes action to maintain compliance with its defined policies.

Following are summaries of the Trust Services Security, Availability, Processing Integrity, Privacy, Confidentiality, and Certification Authority Principles and Criteria. The Trust Services Principles and Criteria can be used to deliver branded SysTrust and WebTrust engagements, which are assurance services designed for a wide variety of IT-based systems. Upon attainment of an unqualified assurance report, the organization would be entitled to display a SysTrust or WebTrust Seal and accompanying auditor's report. In addition, the framework can be used to provide advisory and consulting services. For a detailed listing of the Trust Services Principles and Criteria, see http://www.aicpa.org/trustservices.

15.8.1 Security Principle – The system is protected against unauthorized access (both physical and logical)

In e-commerce and other systems, the respective parties must ensure that information provided is available only to those individuals who need access to complete the transaction or services, or to follow up on questions or issues that may arise. Information provided through these systems is susceptible to unauthorized access during transmission and while it is stored on the other party's systems. Limiting access to the system components helps prevent potential abuse of the system, theft of resources, misuse of software, and improper access to or use, alteration, destruction, or disclosure of information. Key elements for protecting system components include permitting authorized access and preventing unauthorized access to those components.

15.8.2 Availability Principle – The system is available for operation and use as committed or agreed

The availability principle refers to the accessibility to the system, products, or services as advertised or committed by contract or by service-level and other agreements. This principle does not, in itself, set a minimum-acceptable performance level for system availability. Instead, the minimum performance level is established by mutual agreement (contract) between the parties.

Although system availability, functionality, and usability are connected, the availability principle does not address system functionality (the specific functions a system performs) and system usability (the ability of users to apply system functions to specific tasks or problems). It does address system availability, which relates to whether or not the system is accessible for processing, monitoring, and maintenance.

[5] The term policies refers to written statements that communicate management's intent, objectives, requirements, responsibilities, and standards for a particular subject. Some policies may be described explicitly as such, being contained in policy manuals or similarly labeled documents. However, some policies may be contained in documents without such explicit labeling, including, for example, notices or reports to employees or outside parties.

[6] Although some privacy regulations use the term principle, the term component is used in the AICPA/CICA Trust Services Principles and Criteria Framework to represent that concept because the term principle previously has been defined in the Trust Services literature.

15.8.3 Processing Integrity Principle – System processing is complete, accurate, timely, and authorized

Processing integrity exists if a system performs its intended function in an unimpaired manner, free from unauthorized or inadvertent manipulation. Completeness generally indicates that all transactions and services are processed or performed without exception and that transactions and services are not processed more than once. Accuracy includes assurances that key information associated with the submitted transaction will remain accurate throughout the processing of the transaction and that the transaction or services are processed or performed as intended. The timeliness of the provision of services or the delivery of goods is addressed in the context of commitments made for such delivery. Authorization includes assurances that processing is performed in accordance with the required approvals and privileges defined by policies governing system processing.

The risks associated with processing integrity are that the party initiating the transaction will not complete the transaction or provide the service correctly and in accordance with the desired or specified request. Without appropriate processing-integrity controls, the buyer may not receive the goods or services ordered, may receive more than requested, or may receive the wrong goods or services altogether. However, if appropriate processing-integrity controls exist and are operational within the system, the buyer can be reasonably assured of receiving the correct goods and services in the correct quantity and price by the promised date. Processing integrity addresses all of the system components, including procedures to initiate, record, process, and report the information, product, or service that is the subject of the engagement. The nature of data input in e-commerce systems typically involves the user entering data directly over Web-enabled input screens or forms, whereas in other systems the nature of data input can vary significantly. Because of this difference in data-input processes, the nature of controls over the completeness and accuracy of data input in e-commerce systems may be somewhat different than for other systems.

Processing integrity differs from data integrity because it does not imply automatically that the information stored by the system is complete, accurate, current, and authorized. If a system processes information from sources outside of the system's boundaries, an organization can establish only limited controls over the completeness, accuracy, authorization, and timeliness of the information submitted for processing. Errors that may have been introduced into the information and control procedures at external sites typically are beyond the organization's control. When the information source is excluded explicitly from the description of the system that defines the engagement, it is important to detail that exclusion in the system description. In other situations, the data source may be an inherent part of the system being examined, and controls over the completeness, accuracy, authorization, and timeliness of information submitted for processing would be included in the scope of the system as described.

15.8.4 Privacy Principle and Components – Personal information is collected, used, retained, and disclosed in conformity with the commitments in the organization's privacy notice and with the AICPA/CICA Trust Services Privacy Criteria

The Privacy Principle contains 10 components[6] and related criteria that are essential to the proper protection and management of personal information. These privacy components and criteria are based on fair information practices included in privacy laws and regulations of various jurisdictions around the world and many recognized good privacy practices. The privacy components are:

• Management – The organization defines, documents, communicates, and assigns accountability for its privacy policies and procedures.

• Notice – The organization provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained, and disclosed.

• Choice and consent – The organization describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use, and disclosure of personal information.

• Collection – The organization collects personal information only for the purposes identified in the notice.

• Use and retention – The organization limits the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent. The organization retains personal information only as long as necessary to fulfill the stated purposes.

• Access – The organization provides individuals with access to their personal information for review and update.

• Disclosure to third parties – The organization discloses personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual.

• Security – The organization protects personal information against unauthorized access, both physical and logical.

• Quality – The organization maintains accurate, complete, and relevant personal information for the purposes identified in the notice.

• Monitoring and enforcement – The organization monitors compliance with its privacy policies and procedures and has processes to address privacy-related complaints and disputes.

15.8.5 Confidentiality Principle – Information designated as "confidential" is protected as committed or agreed

The confidentiality principle focuses on information designated "confidential." There is no widely recognized definition of confidential information, unlike personally identifiable information, which many countries currently are defining through regulation. In the course of communicating and transacting business, partners often exchange information they require to be maintained on a confidential basis. In most instances, the respective parties wish to ensure that the information they provide is available only to those individuals who need access to complete the transaction or resolve any questions that arise. To enhance business partner confidence, it is important to inform the partner about the organization's confidentiality practices, including those for providing authorized access to, use of, and sharing of information designated as confidential.

Information that may be subject to confidentiality includes:

• Transaction details
• Engineering drawings
• Business plans
• Banking information about businesses
• Inventory availability
• Bid or ask prices
• Price lists
• Legal documents
• Client and customer lists
• Revenue by client and industry

Unlike personal information, there are no defined rights for accessing confidential information to ensure its accuracy and completeness. Interpretations of what is considered confidential information can vary significantly from business to business and are driven by contractual arrangements in most cases. As a result, those engaged in business relationships need to understand what information will be maintained on a confidential basis and what, if any, rights of access or other expectations an organization might have for updating that information to ensure its accuracy and completeness.

Information that is provided to another party is susceptible to unauthorized access during transmission and while it is stored on the other party's computer systems. For example, an unauthorized party may intercept business partner profile information and transaction and settlement instructions while they are being transmitted. Controls such as encryption can be used to protect the confidentiality of this information during transmission, while firewalls and rigorous access controls can help protect the information while it is stored on computer systems.

15.8.6 Certification Authority (CA) Principle

The certification authority discloses its key and certificate life cycle-management, business, and information privacy practices and provides its services in accordance with these practices. This includes the concepts of CA business-practice disclosures, service integrity, and environmental controls.

15.9 IIA Systems Assurance and Control (SAC)

The IIA provides the SAC model. The SAC model sets the stage for effective technology risk management by giving companies a framework to guide an evaluation of the e-business control environment. SAC recognizes the importance of governance — both within an organization and between business partners — to ensure effective security, auditability, and control of information. SAC provides current information to understand, monitor, assess, and mitigate technology risks. SAC examines risks in all business system components, including customers, competitors, regulators, and partners. Full details of the model can be found at http://www.theiia.org/eSAC/index.cfm, with a detailed discussion of the model at www.theiia.org/itaudit/index.cfm?fuseaction=forum&fid=411.

15.10 Corporate Governance

15.10.1 OECD Principles of Corporate Governance

The OECD Principles of Corporate Governance, amended in April 2004, set out a framework for good practice that has been agreed to by all 30 OECD member countries and has become a generally accepted standard (http://www.oecd.org/corporate). Originally issued in 1999, the principles are designed to assist governments and regulatory bodies in drawing up and enforcing effective rules, regulations, and codes of corporate governance. In parallel, they provide guidance for stock exchanges, investors, companies, and others that have a role in the process of developing good corporate governance. Although the OECD principles do not provide specific guidance on IT controls, other OECD units provide further guidance and research on information security and privacy.

15.10.2 EU Commission

The European Commission's Action Plan on Company Law and Corporate Governance was released in May 2003 to strengthen corporate governance mechanisms in public interest entities. (For details, see http://europa.eu.int/comm/internal_market/company/index_en.htm.) The EU's Corporate Governance initiatives do not address IT issues specifically, but activities of the Information Society

GTAG — Appendix E — Assessing IT Controls Using COSO — 16


The COSO Internal Control – Integrated Framework is recognized as a formal model for the purpose of Sarbanes-Oxley attestation by the SEC and provides a hierarchical categorization of controls. In addition, the audit standard from the PCAOB states:

"Because of the frequency with which management of public companies is expected to use COSO as the framework for the assessment, the directions in the standard are based on the COSO framework. Other suitable frameworks have been published in other countries and likely will be published in the future. Although different frameworks may not contain exactly the same elements as COSO, they should have elements that encompass all of COSO's general themes."

The COSO model was refined and enhanced during 2004 through development of the COSO Enterprise Risk Management – Integrated Framework (http://www.coso.org). This appendix describes the earlier framework, which is the version referenced for regulatory compliance. Nonetheless, the CAE should investigate the Enterprise Risk Management – Integrated Framework.

16.1 COSO Definition of Internal Control

COSO defines internal control (http://www.coso.org/key.htm) as "a process, effected by an organization's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations"

These distinct but overlapping categories address different needs, such that each requires a directed focus. The first category addresses an entity's basic business objectives, including performance and profitability goals and safeguarding of resources, which are impacted greatly by the use of IT.

The second category relates to the preparation of reliable published financial statements, including interim and condensed financial statements, as well as earnings releases and other selected publicly reported financial data derived from such statements. IT systems frequently produce such reports, and the controls over these systems play a major part in the level of internal control.

The third category deals with complying with those laws and regulations to which the entity is subject.

Internal control systems operate at different levels of effectiveness. Internal control can be judged effective in each of the three categories if the board of directors and management have reasonable assurance that:

• They understand the extent to which the entity's operations objectives are being achieved.

• Published financial statements are being prepared reliably.

• There is compliance with applicable laws and regulations.

Although internal control is a process, its effectiveness is a state or condition of the process at one or more points in time.

16.2 COSO Internal Control — Integrated Framework

Internal control consists of five interrelated components that are derived from the way management runs a business and are integrated with the management process. Although the components apply to all entities, small and mid-size organizations may implement them differently than large enterprises. A small organization's controls may be less formal and less structured, yet it can still have effective internal control. The components are:

16.2.1 Control Environment

The control environment sets the tone for an organization, influencing the control consciousness of its people, establishing the foundation for all other components of internal control, and providing discipline and structure. Control environment factors include the integrity, ethical values, and competence of the entity's people; management's philosophy and operating style; the way management assigns authority and responsibility and organizes and develops its people; and the attention and direction provided by the board of directors.

16.2.2 Risk Assessment

Every entity faces a variety of risks from external and internal sources that must be assessed. A precondition to risk assessment is the establishment of objectives that are linked at different levels and are consistent internally. Risk assessment identifies and analyzes the relevant risks to achieving these objectives and forms a basis for determining how the risks should be managed. Because economic, industry, regulatory, and operating conditions will continue to change, organizations need mechanisms to identify and deal with the special risks associated with change.

16.2.3 Control Activities

Control activities are the policies and procedures that help ensure management directives are carried out and that necessary actions are taken to address risks to achieving these objectives. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets, and segregation of duties.

16.2.4 Information and Communication

Pertinent information must be identified, captured, and communicated in a form and time frame that enables people to perform their responsibilities. Information systems produce reports containing operational, financial, and compliance-related information that make it possible to run and control the business. They deal not only with internally generated data but also with information about external events, activities, and conditions necessary for informed business decision-making and external reporting. Effective communication must also occur in a broader sense, flowing down, across, and up the organization. All personnel must receive a clear message from top management that control responsibilities have to be taken seriously. They need to understand their own role in the internal control system, as well as how individual activities relate to the work of others. They must have a means of communicating significant information upstream. There also needs to be effective communication with external parties, such as customers, suppliers, regulators, and shareholders.

16.2.5 Monitoring

Internal control systems need to be monitored to assess the quality of their performance over time. This is accomplished through ongoing monitoring activities, separate evaluations, or a combination of the two. Ongoing monitoring occurs in the course of operations and includes regular management and supervisory activities and other actions personnel take in performing their duties. The scope and frequency of separate evaluations will depend primarily on an assessment of risks and the effectiveness of ongoing monitoring procedures. Internal control deficiencies should be reported upstream, with serious matters reported to top management and the board.

There is synergy and linkage among the components, forming an integrated system that reacts dynamically to changing conditions. The internal control system is intertwined with the entity's operating activities and exists for fundamental business reasons. Internal control is most effective when controls are built into the entity's infrastructure and are a part of the essence of the enterprise. Built-in controls support quality and empowerment initiatives, avoid unnecessary costs, and enable quick response to changing conditions.

There is a direct relationship between the three COSO categories of objectives (effectiveness, reliability, compliance) — which are what an entity strives to achieve — and the components needed to achieve the objectives. All components are relevant to each objectives category. When looking at any one category — the effectiveness and efficiency of operations, for instance — all five components must be present and functioning effectively to conclude that internal control over operations is effective.

The internal control definition — with its underlying fundamental concepts of a process, effected by people, providing reasonable assurance — together with the categorization of objectives, the components and criteria for effectiveness, and the associated discussions, constitute this internal control framework.

GTAG — Appendix F — ITGI Control Objectives for Information and Related Technology (CobiT) — 17


Organizations must satisfy the quality, fiduciary, and security requirements for their information, as for all assets. Management must also optimize the use of available resources, including data, application systems, technology, facilities, and people. To discharge these responsibilities, as well as to achieve its objectives, management must establish an adequate system of internal control. Thus, an internal control system or framework must be in place to support the business processes, and it must be clear how each individual control activity satisfies the information requirements and impacts the resources. Impact on IT resources is highlighted in the CobiT framework, together with the business requirements for effectiveness, efficiency, confidentiality, integrity, availability, compliance, and reliability of information that need to be satisfied. Control, which includes policies, organizational structures, practices, and procedures, is management's responsibility. Management, through its corporate and IT governance, must ensure that due diligence is exercised by all individuals involved in the management, use, design, development, maintenance, or operation of information systems.

Business orientation is the main theme of CobiT. It is designed not only to be employed by users and auditors, but also, and more importantly, as a comprehensive checklist for business process owners. Increasingly, business practice involves the full empowerment of business process owners so they have total responsibility for all aspects of the business process. In particular, this includes providing adequate controls. The CobiT framework provides a tool for the business process owner that facilitates the discharge of this responsibility. The framework starts from a simple and pragmatic premise: In order to provide the information that the organization needs to achieve its objectives, IT resources need to be managed by a set of naturally grouped processes.

CobiT continues with a set of 34 high-level control objectives, one for each of the IT processes, grouped into four domains: Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate.

Plan and Organize – This domain covers strategy and tactics and concerns the identification of the way IT can best contribute to the achievement of business objectives.

1. Define a strategic IT plan
2. Define the information architecture
3. Determine the technological direction
4. Define the IT organization and relationships
5. Manage the IT investment
6. Communicate management aims and direction
7. Manage human resources
8. Ensure compliance with external requirements
9. Assess risks
10. Manage projects
11. Manage quality

Acquire and Implement – To realize the IT strategy, IT solutions need to be identified, developed or acquired, as well as implemented and integrated into the business process. In addition, changes in and maintenance of existing systems are covered by this domain to make sure that the life cycle is continued for these systems.

12. Identify automated solutions
13. Acquire and maintain application software
14. Acquire and maintain technology architecture
15. Develop and maintain IT procedures
16. Install and accredit systems
17. Manage changes

Deliver and Support – This domain is concerned with the actual delivery of required services, which range from traditional operations over security and continuity aspects to training. This domain includes the actual processing of data by application systems.

18. Define and manage service levels
19. Manage third-party services
20. Manage performance and capacity
21. Ensure continuous service
22. Ensure systems security
23. Identify and allocate costs
24. Educate and train users
25. Assist and advise IT customers
26. Manage the configuration
27. Manage problems and incidents
28. Manage data
29. Manage facilities
30. Manage operations

Monitor and Evaluate – All IT processes need to be assessed regularly over time for their quality and compliance with control requirements. This domain thus addresses management's oversight of the organization's control process and independent assurance provided by internal and external auditing or obtained from alternative sources.

31. Monitor the processes
32. Assess internal control adequacy
33. Obtain independent assurance
34. Provide for independent audit

This structure covers all aspects of information and the technology that supports it. By addressing these 34 high-level control objectives, the business process owner can ensure that an adequate control system is provided for the IT environment.

CobiT is comprised of:

• An executive summary, which provides an overview of CobiT's issues and foundational premise

• CobiT framework, which describes in detail the high-level IT control objectives and identifies the business requirements for information and IT resources primarily impacted by each control objective

• Control objectives, statements of the desired results or purposes to be achieved by implementing the specific detailed control objectives

• Audit guidelines, suggested audit steps corresponding to each of the IT control objectives

Copyright © 2000 by ITGI and reprinted with the permission of the ITGI. No other right or permission is granted with respect to this work.


• An implementation tool set, which provides lessons learned from those organizations that successfully applied CobiT in their work environments, and several tools to help management assess their control environment related to information and IT resources

• Management guidelines, which are composed of maturity models to help determine the stages and expectation levels of control; critical success factors to identify the most important actions for achieving control over the IT processes; key goal indicators to define target levels of performance; and key performance indicators to measure whether an IT control process is meeting its objective

Designated by the IT Governance Institute (ITGI) and ISACA as an open standard, this portion of COBIT may be downloaded from http://www.itgi.org and http://www.isaca.org.

CobiT, now in its third edition and available in hard copy or interactive online format (CobiT Online), increasingly is accepted internationally as good practice for control over information, IT, and related risks. Its guidance enables an enterprise to implement effective governance over the IT that is pervasive and intrinsic throughout the enterprise.


The following metrics descriptions are taken from the Corporate Information Security Working Group (CISWG) draft report of the Best Practices and Metrics teams, November 17, 2004. During Phase I of the CISWG, convened in November 2003 by Rep. Adam Putnam (R-FL), the Best Practices team surveyed available information security guidance. It concluded in its March 2004 report[7] that much of this guidance is expressed at a relatively high level of abstraction and therefore is not useful immediately as actionable guidance without significant and often costly elaboration. A one-page listing of Information Security Program Elements regarded as essential content for comprehensive enterprise management of information security was created, upon which it was hoped future actionable guidance could be built for use by a wide variety of organizations.

The Best Practices and Metrics teams of CISWG Phase II, convened in June 2004, were charged with expanding on the work of Phase I by refining the Information Security Program Elements and developing metrics to support each of the elements. The goal was to develop a resource that would help board members, managers, and technical staff establish a comprehensive structure of principles, policies, processes, controls, and performance metrics to support the people, process, and technology aspects of information security.

These generic metrics can be used as the basis for determining regular reporting requirements for the audit committee, although they are not meant to be a "one-size-fits-all" solution. The full set of draft metrics, along with explanatory notes and descriptions, can be found under the "Technology" section of http://www.theiia.org.

The Information Security Program Elements and Supporting Metrics are intended to enable boards, management, and technical staff to monitor the status and progress of their organization's information security program over time. Each organization should thoughtfully consider which program elements and metrics might be helpful in its own circumstances. It should then set its own implementation priorities and establish an appropriate policy, process, and control structure. Larger and more complex organizations will create policies, processes, and controls in each program element that inevitably will be more extensive than those a smaller organization might choose to implement.

18.1 Metrics for Boards of Directors/Trustees

Establishing a competent information security program requires board members to devote attention to certain program elements. Board members can use the following metrics as part of their information security responsibilities. Board members generally should find the best target value for each metric — higher or lower — to be self-evident.

• Oversee risk management and compliance programs pertaining to information security
  – Percentage of key information assets for which a comprehensive strategy has been implemented to mitigate information security risks as necessary and to maintain these risks within acceptable thresholds
  – Percentage of key organizational functions for which a comprehensive strategy has been implemented to mitigate information security risks as necessary and to maintain these risks within acceptable thresholds
  – Percentage of key external requirements for which the organization has been deemed to be in compliance by an objective audit or other means

• Approve and adopt broad information security program principles and approve assignment of key managers responsible for information security
  – Percentage of information security program principles for which approved policies and controls have been implemented by management
  – Percentage of key information security management roles for which responsibilities, accountabilities, and authority are assigned and required skills identified

• Strive to protect the interests of all stakeholders who depend on information security
  – Percentage of board meetings and/or designated committee meetings for which information security is on the agenda
  – Percentage of security incidents that caused damage, compromise, or loss beyond established thresholds to the organization's assets, functions, or stakeholders
  – Estimated damage or loss in dollars resulting from all security incidents in each of the past four reporting periods

• Review information security policies regarding strategic partners and other third parties
  – Percentage of strategic partner and other third-party relationships for which information security requirements have been implemented in agreements

• Strive to ensure business continuity
  – Percentage of organizational units with an established business-continuity plan

• Review provisions for internal and external audits of the information security program
  – Percentage of required internal and external audits completed and reviewed by the board
  – Percentage of audit findings that have not been resolved

• Collaborate with management to specify the information security metrics to be reported to the board

GTAG — Appendix G — Example IT Control Metrics to Be Considered by Audit Committees — 18

[7] http://reform.house.gov/TIPRC

18.2 Metrics for Management

The following program elements and metrics are intended to help management implement the information security goals and policies established by the board as part of an effective information security program.

• Establish information security management policies and controls, and monitor compliance
  – Percentage of information security program elements for which approved policies and controls are operational
  – Percentage of staff assigned responsibilities for information security policies and controls who have acknowledged accountability for their responsibilities in connection with those policies and controls
  – Percentage of information security policy compliance reviews that noted violations
  – Percentage of business-unit heads and senior managers who have implemented operational procedures to ensure compliance with approved information security policies and controls

• Assign information security roles, responsibilities, and required skills, and enforce role-based information-access privileges
  – Percentage of new employees hired this reporting period who satisfactorily completed security-awareness training before being granted network access
  – Percentage of employees who have completed periodic security-awareness refresher training as required by policy
  – Percentage of position descriptions that define the information security roles, responsibilities, skills, and certifications for:
    + Security managers and administrators
    + IT personnel
    + General staff/system users
  – Percentage of job performance reviews that evaluate information security responsibilities and policy compliance
  – Percentage of user roles, systems, and applications that comply with the separation-of-duties principle
  – Number of individuals with access to security software who are not trained and authorized security administrators
  – Number of individuals who are able to assign security privileges for systems and applications who are not trained and authorized security administrators
  – Percentage of users whose access privileges have been reviewed this reporting period, including:
    + Employees with high-level system and application privileges
    + All other employees
    + Contractors
    + Vendors
    + Terminated employees and contractors
  – Percentage of users who have undergone background checks

• Assess information risks, establish risk thresholds, and actively manage risk mitigation
  – Percentage of critical information assets and information-dependent functions for which some form of risk assessment has been performed and documented as required by policy
  – Percentage of critical assets and functions for which the cost of compromise — loss, damage, disclosure, or disruption of access — has been quantified
  – Percentage of identified risks that have a defined risk mitigation plan against which status is reported in accordance with policy

• Ensure implementation of information security requirements for strategic partners and other third parties
  – Percentage of known information security risks that are related to third-party relationships
  – Percentage of critical information assets or functions to which third-party personnel have been given access
  – Percentage of third-party personnel with current information access privileges who a designated authority has deemed to have continued need for access in accordance with policy
  – Percentage of systems with critical information assets or functions that are connected to third-party systems electronically
  – Percentage of security incidents that involve third-party personnel
  – Percentage of third-party agreements that include or demonstrate external verification of policies and procedures
  – Percentage of third-party relationships that have been reviewed for compliance with information security requirements
  – Percentage of out-of-compliance review findings that have been corrected since the last review

• Identify and classify information assets
  – Percentage of information assets that have been reviewed and classified by the designated owner in accordance with the classification scheme established by policy
  – Percentage of information assets with defined access privileges that have been assigned based on role and in accordance with policy
  – Date when the asset inventory was last updated

• Implement and test business-continuity plans
  – Percentage of organizational units with a documented business-continuity plan for which specific responsibilities have been assigned
  – Percentage of business-continuity plans that have been reviewed, exercised and tested, and updated in accordance with policy

• Approve information systems architecture during acquisition, development, operations, and maintenance
  – Percentage of information security risks related to systems architecture identified in the most recent risk assessment that have been mitigated adequately
  – Percentage of system architecture changes — additions, modifications, or deletions — that were reviewed for security impacts, approved by the appropriate authority, and documented via change-request forms
  – Percentage of critical information assets or functions residing on systems that are out of compliance with the approved systems architecture

• Protect the physical environment
  – Percentage of critical organizational information assets and functions that have been reviewed from the perspective of physical risks, such as controlling physical access and physical protection of backup media
  – Percentage of critical organizational information assets and functions exposed to physical risks for which risk mitigation actions have been implemented
  – Percentage of critical assets that have been reviewed from the perspective of environmental risks, such as temperature, fire, and flooding
  – Percentage of servers in locations with controlled physical access

  – Percentage of information security requirements of applicable laws and regulations that are included in the internal and external audit program and schedule
  – Percentage of information security audits conducted in compliance with the approved internal and external audit program and schedule
  – Percentage of management actions in response to audit findings and recommendations that were implemented as agreed upon regarding timeliness and completeness

• Collaborate with security personnel to specify the information security metrics to be reported to management
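The access-review and privilege-administration metrics above (percentage of users reviewed this period by category, and the number of individuals able to assign privileges who are not authorized security administrators) can be computed directly from an account inventory. The following is an added example, not code from the GTAG or the CISWG report; the Account fields, the 90-day reporting period, the category names and the sample accounts are constructed assumptions. It also lists terminated users whose accounts remain enabled, a failure the percentage alone would hide.

```python
"""Access-review metrics from an account inventory (added example; constructed data)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumed reporting period: the 90 days ending on PERIOD_END (constructed values).
REVIEW_WINDOW_DAYS = 90
PERIOD_END = date(2005, 3, 31)


@dataclass(frozen=True)
class Account:
    """One row of a hypothetical access inventory joined with HR status."""
    user: str
    kind: str                          # "employee", "contractor" or "vendor"
    privileged: bool                   # holds high-level system/application privileges
    terminated: bool                   # HR records this person as having left
    enabled: bool                      # the account is still usable on the system
    last_review: Optional[date]        # date the access privileges were last reviewed
    can_assign_privileges: bool = False
    authorized_security_admin: bool = False


def category(acct: Account) -> str:
    """Map an account to the reporting categories named in the metric."""
    if acct.terminated:
        return "terminated employees and contractors"
    if acct.kind == "contractor":
        return "contractors"
    if acct.kind == "vendor":
        return "vendors"
    return "employees with high-level privileges" if acct.privileged else "all other employees"


def reviewed_in_period(acct: Account) -> bool:
    """True when the last review falls inside the current reporting period."""
    if acct.last_review is None:
        return False
    period_start = PERIOD_END - timedelta(days=REVIEW_WINDOW_DAYS)
    return period_start <= acct.last_review <= PERIOD_END


def review_coverage(accounts: List[Account]) -> Dict[str, float]:
    """Percentage of users whose access privileges were reviewed this period,
    per category plus an 'all users' total, rounded to one decimal."""
    totals: Dict[str, int] = {}
    reviewed: Dict[str, int] = {}
    for acct in accounts:
        for key in (category(acct), "all users"):
            totals[key] = totals.get(key, 0) + 1
            reviewed[key] = reviewed.get(key, 0) + int(reviewed_in_period(acct))
    return {key: round(100.0 * reviewed[key] / totals[key], 1) for key in totals}


def unauthorized_privilege_assigners(accounts: List[Account]) -> List[str]:
    """Individuals able to assign security privileges who are not trained,
    authorized security administrators (the metric reports the count)."""
    return sorted(a.user for a in accounts
                  if a.can_assign_privileges and not a.authorized_security_admin)


def terminated_but_enabled(accounts: List[Account]) -> List[str]:
    """Terminated users whose accounts are still enabled. A coverage percentage
    can look healthy while these remain, so they are listed individually."""
    return sorted(a.user for a in accounts if a.terminated and a.enabled)


# Constructed sample inventory, not real data.
SAMPLE_ACCOUNTS = [
    Account("alice", "employee", True, False, True, date(2005, 2, 10), True, True),
    Account("bob", "employee", False, False, True, date(2004, 11, 15)),
    Account("carol", "employee", False, False, True, date(2005, 1, 5)),
    Account("dave", "contractor", False, False, True, None, True, False),
    Account("erin", "contractor", False, False, True, date(2005, 3, 1)),
    Account("frank", "vendor", False, False, True, date(2005, 3, 30)),
    Account("grace", "employee", False, True, True, date(2005, 2, 1)),
    Account("heidi", "employee", False, True, False, None),
]

if __name__ == "__main__":
    for name, pct in review_coverage(SAMPLE_ACCOUNTS).items():
        print(f"{name}: {pct}% reviewed this period")
    print("unauthorized privilege assigners:", unauthorized_privilege_assigners(SAMPLE_ACCOUNTS))
    print("terminated but still enabled:", terminated_but_enabled(SAMPLE_ACCOUNTS))
```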


GTAG — Appendix H — CAE Checklist — 19


1. Identify the IT control environment of the organization, including:
   a. Values
   b. Philosophy
   c. Management style
   d. IT awareness
   e. Organisation
   f. Policies
   g. Standards

2. Identify relevant legislation and regulation impacting IT control, such as:
   a. Governance
   b. Reporting
   c. Data protection
   d. Compliance

3. Identify the roles and responsibilities for IT control in relation to:
   a. Board of directors
      i. Audit committee
      ii. Risk committee
      iii. Governance committee
      iv. Finance committee
   b. Management
      i. CEO
      ii. CFO and controller
      iii. CIO
      iv. CSO
      v. CISO
      vi. CLC
      vii. CRO
   c. Audit
      i. Internal Audit
      ii. External Audit

Action Questions

1. Do corporate policies and standards that describe the need for IT controls exist?
2. What legislation exists that impacts on the need for IT controls?
3. Has management taken steps to ensure compliance with this legislation?
4. Have all the relevant responsibilities for IT controls been allocated to individual roles?
5. Is the allocation of responsibilities compatible with the need to apply division of duties?
6. Are IT responsibilities documented?
7. Are IT control responsibilities communicated to the whole organization?
8. Do individual role holders clearly understand their responsibilities in relation to IT controls?
9. What evidence is there of individual role holders exercising their responsibilities?
10. Does internal auditing employ sufficient IT audit specialists to address the IT control issues?

CAEs can use this checklist to examine their IT control framework to ensure the organization has addressed all control elements. The checklist can help the CAE understand the issues and plan for full internal audit coverage of the control areas.


4. Identify the risk assessment process. Does it cover:
   a. Risk appetite
   b. Risk tolerances
   c. Risk analysis
   d. Matching risks to IT controls

5. Identify all monitoring processes, including:
   a. Regulatory
   b. Normal in-house
   c. Other than internal auditing

6. Identify information and communication mechanisms:
   a. Control information
   b. Control failures

11. How is the risk appetite and tolerance of the organization determined?
12. Is the risk appetite and tolerance of the organization authorized at board level?
13. Is the risk appetite and tolerance clearly understood by all those with a responsibility for IT control?
14. Is a formal risk analysis process used by the organization?
15. Is the process understood by all those with responsibility for IT control?
16. Is the process used consistently throughout the organization?
17. What processes exist to monitor compliance with all relevant legislation plus internal policies and standards?
18. Are there monitoring processes carried out by management outside of internal audit?
19. What metrics are provided to the board of directors, its committees, and management in relation to IT security?
20. What additional reports are provided to the board of directors and to management on a regular basis?
21. Is management always provided with reports when there are IT control failures?
22. Do the board of directors and its committees receive similar reports of IT control failures?


GTAG — Appendix I — References — 20


The following list of information security reference material is taken from a list compiled by the CISWG of the Subcommittee on Technology, Information Policy, Intergovernmental Relations, and the Census and the Government Reform Committee of the U.S. House of Representatives. The full list can be found at http://www.reform.house.gov/TIPRC or under the "Technology" section of http://www.theiia.org. The documents are classified into three sections relating to governance, management, and technical issues.

20.1 Governance

Board Briefing on IT Governance, ITGI. http://www.itgi.org/Template_ITGI.cfm?Section=ITGI&CONTENTID=6658&TEMPLATE=/ContentManagement/ContentDisplay.cfm

Information Security Governance: Guidance for Boards of Directors and Executive Management, ITGI. http://www.itgi.org

Information Security Management and Assurance: Three-report series from The IIA, National Association of Corporate Directors (NACD), U.S. Critical Infrastructure Assurance Office, et al. http://www.theiia.org/esac/index.cfm?fuseaction=or&page=rciap

Information Security Oversight Essential BoardPractices NACD httpwwwnacdonlineorgpublicationspubDetailsasppubID=138ampuser=6158BBEB9D7C4EE0B9E4B98B601E3716

IT Governance Implementation Guide ISACAhttpwwwisacaorgTemplatecfmSection=Browse_By_TopicampTemplate=EcommerceProductDisplaycfmampProductID=503

Turnbull Report - Internal Control - Guidance forDirectors on the Combined Code Institute of CharteredAccountants in England amp Wales httpwwwicaewcoukindexcfmAUB=TB2I_6242MNXI_47896

20.2 Management

BS 7799 – Parts 1 & 2: Code of Practice for Information Security Management, British Standards Institution, http://www.bsi.org.uk

Common Sense Guide for Senior Managers, Internet Security Alliance, www.isalliance.org

Corporate Information Security Evaluation for CEOs, TechNet, http://www.technet.org/cybersecurity

Generally Accepted Information Security Principles (GAISP), Information Systems Security Association.

Currently available: Generally Accepted Systems Security Principles (GASSP), consisting of Pervasive Principles and Broad Functional Principles. Detailed Principles are under development. http://www.issa.org/gaisp/gaisp.html

Generally Accepted Principles and Practices (GAPP), NIST SP 800-18, "Guide for Developing Security Plans for Information Technology Systems," December 1998 (Marianne Swanson & Barbara Guttman), eight generally accepted principles (see OECD) and "Common IT Security Practices," http://csrc.nist.gov/publications/nistpubs/index.html

ICC Handbook on Information Security Policy for Small to Medium Enterprises, International Chamber of Commerce (ICC), http://www.iccwbo.org/home/e_business/word_documents/SECURITY-final.pdf

IFAC International Guidelines on Information Technology Management – Managing Information Technology Planning for Business Impact, International Federation of Accountants, http://www.ifac.org

Information Security for Executives, Business and Industry Advisory Committee to the OECD and ICC, http://www.iccwbo.org/home/e_business/word_documents/SECURITY-final.pdf

ISO 17799 – Information Technology – Code of Practice for Information Security Management, International Organization for Standardization (ISO), http://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=33441&ICS1=35&ICS2=40&ICS3

OECD Guidelines for the Security of Information Systems and Networks: nine pervasive principles for information security upon which several other guides are based, OECD, http://www.oecd.org/document/42/0,2340,en_2649_33703_15582250_1_1_1_1,00.html

Standard of Good Practice for Information Security, Information Security Forum, http://www.isfsecuritystandard.com/index_ie.htm

Trust Services Criteria (including SysTrust and WebTrust), American Institute of Certified Public Accountants, http://www.aicpa.org/trustservices

20.3 Technical Issues

Consensus Benchmarks, Center for Internet Security, http://www.cisecurity.org

DISA Security Technical Implementation Guides, http://www.csrc.nist.gov/pcig/cig.html


ISO 15408 Common Criteria, http://www.csrc.nist.gov/cc/ccv20/ccv2list.htm

ISO TR 13335 – Guidelines for the Management of Information Security, Parts 1-5, http://www.iso.org/iso/en/StandardsQueryFormHandler.StandardsQueryFormHandler

IT Baseline Protection Manual (P BSI 7152 E 1), Bundesamt für Sicherheit in der Informationstechnik, http://www.bsi.bund.de/gshb/english/menue.htm

ITCG Information Technology Control Guidelines, Canadian Institute of Chartered Accountants (CICA), http://www.cica.ca

NIST Configuration Guides, National Institute of Standards and Technology (NIST), http://www.csrc.nist.gov/pcig/cig.html

NIST 800-12 The Computer Security Handbook, NIST, http://www.csrc.nist.gov/publications/nistpubs/index.html

NIST 800-30 Risk Management Guide for Information Technology Systems, NIST, http://www.csrc.nist.gov/publications/nistpubs/index.html

NSA Configuration Guides, http://www.nsa.gov/snac

SANS Step-by-Step Guides, SANS Institute, http://store.sans.org

20.4 Auditing IT

Control Objectives for Information and Related Technologies (CobiT), ISACA, http://www.isaca.org

Federal Information Systems Controls Audit Manual (FISCAM), U.S. Government Accountability Office, http://www.gao.gov

Information Technology Control Guidelines (ITCG), CICA, http://www.cica.ca

Systems Assurance and Control (SAC), IIA Research Foundation, http://www.theiia.org/eSAC

Systems Auditability and Control (SAC), IIA Research Foundation, http://www.theiia.org/eSAC


GTAG — Appendix J — Glossary — 21

A listing of technical terms used in the guide, with a simple, plain-English definition.

Application Control – A control related to the specific functioning of an application system that supports a specific business process. Common applications include accounts payable, inventory management, and general ledger. Integrated applications combine the functions of many business processes into integrated systems sharing common databases.

Assurance – The act of assuring; a declaration tending to inspire full confidence; that which is designed to give confidence.

CAE – Chief audit executive

CEO – Chief executive officer

CFO – Chief financial officer (and controller)

CIO – Chief information officer

CISO – Chief information security officer

CLC – Chief legal counsel

COSO – The Committee of Sponsoring Organizations of the Treadway Commission (the Commission on Fraudulent Financial Reporting). See http://www.coso.org

CRM – Customer resource management

CSO – Chief security officer

Cyber attack – A criminal act perpetrated by the use of computers and telecommunications capabilities, resulting in violence, destruction, and/or disruption of services to create fear by causing confusion and uncertainty within a given population, with the goal of influencing a government or population to conform to a particular political, social, or ideological agenda.

Effective – Getting a job done, with or without regard for efficiency. If the law requires you to do something, it probably does not require you to do it efficiently, as evidenced by Sarbanes-Oxley compliance and the frequent complaint that companies are spending huge sums with no apparent value added to the organization or stakeholders.

Efficient – To be efficient, a process or activity must also be effective. Information Technology Process Institute studies show that best-of-breed organizations enjoy considerable efficiencies by maintaining an effective set of control and monitoring practices and resolving the source of the problem rather than only responding to the symptoms.

Framework – A structure for organizing something (e.g., governance issues, controls) to highlight needs at the various levels of an organization as well as for its activities and processes. A control framework is an outline that identifies the need for controls but does not depict how they are applied. Each organization and organizational unit provides a level of detail related to its own control objectives and control practices.

General control – A control that applies generally to the IT environment or overall mix of systems, networks, data, people, and processes (also known as IT infrastructure).

GLBA – U.S. Gramm-Leach-Bliley Act

Governance – The combination of processes and structures implemented by the board to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives.

GTAG – Global Technology Audit Guide

HIPAA – U.S. Health Information Portability and Accountability Act

Information asset – Information assets are based in the value of information to the worth and continued existence of the organization. A distinction is made between information assets and information resources because information resources are generally considered to include the related human resources, and human resources are not considered to be owned by the organization.

Information resource – Includes all elements of the organization involved in information processing (e.g., acquisition, processing, communication, and storage), including the related hardware, software, processes, and personnel.

Information security – The concepts, techniques, technical measures, and administrative measures used to protect information assets from deliberate or inadvertent unauthorized acquisition, damage, disclosure, manipulation, modification, loss, or use.

Information technology (IT) – All the computer hardware and software used to process information and provide communications, the processes for administering and maintaining the technology, and the human resources associated with the use of technology.

ISO 17799 – Code of Practice for Information Security Management. See http://www.iso.org

IT controls – Those controls that provide reasonable assurance of the secure, reliable, and resilient performance of hardware, software, processes, and personnel, as well as the reliability of the organization's information.

IT infrastructure – The overall IT environment, including systems, networks, data, people, and processes. Infrastructures can also include the interaction of businesses and industries in mutual support through shared media and services such as the Internet, energy, financial services, utilities, government, and transportation. To the extent that infrastructures support national and regional economies, defenses, and business continuity, they are known as critical infrastructures.

ITPI – IT Process Institute. See http://www.itpi.org

Public Company Accounting Oversight Board (PCAOB) – A board of the U.S. Securities and Exchange Commission, established by the Sarbanes-Oxley Act of 2002 as an oversight body for public financial reporting and auditing.

Risk appetite – Defined by COSO as "the degree of risk, on a broad-based level, that a company or other organization is willing to accept in pursuit of its goals. Management considers the organization's risk appetite first in evaluating strategic alternatives, then in setting objectives aligned with the selected strategy, and in developing mechanisms to manage the related risks."

Risk management – The ongoing identification, measurement, and mitigation of risk through the demonstrably cost-efficient implementation and administration of control over the known and knowable risks of threat events that can affect the confidentiality, integrity, or availability of an organization's information assets adversely.

Risk Tolerance – Defined by COSO as "the acceptable level of variation relative to the achievement of objectives. In setting specific risk tolerances, management considers the relative importance of the related objectives and aligns risk tolerances with its risk appetite."


GTAG — Appendix K — About the Global Technology Audit Guides — 22


This IT controls guide is the first in a series of GTAGs, which will give CAEs and internal auditors a source of information for educating and informing themselves and others within the organization who have responsibilities related to IT control.

The GTAGs will provide guidance on a variety of IT topics. Each guide will describe the underlying technology, facts, and issues sufficiently to explain business opportunities, risks, and related controls and their impacts on the overall system of internal controls. Subjects to be addressed in the GTAG series will be determined by current and emerging technology areas and their potential ramifications for internal controls and assurance. Planned topics for guides include intrusion protection, security management, change management, wireless security, identity management, and authentication.

22.1 Parties to the GTAG Program

Each GTAG guide is developed through interaction with technical audit and security experts, audit executives, technology vendors, and the associations and individuals that represent board members, chief executives, financial executives, information technology professionals, and security executives. Involvement from The IIA's international affiliates and partners supports the global perspective of the guides. Other professionals representing specialized views, such as legal, insurance, regulatory, and standards, will be included as appropriate within individual GTAG projects.

The IIA is joined in this GTAG project by a specially selected team of professional associations, academic institutions, and practitioners in both auditing and technology. The IIA is grateful for the support provided by this team, as the guide would not have been possible without them. For The IIA to provide meaningful guidance to auditors about how to relate to audit customers, it is essential to gain agreement with the key representatives of those customers. To speak to a global audience, the guide needs consensus from a broad group representing many of the countries where internal auditors operate. So we thank both the individuals and the organizations who contributed so much to this guide.

23.1 IT Controls Advisory Council

The Advisory Council is made up of individuals who contributed to the development of this guide from the outset of planning the GTAG project, through design and development of the IT Controls Guide outline and various drafts, to the completion of the final product. These individuals went beyond the role of a volunteer support team to truly act in a leadership role.

Julia H. Allen, CMU/SEI, Carnegie-Mellon University/Software Engineering Institute

Michael R. Dickson, Business Technology Group LLC

Clint Kreitner, President/CEO, CIS, The Center for Internet Security

Alex Lajoux, NACD, National Association of Corporate Directors

Will Ozier, Vice Chair, the ISSA GAIS Committee; CEO & President, OPA Inc., The Integrated Risk Management Group, USA

Mark Salamasick, CIA, University of Texas at Dallas

Karyn Waller, AICPA, American Institute of Certified Public Accountants

23.2 Partner Organizations

AICPA – Michael R. Dickson, Karyn Waller, American Institute of Certified Public Accountants

CIS – Clint Kreitner, Center for Internet Security

CMU/SEI – Julia Allen, Bob Rosenstein, Carnegie-Mellon University/Software Engineering Institute

ISSA – Dave Cullinane, President; Bob Daniels, Exec. Vice President, Information Systems Security Association

NACD – Peter Gleason, Alex Lajoux, National Association of Corporate Directors

SANS Institute – Alan Paller, Director of Research; Stephen Northcutt, COO

23.3 Project Review Team

Peter Allor, ISS Internet Security Systems

Jack Antonelli, ADP

Ken D. Askelson, CIA, JC Penney Co. Inc.

Becky Bace, Infidel Inc.

Kevin Behr, IPSI Institute for Integrated Publication and Information Systems

Jeff Benson, BearingPoint

Robert S. Block, Chairman, 3D Business Tools, USA

Sylvia Boyd, The IIA

Alexandra Branisteanu, Information Security Officer, Scripps Health, San Diego, USA

Larry Brown, Options Clearing Corp.

Stephanie Bryant, University of South Florida

Phil Campbell, Specialized IT LLC, USA

John Carlson, BITS Banking Industry Technology Secretariat

Chris Compton, Intrusion Labs

Guy Copeland, CSC Computer Sciences Corp.

Rich Crawford, Vice President/Senior Security Advisor, Janus Risk Management, USA

Bob Daniels, EDS

Bob Dix, U.S. House of Representatives


GTAG — Appendix L — GTAG Partners and Global Project Team — 23


Jerry E. Durant, CIA, President, Certifiable Technologies Ltd., Orlando, Fla., USA

Emily Frye, Critical Infrastructure Protections Program, George Mason University School of Law, USA

Greg Garcia, ITAA Information Technology Association of America

Russ Gates, Dupage Consulting LLC

Lou Giles, Chevron Phillips Chemical Co.

Doug Guerrero, EDS

Kai Tamara Hare, Nuserve

Michael S. Hines, CIA, Purdue University

Bob Hirth, Protiviti

Don Holden, CISSP, Concordant Inc., USA

Dave Kern, Ethentica

Gene Kim, CTO, Tripwire Inc., USA

Jim Kolouch, BearingPoint

David Kowal, VP, JP Morgan Chase

Paul Kurtz, CSIA Cyber Security Industry Alliance

Cindy LeRouge, PhD, Decision Sciences/MIS Department, John Cook School of Business, St. Louis University, USA

Andrée Lavigne, CICA Canadian Institute of Chartered Accountants

Debbie Lew, Guidance Software

Brenda Lovell, CIA, CCSA, CGAP, The IIA

Warren Malmquist, Adolph Coors Co.

Stacy Mantzaris, CIA, IIA

Dennis Miller, Heritage Bank

Patrick Morrissey, Auditwire

Bruce Moulton, Symantec

Paul Moxey, ACCA Association of Chartered Certified Accountants

Roseane Paligo, CIA, Chief Financial Officer, 1st Choice Community Federal Credit Union, USA

Fred Palmer, Palmer Associates

Xenia Parker, CIA, CFSA, VP, Enterprise Technology Group, Marsh Inc.

Bernie Plagman, TechPar Group

Heriot Prentice, MIIA, FIIA, QiCA, The IIA

Dick Price, Beacon IT Ltd., BS 7799 Consultancy, USA

Michael Quint, Corporate Compliance Officer, EDS Corporate Audit, USA

Sridhar Ramamoorti, CIA, CFSA, Ernst & Young LLP, Chicago, IL, USA

Amy Ray, Bentley College

Martin Ross, GSC Global Security Consortium

Chip Schilb, EDS, USA

Howard Schmidt, eBay

Mark Silver, Symantec

George Spafford, President, Spafford Global Consulting, Saint Joseph, IL, USA

Adam Stone, Assurant

Jay H. Stott, CIA, Fidelity Investments

Dan Swanson, CIA, IIA

Jay R. Taylor, CIA, CISA, CFE, General Motors Corporation

Bill Tener, University & Community College System of Nevada

Archie Thomas

Fred Tompkins, BearingPoint

Don Warren, Rutgers University

Dominique Vincenti, CIA, The IIA

Mark Winn, Intrusec

Amit Yoran

23.4 IIA International Affiliates

Frank Alvern, CIA, CCSA, Nordea Bank, Norway

Alexandre Alves Apparecido, Brazil

Dror Aviv, Israel

David F. Bentley, England, UK and Ireland

Gerardo Carstens, CIA, IIA Argentina

Richard Cascarino, South Africa

Iftikhar Chaudry, Pakistan

Hisham T. El Gindy, Manager, KPMG Hazem Hassan, Egypt

Dr. Ulrich Hahn, CIA, Switzerland

Rossana S. Javier, Makati City, Philippines

Andras Kovacks, Hungary

Christopher McRostie, Australia

Furqan Ahmad Saleem, Partner, Avais Hyder Nauman Rizwani RSM, Pakistan

Kyoko Shimizu, CIA, Japan

John Silltow, Security Control and Audit Ltd., United Kingdom

Ken Siong, International Federation of Accountants

Anton van Wyk, PwC, South Africa

Nick Wolanin, Adjunct Senior Lecturer, Australian Graduate

Julie Young, Australia

23.5 Other International

Carolee Birchall, Vice President and Senior Risk Officer, Bank of Montreal, Canada

P. J. Corum, Quality Assurance Institute Middle East and Africa, United Arab Emirates

Ariel Peled, President, ISSA Israeli Chapter

P. Shreekanth, India

Karen Woo, Selangor, Malaysia

23.6 IIA International Advanced Technology Committee

Anton van Wyk (Chairman), CIA, PricewaterhouseCoopers, South Africa

Alexandre Alves Apparecido, Brasil Telecom, Brazil

Ken D. Askelson, CIA, JC Penney Co. Inc., USA

Dror Aviv, CFSA, IIA Israel

Donald L. Bailey, Grant Thornton LLP, USA

E.W. Sean Ballington, PricewaterhouseCoopers LLP, USA (originally South Africa)

Norman F. Barber, Microsoft Corp., USA

David F. Bentley, QiCA, Consultant, England

Claude Cargou, GIE AXA, France

Michael P. Fabrizius, CIA, Bon Secours Health System Inc., USA

Ramiz Tofigi Ganizade, Azerbaijan Republic Chamber of Auditors, Azerbaijan

Douglas Guerrero, EDS Corp., USA

Dr. Ulrich Hahn, CIA, Syngenta International, Switzerland

David J. Hill, IBM Corp., USA

Michael S. Hines, CIA, Purdue University, USA

Mark J. Hornung, Ernst & Young LLP, USA

Gene Kim, CTO, Tripwire Inc., USA

David S. Lione, KPMG LLP Southeast Region, USA

Peter B. Millar, ACL Services Ltd., Canada

Allan M. Newstadt, CIA, World Bank/International Finance Corp., USA

Brenda J. S. Putman, CIA, City Utilities of Springfield, USA


Kyoko Shimizu, CIA, Shin Nihon & Co., Japan

Brian M. Spindel, CIA, SecurePipe Inc., USA

Rajendra P. Srivastava, University of Kansas, USA

Jay Stott, CIA, Fidelity Investments, USA

Jay R. Taylor, CIA, CISA, CFE, General Motors Corp., USA

Thomas Jason Wood, CIA, Ernst & Young LLP, USA

Akitomo Yamamoto, IIA Japan

23.7 The Writing Team

David A. Richards, CIA, President, The IIA

Alan S. Oliphant, MIIA, QiCA, MAIR International

Charles H. Le Grand, CIA, CHL Global

23.8 IIA Headquarters Staff Production Team

Michael Feland

Trish Harris

Tim McCollum

Information Technology Controls

This guide focuses on how IT roles and responsibilities are dispersed throughout the organization, how accurate assessment of IT controls is achieved, and how an organization can promote IT reliability and efficiency.

What is GTAG?

Prepared by The Institute of Internal Auditors, each Global Technology Audit Guide (GTAG) is written in straightforward business language to address a timely issue related to information technology management, control, or security. GTAG is a ready resource series for chief audit executives to use in the education of members of the board and audit committee, management, process owners, and others regarding technology-associated risks and recommended practices.

Business Continuity Management

This GTAG focuses on how business continuity management (BCM) is designed to enable business leaders to manage the level of risk the organization could potentially encounter if a natural or man-made disruptive event that affects the extended operability of the organization were to occur. The guide includes disaster recovery planning for continuity of critical information technology infrastructure and business application systems.

Chief audit executives (CAEs) have been challenged to educate corporate executives on the risks, controls, costs, and benefits of adopting a BCM program. Although it is true that recent disasters around the world have motivated some corporate leaders to give attention to BCM programs, the implementation of such programs is far from universal. The key challenge is engaging corporate executives to make BCM a priority. Although most executives are likely to agree that BCM is a good idea, many will struggle to find the budget necessary to fund the program as well as an executive sponsor that has the time to ensure its success. Business Continuity Management will help the CAE communicate business continuity risk awareness and support management in its development and maintenance of a BCM program.

Visit www.theiia.org/guidance/technology/gtag/gtag10 to rate this GTAG or submit your comments.

Order Number 100645
IIA Member US $25
Nonmember US $30
IIA Event US $22.50

www.theiia.org

ISBN 0-89413-570-8
ISBN 978-0-89413-623-8


GTAG — Letter from the President — 1

In my previous role as a chief audit executive (CAE), I noted a need for guidance on IT management and control written specifically for executives. So, one of my first acts as president of The IIA was to initiate a project to produce this IT Controls guide. This guide is for the executive, not the technical staff — although it will help those personnel better relate to management and governance perspectives.

The purpose of this document is to explain IT controls and audit practice in a format that allows CAEs to understand and communicate the need for strong IT controls. It is organized to enable the reader to move through the framework for assessing IT controls and to address specific topics based on need. This document provides an overview of the key components of IT control assessment, with an emphasis on the roles and responsibilities of key constituents within the organization who can drive governance of IT resources. You may already be familiar with some aspects of this document, while other segments will provide new perspectives on how to approach this key audit strategy. It is our hope that the components can be used to educate others about what IT controls are and why management and internal auditing must ensure proper attention is paid to this fundamental methodology for good governance.

Although technology provides opportunities for growth and development, it also provides the means and tools for threats such as disruption, deception, theft, and fraud. Outside attackers threaten our organizations, yet trusted insiders are a far greater threat. Fortunately, technology can also provide protection from threats, as you will see in this guide. Executives should know the right questions to ask and what the answers mean. For example:

• Why should I understand IT controls? One word: Assurance. Executives play a key role in assuring information reliability. Assurance comes primarily from an interdependent set of business controls plus the evidence that controls are continuous and sufficient. Management and governance must weigh the evidence provided by controls and audits and conclude that it provides reasonable assurance. This guide will help you understand the evidence.

• What is to be protected? Let's start with trust. Trust enables business and efficiency. Controls provide the basis for trust, although they are often unseen. Technology provides the foundation for many — perhaps most — business controls. Reliability of financial information and processes — now mandated for many companies — is all about trust.

• Where are IT controls applied? Everywhere. IT includes technology components, processes, people, organization, and architecture — collectively known as infrastructure — as well as the information itself. Many of the infrastructure controls are technical, and IT supplies the tools for many business controls.

• Who is responsible? Everybody. But you must specify control ownership and responsibilities; otherwise, no one is responsible. This guide addresses specific responsibilities for IT controls.

• When do we assess IT controls? Always. IT is a rapidly changing environment, fueling business change. New risks emerge at a rapid pace. Controls must present continuous evidence of their effectiveness, and that evidence must be assessed and evaluated constantly.

• How much control is enough? You must decide. Controls are not the objective; controls exist to help meet business objectives. Controls are a cost of doing business and can be expensive — but not nearly as expensive as the probable consequences of inadequate controls.

IT controls are essential to protect assets, customers, and partners and sensitive information; demonstrate safe, efficient, and ethical behavior; and preserve brand, reputation, and trust. In today's global market and regulatory environment, these are all too easy to lose.

Use this guide as a foundation to assess or build your organization's framework and audit practices for IT business control, compliance, and assurance. Use it to help make sense of the conflicting advice you receive. Make sure all the elements are in place to meet the challenges of constant change, increasing complexity, rapidly evolving threats, and the need to improve efficiency constantly.

The IIA produced this guide, but it is truly a team effort. The principal writers are Charles H. Le Grand of CHL Global and Alan S. Oliphant, FIIA, MIIA, QiCA, of Mair International. We owe a great debt of gratitude to our partners, IIA international affiliates, and members of the Global Technology Audit Guide (GTAG) team. We are grateful for their support and encouragement. This guide is a testimony to what The IIA does best: "Progress Through Sharing."

Sincerely,

David A. Richards, CIA, CPA
President, The Institute of Internal Auditors Inc.

GTAG Information Technology Controls describes the knowledge needed by members of governing bodies, executives, IT professionals, and internal auditors to address technology control issues and their impact on business. Other professionals may find the guidance useful and relevant. The guide provides information on available frameworks for assessing IT controls and describes how to establish the right framework for an organization. Moreover, it sets the stage for future GTAGs that will cover specific IT topics and associated business roles and responsibilities in greater detail.

The objectives of the IT Controls guide are to:

• Explain IT controls from an executive perspective.

• Explain the importance of IT controls within the overall system of internal controls.

• Describe the organizational roles and responsibilities for ensuring IT controls are addressed adequately within the overall system of internal controls.

• Describe the concepts of risk inherent in the use and management of technology by any organization.

• Describe the basic knowledge and understanding of IT controls needed by the CAE to ensure effective internal audit assessments of IT controls.

• Describe the relevant elements of the IT controls assessment process as provided by the internal audit function.

2.1 Introduction to IT Controls

IT controls do not exist in isolation. They form an interdependent continuum of protection, but they may also be subject to compromise due to a weak link. They are subject to error and management override, may range from simple to highly technical, and may exist in a dynamic environment.

IT controls have two significant elements: the automation of business controls and control of IT. Thus, IT controls support business management and governance as well as provide general and technical controls over IT infrastructures.

The internal auditor's role in IT controls begins with a sound conceptual understanding and culminates in providing the results of risk and control assessments. Internal auditing involves significant interaction with the people in positions of responsibility for controls and requires continuous learning and reassessment as new technologies emerge and the organization's opportunities, uses, dependencies, strategies, risks, and requirements change.

2.2 Understanding IT Controls

IT controls provide for assurance related to the reliability of information and information services. IT controls help mitigate the risks associated with an organization's use of technology. They range from corporate policies to their physical implementation within coded instructions, from physical access protection through the ability to trace actions and transactions to responsible individuals, and from automatic edits to reasonability analysis for large bodies of data.

You don't need to know "everything" about IT controls, but remember two key control concepts:

bull Assurance must be provided by the IT controls within the system of internal controls This assurancemust be continuous and provide a reliable and continuous trail of evidence

bull The auditorrsquos assurance is an independent and objective assessment of the first assurance Auditorassurance is based on understanding examining andassessing the key controls related to the risks theymanage and performing sufficient testing to ensurethe controls are designed appropriately and function-ing effectively and continuously

Many frameworks exist for categorizing IT controls and their objectives. This guide recommends that each organization use the applicable components of existing frameworks to categorize and assess IT controls, and to provide and document its own framework for:

• Compliance with applicable regulations and legislation.

• Consistency with the organization's goals and objectives.

• Reliable evidence (reasonable assurance) that activities comply with management's governance policies and are consistent with the organization's risk appetite.

2.3 Importance of IT Controls

Many issues drive the need for IT controls, ranging from the need to control costs and remain competitive through the need for compliance with internal and external governance. IT controls promote reliability and efficiency and allow the organization to adapt to changing risk environments. Any control that mitigates or detects fraud or cyber attacks enhances the organization's resiliency because it helps the organization uncover the risk and manage its impact. Resiliency is a result of a strong system of internal controls, because a well-controlled organization has the ability to manage challenges or disruptions seamlessly.

Key indicators of effective IT controls include:

• The ability to execute and plan new work such as IT infrastructure upgrades required to support new products and services.

• Development projects that are delivered on time and within budget, resulting in cost-effective and better product and service offerings compared to competitors.

• Ability to allocate resources predictably.

• Consistent availability and reliability of information and IT services across the organization and for customers, business partners and other external interfaces.

• Clear communication to management of key indicators of effective controls.

• The ability to protect against new vulnerabilities and threats and to recover from any disruption of IT services quickly and efficiently.

• The efficient use of a customer support center or help desk.

• Heightened security awareness on the part of the users and a security-conscious culture throughout the organization.

2.4 IT Roles and Responsibilities

Many different roles have emerged in recent years for positions within the organization with IT control responsibilities and ownership. Each position within the governance, management, operational and technical levels should have a clear description of its roles, responsibilities and ownership for IT controls to ensure accountability for specific issues. This section addresses the various IT control roles and responsibilities within the organization and allocates them to specific positions within a hypothetical organizational structure.

2.5 Analyzing Risk

IT controls are selected and implemented on the basis of the risks they are designed to manage. As risks are identified, suitable risk responses are determined, ranging from doing nothing and accepting the risk as a cost of doing business to applying a wide range of specific controls, including insurance. This section explains the concepts of when to apply IT controls.

2.6 Monitoring and Techniques

The implementation of a formal control framework facilitates the process of identifying and assessing the IT controls necessary to address specific risks. A control framework is a structured way of categorizing controls to ensure the whole spectrum of control is covered adequately. The framework can be informal or formal; a formal approach will more readily satisfy the various regulatory or statutory requirements for organizations subject to them. The process of choosing or constructing a control framework should involve all positions in the organization with direct responsibility for controls. The control framework should apply to and be used by the whole organization, not just internal auditing.

2.7 IT Control Assessment

Assessing IT controls is a continuous process. Business processes are changing constantly as technology continues to evolve. Threats emerge as new vulnerabilities are discovered. Audit methods improve as auditors adopt an approach where IT control issues in support of the business objectives are near the top of the agenda.

Management provides IT control metrics and reporting. Auditors attest to their validity and opine on their value. The auditor should liaise with management at all levels and with the audit committee to agree on the validity and effectiveness of the metrics and assurances for reporting.


IT is an integral part of all processes that enable businesses and governments to accomplish their missions and objectives. IT facilitates local and global communications and fosters international business cooperation. IT controls have two significant components: automation of business controls and control of IT. They support business management and governance, and they provide general and technical controls over the policies, processes, systems and people that comprise IT infrastructures.

IT controls do not exist in isolation. They form an interdependent continuum of protection, but they also may be subject to compromise due to a "weak link." They are subject to error and management override, may range from simple to highly technical, and may exist in a dynamic environment. IT controls support the concept of "defense in depth," so a single weakness does not always result in a single point of failure.

Controls exist to protect stakeholder interests:

• The owner's equity.

• Customer concerns such as privacy and identity.

• Employees' jobs and abilities to prove they did the right thing.

• Management's comfort with the assurance provided by automated processes.

IT control assurance addresses the ability of controls to protect the organization against the most important threats and provides evidence that remaining risks are unlikely to harm the organization and its stakeholders significantly. These controls also are essential for assuring the reliability of financial processes and reporting.

GTAG – Introduction – 3

They are all connected

When a security administrator selects the settings in a firewall configuration file (a technical task requiring specific skills and knowledge), he or she implements a policy (which may or may not be documented elsewhere) that, when deployed, determines the messages that will or will not be allowed into or out of the communications network and establishes the "ports" through which they may travel. Your organization gets an element of protection from its firewalls that is vital to the protection of information and the infrastructures where that information is collected, processed, stored and communicated.
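As an added illustration (not part of the GTAG text), the Python below models a firewall rule set the way the paragraph describes it: an ordered list of rules, evaluated first-match, with a default-deny fallthrough for anything the policy does not mention. It also reports rules that an earlier, broader rule makes unreachable, which is a routine finding in a rule-set review. The rule syntax, addresses and ports are constructed for the example and are not a real vendor format.

```python
"""Firewall policy evaluator: added example, not code from the GTAG.

A rule set is an ordered list; the first rule that matches a packet decides
its fate, and traffic matching no rule gets the default policy (deny).
The rule syntax below is constructed for illustration, not a vendor format:
    action direction proto src_cidr dst_cidr dst_port
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed policy for a /24 of servers (assumed addresses, not real ones).
POLICY = """
# inbound: HTTPS from anywhere, SSH only from the management network
allow in  tcp 0.0.0.0/0     10.0.0.0/24  443
allow in  tcp 10.10.0.0/16  10.0.0.0/24  22
deny  in  any 0.0.0.0/0     0.0.0.0/0    any   # explicit default deny
# outbound: DNS to the resolver, HTTPS anywhere
allow out udp 10.0.0.0/24   10.0.0.53/32 53
allow out tcp 10.0.0.0/24   0.0.0.0/0    443
allow out tcp 10.0.0.0/24   0.0.0.0/0    443   # duplicate: shadowed by the rule above
"""


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    direction: str         # "in" or "out"
    proto: str             # "tcp", "udp" or "any"
    src: str               # CIDR
    dst: str               # CIDR
    port: Optional[int]    # destination port, None means any


@dataclass(frozen=True)
class Packet:
    direction: str
    proto: str
    src: str
    dst: str
    dport: int


def parse_rules(text: str) -> List[Rule]:
    """Parse the constructed rule syntax; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        action, direction, proto, src, dst, port = line.split()
        if action not in ("allow", "deny") or direction not in ("in", "out"):
            raise ValueError(f"bad rule: {raw!r}")
        for cidr in (src, dst):
            ip_network(cidr)            # fail early on a malformed CIDR
        rules.append(Rule(action, direction, proto, src, dst,
                          None if port == "any" else int(port)))
    return rules


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction
            and rule.proto in ("any", pkt.proto)
            and ip_address(pkt.src) in ip_network(rule.src)
            and ip_address(pkt.dst) in ip_network(rule.dst)
            and rule.port in (None, pkt.dport))


def decide(rules: List[Rule], pkt: Packet, default: str = "deny") -> str:
    """First-match evaluation; unmatched traffic falls through to the default."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return default


def covers(broad: Rule, narrow: Rule) -> bool:
    """True if every packet matching `narrow` would already match `broad`."""
    return (broad.direction == narrow.direction
            and broad.proto in ("any", narrow.proto)
            and ip_network(narrow.src).subnet_of(ip_network(broad.src))
            and ip_network(narrow.dst).subnet_of(ip_network(broad.dst))
            and broad.port in (None, narrow.port))


def shadowed(rules: List[Rule]) -> List[int]:
    """Indexes of rules that can never fire because an earlier rule covers them."""
    return [j for j, later in enumerate(rules)
            if any(covers(earlier, later) for earlier in rules[:j])]


RULES = parse_rules(POLICY)

if __name__ == "__main__":
    for pkt in (Packet("in", "tcp", "203.0.113.5", "10.0.0.8", 443),
                Packet("in", "tcp", "203.0.113.5", "10.0.0.8", 22),
                Packet("out", "tcp", "10.0.0.8", "198.51.100.1", 80)):
        print(pkt, "->", decide(RULES, pkt))
    print("unreachable rules:", shadowed(RULES))
```

The point for the reviewer is in the last two functions: a rule that can never fire is usually either a leftover or a sign that an earlier rule is broader than its author intended, and the order of rules is itself part of the policy.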

When CAEs review and assess the controls over IT, they should ask:

• What do we mean by IT controls?
• Why do we need IT controls?
• Who is responsible for IT controls?
• When is it appropriate to apply IT controls?
• Where exactly are IT controls applied?
• How do we perform IT control assessments?

The audit process provides a formal structure for addressing IT controls within the overall system of internal controls. Figure 1, The Structure of IT Auditing, below divides the assessment into a logical series of steps.

The internal auditor's role in IT controls begins with a sound conceptual understanding and culminates in providing the results of risk and control assessments. Internal auditors interact with the people responsible for controls and must pursue continuous learning and reassessment as new technologies emerge and the organization's opportunities, uses, dependencies, strategies, risks and requirements change.

GTAG – Assessing IT Controls – An Overview – 4

"I keep six honest serving-men
(They taught me all I knew);
Their names are What and Why and When
and How and Where and Who."

– Rudyard Kipling, from "Elephant's Child" in Just So Stories

Figure 1 - The Structure of IT Auditing


COSO¹ defines internal control as "A process, effected by an organization's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

• Effectiveness and efficiency of operations.
• Reliability of financial reporting.
• Compliance with applicable laws and regulations."

IT controls encompass those processes that provide assurance for information and information services and help mitigate the risks associated with an organization's use of technology. These controls range from written corporate policies to their implementation within coded instructions; from physical access protection to the ability to trace actions and transactions to the individuals who are responsible for them; and from automatic edits to reasonability analysis for large bodies of data.

5.1 Control Classifications

Controls may be classified to help understand their purposes and where they fit into the overall system of internal controls (see Figure 3, Some Control Classifications, page 4). By understanding these classifications, the control analyst and auditor are better able to establish their positions in the control framework and answer key questions such as: Are the detective controls adequate to identify errors that may get past the preventive controls? Are corrective controls sufficient to fix the errors once detected? A common classification of IT controls is general versus application.

General controls (also known as infrastructure controls) apply to all systems, components, processes and data for a given organization or systems environment. General controls include, but are not limited to, information security policy, administration, access and authentication, separation of key IT functions, management of systems acquisition and implementation, change management, backup, recovery and business continuity.

Application controls pertain to the scope of individual business processes or application systems. They include such controls as data edits, separation of business functions (e.g., transaction initiation versus authorization), balancing of processing totals, transaction logging and error reporting.

The function of a control is highly relevant to the assessment of its design and effectiveness. Controls may be classified as preventive, detective or corrective.

Preventive controls prevent errors, omissions or security incidents from occurring. Examples include simple data-entry edits that block alphabetic characters from being entered into numeric fields, access controls that protect sensitive data or system resources from unauthorized people, and complex and dynamic technical controls such as antivirus software, firewalls and intrusion prevention systems.

GTAG – Understanding IT Controls – 5

¹ COSO – Committee of Sponsoring Organizations for the Commission on Fraudulent Financial Reporting (The Committee of Sponsoring Organizations of the Treadway Commission). See www.coso.org.

It is not necessary to know "everything" about IT controls

Do not be concerned if you do not understand the full continuum or all the technical intricacies of IT controls. Many of these controls are the domain of specialists who manage specific risks associated with individual components of the systems and network infrastructure. In keeping with good separation of duties practices, some people who have specialized knowledge in a technology such as database management may know little about network components or communication protocols, and vice versa.

There are two key control concepts to remember:

1. Assurance must be provided by the IT controls within the whole system of internal control and must be continuous and produce a reliable and continuous trail of evidence.

2. The auditor's assurance is an independent and objective assessment of the first assurance. It is based on understanding, examining and assessing the key controls related to the risks the auditors manage, as well as performing sufficient tests to ensure the controls are designed appropriately and function effectively.

Figure 2

Detective controls detect errors or incidents that elude preventive controls. For example, a detective control may identify account numbers of inactive accounts or accounts that have been flagged for monitoring of suspicious activities. Detective controls can also include monitoring and analysis to uncover activities or events that exceed authorized limits or violate known patterns in data that may indicate improper manipulation. For sensitive electronic communications, detective controls can indicate that a message has been corrupted or the sender's secure identification cannot be authenticated.

Corrective controls correct errors, omissions or incidents once they have been detected. They vary from simple correction of data-entry errors, to identifying and removing unauthorized users or software from systems or networks, to recovery from incidents, disruptions or disasters.

Generally, it is most efficient to prevent errors or detect them as close as possible to their source to simplify correction. These corrective processes also should be subject to preventive and detective controls, because they represent another opportunity for errors, omissions or falsification.
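To make the preventive/detective/corrective distinction concrete, and with it the application controls named earlier in this section (data edits, separation of initiation from authorization, balancing of processing totals), here is an added Python example that is not from the GTAG. A preventive input edit rejects a malformed record before it can be posted; detective checks over the accepted batch flag self-approval, amounts above the approver's limit and postings to inactive accounts; and a balancing check compares the processed batch with the submitter's control count and total, so that the rejected record surfaces as an out-of-balance condition for the corrective step. The batch, approver limits, account format and inactive-account list are constructed for the example.

```python
"""Application-control checks over a constructed transaction batch.

Added example, not code from the GTAG. Preventive control: input edits
reject malformed records before posting. Detective controls over the
accepted records: initiator must not be the approver, amount must be within
the approver's authorized limit, no posting to inactive accounts, and the
processed batch must balance to the submitter's control count and total.
Records, limits and account lists are constructed for illustration.
"""
import re
from decimal import Decimal, InvalidOperation

ACCOUNT_RE = re.compile(r"^\d{8}$")       # assumed 8-digit account format
REQUIRED = ("id", "account", "amount", "initiator", "approver")


def validate_entry(rec: dict) -> list:
    """Preventive edit: reasons the record must be rejected (empty list = accept)."""
    errors = []
    for field in REQUIRED:
        if not rec.get(field):
            errors.append(f"{field} missing")
    if rec.get("account") and not ACCOUNT_RE.match(rec["account"]):
        errors.append("account must be exactly 8 digits")
    try:
        if Decimal(str(rec.get("amount", ""))) <= 0:
            errors.append("amount must be positive")
    except InvalidOperation:
        errors.append("amount is not numeric")   # blocks letters in a numeric field
    return errors


def detect_exceptions(batch: list, limits: dict, inactive: set) -> list:
    """Detective review of accepted records; returns (record id, reason) pairs."""
    findings = []
    for rec in batch:
        if rec["initiator"] == rec["approver"]:
            findings.append((rec["id"], "initiator approved own transaction"))
        limit = limits.get(rec["approver"], Decimal("0"))
        if Decimal(rec["amount"]) > limit:
            findings.append((rec["id"], f"amount exceeds approver limit {limit}"))
        if rec["account"] in inactive:
            findings.append((rec["id"], "posting to inactive account"))
    return findings


def balance_batch(batch: list, control_count: int, control_total: Decimal) -> dict:
    """Balancing control: processed count and total must equal the submitted control figures."""
    total = sum((Decimal(r["amount"]) for r in batch), Decimal("0"))
    return {"count": len(batch), "total": total,
            "count_ok": len(batch) == control_count, "total_ok": total == control_total}


# Constructed batch: T2 is self-approved and over limit, T3 fails the input
# edits (letter in the account and in the amount), T4 posts to an inactive account.
BATCH = [
    {"id": "T1", "account": "10020030", "amount": "1500.00",  "initiator": "alice", "approver": "bob"},
    {"id": "T2", "account": "10020031", "amount": "25000.00", "initiator": "carol", "approver": "carol"},
    {"id": "T3", "account": "1002003X", "amount": "12O.00",   "initiator": "dave",  "approver": "bob"},
    {"id": "T4", "account": "10020099", "amount": "800.00",   "initiator": "erin",  "approver": "bob"},
]
LIMITS = {"bob": Decimal("10000"), "carol": Decimal("10000")}   # assumed approver limits
INACTIVE = {"10020099"}
# Control figures as submitted with the batch (T3 was meant to be 120.00).
CONTROL_COUNT, CONTROL_TOTAL = 4, Decimal("27420.00")


def run_controls(batch: list = BATCH) -> dict:
    rejected = {r["id"]: validate_entry(r) for r in batch if validate_entry(r)}
    accepted = [r for r in batch if r["id"] not in rejected]
    return {"rejected": rejected,
            "findings": detect_exceptions(accepted, LIMITS, INACTIVE),
            "balance": balance_batch(accepted, CONTROL_COUNT, CONTROL_TOTAL)}


if __name__ == "__main__":
    for key, value in run_controls().items():
        print(key, value)
```

Note that the balancing check fails on both count and total only because a record was rejected upstream: the corrective action (fix T3 and resubmit) is itself a change to the batch and, as the paragraph above says, needs the same preventive and detective checks run again rather than a manual override.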

Many other control classifications described in this guide may be useful in assessing their effectiveness. For example, automated controls tend to be more reliable than manual controls, and nondiscretionary controls are more likely to be applied consistently than discretionary controls. Other control classifications include mandatory, voluntary, complementary, compensating, redundant, continuous, on-demand and event-driven.

5.2 Governance, Management, Technical

Another common classification of controls is by the group responsible for ensuring they are implemented and maintained properly. For the purpose of assessing roles and responsibilities, this guide primarily categorizes IT controls as governance, management and technical. Information security program elements for these three categories are described in Appendix A (page 25). The first two levels, governance and management, are the most applicable to the scope of this guide, although it may also be useful to understand how higher-level controls specifically are established within the technical IT infrastructures. Technical controls will be the subject of more topic-specific GTAGs.

5.2.1 Governance Controls

The primary responsibility for internal control resides with the board of directors in its role as keeper of the governance framework. IT control at the governance level involves ensuring that effective information management and security principles, policies and processes are in place and that performance and compliance metrics demonstrate ongoing support for that framework.

Governance controls are those mandated by and controlled by either the entire board of directors or a board committee, in conjunction with the organization's executive management. These controls are linked with the concepts of corporate governance, which are driven both by organizational goals and strategies and by outside bodies such as regulators.

An important distinction between governance and management controls is the concept of "noses in, fingers out." The board's responsibility involves oversight rather than actually performing control activities. For example, the audit committee of the board does no auditing, but it does oversee both the internal and external auditing of the organization.

5.2.2 Management Controls

Management responsibility for internal controls typically involves reaching into all areas of the organization, with special attention to critical assets, sensitive information and operational functions. Consequently, close collaboration among board members and executive managers is essential. Management must make sure the IT controls needed to achieve the organization's established objectives are applied and ensure reliable and continuous processing. These controls are deployed as a result of deliberate actions by management to:

• Recognize risks to the organization, its processes and assets.

• Enact mechanisms and processes to mitigate and manage risks (protect, monitor and measure results).

5.2.3 Technical Controls

Technical controls form the foundation that ensures the reliability of virtually every other control in the organization. For example, by protecting against unauthorized access and intrusion, they provide the basis for reliance on the integrity of information, including evidence of all changes and their authenticity. These controls are specific to the technologies in use within the organization's IT infrastructures. The ability to automate technical controls that implement and demonstrate compliance with management's intended information-based policies is a powerful resource to the organization.

Figure 3 - Some Control Classifications

5.3 IT Controls – What to Expect

Individual control mechanisms a CAE can expect to find within the organization can be defined within the hierarchy of IT controls, from the overall high-level policy statements issued by management and endorsed by the board of directors down to the specific control mechanisms incorporated into application systems.

The hierarchy in Figure 4, IT Controls, this page represents a logical "top-down" approach, both when considering controls to implement and when determining areas on which to focus audit resources during reviews of the entire IT operating environment. The different elements of the hierarchy are not mutually exclusive; they are all connected and can intermingle. Many of the control types within the elements are described below.

5.3.1 Policies

All organizations need to define their aims and objectives through strategic plans and policy statements. Without clear statements of policy and standards for direction, organizations can become disoriented and perform ineffectively. Organizations with clearly defined aims and objectives tend to be successful.

Because technology is vital to the operations of most organizations, clear policy statements regarding all aspects of IT should be devised and approved by management, endorsed by the board of directors and communicated to all staff. Many different policy statements can be required, depending on the organization's size and the extent to which it deploys IT. For smaller organizations a single policy statement may be sufficient, provided it covers all the relevant areas. Larger organizations that implement IT extensively will require more detailed and specific policies.

IT policy statements include, but are not restricted to:

• A general policy on the level of security and privacy throughout the organization. This policy should be consistent with all relevant national and international legislation and should specify the level of control and security required depending on the sensitivity of the system and data processed.

• A statement on the classification of information and the rights of access at each level. The policy should also define any limitations on the use of this information by those approved for access.

• A definition of the concepts of data and systems ownership, as well as the authority necessary to originate, modify or delete information. Without these guidelines it is often difficult to coordinate change within large organizations, because there may not be anyone designated to have overall responsibility for the data or systems.

• A general policy that defines the extent to which users can deploy intelligent workstations to create their own applications.

• Personnel policies that define and enforce conditions for staff in sensitive areas. This includes the positive vetting of new staff prior to joining the organization, carrying out annual credit checks, and having employees sign agreements accepting responsibility for the required levels of control, security and confidentiality. This policy would also detail related disciplinary procedures.

• Definitions of overall business continuity planning requirements. These policies should ensure that all aspects of the business are considered in the event of a disruption or disaster, not just the IT elements.

A good source of IT and security policies is the SANS Security Policy Resource page (http://www.sans.org/resources/policies/#intro), a consensus research project of the SANS Institute community. The project offers free resources for rapid development and implementation of information security policies, including policy templates for 24 important security requirements. Although the templates were compiled to help the people attending SANS training programs, SANS makes them available to the world because Internet security depends on vigilance by all participants.

Figure 4 – IT Controls

The Center for Internet Security (www.cisecurity.org) reports that applying controls consistently over system and network component configuration will protect the organization from more than 85 percent of the top vulnerabilities identified by the U.S. National Institute of Standards and Technology (NIST), Federal Bureau of Investigation (FBI), SANS Institute and Computer Security Institute (CSI).

5.3.2 Standards

Standards exist to support the requirements of policies. They are intended to define ways of working that achieve the required objectives of the organization. Adopting and enforcing standards also promotes efficiency, because staff are not required to reinvent the wheel every time a new business application is built or a new network is installed. Standards also enable the organization to maintain the whole IT operating environment more efficiently.

Large organizations with significant resources are in a position to devise their own standards. On the other hand, smaller organizations rarely have sufficient resources for this exercise. There are many sources of information on standards and best practice, some of which are listed in Appendix I (see page 45).

As a guideline, the CAE should expect to see standards adopted for:

• Systems Development Processes – When organizations develop their own applications, standards apply to the processes for designing, developing, testing, implementing and maintaining systems and programs. If organizations outsource application development or acquire systems from vendors, the CAE should ascertain that agreements require the providers to apply standards consistent with the organization's standards or acceptable to the organization.

• Systems Software Configuration – Because systems software provides a large element of control in the IT environment, standards related to secure system configurations, such as the CIS Benchmarks from the Center for Internet Security, are beginning to gain wide acceptance by leading organizations and technology providers. The way products such as operating systems, networking software and database management systems are configured can either enhance security or create weaknesses that can be exploited.

• Application Controls – All applications which support business activities need to be controlled. Standards are necessary for all applications the organization develops or purchases that define the types of controls that must be present across the whole range of business activities, as well as the specific controls that should apply to sensitive processes and information.

• Data Structures – Having consistent data definitions across the full range of applications ensures disparate systems can access data seamlessly and security controls for private and other sensitive data can be applied uniformly.

• Documentation – Standards should specify the minimum level of documentation required for each application system or IT installation, as well as for different classes of applications, processes and processing centers.

As with policies, standards should be approved by management, should be written in clear and understandable language, and should be made available to all who implement them.

5.3.3 Organization and Management

Organization and management plays a major role in the whole system of IT control, as it does with every aspect of an organization's operations. An appropriate organization structure allows lines of reporting and responsibility to be defined and effective control systems to be implemented.

5.3.3.1 Separation of Duties

Separation of duties is a vital element of many controls. An organization's structure should not allow responsibility for all aspects of processing data to rest upon one individual or department. The functions of initiating, authorizing, inputting, processing and checking data should be separated to ensure no individual can both create an error, omission or other irregularity and authorize it and/or obscure the evidence. Separation-of-duties controls for application systems are provided by granting access privileges only in accordance with job requirements for processing functions and accessing sensitive information.

Traditional separation of duties within the IT environment is divided between systems development and operations. Operations should be responsible for running production systems (except for change deployment) and should have little or no contact with the development process. This control includes restrictions preventing operators from accessing or modifying production programs, systems or data. Similarly, systems development personnel should have little contact with production systems. By assigning specific roles during implementation and other change processes to both the personnel responsible for application systems and those responsible for operations, appropriate separation of duties can be enforced. In large organizations many other functions should be considered to ensure appropriate separation of duties, and these controls can be quite detailed. For example, privileged accounts such as the Administrator group in Windows and the superuser (root) in UNIX can modify log entries, access any file and, in many cases, act as any user or role. It is important to restrict the number of individuals with this privilege to a minimum. Software tools are also available, and should be considered, to limit the power and monitor the activities of individuals with privileged accounts.
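As an added example (not from the GTAG), the Python below performs the privileged-account and separation-of-duties review the preceding paragraph calls for on a UNIX-style host: it parses constructed /etc/group and sudoers text, lists every account that can run any command as root, and flags both a count above a policy threshold and users who belong to a development group as well as an operations or privileged group. Group names, the sudoers fragment and the threshold are assumptions for illustration; on a real host the same logic would read /etc/group and the output of visudo -c or sudo -l.

```python
"""Privileged-account and separation-of-duties review for a UNIX-style host.

Added example, not code from the GTAG. Parses constructed /etc/group and
sudoers text, lists every account that can run any command as root, and
flags (a) more such accounts than policy allows and (b) users who sit in
a development group as well as an operations or privileged group.
Group names, the sudoers fragment and the threshold are assumptions.
"""
import re

# Constructed /etc/group content (name:password:gid:members).
GROUP_FILE = """\
root:x:0:
wheel:x:10:alice,bob
developers:x:1001:carol,dave,alice
operators:x:1002:bob,erin
"""

# Constructed sudoers fragment (user or %group, host=(runas) [NOPASSWD:] commands).
SUDOERS = """\
root    ALL=(ALL:ALL) ALL
%wheel  ALL=(ALL:ALL) ALL
frank   ALL=(ALL) NOPASSWD: ALL
carol   ALL=(ALL) /usr/bin/systemctl restart app   # scoped command, not full root
"""

SUDO_LINE = re.compile(r"^(%?\S+)\s+\S+=\([^)]*\)\s*(?:NOPASSWD:\s*)?(.+)$")


def parse_groups(text: str) -> dict:
    """Map group name -> set of member user names."""
    groups = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, _gid, members = line.split(":")
        groups[name] = {m for m in members.split(",") if m}
    return groups


def full_root_via_sudo(text: str, groups: dict) -> set:
    """Users granted 'ALL' commands through sudo, directly or via a %group."""
    users = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = SUDO_LINE.match(line) if line else None
        if not m:
            continue
        principal, commands = m.groups()
        if commands.strip() != "ALL":
            continue                     # a scoped command list is not full root
        if principal.startswith("%"):
            users |= groups.get(principal[1:], set())
        else:
            users.add(principal)
    return users


def review(group_text: str, sudoers_text: str, max_admins: int,
           dev_groups: tuple, ops_groups: tuple) -> tuple:
    """Return (sorted root-capable accounts, list of findings)."""
    groups = parse_groups(group_text)
    admins = full_root_via_sudo(sudoers_text, groups) | groups.get("root", set()) | {"root"}
    findings = []
    if len(admins) > max_admins:
        findings.append(f"{len(admins)} accounts can act as root; policy allows {max_admins}")
    devs = set().union(*(groups.get(g, set()) for g in dev_groups))
    ops = set().union(*(groups.get(g, set()) for g in ops_groups)) | admins
    for user in sorted(devs & ops):
        findings.append(f"{user} is in a development group and also has operations or root privileges")
    return sorted(admins), findings


if __name__ == "__main__":
    accounts, issues = review(GROUP_FILE, SUDOERS, max_admins=3,
                              dev_groups=("developers",), ops_groups=("operators",))
    print("root-capable accounts:", accounts)
    for issue in issues:
        print("FINDING:", issue)
```

Two details matter for the auditor reading the output: membership of a group granted ALL in sudoers (wheel here) confers root just as surely as a direct line, so the review must expand groups rather than count sudoers entries, and a scoped command list such as carol's is deliberately not counted as full root, which is the "limit the power" tooling the paragraph mentions.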

5.3.3.2 Financial Controls

Because organizations make considerable investments in IT, budgetary and other financial controls are necessary to ensure the technology yields the projected return on investment or proposed savings. Management processes should be in place to collect, analyze and report information related to these issues. Unfortunately, new IT developments often suffer massive cost over-runs and fail to deliver the expected cost savings because of insufficient planning. Budgetary controls can help identify potential failings early in the process and allow management to take positive action. They may also produce historical data that organizations can use in future projects.

5.3.3.3 Change Management

Change management processes can be specified under organizational and management control elements. These processes should ensure that changes to the IT environment, systems software, application systems and data are applied in a manner that enforces appropriate division of duties, makes sure changes work as required, prevents changes from being exploited for fraudulent purposes, and reveals the true costs of inefficiencies and system outages that can be obscured by ineffective monitoring and reporting processes. Change management is one of the most sensitive areas of IT controls and can seriously impact system and service availability if not administered effectively. The IT Process Institute has published research demonstrating that effective IT change management can bring significant benefits to organizations.

5.3.3.4 Other Management Controls

Other typical management controls include vetting procedures for new staff, performance measurement, provision of specialist training for IT staff, and disciplinary procedures. These are listed in the Information Security Program Elements in Appendix A and will be covered in greater detail in other GTAG publications.

5.3.4 Physical and Environmental Controls

IT equipment represents a considerable investment for many organizations. It must be protected from accidental or deliberate damage or loss. Physical and environmental controls, originally developed for large data centers that house mainframe computers, are equally important in the modern world of distributed client-server and Web-based systems. Although the equipment commonly used today is designed for ease of use in a normal office environment, its value to the business and the cost and sensitivity of applications running business processes can be significant. All equipment must be protected, including the servers and workstations that allow staff access to the applications.

Some typical physical and environmental controls include:

• Locating servers in locked rooms to which access is restricted.
• Restricting server access to specific individuals.
• Providing fire detection and suppression equipment.
• Housing sensitive equipment, applications and data away from environmental hazards such as low-lying flood plains or flammable liquid stores.

When considering physical and environmental security, it is also appropriate to consider contingency planning (also known as disaster recovery planning), which includes response to security incidents. What will the organization do if there is a fire or flood, or if any other threat manifests itself? How will the organization restore the business and related IT facilities and services to ensure normal processing continues with minimum effect on regular operations? This type of planning goes beyond merely providing for alternative IT processing power to be available and routine backup of production data; it must consider the logistics and coordination needed for the full scope of business activity. Finally, history consistently demonstrates that a disaster recovery plan that has not been tested successfully in a realistic simulation is not reliable.

5.3.5 Systems Software Controls

Systems software products enable the IT equipment to be used by the application systems and users. These products include operating systems such as Windows, UNIX and Linux; network and communications software; firewalls; antivirus products; and database management systems (DBMS) such as Oracle and DB2.

Systems software can be highly complex and can apply to components and appliances within the systems and network environment. It may be configured to accommodate highly specialized needs and normally requires a high degree of specialization to maintain it securely. Configuration techniques can control logical access to the applications, although some application systems contain their own access controls, and those application-level controls may provide an opening for hackers to use to break into a system. Configuration techniques also provide the means to enforce division of duties, generate specialized audit trails, and apply data integrity controls through access control lists, filters and activity logs.

IT audit specialists are required to assess controls in this area. Small organizations are unlikely to have the resources to employ such specialists and should consider outsourcing the work. Whether IT auditors are employed or outsourced, they require a highly specific set of knowledge. Much of this knowledge can come from experience, but such knowledge must be updated constantly to remain current and useful. Certification confirms that a technical specialist has acquired a specified set of knowledge and experience and has passed a related examination. In the IT audit world, global certificates include the Qualification in Computer Auditing (QiCA) from IIA–United Kingdom and Ireland, Certified Information Systems Auditor (CISA) available through the Information Systems Audit and Control Association (ISACA), and Global Information Assurance Certification (GIAC) Systems & Network Auditor (GSNA) from the SANS Institute's GIAC program. Additional certifications address general and specialized competence in information security, network administration and other areas closely related to IT auditing, and are useful for identifying an IT auditor's potential ability.

Some key technical controls the CAE should expect tofind in a well-managed IT environment include

• Access rights allocated and controlled according to the organization's stated policy.

• Division of duties enforced through systems software and other configuration controls.

• Intrusion and vulnerability assessment, prevention, and detection in place and continuously monitored.

• Intrusion testing performed on a regular basis.

• Encryption services applied where confidentiality is a stated requirement.

• Change management processes — including patch management — in place to ensure a tightly controlled process for applying all changes and patches to software, systems, network components, and data.
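Added example (not part of the GTAG text): a Python script an auditor could use to test the first two controls in the list above, comparing the access rights actually granted against the organization's stated role policy and its list of incompatible duties. The roles, permissions, and user assignments are constructed for illustration.

```python
"""Access-rights and division-of-duties review (added example, not from the GTAG).

Constructed inputs:
  ROLE_POLICY    -- the stated policy: which permissions each role may hold
  INCOMPATIBLE   -- pairs of duties that no single person may hold together
  GRANTED_ACCESS -- a hypothetical export of the rights actually configured
"""

ROLE_POLICY = {
    "ap_clerk":   {"vendor.create", "invoice.enter"},
    "ap_manager": {"invoice.approve", "payment.release"},
    "sysadmin":   {"os.admin", "audit_log.read"},
    "auditor":    {"audit_log.read"},
}

# Duties that policy says must be divided between different people.
INCOMPATIBLE = [
    ("vendor.create", "payment.release"),
    ("invoice.enter", "invoice.approve"),
    ("os.admin", "audit_log.delete"),
]

# Constructed export: user -> (assigned role, permissions actually granted).
GRANTED_ACCESS = {
    "alice": ("ap_clerk",   {"vendor.create", "invoice.enter"}),
    "bob":   ("ap_manager", {"invoice.approve", "payment.release", "vendor.create"}),
    "carol": ("sysadmin",   {"os.admin", "audit_log.read", "audit_log.delete"}),
    "dave":  ("auditor",    {"audit_log.read"}),
}


def review_access(role_policy, incompatible, granted):
    """Return findings as (user, finding_type, detail) tuples, in user order."""
    findings = []
    for user, (role, perms) in sorted(granted.items()):
        allowed = role_policy.get(role)
        if allowed is None:
            # A role that policy does not define: nothing is allowed for it.
            findings.append((user, "unknown_role", role))
            allowed = set()
        # Control 1: rights must match the stated policy for the user's role.
        for extra in sorted(perms - allowed):
            findings.append((user, "excess_right", extra))
        # Control 2: no single person may hold two incompatible duties.
        for a, b in incompatible:
            if a in perms and b in perms:
                findings.append((user, "sod_conflict", f"{a} + {b}"))
    return findings


def roles_with_policy_conflicts(role_policy, incompatible):
    """Policy-level check: a role whose own permission set contains an
    incompatible pair builds the conflict into the policy itself."""
    return [(role, a, b) for role, perms in role_policy.items()
            for a, b in incompatible if a in perms and b in perms]


if __name__ == "__main__":
    for finding in review_access(ROLE_POLICY, INCOMPATIBLE, GRANTED_ACCESS):
        print(*finding)
```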

5.3.6 Systems Development and Acquisition Controls

Organizations rarely adopt a single methodology for all systems development projects. Methodologies are chosen to suit the particular circumstances of each project. The IT auditor should assess whether or not the organization develops or acquires application systems using a controlled method that subsequently provides effective controls over and within the applications and the data they process. All computer application systems should perform only those functions the user requires, in an efficient way. By examining application development procedures, the auditor can gain assurance that applications work in a controlled manner.

Some basic control issues should be evident in all systems development and acquisition work:

• User requirements should be documented, and their achievement should be measured.

• Systems design should follow a formal process to ensure that user requirements and controls are designed into the system.

• Systems development should be conducted in a structured manner to ensure that requirements and design features are incorporated into the finished product.

• Testing should ensure that individual system elements work as required, system interfaces operate as expected, users are involved in the testing process, and the intended functionality has been provided.

• Application maintenance processes should ensure that changes in application systems follow a consistent pattern of control. Change management should be subject to structured assurance validation processes.

Where systems development is outsourced, the outsourcer or provider contracts should require similar controls.

Project management techniques and controls need to be part of the development process, whether developments are performed in-house or are outsourced. Management should know projects are on time and within budget and that resources are used efficiently. Reporting processes should ensure that management completely understands the current status of development projects and does not receive any surprises when the end product is delivered.

5.3.7 Application-based Controls

The objective of internal controls over application systems is to ensure that:

• All input data is accurate, complete, authorized, and correct.

• All data is processed as intended.

• All data stored is accurate and complete.

• All output is accurate and complete.

• A record is maintained to track the process of data from input to storage and to the eventual output.

Reviewing the application controls traditionally has been the "bread and butter" of the IT auditor. However, because application controls now represent a huge percentage of business controls, they should be the priority of every internal auditor. All internal auditors need to be able to evaluate a business process and understand and assess the controls provided by automated processes.

There are several types of generic controls that the CAE should expect to see in any application:

• Input Controls – These controls are used mainly to check the integrity of data entered into a business application, whether the source is input directly by staff, remotely by a business partner, or through a Web-enabled application. Input is checked to ensure that it remains within specified parameters.

• Processing Controls – These controls provide automated means to ensure processing is complete, accurate, and authorized.

• Output Controls – These controls address what is done with the data. They should compare results with the intended result and check them against the input.

• Integrity Controls – These controls can monitor data in process and/or in storage to ensure that data remains consistent and correct.

• Management Trail – Processing history controls, often referred to as an audit trail, enable management to track transactions from the source to the ultimate result and to trace backward from results to identify the transactions and events they record. These controls should be adequate to monitor the effectiveness of overall controls and identify errors as close as possible to their sources.
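Added example (not part of the GTAG text): a small Python batch pipeline that implements each of the five generic control types above over a constructed payment batch, so an auditor can see what input validation, control totals, output reconciliation, integrity checks, and a forward- and backward-traceable management trail look like in working code. The records, field limits, and approver names are constructed for illustration.

```python
"""Application controls over a constructed payment batch (added example, not GTAG text).

input controls -> validate_input; processing controls -> process_batch;
output controls -> reconcile_output; integrity controls -> verify_integrity;
management trail -> AUDIT_TRAIL with trace_forward / trace_back.
"""
from decimal import Decimal, InvalidOperation
import hashlib

INPUT_BATCH = [  # constructed source records
    {"txn_id": "T001", "account": "12345", "amount": "250.00", "approver": "mgr1"},
    {"txn_id": "T002", "account": "12345", "amount": "-40.00", "approver": "mgr1"},  # out of range
    {"txn_id": "T003", "account": "ABCDE", "amount": "99.99", "approver": "mgr2"},   # bad account
    {"txn_id": "T004", "account": "67890", "amount": "1200.00", "approver": ""},     # no approver
    {"txn_id": "T005", "account": "67890", "amount": "75.50", "approver": "mgr2"},
]
MAX_AMOUNT = Decimal("1000000.00")        # specified parameter for the amount field
AUTHORIZED_APPROVERS = {"mgr1", "mgr2"}   # who may authorize a payment (constructed)

AUDIT_TRAIL = []  # management trail: (stage, txn_id, outcome, detail)


def record(stage, txn_id, outcome, detail=""):
    AUDIT_TRAIL.append((stage, txn_id, outcome, detail))


def validate_input(batch):
    """Input controls: every field is checked against its specified parameters."""
    accepted, rejected = [], []
    for rec in batch:
        problems = []
        if not (rec["account"].isdigit() and len(rec["account"]) == 5):
            problems.append("account format")
        try:
            amount = Decimal(rec["amount"])
            if not Decimal("0") < amount <= MAX_AMOUNT:
                problems.append("amount out of range")
        except InvalidOperation:
            problems.append("amount not numeric")
        if rec["approver"] not in AUTHORIZED_APPROVERS:
            problems.append("not authorized")
        if problems:
            rejected.append(rec)
            record("input", rec["txn_id"], "rejected", "; ".join(problems))
        else:
            accepted.append({**rec, "amount": amount})
            record("input", rec["txn_id"], "accepted")
    return accepted, rejected


def checksum(rec):
    """Hash of the fields a stored record must keep unchanged."""
    data = f"{rec['txn_id']}|{rec['account']}|{rec['amount']}".encode()
    return hashlib.sha256(data).hexdigest()


def process_batch(accepted):
    """Processing controls: record count and amount total are carried as control
    totals, and each posted record is stored with a checksum."""
    stored, control = {}, {"count": 0, "total": Decimal("0")}
    for rec in accepted:
        posted = {k: rec[k] for k in ("txn_id", "account", "amount")}
        posted["checksum"] = checksum(posted)
        stored[rec["txn_id"]] = posted
        control["count"] += 1
        control["total"] += rec["amount"]
        record("process", rec["txn_id"], "posted", f"running total {control['total']}")
    return stored, control


def reconcile_output(accepted, stored, control):
    """Output controls: compare what was stored against what was accepted as input."""
    in_total = sum((r["amount"] for r in accepted), Decimal("0"))
    out_total = sum((r["amount"] for r in stored.values()), Decimal("0"))
    ok = len(accepted) == control["count"] == len(stored) and in_total == control["total"] == out_total
    record("output", "BATCH", "reconciled" if ok else "MISMATCH",
           f"count {len(accepted)}/{len(stored)} total {in_total}/{out_total}")
    return ok


def verify_integrity(stored):
    """Integrity controls: flag stored records whose fields no longer match their checksum."""
    bad = [t for t, r in stored.items() if checksum(r) != r["checksum"]]
    for t in bad:
        record("integrity", t, "checksum mismatch")
    return bad


def trace_forward(txn_id):
    """Management trail: follow one source transaction to its ultimate result."""
    return [e for e in AUDIT_TRAIL if e[1] == txn_id]


def trace_back(stored, account, amount):
    """Management trail: from a stored result back to the transaction(s) that produced it."""
    return [t for t, r in stored.items() if r["account"] == account and r["amount"] == Decimal(amount)]


def run(batch):
    """Run the whole pipeline and return the control results for review."""
    AUDIT_TRAIL.clear()
    accepted, rejected = validate_input(batch)
    stored, control = process_batch(accepted)
    return {"accepted": [r["txn_id"] for r in accepted],
            "rejected": [r["txn_id"] for r in rejected],
            "reconciled": reconcile_output(accepted, stored, control),
            "stored": stored, "count": control["count"], "total": str(control["total"])}
```

Running `run(INPUT_BATCH)` rejects T002, T003, and T004 at the input stage and reconciles the two posted records; altering a stored amount afterwards is caught by `verify_integrity`.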

GTAG — Understanding IT Controls — 5


5.4 Information Security

Information security is an integral part of all IT controls. Information security applies to both infrastructure and data and is the foundation for the reliability of most other IT controls. The exceptions are controls relating to the financial aspects of IT (e.g., ROI, budgetary controls) and some project management controls. The universally accepted elements of information security are:

• Confidentiality – Confidential information must only be divulged as appropriate and must be protected from unauthorized disclosure or interception. Confidentiality includes privacy considerations.

• Integrity – Information integrity refers to the state of data as being correct and complete. This specifically includes the reliability of financial processing and reporting.

• Availability – Information must be available to the business, its customers, and partners when, where, and in the manner needed. Availability includes the ability to recover from losses, disruption, or corruption of data and IT services, as well as from a major disaster where the information was located.

5.5 IT Controls Framework

IT controls are not automatic. For the more than 50 years organizations have used IT, controls have not always been the default condition of new systems, hardware, or software. The development and implementation of controls typically lag behind the recognition of vulnerabilities in systems and the threats that exploit such vulnerabilities. Further, IT controls are not defined in any widely recognized standard applicable to all systems or to the organizations that use them.

Many frameworks exist for categorizing IT controls and their objectives. Each organization should use the most applicable components of these frameworks to categorize or assess IT controls and to provide and document its own internal control framework for:

• Compliance with applicable regulations and legislation.

• Consistency with the organization's goals and objectives.

• Reliable evidence (assurance) that activities are in compliance with management's governance policies and are consistent with the organization's risk appetite.

Risk Appetite

An organization's risk appetite defines the degree of risk a company or other organization is willing to accept in pursuit of its goals, as determined by executive management and governance. Risk appetite can specify, for example, whether or not an organization will take an aggressive role in the deployment of new and emerging technologies. An organization's risk appetite can be affected by its industry and regulatory environment. Closely related to risk appetite is an organization's risk tolerance, which measures how far it is willing to deviate from its stated measure of risk appetite.

Many issues drive the need for IT controls, including controlling costs and remaining competitive, protecting against information theft by hackers, and complying with legislation and regulation such as the U.S. Sarbanes-Oxley Act of 2002², the European Union's Data Protection Directive, and related legislation in other countries. IT controls promote reliability and efficiency and allow the organization to adapt to changing risk environments. For example, any control that mitigates or detects fraud or cyber attacks enhances the organization's resiliency by helping the organization uncover the risk and manage its impact. Resiliency is a result of a strong system of internal controls that give an organization the ability to manage disruptions seamlessly.

Legislation and regulations in some countries now require organizations to report on the effectiveness of internal control and, by implication, the effectiveness of IT control. The most prominent new law is Sarbanes-Oxley, which requires all companies with shares that are publicly traded in the United States, and their foreign subsidiaries, to report on their system of internal controls over financial reporting, performed in conjunction with an audit of financial statements. A list of some of the legislation and regulations applicable to internal controls is provided in Appendix B (see page 24).

The need for controls is further driven by the complexity resulting from the necessity for diverse technical components to work with one another. While flexibility and adaptability of IT are crucial to meeting the changing needs of customers and business partners and responding to competitive pressures, they also add complexity to business and IT infrastructures. In addition, information security has been acknowledged as a key component of internal control with the emergence and widespread acceptance of standards such as the International Organization for Standardization Code of Practice for Information Security Management (ISO 17799).

Organizations that implement effective IT controls experience improvements in efficiencies, reliability of services, flexibility of systems, and availability of assurance evidence — all of which add value and increase stakeholder and regulator confidence in the organization. Some key indicators of effective IT controls include:

• The ability to execute planned new work, such as the IT infrastructure upgrades required to support new products and services.

• Delivery of development projects on time and within budget, resulting in cheaper and better product and service offerings when compared with competitors.

• Ability to allocate resources predictably.

• Consistent availability and reliability of information and IT services across the organization and for customers, business partners, and other external interfaces.

• Clear communication to management of effective controls.

• The ability to protect against new vulnerabilities and threats quickly and efficiently and to recover from any disruption of IT services.

• The efficient use of a customer support center or help desk.

• A security-conscious culture among end users throughout the organization.

Although the internal audit function likely will include specialist IT auditors to address IT issues in detail, the CAE also should understand IT control issues at a high level, particularly their interactions with other IT and non-IT controls. This understanding is particularly important when discussing compliance or control deficiencies with high-level managers such as the chief executive officer (CEO), chief financial officer (CFO), or chief information officer (CIO), and with the various board committees.

The CAE should be able to discuss relevant regulations and legislation with the audit committee, the chief legal counsel, and other relevant individuals and committees. The CAE also should understand how IT controls support reliability and effectiveness and help promote competitive advantage. Moreover, the CAE should thoroughly understand the major issues that drive the need for controls within the organization's particular sector to ensure they are considered during audit assessments. Without a thorough knowledge and understanding of IT controls, the auditor will be unable to grasp their significance or to assess them adequately as part of the overall review of internal control.

GTAG — Importance of IT Controls — 6


² Public Accounting Reform and Investor Protection Act of 2002, known as Sarbanes-Oxley after its sponsors, U.S. Sen. Paul Sarbanes and U.S. Rep. Michael Oxley.

GTAG — IT Roles in the Organization — 7

Many different roles have emerged in recent years for positions within the organization with responsibilities and ownership of IT controls. Each position at the governance, management, operational, and technical levels should have a clear description of its roles and responsibilities for IT controls to avoid confusion and ensure accountability for specific issues. This section addresses the various IT control roles and responsibilities within the organization and allocates them to specific positions within a hypothetical organizational structure.

There is no universally applicable means of defining the organizational structure for IT control. The CAE should identify where IT control responsibilities lie and assess their appropriateness with regard to separation of duties, as well as any gaps that may exist in assigned responsibilities. Once this is done, the CAE will know whom to approach to discuss specific IT issues and where specific information can be obtained.

Overall, the objectives for the use of IT within any organization are:

• To deliver reliable information efficiently and secure IT services in line with the organization's strategies, policies, external requirements, and risk appetite.

• To protect stakeholder interests.

• To enable mutually beneficial relationships with customers, business partners, and other outside parties that accomplish business objectives.

• To identify and respond to threats and potential violations of control appropriately.

Specific roles within the organization support these objectives. The position descriptions and titles will differ across different countries, industries, and organizations, and some of the roles may be merged within smaller organizations. However, some individuals within the organization must address the IT control function and interact with the CAE and internal audit staff members.

7.1 Board of Directors/Governing Body

One important role of the full board of directors is to determine and approve strategies, set objectives, and ensure that objectives are being met to support the strategies. In relation to IT, this requires:

• Awareness of the key IT topics, such as the IT and information security policies and the concepts of risk as they relate to IT. An example of board roles in IT oversight is provided in The IIA's "Information Security Management and Assurance Series" at www.theiia.org/iia/index.cfm?doc_id=2458.

• Understanding of the IT strategy's infrastructure and components, as well as awareness of key system development and acquisition projects and how they support and impact overall corporate strategies, objectives, and short- and long-term budgets.

• Approval of the data classifications structure and the related access rights.

The board will establish various committees based on its relationships with the organization. The most common committees of the board are audit, compensation, and governance, but some boards have additional committees, such as a risk management committee or finance committee. These committees may bear different names from those identified below, and their roles may vary. The functions, rather than the names, are important.

7.1.1 Audit Committee

The role of the audit committee encompasses oversight of financial issues, internal control assessment, risk management, and ethics. IT control is a strong element of each of these duties and calls for:

• Understanding of financial management (financial expert role) and the organization's reliance on IT for financial processing and reporting.

• Ensuring IT topics are included in the committee meeting agenda — especially CIO reporting.

• Ensuring general IT controls and controls in business application systems and processes involved in preparing financial statements are assessed and tested adequately.

• Overseeing the overall assessment of IT controls.

• Reviewing the business and control issues related to new systems development and acquisition.

• Examining internal and external audit plans and work to ensure IT topics are covered adequately.

• Reviewing the results of audit work and monitoring the resolution of issues raised.

• Understanding the IT topics that impact ethics monitoring.

7.1.2 Compensation Committee

The compensation committee has no direct relationship with IT. However, it can improve the board's oversight of IT by making IT one of the performance elements of any compensation plan it approves.

7.1.3 Governance Committee

The governance committee is responsible for board member selection and assessment and for leadership of the board's operations. In relation to IT, this committee should:

• Ensure that potential and current board members have a suitable IT knowledge or background.

• Assess board committees' performance in terms of their oversight of IT.

• Review any external regulatory governance assessments in relation to IT topics.

• Ensure that the board reviews IT policies periodically and that board meetings focus on IT with adequate frequency.

7.1.4 Risk Management Committee

The risk management committee is responsible for oversight of all risk analysis and assessment, risk response, and risk monitoring. Its role includes:

• Assessing the extent to which management has established effective enterprise risk management in the organization.

• Being aware of and concurring with the organization's risk appetite and tolerance.

• Appreciating the impact of IT-related risks.

• Reviewing the organization's risk portfolio — including IT risks — and considering it against the organization's risk appetite.

• Being apprised of the most significant IT risks and determining whether or not management's response to changes in risk and threats is appropriate.

• Monitoring and evaluating all activities performed by management to minimize all known and documented risks.

7.1.5 Finance Committee

The main role of the finance committee is to review financial statements, cash flow projections, and investment management. Members of this committee need to understand the control elements of IT that ensure the accuracy of information used to make key financing decisions and generate financial reports. They also should consider, and ask management to report on, the benefits and costs of maintaining — versus replacing — critical IT systems. Management's report should consider "soft" efficiency issues, such as gains or losses to productivity based on ease and efficiency of use; the "hard" costs of repairs and upgrades; and the potential for risk due to loss or corruption of data.

7.2 Management

Several specific roles have emerged in large organizations in relation to IT risk and control. As stated previously, small organizations might not allocate an individual for each role, although the function must still be performed. An individual may perform multiple roles, but care must be taken so that allocating these roles does not compromise the need for division of duties where roles are incompatible. Where IT is outsourced, there is still a requirement for organizations to keep many of these roles in-house to provide oversight of the outsourced functions.

7.2.1 Chief Executive Officer

The individual with overall strategic and operational control of the organization must consider IT in most aspects of the role. In particular, the CEO will:

• Define corporate objectives and performance measures in relation to IT.

• Act as custodian over the organization's critical success factors in relation to IT.

• Understand and approve the short-term and long-range strategy for IT.

• Approve IT resources for the organization, including structure and oversight/monitoring.

• Determine IT issues for periodic management, board, and staff discussion.

• Operate as the highest-level control owner, having ultimate responsibility for the success or failure of controls and for coordinating all other operational managers within their responsibilities framework who act as control owners of their particular areas.

7.2.2 Chief Financial Officer

The CFO has overall responsibility for all financial matters in the organization and should have a strong understanding of the use of IT, both to enable financial management and to support corporate objectives. This individual should have an overall understanding of:

• The total cost of ownership for IT initiatives.

• The entity's IT strategies for remaining technologically competitive.

• The technologies used to implement financial applications.

• The operation of specific financial applications.

IT Controls and Ethics

As evidenced by the Equity Funding cases in the 1970s and the scandals that continue to emerge today, the use of technology creates significant opportunities to initiate and perpetuate fraud and deception. The authority to override certain controls brings with it the temptation to initiate improper actions. If such improprieties go unnoticed or are tacitly allowed to continue, they can grow into outright fraud. Therefore, when an organization provides an individual the opportunity to perform actions on behalf of the organization, it has a corresponding responsibility to provide monitoring to detect and correct improper activities quickly. The organization also has a responsibility to identify threats of this sort and to establish safeguards as a preventive measure. The same technology tools that can create the opportunity for fraud can be used to identify activities, or even unusual patterns in transactions or other data, that may indicate evidence of fraud or questionable behavior.


• The limitations and benefits of IT.

• The IT control structure for general controls that apply to all business systems and data, as well as controls that are specific to financial applications.

The CFO should operate as the highest-level control owner for financial systems and data.

7.2.3 Chief Information Officer

The CIO has overall responsibility for the use of IT within the organization. In relation to IT controls, the CIO should:

• Understand the business requirements that drive the need to implement IT.

• Develop IT partnerships with business management to:
  – Ensure IT strategy is aligned with the business strategy.
  – Ensure compliance.
  – Profit from process-efficiency gains.
  – Mitigate assessed risks.

• Design, implement, and maintain an IT internal control framework.

• Plan, source, and control IT resources.

• Explore, assess, select, and implement technology advances (e.g., wireless communications).

• Provide training for IT personnel to ensure that levels of knowledge and skills remain current.

• Operate as the highest-level data/system custodian and IT control owner.

• Measure the operational performance of IT in support of business objectives by:
  – Setting expectations.
  – Evaluating results.

• Develop all necessary means to verify and acknowledge that IT is providing services and support as expected by its users and final customers, such as regulators and external and internal auditors.

7.2.4 Chief Security Officer

The chief security officer (CSO) is responsible for all security across the entire organization, including information security, which may be the responsibility of a chief information security officer as well. The CSO:

• Has responsibility for documenting the enterprise security policy and for ensuring mechanisms have been established to communicate and enforce the policy.

• Has overall responsibility for logical and physical security in the organization and for all external connections to the Internet or other networks.

• Acts as a key link between the compliance, legal, CIO, and audit functions.

• Is at the forefront of implementing key compliance programs affecting IT, such as Sarbanes-Oxley and the European Union (EU) Data Protection Directive.

• Is responsible for business continuity planning, including incident handling and disaster recovery.

• Ensures that security staff provide support for implementing controls at all levels.

• Acts as the key leader for investigating and evaluating new best practices that may be incorporated into the organization.

7.2.5 Chief Information Security Officer (CISO)

Information security is a subset of the overall security role. The CISO:

• Develops and implements the information security policy in coordination with the CSO.

• Controls and coordinates information security resources, ensuring they are allocated adequately to meet the organization's security objectives.

• Ensures alignment of information security and business objectives.

• Manages operational information risks throughout the organization.

• Oversees security within the IT organization.

• Provides education and awareness on information security issues and new best practices.

• Develops end-user policies for the usage of IT information in conjunction with the human resources function.

• Coordinates information security work with the chief risk officer (CRO) and CIO.

• Advises the CEO, CRO, CIO, and board on IT risk issues.

• Acts as a key link for the CAE when internal auditing performs IT control-related audits.

7.2.6 Chief Legal Counsel (CLC)

Legal counsel may be an employee or officer of the organization or an external legal adviser. The role involves:

• Understanding and dealing with the liabilities arising out of information disclosures and providing policy-level guidance to help manage risks related thereto.

• Ensuring financial reports and presentations comply with laws and regulations.

• Understanding IT legal issues and advising on legal risks related to IT.

• Managing organizational reputation in relation to legal issues, compliance, and public relations.

• Understanding fraud involving IT.

• Managing IT contractual issues.

• Understanding investigative forensics protocols regarding suspected criminal activity.

7.2.7 Chief Risk Officer

The CRO is concerned with managing risk at all levels of the organization. Because IT risks form a part of this function, the CRO will consider them with the help of the CISO. This includes:

• Analysis and assessment of IT risk exposures, including information compromises such as loss, damage, unauthorized disclosure, and interrupted access.

• Assessment of IT events such as interruptions, disasters, and changes.

• Analysis and assessment of business risk as it is affected by IT risk.

• Monitoring, supporting, and acting as a mentor for all IT activities related to minimizing risks.

7.3 Audit

7.3.1 Internal Auditing – CAE and Audit Staff

Internal auditing is an essential part of the corporate governance process, whether or not a specific internal audit group is employed. Internal auditors need a general understanding of IT, but the level of their understanding will vary depending on the category of auditing or audit supervision they perform (IIA Standard 1210.A3). The IIA defines three categories of IT knowledge for internal auditors; Appendix C (see page 28) describes these categories. The internal audit role in relation to IT involves:

• Advising the audit committee and senior management on IT internal control issues.

• Ensuring IT is included in the audit universe and annual plan (selecting topics).

• Ensuring IT risks are considered when assigning resources and priorities to audit activities.

• Defining IT resources needed by the internal audit department, including specialized training of audit staff.

• Ensuring that audit planning considers IT issues for each audit.

• Liaising with audit clients to determine what they want or need to know.

• Performing IT risk assessments.

• Determining what constitutes reliable and verifiable evidence.

• Performing IT enterprise-level controls audits.

• Performing IT general controls audits.

• Performing IT applications controls audits.

• Performing specialist technical IT controls audits.

• Making effective and efficient use of IT to assist the audit processes.

• During systems development or analysis activities, operating as experts who understand how controls can be implemented and circumvented.

• Helping to monitor and verify the proper implementation of activities that minimize all known and documented IT risks.

7.3.2 External Auditor

Independent external audits are a requirement for most organizations and normally are performed annually. Topics to be considered by the internal audit department and the audit committee include:

• The extent of the external auditor's responsibilities for understanding and evaluating the IT system and related IT controls during financial audits.

• The scope of the external auditor's responsibilities for examining the IT system and controls during any formal attestation that may be required by statute or regulation, such as internal controls over financial reporting and other regulatory requirements.


³ These definitions are taken from the COSO Enterprise Risk Management – Integrated Framework (Oct. 2004).

8.1 Risk Determines Response

IT controls are selected and implemented on the basis of the risks they are designed to manage. As risks are identified — through experience or formal risk assessment — suitable risk responses are determined, ranging from doing nothing and accepting the risk as a cost of doing business to applying a wide range of specific controls, including insurance.

It would be a relatively straightforward task to create a list of recommended IT controls that must be implemented within each organization. However, each control has a specific cost that may not be justified in terms of cost effectiveness when considering the type of business done by the organization. Furthermore, no list of controls is universally applicable across all types of organizations. Although there is a lot of good advice available on the choice of suitable controls, strong judgment must be used. Controls must be appropriate for the level of risk faced by the organization.

The CAE should be able to advise the audit committee that the internal control framework is reliable and provides a level of assurance appropriate to the risk appetite of the organization. In this respect, the risk appetite of the organization is defined by COSO³ as:

"… the degree of risk, on a broad-based level, that a company or other organization is willing to accept in pursuit of its goals. Management considers the organization's risk appetite first in evaluating strategic alternatives, then in setting objectives aligned with the selected strategy, and in developing mechanisms to manage the related risks."

In addition, the CAE should consider risk tolerance. COSO defines risk tolerance as:

"… the acceptable level of variation relative to the achievement of objectives. In setting specific risk tolerances, management considers the relative importance of the related objectives and aligns risk tolerances with its risk appetite."

Thus, the CAE should consider whether or not:

• The organization's IT environment is consistent with the organization's risk appetite.

• The internal control framework is adequate to ensure that the organization's performance remains within the stated risk tolerances.

8.2 Risk Considerations in Determining the Adequacy of IT Controls

Risk management applies to the entire spectrum of activity within an organization, not just to the application of IT. IT cannot be considered in isolation but must be treated as an integral part of all business processes. Choosing IT controls is not simply a matter of implementing those recommended as best practices. They must add value to the organization by reducing risk efficiently and increasing effectiveness.

When considering the adequacy of IT controls within the organization's internal control framework, the CAE should consider the processes established by management to determine:

bull The value and criticality of informationbull The organizationrsquos risk appetite and tolerance for

each business function and processbull IT risks faced by the organization and quality of

service provided to its usersbull The complexity of the IT infrastructurebull The appropriate IT controls and the benefits they

providebull Harmful IT incidents in the past 24 months

The frequency of risk analysis is important and is influencedgreatly by technological change In a static business andtechnical infrastructure environment the risk assessmentprocess could be as infrequent as yearly or could be performed in concert with a major implementation project

8.2.1 The IT Infrastructure

Analyzing and assessing risk in relation to IT can be complex. The IT infrastructure consists of hardware, software, communications, applications, protocols (rules), and data, as well as their implementation within physical space, within the organizational structure, and between the organization and its external environment. Infrastructure also includes the people interacting with the physical and logical elements of systems.

The inventory of IT infrastructure components reveals basic information about the vulnerabilities of the environment. For example, business systems and networks connected to the Internet are exposed to threats that do not exist for self-contained systems and networks. Because Internet connectivity is an essential element of most business systems and networks, organizations must make certain that their systems and network architectures include the fundamental controls that ensure basic security.

The complete inventory of the organization’s IT hardware, software, network, and data components forms the foundation for assessing the vulnerabilities within the IT infrastructures that may impact internal controls. Systems architecture schematics reveal the implementation of infrastructure components and how they interconnect with other components within and outside the organization. To the information security expert, the inventory and architecture of IT infrastructure components — including the placement of security controls and technologies — reveals potential vulnerabilities. Unfortunately, information about a system or network can also reveal vulnerabilities to a potential attacker, so access to such information must be restricted to only those people who need it. A properly configured system and network environment will minimize the amount of information it provides to would-be attackers, and an environment that appears secure presents a less attractive target to most attackers.

GTAG — Analyzing Risk — 8


8.2.2 IT Risks Faced by the Organization

The CAE discusses IT risk issues with the CIO and process owners to ensure that all related parties have an appropriate awareness and understanding of the technical risks faced by the organization through the use of IT, and of their roles in applying and maintaining effective controls.

8.2.3 Risk Appetite and Tolerance

Armed with the knowledge of IT risks, the auditor can validate the existence of effective controls to meet the established risk appetite of the organization and its risk tolerance in relation to IT. The auditor’s assessment will involve discussions with many members of management and, ultimately, with the board. The level of detail of these discussions can be determined by the CRO with input from the CIO, CISO, CSO, CAE, and process owners. The final decision regarding risk appetite and tolerance must be made by the risk committee — with input from the audit committee — and must be endorsed by the full board. The definitions of risk appetite and tolerance must be communicated to all relevant managers for implementation.

The goal of enterprise risk management is to ensure that everyone is working with the same level and understanding of risk, and that decisions made at all levels of management are consistent with the organization’s risk appetite.

8.2.4 Performing Risk Analysis

Performing risk analysis is not the sole preserve of either the CRO or the CAE, although both of them, or their representatives, should be involved, along with representatives from IT and the business areas.

There are eight basic questions associated with the risk assessment process. The first five include:

• What are the assets at risk, and the value of their confidentiality, integrity, and availability?
• What could happen to affect that information asset value adversely (threat event)? Implicit to this question is the vulnerability analysis and the mapping of vulnerabilities to threats and potentially impacted information assets.
• If a threat event happened, how bad could its impact be?
• How often might the event be expected to occur (frequency of occurrence)?
• How certain are the answers to the first four questions (uncertainty analysis)?

The next three questions apply to risk mitigation analysis:

• What can be done to reduce the risk?
• How much will it cost?
• Is it cost-efficient?
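The eight questions carried through with numbers, as an added example that is not part of the GTAG text: a small Monte Carlo estimate of annualized loss answers questions three to five with ranges rather than point values, and questions six to eight by comparing the loss a candidate control removes with what it costs. The asset, the impact and frequency ranges, and the control names, costs and effectiveness figures are all constructed.

```python
"""Added example, not from the GTAG: the eight risk-assessment questions
carried through as a Monte Carlo estimate of annualized loss.  The asset,
ranges, controls, costs and effectiveness figures are all constructed."""
from __future__ import annotations

import math
import random
import statistics
from dataclasses import dataclass


@dataclass
class Scenario:
    """Q1-Q5: an asset, a threat event, and ranges for impact and frequency.
    The width of each range is the uncertainty analysis (Q5)."""
    asset: str
    threat_event: str
    impact_low: float   # Q3: per-event loss, lower bound
    impact_high: float  # Q3: per-event loss, upper bound
    freq_low: float     # Q4: events per year, lower bound
    freq_high: float    # Q4: events per year, upper bound


@dataclass
class Control:
    """Q6/Q7: a candidate mitigation and what it costs per year."""
    name: str
    annual_cost: float
    freq_reduction: float    # fraction of threat events prevented (0..1)
    impact_reduction: float  # fraction of per-event loss avoided (0..1)


def poisson_sample(rng: random.Random, lam: float) -> int:
    """Number of events in one year at rate lam (Knuth's method, small lam)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_loss(scn: Scenario, ctrl: Control | None = None,
                         trials: int = 20000, seed: int = 7) -> list[float]:
    """One simulated annual loss per trial: draw a frequency and per-event
    impacts from the scenario ranges, apply the control's reductions if one
    is given, and sum the year's losses."""
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        rate = rng.uniform(scn.freq_low, scn.freq_high)
        if ctrl:
            rate *= 1.0 - ctrl.freq_reduction
        year_total = 0.0
        for _ in range(poisson_sample(rng, rate)):
            loss = rng.uniform(scn.impact_low, scn.impact_high)
            if ctrl:
                loss *= 1.0 - ctrl.impact_reduction
            year_total += loss
        losses.append(year_total)
    return losses


def percentile(values: list[float], q: float) -> float:
    """q in (0, 1]; the 0.9 value answers 'how bad could a bad year be'."""
    ordered = sorted(values)
    return ordered[min(len(ordered) - 1, int(q * len(ordered)))]


def evaluate_control(scn: Scenario, ctrl: Control, trials: int = 20000) -> dict:
    """Q6-Q8: expected annual loss with and without the control.  The
    control is cost-efficient when the loss it removes exceeds its cost."""
    before = simulate_annual_loss(scn, None, trials)
    after = simulate_annual_loss(scn, ctrl, trials)
    exp_before = statistics.fmean(before)
    exp_after = statistics.fmean(after)
    reduction = exp_before - exp_after
    return {
        "control": ctrl.name,
        "expected_loss_before": exp_before,
        "expected_loss_after": exp_after,
        "bad_year_before": percentile(before, 0.9),  # Q5: spread, not just mean
        "bad_year_after": percentile(after, 0.9),
        "annual_cost": ctrl.annual_cost,
        "net_benefit": reduction - ctrl.annual_cost,
        "cost_efficient": reduction > ctrl.annual_cost,
    }


# Constructed scenario: breach of confidentiality of a customer database.
CUSTOMER_DB = Scenario("customer database", "external breach of confidentiality",
                       impact_low=50_000, impact_high=250_000,
                       freq_low=0.1, freq_high=0.5)
# Constructed candidate controls; costs and effectiveness are made up.
MONITORING = Control("database activity monitoring plus encryption at rest",
                     annual_cost=20_000, freq_reduction=0.5, impact_reduction=0.4)
REPLATFORM = Control("full replatforming of the application",
                     annual_cost=60_000, freq_reduction=0.9, impact_reduction=0.5)
```

Calling `evaluate_control(CUSTOMER_DB, MONITORING)` gives an expected loss of roughly 45,000 falling to roughly 13,500 for a 20,000 control, so it is cost-efficient; the more expensive `REPLATFORM` removes more loss but not enough to cover its own cost.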

8.2.5 Value of Information

Determining the value of the information processed and stored is not an easy task due to the multidimensional nature of value. The Generally Accepted Information Security Principles (GAISP) Guidelines for Information Valuation, published by the Information Systems Security Association (www.issa.org), address information value within the following categories:

• Exclusive possession – cost in the event of a breach of confidentiality.
• Utility – cost in the event of a loss of integrity.
• Cost of creation/re-creation.
• Liability in the event of litigation.
• Convertibility/negotiability – represents market value.
• Operational impact of unavailability.

8.2.6 Appropriate IT Controls

Finally, appropriate IT controls must be chosen and implemented to address the risks identified. Much advice is available on this subject. See Appendix I (see page 45).

The CAE and internal audit group should be involved in the process of analyzing and assessing risk. While they should operate in a manner that maintains the independence and objectivity of their function, they also must provide an opinion on the effectiveness of the internal control framework.

8.3 Risk Mitigation Strategies

When risks are identified and analyzed, it is not always appropriate to implement controls to counter them. Some risks may be minor, and it may not be cost effective to implement expensive control processes for them.

In general, there are several ways to mitigate the potential impact of risks:

• Accept the risk. One of the primary functions of management is managing risk. Some risks are minor because their impact and probability of occurrence are low. In this case, consciously accepting the risk as a cost of doing business is appropriate, as is periodically reviewing the risk to ensure its impact remains low.

• Eliminate the risk. It is possible for a risk to be associated with the use of a particular technology, supplier, or vendor. The risk can be eliminated by replacing the technology with more robust products and by seeking more capable suppliers and vendors.

• Share the risk. Risk mitigation approaches can be shared with trading partners and suppliers. A good example is outsourcing infrastructure management. In such a case, the supplier mitigates the risks associated with managing the IT infrastructure by being more capable and having access to more highly skilled staff than the primary organization. Risk also may be mitigated by transferring the cost of realized risk to an insurance provider.

• Control/mitigate the risk. Where other options have been eliminated, suitable controls must be devised and implemented to prevent the risk from manifesting itself or to minimize its effects.


8.4 Control Characteristics to Consider

Some of the issues to be addressed during the IT control evaluation process include:

• Is the control effective?
• Does it achieve the desired result?
• Is the mix of preventive, detective, and corrective controls effective?
• Do the controls provide evidence when control parameters are exceeded or when controls fail? How is management alerted to failures, and which steps are expected to be taken?
• Is evidence retained (audit or management trail)?

8.5 Baseline IT Controls

IT controls are to be applied when mitigating the risks is the best option. While IT controls should be applied with due regard to the relevant risks, there is a basic set of controls that need to be in place to provide a fundamental level of IT hygiene. For example, the use of a firewall to control traffic between a corporate network and a public network such as the Internet, or between internal network domains, is a baseline control. The level of risk associated with the business value and sensitivity of the network traffic, the services provided, and the information stored in the infrastructure determines the extent to which firewalls restrict traffic coming into and departing from an organization’s networks. Firewalls are a physical and logical manifestation of information security policy elements that dictate what is allowed into or out of an organization.

IT controls most widely applicable to all IT infrastructures are known as baseline controls. There are many types of baseline controls. Two baselines that apply to IT security controls are the Digital Dozen from the VISA Cardholder Information Security Program (CISP) and the Fundamental Five from the Center for Internet Security (see sidebars on this page). The Fundamental Five and Digital Dozen complement each other.

It is not easy to define the baseline IT controls because the general threats, such as malicious software and hacking, change, and newer technologies and applications frequently are implemented across the organization. The following questions can be considered when selecting a suitable set of baseline controls:

• Do IT policies — including for IT controls — exist?
• Have responsibilities for IT and IT controls been defined, assigned, and accepted?
• Are IT infrastructure, equipment, and tools logically and physically secured?
• Are access and authentication control mechanisms used?
• Is antivirus software implemented and maintained?
• Is firewall technology implemented in accordance with policy (e.g., where external connections such as the Internet exist and where separation between internal networks is needed)?
• Are external and internal vulnerability assessments completed, and risks identified and appropriately resolved?
• Are change and configuration management and quality assurance processes in place?
• Are structured monitoring and service measurement processes in place?
• Are specialist IT audit skills available (either internally or outsourced)?

Further information on baseline controls can be found in Appendix I (see page 45). More comprehensive information on risk analysis and management can be found in the IIA paper Information Security Management and Assurance: A Call to Action for Corporate Governance, http://www.theiia.org/eSAC/pdf/BLG0331.pdf.


Fundamental Five

The Consensus Benchmarks from the Center for Internet Security (www.cisecurity.org) provide guidance on the “Fundamental Five” of basic security hygiene. Use of these benchmarks typically results in an 80 percent to 95 percent reduction of known vulnerabilities.

1. Identity and Access Management (including privilege assignment and authentication)
2. Change Management (including patch management)
3. Configuration Management
4. Firewalls (workstation, host, sub-network, and perimeter)
5. Malware protection (including worms and viruses)

Digital Dozen

One of the most concise and broadly useful summaries of security guidance is the VISA CISP, which has proven its value for over two years in use by VISA credit card network service providers, including banks, processors, merchants, and others. VISA refers to these requirements as its “Digital Dozen”:

1. Install and maintain a working firewall to protect data.
2. Keep security patches up-to-date.
3. Protect stored data.
4. Encrypt data sent across public networks.
5. Use and regularly update anti-virus software.
6. Restrict access by need to know.
7. Assign a unique Identification Code (ID) to each person with computer access.
8. Don't use vendor-supplied defaults for passwords and security parameters.
9. Track all access to data by unique ID.
10. Regularly test security systems and processes.
11. Implement and maintain an information security policy.
12. Restrict physical access to data.


9.1 Choosing a Control Framework

The process of identifying and assessing the IT controls necessary to address specific risks is aided considerably by the organization’s adoption of a formal control framework. This framework should apply to and be used by the whole organization — not just internal auditing. Although many frameworks exist, no single framework covers every possible business type or technology implementation.

A control framework is a structured way of categorizing controls to ensure that the whole spectrum of control is adequately covered. The framework can be informal or formal. A formal approach will satisfy the various regulatory or statutory requirements faced by many organizations more readily.

Each organization should examine existing control frameworks to determine which of them — or which parts — most closely fit its needs. The process of choosing or constructing a control framework should involve all positions in the organization with direct responsibility for controls. The CAE should be involved in the decision process because the internal audit function will assess the framework’s adequacy and use it as a context for planning and performing audit work.

The CAE needs an overall knowledge of IT risk issues to assess the effectiveness and appropriateness of IT controls. The CAE will base the audit plan and allocate audit resources according to the IT areas and issues that merit attention due to their inherent levels of risk. Risk analysis and assessment cannot be viewed as a one-time process, especially when applied to IT, because technology changes constantly and rapidly, as do the associated risks and threats. Categorizing IT controls according to their organizational placement, purpose, and functionality is useful in assessing their value and adequacy, as well as the adequacy of the system of internal controls. Knowledge of the range of available IT controls, the driving forces for controls, and organizational roles and responsibilities allows for comprehensive risk analysis and assessments. In assessing control effectiveness, it is also useful to understand whether the controls are mandated or voluntary, discretionary or nondiscretionary, manual or automated, primary or secondary, and subject to management override.

Finally, the assessment of IT controls involves selecting key controls for testing, evaluating test results, and determining whether or not evidence indicates any significant control weaknesses. The checklist in Appendix H can help the CAE ensure all relevant issues have been considered when planning and directing internal audit assessments of IT controls. Several existing frameworks and approaches can assist the CAE and other managers when determining IT control requirements. However, organizations should investigate enough frameworks to determine which one best fits their own needs and culture. A partial list of available frameworks is provided in Appendix D (see page 29).

The COSO Internal Control – Integrated Framework (1992) is accepted by the U.S. Public Company Accounting Oversight Board (PCAOB) for the purpose of reporting

GTAG — Monitoring and Techniques — 9

COSO Model for Technology Controls

Monitoring
• Monthly metrics from technology performance
• Technology cost and control performance analysis
• Periodic technology management assessments
• Internal audit of technology enterprise
• Internal audit of high risk areas

Control Activities
• Review board for change management
• Comparison of technology initiatives to plan and return on investment
• Documentation and approval of IT plans and systems architecture
• Compliance with information and physical security standards
• Adherence to business continuity risk assessment
• Technology standards compliance enforcement

Information and Communication
• Periodic corporate communications (intranet, e-mail, meetings, mailings)
• Ongoing technology awareness of best practices
• IT performance survey
• IT and security training
• Help desk ongoing issue resolution

Risk Assessment
• IT risks included in overall corporate risk assessment
• IT integrated into business risk assessments
• Differentiate IT controls for high risk business areas/functions
• IT internal audit assessment
• IT insurance assessment

Control Environment
• Tone from the top – IT and security controls considered important
• Overall technology policy and information security policy
• Corporate Technology Governance Committee
• Technology Architecture and Standards Committee
• Full representation of all business units

Figure 5 - COSO Model for Technology Controls


compliance with financial reporting provisions, but it is not specific to all areas of IT. This framework is considered to be a “suitable, recognized” framework to adopt for Sarbanes-Oxley compliance because it covers all areas of IT implementation, albeit at a high level of abstraction. (See Figure 5, COSO Model for Technology Controls, page 18.)

9.2 Monitoring IT Controls

Determining where to apply control monitoring and assessment, and their frequency, is not easy. Participation by the auditor in risk analysis exercises and implementation of a suitable control framework help ensure that the CAE has sufficient information to create a suitable audit plan to address the major IT risks.

Ultimately, management is responsible for monitoring and assessing controls. The auditor’s monitoring and assessments are performed to independently attest to management’s assertions regarding the adequacy of controls. Management’s control monitoring and assessment activities should be planned and conducted within several categories, as follows:

9.2.1 Ongoing Monitoring

• Daily/Periodic – Some information must be checked daily to ensure controls are working as required. Management normally performs such monitoring, which traditionally involves checking data-processing control reports to reconcile satisfactory task and job completion. Such controls, where they exist, are most often automated. The CAE will ensure such management monitoring is in place and that it is subjected to internal audit assessment.

• Event-driven – Discrepancies, or even frauds, may result within normal processing or in special circumstances, such as where there are large-value transactions. In many IT environments, malicious attacks are likely. Consequently, specific controls should be in place to detect and report unusual activities to an entity within the organization that is chartered specifically to investigate and determine if preventive or corrective actions should be applied. Such monitoring controls are complementary to the normal controls employed and provide assurance on the effectiveness of those controls, or early warning that they may have been breached.

• Continuous – Technology now provides the ability to monitor and assess certain sensitive controls continuously. A good example of continuous monitoring is the use of intrusion detection software, which continually monitors network traffic for evidence that other protective controls, such as firewalls and virus protection, may have been breached.

9.2.2 Special Reviews

• Annual (or quarterly) control assessment – Sarbanes-Oxley legislation in the United States requires cyclical control assessments. Although the board of directors is required to make statements regarding the effectiveness of internal controls, management actually must provide the assurances to the board, and the internal and external auditors must perform sufficient audit work to attest to these assurances.

• Audit reviews – A regular program of audit reviews is still necessary despite the proliferation of new audit approaches. It is only through the formal review of infrastructure, process, and technology implementation that the CAE can assess the overall reliability and robustness of the system of internal controls. In the past, such reviews were planned on a cyclical basis. However, given the fast-changing world of IT, audit reviews should now be scheduled based on the level of risk.


Suitable Recognized Framework

“… the framework on which management's assessment of the issuer's internal control over financial reporting is based must be a suitable, recognized control framework that is established by a body or group that has followed due-process procedures, including the distribution of the framework for public comment. By far the best-known framework that meets that definition is the framework designed by The Committee of Sponsoring Organizations of the Treadway Commission, otherwise known as the COSO report, which was published in 1992.”

— Scott A. Taub, Deputy Chief Accountant, U.S. Securities and Exchange Commission (SEC), SEC and Financial Reporting Conference, Pasadena, California, May 29, 2003


10.1 What Audit Methodology to Use

A lot has changed in the 40 years that IT auditing has existed. Technology components have become smaller, faster, and cheaper, even as overall IT costs to the organization have increased significantly. The majority of business processes have been automated, typically to provide efficiencies but also to enable certain business processes that cannot be performed manually. Ubiquitous network communications, including the Internet, have eliminated any distinction between business and electronic business.

The audit process similarly has evolved to match the automation of business processes. In the early days of automation, auditors “audited around the computer.” Now they use software routinely to test or analyze data and technical controls within systems.

A widely used audit approach involves operational analysis of the processing of important business transactions by automated systems. In such audits, the auditor identifies activities and information subject to control and assesses the ability of existing controls to provide reliable protection — including sufficient evidence of the reliability of controls. Because operational audits of automated business processes frequently identify internal control deficiencies, internal auditors may sometimes shift their attention to audits of — or even involvement in — the processes whereby business activities are automated, such as systems design, development and acquisition, implementation, and maintenance.

Experienced auditors develop extensive knowledge of internal controls and their strengths and weaknesses. Therefore, it is not uncommon for internal auditors to provide consulting services to the management responsible for designing and implementing internal controls. The scope and limitations on such consulting activity are prescribed in the International Standards for the Professional Practice of Internal Auditing (see http://www.theiia.org/guidance/standards-and-practices). However, internal auditor involvement in design, development, or implementation activities does not absolve management from responsibility for those activities.

Today, no specific audit methodologies can be regarded as the sole current best practice. Internal auditors adopt the methods and practices that best suit the work needed. For example:

• When performing an assessment against Sarbanes-Oxley requirements, a systems-based audit approach may be the best method.

• Fraud investigations may require the use of audit software to analyze data and look for evidence. Audit software provides strong analytical capability, plus the ability to examine all relevant records and files.

• Performing annual audit work in support of the main internal audit objectives will most likely follow a risk-based approach.

10.2 Testing IT Controls and Continuous Assurance

In addition to assessing the adequacy of IT control mechanisms, regular reviews should be performed to ensure that controls continue to function as required. A traditional method used by internal auditors is to create a population of test data that can be processed through the business systems and to check the results, to ensure, for example, that controls continue to accept valid data and reject incorrect and invalid items. However, given the widespread, complex, and interactive nature of business systems today, audit testing tends to focus more specifically on key automated controls and analysis of the data.

10.2.1 Automated Continuous Monitoring

Continuous monitoring and audit tools have been used for many years. Previously called embedded audit software, program code in business systems checks data being processed against predetermined criteria and reports anomalies it detects. The benefit of such monitoring is obvious: any discrepancies can be identified and acted upon immediately. Many proprietary business software products now provide such continuous monitoring functionality. The concept has also gone beyond business applications. For example, most firewall products and intrusion detection systems continuously check for potential attack scenarios and provide instant alerts when potential attacks are detected. This type of monitoring can cause problems due to the considerable volume of data and potential errors that are highlighted, not all of which will be worthy of attention. The task of refining the analysis techniques and monitoring thresholds requires constant vigilance to determine which alerts to highlight and which to accept as normal events.

GTAG — Assessment — 10

How Auditing Contributes to IT Controls

During the past four decades, there have been periods of reflection when management and auditors agreed the auditors could add value to the organization by contributing their controls expertise to development processes to ensure appropriate controls were incorporated into new systems, rather than adding controls after an audit revealed a deficiency. These activities coincided with the developments in control and risk self-assessment in the mainstream audit world. Audit consulting and risk-based auditing became widespread. The 1990s and beyond also saw dramatic increases in attention to information security management as cyber attacks increased in number and severity. These events have helped shape the role of the IT auditor, as well as the business world’s recognition of the importance of effective information security management.
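The event-driven monitoring control described in 9.2.1 (unusual activity such as large-value transactions reported to a unit chartered to investigate) and the threshold refinement described above, as one added example that is not part of the GTAG text: embedded checks screen each transaction against predetermined criteria, using only the user's earlier history as the baseline, and a small tuning function shows how the deviation threshold alone changes the alert volume an analyst has to review. The log lines, users, amounts, rules and thresholds are all constructed.

```python
"""Added example, not from the GTAG: an event-driven monitoring control that
screens a transaction log with three rules and shows how the deviation
threshold changes alert volume.  Log, users and thresholds are constructed."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import median

# Constructed sample log: timestamp,user,amount,counterparty
SAMPLE_LOG = """\
2005-03-01T09:12:00,alice,1200.00,VENDOR-A
2005-03-01T10:05:00,alice,980.00,VENDOR-B
2005-03-01T11:30:00,bob,15000.00,VENDOR-C
2005-03-02T09:00:00,alice,1100.00,VENDOR-A
2005-03-02T14:20:00,bob,14200.00,VENDOR-C
2005-03-03T09:40:00,alice,1050.00,VENDOR-B
2005-03-03T16:55:00,bob,15800.00,VENDOR-D
2005-03-04T08:15:00,alice,48000.00,VENDOR-Z
2005-03-04T23:47:00,bob,15100.00,VENDOR-C
2005-03-05T09:05:00,carol,250000.00,VENDOR-C
2005-03-05T10:10:00,alice,3900.00,VENDOR-A
2005-03-05T13:30:00,bob,52000.00,VENDOR-C
"""


@dataclass(frozen=True)
class Txn:
    when: datetime
    user: str
    amount: float
    counterparty: str


@dataclass(frozen=True)
class Thresholds:
    """Monitoring parameters: the values an analyst refines over time."""
    large_value: float = 100_000.0     # absolute large-value cut-off
    deviation_ratio: float = 5.0       # multiple of the user's own median
    min_history: int = 3               # prior transactions needed for a baseline
    business_hours: tuple[int, int] = (7, 19)  # [start, end) hour of day


def parse_log(text: str) -> list[Txn]:
    """Parse the CSV-style log and return transactions in time order."""
    txns = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, user, amount, counterparty = line.split(",")
        txns.append(Txn(datetime.fromisoformat(when), user, float(amount), counterparty))
    return sorted(txns, key=lambda t: t.when)


def detect(txns: list[Txn], th: Thresholds) -> list[tuple[Txn, str]]:
    """Return (transaction, reason) pairs for the investigating unit.  Each
    transaction is compared only with the user's earlier history, so the
    baseline is built as the log is processed, not from the whole file."""
    history: dict[str, list[float]] = defaultdict(list)
    alerts = []
    start, end = th.business_hours
    for t in txns:
        reasons = []
        if t.amount >= th.large_value:
            reasons.append("large-value transaction")
        prior = history[t.user]
        if len(prior) >= th.min_history:
            baseline = median(prior)
            if t.amount > th.deviation_ratio * baseline:
                reasons.append(f"{t.amount / baseline:.1f}x the user's median")
        if not start <= t.when.hour < end:
            reasons.append("outside business hours")
        alerts.extend((t, reason) for reason in reasons)
        history[t.user].append(t.amount)
    return alerts


def tune_alert_volume(txns: list[Txn], ratios: tuple[float, ...]) -> dict[float, int]:
    """Alert count for each candidate deviation ratio, other thresholds at
    their defaults: the figures an analyst uses to decide which alerts to
    highlight and which to accept as normal events."""
    return {r: len(detect(txns, Thresholds(deviation_ratio=r))) for r in ratios}
```

With the defaults, `detect(parse_log(SAMPLE_LOG), Thresholds())` raises three alerts (alice's 48,000 against a median near 1,075, bob's 15,100 at 23:47, and carol's 250,000), while lowering the deviation ratio to 3 adds two more borderline items for the same log.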

10.2.2 Automated Internal Control Analysis Tools

Audit software can be used to analyze stored data and check its validity to ensure the continuous, reliable operation of internal controls. Originally designated audit interrogation software, products such as ACL (www.acl.com) or CaseWare IDEA (www.caseware.com) now provide sophisticated features and specific analysis that can reduce the control assessment workload while increasing effectiveness and efficiency. Spreadsheet products like Microsoft Excel also contain powerful analysis tools auditors may use.

10.2.3 Automated Risk Analysis

Tools also are available for automating the risk analysis process. These tools are invaluable to the entire internal audit function, not just the IT auditor or risk specialist. Performing a proper risk analysis in today’s complex IT environments is not easy without the assistance of automated tools.

Management is responsible for performing risk assessments to determine the controls to implement or improve. Internal auditors perform similar analysis when assessing the adequacy of controls for audit plan and scope purposes. Automated tools can assist both processes. The automation of internal audit management is a major topic in its own right.

10.3 Audit Committee/Management/Audit Interfaces

It is impractical to establish rules for reporting on every special IT control situation. The CAE must apply prudent judgment when expressing an opinion or submitting a report to the audit committee. This is no different from the way the CAE interacts with the audit committee regarding other internal control issues.

The CAE will discuss internal control issues with the audit committee to determine the optimum level of information to be provided to enable the audit committee to achieve its statutory, regulatory, policy, due care, or other governance obligations.

“Metrics and reporting” and “audit report summaries” are two areas where the CAE should interact with the audit committee regarding internal controls. Further interactions will depend on the needs of the specific audit committee and any legislative or regulatory requirements.

Metrics and reporting. Metrics and reports must present meaningful information on the status of IT controls. While management provides the metrics and reporting, the CAE should be able to attest to their validity and opine on their value. This is accomplished through audit examination of the relevant control areas to produce an independent and objective assessment. The CAE should liaise with management at all levels and with the audit committee to agree on the validity and effectiveness of the metrics and assurances chosen for reporting.

A basic set of governance and management metrics for information security is included in Appendix G (see page 40). These metrics do not include specific data regarding the operation of detailed technical controls, although the technical controls may provide the information used in measurement. The actual metrics used will depend on the organization and the needs of the audit committee. The CAE can select examples of measurements taken at any level of the organization to help illustrate matters that can impact controls at the governance level materially.

Audit report summaries. Prepared on a regular basis for the audit committee, these reports summarize findings, conclusions, and opinions regarding the status of IT controls. They also can report on the agreed-upon actions from prior audit reports and the status of those actions — probably on an exception basis for actions not taken within the designated time frame. IT controls summaries cannot be presented in isolation but should be presented in the context of the entire internal control framework.

The frequency of reporting depends on the organization’s needs. In a strong regulatory environment, such as that provided by Sarbanes-Oxley in the United States, quarterly reporting is required. Otherwise, the frequency of reporting will be driven by the organization’s governance framework and philosophy and the extent to which IT risks exist.


Figure 6 – Audit Interfaces


Assessing IT controls is an ongoing process because business processes are constantly changing, technology continues to advance, threats evolve as new vulnerabilities emerge, and audit methods keep improving. The CAE should keep assessments of IT controls that support business objectives near the top of the audit agenda.

Assessing IT controls is not a case of determining whether best practices are employed, as controls are specific to the organization’s mission, objectives, culture, deployed processes and technologies, and risks. Technology should be tailored to provide effective control, and the CAE should ensure internal auditing adopts appropriate and effective methods. Auditing IT is a continuous learning process.

The CAE is rarely in a position to understand all the technologies used in his or her environment and their specific control implications. That is why properly certified and experienced IT auditors are a major asset for any internal audit function. However, the CAE should understand the overall control issues and be able to communicate them to senior management and to appropriate committees of the board of directors in a form they will understand and in a manner that will result in an appropriate response. The key to assessing IT controls effectively is communication with technical staff, management, and board members.

22

GTAG mdash Conclusion mdash 11

Note: This appendix is extracted from the report of the Best Practices and Metrics team of the Corporate Information Security Working Group (CISWG), as provided on November 17, 2004, to the Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census, Government Reform Committee, U.S. House of Representatives, and subsequently amended on January 10, 2005. Additional information may be obtained from the "Technology" section of http://www.theiia.org.

12.1 Governance (Board of Directors)

• Oversee risk management and compliance programs pertaining to information security (e.g., Sarbanes-Oxley, Health Insurance Portability and Accountability Act, Gramm-Leach-Bliley Act)
• Approve and adopt broad information security program principles and approve assignment of key managers responsible for information security
• Strive to protect the interests of all stakeholders dependent on information security
• Review information security policies regarding strategic partners and other third parties
• Strive to ensure business continuity
• Review provisions for internal and external audits of the information security program
• Collaborate with management to specify the information security metrics to be reported to the board

12.2 Management

• Establish information security management policies and controls and monitor compliance
• Assign information security roles, responsibilities and required skills, and enforce role-based information access privileges
• Assess information risks, establish risk thresholds and actively manage risk mitigation
• Ensure implementation of information security requirements for strategic partners and other third parties
• Identify and classify information assets
• Implement and test business continuity plans
• Approve information systems architecture during acquisition, development, operations and maintenance
• Protect the physical environment
• Ensure internal and external audits of the information security program, with timely follow-up
• Collaborate with security staff to specify the information security metrics to be reported to management

12.3 Technical

Establishing a complete information security program requires attention to the following technical program elements:

• User identification and authentication
• User account management
• User privileges
• Configuration management
• Event and activity logging and monitoring
• Communications, e-mail and remote access security
• Malicious code protection, including viruses, worms and trojans
• Software change management, including patching
• Firewalls
• Data encryption
• Backup and recovery
• Incident and vulnerability detection and response
• Collaboration with management to specify the technical metrics to be reported to management

GTAG — Appendix A — Information Security Program Elements — 12

There is an increasing volume of legislation impacting on the internal control framework that organizations choose to implement. Although much of this legislation has emerged over recent years in the United States as a result of various corporate scandals, it has impacted organizations in other countries as well. Organizations should be aware of the relevant legislation, regulation and business practices around the world — particularly in all countries in which they do business — to assess the organizational impacts and requirements.

For example, data protection legislation in Europe inhibits the transfer of information across borders to countries that do not have comparable data-protection regulation in place. This impacts trading relationships where the information to be transferred refers to identifiable individuals. Sarbanes-Oxley contains requirements for reporting on the system of internal controls for all organizations publicly traded in the United States, as well as their foreign subsidiaries.

This appendix provides a summary of requirements and the impact of some of the major legislation and regulation that should be considered in assessing and managing IT controls. Although this GTAG is aimed at a global audience, it covers Sarbanes-Oxley in some depth because it is one of the most significant pieces of legislation to emerge in recent years. The Organisation for Economic Co-operation and Development (OECD) Corporate Governance Principles provide a general framework for the implementation of business controls. The Basel II Accords have a major impact on the international financial sector, and many have suggested Basel II guidance may also influence other sectors.

13.1 U.S. Sarbanes-Oxley Act of 2002

Sarbanes-Oxley (http://www.theiia.org/iia/guidance/issues/sarbanes-oxley.pdf) was intended to reform public accounting practices and other corporate governance processes and shore up the capital markets in the wake of the Enron and WorldCom corporate governance scandals. The PCAOB provides a comprehensive collection of information and advice on Sarbanes-Oxley at its Web site (http://www.sarbanes-oxley.com). The key requirements of Sarbanes-Oxley, the SEC and U.S. stock listing exchanges are fully compared and contrasted in an IIA Research Foundation analysis titled "Assessment Guide for U.S. Legislative, Regulatory and Listing Exchanges Requirements Affecting Internal Auditing" (www.theiia.org/iia/download.cfm?file=519).

However, Sarbanes-Oxley does not address the issue of IT controls specifically. This does not mean IT can be ignored when performing the compliance reviews required by the act. The act is neutral with regard to technology, but the implication is clear that IT controls are critical to an organization's overall system of internal controls. As IT controls address the secure, stable and reliable performance of hardware, software and personnel to ensure the reliability of financial applications, processes and reporting, they must be a significant element of compliance reviews.

Some key IT control areas have been interpreted as not being incorporated in Sarbanes-Oxley compliance. These include privacy, business continuity, business systems, data classification, and information not specific to financial processing and reporting. Therefore, any audit specifically limited to Sarbanes-Oxley compliance will not assess all the risks faced by the organization and must be supplemented to ensure full audit coverage of the organization's risk management and internal controls.

Tools and resources for corporate governance initiatives and current legislation can be found on The IIA's Web site at http://www.theiia.org/iia/index.cfm?doc_id=4061.

13.1.1 Sarbanes-Oxley Sections Relevant to IT Controls

The following briefly describes the sections of Sarbanes-Oxley that relate to auditors and IT controls.

13.1.1.1 Sections 103 and 802

These sections establish rules for the public accounting firm relating to the audit and report. In particular, they require the board to establish standards for the audit work. They also require auditors to test the internal control structures and attest to the strength of those structures. This review must include a thorough examination of the IT controls that are fundamental to the system of internal control over financial reporting.

One specific requirement relates to the retention of records "that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets." Again, this is influenced greatly by the way in which IT records are maintained and retained.

13.1.1.2 Section 201

This section requires that external auditors be independent. This precludes them from performing work for a client in the capacity of IT consultants or providing outsourced internal audit services. Organizations that do not wish to employ their own IT auditors cannot outsource the work to their external auditors.

13.1.1.3 Section 301

Section 301 defines the need for audit committee members to be independent and precludes them from performing any other consulting work on behalf of the organization. It also requires audit committees to establish procedures to handle "confidential, anonymous submission by employees of the issuer of concerns regarding questionable accounting or auditing matters" (whistle-blower complaints). This would also relate to any issues arising from the control of IT.

13.1.1.4 Sections 302 and 404

Section 302 of the act requires the CEO and CFO — who are responsible for financial information and the system of internal controls — to evaluate the system of internal controls every 90 days and report on their conclusions and any changes.

GTAG — Appendix B — Compliance With Laws and Regulations and Guidance on Compliance Implementation — 13

They must disclose:

• "All significant deficiencies in the design or operation of internal controls that could adversely affect the issuer's ability to record, process, summarize and report financial data, and identify for the issuer's auditors any material weaknesses in internal controls"
• "Any fraud, whether or not material, that involves management or other employees who have a significant role in the issuer's internal controls"

Section 404 requires the CEO and CFO to produce an annual audit report that:

• Assesses the effectiveness of the internal control structure over financial reporting
• Discloses all known internal control weaknesses
• Discloses all known frauds

This report will cover all applicable IT controls, including program logic and related change controls, access controls, and data protection. The PCAOB Auditing Standard No. 2 suggests the COSO Internal Control – Integrated Framework as a basis for Section 404 compliance management. References to Statement of Auditing Standards (SAS) 95 also emphasize the importance of IT and information security controls to Sarbanes-Oxley.

13.1.1.5 Section 409

Section 409 requires organizations to disclose any material changes to operations in real time and in plain English. Some contend these requirements establish a foundation or need for continuous monitoring, auditing and assurance processes to become part of significant internal control processes.

13.2 Basel II Accord

The Basel II Accord is a global regulatory treaty that defines the global standards for enterprisewide risk management practices in the financial sector, with the intent to mitigate risks of losses in the industry. The focus is on the banking sector, but there is a clear intent to harmonize standards across all segments of the industry. All areas of bank operations are included — people, processes, systems, governance and supplier management.

A bank willing to qualify for the Advanced Measurement Approach (AMA) under the Operational Risk (OR) Treaty must implement best practice in operations and risk management. For risk management, this means:

• Senior management is actively involved
• The bank has an OR management system, processes, policies and procedures enterprisewide
• The bank has the right governance and sufficient resources to manage operational risks
• The bank has an OR management function that is responsible for:
  – Designing and implementing the OR management framework
  – Codifying policies, procedures and controls
  – Designing and implementing an OR measurement methodology
  – Designing and implementing an OR management reporting system
  – Developing strategies to identify, measure, monitor and control or mitigate OR
• An OR measurement system is closely integrated into the day-to-day risk management process
• The OR exposures and loss experiences are regularly reported
• The OR management system is documented
• Internal and external auditors regularly review the OR management processes and measurement system

Key to success in OR management is an information system that supports OR exposure self-assessment, allows process mapping, consists of an OR loss database and reporting function, and entails an action-plan management function.

The Basel Committee does not specify the approach or distributional assumptions to be used to generate the OR measure for regulatory capital purposes. However, the framework allows for three basic approaches that essentially are dependent on the quality and quantity of risk management data. Whereas using more data and historical metrics to prove good performance may allow banks to maintain lower capital reserves and to quantify OR, the banks must be able to demonstrate that their approaches capture potentially severe "tail" loss events (severe, unexpected losses). Moreover, consistency with the scope of OR as defined by the Basel Committee is required.

First, a bank's organization-wide risk assessment methodologies must capture key business environmental and internal control factors that can change its OR profile. In addition, the bank should have a process for assessing overall capital adequacy.

Next, the risk measurement system must be granular enough to capture the tails of the loss estimates. Banks are expected to use expert opinion in conjunction with external data for scenario analysis to evaluate their exposure to high-severity events. Because a bank does not have enough of its own data in the area of high-impact, low-frequency risks, it must acquire data from an external provider such as the Zurich-based ORX Global Operational Loss Database (GOLD) or MORE Exchange.

The banks must have a credible, transparent, well-documented and verifiable approach for weighting these fundamental elements in their overall OR measurement system. There are additional prerequisites to qualify for the AMA:

• Internal loss and performance data — successes, near misses and failures — all must be tracked and accounted for (reconciled to the books of the bank)


• Internal loss data must be linked to the bank's current business activities
• An observation period of at least five years is required for internal loss data, with a minimum of three years necessary when moving to AMA
• According to the internal loss collection process:
  – OR losses related to credit risk and historically included in banks' credit risk databases continue to be treated as credit risk for the purpose of calculating minimum regulatory capital under this framework. Such losses should be flagged separately.
  – OR losses related to market risk are treated as OR for the purposes of calculating minimum regulatory capital under this framework and are subject to the OR capital charge.
• The OR measurement system must use relevant external data

Third, Basel II disclosure requires banks to describe their risk management objectives and policies for each separate risk area, including:

• Strategies and processes
• Structure and organization of the risk management function
• Scope and nature of risk reporting
• Policies for hedging and mitigating risks (including operations)

Note: The BITS Key Risk Measurement Tool for Information Security Operational Risks, or "BITS Kalculator" (http://www.bitsinfo.org/bitskalculatorjuly04.pdf), is a tool financial institutions of all sizes can use to evaluate critical information security risks to their businesses. It can be downloaded at no cost from the BITS Web site (http://www.bitsinfo.org/wp.html).

13.3 Data Protection

The concept of data protection was developed when computerization issues were raised at United Nations and OECD conferences in the late 1960s. The first national law was enacted in 1974 in Sweden, and the OECD published its Data Protection Guidelines in 1980 (OECD C(80)58/Final). Regional bodies like the Council of Europe (Data Protection Convention 108/1981, human rights-based) and the European Commission (EC) (Directive 95/46/EC, consumer protection-oriented) have enacted binding frameworks for implementation in their member states. Depending on their legal system, many countries around the globe have constitutional provisions and omnibus laws or a broad spectrum of sector regulations for data protection. To bridge the differences in U.S. and European Union (EU) privacy regulations, the EC and the U.S. Department of Commerce developed a safe harbor framework for U.S. companies. The safe harbor is a framework agreement consisting of seven principles and a series of frequently asked questions. (See also http://www.was4.hewitt.com/hewitt/resource/legislative_updates/europe/eu_data1.htm.)

The EU legislation requires organizations to protect the personal information of individuals. The legislation also mandates that appropriate technical measures be taken to ensure the security of personal data, whether electronic or manual. Further information regarding data protection can be found at the Electronic Privacy Information Center (EPIC) (http://www.epic.org), Privacy International (http://www.privacyinternational.org) and the UK Office of the Information Commissioner (http://www.informationcommissioner.gov.uk).

13.4 The U.S. Gramm-Leach-Bliley Act (GLBA) – The Financial Modernization Act of 1999

The GLBA was introduced to protect the privacy of customer information in the financial sector, but it extends beyond financial companies. Any company that handles non-public financial customer information may be held accountable under this law, depending on the circumstances. More information is available from EPIC (http://www.epic.org/privacy/glba) and the U.S. Federal Trade Commission (http://www.ftc.gov/bcp/conline/pubs/buspubs/glblong.shtm#whois).

13.5 U.S. Health Insurance Portability and Accountability Act (HIPAA) 1996

HIPAA contains requirements for the privacy of personal information and for information security. The law applies to U.S.-based companies in the health care sector but can also pertain to any company that provides health care benefits to employees, depending on the circumstances. Further details can be found at http://www.hipaa.org.

13.6 California Security Breach Information Act, Civil Code Sections 1798.29 and 1798.82 (Frequently Referenced by the Bill – CA SB 1386)

California's State Bill 1386 amended the Information Practices Act of 1977 of the California Civil Code to create a sweeping regulation that mandates public disclosure of computer-security breaches in which confidential information of any California resident may have been compromised. Every enterprise — public or private — doing business with California residents is potentially affected. Confidential information covered by the law includes Social Security numbers, California driver's license numbers, account numbers, and credit or debit card numbers. A more detailed article on this regulation can be found at http://www.theiia.org/itaudit/index.cfm?fuseaction=forum&fid=5501. Although case law for this legislation is not cited here, some discussions on the subject have indicated the courts may not view an organization's statement favorably if it treats its California customers differently from its other customers.


13.7 Global National Regulations

Many countries have national regulations covering internal control, including Germany (KonTraG risk management requirement) and France (LSF internal control reporting requirement). In addition, external auditors may be required to certify the adequacy of financial reporting mechanisms and controls. Although most of these regulations do not address IT directly, they imply the need for an adequately controlled IT infrastructure. For this reason, many national bodies of the International Federation of Accountants (IFAC) provide detailed guidance for evaluating IT controls.

GTAG — Appendix C — Three Categories of IT Knowledge for Internal Auditors — 14

14.1 Auditor Knowledge Considerations

Standard 1210 – Proficiency of The IIA's Standards requires that the internal audit activity collectively should possess or obtain the knowledge, skills and other competencies needed to perform its responsibilities.4 Varying levels of IT knowledge are needed throughout the organization to provide a systematic, disciplined approach to evaluating and improving the effectiveness of risk management, control and governance processes. Knowledge of how IT is used, the related risks, and the ability to use IT as a resource in the performance of audit work is essential for auditor effectiveness at all levels.

The IIA's International Advanced Technology Committee has identified three categories of IT knowledge for internal auditors:

14.1.1 Category 1 – All Auditors

Category 1 is the knowledge of IT needed by all professional auditors, from new recruits up through the CAE. Basic IT knowledge encompasses understanding concepts such as the differences in software used in applications, operating systems and systems software, and networks. It includes comprehending basic IT security and control components such as perimeter defenses, intrusion detection, authentication and application system controls. Basic knowledge includes understanding how business controls and assurance objectives can be impacted by vulnerabilities in business operations and the related and supporting systems, networks and data components. It is fundamentally about ensuring that auditors have sufficient knowledge to focus on understanding IT risks without necessarily possessing significant technical knowledge.

14.1.2 Category 2 – Audit Supervisors

Category 2 applies to the supervisory level of auditing. In addition to having basic IT knowledge, audit supervisors must understand IT issues and elements sufficiently to address them in audit planning, testing, analysis, reporting, follow-up, and assigning auditor skills to the elements of audit projects. Essentially, the audit supervisor must:

• Understand the threats and vulnerabilities associated with automated business processes
• Understand business controls and risk mitigation that should be provided by IT
• Plan and supervise audit tasks to address IT-related vulnerabilities and controls, as well as the effectiveness of IT in providing controls for business applications and environments
• Ensure the audit team has sufficient competence — including IT proficiency — for audits
• Ensure the effective use of IT tools in audit assessments and testing
• Approve plans and techniques for testing controls and information
• Assess audit test results for evidence of IT vulnerabilities or control weaknesses
• Analyze symptoms detected and relate them to causes that may have their sources in business or IT planning, execution, operations, change management, authentication or other risk areas
• Provide audit recommendations based on business assurance objectives appropriate to the sources of problems noted, rather than simply reporting on problems or errors detected

14.1.3 Category 3 – Technical IT Audit Specialists

Category 3 applies to the technical IT audit specialist. Although IT auditors may function at the supervisory level, they must understand the underlying technologies supporting business components and be familiar with the threats and vulnerabilities associated with the technologies. IT auditors also may specialize in only certain areas of technology.

IIA programs and products are designed primarily to meet the information needs of the Category 1 and 2 auditor. The Category 1 auditor will seek IIA guidance in relating IT threats, vulnerabilities and controls to business assurance objectives. IIA products also provide information that can be useful in explaining the business impacts of technical problems. In addition, IIA products can help Category 3 technical IT auditors gain proficiency in areas of technology with which they are not already familiar and in striving to reach supervisory or management audit competence.

The SANS Institute provides information security training and awards Global Information Assurance Certification (GIAC) relevant to information security professionals, including auditors. The course offerings and accompanying certifications match the growing demands of students, new threats and new technologies. GIAC certifications (http://www.giac.org/subject_certs.php) are grouped by subject matter and level of difficulty. Some are full certifications that accompany five- to six-day training courses, while others are certificates related to one- to two-day courses. Certificates are less involved but more intensely focused than certifications.

Also of interest and benefit to all categories of IT auditor are the materials provided by the Information Systems Audit and Control Association (ISACA). ISACA offers standards, guidelines and procedures for IT audit professionals; technical research focused on IT audit topics; the Certified Information Systems Auditor (CISA) certification, earned by more than 35,000 individuals worldwide; and publications, education and conferences targeted to IT audit professionals.

4 Note: The "Three Categories of IT Knowledge for Internal Auditors" document is not part of The IIA's Standards but is practical guidance provided by The IIA's International Advanced Technology Committee.

GTAG — Appendix D — Compliance Frameworks — 15

15.1 COSO

Formed in 1985, COSO is an independent private-sector initiative that studied the factors that can lead to fraudulent financial reporting and developed recommendations for public companies and their independent auditors, the SEC and other regulators, and educational institutions. COSO produced the Internal Control – Integrated Framework (Appendix E, see page 36), a widely accepted tool for both management and auditors, in September 2004, and it published Enterprise Risk Management – Integrated Framework in fall 2004. Details of both frameworks can be found at http://www.coso.org.

15.2 CICA CoCo

The Canadian Institute of Chartered Accountants (CICA) produced the Criteria of Control Framework (CoCo) in 1992 to address public and institutional concerns that the traditional view of control was no longer effective in preventing corporate failures. The mission of CoCo is to improve organizational performance and decision making through better understanding of control, risk and governance. Moreover, the framework provides a basis for making judgments about the effectiveness of control.

In 1995, Guidance on Control was produced, which describes the CoCo framework and defines control in a way that goes beyond the traditional internal control over financial reporting. The CoCo model is a way of focusing on the future of an organization to ensure it is in control by having a clear sense of shared purpose, collective commitment to achieve that purpose, the resources it needs to do the job, and the ability to learn from experience.

15.3 CICA IT Control Guidelines

The IT Control Guidelines published by the CICA are a reference source for evaluating IT controls. They are organized in a manner that is easy to use and written in straightforward business language.

15.4 ITGI Control Objectives for Information and Related Technology (CobiT)

Established in 1998, the IT Governance Institute (ITGI) provides guidance on current and future issues related to IT governance, security and assurance. The ITGI's leading guidance publication is Control Objectives for Information Technology (CobiT) (see Appendix F). ITGI's CobiT provides a reference framework and common language across the entire information systems life cycle for IS and business leaders and IS audit, control and security practitioners. CobiT is one of the most popular and internationally accepted sets of guidance materials for IT governance.

15.5 ISO 17799 (Code of Practice for Information Security Management)

ISO/IEC 17799:2000(E), promulgated by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), defines information security principles that ultimately can provide assurance to trading partners and regulators that an organization's information is protected properly. Derived from the British Standards Institution's BS 7799 standard, the Code of Practice for Information Security Management is built around specific security elements required within 10 areas, including physical and environmental security, communication and operational management, and access control. Although, as a code of practice, ISO/IEC 17799:2000 provides guidance and recommendations, it is not intended to be a specification, and care should be taken to ensure that claims of compliance are not misleading.

The original BS 7799 standard has two parts:

• Part 1 is the Code of Practice and is identical to ISO/IEC 17799:2000.
• Part 2 is a specification for implementing an information security management system (ISMS).

To comply with BS 7799 Part 2 (BS 7799-2:2002), an organization's installed ISMS must conform to the set of requirements described in the standard, which are in the form of "shall" statements. Third-party bodies have been accredited to certify or register organizations to BS 7799-2:2002.

15.5.1 What Is Information Security?

BS 7799 treats information as an asset which, like other important business assets, has value to an organization and consequently needs to be protected. Information security protects information from a wide range of threats to ensure business continuity, minimize business damage, and maximize return on investments and business opportunities.

Information can exist in many forms: printed or written on paper, stored electronically, transmitted by post or using electronic means, shown on films, or spoken in conversation. Whatever form the information takes, or means by which it is shared or stored, BS 7799 indicates that it always should be protected appropriately.

Information security is characterized within BS 7799 as the preservation of:

• Confidentiality – ensuring that information is accessible only to those authorized to have access
• Integrity – safeguarding the accuracy and completeness of information and processing methods
• Availability – ensuring that authorized users have access to information and associated assets when required

Information security is achieved by implementing a suitable set of controls from BS 7799, which could be policies, practices, procedures, organizational structures and software functions. These controls should be established to ensure the specific security objectives of the organization are met.

15.5.2 How to Establish Security Requirements

BS 7799 states that it is essential that an organization identify its security requirements. There are three main sources:

• Assessing risks to the organization; BS 7799 does not prescribe a methodology
• The legal, statutory, regulatory and contractual requirements that an organization, its trading partners, contractors and service providers have to satisfy
• The particular set of principles, objectives and requirements for information processing that an organization has developed to support its operations

15.5.3 Assessing Security Risks

BS 7799 suggests that security requirements be identified by a methodical assessment of security risks. Expenditure on controls should be balanced against the business harm likely to result from security failures. The process of assessing risks and selecting controls may need to be performed a number of times to cover different parts of the organization or individual information systems, and it is important to review security risks and implemented controls periodically.

15.5.4 Selecting Controls

Once security requirements have been identified, controls from BS 7799 should be selected and implemented to ensure risks are reduced to an acceptable level. Controls should be selected based on the cost of implementation in relation to the risks being reduced and the potential losses if a security breach occurs. Nonmonetary factors, such as loss of reputation, should also be taken into account. For more information on BS 7799, see http://www.bs7799-iso17799.com.

15.5.5 Topics Addressed in BS 7799

1 Scope
2 Terms and definitions
3 Security policy
  3.1 Information security policy document
  3.2 Review and evaluation
4 Security organization
  4.1 Information security infrastructure
  4.2 Security of third-party access
  4.3 Outsourcing
5 Asset classification and control
  5.1 Accountability for assets
  5.2 Information classification
6 Personnel security
  6.1 Security in job definition and resourcing
  6.2 User training
  6.3 Responding to security incidents and malfunctions
7 Physical and environmental security
  7.1 Secure areas
  7.2 Equipment security
  7.3 General control
8 Communications and operations management
  8.1 Operational procedures and responsibilities
  8.2 System planning and acceptance
  8.3 Protection against malicious software
  8.4 Housekeeping
  8.5 Network management
  8.6 Media handling and security
  8.7 Exchanges of information and software
9 Access control
  9.1 Business requirement for access control
  9.2 User access management
  9.3 User responsibilities
  9.4 Network access control
  9.5 Operating system access control
  9.6 Application access control
  9.7 Monitoring system access and use
  9.8 Mobile computing and teleworking
10 Systems development and maintenance
  10.1 Security requirements of systems
  10.2 Security in application systems
  10.3 Cryptographic controls
  10.4 Security of system files
  10.5 Security in development and support processes
11 Business continuity management
  11.1 Business continuity management process
12 Compliance
  12.1 Compliance with legal requirements
  12.2 Reviews of security policy and technical compliance
  12.3 System audit considerations

15.6 ISF Standard of Good Practice for Information Security

The Information Security Forum (ISF) Standard of Good Practice for Information Security aims at managing the risks associated with every aspect of information systems, irrespective of an organization's market sector, size, or structure. The standard, prepared by ISF's global working groups, is a publicly available document split into five key areas: security management, critical business applications, computer installations, networks, and systems development. For more information and details, see http://www.isfsecuritystandard.com.

15.7 Generally Accepted Information Security Principles (GAISP)

The Generally Accepted Information Security Principles (GAISP) culls best practice from all other similar frameworks. Developed in 1991 as the Generally Accepted System Security Principles, GAISP provides a comprehensive hierarchy of guidance for securing information and supporting technology, including:

• Pervasive Principles – board-level guidance.

• Broad Functional Principles – designed for executive-level information management (exposure draft distributed September 1999).

• Detailed Principles – guidance for operational information security management (under development).

GAISP is now being developed by the Information Systems Security Association (ISSA) (http://www.issa.org), which can provide details.

15.7.1 Pervasive Principles

The Pervasive Principles address the confidentiality, integrity, and availability of information. They provide general guidance to establish and maintain the security of information and supporting technology.

• Accountability Principle – Information security accountability and responsibility must be defined clearly and acknowledged.
  Rationale – Accountability characterizes the ability to audit the actions of all parties and processes that interact with information. Roles and responsibilities should be clearly defined, identified, and authorized at a level commensurate with the sensitivity and criticality of information. The relationship between all parties, processes, and information must be defined, clearly documented, and acknowledged by all parties. All parties must have responsibilities for which they are held accountable.

• Awareness Principle – All parties with a need to know — including but not limited to information owners and information security practitioners — should have access to available principles, standards, conventions, or mechanisms for securing information and information systems, and should be informed of applicable threats to the security of information.
  Rationale – This principle applies between and within organizations. Awareness of information security principles, standards, conventions, and mechanisms enhances and enables controls and can help to mitigate threats. Awareness of threats and their significance also increases user acceptance of controls. Without awareness of the necessity for particular controls, users can pose a risk to information by ignoring, bypassing, or overcoming existing control mechanisms. The awareness principle applies to unauthorized and authorized parties.

• Ethics Principle – Information should be used, and information security should be administered, in an ethical manner.
  Rationale – Information systems pervade our societies. Rules and expectations are evolving with regard to the appropriate provision and use of information systems and the security of information. Use of information and information systems should match the expectations established by social norms and obligations.

• Multidisciplinary Principle – Principles, standards, conventions, and mechanisms for securing information and information systems should address the considerations and viewpoints of all interested parties.
  Rationale – Information security is achieved by the combined efforts of information owners, users, custodians, and information security personnel. Decisions made with due consideration of all relevant viewpoints and technical capabilities can enhance information security and receive better acceptance.

• Proportionality Principle – Information security controls should be proportionate to the risks of modification, denial of use, or disclosure of information.
  Rationale – Security controls should be commensurate with the value and vulnerability of information assets. Consider the value, sensitivity, and criticality of the information, as well as the probability, frequency, and severity of direct and indirect harm or loss. This principle recognizes the value of approaches to information security ranging from prevention to acceptance.

• Integration Principle – Principles, standards, conventions, and mechanisms for the security of information should be coordinated and integrated with each other and with the organization's policies and procedures to create and maintain security throughout an information system.
  Rationale – Many information security breaches involve the compromise of more than one safeguard. The most effective control measures are components of an integrated system of controls. Information security is most efficient when planned, managed, and coordinated throughout the organization's system of controls and the life of the information.

• Timeliness Principle – All accountable parties should act in a timely, coordinated manner to prevent or respond to breaches of, and threats to, the security of information and information systems.
  Rationale – Organizations should be able to coordinate and act swiftly to prevent or mitigate threat events. This principle recognizes the need for the public and private sectors to jointly establish mechanisms and procedures for rapid and effective threat-event reporting and handling. Access to threat-event history could support effective response to threat events and may help prevent future incidents.

Figure 7 – Security Management

• Assessment Principle – The risks to information and information systems should be assessed periodically.
  Rationale – Information and security requirements vary over time. Organizations periodically should assess the information, its value, and the probability, frequency, and severity of direct and indirect harm or loss. Periodic assessment identifies and measures the variances from available and established security measures and controls, such as those articulated in the GAISP, as well as the risk associated with such variances. It also enables accountable parties to make informed information risk management decisions about accepting, mitigating, or transferring the identified risks, with due consideration of cost effectiveness.

• Equity Principle – Management shall respect the rights and dignity of individuals when setting policy and when selecting, implementing, and enforcing security measures.
  Rationale – Information security measures implemented by an organization should not infringe upon the obligations, rights, and needs of legitimate users, owners, and others affected by the information when exercised within the legitimate parameters of the mission objectives.

15.8 AICPA/CICA Trust Services Principles and Criteria

The American Institute of Certified Public Accountants (AICPA) Assurance Services Executive Committee and the CICA Assurance Services Development Board developed the Trust Services Principles and Criteria to address the risks and opportunities of IT. Trust Services Principles and Criteria set out broad statements of principles and identify specific criteria that should be achieved to meet each principle. The principles are broad statements of objectives. Criteria are benchmarks used to measure and present the subject matter, and against which the practitioner can evaluate the subject matter. In the Trust Services Principles and Criteria, the criteria are supported by a list of illustrative controls. The Trust Services Principles and Criteria are organized into four broad areas:

• Policies – The organization has defined and documented its policies [5] relevant to the particular principle.

• Communications – The organization has communicated its defined policies to authorized users.

• Procedures – The organization uses procedures to achieve its objectives in accordance with its defined policies.

• Monitoring – The organization monitors the system and takes action to maintain compliance with its defined policies.

Following are summaries of the Trust Services Security, Availability, Processing Integrity, Privacy, Confidentiality, and Certification Authority Principles and Criteria. The Trust Services Principles and Criteria can be used to deliver branded SysTrust and WebTrust engagements, which are assurance services designed for a wide variety of IT-based systems. Upon attainment of an unqualified assurance report, the organization would be entitled to display a SysTrust or WebTrust Seal and accompanying auditor's report. In addition, the framework can be used to provide advisory and consulting services. For a detailed listing of the Trust Services Principles and Criteria, see http://www.aicpa.org/trustservices.

15.8.1 Security Principle – The system is protected against unauthorized access (both physical and logical)

In e-commerce and other systems, the respective parties must ensure that information provided is available only to those individuals who need access to complete the transaction or services, or to follow up on questions or issues that may arise. Information provided through these systems is susceptible to unauthorized access during transmission and while it is stored on the other party's systems. Limiting access to the system components helps prevent potential abuse of the system, theft of resources, misuse of software, and improper access to, or use, alteration, destruction, or disclosure of, information. Key elements for protecting system components include permitting authorized access and preventing unauthorized access to those components.

15.8.2 Availability Principle – The system is available for operation and use as committed or agreed

The availability principle refers to the accessibility to the system, products, or services as advertised or committed by contract or by service-level and other agreements. This principle does not, in itself, set a minimum-acceptable performance level for system availability. Instead, the minimum performance level is established by mutual agreement (contract) between the parties.

Although system availability, functionality, and usability are connected, the availability principle does not address system functionality (the specific functions a system performs) and system usability (the ability of users to apply system functions to specific tasks or problems). It does address system availability, which relates to whether or not the system is accessible for processing, monitoring, and maintenance.

[5] The term policies refers to written statements that communicate management's intent, objectives, requirements, responsibilities, and standards for a particular subject. Some policies may be described explicitly as such, being contained in policy manuals or similarly labeled documents. However, some policies may be contained in documents without such explicit labeling, including, for example, notices or reports to employees or outside parties.

[6] Although some privacy regulations use the term principle, the term component is used in the AICPA/CICA Trust Services Principles and Criteria Framework to represent that concept, because the term principle previously has been defined in the Trust Services literature.

15.8.3 Processing Integrity Principle – System processing is complete, accurate, timely, and authorized

Processing integrity exists if a system performs its intended function in an unimpaired manner, free from unauthorized or inadvertent manipulation. Completeness generally indicates that all transactions and services are processed or performed without exception and that transactions and services are not processed more than once. Accuracy includes assurances that key information associated with the submitted transaction will remain accurate throughout the processing of the transaction and that the transaction or services are processed or performed as intended. The timeliness of the provision of services or the delivery of goods is addressed in the context of commitments made for such delivery. Authorization includes assurances that processing is performed in accordance with the required approvals and privileges defined by policies governing system processing.

The risks associated with processing integrity are that the party initiating the transaction will not complete the transaction or provide the service correctly and in accordance with the desired or specified request. Without appropriate processing-integrity controls, the buyer may not receive the goods or services ordered, may receive more than requested, or may receive the wrong goods or services altogether. However, if appropriate processing-integrity controls exist and are operational within the system, the buyer can be reasonably assured of receiving the correct goods and services in the correct quantity and price by the promised date. Processing integrity addresses all of the system components, including procedures to initiate, record, process, and report the information, product, or service that is the subject of the engagement. The nature of data input in e-commerce systems typically involves the user entering data directly over Web-enabled input screens or forms, whereas in other systems the nature of data input can vary significantly. Because of this difference in data-input processes, the nature of controls over the completeness and accuracy of data input in e-commerce systems may be somewhat different than for other systems.

Processing integrity differs from data integrity because it does not imply automatically that the information stored by the system is complete, accurate, current, and authorized. If a system processes information from sources outside of the system's boundaries, an organization can establish only limited controls over the completeness, accuracy, authorization, and timeliness of the information submitted for processing. Errors that may have been introduced into the information and control procedures at external sites typically are beyond the organization's control. When the information source is excluded explicitly from the description of the system that defines the engagement, it is important to detail that exclusion in the system description. In other situations, the data source may be an inherent part of the system being examined, and controls over the completeness, accuracy, authorization, and timeliness of information submitted for processing would be included in the scope of the system as described.

15.8.4 Privacy Principle and Components – Personal information is collected, used, retained, and disclosed in conformity with the commitments in the organization's privacy notice and with the AICPA/CICA Trust Services Privacy Criteria

The Privacy Principle contains 10 components [6] and related criteria that are essential to the proper protection and management of personal information. These privacy components and criteria are based on fair information practices included in privacy laws and regulations of various jurisdictions around the world and many recognized good privacy practices. The privacy components are:

• Management – The organization defines, documents, communicates, and assigns accountability for its privacy policies and procedures.

• Notice – The organization provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained, and disclosed.

• Choice and consent – The organization describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use, and disclosure of personal information.

• Collection – The organization collects personal information only for the purposes identified in the notice.

• Use and retention – The organization limits the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent. The organization retains personal information only as long as necessary to fulfill the stated purposes.

• Access – The organization provides individuals with access to their personal information for review and update.

• Disclosure to third parties – The organization discloses personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual.

• Security – The organization protects personal information against unauthorized access, both physical and logical.

• Quality – The organization maintains accurate, complete, and relevant personal information for the purposes identified in the notice.

• Monitoring and enforcement – The organization monitors compliance with its privacy policies and procedures and has processes to address privacy-related complaints and disputes.

15.8.5 Confidentiality Principle – Information designated as "confidential" is protected as committed or agreed

The confidentiality principle focuses on information designated "confidential." There is no widely recognized definition of confidential information, unlike personally identifiable information, which many countries currently are defining through regulation. In the course of communicating and transacting business, partners often exchange information they require to be maintained on a confidential basis. In most instances, the respective parties wish to ensure that the information they provide is available only to those individuals who need access to complete the transaction or resolve any questions that arise. To enhance business partner confidence, it is important to inform the partner about the organization's confidentiality practices, including those for providing authorized access to, use of, and sharing of information designated as confidential.

Information that may be subject to confidentiality includes:

• Transaction details
• Engineering drawings
• Business plans
• Banking information about businesses
• Inventory availability
• Bid or ask prices
• Price lists
• Legal documents
• Client and customer lists
• Revenue by client and industry

Unlike personal information, there are no defined rights for accessing confidential information to ensure its accuracy and completeness. Interpretations of what is considered confidential information can vary significantly from business to business and are driven by contractual arrangements in most cases. As a result, those engaged in business relationships need to understand what information will be maintained on a confidential basis and what, if any, rights of access or other expectations an organization might have for updating that information to ensure its accuracy and completeness.

Information that is provided to another party is susceptible to unauthorized access during transmission and while it is stored on the other party's computer systems. For example, an unauthorized party may intercept business partner profile information and transaction and settlement instructions while they are being transmitted. Controls such as encryption can be used to protect the confidentiality of this information during transmission, while firewalls and rigorous access controls can help protect the information while it is stored on computer systems.

15.8.6 Certification Authority (CA) Principle

The certification authority discloses its key and certificate life cycle-management, business, and information privacy practices and provides its services in accordance with these practices. This includes the concepts of CA business-practice disclosures, service integrity, and environmental controls.

15.9 IIA Systems Assurance and Control (SAC)

The IIA provides the SAC model. The SAC model sets the stage for effective technology risk management by giving companies a framework to guide an evaluation of the e-business control environment. SAC recognizes the importance of governance — both within an organization and between business partners — to ensure effective security, auditability, and control of information. SAC provides current information to understand, monitor, assess, and mitigate technology risks. SAC examines risks in all business system components, including customers, competitors, regulators, and partners. Full details of the model can be found at http://www.theiia.org/eSAC/index.cfm, with a detailed discussion of the model at www.theiia.org/itaudit/index.cfm?fuseaction=forum&fid=411.

15.10 Corporate Governance

15.10.1 OECD Principles of Corporate Governance

The OECD Principles of Corporate Governance, amended in April 2004, set out a framework for good practice that has been agreed to by all 30 OECD member countries and has become a generally accepted standard (http://www.oecd.org/corporate). Originally issued in 1999, the principles are designed to assist governments and regulatory bodies in drawing up and enforcing effective rules, regulations, and codes of corporate governance. In parallel, they provide guidance for stock exchanges, investors, companies, and others that have a role in the process of developing good corporate governance. Although the OECD principles do not provide specific guidance on IT controls, other OECD units provide further guidance and research on information security and privacy.

15.10.2 EU Commission

The European Commission's Action Plan on Company Law and Corporate Governance was released in May 2003 to strengthen corporate governance mechanisms in public interest entities. (For details, see http://europa.eu.int/comm/internal_market/company/index_en.htm.) The EU's Corporate Governance initiatives do not address IT issues specifically, but activities of the Information Society

GTAG — Appendix E — Assessing IT Controls Using COSO — 16

The COSO Internal Control – Integrated Framework is recognized as a formal model for the purpose of Sarbanes-Oxley attestation by the SEC and provides a hierarchical categorization of controls. In addition, the audit standard from the PCAOB states:

"Because of the frequency with which management of public companies is expected to use COSO as the framework for the assessment, the directions in the standard are based on the COSO framework. Other suitable frameworks have been published in other countries and likely will be published in the future. Although different frameworks may not contain exactly the same elements as COSO, they should have elements that encompass all of COSO's general themes."

The COSO model was refined and enhanced during 2004 through development of the COSO Enterprise Risk Management – Integrated Framework (http://www.coso.org). This appendix describes the earlier framework, which is the version referenced for regulatory compliance. Nonetheless, the CAE should investigate the Enterprise Risk Management – Integrated Framework.

16.1 COSO Definition of Internal Control

COSO defines internal control (http://www.coso.org/key.htm) as "a process, effected by an organization's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations"

These distinct but overlapping categories address different needs, such that each requires a directed focus. The first category addresses an entity's basic business objectives, including performance and profitability goals and safeguarding of resources, which are impacted greatly by the use of IT.

The second category relates to the preparation of reliable published financial statements, including interim and condensed financial statements, as well as earnings releases and other selected publicly reported financial data derived from such statements. IT systems frequently produce such reports, and the controls over these systems play a major part in the level of internal control.

The third category deals with complying with those laws and regulations to which the entity is subject.

Internal control systems operate at different levels of effectiveness. Internal control can be judged effective in each of the three categories if the board of directors and management have reasonable assurance that:

• They understand the extent to which the entity's operations objectives are being achieved.

• Published financial statements are being prepared reliably.

• There is compliance with applicable laws and regulations.

Although internal control is a process, its effectiveness is a state or condition of the process at one or more points in time.

16.2 COSO Internal Control — Integrated Framework

Internal control consists of five interrelated components that are derived from the way management runs a business and are integrated with the management process. Although the components apply to all entities, small and mid-size organizations may implement them differently than large enterprises. A small organization's controls may be less formal and less structured, yet it can still have effective internal control. The components are:

16.2.1 Control Environment

The control environment sets the tone for an organization, influencing the control consciousness of its people, establishing the foundation for all other components of internal control, and providing discipline and structure. Control environment factors include the integrity, ethical values, and competence of the entity's people; management's philosophy and operating style; the way management assigns authority and responsibility and organizes and develops its people; and the attention and direction provided by the board of directors.

16.2.2 Risk Assessment

Every entity faces a variety of risks from external and internal sources that must be assessed. A precondition to risk assessment is the establishment of objectives that are linked at different levels and are consistent internally. Risk assessment identifies and analyzes the relevant risks to achieving these objectives and forms a basis for determining how the risks should be managed. Because economic, industry, regulatory, and operating conditions will continue to change, organizations need mechanisms to identify and deal with the special risks associated with change.

16.2.3 Control Activities

Control activities are the policies and procedures that help ensure management directives are carried out and that necessary actions are taken to address risks to achieving these objectives. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets, and segregation of duties.

16.2.4 Information and Communication

Pertinent information must be identified, captured, and communicated in a form and time frame that enables people to perform their responsibilities. Information systems produce reports containing operational, financial, and compliance-related information that make it possible to run and control the business. They deal not only with internally generated data, but also with information about external events, activities, and conditions necessary for informed business decision-making and external reporting. Effective communication must also occur in a broader sense, flowing down, across, and up the organization. All personnel must receive a clear message from top management that control responsibilities have to be taken seriously. They need to understand their own role in the internal control system, as well as how individual activities relate to the work of others. They must have a means of communicating significant information upstream. There also needs to be effective communication with external parties, such as customers, suppliers, regulators, and shareholders.

16.2.5 Monitoring

Internal control systems need to be monitored to assess the quality of their performance over time. This is accomplished through ongoing monitoring activities, separate evaluations, or a combination of the two. Ongoing monitoring occurs in the course of operations and includes regular management and supervisory activities and other actions personnel take in performing their duties. The scope and frequency of separate evaluations will depend primarily on an assessment of risks and the effectiveness of ongoing monitoring procedures. Internal control deficiencies should be reported upstream, with serious matters reported to top management and the board.

There is synergy and linkage among the components, forming an integrated system that reacts dynamically to changing conditions. The internal control system is intertwined with the entity's operating activities and exists for fundamental business reasons. Internal control is most effective when controls are built into the entity's infrastructure and are a part of the essence of the enterprise. Built-in controls support quality and empowerment initiatives, avoid unnecessary costs, and enable quick response to changing conditions.

There is a direct relationship between the three COSO categories of objectives (effectiveness, reliability, compliance) — which are what an entity strives to achieve — and the components needed to achieve the objectives. All components are relevant to each objectives category. When looking at any one category — the effectiveness and efficiency of operations, for instance — all five components must be present and functioning effectively to conclude that internal control over operations is effective.

The internal control definition — with its underlying fundamental concepts of a process, effected by people, providing reasonable assurance — together with the categorization of objectives, the components and criteria for effectiveness, and the associated discussions, constitute this internal control framework.

GTAG — Appendix F — ITGI Control Objectives for Information and Related Technology (CobiT) — 17

Organizations must satisfy the quality, fiduciary, and security requirements for their information, as for all assets. Management must also optimize the use of available resources, including data, application systems, technology, facilities, and people. To discharge these responsibilities, as well as to achieve its objectives, management must establish an adequate system of internal control. Thus, an internal control system or framework must be in place to support the business processes, and it must be clear how each individual control activity satisfies the information requirements and impacts the resources. Impact on IT resources is highlighted in the CobiT framework, together with the business requirements for effectiveness, efficiency, confidentiality, integrity, availability, compliance, and reliability of information that need to be satisfied. Control, which includes policies, organizational structures, practices, and procedures, is management's responsibility. Management, through its corporate and IT governance, must ensure that due diligence is exercised by all individuals involved in the management, use, design, development, maintenance, or operation of information systems.

Business orientation is the main theme of CobiT. It is designed not only to be employed by users and auditors, but also, and more importantly, as a comprehensive checklist for business process owners. Increasingly, business practice involves the full empowerment of business process owners so they have total responsibility for all aspects of the business process. In particular, this includes providing adequate controls. The CobiT framework provides a tool for the business process owner that facilitates the discharge of this responsibility. The framework starts from a simple and pragmatic premise: in order to provide the information that the organization needs to achieve its objectives, IT resources need to be managed by a set of naturally grouped processes.

CobiT continues with a set of 34 high-level control objectives, one for each of the IT processes, grouped into four domains: Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate.

Plan and Organize – This domain covers strategy and tactics and concerns the identification of the way IT can best contribute to the achievement of business objectives.

1. Define a strategic IT plan
2. Define the information architecture
3. Determine the technological direction
4. Define the IT organization and relationships
5. Manage the IT investment
6. Communicate management aims and direction
7. Manage human resources
8. Ensure compliance with external requirements
9. Assess risks
10. Manage projects
11. Manage quality

Acquire and Implement – To realize the IT strategy, IT solutions need to be identified, developed or acquired, as well as implemented and integrated into the business process. In addition, changes in and maintenance of existing systems are covered by this domain to make sure that the life cycle is continued for these systems.

12. Identify automated solutions
13. Acquire and maintain application software
14. Acquire and maintain technology architecture
15. Develop and maintain IT procedures
16. Install and accredit systems
17. Manage changes

Deliver and Support – This domain is concerned with the actual delivery of required services, which range from traditional operations over security and continuity aspects to training. This domain includes the actual processing of data by application systems.

18. Define and manage service levels
19. Manage third-party services
20. Manage performance and capacity
21. Ensure continuous service
22. Ensure systems security
23. Identify and allocate costs
24. Educate and train users
25. Assist and advise IT customers
26. Manage the configuration
27. Manage problems and incidents
28. Manage data
29. Manage facilities
30. Manage operations

Monitor and Evaluate – All IT processes need to be assessed regularly over time for their quality and compliance with control requirements. This domain thus addresses management's oversight of the organization's control process and independent assurance provided by internal and external auditing or obtained from alternative sources.

31. Monitor the processes
32. Assess internal control adequacy
33. Obtain independent assurance
34. Provide for independent audit

This structure covers all aspects of information and the technology that supports it. By addressing these 34 high-level control objectives, the business process owner can ensure that an adequate control system is provided for the IT environment.

CobiT is comprised of:

• An executive summary, which provides an overview of CobiT's issues and foundational premise.
• CobiT framework, which describes in detail the high-level IT control objectives and identifies the business requirements for information and IT resources primarily impacted by each control objective.
• Control objectives: statements of the desired results or purposes to be achieved by implementing the specific detailed control objectives.
• Audit guidelines: suggested audit steps corresponding to each of the IT control objectives.
• An implementation tool set, which provides lessons learned from those organizations that successfully applied CobiT in their work environments, and several tools to help management assess their control environment related to information and IT resources.
• Management guidelines, which are composed of maturity models to help determine the stages and expectation levels of control; critical success factors to identify the most important actions for achieving control over the IT processes; key goal indicators to define target levels of performance; and key performance indicators to measure whether an IT control process is meeting its objective.

Designated by the IT Governance Institute (ITGI) and ISACA as an open standard, this portion of COBIT may be downloaded from http://www.itgi.org and http://www.isaca.org.

CobiT, now in its third edition and available in hard copy or interactive online format (CobiT Online), increasingly is accepted internationally as good practice for control over information, IT and related risks. Its guidance enables an enterprise to implement effective governance over the IT that is pervasive and intrinsic throughout the enterprise.

Copyright © 2000 by ITGI and reprinted with the permission of the ITGI. No other right or permission is granted with respect to this work.

GTAG — Appendix G — Example IT Control Metrics to Be Considered by Audit Committees — 18

The following metrics descriptions are taken from the Corporate Information Security Working Group (CISWG) draft report of the Best Practices and Metrics teams, November 17, 2004. During Phase I of the CISWG, convened in November 2003 by Rep. Adam Putnam (R-FL), the Best Practices team surveyed available information security guidance. It concluded in its March 2004 report [7] that much of this guidance is expressed at a relatively high level of abstraction and therefore is not useful immediately as actionable guidance without significant, and often costly, elaboration. A one-page listing of Information Security Program Elements, regarded as essential content for comprehensive enterprise management of information security, was created, upon which it was hoped future actionable guidance could be built for use by a wide variety of organizations.

The Best Practices and Metrics teams of CISWG Phase II, convened in June 2004, were charged with expanding on the work of Phase I by refining the Information Security Program Elements and developing metrics to support each of the elements. The goal was to develop a resource that would help board members, managers and technical staff establish a comprehensive structure of principles, policies, processes, controls and performance metrics to support the people, process and technology aspects of information security.

These generic metrics can be used as the basis for determining regular reporting requirements for the audit committee, although they are not meant to be a "one-size-fits-all" solution. The full set of draft metrics, along with explanatory notes and descriptions, can be found under the "Technology" section of http://www.theiia.org.

The Information Security Program Elements and Supporting Metrics are intended to enable boards, management and technical staff to monitor the status and progress of their organization's information security program over time. Each organization should thoughtfully consider which program elements and metrics might be helpful in its own circumstances. It should then set its own implementation priorities and establish an appropriate policy, process and control structure. Larger and more complex organizations will create policies, processes and controls in each program element that inevitably will be more extensive than those a smaller organization might choose to implement.

18.1 Metrics for Boards of Directors/Trustees

Establishing a competent information security program requires board members to devote attention to certain program elements. Board members can use the following metrics as part of their information security responsibilities. Board members generally should find the best target value for each metric — higher or lower — to be self-evident.

• Oversee risk management and compliance programs pertaining to information security
– Percentage of key information assets for which a comprehensive strategy has been implemented to mitigate information security risks as necessary and to maintain these risks within acceptable thresholds
– Percentage of key organizational functions for which a comprehensive strategy has been implemented to mitigate information security risks as necessary and to maintain these risks within acceptable thresholds
– Percentage of key external requirements for which the organization has been deemed to be in compliance by an objective audit or other means

• Approve and adopt broad information security program principles and approve assignment of key managers responsible for information security
– Percentage of information security program principles for which approved policies and controls have been implemented by management
– Percentage of key information security management roles for which responsibilities, accountabilities and authority are assigned and required skills identified

• Strive to protect the interests of all stakeholders who depend on information security
– Percentage of board meetings and/or designated committee meetings for which information security is on the agenda
– Percentage of security incidents that caused damage, compromise or loss beyond established thresholds to the organization's assets, functions or stakeholders
– Estimated damage or loss in dollars resulting from all security incidents in each of the past four reporting periods

• Review information security policies regarding strategic partners and other third parties
– Percentage of strategic partner and other third-party relationships for which information security requirements have been implemented in agreements

• Strive to ensure business continuity
– Percentage of organizational units with an established business-continuity plan

• Review provisions for internal and external audits of the information security program
– Percentage of required internal and external audits completed and reviewed by the board
– Percentage of audit findings that have not been resolved

• Collaborate with management to specify the information security metrics to be reported to the board

[7] http://reform.house.gov/TIPRC

18.2 Metrics for Management

The following program elements and metrics are intended to help management implement the information security goals and policies established by the board as part of an effective information security program.

• Establish information security management policies and controls, and monitor compliance
– Percentage of information security program elements for which approved policies and controls are operational
– Percentage of staff assigned responsibilities for information security policies and controls who have acknowledged accountability for their responsibilities in connection with those policies and controls
– Percentage of information security policy compliance reviews that noted violations
– Percentage of business-unit heads and senior managers who have implemented operational procedures to ensure compliance with approved information security policies and controls

• Assign information security roles, responsibilities and required skills, and enforce role-based information-access privileges
– Percentage of new employees hired this reporting period who satisfactorily completed security-awareness training before being granted network access
– Percentage of employees who have completed periodic security-awareness refresher training as required by policy
– Percentage of position descriptions that define the information security roles, responsibilities, skills and certifications for:
  + Security managers and administrators
  + IT personnel
  + General staff/system users
– Percentage of job performance reviews that evaluate information security responsibilities and policy compliance
– Percentage of user roles, systems and applications that comply with the separation-of-duties principle
– Number of individuals with access to security software who are not trained and authorized security administrators
– Number of individuals who are able to assign security privileges for systems and applications who are not trained and authorized security administrators
– Percentage of users whose access privileges have been reviewed this reporting period, including:
  + Employees with high-level system and application privileges
  + All other employees
  + Contractors
  + Vendors
  + Terminated employees and contractors
– Percentage of users who have undergone background checks

• Assess information risks, establish risk thresholds and actively manage risk mitigation
– Percentage of critical information assets and information-dependent functions for which some form of risk assessment has been performed and documented as required by policy
– Percentage of critical assets and functions for which the cost of compromise — loss, damage, disclosure or disruption of access — has been quantified
– Percentage of identified risks that have a defined risk mitigation plan against which status is reported in accordance with policy

• Ensure implementation of information security requirements for strategic partners and other third parties
– Percentage of known information security risks that are related to third-party relationships
– Percentage of critical information assets or functions to which third-party personnel have been given access
– Percentage of third-party personnel with current information access privileges who a designated authority has deemed to have continued need for access in accordance with policy
– Percentage of systems with critical information assets or functions that are connected to third-party systems electronically
– Percentage of security incidents that involve third-party personnel
– Percentage of third-party agreements that include or demonstrate external verification of policies and procedures
– Percentage of third-party relationships that have been reviewed for compliance with information security requirements
– Percentage of out-of-compliance review findings that have been corrected since the last review

• Identify and classify information assets
– Percentage of information assets that have been reviewed and classified by the designated owner in accordance with the classification scheme established by policy
– Percentage of information assets with defined access privileges that have been assigned based on role and in accordance with policy
– Date when the asset inventory was last updated

• Implement and test business-continuity plans
– Percentage of organizational units with a documented business-continuity plan for which specific responsibilities have been assigned
– Percentage of business-continuity plans that have been reviewed, exercised and tested, and updated in accordance with policy

• Approve information systems architecture during acquisition, development, operations and maintenance
– Percentage of information security risks related to systems architecture identified in the most recent risk assessment that have been mitigated adequately
– Percentage of system architecture changes — additions, modifications or deletions — that were reviewed for security impacts, approved by the appropriate authority and documented via change-request forms
– Percentage of critical information assets or functions residing on systems that are out of compliance with the approved systems architecture

• Protect the physical environment
– Percentage of critical organizational information assets and functions that have been reviewed from the perspective of physical risks, such as controlling physical access and physical protection of backup media
– Percentage of critical organizational information assets and functions exposed to physical risks for which risk mitigation actions have been implemented
– Percentage of critical assets that have been reviewed from the perspective of environmental risks, such as temperature, fire and flooding
– Percentage of servers in locations with controlled physical access
– Percentage of information security requirements of applicable laws and regulations that are included in the internal and external audit program and schedule
– Percentage of information security audits conducted in compliance with the approved internal and external audit program and schedule
– Percentage of management actions in response to audit findings and recommendations that were implemented as agreed upon regarding timeliness and completeness

• Collaborate with security personnel to specify the information security metrics to be reported to management
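As an added illustration of how some of the management metrics above can be produced from an access inventory (this script is not part of the CISWG report or of this guide), the following computes the access-privilege review coverage by user group, the count of people who can assign privileges without being authorized security administrators, and separation-of-duties compliance. The user records, reporting period and conflicting-role pairs are constructed for the example; a real run would read them from the organization's identity and access management export.

```python
"""Added example: computing three CISWG 'metrics for management' from an
access inventory. Every record, date and role conflict below is constructed
for illustration; substitute an export from the real IAM system."""
from dataclasses import dataclass
from datetime import date
from itertools import combinations
from typing import Dict, List, Optional, Tuple

# Reporting period under review (constructed).
PERIOD_START = date(2024, 1, 1)
PERIOD_END = date(2024, 3, 31)

# Role pairs that policy says one person must not hold together (constructed;
# a real matrix comes from the organization's separation-of-duties policy).
SOD_CONFLICTS = {
    frozenset({"vendor_create", "payment_approve"}),
    frozenset({"developer", "prod_deploy"}),
}


@dataclass(frozen=True)
class User:
    uid: str
    category: str                   # "employee", "contractor" or "vendor"
    roles: Tuple[str, ...]
    high_privilege: bool = False    # high-level system/application privileges
    can_assign_privileges: bool = False
    authorized_admin: bool = False  # trained and authorized security administrator
    terminated: bool = False
    last_access_review: Optional[date] = None


# Constructed access inventory for the example.
USERS: List[User] = [
    User("u1", "employee", ("developer",), high_privilege=True,
         can_assign_privileges=True, authorized_admin=True,
         last_access_review=date(2024, 2, 10)),
    User("u2", "employee", ("developer", "prod_deploy"), high_privilege=True,
         can_assign_privileges=True),                          # never reviewed
    User("u3", "employee", ("vendor_create",), last_access_review=date(2024, 1, 15)),
    User("u4", "employee", ("payment_approve",), last_access_review=date(2023, 12, 20)),
    User("u5", "contractor", ("helpdesk",), last_access_review=date(2024, 3, 1)),
    User("u6", "vendor", ("support",), can_assign_privileges=True),  # never reviewed
    User("u7", "employee", ("vendor_create", "payment_approve"), terminated=True,
         last_access_review=date(2024, 2, 1)),
]


def pct(numerator: int, denominator: int) -> Optional[float]:
    """Percentage rounded to one decimal. An empty population returns None so
    the report shows 'not applicable' instead of a misleading 0% or 100%."""
    if denominator == 0:
        return None
    return round(100.0 * numerator / denominator, 1)


def reviewed_in_period(user: User) -> bool:
    """A review dated outside the reporting period does not count for it."""
    return (user.last_access_review is not None
            and PERIOD_START <= user.last_access_review <= PERIOD_END)


def access_review_coverage(users: List[User]) -> Dict[str, Optional[float]]:
    """Percentage of users whose access privileges were reviewed this period,
    split into the five groups the metric lists. Terminated users are their
    own group: the review there should confirm their access was removed."""
    groups = {
        "high_privilege_employees": lambda u: u.category == "employee" and u.high_privilege and not u.terminated,
        "other_employees": lambda u: u.category == "employee" and not u.high_privilege and not u.terminated,
        "contractors": lambda u: u.category == "contractor" and not u.terminated,
        "vendors": lambda u: u.category == "vendor" and not u.terminated,
        "terminated": lambda u: u.terminated,
    }
    report: Dict[str, Optional[float]] = {}
    for name, member in groups.items():
        population = [u for u in users if member(u)]
        report[name] = pct(sum(reviewed_in_period(u) for u in population), len(population))
    return report


def unauthorized_privilege_assigners(users: List[User]) -> List[str]:
    """Individuals able to assign security privileges who are not trained,
    authorized security administrators. The metric asks for a count; the ids
    are returned so each finding can be followed up."""
    return sorted(u.uid for u in users
                  if u.can_assign_privileges and not u.authorized_admin)


def sod_compliance(users: List[User]) -> Optional[float]:
    """Percentage of active users whose combined roles contain no conflicting pair."""
    active = [u for u in users if not u.terminated]

    def compliant(u: User) -> bool:
        return not any(frozenset(pair) in SOD_CONFLICTS
                       for pair in combinations(u.roles, 2))

    return pct(sum(compliant(u) for u in active), len(active))


if __name__ == "__main__":
    print("access review coverage:", access_review_coverage(USERS))
    print("unauthorized privilege assigners:", unauthorized_privilege_assigners(USERS))
    print("separation-of-duties compliance:", sod_compliance(USERS))
```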


GTAG — Appendix H — CAE Checklist — 19

CAEs can use this checklist to examine their IT control framework to ensure the organization has addressed all control elements. The checklist can help the CAE understand the issues and plan for full internal audit coverage of the control areas.

1. Identify the IT control environment of the organization, including:
  a. Values
  b. Philosophy
  c. Management style
  d. IT awareness
  e. Organization
  f. Policies
  g. Standards

2. Identify relevant legislation and regulation impacting IT control, such as:
  a. Governance
  b. Reporting
  c. Data protection
  d. Compliance

3. Identify the roles and responsibilities for IT control in relation to:
  a. Board of directors
    i. Audit committee
    ii. Risk committee
    iii. Governance committee
    iv. Finance committee
  b. Management
    i. CEO
    ii. CFO and controller
    iii. CIO
    iv. CSO
    v. CISO
    vi. CLC
    vii. CRO
  c. Audit
    i. Internal audit
    ii. External audit

Action Questions

1. Do corporate policies and standards that describe the need for IT controls exist?
2. What legislation exists that impacts on the need for IT controls?
3. Has management taken steps to ensure compliance with this legislation?
4. Have all the relevant responsibilities for IT controls been allocated to individual roles?
5. Is the allocation of responsibilities compatible with the need to apply division of duties?
6. Are IT responsibilities documented?
7. Are IT control responsibilities communicated to the whole organization?
8. Do individual role holders clearly understand their responsibilities in relation to IT controls?
9. What evidence is there of individual role holders exercising their responsibilities?
10. Does internal auditing employ sufficient IT audit specialists to address the IT control issues?


4. Identify the risk assessment process. Does it cover:
  a. Risk appetite
  b. Risk tolerances
  c. Risk analysis
  d. Matching risks to IT controls

5. Identify all monitoring processes, including:
  a. Regulatory
  b. Normal in-house
  c. Other than internal auditing

6. Identify information and communication mechanisms:
  a. Control information
  b. Control failures

Action Questions

11. How is the risk appetite and tolerance of the organization determined?
12. Is the risk appetite and tolerance of the organization authorized at board level?
13. Is the risk appetite and tolerance clearly understood by all those with a responsibility for IT control?
14. Is a formal risk analysis process used by the organization?
15. Is the process understood by all those with responsibility for IT control?
16. Is the process used consistently throughout the organization?
17. What processes exist to monitor compliance with all relevant legislation plus internal policies and standards?
18. Are there monitoring processes carried out by management outside of internal audit?
19. What metrics are provided to the board of directors, its committees and management in relation to IT security?
20. What additional reports are provided to the board of directors and to management on a regular basis?
21. Is management always provided with reports when there are IT control failures?
22. Do the board of directors and its committees receive similar reports of IT control failures?

GTAG — Appendix I — References — 20

The following list of information security reference material is taken from a list compiled by the CISWG of the Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census, and the Government Reform Committee of the US House of Representatives. The full list can be found at http://www.reform.house.gov/TIPRC or under the "Technology" section of http://www.theiia.org. The documents are classified into three sections relating to governance, management and technical issues.

20.1 Governance

Board Briefing on IT Governance, ITGI. http://www.itgi.org/Template_ITGI.cfm?Section=ITGI&CONTENTID=6658&TEMPLATE=/ContentManagement/ContentDisplay.cfm

Information Security Governance: Guidance for Boards of Directors and Executive Management, ITGI. http://www.itgi.org

Information Security Management and Assurance: three-report series from The IIA, National Association of Corporate Directors (NACD), US Critical Infrastructure Assurance Office, et al. http://www.theiia.org/esac/index.cfm?fuseaction=or&page=rciap

Information Security Oversight: Essential Board Practices, NACD. http://www.nacdonline.org/publications/pubDetails.asp?pubID=138&user=6158BBEB9D7C4EE0B9E4B98B601E3716

IT Governance Implementation Guide, ISACA. http://www.isaca.org/Template.cfm?Section=Browse_By_Topic&Template=/Ecommerce/ProductDisplay.cfm&ProductID=503

Turnbull Report – Internal Control: Guidance for Directors on the Combined Code, Institute of Chartered Accountants in England & Wales. http://www.icaew.co.uk/index.cfm?AUB=TB2I_6242,MNXI_47896

20.2 Management

BS 7799 – Parts 1 & 2, Code of Practice for Information Security Management, British Standards Institution. http://www.bsi.org.uk

Common Sense Guide for Senior Managers, Internet Security Alliance. www.isalliance.org

Corporate Information Security Evaluation for CEOs, TechNet. http://www.technet.org/cybersecurity

Generally Accepted Information Security Principles (GAISP), Information Systems Security Association. Currently available: Generally Accepted Systems Security Principles (GASSP), consisting of Pervasive Principles and Broad Functional Principles; Detailed Principles are under development. http://www.issa.org/gaisp/gaisp.html

Generally Accepted Principles and Practices (GAPP), NIST SP 800-18, "Guide for Developing Security Plans for Information Technology Systems," December 1998 (Marianne Swanson & Barbara Guttman): eight generally accepted principles (see OECD) and "Common IT Security Practices." http://csrc.nist.gov/publications/nistpubs/index.html

ICC Handbook on Information Security Policy for Small to Medium Enterprises, International Chamber of Commerce (ICC). http://www.iccwbo.org/home/e_business/word_documents/SECURITY-final.pdf

IFAC International Guidelines on Information Technology Management – Managing Information Technology Planning for Business Impact, International Federation of Accountants. http://www.ifac.org

Information Security for Executives, Business and Industry Advisory Committee to the OECD and ICC. http://www.iccwbo.org/home/e_business/word_documents/SECURITY-final.pdf

ISO 17799 – Information Technology – Code of Practice for Information Security Management, International Organization for Standardization (ISO). http://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=33441&ICS1=35&ICS2=40&ICS3

OECD Guidelines for the Security of Information Systems and Networks: nine pervasive principles for information security upon which several other guides are based, OECD. http://www.oecd.org/document/42/0,2340,en_2649_33703_15582250_1_1_1_1,00.html

Standard of Good Practice for Information Security, Information Security Forum. http://www.isfsecuritystandard.com/index_ie.htm

Trust Services Criteria (including SysTrust and WebTrust), American Institute of Certified Public Accountants. http://www.aicpa.org/trustservices

20.3 Technical Issues

Consensus Benchmarks, Center for Internet Security. http://www.cisecurity.org

DISA Security Technical Implementation Guides. http://www.csrc.nist.gov/pcig/cig.html

ISO 15408, Common Criteria. http://www.csrc.nist.gov/cc/ccv20/ccv2list.htm

ISO TR 13335 – Guidelines for the Management of Information Security, Parts 1-5. http://www.iso.org/iso/en/StandardsQueryFormHandler.StandardsQueryFormHandler

IT Baseline Protection Manual (P BSI 7152 E 1), Bundesamt für Sicherheit in der Informationstechnik. http://www.bsi.bund.de/gshb/english/menue.htm

ITCG: Information Technology Control Guidelines, Canadian Institute of Chartered Accountants (CICA). http://www.cica.ca

NIST Configuration Guides, National Institute of Standards and Technology (NIST). http://www.csrc.nist.gov/pcig/cig.html

NIST 800-12, The Computer Security Handbook, NIST. http://www.csrc.nist.gov/publications/nistpubs/index.html

NIST 800-30, Risk Management Guide for Information Technology Systems, NIST. http://www.csrc.nist.gov/publications/nistpubs/index.html

NSA Configuration Guides. http://www.nsa.gov/snac

SANS Step-by-Step Guides, SANS Institute. http://www.store.sans.org

20.4 Auditing IT

Control Objectives for Information and Related Technologies (CobiT), ISACA. http://www.isaca.org

Federal Information Systems Controls Audit Manual (FISCAM), US Government Accountability Office. http://www.gao.gov

Information Technology Control Guidelines (ITCG), CICA. http://www.cica.ca

Systems Assurance and Control (SAC), IIA Research Foundation. http://www.theiia.org/eSAC

Systems Auditability and Control (SAC), IIA Research Foundation. http://www.theiia.org/eSAC

GTAG — Appendix J — Glossary — 21

A listing of technical terms used in the guide, with a simple, plain-English definition.

Application Control – A control related to the specific functioning of an application system that supports a specific business process. Common applications include accounts payable, inventory management and general ledger. Integrated applications combine the functions of many business processes into integrated systems sharing common databases.

Assurance – The act of assuring; a declaration tending to inspire full confidence; that which is designed to give confidence.

CAE – Chief audit executive

CEO – Chief executive officer

CFO – Chief financial officer (and controller)

CIO – Chief information officer

CISO – Chief information security officer

CLC – Chief legal counsel

COSO – The Committee of Sponsoring Organizations of the Treadway Commission (the Commission on Fraudulent Financial Reporting). See http://www.coso.org.

CRM – Customer resource management

CSO – Chief security officer

Cyber attack – A criminal act perpetrated by the use of computers and telecommunications capabilities, resulting in violence, destruction and/or disruption of services to create fear by causing confusion and uncertainty within a given population, with the goal of influencing a government or population to conform to a particular political, social or ideological agenda.

Effective – Getting a job done, with or without regard for efficiency. If the law requires you to do something, it probably does not require you to do it efficiently, as evidenced by Sarbanes-Oxley compliance and the frequent complaint that companies are spending huge sums with no apparent value added to the organization or stakeholders.

Efficient – To be efficient, a process or activity must also be effective. Information Technology Process Institute studies show that best-of-breed organizations enjoy considerable efficiencies by maintaining an effective set of control and monitoring practices and resolving the source of the problem rather than only responding to the symptoms.

Framework – A structure for organizing something (e.g., governance issues, controls) to highlight needs at the various levels of an organization, as well as for its activities and processes. A control framework is an outline that identifies the need for controls but does not depict how they are applied. Each organization and organizational unit provides a level of detail related to its own control objectives and control practices.

General control – A control that applies generally to the IT environment or overall mix of systems, networks, data, people and processes (also known as IT infrastructure).

GLBA – US Gramm-Leach-Bliley Act

Governance – The combination of processes and structures implemented by the board to inform, direct, manage and monitor the activities of the organization toward the achievement of its objectives.

GTAG – Global Technology Audit Guide

HIPAA – US Health Information Portability and Accountability Act

Information asset – Information assets are based in the value of information to the worth and continued existence of the organization. A distinction is made between information assets and information resources because information resources are generally considered to include the related human resources, and human resources are not considered to be owned by the organization.

Information resource – Includes all elements of the organization involved in information processing (e.g., acquisition, processing, communication and storage), including the related hardware, software, processes and personnel.

Information security – The concepts, techniques, technical measures and administrative measures used to protect information assets from deliberate or inadvertent unauthorized acquisition, damage, disclosure, manipulation, modification, loss or use.

Information technology (IT) – All the computer hardware and software used to process information and provide communications; the processes for administering and maintaining the technology; and the human resources associated with the use of technology.

ISO 17799 – Code of Practice for Information Security Management. See http://www.iso.org.

IT controls – Those controls that provide reasonable assurance of the secure, reliable and resilient performance of hardware, software, processes and personnel, as well as the reliability of the organization's information.

IT infrastructure – The overall IT environment, including systems, networks, data, people and processes. Infrastructures can also include the interaction of businesses and industries in mutual support through shared media and services, such as the Internet, energy, financial services, utilities, government and transportation. To the extent that infrastructures support national and regional economies, defenses and business continuity, they are known as critical infrastructures.

ITPI – IT Process Institute. See http://www.itpi.org.

Public Company Accounting Oversight Board (PCAOB) – A board of the US Securities and Exchange Commission, established by the Sarbanes-Oxley Act of 2002 as an oversight body for public financial reporting and auditing.

Risk appetite – Defined by COSO as "the degree of risk, on a broad-based level, that a company or other organization is willing to accept in pursuit of its goals. Management considers the organization's risk appetite first in evaluating strategic alternatives, then in setting objectives aligned with the selected strategy and in developing mechanisms to manage the related risks."

Risk management – The ongoing identification, measurement and mitigation of risk through the demonstrably cost-efficient implementation and administration of control over the known and knowable risks of threat events that can affect the confidentiality, integrity or availability of an organization's information assets adversely.

Risk tolerance – Defined by COSO as "the acceptable level of variation relative to the achievement of objectives. In setting specific risk tolerances, management considers the relative importance of the related objectives and aligns risk tolerances with its risk appetite."

GTAG — Appendix K — About the Global Technology Audit Guides — 22

This IT controls guide is the first in a series of GTAGs, which will give CAEs and internal auditors a source of information for educating and informing themselves and others within the organization who have responsibilities related to IT control.

The GTAGs will provide guidance on a variety of IT topics. Each guide will describe the underlying technology, facts, and issues sufficiently to explain business opportunities, risks, and related controls and their impacts on the overall system of internal controls. Subjects to be addressed in the GTAG series will be determined by current and emerging technology areas and their potential ramifications for internal controls and assurance. Planned topics for guides include intrusion protection, security management, change management, wireless security, identity management, and authentication.

22.1 Parties to the GTAG Program

Each GTAG guide is developed through interaction with technical, audit, and security experts; audit executives; technology vendors; and the associations and individuals that represent board members, chief executives, financial executives, information technology professionals, and security executives. Involvement from The IIA's international affiliates and partners supports the global perspective of the guides. Other professionals representing specialized views, such as legal, insurance, regulatory, and standards, will be included as appropriate within individual GTAG projects.

The IIA is joined in this GTAG project by a specially selected team of professional associations, academic institutions, and practitioners in both auditing and technology. The IIA is grateful for the support provided by this team, as the guide would not have been possible without them. For The IIA to provide meaningful guidance to auditors about how to relate to audit customers, it is essential to gain agreement with the key representatives of those customers. To speak to a global audience, the guide needs consensus from a broad group representing many of the countries where internal auditors operate. So we thank both the individuals and the organizations who contributed so much to this guide.

23.1 IT Controls Advisory Council

The Advisory Council is made up of individuals who contributed to the development of this guide from the outset of planning the GTAG project, through design and development of the IT Controls Guide outline and various drafts, to the completion of the final product. These individuals went beyond the role of a volunteer support team to truly act in a leadership role.

Julia H. Allen, CMU/SEI, Carnegie Mellon University Software Engineering Institute

Michael R. Dickson, Business Technology Group LLC

Clint Kreitner, President/CEO, CIS, The Center for Internet Security

Alex Lajoux, NACD, National Association of Corporate Directors

Will Ozier, Vice Chair, the ISSA GAIS Committee; CEO & President, OPA Inc., The Integrated Risk Management Group, USA

Mark Salamasick, CIA, University of Texas at Dallas

Karyn Waller, AICPA, American Institute of Certified Public Accountants

23.2 Partner Organizations

AICPA – Michael R. Dickson, Karyn Waller, American Institute of Certified Public Accountants

CIS – Clint Kreitner, Center for Internet Security

CMU/SEI – Julia Allen, Bob Rosenstein, Carnegie Mellon University Software Engineering Institute

ISSA – Dave Cullinane, President; Bob Daniels, Exec. Vice President, Information Systems Security Association

NACD – Peter Gleason, Alex Lajoux, National Association of Corporate Directors

SANS Institute – Alan Paller, Director of Research; Stephen Northcutt, COO

23.3 Project Review Team

Peter Allor, ISS, Internet Security Systems

Jack Antonelli, ADP

Ken D. Askelson, CIA, JC Penney Co. Inc.

Becky Bace, Infidel Inc.

Kevin Behr, IPSI, Institute for Integrated Publication and Information Systems

Jeff Benson, BearingPoint

Robert S. Block, Chairman, 3D Business Tools, USA

Sylvia Boyd, The IIA

Alexandra Branisteanu, Information Security Officer, Scripps Health, San Diego, USA

Larry Brown, Options Clearing Corp.

Stephanie Bryant, University of South Florida

Phil Campbell, Specialized IT LLC, USA

John Carlson, BITS, Banking Industry Technology Secretariat

Chris Compton, Intrusion Labs

Guy Copeland, CSC, Computer Sciences Corp.

Rich Crawford, Vice President/Senior Security Advisor, Janus Risk Management, USA

Bob Daniels, EDS

Bob Dix, US House of Representatives

GTAG — Appendix L — GTAG Partners and Global Project Team — 23

Jerry E. Durant, CIA, President, Certifiable Technologies Ltd., Orlando, Fla., USA

Emily Frye, Critical Infrastructure Protections Program, George Mason University School of Law, USA

Greg Garcia, ITAA, Information Technology Association of America

Russ Gates, Dupage Consulting LLC

Lou Giles, Chevron Phillips Chemical Co.

Doug Guerrero, EDS

Kai Tamara Hare, Nuserve

Michael S. Hines, CIA, Purdue University

Bob Hirth, Protiviti

Don Holden, CISSP, Concordant Inc., USA

Dave Kern, Ethentica

Gene Kim, CTO, Tripwire Inc., USA

Jim Kolouch, BearingPoint

David Kowal, VP, JP Morgan Chase

Paul Kurtz, CSIA, Cyber Security Industry Alliance

Cindy LeRouge, PhD, Decision Sciences/MIS Department, John Cook School of Business, St. Louis University, USA

Andrée Lavigne, CICA, Canadian Institute of Chartered Accountants

Debbie Lew, Guidance Software

Brenda Lovell, CIA, CCSA, CGAP, The IIA

Warren Malmquist, Adolph Coors Co.

Stacy Mantzaris, CIA, IIA

Dennis Miller, Heritage Bank

Patrick Morrissey, Auditwire

Bruce Moulton, Symantec

Paul Moxey, ACCA, Association of Chartered Certified Accountants

Roseane Paligo, CIA, Chief Financial Officer, 1st Choice Community Federal Credit Union, USA

Fred Palmer, Palmer Associates

Xenia Parker, CIA, CFSA, VP, Enterprise Technology Group, Marsh Inc.

Bernie Plagman, TechPar Group

Heriot Prentice, MIIA, FIIA, QiCA, The IIA

Dick Price, Beacon IT Ltd., BS 7799 Consultancy, USA

Michael Quint, Corporate Compliance Officer, EDS Corporate Audit, USA

Sridhar Ramamoorti, CIA, CFSA, Ernst & Young LLP, Chicago, IL, USA

Amy Ray, Bentley College

Martin Ross, GSC, Global Security Consortium

Chip Schilb, EDS, USA

Howard Schmidt, eBay

Mark Silver, Symantec

George Spafford, President, Spafford Global Consulting, Saint Joseph, IL, USA

Adam Stone, Assurant

Jay H. Stott, CIA, Fidelity Investments

Dan Swanson, CIA, IIA

Jay R. Taylor, CIA, CISA, CFE, General Motors Corporation

Bill Tener, University & Community College System of Nevada

Archie Thomas

Fred Tompkins, BearingPoint

Don Warren, Rutgers University

Dominique Vincenti, CIA, The IIA

Mark Winn, Intrusec

Amit Yoran

23.4 IIA International Affiliates

Frank Alvern, CIA, CCSA, Nordea Bank, Norway

Alexandre Alves Apparecido, Brazil

Dror Aviv, Israel

David F. Bentley, England, UK and Ireland

Gerardo Carstens, CIA, IIA Argentina

Richard Cascarino, South Africa

Iftikhar Chaudry, Pakistan

Hisham T. El Gindy, Manager, KPMG Hazem Hassan, Egypt

Dr. Ulrich Hahn, CIA, Switzerland

Rossana S. Javier, Makati City, Philippines

Andras Kovacks, Hungary

Christopher McRostie, Australia

Furqan Ahmad Saleem, Partner, Avais Hyder Nauman Rizwani, RSM, Pakistan

Kyoko Shimizu, CIA, Japan

John Silltow, Security Control and Audit Ltd., United Kingdom

Ken Siong, International Federation of Accountants

Anton van Wyk, PwC, South Africa

Nick Wolanin, Adjunct Senior Lecturer, Australian Graduate

Julie Young, Australia

23.5 Other International

Carolee Birchall, Vice President and Senior Risk Officer, Bank of Montreal, Canada

P. J. Corum, Quality Assurance Institute Middle East and Africa, United Arab Emirates

Ariel Peled, President, ISSA Israeli Chapter

P. Shreekanth, India

Karen Woo, Selangor, Malaysia

23.6 IIA International Advanced Technology Committee

Anton van Wyk (Chairman), CIA, PricewaterhouseCoopers, South Africa

Alexandre Alves Apparecido, Brasil Telecom, Brazil

Ken D. Askelson, CIA, JC Penney Co. Inc., USA

Dror Aviv, CFSA, IIA Israel

Donald L. Bailey, Grant Thornton LLP, USA

E. W. Sean Ballington, PricewaterhouseCoopers LLP, USA (originally South Africa)

Norman F. Barber, Microsoft Corp., USA

David F. Bentley, QiCA, Consultant, England

Claude Cargou, GIE AXA, France

Michael P. Fabrizius, CIA, Bon Secours Health System Inc., USA

Ramiz Tofigi Ganizade, Azerbaijan Republic Chamber of Auditors, Azerbaijan

Douglas Guerrero, EDS Corp., USA

Dr. Ulrich Hahn, CIA, Syngenta International, Switzerland

David J. Hill, IBM Corp., USA

Michael S. Hines, CIA, Purdue University, USA

Mark J. Hornung, Ernst & Young LLP, USA

Gene Kim, CTO, Tripwire Inc., USA

David S. Lione, KPMG LLP Southeast Region, USA

Peter B. Millar, ACL Services Ltd., Canada

Allan M. Newstadt, CIA, World Bank/International Finance Corp., USA

Brenda J. S. Putman, CIA, City Utilities of Springfield, USA


Kyoko Shimizu, CIA, Shin Nihon & Co., Japan

Brian M. Spindel, CIA, SecurePipe Inc., USA

Rajendra P. Srivastava, University of Kansas, USA

Jay Stott, CIA, Fidelity Investments, USA

Jay R. Taylor, CIA, CISA, CFE, General Motors Corp., USA

Thomas Jason Wood, CIA, Ernst & Young LLP, USA

Akitomo Yamamoto, IIA Japan

23.7 The Writing Team

David A. Richards, CIA, President, The IIA

Alan S. Oliphant, MIIA, QiCA, MAIR International

Charles H. Le Grand, CIA, CHL Global

23.8 IIA Headquarters Staff Production Team

Michael Feland

Trish Harris

Tim McCollum

Information Technology Controls

This guide focuses on how IT roles and responsibilities are dispersed throughout the organization, how accurate assessment of IT controls is achieved, and how an organization can promote IT reliability and efficiency.

What is GTAG?

Prepared by The Institute of Internal Auditors, each Global Technology Audit Guide (GTAG) is written in straightforward business language to address a timely issue related to information technology management, control, or security. GTAG is a ready resource series for chief audit executives to use in the education of members of the board and audit committee, management, process owners, and others regarding technology-associated risks and recommended practices.

Business Continuity Management

This GTAG focuses on how business continuity management (BCM) is designed to enable business leaders to manage the level of risk the organization could potentially encounter if a natural or man-made disruptive event that affects the extended operability of the organization were to occur. The guide includes disaster recovery planning for continuity of critical information technology infrastructure and business application systems.

Chief audit executives (CAEs) have been challenged to educate corporate executives on the risks, controls, costs, and benefits of adopting a BCM program. Although it is true that recent disasters around the world have motivated some corporate leaders to give attention to BCM programs, the implementation of such programs is far from universal. The key challenge is engaging corporate executives to make BCM a priority. Although most executives are likely to agree that BCM is a good idea, many will struggle to find the budget necessary to fund the program, as well as an executive sponsor that has the time to ensure its success. Business Continuity Management will help the CAE communicate business continuity risk awareness and support management in its development and maintenance of a BCM program.

Visit www.theiia.org/guidance/technology/gtag/gtag10 to rate this GTAG or submit your comments.

Order Number 100645. IIA Member US $25; Nonmember US $30; IIA Event US $22.50.

www.theiia.org

ISBN 0-89413-570-8; ISBN 978-0-89413-623-8


GTAG — Letter from the President — 1

In my previous role as a chief audit executive (CAE), I noted a need for guidance on IT management and control written specifically for executives. So one of my first acts as president of The IIA was to initiate a project to produce this IT Controls guide. This guide is for the executive, not the technical staff — although it will help those personnel better relate to management and governance perspectives.

The purpose of this document is to explain IT controls and audit practice in a format that allows CAEs to understand and communicate the need for strong IT controls. It is organized to enable the reader to move through the framework for assessing IT controls and to address specific topics based on need. This document provides an overview of the key components of IT control assessment, with an emphasis on the roles and responsibilities of key constituents within the organization who can drive governance of IT resources. You may already be familiar with some aspects of this document, while other segments will provide new perspectives on how to approach this key audit strategy. It is our hope that the components can be used to educate others about what IT controls are and why management and internal auditing must ensure proper attention is paid to this fundamental methodology for good governance.

Although technology provides opportunities for growth and development, it also provides the means and tools for threats such as disruption, deception, theft, and fraud. Outside attackers threaten our organizations, yet trusted insiders are a far greater threat. Fortunately, technology can also provide protection from threats, as you will see in this guide. Executives should know the right questions to ask and what the answers mean. For example:

• Why should I understand IT controls? One word: Assurance. Executives play a key role in assuring information reliability. Assurance comes primarily from an interdependent set of business controls, plus the evidence that controls are continuous and sufficient. Management and governance must weigh the evidence provided by controls and audits and conclude that it provides reasonable assurance. This guide will help you understand the evidence.

• What is to be protected? Let's start with trust. Trust enables business and efficiency. Controls provide the basis for trust, although they are often unseen. Technology provides the foundation for many — perhaps most — business controls. Reliability of financial information and processes — now mandated for many companies — is all about trust.

• Where are IT controls applied? Everywhere. IT includes technology components, processes, people, organization, and architecture — collectively known as infrastructure — as well as the information itself. Many of the infrastructure controls are technical, and IT supplies the tools for many business controls.

• Who is responsible? Everybody. But you must specify control ownership and responsibilities; otherwise, no one is responsible. This guide addresses specific responsibilities for IT controls.

• When do we assess IT controls? Always. IT is a rapidly changing environment, fueling business change. New risks emerge at a rapid pace. Controls must present continuous evidence of their effectiveness, and that evidence must be assessed and evaluated constantly.

• How much control is enough? You must decide. Controls are not the objective; controls exist to help meet business objectives. Controls are a cost of doing business and can be expensive — but not nearly as expensive as the probable consequences of inadequate controls.

IT controls are essential to protect assets, customers and partners, and sensitive information; demonstrate safe, efficient, and ethical behavior; and preserve brand, reputation, and trust. In today's global market and regulatory environment, these are all too easy to lose.

Use this guide as a foundation to assess or build your organization's framework and audit practices for IT business control, compliance, and assurance. Use it to help make sense of the conflicting advice you receive. Make sure all the elements are in place to meet the challenges of constant change, increasing complexity, rapidly evolving threats, and the need to improve efficiency constantly.

The IIA produced this guide, but it is truly a team effort. The principal writers are Charles H. Le Grand of CHL Global and Alan S. Oliphant, FIIA, MIIA, QiCA, of Mair International. We owe a great debt of gratitude to our partners, IIA international affiliates, and members of the Global Technology Audit Guide (GTAG) team. We are grateful for their support and encouragement. This guide is a testimony to what The IIA does best: "Progress Through Sharing."

Sincerely,

David A. Richards, CIA, CPA
President, The Institute of Internal Auditors Inc.

GTAG Information Technology Controls describes the knowledge needed by members of governing bodies, executives, IT professionals, and internal auditors to address technology control issues and their impact on business. Other professionals may find the guidance useful and relevant. The guide provides information on available frameworks for assessing IT controls and describes how to establish the right framework for an organization. Moreover, it sets the stage for future GTAGs that will cover specific IT topics and associated business roles and responsibilities in greater detail.

The objectives of the IT Controls guide are to:

• Explain IT controls from an executive perspective.

• Explain the importance of IT controls within the overall system of internal controls.

• Describe the organizational roles and responsibilities for ensuring IT controls are addressed adequately within the overall system of internal controls.

• Describe the concepts of risk inherent in the use and management of technology by any organization.

• Describe the basic knowledge and understanding of IT controls needed by the CAE to ensure effective internal audit assessments of IT controls.

• Describe the relevant elements of the IT controls assessment process as provided by the internal audit function.

2.1 Introduction to IT Controls

IT controls do not exist in isolation. They form an interdependent continuum of protection, but they may also be subject to compromise due to a weak link. They are subject to error and management override, may range from simple to highly technical, and may exist in a dynamic environment.

IT controls have two significant elements: the automation of business controls and control of IT. Thus, IT controls support business management and governance as well as provide general and technical controls over IT infrastructures.

The internal auditor's role in IT controls begins with a sound conceptual understanding and culminates in providing the results of risk and control assessments. Internal auditing involves significant interaction with the people in positions of responsibility for controls and requires continuous learning and reassessment as new technologies emerge and the organization's opportunities, uses, dependencies, strategies, risks, and requirements change.

2.2 Understanding IT Controls

IT controls provide for assurance related to the reliability of information and information services. IT controls help mitigate the risks associated with an organization's use of technology. They range from corporate policies to their physical implementation within coded instructions, from physical access protection through the ability to trace actions and transactions to responsible individuals, and from automatic edits to reasonability analysis for large bodies of data.

You don't need to know "everything" about IT controls, but remember two key control concepts:

• Assurance must be provided by the IT controls within the system of internal controls. This assurance must be continuous and provide a reliable and continuous trail of evidence.

• The auditor's assurance is an independent and objective assessment of the first assurance. Auditor assurance is based on understanding, examining, and assessing the key controls related to the risks those controls manage, and performing sufficient testing to ensure the controls are designed appropriately and functioning effectively and continuously.

Many frameworks exist for categorizing IT controls and their objectives. This guide recommends that each organization use the applicable components of existing frameworks to categorize and assess IT controls and to provide and document its own framework for:

• Compliance with applicable regulations and legislation.

• Consistency with the organization's goals and objectives.

• Reliable evidence (reasonable assurance) that activities comply with management's governance policies and are consistent with the organization's risk appetite.

2.3 Importance of IT Controls

Many issues drive the need for IT controls, ranging from the need to control costs and remain competitive through the need for compliance with internal and external governance. IT controls promote reliability and efficiency and allow the organization to adapt to changing risk environments. Any control that mitigates or detects fraud or cyber attacks enhances the organization's resiliency, because it helps the organization uncover the risk and manage its impact. Resiliency is a result of a strong system of internal controls, because a well-controlled organization has the ability to manage challenges or disruptions seamlessly.

Key indicators of effective IT controls include:

• The ability to execute and plan new work, such as IT infrastructure upgrades required to support new products and services.

• Development projects that are delivered on time and within budget, resulting in cost-effective and better product and service offerings compared to competitors.

• Ability to allocate resources predictably.

• Consistent availability and reliability of information and IT services across the organization and for customers, business partners, and other external interfaces.

• Clear communication to management of key indicators of effective controls.

• The ability to protect against new vulnerabilities and threats and to recover from any disruption of IT services quickly and efficiently.

• The efficient use of a customer support center or help desk.

• Heightened security awareness on the part of the users and a security-conscious culture throughout the organization.

GTAG — Executive Summary — 2

2.4 IT Roles and Responsibilities

Many different roles have emerged in recent years for positions within the organization with IT control responsibilities and ownership. Each position within the governance, management, operational, and technical levels should have a clear description of its roles, responsibilities, and ownership for IT controls to ensure accountability for specific issues. This section addresses the various IT control roles and responsibilities within the organization and allocates them to specific positions within a hypothetical organizational structure.

2.5 Analyzing Risk

IT controls are selected and implemented on the basis of the risks they are designed to manage. As risks are identified, suitable risk responses are determined, ranging from doing nothing and accepting the risk as a cost of doing business to applying a wide range of specific controls, including insurance. This section explains the concepts of when to apply IT controls.

2.6 Monitoring and Techniques

The implementation of a formal control framework facilitates the process of identifying and assessing the IT controls necessary to address specific risks. A control framework is a structured way of categorizing controls to ensure the whole spectrum of control is covered adequately. The framework can be informal or formal. A formal approach will more readily satisfy the various regulatory or statutory requirements for organizations subject to them. The process of choosing or constructing a control framework should involve all positions in the organization with direct responsibility for controls. The control framework should apply to and be used by the whole organization, not just internal auditing.

2.7 IT Control Assessment

Assessing IT controls is a continuous process. Business processes are changing constantly as technology continues to evolve. Threats emerge as new vulnerabilities are discovered. Audit methods improve as auditors adopt an approach where IT control issues in support of the business objectives are near the top of the agenda.

Management provides IT control metrics and reporting. Auditors attest to their validity and opine on their value. The auditor should liaise with management at all levels and with the audit committee to agree on the validity and effectiveness of the metrics and assurances for reporting.


IT is an integral part of all processes that enable businesses and governments to accomplish their missions and objectives. IT facilitates local and global communications and fosters international business cooperation. IT controls have two significant components: automation of business controls and control of IT. They support business management and governance, and they provide general and technical controls over the policies, processes, systems, and people that comprise IT infrastructures.

IT controls do not exist in isolation. They form an interdependent continuum of protection, but they also may be subject to compromise due to a "weak link." They are subject to error and management override, may range from simple to highly technical, and may exist in a dynamic environment. IT controls support the concept of "defense in depth," so a single weakness does not always result in a single point of failure.

Controls exist to protect stakeholder interests:

• The owner's equity.

• Customer concerns, such as privacy and identity.

• Employees' jobs and abilities to prove they did the right thing.

• Management's comfort with the assurance provided by automated processes.

IT control assurance addresses the ability of controls to protect the organization against the most important threats and provides evidence that remaining risks are unlikely to harm the organization and its stakeholders significantly. These controls also are essential for assuring the reliability of financial processes and reporting.

GTAG — Introduction — 3

They are all connected

When a security administrator selects the settings in a firewall configuration file (a technical task requiring specific skills and knowledge), he or she implements a policy (which may or may not be documented elsewhere) that, when deployed, determines the messages that will or will not be allowed into or out of the communications network and establishes the "ports" through which they may travel. Your organization gets an element of protection from its firewalls that is vital to the protection of information and the infrastructures where that information is collected, processed, stored, and communicated.
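The firewall point above, reduced to working code. This is an added illustration, not the guide's material and not any real firewall's configuration syntax: a constructed rule set (the addresses, subnets, and rules are invented for the example) is evaluated first-match with a default deny, and a check reports rules that an earlier, broader rule makes unreachable. It shows how the order of entries in the configuration file is the policy, and how a single broad "temporary" rule silently overrides the stricter ones below it.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                       # "allow" or "deny"
    direction: str                    # "in" (toward the protected network) or "out"
    proto: str                        # "tcp", "udp" or "any"
    src: str                          # source network, CIDR
    dst: str                          # destination network, CIDR
    ports: Optional[Tuple[int, int]]  # inclusive destination port range; None = any port
    comment: str = ""


@dataclass(frozen=True)
class Packet:
    direction: str
    proto: str
    src: str
    dst: str
    dport: int


def matches(rule: Rule, pkt: Packet) -> bool:
    """Does this rule apply to this packet?"""
    if rule.direction != pkt.direction:
        return False
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if ip_address(pkt.src) not in ip_network(rule.src):
        return False
    if ip_address(pkt.dst) not in ip_network(rule.dst):
        return False
    return rule.ports is None or rule.ports[0] <= pkt.dport <= rule.ports[1]


def decide(rules, pkt: Packet, default: str = "deny"):
    """First matching rule wins. Returns (action, index of the rule that fired),
    or (default, None) when nothing matched: the policy is only as strict as
    its final default."""
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule.action, i
    return default, None


def covers(a: Rule, b: Rule) -> bool:
    """True if every packet b could match is already matched by a."""
    if a.direction != b.direction or (a.proto != "any" and a.proto != b.proto):
        return False
    if not ip_network(a.src).supernet_of(ip_network(b.src)):
        return False
    if not ip_network(a.dst).supernet_of(ip_network(b.dst)):
        return False
    if a.ports is None:
        return True
    return b.ports is not None and a.ports[0] <= b.ports[0] <= b.ports[1] <= a.ports[1]


def shadowed(rules):
    """Indices of rules that can never fire because an earlier rule covers them.
    A shadowed deny is a classic review finding: the policy on paper is not
    the policy the firewall enforces."""
    return [j for j, later in enumerate(rules) if any(covers(e, later) for e in rules[:j])]


# Constructed policy: a DMZ web server at 203.0.113.10, admins in 10.0.0.0/24,
# internal hosts in 10.0.1.0/24. Nothing here refers to a real network.
POLICY = [
    Rule("allow", "in", "tcp", "0.0.0.0/0", "203.0.113.10/32", (443, 443), "public HTTPS to DMZ web"),
    Rule("allow", "in", "tcp", "10.0.0.0/24", "10.0.1.0/24", (22, 22), "SSH from the admin subnet only"),
    Rule("deny", "in", "any", "0.0.0.0/0", "10.0.1.0/24", None, "nothing else reaches internal"),
    Rule("allow", "out", "tcp", "10.0.1.0/24", "0.0.0.0/0", (443, 443), "internal may browse HTTPS"),
]

# The same policy after someone prepended a broad "temporary" troubleshooting rule.
MISORDERED = [Rule("allow", "in", "any", "0.0.0.0/0", "10.0.1.0/24", None, "temp: open for troubleshooting")] + POLICY

if __name__ == "__main__":
    rdp_from_internet = Packet("in", "tcp", "198.51.100.7", "10.0.1.20", 3389)
    print("intended policy:", decide(POLICY, rdp_from_internet))        # ('deny', 2)
    print("misordered policy:", decide(MISORDERED, rdp_from_internet))  # ('allow', 0)
    print("rules that can never fire:", shadowed(MISORDERED))           # [2, 3]
```

Two properties of the evaluation are worth checking in any real rule base the same way: whether traffic not covered by any rule falls to a deny, and whether any later, more specific rule (especially a deny) is unreachable because of an earlier broad allow.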

When CAEs review and assess the controls over IT, they should ask:

• What do we mean by IT controls?

• Why do we need IT controls?

• Who is responsible for IT controls?

• When is it appropriate to apply IT controls?

• Where exactly are IT controls applied?

• How do we perform IT control assessments?

The audit process provides a formal structure for addressing IT controls within the overall system of internal controls. Figure 1, The Structure of IT Auditing, below, divides the assessment into a logical series of steps.

The internal auditor's role in IT controls begins with a sound conceptual understanding and culminates in providing the results of risk and control assessments. Internal auditors interact with the people responsible for controls and must pursue continuous learning and reassessment as new technologies emerge and the organization's opportunities, uses, dependencies, strategies, risks, and requirements change.

GTAG — Assessing IT Controls — An Overview — 4

"I keep six honest serving-men
(They taught me all I knew);
Their names are What and Why and When
and How and Where and Who."

— Rudyard Kipling, from "Elephant's Child" in Just So Stories

Figure 1 - The Structure of IT Auditing

COSO¹ defines internal control as "A process, effected by an organization's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

• Effectiveness and efficiency of operations

• Reliability of financial reporting

• Compliance with applicable laws and regulations."

IT controls encompass those processes that provide assurance for information and information services and help mitigate the risks associated with an organization's use of technology. These controls range from written corporate policies to their implementation within coded instructions, from physical access protection to the ability to trace actions and transactions to the individuals who are responsible for them, and from automatic edits to reasonability analysis for large bodies of data.

5.1 Control Classifications

Controls may be classified to help understand their purposes and where they fit into the overall system of internal controls. (See Figure 3, Some Control Classifications, page 4.) By understanding these classifications, the control analyst and auditor are better able to establish their positions in the control framework and answer key questions such as: Are the detective controls adequate to identify errors that may get past the preventive controls? Are corrective controls sufficient to fix the errors once detected? A common classification of IT controls is general versus application.

General controls (also known as infrastructure controls) apply to all systems components, processes, and data for a given organization or systems environment. General controls include, but are not limited to, information security policy, administration, access, and authentication; separation of key IT functions; management of systems acquisition and implementation; change management; and backup, recovery, and business continuity.

Application controls pertain to the scope of individual business processes or application systems. They include such controls as data edits, separation of business functions (e.g., transaction initiation versus authorization), balancing of processing totals, transaction logging, and error reporting.

The function of a control is highly relevant to the assessment of its design and effectiveness. Controls may be classified as preventive, detective, or corrective.

Preventive controls prevent errors, omissions, or security incidents from occurring. Examples include simple data-entry edits that block alphabetic characters from being entered into numeric fields, access controls that protect sensitive data or system resources from unauthorized people, and complex and dynamic technical controls such as antivirus software, firewalls, and intrusion prevention systems.

GTAG — Understanding IT Controls — 5

¹ COSO – Committee of Sponsoring Organizations for the Commission on Fraudulent Financial Reporting (The Committee of Sponsoring Organizations of the Treadway Commission). See www.coso.org.

It is not necessary to know "everything" about IT controls

Do not be concerned if you do not understand the full continuum or all the technical intricacies of IT controls. Many of these controls are the domain of specialists who manage specific risks associated with individual components of the systems and network infrastructure. In keeping with good separation of duties practices, some people who have specialized knowledge in a technology, such as database management, may know little about network components or communication protocols, and vice versa.

There are two key control concepts to remember:

1. Assurance must be provided by the IT controls within the whole system of internal control, and must be continuous and produce a reliable and continuous trail of evidence.

2. The auditor's assurance is an independent and objective assessment of the first assurance. It is based on understanding, examining, and assessing the key controls related to the risks those controls manage, as well as performing sufficient tests to ensure the controls are designed appropriately and function effectively.

Figure 2

Detective controls detect errors or incidents that elude preventive controls. For example, a detective control may identify account numbers of inactive accounts or accounts that have been flagged for monitoring of suspicious activities. Detective controls can also include monitoring and analysis to uncover activities or events that exceed authorized limits or violate known patterns in data that may indicate improper manipulation. For sensitive electronic communications, detective controls can indicate that a message has been corrupted or the sender’s secure identification cannot be authenticated.

Corrective controls correct errors, omissions, or incidents once they have been detected. They vary from simple correction of data-entry errors, to identifying and removing unauthorized users or software from systems or networks, to recovery from incidents, disruptions, or disasters.

Generally, it is most efficient to prevent errors or detect them as close as possible to their source to simplify correction. These corrective processes also should be subject to preventive and detective controls, because they represent another opportunity for errors, omissions, or falsification.

Many other control classifications described in this guide may be useful in assessing their effectiveness. For example, automated controls tend to be more reliable than manual controls, and nondiscretionary controls are more likely to be applied consistently than discretionary controls. Other control classifications include mandatory, voluntary, complementary, compensating, redundant, continuous, on-demand, and event-driven.

5.2 Governance, Management, Technical

Another common classification of controls is by the group responsible for ensuring they are implemented and maintained properly. For the purpose of assessing roles and responsibilities, this guide primarily categorizes IT controls as governance, management, and technical. Information security program elements for these three categories are described in Appendix A (page 25). The first two levels — governance and management — are the most applicable to the scope of this guide, although it may also be useful to understand how higher-level controls specifically are established within the technical IT infrastructures. Technical controls will be the subject of more topic-specific GTAGs.

5.2.1 Governance Controls

The primary responsibility for internal control resides with the board of directors in its role as keeper of the governance framework. IT control at the governance level involves ensuring that effective information management and security principles, policies, and processes are in place and performance and compliance metrics demonstrate ongoing support for that framework.

Governance controls are those mandated by and controlled by either the entire board of directors or a board committee, in conjunction with the organization’s executive management. These controls are linked with the concepts of corporate governance, which are driven both by organizational goals and strategies and by outside bodies such as regulators.

An important distinction between governance and management controls is the concept of “noses in, fingers out.” The board’s responsibility involves oversight rather than actually performing control activities. For example, the audit committee of the board does no auditing, but it does oversee both the internal and external auditing of the organization.

5.2.2 Management Controls

Management responsibility for internal controls typically involves reaching into all areas of the organization, with special attention to critical assets, sensitive information, and operational functions. Consequently, close collaboration among board members and executive managers is essential. Management must make sure the IT controls needed to achieve the organization’s established objectives are applied and ensure reliable and continuous processing. These controls are deployed as a result of deliberate actions by management to:

• Recognize risks to the organization, its processes, and assets.

• Enact mechanisms and processes to mitigate and manage risks (protect, monitor, and measure results).

5.2.3 Technical Controls

Technical controls form the foundation that ensures the reliability of virtually every other control in the organization. For example, by protecting against unauthorized access and intrusion, they provide the basis for reliance on the integrity of information — including evidence of all changes and their authenticity. These controls are specific to the technologies in use within the organization’s IT infrastructures. The ability to automate technical controls that implement and demonstrate compliance with management’s intended information-based policies is a powerful resource to the organization.

Figure 3 – Some Control Classifications

5.3 IT Controls – What to Expect

Individual control mechanisms a CAE can expect to find within the organization can be defined within the hierarchy of IT controls, from the overall high-level policy statements issued by management and endorsed by the board of directors down to the specific control mechanisms incorporated into application systems.

The hierarchy in Figure 4, IT Controls, on this page represents a logical “top-down” approach, both when considering controls to implement and when determining areas on which to focus audit resources during reviews of the entire IT operating environment. The different elements of the hierarchy are not mutually exclusive; they are all connected and can intermingle. Many of the control types within the elements are described below.

5.3.1 Policies

All organizations need to define their aims and objectives through strategic plans and policy statements. Without clear statements of policy and standards for direction, organizations can become disoriented and perform ineffectively. Organizations with clearly defined aims and objectives tend to be successful.

Because technology is vital to the operations of most organizations, clear policy statements regarding all aspects of IT should be devised and approved by management, endorsed by the board of directors, and communicated to all staff. Many different policy statements can be required, depending on the organization’s size and the extent to which it deploys IT. For smaller organizations, a single policy statement may be sufficient, provided it covers all the relevant areas. Larger organizations that implement IT extensively will require more detailed and specific policies.

IT policy statements include, but are not restricted to:

• A general policy on the level of security and privacy throughout the organization. This policy should be consistent with all relevant national and international legislation and should specify the level of control and security required, depending on the sensitivity of the system and data processed.

• A statement on the classification of information and the rights of access at each level. The policy should also define any limitations on the use of this information by those approved for access.

• A definition of the concepts of data and systems ownership, as well as the authority necessary to originate, modify, or delete information. Without these guidelines, it is often difficult to coordinate change within large organizations, because there may not be anyone designated to have overall responsibility for the data or systems.

• A general policy that defines the extent to which users can deploy intelligent workstations to create their own applications.

• Personnel policies that define and enforce conditions for staff in sensitive areas. This includes the positive vetting of new staff prior to joining the organization, carrying out annual credit checks, and having employees sign agreements accepting responsibility for the required levels of control, security, and confidentiality. This policy would also detail related disciplinary procedures.

• Definitions of overall business continuity planning requirements. These policies should ensure that all aspects of the business are considered in the event of a disruption or disaster — not just the IT elements.

A good source of IT and security policies is the SANS Security Policy Resource page (http://www.sans.org/resources/policies/#intro), a consensus research project of the SANS Institute community. The project offers free resources for rapid development and implementation of information security policies, including policy templates for 24 important security requirements. Although the templates were compiled to help the people attending SANS training programs, SANS makes them available to the world because Internet security depends on vigilance by all participants.

Figure 4 – IT Controls

The Center for Internet Security (www.cisecurity.org) reports that applying controls consistently over system and network component configuration will protect the organization from more than 85 percent of the top vulnerabilities identified by the U.S. National Institute of Standards and Technology (NIST), Federal Bureau of Investigation (FBI), SANS Institute, and Computer Security Institute (CSI).

5.3.2 Standards

Standards exist to support the requirements of policies. They are intended to define ways of working that achieve the required objectives of the organization. Adopting and enforcing standards also promotes efficiency, because staff are not required to reinvent the wheel every time a new business application is built or a new network is installed. Standards also enable the organization to maintain the whole IT operating environment more efficiently.

Large organizations with significant resources are in a position to devise their own standards. On the other hand, smaller organizations rarely have sufficient resources for this exercise. There are many sources of information on standards and best practice, some of which are listed in Appendix I (see page 45).

As a guideline, the CAE should expect to see standards adopted for:

• Systems Development Processes – When organizations develop their own applications, standards apply to the processes for designing, developing, testing, implementing, and maintaining systems and programs. If organizations outsource application development or acquire systems from vendors, the CAE should ascertain that agreements require the providers to apply standards consistent with the organization’s standards or acceptable to the organization.

• Systems Software Configuration – Because systems software provides a large element of control in the IT environment, standards related to secure system configurations, such as the CIS Benchmarks from the Center for Internet Security, are beginning to gain wide acceptance by leading organizations and technology providers. The way products such as operating systems, networking software, and database management systems are configured can either enhance security or create weaknesses that can be exploited.

• Application Controls – All applications which support business activities need to be controlled. Standards are necessary for all applications the organization develops or purchases that define the types of controls that must be present across the whole range of business activities, as well as the specific controls that should apply to sensitive processes and information.

• Data Structures – Having consistent data definitions across the full range of applications ensures disparate systems can access data seamlessly and security controls for private and other sensitive data can be applied uniformly.

• Documentation – Standards should specify the minimum level of documentation required for each application system or IT installation, as well as for different classes of applications, processes, and processing centers.

As with policies, standards should be approved by management, should be written in clear and understandable language, and should be made available to all who implement them.

5.3.3 Organization and Management

Organization and management plays a major role in the whole system of IT control, as it does with every aspect of an organization’s operations. An appropriate organization structure allows lines of reporting and responsibility to be defined and effective control systems to be implemented.

5.3.3.1 Separation of Duties

Separation of duties is a vital element of many controls. An organization’s structure should not allow responsibility for all aspects of processing data to rest upon one individual or department. The functions of initiating, authorizing, inputting, processing, and checking data should be separated to ensure no individual can both create an error, omission, or other irregularity and authorize it and/or obscure the evidence. Separation-of-duties controls for application systems are provided by granting access privileges only in accordance with job requirements for processing functions and accessing sensitive information.

Traditional separation of duties within the IT environment is divided between systems development and operations. Operations should be responsible for running production systems — except for change deployment — and should have little or no contact with the development process. This control includes restrictions preventing operators from accessing or modifying production programs, systems, or data. Similarly, systems development personnel should have little contact with production systems. By assigning specific roles during implementation and other change processes to both the personnel responsible for application systems and those responsible for operations, appropriate separation of duties can be enforced. In large organizations, many other functions should be considered to ensure appropriate separation of duties, and these controls can be quite detailed. For example, privileged accounts such as the Administrator group in Windows and Super User in UNIX can modify log entries, access any file, and in many cases act as any user or role. It is important to restrict the number of individuals with this privilege to a minimum.


Software tools are also available and should be considered to limit the power and monitor the activities of individuals with privileged accounts.
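As an added example (not code from the GTAG), the following Python routines show two separation-of-duties tests an auditor could run over an application’s access model: a static scan of a user-to-role matrix for the toxic function combinations described above (e.g., initiate plus authorize), and a scan of a transaction log for any transaction one person both initiated and authorized, plus a list of holders of privileged roles. The roles, users, and transactions are constructed sample data.

```python
"""Separation-of-duties (SoD) tests over an application's access model.

Added illustration, not from the GTAG text. It models the initiate,
authorize, input, process and check functions named in the text and
runs two tests an auditor would perform:
  1. static: scan the user-to-role matrix for toxic function combinations;
  2. dynamic: scan the transaction log for any transaction that one person
     both initiated and authorized, whatever the matrix says.
Roles, users and transactions are constructed sample data.
"""
from collections import defaultdict
from itertools import combinations

# Constructed: pairs of functions that must never rest with one individual.
TOXIC_PAIRS = {
    frozenset({"initiate", "authorize"}),
    frozenset({"input", "authorize"}),
    frozenset({"process", "check"}),
    frozenset({"input", "check"}),
}

# Constructed role catalogue: role -> functions it grants.
ROLE_FUNCTIONS = {
    "ap_clerk": {"initiate", "input"},
    "ap_supervisor": {"authorize"},
    "batch_operator": {"process"},
    "reconciler": {"check"},
    # Privileged account: can do everything, so its holders must be few.
    "sysadmin": {"initiate", "input", "authorize", "process", "check"},
}

# Constructed user-to-role matrix.
SAMPLE_ASSIGNMENTS = {
    "alice": ["ap_clerk"],
    "bob": ["ap_supervisor"],
    "carol": ["ap_clerk", "ap_supervisor"],  # can initiate, input and authorize
    "dave": ["batch_operator"],
    "erin": ["reconciler"],
    "root": ["sysadmin"],
}

# Constructed transaction log: (transaction id, user, action).
SAMPLE_EVENTS = [
    ("T100", "alice", "initiate"), ("T100", "alice", "input"), ("T100", "bob", "authorize"),
    ("T101", "carol", "initiate"), ("T101", "carol", "input"), ("T101", "carol", "authorize"),
    ("T102", "alice", "initiate"), ("T102", "root", "authorize"),
]


def effective_functions(roles):
    """Union of the functions granted by every role a user holds."""
    funcs = set()
    for role in roles:
        funcs |= ROLE_FUNCTIONS.get(role, set())
    return funcs


def sod_matrix_violations(assignments):
    """Static test: (user, function_a, function_b) for each toxic pair a user holds."""
    violations = []
    for user, roles in assignments.items():
        for a, b in combinations(sorted(effective_functions(roles)), 2):
            if frozenset({a, b}) in TOXIC_PAIRS:
                violations.append((user, a, b))
    return sorted(violations)


def sod_transaction_violations(events):
    """Dynamic test: (txn, user) where the same user initiated and authorized.

    The log records what actually happened, so this also catches emergency
    role grants and shared accounts that the matrix does not show.
    """
    by_txn = defaultdict(lambda: defaultdict(set))  # txn -> action -> users
    for txn, user, action in events:
        by_txn[txn][action].add(user)
    return sorted(
        (txn, user)
        for txn, actions in by_txn.items()
        for user in actions["initiate"] & actions["authorize"]
    )


def privileged_users(assignments, privileged_roles=frozenset({"sysadmin"})):
    """Holders of privileged roles; the text asks that this list be kept minimal."""
    return sorted(u for u, roles in assignments.items() if privileged_roles & set(roles))


if __name__ == "__main__":
    for v in sod_matrix_violations(SAMPLE_ASSIGNMENTS):
        print("matrix violation:", v)
    for v in sod_transaction_violations(SAMPLE_EVENTS):
        print("transaction violation:", v)
    print("privileged users:", privileged_users(SAMPLE_ASSIGNMENTS))
```

Run as a script it reports carol’s combined clerk/supervisor roles, root’s all-powerful account, and transaction T101, which carol initiated, input, and authorized alone.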

5.3.3.2 Financial Controls

Because organizations make considerable investments in IT, budgetary and other financial controls are necessary to ensure the technology yields the projected return on investment or proposed savings. Management processes should be in place to collect, analyze, and report information related to these issues. Unfortunately, new IT developments often suffer massive cost over-runs and fail to deliver the expected cost savings because of insufficient planning. Budgetary controls can help identify potential failings early in the process and allow management to take positive action. They may also produce historical data that organizations can use in future projects.

5.3.3.3 Change Management

Change management processes can be specified under organizational and management control elements. These processes should ensure that changes to the IT environment, systems software, application systems, and data are applied in a manner that enforces appropriate division of duties, makes sure changes work as required, prevents changes from being exploited for fraudulent purposes, and reveals the true costs of inefficiencies and system outages that can be obscured by ineffective monitoring and reporting processes. Change management is one of the most sensitive areas of IT controls and can seriously impact system and service availability if not administered effectively. The IT Process Institute has published research demonstrating that effective IT change management can bring significant benefits to organizations.

5.3.3.4 Other Management Controls

Other typical management controls include vetting procedures for new staff, performance measurement, provision of specialist training for IT staff, and disciplinary procedures. These are listed in the Information Security Program Elements in Appendix A and will be covered in greater detail in other GTAG publications.

5.3.4 Physical and Environmental Controls

IT equipment represents a considerable investment for many organizations. It must be protected from accidental or deliberate damage or loss. Physical and environmental controls, originally developed for large data centers that house mainframe computers, are equally important in the modern world of distributed client-server and Web-based systems. Although the equipment commonly used today is designed for ease of use in a normal office environment, its value to the business and the cost and sensitivity of applications running business processes can be significant. All equipment must be protected, including the servers and workstations that allow staff access to the applications.

Some typical physical and environmental controls include:

• Locating servers in locked rooms to which access is restricted.

• Restricting server access to specific individuals.

• Providing fire detection and suppression equipment.

• Housing sensitive equipment, applications, and data away from environmental hazards such as low-lying flood plains or flammable liquid stores.

When considering physical and environmental security, it is also appropriate to consider contingency planning — also known as disaster recovery planning — which includes response to security incidents. What will the organization do if there is a fire or flood, or if any other threat manifests itself? How will the organization restore the business and related IT facilities and services to ensure normal processing continues with minimum effect on regular operations? This type of planning goes beyond merely providing for alternative IT processing power to be available and routine backup of production data; it must consider the logistics and coordination needed for the full scope of business activity. Finally, history consistently demonstrates that a disaster recovery plan that has not been tested successfully in a realistic simulation is not reliable.

5.3.5 Systems Software Controls

Systems software products enable the IT equipment to be used by the application systems and users. These products include operating systems such as Windows, UNIX, and Linux; network and communications software; firewalls; antivirus products; and database management systems (DBMS) such as Oracle and DB2.

Systems software can be highly complex and can apply to components and appliances within the systems and network environment. It may be configured to accommodate highly specialized needs and normally requires a high degree of specialization to maintain it securely. Configuration techniques can control logical access to the applications, although some application systems contain their own access controls and may provide an opening for hackers to use to break into a system. Configuration techniques also provide the means to enforce division of duties, generate specialized audit trails, and apply data integrity controls through access control lists, filters, and activity logs.

IT audit specialists are required to assess controls in this area. Small organizations are unlikely to have the resources to employ such specialists and should consider outsourcing the work. Whether IT auditors are employed or outsourced, they require a highly specific set of knowledge. Much of this knowledge can come from experience, but such knowledge must be updated constantly to remain current and useful. Certification confirms that a technical specialist has acquired a specified set of knowledge and experience and has passed a related examination. In the IT audit world, global certificates include the Qualification in Computer Auditing (QiCA) from IIA–United Kingdom and Ireland, Certified Information Systems Auditor (CISA) available through the Information Systems Audit and Control Association (ISACA), and Global Information Assurance Certification (GIAC) Systems & Network Auditor (GSNA) from the SANS Institute’s GIAC program. Additional certifications address general and specialized competence in information security, network administration, and other areas closely related to IT auditing and are useful for identifying an IT auditor’s potential ability.

Some key technical controls the CAE should expect to find in a well-managed IT environment include:

• Access rights allocated and controlled according to the organization’s stated policy.

• Division of duties enforced through systems software and other configuration controls.

• Intrusion and vulnerability assessment, prevention, and detection in place and continuously monitored.

• Intrusion testing performed on a regular basis.

• Encryption services applied where confidentiality is a stated requirement.

• Change management processes — including patch management — in place to ensure a tightly controlled process for applying all changes and patches to software, systems, network components, and data.

5.3.6 Systems Development and Acquisition Controls

Organizations rarely adopt a single methodology for all systems development projects. Methodologies are chosen to suit the particular circumstances of each project. The IT auditor should assess whether or not the organization develops or acquires application systems using a controlled method that subsequently provides effective controls over and within the applications and data they process. All computer application systems should perform only those functions the user requires, in an efficient way. By examining application development procedures, the auditor can gain assurance that applications work in a controlled manner.

Some basic control issues should be evident in all systems development and acquisition work:

• User requirements should be documented, and their achievement should be measured.

• Systems design should follow a formal process to ensure that user requirements and controls are designed into the system.

• Systems development should be conducted in a structured manner to ensure that requirements and design features are incorporated into the finished product.

• Testing should ensure that individual system elements work as required, system interfaces operate as expected, users are involved in the testing process, and the intended functionality has been provided.

• Application maintenance processes should ensure that changes in application systems follow a consistent pattern of control. Change management should be subject to structured assurance validation processes.

Where systems development is outsourced, the outsourcer or provider contracts should require similar controls.

Project management techniques and controls need to be part of the development process, whether developments are performed in-house or are outsourced. Management should know projects are on time and within budget and that resources are used efficiently. Reporting processes should ensure that management completely understands the current status of development projects and does not receive any surprises when the end product is delivered.

5.3.7 Application-based Controls

The objective of internal controls over application systems is to ensure that:

• All input data is accurate, complete, authorized, and correct.

• All data is processed as intended.

• All data stored is accurate and complete.

• All output is accurate and complete.

• A record is maintained to track the process of data from input to storage and to the eventual output.

Reviewing the application controls traditionally has been the “bread and butter” of the IT auditor. However, because application controls now represent a huge percentage of business controls, they should be the priority of every internal auditor. All internal auditors need to be able to evaluate a business process and understand and assess the controls provided by automated processes.

There are several types of generic controls that the CAE should expect to see in any application:

• Input Controls – These controls are used mainly to check the integrity of data entered into a business application, whether the source is input directly by staff, remotely by a business partner, or through a Web-enabled application. Input is checked to ensure that it remains within specified parameters.

• Processing Controls – These controls provide automated means to ensure processing is complete, accurate, and authorized.

• Output Controls – These controls address what is done with the data. They should compare results with the intended result and check them against the input.

• Integrity Controls – These controls can monitor data in process and/or in storage to ensure that data remains consistent and correct.

• Management Trail – Processing history controls, often referred to as an audit trail, enable management to track transactions from the source to the ultimate result and to trace backward from results to identify the transactions and events they record. These controls should be adequate to monitor the effectiveness of overall controls and identify errors as close as possible to their sources.
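As an added example (not code from the GTAG or from any product it names), the following Python routine runs a constructed batch of payment records through the generic application controls just listed and through the preventive, detective, and corrective functions from Section 5.1: an input edit rejects a letter in a numeric account field, balancing against the header’s record count, amount total, and hash total detects the resulting out-of-balance condition, rejected records go to a suspense list for correction, and a hash-chained management trail records every decision so that later tampering with the history is detectable. The batch layout, field limits, and sample records are constructed for the example.

```python
"""Application controls over a constructed batch of payment records.

Added illustration, not from the GTAG text: preventive input edits,
detective balancing against batch control totals, corrective suspense
handling, and a hash-chained management trail. Constructed batch layout:
    H,<record count>,<amount total>,<hash total of account numbers>
    D,<txn id>,<8-digit account>,<amount>,<entered by>
"""
import hashlib
import json
from decimal import Decimal, InvalidOperation

ITEM_LIMIT = Decimal("100000.00")  # constructed per-item authorization limit


def edit_record(fields):
    """Preventive input edit. Returns (record, None) or (None, reason)."""
    if len(fields) != 5 or fields[0] != "D":
        return None, "malformed detail record"
    _, txn_id, account, amount_s, entered_by = fields
    if not (account.isdigit() and len(account) == 8):  # rejects letters in a numeric field
        return None, f"{txn_id}: account must be 8 numeric digits"
    try:
        amount = Decimal(amount_s)
    except InvalidOperation:
        return None, f"{txn_id}: amount '{amount_s}' is not numeric"
    if amount <= 0 or amount > ITEM_LIMIT:
        return None, f"{txn_id}: amount {amount} outside 0 < x <= {ITEM_LIMIT}"
    return {"txn_id": txn_id, "account": account, "amount": amount,
            "entered_by": entered_by}, None


class ManagementTrail:
    """Append-only processing history. Each entry commits to the previous
    entry's hash, so a later alteration of any entry is detectable by verify()."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(body):
        return hashlib.sha256(json.dumps(body, sort_keys=True, default=str).encode()).hexdigest()

    def record(self, event, **details):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = {"seq": len(self.entries), "event": event, "details": details, "prev": prev}
        self.entries.append({**body, "hash": self._digest(body)})

    def verify(self):
        prev = "0" * 64
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev"] != prev or self._digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def process_batch(lines):
    """Run one batch through the controls. Rejected lines go to a suspense list
    for correction; accepted records are balanced against the header totals;
    every decision is written to the management trail."""
    header = lines[0].split(",")
    if len(header) != 4 or header[0] != "H":
        raise ValueError("missing batch header")
    exp_count, exp_amount, exp_hash = int(header[1]), Decimal(header[2]), int(header[3])
    trail, accepted, suspense = ManagementTrail(), [], []
    for raw in lines[1:]:
        rec, reason = edit_record(raw.split(","))
        if rec is None:
            suspense.append({"line": raw, "reason": reason})
            trail.record("rejected", line=raw, reason=reason)
        else:
            accepted.append(rec)
            trail.record("accepted", **rec)
    count = len(accepted)
    amount = sum((r["amount"] for r in accepted), Decimal("0"))
    acct_hash = sum(int(r["account"]) for r in accepted)  # hash total, used only to balance
    exceptions = []
    if count != exp_count:
        exceptions.append(f"record count {count} != header {exp_count}")
    if amount != exp_amount:
        exceptions.append(f"amount total {amount} != header {exp_amount}")
    if acct_hash != exp_hash:
        exceptions.append(f"account hash total {acct_hash} != header {exp_hash}")
    trail.record("out_of_balance" if exceptions else "balanced", exceptions=exceptions)
    return {"accepted": accepted, "suspense": suspense, "exceptions": exceptions,
            "balanced": not exceptions, "trail": trail}


# Constructed batch: the header was prepared for three records, but the third
# detail line carries a letter in the account field and is rejected.
SAMPLE_BATCH = [
    "H,3,1500.00,112340677",
    "D,T001,12345678,500.00,alice",
    "D,T002,87654321,750.00,alice",
    "D,T003,1234A678,250.00,bob",
]
```

Calling process_batch(SAMPLE_BATCH) returns two accepted records, one suspense item, and three balancing exceptions, and the returned trail verifies until any entry in it is edited.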


5.4 Information Security

Information security is an integral part of all IT controls. Information security applies to both infrastructure and data and is the foundation for the reliability of most other IT controls. The exceptions are controls relating to the financial aspects of IT (e.g., ROI, budgetary controls) and some project management controls. The universally accepted elements of information security are:

• Confidentiality – Confidential information must only be divulged as appropriate and must be protected from unauthorized disclosure or interception. Confidentiality includes privacy considerations.

• Integrity – Information integrity refers to the state of data as being correct and complete. This specifically includes the reliability of financial processing and reporting.

• Availability – Information must be available to the business, its customers, and partners when, where, and in the manner needed. Availability includes the ability to recover from losses, disruption, or corruption of data and IT services, as well as from a major disaster where the information was located.

5.5 IT Controls Framework

IT controls are not automatic. For the more than 50 years organizations have used IT, controls have not always been the default condition of new systems, hardware, or software. The development and implementation of controls typically lag behind the recognition of vulnerabilities in systems and the threats that exploit such vulnerabilities. Further, IT controls are not defined in any widely recognized standard applicable to all systems or to the organizations that use them.

Many frameworks exist for categorizing IT controls and their objectives. Each organization should use the most applicable components of these frameworks to categorize or assess IT controls and to provide and document its own internal control framework for:

• Compliance with applicable regulations and legislation.

• Consistency with the organization’s goals and objectives.

• Reliable evidence (assurance) that activities are in compliance with management’s governance policies and are consistent with the organization’s risk appetite.

Risk Appetite

An organization’s risk appetite defines the degree of risk a company or other organization is willing to accept in pursuit of its goals, as determined by executive management and governance. Risk appetite can specify, for example, whether or not an organization will take an aggressive role in the deployment of new and emerging technologies. An organization’s risk appetite can be affected by its industry and regulatory environment. Closely related to risk appetite is an organization’s risk tolerance, which measures how far it is willing to deviate from its stated measure of risk appetite.

Many issues drive the need for IT controls, including controlling costs and remaining competitive, protecting against information theft by hackers, and complying with legislation and regulation such as the U.S. Sarbanes-Oxley Act of 2002,² the European Union’s Data Protection Directive, and related legislation in other countries. IT controls promote reliability and efficiency and allow the organization to adapt to changing risk environments. For example, any control that mitigates or detects fraud or cyber attacks enhances the organization’s resiliency by helping the organization uncover the risk and manage its impact. Resiliency is a result of a strong system of internal controls that give an organization the ability to manage disruptions seamlessly.

Legislation and regulations in some countries now require organizations to report on the effectiveness of internal control and, by implication, the effectiveness of IT control. The most prominent new law is Sarbanes-Oxley, which requires all companies with shares that are publicly traded in the United States, and their foreign subsidiaries, to report on their system of internal controls over financial reporting, performed in conjunction with an audit of financial statements. A list of some of the legislation and regulations applicable to internal controls is provided in Appendix B (see page 24).

The need for controls is further driven by the complexity resulting from the necessity for diverse technical components to work with one another. While flexibility and adaptability of IT are crucial to meeting the changing needs of customers and business partners and responding to competitive pressures, they also add complexity to business and IT infrastructures. In addition, information security has been acknowledged as a key component of internal control with the emergence and widespread acceptance of standards such as the International Organization for Standardization Code of Practice for Information Security Management (ISO 17799).

Organizations that implement effective IT controls experience improvements in efficiencies, reliability of services, flexibility of systems, and availability of assurance evidence — all of which add value and increase stakeholder and regulator confidence in the organization. Some key indicators of effective IT controls include:

• The ability to execute planned new work, such as the IT infrastructure upgrades required to support new products and services.

• Delivery of development projects on time and within budget, resulting in cheaper and better product and service offerings when compared with competitors.

• Ability to allocate resources predictably.

• Consistent availability and reliability of information and IT services across the organization and for customers, business partners, and other external interfaces.

• Clear communication to management of effective controls.

• The ability to protect against new vulnerabilities and threats quickly and efficiently and to recover from any disruption of IT services.

• The efficient use of a customer support center or help desk.

• A security-conscious culture among end users throughout the organization.

Although the internal audit function likely will include specialist IT auditors to address IT issues in detail, the CAE also should understand IT control issues at a high level, particularly their interactions with other IT and non-IT controls. This understanding is particularly important when discussing compliance or control deficiencies with high-level managers such as the chief executive officer (CEO), chief financial officer (CFO), or chief information officer (CIO), and with the various board committees.

The CAE should be able to discuss relevant regulations and legislation with the audit committee, the chief legal counsel, and other relevant individuals and committees. The CAE also should understand how IT controls support reliability and effectiveness and help promote competitive advantage. Moreover, the CAE should thoroughly understand the major issues that drive the need for controls within the organization’s particular sector to ensure they are considered during audit assessments. Without a thorough knowledge and understanding of IT controls, the auditor will be unable to grasp their significance or to assess them adequately as part of the overall review of internal control.

GTAG — Importance of IT Controls — 6


2 Public Accounting Reform and Investor Protection Act of 2002, known as Sarbanes-Oxley after its sponsors, U.S. Sen. Paul Sarbanes and U.S. Rep. Michael Oxley.

7 IT Roles in the Organization

Many different roles have emerged in recent years for positions within the organization with responsibilities and ownership of IT controls. Each position at the governance, management, operational, and technical levels should have a clear description of its roles and responsibilities for IT controls to avoid confusion and ensure accountability for specific issues. This section addresses the various IT control roles and responsibilities within the organization and allocates them to specific positions within a hypothetical organizational structure.

There is no universally applicable means of defining the organizational structure for IT control. The CAE should identify where IT control responsibilities lie and assess their appropriateness with regard to separation of duties, as well as any gaps that may exist in assigned responsibilities. Once this is done, the CAE will know whom to approach to discuss specific IT issues and where specific information can be obtained.

Overall, the objectives for the use of IT within any organization are:

• To deliver reliable information efficiently and secure IT services in line with the organization's strategies, policies, external requirements, and risk appetite.

• To protect stakeholder interests.

• To enable mutually beneficial relationships with customers, business partners, and other outside parties that accomplish business objectives.

• To identify and respond to threats and potential violations of control appropriately.

Specific roles within the organization support these objectives. The position descriptions and titles will differ across different countries, industries, and organizations, and some of the roles may be merged within smaller organizations. However, some individuals within the organization must address the IT control function and interact with the CAE and internal audit staff members.

7.1 Board of Directors/Governing Body

One important role of the full board of directors is to determine and approve strategies, set objectives, and ensure that objectives are being met to support the strategies. In relation to IT, this requires:

• Awareness of the key IT topics, such as the IT and information security policies and the concepts of risk as they relate to IT. An example of board roles in IT oversight is provided in The IIA's "Information Security Management and Assurance Series" at www.theiia.org/iia/index.cfm?doc_id=2458.

• Understanding of the IT strategy's infrastructure and components, as well as awareness of key system development and acquisition projects and how they support and impact overall corporate strategies, objectives, and short- and long-term budgets.

• Approval of the data classification structure and the related access rights.

The board will establish various committees based on its relationships with the organization. The most common committees of the board are audit, compensation, and governance, but some boards have additional committees such as a risk management committee or finance committee. These committees may bear different names from those identified below, and their roles may vary. The functions, rather than the names, are important.

7.1.1 Audit Committee

The role of the audit committee encompasses oversight of financial issues, internal control assessment, risk management, and ethics. IT control is a strong element of each of these duties and calls for:

• Understanding of financial management (financial expert role) and the organization's reliance on IT for financial processing and reporting.

• Ensuring IT topics are included in the committee meeting agenda — especially CIO reporting.

• Ensuring general IT controls and controls in business application systems and processes involved in preparing financial statements are assessed and tested adequately.

• Overseeing the overall assessment of IT controls.

• Reviewing the business and control issues related to new systems development and acquisition.

• Examining internal and external audit plans and work to ensure IT topics are covered adequately.

• Reviewing the results of audit work and monitoring the resolution of issues raised.

• Understanding the IT topics that impact ethics monitoring.

7.1.2 Compensation Committee

The compensation committee has no direct relationship with IT. However, it can improve the board's oversight of IT by making IT one of the performance elements of any compensation plan it approves.

7.1.3 Governance Committee

The governance committee is responsible for board member selection and assessment and for leadership of the board's operations. In relation to IT, this committee should:

• Ensure that potential and current board members have a suitable IT knowledge or background.

• Assess board committees' performance in terms of their oversight of IT.

• Review any external regulatory governance assessments in relation to IT topics.

• Ensure that the board reviews IT policies periodically and that board meetings focus on IT with adequate frequency.

7.1.4 Risk Management Committee

The risk management committee is responsible for oversight of all risk analysis and assessment, risk response, and risk monitoring. Its role includes:

• Assessing the extent to which management has established effective enterprise risk management in the organization.

• Being aware of, and concurring with, the organization's risk appetite and tolerance.

• Appreciating the impact of IT-related risks.

• Reviewing the organization's risk portfolio — including IT risks — and considering it against the organization's risk appetite.

• Being apprised of the most significant IT risks and determining whether or not management's response to changes in risk and threats is appropriate.

• Monitoring and evaluating all activities performed by management to minimize all known and documented risks.

7.1.5 Finance Committee

The main role of the finance committee is to review financial statements, cash flow projections, and investment management. Members of this committee need to understand the control elements of IT that ensure the accuracy of information used to make key financing decisions and generate financial reports. They also should consider, and ask management to report on, the benefits and costs of maintaining — versus replacing — critical IT systems. Management's report should consider "soft" efficiency issues such as gains or losses to productivity based on ease and efficiency of use, the "hard" costs of repairs and upgrades, and the potential for risk due to loss or corruption of data.

7.2 Management

Several specific roles have emerged in large organizations in relation to IT risk and control. As stated previously, small organizations might not allocate an individual for each role, although the function must still be performed. An individual may perform multiple roles, but care must be taken so that allocating these roles does not compromise the need for division of duties where roles are incompatible. Where IT is outsourced, there is still a requirement for organizations to keep many of these roles in-house to provide oversight of the outsourced functions.

7.2.1 Chief Executive Officer

The individual with overall strategic and operational control of the organization must consider IT in most aspects of the role. In particular, the CEO will:

• Define corporate objectives and performance measures in relation to IT.

• Act as custodian over the organization's critical success factors in relation to IT.

• Understand and approve the short-term and long-range strategy for IT.

• Approve IT resources for the organization, including structure and oversight/monitoring.

• Determine IT issues for periodic management, board, and staff discussion.

• Operate as the highest-level control owner, having ultimate responsibility for the success or failure of controls and for coordinating all other operational managers within their responsibilities framework who act as control owners of their particular areas.

7.2.2 Chief Financial Officer

The CFO has overall responsibility for all financial matters in the organization and should have a strong understanding of the use of IT both to enable financial management and to support corporate objectives. This individual should have an overall understanding of:

• The total cost of ownership for IT initiatives.

• The entity's IT strategies for remaining technologically competitive.

• The technologies used to implement financial applications.

• The operation of specific financial applications.

• The limitations and benefits of IT.

• The IT control structure for general controls that apply to all business systems and data, as well as controls that are specific to financial applications.

The CFO should operate as the highest-level control owner for financial systems and data.

IT Controls and Ethics

As evidenced in the Equity Funding cases in the 1970s to the scandals that continue to emerge today, the use of technology creates significant opportunities to initiate and perpetuate fraud and deception. The authority to override certain controls brings with it the temptation to initiate improper actions. If such improprieties go unnoticed or are tacitly allowed to continue, they can grow into outright fraud. Therefore, when an organization provides an individual the opportunity to perform actions on behalf of the organization, it has a corresponding responsibility to provide monitoring to detect and correct improper activities quickly. The organization also has a responsibility to identify threats of this sort and to establish safeguards as a preventive measure. The same technology tools that can create the opportunity for fraud can be used to identify activities or even unusual patterns in transactions or other data that may indicate evidence of fraud or questionable behavior.
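The "IT Controls and Ethics" sidebar makes the point that the technology which lets a user override a control can also be used to detect when overrides are misused. The following Python script is an added example, not code from the GTAG or from The IIA, showing that kind of detective monitoring run over a constructed application log: it flags overrides that carry no second approval, transactions approved by their own initiator (a division-of-duties failure of the kind section 7.2 warns about), and users whose approved override volume stands out as a pattern worth a control owner's review. The record layout, user names, amounts and the threshold are all hypothetical.

```python
"""Detective monitoring of control overrides (added example, not GTAG code).

The log format, field names, user names and threshold are constructed for
illustration; a real application would export equivalent fields from its audit trail.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Transaction:
    txn_id: str
    initiator: str            # user who entered the transaction
    approver: Optional[str]   # user who approved it, or None if no approval was recorded
    amount: float
    override: bool            # True when the initiator bypassed a control to post it


# Constructed sample log (not real data).
SAMPLE_LOG: List[Transaction] = [
    Transaction("T1001", "alice", "bob",   1_200.0,  False),
    Transaction("T1002", "alice", "alice", 98_000.0, True),   # self-approved override
    Transaction("T1003", "carol", None,    15_000.0, True),   # override with no approval at all
    Transaction("T1004", "dave",  "erin",  500.0,    True),   # approved override
    Transaction("T1005", "dave",  "erin",  700.0,    True),   # approved override
    Transaction("T1006", "dave",  "erin",  650.0,    True),   # approved override
    Transaction("T1007", "frank", "grace", 300.0,    False),
]

OVERRIDE_PATTERN_THRESHOLD = 3   # overrides per user at or above which the volume is reported


def find_exceptions(log: Iterable[Transaction],
                    threshold: int = OVERRIDE_PATTERN_THRESHOLD
                    ) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Return (exceptions, pattern_users).

    exceptions    : (txn_id, reason) for single transactions that break a control rule
    pattern_users : users whose override count reaches the threshold even though each
                    individual override was approved (the "unusual pattern" case)
    """
    exceptions: List[Tuple[str, str]] = []
    overrides_by_user: Counter = Counter()
    for t in log:
        # Division of duties: the person who enters a transaction must not approve it.
        if t.approver is not None and t.approver == t.initiator:
            exceptions.append((t.txn_id, "initiator approved own transaction"))
        if t.override:
            overrides_by_user[t.initiator] += 1
            # An override is only acceptable when a second person signed off on it.
            if t.approver is None:
                exceptions.append((t.txn_id, "override without second approval"))
    pattern_users = sorted(u for u, n in overrides_by_user.items() if n >= threshold)
    return exceptions, pattern_users


if __name__ == "__main__":
    found, users = find_exceptions(SAMPLE_LOG)
    for txn_id, reason in found:
        print(f"{txn_id}: {reason}")
    for user in users:
        print(f"{user}: override volume reached threshold, review with control owner")
```

The two rules are deliberately separate: a missing or self-granted approval is an exception on a single record, whereas the per-user count catches a pattern that no single record reveals, which is the distinction the sidebar draws between improper activities and unusual patterns.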

7.2.3 Chief Information Officer

The CIO has overall responsibility for the use of IT within the organization. In relation to IT controls, the CIO should:

• Understand the business requirements that drive the need to implement IT.

• Develop IT partnerships with business management to:
  – Ensure IT strategy is aligned with the business strategy.
  – Ensure compliance.
  – Profit from process-efficiency gains.
  – Mitigate assessed risks.

• Design, implement, and maintain an IT internal control framework.

• Plan, source, and control IT resources.

• Explore, assess, select, and implement technology advances (e.g., wireless communications).

• Provide training for IT personnel to ensure that levels of knowledge and skills remain current.

• Operate as the highest-level data/system custodian and IT control owner.

• Measure the operational performance of IT in support of business objectives by:
  – Setting expectations.
  – Evaluating results.

• Develop all necessary means to verify and acknowledge that IT is providing services and support as expected by its users and final customers, such as regulators and external and internal auditors.

7.2.4 Chief Security Officer

The chief security officer (CSO) is responsible for all security across the entire organization, including information security, which may be the responsibility of a chief information security officer as well. The CSO:

• Has responsibility for documenting the enterprise security policy and for ensuring mechanisms have been established to communicate and enforce the policy.

• Has overall responsibility for logical and physical security in the organization and for all external connections to the Internet or other networks.

• Acts as a key link between the compliance, legal, CIO, and audit functions.

• Is at the forefront of implementing key compliance programs affecting IT, such as Sarbanes-Oxley and the European Union (EU) Data Protection Directive.

• Is responsible for business continuity planning, including incident handling and disaster recovery.

• Ensures that security staff provide support for implementing controls at all levels.

• Acts as the key leader for investigating and evaluating new best practices that may be incorporated into the organization.

7.2.5 Chief Information Security Officer (CISO)

Information security is a subset of the overall security role. The CISO:

• Develops and implements the information security policy in coordination with the CSO.

• Controls and coordinates information security resources, ensuring they are allocated adequately to meet the organization's security objectives.

• Ensures alignment of information security and business objectives.

• Manages operational information risks throughout the organization.

• Oversees security within the IT organization.

• Provides education and awareness on information security issues and new best practices.

• Develops end-user policies for the usage of IT information in conjunction with the human resources function.

• Coordinates information security work with the chief risk officer (CRO) and CIO.

• Advises the CEO, CRO, CIO, and board on IT risk issues.

• Acts as a key link for the CAE when internal auditing performs IT control-related audits.

7.2.6 Chief Legal Counsel (CLC)

Legal counsel may be an employee or officer of the organization or an external legal adviser. The role involves:

• Understanding and dealing with the liabilities arising out of information disclosures and providing policy-level guidance to help manage risks related thereto.

• Ensuring financial reports and presentations comply with laws and regulations.

• Understanding IT legal issues and advising on legal risks related to IT.

• Managing organizational reputation in relation to legal issues, compliance, and public relations.

• Understanding fraud involving IT.

• Managing IT contractual issues.

• Understanding investigative forensics protocols regarding suspected criminal activity.

7.2.7 Chief Risk Officer

The CRO is concerned with managing risk at all levels of the organization. Because IT risks form a part of this function, the CRO will consider them with the help of the CISO. This includes:

• Analysis and assessment of IT risk exposures, including information compromises such as loss, damage, unauthorized disclosure, and interrupted access.

• Assessment of IT events such as interruptions, disasters, and changes.

• Analysis and assessment of business risk as it is affected by IT risk.

• Monitoring, supporting, and acting as a mentor for all IT activities related to minimizing risks.

7.3 Audit

7.3.1 Internal Auditing – CAE and Audit Staff

Internal auditing is an essential part of the corporate governance process, whether or not a specific internal audit group is employed. Internal auditors need a general understanding of IT, but the level of their understanding will vary depending on the category of auditing or audit supervision they perform (IIA Standard 1210.A3). The IIA defines three categories of IT knowledge for internal auditors; Appendix C (see page 28) describes these categories. The internal audit role in relation to IT involves:

• Advising the audit committee and senior management on IT internal control issues.

• Ensuring IT is included in the audit universe and annual plan (selecting topics).

• Ensuring IT risks are considered when assigning resources and priorities to audit activities.

• Defining IT resources needed by the internal audit department, including specialized training of audit staff.

• Ensuring that audit planning considers IT issues for each audit.

• Liaising with audit clients to determine what they want or need to know.

• Performing IT risk assessments.

• Determining what constitutes reliable and verifiable evidence.

• Performing IT enterprise-level controls audits.

• Performing IT general controls audits.

• Performing IT applications controls audits.

• Performing specialist technical IT controls audits.

• Making effective and efficient use of IT to assist the audit processes.

• During systems development or analysis activities, operating as experts who understand how controls can be implemented and circumvented.

• Helping to monitor and verify the proper implementation of activities that minimize all known and documented IT risks.

7.3.2 External Auditor

Independent external audits are a requirement for most organizations and normally are performed annually. Topics to be considered by the internal audit department and the audit committee include:

• The extent of the external auditor's responsibilities for understanding and evaluating the IT system and related IT controls during financial audits.

• The scope of the external auditor's responsibilities for examining the IT system and controls during any formal attestation that may be required by statute or regulation, such as internal controls over financial reporting and other regulatory requirements.


3 These definitions are taken from the COSO Enterprise Risk Management – Integrated Framework (Oct. 2004).

8 Analyzing Risk

8.1 Risk Determines Response

IT controls are selected and implemented on the basis of the risks they are designed to manage. As risks are identified — through experience or formal risk assessment — suitable risk responses are determined, ranging from doing nothing and accepting the risk as a cost of doing business to applying a wide range of specific controls, including insurance.

It would be a relatively straightforward task to create a list of recommended IT controls that must be implemented within each organization. However, each control has a specific cost that may not be justified in terms of cost effectiveness when considering the type of business done by the organization. Furthermore, no list of controls is universally applicable across all types of organizations. Although there is a lot of good advice available on the choice of suitable controls, strong judgment must be used. Controls must be appropriate for the level of risk faced by the organization.

The CAE should be able to advise the audit committee that the internal control framework is reliable and provides a level of assurance appropriate to the risk appetite of the organization. In this respect, the risk appetite of the organization is defined by COSO³ as:

"… the degree of risk, on a broad-based level, that a company or other organization is willing to accept in pursuit of its goals. Management considers the organization's risk appetite first in evaluating strategic alternatives, then in setting objectives aligned with the selected strategy and in developing mechanisms to manage the related risks."

In addition, the CAE should consider risk tolerance. COSO defines risk tolerance as:

"… the acceptable level of variation relative to the achievement of objectives. In setting specific risk tolerances, management considers the relative importance of the related objectives and aligns risk tolerances with its risk appetite."

Thus, the CAE should consider whether or not:

• The organization's IT environment is consistent with the organization's risk appetite.

• The internal control framework is adequate to ensure that the organization's performance remains within the stated risk tolerances.

8.2 Risk Considerations in Determining the Adequacy of IT Controls

Risk management applies to the entire spectrum of activity within an organization, not just to the application of IT. IT cannot be considered in isolation but must be treated as an integral part of all business processes. Choosing IT controls is not simply a matter of implementing those recommended as best practices. They must add value to the organization by reducing risk efficiently and increasing effectiveness.

When considering the adequacy of IT controls within the organization's internal control framework, the CAE should consider the processes established by management to determine:

• The value and criticality of information.

• The organization's risk appetite and tolerance for each business function and process.

• IT risks faced by the organization and quality of service provided to its users.

• The complexity of the IT infrastructure.

• The appropriate IT controls and the benefits they provide.

• Harmful IT incidents in the past 24 months.

The frequency of risk analysis is important and is influenced greatly by technological change. In a static business and technical infrastructure environment, the risk assessment process could be as infrequent as yearly or could be performed in concert with a major implementation project.

8.2.1 The IT Infrastructure

Analyzing and assessing risk in relation to IT can be complex. The IT infrastructure consists of hardware, software, communications, applications, protocols (rules), and data, as well as their implementation within physical space, within the organizational structure, and between the organization and its external environment. Infrastructure also includes the people interacting with the physical and logical elements of systems.

The inventory of IT infrastructure components reveals basic information about the vulnerabilities of the environment. For example, business systems and networks connected to the Internet are exposed to threats that do not exist for self-contained systems and networks. Because Internet connectivity is an essential element of most business systems and networks, organizations must make certain that their systems and network architectures include the fundamental controls that ensure basic security.

The complete inventory of the organization's IT hardware, software, network, and data components forms the foundation for assessing the vulnerabilities within the IT infrastructure that may impact internal controls. Systems architecture schematics reveal the implementation of infrastructure components and how they interconnect with other components within and outside the organization. To the information security expert, the inventory and architecture of IT infrastructure components — including the placement of security controls and technologies — reveal potential vulnerabilities. Unfortunately, information about a system or network can also reveal vulnerabilities to a potential attacker, so access to such information must be restricted to only those people who need it. A properly configured system and network environment will minimize the amount of information it provides to would-be attackers, and an environment that appears secure presents a less attractive target to most attackers.

GTAG — Analyzing Risk — 8


8.2.2 IT Risks Faced by the Organization

The CAE discusses IT risk issues with the CIO and process owners to ensure that all related parties have an appropriate awareness and understanding of the technical risks faced by the organization through the use of IT, and of their roles in applying and maintaining effective controls.

8.2.3 Risk Appetite and Tolerance

Armed with the knowledge of IT risks, the auditor can validate the existence of effective controls to meet the established risk appetite of the organization and its risk tolerance in relation to IT. The auditor's assessment will involve discussions with many members of management and, ultimately, with the board. The level of detail of these discussions can be determined by the CRO with input from the CIO, CISO, CSO, CAE, and process owners. The final decision regarding risk appetite and tolerance must be made by the risk committee — with input from the audit committee — and must be endorsed by the full board. The definitions of risk appetite and tolerance must be communicated to all relevant managers for implementation.

The goal of enterprise risk management is to ensure that everyone is working with the same level and understanding of risk, and that decisions made at all levels of management are consistent with the organization's risk appetite.

8.2.4 Performing Risk Analysis

Performing risk analysis is not the sole preserve of either the CRO or the CAE, although both of them or their representatives should be involved, along with representatives from IT and the business areas.

There are eight basic questions associated with the risk assessment process. The first five include:

• What are the assets at risk and the value of their confidentiality, integrity, and availability?

• What could happen to affect that information asset value adversely (threat event)? Implicit to this question is the vulnerability analysis and mapping of vulnerabilities to threats and potentially impacted information assets.

• If a threat event happened, how bad could its impact be?

• How often might the event be expected to occur (frequency of occurrence)?

• How certain are the answers to the first four questions (uncertainty analysis)?

The next three questions apply to risk mitigation analysis:

• What can be done to reduce the risk?

• How much will it cost?

• Is it cost-efficient?

8.2.5 Value of Information

Determining the value of the information processed and stored is not an easy task due to the multidimensional nature of value. The Generally Accepted Information Security Principles (GAISP) Guidelines for Information Valuation, published by the Information Systems Security Association (www.ISSA.org), address information value within the following categories:

• Exclusive possession – cost in the event of a breach of confidentiality.

• Utility – cost in the event of a loss of integrity.

• Cost of creation/re-creation.

• Liability in the event of litigation.

• Convertibility/negotiability – represents market value.

• Operational impact of unavailability.

8.2.6 Appropriate IT Controls

Finally, appropriate IT controls must be chosen and implemented to address the risks identified. Much advice is available on this subject; see Appendix I (see page 45).

The CAE and internal audit group should be involved in the process of analyzing and assessing risk. While they should operate in a manner that maintains the independence and objectivity of their function, they also must provide an opinion on the effectiveness of the internal control framework.

8.3 Risk Mitigation Strategies

When risks are identified and analyzed, it is not always appropriate to implement controls to counter them. Some risks may be minor, and it may not be cost effective to implement expensive control processes for them.

In general, there are several ways to mitigate the potential impact of risks:

• Accept the risk. One of the primary functions of management is managing risk. Some risks are minor because their impact and probability of occurrence are low. In this case, consciously accepting the risk as a cost of doing business is appropriate, as well as periodically reviewing the risk to ensure its impact remains low.

• Eliminate the risk. It is possible for a risk to be associated with the use of a particular technology, supplier, or vendor. The risk can be eliminated by replacing the technology with more robust products and by seeking more capable suppliers and vendors.

• Share the risk. Risk mitigation approaches can be shared with trading partners and suppliers. A good example is outsourcing infrastructure management. In such a case, the supplier mitigates the risks associated with managing the IT infrastructure by being more capable and having access to more highly skilled staff than the primary organization. Risk also may be mitigated by transferring the cost of realized risk to an insurance provider.

• Control/mitigate the risk. Where other options have been eliminated, suitable controls must be devised and implemented to prevent the risk from manifesting itself or to minimize its effects.
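The eight questions of section 8.2.4 and the responses just listed can be carried through numerically. The following Python code is an added example, not from the GTAG or The IIA, that records the first five questions as a risk entry (asset value, threat, per-event impact, frequency, confidence), answers questions six to eight by comparing each candidate control's annual cost with the expected loss it avoids, and then maps the outcome onto accept, share, control or eliminate. The class and field names, the decision rule, the confidence discount and every figure in the sample data are assumptions constructed for illustration.

```python
"""Quantitative risk analysis and response selection (added example, not GTAG code).

Q1..Q8 refer to the eight risk assessment questions in section 8.2.4.
All class names, field names, figures and the decision rule are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Risk:
    asset: str
    asset_value: float      # Q1: value of the asset's confidentiality, integrity and availability
    threat: str             # Q2: the threat event that could reduce that value
    exposure_factor: float  # Q3: fraction of asset value lost per event (0.0 .. 1.0)
    annual_rate: float      # Q4: expected occurrences per year
    confidence: float       # Q5: certainty in the estimates above (0.0 .. 1.0)


@dataclass(frozen=True)
class Control:
    name: str               # Q6: what can be done
    annual_cost: float      # Q7: what it costs per year
    rate_factor: float      # fraction of annual_rate that remains with the control in place
    exposure_factor: float  # fraction of exposure_factor that remains with the control in place


def single_loss_expectancy(risk: Risk) -> float:
    """Loss from one occurrence of the threat event (Q1 x Q3)."""
    return risk.asset_value * risk.exposure_factor


def annualized_loss_expectancy(risk: Risk) -> float:
    """Expected loss per year (single loss x Q4)."""
    return single_loss_expectancy(risk) * risk.annual_rate


def residual_ale(risk: Risk, control: Control) -> float:
    """Expected annual loss that remains once the control is operating."""
    return annualized_loss_expectancy(risk) * control.rate_factor * control.exposure_factor


def control_benefit(risk: Risk, control: Control) -> float:
    """Expected annual loss avoided, discounted by confidence (Q5) so that
    shaky estimates do not justify spending on their own."""
    avoided = annualized_loss_expectancy(risk) - residual_ale(risk, control)
    return avoided * risk.confidence


def is_cost_efficient(risk: Risk, control: Control) -> bool:
    """Q8: the control pays for itself only if the discounted benefit exceeds its cost."""
    return control_benefit(risk, control) > control.annual_cost


def choose_response(risk: Risk, controls: List[Control], accept_threshold: float,
                    insurance_premium: Optional[float] = None) -> Tuple[str, Optional[str]]:
    """Map the analysis onto the responses of section 8.3 (illustrative rule, an assumption).

    accept    : expected annual loss is within what management will carry unmitigated
    share     : transferring the loss (insurance) is cheaper than the best control
    control   : the cost-efficient control with the largest net benefit is applied
    eliminate : nothing is cost-efficient, so the technology or supplier should be replaced
    """
    ale = annualized_loss_expectancy(risk)
    if ale <= accept_threshold:
        return ("accept", None)
    efficient = [c for c in controls if is_cost_efficient(risk, c)]
    best = max(efficient, key=lambda c: control_benefit(risk, c) - c.annual_cost, default=None)
    if insurance_premium is not None and insurance_premium < ale * risk.confidence:
        if best is None or insurance_premium < best.annual_cost:
            return ("share", "insurance")
    if best is not None:
        return ("control", best.name)
    return ("eliminate", None)


# Constructed sample data (not real figures).
CUSTOMER_DB = Risk("customer database", 2_000_000.0,
                   "compromise through an Internet-facing service", 0.25, 0.2, 0.8)
INTERNAL_WIKI = Risk("internal wiki", 20_000.0, "accidental deletion", 0.5, 0.5, 0.9)
LEGACY_GATEWAY = Risk("legacy EDI gateway", 300_000.0,
                      "failure of unsupported software", 1.0, 0.5, 0.7)

PATCHING = Control("vulnerability management and patching", 40_000.0, 0.25, 1.0)
SEGMENTATION = Control("network segmentation rebuild", 150_000.0, 0.1, 0.5)
ACCEPT_THRESHOLD = 10_000.0   # annual loss management will carry without a control


if __name__ == "__main__":
    cases = [
        (CUSTOMER_DB, [PATCHING, SEGMENTATION], 55_000.0),
        (INTERNAL_WIKI, [PATCHING], None),
        (LEGACY_GATEWAY, [], None),
    ]
    for risk, ctrls, premium in cases:
        print(risk.asset, round(annualized_loss_expectancy(risk)),
              choose_response(risk, ctrls, ACCEPT_THRESHOLD, premium))
```

Two design choices are worth noting. The confidence figure from question five is applied to the benefit rather than to the cost, so a poorly understood risk needs a larger margin before spending is justified; and the rule falls through to "eliminate" only when neither a cost-efficient control nor a cheaper transfer exists, matching the guide's point that controls are devised where the other options have been ruled out.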


8.4 Control Characteristics to Consider

Some of the issues to be addressed during the IT control evaluation process include:

• Is the control effective?

• Does it achieve the desired result?

• Is the mix of preventive, detective, and corrective controls effective?

• Do the controls provide evidence when control parameters are exceeded or when controls fail? How is management alerted to failures, and which steps are expected to be taken?

• Is evidence retained (audit or management trail)?

8.5 Baseline IT Controls

IT controls are to be applied when mitigating the risks is the best option. While IT controls should be applied with due regard to the relevant risks, there is a basic set of controls that need to be in place to provide a fundamental level of IT hygiene. For example, the use of a firewall to control traffic between a corporate network and a public network such as the Internet, or between internal network domains, is a baseline control. The level of risk associated with the business value and sensitivity of the network traffic, the services provided, and the information stored in the infrastructure determines the extent to which firewalls restrict traffic coming into and departing from an organization's networks. Firewalls are a physical and logical manifestation of information security policy elements that dictate what is allowed into or out of an organization.

IT controls most widely applicable to all IT infrastructures are known as baseline controls. There are many types of baseline controls. Two baselines that apply to IT security controls are the Digital Dozen from the VISA Cardholder Information Security Program (CISP) and the Fundamental Five from the Center for Internet Security (see sidebars on this page). The Fundamental Five and Digital Dozen complement each other.

It is not easy to define the baseline IT controls because the general threats, such as malicious software and hacking, change, and newer technologies and applications frequently are implemented across the organization. The following questions can be considered when selecting a suitable set of baseline controls:

• Do IT policies — including for IT controls — exist?

• Have responsibilities for IT and IT controls been defined, assigned, and accepted?

• Are IT infrastructure, equipment, and tools logically and physically secured?

• Are access and authentication control mechanisms used?

• Is antivirus software implemented and maintained?

• Is firewall technology implemented in accordance with policy (e.g., where external connections such as the Internet exist and where separation between internal networks is needed)?

• Are external and internal vulnerability assessments completed and risks identified and appropriately resolved?

• Are change and configuration management and quality assurance processes in place?

• Are structured monitoring and service measurement processes in place?

• Are specialist IT audit skills available (either internally or outsourced)?

Further information on baseline controls can be found in Appendix I (see page 45). More comprehensive information on risk analysis and management can be found in the IIA paper "Information Security Management and Assurance: A Call to Action for Corporate Governance," http://www.theiia.org/eSAC/pdf/BLG0331.pdf.


Fundamental Five

The Consensus Benchmarks from the Center for Internet Security (www.cisecurity.org) provide guidance on the "Fundamental Five" of basic security hygiene. Use of these benchmarks typically results in an 80 percent to 95 percent reduction of known vulnerabilities.

1. Identity and Access Management (including privilege assignment and authentication)
2. Change Management (including patch management)
3. Configuration Management
4. Firewalls (workstation, host, sub-network, and perimeter)
5. Malware protection (including worms and viruses)

Digital Dozen

One of the most concise and broadly useful summaries of security guidance is the VISA CISP, which has proven its value for over two years in use by VISA credit card network service providers, including banks, processors, merchants, and others. VISA refers to these requirements as its "Digital Dozen":

1. Install and maintain a working firewall to protect data.
2. Keep security patches up-to-date.
3. Protect stored data.
4. Encrypt data sent across public networks.
5. Use and regularly update anti-virus software.
6. Restrict access by need to know.
7. Assign a unique Identification Code (ID) to each person with computer access.
8. Don't use vendor-supplied defaults for passwords and security parameters.
9. Track all access to data by unique ID.
10. Regularly test security systems and processes.
11. Implement and maintain an information security policy.
12. Restrict physical access to data.


9.1 Choosing a Control Framework

The process of identifying and assessing the IT controls necessary to address specific risks is aided considerably by the organization’s adoption of a formal control framework. This framework should apply to and be used by the whole organization — not just internal auditing. Although many frameworks exist, no single framework covers every possible business type or technology implementation.

A control framework is a structured way of categorizing controls to ensure that the whole spectrum of control is adequately covered. The framework can be informal or formal. A formal approach will satisfy the various regulatory or statutory requirements faced by many organizations more readily.

Each organization should examine existing control frameworks to determine which of them — or which parts — most closely fit its needs. The process of choosing or constructing a control framework should involve all positions in the organization with direct responsibility for controls. The CAE should be involved in the decision process because the internal audit function will assess the framework’s adequacy and use it as a context for planning and performing audit work.

The CAE needs an overall knowledge of IT risk issues to assess the effectiveness and appropriateness of IT controls. The CAE will base the audit plan and allocate audit resources according to the IT areas and issues that merit attention due to their inherent levels of risk. Risk analysis and assessment cannot be viewed as a one-time process, especially when applied to IT, because technology changes constantly and rapidly, as do the associated risks and threats.

Categorizing IT controls according to their organizational placement, purpose, and functionality is useful in assessing their value and adequacy, as well as the adequacy of the system of internal controls. Knowledge of the range of available IT controls, the driving forces for controls, and organizational roles and responsibilities allows for comprehensive risk analysis and assessments. In assessing control effectiveness, it is also useful to understand whether the controls are mandated or voluntary, discretionary or nondiscretionary, manual or automated, primary or secondary, and subject to management override.

Finally, the assessment of IT controls involves selecting key controls for testing, evaluating test results, and determining whether or not evidence indicates any significant control weaknesses. The checklist in Appendix H can help the CAE ensure all relevant issues have been considered when planning and directing internal audit assessments of IT controls.

Several existing frameworks and approaches can assist the CAE and other managers when determining IT control requirements. However, organizations should investigate enough frameworks to determine which one best fits their own needs and culture. A partial list of available frameworks is provided in Appendix D (see page 29).

The COSO Internal Control – Integrated Framework (1992) is accepted by the U.S. Public Company Accounting Oversight Board (PCAOB) for the purpose of reporting compliance with financial reporting provisions, but it is not specific to all areas of IT. This framework is considered to be a “suitable, recognized” framework to adopt for Sarbanes-Oxley compliance because it covers all areas of IT implementation, albeit at a high level of abstraction. (See Figure 5, COSO Model for Technology Controls, page 18.)

GTAG — Monitoring and Techniques — 9

COSO Model for Technology Controls

Monitoring
• Monthly metrics from technology performance
• Technology cost and control performance analysis
• Periodic technology management assessments
• Internal audit of technology enterprise
• Internal audit of high-risk areas

Control Activities
• Review board for change management
• Comparison of technology initiatives to plan and return on investment
• Documentation and approval of IT plans and systems architecture
• Compliance with information and physical security standards
• Adherence to business continuity risk assessment
• Technology standards compliance enforcement

Information and Communication
• Periodic corporate communications (intranet, e-mail, meetings, mailings)
• Ongoing technology awareness of best practices
• IT performance survey
• IT and security training
• Help desk ongoing issue resolution

Risk Assessment
• IT risks included in overall corporate risk assessment
• IT integrated into business risk assessments
• Differentiate IT controls for high-risk business areas/functions
• IT internal audit assessment
• IT insurance assessment

Control Environment
• Tone from the top – IT and security controls considered important
• Overall technology policy and information security policy
• Corporate Technology Governance Committee
• Technology Architecture and Standards Committee
• Full representation of all business units

Figure 5 – COSO Model for Technology Controls

9.2 Monitoring IT Controls

Determining where to apply control monitoring and assessment, and their frequency, is not easy. Participation by the auditor in risk analysis exercises and implementation of a suitable control framework help ensure that the CAE has sufficient information to create a suitable audit plan to address the major IT risks.

Ultimately, management is responsible for monitoring and assessing controls. The auditor’s monitoring and assessments are performed to independently attest to management’s assertions regarding the adequacy of controls. Management’s control monitoring and assessment activities should be planned and conducted within several categories, as follows:

9.2.1 Ongoing Monitoring

• Daily/Periodic – Some information must be checked daily to ensure controls are working as required. Management normally performs such monitoring, which traditionally involves checking data-processing control reports to reconcile satisfactory task and job completion. Such controls, where they exist, are most often automated. The CAE will ensure such management monitoring is in place and that it is subjected to internal audit assessment.

• Event-driven – Discrepancies or even frauds may result within normal processing or in special circumstances, such as where there are large-value transactions. In many IT environments, malicious attacks are likely. Consequently, specific controls should be in place to detect and report unusual activities to an entity within the organization that is chartered specifically to investigate and determine if preventive or corrective actions should be applied. Such monitoring controls are complementary to the normal controls employed and provide assurance on the effectiveness of those controls, or early warning that they may have been breached.

• Continuous – Technology now provides the ability to monitor and assess certain sensitive controls continuously. A good example of continuous monitoring is the use of intrusion detection software, which continually monitors network traffic for evidence that other protective controls, such as firewalls and virus protection, may have been breached.
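As an added illustration of the continuous-monitoring idea above (example code written for this edition, not part of the GTAG or of any IIA or vendor tool), the following Python routine reads constructed firewall log lines and checks each accepted inbound connection against a documented policy of permitted services. An accepted flow that the policy forbids is the kind of evidence that a protective control may have been breached; repeated denials from one external source are summarised as an early-warning event. The log format, the internal address range, the policy table, the deny threshold and every log line are assumptions made for the example.

```python
"""Checking firewall log lines against a documented policy.

Added example for Section 9.2.1; it is not code from the GTAG or from any IIA
or vendor tool. The log format, the internal address range, the policy table,
the deny threshold and every log line below are constructed assumptions.
"""
from collections import Counter
import ipaddress
import re

# Assumed log format: "<timestamp> <ACCEPT|DENY> src=<ip> dst=<ip> proto=<tcp|udp> dport=<port>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DENY) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>tcp|udp) dport=(?P<dport>\d+)$"
)

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # constructed internal range
# Constructed policy: the only inbound services the perimeter firewall may pass.
PERMITTED_INBOUND = {("tcp", 443), ("tcp", 25)}
DENY_THRESHOLD = 3  # constructed: denials from one source before it is reported


def parse_line(line):
    """Return a dict for a well-formed line, or None for lines that do not parse."""
    match = LOG_LINE.match(line.strip())
    if match is None:
        return None
    rec = match.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def analyse(lines):
    """Return (policy_violations, noisy_sources).

    policy_violations: ACCEPT records for inbound flows the policy does not permit,
                       i.e. evidence the firewall control is not enforcing policy.
    noisy_sources:     external sources denied at least DENY_THRESHOLD times.
    """
    violations = []
    denies = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable lines are skipped, not silently accepted
        src = ipaddress.ip_address(rec["src"])
        dst = ipaddress.ip_address(rec["dst"])
        if src in INTERNAL_NET or dst not in INTERNAL_NET:
            continue  # only inbound traffic from outside is in scope here
        if rec["action"] == "DENY":
            denies[rec["src"]] += 1
        elif (rec["proto"], rec["dport"]) not in PERMITTED_INBOUND:
            violations.append(rec)
    noisy = {src: n for src, n in denies.items() if n >= DENY_THRESHOLD}
    return violations, noisy


# Constructed sample log (documentation-range addresses, not real hosts).
SAMPLE_LOG = [
    "2005-03-01T08:00:01 ACCEPT src=198.51.100.7 dst=10.1.1.20 proto=tcp dport=443",
    "2005-03-01T08:00:02 DENY src=198.51.100.9 dst=10.1.1.20 proto=tcp dport=22",
    "2005-03-01T08:00:03 DENY src=198.51.100.9 dst=10.1.1.21 proto=tcp dport=22",
    "2005-03-01T08:00:04 DENY src=198.51.100.9 dst=10.1.1.22 proto=tcp dport=22",
    "2005-03-01T08:00:05 ACCEPT src=198.51.100.9 dst=10.1.1.23 proto=tcp dport=3389",
    "2005-03-01T08:00:06 ACCEPT src=10.1.1.5 dst=10.1.1.20 proto=tcp dport=3389",
    "2005-03-01T08:00:07 ACCEPT src=198.51.100.7 dst=10.1.1.20 proto=tcp dport=25",
    "malformed line that the parser must not choke on",
]

if __name__ == "__main__":
    found, noisy = analyse(SAMPLE_LOG)
    for rec in found:
        print(f"POLICY VIOLATION {rec['ts']} {rec['src']} -> {rec['dst']}:{rec['dport']}/{rec['proto']}")
    for src, n in noisy.items():
        print(f"EARLY WARNING {src} denied {n} times")
```

The policy table and the deny threshold are the two tuning points a reviewer would expect to see agreed with management: the first defines what "breached" means for this control, and the second governs how much of the log becomes an alert.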

9.2.2 Special Reviews

• Annual (or quarterly) control assessment – Sarbanes-Oxley legislation in the United States requires cyclical control assessments. Although the board of directors is required to make statements regarding the effectiveness of internal controls, management actually must provide the assurances to the board, and the internal and external auditors must perform sufficient audit work to attest to these assurances.

• Audit reviews – A regular program of audit reviews is still necessary despite the proliferation of new audit approaches. It is only through the formal review of infrastructure, process, and technology implementation that the CAE can assess the overall reliability and robustness of the system of internal controls. In the past, such reviews were planned on a cyclical basis. However, given the fast-changing world of IT, audit reviews should now be scheduled based on the level of risk.


Suitable Recognized Framework

“…the framework on which management’s assessment of the issuer’s internal control over financial reporting is based must be a suitable, recognized control framework that is established by a body or group that has followed due-process procedures, including the distribution of the framework for public comment. By far the best-known framework that meets that definition is the framework designed by The Committee of Sponsoring Organizations of the Treadway Commission, otherwise known as the COSO report, which was published in 1992.”

— Scott A. Taub, Deputy Chief Accountant, U.S. Securities and Exchange Commission (SEC), SEC and Financial Reporting Conference, Pasadena, California, May 29, 2003


10.1 What Audit Methodology to Use

A lot has changed in the 40 years that IT auditing has existed. Technology components have become smaller, faster, and cheaper, even as overall IT costs to the organization have increased significantly. The majority of business processes have been automated, typically to provide efficiencies but also to enable certain business processes that cannot be performed manually. Ubiquitous network communications, including the Internet, have eliminated any distinction between business and electronic business.

The audit process similarly has evolved to match the automation of business processes. In the early days of automation, auditors “audited around the computer.” Now they use software routinely to test or analyze data and technical controls within systems.

A widely used audit approach involves operational analysis of the processing of important business transactions by automated systems. In such audits, the auditor identifies activities and information subject to control and assesses the ability of existing controls to provide reliable protection — including sufficient evidence of the reliability of controls. Because operational audits of automated business processes frequently identify internal control deficiencies, internal auditors may sometimes shift their attention to audits of — or even involvement in — the processes whereby business activities are automated, such as systems design, development and acquisition, implementation, and maintenance.

Experienced auditors develop extensive knowledge of internal controls and their strengths and weaknesses. Therefore, it is not uncommon for internal auditors to provide consulting services to the management responsible for designing and implementing internal controls. The scope and limitations on such consulting activity are prescribed in the International Standards for the Professional Practice of Internal Auditing (see http://www.theiia.org/guidance/standards-and-practices). However, internal auditor involvement in design, development, or implementation activities does not absolve management from responsibility for those activities.

Today, no specific audit methodologies can be regarded as the sole current best practice. Internal auditors adopt the methods and practices that best suit the work needed. For example:

• When performing an assessment against Sarbanes-Oxley requirements, a systems-based audit approach may be the best method.

• Fraud investigations may require the use of audit software to analyze data and look for evidence. Audit software provides strong analytical capability, plus the ability to examine all relevant records and files.

• Performing annual audit work in support of the main internal audit objectives will most likely follow a risk-based approach.

10.2 Testing IT Controls and Continuous Assurance

In addition to assessing the adequacy of IT control mechanisms, regular reviews should be performed to ensure that controls continue to function as required. A traditional method used by internal auditors is to create a population of test data that can be processed through the business systems to check the results, to ensure, for example, that controls continue to accept valid data and reject incorrect and invalid items. However, given the widespread, complex, and interactive nature of business systems today, audit testing tends to focus more specifically on key automated controls and analysis of the data.
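The test-data approach described above, as an added example that is not part of the GTAG: a small invoice-posting control is modelled in Python together with a labelled population of valid and invalid items, and a harness reports every item whose actual outcome differs from the one the auditor expected. The vendor codes, approval limits, open period, rules and records are all constructed. The population deliberately includes a duplicate invoice number, which the control as modelled does not check, so the harness surfaces a missing control rather than a failed edit check.

```python
"""Testing an automated control with a labelled population of test data.

Added example for Section 10.2; it is not code from the GTAG. The vendor master,
approval limits, open period, control rules and test items are all constructed.
"""
from datetime import date

APPROVED_VENDORS = {"V001", "V002"}                    # constructed vendor master
APPROVAL_LIMIT = {"clerk": 5_000, "manager": 50_000}   # constructed limits by role
OPEN_PERIOD = (date(2005, 3, 1), date(2005, 3, 31))    # constructed accounting period


def posting_control(item):
    """Model of an application edit check. Returns (accepted, reason).

    Note what it does NOT do: it is stateless, so it cannot see that an invoice
    number has already been posted. The test population below exposes that gap.
    """
    if item["vendor"] not in APPROVED_VENDORS:
        return False, "vendor not on approved list"
    amount = item["amount"]
    if isinstance(amount, bool) or not isinstance(amount, (int, float)) or amount <= 0:
        return False, "amount must be a positive number"
    if amount > APPROVAL_LIMIT.get(item["role"], 0):
        return False, "amount exceeds approval limit for role"
    if not OPEN_PERIOD[0] <= item["posted"] <= OPEN_PERIOD[1]:
        return False, "posting date outside open period"
    return True, "ok"


def make_item(tid, vendor, amount, role, posted, invoice, expect):
    """Build one constructed test item carrying the auditor's expected outcome."""
    return {"id": tid, "vendor": vendor, "amount": amount, "role": role,
            "posted": posted, "invoice": invoice, "expect": expect}


MAR10 = date(2005, 3, 10)
# Constructed test population: one valid item per rule boundary plus invalid items.
TEST_POPULATION = [
    make_item("T1", "V001", 1200,   "clerk",   MAR10,            "INV-100", True),   # valid
    make_item("T2", "V999", 1200,   "clerk",   MAR10,            "INV-101", False),  # unknown vendor
    make_item("T3", "V001", -50,    "clerk",   MAR10,            "INV-102", False),  # negative amount
    make_item("T4", "V001", 5000,   "clerk",   MAR10,            "INV-103", True),   # exactly at limit
    make_item("T5", "V001", 5001,   "clerk",   MAR10,            "INV-104", False),  # just over limit
    make_item("T6", "V002", 20000,  "manager", date(2005, 4, 2), "INV-105", False),  # closed period
    make_item("T7", "V002", "1200", "clerk",   MAR10,            "INV-106", False),  # wrong data type
    make_item("T8", "V002", 300,    "intern",  MAR10,            "INV-107", False),  # role with no limit
    make_item("T9", "V001", 1200,   "clerk",   MAR10,            "INV-100", False),  # duplicate of T1
]


def run_test_population(control, population):
    """Return the ids of items whose actual outcome differs from the expected one.

    A non-empty result is either a failed edit check or, as with T9, evidence
    that a control the auditor expected to exist is missing altogether.
    """
    discrepancies = []
    for item in population:
        accepted, _reason = control(item)
        if accepted != item["expect"]:
            discrepancies.append(item["id"])
    return discrepancies


if __name__ == "__main__":
    for tid in run_test_population(posting_control, TEST_POPULATION):
        print(f"discrepancy: {tid} did not produce the expected outcome")
```

Keeping the expected outcome on each test item, rather than in the auditor's head, is what turns the population into a repeatable test that can be rerun after every release of the business system.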

10.2.1 Automated Continuous Monitoring

Continuous monitoring and audit tools have been used for many years. Previously called embedded audit software, program code in business systems checks data being processed against predetermined criteria and reports anomalies it detects. The benefit of such monitoring is obvious: any discrepancies can be identified and acted upon immediately. Many proprietary business software products now provide such continuous monitoring functionality. The concept has also gone beyond business applications. For example, most firewall products and intrusion detection systems continuously check for potential attack scenarios and provide instant alerts when potential attacks are detected. This type of monitoring can cause problems due to the considerable volume of data and potential errors that are highlighted, not all of which will be worthy of attention. The task of refining the analysis techniques and monitoring thresholds requires constant vigilance to determine which alerts to highlight and which to accept as normal events.

GTAG — Assessment — 10

How Auditing Contributes to IT Controls

During the past four decades there have been periods of reflection when management and auditors agreed the auditors could add value to the organization by contributing their controls expertise to development processes, to ensure appropriate controls were incorporated into new systems rather than adding controls after an audit revealed a deficiency. These activities coincided with the developments in control and risk self-assessment in the mainstream audit world. Audit consulting and risk-based auditing became widespread. The 1990s and beyond also saw dramatic increases in attention to information security management as cyber attacks increased in number and severity. These events have helped shape the role of the IT auditor, as well as the business world’s recognition of the importance of effective information security management.

10.2.2 Automated Internal Control Analysis Tools

Audit software can be used to analyze stored data and check its validity to ensure the continuous, reliable operation of internal controls. Originally designated audit interrogation software, products such as ACL (www.acl.com) or CaseWare IDEA (www.caseware.com) now provide sophisticated features and specific analysis that can reduce the control assessment workload while increasing effectiveness and efficiency. Spreadsheet products like Microsoft Excel also contain powerful analysis tools auditors may use.
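The predetermined criteria that Section 9.2.1 (event-driven monitoring of large-value transactions), Section 10.2.1 (embedded continuous monitoring) and this section (audit interrogation of stored data) all rely on can be written as plain rules; the same rule works whether it runs inline in the application or over a stored file. The following Python example, added here and not code from the GTAG, ACL or IDEA, runs a handful of such rules over a constructed payments file: large-value items, duplicate payments, out-of-hours postings, gaps in the document sequence, and postings under shared rather than unique user IDs. A final helper shows how the large-value threshold alone changes the alert volume, which is the tuning problem Section 10.2.1 describes. All records, user names, business hours and thresholds are constructed.

```python
"""Predetermined criteria run over stored transaction data.

Added example serving Sections 9.2.1, 10.2.1 and 10.2.2; it is not code from the
GTAG, ACL or IDEA. The payments file, user IDs, business hours and thresholds
are constructed.
"""
from collections import defaultdict
from datetime import datetime

# Constructed payments file: (document id, timestamp, user, vendor, invoice, amount)
PAYMENTS = [
    ("P1001", "2005-03-01 09:12", "jsmith", "V001", "INV-100", 1200.00),
    ("P1002", "2005-03-01 09:40", "jsmith", "V002", "INV-201", 48000.00),
    ("P1003", "2005-03-01 10:05", "mlee",   "V001", "INV-100", 1200.00),
    ("P1005", "2005-03-01 23:48", "batch",  "V003", "INV-330", 900.00),
    ("P1006", "2005-03-02 08:30", "mlee",   "V002", "INV-202", 15000.00),
    ("P1007", "2005-03-02 08:31", "shared", "V004", "INV-410", 250.00),
]
SHARED_IDS = {"shared", "batch"}  # constructed: accounts not tied to one person
BUSINESS_HOURS = (7, 19)          # constructed: postings outside 07:00-19:00 are unusual


def large_value(records, threshold):
    """Event-driven criterion: payments at or above the agreed threshold."""
    return [r[0] for r in records if r[5] >= threshold]


def duplicate_payments(records):
    """Same vendor, invoice and amount posted more than once."""
    seen = defaultdict(list)
    for r in records:
        seen[(r[3], r[4], r[5])].append(r[0])
    return [ids for ids in seen.values() if len(ids) > 1]


def out_of_hours(records):
    """Postings whose hour falls outside business hours."""
    flagged = []
    for r in records:
        hour = datetime.strptime(r[1], "%Y-%m-%d %H:%M").hour
        if not BUSINESS_HOURS[0] <= hour < BUSINESS_HOURS[1]:
            flagged.append(r[0])
    return flagged


def sequence_gaps(records):
    """Document numbers missing from an otherwise consecutive sequence."""
    numbers = sorted(int(r[0][1:]) for r in records)
    present = set(numbers)
    return [f"P{n}" for n in range(numbers[0], numbers[-1] + 1) if n not in present]


def shared_id_use(records):
    """Postings not traceable to one individual (access should be by unique ID)."""
    return [r[0] for r in records if r[2] in SHARED_IDS]


def run_rules(records, large_threshold):
    """Run every criterion and return the findings keyed by rule name."""
    return {
        "large_value": large_value(records, large_threshold),
        "duplicates": duplicate_payments(records),
        "out_of_hours": out_of_hours(records),
        "sequence_gaps": sequence_gaps(records),
        "shared_id": shared_id_use(records),
    }


def alert_volume(records, thresholds):
    """Tuning aid: how many large-value alerts each candidate threshold produces."""
    return {t: len(large_value(records, t)) for t in thresholds}


if __name__ == "__main__":
    for rule, hits in run_rules(PAYMENTS, large_threshold=10_000).items():
        print(f"{rule:14s} {hits}")
    print("alert volume by threshold:", alert_volume(PAYMENTS, (1_000, 10_000, 40_000)))
```

Each rule returns document ids rather than printing, so the same functions can feed an inline alert, a nightly exception report, or an auditor's interrogation run without change; only the thresholds and the reporting channel differ.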

10.2.3 Automated Risk Analysis

Tools also are available for automating the risk analysis process. These tools are invaluable to the entire internal audit function, not just the IT auditor or risk specialist. Performing a proper risk analysis in today’s complex IT environments is not easy without the assistance of automated tools.

Management is responsible for performing risk assessments to determine the controls to implement or improve. Internal auditors perform similar analysis when assessing the adequacy of controls for audit plan and scope purposes. Automated tools can assist both processes. The automation of internal audit management is a major topic in its own right.

10.3 Audit Committee/Management/Audit Interfaces

It is impractical to establish rules for reporting on every special IT control situation. The CAE must apply prudent judgment when expressing an opinion or submitting a report to the audit committee. This is no different from the way the CAE interacts with the audit committee regarding other internal control issues.

The CAE will discuss internal control issues with the audit committee to determine the optimum level of information to be provided to enable the audit committee to achieve its statutory, regulatory, policy, due care, or other governance obligations.

“Metrics and reporting” and “audit report summaries” are two areas where the CAE should interact with the audit committee regarding internal controls. Further interactions will depend on the needs of the specific audit committee and any legislative or regulatory requirements.

Metrics and reporting: Metrics and reports must present meaningful information on the status of IT controls. While management provides the metrics and reporting, the CAE should be able to attest to their validity and opine on their value. This is accomplished through audit examination of the relevant control areas to produce an independent and objective assessment. The CAE should liaise with management at all levels and with the audit committee to agree on the validity and effectiveness of the metrics and assurances chosen for reporting.

A basic set of governance and management metrics for information security is included in Appendix G (see page 40). These metrics do not include specific data regarding the operation of detailed technical controls, although the technical controls may provide the information used in measurement. The actual metrics used will depend on the organization and the needs of the audit committee. The CAE can select examples of measurements taken at any level of the organization to help illustrate matters that can impact controls at the governance level materially.

Audit Report Summaries: Prepared on a regular basis for the audit committee, these reports summarize findings, conclusions, and opinions regarding the status of IT controls. They also can report on the agreed-upon actions from prior audit reports and the status of those actions — probably on an exception basis for actions not taken within the designated time frame. IT controls summaries cannot be presented in isolation but should be presented in the context of the entire internal control framework.

The frequency of reporting depends on the organization’s needs. In a strong regulatory environment, such as provided by Sarbanes-Oxley in the United States, quarterly reporting is required. Otherwise, the frequency of reporting will be driven by the organization’s governance framework and philosophy and the extent to which IT risks exist.


Figure 6 – Audit Interfaces


Assessing IT controls is an ongoing process because business processes are constantly changing, technology continues to advance, threats evolve as new vulnerabilities emerge, and audit methods keep improving. The CAE should keep assessments of IT controls that support business objectives near the top of the audit agenda.

Assessing IT controls is not a case of determining whether best practices are employed, as controls are specific to the organization’s mission, objectives, culture, deployed processes and technologies, and risks. Technology should be tailored to provide effective control, and the CAE should ensure internal auditing adopts appropriate and effective methods. Auditing IT is a continuous learning process.

The CAE is rarely in a position to understand all the technologies used in his or her environment and their specific control implications. That is why properly certified and experienced IT auditors are a major asset for any internal audit function. However, the CAE should understand the overall control issues and be able to communicate them to senior management and to appropriate committees of the board of directors in a form they will understand and in a manner that will result in an appropriate response. The key to assessing IT controls effectively is communication with technical staff, management, and board members.


GTAG — Conclusion — 11

Note: This appendix is extracted from the report of the Best Practices and Metrics team of the Corporate Information Security Working Group (CISWG), as provided on November 17, 2004, to the Subcommittee on Technology, Information Policy, Intergovernmental Relations, and the Census, Government Reform Committee, U.S. House of Representatives, and subsequently amended on January 10, 2005. Additional information may be obtained from the “Technology” section of http://www.theiia.org.

12.1 Governance (Board of Directors)

• Oversee risk management and compliance programs pertaining to information security (e.g., Sarbanes-Oxley, Health Insurance Portability and Accountability Act, Gramm-Leach-Bliley Act).
• Approve and adopt broad information security program principles and approve assignment of key managers responsible for information security.
• Strive to protect the interests of all stakeholders dependent on information security.
• Review information security policies regarding strategic partners and other third parties.
• Strive to ensure business continuity.
• Review provisions for internal and external audits of the information security program.
• Collaborate with management to specify the information security metrics to be reported to the board.

12.2 Management

• Establish information security management policies and controls and monitor compliance.
• Assign information security roles, responsibilities, and required skills, and enforce role-based information access privileges.
• Assess information risks, establish risk thresholds, and actively manage risk mitigation.
• Ensure implementation of information security requirements for strategic partners and other third parties.
• Identify and classify information assets.
• Implement and test business continuity plans.
• Approve information systems architecture during acquisition, development, operations, and maintenance.
• Protect the physical environment.
• Ensure internal and external audits of the information security program, with timely follow-up.
• Collaborate with security staff to specify the information security metrics to be reported to management.

12.3 Technical

Establishing a complete information security program requires attention to the following technical program elements:

• User identification and authentication
• User account management
• User privileges
• Configuration management
• Event and activity logging and monitoring
• Communications, e-mail, and remote access security
• Malicious code protection, including viruses, worms, and trojans
• Software change management, including patching
• Firewalls
• Data encryption
• Backup and recovery
• Incident and vulnerability detection and response
• Collaboration with management to specify the technical metrics to be reported to management


GTAG — Appendix A — Information Security Program Elements — 12

There is an increasing volume of legislation impacting on the internal control framework that organizations choose to implement. Although much of this legislation has emerged over recent years in the United States as a result of various corporate scandals, it has impacted organizations in other countries as well. Organizations should be aware of the relevant legislation, regulation, and business practices around the world — particularly in all countries in which they do business — to assess the organizational impacts and requirements.

For example, data protection legislation in Europe inhibits the transfer of information across borders to countries that do not have comparable data-protection regulation in place. This impacts trading relationships where the information to be transferred refers to identifiable individuals. Sarbanes-Oxley contains requirements for reporting on the system of internal controls for all organizations publicly traded in the United States, as well as their foreign subsidiaries.

This appendix provides a summary of requirements and the impact of some of the major legislation and regulation that should be considered in assessing and managing IT controls. Although this GTAG is aimed at a global audience, it covers Sarbanes-Oxley in some depth because it is one of the most significant pieces of legislation to emerge in recent years. The Organisation for Economic Co-operation and Development (OECD) Corporate Governance Principles provide a general framework for the implementation of business controls. The Basel II Accords have a major impact on the international financial sector, and many have suggested Basel II guidance may also influence other sectors.

13.1 U.S. Sarbanes-Oxley Act of 2002

Sarbanes-Oxley (http://www.theiia.org/iia/guidance/issues/sarbanes-oxley.pdf) was intended to reform public accounting practices and other corporate governance processes and shore up the capital markets in the wake of the Enron and WorldCom corporate governance scandals. The PCAOB provides a comprehensive collection of information and advice on Sarbanes-Oxley at its Web site (http://www.sarbanes-oxley.com). The key requirements of Sarbanes-Oxley, the SEC, and U.S. stock listing exchanges are fully compared and contrasted in an IIA Research Foundation analysis titled “Assessment Guide for U.S. Legislative, Regulatory, and Listing Exchanges Requirements Affecting Internal Auditing” (www.theiia.org/iia/download.cfm?file=519).

However, Sarbanes-Oxley does not address the issue of IT controls specifically. This does not mean IT can be ignored when performing the compliance reviews required by the act. The act is neutral with regard to technology, but the implication is clear that IT controls are critical to an organization’s overall system of internal controls. As IT controls address the secure, stable, and reliable performance of hardware, software, and personnel to ensure the reliability of financial applications, processes, and reporting, they must be a significant element of compliance reviews.

Some key IT control areas have been interpreted as not being incorporated in Sarbanes-Oxley compliance. These include privacy, business continuity, business systems, data classification, and information not specific to financial processing and reporting. Therefore, any audit specifically limited to Sarbanes-Oxley compliance will not assess all the risks faced by the organization and must be supplemented to ensure full audit coverage of the organization’s risk management and internal controls.

Tools and resources for corporate governance initiatives and current legislation can be found on The IIA’s Web site at http://www.theiia.org/iia/index.cfm?doc_id=4061.

13.1.1 Sarbanes-Oxley Sections Relevant to IT Controls

The following briefly describes the sections of Sarbanes-Oxley that relate to auditors and IT controls.

13.1.1.1 Sections 103 and 802

These sections establish rules for the public accounting firm relating to the audit and report. In particular, they require the board to establish standards for the audit work. They also require auditors to test the internal control structures and attest to the strength of those structures. This review must include a thorough examination of the IT controls that are fundamental to the system of internal control over financial reporting.

One specific requirement relates to the retention of records “that in reasonable detail accurately and fairly reflect the transactions and dispositions of the assets.” Again, this is influenced greatly by the way in which IT records are maintained and retained.

13.1.1.2 Section 201

This section requires that external auditors be independent. This precludes them from performing work for a client in the capacity of IT consultants or providing outsourced internal audit services. Organizations that do not wish to employ their own IT auditors cannot outsource the work to their external auditors.

13.1.1.3 Section 301

Section 301 defines the need for audit committee members to be independent and precludes them from performing any other consulting work on behalf of the organization. It also requires audit committees to establish procedures to handle “confidential, anonymous submission by employees of the issuer of concerns regarding questionable accounting or auditing matters” (whistle-blower complaints). This would also relate to any issues arising from the control of IT.

13.1.1.4 Sections 302 and 404

GTAG — Appendix B — Compliance With Laws and Regulations and Guidance on Compliance Implementation — 13

Section 302 of the act requires the CEO and CFO — who are responsible for financial information and the system of internal controls — to evaluate the system of internal controls every 90 days and report on their conclusions and any changes.

They must disclose:

• “All significant deficiencies in the design or operation of internal controls that could adversely affect the issuer’s ability to record, process, summarize, and report financial data, and identify for the issuer’s auditors any material weaknesses in internal controls.”

• “Any fraud, whether or not material, that involves management or other employees who have a significant role in the issuer’s internal controls.”

Section 404 requires the CEO and CFO to produce an annual audit report that:

• Assesses the effectiveness of the internal control structure over financial reporting.
• Discloses all known internal control weaknesses.
• Discloses all known frauds.

This report will cover all applicable IT controls, including program logic and related change controls, access controls, and data protection. The PCAOB Auditing Standard No. 2 suggests the COSO Internal Control – Integrated Framework as a basis for Section 404 compliance management. References to Statement of Auditing Standards (SAS) 95 also emphasize the importance of IT and information security controls to Sarbanes-Oxley.

13.1.1.5 Section 409

Section 409 requires organizations to disclose any material changes to operations in real time and in plain English. Some contend these requirements establish a foundation or need for continuous monitoring, auditing, and assurance processes to become part of significant internal control processes.

132 Basel II AccordThe Basel II Accord is a global regulatory treaty that definesthe global standards for enterprisewide risk managementpractices in the financial sector with the intent to mitigaterisks of losses in the industry The focus is on the bankingsector but there is a clear intent to harmonize standardsacross all segments of the industry All areas of bank opera-tions are included mdash people processes systems governanceand supplier management

A bank willing to qualify for the Advanced MeasurementApproach (AMA) under the Operational Risk (OR) Treatymust implement best practice in operations and risk manage-ment For risk management this means

bull Senior management is actively involvedbull The bank has an OR management system processes

policies and procedures enterprisewidebull The bank has the right governance and sufficient

resources to manage operational risksbull The bank has an OR management function that is

responsible forndash Designing and implementing the OR management

frameworkndash Codifying policies procedures and controlsndash Designing and implementing an OR measurement

methodologyndash Designing and implementing an OR management

reporting systemndash Developing strategies to identify measure monitor

and control or mitigate ORbull An OR measurement system is closely integrated into

the day-to-day risk management processbull The OR exposures and loss experiences are regularly

reportedbull The OR management system is documentedbull Internal and external auditors regularly review the

OR management processes and measurement systemKey to success in OR management is an information systemthat supports OR exposure self-assessment allows processmapping consists of an OR loss database and reporting func-tion and entails an action-plan management function

The Basel Committee does not specify the approach or distributional assumptions to be used to generate the OR measure for regulatory capital purposes. However, the framework allows for three basic approaches that essentially depend on the quality and quantity of risk management data. Whereas using more data and historical metrics to prove good performance may allow banks to maintain lower capital reserves and to quantify OR, the banks must be able to demonstrate that their approaches capture potentially severe "tail" loss events (severe, unexpected losses). Moreover, consistency with the scope of OR as defined by the Basel Committee is required.

First, a bank's organization-wide risk assessment methodologies must capture key business, environmental, and internal control factors that can change its OR profile. In addition, the bank should have a process for assessing overall capital adequacy.

Next, the risk measurement system must be granular enough to capture the tails of the loss estimates. Banks are expected to use expert opinion in conjunction with external data for scenario analysis to evaluate their exposure to high-severity events. Because a bank does not have enough of its own data in the area of high-impact, low-frequency risks, it must acquire data from an external provider such as the Zurich-based ORX, the Global Operational Loss Database (GOLD), or the MORE Exchange.

GTAG — Appendix B — Compliance With Laws and Regulations and Guidance on Compliance Implementation — 13

The banks must have a credible, transparent, well-documented, and verifiable approach for weighting these fundamental elements in their overall OR measurement system. There are additional prerequisites to qualify for the AMA:

• Internal loss and performance data (successes, near misses, and failures) must all be tracked and accounted for (reconciled to the books of the bank).
• Internal loss data must be linked to the bank's current business activities.
• An observation period of at least five years is required for internal loss data, with a minimum of three years acceptable when first moving to the AMA.
• Within the internal loss collection process:
  – OR losses related to credit risk, and historically included in banks' credit risk databases, continue to be treated as credit risk for the purpose of calculating minimum regulatory capital under this framework. Such losses should be flagged separately.
  – OR losses related to market risk are treated as OR for the purposes of calculating minimum regulatory capital under this framework and are subject to the OR capital charge.
• The OR measurement system must use relevant external data.

Third, Basel II disclosure requires banks to describe their risk management objectives and policies for each separate risk area, including:

• Strategies and processes.
• Structure and organization of the risk management function.
• Scope and nature of risk reporting.
• Policies for hedging and mitigating risks (including operations).

Note: The BITS Key Risk Measurement Tool for Information Security Operational Risks, or "BITS Kalculator" (http://www.bitsinfo.org/bitskalculatorjuly04.pdf), is a tool financial institutions of all sizes can use to evaluate critical information security risks to their businesses. It can be downloaded at no cost from the BITS Web site (http://www.bitsinfo.org/wp.html).

13.3 Data Protection
The concept of data protection was developed when computerization issues were raised at United Nations and OECD conferences in the late 1960s. The first national law was enacted in 1973 in Sweden, and the OECD published its Data Protection Guidelines in 1980 (OECD C(80)58/final). Regional bodies like the Council of Europe (Data Protection Convention 108/1981, human rights-based) and the European Commission (EC) (Directive 95/46/EC, consumer protection-oriented) have enacted binding frameworks for implementation in their member states. Depending on their legal system, many countries around the globe have constitutional provisions and omnibus laws, or a broad spectrum of sector regulations, for data protection. To bridge the differences in US and European Union (EU) privacy regulations, the EC and the US Department of Commerce developed a safe harbor framework for US companies. The safe harbor is a framework agreement consisting of seven principles and a series of frequently asked questions. (See also http://was4.hewitt.com/hewitt/resource/legislative_updates/europe/eu_data1.htm.)

The EU legislation requires organizations to protect the personal information of individuals. The legislation also mandates that appropriate technical measures be taken to ensure the security of personal data, whether electronic or manual. Further information regarding data protection can be found at the Electronic Privacy Information Center (EPIC) (http://www.epic.org), Privacy International (http://www.privacyinternational.org), and the UK Office of the Information Commissioner (http://www.informationcommissioner.gov.uk).

13.4 The US Gramm-Leach-Bliley Act (GLBA) - The Financial Modernization Act of 1999

The GLBA was introduced to protect the privacy of customer information in the financial sector, but it extends beyond financial companies. Any company that handles non-public financial customer information may be held accountable under this law, depending on the circumstances. More information is available from EPIC (http://www.epic.org/privacy/glba) and the US Federal Trade Commission (http://www.ftc.gov/bcp/conline/pubs/buspubs/glblong.shtm#whois).

13.5 US Health Insurance Portability and Accountability Act (HIPAA), 1996

HIPAA contains requirements for the privacy of personal information and for information security. The law applies to US-based companies in the health care sector but can also pertain to any company that provides health care benefits to employees, depending on the circumstances. Further details can be found at http://www.hipaa.org.

13.6 California Security Breach Information Act, Civil Code Sections 1798.29 and 1798.82 (Frequently Referenced by the Bill – CA SB 1386)

California's Senate Bill 1386 amended the Information Practices Act of 1977 of the California Civil Code to create a sweeping regulation that mandates public disclosure of computer-security breaches in which confidential information of any California resident may have been compromised. Every enterprise, public or private, doing business with California residents is potentially affected. Confidential information covered by the law includes Social Security numbers, California driver's license numbers, account numbers, and credit or debit card numbers. A more detailed article on this regulation can be found at http://www.theiia.org/itaudit/index.cfm?fuseaction=forum&fid=5501. Although case law for this legislation is not cited here, some discussions on the subject have indicated the courts may not view an organization favorably if it treats its California customers differently from its other customers.


13.7 Global National Regulations
Many countries have national regulations covering internal control, including Germany (KonTraG, risk management requirement) and France (LSF, internal control reporting requirement). In addition, external auditors may be required to certify the adequacy of financial reporting mechanisms and controls. Although most of these regulations do not address IT directly, they imply the need for an adequately controlled IT infrastructure. For this reason, many national bodies of the International Federation of Accountants (IFAC) provide detailed guidance for evaluating IT controls.

GTAG – Appendix C – Three Categories of IT Knowledge for Internal Auditors – 14

14.1 Auditor Knowledge Considerations
Standard 1210 – Proficiency of The IIA's Standards requires that the internal audit activity collectively possess or obtain the knowledge, skills, and other competencies needed to perform its responsibilities.⁴ Varying levels of IT knowledge are needed throughout the organization to provide a systematic, disciplined approach to evaluating and improving the effectiveness of risk management, control, and governance processes. Knowledge of how IT is used, the related risks, and the ability to use IT as a resource in the performance of audit work are essential for auditor effectiveness at all levels.

The IIA's International Advanced Technology Committee has identified three categories of IT knowledge for internal auditors.

14.1.1 Category 1 – All Auditors

Category 1 is the knowledge of IT needed by all professional auditors, from new recruits up through the CAE. Basic IT knowledge encompasses understanding concepts such as the differences in software used in applications, operating systems and systems software, and networks. It includes comprehending basic IT security and control components such as perimeter defenses, intrusion detection, authentication, and application system controls. Basic knowledge includes understanding how business controls and assurance objectives can be impacted by vulnerabilities in business operations and the related and supporting systems, networks, and data components. It is fundamentally about ensuring that auditors have sufficient knowledge to focus on understanding IT risks without necessarily possessing significant technical knowledge.

14.1.2 Category 2 – Audit Supervisors

Category 2 applies to the supervisory level of auditing. In addition to having basic IT knowledge, audit supervisors must understand IT issues and elements sufficiently to address them in audit planning, testing, analysis, reporting, follow-up, and assigning auditor skills to the elements of audit projects. Essentially, the audit supervisor must:

• Understand the threats and vulnerabilities associated with automated business processes.
• Understand business controls and risk mitigation that should be provided by IT.
• Plan and supervise audit tasks to address IT-related vulnerabilities and controls, as well as the effectiveness of IT in providing controls for business applications and environments.
• Ensure the audit team has sufficient competence, including IT proficiency, for audits.
• Ensure the effective use of IT tools in audit assessments and testing.
• Approve plans and techniques for testing controls and information.
• Assess audit test results for evidence of IT vulnerabilities or control weaknesses.
• Analyze symptoms detected and relate them to causes that may have their sources in business or IT planning, execution, operations, change management, authentication, or other risk areas.
• Provide audit recommendations based on business assurance objectives appropriate to the sources of problems noted, rather than simply reporting on problems or errors detected.

14.1.3 Category 3 – Technical IT Audit Specialists

Category 3 applies to the technical IT audit specialist. Although IT auditors may function at the supervisory level, they must understand the underlying technologies supporting business components and be familiar with the threats and vulnerabilities associated with those technologies. IT auditors also may specialize in only certain areas of technology.

IIA programs and products are designed primarily to meet the information needs of the Category 1 and 2 auditor. The Category 1 auditor will seek IIA guidance in relating IT threats, vulnerabilities, and controls to business assurance objectives. IIA products also provide information that can be useful in explaining the business impacts of technical problems. In addition, IIA products can help Category 3 technical IT auditors gain proficiency in areas of technology with which they are not already familiar and in striving to reach supervisory or management audit competence.

The SANS Institute provides information security training and awards Global Information Assurance Certification (GIAC) credentials relevant to information security professionals, including auditors. The course offerings and accompanying certifications match the growing demands of students, new threats, and new technologies. GIAC certifications (http://www.giac.org/subject_certs.php) are grouped by subject matter and level of difficulty. Some are full certifications that accompany five- to six-day training courses, while others are certificates related to one- to two-day courses. Certificates are less involved but more intensely focused than certifications.

Also of interest and benefit to all categories of IT auditor are the materials provided by the Information Systems Audit and Control Association (ISACA). ISACA offers standards, guidelines, and procedures for IT audit professionals; technical research focused on IT audit topics; the Certified Information Systems Auditor (CISA) certification, earned by more than 35,000 individuals worldwide; and publications, education, and conferences targeted to IT audit professionals.

⁴ Note: The "Three Categories of IT Knowledge for Internal Auditors" document is not part of The IIA's Standards but is practical guidance provided by The IIA's International Advanced Technology Committee.

GTAG — Appendix D — Compliance Frameworks — 15

15.1 COSO
Formed in 1985, COSO is an independent private-sector initiative that studied the factors that can lead to fraudulent financial reporting and developed recommendations for public companies and their independent auditors, the SEC and other regulators, and educational institutions. COSO produced the Internal Control – Integrated Framework (see Appendix E, page 36), a widely accepted tool for both management and auditors, in 1992, and it published Enterprise Risk Management – Integrated Framework in September 2004. Details of both frameworks can be found at http://www.coso.org.

15.2 CICA CoCo
The Canadian Institute of Chartered Accountants (CICA) produced the Criteria of Control Framework (CoCo) in 1992 to address public and institutional concerns that the traditional view of control was no longer effective in preventing corporate failures. The mission of CoCo is to improve organizational performance and decision making through better understanding of control, risk, and governance. Moreover, the framework provides a basis for making judgments about the effectiveness of control.

In 1995, Guidance on Control was produced, which describes the CoCo framework and defines control in a way that goes beyond the traditional internal control over financial reporting. The CoCo model is a way of focusing on the future of an organization to ensure it is in control by having a clear sense of shared purpose, collective commitment to achieve that purpose, the resources it needs to do the job, and the ability to learn from experience.

15.3 CICA IT Control Guidelines
The IT Control Guidelines published by the CICA are a reference source for evaluating IT controls. They are organized in a manner that is easy to use and written in straightforward business language.

15.4 ITGI Control Objectives for Information and Related Technology (CobiT)

Established in 1998, the IT Governance Institute (ITGI) provides guidance on current and future issues related to IT governance, security, and assurance. The ITGI's leading guidance publication is Control Objectives for Information and Related Technology (CobiT) (see Appendix F). ITGI's CobiT provides a reference framework and common language across the entire information systems life cycle for IS and business leaders and for IS audit, control, and security practitioners. CobiT is one of the most popular and internationally accepted sets of guidance materials for IT governance.

15.5 ISO 17799 (Code of Practice for Information Security Management)

ISO/IEC 17799:2000(E), promulgated by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), defines information security principles that ultimately can provide assurance to trading partners and regulators that an organization's information is protected properly. Derived from the British Standards Institution's BS 7799 standard, the Code of Practice for Information Security Management is built around specific security elements required within 10 areas, including physical and environmental security, communications and operations management, and access control. Although, as a code of practice, ISO/IEC 17799:2000 provides guidance and recommendations, it is not intended to be a specification, and care should be taken to ensure that claims of compliance are not misleading.

The original BS 7799 standard has two parts:

• Part 1 is the Code of Practice and is identical to ISO/IEC 17799:2000.
• Part 2 is a specification for implementing an information security management system (ISMS).

To comply with BS 7799 Part 2 (BS 7799-2:2002), an organization's installed ISMS must conform to the set of requirements described in the standard, which are in the form of "shall" statements. Third-party bodies have been accredited to certify or register organizations to BS 7799-2:2002.

15.5.1 What Is Information Security?

BS 7799 treats information as an asset which, like other important business assets, has value to an organization and consequently needs to be protected. Information security protects information from a wide range of threats to ensure business continuity, minimize business damage, and maximize return on investments and business opportunities.

Information can exist in many forms: printed or written on paper, stored electronically, transmitted by post or using electronic means, shown on films, or spoken in conversation. Whatever form the information takes, or means by which it is shared or stored, BS 7799 indicates that it always should be protected appropriately.

Information security is characterized within BS 7799 as the preservation of:

• Confidentiality – ensuring that information is accessible only to those authorized to have access.
• Integrity – safeguarding the accuracy and completeness of information and processing methods.
• Availability – ensuring that authorized users have access to information and associated assets when required.

Information security is achieved by implementing a suitable set of controls from BS 7799, which could be policies, practices, procedures, organizational structures, and software functions. These controls should be established to ensure the specific security objectives of the organization are met.

15.5.2 How to Establish Security Requirements

BS 7799 states that it is essential that an organization identify its security requirements. There are three main sources:

• Assessing risks to the organization. BS 7799 does not prescribe a methodology.
• The legal, statutory, regulatory, and contractual requirements that an organization, its trading partners, contractors, and service providers have to satisfy.
• The particular set of principles, objectives, and requirements for information processing that an organization has developed to support its operations.

15.5.3 Assessing Security Risks

BS 7799 suggests that security requirements be identified by a methodical assessment of security risks. Expenditure on controls should be balanced against the business harm likely to result from security failures. The process of assessing risks and selecting controls may need to be performed a number of times to cover different parts of the organization or individual information systems, and it is important to review security risks and implemented controls periodically.

15.5.4 Selecting Controls

Once security requirements have been identified, controls from BS 7799 should be selected and implemented to ensure risks are reduced to an acceptable level. Controls should be selected based on the cost of implementation in relation to the risks being reduced and the potential losses if a security breach occurs. Nonmonetary factors, such as loss of reputation, should also be taken into account. For more information on BS 7799, see http://www.bs7799-iso17799.com.

15.5.5 Topics Addressed in BS 7799

1 Scope
2 Terms and definitions
3 Security policy
  3.1 Information security policy document
  3.2 Review and evaluation
4 Security organization
  4.1 Information security infrastructure
  4.2 Security of third-party access
  4.3 Outsourcing
5 Asset classification and control
  5.1 Accountability for assets
  5.2 Information classification
6 Personnel security
  6.1 Security in job definition and resourcing
  6.2 User training
  6.3 Responding to security incidents and malfunctions
7 Physical and environmental security
  7.1 Secure areas
  7.2 Equipment security
  7.3 General controls
8 Communications and operations management
  8.1 Operational procedures and responsibilities
  8.2 System planning and acceptance
  8.3 Protection against malicious software
  8.4 Housekeeping
  8.5 Network management
  8.6 Media handling and security
  8.7 Exchanges of information and software
9 Access control
  9.1 Business requirement for access control
  9.2 User access management
  9.3 User responsibilities
  9.4 Network access control
  9.5 Operating system access control
  9.6 Application access control
  9.7 Monitoring system access and use
  9.8 Mobile computing and teleworking
10 Systems development and maintenance
  10.1 Security requirements of systems
  10.2 Security in application systems
  10.3 Cryptographic controls
  10.4 Security of system files
  10.5 Security in development and support processes
11 Business continuity management
  11.1 Business continuity management process
12 Compliance
  12.1 Compliance with legal requirements
  12.2 Reviews of security policy and technical compliance
  12.3 System audit considerations

15.6 ISF Standard of Good Practice for Information Security

The Information Security Forum (ISF) Standard of Good Practice for Information Security aims at managing the risks associated with every aspect of information systems, irrespective of an organization's market sector, size, or structure. The standard, prepared by ISF's global working groups, is a publicly available document split into five key areas: security management, critical business applications, computer installations, networks, and systems development. For more information and details, see http://www.isfsecuritystandard.com.

15.7 Generally Accepted Information Security Principles (GAISP)

The Generally Accepted Information Security Principles (GAISP) culls best practice from all other similar frameworks. Developed in 1991 as the Generally Accepted System Security Principles, GAISP provides a comprehensive hierarchy of guidance for securing information and supporting technology, including:

• Pervasive Principles – board-level guidance.
• Broad Functional Principles – designed for executive-level information management (exposure draft distributed September 1999).
• Detailed Principles – guidance for operational information security management (under development).

GAISP is now being developed by the Information Systems Security Association (ISSA) (http://www.issa.org), which can provide details.

15.7.1 Pervasive Principles

The Pervasive Principles address the confidentiality, integrity, and availability of information. They provide general guidance to establish and maintain the security of information and supporting technology.

• Accountability Principle – Information security accountability and responsibility must be defined clearly and acknowledged.
Rationale – Accountability characterizes the ability to audit the actions of all parties and processes that interact with information. Roles and responsibilities should be clearly defined, identified, and authorized at a level commensurate with the sensitivity and criticality of information. The relationship between all parties, processes, and information must be defined clearly, documented, and acknowledged by all parties. All parties must have responsibilities for which they are held accountable.

• Awareness Principle – All parties with a need to know, including but not limited to information owners and information security practitioners, should have access to available principles, standards, conventions, or mechanisms for securing information and information systems, and should be informed of applicable threats to the security of information.
Rationale – This principle applies between and within organizations. Awareness of information security principles, standards, conventions, and mechanisms enhances and enables controls and can help to mitigate threats. Awareness of threats and their significance also increases user acceptance of controls. Without awareness of the necessity for particular controls, users can pose a risk to information by ignoring, bypassing, or overcoming existing control mechanisms. The awareness principle applies to unauthorized and authorized parties.

• Ethics Principle – Information should be used, and information security should be administered, in an ethical manner.
Rationale – Information systems pervade our societies. Rules and expectations are evolving with regard to the appropriate provision and use of information systems and the security of information. Use of information and information systems should match the expectations established by social norms and obligations.

• Multidisciplinary Principle – Principles, standards, conventions, and mechanisms for securing information and information systems should address the considerations and viewpoints of all interested parties.
Rationale – Information security is achieved by the combined efforts of information owners, users, custodians, and information security personnel. Decisions made with due consideration of all relevant viewpoints and technical capabilities can enhance information security and receive better acceptance.

• Proportionality Principle – Information security controls should be proportionate to the risks of modification, denial of use, or disclosure of information.
Rationale – Security controls should be commensurate with the value and vulnerability of information assets. Consider the value, sensitivity, and criticality of the information, as well as the probability, frequency, and severity of direct and indirect harm or loss. This principle recognizes the value of approaches to information security ranging from prevention to acceptance.

• Integration Principle – Principles, standards, conventions, and mechanisms for the security of information should be coordinated and integrated with each other and with the organization's policies and procedures to create and maintain security throughout an information system.
Rationale – Many information security breaches involve the compromise of more than one safeguard. The most effective control measures are components of an integrated system of controls. Information security is most efficient when planned, managed, and coordinated throughout the organization's system of controls and the life of the information.

• Timeliness Principle – All accountable parties should act in a timely, coordinated manner to prevent or respond to breaches of, and threats to, the security of information and information systems.
Rationale – Organizations should be able to coordinate and act swiftly to prevent or mitigate threat events. This principle recognizes the need for the public and private sectors to jointly establish mechanisms and procedures for rapid and effective threat-event reporting and handling. Access to threat-event history could support effective response to threat events and may help prevent future incidents.

Figure 7 – Security Management

• Assessment Principle – The risks to information and information systems should be assessed periodically.
Rationale – Information and security requirements vary over time. Organizations periodically should assess the information, its value, and the probability, frequency, and severity of direct and indirect harm or loss. Periodic assessment identifies and measures the variances from available and established security measures and controls, such as those articulated in the GAISP, as well as the risk associated with such variances. It also enables accountable parties to make informed information risk management decisions about accepting, mitigating, or transferring the identified risks with due consideration of cost effectiveness.

• Equity Principle – Management shall respect the rights and dignity of individuals when setting policy and when selecting, implementing, and enforcing security measures.
Rationale – Information security measures implemented by an organization should not infringe upon the obligations, rights, and needs of legitimate users, owners, and others affected by the information when exercised within the legitimate parameters of the mission objectives.

15.8 AICPA/CICA Trust Services Principles and Criteria

The American Institute of Certified Public Accountants (AICPA) Assurance Services Executive Committee and the CICA Assurance Services Development Board developed the Trust Services Principles and Criteria to address the risks and opportunities of IT. Trust Services Principles and Criteria set out broad statements of principles and identify specific criteria that should be achieved to meet each principle. The principles are broad statements of objectives. Criteria are benchmarks used to measure and present the subject matter, and against which the practitioner can evaluate the subject matter. In the Trust Services Principles and Criteria, the criteria are supported by a list of illustrative controls. The Trust Services Principles and Criteria are organized into four broad areas:

• Policies – The organization has defined and documented its policies⁵ relevant to the particular principle.
• Communications – The organization has communicated its defined policies to authorized users.
• Procedures – The organization uses procedures to achieve its objectives in accordance with its defined policies.
• Monitoring – The organization monitors the system and takes action to maintain compliance with its defined policies.

Following are summaries of the Trust Services Security, Availability, Processing Integrity, Privacy, Confidentiality, and Certification Authority Principles and Criteria. The Trust Services Principles and Criteria can be used to deliver branded SysTrust and WebTrust engagements, which are assurance services designed for a wide variety of IT-based systems. Upon attainment of an unqualified assurance report, the organization would be entitled to display a SysTrust or WebTrust Seal and accompanying auditor's report. In addition, the framework can be used to provide advisory and consulting services. For a detailed listing of the Trust Services Principles and Criteria, see http://www.aicpa.org/trustservices.

15.8.1 Security Principle – The system is protected against unauthorized access (both physical and logical)

In e-commerce and other systems, the respective parties must ensure that information provided is available only to those individuals who need access to complete the transaction or services, or to follow up on questions or issues that may arise. Information provided through these systems is susceptible to unauthorized access during transmission and while it is stored on the other party's systems. Limiting access to the system components helps prevent potential abuse of the system, theft of resources, misuse of software, and improper access to or use, alteration, destruction, or disclosure of information. Key elements for protecting system components include permitting authorized access and preventing unauthorized access to those components.

15.8.2 Availability Principle – The system is available for operation and use as committed or agreed

The availability principle refers to the accessibility of the system, products, or services as advertised or committed by contract or by service-level and other agreements. This principle does not in itself set a minimum acceptable performance level for system availability. Instead, the minimum performance level is established by mutual agreement (contract) between the parties.

Although system availability, functionality, and usability are connected, the availability principle does not address system functionality (the specific functions a system performs) or system usability (the ability of users to apply system functions to specific tasks or problems). It does address system availability, which relates to whether or not the system is accessible for processing, monitoring, and maintenance.

⁵ The term policies refers to written statements that communicate management's intent, objectives, requirements, responsibilities, and standards for a particular subject. Some policies may be described explicitly as such, being contained in policy manuals or similarly labeled documents. However, some policies may be contained in documents without such explicit labeling, including, for example, notices or reports to employees or outside parties.

⁶ Although some privacy regulations use the term principle, the term component is used in the AICPA/CICA Trust Services Principles and Criteria Framework to represent that concept, because the term principle previously has been defined in the Trust Services literature.

15.8.3 Processing Integrity Principle – System processing is complete, accurate, timely, and authorized

Processing integrity exists if a system performs its intended function in an unimpaired manner, free from unauthorized or inadvertent manipulation. Completeness generally indicates that all transactions and services are processed or performed without exception and that transactions and services are not processed more than once. Accuracy includes assurances that key information associated with the submitted transaction will remain accurate throughout the processing of the transaction, and that the transaction or services are processed or performed as intended. The timeliness of the provision of services or the delivery of goods is addressed in the context of commitments made for such delivery. Authorization includes assurances that processing is performed in accordance with the required approvals and privileges defined by policies governing system processing.

The risks associated with processing integrity are that the party initiating the transaction will not complete the transaction or provide the service correctly and in accordance with the desired or specified request. Without appropriate processing-integrity controls, the buyer may not receive the goods or services ordered, may receive more than requested, or may receive the wrong goods or services altogether. However, if appropriate processing-integrity controls exist and are operational within the system, the buyer can be reasonably assured of receiving the correct goods and services, in the correct quantity and price, by the promised date. Processing integrity addresses all of the system components, including procedures to initiate, record, process, and report the information, product, or service that is the subject of the engagement. The nature of data input in e-commerce systems typically involves the user entering data directly over Web-enabled input screens or forms, whereas in other systems the nature of data input can vary significantly. Because of this difference in data-input processes, the nature of controls over the completeness and accuracy of data input in e-commerce systems may be somewhat different than for other systems.

Processing integrity differs from data integrity because it does not automatically imply that the information stored by the system is complete, accurate, current, and authorized. If a system processes information from sources outside of the system's boundaries, an organization can establish only limited controls over the completeness, accuracy, authorization, and timeliness of the information submitted for processing. Errors that may have been introduced into the information and control procedures at external sites typically are beyond the organization's control. When the information source is excluded explicitly from the description of the system that defines the engagement, it is important to detail that exclusion in the system description. In other situations, the data source may be an inherent part of the system being examined, and controls over the completeness, accuracy, authorization, and timeliness of information submitted for processing would be included in the scope of the system as described.
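The four properties described above, as an added example that is not part of the GTAG text: a small batch processor (Python, written for this page) that rejects a resubmitted transaction (completeness, no double processing), checks that the submitted total agrees with quantity and unit price (accuracy), enforces a role policy and an approval threshold (authorization), reports orders processed after their committed date (timeliness), and reconciles the batch so that every submitted order is either processed or explicitly rejected. The order records, the role names, and the approval threshold are constructed assumptions, not values from the page.

```python
"""Added example for the processing-integrity principle (not from the GTAG text).
All orders, role names and the approval threshold below are constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Order:
    order_id: str        # idempotency key supplied by the submitting party
    submitter: str
    role: str            # role of the submitter, checked against policy
    quantity: int
    unit_price: float
    total: float         # total as submitted; must agree with quantity * unit_price
    approved_by: Optional[str]
    promised: date       # delivery date committed to the buyer
    processed_on: date   # date the system actually processed the order


# Constructed policy: roles permitted to submit orders, and the total above
# which a separate approval is required (assumed values, not from the page).
AUTHORIZED_ROLES = {"buyer", "purchasing_manager"}
APPROVAL_THRESHOLD = 1000.0


class ProcessingIntegrityLedger:
    """Applies the completeness, accuracy and authorization checks to each order
    and records the outcome so the batch can be reconciled afterwards."""

    def __init__(self) -> None:
        self.processed: Dict[str, Order] = {}
        self.rejected: Dict[str, str] = {}   # order_id -> reason

    def process(self, order: Order) -> bool:
        # Completeness: a transaction is never processed more than once.
        if order.order_id in self.processed:
            self.rejected[order.order_id] = "duplicate"
            return False
        # Accuracy: key figures must stay consistent with one another.
        if order.quantity <= 0 or abs(order.quantity * order.unit_price - order.total) > 0.005:
            self.rejected[order.order_id] = "inaccurate"
            return False
        # Authorization: submitter role and required approval per policy.
        if order.role not in AUTHORIZED_ROLES:
            self.rejected[order.order_id] = "unauthorized_role"
            return False
        if order.total > APPROVAL_THRESHOLD and not order.approved_by:
            self.rejected[order.order_id] = "missing_approval"
            return False
        self.processed[order.order_id] = order
        return True

    def reconcile(self, submitted: List[Order]) -> Set[str]:
        """Completeness in the other direction: every submitted order must have
        been processed or explicitly rejected. Returns ids that fell through."""
        accounted = set(self.processed) | set(self.rejected)
        return {o.order_id for o in submitted} - accounted

    def late(self) -> List[str]:
        """Timeliness: processed orders that missed the committed date."""
        return sorted(o.order_id for o in self.processed.values()
                      if o.processed_on > o.promised)


# Constructed sample batch; the comments state which control each order exercises.
SAMPLE_ORDERS = [
    Order("A-1", "alice", "buyer", 2, 25.0, 50.0, None, date(2005, 3, 10), date(2005, 3, 8)),
    Order("A-1", "alice", "buyer", 2, 25.0, 50.0, None, date(2005, 3, 10), date(2005, 3, 8)),  # resubmitted
    Order("A-2", "bob", "buyer", 3, 400.0, 1200.0, None, date(2005, 3, 12), date(2005, 3, 9)),  # no approval
    Order("A-3", "carol", "purchasing_manager", 3, 400.0, 1200.0, "dave",
          date(2005, 3, 12), date(2005, 3, 15)),                                                 # approved, late
    Order("A-4", "erin", "guest", 1, 10.0, 10.0, None, date(2005, 3, 20), date(2005, 3, 9)),   # role not allowed
    Order("A-5", "frank", "buyer", 4, 10.0, 45.0, None, date(2005, 3, 20), date(2005, 3, 9)),  # total mismatch
]


def run_batch(orders: List[Order] = SAMPLE_ORDERS) -> dict:
    """Process a batch and return what an auditor would want to see: what was
    processed, what was rejected and why, anything unaccounted for, and late orders."""
    ledger = ProcessingIntegrityLedger()
    for order in orders:
        ledger.process(order)
    return {
        "processed": sorted(ledger.processed),
        "rejected": dict(sorted(ledger.rejected.items())),
        "unaccounted": sorted(ledger.reconcile(orders)),
        "late": ledger.late(),
    }


if __name__ == "__main__":
    for key, value in run_batch().items():
        print(f"{key}: {value}")
```

The reconciliation step is the part most often missing in practice: rejecting bad input is easy, but an auditor also needs evidence that nothing submitted was silently dropped, which is why the ledger keeps the rejected set alongside the processed one and compares both against the submitted batch.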

15.8.4 Privacy Principle and Components – Personal information is collected, used, retained, and disclosed in conformity with the commitments in the organization's privacy notice and with the AICPA/CICA Trust Services Privacy Criteria

The Privacy Principle contains 10 components (see note 6) and related criteria that are essential to the proper protection and management of personal information. These privacy components and criteria are based on fair information practices included in privacy laws and regulations of various jurisdictions around the world and many recognized good privacy practices. The privacy components are:

• Management – The organization defines, documents, communicates, and assigns accountability for its privacy policies and procedures.

• Notice – The organization provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained, and disclosed.

• Choice and consent – The organization describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use, and disclosure of personal information.

• Collection – The organization collects personal information only for the purposes identified in the notice.

• Use and retention – The organization limits the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent. The organization retains personal information only as long as necessary to fulfill the stated purposes.

• Access – The organization provides individuals with access to their personal information for review and update.

• Disclosure to third parties – The organization discloses personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual.

• Security – The organization protects personal information against unauthorized access, both physical and logical.

• Quality – The organization maintains accurate, complete, and relevant personal information for the purposes identified in the notice.

• Monitoring and enforcement – The organization monitors compliance with its privacy policies and procedures and has processes to address privacy-related complaints and disputes.

15.8.5 Confidentiality Principle – Information designated as "confidential" is protected as committed or agreed

The confidentiality principle focuses on information designated "confidential." There is no widely recognized definition of confidential information, unlike personally identifiable information, which many countries currently are defining through regulation. In the course of communicating and transacting business, partners often exchange information they require to be maintained on a confidential basis. In most instances, the respective parties wish to ensure that the information they provide is available only to those individuals who need access to complete the transaction or resolve any questions that arise. To enhance business partner confidence, it is important to inform the partner about the organization's confidentiality practices, including those for providing authorized access to, use of, and sharing of information designated as confidential.

Information that may be subject to confidentiality includes:

• Transaction details
• Engineering drawings
• Business plans
• Banking information about businesses
• Inventory availability
• Bid or ask prices
• Price lists
• Legal documents
• Client and customer lists
• Revenue by client and industry

Unlike personal information, there are no defined rights for accessing confidential information to ensure its accuracy and completeness. Interpretations of what is considered confidential information can vary significantly from business to business and are driven by contractual arrangements in most cases. As a result, those engaged in business relationships need to understand what information will be maintained on a confidential basis and what, if any, rights of access or other expectations an organization might have for updating that information to ensure its accuracy and completeness.

Information that is provided to another party is susceptible to unauthorized access during transmission and while it is stored on the other party's computer systems. For example, an unauthorized party may intercept business partner profile information and transaction and settlement instructions while they are being transmitted. Controls such as encryption can be used to protect the confidentiality of this information during transmission, while firewalls and rigorous access controls can help protect the information while it is stored on computer systems.

15.8.6 Certification Authority (CA) Principle

The certification authority discloses its key and certificate life cycle management, business, and information privacy practices and provides its services in accordance with these practices. This includes the concepts of CA business-practice disclosures, service integrity, and environmental controls.

15.9 IIA Systems Assurance and Control (SAC)

The IIA provides the SAC model. The SAC model sets the stage for effective technology risk management by giving companies a framework to guide an evaluation of the e-business control environment. SAC recognizes the importance of governance — both within an organization and between business partners — to ensure effective security, auditability, and control of information. SAC provides current information to understand, monitor, assess, and mitigate technology risks. SAC examines risks in all business system components, including customers, competitors, regulators, and partners. Full details of the model can be found at http://www.theiia.org/eSAC/index.cfm, with a detailed discussion of the model at www.theiia.org/itaudit/index.cfm?fuseaction=forum&fid=411.

15.10 Corporate Governance

15.10.1 OECD Principles of Corporate Governance

The OECD Principles of Corporate Governance, amended in April 2004, set out a framework for good practice that has been agreed to by all 30 OECD member countries and has become a generally accepted standard (http://www.oecd.org/corporate). Originally issued in 1999, the principles are designed to assist governments and regulatory bodies in drawing up and enforcing effective rules, regulations, and codes of corporate governance. In parallel, they provide guidance for stock exchanges, investors, companies, and others that have a role in the process of developing good corporate governance. Although the OECD principles do not provide specific guidance on IT controls, other OECD units provide further guidance and research on information security and privacy.

15.10.2 EU Commission

The European Commission's Action Plan on Company Law and Corporate Governance was released in May 2003 to strengthen corporate governance mechanisms in public interest entities. (For details, see http://europa.eu.int/comm/internal_market/company/index_en.htm.) The EU's Corporate Governance initiatives do not address IT issues specifically, but activities of the Information Society

GTAG — Appendix E — Assessing IT Controls Using COSO — 16

The COSO Internal Control – Integrated Framework is recognized as a formal model for the purpose of Sarbanes-Oxley attestation by the SEC and provides a hierarchical categorization of controls. In addition, the audit standard from the PCAOB states:

"Because of the frequency with which management of public companies is expected to use COSO as the framework for the assessment, the directions in the standard are based on the COSO framework. Other suitable frameworks have been published in other countries and likely will be published in the future. Although different frameworks may not contain exactly the same elements as COSO, they should have elements that encompass all of COSO's general themes."

The COSO model was refined and enhanced during 2004 through development of the COSO Enterprise Risk Management – Integrated Framework (http://www.coso.org). This appendix describes the earlier framework, which is the version referenced for regulatory compliance. Nonetheless, the CAE should investigate the Enterprise Risk Management – Integrated Framework.

16.1 COSO Definition of Internal Control

COSO defines internal control (http://www.coso.org/key.htm) as "a process, effected by an organization's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations"

These distinct but overlapping categories address different needs, such that each requires a directed focus. The first category addresses an entity's basic business objectives, including performance and profitability goals and safeguarding of resources, which are impacted greatly by the use of IT.

The second category relates to the preparation of reliable published financial statements, including interim and condensed financial statements as well as earnings releases and other selected publicly reported financial data derived from such statements. IT systems frequently produce such reports, and the controls over these systems play a major part in the level of internal control.

The third category deals with complying with those laws and regulations to which the entity is subject.

Internal control systems operate at different levels of effectiveness. Internal control can be judged effective in each of the three categories if the board of directors and management have reasonable assurance that:

• They understand the extent to which the entity's operations objectives are being achieved.
• Published financial statements are being prepared reliably.
• There is compliance with applicable laws and regulations.

Although internal control is a process, its effectiveness is a state or condition of the process at one or more points in time.

16.2 COSO Internal Control — Integrated Framework

Internal control consists of five interrelated components that are derived from the way management runs a business and are integrated with the management process. Although the components apply to all entities, small and mid-size organizations may implement them differently than large enterprises. A small organization's controls may be less formal and less structured, yet it can still have effective internal control. The components are:

16.2.1 Control Environment

The control environment sets the tone for an organization, influencing the control consciousness of its people, establishing the foundation for all other components of internal control, and providing discipline and structure. Control environment factors include the integrity, ethical values, and competence of the entity's people; management's philosophy and operating style; the way management assigns authority and responsibility and organizes and develops its people; and the attention and direction provided by the board of directors.

16.2.2 Risk Assessment

Every entity faces a variety of risks from external and internal sources that must be assessed. A precondition to risk assessment is the establishment of objectives that are linked at different levels and are consistent internally. Risk assessment identifies and analyzes the relevant risks to achieving these objectives and forms a basis for determining how the risks should be managed. Because economic, industry, regulatory, and operating conditions will continue to change, organizations need mechanisms to identify and deal with the special risks associated with change.

16.2.3 Control Activities

Control activities are the policies and procedures that help ensure management directives are carried out and that necessary actions are taken to address risks to achieving these objectives. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets, and segregation of duties.

16.2.4 Information and Communication

Pertinent information must be identified, captured, and communicated in a form and time frame that enables people to perform their responsibilities. Information systems produce reports containing operational, financial, and compliance-related information that make it possible to run and control the business. They deal not only with internally generated data but also with information about external events, activities, and conditions necessary for informed business decision-making and external reporting. Effective communication must also occur in a broader sense, flowing down, across, and up the organization. All personnel must receive a clear message from top management that control responsibilities have to be taken seriously. They need to understand their own role in the internal control system, as well as how individual activities relate to the work of others. They must have a means of communicating significant information upstream. There also needs to be effective communication with external parties, such as customers, suppliers, regulators, and shareholders.

16.2.5 Monitoring

Internal control systems need to be monitored to assess the quality of their performance over time. This is accomplished through ongoing monitoring activities, separate evaluations, or a combination of the two. Ongoing monitoring occurs in the course of operations and includes regular management and supervisory activities and other actions personnel take in performing their duties. The scope and frequency of separate evaluations will depend primarily on an assessment of risks and the effectiveness of ongoing monitoring procedures. Internal control deficiencies should be reported upstream, with serious matters reported to top management and the board.

There is synergy and linkage among the components, forming an integrated system that reacts dynamically to changing conditions. The internal control system is intertwined with the entity's operating activities and exists for fundamental business reasons. Internal control is most effective when controls are built into the entity's infrastructure and are a part of the essence of the enterprise. Built-in controls support quality and empowerment initiatives, avoid unnecessary costs, and enable quick response to changing conditions.

There is a direct relationship between the three COSO categories of objectives (effectiveness, reliability, compliance) — which are what an entity strives to achieve — and the components needed to achieve the objectives. All components are relevant to each objectives category. When looking at any one category — the effectiveness and efficiency of operations, for instance — all five components must be present and functioning effectively to conclude that internal control over operations is effective.

The internal control definition — with its underlying fundamental concepts of a process, effected by people, providing reasonable assurance — together with the categorization of objectives, the components and criteria for effectiveness, and the associated discussions, constitutes this internal control framework.

GTAG — Appendix F — ITGI Control Objectives for Information and Related Technology (CobiT) — 17

Organizations must satisfy the quality, fiduciary, and security requirements for their information, as for all assets. Management must also optimize the use of available resources, including data, application systems, technology, facilities, and people. To discharge these responsibilities, as well as to achieve its objectives, management must establish an adequate system of internal control. Thus, an internal control system or framework must be in place to support the business processes, and it must be clear how each individual control activity satisfies the information requirements and impacts the resources. Impact on IT resources is highlighted in the CobiT framework, together with the business requirements for effectiveness, efficiency, confidentiality, integrity, availability, compliance, and reliability of information that need to be satisfied. Control, which includes policies, organizational structures, practices, and procedures, is management's responsibility. Management, through its corporate and IT governance, must ensure that due diligence is exercised by all individuals involved in the management, use, design, development, maintenance, or operation of information systems.

Business orientation is the main theme of CobiT. It is designed not only to be employed by users and auditors, but also, and more importantly, as a comprehensive checklist for business process owners. Increasingly, business practice involves the full empowerment of business process owners, so they have total responsibility for all aspects of the business process. In particular, this includes providing adequate controls. The CobiT framework provides a tool for the business process owner that facilitates the discharge of this responsibility. The framework starts from a simple and pragmatic premise: in order to provide the information that the organization needs to achieve its objectives, IT resources need to be managed by a set of naturally grouped processes.

CobiT continues with a set of 34 high-level control objectives, one for each of the IT processes, grouped into four domains: Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate.

Plan and Organize – This domain covers strategy and tactics and concerns the identification of the way IT can best contribute to the achievement of business objectives.

1. Define a strategic IT plan
2. Define the information architecture
3. Determine the technological direction
4. Define the IT organization and relationships
5. Manage the IT investment
6. Communicate management aims and direction
7. Manage human resources
8. Ensure compliance with external requirements
9. Assess risks
10. Manage projects
11. Manage quality

Acquire and Implement – To realize the IT strategy, IT solutions need to be identified, developed or acquired, as well as implemented and integrated into the business process. In addition, changes in and maintenance of existing systems are covered by this domain to make sure that the life cycle is continued for these systems.

12. Identify automated solutions
13. Acquire and maintain application software
14. Acquire and maintain technology architecture
15. Develop and maintain IT procedures
16. Install and accredit systems
17. Manage changes

Deliver and Support – This domain is concerned with the actual delivery of required services, which range from traditional operations over security and continuity aspects to training. This domain includes the actual processing of data by application systems.

18. Define and manage service levels
19. Manage third-party services
20. Manage performance and capacity
21. Ensure continuous service
22. Ensure systems security
23. Identify and allocate costs
24. Educate and train users
25. Assist and advise IT customers
26. Manage the configuration
27. Manage problems and incidents
28. Manage data
29. Manage facilities
30. Manage operations

Monitor and Evaluate – All IT processes need to be assessed regularly over time for their quality and compliance with control requirements. This domain thus addresses management's oversight of the organization's control process and independent assurance provided by internal and external auditing or obtained from alternative sources.

31. Monitor the processes
32. Assess internal control adequacy
33. Obtain independent assurance
34. Provide for independent audit

This structure covers all aspects of information and the technology that supports it. By addressing these 34 high-level control objectives, the business process owner can ensure that an adequate control system is provided for the IT environment.

CobiT is comprised of:

• An executive summary, which provides an overview of CobiT's issues and foundational premise.

• The CobiT framework, which describes in detail the high-level IT control objectives and identifies the business requirements for information and IT resources primarily impacted by each control objective.

• Control objectives, statements of the desired results or purposes to be achieved by implementing the specific detailed control objectives.

• Audit guidelines, suggested audit steps corresponding to each of the IT control objectives.

• An implementation tool set, which provides lessons learned from those organizations that successfully applied CobiT in their work environments, and several tools to help management assess their control environment related to information and IT resources.

• Management guidelines, which are composed of maturity models to help determine the stages and expectation levels of control; critical success factors to identify the most important actions for achieving control over the IT processes; key goal indicators to define target levels of performance; and key performance indicators to measure whether an IT control process is meeting its objective.

Designated by the IT Governance Institute (ITGI) and ISACA as an open standard, this portion of COBIT may be downloaded from http://www.itgi.org and http://www.isaca.org.

CobiT, now in its third edition and available in hard copy or interactive online format (CobiT Online), increasingly is accepted internationally as good practice for control over information, IT, and related risks. Its guidance enables an enterprise to implement effective governance over the IT that is pervasive and intrinsic throughout the enterprise.

Copyright © 2000 by ITGI and reprinted with the permission of the ITGI. No other right or permission is granted with respect to this work.

The following metrics descriptions are taken from the Corporate Information Security Working Group (CISWG) draft report of the Best Practices and Metrics teams, November 17, 2004. During Phase I of the CISWG, convened in November 2003 by Rep. Adam Putnam (R-FL), the Best Practices team surveyed available information security guidance. It concluded in its March 2004 report (see note 7) that much of this guidance is expressed at a relatively high level of abstraction and therefore is not useful immediately as actionable guidance without significant, and often costly, elaboration. A one-page listing of Information Security Program Elements, regarded as essential content for comprehensive enterprise management of information security, was created, upon which it was hoped future actionable guidance could be built for use by a wide variety of organizations.

The Best Practices and Metrics teams of CISWG Phase II, convened in June 2004, were charged with expanding on the work of Phase I by refining the Information Security Program Elements and developing metrics to support each of the elements. The goal was to develop a resource that would help board members, managers, and technical staff establish a comprehensive structure of principles, policies, processes, controls, and performance metrics to support the people, process, and technology aspects of information security.

These generic metrics can be used as the basis for determining regular reporting requirements for the audit committee, although they are not meant to be a "one-size-fits-all" solution. The full set of draft metrics, along with explanatory notes and descriptions, can be found under the "Technology" section of http://www.theiia.org.

The Information Security Program Elements and Supporting Metrics are intended to enable boards, management, and technical staff to monitor the status and progress of their organization's information security program over time. Each organization should thoughtfully consider which program elements and metrics might be helpful in its own circumstances. It should then set its own implementation priorities and establish an appropriate policy, process, and control structure. Larger and more complex organizations will create policies, processes, and controls in each program element that inevitably will be more extensive than those a smaller organization might choose to implement.

18.1 Metrics for Boards of Directors/Trustees

Establishing a competent information security program requires board members to devote attention to certain program elements. Board members can use the following metrics as part of their information security responsibilities. Board members generally should find the best target value for each metric — higher or lower — to be self-evident.

• Oversee risk management and compliance programs pertaining to information security
  – Percentage of key information assets for which a comprehensive strategy has been implemented to mitigate information security risks as necessary and to maintain these risks within acceptable thresholds
  – Percentage of key organizational functions for which a comprehensive strategy has been implemented to mitigate information security risks as necessary and to maintain these risks within acceptable thresholds
  – Percentage of key external requirements for which the organization has been deemed to be in compliance by an objective audit or other means

• Approve and adopt broad information security program principles and approve assignment of key managers responsible for information security
  – Percentage of information security program principles for which approved policies and controls have been implemented by management
  – Percentage of key information security management roles for which responsibilities, accountabilities, and authority are assigned and required skills identified

• Strive to protect the interests of all stakeholders who depend on information security
  – Percentage of board meetings and/or designated committee meetings for which information security is on the agenda
  – Percentage of security incidents that caused damage, compromise, or loss beyond established thresholds to the organization's assets, functions, or stakeholders
  – Estimated damage or loss in dollars resulting from all security incidents in each of the past four reporting periods

• Review information security policies regarding strategic partners and other third parties
  – Percentage of strategic partner and other third-party relationships for which information security requirements have been implemented in agreements

• Strive to ensure business continuity
  – Percentage of organizational units with an established business-continuity plan

• Review provisions for internal and external audits of the information security program
  – Percentage of required internal and external audits completed and reviewed by the board
  – Percentage of audit findings that have not been resolved

• Collaborate with management to specify the information security metrics to be reported to the board
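A way to compute several of the board metrics above from inventory records, as an added example (Python, written for this page; not part of the GTAG text or the CISWG report). The incident, audit, finding, and business-unit records, the $10,000 damage threshold, and the quarter labels are constructed. Two points the list itself does not show: a period with no incidents must still appear in the four-period loss series, and an empty population must report 0 rather than 100 percent, so a missing inventory cannot masquerade as full coverage.

```python
"""Added example for the board-level metrics above (not from the GTAG text or
the CISWG report). Record layouts, threshold and period labels are constructed."""
from collections import defaultdict
from typing import Dict

# Assumed policy value: losses above this count as "beyond established thresholds".
DAMAGE_THRESHOLD_USD = 10_000

# Constructed inventories. A real report would pull these from the incident
# register, the audit tracker, the findings log and the continuity-plan inventory.
INCIDENTS = [
    {"id": "INC-1", "period": "2004-Q2", "loss_usd": 2_500},
    {"id": "INC-2", "period": "2004-Q3", "loss_usd": 40_000},
    {"id": "INC-3", "period": "2004-Q3", "loss_usd": 0},
    {"id": "INC-4", "period": "2005-Q1", "loss_usd": 12_000},
    {"id": "INC-5", "period": "2005-Q1", "loss_usd": 800},
]
AUDITS = [
    {"id": "AUD-1", "completed": True, "board_reviewed": True},
    {"id": "AUD-2", "completed": True, "board_reviewed": False},
    {"id": "AUD-3", "completed": False, "board_reviewed": False},
]
FINDINGS = [
    {"id": "F-1", "resolved": True}, {"id": "F-2", "resolved": False},
    {"id": "F-3", "resolved": False}, {"id": "F-4", "resolved": True},
]
ORG_UNITS = [
    {"name": "finance", "bcp": True}, {"name": "operations", "bcp": True},
    {"name": "hr", "bcp": False}, {"name": "sales", "bcp": True},
]
LAST_FOUR_PERIODS = ("2004-Q2", "2004-Q3", "2004-Q4", "2005-Q1")


def pct(numerator: int, denominator: int) -> float:
    """Percentage to one decimal. An empty population reports 0.0, so a missing
    inventory can never look like 100 percent coverage."""
    return round(100.0 * numerator / denominator, 1) if denominator else 0.0


def incidents_beyond_threshold(incidents=INCIDENTS, threshold=DAMAGE_THRESHOLD_USD) -> float:
    """Percentage of security incidents whose loss exceeded the established threshold."""
    return pct(sum(1 for i in incidents if i["loss_usd"] > threshold), len(incidents))


def loss_by_period(incidents=INCIDENTS, periods=LAST_FOUR_PERIODS) -> Dict[str, int]:
    """Estimated loss per reporting period; periods with no incidents still appear with 0."""
    totals = defaultdict(int)
    for i in incidents:
        totals[i["period"]] += i["loss_usd"]
    return {p: totals[p] for p in periods}


def audits_completed_and_reviewed(audits=AUDITS) -> float:
    """Percentage of required audits both completed and reviewed by the board."""
    return pct(sum(1 for a in audits if a["completed"] and a["board_reviewed"]), len(audits))


def findings_unresolved(findings=FINDINGS) -> float:
    """Percentage of audit findings that have not been resolved."""
    return pct(sum(1 for f in findings if not f["resolved"]), len(findings))


def units_with_bcp(units=ORG_UNITS) -> float:
    """Percentage of organizational units with an established business-continuity plan."""
    return pct(sum(1 for u in units if u["bcp"]), len(units))


def board_report() -> dict:
    """Assemble the metrics in one place, as they would be tabled for the board."""
    return {
        "incidents_beyond_threshold_pct": incidents_beyond_threshold(),
        "loss_usd_by_period": loss_by_period(),
        "audits_completed_and_reviewed_pct": audits_completed_and_reviewed(),
        "findings_unresolved_pct": findings_unresolved(),
        "units_with_bcp_pct": units_with_bcp(),
    }


if __name__ == "__main__":
    for name, value in board_report().items():
        print(f"{name}: {value}")
```

Each function takes its population as a parameter so the same code can be run against the real registers once they are exported; the defaults exist only so the block runs offline on the constructed data.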

GTAG — Appendix G — Example IT Control Metrics to Be Considered by Audit Committees — 18

18.2 Metrics for Management

The following program elements and metrics are intended to help management implement the information security goals and policies established by the board as part of an effective information security program.

7 http://reform.house.gov/TIPRC

• Establish information security management policies and controls, and monitor compliance.
  – Percentage of information security program elements for which approved policies and controls are operational.
  – Percentage of staff assigned responsibilities for information security policies and controls who have acknowledged accountability for their responsibilities in connection with those policies and controls.
  – Percentage of information security policy compliance reviews that noted violations.
  – Percentage of business-unit heads and senior managers who have implemented operational procedures to ensure compliance with approved information security policies and controls.
• Assign information security roles, responsibilities, and required skills, and enforce role-based information-access privileges.
  – Percentage of new employees hired this reporting period who satisfactorily completed security-awareness training before being granted network access.
  – Percentage of employees who have completed periodic security-awareness refresher training as required by policy.
  – Percentage of position descriptions that define the information security roles, responsibilities, skills, and certifications for:
    + Security managers and administrators
    + IT personnel
    + General staff/system users
  – Percentage of job performance reviews that evaluate information security responsibilities and policy compliance.
  – Percentage of user roles, systems, and applications that comply with the separation-of-duties principle.
  – Number of individuals with access to security software who are not trained and authorized security administrators.
  – Number of individuals who are able to assign security privileges for systems and applications who are not trained and authorized security administrators.
  – Percentage of users whose access privileges have been reviewed this reporting period, including:
    + Employees with high-level system and application privileges
    + All other employees
    + Contractors
    + Vendors
    + Terminated employees and contractors
  – Percentage of users who have undergone background checks.
• Assess information risks, establish risk thresholds, and actively manage risk mitigation.
  – Percentage of critical information assets and information-dependent functions for which some form of risk assessment has been performed and documented as required by policy.
  – Percentage of critical assets and functions for which the cost of compromise (loss, damage, disclosure, or disruption of access) has been quantified.
  – Percentage of identified risks that have a defined risk mitigation plan against which status is reported in accordance with policy.
• Ensure implementation of information security requirements for strategic partners and other third parties.
  – Percentage of known information security risks that are related to third-party relationships.
  – Percentage of critical information assets or functions to which third-party personnel have been given access.
  – Percentage of third-party personnel with current information access privileges who a designated authority has deemed to have continued need for access in accordance with policy.
  – Percentage of systems with critical information assets or functions that are connected to third-party systems electronically.
  – Percentage of security incidents that involve third-party personnel.
  – Percentage of third-party agreements that include or demonstrate external verification of policies and procedures.
  – Percentage of third-party relationships that have been reviewed for compliance with information security requirements.
  – Percentage of out-of-compliance review findings that have been corrected since the last review.
• Identify and classify information assets.
  – Percentage of information assets that have been reviewed and classified by the designated owner in accordance with the classification scheme established by policy.
  – Percentage of information assets with defined access privileges that have been assigned based on role and in accordance with policy.
  – Date when the asset inventory was last updated.
• Implement and test business-continuity plans.
  – Percentage of organizational units with a documented business-continuity plan for which specific responsibilities have been assigned.
  – Percentage of business-continuity plans that have been reviewed, exercised and tested, and updated in accordance with policy.
• Approve information systems architecture during acquisition, development, operations, and maintenance.
  – Percentage of information security risks related to systems architecture identified in the most recent risk assessment that have been mitigated adequately.
  – Percentage of system architecture changes (additions, modifications, or deletions) that were reviewed for security impacts, approved by the appropriate authority, and documented via change-request forms.
  – Percentage of critical information assets or functions residing on systems that are out of compliance with the approved systems architecture.
• Protect the physical environment.
  – Percentage of critical organizational information assets and functions that have been reviewed from the perspective of physical risks, such as controlling physical access and physical protection of backup media.
  – Percentage of critical organizational information assets and functions exposed to physical risks for which risk mitigation actions have been implemented.
  – Percentage of critical assets that have been reviewed from the perspective of environmental risks, such as temperature, fire, and flooding.
  – Percentage of servers in locations with controlled physical access.
  – Percentage of information security requirements of applicable laws and regulations that are included in the internal and external audit program and schedule.
  – Percentage of information security audits conducted in compliance with the approved internal and external audit program and schedule.
  – Percentage of management actions in response to audit findings and recommendations that were implemented as agreed upon regarding timeliness and completeness.
• Collaborate with security personnel to specify the information security metrics to be reported to management.
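Several of the access-related metrics above (review coverage by user category, separation-of-duties compliance, terminated people with live accounts, and untrained individuals who can assign security privileges) can be produced directly from an identity-management export. The following Python script is an added example, not part of the guide; the roster, role names, conflict pairs, and reporting period in it are constructed for illustration, and in practice the data would come from the organization's IAM system and HR feed.

```python
# Added example (not from the guide): compute several of the management-level
# access metrics listed above from a user access roster.  The roster, role
# names, SoD conflict pairs and reporting period are constructed for
# illustration; real data would come from the IAM system and HR feed.
from dataclasses import dataclass, field
from datetime import date
from typing import Optional, Set

PERIOD_START = date(2024, 1, 1)  # constructed start of the current reporting period


@dataclass
class User:
    uid: str
    kind: str                               # "employee", "contractor" or "vendor"
    roles: Set[str] = field(default_factory=set)
    privileged: bool = False                # holds high-level system/application privileges
    active: bool = True                     # account is still enabled in the directory
    terminated: bool = False                # HR says the person has left
    last_access_review: Optional[date] = None
    security_admin: bool = False            # can assign security privileges to others
    admin_trained_authorized: bool = False  # completed admin training and is authorized


# Constructed separation-of-duties matrix: no one person may hold both roles of a pair.
SOD_CONFLICTS = [
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"post_journal", "approve_journal"}),
    frozenset({"developer", "production_deploy"}),
]

# Constructed roster.
ROSTER = [
    User("alice", "employee", {"post_journal"}, privileged=True,
         last_access_review=date(2024, 2, 1), security_admin=True, admin_trained_authorized=True),
    User("bob", "employee", {"create_vendor", "approve_payment"}, last_access_review=date(2023, 11, 15)),
    User("carol", "employee", {"developer"}, last_access_review=date(2024, 1, 20)),
    User("dave", "contractor", {"developer", "production_deploy"},
         last_access_review=date(2024, 3, 1), security_admin=True),
    User("erin", "vendor", {"read_reports"}),
    User("frank", "employee", {"post_journal"}, terminated=True),  # left, account still active
    User("grace", "employee", set(), terminated=True, active=False, last_access_review=date(2024, 1, 5)),
]

CATEGORIES = ("privileged employees", "other employees", "contractors", "vendors", "terminated")


def pct(part: int, whole: int) -> float:
    """Percentage to one decimal; an empty population reports 0.0 instead of dividing by zero."""
    return round(100.0 * part / whole, 1) if whole else 0.0


def category(u: User) -> str:
    """Bucket a user into the review categories the metric calls for."""
    if u.terminated:
        return "terminated"
    if u.kind == "contractor":
        return "contractors"
    if u.kind == "vendor":
        return "vendors"
    return "privileged employees" if u.privileged else "other employees"


def review_coverage(users):
    """Percentage of users per category whose access was reviewed in this reporting period."""
    coverage = {}
    for cat in CATEGORIES:
        population = [u for u in users if category(u) == cat]
        reviewed = [u for u in population
                    if u.last_access_review is not None and u.last_access_review >= PERIOD_START]
        coverage[cat] = pct(len(reviewed), len(population))
    return coverage


def sod_compliance(users) -> float:
    """Percentage of users whose role set contains no conflicting pair."""
    compliant = [u for u in users if not any(pair <= u.roles for pair in SOD_CONFLICTS)]
    return pct(len(compliant), len(users))


def terminated_with_active_access(users):
    """Terminated people whose accounts are still enabled: each one is a finding to follow up."""
    return sorted(u.uid for u in users if u.terminated and u.active)


def untrained_security_admins(users):
    """Individuals able to assign security privileges who are not trained, authorized administrators."""
    return sorted(u.uid for u in users if u.security_admin and not u.admin_trained_authorized)


if __name__ == "__main__":
    for cat, value in review_coverage(ROSTER).items():
        print(f"access reviewed this period, {cat}: {value}%")
    print(f"separation-of-duties compliant users: {sod_compliance(ROSTER)}%")
    print("terminated but still active:", terminated_with_active_access(ROSTER))
    print("untrained/unauthorized security admins:", untrained_security_admins(ROSTER))
```

The two list-returning functions deliberately name individuals rather than report a percentage: a single terminated account that is still enabled, or a single untrained person who can grant privileges, is an exception to act on, which a ratio would hide.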

GTAG – Appendix H – CAE Checklist – 19

CAEs can use this checklist to examine their IT control framework to ensure the organization has addressed all control elements. The checklist can help the CAE understand the issues and plan for full internal audit coverage of the control areas.

1. Identify the IT control environment of the organization, including:
   a. Values
   b. Philosophy
   c. Management style
   d. IT awareness
   e. Organization
   f. Policies
   g. Standards
2. Identify relevant legislation and regulation impacting IT control, such as:
   a. Governance
   b. Reporting
   c. Data protection
   d. Compliance
3. Identify the roles and responsibilities for IT control in relation to:
   a. Board of directors
      i. Audit committee
      ii. Risk committee
      iii. Governance committee
      iv. Finance committee
   b. Management
      i. CEO
      ii. CFO and controller
      iii. CIO
      iv. CSO
      v. CISO
      vi. CLC
      vii. CRO
   c. Audit
      i. Internal audit
      ii. External audit
4. Identify the risk assessment process. Does it cover:
   a. Risk appetite
   b. Risk tolerances
   c. Risk analysis
   d. Matching risks to IT controls
5. Identify all monitoring processes, including:
   a. Regulatory
   b. Normal in-house
   c. Other than internal auditing
6. Identify information and communication mechanisms:
   a. Control information
   b. Control failures

Action Questions

1. Do corporate policies and standards that describe the need for IT controls exist?
2. What legislation exists that impacts on the need for IT controls?
3. Has management taken steps to ensure compliance with this legislation?
4. Have all the relevant responsibilities for IT controls been allocated to individual roles?
5. Is the allocation of responsibilities compatible with the need to apply division of duties?
6. Are IT responsibilities documented?
7. Are IT control responsibilities communicated to the whole organization?
8. Do individual role holders clearly understand their responsibilities in relation to IT controls?
9. What evidence is there of individual role holders exercising their responsibilities?
10. Does internal auditing employ sufficient IT audit specialists to address the IT control issues?
11. How is the risk appetite and tolerance of the organization determined?
12. Is the risk appetite and tolerance of the organization authorized at board level?
13. Is the risk appetite and tolerance clearly understood by all those with a responsibility for IT control?
14. Is a formal risk analysis process used by the organization?
15. Is the process understood by all those with responsibility for IT control?
16. Is the process used consistently throughout the organization?
17. What processes exist to monitor compliance with all relevant legislation plus internal policies and standards?
18. Are there monitoring processes carried out by management outside of internal audit?
19. What metrics are provided to the board of directors, its committees, and management in relation to IT security?
20. What additional reports are provided to the board of directors and to management on a regular basis?
21. Is management always provided with reports when there are IT control failures?
22. Do the board of directors and its committees receive similar reports of IT control failures?

GTAG – Appendix I – References – 20

The following list of information security reference material is taken from a list compiled by the CISWG of the Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census, and the Government Reform Committee of the US House of Representatives. The full list can be found at http://www.reform.house.gov/TIPRC or under the "Technology" section of http://www.theiia.org. The documents are classified into three sections relating to governance, management, and technical issues.

20.1 Governance

Board Briefing on IT Governance, ITGI. http://www.itgi.org/Template_ITGI.cfm?Section=ITGI&CONTENTID=6658&TEMPLATE=/ContentManagement/ContentDisplay.cfm

Information Security Governance: Guidance for Boards of Directors and Executive Management, ITGI. http://www.itgi.org

Information Security Management and Assurance: Three-report series from The IIA, National Association of Corporate Directors (NACD), US Critical Infrastructure Assurance Office, et al. http://www.theiia.org/esac/index.cfm?fuseaction=or&page=rciap

Information Security Oversight: Essential Board Practices, NACD. http://www.nacdonline.org/publications/pubDetails.asp?pubID=138&user=6158BBEB9D7C4EE0B9E4B98B601E3716

IT Governance Implementation Guide, ISACA. http://www.isaca.org/Template.cfm?Section=Browse_By_Topic&Template=/Ecommerce/ProductDisplay.cfm&ProductID=503

Turnbull Report - Internal Control - Guidance for Directors on the Combined Code, Institute of Chartered Accountants in England & Wales. http://www.icaew.co.uk/index.cfm?AUB=TB2I_6242,MNXI_47896

20.2 Management

BS 7799 – Parts 1 & 2: Code of Practice for Information Security Management, British Standards Institution. http://www.bsi.org.uk

Common Sense Guide for Senior Managers, Internet Security Alliance. www.isalliance.org

Corporate Information Security Evaluation for CEOs, TechNet. http://www.technet.org/cybersecurity

Generally Accepted Information Security Principles (GAISP), Information Systems Security Association. Currently available: Generally Accepted Systems Security Principles (GASSP), consisting of Pervasive Principles and Broad Functional Principles; Detailed Principles are under development. http://www.issa.org/gaisp/gaisp.html

Generally Accepted Principles and Practices (GAPP): NIST SP 800-18, "Guide for Developing Security Plans for Information Technology Systems," December 1998 (Marianne Swanson & Barbara Guttman); eight generally accepted principles (see OECD) and "Common IT Security Practices." http://csrc.nist.gov/publications/nistpubs/index.html

ICC Handbook on Information Security Policy for Small to Medium Enterprises, International Chamber of Commerce (ICC). http://www.iccwbo.org/home/e_business/word_documents/SECURITY-final.pdf

IFAC International Guidelines on Information Technology Management – Managing Information Technology Planning for Business Impact, International Federation of Accountants. http://www.ifac.org

Information Security for Executives, Business and Industry Advisory Committee to the OECD and ICC. http://www.iccwbo.org/home/e_business/word_documents/SECURITY-final.pdf

ISO 17799 – Information Technology – Code of Practice for Information Security Management, International Organization for Standardization (ISO). http://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=33441&ICS1=35&ICS2=40&ICS3

OECD Guidelines for the Security of Information Systems and Networks: nine pervasive principles for information security upon which several other guides are based, OECD. http://www.oecd.org/document/42/0,2340,en_2649_33703_15582250_1_1_1_1,00.html

Standard of Good Practice for Information Security, Information Security Forum. http://www.isfsecuritystandard.com/index_ie.htm

Trust Services Criteria (including SysTrust and WebTrust), American Institute of Certified Public Accountants. http://www.aicpa.org/trustservices

20.3 Technical Issues

Consensus Benchmarks, Center for Internet Security. http://www.cisecurity.org

DISA Security Technical Implementation Guides. http://www.csrc.nist.gov/pcig/cig.html

ISO 15408 Common Criteria. http://www.csrc.nist.gov/cc/ccv20/ccv2list.htm

ISO TR 13335 – Guidelines for the Management of Information Security, Parts 1-5. http://www.iso.org/iso/en/StandardsQueryFormHandler.StandardsQueryFormHandler

IT Baseline Protection Manual (P BSI 7152 E 1), Bundesamt für Sicherheit in der Informationstechnik. http://www.bsi.bund.de/gshb/english/menue.htm

ITCG Information Technology Control Guidelines, Canadian Institute of Chartered Accountants (CICA). http://www.cica.ca

NIST Configuration Guides, National Institute of Standards and Technology (NIST). http://www.csrc.nist.gov/pcig/cig.html

NIST 800-12, The Computer Security Handbook, NIST. http://www.csrc.nist.gov/publications/nistpubs/index.html

NIST 800-30, Risk Management Guide for Information Technology Systems, NIST. http://www.csrc.nist.gov/publications/nistpubs/index.html

NSA Configuration Guides. http://www.nsa.gov/snac

SANS Step-by-Step Guides, SANS Institute. http://www.store.sans.org

20.4 Auditing IT

Control Objectives for Information and Related Technologies (CobiT), ISACA. http://www.isaca.org

Federal Information Systems Controls Audit Manual (FISCAM), US Government Accountability Office. http://www.gao.gov

Information Technology Control Guidelines (ITCG), CICA. http://www.cica.ca

Systems Assurance and Control (SAC), IIA Research Foundation. http://www.theiia.org/eSAC

Systems Auditability and Control (SAC), IIA Research Foundation. http://www.theiia.org/eSAC

GTAG – Appendix J – Glossary – 21

A listing of technical terms used in the guide, with a simple, plain-English definition.

Application Control – A control related to the specific functioning of an application system that supports a specific business process. Common applications include accounts payable, inventory management, and general ledger. Integrated applications combine the functions of many business processes into integrated systems sharing common databases.

Assurance – The act of assuring; a declaration tending to inspire full confidence; that which is designed to give confidence.

CAE – Chief audit executive

CEO – Chief executive officer

CFO – Chief financial officer (and controller)

CIO – Chief information officer

CISO – Chief information security officer

CLC – Chief legal counsel

COSO – The Committee of Sponsoring Organizations of the Treadway Commission (the Commission on Fraudulent Financial Reporting). See http://www.coso.org

CRM – Customer resource management

CSO – Chief security officer

Cyber attack – A criminal act perpetrated by the use of computers and telecommunications capabilities, resulting in violence, destruction, and/or disruption of services to create fear by causing confusion and uncertainty within a given population, with the goal of influencing a government or population to conform to a particular political, social, or ideological agenda.

Effective – Getting a job done, with or without regard for efficiency. If the law requires you to do something, it probably does not require you to do it efficiently, as evidenced by Sarbanes-Oxley compliance and the frequent complaint that companies are spending huge sums with no apparent value added to the organization or stakeholders.

Efficient – To be efficient, a process or activity must also be effective. Information Technology Process Institute studies show that best-of-breed organizations enjoy considerable efficiencies by maintaining an effective set of control and monitoring practices and resolving the source of the problem rather than only responding to the symptoms.

Framework – A structure for organizing something (e.g., governance issues, controls) to highlight needs at the various levels of an organization as well as for its activities and processes. A control framework is an outline that identifies the need for controls but does not depict how they are applied. Each organization and organizational unit provides a level of detail related to its own control objectives and control practices.

General control – A control that applies generally to the IT environment or overall mix of systems, networks, data, people, and processes (also known as IT infrastructure).

GLBA – US Gramm-Leach-Bliley Act

Governance – The combination of processes and structures implemented by the board to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives.

GTAG – Global Technology Audit Guide

HIPAA – US Health Information Portability and Accountability Act

Information asset – Information assets are based in the value of information to the worth and continued existence of the organization. A distinction is made between information assets and information resources because information resources are generally considered to include the related human resources, and human resources are not considered to be owned by the organization.

Information resource – Includes all elements of the organization involved in information processing (e.g., acquisition, processing, communication, and storage), including the related hardware, software, processes, and personnel.

Information security – The concepts, techniques, technical measures, and administrative measures used to protect information assets from deliberate or inadvertent unauthorized acquisition, damage, disclosure, manipulation, modification, loss, or use.

Information technology (IT) – All the computer hardware and software used to process information and provide communications, the processes for administering and maintaining the technology, and the human resources associated with the use of technology.

ISO 17799 – Code of Practice for Information Security Management. See http://www.iso.org

IT controls – Those controls that provide reasonable assurance of the secure, reliable, and resilient performance of hardware, software, processes, and personnel, as well as the reliability of the organization's information.

IT infrastructure – The overall IT environment, including systems, networks, data, people, and processes. Infrastructures can also include the interaction of businesses and industries in mutual support through shared media and services such as the Internet, energy, financial services, utilities, government, and transportation. To the extent that infrastructures support national and regional economies, defenses, and business continuity, they are known as critical infrastructures.

ITPI – IT Process Institute. See http://www.itpi.org

Public Company Accounting Oversight Board (PCAOB) – A board of the US Securities and Exchange Commission established by the Sarbanes-Oxley Act of 2002 as an oversight body for public financial reporting and auditing.

Risk appetite – Defined by COSO as "the degree of risk, on a broad-based level, that a company or other organization is willing to accept in pursuit of its goals. Management considers the organization's risk appetite first in evaluating strategic alternatives, then in setting objectives aligned with the selected strategy and in developing mechanisms to manage the related risks."

Risk management – The ongoing identification, measurement, and mitigation of risk through the demonstrably cost-efficient implementation and administration of control over the known and knowable risks of threat events that can affect the confidentiality, integrity, or availability of an organization's information assets adversely.

Risk tolerance – Defined by COSO as "the acceptable level of variation relative to the achievement of objectives. In setting specific risk tolerances, management considers the relative importance of the related objectives and aligns risk tolerances with its risk appetite."

GTAG – Appendix K – About the Global Technology Audit Guides – 22

This IT controls guide is the first in a series of GTAGs, which will give CAEs and internal auditors a source of information for educating and informing themselves and others within the organization who have responsibilities related to IT control.

The GTAGs will provide guidance on a variety of IT topics. Each guide will describe the underlying technology, facts, and issues sufficiently to explain business opportunities, risks, and related controls and their impacts on the overall system of internal controls. Subjects to be addressed in the GTAG series will be determined by current and emerging technology areas and their potential ramifications for internal controls and assurance. Planned topics for guides include intrusion protection, security management, change management, wireless security, identity management, and authentication.

22.1 Parties to the GTAG Program

Each GTAG guide is developed through interaction with technical audit and security experts, audit executives, technology vendors, and the associations and individuals that represent board members, chief executives, financial executives, information technology professionals, and security executives. Involvement from The IIA's international affiliates and partners supports the global perspective of the guides. Other professionals representing specialized views, such as legal, insurance, regulatory, and standards, will be included as appropriate within individual GTAG projects.

The IIA is joined in this GTAG project by a specially selected team of professional associations, academic institutions, and practitioners in both auditing and technology. The IIA is grateful for the support provided by this team, as the guide would not have been possible without them. For The IIA to provide meaningful guidance to auditors about how to relate to audit customers, it is essential to gain agreement with the key representatives of those customers. To speak to a global audience, the guide needs consensus from a broad group representing many of the countries where internal auditors operate. So we thank both the individuals and the organizations who contributed so much to this guide.

GTAG – Appendix L – GTAG Partners and Global Project Team – 23

23.1 IT Controls Advisory Council

The Advisory Council is made up of individuals who contributed to the development of this guide from the outset of planning the GTAG project, through design and development of the IT Controls Guide outline and various drafts, to the completion of the final product. These individuals went beyond the role of a volunteer support team to truly act in a leadership role.

Julia H. Allen, CMU/SEI, Carnegie-Mellon University/Software Engineering Institute

Michael R. Dickson, Business Technology Group LLC

Clint Kreitner, President/CEO, CIS, The Center for Internet Security

Alex Lajoux, NACD, National Association of Corporate Directors

Will Ozier, Vice Chair, the ISSA GAIS Committee; CEO & President, OPA Inc., The Integrated Risk Management Group, USA

Mark Salamasick, CIA, University of Texas at Dallas

Karyn Waller, AICPA, American Institute of Certified Public Accountants

23.2 Partner Organizations

AICPA – Michael R. Dickson, Karyn Waller, American Institute of Certified Public Accountants

CIS – Clint Kreitner, Center for Internet Security

CMU/SEI – Julia Allen, Bob Rosenstein, Carnegie-Mellon University/Software Engineering Institute

ISSA – Dave Cullinane, President; Bob Daniels, Exec. Vice President, Information Systems Security Association

NACD – Peter Gleason, Alex Lajoux, National Association of Corporate Directors

SANS Institute – Alan Paller, Director of Research; Stephen Northcutt, COO

23.3 Project Review Team

Peter Allor, ISS, Internet Security Systems

Jack Antonelli, ADP

Ken D. Askelson, CIA, JC Penney Co. Inc.

Becky Bace, Infidel Inc.

Kevin Behr, IPSI, Institute for Integrated Publication and Information Systems

Jeff Benson, BearingPoint

Robert S. Block, Chairman, 3D Business Tools, USA

Sylvia Boyd, The IIA

Alexandra Branisteanu, Information Security Officer, Scripps Health, San Diego, USA

Larry Brown, Options Clearing Corp.

Stephanie Bryant, University of South Florida

Phil Campbell, Specialized IT LLC, USA

John Carlson, BITS, Banking Industry Technology Secretariat

Chris Compton, Intrusion Labs

Guy Copeland, CSC, Computer Sciences Corp.

Rich Crawford, Vice President/Senior Security Advisor, Janus Risk Management, USA

Bob Daniels, EDS

Bob Dix, US House of Representatives

Jerry E. Durant, CIA, President, Certifiable Technologies Ltd., Orlando, Fla., USA

Emily Frye, Critical Infrastructure Protections Program, George Mason University School of Law, USA

Greg Garcia, ITAA, Information Technology Association of America

Russ Gates, Dupage Consulting LLC

Lou Giles, Chevron Phillips Chemical Co.

Doug Guerrero, EDS

Kai Tamara Hare, Nuserve

Michael S. Hines, CIA, Purdue University

Bob Hirth, Protiviti

Don Holden, CISSP, Concordant Inc., USA

Dave Kern, Ethentica

Gene Kim, CTO, Tripwire Inc., USA

Jim Kolouch, BearingPoint

David Kowal, VP, JP Morgan Chase

Paul Kurtz, CSIA, Cyber Security Industry Alliance

Cindy LeRouge, PhD, Decision Sciences/MIS Department, John Cook School of Business, St. Louis University, USA

Andrée Lavigne, CICA, Canadian Institute of Chartered Accountants

Debbie Lew, Guidance Software

Brenda Lovell, CIA, CCSA, CGAP, The IIA

Warren Malmquist, Adolph Coors Co.

Stacy Mantzaris, CIA, IIA

Dennis Miller, Heritage Bank

Patrick Morrissey, Auditwire

Bruce Moulton, Symantec

Paul Moxey, ACCA, Association of Chartered Certified Accountants

Roseane Paligo, CIA, Chief Financial Officer, 1st Choice Community Federal Credit Union, USA

Fred Palmer, Palmer Associates

Xenia Parker, CIA, CFSA, VP, Enterprise Technology Group, Marsh Inc.

Bernie Plagman, TechPar Group

Heriot Prentice, MIIA, FIIA, QiCA, The IIA

Dick Price, Beacon IT Ltd., BS 7799 Consultancy, USA

Michael Quint, Corporate Compliance Officer, EDS Corporate Audit, USA

Sridhar Ramamoorti, CIA, CFSA, Ernst & Young LLP, Chicago, IL, USA

Amy Ray, Bentley College

Martin Ross, GSC, Global Security Consortium

Chip Schilb, EDS, USA

Howard Schmidt, eBay

Mark Silver, Symantec

George Spafford, President, Spafford Global Consulting, Saint Joseph, IL, USA

Adam Stone, Assurant

Jay H. Stott, CIA, Fidelity Investments

Dan Swanson, CIA, IIA

Jay R. Taylor, CIA, CISA, CFE, General Motors Corporation

Bill Tener, University & Community College System of Nevada

Archie Thomas

Fred Tompkins, BearingPoint

Don Warren, Rutgers University

Dominique Vincenti, CIA, The IIA

Mark Winn, Intrusec

Amit Yoran

23.4 IIA International Affiliates

Frank Alvern, CIA, CCSA, Nordea Bank, Norway

Alexandre Alves Apparecido, Brazil

Dror Aviv, Israel

David F. Bentley, England, UK and Ireland

Gerardo Carstens, CIA, IIA Argentina

Richard Cascarino, South Africa

Iftikhar Chaudry, Pakistan

Hisham T. El Gindy, Manager, KPMG Hazem Hassan, Egypt

Dr. Ulrich Hahn, CIA, Switzerland

Rossana S. Javier, Makati City, Philippines

Andras Kovacks, Hungary

Christopher McRostie, Australia

Furqan Ahmad Saleem, Partner, Avais Hyder Nauman Rizwani, RSM Pakistan

Kyoko Shimizu, CIA, Japan

John Silltow, Security Control and Audit Ltd., United Kingdom

Ken Siong, International Federation of Accountants

Anton van Wyk, PwC, South Africa

Nick Wolanin, Adjunct Senior Lecturer, Australian Graduate

Julie Young, Australia

23.5 Other International

Carolee Birchall, Vice President and Senior Risk Officer, Bank of Montreal, Canada

P. J. Corum, Quality Assurance Institute Middle East and Africa, United Arab Emirates

Ariel Peled, President, ISSA Israeli Chapter

P. Shreekanth, India

Karen Woo, Selangor, Malaysia

23.6 IIA International Advanced Technology Committee

Anton van Wyk (Chairman), CIA, PricewaterhouseCoopers, South Africa

Alexandre Alves Apparecido, Brasil Telecom, Brazil

Ken D. Askelson, CIA, JC Penney Co. Inc., USA

Dror Aviv, CFSA, IIA Israel

Donald L. Bailey, Grant Thornton LLP, USA

E.W. Sean Ballington, PricewaterhouseCoopers LLP, USA (originally South Africa)

Norman F. Barber, Microsoft Corp., USA

David F. Bentley, QiCA, Consultant, England

Claude Cargou, GIE AXA, France

Michael P. Fabrizius, CIA, Bon Secours Health System Inc., USA

Ramiz Tofigi Ganizade, Azerbaijan Republic Chamber of Auditors, Azerbaijan

Douglas Guerrero, EDS Corp., USA

Dr. Ulrich Hahn, CIA, Syngenta International, Switzerland

David J. Hill, IBM Corp., USA

Michael S. Hines, CIA, Purdue University, USA

Mark J. Hornung, Ernst & Young LLP, USA

Gene Kim, CTO, Tripwire Inc., USA

David S. Lione, KPMG LLP Southeast Region, USA

Peter B. Millar, ACL Services Ltd., Canada

Allan M. Newstadt, CIA, World Bank/International Finance Corp., USA

Brenda J. S. Putman, CIA, City Utilities of Springfield, USA

Kyoko Shimizu, CIA, Shin Nihon & Co., Japan

Brian M. Spindel, CIA, SecurePipe Inc., USA

Rajendra P. Srivastava, University of Kansas, USA

Jay Stott, CIA, Fidelity Investments, USA

Jay R. Taylor, CIA, CISA, CFE, General Motors Corp., USA

Thomas Jason Wood, CIA, Ernst & Young LLP, USA

Akitomo Yamamoto, IIA Japan

23.7 The Writing Team

David A. Richards, CIA, President, The IIA

Alan S. Oliphant, MIIA, QiCA, MAIR International

Charles H. Le Grand, CIA, CHL Global

23.8 IIA Headquarters Staff Production Team

Michael Feland

Trish Harris

Tim McCollum

Information Technology Controls

This guide focuses on how IT roles and responsibilities are dispersed throughout the organization, how accurate assessment of IT controls is achieved, and how an organization can promote IT reliability and efficiency.

What is GTAG?

Prepared by The Institute of Internal Auditors, each Global Technology Audit Guide (GTAG) is written in straightforward business language to address a timely issue related to information technology management, control, or security. GTAG is a ready resource series for chief audit executives to use in the education of members of the board and audit committee, management, process owners, and others regarding technology-associated risks and recommended practices.

Business Continuity Management

This GTAG focuses on how business continuity management (BCM) is designed to enable business leaders to manage the level of risk the organization could potentially encounter if a natural or man-made disruptive event that affects the extended operability of the organization were to occur. The guide includes disaster recovery planning for continuity of critical information technology infrastructure and business application systems.

Chief audit executives (CAEs) have been challenged to educate corporate executives on the risks, controls, costs, and benefits of adopting a BCM program. Although it is true that recent disasters around the world have motivated some corporate leaders to give attention to BCM programs, the implementation of such programs is far from universal. The key challenge is engaging corporate executives to make BCM a priority. Although most executives are likely to agree that BCM is a good idea, many will struggle to find the budget necessary to fund the program as well as an executive sponsor that has the time to ensure its success. Business Continuity Management will help the CAE communicate business continuity risk awareness and support management in its development and maintenance of a BCM program.

Visit www.theiia.org/guidance/technology/gtag/gtag10 to rate this GTAG or submit your comments.

Order Number 100645
IIA Member US $25
Nonmember US $30
IIA Event US $22.50

www.theiia.org

ISBN 0-89413-570-8
ISBN 978-0-89413-623-8


GTAG Information Technology Controls describes the knowledge needed by members of governing bodies, executives, IT professionals, and internal auditors to address technology control issues and their impact on business. Other professionals may find the guidance useful and relevant. The guide provides information on available frameworks for assessing IT controls and describes how to establish the right framework for an organization. Moreover, it sets the stage for future GTAGs that will cover specific IT topics and associated business roles and responsibilities in greater detail.

The objectives of the IT Controls guide are to:

• Explain IT controls from an executive perspective.
• Explain the importance of IT controls within the overall system of internal controls.
• Describe the organizational roles and responsibilities for ensuring IT controls are addressed adequately within the overall system of internal controls.
• Describe the concepts of risk inherent in the use and management of technology by any organization.
• Describe the basic knowledge and understanding of IT controls needed by the CAE to ensure effective internal audit assessments of IT controls.
• Describe the relevant elements of the IT controls assessment process as provided by the internal audit function.

2.1 Introduction to IT Controls

IT controls do not exist in isolation. They form an interdependent continuum of protection, but they may also be subject to compromise due to a weak link. They are subject to error and management override, may range from simple to highly technical, and may exist in a dynamic environment.

IT controls have two significant elements: the automation of business controls and control of IT. Thus, IT controls support business management and governance as well as provide general and technical controls over IT infrastructures.

The internal auditor's role in IT controls begins with a sound conceptual understanding and culminates in providing the results of risk and control assessments. Internal auditing involves significant interaction with the people in positions of responsibility for controls and requires continuous learning and reassessment as new technologies emerge and the organization's opportunities, uses, dependencies, strategies, risks, and requirements change.

2.2 Understanding IT Controls

IT controls provide for assurance related to the reliability of information and information services. IT controls help mitigate the risks associated with an organization's use of technology. They range from corporate policies to their physical implementation within coded instructions, from physical access protection through the ability to trace actions and transactions to responsible individuals, and from automatic edits to reasonability analysis for large bodies of data.

You don't need to know "everything" about IT controls, but remember two key control concepts:

• Assurance must be provided by the IT controls within the system of internal controls. This assurance must be continuous and provide a reliable and continuous trail of evidence.
• The auditor's assurance is an independent and objective assessment of the first assurance. Auditor assurance is based on understanding, examining, and assessing the key controls related to the risks they manage and performing sufficient testing to ensure the controls are designed appropriately and functioning effectively and continuously.

Many frameworks exist for categorizing IT controls and their objectives. This guide recommends that each organization use the applicable components of existing frameworks to categorize and assess IT controls and to provide and document its own framework for:

• Compliance with applicable regulations and legislation.
• Consistency with the organization's goals and objectives.
• Reliable evidence (reasonable assurance) that activities comply with management's governance policies and are consistent with the organization's risk appetite.

2.3 Importance of IT Controls

Many issues drive the need for IT controls, ranging from the need to control costs and remain competitive through the need for compliance with internal and external governance. IT controls promote reliability and efficiency and allow the organization to adapt to changing risk environments. Any control that mitigates or detects fraud or cyber attacks enhances the organization's resiliency because it helps the organization uncover the risk and manage its impact. Resiliency is a result of a strong system of internal controls, because a well-controlled organization has the ability to manage challenges or disruptions seamlessly.

Key indicators of effective IT controls include:

• The ability to execute and plan new work, such as IT infrastructure upgrades required to support new products and services.
• Development projects that are delivered on time and within budget, resulting in cost-effective and better product and service offerings compared to competitors.
• Ability to allocate resources predictably.
• Consistent availability and reliability of information and IT services across the organization and for customers, business partners, and other external interfaces.
• Clear communication to management of key indicators of effective controls.
• The ability to protect against new vulnerabilities and threats and to recover from any disruption of IT services quickly and efficiently.
• The efficient use of a customer support center or help desk.
• Heightened security awareness on the part of the users and a security-conscious culture throughout the organization.

GTAG — Executive Summary — 2

2.4 IT Roles and Responsibilities

Many different roles have emerged in recent years for positions within the organization with IT control responsibilities and ownership. Each position within the governance, management, operational, and technical levels should have a clear description of its roles, responsibilities, and ownership for IT controls to ensure accountability for specific issues. This section addresses the various IT control roles and responsibilities within the organization and allocates them to specific positions within a hypothetical organizational structure.

2.5 Analyzing Risk

IT controls are selected and implemented on the basis of the risks they are designed to manage. As risks are identified, suitable risk responses are determined, ranging from doing nothing and accepting the risk as a cost of doing business to applying a wide range of specific controls, including insurance. This section explains the concepts of when to apply IT controls.

2.6 Monitoring and Techniques

The implementation of a formal control framework facilitates the process of identifying and assessing the IT controls necessary to address specific risks. A control framework is a structured way of categorizing controls to ensure the whole spectrum of control is covered adequately. The framework can be informal or formal. A formal approach will more readily satisfy the various regulatory or statutory requirements for organizations subject to them. The process of choosing or constructing a control framework should involve all positions in the organization with direct responsibility for controls. The control framework should apply to and be used by the whole organization — not just internal auditing.

2.7 IT Control Assessment

Assessing IT controls is a continuous process. Business processes are changing constantly as technology continues to evolve. Threats emerge as new vulnerabilities are discovered. Audit methods improve as auditors adopt an approach where IT control issues in support of the business objectives are near the top of the agenda.

Management provides IT control metrics and reporting. Auditors attest to their validity and opine on their value. The auditor should liaise with management at all levels and with the audit committee to agree on the validity and effectiveness of the metrics and assurances for reporting.


IT is an integral part of all processes that enable businesses and governments to accomplish their missions and objectives. IT facilitates local and global communications and fosters international business cooperation. IT controls have two significant components: automation of business controls and control of IT. They support business management and governance, and they provide general and technical controls over the policies, processes, systems, and people that comprise IT infrastructures.

IT controls do not exist in isolation. They form an interdependent continuum of protection, but they also may be subject to compromise due to a "weak link." They are subject to error and management override, may range from simple to highly technical, and may exist in a dynamic environment. IT controls support the concept of "defense in depth," so a single weakness does not always result in a single point of failure.

Controls exist to protect stakeholder interests:

• The owner's equity.
• Customer concerns, such as privacy and identity.
• Employees' jobs and abilities to prove they did the right thing.
• Management's comfort with the assurance provided by automated processes.

IT control assurance addresses the ability of controls to protect the organization against the most important threats and provides evidence that remaining risks are unlikely to harm the organization and its stakeholders significantly. These controls also are essential for assuring the reliability of financial processes and reporting.

GTAG — Introduction — 3

They are all connected

When a security administrator selects the settings in a firewall configuration file (a technical task requiring specific skills and knowledge), he or she implements a policy (which may or may not be documented elsewhere) that, when deployed, determines the messages that will or will not be allowed into or out of the communications network and establishes the "ports" through which they may travel. Your organization gets an element of protection from its firewalls that is vital to the protection of information and the infrastructures where that information is collected, processed, stored, and communicated.
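As an added illustration (not code from the guide), the following Python treats a firewall rule set as policy in code: a one-rule-per-line format, first-match evaluation with an implicit default deny, and the auditor's check that the deployed rules open only the inbound ports the written policy authorizes. The rule format, addresses, ports and the documented policy are constructed assumptions.

```python
"""Added example (not from the GTAG): a small firewall rule engine showing how
a technical setting in a configuration file is a policy decision, and how an
auditor can compare the deployed rule set with the documented policy.
The rule format, hosts, ports and policy below are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set


@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny"
    direction: str       # "in" or "out"
    proto: str           # "tcp", "udp" or "any"
    src: str             # CIDR or "any"
    dst: str             # CIDR or "any"
    port: Optional[int]  # destination port, None = any


def parse_rules(text: str) -> List[Rule]:
    """Parse the constructed format:  <action> <dir> <proto> <src> <dst> <port|any>
    A '#' starts a comment; blank lines are ignored."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        action, direction, proto, src, dst, port = line.split()
        if action not in ("allow", "deny") or direction not in ("in", "out"):
            raise ValueError(f"bad rule: {raw!r}")
        rules.append(Rule(action, direction, proto, src, dst,
                          None if port == "any" else int(port)))
    return rules


def _match_net(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec)


def decide(rules: List[Rule], direction: str, proto: str,
           src: str, dst: str, port: int) -> str:
    """First match wins; a message matching no rule is dropped (default deny),
    which is the behaviour the policy relies on."""
    for r in rules:
        if (r.direction == direction and r.proto in (proto, "any")
                and _match_net(r.src, src) and _match_net(r.dst, dst)
                and r.port in (port, None)):
            return r.action
    return "deny"


# Constructed configuration: what the administrator actually deployed.
DEPLOYED = """
allow in  tcp any           10.0.0.0/24 443   # public web front end
allow in  tcp 192.0.2.0/24  10.0.0.0/24 22    # admin network only
allow out any 10.0.0.0/24   any         any   # outbound unrestricted
allow in  tcp any           10.0.0.0/24 3389  # not in the written policy
"""

# Constructed policy: inbound ports the documented policy authorizes.
DOCUMENTED_INBOUND_PORTS: Set[int] = {443, 22}


def inbound_ports_allowed(rules: List[Rule]) -> Set[Optional[int]]:
    """Ports that at least one 'allow in' rule opens."""
    return {r.port for r in rules if r.action == "allow" and r.direction == "in"}


def undocumented_openings(rules: List[Rule], documented: Set[int]) -> Set[Optional[int]]:
    """Detective check: inbound ports the deployed rules open that the written
    policy never authorized (None would mean 'all ports')."""
    return inbound_ports_allowed(rules) - documented


if __name__ == "__main__":
    rules = parse_rules(DEPLOYED)
    print(decide(rules, "in", "tcp", "198.51.100.7", "10.0.0.5", 443))  # allow
    print(decide(rules, "in", "tcp", "198.51.100.7", "10.0.0.5", 22))   # deny
    print(sorted(undocumented_openings(rules, DOCUMENTED_INBOUND_PORTS)))  # [3389]
```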

When CAEs review and assess the controls over IT, they should ask:

• What do we mean by IT controls?
• Why do we need IT controls?
• Who is responsible for IT controls?
• When is it appropriate to apply IT controls?
• Where exactly are IT controls applied?
• How do we perform IT control assessments?

The audit process provides a formal structure for addressing IT controls within the overall system of internal controls. Figure 1, The Structure of IT Auditing, below divides the assessment into a logical series of steps.

The internal auditor's role in IT controls begins with a sound conceptual understanding and culminates in providing the results of risk and control assessments. Internal auditors interact with the people responsible for controls and must pursue continuous learning and reassessment as new technologies emerge and the organization's opportunities, uses, dependencies, strategies, risks, and requirements change.

GTAG — Assessing IT Controls — An Overview — 4


"I keep six honest serving-men
(They taught me all I knew);
Their names are What and Why and When
and How and Where and Who."

— Rudyard Kipling, from "Elephant's Child" in Just So Stories

Figure 1 - The Structure of IT Auditing


COSO¹ defines internal control as "A process, effected by an organization's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

• Effectiveness and efficiency of operations.
• Reliability of financial reporting.
• Compliance with applicable laws and regulations."

IT controls encompass those processes that provide assurance for information and information services and help mitigate the risks associated with an organization's use of technology. These controls range from written corporate policies to their implementation within coded instructions, from physical access protection to the ability to trace actions and transactions to the individuals who are responsible for them, and from automatic edits to reasonability analysis for large bodies of data.

5.1 Control Classifications

Controls may be classified to help understand their purposes and where they fit into the overall system of internal controls. (See Figure 3, Some Control Classifications, page 4.) By understanding these classifications, the control analyst and auditor are better able to establish their positions in the control framework and answer key questions such as: Are the detective controls adequate to identify errors that may get past the preventive controls? Are corrective controls sufficient to fix the errors once detected? A common classification of IT controls is general versus application.

General controls (also known as infrastructure controls) apply to all systems components, processes, and data for a given organization or systems environment. General controls include, but are not limited to, information security policy, administration, access, and authentication; separation of key IT functions; management of systems acquisition and implementation; change management; and backup, recovery, and business continuity.

Application controls pertain to the scope of individual business processes or application systems. They include such controls as data edits, separation of business functions (e.g., transaction initiation versus authorization), balancing of processing totals, transaction logging, and error reporting. The function of a control is highly relevant to the assessment of its design and effectiveness. Controls may be classified as preventive, detective, or corrective.

Preventive controls prevent errors, omissions, or security incidents from occurring. Examples include simple data-entry edits that block alphabetic characters from being entered into numeric fields, access controls that protect sensitive data or system resources from unauthorized people, and complex and dynamic technical controls such as antivirus software, firewalls, and intrusion prevention systems.

GTAG — Understanding IT Controls — 5

¹ COSO – Committee of Sponsoring Organizations for the Commission on Fraudulent Financial Reporting (The Committee of Sponsoring Organizations of the Treadway Commission). See www.coso.org.

It is not necessary to know "everything" about IT controls

Do not be concerned if you do not understand the full continuum or all the technical intricacies of IT controls. Many of these controls are the domain of specialists who manage specific risks associated with individual components of the systems and network infrastructure. In keeping with good separation of duties practices, some people who have specialized knowledge in a technology such as database management may know little about network components or communication protocols, and vice versa.

There are two key control concepts to remember:

1. Assurance must be provided by the IT controls within the whole system of internal control and must be continuous and produce a reliable and continuous trail of evidence.
2. The auditor's assurance is an independent and objective assessment of the first assurance. It is based on understanding, examining, and assessing the key controls related to the risks the auditors manage, as well as performing sufficient tests to ensure the controls are designed appropriately and function effectively.

Figure 2

Detective controls detect errors or incidents that elude preventive controls. For example, a detective control may identify account numbers of inactive accounts or accounts that have been flagged for monitoring of suspicious activities. Detective controls can also include monitoring and analysis to uncover activities or events that exceed authorized limits or violate known patterns in data that may indicate improper manipulation. For sensitive electronic communications, detective controls can indicate that a message has been corrupted or the sender's secure identification cannot be authenticated.

Corrective controls correct errors, omissions, or incidents once they have been detected. They vary from simple correction of data-entry errors to identifying and removing unauthorized users or software from systems or networks to recovery from incidents, disruptions, or disasters.

Generally, it is most efficient to prevent errors or detect them as close as possible to their source to simplify correction. These corrective processes also should be subject to preventive and detective controls because they represent another opportunity for errors, omissions, or falsification.
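To make the preventive / detective / corrective distinction concrete, here is an added Python example (not from the guide) that runs a constructed batch of transaction entries through the three layers in turn: a data-entry edit that blocks a letter in a numeric field, a review that flags entries over an authorized limit or on monitored and inactive accounts, and a hold action that writes its own evidence trail. Account numbers, limits, flags and amounts are illustrative assumptions.

```python
"""Added example (not from the GTAG): the three control functions the text
describes, preventive, detective and corrective, applied to a constructed
batch of transaction entries. Account numbers, limits, flags and amounts
are illustrative assumptions, not data from the guide."""
from decimal import Decimal, InvalidOperation
from typing import Dict, List, Tuple

# Constructed reference data: authorized per-transaction limits, accounts
# management has flagged for monitoring, and accounts marked inactive.
AUTHORIZED_LIMIT: Dict[str, Decimal] = {
    "1001": Decimal("5000"), "1002": Decimal("250"), "1003": Decimal("1000"),
}
FLAGGED_ACCOUNTS = {"1002"}
INACTIVE_ACCOUNTS = {"1003"}


def preventive_edit(entry: dict) -> Tuple[bool, str]:
    """Data-entry edit: block an entry whose numeric field is not numeric
    or whose account is unknown, so the error never enters processing."""
    if entry.get("account") not in AUTHORIZED_LIMIT:
        return False, "unknown account"
    try:
        amount = Decimal(str(entry.get("amount", "")))
    except InvalidOperation:
        return False, "amount is not numeric"
    if amount <= 0:
        return False, "amount must be positive"
    return True, "ok"


def detective_review(accepted: List[dict]) -> List[dict]:
    """Detective control over entries that passed the edits: report anything
    over the authorized limit, on a monitored account, or on an inactive one."""
    findings = []
    for e in accepted:
        amount = Decimal(str(e["amount"]))
        if amount > AUTHORIZED_LIMIT[e["account"]]:
            findings.append({"id": e["id"], "reason": "exceeds authorized limit"})
        if e["account"] in FLAGGED_ACCOUNTS:
            findings.append({"id": e["id"], "reason": "account under monitoring"})
        if e["account"] in INACTIVE_ACCOUNTS:
            findings.append({"id": e["id"], "reason": "activity on inactive account"})
    return findings


def corrective_action(findings: List[dict], evidence: List[str]) -> List[str]:
    """Corrective control: hold each flagged entry for review. It records its
    own evidence because, as the text notes, corrective processing is one more
    place where an error or falsification could be introduced."""
    held: List[str] = []
    for f in findings:
        if f["id"] not in held:
            held.append(f["id"])
        evidence.append(f"HOLD {f['id']}: {f['reason']}")
    return held


def process_batch(batch: List[dict]) -> dict:
    """Run the three control layers in order and return what each did,
    together with the continuous evidence trail the guide asks for."""
    evidence: List[str] = []
    accepted, rejected = [], []
    for e in batch:
        ok, why = preventive_edit(e)
        if ok:
            accepted.append(e)
        else:
            rejected.append({"id": e["id"], "reason": why})
        evidence.append(f"{'ACCEPT' if ok else 'REJECT'} {e['id']}: {why}")
    findings = detective_review(accepted)
    held = corrective_action(findings, evidence)
    return {"rejected": rejected, "findings": findings,
            "held": held, "evidence": evidence}


# Constructed batch: one bad numeric field, one over-limit entry, one on a
# monitored account and one on an inactive account.
SAMPLE_BATCH = [
    {"id": "T1", "account": "1001", "amount": "1200.00"},
    {"id": "T2", "account": "1001", "amount": "12O0.00"},  # letter O in a numeric field
    {"id": "T3", "account": "1001", "amount": "7500.00"},
    {"id": "T4", "account": "1002", "amount": "100.00"},
    {"id": "T5", "account": "1003", "amount": "50.00"},
]

if __name__ == "__main__":
    for line in process_batch(SAMPLE_BATCH)["evidence"]:
        print(line)
```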

Many other control classifications described in this guide may be useful in assessing their effectiveness. For example, automated controls tend to be more reliable than manual controls, and nondiscretionary controls are more likely to be applied consistently than discretionary controls. Other control classifications include mandatory, voluntary, complementary, compensating, redundant, continuous, on-demand, and event-driven.

5.2 Governance, Management, Technical

Another common classification of controls is by the group responsible for ensuring they are implemented and maintained properly. For the purpose of assessing roles and responsibilities, this guide primarily categorizes IT controls as governance, management, and technical. Information security program elements for these three categories are described in Appendix A (page 25). The first two levels — governance and management — are the most applicable to the scope of this guide, although it may also be useful to understand how higher-level controls specifically are established within the technical IT infrastructures. Technical controls will be the subject of more topic-specific GTAGs.

5.2.1 Governance Controls

The primary responsibility for internal control resides with the board of directors in its role as keeper of the governance framework. IT control at the governance level involves ensuring that effective information management and security principles, policies, and processes are in place and performance and compliance metrics demonstrate ongoing support for that framework.

Governance controls are those mandated by and controlled by either the entire board of directors or a board committee in conjunction with the organization's executive management. These controls are linked with the concepts of corporate governance, which are driven both by organizational goals and strategies and by outside bodies such as regulators.

An important distinction between governance and management controls is the concept of "noses in, fingers out." The board's responsibility involves oversight rather than actually performing control activities. For example, the audit committee of the board does no auditing, but it does oversee both the internal and external auditing of the organization.

5.2.2 Management Controls

Management responsibility for internal controls typically involves reaching into all areas of the organization, with special attention to critical assets, sensitive information, and operational functions. Consequently, close collaboration among board members and executive managers is essential. Management must make sure the IT controls needed to achieve the organization's established objectives are applied and ensure reliable and continuous processing. These controls are deployed as a result of deliberate actions by management to:

• Recognize risks to the organization, its processes, and assets.
• Enact mechanisms and processes to mitigate and manage risks (protect, monitor, and measure results).

5.2.3 Technical Controls

Technical controls form the foundation that ensures the reliability of virtually every other control in the organization. For example, by protecting against unauthorized access and intrusion, they provide the basis for reliance on the integrity of information — including evidence of all changes and their authenticity. These controls are specific to the technologies in use within the organization's IT infrastructures. The ability to automate technical controls that implement and demonstrate compliance with management's intended information-based policies is a powerful resource to the organization.

Figure 3 - Some Control Classifications

5.3 IT Controls – What to Expect

Individual control mechanisms a CAE can expect to find within the organization can be defined within the hierarchy of IT controls, from the overall high-level policy statements issued by management and endorsed by the board of directors down to the specific control mechanisms incorporated into application systems.

The hierarchy in Figure 4, IT Controls, this page, represents a logical "top-down" approach both when considering controls to implement and when determining areas on which to focus audit resources during reviews of the entire IT operating environment. The different elements of the hierarchy are not mutually exclusive; they are all connected and can intermingle. Many of the control types within the elements are described below.

5.3.1 Policies

All organizations need to define their aims and objectives through strategic plans and policy statements. Without clear statements of policy and standards for direction, organizations can become disoriented and perform ineffectively. Organizations with clearly defined aims and objectives tend to be successful.

Because technology is vital to the operations of most organizations, clear policy statements regarding all aspects of IT should be devised and approved by management, endorsed by the board of directors, and communicated to all staff. Many different policy statements can be required, depending on the organization's size and the extent to which it deploys IT. For smaller organizations, a single policy statement may be sufficient provided it covers all the relevant areas. Larger organizations that implement IT extensively will require more detailed and specific policies.

IT policy statements include, but are not restricted to:

• A general policy on the level of security and privacy throughout the organization. This policy should be consistent with all relevant national and international legislation and should specify the level of control and security required depending on the sensitivity of the system and data processed.
• A statement on the classification of information and the rights of access at each level. The policy should also define any limitations on the use of this information by those approved for access.
• A definition of the concepts of data and systems ownership, as well as the authority necessary to originate, modify, or delete information. Without these guidelines, it is often difficult to coordinate change within large organizations because there may not be anyone designated to have overall responsibility for the data or systems.
• A general policy that defines the extent to which users can deploy intelligent workstations to create their own applications.
• Personnel policies that define and enforce conditions for staff in sensitive areas. This includes the positive vetting of new staff prior to joining the organization, carrying out annual credit checks, and having employees sign agreements accepting responsibility for the required levels of control, security, and confidentiality. This policy would also detail related disciplinary procedures.
• Definitions of overall business continuity planning requirements. These policies should ensure that all aspects of the business are considered in the event of a disruption or disaster — not just the IT elements.

A good source of IT and security policies is the SANS Security Policy Resource page (http://www.sans.org/resources/policies/#intro), a consensus research project of the SANS Institute community. The project offers free resources for rapid development and implementation of information security policies, including policy templates for 24 important security requirements. Although the templates were compiled to help the people attending SANS training programs, SANS makes them available to the world because Internet security depends on vigilance by all participants.

Figure 4 – IT Controls

The Center for Internet Security (www.cisecurity.org) reports that applying controls consistently over system and network component configuration will protect the organization from more than 85 percent of the top vulnerabilities identified by the U.S. National Institute of Standards and Technology (NIST), Federal Bureau of Investigation (FBI), SANS Institute, and Computer Security Institute (CSI).

5.3.2 Standards

Standards exist to support the requirements of policies. They are intended to define ways of working that achieve the required objectives of the organization. Adopting and enforcing standards also promotes efficiency because staff are not required to reinvent the wheel every time a new business application is built or a new network is installed. Standards also enable the organization to maintain the whole IT operating environment more efficiently.

Large organizations with significant resources are in a position to devise their own standards. On the other hand, smaller organizations rarely have sufficient resources for this exercise. There are many sources of information on standards and best practice, some of which are listed in Appendix I (see page 45).

As a guideline, the CAE should expect to see standards adopted for:

• Systems Development Processes – When organizations develop their own applications, standards apply to the processes for designing, developing, testing, implementing, and maintaining systems and programs. If organizations outsource application development or acquire systems from vendors, the CAE should ascertain that agreements require the providers to apply standards consistent with the organization's standards or acceptable to the organization.
• Systems Software Configuration – Because systems software provides a large element of control in the IT environment, standards related to secure system configurations, such as the CIS Benchmarks from the Center for Internet Security, are beginning to gain wide acceptance by leading organizations and technology providers. The way products such as operating systems, networking software, and database management systems are configured can either enhance security or create weaknesses that can be exploited.
• Application Controls – All applications which support business activities need to be controlled. Standards are necessary for all applications the organization develops or purchases that define the types of controls that must be present across the whole range of business activities, as well as the specific controls that should apply to sensitive processes and information.
• Data Structures – Having consistent data definitions across the full range of applications ensures disparate systems can access data seamlessly and security controls for private and other sensitive data can be applied uniformly.
• Documentation – Standards should specify the minimum level of documentation required for each application system or IT installation, as well as for different classes of applications, processes, and processing centers.

As with policies, standards should be approved by management, should be written in clear and understandable language, and should be made available to all who implement them.

5.3.3 Organization and Management

Organization and management plays a major role in the whole system of IT control, as it does with every aspect of an organization's operations. An appropriate organization structure allows lines of reporting and responsibility to be defined and effective control systems to be implemented.

5.3.3.1 Separation of Duties

Separation of duties is a vital element of many controls. An organization's structure should not allow responsibility for all aspects of processing data to rest upon one individual or department. The functions of initiating, authorizing, inputting, processing, and checking data should be separated to ensure no individual can both create an error, omission, or other irregularity and authorize it and/or obscure the evidence. Separation-of-duties controls for application systems are provided by granting access privileges only in accordance with job requirements for processing functions and accessing sensitive information.

Traditional separation of duties within the IT environment is divided between systems development and operations. Operations should be responsible for running production systems — except for change deployment — and should have little or no contact with the development process. This control includes restrictions preventing operators from accessing or modifying production programs, systems, or data. Similarly, systems development personnel should have little contact with production systems. By assigning specific roles during implementation and other change processes to both the personnel responsible for application systems and those responsible for operations, appropriate separation of duties can be enforced. In large organizations, many other functions should be considered to ensure appropriate separation of duties, and these controls can be quite detailed. For example, privileged accounts such as the Administrator group in Windows and Super User in UNIX can modify log entries, access any file, and in many cases act as any user or role. It is important to restrict the number of individuals with this privilege to a minimum.


Software tools are also available and should be considered to limit the power and monitor the activities of individuals with privileged accounts.
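The separation-of-duties checks described above, as an added Python example (not tooling from the guide): it reads a constructed access matrix and transaction log, reports users who hold a conflicting pair of functions (initiate/authorize, develop/operate production), transactions approved by their own initiator, and privileged-account holders in excess of an agreed maximum. User names, function names, the conflict pairs and the maximum are illustrative assumptions.

```python
"""Added example (not from the GTAG): separation-of-duties checks over a
constructed access matrix and transaction log. Users, function names, the
conflicting pairs and the admin ceiling are illustrative assumptions."""
from typing import Dict, List, Set, Tuple

# Function pairs the text says one person must not combine (assumed names).
CONFLICTING_PAIRS: List[Tuple[str, str]] = [
    ("initiate", "authorize"),          # create and approve the same transaction
    ("develop", "operate_prod"),        # development vs. production operations
    ("operate_prod", "modify_prod_code"),  # operators changing production programs
]


def role_conflicts(access: Dict[str, Set[str]]) -> Dict[str, List[Tuple[str, str]]]:
    """Users whose granted functions contain at least one conflicting pair."""
    out: Dict[str, List[Tuple[str, str]]] = {}
    for user, funcs in access.items():
        hits = [p for p in CONFLICTING_PAIRS if p[0] in funcs and p[1] in funcs]
        if hits:
            out[user] = hits
    return out


def self_approved(log: List[dict]) -> List[str]:
    """Transactions where the same person both initiated and authorized,
    i.e. the separation the access matrix is meant to enforce was bypassed."""
    return [t["id"] for t in log if t["initiated_by"] == t["authorized_by"]]


def excess_privileged(access: Dict[str, Set[str]], max_admins: int) -> List[str]:
    """Holders of the privileged function when their number exceeds the agreed
    ceiling (the text: keep such accounts to a minimum); empty otherwise."""
    admins = sorted(u for u, f in access.items() if "privileged_admin" in f)
    return admins if len(admins) > max_admins else []


# Constructed access matrix: user -> functions granted.
ACCESS: Dict[str, Set[str]] = {
    "alice": {"initiate"},
    "bob":   {"authorize"},
    "carol": {"initiate", "authorize"},      # conflicting pair
    "dave":  {"develop", "operate_prod"},    # conflicting pair
    "erin":  {"operate_prod", "privileged_admin"},
    "frank": {"privileged_admin"},
    "grace": {"privileged_admin"},
}

# Constructed transaction log.
TX_LOG: List[dict] = [
    {"id": "TX1", "initiated_by": "alice", "authorized_by": "bob"},
    {"id": "TX2", "initiated_by": "carol", "authorized_by": "carol"},
]


def sod_report(access: Dict[str, Set[str]] = ACCESS,
               log: List[dict] = TX_LOG, max_admins: int = 2) -> dict:
    """Combine the three checks into one report an auditor can review."""
    return {
        "role_conflicts": role_conflicts(access),
        "self_approved": self_approved(log),
        "excess_privileged": excess_privileged(access, max_admins),
    }


if __name__ == "__main__":
    for key, value in sod_report().items():
        print(f"{key}: {value}")
```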

5.3.3.2 Financial Controls

Because organizations make considerable investments in IT, budgetary and other financial controls are necessary to ensure the technology yields the projected return on investment or proposed savings. Management processes should be in place to collect, analyze, and report information related to these issues. Unfortunately, new IT developments often suffer massive cost over-runs and fail to deliver the expected cost savings because of insufficient planning. Budgetary controls can help identify potential failings early in the process and allow management to take positive action. They may also produce historical data that organizations can use in future projects.

5.3.3.3 Change Management

Change management processes can be specified under organizational and management control elements. These processes should ensure that changes to the IT environment, systems software, application systems, and data are applied in a manner that enforces appropriate division of duties, makes sure changes work as required, prevents changes from being exploited for fraudulent purposes, and reveals the true costs of inefficiencies and system outages that can be obscured by ineffective monitoring and reporting processes. Change management is one of the most sensitive areas of IT controls and can seriously impact system and service availability if not administered effectively. The IT Process Institute has published research demonstrating that effective IT change management can bring significant benefits to organizations.

5334 Other Management Controls

Other typical management controls include vetting proce-dures for new staff performance measurement provision ofspecialist training for IT staff and disciplinary proceduresThese are listed in the Information Security ProgramElements in Appendix A and will be covered in greaterdetail in other GTAG publications

5.3.4 Physical and Environmental Controls

IT equipment represents a considerable investment for many organizations. It must be protected from accidental or deliberate damage or loss. Physical and environmental controls, originally developed for large data centers that house mainframe computers, are equally important in the modern world of distributed client-server and Web-based systems. Although the equipment commonly used today is designed for ease of use in a normal office environment, its value to the business and the cost and sensitivity of applications running business processes can be significant. All equipment must be protected, including the servers and workstations that allow staff access to the applications.

Some typical physical and environmental controls include:

• Locating servers in locked rooms to which access is restricted.
• Restricting server access to specific individuals.
• Providing fire detection and suppression equipment.
• Housing sensitive equipment, applications, and data away from environmental hazards such as low-lying flood plains or flammable liquid stores.

When considering physical and environmental security, it is also appropriate to consider contingency planning — also known as disaster recovery planning — which includes response to security incidents. What will the organization do if there is a fire or flood, or if any other threat manifests itself? How will the organization restore the business and related IT facilities and services to ensure normal processing continues with minimum effect on regular operations? This type of planning goes beyond merely providing for alternative IT processing power to be available and routine backup of production data; it must consider the logistics and coordination needed for the full scope of business activity. Finally, history consistently demonstrates that a disaster recovery plan that has not been tested successfully in a realistic simulation is not reliable.

5.3.5 Systems Software Controls

Systems software products enable the IT equipment to be used by the application systems and users. These products include operating systems such as Windows, UNIX, and Linux; network and communications software; firewalls; antivirus products; and database management systems (DBMS) such as Oracle and DB2.

Systems software can be highly complex and can apply to components and appliances within the systems and network environment. It may be configured to accommodate highly specialized needs and normally requires a high degree of specialization to maintain it securely. Configuration techniques can control logical access to the applications, although some application systems contain their own access controls, and may provide an opening for hackers to use to break into a system. Configuration techniques also provide the means to enforce division of duties, generate specialized audit trails, and apply data integrity controls through access control lists, filters, and activity logs.

IT audit specialists are required to assess controls in this area. Small organizations are unlikely to have the resources to employ such specialists and should consider outsourcing the work. Whether IT auditors are employed or outsourced, they require a highly specific set of knowledge. Much of this knowledge can come from experience, but such knowledge must be updated constantly to remain current and useful. Certification confirms that a technical specialist has acquired a specified set of knowledge and experience and has passed a related examination. In the IT audit world, global certificates include the Qualification in Computer Auditing (QiCA) from IIA–United Kingdom and Ireland, Certified Information Systems Auditor (CISA) available through the Information Systems Audit and Control Association (ISACA), and Global Information Assurance Certification (GIAC) Systems & Network Auditor (GSNA) from the SANS Institute's GIAC program. Additional certifications address general and specialized competence in information security, network administration, and other areas closely related to IT auditing and are useful for identifying an IT auditor's potential ability.

Some key technical controls the CAE should expect to find in a well-managed IT environment include:

• Access rights allocated and controlled according to the organization's stated policy.
• Division of duties enforced through systems software and other configuration controls.
• Intrusion and vulnerability assessment, prevention, and detection in place and continuously monitored.
• Intrusion testing performed on a regular basis.
• Encryption services applied where confidentiality is a stated requirement.
• Change management processes — including patch management — in place to ensure a tightly controlled process for applying all changes and patches to software, systems, network components, and data.
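The first two controls in the list above (access rights allocated according to a stated policy, and division of duties enforced through configuration) can be checked mechanically by comparing the roles each account holds with a written entitlement policy and with a list of incompatible role pairs. The following Python script is an added illustration of that check; it is not part of the GTAG text or of any IIA tool, and the job titles, role names, conflict pairs and user accounts are all constructed for the example.

```python
"""Added example (not from the GTAG text): compare the roles held by each
account with a written entitlement policy and a list of incompatible role
pairs. Job titles, role names, conflict rules and users are constructed."""
from dataclasses import dataclass

# Constructed entitlement policy: the roles each job function may hold.
PERMITTED_ROLES = {
    "ap_clerk": {"ap_invoice_entry"},
    "ap_supervisor": {"ap_invoice_approve", "vendor_master_maintain"},
    "treasury_analyst": {"payment_release"},
    "developer": {"deploy_test"},
    "it_operations": {"deploy_production", "server_admin"},
}

# Constructed division-of-duties rules: no single account may hold both
# roles of a pair, whatever its job title permits.
INCOMPATIBLE_ROLES = [
    ({"ap_invoice_entry", "ap_invoice_approve"},
     "can enter and approve the same invoice"),
    ({"vendor_master_maintain", "payment_release"},
     "can create a vendor and release payment to it"),
    ({"deploy_test", "deploy_production"},
     "can move own code to production without independent review"),
]


@dataclass(frozen=True)
class Account:
    user: str
    job: str
    roles: frozenset


def policy_findings(account):
    """Roles the account holds that its job function is not entitled to."""
    permitted = PERMITTED_ROLES.get(account.job, frozenset())
    return [f"{account.user}: role '{r}' is not permitted for job '{account.job}'"
            for r in sorted(account.roles - permitted)]


def sod_findings(account):
    """Incompatible role pairs held by one account."""
    return [f"{account.user}: division-of-duties conflict ({why})"
            for pair, why in INCOMPATIBLE_ROLES if pair <= account.roles]


def review_accounts(accounts):
    """Run both checks over every account; an empty list means clean."""
    findings = []
    for acct in accounts:
        findings.extend(policy_findings(acct))
        findings.extend(sod_findings(acct))
    return findings


# Constructed sample extract, shaped like an access-review export.
SAMPLE_ACCOUNTS = [
    Account("alice", "ap_clerk", frozenset({"ap_invoice_entry"})),
    Account("bob", "ap_clerk", frozenset({"ap_invoice_entry", "ap_invoice_approve"})),
    Account("carol", "it_operations", frozenset({"deploy_production", "deploy_test"})),
    Account("dave", "treasury_analyst", frozenset({"payment_release", "vendor_master_maintain"})),
]

if __name__ == "__main__":
    for line in review_accounts(SAMPLE_ACCOUNTS):
        print(line)
```

The two checks are deliberately separate: an account can hold only permitted roles and still breach division of duties if the policy itself grants an incompatible pair to one job, and an account can hold a single unpermitted role without any conflict. Reporting both gives the reviewer the policy defect and the provisioning defect as distinct findings.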

5.3.6 Systems Development and Acquisition Controls

Organizations rarely adopt a single methodology for all systems development projects. Methodologies are chosen to suit the particular circumstances of each project. The IT auditor should assess whether or not the organization develops or acquires application systems using a controlled method that subsequently provides effective controls over and within the applications and data they process. All computer application systems should perform only those functions the user requires, in an efficient way. By examining application development procedures, the auditor can gain assurance that applications work in a controlled manner.

Some basic control issues should be evident in all systems development and acquisition work:

• User requirements should be documented, and their achievement should be measured.
• Systems design should follow a formal process to ensure that user requirements and controls are designed into the system.
• Systems development should be conducted in a structured manner to ensure that requirements and design features are incorporated into the finished product.
• Testing should ensure that individual system elements work as required, system interfaces operate as expected, users are involved in the testing process, and the intended functionality has been provided.
• Application maintenance processes should ensure that changes in application systems follow a consistent pattern of control. Change management should be subject to structured assurance validation processes.

Where systems development is outsourced, the outsourcer or provider contracts should require similar controls.

Project management techniques and controls need to be part of the development process, whether developments are performed in-house or are outsourced. Management should know projects are on time and within budget and that resources are used efficiently. Reporting processes should ensure that management completely understands the current status of development projects and does not receive any surprises when the end product is delivered.

5.3.7 Application-based Controls

The objective of internal controls over application systems is to ensure that:

• All input data is accurate, complete, authorized, and correct.
• All data is processed as intended.
• All data stored is accurate and complete.
• All output is accurate and complete.
• A record is maintained to track the process of data from input to storage and to the eventual output.

Reviewing the application controls traditionally has been the "bread and butter" of the IT auditor. However, because application controls now represent a huge percentage of business controls, they should be the priority of every internal auditor. All internal auditors need to be able to evaluate a business process and understand and assess the controls provided by automated processes.

There are several types of generic controls that the CAE should expect to see in any application:

• Input Controls – These controls are used mainly to check the integrity of data entered into a business application, whether the source is input directly by staff, remotely by a business partner, or through a Web-enabled application. Input is checked to ensure that it remains within specified parameters.
• Processing Controls – These controls provide automated means to ensure processing is complete, accurate, and authorized.
• Output Controls – These controls address what is done with the data. They should compare results with the intended result and check them against the input.
• Integrity Controls – These controls can monitor data in process and/or in storage to ensure that data remains consistent and correct.
• Management Trail – Processing history controls, often referred to as an audit trail, enable management to track transactions from the source to the ultimate result and to trace backward from results to identify the transactions and events they record. These controls should be adequate to monitor the effectiveness of overall controls and identify errors as close as possible to their sources.
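As an added worked example (not from the GTAG text), the following Python batch-posting routine puts each of the five control types above into code on a constructed batch of payment records: field-level and batch-level input checks, a processing control that accounts for every record once, an output reconciliation against the amounts actually posted, a checksum that lets stored data be re-verified later, and an append-only management trail. The account format, amount limits, approver list and batch contents are hypothetical.

```python
"""Added example (not from the GTAG text): a miniature batch-posting job
carrying the five generic application controls. Account format, limits,
approvers and the batch itself are constructed for illustration."""
import hashlib
import json
import re
from decimal import Decimal, InvalidOperation

# Constructed input-control parameters.
ACCOUNT_PATTERN = re.compile(r"^ACC-\d{5}$")
MIN_AMOUNT, MAX_AMOUNT = Decimal("0.01"), Decimal("5000.00")
AUTHORIZED_APPROVERS = {"mgr01", "mgr02"}

# Constructed batch: the submitter's control totals plus detail records.
# T003 carries a negative amount; T004 has a malformed account number and
# an approver who is not on the authorized list.
BATCH = {
    "header": {"record_count": 4, "hash_total": "1600.00"},
    "records": [
        {"id": "T001", "account": "ACC-00123", "amount": "500.00", "approver": "mgr01"},
        {"id": "T002", "account": "ACC-00456", "amount": "1000.00", "approver": "mgr02"},
        {"id": "T003", "account": "ACC-00789", "amount": "-100.00", "approver": "mgr01"},
        {"id": "T004", "account": "acc00999", "amount": "200.00", "approver": "clerk9"},
    ],
}


def to_amount(value):
    """Parse a monetary field; None if it is not a valid decimal."""
    try:
        return Decimal(str(value))
    except InvalidOperation:
        return None


def validate_record(rec):
    """Input control (field level): edit checks on one record."""
    errors = []
    if not ACCOUNT_PATTERN.match(rec.get("account", "")):
        errors.append("account format")
    amount = to_amount(rec.get("amount", ""))
    if amount is None:
        errors.append("amount not numeric")
    elif not MIN_AMOUNT <= amount <= MAX_AMOUNT:
        errors.append("amount out of range")
    if rec.get("approver") not in AUTHORIZED_APPROVERS:
        errors.append("approver not authorized")
    return errors


def validate_batch_header(batch):
    """Input control (batch level): the submitter's record count and hash
    total must agree with the detail records actually received."""
    records = batch["records"]
    amounts = [to_amount(r.get("amount", "")) for r in records]
    if any(a is None for a in amounts):
        return False
    count_ok = len(records) == batch["header"]["record_count"]
    total_ok = sum(amounts) == Decimal(batch["header"]["hash_total"])
    return count_ok and total_ok


def ledger_checksum(ledger):
    """Integrity control: digest over the canonical form of stored data."""
    canonical = json.dumps({k: str(v) for k, v in ledger.items()}, sort_keys=True)
    return hashlib.sha256(canonical.encode()).hexdigest()


def verify_ledger(ledger, checksum):
    """Re-verify stored data against a checksum taken at posting time."""
    return ledger_checksum(ledger) == checksum


def process_batch(batch):
    trail = []          # management trail: one entry per event, never edited
    ledger = {}         # stored balances by account
    posted, rejected = [], []
    if not validate_batch_header(batch):
        trail.append({"step": "input", "record": "batch", "outcome": "rejected: control totals disagree"})
        return {"status": "batch_rejected", "trail": trail}
    trail.append({"step": "input", "record": "batch", "outcome": "control totals agree"})
    for rec in batch["records"]:
        errors = validate_record(rec)
        if errors:
            rejected.append(rec["id"])
            trail.append({"step": "input", "record": rec["id"], "outcome": "rejected: " + ", ".join(errors)})
            continue
        amount = to_amount(rec["amount"])
        before = ledger.get(rec["account"], Decimal("0"))
        ledger[rec["account"]] = before + amount
        posted.append(rec["id"])
        trail.append({"step": "process", "record": rec["id"],
                      "outcome": f"{rec['account']} {before} -> {ledger[rec['account']]}"})
    # Processing control: every input record was either posted or rejected.
    processing_ok = len(posted) + len(rejected) == len(batch["records"])
    # Output control: what the ledger now shows equals what was posted.
    posted_total = sum(to_amount(r["amount"]) for r in batch["records"] if r["id"] in posted)
    output_ok = sum(ledger.values(), Decimal("0")) == posted_total
    checksum = ledger_checksum(ledger)
    trail.append({"step": "output", "record": "batch",
                  "outcome": f"posted={len(posted)} rejected={len(rejected)} total={posted_total} checksum={checksum[:12]}"})
    return {"status": "complete", "ledger": ledger, "posted": posted, "rejected": rejected,
            "processing_ok": processing_ok, "output_ok": output_ok,
            "checksum": checksum, "trail": trail}
```

Two design points matter for an auditor reading the trail: the batch-level total is checked before any record is posted, so a batch that disagrees with its own header is refused whole rather than partially applied, and every record produces exactly one trail entry whether posted or rejected, so the trail can be traced forward from input to ledger and backward from a balance to the transactions that produced it.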


5.4 Information Security

Information security is an integral part of all IT controls. Information security applies to both infrastructure and data and is the foundation for the reliability of most other IT controls. The exceptions are controls relating to the financial aspects of IT (e.g., ROI, budgetary controls) and some project management controls. The universally accepted elements of information security are:

• Confidentiality – Confidential information must only be divulged as appropriate and must be protected from unauthorized disclosure or interception. Confidentiality includes privacy considerations.
• Integrity – Information integrity refers to the state of data as being correct and complete. This specifically includes the reliability of financial processing and reporting.
• Availability – Information must be available to the business, its customers, and partners when, where, and in the manner needed. Availability includes the ability to recover from losses, disruption, or corruption of data and IT services, as well as from a major disaster where the information was located.

5.5 IT Controls Framework

IT controls are not automatic. For the more than 50 years organizations have used IT, controls have not always been the default condition of new systems, hardware, or software. The development and implementation of controls typically lag behind the recognition of vulnerabilities in systems and the threats that exploit such vulnerabilities. Further, IT controls are not defined in any widely recognized standard applicable to all systems or to the organizations that use them.

Many frameworks exist for categorizing IT controls and their objectives. Each organization should use the most applicable components of these frameworks to categorize or assess IT controls and to provide and document its own internal control framework for:

• Compliance with applicable regulations and legislation.
• Consistency with the organization's goals and objectives.
• Reliable evidence (assurance) that activities are in compliance with management's governance policies and are consistent with the organization's risk appetite.

Risk Appetite

An organization's risk appetite defines the degree of risk a company or other organization is willing to accept in pursuit of its goals, as determined by executive management and governance. Risk appetite can specify, for example, whether or not an organization will take an aggressive role in the deployment of new and emerging technologies. An organization's risk appetite can be affected by its industry and regulatory environment. Closely related to risk appetite is an organization's risk tolerance, which measures how far it is willing to deviate from its stated measure of risk appetite.

Many issues drive the need for IT controls, including controlling costs and remaining competitive, protecting against information theft by hackers, and complying with legislation and regulation such as the U.S. Sarbanes-Oxley Act of 2002 [2], the European Union's Data Protection Directive, and related legislation in other countries. IT controls promote reliability and efficiency and allow the organization to adapt to changing risk environments. For example, any control that mitigates or detects fraud or cyber attacks enhances the organization's resiliency by helping the organization uncover the risk and manage its impact. Resiliency is a result of a strong system of internal controls that give an organization the ability to manage disruptions seamlessly.

Legislation and regulations in some countries now require organizations to report on the effectiveness of internal control and, by implication, the effectiveness of IT control. The most prominent new law is Sarbanes-Oxley, which requires all companies with shares that are publicly traded in the United States, and their foreign subsidiaries, to report on their system of internal controls over financial reporting, performed in conjunction with an audit of financial statements. A list of some of the legislation and regulations applicable to internal controls is provided in Appendix B (see page 24).

The need for controls is further driven by the complexity resulting from the necessity for diverse technical components to work with one another. While flexibility and adaptability of IT are crucial to meeting the changing needs of customers and business partners and responding to competitive pressures, they also add complexity to business and IT infrastructures. In addition, information security has been acknowledged as a key component of internal control with the emergence and widespread acceptance of standards such as the International Organization for Standardization Code of Practice for Information Security Management (ISO 17799).

Organizations that implement effective IT controls experience improvements in efficiencies, reliability of services, flexibility of systems, and availability of assurance evidence — all of which add value and increase stakeholder and regulator confidence in the organization. Some key indicators of effective IT controls include:

• The ability to execute planned new work, such as the IT infrastructure upgrades required to support new products and services.
• Delivery of development projects on time and within budget, resulting in cheaper and better product and service offerings when compared with competitors.
• Ability to allocate resources predictably.
• Consistent availability and reliability of information and IT services across the organization and for customers, business partners, and other external interfaces.
• Clear communication to management of effective controls.
• The ability to protect against new vulnerabilities and threats quickly and efficiently, and to recover from any disruption of IT services.
• The efficient use of a customer support center or help desk.
• A security-conscious culture among end users throughout the organization.

Although the internal audit function likely will include specialist IT auditors to address IT issues in detail, the CAE also should understand IT control issues at a high level, particularly their interactions with other IT and non-IT controls. This understanding is particularly important when discussing compliance or control deficiencies with high-level managers such as the chief executive officer (CEO), chief financial officer (CFO), or chief information officer (CIO), and with the various board committees.

The CAE should be able to discuss relevant regulations and legislation with the audit committee, the chief legal counsel, and other relevant individuals and committees. The CAE also should understand how IT controls support reliability and effectiveness and help promote competitive advantage. Moreover, the CAE should thoroughly understand the major issues that drive the need for controls within the organization's particular sector to ensure they are considered during audit assessments. Without a thorough knowledge and understanding of IT controls, the auditor will be unable to grasp their significance or to assess them adequately as part of the overall review of internal control.

GTAG — Importance of IT Controls — 6


[2] Public Accounting Reform and Investor Protection Act of 2002, known as Sarbanes-Oxley after its sponsors, U.S. Sen. Paul Sarbanes and U.S. Rep. Michael Oxley.

GTAG — IT Roles in the Organization — 7

Many different roles have emerged in recent years for positions within the organization with responsibilities and ownership of IT controls. Each position at the governance, management, operational, and technical levels should have a clear description of its roles and responsibilities for IT controls to avoid confusion and ensure accountability for specific issues. This section addresses the various IT control roles and responsibilities within the organization and allocates them to specific positions within a hypothetical organizational structure.

There is no universally applicable means of defining the organizational structure for IT control. The CAE should identify where IT control responsibilities lie and assess their appropriateness with regard to separation of duties, as well as any gaps that may exist in assigned responsibilities. Once this is done, the CAE will know whom to approach to discuss specific IT issues and where specific information can be obtained.

Overall, the objectives for the use of IT within any organization are:

• To deliver reliable information efficiently and secure IT services in line with the organization's strategies, policies, external requirements, and risk appetite.
• To protect stakeholder interests.
• To enable mutually beneficial relationships with customers, business partners, and other outside parties that accomplish business objectives.
• To identify and respond to threats and potential violations of control appropriately.

Specific roles within the organization support these objectives. The position descriptions and titles will differ across different countries, industries, and organizations, and some of the roles may be merged within smaller organizations. However, some individuals within the organization must address the IT control function and interact with the CAE and internal audit staff members.

7.1 Board of Directors/Governing Body

One important role of the full board of directors is to determine and approve strategies, set objectives, and ensure that objectives are being met to support the strategies. In relation to IT, this requires:

• Awareness of the key IT topics, such as the IT and information security policies and the concepts of risk as they relate to IT. An example of board roles in IT oversight is provided in The IIA's "Information Security Management and Assurance Series" at www.theiia.org/iia/index.cfm?doc_id=2458.
• Understanding of the IT strategy's infrastructure and components, as well as awareness of key system development and acquisition projects and how they support and impact overall corporate strategies, objectives, and short- and long-term budgets.
• Approval of the data classifications structure and the related access rights.

The board will establish various committees based on its relationships with the organization. The most common committees of the board are audit, compensation, and governance, but some boards have additional committees such as a risk management committee or finance committee. These committees may bear different names from those identified below, and their roles may vary. The functions, rather than the names, are important.

7.1.1 Audit Committee

The role of the audit committee encompasses oversight of financial issues, internal control assessment, risk management, and ethics. IT control is a strong element of each of these duties and calls for:

• Understanding of financial management (financial expert role) and the organization's reliance on IT for financial processing and reporting.
• Ensuring IT topics are included in the committee meeting agenda — especially CIO reporting.
• Ensuring general IT controls and controls in business application systems and processes involved in preparing financial statements are assessed and tested adequately.
• Overseeing the overall assessment of IT controls.
• Reviewing the business and control issues related to new systems development and acquisition.
• Examining internal and external audit plans and work to ensure IT topics are covered adequately.
• Reviewing the results of audit work and monitoring the resolution of issues raised.
• Understanding the IT topics that impact ethics monitoring.

7.1.2 Compensation Committee

The compensation committee has no direct relationship with IT. However, it can improve the board's oversight of IT by making IT one of the performance elements of any compensation plan it approves.

7.1.3 Governance Committee

The governance committee is responsible for board member selection and assessment and for leadership of the board's operations. In relation to IT, this committee should:

• Ensure that potential and current board members have a suitable IT knowledge or background.
• Assess board committees' performance in terms of their oversight of IT.
• Review any external regulatory governance assessments in relation to IT topics.
• Ensure that the board reviews IT policies periodically and that board meetings focus on IT with adequate frequency.

7.1.4 Risk Management Committee

The risk management committee is responsible for oversight of all risk analysis and assessment, risk response, and risk monitoring. Its role includes:

• Assessing the extent to which management has established effective enterprise risk management in the organization.
• Being aware of and concurring with the organization's risk appetite and tolerance.
• Appreciating the impact of IT-related risks.
• Reviewing the organization's risk portfolio — including IT risks — and considering it against the organization's risk appetite.
• Being apprised of the most significant IT risks and determining whether or not management's response to changes in risk and threats is appropriate.
• Monitoring and evaluating all activities performed by management to minimize all known and documented risks.

7.1.5 Finance Committee

The main role of the finance committee is to review financial statements, cash flow projections, and investment management. Members of this committee need to understand the control elements of IT that ensure the accuracy of information used to make key financing decisions and generate financial reports. They also should consider, and ask management to report on, the benefits and costs of maintaining — versus replacing — critical IT systems. Management's report should consider "soft" efficiency issues such as gains or losses to productivity based on ease and efficiency of use, the "hard" costs of repairs and upgrades, and the potential for risk due to loss or corruption of data.

7.2 Management

Several specific roles have emerged in large organizations in relation to IT risk and control. As stated previously, small organizations might not allocate an individual for each role, although the function must still be performed. An individual may perform multiple roles, but care must be taken so that allocating these roles does not compromise the need for division of duties where roles are incompatible. Where IT is outsourced, there is still a requirement for organizations to keep many of these roles in-house to provide oversight of the outsourced functions.

7.2.1 Chief Executive Officer

The individual with overall strategic and operational control of the organization must consider IT in most aspects of the role. In particular, the CEO will:

• Define corporate objectives and performance measures in relation to IT.
• Act as custodian over the organization's critical success factors in relation to IT.
• Understand and approve the short-term and long-range strategy for IT.
• Approve IT resources for the organization, including structure and oversight/monitoring.
• Determine IT issues for periodic management, board, and staff discussion.
• Operate as the highest-level control owner, having ultimate responsibility for the success or failure of controls and for coordinating all other operational managers within their responsibilities framework who act as control owners of their particular areas.

7.2.2 Chief Financial Officer

The CFO has overall responsibility for all financial matters in the organization and should have a strong understanding of the use of IT, both to enable financial management and to support corporate objectives. This individual should have an overall understanding of:

• The total cost of ownership for IT initiatives.
• The entity's IT strategies for remaining technologically competitive.
• The technologies used to implement financial applications.
• The operation of specific financial applications.
• The limitations and benefits of IT.
• The IT control structure for general controls that apply to all business systems and data, as well as controls that are specific to financial applications.

The CFO should operate as the highest-level control owner for financial systems and data.

IT Controls and Ethics

As evidenced in the Equity Funding cases in the 1970s to the scandals that continue to emerge today, the use of technology creates significant opportunities to initiate and perpetuate fraud and deception. The authority to override certain controls brings with it the temptation to initiate improper actions. If such improprieties go unnoticed or are tacitly allowed to continue, they can grow into outright fraud. Therefore, when an organization provides an individual the opportunity to perform actions on behalf of the organization, it has a corresponding responsibility to provide monitoring to detect and correct improper activities quickly. The organization also has a responsibility to identify threats of this sort and to establish safeguards as a preventive measure. The same technology tools that can create the opportunity for fraud can be used to identify activities or even unusual patterns in transactions or other data that may indicate evidence of fraud or questionable behavior.

7.2.3 Chief Information Officer

The CIO has overall responsibility for the use of IT within the organization. In relation to IT controls, the CIO should:

• Understand the business requirements that drive the need to implement IT.
• Develop IT partnerships with business management to:
  – Ensure IT strategy is aligned with the business strategy.
  – Ensure compliance.
  – Profit from process-efficiency gains.
  – Mitigate assessed risks.
• Design, implement, and maintain an IT internal control framework.
• Plan, source, and control IT resources.
• Explore, assess, select, and implement technology advances (e.g., wireless communications).
• Provide training for IT personnel to ensure that levels of knowledge and skills remain current.
• Operate as the highest-level data/system custodian and IT control owner.
• Measure the operational performance of IT in support of business objectives by:
  – Setting expectations.
  – Evaluating results.
• Develop all necessary means to verify and acknowledge that IT is providing services and support as expected by its users and final customers, such as regulators and external and internal auditors.

7.2.4 Chief Security Officer

The chief security officer (CSO) is responsible for all security across the entire organization, including information security, which may be the responsibility of a chief information security officer as well. The CSO:

• Has responsibility for documenting the enterprise security policy and for ensuring mechanisms have been established to communicate and enforce the policy.
• Has overall responsibility for logical and physical security in the organization and for all external connections to the Internet or other networks.
• Acts as a key link between the compliance, legal, CIO, and audit functions.
• Is at the forefront of implementing key compliance programs affecting IT, such as Sarbanes-Oxley and the European Union (EU) Data Protection Directive.
• Is responsible for business continuity planning, including incident handling and disaster recovery.
• Ensures that security staff provide support for implementing controls at all levels.
• Acts as the key leader for investigating and evaluating new best practices that may be incorporated into the organization.

7.2.5 Chief Information Security Officer (CISO)

Information security is a subset of the overall security role. The CISO:

• Develops and implements the information security policy in coordination with the CSO.
• Controls and coordinates information security resources, ensuring they are allocated adequately to meet the organization's security objectives.
• Ensures alignment of information security and business objectives.
• Manages operational information risks throughout the organization.
• Oversees security within the IT organization.
• Provides education and awareness on information security issues and new best practices.
• Develops end-user policies for the usage of IT information in conjunction with the human resources function.
• Coordinates information security work with the chief risk officer (CRO) and CIO.
• Advises the CEO, CRO, CIO, and board on IT risk issues.
• Acts as a key link for the CAE when internal auditing performs IT control-related audits.

7.2.6 Chief Legal Counsel (CLC)

Legal counsel may be an employee or officer of the organization or an external legal adviser. The role involves:

• Understanding and dealing with the liabilities arising out of information disclosures and providing policy-level guidance to help manage risks related thereto.
• Ensuring financial reports and presentations comply with laws and regulations.
• Understanding IT legal issues and advising on legal risks related to IT.
• Managing organizational reputation in relation to legal issues, compliance, and public relations.
• Understanding fraud involving IT.
• Managing IT contractual issues.
• Understanding investigative forensics protocols regarding suspected criminal activity.

7.2.7 Chief Risk Officer

The CRO is concerned with managing risk at all levels of the organization. Because IT risks form a part of this function, the CRO will consider them with the help of the CISO. This includes:

• Analysis and assessment of IT risk exposures, including information compromises such as loss, damage, unauthorized disclosure, and interrupted access.
• Assessment of IT events such as interruptions, disasters, and changes.
• Analysis and assessment of business risk as it is affected by IT risk.
• Monitoring, supporting, and acting as a mentor for all IT activities related to minimizing risks.

7.3 Audit

7.3.1 Internal Auditing – CAE and Audit Staff

Internal auditing is an essential part of the corporate governance process, whether or not a specific internal audit group is employed. Internal auditors need a general understanding of IT, but the level of their understanding will vary depending on the category of auditing or audit supervision they perform (IIA Standard 1210.A3). The IIA defines three categories of IT knowledge for internal auditors; Appendix C (see page 28) describes these categories. The internal audit role in relation to IT involves:

bull Advising the audit committee and senior management on IT internal control issues

bull Ensuring IT is included in the audit universe andannual plan (selecting topics)

bull Ensuring IT risks are considered when assigningresources and priorities to audit activities

bull Defining IT resources needed by the internal auditdepartment including specialized training of auditstaff

bull Ensuring that audit planning considers IT issues foreach audit

bull Liaising with audit clients to determine what theywant or need to know

• Performing IT risk assessments
• Determining what constitutes reliable and verifiable evidence
• Performing IT enterprise-level controls audits
• Performing IT general controls audits
• Performing IT application controls audits
• Performing specialist technical IT controls audits
• Making effective and efficient use of IT to assist the audit processes
• During systems development or analysis activities, operating as experts who understand how controls can be implemented and circumvented

• Helping to monitor and verify the proper implementation of activities that minimize all known and documented IT risks

7.3.2 External Auditor

Independent external audits are a requirement for most organizations and normally are performed annually. Topics to be considered by the internal audit department and the audit committee include:

• The extent of the external auditor's responsibilities for understanding and evaluating the IT system and related IT controls during financial audits

• The scope of the external auditor's responsibilities for examining the IT system and controls during any formal attestation that may be required by statute or regulation, such as internal controls over financial reporting and other regulatory requirements

GTAG – IT Roles in the Organization – 7

[3] These definitions are taken from the COSO Enterprise Risk Management – Integrated Framework (October 2004).

8.1 Risk Determines Response

IT controls are selected and implemented on the basis of the risks they are designed to manage. As risks are identified, through experience or formal risk assessment, suitable risk responses are determined, ranging from doing nothing and accepting the risk as a cost of doing business to applying a wide range of specific controls, including insurance.

It would be a relatively straightforward task to create a list of recommended IT controls that must be implemented within each organization. However, each control has a specific cost that may not be justified in terms of cost effectiveness when considering the type of business done by the organization. Furthermore, no list of controls is universally applicable across all types of organizations. Although there is a lot of good advice available on the choice of suitable controls, strong judgment must be used: controls must be appropriate for the level of risk faced by the organization.

The CAE should be able to advise the audit committee that the internal control framework is reliable and provides a level of assurance appropriate to the risk appetite of the organization. In this respect, the risk appetite of the organization is defined by COSO [3] as:

"... the degree of risk, on a broad-based level, that a company or other organization is willing to accept in pursuit of its goals. Management considers the organization's risk appetite first in evaluating strategic alternatives, then in setting objectives aligned with the selected strategy, and in developing mechanisms to manage the related risks."

In addition, the CAE should consider risk tolerance. COSO defines risk tolerance as:

"... the acceptable level of variation relative to the achievement of objectives. In setting specific risk tolerances, management considers the relative importance of the related objectives and aligns risk tolerances with its risk appetite."

Thus, the CAE should consider whether or not:

• The organization's IT environment is consistent with the organization's risk appetite
• The internal control framework is adequate to ensure that the organization's performance remains within the stated risk tolerances

8.2 Risk Considerations in Determining the Adequacy of IT Controls

Risk management applies to the entire spectrum of activity within an organization, not just to the application of IT. IT cannot be considered in isolation but must be treated as an integral part of all business processes. Choosing IT controls is not simply a matter of implementing those recommended as best practices; they must add value to the organization by reducing risk efficiently and increasing effectiveness.

When considering the adequacy of IT controls within the organization's internal control framework, the CAE should consider the processes established by management to determine:

• The value and criticality of information
• The organization's risk appetite and tolerance for each business function and process
• IT risks faced by the organization and the quality of service provided to its users
• The complexity of the IT infrastructure
• The appropriate IT controls and the benefits they provide
• Harmful IT incidents in the past 24 months

The frequency of risk analysis is important and is influenced greatly by technological change. In a static business and technical infrastructure environment, the risk assessment process could be as infrequent as yearly, or could be performed in concert with a major implementation project.

8.2.1 The IT Infrastructure

Analyzing and assessing risk in relation to IT can be complex. The IT infrastructure consists of hardware, software, communications, applications, protocols (rules), and data, as well as their implementation within physical space, within the organizational structure, and between the organization and its external environment. Infrastructure also includes the people interacting with the physical and logical elements of systems.

The inventory of IT infrastructure components reveals basic information about the vulnerabilities of the environment. For example, business systems and networks connected to the Internet are exposed to threats that do not exist for self-contained systems and networks. Because Internet connectivity is an essential element of most business systems and networks, organizations must make certain that their systems and network architectures include the fundamental controls that ensure basic security.

The complete inventory of the organization's IT hardware, software, network, and data components forms the foundation for assessing the vulnerabilities within the IT infrastructure that may impact internal controls. Systems architecture schematics reveal the implementation of infrastructure components and how they interconnect with other components within and outside the organization. To the information security expert, the inventory and architecture of IT infrastructure components, including the placement of security controls and technologies, reveal potential vulnerabilities. Unfortunately, information about a system or network can also reveal vulnerabilities to a potential attacker, so access to such information must be restricted to only those people who need it. A properly configured system and network environment will minimize the amount of information it provides to would-be attackers, and an environment that appears secure presents a less attractive target to most attackers.

GTAG – Analyzing Risk – 8

8.2.2 IT Risks Faced by the Organization

The CAE discusses IT risk issues with the CIO and process owners to ensure that all related parties have an appropriate awareness and understanding of the technical risks faced by the organization through the use of IT, and of their roles in applying and maintaining effective controls.

8.2.3 Risk Appetite and Tolerance

Armed with the knowledge of IT risks, the auditor can validate the existence of effective controls to meet the established risk appetite of the organization and its risk tolerance in relation to IT. The auditor's assessment will involve discussions with many members of management and, ultimately, with the board. The level of detail of these discussions can be determined by the CRO with input from the CIO, CISO, CSO, CAE, and process owners. The final decision regarding risk appetite and tolerance must be made by the risk committee, with input from the audit committee, and must be endorsed by the full board. The definitions of risk appetite and tolerance must be communicated to all relevant managers for implementation.

The goal of enterprise risk management is to ensure that everyone is working with the same level and understanding of risk, and that decisions made at all levels of management are consistent with the organization's risk appetite.

8.2.4 Performing Risk Analysis

Performing risk analysis is not the sole preserve of either the CRO or the CAE, although both of them, or their representatives, should be involved along with representatives from IT and the business areas.

There are eight basic questions associated with the risk assessment process. The first five include:

• What are the assets at risk, and the value of their confidentiality, integrity, and availability?

• What could happen to affect that information asset value adversely (threat event)? Implicit in this question is the vulnerability analysis and the mapping of vulnerabilities to threats and potentially impacted information assets.

• If a threat event happened, how bad could its impact be?

• How often might the event be expected to occur (frequency of occurrence)?

• How certain are the answers to the first four questions (uncertainty analysis)?

The next three questions apply to risk mitigation analysis:

• What can be done to reduce the risk?
• How much will it cost?
• Is it cost-efficient?
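The eight questions above can be carried through as a small calculation. The following Python block is an added worked example and is not part of the GTAG; the breach scenario, the three-point estimates, the control costs and the loss-reduction fractions are constructed assumptions for illustration only. It uses low/likely/high estimates for impact and frequency so that the uncertainty analysis of question five is explicit, computes the annualized loss expectancy and its range, and then answers questions six to eight for each candidate control by comparing the loss it avoids with what it costs, with "accept the risk" included as the do-nothing option.

```python
"""Worked IT risk analysis following the eight risk-assessment questions.

Added example, not from the GTAG. Asset values, loss ranges, frequencies and
control costs below are constructed for illustration only.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ThreePoint:
    """Low / most likely / high estimate: the uncertainty analysis (question 5)
    is carried as a range instead of pretending to know a single number."""
    low: float
    likely: float
    high: float

    def expected(self) -> float:
        # PERT weighting: the most likely value counts four times.
        return (self.low + 4 * self.likely + self.high) / 6


@dataclass(frozen=True)
class Scenario:
    """Questions 1-4: asset, threat event, impact per event, events per year."""
    asset: str
    threat: str
    impact_per_event: ThreePoint   # currency units lost per event
    events_per_year: ThreePoint    # annual rate of occurrence

    def annual_loss(self) -> float:
        """Annualized loss expectancy: expected impact x expected frequency."""
        return self.impact_per_event.expected() * self.events_per_year.expected()

    def annual_loss_range(self) -> tuple[float, float]:
        """Optimistic and pessimistic bounds, so the reader sees the spread."""
        best = self.impact_per_event.low * self.events_per_year.low
        worst = self.impact_per_event.high * self.events_per_year.high
        return best, worst


@dataclass(frozen=True)
class Control:
    """Questions 6-8: a candidate mitigation, its annual cost, and the fraction
    of the annual loss it is expected to remove (1.0 = eliminates the risk)."""
    name: str
    annual_cost: float
    loss_reduction: float


def evaluate(scenario: Scenario, control: Control) -> dict:
    """Return the figures needed to decide between accepting and controlling the risk."""
    if not 0.0 <= control.loss_reduction <= 1.0:
        raise ValueError("loss_reduction must be a fraction between 0 and 1")
    gross = scenario.annual_loss()
    avoided = gross * control.loss_reduction
    net_benefit = avoided - control.annual_cost
    return {
        "control": control.name,
        "gross_ale": round(gross, 2),
        "residual_ale": round(gross - avoided, 2),
        "net_benefit": round(net_benefit, 2),
        # Cost-efficient only if the control avoids more loss than it costs.
        "cost_efficient": net_benefit > 0,
    }


def rank_controls(scenario: Scenario, controls: list[Control]) -> list[dict]:
    """Best net benefit first; 'accept the risk' is the do-nothing baseline."""
    do_nothing = Control("accept the risk", annual_cost=0.0, loss_reduction=0.0)
    results = [evaluate(scenario, c) for c in [do_nothing, *controls]]
    return sorted(results, key=lambda r: r["net_benefit"], reverse=True)


# Constructed scenario: unauthorized disclosure of a customer database.
CUSTOMER_DB_BREACH = Scenario(
    asset="customer database (confidentiality)",
    threat="unauthorized disclosure via compromised administrator credentials",
    impact_per_event=ThreePoint(low=50_000, likely=200_000, high=1_200_000),
    events_per_year=ThreePoint(low=0.05, likely=0.2, high=0.5),
)

# Constructed candidate responses (assumed costs and effectiveness).
CANDIDATE_CONTROLS = [
    Control("multifactor authentication for DB administrators", 40_000, 0.6),
    Control("full database activity monitoring", 150_000, 0.7),
    Control("cyber insurance (share the risk)", 30_000, 0.25),
]

if __name__ == "__main__":
    print("ALE range:", CUSTOMER_DB_BREACH.annual_loss_range())
    for row in rank_controls(CUSTOMER_DB_BREACH, CANDIDATE_CONTROLS):
        print(row)
```

With the constructed numbers the expected annual loss is 76,875 (between 2,500 and 600,000 at the extremes), and only the cheapest control avoids more loss than it costs; the more thorough monitoring product and the insurance both rank below simply accepting the risk. That is the point of questions seven and eight: a control that is effective is not automatically cost-efficient.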

8.2.5 Value of Information

Determining the value of the information processed and stored is not an easy task, due to the multidimensional nature of value. The Generally Accepted Information Security Principles (GAISP) Guidelines for Information Valuation, published by the Information Systems Security Association (www.issa.org), address information value within the following categories:

• Exclusive possession: cost in the event of a breach of confidentiality
• Utility: cost in the event of a loss of integrity
• Cost of creation/re-creation
• Liability in the event of litigation
• Convertibility/negotiability: represents market value
• Operational impact of unavailability

8.2.6 Appropriate IT Controls

Finally, appropriate IT controls must be chosen and implemented to address the risks identified. Much advice is available on this subject; see Appendix I (page 45).

The CAE and internal audit group should be involved in the process of analyzing and assessing risk. While they should operate in a manner that maintains the independence and objectivity of their function, they also must provide an opinion on the effectiveness of the internal control framework.

8.3 Risk Mitigation Strategies

When risks are identified and analyzed, it is not always appropriate to implement controls to counter them. Some risks may be minor, and it may not be cost effective to implement expensive control processes for them.

In general, there are several ways to mitigate the potential impact of risks:

• Accept the risk. One of the primary functions of management is managing risk. Some risks are minor because their impact and probability of occurrence are low. In this case, consciously accepting the risk as a cost of doing business is appropriate, as is periodically reviewing the risk to ensure its impact remains low.

• Eliminate the risk. It is possible for a risk to be associated with the use of a particular technology, supplier, or vendor. The risk can be eliminated by replacing the technology with more robust products and by seeking more capable suppliers and vendors.

• Share the risk. Risk mitigation approaches can be shared with trading partners and suppliers. A good example is outsourcing infrastructure management. In such a case, the supplier mitigates the risks associated with managing the IT infrastructure by being more capable and having access to more highly skilled staff than the primary organization. Risk also may be mitigated by transferring the cost of realized risk to an insurance provider.

• Control/mitigate the risk. Where other options have been eliminated, suitable controls must be devised and implemented to prevent the risk from manifesting itself or to minimize its effects.


8.4 Control Characteristics to Consider

Some of the issues to be addressed during the IT control evaluation process include:

• Is the control effective?
• Does it achieve the desired result?
• Is the mix of preventive, detective, and corrective controls effective?
• Do the controls provide evidence when control parameters are exceeded or when controls fail? How is management alerted to failures, and which steps are expected to be taken?
• Is evidence retained (audit or management trail)?

8.5 Baseline IT Controls

IT controls are to be applied when mitigating the risk is the best option. While IT controls should be applied with due regard to the relevant risks, there is a basic set of controls that needs to be in place to provide a fundamental level of IT hygiene. For example, the use of a firewall to control traffic between a corporate network and a public network such as the Internet, or between internal network domains, is a baseline control. The level of risk associated with the business value and sensitivity of the network traffic, the services provided, and the information stored in the infrastructure determines the extent to which firewalls restrict traffic entering and leaving an organization's networks. Firewalls are a physical and logical manifestation of information security policy elements that dictate what is allowed into or out of an organization.

IT controls most widely applicable to all IT infrastructures are known as baseline controls. There are many types of baseline controls. Two baselines that apply to IT security controls are the Digital Dozen from the VISA Cardholder Information Security Program (CISP) and the Fundamental Five from the Center for Internet Security (see the sidebars below). The Fundamental Five and Digital Dozen complement each other.

It is not easy to define the baseline IT controls, because general threats such as malicious software and hacking change, and newer technologies and applications frequently are implemented across the organization. The following questions can be considered when selecting a suitable set of baseline controls:

• Do IT policies, including policies for IT controls, exist?
• Have responsibilities for IT and IT controls been defined, assigned, and accepted?
• Are IT infrastructure, equipment, and tools logically and physically secured?
• Are access and authentication control mechanisms used?
• Is antivirus software implemented and maintained?
• Is firewall technology implemented in accordance with policy (e.g., where external connections such as the Internet exist, and where separation between internal networks is needed)?
• Are external and internal vulnerability assessments completed, and risks identified and appropriately resolved?
• Are change and configuration management and quality assurance processes in place?
• Are structured monitoring and service measurement processes in place?
• Are specialist IT audit skills available (either internally or outsourced)?

Further information on baseline controls can be found in Appendix I (page 45). More comprehensive information on risk analysis and management can be found in the IIA paper Information Security Management and Assurance: A Call to Action for Corporate Governance, http://www.theiia.org/eSAC/pdf/BLG0331.pdf.


Fundamental Five

The Consensus Benchmarks from the Center for Internet Security (www.cisecurity.org) provide guidance on the "Fundamental Five" of basic security hygiene. Use of these benchmarks typically results in an 80 percent to 95 percent reduction of known vulnerabilities.

1. Identity and Access Management (including privilege assignment and authentication)
2. Change Management (including patch management)
3. Configuration Management
4. Firewalls (workstation, host, sub-network, and perimeter)
5. Malware protection (including worms and viruses)

Digital Dozen

One of the most concise and broadly useful summaries of security guidance is the VISA CISP, which has proven its value for over two years in use by VISA credit card network service providers, including banks, processors, merchants, and others. VISA refers to these requirements as its "Digital Dozen":

1. Install and maintain a working firewall to protect data
2. Keep security patches up to date
3. Protect stored data
4. Encrypt data sent across public networks
5. Use and regularly update anti-virus software
6. Restrict access by need to know
7. Assign a unique identification code (ID) to each person with computer access
8. Don't use vendor-supplied defaults for passwords and security parameters
9. Track all access to data by unique ID
10. Regularly test security systems and processes
11. Implement and maintain an information security policy
12. Restrict physical access to data


9.1 Choosing a Control Framework

The process of identifying and assessing the IT controls necessary to address specific risks is aided considerably by the organization's adoption of a formal control framework. This framework should apply to, and be used by, the whole organization, not just internal auditing. Although many frameworks exist, no single framework covers every possible business type or technology implementation.

A control framework is a structured way of categorizing controls to ensure that the whole spectrum of control is adequately covered. The framework can be informal or formal. A formal approach will satisfy the various regulatory or statutory requirements faced by many organizations more readily.

Each organization should examine existing control frameworks to determine which of them, or which parts, most closely fit its needs. The process of choosing or constructing a control framework should involve all positions in the organization with direct responsibility for controls. The CAE should be involved in the decision process, because the internal audit function will assess the framework's adequacy and use it as a context for planning and performing audit work.

The CAE needs an overall knowledge of IT risk issues to assess the effectiveness and appropriateness of IT controls. The CAE will base the audit plan and allocate audit resources according to the IT areas and issues that merit attention due to their inherent levels of risk. Risk analysis and assessment cannot be viewed as a one-time process, especially when applied to IT, because technology changes constantly and rapidly, as do the associated risks and threats. Categorizing IT controls according to their organizational placement, purpose, and functionality is useful in assessing their value and adequacy, as well as the adequacy of the system of internal controls. Knowledge of the range of available IT controls, the driving forces for controls, and organizational roles and responsibilities allows for comprehensive risk analysis and assessments. In assessing control effectiveness, it is also useful to understand whether the controls are mandated or voluntary, discretionary or nondiscretionary, manual or automated, primary or secondary, and subject to management override.

Finally, the assessment of IT controls involves selecting key controls for testing, evaluating test results, and determining whether or not evidence indicates any significant control weaknesses. The checklist in Appendix H can help the CAE ensure all relevant issues have been considered when planning and directing internal audit assessments of IT controls. Several existing frameworks and approaches can assist the CAE and other managers when determining IT control requirements. However, organizations should investigate enough frameworks to determine which one best fits their own needs and culture. A partial list of available frameworks is provided in Appendix D (page 29).

The COSO Internal Control – Integrated Framework (1992) is accepted by the US Public Company Accounting Oversight Board (PCAOB) for the purpose of reporting compliance with financial reporting provisions, but it is not specific to all areas of IT. This framework is considered to be a "suitable, recognized" framework to adopt for Sarbanes-Oxley compliance because it covers all areas of IT implementation, albeit at a high level of abstraction (see Figure 5, COSO Model for Technology Controls).

GTAG – Monitoring and Techniques – 9

COSO Model for Technology Controls

Monitoring
• Monthly metrics from technology performance
• Technology cost and control performance analysis
• Periodic technology management assessments
• Internal audit of technology enterprise
• Internal audit of high-risk areas

Control Activities
• Review board for change management
• Comparison of technology initiatives to plan and return on investment
• Documentation and approval of IT plans and systems architecture
• Compliance with information and physical security standards
• Adherence to business continuity risk assessment
• Technology standards compliance enforcement

Information and Communication
• Periodic corporate communications (intranet, e-mail, meetings, mailings)
• Ongoing technology awareness of best practices
• IT performance survey
• IT and security training
• Help desk ongoing issue resolution

Risk Assessment
• IT risks included in overall corporate risk assessment
• IT integrated into business risk assessments
• Differentiate IT controls for high-risk business areas/functions
• IT internal audit assessment
• IT insurance assessment

Control Environment
• Tone from the top: IT and security controls considered important
• Overall technology policy and information security policy
• Corporate Technology Governance Committee
• Technology Architecture and Standards Committee
• Full representation of all business units

Figure 5 - COSO Model for Technology Controls

9.2 Monitoring IT Controls

Determining where to apply control monitoring and assessment, and their frequency, is not easy. Participation by the auditor in risk analysis exercises and implementation of a suitable control framework help ensure that the CAE has sufficient information to create a suitable audit plan to address the major IT risks.

Ultimately, management is responsible for monitoring and assessing controls. The auditor's monitoring and assessments are performed to independently attest to management's assertions regarding the adequacy of controls. Management's control monitoring and assessment activities should be planned and conducted within several categories, as follows.

9.2.1 Ongoing Monitoring

• Daily/Periodic: Some information must be checked daily to ensure controls are working as required. Management normally performs such monitoring, which traditionally involves checking data-processing control reports to reconcile satisfactory task and job completion. Such controls, where they exist, are most often automated. The CAE will ensure such management monitoring is in place and that it is subjected to internal audit assessment.

• Event-driven: Discrepancies, or even frauds, may result within normal processing or in special circumstances, such as where there are large-value transactions. In many IT environments, malicious attacks are likely. Consequently, specific controls should be in place to detect and report unusual activities to an entity within the organization that is chartered specifically to investigate and determine whether preventive or corrective actions should be applied. Such monitoring controls are complementary to the normal controls employed and provide assurance on the effectiveness of those controls, or early warning that they may have been breached.

• Continuous: Technology now provides the ability to monitor and assess certain sensitive controls continuously. A good example of continuous monitoring is the use of intrusion detection software, which continually monitors network traffic for evidence that other protective controls, such as firewalls and virus protection, may have been breached.

9.2.2 Special Reviews

• Annual (or quarterly) control assessment: Sarbanes-Oxley legislation in the United States requires cyclical control assessments. Although the board of directors is required to make statements regarding the effectiveness of internal controls, management actually must provide the assurances to the board, and the internal and external auditors must perform sufficient audit work to attest to these assurances.

• Audit reviews: A regular program of audit reviews is still necessary despite the proliferation of new audit approaches. It is only through the formal review of infrastructure, process, and technology implementation that the CAE can assess the overall reliability and robustness of the system of internal controls. In the past, such reviews were planned on a cyclical basis. However, given the fast-changing world of IT, audit reviews should now be scheduled based on the level of risk.


Suitable Recognized Framework

"... the framework on which management's assessment of the issuer's internal control over financial reporting is based must be a suitable, recognized control framework that is established by a body or group that has followed due-process procedures, including the distribution of the framework for public comment. By far the best-known framework that meets that definition is the framework designed by The Committee of Sponsoring Organizations of the Treadway Commission, otherwise known as the COSO report, which was published in 1992."

Scott A. Taub, Deputy Chief Accountant, US Securities and Exchange Commission (SEC), SEC and Financial Reporting Conference, Pasadena, California, May 29, 2003


10.1 What Audit Methodology to Use

A lot has changed in the 40 years that IT auditing has existed. Technology components have become smaller, faster, and cheaper, even as overall IT costs to the organization have increased significantly. The majority of business processes have been automated, typically to provide efficiencies but also to enable certain business processes that cannot be performed manually. Ubiquitous network communications, including the Internet, have eliminated any distinction between business and electronic business.

The audit process similarly has evolved to match the automation of business processes. In the early days of automation, auditors "audited around the computer." Now they use software routinely to test or analyze data and technical controls within systems.

A widely used audit approach involves operational analysis of the processing of important business transactions by automated systems. In such audits, the auditor identifies activities and information subject to control and assesses the ability of existing controls to provide reliable protection, including sufficient evidence of the reliability of controls. Because operational audits of automated business processes frequently identify internal control deficiencies, internal auditors may sometimes shift their attention to audits of, or even involvement in, the processes whereby business activities are automated, such as systems design, development and acquisition, implementation, and maintenance.

Experienced auditors develop extensive knowledge of internal controls and their strengths and weaknesses. Therefore, it is not uncommon for internal auditors to provide consulting services to the management responsible for designing and implementing internal controls. The scope of, and limitations on, such consulting activity are prescribed in the International Standards for the Professional Practice of Internal Auditing (see http://www.theiia.org/guidance/standards-and-practices). However, internal auditor involvement in design, development, or implementation activities does not absolve management from responsibility for those activities.

Today, no specific audit methodology can be regarded as the sole current best practice. Internal auditors adopt the methods and practices that best suit the work needed. For example:

• When performing an assessment against Sarbanes-Oxley requirements, a systems-based audit approach may be the best method.

• Fraud investigations may require the use of audit software to analyze data and look for evidence. Audit software provides strong analytical capability plus the ability to examine all relevant records and files.

• Performing annual audit work in support of the main internal audit objectives will most likely follow a risk-based approach.

10.2 Testing IT Controls and Continuous Assurance

In addition to assessing the adequacy of IT control mechanisms, regular reviews should be performed to ensure that controls continue to function as required. A traditional method used by internal auditors is to create a population of test data that can be processed through the business systems, and to check the results to ensure, for example, that controls continue to accept valid data and reject incorrect and invalid items. However, given the widespread, complex, and interactive nature of business systems today, audit testing tends to focus more specifically on key automated controls and analysis of the data.
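As an added illustration of the test-data method (example code, not from the GTAG), the Python block below stands in for an automated input control on payment records and runs a constructed test population through it, where each item carries the decision the control should make. The validation rules, the approval limit and the records are assumptions; the structure is the point: the deck exercises the boundary of every rule (exactly at the limit, just over it with and without a second approver, zero, negative and wrongly typed amounts, a malformed account, a backdated value date, a missing mandatory field), and any disagreement between the control's decision and the expected decision is reported as a control failure.

```python
"""Test-deck check of an automated input control.

Added example, not from the GTAG. The payment-validation rules and the test
population are constructed to illustrate the method; substitute the real
application's control and its documented acceptance rules.
"""
import re
from datetime import date

APPROVAL_LIMIT = 10_000.00            # assumed policy: above this a second approver is required
KNOWN_CURRENCIES = {"USD", "EUR", "GBP"}
IBAN_LIKE = re.compile(r"^[A-Z]{2}\d{2}[A-Z0-9]{11,30}$")
REQUIRED = ("payee", "account", "amount", "currency", "value_date")


def validate_payment(rec: dict, today: date) -> list[str]:
    """The control under test: returns the rejection reasons (empty list = accepted)."""
    reasons = [f"missing {f}" for f in REQUIRED if f not in rec or rec[f] in (None, "")]
    if reasons:
        return reasons
    amount = rec["amount"]
    if isinstance(amount, bool) or not isinstance(amount, (int, float)) or amount <= 0:
        reasons.append("amount must be positive")
    elif amount > APPROVAL_LIMIT and not rec.get("second_approver"):
        reasons.append("amount over limit without second approver")
    if rec["currency"] not in KNOWN_CURRENCIES:
        reasons.append("unknown currency")
    if not isinstance(rec["account"], str) or not IBAN_LIKE.match(rec["account"]):
        reasons.append("malformed account")
    if not isinstance(rec["value_date"], date) or rec["value_date"] < today:
        reasons.append("value date missing or in the past")
    return reasons


# Constructed test population: (name, record, should the control accept it?)
TODAY = date(2005, 3, 1)
BASE = {"payee": "ACME Ltd", "account": "GB29NWBK60161331926819",
        "amount": 500.0, "currency": "GBP", "value_date": date(2005, 3, 2)}
TEST_DECK = [
    ("valid baseline", BASE, True),
    ("exactly at limit", {**BASE, "amount": APPROVAL_LIMIT}, True),
    ("over limit, approved", {**BASE, "amount": 10_000.01, "second_approver": "cfo"}, True),
    ("over limit, not approved", {**BASE, "amount": 10_000.01}, False),
    ("zero amount", {**BASE, "amount": 0}, False),
    ("negative amount", {**BASE, "amount": -1.0}, False),
    ("amount as string", {**BASE, "amount": "500"}, False),
    ("bad currency", {**BASE, "currency": "US$"}, False),
    ("malformed account", {**BASE, "account": "GB29-NWBK"}, False),
    ("backdated", {**BASE, "value_date": date(2005, 2, 28)}, False),
    ("missing payee", {k: v for k, v in BASE.items() if k != "payee"}, False),
]


def run_test_deck(deck, today: date, control=validate_payment) -> dict:
    """Process every record through the control and list where its decision
    disagrees with the expected one; a non-empty list is a control failure."""
    failures = []
    for name, rec, should_accept in deck:
        accepted = control(rec, today) == []
        if accepted != should_accept:
            failures.append(name)
    return {"tested": len(deck), "control_failures": failures}


if __name__ == "__main__":
    print(run_test_deck(TEST_DECK, TODAY))
```

The deck is only as good as its boundary cases: an "exactly at limit" record and a "one cent over" record are what distinguish a `>` from a `>=` in the control, and the "amount as string" record is what catches a control that compares before it type-checks. Keeping the expected decision next to each record means the same deck can be rerun after every release of the application, which is the "continue to function as required" part of the paragraph above.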

10.2.1 Automated Continuous Monitoring

Continuous monitoring and audit tools have been used for many years. Previously called embedded audit software, program code in business systems checks data being processed against predetermined criteria and reports anomalies it detects. The benefit of such monitoring is obvious: any discrepancies can be identified and acted upon immediately. Many proprietary business software products now provide such continuous monitoring functionality. The concept has also gone beyond business applications. For example, most firewall products and intrusion detection systems continuously check for potential attack scenarios and provide instant alerts when potential attacks are detected. This type of monitoring can cause problems due to the considerable volume of data and potential errors that are highlighted, not all of which will be worthy of attention. The task of refining the analysis techniques and monitoring thresholds requires constant vigilance to determine which alerts to highlight and which to accept as normal events.

GTAG – Assessment – 10

How Auditing Contributes to IT Controls

During the past four decades there have been periods of reflection when management and auditors agreed the auditors could add value to the organization by contributing their controls expertise to development processes, to ensure appropriate controls were incorporated into new systems rather than adding controls after an audit revealed a deficiency. These activities coincided with the developments in control and risk self-assessment in the mainstream audit world. Audit consulting and risk-based auditing became widespread. The 1990s and beyond also saw dramatic increases in attention to information security management as cyber attacks increased in number and severity. These events have helped shape the role of the IT auditor as well as the business world's recognition of the importance of effective information security management.
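The event-driven monitoring of section 9.2.1 and the embedded audit routine described in 10.2.1 are the same mechanism: each transaction is checked against predetermined criteria as it is processed, and anything unusual is reported for investigation. The Python block below is an added example, not from the GTAG or from any product. The log format, the criteria (large value, the same user entering and approving, activity outside business hours, a run of transactions just under the approval limit) and the thresholds are constructed assumptions. The `alert_rate` function shows the threshold tuning the paragraph above calls for: narrowing the "just under the limit" band lowers the share of transactions that raise an alert.

```python
"""Embedded audit routine: transactions checked against predetermined criteria
as they are processed, plus a helper for tuning the alert thresholds.

Added example, not from the GTAG. The log format, criteria and thresholds are
constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed transaction log: timestamp|txn id|entered by|approved by|vendor|amount
SAMPLE_LOG = """\
2005-03-01T09:12:00|T1001|alice|bob|ACME Ltd|4200.00
2005-03-01T09:40:00|T1002|alice|bob|ACME Ltd|9950.00
2005-03-01T09:41:00|T1003|alice|bob|ACME Ltd|9900.00
2005-03-01T09:43:00|T1004|alice|bob|ACME Ltd|9975.00
2005-03-01T14:05:00|T1005|carol|carol|Globex|1500.00
2005-03-01T23:55:00|T1006|dave|erin|Initech|60000.00
2005-03-02T10:00:00|T1007|erin|bob|Globex|300.00
"""

APPROVAL_LIMIT = 10_000.00   # assumed: amounts at or above this need a second approval
LARGE_VALUE = 50_000.00      # assumed: always report, regardless of approval
BUSINESS_HOURS = (8, 18)     # assumed: entries outside 08:00-18:00 are unusual
SPLIT_WINDOW = timedelta(hours=1)
SPLIT_BAND = 0.90            # amounts within 90-100% of the limit count as "just under"
SPLIT_COUNT = 3              # this many just-under amounts in the window looks like splitting


def parse(log: str):
    """Yield one dict per log line (constructed pipe-delimited format)."""
    for line in log.splitlines():
        ts, txn, entered_by, approved_by, vendor, amount = line.split("|")
        yield {"ts": datetime.fromisoformat(ts), "txn": txn, "entered_by": entered_by,
               "approved_by": approved_by, "vendor": vendor, "amount": float(amount)}


def monitor(log: str, large_value: float = LARGE_VALUE,
            split_band: float = SPLIT_BAND) -> list[tuple[str, str]]:
    """Return (txn id, criterion) for every transaction that meets an alert criterion."""
    alerts = []
    # (entered_by, vendor) -> timestamps of recent just-under-limit transactions
    recent_under_limit = defaultdict(list)
    for t in parse(log):
        if t["amount"] >= large_value:
            alerts.append((t["txn"], "large value"))
        if t["entered_by"] == t["approved_by"]:
            alerts.append((t["txn"], "entered and approved by the same user"))
        if not BUSINESS_HOURS[0] <= t["ts"].hour < BUSINESS_HOURS[1]:
            alerts.append((t["txn"], "outside business hours"))
        if split_band * APPROVAL_LIMIT <= t["amount"] < APPROVAL_LIMIT:
            key = (t["entered_by"], t["vendor"])
            window = [ts for ts in recent_under_limit[key] if t["ts"] - ts <= SPLIT_WINDOW]
            window.append(t["ts"])
            recent_under_limit[key] = window
            if len(window) >= SPLIT_COUNT:
                alerts.append((t["txn"], "possible split to stay under approval limit"))
    return alerts


def alert_rate(log: str, **thresholds) -> float:
    """Share of transactions raising at least one alert; rerun with different
    thresholds to see how much investigator attention a setting would consume."""
    total = sum(1 for _ in parse(log))
    flagged = {txn for txn, _ in monitor(log, **thresholds)}
    return len(flagged) / total


if __name__ == "__main__":
    for txn, why in monitor(SAMPLE_LOG):
        print(txn, why)
    print("alert rate:", round(alert_rate(SAMPLE_LOG), 3))
    print("alert rate, narrower split band:", round(alert_rate(SAMPLE_LOG, split_band=0.996), 3))
```

On the constructed log the routine reports the third just-under-limit transaction from alice to ACME Ltd within the hour, carol approving her own entry, and the 60,000 entry made at 23:55 on two grounds. Three of seven transactions are flagged with the default band; narrowing the band to 99.6 percent of the limit drops the split alert and the rate to two in seven. That is the trade-off the paragraph describes: every threshold setting is a choice about how many normal events the investigating unit is asked to look at.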

10.2.2 Automated Internal Control Analysis Tools

Audit software can be used to analyze stored data and check its validity, to ensure the continuous, reliable operation of internal controls. Originally designated audit interrogation software, products such as ACL (www.acl.com) or CaseWare IDEA (www.caseware.com) now provide sophisticated features and specific analyses that can reduce the control assessment workload while increasing effectiveness and efficiency. Spreadsheet products like Microsoft Excel also contain powerful analysis tools auditors may use.
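Two of the standard audit interrogation tests, duplicate payments and gaps in a document sequence, as an added Python example; it is not from the GTAG and is not an ACL or IDEA script. The payment register and its column names are constructed assumptions. The exact-duplicate test looks for the same vendor invoice paid twice; the possible-duplicate test looks for the same vendor and amount under different invoice numbers, which needs follow-up rather than being a finding by itself; the gap test lists check numbers absent from the register, which may be voids, unrecorded items, or something worse.

```python
"""Audit interrogation of a stored payment register: duplicate payments and
gaps in the check-number sequence.

Added example, not from the GTAG, ACL or IDEA. The register below is
constructed for illustration; real registers are exported from the ledger.
"""
import csv
import io
from collections import defaultdict

# Constructed payment register (assumed column names).
REGISTER_CSV = """\
check_no,vendor,invoice_no,amount,paid_on
2001,ACME Ltd,INV-100,1250.00,2005-01-05
2002,Globex,G-77,980.50,2005-01-06
2003,ACME Ltd,INV-100,1250.00,2005-01-20
2005,Initech,IT-9,4000.00,2005-01-21
2006,Globex,G-78,980.50,2005-01-22
2009,ACME Ltd,INV-101,300.00,2005-02-01
"""


def load_register(text: str) -> list[dict]:
    """Parse the CSV export and give numeric columns numeric types."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["check_no"] = int(r["check_no"])
        r["amount"] = float(r["amount"])
    return rows


def exact_duplicates(rows: list[dict]) -> dict:
    """Same vendor and invoice number paid more than once: (vendor, invoice) -> check numbers."""
    seen = defaultdict(list)
    for r in rows:
        seen[(r["vendor"], r["invoice_no"])].append(r["check_no"])
    return {k: v for k, v in seen.items() if len(v) > 1}


def possible_duplicates(rows: list[dict]) -> dict:
    """Same vendor and amount under different invoice numbers: (vendor, amount) -> invoices.
    Not proof of a duplicate, but the pattern a re-keyed invoice produces."""
    by_vendor_amount = defaultdict(set)
    for r in rows:
        by_vendor_amount[(r["vendor"], r["amount"])].add(r["invoice_no"])
    return {k: sorted(v) for k, v in by_vendor_amount.items() if len(v) > 1}


def sequence_gaps(rows: list[dict]) -> list[int]:
    """Check numbers missing between the lowest and highest recorded numbers."""
    numbers = sorted(r["check_no"] for r in rows)
    return sorted(set(range(numbers[0], numbers[-1] + 1)) - set(numbers))


def interrogate(text: str) -> dict:
    """Run all three tests over one register export."""
    rows = load_register(text)
    return {
        "exact_duplicates": exact_duplicates(rows),
        "possible_duplicates": possible_duplicates(rows),
        "sequence_gaps": sequence_gaps(rows),
    }


if __name__ == "__main__":
    for test, result in interrogate(REGISTER_CSV).items():
        print(test, result)
```

On the constructed register, ACME invoice INV-100 is paid by checks 2001 and 2003, the two Globex payments of 980.50 sit under different invoice numbers, and checks 2004, 2007 and 2008 are not in the register. Each of these is a population-wide test rather than a sample, which is the advantage the paragraph above attributes to audit software.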

10.2.3 Automated Risk Analysis

Tools also are available for automating the risk analysis process. These tools are invaluable to the entire internal audit function, not just the IT auditor or risk specialist. Performing a proper risk analysis in today's complex IT environments is not easy without the assistance of automated tools.

Management is responsible for performing risk assessments to determine the controls to implement or improve. Internal auditors perform similar analysis when assessing the adequacy of controls for audit plan and scope purposes. Automated tools can assist both processes. The automation of internal audit management is a major topic in its own right.

10.3 Audit Committee/Management/Audit Interfaces

It is impractical to establish rules for reporting on every special IT control situation. The CAE must apply prudent judgment when expressing an opinion or submitting a report to the audit committee. This is no different from the way the CAE interacts with the audit committee regarding other internal control issues.

The CAE will discuss internal control issues with the audit committee to determine the optimum level of information to be provided to enable the audit committee to achieve its statutory, regulatory, policy, due care, or other governance obligations.

"Metrics and reporting" and "audit report summaries" are two areas where the CAE should interact with the audit committee regarding internal controls. Further interactions will depend on the needs of the specific audit committee and any legislative or regulatory requirements.

Metrics and reporting: Metrics and reports must present meaningful information on the status of IT controls. While management provides the metrics and reporting, the CAE should be able to attest to their validity and opine on their value. This is accomplished through audit examination of the relevant control areas to produce an independent and objective assessment. The CAE should liaise with management at all levels and with the audit committee to agree on the validity and effectiveness of the metrics and assurances chosen for reporting.

A basic set of governance and management metrics for information security is included in Appendix G (see page 40). These metrics do not include specific data regarding the operation of detailed technical controls, although the technical controls may provide the information used in measurement. The actual metrics used will depend on the organization and the needs of the audit committee. The CAE can select examples of measurements taken at any level of the organization to help illustrate matters that can materially impact controls at the governance level.

Audit report summaries: Prepared on a regular basis for the audit committee, these reports summarize findings, conclusions, and opinions regarding the status of IT controls. They also can report on the agreed-upon actions from prior audit reports and the status of those actions — probably on an exception basis for actions not taken within the designated time frame. IT controls summaries cannot be presented in isolation but should be presented in the context of the entire internal control framework.

The frequency of reporting depends on the organization's needs. In a strong regulatory environment, such as that provided by Sarbanes-Oxley in the United States, quarterly reporting is required. Otherwise the frequency of reporting will be driven by the organization's governance framework and philosophy and the extent to which IT risks exist.

GTAG — Assessment — 10

Figure 6 – Audit Interfaces

Assessing IT controls is an ongoing process because business processes are constantly changing, technology continues to advance, threats evolve as new vulnerabilities emerge, and audit methods keep improving. The CAE should keep assessments of IT controls that support business objectives near the top of the audit agenda.

Assessing IT controls is not a case of determining whether best practices are employed, as controls are specific to the organization's mission, objectives, culture, deployed processes and technologies, and risks. Technology should be tailored to provide effective control, and the CAE should ensure internal auditing adopts appropriate and effective methods. Auditing IT is a continuous learning process.

The CAE is rarely in a position to understand all the technologies used in his or her environment and their specific control implications. That is why properly certified and experienced IT auditors are a major asset for any internal audit function. However, the CAE should understand the overall control issues and be able to communicate them to senior management and to appropriate committees of the board of directors in a form they will understand and in a manner that will result in an appropriate response. The key to assessing IT controls effectively is communication with technical staff, management, and board members.

GTAG — Conclusion — 11

Note: This appendix is extracted from the report of the Best Practices and Metrics team of the Corporate Information Security Working Group (CISWG), as provided on November 17, 2004, to the Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census, Government Reform Committee, U.S. House of Representatives, and subsequently amended on January 10, 2005. Additional information may be obtained from the "Technology" section of http://www.theiia.org.

12.1 Governance (Board of Directors)

• Oversee risk management and compliance programs pertaining to information security (e.g., Sarbanes-Oxley, Health Insurance Portability and Accountability Act, Gramm-Leach-Bliley Act).
• Approve and adopt broad information security program principles and approve assignment of key managers responsible for information security.
• Strive to protect the interests of all stakeholders dependent on information security.
• Review information security policies regarding strategic partners and other third parties.
• Strive to ensure business continuity.
• Review provisions for internal and external audits of the information security program.
• Collaborate with management to specify the information security metrics to be reported to the board.

12.2 Management

• Establish information security management policies and controls and monitor compliance.
• Assign information security roles, responsibilities, and required skills, and enforce role-based information access privileges.
• Assess information risks, establish risk thresholds, and actively manage risk mitigation.
• Ensure implementation of information security requirements for strategic partners and other third parties.
• Identify and classify information assets.
• Implement and test business continuity plans.
• Approve information systems architecture during acquisition, development, operations, and maintenance.
• Protect the physical environment.
• Ensure internal and external audits of the information security program, with timely follow-up.
• Collaborate with security staff to specify the information security metrics to be reported to management.

12.3 Technical

Establishing a complete information security program requires attention to the following technical program elements:

• User identification and authentication
• User account management
• User privileges
• Configuration management
• Event and activity logging and monitoring
• Communications, e-mail, and remote access security
• Malicious code protection, including viruses, worms, and trojans
• Software change management, including patching
• Firewalls
• Data encryption
• Backup and recovery
• Incident and vulnerability detection and response
• Collaboration with management to specify the technical metrics to be reported to management

GTAG — Appendix A — Information Security Program Elements — 12

There is an increasing volume of legislation impacting on the internal control framework that organizations choose to implement. Although much of this legislation has emerged over recent years in the United States as a result of various corporate scandals, it has impacted organizations in other countries as well. Organizations should be aware of the relevant legislation, regulation, and business practices around the world — particularly in all countries in which they do business — to assess the organizational impacts and requirements.

For example, data protection legislation in Europe inhibits the transfer of information across borders to countries that do not have comparable data-protection regulation in place. This impacts trading relationships where the information to be transferred refers to identifiable individuals. Sarbanes-Oxley contains requirements for reporting on the system of internal controls for all organizations publicly traded in the United States, as well as their foreign subsidiaries.

This appendix provides a summary of requirements and the impact of some of the major legislation and regulation that should be considered in assessing and managing IT controls. Although this GTAG is aimed at a global audience, it covers Sarbanes-Oxley in some depth because it is one of the most significant pieces of legislation to emerge in recent years. The Organisation for Economic Co-operation and Development (OECD) Corporate Governance Principles provide a general framework for the implementation of business controls. The Basel II Accords have a major impact on the international financial sector, and many have suggested Basel II guidance may also influence other sectors.

13.1 U.S. Sarbanes-Oxley Act of 2002

Sarbanes-Oxley (http://www.theiia.org/iia/guidance/issues/sarbanes-oxley.pdf) was intended to reform public accounting practices and other corporate governance processes and shore up the capital markets in the wake of the Enron and WorldCom corporate governance scandals. The PCAOB provides a comprehensive collection of information and advice on Sarbanes-Oxley at its Web site (http://www.sarbanes-oxley.com). The key requirements of Sarbanes-Oxley, the SEC, and U.S. stock listing exchanges are fully compared and contrasted in an IIA Research Foundation analysis titled "Assessment Guide for U.S. Legislative, Regulatory, and Listing Exchanges Requirements Affecting Internal Auditing" (www.theiia.org/iia/download.cfm?file=519).

However, Sarbanes-Oxley does not address the issue of IT controls specifically. This does not mean IT can be ignored when performing the compliance reviews required by the act. The act is neutral with regard to technology, but the implication is clear that IT controls are critical to an organization's overall system of internal controls. As IT controls address the secure, stable, and reliable performance of hardware, software, and personnel to ensure the reliability of financial applications, processes, and reporting, they must be a significant element of compliance reviews.

Some key IT control areas have been interpreted as not being incorporated in Sarbanes-Oxley compliance. These include privacy, business continuity, business systems, data classification, and information not specific to financial processing and reporting. Therefore, any audit specifically limited to Sarbanes-Oxley compliance will not assess all the risks faced by the organization and must be supplemented to ensure full audit coverage of the organization's risk management and internal controls.

Tools and resources for corporate governance initiatives and current legislation can be found on The IIA's Web site at http://www.theiia.org/iia/index.cfm?doc_id=4061.

13.1.1 Sarbanes-Oxley Sections Relevant to IT Controls

The following briefly describes the sections of Sarbanes-Oxley that relate to auditors and IT controls.

13.1.1.1 Sections 103 and 802

These sections establish rules for the public accounting firm relating to the audit and report. In particular, they require the board to establish standards for the audit work. They also require auditors to test the internal control structures and attest to the strength of those structures. This review must include a thorough examination of the IT controls that are fundamental to the system of internal control over financial reporting.

One specific requirement relates to the retention of records "that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets." Again, this is influenced greatly by the way in which IT records are maintained and retained.

13.1.1.2 Section 201

This section requires that external auditors be independent. This precludes them from performing work for a client in the capacity of IT consultants or providing outsourced internal audit services. Organizations that do not wish to employ their own IT auditors cannot outsource the work to their external auditors.

13.1.1.3 Section 301

Section 301 defines the need for audit committee members to be independent and precludes them from performing any other consulting work on behalf of the organization. It also requires audit committees to establish procedures to handle "confidential, anonymous submission by employees of the issuer of concerns regarding questionable accounting or auditing matters" (whistle-blower complaints). This would also relate to any issues arising from the control of IT.

13.1.1.4 Sections 302 and 404

GTAG — Appendix B — Compliance With Laws and Regulations and Guidance on Compliance Implementation — 13

Section 302 of the act requires the CEO and CFO — who are responsible for financial information and the system of internal controls — to evaluate the system of internal controls every 90 days and report on their conclusions and any changes.

They must disclose:

• "All significant deficiencies in the design or operation of internal controls that could adversely affect the issuer's ability to record, process, summarize, and report financial data and identify for the issuer's auditors any material weaknesses in internal controls."
• "Any fraud, whether or not material, that involves management or other employees who have a significant role in the issuer's internal controls."

Section 404 requires the CEO and CFO to produce an annual audit report that:

• Assesses the effectiveness of the internal control structure over financial reporting.
• Discloses all known internal control weaknesses.
• Discloses all known frauds.

This report will cover all applicable IT controls, including program logic and related change controls, access controls, and data protection. The PCAOB Auditing Standard No. 2 suggests the COSO Internal Control – Integrated Framework as a basis for Section 404 compliance management. References to Statement of Auditing Standards (SAS) 95 also emphasize the importance of IT and information security controls to Sarbanes-Oxley.

13.1.1.5 Section 409

Section 409 requires organizations to disclose any material changes to operations in real time and in plain English. Some contend these requirements establish a foundation or need for continuous monitoring, auditing, and assurance processes to become part of significant internal control processes.

13.2 Basel II Accord

The Basel II Accord is a global regulatory treaty that defines the global standards for enterprisewide risk management practices in the financial sector, with the intent to mitigate risks of losses in the industry. The focus is on the banking sector, but there is a clear intent to harmonize standards across all segments of the industry. All areas of bank operations are included — people, processes, systems, governance, and supplier management.

A bank willing to qualify for the Advanced Measurement Approach (AMA) under the Operational Risk (OR) Treaty must implement best practice in operations and risk management. For risk management this means:

• Senior management is actively involved.
• The bank has an OR management system, processes, policies, and procedures enterprisewide.
• The bank has the right governance and sufficient resources to manage operational risks.
• The bank has an OR management function that is responsible for:
  – Designing and implementing the OR management framework.
  – Codifying policies, procedures, and controls.
  – Designing and implementing an OR measurement methodology.
  – Designing and implementing an OR management reporting system.
  – Developing strategies to identify, measure, monitor, and control or mitigate OR.
• An OR measurement system is closely integrated into the day-to-day risk management process.
• The OR exposures and loss experiences are regularly reported.
• The OR management system is documented.
• Internal and external auditors regularly review the OR management processes and measurement system.

Key to success in OR management is an information system that supports OR exposure self-assessment, allows process mapping, consists of an OR loss database and reporting function, and entails an action-plan management function.

The Basel Committee does not specify the approach or distributional assumptions to be used to generate the OR measure for regulatory capital purposes. However, the framework allows for three basic approaches that essentially are dependent on the quality and quantity of risk management data. Whereas using more data and historical metrics to prove good performance may allow banks to maintain lower capital reserves and to quantify OR, the banks must be able to demonstrate that their approaches capture potentially severe "tail" loss events (severe, unexpected losses). Moreover, consistency with the scope of OR as defined by the Basel Committee is required.

First, a bank's organization-wide risk assessment methodologies must capture key business, environmental, and internal control factors that can change its OR profile. In addition, the bank should have a process for assessing overall capital adequacy.

Next, the risk measurement system must be granular enough to capture the tails of the loss estimates. Banks are expected to use expert opinion in conjunction with external data for scenario analysis to evaluate their exposure to high-severity events. Because a bank does not have enough of its own data in the area of high-impact, low-frequency risks, it must acquire data from an external provider, such as the Zurich-based ORX Global Operational Loss Database (GOLD) or MORE Exchange.

The banks must have a credible, transparent, well-documented, and verifiable approach for weighting these fundamental elements in their overall OR measurement system. There are additional prerequisites to qualify for the AMA:

• Internal loss and performance data — successes, near misses, and failures — all must be tracked and accounted for (reconciled to the books of the bank).
• Internal loss data must be linked to the bank's current business activities.
• An observation period of at least five years is required for internal loss data, with a minimum of three years necessary when moving to AMA.
• According to the internal loss collection process:
  – OR losses related to credit risk and historically included in banks' credit risk databases continue to be treated as credit risk for the purpose of calculating minimum regulatory capital under this framework. Such losses should be flagged separately.
  – OR losses related to market risk are treated as OR for the purposes of calculating minimum regulatory capital under this framework and are subject to the OR capital charge.
• The OR measurement system must use relevant external data.

Third, Basel II disclosure requires banks to describe their risk management objectives and policies for each separate risk area, including:

• Strategies and processes.
• Structure and organization of the risk management function.
• Scope and nature of risk reporting.
• Policies for hedging and mitigating risks (including operations).

Note: The BITS Key Risk Measurement Tool for Information Security Operational Risks, or "BITS Kalculator" (http://www.bitsinfo.org/bitskalculatorjuly04.pdf), is a tool financial institutions of all sizes can use to evaluate critical information security risks to their businesses. It can be downloaded at no cost from the BITS Web site (http://www.bitsinfo.org/wp.html).

13.3 Data Protection

The concept of data protection was developed when computerization issues were raised at United Nations and OECD conferences in the late 1960s. The first national law was enacted in 1974 in Sweden, and the OECD published its Data Protection Guidelines in 1980 (OECD C(80)58 final). Regional bodies like the Council of Europe (Data Protection Convention 108, 1981, human rights-based) and the European Commission (EC) (Directive 95/46/EC, consumer protection-oriented) have enacted binding frameworks for implementation in their member states. Depending on their legal system, many countries around the globe have constitutional provisions and omnibus laws or a broad spectrum of sector regulations for data protection. To bridge the differences in U.S. and European Union (EU) privacy regulations, the EC and the U.S. Department of Commerce developed a safe harbor framework for U.S. companies. The safe harbor is a framework agreement consisting of seven principles and a series of frequently asked questions. (See also http://www.was4.hewitt.com/hewitt/resource/legislative_updates/europe/eu_data1.htm.)

The EU legislation requires organizations to protect the personal information of individuals. The legislation also mandates that appropriate technical measures be taken to ensure the security of personal data, whether electronic or manual. Further information regarding data protection can be found at the Electronic Privacy Information Center (EPIC) (http://www.epic.org), Privacy International (http://www.privacyinternational.org), and the U.K. Office of the Information Commissioner (http://www.informationcommissioner.gov.uk).

13.4 The U.S. Gramm-Leach-Bliley Act (GLBA) – The Financial Modernization Act of 1999

The GLBA was introduced to protect the privacy of customer information in the financial sector, but it extends beyond financial companies. Any company that handles non-public financial customer information may be held accountable under this law, depending on the circumstances. More information is available from EPIC (http://www.epic.org/privacy/glba) and the U.S. Federal Trade Commission (http://www.ftc.gov/bcp/conline/pubs/buspubs/glblong.shtm#whois).

13.5 U.S. Health Insurance Portability and Accountability Act (HIPAA) 1996

HIPAA contains requirements for the privacy of personal information and for information security. The law applies to U.S.-based companies in the health care sector but can also pertain to any company that provides health care benefits to employees, depending on the circumstances. Further details can be found at http://www.hipaa.org.

13.6 California Security Breach Information Act, Civil Code Sections 1798.29 and 1798.82 (Frequently Referenced by the Bill – CA SB 1386)

California's State Bill 1386 amended the Information Practices Act of 1977 of the California Civil Code to create a sweeping regulation that mandates public disclosure of computer-security breaches in which confidential information of any California resident may have been compromised. Every enterprise — public or private — doing business with California residents is potentially affected. Confidential information covered by the law includes Social Security numbers, California driver's license numbers, account numbers, and credit or debit card numbers. A more detailed article on this regulation can be found at http://www.theiia.org/itaudit/index.cfm?fuseaction=forum&fid=5501. Although case law for this legislation is not cited here, some discussions on the subject have indicated the courts may not view an organization's statement favorably if it treats its California customers differently from its other customers.


13.7 Global National Regulations

Many countries have national regulations covering internal control, including Germany (KonTraG, risk management requirement) and France (LSF, internal control reporting requirement). In addition, external auditors may be required to certify the adequacy of financial reporting mechanisms and controls. Although most of these regulations do not address IT directly, they imply the need for an adequately controlled IT infrastructure. For this reason, many national bodies of the International Federation of Accountants (IFAC) provide detailed guidance for evaluating IT controls.

GTAG – Appendix C – Three Categories of IT Knowledge for Internal Auditors – 14

14.1 Auditor Knowledge Considerations

Standard 1210 – Proficiency of The IIA's Standards requires that the internal audit activity collectively should possess or obtain the knowledge, skills, and other competencies needed to perform its responsibilities.⁴ Varying levels of IT knowledge are needed throughout the organization to provide a systematic, disciplined approach to evaluating and improving the effectiveness of risk management, control, and governance processes. Knowledge of how IT is used, the related risks, and the ability to use IT as a resource in the performance of audit work is essential for auditor effectiveness at all levels.

The IIA's International Advanced Technology Committee has identified three categories of IT knowledge for internal auditors.

14.1.1 Category 1 – All Auditors

Category 1 is the knowledge of IT needed by all professional auditors, from new recruits up through the CAE. Basic IT knowledge encompasses understanding concepts such as the differences in software used in applications, operating systems and systems software, and networks. It includes comprehending basic IT security and control components such as perimeter defenses, intrusion detection, authentication, and application system controls. Basic knowledge includes understanding how business controls and assurance objectives can be impacted by vulnerabilities in business operations and the related and supporting systems, networks, and data components. It is fundamentally about ensuring that auditors have sufficient knowledge to focus on understanding IT risks without necessarily possessing significant technical knowledge.

14.1.2 Category 2 – Audit Supervisors

Category 2 applies to the supervisory level of auditing. In addition to having basic IT knowledge, audit supervisors must understand IT issues and elements sufficiently to address them in audit planning, testing, analysis, reporting, follow-up, and assigning auditor skills to the elements of audit projects. Essentially, the audit supervisor must:

• Understand the threats and vulnerabilities associated with automated business processes.
• Understand business controls and risk mitigation that should be provided by IT.
• Plan and supervise audit tasks to address IT-related vulnerabilities and controls, as well as the effectiveness of IT in providing controls for business applications and environments.
• Ensure the audit team has sufficient competence — including IT proficiency — for audits.
• Ensure the effective use of IT tools in audit assessments and testing.
• Approve plans and techniques for testing controls and information.
• Assess audit test results for evidence of IT vulnerabilities or control weaknesses.
• Analyze symptoms detected and relate them to causes that may have their sources in business or IT planning, execution, operations, change management, authentication, or other risk areas.
• Provide audit recommendations based on business assurance objectives appropriate to the sources of problems noted, rather than simply reporting on problems or errors detected.

14.1.3 Category 3 – Technical IT Audit Specialists

Category 3 applies to the technical IT audit specialist. Although IT auditors may function at the supervisory level, they must understand the underlying technologies supporting business components and be familiar with the threats and vulnerabilities associated with the technologies. IT auditors also may specialize in only certain areas of technology.

IIA programs and products are designed primarily to meet the information needs of the Category 1 and 2 auditor. The Category 1 auditor will seek IIA guidance in relating IT threats, vulnerabilities, and controls to business assurance objectives. IIA products also provide information that can be useful in explaining the business impacts of technical problems. In addition, IIA products can help Category 3 technical IT auditors gain proficiency in areas of technology with which they are not already familiar and in striving to reach supervisory or management audit competence.

The SANS Institute provides information security training and awards Global Information Assurance Certification (GIAC) relevant to information security professionals, including auditors. The course offerings and accompanying certifications match the growing demands of students, new threats, and new technologies. GIAC certifications (http://www.giac.org/subject_certs.php) are grouped by subject matter and level of difficulty. Some are full certifications that accompany five- to six-day training courses, while others are certificates related to one- to two-day courses. Certificates are less involved but more intensely focused than certifications.

Also of interest and benefit to all categories of IT auditor are the materials provided by the Information Systems Audit and Control Association (ISACA). ISACA offers standards, guidelines, and procedures for IT audit professionals; technical research focused on IT audit topics; the Certified Information Systems Auditor (CISA) certification, earned by more than 35,000 individuals worldwide; and publications, education, and conferences targeted to IT audit professionals.

⁴ Note: The "Three Categories of IT Knowledge for Internal Auditors" document is not part of The IIA's Standards but is practical guidance provided by The IIA's International Advanced Technology Committee.

GTAG — Appendix D — Compliance Frameworks — 15

15.1 COSO

Formed in 1985, COSO is an independent private-sector initiative that studied the factors that can lead to fraudulent financial reporting and developed recommendations for public companies and their independent auditors, the SEC and other regulators, and educational institutions. COSO produced the Internal Control – Integrated Framework (Appendix E, see page 36), a widely accepted tool for both management and auditors, in September 2004, and it published Enterprise Risk Management – Integrated Framework in fall 2004. Details of both frameworks can be found at http://www.coso.org.

15.2 CICA CoCo

The Canadian Institute of Chartered Accountants (CICA) produced the Criteria of Control Framework (CoCo) in 1992 to address public and institutional concerns that the traditional view of control was no longer effective in preventing corporate failures. The mission of CoCo is to improve organizational performance and decision making through better understanding of control, risk, and governance. Moreover, the framework provides a basis for making judgments about the effectiveness of control.

In 1995, Guidance on Control was produced, which describes the CoCo framework and defines control in a way that goes beyond the traditional internal control over financial reporting. The CoCo model is a way of focusing on the future of an organization to ensure it is in control by having a clear sense of shared purpose, collective commitment to achieve that purpose, the resources it needs to do the job, and the ability to learn from experience.

15.3 CICA IT Control Guidelines

The IT Control Guidelines, published by the CICA, is a reference source for evaluating IT controls. It is organized in a manner that is easy to use and written in straightforward business language.

15.4 ITGI Control Objectives for Information and Related Technology (CobiT)

Established in 1998, the IT Governance Institute (ITGI) provides guidance on current and future issues related to IT governance, security, and assurance. The ITGI's leading guidance publication is Control Objectives for Information Technology (CobiT) (see Appendix F). ITGI's CobiT provides a reference framework and common language across the entire information systems life cycle for IS and business leaders and IS audit, control, and security practitioners. CobiT is one of the most popular and internationally accepted sets of guidance materials for IT governance.

15.5 ISO 17799 (Code of Practice for Information Security Management)

ISO/IEC 17799:2000(E), promulgated by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), defines information security principles that ultimately can provide assurance to trading partners and regulators that an organization's information is protected properly. Derived from the British Standards Institution's BS 7799 standard, the Code of Practice for Information Security Management is built around specific security elements required within 10 areas, including physical and environmental security, communication and operational management, and access control. Although, as a code of practice, ISO/IEC 17799:2000 provides guidance and recommendations, it is not intended to be a specification, and care should be taken to ensure that claims of compliance are not misleading.

The original BS 7799 standard has two parts:

• Part 1 is the Code of Practice and is identical to ISO/IEC 17799:2000.
• Part 2 is a specification for implementing an information security management system (ISMS).

To comply with BS 7799 Part 2 (BS 7799-2:2002), an organization's installed ISMS must conform to the set of requirements described in the standard, which are in the form of "shall" statements. Third-party bodies have been accredited to certify or register organizations to BS 7799-2:2002.

1551 What Is Information Security

BS 7799 treats information as an asset which like otherimportant business assets has value to an organization andconsequently needs to be protected Information securityprotects information from a wide range of threats to ensurebusiness continuity minimize business damage and maxi-mize return on investments and business opportunities

Information can exist in many forms printed or writtenon paper stored electronically transmitted by post or usingelectronic means shown on films or spoken in conversa-tion Whatever form the information takes or means bywhich it is shared or stored BS 7799 indicates that it alwaysshould be protected appropriately

Information security is characterized within BS 7799 asthe preservation of

bull Confidentiality ndash ensuring that information is accessible only to those authorized to have access

bull Integrity ndash safeguarding the accuracy and complete-ness of information and processing methods

bull Availability ndash ensuring that authorized users haveaccess to information and associated assets whenrequired

Information security is achieved by implementing a suitableset of controls from BS 7799 which could be policies prac-tices procedures organizational structures and softwarefunctions These controls should be established to ensure thespecific security objectives of the organization are met

15.5.2 How to Establish Security Requirements

BS 7799 states that it is essential that an organization identify its security requirements. There are three main sources:

• Assessing risks to the organization (BS 7799 does not prescribe a methodology).

• The legal, statutory, regulatory, and contractual requirements that an organization, its trading partners, contractors, and service providers have to satisfy.

• The particular set of principles, objectives, and requirements for information processing that an organization has developed to support its operations.

15.5.3 Assessing Security Risks

BS 7799 suggests that security requirements be identified by a methodical assessment of security risks. Expenditure on controls should be balanced against the business harm likely to result from security failures. The process of assessing risks and selecting controls may need to be performed a number of times to cover different parts of the organization or individual information systems, and it is important to review security risks and implemented controls periodically.

15.5.4 Selecting Controls

Once security requirements have been identified, controls from BS 7799 should be selected and implemented to ensure risks are reduced to an acceptable level. Controls should be selected based on the cost of implementation in relation to the risks being reduced and the potential losses if a security breach occurs. Nonmonetary factors, such as loss of reputation, should also be taken into account. For more information on BS 7799, see http://www.bs7799-iso17799.com.

15.5.5 Topics Addressed in BS 7799

1. Scope
2. Terms and definitions
3. Security policy
   3.1 Information security policy document
   3.2 Review and evaluation
4. Security organization
   4.1 Information security infrastructure
   4.2 Security of third-party access
   4.3 Outsourcing
5. Asset classification and control
   5.1 Accountability for assets
   5.2 Information classification
6. Personnel security
   6.1 Security in job definition and resourcing
   6.2 User training
   6.3 Responding to security incidents and malfunctions
7. Physical and environmental security
   7.1 Secure areas
   7.2 Equipment security
   7.3 General control
8. Communications and operations management
   8.1 Operational procedures and responsibilities
   8.2 System planning and acceptance
   8.3 Protection against malicious software
   8.4 Housekeeping
   8.5 Network management
   8.6 Media handling and security
   8.7 Exchanges of information and software
9. Access control
   9.1 Business requirement for access control
   9.2 User access management
   9.3 User responsibilities
   9.4 Network access control
   9.5 Operating system access control
   9.6 Application access control
   9.7 Monitoring system access and use
   9.8 Mobile computing and teleworking
10. Systems development and maintenance
   10.1 Security requirements of systems
   10.2 Security in application systems
   10.3 Cryptographic controls
   10.4 Security of system files
   10.5 Security in development and support processes
11. Business continuity management
   11.1 Business continuity management process
12. Compliance
   12.1 Compliance with legal requirements
   12.2 Reviews of security policy and technical compliance
   12.3 System audit considerations

15.6 ISF Standard of Good Practice for Information Security

The Information Security Forum (ISF) Standard of Good Practice for Information Security aims at managing the risks associated with every aspect of information systems, irrespective of an organization's market sector, size, or structure. The standard, prepared by ISF's global working groups, is a publicly available document split into five key areas: security management, critical business applications, computer installations, networks, and systems development. For more information and details, see http://www.isfsecuritystandard.com.

15.7 Generally Accepted Information Security Principles (GAISP)

The Generally Accepted Information Security Principles (GAISP) culls best practice from all other similar frameworks. Developed in 1991 as the Generally Accepted System Security Principles, GAISP provides a comprehensive hierarchy of guidance for securing information and supporting technology, including:

• Pervasive Principles – board-level guidance.

• Broad Functional Principles – designed for executive-level information management (exposure draft distributed September 1999).

• Detailed Principles – guidance for operational information security management (under development).

GAISP is now being developed by the Information Systems Security Association (ISSA) (http://www.issa.org), which can provide details.

15.7.1 Pervasive Principles

The Pervasive Principles address the confidentiality, integrity, and availability of information. They provide general guidance to establish and maintain the security of information and supporting technology.

• Accountability Principle – Information security accountability and responsibility must be defined clearly and acknowledged.
  Rationale – Accountability characterizes the ability to audit the actions of all parties and processes that interact with information. Roles and responsibilities should be clearly defined, identified, and authorized at a level commensurate with the sensitivity and criticality of information. The relationship between all parties, processes, and information must be defined clearly, documented, and acknowledged by all parties. All parties must have responsibilities for which they are held accountable.

• Awareness Principle – All parties with a need to know (including, but not limited to, information owners and information security practitioners) should have access to available principles, standards, conventions, or mechanisms for securing information and information systems, and should be informed of applicable threats to the security of information.
  Rationale – This principle applies between and within organizations. Awareness of information security principles, standards, conventions, and mechanisms enhances and enables controls and can help to mitigate threats. Awareness of threats and their significance also increases user acceptance of controls. Without awareness of the necessity for particular controls, users can pose a risk to information by ignoring, bypassing, or overcoming existing control mechanisms. The awareness principle applies to unauthorized and authorized parties.

• Ethics Principle – Information should be used, and information security should be administered, in an ethical manner.
  Rationale – Information systems pervade our societies. Rules and expectations are evolving with regard to the appropriate provision and use of information systems and the security of information. Use of information and information systems should match the expectations established by social norms and obligations.

• Multidisciplinary Principle – Principles, standards, conventions, and mechanisms for securing information and information systems should address the considerations and viewpoints of all interested parties.
  Rationale – Information security is achieved by the combined efforts of information owners, users, custodians, and information security personnel. Decisions made with due consideration of all relevant viewpoints and technical capabilities can enhance information security and receive better acceptance.

• Proportionality Principle – Information security controls should be proportionate to the risks of modification, denial of use, or disclosure of information.
  Rationale – Security controls should be commensurate with the value and vulnerability of information assets. Consider the value, sensitivity, and criticality of the information, as well as the probability, frequency, and severity of direct and indirect harm or loss. This principle recognizes the value of approaches to information security ranging from prevention to acceptance.

• Integration Principle – Principles, standards, conventions, and mechanisms for the security of information should be coordinated and integrated with each other and with the organization's policies and procedures to create and maintain security throughout an information system.
  Rationale – Many information security breaches involve the compromise of more than one safeguard. The most effective control measures are components of an integrated system of controls. Information security is most efficient when planned, managed, and coordinated throughout the organization's system of controls and the life of the information.

• Timeliness Principle – All accountable parties should act in a timely, coordinated manner to prevent or respond to breaches of, and threats to, the security of information and information systems.
  Rationale – Organizations should be able to coordinate and act swiftly to prevent or mitigate threat events. This principle recognizes the need for the public and private sectors to jointly establish mechanisms and procedures for rapid and effective threat-event reporting and handling. Access to threat-event history could support effective response to threat events and may help prevent future incidents.

[Figure 7 – Security Management]

• Assessment Principle – The risks to information and information systems should be assessed periodically.
  Rationale – Information and security requirements vary over time. Organizations periodically should assess the information, its value, and the probability, frequency, and severity of direct and indirect harm or loss. Periodic assessment identifies and measures the variances from available and established security measures and controls, such as those articulated in the GAISP, as well as the risk associated with such variances. It also enables accountable parties to make informed information risk management decisions about accepting, mitigating, or transferring the identified risks with due consideration of cost effectiveness.

• Equity Principle – Management shall respect the rights and dignity of individuals when setting policy and when selecting, implementing, and enforcing security measures.
  Rationale – Information security measures implemented by an organization should not infringe upon the obligations, rights, and needs of legitimate users, owners, and others affected by the information when exercised within the legitimate parameters of the mission objectives.

15.8 AICPA/CICA Trust Services Principles and Criteria

The American Institute of Certified Public Accountants (AICPA) Assurance Services Executive Committee and the CICA Assurance Services Development Board developed the Trust Services Principles and Criteria to address the risks and opportunities of IT. Trust Services Principles and Criteria set out broad statements of principles and identify specific criteria that should be achieved to meet each principle. The principles are broad statements of objectives. Criteria are benchmarks used to measure and present the subject matter and against which the practitioner can evaluate the subject matter. In the Trust Services Principles and Criteria, the criteria are supported by a list of illustrative controls. The Trust Services Principles and Criteria are organized into four broad areas:

• Policies – The organization has defined and documented its policies [5] relevant to the particular principle.

• Communications – The organization has communicated its defined policies to authorized users.

• Procedures – The organization uses procedures to achieve its objectives in accordance with its defined policies.

• Monitoring – The organization monitors the system and takes action to maintain compliance with its defined policies.

Following are summaries of the Trust Services Security, Availability, Processing Integrity, Privacy, Confidentiality, and Certification Authority Principles and Criteria. The Trust Services Principles and Criteria can be used to deliver branded SysTrust and WebTrust engagements, which are assurance services designed for a wide variety of IT-based systems. Upon attainment of an unqualified assurance report, the organization would be entitled to display a SysTrust or WebTrust Seal and accompanying auditor's report. In addition, the framework can be used to provide advisory and consulting services. For a detailed listing of the Trust Services Principles and Criteria, see http://www.aicpa.org/trustservices.

15.8.1 Security Principle – The system is protected against unauthorized access (both physical and logical)

In e-commerce and other systems, the respective parties must ensure that information provided is available only to those individuals who need access to complete the transaction or services, or to follow up on questions or issues that may arise. Information provided through these systems is susceptible to unauthorized access during transmission and while it is stored on the other party's systems. Limiting access to the system components helps prevent potential abuse of the system, theft of resources, misuse of software, and improper access to or use, alteration, destruction, or disclosure of information. Key elements for protecting system components include permitting authorized access and preventing unauthorized access to those components.

15.8.2 Availability Principle – The system is available for operation and use as committed or agreed

The availability principle refers to the accessibility to the system, products, or services as advertised or committed by contract or by service-level and other agreements. This principle does not, in itself, set a minimum acceptable performance level for system availability. Instead, the minimum performance level is established by mutual agreement (contract) between the parties.

Although system availability, functionality, and usability are connected, the availability principle does not address system functionality (the specific functions a system performs) and system usability (the ability of users to apply system functions to specific tasks or problems). It does address system availability, which relates to whether or not the system is accessible for processing, monitoring, and maintenance.

[5] The term "policies" refers to written statements that communicate management's intent, objectives, requirements, responsibilities, and standards for a particular subject. Some policies may be described explicitly as such, being contained in policy manuals or similarly labeled documents. However, some policies may be contained in documents without such explicit labeling, including, for example, notices or reports to employees or outside parties.

[6] Although some privacy regulations use the term "principle," the term "component" is used in the AICPA/CICA Trust Services Principles and Criteria Framework to represent that concept, because the term "principle" previously has been defined in the Trust Services literature.

15.8.3 Processing Integrity Principle – System processing is complete, accurate, timely, and authorized

Processing integrity exists if a system performs its intended function in an unimpaired manner, free from unauthorized or inadvertent manipulation. Completeness generally indicates that all transactions and services are processed or performed without exception, and that transactions and services are not processed more than once. Accuracy includes assurances that key information associated with the submitted transaction will remain accurate throughout the processing of the transaction, and that the transaction or services are processed or performed as intended. The timeliness of the provision of services or the delivery of goods is addressed in the context of commitments made for such delivery. Authorization includes assurances that processing is performed in accordance with the required approvals and privileges defined by policies governing system processing.

The risks associated with processing integrity are that the party initiating the transaction will not complete the transaction or provide the service correctly and in accordance with the desired or specified request. Without appropriate processing-integrity controls, the buyer may not receive the goods or services ordered, may receive more than requested, or may receive the wrong goods or services altogether. However, if appropriate processing-integrity controls exist and are operational within the system, the buyer can be reasonably assured of receiving the correct goods and services, in the correct quantity and price, by the promised date. Processing integrity addresses all of the system components, including procedures to initiate, record, process, and report the information, product, or service that is the subject of the engagement. The nature of data input in e-commerce systems typically involves the user entering data directly over Web-enabled input screens or forms, whereas in other systems the nature of data input can vary significantly. Because of this difference in data-input processes, the nature of controls over the completeness and accuracy of data input in e-commerce systems may be somewhat different than for other systems.

Processing integrity differs from data integrity because it does not imply automatically that the information stored by the system is complete, accurate, current, and authorized. If a system processes information from sources outside of the system's boundaries, an organization can establish only limited controls over the completeness, accuracy, authorization, and timeliness of the information submitted for processing. Errors that may have been introduced into the information and control procedures at external sites typically are beyond the organization's control. When the information source is excluded explicitly from the description of the system that defines the engagement, it is important to detail that exclusion in the system description. In other situations, the data source may be an inherent part of the system being examined, and controls over the completeness, accuracy, authorization, and timeliness of information submitted for processing would be included in the scope of the system as described.
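The four processing-integrity properties described above (completeness, accuracy, timeliness, and authorization) map onto concrete application controls that an auditor can test. The following Python is an added example illustrating that mapping; it is not part of the GTAG text or of any AICPA/CICA material. The order layout, the approver list, the approval threshold, and the 24-hour processing window are all constructed assumptions for the example.

```python
"""Processing-integrity controls run over a constructed batch of orders.

Added example (not from the GTAG or the Trust Services criteria): each
check below enforces one of the properties the Processing Integrity
principle names. Order layout, approver list, threshold and window are
constructed assumptions, not values taken from any standard.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Order:
    order_id: str              # unique per submitted transaction
    submitted_by: str
    approved_by: Optional[str]
    quantity: int
    unit_price: float
    total: float               # as submitted; must equal quantity * unit_price
    submitted_at: datetime


# Hypothetical policy values (assumptions for this example).
APPROVERS = {"alice"}                       # people allowed to approve large orders
APPROVAL_THRESHOLD = 1000.00                # orders above this need a second person
MAX_PROCESSING_DELAY = timedelta(hours=24)  # timeliness commitment to the buyer

AuditEntry = Tuple[str, str, List[str]]     # (order_id, outcome, findings)


class OrderProcessor:
    def __init__(self, now: datetime) -> None:
        self.now = now
        self.processed_ids = set()           # completeness: what was already processed
        self.audit_log: List[AuditEntry] = []

    def check(self, order: Order) -> List[str]:
        """Return the list of integrity findings; an empty list means the order is clean."""
        findings: List[str] = []
        # Completeness: every order is processed exactly once, never twice.
        if order.order_id in self.processed_ids:
            findings.append("duplicate")
        # Accuracy: key fields must be valid and consistent with each other.
        if order.quantity <= 0 or order.unit_price <= 0:
            findings.append("invalid-quantity-or-price")
        elif abs(order.quantity * order.unit_price - order.total) > 0.005:
            findings.append("total-mismatch")
        # Timeliness: orders older than the committed window are flagged, not silently filled.
        if self.now - order.submitted_at > MAX_PROCESSING_DELAY:
            findings.append("stale")
        # Authorization: large orders need approval by a different, authorized person.
        if order.total > APPROVAL_THRESHOLD:
            if order.approved_by is None:
                findings.append("approval-missing")
            elif order.approved_by not in APPROVERS:
                findings.append("approver-not-authorized")
            elif order.approved_by == order.submitted_by:
                findings.append("self-approval")
        return findings

    def process(self, order: Order) -> bool:
        findings = self.check(order)
        accepted = not findings
        if accepted:
            self.processed_ids.add(order.order_id)
        # Every decision is recorded so the run can be audited afterwards.
        self.audit_log.append((order.order_id, "accepted" if accepted else "rejected", findings))
        return accepted


def run_batch(orders: List[Order], now: datetime) -> List[AuditEntry]:
    processor = OrderProcessor(now)
    for order in orders:
        processor.process(order)
    return processor.audit_log


# Constructed sample batch; NOW is a fixed clock so the run is reproducible.
NOW = datetime(2005, 3, 1, 12, 0)


def _at(hours_ago: float) -> datetime:
    return NOW - timedelta(hours=hours_ago)


SAMPLE_ORDERS = [
    Order("ORD-1", "bob", None, 2, 10.0, 20.0, _at(1)),           # clean
    Order("ORD-1", "bob", None, 2, 10.0, 20.0, _at(1)),           # replayed: duplicate
    Order("ORD-2", "bob", "alice", 10, 150.0, 1500.0, _at(2)),    # large, properly approved
    Order("ORD-3", "bob", None, 10, 150.0, 1500.0, _at(2)),       # large, no approval
    Order("ORD-4", "bob", None, 3, 10.0, 35.0, _at(1)),           # total does not match
    Order("ORD-5", "bob", None, 1, 5.0, 5.0, _at(72)),            # submitted three days ago
    Order("ORD-6", "alice", "alice", 10, 150.0, 1500.0, _at(1)),  # approver is the submitter
]

if __name__ == "__main__":
    for order_id, outcome, findings in run_batch(SAMPLE_ORDERS, NOW):
        print(f"{order_id}: {outcome} {findings}")
```

The audit log the batch returns is the kind of evidence an auditor would sample when testing the processing-integrity criteria: every rejection names the property that failed, and every acceptance records that all four checks passed. In a production system the set of processed identifiers would live in durable storage shared by all instances, since an in-memory set only prevents replay within one process.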

15.8.4 Privacy Principle and Components – Personal information is collected, used, retained, and disclosed in conformity with the commitments in the organization's privacy notice and with the AICPA/CICA Trust Services Privacy Criteria

The Privacy Principle contains 10 components [6] and related criteria that are essential to the proper protection and management of personal information. These privacy components and criteria are based on fair information practices included in privacy laws and regulations of various jurisdictions around the world and many recognized good privacy practices. The privacy components are:

• Management – The organization defines, documents, communicates, and assigns accountability for its privacy policies and procedures.

• Notice – The organization provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained, and disclosed.

• Choice and consent – The organization describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use, and disclosure of personal information.

• Collection – The organization collects personal information only for the purposes identified in the notice.

• Use and retention – The organization limits the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent. The organization retains personal information only as long as necessary to fulfill the stated purposes.

• Access – The organization provides individuals with access to their personal information for review and update.

• Disclosure to third parties – The organization discloses personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual.

• Security – The organization protects personal information against unauthorized access, both physical and logical.

• Quality – The organization maintains accurate, complete, and relevant personal information for the purposes identified in the notice.

• Monitoring and enforcement – The organization monitors compliance with its privacy policies and procedures and has processes to address privacy-related complaints and disputes.

15.8.5 Confidentiality Principle – Information designated as "confidential" is protected as committed or agreed

The confidentiality principle focuses on information designated "confidential." There is no widely recognized definition of confidential information, unlike personally identifiable information, which many countries currently are defining through regulation. In the course of communicating and transacting business, partners often exchange information they require to be maintained on a confidential basis. In most instances, the respective parties wish to ensure that the information they provide is available only to those individuals who need access to complete the transaction or resolve any questions that arise. To enhance business partner confidence, it is important to inform the partner about the organization's confidentiality practices, including those for providing authorized access to, use of, and sharing of information designated as confidential.

Information that may be subject to confidentiality includes:

• Transaction details
• Engineering drawings
• Business plans
• Banking information about businesses
• Inventory availability
• Bid or ask prices
• Price lists
• Legal documents
• Client and customer lists
• Revenue by client and industry

Unlike personal information, there are no defined rights for accessing confidential information to ensure its accuracy and completeness. Interpretations of what is considered confidential information can vary significantly from business to business and are driven by contractual arrangements in most cases. As a result, those engaged in business relationships need to understand what information will be maintained on a confidential basis and what, if any, rights of access or other expectations an organization might have for updating that information to ensure its accuracy and completeness.

Information that is provided to another party is susceptible to unauthorized access during transmission and while it is stored on the other party's computer systems. For example, an unauthorized party may intercept business partner profile information and transaction and settlement instructions while they are being transmitted. Controls such as encryption can be used to protect the confidentiality of this information during transmission, while firewalls and rigorous access controls can help protect the information while it is stored on computer systems.

15.8.6 Certification Authority (CA) Principle

The certification authority discloses its key and certificate life cycle-management, business, and information privacy practices and provides its services in accordance with these practices. This includes the concepts of CA business-practice disclosures, service integrity, and environmental controls.

15.9 IIA Systems Assurance and Control (SAC)

The IIA provides the SAC model. The SAC model sets the stage for effective technology risk management by giving companies a framework to guide an evaluation of the e-business control environment. SAC recognizes the importance of governance, both within an organization and between business partners, to ensure effective security, auditability, and control of information. SAC provides current information to understand, monitor, assess, and mitigate technology risks. SAC examines risks in all business system components, including customers, competitors, regulators, and partners. Full details of the model can be found at http://www.theiia.org/eSAC/index.cfm, with a detailed discussion of the model at www.theiia.org/itaudit/index.cfm?fuseaction=forum&fid=411.

15.10 Corporate Governance

15.10.1 OECD Principles of Corporate Governance

The OECD Principles of Corporate Governance, amended in April 2004, set out a framework for good practice that has been agreed to by all 30 OECD member countries and has become a generally accepted standard (http://www.oecd.org/corporate). Originally issued in 1999, the principles are designed to assist governments and regulatory bodies in drawing up and enforcing effective rules, regulations, and codes of corporate governance. In parallel, they provide guidance for stock exchanges, investors, companies, and others that have a role in the process of developing good corporate governance. Although the OECD principles do not provide specific guidance on IT controls, other OECD units provide further guidance and research on information security and privacy.

15.10.2 EU Commission

The European Commission's Action Plan on Company Law and Corporate Governance was released in May 2003 to strengthen corporate governance mechanisms in public interest entities. (For details, see http://europa.eu.int/comm/internal_market/company/index_en.htm.) The EU's Corporate Governance initiatives do not address IT issues specifically, but activities of the Information Society

Appendix E – Assessing IT Controls Using COSO

The COSO Internal Control – Integrated Framework is recognized as a formal model for the purpose of Sarbanes-Oxley attestation by the SEC and provides a hierarchical categorization of controls. In addition, the audit standard from the PCAOB states:

"Because of the frequency with which management of public companies is expected to use COSO as the framework for the assessment, the directions in the standard are based on the COSO framework. Other suitable frameworks have been published in other countries and likely will be published in the future. Although different frameworks may not contain exactly the same elements as COSO, they should have elements that encompass all of COSO's general themes."

The COSO model was refined and enhanced during 2004 through development of the COSO Enterprise Risk Management – Integrated Framework (http://www.coso.org). This appendix describes the earlier framework, which is the version referenced for regulatory compliance. Nonetheless, the CAE should investigate the Enterprise Risk Management – Integrated Framework.

16.1 COSO Definition of Internal Control

COSO defines internal control (http://www.coso.org/key.htm) as "a process, effected by an organization's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations"

These distinct but overlapping categories address different needs, such that each requires a directed focus. The first category addresses an entity's basic business objectives, including performance and profitability goals and safeguarding of resources, which are impacted greatly by the use of IT.

The second category relates to the preparation of reliable published financial statements, including interim and condensed financial statements, as well as earnings releases and other selected publicly reported financial data derived from such statements. IT systems frequently produce such reports, and the controls over these systems play a major part in the level of internal control.

The third category deals with complying with those laws and regulations to which the entity is subject.

Internal control systems operate at different levels of effectiveness. Internal control can be judged effective in each of the three categories if the board of directors and management have reasonable assurance that:

• They understand the extent to which the entity's operations objectives are being achieved.

• Published financial statements are being prepared reliably.

• There is compliance with applicable laws and regulations.

Although internal control is a process, its effectiveness is a state or condition of the process at one or more points in time.

162 COSO Internal Control mdash Integrated Framework

Internal control consists of five interrelated componentsthat are derived from the way management runs a businessand are integrated with the management process Althoughthe components apply to all entities small and mid-sizeorganizations may implement them differently than largeenterprises A small organizationrsquos controls may be less for-mal and less structured yet it can still have effective inter-nal control The components are

1621 Control Environment

The control environment sets the tone for an organizationinfluencing the control consciousness of its people estab-lishing the foundation for all other components of internalcontrol and providing discipline and structure Controlenvironment factors include the integrity ethical valuesand competence of the entityrsquos people managementrsquos philos-ophy and operating style the way management assignsauthority and responsibility and organizes and develops itspeople and the attention and direction provided by theboard of directors

1622 Risk Assessment

Every entity faces a variety of risks from external and internal sources that must be assessed A precondition to riskassessment is the establishment of objectives that are linkedat different levels and are consistent internally Risk assess-ment identifies and analyzes the relevant risks to achievingthese objectives and forms a basis for determining how therisks should be managed Because economic industry regulatory and operating conditions will continue tochange organizations need mechanisms to identify and dealwith the special risks associated with change

1623 Control Activities

Control activities are the policies and procedures that helpensure management directives are carried out and that nec-essary actions are taken to address risks to achieving theseobjectives Control activities occur throughout the organiza-tion at all levels and in all functions They include a rangeof activities as diverse as approvals authorizations verifica-tions reconciliations reviews of operating performancesecurity of assets and segregation of duties

16.2.4 Information and Communication

Pertinent information must be identified, captured, and communicated in a form and time frame that enables people to perform their responsibilities. Information systems produce reports containing operational, financial, and compliance-related information that make it possible to run and control the business. They deal not only with internally generated data but also with information about external events, activities, and conditions necessary for informed business decision-making and external reporting. Effective communication must also occur in a broader sense, flowing down, across, and up the organization. All personnel must receive a clear message from top management that control responsibilities have to be taken seriously. They need to understand their own role in the internal control system, as well as how individual activities relate to the work of others. They must have a means of communicating significant information upstream. There also needs to be effective communication with external parties such as customers, suppliers, regulators, and shareholders.

16.2.5 Monitoring

Internal control systems need to be monitored to assess the quality of their performance over time. This is accomplished through ongoing monitoring activities, separate evaluations, or a combination of the two. Ongoing monitoring occurs in the course of operations and includes regular management and supervisory activities and other actions personnel take in performing their duties. The scope and frequency of separate evaluations will depend primarily on an assessment of risks and the effectiveness of ongoing monitoring procedures. Internal control deficiencies should be reported upstream, with serious matters reported to top management and the board.

There is synergy and linkage among the components, forming an integrated system that reacts dynamically to changing conditions. The internal control system is intertwined with the entity's operating activities and exists for fundamental business reasons. Internal control is most effective when controls are built into the entity's infrastructure and are a part of the essence of the enterprise. Built-in controls support quality and empowerment initiatives, avoid unnecessary costs, and enable quick response to changing conditions.

There is a direct relationship between the three COSO categories of objectives (effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations), which are what an entity strives to achieve, and the components needed to achieve those objectives. All components are relevant to each objectives category. When looking at any one category, the effectiveness and efficiency of operations for instance, all five components must be present and functioning effectively to conclude that internal control over operations is effective.

The internal control definition (with its underlying fundamental concepts of a process, effected by people, providing reasonable assurance), together with the categorization of objectives, the components and criteria for effectiveness, and the associated discussions, constitute this internal control framework.

GTAG – Appendix F – ITGI Control Objectives for Information and Related Technology (CobiT) – 17

Organizations must satisfy the quality, fiduciary, and security requirements for their information, as for all assets. Management must also optimize the use of available resources, including data, application systems, technology, facilities, and people. To discharge these responsibilities, as well as to achieve its objectives, management must establish an adequate system of internal control. Thus, an internal control system or framework must be in place to support the business processes, and it must be clear how each individual control activity satisfies the information requirements and impacts the resources. Impact on IT resources is highlighted in the CobiT framework, together with the business requirements for effectiveness, efficiency, confidentiality, integrity, availability, compliance, and reliability of information that need to be satisfied. Control, which includes policies, organizational structures, practices, and procedures, is management's responsibility. Management, through its corporate and IT governance, must ensure that due diligence is exercised by all individuals involved in the management, use, design, development, maintenance, or operation of information systems.

Business orientation is the main theme of CobiT. It is designed not only to be employed by users and auditors, but also, and more importantly, as a comprehensive checklist for business process owners. Increasingly, business practice involves the full empowerment of business process owners so they have total responsibility for all aspects of the business process. In particular, this includes providing adequate controls. The CobiT framework provides a tool for the business process owner that facilitates the discharge of this responsibility. The framework starts from a simple and pragmatic premise: in order to provide the information that the organization needs to achieve its objectives, IT resources need to be managed by a set of naturally grouped processes.

CobiT continues with a set of 34 high-level control objectives, one for each of the IT processes, grouped into four domains: Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate.

Plan and Organize – This domain covers strategy and tactics and concerns the identification of the way IT can best contribute to the achievement of business objectives.

1. Define a strategic IT plan
2. Define the information architecture
3. Determine the technological direction
4. Define the IT organization and relationships
5. Manage the IT investment
6. Communicate management aims and direction
7. Manage human resources
8. Ensure compliance with external requirements
9. Assess risks
10. Manage projects
11. Manage quality

Acquire and Implement – To realize the IT strategy, IT solutions need to be identified, developed or acquired, as well as implemented and integrated into the business process. In addition, changes in and maintenance of existing systems are covered by this domain to make sure that the life cycle is continued for these systems.

12. Identify automated solutions
13. Acquire and maintain application software
14. Acquire and maintain technology architecture
15. Develop and maintain IT procedures
16. Install and accredit systems
17. Manage changes

Deliver and Support – This domain is concerned with the actual delivery of required services, which range from traditional operations, through security and continuity aspects, to training. This domain includes the actual processing of data by application systems.

18. Define and manage service levels
19. Manage third-party services
20. Manage performance and capacity
21. Ensure continuous service
22. Ensure systems security
23. Identify and allocate costs
24. Educate and train users
25. Assist and advise IT customers
26. Manage the configuration
27. Manage problems and incidents
28. Manage data
29. Manage facilities
30. Manage operations

Monitor and Evaluate – All IT processes need to be assessed regularly over time for their quality and compliance with control requirements. This domain thus addresses management's oversight of the organization's control process and independent assurance provided by internal and external auditing or obtained from alternative sources.

31. Monitor the processes
32. Assess internal control adequacy
33. Obtain independent assurance
34. Provide for independent audit

This structure covers all aspects of information and the technology that supports it. By addressing these 34 high-level control objectives, the business process owner can ensure that an adequate control system is provided for the IT environment.

CobiT is comprised of:

• An executive summary, which provides an overview of CobiT's issues and foundational premise

• The CobiT framework, which describes in detail the high-level IT control objectives and identifies the business requirements for information and IT resources primarily impacted by each control objective

• Control objectives: statements of the desired results or purposes to be achieved by implementing the specific detailed control objectives

• Audit guidelines: suggested audit steps corresponding to each of the IT control objectives

• An implementation tool set, which provides lessons learned from those organizations that successfully applied CobiT in their work environments and several tools to help management assess their control environment related to information and IT resources

• Management guidelines, which are composed of maturity models to help determine the stages and expectation levels of control; critical success factors to identify the most important actions for achieving control over the IT processes; key goal indicators to define target levels of performance; and key performance indicators to measure whether an IT control process is meeting its objective

Copyright © 2000 by ITGI and reprinted with the permission of the ITGI. No other right or permission is granted with respect to this work.

Designated by the IT Governance Institute (ITGI) and ISACA as an open standard, this portion of CobiT may be downloaded from http://www.itgi.org and http://www.isaca.org.

CobiT, now in its third edition and available in hard copy or interactive online format (CobiT Online), increasingly is accepted internationally as good practice for control over information, IT, and related risks. Its guidance enables an enterprise to implement effective governance over the IT that is pervasive and intrinsic throughout the enterprise.

GTAG – Appendix G – Example IT Control Metrics to Be Considered by Audit Committees – 18

The following metrics descriptions are taken from the Corporate Information Security Working Group (CISWG) draft report of the Best Practices and Metrics teams, November 17, 2004. During Phase I of the CISWG, convened in November 2003 by Rep. Adam Putnam (R-FL), the Best Practices team surveyed available information security guidance. It concluded in its March 2004 report [7] that much of this guidance is expressed at a relatively high level of abstraction and therefore is not useful immediately as actionable guidance without significant and often costly elaboration. A one-page listing of Information Security Program Elements, regarded as essential content for comprehensive enterprise management of information security, was created, upon which it was hoped future actionable guidance could be built for use by a wide variety of organizations.

The Best Practices and Metrics teams of CISWG Phase II, convened in June 2004, were charged with expanding on the work of Phase I by refining the Information Security Program Elements and developing metrics to support each of the elements. The goal was to develop a resource that would help board members, managers, and technical staff establish a comprehensive structure of principles, policies, processes, controls, and performance metrics to support the people, process, and technology aspects of information security.

These generic metrics can be used as the basis for determining regular reporting requirements for the audit committee, although they are not meant to be a "one-size-fits-all" solution. The full set of draft metrics, along with explanatory notes and descriptions, can be found under the "Technology" section of http://www.theiia.org.

The Information Security Program Elements and Supporting Metrics are intended to enable boards, management, and technical staff to monitor the status and progress of their organization's information security program over time. Each organization should thoughtfully consider which program elements and metrics might be helpful in its own circumstances. It should then set its own implementation priorities and establish an appropriate policy, process, and control structure. Larger and more complex organizations will create policies, processes, and controls in each program element that inevitably will be more extensive than those a smaller organization might choose to implement.

18.1 Metrics for Boards of Directors/Trustees

Establishing a competent information security program requires board members to devote attention to certain program elements. Board members can use the following metrics as part of their information security responsibilities. Board members generally should find the best target value for each metric (higher or lower) to be self-evident.

• Oversee risk management and compliance programs pertaining to information security
  – Percentage of key information assets for which a comprehensive strategy has been implemented to mitigate information security risks as necessary and to maintain these risks within acceptable thresholds
  – Percentage of key organizational functions for which a comprehensive strategy has been implemented to mitigate information security risks as necessary and to maintain these risks within acceptable thresholds
  – Percentage of key external requirements for which the organization has been deemed to be in compliance by an objective audit or other means

• Approve and adopt broad information security program principles and approve assignment of key managers responsible for information security
  – Percentage of information security program principles for which approved policies and controls have been implemented by management
  – Percentage of key information security management roles for which responsibilities, accountabilities, and authority are assigned and required skills identified

• Strive to protect the interests of all stakeholders who depend on information security
  – Percentage of board meetings and/or designated committee meetings for which information security is on the agenda
  – Percentage of security incidents that caused damage, compromise, or loss beyond established thresholds to the organization's assets, functions, or stakeholders
  – Estimated damage or loss in dollars resulting from all security incidents in each of the past four reporting periods

• Review information security policies regarding strategic partners and other third parties
  – Percentage of strategic partner and other third-party relationships for which information security requirements have been implemented in agreements

• Strive to ensure business continuity
  – Percentage of organizational units with an established business-continuity plan

• Review provisions for internal and external audits of the information security program
  – Percentage of required internal and external audits completed and reviewed by the board
  – Percentage of audit findings that have not been resolved

• Collaborate with management to specify the information security metrics to be reported to the board

18.2 Metrics for Management

The following program elements and metrics are intended to help management implement the information security goals and policies established by the board as part of an effective information security program.

[7] http://reform.house.gov/TIPRC

• Establish information security management policies and controls and monitor compliance
  – Percentage of information security program elements for which approved policies and controls are operational
  – Percentage of staff assigned responsibilities for information security policies and controls who have acknowledged accountability for their responsibilities in connection with those policies and controls
  – Percentage of information security policy compliance reviews that noted violations
  – Percentage of business-unit heads and senior managers who have implemented operational procedures to ensure compliance with approved information security policies and controls

• Assign information security roles, responsibilities, and required skills, and enforce role-based information-access privileges
  – Percentage of new employees hired this reporting period who satisfactorily completed security-awareness training before being granted network access
  – Percentage of employees who have completed periodic security-awareness refresher training as required by policy
  – Percentage of position descriptions that define the information security roles, responsibilities, skills, and certifications for:
    + Security managers and administrators
    + IT personnel
    + General staff/system users
  – Percentage of job performance reviews that evaluate information security responsibilities and policy compliance
  – Percentage of user roles, systems, and applications that comply with the separation-of-duties principle
  – Number of individuals with access to security software who are not trained and authorized security administrators
  – Number of individuals who are able to assign security privileges for systems and applications who are not trained and authorized security administrators
  – Percentage of users whose access privileges have been reviewed this reporting period, including:
    + Employees with high-level system and application privileges
    + All other employees
    + Contractors
    + Vendors
    + Terminated employees and contractors
  – Percentage of users who have undergone background checks

• Assess information risks, establish risk thresholds, and actively manage risk mitigation
  – Percentage of critical information assets and information-dependent functions for which some form of risk assessment has been performed and documented as required by policy
  – Percentage of critical assets and functions for which the cost of compromise (loss, damage, disclosure, or disruption of access) has been quantified
  – Percentage of identified risks that have a defined risk mitigation plan against which status is reported in accordance with policy

• Ensure implementation of information security requirements for strategic partners and other third parties
  – Percentage of known information security risks that are related to third-party relationships
  – Percentage of critical information assets or functions to which third-party personnel have been given access
  – Percentage of third-party personnel with current information access privileges who a designated authority has deemed to have continued need for access in accordance with policy
  – Percentage of systems with critical information assets or functions that are connected to third-party systems electronically
  – Percentage of security incidents that involve third-party personnel
  – Percentage of third-party agreements that include or demonstrate external verification of policies and procedures
  – Percentage of third-party relationships that have been reviewed for compliance with information security requirements
  – Percentage of out-of-compliance review findings that have been corrected since the last review

• Identify and classify information assets
  – Percentage of information assets that have been reviewed and classified by the designated owner in accordance with the classification scheme established by policy
  – Percentage of information assets with defined access privileges that have been assigned based on role and in accordance with policy
  – Date when the asset inventory was last updated

• Implement and test business-continuity plans
  – Percentage of organizational units with a documented business-continuity plan for which specific responsibilities have been assigned
  – Percentage of business-continuity plans that have been reviewed, exercised and tested, and updated in accordance with policy

• Approve information systems architecture during acquisition, development, operations, and maintenance
  – Percentage of information security risks related to systems architecture identified in the most recent risk assessment that have been mitigated adequately
  – Percentage of system architecture changes (additions, modifications, or deletions) that were reviewed for security impacts, approved by the appropriate authority, and documented via change-request forms
  – Percentage of critical information assets or functions residing on systems that are out of compliance with the approved systems architecture

• Protect the physical environment
  – Percentage of critical organizational information assets and functions that have been reviewed from the perspective of physical risks, such as controlling physical access and physical protection of backup media
  – Percentage of critical organizational information assets and functions exposed to physical risks for which risk mitigation actions have been implemented
  – Percentage of critical assets that have been reviewed from the perspective of environmental risks, such as temperature, fire, and flooding
  – Percentage of servers in locations with controlled physical access
  – Percentage of information security requirements of applicable laws and regulations that are included in the internal and external audit program and schedule
  – Percentage of information security audits conducted in compliance with the approved internal and external audit program and schedule
  – Percentage of management actions in response to audit findings and recommendations that were implemented as agreed upon regarding timeliness and completeness

• Collaborate with security personnel to specify the information security metrics to be reported to management
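Several of the access-privilege metrics in the list above (separation-of-duties compliance, the count of individuals who can assign privileges without being authorized administrators, and review coverage broken down by privileged users, other employees, contractors, vendors, and terminated staff) are only meaningful if they are computed the same way every reporting period from the actual account inventory. The script below is an added example, not part of the GTAG or the CISWG report; the inventory fields, the separation-of-duties conflict table, the reporting period, and the five sample accounts are all constructed assumptions. It deliberately includes the findings an auditor looks for: a user holding a conflicting pair of roles, a helpdesk account that can grant privileges, an account that has never been reviewed, and a terminated contractor whose account still exists.

```python
"""Computing access-privilege metrics from an account inventory.

Added example, not from the GTAG or the CISWG report. Field names, the
separation-of-duties conflict table, the reporting period and the sample
accounts are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Iterable, List, Optional

# Assumed separation-of-duties policy: an account that holds every role in a
# conflict set violates the principle. The pairs are illustrative only.
SOD_CONFLICTS = (
    frozenset({"vendor_create", "payment_approve"}),
    frozenset({"developer", "production_deploy"}),
)

# Assumed start of the current reporting period.
PERIOD_START = date(2005, 1, 1)


@dataclass(frozen=True)
class Account:
    user: str
    population: str               # "employee", "contractor" or "vendor"
    roles: frozenset
    privileged: bool              # high-level system/application privileges
    can_assign_privileges: bool   # able to grant security privileges to others
    authorized_admin: bool        # trained and authorized security administrator
    terminated: bool              # HR says gone; the account should not exist
    last_review: Optional[date]   # last access review by a designated authority


# Constructed sample inventory with deliberate findings in it.
ACCOUNTS = (
    Account("alice", "employee", frozenset({"vendor_create", "payment_approve"}),
            False, False, False, False, date(2005, 2, 10)),  # SoD conflict
    Account("bob", "employee", frozenset({"security_admin"}),
            True, True, True, False, date(2005, 1, 20)),
    Account("carol", "employee", frozenset({"helpdesk"}),
            False, True, False, False, None),                # grants rights, not an admin, never reviewed
    Account("dave", "contractor", frozenset({"developer", "production_deploy"}),
            True, False, False, True, date(2004, 6, 1)),     # terminated, account still present
    Account("erin", "vendor", frozenset({"ap_clerk"}),
            False, False, False, False, date(2005, 3, 1)),
)


def sod_violations(accounts: Iterable[Account] = ACCOUNTS) -> List[str]:
    """Users holding a complete conflict set of roles."""
    return sorted(a.user for a in accounts
                  if any(conflict <= a.roles for conflict in SOD_CONFLICTS))


def unauthorized_privilege_assigners(accounts: Iterable[Account] = ACCOUNTS) -> List[str]:
    """Individuals able to assign security privileges who are not trained and
    authorized security administrators. The target value is zero."""
    return sorted(a.user for a in accounts
                  if a.can_assign_privileges and not a.authorized_admin)


def terminated_with_access(accounts: Iterable[Account] = ACCOUNTS) -> List[str]:
    """Terminated employees or contractors whose accounts still exist (target: zero)."""
    return sorted(a.user for a in accounts if a.terminated)


def pct_reviewed(accounts: Iterable[Account], period_start: date = PERIOD_START) -> float:
    """Percentage of the given accounts reviewed on or after period_start.
    An account that has never been reviewed counts as not reviewed."""
    accounts = list(accounts)
    if not accounts:
        return 0.0
    reviewed = sum(1 for a in accounts
                   if a.last_review is not None and a.last_review >= period_start)
    return round(100.0 * reviewed / len(accounts), 1)


def review_coverage(accounts: Iterable[Account] = ACCOUNTS,
                    period_start: date = PERIOD_START) -> dict:
    """Review coverage broken down the way the metric above lists it."""
    accounts = list(accounts)
    groups = {
        "privileged": [a for a in accounts if a.privileged],
        "other_employees": [a for a in accounts
                            if a.population == "employee" and not a.privileged],
        "contractors": [a for a in accounts if a.population == "contractor"],
        "vendors": [a for a in accounts if a.population == "vendor"],
        "terminated": [a for a in accounts if a.terminated],
    }
    return {name: pct_reviewed(group, period_start) for name, group in groups.items()}


def pct_sod_compliant(accounts: Iterable[Account] = ACCOUNTS) -> float:
    """Percentage of user accounts that comply with separation of duties."""
    accounts = list(accounts)
    if not accounts:
        return 0.0
    violators = set(sod_violations(accounts))
    return round(100.0 * (len(accounts) - len(violators)) / len(accounts), 1)


if __name__ == "__main__":
    print("SoD violations:", sod_violations())
    print("SoD compliant: %.1f%%" % pct_sod_compliant())
    print("Can assign privileges, not authorized admins:", unauthorized_privilege_assigners())
    print("Terminated but still present:", terminated_with_access())
    for group, pct in review_coverage().items():
        print("Reviewed this period, %s: %.1f%%" % (group, pct))
```

Each function returns the figure, or the list of offending accounts, rather than only printing it, so the same code can feed a management dashboard and an audit workpaper; the named lists are the evidence an auditor needs behind a "number of individuals" metric. Two design points matter for the numbers to be trustworthy: an account with no recorded review counts as unreviewed rather than being silently dropped, and terminated accounts are reported as a separate population instead of being filtered out, since a terminated account still in the inventory is itself a finding.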


GTAG – Appendix H – CAE Checklist – 19

CAEs can use this checklist to examine their IT control framework to ensure the organization has addressed all control elements. The checklist can help the CAE understand the issues and plan for full internal audit coverage of the control areas.

Action

1. Identify the IT control environment of the organization, including:
   a. Values
   b. Philosophy
   c. Management style
   d. IT awareness
   e. Organization
   f. Policies
   g. Standards

2. Identify relevant legislation and regulation impacting IT control, such as:
   a. Governance
   b. Reporting
   c. Data protection
   d. Compliance

3. Identify the roles and responsibilities for IT control in relation to:
   a. Board of directors
      i. Audit committee
      ii. Risk committee
      iii. Governance committee
      iv. Finance committee
   b. Management
      i. CEO
      ii. CFO and controller
      iii. CIO
      iv. CSO
      v. CISO
      vi. CLC
      vii. CRO
   c. Audit
      i. Internal audit
      ii. External audit

Questions

1. Do corporate policies and standards that describe the need for IT controls exist?
2. What legislation exists that impacts on the need for IT controls?
3. Has management taken steps to ensure compliance with this legislation?
4. Have all the relevant responsibilities for IT controls been allocated to individual roles?
5. Is the allocation of responsibilities compatible with the need to apply division of duties?
6. Are IT responsibilities documented?
7. Are IT control responsibilities communicated to the whole organization?
8. Do individual role holders clearly understand their responsibilities in relation to IT controls?
9. What evidence is there of individual role holders exercising their responsibilities?
10. Does internal auditing employ sufficient IT audit specialists to address the IT control issues?

Action

4. Identify the risk assessment process. Does it cover:
   a. Risk appetite
   b. Risk tolerances
   c. Risk analysis
   d. Matching risks to IT controls

5. Identify all monitoring processes, including:
   a. Regulatory
   b. Normal in-house
   c. Other than internal auditing

6. Identify information and communication mechanisms:
   a. Control information
   b. Control failures

Questions

11. How is the risk appetite and tolerance of the organization determined?
12. Is the risk appetite and tolerance of the organization authorized at board level?
13. Is the risk appetite and tolerance clearly understood by all those with a responsibility for IT control?
14. Is a formal risk analysis process used by the organization?
15. Is the process understood by all those with responsibility for IT control?
16. Is the process used consistently throughout the organization?
17. What processes exist to monitor compliance with all relevant legislation plus internal policies and standards?
18. Are there monitoring processes carried out by management outside of internal audit?
19. What metrics are provided to the board of directors, its committees, and management in relation to IT security?
20. What additional reports are provided to the board of directors and to management on a regular basis?
21. Is management always provided with reports when there are IT control failures?
22. Do the board of directors and its committees receive similar reports of IT control failures?

GTAG – Appendix I – References – 20

The following list of information security reference material is taken from a list compiled by the CISWG of the Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census, and the Government Reform Committee of the US House of Representatives. The full list can be found at http://www.reform.house.gov/TIPRC or under the "Technology" section of http://www.theiia.org. The documents are classified into four sections, relating to governance, management, technical issues, and auditing IT.

20.1 Governance

Board Briefing on IT Governance, ITGI. http://www.itgi.org/Template_ITGI.cfm?Section=ITGI&CONTENTID=6658&TEMPLATE=/ContentManagement/ContentDisplay.cfm

Information Security Governance: Guidance for Boards of Directors and Executive Management, ITGI. http://www.itgi.org

Information Security Management and Assurance: three-report series from The IIA, the National Association of Corporate Directors (NACD), the US Critical Infrastructure Assurance Office, et al. http://www.theiia.org/esac/index.cfm?fuseaction=or&page=rciap

Information Security Oversight: Essential Board Practices, NACD. http://www.nacdonline.org/publications/pubDetails.asp?pubID=138&user=6158BBEB9D7C4EE0B9E4B98B601E3716

IT Governance Implementation Guide, ISACA. http://www.isaca.org/Template.cfm?Section=Browse_By_Topic&Template=/Ecommerce/ProductDisplay.cfm&ProductID=503

Turnbull Report – Internal Control: Guidance for Directors on the Combined Code, Institute of Chartered Accountants in England & Wales. http://www.icaew.co.uk/index.cfm?AUB=TB2I_6242MNXI_47896

20.2 Management

BS 7799 – Parts 1 & 2: Code of Practice for Information Security Management, British Standards Institution. http://www.bsi.org.uk

Common Sense Guide for Senior Managers, Internet Security Alliance. http://www.isalliance.org

Corporate Information Security Evaluation for CEOs, TechNet. http://www.technet.org/cybersecurity

Generally Accepted Information Security Principles (GAISP), Information Systems Security Association. Currently available: Generally Accepted Systems Security Principles (GASSP), consisting of Pervasive Principles and Broad Functional Principles; Detailed Principles are under development. http://www.issa.org/gaisp/gaisp.html

Generally Accepted Principles and Practices for Securing Information Technology Systems (GAPP), NIST SP 800-14, September 1996 (Marianne Swanson & Barbara Guttman): eight generally accepted principles (see OECD) and "Common IT Security Practices". See also NIST SP 800-18, "Guide for Developing Security Plans for Information Technology Systems", December 1998. http://csrc.nist.gov/publications/nistpubs/index.html

ICC Handbook on Information Security Policy for Small to Medium Enterprises, International Chamber of Commerce (ICC). http://www.iccwbo.org/home/e_business/word_documents/SECURITY-final.pdf

IFAC International Guidelines on Information Technology Management – Managing Information Technology Planning for Business Impact, International Federation of Accountants. http://www.ifac.org

Information Security for Executives, Business and Industry Advisory Committee to the OECD and ICC. http://www.iccwbo.org/home/e_business/word_documents/SECURITY-final.pdf

ISO 17799 – Information Technology – Code of Practice for Information Security Management, International Organization for Standardization (ISO). http://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=33441&ICS1=35&ICS2=40&ICS3

OECD Guidelines for the Security of Information Systems and Networks: nine pervasive principles for information security upon which several other guides are based, OECD. http://www.oecd.org/document/42/0,2340,en_2649_33703_15582250_1_1_1_1,00.html

Standard of Good Practice for Information Security, Information Security Forum. http://www.isfsecuritystandard.com/index_ie.htm

Trust Services Criteria (including SysTrust and WebTrust), American Institute of Certified Public Accountants. http://www.aicpa.org/trustservices

20.3 Technical Issues

Consensus Benchmarks, Center for Internet Security. http://www.cisecurity.org

DISA Security Technical Implementation Guides. http://csrc.nist.gov/pcig/cig.html


ISO 15408, Common Criteria. http://csrc.nist.gov/cc/ccv20/ccv2list.htm

ISO TR 13335 – Guidelines for the Management of Information Security, Parts 1-5. http://www.iso.org/iso/en/StandardsQueryFormHandler.StandardsQueryFormHandler

IT Baseline Protection Manual (P BSI 7152 E 1), Bundesamt für Sicherheit in der Informationstechnik. http://www.bsi.bund.de/gshb/english/menue.htm

ITCG: Information Technology Control Guidelines, Canadian Institute of Chartered Accountants (CICA). http://www.cica.ca

NIST Configuration Guides, National Institute of Standards and Technology (NIST). http://csrc.nist.gov/pcig/cig.html

NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook, NIST. http://csrc.nist.gov/publications/nistpubs/index.html

NIST SP 800-30, Risk Management Guide for Information Technology Systems, NIST. http://csrc.nist.gov/publications/nistpubs/index.html

NSA Configuration Guides. http://www.nsa.gov/snac

SANS Step-by-Step Guides, SANS Institute. http://www.store.sans.org

20.4 Auditing IT

Control Objectives for Information and Related Technology (CobiT), ISACA. http://www.isaca.org

Federal Information System Controls Audit Manual (FISCAM), US Government Accountability Office. http://www.gao.gov

Information Technology Control Guidelines (ITCG), CICA. http://www.cica.ca

Systems Assurance and Control (SAC), IIA Research Foundation. http://www.theiia.org/eSAC

Systems Auditability and Control (SAC), IIA Research Foundation. http://www.theiia.org/eSAC


GTAG – Appendix J – Glossary – 21

A listing of technical terms used in the guide, each with a simple, plain-English definition.

Application control – A control related to the specific functioning of an application system that supports a specific business process. Common applications include accounts payable, inventory management, and general ledger. Integrated applications combine the functions of many business processes into integrated systems sharing common databases.

Assurance – The act of assuring; a declaration tending to inspire full confidence; that which is designed to give confidence.

CAE – Chief audit executive

CEO – Chief executive officer

CFO – Chief financial officer (and controller)

CIO – Chief information officer

CISO – Chief information security officer

CLC – Chief legal counsel

COSO – The Committee of Sponsoring Organizations of the Treadway Commission (the National Commission on Fraudulent Financial Reporting). See http://www.coso.org

CRM – Customer relationship management

CSO – Chief security officer

Cyber attack – As used in this guide, a criminal act perpetrated by the use of computers and telecommunications capabilities, resulting in violence, destruction, and/or disruption of services to create fear by causing confusion and uncertainty within a given population, with the goal of influencing a government or population to conform to a particular political, social, or ideological agenda. This is the narrow, terrorism-oriented sense of the term; in general use, a cyber attack is any deliberate attempt to compromise the confidentiality, integrity, or availability of information systems, whatever the attacker's motive.

Effective – Getting a job done, with or without regard for efficiency. If the law requires you to do something, it probably does not require you to do it efficiently, as evidenced by Sarbanes-Oxley compliance and the frequent complaint that companies are spending huge sums with no apparent value added to the organization or stakeholders.

Efficient – To be efficient, a process or activity must also be effective. Information Technology Process Institute studies show that best-of-breed organizations enjoy considerable efficiencies by maintaining an effective set of control and monitoring practices and resolving the source of the problem rather than only responding to the symptoms.

Framework – A structure for organizing something (e.g., governance issues, controls) to highlight needs at the various levels of an organization as well as for its activities and processes. A control framework is an outline that identifies the need for controls but does not depict how they are applied. Each organization and organizational unit provides a level of detail related to its own control objectives and control practices.

General control – A control that applies generally to the IT environment or overall mix of systems, networks, data, people, and processes (also known as IT infrastructure).

GLBA – US Gramm-Leach-Bliley Act

Governance – The combination of processes and structures implemented by the board to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives.

GTAG – Global Technology Audit Guide

HIPAA – US Health Insurance Portability and Accountability Act

Information asset – Information assets are based in the value of information to the worth and continued existence of the organization. A distinction is made between information assets and information resources because information resources are generally considered to include the related human resources, and human resources are not considered to be owned by the organization.

Information resource – Includes all elements of the organization involved in information processing (e.g., acquisition, processing, communication, and storage), including the related hardware, software, processes, and personnel.

Information security – The concepts, techniques, technical measures, and administrative measures used to protect information assets from deliberate or inadvertent unauthorized acquisition, damage, disclosure, manipulation, modification, loss, or use.

Information technology (IT) – All the computer hardware and software used to process information and provide communications; the processes for administering and maintaining the technology; and the human resources associated with the use of technology.

ISO 17799 ndash Code of Practice for Information SecurityManagement See httpwwwisoorg

IT controls ndash Those controls that provide reasonable assur-ance of the secure reliable and resilient performance ofhardware software processes and personnel as well as thereliability of the organizationrsquos information

IT infrastructure ndash The overall IT environment includingsystems networks data people and processesInfrastructures can also include the interaction of busi-nesses and industries in mutual support through sharedmedia and services such as the Internet energy financialservices utilities government and transportation To theextent that infrastructures support national and regionaleconomies defenses and business continuity they areknown as critical infrastructures

ITPI ndash IT Process Institute See httpwwwitpiorg

Public Company Accounting Oversight Board (PCAOB) ndashA board of the US Securities and Exchange Commissionestablished by the Sarbanes-Oxley Act of 2002 as an over-sight body for public financial reporting and auditing

Risk appetite ndash Defined by COSO as ldquothe degree of risk ona broad-based level that a company or other organizationis willing to accept in pursuit of its goals Managementconsiders the organizationrsquos risk appetite first in evaluatingstrategic alternatives then in setting objectives alignedwith the selected strategy and in developing mechanismsto manage the related risksrdquo

Risk management ndash The ongoing identification measure-ment and mitigation of risk through the demonstrablycost-efficient implementation and administration of con-trol over the known and knowable risks of threat eventsthat can affect the confidentiality integrity or availabilityof an organizationrsquos information assets adversely

Risk Tolerance ndash Defined by COSO as ldquothe acceptable levelof variation relative to the achievement of objectives Insetting specific risk tolerances management considers therelative importance of the related objectives and alignsrisk tolerances with its risk appetiterdquo


GTAG — Appendix K — About the Global Technology Audit Guides — 22


This IT controls guide is the first in a series of GTAGs, which will give CAEs and internal auditors a source of information for educating and informing themselves and others within the organization who have responsibilities related to IT control.

The GTAGs will provide guidance on a variety of IT topics. Each guide will describe the underlying technology, facts, and issues sufficiently to explain business opportunities, risks, and related controls and their impacts on the overall system of internal controls. Subjects to be addressed in the GTAG series will be determined by current and emerging technology areas and their potential ramifications for internal controls and assurance. Planned topics for guides include intrusion protection, security management, change management, wireless security, identity management, and authentication.

22.1 Parties to the GTAG Program

Each GTAG guide is developed through interaction with technical audit and security experts, audit executives, technology vendors, and the associations and individuals that represent board members, chief executives, financial executives, information technology professionals, and security executives. Involvement from The IIA's international affiliates and partners supports the global perspective of the guides. Other professionals representing specialized views, such as legal, insurance, regulatory, and standards, will be included as appropriate within individual GTAG projects.

The IIA is joined in this GTAG project by a specially selected team of professional associations, academic institutions, and practitioners in both auditing and technology. The IIA is grateful for the support provided by this team, as the guide would not have been possible without them. For The IIA to provide meaningful guidance to auditors about how to relate to audit customers, it is essential to gain agreement with the key representatives of those customers. To speak to a global audience, the guide needs consensus from a broad group representing many of the countries where internal auditors operate. So we thank both the individuals and the organizations who contributed so much to this guide.

23.1 IT Controls Advisory Council

The Advisory Council is made up of individuals who contributed to the development of this guide from the outset of planning the GTAG project, through design and development of the IT Controls Guide outline and various drafts, to the completion of the final product. These individuals went beyond the role of a volunteer support team to truly act in a leadership role.

Julia H. Allen, CMU/SEI, Carnegie-Mellon University/Software Engineering Institute

Michael R. Dickson, Business Technology Group LLC

Clint Kreitner, President/CEO, CIS, The Center for Internet Security

Alex Lajoux, NACD, National Association of Corporate Directors

Will Ozier, Vice Chair, the ISSA GAIS Committee; CEO & President, OPA Inc., The Integrated Risk Management Group, USA

Mark Salamasick, CIA, University of Texas at Dallas

Karyn Waller, AICPA, American Institute of Certified Public Accountants

23.2 Partner Organizations

AICPA – Michael R. Dickson, Karyn Waller, American Institute of Certified Public Accountants

CIS – Clint Kreitner, Center for Internet Security

CMU/SEI – Julia Allen, Bob Rosenstein, Carnegie-Mellon University/Software Engineering Institute

ISSA – Dave Cullinane, President; Bob Daniels, Exec. Vice President, Information Systems Security Association

NACD – Peter Gleason, Alex Lajoux, National Association of Corporate Directors

SANS Institute – Alan Paller, Director of Research; Stephen Northcutt, COO

23.3 Project Review Team

Peter Allor, ISS, Internet Security Systems

Jack Antonelli, ADP

Ken D. Askelson, CIA, JC Penney Co. Inc.

Becky Bace, Infidel Inc.

Kevin Behr, IPSI, Institute for Integrated Publication and Information Systems

Jeff Benson, BearingPoint

Robert S. Block, Chairman, 3D Business Tools, USA

Sylvia Boyd, The IIA

Alexandra Branisteanu, Information Security Officer, Scripps Health, San Diego, USA

Larry Brown, Options Clearing Corp.

Stephanie Bryant, University of South Florida

Phil Campbell, Specialized IT LLC, USA

John Carlson, BITS, Banking Industry Technology Secretariat

Chris Compton, Intrusion Labs

Guy Copeland, CSC, Computer Sciences Corp.

Rich Crawford, Vice President/Senior Security Advisor, Janus Risk Management, USA

Bob Daniels, EDS

Bob Dix, US House of Representatives


GTAG — Appendix L — GTAG Partners and Global Project Team — 23


Jerry E. Durant, CIA, President, Certifiable Technologies Ltd., Orlando, Fla., USA

Emily Frye, Critical Infrastructure Protections Program, George Mason University School of Law, USA

Greg Garcia, ITAA, Information Technology Association of America

Russ Gates, Dupage Consulting LLC

Lou Giles, Chevron Phillips Chemical Co.

Doug Guerrero, EDS

Kai Tamara Hare, Nuserve

Michael S. Hines, CIA, Purdue University

Bob Hirth, Protiviti

Don Holden, CISSP, Concordant Inc., USA

Dave Kern, Ethentica

Gene Kim, CTO, Tripwire Inc., USA

Jim Kolouch, BearingPoint

David Kowal, VP, JP Morgan Chase

Paul Kurtz, CSIA, Cyber Security Industry Alliance

Cindy LeRouge, PhD, Decision Sciences/MIS Department, John Cook School of Business, St. Louis University, USA

Andrée Lavigne, CICA, Canadian Institute of Chartered Accountants

Debbie Lew, Guidance Software

Brenda Lovell, CIA, CCSA, CGAP, The IIA

Warren Malmquist, Adolph Coors Co.

Stacy Mantzaris, CIA, IIA

Dennis Miller, Heritage Bank

Patrick Morrissey, Auditwire

Bruce Moulton, Symantec

Paul Moxey, ACCA, Association of Chartered Certified Accountants

Roseane Paligo, CIA, Chief Financial Officer, 1st Choice Community Federal Credit Union, USA

Fred Palmer, Palmer Associates

Xenia Parker, CIA, CFSA, VP, Enterprise Technology Group, Marsh Inc.

Bernie Plagman, TechPar Group

Heriot Prentice, MIIA, FIIA, QiCA, The IIA

Dick Price, Beacon IT Ltd., BS 7799 Consultancy, USA

Michael Quint, Corporate Compliance Officer, EDS Corporate Audit, USA

Sridhar Ramamoorti, CIA, CFSA, Ernst & Young LLP, Chicago, IL, USA

Amy Ray, Bentley College

Martin Ross, GSC, Global Security Consortium

Chip Schilb, EDS, USA

Howard Schmidt, eBay

Mark Silver, Symantec

George Spafford, President, Spafford Global Consulting, Saint Joseph, IL, USA

Adam Stone, Assurant

Jay H. Stott, CIA, Fidelity Investments

Dan Swanson, CIA, IIA

Jay R. Taylor, CIA, CISA, CFE, General Motors Corporation

Bill Tener, University & Community College System of Nevada

Archie Thomas

Fred Tompkins, BearingPoint

Don Warren, Rutgers University

Dominique Vincenti, CIA, The IIA

Mark Winn, Intrusec

Amit Yoran

23.4 IIA International Affiliates

Frank Alvern, CIA, CCSA, Nordea Bank, Norway

Alexandre Alves Apparecido, Brazil

Dror Aviv, Israel

David F. Bentley, England, UK and Ireland

Gerardo Carstens, CIA, IIA Argentina

Richard Cascarino, South Africa

Iftikhar Chaudry, Pakistan

Hisham T. El Gindy, Manager, KPMG Hazem Hassan, Egypt

Dr. Ulrich Hahn, CIA, Switzerland

Rossana S. Javier, Makati City, Philippines

Andras Kovacks, Hungary

Christopher McRostie, Australia

Furqan Ahmad Saleem, Partner, Avais Hyder Nauman Rizwani, RSM, Pakistan

Kyoko Shimizu, CIA, Japan

John Silltow, Security Control and Audit Ltd., United Kingdom

Ken Siong, International Federation of Accountants

Anton van Wyk, PwC, South Africa

Nick Wolanin, Adjunct Senior Lecturer, Australian Graduate

Julie Young, Australia

23.5 Other International

Carolee Birchall, Vice President and Senior Risk Officer, Bank of Montreal, Canada

P. J. Corum, Quality Assurance Institute Middle East and Africa, United Arab Emirates

Ariel Peled, President, ISSA Israeli Chapter

P. Shreekanth, India

Karen Woo, Selangor, Malaysia

23.6 IIA International Advanced Technology Committee

Anton van Wyk (Chairman), CIA, PricewaterhouseCoopers, South Africa

Alexandre Alves Apparecido, Brasil Telecom, Brazil

Ken D. Askelson, CIA, JC Penney Co. Inc., USA

Dror Aviv, CFSA, IIA Israel

Donald L. Bailey, Grant Thornton LLP, USA

E.W. Sean Ballington, PricewaterhouseCoopers LLP, USA (originally South Africa)

Norman F. Barber, Microsoft Corp., USA

David F. Bentley, QiCA, Consultant, England

Claude Cargou, GIE AXA, France

Michael P. Fabrizius, CIA, Bon Secours Health System Inc., USA

Ramiz Tofigi Ganizade, Azerbaijan Republic Chamber of Auditors, Azerbaijan

Douglas Guerrero, EDS Corp., USA

Dr. Ulrich Hahn, CIA, Syngenta International, Switzerland

David J. Hill, IBM Corp., USA

Michael S. Hines, CIA, Purdue University, USA

Mark J. Hornung, Ernst & Young LLP, USA

Gene Kim, CTO, Tripwire Inc., USA

David S. Lione, KPMG LLP, Southeast Region, USA

Peter B. Millar, ACL Services Ltd., Canada

Allan M. Newstadt, CIA, World Bank/International Finance Corp., USA

Brenda J. S. Putman, CIA, City Utilities of Springfield, USA


Kyoko Shimizu, CIA, Shin Nihon & Co., Japan

Brian M. Spindel, CIA, SecurePipe Inc., USA

Rajendra P. Srivastava, University of Kansas, USA

Jay Stott, CIA, Fidelity Investments, USA

Jay R. Taylor, CIA, CISA, CFE, General Motors Corp., USA

Thomas Jason Wood, CIA, Ernst & Young LLP, USA

Akitomo Yamamoto, IIA Japan

23.7 The Writing Team

David A. Richards, CIA, President, The IIA

Alan S. Oliphant, MIIA, QiCA, MAIR International

Charles H. Le Grand, CIA, CHL Global

23.8 IIA Headquarters Staff Production Team

Michael Feland

Trish Harris

Tim McCollum

Information Technology Controls

This guide focuses on how IT roles and responsibilities are dispersed throughout the organization, how accurate assessment of IT controls is achieved, and how an organization can promote IT reliability and efficiency.

What is GTAG?

Prepared by The Institute of Internal Auditors, each Global Technology Audit Guide (GTAG) is written in straightforward business language to address a timely issue related to information technology management, control, or security. GTAG is a ready resource series for chief audit executives to use in the education of members of the board and audit committee, management, process owners, and others regarding technology-associated risks and recommended practices.

Business Continuity Management

This GTAG focuses on how business continuity management (BCM) is designed to enable business leaders to manage the level of risk the organization could potentially encounter if a natural or man-made disruptive event that affects the extended operability of the organization were to occur. The guide includes disaster recovery planning for continuity of critical information technology infrastructure and business application systems.

Chief audit executives (CAEs) have been challenged to educate corporate executives on the risks, controls, costs, and benefits of adopting a BCM program. Although it is true that recent disasters around the world have motivated some corporate leaders to give attention to BCM programs, the implementation of such programs is far from universal. The key challenge is engaging corporate executives to make BCM a priority. Although most executives are likely to agree that BCM is a good idea, many will struggle to find the budget necessary to fund the program, as well as an executive sponsor that has the time to ensure its success. Business Continuity Management will help the CAE communicate business continuity risk awareness and support management in its development and maintenance of a BCM program.

Visit www.theiia.org/guidance/technology/gtag/gtag10 to rate this GTAG or submit your comments.

Order Number 100645. IIA Member: US $25; Nonmember: US $30; IIA Event: US $22.50

www.theiia.org

ISBN 0-89413-570-8; ISBN 978-0-89413-623-8


threats, and to recover from any disruption of IT services quickly and efficiently.

• The efficient use of a customer support center or help desk.

• Heightened security awareness on the part of the users and a security-conscious culture throughout the organization.

2.4 IT Roles and Responsibilities

Many different roles have emerged in recent years for positions within the organization with IT control responsibilities and ownership. Each position within the governance, management, operational, and technical levels should have a clear description of its roles, responsibilities, and ownership for IT controls to ensure accountability for specific issues. This section addresses the various IT control roles and responsibilities within the organization and allocates them to specific positions within a hypothetical organizational structure.

2.5 Analyzing Risk

IT controls are selected and implemented on the basis of the risks they are designed to manage. As risks are identified, suitable risk responses are determined, ranging from doing nothing and accepting the risk as a cost of doing business to applying a wide range of specific controls, including insurance. This section explains the concepts of when to apply IT controls.

2.6 Monitoring and Techniques

The implementation of a formal control framework facilitates the process of identifying and assessing the IT controls necessary to address specific risks. A control framework is a structured way of categorizing controls to ensure the whole spectrum of control is covered adequately. The framework can be informal or formal. A formal approach will more readily satisfy the various regulatory or statutory requirements for organizations subject to them. The process of choosing or constructing a control framework should involve all positions in the organization with direct responsibility for controls. The control framework should apply to, and be used by, the whole organization — not just internal auditing.

2.7 IT Control Assessment

Assessing IT controls is a continuous process. Business processes are changing constantly as technology continues to evolve. Threats emerge as new vulnerabilities are discovered. Audit methods improve as auditors adopt an approach where IT control issues in support of the business objectives are near the top of the agenda.

Management provides IT control metrics and reporting. Auditors attest to their validity and opine on their value. The auditor should liaise with management at all levels, and with the audit committee, to agree on the validity and effectiveness of the metrics and assurances for reporting.


GTAG — Executive Summary — 2

IT is an integral part of all processes that enable businesses and governments to accomplish their missions and objectives. IT facilitates local and global communications and fosters international business cooperation. IT controls have two significant components: automation of business controls and control of IT. They support business management and governance, and they provide general and technical controls over the policies, processes, systems, and people that comprise IT infrastructures.

IT controls do not exist in isolation. They form an interdependent continuum of protection, but they also may be subject to compromise due to a "weak link." They are subject to error and management override, may range from simple to highly technical, and may exist in a dynamic environment. IT controls support the concept of "defense in depth," so a single weakness does not always result in a single point of failure. Controls exist to protect stakeholder interests:

• The owner's equity
• Customer concerns such as privacy and identity
• Employees' jobs and abilities to prove they did the right thing
• Management's comfort with the assurance provided by automated processes

IT control assurance addresses the ability of controls to protect the organization against the most important threats and provides evidence that remaining risks are unlikely to harm the organization and its stakeholders significantly. These controls also are essential for assuring the reliability of financial processes and reporting.


GTAG — Introduction — 3

They are all connected.

When a security administrator selects the settings in a firewall configuration file (a technical task requiring specific skills and knowledge), he or she implements a policy (which may or may not be documented elsewhere) that, when deployed, determines the messages that will or will not be allowed into or out of the communications network and establishes the "ports" through which they may travel. Your organization gets an element of protection from its firewalls that is vital to the protection of information and the infrastructures where that information is collected, processed, stored, and communicated.

When CAEs review and assess the controls over IT, they should ask:

• What do we mean by IT controls?
• Why do we need IT controls?
• Who is responsible for IT controls?
• When is it appropriate to apply IT controls?
• Where exactly are IT controls applied?
• How do we perform IT control assessments?

The audit process provides a formal structure for addressing IT controls within the overall system of internal controls. Figure 1, The Structure of IT Auditing, below divides the assessment into a logical series of steps.

The internal auditor's role in IT controls begins with a sound conceptual understanding and culminates in providing the results of risk and control assessments. Internal auditors interact with the people responsible for controls and must pursue continuous learning and reassessment as new technologies emerge and the organization's opportunities, uses, dependencies, strategies, risks, and requirements change.

GTAG — Assessing IT Controls — An Overview — 4


"I keep six honest serving-men
(They taught me all I knew);
Their names are What and Why and When
and How and Where and Who."

— Rudyard Kipling, from "Elephant's Child" in Just So Stories

Figure 1 - The Structure of IT Auditing


COSO¹ defines internal control as "A process, effected by an organization's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations"

IT controls encompass those processes that provide assurance for information and information services and help mitigate the risks associated with an organization's use of technology. These controls range from written corporate policies to their implementation within coded instructions; from physical access protection to the ability to trace actions and transactions to the individuals who are responsible for them; and from automatic edits to reasonability analysis for large bodies of data.

5.1 Control Classifications

Controls may be classified to help understand their purposes and where they fit into the overall system of internal controls. (See Figure 3, Some Control Classifications, page 4.) By understanding these classifications, the control analyst and auditor are better able to establish their positions in the control framework and answer key questions such as: Are the detective controls adequate to identify errors that may get past the preventive controls? Are corrective controls sufficient to fix the errors once detected? A common classification of IT controls is general versus application.

General controls (also known as infrastructure controls) apply to all systems components, processes, and data for a given organization or systems environment. General controls include, but are not limited to: information security policy, administration, access, and authentication; separation of key IT functions; management of systems acquisition and implementation; change management; and backup, recovery, and business continuity.

Application controls pertain to the scope of individual business processes or application systems. They include such controls as data edits, separation of business functions (e.g., transaction initiation versus authorization), balancing of processing totals, transaction logging, and error reporting. The function of a control is highly relevant to the assessment of its design and effectiveness. Controls may be classified as preventive, detective, or corrective.

Preventive controls prevent errors, omissions, or security incidents from occurring. Examples include simple data-entry edits that block alphabetic characters from being entered into numeric fields, access controls that protect sensitive data or system resources from unauthorized people, and complex and dynamic technical controls such as antivirus software, firewalls, and intrusion prevention systems.

GTAG — Understanding IT Controls — 5

¹ COSO – Committee of Sponsoring Organizations for the Commission on Fraudulent Financial Reporting (The Committee of Sponsoring Organizations of the Treadway Commission). See www.coso.org.

It is not necessary to know "everything" about IT controls.

Do not be concerned if you do not understand the full continuum or all the technical intricacies of IT controls. Many of these controls are the domain of specialists who manage specific risks associated with individual components of the systems and network infrastructure. In keeping with good separation-of-duties practices, some people who have specialized knowledge in a technology such as database management may know little about network components or communication protocols, and vice versa.

There are two key control concepts to remember:

1. Assurance must be provided by the IT controls within the whole system of internal control, and must be continuous and produce a reliable and continuous trail of evidence.

2. The auditor's assurance is an independent and objective assessment of the first assurance. It is based on understanding, examining, and assessing the key controls related to the risks the auditors manage, as well as performing sufficient tests to ensure the controls are designed appropriately and function effectively.

Figure 2

Detective controls detect errors or incidents that elude preventive controls. For example, a detective control may identify account numbers of inactive accounts or accounts that have been flagged for monitoring of suspicious activities. Detective controls can also include monitoring and analysis to uncover activities or events that exceed authorized limits or violate known patterns in data that may indicate improper manipulation. For sensitive electronic communications, detective controls can indicate that a message has been corrupted or the sender's secure identification cannot be authenticated.

Corrective controls correct errors, omissions, or incidents once they have been detected. They vary from simple correction of data-entry errors, to identifying and removing unauthorized users or software from systems or networks, to recovery from incidents, disruptions, or disasters.

Generally, it is most efficient to prevent errors, or detect them as close as possible to their source, to simplify correction. These corrective processes also should be subject to preventive and detective controls because they represent another opportunity for errors, omissions, or falsification.

Many other control classifications described in this guide may be useful in assessing their effectiveness. For example, automated controls tend to be more reliable than manual controls, and nondiscretionary controls are more likely to be applied consistently than discretionary controls. Other control classifications include mandatory, voluntary, complementary, compensating, redundant, continuous, on-demand, and event-driven.
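The preventive, detective, and corrective classification above, and the application controls named earlier (data edits, separation of initiation from authorization, balancing of processing totals, transaction logging), applied to a constructed batch of payment transactions. This is an added example and not code from the GTAG; every account number, user name, and amount is constructed. It shows a preventive edit blocking bad input, a detective balancing check catching the resulting out-of-balance batch and flagging inactive and monitored accounts, and a corrective re-keying step that is itself routed back through the preventive edit and written to the same evidence trail.

```python
from dataclasses import dataclass, field

# Constructed reference data for the example (not from the guide).
INACTIVE_ACCOUNTS = {"ACC-9001"}    # closed accounts still present on file
MONITORED_ACCOUNTS = {"ACC-7777"}   # accounts flagged for suspicious-activity review

@dataclass
class Txn:
    txn_id: str
    account: str
    amount_field: str      # raw keyed value, exactly as the user entered it
    initiated_by: str
    authorized_by: str

@dataclass
class BatchResult:
    accepted: list = field(default_factory=list)
    rejected: list = field(default_factory=list)
    alerts: list = field(default_factory=list)
    posted: list = field(default_factory=list)    # (Txn, amount) pairs that passed the edits
    evidence: list = field(default_factory=list)  # continuous trail: (control, txn_id, note)

def _log(result, control, txn_id, note):
    result.evidence.append((control, txn_id, note))

def preventive_edit(txn, result):
    """Preventive control: block bad input before it is posted.
    Returns the parsed amount, or None when the transaction is refused."""
    if not txn.amount_field.replace(".", "", 1).isdigit():
        _log(result, "preventive", txn.txn_id, "non-numeric amount field rejected")
        return None
    if txn.initiated_by == txn.authorized_by:     # separation of initiation and authorization
        _log(result, "preventive", txn.txn_id, "initiator cannot authorize own transaction")
        return None
    return round(float(txn.amount_field), 2)

def detective_checks(result, control_total):
    """Detective control: balance processing totals and surface flagged accounts."""
    processed = round(sum(amount for _, amount in result.posted), 2)
    if processed != control_total:
        result.alerts.append(("out-of-balance", processed, control_total))
        _log(result, "detective", "-", f"processed {processed} vs control total {control_total}")
    for txn, _ in result.posted:
        if txn.account in INACTIVE_ACCOUNTS:
            result.alerts.append(("inactive-account", txn.txn_id, txn.account))
            _log(result, "detective", txn.txn_id, "posting to an inactive account")
        if txn.account in MONITORED_ACCOUNTS:
            result.alerts.append(("monitored-account", txn.txn_id, txn.account))
            _log(result, "detective", txn.txn_id, "account is under monitoring")

def process_batch(batch, control_total):
    """Run every transaction through the preventive edits, then run the detective checks."""
    result = BatchResult()
    for txn in batch:
        amount = preventive_edit(txn, result)
        if amount is None:
            result.rejected.append(txn.txn_id)
            continue
        result.posted.append((txn, amount))
        result.accepted.append(txn.txn_id)
        _log(result, "preventive", txn.txn_id, f"edits passed, posted {amount:.2f}")
    detective_checks(result, control_total)
    return result

def resubmit(result, txn_id, account, corrected_amount, corrected_by, authorized_by):
    """Corrective control: re-key a rejected item. The correction passes back
    through the same preventive edit, so a bad correction is blocked and logged too."""
    if txn_id not in result.rejected:
        return None
    fixed = Txn(txn_id, account, corrected_amount, corrected_by, authorized_by)
    amount = preventive_edit(fixed, result)
    if amount is None:
        _log(result, "corrective", txn_id, f"correction by {corrected_by} blocked")
        return None
    result.rejected.remove(txn_id)
    result.accepted.append(txn_id)
    result.posted.append((fixed, amount))
    _log(result, "corrective", txn_id, f"re-keyed by {corrected_by}, authorized by {authorized_by}")
    return amount

# Constructed sample batch. The control total is what the originating department
# expects the batch to sum to: 250.00 + 120.50 + 75.25 + 40.00 + 10.00.
SAMPLE_BATCH = [
    Txn("T1", "ACC-1001", "250.00", "alice", "bob"),
    Txn("T2", "ACC-1002", "12O.50", "carol", "bob"),    # letter O keyed instead of a zero
    Txn("T3", "ACC-7777", "75.25", "dave", "erin"),
    Txn("T4", "ACC-9001", "40.00", "alice", "bob"),
    Txn("T5", "ACC-1003", "10.00", "frank", "frank"),   # initiator approving own entry
]
SAMPLE_CONTROL_TOTAL = 495.75

if __name__ == "__main__":
    r = process_batch(SAMPLE_BATCH, SAMPLE_CONTROL_TOTAL)
    resubmit(r, "T2", "ACC-1002", "120.50", "carol", "bob")
    for entry in r.evidence:
        print(entry)
```

The evidence list is the "reliable and continuous trail" an auditor would sample: each preventive rejection, the out-of-balance alert it causes, and the corrective re-keying appear as separate, attributable entries.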

5.2 Governance, Management, Technical

Another common classification of controls is by the group responsible for ensuring they are implemented and maintained properly. For the purpose of assessing roles and responsibilities, this guide primarily categorizes IT controls as governance, management, and technical. Information security program elements for these three categories are described in Appendix A (page 25). The first two levels — governance and management — are the most applicable to the scope of this guide, although it may also be useful to understand how higher-level controls specifically are established within the technical IT infrastructures. Technical controls will be the subject of more topic-specific GTAGs.

5.2.1 Governance Controls

The primary responsibility for internal control resides with the board of directors in its role as keeper of the governance framework. IT control at the governance level involves ensuring that effective information management and security principles, policies, and processes are in place, and that performance and compliance metrics demonstrate ongoing support for that framework.

Governance controls are those mandated by, and controlled by, either the entire board of directors or a board committee in conjunction with the organization's executive management. These controls are linked with the concepts of corporate governance, which are driven both by organizational goals and strategies and by outside bodies such as regulators.

An important distinction between governance and management controls is the concept of "noses in, fingers out." The board's responsibility involves oversight rather than actually performing control activities. For example, the audit committee of the board does no auditing, but it does oversee both the internal and external auditing of the organization.

5.2.2 Management Controls

Management responsibility for internal controls typically involves reaching into all areas of the organization, with special attention to critical assets, sensitive information, and operational functions. Consequently, close collaboration among board members and executive managers is essential. Management must make sure the IT controls needed to achieve the organization's established objectives are applied, and ensure reliable and continuous processing. These controls are deployed as a result of deliberate actions by management to:

• Recognize risks to the organization, its processes, and assets.

• Enact mechanisms and processes to mitigate and manage risks (protect, monitor, and measure results).

5.2.3 Technical Controls

Figure 3 - Some Control Classifications

Technical controls form the foundation that ensures the reliability of virtually every other control in the organization. For example, by protecting against unauthorized access and intrusion, they provide the basis for reliance on the integrity of information — including evidence of all changes and their authenticity. These controls are specific to the technologies in use within the organization's IT infrastructures. The ability to automate technical controls that implement and demonstrate compliance with management's intended information-based policies is a powerful resource to the organization.

5.3 IT Controls – What to Expect

Individual control mechanisms a CAE can expect to find within the organization can be defined within the hierarchy of IT controls, from the overall high-level policy statements issued by management and endorsed by the board of directors, down to the specific control mechanisms incorporated into application systems.

The hierarchy in Figure 4, IT Controls, this page, represents a logical "top-down" approach, both when considering controls to implement and when determining areas on which to focus audit resources during reviews of the entire IT operating environment. The different elements of the hierarchy are not mutually exclusive; they are all connected and can intermingle. Many of the control types within the elements are described below.

5.3.1 Policies

All organizations need to define their aims and objectives through strategic plans and policy statements. Without clear statements of policy and standards for direction, organizations can become disoriented and perform ineffectively. Organizations with clearly defined aims and objectives tend to be successful.

Because technology is vital to the operations of most organizations, clear policy statements regarding all aspects of IT should be devised and approved by management, endorsed by the board of directors, and communicated to all staff. Many different policy statements can be required, depending on the organization's size and the extent to which it deploys IT. For smaller organizations, a single policy statement may be sufficient, provided it covers all the relevant areas. Larger organizations that implement IT extensively will require more detailed and specific policies.

IT policy statements include, but are not restricted to:

• A general policy on the level of security and privacy throughout the organization. This policy should be consistent with all relevant national and international legislation and should specify the level of control and security required, depending on the sensitivity of the system and data processed.

• A statement on the classification of information and the rights of access at each level. The policy should also define any limitations on the use of this information by those approved for access.

• A definition of the concepts of data and systems ownership, as well as the authority necessary to originate, modify, or delete information. Without these guidelines, it is often difficult to coordinate change within large organizations, because there may not be anyone designated to have overall responsibility for the data or systems.

• A general policy that defines the extent to which users can deploy intelligent workstations to create their own applications.

• Personnel policies that define and enforce conditions for staff in sensitive areas. This includes the positive vetting of new staff prior to joining the organization, carrying out annual credit checks, and having employees sign agreements accepting responsibility for the required levels of control, security, and confidentiality. This policy would also detail related disciplinary procedures.

• Definitions of overall business continuity planning requirements. These policies should ensure that all aspects of the business are considered in the event of a disruption or disaster — not just the IT elements.

Figure 4 – IT Controls

The Center for Internet Security (www.cisecurity.org) reports that applying controls consistently over system and network component configuration will protect the organization from more than 85 percent of the top vulnerabilities identified by the U.S. National Institute of Standards and Technology (NIST), Federal Bureau of Investigation (FBI), SANS Institute, and Computer Security Institute (CSI).

A good source of IT and security policies is the SANS Security Policy Resource page (http://www.sans.org/resources/policies/#intro), a consensus research project of the SANS Institute community. The project offers free resources for rapid development and implementation of information security policies, including policy templates for 24 important security requirements. Although the templates were compiled to help the people attending SANS training programs, SANS makes them available to the world because Internet security depends on vigilance by all participants.

5.3.2 Standards

Standards exist to support the requirements of policies. They are intended to define ways of working that achieve the required objectives of the organization. Adopting and enforcing standards also promotes efficiency, because staff are not required to reinvent the wheel every time a new business application is built or a new network is installed. Standards also enable the organization to maintain the whole IT operating environment more efficiently.

Large organizations with significant resources are in a position to devise their own standards. On the other hand, smaller organizations rarely have sufficient resources for this exercise. There are many sources of information on standards and best practice, some of which are listed in Appendix I (see page 45).

As a guideline, the CAE should expect to see standards adopted for:

• Systems Development Processes – When organizations develop their own applications, standards apply to the processes for designing, developing, testing, implementing, and maintaining systems and programs. If organizations outsource application development or acquire systems from vendors, the CAE should ascertain that agreements require the providers to apply standards consistent with the organization's standards or acceptable to the organization.

• Systems Software Configuration – Because systems software provides a large element of control in the IT environment, standards related to secure system configurations, such as the CIS Benchmarks from the Center for Internet Security, are beginning to gain wide acceptance by leading organizations and technology providers. The way products such as operating systems, networking software, and database management systems are configured can either enhance security or create weaknesses that can be exploited.

• Application Controls – All applications which support business activities need to be controlled. Standards are necessary for all applications the organization develops or purchases that define the types of controls that must be present across the whole range of business activities, as well as the specific controls that should apply to sensitive processes and information.

• Data Structures – Having consistent data definitions across the full range of applications ensures disparate systems can access data seamlessly and security controls for private and other sensitive data can be applied uniformly.

• Documentation – Standards should specify the minimum level of documentation required for each application system or IT installation, as well as for different classes of applications, processes, and processing centers.

As with policies, standards should be approved by management, should be written in clear and understandable language, and should be made available to all who implement them.

5.3.3 Organization and Management

Organization and management plays a major role in the whole system of IT control, as it does with every aspect of an organization's operations. An appropriate organization structure allows lines of reporting and responsibility to be defined and effective control systems to be implemented.

5.3.3.1 Separation of Duties

Separation of duties is a vital element of many controls. An organization's structure should not allow responsibility for all aspects of processing data to rest upon one individual or department. The functions of initiating, authorizing, inputting, processing, and checking data should be separated to ensure no individual can both create an error, omission, or other irregularity and authorize it and/or obscure the evidence. Separation-of-duties controls for application systems are provided by granting access privileges only in accordance with job requirements for processing functions and accessing sensitive information.

Traditional separation of duties within the IT environment is divided between systems development and operations. Operations should be responsible for running production systems — except for change deployment — and should have little or no contact with the development process. This control includes restrictions preventing operators from accessing or modifying production programs, systems, or data. Similarly, systems development personnel should have little contact with production systems. By assigning specific roles during implementation and other change processes to both the personnel responsible for application systems and those responsible for operations, appropriate separation of duties can be enforced. In large organizations, many other functions should be considered to ensure appropriate separation of duties, and these controls can be quite detailed. For example, privileged accounts such as the Administrator group in Windows and Super User in UNIX can modify log entries, access any file, and in many cases act as any user or role. It is important to restrict the number of individuals with this privilege to a minimum.


Software tools are also available and should be considered to limit the power and monitor the activities of individuals with privileged accounts.

5.3.3.2 Financial Controls

Because organizations make considerable investments in IT, budgetary and other financial controls are necessary to ensure the technology yields the projected return on investment or proposed savings. Management processes should be in place to collect, analyze, and report information related to these issues. Unfortunately, new IT developments often suffer massive cost over-runs and fail to deliver the expected cost savings because of insufficient planning. Budgetary controls can help identify potential failings early in the process and allow management to take positive action. They may also produce historical data that organizations can use in future projects.

5.3.3.3 Change Management

Change management processes can be specified under organizational and management control elements. These processes should ensure that changes to the IT environment, systems software, application systems, and data are applied in a manner that enforces appropriate division of duties, makes sure changes work as required, prevents changes from being exploited for fraudulent purposes, and reveals the true costs of inefficiencies and system outages that can be obscured by ineffective monitoring and reporting processes. Change management is one of the most sensitive areas of IT controls and can seriously impact system and service availability if not administered effectively. The IT Process Institute has published research demonstrating that effective IT change management can bring significant benefits to organizations.

5.3.3.4 Other Management Controls

Other typical management controls include vetting procedures for new staff, performance measurement, provision of specialist training for IT staff, and disciplinary procedures. These are listed in the Information Security Program Elements in Appendix A and will be covered in greater detail in other GTAG publications.

5.3.4 Physical and Environmental Controls

IT equipment represents a considerable investment for many organizations. It must be protected from accidental or deliberate damage or loss. Physical and environmental controls, originally developed for large data centers that house mainframe computers, are equally important in the modern world of distributed client-server and Web-based systems. Although the equipment commonly used today is designed for ease of use in a normal office environment, its value to the business and the cost and sensitivity of applications running business processes can be significant. All equipment must be protected, including the servers and workstations that allow staff access to the applications.

Some typical physical and environmental controls include:

• Locating servers in locked rooms to which access is restricted.
• Restricting server access to specific individuals.
• Providing fire detection and suppression equipment.
• Housing sensitive equipment, applications, and data away from environmental hazards such as low-lying flood plains or flammable liquid stores.

When considering physical and environmental security, it is also appropriate to consider contingency planning — also known as disaster recovery planning — which includes response to security incidents. What will the organization do if there is a fire or flood, or if any other threat manifests itself? How will the organization restore the business and related IT facilities and services to ensure normal processing continues with minimum effect on regular operations? This type of planning goes beyond merely providing for alternative IT processing power to be available and routine backup of production data; it must consider the logistics and coordination needed for the full scope of business activity. Finally, history consistently demonstrates that a disaster recovery plan that has not been tested successfully in a realistic simulation is not reliable.

5.3.5 Systems Software Controls

Systems software products enable the IT equipment to be used by the application systems and users. These products include operating systems such as Windows, UNIX, and Linux; network and communications software; firewalls; antivirus products; and database management systems (DBMS) such as Oracle and DB2.

Systems software can be highly complex and can apply to components and appliances within the systems and network environment. It may be configured to accommodate highly specialized needs and normally requires a high degree of specialization to maintain it securely. Configuration techniques can control logical access to the applications, although some application systems contain their own access controls and may provide an opening for hackers to use to break into a system. Configuration techniques also provide the means to enforce division of duties, generate specialized audit trails, and apply data integrity controls through access control lists, filters, and activity logs.

IT audit specialists are required to assess controls in this area. Small organizations are unlikely to have the resources to employ such specialists and should consider outsourcing the work. Whether IT auditors are employed or outsourced, they require a highly specific set of knowledge. Much of this knowledge can come from experience, but such knowledge must be updated constantly to remain current and useful. Certification confirms that a technical specialist has acquired a specified set of knowledge and experience and has passed a related examination. In the IT audit world, global certificates include the Qualification in Computer Auditing (QiCA) from IIA–United Kingdom and Ireland; Certified Information Systems Auditor (CISA), available through the Information Systems Audit and Control Association (ISACA); and Global Information Assurance Certification (GIAC) Systems & Network Auditor (GSNA) from the SANS Institute's GIAC program. Additional certifications address general and specialized competence in information security, network administration, and other areas closely related to IT auditing and are useful for identifying an IT auditor's potential ability.

Some key technical controls the CAE should expect to find in a well-managed IT environment include:

• Access rights allocated and controlled according to the organization's stated policy.
• Division of duties enforced through systems software and other configuration controls.
• Intrusion and vulnerability assessment, prevention, and detection in place and continuously monitored.
• Intrusion testing performed on a regular basis.
• Encryption services applied where confidentiality is a stated requirement.
• Change management processes — including patch management — in place to ensure a tightly controlled process for applying all changes and patches to software, systems, network components, and data.

5.3.6 Systems Development and Acquisition Controls

Organizations rarely adopt a single methodology for all systems development projects. Methodologies are chosen to suit the particular circumstances of each project. The IT auditor should assess whether or not the organization develops or acquires application systems using a controlled method that subsequently provides effective controls over and within the applications and data they process. All computer application systems should perform only those functions the user requires, in an efficient way. By examining application development procedures, the auditor can gain assurance that applications work in a controlled manner.

Some basic control issues should be evident in all systems development and acquisition work:

• User requirements should be documented, and their achievement should be measured.
• Systems design should follow a formal process to ensure that user requirements and controls are designed into the system.
• Systems development should be conducted in a structured manner to ensure that requirements and design features are incorporated into the finished product.
• Testing should ensure that individual system elements work as required, system interfaces operate as expected, users are involved in the testing process, and the intended functionality has been provided.
• Application maintenance processes should ensure that changes in application systems follow a consistent pattern of control. Change management should be subject to structured assurance validation processes.

Where systems development is outsourced, the outsourcer or provider contracts should require similar controls.

Project management techniques and controls need to be part of the development process, whether developments are performed in-house or are outsourced. Management should know projects are on time and within budget and that resources are used efficiently. Reporting processes should ensure that management completely understands the current status of development projects and does not receive any surprises when the end product is delivered.

5.3.7 Application-based Controls

The objective of internal controls over application systems is to ensure that:

• All input data is accurate, complete, authorized, and correct.
• All data is processed as intended.
• All data stored is accurate and complete.
• All output is accurate and complete.
• A record is maintained to track the process of data from input to storage and to the eventual output.

Reviewing the application controls traditionally has been the "bread and butter" of the IT auditor. However, because application controls now represent a huge percentage of business controls, they should be the priority of every internal auditor. All internal auditors need to be able to evaluate a business process and understand and assess the controls provided by automated processes.

There are several types of generic controls that the CAE should expect to see in any application:

• Input Controls – These controls are used mainly to check the integrity of data entered into a business application, whether the source is input directly by staff, remotely by a business partner, or through a Web-enabled application. Input is checked to ensure that it remains within specified parameters.
• Processing Controls – These controls provide automated means to ensure processing is complete, accurate, and authorized.
• Output Controls – These controls address what is done with the data. They should compare results with the intended result and check them against the input.
• Integrity Controls – These controls can monitor data in process and/or in storage to ensure that data remains consistent and correct.
• Management Trail – Processing history controls, often referred to as an audit trail, enable management to track transactions from the source to the ultimate result and to trace backward from results to identify the transactions and events they record. These controls should be adequate to monitor the effectiveness of overall controls and identify errors as close as possible to their sources.
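The generic application controls listed above, together with the maker/checker separation of duties from 5.3.3.1, as an added example that is not part of the GTAG: a constructed Python batch processor in which each control point is a named function (validate_input, approve, process_batch, verify_trail). Field names, limits, user names and sample records are all assumptions made for the illustration.

```python
"""Added example, not the GTAG's own code: a constructed payment-batch processor showing the 5.3.7 application
controls (input, processing, output, integrity, management trail) and 5.3.3.1 maker/checker separation of duties."""
from decimal import Decimal, InvalidOperation
import hashlib
import json

MAX_AMOUNT = Decimal("100000.00")  # constructed input-control parameters, not values from the guide
ALLOWED_CURRENCIES = {"USD", "EUR", "GBP"}

def _digest(entry):
    """Canonical JSON (sorted keys, Decimal rendered as str) hashed with SHA-256."""
    return hashlib.sha256(json.dumps(entry, sort_keys=True, default=str).encode()).hexdigest()

class Ledger:
    def __init__(self):
        self.balances, self.audit_trail = {}, []  # balances per currency; management trail

    def log(self, event, **details):
        """Management trail: append-only; each entry is hashed together with its predecessor's hash."""
        prev = self.audit_trail[-1]["hash"] if self.audit_trail else ""
        entry = {"event": event, **details, "prev": prev}
        entry["hash"] = _digest(entry)
        self.audit_trail.append(entry)

def validate_input(raw):
    """Input control: only records within the stated parameters enter processing."""
    errors = []
    ref, entered_by = str(raw.get("ref", "")).strip(), str(raw.get("entered_by", "")).strip()
    if not ref.isalnum():
        errors.append("ref must be non-empty and alphanumeric")
    if not entered_by:
        errors.append("entered_by is required")
    try:
        amount = Decimal(str(raw.get("amount", "")))
    except InvalidOperation:
        amount = None
    if amount is None or not amount.is_finite() or amount <= 0 or amount > MAX_AMOUNT:
        errors.append("amount missing, not a number, or outside permitted range")
    elif amount.as_tuple().exponent < -2:
        errors.append("amount must have at most two decimal places")
    currency = str(raw.get("currency", "")).upper()
    if currency not in ALLOWED_CURRENCIES:
        errors.append("unsupported currency")
    record = dict(ref=ref, amount=amount, currency=currency, entered_by=entered_by, approved_by=None)
    return (None, errors) if errors else (record, [])

def approve(payment, approver, ledger):
    """Separation of duties: whoever entered a record may not authorize it."""
    if approver == payment["entered_by"]:
        ledger.log("approval_rejected", ref=payment["ref"], approver=approver, reason="maker is checker")
        return False
    payment["approved_by"] = approver
    ledger.log("approved", ref=payment["ref"], approver=approver)
    return True

def process_batch(ledger, payments, header_count, header_total):
    """Processing control: post only if record count and amount total agree with the control totals
    sent with the batch and every item is approved. Output control: the ledger movement is reconciled to input."""
    unapproved = [p["ref"] for p in payments if p["approved_by"] is None]
    if len(payments) != header_count or sum(p["amount"] for p in payments) != header_total or unapproved:
        ledger.log("batch_rejected", count=len(payments), unapproved=unapproved)
        return False
    before = sum(ledger.balances.values(), Decimal(0))
    for p in payments:
        ledger.balances[p["currency"]] = ledger.balances.get(p["currency"], Decimal(0)) - p["amount"]
        ledger.log("posted", ref=p["ref"], amount=p["amount"], currency=p["currency"])
    moved = before - sum(ledger.balances.values(), Decimal(0))
    ok = moved == header_total  # output control: what was actually stored, checked against the input
    ledger.log("batch_complete" if ok else "output_mismatch", count=len(payments), total=moved)
    return ok

def verify_trail(ledger):
    """Integrity control: recompute the hash chain; an edited or dropped entry breaks it."""
    prev = ""
    for entry in ledger.audit_trail:
        body = {k: v for k, v in entry.items() if k != "hash"}
        if body.get("prev") != prev or _digest(body) != entry["hash"]:
            return False
        prev = entry["hash"]
    return True

def run_demo():
    """Constructed batch: two good records, one failing every input edit, one maker-as-checker attempt."""
    ledger, accepted = Ledger(), []
    raw_batch = [
        {"ref": "P1001", "amount": "250.00", "currency": "USD", "entered_by": "alice"},
        {"ref": "P1002", "amount": "1999.99", "currency": "EUR", "entered_by": "alice"},
        {"ref": "P10-3", "amount": "12.345", "currency": "XYZ", "entered_by": ""},
    ]
    for raw in raw_batch:
        payment, errors = validate_input(raw)
        ledger.log("input_rejected" if errors else "input_accepted", ref=raw["ref"], errors=errors)
        if payment:
            accepted.append(payment)
    approve(accepted[0], "alice", ledger)  # rejected: alice entered P1001 herself
    for p in accepted:
        approve(p, "bob", ledger)
    process_batch(ledger, accepted, header_count=2, header_total=Decimal("2249.99"))
    return ledger
```

Calling run_demo() and then verify_trail() on the returned ledger shows the full trail from input edit to posting, and changing any stored entry afterwards makes verify_trail() return False.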


5.4 Information Security

Information security is an integral part of all IT controls. Information security applies to both infrastructure and data and is the foundation for the reliability of most other IT controls. The exceptions are controls relating to the financial aspects of IT (e.g., ROI, budgetary controls) and some project management controls. The universally accepted elements of information security are:

• Confidentiality – Confidential information must only be divulged as appropriate and must be protected from unauthorized disclosure or interception. Confidentiality includes privacy considerations.
• Integrity – Information integrity refers to the state of data as being correct and complete. This specifically includes the reliability of financial processing and reporting.
• Availability – Information must be available to the business, its customers, and partners when, where, and in the manner needed. Availability includes the ability to recover from losses, disruption, or corruption of data and IT services, as well as from a major disaster where the information was located.

5.5 IT Controls Framework

IT controls are not automatic. For the more than 50 years organizations have used IT, controls have not always been the default condition of new systems, hardware, or software. The development and implementation of controls typically lag behind the recognition of vulnerabilities in systems and the threats that exploit such vulnerabilities. Further, IT controls are not defined in any widely recognized standard applicable to all systems or to the organizations that use them.

Many frameworks exist for categorizing IT controls and their objectives. Each organization should use the most applicable components of these frameworks to categorize or assess IT controls and to provide and document its own internal control framework for:

• Compliance with applicable regulations and legislation.
• Consistency with the organization's goals and objectives.
• Reliable evidence (assurance) that activities are in compliance with management's governance policies and are consistent with the organization's risk appetite.

Risk Appetite

An organization's risk appetite defines the degree of risk a company or other organization is willing to accept in pursuit of its goals, as determined by executive management and governance. Risk appetite can specify, for example, whether or not an organization will take an aggressive role in the deployment of new and emerging technologies. An organization's risk appetite can be affected by its industry and regulatory environment. Closely related to risk appetite is an organization's risk tolerance, which measures how far it is willing to deviate from its stated measure of risk appetite.

6 Importance of IT Controls

Many issues drive the need for IT controls, including controlling costs and remaining competitive, protecting against information theft by hackers, and complying with legislation and regulation such as the U.S. Sarbanes-Oxley Act of 2002², the European Union's Data Protection Directive, and related legislation in other countries. IT controls promote reliability and efficiency and allow the organization to adapt to changing risk environments. For example, any control that mitigates or detects fraud or cyber attacks enhances the organization's resiliency by helping the organization uncover the risk and manage its impact. Resiliency is a result of a strong system of internal controls that give an organization the ability to manage disruptions seamlessly.

Legislation and regulations in some countries now require organizations to report on the effectiveness of internal control and, by implication, the effectiveness of IT control. The most prominent new law is Sarbanes-Oxley, which requires all companies with shares that are publicly traded in the United States, and their foreign subsidiaries, to report on their system of internal controls over financial reporting, performed in conjunction with an audit of financial statements. A list of some of the legislation and regulations applicable to internal controls is provided in Appendix B (see page 24).

The need for controls is further driven by the complexity resulting from the necessity for diverse technical components to work with one another. While flexibility and adaptability of IT are crucial to meeting the changing needs of customers and business partners and responding to competitive pressures, they also add complexity to business and IT infrastructures. In addition, information security has been acknowledged as a key component of internal control with the emergence and widespread acceptance of standards such as the International Organization for Standardization Code of Practice for Information Security Management (ISO 17799).

Organizations that implement effective IT controls experience improvements in efficiencies, reliability of services, flexibility of systems, and availability of assurance evidence — all of which add value and increase stakeholder and regulator confidence in the organization. Some key indicators of effective IT controls include:

• The ability to execute planned new work, such as the IT infrastructure upgrades required to support new products and services.
• Delivery of development projects on time and within budget, resulting in cheaper and better product and service offerings when compared with competitors.
• Ability to allocate resources predictably.
• Consistent availability and reliability of information and IT services across the organization and for customers, business partners, and other external interfaces.
• Clear communication to management of effective controls.
• The ability to protect against new vulnerabilities and threats quickly and efficiently and to recover from any disruption of IT services.
• The efficient use of a customer support center or help desk.
• A security-conscious culture among end users throughout the organization.

Although the internal audit function likely will include specialist IT auditors to address IT issues in detail, the CAE also should understand IT control issues at a high level, particularly their interactions with other IT and non-IT controls. This understanding is particularly important when discussing compliance or control deficiencies with high-level managers such as the chief executive officer (CEO), chief financial officer (CFO), or chief information officer (CIO), and with the various board committees.

The CAE should be able to discuss relevant regulations and legislation with the audit committee, the chief legal counsel, and other relevant individuals and committees. The CAE also should understand how IT controls support reliability and effectiveness and help promote competitive advantage. Moreover, the CAE should thoroughly understand the major issues that drive the need for controls within the organization's particular sector to ensure they are considered during audit assessments. Without a thorough knowledge and understanding of IT controls, the auditor will be unable to grasp their significance or to assess them adequately as part of the overall review of internal control.


² Public Accounting Reform and Investor Protection Act of 2002, known as Sarbanes-Oxley after its sponsors, U.S. Sen. Paul Sarbanes and U.S. Rep. Michael Oxley.

7 IT Roles in the Organization

Many different roles have emerged in recent years for positions within the organization with responsibilities and ownership of IT controls. Each position at the governance, management, operational, and technical levels should have a clear description of its roles and responsibilities for IT controls to avoid confusion and ensure accountability for specific issues. This section addresses the various IT control roles and responsibilities within the organization and allocates them to specific positions within a hypothetical organizational structure.

There is no universally applicable means of defining the organizational structure for IT control. The CAE should identify where IT control responsibilities lie and assess their appropriateness with regard to separation of duties, as well as any gaps that may exist in assigned responsibilities. Once this is done, the CAE will know whom to approach to discuss specific IT issues and where specific information can be obtained.

Overall, the objectives for the use of IT within any organization are:

• To deliver reliable information efficiently and secure IT services in line with the organization's strategies, policies, external requirements, and risk appetite.
• To protect stakeholder interests.
• To enable mutually beneficial relationships with customers, business partners, and other outside parties that accomplish business objectives.
• To identify and respond to threats and potential violations of control appropriately.

Specific roles within the organization support these objectives. The position descriptions and titles will differ across different countries, industries, and organizations, and some of the roles may be merged within smaller organizations. However, some individuals within the organization must address the IT control function and interact with the CAE and internal audit staff members.

7.1 Board of Directors/Governing Body

One important role of the full board of directors is to determine and approve strategies, set objectives, and ensure that objectives are being met to support the strategies. In relation to IT, this requires:

• Awareness of the key IT topics, such as the IT and information security policies and the concepts of risk as they relate to IT. An example of board roles in IT oversight is provided in The IIA's "Information Security Management and Assurance Series" at www.theiia.org/iia/index.cfm?doc_id=2458.
• Understanding of the IT strategy's infrastructure and components, as well as awareness of key system development and acquisition projects and how they support and impact overall corporate strategies, objectives, and short- and long-term budgets.
• Approval of the data classifications structure and the related access rights.

The board will establish various committees based on its relationships with the organization. The most common committees of the board are audit, compensation, and governance, but some boards have additional committees, such as a risk management committee or finance committee. These committees may bear different names from those identified below, and their roles may vary. The functions, rather than the names, are important.

7.1.1 Audit Committee

The role of the audit committee encompasses oversight of financial issues, internal control assessment, risk management, and ethics. IT control is a strong element of each of these duties and calls for:

• Understanding of financial management (financial expert role) and the organization's reliance on IT for financial processing and reporting.
• Ensuring IT topics are included in the committee meeting agenda — especially CIO reporting.
• Ensuring general IT controls and controls in business application systems and processes involved in preparing financial statements are assessed and tested adequately.
• Overseeing the overall assessment of IT controls.
• Reviewing the business and control issues related to new systems development and acquisition.
• Examining internal and external audit plans and work to ensure IT topics are covered adequately.
• Reviewing the results of audit work and monitoring the resolution of issues raised.
• Understanding the IT topics that impact ethics monitoring.

7.1.2 Compensation Committee

The compensation committee has no direct relationship with IT. However, it can improve the board's oversight of IT by making IT one of the performance elements of any compensation plan it approves.

7.1.3 Governance Committee

The Governance Committee is responsible for board member selection and assessment and for leadership of the board's operations. In relation to IT, this committee should:

• Ensure that potential and current board members have a suitable IT knowledge or background.
• Assess board committees' performance in terms of their oversight of IT.
• Review any external regulatory governance assessments in relation to IT topics.
• Ensure that the board reviews IT policies periodically and that board meetings focus on IT with adequate frequency.

7.1.4 Risk Management Committee

The risk management committee is responsible for oversight of all risk analysis and assessment, risk response, and risk monitoring. Its role includes:

bull Assessing the extent to which management hasestablished effective enterprise risk management inthe organization

bull Being aware of and concurring with the organizationrsquos risk appetite and tolerance

bull Appreciating the impact of IT-related risksbull Reviewing the organizationrsquos risk portfolio mdash

including IT risks mdash and considering it against the organizationrsquos risk appetite

bull Being apprised of the most significant IT risks anddetermining whether or not managementrsquos responseto changes in risk and threats is appropriate

bull Monitoring and evaluating all activities performed by management to minimize all known and documented risks

715 Finance Committee

The main role of the finance committee is to review financial statements cash flow projections and investmentmanagement Members of this committee need to under-stand the control elements of IT that ensure the accuracy ofinformation used to make key financing decisions and generate financial reports They also should consider andask management to report on the benefits and costs ofmaintaining mdash versus replacing mdash critical IT systemsManagementrsquos report should consider ldquosoftrdquo efficiency issuessuch as gains or losses to productivity based on ease and efficiency of use the ldquohardrdquo costs of repairs and upgradesand the potential for risk due to loss or corruption of data

7.2 Management

Several specific roles have emerged in large organizations in relation to IT risk and control. As stated previously, small organizations might not allocate an individual to each role, although the function must still be performed. An individual may perform multiple roles, but care must be taken so that allocating these roles does not compromise the need for division of duties where roles are incompatible. Where IT is outsourced, there is still a requirement for organizations to keep many of these roles in-house to provide oversight of the outsourced functions.

7.2.1 Chief Executive Officer

The individual with overall strategic and operational control of the organization must consider IT in most aspects of the role. In particular, the CEO will:

• Define corporate objectives and performance measures in relation to IT.

• Act as custodian over the organization's critical success factors in relation to IT.

• Understand and approve the short-term and long-range strategy for IT.

• Approve IT resources for the organization, including structure and oversight/monitoring.

• Determine IT issues for periodic management, board, and staff discussion.

• Operate as the highest-level control owner, having ultimate responsibility for the success or failure of controls and for coordinating all other operational managers within their responsibilities framework who act as control owners of their particular areas.

7.2.2 Chief Financial Officer

The CFO has overall responsibility for all financial matters in the organization and should have a strong understanding of the use of IT, both to enable financial management and to support corporate objectives. This individual should have an overall understanding of:

• The total cost of ownership for IT initiatives.

• The entity's IT strategies for remaining technologically competitive.

• The technologies used to implement financial applications.

• The operation of specific financial applications.

• The limitations and benefits of IT.

• The IT control structure for general controls that apply to all business systems and data, as well as controls that are specific to financial applications.

The CFO should operate as the highest-level control owner for financial systems and data.

IT Controls and Ethics

As evidenced by the Equity Funding cases in the 1970s through the scandals that continue to emerge today, the use of technology creates significant opportunities to initiate and perpetuate fraud and deception. The authority to override certain controls brings with it the temptation to initiate improper actions. If such improprieties go unnoticed or are tacitly allowed to continue, they can grow into outright fraud. Therefore, when an organization gives an individual the opportunity to perform actions on its behalf, it has a corresponding responsibility to provide monitoring that detects and corrects improper activities quickly. The organization also has a responsibility to identify threats of this sort and to establish safeguards as a preventive measure. The same technology tools that can create the opportunity for fraud can be used to identify activities, or even unusual patterns in transactions or other data, that may indicate evidence of fraud or questionable behavior.

7.2.3 Chief Information Officer

The CIO has overall responsibility for the use of IT within the organization. In relation to IT controls, the CIO should:

• Understand the business requirements that drive the need to implement IT.

• Develop IT partnerships with business management to:
  – Ensure IT strategy is aligned with the business strategy.
  – Ensure compliance.
  – Profit from process-efficiency gains.
  – Mitigate assessed risks.

• Design, implement, and maintain an IT internal control framework.

• Plan, source, and control IT resources.

• Explore, assess, select, and implement technology advances (e.g., wireless communications).

• Provide training for IT personnel to ensure that levels of knowledge and skills remain current.

• Operate as the highest-level data/system custodian and IT control owner.

• Measure the operational performance of IT in support of business objectives by:
  – Setting expectations.
  – Evaluating results.

• Develop all necessary means to verify and acknowledge that IT is providing services and support as expected by its users and final customers, such as regulators and external and internal auditors.

7.2.4 Chief Security Officer

The chief security officer (CSO) is responsible for all security across the entire organization, including information security, which may also be the responsibility of a chief information security officer. The CSO:

• Has responsibility for documenting the enterprise security policy and for ensuring mechanisms have been established to communicate and enforce the policy.

• Has overall responsibility for logical and physical security in the organization and for all external connections to the Internet or other networks.

• Acts as a key link between the compliance, legal, CIO, and audit functions.

• Is at the forefront of implementing key compliance programs affecting IT, such as Sarbanes-Oxley and the European Union (EU) Data Protection Directive.

• Is responsible for business continuity planning, including incident handling and disaster recovery.

• Ensures that security staff provide support for implementing controls at all levels.

• Acts as the key leader for investigating and evaluating new best practices that may be incorporated into the organization.

7.2.5 Chief Information Security Officer (CISO)

Information security is a subset of the overall security role. The CISO:

• Develops and implements the information security policy in coordination with the CSO.

• Controls and coordinates information security resources, ensuring they are allocated adequately to meet the organization's security objectives.

• Ensures alignment of information security and business objectives.

• Manages operational information risks throughout the organization.

• Oversees security within the IT organization.

• Provides education and awareness on information security issues and new best practices.

• Develops end-user policies for the usage of IT information in conjunction with the human resources function.

• Coordinates information security work with the chief risk officer (CRO) and CIO.

• Advises the CEO, CRO, CIO, and board on IT risk issues.

• Acts as a key link for the CAE when internal auditing performs IT control-related audits.

7.2.6 Chief Legal Counsel (CLC)

Legal counsel may be an employee or officer of the organization or an external legal adviser. The role involves:

• Understanding and dealing with the liabilities arising out of information disclosures, and providing policy-level guidance to help manage the related risks.

• Ensuring financial reports and presentations comply with laws and regulations.

• Understanding IT legal issues and advising on legal risks related to IT.

• Managing organizational reputation in relation to legal issues, compliance, and public relations.

• Understanding fraud involving IT.

• Managing IT contractual issues.

• Understanding investigative forensics protocols regarding suspected criminal activity.

7.2.7 Chief Risk Officer

The CRO is concerned with managing risk at all levels of the organization. Because IT risks form a part of this function, the CRO will consider them with the help of the CISO. This includes:

• Analysis and assessment of IT risk exposures, including information compromises such as loss, damage, unauthorized disclosure, and interrupted access.

• Assessment of IT events such as interruptions, disasters, and changes.

• Analysis and assessment of business risk as it is affected by IT risk.

• Monitoring, supporting, and acting as a mentor for all IT activities related to minimizing risks.

7.3 Audit

7.3.1 Internal Auditing – CAE and Audit Staff

Internal auditing is an essential part of the corporate governance process, whether or not a specific internal audit group is employed. Internal auditors need a general understanding of IT, but the level of their understanding will vary depending on the category of auditing or audit supervision they perform (IIA Standard 1210.A3). The IIA defines three categories of IT knowledge for internal auditors; Appendix C (see page 28) describes these categories. The internal audit role in relation to IT involves:

• Advising the audit committee and senior management on IT internal control issues.

• Ensuring IT is included in the audit universe and annual plan (selecting topics).

• Ensuring IT risks are considered when assigning resources and priorities to audit activities.

• Defining IT resources needed by the internal audit department, including specialized training of audit staff.

• Ensuring that audit planning considers IT issues for each audit.

• Liaising with audit clients to determine what they want or need to know.

• Performing IT risk assessments.

• Determining what constitutes reliable and verifiable evidence.

• Performing IT enterprise-level controls audits.

• Performing IT general controls audits.

• Performing IT application controls audits.

• Performing specialist technical IT controls audits.

• Making effective and efficient use of IT to assist the audit processes.

• During systems development or analysis activities, operating as experts who understand how controls can be implemented and circumvented.

• Helping to monitor and verify the proper implementation of activities that minimize all known and documented IT risks.

7.3.2 External Auditor

Independent external audits are a requirement for most organizations and normally are performed annually. Topics to be considered by the internal audit department and the audit committee include:

• The extent of the external auditor's responsibilities for understanding and evaluating the IT system and related IT controls during financial audits.

• The scope of the external auditor's responsibilities for examining the IT system and controls during any formal attestation that may be required by statute or regulation, such as internal controls over financial reporting and other regulatory requirements.

[3] These definitions are taken from the COSO Enterprise Risk Management – Integrated Framework (Oct. 2004).

8 Analyzing Risk

8.1 Risk Determines Response

IT controls are selected and implemented on the basis of the risks they are designed to manage. As risks are identified, through experience or formal risk assessment, suitable risk responses are determined, ranging from doing nothing and accepting the risk as a cost of doing business to applying a wide range of specific controls, including insurance.

It would be a relatively straightforward task to create a list of recommended IT controls that must be implemented within each organization. However, each control has a specific cost that may not be justified in terms of cost effectiveness when considering the type of business done by the organization. Furthermore, no list of controls is universally applicable across all types of organizations. Although there is a lot of good advice available on the choice of suitable controls, strong judgment must be used. Controls must be appropriate for the level of risk faced by the organization.

The CAE should be able to advise the audit committee that the internal control framework is reliable and provides a level of assurance appropriate to the risk appetite of the organization. In this respect, the risk appetite of the organization is defined by COSO [3] as:

"… the degree of risk, on a broad-based level, that a company or other organization is willing to accept in pursuit of its goals. Management considers the organization's risk appetite first in evaluating strategic alternatives, then in setting objectives aligned with the selected strategy, and in developing mechanisms to manage the related risks."

In addition, the CAE should consider risk tolerance. COSO defines risk tolerance as:

"… the acceptable level of variation relative to the achievement of objectives. In setting specific risk tolerances, management considers the relative importance of the related objectives and aligns risk tolerances with its risk appetite."

Thus, the CAE should consider whether or not:

• The organization's IT environment is consistent with the organization's risk appetite.

• The internal control framework is adequate to ensure that the organization's performance remains within the stated risk tolerances.

8.2 Risk Considerations in Determining the Adequacy of IT Controls

Risk management applies to the entire spectrum of activity within an organization, not just to the application of IT. IT cannot be considered in isolation but must be treated as an integral part of all business processes. Choosing IT controls is not simply a matter of implementing those recommended as best practices. They must add value to the organization by reducing risk efficiently and increasing effectiveness.

When considering the adequacy of IT controls within the organization's internal control framework, the CAE should consider the processes established by management to determine:

• The value and criticality of information.

• The organization's risk appetite and tolerance for each business function and process.

• IT risks faced by the organization and the quality of service provided to its users.

• The complexity of the IT infrastructure.

• The appropriate IT controls and the benefits they provide.

• Harmful IT incidents in the past 24 months.

The frequency of risk analysis is important and is influenced greatly by technological change. In a static business and technical infrastructure environment, the risk assessment process could be as infrequent as yearly, or could be performed in concert with a major implementation project.

8.2.1 The IT Infrastructure

Analyzing and assessing risk in relation to IT can be complex. The IT infrastructure consists of hardware, software, communications, applications, protocols (rules), and data, as well as their implementation within physical space, within the organizational structure, and between the organization and its external environment. Infrastructure also includes the people interacting with the physical and logical elements of systems.

The inventory of IT infrastructure components reveals basic information about the vulnerabilities of the environment. For example, business systems and networks connected to the Internet are exposed to threats that do not exist for self-contained systems and networks. Because Internet connectivity is an essential element of most business systems and networks, organizations must make certain that their systems and network architectures include the fundamental controls that ensure basic security.

The complete inventory of the organization's IT hardware, software, network, and data components forms the foundation for assessing the vulnerabilities within the IT infrastructure that may impact internal controls. Systems architecture schematics reveal the implementation of infrastructure components and how they interconnect with other components within and outside the organization. To the information security expert, the inventory and architecture of IT infrastructure components, including the placement of security controls and technologies, reveal potential vulnerabilities. Unfortunately, information about a system or network can also reveal vulnerabilities to a potential attacker, so access to such information must be restricted to only those people who need it. A properly configured system and network environment will minimize the amount of information it provides to would-be attackers, and an environment that appears secure presents a less attractive target to most attackers. Limiting what the environment discloses complements the fundamental controls described above; it is not a substitute for them.

GTAG — Analyzing Risk — 8

8.2.2 IT Risks Faced by the Organization

The CAE discusses IT risk issues with the CIO and process owners to ensure that all related parties have an appropriate awareness and understanding of the technical risks faced by the organization through the use of IT, and of their roles in applying and maintaining effective controls.

8.2.3 Risk Appetite and Tolerance

Armed with the knowledge of IT risks, the auditor can validate the existence of effective controls to meet the established risk appetite of the organization and its risk tolerance in relation to IT. The auditor's assessment will involve discussions with many members of management and, ultimately, with the board. The level of detail of these discussions can be determined by the CRO with input from the CIO, CISO, CSO, CAE, and process owners. The final decision regarding risk appetite and tolerance must be made by the risk committee, with input from the audit committee, and must be endorsed by the full board. The definitions of risk appetite and tolerance must be communicated to all relevant managers for implementation.

The goal of enterprise risk management is to ensure that everyone is working with the same level and understanding of risk, and that decisions made at all levels of management are consistent with the organization's risk appetite.

8.2.4 Performing Risk Analysis

Performing risk analysis is not the sole preserve of either the CRO or the CAE, although both of them, or their representatives, should be involved, along with representatives from IT and the business areas.

There are eight basic questions associated with the risk assessment process. The first five are:

• What are the assets at risk, and what is the value of their confidentiality, integrity, and availability?

• What could happen to affect that information asset value adversely (threat event)? Implicit in this question is the vulnerability analysis and the mapping of vulnerabilities to threats and potentially impacted information assets.

• If a threat event happened, how bad could its impact be?

• How often might the event be expected to occur (frequency of occurrence)?

• How certain are the answers to the first four questions (uncertainty analysis)?

The next three questions apply to risk mitigation analysis:

• What can be done to reduce the risk?

• How much will it cost?

• Is it cost-efficient?

8.2.5 Value of Information

Determining the value of the information processed and stored is not an easy task, due to the multidimensional nature of value. The Generally Accepted Information Security Principles (GAISP) Guidelines for Information Valuation, published by the Information Systems Security Association (www.ISSA.org), address information value within the following categories:

• Exclusive possession – cost in the event of a breach of confidentiality.

• Utility – cost in the event of a loss of integrity.

• Cost of creation/re-creation.

• Liability in the event of litigation.

• Convertibility/negotiability – represents market value.

• Operational impact of unavailability.

8.2.6 Appropriate IT Controls

Finally, appropriate IT controls must be chosen and implemented to address the risks identified. Much advice is available on this subject; see Appendix I (see page 45).

The CAE and internal audit group should be involved in the process of analyzing and assessing risk. While they should operate in a manner that maintains the independence and objectivity of their function, they also must provide an opinion on the effectiveness of the internal control framework.

8.3 Risk Mitigation Strategies

When risks are identified and analyzed, it is not always appropriate to implement controls to counter them. Some risks may be minor, and it may not be cost effective to implement expensive control processes for them.

In general, there are several ways to mitigate the potential impact of risks:

• Accept the risk. One of the primary functions of management is managing risk. Some risks are minor because their impact and probability of occurrence are low. In this case, consciously accepting the risk as a cost of doing business is appropriate, as is periodically reviewing the risk to ensure its impact remains low.

• Eliminate the risk. A risk may be associated with the use of a particular technology, supplier, or vendor. The risk can be eliminated by replacing the technology with more robust products and by seeking more capable suppliers and vendors.

• Share the risk. Risk mitigation can be shared with trading partners and suppliers. A good example is outsourcing infrastructure management. In such a case, the supplier mitigates the risks associated with managing the IT infrastructure by being more capable and having access to more highly skilled staff than the primary organization. Risk also may be mitigated by transferring the cost of realized risk to an insurance provider. Sharing transfers the operation or the cost of a risk, not accountability for it, which is why section 7.2 keeps oversight of outsourced functions in-house.

• Control/mitigate the risk. Where other options have been eliminated, suitable controls must be devised and implemented to prevent the risk from manifesting itself or to minimize its effects.
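The eight questions of 8.2.4 and the four responses of 8.3 can be worked through numerically. The following Python script is an added example and is not part of the GTAG. It assumes an expected-annual-loss model (events per year times impact, carried as a low/high interval so the uncertainty of the estimates stays visible), a constructed risk register with invented figures, and a made-up tolerance of 5,000 per risk; it returns the response chosen for each asset.

```python
"""Quantitative risk analysis and response selection.

Added example; not from the GTAG. It walks the eight questions of 8.2.4
(assets and their value, threat event, impact, frequency, uncertainty,
what can be done, cost, cost-efficiency) and picks one of the four
responses of 8.3 (accept, eliminate, share, control) for each entry of a
constructed risk register. The model is an assumption: expected annual
loss = events per year x impact, carried as a low/high interval so that
the uncertainty of the estimates is visible. All figures are invented.
"""
from dataclasses import dataclass


@dataclass
class Risk:
    asset: str
    threat: str          # question 2: the threat event
    impact_low: float    # question 3: how bad, best case (currency units)
    impact_high: float   # question 3: how bad, worst case
    freq_low: float      # question 4: events per year, optimistic
    freq_high: float     # question 4: events per year, pessimistic

    def ale_range(self):
        """Question 5: the (low, high) interval of expected annual loss;
        the width of the interval is the uncertainty analysis."""
        return (self.impact_low * self.freq_low,
                self.impact_high * self.freq_high)


@dataclass
class Control:
    name: str                # question 6: what can be done
    annual_cost: float       # question 7: what it costs per year
    freq_reduction: float    # fraction of events the control prevents (0..1)
    impact_reduction: float  # fraction of impact removed when an event still occurs

    def residual_ale(self, risk):
        low, high = risk.ale_range()
        factor = (1.0 - self.freq_reduction) * (1.0 - self.impact_reduction)
        return (low * factor, high * factor)


def choose_response(risk, candidates, tolerance, insurance_premium=None):
    """Return (response, detail, residual annual exposure).

    Decisions are made on the pessimistic end of the interval so that an
    uncertain estimate cannot talk the organization into accepting a risk.
    """
    _, worst = risk.ale_range()
    if worst <= tolerance:
        return ("accept", None, worst)          # below tolerance: cost of doing business
    # Question 8: a control is cost-efficient only if it saves more than it costs.
    best = None
    for ctl in candidates:
        _, residual = ctl.residual_ale(risk)
        net_benefit = (worst - residual) - ctl.annual_cost
        if net_benefit > 0 and (best is None or net_benefit > best[2]):
            best = (ctl, residual, net_benefit)
    if best is not None and best[1] <= tolerance:
        return ("control", best[0].name, best[1])
    # Still above tolerance: share what remains with an insurer if that is cheaper.
    exposure = best[1] if best is not None else worst
    if insurance_premium is not None and insurance_premium < exposure:
        detail = "insurance" if best is None else f"{best[0].name} + insurance"
        return ("share", detail, insurance_premium)
    # No cost-efficient control and no affordable transfer: eliminate the risk
    # by replacing the technology or supplier that carries it.
    return ("eliminate", None, 0.0)


# Constructed register: (risk, candidate controls, annual insurance premium or None)
REGISTER = [
    (Risk("customer database", "unauthorized disclosure", 50_000, 400_000, 0.05, 0.2),
     [Control("encryption at rest", 15_000, 0.0, 0.9),
      Control("data loss prevention", 30_000, 0.6, 0.2)],
     6_000),
    (Risk("payroll file server", "disk failure", 2_000, 8_000, 0.5, 1.0),
     [Control("mirrored disks and nightly backup", 1_500, 0.9, 0.5)],
     None),
    (Risk("public web server", "defacement", 1_000, 3_000, 0.1, 0.3), [], None),
    (Risk("legacy FTP gateway", "credential theft", 20_000, 100_000, 0.2, 0.5),
     [Control("24x7 log review", 40_000, 0.3, 0.1)],
     None),
]


def analyze_register(register=REGISTER, tolerance=5_000.0):
    """Map each asset to its chosen response."""
    return {risk.asset: choose_response(risk, controls, tolerance, premium)
            for risk, controls, premium in register}


if __name__ == "__main__":
    for asset, (response, detail, exposure) in analyze_register().items():
        print(f"{asset:22s} {response:9s} {detail or '-':40s} residual {exposure:,.0f}/yr")
```

Running the script prints one line per asset: the web server is accepted, the payroll server is controlled, the customer database gets a control plus insurance for what the control leaves behind, and the FTP gateway, for which no candidate control pays for itself, is marked for elimination. Two design choices carry the argument of the section: decisions are taken on the pessimistic end of the interval, so a wide uncertainty band pushes a risk toward treatment rather than acceptance, and a control is considered only when its net benefit is positive, which is the cost-efficiency test of the eighth question. The register is where the inventory data of 8.2.1 would be substituted for the invented figures.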


8.4 Control Characteristics to Consider

Some of the issues to be addressed during the IT control evaluation process include:

• Is the control effective?

• Does it achieve the desired result?

• Is the mix of preventive, detective, and corrective controls effective?

• Do the controls provide evidence when control parameters are exceeded or when controls fail? How is management alerted to failures, and which steps are expected to be taken?

• Is evidence retained (audit or management trail)?

8.5 Baseline IT Controls

IT controls are to be applied when mitigating the risk is the best option. While IT controls should be applied with due regard to the relevant risks, there is a basic set of controls that need to be in place to provide a fundamental level of IT hygiene. For example, the use of a firewall to control traffic between a corporate network and a public network such as the Internet, or between internal network domains, is a baseline control. The level of risk associated with the business value and sensitivity of the network traffic, the services provided, and the information stored in the infrastructure determines the extent to which firewalls restrict traffic coming into and departing from an organization's networks. Firewalls are a physical and logical manifestation of information security policy elements that dictate what is allowed into or out of an organization.

The IT controls most widely applicable to all IT infrastructures are known as baseline controls. There are many types of baseline controls. Two baselines that apply to IT security controls are the Digital Dozen from the VISA Cardholder Information Security Program (CISP) and the Fundamental Five from the Center for Internet Security (see sidebars on this page). The Fundamental Five and Digital Dozen complement each other.

It is not easy to define the baseline IT controls, because the general threats, such as malicious software and hacking, change, and newer technologies and applications frequently are implemented across the organization. The following questions can be considered when selecting a suitable set of baseline controls:

• Do IT policies, including for IT controls, exist?

• Have responsibilities for IT and IT controls been defined, assigned, and accepted?

• Are IT infrastructure, equipment, and tools logically and physically secured?

• Are access and authentication control mechanisms used?

• Is antivirus software implemented and maintained?

• Is firewall technology implemented in accordance with policy (e.g., where external connections such as the Internet exist and where separation between internal networks is needed)?

• Are external and internal vulnerability assessments completed, and are risks identified and appropriately resolved?

• Are change and configuration management and quality assurance processes in place?

• Are structured monitoring and service measurement processes in place?

• Are specialist IT audit skills available (either internally or outsourced)?

Further information on baseline controls can be found in Appendix I (see page 45). More comprehensive information on risk analysis and management can be found in the IIA paper Information Security Management and Assurance: A Call to Action for Corporate Governance, http://www.theiia.org/eSAC/pdf/BLG0331.pdf.


Fundamental Five

The Consensus Benchmarks from the Center for Internet Security (www.cisecurity.org) provide guidance on the "Fundamental Five" of basic security hygiene. Use of these benchmarks typically results in an 80 percent to 95 percent reduction of known vulnerabilities.

1. Identity and Access Management (including privilege assignment and authentication)
2. Change Management (including patch management)
3. Configuration Management
4. Firewalls (workstation, host, sub-network, and perimeter)
5. Malware protection (including worms and viruses)

Digital Dozen

One of the most concise and broadly useful summaries of security guidance is the VISA CISP, which has proven its value for over two years in use by VISA credit card network service providers, including banks, processors, merchants, and others. VISA refers to these requirements as its "Digital Dozen":

1. Install and maintain a working firewall to protect data.
2. Keep security patches up-to-date.
3. Protect stored data.
4. Encrypt data sent across public networks.
5. Use and regularly update anti-virus software.
6. Restrict access by need to know.
7. Assign a unique identification code (ID) to each person with computer access.
8. Don't use vendor-supplied defaults for passwords and security parameters.
9. Track all access to data by unique ID.
10. Regularly test security systems and processes.
11. Implement and maintain an information security policy.
12. Restrict physical access to data.

9 Monitoring and Techniques

9.1 Choosing a Control Framework

The process of identifying and assessing the IT controls necessary to address specific risks is aided considerably by the organization's adoption of a formal control framework. This framework should apply to, and be used by, the whole organization, not just internal auditing. Although many frameworks exist, no single framework covers every possible business type or technology implementation.

A control framework is a structured way of categorizing controls to ensure that the whole spectrum of control is adequately covered. The framework can be informal or formal. A formal approach will more readily satisfy the various regulatory or statutory requirements faced by many organizations.

Each organization should examine existing control frameworks to determine which of them, or which parts, most closely fit its needs. The process of choosing or constructing a control framework should involve all positions in the organization with direct responsibility for controls. The CAE should be involved in the decision process, because the internal audit function will assess the framework's adequacy and use it as a context for planning and performing audit work.

The CAE needs an overall knowledge of IT risk issues to assess the effectiveness and appropriateness of IT controls. The CAE will base the audit plan, and allocate audit resources, according to the IT areas and issues that merit attention due to their inherent levels of risk. Risk analysis and assessment cannot be viewed as a one-time process, especially when applied to IT, because technology changes constantly and rapidly, as do the associated risks and threats. Categorizing IT controls according to their organizational placement, purpose, and functionality is useful in assessing their value and adequacy, as well as the adequacy of the system of internal controls. Knowledge of the range of available IT controls, the driving forces for controls, and organizational roles and responsibilities allows for comprehensive risk analysis and assessments. In assessing control effectiveness, it is also useful to understand whether the controls are mandated or voluntary, discretionary or nondiscretionary, manual or automated, primary or secondary, and subject to management override.

Finally, the assessment of IT controls involves selecting key controls for testing, evaluating test results, and determining whether or not evidence indicates any significant control weaknesses. The checklist in Appendix H can help the CAE ensure all relevant issues have been considered when planning and directing internal audit assessments of IT controls. Several existing frameworks and approaches can assist the CAE and other managers when determining IT control requirements. However, organizations should investigate enough frameworks to determine which one best fits their own needs and culture. A partial list of available frameworks is provided in Appendix D (see page 29).

The COSO Internal Control – Integrated Framework (1992) is accepted by the U.S. Public Company Accounting Oversight Board (PCAOB) for the purpose of reporting compliance with financial reporting provisions, but it is not specific to all areas of IT. This framework is considered to be a "suitable, recognized" framework to adopt for Sarbanes-Oxley compliance because it covers all areas of IT implementation, albeit at a high level of abstraction. (See Figure 5, COSO Model for Technology Controls, page 18.)

GTAG — Monitoring and Techniques — 9

COSO Model for Technology Controls

Monitoring
• Monthly metrics from technology performance
• Technology cost and control performance analysis
• Periodic technology management assessments
• Internal audit of technology enterprise
• Internal audit of high risk areas

Control Activities
• Review board for change management
• Comparison of technology initiatives to plan and return on investment
• Documentation and approval of IT plans and systems architecture
• Compliance with information and physical security standards
• Adherence to business continuity risk assessment
• Technology standards compliance enforcement

Information and Communication
• Periodic corporate communications (intranet, e-mail, meetings, mailings)
• Ongoing technology awareness of best practices
• IT performance survey
• IT and security training
• Help desk ongoing issue resolution

Risk Assessment
• IT risks included in overall corporate risk assessment
• IT integrated into business risk assessments
• Differentiate IT controls for high risk business areas/functions
• IT internal audit assessment
• IT insurance assessment

Control Environment
• Tone from the top – IT and security controls considered important
• Overall technology policy and information security policy
• Corporate Technology Governance Committee
• Technology Architecture and Standards Committee
• Full representation of all business units

Figure 5 - COSO Model for Technology Controls

92 Monitoring IT ControlsDetermining where to apply control monitoring and assess-ment and their frequency is not easy Participation by theauditor in risk analysis exercises and implementation of asuitable control framework help ensure that the CAE hassufficient information to create a suitable audit plan toaddress the major IT risks

Ultimately management is responsible for monitoringand assessing controls The auditorrsquos monitoring and assess-ments are performed to independently attest to manage-mentrsquos assertions regarding the adequacy of controlsManagementrsquos control monitoring and assessment activitiesshould be planned and conducted within several categoriesas follows

921 Ongoing Monitoring

bull DailyPeriodic ndash Some information must be checkeddaily to ensure controls are working as requiredManagement normally performs such monitoringwhich traditionally involves checking data-processingcontrol reports to reconcile satisfactory task and jobcompletion Such controls where they exist are mostoften automated The CAE will ensure such manage-ment monitoring is in place and that it is subjectedto internal audit assessment

• Event-driven – Discrepancies, or even frauds, may result within normal processing or in special circumstances, such as where there are large-value transactions. In many IT environments, malicious attacks are likely. Consequently, specific controls should be in place to detect and report unusual activities to an entity within the organization that is chartered specifically to investigate and determine if preventive or corrective actions should be applied. Such monitoring controls are complementary to the normal controls employed and provide assurance on the effectiveness of those controls, or early warning that they may have been breached.

• Continuous – Technology now provides the ability to monitor and assess certain sensitive controls continuously. A good example of continuous monitoring is the use of intrusion detection software, which continually monitors network traffic for evidence that other protective controls, such as firewalls and virus protection, may have been breached.

9.2.2 Special Reviews

• Annual (or quarterly) control assessment – Sarbanes-Oxley legislation in the United States requires cyclical control assessments. Although the board of directors is required to make statements regarding the effectiveness of internal controls, management actually must provide the assurances to the board, and the internal and external auditors must perform sufficient audit work to attest to these assurances.

• Audit reviews – A regular program of audit reviews is still necessary, despite the proliferation of new audit approaches. It is only through the formal review of infrastructure, process, and technology implementation that the CAE can assess the overall reliability and robustness of the system of internal controls. In the past, such reviews were planned on a cyclical basis. However, given the fast-changing world of IT, audit reviews should now be scheduled based on the level of risk.

GTAG — Monitoring and Techniques — 9

Suitable Recognized Framework

“…the framework on which management’s assessment of the issuer’s internal control over financial reporting is based must be a suitable, recognized control framework that is established by a body or group that has followed due-process procedures, including the distribution of the framework for public comment. By far the best-known framework that meets that definition is the framework designed by The Committee of Sponsoring Organizations of the Treadway Commission, otherwise known as the COSO report, which was published in 1992.”

— Scott A. Taub, Deputy Chief Accountant, U.S. Securities and Exchange Commission (SEC), SEC and Financial Reporting Conference, Pasadena, California, May 29, 2003


10.1 What Audit Methodology to Use

A lot has changed in the 40 years that IT auditing has existed. Technology components have become smaller, faster, and cheaper, even as overall IT costs to the organization have increased significantly. The majority of business processes have been automated, typically to provide efficiencies but also to enable certain business processes that cannot be performed manually. Ubiquitous network communications, including the Internet, have eliminated any distinction between business and electronic business.

The audit process similarly has evolved to match the automation of business processes. In the early days of automation, auditors “audited around the computer.” Now they use software routinely to test or analyze data and technical controls within systems.

A widely used audit approach involves operational analysis of the processing of important business transactions by automated systems. In such audits, the auditor identifies activities and information subject to control and assesses the ability of existing controls to provide reliable protection — including sufficient evidence of the reliability of controls. Because operational audits of automated business processes frequently identify internal control deficiencies, internal auditors may sometimes shift their attention to audits of — or even involvement in — the processes whereby business activities are automated, such as systems design, development and acquisition, implementation, and maintenance.

Experienced auditors develop extensive knowledge of internal controls and their strengths and weaknesses. Therefore, it is not uncommon for internal auditors to provide consulting services to the management responsible for designing and implementing internal controls. The scope and limitations on such consulting activity are prescribed in the International Standards for the Professional Practice of Internal Auditing (see http://www.theiia.org/guidance/standards-and-practices). However, internal auditor involvement in design, development, or implementation activities does not absolve management from responsibility for those activities.

Today, no specific audit methodologies can be regarded as the sole current best practice. Internal auditors adopt the methods and practices that best suit the work needed. For example:

• When performing an assessment against Sarbanes-Oxley requirements, a systems-based audit approach may be the best method.

• Fraud investigations may require the use of audit software to analyze data and look for evidence. Audit software provides strong analytical capability plus the ability to examine all relevant records and files.

• Performing annual audit work in support of the main internal audit objectives will most likely follow a risk-based approach.

10.2 Testing IT Controls and Continuous Assurance

In addition to assessing the adequacy of IT control mechanisms, regular reviews should be performed to ensure that controls continue to function as required. A traditional method used by internal auditors is to create a population of test data that can be processed through the business systems and to check the results, to ensure, for example, that controls continue to accept valid data and reject incorrect and invalid items. However, given the widespread, complex, and interactive nature of business systems today, audit testing tends to focus more specifically on key automated controls and analysis of the data.
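The test-data technique described above, as an added example (it is not code from the GTAG or from any audit product). A small payment-entry control is modelled, a constructed population of test items is run through it, and each control decision is compared with the outcome the auditor expects; every disagreement is recorded as an exception. The account-number format, approval limit, currency list and user names are all assumptions made for the example, and the control deliberately omits one check so that the population surfaces a deficiency:

```python
"""Control testing with a constructed test-data population.

Added example (not from the GTAG). A simple automated payment-entry
control is exercised with test items whose expected accept/reject
outcome is known in advance; disagreements are audit exceptions.
"""
from dataclasses import dataclass
from typing import Optional
import re

ACCOUNT_RE = re.compile(r"^[0-9]{8}$")       # assumed account-number format
APPROVAL_LIMIT = 10_000.00                  # assumed second-approval threshold
ALLOWED_CURRENCIES = {"USD", "EUR", "GBP"}  # assumed currency list


@dataclass
class Payment:
    ref: str
    account: str
    amount: float
    currency: str
    entered_by: str
    approved_by: Optional[str] = None


def control_decision(p: Payment):
    """The application control under test. Returns (accepted, reason).

    It deliberately lacks a check that the approver differs from the
    person who entered the payment, so the test population below
    reveals a control deficiency rather than a clean result."""
    if not ACCOUNT_RE.match(p.account):
        return False, "invalid account format"
    if p.amount <= 0:
        return False, "amount must be positive"
    if p.currency not in ALLOWED_CURRENCIES:
        return False, "unsupported currency"
    if p.amount > APPROVAL_LIMIT and not p.approved_by:
        return False, "approval required above limit"
    return True, "accepted"


# Constructed test population: (payment, auditor's expected acceptance)
TEST_POPULATION = [
    (Payment("T1", "12345678", 250.00, "USD", "alice"), True),
    (Payment("T2", "1234ABCD", 250.00, "USD", "alice"), False),   # bad account
    (Payment("T3", "12345678", -5.00, "USD", "alice"), False),    # negative
    (Payment("T4", "12345678", 0.00, "USD", "alice"), False),     # zero amount
    (Payment("T5", "12345678", 99.00, "XXX", "alice"), False),    # bad currency
    (Payment("T6", "12345678", 15000.00, "EUR", "alice"), False), # no approval
    (Payment("T7", "12345678", 15000.00, "EUR", "alice", "bob"), True),
    (Payment("T8", "12345678", 15000.00, "EUR", "alice", "alice"), False),  # self-approval
    (Payment("T9", "12345678", 10000.00, "GBP", "alice"), True),  # exactly at limit
]


def run_test_population(population=TEST_POPULATION):
    """Run every test item through the control; collect disagreements."""
    exceptions = []
    for payment, expected in population:
        accepted, reason = control_decision(payment)
        if accepted != expected:
            exceptions.append({"ref": payment.ref, "expected": expected,
                               "actual": accepted, "reason": reason})
    return {"tested": len(population), "exceptions": exceptions}


if __name__ == "__main__":
    result = run_test_population()
    print(f"tested {result['tested']} items, "
          f"{len(result['exceptions'])} exception(s)")
    for exc in result["exceptions"]:
        print(exc)
```

The population pairs each boundary of the control (zero, negative, exactly at the limit, just above it) with an expected outcome, which is what makes the run a test rather than a demonstration; item T8 is the one the control accepts although the auditor expected rejection, and it is the only exception reported.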

10.2.1 Automated Continuous Monitoring

Continuous monitoring and audit tools have been used for many years. Previously called embedded audit software, program code in business systems checks data being processed against predetermined criteria and reports anomalies it detects. The benefit of such monitoring is obvious: any discrepancies can be identified and acted upon immediately. Many proprietary business software products now provide such continuous monitoring functionality. The concept has also gone beyond business applications. For example, most firewall products and intrusion detection systems continuously check for potential attack scenarios and provide instant alerts when potential attacks are detected. This type of monitoring can cause problems due to the considerable volume of data and potential errors that are highlighted, not all of which will be worthy of attention. The task of refining the analysis techniques and monitoring thresholds requires constant vigilance to determine which alerts to highlight and which to accept as normal events.

GTAG — Assessment — 10

How Auditing Contributes to IT Controls

During the past four decades, there have been periods of reflection when management and auditors agreed the auditors could add value to the organization by contributing their controls expertise to development processes, to ensure appropriate controls were incorporated into new systems rather than adding controls after an audit revealed a deficiency. These activities coincided with the developments in control and risk self-assessment in the mainstream audit world. Audit consulting and risk-based auditing became widespread. The 1990s and beyond also saw dramatic increases in attention to information security management as cyber attacks increased in number and severity. These events have helped shape the role of the IT auditor, as well as the business world’s recognition of the importance of effective information security management.
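The embedded-monitoring idea of 10.2.1, and the event-driven and continuous monitoring categories of 9.2.1, as an added example (not code from the GTAG or from any monitoring product). Constructed, labelled event records are checked against three predetermined criteria (large-value postings, postings outside business hours, and bursts of failed logins), and the failed-login rule is parameterised so that the effect of a threshold on alert volume can be measured, which is the tuning task the paragraph above describes. The log format, rule names, thresholds, user names and addresses are all assumptions made for the example:

```python
"""Continuous monitoring of an event stream against predetermined
criteria, with a tunable alert threshold.

Added example; not code from the GTAG or from any product. Every log
line, rule and threshold below is constructed for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample event log: one key=value record per line.
SAMPLE_LOG = """\
2005-03-01T09:00:01 user=alice action=login result=ok src=10.1.1.5
2005-03-01T09:00:09 user=bob action=login result=fail src=10.1.1.9
2005-03-01T09:00:15 user=bob action=login result=fail src=10.1.1.9
2005-03-01T09:00:22 user=bob action=login result=ok src=10.1.1.9
2005-03-01T09:05:00 user=alice action=post amount=4200.00 account=12345678
2005-03-01T09:07:30 user=carol action=post amount=75000.00 account=87654321
2005-03-01T22:45:10 user=dave action=post amount=950.00 account=11112222
2005-03-01T23:01:00 user=mallory action=login result=fail src=198.51.100.7
2005-03-01T23:01:04 user=mallory action=login result=fail src=198.51.100.7
2005-03-01T23:01:07 user=mallory action=login result=fail src=198.51.100.7
2005-03-01T23:01:11 user=mallory action=login result=fail src=198.51.100.7
2005-03-01T23:01:15 user=mallory action=login result=fail src=198.51.100.7
"""


def parse_events(text):
    """Parse the key=value log format into event dicts ('ts' is a datetime)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, *fields = line.split()
        event = {"ts": datetime.fromisoformat(stamp)}
        for field in fields:
            key, value = field.split("=", 1)
            event[key] = value
        events.append(event)
    return events


def monitor(events, large_amount=50_000.0, fail_threshold=3,
            fail_window_s=60, business_hours=(7, 19)):
    """Apply three predetermined criteria to the stream; return alerts.

    Each alert is (rule, user, detail). Rules:
      LARGE_VALUE    - a posting at or above large_amount
      AFTER_HOURS    - a posting whose hour is outside business_hours
      LOGIN_FAILURES - fail_threshold failed logins by one user within
                       fail_window_s seconds (fires once per burst)
    """
    alerts = []
    recent_failures = defaultdict(deque)   # user -> failure times in window
    for ev in events:
        if ev.get("action") == "post":
            amount = float(ev["amount"])
            if amount >= large_amount:
                alerts.append(("LARGE_VALUE", ev["user"],
                               f"amount {amount:.2f} >= {large_amount:.2f}"))
            start, end = business_hours
            if not start <= ev["ts"].hour < end:
                alerts.append(("AFTER_HOURS", ev["user"], ev["ts"].isoformat()))
        elif ev.get("action") == "login" and ev.get("result") == "fail":
            window = recent_failures[ev["user"]]
            window.append(ev["ts"])
            # drop failures that have aged out of the sliding window
            while (ev["ts"] - window[0]).total_seconds() > fail_window_s:
                window.popleft()
            if len(window) == fail_threshold:
                alerts.append(("LOGIN_FAILURES", ev["user"],
                               f"{len(window)} failures within {fail_window_s}s"))
    return alerts


def compare_thresholds(events, thresholds):
    """Count LOGIN_FAILURES alerts per candidate threshold, so the analyst
    can see how much extra volume a looser setting would generate."""
    return {t: sum(1 for a in monitor(events, fail_threshold=t)
                   if a[0] == "LOGIN_FAILURES")
            for t in thresholds}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for alert in monitor(evs):
        print(alert)
    print("login-failure alerts by threshold:",
          compare_thresholds(evs, [1, 2, 3, 6]))
```

With the default threshold of three, only the burst from `mallory` raises a LOGIN_FAILURES alert; lowering the threshold to two also flags `bob`, whose two mistyped passwords are the kind of normal event the text says must be accepted rather than highlighted. The comparison function makes that trade-off visible before a threshold is changed in production.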

10.2.2 Automated Internal Control Analysis Tools

Audit software can be used to analyze stored data and check its validity to ensure the continuous, reliable operation of internal controls. Originally designated audit interrogation software, products such as ACL (www.acl.com) or CaseWare IDEA (www.caseware.com) now provide sophisticated features and specific analysis that can reduce the control assessment workload while increasing effectiveness and efficiency. Spreadsheet products like Microsoft Excel also contain powerful analysis tools auditors may use.

10.2.3 Automated Risk Analysis

Tools also are available for automating the risk analysis process. These tools are invaluable to the entire internal audit function, not just the IT auditor or risk specialist. Performing a proper risk analysis in today’s complex IT environments is not easy without the assistance of automated tools.

Management is responsible for performing risk assessments to determine the controls to implement or improve. Internal auditors perform similar analysis when assessing the adequacy of controls for audit plan and scope purposes. Automated tools can assist both processes. The automation of internal audit management is a major topic in its own right.

10.3 Audit Committee/Management/Audit Interfaces

It is impractical to establish rules for reporting on every special IT control situation. The CAE must apply prudent judgment when expressing an opinion or submitting a report to the audit committee. This is no different from the way the CAE interacts with the audit committee regarding other internal control issues.

The CAE will discuss internal control issues with the audit committee to determine the optimum level of information to be provided, to enable the audit committee to achieve its statutory, regulatory, policy, due care, or other governance obligations.

“Metrics and reporting” and “audit report summaries” are two areas where the CAE should interact with the audit committee regarding internal controls. Further interactions will depend on the needs of the specific audit committee and any legislative or regulatory requirements.

Metrics and reporting: Metrics and reports must present meaningful information on the status of IT controls. While management provides the metrics and reporting, the CAE should be able to attest to their validity and opine on their value. This is accomplished through audit examination of the relevant control areas to produce an independent and objective assessment. The CAE should liaise with management at all levels and with the audit committee to agree on the validity and effectiveness of the metrics and assurances chosen for reporting.

A basic set of governance and management metrics for information security is included in Appendix G (see page 40). These metrics do not include specific data regarding the operation of detailed technical controls, although the technical controls may provide the information used in measurement. The actual metrics used will depend on the organization and the needs of the audit committee. The CAE can select examples of measurements taken at any level of the organization to help illustrate matters that can impact controls at the governance level materially.

Audit report summaries: Prepared on a regular basis for the audit committee, these reports summarize findings, conclusions, and opinions regarding the status of IT controls. They also can report on the agreed-upon actions from prior audit reports and the status of those actions — probably on an exception basis for actions not taken within the designated time frame. IT controls summaries cannot be presented in isolation but should be presented in the context of the entire internal control framework.

The frequency of reporting depends on the organization’s needs. In a strong regulatory environment, such as provided by Sarbanes-Oxley in the United States, quarterly reporting is required. Otherwise, the frequency of reporting will be driven by the organization’s governance framework and philosophy and the extent to which IT risks exist.


Figure 6 – Audit Interfaces


Assessing IT controls is an ongoing process because business processes are constantly changing, technology continues to advance, threats evolve as new vulnerabilities emerge, and audit methods keep improving. The CAE should keep assessments of IT controls that support business objectives near the top of the audit agenda.

Assessing IT controls is not a case of determining whether best practices are employed, as controls are specific to the organization’s mission, objectives, culture, deployed processes and technologies, and risks. Technology should be tailored to provide effective control, and the CAE should ensure internal auditing adopts appropriate and effective methods. Auditing IT is a continuous learning process.

The CAE is rarely in a position to understand all the technologies used in his or her environment and their specific control implications. That is why properly certified and experienced IT auditors are a major asset for any internal audit function. However, the CAE should understand the overall control issues and be able to communicate them to senior management and to appropriate committees of the board of directors, in a form they will understand and in a manner that will result in an appropriate response. The key to assessing IT controls effectively is communication with technical staff, management, and board members.


GTAG — Conclusion — 11

Note: This appendix is extracted from the report of the Best Practices and Metrics team of the Corporate Information Security Working Group (CISWG), as provided on November 17, 2004 to the Subcommittee on Technology, Information Policy, Intergovernmental Relations, and the Census, Government Reform Committee, U.S. House of Representatives, and subsequently amended on January 10, 2005. Additional information may be obtained from the “Technology” section of http://www.theiia.org.

12.1 Governance (Board of Directors)

• Oversee risk management and compliance programs pertaining to information security (e.g., Sarbanes-Oxley, Health Insurance Portability and Accountability Act, Gramm-Leach-Bliley Act)
• Approve and adopt broad information security program principles and approve assignment of key managers responsible for information security
• Strive to protect the interests of all stakeholders dependent on information security
• Review information security policies regarding strategic partners and other third parties
• Strive to ensure business continuity
• Review provisions for internal and external audits of the information security program
• Collaborate with management to specify the information security metrics to be reported to the board

12.2 Management

• Establish information security management policies and controls and monitor compliance
• Assign information security roles, responsibilities, and required skills, and enforce role-based information access privileges
• Assess information risks, establish risk thresholds, and actively manage risk mitigation
• Ensure implementation of information security requirements for strategic partners and other third parties
• Identify and classify information assets
• Implement and test business continuity plans
• Approve information systems architecture during acquisition, development, operations, and maintenance
• Protect the physical environment
• Ensure internal and external audits of the information security program, with timely follow-up
• Collaborate with security staff to specify the information security metrics to be reported to management

12.3 Technical

Establishing a complete information security program requires attention to the following technical program elements:

• User identification and authentication
• User account management
• User privileges
• Configuration management
• Event and activity logging and monitoring
• Communications, e-mail, and remote access security
• Malicious code protection, including viruses, worms, and trojans
• Software change management, including patching
• Firewalls
• Data encryption
• Backup and recovery
• Incident and vulnerability detection and response
• Collaboration with management to specify the technical metrics to be reported to management


GTAG — Appendix A — Information Security Program Elements — 12

There is an increasing volume of legislation impacting on the internal control framework that organizations choose to implement. Although much of this legislation has emerged over recent years in the United States as a result of various corporate scandals, it has impacted organizations in other countries as well. Organizations should be aware of the relevant legislation, regulation, and business practices around the world — particularly in all countries in which they do business — to assess the organizational impacts and requirements.

For example, data protection legislation in Europe inhibits the transfer of information across borders to countries that do not have comparable data-protection regulation in place. This impacts trading relationships where the information to be transferred refers to identifiable individuals. Sarbanes-Oxley contains requirements for reporting on the system of internal controls for all organizations publicly traded in the United States, as well as their foreign subsidiaries.

This appendix provides a summary of requirements and the impact of some of the major legislation and regulation that should be considered in assessing and managing IT controls. Although this GTAG is aimed at a global audience, it covers Sarbanes-Oxley in some depth because it is one of the most significant pieces of legislation to emerge in recent years. The Organisation for Economic Co-operation and Development (OECD) Corporate Governance Principles provide a general framework for the implementation of business controls. The Basel II Accords have a major impact on the international financial sector, and many have suggested Basel II guidance may also influence other sectors.

13.1 U.S. Sarbanes-Oxley Act of 2002

Sarbanes-Oxley (http://www.theiia.org/iia/guidance/issues/sarbanes-oxley.pdf) was intended to reform public accounting practices and other corporate governance processes and shore up the capital markets in the wake of the Enron and WorldCom corporate governance scandals. The PCAOB provides a comprehensive collection of information and advice on Sarbanes-Oxley at its Web site (http://www.sarbanes-oxley.com). The key requirements of Sarbanes-Oxley, the SEC, and U.S. stock listing exchanges are fully compared and contrasted in an IIA Research Foundation analysis titled “Assessment Guide for U.S. Legislative, Regulatory, and Listing Exchanges Requirements Affecting Internal Auditing” (www.theiia.org/iia/download.cfm?file=519).

However, Sarbanes-Oxley does not address the issue of IT controls specifically. This does not mean IT can be ignored when performing the compliance reviews required by the act. The act is neutral with regard to technology, but the implication is clear that IT controls are critical to an organization’s overall system of internal controls. As IT controls address the secure, stable, and reliable performance of hardware, software, and personnel to ensure the reliability of financial applications, processes, and reporting, they must be a significant element of compliance reviews.

Some key IT control areas have been interpreted as not being incorporated in Sarbanes-Oxley compliance. These include privacy, business continuity, business systems, data classification, and information not specific to financial processing and reporting. Therefore, any audit specifically limited to Sarbanes-Oxley compliance will not assess all the risks faced by the organization and must be supplemented to ensure full audit coverage of the organization’s risk management and internal controls.

Tools and resources for corporate governance initiatives and current legislation can be found on The IIA’s Web site at http://www.theiia.org/iia/index.cfm?doc_id=4061.

13.1.1 Sarbanes-Oxley Sections Relevant to IT Controls

The following briefly describes the sections of Sarbanes-Oxley that relate to auditors and IT controls.

13.1.1.1 Sections 103 and 802

These sections establish rules for the public accounting firm relating to the audit and report. In particular, they require the board to establish standards for the audit work. They also require auditors to test the internal control structures and attest to the strength of those structures. This review must include a thorough examination of the IT controls that are fundamental to the system of internal control over financial reporting.

One specific requirement relates to the retention of records “that in reasonable detail accurately and fairly reflect the transactions and dispositions of the assets.” Again, this is influenced greatly by the way in which IT records are maintained and retained.

13.1.1.2 Section 201

This section requires that external auditors be independent. This precludes them from performing work for a client in the capacity of IT consultants or providing outsourced internal audit services. Organizations that do not wish to employ their own IT auditors cannot outsource the work to their external auditors.

13.1.1.3 Section 301

Section 301 defines the need for audit committee members to be independent and precludes them from performing any other consulting work on behalf of the organization. It also requires audit committees to establish procedures to handle “confidential, anonymous submission by employees of the issuer of concerns regarding questionable accounting or auditing matters” (whistle-blower complaints). This would also relate to any issues arising from the control of IT.

13.1.1.4 Sections 302 and 404

GTAG — Appendix B — Compliance With Laws and Regulations and Guidance on Compliance Implementation — 13

Section 302 of the act requires the CEO and CFO — who are responsible for financial information and the system of internal controls — to evaluate the system of internal controls every 90 days and report on their conclusions and any changes.

They must disclose:

• “All significant deficiencies in the design or operation of internal controls that could adversely affect the issuer’s ability to record, process, summarize, and report financial data, and identify for the issuer’s auditors any material weaknesses in internal controls”
• “Any fraud, whether or not material, that involves management or other employees who have a significant role in the issuer’s internal controls”

Section 404 requires the CEO and CFO to produce an annual audit report that:

• Assesses the effectiveness of the internal control structure over financial reporting
• Discloses all known internal control weaknesses
• Discloses all known frauds

This report will cover all applicable IT controls, including program logic and related change controls, access controls, and data protection. The PCAOB Auditing Standard No. 2 suggests the COSO Internal Control – Integrated Framework as a basis for Section 404 compliance management. References to Statement of Auditing Standards (SAS) 95 also emphasize the importance of IT and information security controls to Sarbanes-Oxley.

13.1.1.5 Section 409

Section 409 requires organizations to disclose any material changes to operations in real time and in plain English. Some contend these requirements establish a foundation, or need, for continuous monitoring, auditing, and assurance processes to become part of significant internal control processes.

13.2 Basel II Accord

The Basel II Accord is a global regulatory treaty that defines the global standards for enterprisewide risk management practices in the financial sector, with the intent to mitigate risks of losses in the industry. The focus is on the banking sector, but there is a clear intent to harmonize standards across all segments of the industry. All areas of bank operations are included — people, processes, systems, governance, and supplier management.

A bank willing to qualify for the Advanced Measurement Approach (AMA) under the Operational Risk (OR) Treaty must implement best practice in operations and risk management. For risk management, this means:

• Senior management is actively involved
• The bank has an OR management system, processes, policies, and procedures enterprisewide
• The bank has the right governance and sufficient resources to manage operational risks
• The bank has an OR management function that is responsible for:
  – Designing and implementing the OR management framework
  – Codifying policies, procedures, and controls
  – Designing and implementing an OR measurement methodology
  – Designing and implementing an OR management reporting system
  – Developing strategies to identify, measure, monitor, and control or mitigate OR
• An OR measurement system is closely integrated into the day-to-day risk management process
• The OR exposures and loss experiences are regularly reported
• The OR management system is documented
• Internal and external auditors regularly review the OR management processes and measurement system

Key to success in OR management is an information system that supports OR exposure self-assessment, allows process mapping, consists of an OR loss database and reporting function, and entails an action-plan management function.

The Basel Committee does not specify the approach or distributional assumptions to be used to generate the OR measure for regulatory capital purposes. However, the framework allows for three basic approaches that essentially are dependent on the quality and quantity of risk management data. Whereas using more data and historical metrics to prove good performance may allow banks to maintain less capital reserves and to quantify OR, the banks must be able to demonstrate that their approaches capture potentially severe “tail” loss events (severe, unexpected losses). Moreover, consistency with the scope of OR as defined by the Basel Committee is required.

First, a bank’s organization-wide risk assessment methodologies must capture key business, environmental, and internal control factors that can change its OR profile. In addition, the bank should have a process for assessing overall capital adequacy.

Next, the risk measurement system must be granular enough to capture the tails of the loss estimates. Banks are expected to use expert opinion in conjunction with external data for scenario analysis to evaluate their exposure to high-severity events. Because a bank does not have enough of its own data in the area of high-impact, low-frequency risks, it must acquire data from an external provider, such as Zurich-based ORX, Global Operational Loss Database (GOLD), or MORE Exchange.

The banks must have a credible, transparent, well-documented, and verifiable approach for weighting these fundamental elements in their overall OR measurement system. There are additional prerequisites to qualify for the AMA:

• Internal loss and performance data — successes, near misses, and failures — all must be tracked and accounted for (reconciled to the books of the bank)


• Internal loss data must be linked to the bank’s current business activities

• An observation period of at least five years is required for internal loss data, with a minimum of three years necessary when moving to AMA

• According to the internal loss collection process:
  – OR losses related to credit risk and historically included in banks’ credit risk databases continue to be treated as credit risk for the purpose of calculating minimum regulatory capital under this framework. Such losses should be flagged separately.
  – OR losses related to market risk are treated as OR for the purposes of calculating minimum regulatory capital under this framework and are subject to the OR capital charge.

• The OR measurement system must use relevant external data

Third, Basel II disclosure requires banks to describe their risk management objectives and policies for each separate risk area, including:

• Strategies and processes
• Structure and organization of the risk management function
• Scope and nature of risk reporting
• Policies for hedging and mitigating risks (including operations)

Note: The BITS Key Risk Measurement Tool for Information Security Operational Risks, or “BITS Kalculator” (http://www.bitsinfo.org/bitskalculatorjuly04.pdf), is a tool financial institutions of all sizes can use to evaluate critical information security risks to their businesses. It can be downloaded at no cost from the BITS Web site (http://www.bitsinfo.org/wp.html).

13.3 Data Protection

The concept of data protection was developed when computerization issues were raised at United Nations and OECD conferences in the late 1960s. The first national law was enacted in 1974 in Sweden, and the OECD published its Data Protection Guidelines in 1980 (OECD C(80)58 final). Regional bodies like the Council of Europe (Data Protection Convention 108, 1981, human rights-based) and the European Commission (EC) (Directive 95/46/EC, consumer protection-oriented) have enacted binding frameworks for implementation in their member states. Depending on their legal system, many countries around the globe have constitutional provisions and omnibus laws, or a broad spectrum of sector regulations, for data protection. To bridge the differences in U.S. and European Union (EU) privacy regulations, the EC and the U.S. Department of Commerce developed a safe harbor framework for U.S. companies. The safe harbor is a framework agreement consisting of seven principles and a series of frequently asked questions. (See also http://www.was4.hewitt.com/hewitt/resource/legislative_updates/europe/eu_data1.htm.)

The EU legislation requires organizations to protect the personal information of individuals. The legislation also mandates that appropriate technical measures be taken to ensure the security of personal data, whether electronic or manual. Further information regarding data protection can be found at the Electronic Privacy Information Center (EPIC) (http://www.epic.org), Privacy International (http://www.privacyinternational.org), and the UK Office of the Information Commissioner (http://www.informationcommissioner.gov.uk).

13.4 The U.S. Gramm-Leach-Bliley Act (GLBA) – The Financial Modernization Act of 1999

The GLBA was introduced to protect the privacy of customer information in the financial sector, but it extends beyond financial companies. Any company that handles non-public financial customer information may be held accountable under this law, depending on the circumstances. More information is available from EPIC (http://www.epic.org/privacy/glba) and the U.S. Federal Trade Commission (http://www.ftc.gov/bcp/conline/pubs/buspubs/glblong.shtm#whois).

13.5 U.S. Health Insurance Portability and Accountability Act (HIPAA) 1996

HIPAA contains requirements for the privacy of personal information and for information security. The law applies to U.S.-based companies in the health care sector but can also pertain to any company that provides health care benefits to employees, depending on the circumstances. Further details can be found at http://www.hipaa.org.

13.6 California Security Breach Information Act, Civil Code Sections 1798.29 and 1798.82 (Frequently Referenced by the Bill – CA SB 1386)

California’s State Bill 1386 amended the Information Practices Act of 1977 of the California Civil Code to create a sweeping regulation that mandates public disclosure of computer-security breaches in which confidential information of any California resident may have been compromised. Every enterprise — public or private — doing business with California residents is potentially affected. Confidential information covered by the law includes Social Security numbers, California driver’s license numbers, account numbers, and credit or debit card numbers. A more detailed article on this regulation can be found at http://www.theiia.org/itaudit/index.cfm?fuseaction=forum&fid=5501. Although case law for this legislation is not cited here, some discussions on the subject have indicated the courts may not view an organization’s statement favorably if it treats its California customers differently from its other customers.


GTAG — Appendix B — Compliance With Laws and Regulations and Guidance on Compliance Implementation — 13


13.7 Global National Regulations

Many countries have national regulations covering internal control, including Germany (KonTraG risk management requirement) and France (LSF internal control reporting requirement). In addition, external auditors may be required to certify the adequacy of financial reporting mechanisms and controls. Although most of these regulations do not address IT directly, they imply the need for an adequately controlled IT infrastructure. For this reason, many national bodies of the International Federation of Accountants (IFAC) provide detailed guidance for evaluating IT controls.

GTAG – Appendix C – Three Categories of IT Knowledge for Internal Auditors – 14


14.1 Auditor Knowledge Considerations

Standard 1210 – Proficiency of The IIA's Standards requires that the internal audit activity collectively should possess or obtain the knowledge, skills, and other competencies needed to perform its responsibilities.4 Varying levels of IT knowledge are needed throughout the organization to provide a systematic, disciplined approach to evaluating and improving the effectiveness of risk management, control, and governance processes. Knowledge of how IT is used, the related risks, and the ability to use IT as a resource in the performance of audit work is essential for auditor effectiveness at all levels.

The IIA's International Advanced Technology Committee has identified three categories of IT knowledge for internal auditors:

14.1.1 Category 1 – All Auditors

Category 1 is the knowledge of IT needed by all professional auditors, from new recruits up through the CAE. Basic IT knowledge encompasses understanding concepts such as the differences in software used in applications, operating systems and systems software, and networks. It includes comprehending basic IT security and control components such as perimeter defenses, intrusion detection, authentication, and application system controls. Basic knowledge includes understanding how business controls and assurance objectives can be impacted by vulnerabilities in business operations and the related and supporting systems, networks, and data components. It is fundamentally about ensuring that auditors have sufficient knowledge to focus on understanding IT risks without necessarily possessing significant technical knowledge.

14.1.2 Category 2 – Audit Supervisors

Category 2 applies to the supervisory level of auditing. In addition to having basic IT knowledge, audit supervisors must understand IT issues and elements sufficiently to address them in audit planning, testing, analysis, reporting, follow-up, and assigning auditor skills to the elements of audit projects. Essentially, the audit supervisor must:

• Understand the threats and vulnerabilities associated with automated business processes.

• Understand business controls and risk mitigation that should be provided by IT.

• Plan and supervise audit tasks to address IT-related vulnerabilities and controls, as well as the effectiveness of IT in providing controls for business applications and environments.

• Ensure the audit team has sufficient competence — including IT proficiency — for audits.

• Ensure the effective use of IT tools in audit assessments and testing.

• Approve plans and techniques for testing controls and information.

• Assess audit test results for evidence of IT vulnerabilities or control weaknesses.

• Analyze symptoms detected and relate them to causes that may have their sources in business or IT planning, execution, operations, change management, authentication, or other risk areas.

• Provide audit recommendations based on business assurance objectives appropriate to the sources of problems noted, rather than simply reporting on problems or errors detected.

14.1.3 Category 3 – Technical IT Audit Specialists

Category 3 applies to the technical IT audit specialist. Although IT auditors may function at the supervisory level, they must understand the underlying technologies supporting business components and be familiar with the threats and vulnerabilities associated with the technologies. IT auditors also may specialize in only certain areas of technology.

IIA programs and products are designed primarily to meet the information needs of the Category 1 and 2 auditor. The Category 1 auditor will seek IIA guidance in relating IT threats, vulnerabilities, and controls to business assurance objectives. IIA products also provide information that can be useful in explaining the business impacts of technical problems. In addition, IIA products can help Category 3 technical IT auditors gain proficiency in areas of technology with which they are not already familiar and in striving to reach supervisory or management audit competence.

The SANS Institute provides information security training and awards Global Information Assurance Certification (GIAC) relevant to information security professionals, including auditors. The course offerings and accompanying certifications match the growing demands of students, new threats, and new technologies. GIAC certifications (http://www.giac.org/subject_certs.php) are grouped by subject matter and level of difficulty. Some are full certifications that accompany five- to six-day training courses, while others are certificates related to one- to two-day courses. Certificates are less involved but more intensely focused than certifications.

Also of interest and benefit to all categories of IT auditor are the materials provided by the Information Systems Audit and Control Association (ISACA). ISACA offers standards, guidelines, and procedures for IT audit professionals; technical research focused on IT audit topics; the Certified Information Systems Auditor (CISA) certification, earned by more than 35,000 individuals worldwide; and publications, education, and conferences targeted to IT audit professionals.

4 Note: The "Three Categories of IT Knowledge for Internal Auditors" document is not part of The IIA's Standards but is practical guidance provided by The IIA's International Advanced Technology Committee.

GTAG — Appendix D — Compliance Frameworks — 15


15.1 COSO

Formed in 1985, COSO is an independent private-sector initiative that studied the factors that can lead to fraudulent financial reporting and developed recommendations for public companies and their independent auditors, the SEC and other regulators, and educational institutions. COSO produced the Internal Control – Integrated Framework (Appendix E, see page 36), a widely accepted tool for both management and auditors, in September 2004, and it published Enterprise Risk Management – Integrated Framework in fall 2004. Details of both frameworks can be found at http://www.coso.org.

15.2 CICA CoCo

The Canadian Institute of Chartered Accountants (CICA) produced the Criteria of Control Framework (CoCo) in 1992 to address public and institutional concerns that the traditional view of control was no longer effective in preventing corporate failures. The mission of CoCo is to improve organizational performance and decision making through better understanding of control, risk, and governance. Moreover, the framework provides a basis for making judgments about the effectiveness of control.

In 1995, Guidance on Control was produced, which describes the CoCo framework and defines control in a way that goes beyond the traditional internal control over financial reporting. The CoCo model is a way of focusing on the future of an organization to ensure it is in control by having a clear sense of shared purpose, collective commitment to achieve that purpose, the resources it needs to do the job, and the ability to learn from experience.

15.3 CICA IT Control Guidelines

The IT Control Guidelines, published by the CICA, is a reference source for evaluating IT controls. It is organized in a manner that is easy to use and written in straightforward business language.

15.4 ITGI Control Objectives for Information and Related Technology (CobiT)

Established in 1998, the IT Governance Institute (ITGI) provides guidance on current and future issues related to IT governance, security, and assurance. The ITGI's leading guidance publication is Control Objectives for Information Technology (CobiT) (see Appendix F). ITGI's CobiT provides a reference framework and common language across the entire information systems life cycle for IS and business leaders and IS audit, control, and security practitioners. CobiT is one of the most popular and internationally accepted sets of guidance materials for IT governance.

15.5 ISO 17799 (Code of Practice for Information Security Management)

ISO/IEC 17799:2000(E), promulgated by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), defines information security principles that ultimately can provide assurance to trading partners and regulators that an organization's information is protected properly. Derived from the British Standards Institution's BS 7799 standard, the Code of Practice for Information Security Management is built around specific security elements required within 10 areas, including physical and environmental security, communication and operational management, and access control. Although, as a code of practice, ISO/IEC 17799:2000 provides guidance and recommendations, it is not intended to be a specification, and care should be taken to ensure that claims of compliance are not misleading.

The original BS 7799 standard has two parts:

• Part 1 is the Code of Practice and is identical to ISO/IEC 17799:2000.

• Part 2 is a specification for implementing an information security management system (ISMS).

To comply with BS 7799 Part 2 (BS 7799-2:2002), an organization's installed ISMS must conform to the set of requirements described in the standard, which are in the form of "shall" statements. Third-party bodies have been accredited to certify or register organizations to BS 7799-2:2002.

15.5.1 What Is Information Security?

BS 7799 treats information as an asset which, like other important business assets, has value to an organization and consequently needs to be protected. Information security protects information from a wide range of threats to ensure business continuity, minimize business damage, and maximize return on investments and business opportunities.

Information can exist in many forms: printed or written on paper, stored electronically, transmitted by post or using electronic means, shown on films, or spoken in conversation. Whatever form the information takes, or means by which it is shared or stored, BS 7799 indicates that it always should be protected appropriately.

Information security is characterized within BS 7799 as the preservation of:

• Confidentiality – ensuring that information is accessible only to those authorized to have access.

• Integrity – safeguarding the accuracy and completeness of information and processing methods.

• Availability – ensuring that authorized users have access to information and associated assets when required.

Information security is achieved by implementing a suitable set of controls from BS 7799, which could be policies, practices, procedures, organizational structures, and software functions. These controls should be established to ensure the specific security objectives of the organization are met.

15.5.2 How to Establish Security Requirements

BS 7799 states that it is essential that an organization identify its security requirements. There are three main sources:

• Assessing risks to the organization. BS 7799 does not prescribe a methodology.

• The legal, statutory, regulatory, and contractual requirements that an organization, its trading partners, contractors, and service providers have to satisfy.

• The particular set of principles, objectives, and requirements for information processing that an organization has developed to support its operations.

15.5.3 Assessing Security Risks

BS 7799 suggests that security requirements be identified by a methodical assessment of security risks. Expenditure on controls should be balanced against the business harm likely to result from security failures. The process of assessing risks and selecting controls may need to be performed a number of times to cover different parts of the organization or individual information systems, and it is important to review security risks and implemented controls periodically.

15.5.4 Selecting Controls

Once security requirements have been identified, controls from BS 7799 should be selected and implemented to ensure risks are reduced to an acceptable level. Controls should be selected based on the cost of implementation in relation to the risks being reduced and the potential losses if a security breach occurs. Nonmonetary factors, such as loss of reputation, should also be taken into account. For more information on BS 7799, see http://www.bs7799-iso17799.com.
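As an added illustration of the cost-versus-harm balance described in 15.5.3 and 15.5.4 (example code written for this page, not from the GTAG or from BS 7799, which prescribes no methodology), the following Python scores one constructed risk, including a money-equivalent for reputational harm, and selects candidate controls only while each one removes more expected loss than it costs, stopping when the residual exposure is acceptable or when no remaining control pays for itself. All risk figures, control costs, and effectiveness fractions are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Risk:
    """One security risk, scored as BS 7799 suggests: the business harm likely
    to follow a security failure. Figures are constructed for illustration."""
    name: str
    likelihood: float           # expected security failures per year
    direct_loss: float          # monetary harm per failure
    reputational_loss: float    # nonmonetary harm, given a money equivalent
    acceptable_exposure: float  # annual expected loss management will tolerate

    def exposure(self, likelihood: Optional[float] = None) -> float:
        """Annual expected loss at the given (or inherent) likelihood."""
        lik = self.likelihood if likelihood is None else likelihood
        return lik * (self.direct_loss + self.reputational_loss)


@dataclass
class Control:
    """A candidate safeguard: what it costs per year and what share of the
    failure likelihood it removes (an assumed, constructed effectiveness)."""
    name: str
    annual_cost: float
    reduction: float            # fraction of likelihood removed, 0.0 .. 1.0


def select_controls(risk: Risk, candidates: List[Control]) -> Dict[str, object]:
    """Choose controls until residual exposure is at or below the acceptable level.

    Each round takes the control with the best exposure-removed-per-cost ratio,
    but only if the exposure it removes exceeds its own cost: spending more on a
    control than the harm it prevents is the imbalance BS 7799 warns against.
    Reductions combine multiplicatively on the residual likelihood.
    """
    remaining = list(candidates)
    chosen: List[Control] = []
    likelihood = risk.likelihood
    while risk.exposure(likelihood) > risk.acceptable_exposure and remaining:
        current = risk.exposure(likelihood)
        justified = [c for c in remaining if current * c.reduction > c.annual_cost]
        if not justified:
            break  # no remaining control pays for itself; stop and escalate
        best = max(justified, key=lambda c: current * c.reduction / c.annual_cost)
        chosen.append(best)
        remaining.remove(best)
        likelihood *= 1.0 - best.reduction
    residual = risk.exposure(likelihood)
    return {
        "controls": [c.name for c in chosen],
        "total_cost": sum(c.annual_cost for c in chosen),
        "residual_exposure": residual,
        "acceptable": residual <= risk.acceptable_exposure,
    }


# Constructed sample risk and candidate controls (illustrative numbers only).
DISCLOSURE_RISK = Risk(
    name="unauthorized disclosure of the customer database",
    likelihood=0.5,
    direct_loss=200_000,
    reputational_loss=300_000,
    acceptable_exposure=50_000,
)
CANDIDATES = [
    Control("quarterly access-rights review", annual_cost=10_000, reduction=0.4),
    Control("database encryption at rest", annual_cost=30_000, reduction=0.5),
    Control("outbound data-loss-prevention gateway", annual_cost=80_000, reduction=0.6),
]


def main() -> None:
    result = select_controls(DISCLOSURE_RISK, CANDIDATES)
    for key, value in result.items():
        print(f"{key}: {value}")
    if not result["acceptable"]:
        # Residual risk is still above the tolerated level using only controls
        # that pay for themselves: management must accept, transfer, or fund more.
        print("residual exposure exceeds acceptable level; escalate for a risk decision")


if __name__ == "__main__":
    main()
```

With the sample figures the third control is rejected because it would cost more than the exposure it removes, so the run ends with two controls and a residual exposure that still needs a management decision.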

15.5.5 Topics Addressed in BS 7799

1 Scope
2 Terms and definitions
3 Security policy
  3.1 Information security policy document
  3.2 Review and evaluation
4 Security organization
  4.1 Information security infrastructure
  4.2 Security of third-party access
  4.3 Outsourcing
5 Asset classification and control
  5.1 Accountability for assets
  5.2 Information classification
6 Personnel security
  6.1 Security in job definition and resourcing
  6.2 User training
  6.3 Responding to security incidents and malfunctions
7 Physical and environmental security
  7.1 Secure areas
  7.2 Equipment security
  7.3 General control
8 Communications and operations management
  8.1 Operational procedures and responsibilities
  8.2 System planning and acceptance
  8.3 Protection against malicious software
  8.4 Housekeeping
  8.5 Network management
  8.6 Media handling and security
  8.7 Exchanges of information and software
9 Access control
  9.1 Business requirement for access control
  9.2 User access management
  9.3 User responsibilities
  9.4 Network access control
  9.5 Operating system access control
  9.6 Application access control
  9.7 Monitoring system access and use
  9.8 Mobile computing and teleworking
10 Systems development and maintenance
  10.1 Security requirements of systems
  10.2 Security in application systems
  10.3 Cryptographic controls
  10.4 Security of system files
  10.5 Security in development and support processes
11 Business continuity management
  11.1 Business continuity management process
12 Compliance
  12.1 Compliance with legal requirements
  12.2 Reviews of security policy and technical compliance
  12.3 System audit considerations

15.6 ISF Standard of Good Practice for Information Security

The Information Security Forum (ISF) Standard of Good Practice for Information Security aims at managing the risks associated with every aspect of information systems, irrespective of an organization's market sector, size, or structure. The standard, prepared by ISF's global working groups, is a publicly available document split into five key areas: security management, critical business applications, computer installations, networks, and systems development. For more information and details, see http://www.isfsecuritystandard.com.

15.7 Generally Accepted Information Security Principles (GAISP)

The Generally Accepted Information Security Principles (GAISP) culls best practice from all other similar frameworks. Developed in 1991 as the Generally Accepted System Security Principles, GAISP provides a comprehensive hierarchy of guidance for securing information and supporting technology, including:

• Pervasive Principles – board-level guidance.

• Broad Functional Principles – designed for executive-level information management (exposure draft distributed September 1999).

• Detailed Principles – guidance for operational information security management (under development).

GAISP is now being developed by the Information Systems Security Association (ISSA) (http://www.issa.org), which can provide details.

15.7.1 Pervasive Principles

The Pervasive Principles address the confidentiality, integrity, and availability of information. They provide general guidance to establish and maintain the security of information and supporting technology.

• Accountability Principle – Information security accountability and responsibility must be defined clearly and acknowledged.
Rationale – Accountability characterizes the ability to audit the actions of all parties and processes that interact with information. Roles and responsibilities should be clearly defined, identified, and authorized at a level commensurate with the sensitivity and criticality of information. The relationship between all parties, processes, and information must be defined clearly, documented, and acknowledged by all parties. All parties must have responsibilities for which they are held accountable.

• Awareness Principle – All parties with a need to know — including but not limited to information owners and information security practitioners — should have access to available principles, standards, conventions, or mechanisms for securing information and information systems, and should be informed of applicable threats to the security of information.
Rationale – This principle applies between and within organizations. Awareness of information security principles, standards, conventions, and mechanisms enhances and enables controls and can help to mitigate threats. Awareness of threats and their significance also increases user acceptance of controls. Without awareness of the necessity for particular controls, users can pose a risk to information by ignoring, bypassing, or overcoming existing control mechanisms. The awareness principle applies to unauthorized and authorized parties.

• Ethics Principle – Information should be used, and information security should be administered, in an ethical manner.
Rationale – Information systems pervade our societies. Rules and expectations are evolving with regard to the appropriate provision and use of information systems and the security of information. Use of information and information systems should match the expectations established by social norms and obligations.

• Multidisciplinary Principle – Principles, standards, conventions, and mechanisms for securing information and information systems should address the considerations and viewpoints of all interested parties.
Rationale – Information security is achieved by the combined efforts of information owners, users, custodians, and information security personnel. Decisions made with due consideration of all relevant viewpoints and technical capabilities can enhance information security and receive better acceptance.

• Proportionality Principle – Information security controls should be proportionate to the risks of modification, denial of use, or disclosure of information.
Rationale – Security controls should be commensurate with the value and vulnerability of information assets. Consider the value, sensitivity, and criticality of the information, as well as the probability, frequency, and severity of direct and indirect harm or loss. This principle recognizes the value of approaches to information security ranging from prevention to acceptance.

• Integration Principle – Principles, standards, conventions, and mechanisms for the security of information should be coordinated and integrated with each other and with the organization's policies and procedures to create and maintain security throughout an information system.
Rationale – Many information security breaches involve the compromise of more than one safeguard. The most effective control measures are components of an integrated system of controls. Information security is most efficient when planned, managed, and coordinated throughout the organization's system of controls and the life of the information.

• Timeliness Principle – All accountable parties should act in a timely, coordinated manner to prevent or respond to breaches of and threats to the security of information and information systems.
Rationale – Organizations should be able to coordinate and act swiftly to prevent or mitigate threat events. This principle recognizes the need for the public and private sectors to jointly establish mechanisms and procedures for rapid and effective threat-event reporting and handling. Access to threat-event history could support effective response to threat events and may help prevent future incidents.

Figure 7 – Security Management

• Assessment Principle – The risks to information and information systems should be assessed periodically.
Rationale – Information and security requirements vary over time. Organizations periodically should assess the information, its value, and the probability, frequency, and severity of direct and indirect harm or loss. Periodic assessment identifies and measures the variances from available and established security measures and controls, such as those articulated in the GAISP, as well as the risk associated with such variances. It also enables accountable parties to make informed information risk management decisions about accepting, mitigating, or transferring the identified risks with due consideration of cost effectiveness.

• Equity Principle – Management shall respect the rights and dignity of individuals when setting policy and when selecting, implementing, and enforcing security measures.
Rationale – Information security measures implemented by an organization should not infringe upon the obligations, rights, and needs of legitimate users, owners, and others affected by the information when exercised within the legitimate parameters of the mission objectives.

15.8 AICPA/CICA Trust Services Principles and Criteria

The American Institute of Certified Public Accountants (AICPA) Assurance Services Executive Committee and the CICA Assurance Services Development Board developed the Trust Services Principles and Criteria to address the risks and opportunities of IT. Trust Services Principles and Criteria set out broad statements of principles and identify specific criteria that should be achieved to meet each principle. The principles are broad statements of objectives. Criteria are benchmarks used to measure and present the subject matter and against which the practitioner can evaluate the subject matter. In the Trust Services Principles and Criteria, the criteria are supported by a list of illustrative controls. The Trust Services Principles and Criteria are organized into four broad areas:

• Policies – The organization has defined and documented its policies5 relevant to the particular principle.

• Communications – The organization has communicated its defined policies to authorized users.

• Procedures – The organization uses procedures to achieve its objectives in accordance with its defined policies.

• Monitoring – The organization monitors the system and takes action to maintain compliance with its defined policies.

Following are summaries of the Trust Services Security, Availability, Processing Integrity, Privacy, Confidentiality, and Certification Authority Principles and Criteria. The Trust Services Principles and Criteria can be used to deliver branded SysTrust and WebTrust engagements, which are assurance services designed for a wide variety of IT-based systems. Upon attainment of an unqualified assurance report, the organization would be entitled to display a SysTrust or WebTrust Seal and accompanying auditor's report. In addition, the framework can be used to provide advisory and consulting services. For a detailed listing of the Trust Services Principles and Criteria, see http://www.aicpa.org/trustservices.

15.8.1 Security Principle – The system is protected against unauthorized access (both physical and logical)

In e-commerce and other systems, the respective parties must ensure that information provided is available only to those individuals who need access to complete the transaction or services, or to follow up on questions or issues that may arise. Information provided through these systems is susceptible to unauthorized access during transmission and while it is stored on the other party's systems. Limiting access to the system components helps prevent potential abuse of the system, theft of resources, misuse of software, and improper access to or use, alteration, destruction, or disclosure of information. Key elements for protecting system components include permitting authorized access and preventing unauthorized access to those components.

15.8.2 Availability Principle – The system is available for operation and use as committed or agreed

The availability principle refers to the accessibility to the system, products, or services as advertised or committed by contract or by service-level and other agreements. This principle does not, in itself, set a minimum-acceptable performance level for system availability. Instead, the minimum performance level is established by mutual agreement (contract) between the parties.

Although system availability, functionality, and usability are connected, the availability principle does not address system functionality (the specific functions a system performs) and system usability (the ability of users to apply system functions to specific tasks or problems). It does address system availability, which relates to whether or not the system is accessible for processing, monitoring, and maintenance.

5 The term policies refers to written statements that communicate management's intent, objectives, requirements, responsibilities, and standards for a particular subject. Some policies may be described explicitly as such, being contained in policy manuals or similarly labeled documents. However, some policies may be contained in documents without such explicit labeling, including, for example, notices or reports to employees or outside parties.

6 Although some privacy regulations use the term principle, the term component is used in the AICPA/CICA Trust Services Principles and Criteria Framework to represent that concept, because the term principle previously has been defined in the Trust Services literature.

15.8.3 Processing Integrity Principle – System processing is complete, accurate, timely, and authorized

Processing integrity exists if a system performs its intended function in an unimpaired manner, free from unauthorized or inadvertent manipulation. Completeness generally indicates that all transactions and services are processed or performed without exception and that transactions and services are not processed more than once. Accuracy includes assurances that key information associated with the submitted transaction will remain accurate throughout the processing of the transaction and that the transaction or services are processed or performed as intended. The timeliness of the provision of services or the delivery of goods is addressed in the context of commitments made for such delivery. Authorization includes assurances that processing is performed in accordance with the required approvals and privileges defined by policies governing system processing.

The risks associated with processing integrity are that the party initiating the transaction will not complete the transaction or provide the service correctly and in accordance with the desired or specified request. Without appropriate processing-integrity controls, the buyer may not receive the goods or services ordered, may receive more than requested, or may receive the wrong goods or services altogether. However, if appropriate processing-integrity controls exist and are operational within the system, the buyer can be reasonably assured of receiving the correct goods and services in the correct quantity and price by the promised date. Processing integrity addresses all of the system components, including procedures to initiate, record, process, and report the information, product, or service that is the subject of the engagement. The nature of data input in e-commerce systems typically involves the user entering data directly over Web-enabled input screens or forms, whereas in other systems the nature of data input can vary significantly. Because of this difference in data-input processes, the nature of controls over the completeness and accuracy of data input in e-commerce systems may be somewhat different than for other systems.

Processing integrity differs from data integrity because it does not imply automatically that the information stored by the system is complete, accurate, current, and authorized. If a system processes information from sources outside of the system's boundaries, an organization can establish only limited controls over the completeness, accuracy, authorization, and timeliness of the information submitted for processing. Errors that may have been introduced into the information and control procedures at external sites typically are beyond the organization's control. When the information source is excluded explicitly from the description of the system that defines the engagement, it is important to detail that exclusion in the system description. In other situations, the data source may be an inherent part of the system being examined, and controls over the completeness, accuracy, authorization, and timeliness of information submitted for processing would be included in the scope of the system as described.
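To make the four processing-integrity attributes testable, here is an added example (written for this page, not taken from the GTAG or the Trust Services literature) that runs completeness, accuracy, timeliness, and authorization tests over a constructed order batch and reports the transaction ids that fail each one; the SLA, approval threshold, and approving role are assumed parameters.

```python
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample batch (not real data): an order-processing extract as an
# auditor might receive it to test the four processing-integrity attributes.
ORDERS = [
    {"id": "ORD-1001", "submitted": "2024-03-01T09:00", "processed": "2024-03-01T10:00",
     "lines": [(2, 50.0)], "total": 100.0, "approver_role": "clerk"},
    {"id": "ORD-1002", "submitted": "2024-03-01T09:05", "processed": "2024-03-01T09:30",
     "lines": [(1, 250.0)], "total": 250.0, "approver_role": "clerk"},
    # The same order appears a second time: processed more than once.
    {"id": "ORD-1002", "submitted": "2024-03-01T09:05", "processed": "2024-03-01T09:31",
     "lines": [(1, 250.0)], "total": 250.0, "approver_role": "clerk"},
    # Header total disagrees with the line items.
    {"id": "ORD-1003", "submitted": "2024-03-01T09:10", "processed": "2024-03-01T09:40",
     "lines": [(3, 20.0)], "total": 70.0, "approver_role": "clerk"},
    # ORD-1004 is missing from the batch; ORD-1005 was processed two days late.
    {"id": "ORD-1005", "submitted": "2024-03-01T11:00", "processed": "2024-03-03T12:00",
     "lines": [(1, 40.0)], "total": 40.0, "approver_role": "clerk"},
    # Large order approved by a clerk rather than a manager.
    {"id": "ORD-1006", "submitted": "2024-03-01T11:30", "processed": "2024-03-01T12:00",
     "lines": [(10, 1_500.0)], "total": 15_000.0, "approver_role": "clerk"},
]


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M")


def check_processing_integrity(
    orders: List[dict],
    sla_hours: int = 24,
    approval_threshold: float = 10_000.0,
    approving_roles: tuple = ("manager",),
) -> Dict[str, List[str]]:
    """Return the transaction ids that fail each processing-integrity attribute.

    completeness  -> "duplicate" (processed more than once) and "gap" (missing
                     from the id sequence, i.e. never processed)
    accuracy      -> "inaccurate" (header total differs from the sum of lines)
    timeliness    -> "late" (processed outside the committed SLA)
    authorization -> "unauthorized" (above threshold without a permitted approver)
    Threshold, SLA, and roles are assumed parameters, not part of the criteria.
    """
    findings: Dict[str, List[str]] = {
        "duplicate": [], "gap": [], "inaccurate": [], "late": [], "unauthorized": []
    }
    seen: Dict[str, int] = {}
    for order in orders:
        oid = order["id"]
        if oid in seen:
            findings["duplicate"].append(oid)
            continue  # do not re-test a record that should not exist twice
        seen[oid] = int(oid.rsplit("-", 1)[1])
        computed = sum(qty * price for qty, price in order["lines"])
        if abs(computed - order["total"]) > 0.005:
            findings["inaccurate"].append(oid)
        elapsed = _ts(order["processed"]) - _ts(order["submitted"])
        if elapsed > timedelta(hours=sla_hours):
            findings["late"].append(oid)
        if order["total"] > approval_threshold and order["approver_role"] not in approving_roles:
            findings["unauthorized"].append(oid)
    if seen:
        # Sequence check: every number between the lowest and highest id seen
        # should be present once; a hole means a transaction was dropped.
        prefix = next(iter(seen)).rsplit("-", 1)[0]
        present = set(seen.values())
        for number in range(min(present), max(present) + 1):
            if number not in present:
                findings["gap"].append(f"{prefix}-{number}")
    return findings


def main() -> None:
    for attribute, failed in check_processing_integrity(ORDERS).items():
        print(f"{attribute:12s}: {failed or 'no exceptions'}")


if __name__ == "__main__":
    main()
```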

15.8.4 Privacy Principle and Components – Personal information is collected, used, retained, and disclosed in conformity with the commitments in the organization's privacy notice and with the AICPA/CICA Trust Services Privacy Criteria

The Privacy Principle contains 10 components6 and related criteria that are essential to the proper protection and management of personal information. These privacy components and criteria are based on fair information practices included in privacy laws and regulations of various jurisdictions around the world and many recognized good privacy practices. The privacy components are:

• Management – The organization defines, documents, communicates, and assigns accountability for its privacy policies and procedures.

• Notice – The organization provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained, and disclosed.

• Choice and consent – The organization describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use, and disclosure of personal information.

• Collection – The organization collects personal information only for the purposes identified in the notice.

• Use and retention – The organization limits the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent. The organization retains personal information only as long as necessary to fulfill the stated purposes.

• Access – The organization provides individuals with access to their personal information for review and update.

• Disclosure to third parties – The organization discloses personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual.

• Security – The organization protects personal information against unauthorized access, both physical and logical.

• Quality – The organization maintains accurate, complete, and relevant personal information for the purposes identified in the notice.

• Monitoring and enforcement – The organization monitors compliance with its privacy policies and procedures and has processes to address privacy-related complaints and disputes.

15.8.5 Confidentiality Principle – Information designated as "confidential" is protected as committed or agreed

The confidentiality principle focuses on information designated "confidential." There is no widely recognized definition of confidential information, unlike personally identifiable information, which many countries currently are defining through regulation. In the course of communicating and transacting business, partners often exchange information they require to be maintained on a confidential basis. In most instances, the respective parties wish to ensure that the information they provide is available only to those individuals who need access to complete the transaction or resolve any questions that arise. To enhance business partner confidence, it is important to inform the partner about the organization's confidentiality practices, including those for providing authorized access to, use of, and sharing of information designated as confidential.

Information that may be subject to confidentialityincludes

bull Transaction detailsbull Engineering drawingsbull Business plansbull Banking information about businessesbull Inventory availabilitybull Bid or ask pricesbull Price listsbull Legal documentsbull Client and customer listsbull Revenue by client and industry

Unlike personal information there are no defined rights foraccessing confidential information to ensure its accuracyand completeness Interpretations of what is considered con-fidential information can vary significantly from business tobusiness and are driven by contractual arrangements in mostcases As a result those engaged in business relationshipsneed to understand what information will be maintained ona confidential basis and what if any rights of access or otherexpectations an organization might have for updating thatinformation to ensure its accuracy and completeness

Information that is provided to another party is suscepti-ble to unauthorized access during transmission and while itis stored on the other partyrsquos computer systems For examplean unauthorized party may intercept business partner profileinformation and transaction and settlement instructionswhile they are being transmitted Controls such as encryp-tion can be used to protect the confidentiality of this infor-mation during transmission while firewalls and rigorous

access controls can help protect the information while it isstored on computer systems

15.8.6 Certification Authority (CA) Principle

The certification authority discloses its key and certificate life cycle-management, business, and information privacy practices and provides its services in accordance with these practices. This includes the concepts of CA business-practice disclosures, service integrity, and environmental controls.

15.9 IIA Systems Assurance and Control (SAC)

The IIA provides the SAC model. The SAC model sets the stage for effective technology risk management by giving companies a framework to guide an evaluation of the e-business control environment. SAC recognizes the importance of governance – both within an organization and between business partners – to ensure effective security, auditability, and control of information. SAC provides current information to understand, monitor, assess, and mitigate technology risks. SAC examines risks in all business system components, including customers, competitors, regulators, and partners. Full details of the model can be found at http://www.theiia.org/eSAC/index.cfm, with a detailed discussion of the model at www.theiia.org/itaudit/index.cfm?fuseaction=forum&fid=411.

15.10 Corporate Governance

15.10.1 OECD Principles of Corporate Governance

The OECD Principles of Corporate Governance, amended in April 2004, set out a framework for good practice that has been agreed to by all 30 OECD member countries and has become a generally accepted standard (http://www.oecd.org/corporate). Originally issued in 1999, the principles are designed to assist governments and regulatory bodies in drawing up and enforcing effective rules, regulations, and codes of corporate governance. In parallel, they provide guidance for stock exchanges, investors, companies, and others that have a role in the process of developing good corporate governance. Although the OECD principles do not provide specific guidance on IT controls, other OECD units provide further guidance and research on information security and privacy.

15.10.2 EU Commission

The European Commission's Action Plan on Company Law and Corporate Governance was released in May 2003 to strengthen corporate governance mechanisms in public interest entities. (For details, see http://europa.eu.int/comm/internal_market/company/index_en.htm.) The EU's Corporate Governance initiatives do not address IT issues specifically, but activities of the Information Society

GTAG – Appendix E – Assessing IT Controls Using COSO – 16

The COSO Internal Control – Integrated Framework is recognized as a formal model for the purpose of Sarbanes-Oxley attestation by the SEC and provides a hierarchical categorization of controls. In addition, the audit standard from the PCAOB states:

"Because of the frequency with which management of public companies is expected to use COSO as the framework for the assessment, the directions in the standard are based on the COSO framework. Other suitable frameworks have been published in other countries and likely will be published in the future. Although different frameworks may not contain exactly the same elements as COSO, they should have elements that encompass all of COSO's general themes."

The COSO model was refined and enhanced during 2004 through development of the COSO Enterprise Risk Management – Integrated Framework (http://www.coso.org). This appendix describes the earlier framework, which is the version referenced for regulatory compliance. Nonetheless, the CAE should investigate the Enterprise Risk Management – Integrated Framework.

16.1 COSO Definition of Internal Control

COSO defines internal control (http://www.coso.org/key.htm) as "a process, effected by an organization's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations"

These distinct but overlapping categories address different needs, such that each requires a directed focus. The first category addresses an entity's basic business objectives, including performance and profitability goals and safeguarding of resources, which are impacted greatly by the use of IT.

The second category relates to the preparation of reliable published financial statements, including interim and condensed financial statements as well as earnings releases and other selected publicly reported financial data derived from such statements. IT systems frequently produce such reports, and the controls over these systems play a major part in the level of internal control.

The third category deals with complying with those laws and regulations to which the entity is subject.

Internal control systems operate at different levels of effectiveness. Internal control can be judged effective in each of the three categories if the board of directors and management have reasonable assurance that:

• They understand the extent to which the entity's operations objectives are being achieved.
• Published financial statements are being prepared reliably.
• There is compliance with applicable laws and regulations.

Although internal control is a process, its effectiveness is a state or condition of the process at one or more points in time.

16.2 COSO Internal Control – Integrated Framework

Internal control consists of five interrelated components that are derived from the way management runs a business and are integrated with the management process. Although the components apply to all entities, small and mid-size organizations may implement them differently than large enterprises. A small organization's controls may be less formal and less structured, yet it can still have effective internal control. The components are:

16.2.1 Control Environment

The control environment sets the tone for an organization, influencing the control consciousness of its people, establishing the foundation for all other components of internal control, and providing discipline and structure. Control environment factors include the integrity, ethical values, and competence of the entity's people; management's philosophy and operating style; the way management assigns authority and responsibility and organizes and develops its people; and the attention and direction provided by the board of directors.

16.2.2 Risk Assessment

Every entity faces a variety of risks from external and internal sources that must be assessed. A precondition to risk assessment is the establishment of objectives that are linked at different levels and are consistent internally. Risk assessment identifies and analyzes the relevant risks to achieving these objectives and forms a basis for determining how the risks should be managed. Because economic, industry, regulatory, and operating conditions will continue to change, organizations need mechanisms to identify and deal with the special risks associated with change.

16.2.3 Control Activities

Control activities are the policies and procedures that help ensure management directives are carried out and that necessary actions are taken to address risks to achieving these objectives. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets, and segregation of duties.

16.2.4 Information and Communication

Pertinent information must be identified, captured, and communicated in a form and time frame that enables people to perform their responsibilities. Information systems produce reports containing operational, financial, and compliance-related information that make it possible to run and control the business. They deal not only with internally generated data but also with information about external events, activities, and conditions necessary for informed business decision-making and external reporting. Effective communication must also occur in a broader sense, flowing down, across, and up the organization. All personnel must receive a clear message from top management that control responsibilities have to be taken seriously. They need to understand their own role in the internal control system, as well as how individual activities relate to the work of others. They must have a means of communicating significant information upstream. There also needs to be effective communication with external parties, such as customers, suppliers, regulators, and shareholders.

16.2.5 Monitoring

Internal control systems need to be monitored to assess the quality of their performance over time. This is accomplished through ongoing monitoring activities, separate evaluations, or a combination of the two. Ongoing monitoring occurs in the course of operations and includes regular management and supervisory activities and other actions personnel take in performing their duties. The scope and frequency of separate evaluations will depend primarily on an assessment of risks and the effectiveness of ongoing monitoring procedures. Internal control deficiencies should be reported upstream, with serious matters reported to top management and the board.

There is synergy and linkage among the components, forming an integrated system that reacts dynamically to changing conditions. The internal control system is intertwined with the entity's operating activities and exists for fundamental business reasons. Internal control is most effective when controls are built into the entity's infrastructure and are a part of the essence of the enterprise. Built-in controls support quality and empowerment initiatives, avoid unnecessary costs, and enable quick response to changing conditions.

There is a direct relationship between the three COSO categories of objectives (effectiveness, reliability, compliance), which are what an entity strives to achieve, and the components needed to achieve the objectives. All components are relevant to each objectives category. When looking at any one category, the effectiveness and efficiency of operations for instance, all five components must be present and functioning effectively to conclude that internal control over operations is effective.

The internal control definition, with its underlying fundamental concepts of a process, effected by people, providing reasonable assurance, together with the categorization of objectives, the components and criteria for effectiveness, and the associated discussions, constitute this internal control framework.

GTAG – Appendix F – ITGI Control Objectives for Information and Related Technology (CobiT) – 17

Organizations must satisfy the quality, fiduciary, and security requirements for their information, as for all assets. Management must also optimize the use of available resources, including data, application systems, technology, facilities, and people. To discharge these responsibilities, as well as to achieve its objectives, management must establish an adequate system of internal control. Thus, an internal control system or framework must be in place to support the business processes, and it must be clear how each individual control activity satisfies the information requirements and impacts the resources. Impact on IT resources is highlighted in the CobiT framework, together with the business requirements for effectiveness, efficiency, confidentiality, integrity, availability, compliance, and reliability of information that need to be satisfied. Control, which includes policies, organizational structures, practices, and procedures, is management's responsibility. Management, through its corporate and IT governance, must ensure that due diligence is exercised by all individuals involved in the management, use, design, development, maintenance, or operation of information systems.

Business orientation is the main theme of CobiT. It is designed not only to be employed by users and auditors, but also, and more importantly, as a comprehensive checklist for business process owners. Increasingly, business practice involves the full empowerment of business process owners so they have total responsibility for all aspects of the business process. In particular, this includes providing adequate controls. The CobiT framework provides a tool for the business process owner that facilitates the discharge of this responsibility. The framework starts from a simple and pragmatic premise: in order to provide the information that the organization needs to achieve its objectives, IT resources need to be managed by a set of naturally grouped processes.

CobiT continues with a set of 34 high-level control objectives, one for each of the IT processes, grouped into four domains: Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate.

Plan and Organize – This domain covers strategy and tactics and concerns the identification of the way IT can best contribute to the achievement of business objectives.

1. Define a strategic IT plan
2. Define the information architecture
3. Determine the technological direction
4. Define the IT organization and relationships
5. Manage the IT investment
6. Communicate management aims and direction
7. Manage human resources
8. Ensure compliance with external requirements
9. Assess risks
10. Manage projects
11. Manage quality

Acquire and Implement – To realize the IT strategy, IT solutions need to be identified, developed or acquired, as well as implemented and integrated into the business process. In addition, changes in and maintenance of existing systems are covered by this domain to make sure that the life cycle is continued for these systems.

12. Identify automated solutions
13. Acquire and maintain application software
14. Acquire and maintain technology architecture
15. Develop and maintain IT procedures
16. Install and accredit systems
17. Manage changes

Deliver and Support – This domain is concerned with the actual delivery of required services, which range from traditional operations over security and continuity aspects to training. This domain includes the actual processing of data by application systems.

18. Define and manage service levels
19. Manage third-party services
20. Manage performance and capacity
21. Ensure continuous service
22. Ensure systems security
23. Identify and allocate costs
24. Educate and train users
25. Assist and advise IT customers
26. Manage the configuration
27. Manage problems and incidents
28. Manage data
29. Manage facilities
30. Manage operations

Monitor and Evaluate – All IT processes need to be assessed regularly over time for their quality and compliance with control requirements. This domain thus addresses management's oversight of the organization's control process and independent assurance provided by internal and external auditing or obtained from alternative sources.

31. Monitor the processes
32. Assess internal control adequacy
33. Obtain independent assurance
34. Provide for independent audit

This structure covers all aspects of information and the technology that supports it. By addressing these 34 high-level control objectives, the business process owner can ensure that an adequate control system is provided for the IT environment.

CobiT is comprised of:

• An executive summary, which provides an overview of CobiT's issues and foundational premise
• CobiT framework, which describes in detail the high-level IT control objectives and identifies the business requirements for information and IT resources primarily impacted by each control objective
• Control objectives, statements of the desired results or purposes to be achieved by implementing the specific detailed control objectives
• Audit guidelines, suggested audit steps corresponding to each of the IT control objectives
• An implementation tool set, which provides lessons learned from those organizations that successfully applied CobiT in their work environments, and several tools to help management assess their control environment related to information and IT resources
• Management guidelines, which are composed of maturity models to help determine the stages and expectation levels of control, critical success factors to identify the most important actions for achieving control over the IT processes, key goal indicators to define target levels of performance, and key performance indicators to measure whether an IT control process is meeting its objective

Designated by the IT Governance Institute (ITGI) and ISACA as an open standard, this portion of COBIT may be downloaded from http://www.itgi.org and http://www.isaca.org.

CobiT, now in its third edition and available in hard copy or interactive online format (CobiT Online), increasingly is accepted internationally as good practice for control over information, IT, and related risks. Its guidance enables an enterprise to implement effective governance over the IT that is pervasive and intrinsic throughout the enterprise.

Copyright © 2000 by ITGI and reprinted with the permission of the ITGI. No other right or permission is granted with respect to this work.

GTAG – Appendix G – Example IT Control Metrics to Be Considered by Audit Committees – 18

The following metrics descriptions are taken from the Corporate Information Security Working Group (CISWG) draft report of the Best Practices and Metrics teams, November 17, 2004. During Phase I of the CISWG, convened in November 2003 by Rep. Adam Putnam (R-FL), the Best Practices team surveyed available information security guidance. It concluded in its March 2004 report [7] that much of this guidance is expressed at a relatively high level of abstraction and therefore is not useful immediately as actionable guidance without significant and often costly elaboration. A one-page listing of Information Security Program Elements regarded as essential content for comprehensive enterprise management of information security was created, upon which it was hoped future actionable guidance could be built for use by a wide variety of organizations.

The Best Practices and Metrics teams of CISWG Phase II, convened in June 2004, were charged with expanding on the work of Phase I by refining the Information Security Program Elements and developing metrics to support each of the elements. The goal was to develop a resource that would help board members, managers, and technical staff establish a comprehensive structure of principles, policies, processes, controls, and performance metrics to support the people, process, and technology aspects of information security.

These generic metrics can be used as the basis for determining regular reporting requirements for the audit committee, although they are not meant to be a "one-size-fits-all" solution. The full set of draft metrics, along with explanatory notes and descriptions, can be found under the "Technology" section of http://www.theiia.org.

The Information Security Program Elements and Supporting Metrics are intended to enable boards, management, and technical staff to monitor the status and progress of their organization's information security program over time. Each organization should thoughtfully consider which program elements and metrics might be helpful in its own circumstances. It should then set its own implementation priorities and establish an appropriate policy, process, and control structure. Larger and more complex organizations will create policies, processes, and controls in each program element that inevitably will be more extensive than those a smaller organization might choose to implement.

18.1 Metrics for Boards of Directors/Trustees

Establishing a competent information security program requires board members to devote attention to certain program elements. Board members can use the following metrics as part of their information security responsibilities. Board members generally should find the best target value for each metric, higher or lower, to be self-evident.

• Oversee risk management and compliance programs pertaining to information security
  – Percentage of key information assets for which a comprehensive strategy has been implemented to mitigate information security risks as necessary and to maintain these risks within acceptable thresholds
  – Percentage of key organizational functions for which a comprehensive strategy has been implemented to mitigate information security risks as necessary and to maintain these risks within acceptable thresholds
  – Percentage of key external requirements for which the organization has been deemed to be in compliance by an objective audit or other means

• Approve and adopt broad information security program principles and approve assignment of key managers responsible for information security
  – Percentage of information security program principles for which approved policies and controls have been implemented by management
  – Percentage of key information security management roles for which responsibilities, accountabilities, and authority are assigned and required skills identified

• Strive to protect the interests of all stakeholders who depend on information security
  – Percentage of board meetings and/or designated committee meetings for which information security is on the agenda
  – Percentage of security incidents that caused damage, compromise, or loss beyond established thresholds to the organization's assets, functions, or stakeholders
  – Estimated damage or loss in dollars resulting from all security incidents in each of the past four reporting periods

• Review information security policies regarding strategic partners and other third parties
  – Percentage of strategic partner and other third-party relationships for which information security requirements have been implemented in agreements

• Strive to ensure business continuity
  – Percentage of organizational units with an established business-continuity plan

• Review provisions for internal and external audits of the information security program
  – Percentage of required internal and external audits completed and reviewed by the board
  – Percentage of audit findings that have not been resolved

• Collaborate with management to specify the information security metrics to be reported to the board

[7] http://reform.house.gov/TIPRC

18.2 Metrics for Management

The following program elements and metrics are intended to help management implement the information security goals and policies established by the board as part of an effective information security program.

• Establish information security management policies and controls, and monitor compliance
  – Percentage of information security program elements for which approved policies and controls are operational
  – Percentage of staff assigned responsibilities for information security policies and controls who have acknowledged accountability for their responsibilities in connection with those policies and controls
  – Percentage of information security policy compliance reviews that noted violations
  – Percentage of business-unit heads and senior managers who have implemented operational procedures to ensure compliance with approved information security policies and controls

• Assign information security roles, responsibilities, and required skills, and enforce role-based information-access privileges
  – Percentage of new employees hired this reporting period who satisfactorily completed security-awareness training before being granted network access
  – Percentage of employees who have completed periodic security-awareness refresher training as required by policy
  – Percentage of position descriptions that define the information security roles, responsibilities, skills, and certifications for:
    + Security managers and administrators
    + IT personnel
    + General staff system users
  – Percentage of job performance reviews that evaluate information security responsibilities and policy compliance
  – Percentage of user roles, systems, and applications that comply with the separation-of-duties principle
  – Number of individuals with access to security software who are not trained and authorized security administrators
  – Number of individuals who are able to assign security privileges for systems and applications who are not trained and authorized security administrators
  – Percentage of users whose access privileges have been reviewed this reporting period, including:
    + Employees with high-level system and application privileges
    + All other employees
    + Contractors
    + Vendors
    + Terminated employees and contractors
  – Percentage of users who have undergone background checks

• Assess information risks, establish risk thresholds, and actively manage risk mitigation
  – Percentage of critical information assets and information-dependent functions for which some form of risk assessment has been performed and documented as required by policy
  – Percentage of critical assets and functions for which the cost of compromise (loss, damage, disclosure, or disruption of access) has been quantified
  – Percentage of identified risks that have a defined risk mitigation plan against which status is reported in accordance with policy

• Ensure implementation of information security requirements for strategic partners and other third parties
  – Percentage of known information security risks that are related to third-party relationships
  – Percentage of critical information assets or functions to which third-party personnel have been given access
  – Percentage of third-party personnel with current information access privileges who a designated authority has deemed to have continued need for access in accordance with policy
  – Percentage of systems with critical information assets or functions that are connected to third-party systems electronically
  – Percentage of security incidents that involve third-party personnel
  – Percentage of third-party agreements that include or demonstrate external verification of policies and procedures
  – Percentage of third-party relationships that have been reviewed for compliance with information security requirements
  – Percentage of out-of-compliance review findings that have been corrected since the last review

• Identify and classify information assets
  – Percentage of information assets that have been reviewed and classified by the designated owner in accordance with the classification scheme established by policy
  – Percentage of information assets with defined access privileges that have been assigned based on role and in accordance with policy
  – Date when the asset inventory was last updated

• Implement and test business-continuity plans
  – Percentage of organizational units with a documented business-continuity plan for which specific responsibilities have been assigned
  – Percentage of business-continuity plans that have been reviewed, exercised and tested, and updated in accordance with policy

• Approve information systems architecture during acquisition, development, operations, and maintenance
  – Percentage of information security risks related to systems architecture identified in the most recent risk assessment that have been mitigated adequately
  – Percentage of system architecture changes (additions, modifications, or deletions) that were reviewed for security impacts, approved by the appropriate authority, and documented via change-request forms
  – Percentage of critical information assets or functions residing on systems that are out of compliance with the approved systems architecture

• Protect the physical environment
  – Percentage of critical organizational information assets and functions that have been reviewed from the perspective of physical risks, such as controlling physical access and physical protection of backup media
  – Percentage of critical organizational information assets and functions exposed to physical risks for which risk mitigation actions have been implemented
  – Percentage of critical assets that have been reviewed from the perspective of environmental risks, such as temperature, fire, and flooding
  – Percentage of servers in locations with controlled physical access
  – Percentage of information security requirements of applicable laws and regulations that are included in the internal and external audit program and schedule
  – Percentage of information security audits conducted in compliance with the approved internal and external audit program and schedule
  – Percentage of management actions in response to audit findings and recommendations that were implemented as agreed upon regarding timeliness and completeness

• Collaborate with security personnel to specify the information security metrics to be reported to management


GTAG mdash Appendix H mdash CAE Checklist mdash 19

42

1 Identify the IT control environment of the organization including

a Values

b Philosophy

c Management style

d IT awareness

e Organisation

f Policies

g Standards

2 Identify relevant legislation and regulation impactingIT control such as

a Governance

b Reporting

c Data protection

d Compliance

3 Identify the roles and responsibilities for IT control inrelation to

a Board of directorsi Audit committeeii Risk committeeiii Governance committeeiv Finance committee

b Managementi CEOii CFO and controlleriii CIOiv CSO v CISOvi CLCvii CRO

c Auditi Internal Auditii External Audit

Action Questions

1. Do corporate policies and standards that describe the need for IT controls exist?

2. What legislation exists that impacts on the need for IT controls?

3. Has management taken steps to ensure compliance with this legislation?

4. Have all the relevant responsibilities for IT controls been allocated to individual roles?

5. Is the allocation of responsibilities compatible with the need to apply division of duties?

6. Are IT responsibilities documented?

7. Are IT control responsibilities communicated to the whole organization?

8. Do individual role holders clearly understand their responsibilities in relation to IT controls?

9. What evidence is there of individual role holders exercising their responsibilities?

10. Does internal auditing employ sufficient IT audit specialists to address the IT control issues?

CAEs can use this checklist to examine their IT control framework to ensure the organization has addressed all control elements. The checklist can help the CAE understand the issues and plan for full internal audit coverage of the control areas.


4. Identify the risk assessment process. Does it cover:

a. Risk appetite
b. Risk tolerances
c. Risk analysis
d. Matching risks to IT controls

5. Identify all monitoring processes, including:

a. Regulatory
b. Normal in-house
c. Other than internal auditing

6. Identify information and communication mechanisms:

a. Control information
b. Control failures

Action Questions

11. How is the risk appetite and tolerance of the organization determined?

12. Is the risk appetite and tolerance of the organization authorized at board level?

13. Is the risk appetite and tolerance clearly understood by all those with a responsibility for IT control?

14. Is a formal risk analysis process used by the organization?

15. Is the process understood by all those with responsibility for IT control?

16. Is the process used consistently throughout the organization?

17. What processes exist to monitor compliance with all relevant legislation plus internal policies and standards?

18. Are there monitoring processes carried out by management outside of internal audit?

19. What metrics are provided to the board of directors, its committees and management in relation to IT security?

20. What additional reports are provided to the board of directors and to management on a regular basis?

21. Is management always provided with reports when there are IT control failures?

22. Do the board of directors and its committees receive similar reports of IT control failures?

GTAG — Appendix I — References — 20


The following list of information security reference material is taken from a list compiled by the CISWG of the Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census, and the Government Reform Committee of the U.S. House of Representatives. The full list can be found at http://www.reform.house.gov/TIPRC or under the "Technology" section of http://www.theiia.org. The documents are classified into three sections relating to governance, management and technical issues.

20.1 Governance

Board Briefing on IT Governance, ITGI. http://www.itgi.org/Template_ITGI.cfm?Section=ITGI&CONTENTID=6658&TEMPLATE=/ContentManagement/ContentDisplay.cfm

Information Security Governance: Guidance for Boards of Directors and Executive Management, ITGI. http://www.itgi.org

Information Security Management and Assurance: Three-report series from The IIA, National Association of Corporate Directors (NACD), U.S. Critical Infrastructure Assurance Office et al. http://www.theiia.org/esac/index.cfm?fuseaction=or&page=rciap

Information Security Oversight: Essential Board Practices, NACD. http://www.nacdonline.org/publications/pubDetails.asp?pubID=138&user=6158BBEB9D7C4EE0B9E4B98B601E3716

IT Governance Implementation Guide, ISACA. http://www.isaca.org/Template.cfm?Section=Browse_By_Topic&Template=/Ecommerce/ProductDisplay.cfm&ProductID=503

Turnbull Report - Internal Control - Guidance for Directors on the Combined Code, Institute of Chartered Accountants in England & Wales. http://www.icaew.co.uk/index.cfm?AUB=TB2I_6242,MNXI_47896

20.2 Management

BS 7799 – Parts 1 & 2, Code of Practice for Information Security Management, British Standards Institution. http://www.bsi.org.uk

Common Sense Guide for Senior Managers, Internet Security Alliance. www.isalliance.org

Corporate Information Security Evaluation for CEOs, TechNet. http://www.technet.org/cybersecurity

Generally Accepted Information Security Principles (GAISP), Information Systems Security Association. Currently available: Generally Accepted Systems Security Principles (GASSP), consisting of Pervasive Principles and Broad Functional Principles; Detailed Principles are under development. http://www.issa.org/gaisp/gaisp.html

Generally Accepted Principles and Practices (GAPP), NIST SP 800-18, "Guide for Developing Security Plans for Information Technology Systems," December 1998 (Marianne Swanson & Barbara Guttman): eight generally accepted principles (see OECD) and "Common IT Security Practices." http://csrc.nist.gov/publications/nistpubs/index.html

ICC Handbook on Information Security Policy for Small to Medium Enterprises, International Chamber of Commerce (ICC). http://www.iccwbo.org/home/e_business/word_documents/SECURITY-final.pdf

IFAC International Guidelines on Information Technology Management – Managing Information Technology Planning for Business Impact, International Federation of Accountants. http://www.ifac.org

Information Security for Executives, Business and Industry Advisory Committee to the OECD and ICC. http://www.iccwbo.org/home/e_business/word_documents/SECURITY-final.pdf

ISO 17799 – Information Technology – Code of Practice for Information Security Management, International Organization for Standardization (ISO). http://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=33441&ICS1=35&ICS2=40&ICS3

OECD Guidelines for the Security of Information Systems and Networks: nine pervasive principles for information security upon which several other guides are based, OECD. http://www.oecd.org/document/42/0,2340,en_2649_33703_15582250_1_1_1_1,00.html

Standard of Good Practice for Information Security, Information Security Forum. http://www.isfsecuritystandard.com/index_ie.htm

Trust Services Criteria (including SysTrust and WebTrust), American Institute of Certified Public Accountants. http://www.aicpa.org/trustservices

20.3 Technical Issues

Consensus Benchmarks, Center for Internet Security. http://www.cisecurity.org

DISA Security Technical Implementation Guides. http://www.csrc.nist.gov/pcig/cig.html


ISO 15408, Common Criteria. http://www.csrc.nist.gov/cc/ccv20/ccv2list.htm

ISO TR 13335 – Guidelines for the Management of Information Security, Parts 1-5. http://www.iso.org/iso/en/StandardsQueryFormHandler.StandardsQueryFormHandler

IT Baseline Protection Manual (P BSI 7152 E 1), Bundesamt für Sicherheit in der Informationstechnik. http://www.bsi.bund.de/gshb/english/menue.htm

ITCG Information Technology Control Guidelines, Canadian Institute of Chartered Accountants (CICA). http://www.cica.ca

NIST Configuration Guides, National Institute of Standards and Technology (NIST). http://www.csrc.nist.gov/pcig/cig.html

NIST 800-12, The Computer Security Handbook, NIST. http://www.csrc.nist.gov/publications/nistpubs/index.html

NIST 800-30, Risk Management Guide for Information Technology Systems, NIST. http://www.csrc.nist.gov/publications/nistpubs/index.html

NSA Configuration Guides. http://www.nsa.gov/snac

SANS Step-by-Step Guides, SANS Institute. http://www.store.sans.org

20.4 Auditing IT

Control Objectives for Information and Related Technologies (CobiT), ISACA. http://www.isaca.org

Federal Information Systems Controls Audit Manual (FISCAM), U.S. Government Accountability Office. http://www.gao.gov

Information Technology Control Guidelines (ITCG), CICA. http://www.cica.ca

Systems Assurance and Control (SAC), IIA Research Foundation. http://www.theiia.org/eSAC

Systems Auditability and Control (SAC), IIA Research Foundation. http://www.theiia.org/eSAC


GTAG — Appendix J — Glossary — 21

A listing of technical terms used in the guide, with a simple plain-English definition.

Application Control – A control related to the specific functioning of an application system that supports a specific business process. Common applications include accounts payable, inventory management and general ledger. Integrated applications combine the functions of many business processes into integrated systems sharing common databases.

Assurance – The act of assuring; a declaration tending to inspire full confidence; that which is designed to give confidence.

CAE – Chief audit executive

CEO – Chief executive officer

CFO – Chief financial officer (and controller)

CIO – Chief information officer

CISO – Chief information security officer

CLC – Chief legal counsel

COSO – The Committee of Sponsoring Organizations of the Treadway Commission (the Commission on Fraudulent Financial Reporting). See http://www.coso.org

CRM – Customer resource management

CSO – Chief security officer

Cyber attack – A criminal act perpetrated by the use of computers and telecommunications capabilities, resulting in violence, destruction and/or disruption of services to create fear by causing confusion and uncertainty within a given population, with the goal of influencing a government or population to conform to a particular political, social or ideological agenda.

Effective – Getting a job done, with or without regard for efficiency. If the law requires you to do something, it probably does not require you to do it efficiently, as evidenced by Sarbanes-Oxley compliance and the frequent complaint that companies are spending huge sums with no apparent value added to the organization or stakeholders.

Efficient – To be efficient, a process or activity must also be effective. Information Technology Process Institute studies show that best-of-breed organizations enjoy considerable efficiencies by maintaining an effective set of control and monitoring practices and resolving the source of the problem rather than only responding to the symptoms.

Framework – A structure for organizing something (e.g., governance issues, controls) to highlight needs at the various levels of an organization as well as for its activities and processes. A control framework is an outline that identifies the need for controls but does not depict how they are applied. Each organization and organizational unit provides a level of detail related to its own control objectives and control practices.

General control – A control that applies generally to the IT environment or overall mix of systems, networks, data, people and processes (also known as IT infrastructure).

GLBA – U.S. Gramm-Leach-Bliley Act

Governance – The combination of processes and structures implemented by the board to inform, direct, manage and monitor the activities of the organization toward the achievement of its objectives.

GTAG – Global Technology Audit Guide

HIPAA – U.S. Health Information Portability and Accountability Act

Information asset – Information assets are based in the value of information to the worth and continued existence of the organization. A distinction is made between information assets and information resources because information resources are generally considered to include the related human resources, and human resources are not considered to be owned by the organization.

Information resource – Includes all elements of the organization involved in information processing (e.g., acquisition, processing, communication and storage), including the related hardware, software, processes and personnel.

Information security – The concepts, techniques, technical measures and administrative measures used to protect information assets from deliberate or inadvertent unauthorized acquisition, damage, disclosure, manipulation, modification, loss or use.

Information technology (IT) – All the computer hardware and software used to process information and provide communications, the processes for administering and maintaining the technology, and the human resources associated with the use of technology.

ISO 17799 – Code of Practice for Information Security Management. See http://www.iso.org

IT controls – Those controls that provide reasonable assurance of the secure, reliable and resilient performance of hardware, software, processes and personnel, as well as the reliability of the organization's information.

IT infrastructure – The overall IT environment, including systems, networks, data, people and processes. Infrastructures can also include the interaction of businesses and industries in mutual support through shared media and services such as the Internet, energy, financial services, utilities, government and transportation. To the extent that infrastructures support national and regional economies, defenses and business continuity, they are known as critical infrastructures.

ITPI – IT Process Institute. See http://www.itpi.org

Public Company Accounting Oversight Board (PCAOB) – A board of the U.S. Securities and Exchange Commission established by the Sarbanes-Oxley Act of 2002 as an oversight body for public financial reporting and auditing.

Risk appetite – Defined by COSO as "the degree of risk, on a broad-based level, that a company or other organization is willing to accept in pursuit of its goals. Management considers the organization's risk appetite first in evaluating strategic alternatives, then in setting objectives aligned with the selected strategy and in developing mechanisms to manage the related risks."

Risk management – The ongoing identification, measurement and mitigation of risk through the demonstrably cost-efficient implementation and administration of control over the known and knowable risks of threat events that can adversely affect the confidentiality, integrity or availability of an organization's information assets.

Risk tolerance – Defined by COSO as "the acceptable level of variation relative to the achievement of objectives. In setting specific risk tolerances, management considers the relative importance of the related objectives and aligns risk tolerances with its risk appetite."


GTAG — Appendix K — About the Global Technology Audit Guides — 22


This IT controls guide is the first in a series of GTAGs, which will give CAEs and internal auditors a source of information for educating and informing themselves and others within the organization who have responsibilities related to IT control.

The GTAGs will provide guidance on a variety of IT topics. Each guide will describe the underlying technology, facts and issues sufficiently to explain business opportunities, risks and related controls and their impacts on the overall system of internal controls. Subjects to be addressed in the GTAG series will be determined by current and emerging technology areas and their potential ramifications for internal controls and assurance. Planned topics for guides include intrusion protection, security management, change management, wireless security, identity management and authentication.

22.1 Parties to the GTAG Program

Each GTAG guide is developed through interaction with technical audit and security experts, audit executives, technology vendors, and the associations and individuals that represent board members, chief executives, financial executives, information technology professionals and security executives. Involvement from The IIA's international affiliates and partners supports the global perspective of the guides. Other professionals representing specialized views, such as legal, insurance, regulatory and standards, will be included as appropriate within individual GTAG projects.

The IIA is joined in this GTAG project by a specially selected team of professional associations, academic institutions and practitioners in both auditing and technology. The IIA is grateful for the support provided by this team, as the guide would not have been possible without them. For The IIA to provide meaningful guidance to auditors about how to relate to audit customers, it is essential to gain agreement with the key representatives of those customers. To speak to a global audience, the guide needs consensus from a broad group representing many of the countries where internal auditors operate. So we thank both the individuals and the organizations who contributed so much to this guide.

23.1 IT Controls Advisory Council

The Advisory Council is made up of individuals who contributed to the development of this guide from the outset of planning the GTAG project, through design and development of the IT Controls Guide outline and various drafts, to the completion of the final product. These individuals went beyond the role of a volunteer support team to truly act in a leadership role.

Julia H. Allen, CMU/SEI Carnegie-Mellon University/Software Engineering Institute
Michael R. Dickson, Business Technology Group LLC
Clint Kreitner, President/CEO, CIS The Center for Internet Security
Alex Lajoux, NACD National Association of Corporate Directors
Will Ozier, Vice Chair, the ISSA GAIS Committee; CEO & President, OPA Inc., The Integrated Risk Management Group, USA
Mark Salamasick, CIA, University of Texas at Dallas
Karyn Waller, AICPA American Institute of Certified Public Accountants

23.2 Partner Organizations

AICPA – Michael R. Dickson, Karyn Waller, American Institute of Certified Public Accountants
CIS – Clint Kreitner, Center for Internet Security
CMU/SEI – Julia Allen, Bob Rosenstein, Carnegie-Mellon University/Software Engineering Institute
ISSA – Dave Cullinane, President; Bob Daniels, Exec. Vice President, Information Systems Security Association
NACD – Peter Gleason, Alex Lajoux, National Association of Corporate Directors
SANS Institute – Alan Paller, Director of Research; Stephen Northcutt, COO

23.3 Project Review Team

Peter Allor, ISS Internet Security Systems
Jack Antonelli, ADP
Ken D. Askelson, CIA, JC Penney Co. Inc.
Becky Bace, Infidel Inc.
Kevin Behr, IPSI Institute for Integrated Publication and Information Systems
Jeff Benson, BearingPoint
Robert S. Block, Chairman, 3D Business Tools, USA
Sylvia Boyd, The IIA
Alexandra Branisteanu, Information Security Officer, Scripps Health, San Diego, USA
Larry Brown, Options Clearing Corp.
Stephanie Bryant, University of South Florida
Phil Campbell, Specialized IT LLC, USA
John Carlson, BITS Banking Industry Technology Secretariat
Chris Compton, Intrusion Labs
Guy Copeland, CSC Computer Sciences Corp.
Rich Crawford, Vice President/Senior Security Advisor, Janus Risk Management, USA
Bob Daniels, EDS
Bob Dix, U.S. House of Representatives


GTAG — Appendix L — GTAG Partners and Global Project Team — 23


Jerry E. Durant, CIA, President, Certifiable Technologies Ltd., Orlando, Fla., USA
Emily Frye, Critical Infrastructure Protections Program, George Mason University School of Law, USA
Greg Garcia, ITAA Information Technology Association of America
Russ Gates, Dupage Consulting LLC
Lou Giles, Chevron Phillips Chemical Co.
Doug Guerrero, EDS
Kai Tamara Hare, Nuserve
Michael S. Hines, CIA, Purdue University
Bob Hirth, Protiviti
Don Holden, CISSP, Concordant Inc., USA
Dave Kern, Ethentica
Gene Kim, CTO, Tripwire Inc., USA
Jim Kolouch, BearingPoint
David Kowal, VP, JP Morgan Chase
Paul Kurtz, CSIA Cyber Security Industry Alliance
Cindy LeRouge, PhD, Decision Sciences/MIS Department, John Cook School of Business, St. Louis University, USA
Andrée Lavigne, CICA Canadian Institute of Chartered Accountants
Debbie Lew, Guidance Software
Brenda Lovell, CIA, CCSA, CGAP, The IIA
Warren Malmquist, Adolph Coors Co.
Stacy Mantzaris, CIA, IIA
Dennis Miller, Heritage Bank
Patrick Morrissey, Auditwire
Bruce Moulton, Symantec
Paul Moxey, ACCA Association of Chartered Certified Accountants
Roseane Paligo, CIA, Chief Financial Officer, 1st Choice Community Federal Credit Union, USA
Fred Palmer, Palmer Associates
Xenia Parker, CIA, CFSA, VP, Enterprise Technology Group, Marsh Inc.
Bernie Plagman, TechPar Group
Heriot Prentice, MIIA, FIIA, QiCA, The IIA
Dick Price, Beacon IT Ltd., BS 7799 Consultancy, USA
Michael Quint, Corporate Compliance Officer, EDS Corporate Audit, USA
Sridhar Ramamoorti, CIA, CFSA, Ernst & Young LLP, Chicago, IL, USA
Amy Ray, Bentley College
Martin Ross, GSC Global Security Consortium
Chip Schilb, EDS, USA
Howard Schmidt, eBay
Mark Silver, Symantec
George Spafford, President, Spafford Global Consulting, Saint Joseph, IL, USA
Adam Stone, Assurant
Jay H. Stott, CIA, Fidelity Investments
Dan Swanson, CIA, IIA
Jay R. Taylor, CIA, CISA, CFE, General Motors Corporation
Bill Tener, University & Community College System of Nevada
Archie Thomas
Fred Tompkins, BearingPoint
Don Warren, Rutgers University
Dominique Vincenti, CIA, The IIA
Mark Winn, Intrusec
Amit Yoran

23.4 IIA International Affiliates

Frank Alvern, CIA, CCSA, Nordea Bank, Norway
Alexandre Alves Apparecido, Brazil
Dror Aviv, Israel
David F. Bentley, England, UK and Ireland
Gerardo Carstens, CIA, IIA Argentina
Richard Cascarino, South Africa
Iftikhar Chaudry, Pakistan
Hisham T. El Gindy, Manager, KPMG Hazem Hassan, Egypt
Dr. Ulrich Hahn, CIA, Switzerland
Rossana S. Javier, Makati City, Philippines
Andras Kovacks, Hungary
Christopher McRostie, Australia
Furqan Ahmad Saleem, Partner, Avais Hyder Nauman Rizwani, RSM Pakistan
Kyoko Shimizu, CIA, Japan
John Silltow, Security Control and Audit Ltd., United Kingdom
Ken Siong, International Federation of Accountants
Anton van Wyk, PwC, South Africa
Nick Wolanin, Adjunct Senior Lecturer, Australian Graduate
Julie Young, Australia

23.5 Other International

Carolee Birchall, Vice President and Senior Risk Officer, Bank of Montreal, Canada
P. J. Corum, Quality Assurance Institute Middle East and Africa, United Arab Emirates
Ariel Peled, President, ISSA Israeli Chapter
P. Shreekanth, India
Karen Woo, Selangor, Malaysia

23.6 IIA International Advanced Technology Committee

Anton van Wyk (Chairman), CIA, PricewaterhouseCoopers, South Africa
Alexandre Alves Apparecido, Brasil Telecom, Brazil
Ken D. Askelson, CIA, JC Penney Co. Inc., USA
Dror Aviv, CFSA, IIA Israel
Donald L. Bailey, Grant Thornton LLP, USA
E.W. Sean Ballington, PricewaterhouseCoopers LLP, USA (originally South Africa)
Norman F. Barber, Microsoft Corp., USA
David F. Bentley, QiCA, Consultant, England
Claude Cargou, GIE AXA, France
Michael P. Fabrizius, CIA, Bon Secours Health System Inc., USA
Ramiz Tofigi Ganizade, Azerbaijan Republic Chamber of Auditors, Azerbaijan
Douglas Guerrero, EDS Corp., USA
Dr. Ulrich Hahn, CIA, Syngenta International, Switzerland
David J. Hill, IBM Corp., USA
Michael S. Hines, CIA, Purdue University, USA
Mark J. Hornung, Ernst & Young LLP, USA
Gene Kim, CTO, Tripwire Inc., USA
David S. Lione, KPMG LLP Southeast Region, USA
Peter B. Millar, ACL Services Ltd., Canada
Allan M. Newstadt, CIA, World Bank/International Finance Corp., USA
Brenda J. S. Putman, CIA, City Utilities of Springfield, USA


Kyoko Shimizu, CIA, Shin Nihon & Co., Japan
Brian M. Spindel, CIA, SecurePipe Inc., USA
Rajendra P. Srivastava, University of Kansas, USA
Jay Stott, CIA, Fidelity Investments, USA
Jay R. Taylor, CIA, CISA, CFE, General Motors Corp., USA
Thomas Jason Wood, CIA, Ernst & Young LLP, USA
Akitomo Yamamoto, IIA Japan

23.7 The Writing Team

David A. Richards, CIA, President, The IIA
Alan S. Oliphant, MIIA, QiCA, MAIR International
Charles H. Le Grand, CIA, CHL Global

23.8 IIA Headquarters Staff Production Team

Michael Feland
Trish Harris
Tim McCollum

Information Technology Controls

This guide focuses on how IT roles and responsibilities are dispersed throughout the organization, how accurate assessment of IT controls is achieved, and how an organization can promote IT reliability and efficiency.

What is GTAG?

Prepared by The Institute of Internal Auditors, each Global Technology Audit Guide (GTAG) is written in straightforward business language to address a timely issue related to information technology management, control or security. GTAG is a ready resource series for chief audit executives to use in the education of members of the board and audit committee, management, process owners and others regarding technology-associated risks and recommended practices.

Business Continuity Management

This GTAG focuses on how business continuity management (BCM) is designed to enable business leaders to manage the level of risk the organization could potentially encounter if a natural or man-made disruptive event that affects the extended operability of the organization were to occur. The guide includes disaster recovery planning for continuity of critical information technology infrastructure and business application systems.

Chief audit executives (CAEs) have been challenged to educate corporate executives on the risks, controls, costs and benefits of adopting a BCM program. Although it is true that recent disasters around the world have motivated some corporate leaders to give attention to BCM programs, the implementation of such programs is far from universal. The key challenge is engaging corporate executives to make BCM a priority. Although most executives are likely to agree that BCM is a good idea, many will struggle to find the budget necessary to fund the program as well as an executive sponsor that has the time to ensure its success. Business Continuity Management will help the CAE communicate business continuity risk awareness and support management in its development and maintenance of a BCM program.

Visit www.theiia.org/guidance/technology/gtag/gtag10 to rate this GTAG or submit your comments.

Order Number 100645. IIA Member US $25; Nonmember US $30; IIA Event US $22.50

www.theiia.org

ISBN 0-89413-570-8 / ISBN 978-0-89413-623-8


IT is an integral part of all processes that enable businesses and governments to accomplish their missions and objectives. IT facilitates local and global communications and fosters international business cooperation. IT controls have two significant components: automation of business controls and control of IT. They support business management and governance, and they provide general and technical controls over the policies, processes, systems and people that comprise IT infrastructures.

IT controls do not exist in isolation. They form an interdependent continuum of protection, but they also may be subject to compromise due to a "weak link." They are subject to error and management override, may range from simple to highly technical, and may exist in a dynamic environment. IT controls support the concept of "defense in depth," so a single weakness does not always result in a single point of failure.

Controls exist to protect stakeholder interests:

• The owner's equity
• Customer concerns such as privacy and identity
• Employees' jobs and abilities to prove they did the right thing
• Management's comfort with the assurance provided by automated processes

IT control assurance addresses the ability of controls to protect the organization against the most important threats and provides evidence that remaining risks are unlikely to harm the organization and its stakeholders significantly. These controls also are essential for assuring the reliability of financial processes and reporting.


GTAG — Introduction — 3

They are all connected

When a security administrator selects the settings in a firewall configuration file (a technical task requiring specific skills and knowledge), he or she implements a policy (which may or may not be documented elsewhere) that, when deployed, determines the messages that will or will not be allowed into or out of the communications network and establishes the "ports" through which they may travel. Your organization gets an element of protection from its firewalls that is vital to the protection of information and the infrastructures where that information is collected, processed, stored and communicated.

When CAEs review and assess the controls over IT, they should ask:

• What do we mean by IT controls?
• Why do we need IT controls?
• Who is responsible for IT controls?
• When is it appropriate to apply IT controls?
• Where exactly are IT controls applied?
• How do we perform IT control assessments?

The audit process provides a formal structure for addressing IT controls within the overall system of internal controls. Figure 1, The Structure of IT Auditing, below divides the assessment into a logical series of steps.

The internal auditor's role in IT controls begins with a sound conceptual understanding and culminates in providing the results of risk and control assessments. Internal auditors interact with the people responsible for controls and must pursue continuous learning and reassessment as new technologies emerge and the organization's opportunities, uses, dependencies, strategies, risks and requirements change.

GTAG — Assessing IT Controls — An Overview — 4


"I keep six honest serving-men
(They taught me all I knew);
Their names are What and Why and When
and How and Where and Who."

— Rudyard Kipling, from "Elephant's Child," in Just So Stories

Figure 1 - The Structure of IT Auditing


COSO¹ defines internal control as "A process, effected by an organization's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations."

IT controls encompass those processes that provide assurance for information and information services and help mitigate the risks associated with an organization's use of technology. These controls range from written corporate policies to their implementation within coded instructions; from physical access protection to the ability to trace actions and transactions to the individuals who are responsible for them; and from automatic edits to reasonability analysis for large bodies of data.

5.1 Control Classifications

Controls may be classified to help understand their purposes and where they fit into the overall system of internal controls (see Figure 3, Some Control Classifications, page 4). By understanding these classifications, the control analyst and auditor are better able to establish their positions in the control framework and answer key questions such as: Are the detective controls adequate to identify errors that may get past the preventive controls? Are corrective controls sufficient to fix the errors once detected? A common classification of IT controls is general versus application.

General controls (also known as infrastructure controls) apply to all systems components, processes and data for a given organization or systems environment. General controls include, but are not limited to, information security policy, administration, access and authentication, separation of key IT functions, management of systems acquisition and implementation, change management, backup, recovery and business continuity.

Application controls pertain to the scope of individual business processes or application systems. They include such controls as data edits, separation of business functions (e.g., transaction initiation versus authorization), balancing of processing totals, transaction logging and error reporting. The function of a control is highly relevant to the assessment of its design and effectiveness. Controls may be classified as preventive, detective or corrective.

Preventive controls prevent errors, omissions or security incidents from occurring. Examples include simple data-entry edits that block alphabetic characters from being entered into numeric fields, access controls that protect sensitive data or system resources from unauthorized people, and complex and dynamic technical controls such as antivirus software, firewalls and intrusion prevention systems.

GTAG — Understanding IT Controls — 5

¹ COSO – Committee of Sponsoring Organizations for the Commission on Fraudulent Financial Reporting (The Committee of Sponsoring Organizations of the Treadway Commission). See www.coso.org

It is not necessary to know "everything" about IT controls

Do not be concerned if you do not understand the full continuum or all the technical intricacies of IT controls. Many of these controls are the domain of specialists who manage specific risks associated with individual components of the systems and network infrastructure. In keeping with good separation of duties practices, some people who have specialized knowledge in a technology such as database management may know little about network components or communication protocols, and vice versa.

There are two key control concepts to remember:

1. Assurance must be provided by the IT controls within the whole system of internal control, and must be continuous and produce a reliable and continuous trail of evidence.

2. The auditor's assurance is an independent and objective assessment of the first assurance. It is based on understanding, examining and assessing the key controls related to the risks the auditors manage, as well as performing sufficient tests to ensure the controls are designed appropriately and function effectively.

Figure 2

Detective controls detect errors or incidents that elude preventive controls. For example, a detective control may identify account numbers of inactive accounts or accounts that have been flagged for monitoring of suspicious activities. Detective controls can also include monitoring and analysis to uncover activities or events that exceed authorized limits or violate known patterns in data that may indicate improper manipulation. For sensitive electronic communications, detective controls can indicate that a message has been corrupted or that the sender's secure identification cannot be authenticated.

Corrective controls correct errors, omissions, or incidents once they have been detected. They vary from simple correction of data-entry errors, to identifying and removing unauthorized users or software from systems or networks, to recovery from incidents, disruptions, or disasters.

Generally, it is most efficient to prevent errors or detect them as close as possible to their source to simplify correction. These corrective processes also should be subject to preventive and detective controls, because they represent another opportunity for errors, omissions, or falsification.
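The distinction drawn above for electronic communications, detecting that a message was corrupted versus detecting that its sender cannot be authenticated, is worth seeing in working code. The following Python is an added example, not part of the GTAG: it compares an unkeyed digest (SHA-256) with a keyed message authentication code (HMAC-SHA-256) over a payment instruction. The shared key, the message, and the attacker's rewrite are all constructed for the demonstration.

```python
"""Integrity versus authenticity as detective controls on a message.

Added example, not part of the GTAG. The shared key, the payment instruction
and the attacker's rewrite are constructed for illustration.
"""
import hashlib
import hmac

# Constructed shared secret. Sender and receiver would obtain this from a
# key-management process in practice, never from source code.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"


def protect_with_hash(message: bytes) -> bytes:
    """Unkeyed digest: detects accidental corruption, nothing more."""
    return hashlib.sha256(message).digest()


def protect_with_mac(message: bytes, key: bytes) -> bytes:
    """Keyed digest (HMAC-SHA-256): detects corruption and binds the
    message to whoever holds the key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def hash_check(message: bytes, digest: bytes) -> bool:
    """Detective control 1: does the received message match its digest?"""
    return hmac.compare_digest(protect_with_hash(message), digest)


def mac_check(message: bytes, tag: bytes, key: bytes) -> bool:
    """Detective control 2: does the tag verify under the shared key?
    compare_digest keeps the comparison constant-time."""
    return hmac.compare_digest(protect_with_mac(message, key), tag)


def scenario() -> dict:
    """Receive one clean, one corrupted and one forged copy of a payment
    instruction and record what each control detects."""
    original = b"PAY 1000.00 to ACCT 12345 ref INV-778"
    digest = protect_with_hash(original)
    tag = protect_with_mac(original, SHARED_KEY)

    # Case 1: a single bit flips in transit (accidental corruption).
    damaged = bytearray(original)
    damaged[4] ^= 0x01            # '1' becomes '0' in the amount
    corrupted = bytes(damaged)

    # Case 2: an intermediary rewrites the amount. It can recompute the
    # unkeyed digest, but without SHARED_KEY it can only replay the old tag.
    forged = b"PAY 9000.00 to ACCT 12345 ref INV-778"
    forged_digest = protect_with_hash(forged)
    forged_tag = tag

    return {
        "clean_hash_ok": hash_check(original, digest),
        "clean_mac_ok": mac_check(original, tag, SHARED_KEY),
        "corruption_caught_by_hash": not hash_check(corrupted, digest),
        "corruption_caught_by_mac": not mac_check(corrupted, tag, SHARED_KEY),
        "forgery_caught_by_hash": not hash_check(forged, forged_digest),
        "forgery_caught_by_mac": not mac_check(forged, forged_tag, SHARED_KEY),
    }


if __name__ == "__main__":
    for control, detected in scenario().items():
        print(f"{control:28s} {detected}")
```

The unkeyed digest catches the flipped bit but not the rewritten amount, because anyone able to alter the message can recompute the digest. The HMAC catches both, since the forger cannot produce a valid tag without the key. Note that it reports a single failure rather than telling corruption and forgery apart, and that the comparison uses compare_digest so the check itself does not leak timing information.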

Many other control classifications described in this guide may be useful in assessing their effectiveness. For example, automated controls tend to be more reliable than manual controls, and nondiscretionary controls are more likely to be applied consistently than discretionary controls. Other control classifications include mandatory, voluntary, complementary, compensating, redundant, continuous, on-demand, and event-driven.

5.2 Governance, Management, Technical

Another common classification of controls is by the group responsible for ensuring they are implemented and maintained properly. For the purpose of assessing roles and responsibilities, this guide primarily categorizes IT controls as governance, management, and technical. Information security program elements for these three categories are described in Appendix A (page 25). The first two levels, governance and management, are the most applicable to the scope of this guide, although it may also be useful to understand how higher-level controls specifically are established within the technical IT infrastructures. Technical controls will be the subject of more topic-specific GTAGs.

5.2.1 Governance Controls

The primary responsibility for internal control resides with the board of directors in its role as keeper of the governance framework. IT control at the governance level involves ensuring that effective information management and security principles, policies, and processes are in place, and that performance and compliance metrics demonstrate ongoing support for that framework.

Governance controls are those mandated by, and controlled by, either the entire board of directors or a board committee, in conjunction with the organization's executive management. These controls are linked with the concepts of corporate governance, which are driven both by organizational goals and strategies and by outside bodies such as regulators.

An important distinction between governance and management controls is the concept of "noses in, fingers out." The board's responsibility involves oversight rather than actually performing control activities. For example, the audit committee of the board does no auditing, but it does oversee both the internal and external auditing of the organization.

5.2.2 Management Controls

Management responsibility for internal controls typically involves reaching into all areas of the organization, with special attention to critical assets, sensitive information, and operational functions. Consequently, close collaboration among board members and executive managers is essential. Management must make sure the IT controls needed to achieve the organization's established objectives are applied and ensure reliable and continuous processing. These controls are deployed as a result of deliberate actions by management to:

• Recognize risks to the organization, its processes, and assets.

• Enact mechanisms and processes to mitigate and manage risks (protect, monitor, and measure results).

5.2.3 Technical Controls

Technical controls form the foundation that ensures the reliability of virtually every other control in the organization. For example, by protecting against unauthorized access and intrusion, they provide the basis for reliance on the integrity of information, including evidence of all changes and their authenticity. These controls are specific to the technologies in use within the organization's IT infrastructures. The ability to automate technical controls that implement and demonstrate compliance with management's intended information-based policies is a powerful resource to the organization.

Figure 3 – Some Control Classifications

5.3 IT Controls – What to Expect

Individual control mechanisms a CAE can expect to find within the organization can be defined within the hierarchy of IT controls, from the overall high-level policy statements issued by management and endorsed by the board of directors, down to the specific control mechanisms incorporated into application systems.

The hierarchy in Figure 4, IT Controls (this page), represents a logical "top-down" approach, both when considering controls to implement and when determining areas on which to focus audit resources during reviews of the entire IT operating environment. The different elements of the hierarchy are not mutually exclusive; they are all connected and can intermingle. Many of the control types within the elements are described below.

5.3.1 Policies

All organizations need to define their aims and objectives through strategic plans and policy statements. Without clear statements of policy and standards for direction, organizations can become disoriented and perform ineffectively. Organizations with clearly defined aims and objectives tend to be successful.

Because technology is vital to the operations of most organizations, clear policy statements regarding all aspects of IT should be devised and approved by management, endorsed by the board of directors, and communicated to all staff. Many different policy statements can be required, depending on the organization's size and the extent to which it deploys IT. For smaller organizations, a single policy statement may be sufficient, provided it covers all the relevant areas. Larger organizations that implement IT extensively will require more detailed and specific policies.

IT policy statements include, but are not restricted to:

• A general policy on the level of security and privacy throughout the organization. This policy should be consistent with all relevant national and international legislation and should specify the level of control and security required, depending on the sensitivity of the system and data processed.

• A statement on the classification of information and the rights of access at each level. The policy should also define any limitations on the use of this information by those approved for access.

• A definition of the concepts of data and systems ownership, as well as the authority necessary to originate, modify, or delete information. Without these guidelines, it is often difficult to coordinate change within large organizations, because there may not be anyone designated to have overall responsibility for the data or systems.

• A general policy that defines the extent to which users can deploy intelligent workstations to create their own applications.

• Personnel policies that define and enforce conditions for staff in sensitive areas. This includes the positive vetting of new staff prior to joining the organization, carrying out annual credit checks, and having employees sign agreements accepting responsibility for the required levels of control, security, and confidentiality. This policy would also detail related disciplinary procedures.

• Definitions of overall business continuity planning requirements. These policies should ensure that all aspects of the business are considered in the event of a disruption or disaster, not just the IT elements.

Figure 4 – IT Controls

The Center for Internet Security (www.cisecurity.org) reports that applying controls consistently over system and network component configuration will protect the organization from more than 85 percent of the top vulnerabilities identified by the U.S. National Institute of Standards and Technology (NIST), Federal Bureau of Investigation (FBI), SANS Institute, and Computer Security Institute (CSI).

A good source of IT and security policies is the SANS Security Policy Resource page (http://www.sans.org/resources/policies/#intro), a consensus research project of the SANS Institute community. The project offers free resources for rapid development and implementation of information security policies, including policy templates for 24 important security requirements. Although the templates were compiled to help the people attending SANS training programs, SANS makes them available to the world because Internet security depends on vigilance by all participants.

5.3.2 Standards

Standards exist to support the requirements of policies. They are intended to define ways of working that achieve the required objectives of the organization. Adopting and enforcing standards also promotes efficiency, because staff are not required to reinvent the wheel every time a new business application is built or a new network is installed. Standards also enable the organization to maintain the whole IT operating environment more efficiently.

Large organizations with significant resources are in a position to devise their own standards. On the other hand, smaller organizations rarely have sufficient resources for this exercise. There are many sources of information on standards and best practice, some of which are listed in Appendix I (see page 45).

As a guideline, the CAE should expect to see standards adopted for:

• Systems Development Processes – When organizations develop their own applications, standards apply to the processes for designing, developing, testing, implementing, and maintaining systems and programs. If organizations outsource application development or acquire systems from vendors, the CAE should ascertain that agreements require the providers to apply standards consistent with the organization's standards or acceptable to the organization.

• Systems Software Configuration – Because systems software provides a large element of control in the IT environment, standards related to secure system configurations, such as the CIS Benchmarks from the Center for Internet Security, are beginning to gain wide acceptance by leading organizations and technology providers. The way products such as operating systems, networking software, and database management systems are configured can either enhance security or create weaknesses that can be exploited.

• Application Controls – All applications which support business activities need to be controlled. Standards are necessary for all applications the organization develops or purchases that define the types of controls that must be present across the whole range of business activities, as well as the specific controls that should apply to sensitive processes and information.

• Data Structures – Having consistent data definitions across the full range of applications ensures disparate systems can access data seamlessly and security controls for private and other sensitive data can be applied uniformly.

• Documentation – Standards should specify the minimum level of documentation required for each application system or IT installation, as well as for different classes of applications, processes, and processing centers.

As with policies, standards should be approved by management, should be written in clear and understandable language, and should be made available to all who implement them.

5.3.3 Organization and Management

Organization and management plays a major role in the whole system of IT control, as it does with every aspect of an organization's operations. An appropriate organization structure allows lines of reporting and responsibility to be defined and effective control systems to be implemented.

5.3.3.1 Separation of Duties

Separation of duties is a vital element of many controls. An organization's structure should not allow responsibility for all aspects of processing data to rest upon one individual or department. The functions of initiating, authorizing, inputting, processing, and checking data should be separated to ensure no individual can both create an error, omission, or other irregularity and authorize it and/or obscure the evidence. Separation-of-duties controls for application systems are provided by granting access privileges only in accordance with job requirements for processing functions and accessing sensitive information.

Traditional separation of duties within the IT environment is divided between systems development and operations. Operations should be responsible for running production systems (except for change deployment) and should have little or no contact with the development process. This control includes restrictions preventing operators from accessing or modifying production programs, systems, or data. Similarly, systems development personnel should have little contact with production systems. By assigning specific roles during implementation and other change processes to both the personnel responsible for application systems and those responsible for operations, appropriate separation of duties can be enforced. In large organizations, many other functions should be considered to ensure appropriate separation of duties, and these controls can be quite detailed. For example, privileged accounts such as members of the Administrators group in Windows and the superuser (root) account in UNIX can modify log entries, access any file, and in many cases act as any user or role. It is important to restrict the number of individuals with this privilege to a minimum. Software tools are also available, and should be considered, to limit the power and monitor the activities of individuals with privileged accounts.
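An audit test of the separation-of-duties and privileged-account points above can be scripted against an entitlement extract. The following Python is an added example, not from the GTAG; the extract, the toxic-combination pairs, and the threshold of two privileged accounts per system are constructed for illustration and would, in practice, come from the organization's access-rights policy and from its application role tables and operating-system group files.

```python
"""Separation-of-duties review over an access-rights extract.

Added example, not part of the GTAG. The entitlement extract, the conflict
matrix and the threshold below are constructed for illustration.
"""
from collections import defaultdict
from itertools import combinations

# Constructed extract: (user, system, entitlement)
ENTITLEMENTS = [
    ("alice", "AP",   "invoice.initiate"),
    ("alice", "AP",   "invoice.authorize"),   # initiates and approves on the same system
    ("bob",   "AP",   "invoice.initiate"),
    ("carol", "AP",   "invoice.authorize"),
    ("dave",  "ERP",  "developer"),
    ("dave",  "ERP",  "prod.operator"),       # development and operations in one person
    ("erin",  "ERP",  "prod.operator"),
    ("frank", "WIN",  "Administrators"),
    ("grace", "WIN",  "Administrators"),
    ("heidi", "UNIX", "root"),
    ("ivan",  "WIN",  "Administrators"),
]

# Pairs of entitlements one person must not hold on the same system.
# This is policy input; the pairs here are constructed.
TOXIC_PAIRS = {
    ("invoice.initiate", "invoice.authorize"),
    ("developer", "prod.operator"),
}

# Privileged entitlements whose holder count should be kept to a minimum.
PRIVILEGED = {"Administrators", "root"}
MAX_PRIVILEGED_PER_SYSTEM = 2   # hypothetical threshold set by policy


def rights_by_user(entitlements):
    """Group the extract as {(user, system): set of entitlements}."""
    grouped = defaultdict(set)
    for user, system, right in entitlements:
        grouped[(user, system)].add(right)
    return grouped


def sod_conflicts(entitlements, toxic_pairs=TOXIC_PAIRS):
    """Users holding both halves of a toxic pair on one system.
    Returns (user, system, right_a, right_b) tuples in a stable order."""
    findings = []
    for (user, system), rights in sorted(rights_by_user(entitlements).items()):
        for a, b in combinations(sorted(rights), 2):
            if (a, b) in toxic_pairs or (b, a) in toxic_pairs:
                findings.append((user, system, a, b))
    return findings


def privileged_holders(entitlements, privileged=PRIVILEGED):
    """{system: sorted list of users} holding a privileged entitlement."""
    holders = defaultdict(set)
    for user, system, right in entitlements:
        if right in privileged:
            holders[system].add(user)
    return {system: sorted(users) for system, users in holders.items()}


def over_threshold(entitlements, limit=MAX_PRIVILEGED_PER_SYSTEM):
    """Systems where the privileged-account count exceeds the policy limit."""
    return {system: users
            for system, users in privileged_holders(entitlements).items()
            if len(users) > limit}


if __name__ == "__main__":
    for finding in sod_conflicts(ENTITLEMENTS):
        print("SoD conflict:", finding)
    for system, users in over_threshold(ENTITLEMENTS).items():
        print(f"{system}: {len(users)} privileged accounts ({', '.join(users)}) "
              f"exceeds limit of {MAX_PRIVILEGED_PER_SYSTEM}")
```

The conflict check works per system, since holding "initiate" in one application and "authorize" in another is not by itself a finding; the privileged-account check is deliberately a count against a stated limit rather than a judgment about individual names, which is what an auditor can test repeatably.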

5.3.3.2 Financial Controls

Because organizations make considerable investments in IT, budgetary and other financial controls are necessary to ensure the technology yields the projected return on investment or proposed savings. Management processes should be in place to collect, analyze, and report information related to these issues. Unfortunately, new IT developments often suffer massive cost overruns and fail to deliver the expected cost savings because of insufficient planning. Budgetary controls can help identify potential failings early in the process and allow management to take positive action. They may also produce historical data that organizations can use in future projects.

5.3.3.3 Change Management

Change management processes can be specified under organizational and management control elements. These processes should ensure that changes to the IT environment, systems software, application systems, and data are applied in a manner that enforces appropriate division of duties, makes sure changes work as required, prevents changes from being exploited for fraudulent purposes, and reveals the true costs of inefficiencies and system outages that can be obscured by ineffective monitoring and reporting processes. Change management is one of the most sensitive areas of IT controls and can seriously impact system and service availability if not administered effectively. The IT Process Institute has published research demonstrating that effective IT change management can bring significant benefits to organizations.

5.3.3.4 Other Management Controls

Other typical management controls include vetting procedures for new staff, performance measurement, provision of specialist training for IT staff, and disciplinary procedures. These are listed in the Information Security Program Elements in Appendix A and will be covered in greater detail in other GTAG publications.

5.3.4 Physical and Environmental Controls

IT equipment represents a considerable investment for many organizations. It must be protected from accidental or deliberate damage or loss. Physical and environmental controls, originally developed for large data centers that house mainframe computers, are equally important in the modern world of distributed client-server and Web-based systems. Although the equipment commonly used today is designed for ease of use in a normal office environment, its value to the business, and the cost and sensitivity of applications running business processes, can be significant. All equipment must be protected, including the servers and workstations that allow staff access to the applications.

Some typical physical and environmental controls include:

• Locating servers in locked rooms to which access is restricted.

• Restricting server access to specific individuals.

• Providing fire detection and suppression equipment.

• Housing sensitive equipment, applications, and data away from environmental hazards such as low-lying flood plains or flammable liquid stores.

When considering physical and environmental security, it is also appropriate to consider contingency planning, also known as disaster recovery planning, which includes response to security incidents. What will the organization do if there is a fire or flood, or if any other threat manifests itself? How will the organization restore the business and related IT facilities and services to ensure normal processing continues with minimum effect on regular operations? This type of planning goes beyond merely providing for alternative IT processing power to be available and routine backup of production data; it must consider the logistics and coordination needed for the full scope of business activity. Finally, history consistently demonstrates that a disaster recovery plan that has not been tested successfully in a realistic simulation is not reliable.

5.3.5 Systems Software Controls

Systems software products enable the IT equipment to be used by the application systems and users. These products include operating systems such as Windows, UNIX, and Linux; network and communications software; firewalls; antivirus products; and database management systems (DBMS) such as Oracle and DB2.

Systems software can be highly complex and can apply to components and appliances within the systems and network environment. It may be configured to accommodate highly specialized needs and normally requires a high degree of specialization to maintain it securely. Configuration techniques can control logical access to the applications, although some application systems contain their own access controls, and these can provide an opening for hackers to use to break into a system. Configuration techniques also provide the means to enforce division of duties, generate specialized audit trails, and apply data integrity controls through access control lists, filters, and activity logs.

IT audit specialists are required to assess controls in this area. Small organizations are unlikely to have the resources to employ such specialists and should consider outsourcing the work. Whether IT auditors are employed or outsourced, they require a highly specific set of knowledge. Much of this knowledge can come from experience, but such knowledge must be updated constantly to remain current and useful. Certification confirms that a technical specialist has acquired a specified set of knowledge and experience and has passed a related examination. In the IT audit world, global certificates include the Qualification in Computer Auditing (QiCA) from IIA–United Kingdom and Ireland, Certified Information Systems Auditor (CISA) available through the Information Systems Audit and Control Association (ISACA), and Global Information Assurance Certification (GIAC) Systems & Network Auditor (GSNA) from the SANS Institute's GIAC program. Additional certifications address general and specialized competence in information security, network administration, and other areas closely related to IT auditing and are useful for identifying an IT auditor's potential ability.

Some key technical controls the CAE should expect to find in a well-managed IT environment include:

• Access rights allocated and controlled according to the organization's stated policy.

• Division of duties enforced through systems software and other configuration controls.

• Intrusion and vulnerability assessment, prevention, and detection in place and continuously monitored.

• Intrusion testing performed on a regular basis.

• Encryption services applied where confidentiality is a stated requirement.

• Change management processes, including patch management, in place to ensure a tightly controlled process for applying all changes and patches to software, systems, network components, and data.

5.3.6 Systems Development and Acquisition Controls

Organizations rarely adopt a single methodology for all systems development projects. Methodologies are chosen to suit the particular circumstances of each project. The IT auditor should assess whether or not the organization develops or acquires application systems using a controlled method that subsequently provides effective controls over and within the applications and the data they process. All computer application systems should perform only those functions the user requires, in an efficient way. By examining application development procedures, the auditor can gain assurance that applications work in a controlled manner.

Some basic control issues should be evident in all systems development and acquisition work:

• User requirements should be documented, and their achievement should be measured.

• Systems design should follow a formal process to ensure that user requirements and controls are designed into the system.

• Systems development should be conducted in a structured manner to ensure that requirements and design features are incorporated into the finished product.

• Testing should ensure that individual system elements work as required, system interfaces operate as expected, users are involved in the testing process, and the intended functionality has been provided.

• Application maintenance processes should ensure that changes in application systems follow a consistent pattern of control. Change management should be subject to structured assurance validation processes.

Where systems development is outsourced, the outsourcer or provider contracts should require similar controls.

Project management techniques and controls need to be part of the development process, whether developments are performed in-house or are outsourced. Management should know projects are on time and within budget and that resources are used efficiently. Reporting processes should ensure that management completely understands the current status of development projects and does not receive any surprises when the end product is delivered.

5.3.7 Application-based Controls

The objective of internal controls over application systems is to ensure that:

• All input data is accurate, complete, authorized, and correct.

• All data is processed as intended.

• All data stored is accurate and complete.

• All output is accurate and complete.

• A record is maintained to track the process of data from input to storage and to the eventual output.

Reviewing the application controls traditionally has been the "bread and butter" of the IT auditor. However, because application controls now represent a huge percentage of business controls, they should be the priority of every internal auditor. All internal auditors need to be able to evaluate a business process and understand and assess the controls provided by automated processes.

There are several types of generic controls that the CAE should expect to see in any application:

• Input Controls – These controls are used mainly to check the integrity of data entered into a business application, whether the source is input directly by staff, remotely by a business partner, or through a Web-enabled application. Input is checked to ensure that it remains within specified parameters.

• Processing Controls – These controls provide automated means to ensure processing is complete, accurate, and authorized.

• Output Controls – These controls address what is done with the data. They should compare results with the intended result and check them against the input.

• Integrity Controls – These controls can monitor data in process and/or in storage to ensure that data remains consistent and correct.

• Management Trail – Processing history controls, often referred to as an audit trail, enable management to track transactions from the source to the ultimate result and to trace backward from results to identify the transactions and events they record. These controls should be adequate to monitor the effectiveness of overall controls and identify errors as close as possible to their sources.
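The generic application controls listed above, together with the data edits, separation of initiation from authorization, balancing of processing totals, and transaction logging named at the start of this section, can be seen working together on one batch. The following Python is an added example, not from the GTAG: the chart of accounts, the batch header totals, and the transactions are constructed, including one keying error and one self-approved entry, and the column names and error codes are hypothetical.

```python
"""Application controls applied to a constructed batch of journal entries.

Added example, not part of the GTAG. The chart of accounts, batch header,
transactions and error codes are all constructed for illustration.
"""
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation
import hashlib
import json

VALID_ACCOUNTS = {"1000", "2000", "4000"}   # constructed chart of accounts


@dataclass
class Txn:
    txn_id: str
    account: str
    amount: str          # raw value as keyed or received; validated below
    entered_by: str
    approved_by: str


@dataclass
class BatchHeader:
    batch_id: str
    record_count: int    # control total declared by the originator
    hash_total: str      # sum of amounts declared by the originator


def input_edits(t: Txn) -> list:
    """Input controls: field-level edits. Returns error codes; empty means pass."""
    errs = []
    if t.account not in VALID_ACCOUNTS:
        errs.append("E01 unknown account")
    try:
        amt = Decimal(t.amount)
        if amt <= 0 or amt.as_tuple().exponent < -2:
            errs.append("E02 amount not positive currency")
    except InvalidOperation:
        errs.append("E02 amount not numeric")
    if t.entered_by == t.approved_by:
        errs.append("E03 initiator also authorizer")   # separation of business functions
    return errs


class AuditTrail:
    """Management trail: append-only records, each chained to the previous by hash,
    so that editing or dropping an earlier entry breaks verification."""
    def __init__(self):
        self.records = []
        self._prev = "0" * 64

    def log(self, event: str, **data):
        body = json.dumps({"seq": len(self.records), "event": event,
                           "prev": self._prev, **data}, sort_keys=True)
        digest = hashlib.sha256(body.encode()).hexdigest()
        self.records.append((body, digest))
        self._prev = digest

    def verify(self) -> bool:
        prev = "0" * 64
        for body, digest in self.records:
            if hashlib.sha256(body.encode()).hexdigest() != digest:
                return False
            if json.loads(body)["prev"] != prev:
                return False
            prev = digest
        return True


def process_batch(header: BatchHeader, txns: list, trail: AuditTrail) -> dict:
    """Processing and output controls: apply edits, log every decision, then
    balance what was posted against the originator's control totals."""
    accepted, rejected = [], []
    for t in txns:
        errs = input_edits(t)
        if errs:
            rejected.append((t.txn_id, errs))
            trail.log("reject", txn=t.txn_id, errors=errs)
        else:
            accepted.append(t)
            trail.log("accept", txn=t.txn_id, account=t.account, amount=t.amount)
    posted_total = sum(Decimal(t.amount) for t in accepted)
    balanced = (len(txns) == header.record_count
                and posted_total == Decimal(header.hash_total))
    trail.log("balance", batch=header.batch_id, posted=str(posted_total), balanced=balanced)
    return {"accepted": [t.txn_id for t in accepted], "rejected": rejected,
            "posted_total": posted_total, "balanced": balanced}


# Constructed batch: originator declares 4 records totalling 1350.00.
SAMPLE_HEADER = BatchHeader("B-0001", record_count=4, hash_total="1350.00")
SAMPLE_TXNS = [
    Txn("T1", "1000", "500.00", "bob", "carol"),
    Txn("T2", "4000", "250.00", "bob", "carol"),
    Txn("T3", "2000", "5OO.00", "bob", "carol"),    # letter O keyed for zero
    Txn("T4", "9999", "100.00", "alice", "alice"),  # bad account, self-approved
]


def run_example():
    trail = AuditTrail()
    result = process_batch(SAMPLE_HEADER, SAMPLE_TXNS, trail)
    return result, trail


if __name__ == "__main__":
    result, trail = run_example()
    print(result)
    print("trail intact:", trail.verify())
```

Two of the four records fail the input edits, so the batch posts 750.00 against a declared hash total of 1,350.00 and is reported out of balance; the rejection list is what the error-reporting control would route back to the originator for correction, which is itself a process the text says should be controlled. The trail chains each record to its predecessor by hash so that a later alteration to a logged entry is detectable, which is the property asked of the management trail above.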


5.4 Information Security

Information security is an integral part of all IT controls. Information security applies to both infrastructure and data and is the foundation for the reliability of most other IT controls. The exceptions are controls relating to the financial aspects of IT (e.g., ROI, budgetary controls) and some project management controls. The universally accepted elements of information security are:

• Confidentiality – Confidential information must only be divulged as appropriate and must be protected from unauthorized disclosure or interception. Confidentiality includes privacy considerations.

• Integrity – Information integrity refers to the state of data as being correct and complete. This specifically includes the reliability of financial processing and reporting.

• Availability – Information must be available to the business, its customers, and partners when, where, and in the manner needed. Availability includes the ability to recover from losses, disruption, or corruption of data and IT services, as well as from a major disaster where the information was located.

5.5 IT Controls Framework

IT controls are not automatic. For the more than 50 years organizations have used IT, controls have not always been the default condition of new systems, hardware, or software. The development and implementation of controls typically lag behind the recognition of vulnerabilities in systems and the threats that exploit such vulnerabilities. Further, IT controls are not defined in any widely recognized standard applicable to all systems or to the organizations that use them.

Many frameworks exist for categorizing IT controls and their objectives. Each organization should use the most applicable components of these frameworks to categorize or assess IT controls and to provide and document its own internal control framework for:

• Compliance with applicable regulations and legislation.

• Consistency with the organization's goals and objectives.

• Reliable evidence (assurance) that activities are in compliance with management's governance policies and are consistent with the organization's risk appetite.

Risk Appetite

An organization's risk appetite defines the degree of risk a company or other organization is willing to accept in pursuit of its goals, as determined by executive management and governance. Risk appetite can specify, for example, whether or not an organization will take an aggressive role in the deployment of new and emerging technologies. An organization's risk appetite can be affected by its industry and regulatory environment. Closely related to risk appetite is an organization's risk tolerance, which measures how far it is willing to deviate from its stated measure of risk appetite.

Many issues drive the need for IT controls, including controlling costs and remaining competitive, protecting against information theft by hackers, and complying with legislation and regulation such as the U.S. Sarbanes-Oxley Act of 2002², the European Union's Data Protection Directive, and related legislation in other countries. IT controls promote reliability and efficiency and allow the organization to adapt to changing risk environments. For example, any control that mitigates or detects fraud or cyber attacks enhances the organization's resiliency by helping the organization uncover the risk and manage its impact. Resiliency is a result of a strong system of internal controls that gives an organization the ability to manage disruptions seamlessly.

Legislation and regulations in some countries now require organizations to report on the effectiveness of internal control and, by implication, the effectiveness of IT control. The most prominent new law is Sarbanes-Oxley, which requires all companies with shares that are publicly traded in the United States, and their foreign subsidiaries, to report on their system of internal controls over financial reporting, performed in conjunction with an audit of financial statements. A list of some of the legislation and regulations applicable to internal controls is provided in Appendix B (see page 24).

The need for controls is further driven by the complexity resulting from the necessity for diverse technical components to work with one another. While flexibility and adaptability of IT are crucial to meeting the changing needs of customers and business partners and responding to competitive pressures, they also add complexity to business and IT infrastructures. In addition, information security has been acknowledged as a key component of internal control with the emergence and widespread acceptance of standards such as the International Organization for Standardization Code of Practice for Information Security Management (ISO 17799).

Organizations that implement effective IT controls experience improvements in efficiencies, reliability of services, flexibility of systems, and availability of assurance evidence, all of which add value and increase stakeholder and regulator confidence in the organization. Some key indicators of effective IT controls include:

• The ability to execute planned new work, such as the IT infrastructure upgrades required to support new products and services.

• Delivery of development projects on time and within budget, resulting in cheaper and better product and service offerings when compared with competitors.

• Ability to allocate resources predictably.

• Consistent availability and reliability of information and IT services across the organization and for customers, business partners, and other external interfaces.

• Clear communication to management of effective controls.

• The ability to protect against new vulnerabilities and threats quickly and efficiently, and to recover from any disruption of IT services.

• The efficient use of a customer support center or help desk.

• A security-conscious culture among end users throughout the organization.

Although the internal audit function likely will include specialist IT auditors to address IT issues in detail, the CAE also should understand IT control issues at a high level, particularly their interactions with other IT and non-IT controls. This understanding is particularly important when discussing compliance or control deficiencies with high-level managers such as the chief executive officer (CEO), chief financial officer (CFO), or chief information officer (CIO), and with the various board committees.

The CAE should be able to discuss relevant regulations and legislation with the audit committee, the chief legal counsel, and other relevant individuals and committees. The CAE also should understand how IT controls support reliability and effectiveness and help promote competitive advantage. Moreover, the CAE should thoroughly understand the major issues that drive the need for controls within the organization's particular sector to ensure they are considered during audit assessments. Without a thorough knowledge and understanding of IT controls, the auditor will be unable to grasp their significance or to assess them adequately as part of the overall review of internal control.

GTAG — Importance of IT Controls — 6

2 Public Accounting Reform and Investor Protection Act of 2002, known as Sarbanes-Oxley after its sponsors, U.S. Sen. Paul Sarbanes and U.S. Rep. Michael Oxley.

GTAG — IT Roles in the Organization — 7

Many different roles have emerged in recent years for positions within the organization with responsibilities and ownership of IT controls. Each position at the governance, management, operational, and technical levels should have a clear description of its roles and responsibilities for IT controls to avoid confusion and ensure accountability for specific issues. This section addresses the various IT control roles and responsibilities within the organization and allocates them to specific positions within a hypothetical organizational structure.

There is no universally applicable means of defining the organizational structure for IT control. The CAE should identify where IT control responsibilities lie and assess their appropriateness with regard to separation of duties, as well as any gaps that may exist in assigned responsibilities. Once this is done, the CAE will know whom to approach to discuss specific IT issues and where specific information can be obtained.

Overall, the objectives for the use of IT within any organization are:

• To deliver reliable information efficiently and secure IT services, in line with the organization's strategies, policies, external requirements, and risk appetite.

• To protect stakeholder interests.

• To enable mutually beneficial relationships with customers, business partners, and other outside parties that accomplish business objectives.

• To identify and respond to threats and potential violations of control appropriately.

Specific roles within the organization support these objectives. The position descriptions and titles will differ across different countries, industries, and organizations, and some of the roles may be merged within smaller organizations. However, some individuals within the organization must address the IT control function and interact with the CAE and internal audit staff members.

7.1 Board of Directors/Governing Body

One important role of the full board of directors is to determine and approve strategies, set objectives, and ensure that objectives are being met to support the strategies. In relation to IT, this requires:

• Awareness of the key IT topics, such as the IT and information security policies and the concepts of risk as they relate to IT. An example of board roles in IT oversight is provided in The IIA's "Information Security Management and Assurance Series" at www.theiia.org/iia/index.cfm?doc_id=2458.

• Understanding of the IT strategy's infrastructure and components, as well as awareness of key system development and acquisition projects and how they support and impact overall corporate strategies, objectives, and short- and long-term budgets.

• Approval of the data classifications structure and the related access rights.

The board will establish various committees based on its relationships with the organization. The most common committees of the board are audit, compensation, and governance, but some boards have additional committees, such as a risk management committee or finance committee. These committees may bear different names from those identified below, and their roles may vary. The functions, rather than the names, are important.

7.1.1 Audit Committee

The role of the audit committee encompasses oversight of financial issues, internal control assessment, risk management, and ethics. IT control is a strong element of each of these duties and calls for:

• Understanding of financial management (financial expert role) and the organization's reliance on IT for financial processing and reporting.

• Ensuring IT topics are included in the committee meeting agenda — especially CIO reporting.

• Ensuring general IT controls, and controls in business application systems and processes involved in preparing financial statements, are assessed and tested adequately.

• Overseeing the overall assessment of IT controls.

• Reviewing the business and control issues related to new systems development and acquisition.

• Examining internal and external audit plans and work to ensure IT topics are covered adequately.

• Reviewing the results of audit work and monitoring the resolution of issues raised.

• Understanding the IT topics that impact ethics monitoring.

7.1.2 Compensation Committee

The compensation committee has no direct relationship with IT. However, it can improve the board's oversight of IT by making IT one of the performance elements of any compensation plan it approves.

7.1.3 Governance Committee

The governance committee is responsible for board member selection and assessment and for leadership of the board's operations. In relation to IT, this committee should:

• Ensure that potential and current board members have a suitable IT knowledge or background.

• Assess board committees' performance in terms of their oversight of IT.

• Review any external regulatory governance assessments in relation to IT topics.

• Ensure that the board reviews IT policies periodically and that board meetings focus on IT with adequate frequency.

7.1.4 Risk Management Committee

The risk management committee is responsible for oversight of all risk analysis and assessment, risk response, and risk monitoring. Its role includes:

• Assessing the extent to which management has established effective enterprise risk management in the organization.

• Being aware of, and concurring with, the organization's risk appetite and tolerance.

• Appreciating the impact of IT-related risks.

• Reviewing the organization's risk portfolio — including IT risks — and considering it against the organization's risk appetite.

• Being apprised of the most significant IT risks and determining whether or not management's response to changes in risk and threats is appropriate.

• Monitoring and evaluating all activities performed by management to minimize all known and documented risks.

7.1.5 Finance Committee

The main role of the finance committee is to review financial statements, cash flow projections, and investment management. Members of this committee need to understand the control elements of IT that ensure the accuracy of information used to make key financing decisions and generate financial reports. They also should consider, and ask management to report on, the benefits and costs of maintaining — versus replacing — critical IT systems. Management's report should consider "soft" efficiency issues, such as gains or losses to productivity based on ease and efficiency of use; the "hard" costs of repairs and upgrades; and the potential for risk due to loss or corruption of data.

7.2 Management

Several specific roles have emerged in large organizations in relation to IT risk and control. As stated previously, small organizations might not allocate an individual for each role, although the function must still be performed. An individual may perform multiple roles, but care must be taken so that allocating these roles does not compromise the need for division of duties where roles are incompatible. Where IT is outsourced, there is still a requirement for organizations to keep many of these roles in-house to provide oversight of the outsourced functions.

7.2.1 Chief Executive Officer

The individual with overall strategic and operational control of the organization must consider IT in most aspects of the role. In particular, the CEO will:

• Define corporate objectives and performance measures in relation to IT.

• Act as custodian over the organization's critical success factors in relation to IT.

• Understand and approve the short-term and long-range strategy for IT.

• Approve IT resources for the organization, including structure and oversight/monitoring.

• Determine IT issues for periodic management, board, and staff discussion.

• Operate as the highest-level control owner, having ultimate responsibility for the success or failure of controls and for coordinating all other operational managers within their responsibilities framework who act as control owners of their particular areas.

7.2.2 Chief Financial Officer

The CFO has overall responsibility for all financial matters in the organization and should have a strong understanding of the use of IT, both to enable financial management and to support corporate objectives. This individual should have an overall understanding of:

• The total cost of ownership for IT initiatives.

• The entity's IT strategies for remaining technologically competitive.

• The technologies used to implement financial applications.

• The operation of specific financial applications.

• The limitations and benefits of IT.

• The IT control structure for general controls that apply to all business systems and data, as well as controls that are specific to financial applications.

The CFO should operate as the highest-level control owner for financial systems and data.

IT Controls and Ethics

As evidenced by cases from Equity Funding in the 1970s to the scandals that continue to emerge today, the use of technology creates significant opportunities to initiate and perpetuate fraud and deception. The authority to override certain controls brings with it the temptation to initiate improper actions. If such improprieties go unnoticed or are tacitly allowed to continue, they can grow into outright fraud. Therefore, when an organization provides an individual the opportunity to perform actions on behalf of the organization, it has a corresponding responsibility to provide monitoring to detect and correct improper activities quickly. The organization also has a responsibility to identify threats of this sort and to establish safeguards as a preventive measure. The same technology tools that can create the opportunity for fraud can be used to identify activities, or even unusual patterns in transactions or other data, that may indicate evidence of fraud or questionable behavior.

7.2.3 Chief Information Officer

The CIO has overall responsibility for the use of IT within the organization. In relation to IT controls, the CIO should:

• Understand the business requirements that drive the need to implement IT.

• Develop IT partnerships with business management to:
  – Ensure IT strategy is aligned with the business strategy.
  – Ensure compliance.
  – Profit from process-efficiency gains.
  – Mitigate assessed risks.

• Design, implement, and maintain an IT internal control framework.

• Plan, source, and control IT resources.

• Explore, assess, select, and implement technology advances (e.g., wireless communications).

• Provide training for IT personnel to ensure that levels of knowledge and skills remain current.

• Operate as the highest-level data/system custodian and IT control owner.

• Measure the operational performance of IT in support of business objectives by:
  – Setting expectations.
  – Evaluating results.

• Developing all necessary means to verify and acknowledge that IT is providing services and support as expected by its users and final customers, such as regulators and external and internal auditors.

7.2.4 Chief Security Officer

The chief security officer (CSO) is responsible for all security across the entire organization, including information security, which may be the responsibility of a chief information security officer as well. The CSO:

• Has responsibility for documenting the enterprise security policy and for ensuring mechanisms have been established to communicate and enforce the policy.

• Has overall responsibility for logical and physical security in the organization and for all external connections to the Internet or other networks.

• Acts as a key link between the compliance, legal, CIO, and audit functions.

• Is at the forefront of implementing key compliance programs affecting IT, such as Sarbanes-Oxley and the European Union (EU) Data Protection Directive.

• Is responsible for business continuity planning, including incident handling and disaster recovery.

• Ensures that security staff provide support for implementing controls at all levels.

• Acts as the key leader for investigating and evaluating new best practices that may be incorporated into the organization.

7.2.5 Chief Information Security Officer (CISO)

Information security is a subset of the overall security role. The CISO:

• Develops and implements the information security policy in coordination with the CSO.

• Controls and coordinates information security resources, ensuring they are allocated adequately to meet the organization's security objectives.

• Ensures alignment of information security and business objectives.

• Manages operational information risks throughout the organization.

• Oversees security within the IT organization.

• Provides education and awareness on information security issues and new best practices.

• Develops end-user policies for the usage of IT information in conjunction with the human resources function.

• Coordinates information security work with the chief risk officer (CRO) and CIO.

• Advises the CEO, CRO, CIO, and board on IT risk issues.

• Acts as a key link for the CAE when internal auditing performs IT control-related audits.

7.2.6 Chief Legal Counsel (CLC)

Legal counsel may be an employee or officer of the organization or an external legal adviser. The role involves:

• Understanding and dealing with the liabilities arising out of information disclosures, and providing policy-level guidance to help manage risks related thereto.

• Ensuring financial reports and presentations comply with laws and regulations.

• Understanding IT legal issues and advising on legal risks related to IT.

• Managing organizational reputation in relation to legal issues, compliance, and public relations.

• Understanding fraud involving IT.

• Managing IT contractual issues.

• Understanding investigative forensics protocols regarding suspected criminal activity.

7.2.7 Chief Risk Officer

The CRO is concerned with managing risk at all levels of the organization. Because IT risks form a part of this function, the CRO will consider them with the help of the CISO. This includes:

• Analysis and assessment of IT risk exposures, including information compromises such as loss, damage, unauthorized disclosure, and interrupted access.

• Assessment of IT events, such as interruptions, disasters, and changes.

• Analysis and assessment of business risk as it is affected by IT risk.

• Monitoring, supporting, and acting as a mentor for all IT activities related to minimizing risks.

7.3 Audit

7.3.1 Internal Auditing – CAE and Audit Staff

Internal auditing is an essential part of the corporate governance process, whether or not a specific internal audit group is employed. Internal auditors need a general understanding of IT, but the level of their understanding will vary depending on the category of auditing or audit supervision they perform (IIA Standard 1210.A3). The IIA defines three categories of IT knowledge for internal auditors; Appendix C (page 28) describes these categories. The internal audit role in relation to IT involves:

• Advising the audit committee and senior management on IT internal control issues.

• Ensuring IT is included in the audit universe and annual plan (selecting topics).

• Ensuring IT risks are considered when assigning resources and priorities to audit activities.

• Defining IT resources needed by the internal audit department, including specialized training of audit staff.

• Ensuring that audit planning considers IT issues for each audit.

• Liaising with audit clients to determine what they want or need to know.

• Performing IT risk assessments.

• Determining what constitutes reliable and verifiable evidence.

• Performing IT enterprise-level controls audits.

• Performing IT general controls audits.

• Performing IT applications controls audits.

• Performing specialist technical IT controls audits.

• Making effective and efficient use of IT to assist the audit processes.

• During systems development or analysis activities, operating as experts who understand how controls can be implemented and circumvented.

• Helping to monitor and verify the proper implementation of activities that minimize all known and documented IT risks.

7.3.2 External Auditor

Independent external audits are a requirement for most organizations and normally are performed annually. Topics to be considered by the internal audit department and the audit committee include:

• The extent of the external auditor's responsibilities for understanding and evaluating the IT system and related IT controls during financial audits.

• The scope of the external auditor's responsibilities for examining the IT system and controls during any formal attestation that may be required by statute or regulation, such as internal controls over financial reporting and other regulatory requirements.


3 These definitions are taken from the COSO Enterprise Risk Management – Integrated Framework (Oct. 2004).

8.1 Risk Determines Response

IT controls are selected and implemented on the basis of the risks they are designed to manage. As risks are identified — through experience or formal risk assessment — suitable risk responses are determined, ranging from doing nothing and accepting the risk as a cost of doing business to applying a wide range of specific controls, including insurance.

It would be a relatively straightforward task to create a list of recommended IT controls that must be implemented within each organization. However, each control has a specific cost that may not be justified in terms of cost effectiveness when considering the type of business done by the organization. Furthermore, no list of controls is universally applicable across all types of organizations. Although there is a lot of good advice available on the choice of suitable controls, strong judgment must be used. Controls must be appropriate for the level of risk faced by the organization.

The CAE should be able to advise the audit committee that the internal control framework is reliable and provides a level of assurance appropriate to the risk appetite of the organization. In this respect, the risk appetite of the organization is defined by COSO³ as:

"… the degree of risk, on a broad-based level, that a company or other organization is willing to accept in pursuit of its goals. Management considers the organization's risk appetite first in evaluating strategic alternatives, then in setting objectives aligned with the selected strategy and in developing mechanisms to manage the related risks."

In addition, the CAE should consider risk tolerance. COSO defines risk tolerance as:

"… the acceptable level of variation relative to the achievement of objectives. In setting specific risk tolerances, management considers the relative importance of the related objectives and aligns risk tolerances with its risk appetite."

Thus, the CAE should consider whether or not:

• The organization's IT environment is consistent with the organization's risk appetite.

• The internal control framework is adequate to ensure that the organization's performance remains within the stated risk tolerances.

8.2 Risk Considerations in Determining the Adequacy of IT Controls

Risk management applies to the entire spectrum of activity within an organization, not just to the application of IT. IT cannot be considered in isolation but must be treated as an integral part of all business processes. Choosing IT controls is not simply a matter of implementing those recommended as best practices. They must add value to the organization by reducing risk efficiently and increasing effectiveness.

When considering the adequacy of IT controls within the organization's internal control framework, the CAE should consider the processes established by management to determine:

• The value and criticality of information.

• The organization's risk appetite and tolerance for each business function and process.

• IT risks faced by the organization and quality of service provided to its users.

• The complexity of the IT infrastructure.

• The appropriate IT controls and the benefits they provide.

• Harmful IT incidents in the past 24 months.

The frequency of risk analysis is important and is influenced greatly by technological change. In a static business and technical infrastructure environment, the risk assessment process could be as infrequent as yearly, or could be performed in concert with a major implementation project.

8.2.1 The IT Infrastructure

Analyzing and assessing risk in relation to IT can be complex. The IT infrastructure consists of hardware, software, communications, applications, protocols (rules), and data, as well as their implementation within physical space, within the organizational structure, and between the organization and its external environment. Infrastructure also includes the people interacting with the physical and logical elements of systems.

The inventory of IT infrastructure components reveals basic information about the vulnerabilities of the environment. For example, business systems and networks connected to the Internet are exposed to threats that do not exist for self-contained systems and networks. Because Internet connectivity is an essential element of most business systems and networks, organizations must make certain that their systems and network architectures include the fundamental controls that ensure basic security.

The complete inventory of the organization's IT hardware, software, network, and data components forms the foundation for assessing the vulnerabilities within the IT infrastructures that may impact internal controls. Systems architecture schematics reveal the implementation of infrastructure components and how they interconnect with other components within and outside the organization. To the information security expert, the inventory and architecture of IT infrastructure components — including the placement of security controls and technologies — reveals potential vulnerabilities. Unfortunately, information about a system or network can also reveal vulnerabilities to a potential attacker, so access to such information must be restricted to only those people who need it. A properly configured system and network environment will minimize the amount of information it provides to would-be attackers, and an environment that appears secure presents a less attractive target to most attackers.

GTAG — Analyzing Risk — 8

8.2.2 IT Risks Faced by the Organization

The CAE discusses IT risk issues with the CIO and process owners to ensure that all related parties have an appropriate awareness and understanding of the technical risks faced by the organization through the use of IT, and of their roles in applying and maintaining effective controls.

8.2.3 Risk Appetite and Tolerance

Armed with the knowledge of IT risks, the auditor can validate the existence of effective controls to meet the established risk appetite of the organization and its risk tolerance in relation to IT. The auditor's assessment will involve discussions with many members of management and, ultimately, with the board. The level of detail of these discussions can be determined by the CRO, with input from the CIO, CISO, CSO, CAE, and process owners. The final decision regarding risk appetite and tolerance must be made by the risk committee — with input from the audit committee — and must be endorsed by the full board. The definitions of risk appetite and tolerance must be communicated to all relevant managers for implementation.

The goal of enterprise risk management is to ensure that everyone is working with the same level and understanding of risk, and that decisions made at all levels of management are consistent with the organization's risk appetite.

8.2.4 Performing Risk Analysis

Performing risk analysis is not the sole preserve of either the CRO or the CAE, although both of them, or their representatives, should be involved along with representatives from IT and the business areas.

There are eight basic questions associated with the risk assessment process. The first five include:

• What are the assets at risk, and the value of their confidentiality, integrity, and availability?

• What could happen to affect that information asset value adversely (threat event)? Implicit to this question is the vulnerability analysis and mapping of vulnerabilities to threats and potentially impacted information assets.

• If a threat event happened, how bad could its impact be?

• How often might the event be expected to occur (frequency of occurrence)?

• How certain are the answers to the first four questions (uncertainty analysis)?

The next three questions apply to risk mitigation analysis:

• What can be done to reduce the risk?

• How much will it cost?

• Is it cost-efficient?

8.2.5 Value of Information

Determining the value of the information processed and stored is not an easy task, due to the multidimensional nature of value. The Generally Accepted Information Security Principles (GAISP) Guidelines for Information Valuation, published by the Information Systems Security Association (www.ISSA.org), address information value within the following categories:

• Exclusive possession – cost in the event of a breach of confidentiality.

• Utility – cost in the event of a loss of integrity.

• Cost of creation/re-creation.

• Liability in the event of litigation.

• Convertibility/negotiability – represents market value.

• Operational impact of unavailability.

8.2.6 Appropriate IT Controls

Finally, appropriate IT controls must be chosen and implemented to address the risks identified. Much advice is available on this subject; see Appendix I (page 45).

The CAE and internal audit group should be involved in the process of analyzing and assessing risk. While they should operate in a manner that maintains the independence and objectivity of their function, they also must provide an opinion on the effectiveness of the internal control framework.

8.3 Risk Mitigation Strategies

When risks are identified and analyzed, it is not always appropriate to implement controls to counter them. Some risks may be minor, and it may not be cost effective to implement expensive control processes for them.

In general, there are several ways to mitigate the potential impact of risks:

• Accept the risk. One of the primary functions of management is managing risk. Some risks are minor because their impact and probability of occurrence is low. In this case, consciously accepting the risk as a cost of doing business is appropriate, as well as periodically reviewing the risk to ensure its impact remains low.

• Eliminate the risk. It is possible for a risk to be associated with the use of a particular technology, supplier, or vendor. The risk can be eliminated by replacing the technology with more robust products and by seeking more capable suppliers and vendors.

• Share the risk. Risk mitigation approaches can be shared with trading partners and suppliers. A good example is outsourcing infrastructure management. In such a case, the supplier mitigates the risks associated with managing the IT infrastructure by being more capable and having access to more highly skilled staff than the primary organization. Risk also may be mitigated by transferring the cost of realized risk to an insurance provider.

• Control/mitigate the risk. Where other options have been eliminated, suitable controls must be devised and implemented to prevent the risk from manifesting itself or to minimize its effects.


8.4 Control Characteristics to Consider

Some of the issues to be addressed during the IT control evaluation process include:

• Is the control effective?

• Does it achieve the desired result?

• Is the mix of preventive, detective, and corrective controls effective?

• Do the controls provide evidence when control parameters are exceeded or when controls fail? How is management alerted to failures, and which steps are expected to be taken?

• Is evidence retained (audit or management trail)?

8.5 Baseline IT Controls

IT controls are to be applied when mitigating the risks is the best option. While IT controls should be applied with due regard to the relevant risks, there is a basic set of controls that need to be in place to provide a fundamental level of IT hygiene. For example, the use of a firewall to control traffic between a corporate network and a public network such as the Internet, or between internal network domains, is a baseline control. The level of risk associated with the business value and sensitivity of the network traffic, the services provided, and the information stored in the infrastructure determines the extent to which firewalls restrict traffic coming into and departing from an organization's networks. Firewalls are a physical and logical manifestation of information security policy elements that dictate what is allowed into or out of an organization.

IT controls most widely applicable to all IT infrastructures are known as baseline controls. There are many types of baseline controls. Two baselines that apply to IT security controls are the Digital Dozen from the VISA Cardholder Information Security Program (CISP) and the Fundamental Five from the Center for Internet Security (see sidebars on this page). The Fundamental Five and Digital Dozen complement each other.

It is not easy to define the baseline IT controls, because the general threats, such as malicious software and hacking, change, and newer technologies and applications frequently are implemented across the organization. The following questions can be considered when selecting a suitable set of baseline controls:

• Do IT policies — including for IT controls — exist?

• Have responsibilities for IT and IT controls been defined, assigned, and accepted?

• Are IT infrastructure, equipment, and tools logically and physically secured?

• Are access and authentication control mechanisms used?

• Is antivirus software implemented and maintained?

• Is firewall technology implemented in accordance with policy (e.g., where external connections such as the Internet exist and where separation between internal networks is needed)?

• Are external and internal vulnerability assessments completed, and risks identified and appropriately resolved?

• Are change and configuration management and quality assurance processes in place?

• Are structured monitoring and service measurement processes in place?

• Are specialist IT audit skills available (either internally or outsourced)?

Further information on baseline controls can be found in Appendix I (page 45). More comprehensive information on risk analysis and management can be found in the IIA paper Information Security Management and Assurance: A Call to Action for Corporate Governance, http://www.theiia.org/eSAC/pdf/BLG0331.pdf.


Fundamental Five

The Consensus Benchmarks from the Center for Internet Security (www.cisecurity.org) provide guidance on the "Fundamental Five" of basic security hygiene. Use of these benchmarks typically results in an 80 percent to 95 percent reduction of known vulnerabilities.

1. Identity and Access Management (including privilege assignment and authentication)
2. Change Management (including patch management)
3. Configuration Management
4. Firewalls (workstation, host, sub-network, and perimeter)
5. Malware protection (including worms and viruses)

Digital Dozen

One of the most concise and broadly useful summaries of security guidance is the VISA CISP, which has proven its value for over two years in use by VISA credit card network service providers, including banks, processors, merchants, and others. VISA refers to these requirements as its "Digital Dozen":

1 Install and maintain a working firewall to protect data2 Keep security patches up-to-date3 Protect stored data4 Encrypt data sent across public networks5 Use and regularly update anti-virus software6 Restrict access by need to know7 Assign an unique Identification Code (ID) to each

person with computer access8 Dont use vendor-supplied defaults for passwords

and security parameters9 Track all access to data by unique ID

10 Regularly test security systems and processes11 Implement and maintain an information

security policy12 Restrict physical access to data


9.1 Choosing a Control Framework

The process of identifying and assessing the IT controls necessary to address specific risks is aided considerably by the organization's adoption of a formal control framework. This framework should apply to and be used by the whole organization — not just internal auditing. Although many frameworks exist, no single framework covers every possible business type or technology implementation.

A control framework is a structured way of categorizing controls to ensure that the whole spectrum of control is adequately covered. The framework can be informal or formal. A formal approach will satisfy the various regulatory or statutory requirements faced by many organizations more readily.

Each organization should examine existing control frameworks to determine which of them — or which parts — most closely fit its needs. The process of choosing or constructing a control framework should involve all positions in the organization with direct responsibility for controls. The CAE should be involved in the decision process because the internal audit function will assess the framework's adequacy and use it as a context for planning and performing audit work.

The CAE needs an overall knowledge of IT risk issues to assess the effectiveness and appropriateness of IT controls. The CAE will base the audit plan and allocate audit resources according to the IT areas and issues that merit attention due to their inherent levels of risk. Risk analysis and assessment cannot be viewed as a one-time process, especially when applied to IT, because technology changes constantly and rapidly, as do the associated risks and threats.

Categorizing IT controls according to their organizational placement, purpose, and functionality is useful in assessing their value and adequacy, as well as the adequacy of the system of internal controls. Knowledge of the range of available IT controls, the driving forces for controls, and organizational roles and responsibilities allows for comprehensive risk analysis and assessments. In assessing control effectiveness, it is also useful to understand whether the controls are mandated or voluntary, discretionary or nondiscretionary, manual or automated, primary or secondary, and subject to management override.

Finally, the assessment of IT controls involves selecting key controls for testing, evaluating test results, and determining whether or not evidence indicates any significant control weaknesses. The checklist in Appendix H can help the CAE ensure all relevant issues have been considered when planning and directing internal audit assessments of IT controls. Several existing frameworks and approaches can assist the CAE and other managers when determining IT control requirements. However, organizations should investigate enough frameworks to determine which one best fits their own needs and culture. A partial list of available frameworks is provided in Appendix D (See page 29).

The COSO Internal Control – Integrated Framework (1992) is accepted by the U.S. Public Company Accounting Oversight Board (PCAOB) for the purpose of reporting compliance with financial reporting provisions, but it is not specific to all areas of IT. This framework is considered to be a "suitable, recognized" framework to adopt for Sarbanes-Oxley compliance because it covers all areas of IT implementation, albeit at a high level of abstraction. (See Figure 5, COSO Model for Technology Controls, page 18.)

GTAG — Monitoring and Techniques — 9

COSO Model for Technology Controls

Monitoring
• Monthly metrics from technology performance
• Technology cost and control performance analysis
• Periodic technology management assessments
• Internal audit of technology enterprise
• Internal audit of high risk areas

Control Activities
• Review board for change management
• Comparison of technology initiatives to plan and return on investment
• Documentation and approval of IT plans and systems architecture
• Compliance with information and physical security standards
• Adherence to business continuity risk assessment
• Technology standards compliance enforcement

Information and Communication
• Periodic corporate communications (intranet, e-mail, meetings, mailings)
• Ongoing technology awareness of best practices
• IT performance survey
• IT and security training
• Help desk ongoing issue resolution

Risk Assessment
• IT risks included in overall corporate risk assessment
• IT integrated into business risk assessments
• Differentiate IT controls for high risk business areas/functions
• IT internal audit assessment
• IT insurance assessment

Control Environment
• Tone from the top – IT and security controls considered important
• Overall technology policy and information security policy
• Corporate Technology Governance Committee
• Technology Architecture and Standards Committee
• Full representation of all business units

Figure 5 – COSO Model for Technology Controls

9.2 Monitoring IT Controls

Determining where to apply control monitoring and assessment, and their frequency, is not easy. Participation by the auditor in risk analysis exercises and implementation of a suitable control framework help ensure that the CAE has sufficient information to create a suitable audit plan to address the major IT risks.

Ultimately, management is responsible for monitoring and assessing controls. The auditor's monitoring and assessments are performed to independently attest to management's assertions regarding the adequacy of controls. Management's control monitoring and assessment activities should be planned and conducted within several categories, as follows:

9.2.1 Ongoing Monitoring

• Daily/Periodic – Some information must be checked daily to ensure controls are working as required. Management normally performs such monitoring, which traditionally involves checking data-processing control reports to reconcile satisfactory task and job completion. Such controls, where they exist, are most often automated. The CAE will ensure such management monitoring is in place and that it is subjected to internal audit assessment.

• Event-driven – Discrepancies or even frauds may result within normal processing or in special circumstances, such as where there are large-value transactions. In many IT environments, malicious attacks are likely. Consequently, specific controls should be in place to detect and report unusual activities to an entity within the organization that is chartered specifically to investigate and determine if preventive or corrective actions should be applied. Such monitoring controls are complementary to the normal controls employed and provide assurance on the effectiveness of those controls, or early warning that they may have been breached.

• Continuous – Technology now provides the ability to monitor and assess certain sensitive controls continuously. A good example of continuous monitoring is the use of intrusion detection software, which continually monitors network traffic for evidence that other protective controls, such as firewalls and virus protection, may have been breached.

9.2.2 Special Reviews

• Annual (or quarterly) control assessment – Sarbanes-Oxley legislation in the United States requires cyclical control assessments. Although the board of directors is required to make statements regarding the effectiveness of internal controls, management actually must provide the assurances to the board, and the internal and external auditors must perform sufficient audit work to attest to these assurances.

• Audit reviews – A regular program of audit reviews is still necessary despite the proliferation of new audit approaches. It is only through the formal review of infrastructure, process, and technology implementation that the CAE can assess the overall reliability and robustness of the system of internal controls. In the past, such reviews were planned on a cyclical basis. However, given the fast-changing world of IT, audit reviews should now be scheduled based on the level of risk.


Suitable Recognized Framework

"…the framework on which management's assessment of the issuer's internal control over financial reporting is based must be a suitable, recognized control framework that is established by a body or group that has followed due-process procedures, including the distribution of the framework for public comment. By far the best-known framework that meets that definition is the framework designed by The Committee of Sponsoring Organizations of the Treadway Commission, otherwise known as the COSO report, which was published in 1992."

— Scott A. Taub, Deputy Chief Accountant, U.S. Securities and Exchange Commission (SEC), SEC and Financial Reporting Conference, Pasadena, California, May 29, 2003


10.1 What Audit Methodology to Use

A lot has changed in the 40 years that IT auditing has existed. Technology components have become smaller, faster, and cheaper, even as overall IT costs to the organization have increased significantly. The majority of business processes have been automated, typically to provide efficiencies, but also to enable certain business processes that cannot be performed manually. Ubiquitous network communications, including the Internet, have eliminated any distinction between business and electronic business.

The audit process similarly has evolved to match the automation of business processes. In the early days of automation, auditors "audited around the computer." Now they use software routinely to test or analyze data and technical controls within systems.

A widely used audit approach involves operational analysis of the processing of important business transactions by automated systems. In such audits, the auditor identifies activities and information subject to control and assesses the ability of existing controls to provide reliable protection — including sufficient evidence of the reliability of controls. Because operational audits of automated business processes frequently identify internal control deficiencies, internal auditors may sometimes shift their attention to audits of — or even involvement in — the processes whereby business activities are automated, such as systems design, development and acquisition, implementation, and maintenance.

Experienced auditors develop extensive knowledge of internal controls and their strengths and weaknesses. Therefore, it is not uncommon for internal auditors to provide consulting services to the management responsible for designing and implementing internal controls. The scope and limitations on such consulting activity are prescribed in the International Standards for the Professional Practice of Internal Auditing (See http://www.theiia.org/guidance/standards-and-practices). However, internal auditor involvement in design, development, or implementation activities does not absolve management from responsibility for those activities.

Today, no specific audit methodologies can be regarded as the sole current best practice. Internal auditors adopt the methods and practices that best suit the work needed. For example:

• When performing an assessment against Sarbanes-Oxley requirements, a systems-based audit approach may be the best method.

• Fraud investigations may require the use of audit software to analyze data and look for evidence. Audit software provides strong analytical capability plus the ability to examine all relevant records and files.

• Performing annual audit work in support of the main internal audit objectives will most likely follow a risk-based approach.

10.2 Testing IT Controls and Continuous Assurance

In addition to assessing the adequacy of IT control mechanisms, regular reviews should be performed to ensure that controls continue to function as required. A traditional method used by internal auditors is to create a population of test data that can be processed through the business systems to check the results, to ensure, for example, that controls continue to accept valid data and reject incorrect and invalid items. However, given the widespread, complex, and interactive nature of business systems today, audit testing tends to focus more specifically on key automated controls and analysis of the data.
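The test-data approach described above, as an added illustration that is not part of the GTAG: a small, hypothetical automated input control for payment entries (its business rules, account codes, user names and approval limit are all constructed for this example) is exercised with a deck of valid and deliberately invalid records. Each deck item carries the outcome the control is documented to produce, so the run reports not only what the control did but whether that matches its design. One item (a posting backdated beyond the documented 30-day limit) is expected to be rejected but is accepted, which is exactly how the technique surfaces a control that has drifted from its specification.

```python
"""Test-data approach to checking an automated input control.

Added example, not from the GTAG. The control, its business rules, the
account codes and the user names are all constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from decimal import Decimal, InvalidOperation
from typing import List, Optional

# Assumed business rules the control is documented to enforce.
APPROVAL_LIMIT = Decimal("10000.00")        # above this a second approver is required
MAX_BACKDATING_DAYS = 30                     # documented rule; see deck item P-09
VALID_ACCOUNTS = {"1000", "2000", "3000"}    # constructed chart of accounts
ALLOWED_CURRENCIES = {"USD", "EUR"}
DEMO_DATE = date(2005, 3, 1)                 # processing date used by the demo run


@dataclass
class Payment:
    ref: str
    account: str
    amount: str            # kept as text: parsing it is part of the control
    currency: str
    entered_by: str
    approved_by: Optional[str]
    value_date: date


def validate_payment(p: Payment, today: date) -> List[str]:
    """The automated input control under test.

    Returns the list of rejection reasons; an empty list means accepted.
    """
    reasons = []
    try:
        amount = Decimal(p.amount)
    except InvalidOperation:
        return ["amount not numeric"]
    if not amount.is_finite():               # Decimal("NaN") parses, so check explicitly
        return ["amount not a finite number"]
    if amount <= 0:
        reasons.append("amount must be positive")
    if amount.as_tuple().exponent < -2:
        reasons.append("amount has more than two decimal places")
    if p.account not in VALID_ACCOUNTS:
        reasons.append("unknown account code")
    if p.currency not in ALLOWED_CURRENCIES:
        reasons.append("currency not allowed")
    if p.value_date > today:
        reasons.append("value date in the future")
    if amount > APPROVAL_LIMIT and not p.approved_by:
        reasons.append("amount over limit requires approval")
    if p.approved_by and p.approved_by == p.entered_by:
        reasons.append("entry and approval by the same user")
    # The documented backdating rule (MAX_BACKDATING_DAYS) is not implemented
    # here; the test deck below is designed to expose that gap.
    return reasons


@dataclass
class DeckItem:
    payment: Payment
    expect_accept: bool      # outcome the control's documentation says it should produce


def build_test_deck(today: date) -> List[DeckItem]:
    """Constructed population of valid and invalid items with expected results."""
    def pay(ref, account="1000", amount="250.00", currency="USD", entered_by="alice",
            approved_by=None, value_date=today):
        return Payment(ref, account, amount, currency, entered_by, approved_by, value_date)
    return [
        DeckItem(pay("P-01"), True),                                          # plain valid item
        DeckItem(pay("P-02", amount="15000.00", approved_by="bob"), True),    # over limit, approved
        DeckItem(pay("P-03", amount="12,500.00"), False),                     # thousands separator
        DeckItem(pay("P-04", amount="-100.00"), False),                       # negative amount
        DeckItem(pay("P-05", account="9999"), False),                         # unknown account
        DeckItem(pay("P-06", amount="15000.00"), False),                      # over limit, no approval
        DeckItem(pay("P-07", amount="15000.00", approved_by="alice"), False), # self-approval
        DeckItem(pay("P-08", value_date=today + timedelta(days=1)), False),   # future value date
        DeckItem(pay("P-09", value_date=today - timedelta(days=90)), False),  # backdated beyond 30 days
        DeckItem(pay("P-10", amount="NaN"), False),                           # parses, but not a number
        DeckItem(pay("P-11", amount="10.005"), False),                        # three decimal places
        DeckItem(pay("P-12", currency="GBP"), False),                         # currency not allowed
    ]


@dataclass
class DeckResult:
    as_expected: List[str]
    exceptions: List[str]    # refs where the control's outcome differs from its documented design


def run_test_deck(deck: List[DeckItem], today: date) -> DeckResult:
    """Process every deck item through the control and compare with expectations."""
    result = DeckResult([], [])
    for item in deck:
        accepted = not validate_payment(item.payment, today)
        bucket = result.as_expected if accepted == item.expect_accept else result.exceptions
        bucket.append(item.payment.ref)
    return result


if __name__ == "__main__":
    outcome = run_test_deck(build_test_deck(DEMO_DATE), DEMO_DATE)
    print("as expected:", outcome.as_expected)
    print("exceptions (control does not match design):", outcome.exceptions)
```

The deck is written against the control's documented design, not its code, which is why it can report P-09 as an exception: the auditor's expectation comes from policy, and the run shows where the implementation has fallen short of it.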

GTAG — Assessment — 10

How Auditing Contributes to IT Controls

During the past four decades, there have been periods of reflection when management and auditors agreed the auditors could add value to the organization by contributing their controls expertise to development processes, to ensure appropriate controls were incorporated into new systems rather than adding controls after an audit revealed a deficiency. These activities coincided with the developments in control and risk self-assessment in the mainstream audit world. Audit consulting and risk-based auditing became widespread. The 1990s and beyond also saw dramatic increases in attention to information security management as cyber attacks increased in number and severity. These events have helped shape the role of the IT auditor, as well as the business world's recognition of the importance of effective information security management.

10.2.1 Automated Continuous Monitoring

Continuous monitoring and audit tools have been used for many years. Previously called embedded audit software, program code in business systems checks data being processed against predetermined criteria and reports anomalies it detects. The benefit of such monitoring is obvious: any discrepancies can be identified and acted upon immediately. Many proprietary business software products now provide such continuous monitoring functionality. The concept has also gone beyond business applications. For example, most firewall products and intrusion detection systems continuously check for potential attack scenarios and provide instant alerts when potential attacks are detected. This type of monitoring can cause problems due to the considerable volume of data and potential errors that are highlighted, not all of which will be worthy of attention. The task of refining the analysis techniques and monitoring thresholds requires constant vigilance to determine which alerts to highlight and which to accept as normal events.
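The embedded-audit style of monitoring described in 10.2.1 and the event-driven detection of unusual activity in 9.2.1 (large-value transactions and other items to be referred for investigation), as one added example that is not part of the GTAG: a routine that checks a batch of posted transactions against predetermined criteria and reports anomalies, then shows how the alert volume changes with the large-value threshold, which is the tuning problem the paragraph above describes. The postings, account authorizations, approval limit and business-hours window are all constructed for this example.

```python
"""Embedded-audit style continuous monitoring over posted transactions.

Added example, not from the GTAG. The postings, the account authorizations,
the approval limit and the business-hours window are all constructed.
"""
import csv
import io
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from decimal import Decimal
from typing import Dict, Iterable, List

APPROVAL_LIMIT = Decimal("10000")          # assumed business rule for single-approver postings
BUSINESS_HOURS = range(7, 20)              # assumed: 07:00 to 19:59, Monday to Friday
AUTHORIZED_POSTERS = {                     # constructed access matrix: account -> users who may post
    "6100": {"alice"},
    "6200": {"bob", "carol"},
    "6300": {"carol"},
}

# Constructed sample of one week's postings (not real data).
SAMPLE_POSTINGS = """\
ref,timestamp,user,account,vendor,invoice,amount
T001,2005-03-01T09:15:00,alice,6100,ACME Supplies,INV-1001,6000.00
T002,2005-03-01T09:40:00,alice,6100,ACME Supplies,INV-1002,5500.00
T003,2005-03-01T22:05:00,bob,6200,Globex,INV-77,850.00
T004,2005-03-02T10:00:00,carol,6200,Initech,INV-500,12500.00
T005,2005-03-02T11:30:00,bob,6100,ACME Supplies,INV-1003,400.00
T006,2005-03-03T14:00:00,carol,6300,Globex,INV-77,850.00
T007,2005-03-05T09:00:00,alice,6100,Umbrella,INV-9,1500.00
T008,2005-03-07T09:30:00,alice,6100,Umbrella,INV-10,1500.00
"""


@dataclass
class Posting:
    ref: str
    when: datetime
    user: str
    account: str
    vendor: str
    invoice: str
    amount: Decimal


@dataclass(frozen=True)
class Alert:
    rule: str
    ref: str
    detail: str


def parse_postings(text: str) -> List[Posting]:
    """Read the CSV extract into Posting records (amounts as Decimal, never float)."""
    return [Posting(r["ref"], datetime.fromisoformat(r["timestamp"]), r["user"], r["account"],
                    r["vendor"], r["invoice"], Decimal(r["amount"]))
            for r in csv.DictReader(io.StringIO(text))]


def monitor(postings: Iterable[Posting], large_value_threshold=Decimal("10000"),
            duplicate_window=timedelta(days=3)) -> List[Alert]:
    """Check each posting against predetermined criteria and report anomalies."""
    alerts = []
    first_ref_for_invoice = {}                 # (vendor, invoice) -> ref of first posting seen
    by_vendor_amount = defaultdict(list)       # (vendor, amount) -> earlier postings
    by_user_vendor_day = defaultdict(list)     # (user, vendor, date) -> postings that day
    for p in sorted(postings, key=lambda x: x.when):
        if p.amount >= large_value_threshold:
            alerts.append(Alert("LARGE_VALUE", p.ref, f"amount {p.amount} >= {large_value_threshold}"))
        if p.when.weekday() >= 5 or p.when.hour not in BUSINESS_HOURS:
            alerts.append(Alert("OFF_HOURS", p.ref, p.when.isoformat()))
        if p.user not in AUTHORIZED_POSTERS.get(p.account, set()):
            alerts.append(Alert("UNAUTHORIZED_ACCOUNT", p.ref, f"{p.user} may not post to {p.account}"))
        key = (p.vendor, p.invoice)
        if key in first_ref_for_invoice:
            alerts.append(Alert("POSSIBLE_DUPLICATE", p.ref, f"invoice already posted as {first_ref_for_invoice[key]}"))
        else:
            earlier = [q for q in by_vendor_amount[(p.vendor, p.amount)] if p.when - q.when <= duplicate_window]
            if earlier:
                alerts.append(Alert("POSSIBLE_DUPLICATE", p.ref,
                                    f"same vendor and amount as {earlier[0].ref} within {duplicate_window.days} days"))
        first_ref_for_invoice.setdefault(key, p.ref)
        by_vendor_amount[(p.vendor, p.amount)].append(p)
        by_user_vendor_day[(p.user, p.vendor, p.when.date())].append(p)
    # Same-day postings that each stay under the approval limit but together exceed it.
    for (user, vendor, day), group in by_user_vendor_day.items():
        under = [q for q in group if q.amount < APPROVAL_LIMIT]
        total = sum(q.amount for q in under)
        if len(under) >= 2 and total >= APPROVAL_LIMIT:
            for q in under:
                alerts.append(Alert("SPLIT_PATTERN", q.ref,
                                    f"{len(under)} postings by {user} to {vendor} on {day} total {total}"))
    return alerts


def alert_volume(postings: List[Posting], thresholds: Iterable[int]) -> Dict[int, int]:
    """Alert count for each candidate large-value threshold: the tuning trade-off."""
    return {t: len(monitor(postings, large_value_threshold=Decimal(t))) for t in thresholds}


if __name__ == "__main__":
    batch = parse_postings(SAMPLE_POSTINGS)
    for a in monitor(batch):
        print(f"{a.rule:22} {a.ref}  {a.detail}")
    print("alerts per threshold:", alert_volume(batch, (5000, 10000, 20000)))
```

Every alert names the rule and the evidence it rests on, so the entity chartered to investigate can triage without re-running the analysis; the threshold sweep makes visible the trade-off the text describes, since lowering the large-value threshold from 10,000 to 5,000 adds alerts on this batch without changing any of the other findings.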

10.2.2 Automated Internal Control Analysis Tools

Audit software can be used to analyze stored data and check its validity to ensure the continuous, reliable operation of internal controls. Originally designated audit interrogation software, products such as ACL (www.acl.com) or CaseWare IDEA (www.caseware.com) now provide sophisticated features and specific analysis that can reduce the control assessment workload while increasing effectiveness and efficiency. Spreadsheet products like Microsoft Excel also contain powerful analysis tools auditors may use.

10.2.3 Automated Risk Analysis

Tools also are available for automating the risk analysis process. These tools are invaluable to the entire internal audit function, not just the IT auditor or risk specialist. Performing a proper risk analysis in today's complex IT environments is not easy without the assistance of automated tools.

Management is responsible for performing risk assessments to determine the controls to implement or improve. Internal auditors perform similar analysis when assessing the adequacy of controls for audit plan and scope purposes. Automated tools can assist both processes. The automation of internal audit management is a major topic in its own right.

10.3 Audit Committee/Management/Audit Interfaces

It is impractical to establish rules for reporting on every special IT control situation. The CAE must apply prudent judgment when expressing an opinion or submitting a report to the audit committee. This is no different from the way the CAE interacts with the audit committee regarding other internal control issues.

The CAE will discuss internal control issues with the audit committee to determine the optimum level of information to be provided to enable the audit committee to achieve its statutory, regulatory, policy, due care, or other governance obligations.

"Metrics and reporting" and "audit report summaries" are two areas where the CAE should interact with the audit committee regarding internal controls. Further interactions will depend on the needs of the specific audit committee and any legislative or regulatory requirements.

Metrics and Reporting. Metrics and reports must present meaningful information on the status of IT controls. While management provides the metrics and reporting, the CAE should be able to attest to their validity and opine on their value. This is accomplished through audit examination of the relevant control areas to produce an independent and objective assessment. The CAE should liaise with management at all levels and with the audit committee to agree on the validity and effectiveness of the metrics and assurances chosen for reporting.

A basic set of governance and management metrics for information security is included in Appendix G (See page 40). These metrics do not include specific data regarding the operation of detailed technical controls, although the technical controls may provide the information used in measurement. The actual metrics used will depend on the organization and the needs of the audit committee. The CAE can select examples of measurements taken at any level of the organization to help illustrate matters that can impact controls at the governance level materially.

Audit Report Summaries. Prepared on a regular basis for the audit committee, these reports summarize findings, conclusions, and opinions regarding the status of IT controls. They also can report on the agreed-upon actions from prior audit reports and the status of those actions — probably on an exception basis for actions not taken within the designated time frame. IT controls summaries cannot be presented in isolation but should be presented in the context of the entire internal control framework.

The frequency of reporting depends on the organization's needs. In a strong regulatory environment, such as provided by Sarbanes-Oxley in the United States, quarterly reporting is required. Otherwise, the frequency of reporting will be driven by the organization's governance framework and philosophy and the extent to which IT risks exist.


Figure 6 – Audit Interfaces


GTAG — Conclusion — 11

Assessing IT controls is an ongoing process because business processes are constantly changing, technology continues to advance, threats evolve as new vulnerabilities emerge, and audit methods keep improving. The CAE should keep assessments of IT controls that support business objectives near the top of the audit agenda.

Assessing IT controls is not a case of determining whether best practices are employed, as controls are specific to the organization's mission, objectives, culture, deployed processes and technologies, and risks. Technology should be tailored to provide effective control, and the CAE should ensure internal auditing adopts appropriate and effective methods. Auditing IT is a continuous learning process.

The CAE is rarely in a position to understand all the technologies used in his or her environment and their specific control implications. That is why properly certified and experienced IT auditors are a major asset for any internal audit function. However, the CAE should understand the overall control issues and be able to communicate them to senior management and to appropriate committees of the board of directors in a form they will understand and in a manner that will result in an appropriate response. The key to assessing IT controls effectively is communication with technical staff, management, and board members.

GTAG — Appendix A — Information Security Program Elements — 12

Note: This appendix is extracted from the report of the Best Practices and Metrics team of the Corporate Information Security Working Group (CISWG), as provided on November 17, 2004, to the Subcommittee on Technology, Information Policy, Intergovernmental Relations, and the Census, Government Reform Committee, U.S. House of Representatives, and subsequently amended on January 10, 2005. Additional information may be obtained from the "Technology" section of http://www.theiia.org.

12.1 Governance (Board of Directors)

• Oversee risk management and compliance programs pertaining to information security (e.g., Sarbanes-Oxley, Health Insurance Portability and Accountability Act, Gramm-Leach-Bliley Act).
• Approve and adopt broad information security program principles and approve assignment of key managers responsible for information security.
• Strive to protect the interests of all stakeholders dependent on information security.
• Review information security policies regarding strategic partners and other third parties.
• Strive to ensure business continuity.
• Review provisions for internal and external audits of the information security program.
• Collaborate with management to specify the information security metrics to be reported to the board.

12.2 Management

• Establish information security management policies and controls and monitor compliance.
• Assign information security roles, responsibilities, and required skills, and enforce role-based information access privileges.
• Assess information risks, establish risk thresholds, and actively manage risk mitigation.
• Ensure implementation of information security requirements for strategic partners and other third parties.
• Identify and classify information assets.
• Implement and test business continuity plans.
• Approve information systems architecture during acquisition, development, operations, and maintenance.
• Protect the physical environment.
• Ensure internal and external audits of the information security program with timely follow-up.
• Collaborate with security staff to specify the information security metrics to be reported to management.

12.3 Technical

Establishing a complete information security program requires attention to the following technical program elements:

• User identification and authentication
• User account management
• User privileges
• Configuration management
• Event and activity logging and monitoring
• Communications, e-mail, and remote access security
• Malicious code protection, including viruses, worms, and trojans
• Software change management, including patching
• Firewalls
• Data encryption
• Backup and recovery
• Incident and vulnerability detection and response
• Collaboration with management to specify the technical metrics to be reported to management

There is an increasing volume of legislation impacting on the internal control framework that organizations choose to implement. Although much of this legislation has emerged over recent years in the United States as a result of various corporate scandals, it has impacted organizations in other countries as well. Organizations should be aware of the relevant legislation, regulation, and business practices around the world — particularly in all countries in which they do business — to assess the organizational impacts and requirements.

For example, data protection legislation in Europe inhibits the transfer of information across borders to countries that do not have comparable data-protection regulation in place. This impacts trading relationships where the information to be transferred refers to identifiable individuals. Sarbanes-Oxley contains requirements for reporting on the system of internal controls for all organizations publicly traded in the United States, as well as their foreign subsidiaries.

This appendix provides a summary of requirements and the impact of some of the major legislation and regulation that should be considered in assessing and managing IT controls. Although this GTAG is aimed at a global audience, it covers Sarbanes-Oxley in some depth because it is one of the most significant pieces of legislation to emerge in recent years. The Organisation for Economic Co-operation and Development (OECD) Corporate Governance Principles provide a general framework for the implementation of business controls. The Basel II Accords have a major impact on the international financial sector, and many have suggested Basel II guidance may also influence other sectors.

13.1 U.S. Sarbanes-Oxley Act of 2002

Sarbanes-Oxley (http://www.theiia.org/iia/guidance/issues/sarbanes-oxley.pdf) was intended to reform public accounting practices and other corporate governance processes and shore up the capital markets in the wake of the Enron and WorldCom corporate governance scandals. The PCAOB provides a comprehensive collection of information and advice on Sarbanes-Oxley at its Web site (http://www.sarbanes-oxley.com). The key requirements of Sarbanes-Oxley, the SEC, and U.S. stock listing exchanges are fully compared and contrasted in an IIA Research Foundation analysis titled "Assessment Guide for U.S. Legislative, Regulatory, and Listing Exchanges Requirements Affecting Internal Auditing" (www.theiia.org/iia/download.cfm?file=519).

However, Sarbanes-Oxley does not address the issue of IT controls specifically. This does not mean IT can be ignored when performing the compliance reviews required by the act. The act is neutral with regard to technology, but the implication is clear that IT controls are critical to an organization's overall system of internal controls. As IT controls address the secure, stable, and reliable performance of hardware, software, and personnel to ensure the reliability of financial applications, processes, and reporting, they must be a significant element of compliance reviews.

Some key IT control areas have been interpreted as not being incorporated in Sarbanes-Oxley compliance. These include privacy, business continuity, business systems, data classification, and information not specific to financial processing and reporting. Therefore, any audit specifically limited to Sarbanes-Oxley compliance will not assess all the risks faced by the organization and must be supplemented to ensure full audit coverage of the organization's risk management and internal controls.

Tools and resources for corporate governance initiatives and current legislation can be found on The IIA's Web site at http://www.theiia.org/iia/index.cfm?doc_id=4061.

13.1.1 Sarbanes-Oxley Sections Relevant to IT Controls

The following briefly describes the sections of Sarbanes-Oxley that relate to auditors and IT controls.

13.1.1.1 Sections 103 and 802

These sections establish rules for the public accounting firm relating to the audit and report. In particular, they require the board to establish standards for the audit work. They also require auditors to test the internal control structures and attest to the strength of those structures. This review must include a thorough examination of the IT controls that are fundamental to the system of internal control over financial reporting.

One specific requirement relates to the retention of records "that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets." Again, this is influenced greatly by the way in which IT records are maintained and retained.

13.1.1.2 Section 201

This section requires that external auditors be independent. This precludes them from performing work for a client in the capacity of IT consultants or providing outsourced internal audit services. Organizations that do not wish to employ their own IT auditors cannot outsource the work to their external auditors.

13.1.1.3 Section 301

Section 301 defines the need for audit committee members to be independent and precludes them from performing any other consulting work on behalf of the organization. It also requires audit committees to establish procedures to handle "confidential, anonymous submission by employees of the issuer of concerns regarding questionable accounting or auditing matters" (whistle-blower complaints). This would also relate to any issues arising from the control of IT.

GTAG — Appendix B — Compliance With Laws and Regulations and Guidance on Compliance Implementation — 13

13.1.1.4 Sections 302 and 404

Section 302 of the act requires the CEO and CFO — who are responsible for financial information and the system of internal controls — to evaluate the system of internal controls every 90 days and report on their conclusions and any changes.

They must disclose:

• "All significant deficiencies in the design or operation of internal controls that could adversely affect the issuer's ability to record, process, summarize, and report financial data, and identify for the issuer's auditors any material weaknesses in internal controls."

• "Any fraud, whether or not material, that involves management or other employees who have a significant role in the issuer's internal controls."

Section 404 requires the CEO and CFO to produce an annual audit report that:

• Assesses the effectiveness of the internal control structure over financial reporting.
• Discloses all known internal control weaknesses.
• Discloses all known frauds.

This report will cover all applicable IT controls, including program logic and related change controls, access controls, and data protection. The PCAOB Auditing Standard No. 2 suggests the COSO Internal Control – Integrated Framework as a basis for Section 404 compliance management. References to Statement of Auditing Standards (SAS) 95 also emphasize the importance of IT and information security controls to Sarbanes-Oxley.

13.1.1.5 Section 409

Section 409 requires organizations to disclose any material changes to operations in real time and in plain English. Some contend these requirements establish a foundation or need for continuous monitoring, auditing, and assurance processes to become part of significant internal control processes.

132 Basel II AccordThe Basel II Accord is a global regulatory treaty that definesthe global standards for enterprisewide risk managementpractices in the financial sector with the intent to mitigaterisks of losses in the industry The focus is on the bankingsector but there is a clear intent to harmonize standardsacross all segments of the industry All areas of bank opera-tions are included mdash people processes systems governanceand supplier management

A bank willing to qualify for the Advanced MeasurementApproach (AMA) under the Operational Risk (OR) Treatymust implement best practice in operations and risk manage-ment For risk management this means

bull Senior management is actively involvedbull The bank has an OR management system processes

policies and procedures enterprisewidebull The bank has the right governance and sufficient

resources to manage operational risksbull The bank has an OR management function that is

responsible forndash Designing and implementing the OR management

frameworkndash Codifying policies procedures and controlsndash Designing and implementing an OR measurement

methodologyndash Designing and implementing an OR management

reporting systemndash Developing strategies to identify measure monitor

and control or mitigate ORbull An OR measurement system is closely integrated into

the day-to-day risk management processbull The OR exposures and loss experiences are regularly

reportedbull The OR management system is documentedbull Internal and external auditors regularly review the

OR management processes and measurement systemKey to success in OR management is an information systemthat supports OR exposure self-assessment allows processmapping consists of an OR loss database and reporting func-tion and entails an action-plan management function

The Basel Committee does not specify the approach or distributional assumptions to be used to generate the OR measure for regulatory capital purposes. However, the framework allows for three basic approaches that essentially are dependent on the quality and quantity of risk management data. Whereas using more data and historical metrics to prove good performance may allow banks to maintain less capital reserves and to quantify OR, the banks must be able to demonstrate that their approaches capture potentially severe "tail" loss events (severe, unexpected losses). Moreover, consistency with the scope of OR as defined by the Basel Committee is required.

First, a bank's organization-wide risk assessment methodologies must capture key business environmental and internal control factors that can change its OR profile. In addition, the bank should have a process for assessing overall capital adequacy.

Next, the risk measurement system must be granular enough to capture the tails of the loss estimates. Banks are expected to use expert opinion in conjunction with external data for scenario analysis to evaluate their exposure to high-severity events. Because a bank does not have enough of its own data in the area of high-impact, low-frequency risks, it must acquire data from an external provider such as Zurich-based ORX, Global Operational Loss Database (GOLD), or MORE Exchange.

The banks must have a credible, transparent, well-documented, and verifiable approach for weighting these fundamental elements in their overall OR measurement system. There are additional prerequisites to qualify for the AMA:

• Internal loss and performance data — successes, near misses, and failures — all must be tracked and accounted for (reconciled to the books of the bank).

GTAG — Appendix B — Compliance With Laws and Regulations and Guidance on Compliance Implementation — 13

• Internal loss data must be linked to the bank's current business activities.

• An observation period of at least five years is required for internal loss data, with a minimum of three years necessary when moving to AMA.

• According to the internal loss collection process:
  – OR losses related to credit risk, and historically included in banks' credit risk databases, continue to be treated as credit risk for the purpose of calculating minimum regulatory capital under this framework. Such losses should be flagged separately.
  – OR losses related to market risk are treated as OR for the purposes of calculating minimum regulatory capital under this framework and are subject to the OR capital charge.

• The OR measurement system must use relevant external data.

Third, Basel II disclosure requires banks to describe their risk management objectives and policies for each separate risk area, including:

• Strategies and processes.
• Structure and organization of the risk management function.
• Scope and nature of risk reporting.
• Policies for hedging and mitigating risks (including operations).

Note: The BITS Key Risk Measurement Tool for Information Security Operational Risks, or "BITS Kalculator" (http://www.bitsinfo.org/bitskalculatorjuly04.pdf), is a tool financial institutions of all sizes can use to evaluate critical information security risks to their businesses. It can be downloaded at no cost from the BITS Web site (http://www.bitsinfo.org/wp.html).

13.3 Data Protection

The concept of data protection was developed when computerization issues were raised at United Nations and OECD conferences in the late 1960s. The first national law was enacted in 1974 in Sweden, and the OECD published its Data Protection Guidelines in 1980 (OECD C (80) 58 final). Regional bodies like the Council of Europe (Data Protection Convention 108/1981, human rights-based) and the European Commission (EC) (Directive 95/46/EC, consumer protection-oriented) have enacted binding frameworks for implementation in their member states. Depending on their legal system, many countries around the globe have constitutional provisions and omnibus laws or a broad spectrum of sector regulations for data protection. To bridge the differences in U.S. and European Union (EU) privacy regulations, the EC and the U.S. Department of Commerce developed a safe harbor framework for U.S. companies. The safe harbor is a framework agreement consisting of seven principles and a series of frequently asked questions. (See also http://www.was4.hewitt.com/hewitt/resource/legislative_updates/europe/eu_data1.htm.)

The EU legislation requires organizations to protect the personal information of individuals. The legislation also mandates that appropriate technical measures be taken to ensure the security of personal data, whether electronic or manual. Further information regarding data protection can be found at the Electronic Privacy Information Center (EPIC) (http://www.epic.org), Privacy International (http://www.privacyinternational.org), and the UK Office of the Information Commissioner (http://www.informationcommissioner.gov.uk).

13.4 The U.S. Gramm-Leach-Bliley Act (GLBA) – The Financial Modernization Act of 1999

The GLBA was introduced to protect the privacy of customer information in the financial sector, but it extends beyond financial companies. Any company that handles non-public financial customer information may be held accountable under this law, depending on the circumstances. More information is available from EPIC (http://www.epic.org/privacy/glba) and the U.S. Federal Trade Commission (http://www.ftc.gov/bcp/conline/pubs/buspubs/glblong.shtm#whois).

13.5 U.S. Health Insurance Portability and Accountability Act (HIPAA) 1996

HIPAA contains requirements for the privacy of personal information and for information security. The law applies to U.S.-based companies in the health care sector but can also pertain to any company that provides health care benefits to employees, depending on the circumstances. Further details can be found at http://www.hipaa.org.

13.6 California Security Breach Information Act, Civil Code Sections 1798.29 and 1798.82 (Frequently Referenced by the Bill – CA SB 1386)

California's State Bill 1386 amended the Information Practices Act of 1977 of the California Civil Code to create a sweeping regulation that mandates public disclosure of computer-security breaches in which confidential information of any California resident may have been compromised. Every enterprise — public or private — doing business with California residents is potentially affected. Confidential information covered by the law includes Social Security numbers, California driver's license numbers, account numbers, and credit or debit card numbers. A more detailed article on this regulation can be found at http://www.theiia.org/itaudit/index.cfm?fuseaction=forum&fid=5501. Although case law for this legislation is not cited here, some discussions on the subject have indicated the courts may not view an organization's statement favorably if it treats its California customers differently from its other customers.


13.7 Global National Regulations

Many countries have national regulations covering internal control, including Germany (KonTraG risk management requirement) and France (LSF internal control reporting requirement). In addition, external auditors may be required to certify the adequacy of financial reporting mechanisms and controls. Although most of these regulations do not address IT directly, they imply the need for an adequately controlled IT infrastructure. For this reason, many national bodies of the International Federation of Accountants (IFAC) provide detailed guidance for evaluating IT controls.

GTAG – Appendix C – Three Categories of IT Knowledge for Internal Auditors – 14


14.1 Auditor Knowledge Considerations

Standard 1210 – Proficiency, of The IIA's Standards, requires that the internal audit activity collectively should possess or obtain the knowledge, skills, and other competencies needed to perform its responsibilities.⁴ Varying levels of IT knowledge are needed throughout the organization to provide a systematic, disciplined approach to evaluating and improving the effectiveness of risk management, control, and governance processes. Knowledge of how IT is used, the related risks, and the ability to use IT as a resource in the performance of audit work is essential for auditor effectiveness at all levels.

The IIA's International Advanced Technology Committee has identified three categories of IT knowledge for internal auditors:

14.1.1 Category 1 – All Auditors

Category 1 is the knowledge of IT needed by all professional auditors, from new recruits up through the CAE. Basic IT knowledge encompasses understanding concepts such as the differences in software used in applications, operating systems and systems software, and networks. It includes comprehending basic IT security and control components such as perimeter defenses, intrusion detection, authentication, and application system controls. Basic knowledge includes understanding how business controls and assurance objectives can be impacted by vulnerabilities in business operations and the related and supporting systems, networks, and data components. It is fundamentally about ensuring that auditors have sufficient knowledge to focus on understanding IT risks without necessarily possessing significant technical knowledge.

14.1.2 Category 2 – Audit Supervisors

Category 2 applies to the supervisory level of auditing. In addition to having basic IT knowledge, audit supervisors must understand IT issues and elements sufficiently to address them in audit planning, testing, analysis, reporting, follow-up, and assigning auditor skills to the elements of audit projects. Essentially, the audit supervisor must:

• Understand the threats and vulnerabilities associated with automated business processes.

• Understand business controls and risk mitigation that should be provided by IT.

• Plan and supervise audit tasks to address IT-related vulnerabilities and controls, as well as the effectiveness of IT in providing controls for business applications and environments.

• Ensure the audit team has sufficient competence — including IT proficiency — for audits.

• Ensure the effective use of IT tools in audit assessments and testing.

• Approve plans and techniques for testing controls and information.

• Assess audit test results for evidence of IT vulnerabilities or control weaknesses.

• Analyze symptoms detected and relate them to causes that may have their sources in business or IT planning, execution, operations, change management, authentication, or other risk areas.

• Provide audit recommendations based on business assurance objectives appropriate to the sources of problems noted, rather than simply reporting on problems or errors detected.

14.1.3 Category 3 – Technical IT Audit Specialists

Category 3 applies to the technical IT audit specialist. Although IT auditors may function at the supervisory level, they must understand the underlying technologies supporting business components and be familiar with the threats and vulnerabilities associated with the technologies. IT auditors also may specialize in only certain areas of technology.

IIA programs and products are designed primarily to meet the information needs of the Category 1 and 2 auditor. The Category 1 auditor will seek IIA guidance in relating IT threats, vulnerabilities, and controls to business assurance objectives. IIA products also provide information that can be useful in explaining the business impacts of technical problems. In addition, IIA products can help Category 3 technical IT auditors gain proficiency in areas of technology with which they are not already familiar and in striving to reach supervisory or management audit competence.

The SANS Institute provides information security training and awards Global Information Assurance Certification (GIAC) relevant to information security professionals, including auditors. The course offerings and accompanying certifications match the growing demands of students, new threats, and new technologies. GIAC certifications (http://www.giac.org/subject_certs.php) are grouped by subject matter and level of difficulty. Some are full certifications that accompany five- to six-day training courses, while others are certificates related to one- to two-day courses. Certificates are less involved but more intensely focused than certifications.

Also of interest and benefit to all categories of IT auditor are the materials provided by the Information Systems Audit and Control Association (ISACA). ISACA offers standards, guidelines, and procedures for IT audit professionals; technical research focused on IT audit topics; the Certified Information Systems Auditor (CISA) certification, earned by more than 35,000 individuals worldwide; and publications, education, and conferences targeted to IT audit professionals.

⁴ Note: The "Three Categories of IT Knowledge for Internal Auditors" document is not part of The IIA's Standards but is practical guidance provided by The IIA's International Advanced Technology Committee.

GTAG — Appendix D — Compliance Frameworks — 15


15.1 COSO

Formed in 1985, COSO is an independent private-sector initiative that studied the factors that can lead to fraudulent financial reporting and developed recommendations for public companies and their independent auditors, the SEC and other regulators, and educational institutions. COSO produced the Internal Control – Integrated Framework (Appendix E, see page 36), a widely accepted tool for both management and auditors, in September 2004, and it published Enterprise Risk Management – Integrated Framework in fall 2004. Details of both frameworks can be found at http://www.coso.org.

15.2 CICA CoCo

The Canadian Institute of Chartered Accountants (CICA) produced the Criteria of Control Framework (CoCo) in 1992 to address public and institutional concerns that the traditional view of control was no longer effective in preventing corporate failures. The mission of CoCo is to improve organizational performance and decision making through better understanding of control, risk, and governance. Moreover, the framework provides a basis for making judgments about the effectiveness of control.

In 1995, Guidance on Control was produced, which describes the CoCo framework and defines control in a way that goes beyond the traditional internal control over financial reporting. The CoCo model is a way of focusing on the future of an organization to ensure it is in control by having a clear sense of shared purpose, collective commitment to achieve that purpose, the resources it needs to do the job, and the ability to learn from experience.

15.3 CICA IT Control Guidelines

The IT Control Guidelines, published by the CICA, is a reference source for evaluating IT controls. It is organized in a manner that is easy to use and written in straightforward business language.

15.4 ITGI Control Objectives for Information and Related Technology (CobiT)

Established in 1998, the IT Governance Institute (ITGI) provides guidance on current and future issues related to IT governance, security, and assurance. The ITGI's leading guidance publication is Control Objectives for Information Technology (CobiT) (see Appendix F). ITGI's CobiT provides a reference framework and common language across the entire information systems life cycle for IS and business leaders and IS audit, control, and security practitioners. CobiT is one of the most popular and internationally accepted sets of guidance materials for IT governance.

15.5 ISO 17799 (Code of Practice for Information Security Management)

ISO/IEC 17799:2000(E), promulgated by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), defines information security principles that ultimately can provide assurance to trading partners and regulators that an organization's information is protected properly. Derived from the British Standards Institution's BS 7799 standard, the Code of Practice for Information Security Management is built around specific security elements required within 10 areas, including physical and environmental security, communication and operational management, and access control. Although, as a code of practice, ISO/IEC 17799:2000 provides guidance and recommendations, it is not intended to be a specification, and care should be taken to ensure that claims of compliance are not misleading.

The original BS 7799 standard has two parts:

• Part 1 is the Code of Practice and is identical to ISO/IEC 17799:2000.
• Part 2 is a specification for implementing an information security management system (ISMS).

To comply with BS 7799 Part 2 (BS 7799-2:2002), an organization's installed ISMS must conform to the set of requirements described in the standard, which are in the form of "shall" statements. Third-party bodies have been accredited to certify or register organizations to BS 7799-2:2002.

15.5.1 What Is Information Security?

BS 7799 treats information as an asset which, like other important business assets, has value to an organization and consequently needs to be protected. Information security protects information from a wide range of threats to ensure business continuity, minimize business damage, and maximize return on investments and business opportunities.

Information can exist in many forms: printed or written on paper, stored electronically, transmitted by post or using electronic means, shown on films, or spoken in conversation. Whatever form the information takes, or means by which it is shared or stored, BS 7799 indicates that it always should be protected appropriately.

Information security is characterized within BS 7799 as the preservation of:

• Confidentiality – ensuring that information is accessible only to those authorized to have access.

• Integrity – safeguarding the accuracy and completeness of information and processing methods.

• Availability – ensuring that authorized users have access to information and associated assets when required.

Information security is achieved by implementing a suitable set of controls from BS 7799, which could be policies, practices, procedures, organizational structures, and software functions. These controls should be established to ensure the specific security objectives of the organization are met.

15.5.2 How to Establish Security Requirements

BS 7799 states that it is essential that an organization identify its security requirements. There are three main sources:

• Assessing risks to the organization. BS 7799 does not prescribe a methodology.

• The legal, statutory, regulatory, and contractual requirements that an organization, its trading partners, contractors, and service providers have to satisfy.

• The particular set of principles, objectives, and requirements for information processing that an organization has developed to support its operations.

15.5.3 Assessing Security Risks

BS 7799 suggests that security requirements be identified by a methodical assessment of security risks. Expenditure on controls should be balanced against the business harm likely to result from security failures. The process of assessing risks and selecting controls may need to be performed a number of times to cover different parts of the organization or individual information systems, and it is important to review security risks and implemented controls periodically.

15.5.4 Selecting Controls

Once security requirements have been identified, controls from BS 7799 should be selected and implemented to ensure risks are reduced to an acceptable level. Controls should be selected based on the cost of implementation in relation to the risks being reduced and the potential losses if a security breach occurs. Nonmonetary factors, such as loss of reputation, should also be taken into account. For more information on BS 7799, see http://www.bs7799-iso17799.com.

15.5.5 Topics Addressed in BS 7799

1. Scope
2. Terms and definitions
3. Security policy
   3.1 Information security policy document
   3.2 Review and evaluation
4. Security organization
   4.1 Information security infrastructure
   4.2 Security of third-party access
   4.3 Outsourcing
5. Asset classification and control
   5.1 Accountability for assets
   5.2 Information classification
6. Personnel security
   6.1 Security in job definition and resourcing
   6.2 User training
   6.3 Responding to security incidents and malfunctions
7. Physical and environmental security
   7.1 Secure areas
   7.2 Equipment security
   7.3 General control
8. Communications and operations management
   8.1 Operational procedures and responsibilities
   8.2 System planning and acceptance
   8.3 Protection against malicious software
   8.4 Housekeeping
   8.5 Network management
   8.6 Media handling and security
   8.7 Exchanges of information and software
9. Access control
   9.1 Business requirement for access control
   9.2 User access management
   9.3 User responsibilities
   9.4 Network access control
   9.5 Operating system access control
   9.6 Application access control
   9.7 Monitoring system access and use
   9.8 Mobile computing and teleworking
10. Systems development and maintenance
   10.1 Security requirements of systems
   10.2 Security in application systems
   10.3 Cryptographic controls
   10.4 Security of system files
   10.5 Security in development and support processes
11. Business continuity management
   11.1 Business continuity management process
12. Compliance
   12.1 Compliance with legal requirements
   12.2 Reviews of security policy and technical compliance
   12.3 System audit considerations

15.6 ISF Standard of Good Practice for Information Security

The Information Security Forum (ISF) Standard of Good Practice for Information Security aims at managing the risks associated with every aspect of information systems, irrespective of an organization's market sector, size, or structure. The standard, prepared by ISF's global working groups, is a publicly available document split into five key areas: security management, critical business applications, computer installations, networks, and systems development. For more information and details, see http://www.isfsecuritystandard.com.

15.7 Generally Accepted Information Security Principles (GAISP)

The Generally Accepted Information Security Principles (GAISP) culls best practice from all other similar frameworks. Developed in 1991 as the Generally Accepted System Security Principles, GAISP provides a comprehensive hierarchy of guidance for securing information and supporting technology, including:

• Pervasive Principles – board-level guidance.
• Broad Functional Principles – designed for executive-level information management (exposure draft distributed September 1999).
• Detailed Principles – guidance for operational information security management (under development).

GAISP is now being developed by the Information Systems Security Association (ISSA) (http://www.issa.org), which can provide details.

15.7.1 Pervasive Principles

The Pervasive Principles address the confidentiality, integrity, and availability of information. They provide general guidance to establish and maintain the security of information and supporting technology.

• Accountability Principle – Information security accountability and responsibility must be defined clearly and acknowledged.
  Rationale – Accountability characterizes the ability to audit the actions of all parties and processes that interact with information. Roles and responsibilities should be clearly defined, identified, and authorized at a level commensurate with the sensitivity and criticality of information. The relationship between all parties, processes, and information must be defined clearly, documented, and acknowledged by all parties. All parties must have responsibilities for which they are held accountable.

• Awareness Principle – All parties with a need to know — including but not limited to information owners and information security practitioners — should have access to available principles, standards, conventions, or mechanisms for securing information and information systems, and should be informed of applicable threats to the security of information.
  Rationale – This principle applies between and within organizations. Awareness of information security principles, standards, conventions, and mechanisms enhances and enables controls and can help to mitigate threats. Awareness of threats and their significance also increases user acceptance of controls. Without awareness of the necessity for particular controls, users can pose a risk to information by ignoring, bypassing, or overcoming existing control mechanisms. The awareness principle applies to unauthorized and authorized parties.

• Ethics Principle – Information should be used, and information security should be administered, in an ethical manner.
  Rationale – Information systems pervade our societies. Rules and expectations are evolving with regard to the appropriate provision and use of information systems and the security of information. Use of information and information systems should match the expectations established by social norms and obligations.

• Multidisciplinary Principle – Principles, standards, conventions, and mechanisms for securing information and information systems should address the considerations and viewpoints of all interested parties.
  Rationale – Information security is achieved by the combined efforts of information owners, users, custodians, and information security personnel. Decisions made with due consideration of all relevant viewpoints and technical capabilities can enhance information security and receive better acceptance.

• Proportionality Principle – Information security controls should be proportionate to the risks of modification, denial of use, or disclosure of information.
  Rationale – Security controls should be commensurate with the value and vulnerability of information assets. Consider the value, sensitivity, and criticality of the information, as well as the probability, frequency, and severity of direct and indirect harm or loss. This principle recognizes the value of approaches to information security ranging from prevention to acceptance.

• Integration Principle – Principles, standards, conventions, and mechanisms for the security of information should be coordinated and integrated with each other and with the organization's policies and procedures to create and maintain security throughout an information system.
  Rationale – Many information security breaches involve the compromise of more than one safeguard. The most effective control measures are components of an integrated system of controls. Information security is most efficient when planned, managed, and coordinated throughout the organization's system of controls and the life of the information.

• Timeliness Principle – All accountable parties should act in a timely, coordinated manner to prevent or respond to breaches of and threats to the security of information and information systems.
  Rationale – Organizations should be able to coordinate and act swiftly to prevent or mitigate threat events. This principle recognizes the need for the public and private sectors to jointly establish mechanisms and procedures for rapid and effective threat-event reporting and handling. Access to threat-event history could support effective response to threat events and may help prevent future incidents.

Figure 7 – Security Management

• Assessment Principle – The risks to information and information systems should be assessed periodically.
  Rationale – Information and security requirements vary over time. Organizations periodically should assess the information, its value, and the probability, frequency, and severity of direct and indirect harm or loss. Periodic assessment identifies and measures the variances from available and established security measures and controls, such as those articulated in the GAISP, as well as the risk associated with such variances. It also enables accountable parties to make informed information risk management decisions about accepting, mitigating, or transferring the identified risks, with due consideration of cost effectiveness.

• Equity Principle – Management shall respect the rights and dignity of individuals when setting policy and when selecting, implementing, and enforcing security measures.
  Rationale – Information security measures implemented by an organization should not infringe upon the obligations, rights, and needs of legitimate users, owners, and others affected by the information when exercised within the legitimate parameters of the mission objectives.

15.8 AICPA/CICA Trust Services Principles and Criteria

The American Institute of Certified Public Accountants (AICPA) Assurance Services Executive Committee and the CICA Assurance Services Development Board developed the Trust Services Principles and Criteria to address the risks and opportunities of IT. Trust Services Principles and Criteria set out broad statements of principles and identify specific criteria that should be achieved to meet each principle. The principles are broad statements of objectives. Criteria are benchmarks used to measure and present the subject matter, and against which the practitioner can evaluate the subject matter. In the Trust Services Principles and Criteria, the criteria are supported by a list of illustrative controls. The Trust Services Principles and Criteria are organized into four broad areas:

• Policies – The organization has defined and documented its policies⁵ relevant to the particular principle.

• Communications – The organization has communicated its defined policies to authorized users.

• Procedures – The organization uses procedures to achieve its objectives in accordance with its defined policies.

• Monitoring – The organization monitors the system and takes action to maintain compliance with its defined policies.

Following are summaries of the Trust Services Security, Availability, Processing Integrity, Privacy, Confidentiality, and Certification Authority Principles and Criteria. The Trust Services Principles and Criteria can be used to deliver branded SysTrust and WebTrust engagements, which are assurance services designed for a wide variety of IT-based systems. Upon attainment of an unqualified assurance report, the organization would be entitled to display a SysTrust or WebTrust Seal and accompanying auditor's report. In addition, the framework can be used to provide advisory and consulting services. For a detailed listing of the Trust Services Principles and Criteria, see http://www.aicpa.org/trustservices.

15.8.1 Security Principle – The system is protected against unauthorized access (both physical and logical)

In e-commerce and other systems, the respective parties must ensure that information provided is available only to those individuals who need access to complete the transaction or services, or to follow up on questions or issues that may arise. Information provided through these systems is susceptible to unauthorized access during transmission and while it is stored on the other party's systems. Limiting access to the system components helps prevent potential abuse of the system, theft of resources, misuse of software, and improper access to or use, alteration, destruction, or disclosure of information. Key elements for protecting system components include permitting authorized access and preventing unauthorized access to those components.

15.8.2 Availability Principle – The system is available for operation and use as committed or agreed

The availability principle refers to the accessibility to the system, products, or services as advertised or committed by contract or by service-level and other agreements. This principle does not, in itself, set a minimum-acceptable performance level for system availability. Instead, the minimum performance level is established by mutual agreement (contract) between the parties.

Although system availability, functionality, and usability are connected, the availability principle does not address system functionality (the specific functions a system performs) and system usability (the ability of users to apply system functions to specific tasks or problems). It does address system availability, which relates to whether or not the system is accessible for processing, monitoring, and maintenance.

⁵ The term policies refers to written statements that communicate management's intent, objectives, requirements, responsibilities, and standards for a particular subject. Some policies may be described explicitly as such, being contained in policy manuals or similarly labeled documents. However, some policies may be contained in documents without such explicit labeling, including, for example, notices or reports to employees or outside parties.

⁶ Although some privacy regulations use the term principle, the term component is used in the AICPA/CICA Trust Services Principles and Criteria Framework to represent that concept, because the term principle previously has been defined in the Trust Services literature.

15.8.3 Processing Integrity Principle – System processing is complete, accurate, timely, and authorized

Processing integrity exists if a system performs its intended function in an unimpaired manner, free from unauthorized or inadvertent manipulation. Completeness generally indicates that all transactions and services are processed or performed without exception and that transactions and services are not processed more than once. Accuracy includes assurances that key information associated with the submitted transaction will remain accurate throughout the processing of the transaction and that the transaction or services are processed or performed as intended. The timeliness of the provision of services or the delivery of goods is addressed in the context of commitments made for such delivery. Authorization includes assurances that processing is performed in accordance with the required approvals and privileges defined by policies governing system processing.

The risks associated with processing integrity are that the party initiating the transaction will not complete the transaction or provide the service correctly and in accordance with the desired or specified request. Without appropriate processing-integrity controls, the buyer may not receive the goods or services ordered, may receive more than requested, or may receive the wrong goods or services altogether. However, if appropriate processing-integrity controls exist and are operational within the system, the buyer can be reasonably assured of receiving the correct goods and services, in the correct quantity and at the correct price, by the promised date. Processing integrity addresses all of the system components, including procedures to initiate, record, process, and report the information, product, or service that is the subject of the engagement. The nature of data input in e-commerce systems typically involves the user entering data directly over Web-enabled input screens or forms, whereas in other systems the nature of data input can vary significantly. Because of this difference in data-input processes, the nature of controls over the completeness and accuracy of data input in e-commerce systems may be somewhat different than for other systems.

Processing integrity differs from data integrity because it does not imply automatically that the information stored by the system is complete, accurate, current, and authorized. If a system processes information from sources outside of the system's boundaries, an organization can establish only limited controls over the completeness, accuracy, authorization, and timeliness of the information submitted for processing. Errors that may have been introduced into the information and control procedures at external sites typically are beyond the organization's control. When the information source is excluded explicitly from the description of the system that defines the engagement, it is important to detail that exclusion in the system description. In other situations, the data source may be an inherent part of the system being examined, and controls over the completeness, accuracy, authorization, and timeliness of information submitted for processing would be included in the scope of the system as described.
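The completeness, accuracy, and authorization properties described above are often verified by an auditor on paper, but they can also be enforced mechanically at the point where a transaction enters the system. The following is an added illustration, not code from the GTAG or from the AICPA/CICA Trust Services criteria. It processes a small batch of orders and rejects a replayed transaction (completeness), a record whose price was altered after submission (accuracy), and an order above the submitter's approval limit (authorization). The transaction format, price list, role limits, channel key, and sample batch are all assumptions constructed for this example.

```python
"""Processing-integrity controls over a batch of submitted orders.

Added example: this is not code from the GTAG or from the AICPA/CICA Trust
Services criteria. The transaction format, price list, role privileges,
channel key and sample batch are assumptions constructed for the example.
"""
from dataclasses import dataclass, field
from decimal import Decimal
import hashlib
import hmac

# Assumed system of record for prices (constructed).
PRICE_LIST = {"SKU-100": Decimal("19.99"), "SKU-200": Decimal("250.00")}
# Assumed authorization policy: the largest order value each role may commit.
ROLE_LIMITS = {"clerk": Decimal("1000.00"), "manager": Decimal("100000.00")}
# Assumed key shared with the submitting channel; in practice this would be a
# per-client key held in a secrets store, not a module constant.
CHANNEL_KEY = b"example-channel-key"


@dataclass
class Transaction:
    txn_id: str          # idempotency key chosen by the submitter
    sku: str
    quantity: int
    unit_price: Decimal  # price as submitted by the client
    submitted_by: str
    role: str
    mac: str = ""        # hex HMAC-SHA256 over the fields above


def canonical(t: Transaction) -> bytes:
    """Fixed field order so submitter and processor sign the same bytes."""
    return (f"{t.txn_id}|{t.sku}|{t.quantity}|{t.unit_price}|"
            f"{t.submitted_by}|{t.role}").encode()


def sign(t: Transaction) -> str:
    return hmac.new(CHANNEL_KEY, canonical(t), hashlib.sha256).hexdigest()


@dataclass
class Ledger:
    processed: dict = field(default_factory=dict)  # txn_id -> order total
    rejected: list = field(default_factory=list)   # (txn_id, reason)

    def process(self, t: Transaction) -> bool:
        # Accuracy: reject records altered between submission and processing.
        if not hmac.compare_digest(t.mac, sign(t)):
            return self._reject(t, "integrity check failed")
        # Completeness: the same txn_id is never processed twice.
        if t.txn_id in self.processed:
            return self._reject(t, "duplicate")
        # Accuracy: submitted item and price must agree with the system of record.
        if t.sku not in PRICE_LIST or t.quantity <= 0:
            return self._reject(t, "unknown item or bad quantity")
        if t.unit_price != PRICE_LIST[t.sku]:
            return self._reject(t, "price mismatch")
        total = PRICE_LIST[t.sku] * t.quantity
        # Authorization: the order value must be within the role's privileges.
        if total > ROLE_LIMITS.get(t.role, Decimal("0")):
            return self._reject(t, "exceeds privileges")
        self.processed[t.txn_id] = total
        return True

    def _reject(self, t: Transaction, reason: str) -> bool:
        self.rejected.append((t.txn_id, reason))
        return False


def run_batch(batch) -> Ledger:
    ledger = Ledger()
    for t in batch:
        ledger.process(t)
    return ledger


def sample_batch():
    """Constructed batch: a valid order, a replay of it, a record whose price
    was altered after signing, and an order above the clerk's limit."""
    def make(txn_id, sku, qty, price, who, role):
        t = Transaction(txn_id, sku, qty, Decimal(price), who, role)
        t.mac = sign(t)
        return t

    ok = make("T-1", "SKU-100", 2, "19.99", "alice", "clerk")
    replay = make("T-1", "SKU-100", 2, "19.99", "alice", "clerk")
    tampered = make("T-2", "SKU-200", 1, "250.00", "alice", "clerk")
    tampered.unit_price = Decimal("2.50")  # changed in transit; MAC now stale
    too_big = make("T-3", "SKU-200", 5, "250.00", "bob", "clerk")  # 1250 > 1000
    return [ok, replay, tampered, too_big]


if __name__ == "__main__":
    ledger = run_batch(sample_batch())
    print("processed:", ledger.processed)
    print("rejected:", ledger.rejected)
```

The idempotency key is the control that makes completeness testable: without it a legitimate retry and a replayed message look identical to the processor. Note that the MAC check only covers accuracy between submission and processing; as the next paragraph explains, errors introduced before the record crossed the system boundary are outside this control's reach.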

15.8.4 Privacy Principle and Components – Personal information is collected, used, retained, and disclosed in conformity with the commitments in the organization's privacy notice and with the AICPA/CICA Trust Services Privacy Criteria

The Privacy Principle contains 10 components[6] and related criteria that are essential to the proper protection and management of personal information. These privacy components and criteria are based on fair information practices included in privacy laws and regulations of various jurisdictions around the world and on many recognized good privacy practices. The privacy components are:

• Management – The organization defines, documents, communicates, and assigns accountability for its privacy policies and procedures.

• Notice – The organization provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained, and disclosed.

• Choice and consent – The organization describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use, and disclosure of personal information.

• Collection – The organization collects personal information only for the purposes identified in the notice.

• Use and retention – The organization limits the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent. The organization retains personal information only as long as necessary to fulfill the stated purposes.

• Access – The organization provides individuals with access to their personal information for review and update.

• Disclosure to third parties – The organization discloses personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual.

• Security – The organization protects personal information against unauthorized access, both physical and logical.

• Quality – The organization maintains accurate, complete, and relevant personal information for the purposes identified in the notice.

• Monitoring and enforcement – The organization monitors compliance with its privacy policies and procedures and has processes to address privacy-related complaints and disputes.

15.8.5 Confidentiality Principle – Information designated as "confidential" is protected as committed or agreed

The confidentiality principle focuses on information designated "confidential." There is no widely recognized definition of confidential information, unlike personally identifiable information, which many countries currently are defining through regulation. In the course of communicating and transacting business, partners often exchange information they require to be maintained on a confidential basis. In most instances, the respective parties wish to ensure that the information they provide is available only to those individuals who need access to complete the transaction or resolve any questions that arise. To enhance business partner confidence, it is important to inform the partner about the organization's confidentiality practices, including those for providing authorized access to, use of, and sharing of information designated as confidential.

Information that may be subject to confidentiality includes:

• Transaction details
• Engineering drawings
• Business plans
• Banking information about businesses
• Inventory availability
• Bid or ask prices
• Price lists
• Legal documents
• Client and customer lists
• Revenue by client and industry

Unlike personal information, there are no defined rights for accessing confidential information to ensure its accuracy and completeness. Interpretations of what is considered confidential information can vary significantly from business to business and are driven by contractual arrangements in most cases. As a result, those engaged in business relationships need to understand what information will be maintained on a confidential basis and what, if any, rights of access or other expectations an organization might have for updating that information to ensure its accuracy and completeness.

Information that is provided to another party is susceptible to unauthorized access during transmission and while it is stored on the other party's computer systems. For example, an unauthorized party may intercept business partner profile information and transaction and settlement instructions while they are being transmitted. Controls such as encryption can be used to protect the confidentiality of this information during transmission, while firewalls and rigorous access controls can help protect the information while it is stored on computer systems.

15.8.6 Certification Authority (CA) Principle

The certification authority discloses its key and certificate life-cycle management, business, and information privacy practices and provides its services in accordance with these practices. This includes the concepts of CA business-practice disclosures, service integrity, and environmental controls.

15.9 IIA Systems Assurance and Control (SAC)

The IIA provides the SAC model. The SAC model sets the stage for effective technology risk management by giving companies a framework to guide an evaluation of the e-business control environment. SAC recognizes the importance of governance — both within an organization and between business partners — to ensure effective security, auditability, and control of information. SAC provides current information to understand, monitor, assess, and mitigate technology risks. SAC examines risks in all business system components, including customers, competitors, regulators, and partners. Full details of the model can be found at http://www.theiia.org/eSAC/index.cfm, with a detailed discussion of the model at www.theiia.org/itaudit/index.cfm?fuseaction=forum&fid=411.

15.10 Corporate Governance

15.10.1 OECD Principles of Corporate Governance

The OECD Principles of Corporate Governance, amended in April 2004, set out a framework for good practice that has been agreed to by all 30 OECD member countries and has become a generally accepted standard (http://www.oecd.org/corporate). Originally issued in 1999, the principles are designed to assist governments and regulatory bodies in drawing up and enforcing effective rules, regulations, and codes of corporate governance. In parallel, they provide guidance for stock exchanges, investors, companies, and others that have a role in the process of developing good corporate governance. Although the OECD principles do not provide specific guidance on IT controls, other OECD units provide further guidance and research on information security and privacy.

15.10.2 EU Commission

The European Commission's Action Plan on Company Law and Corporate Governance was released in May 2003 to strengthen corporate governance mechanisms in public interest entities. (For details, see http://europa.eu.int/comm/internal_market/company/index_en.htm.) The EU's Corporate Governance initiatives do not address IT issues specifically, but activities of the Information Society

GTAG — Appendix E — Assessing IT Controls Using COSO — 16

The COSO Internal Control – Integrated Framework is recognized by the SEC as a formal model for the purpose of Sarbanes-Oxley attestation and provides a hierarchical categorization of controls. In addition, the audit standard from the PCAOB states:

"Because of the frequency with which management of public companies is expected to use COSO as the framework for the assessment, the directions in the standard are based on the COSO framework. Other suitable frameworks have been published in other countries and likely will be published in the future. Although different frameworks may not contain exactly the same elements as COSO, they should have elements that encompass all of COSO's general themes."

The COSO model was refined and enhanced during 2004 through development of the COSO Enterprise Risk Management – Integrated Framework (http://www.coso.org). This appendix describes the earlier framework, which is the version referenced for regulatory compliance. Nonetheless, the CAE should investigate the Enterprise Risk Management – Integrated Framework.

16.1 COSO Definition of Internal Control

COSO defines internal control (http://www.coso.org/key.htm) as "a process, effected by an organization's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations"

These distinct but overlapping categories address different needs, such that each requires a directed focus. The first category addresses an entity's basic business objectives, including performance and profitability goals and safeguarding of resources, which are impacted greatly by the use of IT.

The second category relates to the preparation of reliable published financial statements, including interim and condensed financial statements, as well as earnings releases and other selected publicly reported financial data derived from such statements. IT systems frequently produce such reports, and the controls over these systems play a major part in the level of internal control.

The third category deals with complying with those laws and regulations to which the entity is subject.

Internal control systems operate at different levels of effectiveness. Internal control can be judged effective in each of the three categories if the board of directors and management have reasonable assurance that:

• They understand the extent to which the entity's operations objectives are being achieved
• Published financial statements are being prepared reliably
• There is compliance with applicable laws and regulations

Although internal control is a process, its effectiveness is a state or condition of the process at one or more points in time.

16.2 COSO Internal Control — Integrated Framework

Internal control consists of five interrelated components that are derived from the way management runs a business and are integrated with the management process. Although the components apply to all entities, small and mid-size organizations may implement them differently than large enterprises. A small organization's controls may be less formal and less structured, yet it can still have effective internal control. The components are:

16.2.1 Control Environment

The control environment sets the tone for an organization, influencing the control consciousness of its people, establishing the foundation for all other components of internal control, and providing discipline and structure. Control environment factors include the integrity, ethical values, and competence of the entity's people; management's philosophy and operating style; the way management assigns authority and responsibility and organizes and develops its people; and the attention and direction provided by the board of directors.

16.2.2 Risk Assessment

Every entity faces a variety of risks from external and internal sources that must be assessed. A precondition to risk assessment is the establishment of objectives that are linked at different levels and are internally consistent. Risk assessment identifies and analyzes the relevant risks to achieving these objectives and forms a basis for determining how the risks should be managed. Because economic, industry, regulatory, and operating conditions will continue to change, organizations need mechanisms to identify and deal with the special risks associated with change.

16.2.3 Control Activities

Control activities are the policies and procedures that help ensure management directives are carried out and that necessary actions are taken to address risks to achieving these objectives. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets, and segregation of duties.

16.2.4 Information and Communication

Pertinent information must be identified, captured, and communicated in a form and time frame that enables people to perform their responsibilities. Information systems produce reports containing operational, financial, and compliance-related information that make it possible to run and control the business. They deal not only with internally generated data but also with information about external events, activities, and conditions necessary for informed business decision-making and external reporting. Effective communication must also occur in a broader sense, flowing down, across, and up the organization. All personnel must receive a clear message from top management that control responsibilities have to be taken seriously. They need to understand their own role in the internal control system, as well as how individual activities relate to the work of others. They must have a means of communicating significant information upstream. There also needs to be effective communication with external parties, such as customers, suppliers, regulators, and shareholders.

16.2.5 Monitoring

Internal control systems need to be monitored to assess the quality of their performance over time. This is accomplished through ongoing monitoring activities, separate evaluations, or a combination of the two. Ongoing monitoring occurs in the course of operations and includes regular management and supervisory activities and other actions personnel take in performing their duties. The scope and frequency of separate evaluations will depend primarily on an assessment of risks and the effectiveness of ongoing monitoring procedures. Internal control deficiencies should be reported upstream, with serious matters reported to top management and the board.

There is synergy and linkage among the components, forming an integrated system that reacts dynamically to changing conditions. The internal control system is intertwined with the entity's operating activities and exists for fundamental business reasons. Internal control is most effective when controls are built into the entity's infrastructure and are a part of the essence of the enterprise. Built-in controls support quality and empowerment initiatives, avoid unnecessary costs, and enable quick response to changing conditions.

There is a direct relationship between the three COSO categories of objectives (effectiveness, reliability, compliance) — which are what an entity strives to achieve — and the components needed to achieve the objectives. All components are relevant to each objectives category. When looking at any one category — the effectiveness and efficiency of operations, for instance — all five components must be present and functioning effectively to conclude that internal control over operations is effective.

The internal control definition — with its underlying fundamental concepts of a process, effected by people, providing reasonable assurance — together with the categorization of objectives, the components and criteria for effectiveness, and the associated discussions, constitutes this internal control framework.

GTAG — Appendix F — ITGI Control Objectives for Information and Related Technology (CobiT) — 17

Organizations must satisfy the quality, fiduciary, and security requirements for their information, as for all assets. Management must also optimize the use of available resources, including data, application systems, technology, facilities, and people. To discharge these responsibilities, as well as to achieve its objectives, management must establish an adequate system of internal control. Thus, an internal control system or framework must be in place to support the business processes, and it must be clear how each individual control activity satisfies the information requirements and impacts the resources. Impact on IT resources is highlighted in the CobiT framework, together with the business requirements for effectiveness, efficiency, confidentiality, integrity, availability, compliance, and reliability of information that need to be satisfied. Control, which includes policies, organizational structures, practices, and procedures, is management's responsibility. Management, through its corporate and IT governance, must ensure that due diligence is exercised by all individuals involved in the management, use, design, development, maintenance, or operation of information systems.

Business orientation is the main theme of CobiT. It is designed not only to be employed by users and auditors, but also, and more importantly, as a comprehensive checklist for business process owners. Increasingly, business practice involves the full empowerment of business process owners so that they have total responsibility for all aspects of the business process. In particular, this includes providing adequate controls. The CobiT framework provides a tool for the business process owner that facilitates the discharge of this responsibility. The framework starts from a simple and pragmatic premise: in order to provide the information that the organization needs to achieve its objectives, IT resources need to be managed by a set of naturally grouped processes.

CobiT continues with a set of 34 high-level control objectives, one for each of the IT processes, grouped into four domains: Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate.

Plan and Organize – This domain covers strategy and tactics and concerns the identification of the way IT can best contribute to the achievement of business objectives.

1. Define a strategic IT plan
2. Define the information architecture
3. Determine the technological direction
4. Define the IT organization and relationships
5. Manage the IT investment
6. Communicate management aims and direction
7. Manage human resources
8. Ensure compliance with external requirements
9. Assess risks
10. Manage projects
11. Manage quality

Acquire and Implement – To realize the IT strategy, IT solutions need to be identified, developed or acquired, as well as implemented and integrated into the business process. In addition, changes in and maintenance of existing systems are covered by this domain to make sure that the life cycle is continued for these systems.

12. Identify automated solutions
13. Acquire and maintain application software
14. Acquire and maintain technology architecture
15. Develop and maintain IT procedures
16. Install and accredit systems
17. Manage changes

Deliver and Support – This domain is concerned with the actual delivery of required services, which range from traditional operations over security and continuity aspects to training. This domain includes the actual processing of data by application systems.

18. Define and manage service levels
19. Manage third-party services
20. Manage performance and capacity
21. Ensure continuous service
22. Ensure systems security
23. Identify and allocate costs
24. Educate and train users
25. Assist and advise IT customers
26. Manage the configuration
27. Manage problems and incidents
28. Manage data
29. Manage facilities
30. Manage operations

Monitor and Evaluate – All IT processes need to be assessed regularly over time for their quality and compliance with control requirements. This domain thus addresses management's oversight of the organization's control process and independent assurance provided by internal and external auditing or obtained from alternative sources.

31. Monitor the processes
32. Assess internal control adequacy
33. Obtain independent assurance
34. Provide for independent audit

This structure covers all aspects of information and the technology that supports it. By addressing these 34 high-level control objectives, the business process owner can ensure that an adequate control system is provided for the IT environment.

CobiT is comprised of:

• An executive summary, which provides an overview of CobiT's issues and foundational premise

• The CobiT framework, which describes in detail the high-level IT control objectives and identifies the business requirements for information and IT resources primarily impacted by each control objective

• Control objectives, statements of the desired results or purposes to be achieved by implementing the specific detailed control objectives

• Audit guidelines, suggested audit steps corresponding to each of the IT control objectives

• An implementation tool set, which provides lessons learned from those organizations that successfully applied CobiT in their work environments and several tools to help management assess their control environment related to information and IT resources

• Management guidelines, which are composed of maturity models to help determine the stages and expectation levels of control, critical success factors to identify the most important actions for achieving control over the IT processes, key goal indicators to define target levels of performance, and key performance indicators to measure whether an IT control process is meeting its objective

Copyright © 2000 by ITGI and reprinted with the permission of the ITGI. No other right or permission is granted with respect to this work.

Designated by the IT Governance Institute (ITGI) and ISACA as an open standard, this portion of CobiT may be downloaded from http://www.itgi.org and http://www.isaca.org.

CobiT, now in its third edition and available in hard copy or interactive online format (CobiT Online), increasingly is accepted internationally as good practice for control over information, IT, and related risks. Its guidance enables an enterprise to implement effective governance over the IT that is pervasive and intrinsic throughout the enterprise.

GTAG — Appendix G — Example IT Control Metrics to Be Considered by Audit Committees — 18

The following metrics descriptions are taken from the Corporate Information Security Working Group (CISWG) draft report of the Best Practices and Metrics teams, November 17, 2004. During Phase I of the CISWG, convened in November 2003 by Rep. Adam Putnam (R-FL), the Best Practices team surveyed available information security guidance. It concluded in its March 2004 report[7] that much of this guidance is expressed at a relatively high level of abstraction and therefore is not useful immediately as actionable guidance without significant and often costly elaboration. A one-page listing of Information Security Program Elements, regarded as essential content for comprehensive enterprise management of information security, was created, upon which it was hoped future actionable guidance could be built for use by a wide variety of organizations.

The Best Practices and Metrics teams of CISWG Phase II, convened in June 2004, were charged with expanding on the work of Phase I by refining the Information Security Program Elements and developing metrics to support each of the elements. The goal was to develop a resource that would help board members, managers, and technical staff establish a comprehensive structure of principles, policies, processes, controls, and performance metrics to support the people, process, and technology aspects of information security.

These generic metrics can be used as the basis for determining regular reporting requirements for the audit committee, although they are not meant to be a "one-size-fits-all" solution. The full set of draft metrics, along with explanatory notes and descriptions, can be found under the "Technology" section of http://www.theiia.org.

The Information Security Program Elements and Supporting Metrics are intended to enable boards, management, and technical staff to monitor the status and progress of their organization's information security program over time. Each organization should thoughtfully consider which program elements and metrics might be helpful in its own circumstances. It should then set its own implementation priorities and establish an appropriate policy, process, and control structure. Larger and more complex organizations will create policies, processes, and controls in each program element that inevitably will be more extensive than those a smaller organization might choose to implement.

18.1 Metrics for Boards of Directors/Trustees

Establishing a competent information security program requires board members to devote attention to certain program elements. Board members can use the following metrics as part of their information security responsibilities. Board members generally should find the best target value for each metric — higher or lower — to be self-evident.

• Oversee risk management and compliance programs pertaining to information security
  – Percentage of key information assets for which a comprehensive strategy has been implemented to mitigate information security risks as necessary and to maintain these risks within acceptable thresholds
  – Percentage of key organizational functions for which a comprehensive strategy has been implemented to mitigate information security risks as necessary and to maintain these risks within acceptable thresholds
  – Percentage of key external requirements for which the organization has been deemed to be in compliance by an objective audit or other means

• Approve and adopt broad information security program principles and approve assignment of key managers responsible for information security
  – Percentage of information security program principles for which approved policies and controls have been implemented by management
  – Percentage of key information security management roles for which responsibilities, accountabilities, and authority are assigned and required skills identified

• Strive to protect the interests of all stakeholders who depend on information security
  – Percentage of board meetings and/or designated committee meetings for which information security is on the agenda
  – Percentage of security incidents that caused damage, compromise, or loss beyond established thresholds to the organization's assets, functions, or stakeholders
  – Estimated damage or loss in dollars resulting from all security incidents in each of the past four reporting periods

• Review information security policies regarding strategic partners and other third parties
  – Percentage of strategic partner and other third-party relationships for which information security requirements have been implemented in agreements

• Strive to ensure business continuity
  – Percentage of organizational units with an established business-continuity plan

• Review provisions for internal and external audits of the information security program
  – Percentage of required internal and external audits completed and reviewed by the board
  – Percentage of audit findings that have not been resolved

• Collaborate with management to specify the information security metrics to be reported to the board

[7] http://reform.house.gov/TIPRC

18.2 Metrics for Management

The following program elements and metrics are intended to help management implement the information security goals and policies established by the board as part of an effective information security program.

• Establish information security management policies and controls, and monitor compliance.
  – Percentage of information security program elements for which approved policies and controls are operational.
  – Percentage of staff assigned responsibilities for information security policies and controls who have acknowledged accountability for their responsibilities in connection with those policies and controls.
  – Percentage of information security policy compliance reviews that noted violations.
  – Percentage of business-unit heads and senior managers who have implemented operational procedures to ensure compliance with approved information security policies and controls.
• Assign information security roles, responsibilities, and required skills, and enforce role-based information-access privileges.
  – Percentage of new employees hired this reporting period who satisfactorily completed security-awareness training before being granted network access.
  – Percentage of employees who have completed periodic security-awareness refresher training as required by policy.
  – Percentage of position descriptions that define the information security roles, responsibilities, skills, and certifications for:
    + Security managers and administrators
    + IT personnel
    + General staff (system users)
  – Percentage of job performance reviews that evaluate information security responsibilities and policy compliance.
  – Percentage of user roles, systems, and applications that comply with the separation-of-duties principle.
  – Number of individuals with access to security software who are not trained and authorized security administrators.
  – Number of individuals who are able to assign security privileges for systems and applications who are not trained and authorized security administrators.
  – Percentage of users whose access privileges have been reviewed this reporting period, including:
    + Employees with high-level system and application privileges
    + All other employees
    + Contractors
    + Vendors
    + Terminated employees and contractors
  – Percentage of users who have undergone background checks.
• Assess information risks, establish risk thresholds, and actively manage risk mitigation.
  – Percentage of critical information assets and information-dependent functions for which some form of risk assessment has been performed and documented as required by policy.
  – Percentage of critical assets and functions for which the cost of compromise (loss, damage, disclosure, or disruption of access) has been quantified.
  – Percentage of identified risks that have a defined risk mitigation plan against which status is reported in accordance with policy.
• Ensure implementation of information security requirements for strategic partners and other third parties.
  – Percentage of known information security risks that are related to third-party relationships.
  – Percentage of critical information assets or functions to which third-party personnel have been given access.
  – Percentage of third-party personnel with current information access privileges who a designated authority has deemed to have continued need for access in accordance with policy.
  – Percentage of systems with critical information assets or functions that are connected to third-party systems electronically.
  – Percentage of security incidents that involve third-party personnel.
  – Percentage of third-party agreements that include or demonstrate external verification of policies and procedures.
  – Percentage of third-party relationships that have been reviewed for compliance with information security requirements.
  – Percentage of out-of-compliance review findings that have been corrected since the last review.
• Identify and classify information assets.
  – Percentage of information assets that have been reviewed and classified by the designated owner in accordance with the classification scheme established by policy.
  – Percentage of information assets with defined access privileges that have been assigned based on role and in accordance with policy.
  – Date when the asset inventory was last updated.
• Implement and test business-continuity plans.
  – Percentage of organizational units with a documented business-continuity plan for which specific responsibilities have been assigned.
  – Percentage of business-continuity plans that have been reviewed, exercised and tested, and updated in accordance with policy.
• Approve information systems architecture during acquisition, development, operations, and maintenance.
  – Percentage of information security risks related to systems architecture identified in the most recent risk assessment that have been mitigated adequately.
  – Percentage of system architecture changes (additions, modifications, or deletions) that were reviewed for security impacts, approved by the appropriate authority, and documented via change-request forms.
  – Percentage of critical information assets or functions residing on systems that are out of compliance with the approved systems architecture.
• Protect the physical environment.
  – Percentage of critical organizational information assets and functions that have been reviewed from the perspective of physical risks, such as controlling physical access and physical protection of backup media.
  – Percentage of critical organizational information assets and functions exposed to physical risks for which risk mitigation actions have been implemented.
  – Percentage of critical assets that have been reviewed from the perspective of environmental risks, such as temperature, fire, and flooding.
  – Percentage of servers in locations with controlled physical access.
  – Percentage of information security requirements of applicable laws and regulations that are included in the internal and external audit program and schedule.
  – Percentage of information security audits conducted in compliance with the approved internal and external audit program and schedule.
  – Percentage of management actions in response to audit findings and recommendations that were implemented as agreed upon regarding timeliness and completeness.
• Collaborate with security personnel to specify the information security metrics to be reported to management.
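Two of the management metrics above (the percentage of users complying with the separation-of-duties principle, and the percentage of users whose access privileges were reviewed this period) can be produced directly from an access-rights extract rather than estimated by survey. The following is an added worked example, not code from the GTAG or The IIA; the users, role names, conflict pairs and review log are constructed sample data, and a real run would read them from the organization's IAM export and access-certification records.

```python
"""Two Appendix G management metrics computed from an access-rights extract.
Added example, not from the GTAG: users, roles, conflict pairs and the
review log below are constructed sample data."""
from typing import Dict, FrozenSet, Set

# Constructed IAM export: user -> set of application roles held.
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"ap_invoice_entry", "ap_payment_release"},        # toxic pair
    "bob":   {"ap_invoice_entry"},
    "carol": {"gl_journal_post", "gl_journal_approve"},         # toxic pair
    "dave":  {"vendor_master_maintain"},
    "erin":  {"vendor_master_maintain", "ap_payment_release"},  # toxic pair
    "frank": {"readonly_reporting"},
}

# Constructed separation-of-duties matrix: role pairs that policy says no
# single person may hold together (entry vs. release, post vs. approve, ...).
SOD_CONFLICTS: Set[FrozenSet[str]] = {
    frozenset({"ap_invoice_entry", "ap_payment_release"}),
    frozenset({"gl_journal_post", "gl_journal_approve"}),
    frozenset({"vendor_master_maintain", "ap_payment_release"}),
}

# Constructed access-review log: users whose privileges a manager
# re-certified during the current reporting period.
REVIEWED_THIS_PERIOD: Set[str] = {"alice", "bob", "carol", "frank"}


def sod_violations(user_roles, conflicts):
    """Map each user holding a conflicting role combination to the offending
    pairs (as sorted tuples), so every exception is reportable by name."""
    findings = {}
    for user, roles in user_roles.items():
        hits = sorted(tuple(sorted(pair)) for pair in conflicts if pair <= roles)
        if hits:
            findings[user] = hits
    return findings


def percentage(numerator, denominator):
    """Metric value rounded to one decimal; 0.0 when the population is empty."""
    return round(100.0 * numerator / denominator, 1) if denominator else 0.0


def sod_compliance_pct(user_roles, conflicts):
    """Percentage of users that comply with the separation-of-duties
    principle, i.e. hold no pair listed in the conflict matrix."""
    violators = sod_violations(user_roles, conflicts)
    return percentage(len(user_roles) - len(violators), len(user_roles))


def access_review_pct(user_roles, reviewed):
    """Percentage of users whose access privileges were reviewed this period.
    Only users still present in the extract count, so a stale review entry
    for a departed account cannot inflate the figure."""
    covered = set(user_roles) & reviewed
    return percentage(len(covered), len(user_roles))


def management_report(user_roles=USER_ROLES, conflicts=SOD_CONFLICTS,
                      reviewed=REVIEWED_THIS_PERIOD):
    """Bundle both metrics with the supporting exceptions for the report."""
    return {
        "sod_compliance_pct": sod_compliance_pct(user_roles, conflicts),
        "access_review_pct": access_review_pct(user_roles, reviewed),
        "sod_exceptions": sod_violations(user_roles, conflicts),
    }


if __name__ == "__main__":
    for key, value in management_report().items():
        print(f"{key}: {value}")
```

The report returns the exception list alongside the percentages because a bare metric invites debate while a named list of toxic combinations is what management must act on; the same evidence answers the division-of-duties question in the CAE checklist that follows.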

GTAG — Appendix H — CAE Checklist — 19

CAEs can use this checklist to examine their IT control framework to ensure the organization has addressed all control elements. The checklist can help the CAE understand the issues and plan for full internal audit coverage of the control areas.

1. Identify the IT control environment of the organization, including:
   a. Values
   b. Philosophy
   c. Management style
   d. IT awareness
   e. Organization
   f. Policies
   g. Standards

2. Identify relevant legislation and regulation impacting IT control, such as:
   a. Governance
   b. Reporting
   c. Data protection
   d. Compliance

3. Identify the roles and responsibilities for IT control in relation to:
   a. Board of directors
      i. Audit committee
      ii. Risk committee
      iii. Governance committee
      iv. Finance committee
   b. Management
      i. CEO
      ii. CFO and controller
      iii. CIO
      iv. CSO
      v. CISO
      vi. CLC
      vii. CRO
   c. Audit
      i. Internal Audit
      ii. External Audit

Action Questions

1. Do corporate policies and standards that describe the need for IT controls exist?
2. What legislation exists that impacts on the need for IT controls?
3. Has management taken steps to ensure compliance with this legislation?
4. Have all the relevant responsibilities for IT controls been allocated to individual roles?
5. Is the allocation of responsibilities compatible with the need to apply division of duties?
6. Are IT responsibilities documented?
7. Are IT control responsibilities communicated to the whole organization?
8. Do individual role holders clearly understand their responsibilities in relation to IT controls?
9. What evidence is there of individual role holders exercising their responsibilities?
10. Does internal auditing employ sufficient IT audit specialists to address the IT control issues?


4. Identify the risk assessment process. Does it cover:
   a. Risk appetite
   b. Risk tolerances
   c. Risk analysis
   d. Matching risks to IT controls

5. Identify all monitoring processes, including:
   a. Regulatory
   b. Normal in-house
   c. Other than internal auditing

6. Identify information and communication mechanisms:
   a. Control information
   b. Control failures

Action Questions

11. How is the risk appetite and tolerance of the organization determined?
12. Is the risk appetite and tolerance of the organization authorized at board level?
13. Is the risk appetite and tolerance clearly understood by all those with a responsibility for IT control?
14. Is a formal risk analysis process used by the organization?
15. Is the process understood by all those with responsibility for IT control?
16. Is the process used consistently throughout the organization?
17. What processes exist to monitor compliance with all relevant legislation plus internal policies and standards?
18. Are there monitoring processes carried out by management outside of internal audit?
19. What metrics are provided to the board of directors, its committees, and management in relation to IT security?
20. What additional reports are provided to the board of directors and to management on a regular basis?
21. Is management always provided with reports when there are IT control failures?
22. Do the board of directors and its committees receive similar reports of IT control failures?

GTAG — Appendix I — References — 20

The following list of information security reference material is taken from a list compiled by the CISWG of the Subcommittee on Technology, Information Policy, Intergovernmental Relations, and the Census and the Government Reform Committee of the US House of Representatives. The full list can be found at http://www.reform.house.gov/TIPRC or under the "Technology" section of http://www.theiia.org. The documents are classified into three sections relating to governance, management, and technical issues.

20.1 Governance

Board Briefing on IT Governance, ITGI. http://www.itgi.org/Template_ITGI.cfm?Section=ITGI&CONTENTID=6658&TEMPLATE=/ContentManagement/ContentDisplay.cfm

Information Security Governance: Guidance for Boards of Directors and Executive Management, ITGI. http://www.itgi.org

Information Security Management and Assurance: Three-report series from The IIA, National Association of Corporate Directors (NACD), US Critical Infrastructure Assurance Office, et al. http://www.theiia.org/esac/index.cfm?fuseaction=ora&page=rciap

Information Security Oversight: Essential Board Practices, NACD. http://www.nacdonline.org/publications/pubDetails.asp?pubID=138&user=6158BBEB9D7C4EE0B9E4B98B601E3716

IT Governance Implementation Guide, ISACA. http://www.isaca.org/Template.cfm?Section=Browse_By_Topic&Template=/Ecommerce/ProductDisplay.cfm&ProductID=503

Turnbull Report: Internal Control: Guidance for Directors on the Combined Code, Institute of Chartered Accountants in England & Wales. http://www.icaew.co.uk/index.cfm?AUB=TB2I_6242MNXI_47896

20.2 Management

BS 7799 – Parts 1 & 2: Code of Practice for Information Security Management, British Standards Institution. http://www.bsi.org.uk

Common Sense Guide for Senior Managers, Internet Security Alliance. www.isalliance.org

Corporate Information Security Evaluation for CEOs, TechNet. http://www.technet.org/cybersecurity

Generally Accepted Information Security Principles (GAISP), Information Systems Security Association. Currently available: Generally Accepted Systems Security Principles (GASSP), consisting of Pervasive Principles and Broad Functional Principles; Detailed Principles are under development. http://www.issa.org/gaisp/gaisp.html

Generally Accepted Principles and Practices (GAPP), NIST SP 800-18, "Guide for Developing Security Plans for Information Technology Systems," December 1998 (Marianne Swanson & Barbara Guttman): eight generally accepted principles (see OECD) and "Common IT Security Practices." http://csrc.nist.gov/publications/nistpubs/index.html

ICC Handbook on Information Security Policy for Small to Medium Enterprises, International Chamber of Commerce (ICC). http://www.iccwbo.org/home/e_business/word_documents/SECURITY-final.pdf

IFAC International Guidelines on Information Technology Management – Managing Information Technology Planning for Business Impact, International Federation of Accountants. http://www.ifac.org

Information Security for Executives, Business and Industry Advisory Committee to the OECD and ICC. http://www.iccwbo.org/home/e_business/word_documents/SECURITY-final.pdf

ISO 17799 – Information Technology – Code of Practice for Information Security Management, International Organization for Standardization (ISO). http://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=33441&ICS1=35&ICS2=40&ICS3

OECD Guidelines for the Security of Information Systems and Networks: nine pervasive principles for information security upon which several other guides are based, OECD. http://www.oecd.org/document/42/0,2340,en_2649_33703_15582250_1_1_1_1,00.html

Standard of Good Practice for Information Security, Information Security Forum. http://www.isfsecuritystandard.com/index_ie.htm

Trust Services Criteria (including SysTrust and WebTrust), American Institute of Certified Public Accountants. http://www.aicpa.org/trustservices

20.3 Technical Issues

Consensus Benchmarks, Center for Internet Security. http://www.cisecurity.org

DISA Security Technical Implementation Guides. http://www.csrc.nist.gov/pcig/cig.html


ISO 15408: Common Criteria. http://www.csrc.nist.gov/cc/ccv20/ccv2list.htm

ISO TR 13335 – Guidelines for the Management of Information Security, Parts 1-5. http://www.iso.org/iso/en/StandardsQueryFormHandler.StandardsQueryFormHandler

IT Baseline Protection Manual (P BSI 7152 E 1), Bundesamt für Sicherheit in der Informationstechnik. http://www.bsi.bund.de/gshb/english/menue.htm

ITCG Information Technology Control Guidelines, Canadian Institute of Chartered Accountants (CICA). http://www.cica.ca

NIST Configuration Guides, National Institute of Standards and Technology (NIST). http://www.csrc.nist.gov/pcig/cig.html

NIST 800-12: The Computer Security Handbook, NIST. http://www.csrc.nist.gov/publications/nistpubs/index.html

NIST 800-30: Risk Management Guide for Information Technology Systems, NIST. http://www.csrc.nist.gov/publications/nistpubs/index.html

NSA Configuration Guides. http://www.nsa.gov/snac

SANS Step-by-Step Guides, SANS Institute. http://www.store.sans.org

20.4 Auditing IT

Control Objectives for Information and Related Technologies (CobiT), ISACA. http://www.isaca.org

Federal Information Systems Controls Audit Manual (FISCAM), US Government Accountability Office. http://www.gao.gov

Information Technology Control Guidelines (ITCG), CICA. http://www.cica.ca

Systems Assurance and Control (SAC), IIA Research Foundation. http://www.theiia.org/eSAC

Systems Auditability and Control (SAC), IIA Research Foundation. http://www.theiia.org/eSAC

GTAG — Appendix J — Glossary — 21

A listing of technical terms used in the guide, with a simple, plain-English definition.

Application Control – A control related to the specific functioning of an application system that supports a specific business process. Common applications include accounts payable, inventory management, and general ledger. Integrated applications combine the functions of many business processes into integrated systems sharing common databases.

Assurance – The act of assuring; a declaration tending to inspire full confidence; that which is designed to give confidence.

CAE – Chief audit executive.

CEO – Chief executive officer.

CFO – Chief financial officer (and controller).

CIO – Chief information officer.

CISO – Chief information security officer.

CLC – Chief legal counsel.

COSO – The Committee of Sponsoring Organizations of the Treadway Commission (the Commission on Fraudulent Financial Reporting). See http://www.coso.org.

CRM – Customer resource management.

CSO – Chief security officer.

Cyber attack – A criminal act perpetrated by the use of computers and telecommunications capabilities, resulting in violence, destruction, and/or disruption of services to create fear by causing confusion and uncertainty within a given population, with the goal of influencing a government or population to conform to a particular political, social, or ideological agenda.

Effective – Getting a job done, with or without regard for efficiency. If the law requires you to do something, it probably does not require you to do it efficiently, as evidenced by Sarbanes-Oxley compliance and the frequent complaint that companies are spending huge sums with no apparent value added to the organization or stakeholders.

Efficient – To be efficient, a process or activity must also be effective. Information Technology Process Institute studies show that best-of-breed organizations enjoy considerable efficiencies by maintaining an effective set of control and monitoring practices and resolving the source of the problem rather than only responding to the symptoms.

Framework – A structure for organizing something (e.g., governance issues, controls) to highlight needs at the various levels of an organization as well as for its activities and processes. A control framework is an outline that identifies the need for controls but does not depict how they are applied. Each organization and organizational unit provides a level of detail related to its own control objectives and control practices.

General control – A control that applies generally to the IT environment or overall mix of systems, networks, data, people, and processes (also known as IT infrastructure).

GLBA – US Gramm-Leach-Bliley Act.

Governance – The combination of processes and structures implemented by the board to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives.

GTAG – Global Technology Audit Guide.

HIPAA – US Health Information Portability and Accountability Act.

Information asset – Information assets are based in the value of information to the worth and continued existence of the organization. A distinction is made between information assets and information resources, because information resources are generally considered to include the related human resources, and human resources are not considered to be owned by the organization.

Information resource – Includes all elements of the organization involved in information processing (e.g., acquisition, processing, communication, and storage), including the related hardware, software, processes, and personnel.

Information security – The concepts, techniques, technical measures, and administrative measures used to protect information assets from deliberate or inadvertent unauthorized acquisition, damage, disclosure, manipulation, modification, loss, or use.

Information technology (IT) – All the computer hardware and software used to process information and provide communications, the processes for administering and maintaining the technology, and the human resources associated with the use of technology.

ISO 17799 – Code of Practice for Information Security Management. See http://www.iso.org.

IT controls – Those controls that provide reasonable assurance of the secure, reliable, and resilient performance of hardware, software, processes, and personnel, as well as the reliability of the organization's information.

IT infrastructure – The overall IT environment, including systems, networks, data, people, and processes. Infrastructures can also include the interaction of businesses and industries in mutual support through shared media and services such as the Internet, energy, financial services, utilities, government, and transportation. To the extent that infrastructures support national and regional economies, defenses, and business continuity, they are known as critical infrastructures.

ITPI – IT Process Institute. See http://www.itpi.org.

Public Company Accounting Oversight Board (PCAOB) – A board of the US Securities and Exchange Commission established by the Sarbanes-Oxley Act of 2002 as an oversight body for public financial reporting and auditing.

Risk appetite – Defined by COSO as "the degree of risk, on a broad-based level, that a company or other organization is willing to accept in pursuit of its goals. Management considers the organization's risk appetite first in evaluating strategic alternatives, then in setting objectives aligned with the selected strategy, and in developing mechanisms to manage the related risks."

Risk management – The ongoing identification, measurement, and mitigation of risk through the demonstrably cost-efficient implementation and administration of control over the known and knowable risks of threat events that can adversely affect the confidentiality, integrity, or availability of an organization's information assets.

Risk tolerance – Defined by COSO as "the acceptable level of variation relative to the achievement of objectives. In setting specific risk tolerances, management considers the relative importance of the related objectives and aligns risk tolerances with its risk appetite."

GTAG — Appendix K — About the Global Technology Audit Guides — 22

This IT controls guide is the first in a series of GTAGs, which will give CAEs and internal auditors a source of information for educating and informing themselves and others within the organization who have responsibilities related to IT control.

The GTAGs will provide guidance on a variety of IT topics. Each guide will describe the underlying technology facts and issues sufficiently to explain business opportunities, risks, and related controls and their impacts on the overall system of internal controls. Subjects to be addressed in the GTAG series will be determined by current and emerging technology areas and their potential ramifications for internal controls and assurance. Planned topics for guides include intrusion protection, security management, change management, wireless security, identity management, and authentication.

22.1 Parties to the GTAG Program

Each GTAG guide is developed through interaction with technical audit and security experts, audit executives, technology vendors, and the associations and individuals that represent board members, chief executives, financial executives, information technology professionals, and security executives. Involvement from The IIA's international affiliates and partners supports the global perspective of the guides. Other professionals representing specialized views, such as legal, insurance, regulatory, and standards, will be included as appropriate within individual GTAG projects.

The IIA is joined in this GTAG project by a specially selected team of professional associations, academic institutions, and practitioners in both auditing and technology. The IIA is grateful for the support provided by this team, as the guide would not have been possible without them. For The IIA to provide meaningful guidance to auditors about how to relate to audit customers, it is essential to gain agreement with the key representatives of those customers. To speak to a global audience, the guide needs consensus from a broad group representing many of the countries where internal auditors operate. So we thank both the individuals and the organizations who contributed so much to this guide.

GTAG — Appendix L — GTAG Partners and Global Project Team — 23

23.1 IT Controls Advisory Council

The Advisory Council is made up of individuals who contributed to the development of this guide from the outset of planning the GTAG project, through design and development of the IT Controls Guide outline and various drafts, to the completion of the final product. These individuals went beyond the role of a volunteer support team to truly act in a leadership role.

Julia H. Allen, CMU/SEI, Carnegie-Mellon University/Software Engineering Institute

Michael R. Dickson, Business Technology Group LLC

Clint Kreitner, President/CEO, CIS, The Center for Internet Security

Alex Lajoux, NACD, National Association of Corporate Directors

Will Ozier, Vice Chair, the ISSA GAIS Committee; CEO & President, OPA Inc., The Integrated Risk Management Group, USA

Mark Salamasick, CIA, University of Texas at Dallas

Karyn Waller, AICPA, American Institute of Certified Public Accountants

23.2 Partner Organizations

AICPA – Michael R. Dickson, Karyn Waller, American Institute of Certified Public Accountants

CIS – Clint Kreitner, Center for Internet Security

CMU/SEI – Julia Allen, Bob Rosenstein, Carnegie-Mellon University/Software Engineering Institute

ISSA – Dave Cullinane, President; Bob Daniels, Exec. Vice President, Information Systems Security Association

NACD – Peter Gleason, Alex Lajoux, National Association of Corporate Directors

SANS Institute – Alan Paller, Director of Research; Stephen Northcutt, COO

23.3 Project Review Team

Peter Allor, ISS, Internet Security Systems

Jack Antonelli, ADP

Ken D. Askelson, CIA, JC Penney Co. Inc.

Becky Bace, Infidel Inc.

Kevin Behr, IPSI, Institute for Integrated Publication and Information Systems

Jeff Benson, BearingPoint

Robert S. Block, Chairman, 3D Business Tools, USA

Sylvia Boyd, The IIA

Alexandra Branisteanu, Information Security Officer, Scripps Health, San Diego, USA

Larry Brown, Options Clearing Corp.

Stephanie Bryant, University of South Florida

Phil Campbell, Specialized IT LLC, USA

John Carlson, BITS, Banking Industry Technology Secretariat

Chris Compton, Intrusion Labs

Guy Copeland, CSC, Computer Sciences Corp.

Rich Crawford, Vice President/Senior Security Advisor, Janus Risk Management, USA

Bob Daniels, EDS

Bob Dix, US House of Representatives


Jerry E. Durant, CIA, President, Certifiable Technologies Ltd., Orlando, Fla., USA

Emily Frye, Critical Infrastructure Protections Program, George Mason University School of Law, USA

Greg Garcia, ITAA, Information Technology Association of America

Russ Gates, Dupage Consulting LLC

Lou Giles, Chevron Phillips Chemical Co.

Doug Guerrero, EDS

Kai Tamara Hare, Nuserve

Michael S. Hines, CIA, Purdue University

Bob Hirth, Protiviti

Don Holden, CISSP, Concordant Inc., USA

Dave Kern, Ethentica

Gene Kim, CTO, Tripwire Inc., USA

Jim Kolouch, BearingPoint

David Kowal, VP, JP Morgan Chase

Paul Kurtz, CSIA, Cyber Security Industry Alliance

Cindy LeRouge, PhD, Decision Sciences/MIS Department, John Cook School of Business, St. Louis University, USA

Andrée Lavigne, CICA, Canadian Institute of Chartered Accountants

Debbie Lew, Guidance Software

Brenda Lovell, CIA, CCSA, CGAP, The IIA

Warren Malmquist, Adolph Coors Co.

Stacy Mantzaris, CIA, IIA

Dennis Miller, Heritage Bank

Patrick Morrissey, Auditwire

Bruce Moulton, Symantec

Paul Moxey, ACCA, Association of Chartered Certified Accountants

Roseane Paligo, CIA, Chief Financial Officer, 1st Choice Community Federal Credit Union, USA

Fred Palmer, Palmer Associates

Xenia Parker, CIA, CFSA, VP, Enterprise Technology Group, Marsh Inc.

Bernie Plagman, TechPar Group

Heriot Prentice, MIIA, FIIA, QiCA, The IIA

Dick Price, Beacon IT Ltd., BS 7799 Consultancy, USA

Michael Quint, Corporate Compliance Officer, EDS Corporate Audit, USA

Sridhar Ramamoorti, CIA, CFSA, Ernst & Young LLP, Chicago, IL, USA

Amy Ray, Bentley College

Martin Ross, GSC, Global Security Consortium

Chip Schilb, EDS, USA

Howard Schmidt, eBay

Mark Silver, Symantec

George Spafford, President, Spafford Global Consulting, Saint Joseph, IL, USA

Adam Stone, Assurant

Jay H. Stott, CIA, Fidelity Investments

Dan Swanson, CIA, IIA

Jay R. Taylor, CIA, CISA, CFE, General Motors Corporation

Bill Tener, University & Community College System of Nevada

Archie Thomas

Fred Tompkins, BearingPoint

Don Warren, Rutgers University

Dominique Vincenti, CIA, The IIA

Mark Winn, Intrusec

Amit Yoran

23.4 IIA International Affiliates

Frank Alvern, CIA, CCSA, Nordea Bank, Norway

Alexandre Alves Apparecido, Brazil

Dror Aviv, Israel

David F. Bentley, England, UK and Ireland

Gerardo Carstens, CIA, IIA Argentina

Richard Cascarino, South Africa

Iftikhar Chaudry, Pakistan

Hisham T. El Gindy, Manager, KPMG Hazem Hassan, Egypt

Dr. Ulrich Hahn, CIA, Switzerland

Rossana S. Javier, Makati City, Philippines

Andras Kovacks, Hungary

Christopher McRostie, Australia

Furqan Ahmad Saleem, Partner, Avais Hyder Nauman Rizwani, RSM, Pakistan

Kyoko Shimizu, CIA, Japan

John Silltow, Security Control and Audit Ltd., United Kingdom

Ken Siong, International Federation of Accountants

Anton van Wyk, PwC, South Africa

Nick Wolanin, Adjunct Senior Lecturer, Australian Graduate

Julie Young, Australia

23.5 Other International

Carolee Birchall, Vice President and Senior Risk Officer, Bank of Montreal, Canada

P. J. Corum, Quality Assurance Institute Middle East and Africa, United Arab Emirates

Ariel Peled, President, ISSA Israeli Chapter

P. Shreekanth, India

Karen Woo, Selangor, Malaysia

23.6 IIA International Advanced Technology Committee

Anton van Wyk (Chairman), CIA, PricewaterhouseCoopers, South Africa

Alexandre Alves Apparecido, Brasil Telecom, Brazil

Ken D. Askelson, CIA, JC Penney Co. Inc., USA

Dror Aviv, CFSA, IIA Israel

Donald L. Bailey, Grant Thornton LLP, USA

E. W. Sean Ballington, PricewaterhouseCoopers LLP, USA (originally South Africa)

Norman F. Barber, Microsoft Corp., USA

David F. Bentley, QiCA, Consultant, England

Claude Cargou, GIE AXA, France

Michael P. Fabrizius, CIA, Bon Secours Health System Inc., USA

Ramiz Tofigi Ganizade, Azerbaijan Republic Chamber of Auditors, Azerbaijan

Douglas Guerrero, EDS Corp., USA

Dr. Ulrich Hahn, CIA, Syngenta International, Switzerland

David J. Hill, IBM Corp., USA

Michael S. Hines, CIA, Purdue University, USA

Mark J. Hornung, Ernst & Young LLP, USA

Gene Kim, CTO, Tripwire Inc., USA

David S. Lione, KPMG LLP Southeast Region, USA

Peter B. Millar, ACL Services Ltd., Canada

Allan M. Newstadt, CIA, World Bank/International Finance Corp., USA

Brenda J. S. Putman, CIA, City Utilities of Springfield, USA


Kyoko Shimizu, CIA, Shin Nihon & Co., Japan

Brian M. Spindel, CIA, SecurePipe Inc., USA

Rajendra P. Srivastava, University of Kansas, USA

Jay Stott, CIA, Fidelity Investments, USA

Jay R. Taylor, CIA, CISA, CFE, General Motors Corp., USA

Thomas Jason Wood, CIA, Ernst & Young LLP, USA

Akitomo Yamamoto, IIA Japan

23.7 The Writing Team

David A. Richards, CIA, President, The IIA

Alan S. Oliphant, MIIA, QiCA, MAIR International

Charles H. Le Grand, CIA, CHL Global

23.8 IIA Headquarters Staff Production Team

Michael Feland

Trish Harris

Tim McCollum

Information Technology Controls

This guide focuses on how IT roles and responsibilities are dispersed throughout the organization, how accurate assessment of IT controls is achieved, and how an organization can promote IT reliability and efficiency.

What is GTAG?

Prepared by The Institute of Internal Auditors, each Global Technology Audit Guide (GTAG) is written in straightforward business language to address a timely issue related to information technology management, control, or security. GTAG is a ready resource series for chief audit executives to use in the education of members of the board and audit committee, management, process owners, and others regarding technology-associated risks and recommended practices.

Business Continuity Management

This GTAG focuses on how business continuity management (BCM) is designed to enable business leaders to manage the level of risk the organization could potentially encounter if a natural or man-made disruptive event that affects the extended operability of the organization were to occur. The guide includes disaster recovery planning for continuity of critical information technology infrastructure and business application systems.

Chief audit executives (CAEs) have been challenged to educate corporate executives on the risks, controls, costs, and benefits of adopting a BCM program. Although it is true that recent disasters around the world have motivated some corporate leaders to give attention to BCM programs, the implementation of such programs is far from universal. The key challenge is engaging corporate executives to make BCM a priority. Although most executives are likely to agree that BCM is a good idea, many will struggle to find the budget necessary to fund the program, as well as an executive sponsor that has the time to ensure its success. Business Continuity Management will help the CAE communicate business continuity risk awareness and support management in its development and maintenance of a BCM program.

Visit www.theiia.org/guidance/technology/gtag/gtag10 to rate this GTAG or submit your comments.

Order Number 100645
IIA Member US $25
Nonmember US $30
IIA Event US $22.50

www.theiia.org

ISBN 0-89413-570-8
ISBN 978-0-89413-623-8


When CAEs review and assess the controls over IT, they should ask:

• What do we mean by IT controls?
• Why do we need IT controls?
• Who is responsible for IT controls?
• When is it appropriate to apply IT controls?
• Where exactly are IT controls applied?
• How do we perform IT control assessments?

The audit process provides a formal structure for addressing IT controls within the overall system of internal controls. Figure 1, The Structure of IT Auditing, below, divides the assessment into a logical series of steps.

The internal auditor’s role in IT controls begins with a sound conceptual understanding and culminates in providing the results of risk and control assessments. Internal auditors interact with the people responsible for controls and must pursue continuous learning and reassessment as new technologies emerge and the organization’s opportunities, uses, dependencies, strategies, risks, and requirements change.

GTAG — Assessing IT Controls — An Overview — 4

“I keep six honest serving-men
(They taught me all I knew);
Their names are What and Why and When
and How and Where and Who.”

— Rudyard Kipling, from “Elephant’s Child” in Just So Stories

Figure 1 - The Structure of IT Auditing


COSO¹ defines internal control as “A process, effected by an organization’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations”

IT controls encompass those processes that provide assurance for information and information services and help mitigate the risks associated with an organization’s use of technology. These controls range from written corporate policies to their implementation within coded instructions; from physical access protection to the ability to trace actions and transactions to the individuals who are responsible for them; and from automatic edits to reasonability analysis for large bodies of data.

5.1 Control Classifications

Controls may be classified to help understand their purposes and where they fit into the overall system of internal controls (see Figure 3, Some Control Classifications, page 4). By understanding these classifications, the control analyst and auditor are better able to establish their positions in the control framework and answer key questions such as: Are the detective controls adequate to identify errors that may get past the preventive controls? Are corrective controls sufficient to fix the errors once detected? A common classification of IT controls is general versus application.

General controls (also known as infrastructure controls) apply to all systems components, processes, and data for a given organization or systems environment. General controls include, but are not limited to, information security policy, administration, access, and authentication; separation of key IT functions; management of systems acquisition and implementation; change management; and backup, recovery, and business continuity.

Application controls pertain to the scope of individual business processes or application systems. They include such controls as data edits, separation of business functions (e.g., transaction initiation versus authorization), balancing of processing totals, transaction logging, and error reporting.

The function of a control is highly relevant to the assessment of its design and effectiveness. Controls may be classified as preventive, detective, or corrective.

Preventive controls prevent errors, omissions, or security incidents from occurring. Examples include simple data-entry edits that block alphabetic characters from being entered into numeric fields, access controls that protect sensitive data or system resources from unauthorized people, and complex and dynamic technical controls such as antivirus software, firewalls, and intrusion prevention systems.

GTAG — Understanding IT Controls — 5

¹ COSO – Committee of Sponsoring Organizations for the Commission on Fraudulent Financial Reporting (The Committee of Sponsoring Organizations of the Treadway Commission). See www.coso.org.

It is not necessary to know “everything” about IT controls

Do not be concerned if you do not understand the full continuum or all the technical intricacies of IT controls. Many of these controls are the domain of specialists who manage specific risks associated with individual components of the systems and network infrastructure. In keeping with good separation of duties practices, some people who have specialized knowledge in a technology such as database management may know little about network components or communication protocols, and vice versa.

There are two key control concepts to remember:

1. Assurance must be provided by the IT controls within the whole system of internal control and must be continuous and produce a reliable and continuous trail of evidence.
2. The auditor’s assurance is an independent and objective assessment of the first assurance. It is based on understanding, examining, and assessing the key controls related to the risks the auditors manage, as well as performing sufficient tests to ensure the controls are designed appropriately and function effectively.

Figure 2

Detective controls detect errors or incidents that elude preventive controls. For example, a detective control may identify account numbers of inactive accounts or accounts that have been flagged for monitoring of suspicious activities. Detective controls can also include monitoring and analysis to uncover activities or events that exceed authorized limits or violate known patterns in data that may indicate improper manipulation. For sensitive electronic communications, detective controls can indicate that a message has been corrupted or the sender’s secure identification cannot be authenticated.
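The detective controls this paragraph describes can be written down as checks over data. The following is an added example, not code from the guide: it runs a constructed set of postings against a constructed account master to flag activity on inactive and monitored accounts, amounts above an authorized limit, and postings to unknown accounts, and it uses an HMAC tag so that a receiver can detect a message that was corrupted in transit or that was not tagged by a holder of the shared key. The account records, transactions, key and message text are all constructed for the example.

```python
import hashlib
import hmac
from decimal import Decimal

# Constructed account master (not from the guide): status, monitoring flag and authorized limit.
ACCOUNTS = {
    "1001": {"status": "active",   "monitored": False, "limit": Decimal("5000")},
    "1002": {"status": "inactive", "monitored": False, "limit": Decimal("5000")},
    "1003": {"status": "active",   "monitored": True,  "limit": Decimal("1000")},
}

# Constructed day's postings; T2 to T5 each carry something a detective control should see.
TRANSACTIONS = [
    {"id": "T1", "account": "1001", "amount": Decimal("250.00")},
    {"id": "T2", "account": "1002", "amount": Decimal("40.00")},    # activity on an inactive account
    {"id": "T3", "account": "1003", "amount": Decimal("120.00")},   # account flagged for monitoring
    {"id": "T4", "account": "1001", "amount": Decimal("7500.00")},  # above the authorized limit
    {"id": "T5", "account": "9999", "amount": Decimal("10.00")},    # no such account
]


def detect_account_anomalies(transactions, accounts):
    """Detective control run after the fact over posted data.
    Returns (transaction id, reason) pairs for items that got past the preventive controls."""
    findings = []
    for txn in transactions:
        acct = accounts.get(txn["account"])
        if acct is None:
            findings.append((txn["id"], "unknown account"))
            continue
        if acct["status"] != "active":
            findings.append((txn["id"], "activity on inactive account"))
        if acct["monitored"]:
            findings.append((txn["id"], "account flagged for monitoring"))
        if txn["amount"] > acct["limit"]:
            findings.append((txn["id"], "amount exceeds authorized limit"))
    return findings


def tag_message(key: bytes, message: bytes) -> str:
    """Sender side: HMAC-SHA256 tag over the message under a key shared with the receiver."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_message(key: bytes, message: bytes, tag: str) -> bool:
    """Receiver side: a mismatch means the message changed in transit or was not tagged by a
    holder of the key, so the sender cannot be authenticated. compare_digest keeps the
    comparison time independent of where the first differing byte is."""
    return hmac.compare_digest(tag_message(key, message), tag)


if __name__ == "__main__":
    for txn_id, reason in detect_account_anomalies(TRANSACTIONS, ACCOUNTS):
        print(f"{txn_id}: {reason}")
    key = b"constructed-demo-key"       # a real deployment draws this from a key store
    msg = b"PAY from=1001 to=1003 amount=250.00"
    tag = tag_message(key, msg)
    print("intact message accepted:", verify_message(key, msg, tag))
    print("altered amount detected:", not verify_message(key, msg.replace(b"250", b"950"), tag))
    print("wrong key detected:", not verify_message(b"some-other-key", msg, tag))
```

The account checks are deliberately separate from the posting step: a detective control is an independent pass over the data, so it still catches items that an outage or misconfiguration let through the preventive edits. The HMAC check only proves that the tag was produced by someone holding the key, so the same key must not be shared more widely than the sender and receiver it is meant to authenticate.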

Corrective controls correct errors, omissions, or incidents once they have been detected. They vary from simple correction of data-entry errors, to identifying and removing unauthorized users or software from systems or networks, to recovery from incidents, disruptions, or disasters.

Generally, it is most efficient to prevent errors or detect them as close as possible to their source to simplify correction. These corrective processes also should be subject to preventive and detective controls because they represent another opportunity for errors, omissions, or falsification.

Many other control classifications described in this guide may be useful in assessing their effectiveness. For example, automated controls tend to be more reliable than manual controls, and nondiscretionary controls are more likely to be applied consistently than discretionary controls. Other control classifications include mandatory, voluntary, complementary, compensating, redundant, continuous, on-demand, and event-driven.

5.2 Governance, Management, Technical

Another common classification of controls is by the group responsible for ensuring they are implemented and maintained properly. For the purpose of assessing roles and responsibilities, this guide primarily categorizes IT controls as governance, management, and technical. Information security program elements for these three categories are described in Appendix A (page 25). The first two levels — governance and management — are the most applicable to the scope of this guide, although it may also be useful to understand how higher-level controls specifically are established within the technical IT infrastructures. Technical controls will be the subject of more topic-specific GTAGs.

5.2.1 Governance Controls

The primary responsibility for internal control resides with the board of directors in its role as keeper of the governance framework. IT control at the governance level involves ensuring that effective information management and security principles, policies, and processes are in place, and that performance and compliance metrics demonstrate ongoing support for that framework.

Governance controls are those mandated by, and controlled by, either the entire board of directors or a board committee in conjunction with the organization’s executive management. These controls are linked with the concepts of corporate governance, which are driven both by organizational goals and strategies and by outside bodies such as regulators.

An important distinction between governance and management controls is the concept of “noses in, fingers out.” The board’s responsibility involves oversight rather than actually performing control activities. For example, the audit committee of the board does no auditing, but it does oversee both the internal and external auditing of the organization.

5.2.2 Management Controls

Management responsibility for internal controls typically involves reaching into all areas of the organization, with special attention to critical assets, sensitive information, and operational functions. Consequently, close collaboration among board members and executive managers is essential. Management must make sure the IT controls needed to achieve the organization’s established objectives are applied, and must ensure reliable and continuous processing. These controls are deployed as a result of deliberate actions by management to:

• Recognize risks to the organization, its processes, and assets.
• Enact mechanisms and processes to mitigate and manage risks (protect, monitor, and measure results).

5.2.3 Technical Controls

Technical controls form the foundation that ensures the reliability of virtually every other control in the organization. For example, by protecting against unauthorized access and intrusion, they provide the basis for reliance on the integrity of information — including evidence of all changes and their authenticity. These controls are specific to the technologies in use within the organization’s IT infrastructures. The ability to automate technical controls that implement and demonstrate compliance with management’s intended information-based policies is a powerful resource to the organization.

Figure 3 - Some Control Classifications

5.3 IT Controls – What to Expect

Individual control mechanisms a CAE can expect to find within the organization can be defined within the hierarchy of IT controls, from the overall high-level policy statements issued by management and endorsed by the board of directors down to the specific control mechanisms incorporated into application systems.

The hierarchy in Figure 4, IT Controls, this page, represents a logical “top-down” approach, both when considering controls to implement and when determining areas on which to focus audit resources during reviews of the entire IT operating environment. The different elements of the hierarchy are not mutually exclusive; they are all connected and can intermingle. Many of the control types within the elements are described below.

5.3.1 Policies

All organizations need to define their aims and objectives through strategic plans and policy statements. Without clear statements of policy and standards for direction, organizations can become disoriented and perform ineffectively. Organizations with clearly defined aims and objectives tend to be successful.

Because technology is vital to the operations of most organizations, clear policy statements regarding all aspects of IT should be devised and approved by management, endorsed by the board of directors, and communicated to all staff. Many different policy statements can be required, depending on the organization’s size and the extent to which it deploys IT. For smaller organizations, a single policy statement may be sufficient, provided it covers all the relevant areas. Larger organizations that implement IT extensively will require more detailed and specific policies.

IT policy statements include, but are not restricted to:

• A general policy on the level of security and privacy throughout the organization. This policy should be consistent with all relevant national and international legislation and should specify the level of control and security required depending on the sensitivity of the system and data processed.
• A statement on the classification of information and the rights of access at each level. The policy should also define any limitations on the use of this information by those approved for access.
• A definition of the concepts of data and systems ownership, as well as the authority necessary to originate, modify, or delete information. Without these guidelines, it is often difficult to coordinate change within large organizations because there may not be anyone designated to have overall responsibility for the data or systems.
• A general policy that defines the extent to which users can deploy intelligent workstations to create their own applications.
• Personnel policies that define and enforce conditions for staff in sensitive areas. This includes the positive vetting of new staff prior to joining the organization, carrying out annual credit checks, and having employees sign agreements accepting responsibility for the required levels of control, security, and confidentiality. This policy would also detail related disciplinary procedures.
• Definitions of overall business continuity planning requirements. These policies should ensure that all aspects of the business are considered in the event of a disruption or disaster — not just the IT elements.

A good source of IT and security policies is the SANS Security Policy Resource page (http://www.sans.org/resources/policies/#intro), a consensus research project of the SANS Institute community. The project offers free resources for rapid development and implementation of information security policies, including policy templates for 24 important security requirements. Although the templates were compiled to help the people attending SANS training programs, SANS makes them available to the world because Internet security depends on vigilance by all participants.

Figure 4 – IT Controls

The Center for Internet Security (www.cisecurity.org) reports that applying controls consistently over system and network component configuration will protect the organization from more than 85 percent of the top vulnerabilities identified by the U.S. National Institute of Standards and Technology (NIST), Federal Bureau of Investigation (FBI), SANS Institute, and Computer Security Institute (CSI).

5.3.2 Standards

Standards exist to support the requirements of policies. They are intended to define ways of working that achieve the required objectives of the organization. Adopting and enforcing standards also promotes efficiency because staff are not required to reinvent the wheel every time a new business application is built or a new network is installed. Standards also enable the organization to maintain the whole IT operating environment more efficiently.

Large organizations with significant resources are in a position to devise their own standards. On the other hand, smaller organizations rarely have sufficient resources for this exercise. There are many sources of information on standards and best practice, some of which are listed in Appendix I (see page 45). As a guideline, the CAE should expect to see standards adopted for:

• Systems Development Processes – When organizations develop their own applications, standards apply to the processes for designing, developing, testing, implementing, and maintaining systems and programs. If organizations outsource application development or acquire systems from vendors, the CAE should ascertain that agreements require the providers to apply standards consistent with the organization’s standards or acceptable to the organization.
• Systems Software Configuration – Because systems software provides a large element of control in the IT environment, standards related to secure system configurations, such as the CIS Benchmarks from the Center for Internet Security, are beginning to gain wide acceptance by leading organizations and technology providers. The way products such as operating systems, networking software, and database management systems are configured can either enhance security or create weaknesses that can be exploited.
• Application Controls – All applications which support business activities need to be controlled. Standards are necessary for all applications the organization develops or purchases that define the types of controls that must be present across the whole range of business activities, as well as the specific controls that should apply to sensitive processes and information.
• Data Structures – Having consistent data definitions across the full range of applications ensures disparate systems can access data seamlessly, and security controls for private and other sensitive data can be applied uniformly.
• Documentation – Standards should specify the minimum level of documentation required for each application system or IT installation, as well as for different classes of applications, processes, and processing centers.

As with policies, standards should be approved by management, should be written in clear and understandable language, and should be made available to all who implement them.

5.3.3 Organization and Management

Organization and management plays a major role in the whole system of IT control, as it does with every aspect of an organization’s operations. An appropriate organization structure allows lines of reporting and responsibility to be defined and effective control systems to be implemented.

5.3.3.1 Separation of Duties

Separation of duties is a vital element of many controls. An organization’s structure should not allow responsibility for all aspects of processing data to rest upon one individual or department. The functions of initiating, authorizing, inputting, processing, and checking data should be separated to ensure no individual can both create an error, omission, or other irregularity and authorize it and/or obscure the evidence. Separation-of-duties controls for application systems are provided by granting access privileges only in accordance with job requirements for processing functions and accessing sensitive information.

Traditional separation of duties within the IT environment is divided between systems development and operations. Operations should be responsible for running production systems — except for change deployment — and should have little or no contact with the development process. This control includes restrictions preventing operators from accessing or modifying production programs, systems, or data. Similarly, systems development personnel should have little contact with production systems. By assigning specific roles during implementation and other change processes to both the personnel responsible for application systems and those responsible for operations, appropriate separation of duties can be enforced. In large organizations, many other functions should be considered to ensure appropriate separation of duties, and these controls can be quite detailed. For example, privileged accounts such as the Administrator group in Windows and Super User in UNIX can modify log entries, access any file, and in many cases act as any user or role. It is important to restrict the number of individuals with this privilege to a minimum. Software tools are also available and should be considered to limit the power and monitor the activities of individuals with privileged accounts.
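The separation-of-duties rules in this subsection can be enforced in code as well as in organization charts. The following is an added example and not part of the guide: permissions are granted by role according to job function; a review check lists anyone who holds both halves of a conflicting pair (initiate and authorize, or development and production access); a transaction cannot be authorized by the person who initiated it; and the privileged role can be listed so that it is kept to a minimum. The role names, users and permission strings are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed role model (not from the guide): permissions follow job function, and the
# privileged role is kept separate from the day-to-day roles.
ROLE_PERMISSIONS = {
    "clerk":      {"transaction.initiate"},
    "supervisor": {"transaction.authorize"},
    "operator":   {"job.run", "backup.restore"},
    "developer":  {"code.commit", "test.deploy"},
    "sysadmin":   {"job.run", "backup.restore", "user.manage", "log.modify"},
}

# Constructed user-to-role assignments; carol holds a combination the review check should catch.
USERS = {
    "alice": {"clerk"},
    "bob":   {"supervisor"},
    "carol": {"clerk", "supervisor"},
    "dave":  {"operator"},
    "erin":  {"developer"},
    "root1": {"sysadmin"},
}

# Permission pairs that must not rest with one person: create versus approve, and
# development versus production operations.
CONFLICTING = [
    ("transaction.initiate", "transaction.authorize"),
    ("code.commit", "job.run"),
    ("code.commit", "backup.restore"),
]


def permissions_of(user):
    """Union of the permissions of every role the user holds."""
    perms = set()
    for role in USERS[user]:
        perms |= ROLE_PERMISSIONS[role]
    return perms


def has_permission(user, permission):
    return permission in permissions_of(user)


def sod_violations():
    """Review check: (user, a, b) for every user holding both halves of a conflicting pair."""
    hits = []
    for user in USERS:
        perms = permissions_of(user)
        for a, b in CONFLICTING:
            if a in perms and b in perms:
                hits.append((user, a, b))
    return hits


@dataclass
class Transaction:
    amount: int
    initiated_by: str
    authorized_by: Optional[str] = None


def initiate(user, amount):
    if not has_permission(user, "transaction.initiate"):
        raise PermissionError(f"{user} may not initiate transactions")
    return Transaction(amount=amount, initiated_by=user)


def authorize(txn, user):
    """Enforces the initiate/authorize split at the point of use, not only in role design."""
    if not has_permission(user, "transaction.authorize"):
        raise PermissionError(f"{user} may not authorize transactions")
    if user == txn.initiated_by:
        raise PermissionError("separation of duties: initiator may not authorize own transaction")
    txn.authorized_by = user
    return txn


def privileged_users(role="sysadmin"):
    """Who holds the privileged role; this list should stay as short as possible."""
    return sorted(u for u, roles in USERS.items() if role in roles)


if __name__ == "__main__":
    print("conflicting role combinations:", sod_violations())
    print("privileged users:", privileged_users())
    print(authorize(initiate("alice", 100), "bob"))
    try:
        authorize(initiate("carol", 50), "carol")
    except PermissionError as exc:
        print("blocked:", exc)
```

Two layers are shown on purpose. The role-level review (`sod_violations`) is what an auditor can run over an export of role assignments; the transaction-level check in `authorize` is what stops a user who legitimately holds both roles, or who has been granted them by mistake, from approving their own work.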

5.3.3.2 Financial Controls

Because organizations make considerable investments in IT, budgetary and other financial controls are necessary to ensure the technology yields the projected return on investment or proposed savings. Management processes should be in place to collect, analyze, and report information related to these issues. Unfortunately, new IT developments often suffer massive cost over-runs and fail to deliver the expected cost savings because of insufficient planning. Budgetary controls can help identify potential failings early in the process and allow management to take positive action. They may also produce historical data that organizations can use in future projects.

5.3.3.3 Change Management

Change management processes can be specified under organizational and management control elements. These processes should ensure that changes to the IT environment, systems software, application systems, and data are applied in a manner that enforces appropriate division of duties, makes sure changes work as required, prevents changes from being exploited for fraudulent purposes, and reveals the true costs of inefficiencies and system outages that can be obscured by ineffective monitoring and reporting processes. Change management is one of the most sensitive areas of IT controls and can seriously impact system and service availability if not administered effectively. The IT Process Institute has published research demonstrating that effective IT change management can bring significant benefits to organizations.

5.3.3.4 Other Management Controls

Other typical management controls include vetting procedures for new staff, performance measurement, provision of specialist training for IT staff, and disciplinary procedures. These are listed in the Information Security Program Elements in Appendix A and will be covered in greater detail in other GTAG publications.

5.3.4 Physical and Environmental Controls

IT equipment represents a considerable investment for many organizations. It must be protected from accidental or deliberate damage or loss. Physical and environmental controls, originally developed for large data centers that house mainframe computers, are equally important in the modern world of distributed client-server and Web-based systems. Although the equipment commonly used today is designed for ease of use in a normal office environment, its value to the business and the cost and sensitivity of applications running business processes can be significant. All equipment must be protected, including the servers and workstations that allow staff access to the applications.

Some typical physical and environmental controls include:

• Locating servers in locked rooms to which access is restricted
• Restricting server access to specific individuals
• Providing fire detection and suppression equipment
• Housing sensitive equipment, applications, and data away from environmental hazards such as low-lying flood plains or flammable liquid stores

When considering physical and environmental security, it is also appropriate to consider contingency planning — also known as disaster recovery planning — which includes response to security incidents. What will the organization do if there is a fire or flood, or if any other threat manifests itself? How will the organization restore the business and related IT facilities and services to ensure normal processing continues with minimum effect on regular operations? This type of planning goes beyond merely providing for alternative IT processing power to be available and routine backup of production data; it must consider the logistics and coordination needed for the full scope of business activity. Finally, history consistently demonstrates that a disaster recovery plan that has not been tested successfully in a realistic simulation is not reliable.

5.3.5 Systems Software Controls

Systems software products enable the IT equipment to be used by the application systems and users. These products include operating systems such as Windows, UNIX, and Linux; network and communications software; firewalls; antivirus products; and database management systems (DBMS) such as Oracle and DB2.

Systems software can be highly complex and can apply to components and appliances within the systems and network environment. It may be configured to accommodate highly specialized needs and normally requires a high degree of specialization to maintain it securely. Configuration techniques can control logical access to the applications, although some application systems contain their own access controls and may provide an opening for hackers to use to break into a system. Configuration techniques also provide the means to enforce division of duties, generate specialized audit trails, and apply data integrity controls through access control lists, filters, and activity logs.

IT audit specialists are required to assess controls in this area. Small organizations are unlikely to have the resources to employ such specialists and should consider outsourcing the work. Whether IT auditors are employed or outsourced, they require a highly specific set of knowledge. Much of this knowledge can come from experience, but such knowledge must be updated constantly to remain current and useful. Certification confirms that a technical specialist has acquired a specified set of knowledge and experience and has passed a related examination. In the IT audit world, global certificates include the Qualification in Computer Auditing (QiCA) from IIA–United Kingdom and Ireland; Certified Information Systems Auditor (CISA), available through the Information Systems Audit and Control Association (ISACA); and Global Information Assurance Certification (GIAC) Systems & Network Auditor (GSNA) from the SANS Institute’s GIAC program. Additional certifications address general and specialized competence in information security, network administration, and other areas closely related to IT auditing and are useful for identifying an IT auditor’s potential ability.

Some key technical controls the CAE should expect to find in a well-managed IT environment include:

• Access rights allocated and controlled according to the organization’s stated policy
• Division of duties enforced through systems software and other configuration controls
• Intrusion and vulnerability assessment, prevention, and detection in place and continuously monitored
• Intrusion testing performed on a regular basis
• Encryption services applied where confidentiality is a stated requirement
• Change management processes — including patch management — in place to ensure a tightly controlled process for applying all changes and patches to software, systems, network components, and data

5.3.6 Systems Development and Acquisition Controls

Organizations rarely adopt a single methodology for all systems development projects. Methodologies are chosen to suit the particular circumstances of each project. The IT auditor should assess whether or not the organization develops or acquires application systems using a controlled method that subsequently provides effective controls over and within the applications and the data they process. All computer application systems should perform only those functions the user requires, in an efficient way. By examining application development procedures, the auditor can gain assurance that applications work in a controlled manner.

Some basic control issues should be evident in all systems development and acquisition work:

• User requirements should be documented, and their achievement should be measured.
• Systems design should follow a formal process to ensure that user requirements and controls are designed into the system.
• Systems development should be conducted in a structured manner to ensure that requirements and design features are incorporated into the finished product.
• Testing should ensure that individual system elements work as required, system interfaces operate as expected, users are involved in the testing process, and the intended functionality has been provided.
• Application maintenance processes should ensure that changes in application systems follow a consistent pattern of control. Change management should be subject to structured assurance validation processes.

Where systems development is outsourced, the outsourcer or provider contracts should require similar controls.

Project management techniques and controls need to be part of the development process, whether developments are performed in-house or are outsourced. Management should know projects are on time and within budget and that resources are used efficiently. Reporting processes should ensure that management completely understands the current status of development projects and does not receive any surprises when the end product is delivered.

5.3.7 Application-based Controls

The objective of internal controls over application systems is to ensure that:

• All input data is accurate, complete, authorized, and correct.
• All data is processed as intended.
• All data stored is accurate and complete.
• All output is accurate and complete.
• A record is maintained to track the process of data from input to storage and to the eventual output.

Reviewing the application controls traditionally has been the “bread and butter” of the IT auditor. However, because application controls now represent a huge percentage of business controls, they should be the priority of every internal auditor. All internal auditors need to be able to evaluate a business process and understand and assess the controls provided by automated processes.

There are several types of generic controls that the CAE should expect to see in any application:

• Input Controls – These controls are used mainly to check the integrity of data entered into a business application, whether the source is input directly by staff, remotely by a business partner, or through a Web-enabled application. Input is checked to ensure that it remains within specified parameters.
• Processing Controls – These controls provide automated means to ensure processing is complete, accurate, and authorized.
• Output Controls – These controls address what is done with the data. They should compare results with the intended result and check them against the input.
• Integrity Controls – These controls can monitor data in process and/or in storage to ensure that data remains consistent and correct.
• Management Trail – Processing history controls, often referred to as an audit trail, enable management to track transactions from the source to the ultimate result and to trace backward from results to identify the transactions and events they record. These controls should be adequate to monitor the effectiveness of overall controls and identify errors as close as possible to their sources.
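The five generic application controls listed above, together with the preventive data-entry edit from Section 5.1 (blocking alphabetic characters in a numeric field), in one added example that is not code from the guide. Input edits reject records with letters in a numeric field, a non-numeric amount, or missing authorization; record counts and value totals taken at input are balanced against what was posted; a digest over the stored output detects later alteration; and a management trail records each step so that any reference can be traced from input to result. The batch records and their field names are constructed for the example.

```python
import hashlib
import json
from decimal import Decimal, InvalidOperation

# Constructed input batch (not from the guide): records as they arrive from data entry or a
# partner feed. Some are deliberately bad so the input edits have something to reject.
RAW_INPUT = [
    {"ref": "A1", "account": "1001", "amount": "100.00", "approved": "Y"},
    {"ref": "A2", "account": "10O2", "amount": "50.00",  "approved": "Y"},  # letter O in a numeric field
    {"ref": "A3", "account": "1003", "amount": "abc",    "approved": "Y"},  # non-numeric amount
    {"ref": "A4", "account": "1004", "amount": "75.50",  "approved": "N"},  # not authorized
    {"ref": "A5", "account": "1005", "amount": "24.50",  "approved": "Y"},
]


def validate_record(rec):
    """Input control (preventive edit): return None if the record passes, else the reason."""
    if not rec["account"].isdigit():
        return "account must be numeric"
    try:
        amount = Decimal(rec["amount"])
    except InvalidOperation:
        return "amount must be numeric"
    if amount <= 0:
        return "amount must be positive"
    if rec["approved"] != "Y":
        return "record not authorized"
    return None


def output_digest(posted):
    """Integrity control: a digest over the stored output, recomputed later to detect alteration."""
    canonical = json.dumps(
        [{"ref": r["ref"], "account": r["account"], "amount": str(r["amount"])} for r in posted],
        sort_keys=True,
    )
    return hashlib.sha256(canonical.encode()).hexdigest()


def process_batch(raw):
    """Run input, processing, output, integrity and management-trail controls over one batch."""
    trail = []                      # management trail: one entry per step per reference
    accepted, rejected = [], []
    for rec in raw:
        reason = validate_record(rec)
        if reason:
            rejected.append((rec["ref"], reason))
            trail.append({"ref": rec["ref"], "step": "input", "result": "rejected: " + reason})
        else:
            accepted.append({"ref": rec["ref"], "account": rec["account"],
                             "amount": Decimal(rec["amount"])})
            trail.append({"ref": rec["ref"], "step": "input", "result": "accepted"})

    # Processing control: control totals (record count and value) taken before posting.
    in_count, in_total = len(accepted), sum(r["amount"] for r in accepted)
    posted = []
    for r in accepted:
        posted.append(dict(r))      # the posting step; a real system would update a ledger here
        trail.append({"ref": r["ref"], "step": "post",
                      "result": f"posted {r['amount']} to account {r['account']}"})

    # Output control: what came out is compared with what went in.
    out_count, out_total = len(posted), sum(r["amount"] for r in posted)
    balanced = (in_count, in_total) == (out_count, out_total)
    trail.append({"ref": "BATCH", "step": "input-totals", "result": f"{in_count} records, {in_total}"})
    trail.append({"ref": "BATCH", "step": "output-totals", "result": f"{out_count} records, {out_total}"})
    return {
        "posted": posted,
        "rejected": rejected,
        "balanced": balanced,
        "control_total": in_total,
        "digest": output_digest(posted),
        "trail": trail,
    }


def trace(trail, ref):
    """Management trail: every recorded step for one reference, from input to result."""
    return [e for e in trail if e["ref"] == ref]


def integrity_intact(posted, digest):
    """Recompute the digest over stored output and compare with the one recorded at posting."""
    return output_digest(posted) == digest


if __name__ == "__main__":
    result = process_batch(RAW_INPUT)
    print("posted:", [r["ref"] for r in result["posted"]], "balanced:", result["balanced"])
    print("rejected:", result["rejected"])
    print("trace A1:", trace(result["trail"], "A1"))
    tampered = [dict(r) for r in result["posted"]]
    tampered[0]["amount"] = Decimal("999.00")
    print("intact after tampering:", integrity_intact(tampered, result["digest"]))
```

The control totals are the part most often left out of ad hoc scripts: without an independent count and value taken before processing, a record silently dropped or altered during posting leaves no evidence, and the trail entries for the batch as a whole are what an auditor uses to confirm the totals were actually compared.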


54 Information SecurityInformation security is an integral part of all IT controlsInformation security applies to both infrastructure and dataand is the foundation for the reliability of most other IT con-trols The exceptions are controls relating to the financialaspects of IT (eg ROI budgetary controls) and some proj-ect management controls The universally accepted elements of information security are

bull Confidentiality ndash Confidential information must onlybe divulged as appropriate and must be protected fromunauthorized disclosure or interceptionConfidentiality includes privacy considerations

bull Integrity ndash Information integrity refers to the state ofdata as being correct and complete This specificallyincludes the reliability of financial processing andreporting

bull Availability ndash Information must be available to thebusiness its customers and partners when where andin the manner needed Availability includes the abili-ty to recover from losses disruption or corruption ofdata and IT services as well as from a major disasterwhere the information was located

55 IT Controls FrameworkIT controls are not automatic For the more than 50 yearsorganizations have used IT controls have not always been thedefault condition of new systems hardware or software Thedevelopment and implementation of controls typically lagbehind the recognition of vulnerabilities in systems and thethreats that exploit such vulnerabilities Further IT controls are not defined in any widely recognized standardapplicable to all systems or to the organizations that use them

Many frameworks exist for categorizing IT controls and their objectives. Each organization should use the most applicable components of these frameworks to categorize or assess IT controls and to provide and document its own internal control framework for:

• Compliance with applicable regulations and legislation.

• Consistency with the organization's goals and objectives.

• Reliable evidence (assurance) that activities are in compliance with management's governance policies and are consistent with the organization's risk appetite.

Risk Appetite

An organization's risk appetite defines the degree of risk a company or other organization is willing to accept in pursuit of its goals, as determined by executive management and governance. Risk appetite can specify, for example, whether or not an organization will take an aggressive role in the deployment of new and emerging technologies. An organization's risk appetite can be affected by its industry and regulatory environment. Closely related to risk appetite is an organization's risk tolerance, which measures how far it is willing to deviate from its stated measure of risk appetite.

Many issues drive the need for IT controls, including controlling costs and remaining competitive, protecting against information theft by hackers, and complying with legislation and regulation such as the U.S. Sarbanes-Oxley Act of 2002,² the European Union's Data Protection Directive, and related legislation in other countries. IT controls promote reliability and efficiency and allow the organization to adapt to changing risk environments. For example, any control that mitigates or detects fraud or cyber attacks enhances the organization's resiliency by helping the organization uncover the risk and manage its impact. Resiliency is a result of a strong system of internal controls that gives an organization the ability to manage disruptions seamlessly.

Legislation and regulations in some countries now require organizations to report on the effectiveness of internal control and, by implication, the effectiveness of IT control. The most prominent new law is Sarbanes-Oxley, which requires all companies with shares that are publicly traded in the United States, and their foreign subsidiaries, to report on their system of internal controls over financial reporting, performed in conjunction with an audit of financial statements. A list of some of the legislation and regulations applicable to internal controls is provided in Appendix B (see page 24).

The need for controls is further driven by the complexity resulting from the necessity for diverse technical components to work with one another. While flexibility and adaptability of IT are crucial to meeting the changing needs of customers and business partners and responding to competitive pressures, they also add complexity to business and IT infrastructures. In addition, information security has been acknowledged as a key component of internal control with the emergence and widespread acceptance of standards such as the International Organization for Standardization Code of Practice for Information Security Management (ISO 17799).

Organizations that implement effective IT controls experience improvements in efficiencies, reliability of services, flexibility of systems, and availability of assurance evidence — all of which add value and increase stakeholder and regulator confidence in the organization. Some key indicators of effective IT controls include:

• The ability to execute planned new work, such as the IT infrastructure upgrades required to support new products and services.

• Delivery of development projects on time and within budget, resulting in cheaper and better product and service offerings when compared with competitors.

• Ability to allocate resources predictably.

• Consistent availability and reliability of information and IT services across the organization and for customers, business partners, and other external interfaces.

• Clear communication to management of effective controls.

• The ability to protect against new vulnerabilities and threats quickly and efficiently, and to recover from any disruption of IT services.

• The efficient use of a customer support center or help desk.

• A security-conscious culture among end users throughout the organization.

Although the internal audit function likely will include specialist IT auditors to address IT issues in detail, the CAE also should understand IT control issues at a high level, particularly their interactions with other IT and non-IT controls. This understanding is particularly important when discussing compliance or control deficiencies with high-level managers such as the chief executive officer (CEO), chief financial officer (CFO), or chief information officer (CIO), and with the various board committees.

The CAE should be able to discuss relevant regulations and legislation with the audit committee, the chief legal counsel, and other relevant individuals and committees. The CAE also should understand how IT controls support reliability and effectiveness and help promote competitive advantage. Moreover, the CAE should thoroughly understand the major issues that drive the need for controls within the organization's particular sector to ensure they are considered during audit assessments. Without a thorough knowledge and understanding of IT controls, the auditor will be unable to grasp their significance or to assess them adequately as part of the overall review of internal control.

GTAG — Importance of IT Controls — 6

² Public Accounting Reform and Investor Protection Act of 2002, known as Sarbanes-Oxley after its sponsors, U.S. Sen. Paul Sarbanes and U.S. Rep. Michael Oxley.

GTAG — IT Roles in the Organization — 7

Many different roles have emerged in recent years for positions within the organization with responsibilities and ownership of IT controls. Each position at the governance, management, operational, and technical levels should have a clear description of its roles and responsibilities for IT controls to avoid confusion and ensure accountability for specific issues. This section addresses the various IT control roles and responsibilities within the organization and allocates them to specific positions within a hypothetical organizational structure.

There is no universally applicable means of defining the organizational structure for IT control. The CAE should identify where IT control responsibilities lie and assess their appropriateness with regard to separation of duties, as well as any gaps that may exist in assigned responsibilities. Once this is done, the CAE will know whom to approach to discuss specific IT issues and where specific information can be obtained.

Overall, the objectives for the use of IT within any organization are:

• To deliver reliable information efficiently and secure IT services in line with the organization's strategies, policies, external requirements, and risk appetite.

• To protect stakeholder interests.

• To enable mutually beneficial relationships with customers, business partners, and other outside parties that accomplish business objectives.

• To identify and respond to threats and potential violations of control appropriately.

Specific roles within the organization support these objectives. The position descriptions and titles will differ across different countries, industries, and organizations, and some of the roles may be merged within smaller organizations. However, some individuals within the organization must address the IT control function and interact with the CAE and internal audit staff members.

7.1 Board of Directors/Governing Body

One important role of the full board of directors is to determine and approve strategies, set objectives, and ensure that objectives are being met to support the strategies. In relation to IT, this requires:

• Awareness of the key IT topics, such as the IT and information security policies and the concepts of risk as they relate to IT. An example of board roles in IT oversight is provided in The IIA's "Information Security Management and Assurance Series" at www.theiia.org/iia/index.cfm?doc_id=2458.

• Understanding of the IT strategy's infrastructure and components, as well as awareness of key system development and acquisition projects and how they support and impact overall corporate strategies, objectives, and short- and long-term budgets.

• Approval of the data classifications structure and the related access rights.

The board will establish various committees based on its relationships with the organization. The most common committees of the board are audit, compensation, and governance, but some boards have additional committees such as a risk management committee or finance committee. These committees may bear different names from those identified below, and their roles may vary. The functions, rather than the names, are important.

7.1.1 Audit Committee

The role of the audit committee encompasses oversight of financial issues, internal control assessment, risk management, and ethics. IT control is a strong element of each of these duties and calls for:

• Understanding of financial management (financial expert role) and the organization's reliance on IT for financial processing and reporting.

• Ensuring IT topics are included in the committee meeting agenda — especially CIO reporting.

• Ensuring general IT controls and controls in business application systems and processes involved in preparing financial statements are assessed and tested adequately.

• Overseeing the overall assessment of IT controls.

• Reviewing the business and control issues related to new systems development and acquisition.

• Examining internal and external audit plans and work to ensure IT topics are covered adequately.

• Reviewing the results of audit work and monitoring the resolution of issues raised.

• Understanding the IT topics that impact ethics monitoring.

7.1.2 Compensation Committee

The compensation committee has no direct relationship with IT. However, it can improve the board's oversight of IT by making IT one of the performance elements of any compensation plan it approves.

7.1.3 Governance Committee

The governance committee is responsible for board member selection and assessment and for leadership of the board's operations. In relation to IT, this committee should:

• Ensure that potential and current board members have a suitable IT knowledge or background.

• Assess board committees' performance in terms of their oversight of IT.

• Review any external regulatory governance assessments in relation to IT topics.

• Ensure that the board reviews IT policies periodically and that board meetings focus on IT with adequate frequency.

7.1.4 Risk Management Committee

The risk management committee is responsible for oversight of all risk analysis and assessment, risk response, and risk monitoring. Its role includes:

• Assessing the extent to which management has established effective enterprise risk management in the organization.

• Being aware of and concurring with the organization's risk appetite and tolerance.

• Appreciating the impact of IT-related risks.

• Reviewing the organization's risk portfolio — including IT risks — and considering it against the organization's risk appetite.

• Being apprised of the most significant IT risks and determining whether or not management's response to changes in risk and threats is appropriate.

• Monitoring and evaluating all activities performed by management to minimize all known and documented risks.

7.1.5 Finance Committee

The main role of the finance committee is to review financial statements, cash flow projections, and investment management. Members of this committee need to understand the control elements of IT that ensure the accuracy of information used to make key financing decisions and generate financial reports. They also should consider, and ask management to report on, the benefits and costs of maintaining — versus replacing — critical IT systems. Management's report should consider "soft" efficiency issues, such as gains or losses to productivity based on ease and efficiency of use; the "hard" costs of repairs and upgrades; and the potential for risk due to loss or corruption of data.

7.2 Management

Several specific roles have emerged in large organizations in relation to IT risk and control. As stated previously, small organizations might not allocate an individual for each role, although the function must still be performed. An individual may perform multiple roles, but care must be taken so that allocating these roles does not compromise the need for division of duties where roles are incompatible. Where IT is outsourced, there is still a requirement for organizations to keep many of these roles in-house to provide oversight of the outsourced functions.

7.2.1 Chief Executive Officer

The individual with overall strategic and operational control of the organization must consider IT in most aspects of the role. In particular, the CEO will:

• Define corporate objectives and performance measures in relation to IT.

• Act as custodian over the organization's critical success factors in relation to IT.

• Understand and approve the short-term and long-range strategy for IT.

• Approve IT resources for the organization, including structure and oversight/monitoring.

• Determine IT issues for periodic management, board, and staff discussion.

• Operate as the highest-level control owner, having ultimate responsibility for the success or failure of controls and for coordinating all other operational managers within their responsibilities framework who act as control owners of their particular areas.

7.2.2 Chief Financial Officer

The CFO has overall responsibility for all financial matters in the organization and should have a strong understanding of the use of IT, both to enable financial management and to support corporate objectives. This individual should have an overall understanding of:

• The total cost of ownership for IT initiatives.

• The entity's IT strategies for remaining technologically competitive.

• The technologies used to implement financial applications.

• The operation of specific financial applications.

• The limitations and benefits of IT.

• The IT control structure for general controls that apply to all business systems and data, as well as controls that are specific to financial applications.

The CFO should operate as the highest-level control owner for financial systems and data.

IT Controls and Ethics

As evidenced by cases ranging from Equity Funding in the 1970s to the scandals that continue to emerge today, the use of technology creates significant opportunities to initiate and perpetuate fraud and deception. The authority to override certain controls brings with it the temptation to initiate improper actions. If such improprieties go unnoticed or are tacitly allowed to continue, they can grow into outright fraud. Therefore, when an organization provides an individual the opportunity to perform actions on behalf of the organization, it has a corresponding responsibility to provide monitoring to detect and correct improper activities quickly. The organization also has a responsibility to identify threats of this sort and to establish safeguards as a preventive measure. The same technology tools that can create the opportunity for fraud can be used to identify activities, or even unusual patterns in transactions or other data, that may indicate evidence of fraud or questionable behavior.

7.2.3 Chief Information Officer

The CIO has overall responsibility for the use of IT within the organization. In relation to IT controls, the CIO should:

• Understand the business requirements that drive the need to implement IT.

• Develop IT partnerships with business management to:
  – Ensure IT strategy is aligned with the business strategy.
  – Ensure compliance.
  – Profit from process-efficiency gains.
  – Mitigate assessed risks.

• Design, implement, and maintain an IT internal control framework.

• Plan, source, and control IT resources.

• Explore, assess, select, and implement technology advances (e.g., wireless communications).

• Provide training for IT personnel to ensure that levels of knowledge and skills remain current.

• Operate as the highest-level data/system custodian and IT control owner.

• Measure the operational performance of IT in support of business objectives by:
  – Setting expectations.
  – Evaluating results.
  – Developing all necessary means to verify and acknowledge that IT is providing services and support as expected by its users and final customers, such as regulators and external and internal auditors.

7.2.4 Chief Security Officer

The chief security officer (CSO) is responsible for all security across the entire organization, including information security, which may be the responsibility of a chief information security officer as well. The CSO:

• Has responsibility for documenting the enterprise security policy and for ensuring mechanisms have been established to communicate and enforce the policy.

• Has overall responsibility for logical and physical security in the organization and for all external connections to the Internet or other networks.

• Acts as a key link between the compliance, legal, CIO, and audit functions.

• Is at the forefront of implementing key compliance programs affecting IT, such as Sarbanes-Oxley and the European Union (EU) Data Protection Directive.

• Is responsible for business continuity planning, including incident handling and disaster recovery.

• Ensures that security staff provide support for implementing controls at all levels.

• Acts as the key leader for investigating and evaluating new best practices that may be incorporated into the organization.

7.2.5 Chief Information Security Officer (CISO)

Information security is a subset of the overall security role. The CISO:

• Develops and implements the information security policy in coordination with the CSO.

• Controls and coordinates information security resources, ensuring they are allocated adequately to meet the organization's security objectives.

• Ensures alignment of information security and business objectives.

• Manages operational information risks throughout the organization.

• Oversees security within the IT organization.

• Provides education and awareness on information security issues and new best practices.

• Develops end-user policies for the usage of IT information in conjunction with the human resources function.

• Coordinates information security work with the chief risk officer (CRO) and CIO.

• Advises the CEO, CRO, CIO, and board on IT risk issues.

• Acts as a key link for the CAE when internal auditing performs IT control-related audits.

7.2.6 Chief Legal Counsel (CLC)

Legal counsel may be an employee or officer of the organization or an external legal adviser. The role involves:

• Understanding and dealing with the liabilities arising out of information disclosures and providing policy-level guidance to help manage risks related thereto.

• Ensuring financial reports and presentations comply with laws and regulations.

• Understanding IT legal issues and advising on legal risks related to IT.

• Managing organizational reputation in relation to legal issues, compliance, and public relations.

• Understanding fraud involving IT.

• Managing IT contractual issues.

• Understanding investigative forensics protocols regarding suspected criminal activity.

7.2.7 Chief Risk Officer

The CRO is concerned with managing risk at all levels of the organization. Because IT risks form a part of this function, the CRO will consider them with the help of the CISO. This includes:

• Analysis and assessment of IT risk exposures, including information compromises such as loss, damage, unauthorized disclosure, and interrupted access.

• Assessment of IT events, such as interruptions, disasters, and changes.

• Analysis and assessment of business risk as it is affected by IT risk.

• Monitoring, supporting, and acting as a mentor for all IT activities related to minimizing risks.

7.3 Audit

7.3.1 Internal Auditing – CAE and Audit Staff

Internal auditing is an essential part of the corporate governance process, whether or not a specific internal audit group is employed. Internal auditors need a general understanding of IT, but the level of their understanding will vary depending on the category of auditing or audit supervision they perform (IIA Standard 1210.A3). The IIA defines three categories of IT knowledge for internal auditors; Appendix C (see page 28) describes these categories. The internal audit role in relation to IT involves:

• Advising the audit committee and senior management on IT internal control issues.

• Ensuring IT is included in the audit universe and annual plan (selecting topics).

• Ensuring IT risks are considered when assigning resources and priorities to audit activities.

• Defining IT resources needed by the internal audit department, including specialized training of audit staff.

• Ensuring that audit planning considers IT issues for each audit.

• Liaising with audit clients to determine what they want or need to know.

• Performing IT risk assessments.

• Determining what constitutes reliable and verifiable evidence.

• Performing IT enterprise-level controls audits.

• Performing IT general controls audits.

• Performing IT applications controls audits.

• Performing specialist technical IT controls audits.

• Making effective and efficient use of IT to assist the audit processes.

• During systems development or analysis activities, operating as experts who understand how controls can be implemented and circumvented.

• Helping to monitor and verify the proper implementation of activities that minimize all known and documented IT risks.

7.3.2 External Auditor

Independent external audits are a requirement for most organizations and normally are performed annually. Topics to be considered by the internal audit department and the audit committee include:

• The extent of the external auditor's responsibilities for understanding and evaluating the IT system and related IT controls during financial audits.

• The scope of the external auditor's responsibilities for examining the IT system and controls during any formal attestation that may be required by statute or regulation, such as internal controls over financial reporting and other regulatory requirements.

³ These definitions are taken from the COSO Enterprise Risk Management – Integrated Framework (Oct. 2004).

8.1 Risk Determines Response

IT controls are selected and implemented on the basis of the risks they are designed to manage. As risks are identified — through experience or formal risk assessment — suitable risk responses are determined, ranging from doing nothing and accepting the risk as a cost of doing business to applying a wide range of specific controls, including insurance.

It would be a relatively straightforward task to create a list of recommended IT controls that must be implemented within each organization. However, each control has a specific cost that may not be justified in terms of cost effectiveness when considering the type of business done by the organization. Furthermore, no list of controls is universally applicable across all types of organizations. Although there is a lot of good advice available on the choice of suitable controls, strong judgment must be used. Controls must be appropriate for the level of risk faced by the organization.

The CAE should be able to advise the audit committee that the internal control framework is reliable and provides a level of assurance appropriate to the risk appetite of the organization. In this respect, the risk appetite of the organization is defined by COSO³ as:

"… the degree of risk, on a broad-based level, that a company or other organization is willing to accept in pursuit of its goals. Management considers the organization's risk appetite first in evaluating strategic alternatives, then in setting objectives aligned with the selected strategy and in developing mechanisms to manage the related risks."

In addition, the CAE should consider risk tolerance. COSO defines risk tolerance as:

"… the acceptable level of variation relative to the achievement of objectives. In setting specific risk tolerances, management considers the relative importance of the related objectives and aligns risk tolerances with its risk appetite."

Thus, the CAE should consider whether or not:

• The organization's IT environment is consistent with the organization's risk appetite.

• The internal control framework is adequate to ensure that the organization's performance remains within the stated risk tolerances.

8.2 Risk Considerations in Determining the Adequacy of IT Controls

Risk management applies to the entire spectrum of activity within an organization, not just to the application of IT. IT cannot be considered in isolation but must be treated as an integral part of all business processes. Choosing IT controls is not simply a matter of implementing those recommended as best practices. They must add value to the organization by reducing risk efficiently and increasing effectiveness.

When considering the adequacy of IT controls within the organization's internal control framework, the CAE should consider the processes established by management to determine:

• The value and criticality of information.

• The organization's risk appetite and tolerance for each business function and process.

• IT risks faced by the organization and quality of service provided to its users.

• The complexity of the IT infrastructure.

• The appropriate IT controls and the benefits they provide.

• Harmful IT incidents in the past 24 months.

The frequency of risk analysis is important and is influenced greatly by technological change. In a static business and technical infrastructure environment, the risk assessment process could be as infrequent as yearly, or could be performed in concert with a major implementation project.

8.2.1 The IT Infrastructure

Analyzing and assessing risk in relation to IT can be complex. The IT infrastructure consists of hardware, software, communications, applications, protocols (rules), and data, as well as their implementation within physical space, within the organizational structure, and between the organization and its external environment. Infrastructure also includes the people interacting with the physical and logical elements of systems.

The inventory of IT infrastructure components reveals basic information about the vulnerabilities of the environment. For example, business systems and networks connected to the Internet are exposed to threats that do not exist for self-contained systems and networks. Because Internet connectivity is an essential element of most business systems and networks, organizations must make certain that their systems and network architectures include the fundamental controls that ensure basic security.

The complete inventory of the organization's IT hardware, software, network, and data components forms the foundation for assessing the vulnerabilities within the IT infrastructures that may impact internal controls. Systems architecture schematics reveal the implementation of infrastructure components and how they interconnect with other components within and outside the organization. To the information security expert, the inventory and architecture of IT infrastructure components — including the placement of security controls and technologies — reveals potential vulnerabilities. Unfortunately, information about a system or network can also reveal vulnerabilities to a potential attacker, so access to such information must be restricted to only those people who need it. A properly configured system and network environment will minimize the amount of information it provides to would-be attackers, and an environment that appears secure presents a less attractive target to most attackers.

GTAG — Analyzing Risk — 8

8.2.2 IT Risks Faced by the Organization

The CAE discusses IT risk issues with the CIO and process owners to ensure that all related parties have an appropriate awareness and understanding of the technical risks faced by the organization through the use of IT and their roles in applying and maintaining effective controls.

8.2.3 Risk Appetite and Tolerance

Armed with the knowledge of IT risks, the auditor can validate the existence of effective controls to meet the established risk appetite of the organization and its risk tolerance in relation to IT. The auditor's assessment will involve discussions with many members of management and, ultimately, with the board. The level of detail of these discussions can be determined by the CRO with input from the CIO, CISO, CSO, CAE, and process owners. The final decision regarding risk appetite and tolerance must be made by the risk committee — with input from the audit committee — and must be endorsed by the full board. The definitions of risk appetite and tolerance must be communicated to all relevant managers for implementation.

The goal of enterprise risk management is to ensure that everyone is working with the same level and understanding of risk and that decisions made at all levels of management are consistent with the organization's risk appetite.

8.2.4 Performing Risk Analysis

Performing risk analysis is not the sole preserve of either the CRO or the CAE, although both of them, or their representatives, should be involved along with representatives from IT and the business areas.

There are eight basic questions associated with the risk assessment process. The first five include:

• What are the assets at risk, and the value of their confidentiality, integrity, and availability?

• What could happen to affect that information asset value adversely (threat event)? Implicit to this question is the vulnerability analysis and mapping of vulnerabilities to threats and potentially impacted information assets.

• If a threat event happened, how bad could its impact be?

• How often might the event be expected to occur (frequency of occurrence)?

• How certain are the answers to the first four questions (uncertainty analysis)?

The next three questions apply to risk mitigation analysis:

• What can be done to reduce the risk?

• How much will it cost?

• Is it cost-efficient?

8.2.5 Value of Information

Determining the value of the information processed and stored is not an easy task due to the multidimensional nature of value. The Generally Accepted Information Security Principles (GAISP) Guidelines for Information Valuation, published by the Information Systems Security Association (www.ISSA.org), address information value within the following categories:

• Exclusive possession – cost in the event of a breach of confidentiality.

• Utility – cost in the event of a loss of integrity.

• Cost of creation/re-creation.

• Liability in the event of litigation.

• Convertibility/negotiability – represents market value.

• Operational impact of unavailability.

8.2.6 Appropriate IT Controls

Finally, appropriate IT controls must be chosen and implemented to address the risks identified. Much advice is available on this subject. See Appendix I (see page 45).

The CAE and internal audit group should be involved in the process of analyzing and assessing risk. While they should operate in a manner that maintains the independence and objectivity of their function, they also must provide an opinion on the effectiveness of the internal control framework.

8.3 Risk Mitigation Strategies

When risks are identified and analyzed, it is not always appropriate to implement controls to counter them. Some risks may be minor, and it may not be cost effective to implement expensive control processes for them.

In general there are several ways to mitigate the poten-tial impact of risks

bull Accept the risk One of the primary functions ofmanagement is managing risk Some risks are minorbecause their impact and probability of occurrence islow In this case consciously accepting the risk as acost of doing business is appropriate as well as periodically reviewing the risk to ensure its impactremains low

bull Eliminate the risk It is possible for a risk to be associated with the use of a particular technologysupplier or vendor The risk can be eliminated byreplacing the technology with more robust productsand by seeking more capable suppliers and vendors

bull Share the risk Risk mitigation approaches can beshared with trading partners and suppliers A goodexample is outsourcing infrastructure management Insuch a case the supplier mitigates the risks associatedwith managing the IT infrastructure by being morecapable and having access to more highly skilled staffthan the primary organization Risk also may be mitigated by transferring the cost of realized risk toan insurance provider

bull Controlmitigate the risk Where other options havebeen eliminated suitable controls must be devisedand implemented to prevent the risk from manifesting itself or to minimize its effects

GTAG — Analyzing Risk — 8

16

8.4 Control Characteristics to Consider

Some of the issues to be addressed during the IT control evaluation process include:

• Is the control effective?
• Does it achieve the desired result?
• Is the mix of preventive, detective, and corrective controls effective?
• Do the controls provide evidence when control parameters are exceeded or when controls fail? How is management alerted to failures, and which steps are expected to be taken?
• Is evidence retained (audit or management trail)?

8.5 Baseline IT Controls

IT controls are to be applied when mitigating the risks is the best option. While IT controls should be applied with due regard to the relevant risks, there is a basic set of controls that need to be in place to provide a fundamental level of IT hygiene. For example, the use of a firewall to control traffic between a corporate network and a public network such as the Internet, or between internal network domains, is a baseline control. The level of risk associated with the business value and sensitivity of the network traffic, the services provided, and the information stored in the infrastructure determines the extent to which firewalls restrict traffic coming into and departing from an organization's networks. Firewalls are a physical and logical manifestation of information security policy elements that dictate what is allowed into or out of an organization.

IT controls most widely applicable to all IT infrastructures are known as baseline controls. There are many types of baseline controls. Two baselines that apply to IT security controls are the Digital Dozen from the VISA Cardholder Information Security Program (CISP) and the Fundamental Five from the Center for Internet Security (see sidebars on this page). The Fundamental Five and Digital Dozen complement each other.

It is not easy to define the baseline IT controls because the general threats, such as malicious software and hacking, change, and newer technologies and applications frequently are implemented across the organization. The following questions can be considered when selecting a suitable set of baseline controls:

• Do IT policies, including for IT controls, exist?
• Have responsibilities for IT and IT controls been defined, assigned, and accepted?
• Are IT infrastructure, equipment, and tools logically and physically secured?
• Are access and authentication control mechanisms used?
• Is antivirus software implemented and maintained?
• Is firewall technology implemented in accordance with policy (e.g., where external connections such as the Internet exist and where separation between internal networks is needed)?
• Are external and internal vulnerability assessments completed, and risks identified and appropriately resolved?
• Are change and configuration management and quality assurance processes in place?
• Are structured monitoring and service measurement processes in place?
• Are specialist IT audit skills available (either internally or outsourced)?

Further information on baseline controls can be found in Appendix I (see page 45). More comprehensive information on risk analysis and management can be found in the IIA paper "Information Security Management and Assurance: A Call to Action for Corporate Governance" (http://www.theiia.org/eSAC/pdf/BLG0331.pdf).


Fundamental Five

The Consensus Benchmarks from the Center for Internet Security (www.cisecurity.org) provide guidance on the "Fundamental Five" of basic security hygiene. Use of these benchmarks typically results in an 80 percent to 95 percent reduction of known vulnerabilities.

1. Identity and Access Management (including privilege assignment and authentication)
2. Change Management (including patch management)
3. Configuration Management
4. Firewalls (workstation, host, sub-network, and perimeter)
5. Malware protection (including worms and viruses)

Digital Dozen

One of the most concise and broadly useful summaries of security guidance is the VISA CISP, which has proven its value for over two years in use by VISA credit card network service providers, including banks, processors, merchants, and others. VISA refers to these requirements as its "Digital Dozen":

1. Install and maintain a working firewall to protect data
2. Keep security patches up-to-date
3. Protect stored data
4. Encrypt data sent across public networks
5. Use and regularly update anti-virus software
6. Restrict access by need to know
7. Assign a unique Identification Code (ID) to each person with computer access
8. Don't use vendor-supplied defaults for passwords and security parameters
9. Track all access to data by unique ID
10. Regularly test security systems and processes
11. Implement and maintain an information security policy
12. Restrict physical access to data

17

9.1 Choosing a Control Framework

The process of identifying and assessing the IT controls necessary to address specific risks is aided considerably by the organization's adoption of a formal control framework. This framework should apply to, and be used by, the whole organization — not just internal auditing. Although many frameworks exist, no single framework covers every possible business type or technology implementation.

A control framework is a structured way of categorizing controls to ensure that the whole spectrum of control is adequately covered. The framework can be informal or formal. A formal approach will satisfy the various regulatory or statutory requirements faced by many organizations more readily.

Each organization should examine existing control frameworks to determine which of them — or which parts — most closely fit its needs. The process of choosing or constructing a control framework should involve all positions in the organization with direct responsibility for controls. The CAE should be involved in the decision process because the internal audit function will assess the framework's adequacy and use it as a context for planning and performing audit work.

The CAE needs an overall knowledge of IT risk issues to assess the effectiveness and appropriateness of IT controls. The CAE will base the audit plan and allocate audit resources according to the IT areas and issues that merit attention due to their inherent levels of risk. Risk analysis and assessment cannot be viewed as a one-time process, especially when applied to IT, because technology changes constantly and rapidly, as do the associated risks and threats.

Categorizing IT controls according to their organizational placement, purpose, and functionality is useful in assessing their value and adequacy, as well as the adequacy of the system of internal controls. Knowledge of the range of available IT controls, the driving forces for controls, and organizational roles and responsibilities allows for comprehensive risk analysis and assessments. In assessing control effectiveness, it is also useful to understand whether the controls are mandated or voluntary, discretionary or nondiscretionary, manual or automated, primary or secondary, and subject to management override.

Finally, the assessment of IT controls involves selecting key controls for testing, evaluating test results, and determining whether or not evidence indicates any significant control weaknesses. The checklist in Appendix H can help the CAE ensure all relevant issues have been considered when planning and directing internal audit assessments of IT controls. Several existing frameworks and approaches can assist the CAE and other managers when determining IT control requirements. However, organizations should investigate enough frameworks to determine which one best fits their own needs and culture. A partial list of available frameworks is provided in Appendix D (see page 29).

The COSO Internal Control – Integrated Framework (1992) is accepted by the U.S. Public Company Accounting Oversight Board (PCAOB) for the purpose of reporting compliance with financial reporting provisions, but it is not specific to all areas of IT. This framework is considered to be a "suitable, recognized" framework to adopt for Sarbanes-Oxley compliance because it covers all areas of IT implementation, albeit at a high level of abstraction (see Figure 5, COSO Model for Technology Controls, page 18).

GTAG — Monitoring and Techniques — 9

COSO Model for Technology Controls

Monitoring
• Monthly metrics from technology performance
• Technology cost and control performance analysis
• Periodic technology management assessments
• Internal audit of technology enterprise
• Internal audit of high risk areas

Control Activities
• Review board for change management
• Comparison of technology initiatives to plan and return on investment
• Documentation and approval of IT plans and systems architecture
• Compliance with information and physical security standards
• Adherence to business continuity risk assessment
• Technology standards compliance enforcement

Information and Communication
• Periodic corporate communications (intranet, e-mail, meetings, mailings)
• Ongoing technology awareness of best practices
• IT performance survey
• IT and security training
• Help desk ongoing issue resolution

Risk Assessment
• IT risks included in overall corporate risk assessment
• IT integrated into business risk assessments
• Differentiate IT controls for high risk business areas/functions
• IT internal audit assessment
• IT insurance assessment

Control Environment
• Tone from the top – IT and security controls considered important
• Overall technology policy and information security policy
• Corporate Technology Governance Committee
• Technology Architecture and Standards Committee
• Full representation of all business units

Figure 5 - COSO Model for Technology Controls

18

9.2 Monitoring IT Controls

Determining where to apply control monitoring and assessment, and their frequency, is not easy. Participation by the auditor in risk analysis exercises and implementation of a suitable control framework help ensure that the CAE has sufficient information to create a suitable audit plan to address the major IT risks.

Ultimately, management is responsible for monitoring and assessing controls. The auditor's monitoring and assessments are performed to independently attest to management's assertions regarding the adequacy of controls. Management's control monitoring and assessment activities should be planned and conducted within several categories, as follows.

9.2.1 Ongoing Monitoring

• Daily/Periodic – Some information must be checked daily to ensure controls are working as required. Management normally performs such monitoring, which traditionally involves checking data-processing control reports to reconcile satisfactory task and job completion. Such controls, where they exist, are most often automated. The CAE will ensure such management monitoring is in place and that it is subjected to internal audit assessment.

• Event-driven – Discrepancies or even frauds may result within normal processing or in special circumstances, such as where there are large-value transactions. In many IT environments, malicious attacks are likely. Consequently, specific controls should be in place to detect and report unusual activities to an entity within the organization that is chartered specifically to investigate and determine if preventive or corrective actions should be applied. Such monitoring controls are complementary to the normal controls employed and provide assurance on the effectiveness of those controls, or early warning that they may have been breached.

• Continuous – Technology now provides the ability to monitor and assess certain sensitive controls continuously. A good example of continuous monitoring is the use of intrusion detection software, which continually monitors network traffic for evidence that other protective controls, such as firewalls and virus protection, may have been breached.

9.2.2 Special Reviews

• Annual (or quarterly) control assessment – Sarbanes-Oxley legislation in the United States requires cyclical control assessments. Although the board of directors is required to make statements regarding the effectiveness of internal controls, management actually must provide the assurances to the board, and the internal and external auditors must perform sufficient audit work to attest to these assurances.

• Audit reviews – A regular program of audit reviews is still necessary despite the proliferation of new audit approaches. It is only through the formal review of infrastructure, process, and technology implementation that the CAE can assess the overall reliability and robustness of the system of internal controls. In the past, such reviews were planned on a cyclical basis. However, given the fast-changing world of IT, audit reviews should now be scheduled based on the level of risk.


Suitable Recognized Framework

"…the framework on which management's assessment of the issuer's internal control over financial reporting is based must be a suitable, recognized control framework that is established by a body or group that has followed due-process procedures, including the distribution of the framework for public comment. By far the best-known framework that meets that definition is the framework designed by The Committee of Sponsoring Organizations of the Treadway Commission, otherwise known as the COSO report, which was published in 1992."

— Scott A. Taub, Deputy Chief Accountant, U.S. Securities and Exchange Commission (SEC), SEC and Financial Reporting Conference, Pasadena, California, May 29, 2003

19

10.1 What Audit Methodology to Use

A lot has changed in the 40 years that IT auditing has existed. Technology components have become smaller, faster, and cheaper, even as overall IT costs to the organization have increased significantly. The majority of business processes have been automated, typically to provide efficiencies but also to enable certain business processes that cannot be performed manually. Ubiquitous network communications, including the Internet, have eliminated any distinction between business and electronic business.

The audit process similarly has evolved to match the automation of business processes. In the early days of automation, auditors "audited around the computer." Now they use software routinely to test or analyze data and technical controls within systems.

A widely used audit approach involves operational analysis of the processing of important business transactions by automated systems. In such audits, the auditor identifies activities and information subject to control and assesses the ability of existing controls to provide reliable protection — including sufficient evidence of the reliability of controls. Because operational audits of automated business processes frequently identify internal control deficiencies, internal auditors may sometimes shift their attention to audits of — or even involvement in — the processes whereby business activities are automated, such as systems design, development and acquisition, implementation, and maintenance.

Experienced auditors develop extensive knowledge of internal controls and their strengths and weaknesses. Therefore, it is not uncommon for internal auditors to provide consulting services to the management responsible for designing and implementing internal controls. The scope and limitations on such consulting activity are prescribed in the International Standards for the Professional Practice of Internal Auditing (see http://www.theiia.org/guidance/standards-and-practices). However, internal auditor involvement in design, development, or implementation activities does not absolve management from responsibility for those activities.

Today, no specific audit methodologies can be regarded as the sole current best practice. Internal auditors adopt the methods and practices that best suit the work needed. For example:

• When performing an assessment against Sarbanes-Oxley requirements, a systems-based audit approach may be the best method.

• Fraud investigations may require the use of audit software to analyze data and look for evidence. Audit software provides strong analytical capability, plus the ability to examine all relevant records and files.

• Performing annual audit work in support of the main internal audit objectives will most likely follow a risk-based approach.

10.2 Testing IT Controls and Continuous Assurance

In addition to assessing the adequacy of IT control mechanisms, regular reviews should be performed to ensure that controls continue to function as required. A traditional method used by internal auditors is to create a population of test data that can be processed through the business systems and to check the results to ensure, for example, that controls continue to accept valid data and reject incorrect and invalid items. However, given the widespread, complex, and interactive nature of business systems today, audit testing tends to focus more specifically on key automated controls and analysis of the data.

20

GTAG — Assessment — 10

How Auditing Contributes to IT Controls

During the past four decades, there have been periods of reflection when management and auditors agreed the auditors could add value to the organization by contributing their controls expertise to development processes to ensure appropriate controls were incorporated into new systems, rather than adding controls after an audit revealed a deficiency. These activities coincided with the developments in control and risk self-assessment in the mainstream audit world. Audit consulting and risk-based auditing became widespread. The 1990s and beyond also saw dramatic increases in attention to information security management as cyber attacks increased in number and severity. These events have helped shape the role of the IT auditor, as well as the business world's recognition of the importance of effective information security management.

10.2.1 Automated Continuous Monitoring

Continuous monitoring and audit tools have been used for many years. Previously called embedded audit software, program code in business systems checks data being processed against predetermined criteria and reports anomalies it detects. The benefit of such monitoring is obvious: any discrepancies can be identified and acted upon immediately. Many proprietary business software products now provide such continuous monitoring functionality. The concept has also gone beyond business applications. For example, most firewall products and intrusion detection systems continuously check for potential attack scenarios and provide instant alerts when potential attacks are detected. This type of monitoring can cause problems due to the considerable volume of data and potential errors that are highlighted, not all of which will be worthy of attention. The task of refining the analysis techniques and monitoring thresholds requires constant vigilance to determine which alerts to highlight and which to accept as normal events.
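As an added illustration of the embedded audit check described above and of the event-driven monitoring in 9.2.1 (this is example code written for this page, not from the GTAG or any product), the Python below runs constructed transaction records against predetermined criteria, produces the exception report an investigating function would receive, and shows how a large-value threshold can be tuned to change alert volume. The criteria values, account names and the sample ledger are all constructed.

```python
"""Embedded audit module (added example): checks transactions against
predetermined criteria and reports the anomalies it finds.
Criteria, account names and transactions are constructed for illustration."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Transaction:
    txn_id: str
    posted_at: datetime
    amount: float
    entered_by: str
    approved_by: str
    vendor: str


@dataclass(frozen=True)
class Criteria:
    """Predetermined criteria; adjusting these is the threshold-refinement task."""
    large_value: float = 50_000.0               # event-driven trigger for large items
    business_hours: Tuple[int, int] = (8, 18)   # postings outside [8, 18) are unusual
    # Scheduled jobs legitimately post at night; their out-of-hours activity is
    # accepted as a normal event rather than raised as an alert.
    batch_accounts: FrozenSet[str] = frozenset({"BATCH"})


@dataclass(frozen=True)
class Alert:
    txn_id: str
    rule: str
    detail: str


def check_transactions(txns: List[Transaction], crit: Criteria) -> List[Alert]:
    """Run every transaction through the criteria and collect the anomalies."""
    alerts: List[Alert] = []
    seen: Dict[Tuple[str, float], str] = {}   # (vendor, amount) -> first txn_id seen
    start, end = crit.business_hours
    for t in txns:
        # Event-driven trigger: large-value transactions merit specific scrutiny.
        if t.amount >= crit.large_value:
            alerts.append(Alert(t.txn_id, "large_value",
                                f"{t.amount:,.2f} >= {crit.large_value:,.2f}"))
        # Segregation of duties: whoever enters an item must not also approve it.
        if t.entered_by == t.approved_by:
            alerts.append(Alert(t.txn_id, "segregation_of_duties",
                                f"entered and approved by {t.entered_by}"))
        # Out-of-hours posting is unusual unless done by a known batch account.
        if not (start <= t.posted_at.hour < end) and t.entered_by not in crit.batch_accounts:
            alerts.append(Alert(t.txn_id, "out_of_hours", t.posted_at.isoformat()))
        # Same vendor and amount seen before: possible duplicate payment.
        key = (t.vendor, t.amount)
        if key in seen:
            alerts.append(Alert(t.txn_id, "possible_duplicate",
                                f"same vendor and amount as {seen[key]}"))
        else:
            seen[key] = t.txn_id
    return alerts


def summarize(alerts: List[Alert]) -> Dict[str, int]:
    """Alert volume per rule: the figure used when deciding which rules need tuning."""
    return dict(Counter(a.rule for a in alerts))


def large_value_volume(txns: List[Transaction], thresholds: List[float]) -> Dict[float, int]:
    """How many large-value alerts each candidate threshold would raise."""
    return {th: sum(1 for t in txns if t.amount >= th) for th in thresholds}


# Constructed sample ledger (not real data).
SAMPLE_TRANSACTIONS = [
    Transaction("T001", datetime(2024, 3, 4, 9, 15), 1_200.00, "alice", "bob", "Acme Ltd"),
    Transaction("T002", datetime(2024, 3, 4, 10, 40), 75_000.00, "carol", "dave", "Globex"),
    Transaction("T003", datetime(2024, 3, 4, 23, 5), 3_400.00, "alice", "alice", "Initech"),
    Transaction("T004", datetime(2024, 3, 5, 2, 0), 18_900.00, "BATCH", "dave", "Payroll"),
    Transaction("T005", datetime(2024, 3, 5, 11, 20), 1_200.00, "bob", "alice", "Acme Ltd"),
    Transaction("T006", datetime(2024, 3, 5, 14, 0), 250_000.00, "carol", "carol", "Globex"),
]

if __name__ == "__main__":
    found = check_transactions(SAMPLE_TRANSACTIONS, Criteria())
    for a in found:                       # the exception report for the investigating function
        print(f"{a.txn_id} {a.rule}: {a.detail}")
    print("volume by rule:", summarize(found))
    print("large-value alerts by threshold:",
          large_value_volume(SAMPLE_TRANSACTIONS, [10_000, 50_000, 100_000]))
```

Removing the batch-account exemption makes the nightly payroll posting appear as an alert, which is the kind of noise the thresholds and exemptions exist to filter.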

10.2.2 Automated Internal Control Analysis Tools

Audit software can be used to analyze stored data and check its validity to ensure the continuous, reliable operation of internal controls. Originally designated audit interrogation software, products such as ACL (www.acl.com) or CaseWare IDEA (www.caseware.com) now provide sophisticated features and specific analysis that can reduce the control assessment workload while increasing effectiveness and efficiency. Spreadsheet products like Microsoft Excel also contain powerful analysis tools auditors may use.

10.2.3 Automated Risk Analysis

Tools also are available for automating the risk analysis process. These tools are invaluable to the entire internal audit function, not just the IT auditor or risk specialist. Performing a proper risk analysis in today's complex IT environments is not easy without the assistance of automated tools.

Management is responsible for performing risk assessments to determine the controls to implement or improve. Internal auditors perform similar analysis when assessing the adequacy of controls for audit plan and scope purposes. Automated tools can assist both processes. The automation of internal audit management is a major topic in its own right.

10.3 Audit Committee/Management/Audit Interfaces

It is impractical to establish rules for reporting on every special IT control situation. The CAE must apply prudent judgment when expressing an opinion or submitting a report to the audit committee. This is no different from the way the CAE interacts with the audit committee regarding other internal control issues.

The CAE will discuss internal control issues with the audit committee to determine the optimum level of information to be provided to enable the audit committee to achieve its statutory, regulatory, policy, due care, or other governance obligations.

"Metrics and reporting" and "audit report summaries" are two areas where the CAE should interact with the audit committee regarding internal controls. Further interactions will depend on the needs of the specific audit committee and any legislative or regulatory requirements.

Metrics and reporting. Metrics and reports must present meaningful information on the status of IT controls. While management provides the metrics and reporting, the CAE should be able to attest to their validity and opine on their value. This is accomplished through audit examination of the relevant control areas to produce an independent and objective assessment. The CAE should liaise with management at all levels and with the audit committee to agree on the validity and effectiveness of the metrics and assurances chosen for reporting.

A basic set of governance and management metrics for information security is included in Appendix G (see page 40). These metrics do not include specific data regarding the operation of detailed technical controls, although the technical controls may provide the information used in measurement. The actual metrics used will depend on the organization and the needs of the audit committee. The CAE can select examples of measurements taken at any level of the organization to help illustrate matters that can materially impact controls at the governance level.

Audit report summaries. Prepared on a regular basis for the audit committee, these reports summarize findings, conclusions, and opinions regarding the status of IT controls. They also can report on the agreed-upon actions from prior audit reports and the status of those actions — probably on an exception basis, for actions not taken within the designated time frame. IT controls summaries cannot be presented in isolation but should be presented in the context of the entire internal control framework.

The frequency of reporting depends on the organization's needs. In a strong regulatory environment, such as that provided by Sarbanes-Oxley in the United States, quarterly reporting is required. Otherwise, the frequency of reporting will be driven by the organization's governance framework and philosophy and the extent to which IT risks exist.


Figure 6 – Audit Interfaces

21

Assessing IT controls is an ongoing process because business processes are constantly changing, technology continues to advance, threats evolve as new vulnerabilities emerge, and audit methods keep improving. The CAE should keep assessments of IT controls that support business objectives near the top of the audit agenda.

Assessing IT controls is not a case of determining whether best practices are employed, as controls are specific to the organization's mission, objectives, culture, deployed processes and technologies, and risks. Technology should be tailored to provide effective control, and the CAE should ensure internal auditing adopts appropriate and effective methods. Auditing IT is a continuous learning process.

The CAE is rarely in a position to understand all the technologies used in his or her environment and their specific control implications. That is why properly certified and experienced IT auditors are a major asset for any internal audit function. However, the CAE should understand the overall control issues and be able to communicate them to senior management and to appropriate committees of the board of directors in a form they will understand and in a manner that will result in an appropriate response. The key to assessing IT controls effectively is communication with technical staff, management, and board members.

22

GTAG — Conclusion — 11

Note: This appendix is extracted from the report of the Best Practices and Metrics team of the Corporate Information Security Working Group (CISWG), as provided on November 17, 2004, to the Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census, Government Reform Committee, U.S. House of Representatives, and subsequently amended on January 10, 2005. Additional information may be obtained from the "Technology" section of http://www.theiia.org.

12.1 Governance (Board of Directors)

• Oversee risk management and compliance programs pertaining to information security (e.g., Sarbanes-Oxley, Health Insurance Portability and Accountability Act, Gramm-Leach-Bliley Act)
• Approve and adopt broad information security program principles and approve assignment of key managers responsible for information security
• Strive to protect the interests of all stakeholders dependent on information security
• Review information security policies regarding strategic partners and other third parties
• Strive to ensure business continuity
• Review provisions for internal and external audits of the information security program
• Collaborate with management to specify the information security metrics to be reported to the board

12.2 Management

• Establish information security management policies and controls and monitor compliance
• Assign information security roles, responsibilities, and required skills, and enforce role-based information access privileges
• Assess information risks, establish risk thresholds, and actively manage risk mitigation
• Ensure implementation of information security requirements for strategic partners and other third parties
• Identify and classify information assets
• Implement and test business continuity plans
• Approve information systems architecture during acquisition, development, operations, and maintenance
• Protect the physical environment
• Ensure internal and external audits of the information security program, with timely follow-up
• Collaborate with security staff to specify the information security metrics to be reported to management

12.3 Technical

Establishing a complete information security program requires attention to the following technical program elements:

• User identification and authentication
• User account management
• User privileges
• Configuration management
• Event and activity logging and monitoring
• Communications, e-mail, and remote access security
• Malicious code protection, including viruses, worms, and trojans
• Software change management, including patching
• Firewalls
• Data encryption
• Backup and recovery
• Incident and vulnerability detection and response
• Collaboration with management to specify the technical metrics to be reported to management

23

GTAG — Appendix A — Information Security Program Elements — 12

There is an increasing volume of legislation impacting onthe internal control framework that organizations choose toimplement Although much of this legislation has emergedover recent years in the United States as a result of variouscorporate scandals it has impacted organizations in othercountries as well Organizations should be aware of the rel-evant legislation regulation and business practices aroundthe world mdash particularly in all countries in which they dobusiness mdash to assess the organizational impacts and require-ments

For example data protection legislation in Europeinhibits the transfer of information across borders to countries that do not have comparable data-protection regulation in place This impacts trading relationships wherethe information to be transferred refers to identifiable individuals Sarbanes-Oxley contains requirements forreporting on the system of internal controls for all organiza-tions publicly traded in the United States as well as theirforeign subsidiaries

This appendix provides a summary of requirements andthe impact of some of the major legislation and regulationthat should be considered in assessing and managing IT controls Although this GTAG is aimed at a global audi-ence it covers Sarbanes-Oxley in some depth because it isone of the most significant pieces of legislation to emerge inrecent years The Organisation for Economic Co-operationand Development (OECD) Corporate GovernancePrinciples provide a general framework for the implementa-tion of business controls The Basel II Accords have a majorimpact on the international financial sector and many havesuggested Basel II guidance may also influence other sectors

131 US Sarbanes-Oxley Act of 2002Sarbanes-Oxley (httpwwwtheiiaorgiiaguidanceissuessarbanes-oxleypdf) was intended to reform public account-ing practices and other corporate governance processes andshore up the capital markets in the wake of the Enron andWorldCom corporate governance scandals The PCAOBprovides a comprehensive collection of information andadvice on Sarbanes-Oxley at its Web site (http wwwsar-banes-oxleycom) The key requirements of Sarbanes-Oxley the SEC and US stock listing exchanges are fullycompared and contrasted in an IIA Research Foundationanalysis titled ldquoAssessment Guide for US LegislativeRegulatory and Listing Exchanges Requirements AffectingInternal Auditingrdquo (wwwtheiiaorgiiadownloadcfmfile=519)

However Sarbanes-Oxley does not address the issue of ITcontrols specifically This does not mean IT can be ignoredwhen performing the compliance reviews required by theact The act is neutral with regard to technology but theimplication is clear that IT controls are critical to an organi-zationrsquos overall system of internal controls As IT controlsaddress the secure stable and reliable performance of hard-ware software and personnel to ensure the reliability of

ware software and personnel to ensure the reliability offinancial applications processes and reporting they must bea significant element of compliance reviews

Some key IT control areas have been interpreted as notbeing incorporated in Sarbanes-Oxley compliance Theseinclude privacy business continuity business systems dataclassification and information not specific to financial pro-cessing and reporting Therefore any audit specifically lim-ited to Sarbanes-Oxley compliance will not assess all therisks faced by the organization and must be supplemented toensure full audit coverage of the organizationrsquos risk manage-ment and internal controls

Tools and resources for corporate governance initiatives and current legislation can be found on The IIA's Web site at http://www.theiia.org/iia/index.cfm?doc_id=4061.

13.1.1 Sarbanes-Oxley Sections Relevant to IT Controls

The following briefly describes the sections of Sarbanes-Oxley that relate to auditors and IT controls.

13.1.1.1 Sections 103 and 802

These sections establish rules for the public accounting firm relating to the audit and report. In particular, they require the board to establish standards for the audit work. They also require auditors to test the internal control structures and attest to the strength of those structures. This review must include a thorough examination of the IT controls that are fundamental to the system of internal control over financial reporting.

One specific requirement relates to the retention of records "that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets." Again, this is influenced greatly by the way in which IT records are maintained and retained.

13.1.1.2 Section 201

This section requires that external auditors be independent. This precludes them from performing work for a client in the capacity of IT consultants or providing outsourced internal audit services. Organizations that do not wish to employ their own IT auditors cannot outsource the work to their external auditors.

13.1.1.3 Section 301

Section 301 defines the need for audit committee members to be independent and precludes them from performing any other consulting work on behalf of the organization. It also requires audit committees to establish procedures to handle "confidential, anonymous submission by employees of the issuer of concerns regarding questionable accounting or auditing matters" (whistle-blower complaints). This would also relate to any issues arising from the control of IT.

13.1.1.4 Sections 302 and 404

GTAG — Appendix B — Compliance With Laws and Regulations and Guidance on Compliance Implementation — 13

Section 302 of the act requires the CEO and CFO — who are responsible for financial information and the system of internal controls — to evaluate the system of internal controls every 90 days and report on their conclusions and any changes.

They must disclose:

• "All significant deficiencies in the design or operation of internal controls that could adversely affect the issuer's ability to record, process, summarize, and report financial data and identify for the issuer's auditors any material weaknesses in internal controls."

• "Any fraud, whether or not material, that involves management or other employees who have a significant role in the issuer's internal controls."

Section 404 requires the CEO and CFO to produce an annual audit report that:

• Assesses the effectiveness of the internal control structure over financial reporting.

• Discloses all known internal control weaknesses.

• Discloses all known frauds.

This report will cover all applicable IT controls, including program logic and related change controls, access controls, and data protection. The PCAOB Auditing Standard No. 2 suggests the COSO Internal Control – Integrated Framework as a basis for Section 404 compliance management. References to Statement of Auditing Standards (SAS) 95 also emphasize the importance of IT and information security controls to Sarbanes-Oxley.

13.1.1.5 Section 409

Section 409 requires organizations to disclose any material changes to operations in real time and in plain English. Some contend these requirements establish a foundation or need for continuous monitoring, auditing, and assurance processes to become part of significant internal control processes.

13.2 Basel II Accord

The Basel II Accord is a global regulatory treaty that defines the global standards for enterprisewide risk management practices in the financial sector, with the intent to mitigate risks of losses in the industry. The focus is on the banking sector, but there is a clear intent to harmonize standards across all segments of the industry. All areas of bank operations are included — people, processes, systems, governance, and supplier management.

A bank willing to qualify for the Advanced Measurement Approach (AMA) under the Operational Risk (OR) Treaty must implement best practice in operations and risk management. For risk management, this means:

• Senior management is actively involved.

• The bank has an OR management system, processes, policies, and procedures enterprisewide.

• The bank has the right governance and sufficient resources to manage operational risks.

• The bank has an OR management function that is responsible for:
  – Designing and implementing the OR management framework.
  – Codifying policies, procedures, and controls.
  – Designing and implementing an OR measurement methodology.
  – Designing and implementing an OR management reporting system.
  – Developing strategies to identify, measure, monitor, and control or mitigate OR.

• An OR measurement system is closely integrated into the day-to-day risk management process.

• The OR exposures and loss experiences are regularly reported.

• The OR management system is documented.

• Internal and external auditors regularly review the OR management processes and measurement system.

Key to success in OR management is an information system that supports OR exposure self-assessment, allows process mapping, consists of an OR loss database and reporting function, and entails an action-plan management function.

The Basel Committee does not specify the approach or distributional assumptions to be used to generate the OR measure for regulatory capital purposes. However, the framework allows for three basic approaches that essentially are dependent on the quality and quantity of risk management data. Whereas using more data and historical metrics to prove good performance may allow banks to maintain less capital reserves and to quantify OR, the banks must be able to demonstrate that their approaches capture potentially severe "tail" loss events (severe, unexpected losses). Moreover, consistency with the scope of OR as defined by the Basel Committee is required.

First, a bank's organization-wide risk assessment methodologies must capture key business, environmental, and internal control factors that can change its OR profile. In addition, the bank should have a process for assessing overall capital adequacy.

Next, the risk measurement system must be granular enough to capture the tails of the loss estimates. Banks are expected to use expert opinion in conjunction with external data for scenario analysis to evaluate their exposure to high-severity events. Because a bank does not have enough of its own data in the area of high-impact, low-frequency risks, it must acquire data from an external provider such as the Zurich-based ORX Global Operational Loss Database (GOLD) or MORE Exchange.

The banks must have a credible, transparent, well-documented, and verifiable approach for weighting these fundamental elements in their overall OR measurement system. There are additional prerequisites to qualify for the AMA:

• Internal loss and performance data — successes, near misses, and failures — all must be tracked and accounted for (reconciled to the books of the bank).


• Internal loss data must be linked to the bank's current business activities.

• An observation period of at least five years is required for internal loss data, with a minimum of three years necessary when moving to AMA.

• According to the internal loss collection process:
  – OR losses related to credit risk and historically included in banks' credit risk databases continue to be treated as credit risk for the purpose of calculating minimum regulatory capital under this framework. Such losses should be flagged separately.
  – OR losses related to market risk are treated as OR for the purposes of calculating minimum regulatory capital under this framework and are subject to the OR capital charge.

• The OR measurement system must use relevant external data.

Third, Basel II disclosure requires banks to describe their risk management objectives and policies for each separate risk area, including:

• Strategies and processes.

• Structure and organization of the risk management function.

• Scope and nature of risk reporting.

• Policies for hedging and mitigating risks (including operations).

Note: The BITS Key Risk Measurement Tool for Information Security Operational Risks, or "BITS Kalculator" (http://www.bitsinfo.org/bitskalculatorjuly04.pdf), is a tool financial institutions of all sizes can use to evaluate critical information security risks to their businesses. It can be downloaded at no cost from the BITS Web site (http://www.bitsinfo.org/wp.html).

13.3 Data Protection

The concept of data protection was developed when computerization issues were raised at United Nations and OECD conferences in the late 1960s. The first national law was enacted in 1974 in Sweden, and the OECD published its Data Protection Guidelines in 1980 (OECD C (80) 58 final). Regional bodies like the Council of Europe (Data Protection Convention 108/1981, human rights-based) and the European Commission (EC) (Directive 95/46/EC, consumer protection-oriented) have enacted binding frameworks for implementation in their member states. Depending on their legal system, many countries around the globe have constitutional provisions and omnibus laws or a broad spectrum of sector regulations for data protection. To bridge the differences in U.S. and European Union (EU) privacy regulations, the EC and the U.S. Department of Commerce developed a safe harbor framework for U.S. companies. The safe harbor is a framework agreement consisting of seven principles and a series of frequently asked questions. (See also http://www.was4.hewitt.com/hewitt/resource/legislative_updates/europe/eu_data1.htm.)

The EU legislation requires organizations to protect the personal information of individuals. The legislation also mandates that appropriate technical measures be taken to ensure the security of personal data, whether electronic or manual. Further information regarding data protection can be found at the Electronic Privacy Information Center (EPIC) (http://www.epic.org), Privacy International (http://www.privacyinternational.org), and the UK Office of the Information Commissioner (http://www.informationcommissioner.gov.uk).

13.4 The U.S. Gramm-Leach-Bliley Act (GLBA) – The Financial Modernization Act of 1999

The GLBA was introduced to protect the privacy of customer information in the financial sector, but it extends beyond financial companies. Any company that handles non-public financial customer information may be held accountable under this law, depending on the circumstances. More information is available from EPIC (http://www.epic.org/privacy/glba) and the U.S. Federal Trade Commission (http://www.ftc.gov/bcp/conline/pubs/buspubs/glblong.shtm#whois).

13.5 U.S. Health Insurance Portability and Accountability Act (HIPAA) 1996

HIPAA contains requirements for the privacy of personal information and for information security. The law applies to U.S.-based companies in the health care sector but can also pertain to any company that provides health care benefits to employees, depending on the circumstances. Further details can be found at http://www.hipaa.org.

13.6 California Security Breach Information Act, Civil Code Sections 1798.29 and 1798.82 (Frequently Referenced by the Bill – CA SB 1386)

California's State Bill 1386 amended the Information Practices Act of 1977 of the California Civil Code to create a sweeping regulation that mandates public disclosure of computer-security breaches in which confidential information of any California resident may have been compromised. Every enterprise — public or private — doing business with California residents is potentially affected. Confidential information covered by the law includes Social Security numbers, California driver's license numbers, account numbers, and credit or debit card numbers. A more detailed article on this regulation can be found at http://www.theiia.org/itaudit/index.cfm?fuseaction=forum&fid=5501. Although case law for this legislation is not cited here, some discussions on the subject have indicated the courts may not view an organization's statement favorably if it treats its California customers differently from its other customers.


13.7 Global National Regulations

Many countries have national regulations covering internal control, including Germany (KonTraG, risk management requirement) and France (LSF, internal control reporting requirement). In addition, external auditors may be required to certify the adequacy of financial reporting mechanisms and controls. Although most of these regulations do not address IT directly, they imply the need for an adequately controlled IT infrastructure. For this reason, many national bodies of the International Federation of Accountants (IFAC) provide detailed guidance for evaluating IT controls.

GTAG – Appendix C – Three Categories of IT Knowledge for Internal Auditors – 14

14.1 Auditor Knowledge Considerations

Standard 1210 – Proficiency of The IIA's Standards requires that the internal audit activity collectively should possess or obtain the knowledge, skills, and other competencies needed to perform its responsibilities.⁴ Varying levels of IT knowledge are needed throughout the organization to provide a systematic, disciplined approach to evaluating and improving the effectiveness of risk management, control, and governance processes. Knowledge of how IT is used, the related risks, and the ability to use IT as a resource in the performance of audit work is essential for auditor effectiveness at all levels.

The IIA's International Advanced Technology Committee has identified three categories of IT knowledge for internal auditors:

14.1.1 Category 1 – All Auditors

Category 1 is the knowledge of IT needed by all professional auditors, from new recruits up through the CAE. Basic IT knowledge encompasses understanding concepts such as the differences in software used in applications, operating systems and systems software, and networks. It includes comprehending basic IT security and control components such as perimeter defenses, intrusion detection, authentication, and application system controls. Basic knowledge includes understanding how business controls and assurance objectives can be impacted by vulnerabilities in business operations and the related and supporting systems, networks, and data components. It is fundamentally about ensuring that auditors have sufficient knowledge to focus on understanding IT risks without necessarily possessing significant technical knowledge.

14.1.2 Category 2 – Audit Supervisors

Category 2 applies to the supervisory level of auditing. In addition to having basic IT knowledge, audit supervisors must understand IT issues and elements sufficiently to address them in audit planning, testing, analysis, reporting, follow-up, and assigning auditor skills to the elements of audit projects. Essentially, the audit supervisor must:

• Understand the threats and vulnerabilities associated with automated business processes.

• Understand business controls and risk mitigation that should be provided by IT.

• Plan and supervise audit tasks to address IT-related vulnerabilities and controls, as well as the effectiveness of IT in providing controls for business applications and environments.

• Ensure the audit team has sufficient competence — including IT proficiency — for audits.

• Ensure the effective use of IT tools in audit assessments and testing.

• Approve plans and techniques for testing controls and information.

• Assess audit test results for evidence of IT vulnerabilities or control weaknesses.

• Analyze symptoms detected and relate them to causes that may have their sources in business or IT planning, execution, operations, change management, authentication, or other risk areas.

• Provide audit recommendations based on business assurance objectives appropriate to the sources of problems noted, rather than simply reporting on problems or errors detected.

14.1.3 Category 3 – Technical IT Audit Specialists

Category 3 applies to the technical IT audit specialist. Although IT auditors may function at the supervisory level, they must understand the underlying technologies supporting business components and be familiar with the threats and vulnerabilities associated with the technologies. IT auditors also may specialize in only certain areas of technology.

IIA programs and products are designed primarily to meet the information needs of the Category 1 and 2 auditor. The Category 1 auditor will seek IIA guidance in relating IT threats, vulnerabilities, and controls to business assurance objectives. IIA products also provide information that can be useful in explaining the business impacts of technical problems. In addition, IIA products can help Category 3 technical IT auditors gain proficiency in areas of technology with which they are not already familiar and in striving to reach supervisory or management audit competence.

The SANS Institute provides information security training and awards Global Information Assurance Certification (GIAC) relevant to information security professionals, including auditors. The course offerings and accompanying certifications match the growing demands of students, new threats, and new technologies. GIAC certifications (http://www.giac.org/subject_certs.php) are grouped by subject matter and level of difficulty. Some are full certifications that accompany five- to six-day training courses, while others are certificates related to one- to two-day courses. Certificates are less involved but more intensely focused than certifications.

Also of interest and benefit to all categories of IT auditor are the materials provided by the Information Systems Audit and Control Association (ISACA). ISACA offers standards, guidelines, and procedures for IT audit professionals; technical research focused on IT audit topics; the Certified Information Systems Auditor (CISA) certification, earned by more than 35,000 individuals worldwide; and publications, education, and conferences targeted to IT audit professionals.

⁴ Note: The "Three Categories of IT Knowledge for Internal Auditors" document is not part of The IIA's Standards but is practical guidance provided by The IIA's International Advanced Technology Committee.

GTAG — Appendix D — Compliance Frameworks — 15

15.1 COSO

Formed in 1985, COSO is an independent private-sector initiative that studied the factors that can lead to fraudulent financial reporting and developed recommendations for public companies and their independent auditors, the SEC and other regulators, and educational institutions. COSO produced the Internal Control – Integrated Framework (Appendix E, see page 36), a widely accepted tool for both management and auditors, in September 2004, and it published Enterprise Risk Management – Integrated Framework in fall 2004. Details of both frameworks can be found at http://www.coso.org.

15.2 CICA CoCo

The Canadian Institute of Chartered Accountants (CICA) produced the Criteria of Control Framework (CoCo) in 1992 to address public and institutional concerns that the traditional view of control was no longer effective in preventing corporate failures. The mission of CoCo is to improve organizational performance and decision making through better understanding of control, risk, and governance. Moreover, the framework provides a basis for making judgments about the effectiveness of control.

In 1995, Guidance on Control was produced, which describes the CoCo framework and defines control in a way that goes beyond the traditional internal control over financial reporting. The CoCo model is a way of focusing on the future of an organization to ensure it is in control by having a clear sense of shared purpose, collective commitment to achieve that purpose, the resources it needs to do the job, and the ability to learn from experience.

15.3 CICA IT Control Guidelines

The IT Control Guidelines, published by the CICA, is a reference source for evaluating IT controls. It is organized in a manner that is easy to use and written in straightforward business language.

15.4 ITGI Control Objectives for Information and Related Technology (CobiT)

Established in 1998, the IT Governance Institute (ITGI) provides guidance on current and future issues related to IT governance, security, and assurance. The ITGI's leading guidance publication is Control Objectives for Information Technology (CobiT) (see Appendix F). ITGI's CobiT provides a reference framework and common language across the entire information systems life cycle for IS and business leaders and IS audit, control, and security practitioners. CobiT is one of the most popular and internationally accepted sets of guidance materials for IT governance.

15.5 ISO 17799 (Code of Practice for Information Security Management)

ISO/IEC 17799:2000(E), promulgated by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), defines information security principles that ultimately can provide assurance to trading partners and regulators that an organization's information is protected properly. Derived from the British Standards Institution's BS 7799 standard, the Code of Practice for Information Security Management is built around specific security elements required within 10 areas, including physical and environmental security, communication and operational management, and access control. Although, as a code of practice, ISO/IEC 17799:2000 provides guidance and recommendations, it is not intended to be a specification, and care should be taken to ensure that claims of compliance are not misleading.

The original BS 7799 standard has two parts:

• Part 1 is the Code of Practice and is identical to ISO/IEC 17799:2000.

• Part 2 is a specification for implementing an information security management system (ISMS).

To comply with BS 7799 Part 2 (BS 7799-2:2002), an organization's installed ISMS must conform to the set of requirements described in the standard, which are in the form of "shall" statements. Third-party bodies have been accredited to certify or register organizations to BS 7799-2:2002.

15.5.1 What Is Information Security?

BS 7799 treats information as an asset which, like other important business assets, has value to an organization and consequently needs to be protected. Information security protects information from a wide range of threats to ensure business continuity, minimize business damage, and maximize return on investments and business opportunities.

Information can exist in many forms: printed or written on paper, stored electronically, transmitted by post or using electronic means, shown on films, or spoken in conversation. Whatever form the information takes, or means by which it is shared or stored, BS 7799 indicates that it always should be protected appropriately.

Information security is characterized within BS 7799 as the preservation of:

• Confidentiality – ensuring that information is accessible only to those authorized to have access.

• Integrity – safeguarding the accuracy and completeness of information and processing methods.

• Availability – ensuring that authorized users have access to information and associated assets when required.

Information security is achieved by implementing a suitable set of controls from BS 7799, which could be policies, practices, procedures, organizational structures, and software functions. These controls should be established to ensure the specific security objectives of the organization are met.

15.5.2 How to Establish Security Requirements

BS 7799 states that it is essential that an organization identify its security requirements. There are three main sources:

• Assessing risks to the organization. BS 7799 does not prescribe a methodology.

• The legal, statutory, regulatory, and contractual requirements that an organization, its trading partners, contractors, and service providers have to satisfy.

• The particular set of principles, objectives, and requirements for information processing that an organization has developed to support its operations.

15.5.3 Assessing Security Risks

BS 7799 suggests that security requirements be identified by a methodical assessment of security risks. Expenditure on controls should be balanced against the business harm likely to result from security failures. The process of assessing risks and selecting controls may need to be performed a number of times to cover different parts of the organization or individual information systems, and it is important to review security risks and implemented controls periodically.

15.5.4 Selecting Controls

Once security requirements have been identified, controls from BS 7799 should be selected and implemented to ensure risks are reduced to an acceptable level. Controls should be selected based on the cost of implementation in relation to the risks being reduced and the potential losses if a security breach occurs. Nonmonetary factors, such as loss of reputation, should also be taken into account. For more information on BS 7799, see http://www.bs7799-iso17799.com.

15.5.5 Topics Addressed in BS 7799

1. Scope

2. Terms and definitions

3. Security policy
   3.1 Information security policy document
   3.2 Review and evaluation

4. Security organization
   4.1 Information security infrastructure
   4.2 Security of third-party access
   4.3 Outsourcing

5. Asset classification and control
   5.1 Accountability for assets
   5.2 Information classification

6. Personnel security
   6.1 Security in job definition and resourcing
   6.2 User training
   6.3 Responding to security incidents and malfunctions

7. Physical and environmental security
   7.1 Secure areas
   7.2 Equipment security
   7.3 General control

8. Communications and operations management
   8.1 Operational procedures and responsibilities
   8.2 System planning and acceptance
   8.3 Protection against malicious software
   8.4 Housekeeping
   8.5 Network management
   8.6 Media handling and security
   8.7 Exchanges of information and software

9. Access control
   9.1 Business requirement for access control
   9.2 User access management
   9.3 User responsibilities
   9.4 Network access control
   9.5 Operating system access control
   9.6 Application access control
   9.7 Monitoring system access and use
   9.8 Mobile computing and teleworking

10. Systems development and maintenance
   10.1 Security requirements of systems
   10.2 Security in application systems
   10.3 Cryptographic controls
   10.4 Security of system files
   10.5 Security in development and support processes

11. Business continuity management
   11.1 Business continuity management process

12. Compliance
   12.1 Compliance with legal requirements
   12.2 Reviews of security policy and technical compliance
   12.3 System audit considerations

15.6 ISF Standard of Good Practice for Information Security

The Information Security Forum (ISF) Standard of Good Practice for Information Security aims at managing the risks associated with every aspect of information systems, irrespective of an organization's market sector, size, or structure. The standard, prepared by ISF's global working groups, is a publicly available document split into five key areas: security management, critical business applications, computer installations, networks, and systems development. For more information and details, see http://www.isfsecuritystandard.com.

15.7 Generally Accepted Information Security Principles (GAISP)

The Generally Accepted Information Security Principles (GAISP) culls best practice from all other similar frameworks. Developed in 1991 as the Generally Accepted System Security Principles, GAISP provides a comprehensive hierarchy of guidance for securing information and supporting technology, including:

• Pervasive Principles – board-level guidance.

• Broad Functional Principles – designed for executive-level information management (exposure draft distributed September 1999).

• Detailed Principles – guidance for operational information security management (under development).

GAISP is now being developed by the Information Systems Security Association (ISSA) (http://www.issa.org), which can provide details.

15.7.1 Pervasive Principles

The Pervasive Principles address the confidentiality, integrity, and availability of information. They provide general guidance to establish and maintain the security of information and supporting technology.

• Accountability Principle – Information security accountability and responsibility must be defined clearly and acknowledged.
  Rationale – Accountability characterizes the ability to audit the actions of all parties and processes that interact with information. Roles and responsibilities should be clearly defined, identified, and authorized at a level commensurate with the sensitivity and criticality of information. The relationship between all parties, processes, and information must be defined clearly, documented, and acknowledged by all parties. All parties must have responsibilities for which they are held accountable.

• Awareness Principle – All parties with a need to know — including but not limited to information owners and information security practitioners — should have access to available principles, standards, conventions, or mechanisms for securing information and information systems, and should be informed of applicable threats to the security of information.
  Rationale – This principle applies between and within organizations. Awareness of information security principles, standards, conventions, and mechanisms enhances and enables controls and can help to mitigate threats. Awareness of threats and their significance also increases user acceptance of controls. Without awareness of the necessity for particular controls, users can pose a risk to information by ignoring, bypassing, or overcoming existing control mechanisms. The awareness principle applies to unauthorized and authorized parties.

• Ethics Principle – Information should be used, and information security should be administered, in an ethical manner.
  Rationale – Information systems pervade our societies. Rules and expectations are evolving with regard to the appropriate provision and use of information systems and the security of information. Use of information and information systems should match the expectations established by social norms and obligations.

• Multidisciplinary Principle – Principles, standards, conventions, and mechanisms for securing information and information systems should address the considerations and viewpoints of all interested parties.
  Rationale – Information security is achieved by the combined efforts of information owners, users, custodians, and information security personnel. Decisions made with due consideration of all relevant viewpoints and technical capabilities can enhance information security and receive better acceptance.

• Proportionality Principle – Information security controls should be proportionate to the risks of modification, denial of use, or disclosure of information.
  Rationale – Security controls should be commensurate with the value and vulnerability of information assets. Consider the value, sensitivity, and criticality of the information, as well as the probability, frequency, and severity of direct and indirect harm or loss. This principle recognizes the value of approaches to information security ranging from prevention to acceptance.

• Integration Principle – Principles, standards, conventions, and mechanisms for the security of information should be coordinated and integrated with each other and with the organization's policies and procedures to create and maintain security throughout an information system.
  Rationale – Many information security breaches involve the compromise of more than one safeguard. The most effective control measures are components of an integrated system of controls. Information security is most efficient when planned, managed, and coordinated throughout the organization's system of controls and the life of the information.

• Timeliness Principle – All accountable parties should act in a timely, coordinated manner to prevent or respond to breaches of and threats to the security of information and information systems.
  Rationale – Organizations should be able to coordinate and act swiftly to prevent or mitigate threat events. This principle recognizes the need for the public and private sectors to jointly establish mechanisms and procedures for rapid and effective threat-event reporting and handling. Access to threat-event history could support effective response to threat events and may help prevent future incidents.

Figure 7 – Security Management

• Assessment Principle – The risks to information and information systems should be assessed periodically.
  Rationale – Information and security requirements vary over time. Organizations periodically should assess the information, its value, and the probability, frequency, and severity of direct and indirect harm or loss. Periodic assessment identifies and measures the variances from available and established security measures and controls, such as those articulated in the GAISP, as well as the risk associated with such variances. It also enables accountable parties to make informed information risk management decisions about accepting, mitigating, or transferring the identified risks, with due consideration of cost effectiveness.

• Equity Principle – Management shall respect the rights and dignity of individuals when setting policy and when selecting, implementing, and enforcing security measures.
  Rationale – Information security measures implemented by an organization should not infringe upon the obligations, rights, and needs of legitimate users, owners, and others affected by the information when exercised within the legitimate parameters of the mission objectives.

15.8 AICPA/CICA Trust Services Principles and Criteria

The American Institute of Certified Public Accountants (AICPA) Assurance Services Executive Committee and the CICA Assurance Services Development Board developed the Trust Services Principles and Criteria to address the risks and opportunities of IT. Trust Services Principles and Criteria set out broad statements of principles and identify specific criteria that should be achieved to meet each principle. The principles are broad statements of objectives. Criteria are benchmarks used to measure and present the subject matter, and against which the practitioner can evaluate the subject matter. In the Trust Services Principles and Criteria, the criteria are supported by a list of illustrative controls. The Trust Services Principles and Criteria are organized into four broad areas:

• Policies – The organization has defined and documented its policies [5] relevant to the particular principle.

• Communications – The organization has communicated its defined policies to authorized users.

• Procedures – The organization uses procedures to achieve its objectives in accordance with its defined policies.

• Monitoring – The organization monitors the system and takes action to maintain compliance with its defined policies.

Following are summaries of the Trust Services Security, Availability, Processing Integrity, Privacy, Confidentiality, and Certification Authority Principles and Criteria. The Trust Services Principles and Criteria can be used to deliver branded SysTrust and WebTrust engagements, which are assurance services designed for a wide variety of IT-based systems. Upon attainment of an unqualified assurance report, the organization would be entitled to display a SysTrust or WebTrust Seal and accompanying auditor's report. In addition, the framework can be used to provide advisory and consulting services. For a detailed listing of the Trust Services Principles and Criteria, see http://www.aicpa.org/trustservices.

15.8.1 Security Principle – The system is protected against unauthorized access (both physical and logical)

In e-commerce and other systems, the respective parties must ensure that information provided is available only to those individuals who need access to complete the transaction or services, or to follow up on questions or issues that may arise. Information provided through these systems is susceptible to unauthorized access during transmission and while it is stored on the other party's systems. Limiting access to the system components helps prevent potential abuse of the system, theft of resources, misuse of software, and improper access to, or use, alteration, destruction, or disclosure of information. Key elements for protecting system components include permitting authorized access and preventing unauthorized access to those components.

15.8.2 Availability Principle – The system is available for operation and use as committed or agreed

The availability principle refers to the accessibility to the system, products, or services as advertised or committed by contract or by service-level and other agreements. This principle does not, in itself, set a minimum-acceptable performance level for system availability. Instead, the minimum performance level is established by mutual agreement (contract) between the parties.

Although system availability, functionality, and usability are connected, the availability principle does not address system functionality (the specific functions a system performs) and system usability (the ability of users to apply system functions to specific tasks or problems). It does address system availability, which relates to whether or not the system is accessible for processing, monitoring, and maintenance.

[5] The term policies refers to written statements that communicate management's intent, objectives, requirements, responsibilities, and standards for a particular subject. Some policies may be described explicitly as such, being contained in policy manuals or similarly labeled documents. However, some policies may be contained in documents without such explicit labeling, including, for example, notices or reports to employees or outside parties.

[6] Although some privacy regulations use the term principle, the term component is used in the AICPA/CICA Trust Services Principles and Criteria Framework to represent that concept, because the term principle previously has been defined in the Trust Services literature.

15.8.3 Processing Integrity Principle – System processing is complete, accurate, timely, and authorized

Processing integrity exists if a system performs its intended function in an unimpaired manner, free from unauthorized or inadvertent manipulation. Completeness generally indicates that all transactions and services are processed or performed without exception, and that transactions and services are not processed more than once. Accuracy includes assurances that key information associated with the submitted transaction will remain accurate throughout the processing of the transaction, and that the transaction or services are processed or performed as intended. The timeliness of the provision of services or the delivery of goods is addressed in the context of commitments made for such delivery. Authorization includes assurances that processing is performed in accordance with the required approvals and privileges defined by policies governing system processing.

The risks associated with processing integrity are that the party initiating the transaction will not complete the transaction or provide the service correctly and in accordance with the desired or specified request. Without appropriate processing-integrity controls, the buyer may not receive the goods or services ordered, may receive more than requested, or may receive the wrong goods or services altogether. However, if appropriate processing-integrity controls exist and are operational within the system, the buyer can be reasonably assured of receiving the correct goods and services in the correct quantity and price by the promised date. Processing integrity addresses all of the system components, including procedures to initiate, record, process, and report the information, product, or service that is the subject of the engagement. The nature of data input in e-commerce systems typically involves the user entering data directly over Web-enabled input screens or forms, whereas in other systems the nature of data input can vary significantly. Because of this difference in data-input processes, the nature of controls over the completeness and accuracy of data input in e-commerce systems may be somewhat different than for other systems.

Processing integrity differs from data integrity because it does not imply automatically that the information stored by the system is complete, accurate, current, and authorized. If a system processes information from sources outside of the system's boundaries, an organization can establish only limited controls over the completeness, accuracy, authorization, and timeliness of the information submitted for processing. Errors that may have been introduced into the information and control procedures at external sites typically are beyond the organization's control. When the information source is excluded explicitly from the description of the system that defines the engagement, it is important to detail that exclusion in the system description. In other situations, the data source may be an inherent part of the system being examined, and controls over the completeness, accuracy, authorization, and timeliness of information submitted for processing would be included in the scope of the system as described.

15.8.4 Privacy Principle and Components – Personal information is collected, used, retained, and disclosed in conformity with the commitments in the organization's privacy notice and with the AICPA/CICA Trust Services Privacy Criteria

The Privacy Principle contains 10 components [6] and related criteria that are essential to the proper protection and management of personal information. These privacy components and criteria are based on fair information practices included in privacy laws and regulations of various jurisdictions around the world, and on many recognized good privacy practices. The privacy components are:

• Management – The organization defines, documents, communicates, and assigns accountability for its privacy policies and procedures.

• Notice – The organization provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained, and disclosed.

• Choice and consent – The organization describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use, and disclosure of personal information.

• Collection – The organization collects personal information only for the purposes identified in the notice.

• Use and retention – The organization limits the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent. The organization retains personal information only as long as necessary to fulfill the stated purposes.

• Access – The organization provides individuals with access to their personal information for review and update.

• Disclosure to third parties – The organization discloses personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual.

• Security – The organization protects personal information against unauthorized access, both physical and logical.

• Quality – The organization maintains accurate, complete, and relevant personal information for the purposes identified in the notice.

• Monitoring and enforcement – The organization monitors compliance with its privacy policies and procedures and has processes to address privacy-related complaints and disputes.

15.8.5 Confidentiality Principle – Information designated as "confidential" is protected as committed or agreed

The confidentiality principle focuses on information designated "confidential." There is no widely recognized definition of confidential information, unlike personally identifiable information, which many countries currently are defining through regulation. In the course of communicating and transacting business, partners often exchange information they require to be maintained on a confidential basis. In most instances, the respective parties wish to ensure that the information they provide is available only to those individuals who need access to complete the transaction or resolve any questions that arise. To enhance business partner confidence, it is important to inform the partner about the organization's confidentiality practices, including those for providing authorized access to, use of, and sharing of information designated as confidential.

Information that may be subject to confidentiality includes:

• Transaction details
• Engineering drawings
• Business plans
• Banking information about businesses
• Inventory availability
• Bid or ask prices
• Price lists
• Legal documents
• Client and customer lists
• Revenue by client and industry

Unlike personal information, there are no defined rights for accessing confidential information to ensure its accuracy and completeness. Interpretations of what is considered confidential information can vary significantly from business to business and are driven by contractual arrangements in most cases. As a result, those engaged in business relationships need to understand what information will be maintained on a confidential basis and what, if any, rights of access or other expectations an organization might have for updating that information to ensure its accuracy and completeness.

Information that is provided to another party is susceptible to unauthorized access during transmission and while it is stored on the other party's computer systems. For example, an unauthorized party may intercept business partner profile information and transaction and settlement instructions while they are being transmitted. Controls such as encryption can be used to protect the confidentiality of this information during transmission, while firewalls and rigorous access controls can help protect the information while it is stored on computer systems.

15.8.6 Certification Authority (CA) Principle

The certification authority discloses its key and certificate life cycle-management, business, and information privacy practices, and provides its services in accordance with these practices. This includes the concepts of CA business-practice disclosures, service integrity, and environmental controls.

15.9 IIA Systems Assurance and Control (SAC)

The IIA provides the SAC model. The SAC model sets the stage for effective technology risk management by giving companies a framework to guide an evaluation of the e-business control environment. SAC recognizes the importance of governance — both within an organization and between business partners — to ensure effective security, auditability, and control of information. SAC provides current information to understand, monitor, assess, and mitigate technology risks. SAC examines risks in all business system components, including customers, competitors, regulators, and partners. Full details of the model can be found at http://www.theiia.org/eSAC/index.cfm, with a detailed discussion of the model at www.theiia.org/itaudit/index.cfm?fuseaction=forum&fid=411.

15.10 Corporate Governance

15.10.1 OECD Principles of Corporate Governance

The OECD Principles of Corporate Governance, amended in April 2004, set out a framework for good practice that has been agreed to by all 30 OECD member countries and has become a generally accepted standard (http://www.oecd.org/corporate). Originally issued in 1999, the principles are designed to assist governments and regulatory bodies in drawing up and enforcing effective rules, regulations, and codes of corporate governance. In parallel, they provide guidance for stock exchanges, investors, companies, and others that have a role in the process of developing good corporate governance. Although the OECD principles do not provide specific guidance on IT controls, other OECD units provide further guidance and research on information security and privacy.

15.10.2 EU Commission

The European Commission's Action Plan on Company Law and Corporate Governance was released in May 2003 to strengthen corporate governance mechanisms in public interest entities. (For details, see http://europa.eu.int/comm/internal_market/company/index_en.htm.) The EU's Corporate Governance initiatives do not address IT issues specifically, but activities of the Information Society

GTAG — Appendix E — Assessing IT Controls Using COSO — 16

The COSO Internal Control – Integrated Framework is recognized as a formal model for the purpose of Sarbanes-Oxley attestation by the SEC and provides a hierarchical categorization of controls. In addition, the audit standard from the PCAOB states:

"Because of the frequency with which management of public companies is expected to use COSO as the framework for the assessment, the directions in the standard are based on the COSO framework. Other suitable frameworks have been published in other countries and likely will be published in the future. Although different frameworks may not contain exactly the same elements as COSO, they should have elements that encompass all of COSO's general themes."

The COSO model was refined and enhanced during 2004 through development of the COSO Enterprise Risk Management – Integrated Framework (http://www.coso.org). This appendix describes the earlier framework, which is the version referenced for regulatory compliance. Nonetheless, the CAE should investigate the Enterprise Risk Management – Integrated Framework.

16.1 COSO Definition of Internal Control

COSO defines internal control (http://www.coso.org/key.htm) as "a process, effected by an organization's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations"

These distinct but overlapping categories address different needs, such that each requires a directed focus. The first category addresses an entity's basic business objectives, including performance and profitability goals and safeguarding of resources, which are impacted greatly by the use of IT.

The second category relates to the preparation of reliable published financial statements, including interim and condensed financial statements, as well as earnings releases and other selected publicly reported financial data derived from such statements. IT systems frequently produce such reports, and the controls over these systems play a major part in the level of internal control.

The third category deals with complying with those laws and regulations to which the entity is subject.

Internal control systems operate at different levels of effectiveness. Internal control can be judged effective in each of the three categories if the board of directors and management have reasonable assurance that:

• They understand the extent to which the entity's operations objectives are being achieved.

• Published financial statements are being prepared reliably.

• There is compliance with applicable laws and regulations.

Although internal control is a process, its effectiveness is a state or condition of the process at one or more points in time.

16.2 COSO Internal Control — Integrated Framework

Internal control consists of five interrelated components that are derived from the way management runs a business and are integrated with the management process. Although the components apply to all entities, small and mid-size organizations may implement them differently than large enterprises. A small organization's controls may be less formal and less structured, yet it can still have effective internal control. The components are:

16.2.1 Control Environment

The control environment sets the tone for an organization, influencing the control consciousness of its people, establishing the foundation for all other components of internal control, and providing discipline and structure. Control environment factors include the integrity, ethical values, and competence of the entity's people; management's philosophy and operating style; the way management assigns authority and responsibility and organizes and develops its people; and the attention and direction provided by the board of directors.

16.2.2 Risk Assessment

Every entity faces a variety of risks from external and internal sources that must be assessed. A precondition to risk assessment is the establishment of objectives that are linked at different levels and are consistent internally. Risk assessment identifies and analyzes the relevant risks to achieving these objectives and forms a basis for determining how the risks should be managed. Because economic, industry, regulatory, and operating conditions will continue to change, organizations need mechanisms to identify and deal with the special risks associated with change.

16.2.3 Control Activities

Control activities are the policies and procedures that help ensure management directives are carried out and that necessary actions are taken to address risks to achieving these objectives. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets, and segregation of duties.

16.2.4 Information and Communication

Pertinent information must be identified, captured, and communicated in a form and time frame that enables people to perform their responsibilities. Information systems produce reports containing operational, financial, and compliance-related information that make it possible to run and control the business. They deal not only with internally generated data, but also with information about external events, activities, and conditions necessary for informed business decision-making and external reporting. Effective communication must also occur in a broader sense, flowing down, across, and up the organization. All personnel must receive a clear message from top management that control responsibilities have to be taken seriously. They need to understand their own role in the internal control system, as well as how individual activities relate to the work of others. They must have a means of communicating significant information upstream. There also needs to be effective communication with external parties, such as customers, suppliers, regulators, and shareholders.

16.2.5 Monitoring

Internal control systems need to be monitored to assess the quality of their performance over time. This is accomplished through ongoing monitoring activities, separate evaluations, or a combination of the two. Ongoing monitoring occurs in the course of operations and includes regular management and supervisory activities and other actions personnel take in performing their duties. The scope and frequency of separate evaluations will depend primarily on an assessment of risks and the effectiveness of ongoing monitoring procedures. Internal control deficiencies should be reported upstream, with serious matters reported to top management and the board.

There is synergy and linkage among the components, forming an integrated system that reacts dynamically to changing conditions. The internal control system is intertwined with the entity's operating activities and exists for fundamental business reasons. Internal control is most effective when controls are built into the entity's infrastructure and are a part of the essence of the enterprise. Built-in controls support quality and empowerment initiatives, avoid unnecessary costs, and enable quick response to changing conditions.

There is a direct relationship between the three COSO categories of objectives (effectiveness, reliability, compliance) — which are what an entity strives to achieve — and the components needed to achieve the objectives. All components are relevant to each objectives category. When looking at any one category — the effectiveness and efficiency of operations, for instance — all five components must be present and functioning effectively to conclude that internal control over operations is effective.

The internal control definition — with its underlying fundamental concepts of a process, effected by people, providing reasonable assurance — together with the categorization of objectives, the components and criteria for effectiveness, and the associated discussions, constitute this internal control framework.

GTAG — Appendix F — ITGI Control Objectives for Information and Related Technology (CobiT) — 17

Organizations must satisfy the quality, fiduciary, and security requirements for their information, as for all assets. Management must also optimize the use of available resources, including data, application systems, technology, facilities, and people. To discharge these responsibilities, as well as to achieve its objectives, management must establish an adequate system of internal control. Thus, an internal control system or framework must be in place to support the business processes, and it must be clear how each individual control activity satisfies the information requirements and impacts the resources. Impact on IT resources is highlighted in the CobiT framework, together with the business requirements for effectiveness, efficiency, confidentiality, integrity, availability, compliance, and reliability of information that need to be satisfied. Control, which includes policies, organizational structures, practices, and procedures, is management's responsibility. Management, through its corporate and IT governance, must ensure that due diligence is exercised by all individuals involved in the management, use, design, development, maintenance, or operation of information systems.

Business orientation is the main theme of CobiT. It is designed not only to be employed by users and auditors, but also, and more importantly, as a comprehensive checklist for business process owners. Increasingly, business practice involves the full empowerment of business process owners, so they have total responsibility for all aspects of the business process. In particular, this includes providing adequate controls. The CobiT framework provides a tool for the business process owner that facilitates the discharge of this responsibility. The framework starts from a simple and pragmatic premise: in order to provide the information that the organization needs to achieve its objectives, IT resources need to be managed by a set of naturally grouped processes.

CobiT continues with a set of 34 high-level control objectives, one for each of the IT processes, grouped into four domains: Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate.

Plan and Organize – This domain covers strategy and tactics and concerns the identification of the way IT can best contribute to the achievement of business objectives.

1. Define a strategic IT plan
2. Define the information architecture
3. Determine the technological direction
4. Define the IT organization and relationships
5. Manage the IT investment
6. Communicate management aims and direction
7. Manage human resources
8. Ensure compliance with external requirements
9. Assess risks
10. Manage projects
11. Manage quality

Acquire and Implement – To realize the IT strategy, IT solutions need to be identified, developed, or acquired, as well as implemented and integrated into the business process. In addition, changes in and maintenance of existing systems are covered by this domain, to make sure that the life cycle is continued for these systems.

12. Identify automated solutions
13. Acquire and maintain application software
14. Acquire and maintain technology architecture
15. Develop and maintain IT procedures
16. Install and accredit systems
17. Manage changes

Deliver and Support – This domain is concerned with the actual delivery of required services, which range from traditional operations over security and continuity aspects to training. This domain includes the actual processing of data by application systems.

18. Define and manage service levels
19. Manage third-party services
20. Manage performance and capacity
21. Ensure continuous service
22. Ensure systems security
23. Identify and allocate costs
24. Educate and train users
25. Assist and advise IT customers
26. Manage the configuration
27. Manage problems and incidents
28. Manage data
29. Manage facilities
30. Manage operations

Monitor and Evaluate – All IT processes need to be assessed regularly over time for their quality and compliance with control requirements. This domain thus addresses management's oversight of the organization's control process and independent assurance provided by internal and external auditing or obtained from alternative sources.

31. Monitor the processes
32. Assess internal control adequacy
33. Obtain independent assurance
34. Provide for independent audit

This structure covers all aspects of information and the technology that supports it. By addressing these 34 high-level control objectives, the business process owner can ensure that an adequate control system is provided for the IT environment.

CobiT is comprised of:

• An executive summary, which provides an overview of CobiT's issues and foundational premise.

• CobiT framework, which describes in detail the high-level IT control objectives and identifies the business requirements for information and IT resources primarily impacted by each control objective.

• Control objectives, statements of the desired results or purposes to be achieved by implementing the specific detailed control objectives.

• Audit guidelines, suggested audit steps corresponding to each of the IT control objectives.

• An implementation tool set, which provides lessons learned from those organizations that successfully applied CobiT in their work environments, and several tools to help management assess their control environment related to information and IT resources.

• Management guidelines, which are composed of maturity models, to help determine the stages and expectation levels of control; critical success factors, to identify the most important actions for achieving control over the IT processes; key goal indicators, to define target levels of performance; and key performance indicators, to measure whether an IT control process is meeting its objective.

Copyright © 2000 by ITGI and reprinted with the permission of the ITGI. No other right or permission is granted with respect to this work.

Designated by the IT Governance Institute (ITGI) and ISACA as an open standard, this portion of COBIT may be downloaded from http://www.itgi.org and http://www.isaca.org.

CobiT, now in its third edition and available in hard copy or interactive online format (CobiT Online), increasingly is accepted internationally as good practice for control over information, IT, and related risks. Its guidance enables an enterprise to implement effective governance over the IT that is pervasive and intrinsic throughout the enterprise.

The following metrics descriptions are taken from the Corporate Information Security Working Group (CISWG) draft report of the Best Practices and Metrics teams, November 17, 2004. During Phase I of the CISWG, convened in November 2003 by Rep. Adam Putnam (R-FL), the Best Practices team surveyed available information security guidance. It concluded in its March 2004 report [7] that much of this guidance is expressed at a relatively high level of abstraction and therefore is not useful immediately as actionable guidance without significant, and often costly, elaboration. A one-page listing of Information Security Program Elements, regarded as essential content for comprehensive enterprise management of information security, was created, upon which it was hoped future actionable guidance could be built for use by a wide variety of organizations.

The Best Practices and Metrics teams of CISWG Phase II, convened in June 2004, were charged with expanding on the work of Phase I by refining the Information Security Program Elements and developing metrics to support each of the elements. The goal was to develop a resource that would help board members, managers, and technical staff establish a comprehensive structure of principles, policies, processes, controls, and performance metrics to support the people, process, and technology aspects of information security.

These generic metrics can be used as the basis for determining regular reporting requirements for the audit committee, although they are not meant to be a “one-size-fits-all” solution. The full set of draft metrics, along with explanatory notes and descriptions, can be found under the “Technology” section of http://www.theiia.org.

The Information Security Program Elements and Supporting Metrics are intended to enable boards, management, and technical staff to monitor the status and progress of their organization’s information security program over time. Each organization should thoughtfully consider which program elements and metrics might be helpful in its own circumstances. It should then set its own implementation priorities and establish an appropriate policy, process, and control structure. Larger and more complex organizations will create policies, processes, and controls in each program element that inevitably will be more extensive than those a smaller organization might choose to implement.

18.1 Metrics for Boards of Directors/Trustees

Establishing a competent information security program requires board members to devote attention to certain program elements. Board members can use the following metrics as part of their information security responsibilities. Board members generally should find the best target value for each metric — higher or lower — to be self-evident.

• Oversee risk management and compliance programs pertaining to information security.
  – Percentage of key information assets for which a comprehensive strategy has been implemented to mitigate information security risks as necessary and to maintain these risks within acceptable thresholds.
  – Percentage of key organizational functions for which a comprehensive strategy has been implemented to mitigate information security risks as necessary and to maintain these risks within acceptable thresholds.
  – Percentage of key external requirements for which the organization has been deemed to be in compliance by an objective audit or other means.
• Approve and adopt broad information security program principles and approve assignment of key managers responsible for information security.
  – Percentage of information security program principles for which approved policies and controls have been implemented by management.
  – Percentage of key information security management roles for which responsibilities, accountabilities, and authority are assigned and required skills identified.
• Strive to protect the interests of all stakeholders who depend on information security.
  – Percentage of board meetings and/or designated committee meetings for which information security is on the agenda.
  – Percentage of security incidents that caused damage, compromise, or loss beyond established thresholds to the organization’s assets, functions, or stakeholders.
  – Estimated damage or loss in dollars resulting from all security incidents in each of the past four reporting periods.
• Review information security policies regarding strategic partners and other third parties.
  – Percentage of strategic partner and other third-party relationships for which information security requirements have been implemented in agreements.
• Strive to ensure business continuity.
  – Percentage of organizational units with an established business-continuity plan.
• Review provisions for internal and external audits of the information security program.
  – Percentage of required internal and external audits completed and reviewed by the board.
  – Percentage of audit findings that have not been resolved.
• Collaborate with management to specify the information security metrics to be reported to the board.

[7] http://reform.house.gov/TIPRC

18.2 Metrics for Management

The following program elements and metrics are intended to help management implement the information security goals and policies established by the board as part of an effective information security program.

• Establish information security management policies and controls and monitor compliance.
  – Percentage of information security program elements for which approved policies and controls are operational.
  – Percentage of staff assigned responsibilities for information security policies and controls who have acknowledged accountability for their responsibilities in connection with those policies and controls.
  – Percentage of information security policy compliance reviews that noted violations.
  – Percentage of business-unit heads and senior managers who have implemented operational procedures to ensure compliance with approved information security policies and controls.
• Assign information security roles, responsibilities, and required skills, and enforce role-based information-access privileges.
  – Percentage of new employees hired this reporting period who satisfactorily completed security-awareness training before being granted network access.
  – Percentage of employees who have completed periodic security-awareness refresher training as required by policy.
  – Percentage of position descriptions that define the information security roles, responsibilities, skills, and certifications for:
    + Security managers and administrators
    + IT personnel
    + General staff system users
  – Percentage of job performance reviews that evaluate information security responsibilities and policy compliance.
  – Percentage of user roles, systems, and applications that comply with the separation-of-duties principle.
  – Number of individuals with access to security software who are not trained and authorized security administrators.
  – Number of individuals who are able to assign security privileges for systems and applications who are not trained and authorized security administrators.
  – Percentage of users whose access privileges have been reviewed this reporting period, including:
    + Employees with high-level system and application privileges
    + All other employees
    + Contractors
    + Vendors
    + Terminated employees and contractors
  – Percentage of users who have undergone background checks.
• Assess information risks, establish risk thresholds, and actively manage risk mitigation.
  – Percentage of critical information assets and information-dependent functions for which some form of risk assessment has been performed and documented as required by policy.
  – Percentage of critical assets and functions for which the cost of compromise — loss, damage, disclosure, or disruption of access — has been quantified.
  – Percentage of identified risks that have a defined risk mitigation plan against which status is reported in accordance with policy.
• Ensure implementation of information security requirements for strategic partners and other third parties.
  – Percentage of known information security risks that are related to third-party relationships.
  – Percentage of critical information assets or functions to which third-party personnel have been given access.
  – Percentage of third-party personnel with current information access privileges who a designated authority has deemed to have continued need for access in accordance with policy.
  – Percentage of systems with critical information assets or functions that are connected to third-party systems electronically.
  – Percentage of security incidents that involve third-party personnel.
  – Percentage of third-party agreements that include or demonstrate external verification of policies and procedures.
  – Percentage of third-party relationships that have been reviewed for compliance with information security requirements.
  – Percentage of out-of-compliance review findings that have been corrected since the last review.
• Identify and classify information assets.
  – Percentage of information assets that have been reviewed and classified by the designated owner in accordance with the classification scheme established by policy.
  – Percentage of information assets with defined access privileges that have been assigned based on role and in accordance with policy.
  – Date when the asset inventory was last updated.
• Implement and test business-continuity plans.
  – Percentage of organizational units with a documented business-continuity plan for which specific responsibilities have been assigned.
  – Percentage of business-continuity plans that have been reviewed, exercised and tested, and updated in accordance with policy.
• Approve information systems architecture during acquisition, development, operations, and maintenance.
  – Percentage of information security risks related to systems architecture identified in the most recent risk assessment that have been mitigated adequately.
  – Percentage of system architecture changes — additions, modifications, or deletions — that were reviewed for security impacts, approved by the appropriate authority, and documented via change-request forms.
  – Percentage of critical information assets or functions residing on systems that are out of compliance with the approved systems architecture.
• Protect the physical environment.
  – Percentage of critical organizational information assets and functions that have been reviewed from the perspective of physical risks, such as controlling physical access and physical protection of backup media.
  – Percentage of critical organizational information assets and functions exposed to physical risks for which risk mitigation actions have been implemented.
  – Percentage of critical assets that have been reviewed from the perspective of environmental risks, such as temperature, fire, and flooding.
  – Percentage of servers in locations with controlled physical access.
  – Percentage of information security requirements of applicable laws and regulations that are included in the internal and external audit program and schedule.
  – Percentage of information security audits conducted in compliance with the approved internal and external audit program and schedule.
  – Percentage of management actions in response to audit findings and recommendations that were implemented as agreed upon regarding timeliness and completeness.
• Collaborate with security personnel to specify the information security metrics to be reported to management.


GTAG — Appendix H — CAE Checklist — 19

CAEs can use this checklist to examine their IT control framework to ensure the organization has addressed all control elements. The checklist can help the CAE understand the issues and plan for full internal audit coverage of the control areas.

1. Identify the IT control environment of the organization, including:
   a. Values
   b. Philosophy
   c. Management style
   d. IT awareness
   e. Organization
   f. Policies
   g. Standards
2. Identify relevant legislation and regulation impacting IT control, such as:
   a. Governance
   b. Reporting
   c. Data protection
   d. Compliance
3. Identify the roles and responsibilities for IT control in relation to:
   a. Board of directors
      i. Audit committee
      ii. Risk committee
      iii. Governance committee
      iv. Finance committee
   b. Management
      i. CEO
      ii. CFO and controller
      iii. CIO
      iv. CSO
      v. CISO
      vi. CLC
      vii. CRO
   c. Audit
      i. Internal audit
      ii. External audit
4. Identify the risk assessment process. Does it cover:
   a. Risk appetite
   b. Risk tolerances
   c. Risk analysis
   d. Matching risks to IT controls
5. Identify all monitoring processes, including:
   a. Regulatory
   b. Normal in-house
   c. Other than internal auditing
6. Identify information and communication mechanisms:
   a. Control information
   b. Control failures

Action Questions

1. Do corporate policies and standards that describe the need for IT controls exist?
2. What legislation exists that impacts on the need for IT controls?
3. Has management taken steps to ensure compliance with this legislation?
4. Have all the relevant responsibilities for IT controls been allocated to individual roles?
5. Is the allocation of responsibilities compatible with the need to apply division of duties?
6. Are IT responsibilities documented?
7. Are IT control responsibilities communicated to the whole organization?
8. Do individual role holders clearly understand their responsibilities in relation to IT controls?
9. What evidence is there of individual role holders exercising their responsibilities?
10. Does internal auditing employ sufficient IT audit specialists to address the IT control issues?
11. How is the risk appetite and tolerance of the organization determined?
12. Is the risk appetite and tolerance of the organization authorized at board level?
13. Is the risk appetite and tolerance clearly understood by all those with a responsibility for IT control?
14. Is a formal risk analysis process used by the organization?
15. Is the process understood by all those with responsibility for IT control?
16. Is the process used consistently throughout the organization?
17. What processes exist to monitor compliance with all relevant legislation plus internal policies and standards?
18. Are there monitoring processes carried out by management outside of internal audit?
19. What metrics are provided to the board of directors, its committees, and management in relation to IT security?
20. What additional reports are provided to the board of directors and to management on a regular basis?
21. Is management always provided with reports when there are IT control failures?
22. Do the board of directors and its committees receive similar reports of IT control failures?

GTAG — Appendix I — References — 20


The following list of information security reference material is taken from a list compiled by the CISWG of the Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census, and the Government Reform Committee of the US House of Representatives. The full list can be found at http://www.reform.house.gov/TIPRC or under the “Technology” section of http://www.theiia.org. The documents are classified into three sections relating to governance, management, and technical issues.

20.1 Governance

Board Briefing on IT Governance, ITGI, http://www.itgi.org/Template_ITGI.cfm?Section=ITGI&CONTENTID=6658&TEMPLATE=/ContentManagement/ContentDisplay.cfm

Information Security Governance: Guidance for Boards of Directors and Executive Management, ITGI, http://www.itgi.org

Information Security Management and Assurance: Three-report series from The IIA, National Association of Corporate Directors (NACD), US Critical Infrastructure Assurance Office, et al., http://www.theiia.org/esac/index.cfm?fuseaction=or&page=rciap

Information Security Oversight: Essential Board Practices, NACD, http://www.nacdonline.org/publications/pubDetails.asp?pubID=138&user=6158BBEB9D7C4EE0B9E4B98B601E3716

IT Governance Implementation Guide, ISACA, http://www.isaca.org/Template.cfm?Section=Browse_By_Topic&Template=/Ecommerce/ProductDisplay.cfm&ProductID=503

Turnbull Report – Internal Control – Guidance for Directors on the Combined Code, Institute of Chartered Accountants in England & Wales, http://www.icaew.co.uk/index.cfm?AUB=TB2I_6242,MNXI_47896

20.2 Management

BS 7799 – Parts 1 & 2, Code of Practice for Information Security Management, British Standards Institution, http://www.bsi.org.uk

Common Sense Guide for Senior Managers, Internet Security Alliance, www.isalliance.org

Corporate Information Security Evaluation for CEOs, TechNet, http://www.technet.org/cybersecurity

Generally Accepted Information Security Principles (GAISP), Information Systems Security Association. Currently available: Generally Accepted Systems Security Principles (GASSP), consisting of Pervasive Principles and Broad Functional Principles; Detailed Principles are under development. http://www.issa.org/gaisp/gaisp.html

Generally Accepted Principles and Practices (GAPP), NIST SP 800-18, “Guide for Developing Security Plans for Information Technology Systems,” December 1998 (Marianne Swanson & Barbara Guttman): eight generally accepted principles (see OECD) and “Common IT Security Practices.” http://csrc.nist.gov/publications/nistpubs/index.html

ICC Handbook on Information Security Policy for Small to Medium Enterprises, International Chamber of Commerce (ICC), http://www.iccwbo.org/home/e_business/word_documents/SECURITY-final.pdf

IFAC International Guidelines on Information Technology Management – Managing Information Technology Planning for Business Impact, International Federation of Accountants, http://www.ifac.org

Information Security for Executives, Business and Industry Advisory Committee to the OECD and ICC, http://www.iccwbo.org/home/e_business/word_documents/SECURITY-final.pdf

ISO 17799 – Information Technology – Code of Practice for Information Security Management, International Organization for Standardization (ISO), http://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=33441&ICS1=35&ICS2=40&ICS3

OECD Guidelines for the Security of Information Systems and Networks: nine pervasive principles for information security upon which several other guides are based, OECD, http://www.oecd.org/document/42/0,2340,en_2649_33703_15582250_1_1_1_1,00.html

Standard of Good Practice for Information Security, Information Security Forum, http://www.isfsecuritystandard.com/index_ie.htm

Trust Services Criteria (including SysTrust and WebTrust), American Institute of Certified Public Accountants, http://www.aicpa.org/trustservices

20.3 Technical Issues

Consensus Benchmarks, Center for Internet Security, http://www.cisecurity.org

DISA Security Technical Implementation Guides, http://www.csrc.nist.gov/pcig/cig.html

ISO 15408 Common Criteria, http://www.csrc.nist.gov/cc/ccv20/ccv2list.htm

ISO TR 13335 – Guidelines for the Management of Information Security, Parts 1-5, http://www.iso.org/iso/en/StandardsQueryFormHandler.StandardsQueryFormHandler

IT Baseline Protection Manual (P BSI 7152 E 1), Bundesamt für Sicherheit in der Informationstechnik, http://www.bsi.bund.de/gshb/english/menue.htm

ITCG Information Technology Control Guidelines, Canadian Institute of Chartered Accountants (CICA), http://www.cica.ca

NIST Configuration Guides, National Institute of Standards and Technology (NIST), http://www.csrc.nist.gov/pcig/cig.html

NIST 800-12, The Computer Security Handbook, NIST, http://www.csrc.nist.gov/publications/nistpubs/index.html

NIST 800-30, Risk Management Guide for Information Technology Systems, NIST, http://www.csrc.nist.gov/publications/nistpubs/index.html

NSA Configuration Guides, http://www.nsa.gov/snac

SANS Step-by-Step Guides, SANS Institute, http://www.store.sans.org

20.4 Auditing IT

Control Objectives for Information and Related Technologies (CobiT), ISACA, http://www.isaca.org

Federal Information Systems Controls Audit Manual (FISCAM), US Government Accountability Office, http://www.gao.gov

Information Technology Control Guidelines (ITCG), CICA, http://www.cica.ca

Systems Assurance and Control (SAC), IIA Research Foundation, http://www.theiia.org/eSAC

Systems Auditability and Control (SAC), IIA Research Foundation, http://www.theiia.org/eSAC


GTAG — Appendix J — Glossary — 21

A listing of technical terms used in the guide, with a simple, plain-English definition.

Application control – A control related to the specific functioning of an application system that supports a specific business process. Common applications include accounts payable, inventory management, and general ledger. Integrated applications combine the functions of many business processes into integrated systems sharing common databases.

Assurance – The act of assuring; a declaration tending to inspire full confidence; that which is designed to give confidence.

CAE – Chief audit executive

CEO – Chief executive officer

CFO – Chief financial officer (and controller)

CIO – Chief information officer

CISO – Chief information security officer

CLC – Chief legal counsel

COSO – The Committee of Sponsoring Organizations of the Treadway Commission (the Commission on Fraudulent Financial Reporting). See http://www.coso.org.

CRM – Customer resource management

CSO – Chief security officer

Cyber attack – A criminal act perpetrated by the use of computers and telecommunications capabilities, resulting in violence, destruction, and/or disruption of services to create fear by causing confusion and uncertainty within a given population, with the goal of influencing a government or population to conform to a particular political, social, or ideological agenda.

Effective – Getting a job done, with or without regard for efficiency. If the law requires you to do something, it probably does not require you to do it efficiently, as evidenced by Sarbanes-Oxley compliance and the frequent complaint that companies are spending huge sums with no apparent value added to the organization or stakeholders.

Efficient – To be efficient, a process or activity must also be effective. Information Technology Process Institute studies show that best-of-breed organizations enjoy considerable efficiencies by maintaining an effective set of control and monitoring practices and resolving the source of the problem rather than only responding to the symptoms.

Framework – A structure for organizing something (e.g., governance issues, controls) to highlight needs at the various levels of an organization as well as for its activities and processes. A control framework is an outline that identifies the need for controls but does not depict how they are applied. Each organization and organizational unit provides a level of detail related to its own control objectives and control practices.

General control – A control that applies generally to the IT environment or overall mix of systems, networks, data, people, and processes (also known as IT infrastructure).

GLBA – US Gramm-Leach-Bliley Act

Governance – The combination of processes and structures implemented by the board to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives.

GTAG – Global Technology Audit Guide

HIPAA – US Health Information Portability and Accountability Act

Information asset – Information assets are based in the value of information to the worth and continued existence of the organization. A distinction is made between information assets and information resources, because information resources are generally considered to include the related human resources, and human resources are not considered to be owned by the organization.

Information resource – Includes all elements of the organization involved in information processing (e.g., acquisition, processing, communication, and storage), including the related hardware, software, processes, and personnel.

Information security – The concepts, techniques, technical measures, and administrative measures used to protect information assets from deliberate or inadvertent unauthorized acquisition, damage, disclosure, manipulation, modification, loss, or use.

Information technology (IT) – All the computer hardware and software used to process information and provide communications, the processes for administering and maintaining the technology, and the human resources associated with the use of technology.

ISO 17799 – Code of Practice for Information Security Management. See http://www.iso.org.

IT controls – Those controls that provide reasonable assurance of the secure, reliable, and resilient performance of hardware, software, processes, and personnel, as well as the reliability of the organization’s information.

IT infrastructure – The overall IT environment, including systems, networks, data, people, and processes. Infrastructures can also include the interaction of businesses and industries in mutual support through shared media and services, such as the Internet, energy, financial services, utilities, government, and transportation. To the extent that infrastructures support national and regional economies, defenses, and business continuity, they are known as critical infrastructures.

ITPI – IT Process Institute. See http://www.itpi.org.

Public Company Accounting Oversight Board (PCAOB) – A board of the US Securities and Exchange Commission established by the Sarbanes-Oxley Act of 2002 as an oversight body for public financial reporting and auditing.

Risk appetite – Defined by COSO as “the degree of risk, on a broad-based level, that a company or other organization is willing to accept in pursuit of its goals. Management considers the organization’s risk appetite first in evaluating strategic alternatives, then in setting objectives aligned with the selected strategy and in developing mechanisms to manage the related risks.”

Risk management – The ongoing identification, measurement, and mitigation of risk through the demonstrably cost-efficient implementation and administration of control over the known and knowable risks of threat events that can adversely affect the confidentiality, integrity, or availability of an organization’s information assets.

Risk tolerance – Defined by COSO as “the acceptable level of variation relative to the achievement of objectives. In setting specific risk tolerances, management considers the relative importance of the related objectives and aligns risk tolerances with its risk appetite.”


GTAG — Appendix K — About the Global Technology Audit Guides — 22


This IT controls guide is the first in a series of GTAGs, which will give CAEs and internal auditors a source of information for educating and informing themselves and others within the organization who have responsibilities related to IT control.

The GTAGs will provide guidance on a variety of IT topics. Each guide will describe the underlying technology, facts, and issues sufficiently to explain business opportunities, risks, and related controls and their impacts on the overall system of internal controls. Subjects to be addressed in the GTAG series will be determined by current and emerging technology areas and their potential ramifications for internal controls and assurance. Planned topics for guides include intrusion protection, security management, change management, wireless security, identity management, and authentication.

22.1 Parties to the GTAG Program

Each GTAG guide is developed through interaction with technical audit and security experts, audit executives, technology vendors, and the associations and individuals that represent board members, chief executives, financial executives, information technology professionals, and security executives. Involvement from The IIA’s international affiliates and partners supports the global perspective of the guides. Other professionals representing specialized views, such as legal, insurance, regulatory, and standards, will be included as appropriate within individual GTAG projects.

The IIA is joined in this GTAG project by a specially selected team of professional associations, academic institutions, and practitioners in both auditing and technology. The IIA is grateful for the support provided by this team, as the guide would not have been possible without them. For The IIA to provide meaningful guidance to auditors about how to relate to audit customers, it is essential to gain agreement with the key representatives of those customers. To speak to a global audience, the guide needs consensus from a broad group representing many of the countries where internal auditors operate. So we thank both the individuals and the organizations who contributed so much to this guide.

GTAG — Appendix L — GTAG Partners and Global Project Team — 23

23.1 IT Controls Advisory Council

The Advisory Council is made up of individuals who contributed to the development of this guide from the outset of planning the GTAG project, through design and development of the IT Controls Guide outline and various drafts, to the completion of the final product. These individuals went beyond the role of a volunteer support team to truly act in a leadership role.

Julia H. Allen, CMU/SEI, Carnegie-Mellon University/Software Engineering Institute

Michael R. Dickson, Business Technology Group LLC

Clint Kreitner, President/CEO, CIS, The Center for Internet Security

Alex Lajoux, NACD, National Association of Corporate Directors

Will Ozier, Vice Chair, the ISSA GAIS Committee; CEO & President, OPA Inc., The Integrated Risk Management Group, USA

Mark Salamasick, CIA, University of Texas at Dallas

Karyn Waller, AICPA, American Institute of Certified Public Accountants

23.2 Partner Organizations

AICPA – Michael R. Dickson, Karyn Waller, American Institute of Certified Public Accountants

CIS – Clint Kreitner, Center for Internet Security

CMU/SEI – Julia Allen, Bob Rosenstein, Carnegie-Mellon University/Software Engineering Institute

ISSA – Dave Cullinane, President; Bob Daniels, Exec. Vice President, Information Systems Security Association

NACD – Peter Gleason, Alex Lajoux, National Association of Corporate Directors

SANS Institute – Alan Paller, Director of Research; Stephen Northcutt, COO

23.3 Project Review Team

Peter Allor, ISS, Internet Security Systems

Jack Antonelli, ADP

Ken D. Askelson, CIA, JC Penney Co. Inc.

Becky Bace, Infidel Inc.

Kevin Behr, IPSI, Institute for Integrated Publication and Information Systems

Jeff Benson, BearingPoint

Robert S. Block, Chairman, 3D Business Tools, USA

Sylvia Boyd, The IIA

Alexandra Branisteanu, Information Security Officer, Scripps Health, San Diego, USA

Larry Brown, Options Clearing Corp.

Stephanie Bryant, University of South Florida

Phil Campbell, Specialized IT LLC, USA

John Carlson, BITS, Banking Industry Technology Secretariat

Chris Compton, Intrusion Labs

Guy Copeland, CSC, Computer Sciences Corp.

Rich Crawford, Vice President/Senior Security Advisor, Janus Risk Management, USA

Bob Daniels, EDS

Bob Dix, US House of Representatives


Jerry E Durant CIA President Certifiable TechnologiesLtd Orlando Fla USA

Emily Frye Critical Infrastructure Protections ProgramGeorge Mason University School of Law USAProtections Program

Greg Garcia ITAA Information Technology Association ofAmerica

Russ Gates Dupage Consulting LLC

Lou Giles Chevron Phillips Chemical Co

Doug Guerrero EDS

Kai Tamara Hare Nuserve

Michael S Hines CIA Purdue University

Bob Hirth Protiviti

Don Holden CISSP Concordant Inc USA

Dave Kern Ethentica

Gene Kim CTO Tripwire Inc USA

Jim Kolouch BearingPoint

David Kowal VP JP Morgan Chase

Paul Kurtz CSIA Cyber Security Industry Alliance

Cindy LeRouge PhD Decision SciencesMIS Department

John Cook School of Business St Louis University USA

Andreacutee Lavigne CICA Canadian Institute of CharteredAccountants

Debbie Lew Guidance Software

Brenda Lovell CIA CCSA CGAP The IIA

Warren Malmquist Adolph Coors Co

Stacy Mantzaris CIA IIA

Dennis Miller Heritage Bank

Patrick Morrissey Auditwire

Bruce Moulton Symantec

Paul Moxey ACCA Association of Chartered CertifiedAccountants

Roseane Paligo CIA Chief Financial Officer 1st ChoiceCommunity Federal Credit Union USA

Fred Palmer Palmer Associates

Xenia Parker CIA CFSA VP Enterprise TechnologyGroup Marsh Inc

Bernie Plagman TechPar Group

Heriot Prentice MIIA FIIA QiCA The IIA

Dick Price Beacon IT Ltd BS 7799 Consultancy USA

Michael Quint Corporate Compliance Officer EDSCorporate Audit USA

Sridhar Ramamoorti CIA CFSA Ernst amp Young LLPChicago IL USA

Amy Ray Bentley College

Martin Ross GSC Global Security Consortium

Chip Schilb EDS USA

Howard Schmidt eBay

Mark Silver Symantec

George Spafford President Spafford Global Consulting Saint Joseph IL USA

Adam Stone Assurant

Jay H Stott CIA Fidelity Investments

Dan Swanson CIA IIA

Jay R Taylor CIA CISA CFE General Motors Corporation

Bill Tener University & Community College System of Nevada

Archie Thomas

Fred Tompkins BearingPoint

Don Warren Rutgers University

Dominique Vincenti CIA The IIA

Mark Winn Intrusec

Amit Yoran

2.3.4 IIA International Affiliates

Frank Alvern CIA CCSA Nordea Bank Norway

Alexandre Alves Apparecido Brazil

Dror Aviv Israel

David F Bentley England UK and Ireland

Gerardo Carstens CIA IIA Argentina

Richard Cascarino South Africa

Iftikhar Chaudry Pakistan

Hisham T El Gindy Manager KPMG Hazem Hassan Egypt

Dr Ulrich Hahn CIA Switzerland

Rossana S Javier Makati City Philippines

Andras Kovacks Hungary

Christopher McRostie Australia

Furqan Ahmad Saleem Partner Avais Hyder Nauman Rizwani RSM Pakistan

Kyoko Shimizu CIA Japan

John Silltow Security Control and Audit Ltd United Kingdom

Ken Siong International Federation of Accountants

Anton van Wyk PwC South Africa

Nick Wolanin Adjunct Senior Lecturer Australian Graduate

Julie Young Australia

2.3.5 Other International

Carolee Birchall Vice President and Senior Risk Officer Bank of Montreal Canada

P J Corum Quality Assurance Institute Middle East and Africa United Arab Emirates

Ariel Peled President ISSA Israeli Chapter

P Shreekanth India

Karen Woo Selangor Malaysia

2.3.6 IIA International Advanced Technology Committee

Anton van Wyk (Chairman) CIA PricewaterhouseCoopers South Africa

Alexandre Alves Apparecido Brasil Telecom Brazil

Ken D Askelson CIA JC Penney Co Inc USA

Dror Aviv CFSA IIA Israel

Donald L Bailey Grant Thornton LLP USA

EW Sean Ballington PricewaterhouseCoopers LLP USA (originally South Africa)

Norman F Barber Microsoft Corp USA

David F Bentley QiCA Consultant England

Claude Cargou GIE AXA France

Michael P Fabrizius CIA Bon Secours Health System Inc USA

Ramiz Tofigi Ganizade Azerbaijan Republic Chamber of Auditors Azerbaijan

Douglas Guerrero EDS Corp USA

Dr Ulrich Hahn CIA Syngenta International Switzerland

David J Hill IBM Corp USA

Michael S Hines CIA Purdue University USA

Mark J Hornung Ernst & Young LLP USA

Gene Kim CTO Tripwire Inc USA

David S Lione KPMG LLP Southeast Region USA

Peter B Millar ACL Services Ltd Canada

Allan M Newstadt CIA World Bank/International Finance Corp USA

Brenda J S Putman CIA City Utilities of Springfield USA


Kyoko Shimizu CIA Shin Nihon & Co Japan

Brian M Spindel CIA SecurePipe Inc USA

Rajendra P Srivastava University of Kansas USA

Jay Stott CIA Fidelity Investments USA

Jay R Taylor CIA CISA CFE General Motors Corp USA

Thomas Jason Wood CIA Ernst & Young LLP USA

Akitomo Yamamoto IIA Japan

2.3.7 The Writing Team

David A Richards CIA President The IIA

Alan S Oliphant MIIA QiCA MAIR International

Charles H Le Grand CIA CHL Global

2.3.8 IIA Headquarters Staff Production Team

Michael Feland

Trish Harris

Tim McCollum

Information Technology Controls: This guide focuses on how IT roles and responsibilities are dispersed throughout the organization, how accurate assessment of IT controls is achieved, and how an organization can promote IT reliability and efficiency.

What is GTAG? Prepared by The Institute of Internal Auditors, each Global Technology Audit Guide (GTAG) is written in straightforward business language to address a timely issue related to information technology management, control, or security. GTAG is a ready resource series for chief audit executives to use in the education of members of the board and audit committee, management, process owners, and others regarding technology-associated risks and recommended practices.

Business Continuity Management: This GTAG focuses on how business continuity management (BCM) is designed to enable business leaders to manage the level of risk the organization could potentially encounter if a natural or man-made disruptive event that affects the extended operability of the organization were to occur. The guide includes disaster recovery planning for continuity of critical information technology infrastructure and business application systems.

Chief audit executives (CAEs) have been challenged to educate corporate executives on the risks, controls, costs, and benefits of adopting a BCM program. Although it is true that recent disasters around the world have motivated some corporate leaders to give attention to BCM programs, the implementation of such programs is far from universal. The key challenge is engaging corporate executives to make BCM a priority. Although most executives are likely to agree that BCM is a good idea, many will struggle to find the budget necessary to fund the program, as well as an executive sponsor that has the time to ensure its success. Business Continuity Management will help the CAE communicate business continuity risk awareness and support management in its development and maintenance of a BCM program.

Visit www.theiia.org/guidance/technology/gtag/gtag10 to rate this GTAG or submit your comments.

Order Number 100645. IIA Member US $25; Nonmember US $30; IIA Event US $22.50

www.theiia.org

ISBN 0-89413-570-8
ISBN 978-0-89413-623-8


COSO¹ defines internal control as "A process, effected by an organization's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations."

IT controls encompass those processes that provide assurance for information and information services and help mitigate the risks associated with an organization's use of technology. These controls range from written corporate policies to their implementation within coded instructions; from physical access protection to the ability to trace actions and transactions to the individuals who are responsible for them; and from automatic edits to reasonability analysis for large bodies of data.

5.1 Control Classifications

Controls may be classified to help understand their purposes and where they fit into the overall system of internal controls (see Figure 3, Some Control Classifications). By understanding these classifications, the control analyst and auditor are better able to establish their positions in the control framework and answer key questions such as: Are the detective controls adequate to identify errors that may get past the preventive controls? Are corrective controls sufficient to fix the errors once detected? A common classification of IT controls is general versus application.

General controls (also known as infrastructure controls) apply to all systems components, processes, and data for a given organization or systems environment. General controls include, but are not limited to, information security policy, administration, access, and authentication; separation of key IT functions; management of systems acquisition and implementation; change management; and backup, recovery, and business continuity.

Application controls pertain to the scope of individual business processes or application systems. They include such controls as data edits, separation of business functions (e.g., transaction initiation versus authorization), balancing of processing totals, transaction logging, and error reporting.

The function of a control is highly relevant to the assessment of its design and effectiveness. Controls may be classified as preventive, detective, or corrective.

Preventive controls prevent errors, omissions, or security incidents from occurring. Examples include simple data-entry edits that block alphabetic characters from being entered into numeric fields; access controls that protect sensitive data or system resources from unauthorized people; and complex and dynamic technical controls such as antivirus software, firewalls, and intrusion prevention systems.

GTAG — Understanding IT Controls — 5

1 COSO – Committee of Sponsoring Organizations for the Commission on Fraudulent Financial Reporting (The Committee of Sponsoring Organizations of the Treadway Commission). See www.coso.org

It is not necessary to know "everything" about IT controls

Do not be concerned if you do not understand the full continuum or all the technical intricacies of IT controls. Many of these controls are the domain of specialists who manage specific risks associated with individual components of the systems and network infrastructure. In keeping with good separation of duties practices, some people who have specialized knowledge in a technology, such as database management, may know little about network components or communication protocols, and vice versa.

There are two key control concepts to remember:

1. Assurance must be provided by the IT controls within the whole system of internal control and must be continuous and produce a reliable and continuous trail of evidence.
2. The auditor's assurance is an independent and objective assessment of the first assurance. It is based on understanding, examining, and assessing the key controls related to the risks the auditors manage, as well as performing sufficient tests to ensure the controls are designed appropriately and function effectively.

Figure 2

Detective controls detect errors or incidents that elude preventive controls. For example, a detective control may identify account numbers of inactive accounts or accounts that have been flagged for monitoring of suspicious activities. Detective controls can also include monitoring and analysis to uncover activities or events that exceed authorized limits or violate known patterns in data that may indicate improper manipulation. For sensitive electronic communications, detective controls can indicate that a message has been corrupted or the sender's secure identification cannot be authenticated.

Corrective controls correct errors, omissions, or incidents once they have been detected. They vary from simple correction of data-entry errors, to identifying and removing unauthorized users or software from systems or networks, to recovery from incidents, disruptions, or disasters.

Generally, it is most efficient to prevent errors, or detect them as close as possible to their source, to simplify correction. These corrective processes also should be subject to preventive and detective controls, because they represent another opportunity for errors, omissions, or falsification.

Many other control classifications described in this guide may be useful in assessing their effectiveness. For example, automated controls tend to be more reliable than manual controls, and nondiscretionary controls are more likely to be applied consistently than discretionary controls. Other control classifications include mandatory, voluntary, complementary, compensating, redundant, continuous, on-demand, and event-driven.

5.2 Governance, Management, Technical

Another common classification of controls is by the group responsible for ensuring they are implemented and maintained properly. For the purpose of assessing roles and responsibilities, this guide primarily categorizes IT controls as governance, management, and technical. Information security program elements for these three categories are described in Appendix A. The first two levels, governance and management, are the most applicable to the scope of this guide, although it may also be useful to understand how higher-level controls specifically are established within the technical IT infrastructures. Technical controls will be the subject of more topic-specific GTAGs.

5.2.1 Governance Controls

The primary responsibility for internal control resides with the board of directors in its role as keeper of the governance framework. IT control at the governance level involves ensuring that effective information management and security principles, policies, and processes are in place, and that performance and compliance metrics demonstrate ongoing support for that framework.

Governance controls are those mandated by, and controlled by, either the entire board of directors or a board committee in conjunction with the organization's executive management. These controls are linked with the concepts of corporate governance, which are driven both by organizational goals and strategies and by outside bodies such as regulators.

An important distinction between governance and management controls is the concept of "noses in, fingers out". The board's responsibility involves oversight rather than actually performing control activities. For example, the audit committee of the board does no auditing, but it does oversee both the internal and external auditing of the organization.

5.2.2 Management Controls

Management responsibility for internal controls typically involves reaching into all areas of the organization, with special attention to critical assets, sensitive information, and operational functions. Consequently, close collaboration among board members and executive managers is essential. Management must make sure the IT controls needed to achieve the organization's established objectives are applied, and ensure reliable and continuous processing. These controls are deployed as a result of deliberate actions by management to:

• Recognize risks to the organization, its processes, and assets.
• Enact mechanisms and processes to mitigate and manage risks (protect, monitor, and measure results).

5.2.3 Technical Controls

Technical controls form the foundation that ensures the reliability of virtually every other control in the organization. For example, by protecting against unauthorized access and intrusion, they provide the basis for reliance on the integrity of information, including evidence of all changes and their authenticity. These controls are specific to the technologies in use within the organization's IT infrastructures. The ability to automate technical controls that implement and demonstrate compliance with management's intended information-based policies is a powerful resource to the organization.

Figure 3 - Some Control Classifications

5.3 IT Controls – What to Expect

Individual control mechanisms a CAE can expect to find within the organization can be defined within the hierarchy of IT controls, from the overall high-level policy statements issued by management and endorsed by the board of directors, down to the specific control mechanisms incorporated into application systems.

The hierarchy in Figure 4, IT Controls, represents a logical "top-down" approach, both when considering controls to implement and when determining areas on which to focus audit resources during reviews of the entire IT operating environment. The different elements of the hierarchy are not mutually exclusive; they are all connected and can intermingle. Many of the control types within the elements are described below.

5.3.1 Policies

All organizations need to define their aims and objectives through strategic plans and policy statements. Without clear statements of policy and standards for direction, organizations can become disoriented and perform ineffectively. Organizations with clearly defined aims and objectives tend to be successful.

Because technology is vital to the operations of most organizations, clear policy statements regarding all aspects of IT should be devised and approved by management, endorsed by the board of directors, and communicated to all staff. Many different policy statements can be required, depending on the organization's size and the extent to which it deploys IT. For smaller organizations, a single policy statement may be sufficient, provided it covers all the relevant areas. Larger organizations that implement IT extensively will require more detailed and specific policies.

IT policy statements include, but are not restricted to:

• A general policy on the level of security and privacy throughout the organization. This policy should be consistent with all relevant national and international legislation and should specify the level of control and security required, depending on the sensitivity of the system and data processed.
• A statement on the classification of information and the rights of access at each level. The policy should also define any limitations on the use of this information by those approved for access.
• A definition of the concepts of data and systems ownership, as well as the authority necessary to originate, modify, or delete information. Without these guidelines, it is often difficult to coordinate change within large organizations, because there may not be anyone designated to have overall responsibility for the data or systems.
• A general policy that defines the extent to which users can deploy intelligent workstations to create their own applications.
• Personnel policies that define and enforce conditions for staff in sensitive areas. This includes the positive vetting of new staff prior to joining the organization, carrying out annual credit checks, and having employees sign agreements accepting responsibility for the required levels of control, security, and confidentiality. This policy would also detail related disciplinary procedures.
• Definitions of overall business continuity planning requirements. These policies should ensure that all aspects of the business are considered in the event of a disruption or disaster, not just the IT elements.

Figure 4 - IT Controls

The Center for Internet Security (www.cisecurity.org) reports that applying controls consistently over system and network component configuration will protect the organization from more than 85 percent of the top vulnerabilities identified by the US National Institute of Standards and Technology (NIST), Federal Bureau of Investigation (FBI), SANS Institute, and Computer Security Institute (CSI).

A good source of IT and security policies is the SANS Security Policy Resource page (http://www.sans.org/resources/policies/#intro), a consensus research project of the SANS Institute community. The project offers free resources for rapid development and implementation of information security policies, including policy templates for 24 important security requirements. Although the templates were compiled to help the people attending SANS training programs, SANS makes them available to the world because Internet security depends on vigilance by all participants.

5.3.2 Standards

Standards exist to support the requirements of policies. They are intended to define ways of working that achieve the required objectives of the organization. Adopting and enforcing standards also promotes efficiency, because staff are not required to reinvent the wheel every time a new business application is built or a new network is installed. Standards also enable the organization to maintain the whole IT operating environment more efficiently.

Large organizations with significant resources are in a position to devise their own standards. On the other hand, smaller organizations rarely have sufficient resources for this exercise. There are many sources of information on standards and best practice, some of which are listed in Appendix I. As a guideline, the CAE should expect to see standards adopted for:

• Systems Development Processes – When organizations develop their own applications, standards apply to the processes for designing, developing, testing, implementing, and maintaining systems and programs. If organizations outsource application development or acquire systems from vendors, the CAE should ascertain that agreements require the providers to apply standards consistent with the organization's standards or acceptable to the organization.
• Systems Software Configuration – Because systems software provides a large element of control in the IT environment, standards related to secure system configurations, such as the CIS Benchmarks from the Center for Internet Security, are beginning to gain wide acceptance by leading organizations and technology providers. The way products such as operating systems, networking software, and database management systems are configured can either enhance security or create weaknesses that can be exploited.
• Application Controls – All applications which support business activities need to be controlled. Standards are necessary for all applications the organization develops or purchases that define the types of controls that must be present across the whole range of business activities, as well as the specific controls that should apply to sensitive processes and information.
• Data Structures – Having consistent data definitions across the full range of applications ensures disparate systems can access data seamlessly, and security controls for private and other sensitive data can be applied uniformly.
• Documentation – Standards should specify the minimum level of documentation required for each application system or IT installation, as well as for different classes of applications, processes, and processing centers.

As with policies, standards should be approved by management, should be written in clear and understandable language, and should be made available to all who implement them.

5.3.3 Organization and Management

Organization and management plays a major role in the whole system of IT control, as it does with every aspect of an organization's operations. An appropriate organization structure allows lines of reporting and responsibility to be defined and effective control systems to be implemented.

5.3.3.1 Separation of Duties

Separation of duties is a vital element of many controls. An organization's structure should not allow responsibility for all aspects of processing data to rest upon one individual or department. The functions of initiating, authorizing, inputting, processing, and checking data should be separated to ensure no individual can both create an error, omission, or other irregularity and authorize it and/or obscure the evidence. Separation-of-duties controls for application systems are provided by granting access privileges only in accordance with job requirements for processing functions and accessing sensitive information.

Traditional separation of duties within the IT environment is divided between systems development and operations. Operations should be responsible for running production systems (except for change deployment) and should have little or no contact with the development process. This control includes restrictions preventing operators from accessing or modifying production programs, systems, or data. Similarly, systems development personnel should have little contact with production systems. By assigning specific roles during implementation and other change processes to both the personnel responsible for application systems and those responsible for operations, appropriate separation of duties can be enforced. In large organizations, many other functions should be considered to ensure appropriate separation of duties, and these controls can be quite detailed. For example, privileged accounts, such as members of the Administrators group in Windows and the superuser (root) account in UNIX, can modify log entries, access any file, and in many cases act as any user or role. It is important to restrict the number of individuals with this privilege to a minimum. Software tools are also available, and should be considered, to limit the power and monitor the activities of individuals with privileged accounts.
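The two separation-of-duties tests described above (no one person holding both sides of an initiate/authorize or develop/operate pair, and a minimal, known set of privileged accounts) are the kind of thing an IT auditor runs over extracts rather than checks by hand. The following is an added example, not code from the GTAG or the IIA: it reads a constructed role-assignment export, a constructed /etc/passwd extract and a constructed /etc/group extract, reports users who hold conflicting roles, and lists every account that is UID 0 or belongs to a privileged group. The conflict matrix, the group names `wheel` and `sudo`, and the threshold `MAX_PRIVILEGED_USERS` are assumptions for the illustration, not values from the guide.

```python
"""Separation-of-duties review over constructed inputs: a role-assignment
extract (as an identity system would export it) and /etc/passwd and /etc/group
extracts from a UNIX host. Added example; not code from the GTAG or the IIA."""
import csv
import io
from collections import defaultdict

# Assumed conflict matrix, modelled on the pairs named in the text: no one
# person may hold both roles of a pair.
CONFLICTING_ROLE_PAIRS = [
    ("developer", "production_operator"),
    ("transaction_initiator", "transaction_authorizer"),
    ("change_requester", "change_approver"),
]
PRIVILEGED_GROUPS = ("wheel", "sudo")   # assumed names of the superuser groups
MAX_PRIVILEGED_USERS = 2                 # assumed tolerance set by policy

# Constructed sample data (not taken from any real system).
SAMPLE_ROLE_ASSIGNMENTS = """\
user,role
alice,developer
alice,production_operator
bob,production_operator
carol,transaction_initiator
carol,transaction_authorizer
dave,developer
erin,change_approver
"""
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:second uid-0 account:/root:/bin/bash
alice:x:1001:1001::/home/alice:/bin/bash
bob:x:1002:1002::/home/bob:/bin/bash
dave:x:1003:10::/home/dave:/bin/bash
www:x:33:33::/var/www:/usr/sbin/nologin
"""
SAMPLE_GROUP = """\
root:x:0:
wheel:x:10:alice,bob
sudo:x:27:alice
users:x:100:
"""


def load_roles(text):
    """Map each user to the set of roles the extract grants them."""
    roles = defaultdict(set)
    for row in csv.DictReader(io.StringIO(text)):
        roles[row["user"].strip()].add(row["role"].strip())
    return dict(roles)


def find_sod_conflicts(roles_by_user, pairs=CONFLICTING_ROLE_PAIRS):
    """Users holding both roles of any conflicting pair, sorted for stable reporting."""
    conflicts = []
    for user, roles in sorted(roles_by_user.items()):
        for role_a, role_b in pairs:
            if role_a in roles and role_b in roles:
                conflicts.append((user, role_a, role_b))
    return conflicts


def privileged_accounts(passwd_text, group_text, groups=PRIVILEGED_GROUPS):
    """Accounts that are UID 0 or in a privileged group (by primary GID or membership)."""
    gid_of, members_of = {}, {}
    for line in group_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":", 3)
        gid_of[name] = gid
        members_of[name] = {m for m in members.split(",") if m}
    privileged_gids = {gid_of[g] for g in groups if g in gid_of}
    uid0, via_group = [], set()
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, gid, _rest = line.split(":", 4)
        if uid == "0":
            uid0.append(name)            # any UID-0 account acts as root
        if gid in privileged_gids:
            via_group.add(name)          # privileged by primary group
    for g in groups:
        via_group |= members_of.get(g, set())   # privileged by supplementary membership
    return {"uid0": uid0, "via_group": sorted(via_group),
            "all": sorted(set(uid0) | via_group)}


def review(roles_text, passwd_text, group_text):
    """Combine both tests into one report an auditor can act on."""
    priv = privileged_accounts(passwd_text, group_text)
    return {
        "sod_conflicts": find_sod_conflicts(load_roles(roles_text)),
        "privileged": priv["all"],
        "extra_uid0": [u for u in priv["uid0"] if u != "root"],
        "over_threshold": len(priv["all"]) > MAX_PRIVILEGED_USERS,
    }


if __name__ == "__main__":
    for key, value in review(SAMPLE_ROLE_ASSIGNMENTS, SAMPLE_PASSWD, SAMPLE_GROUP).items():
        print(f"{key}: {value}")
```

On the sample data the report names alice (developer and production operator) and carol (initiates and authorizes transactions) as conflicts, finds a second UID-0 account besides root, and shows five privileged accounts against an assumed tolerance of two. The same structure works against a real identity export and real passwd/group files; the conflict matrix is the part that has to be agreed with management rather than assumed.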

5.3.3.2 Financial Controls

Because organizations make considerable investments in IT, budgetary and other financial controls are necessary to ensure the technology yields the projected return on investment or proposed savings. Management processes should be in place to collect, analyze, and report information related to these issues. Unfortunately, new IT developments often suffer massive cost over-runs and fail to deliver the expected cost savings because of insufficient planning. Budgetary controls can help identify potential failings early in the process and allow management to take positive action. They may also produce historical data that organizations can use in future projects.

5.3.3.3 Change Management

Change management processes can be specified under organizational and management control elements. These processes should ensure that changes to the IT environment, systems software, application systems, and data are applied in a manner that enforces appropriate division of duties, makes sure changes work as required, prevents changes from being exploited for fraudulent purposes, and reveals the true costs of inefficiencies and system outages that can be obscured by ineffective monitoring and reporting processes. Change management is one of the most sensitive areas of IT controls and can seriously impact system and service availability if not administered effectively. The IT Process Institute has published research demonstrating that effective IT change management can bring significant benefits to organizations.
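A detective control that makes the change process auditable is to reconcile what actually changed on production systems against what was approved. The following is an added example, not code from the GTAG, the IIA, or the IT Process Institute: it takes a constructed export of approved change records and a constructed file-integrity-monitor log, and reports every modification that no approved change covers (wrong host or outside the approved window) as well as changes whose requester and approver are the same person, which defeats the division of duties the text calls for. The record format, the identifiers such as `CHG-1001`, the host names, and the zero-minute grace period are assumptions for the illustration.

```python
"""Change-management reconciliation over constructed inputs: approved change
records (as a change-control tool would export them) against modifications
observed on production hosts by a file-integrity monitor. A modification is
authorized only if a properly approved record covers its host and time.
Added example; not code from the GTAG, the IIA or the IT Process Institute."""
from datetime import datetime, timedelta

# Constructed approved changes (identifiers, hosts and names are illustrative).
APPROVED_CHANGES = [
    {"id": "CHG-1001", "host": "web01", "start": "2024-03-02T22:00",
     "end": "2024-03-02T23:30", "requester": "alice", "approver": "bob"},
    {"id": "CHG-1002", "host": "db01", "start": "2024-03-03T01:00",
     "end": "2024-03-03T02:00", "requester": "carol", "approver": "carol"},
]
# Constructed integrity-monitor log: timestamp, host, path, event.
OBSERVED_CHANGES = """\
2024-03-02T22:15 web01 /etc/nginx/nginx.conf modified
2024-03-02T23:45 web01 /etc/nginx/sites-enabled/app modified
2024-03-03T01:20 db01 /etc/postgresql/postgresql.conf modified
2024-03-03T14:02 app02 /usr/local/bin/deploy modified
"""
GRACE = timedelta(minutes=0)   # assumed: no tolerance beyond the approved window


def parse_timestamp(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M")


def parse_observed(log_text):
    """One dict per monitor event; blank lines are ignored."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, host, path, event = line.split(None, 3)
        events.append({"when": parse_timestamp(when), "host": host,
                       "path": path, "event": event})
    return events


def covering_change(event, changes, grace=GRACE):
    """The first approved change whose host and window cover the event, or None."""
    for change in changes:
        if change["host"] != event["host"]:
            continue
        start = parse_timestamp(change["start"]) - grace
        end = parse_timestamp(change["end"]) + grace
        if start <= event["when"] <= end:
            return change
    return None


def reconcile(changes, log_text):
    """Sort every observed modification into authorized, improperly approved or unauthorized."""
    authorized, unauthorized, improperly_approved = [], [], []
    for event in parse_observed(log_text):
        change = covering_change(event, changes)
        if change is None:
            unauthorized.append({**event, "reason": "no approved change covers this host and time"})
        elif change["requester"] == change["approver"]:
            # Covered by a record, but the approval did not separate requester from approver.
            improperly_approved.append({**event, "change": change["id"],
                                        "reason": "covered by a self-approved change"})
        else:
            authorized.append({**event, "change": change["id"]})
    self_approved = [c["id"] for c in changes if c["requester"] == c["approver"]]
    return {"authorized": authorized, "unauthorized": unauthorized,
            "improperly_approved": improperly_approved, "self_approved": self_approved}


if __name__ == "__main__":
    report = reconcile(APPROVED_CHANGES, OBSERVED_CHANGES)
    for item in report["unauthorized"] + report["improperly_approved"]:
        print("EXCEPTION", item["when"], item["host"], item["path"], "-", item["reason"])
    print("self-approved change records:", report["self_approved"])
```

On the sample data one change on web01 is properly authorized, the second web01 change lands fifteen minutes after the approved window closed, the db01 change is covered only by a record its requester approved for herself, and the app02 change has no record at all. The value of the control comes from running it on every monitor event, not a sample, and from the integrity monitor itself being outside the reach of the people who deploy changes.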

5.3.3.4 Other Management Controls

Other typical management controls include vetting procedures for new staff, performance measurement, provision of specialist training for IT staff, and disciplinary procedures. These are listed in the Information Security Program Elements in Appendix A and will be covered in greater detail in other GTAG publications.

5.3.4 Physical and Environmental Controls

IT equipment represents a considerable investment for many organizations. It must be protected from accidental or deliberate damage or loss. Physical and environmental controls originally developed for large data centers that house mainframe computers are equally important in the modern world of distributed client-server and Web-based systems. Although the equipment commonly used today is designed for ease of use in a normal office environment, its value to the business and the cost and sensitivity of applications running business processes can be significant. All equipment must be protected, including the servers and workstations that allow staff access to the applications.

Some typical physical and environmental controls include:

• Locating servers in locked rooms to which access is restricted.
• Restricting server access to specific individuals.
• Providing fire detection and suppression equipment.
• Housing sensitive equipment, applications, and data away from environmental hazards such as low-lying flood plains or flammable liquid stores.

When considering physical and environmental security, it is also appropriate to consider contingency planning, also known as disaster recovery planning, which includes response to security incidents. What will the organization do if there is a fire or flood, or if any other threat manifests itself? How will the organization restore the business and related IT facilities and services to ensure normal processing continues with minimum effect on regular operations? This type of planning goes beyond merely providing for alternative IT processing power to be available and routine backup of production data; it must consider the logistics and coordination needed for the full scope of business activity. Finally, history consistently demonstrates that a disaster recovery plan that has not been tested successfully in a realistic simulation is not reliable.

5.3.5 Systems Software Controls

Systems software products enable the IT equipment to be used by the application systems and users. These products include operating systems such as Windows, UNIX, and Linux; network and communications software; firewalls; antivirus products; and database management systems (DBMS) such as Oracle and DB2.

Systems software can be highly complex and can apply to components and appliances within the systems and network environment. It may be configured to accommodate highly specialized needs and normally requires a high degree of specialization to maintain it securely. Configuration techniques can control logical access to the applications, although some application systems contain their own access controls, and weaknesses in those application-level controls can provide an opening for attackers to break into a system. Configuration techniques also provide the means to enforce division of duties, generate specialized audit trails, and apply data integrity controls through access control lists, filters, and activity logs.

IT audit specialists are required to assess controls in this area. Small organizations are unlikely to have the resources to employ such specialists and should consider outsourcing the work. Whether IT auditors are employed or outsourced, they require a highly specific set of knowledge. Much of this knowledge can come from experience, but such knowledge must be updated constantly to remain current and useful. Certification confirms that a technical specialist has acquired a specified set of knowledge and experience and has passed a related examination. In the IT audit world, global certificates include the Qualification in Computer Auditing (QiCA) from IIA–United Kingdom and Ireland; Certified Information Systems Auditor (CISA), available through the Information Systems Audit and Control Association (ISACA); and Global Information Assurance Certification (GIAC) Systems & Network Auditor (GSNA) from the SANS Institute's GIAC program. Additional certifications address general and specialized competence in information security, network administration, and other areas closely related to IT auditing and are useful for identifying an IT auditor's potential ability.

Some key technical controls the CAE should expect to find in a well-managed IT environment include:

• Access rights allocated and controlled according to the organization's stated policy.
• Division of duties enforced through systems software and other configuration controls.
• Intrusion and vulnerability assessment, prevention, and detection in place and continuously monitored.
• Intrusion testing performed on a regular basis.
• Encryption services applied where confidentiality is a stated requirement.
• Change management processes, including patch management, in place to ensure a tightly controlled process for applying all changes and patches to software, systems, network components, and data.
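Section 5.3.2 points to secure-configuration standards such as the CIS Benchmarks, and the list above expects division of duties and access policy to be enforced through systems software configuration; the way to demonstrate either is to compare the live configuration against the adopted standard. The following is an added example, not code from the GTAG, the IIA, or the Center for Internet Security: it parses a constructed `sshd_config` extract the way the daemon reads it (comments dropped, keywords case-insensitive, the first occurrence of a keyword wins) and reports each directive that deviates from an assumed baseline or is not set at all. The baseline values are modelled on common SSH hardening guidance and are an assumption of this example; they are not quoted from any CIS Benchmark, and the hardened configuration shown is constructed to satisfy them.

```python
"""Configuration-standard check over a constructed sshd_config extract.
Added example; not code from the GTAG, the IIA or the Center for Internet Security.
The baseline below is an assumption modelled on common hardening guidance."""

# Constructed weak configuration (not taken from a real host).
SAMPLE_WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
#PermitEmptyPasswords no
X11Forwarding yes
MaxAuthTries 6
LogLevel INFO
"""
# Constructed configuration that satisfies the assumed baseline.
SAMPLE_HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding no
MaxAuthTries 4
LogLevel VERBOSE
"""

# Assumed baseline: lower-cased directive -> (readable expectation, predicate on the value).
BASELINE = {
    "permitrootlogin": ("no", lambda v: v == "no"),
    "passwordauthentication": ("no", lambda v: v == "no"),
    "permitemptypasswords": ("no", lambda v: v == "no"),
    "x11forwarding": ("no", lambda v: v == "no"),
    "maxauthtries": ("4 or fewer", lambda v: v.isdigit() and int(v) <= 4),
    "loglevel": ("INFO or VERBOSE", lambda v: v in {"info", "verbose"}),
}


def parse_config(text):
    """Return {keyword: value}, both lower-cased; sshd honours the first setting of a keyword."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and commented-out directives
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        settings.setdefault(key, value)           # first occurrence wins
    return settings


def check_config(text, baseline=BASELINE):
    """Deviations from the baseline; a directive left unset is reported, not assumed safe."""
    settings = parse_config(text)
    findings = []
    for key, (expected, ok) in baseline.items():
        observed = settings.get(key)
        if observed is None:
            findings.append({"directive": key, "observed": None,
                             "expected": expected, "issue": "not explicitly set"})
        elif not ok(observed):
            findings.append({"directive": key, "observed": observed,
                             "expected": expected, "issue": "deviates from baseline"})
    return findings


def is_compliant(text, baseline=BASELINE):
    return not check_config(text, baseline)


if __name__ == "__main__":
    for finding in check_config(SAMPLE_WEAK_CONFIG):
        print(finding)
    print("hardened config compliant:", is_compliant(SAMPLE_HARDENED_CONFIG))
```

The weak extract produces five findings: root login and password authentication permitted, X11 forwarding on, too many authentication attempts allowed, and `PermitEmptyPasswords` never set because the only line is commented out. Treating an unset directive as a finding rather than relying on the daemon's default is deliberate: the standard should be visible in the file the auditor is looking at. The same pattern (parse the product's configuration, compare each directive with the adopted benchmark, report deviations) applies to any systems software product once its parsing rules are reproduced.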

536 Systems Development and

Acquisition Controls

Organizations rarely adopt a single methodology for all systems development projects Methodologies are chosen tosuit the particular circumstances of each project The ITauditor should assess whether or not the organization devel-ops or acquires application systems using a controlledmethod that subsequently provides effective controls overand within the applications and data they process All computer application systems should perform only thosefunctions the user requires in an efficient way By examiningapplication development procedures the auditor can gainassurance that applications work in a controlled manner

Some basic control issues should be evident in all systems development and acquisition work:

• User requirements should be documented, and their achievement should be measured.

• Systems design should follow a formal process to ensure that user requirements and controls are designed into the system.

• Systems development should be conducted in a structured manner to ensure that requirements and design features are incorporated into the finished product.

• Testing should ensure that individual system elements work as required, system interfaces operate as expected, users are involved in the testing process, and the intended functionality has been provided.

• Application maintenance processes should ensure that changes in application systems follow a consistent pattern of control. Change management should be subject to structured assurance validation processes.

Where systems development is outsourced, the outsourcer or provider contracts should require similar controls.

Project management techniques and controls need to be part of the development process, whether developments are performed in-house or are outsourced. Management should know that projects are on time and within budget and that resources are used efficiently. Reporting processes should ensure that management completely understands the current status of development projects and does not receive any surprises when the end product is delivered.

5.3.7 Application-based Controls

The objective of internal controls over application systems is to ensure that:

• All input data is accurate, complete, authorized, and correct.

• All data is processed as intended.

• All data stored is accurate and complete.

• All output is accurate and complete.

• A record is maintained to track the process of data from input to storage and to the eventual output.

Reviewing the application controls traditionally has been the "bread and butter" of the IT auditor. However, because application controls now represent a huge percentage of business controls, they should be the priority of every internal auditor. All internal auditors need to be able to evaluate a business process and understand and assess the controls provided by automated processes.

There are several types of generic controls that the CAE should expect to see in any application:

• Input Controls – These controls are used mainly to check the integrity of data entered into a business application, whether the source is input directly by staff, remotely by a business partner, or through a Web-enabled application. Input is checked to ensure that it remains within specified parameters.

• Processing Controls – These controls provide automated means to ensure processing is complete, accurate, and authorized.

• Output Controls – These controls address what is done with the data. They should compare results with the intended result and check them against the input.

• Integrity Controls – These controls can monitor data in process and/or in storage to ensure that data remains consistent and correct.

• Management Trail – Processing history controls, often referred to as an audit trail, enable management to track transactions from the source to the ultimate result and to trace backward from results to identify the transactions and events they record. These controls should be adequate to monitor the effectiveness of overall controls and identify errors as close as possible to their sources.
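As an added example (it is not part of the GTAG), the following Python routine runs one constructed transaction batch through each of the five generic control types listed above: input validation against specified parameters, a processing completeness check on the batch control count, output reconciliation of results back to input, an integrity digest over stored data, and a management trail that can be traced forward or backward by transaction id. The account list, amount limit, batch header, and records are all constructed sample data.

```python
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation
import hashlib
import json

# Constructed parameters: accounts permitted to post and the allowed amount range.
AUTHORIZED_ACCOUNTS = {"ACC-100", "ACC-200", "ACC-300"}
MAX_AMOUNT = Decimal("10000.00")

# Constructed sample batch: five records, three of which violate an input parameter.
SAMPLE_HEADER = {"batch_id": "B-0001", "record_count": 5}
SAMPLE_RECORDS = [
    {"id": "T1", "account": "ACC-100", "amount": "250.00"},
    {"id": "T2", "account": "ACC-999", "amount": "100.00"},    # not authorized
    {"id": "T3", "account": "ACC-200", "amount": "25000.00"},  # over limit
    {"id": "T4", "account": "ACC-300", "amount": "abc"},       # not numeric
    {"id": "T5", "account": "ACC-100", "amount": "75.50"},
]

@dataclass
class BatchResult:
    posted: dict    # txn_id -> Decimal: the data "in storage"
    rejected: dict  # txn_id -> rejection reason
    trail: list     # management (audit) trail entries in processing order
    digest: str     # integrity checksum over the stored data

def to_decimal(value):
    """Parse an amount, returning None unless it is a finite number."""
    try:
        amount = Decimal(str(value))
    except InvalidOperation:
        return None
    return amount if amount.is_finite() else None

def validate_input(rec):
    """Input control: check each field against its specified parameters."""
    for key in ("id", "account", "amount"):
        if rec.get(key) in (None, ""):
            return f"missing field: {key}"
    if rec["account"] not in AUTHORIZED_ACCOUNTS:
        return "account not authorized"
    amount = to_decimal(rec["amount"])
    if amount is None:
        return "amount not numeric"
    if amount <= 0 or amount > MAX_AMOUNT:
        return "amount outside permitted range"
    return None  # record is acceptable

def storage_digest(posted):
    """Integrity control: deterministic hash over stored records, recomputed
    later to detect alteration of data at rest."""
    canon = json.dumps(sorted((k, str(v)) for k, v in posted.items()))
    return hashlib.sha256(canon.encode()).hexdigest()

def trace(trail, txn_id):
    """Management trail: all events for one transaction, so it can be followed
    forward from its batch or backward from a posted result."""
    return [e for e in trail if e.get("txn") == txn_id]

def process_batch(header, records):
    """Run one batch through the five control types and return the outcome."""
    trail = []

    def log(event, **data):
        trail.append({"seq": len(trail) + 1, "batch": header["batch_id"],
                      "event": event, **data})

    log("batch_received", count=len(records))
    # Processing control (completeness): the sender's record count must match
    # what arrived before anything is posted.
    if header["record_count"] != len(records):
        log("batch_rejected", reason="record count mismatch")
        raise ValueError("processing control failed: record count mismatch")
    posted, rejected = {}, {}
    input_total = posted_total = rejected_total = Decimal("0")
    for rec in records:
        txn = rec.get("id") or "<no id>"
        amount = to_decimal(rec.get("amount"))
        if amount is not None:
            input_total += amount
        reason = validate_input(rec)
        if reason:
            rejected[txn] = reason
            if amount is not None:
                rejected_total += amount
            log("input_rejected", txn=txn, reason=reason)
            continue
        posted[txn] = amount
        posted_total += amount
        log("posted", txn=txn, account=rec["account"], amount=str(amount))
    # Output control: compare results back against the input. Every record is
    # accounted for once (a duplicate id would shrink the count) and totals balance.
    if (len(posted) + len(rejected) != len(records)
            or posted_total + rejected_total != input_total):
        log("output_rejected", reason="reconciliation failure")
        raise ValueError("output control failed: totals do not reconcile")
    log("output_reconciled", posted=str(posted_total), rejected=str(rejected_total))
    return BatchResult(posted, rejected, trail, storage_digest(posted))
```

Calling `process_batch(SAMPLE_HEADER, SAMPLE_RECORDS)` posts T1 and T5, rejects T2, T3 and T4 with their reasons, and records an `output_reconciled` entry; re-running `storage_digest` on an altered `posted` dict no longer matches the stored digest.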

GTAG – Understanding IT Controls – 5


5.4 Information Security

Information security is an integral part of all IT controls. Information security applies to both infrastructure and data and is the foundation for the reliability of most other IT controls. The exceptions are controls relating to the financial aspects of IT (e.g., ROI, budgetary controls) and some project management controls. The universally accepted elements of information security are:

• Confidentiality – Confidential information must only be divulged as appropriate and must be protected from unauthorized disclosure or interception. Confidentiality includes privacy considerations.

• Integrity – Information integrity refers to the state of data as being correct and complete. This specifically includes the reliability of financial processing and reporting.

• Availability – Information must be available to the business, its customers, and partners when, where, and in the manner needed. Availability includes the ability to recover from losses, disruption, or corruption of data and IT services, as well as from a major disaster where the information was located.

5.5 IT Controls Framework

IT controls are not automatic. For the more than 50 years organizations have used IT, controls have not always been the default condition of new systems, hardware, or software. The development and implementation of controls typically lag behind the recognition of vulnerabilities in systems and the threats that exploit such vulnerabilities. Further, IT controls are not defined in any widely recognized standard applicable to all systems or to the organizations that use them.

Many frameworks exist for categorizing IT controls and their objectives. Each organization should use the most applicable components of these frameworks to categorize or assess IT controls and to provide and document its own internal control framework for:

• Compliance with applicable regulations and legislation.

• Consistency with the organization's goals and objectives.

• Reliable evidence (assurance) that activities are in compliance with management's governance policies and are consistent with the organization's risk appetite.

Risk Appetite

An organization's risk appetite defines the degree of risk a company or other organization is willing to accept in pursuit of its goals, as determined by executive management and governance. Risk appetite can specify, for example, whether or not an organization will take an aggressive role in the deployment of new and emerging technologies. An organization's risk appetite can be affected by its industry and regulatory environment. Closely related to risk appetite is an organization's risk tolerance, which measures how far it is willing to deviate from its stated measure of risk appetite.

Many issues drive the need for IT controls, including controlling costs and remaining competitive, protecting against information theft by hackers, and complying with legislation and regulation such as the U.S. Sarbanes-Oxley Act of 2002 [2], the European Union's Data Protection Directive, and related legislation in other countries. IT controls promote reliability and efficiency and allow the organization to adapt to changing risk environments. For example, any control that mitigates or detects fraud or cyberattacks enhances the organization's resiliency by helping the organization uncover the risk and manage its impact. Resiliency is a result of a strong system of internal controls that give an organization the ability to manage disruptions seamlessly.

Legislation and regulations in some countries now require organizations to report on the effectiveness of internal control and, by implication, the effectiveness of IT control. The most prominent new law is Sarbanes-Oxley, which requires all companies with shares that are publicly traded in the United States, and their foreign subsidiaries, to report on their system of internal controls over financial reporting, performed in conjunction with an audit of financial statements. A list of some of the legislation and regulations applicable to internal controls is provided in Appendix B (see page 24).

The need for controls is further driven by the complexity resulting from the necessity for diverse technical components to work with one another. While flexibility and adaptability of IT are crucial to meeting the changing needs of customers and business partners and responding to competitive pressures, they also add complexity to business and IT infrastructures. In addition, information security has been acknowledged as a key component of internal control with the emergence and widespread acceptance of standards such as the International Organization for Standardization Code of Practice for Information Security Management (ISO 17799).

Organizations that implement effective IT controls experience improvements in efficiencies, reliability of services, flexibility of systems, and availability of assurance evidence – all of which add value and increase stakeholder and regulator confidence in the organization. Some key indicators of effective IT controls include:

• The ability to execute planned new work, such as the IT infrastructure upgrades required to support new products and services.

• Delivery of development projects on time and within budget, resulting in cheaper and better product and service offerings when compared with competitors.

• Ability to allocate resources predictably.

• Consistent availability and reliability of information and IT services across the organization and for customers, business partners, and other external interfaces.

• Clear communication to management of effective controls.

• The ability to protect against new vulnerabilities and threats quickly and efficiently and to recover from any disruption of IT services.

• The efficient use of a customer support center or help desk.

• A security-conscious culture among end users throughout the organization.

Although the internal audit function likely will include specialist IT auditors to address IT issues in detail, the CAE also should understand IT control issues at a high level, particularly their interactions with other IT and non-IT controls. This understanding is particularly important when discussing compliance or control deficiencies with high-level managers such as the chief executive officer (CEO), chief financial officer (CFO), or chief information officer (CIO), and with the various board committees.

The CAE should be able to discuss relevant regulations and legislation with the audit committee, the chief legal counsel, and other relevant individuals and committees. The CAE also should understand how IT controls support reliability and effectiveness and help promote competitive advantage. Moreover, the CAE should thoroughly understand the major issues that drive the need for controls within the organization's particular sector to ensure they are considered during audit assessments. Without a thorough knowledge and understanding of IT controls, the auditor will be unable to grasp their significance or to assess them adequately as part of the overall review of internal control.

GTAG – Importance of IT Controls – 6


[2] Public Accounting Reform and Investor Protection Act of 2002, known as Sarbanes-Oxley after its sponsors, U.S. Sen. Paul Sarbanes and U.S. Rep. Michael Oxley.

GTAG – IT Roles in the Organization – 7

Many different roles have emerged in recent years for positions within the organization with responsibilities and ownership of IT controls. Each position at the governance, management, operational, and technical levels should have a clear description of its roles and responsibilities for IT controls to avoid confusion and ensure accountability for specific issues. This section addresses the various IT control roles and responsibilities within the organization and allocates them to specific positions within a hypothetical organizational structure.

There is no universally applicable means of defining the organizational structure for IT control. The CAE should identify where IT control responsibilities lie and assess their appropriateness with regard to separation of duties, as well as any gaps that may exist in assigned responsibilities. Once this is done, the CAE will know whom to approach to discuss specific IT issues and where specific information can be obtained.

Overall, the objectives for the use of IT within any organization are:

• To deliver reliable information efficiently and secure IT services in line with the organization's strategies, policies, external requirements, and risk appetite.

• To protect stakeholder interests.

• To enable mutually beneficial relationships with customers, business partners, and other outside parties that accomplish business objectives.

• To identify and respond to threats and potential violations of control appropriately.

Specific roles within the organization support these objectives. The position descriptions and titles will differ across different countries, industries, and organizations, and some of the roles may be merged within smaller organizations. However, some individuals within the organization must address the IT control function and interact with the CAE and internal audit staff members.

7.1 Board of Directors/Governing Body

One important role of the full board of directors is to determine and approve strategies, set objectives, and ensure that objectives are being met to support the strategies. In relation to IT, this requires:

• Awareness of the key IT topics, such as the IT and information security policies and the concepts of risk as they relate to IT. An example of board roles in IT oversight is provided in The IIA's "Information Security Management and Assurance Series" at www.theiia.org/iia/index.cfm?doc_id=2458.

• Understanding of the IT strategy's infrastructure and components, as well as awareness of key system development and acquisition projects and how they support and impact overall corporate strategies, objectives, and short- and long-term budgets.

• Approval of the data classifications structure and the related access rights.

The board will establish various committees based on its relationships with the organization. The most common committees of the board are audit, compensation, and governance, but some boards have additional committees, such as a risk management committee or finance committee. These committees may bear different names from those identified below, and their roles may vary. The functions, rather than the names, are important.

7.1.1 Audit Committee

The role of the audit committee encompasses oversight of financial issues, internal control assessment, risk management, and ethics. IT control is a strong element of each of these duties and calls for:

• Understanding of financial management (financial expert role) and the organization's reliance on IT for financial processing and reporting.

• Ensuring IT topics are included in the committee meeting agenda – especially CIO reporting.

• Ensuring general IT controls and controls in business application systems and processes involved in preparing financial statements are assessed and tested adequately.

• Overseeing the overall assessment of IT controls.

• Reviewing the business and control issues related to new systems development and acquisition.

• Examining internal and external audit plans and work to ensure IT topics are covered adequately.

• Reviewing the results of audit work and monitoring the resolution of issues raised.

• Understanding the IT topics that impact ethics monitoring.

7.1.2 Compensation Committee

The compensation committee has no direct relationship with IT. However, it can improve the board's oversight of IT by making IT one of the performance elements of any compensation plan it approves.

7.1.3 Governance Committee

The governance committee is responsible for board member selection and assessment and for leadership of the board's operations. In relation to IT, this committee should:

• Ensure that potential and current board members have a suitable IT knowledge or background.

• Assess board committees' performance in terms of their oversight of IT.

• Review any external regulatory governance assessments in relation to IT topics.

• Ensure that the board reviews IT policies periodically and that board meetings focus on IT with adequate frequency.

7.1.4 Risk Management Committee

The risk management committee is responsible for oversight of all risk analysis and assessment, risk response, and risk monitoring. Its role includes:

• Assessing the extent to which management has established effective enterprise risk management in the organization.

• Being aware of, and concurring with, the organization's risk appetite and tolerance.

• Appreciating the impact of IT-related risks.

• Reviewing the organization's risk portfolio – including IT risks – and considering it against the organization's risk appetite.

• Being apprised of the most significant IT risks and determining whether or not management's response to changes in risk and threats is appropriate.

• Monitoring and evaluating all activities performed by management to minimize all known and documented risks.

7.1.5 Finance Committee

The main role of the finance committee is to review financial statements, cash flow projections, and investment management. Members of this committee need to understand the control elements of IT that ensure the accuracy of information used to make key financing decisions and generate financial reports. They also should consider, and ask management to report on, the benefits and costs of maintaining – versus replacing – critical IT systems. Management's report should consider "soft" efficiency issues such as gains or losses to productivity based on ease and efficiency of use, the "hard" costs of repairs and upgrades, and the potential for risk due to loss or corruption of data.

7.2 Management

Several specific roles have emerged in large organizations in relation to IT risk and control. As stated previously, small organizations might not allocate an individual for each role, although the function must still be performed. An individual may perform multiple roles, but care must be taken so that allocating these roles does not compromise the need for division of duties where roles are incompatible. Where IT is outsourced, there is still a requirement for organizations to keep many of these roles in-house to provide oversight of the outsourced functions.

7.2.1 Chief Executive Officer

The individual with overall strategic and operational control of the organization must consider IT in most aspects of the role. In particular, the CEO will:

• Define corporate objectives and performance measures in relation to IT.

• Act as custodian over the organization's critical success factors in relation to IT.

• Understand and approve the short-term and long-range strategy for IT.

• Approve IT resources for the organization, including structure and oversight/monitoring.

• Determine IT issues for periodic management, board, and staff discussion.

• Operate as the highest-level control owner, having ultimate responsibility for the success or failure of controls and for coordinating all other operational managers within their responsibilities framework who act as control owners of their particular areas.

7.2.2 Chief Financial Officer

The CFO has overall responsibility for all financial matters in the organization and should have a strong understanding of the use of IT, both to enable financial management and to support corporate objectives. This individual should have an overall understanding of:

• The total cost of ownership for IT initiatives.

• The entity's IT strategies for remaining technologically competitive.

• The technologies used to implement financial applications.

• The operation of specific financial applications.

• The limitations and benefits of IT.

• The IT control structure for general controls that apply to all business systems and data, as well as controls that are specific to financial applications.

The CFO should operate as the highest-level control owner for financial systems and data.

IT Controls and Ethics

As evidenced in the Equity Funding cases in the 1970s to the scandals that continue to emerge today, the use of technology creates significant opportunities to initiate and perpetuate fraud and deception. The authority to override certain controls brings with it the temptation to initiate improper actions. If such improprieties go unnoticed or are tacitly allowed to continue, they can grow into outright fraud. Therefore, when an organization provides an individual the opportunity to perform actions on behalf of the organization, it has a corresponding responsibility to provide monitoring to detect and correct improper activities quickly. The organization also has a responsibility to identify threats of this sort and to establish safeguards as a preventive measure. The same technology tools that can create the opportunity for fraud can be used to identify activities or even unusual patterns in transactions or other data that may indicate evidence of fraud or questionable behavior.

7.2.3 Chief Information Officer

The CIO has overall responsibility for the use of IT within the organization. In relation to IT controls, the CIO should:

• Understand the business requirements that drive the need to implement IT.

• Develop IT partnerships with business management to:
  – Ensure IT strategy is aligned with the business strategy.
  – Ensure compliance.
  – Profit from process-efficiency gains.
  – Mitigate assessed risks.

• Design, implement, and maintain an IT internal control framework.

• Plan, source, and control IT resources.

• Explore, assess, select, and implement technology advances (e.g., wireless communications).

• Provide training for IT personnel to ensure that levels of knowledge and skills remain current.

• Operate as the highest-level data/system custodian and IT control owner.

• Measure the operational performance of IT in support of business objectives by:
  – Setting expectations.
  – Evaluating results.

• Develop all necessary means to verify and acknowledge that IT is providing services and support as expected by its users and final customers, such as regulators and external and internal auditors.

7.2.4 Chief Security Officer

The chief security officer (CSO) is responsible for all security across the entire organization, including information security, which may be the responsibility of a chief information security officer as well. The CSO:

• Has responsibility for documenting the enterprise security policy and for ensuring mechanisms have been established to communicate and enforce the policy.

• Has overall responsibility for logical and physical security in the organization and for all external connections to the Internet or other networks.

• Acts as a key link between the compliance, legal, CIO, and audit functions.

• Is at the forefront of implementing key compliance programs affecting IT, such as Sarbanes-Oxley and the European Union (EU) Data Protection Directive.

• Is responsible for business continuity planning, including incident handling and disaster recovery.

• Ensures that security staff provide support for implementing controls at all levels.

• Acts as the key leader for investigating and evaluating new best practices that may be incorporated into the organization.

7.2.5 Chief Information Security Officer (CISO)

Information security is a subset of the overall security role. The CISO:

• Develops and implements the information security policy in coordination with the CSO.

• Controls and coordinates information security resources, ensuring they are allocated adequately to meet the organization's security objectives.

• Ensures alignment of information security and business objectives.

• Manages operational information risks throughout the organization.

• Oversees security within the IT organization.

• Provides education and awareness on information security issues and new best practices.

• Develops end-user policies for the usage of IT information in conjunction with the human resources function.

• Coordinates information security work with the chief risk officer (CRO) and CIO.

• Advises the CEO, CRO, CIO, and board on IT risk issues.

• Acts as a key link for the CAE when internal auditing performs IT control-related audits.

7.2.6 Chief Legal Counsel (CLC)

Legal counsel may be an employee or officer of the organization or an external legal adviser. The role involves:

• Understanding and dealing with the liabilities arising out of information disclosures and providing policy-level guidance to help manage risks related thereto.

• Ensuring financial reports and presentations comply with laws and regulations.

• Understanding IT legal issues and advising on legal risks related to IT.

• Managing organizational reputation in relation to legal issues, compliance, and public relations.

• Understanding fraud involving IT.

• Managing IT contractual issues.

• Understanding investigative forensics protocols regarding suspected criminal activity.

7.2.7 Chief Risk Officer

The CRO is concerned with managing risk at all levels of the organization. Because IT risks form a part of this function, the CRO will consider them with the help of the CISO. This includes:

• Analysis and assessment of IT risk exposures, including information compromises such as loss, damage, unauthorized disclosure, and interrupted access.

• Assessment of IT events such as interruptions, disasters, and changes.

• Analysis and assessment of business risk as it is affected by IT risk.

• Monitoring, supporting, and acting as a mentor for all IT activities related to minimizing risks.

7.3 Audit

7.3.1 Internal Auditing – CAE and Audit Staff

Internal auditing is an essential part of the corporate governance process, whether or not a specific internal audit group is employed. Internal auditors need a general understanding of IT, but the level of their understanding will vary depending on the category of auditing or audit supervision they perform (IIA Standard 1210.A3). The IIA defines three categories of IT knowledge for internal auditors; Appendix C (see page 28) describes these categories. The internal audit role in relation to IT involves:

• Advising the audit committee and senior management on IT internal control issues.

• Ensuring IT is included in the audit universe and annual plan (selecting topics).

• Ensuring IT risks are considered when assigning resources and priorities to audit activities.

• Defining IT resources needed by the internal audit department, including specialized training of audit staff.

• Ensuring that audit planning considers IT issues for each audit.

• Liaising with audit clients to determine what they want or need to know.

• Performing IT risk assessments.

• Determining what constitutes reliable and verifiable evidence.

• Performing IT enterprise-level controls audits.

• Performing IT general controls audits.

• Performing IT applications controls audits.

• Performing specialist technical IT controls audits.

• Making effective and efficient use of IT to assist the audit processes.

• During systems development or analysis activities, operating as experts who understand how controls can be implemented and circumvented.

• Helping to monitor and verify the proper implementation of activities that minimize all known and documented IT risks.

7.3.2 External Auditor

Independent external audits are a requirement for most organizations and normally are performed annually. Topics to be considered by the internal audit department and the audit committee include:

• The extent of the external auditor's responsibilities for understanding and evaluating the IT system and related IT controls during financial audits.

• The scope of the external auditor's responsibilities for examining the IT system and controls during any formal attestation that may be required by statute or regulation, such as internal controls over financial reporting and other regulatory requirements.


[3] These definitions are taken from the COSO Enterprise Risk Management – Integrated Framework (Oct. 2004).

8.1 Risk Determines Response

IT controls are selected and implemented on the basis of the risks they are designed to manage. As risks are identified – through experience or formal risk assessment – suitable risk responses are determined, ranging from doing nothing and accepting the risk as a cost of doing business to applying a wide range of specific controls, including insurance.

It would be a relatively straightforward task to create a list of recommended IT controls that must be implemented within each organization. However, each control has a specific cost that may not be justified in terms of cost effectiveness when considering the type of business done by the organization. Furthermore, no list of controls is universally applicable across all types of organizations. Although there is a lot of good advice available on the choice of suitable controls, strong judgment must be used. Controls must be appropriate for the level of risk faced by the organization.

The CAE should be able to advise the audit committee that the internal control framework is reliable and provides a level of assurance appropriate to the risk appetite of the organization. In this respect, the risk appetite of the organization is defined by COSO [3] as:

"... the degree of risk, on a broad-based level, that a company or other organization is willing to accept in pursuit of its goals. Management considers the organization's risk appetite first in evaluating strategic alternatives, then in setting objectives aligned with the selected strategy and in developing mechanisms to manage the related risks."

In addition, the CAE should consider risk tolerance. COSO defines risk tolerance as:

"... the acceptable level of variation relative to the achievement of objectives. In setting specific risk tolerances, management considers the relative importance of the related objectives and aligns risk tolerances with its risk appetite."

Thus, the CAE should consider whether or not:

• The organization's IT environment is consistent with the organization's risk appetite.

• The internal control framework is adequate to ensure that the organization's performance remains within the stated risk tolerances.

8.2 Risk Considerations in Determining the Adequacy of IT Controls

Risk management applies to the entire spectrum of activity within an organization, not just to the application of IT. IT cannot be considered in isolation but must be treated as an integral part of all business processes. Choosing IT controls is not simply a matter of implementing those recommended as best practices. They must add value to the organization by reducing risk efficiently and increasing effectiveness.

When considering the adequacy of IT controls within the organization's internal control framework, the CAE should consider the processes established by management to determine:

• The value and criticality of information.

• The organization's risk appetite and tolerance for each business function and process.

• IT risks faced by the organization and quality of service provided to its users.

• The complexity of the IT infrastructure.

• The appropriate IT controls and the benefits they provide.

• Harmful IT incidents in the past 24 months.

The frequency of risk analysis is important and is influenced greatly by technological change. In a static business and technical infrastructure environment, the risk assessment process could be as infrequent as yearly, or could be performed in concert with a major implementation project.

8.2.1 The IT Infrastructure

Analyzing and assessing risk in relation to IT can be complex. The IT infrastructure consists of hardware, software, communications, applications, protocols (rules), and data, as well as their implementation within physical space, within the organizational structure, and between the organization and its external environment. Infrastructure also includes the people interacting with the physical and logical elements of systems.

The inventory of IT infrastructure components reveals basic information about the vulnerabilities of the environment. For example, business systems and networks connected to the Internet are exposed to threats that do not exist for self-contained systems and networks. Because Internet connectivity is an essential element of most business systems and networks, organizations must make certain that their systems and network architectures include the fundamental controls that ensure basic security.

The complete inventory of the organization's IT hardware, software, network, and data components forms the foundation for assessing the vulnerabilities within the IT infrastructures that may impact internal controls. Systems architecture schematics reveal the implementation of infrastructure components and how they interconnect with other components within and outside the organization. To the information security expert, the inventory and architecture of IT infrastructure components – including the placement of security controls and technologies – reveals potential vulnerabilities. Unfortunately, information about a system or network can also reveal vulnerabilities to a potential attacker, so access to such information must be restricted to only those people who need it. A properly configured system and network environment will minimize the amount of information it provides to would-be attackers, and an environment that appears secure presents a less attractive target to most attackers.

GTAG — Analyzing Risk — 8


8.2.2 IT Risks Faced by the Organization

The CAE discusses IT risk issues with the CIO and process owners to ensure that all related parties have an appropriate awareness and understanding of the technical risks faced by the organization through the use of IT, and of their roles in applying and maintaining effective controls.

8.2.3 Risk Appetite and Tolerance

Armed with the knowledge of IT risks, the auditor can validate the existence of effective controls to meet the established risk appetite of the organization and its risk tolerance in relation to IT. The auditor's assessment will involve discussions with many members of management and, ultimately, with the board. The level of detail of these discussions can be determined by the CRO with input from the CIO, CISO, CSO, CAE, and process owners. The final decision regarding risk appetite and tolerance must be made by the risk committee, with input from the audit committee, and must be endorsed by the full board. The definitions of risk appetite and tolerance must be communicated to all relevant managers for implementation.

The goal of enterprise risk management is to ensure that everyone is working with the same level and understanding of risk, and that decisions made at all levels of management are consistent with the organization's risk appetite.

8.2.4 Performing Risk Analysis

Performing risk analysis is not the sole preserve of either the CRO or the CAE, although both of them, or their representatives, should be involved, along with representatives from IT and the business areas.

There are eight basic questions associated with the risk assessment process. The first five include:

• What are the assets at risk, and the value of their confidentiality, integrity, and availability?

• What could happen to affect that information asset value adversely (threat event)? Implicit to this question is the vulnerability analysis and mapping of vulnerabilities to threats and potentially impacted information assets.

• If a threat event happened, how bad could its impact be?

• How often might the event be expected to occur (frequency of occurrence)?

• How certain are the answers to the first four questions (uncertainty analysis)?

The next three questions apply to risk mitigation analysis:

• What can be done to reduce the risk?
• How much will it cost?
• Is it cost-efficient?
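The eight questions worked through for a constructed asset, as an added illustration that is not part of the GTAG; the asset values, impact fractions, frequencies, uncertainty factors and control costs are assumed sample figures, and the cost-efficiency test is the usual comparison of loss avoided against control cost.

```python
"""Worked risk analysis following the eight questions of 8.2.4.

Added example, not from the GTAG. All figures are constructed illustrations.
"""
from dataclasses import dataclass, field


@dataclass
class Threat:
    """Answers to questions 2 to 5 for one threat event against an asset."""
    name: str
    impact: float        # Q3: fraction of asset value lost if the event occurs (0..1)
    frequency: float     # Q4: expected occurrences per year
    uncertainty: float = 1.0   # Q5: multiplicative range on the estimate
                               # (2.0 = "half as often to twice as often")


@dataclass
class Asset:
    """Q1: the asset and the value of its confidentiality, integrity, availability."""
    name: str
    confidentiality: float
    integrity: float
    availability: float
    threats: list = field(default_factory=list)

    @property
    def value(self):
        return self.confidentiality + self.integrity + self.availability


@dataclass
class Mitigation:
    """Q6 to Q8: a candidate control, its annual cost, and how far it cuts the risk."""
    name: str
    annual_cost: float
    frequency_reduction: float = 0.0   # fraction of occurrences prevented
    impact_reduction: float = 0.0      # fraction of impact avoided when it still occurs


def annual_loss(asset, threat):
    """Expected annual loss: value at risk times impact fraction times yearly frequency."""
    return asset.value * threat.impact * threat.frequency


def annual_loss_range(asset, threat):
    """Q5 uncertainty analysis: best and worst case under the stated factor."""
    base = annual_loss(asset, threat)
    return base / threat.uncertainty, base * threat.uncertainty


def residual_loss(asset, threat, mitigation):
    """Expected annual loss after the control is applied."""
    freq = threat.frequency * (1 - mitigation.frequency_reduction)
    imp = threat.impact * (1 - mitigation.impact_reduction)
    return asset.value * imp * freq


def evaluate(asset, threat, mitigation):
    """Q8: the control is cost-efficient if the loss it avoids exceeds its annual cost.

    Returns (loss_avoided, net_benefit, decision); decision is 'control' or
    'accept', matching the strategies described in 8.3.
    """
    avoided = annual_loss(asset, threat) - residual_loss(asset, threat, mitigation)
    net = avoided - mitigation.annual_cost
    return avoided, net, "control" if net > 0 else "accept"


def rank_threats(assets):
    """Order every (asset, threat, loss) triple by expected annual loss, highest first."""
    triples = [(a, t, annual_loss(a, t)) for a in assets for t in a.threats]
    return sorted(triples, key=lambda p: p[2], reverse=True)


# Constructed sample: one customer database exposed to two threat events.
CUSTOMER_DB = Asset(
    "customer database",
    confidentiality=500_000, integrity=300_000, availability=200_000,
    threats=[
        Threat("disclosure via compromised account", impact=0.40, frequency=0.10, uncertainty=3.0),
        Threat("outage from storage failure", impact=0.05, frequency=2.0, uncertainty=1.5),
    ],
)
MFA = Mitigation("multi-factor authentication", annual_cost=15_000, frequency_reduction=0.80)
MIRROR = Mitigation("storage mirroring", annual_cost=120_000, frequency_reduction=0.95)


if __name__ == "__main__":
    for asset, threat, loss in rank_threats([CUSTOMER_DB]):
        lo, hi = annual_loss_range(asset, threat)
        print(f"{asset.name} / {threat.name}: {loss:,.0f} per year (range {lo:,.0f} to {hi:,.0f})")
    for threat, control in ((CUSTOMER_DB.threats[0], MFA), (CUSTOMER_DB.threats[1], MIRROR)):
        avoided, net, decision = evaluate(CUSTOMER_DB, threat, control)
        print(f"{control.name}: avoids {avoided:,.0f}, net {net:,.0f} -> {decision}")
```

With these figures the outage carries the larger expected loss, yet mirroring is not cost-efficient while multi-factor authentication against the smaller risk is, which is why the mitigation questions are asked separately from the ranking.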

8.2.5 Value of Information

Determining the value of the information processed and stored is not an easy task, due to the multidimensional nature of value. The Generally Accepted Information Security Principles (GAISP) Guidelines for Information Valuation, published by the Information Systems Security Association (www.ISSA.org), address information value within the following categories:

• Exclusive possession – cost in the event of a breach of confidentiality
• Utility – cost in the event of a loss of integrity
• Cost of creation/re-creation
• Liability in the event of litigation
• Convertibility/negotiability – represents market value
• Operational impact of unavailability

8.2.6 Appropriate IT Controls

Finally, appropriate IT controls must be chosen and implemented to address the risks identified. Much advice is available on this subject. See Appendix I (see page 45).

The CAE and internal audit group should be involved in the process of analyzing and assessing risk. While they should operate in a manner that maintains the independence and objectivity of their function, they also must provide an opinion on the effectiveness of the internal control framework.

8.3 Risk Mitigation Strategies

When risks are identified and analyzed, it is not always appropriate to implement controls to counter them. Some risks may be minor, and it may not be cost effective to implement expensive control processes for them.

In general, there are several ways to mitigate the potential impact of risks:

• Accept the risk. One of the primary functions of management is managing risk. Some risks are minor because their impact and probability of occurrence are low. In this case, consciously accepting the risk as a cost of doing business is appropriate, as is periodically reviewing the risk to ensure its impact remains low.

• Eliminate the risk. It is possible for a risk to be associated with the use of a particular technology, supplier, or vendor. The risk can be eliminated by replacing the technology with more robust products and by seeking more capable suppliers and vendors.

• Share the risk. Risk mitigation approaches can be shared with trading partners and suppliers. A good example is outsourcing infrastructure management. In such a case, the supplier mitigates the risks associated with managing the IT infrastructure by being more capable and having access to more highly skilled staff than the primary organization. Risk also may be mitigated by transferring the cost of realized risk to an insurance provider.

• Control/mitigate the risk. Where other options have been eliminated, suitable controls must be devised and implemented to prevent the risk from manifesting itself or to minimize its effects.


8.4 Control Characteristics to Consider

Some of the issues to be addressed during the IT control evaluation process include:

• Is the control effective?
• Does it achieve the desired result?
• Is the mix of preventive, detective, and corrective controls effective?
• Do the controls provide evidence when control parameters are exceeded or when controls fail? How is management alerted to failures, and which steps are expected to be taken?
• Is evidence retained (audit or management trail)?

8.5 Baseline IT Controls

IT controls are to be applied when mitigating the risks is the best option. While IT controls should be applied with due regard to the relevant risks, there is a basic set of controls that need to be in place to provide a fundamental level of IT hygiene. For example, the use of a firewall to control traffic between a corporate network and a public network such as the Internet, or between internal network domains, is a baseline control. The level of risk associated with the business value and sensitivity of the network traffic, the services provided, and the information stored in the infrastructure determines the extent to which firewalls restrict traffic coming into and departing from an organization's networks. Firewalls are a physical and logical manifestation of information security policy elements that dictate what is allowed into or out of an organization.

IT controls most widely applicable to all IT infrastructures are known as baseline controls. There are many types of baseline controls. Two baselines that apply to IT security controls are the Digital Dozen from the VISA Cardholder Information Security Program (CISP) and the Fundamental Five from the Center for Internet Security (see sidebars on this page). The Fundamental Five and Digital Dozen complement each other.

It is not easy to define the baseline IT controls, because the general threats, such as malicious software and hacking, change, and newer technologies and applications frequently are implemented across the organization. The following questions can be considered when selecting a suitable set of baseline controls:

• Do IT policies, including for IT controls, exist?
• Have responsibilities for IT and IT controls been defined, assigned, and accepted?
• Are IT infrastructure, equipment, and tools logically and physically secured?
• Are access and authentication control mechanisms used?
• Is antivirus software implemented and maintained?
• Is firewall technology implemented in accordance with policy (e.g., where external connections such as the Internet exist and where separation between internal networks is needed)?
• Are external and internal vulnerability assessments completed, and risks identified and appropriately resolved?
• Are change and configuration management and quality assurance processes in place?
• Are structured monitoring and service measurement processes in place?
• Are specialist IT audit skills available (either internally or outsourced)?

Further information on baseline controls can be found in Appendix I (see page 45). More comprehensive information on risk analysis and management can be found in the IIA paper Information Security Management and Assurance: A Call to Action for Corporate Governance, http://www.theiia.org/eSAC/pdf/BLG0331.pdf


Fundamental Five

The Consensus Benchmarks from the Center for Internet Security (www.cisecurity.org) provide guidance on the "Fundamental Five" of basic security hygiene. Use of these benchmarks typically results in an 80 percent to 95 percent reduction of known vulnerabilities.

1. Identity and Access Management (including privilege assignment and authentication)
2. Change Management (including patch management)
3. Configuration Management
4. Firewalls (workstation, host, sub-network, and perimeter)
5. Malware protection (including worms and viruses)

Digital Dozen

One of the most concise and broadly useful summaries of security guidance is the VISA CISP, which has proven its value for over two years in use by VISA credit card network service providers, including banks, processors, merchants, and others. VISA refers to these requirements as its "Digital Dozen":

1. Install and maintain a working firewall to protect data.
2. Keep security patches up-to-date.
3. Protect stored data.
4. Encrypt data sent across public networks.
5. Use and regularly update anti-virus software.
6. Restrict access by need to know.
7. Assign a unique Identification Code (ID) to each person with computer access.
8. Don't use vendor-supplied defaults for passwords and security parameters.
9. Track all access to data by unique ID.
10. Regularly test security systems and processes.
11. Implement and maintain an information security policy.
12. Restrict physical access to data.


9.1 Choosing a Control Framework

The process of identifying and assessing the IT controls necessary to address specific risks is aided considerably by the organization's adoption of a formal control framework. This framework should apply to, and be used by, the whole organization, not just internal auditing. Although many frameworks exist, no single framework covers every possible business type or technology implementation.

A control framework is a structured way of categorizing controls to ensure that the whole spectrum of control is adequately covered. The framework can be informal or formal. A formal approach will satisfy the various regulatory or statutory requirements faced by many organizations more readily.

Each organization should examine existing control frameworks to determine which of them, or which parts, most closely fit its needs. The process of choosing or constructing a control framework should involve all positions in the organization with direct responsibility for controls. The CAE should be involved in the decision process because the internal audit function will assess the framework's adequacy and use it as a context for planning and performing audit work.

The CAE needs an overall knowledge of IT risk issues to assess the effectiveness and appropriateness of IT controls. The CAE will base the audit plan and allocate audit resources according to the IT areas and issues that merit attention due to their inherent levels of risk. Risk analysis and assessment cannot be viewed as a one-time process, especially when applied to IT, because technology changes constantly and rapidly, as do the associated risks and threats.

Categorizing IT controls according to their organizational placement, purpose, and functionality is useful in assessing their value and adequacy, as well as the adequacy of the system of internal controls. Knowledge of the range of available IT controls, the driving forces for controls, and organizational roles and responsibilities allows for comprehensive risk analysis and assessments. In assessing control effectiveness, it is also useful to understand whether the controls are mandated or voluntary, discretionary or nondiscretionary, manual or automated, primary or secondary, and subject to management override.

Finally, the assessment of IT controls involves selecting key controls for testing, evaluating test results, and determining whether or not evidence indicates any significant control weaknesses. The checklist in Appendix H can help the CAE ensure all relevant issues have been considered when planning and directing internal audit assessments of IT controls. Several existing frameworks and approaches can assist the CAE and other managers when determining IT control requirements. However, organizations should investigate enough frameworks to determine which one best fits their own needs and culture. A partial list of available frameworks is provided in Appendix D (see page 29).

The COSO Internal Control – Integrated Framework (1992) is accepted by the U.S. Public Company Accounting Oversight Board (PCAOB) for the purpose of reporting compliance with financial reporting provisions, but it is not specific to all areas of IT. This framework is considered to be a "suitable, recognized" framework to adopt for Sarbanes-Oxley compliance because it covers all areas of IT implementation, albeit at a high level of abstraction. (See Figure 5, COSO Model for Technology Controls, page 18.)

GTAG — Monitoring and Techniques — 9

COSO Model for Technology Controls

Monitoring
• Monthly metrics from technology performance
• Technology cost and control performance analysis
• Periodic technology management assessments
• Internal audit of technology enterprise
• Internal audit of high risk areas

Control Activities
• Review board for change management
• Comparison of technology initiatives to plan and return on investment
• Documentation and approval of IT plans and systems architecture
• Compliance with information and physical security standards
• Adherence to business continuity risk assessment
• Technology standards compliance enforcement

Information and Communication
• Periodic corporate communications (intranet, e-mail, meetings, mailings)
• Ongoing technology awareness of best practices
• IT performance survey
• IT and security training
• Help desk ongoing issue resolution

Risk Assessment
• IT risks included in overall corporate risk assessment
• IT integrated into business risk assessments
• Differentiate IT controls for high risk business areas/functions
• IT internal audit assessment
• IT insurance assessment

Control Environment
• Tone from the top – IT and security controls considered important
• Overall technology policy and information security policy
• Corporate Technology Governance Committee
• Technology Architecture and Standards Committee
• Full representation of all business units

Figure 5 - COSO Model for Technology Controls

9.2 Monitoring IT Controls

Determining where to apply control monitoring and assessment, and their frequency, is not easy. Participation by the auditor in risk analysis exercises and implementation of a suitable control framework help ensure that the CAE has sufficient information to create a suitable audit plan to address the major IT risks.

Ultimately, management is responsible for monitoring and assessing controls. The auditor's monitoring and assessments are performed to independently attest to management's assertions regarding the adequacy of controls. Management's control monitoring and assessment activities should be planned and conducted within several categories, as follows:

9.2.1 Ongoing Monitoring

• Daily/Periodic – Some information must be checked daily to ensure controls are working as required. Management normally performs such monitoring, which traditionally involves checking data-processing control reports to reconcile satisfactory task and job completion. Such controls, where they exist, are most often automated. The CAE will ensure such management monitoring is in place and that it is subjected to internal audit assessment.

• Event-driven – Discrepancies, or even frauds, may result within normal processing or in special circumstances, such as where there are large-value transactions. In many IT environments, malicious attacks are likely. Consequently, specific controls should be in place to detect and report unusual activities to an entity within the organization that is chartered specifically to investigate and determine if preventive or corrective actions should be applied. Such monitoring controls are complementary to the normal controls employed, and provide assurance on the effectiveness of those controls or early warning that they may have been breached.

• Continuous – Technology now provides the ability to monitor and assess certain sensitive controls continuously. A good example of continuous monitoring is the use of intrusion detection software, which continually monitors network traffic for evidence that other protective controls, such as firewalls and virus protection, may have been breached.

9.2.2 Special Reviews

• Annual (or quarterly) control assessment – Sarbanes-Oxley legislation in the United States requires cyclical control assessments. Although the board of directors is required to make statements regarding the effectiveness of internal controls, management actually must provide the assurances to the board, and the internal and external auditors must perform sufficient audit work to attest to these assurances.

• Audit reviews – A regular program of audit reviews is still necessary despite the proliferation of new audit approaches. It is only through the formal review of infrastructure, process, and technology implementation that the CAE can assess the overall reliability and robustness of the system of internal controls. In the past, such reviews were planned on a cyclical basis. However, given the fast-changing world of IT, audit reviews should now be scheduled based on the level of risk.


Suitable Recognized Framework

"…the framework on which management's assessment of the issuer's internal control over financial reporting is based must be a suitable, recognized control framework that is established by a body or group that has followed due-process procedures, including the distribution of the framework for public comment. By far the best-known framework that meets that definition is the framework designed by The Committee of Sponsoring Organizations of the Treadway Commission, otherwise known as the COSO report, which was published in 1992."

— Scott A. Taub, Deputy Chief Accountant, U.S. Securities and Exchange Commission (SEC), SEC and Financial Reporting Conference, Pasadena, California, May 29, 2003


10.1 What Audit Methodology to Use

A lot has changed in the 40 years that IT auditing has existed. Technology components have become smaller, faster, and cheaper, even as overall IT costs to the organization have increased significantly. The majority of business processes have been automated, typically to provide efficiencies but also to enable certain business processes that cannot be performed manually. Ubiquitous network communications, including the Internet, have eliminated any distinction between business and electronic business.

The audit process similarly has evolved to match the automation of business processes. In the early days of automation, auditors "audited around the computer." Now they use software routinely to test or analyze data and technical controls within systems.

A widely used audit approach involves operational analysis of the processing of important business transactions by automated systems. In such audits, the auditor identifies activities and information subject to control and assesses the ability of existing controls to provide reliable protection, including sufficient evidence of the reliability of controls. Because operational audits of automated business processes frequently identify internal control deficiencies, internal auditors may sometimes shift their attention to audits of, or even involvement in, the processes whereby business activities are automated, such as systems design, development and acquisition, implementation, and maintenance.

Experienced auditors develop extensive knowledge of internal controls and their strengths and weaknesses. Therefore, it is not uncommon for internal auditors to provide consulting services to the management responsible for designing and implementing internal controls. The scope and limitations on such consulting activity are prescribed in the International Standards for the Professional Practice of Internal Auditing (see http://www.theiia.org/guidance/standards-and-practices). However, internal auditor involvement in design, development, or implementation activities does not absolve management from responsibility for those activities.

Today, no specific audit methodologies can be regarded as the sole current best practice. Internal auditors adopt the methods and practices that best suit the work needed. For example:

• When performing an assessment against Sarbanes-Oxley requirements, a systems-based audit approach may be the best method.

• Fraud investigations may require the use of audit software to analyze data and look for evidence. Audit software provides strong analytical capability plus the ability to examine all relevant records and files.

• Performing annual audit work in support of the main internal audit objectives will most likely follow a risk-based approach.

10.2 Testing IT Controls and Continuous Assurance

In addition to assessing the adequacy of IT control mechanisms, regular reviews should be performed to ensure that controls continue to function as required. A traditional method used by internal auditors is to create a population of test data that can be processed through the business systems and to check the results, to ensure, for example, that controls continue to accept valid data and reject incorrect and invalid items. However, given the widespread, complex, and interactive nature of business systems today, audit testing tends to focus more specifically on key automated controls and analysis of the data.
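The test-data method described above, as an added example that is not part of the GTAG: a constructed invoice input control is run against a test population in which each item carries the auditor's expected disposition, and every mismatch is reported as a control deviation. The control, the vendor master, the open purchase orders and the tolerance are all assumed sample values; the control is written with one deliberate gap so the test has something to find.

```python
"""Test-data approach to control testing (10.2).

Added example, not code from the GTAG. In practice the population is
processed through the real business system and its results compared.
"""
from dataclasses import dataclass

# Constructed reference data consulted by the control under test.
VENDOR_MASTER = {"V100": "active", "V200": "active", "V300": "blocked"}
OPEN_PURCHASE_ORDERS = {"PO-1": ("V100", 10_000), "PO-2": ("V200", 2_500)}
TOLERANCE = 0.05  # an invoice may exceed its purchase order by at most 5 percent


def invoice_control(invoice):
    """Constructed input control: returns 'accept' or 'reject' for one invoice.

    It deliberately contains one weakness for the test to reveal: the
    vendor-status check is skipped when no purchase order is referenced.
    """
    vendor, po, amount = invoice["vendor"], invoice.get("po"), invoice["amount"]
    if amount <= 0:
        return "reject"
    if po is None:
        return "accept"                       # weakness: a blocked vendor gets through
    if po not in OPEN_PURCHASE_ORDERS:
        return "reject"
    po_vendor, po_amount = OPEN_PURCHASE_ORDERS[po]
    if po_vendor != vendor or VENDOR_MASTER.get(vendor) != "active":
        return "reject"
    if amount > po_amount * (1 + TOLERANCE):
        return "reject"
    return "accept"


@dataclass
class TestItem:
    """One record of the test population with the auditor's expected disposition."""
    label: str
    invoice: dict
    expected: str


# Constructed test population: valid items that must be accepted and invalid
# items that must be rejected, one for each condition the control should enforce.
TEST_POPULATION = [
    TestItem("valid within tolerance", {"vendor": "V100", "po": "PO-1", "amount": 10_400}, "accept"),
    TestItem("over tolerance", {"vendor": "V100", "po": "PO-1", "amount": 11_000}, "reject"),
    TestItem("vendor/PO mismatch", {"vendor": "V200", "po": "PO-1", "amount": 9_000}, "reject"),
    TestItem("unknown PO", {"vendor": "V100", "po": "PO-9", "amount": 100}, "reject"),
    TestItem("negative amount", {"vendor": "V200", "po": "PO-2", "amount": -50}, "reject"),
    TestItem("blocked vendor, no PO", {"vendor": "V300", "po": None, "amount": 700}, "reject"),
    TestItem("valid no-PO invoice", {"vendor": "V200", "po": None, "amount": 300}, "accept"),
]


def run_test_population(population, control):
    """Process every item through the control and return the deviations:
    (label, expected, actual) for each item the control disposed of wrongly.
    An empty list means the control still accepts valid and rejects invalid data."""
    deviations = []
    for item in population:
        actual = control(item.invoice)
        if actual != item.expected:
            deviations.append((item.label, item.expected, actual))
    return deviations


if __name__ == "__main__":
    for label, expected, actual in run_test_population(TEST_POPULATION, invoice_control):
        print(f"control deviation: {label}: expected {expected}, got {actual}")
```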

10.2.1 Automated Continuous Monitoring

Continuous monitoring and audit tools have been used for many years. Previously called embedded audit software, program code in business systems checks data being processed against predetermined criteria and reports anomalies it detects. The benefit of such monitoring is obvious: any discrepancies can be identified and acted upon immediately. Many proprietary business software products now provide such continuous monitoring functionality. The concept has also gone beyond business applications. For example, most firewall products and intrusion detection systems continuously check for potential attack scenarios and provide instant alerts when potential attacks are detected. This type of monitoring can cause problems due to the considerable volume of data and potential errors that are highlighted, not all of which will be worthy of attention. The task of refining the analysis techniques and monitoring thresholds requires constant vigilance to determine which alerts to highlight and which to accept as normal events.

GTAG — Assessment — 10

How Auditing Contributes to IT Controls

During the past four decades, there have been periods of reflection when management and auditors agreed the auditors could add value to the organization by contributing their controls expertise to development processes, to ensure appropriate controls were incorporated into new systems rather than adding controls after an audit revealed a deficiency. These activities coincided with the developments in control and risk self-assessment in the mainstream audit world. Audit consulting and risk-based auditing became widespread. The 1990s and beyond also saw dramatic increases in attention to information security management as cyber attacks increased in number and severity. These events have helped shape the role of the IT auditor as well as the business world's recognition of the importance of effective information security management.
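An embedded-audit style monitor of the kind described in 10.2.1, which also covers the event-driven detection of large-value and unusual transactions from 9.2.1, as an added example that is not code from the GTAG or any product. The record layout, the rules, the thresholds and the sample batch are constructed; the threshold-tuning step shows one way to decide which recurring hits to accept as normal events after review rather than highlight every time.

```python
"""Continuous monitoring of a transaction stream against predetermined criteria.

Added example, not from the GTAG. Record layout, thresholds and sample
transactions are constructed for illustration.
"""
from collections import Counter, defaultdict

# Predetermined criteria; each rule returns an alert code or None.
LARGE_VALUE_LIMIT = 50_000    # event-driven: single large-value transaction
SPLIT_TOTAL_LIMIT = 50_000    # several smaller payments to one payee adding up to a large one
OFF_HOURS = range(0, 6)       # hours 00-05 are outside normal processing


def rule_large_value(tx, _history):
    return "LARGE_VALUE" if tx["amount"] >= LARGE_VALUE_LIMIT else None


def rule_self_approval(tx, _history):
    # Segregation of duties: whoever entered the transaction must not approve it
    return "SELF_APPROVED" if tx["entered_by"] == tx["approved_by"] else None


def rule_off_hours(tx, _history):
    return "OFF_HOURS" if tx["hour"] in OFF_HOURS else None


def rule_split_payments(tx, history):
    # history holds amounts already seen for each payee in this batch; flag when
    # the running total crosses the limit although no single payment does
    total = sum(history[tx["payee"]]) + tx["amount"]
    if total >= SPLIT_TOTAL_LIMIT and tx["amount"] < LARGE_VALUE_LIMIT:
        return "SPLIT_PAYMENT"
    return None


RULES = (rule_large_value, rule_self_approval, rule_off_hours, rule_split_payments)


def monitor(transactions, suppressed=()):
    """Check every record against every rule; return (alerts, summary).

    alerts: list of (tx_id, alert_code) to hand to the investigating function.
    summary: Counter keyed by (alert_code, entered_by) covering every hit.
    suppressed: (alert_code, entered_by) keys management has reviewed and
    accepted as normal; they are still counted but not raised.
    """
    history = defaultdict(list)
    alerts = []
    summary = Counter()
    for tx in transactions:
        for rule in RULES:
            code = rule(tx, history)
            if code:
                key = (code, tx["entered_by"])
                summary[key] += 1
                if key not in suppressed:
                    alerts.append((tx["id"], code))
        history[tx["payee"]].append(tx["amount"])
    return alerts, summary


def tune_suppressions(summary, max_share=0.3):
    """Threshold refinement: a (code, user) pair producing more than max_share of
    all hits is a candidate for review and suppression, not for daily escalation."""
    total = sum(summary.values())
    return sorted(key for key, n in summary.items() if total and n / total > max_share)


# Constructed sample batch of payment records for one processing day.
SAMPLE_TRANSACTIONS = [
    {"id": 1, "payee": "ACME", "amount": 12_000, "hour": 10, "entered_by": "clerk1", "approved_by": "mgr1"},
    {"id": 2, "payee": "ACME", "amount": 20_000, "hour": 11, "entered_by": "clerk1", "approved_by": "mgr1"},
    {"id": 3, "payee": "ACME", "amount": 19_000, "hour": 11, "entered_by": "clerk2", "approved_by": "mgr1"},
    {"id": 4, "payee": "BETA", "amount": 75_000, "hour": 14, "entered_by": "clerk2", "approved_by": "mgr2"},
    {"id": 5, "payee": "GAMMA", "amount": 800, "hour": 3, "entered_by": "batch", "approved_by": "batch"},
    {"id": 6, "payee": "GAMMA", "amount": 650, "hour": 3, "entered_by": "batch", "approved_by": "batch"},
    {"id": 7, "payee": "DELTA", "amount": 4_500, "hour": 2, "entered_by": "batch", "approved_by": "batch"},
]


if __name__ == "__main__":
    alerts, summary = monitor(SAMPLE_TRANSACTIONS)
    print("raw alerts:", alerts)
    noisy = tune_suppressions(summary)
    print("candidates for review and suppression:", noisy)
    tuned, _ = monitor(SAMPLE_TRANSACTIONS, suppressed=noisy)
    print("alerts after tuning:", tuned)
```

In the sample batch the nightly posting job ("batch") trips the off-hours and self-approval rules on every record; keying suppression by (code, user) lets those be accepted after review while a clerk approving their own entry would still be raised.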

10.2.2 Automated Internal Control Analysis Tools

Audit software can be used to analyze stored data and check its validity to ensure the continuous, reliable operation of internal controls. Originally designated audit interrogation software, products such as ACL (www.acl.com) or CaseWare IDEA (www.caseware.com) now provide sophisticated features and specific analysis that can reduce the control assessment workload while increasing effectiveness and efficiency. Spreadsheet products like Microsoft Excel also contain powerful analysis tools auditors may use.

10.2.3 Automated Risk Analysis

Tools also are available for automating the risk analysis process. These tools are invaluable to the entire internal audit function, not just the IT auditor or risk specialist. Performing a proper risk analysis in today's complex IT environments is not easy without the assistance of automated tools.

Management is responsible for performing risk assessments to determine the controls to implement or improve. Internal auditors perform similar analysis when assessing the adequacy of controls for audit plan and scope purposes. Automated tools can assist both processes. The automation of internal audit management is a major topic in its own right.

10.3 Audit Committee/Management/Audit Interfaces

It is impractical to establish rules for reporting on every special IT control situation. The CAE must apply prudent judgment when expressing an opinion or submitting a report to the audit committee. This is no different from the way the CAE interacts with the audit committee regarding other internal control issues.

The CAE will discuss internal control issues with the audit committee to determine the optimum level of information to be provided to enable the audit committee to achieve its statutory, regulatory, policy, due care, or other governance obligations.

"Metrics and reporting" and "audit report summaries" are two areas where the CAE should interact with the audit committee regarding internal controls. Further interactions will depend on the needs of the specific audit committee and any legislative or regulatory requirements.

Metrics and reporting. Metrics and reports must present meaningful information on the status of IT controls. While management provides the metrics and reporting, the CAE should be able to attest to their validity and opine on their value. This is accomplished through audit examination of the relevant control areas to produce an independent and objective assessment. The CAE should liaise with management at all levels, and with the audit committee, to agree on the validity and effectiveness of the metrics and assurances chosen for reporting.

A basic set of governance and management metrics for information security is included in Appendix G (see page 40). These metrics do not include specific data regarding the operation of detailed technical controls, although the technical controls may provide the information used in measurement. The actual metrics used will depend on the organization and the needs of the audit committee. The CAE can select examples of measurements taken at any level of the organization to help illustrate matters that can materially impact controls at the governance level.

Audit Report Summaries. Prepared on a regular basis for the audit committee, these reports summarize findings, conclusions, and opinions regarding the status of IT controls. They also can report on the agreed-upon actions from prior audit reports and the status of those actions, probably on an exception basis for actions not taken within the designated time frame. IT controls summaries cannot be presented in isolation, but should be presented in the context of the entire internal control framework.

The frequency of reporting depends on the organization's needs. In a strong regulatory environment, such as that provided by Sarbanes-Oxley in the United States, quarterly reporting is required. Otherwise, the frequency of reporting will be driven by the organization's governance framework and philosophy and the extent to which IT risks exist.


Figure 6 – Audit Interfaces


Assessing IT controls is an ongoing process because business processes are constantly changing, technology continues to advance, threats evolve as new vulnerabilities emerge, and audit methods keep improving. The CAE should keep assessments of IT controls that support business objectives near the top of the audit agenda.

Assessing IT controls is not a case of determining whether best practices are employed, as controls are specific to the organization's mission, objectives, culture, deployed processes and technologies, and risks. Technology should be tailored to provide effective control, and the CAE should ensure internal auditing adopts appropriate and effective methods. Auditing IT is a continuous learning process.

The CAE is rarely in a position to understand all the technologies used in his or her environment and their specific control implications. That is why properly certified and experienced IT auditors are a major asset for any internal audit function. However, the CAE should understand the overall control issues and be able to communicate them to senior management and to appropriate committees of the board of directors in a form they will understand and in a manner that will result in an appropriate response. The key to assessing IT controls effectively is communication with technical staff, management, and board members.


GTAG — Conclusion — 11

Note: This appendix is extracted from the report of the Best Practices and Metrics team of the Corporate Information Security Working Group (CISWG), as provided on November 17, 2004, to the Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census, Government Reform Committee, U.S. House of Representatives, and subsequently amended on January 10, 2005. Additional information may be obtained from the "Technology" section of http://www.theiia.org

12.1 Governance (Board of Directors)

• Oversee risk management and compliance programs pertaining to information security (e.g., Sarbanes-Oxley, Health Insurance Portability and Accountability Act, Gramm-Leach-Bliley Act).
• Approve and adopt broad information security program principles and approve assignment of key managers responsible for information security.
• Strive to protect the interests of all stakeholders dependent on information security.
• Review information security policies regarding strategic partners and other third parties.
• Strive to ensure business continuity.
• Review provisions for internal and external audits of the information security program.
• Collaborate with management to specify the information security metrics to be reported to the board.

12.2 Management

• Establish information security management policies and controls, and monitor compliance.
• Assign information security roles, responsibilities, and required skills, and enforce role-based information access privileges.
• Assess information risks, establish risk thresholds, and actively manage risk mitigation.
• Ensure implementation of information security requirements for strategic partners and other third parties.
• Identify and classify information assets.
• Implement and test business continuity plans.
• Approve information systems architecture during acquisition, development, operations, and maintenance.
• Protect the physical environment.
• Ensure internal and external audits of the information security program, with timely follow-up.
• Collaborate with security staff to specify the information security metrics to be reported to management.

12.3 Technical

Establishing a complete information security program requires attention to the following technical program elements:

• User identification and authentication
• User account management
• User privileges
• Configuration management
• Event and activity logging and monitoring
• Communications, e-mail, and remote access security
• Malicious code protection, including viruses, worms, and trojans
• Software change management, including patching
• Firewalls
• Data encryption
• Backup and recovery
• Incident and vulnerability detection and response
• Collaboration with management to specify the technical metrics to be reported to management


GTAG — Appendix A — Information Security Program Elements — 12

There is an increasing volume of legislation impacting on the internal control framework that organizations choose to implement. Although much of this legislation has emerged over recent years in the United States as a result of various corporate scandals, it has impacted organizations in other countries as well. Organizations should be aware of the relevant legislation, regulation, and business practices around the world — particularly in all countries in which they do business — to assess the organizational impacts and requirements.

For example, data protection legislation in Europe inhibits the transfer of information across borders to countries that do not have comparable data-protection regulation in place. This impacts trading relationships where the information to be transferred refers to identifiable individuals. Sarbanes-Oxley contains requirements for reporting on the system of internal controls for all organizations publicly traded in the United States, as well as their foreign subsidiaries.

This appendix provides a summary of requirements and the impact of some of the major legislation and regulation that should be considered in assessing and managing IT controls. Although this GTAG is aimed at a global audience, it covers Sarbanes-Oxley in some depth because it is one of the most significant pieces of legislation to emerge in recent years. The Organisation for Economic Co-operation and Development (OECD) Corporate Governance Principles provide a general framework for the implementation of business controls. The Basel II Accords have a major impact on the international financial sector, and many have suggested Basel II guidance may also influence other sectors.

13.1 U.S. Sarbanes-Oxley Act of 2002
Sarbanes-Oxley (http://www.theiia.org/iia/guidance/issues/sarbanes-oxley.pdf) was intended to reform public accounting practices and other corporate governance processes and shore up the capital markets in the wake of the Enron and WorldCom corporate governance scandals. The PCAOB provides a comprehensive collection of information and advice on Sarbanes-Oxley at its Web site (http://www.sarbanes-oxley.com). The key requirements of Sarbanes-Oxley, the SEC, and U.S. stock listing exchanges are fully compared and contrasted in an IIA Research Foundation analysis titled "Assessment Guide for U.S. Legislative, Regulatory, and Listing Exchanges Requirements Affecting Internal Auditing" (www.theiia.org/iia/download.cfm?file=519).

However, Sarbanes-Oxley does not address the issue of IT controls specifically. This does not mean IT can be ignored when performing the compliance reviews required by the act. The act is neutral with regard to technology, but the implication is clear that IT controls are critical to an organization's overall system of internal controls. As IT controls address the secure, stable, and reliable performance of hardware, software, and personnel to ensure the reliability of financial applications, processes, and reporting, they must be a significant element of compliance reviews.

Some key IT control areas have been interpreted as not being incorporated in Sarbanes-Oxley compliance. These include privacy, business continuity, business systems, data classification, and information not specific to financial processing and reporting. Therefore, any audit specifically limited to Sarbanes-Oxley compliance will not assess all the risks faced by the organization and must be supplemented to ensure full audit coverage of the organization's risk management and internal controls.

Tools and resources for corporate governance initiatives and current legislation can be found on The IIA's Web site at http://www.theiia.org/iia/index.cfm?doc_id=4061.

13.1.1 Sarbanes-Oxley Sections Relevant to IT Controls

The following briefly describes the sections of Sarbanes-Oxley that relate to auditors and IT controls.

13.1.1.1 Sections 103 and 802

These sections establish rules for the public accounting firm relating to the audit and report. In particular, they require the board to establish standards for the audit work. They also require auditors to test the internal control structures and attest to the strength of those structures. This review must include a thorough examination of the IT controls that are fundamental to the system of internal control over financial reporting.

One specific requirement relates to the retention of records "that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets." Again, this is influenced greatly by the way in which IT records are maintained and retained.

13.1.1.2 Section 201

This section requires that external auditors be independent. This precludes them from performing work for a client in the capacity of IT consultants or providing outsourced internal audit services. Organizations that do not wish to employ their own IT auditors cannot outsource the work to their external auditors.

13.1.1.3 Section 301

Section 301 defines the need for audit committee members to be independent and precludes them from performing any other consulting work on behalf of the organization. It also requires audit committees to establish procedures to handle "confidential, anonymous submission by employees of the issuer of concerns regarding questionable accounting or auditing matters" (whistle-blower complaints). This would also relate to any issues arising from the control of IT.

13.1.1.4 Sections 302 and 404

GTAG — Appendix B — Compliance With Laws and Regulations and Guidance on Compliance Implementation — 13

Section 302 of the act requires the CEO and CFO — who are responsible for financial information and the system of internal controls — to evaluate the system of internal controls every 90 days and report on their conclusions and any changes.

They must disclose:
• "All significant deficiencies in the design or operation of internal controls that could adversely affect the issuer's ability to record, process, summarize, and report financial data, and identify for the issuer's auditors any material weaknesses in internal controls."
• "Any fraud, whether or not material, that involves management or other employees who have a significant role in the issuer's internal controls."

Section 404 requires the CEO and CFO to produce an annual audit report that:
• Assesses the effectiveness of the internal control structure over financial reporting.
• Discloses all known internal control weaknesses.
• Discloses all known frauds.

This report will cover all applicable IT controls, including program logic and related change controls, access controls, and data protection. The PCAOB Auditing Standard No. 2 suggests the COSO Internal Control – Integrated Framework as a basis for Section 404 compliance management. References to Statement of Auditing Standards (SAS) 95 also emphasize the importance of IT and information security controls to Sarbanes-Oxley.

13.1.1.5 Section 409

Section 409 requires organizations to disclose any material changes to operations in real time and in plain English. Some contend these requirements establish a foundation or need for continuous monitoring, auditing, and assurance processes to become part of significant internal control processes.

13.2 Basel II Accord
The Basel II Accord is a global regulatory treaty that defines the global standards for enterprisewide risk management practices in the financial sector, with the intent to mitigate risks of losses in the industry. The focus is on the banking sector, but there is a clear intent to harmonize standards across all segments of the industry. All areas of bank operations are included — people, processes, systems, governance, and supplier management.

A bank willing to qualify for the Advanced Measurement Approach (AMA) under the Operational Risk (OR) Treaty must implement best practice in operations and risk management. For risk management, this means:
• Senior management is actively involved.
• The bank has an OR management system, processes, policies, and procedures enterprisewide.
• The bank has the right governance and sufficient resources to manage operational risks.
• The bank has an OR management function that is responsible for:
  – Designing and implementing the OR management framework.
  – Codifying policies, procedures, and controls.
  – Designing and implementing an OR measurement methodology.
  – Designing and implementing an OR management reporting system.
  – Developing strategies to identify, measure, monitor, and control or mitigate OR.
• An OR measurement system is closely integrated into the day-to-day risk management process.
• The OR exposures and loss experiences are regularly reported.
• The OR management system is documented.
• Internal and external auditors regularly review the OR management processes and measurement system.

Key to success in OR management is an information system that supports OR exposure self-assessment, allows process mapping, consists of an OR loss database and reporting function, and entails an action-plan management function.

The Basel Committee does not specify the approach or distributional assumptions to be used to generate the OR measure for regulatory capital purposes. However, the framework allows for three basic approaches that essentially are dependent on the quality and quantity of risk management data. Whereas using more data and historical metrics to prove good performance may allow banks to maintain less capital reserves and to quantify OR, the banks must be able to demonstrate that their approaches capture potentially severe "tail" loss events (severe, unexpected losses). Moreover, consistency with the scope of OR as defined by the Basel Committee is required.

First, a bank's organization-wide risk assessment methodologies must capture key business, environmental, and internal control factors that can change its OR profile. In addition, the bank should have a process for assessing overall capital adequacy.

Next, the risk measurement system must be granular enough to capture the tails of the loss estimates. Banks are expected to use expert opinion in conjunction with external data for scenario analysis to evaluate their exposure to high-severity events. Because a bank does not have enough of its own data in the area of high-impact, low-frequency risks, it must acquire data from an external provider such as Zurich-based ORX, Global Operational Loss Database (GOLD), or MORE Exchange.

The banks must have a credible, transparent, well-documented, and verifiable approach for weighting these fundamental elements in their overall OR measurement system. There are additional prerequisites to qualify for the AMA:
• Internal loss and performance data — successes, near misses, and failures — all must be tracked and accounted for (reconciled to the books of the bank).


• Internal loss data must be linked to the bank's current business activities.
• An observation period of at least five years is required for internal loss data, with a minimum of three years necessary when moving to AMA.
• According to the internal loss collection process:
  – OR losses related to credit risk and historically included in banks' credit risk databases continue to be treated as credit risk for the purpose of calculating minimum regulatory capital under this framework. Such losses should be flagged separately.
  – OR losses related to market risk are treated as OR for the purposes of calculating minimum regulatory capital under this framework and are subject to the OR capital charge.
• The OR measurement system must use relevant external data.

Third, Basel II disclosure requires banks to describe their risk management objectives and policies for each separate risk area, including:
• Strategies and processes.
• Structure and organization of the risk management function.
• Scope and nature of risk reporting.
• Policies for hedging and mitigating risks (including operations).

Note: The BITS Key Risk Measurement Tool for Information Security Operational Risks, or "BITS Kalculator" (http://www.bitsinfo.org/bitskalculatorjuly04.pdf), is a tool financial institutions of all sizes can use to evaluate critical information security risks to their businesses. It can be downloaded at no cost from the BITS Web site (http://www.bitsinfo.org/wp.html).

13.3 Data Protection
The concept of data protection was developed when computerization issues were raised at United Nations and OECD conferences in the late 1960s. The first national law was enacted in 1974 in Sweden, and the OECD published its Data Protection Guidelines in 1980 (OECD C (80) 58 final). Regional bodies like the Council of Europe (Data Protection Convention 108/1981, human rights-based) and the European Commission (EC) (Directive 95/46/EC, consumer protection-oriented) have enacted binding frameworks for implementation in their member states. Depending on their legal system, many countries around the globe have constitutional provisions and omnibus laws or a broad spectrum of sector regulations for data protection. To bridge the differences in U.S. and European Union (EU) privacy regulations, the EC and the U.S. Department of Commerce developed a safe harbor framework for U.S. companies. The safe harbor is a framework agreement consisting of seven principles and a series of frequently asked questions. (See also http://www.was4.hewitt.com/hewitt/resource/legislative_updates/europe/eu_data1.htm.)

The EU legislation requires organizations to protect the personal information of individuals. The legislation also mandates that appropriate technical measures be taken to ensure the security of personal data, whether electronic or manual. Further information regarding data protection can be found at the Electronic Privacy Information Center (EPIC) (http://www.epic.org), Privacy International (http://www.privacyinternational.org), and the U.K. Office of the Information Commissioner (http://www.informationcommissioner.gov.uk).

13.4 The U.S. Gramm-Leach-Bliley Act (GLBA) – The Financial Modernization Act of 1999

The GLBA was introduced to protect the privacy of customer information in the financial sector, but it extends beyond financial companies. Any company that handles non-public financial customer information may be held accountable under this law, depending on the circumstances. More information is available from EPIC (http://www.epic.org/privacy/glba) and the U.S. Federal Trade Commission (http://www.ftc.gov/bcp/conline/pubs/buspubs/glblong.shtm#whois).

13.5 U.S. Health Insurance Portability and Accountability Act (HIPAA) 1996

HIPAA contains requirements for the privacy of personal information and for information security. The law applies to U.S.-based companies in the health care sector, but can also pertain to any company that provides health care benefits to employees, depending on the circumstances. Further details can be found at http://www.hipaa.org.

13.6 California Security Breach Information Act, Civil Code Sections 1798.29 and 1798.82 (Frequently Referenced by the Bill – CA SB 1386)

California's State Bill 1386 amended the Information Practices Act of 1977 of the California Civil Code to create a sweeping regulation that mandates public disclosure of computer-security breaches in which confidential information of any California resident may have been compromised. Every enterprise — public or private — doing business with California residents is potentially affected. Confidential information covered by the law includes Social Security numbers, California driver's license numbers, account numbers, and credit or debit card numbers. A more detailed article on this regulation can be found at http://www.theiia.org/itaudit/index.cfm?fuseaction=forum&fid=5501. Although case law for this legislation is not cited here, some discussions on the subject have indicated the courts may not view an organization's statement favorably if it treats its California customers differently from its other customers.


13.7 Global National Regulations
Many countries have national regulations covering internal control, including Germany (KonTraG, risk management requirement) and France (LSF, internal control reporting requirement). In addition, external auditors may be required to certify the adequacy of financial reporting mechanisms and controls. Although most of these regulations do not address IT directly, they imply the need for an adequately controlled IT infrastructure. For this reason, many national bodies of the International Federation of Accountants (IFAC) provide detailed guidance for evaluating IT controls.

GTAG – Appendix C – Three Categories of IT Knowledge for Internal Auditors – 14


14.1 Auditor Knowledge Considerations
Standard 1210 – Proficiency of The IIA's Standards requires that the internal audit activity collectively should possess or obtain the knowledge, skills, and other competencies needed to perform its responsibilities.[4] Varying levels of IT knowledge are needed throughout the organization to provide a systematic, disciplined approach to evaluating and improving the effectiveness of risk management, control, and governance processes. Knowledge of how IT is used, the related risks, and the ability to use IT as a resource in the performance of audit work is essential for auditor effectiveness at all levels.

The IIA's International Advanced Technology Committee has identified three categories of IT knowledge for internal auditors.

14.1.1 Category 1 – All Auditors

Category 1 is the knowledge of IT needed by all professional auditors, from new recruits up through the CAE. Basic IT knowledge encompasses understanding concepts such as the differences in software used in applications, operating systems and systems software, and networks. It includes comprehending basic IT security and control components such as perimeter defenses, intrusion detection, authentication, and application system controls. Basic knowledge includes understanding how business controls and assurance objectives can be impacted by vulnerabilities in business operations and the related and supporting systems, networks, and data components. It is fundamentally about ensuring that auditors have sufficient knowledge to focus on understanding IT risks without necessarily possessing significant technical knowledge.

14.1.2 Category 2 – Audit Supervisors

Category 2 applies to the supervisory level of auditing. In addition to having basic IT knowledge, audit supervisors must understand IT issues and elements sufficiently to address them in audit planning, testing, analysis, reporting, follow-up, and assigning auditor skills to the elements of audit projects. Essentially, the audit supervisor must:
• Understand the threats and vulnerabilities associated with automated business processes.
• Understand business controls and risk mitigation that should be provided by IT.
• Plan and supervise audit tasks to address IT-related vulnerabilities and controls, as well as the effectiveness of IT in providing controls for business applications and environments.
• Ensure the audit team has sufficient competence — including IT proficiency — for audits.
• Ensure the effective use of IT tools in audit assessments and testing.
• Approve plans and techniques for testing controls and information.
• Assess audit test results for evidence of IT vulnerabilities or control weaknesses.
• Analyze symptoms detected and relate them to causes that may have their sources in business or IT planning, execution, operations, change management, authentication, or other risk areas.
• Provide audit recommendations based on business assurance objectives appropriate to the sources of problems noted, rather than simply reporting on problems or errors detected.

14.1.3 Category 3 – Technical IT Audit Specialists

Category 3 applies to the technical IT audit specialist. Although IT auditors may function at the supervisory level, they must understand the underlying technologies supporting business components and be familiar with the threats and vulnerabilities associated with the technologies. IT auditors also may specialize in only certain areas of technology.

IIA programs and products are designed primarily to meet the information needs of the Category 1 and 2 auditor. The Category 1 auditor will seek IIA guidance in relating IT threats, vulnerabilities, and controls to business assurance objectives. IIA products also provide information that can be useful in explaining the business impacts of technical problems. In addition, IIA products can help Category 3 technical IT auditors gain proficiency in areas of technology with which they are not already familiar and in striving to reach supervisory or management audit competence.

The SANS Institute provides information security training and awards Global Information Assurance Certification (GIAC) relevant to information security professionals, including auditors. The course offerings and accompanying certifications match the growing demands of students, new threats, and new technologies. GIAC certifications (http://www.giac.org/subject_certs.php) are grouped by subject matter and level of difficulty. Some are full certifications that accompany five- to six-day training courses, while others are certificates related to one- to two-day courses. Certificates are less involved but more intensely focused than certifications.

Also of interest and benefit to all categories of IT auditor are the materials provided by the Information Systems Audit and Control Association (ISACA). ISACA offers standards, guidelines, and procedures for IT audit professionals; technical research focused on IT audit topics; the Certified Information Systems Auditor (CISA) certification, earned by more than 35,000 individuals worldwide; and publications, education, and conferences targeted to IT audit professionals.

[4] Note: The "Three Categories of IT Knowledge for Internal Auditors" document is not part of The IIA's Standards but is practical guidance provided by The IIA's International Advanced Technology Committee.

GTAG — Appendix D — Compliance Frameworks — 15


15.1 COSO
Formed in 1985, COSO is an independent private-sector initiative that studied the factors that can lead to fraudulent financial reporting and developed recommendations for public companies and their independent auditors, the SEC and other regulators, and educational institutions. COSO produced the Internal Control – Integrated Framework (Appendix E, see page 36), a widely accepted tool for both management and auditors, in September 2004, and it published Enterprise Risk Management – Integrated Framework in fall 2004. Details of both frameworks can be found at http://www.coso.org.

15.2 CICA CoCo
The Canadian Institute of Chartered Accountants (CICA) produced the Criteria of Control Framework (CoCo) in 1992 to address public and institutional concerns that the traditional view of control was no longer effective in preventing corporate failures. The mission of CoCo is to improve organizational performance and decision making through better understanding of control, risk, and governance. Moreover, the framework provides a basis for making judgments about the effectiveness of control.

In 1995, Guidance on Control was produced, which describes the CoCo framework and defines control in a way that goes beyond the traditional internal control over financial reporting. The CoCo model is a way of focusing on the future of an organization to ensure it is in control by having a clear sense of shared purpose, collective commitment to achieve that purpose, the resources it needs to do the job, and the ability to learn from experience.

15.3 CICA IT Control Guidelines
The IT Control Guidelines, published by the CICA, is a reference source for evaluating IT controls. It is organized in a manner that is easy to use and written in straightforward business language.

15.4 ITGI Control Objectives for Information and Related Technology (CobiT)

Established in 1998, the IT Governance Institute (ITGI) provides guidance on current and future issues related to IT governance, security, and assurance. The ITGI's leading guidance publication is Control Objectives for Information Technology (CobiT) (see Appendix F). ITGI's CobiT provides a reference framework and common language across the entire information systems life cycle for IS and business leaders and IS audit, control, and security practitioners. CobiT is one of the most popular and internationally accepted sets of guidance materials for IT governance.

15.5 ISO 17799 (Code of Practice for Information Security Management)

ISO/IEC 17799:2000(E), promulgated by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), defines information security principles that ultimately can provide assurance to trading partners and regulators that an organization's information is protected properly. Derived from the British Standards Institution's BS 7799 standard, the Code of Practice for Information Security Management is built around specific security elements required within 10 areas, including physical and environmental security, communication and operational management, and access control. Although, as a code of practice, ISO/IEC 17799:2000 provides guidance and recommendations, it is not intended to be a specification, and care should be taken to ensure that claims of compliance are not misleading.

The original BS 7799 standard has two parts:
• Part 1 is the Code of Practice and is identical to ISO/IEC 17799:2000.
• Part 2 is a specification for implementing an information security management system (ISMS).

To comply with BS 7799 Part 2 (BS 7799-2:2002), an organization's installed ISMS must conform to the set of requirements described in the standard, which are in the form of "shall" statements. Third-party bodies have been accredited to certify or register organizations to BS 7799-2:2002.

15.5.1 What Is Information Security?

BS 7799 treats information as an asset which, like other important business assets, has value to an organization and consequently needs to be protected. Information security protects information from a wide range of threats to ensure business continuity, minimize business damage, and maximize return on investments and business opportunities.

Information can exist in many forms: printed or written on paper, stored electronically, transmitted by post or using electronic means, shown on films, or spoken in conversation. Whatever form the information takes, or means by which it is shared or stored, BS 7799 indicates that it always should be protected appropriately.

Information security is characterized within BS 7799 as the preservation of:
• Confidentiality – ensuring that information is accessible only to those authorized to have access.
• Integrity – safeguarding the accuracy and completeness of information and processing methods.
• Availability – ensuring that authorized users have access to information and associated assets when required.

Information security is achieved by implementing a suitable set of controls from BS 7799, which could be policies, practices, procedures, organizational structures, and software functions. These controls should be established to ensure the specific security objectives of the organization are met.

15.5.2 How to Establish Security Requirements

BS 7799 states that it is essential that an organization identify its security requirements. There are three main sources:

• Assessing risks to the organization (BS 7799 does not prescribe a methodology).
• The legal, statutory, regulatory, and contractual requirements that an organization, its trading partners, contractors, and service providers have to satisfy.
• The particular set of principles, objectives, and requirements for information processing that an organization has developed to support its operations.

15.5.3 Assessing Security Risks

BS 7799 suggests that security requirements be identified by a methodical assessment of security risks. Expenditure on controls should be balanced against the business harm likely to result from security failures. The process of assessing risks and selecting controls may need to be performed a number of times to cover different parts of the organization or individual information systems, and it is important to review security risks and implemented controls periodically.

15.5.4 Selecting Controls

Once security requirements have been identified, controls from BS 7799 should be selected and implemented to ensure risks are reduced to an acceptable level. Controls should be selected based on the cost of implementation in relation to the risks being reduced and the potential losses if a security breach occurs. Nonmonetary factors such as loss of reputation should also be taken into account. For more information on BS 7799, see http://www.bs7799-iso17799.com.

15.5.5 Topics Addressed in BS 7799

1. Scope
2. Terms and definitions
3. Security policy
   3.1 Information security policy document
   3.2 Review and evaluation
4. Security organization
   4.1 Information security infrastructure
   4.2 Security of third-party access
   4.3 Outsourcing
5. Asset classification and control
   5.1 Accountability for assets
   5.2 Information classification
6. Personnel security
   6.1 Security in job definition and resourcing
   6.2 User training
   6.3 Responding to security incidents and malfunctions
7. Physical and environmental security
   7.1 Secure areas
   7.2 Equipment security
   7.3 General control
8. Communications and operations management
   8.1 Operational procedures and responsibilities
   8.2 System planning and acceptance
   8.3 Protection against malicious software
   8.4 Housekeeping
   8.5 Network management
   8.6 Media handling and security
   8.7 Exchanges of information and software
9. Access control
   9.1 Business requirement for access control
   9.2 User access management
   9.3 User responsibilities
   9.4 Network access control
   9.5 Operating system access control
   9.6 Application access control
   9.7 Monitoring system access and use
   9.8 Mobile computing and teleworking
10. Systems development and maintenance
   10.1 Security requirements of systems
   10.2 Security in application systems
   10.3 Cryptographic controls
   10.4 Security of system files
   10.5 Security in development and support processes
11. Business continuity management
   11.1 Business continuity management process
12. Compliance
   12.1 Compliance with legal requirements
   12.2 Reviews of security policy and technical compliance
   12.3 System audit considerations

15.6 ISF Standard of Good Practice for Information Security

The Information Security Forum (ISF) Standard of Good Practice for Information Security aims at managing the risks associated with every aspect of information systems, irrespective of an organization's market sector, size, or structure. The standard, prepared by ISF's global working groups, is a publicly available document split into five key areas: security management, critical business applications, computer installations, networks, and systems development. For more information and details, see http://www.isfsecuritystandard.com.

15.7 Generally Accepted Information Security Principles (GAISP)

The Generally Accepted Information Security Principles (GAISP) culls best practice from all other similar frameworks. Developed in 1991 as the Generally Accepted System Security Principles, GAISP provides a comprehensive hierarchy of guidance for securing information and supporting technology, including:
• Pervasive Principles – board-level guidance.
• Broad Functional Principles – designed for executive-level information management (exposure draft distributed September 1999).


• Detailed Principles – guidance for operational information security management (under development).

GAISP is now being developed by the Information Systems Security Association (ISSA) (http://www.issa.org), which can provide details.

15.7.1 Pervasive Principles

The Pervasive Principles address the confidentiality, integrity, and availability of information. They provide general guidance to establish and maintain the security of information and supporting technology.

• Accountability Principle – Information security accountability and responsibility must be defined clearly and acknowledged.
Rationale – Accountability characterizes the ability to audit the actions of all parties and processes that interact with information. Roles and responsibilities should be clearly defined, identified, and authorized at a level commensurate with the sensitivity and criticality of information. The relationship between all parties, processes, and information must be defined clearly, documented, and acknowledged by all parties. All parties must have responsibilities for which they are held accountable.

• Awareness Principle – All parties with a need to know, including but not limited to information owners and information security practitioners, should have access to available principles, standards, conventions, or mechanisms for securing information and information systems, and should be informed of applicable threats to the security of information.
Rationale – This principle applies between and within organizations. Awareness of information security principles, standards, conventions, and mechanisms enhances and enables controls and can help to mitigate threats. Awareness of threats and their significance also increases user acceptance of controls. Without awareness of the necessity for particular controls, users can pose a risk to information by ignoring, bypassing, or overcoming existing control mechanisms. The awareness principle applies to unauthorized and authorized parties.

• Ethics Principle – Information should be used, and information security should be administered, in an ethical manner.
Rationale – Information systems pervade our societies. Rules and expectations are evolving with regard to the appropriate provision and use of information systems and the security of information. Use of information and information systems should match the expectations established by social norms and obligations.

• Multidisciplinary Principle – Principles, standards, conventions, and mechanisms for securing information and information systems should address the considerations and viewpoints of all interested parties.
Rationale – Information security is achieved by the combined efforts of information owners, users, custodians, and information security personnel. Decisions made with due consideration of all relevant viewpoints and technical capabilities can enhance information security and receive better acceptance.

• Proportionality Principle – Information security controls should be proportionate to the risks of modification, denial of use, or disclosure of information.
Rationale – Security controls should be commensurate with the value and vulnerability of information assets. Consider the value, sensitivity, and criticality of the information, as well as the probability, frequency, and severity of direct and indirect harm or loss. This principle recognizes the value of approaches to information security ranging from prevention to acceptance.

• Integration Principle – Principles, standards, conventions, and mechanisms for the security of information should be coordinated and integrated with each other and with the organization's policies and procedures to create and maintain security throughout an information system.
Rationale – Many information security breaches involve the compromise of more than one safeguard. The most effective control measures are components of an integrated system of controls. Information security is most efficient when planned, managed, and coordinated throughout the organization's system of controls and the life of the information.

• Timeliness Principle – All accountable parties should act in a timely, coordinated manner to prevent or respond to breaches of, and threats to, the security of information and information systems.
Rationale – Organizations should be able to coordinate and act swiftly to prevent or mitigate threat events. This principle recognizes the need for the public and private sectors to jointly establish mechanisms and procedures for rapid and effective threat-event reporting and handling. Access to threat-event history could support effective response to threat events and may help prevent future incidents.

Figure 7 – Security Management

• Assessment Principle – The risks to information and information systems should be assessed periodically.
Rationale – Information and security requirements vary over time. Organizations periodically should assess the information, its value, and the probability, frequency, and severity of direct and indirect harm or loss. Periodic assessment identifies and measures the variances from available and established security measures and controls, such as those articulated in the GAISP, as well as the risk associated with such variances. It also enables accountable parties to make informed information risk management decisions about accepting, mitigating, or transferring the identified risks, with due consideration of cost effectiveness.

• Equity Principle – Management shall respect the rights and dignity of individuals when setting policy and when selecting, implementing, and enforcing security measures.
Rationale – Information security measures implemented by an organization should not infringe upon the obligations, rights, and needs of legitimate users, owners, and others affected by the information when exercised within the legitimate parameters of the mission objectives.

15.8 AICPA/CICA Trust Services Principles and Criteria

The American Institute of Certified Public Accountants (AICPA) Assurance Services Executive Committee and the CICA Assurance Services Development Board developed the Trust Services Principles and Criteria to address the risks and opportunities of IT. Trust Services Principles and Criteria set out broad statements of principles and identify specific criteria that should be achieved to meet each principle. The principles are broad statements of objectives. Criteria are benchmarks used to measure and present the subject matter, and against which the practitioner can evaluate the subject matter. In the Trust Services Principles and Criteria, the criteria are supported by a list of illustrative controls. The Trust Services Principles and Criteria are organized into four broad areas:

• Policies – The organization has defined and documented its policies⁵ relevant to the particular principle.

• Communications – The organization has communicated its defined policies to authorized users.

• Procedures – The organization uses procedures to achieve its objectives in accordance with its defined policies.

• Monitoring – The organization monitors the system and takes action to maintain compliance with its defined policies.

Following are summaries of the Trust Services Security, Availability, Processing Integrity, Privacy, Confidentiality, and Certification Authority Principles and Criteria. The Trust Services Principles and Criteria can be used to deliver branded SysTrust and WebTrust engagements, which are assurance services designed for a wide variety of IT-based systems. Upon attainment of an unqualified assurance report, the organization would be entitled to display a SysTrust or WebTrust Seal and accompanying auditor's report. In addition, the framework can be used to provide advisory and consulting services. For a detailed listing of the Trust Services Principles and Criteria, see http://www.aicpa.org/trustservices.

15.8.1 Security Principle – The system is protected against unauthorized access (both physical and logical)

In e-commerce and other systems, the respective parties must ensure that information provided is available only to those individuals who need access to complete the transaction or services, or to follow up on questions or issues that may arise. Information provided through these systems is susceptible to unauthorized access during transmission and while it is stored on the other party's systems. Limiting access to the system components helps prevent potential abuse of the system, theft of resources, misuse of software, and improper access to or use, alteration, destruction, or disclosure of information. Key elements for protecting system components include permitting authorized access and preventing unauthorized access to those components.

15.8.2 Availability Principle – The system is available for operation and use as committed or agreed

The availability principle refers to the accessibility to the system, products, or services as advertised or committed by contract or by service-level and other agreements. This principle does not, in itself, set a minimum-acceptable performance level for system availability. Instead, the minimum performance level is established by mutual agreement (contract) between the parties.

Although system availability, functionality, and usability are connected, the availability principle does not address system functionality (the specific functions a system performs) and system usability (the ability of users to apply system functions to specific tasks or problems). It does address system availability, which relates to whether or not the system is accessible for processing, monitoring, and maintenance.

⁵ The term policies refers to written statements that communicate management's intent, objectives, requirements, responsibilities, and standards for a particular subject. Some policies may be described explicitly as such, being contained in policy manuals or similarly labeled documents. However, some policies may be contained in documents without such explicit labeling, including, for example, notices or reports to employees or outside parties.

⁶ Although some privacy regulations use the term principle, the term component is used in the AICPA/CICA Trust Services Principles and Criteria Framework to represent that concept, because the term principle previously has been defined in the Trust Services literature.

15.8.3 Processing Integrity Principle – System processing is complete, accurate, timely, and authorized

Processing integrity exists if a system performs its intended function in an unimpaired manner, free from unauthorized or inadvertent manipulation. Completeness generally indicates that all transactions and services are processed or performed without exception, and that transactions and services are not processed more than once. Accuracy includes assurances that key information associated with the submitted transaction will remain accurate throughout the processing of the transaction, and that the transaction or services are processed or performed as intended. The timeliness of the provision of services or the delivery of goods is addressed in the context of commitments made for such delivery. Authorization includes assurances that processing is performed in accordance with the required approvals and privileges defined by policies governing system processing.

The risks associated with processing integrity are that the party initiating the transaction will not complete the transaction or provide the service correctly and in accordance with the desired or specified request. Without appropriate processing-integrity controls, the buyer may not receive the goods or services ordered, may receive more than requested, or may receive the wrong goods or services altogether. However, if appropriate processing-integrity controls exist and are operational within the system, the buyer can be reasonably assured of receiving the correct goods and services, in the correct quantity and price, by the promised date. Processing integrity addresses all of the system components, including procedures to initiate, record, process, and report the information, product, or service that is the subject of the engagement. The nature of data input in e-commerce systems typically involves the user entering data directly over Web-enabled input screens or forms, whereas in other systems the nature of data input can vary significantly. Because of this difference in data-input processes, the nature of controls over the completeness and accuracy of data input in e-commerce systems may be somewhat different than for other systems.

Processing integrity differs from data integrity because it does not imply automatically that the information stored by the system is complete, accurate, current, and authorized. If a system processes information from sources outside of the system's boundaries, an organization can establish only limited controls over the completeness, accuracy, authorization, and timeliness of the information submitted for processing. Errors that may have been introduced into the information and control procedures at external sites typically are beyond the organization's control. When the information source is excluded explicitly from the description of the system that defines the engagement, it is important to detail that exclusion in the system description. In other situations, the data source may be an inherent part of the system being examined, and controls over the completeness, accuracy, authorization, and timeliness of information submitted for processing would be included in the scope of the system as described.
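The following is an added example, not part of the GTAG or of the AICPA/CICA criteria, showing what the four processing-integrity properties look like as application controls in an order-posting step. Each refusal reason maps to one property: a retried submission with an id that has already been posted is refused (completeness, "not processed more than once"), submitted prices are checked against an authoritative catalogue (accuracy), submissions outside an agreed freshness window are refused (timeliness), and the approver's role must carry authority for the amount (authorization). The control totals at the end are the kind of reconciliation an auditor would perform: every submitted order is accounted for as either posted or rejected. The catalogue, approval limits, 15-minute window, and sample orders are all constructed assumptions for the illustration.

```python
# Added example (not from the GTAG or any vendor code). Catalogue prices,
# approval limits, the freshness window and the sample orders are assumptions.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

CATALOGUE = {"SKU-100": 25.00, "SKU-200": 140.00}       # authoritative prices (assumed)
APPROVAL_LIMIT = {"clerk": 500.00, "manager": 5000.00}   # per-role authority (assumed)
MAX_AGE = timedelta(minutes=15)                          # timeliness commitment (assumed)
SAMPLE_NOW = datetime(2005, 3, 1, 12, 0, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Order:
    order_id: str         # unique id supplied by the submitter; reused on retries
    sku: str
    quantity: int
    unit_price: float     # price as submitted, to be checked against CATALOGUE
    role: str             # role of the approver who submitted the order
    submitted_at: datetime


@dataclass
class Processor:
    posted: dict = field(default_factory=dict)    # order_id -> amount actually posted
    rejected: list = field(default_factory=list)  # (order_id, reason) for every refusal

    def process(self, order: Order, now: datetime) -> bool:
        """Post one order, or record why it was refused. Returns True when posted."""
        reason = self._violation(order, now)
        if reason is not None:
            self.rejected.append((order.order_id, reason))
            return False
        self.posted[order.order_id] = order.quantity * order.unit_price
        return True

    def _violation(self, order: Order, now: datetime):
        # Completeness: a transaction is processed once and only once, so a
        # retried submission carrying an already-posted id is refused, not re-posted.
        if order.order_id in self.posted:
            return "duplicate"
        # Accuracy: key fields must agree with authoritative data, not merely
        # be well formed; a tampered or stale price is caught here.
        if order.sku not in CATALOGUE:
            return "unknown sku"
        if order.quantity <= 0:
            return "invalid quantity"
        if abs(order.unit_price - CATALOGUE[order.sku]) > 0.005:
            return "price mismatch"
        # Timeliness: honour the freshness commitment; refuse future-dated or
        # stale submissions rather than silently posting them.
        if order.submitted_at > now:
            return "future timestamp"
        if now - order.submitted_at > MAX_AGE:
            return "stale"
        # Authorization: the approver's role must carry authority for the amount.
        limit = APPROVAL_LIMIT.get(order.role)
        if limit is None:
            return "unknown role"
        if order.quantity * order.unit_price > limit:
            return "exceeds approval limit"
        return None


def batch_totals(submitted: list, proc: Processor) -> dict:
    """Control totals to reconcile: every submitted order must be accounted for
    as either posted or rejected, and the posted amount must be explainable."""
    return {
        "submitted": len(submitted),
        "posted": len(proc.posted),
        "rejected": len(proc.rejected),
        "posted_amount": round(sum(proc.posted.values()), 2),
    }


def sample_orders(now: datetime) -> list:
    """Constructed input: one good order, its retry, an over-limit order,
    a tampered price and a stale submission."""
    return [
        Order("A1", "SKU-100", 4, 25.00, "clerk", now - timedelta(minutes=1)),
        Order("A1", "SKU-100", 4, 25.00, "clerk", now - timedelta(minutes=1)),  # retry
        Order("A2", "SKU-200", 10, 140.00, "clerk", now - timedelta(minutes=2)),
        Order("A3", "SKU-200", 10, 140.00, "manager", now - timedelta(minutes=2)),
        Order("A4", "SKU-100", 2, 20.00, "clerk", now - timedelta(minutes=3)),
        Order("A5", "SKU-100", 1, 25.00, "clerk", now - timedelta(minutes=30)),
    ]


def run_sample(now: datetime = SAMPLE_NOW) -> Processor:
    proc = Processor()
    for order in sample_orders(now):
        proc.process(order, now)
    return proc


if __name__ == "__main__":
    proc = run_sample()
    print("posted:", proc.posted)
    print("rejected:", proc.rejected)
    print("totals:", batch_totals(sample_orders(SAMPLE_NOW), proc))
```

Running the sample posts A1 and A3, refuses the retry of A1 as a duplicate, A2 for exceeding the clerk's limit, A4 for a price mismatch and A5 as stale; the totals show six submitted, two posted, four rejected, so the batch reconciles. Note that the posting step itself records the authoritative catalogue price, so a submitter cannot alter the amount by editing the form, which is the accuracy assurance the text describes.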

15.8.4 Privacy Principle and Components – Personal information is collected, used, retained, and disclosed in conformity with the commitments in the organization's privacy notice and with the AICPA/CICA Trust Services Privacy Criteria

The Privacy Principle contains 10 components⁶ and related criteria that are essential to the proper protection and management of personal information. These privacy components and criteria are based on fair information practices included in privacy laws and regulations of various jurisdictions around the world and many recognized good privacy practices. The privacy components are:

• Management – The organization defines, documents, communicates, and assigns accountability for its privacy policies and procedures.

• Notice – The organization provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained, and disclosed.

• Choice and consent – The organization describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use, and disclosure of personal information.

• Collection – The organization collects personal information only for the purposes identified in the notice.

• Use and retention – The organization limits the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent. The organization retains personal information only as long as necessary to fulfill the stated purposes.

• Access – The organization provides individuals with access to their personal information for review and update.

• Disclosure to third parties – The organization discloses personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual.

• Security – The organization protects personal information against unauthorized access, both physical and logical.

• Quality – The organization maintains accurate, complete, and relevant personal information for the purposes identified in the notice.

• Monitoring and enforcement – The organization monitors compliance with its privacy policies and procedures and has processes to address privacy-related complaints and disputes.

15.8.5 Confidentiality Principle – Information designated as "confidential" is protected as committed or agreed

The confidentiality principle focuses on information designated "confidential." There is no widely recognized definition of confidential information, unlike personally identifiable information, which many countries currently are defining through regulation. In the course of communicating and transacting business, partners often exchange information they require to be maintained on a confidential basis. In most instances, the respective parties wish to ensure that the information they provide is available only to those individuals who need access to complete the transaction or resolve any questions that arise. To enhance business partner confidence, it is important to inform the partner about the organization's confidentiality practices, including those for providing authorized access to, use of, and sharing of information designated as confidential.

Information that may be subject to confidentiality includes:

• Transaction details
• Engineering drawings
• Business plans
• Banking information about businesses
• Inventory availability
• Bid or ask prices
• Price lists
• Legal documents
• Client and customer lists
• Revenue by client and industry

Unlike personal information, there are no defined rights for accessing confidential information to ensure its accuracy and completeness. Interpretations of what is considered confidential information can vary significantly from business to business and are driven by contractual arrangements in most cases. As a result, those engaged in business relationships need to understand what information will be maintained on a confidential basis and what, if any, rights of access or other expectations an organization might have for updating that information to ensure its accuracy and completeness.

Information that is provided to another party is susceptible to unauthorized access during transmission and while it is stored on the other party's computer systems. For example, an unauthorized party may intercept business partner profile information and transaction and settlement instructions while they are being transmitted. Controls such as encryption can be used to protect the confidentiality of this information during transmission, while firewalls and rigorous access controls can help protect the information while it is stored on computer systems.

15.8.6 Certification Authority (CA) Principle

The certification authority discloses its key and certificate life cycle-management, business, and information privacy practices, and provides its services in accordance with these practices. This includes the concepts of CA business-practice disclosures, service integrity, and environmental controls.

15.9 IIA Systems Assurance and Control (SAC)

The IIA provides the SAC model. The SAC model sets the stage for effective technology risk management by giving companies a framework to guide an evaluation of the e-business control environment. SAC recognizes the importance of governance, both within an organization and between business partners, to ensure effective security, auditability, and control of information. SAC provides current information to understand, monitor, assess, and mitigate technology risks. SAC examines risks in all business system components, including customers, competitors, regulators, and partners. Full details of the model can be found at http://www.theiia.org/eSAC/index.cfm, with a detailed discussion of the model at www.theiia.org/itaudit/index.cfm?fuseaction=forum&fid=411.

15.10 Corporate Governance

15.10.1 OECD Principles of Corporate Governance

The OECD Principles of Corporate Governance, amended in April 2004, set out a framework for good practice that has been agreed to by all 30 OECD member countries and has become a generally accepted standard (http://www.oecd.org/corporate). Originally issued in 1999, the principles are designed to assist governments and regulatory bodies in drawing up and enforcing effective rules, regulations, and codes of corporate governance. In parallel, they provide guidance for stock exchanges, investors, companies, and others that have a role in the process of developing good corporate governance. Although the OECD principles do not provide specific guidance on IT controls, other OECD units provide further guidance and research on information security and privacy.

15.10.2 EU Commission

The European Commission's Action Plan on Company Law and Corporate Governance was released in May 2003 to strengthen corporate governance mechanisms in public interest entities. (For details, see http://europa.eu.int/comm/internal_market/company/index_en.htm.) The EU's Corporate Governance initiatives do not address IT issues specifically, but activities of the Information Society

GTAG – Appendix E – Assessing IT Controls Using COSO – 16


The COSO Internal Control – Integrated Framework is recognized as a formal model for the purpose of Sarbanes-Oxley attestation by the SEC and provides a hierarchical categorization of controls. In addition, the audit standard from the PCAOB states:

"Because of the frequency with which management of public companies is expected to use COSO as the framework for the assessment, the directions in the standard are based on the COSO framework. Other suitable frameworks have been published in other countries and likely will be published in the future. Although different frameworks may not contain exactly the same elements as COSO, they should have elements that encompass all of COSO's general themes."

The COSO model was refined and enhanced during 2004 through development of the COSO Enterprise Risk Management – Integrated Framework (http://www.coso.org). This appendix describes the earlier framework, which is the version referenced for regulatory compliance. Nonetheless, the CAE should investigate the Enterprise Risk Management – Integrated Framework.

16.1 COSO Definition of Internal Control

COSO defines internal control (http://www.coso.org/key.htm) as "a process, effected by an organization's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations"

These distinct but overlapping categories address different needs, such that each requires a directed focus. The first category addresses an entity's basic business objectives, including performance and profitability goals and safeguarding of resources, which are impacted greatly by the use of IT.

The second category relates to the preparation of reliable published financial statements, including interim and condensed financial statements, as well as earnings releases and other selected publicly reported financial data derived from such statements. IT systems frequently produce such reports, and the controls over these systems play a major part in the level of internal control.

The third category deals with complying with those laws and regulations to which the entity is subject.

Internal control systems operate at different levels of effectiveness. Internal control can be judged effective in each of the three categories if the board of directors and management have reasonable assurance that:

• They understand the extent to which the entity's operations objectives are being achieved.
• Published financial statements are being prepared reliably.
• There is compliance with applicable laws and regulations.

Although internal control is a process, its effectiveness is a state or condition of the process at one or more points in time.

16.2 COSO Internal Control – Integrated Framework

Internal control consists of five interrelated components that are derived from the way management runs a business and are integrated with the management process. Although the components apply to all entities, small and mid-size organizations may implement them differently than large enterprises. A small organization's controls may be less formal and less structured, yet it can still have effective internal control. The components are:

16.2.1 Control Environment

The control environment sets the tone for an organization, influencing the control consciousness of its people, establishing the foundation for all other components of internal control, and providing discipline and structure. Control environment factors include the integrity, ethical values, and competence of the entity's people; management's philosophy and operating style; the way management assigns authority and responsibility and organizes and develops its people; and the attention and direction provided by the board of directors.

16.2.2 Risk Assessment

Every entity faces a variety of risks from external and internal sources that must be assessed. A precondition to risk assessment is the establishment of objectives that are linked at different levels and are consistent internally. Risk assessment identifies and analyzes the relevant risks to achieving these objectives and forms a basis for determining how the risks should be managed. Because economic, industry, regulatory, and operating conditions will continue to change, organizations need mechanisms to identify and deal with the special risks associated with change.

16.2.3 Control Activities

Control activities are the policies and procedures that help ensure management directives are carried out and that necessary actions are taken to address risks to achieving these objectives. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets, and segregation of duties.

16.2.4 Information and Communication

Pertinent information must be identified, captured, and communicated in a form and time frame that enables people to perform their responsibilities. Information systems produce reports containing operational, financial, and compliance-related information that make it possible to run and control the business. They deal not only with internally generated data, but also with information about external events, activities, and conditions necessary for informed business decision-making and external reporting. Effective communication must also occur in a broader sense, flowing down, across, and up the organization. All personnel must receive a clear message from top management that control responsibilities have to be taken seriously. They need to understand their own role in the internal control system, as well as how individual activities relate to the work of others. They must have a means of communicating significant information upstream. There also needs to be effective communication with external parties, such as customers, suppliers, regulators, and shareholders.

16.2.5 Monitoring

Internal control systems need to be monitored to assess the quality of their performance over time. This is accomplished through ongoing monitoring activities, separate evaluations, or a combination of the two. Ongoing monitoring occurs in the course of operations and includes regular management and supervisory activities and other actions personnel take in performing their duties. The scope and frequency of separate evaluations will depend primarily on an assessment of risks and the effectiveness of ongoing monitoring procedures. Internal control deficiencies should be reported upstream, with serious matters reported to top management and the board.

There is synergy and linkage among the components, forming an integrated system that reacts dynamically to changing conditions. The internal control system is intertwined with the entity's operating activities and exists for fundamental business reasons. Internal control is most effective when controls are built into the entity's infrastructure and are a part of the essence of the enterprise. Built-in controls support quality and empowerment initiatives, avoid unnecessary costs, and enable quick response to changing conditions.

There is a direct relationship between the three COSO categories of objectives (effectiveness, reliability, compliance), which are what an entity strives to achieve, and the components needed to achieve the objectives. All components are relevant to each objectives category. When looking at any one category, the effectiveness and efficiency of operations, for instance, all five components must be present and functioning effectively to conclude that internal control over operations is effective.

The internal control definition, with its underlying fundamental concepts of a process effected by people and providing reasonable assurance, together with the categorization of objectives, the components and criteria for effectiveness, and the associated discussions, constitute this internal control framework.

GTAG – Appendix F – ITGI Control Objectives for Information and Related Technology (CobiT) – 17


Organizations must satisfy the quality, fiduciary, and security requirements for their information, as for all assets. Management must also optimize the use of available resources, including data, application systems, technology, facilities, and people. To discharge these responsibilities, as well as to achieve its objectives, management must establish an adequate system of internal control. Thus, an internal control system or framework must be in place to support the business processes, and it must be clear how each individual control activity satisfies the information requirements and impacts the resources. Impact on IT resources is highlighted in the CobiT framework, together with the business requirements for effectiveness, efficiency, confidentiality, integrity, availability, compliance, and reliability of information that need to be satisfied. Control, which includes policies, organizational structures, practices, and procedures, is management's responsibility. Management, through its corporate and IT governance, must ensure that due diligence is exercised by all individuals involved in the management, use, design, development, maintenance, or operation of information systems.

Business orientation is the main theme of CobiT. It is designed not only to be employed by users and auditors, but also, and more importantly, as a comprehensive checklist for business process owners. Increasingly, business practice involves the full empowerment of business process owners, so they have total responsibility for all aspects of the business process. In particular, this includes providing adequate controls. The CobiT framework provides a tool for the business process owner that facilitates the discharge of this responsibility. The framework starts from a simple and pragmatic premise: in order to provide the information that the organization needs to achieve its objectives, IT resources need to be managed by a set of naturally grouped processes.

CobiT continues with a set of 34 high-level control objectives, one for each of the IT processes, grouped into four domains: Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate.

Plan and Organize – This domain covers strategy and tactics and concerns the identification of the way IT can best contribute to the achievement of business objectives.

1 Define a strategic IT plan
2 Define the information architecture
3 Determine the technological direction
4 Define the IT organization and relationships
5 Manage the IT investment
6 Communicate management aims and direction
7 Manage human resources
8 Ensure compliance with external requirements
9 Assess risks
10 Manage projects
11 Manage quality

Acquire and Implement – To realize the IT strategy, IT solutions need to be identified, developed or acquired, as well as implemented and integrated into the business process. In addition, changes in and maintenance of existing systems are covered by this domain, to make sure that the life cycle is continued for these systems.

12 Identify automated solutions13 Acquire and maintain application software14 Acquire and maintain technology architecture15 Develop and maintain IT procedures16 Install and accredit systems17 Manage changes

Deliver and Support – This domain is concerned with the actual delivery of required services, which range from traditional operations over security and continuity aspects to training. This domain includes the actual processing of data by application systems.

18. Define and manage service levels
19. Manage third-party services
20. Manage performance and capacity
21. Ensure continuous service
22. Ensure systems security
23. Identify and allocate costs
24. Educate and train users
25. Assist and advise IT customers
26. Manage the configuration
27. Manage problems and incidents
28. Manage data
29. Manage facilities
30. Manage operations

Monitor and Evaluate – All IT processes need to be assessed regularly over time for their quality and compliance with control requirements. This domain thus addresses management's oversight of the organization's control process and independent assurance provided by internal and external auditing or obtained from alternative sources.

31. Monitor the processes
32. Assess internal control adequacy
33. Obtain independent assurance
34. Provide for independent audit

This structure covers all aspects of information and the technology that supports it. By addressing these 34 high-level control objectives, the business process owner can ensure that an adequate control system is provided for the IT environment.

CobiT is comprised of:

• An executive summary, which provides an overview of CobiT's issues and foundational premise.
• CobiT framework, which describes in detail the high-level IT control objectives and identifies the business requirements for information and IT resources primarily impacted by each control objective.
• Control objectives: statements of the desired results or purposes to be achieved by implementing the specific, detailed control objectives.
• Audit guidelines: suggested audit steps corresponding to each of the IT control objectives.

Copyright © 2000 by ITGI and reprinted with the permission of the ITGI. No other right or permission is granted with respect to this work.

GTAG – Appendix F – ITGI Control Objectives for Information and Related Technology (CobiT) – 17


• An implementation tool set, which provides lessons learned from those organizations that successfully applied CobiT in their work environments, and several tools to help management assess their control environment related to information and IT resources.
• Management guidelines, which are composed of maturity models, to help determine the stages and expectation levels of control; critical success factors, to identify the most important actions for achieving control over the IT processes; key goal indicators, to define target levels of performance; and key performance indicators, to measure whether an IT control process is meeting its objective.

Designated by the IT Governance Institute (ITGI) and ISACA as an open standard, this portion of COBIT may be downloaded from http://www.itgi.org and http://www.isaca.org.

CobiT, now in its third edition and available in hard copy or interactive online format (CobiT Online), increasingly is accepted internationally as good practice for control over information, IT, and related risks. Its guidance enables an enterprise to implement effective governance over the IT that is pervasive and intrinsic throughout the enterprise.


The following metrics descriptions are taken from the Corporate Information Security Working Group (CISWG) draft report of the Best Practices and Metrics teams, November 17, 2004. During Phase I of the CISWG, convened in November 2003 by Rep. Adam Putnam (R-FL), the Best Practices team surveyed available information security guidance. It concluded in its March 2004 report [7] that much of this guidance is expressed at a relatively high level of abstraction and therefore is not useful immediately as actionable guidance without significant, and often costly, elaboration. A one-page listing of Information Security Program Elements, regarded as essential content for comprehensive enterprise management of information security, was created, upon which it was hoped future actionable guidance could be built for use by a wide variety of organizations.

The Best Practices and Metrics teams of CISWG Phase II, convened in June 2004, were charged with expanding on the work of Phase I by refining the Information Security Program Elements and developing metrics to support each of the elements. The goal was to develop a resource that would help board members, managers, and technical staff establish a comprehensive structure of principles, policies, processes, controls, and performance metrics to support the people, process, and technology aspects of information security.

These generic metrics can be used as the basis for determining regular reporting requirements for the audit committee, although they are not meant to be a "one-size-fits-all" solution. The full set of draft metrics, along with explanatory notes and descriptions, can be found under the "Technology" section of http://www.theiia.org.

The Information Security Program Elements and Supporting Metrics are intended to enable boards, management, and technical staff to monitor the status and progress of their organization's information security program over time. Each organization should thoughtfully consider which program elements and metrics might be helpful in its own circumstances. It should then set its own implementation priorities and establish an appropriate policy, process, and control structure. Larger and more complex organizations will create policies, processes, and controls in each program element that inevitably will be more extensive than those a smaller organization might choose to implement.

18.1 Metrics for Boards of Directors/Trustees

Establishing a competent information security program requires board members to devote attention to certain program elements. Board members can use the following metrics as part of their information security responsibilities. Board members generally should find the best target value for each metric – higher or lower – to be self-evident.

• Oversee risk management and compliance programs pertaining to information security.
  – Percentage of key information assets for which a comprehensive strategy has been implemented to mitigate information security risks as necessary and to maintain these risks within acceptable thresholds.
  – Percentage of key organizational functions for which a comprehensive strategy has been implemented to mitigate information security risks as necessary and to maintain these risks within acceptable thresholds.
  – Percentage of key external requirements for which the organization has been deemed to be in compliance by an objective audit or other means.
• Approve and adopt broad information security program principles and approve assignment of key managers responsible for information security.
  – Percentage of information security program principles for which approved policies and controls have been implemented by management.
  – Percentage of key information security management roles for which responsibilities, accountabilities, and authority are assigned and required skills identified.
• Strive to protect the interests of all stakeholders who depend on information security.
  – Percentage of board meetings and/or designated committee meetings for which information security is on the agenda.
  – Percentage of security incidents that caused damage, compromise, or loss beyond established thresholds to the organization's assets, functions, or stakeholders.
  – Estimated damage or loss in dollars resulting from all security incidents in each of the past four reporting periods.
• Review information security policies regarding strategic partners and other third parties.
  – Percentage of strategic partner and other third-party relationships for which information security requirements have been implemented in agreements.
• Strive to ensure business continuity.
  – Percentage of organizational units with an established business-continuity plan.
• Review provisions for internal and external audits of the information security program.
  – Percentage of required internal and external audits completed and reviewed by the board.
  – Percentage of audit findings that have not been resolved.
• Collaborate with management to specify the information security metrics to be reported to the board.

GTAG – Appendix G – Example IT Control Metrics to Be Considered by Audit Committees – 18

[7] http://reform.house.gov/TIPRC

18.2 Metrics for Management

The following program elements and metrics are intended to help management implement the information security goals and policies established by the board as part of an effective information security program.

• Establish information security management policies and controls, and monitor compliance.
  – Percentage of information security program elements for which approved policies and controls are operational.
  – Percentage of staff assigned responsibilities for information security policies and controls who have acknowledged accountability for their responsibilities in connection with those policies and controls.
  – Percentage of information security policy compliance reviews that noted violations.
  – Percentage of business-unit heads and senior managers who have implemented operational procedures to ensure compliance with approved information security policies and controls.
• Assign information security roles, responsibilities, and required skills, and enforce role-based information-access privileges.
  – Percentage of new employees hired this reporting period who satisfactorily completed security-awareness training before being granted network access.
  – Percentage of employees who have completed periodic security-awareness refresher training as required by policy.
  – Percentage of position descriptions that define the information security roles, responsibilities, skills, and certifications for:
    + Security managers and administrators
    + IT personnel
    + General staff/system users
  – Percentage of job performance reviews that evaluate information security responsibilities and policy compliance.
  – Percentage of user roles, systems, and applications that comply with the separation-of-duties principle.
  – Number of individuals with access to security software who are not trained and authorized security administrators.
  – Number of individuals who are able to assign security privileges for systems and applications who are not trained and authorized security administrators.
  – Percentage of users whose access privileges have been reviewed this reporting period, including:
    + Employees with high-level system and application privileges
    + All other employees
    + Contractors
    + Vendors
    + Terminated employees and contractors
  – Percentage of users who have undergone background checks.
• Assess information risks, establish risk thresholds, and actively manage risk mitigation.
  – Percentage of critical information assets and information-dependent functions for which some form of risk assessment has been performed and documented as required by policy.
  – Percentage of critical assets and functions for which the cost of compromise – loss, damage, disclosure, or disruption of access – has been quantified.
  – Percentage of identified risks that have a defined risk mitigation plan against which status is reported in accordance with policy.
• Ensure implementation of information security requirements for strategic partners and other third parties.
  – Percentage of known information security risks that are related to third-party relationships.
  – Percentage of critical information assets or functions to which third-party personnel have been given access.
  – Percentage of third-party personnel with current information access privileges who a designated authority has deemed to have continued need for access in accordance with policy.
  – Percentage of systems with critical information assets or functions that are connected to third-party systems electronically.
  – Percentage of security incidents that involve third-party personnel.
  – Percentage of third-party agreements that include or demonstrate external verification of policies and procedures.
  – Percentage of third-party relationships that have been reviewed for compliance with information security requirements.
  – Percentage of out-of-compliance review findings that have been corrected since the last review.
• Identify and classify information assets.
  – Percentage of information assets that have been reviewed and classified by the designated owner in accordance with the classification scheme established by policy.
  – Percentage of information assets with defined access privileges that have been assigned based on role and in accordance with policy.
  – Date when the asset inventory was last updated.
• Implement and test business-continuity plans.
  – Percentage of organizational units with a documented business-continuity plan for which specific responsibilities have been assigned.
  – Percentage of business-continuity plans that have been reviewed, exercised and tested, and updated in accordance with policy.
• Approve information systems architecture during acquisition, development, operations, and maintenance.
  – Percentage of information security risks related to systems architecture identified in the most recent risk assessment that have been mitigated adequately.
  – Percentage of system architecture changes – additions, modifications, or deletions – that were reviewed for security impacts, approved by the appropriate authority, and documented via change-request forms.
  – Percentage of critical information assets or functions residing on systems that are out of compliance with the approved systems architecture.
• Protect the physical environment.
  – Percentage of critical organizational information assets and functions that have been reviewed from the perspective of physical risks, such as controlling physical access and physical protection of backup media.
  – Percentage of critical organizational information assets and functions exposed to physical risks for which risk mitigation actions have been implemented.
  – Percentage of critical assets that have been reviewed from the perspective of environmental risks, such as temperature, fire, and flooding.
  – Percentage of servers in locations with controlled physical access.
  – Percentage of information security requirements of applicable laws and regulations that are included in the internal and external audit program and schedule.
  – Percentage of information security audits conducted in compliance with the approved internal and external audit program and schedule.
  – Percentage of management actions in response to audit findings and recommendations that were implemented as agreed upon regarding timeliness and completeness.
• Collaborate with security personnel to specify the information security metrics to be reported to management.
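Several of the access-privilege metrics above (separation-of-duties compliance, the count of privilege assigners who are not authorized security administrators, and review coverage by user category) can be computed mechanically from an identity-system extract rather than estimated by questionnaire. The following is an added worked example, not code from the guide or the CISWG report: the user records, role names, reporting period, and the list of conflicting role pairs are all constructed for illustration.

```python
"""Added example: three of the management metrics listed above, computed from a
constructed access-review extract. Nothing here is taken from the GTAG or CISWG
material; the data, role names and conflicting-role policy are illustrative."""
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set

# Constructed policy: role combinations that violate separation of duties.
TOXIC_ROLE_PAIRS = {
    frozenset({"ap_invoice_entry", "ap_payment_release"}),
    frozenset({"dev_code_commit", "prod_deploy"}),
    frozenset({"user_admin", "audit_log_admin"}),
}

# Constructed: the only staff who are trained and authorized security administrators.
AUTHORIZED_SECURITY_ADMINS = {"u1001", "u1002"}

# Assumption: the reporting period is the first calendar quarter of 2005.
PERIOD_START, PERIOD_END = date(2005, 1, 1), date(2005, 3, 31)


@dataclass
class UserRecord:
    user_id: str
    category: str                 # privileged / employee / contractor / terminated
    roles: Set[str]
    can_assign_privileges: bool   # can grant privileges in systems or applications
    last_access_review: Optional[date]


def sod_violations(roles: Set[str]) -> List[frozenset]:
    """Conflicting role pairs that are both present in one user's role set."""
    return [pair for pair in TOXIC_ROLE_PAIRS if pair <= roles]


def pct(numerator: int, denominator: int) -> float:
    """Percentage rounded to one decimal; 0.0 when there is nothing to count."""
    return round(100.0 * numerator / denominator, 1) if denominator else 0.0


def sod_compliance_pct(users: List[UserRecord]) -> float:
    """Percentage of users whose role set contains no conflicting pair."""
    compliant = sum(1 for u in users if not sod_violations(u.roles))
    return pct(compliant, len(users))


def unauthorized_privilege_assigners(users: List[UserRecord]) -> List[str]:
    """Users who can assign privileges but are not authorized security admins."""
    return sorted(u.user_id for u in users
                  if u.can_assign_privileges
                  and u.user_id not in AUTHORIZED_SECURITY_ADMINS)


def review_coverage_by_category(users: List[UserRecord]) -> Dict[str, float]:
    """Percentage of users per category whose privileges were reviewed this period."""
    total: Counter = Counter()
    reviewed: Counter = Counter()
    for u in users:
        total[u.category] += 1
        if u.last_access_review and PERIOD_START <= u.last_access_review <= PERIOD_END:
            reviewed[u.category] += 1
    return {c: pct(reviewed[c], total[c]) for c in sorted(total)}


def management_metrics(users: List[UserRecord]) -> dict:
    """The three metrics, ready to drop into a management report."""
    return {
        "sod_compliance_pct": sod_compliance_pct(users),
        "unauthorized_privilege_assigners": unauthorized_privilege_assigners(users),
        "review_coverage_pct": review_coverage_by_category(users),
    }


# Constructed access-review extract (eight users across four categories).
CONSTRUCTED_USERS = [
    UserRecord("u1001", "privileged", {"user_admin"}, True, date(2005, 2, 10)),
    UserRecord("u1002", "privileged", {"audit_log_admin"}, True, date(2005, 1, 15)),
    UserRecord("u2001", "employee", {"ap_invoice_entry", "ap_payment_release"}, False, date(2004, 11, 30)),
    UserRecord("u2002", "employee", {"ap_invoice_entry"}, False, date(2005, 3, 1)),
    UserRecord("u2003", "employee", {"dev_code_commit", "prod_deploy"}, True, None),
    UserRecord("u3001", "contractor", {"dev_code_commit"}, False, date(2005, 2, 20)),
    UserRecord("u3002", "contractor", {"prod_deploy"}, True, None),
    UserRecord("u4001", "terminated", {"ap_payment_release"}, False, None),
]

if __name__ == "__main__":
    for name, value in management_metrics(CONSTRUCTED_USERS).items():
        print(f"{name}: {value}")
```

On the constructed data the separation-of-duties metric comes out at 75.0 percent (two of eight users hold a conflicting pair), two users can assign privileges without being authorized administrators, and review coverage differs sharply by category, which is the reason the metric above is broken down by employee type rather than reported as a single figure.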


GTAG – Appendix H – CAE Checklist – 19


1. Identify the IT control environment of the organization, including:
   a. Values
   b. Philosophy
   c. Management style
   d. IT awareness
   e. Organization
   f. Policies
   g. Standards

2. Identify relevant legislation and regulation impacting IT control, such as:
   a. Governance
   b. Reporting
   c. Data protection
   d. Compliance

3. Identify the roles and responsibilities for IT control in relation to:
   a. Board of directors
      i. Audit committee
      ii. Risk committee
      iii. Governance committee
      iv. Finance committee
   b. Management
      i. CEO
      ii. CFO and controller
      iii. CIO
      iv. CSO
      v. CISO
      vi. CLC
      vii. CRO
   c. Audit
      i. Internal Audit
      ii. External Audit

Action Questions

1. Do corporate policies and standards that describe the need for IT controls exist?
2. What legislation exists that impacts on the need for IT controls?
3. Has management taken steps to ensure compliance with this legislation?
4. Have all the relevant responsibilities for IT controls been allocated to individual roles?
5. Is the allocation of responsibilities compatible with the need to apply division of duties?
6. Are IT responsibilities documented?
7. Are IT control responsibilities communicated to the whole organization?
8. Do individual role holders clearly understand their responsibilities in relation to IT controls?
9. What evidence is there of individual role holders exercising their responsibilities?
10. Does internal auditing employ sufficient IT audit specialists to address the IT control issues?

CAEs can use this checklist to examine their IT control framework to ensure the organization has addressed all control elements. The checklist can help the CAE understand the issues and plan for full internal audit coverage of the control areas.


4. Identify the risk assessment process. Does it cover:
   a. Risk appetite
   b. Risk tolerances
   c. Risk analysis
   d. Matching risks to IT controls

5. Identify all monitoring processes, including:
   a. Regulatory
   b. Normal in-house
   c. Other than internal auditing

6. Identify information and communication mechanisms:
   a. Control information
   b. Control failures

11. How is the risk appetite and tolerance of the organization determined?
12. Is the risk appetite and tolerance of the organization authorized at board level?
13. Is the risk appetite and tolerance clearly understood by all those with a responsibility for IT control?
14. Is a formal risk analysis process used by the organization?
15. Is the process understood by all those with responsibility for IT control?
16. Is the process used consistently throughout the organization?
17. What processes exist to monitor compliance with all relevant legislation plus internal policies and standards?
18. Are there monitoring processes carried out by management outside of internal audit?
19. What metrics are provided to the board of directors, its committees, and management in relation to IT security?
20. What additional reports are provided to the board of directors and to management on a regular basis?
21. Is management always provided with reports when there are IT control failures?
22. Do the board of directors and its committees receive similar reports of IT control failures?


GTAG – Appendix I – References – 20


The following list of information security reference material is taken from a list compiled by the CISWG of the Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census, and the Government Reform Committee of the US House of Representatives. The full list can be found at http://www.reform.house.gov/TIPRC or under the "Technology" section of http://www.theiia.org. The documents are classified into three sections relating to governance, management, and technical issues.

20.1 Governance

Board Briefing on IT Governance, ITGI, http://www.itgi.org/Template_ITGI.cfm?Section=ITGI&CONTENTID=6658&TEMPLATE=/ContentManagement/ContentDisplay.cfm

Information Security Governance: Guidance for Boards of Directors and Executive Management, ITGI, http://www.itgi.org

Information Security Management and Assurance: Three-report series from The IIA, National Association of Corporate Directors (NACD), US Critical Infrastructure Assurance Office, et al., http://www.theiia.org/esac/index.cfm?fuseaction=or&page=rciap

Information Security Oversight: Essential Board Practices, NACD, http://www.nacdonline.org/publications/pubDetails.asp?pubID=138&user=6158BBEB9D7C4EE0B9E4B98B601E3716

IT Governance Implementation Guide, ISACA, http://www.isaca.org/Template.cfm?Section=Browse_By_Topic&Template=/Ecommerce/ProductDisplay.cfm&ProductID=503

Turnbull Report – Internal Control – Guidance for Directors on the Combined Code, Institute of Chartered Accountants in England & Wales, http://www.icaew.co.uk/index.cfm?AUB=TB2I_6242,MNXI_47896

20.2 Management

BS 7799 – Parts 1 & 2, Code of Practice for Information Security Management, British Standards Institution, http://www.bsi.org.uk

Common Sense Guide for Senior Managers, Internet Security Alliance, www.isalliance.org

Corporate Information Security Evaluation for CEOs, TechNet, http://www.technet.org/cybersecurity

Generally Accepted Information Security Principles (GAISP), Information Systems Security Association. Currently available: Generally Accepted Systems Security Principles (GASSP), consisting of Pervasive Principles and Broad Functional Principles; Detailed Principles are under development. http://www.issa.org/gaisp/gaisp.html

Generally Accepted Principles and Practices (GAPP), NIST SP 800-18, "Guide for Developing Security Plans for Information Technology Systems," December 1998 (Marianne Swanson & Barbara Guttman): eight generally accepted principles (see OECD) and "Common IT Security Practices." http://csrc.nist.gov/publications/nistpubs/index.html

ICC Handbook on Information Security Policy for Small to Medium Enterprises, International Chamber of Commerce (ICC), http://www.iccwbo.org/home/e_business/word_documents/SECURITY-final.pdf

IFAC International Guidelines on Information Technology Management – Managing Information Technology Planning for Business Impact, International Federation of Accountants, http://www.ifac.org

Information Security for Executives, Business and Industry Advisory Committee to the OECD and ICC, http://www.iccwbo.org/home/e_business/word_documents/SECURITY-final.pdf

ISO 17799 – Information Technology – Code of Practice for Information Security Management, International Organization for Standardization (ISO), http://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=33441&ICS1=35&ICS2=40&ICS3

OECD Guidelines for the Security of Information Systems and Networks: nine pervasive principles for information security upon which several other guides are based, OECD, http://www.oecd.org/document/42/0,2340,en_2649_33703_15582250_1_1_1_1,00.html

Standard of Good Practice for Information Security, Information Security Forum, http://www.isfsecuritystandard.com/index_ie.htm

Trust Services Criteria (including SysTrust and WebTrust), American Institute of Certified Public Accountants, http://www.aicpa.org/trustservices

20.3 Technical Issues

Consensus Benchmarks, Center for Internet Security, http://www.cisecurity.org

DISA Security Technical Implementation Guides, http://www.csrc.nist.gov/pcig/cig.html


ISO 15408 Common Criteria, http://www.csrc.nist.gov/cc/ccv20/ccv2list.htm

ISO TR 13335 – Guidelines for the Management of Information Security, Parts 1-5, http://www.iso.org/iso/en/StandardsQueryFormHandler.StandardsQueryFormHandler

IT Baseline Protection Manual (P BSI 7152 E 1), Bundesamt für Sicherheit in der Informationstechnik, http://www.bsi.bund.de/gshb/english/menue.htm

ITCG Information Technology Control Guidelines, Canadian Institute of Chartered Accountants (CICA), http://www.cica.ca

NIST Configuration Guides, National Institute of Standards and Technology (NIST), http://www.csrc.nist.gov/pcig/cig.html

NIST 800-12, The Computer Security Handbook, NIST, http://www.csrc.nist.gov/publications/nistpubs/index.html

NIST 800-30, Risk Management Guide for Information Technology Systems, NIST, http://www.csrc.nist.gov/publications/nistpubs/index.html

NSA Configuration Guides, http://www.nsa.gov/snac

SANS Step-by-Step Guides, SANS Institute, http://www.store.sans.org

20.4 Auditing IT

Control Objectives for Information and Related Technologies (CobiT), ISACA, http://www.isaca.org

Federal Information Systems Controls Audit Manual (FISCAM), US Government Accountability Office, http://www.gao.gov

Information Technology Control Guidelines (ITCG), CICA, http://www.cica.ca

Systems Assurance and Control (SAC), IIA Research Foundation, http://www.theiia.org/eSAC

Systems Auditability and Control (SAC), IIA Research Foundation, http://www.theiia.org/eSAC


GTAG – Appendix J – Glossary – 21

A listing of technical terms used in the guide, with a simple, plain-English definition.

Application Control – A control related to the specific functioning of an application system that supports a specific business process. Common applications include accounts payable, inventory management, and general ledger. Integrated applications combine the functions of many business processes into integrated systems sharing common databases.

Assurance – The act of assuring; a declaration tending to inspire full confidence; that which is designed to give confidence.

CAE – Chief audit executive

CEO – Chief executive officer

CFO – Chief financial officer (and controller)

CIO – Chief information officer

CISO – Chief information security officer

CLC – Chief legal counsel

COSO – The Committee of Sponsoring Organizations of the Treadway Commission (the Commission on Fraudulent Financial Reporting). See http://www.coso.org.

CRM – Customer resource management

CSO – Chief security officer

Cyber attack – A criminal act perpetrated by the use of computers and telecommunications capabilities, resulting in violence, destruction, and/or disruption of services to create fear by causing confusion and uncertainty within a given population, with the goal of influencing a government or population to conform to a particular political, social, or ideological agenda.

Effective – Getting a job done with or without regard for efficiency. If the law requires you to do something, it probably does not require you to do it efficiently, as evidenced by Sarbanes-Oxley compliance and the frequent complaint that companies are spending huge sums with no apparent value added to the organization or stakeholders.

Efficient – To be efficient, a process or activity must also be effective. Information Technology Process Institute studies show that best-of-breed organizations enjoy considerable efficiencies by maintaining an effective set of control and monitoring practices and resolving the source of the problem rather than only responding to the symptoms.

Framework – A structure for organizing something (e.g., governance issues, controls) to highlight needs at the various levels of an organization, as well as for its activities and processes. A control framework is an outline that identifies the need for controls but does not depict how they are applied. Each organization and organizational unit provides a level of detail related to its own control objectives and control practices.

General control – A control that applies generally to the IT environment or overall mix of systems, networks, data, people, and processes (also known as IT infrastructure).

GLBA – US Gramm-Leach-Bliley Act

Governance – The combination of processes and structures implemented by the board to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives.

GTAG – Global Technology Audit Guide

HIPAA – US Health Information Portability and Accountability Act

Information asset – Information assets are based in the value of information to the worth and continued existence of the organization. A distinction is made between information assets and information resources, because information resources are generally considered to include the related human resources, and human resources are not considered to be owned by the organization.

Information resource – Includes all elements of the organization involved in information processing (e.g., acquisition, processing, communication, and storage), including the related hardware, software, processes, and personnel.

Information security – The concepts, techniques, technical measures, and administrative measures used to protect information assets from deliberate or inadvertent unauthorized acquisition, damage, disclosure, manipulation, modification, loss, or use.

Information technology (IT) – All the computer hardware and software used to process information and provide communications, the processes for administering and maintaining the technology, and the human resources associated with the use of technology.

ISO 17799 – Code of Practice for Information Security Management. See http://www.iso.org.

IT controls – Those controls that provide reasonable assurance of the secure, reliable, and resilient performance of hardware, software, processes, and personnel, as well as the reliability of the organization's information.

IT infrastructure – The overall IT environment, including systems, networks, data, people, and processes. Infrastructures can also include the interaction of businesses and industries in mutual support through shared media and services, such as the Internet, energy, financial services, utilities, government, and transportation. To the extent that infrastructures support national and regional economies, defenses, and business continuity, they are known as critical infrastructures.

ITPI – IT Process Institute. See http://www.itpi.org.

Public Company Accounting Oversight Board (PCAOB) – A board of the US Securities and Exchange Commission established by the Sarbanes-Oxley Act of 2002 as an oversight body for public financial reporting and auditing.

Risk appetite – Defined by COSO as "the degree of risk, on a broad-based level, that a company or other organization is willing to accept in pursuit of its goals. Management considers the organization's risk appetite first in evaluating strategic alternatives, then in setting objectives aligned with the selected strategy, and in developing mechanisms to manage the related risks."

Risk management – The ongoing identification, measurement, and mitigation of risk through the demonstrably cost-efficient implementation and administration of control over the known and knowable risks of threat events that can adversely affect the confidentiality, integrity, or availability of an organization's information assets.

Risk tolerance – Defined by COSO as "the acceptable level of variation relative to the achievement of objectives. In setting specific risk tolerances, management considers the relative importance of the related objectives and aligns risk tolerances with its risk appetite."


GTAG – Appendix K – About the Global Technology Audit Guides – 22


This IT controls guide is the first in a series of GTAGs, which will give CAEs and internal auditors a source of information for educating and informing themselves and others within the organization who have responsibilities related to IT control.

The GTAGs will provide guidance on a variety of IT topics. Each guide will describe the underlying technology facts and issues sufficiently to explain business opportunities, risks, and related controls and their impacts on the overall system of internal controls. Subjects to be addressed in the GTAG series will be determined by current and emerging technology areas and their potential ramifications for internal controls and assurance. Planned topics for guides include intrusion protection, security management, change management, wireless security, identity management, and authentication.

22.1 Parties to the GTAG Program

Each GTAG guide is developed through interaction with technical audit and security experts, audit executives, technology vendors, and the associations and individuals that represent board members, chief executives, financial executives, information technology professionals, and security executives. Involvement from The IIA's international affiliates and partners supports the global perspective of the guides. Other professionals representing specialized views, such as legal, insurance, regulatory, and standards, will be included as appropriate within individual GTAG projects.

The IIA is joined in this GTAG project by a specially selected team of professional associations, academic institutions, and practitioners in both auditing and technology. The IIA is grateful for the support provided by this team, as the guide would not have been possible without them. For The IIA to provide meaningful guidance to auditors about how to relate to audit customers, it is essential to gain agreement with the key representatives of those customers. To speak to a global audience, the guide needs consensus from a broad group representing many of the countries where internal auditors operate. So we thank both the individuals and the organizations who contributed so much to this guide.

23.1 IT Controls Advisory Council

The Advisory Council is made up of individuals who contributed to the development of this guide from the outset of planning the GTAG project, through design and development of the IT Controls Guide outline and various drafts, to the completion of the final product. These individuals went beyond the role of a volunteer support team to truly act in a leadership role.

Julia H. Allen, CMU/SEI, Carnegie-Mellon University / Software Engineering Institute

Michael R. Dickson, Business Technology Group LLC

Clint Kreitner, President/CEO, CIS, The Center for Internet Security

Alex Lajoux, NACD, National Association of Corporate Directors

Will Ozier, Vice Chair, the ISSA GAIS Committee; CEO & President, OPA Inc., The Integrated Risk Management Group, USA

Mark Salamasick, CIA, University of Texas at Dallas

Karyn Waller, AICPA, American Institute of Certified Public Accountants

23.2 Partner Organizations

AICPA – Michael R. Dickson, Karyn Waller, American Institute of Certified Public Accountants

CIS – Clint Kreitner, Center for Internet Security

CMU/SEI – Julia Allen, Bob Rosenstein, Carnegie-Mellon University / Software Engineering Institute

ISSA – Dave Cullinane, President; Bob Daniels, Exec. Vice President, Information Systems Security Association

NACD – Peter Gleason, Alex Lajoux, National Association of Corporate Directors

SANS Institute – Alan Paller, Director of Research; Stephen Northcutt, COO

23.3 Project Review Team

Peter Allor, ISS, Internet Security Systems

Jack Antonelli, ADP

Ken D. Askelson, CIA, JC Penney Co. Inc.

Becky Bace, Infidel Inc.

Kevin Behr, IPSI, Institute for Integrated Publication and Information Systems

Jeff Benson, BearingPoint

Robert S. Block, Chairman, 3D Business Tools, USA

Sylvia Boyd, The IIA

Alexandra Branisteanu, Information Security Officer, Scripps Health, San Diego, USA

Larry Brown, Options Clearing Corp.

Stephanie Bryant, University of South Florida

Phil Campbell, Specialized IT LLC, USA

John Carlson, BITS, Banking Industry Technology Secretariat

Chris Compton, Intrusion Labs

Guy Copeland, CSC, Computer Sciences Corp.

Rich Crawford, Vice President/Senior Security Advisor, Janus Risk Management, USA

Bob Daniels, EDS

Bob Dix, US House of Representatives

GTAG — Appendix L — GTAG Partners and Global Project Team — 23

Jerry E. Durant, CIA, President, Certifiable Technologies Ltd., Orlando, Fla., USA

Emily Frye, Critical Infrastructure Protections Program, George Mason University School of Law, USA

Greg Garcia, ITAA, Information Technology Association of America

Russ Gates, Dupage Consulting LLC

Lou Giles, Chevron Phillips Chemical Co.

Doug Guerrero, EDS

Kai Tamara Hare, Nuserve

Michael S. Hines, CIA, Purdue University

Bob Hirth, Protiviti

Don Holden, CISSP, Concordant Inc., USA

Dave Kern, Ethentica

Gene Kim, CTO, Tripwire Inc., USA

Jim Kolouch, BearingPoint

David Kowal, VP, JP Morgan Chase

Paul Kurtz, CSIA, Cyber Security Industry Alliance

Cindy LeRouge, PhD, Decision Sciences/MIS Department, John Cook School of Business, St. Louis University, USA

Andrée Lavigne, CICA, Canadian Institute of Chartered Accountants

Debbie Lew, Guidance Software

Brenda Lovell, CIA, CCSA, CGAP, The IIA

Warren Malmquist, Adolph Coors Co.

Stacy Mantzaris, CIA, IIA

Dennis Miller, Heritage Bank

Patrick Morrissey, Auditwire

Bruce Moulton, Symantec

Paul Moxey, ACCA, Association of Chartered Certified Accountants

Roseane Paligo, CIA, Chief Financial Officer, 1st Choice Community Federal Credit Union, USA

Fred Palmer, Palmer Associates

Xenia Parker, CIA, CFSA, VP, Enterprise Technology Group, Marsh Inc.

Bernie Plagman, TechPar Group

Heriot Prentice, MIIA, FIIA, QiCA, The IIA

Dick Price, Beacon IT Ltd., BS 7799 Consultancy, USA

Michael Quint, Corporate Compliance Officer, EDS Corporate Audit, USA

Sridhar Ramamoorti, CIA, CFSA, Ernst & Young LLP, Chicago, IL, USA

Amy Ray, Bentley College

Martin Ross, GSC, Global Security Consortium

Chip Schilb, EDS, USA

Howard Schmidt, eBay

Mark Silver, Symantec

George Spafford, President, Spafford Global Consulting, Saint Joseph, IL, USA

Adam Stone, Assurant

Jay H. Stott, CIA, Fidelity Investments

Dan Swanson, CIA, IIA

Jay R. Taylor, CIA, CISA, CFE, General Motors Corporation

Bill Tener, University & Community College System of Nevada

Archie Thomas

Fred Tompkins, BearingPoint

Don Warren, Rutgers University

Dominique Vincenti, CIA, The IIA

Mark Winn, Intrusec

Amit Yoran

23.4 IIA International Affiliates

Frank Alvern, CIA, CCSA, Nordea Bank, Norway

Alexandre Alves Apparecido, Brazil

Dror Aviv, Israel

David F. Bentley, England, UK and Ireland

Gerardo Carstens, CIA, IIA Argentina

Richard Cascarino, South Africa

Iftikhar Chaudry, Pakistan

Hisham T. El Gindy, Manager, KPMG Hazem Hassan, Egypt

Dr. Ulrich Hahn, CIA, Switzerland

Rossana S. Javier, Makati City, Philippines

Andras Kovacks, Hungary

Christopher McRostie, Australia

Furqan Ahmad Saleem, Partner, Avais Hyder Nauman Rizwani, RSM, Pakistan

Kyoko Shimizu, CIA, Japan

John Silltow, Security Control and Audit Ltd., United Kingdom

Ken Siong, International Federation of Accountants

Anton van Wyk, PwC, South Africa

Nick Wolanin, Adjunct Senior Lecturer, Australian Graduate

Julie Young, Australia

23.5 Other International

Carolee Birchall, Vice President and Senior Risk Officer, Bank of Montreal, Canada

P. J. Corum, Quality Assurance Institute Middle East and Africa, United Arab Emirates

Ariel Peled, President, ISSA Israeli Chapter

P. Shreekanth, India

Karen Woo, Selangor, Malaysia

23.6 IIA International Advanced Technology Committee

Anton van Wyk (Chairman), CIA, PricewaterhouseCoopers, South Africa

Alexandre Alves Apparecido, Brasil Telecom, Brazil

Ken D. Askelson, CIA, JC Penney Co. Inc., USA

Dror Aviv, CFSA, IIA Israel

Donald L. Bailey, Grant Thornton LLP, USA

E. W. Sean Ballington, PricewaterhouseCoopers LLP, USA (originally South Africa)

Norman F. Barber, Microsoft Corp., USA

David F. Bentley, QiCA, Consultant, England

Claude Cargou, GIE AXA, France

Michael P. Fabrizius, CIA, Bon Secours Health System Inc., USA

Ramiz Tofigi Ganizade, Azerbaijan Republic Chamber of Auditors, Azerbaijan

Douglas Guerrero, EDS Corp., USA

Dr. Ulrich Hahn, CIA, Syngenta International, Switzerland

David J. Hill, IBM Corp., USA

Michael S. Hines, CIA, Purdue University, USA

Mark J. Hornung, Ernst & Young LLP, USA

Gene Kim, CTO, Tripwire Inc., USA

David S. Lione, KPMG LLP, Southeast Region, USA

Peter B. Millar, ACL Services Ltd., Canada

Allan M. Newstadt, CIA, World Bank/International Finance Corp., USA

Brenda J. S. Putman, CIA, City Utilities of Springfield, USA


Kyoko Shimizu, CIA, Shin Nihon & Co., Japan

Brian M. Spindel, CIA, SecurePipe Inc., USA

Rajendra P. Srivastava, University of Kansas, USA

Jay Stott, CIA, Fidelity Investments, USA

Jay R. Taylor, CIA, CISA, CFE, General Motors Corp., USA

Thomas Jason Wood, CIA, Ernst & Young LLP, USA

Akitomo Yamamoto, IIA Japan

23.7 The Writing Team

David A. Richards, CIA, President, The IIA

Alan S. Oliphant, MIIA, QiCA, MAIR International

Charles H. Le Grand, CIA, CHL Global

23.8 IIA Headquarters Staff Production Team

Michael Feland

Trish Harris

Tim McCollum

Information Technology Controls

This guide focuses on how IT roles and responsibilities are dispersed throughout the organization, how accurate assessment of IT controls is achieved, and how an organization can promote IT reliability and efficiency.

What is GTAG?

Prepared by The Institute of Internal Auditors, each Global Technology Audit Guide (GTAG) is written in straightforward business language to address a timely issue related to information technology management, control, or security. GTAG is a ready resource series for chief audit executives to use in the education of members of the board and audit committee, management, process owners, and others regarding technology-associated risks and recommended practices.

Business Continuity Management

This GTAG focuses on how business continuity management (BCM) is designed to enable business leaders to manage the level of risk the organization could potentially encounter if a natural or man-made disruptive event that affects the extended operability of the organization were to occur. The guide includes disaster recovery planning for continuity of critical information technology infrastructure and business application systems.

Chief audit executives (CAEs) have been challenged to educate corporate executives on the risks, controls, costs, and benefits of adopting a BCM program. Although it is true that recent disasters around the world have motivated some corporate leaders to give attention to BCM programs, the implementation of such programs is far from universal. The key challenge is engaging corporate executives to make BCM a priority. Although most executives are likely to agree that BCM is a good idea, many will struggle to find the budget necessary to fund the program, as well as an executive sponsor that has the time to ensure its success. Business Continuity Management will help the CAE communicate business continuity risk awareness and support management in its development and maintenance of a BCM program.

Visit www.theiia.org/guidance/technology/gtag/gtag10 to rate this GTAG or submit your comments.

Order Number 100645. IIA Member US $25, Nonmember US $30, IIA Event US $22.50

www.theiia.org

ISBN 0-89413-570-8
ISBN 978-0-89413-623-8

Detective controls detect errors or incidents that elude preventive controls. For example, a detective control may identify account numbers of inactive accounts or accounts that have been flagged for monitoring of suspicious activities. Detective controls can also include monitoring and analysis to uncover activities or events that exceed authorized limits or violate known patterns in data that may indicate improper manipulation. For sensitive electronic communications, detective controls can indicate that a message has been corrupted or the sender's secure identification cannot be authenticated.

Corrective controls correct errors, omissions, or incidents once they have been detected. They vary from simple correction of data-entry errors to identifying and removing unauthorized users or software from systems or networks, to recovery from incidents, disruptions, or disasters.

Generally, it is most efficient to prevent errors or detect them as close as possible to their source to simplify correction. These corrective processes also should be subject to preventive and detective controls, because they represent another opportunity for errors, omissions, or falsification.

Many other control classifications described in this guide may be useful in assessing their effectiveness. For example, automated controls tend to be more reliable than manual controls, and nondiscretionary controls are more likely to be applied consistently than discretionary controls. Other control classifications include mandatory, voluntary, complementary, compensating, redundant, continuous, on-demand, and event-driven.

5.2 Governance, Management, Technical

Another common classification of controls is by the group responsible for ensuring they are implemented and maintained properly. For the purpose of assessing roles and responsibilities, this guide primarily categorizes IT controls as governance, management, and technical. Information security program elements for these three categories are described in Appendix A (page 25). The first two levels — governance and management — are the most applicable to the scope of this guide, although it may also be useful to understand how higher-level controls specifically are established within the technical IT infrastructures. Technical controls will be the subject of more topic-specific GTAGs.

5.2.1 Governance Controls

The primary responsibility for internal control resides with the board of directors in its role as keeper of the governance framework. IT control at the governance level involves ensuring that effective information management and security principles, policies, and processes are in place, and that performance and compliance metrics demonstrate ongoing support for that framework.

Governance controls are those mandated by and controlled by either the entire board of directors or a board committee, in conjunction with the organization's executive management. These controls are linked with the concepts of corporate governance, which are driven both by organizational goals and strategies and by outside bodies such as regulators.

An important distinction between governance and management controls is the concept of "noses in, fingers out." The board's responsibility involves oversight rather than actually performing control activities. For example, the audit committee of the board does no auditing, but it does oversee both the internal and external auditing of the organization.

5.2.2 Management Controls

Management responsibility for internal controls typically involves reaching into all areas of the organization, with special attention to critical assets, sensitive information, and operational functions. Consequently, close collaboration among board members and executive managers is essential. Management must make sure the IT controls needed to achieve the organization's established objectives are applied and ensure reliable and continuous processing. These controls are deployed as a result of deliberate actions by management to:

• Recognize risks to the organization, its processes, and assets.

• Enact mechanisms and processes to mitigate and manage risks (protect, monitor, and measure results).

5.2.3 Technical Controls

Technical controls form the foundation that ensures the reliability of virtually every other control in the organization. For example, by protecting against unauthorized access and intrusion, they provide the basis for reliance on the integrity of information — including evidence of all changes and their authenticity. These controls are specific to the technologies in use within the organization's IT infrastructures. The ability to automate technical controls that implement and demonstrate compliance with management's intended information-based policies is a powerful resource to the organization.

GTAG — Understanding IT Controls — 5

Figure 3 - Some Control Classifications

5.3 IT Controls – What to Expect

Individual control mechanisms a CAE can expect to find within the organization can be defined within the hierarchy of IT controls, from the overall high-level policy statements issued by management and endorsed by the board of directors down to the specific control mechanisms incorporated into application systems.

The hierarchy in Figure 4, IT Controls (this page), represents a logical "top-down" approach, both when considering controls to implement and when determining areas on which to focus audit resources during reviews of the entire IT operating environment. The different elements of the hierarchy are not mutually exclusive; they are all connected and can intermingle. Many of the control types within the elements are described below.

5.3.1 Policies

All organizations need to define their aims and objectives through strategic plans and policy statements. Without clear statements of policy and standards for direction, organizations can become disoriented and perform ineffectively. Organizations with clearly defined aims and objectives tend to be successful.

Because technology is vital to the operations of most organizations, clear policy statements regarding all aspects of IT should be devised and approved by management, endorsed by the board of directors, and communicated to all staff. Many different policy statements can be required, depending on the organization's size and the extent to which it deploys IT. For smaller organizations, a single policy statement may be sufficient, provided it covers all the relevant areas. Larger organizations that implement IT extensively will require more detailed and specific policies.

IT policy statements include, but are not restricted to:

• A general policy on the level of security and privacy throughout the organization. This policy should be consistent with all relevant national and international legislation and should specify the level of control and security required, depending on the sensitivity of the system and data processed.

• A statement on the classification of information and the rights of access at each level. The policy should also define any limitations on the use of this information by those approved for access.

• A definition of the concepts of data and systems ownership, as well as the authority necessary to originate, modify, or delete information. Without these guidelines, it is often difficult to coordinate change within large organizations because there may not be anyone designated to have overall responsibility for the data or systems.

• A general policy that defines the extent to which users can deploy intelligent workstations to create their own applications.

• Personnel policies that define and enforce conditions for staff in sensitive areas. This includes the positive vetting of new staff prior to joining the organization, carrying out annual credit checks, and having employees sign agreements accepting responsibility for the required levels of control, security, and confidentiality. This policy would also detail related disciplinary procedures.

• Definitions of overall business continuity planning requirements. These policies should ensure that all aspects of the business are considered in the event of a disruption or disaster — not just the IT elements.

A good source of IT and security policies is the SANS Security Policy Resource page (http://www.sans.org/resources/policies/intro), a consensus research project of the SANS Institute community. The project offers free resources for rapid development and implementation of information security policies, including policy templates for 24 important security requirements. Although the templates were compiled to help the people attending SANS training programs, SANS makes them available to the world because Internet security depends on vigilance by all participants.

Figure 4 – IT Controls

The Center for Internet Security (www.cisecurity.org) reports that applying controls consistently over system and network component configuration will protect the organization from more than 85 percent of the top vulnerabilities identified by the US National Institute of Standards and Technology (NIST), Federal Bureau of Investigation (FBI), SANS Institute, and Computer Security Institute (CSI).

5.3.2 Standards

Standards exist to support the requirements of policies. They are intended to define ways of working that achieve the required objectives of the organization. Adopting and enforcing standards also promotes efficiency, because staff are not required to reinvent the wheel every time a new business application is built or a new network is installed. Standards also enable the organization to maintain the whole IT operating environment more efficiently.

Large organizations with significant resources are in a position to devise their own standards. On the other hand, smaller organizations rarely have sufficient resources for this exercise. There are many sources of information on standards and best practice, some of which are listed in Appendix I (see page 45).

As a guideline, the CAE should expect to see standards adopted for:

• Systems Development Processes – When organizations develop their own applications, standards apply to the processes for designing, developing, testing, implementing, and maintaining systems and programs. If organizations outsource application development or acquire systems from vendors, the CAE should ascertain that agreements require the providers to apply standards consistent with the organization's standards or acceptable to the organization.

• Systems Software Configuration – Because systems software provides a large element of control in the IT environment, standards related to secure system configurations, such as the CIS Benchmarks from the Center for Internet Security, are beginning to gain wide acceptance by leading organizations and technology providers. The way products such as operating systems, networking software, and database management systems are configured can either enhance security or create weaknesses that can be exploited.

• Application Controls – All applications which support business activities need to be controlled. Standards are necessary for all applications the organization develops or purchases that define the types of controls that must be present across the whole range of business activities, as well as the specific controls that should apply to sensitive processes and information.

• Data Structures – Having consistent data definitions across the full range of applications ensures disparate systems can access data seamlessly and security controls for private and other sensitive data can be applied uniformly.

• Documentation – Standards should specify the minimum level of documentation required for each application system or IT installation, as well as for different classes of applications, processes, and processing centers.

As with policies, standards should be approved by management, should be written in clear and understandable language, and should be made available to all who implement them.

5.3.3 Organization and Management

Organization and management plays a major role in the whole system of IT control, as it does with every aspect of an organization's operations. An appropriate organization structure allows lines of reporting and responsibility to be defined and effective control systems to be implemented.

5.3.3.1 Separation of Duties

Separation of duties is a vital element of many controls. An organization's structure should not allow responsibility for all aspects of processing data to rest upon one individual or department. The functions of initiating, authorizing, inputting, processing, and checking data should be separated to ensure no individual can both create an error, omission, or other irregularity and authorize it and/or obscure the evidence. Separation-of-duties controls for application systems are provided by granting access privileges only in accordance with job requirements for processing functions and accessing sensitive information.

Traditional separation of duties within the IT environment is divided between systems development and operations. Operations should be responsible for running production systems — except for change deployment — and should have little or no contact with the development process. This control includes restrictions preventing operators from accessing or modifying production programs, systems, or data. Similarly, systems development personnel should have little contact with production systems. By assigning specific roles during implementation and other change processes to both the personnel responsible for application systems and those responsible for operations, appropriate separation of duties can be enforced. In large organizations, many other functions should be considered to ensure appropriate separation of duties, and these controls can be quite detailed. For example, privileged accounts such as the Administrator group in Windows and Super User in UNIX can modify log entries, access any file, and in many cases act as any user or role. It is important to restrict the number of individuals with this privilege to a minimum. Software tools are also available and should be considered to limit the power and monitor the activities of individuals with privileged accounts.
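The review the preceding paragraphs call for (who actually holds superuser power, and does that match what management approved) can be scripted, as in this added example, which is not part of the GTAG or any tool it names. It parses passwd- and group-style data, derives every root-equivalent identity, and compares it with an approved list; the admin group names, the headcount limit and the sample data are assumptions, and the same comparison applies to membership of the Windows Administrators group.

```python
"""Review of root-equivalent UNIX accounts against management's approved list.

Added illustration, not code from the GTAG. Which groups confer superuser
power (via sudo or su) and the headcount limit are site-specific assumptions;
the passwd and group data below are constructed.
"""
from dataclasses import dataclass

ADMIN_GROUPS = {"wheel", "sudo"}   # assumed: membership grants root via sudo/su


@dataclass
class Finding:
    severity: str
    account: str
    reason: str


def parse_passwd(text):
    """Return {username: uid} from /etc/passwd-formatted text."""
    users = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) >= 7 and not line.startswith("#"):
            users[fields[0]] = int(fields[2])
    return users


def parse_group(text):
    """Return {groupname: set(members)} from /etc/group-formatted text."""
    groups = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) >= 4 and not line.startswith("#"):
            groups[fields[0]] = {m for m in fields[3].split(",") if m}
    return groups


def privileged_accounts(users, groups):
    """Map each root-equivalent identity to the reasons it holds that power."""
    priv = {}
    for name, uid in users.items():
        if uid == 0:                       # UID 0 is root whatever the name
            priv.setdefault(name, []).append("UID 0")
    for gname, members in groups.items():
        if gname in ADMIN_GROUPS:
            for m in sorted(members):
                priv.setdefault(m, []).append("member of " + gname)
    return priv


def review(passwd_text, group_text, approved, max_admins):
    """Compare actual privilege holders with the approved list; return findings."""
    users = parse_passwd(passwd_text)
    priv = privileged_accounts(users, parse_group(group_text))
    findings = []
    for name, reasons in sorted(priv.items()):
        if name not in users:   # orphaned group entry: the account was removed
            findings.append(Finding("medium", name, "admin-group member has no passwd entry"))
        if name not in approved:
            findings.append(Finding("high", name, "privileged but not approved: " + ", ".join(reasons)))
    for name in sorted(set(approved) - set(priv)):
        findings.append(Finding("low", name, "approved but holds no privilege (stale approval)"))
    if len(priv) > max_admins:
        findings.append(Finding("medium", "*", "%d privileged accounts exceed the limit of %d"
                                % (len(priv), max_admins)))
    return priv, findings


# Constructed sample data: a service account that was given UID 0, a developer
# in wheel, and a sudo member whose passwd entry has already been removed.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
svcbackup:x:0:0:backup service:/var/backups:/bin/sh
alice:x:1001:1001:Alice,operations:/home/alice:/bin/bash
bob:x:1002:1002:Bob,development:/home/bob:/bin/bash
carol:x:1003:1003:Carol,finance:/home/carol:/bin/bash
"""
SAMPLE_GROUP = """\
root:x:0:
wheel:x:10:alice,bob
sudo:x:27:alice,dave
finance:x:500:carol
"""
APPROVED_ADMINS = {"root", "alice"}   # list signed off by management (constructed)


def run_sample():
    return review(SAMPLE_PASSWD, SAMPLE_GROUP, APPROVED_ADMINS, max_admins=3)


if __name__ == "__main__":
    priv, findings = run_sample()
    print("root-equivalent accounts:", ", ".join(sorted(priv)))
    for f in findings:
        print("[%s] %s: %s" % (f.severity.upper(), f.account, f.reason))
```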

5.3.3.2 Financial Controls

Because organizations make considerable investments in IT, budgetary and other financial controls are necessary to ensure the technology yields the projected return on investment or proposed savings. Management processes should be in place to collect, analyze, and report information related to these issues. Unfortunately, new IT developments often suffer massive cost over-runs and fail to deliver the expected cost savings because of insufficient planning. Budgetary controls can help identify potential failings early in the process and allow management to take positive action. They may also produce historical data that organizations can use in future projects.

5.3.3.3 Change Management

Change management processes can be specified under organizational and management control elements. These processes should ensure that changes to the IT environment, systems software, application systems, and data are applied in a manner that enforces appropriate division of duties, makes sure changes work as required, prevents changes from being exploited for fraudulent purposes, and reveals the true costs of inefficiencies and system outages that can be obscured by ineffective monitoring and reporting processes. Change management is one of the most sensitive areas of IT controls and can seriously impact system and service availability if not administered effectively. The IT Process Institute has published research demonstrating that effective IT change management can bring significant benefits to organizations.

5.3.3.4 Other Management Controls

Other typical management controls include vetting procedures for new staff, performance measurement, provision of specialist training for IT staff, and disciplinary procedures. These are listed in the Information Security Program Elements in Appendix A and will be covered in greater detail in other GTAG publications.

5.3.4 Physical and Environmental Controls

IT equipment represents a considerable investment for many organizations. It must be protected from accidental or deliberate damage or loss. Physical and environmental controls, originally developed for large data centers that house mainframe computers, are equally important in the modern world of distributed client-server and Web-based systems. Although the equipment commonly used today is designed for ease of use in a normal office environment, its value to the business and the cost and sensitivity of applications running business processes can be significant. All equipment must be protected, including the servers and workstations that allow staff access to the applications.

Some typical physical and environmental controls include:

• Locating servers in locked rooms to which access is restricted.

• Restricting server access to specific individuals.

• Providing fire detection and suppression equipment.

• Housing sensitive equipment, applications, and data away from environmental hazards such as low-lying flood plains or flammable liquid stores.

When considering physical and environmental security, it is also appropriate to consider contingency planning — also known as disaster recovery planning — which includes response to security incidents. What will the organization do if there is a fire or flood, or if any other threat manifests itself? How will the organization restore the business and related IT facilities and services to ensure normal processing continues with minimum effect on regular operations? This type of planning goes beyond merely providing for alternative IT processing power to be available and routine backup of production data; it must consider the logistics and coordination needed for the full scope of business activity. Finally, history consistently demonstrates that a disaster recovery plan that has not been tested successfully in a realistic simulation is not reliable.

5.3.5 Systems Software Controls

Systems software products enable the IT equipment to be used by the application systems and users. These products include operating systems such as Windows, UNIX, and Linux; network and communications software; firewalls; antivirus products; and database management systems (DBMS) such as Oracle and DB2.

Systems software can be highly complex and can apply to components and appliances within the systems and network environment. It may be configured to accommodate highly specialized needs and normally requires a high degree of specialization to maintain it securely. Configuration techniques can control logical access to the applications, although some application systems contain their own access controls and may provide an opening for hackers to use to break into a system. Configuration techniques also provide the means to enforce division of duties, generate specialized audit trails, and apply data integrity controls through access control lists, filters, and activity logs.

IT audit specialists are required to assess controls in this area. Small organizations are unlikely to have the resources to employ such specialists and should consider outsourcing the work. Whether IT auditors are employed or outsourced, they require a highly specific set of knowledge. Much of this knowledge can come from experience, but such knowledge must be updated constantly to remain current and useful. Certification confirms that a technical specialist has acquired a specified set of knowledge and experience and has passed a related examination. In the IT audit world, global certificates include the Qualification in Computer Auditing (QiCA) from IIA–United Kingdom and Ireland, Certified Information Systems Auditor (CISA) available through the Information Systems Audit and Control Association (ISACA), and Global Information Assurance Certification (GIAC) Systems & Network Auditor (GSNA) from the SANS Institute's GIAC program. Additional certifications address general and specialized competence in information security, network administration, and other areas closely related to IT auditing and are useful for identifying an IT auditor's potential ability.

Some key technical controls the CAE should expect to find in a well-managed IT environment include:

• Access rights allocated and controlled according to the organization's stated policy.

• Division of duties enforced through systems software and other configuration controls.

• Intrusion and vulnerability assessment, prevention, and detection in place and continuously monitored.

• Intrusion testing performed on a regular basis.

• Encryption services applied where confidentiality is a stated requirement.

• Change management processes — including patch management — in place to ensure a tightly controlled process for applying all changes and patches to software, systems, network components, and data.

536 Systems Development and

Acquisition Controls

Organizations rarely adopt a single methodology for all systems development projects Methodologies are chosen tosuit the particular circumstances of each project The ITauditor should assess whether or not the organization devel-ops or acquires application systems using a controlledmethod that subsequently provides effective controls overand within the applications and data they process All computer application systems should perform only thosefunctions the user requires in an efficient way By examiningapplication development procedures the auditor can gainassurance that applications work in a controlled manner

Some basic control issues should be evident in all systemsdevelopment and acquisition work

bull User requirements should be documented and theirachievement should be measured

bull Systems design should follow a formal process toensure that user requirements and controls aredesigned into the system

bull Systems development should be conducted in a structured manner to ensure that requirements anddesign features are incorporated into the finishedproduct

bull Testing should ensure that individual system elementswork as required system interfaces operate as expect-ed users are involved in the testing process and theintended functionality has been provided

bull Application maintenance processes should ensure thatchanges in application systems follow a consistent pattern of control Change management should be

subject to structured assurance validation processesWhere systems development is outsourced the outsourcer orprovider contracts should require similar controls

Project management techniques and controls need to be part of the development process, whether developments are performed in-house or are outsourced. Management should know that projects are on time and within budget and that resources are used efficiently. Reporting processes should ensure that management completely understands the current status of development projects and does not receive any surprises when the end product is delivered.

5.3.7 Application-based Controls

The objective of internal controls over application systems is to ensure that:

• All input data is accurate, complete, authorized, and correct.

• All data is processed as intended.

• All data stored is accurate and complete.

• All output is accurate and complete.

• A record is maintained to track the process of data from input to storage and to the eventual output.

Reviewing the application controls traditionally has been the "bread and butter" of the IT auditor. However, because application controls now represent a huge percentage of business controls, they should be the priority of every internal auditor. All internal auditors need to be able to evaluate a business process and understand and assess the controls provided by automated processes.

There are several types of generic controls that the CAE should expect to see in any application:

• Input Controls – These controls are used mainly to check the integrity of data entered into a business application, whether the source is input directly by staff, remotely by a business partner, or through a Web-enabled application. Input is checked to ensure that it remains within specified parameters.

• Processing Controls – These controls provide automated means to ensure processing is complete, accurate, and authorized.

• Output Controls – These controls address what is done with the data. They should compare results with the intended result and check them against the input.

• Integrity Controls – These controls can monitor data in process and/or in storage to ensure that data remains consistent and correct.

• Management Trail – Processing history controls, often referred to as an audit trail, enable management to track transactions from the source to the ultimate result and to trace backward from results to identify the transactions and events they record. These controls should be adequate to monitor the effectiveness of overall controls and identify errors as close as possible to their sources.
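The five generic control types above, as an added example that is not part of the GTAG text: a small Python batch processor in which each function implements one of them (input validation against stated parameters, a processing control total, an output-to-input reconciliation, a hash-based integrity re-check of stored records, and a management trail that can be traced per transaction). The field names, limits, and sample batch are constructed for illustration and do not come from the document.

```python
import hashlib
import json
from datetime import datetime, timezone

# Input-control parameters; constructed for this example, not a real system.
AMOUNT_RANGE = (0.01, 10_000.00)
VALID_ACCOUNTS = {"ACC-100", "ACC-200", "ACC-300"}
AUTHORIZED_SUBMITTERS = {"clerk01", "partner-portal"}

def validate_input(rec):
    """Input control: check one record for accuracy, completeness and
    authorization. Returns the list of failure reasons (empty = accepted)."""
    errors = []
    if not rec.get("txn_id"):
        errors.append("missing transaction id")
    if rec.get("submitter") not in AUTHORIZED_SUBMITTERS:
        errors.append("unauthorized submitter")
    if rec.get("account") not in VALID_ACCOUNTS:
        errors.append("unknown account")
    amount, (lo, hi) = rec.get("amount"), AMOUNT_RANGE
    if not isinstance(amount, (int, float)) or not lo <= amount <= hi:
        errors.append("amount outside permitted range")
    return errors

def record_hash(rec):
    """Integrity control: SHA-256 of the canonical form of a stored record,
    so a later re-check detects silent alteration in storage."""
    canonical = json.dumps(rec, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()

def process_batch(batch, declared_count, declared_total):
    """Run a batch through the generic application controls; return the
    outcome with the management trail and the stored records."""
    trail, accepted, rejected, store = [], [], [], {}

    def log(event, txn_id, detail):  # one management-trail entry per decision
        trail.append({"ts": datetime.now(timezone.utc).isoformat(),
                      "event": event, "txn_id": txn_id, "detail": detail})

    # Processing control (completeness): the batch header must agree with
    # the batch body before any record is posted.
    amounts = [r["amount"] for r in batch if isinstance(r.get("amount"), (int, float))]
    actual_total = round(sum(amounts), 2)
    if len(batch) != declared_count or actual_total != declared_total:
        log("batch_rejected", None, f"declared {declared_count}/{declared_total}, "
                                    f"found {len(batch)}/{actual_total}")
        return {"status": "batch_rejected", "accepted": [], "rejected": list(batch),
                "trail": trail, "store": store}

    for rec in batch:
        errors = validate_input(rec)
        if errors:
            rejected.append(rec)
            log("input_rejected", rec.get("txn_id"), "; ".join(errors))
            continue
        posted = {"txn_id": rec["txn_id"], "account": rec["account"],
                  "amount": round(rec["amount"], 2), "source": rec["submitter"]}
        store[rec["txn_id"]] = {"record": posted, "hash": record_hash(posted)}
        accepted.append(rec)
        log("posted", rec["txn_id"], f"{posted['amount']} to {posted['account']}")

    # Output control: what will be reported (taken from storage) must
    # reconcile to the input that passed validation.
    output_total = round(sum(e["record"]["amount"] for e in store.values()), 2)
    input_total = round(sum(r["amount"] for r in accepted), 2)
    if output_total != input_total:
        log("output_mismatch", None, f"output {output_total} vs input {input_total}")
        return {"status": "output_mismatch", "accepted": accepted,
                "rejected": rejected, "trail": trail, "store": store}
    log("batch_complete", None,
        f"{len(accepted)} posted, {len(rejected)} rejected, total {output_total}")
    return {"status": "ok", "accepted": accepted, "rejected": rejected,
            "trail": trail, "store": store, "output_total": output_total}

def verify_storage(store):
    """Integrity control, run later: txn_ids whose stored record no longer
    matches the hash recorded when it was posted."""
    return [tid for tid, e in store.items() if record_hash(e["record"]) != e["hash"]]

def trace(trail, txn_id):
    """Management trail: follow one transaction from source to result."""
    return [e for e in trail if e["txn_id"] == txn_id]

# Constructed sample batch: two acceptable records, one amount above the
# permitted range, one record from an unauthorized source. The header
# figures are constructed to agree with the body.
SAMPLE_BATCH = [
    {"txn_id": "T1", "account": "ACC-100", "amount": 250.00, "submitter": "clerk01"},
    {"txn_id": "T2", "account": "ACC-200", "amount": 12_500.00, "submitter": "clerk01"},
    {"txn_id": "T3", "account": "ACC-300", "amount": 40.50, "submitter": "partner-portal"},
    {"txn_id": "T4", "account": "ACC-100", "amount": 99.99, "submitter": "unknown-host"},
]
SAMPLE_COUNT, SAMPLE_TOTAL = 4, 12_890.49

if __name__ == "__main__":
    result = process_batch(SAMPLE_BATCH, SAMPLE_COUNT, SAMPLE_TOTAL)
    print(result["status"], [e["event"] for e in trace(result["trail"], "T2")])
```

An auditor reviewing a real application would look for each of these five functions, in some form, in the system itself rather than in a test harness, and would check that rejected records and batches leave a trail entry that can be followed back to the source.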

GTAG — Understanding IT Controls — 5

5.4 Information Security

Information security is an integral part of all IT controls. Information security applies to both infrastructure and data and is the foundation for the reliability of most other IT controls. The exceptions are controls relating to the financial aspects of IT (e.g., ROI, budgetary controls) and some project management controls. The universally accepted elements of information security are:

• Confidentiality – Confidential information must only be divulged as appropriate and must be protected from unauthorized disclosure or interception. Confidentiality includes privacy considerations.

• Integrity – Information integrity refers to the state of data as being correct and complete. This specifically includes the reliability of financial processing and reporting.

• Availability – Information must be available to the business, its customers, and partners when, where, and in the manner needed. Availability includes the ability to recover from losses, disruption, or corruption of data and IT services, as well as from a major disaster where the information was located.

5.5 IT Controls Framework

IT controls are not automatic. For the more than 50 years organizations have used IT, controls have not always been the default condition of new systems, hardware, or software. The development and implementation of controls typically lag behind the recognition of vulnerabilities in systems and the threats that exploit such vulnerabilities. Further, IT controls are not defined in any widely recognized standard applicable to all systems or to the organizations that use them.

Many frameworks exist for categorizing IT controls and their objectives. Each organization should use the most applicable components of these frameworks to categorize or assess IT controls and to provide and document its own internal control framework for:

• Compliance with applicable regulations and legislation.

• Consistency with the organization's goals and objectives.

• Reliable evidence (assurance) that activities are in compliance with management's governance policies and are consistent with the organization's risk appetite.

Risk Appetite

An organization's risk appetite defines the degree of risk a company or other organization is willing to accept in pursuit of its goals, as determined by executive management and governance. Risk appetite can specify, for example, whether or not an organization will take an aggressive role in the deployment of new and emerging technologies. An organization's risk appetite can be affected by its industry and regulatory environment. Closely related to risk appetite is an organization's risk tolerance, which measures how far it is willing to deviate from its stated measure of risk appetite.

Many issues drive the need for IT controls, including controlling costs and remaining competitive, protecting against information theft by hackers, and complying with legislation and regulation such as the U.S. Sarbanes-Oxley Act of 2002,[2] the European Union's Data Protection Directive, and related legislation in other countries. IT controls promote reliability and efficiency and allow the organization to adapt to changing risk environments. For example, any control that mitigates or detects fraud or cyber attacks enhances the organization's resiliency by helping the organization uncover the risk and manage its impact. Resiliency is a result of a strong system of internal controls that give an organization the ability to manage disruptions seamlessly.

Legislation and regulations in some countries now require organizations to report on the effectiveness of internal control and, by implication, the effectiveness of IT control. The most prominent new law is Sarbanes-Oxley, which requires all companies with shares that are publicly traded in the United States, and their foreign subsidiaries, to report on their system of internal controls over financial reporting, performed in conjunction with an audit of financial statements. A list of some of the legislation and regulations applicable to internal controls is provided in Appendix B (see page 24).

The need for controls is further driven by the complexity resulting from the necessity for diverse technical components to work with one another. While flexibility and adaptability of IT are crucial to meeting the changing needs of customers and business partners and responding to competitive pressures, they also add complexity to business and IT infrastructures. In addition, information security has been acknowledged as a key component of internal control with the emergence and widespread acceptance of standards such as the International Organization for Standardization Code of Practice for Information Security Management (ISO 17799).

Organizations that implement effective IT controls experience improvements in efficiencies, reliability of services, flexibility of systems, and availability of assurance evidence — all of which add value and increase stakeholder and regulator confidence in the organization. Some key indicators of effective IT controls include:

• The ability to execute planned new work, such as the IT infrastructure upgrades required to support new products and services.

• Delivery of development projects on time and within budget, resulting in cheaper and better product and service offerings when compared with competitors.

• Ability to allocate resources predictably.

• Consistent availability and reliability of information and IT services across the organization and for customers, business partners, and other external interfaces.

• Clear communication to management of effective controls.

• The ability to protect against new vulnerabilities and threats quickly and efficiently, and to recover from any disruption of IT services.

• The efficient use of a customer support center or help desk.

• A security-conscious culture among end users throughout the organization.

Although the internal audit function likely will include specialist IT auditors to address IT issues in detail, the CAE also should understand IT control issues at a high level, particularly their interactions with other IT and non-IT controls. This understanding is particularly important when discussing compliance or control deficiencies with high-level managers such as the chief executive officer (CEO), chief financial officer (CFO), or chief information officer (CIO), and with the various board committees.

The CAE should be able to discuss relevant regulations and legislation with the audit committee, the chief legal counsel, and other relevant individuals and committees. The CAE also should understand how IT controls support reliability and effectiveness and help promote competitive advantage. Moreover, the CAE should thoroughly understand the major issues that drive the need for controls within the organization's particular sector to ensure they are considered during audit assessments. Without a thorough knowledge and understanding of IT controls, the auditor will be unable to grasp their significance or to assess them adequately as part of the overall review of internal control.

GTAG — Importance of IT Controls — 6

[2] Public Accounting Reform and Investor Protection Act of 2002, known as Sarbanes-Oxley after its sponsors, U.S. Sen. Paul Sarbanes and U.S. Rep. Michael Oxley.

GTAG — IT Roles in the Organization — 7

Many different roles have emerged in recent years for positions within the organization with responsibilities and ownership of IT controls. Each position at the governance, management, operational, and technical levels should have a clear description of its roles and responsibilities for IT controls to avoid confusion and ensure accountability for specific issues. This section addresses the various IT control roles and responsibilities within the organization and allocates them to specific positions within a hypothetical organizational structure.

There is no universally applicable means of defining the organizational structure for IT control. The CAE should identify where IT control responsibilities lie and assess their appropriateness with regard to separation of duties, as well as any gaps that may exist in assigned responsibilities. Once this is done, the CAE will know whom to approach to discuss specific IT issues and where specific information can be obtained.

Overall, the objectives for the use of IT within any organization are:

• To deliver reliable information efficiently and secure IT services in line with the organization's strategies, policies, external requirements, and risk appetite.

• To protect stakeholder interests.

• To enable mutually beneficial relationships with customers, business partners, and other outside parties that accomplish business objectives.

• To identify and respond to threats and potential violations of control appropriately.

Specific roles within the organization support these objectives. The position descriptions and titles will differ across different countries, industries, and organizations, and some of the roles may be merged within smaller organizations. However, some individuals within the organization must address the IT control function and interact with the CAE and internal audit staff members.

7.1 Board of Directors/Governing Body

One important role of the full board of directors is to determine and approve strategies, set objectives, and ensure that objectives are being met to support the strategies. In relation to IT, this requires:

• Awareness of the key IT topics, such as the IT and information security policies and the concepts of risk as they relate to IT. An example of board roles in IT oversight is provided in The IIA's "Information Security Management and Assurance Series" at www.theiia.org/iia/index.cfm?doc_id=2458.

• Understanding of the IT strategy's infrastructure and components, as well as awareness of key system development and acquisition projects and how they support and impact overall corporate strategies, objectives, and short- and long-term budgets.

• Approval of the data classifications structure and the related access rights.

The board will establish various committees based on its relationships with the organization. The most common committees of the board are audit, compensation, and governance, but some boards have additional committees such as a risk management committee or finance committee. These committees may bear different names from those identified below, and their roles may vary. The functions, rather than the names, are important.

7.1.1 Audit Committee

The role of the audit committee encompasses oversight of financial issues, internal control assessment, risk management, and ethics. IT control is a strong element of each of these duties and calls for:

• Understanding of financial management (financial expert role) and the organization's reliance on IT for financial processing and reporting.

• Ensuring IT topics are included in the committee meeting agenda — especially CIO reporting.

• Ensuring general IT controls and controls in business application systems and processes involved in preparing financial statements are assessed and tested adequately.

• Overseeing the overall assessment of IT controls.

• Reviewing the business and control issues related to new systems development and acquisition.

• Examining internal and external audit plans and work to ensure IT topics are covered adequately.

• Reviewing the results of audit work and monitoring the resolution of issues raised.

• Understanding the IT topics that impact ethics monitoring.

7.1.2 Compensation Committee

The compensation committee has no direct relationship with IT. However, it can improve the board's oversight of IT by making IT one of the performance elements of any compensation plan it approves.

7.1.3 Governance Committee

The governance committee is responsible for board member selection and assessment and for leadership of the board's operations. In relation to IT, this committee should:

• Ensure that potential and current board members have a suitable IT knowledge or background.

• Assess board committees' performance in terms of their oversight of IT.

• Review any external regulatory governance assessments in relation to IT topics.

• Ensure that the board reviews IT policies periodically and that board meetings focus on IT with adequate frequency.

7.1.4 Risk Management Committee

The risk management committee is responsible for oversight of all risk analysis and assessment, risk response, and risk monitoring. Its role includes:

• Assessing the extent to which management has established effective enterprise risk management in the organization.

• Being aware of and concurring with the organization's risk appetite and tolerance.

• Appreciating the impact of IT-related risks.

• Reviewing the organization's risk portfolio — including IT risks — and considering it against the organization's risk appetite.

• Being apprised of the most significant IT risks and determining whether or not management's response to changes in risk and threats is appropriate.

• Monitoring and evaluating all activities performed by management to minimize all known and documented risks.

7.1.5 Finance Committee

The main role of the finance committee is to review financial statements, cash flow projections, and investment management. Members of this committee need to understand the control elements of IT that ensure the accuracy of information used to make key financing decisions and generate financial reports. They also should consider, and ask management to report on, the benefits and costs of maintaining — versus replacing — critical IT systems. Management's report should consider "soft" efficiency issues, such as gains or losses to productivity based on ease and efficiency of use; the "hard" costs of repairs and upgrades; and the potential for risk due to loss or corruption of data.

7.2 Management

Several specific roles have emerged in large organizations in relation to IT risk and control. As stated previously, small organizations might not allocate an individual for each role, although the function must still be performed. An individual may perform multiple roles, but care must be taken so that allocating these roles does not compromise the need for division of duties where roles are incompatible. Where IT is outsourced, there is still a requirement for organizations to keep many of these roles in-house to provide oversight of the outsourced functions.

7.2.1 Chief Executive Officer

The individual with overall strategic and operational control of the organization must consider IT in most aspects of the role. In particular, the CEO will:

• Define corporate objectives and performance measures in relation to IT.

• Act as custodian over the organization's critical success factors in relation to IT.

• Understand and approve the short-term and long-range strategy for IT.

• Approve IT resources for the organization, including structure and oversight/monitoring.

• Determine IT issues for periodic management, board, and staff discussion.

• Operate as the highest-level control owner, having ultimate responsibility for the success or failure of controls and for coordinating all other operational managers within their responsibilities framework who act as control owners of their particular areas.

7.2.2 Chief Financial Officer

The CFO has overall responsibility for all financial matters in the organization and should have a strong understanding of the use of IT, both to enable financial management and to support corporate objectives. This individual should have an overall understanding of:

• The total cost of ownership for IT initiatives.

• The entity's IT strategies for remaining technologically competitive.

• The technologies used to implement financial applications.

• The operation of specific financial applications.

• The limitations and benefits of IT.

• The IT control structure for general controls that apply to all business systems and data, as well as controls that are specific to financial applications.

The CFO should operate as the highest-level control owner for financial systems and data.

IT Controls and Ethics

As evidenced by cases from the Equity Funding scandal in the 1970s to the scandals that continue to emerge today, the use of technology creates significant opportunities to initiate and perpetuate fraud and deception. The authority to override certain controls brings with it the temptation to initiate improper actions. If such improprieties go unnoticed or are tacitly allowed to continue, they can grow into outright fraud. Therefore, when an organization provides an individual the opportunity to perform actions on behalf of the organization, it has a corresponding responsibility to provide monitoring to detect and correct improper activities quickly. The organization also has a responsibility to identify threats of this sort and to establish safeguards as a preventive measure. The same technology tools that can create the opportunity for fraud can be used to identify activities, or even unusual patterns in transactions or other data, that may indicate evidence of fraud or questionable behavior.

7.2.3 Chief Information Officer

The CIO has overall responsibility for the use of IT within the organization. In relation to IT controls, the CIO should:

• Understand the business requirements that drive the need to implement IT.

• Develop IT partnerships with business management to:
  – Ensure IT strategy is aligned with the business strategy.
  – Ensure compliance.
  – Profit from process-efficiency gains.
  – Mitigate assessed risks.

• Design, implement, and maintain an IT internal control framework.

• Plan, source, and control IT resources.

• Explore, assess, select, and implement technology advances (e.g., wireless communications).

• Provide training for IT personnel to ensure that levels of knowledge and skills remain current.

• Operate as the highest-level data/system custodian and IT control owner.

• Measure the operational performance of IT in support of business objectives by:
  – Setting expectations.
  – Evaluating results.

• Develop all necessary means to verify and acknowledge that IT is providing services and support as expected by its users and final customers, such as regulators and external and internal auditors.

7.2.4 Chief Security Officer

The chief security officer (CSO) is responsible for all security across the entire organization, including information security, which may be the responsibility of a chief information security officer as well. The CSO:

• Has responsibility for documenting the enterprise security policy and for ensuring mechanisms have been established to communicate and enforce the policy.

• Has overall responsibility for logical and physical security in the organization and for all external connections to the Internet or other networks.

• Acts as a key link between the compliance, legal, CIO, and audit functions.

• Is at the forefront of implementing key compliance programs affecting IT, such as Sarbanes-Oxley and the European Union (EU) Data Protection Directive.

• Is responsible for business continuity planning, including incident handling and disaster recovery.

• Ensures that security staff provide support for implementing controls at all levels.

• Acts as the key leader for investigating and evaluating new best practices that may be incorporated into the organization.

7.2.5 Chief Information Security Officer (CISO)

Information security is a subset of the overall security role. The CISO:

• Develops and implements the information security policy in coordination with the CSO.

• Controls and coordinates information security resources, ensuring they are allocated adequately to meet the organization's security objectives.

• Ensures alignment of information security and business objectives.

• Manages operational information risks throughout the organization.

• Oversees security within the IT organization.

• Provides education and awareness on information security issues and new best practices.

• Develops end-user policies for the usage of IT information in conjunction with the human resources function.

• Coordinates information security work with the chief risk officer (CRO) and CIO.

• Advises the CEO, CRO, CIO, and board on IT risk issues.

• Acts as a key link for the CAE when internal auditing performs IT control-related audits.

7.2.6 Chief Legal Counsel (CLC)

Legal counsel may be an employee or officer of the organization or an external legal adviser. The role involves:

• Understanding and dealing with the liabilities arising out of information disclosures and providing policy-level guidance to help manage risks related thereto.

• Ensuring financial reports and presentations comply with laws and regulations.

• Understanding IT legal issues and advising on legal risks related to IT.

• Managing organizational reputation in relation to legal issues, compliance, and public relations.

• Understanding fraud involving IT.

• Managing IT contractual issues.

• Understanding investigative forensics protocols regarding suspected criminal activity.

7.2.7 Chief Risk Officer

The CRO is concerned with managing risk at all levels of the organization. Because IT risks form a part of this function, the CRO will consider them with the help of the CISO. This includes:

• Analysis and assessment of IT risk exposures, including information compromises such as loss, damage, unauthorized disclosure, and interrupted access.

• Assessment of IT events such as interruptions, disasters, and changes.

• Analysis and assessment of business risk as it is affected by IT risk.

• Monitoring, supporting, and acting as a mentor for all IT activities related to minimizing risks.

7.3 Audit

7.3.1 Internal Auditing – CAE and Audit Staff

Internal auditing is an essential part of the corporate governance process, whether or not a specific internal audit group is employed. Internal auditors need a general understanding of IT, but the level of their understanding will vary depending on the category of auditing or audit supervision they perform (IIA Standard 1210.A3). The IIA defines three categories of IT knowledge for internal auditors; Appendix C (see page 28) describes these categories. The internal audit role in relation to IT involves:

• Advising the audit committee and senior management on IT internal control issues.

• Ensuring IT is included in the audit universe and annual plan (selecting topics).

• Ensuring IT risks are considered when assigning resources and priorities to audit activities.

• Defining IT resources needed by the internal audit department, including specialized training of audit staff.

• Ensuring that audit planning considers IT issues for each audit.

• Liaising with audit clients to determine what they want or need to know.

• Performing IT risk assessments.

• Determining what constitutes reliable and verifiable evidence.

• Performing IT enterprise-level controls audits.

• Performing IT general controls audits.

• Performing IT applications controls audits.

• Performing specialist technical IT controls audits.

• Making effective and efficient use of IT to assist the audit processes.

• During systems development or analysis activities, operating as experts who understand how controls can be implemented and circumvented.

• Helping to monitor and verify the proper implementation of activities that minimize all known and documented IT risks.

7.3.2 External Auditor

Independent external audits are a requirement for most organizations and normally are performed annually. Topics to be considered by the internal audit department and the audit committee include:

• The extent of the external auditor's responsibilities for understanding and evaluating the IT system and related IT controls during financial audits.

• The scope of the external auditor's responsibilities for examining the IT system and controls during any formal attestation that may be required by statute or regulation, such as internal controls over financial reporting and other regulatory requirements.

[3] These definitions are taken from the COSO Enterprise Risk Management – Integrated Framework (Oct. 2004).

8.1 Risk Determines Response

IT controls are selected and implemented on the basis of the risks they are designed to manage. As risks are identified — through experience or formal risk assessment — suitable risk responses are determined, ranging from doing nothing and accepting the risk as a cost of doing business to applying a wide range of specific controls, including insurance.

It would be a relatively straightforward task to create a list of recommended IT controls that must be implemented within each organization. However, each control has a specific cost that may not be justified in terms of cost effectiveness when considering the type of business done by the organization. Furthermore, no list of controls is universally applicable across all types of organizations. Although there is a lot of good advice available on the choice of suitable controls, strong judgment must be used. Controls must be appropriate for the level of risk faced by the organization.

The CAE should be able to advise the audit committee that the internal control framework is reliable and provides a level of assurance appropriate to the risk appetite of the organization. In this respect, the risk appetite of the organization is defined by COSO[3] as:

"… the degree of risk, on a broad-based level, that a company or other organization is willing to accept in pursuit of its goals. Management considers the organization's risk appetite first in evaluating strategic alternatives, then in setting objectives aligned with the selected strategy, and in developing mechanisms to manage the related risks."

In addition, the CAE should consider risk tolerance. COSO defines risk tolerance as:

"… the acceptable level of variation relative to the achievement of objectives. In setting specific risk tolerances, management considers the relative importance of the related objectives and aligns risk tolerances with its risk appetite."

Thus, the CAE should consider whether or not:

• The organization's IT environment is consistent with the organization's risk appetite.

• The internal control framework is adequate to ensure that the organization's performance remains within the stated risk tolerances.

8.2 Risk Considerations in Determining the Adequacy of IT Controls

Risk management applies to the entire spectrum of activity within an organization, not just to the application of IT. IT cannot be considered in isolation but must be treated as an integral part of all business processes. Choosing IT controls is not simply a matter of implementing those recommended as best practices. They must add value to the organization by reducing risk efficiently and increasing effectiveness.

When considering the adequacy of IT controls within the organization's internal control framework, the CAE should consider the processes established by management to determine:

• The value and criticality of information.

• The organization's risk appetite and tolerance for each business function and process.

• IT risks faced by the organization and the quality of service provided to its users.

• The complexity of the IT infrastructure.

• The appropriate IT controls and the benefits they provide.

• Harmful IT incidents in the past 24 months.

The frequency of risk analysis is important and is influenced greatly by technological change. In a static business and technical infrastructure environment, the risk assessment process could be as infrequent as yearly or could be performed in concert with a major implementation project.

8.2.1 The IT Infrastructure

Analyzing and assessing risk in relation to IT can be complex. The IT infrastructure consists of hardware, software, communications, applications, protocols (rules), and data, as well as their implementation within physical space, within the organizational structure, and between the organization and its external environment. Infrastructure also includes the people interacting with the physical and logical elements of systems.

The inventory of IT infrastructure components reveals basic information about the vulnerabilities of the environment. For example, business systems and networks connected to the Internet are exposed to threats that do not exist for self-contained systems and networks. Because Internet connectivity is an essential element of most business systems and networks, organizations must make certain that their systems and network architectures include the fundamental controls that ensure basic security.

The complete inventory of the organization's IT hardware, software, network, and data components forms the foundation for assessing the vulnerabilities within the IT infrastructures that may impact internal controls. Systems architecture schematics reveal the implementation of infrastructure components and how they interconnect with other components within and outside the organization. To the information security expert, the inventory and architecture of IT infrastructure components — including the placement of security controls and technologies — reveals potential vulnerabilities. Unfortunately, information about a system or network can also reveal vulnerabilities to a potential attacker, so access to such information must be restricted to only those people who need it. A properly configured system and network environment will minimize the amount of information it provides to would-be attackers, and an environment that appears secure presents a less attractive target to most attackers.

GTAG — Analyzing Risk — 8


8.2.2 IT Risks Faced by the Organization

The CAE discusses IT risk issues with the CIO and process owners to ensure that all related parties have an appropriate awareness and understanding of the technical risks faced by the organization through the use of IT, and of their roles in applying and maintaining effective controls.

8.2.3 Risk Appetite and Tolerance

Armed with the knowledge of IT risks, the auditor can validate the existence of effective controls to meet the established risk appetite of the organization and its risk tolerance in relation to IT. The auditor's assessment will involve discussions with many members of management and, ultimately, with the board. The level of detail of these discussions can be determined by the CRO with input from the CIO, CISO, CSO, CAE, and process owners. The final decision regarding risk appetite and tolerance must be made by the risk committee — with input from the audit committee — and must be endorsed by the full board. The definitions of risk appetite and tolerance must be communicated to all relevant managers for implementation.

The goal of enterprise risk management is to ensure that everyone is working with the same level and understanding of risk, and that decisions made at all levels of management are consistent with the organization's risk appetite.

8.2.4 Performing Risk Analysis

Performing risk analysis is not the sole preserve of either the CRO or the CAE, although both of them, or their representatives, should be involved, along with representatives from IT and the business areas.

There are eight basic questions associated with the risk assessment process. The first five include:

• What are the assets at risk, and the value of their confidentiality, integrity, and availability?

• What could happen to affect that information asset value adversely (threat event)? Implicit to this question is the vulnerability analysis and the mapping of vulnerabilities to threats and potentially impacted information assets.

• If a threat event happened, how bad could its impact be?

• How often might the event be expected to occur (frequency of occurrence)?

• How certain are the answers to the first four questions (uncertainty analysis)?

The next three questions apply to risk mitigation analysis:

• What can be done to reduce the risk?

• How much will it cost?

• Is it cost-efficient?

8.2.5 Value of Information

Determining the value of the information processed and stored is not an easy task, due to the multidimensional nature of value. The Generally Accepted Information Security Principles (GAISP) Guidelines for Information Valuation, published by the Information Systems Security Association (www.ISSA.org), address information value within the following categories:

• Exclusive possession – cost in the event of a breach of confidentiality

• Utility – cost in the event of a loss of integrity

• Cost of creation/re-creation

• Liability in the event of litigation

• Convertibility/negotiability – represents market value

• Operational impact of unavailability

8.2.6 Appropriate IT Controls

Finally, appropriate IT controls must be chosen and implemented to address the risks identified. Much advice is available on this subject. See Appendix I (see page 45).

The CAE and internal audit group should be involved in the process of analyzing and assessing risk. While they should operate in a manner that maintains the independence and objectivity of their function, they also must provide an opinion on the effectiveness of the internal control framework.

8.3 Risk Mitigation Strategies

When risks are identified and analyzed, it is not always appropriate to implement controls to counter them. Some risks may be minor, and it may not be cost effective to implement expensive control processes for them.

In general, there are several ways to mitigate the potential impact of risks:

• Accept the risk. One of the primary functions of management is managing risk. Some risks are minor because their impact and probability of occurrence are low. In this case, consciously accepting the risk as a cost of doing business is appropriate, as is periodically reviewing the risk to ensure its impact remains low.

• Eliminate the risk. It is possible for a risk to be associated with the use of a particular technology, supplier, or vendor. The risk can be eliminated by replacing the technology with more robust products and by seeking more capable suppliers and vendors.

• Share the risk. Risk mitigation approaches can be shared with trading partners and suppliers. A good example is outsourcing infrastructure management. In such a case, the supplier mitigates the risks associated with managing the IT infrastructure by being more capable and having access to more highly skilled staff than the primary organization. Risk also may be mitigated by transferring the cost of realized risk to an insurance provider.

• Control/mitigate the risk. Where other options have been eliminated, suitable controls must be devised and implemented to prevent the risk from manifesting itself or to minimize its effects.
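As an added illustration that is not part of the GTAG, the eight risk-assessment questions of 8.2.4 and the mitigation strategies of 8.3 are worked through as a small Python risk register: value of the asset, threat events with impact, frequency and an uncertainty band, and a cost-efficiency comparison of accept/eliminate/share/control options. The asset, threat events, loss figures and control costs are constructed sample values, not data from the guide.

```python
"""Risk register that walks the eight risk-assessment questions (Section 8.2.4)
and scores the mitigation options of Section 8.3.  Added illustration, not from
the GTAG; every asset, threat event, figure and cost below is constructed."""
from dataclasses import dataclass, field


@dataclass
class ThreatEvent:
    """Questions 2-5 for one threat event mapped to an asset."""
    name: str
    impact: float       # Q3: loss per occurrence, best estimate
    frequency: float    # Q4: expected occurrences per year, best estimate
    uncertainty: float  # Q5: +/- fraction applied to impact and frequency (0.5 = 50%)

    def expected_loss(self) -> tuple:
        """Annual expected loss as (low, best, high); the band widens with uncertainty."""
        lo, hi = 1 - self.uncertainty, 1 + self.uncertainty
        return (self.impact * lo * self.frequency * lo,
                self.impact * self.frequency,
                self.impact * hi * self.frequency * hi)


@dataclass
class Asset:
    """Q1: the asset at risk and the value of its confidentiality, integrity, availability."""
    name: str
    confidentiality: float
    integrity: float
    availability: float
    threats: list = field(default_factory=list)

    def value(self) -> float:
        return self.confidentiality + self.integrity + self.availability

    def annual_loss(self) -> tuple:
        """Sum the (low, best, high) loss of every threat event mapped to this asset."""
        totals = [0.0, 0.0, 0.0]
        for threat in self.threats:
            for i, part in enumerate(threat.expected_loss()):
                totals[i] += part
        return tuple(totals)


@dataclass
class Option:
    """Q6-Q8: a mitigation option, its annual cost and the share of loss it removes."""
    strategy: str          # accept / eliminate / share / control (Section 8.3)
    description: str
    annual_cost: float     # Q7
    loss_reduction: float  # fraction of best-estimate annual loss avoided, 0..1

    def net_benefit(self, annual_loss_best: float) -> float:
        """Q8: avoided loss minus cost; positive means the option is cost-efficient."""
        return annual_loss_best * self.loss_reduction - self.annual_cost


def choose_option(asset: Asset, options: list) -> Option:
    """Accepting the risk (no cost, no reduction) is always available, so another
    strategy is selected only when it is cost-efficient against the best estimate."""
    _, best, _ = asset.annual_loss()
    accept = Option("accept", "accept as a cost of doing business; review periodically", 0.0, 0.0)
    return max([accept] + options, key=lambda o: o.net_benefit(best))


def sample_register() -> tuple:
    """Constructed sample: one asset, two threat events, three candidate options."""
    asset = Asset("customer payment records", 500_000, 200_000, 100_000, [
        ThreatEvent("Internet-facing application compromise", 400_000, 0.125, 0.5),
        ThreatEvent("nightly batch job failure", 20_000, 2.0, 0.25),
    ])
    options = [
        Option("control", "add monitoring and approval controls", 25_000, 0.5),
        Option("share", "outsource infrastructure management and insure", 30_000, 0.75),
        Option("eliminate", "replace the product and its supplier", 70_000, 1.0),
    ]
    return asset, options


if __name__ == "__main__":
    asset, options = sample_register()
    low, best, high = asset.annual_loss()
    print(f"{asset.name}: value {asset.value():,.0f}, "
          f"annual loss {low:,.0f} to {high:,.0f} (best estimate {best:,.0f})")
    chosen = choose_option(asset, options)
    print(f"chosen strategy: {chosen.strategy} ({chosen.description}), "
          f"net benefit {chosen.net_benefit(best):,.0f}")
```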


8.4 Control Characteristics to Consider

Some of the issues to be addressed during the IT control evaluation process include:

• Is the control effective?

• Does it achieve the desired result?

• Is the mix of preventive, detective, and corrective controls effective?

• Do the controls provide evidence when control parameters are exceeded or when controls fail? How is management alerted to failures, and which steps are expected to be taken?

• Is evidence retained (audit or management trail)?

8.5 Baseline IT Controls

IT controls are to be applied when mitigating the risks is the best option. While IT controls should be applied with due regard to the relevant risks, there is a basic set of controls that need to be in place to provide a fundamental level of IT hygiene. For example, the use of a firewall to control traffic between a corporate network and a public network such as the Internet, or between internal network domains, is a baseline control. The level of risk associated with the business value and sensitivity of the network traffic, the services provided, and the information stored in the infrastructure determines the extent to which firewalls restrict traffic coming into and departing from an organization's networks. Firewalls are a physical and logical manifestation of information security policy elements that dictate what is allowed into or out of an organization.

IT controls most widely applicable to all IT infrastructures are known as baseline controls. There are many types of baseline controls. Two baselines that apply to IT security controls are the Digital Dozen from the VISA Cardholder Information Security Program (CISP) and the Fundamental Five from the Center for Internet Security (see sidebars on this page). The Fundamental Five and Digital Dozen complement each other.

It is not easy to define the baseline IT controls because the general threats, such as malicious software and hacking, change, and newer technologies and applications frequently are implemented across the organization. The following questions can be considered when selecting a suitable set of baseline controls:

• Do IT policies — including for IT controls — exist?

• Have responsibilities for IT and IT controls been defined, assigned, and accepted?

• Are IT infrastructure equipment and tools logically and physically secured?

• Are access and authentication control mechanisms used?

• Is antivirus software implemented and maintained?

• Is firewall technology implemented in accordance with policy (e.g., where external connections such as the Internet exist and where separation between internal networks is needed)?

• Are external and internal vulnerability assessments completed, and risks identified and appropriately resolved?

• Are change and configuration management and quality assurance processes in place?

• Are structured monitoring and service measurement processes in place?

• Are specialist IT audit skills available (either internally or outsourced)?

Further information on baseline controls can be found in Appendix I (see page 45). More comprehensive information on risk analysis and management can be found in the IIA paper Information Security Management and Assurance: A Call to Action for Corporate Governance, http://www.theiia.org/eSAC/pdf/BLG0331.pdf.


Fundamental Five

The Consensus Benchmarks from the Center for Internet Security (www.cisecurity.org) provide guidance on the "Fundamental Five" of basic security hygiene. Use of these benchmarks typically results in an 80 percent to 95 percent reduction of known vulnerabilities.

1. Identity and Access Management (including privilege assignment and authentication)
2. Change Management (including patch management)
3. Configuration Management
4. Firewalls (workstation, host, sub-network, and perimeter)
5. Malware protection (including worms and viruses)

Digital Dozen

One of the most concise and broadly useful summaries of security guidance is the VISA CISP, which has proven its value for over two years in use by VISA credit card network service providers, including banks, processors, merchants, and others. VISA refers to these requirements as its "Digital Dozen":

1. Install and maintain a working firewall to protect data.
2. Keep security patches up-to-date.
3. Protect stored data.
4. Encrypt data sent across public networks.
5. Use and regularly update anti-virus software.
6. Restrict access by need to know.
7. Assign a unique Identification Code (ID) to each person with computer access.
8. Don't use vendor-supplied defaults for passwords and security parameters.
9. Track all access to data by unique ID.
10. Regularly test security systems and processes.
11. Implement and maintain an information security policy.
12. Restrict physical access to data.


9.1 Choosing a Control Framework

The process of identifying and assessing the IT controls necessary to address specific risks is aided considerably by the organization's adoption of a formal control framework. This framework should apply to and be used by the whole organization — not just internal auditing. Although many frameworks exist, no single framework covers every possible business type or technology implementation.

A control framework is a structured way of categorizing controls to ensure that the whole spectrum of control is adequately covered. The framework can be informal or formal. A formal approach will satisfy the various regulatory or statutory requirements faced by many organizations more readily.

Each organization should examine existing control frameworks to determine which of them — or which parts — most closely fit its needs. The process of choosing or constructing a control framework should involve all positions in the organization with direct responsibility for controls. The CAE should be involved in the decision process because the internal audit function will assess the framework's adequacy and use it as a context for planning and performing audit work.

The CAE needs an overall knowledge of IT risk issues to assess the effectiveness and appropriateness of IT controls. The CAE will base the audit plan and allocate audit resources according to the IT areas and issues that merit attention due to their inherent levels of risk. Risk analysis and assessment cannot be viewed as a one-time process, especially when applied to IT, because technology changes constantly and rapidly, as do the associated risks and threats. Categorizing IT controls according to their organizational placement, purpose, and functionality is useful in assessing their value and adequacy, as well as the adequacy of the system of internal controls. Knowledge of the range of available IT controls, the driving forces for controls, and organizational roles and responsibilities allows for comprehensive risk analysis and assessments. In assessing control effectiveness, it is also useful to understand whether the controls are mandated or voluntary, discretionary or nondiscretionary, manual or automated, primary or secondary, and subject to management override.

Finally, the assessment of IT controls involves selecting key controls for testing, evaluating test results, and determining whether or not evidence indicates any significant control weaknesses. The checklist in Appendix H can help the CAE ensure all relevant issues have been considered when planning and directing internal audit assessments of IT controls. Several existing frameworks and approaches can assist the CAE and other managers when determining IT control requirements. However, organizations should investigate enough frameworks to determine which one best fits their own needs and culture. A partial list of available frameworks is provided in Appendix D (see page 29).

GTAG — Monitoring and Techniques — 9

COSO Model for Technology Controls

Monitoring
• Monthly metrics from technology performance
• Technology cost and control performance analysis
• Periodic technology management assessments
• Internal audit of technology enterprise
• Internal audit of high risk areas

Control Activities
• Review board for change management
• Comparison of technology initiatives to plan and return on investment
• Documentation and approval of IT plans and systems architecture
• Compliance with information and physical security standards
• Adherence to business continuity risk assessment
• Technology standards compliance enforcement

Information and Communication
• Periodic corporate communications (intranet, e-mail, meetings, mailings)
• Ongoing technology awareness of best practices
• IT performance survey
• IT and security training
• Help desk ongoing issue resolution

Risk Assessment
• IT risks included in overall corporate risk assessment
• IT integrated into business risk assessments
• Differentiate IT controls for high risk business areas/functions
• IT internal audit assessment
• IT insurance assessment

Control Environment
• Tone from the top – IT and security controls considered important
• Overall technology policy and information security policy
• Corporate Technology Governance Committee
• Technology Architecture and Standards Committee
• Full representation of all business units

Figure 5 - COSO Model for Technology Controls

The COSO Internal Control – Integrated Framework (1992) is accepted by the US Public Company Accounting Oversight Board (PCAOB) for the purpose of reporting compliance with financial reporting provisions, but it is not specific to all areas of IT. This framework is considered to be a "suitable recognized" framework to adopt for Sarbanes-Oxley compliance because it covers all areas of IT implementation, albeit at a high level of abstraction (see Figure 5, COSO Model for Technology Controls, page 18).

9.2 Monitoring IT Controls

Determining where to apply control monitoring and assessment, and their frequency, is not easy. Participation by the auditor in risk analysis exercises and implementation of a suitable control framework help ensure that the CAE has sufficient information to create a suitable audit plan to address the major IT risks.

Ultimately, management is responsible for monitoring and assessing controls. The auditor's monitoring and assessments are performed to independently attest to management's assertions regarding the adequacy of controls. Management's control monitoring and assessment activities should be planned and conducted within several categories, as follows.

9.2.1 Ongoing Monitoring

• Daily/Periodic – Some information must be checked daily to ensure controls are working as required. Management normally performs such monitoring, which traditionally involves checking data-processing control reports to reconcile satisfactory task and job completion. Such controls, where they exist, are most often automated. The CAE will ensure such management monitoring is in place and that it is subjected to internal audit assessment.

• Event-driven – Discrepancies or even frauds may result within normal processing or in special circumstances, such as where there are large-value transactions. In many IT environments, malicious attacks are likely. Consequently, specific controls should be in place to detect and report unusual activities to an entity within the organization that is chartered specifically to investigate and determine if preventive or corrective actions should be applied. Such monitoring controls are complementary to the normal controls employed and provide assurance on the effectiveness of those controls, or early warning that they may have been breached.

• Continuous – Technology now provides the ability to monitor and assess certain sensitive controls continuously. A good example of continuous monitoring is the use of intrusion detection software, which continually monitors network traffic for evidence that other protective controls, such as firewalls and virus protection, may have been breached.

9.2.2 Special Reviews

• Annual (or quarterly) control assessment – Sarbanes-Oxley legislation in the United States requires cyclical control assessments. Although the board of directors is required to make statements regarding the effectiveness of internal controls, management actually must provide the assurances to the board, and the internal and external auditors must perform sufficient audit work to attest to these assurances.

• Audit reviews – A regular program of audit reviews is still necessary despite the proliferation of new audit approaches. It is only through the formal review of infrastructure, process, and technology implementation that the CAE can assess the overall reliability and robustness of the system of internal controls. In the past, such reviews were planned on a cyclical basis. However, given the fast-changing world of IT, audit reviews should now be scheduled based on the level of risk.


Suitable Recognized Framework

"…the framework on which management's assessment of the issuer's internal control over financial reporting is based must be a suitable, recognized control framework that is established by a body or group that has followed due-process procedures, including the distribution of the framework for public comment. By far the best-known framework that meets that definition is the framework designed by The Committee of Sponsoring Organizations of the Treadway Commission, otherwise known as the COSO report, which was published in 1992."

— Scott A. Taub, Deputy Chief Accountant, US Securities and Exchange Commission (SEC), SEC and Financial Reporting Conference, Pasadena, California, May 29, 2003


10.1 What Audit Methodology to Use

A lot has changed in the 40 years that IT auditing has existed. Technology components have become smaller, faster, and cheaper, even as overall IT costs to the organization have increased significantly. The majority of business processes have been automated, typically to provide efficiencies but also to enable certain business processes that cannot be performed manually. Ubiquitous network communications, including the Internet, have eliminated any distinction between business and electronic business.

The audit process similarly has evolved to match the automation of business processes. In the early days of automation, auditors "audited around the computer." Now they use software routinely to test or analyze data and technical controls within systems.

A widely used audit approach involves operational analysis of the processing of important business transactions by automated systems. In such audits, the auditor identifies activities and information subject to control and assesses the ability of existing controls to provide reliable protection — including sufficient evidence of the reliability of controls. Because operational audits of automated business processes frequently identify internal control deficiencies, internal auditors may sometimes shift their attention to audits of — or even involvement in — the processes whereby business activities are automated, such as systems design, development and acquisition, implementation, and maintenance.

Experienced auditors develop extensive knowledge of internal controls and their strengths and weaknesses. Therefore, it is not uncommon for internal auditors to provide consulting services to the management responsible for designing and implementing internal controls. The scope and limitations on such consulting activity are prescribed in the International Standards for the Professional Practice of Internal Auditing (see http://www.theiia.org/guidance/standards-and-practices). However, internal auditor involvement in design, development, or implementation activities does not absolve management from responsibility for those activities.

Today, no specific audit methodologies can be regarded as the sole current best practice. Internal auditors adopt the methods and practices that best suit the work needed. For example:

• When performing an assessment against Sarbanes-Oxley requirements, a systems-based audit approach may be the best method.

• Fraud investigations may require the use of audit software to analyze data and look for evidence. Audit software provides strong analytical capability plus the ability to examine all relevant records and files.

• Performing annual audit work in support of the main internal audit objectives will most likely follow a risk-based approach.

10.2 Testing IT Controls and Continuous Assurance

In addition to assessing the adequacy of IT control mechanisms, regular reviews should be performed to ensure that controls continue to function as required. A traditional method used by internal auditors is to create a population of test data that can be processed through the business systems to check the results, to ensure, for example, that controls continue to accept valid data and reject incorrect and invalid items. However, given the widespread, complex, and interactive nature of business systems today, audit testing tends to focus more specifically on key automated controls and analysis of the data.

GTAG — Assessment — 10

How Auditing Contributes to IT Controls

During the past four decades there have been periods of reflection when management and auditors agreed the auditors could add value to the organization by contributing their controls expertise to development processes, to ensure appropriate controls were incorporated into new systems rather than adding controls after an audit revealed a deficiency. These activities coincided with the developments in control and risk self-assessment in the mainstream audit world. Audit consulting and risk-based auditing became widespread. The 1990s and beyond also saw dramatic increases in attention to information security management as cyber attacks increased in number and severity. These events have helped shape the role of the IT auditor, as well as the business world's recognition of the importance of effective information security management.

10.2.1 Automated Continuous Monitoring

Continuous monitoring and audit tools have been used for many years. Previously called embedded audit software, program code in business systems checks data being processed against predetermined criteria and reports anomalies it detects. The benefit of such monitoring is obvious: any discrepancies can be identified and acted upon immediately. Many proprietary business software products now provide such continuous monitoring functionality. The concept has also gone beyond business applications. For example, most firewall products and intrusion detection systems continuously check for potential attack scenarios and provide instant alerts when potential attacks are detected. This type of monitoring can cause problems due to the considerable volume of data and potential errors that are highlighted, not all of which will be worthy of attention. The task of refining the analysis techniques and monitoring thresholds requires constant vigilance to determine which alerts to highlight and which to accept as normal events.
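As an added illustration that is not from the GTAG, a small embedded audit module in Python of the kind described in 9.2.1 (event-driven detection of large-value and unusual transactions) and 10.2.1 (program code checking processed data against predetermined criteria, with the alert threshold refined against historical volume), exercised with the test-data method of 10.2. The anomaly criteria, field names, thresholds and every transaction below are constructed, not taken from the guide or any product.

```python
"""Embedded audit module: in-line checks of transaction data against predetermined
criteria (Sections 9.2.1 and 10.2.1), the test-data method of Section 10.2, and a
threshold-tuning step.  Added illustration, not from the GTAG; criteria, field
names, thresholds and all transactions are constructed."""
from dataclasses import dataclass, field
from statistics import quantiles
from typing import Optional


@dataclass
class Transaction:
    tx_id: str
    user: str                 # who posted the transaction
    approver: Optional[str]   # who approved it; None when unapproved
    amount: float
    hour: int                 # hour of day (0-23) the transaction was posted


@dataclass
class EmbeddedAuditModule:
    """Checks each transaction as the business system processes it and keeps an
    exception log for the entity chartered to investigate (Section 9.2.1)."""
    large_value: float = 10_000.0             # amounts at or above this need an approver
    business_hours: range = range(8, 19)      # 08:00 to 18:59
    seen_ids: set = field(default_factory=set)
    exceptions: list = field(default_factory=list)   # (tx_id, anomaly code) pairs

    def check(self, tx: Transaction) -> list:
        """Return the anomaly codes raised by tx; an empty list means it passes."""
        codes = []
        if tx.tx_id in self.seen_ids:
            codes.append("DUPLICATE_ID")              # double posting or replay
        self.seen_ids.add(tx.tx_id)
        if tx.amount <= 0:
            codes.append("INVALID_AMOUNT")            # input validity criterion
        if tx.amount >= self.large_value and tx.approver is None:
            codes.append("LARGE_VALUE_UNAPPROVED")    # event-driven: large-value items
        if tx.approver is not None and tx.approver == tx.user:
            codes.append("SELF_APPROVED")             # segregation of duties
        if tx.hour not in self.business_hours:
            codes.append("OUT_OF_HOURS")
        self.exceptions.extend((tx.tx_id, code) for code in codes)
        return codes

    def accepts(self, tx: Transaction) -> bool:
        """True when the control lets the transaction through without an exception."""
        return not self.check(tx)


def run_test_population() -> list:
    """Section 10.2 test-data method: push a constructed population of valid and
    invalid items through the control and record whether each one was accepted."""
    module = EmbeddedAuditModule()
    population = [
        Transaction("T1", "alice", "bob", 2_500.0, 10),     # valid
        Transaction("T2", "alice", "carol", 25_000.0, 14),  # valid: large but approved
        Transaction("T3", "dave", None, 50_000.0, 11),      # invalid: large, unapproved
        Transaction("T4", "erin", "erin", 12_000.0, 9),     # invalid: self-approved
        Transaction("T1", "alice", "bob", 2_500.0, 10),     # invalid: duplicate of T1
        Transaction("T5", "frank", "bob", -40.0, 3),        # invalid: negative, out of hours
    ]
    return [module.accepts(tx) for tx in population]


def alert_rate(history: list, threshold: float) -> float:
    """Fraction of historical amounts at or above the threshold: the alert volume
    the investigating team would have to absorb for unapproved items."""
    return sum(1 for amount in history if amount >= threshold) / len(history)


def tune_large_value_threshold(history: list, alert_percent: int) -> float:
    """Section 10.2.1 threshold refinement: place the large-value threshold at the
    percentile that leaves roughly alert_percent of historical amounts alerting."""
    # quantiles(n=100) returns the 1st..99th percentiles as cut points
    pct = min(99, max(1, 100 - alert_percent))
    return quantiles(history, n=100, method="inclusive")[pct - 1]


if __name__ == "__main__":
    print("test population accepted:", run_test_population())
    history = [float(x) for x in range(100, 10_100, 100)]   # constructed: 100..10000
    noisy, tuned = 5_000.0, tune_large_value_threshold(history, 5)
    print(f"alert rate at {noisy:.0f}: {alert_rate(history, noisy):.2f}; "
          f"tuned threshold {tuned:.0f}: {alert_rate(history, tuned):.2f}")
```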

10.2.2 Automated Internal Control Analysis Tools

Audit software can be used to analyze stored data and check its validity to ensure the continuous, reliable operation of internal controls. Originally designated audit interrogation software, products such as ACL (www.acl.com) or CaseWare IDEA (www.caseware.com) now provide sophisticated features and specific analysis that can reduce the control assessment workload while increasing effectiveness and efficiency. Spreadsheet products like Microsoft Excel also contain powerful analysis tools auditors may use.

10.2.3 Automated Risk Analysis

Tools also are available for automating the risk analysis process. These tools are invaluable to the entire internal audit function, not just the IT auditor or risk specialist. Performing a proper risk analysis in today's complex IT environments is not easy without the assistance of automated tools.

Management is responsible for performing risk assessments to determine the controls to implement or improve. Internal auditors perform similar analysis when assessing the adequacy of controls for audit plan and scope purposes. Automated tools can assist both processes. The automation of internal audit management is a major topic in its own right.

10.3 Audit Committee/Management/Audit Interfaces

It is impractical to establish rules for reporting on every special IT control situation. The CAE must apply prudent judgment when expressing an opinion or submitting a report to the audit committee. This is no different from the way the CAE interacts with the audit committee regarding other internal control issues.

The CAE will discuss internal control issues with the audit committee to determine the optimum level of information to be provided to enable the audit committee to achieve its statutory, regulatory, policy, due care, or other governance obligations.

"Metrics and reporting" and "audit report summaries" are two areas where the CAE should interact with the audit committee regarding internal controls. Further interactions will depend on the needs of the specific audit committee and any legislative or regulatory requirements.

Metrics and reporting. Metrics and reports must present meaningful information on the status of IT controls. While management provides the metrics and reporting, the CAE should be able to attest to their validity and opine on their value. This is accomplished through audit examination of the relevant control areas to produce an independent and objective assessment. The CAE should liaise with management at all levels and with the audit committee to agree on the validity and effectiveness of the metrics and assurances chosen for reporting.

A basic set of governance and management metrics for information security is included in Appendix G (see page 40). These metrics do not include specific data regarding the operation of detailed technical controls, although the technical controls may provide the information used in measurement. The actual metrics used will depend on the organization and the needs of the audit committee. The CAE can select examples of measurements taken at any level of the organization to help illustrate matters that can materially impact controls at the governance level.

Audit report summaries. Prepared on a regular basis for the audit committee, these reports summarize findings, conclusions, and opinions regarding the status of IT controls. They also can report on the agreed-upon actions from prior audit reports and the status of those actions — probably on an exception basis, for actions not taken within the designated time frame. IT controls summaries cannot be presented in isolation, but should be presented in the context of the entire internal control framework.

The frequency of reporting depends on the organization's needs. In a strong regulatory environment, such as that provided by Sarbanes-Oxley in the United States, quarterly reporting is required. Otherwise, the frequency of reporting will be driven by the organization's governance framework and philosophy, and the extent to which IT risks exist.


Figure 6 – Audit Interfaces


Assessing IT controls is an ongoing process because business processes are constantly changing, technology continues to advance, threats evolve as new vulnerabilities emerge, and audit methods keep improving. The CAE should keep assessments of IT controls that support business objectives near the top of the audit agenda.

Assessing IT controls is not a case of determining whether best practices are employed, as controls are specific to the organization's mission, objectives, culture, deployed processes and technologies, and risks. Technology should be tailored to provide effective control, and the CAE should ensure internal auditing adopts appropriate and effective methods. Auditing IT is a continuous learning process.

The CAE is rarely in a position to understand all the technologies used in his or her environment and their specific control implications. That is why properly certified and experienced IT auditors are a major asset for any internal audit function. However, the CAE should understand the overall control issues and be able to communicate them to senior management and to appropriate committees of the board of directors, in a form they will understand and in a manner that will result in an appropriate response. The key to assessing IT controls effectively is communication with technical staff, management, and board members.


GTAG — Conclusion — 11

Note: This appendix is extracted from the report of the Best Practices and Metrics team of the Corporate Information Security Working Group (CISWG), as provided on November 17, 2004, to the Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census, Government Reform Committee, US House of Representatives, and subsequently amended on January 10, 2005. Additional information may be obtained from the "Technology" section of http://www.theiia.org.

12.1 Governance (Board of Directors)

• Oversee risk management and compliance programs pertaining to information security (e.g., Sarbanes-Oxley, Health Insurance Portability and Accountability Act, Gramm-Leach-Bliley Act)

• Approve and adopt broad information security program principles and approve assignment of key managers responsible for information security

• Strive to protect the interests of all stakeholders dependent on information security

• Review information security policies regarding strategic partners and other third parties

• Strive to ensure business continuity

• Review provisions for internal and external audits of the information security program

• Collaborate with management to specify the information security metrics to be reported to the board

12.2 Management

• Establish information security management policies and controls and monitor compliance

• Assign information security roles, responsibilities, and required skills, and enforce role-based information access privileges

• Assess information risks, establish risk thresholds, and actively manage risk mitigation

• Ensure implementation of information security requirements for strategic partners and other third parties

• Identify and classify information assets

• Implement and test business continuity plans

• Approve information systems architecture during acquisition, development, operations, and maintenance

• Protect the physical environment

• Ensure internal and external audits of the information security program, with timely follow-up

• Collaborate with security staff to specify the information security metrics to be reported to management

12.3 Technical

Establishing a complete information security program requires attention to the following technical program elements:

• User identification and authentication

• User account management

• User privileges

• Configuration management

• Event and activity logging and monitoring

• Communications, e-mail, and remote access security

• Malicious code protection, including viruses, worms, and trojans

• Software change management, including patching

• Firewalls

• Data encryption

• Backup and recovery

• Incident and vulnerability detection and response

• Collaboration with management to specify the technical metrics to be reported to management

23

GTAG mdash Appendix A mdash Information Security Program Elements mdash 12

There is an increasing volume of legislation impacting on the internal control framework that organizations choose to implement. Although much of this legislation has emerged over recent years in the United States as a result of various corporate scandals, it has impacted organizations in other countries as well. Organizations should be aware of the relevant legislation, regulation, and business practices around the world — particularly in all countries in which they do business — to assess the organizational impacts and requirements.

For example, data protection legislation in Europe inhibits the transfer of information across borders to countries that do not have comparable data-protection regulation in place. This impacts trading relationships where the information to be transferred refers to identifiable individuals. Sarbanes-Oxley contains requirements for reporting on the system of internal controls for all organizations publicly traded in the United States, as well as their foreign subsidiaries.

This appendix provides a summary of requirements and the impact of some of the major legislation and regulation that should be considered in assessing and managing IT controls. Although this GTAG is aimed at a global audience, it covers Sarbanes-Oxley in some depth because it is one of the most significant pieces of legislation to emerge in recent years. The Organisation for Economic Co-operation and Development (OECD) Corporate Governance Principles provide a general framework for the implementation of business controls. The Basel II Accords have a major impact on the international financial sector, and many have suggested Basel II guidance may also influence other sectors.

13.1 U.S. Sarbanes-Oxley Act of 2002

Sarbanes-Oxley (http://www.theiia.org/iia/guidance/issues/sarbanes-oxley.pdf) was intended to reform public accounting practices and other corporate governance processes, and to shore up the capital markets in the wake of the Enron and WorldCom corporate governance scandals. The PCAOB provides a comprehensive collection of information and advice on Sarbanes-Oxley at its Web site (http://www.sarbanes-oxley.com). The key requirements of Sarbanes-Oxley, the SEC, and U.S. stock listing exchanges are fully compared and contrasted in an IIA Research Foundation analysis titled "Assessment Guide for U.S. Legislative, Regulatory, and Listing Exchanges Requirements Affecting Internal Auditing" (www.theiia.org/iia/download.cfm?file=519).

However, Sarbanes-Oxley does not address the issue of IT controls specifically. This does not mean IT can be ignored when performing the compliance reviews required by the act. The act is neutral with regard to technology, but the implication is clear that IT controls are critical to an organization's overall system of internal controls. As IT controls address the secure, stable, and reliable performance of hardware, software, and personnel to ensure the reliability of financial applications, processes, and reporting, they must be a significant element of compliance reviews.

Some key IT control areas have been interpreted as not being incorporated in Sarbanes-Oxley compliance. These include privacy, business continuity, business systems, data classification, and information not specific to financial processing and reporting. Therefore, any audit specifically limited to Sarbanes-Oxley compliance will not assess all the risks faced by the organization and must be supplemented to ensure full audit coverage of the organization's risk management and internal controls.

Tools and resources for corporate governance initiatives and current legislation can be found on The IIA's Web site at http://www.theiia.org/iia/index.cfm?doc_id=4061.

13.1.1 Sarbanes-Oxley Sections Relevant to IT Controls

The following briefly describes the sections of Sarbanes-Oxley that relate to auditors and IT controls.

13.1.1.1 Sections 103 and 802

These sections establish rules for the public accounting firm relating to the audit and report. In particular, they require the board to establish standards for the audit work. They also require auditors to test the internal control structures and attest to the strength of those structures. This review must include a thorough examination of the IT controls that are fundamental to the system of internal control over financial reporting.

One specific requirement relates to the retention of records "that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets." Again, this is influenced greatly by the way in which IT records are maintained and retained.

13.1.1.2 Section 201

This section requires that external auditors be independent. This precludes them from performing work for a client in the capacity of IT consultants or providing outsourced internal audit services. Organizations that do not wish to employ their own IT auditors cannot outsource the work to their external auditors.

13.1.1.3 Section 301

Section 301 defines the need for audit committee members to be independent and precludes them from performing any other consulting work on behalf of the organization. It also requires audit committees to establish procedures to handle "confidential, anonymous submission by employees of the issuer of concerns regarding questionable accounting or auditing matters" (whistle-blower complaints). This would also relate to any issues arising from the control of IT.

GTAG — Appendix B — Compliance With Laws and Regulations and Guidance on Compliance Implementation — 13

13.1.1.4 Sections 302 and 404

Section 302 of the act requires the CEO and CFO — who are responsible for financial information and the system of internal controls — to evaluate the system of internal controls every 90 days and report on their conclusions and any changes.

They must disclose:

• "All significant deficiencies in the design or operation of internal controls that could adversely affect the issuer's ability to record, process, summarize, and report financial data, and identify for the issuer's auditors any material weaknesses in internal controls."
• "Any fraud, whether or not material, that involves management or other employees who have a significant role in the issuer's internal controls."

Section 404 requires the CEO and CFO to produce an annual audit report that:

• Assesses the effectiveness of the internal control structure over financial reporting.
• Discloses all known internal control weaknesses.
• Discloses all known frauds.

This report will cover all applicable IT controls, including program logic and related change controls, access controls, and data protection. The PCAOB Auditing Standard No. 2 suggests the COSO Internal Control – Integrated Framework as a basis for Section 404 compliance management. References to Statement of Auditing Standards (SAS) 95 also emphasize the importance of IT and information security controls to Sarbanes-Oxley.

13.1.1.5 Section 409

Section 409 requires organizations to disclose any material changes to operations in real time and in plain English. Some contend these requirements establish a foundation or need for continuous monitoring, auditing, and assurance processes to become part of significant internal control processes.

13.2 Basel II Accord

The Basel II Accord is a global regulatory treaty that defines the global standards for enterprisewide risk management practices in the financial sector, with the intent to mitigate risks of losses in the industry. The focus is on the banking sector, but there is a clear intent to harmonize standards across all segments of the industry. All areas of bank operations are included — people, processes, systems, governance, and supplier management.

A bank willing to qualify for the Advanced Measurement Approach (AMA) under the Operational Risk (OR) Treaty must implement best practice in operations and risk management. For risk management, this means:

• Senior management is actively involved.
• The bank has an OR management system, processes, policies, and procedures enterprisewide.
• The bank has the right governance and sufficient resources to manage operational risks.
• The bank has an OR management function that is responsible for:
  – Designing and implementing the OR management framework.
  – Codifying policies, procedures, and controls.
  – Designing and implementing an OR measurement methodology.
  – Designing and implementing an OR management reporting system.
  – Developing strategies to identify, measure, monitor, and control or mitigate OR.
• An OR measurement system is closely integrated into the day-to-day risk management process.
• The OR exposures and loss experiences are regularly reported.
• The OR management system is documented.
• Internal and external auditors regularly review the OR management processes and measurement system.

Key to success in OR management is an information system that supports OR exposure self-assessment, allows process mapping, consists of an OR loss database and reporting function, and entails an action-plan management function.

The Basel Committee does not specify the approach or distributional assumptions to be used to generate the OR measure for regulatory capital purposes. However, the framework allows for three basic approaches that essentially are dependent on the quality and quantity of risk management data. Whereas using more data and historical metrics to prove good performance may allow banks to maintain less capital reserves and to quantify OR, the banks must be able to demonstrate that their approaches capture potentially severe "tail" loss events (severe, unexpected losses). Moreover, consistency with the scope of OR as defined by the Basel Committee is required.

First, a bank's organization-wide risk assessment methodologies must capture key business, environmental, and internal control factors that can change its OR profile. In addition, the bank should have a process for assessing overall capital adequacy.

Next, the risk measurement system must be granular enough to capture the tails of the loss estimates. Banks are expected to use expert opinion in conjunction with external data for scenario analysis to evaluate their exposure to high-severity events. Because a bank does not have enough of its own data in the area of high-impact, low-frequency risks, it must acquire data from an external provider, such as Zurich-based ORX, Global Operational Loss Database (GOLD), or MORE Exchange.

The banks must have a credible, transparent, well-documented, and verifiable approach for weighting these fundamental elements in their overall OR measurement system. There are additional prerequisites to qualify for the AMA:

• Internal loss and performance data — successes, near misses, and failures — all must be tracked and accounted for (reconciled to the books of the bank).
• Internal loss data must be linked to the bank's current business activities.
• An observation period of at least five years is required for internal loss data, with a minimum of three years necessary when moving to AMA.
• According to the internal loss collection process:
  – OR losses related to credit risk and historically included in banks' credit risk databases continue to be treated as credit risk for the purpose of calculating minimum regulatory capital under this framework. Such losses should be flagged separately.
  – OR losses related to market risk are treated as OR for the purposes of calculating minimum regulatory capital under this framework and are subject to the OR capital charge.
• The OR measurement system must use relevant external data.

Third, Basel II disclosure requires banks to describe their risk management objectives and policies for each separate risk area, including:

• Strategies and processes.
• Structure and organization of the risk management function.
• Scope and nature of risk reporting.
• Policies for hedging and mitigating risks (including operations).

Note: The BITS Key Risk Measurement Tool for Information Security Operational Risks, or "BITS Kalculator" (http://www.bitsinfo.org/bitskalculatorjuly04.pdf), is a tool financial institutions of all sizes can use to evaluate critical information security risks to their businesses. It can be downloaded at no cost from the BITS Web site (http://www.bitsinfo.org/wp.html).

13.3 Data Protection

The concept of data protection was developed when computerization issues were raised at United Nations and OECD conferences in the late 1960s. The first national law was enacted in 1974 in Sweden, and the OECD published its Data Protection Guidelines in 1980 (OECD C(80)58 final). Regional bodies like the Council of Europe (Data Protection Convention 108, 1981, human rights-based) and the European Commission (EC) (Directive 95/46/EC, consumer protection-oriented) have enacted binding frameworks for implementation in their member states. Depending on their legal system, many countries around the globe have constitutional provisions and omnibus laws or a broad spectrum of sector regulations for data protection. To bridge the differences in U.S. and European Union (EU) privacy regulations, the EC and the U.S. Department of Commerce developed a safe harbor framework for U.S. companies. The safe harbor is a framework agreement consisting of seven principles and a series of frequently asked questions. (See also http://www.was4.hewitt.com/hewitt/resource/legislative_updates/europe/eu_data1.htm.)

The EU legislation requires organizations to protect the personal information of individuals. The legislation also mandates that appropriate technical measures be taken to ensure the security of personal data, whether electronic or manual. Further information regarding data protection can be found at the Electronic Privacy Information Center (EPIC) (http://www.epic.org), Privacy International (http://www.privacyinternational.org), and the UK Office of the Information Commissioner (http://www.informationcommissioner.gov.uk).

13.4 The U.S. Gramm-Leach-Bliley Act (GLBA) – The Financial Modernization Act of 1999

The GLBA was introduced to protect the privacy of customer information in the financial sector, but it extends beyond financial companies. Any company that handles non-public financial customer information may be held accountable under this law, depending on the circumstances. More information is available from EPIC (http://www.epic.org/privacy/glba) and the U.S. Federal Trade Commission (http://www.ftc.gov/bcp/conline/pubs/buspubs/glblong.shtm#whois).

13.5 U.S. Health Insurance Portability and Accountability Act (HIPAA) 1996

HIPAA contains requirements for the privacy of personal information and for information security. The law applies to U.S.-based companies in the health care sector, but can also pertain to any company that provides health care benefits to employees, depending on the circumstances. Further details can be found at http://www.hipaa.org.

13.6 California Security Breach Information Act, Civil Code Sections 1798.29 and 1798.82 (Frequently Referenced by the Bill – CA SB 1386)

California's State Bill 1386 amended the Information Practices Act of 1977 of the California Civil Code to create a sweeping regulation that mandates public disclosure of computer-security breaches in which confidential information of any California resident may have been compromised. Every enterprise — public or private — doing business with California residents is potentially affected. Confidential information covered by the law includes Social Security numbers, California driver's license numbers, account numbers, and credit or debit card numbers. A more detailed article on this regulation can be found at http://www.theiia.org/itaudit/index.cfm?fuseaction=forum&fid=5501. Although case law for this legislation is not cited here, some discussions on the subject have indicated the courts may not view an organization's statement favorably if it treats its California customers differently from its other customers.


13.7 Global National Regulations

Many countries have national regulations covering internal control, including Germany (KonTraG risk management requirement) and France (LSF internal control reporting requirement). In addition, external auditors may be required to certify the adequacy of financial reporting mechanisms and controls. Although most of these regulations do not address IT directly, they imply the need for an adequately controlled IT infrastructure. For this reason, many national bodies of the International Federation of Accountants (IFAC) provide detailed guidance for evaluating IT controls.

GTAG — Appendix C — Three Categories of IT Knowledge for Internal Auditors — 14

14.1 Auditor Knowledge Considerations

Standard 1210 – Proficiency of The IIA's Standards requires that the internal audit activity collectively should possess or obtain the knowledge, skills, and other competencies needed to perform its responsibilities.[4] Varying levels of IT knowledge are needed throughout the organization to provide a systematic, disciplined approach to evaluating and improving the effectiveness of risk management, control, and governance processes. Knowledge of how IT is used, the related risks, and the ability to use IT as a resource in the performance of audit work is essential for auditor effectiveness at all levels.

The IIA's International Advanced Technology Committee has identified three categories of IT knowledge for internal auditors.

14.1.1 Category 1 – All Auditors

Category 1 is the knowledge of IT needed by all professional auditors, from new recruits up through the CAE. Basic IT knowledge encompasses understanding concepts such as the differences in software used in applications, operating systems and systems software, and networks. It includes comprehending basic IT security and control components such as perimeter defenses, intrusion detection, authentication, and application system controls. Basic knowledge includes understanding how business controls and assurance objectives can be impacted by vulnerabilities in business operations and the related and supporting systems, networks, and data components. It is fundamentally about ensuring that auditors have sufficient knowledge to focus on understanding IT risks without necessarily possessing significant technical knowledge.

14.1.2 Category 2 – Audit Supervisors

Category 2 applies to the supervisory level of auditing. In addition to having basic IT knowledge, audit supervisors must understand IT issues and elements sufficiently to address them in audit planning, testing, analysis, reporting, follow-up, and assigning auditor skills to the elements of audit projects. Essentially, the audit supervisor must:

• Understand the threats and vulnerabilities associated with automated business processes.
• Understand business controls and risk mitigation that should be provided by IT.
• Plan and supervise audit tasks to address IT-related vulnerabilities and controls, as well as the effectiveness of IT in providing controls for business applications and environments.
• Ensure the audit team has sufficient competence — including IT proficiency — for audits.
• Ensure the effective use of IT tools in audit assessments and testing.
• Approve plans and techniques for testing controls and information.
• Assess audit test results for evidence of IT vulnerabilities or control weaknesses.
• Analyze symptoms detected and relate them to causes that may have their sources in business or IT planning, execution, operations, change management, authentication, or other risk areas.
• Provide audit recommendations based on business assurance objectives appropriate to the sources of problems noted, rather than simply reporting on problems or errors detected.

14.1.3 Category 3 – Technical IT Audit Specialists

Category 3 applies to the technical IT audit specialist. Although IT auditors may function at the supervisory level, they must understand the underlying technologies supporting business components and be familiar with the threats and vulnerabilities associated with the technologies. IT auditors also may specialize in only certain areas of technology.

IIA programs and products are designed primarily to meet the information needs of the Category 1 and 2 auditor. The Category 1 auditor will seek IIA guidance in relating IT threats, vulnerabilities, and controls to business assurance objectives. IIA products also provide information that can be useful in explaining the business impacts of technical problems. In addition, IIA products can help Category 3 technical IT auditors gain proficiency in areas of technology with which they are not already familiar and in striving to reach supervisory or management audit competence.

The SANS Institute provides information security training and awards Global Information Assurance Certification (GIAC) relevant to information security professionals, including auditors. The course offerings and accompanying certifications match the growing demands of students, new threats, and new technologies. GIAC certifications (http://www.giac.org/subject_certs.php) are grouped by subject matter and level of difficulty. Some are full certifications that accompany five- to six-day training courses, while others are certificates related to one- to two-day courses. Certificates are less involved but more intensely focused than certifications.

Also of interest and benefit to all categories of IT auditor are the materials provided by the Information Systems Audit and Control Association (ISACA). ISACA offers standards, guidelines, and procedures for IT audit professionals; technical research focused on IT audit topics; the Certified Information Systems Auditor (CISA) certification, earned by more than 35,000 individuals worldwide; and publications, education, and conferences targeted to IT audit professionals.

[4] Note: The "Three Categories of IT Knowledge for Internal Auditors" document is not part of The IIA's Standards but is practical guidance provided by The IIA's International Advanced Technology Committee.

GTAG — Appendix D — Compliance Frameworks — 15

15.1 COSO

Formed in 1985, COSO is an independent private-sector initiative that studied the factors that can lead to fraudulent financial reporting and developed recommendations for public companies and their independent auditors, the SEC and other regulators, and educational institutions. COSO produced the Internal Control – Integrated Framework (see Appendix E, page 36), a widely accepted tool for both management and auditors, in September 2004, and it published Enterprise Risk Management – Integrated Framework in fall 2004. Details of both frameworks can be found at http://www.coso.org.

15.2 CICA CoCo

The Canadian Institute of Chartered Accountants (CICA) produced the Criteria of Control Framework (CoCo) in 1992 to address public and institutional concerns that the traditional view of control was no longer effective in preventing corporate failures. The mission of CoCo is to improve organizational performance and decision making through better understanding of control, risk, and governance. Moreover, the framework provides a basis for making judgments about the effectiveness of control.

In 1995, Guidance on Control was produced, which describes the CoCo framework and defines control in a way that goes beyond the traditional internal control over financial reporting. The CoCo model is a way of focusing on the future of an organization to ensure it is in control by having a clear sense of shared purpose, collective commitment to achieve that purpose, the resources it needs to do the job, and the ability to learn from experience.

15.3 CICA IT Control Guidelines

The IT Control Guidelines published by the CICA is a reference source for evaluating IT controls. It is organized in a manner that is easy to use and written in straightforward business language.

15.4 ITGI Control Objectives for Information and Related Technology (CobiT)

Established in 1998, the IT Governance Institute (ITGI) provides guidance on current and future issues related to IT governance, security, and assurance. The ITGI's leading guidance publication is Control Objectives for Information and Related Technology (CobiT) (see Appendix F). ITGI's CobiT provides a reference framework and common language across the entire information systems life cycle for IS and business leaders and IS audit, control, and security practitioners. CobiT is one of the most popular and internationally accepted sets of guidance materials for IT governance.

15.5 ISO 17799 (Code of Practice for Information Security Management)

ISO/IEC 17799:2000(E), promulgated by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), defines information security principles that ultimately can provide assurance to trading partners and regulators that an organization's information is protected properly. Derived from the British Standards Institution's BS 7799 standard, the Code of Practice for Information Security Management is built around specific security elements required within 10 areas, including physical and environmental security, communication and operational management, and access control. Although, as a code of practice, ISO/IEC 17799:2000 provides guidance and recommendations, it is not intended to be a specification, and care should be taken to ensure that claims of compliance are not misleading.

The original BS 7799 standard has two parts:

• Part 1 is the Code of Practice and is identical to ISO/IEC 17799:2000.
• Part 2 is a specification for implementing an information security management system (ISMS).

To comply with BS 7799 Part 2 (BS 7799-2:2002), an organization's installed ISMS must conform to the set of requirements described in the standard, which are in the form of "shall" statements. Third-party bodies have been accredited to certify or register organizations to BS 7799-2:2002.

15.5.1 What Is Information Security?

BS 7799 treats information as an asset which, like other important business assets, has value to an organization and consequently needs to be protected. Information security protects information from a wide range of threats to ensure business continuity, minimize business damage, and maximize return on investments and business opportunities.

Information can exist in many forms: printed or written on paper, stored electronically, transmitted by post or using electronic means, shown on films, or spoken in conversation. Whatever form the information takes, or means by which it is shared or stored, BS 7799 indicates that it always should be protected appropriately.

Information security is characterized within BS 7799 as the preservation of:

• Confidentiality – ensuring that information is accessible only to those authorized to have access.
• Integrity – safeguarding the accuracy and completeness of information and processing methods.
• Availability – ensuring that authorized users have access to information and associated assets when required.

Information security is achieved by implementing a suitable set of controls from BS 7799, which could be policies, practices, procedures, organizational structures, and software functions. These controls should be established to ensure the specific security objectives of the organization are met.

15.5.2 How to Establish Security Requirements

BS 7799 states that it is essential that an organization identify its security requirements. There are three main sources:

• Assessing risks to the organization. BS 7799 does not prescribe a methodology.
• The legal, statutory, regulatory, and contractual requirements that an organization, its trading partners, contractors, and service providers have to satisfy.
• The particular set of principles, objectives, and requirements for information processing that an organization has developed to support its operations.

15.5.3 Assessing Security Risks

BS 7799 suggests that security requirements be identified by a methodical assessment of security risks. Expenditure on controls should be balanced against the business harm likely to result from security failures. The process of assessing risks and selecting controls may need to be performed a number of times to cover different parts of the organization or individual information systems, and it is important to review security risks and implemented controls periodically.

15.5.4 Selecting Controls

Once security requirements have been identified, controls from BS 7799 should be selected and implemented to ensure risks are reduced to an acceptable level. Controls should be selected based on the cost of implementation in relation to the risks being reduced and the potential losses if a security breach occurs. Nonmonetary factors, such as loss of reputation, should also be taken into account. For more information on BS 7799, see http://www.bs7799-iso17799.com.

15.5.5 Topics Addressed in BS 7799

1. Scope
2. Terms and definitions
3. Security policy
   3.1 Information security policy document
   3.2 Review and evaluation
4. Security organization
   4.1 Information security infrastructure
   4.2 Security of third-party access
   4.3 Outsourcing
5. Asset classification and control
   5.1 Accountability for assets
   5.2 Information classification
6. Personnel security
   6.1 Security in job definition and resourcing
   6.2 User training
   6.3 Responding to security incidents and malfunctions
7. Physical and environmental security
   7.1 Secure areas
   7.2 Equipment security
   7.3 General control
8. Communications and operations management
   8.1 Operational procedures and responsibilities
   8.2 System planning and acceptance
   8.3 Protection against malicious software
   8.4 Housekeeping
   8.5 Network management
   8.6 Media handling and security
   8.7 Exchanges of information and software
9. Access control
   9.1 Business requirement for access control
   9.2 User access management
   9.3 User responsibilities
   9.4 Network access control
   9.5 Operating system access control
   9.6 Application access control
   9.7 Monitoring system access and use
   9.8 Mobile computing and teleworking
10. Systems development and maintenance
   10.1 Security requirements of systems
   10.2 Security in application systems
   10.3 Cryptographic controls
   10.4 Security of system files
   10.5 Security in development and support processes
11. Business continuity management
   11.1 Business continuity management process
12. Compliance
   12.1 Compliance with legal requirements
   12.2 Reviews of security policy and technical compliance
   12.3 System audit considerations

15.6 ISF Standard of Good Practice for Information Security

The Information Security Forum (ISF) Standard of Good Practice for Information Security aims at managing the risks associated with every aspect of information systems, irrespective of an organization's market sector, size, or structure. The standard, prepared by ISF's global working groups, is a publicly available document split into five key areas: security management, critical business applications, computer installations, networks, and systems development. For more information and details, see http://www.isfsecuritystandard.com.

15.7 Generally Accepted Information Security Principles (GAISP)

The Generally Accepted Information Security Principles (GAISP) culls best practice from all other similar frameworks. Developed in 1991 as the Generally Accepted System Security Principles, GAISP provides a comprehensive hierarchy of guidance for securing information and supporting technology, including:

• Pervasive Principles – board-level guidance.
• Broad Functional Principles – designed for executive-level information management (exposure draft distributed September 1999).

GTAG mdash Appendix D mdash Compliance Frameworks mdash 15

bull Detailed Principles ndash guidance for operational infor-mation security management (under development)

GAISP is now being developed by the Information SystemsSecurity Association (ISSA) (httpwwwissaorg) whichcan provide details

15.7.1 Pervasive Principles

The Pervasive Principles address the confidentiality, integrity, and availability of information. They provide general guidance to establish and maintain the security of information and supporting technology.

• Accountability Principle – Information security accountability and responsibility must be defined clearly and acknowledged.
Rationale – Accountability characterizes the ability to audit the actions of all parties and processes that interact with information. Roles and responsibilities should be clearly defined, identified, and authorized at a level commensurate with the sensitivity and criticality of information. The relationship between all parties, processes, and information must be defined clearly, documented, and acknowledged by all parties. All parties must have responsibilities for which they are held accountable.

• Awareness Principle – All parties with a need to know — including but not limited to information owners and information security practitioners — should have access to available principles, standards, conventions, or mechanisms for securing information and information systems, and should be informed of applicable threats to the security of information.
Rationale – This principle applies between and within organizations. Awareness of information security principles, standards, conventions, and mechanisms enhances and enables controls and can help to mitigate threats. Awareness of threats and their significance also increases user acceptance of controls. Without awareness of the necessity for particular controls, users can pose a risk to information by ignoring, bypassing, or overcoming existing control mechanisms. The awareness principle applies to unauthorized and authorized parties.

• Ethics Principle – Information should be used, and information security should be administered, in an ethical manner.
Rationale – Information systems pervade our societies. Rules and expectations are evolving with regard to the appropriate provision and use of information systems and the security of information. Use of information and information systems should match the expectations established by social norms and obligations.

• Multidisciplinary Principle – Principles, standards, conventions, and mechanisms for securing information and information systems should address the considerations and viewpoints of all interested parties.
Rationale – Information security is achieved by the combined efforts of information owners, users, custodians, and information security personnel. Decisions made with due consideration of all relevant viewpoints and technical capabilities can enhance information security and receive better acceptance.

• Proportionality Principle – Information security controls should be proportionate to the risks of modification, denial of use, or disclosure of information.
Rationale – Security controls should be commensurate with the value and vulnerability of information assets. Consider the value, sensitivity, and criticality of the information, as well as the probability, frequency, and severity of direct and indirect harm or loss. This principle recognizes the value of approaches to information security ranging from prevention to acceptance.

• Integration Principle – Principles, standards, conventions, and mechanisms for the security of information should be coordinated and integrated with each other and with the organization's policies and procedures to create and maintain security throughout an information system.
Rationale – Many information security breaches involve the compromise of more than one safeguard. The most effective control measures are components of an integrated system of controls. Information security is most efficient when planned, managed, and coordinated throughout the organization's system of controls and the life of the information.

• Timeliness Principle – All accountable parties should act in a timely, coordinated manner to prevent or respond to breaches of and threats to the security of information and information systems.
Rationale – Organizations should be able to coordinate and act swiftly to prevent or mitigate threat events. This principle recognizes the need for the public and private sectors to jointly establish mechanisms and procedures for rapid and effective threat-event reporting and handling. Access to threat-event history could support effective response to threat events and may help prevent future incidents.

Figure 7 – Security Management

• Assessment Principle – The risks to information and information systems should be assessed periodically.
Rationale – Information and security requirements vary over time. Organizations periodically should assess the information, its value, and the probability, frequency, and severity of direct and indirect harm or loss. Periodic assessment identifies and measures the variances from available and established security measures and controls, such as those articulated in the GAISP, as well as the risk associated with such variances. It also enables accountable parties to make informed information risk management decisions about accepting, mitigating, or transferring the identified risks with due consideration of cost effectiveness.

• Equity Principle – Management shall respect the rights and dignity of individuals when setting policy and when selecting, implementing, and enforcing security measures.
Rationale – Information security measures implemented by an organization should not infringe upon the obligations, rights, and needs of legitimate users, owners, and others affected by the information when exercised within the legitimate parameters of the mission objectives.

15.8 AICPA/CICA Trust Services Principles and Criteria

The American Institute of Certified Public Accountants (AICPA) Assurance Services Executive Committee and the CICA Assurance Services Development Board developed the Trust Services Principles and Criteria to address the risks and opportunities of IT. Trust Services Principles and Criteria set out broad statements of principles and identify specific criteria that should be achieved to meet each principle. The principles are broad statements of objectives. Criteria are benchmarks used to measure and present the subject matter, and against which the practitioner can evaluate the subject matter. In the Trust Services Principles and Criteria, the criteria are supported by a list of illustrative controls. The Trust Services Principles and Criteria are organized into four broad areas:

• Policies – The organization has defined and documented its policies [5] relevant to the particular principle.

• Communications – The organization has communicated its defined policies to authorized users.

• Procedures – The organization uses procedures to achieve its objectives in accordance with its defined policies.

• Monitoring – The organization monitors the system and takes action to maintain compliance with its defined policies.

Following are summaries of the Trust Services Security, Availability, Processing Integrity, Privacy, Confidentiality, and Certification Authority Principles and Criteria. The Trust Services Principles and Criteria can be used to deliver branded SysTrust and WebTrust engagements, which are assurance services designed for a wide variety of IT-based systems. Upon attainment of an unqualified assurance report, the organization would be entitled to display a SysTrust or WebTrust Seal and accompanying auditor's report. In addition, the framework can be used to provide advisory and consulting services. For a detailed listing of the Trust Services Principles and Criteria, see http://www.aicpa.org/trustservices.

15.8.1 Security Principle – The system is protected against unauthorized access (both physical and logical)

In e-commerce and other systems, the respective parties must ensure that information provided is available only to those individuals who need access to complete the transaction or services, or to follow up on questions or issues that may arise. Information provided through these systems is susceptible to unauthorized access during transmission and while it is stored on the other party's systems. Limiting access to the system components helps prevent potential abuse of the system, theft of resources, misuse of software, and improper access to or use, alteration, destruction, or disclosure of information. Key elements for protecting system components include permitting authorized access and preventing unauthorized access to those components.

15.8.2 Availability Principle – The system is available for operation and use as committed or agreed

The availability principle refers to the accessibility to the system, products, or services as advertised or committed by contract or by service-level and other agreements. This principle does not, in itself, set a minimum acceptable performance level for system availability. Instead, the minimum performance level is established by mutual agreement (contract) between the parties.

Although system availability, functionality, and usability are connected, the availability principle does not address system functionality (the specific functions a system performs) and system usability (the ability of users to apply system functions to specific tasks or problems). It does address system availability, which relates to whether or not the system is accessible for processing, monitoring, and maintenance.

[5] The term policies refers to written statements that communicate management's intent, objectives, requirements, responsibilities, and standards for a particular subject. Some policies may be described explicitly as such, being contained in policy manuals or similarly labeled documents. However, some policies may be contained in documents without such explicit labeling, including, for example, notices or reports to employees or outside parties.

[6] Although some privacy regulations use the term principle, the term component is used in the AICPA/CICA Trust Services Principles and Criteria Framework to represent that concept, because the term principle previously has been defined in the Trust Services literature.

15.8.3 Processing Integrity Principle – System processing is complete, accurate, timely, and authorized

Processing integrity exists if a system performs its intended function in an unimpaired manner, free from unauthorized or inadvertent manipulation. Completeness generally indicates that all transactions and services are processed or performed without exception, and that transactions and services are not processed more than once. Accuracy includes assurances that key information associated with the submitted transaction will remain accurate throughout the processing of the transaction, and that the transaction or services are processed or performed as intended. The timeliness of the provision of services or the delivery of goods is addressed in the context of commitments made for such delivery. Authorization includes assurances that processing is performed in accordance with the required approvals and privileges defined by policies governing system processing.

The risks associated with processing integrity are that the party initiating the transaction will not complete the transaction or provide the service correctly and in accordance with the desired or specified request. Without appropriate processing-integrity controls, the buyer may not receive the goods or services ordered, may receive more than requested, or may receive the wrong goods or services altogether. However, if appropriate processing-integrity controls exist and are operational within the system, the buyer can be reasonably assured of receiving the correct goods and services, in the correct quantity and price, by the promised date. Processing integrity addresses all of the system components, including procedures to initiate, record, process, and report the information, product, or service that is the subject of the engagement. The nature of data input in e-commerce systems typically involves the user entering data directly over Web-enabled input screens or forms, whereas in other systems the nature of data input can vary significantly. Because of this difference in data-input processes, the nature of controls over the completeness and accuracy of data input in e-commerce systems may be somewhat different than for other systems.

Processing integrity differs from data integrity because it does not imply automatically that the information stored by the system is complete, accurate, current, and authorized. If a system processes information from sources outside of the system's boundaries, an organization can establish only limited controls over the completeness, accuracy, authorization, and timeliness of the information submitted for processing. Errors that may have been introduced into the information and control procedures at external sites typically are beyond the organization's control. When the information source is excluded explicitly from the description of the system that defines the engagement, it is important to detail that exclusion in the system description. In other situations, the data source may be an inherent part of the system being examined, and controls over the completeness, accuracy, authorization, and timeliness of information submitted for processing would be included in the scope of the system as described.

15.8.4 Privacy Principle and Components – Personal information is collected, used, retained, and disclosed in conformity with the commitments in the organization's privacy notice and with the AICPA/CICA Trust Services Privacy Criteria

The Privacy Principle contains 10 components [6] and related criteria that are essential to the proper protection and management of personal information. These privacy components and criteria are based on fair information practices included in privacy laws and regulations of various jurisdictions around the world and many recognized good privacy practices. The privacy components are:

• Management – The organization defines, documents, communicates, and assigns accountability for its privacy policies and procedures.

• Notice – The organization provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained, and disclosed.

• Choice and consent – The organization describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use, and disclosure of personal information.

• Collection – The organization collects personal information only for the purposes identified in the notice.

• Use and retention – The organization limits the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent. The organization retains personal information only as long as necessary to fulfill the stated purposes.

• Access – The organization provides individuals with access to their personal information for review and update.

• Disclosure to third parties – The organization discloses personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual.

• Security – The organization protects personal information against unauthorized access, both physical and logical.

• Quality – The organization maintains accurate, complete, and relevant personal information for the purposes identified in the notice.

• Monitoring and enforcement – The organization monitors compliance with its privacy policies and procedures and has processes to address privacy-related complaints and disputes.

15.8.5 Confidentiality Principle – Information designated as “confidential” is protected as committed or agreed

The confidentiality principle focuses on information designated “confidential.” There is no widely recognized definition of confidential information, unlike personally identifiable information, which many countries currently are defining through regulation. In the course of communicating and transacting business, partners often exchange information they require to be maintained on a confidential basis. In most instances, the respective parties wish to ensure that the information they provide is available only to those individuals who need access to complete the transaction or resolve any questions that arise. To enhance business partner confidence, it is important to inform the partner about the organization's confidentiality practices, including those for providing authorized access to, use of, and sharing of information designated as confidential.

Information that may be subject to confidentiality includes:

• Transaction details
• Engineering drawings
• Business plans
• Banking information about businesses
• Inventory availability
• Bid or ask prices
• Price lists
• Legal documents
• Client and customer lists
• Revenue by client and industry

Unlike personal information, there are no defined rights for accessing confidential information to ensure its accuracy and completeness. Interpretations of what is considered confidential information can vary significantly from business to business and are driven by contractual arrangements in most cases. As a result, those engaged in business relationships need to understand what information will be maintained on a confidential basis and what, if any, rights of access or other expectations an organization might have for updating that information to ensure its accuracy and completeness.

Information that is provided to another party is susceptible to unauthorized access during transmission and while it is stored on the other party's computer systems. For example, an unauthorized party may intercept business partner profile information and transaction and settlement instructions while they are being transmitted. Controls such as encryption can be used to protect the confidentiality of this information during transmission, while firewalls and rigorous access controls can help protect the information while it is stored on computer systems.

15.8.6 Certification Authority (CA) Principle

The certification authority discloses its key and certificate life cycle-management, business, and information privacy practices and provides its services in accordance with these practices. This includes the concepts of CA business-practice disclosures, service integrity, and environmental controls.

15.9 IIA Systems Assurance and Control (SAC)

The IIA provides the SAC model. The SAC model sets the stage for effective technology risk management by giving companies a framework to guide an evaluation of the e-business control environment. SAC recognizes the importance of governance — both within an organization and between business partners — to ensure effective security, auditability, and control of information. SAC provides current information to understand, monitor, assess, and mitigate technology risks. SAC examines risks in all business system components, including customers, competitors, regulators, and partners. Full details of the model can be found at http://www.theiia.org/eSAC/index.cfm, with a detailed discussion of the model at www.theiia.org/itaudit/index.cfm?fuseaction=forum&fid=411.

15.10 Corporate Governance

15.10.1 OECD Principles of Corporate Governance

The OECD Principles of Corporate Governance, amended in April 2004, set out a framework for good practice that has been agreed to by all 30 OECD member countries and has become a generally accepted standard (http://www.oecd.org/corporate). Originally issued in 1999, the principles are designed to assist governments and regulatory bodies in drawing up and enforcing effective rules, regulations, and codes of corporate governance. In parallel, they provide guidance for stock exchanges, investors, companies, and others that have a role in the process of developing good corporate governance. Although the OECD principles do not provide specific guidance on IT controls, other OECD units provide further guidance and research on information security and privacy.

15.10.2 EU Commission

The European Commission's Action Plan on Company Law and Corporate Governance was released in May 2003 to strengthen corporate governance mechanisms in public interest entities. (For details, see http://europa.eu.int/comm/internal_market/company/index_en.htm.) The EU's Corporate Governance initiatives do not address IT issues specifically, but activities of the Information Society

GTAG — Appendix E — Assessing IT Controls Using COSO — 16

The COSO Internal Control – Integrated Framework is recognized as a formal model for the purpose of Sarbanes-Oxley attestation by the SEC and provides a hierarchical categorization of controls. In addition, the audit standard from the PCAOB states:

“Because of the frequency with which management of public companies is expected to use COSO as the framework for the assessment, the directions in the standard are based on the COSO framework. Other suitable frameworks have been published in other countries and likely will be published in the future. Although different frameworks may not contain exactly the same elements as COSO, they should have elements that encompass all of COSO's general themes.”

The COSO model was refined and enhanced during 2004 through development of the COSO Enterprise Risk Management – Integrated Framework (http://www.coso.org). This appendix describes the earlier framework, which is the version referenced for regulatory compliance. Nonetheless, the CAE should investigate the Enterprise Risk Management – Integrated Framework.

16.1 COSO Definition of Internal Control

COSO defines internal control (http://www.coso.org/key.htm) as “a process, effected by an organization's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

• Effectiveness and efficiency of operations.
• Reliability of financial reporting.
• Compliance with applicable laws and regulations.”

These distinct but overlapping categories address different needs, such that each requires a directed focus. The first category addresses an entity's basic business objectives, including performance and profitability goals and safeguarding of resources, which are impacted greatly by the use of IT.

The second category relates to the preparation of reliable published financial statements, including interim and condensed financial statements, as well as earnings releases and other selected publicly reported financial data derived from such statements. IT systems frequently produce such reports, and the controls over these systems play a major part in the level of internal control.

The third category deals with complying with those laws and regulations to which the entity is subject.

Internal control systems operate at different levels of effectiveness. Internal control can be judged effective in each of the three categories if the board of directors and management have reasonable assurance that:

• They understand the extent to which the entity's operations objectives are being achieved.

• Published financial statements are being prepared reliably.

• There is compliance with applicable laws and regulations.

Although internal control is a process, its effectiveness is a state or condition of the process at one or more points in time.

16.2 COSO Internal Control — Integrated Framework

Internal control consists of five interrelated components that are derived from the way management runs a business and are integrated with the management process. Although the components apply to all entities, small and mid-size organizations may implement them differently than large enterprises. A small organization's controls may be less formal and less structured, yet it can still have effective internal control. The components are:

16.2.1 Control Environment

The control environment sets the tone for an organization, influencing the control consciousness of its people, establishing the foundation for all other components of internal control, and providing discipline and structure. Control environment factors include the integrity, ethical values, and competence of the entity's people; management's philosophy and operating style; the way management assigns authority and responsibility and organizes and develops its people; and the attention and direction provided by the board of directors.

16.2.2 Risk Assessment

Every entity faces a variety of risks from external and internal sources that must be assessed. A precondition to risk assessment is the establishment of objectives that are linked at different levels and are consistent internally. Risk assessment identifies and analyzes the relevant risks to achieving these objectives and forms a basis for determining how the risks should be managed. Because economic, industry, regulatory, and operating conditions will continue to change, organizations need mechanisms to identify and deal with the special risks associated with change.

16.2.3 Control Activities

Control activities are the policies and procedures that help ensure management directives are carried out and that necessary actions are taken to address risks to achieving these objectives. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets, and segregation of duties.

16.2.4 Information and Communication

Pertinent information must be identified, captured, and communicated in a form and time frame that enables people to perform their responsibilities. Information systems produce reports containing operational, financial, and compliance-related information that make it possible to run and control the business. They deal not only with internally generated data, but also with information about external events, activities, and conditions necessary for informed business decision-making and external reporting. Effective communication must also occur in a broader sense, flowing down, across, and up the organization. All personnel must receive a clear message from top management that control responsibilities have to be taken seriously. They need to understand their own role in the internal control system, as well as how individual activities relate to the work of others. They must have a means of communicating significant information upstream. There also needs to be effective communication with external parties, such as customers, suppliers, regulators, and shareholders.

16.2.5 Monitoring

Internal control systems need to be monitored to assess the quality of their performance over time. This is accomplished through ongoing monitoring activities, separate evaluations, or a combination of the two. Ongoing monitoring occurs in the course of operations and includes regular management and supervisory activities and other actions personnel take in performing their duties. The scope and frequency of separate evaluations will depend primarily on an assessment of risks and the effectiveness of ongoing monitoring procedures. Internal control deficiencies should be reported upstream, with serious matters reported to top management and the board.

There is synergy and linkage among the components, forming an integrated system that reacts dynamically to changing conditions. The internal control system is intertwined with the entity's operating activities and exists for fundamental business reasons. Internal control is most effective when controls are built into the entity's infrastructure and are a part of the essence of the enterprise. Built-in controls support quality and empowerment initiatives, avoid unnecessary costs, and enable quick response to changing conditions.

There is a direct relationship between the three COSO categories (effectiveness, reliability, compliance) of objectives — which are what an entity strives to achieve — and the components needed to achieve the objectives. All components are relevant to each objectives category. When looking at any one category — the effectiveness and efficiency of operations, for instance — all five components must be present and functioning effectively to conclude that internal control over operations is effective.

The internal control definition — with its underlying fundamental concepts of a process, effected by people, providing reasonable assurance — together with the categorization of objectives, the components and criteria for effectiveness, and the associated discussions, constitute this internal control framework.

GTAG — Appendix F — ITGI Control Objectives for Information and Related Technology (CobiT) — 17

Organizations must satisfy the quality, fiduciary, and security requirements for their information, as for all assets. Management must also optimize the use of available resources, including data, application systems, technology, facilities, and people. To discharge these responsibilities, as well as to achieve its objectives, management must establish an adequate system of internal control. Thus, an internal control system or framework must be in place to support the business processes, and it must be clear how each individual control activity satisfies the information requirements and impacts the resources. Impact on IT resources is highlighted in the CobiT framework, together with the business requirements for effectiveness, efficiency, confidentiality, integrity, availability, compliance, and reliability of information that need to be satisfied. Control, which includes policies, organizational structures, practices, and procedures, is management's responsibility. Management, through its corporate and IT governance, must ensure that due diligence is exercised by all individuals involved in the management, use, design, development, maintenance, or operation of information systems.

Business orientation is the main theme of CobiT. It is designed not only to be employed by users and auditors, but also, and more importantly, as a comprehensive checklist for business process owners. Increasingly, business practice involves the full empowerment of business process owners so they have total responsibility for all aspects of the business process. In particular, this includes providing adequate controls. The CobiT framework provides a tool for the business process owner that facilitates the discharge of this responsibility. The framework starts from a simple and pragmatic premise: in order to provide the information that the organization needs to achieve its objectives, IT resources need to be managed by a set of naturally grouped processes.

CobiT continues with a set of 34 high-level control objectives, one for each of the IT processes, grouped into four domains: Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate.

Plan and Organize – This domain covers strategy and tactics and concerns the identification of the way IT can best contribute to the achievement of business objectives.

1 Define a strategic IT plan2 Define the information architecture3 Determine the technological direction4 Define the IT organization and relationships5 Manage the IT investment6 Communicate management aims and direction7 Manage human resources8 Ensure compliance with external requirements9 Assess risks

10 Manage projects11 Manage quality

Acquire and Implement ndash To realize the IT strategy IT solutions need to be identified developed or acquired as

well as implemented and integrated into the businessprocess In addition changes in and maintenance of exist-ing systems are covered by this domain to make sure that thelife cycle is continued for these systems

12 Identify automated solutions13 Acquire and maintain application software14 Acquire and maintain technology architecture15 Develop and maintain IT procedures16 Install and accredit systems17 Manage changes

Deliver and Support ndash This domain is concerned with theactual delivery of required services which range from tradi-tional operations over security and continuity aspects totraining This domain includes the actual processing of databy application systems

18 Define and manage service levels19 Manage third-party services20 Manage performance and capacity21 Ensure continuous service22 Ensure systems security23 Identify and allocate costs24 Educate and train users25 Assist and advise IT customers26 Manage the configuration27 Manage problems and incidents28 Manage data29 Manage facilities30 Manage operations

Monitor and Evaluate ndash All IT processes need to be assessedregularly over time for their quality and compliance withcontrol requirements This domain thus addresses manage-mentrsquos oversight of the organizationrsquos control process andindependent assurance provided by internal and externalauditing or obtained from alternative sources

31 Monitor the processes32 Assess internal control adequacy33 Obtain independent assurance34 Provide for independent audit

This structure covers all aspects of information and the tech-nology that supports it By addressing these 34 high-levelcontrol objectives the business process owner can ensurethat an adequate control system is provided for the IT envi-ronment

CobiT is comprised of:

• An executive summary, which provides an overview of CobiT's issues and foundational premise.
• CobiT framework, which describes in detail the high-level IT control objectives and identifies the business requirements for information and IT resources primarily impacted by each control objective.
• Control objectives: statements of the desired results or purposes to be achieved by implementing the specific detailed control objectives.
• Audit guidelines: suggested audit steps corresponding to each of the IT control objectives.
• An implementation tool set, which provides lessons learned from those organizations that successfully applied CobiT in their work environments, and several tools to help management assess their control environment related to information and IT resources.
• Management guidelines, which are composed of maturity models to help determine the stages and expectation levels of control; critical success factors to identify the most important actions for achieving control over the IT processes; key goal indicators to define target levels of performance; and key performance indicators to measure whether an IT control process is meeting its objective.

Designated by the IT Governance Institute (ITGI) and ISACA as an open standard, this portion of COBIT may be downloaded from http://www.itgi.org and http://www.isaca.org.

CobiT, now in its third edition and available in hard copy or interactive online format (CobiT Online), increasingly is accepted internationally as good practice for control over information, IT and related risks. Its guidance enables an enterprise to implement effective governance over the IT that is pervasive and intrinsic throughout the enterprise.

Copyright © 2000 by ITGI and reprinted with the permission of the ITGI. No other right or permission is granted with respect to this work.

GTAG — Appendix F — ITGI Control Objectives for Information and Related Technology (CobiT) — 17


The following metrics descriptions are taken from the Corporate Information Security Working Group (CISWG) draft report of the Best Practices and Metrics teams, November 17, 2004. During Phase I of the CISWG, convened in November 2003 by Rep. Adam Putnam (R-FL), the Best Practices team surveyed available information security guidance. It concluded in its March 2004 report⁷ that much of this guidance is expressed at a relatively high level of abstraction and therefore is not useful immediately as actionable guidance without significant and often costly elaboration. A one-page listing of Information Security Program Elements, regarded as essential content for comprehensive enterprise management of information security, was created, upon which it was hoped future actionable guidance could be built for use by a wide variety of organizations.

The Best Practices and Metrics teams of CISWG Phase II, convened in June 2004, were charged with expanding on the work of Phase I by refining the Information Security Program Elements and developing metrics to support each of the elements. The goal was to develop a resource that would help board members, managers and technical staff establish a comprehensive structure of principles, policies, processes, controls and performance metrics to support the people, process and technology aspects of information security.

These generic metrics can be used as the basis for determining regular reporting requirements for the audit committee, although they are not meant to be a "one-size-fits-all" solution. The full set of draft metrics, along with explanatory notes and descriptions, can be found under the "Technology" section of http://www.theiia.org.

The Information Security Program Elements and Supporting Metrics are intended to enable boards, management and technical staff to monitor the status and progress of their organization's information security program over time. Each organization should thoughtfully consider which program elements and metrics might be helpful in its own circumstances. It should then set its own implementation priorities and establish an appropriate policy, process and control structure. Larger and more complex organizations will create policies, processes and controls in each program element that inevitably will be more extensive than those a smaller organization might choose to implement.

18.1 Metrics for Boards of Directors/Trustees

Establishing a competent information security program requires board members to devote attention to certain program elements. Board members can use the following metrics as part of their information security responsibilities. Board members generally should find the best target value for each metric — higher or lower — to be self-evident.

• Oversee risk management and compliance programs pertaining to information security.
  – Percentage of key information assets for which a comprehensive strategy has been implemented to mitigate information security risks as necessary and to maintain these risks within acceptable thresholds.
  – Percentage of key organizational functions for which a comprehensive strategy has been implemented to mitigate information security risks as necessary and to maintain these risks within acceptable thresholds.
  – Percentage of key external requirements for which the organization has been deemed to be in compliance by an objective audit or other means.
• Approve and adopt broad information security program principles and approve assignment of key managers responsible for information security.
  – Percentage of information security program principles for which approved policies and controls have been implemented by management.
  – Percentage of key information security management roles for which responsibilities, accountabilities and authority are assigned and required skills identified.
• Strive to protect the interests of all stakeholders who depend on information security.
  – Percentage of board meetings and/or designated committee meetings for which information security is on the agenda.
  – Percentage of security incidents that caused damage, compromise or loss beyond established thresholds to the organization's assets, functions or stakeholders.
  – Estimated damage or loss in dollars resulting from all security incidents in each of the past four reporting periods.
• Review information security policies regarding strategic partners and other third parties.
  – Percentage of strategic partner and other third-party relationships for which information security requirements have been implemented in agreements.
• Strive to ensure business continuity.
  – Percentage of organizational units with an established business-continuity plan.
• Review provisions for internal and external audits of the information security program.
  – Percentage of required internal and external audits completed and reviewed by the board.
  – Percentage of audit findings that have not been resolved.
• Collaborate with management to specify the information security metrics to be reported to the board.

18.2 Metrics for Management

The following program elements and metrics are intended to help management implement the information security goals and policies established by the board as part of an effective information security program.

⁷ http://reform.house.gov/TIPRC

GTAG — Appendix G — Example IT Control Metrics to Be Considered by Audit Committees — 18

• Establish information security management policies and controls, and monitor compliance.
  – Percentage of information security program elements for which approved policies and controls are operational.
  – Percentage of staff assigned responsibilities for information security policies and controls who have acknowledged accountability for their responsibilities in connection with those policies and controls.
  – Percentage of information security policy compliance reviews that noted violations.
  – Percentage of business-unit heads and senior managers who have implemented operational procedures to ensure compliance with approved information security policies and controls.
• Assign information security roles, responsibilities and required skills, and enforce role-based information-access privileges.
  – Percentage of new employees hired this reporting period who satisfactorily completed security-awareness training before being granted network access.
  – Percentage of employees who have completed periodic security-awareness refresher training as required by policy.
  – Percentage of position descriptions that define the information security roles, responsibilities, skills and certifications for:
    + Security managers and administrators
    + IT personnel
    + General staff system users
  – Percentage of job performance reviews that evaluate information security responsibilities and policy compliance.
  – Percentage of user roles, systems and applications that comply with the separation-of-duties principle.
  – Number of individuals with access to security software who are not trained and authorized security administrators.
  – Number of individuals who are able to assign security privileges for systems and applications who are not trained and authorized security administrators.
  – Percentage of users whose access privileges have been reviewed this reporting period, including:
    + Employees with high-level system and application privileges
    + All other employees
    + Contractors
    + Vendors
    + Terminated employees and contractors
  – Percentage of users who have undergone background checks.
• Assess information risks, establish risk thresholds and actively manage risk mitigation.
  – Percentage of critical information assets and information-dependent functions for which some form of risk assessment has been performed and documented as required by policy.
  – Percentage of critical assets and functions for which the cost of compromise — loss, damage, disclosure or disruption of access — has been quantified.
  – Percentage of identified risks that have a defined risk mitigation plan against which status is reported in accordance with policy.
• Ensure implementation of information security requirements for strategic partners and other third parties.
  – Percentage of known information security risks that are related to third-party relationships.
  – Percentage of critical information assets or functions to which third-party personnel have been given access.
  – Percentage of third-party personnel with current information access privileges who a designated authority has deemed to have continued need for access in accordance with policy.
  – Percentage of systems with critical information assets or functions that are connected to third-party systems electronically.
  – Percentage of security incidents that involve third-party personnel.
  – Percentage of third-party agreements that include or demonstrate external verification of policies and procedures.
  – Percentage of third-party relationships that have been reviewed for compliance with information security requirements.
  – Percentage of out-of-compliance review findings that have been corrected since the last review.
• Identify and classify information assets.
  – Percentage of information assets that have been reviewed and classified by the designated owner in accordance with the classification scheme established by policy.
  – Percentage of information assets with defined access privileges that have been assigned based on role and in accordance with policy.
  – Date when the asset inventory was last updated.
• Implement and test business-continuity plans.
  – Percentage of organizational units with a documented business-continuity plan for which specific responsibilities have been assigned.
  – Percentage of business-continuity plans that have been reviewed, exercised and tested, and updated in accordance with policy.
• Approve information systems architecture during acquisition, development, operations and maintenance.
  – Percentage of information security risks related to systems architecture identified in the most recent risk assessment that have been mitigated adequately.
  – Percentage of system architecture changes — additions, modifications or deletions — that were reviewed for security impacts, approved by the appropriate authority and documented via change-request forms.
  – Percentage of critical information assets or functions residing on systems that are out of compliance with the approved systems architecture.
• Protect the physical environment.
  – Percentage of critical organizational information assets and functions that have been reviewed from the perspective of physical risks, such as controlling physical access and physical protection of backup media.
  – Percentage of critical organizational information assets and functions exposed to physical risks for which risk mitigation actions have been implemented.
  – Percentage of critical assets that have been reviewed from the perspective of environmental risks, such as temperature, fire and flooding.
  – Percentage of servers in locations with controlled physical access.
  – Percentage of information security requirements of applicable laws and regulations that are included in the internal and external audit program and schedule.
  – Percentage of information security audits conducted in compliance with the approved internal and external audit program and schedule.
  – Percentage of management actions in response to audit findings and recommendations that were implemented as agreed upon regarding timeliness and completeness.
• Collaborate with security personnel to specify the information security metrics to be reported to management.

GTAG — Appendix H — CAE Checklist — 19

CAEs can use this checklist to examine their IT control framework to ensure the organization has addressed all control elements. The checklist can help the CAE understand the issues and plan for full internal audit coverage of the control areas.

1. Identify the IT control environment of the organization, including:
   a. Values
   b. Philosophy
   c. Management style
   d. IT awareness
   e. Organisation
   f. Policies
   g. Standards

2. Identify relevant legislation and regulation impacting IT control, such as:
   a. Governance
   b. Reporting
   c. Data protection
   d. Compliance

3. Identify the roles and responsibilities for IT control in relation to:
   a. Board of directors
      i. Audit committee
      ii. Risk committee
      iii. Governance committee
      iv. Finance committee
   b. Management
      i. CEO
      ii. CFO and controller
      iii. CIO
      iv. CSO
      v. CISO
      vi. CLC
      vii. CRO
   c. Audit
      i. Internal Audit
      ii. External Audit

Action Questions

1. Do corporate policies and standards that describe the need for IT controls exist?
2. What legislation exists that impacts on the need for IT controls?
3. Has management taken steps to ensure compliance with this legislation?
4. Have all the relevant responsibilities for IT controls been allocated to individual roles?
5. Is the allocation of responsibilities compatible with the need to apply division of duties?
6. Are IT responsibilities documented?
7. Are IT control responsibilities communicated to the whole organization?
8. Do individual role holders clearly understand their responsibilities in relation to IT controls?
9. What evidence is there of individual role holders exercising their responsibilities?
10. Does internal auditing employ sufficient IT audit specialists to address the IT control issues?


4. Identify the risk assessment process. Does it cover:
   a. Risk appetite
   b. Risk tolerances
   c. Risk analysis
   d. Matching risks to IT controls

5. Identify all monitoring processes, including:
   a. Regulatory
   b. Normal in-house
   c. Other than internal auditing

6. Identify information and communication mechanisms:
   a. Control information
   b. Control failures

Action Questions

11. How is the risk appetite and tolerance of the organization determined?
12. Is the risk appetite and tolerance of the organization authorized at board level?
13. Is the risk appetite and tolerance clearly understood by all those with a responsibility for IT control?
14. Is a formal risk analysis process used by the organization?
15. Is the process understood by all those with responsibility for IT control?
16. Is the process used consistently throughout the organization?
17. What processes exist to monitor compliance with all relevant legislation plus internal policies and standards?
18. Are there monitoring processes carried out by management outside of internal audit?
19. What metrics are provided to the board of directors, its committees and management in relation to IT security?
20. What additional reports are provided to the board of directors and to management on a regular basis?
21. Is management always provided with reports when there are IT control failures?
22. Do the board of directors and its committees receive similar reports of IT control failures?

GTAG — Appendix I — References — 20

The following list of information security reference material is taken from a list compiled by the CISWG of the Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census, and the Government Reform Committee of the U.S. House of Representatives. The full list can be found at http://www.reform.house.gov/TIPRC or under the "Technology" section of http://www.theiia.org. The documents are classified into three sections relating to governance, management and technical issues.

20.1 Governance

Board Briefing on IT Governance, ITGI. http://www.itgi.org/Template_ITGI.cfm?Section=ITGI&CONTENTID=6658&TEMPLATE=/ContentManagement/ContentDisplay.cfm

Information Security Governance: Guidance for Boards of Directors and Executive Management, ITGI. http://www.itgi.org

Information Security Management and Assurance: Three-report series from The IIA, National Association of Corporate Directors (NACD), U.S. Critical Infrastructure Assurance Office, et al. http://www.theiia.org/esac/index.cfm?fuseaction=or&page=rciap

Information Security Oversight: Essential Board Practices, NACD. http://www.nacdonline.org/publications/pubDetails.asp?pubID=138&user=6158BBEB9D7C4EE0B9E4B98B601E3716

IT Governance Implementation Guide, ISACA. http://www.isaca.org/Template.cfm?Section=Browse_By_Topic&Template=/Ecommerce/ProductDisplay.cfm&ProductID=503

Turnbull Report – Internal Control: Guidance for Directors on the Combined Code, Institute of Chartered Accountants in England & Wales. http://www.icaew.co.uk/index.cfm?AUB=TB2I_6242,MNXI_47896

20.2 Management

BS 7799 – Parts 1 & 2, Code of Practice for Information Security Management, British Standards Institution. http://www.bsi.org.uk

Common Sense Guide for Senior Managers, Internet Security Alliance. www.isalliance.org

Corporate Information Security Evaluation for CEOs, TechNet. http://www.technet.org/cybersecurity

Generally Accepted Information Security Principles (GAISP), Information Systems Security Association. Currently available: Generally Accepted Systems Security Principles (GASSP), consisting of Pervasive Principles and Broad Functional Principles; Detailed Principles are under development. http://www.issa.org/gaisp/gaisp.html

Generally Accepted Principles and Practices (GAPP), NIST SP 800-18, "Guide for Developing Security Plans for Information Technology Systems," December 1998 (Marianne Swanson & Barbara Guttman): eight generally accepted principles (see OECD) and "Common IT Security Practices." http://csrc.nist.gov/publications/nistpubs/index.html

ICC Handbook on Information Security Policy for Small to Medium Enterprises, International Chamber of Commerce (ICC). http://www.iccwbo.org/home/e_business/word_documents/SECURITY-final.pdf

IFAC International Guidelines on Information Technology Management – Managing Information Technology Planning for Business Impact, International Federation of Accountants. http://www.ifac.org

Information Security for Executives, Business and Industry Advisory Committee to the OECD and ICC. http://www.iccwbo.org/home/e_business/word_documents/SECURITY-final.pdf

ISO 17799 – Information Technology – Code of Practice for Information Security Management, International Organization for Standardization (ISO). http://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=33441&ICS1=35&ICS2=40&ICS3

OECD Guidelines for the Security of Information Systems and Networks: nine pervasive principles for information security upon which several other guides are based, OECD. http://www.oecd.org/document/42/0,2340,en_2649_33703_15582250_1_1_1_1,00.html

Standard of Good Practice for Information Security, Information Security Forum. http://www.isfsecuritystandard.com/index_ie.htm

Trust Services Criteria (including SysTrust and WebTrust), American Institute of Certified Public Accountants. http://www.aicpa.org/trustservices

20.3 Technical Issues

Consensus Benchmarks, Center for Internet Security. http://www.cisecurity.org

DISA Security Technical Implementation Guides. http://www.csrc.nist.gov/pcig/cig.html


ISO 15408, Common Criteria. http://www.csrc.nist.gov/cc/ccv20/ccv2list.htm

ISO TR 13335 – Guidelines for the Management of Information Security, Parts 1-5. http://www.iso.org/iso/en/StandardsQueryFormHandler.StandardsQueryFormHandler

IT Baseline Protection Manual (P BSI 7152 E 1), Bundesamt für Sicherheit in der Informationstechnik. http://www.bsi.bund.de/gshb/english/menue.htm

ITCG Information Technology Control Guidelines, Canadian Institute of Chartered Accountants (CICA). http://www.cica.ca

NIST Configuration Guides, National Institute of Standards and Technology (NIST). http://www.csrc.nist.gov/pcig/cig.html

NIST 800-12, The Computer Security Handbook, NIST. http://www.csrc.nist.gov/publications/nistpubs/index.html

NIST 800-30, Risk Management Guide for Information Technology Systems, NIST. http://www.csrc.nist.gov/publications/nistpubs/index.html

NSA Configuration Guides. http://www.nsa.gov/snac

SANS Step-by-Step Guides, SANS Institute. http://www.store.sans.org

20.4 Auditing IT

Control Objectives for Information and Related Technologies (CobiT), ISACA. http://www.isaca.org

Federal Information Systems Controls Audit Manual (FISCAM), U.S. Government Accountability Office. http://www.gao.gov

Information Technology Control Guidelines (ITCG), CICA. http://www.cica.ca

Systems Assurance and Control (SAC), IIA Research Foundation. http://www.theiia.org/eSAC

Systems Auditability and Control (SAC), IIA Research Foundation. http://www.theiia.org/eSAC

GTAG — Appendix J — Glossary — 21

A listing of technical terms used in the guide, with a simple, plain-English definition.

Application Control – A control related to the specific functioning of an application system that supports a specific business process. Common applications include accounts payable, inventory management and general ledger. Integrated applications combine the functions of many business processes into integrated systems sharing common databases.

Assurance – The act of assuring; a declaration tending to inspire full confidence; that which is designed to give confidence.

CAE – Chief audit executive

CEO – Chief executive officer

CFO – Chief financial officer (and controller)

CIO – Chief information officer

CISO – Chief information security officer

CLC – Chief legal counsel

COSO – The Committee of Sponsoring Organizations of the Treadway Commission (the Commission on Fraudulent Financial Reporting). See http://www.coso.org

CRM – Customer resource management

CSO – Chief security officer

Cyber attack – A criminal act perpetrated by the use of computers and telecommunications capabilities, resulting in violence, destruction and/or disruption of services to create fear by causing confusion and uncertainty within a given population, with the goal of influencing a government or population to conform to a particular political, social or ideological agenda.

Effective – Getting a job done, with or without regard for efficiency. If the law requires you to do something, it probably does not require you to do it efficiently, as evidenced by Sarbanes-Oxley compliance and the frequent complaint that companies are spending huge sums with no apparent value added to the organization or stakeholders.

Efficient – To be efficient, a process or activity must also be effective. Information Technology Process Institute studies show that best-of-breed organizations enjoy considerable efficiencies by maintaining an effective set of control and monitoring practices and resolving the source of the problem rather than only responding to the symptoms.

Framework – A structure for organizing something (e.g. governance issues, controls) to highlight needs at the various levels of an organization as well as for its activities and processes. A control framework is an outline that identifies the need for controls but does not depict how they are applied. Each organization and organizational unit provides a level of detail related to its own control objectives and control practices.

General control – A control that applies generally to the IT environment or overall mix of systems, networks, data, people and processes (also known as IT infrastructure).

GLBA – U.S. Gramm-Leach-Bliley Act

Governance – The combination of processes and structures implemented by the board to inform, direct, manage and monitor the activities of the organization toward the achievement of its objectives.

GTAG – Global Technology Audit Guide

HIPAA – U.S. Health Information Portability and Accountability Act

Information asset – Information assets are based in the value of information to the worth and continued existence of the organization. A distinction is made between information assets and information resources because information resources are generally considered to include the related human resources, and human resources are not considered to be owned by the organization.

Information resource – Includes all elements of the organization involved in information processing (e.g. acquisition, processing, communication and storage), including the related hardware, software, processes and personnel.

Information security – The concepts, techniques, technical measures and administrative measures used to protect information assets from deliberate or inadvertent unauthorized acquisition, damage, disclosure, manipulation, modification, loss or use.

Information technology (IT) – All the computer hardware and software used to process information and provide communications, the processes for administering and maintaining the technology, and the human resources associated with the use of technology.

ISO 17799 – Code of Practice for Information Security Management. See http://www.iso.org

IT controls – Those controls that provide reasonable assurance of the secure, reliable and resilient performance of hardware, software, processes and personnel, as well as the reliability of the organization's information.

IT infrastructure – The overall IT environment, including systems, networks, data, people and processes. Infrastructures can also include the interaction of businesses and industries in mutual support through shared media and services such as the Internet, energy, financial services, utilities, government and transportation. To the extent that infrastructures support national and regional economies, defenses and business continuity, they are known as critical infrastructures.

ITPI – IT Process Institute. See http://www.itpi.org

Public Company Accounting Oversight Board (PCAOB) – A board of the U.S. Securities and Exchange Commission established by the Sarbanes-Oxley Act of 2002 as an oversight body for public financial reporting and auditing.

Risk appetite – Defined by COSO as "the degree of risk, on a broad-based level, that a company or other organization is willing to accept in pursuit of its goals. Management considers the organization's risk appetite first in evaluating strategic alternatives, then in setting objectives aligned with the selected strategy and in developing mechanisms to manage the related risks."

Risk management – The ongoing identification, measurement and mitigation of risk through the demonstrably cost-efficient implementation and administration of control over the known and knowable risks of threat events that can affect the confidentiality, integrity or availability of an organization's information assets adversely.

Risk tolerance – Defined by COSO as "the acceptable level of variation relative to the achievement of objectives. In setting specific risk tolerances, management considers the relative importance of the related objectives and aligns risk tolerances with its risk appetite."

GTAG — Appendix K — About the Global Technology Audit Guides — 22

This IT controls guide is the first in a series of GTAGs whichwill give CAEs and internal auditors a source of informationfor educating and informing themselves and others withinthe organization who have responsibilities related to IT control

The GTAGs will provide guidance on a variety of ITtopics Each guide will describe the underlying technologyfacts and issues sufficiently to explain business opportuni-ties risks and related controls and their impacts on theoverall system of internal controls Subjects to be addressedin the GTAG series will be determined by current andemerging technology areas and their potential ramificationsfor internal controls and assurance Planned topics forguides include intrusion protection security managementchange management wireless security identity manage-ment and authentication

221 Parties to the GTAG ProgramEach GTAG guide is developed through interaction withtechnical audit and security experts audit executives tech-nology vendors and the associations and individuals thatrepresent board members chief executives financial execu-tives information technology professionals and securityexecutives Involvement from The IIArsquos international affili-ates and partners support the global perspective of theguides Other professionals representing specialized viewssuch as legal insurance regulatory and standards will beincluded as appropriate within individual GTAG projects

The IIA is joined in this GTAG project by a specially select-ed team of professional associations academic institutionsand practitioners in both auditing and technology IIA isgrateful for the support provided by this team as the guidewould not have been possible without them For The IIA toprovide meaningful guidance to auditors about how to relateto audit customers it is essential to gain agreement with thekey representatives of those customers To speak to a globalaudience the guide needs consensus from a broad group rep-resenting many of the countries where internal auditorsoperate So we thank both the individuals and the organiza-tions who contributed so much to this guide

23.1 IT Controls Advisory Council

The Advisory Council is made up of individuals who contributed to the development of this guide from the outset of planning the GTAG project, through design and development of the IT Controls Guide outline and various drafts, to the completion of the final product. These individuals went beyond the role of a volunteer support team to truly act in a leadership role.

Julia H Allen CMU/SEI Carnegie-Mellon University/Software Engineering Institute

Michael R Dickson Business Technology Group LLC

Clint Kreitner President/CEO CIS The Center for Internet Security

Alex Lajoux NACD National Association of Corporate Directors

Will Ozier Vice Chair the ISSA GAIS Committee CEO & President OPA Inc The Integrated Risk Management Group USA

Mark Salamasick CIA University of Texas at Dallas

Karyn Waller AICPA American Institute of Certified Public Accountants

23.2 Partner Organizations

AICPA – Michael R Dickson Karyn Waller American Institute of Certified Public Accountants

CIS – Clint Kreitner Center for Internet Security

CMU/SEI – Julia Allen Bob Rosenstein Carnegie-Mellon University/Software Engineering Institute

ISSA – Dave Cullinane President Bob Daniels Exec Vice President Information Systems Security Association

NACD – Peter Gleason Alex Lajoux National Association of Corporate Directors

SANS Institute – Alan Paller Director of Research Stephen Northcutt COO

23.3 Project Review Team

Peter Allor ISS Internet Security Systems

Jack Antonelli ADP

Ken D Askelson CIA JC Penney Co Inc

Becky Bace Infidel Inc

Kevin Behr IPSI Institute for Integrated Publication and Information Systems

Jeff Benson BearingPoint

Robert S Block Chairman 3D Business Tools USA

Sylvia Boyd The IIA

Alexandra Branisteanu Information Security Officer Scripps Health San Diego USA

Larry Brown Options Clearing Corp

Stephanie Bryant University of South Florida

Phil Campbell Specialized IT LLC USA

John Carlson BITS Banking Industry Technology Secretariat

Chris Compton Intrusion Labs

Guy Copeland CSC Computer Sciences Corp

Rich Crawford Vice President/Senior Security Advisor Janus Risk Management USA

Bob Daniels EDS

Bob Dix US House of Representatives


GTAG — Appendix L — GTAG Partners and Global Project Team — 23


Jerry E Durant CIA President Certifiable Technologies Ltd Orlando Fla USA

Emily Frye Critical Infrastructure Protections Program George Mason University School of Law USA

Greg Garcia ITAA Information Technology Association of America

Russ Gates Dupage Consulting LLC

Lou Giles Chevron Phillips Chemical Co

Doug Guerrero EDS

Kai Tamara Hare Nuserve

Michael S Hines CIA Purdue University

Bob Hirth Protiviti

Don Holden CISSP Concordant Inc USA

Dave Kern Ethentica

Gene Kim CTO Tripwire Inc USA

Jim Kolouch BearingPoint

David Kowal VP JP Morgan Chase

Paul Kurtz CSIA Cyber Security Industry Alliance

Cindy LeRouge PhD Decision Sciences/MIS Department John Cook School of Business St Louis University USA

Andrée Lavigne CICA Canadian Institute of Chartered Accountants

Debbie Lew Guidance Software

Brenda Lovell CIA CCSA CGAP The IIA

Warren Malmquist Adolph Coors Co

Stacy Mantzaris CIA IIA

Dennis Miller Heritage Bank

Patrick Morrissey Auditwire

Bruce Moulton Symantec

Paul Moxey ACCA Association of Chartered Certified Accountants

Roseane Paligo CIA Chief Financial Officer 1st Choice Community Federal Credit Union USA

Fred Palmer Palmer Associates

Xenia Parker CIA CFSA VP Enterprise Technology Group Marsh Inc

Bernie Plagman TechPar Group

Heriot Prentice MIIA FIIA QiCA The IIA

Dick Price Beacon IT Ltd BS 7799 Consultancy USA

Michael Quint Corporate Compliance Officer EDS Corporate Audit USA

Sridhar Ramamoorti CIA CFSA Ernst & Young LLP Chicago IL USA

Amy Ray Bentley College

Martin Ross GSC Global Security Consortium

Chip Schilb EDS USA

Howard Schmidt eBay

Mark Silver Symantec

George Spafford President Spafford Global Consulting Saint Joseph IL USA

Adam Stone Assurant

Jay H Stott CIA Fidelity Investments

Dan Swanson CIA IIA

Jay R Taylor CIA CISA CFE General Motors Corporation

Bill Tener University & Community College System of Nevada

Archie Thomas

Fred Tompkins BearingPoint

Don Warren Rutgers University

Dominique Vincenti CIA The IIA

Mark Winn Intrusec

Amit Yoran

23.4 IIA International Affiliates

Frank Alvern CIA CCSA Nordea Bank Norway

Alexandre Alves Apparecido Brazil

Dror Aviv Israel

David F Bentley England UK and Ireland

Gerardo Carstens CIA IIA Argentina

Richard Cascarino South Africa

Iftikhar Chaudry Pakistan

Hisham T El Gindy Manager KPMG Hazem Hassan Egypt

Dr Ulrich Hahn CIA Switzerland

Rossana S Javier Makati City Philippines

Andras Kovacks Hungary

Christopher McRostie Australia

Furqan Ahmad Saleem Partner Avais Hyder Nauman Rizwani RSM Pakistan

Kyoko Shimizu CIA Japan

John Silltow Security Control and Audit Ltd United Kingdom

Ken Siong International Federation of Accountants

Anton van Wyk PwC South Africa

Nick Wolanin Adjunct Senior Lecturer Australian Graduate

Julie Young Australia

23.5 Other International

Carolee Birchall Vice President and Senior Risk Officer Bank of Montreal Canada

P J Corum Quality Assurance Institute Middle East and Africa United Arab Emirates

Ariel Peled President ISSA Israeli Chapter

P Shreekanth India

Karen Woo Selangor Malaysia

23.6 IIA International Advanced Technology Committee

Anton van Wyk (Chairman) CIA PricewaterhouseCoopers South Africa

Alexandre Alves Apparecido Brasil Telecom Brazil

Ken D Askelson CIA JC Penney Co Inc USA

Dror Aviv CFSA IIA Israel

Donald L Bailey Grant Thornton LLP USA

EW Sean Ballington PricewaterhouseCoopers LLP USA (originally South Africa)

Norman F Barber Microsoft Corp USA

David F Bentley QiCA Consultant England

Claude Cargou GIE AXA France

Michael P Fabrizius CIA Bon Secours Health System Inc USA

Ramiz Tofigi Ganizade Azerbaijan Republic Chamber of Auditors Azerbaijan

Douglas Guerrero EDS Corp USA

Dr Ulrich Hahn CIA Syngenta International Switzerland

David J Hill IBM Corp USA

Michael S Hines CIA Purdue University USA

Mark J Hornung Ernst & Young LLP USA

Gene Kim CTO Tripwire Inc USA

David S Lione KPMG LLP Southeast Region USA

Peter B Millar ACL Services Ltd Canada

Allan M Newstadt CIA World Bank/International Finance Corp USA

Brenda J S Putman CIA City Utilities of Springfield USA

Kyoko Shimizu CIA Shin Nihon & Co Japan

Brian M Spindel CIA SecurePipe Inc USA

Rajendra P Srivastava University of Kansas USA

Jay Stott CIA Fidelity Investments USA

Jay R Taylor CIA CISA CFE General Motors Corp USA

Thomas Jason Wood CIA Ernst & Young LLP USA

Akitomo Yamamoto IIA Japan

23.7 The Writing Team

David A Richards CIA President The IIA

Alan S Oliphant MIIA QiCA MAIR International

Charles H Le Grand CIA CHL Global

23.8 IIA Headquarters Staff Production Team

Michael Feland

Trish Harris

Tim McCollum

Information Technology Controls

This guide focuses on how IT roles and responsibilities are dispersed throughout the organization, how accurate assessment of IT controls is achieved, and how an organization can promote IT reliability and efficiency.

What is GTAG?

Prepared by The Institute of Internal Auditors, each Global Technology Audit Guide (GTAG) is written in straightforward business language to address a timely issue related to information technology management, control, or security. GTAG is a ready resource series for chief audit executives to use in the education of members of the board and audit committee, management, process owners, and others regarding technology-associated risks and recommended practices.

Business Continuity Management

This GTAG focuses on how business continuity management (BCM) is designed to enable business leaders to manage the level of risk the organization could potentially encounter if a natural or man-made disruptive event that affects the extended operability of the organization were to occur. The guide includes disaster recovery planning for continuity of critical information technology infrastructure and business application systems.

Chief audit executives (CAEs) have been challenged to educate corporate executives on the risks, controls, costs, and benefits of adopting a BCM program. Although it is true that recent disasters around the world have motivated some corporate leaders to give attention to BCM programs, the implementation of such programs is far from universal. The key challenge is engaging corporate executives to make BCM a priority. Although most executives are likely to agree that BCM is a good idea, many will struggle to find the budget necessary to fund the program, as well as an executive sponsor that has the time to ensure its success. Business Continuity Management will help the CAE communicate business continuity risk awareness and support management in its development and maintenance of a BCM program.

Visit www.theiia.org/guidance/technology/gtag/gtag10 to rate this GTAG or submit your comments.

Order Number 100645. IIA Member US $25; Nonmember US $30; IIA Event US $22.50

www.theiia.org

ISBN 0-89413-570-8
ISBN 978-0-89413-623-8


GTAG — Understanding IT Controls — 5

technologies in use within the organization's IT infrastructures. The ability to automate technical controls that implement and demonstrate compliance with management's intended information-based policies is a powerful resource to the organization.

5.3 IT Controls – What to Expect

Individual control mechanisms a CAE can expect to find within the organization can be defined within the hierarchy of IT controls, from the overall high-level policy statements issued by management and endorsed by the board of directors down to the specific control mechanisms incorporated into application systems.

The hierarchy in Figure 4, IT Controls (this page), represents a logical "top-down" approach, both when considering controls to implement and when determining areas on which to focus audit resources during reviews of the entire IT operating environment. The different elements of the hierarchy are not mutually exclusive; they are all connected and can intermingle. Many of the control types within the elements are described below.

5.3.1 Policies

All organizations need to define their aims and objectives through strategic plans and policy statements. Without clear statements of policy and standards for direction, organizations can become disoriented and perform ineffectively. Organizations with clearly defined aims and objectives tend to be successful.

Because technology is vital to the operations of most organizations, clear policy statements regarding all aspects of IT should be devised and approved by management, endorsed by the board of directors, and communicated to all staff. Many different policy statements can be required, depending on the organization's size and the extent to which it deploys IT. For smaller organizations, a single policy statement may be sufficient, provided it covers all the relevant areas. Larger organizations that implement IT extensively will require more detailed and specific policies.

IT policy statements include, but are not restricted to:

• A general policy on the level of security and privacy throughout the organization. This policy should be consistent with all relevant national and international legislation and should specify the level of control and security required, depending on the sensitivity of the system and data processed.

• A statement on the classification of information and the rights of access at each level. The policy should also define any limitations on the use of this information by those approved for access.

• A definition of the concepts of data and systems ownership, as well as the authority necessary to originate, modify, or delete information. Without these guidelines it is often difficult to coordinate change within large organizations, because there may not be anyone designated to have overall responsibility for the data or systems.

• A general policy that defines the extent to which users can deploy intelligent workstations to create their own applications.

• Personnel policies that define and enforce conditions for staff in sensitive areas. This includes the positive vetting of new staff prior to joining the organization, carrying out annual credit checks, and having employees sign agreements accepting responsibility for the required levels of control, security, and confidentiality. This policy would also detail related disciplinary procedures.

• Definitions of overall business continuity planning requirements. These policies should ensure that all aspects of the business are considered in the event of a disruption or disaster — not just the IT elements.

Figure 4 – IT Controls

The Center for Internet Security (www.cisecurity.org) reports that applying controls consistently over system and network component configuration will protect the organization from more than 85 percent of the top vulnerabilities identified by the US National Institute of Standards and Technology (NIST), Federal Bureau of Investigation (FBI), SANS Institute, and Computer Security Institute (CSI).

A good source of IT and security policies is the SANS Security Policy Resource page (http://www.sans.org/resources/policies/#intro), a consensus research project of the SANS Institute community. The project offers free resources for rapid development and implementation of information security policies, including policy templates for 24 important security requirements. Although the templates were compiled to help the people attending SANS training programs, SANS makes them available to the world because Internet security depends on vigilance by all participants.

5.3.2 Standards

Standards exist to support the requirements of policies. They are intended to define ways of working that achieve the required objectives of the organization. Adopting and enforcing standards also promotes efficiency, because staff are not required to reinvent the wheel every time a new business application is built or a new network is installed. Standards also enable the organization to maintain the whole IT operating environment more efficiently.

Large organizations with significant resources are in a position to devise their own standards. On the other hand, smaller organizations rarely have sufficient resources for this exercise. There are many sources of information on standards and best practice, some of which are listed in Appendix I (See page 45).

As a guideline, the CAE should expect to see standards adopted for:

• Systems Development Processes – When organizations develop their own applications, standards apply to the processes for designing, developing, testing, implementing, and maintaining systems and programs. If organizations outsource application development or acquire systems from vendors, the CAE should ascertain that agreements require the providers to apply standards consistent with the organization's standards or acceptable to the organization.

• Systems Software Configuration – Because systems software provides a large element of control in the IT environment, standards related to secure system configurations, such as the CIS Benchmarks from the Center for Internet Security, are beginning to gain wide acceptance by leading organizations and technology providers. The way products such as operating systems, networking software, and database management systems are configured can either enhance security or create weaknesses that can be exploited.

• Application Controls – All applications which support business activities need to be controlled. Standards are necessary for all applications the organization develops or purchases that define the types of controls that must be present across the whole range of business activities, as well as the specific controls that should apply to sensitive processes and information.

• Data Structures – Having consistent data definitions across the full range of applications ensures disparate systems can access data seamlessly and security controls for private and other sensitive data can be applied uniformly.

• Documentation – Standards should specify the minimum level of documentation required for each application system or IT installation, as well as for different classes of applications, processes, and processing centers.

As with policies, standards should be approved by management, should be written in clear and understandable language, and should be made available to all who implement them.

5.3.3 Organization and Management

Organization and management play a major role in the whole system of IT control, as they do with every aspect of an organization's operations. An appropriate organization structure allows lines of reporting and responsibility to be defined and effective control systems to be implemented.

5.3.3.1 Separation of Duties

Separation of duties is a vital element of many controls. An organization's structure should not allow responsibility for all aspects of processing data to rest upon one individual or department. The functions of initiating, authorizing, inputting, processing, and checking data should be separated to ensure no individual can both create an error, omission, or other irregularity and authorize it and/or obscure the evidence. Separation-of-duties controls for application systems are provided by granting access privileges only in accordance with job requirements for processing functions and accessing sensitive information.

Traditional separation of duties within the IT environment is divided between systems development and operations. Operations should be responsible for running production systems — except for change deployment — and should have little or no contact with the development process. This control includes restrictions preventing operators from accessing or modifying production programs, systems, or data. Similarly, systems development personnel should have little contact with production systems. By assigning specific roles during implementation and other change processes to both the personnel responsible for application systems and those responsible for operations, appropriate separation of duties can be enforced. In large organizations, many other functions should be considered to ensure appropriate separation of duties, and these controls can be quite detailed. For example, privileged accounts such as the Administrator group in Windows and Super User in UNIX can modify log entries, access any file, and in many cases act as any user or role. It is important to restrict the number of individuals with this privilege to a minimum.


Software tools are also available and should be considered to limit the power and monitor the activities of individuals with privileged accounts.
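One way to make the separation-of-duties rule above checkable during an access review, as an added example that is not part of the GTAG: a small Python script that holds a conflict matrix over the processing functions the guide names (initiate, authorize, input, process, check, plus log modification for privileged accounts), reports users whose combined roles violate it, pre-checks a proposed extra grant before it is approved, and counts privileged users against a limit. The role names, users, limit and the matrix itself are constructed, hypothetical values.

```python
"""Separation-of-duties (SoD) check over an application's role grants.

Added example, not code from the GTAG. It encodes the guide's rule that no one
person should be able to initiate or input a transaction and also authorize it,
or process data and also check it, and that the few who can alter logs
(privileged accounts) must be counted and limited. The conflict matrix, roles,
users and limit below are constructed, hypothetical values.
"""
from itertools import combinations
from typing import Dict, FrozenSet, List, Set

# Function pairs one person must never hold together (constructed policy).
CONFLICTING_PAIRS: Set[FrozenSet[str]] = {
    frozenset({"initiate", "authorize"}),
    frozenset({"input", "authorize"}),
    frozenset({"input", "check"}),
    frozenset({"process", "check"}),
    frozenset({"authorize", "modify_logs"}),   # approve, then erase the evidence
    frozenset({"process", "modify_logs"}),
}

# Constructed application roles and the processing functions each grants.
ROLE_FUNCTIONS: Dict[str, Set[str]] = {
    "ap_clerk": {"initiate", "input"},
    "ap_supervisor": {"authorize"},
    "batch_operator": {"process"},
    "reconciler": {"check"},
    "sysadmin": {"input", "process", "authorize", "modify_logs"},  # privileged
}

PRIVILEGED_FUNCTIONS = {"modify_logs"}


def effective_functions(roles: List[str]) -> Set[str]:
    """Union of the functions granted by all of a user's roles."""
    funcs: Set[str] = set()
    for role in roles:
        if role not in ROLE_FUNCTIONS:
            raise KeyError(f"unknown role {role!r}")
        funcs |= ROLE_FUNCTIONS[role]
    return funcs


def sod_violations(assignments: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Per user, the conflicting pairs held; users without conflicts are omitted."""
    report: Dict[str, List[str]] = {}
    for user, roles in assignments.items():
        funcs = effective_functions(roles)
        hits = [f"{a}+{b}" for a, b in combinations(sorted(funcs), 2)
                if frozenset({a, b}) in CONFLICTING_PAIRS]
        if hits:
            report[user] = hits
    return report


def would_conflict(current_roles: List[str], new_role: str) -> List[str]:
    """Pre-check for an access request: conflicts the extra role would create."""
    return sod_violations({"_": list(current_roles) + [new_role]}).get("_", [])


def privileged_users(assignments: Dict[str, List[str]]) -> List[str]:
    """Users whose roles grant any privileged function."""
    return sorted(u for u, roles in assignments.items()
                  if PRIVILEGED_FUNCTIONS & effective_functions(roles))


def privileged_within_limit(assignments: Dict[str, List[str]], max_users: int) -> bool:
    return len(privileged_users(assignments)) <= max_users


# Constructed user-to-role assignments, as an access review extract would list them.
SAMPLE_ASSIGNMENTS: Dict[str, List[str]] = {
    "alice": ["ap_clerk"],
    "bob": ["ap_supervisor"],
    "carol": ["ap_clerk", "ap_supervisor"],     # can create and approve her own entries
    "dave": ["sysadmin"],
    "erin": ["batch_operator", "reconciler"],   # runs the batch and checks it herself
}

if __name__ == "__main__":
    for user, pairs in sod_violations(SAMPLE_ASSIGNMENTS).items():
        print(f"{user}: {', '.join(pairs)}")
    print("privileged:", privileged_users(SAMPLE_ASSIGNMENTS))
```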

5.3.3.2 Financial Controls

Because organizations make considerable investments in IT, budgetary and other financial controls are necessary to ensure the technology yields the projected return on investment or proposed savings. Management processes should be in place to collect, analyze, and report information related to these issues. Unfortunately, new IT developments often suffer massive cost over-runs and fail to deliver the expected cost savings because of insufficient planning. Budgetary controls can help identify potential failings early in the process and allow management to take positive action. They may also produce historical data that organizations can use in future projects.

5.3.3.3 Change Management

Change management processes can be specified under organizational and management control elements. These processes should ensure that changes to the IT environment, systems software, application systems, and data are applied in a manner that enforces appropriate division of duties, makes sure changes work as required, prevents changes from being exploited for fraudulent purposes, and reveals the true costs of inefficiencies and system outages that can be obscured by ineffective monitoring and reporting processes. Change management is one of the most sensitive areas of IT controls and can seriously impact system and service availability if not administered effectively. The IT Process Institute has published research demonstrating that effective IT change management can bring significant benefits to organizations.

5.3.3.4 Other Management Controls

Other typical management controls include vetting procedures for new staff, performance measurement, provision of specialist training for IT staff, and disciplinary procedures. These are listed in the Information Security Program Elements in Appendix A and will be covered in greater detail in other GTAG publications.

5.3.4 Physical and Environmental Controls

IT equipment represents a considerable investment for many organizations. It must be protected from accidental or deliberate damage or loss. Physical and environmental controls, originally developed for large data centers that house mainframe computers, are equally important in the modern world of distributed client-server and Web-based systems. Although the equipment commonly used today is designed for ease of use in a normal office environment, its value to the business and the cost and sensitivity of applications running business processes can be significant. All equipment must be protected, including the servers and workstations that allow staff access to the applications.

Some typical physical and environmental controls include:

• Locating servers in locked rooms to which access is restricted.

• Restricting server access to specific individuals.

• Providing fire detection and suppression equipment.

• Housing sensitive equipment, applications, and data away from environmental hazards such as low-lying flood plains or flammable liquid stores.

When considering physical and environmental security, it is also appropriate to consider contingency planning — also known as disaster recovery planning — which includes response to security incidents. What will the organization do if there is a fire or flood, or if any other threat manifests itself? How will the organization restore the business and related IT facilities and services to ensure normal processing continues with minimum effect on regular operations? This type of planning goes beyond merely providing for alternative IT processing power to be available and routine backup of production data; it must consider the logistics and coordination needed for the full scope of business activity. Finally, history consistently demonstrates that a disaster recovery plan that has not been tested successfully in a realistic simulation is not reliable.

5.3.5 Systems Software Controls

Systems software products enable the IT equipment to be used by the application systems and users. These products include operating systems such as Windows, UNIX, and Linux; network and communications software; firewalls; antivirus products; and database management systems (DBMS) such as Oracle and DB2.

Systems software can be highly complex and can apply to components and appliances within the systems and network environment. It may be configured to accommodate highly specialized needs and normally requires a high degree of specialization to maintain it securely. Configuration techniques can control logical access to the applications, although some application systems contain their own access controls and may provide an opening for hackers to use to break into a system. Configuration techniques also provide the means to enforce division of duties, generate specialized audit trails, and apply data integrity controls through access control lists, filters, and activity logs.

IT audit specialists are required to assess controls in this area. Small organizations are unlikely to have the resources to employ such specialists and should consider outsourcing the work. Whether IT auditors are employed or outsourced, they require a highly specific set of knowledge. Much of this knowledge can come from experience, but such knowledge must be updated constantly to remain current and useful. Certification confirms that a technical specialist has acquired a specified set of knowledge and experience and has passed a related examination. In the IT audit world, global certificates include the Qualification in Computer Auditing (QiCA) from IIA–United Kingdom and Ireland, Certified Information Systems Auditor (CISA) available through the Information Systems Audit and Control Association (ISACA), and Global Information Assurance Certification (GIAC) Systems & Network Auditor (GSNA) from the SANS Institute's GIAC program. Additional certifications address general and specialized competence in information security, network administration, and other areas closely related to IT auditing and are useful for identifying an IT auditor's potential ability.

Some key technical controls the CAE should expect to find in a well-managed IT environment include:

• Access rights allocated and controlled according to the organization's stated policy.

• Division of duties enforced through systems software and other configuration controls.

• Intrusion and vulnerability assessment, prevention, and detection in place and continuously monitored.

• Intrusion testing performed on a regular basis.

• Encryption services applied where confidentiality is a stated requirement.

• Change management processes — including patch management — in place to ensure a tightly controlled process for applying all changes and patches to software, systems, network components, and data.

5.3.6 Systems Development and Acquisition Controls

Organizations rarely adopt a single methodology for all systems development projects. Methodologies are chosen to suit the particular circumstances of each project. The IT auditor should assess whether or not the organization develops or acquires application systems using a controlled method that subsequently provides effective controls over and within the applications and the data they process. All computer application systems should perform only those functions the user requires, in an efficient way. By examining application development procedures, the auditor can gain assurance that applications work in a controlled manner.

Some basic control issues should be evident in all systems development and acquisition work:

• User requirements should be documented, and their achievement should be measured.

• Systems design should follow a formal process to ensure that user requirements and controls are designed into the system.

• Systems development should be conducted in a structured manner to ensure that requirements and design features are incorporated into the finished product.

• Testing should ensure that individual system elements work as required, system interfaces operate as expected, users are involved in the testing process, and the intended functionality has been provided.

• Application maintenance processes should ensure that changes in application systems follow a consistent pattern of control. Change management should be subject to structured assurance validation processes.

Where systems development is outsourced, the outsourcer or provider contracts should require similar controls.

Project management techniques and controls need to be part of the development process, whether developments are performed in-house or are outsourced. Management should know projects are on time and within budget and that resources are used efficiently. Reporting processes should ensure that management completely understands the current status of development projects and does not receive any surprises when the end product is delivered.

5.3.7 Application-based Controls

The objective of internal controls over application systems is to ensure that:

• All input data is accurate, complete, authorized, and correct.

• All data is processed as intended.

• All data stored is accurate and complete.

• All output is accurate and complete.

• A record is maintained to track the process of data from input to storage and to the eventual output.

Reviewing the application controls traditionally has been the "bread and butter" of the IT auditor. However, because application controls now represent a huge percentage of business controls, they should be the priority of every internal auditor. All internal auditors need to be able to evaluate a business process and understand and assess the controls provided by automated processes.

There are several types of generic controls that the CAE should expect to see in any application:

• Input Controls – These controls are used mainly to check the integrity of data entered into a business application, whether the source is input directly by staff, remotely by a business partner, or through a Web-enabled application. Input is checked to ensure that it remains within specified parameters.

• Processing Controls – These controls provide automated means to ensure processing is complete, accurate, and authorized.

• Output Controls – These controls address what is done with the data. They should compare results with the intended result and check them against the input.

• Integrity Controls – These controls can monitor data in process and/or in storage to ensure that data remains consistent and correct.

• Management Trail – Processing history controls, often referred to as an audit trail, enable management to track transactions from the source to the ultimate result and to trace backward from results to identify the transactions and events they record. These controls should be adequate to monitor the effectiveness of overall controls and identify errors as close as possible to their sources.
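The five generic control types above carried through on a constructed batch payment run, as an added example rather than code from the GTAG: input validation against stated parameters, a processing control that reconciles the records received to the sender's batch count and value totals, output postings reconciled back to the accepted input, an integrity hash over stored records, and a management trail that can be traced forward from a transaction and backward from a posting. All account numbers, limits, user names and transactions are constructed.

```python
"""Generic application controls over a constructed batch payment run.
Added example, not GTAG code: input validation, batch control totals, output
reconciliation, an integrity hash over stored records, and a management trail
traceable forward from a transaction and backward from a posting. All accounts,
limits, names and transactions are constructed."""
from decimal import Decimal
from hashlib import sha256
from typing import Dict, List, NamedTuple, Optional, Tuple

class Txn(NamedTuple):
    txn_id: str
    account: str      # constructed format: exactly 10 digits
    amount: Decimal
    approver: str     # user who authorized the payment

class BatchHeader(NamedTuple):  # control totals the sender supplies with the batch
    count: int
    total: Decimal

class PaymentRun:
    def __init__(self, approvers, max_amount: str):
        self.approvers = set(approvers)
        self.max_amount = Decimal(max_amount)
        self.stored: Dict[str, Tuple[Txn, str]] = {}  # txn_id -> (record, hash)
        self.postings: Dict[str, str] = {}            # posting_id -> txn_id
        self.trail: List[dict] = []                   # management trail

    def _log(self, stage: str, txn_id: Optional[str], detail: str) -> None:
        self.trail.append({"seq": len(self.trail) + 1, "stage": stage,
                           "txn_id": txn_id, "detail": detail})

    def trace_forward(self, txn_id: str) -> List[dict]:
        # Management trail, forward: every entry for one source transaction.
        return [e for e in self.trail if e["txn_id"] == txn_id]

    def trace_backward(self, posting_id: str) -> Tuple[str, Txn]:
        # Management trail, backward: from an output posting to its source record.
        return self.postings[posting_id], self.stored[self.postings[posting_id]][0]

    @staticmethod
    def _digest(t: Txn) -> str:
        return sha256("|".join(map(str, t)).encode()).hexdigest()

    def verify_integrity(self) -> List[str]:
        # Integrity control: re-hash stored records, report any whose content changed.
        return [tid for tid, (t, h) in self.stored.items() if self._digest(t) != h]

    def validate_input(self, t: Txn) -> List[str]:
        # Input control: each field checked against the stated parameters.
        errors = []
        if not (t.account.isdigit() and len(t.account) == 10):
            errors.append("bad account format")
        if not (0 < t.amount <= self.max_amount):
            errors.append("amount outside allowed range")
        if t.approver not in self.approvers:
            errors.append("approver not authorized")
        if t.txn_id in self.stored:
            errors.append("duplicate transaction id")
        return errors

    def run(self, header: BatchHeader, txns: List[Txn]) -> dict:
        accepted: List[Txn] = []
        for t in txns:
            errs = self.validate_input(t)
            if errs:
                self._log("input-rejected", t.txn_id, "; ".join(errs))
                continue
            self.stored[t.txn_id] = (t, self._digest(t))
            self._log("input-accepted", t.txn_id, str(t.amount))
            accepted.append(t)
        # Processing control: what arrived must match the sender's control totals.
        recv_count = len(txns)
        recv_total = sum((t.amount for t in txns), Decimal(0))
        batch_ok = recv_count == header.count and recv_total == header.total
        self._log("batch-control", None, f"sent {header.count}/{header.total} got {recv_count}/{recv_total}")
        # Output control: one posting per accepted record, total reconciled to input.
        posted_total = Decimal(0)
        for t in accepted:
            pid = f"P{len(self.postings) + 1:04d}"
            self.postings[pid] = t.txn_id
            posted_total += t.amount
            self._log("output-posted", t.txn_id, pid)
        accepted_total = sum((t.amount for t in accepted), Decimal(0))
        return {"accepted": len(accepted), "rejected": recv_count - len(accepted),
                "batch_control_ok": batch_ok, "posted_total": posted_total,
                "output_reconciled": posted_total == accepted_total}

SAMPLE_TXNS = [  # constructed batch: two good records, four that each trip a control
    Txn("T1", "1234567890", Decimal("250.00"), "bob"),
    Txn("T2", "12345", Decimal("100.00"), "bob"),          # bad account format
    Txn("T3", "9876543210", Decimal("12000.00"), "sue"),   # over the limit
    Txn("T4", "5555555555", Decimal("75.50"), "mallory"),  # not an approver
    Txn("T5", "1111111111", Decimal("400.00"), "sue"),
    Txn("T1", "1234567890", Decimal("250.00"), "bob"),     # replayed duplicate
]
SAMPLE_HEADER = BatchHeader(count=6, total=Decimal("13075.50"))

def demo(header: BatchHeader = SAMPLE_HEADER) -> Tuple[PaymentRun, dict]:
    run = PaymentRun(approvers={"bob", "sue"}, max_amount="10000.00")
    return run, run.run(header, SAMPLE_TXNS)
```

Running `demo()` with a header whose count or total disagrees with the records received flags the processing control, while the trail still lets a reviewer walk each rejected record back to the reason it was rejected.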


5.4 Information Security

Information security is an integral part of all IT controls. Information security applies to both infrastructure and data and is the foundation for the reliability of most other IT controls. The exceptions are controls relating to the financial aspects of IT (e.g., ROI, budgetary controls) and some project management controls. The universally accepted elements of information security are:

• Confidentiality – Confidential information must only be divulged as appropriate and must be protected from unauthorized disclosure or interception. Confidentiality includes privacy considerations.

• Integrity – Information integrity refers to the state of data as being correct and complete. This specifically includes the reliability of financial processing and reporting.

• Availability – Information must be available to the business, its customers, and partners when, where, and in the manner needed. Availability includes the ability to recover from losses, disruption, or corruption of data and IT services, as well as from a major disaster where the information was located.

5.5 IT Controls Framework

IT controls are not automatic. For the more than 50 years organizations have used IT, controls have not always been the default condition of new systems, hardware, or software. The development and implementation of controls typically lag behind the recognition of vulnerabilities in systems and the threats that exploit such vulnerabilities. Further, IT controls are not defined in any widely recognized standard applicable to all systems or to the organizations that use them.

Many frameworks exist for categorizing IT controls and their objectives. Each organization should use the most applicable components of these frameworks to categorize or assess IT controls and to provide and document its own internal control framework for:

• Compliance with applicable regulations and legislation.

• Consistency with the organization's goals and objectives.

• Reliable evidence (assurance) that activities are in compliance with management's governance policies and are consistent with the organization's risk appetite.

Risk AppetiteAn organizationrsquos risk appetite defines the degree of risk a company or other organization is willing to accept in pursuit of its goals as determined by executive management and governance Risk appetite can specify for example whether or not an organization will take an aggressive role in the deployment of new and emerging technologies An organizationrsquos risk appetite can be affected by its industry and regulatory environment Closelyrelated to risk appetite is an organizationrsquos risk tolerance which measures how far it is willing to deviate from itsstated measure of risk appetite

6 Importance of IT Controls
Many issues drive the need for IT controls, including controlling costs and remaining competitive, protecting against information theft by hackers, and complying with legislation and regulation such as the U.S. Sarbanes-Oxley Act of 2002,² the European Union’s Data Protection Directive, and related legislation in other countries. IT controls promote reliability and efficiency and allow the organization to adapt to changing risk environments. For example, any control that mitigates or detects fraud or cyberattacks enhances the organization’s resiliency by helping the organization uncover the risk and manage its impact. Resiliency is a result of a strong system of internal controls that gives an organization the ability to manage disruptions seamlessly.

Legislation and regulations in some countries now require organizations to report on the effectiveness of internal control and, by implication, the effectiveness of IT control. The most prominent new law is Sarbanes-Oxley, which requires all companies with shares that are publicly traded in the United States, and their foreign subsidiaries, to report on their system of internal controls over financial reporting, performed in conjunction with an audit of financial statements. A list of some of the legislation and regulations applicable to internal controls is provided in Appendix B (see page 24).

The need for controls is further driven by the complexity resulting from the necessity for diverse technical components to work with one another. While flexibility and adaptability of IT are crucial to meeting the changing needs of customers and business partners and responding to competitive pressures, they also add complexity to business and IT infrastructures. In addition, information security has been acknowledged as a key component of internal control with the emergence and widespread acceptance of standards such as the International Organization for Standardization Code of Practice for Information Security Management (ISO 17799).

Organizations that implement effective IT controls experience improvements in efficiencies, reliability of services, flexibility of systems, and availability of assurance evidence — all of which add value and increase stakeholder and regulator confidence in the organization. Some key indicators of effective IT controls include:

• The ability to execute planned new work, such as the IT infrastructure upgrades required to support new products and services.
• Delivery of development projects on time and within budget, resulting in cheaper and better product and service offerings when compared with competitors.
• Ability to allocate resources predictably.
• Consistent availability and reliability of information and IT services across the organization and for customers, business partners, and other external interfaces.
• Clear communication to management of effective controls.
• The ability to protect against new vulnerabilities and threats quickly and efficiently, and to recover from any disruption of IT services.
• The efficient use of a customer support center or help desk.
• A security-conscious culture among end users throughout the organization.

Although the internal audit function likely will include specialist IT auditors to address IT issues in detail, the CAE also should understand IT control issues at a high level, particularly their interactions with other IT and non-IT controls. This understanding is particularly important when discussing compliance or control deficiencies with high-level managers such as the chief executive officer (CEO), chief financial officer (CFO), or chief information officer (CIO), and with the various board committees.

The CAE should be able to discuss relevant regulations and legislation with the audit committee, the chief legal counsel, and other relevant individuals and committees. The CAE also should understand how IT controls support reliability and effectiveness and help promote competitive advantage. Moreover, the CAE should thoroughly understand the major issues that drive the need for controls within the organization’s particular sector to ensure they are considered during audit assessments. Without a thorough knowledge and understanding of IT controls, the auditor will be unable to grasp their significance or to assess them adequately as part of the overall review of internal control.


² Public Accounting Reform and Investor Protection Act of 2002, known as Sarbanes-Oxley after its sponsors, U.S. Sen. Paul Sarbanes and U.S. Rep. Michael Oxley.

7 IT Roles in the Organization

Many different roles have emerged in recent years for positions within the organization with responsibilities and ownership of IT controls. Each position at the governance, management, operational, and technical levels should have a clear description of its roles and responsibilities for IT controls to avoid confusion and ensure accountability for specific issues. This section addresses the various IT control roles and responsibilities within the organization and allocates them to specific positions within a hypothetical organizational structure.

There is no universally applicable means of defining the organizational structure for IT control. The CAE should identify where IT control responsibilities lie and assess their appropriateness with regard to separation of duties, as well as any gaps that may exist in assigned responsibilities. Once this is done, the CAE will know whom to approach to discuss specific IT issues and where specific information can be obtained.

Overall, the objectives for the use of IT within any organization are:

• To deliver reliable information efficiently and secure IT services in line with the organization’s strategies, policies, external requirements, and risk appetite.
• To protect stakeholder interests.
• To enable mutually beneficial relationships with customers, business partners, and other outside parties that accomplish business objectives.
• To identify and respond to threats and potential violations of control appropriately.

Specific roles within the organization support these objectives. The position descriptions and titles will differ across different countries, industries, and organizations, and some of the roles may be merged within smaller organizations. However, some individuals within the organization must address the IT control function and interact with the CAE and internal audit staff members.

7.1 Board of Directors/Governing Body
One important role of the full board of directors is to determine and approve strategies, set objectives, and ensure that objectives are being met to support the strategies. In relation to IT, this requires:

• Awareness of the key IT topics, such as the IT and information security policies and the concepts of risk as they relate to IT. An example of board roles in IT oversight is provided in The IIA’s “Information Security Management and Assurance Series” at www.theiia.org/iia/index.cfm?doc_id=2458.
• Understanding of the IT strategy’s infrastructure and components, as well as awareness of key system development and acquisition projects and how they support and impact overall corporate strategies, objectives, and short- and long-term budgets.
• Approval of the data classification structure and the related access rights.

The board will establish various committees based on its relationships with the organization. The most common committees of the board are audit, compensation, and governance, but some boards have additional committees such as a risk management committee or finance committee. These committees may bear different names from those identified below, and their roles may vary. The functions, rather than the names, are important.

7.1.1 Audit Committee

The role of the audit committee encompasses oversight of financial issues, internal control assessment, risk management, and ethics. IT control is a strong element of each of these duties and calls for:

• Understanding of financial management (financial expert role) and the organization’s reliance on IT for financial processing and reporting.
• Ensuring IT topics are included in the committee meeting agenda — especially CIO reporting.
• Ensuring general IT controls, and controls in business application systems and processes involved in preparing financial statements, are assessed and tested adequately.
• Overseeing the overall assessment of IT controls.
• Reviewing the business and control issues related to new systems development and acquisition.
• Examining internal and external audit plans and work to ensure IT topics are covered adequately.
• Reviewing the results of audit work and monitoring the resolution of issues raised.
• Understanding the IT topics that impact ethics monitoring.

7.1.2 Compensation Committee

The compensation committee has no direct relationship with IT. However, it can improve the board’s oversight of IT by making IT one of the performance elements of any compensation plan it approves.

7.1.3 Governance Committee

The governance committee is responsible for board member selection and assessment and for leadership of the board’s operations. In relation to IT, this committee should:

• Ensure that potential and current board members have suitable IT knowledge or background.
• Assess board committees’ performance in terms of their oversight of IT.
• Review any external regulatory governance assessments in relation to IT topics.
• Ensure that the board reviews IT policies periodically and that board meetings focus on IT with adequate frequency.

7.1.4 Risk Management Committee

The risk management committee is responsible for oversight of all risk analysis and assessment, risk response, and risk monitoring. Its role includes:

• Assessing the extent to which management has established effective enterprise risk management in the organization.
• Being aware of and concurring with the organization’s risk appetite and tolerance.
• Appreciating the impact of IT-related risks.
• Reviewing the organization’s risk portfolio — including IT risks — and considering it against the organization’s risk appetite.
• Being apprised of the most significant IT risks and determining whether or not management’s response to changes in risk and threats is appropriate.
• Monitoring and evaluating all activities performed by management to minimize all known and documented risks.

7.1.5 Finance Committee

The main role of the finance committee is to review financial statements, cash flow projections, and investment management. Members of this committee need to understand the control elements of IT that ensure the accuracy of information used to make key financing decisions and generate financial reports. They also should consider, and ask management to report on, the benefits and costs of maintaining — versus replacing — critical IT systems. Management’s report should consider “soft” efficiency issues, such as gains or losses to productivity based on ease and efficiency of use; the “hard” costs of repairs and upgrades; and the potential for risk due to loss or corruption of data.

7.2 Management
Several specific roles have emerged in large organizations in relation to IT risk and control. As stated previously, small organizations might not allocate an individual for each role, although the function must still be performed. An individual may perform multiple roles, but care must be taken so that allocating these roles does not compromise the need for division of duties where roles are incompatible. Where IT is outsourced, there is still a requirement for organizations to keep many of these roles in-house to provide oversight of the outsourced functions.

7.2.1 Chief Executive Officer

The individual with overall strategic and operational control of the organization must consider IT in most aspects of the role. In particular, the CEO will:

• Define corporate objectives and performance measures in relation to IT.
• Act as custodian over the organization’s critical success factors in relation to IT.
• Understand and approve the short-term and long-range strategy for IT.
• Approve IT resources for the organization, including structure and oversight/monitoring.
• Determine IT issues for periodic management, board, and staff discussion.
• Operate as the highest-level control owner, having ultimate responsibility for the success or failure of controls and for coordinating all other operational managers within their responsibilities framework who act as control owners of their particular areas.

7.2.2 Chief Financial Officer

The CFO has overall responsibility for all financial matters in the organization and should have a strong understanding of the use of IT, both to enable financial management and to support corporate objectives. This individual should have an overall understanding of:

• The total cost of ownership for IT initiatives.
• The entity’s IT strategies for remaining technologically competitive.
• The technologies used to implement financial applications.
• The operation of specific financial applications.
• The limitations and benefits of IT.
• The IT control structure for general controls that apply to all business systems and data, as well as controls that are specific to financial applications.

The CFO should operate as the highest-level control owner for financial systems and data.

IT Controls and Ethics

As evidenced by cases from Equity Funding in the 1970s to the scandals that continue to emerge today, the use of technology creates significant opportunities to initiate and perpetuate fraud and deception. The authority to override certain controls brings with it the temptation to initiate improper actions. If such improprieties go unnoticed or are tacitly allowed to continue, they can grow into outright fraud. Therefore, when an organization provides an individual the opportunity to perform actions on behalf of the organization, it has a corresponding responsibility to provide monitoring to detect and correct improper activities quickly. The organization also has a responsibility to identify threats of this sort and to establish safeguards as a preventive measure. The same technology tools that can create the opportunity for fraud can be used to identify activities, or even unusual patterns in transactions or other data, that may indicate evidence of fraud or questionable behavior.

7.2.3 Chief Information Officer

The CIO has overall responsibility for the use of IT within the organization. In relation to IT controls, the CIO should:

• Understand the business requirements that drive the need to implement IT.
• Develop IT partnerships with business management to:
  – Ensure IT strategy is aligned with the business strategy.
  – Ensure compliance.
  – Profit from process-efficiency gains.
  – Mitigate assessed risks.
• Design, implement, and maintain an IT internal control framework.
• Plan, source, and control IT resources.
• Explore, assess, select, and implement technology advances (e.g., wireless communications).
• Provide training for IT personnel to ensure that levels of knowledge and skills remain current.
• Operate as the highest-level data/system custodian and IT control owner.
• Measure the operational performance of IT in support of business objectives by:
  – Setting expectations.
  – Evaluating results.
• Develop all necessary means to verify and acknowledge that IT is providing services and support as expected by its users and final customers, such as regulators and external and internal auditors.

7.2.4 Chief Security Officer

The chief security officer (CSO) is responsible for all security across the entire organization, including information security, which may be the responsibility of a chief information security officer as well. The CSO:

• Has responsibility for documenting the enterprise security policy and for ensuring mechanisms have been established to communicate and enforce the policy.
• Has overall responsibility for logical and physical security in the organization and for all external connections to the Internet or other networks.
• Acts as a key link between the compliance, legal, CIO, and audit functions.
• Is at the forefront of implementing key compliance programs affecting IT, such as Sarbanes-Oxley and the European Union (EU) Data Protection Directive.
• Is responsible for business continuity planning, including incident handling and disaster recovery.
• Ensures that security staff provide support for implementing controls at all levels.
• Acts as the key leader for investigating and evaluating new best practices that may be incorporated into the organization.

7.2.5 Chief Information Security Officer (CISO)

Information security is a subset of the overall security role. The CISO:

• Develops and implements the information security policy in coordination with the CSO.
• Controls and coordinates information security resources, ensuring they are allocated adequately to meet the organization’s security objectives.
• Ensures alignment of information security and business objectives.
• Manages operational information risks throughout the organization.
• Oversees security within the IT organization.
• Provides education and awareness on information security issues and new best practices.
• Develops end-user policies for the usage of IT information in conjunction with the human resources function.
• Coordinates information security work with the chief risk officer (CRO) and CIO.
• Advises the CEO, CRO, CIO, and board on IT risk issues.
• Acts as a key link for the CAE when internal auditing performs IT control-related audits.

7.2.6 Chief Legal Counsel (CLC)

Legal counsel may be an employee or officer of the organization or an external legal adviser. The role involves:

• Understanding and dealing with the liabilities arising out of information disclosures and providing policy-level guidance to help manage risks related thereto.
• Ensuring financial reports and presentations comply with laws and regulations.
• Understanding IT legal issues and advising on legal risks related to IT.
• Managing organizational reputation in relation to legal issues, compliance, and public relations.
• Understanding fraud involving IT.
• Managing IT contractual issues.
• Understanding investigative forensics protocols regarding suspected criminal activity.

7.2.7 Chief Risk Officer

The CRO is concerned with managing risk at all levels of the organization. Because IT risks form a part of this function, the CRO will consider them with the help of the CISO. This includes:

• Analysis and assessment of IT risk exposures, including information compromises such as loss, damage, unauthorized disclosure, and interrupted access.
• Assessment of IT events such as interruptions, disasters, and changes.
• Analysis and assessment of business risk as it is affected by IT risk.
• Monitoring, supporting, and acting as a mentor for all IT activities related to minimizing risks.

7.3 Audit

7.3.1 Internal Auditing – CAE and Audit Staff

Internal auditing is an essential part of the corporate governance process, whether or not a specific internal audit group is employed. Internal auditors need a general understanding of IT, but the level of their understanding will vary depending on the category of auditing or audit supervision they perform (IIA Standard 1210.A3). The IIA defines three categories of IT knowledge for internal auditors; Appendix C (see page 28) describes these categories. The internal audit role in relation to IT involves:

• Advising the audit committee and senior management on IT internal control issues.
• Ensuring IT is included in the audit universe and annual plan (selecting topics).
• Ensuring IT risks are considered when assigning resources and priorities to audit activities.
• Defining IT resources needed by the internal audit department, including specialized training of audit staff.
• Ensuring that audit planning considers IT issues for each audit.
• Liaising with audit clients to determine what they want or need to know.
• Performing IT risk assessments.
• Determining what constitutes reliable and verifiable evidence.
• Performing IT enterprise-level controls audits.
• Performing IT general controls audits.
• Performing IT application controls audits.
• Performing specialist technical IT controls audits.
• Making effective and efficient use of IT to assist the audit processes.
• During systems development or analysis activities, operating as experts who understand how controls can be implemented and circumvented.
• Helping to monitor and verify the proper implementation of activities that minimize all known and documented IT risks.

7.3.2 External Auditor

Independent external audits are a requirement for most organizations and normally are performed annually. Topics to be considered by the internal audit department and the audit committee include:

• The extent of the external auditor’s responsibilities for understanding and evaluating the IT system and related IT controls during financial audits.
• The scope of the external auditor’s responsibilities for examining the IT system and controls during any formal attestation that may be required by statute or regulation, such as internal controls over financial reporting and other regulatory requirements.


8 Analyzing Risk

8.1 Risk Determines Response
IT controls are selected and implemented on the basis of the risks they are designed to manage. As risks are identified — through experience or formal risk assessment — suitable risk responses are determined, ranging from doing nothing and accepting the risk as a cost of doing business to applying a wide range of specific controls, including insurance.

It would be a relatively straightforward task to create a list of recommended IT controls that must be implemented within each organization. However, each control has a specific cost that may not be justified in terms of cost effectiveness when considering the type of business done by the organization. Furthermore, no list of controls is universally applicable across all types of organizations. Although there is a lot of good advice available on the choice of suitable controls, strong judgment must be used. Controls must be appropriate for the level of risk faced by the organization.

The CAE should be able to advise the audit committee that the internal control framework is reliable and provides a level of assurance appropriate to the risk appetite of the organization. In this respect, the risk appetite of the organization is defined by COSO³ as:

“… the degree of risk, on a broad-based level, that a company or other organization is willing to accept in pursuit of its goals. Management considers the organization’s risk appetite first in evaluating strategic alternatives, then in setting objectives aligned with the selected strategy, and in developing mechanisms to manage the related risks.”

In addition, the CAE should consider risk tolerance. COSO defines risk tolerance as:

“… the acceptable level of variation relative to the achievement of objectives. In setting specific risk tolerances, management considers the relative importance of the related objectives and aligns risk tolerances with its risk appetite.”

³ These definitions are taken from the COSO Enterprise Risk Management – Integrated Framework (Oct. 2004).

Thus, the CAE should consider whether or not:

• The organization’s IT environment is consistent with the organization’s risk appetite.
• The internal control framework is adequate to ensure that the organization’s performance remains within the stated risk tolerances.

8.2 Risk Considerations in Determining the Adequacy of IT Controls

Risk management applies to the entire spectrum of activity within an organization, not just to the application of IT. IT cannot be considered in isolation but must be treated as an integral part of all business processes. Choosing IT controls is not simply a matter of implementing those recommended as best practices. They must add value to the organization by reducing risk efficiently and increasing effectiveness.

When considering the adequacy of IT controls within the organization’s internal control framework, the CAE should consider the processes established by management to determine:

• The value and criticality of information.
• The organization’s risk appetite and tolerance for each business function and process.
• IT risks faced by the organization and the quality of service provided to its users.
• The complexity of the IT infrastructure.
• The appropriate IT controls and the benefits they provide.
• Harmful IT incidents in the past 24 months.

The frequency of risk analysis is important and is influenced greatly by technological change. In a static business and technical infrastructure environment, the risk assessment process could be as infrequent as yearly, or could be performed in concert with a major implementation project.

8.2.1 The IT Infrastructure

Analyzing and assessing risk in relation to IT can be complex. The IT infrastructure consists of hardware, software, communications, applications, protocols (rules), and data, as well as their implementation within physical space, within the organizational structure, and between the organization and its external environment. Infrastructure also includes the people interacting with the physical and logical elements of systems.

The inventory of IT infrastructure components reveals basic information about the vulnerabilities of the environment. For example, business systems and networks connected to the Internet are exposed to threats that do not exist for self-contained systems and networks. Because Internet connectivity is an essential element of most business systems and networks, organizations must make certain that their systems and network architectures include the fundamental controls that ensure basic security.

The complete inventory of the organization’s IT hardware, software, network, and data components forms the foundation for assessing the vulnerabilities within the IT infrastructures that may impact internal controls. Systems architecture schematics reveal the implementation of infrastructure components and how they interconnect with other components within and outside the organization. To the information security expert, the inventory and architecture of IT infrastructure components — including the placement of security controls and technologies — reveal potential vulnerabilities. Unfortunately, information about a system or network can also reveal vulnerabilities to a potential attacker, so access to such information must be restricted to only those people who need it. A properly configured system and network environment will minimize the amount of information it provides to would-be attackers, and an environment that appears secure presents a less attractive target to most attackers.


8.2.2 IT Risks Faced by the Organization

The CAE discusses IT risk issues with the CIO and process owners to ensure that all related parties have an appropriate awareness and understanding of the technical risks faced by the organization through the use of IT, and of their roles in applying and maintaining effective controls.

8.2.3 Risk Appetite and Tolerance

Armed with the knowledge of IT risks, the auditor can validate the existence of effective controls to meet the established risk appetite of the organization and its risk tolerance in relation to IT. The auditor’s assessment will involve discussions with many members of management and, ultimately, with the board. The level of detail of these discussions can be determined by the CRO with input from the CIO, CISO, CSO, CAE, and process owners. The final decision regarding risk appetite and tolerance must be made by the risk committee — with input from the audit committee — and must be endorsed by the full board. The definitions of risk appetite and tolerance must be communicated to all relevant managers for implementation.

The goal of enterprise risk management is to ensure that everyone is working with the same level and understanding of risk, and that decisions made at all levels of management are consistent with the organization’s risk appetite.

8.2.4 Performing Risk Analysis

Performing risk analysis is not the sole preserve of either the CRO or the CAE, although both of them, or their representatives, should be involved along with representatives from IT and the business areas.

There are eight basic questions associated with the risk assessment process. The first five are:

• What are the assets at risk, and what is the value of their confidentiality, integrity, and availability?
• What could happen to affect that information asset value adversely (threat event)? Implicit in this question is the vulnerability analysis and the mapping of vulnerabilities to threats and potentially impacted information assets.
• If a threat event happened, how bad could its impact be?
• How often might the event be expected to occur (frequency of occurrence)?
• How certain are the answers to the first four questions (uncertainty analysis)?

The next three questions apply to risk mitigation analysis:

• What can be done to reduce the risk?
• How much will it cost?
• Is it cost-efficient?
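The eight questions lend themselves to a small quantitative pass. The following Python is an added example, not part of the GTAG: it uses the annualized loss expectancy model (loss per event multiplied by expected events per year), which the guide does not prescribe, and carries the uncertainty of question 5 as low and high estimates so that question 8 is answered against both ends of the range rather than a single point value. Every asset, event, cost and percentage in it is constructed for illustration.

```python
"""Quantitative pass over the eight risk-assessment questions.

Added example, not taken from the GTAG text. It uses annualized loss
expectancy (ALE = loss per event x expected events per year), a common
technique the guide does not prescribe. Every asset, event, cost and
percentage below is constructed for illustration; (low, high) ranges
carry the uncertainty asked about in question 5.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Threat:
    asset: str            # Q1: the asset at risk
    event: str            # Q2: the threat event against it
    impact_low: float     # Q3: loss per event, low and high estimate
    impact_high: float
    freq_low: float       # Q4: events per year, low and high estimate
    freq_high: float

    def ale(self):
        """Annualized loss expectancy as a (low, high) range (Q5)."""
        return (self.impact_low * self.freq_low,
                self.impact_high * self.freq_high)


@dataclass(frozen=True)
class Control:
    name: str                # Q6: what can be done
    annual_cost: float       # Q7: what it costs per year
    freq_reduction: float    # share of events it prevents, 0.0 to 1.0
    impact_reduction: float  # share of per-event loss it avoids, 0.0 to 1.0

    def apply(self, threat):
        """The residual threat once this control is in place."""
        f = 1.0 - self.freq_reduction
        i = 1.0 - self.impact_reduction
        return replace(threat,
                       impact_low=threat.impact_low * i,
                       impact_high=threat.impact_high * i,
                       freq_low=threat.freq_low * f,
                       freq_high=threat.freq_high * f)


def evaluate(threat, control):
    """Q8: is the control cost-efficient? Judged against both ends of the
    uncertainty range, not a single point estimate."""
    before_low, before_high = threat.ale()
    after_low, after_high = control.apply(threat).ale()
    saving_low = before_low - after_low       # pessimistic saving
    saving_high = before_high - after_high    # optimistic saving
    if saving_low > control.annual_cost:
        verdict = "implement"         # pays for itself even in the low case
    elif saving_high <= control.annual_cost:
        verdict = "do not implement"  # cannot pay for itself; accept or find a cheaper response
    else:
        verdict = "refine estimates"  # decision hinges on the uncertain inputs
    return {"asset": threat.asset, "control": control.name,
            "ale_before": (before_low, before_high),
            "ale_after": (after_low, after_high),
            "saving": (saving_low, saving_high),
            "verdict": verdict}


# Constructed register: three threats, each with one candidate control.
REGISTER = [
    (Threat("customer database", "disclosure via compromised web server",
            200_000, 1_000_000, 0.1, 0.5),
     Control("web application firewall plus patch SLA", 60_000, 0.8, 0.0)),
    (Threat("payroll file server", "ransomware makes data unavailable",
            50_000, 150_000, 0.2, 1.0),
     Control("offline, regularly tested backups", 8_000, 0.0, 0.9)),
    (Threat("public marketing site", "defacement", 5_000, 20_000, 0.1, 0.3),
     Control("24x7 managed monitoring service", 30_000, 0.5, 0.5)),
]


def assess(register=REGISTER):
    """Evaluate every (threat, control) pair in the register."""
    return [evaluate(t, c) for t, c in register]


if __name__ == "__main__":
    for r in assess():
        lo, hi = r["saving"]
        print(f"{r['asset']:<22} {r['control']:<40} "
              f"saving {lo:>9,.0f} to {hi:>9,.0f} per year -> {r['verdict']}")
```

Running the module prints one line per threat. The point of carrying ranges is the middle verdict: when a control pays for itself only under the optimistic estimates, the honest answer to question 8 is to tighten the answers to the first five questions before spending, rather than approving or rejecting on a point value.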

8.2.5 Value of Information

Determining the value of the information processed and stored is not an easy task due to the multidimensional nature of value. The Generally Accepted Information Security Principles (GAISP) Guidelines for Information Valuation, published by the Information Systems Security Association (www.issa.org), address information value within the following categories:

• Exclusive possession – cost in the event of a breach of confidentiality.
• Utility – cost in the event of a loss of integrity.
• Cost of creation/re-creation.
• Liability in the event of litigation.
• Convertibility/negotiability – represents market value.
• Operational impact of unavailability.

8.2.6 Appropriate IT Controls

Finally, appropriate IT controls must be chosen and implemented to address the risks identified. Much advice is available on this subject. See Appendix I (see page 45).

The CAE and internal audit group should be involved in the process of analyzing and assessing risk. While they should operate in a manner that maintains the independence and objectivity of their function, they also must provide an opinion on the effectiveness of the internal control framework.

8.3 Risk Mitigation Strategies
When risks are identified and analyzed, it is not always appropriate to implement controls to counter them. Some risks may be minor, and it may not be cost effective to implement expensive control processes for them.

In general, there are several ways to mitigate the potential impact of risks:

• Accept the risk. One of the primary functions of management is managing risk. Some risks are minor because their impact and probability of occurrence are low. In this case, consciously accepting the risk as a cost of doing business is appropriate, as is periodically reviewing the risk to ensure its impact remains low.
• Eliminate the risk. It is possible for a risk to be associated with the use of a particular technology, supplier, or vendor. The risk can be eliminated by replacing the technology with more robust products and by seeking more capable suppliers and vendors.
• Share the risk. Risk mitigation approaches can be shared with trading partners and suppliers. A good example is outsourcing infrastructure management. In such a case, the supplier mitigates the risks associated with managing the IT infrastructure by being more capable and having access to more highly skilled staff than the primary organization. Risk also may be mitigated by transferring the cost of realized risk to an insurance provider.
• Control/mitigate the risk. Where other options have been eliminated, suitable controls must be devised and implemented to prevent the risk from manifesting itself or to minimize its effects.

GTAG — Analyzing Risk — 8


8.4 Control Characteristics to Consider

Some of the issues to be addressed during the IT control evaluation process include:

• Is the control effective?
• Does it achieve the desired result?
• Is the mix of preventive, detective and corrective controls effective?
• Do the controls provide evidence when control parameters are exceeded or when controls fail? How is management alerted to failures, and which steps are expected to be taken?
• Is evidence retained (audit or management trail)?

8.5 Baseline IT Controls

IT controls are to be applied when mitigating the risks is the best option. While IT controls should be applied with due regard to the relevant risks, there is a basic set of controls that needs to be in place to provide a fundamental level of IT hygiene. For example, the use of a firewall to control traffic between a corporate network and a public network such as the Internet, or between internal network domains, is a baseline control. The level of risk associated with the business value and sensitivity of the network traffic, the services provided and the information stored in the infrastructure determines the extent to which firewalls restrict traffic coming into and departing from an organization's networks. Firewalls are a physical and logical manifestation of information security policy elements that dictate what is allowed into or out of an organization.

IT controls most widely applicable to all IT infrastructures are known as baseline controls. There are many types of baseline controls. Two baselines that apply to IT security controls are the Digital Dozen from the VISA Cardholder Information Security Program (CISP) and the Fundamental Five from the Center for Internet Security (see sidebars on this page). The Fundamental Five and Digital Dozen complement each other.

It is not easy to define the baseline IT controls because the general threats, such as malicious software and hacking, change, and newer technologies and applications frequently are implemented across the organization. The following questions can be considered when selecting a suitable set of baseline controls:

• Do IT policies — including for IT controls — exist?
• Have responsibilities for IT and IT controls been defined, assigned and accepted?
• Are IT infrastructure, equipment and tools logically and physically secured?
• Are access and authentication control mechanisms used?
• Is antivirus software implemented and maintained?
• Is firewall technology implemented in accordance with policy (e.g., where external connections such as the Internet exist and where separation between internal networks is needed)?
• Are external and internal vulnerability assessments completed, and risks identified and appropriately resolved?
• Are change and configuration management and quality assurance processes in place?
• Are structured monitoring and service measurement processes in place?
• Are specialist IT audit skills available (either internally or outsourced)?

Further information on baseline controls can be found in Appendix I (page 45). More comprehensive information on risk analysis and management can be found in the IIA paper Information Security Management and Assurance: A Call to Action for Corporate Governance (http://www.theiia.org/eSAC/pdf/BLG0331.pdf).


Fundamental Five

The Consensus Benchmarks from the Center for Internet Security (www.cisecurity.org) provide guidance on the "Fundamental Five" of basic security hygiene. Use of these benchmarks typically results in an 80 percent to 95 percent reduction of known vulnerabilities.

1. Identity and Access Management (including privilege assignment and authentication)
2. Change Management (including patch management)
3. Configuration Management
4. Firewalls (workstation, host, sub-network and perimeter)
5. Malware protection (including worms and viruses)

Digital Dozen

One of the most concise and broadly useful summaries of security guidance is the VISA CISP, which has proven its value for over two years in use by VISA credit card network service providers, including banks, processors, merchants and others. VISA refers to these requirements as its "Digital Dozen":

1. Install and maintain a working firewall to protect data
2. Keep security patches up-to-date
3. Protect stored data
4. Encrypt data sent across public networks
5. Use and regularly update anti-virus software
6. Restrict access by need to know
7. Assign a unique Identification Code (ID) to each person with computer access
8. Don't use vendor-supplied defaults for passwords and security parameters
9. Track all access to data by unique ID
10. Regularly test security systems and processes
11. Implement and maintain an information security policy
12. Restrict physical access to data
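Items 6, 7 and 9 of the Digital Dozen (need to know, one unique ID per person, and tracking every access by that ID) can be tested directly against an access log, which is also the evidence trail asked for in 8.4. The Python script below is an added example; it is not code from this GTAG or from the VISA CISP. The directory, the entitlement table, the log line format and the log lines themselves are constructed for illustration.

```python
"""Access log review against Digital Dozen items 6, 7 and 9.

Added example; not code from the GTAG or from the VISA CISP. The directory,
the entitlement table, the log line format and the log lines below are all
constructed for illustration.
"""
import re

# Item 7: one unique ID per person. Anything not in the directory is either a
# generic/shared account or an unknown ID.
DIRECTORY = {"jsmith": "Jane Smith", "pkumar": "Priya Kumar", "lwong": "Li Wong"}
GENERIC_IDS = {"admin", "root", "sa", "guest"}

# Item 6: need to know, expressed as the data sets each ID may touch.
ENTITLEMENTS = {
    "jsmith": {"payroll", "gl"},
    "pkumar": {"gl"},
    "lwong": {"cardholder"},
}

# Hypothetical log format: "<timestamp> user=<id> action=<op> object=<dataset>".
# The user= field is optional on purpose so that unattributed access (item 9)
# can be demonstrated.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?:user=(?P<user>\S+)\s+)?action=(?P<action>\S+)\s+object=(?P<obj>\S+)$")

# Constructed sample lines.
SAMPLE_LOG = """\
2005-03-01T08:00:01 user=jsmith action=read object=payroll
2005-03-01T08:02:10 user=pkumar action=read object=payroll
2005-03-01T08:05:44 user=admin action=read object=cardholder
2005-03-01T08:07:00 user=lwong action=export object=cardholder
2005-03-01T08:09:30 user=tnguyen action=read object=gl
2005-03-01T08:10:00 action=read object=gl
"""


def review_line(line):
    """Return the list of findings for one log line (empty if it is clean)."""
    m = LINE_RE.match(line)
    if not m:
        return [f"UNPARSEABLE: {line!r}"]
    user, obj = m.group("user"), m.group("obj")
    if user is None:
        return ["NO_ID: access is not attributed to any ID (item 9)"]
    if user in GENERIC_IDS:
        return [f"SHARED_ID: '{user}' is a generic account, not a person's unique ID (item 7)"]
    if user not in DIRECTORY:
        return [f"UNKNOWN_ID: '{user}' is not in the directory (item 7)"]
    if obj not in ENTITLEMENTS.get(user, set()):
        return [f"NEED_TO_KNOW: '{user}' is not entitled to '{obj}' (item 6)"]
    return []


def review_log(log_text):
    """Return {line_number: [findings]} for every line that raised a finding."""
    report = {}
    for number, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        findings = review_line(line)
        if findings:
            report[number] = findings
    return report


if __name__ == "__main__":
    for number, findings in review_log(SAMPLE_LOG).items():
        print(f"line {number}: " + "; ".join(findings))
```

Each finding names the Digital Dozen item it relates to, so exceptions can be reported against the baseline. A generic account is reported even when the data it touched would have been in scope for some entitled person, because activity under a shared ID cannot be attributed to an individual, which defeats item 9 as well as item 7.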


9.1 Choosing a Control Framework

The process of identifying and assessing the IT controls necessary to address specific risks is aided considerably by the organization's adoption of a formal control framework. This framework should apply to, and be used by, the whole organization — not just internal auditing. Although many frameworks exist, no single framework covers every possible business type or technology implementation.

A control framework is a structured way of categorizing controls to ensure that the whole spectrum of control is adequately covered. The framework can be informal or formal. A formal approach will satisfy the various regulatory or statutory requirements faced by many organizations more readily.

Each organization should examine existing control frameworks to determine which of them — or which parts — most closely fit its needs. The process of choosing or constructing a control framework should involve all positions in the organization with direct responsibility for controls. The CAE should be involved in the decision process because the internal audit function will assess the framework's adequacy and use it as a context for planning and performing audit work.

The CAE needs an overall knowledge of IT risk issues to assess the effectiveness and appropriateness of IT controls. The CAE will base the audit plan and allocate audit resources according to the IT areas and issues that merit attention due to their inherent levels of risk. Risk analysis and assessment cannot be viewed as a one-time process, especially when applied to IT, because technology changes constantly and rapidly, as do the associated risks and threats. Categorizing IT controls according to their organizational placement, purpose and functionality is useful in assessing their value and adequacy, as well as the adequacy of the system of internal controls. Knowledge of the range of available IT controls, the driving forces for controls, and organizational roles and responsibilities allows for comprehensive risk analysis and assessments. In assessing control effectiveness, it is also useful to understand whether the controls are mandated or voluntary, discretionary or nondiscretionary, manual or automated, primary or secondary, and subject to management override.

Finally, the assessment of IT controls involves selecting key controls for testing, evaluating test results, and determining whether or not evidence indicates any significant control weaknesses. The checklist in Appendix H can help the CAE ensure all relevant issues have been considered when planning and directing internal audit assessments of IT controls. Several existing frameworks and approaches can assist the CAE and other managers when determining IT control requirements. However, organizations should investigate enough frameworks to determine which one best fits their own needs and culture. A partial list of available frameworks is provided in Appendix D (page 29).

The COSO Internal Control – Integrated Framework (1992) is accepted by the US Public Company Accounting Oversight Board (PCAOB) for the purpose of reporting compliance with financial reporting provisions, but it is not specific to all areas of IT. This framework is considered to be a "suitable, recognized" framework to adopt for Sarbanes-Oxley compliance because it covers all areas of IT implementation, albeit at a high level of abstraction (see Figure 5, COSO Model for Technology Controls).

GTAG — Monitoring and Techniques — 9

Figure 5 – COSO Model for Technology Controls

Monitoring
• Monthly metrics from technology performance
• Technology cost and control performance analysis
• Periodic technology management assessments
• Internal audit of technology enterprise
• Internal audit of high-risk areas

Control Activities
• Review board for change management
• Comparison of technology initiatives to plan and return on investment
• Documentation and approval of IT plans and systems architecture
• Compliance with information and physical security standards
• Adherence to business continuity risk assessment
• Technology standards compliance enforcement

Information and Communication
• Periodic corporate communications (intranet, e-mail, meetings, mailings)
• Ongoing technology awareness of best practices
• IT performance survey
• IT and security training
• Help desk ongoing issue resolution

Risk Assessment
• IT risks included in overall corporate risk assessment
• IT integrated into business risk assessments
• Differentiate IT controls for high-risk business areas/functions
• IT internal audit assessment
• IT insurance assessment

Control Environment
• Tone from the top – IT and security controls considered important
• Overall technology policy and information security policy
• Corporate Technology Governance Committee
• Technology Architecture and Standards Committee
• Full representation of all business units

9.2 Monitoring IT Controls

Determining where to apply control monitoring and assessment, and their frequency, is not easy. Participation by the auditor in risk analysis exercises and implementation of a suitable control framework help ensure that the CAE has sufficient information to create a suitable audit plan to address the major IT risks.

Ultimately, management is responsible for monitoring and assessing controls. The auditor's monitoring and assessments are performed to independently attest to management's assertions regarding the adequacy of controls. Management's control monitoring and assessment activities should be planned and conducted within several categories, as follows.

9.2.1 Ongoing Monitoring

• Daily/Periodic – Some information must be checked daily to ensure controls are working as required. Management normally performs such monitoring, which traditionally involves checking data-processing control reports to reconcile satisfactory task and job completion. Such controls, where they exist, are most often automated. The CAE will ensure such management monitoring is in place and that it is subjected to internal audit assessment.

• Event-driven – Discrepancies or even frauds may result within normal processing or in special circumstances, such as where there are large-value transactions. In many IT environments, malicious attacks are likely. Consequently, specific controls should be in place to detect and report unusual activities to an entity within the organization that is chartered specifically to investigate and determine if preventive or corrective actions should be applied. Such monitoring controls are complementary to the normal controls employed and provide assurance on the effectiveness of those controls, or early warning that they may have been breached.

• Continuous – Technology now provides the ability to monitor and assess certain sensitive controls continuously. A good example of continuous monitoring is the use of intrusion detection software, which continually monitors network traffic for evidence that other protective controls, such as firewalls and virus protection, may have been breached.

9.2.2 Special Reviews

• Annual (or quarterly) control assessment – Sarbanes-Oxley legislation in the United States requires cyclical control assessments. Although the board of directors is required to make statements regarding the effectiveness of internal controls, management actually must provide the assurances to the board, and the internal and external auditors must perform sufficient audit work to attest to these assurances.

• Audit reviews – A regular program of audit reviews is still necessary despite the proliferation of new audit approaches. It is only through the formal review of infrastructure, process and technology implementation that the CAE can assess the overall reliability and robustness of the system of internal controls. In the past, such reviews were planned on a cyclical basis. However, given the fast-changing world of IT, audit reviews should now be scheduled based on the level of risk.


Suitable, Recognized Framework

"... the framework on which management's assessment of the issuer's internal control over financial reporting is based must be a suitable, recognized control framework that is established by a body or group that has followed due-process procedures, including the distribution of the framework for public comment. By far the best-known framework that meets that definition is the framework designed by The Committee of Sponsoring Organizations of the Treadway Commission, otherwise known as the COSO report, which was published in 1992."

— Scott A. Taub, Deputy Chief Accountant, US Securities and Exchange Commission (SEC), SEC and Financial Reporting Conference, Pasadena, California, May 29, 2003


10.1 What Audit Methodology to Use

A lot has changed in the 40 years that IT auditing has existed. Technology components have become smaller, faster and cheaper, even as overall IT costs to the organization have increased significantly. The majority of business processes have been automated, typically to provide efficiencies but also to enable certain business processes that cannot be performed manually. Ubiquitous network communications, including the Internet, have eliminated any distinction between business and electronic business.

The audit process similarly has evolved to match the automation of business processes. In the early days of automation, auditors "audited around the computer." Now they use software routinely to test or analyze data and technical controls within systems.

A widely used audit approach involves operational analysis of the processing of important business transactions by automated systems. In such audits, the auditor identifies activities and information subject to control and assesses the ability of existing controls to provide reliable protection — including sufficient evidence of the reliability of controls. Because operational audits of automated business processes frequently identify internal control deficiencies, internal auditors may sometimes shift their attention to audits of — or even involvement in — the processes whereby business activities are automated, such as systems design, development and acquisition, implementation and maintenance.

Experienced auditors develop extensive knowledge of internal controls and their strengths and weaknesses. Therefore, it is not uncommon for internal auditors to provide consulting services to the management responsible for designing and implementing internal controls. The scope and limitations on such consulting activity are prescribed in the International Standards for the Professional Practice of Internal Auditing (see http://www.theiia.org/guidance/standards-and-practices). However, internal auditor involvement in design, development or implementation activities does not absolve management from responsibility for those activities.

Today, no specific audit methodologies can be regarded as the sole current best practice. Internal auditors adopt the methods and practices that best suit the work needed. For example:

• When performing an assessment against Sarbanes-Oxley requirements, a systems-based audit approach may be the best method.
• Fraud investigations may require the use of audit software to analyze data and look for evidence. Audit software provides strong analytical capability plus the ability to examine all relevant records and files.
• Performing annual audit work in support of the main internal audit objectives will most likely follow a risk-based approach.

10.2 Testing IT Controls and Continuous Assurance

In addition to assessing the adequacy of IT control mechanisms, regular reviews should be performed to ensure that controls continue to function as required. A traditional method used by internal auditors is to create a population of test data that can be processed through the business systems to check the results, to ensure, for example, that controls continue to accept valid data and reject incorrect and invalid items. However, given the widespread, complex and interactive nature of business systems today, audit testing tends to focus more specifically on key automated controls and analysis of the data.

GTAG — Assessment — 10

How Auditing Contributes to IT Controls

During the past four decades there have been periods of reflection when management and auditors agreed the auditors could add value to the organization by contributing their controls expertise to development processes, to ensure appropriate controls were incorporated into new systems rather than adding controls after an audit revealed a deficiency. These activities coincided with the developments in control and risk self-assessment in the mainstream audit world. Audit consulting and risk-based auditing became widespread. The 1990s and beyond also saw dramatic increases in attention to information security management as cyber attacks increased in number and severity. These events have helped shape the role of the IT auditor as well as the business world's recognition of the importance of effective information security management.

10.2.1 Automated Continuous Monitoring

Continuous monitoring and audit tools have been used for many years. Previously called embedded audit software, program code in business systems checks data being processed against predetermined criteria and reports anomalies it detects. The benefit of such monitoring is obvious: any discrepancies can be identified and acted upon immediately. Many proprietary business software products now provide such continuous monitoring functionality. The concept has also gone beyond business applications. For example, most firewall products and intrusion detection systems continuously check for potential attack scenarios and provide instant alerts when potential attacks are detected. This type of monitoring can cause problems due to the considerable volume of data and potential errors that are highlighted, not all of which will be worthy of attention. The task of refining the analysis techniques and monitoring thresholds requires constant vigilance to determine which alerts to highlight and which to accept as normal events.
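The two techniques in 10.2 and 10.2.1, a test population of valid and invalid records run through the controls, and embedded code that compares each record with predetermined criteria and reports anomalies, look like this in practice. The Python below is an added example and is not code from this GTAG or from any audit product; the transaction layout, the three criteria (segregation of duties, a high-value limit and duplicate detection) and the sample records are constructed. The alert_rate function demonstrates the threshold point made above: lowering the high-value limit raises the proportion of records flagged until routine items swamp the real exceptions.

```python
"""Embedded control checks over a constructed transaction population.

Added example for GTAG sections 10.2 and 10.2.1; not code from the GTAG or
from any audit product. The record layout, the three criteria and the sample
records are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Txn:
    txn_id: str
    submitter: str
    approver: str
    amount: float
    vendor: str


# Constructed test population: valid records mixed with records that a working
# control must reject. The comment on each invalid record names the criterion.
SAMPLE_TXNS = [
    Txn("T001", "alice", "bob", 1200.00, "ACME"),
    Txn("T002", "alice", "alice", 300.00, "ACME"),    # submitter approved own item
    Txn("T003", "carol", "bob", 48000.00, "Globex"),  # above the high-value limit
    Txn("T004", "dave", "erin", 750.00, "Initech"),
    Txn("T005", "dave", "erin", 750.00, "Initech"),   # repeat of T004
    Txn("T006", "frank", "bob", 9999.99, "ACME"),     # just under the default limit
]


def check_transaction(txn, seen, high_value_limit):
    """Apply the predetermined criteria to one transaction.

    Returns the list of exceptions raised (empty for a clean record). `seen`
    is a Counter of (submitter, vendor, amount) keys already processed, which
    is what makes the duplicate check work in a single pass.
    """
    exceptions = []
    # Segregation of duties: the person who submitted must not also approve.
    if txn.submitter == txn.approver:
        exceptions.append("SOD: submitter approved own transaction")
    # High-value items are routed for review regardless of who approved them.
    if txn.amount > high_value_limit:
        exceptions.append(
            f"HIGH_VALUE: amount {txn.amount:.2f} exceeds limit {high_value_limit:.2f}")
    # Duplicate detection on the natural key of a payment.
    key = (txn.submitter, txn.vendor, txn.amount)
    if seen[key] > 0:
        exceptions.append("DUPLICATE: matches an earlier submitter/vendor/amount")
    seen[key] += 1
    return exceptions


def monitor(txns, high_value_limit=10000.0):
    """Run the whole population through the checks.

    Returns {txn_id: [exceptions]} containing only the records that tripped a
    control, which is the anomaly report the embedded code would emit.
    """
    seen = Counter()
    report = {}
    for txn in txns:
        exceptions = check_transaction(txn, seen, high_value_limit)
        if exceptions:
            report[txn.txn_id] = exceptions
    return report


def alert_rate(txns, high_value_limit):
    """Fraction of the population flagged at a given limit; used to tune the
    threshold so that routine items are not reported as exceptions."""
    return len(monitor(txns, high_value_limit)) / len(txns)


if __name__ == "__main__":
    for txn_id, exceptions in monitor(SAMPLE_TXNS).items():
        print(txn_id, "; ".join(exceptions))
    for limit in (10000.0, 5000.0, 500.0):
        print(f"limit {limit:>8.2f}: {alert_rate(SAMPLE_TXNS, limit):.0%} of records flagged")
```

At the default limit of 10,000 the report lists T002, T003 and T005, which is exactly the set of records built to be invalid; at a limit of 500 every record is flagged, so nothing in the report is worth attention. Duplicate detection is stateful, which is why the embedded check keeps the seen Counter across the run rather than judging each record in isolation.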

10.2.2 Automated Internal Control Analysis Tools

Audit software can be used to analyze stored data and check its validity to ensure the continuous, reliable operation of internal controls. Originally designated audit interrogation software, products such as ACL (www.acl.com) or CaseWare IDEA (www.caseware.com) now provide sophisticated features and specific analysis that can reduce the control assessment workload while increasing effectiveness and efficiency. Spreadsheet products like Microsoft Excel also contain powerful analysis tools auditors may use.

10.2.3 Automated Risk Analysis

Tools also are available for automating the risk analysis process. These tools are invaluable to the entire internal audit function, not just the IT auditor or risk specialist. Performing a proper risk analysis in today's complex IT environments is not easy without the assistance of automated tools.

Management is responsible for performing risk assessments to determine the controls to implement or improve. Internal auditors perform similar analysis when assessing the adequacy of controls for audit plan and scope purposes. Automated tools can assist both processes. The automation of internal audit management is a major topic in its own right.

10.3 Audit Committee/Management/Audit Interfaces

It is impractical to establish rules for reporting on every special IT control situation. The CAE must apply prudent judgment when expressing an opinion or submitting a report to the audit committee. This is no different from the way the CAE interacts with the audit committee regarding other internal control issues.

The CAE will discuss internal control issues with the audit committee to determine the optimum level of information to be provided to enable the audit committee to achieve its statutory, regulatory, policy, due care or other governance obligations.

"Metrics and reporting" and "audit report summaries" are two areas where the CAE should interact with the audit committee regarding internal controls. Further interactions will depend on the needs of the specific audit committee and any legislative or regulatory requirements.

Metrics and reporting. Metrics and reports must present meaningful information on the status of IT controls. While management provides the metrics and reporting, the CAE should be able to attest to their validity and opine on their value. This is accomplished through audit examination of the relevant control areas to produce an independent and objective assessment. The CAE should liaise with management at all levels and with the audit committee to agree on the validity and effectiveness of the metrics and assurances chosen for reporting.

A basic set of governance and management metrics for information security is included in Appendix G (page 40). These metrics do not include specific data regarding the operation of detailed technical controls, although the technical controls may provide the information used in measurement. The actual metrics used will depend on the organization and the needs of the audit committee. The CAE can select examples of measurements taken at any level of the organization to help illustrate matters that can materially impact controls at the governance level.

Audit report summaries. Prepared on a regular basis for the audit committee, these reports summarize findings, conclusions and opinions regarding the status of IT controls. They also can report on the agreed-upon actions from prior audit reports and the status of those actions — probably on an exception basis for actions not taken within the designated time frame. IT controls summaries cannot be presented in isolation but should be presented in the context of the entire internal control framework.

The frequency of reporting depends on the organization's needs. In a strong regulatory environment, such as provided by Sarbanes-Oxley in the United States, quarterly reporting is required. Otherwise, the frequency of reporting will be driven by the organization's governance framework and philosophy and the extent to which IT risks exist.


Figure 6 – Audit Interfaces


Assessing IT controls is an ongoing process because business processes are constantly changing, technology continues to advance, threats evolve as new vulnerabilities emerge, and audit methods keep improving. The CAE should keep assessments of IT controls that support business objectives near the top of the audit agenda.

Assessing IT controls is not a case of determining whether best practices are employed, as controls are specific to the organization's mission, objectives, culture, deployed processes and technologies, and risks. Technology should be tailored to provide effective control, and the CAE should ensure internal auditing adopts appropriate and effective methods. Auditing IT is a continuous learning process.

The CAE is rarely in a position to understand all the technologies used in his or her environment and their specific control implications. That is why properly certified and experienced IT auditors are a major asset for any internal audit function. However, the CAE should understand the overall control issues and be able to communicate them to senior management and to appropriate committees of the board of directors, in a form they will understand and in a manner that will result in an appropriate response. The key to assessing IT controls effectively is communication with technical staff, management and board members.


GTAG — Conclusion — 11

Note: This appendix is extracted from the report of the Best Practices and Metrics team of the Corporate Information Security Working Group (CISWG), as provided on November 17, 2004 to the Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census, Government Reform Committee, US House of Representatives, and subsequently amended on January 10, 2005. Additional information may be obtained from the "Technology" section of http://www.theiia.org.

12.1 Governance (Board of Directors)

• Oversee risk management and compliance programs pertaining to information security (e.g., Sarbanes-Oxley, Health Insurance Portability and Accountability Act, Gramm-Leach-Bliley Act)
• Approve and adopt broad information security program principles and approve assignment of key managers responsible for information security
• Strive to protect the interests of all stakeholders dependent on information security
• Review information security policies regarding strategic partners and other third parties
• Strive to ensure business continuity
• Review provisions for internal and external audits of the information security program
• Collaborate with management to specify the information security metrics to be reported to the board

12.2 Management

• Establish information security management policies and controls and monitor compliance
• Assign information security roles, responsibilities and required skills, and enforce role-based information access privileges
• Assess information risks, establish risk thresholds and actively manage risk mitigation
• Ensure implementation of information security requirements for strategic partners and other third parties
• Identify and classify information assets
• Implement and test business continuity plans
• Approve information systems architecture during acquisition, development, operations and maintenance
• Protect the physical environment
• Ensure internal and external audits of the information security program, with timely follow-up
• Collaborate with security staff to specify the information security metrics to be reported to management

12.3 Technical

Establishing a complete information security program requires attention to the following technical program elements:

• User identification and authentication
• User account management
• User privileges
• Configuration management
• Event and activity logging and monitoring
• Communications, e-mail and remote access security
• Malicious code protection, including viruses, worms and trojans
• Software change management, including patching
• Firewalls
• Data encryption
• Backup and recovery
• Incident and vulnerability detection and response
• Collaboration with management to specify the technical metrics to be reported to management


GTAG — Appendix A — Information Security Program Elements — 12

There is an increasing volume of legislation impacting the internal control framework that organizations choose to implement. Although much of this legislation has emerged over recent years in the United States as a result of various corporate scandals, it has impacted organizations in other countries as well. Organizations should be aware of the relevant legislation, regulation and business practices around the world — particularly in all countries in which they do business — to assess the organizational impacts and requirements.

For example, data protection legislation in Europe inhibits the transfer of information across borders to countries that do not have comparable data-protection regulation in place. This impacts trading relationships where the information to be transferred refers to identifiable individuals. Sarbanes-Oxley contains requirements for reporting on the system of internal controls for all organizations publicly traded in the United States, as well as their foreign subsidiaries.

This appendix provides a summary of requirements and the impact of some of the major legislation and regulation that should be considered in assessing and managing IT controls. Although this GTAG is aimed at a global audience, it covers Sarbanes-Oxley in some depth because it is one of the most significant pieces of legislation to emerge in recent years. The Organisation for Economic Co-operation and Development (OECD) Corporate Governance Principles provide a general framework for the implementation of business controls. The Basel II Accords have a major impact on the international financial sector, and many have suggested Basel II guidance may also influence other sectors.

13.1 US Sarbanes-Oxley Act of 2002

Sarbanes-Oxley (http://www.theiia.org/iia/guidance/issues/sarbanes-oxley.pdf) was intended to reform public accounting practices and other corporate governance processes and shore up the capital markets in the wake of the Enron and WorldCom corporate governance scandals. The PCAOB provides a comprehensive collection of information and advice on Sarbanes-Oxley at its Web site (http://www.sarbanes-oxley.com). The key requirements of Sarbanes-Oxley, the SEC and US stock listing exchanges are fully compared and contrasted in an IIA Research Foundation analysis titled "Assessment Guide for US Legislative, Regulatory and Listing Exchanges Requirements Affecting Internal Auditing" (www.theiia.org/iia/download.cfm?file=519).

However, Sarbanes-Oxley does not address the issue of IT controls specifically. This does not mean IT can be ignored when performing the compliance reviews required by the act. The act is neutral with regard to technology, but the implication is clear that IT controls are critical to an organization's overall system of internal controls. As IT controls address the secure, stable and reliable performance of hardware, software and personnel to ensure the reliability of financial applications, processes and reporting, they must be a significant element of compliance reviews.

Some key IT control areas have been interpreted as not being incorporated in Sarbanes-Oxley compliance. These include privacy, business continuity, business systems, data classification and information not specific to financial processing and reporting. Therefore, any audit specifically limited to Sarbanes-Oxley compliance will not assess all the risks faced by the organization and must be supplemented to ensure full audit coverage of the organization's risk management and internal controls.

Tools and resources for corporate governance initiativesand current legislation can be found on The IIArsquos Web siteat httpwwwtheiiaorgiiaindexcfmdoc_id=4061 1311 Sarbanes-Oxley Sections Relevant

to IT Controls

The following briefly describes the sections of Sarbanes-Oxley that relate to auditors and IT controls

13111 Sections 103 and 802

These sections establish rules for the public accounting firmrelating to the audit and report In particular they requirethe board to establish standards for the audit work They alsorequire auditors to test the internal control structures andattest to the strength of those structures This review mustinclude a thorough examination of the IT controls that arefundamental to the system of internal control over financialreporting

One specific requirement relates to the retention of records "that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets." Again, this is influenced greatly by the way in which IT records are maintained and retained.

13.1.1.2 Section 201

This section requires that external auditors be independent. This precludes them from performing work for a client in the capacity of IT consultants or providing outsourced internal audit services. Organizations that do not wish to employ their own IT auditors cannot outsource the work to their external auditors.

13.1.1.3 Section 301

Section 301 defines the need for audit committee members to be independent and precludes them from performing any other consulting work on behalf of the organization. It also requires audit committees to establish procedures to handle "confidential, anonymous submission by employees of the issuer of concerns regarding questionable accounting or auditing matters" (whistle-blower complaints). This would also relate to any issues arising from the control of IT.

13.1.1.4 Sections 302 and 404

GTAG — Appendix B — Compliance With Laws and Regulations and Guidance on Compliance Implementation — 13

Section 302 of the act requires the CEO and CFO — who are responsible for financial information and the system of internal controls — to evaluate the system of internal controls every 90 days and report on their conclusions and any changes.

They must disclose:

• "All significant deficiencies in the design or operation of internal controls that could adversely affect the issuer's ability to record, process, summarize, and report financial data, and identify for the issuer's auditors any material weaknesses in internal controls."

• "Any fraud, whether or not material, that involves management or other employees who have a significant role in the issuer's internal controls."

Section 404 requires the CEO and CFO to produce an annual audit report that:

• Assesses the effectiveness of the internal control structure over financial reporting.

• Discloses all known internal control weaknesses.

• Discloses all known frauds.

This report will cover all applicable IT controls, including program logic and related change controls, access controls, and data protection. The PCAOB Auditing Standard No. 2 suggests the COSO Internal Control – Integrated Framework as a basis for Section 404 compliance management. References to Statement of Auditing Standards (SAS) 95 also emphasize the importance of IT and information security controls to Sarbanes-Oxley.

13.1.1.5 Section 409

Section 409 requires organizations to disclose any material changes to operations in real time and in plain English. Some contend these requirements establish a foundation or need for continuous monitoring, auditing, and assurance processes to become part of significant internal control processes.

13.2 Basel II Accord

The Basel II Accord is a global regulatory treaty that defines the global standards for enterprisewide risk management practices in the financial sector, with the intent to mitigate risks of losses in the industry. The focus is on the banking sector, but there is a clear intent to harmonize standards across all segments of the industry. All areas of bank operations are included — people, processes, systems, governance, and supplier management.

A bank willing to qualify for the Advanced Measurement Approach (AMA) under the Operational Risk (OR) Treaty must implement best practice in operations and risk management. For risk management, this means:

• Senior management is actively involved.

• The bank has an OR management system, processes, policies, and procedures enterprisewide.

• The bank has the right governance and sufficient resources to manage operational risks.

• The bank has an OR management function that is responsible for:
  – Designing and implementing the OR management framework.
  – Codifying policies, procedures, and controls.
  – Designing and implementing an OR measurement methodology.
  – Designing and implementing an OR management reporting system.
  – Developing strategies to identify, measure, monitor, and control or mitigate OR.

• An OR measurement system is closely integrated into the day-to-day risk management process.

• The OR exposures and loss experiences are regularly reported.

• The OR management system is documented.

• Internal and external auditors regularly review the OR management processes and measurement system.

Key to success in OR management is an information system that supports OR exposure self-assessment, allows process mapping, consists of an OR loss database and reporting function, and entails an action-plan management function.

The Basel Committee does not specify the approach or distributional assumptions to be used to generate the OR measure for regulatory capital purposes. However, the framework allows for three basic approaches that essentially are dependent on the quality and quantity of risk management data. Whereas using more data and historical metrics to prove good performance may allow banks to maintain less capital reserves and to quantify OR, the banks must be able to demonstrate that their approaches capture potentially severe "tail" loss events (severe, unexpected losses). Moreover, consistency with the scope of OR as defined by the Basel Committee is required.

First, a bank's organization-wide risk assessment methodologies must capture key business, environmental, and internal control factors that can change its OR profile. In addition, the bank should have a process for assessing overall capital adequacy.

Next, the risk measurement system must be granular enough to capture the tails of the loss estimates. Banks are expected to use expert opinion in conjunction with external data for scenario analysis to evaluate their exposure to high-severity events. Because a bank does not have enough of its own data in the area of high-impact, low-frequency risks, it must acquire data from an external provider such as the Zurich-based ORX Global Operational Loss Database (GOLD) or MORE Exchange.

The banks must have a credible, transparent, well-documented, and verifiable approach for weighting these fundamental elements in their overall OR measurement system. There are additional prerequisites to qualify for the AMA:

• Internal loss and performance data — successes, near misses, and failures — all must be tracked and accounted for (reconciled to the books of the bank).

• Internal loss data must be linked to the bank's current business activities.

• An observation period of at least five years is required for internal loss data, with a minimum of three years necessary when moving to AMA.

• According to the internal loss collection process:
  – OR losses related to credit risk and historically included in banks' credit risk databases continue to be treated as credit risk for the purpose of calculating minimum regulatory capital under this framework. Such losses should be flagged separately.
  – OR losses related to market risk are treated as OR for the purposes of calculating minimum regulatory capital under this framework and are subject to the OR capital charge.

• The OR measurement system must use relevant external data.

Third, Basel II disclosure requires banks to describe their risk management objectives and policies for each separate risk area, including:

• Strategies and processes.

• Structure and organization of the risk management function.

• Scope and nature of risk reporting.

• Policies for hedging and mitigating risks (including operations).

Note: The BITS Key Risk Measurement Tool for Information Security Operational Risks, or "BITS Kalculator" (http://www.bitsinfo.org/bitskalculatorjuly04.pdf), is a tool financial institutions of all sizes can use to evaluate critical information security risks to their businesses. It can be downloaded at no cost from the BITS Web site (http://www.bitsinfo.org/wp.html).

13.3 Data Protection

The concept of data protection was developed when computerization issues were raised at United Nations and OECD conferences in the late 1960s. The first national law was enacted in 1974 in Sweden, and the OECD published its Data Protection Guidelines in 1980 (OECD C(80)58 final). Regional bodies like the Council of Europe (Data Protection Convention 108, 1981, human rights-based) and the European Commission (EC) (Directive 95/46/EC, consumer protection-oriented) have enacted binding frameworks for implementation in their member states. Depending on their legal system, many countries around the globe have constitutional provisions and omnibus laws or a broad spectrum of sector regulations for data protection. To bridge the differences in US and European Union (EU) privacy regulations, the EC and the US Department of Commerce developed a safe harbor framework for US companies. The safe harbor is a framework agreement consisting of seven principles and a series of frequently asked questions. (See also http://www.was4.hewitt.com/hewitt/resource/legislative_updates/europe/eu_data1.htm.)

The EU legislation requires organizations to protect the personal information of individuals. The legislation also mandates that appropriate technical measures be taken to ensure the security of personal data, whether electronic or manual. Further information regarding data protection can be found at the Electronic Privacy Information Center (EPIC) (http://www.epic.org), Privacy International (http://www.privacyinternational.org), and the UK Office of the Information Commissioner (http://www.informationcommissioner.gov.uk).

13.4 The US Gramm-Leach-Bliley Act (GLBA) – The Financial Modernization Act of 1999

The GLBA was introduced to protect the privacy of customer information in the financial sector, but it extends beyond financial companies. Any company that handles non-public financial customer information may be held accountable under this law, depending on the circumstances. More information is available from EPIC (http://www.epic.org/privacy/glba) and the US Federal Trade Commission (http://www.ftc.gov/bcp/conline/pubs/buspubs/glblong.shtm#whois).

13.5 US Health Insurance Portability and Accountability Act (HIPAA) 1996

HIPAA contains requirements for the privacy of personal information and for information security. The law applies to US-based companies in the health care sector but can also pertain to any company that provides health care benefits to employees, depending on the circumstances. Further details can be found at http://www.hipaa.org.

13.6 California Security Breach Information Act, Civil Code Sections 1798.29 and 1798.82 (Frequently Referenced by the Bill – CA SB 1386)

California's State Bill 1386 amended the Information Practices Act of 1977 of the California Civil Code to create a sweeping regulation that mandates public disclosure of computer-security breaches in which confidential information of any California resident may have been compromised. Every enterprise — public or private — doing business with California residents is potentially affected. Confidential information covered by the law includes Social Security numbers, California driver's license numbers, account numbers, and credit or debit card numbers. A more detailed article on this regulation can be found at http://www.theiia.org/itaudit/index.cfm?fuseaction=forum&fid=5501. Although case law for this legislation is not cited here, some discussions on the subject have indicated the courts may not view an organization's statement favorably if it treats its California customers differently from its other customers.


13.7 Global National Regulations

Many countries have national regulations covering internal control, including Germany (KonTraG, risk management requirement) and France (LSF, internal control reporting requirement). In addition, external auditors may be required to certify the adequacy of financial reporting mechanisms and controls. Although most of these regulations do not address IT directly, they imply the need for an adequately controlled IT infrastructure. For this reason, many national bodies of the International Federation of Accountants (IFAC) provide detailed guidance for evaluating IT controls.

GTAG – Appendix C – Three Categories of IT Knowledge for Internal Auditors – 14


14.1 Auditor Knowledge Considerations

Standard 1210 – Proficiency of The IIA's Standards requires that the internal audit activity collectively should possess or obtain the knowledge, skills, and other competencies needed to perform its responsibilities.[4] Varying levels of IT knowledge are needed throughout the organization to provide a systematic, disciplined approach to evaluating and improving the effectiveness of risk management, control, and governance processes. Knowledge of how IT is used, the related risks, and the ability to use IT as a resource in the performance of audit work is essential for auditor effectiveness at all levels.

The IIA's International Advanced Technology Committee has identified three categories of IT knowledge for internal auditors.

14.1.1 Category 1 – All Auditors

Category 1 is the knowledge of IT needed by all professional auditors, from new recruits up through the CAE. Basic IT knowledge encompasses understanding concepts such as the differences in software used in applications, operating systems and systems software, and networks. It includes comprehending basic IT security and control components such as perimeter defenses, intrusion detection, authentication, and application system controls. Basic knowledge includes understanding how business controls and assurance objectives can be impacted by vulnerabilities in business operations and the related and supporting systems, networks, and data components. It is fundamentally about ensuring that auditors have sufficient knowledge to focus on understanding IT risks without necessarily possessing significant technical knowledge.

14.1.2 Category 2 – Audit Supervisors

Category 2 applies to the supervisory level of auditing. In addition to having basic IT knowledge, audit supervisors must understand IT issues and elements sufficiently to address them in audit planning, testing, analysis, reporting, follow-up, and assigning auditor skills to the elements of audit projects. Essentially, the audit supervisor must:

• Understand the threats and vulnerabilities associated with automated business processes.

• Understand business controls and risk mitigation that should be provided by IT.

• Plan and supervise audit tasks to address IT-related vulnerabilities and controls, as well as the effectiveness of IT in providing controls for business applications and environments.

• Ensure the audit team has sufficient competence — including IT proficiency — for audits.

• Ensure the effective use of IT tools in audit assessments and testing.

• Approve plans and techniques for testing controls and information.

• Assess audit test results for evidence of IT vulnerabilities or control weaknesses.

• Analyze symptoms detected and relate them to causes that may have their sources in business or IT planning, execution, operations, change management, authentication, or other risk areas.

• Provide audit recommendations based on business assurance objectives appropriate to the sources of problems noted, rather than simply reporting on problems or errors detected.

14.1.3 Category 3 – Technical IT Audit Specialists

Category 3 applies to the technical IT audit specialist. Although IT auditors may function at the supervisory level, they must understand the underlying technologies supporting business components and be familiar with the threats and vulnerabilities associated with the technologies. IT auditors also may specialize in only certain areas of technology.

IIA programs and products are designed primarily to meet the information needs of the Category 1 and 2 auditor. The Category 1 auditor will seek IIA guidance in relating IT threats, vulnerabilities, and controls to business assurance objectives. IIA products also provide information that can be useful in explaining the business impacts of technical problems. In addition, IIA products can help Category 3 technical IT auditors gain proficiency in areas of technology with which they are not already familiar and in striving to reach supervisory or management audit competence.

The SANS Institute provides information security training and awards Global Information Assurance Certification (GIAC) relevant to information security professionals, including auditors. The course offerings and accompanying certifications match the growing demands of students, new threats, and new technologies. GIAC certifications (http://www.giac.org/subject_certs.php) are grouped by subject matter and level of difficulty. Some are full certifications that accompany five- to six-day training courses, while others are certificates related to one- to two-day courses. Certificates are less involved but more intensely focused than certifications.

Also of interest and benefit to all categories of IT auditor are the materials provided by the Information Systems Audit and Control Association (ISACA). ISACA offers standards, guidelines, and procedures for IT audit professionals; technical research focused on IT audit topics; the Certified Information Systems Auditor (CISA) certification, earned by more than 35,000 individuals worldwide; and publications, education, and conferences targeted to IT audit professionals.

[4] Note: The "Three Categories of IT Knowledge for Internal Auditors" document is not part of The IIA's Standards but is practical guidance provided by The IIA's International Advanced Technology Committee.

GTAG — Appendix D — Compliance Frameworks — 15


15.1 COSO

Formed in 1985, COSO is an independent private-sector initiative that studied the factors that can lead to fraudulent financial reporting and developed recommendations for public companies and their independent auditors, the SEC and other regulators, and educational institutions. COSO produced the Internal Control – Integrated Framework (see Appendix E, page 36), a widely accepted tool for both management and auditors, in September 2004, and it published Enterprise Risk Management – Integrated Framework in fall 2004. Details of both frameworks can be found at http://www.coso.org.

15.2 CICA CoCo

The Canadian Institute of Chartered Accountants (CICA) produced the Criteria of Control Framework (CoCo) in 1992 to address public and institutional concerns that the traditional view of control was no longer effective in preventing corporate failures. The mission of CoCo is to improve organizational performance and decision making through better understanding of control, risk, and governance. Moreover, the framework provides a basis for making judgments about the effectiveness of control.

In 1995, Guidance on Control was produced, which describes the CoCo framework and defines control in a way that goes beyond the traditional internal control over financial reporting. The CoCo model is a way of focusing on the future of an organization to ensure it is in control by having a clear sense of shared purpose, collective commitment to achieve that purpose, the resources it needs to do the job, and the ability to learn from experience.

15.3 CICA IT Control Guidelines

The IT Control Guidelines published by the CICA is a reference source for evaluating IT controls. It is organized in a manner that is easy to use and written in straightforward business language.

15.4 ITGI Control Objectives for Information and Related Technology (CobiT)

Established in 1998, the IT Governance Institute (ITGI) provides guidance on current and future issues related to IT governance, security, and assurance. The ITGI's leading guidance publication is Control Objectives for Information Technology (CobiT) (see Appendix F). ITGI's CobiT provides a reference framework and common language across the entire information systems life cycle for IS and business leaders and IS audit, control, and security practitioners. CobiT is one of the most popular and internationally accepted sets of guidance materials for IT governance.

15.5 ISO 17799 (Code of Practice for Information Security Management)

ISO/IEC 17799:2000(E), promulgated by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), defines information security principles that ultimately can provide assurance to trading partners and regulators that an organization's information is protected properly. Derived from the British Standards Institution's BS 7799 standard, the Code of Practice for Information Security Management is built around specific security elements required within 10 areas, including physical and environmental security, communication and operational management, and access control. Although, as a code of practice, ISO/IEC 17799:2000 provides guidance and recommendations, it is not intended to be a specification, and care should be taken to ensure that claims of compliance are not misleading.

The original BS 7799 standard has two parts:

• Part 1 is the Code of Practice and is identical to ISO/IEC 17799:2000.

• Part 2 is a specification for implementing an information security management system (ISMS).

To comply with BS 7799 Part 2 (BS 7799-2:2002), an organization's installed ISMS must conform to the set of requirements described in the standard, which are in the form of "shall" statements. Third-party bodies have been accredited to certify or register organizations to BS 7799-2:2002.

15.5.1 What Is Information Security?

BS 7799 treats information as an asset which, like other important business assets, has value to an organization and consequently needs to be protected. Information security protects information from a wide range of threats to ensure business continuity, minimize business damage, and maximize return on investments and business opportunities.

Information can exist in many forms: printed or written on paper, stored electronically, transmitted by post or using electronic means, shown on films, or spoken in conversation. Whatever form the information takes, or means by which it is shared or stored, BS 7799 indicates that it always should be protected appropriately.

Information security is characterized within BS 7799 as the preservation of:

• Confidentiality – ensuring that information is accessible only to those authorized to have access.

• Integrity – safeguarding the accuracy and completeness of information and processing methods.

• Availability – ensuring that authorized users have access to information and associated assets when required.

Information security is achieved by implementing a suitable set of controls from BS 7799, which could be policies, practices, procedures, organizational structures, and software functions. These controls should be established to ensure the specific security objectives of the organization are met.

15.5.2 How to Establish Security Requirements

BS 7799 states that it is essential that an organization identify its security requirements. There are three main sources:

• Assessing risks to the organization. BS 7799 does not prescribe a methodology.

• The legal, statutory, regulatory, and contractual requirements that an organization, its trading partners, contractors, and service providers have to satisfy.

• The particular set of principles, objectives, and requirements for information processing that an organization has developed to support its operations.

15.5.3 Assessing Security Risks

BS 7799 suggests that security requirements be identified by a methodical assessment of security risks. Expenditure on controls should be balanced against the business harm likely to result from security failures. The process of assessing risks and selecting controls may need to be performed a number of times to cover different parts of the organization or individual information systems, and it is important to review security risks and implemented controls periodically.

15.5.4 Selecting Controls

Once security requirements have been identified, controls from BS 7799 should be selected and implemented to ensure risks are reduced to an acceptable level. Controls should be selected based on the cost of implementation in relation to the risks being reduced and the potential losses if a security breach occurs. Nonmonetary factors, such as loss of reputation, should also be taken into account. For more information on BS 7799, see http://www.bs7799-iso17799.com.

15.5.5 Topics Addressed in BS 7799

1 Scope
2 Terms and definitions
3 Security policy
  3.1 Information security policy document
  3.2 Review and evaluation
4 Security organization
  4.1 Information security infrastructure
  4.2 Security of third-party access
  4.3 Outsourcing
5 Asset classification and control
  5.1 Accountability for assets
  5.2 Information classification
6 Personnel security
  6.1 Security in job definition and resourcing
  6.2 User training
  6.3 Responding to security incidents and malfunctions
7 Physical and environmental security
  7.1 Secure areas
  7.2 Equipment security
  7.3 General control
8 Communications and operations management
  8.1 Operational procedures and responsibilities
  8.2 System planning and acceptance
  8.3 Protection against malicious software
  8.4 Housekeeping
  8.5 Network management
  8.6 Media handling and security
  8.7 Exchanges of information and software
9 Access control
  9.1 Business requirement for access control
  9.2 User access management
  9.3 User responsibilities
  9.4 Network access control
  9.5 Operating system access control
  9.6 Application access control
  9.7 Monitoring system access and use
  9.8 Mobile computing and teleworking
10 Systems development and maintenance
  10.1 Security requirements of systems
  10.2 Security in application systems
  10.3 Cryptographic controls
  10.4 Security of system files
  10.5 Security in development and support processes
11 Business continuity management
  11.1 Business continuity management process
12 Compliance
  12.1 Compliance with legal requirements
  12.2 Reviews of security policy and technical compliance
  12.3 System audit considerations

15.6 ISF Standard of Good Practice for Information Security

The Information Security Forum (ISF) Standard of Good Practice for Information Security aims at managing the risks associated with every aspect of information systems, irrespective of an organization's market sector, size, or structure. The standard, prepared by ISF's global working groups, is a publicly available document split into five key areas: security management, critical business applications, computer installations, networks, and systems development. For more information and details, see http://www.isfsecuritystandard.com.

15.7 Generally Accepted Information Security Principles (GAISP)

The Generally Accepted Information Security Principles (GAISP) culls best practice from all other similar frameworks. Developed in 1991 as the Generally Accepted System Security Principles, GAISP provides a comprehensive hierarchy of guidance for securing information and supporting technology, including:

• Pervasive Principles – board-level guidance.

• Broad Functional Principles – designed for executive-level information management (exposure draft distributed September 1999).

• Detailed Principles – guidance for operational information security management (under development).

GAISP is now being developed by the Information Systems Security Association (ISSA) (http://www.issa.org), which can provide details.

15.7.1 Pervasive Principles

The Pervasive Principles address the confidentiality, integrity, and availability of information. They provide general guidance to establish and maintain the security of information and supporting technology.

• Accountability Principle – Information security accountability and responsibility must be defined clearly and acknowledged.
  Rationale – Accountability characterizes the ability to audit the actions of all parties and processes that interact with information. Roles and responsibilities should be clearly defined, identified, and authorized at a level commensurate with the sensitivity and criticality of information. The relationship between all parties, processes, and information must be defined clearly, documented, and acknowledged by all parties. All parties must have responsibilities for which they are held accountable.

• Awareness Principle – All parties with a need to know — including but not limited to information owners and information security practitioners — should have access to available principles, standards, conventions, or mechanisms for securing information and information systems, and should be informed of applicable threats to the security of information.
  Rationale – This principle applies between and within organizations. Awareness of information security principles, standards, conventions, and mechanisms enhances and enables controls and can help to mitigate threats. Awareness of threats and their significance also increases user acceptance of controls. Without awareness of the necessity for particular controls, users can pose a risk to information by ignoring, bypassing, or overcoming existing control mechanisms. The awareness principle applies to unauthorized and authorized parties.

• Ethics Principle – Information should be used, and information security should be administered, in an ethical manner.
  Rationale – Information systems pervade our societies. Rules and expectations are evolving with regard to the appropriate provision and use of information systems and the security of information. Use of information and information systems should match the expectations established by social norms and obligations.

• Multidisciplinary Principle – Principles, standards, conventions, and mechanisms for securing information and information systems should address the considerations and viewpoints of all interested parties.
  Rationale – Information security is achieved by the combined efforts of information owners, users, custodians, and information security personnel. Decisions made with due consideration of all relevant viewpoints and technical capabilities can enhance information security and receive better acceptance.

• Proportionality Principle – Information security controls should be proportionate to the risks of modification, denial of use, or disclosure of information.
  Rationale – Security controls should be commensurate with the value and vulnerability of information assets. Consider the value, sensitivity, and criticality of the information, as well as the probability, frequency, and severity of direct and indirect harm or loss. This principle recognizes the value of approaches to information security ranging from prevention to acceptance.

• Integration Principle – Principles, standards, conventions, and mechanisms for the security of information should be coordinated and integrated with each other and with the organization's policies and procedures to create and maintain security throughout an information system.
  Rationale – Many information security breaches involve the compromise of more than one safeguard. The most effective control measures are components of an integrated system of controls. Information security is most efficient when planned, managed, and coordinated throughout the organization's system of controls and the life of the information.

• Timeliness Principle – All accountable parties should act in a timely, coordinated manner to prevent or respond to breaches of and threats to the security of information and information systems.
  Rationale – Organizations should be able to coordinate and act swiftly to prevent or mitigate threat events. This principle recognizes the need for the public and private sectors to jointly establish mechanisms and procedures for rapid and effective threat-event reporting and handling. Access to threat-event history could support effective response to threat events and may help prevent future incidents.

Figure 7 – Security Management

• Assessment Principle – The risks to information and information systems should be assessed periodically. Rationale – Information and security requirements vary over time. Organizations periodically should assess the information, its value, and the probability, frequency, and severity of direct and indirect harm or loss. Periodic assessment identifies and measures the variances from available and established security measures and controls, such as those articulated in the GAISP, as well as the risk associated with such variances. It also enables accountable parties to make informed information risk management decisions about accepting, mitigating, or transferring the identified risks with due consideration of cost effectiveness.

• Equity Principle – Management shall respect the rights and dignity of individuals when setting policy and when selecting, implementing, and enforcing security measures. Rationale – Information security measures implemented by an organization should not infringe upon the obligations, rights, and needs of legitimate users, owners, and others affected by the information when exercised within the legitimate parameters of the mission objectives.

15.8 AICPA/CICA Trust Services Principles and Criteria

The American Institute of Certified Public Accountants (AICPA) Assurance Services Executive Committee and the CICA Assurance Services Development Board developed the Trust Services Principles and Criteria to address the risks and opportunities of IT. Trust Services Principles and Criteria set out broad statements of principles and identify specific criteria that should be achieved to meet each principle. The principles are broad statements of objectives. Criteria are benchmarks used to measure and present the subject matter and against which the practitioner can evaluate the subject matter. In the Trust Services Principles and Criteria, the criteria are supported by a list of illustrative controls. The Trust Services Principles and Criteria are organized into four broad areas:

• Policies – The organization has defined and documented its policies5 relevant to the particular principle.

• Communications – The organization has communicated its defined policies to authorized users.

• Procedures – The organization uses procedures to achieve its objectives in accordance with its defined policies.

• Monitoring – The organization monitors the system and takes action to maintain compliance with its defined policies.

Following are summaries of the Trust Services Security, Availability, Processing Integrity, Privacy, Confidentiality, and Certification Authority Principles and Criteria. The Trust Services Principles and Criteria can be used to deliver branded SysTrust and WebTrust engagements, which are assurance services designed for a wide variety of IT-based systems. Upon attainment of an unqualified assurance report, the organization would be entitled to display a SysTrust or WebTrust Seal and accompanying auditor’s report. In addition, the framework can be used to provide advisory and consulting services. For a detailed listing of the Trust Services Principles and Criteria, see http://www.aicpa.org/trustservices.

15.8.1 Security Principle – The system is protected against unauthorized access (both physical and logical)

In e-commerce and other systems, the respective parties must ensure that information provided is available only to those individuals who need access to complete the transaction or services, or to follow up on questions or issues that may arise. Information provided through these systems is susceptible to unauthorized access during transmission and while it is stored on the other party’s systems. Limiting access to the system components helps prevent potential abuse of the system, theft of resources, misuse of software, and improper access to or use, alteration, destruction, or disclosure of information. Key elements for protecting system components include permitting authorized access and preventing unauthorized access to those components.

15.8.2 Availability Principle – The system is available for operation and use as committed or agreed

The availability principle refers to the accessibility to the system, products, or services as advertised or committed by contract or by service-level and other agreements. This principle does not, in itself, set a minimum-acceptable performance level for system availability. Instead, the minimum performance level is established by mutual agreement (contract) between the parties.

Although system availability, functionality, and usability are connected, the availability principle does not address system functionality (the specific functions a system performs) and system usability (the ability of users to apply system functions to specific tasks or problems). It does address system availability, which relates to whether or not the system is accessible for processing, monitoring, and maintenance.

5 The term policies refers to written statements that communicate management’s intent, objectives, requirements, responsibilities, and standards for a particular subject. Some policies may be described explicitly as such, being contained in policy manuals or similarly labeled documents. However, some policies may be contained in documents without such explicit labeling, including, for example, notices or reports to employees or outside parties.

6 Although some privacy regulations use the term principle, the term component is used in the AICPA/CICA Trust Services Principles and Criteria Framework to represent that concept, because the term principle previously has been defined in the Trust Services literature.

15.8.3 Processing Integrity Principle – System processing is complete, accurate, timely, and authorized

Processing integrity exists if a system performs its intended function in an unimpaired manner, free from unauthorized or inadvertent manipulation. Completeness generally indicates that all transactions and services are processed or performed without exception and that transactions and services are not processed more than once. Accuracy includes assurances that key information associated with the submitted transaction will remain accurate throughout the processing of the transaction and that the transaction or services are processed or performed as intended. The timeliness of the provision of services or the delivery of goods is addressed in the context of commitments made for such delivery. Authorization includes assurances that processing is performed in accordance with the required approvals and privileges defined by policies governing system processing.

The risks associated with processing integrity are that the party initiating the transaction will not complete the transaction or provide the service correctly and in accordance with the desired or specified request. Without appropriate processing-integrity controls, the buyer may not receive the goods or services ordered, may receive more than requested, or may receive the wrong goods or services altogether. However, if appropriate processing-integrity controls exist and are operational within the system, the buyer can be reasonably assured of receiving the correct goods and services, in the correct quantity and price, by the promised date. Processing integrity addresses all of the system components, including procedures to initiate, record, process, and report the information, product, or service that is the subject of the engagement. The nature of data input in e-commerce systems typically involves the user entering data directly over Web-enabled input screens or forms, whereas in other systems the nature of data input can vary significantly. Because of this difference in data-input processes, the nature of controls over the completeness and accuracy of data input in e-commerce systems may be somewhat different than for other systems.

Processing integrity differs from data integrity because it does not imply automatically that the information stored by the system is complete, accurate, current, and authorized. If a system processes information from sources outside of the system’s boundaries, an organization can establish only limited controls over the completeness, accuracy, authorization, and timeliness of the information submitted for processing. Errors that may have been introduced into the information and control procedures at external sites typically are beyond the organization’s control. When the information source is excluded explicitly from the description of the system that defines the engagement, it is important to detail that exclusion in the system description. In other situations, the data source may be an inherent part of the system being examined, and controls over the completeness, accuracy, authorization, and timeliness of information submitted for processing would be included in the scope of the system as described.

15.8.4 Privacy Principle and Components – Personal information is collected, used, retained, and disclosed in conformity with the commitments in the organization’s privacy notice and with the AICPA/CICA Trust Services Privacy Criteria

The Privacy Principle contains 10 components6 and related criteria that are essential to the proper protection and management of personal information. These privacy components and criteria are based on fair information practices included in privacy laws and regulations of various jurisdictions around the world and many recognized good privacy practices. The privacy components are:

• Management – The organization defines, documents, communicates, and assigns accountability for its privacy policies and procedures.

• Notice – The organization provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained, and disclosed.

• Choice and consent – The organization describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use, and disclosure of personal information.

• Collection – The organization collects personal information only for the purposes identified in the notice.

• Use and retention – The organization limits the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent. The organization retains personal information only as long as necessary to fulfill the stated purposes.

• Access – The organization provides individuals with access to their personal information for review and update.

• Disclosure to third parties – The organization discloses personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual.

• Security – The organization protects personal information against unauthorized access, both physical and logical.

• Quality – The organization maintains accurate, complete, and relevant personal information for the purposes identified in the notice.

• Monitoring and enforcement – The organization monitors compliance with its privacy policies and procedures and has processes to address privacy-related complaints and disputes.

15.8.5 Confidentiality Principle – Information designated as “confidential” is protected as committed or agreed

The confidentiality principle focuses on information designated “confidential.” There is no widely recognized definition of confidential information, unlike personally identifiable information, which many countries currently are defining through regulation. In the course of communicating and transacting business, partners often exchange information they require to be maintained on a confidential basis. In most instances, the respective parties wish to ensure that the information they provide is available only to those individuals who need access to complete the transaction or resolve any questions that arise. To enhance business partner confidence, it is important to inform the partner about the organization’s confidentiality practices, including those for providing authorized access to, use of, and sharing of information designated as confidential.

Information that may be subject to confidentiality includes:

• Transaction details

• Engineering drawings

• Business plans

• Banking information about businesses

• Inventory availability

• Bid or ask prices

• Price lists

• Legal documents

• Client and customer lists

• Revenue by client and industry

Unlike personal information, there are no defined rights for accessing confidential information to ensure its accuracy and completeness. Interpretations of what is considered confidential information can vary significantly from business to business and are driven by contractual arrangements in most cases. As a result, those engaged in business relationships need to understand what information will be maintained on a confidential basis and what, if any, rights of access or other expectations an organization might have for updating that information to ensure its accuracy and completeness.

Information that is provided to another party is susceptible to unauthorized access during transmission and while it is stored on the other party’s computer systems. For example, an unauthorized party may intercept business partner profile information and transaction and settlement instructions while they are being transmitted. Controls such as encryption can be used to protect the confidentiality of this information during transmission, while firewalls and rigorous access controls can help protect the information while it is stored on computer systems.

15.8.6 Certification Authority (CA) Principle

The certification authority discloses its key and certificate life cycle-management, business, and information privacy practices and provides its services in accordance with these practices. This includes the concepts of CA business-practice disclosures, service integrity, and environmental controls.

15.9 IIA Systems Assurance and Control (SAC)

The IIA provides the SAC model. The SAC model sets the stage for effective technology risk management by giving companies a framework to guide an evaluation of the e-business control environment. SAC recognizes the importance of governance — both within an organization and between business partners — to ensure effective security, auditability, and control of information. SAC provides current information to understand, monitor, assess, and mitigate technology risks. SAC examines risks in all business system components, including customers, competitors, regulators, and partners. Full details of the model can be found at http://www.theiia.org/eSAC/index.cfm, with a detailed discussion of the model at www.theiia.org/itaudit/index.cfm?fuseaction=forum&fid=411.

15.10 Corporate Governance

15.10.1 OECD Principles of Corporate Governance

The OECD Principles of Corporate Governance, amended in April 2004, set out a framework for good practice that has been agreed to by all 30 OECD member countries and has become a generally accepted standard (http://www.oecd.org/corporate). Originally issued in 1999, the principles are designed to assist governments and regulatory bodies in drawing up and enforcing effective rules, regulations, and codes of corporate governance. In parallel, they provide guidance for stock exchanges, investors, companies, and others that have a role in the process of developing good corporate governance. Although the OECD principles do not provide specific guidance on IT controls, other OECD units provide further guidance and research on information security and privacy.

15.10.2 EU Commission

The European Commission’s Action Plan on Company Law and Corporate Governance was released in May 2003 to strengthen corporate governance mechanisms in public interest entities. (For details, see http://europa.eu.int/comm/internal_market/company/index_en.htm.) The EU’s Corporate Governance initiatives do not address IT issues specifically, but activities of the Information Society

GTAG — Appendix E — Assessing IT Controls Using COSO — 16


The COSO Internal Control – Integrated Framework is recognized as a formal model for the purpose of Sarbanes-Oxley attestation by the SEC and provides a hierarchical categorization of controls. In addition, the audit standard from the PCAOB states:

“Because of the frequency with which management of public companies is expected to use COSO as the framework for the assessment, the directions in the standard are based on the COSO framework. Other suitable frameworks have been published in other countries and likely will be published in the future. Although different frameworks may not contain exactly the same elements as COSO, they should have elements that encompass all of COSO’s general themes.”

The COSO model was refined and enhanced during 2004 through development of the COSO Enterprise Risk Management – Integrated Framework (http://www.coso.org). This appendix describes the earlier framework, which is the version referenced for regulatory compliance. Nonetheless, the CAE should investigate the Enterprise Risk Management – Integrated Framework.

16.1 COSO Definition of Internal Control

COSO defines internal control (http://www.coso.org/key.htm) as “a process, effected by an organization’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

• Effectiveness and efficiency of operations

• Reliability of financial reporting

• Compliance with applicable laws and regulations.”

These distinct but overlapping categories address different needs, such that each requires a directed focus. The first category addresses an entity’s basic business objectives, including performance and profitability goals and safeguarding of resources, which are impacted greatly by the use of IT.

The second category relates to the preparation of reliable published financial statements, including interim and condensed financial statements, as well as earnings releases and other selected publicly reported financial data derived from such statements. IT systems frequently produce such reports, and the controls over these systems play a major part in the level of internal control.

The third category deals with complying with those laws and regulations to which the entity is subject.

Internal control systems operate at different levels of effectiveness. Internal control can be judged effective in each of the three categories if the board of directors and management have reasonable assurance that:

• They understand the extent to which the entity’s operations objectives are being achieved.

• Published financial statements are being prepared reliably.

• There is compliance with applicable laws and regulations.

Although internal control is a process, its effectiveness is a state or condition of the process at one or more points in time.

16.2 COSO Internal Control — Integrated Framework

Internal control consists of five interrelated components that are derived from the way management runs a business and are integrated with the management process. Although the components apply to all entities, small and mid-size organizations may implement them differently than large enterprises. A small organization’s controls may be less formal and less structured, yet it can still have effective internal control. The components are:

16.2.1 Control Environment

The control environment sets the tone for an organization, influencing the control consciousness of its people, establishing the foundation for all other components of internal control, and providing discipline and structure. Control environment factors include the integrity, ethical values, and competence of the entity’s people; management’s philosophy and operating style; the way management assigns authority and responsibility and organizes and develops its people; and the attention and direction provided by the board of directors.

16.2.2 Risk Assessment

Every entity faces a variety of risks from external and internal sources that must be assessed. A precondition to risk assessment is the establishment of objectives that are linked at different levels and are consistent internally. Risk assessment identifies and analyzes the relevant risks to achieving these objectives and forms a basis for determining how the risks should be managed. Because economic, industry, regulatory, and operating conditions will continue to change, organizations need mechanisms to identify and deal with the special risks associated with change.

16.2.3 Control Activities

Control activities are the policies and procedures that help ensure management directives are carried out and that necessary actions are taken to address risks to achieving these objectives. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets, and segregation of duties.

16.2.4 Information and Communication

Pertinent information must be identified, captured, and communicated in a form and time frame that enables people to perform their responsibilities. Information systems produce reports containing operational, financial, and compliance-related information that make it possible to run and control the business. They deal not only with internally generated data but also with information about external events, activities, and conditions necessary for informed business decision-making and external reporting. Effective communication must also occur in a broader sense, flowing down, across, and up the organization. All personnel must receive a clear message from top management that control responsibilities have to be taken seriously. They need to understand their own role in the internal control system, as well as how individual activities relate to the work of others. They must have a means of communicating significant information upstream. There also needs to be effective communication with external parties, such as customers, suppliers, regulators, and shareholders.

16.2.5 Monitoring

Internal control systems need to be monitored to assess the quality of their performance over time. This is accomplished through ongoing monitoring activities, separate evaluations, or a combination of the two. Ongoing monitoring occurs in the course of operations and includes regular management and supervisory activities and other actions personnel take in performing their duties. The scope and frequency of separate evaluations will depend primarily on an assessment of risks and the effectiveness of ongoing monitoring procedures. Internal control deficiencies should be reported upstream, with serious matters reported to top management and the board.

There is synergy and linkage among the components, forming an integrated system that reacts dynamically to changing conditions. The internal control system is intertwined with the entity’s operating activities and exists for fundamental business reasons. Internal control is most effective when controls are built into the entity’s infrastructure and are a part of the essence of the enterprise. Built-in controls support quality and empowerment initiatives, avoid unnecessary costs, and enable quick response to changing conditions.

There is a direct relationship between the three COSO categories (effectiveness, reliability, compliance) of objectives — which are what an entity strives to achieve — and the components needed to achieve the objectives. All components are relevant to each objectives category. When looking at any one category — the effectiveness and efficiency of operations, for instance — all five components must be present and functioning effectively to conclude that internal control over operations is effective.

The internal control definition — with its underlying fundamental concepts of a process, effected by people, providing reasonable assurance — together with the categorization of objectives, the components and criteria for effectiveness, and the associated discussions, constitute this internal control framework.

GTAG — Appendix F — ITGI Control Objectives for Information and Related Technology (CobiT) — 17


Organizations must satisfy the quality, fiduciary, and security requirements for their information, as for all assets. Management must also optimize the use of available resources, including data, application systems, technology, facilities, and people. To discharge these responsibilities, as well as to achieve its objectives, management must establish an adequate system of internal control. Thus, an internal control system or framework must be in place to support the business processes, and it must be clear how each individual control activity satisfies the information requirements and impacts the resources. Impact on IT resources is highlighted in the CobiT framework, together with the business requirements for effectiveness, efficiency, confidentiality, integrity, availability, compliance, and reliability of information that need to be satisfied. Control, which includes policies, organizational structures, practices, and procedures, is management’s responsibility. Management, through its corporate and IT governance, must ensure that due diligence is exercised by all individuals involved in the management, use, design, development, maintenance, or operation of information systems.

Business orientation is the main theme of CobiT. It is designed not only to be employed by users and auditors, but also, and more importantly, as a comprehensive checklist for business process owners. Increasingly, business practice involves the full empowerment of business process owners so they have total responsibility for all aspects of the business process. In particular, this includes providing adequate controls. The CobiT framework provides a tool for the business process owner that facilitates the discharge of this responsibility. The framework starts from a simple and pragmatic premise: In order to provide the information that the organization needs to achieve its objectives, IT resources need to be managed by a set of naturally grouped processes.

CobiT continues with a set of 34 high-level control objectives, one for each of the IT processes, grouped into four domains: Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate.

Plan and Organize – This domain covers strategy and tactics and concerns the identification of the way IT can best contribute to the achievement of business objectives.

1. Define a strategic IT plan
2. Define the information architecture
3. Determine the technological direction
4. Define the IT organization and relationships
5. Manage the IT investment
6. Communicate management aims and direction
7. Manage human resources
8. Ensure compliance with external requirements
9. Assess risks
10. Manage projects
11. Manage quality

Acquire and Implement – To realize the IT strategy, IT solutions need to be identified, developed, or acquired, as well as implemented and integrated into the business process. In addition, changes in and maintenance of existing systems are covered by this domain to make sure that the life cycle is continued for these systems.

12. Identify automated solutions
13. Acquire and maintain application software
14. Acquire and maintain technology architecture
15. Develop and maintain IT procedures
16. Install and accredit systems
17. Manage changes

Deliver and Support – This domain is concerned with the actual delivery of required services, which range from traditional operations over security and continuity aspects to training. This domain includes the actual processing of data by application systems.

18. Define and manage service levels
19. Manage third-party services
20. Manage performance and capacity
21. Ensure continuous service
22. Ensure systems security
23. Identify and allocate costs
24. Educate and train users
25. Assist and advise IT customers
26. Manage the configuration
27. Manage problems and incidents
28. Manage data
29. Manage facilities
30. Manage operations

Monitor and Evaluate – All IT processes need to be assessed regularly over time for their quality and compliance with control requirements. This domain thus addresses management’s oversight of the organization’s control process and independent assurance provided by internal and external auditing or obtained from alternative sources.

31. Monitor the processes
32. Assess internal control adequacy
33. Obtain independent assurance
34. Provide for independent audit

This structure covers all aspects of information and the technology that supports it. By addressing these 34 high-level control objectives, the business process owner can ensure that an adequate control system is provided for the IT environment.

CobiT is comprised of:

• An executive summary, which provides an overview of CobiT’s issues and foundational premise.

• CobiT framework, which describes in detail the high-level IT control objectives and identifies the business requirements for information and IT resources primarily impacted by each control objective.

• Control objectives, statements of the desired results or purposes to be achieved by implementing the specific detailed control objectives.

• Audit guidelines, suggested audit steps corresponding to each of the IT control objectives.

• An implementation tool set, which provides lessons learned from those organizations that successfully applied CobiT in their work environments and several tools to help management assess their control environment related to information and IT resources.

• Management guidelines, which are composed of maturity models to help determine the stages and expectation levels of control, critical success factors to identify the most important actions for achieving control over the IT processes, key goal indicators to define target levels of performance, and key performance indicators to measure whether an IT control process is meeting its objective.

Copyright © 2000 by ITGI and reprinted with the permission of the ITGI. No other right or permission is granted with respect to this work.

Designated by the IT Governance Institute (ITGI) and ISACA as an open standard, this portion of CobiT may be downloaded from http://www.itgi.org and http://www.isaca.org.

CobiT, now in its third edition and available in hard copy or interactive online format (CobiT Online), increasingly is accepted internationally as good practice for control over information, IT, and related risks. Its guidance enables an enterprise to implement effective governance over the IT that is pervasive and intrinsic throughout the enterprise.


The following metrics descriptions are taken from the Corporate Information Security Working Group (CISWG) draft report of the Best Practices and Metrics teams, November 17, 2004. During Phase I of the CISWG, convened in November 2003 by Rep. Adam Putnam (R-FL), the Best Practices team surveyed available information security guidance. It concluded in its March 2004 report7 that much of this guidance is expressed at a relatively high level of abstraction and therefore is not useful immediately as actionable guidance without significant and often costly elaboration. A one-page listing of Information Security Program Elements regarded as essential content for comprehensive enterprise management of information security was created, upon which it was hoped future actionable guidance could be built for use by a wide variety of organizations.

The Best Practices and Metrics teams of CISWG Phase II, convened in June 2004, were charged with expanding on the work of Phase I by refining the Information Security Program Elements and developing metrics to support each of the elements. The goal was to develop a resource that would help board members, managers, and technical staff establish a comprehensive structure of principles, policies, processes, controls, and performance metrics to support the people, process, and technology aspects of information security.

These generic metrics can be used as the basis for deter-mining regular reporting requirements for the audit commit-tee although they are not meant to be a ldquoone-size-fits-allrdquosolution The full set of draft metrics along with explanato-ry notes and descriptions can be found under the

ldquoTechnologyrdquo section of httpwwwtheiiaorg

The Information Security Program Elements andSupporting Metrics are intended to enable boards manage-ment and technical staff to monitor the status and progressof their organizationrsquos information security program overtime Each organization should thoughtfully consider whichprogram elements and metrics might be helpful in its owncircumstances It should then set its own implementationpriorities and establish an appropriate policy process andcontrol structure Larger and more complex organizationswill create policies processes and controls in each programelement that inevitably will be more extensive than those asmaller organization might choose to implement

18.1 Metrics for Boards of Directors/Trustees

Establishing a competent information security program requires board members to devote attention to certain program elements. Board members can use the following metrics as part of their information security responsibilities. Board members generally should find the best target value for each metric — higher or lower — to be self-evident.

• Oversee risk management and compliance programs pertaining to information security.
  – Percentage of key information assets for which a comprehensive strategy has been implemented to mitigate information security risks as necessary and to maintain these risks within acceptable thresholds.
  – Percentage of key organizational functions for which a comprehensive strategy has been implemented to mitigate information security risks as necessary and to maintain these risks within acceptable thresholds.
  – Percentage of key external requirements for which the organization has been deemed to be in compliance by an objective audit or other means.

• Approve and adopt broad information security program principles and approve assignment of key managers responsible for information security.
  – Percentage of information security program principles for which approved policies and controls have been implemented by management.
  – Percentage of key information security management roles for which responsibilities, accountabilities, and authority are assigned and required skills identified.

• Strive to protect the interests of all stakeholders who depend on information security.
  – Percentage of board meetings and/or designated committee meetings for which information security is on the agenda.
  – Percentage of security incidents that caused damage, compromise, or loss beyond established thresholds to the organization's assets, functions, or stakeholders.
  – Estimated damage or loss in dollars resulting from all security incidents in each of the past four reporting periods.

• Review information security policies regarding strategic partners and other third parties.
  – Percentage of strategic partner and other third-party relationships for which information security requirements have been implemented in agreements.

• Strive to ensure business continuity.
  – Percentage of organizational units with an established business-continuity plan.

• Review provisions for internal and external audits of the information security program.
  – Percentage of required internal and external audits completed and reviewed by the board.
  – Percentage of audit findings that have not been resolved.

• Collaborate with management to specify the information security metrics to be reported to the board.

[7] http://reform.house.gov/TIPRC

GTAG — Appendix G — Example IT Control Metrics to Be Considered by Audit Committees — 18

18.2 Metrics for Management

The following program elements and metrics are intended to help management implement the information security goals and policies established by the board as part of an effective information security program.

• Establish information security management policies and controls, and monitor compliance.
  – Percentage of information security program elements for which approved policies and controls are operational.
  – Percentage of staff assigned responsibilities for information security policies and controls who have acknowledged accountability for their responsibilities in connection with those policies and controls.
  – Percentage of information security policy compliance reviews that noted violations.
  – Percentage of business-unit heads and senior managers who have implemented operational procedures to ensure compliance with approved information security policies and controls.

• Assign information security roles, responsibilities, and required skills, and enforce role-based information-access privileges.
  – Percentage of new employees hired this reporting period who satisfactorily completed security-awareness training before being granted network access.
  – Percentage of employees who have completed periodic security-awareness refresher training as required by policy.
  – Percentage of position descriptions that define the information security roles, responsibilities, skills, and certifications for:
    + Security managers and administrators
    + IT personnel
    + General staff system users
  – Percentage of job performance reviews that evaluate information security responsibilities and policy compliance.
  – Percentage of user roles, systems, and applications that comply with the separation-of-duties principle.
  – Number of individuals with access to security software who are not trained and authorized security administrators.
  – Number of individuals who are able to assign security privileges for systems and applications who are not trained and authorized security administrators.
  – Percentage of users whose access privileges have been reviewed this reporting period, including:
    + Employees with high-level system and application privileges
    + All other employees
    + Contractors
    + Vendors
    + Terminated employees and contractors
  – Percentage of users who have undergone background checks.

• Assess information risks, establish risk thresholds, and actively manage risk mitigation.
  – Percentage of critical information assets and information-dependent functions for which some form of risk assessment has been performed and documented as required by policy.
  – Percentage of critical assets and functions for which the cost of compromise — loss, damage, disclosure, or disruption of access — has been quantified.
  – Percentage of identified risks that have a defined risk mitigation plan against which status is reported in accordance with policy.

• Ensure implementation of information security requirements for strategic partners and other third parties.
  – Percentage of known information security risks that are related to third-party relationships.
  – Percentage of critical information assets or functions to which third-party personnel have been given access.
  – Percentage of third-party personnel with current information access privileges who a designated authority has deemed to have continued need for access in accordance with policy.
  – Percentage of systems with critical information assets or functions that are connected to third-party systems electronically.
  – Percentage of security incidents that involve third-party personnel.
  – Percentage of third-party agreements that include or demonstrate external verification of policies and procedures.
  – Percentage of third-party relationships that have been reviewed for compliance with information security requirements.
  – Percentage of out-of-compliance review findings that have been corrected since the last review.

• Identify and classify information assets.
  – Percentage of information assets that have been reviewed and classified by the designated owner in accordance with the classification scheme established by policy.
  – Percentage of information assets with defined access privileges that have been assigned based on role and in accordance with policy.
  – Date when the asset inventory was last updated.

• Implement and test business-continuity plans.
  – Percentage of organizational units with a documented business-continuity plan for which specific responsibilities have been assigned.
  – Percentage of business-continuity plans that have been reviewed, exercised and tested, and updated in accordance with policy.

• Approve information systems architecture during acquisition, development, operations, and maintenance.
  – Percentage of information security risks related to systems architecture identified in the most recent risk assessment that have been mitigated adequately.
  – Percentage of system architecture changes — additions, modifications, or deletions — that were reviewed for security impacts, approved by the appropriate authority, and documented via change-request forms.
  – Percentage of critical information assets or functions residing on systems that are out of compliance with the approved systems architecture.

• Protect the physical environment.
  – Percentage of critical organizational information assets and functions that have been reviewed from the perspective of physical risks, such as controlling physical access and physical protection of backup media.
  – Percentage of critical organizational information assets and functions exposed to physical risks for which risk mitigation actions have been implemented.
  – Percentage of critical assets that have been reviewed from the perspective of environmental risks, such as temperature, fire, and flooding.
  – Percentage of servers in locations with controlled physical access.
  – Percentage of information security requirements of applicable laws and regulations that are included in the internal and external audit program and schedule.
  – Percentage of information security audits conducted in compliance with the approved internal and external audit program and schedule.
  – Percentage of management actions in response to audit findings and recommendations that were implemented as agreed upon regarding timeliness and completeness.

• Collaborate with security personnel to specify the information security metrics to be reported to management.
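Several of the management metrics above (reviewed privileges by user category, individuals who can assign privileges without being authorized administrators, separation-of-duties compliance, and terminated accounts that still hold access) can be computed directly from an access-review export. The following script is an added example and is not part of the GTAG or the CISWG report; the account record layout, the separation-of-duties conflict pairs, the reporting period and the sample accounts are all constructed assumptions for illustration.

```python
"""Compute a handful of the Appendix G management metrics from an access register.

Added example; not part of the GTAG. The record layout, the separation-of-duties
conflict pairs, the reporting period and the sample accounts are constructed.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# Constructed reporting period: metrics are computed for "this reporting period".
PERIOD_START = date(2005, 1, 1)


@dataclass
class Account:
    user_id: str
    category: str                          # employee, privileged, contractor, vendor, terminated
    roles: Set[str] = field(default_factory=set)
    can_assign_privileges: bool = False    # can grant rights in a system or application
    authorized_admin: bool = False         # trained and authorized security administrator
    last_review: Optional[date] = None     # date the account's privileges were last reviewed


# Constructed sample export from an access-review tool (hypothetical data).
ACCOUNTS: List[Account] = [
    Account("u001", "employee", {"AP_ENTER_INVOICE"}, last_review=date(2005, 2, 1)),
    Account("u002", "employee", {"AP_ENTER_INVOICE", "AP_APPROVE_PAYMENT"}, last_review=date(2004, 11, 15)),
    Account("u003", "privileged", {"SEC_ADMIN"}, True, True, date(2005, 1, 20)),
    Account("u004", "privileged", {"SEC_ADMIN", "AUDIT_LOG_REVIEW"}, True, False, date(2005, 1, 20)),
    Account("u005", "contractor", {"AP_ENTER_INVOICE"}),
    Account("u006", "contractor", set(), last_review=date(2005, 3, 1)),
    Account("u007", "vendor", {"SUPPORT_RO"}, can_assign_privileges=True),
    Account("u008", "terminated", {"AP_APPROVE_PAYMENT"}),
]

# Constructed separation-of-duties rules: no single account may hold both roles of a pair.
SOD_CONFLICTS: Set[frozenset] = {
    frozenset({"AP_ENTER_INVOICE", "AP_APPROVE_PAYMENT"}),
    frozenset({"SEC_ADMIN", "AUDIT_LOG_REVIEW"}),
}


def pct(numerator: int, denominator: int) -> float:
    """Percentage rounded to one decimal; 0.0 when there is nothing to measure."""
    return round(100.0 * numerator / denominator, 1) if denominator else 0.0


def review_coverage(accounts: List[Account], period_start: date) -> Dict[str, float]:
    """Percentage of users whose access privileges were reviewed this period, per category."""
    totals: Dict[str, int] = {}
    reviewed: Dict[str, int] = {}
    for a in accounts:
        totals[a.category] = totals.get(a.category, 0) + 1
        if a.last_review is not None and a.last_review >= period_start:
            reviewed[a.category] = reviewed.get(a.category, 0) + 1
    return {cat: pct(reviewed.get(cat, 0), n) for cat, n in totals.items()}


def unauthorized_privilege_assigners(accounts: List[Account]) -> List[str]:
    """Individuals able to assign security privileges who are not authorized security administrators."""
    return sorted(a.user_id for a in accounts if a.can_assign_privileges and not a.authorized_admin)


def sod_compliance(accounts: List[Account], conflicts: Set[frozenset]) -> Tuple[float, List[str]]:
    """Percentage of accounts with no separation-of-duties conflict, plus the offending accounts."""
    offenders = sorted(a.user_id for a in accounts if any(pair <= a.roles for pair in conflicts))
    return pct(len(accounts) - len(offenders), len(accounts)), offenders


def terminated_with_access(accounts: List[Account]) -> List[str]:
    """Terminated employees and contractors whose accounts still hold roles."""
    return sorted(a.user_id for a in accounts if a.category == "terminated" and a.roles)


def compute_metrics(accounts: List[Account] = ACCOUNTS, period_start: date = PERIOD_START) -> Dict[str, object]:
    """Bundle the metrics the way a reporting script would hand them to an audit committee pack."""
    sod_pct, sod_offenders = sod_compliance(accounts, SOD_CONFLICTS)
    return {
        "review_coverage_pct": review_coverage(accounts, period_start),
        "unauthorized_privilege_assigners": unauthorized_privilege_assigners(accounts),
        "sod_compliant_pct": sod_pct,
        "sod_offenders": sod_offenders,
        "terminated_with_access": terminated_with_access(accounts),
    }


if __name__ == "__main__":
    for name, value in compute_metrics().items():
        print(f"{name}: {value}")
```

Reporting the offending account identifiers alongside each percentage is deliberate: a percentage tells the audit committee how far the organization is from its target value, while the list tells management which accounts to act on before the next reporting period.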

GTAG — Appendix H — CAE Checklist — 19

CAEs can use this checklist to examine their IT control framework to ensure the organization has addressed all control elements. The checklist can help the CAE understand the issues and plan for full internal audit coverage of the control areas.

1. Identify the IT control environment of the organization, including:
   a. Values
   b. Philosophy
   c. Management style
   d. IT awareness
   e. Organization
   f. Policies
   g. Standards

2. Identify relevant legislation and regulation impacting IT control, such as:
   a. Governance
   b. Reporting
   c. Data protection
   d. Compliance

3. Identify the roles and responsibilities for IT control in relation to:
   a. Board of directors
      i. Audit committee
      ii. Risk committee
      iii. Governance committee
      iv. Finance committee
   b. Management
      i. CEO
      ii. CFO and controller
      iii. CIO
      iv. CSO
      v. CISO
      vi. CLC
      vii. CRO
   c. Audit
      i. Internal audit
      ii. External audit

4. Identify the risk assessment process. Does it cover:
   a. Risk appetite
   b. Risk tolerances
   c. Risk analysis
   d. Matching risks to IT controls

5. Identify all monitoring processes, including:
   a. Regulatory
   b. Normal in-house
   c. Other than internal auditing

6. Identify information and communication mechanisms:
   a. Control information
   b. Control failures

Action Questions

1. Do corporate policies and standards that describe the need for IT controls exist?
2. What legislation exists that impacts on the need for IT controls?
3. Has management taken steps to ensure compliance with this legislation?
4. Have all the relevant responsibilities for IT controls been allocated to individual roles?
5. Is the allocation of responsibilities compatible with the need to apply division of duties?
6. Are IT responsibilities documented?
7. Are IT control responsibilities communicated to the whole organization?
8. Do individual role holders clearly understand their responsibilities in relation to IT controls?
9. What evidence is there of individual role holders exercising their responsibilities?
10. Does internal auditing employ sufficient IT audit specialists to address the IT control issues?
11. How is the risk appetite and tolerance of the organization determined?
12. Is the risk appetite and tolerance of the organization authorized at board level?
13. Is the risk appetite and tolerance clearly understood by all those with a responsibility for IT control?
14. Is a formal risk analysis process used by the organization?
15. Is the process understood by all those with responsibility for IT control?
16. Is the process used consistently throughout the organization?
17. What processes exist to monitor compliance with all relevant legislation plus internal policies and standards?
18. Are there monitoring processes carried out by management outside of internal audit?
19. What metrics are provided to the board of directors, its committees, and management in relation to IT security?
20. What additional reports are provided to the board of directors and to management on a regular basis?
21. Is management always provided with reports when there are IT control failures?
22. Do the board of directors and its committees receive similar reports of IT control failures?

GTAG — Appendix I — References — 20

The following list of information security reference material is taken from a list compiled by the CISWG of the Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census, and the Government Reform Committee of the US House of Representatives. The full list can be found at http://www.reform.house.gov/TIPRC or under the "Technology" section of http://www.theiia.org. The documents are classified into three sections relating to governance, management, and technical issues.

20.1 Governance

Board Briefing on IT Governance, ITGI. http://www.itgi.org/Template_ITGI.cfm?Section=ITGI&CONTENTID=6658&TEMPLATE=/ContentManagement/ContentDisplay.cfm

Information Security Governance: Guidance for Boards of Directors and Executive Management, ITGI. http://www.itgi.org

Information Security Management and Assurance: Three-report series from The IIA, National Association of Corporate Directors (NACD), US Critical Infrastructure Assurance Office, et al. http://www.theiia.org/esac/index.cfm?fuseaction=or&page=rciap

Information Security Oversight: Essential Board Practices, NACD. http://www.nacdonline.org/publications/pubDetails.asp?pubID=138&user=6158BBEB9D7C4EE0B9E4B98B601E3716

IT Governance Implementation Guide, ISACA. http://www.isaca.org/Template.cfm?Section=Browse_By_Topic&Template=/Ecommerce/ProductDisplay.cfm&ProductID=503

Turnbull Report - Internal Control - Guidance for Directors on the Combined Code, Institute of Chartered Accountants in England & Wales. http://www.icaew.co.uk/index.cfm?AUB=TB2I_6242MNXI_47896

20.2 Management

BS 7799 – Parts 1 & 2, Code of Practice for Information Security Management, British Standards Institution. http://www.bsi.org.uk

Common Sense Guide for Senior Managers, Internet Security Alliance. www.isalliance.org

Corporate Information Security Evaluation for CEOs, TechNet. http://www.technet.org/cybersecurity

Generally Accepted Information Security Principles (GAISP), Information Systems Security Association. Currently available: Generally Accepted Systems Security Principles (GASSP), consisting of Pervasive Principles and Broad Functional Principles; Detailed Principles are under development. http://www.issa.org/gaisp/gaisp.html

Generally Accepted Principles and Practices (GAPP), NIST SP 800-18, "Guide for Developing Security Plans for Information Technology Systems," December 1998 (Marianne Swanson & Barbara Guttman): eight generally accepted principles (see OECD) and "Common IT Security Practices." http://csrc.nist.gov/publications/nistpubs/index.html

ICC Handbook on Information Security Policy for Small to Medium Enterprises, International Chamber of Commerce (ICC). http://www.iccwbo.org/home/e_business/word_documents/SECURITY-final.pdf

IFAC International Guidelines on Information Technology Management – Managing Information Technology Planning for Business Impact, International Federation of Accountants. http://www.ifac.org

Information Security for Executives, Business and Industry Advisory Committee to the OECD and ICC. http://www.iccwbo.org/home/e_business/word_documents/SECURITY-final.pdf

ISO 17799 – Information Technology – Code of Practice for Information Security Management, International Organization for Standardization (ISO). http://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=33441&ICS1=35&ICS2=40&ICS3

OECD Guidelines for the Security of Information Systems and Networks: nine pervasive principles for information security upon which several other guides are based, OECD. http://www.oecd.org/document/42/0,2340,en_2649_33703_15582250_1_1_1_1,00.html

Standard of Good Practice for Information Security, Information Security Forum. http://www.isfsecuritystandard.com/index_ie.htm

Trust Services Criteria (including SysTrust and WebTrust), American Institute of Certified Public Accountants. http://www.aicpa.org/trustservices

20.3 Technical Issues

Consensus Benchmarks, Center for Internet Security. http://www.cisecurity.org

DISA Security Technical Implementation Guides. http://www.csrc.nist.gov/pcig/cig.html

ISO 15408, Common Criteria. http://www.csrc.nist.gov/cc/ccv20/ccv2list.htm

ISO TR 13335 – Guidelines for the Management of Information Security, Parts 1-5. http://www.iso.org/iso/en/StandardsQueryFormHandler.StandardsQueryFormHandler

IT Baseline Protection Manual (P BSI 7152 E 1), Bundesamt für Sicherheit in der Informationstechnik. http://www.bsi.bund.de/gshb/english/menue.htm

ITCG: Information Technology Control Guidelines, Canadian Institute of Chartered Accountants (CICA). http://www.cica.ca

NIST Configuration Guides, National Institute of Standards and Technology (NIST). http://www.csrc.nist.gov/pcig/cig.html

NIST 800-12, The Computer Security Handbook, NIST. http://www.csrc.nist.gov/publications/nistpubs/index.html

NIST 800-30, Risk Management Guide for Information Technology Systems, NIST. http://www.csrc.nist.gov/publications/nistpubs/index.html

NSA Configuration Guides. http://www.nsa.gov/snac

SANS Step-by-Step Guides, SANS Institute. http://www.store.sans.org

20.4 Auditing IT

Control Objectives for Information and Related Technologies (CobiT), ISACA. http://www.isaca.org

Federal Information Systems Controls Audit Manual (FISCAM), US Government Accountability Office. http://www.gao.gov

Information Technology Control Guidelines (ITCG), CICA. http://www.cica.ca

Systems Assurance and Control (SAC), IIA Research Foundation. http://www.theiia.org/eSAC

Systems Auditability and Control (SAC), IIA Research Foundation. http://www.theiia.org/eSAC

GTAG — Appendix J — Glossary — 21

A listing of technical terms used in the guide, with a simple, plain English definition.

Application Control – A control related to the specific functioning of an application system that supports a specific business process. Common applications include accounts payable, inventory management, and general ledger. Integrated applications combine the functions of many business processes into integrated systems sharing common databases.

Assurance – The act of assuring; a declaration tending to inspire full confidence; that which is designed to give confidence.

CAE – Chief audit executive.

CEO – Chief executive officer.

CFO – Chief financial officer (and controller).

CIO – Chief information officer.

CISO – Chief information security officer.

CLC – Chief legal counsel.

COSO – The Committee of Sponsoring Organizations of the Treadway Commission (the Commission on Fraudulent Financial Reporting). See http://www.coso.org.

CRM – Customer resource management.

CSO – Chief security officer.

Cyber attack – A criminal act perpetrated by the use of computers and telecommunications capabilities, resulting in violence, destruction, and/or disruption of services to create fear by causing confusion and uncertainty within a given population, with the goal of influencing a government or population to conform to a particular political, social, or ideological agenda.

Effective – Getting a job done, with or without regard for efficiency. If the law requires you to do something, it probably does not require you to do it efficiently, as evidenced by Sarbanes-Oxley compliance and the frequent complaint that companies are spending huge sums with no apparent value added to the organization or stakeholders.

Efficient – To be efficient, a process or activity must also be effective. Information Technology Process Institute studies show that best-of-breed organizations enjoy considerable efficiencies by maintaining an effective set of control and monitoring practices and resolving the source of the problem rather than only responding to the symptoms.

Framework – A structure for organizing something (e.g., governance issues, controls) to highlight needs at the various levels of an organization, as well as for its activities and processes. A control framework is an outline that identifies the need for controls but does not depict how they are applied. Each organization and organizational unit provides a level of detail related to its own control objectives and control practices.

General control – A control that applies generally to the IT environment or overall mix of systems, networks, data, people, and processes (also known as IT infrastructure).

GLBA – US Gramm-Leach-Bliley Act.

Governance – The combination of processes and structures implemented by the board to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives.

GTAG – Global Technology Audit Guide.

HIPAA – US Health Information Portability and Accountability Act.

Information asset – Information assets are based in the value of information to the worth and continued existence of the organization. A distinction is made between information assets and information resources because information resources are generally considered to include the related human resources, and human resources are not considered to be owned by the organization.

Information resource – Includes all elements of the organization involved in information processing (e.g., acquisition, processing, communication, and storage), including the related hardware, software, processes, and personnel.

Information security – The concepts, techniques, technical measures, and administrative measures used to protect information assets from deliberate or inadvertent unauthorized acquisition, damage, disclosure, manipulation, modification, loss, or use.

Information technology (IT) – All the computer hardware and software used to process information and provide communications, the processes for administering and maintaining the technology, and the human resources associated with the use of technology.

ISO 17799 – Code of Practice for Information Security Management. See http://www.iso.org.

IT controls – Those controls that provide reasonable assurance of the secure, reliable, and resilient performance of hardware, software, processes, and personnel, as well as the reliability of the organization's information.

IT infrastructure – The overall IT environment, including systems, networks, data, people, and processes. Infrastructures can also include the interaction of businesses and industries in mutual support through shared media and services such as the Internet, energy, financial services, utilities, government, and transportation. To the extent that infrastructures support national and regional economies, defenses, and business continuity, they are known as critical infrastructures.

ITPI – IT Process Institute. See http://www.itpi.org.

Public Company Accounting Oversight Board (PCAOB) – A board of the US Securities and Exchange Commission established by the Sarbanes-Oxley Act of 2002 as an oversight body for public financial reporting and auditing.

Risk appetite – Defined by COSO as "the degree of risk, on a broad-based level, that a company or other organization is willing to accept in pursuit of its goals. Management considers the organization's risk appetite first in evaluating strategic alternatives, then in setting objectives aligned with the selected strategy, and in developing mechanisms to manage the related risks."

Risk management – The ongoing identification, measurement, and mitigation of risk through the demonstrably cost-efficient implementation and administration of control over the known and knowable risks of threat events that can affect the confidentiality, integrity, or availability of an organization's information assets adversely.

Risk tolerance – Defined by COSO as "the acceptable level of variation relative to the achievement of objectives. In setting specific risk tolerances, management considers the relative importance of the related objectives and aligns risk tolerances with its risk appetite."

GTAG — Appendix K — About the Global Technology Audit Guides — 22

This IT controls guide is the first in a series of GTAGs, which will give CAEs and internal auditors a source of information for educating and informing themselves and others within the organization who have responsibilities related to IT control.

The GTAGs will provide guidance on a variety of IT topics. Each guide will describe the underlying technology, facts, and issues sufficiently to explain business opportunities, risks, and related controls and their impacts on the overall system of internal controls. Subjects to be addressed in the GTAG series will be determined by current and emerging technology areas and their potential ramifications for internal controls and assurance. Planned topics for guides include intrusion protection, security management, change management, wireless security, identity management, and authentication.

22.1 Parties to the GTAG Program

Each GTAG guide is developed through interaction with technical audit and security experts, audit executives, technology vendors, and the associations and individuals that represent board members, chief executives, financial executives, information technology professionals, and security executives. Involvement from The IIA's international affiliates and partners supports the global perspective of the guides. Other professionals representing specialized views, such as legal, insurance, regulatory, and standards, will be included as appropriate within individual GTAG projects.

The IIA is joined in this GTAG project by a specially selected team of professional associations, academic institutions, and practitioners in both auditing and technology. The IIA is grateful for the support provided by this team, as the guide would not have been possible without them. For The IIA to provide meaningful guidance to auditors about how to relate to audit customers, it is essential to gain agreement with the key representatives of those customers. To speak to a global audience, the guide needs consensus from a broad group representing many of the countries where internal auditors operate. So we thank both the individuals and the organizations who contributed so much to this guide.

23.1 IT Controls Advisory Council

The Advisory Council is made up of individuals who contributed to the development of this guide from the outset of planning the GTAG project, through design and development of the IT Controls Guide outline and various drafts, to the completion of the final product. These individuals went beyond the role of a volunteer support team to truly act in a leadership role.

Julia H. Allen, CMU/SEI, Carnegie-Mellon University/Software Engineering Institute

Michael R. Dickson, Business Technology Group LLC

Clint Kreitner, President/CEO, CIS, The Center for Internet Security

Alex Lajoux, NACD, National Association of Corporate Directors

Will Ozier, Vice Chair, the ISSA GAIS Committee; CEO & President, OPA Inc., The Integrated Risk Management Group, USA

Mark Salamasick, CIA, University of Texas at Dallas

Karyn Waller, AICPA, American Institute of Certified Public Accountants

23.2 Partner Organizations

AICPA – Michael R. Dickson, Karyn Waller, American Institute of Certified Public Accountants

CIS – Clint Kreitner, Center for Internet Security

CMU/SEI – Julia Allen, Bob Rosenstein, Carnegie-Mellon University/Software Engineering Institute

ISSA – Dave Cullinane, President; Bob Daniels, Exec. Vice President, Information Systems Security Association

NACD – Peter Gleason, Alex Lajoux, National Association of Corporate Directors

SANS Institute – Alan Paller, Director of Research; Stephen Northcutt, COO

23.3 Project Review Team

Peter Allor, ISS, Internet Security Systems

Jack Antonelli, ADP

Ken D. Askelson, CIA, JC Penney Co. Inc.

Becky Bace, Infidel Inc.

Kevin Behr, IPSI, Institute for Integrated Publication and Information Systems

Jeff Benson, BearingPoint

Robert S. Block, Chairman, 3D Business Tools, USA

Sylvia Boyd, The IIA

Alexandra Branisteanu, Information Security Officer, Scripps Health, San Diego, USA

Larry Brown, Options Clearing Corp.

Stephanie Bryant, University of South Florida

Phil Campbell, Specialized IT LLC, USA

John Carlson, BITS, Banking Industry Technology Secretariat

Chris Compton, Intrusion Labs

Guy Copeland, CSC, Computer Sciences Corp.

Rich Crawford, Vice President/Senior Security Advisor, Janus Risk Management, USA

Bob Daniels, EDS

Bob Dix, US House of Representatives

GTAG — Appendix L — GTAG Partners and Global Project Team — 23

Jerry E. Durant, CIA, President, Certifiable Technologies Ltd., Orlando, Fla., USA

Emily Frye, Critical Infrastructure Protections Program, George Mason University School of Law, USA

Greg Garcia, ITAA, Information Technology Association of America

Russ Gates, Dupage Consulting LLC

Lou Giles, Chevron Phillips Chemical Co.

Doug Guerrero, EDS

Kai Tamara Hare, Nuserve

Michael S. Hines, CIA, Purdue University

Bob Hirth, Protiviti

Don Holden, CISSP, Concordant Inc., USA

Dave Kern, Ethentica

Gene Kim, CTO, Tripwire Inc., USA

Jim Kolouch, BearingPoint

David Kowal, VP, JP Morgan Chase

Paul Kurtz, CSIA, Cyber Security Industry Alliance

Cindy LeRouge, PhD, Decision Sciences/MIS Department, John Cook School of Business, St. Louis University, USA

Andrée Lavigne, CICA, Canadian Institute of Chartered Accountants

Debbie Lew, Guidance Software

Brenda Lovell, CIA, CCSA, CGAP, The IIA

Warren Malmquist, Adolph Coors Co.

Stacy Mantzaris, CIA, IIA

Dennis Miller, Heritage Bank

Patrick Morrissey, Auditwire

Bruce Moulton, Symantec

Paul Moxey, ACCA, Association of Chartered Certified Accountants

Roseane Paligo, CIA, Chief Financial Officer, 1st Choice Community Federal Credit Union, USA

Fred Palmer, Palmer Associates

Xenia Parker, CIA, CFSA, VP, Enterprise Technology Group, Marsh Inc.

Bernie Plagman, TechPar Group

Heriot Prentice, MIIA, FIIA, QiCA, The IIA

Dick Price, Beacon IT Ltd., BS 7799 Consultancy, USA

Michael Quint, Corporate Compliance Officer, EDS Corporate Audit, USA

Sridhar Ramamoorti, CIA, CFSA, Ernst & Young LLP, Chicago, IL, USA

Amy Ray, Bentley College

Martin Ross, GSC, Global Security Consortium

Chip Schilb, EDS, USA

Howard Schmidt, eBay

Mark Silver, Symantec

George Spafford, President, Spafford Global Consulting, Saint Joseph, IL, USA

Adam Stone, Assurant

Jay H. Stott, CIA, Fidelity Investments

Dan Swanson, CIA, IIA

Jay R. Taylor, CIA, CISA, CFE, General Motors Corporation

Bill Tener, University & Community College System of Nevada

Archie Thomas

Fred Tompkins, BearingPoint

Don Warren, Rutgers University

Dominique Vincenti, CIA, The IIA

Mark Winn, Intrusec

Amit Yoran

234 IIA International Affiliates

Frank Alvern CIA CCSA Nordea Bank Norway

Alexandre Alves Apparecido Brazil

Dror Aviv Israel

David F Bentley England UK and Ireland

Gerardo Carstens CIA IIA Argentina

Richard Cascarino South Africa

Iftikhar Chaudry Pakistan

Hisham T El Gindy Manager KPMG Hazem Hassan Egypt

Dr Ulrich Hahn CIA Switzerland

Rossana S Javier Makati City Philippines

Andras Kovacks Hungary

Christopher McRostie Australia

Furqan Ahmad Saleem Partner Avais Hyder Nauman Rizwani RSM Pakistan

Kyoko Shimizu CIA Japan

John Silltow Security Control and Audit Ltd United Kingdom

Ken Siong International Federation of Accountants

Anton van Wyk PwC South Africa

Nick Wolanin Adjunct Senior Lecturer Australian Graduate

Julie Young Australia

235 Other International

Carolee Birchall Vice President and Senior Risk Officer Bank of Montreal Canada

P J Corum Quality Assurance Institute Middle East and Africa United Arab Emirates

Ariel Peled President ISSA Israeli Chapter

P Shreekanth India

Karen Woo Selangor Malaysia

236 IIA International Advanced Technology Committee

Anton van Wyk (Chairman) CIA PricewaterhouseCoopers South Africa

Alexandre Alves Apparecido Brasil Telecom Brazil

Ken D Askelson CIA JC Penney Co Inc USA

Dror Aviv CFSA IIA Israel

Donald L Bailey Grant Thornton LLP USA

EW Sean Ballington PricewaterhouseCoopers LLP USA (originally South Africa)

Norman F Barber Microsoft Corp USA

David F Bentley QiCA Consultant England

Claude Cargou GIE AXA France

Michael P Fabrizius CIA Bon Secours Health System Inc USA

Ramiz Tofigi Ganizade Azerbaijan Republic Chamber of Auditors Azerbaijan

Douglas Guerrero EDS Corp USA

Dr Ulrich Hahn CIA Syngenta International Switzerland

David J Hill IBM Corp USA

Michael S Hines CIA Purdue University USA

Mark J Hornung Ernst & Young LLP USA

Gene Kim CTO Tripwire Inc USA

David S Lione KPMG LLP Southeast Region USA

Peter B Millar ACL Services Ltd Canada

Allan M Newstadt CIA World Bank/International Finance Corp USA

Brenda J S Putman CIA City Utilities of Springfield USA

GTAG — Appendix L — GTAG Partners and Global Project Team — 23


Kyoko Shimizu CIA Shin Nihon & Co Japan

Brian M Spindel CIA SecurePipe Inc USA

Rajendra P Srivastava University of Kansas USA

Jay Stott CIA Fidelity Investments USA

Jay R Taylor CIA CISA CFE General Motors Corp USA

Thomas Jason Wood CIA Ernst & Young LLP USA

Akitomo Yamamoto IIA Japan

237 The Writing Team

David A Richards CIA President The IIA

Alan S Oliphant MIIA QiCA MAIR International

Charles H Le Grand CIA CHL Global

238 IIA Headquarters Staff Production Team

Michael Feland

Trish Harris

Tim McCollum

Information Technology Controls

This guide focuses on how IT roles and responsibilities are dispersed throughout the organization, how accurate assessment of IT controls is achieved, and how an organization can promote IT reliability and efficiency.

What is GTAG?

Prepared by The Institute of Internal Auditors, each Global Technology Audit Guide (GTAG) is written in straightforward business language to address a timely issue related to information technology management, control, or security. GTAG is a ready resource series for chief audit executives to use in the education of members of the board and audit committee, management, process owners, and others regarding technology-associated risks and recommended practices.

Business Continuity Management

This GTAG focuses on how business continuity management (BCM) is designed to enable business leaders to manage the level of risk the organization could potentially encounter if a natural or man-made disruptive event that affects the extended operability of the organization were to occur. The guide includes disaster recovery planning for continuity of critical information technology infrastructure and business application systems.

Chief audit executives (CAEs) have been challenged to educate corporate executives on the risks, controls, costs, and benefits of adopting a BCM program. Although it is true that recent disasters around the world have motivated some corporate leaders to give attention to BCM programs, the implementation of such programs is far from universal. The key challenge is engaging corporate executives to make BCM a priority. Although most executives are likely to agree that BCM is a good idea, many will struggle to find the budget necessary to fund the program, as well as an executive sponsor that has the time to ensure its success. Business Continuity Management will help the CAE communicate business continuity risk awareness and support management in its development and maintenance of a BCM program.

Visit www.theiia.org/guidance/technology/gtag/gtag10 to rate this GTAG or submit your comments.

Order Number 100645
IIA Member US $25
Nonmember US $30
IIA Event US $22.50

www.theiia.org

ISBN 0-89413-570-8
ISBN 978-0-89413-623-8
