Ensuring Consistency in Security Practices through Strong IT Governance
Eileen Healy – Enterprise Risk Services Director
B.Comm, MBS, CISSP, CISA, ACA
Email: [email protected]
Mobile: 086 164 3082
@IsacaIreland
ISACA Ireland Chapter
[email protected]
Presentation Overview
• Why is consistency important?
• Where do we observe inconsistent practices?
• What is Governance and IT Governance – how can this help?
• What standards exist to support the implementation of Strong IT Governance?
© 2015 Deloitte & Touche. All rights reserved
Why is Consistency important?
• Consistency is synonymous with reliability and stability
• Consistency provides greater assurance that confidential information is handled securely
• Consistency provides customers and stakeholders with confidence in how you manage information security risk
• Consistency in practices mitigates the risk that breaches will occur
• Consistency in dealing with breaches minimises the financial and reputational damage
• Consistency maximises the likelihood of meeting all regulatory and legal obligations as well as ensuring sound and robust security practices are implemented to enable and support business delivery
Risk Management; Compliance; Quality Assurance
Customer Satisfaction; Competitive advantage
Some key areas of Inconsistency
• Inconsistency between organisations, between divisions, between departments and between practitioners!!
• System Development/Change Control – Integrity is a key component of security
• Access to Production Environments including those managed by third parties
• Implementation of Data Protection requirements around personal data
• Lack of clarity on data governance
• Multiple access administration and provisioning systems
• Inconsistent approach to role/authorisation management
• Authentication standards – application, database, network level – user versus privileged access
• What and how much to audit?
Governance – Who, What and When?
Governance versus Management
(Diagram) Governance: Board of Directors, Risk Committee, Audit Committee. Management: Executive Management Team, Wider Management Group. Assurance: Internal Audit, Embedded Risk Management, Independent (Re)Assurance.
Importance of Governance - Specifically IT Governance
• Governance – the systems by which organisations are directed and controlled
• Board responsibility – sometimes delegated to committees
• Management execute, action and report
• Well governed organisations aim to achieve strategic objectives while operating with honesty, integrity and other key principles of good governance.
• Tone at the Top!
• Policies are important – often only become a top line agenda item when something goes wrong!
• Implemented through clear and consistent standards and procedures
• More than just IT - Most breaches are caused by human error!
What is IT Governance?
Definition: IT governance (ITG) is defined as the processes that ensure the effective and efficient use of IT in enabling an organization to achieve its goals.
www.gartner.com/it-glossary/it-governance/
Benefits:
• Aid in strategically aligning IT with the organizational goals and strategy
• Raise the profile of IT
• Aid in project and portfolio management
• Reduce IT risk
• Aid in IT strategic planning
• Aid in performance measurement
• Aid in embedding IT into the organization’s culture
• Aid in demand management (demand for IT’s services by other departments)
• Optimize IT operations
Standards which support Strong IT Governance
• COBIT – IT Governance Framework
• ISO/IEC 27002:2013 - Information security management
COBIT
• COBIT 5 - Comprehensive Framework for the Governance and Management of Enterprise IT
• Principles include:
  • Separating Governance from Management
  • Enabling a Holistic Approach
  • Covering the Enterprise End to End
• Professional guides include:
  • COBIT 5 for Information Security
http://www.isaca.org/cobit/pages/default.aspx
ISO 27000
• ISO/IEC 27002:2013: Information Technology – Security Techniques – Code of Practice for Information Security Management
ISO/IEC 27002:2013
(Diagram) ISO/IEC 27002 Standards – control areas:
• Business Continuity Management
• Supplier relationships
• Risk Management
• Organisation of information security
• Information security policies
• Physical and Environmental Security
• Asset Management
• Human Resource Security
• Operations Security
• Access Control
• Compliance
• Communications Security
• Information Security Incident Management
• Cryptography
• Acquisition, Development and Maintenance
Closing Comments
• Consistency in practice is important
• Minimise likelihood and impact of a security breach
• Strong IT Governance required from Top Down
• Tone at the Top is important
• Policies are important
• There are lots of resources from which to draw, and assistance is available
Questions?
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/ie/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms.

With nearly 2,000 people in Ireland, Deloitte provide audit, tax, consulting, and corporate finance to public and private clients spanning multiple industries. With a globally connected network of member firms in more than 150 countries, Deloitte brings world-class capabilities and high-quality service to clients, delivering the insights they need to address their most complex business challenges. With over 210,000 professionals globally, Deloitte is committed to becoming the standard of excellence.

This publication contains general information only, and none of Deloitte Touche Tohmatsu Limited, Deloitte Global Services Limited, Deloitte Global Services Holdings Limited, the Deloitte Touche Tohmatsu Verein, any of their member firms, or any of the foregoing’s affiliates (collectively the “Deloitte Network”) are, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your finances or your business. Before making any decision or taking any action that may affect your finances or your business, you should consult a qualified professional adviser. No entity in the Deloitte Network shall be responsible for any loss whatsoever sustained by any person who relies on this publication.