Aligning Controls with the Organization's Business Objectives

IT governance provides structure to functions and processes within the IT organization. Because of the critical dependency of business on its information systems, the governance structure must ensure that the IT organizational strategy is aligned with the business strategy. The implementation of the IT strategy will help ensure that IT processes contain the necessary controls to reduce risk to the organization and its business objectives. IT resources should be used responsibly, and IT risks should be managed appropriately.

Steering Committee

The organization should have an IT steering committee to ensure that the IS department's strategy directly aligns with the organization's corporate mission and objectives and that IT resources are used efficiently. The IT steering committee is a formal body usually composed of senior managers representing the business areas, with duties outlined in a charter. The charter outlines what authority and responsibilities are assigned to the committee and is a strong indicator that senior management supports the steering committee. One of the functions of the IT steering committee is to keep detailed minutes of its meetings, to document both the procedural functions of the committee and its decisions. The committee is responsible for ensuring that the organization's leadership (board of directors and senior management) is informed in a timely manner via the minutes and additional reporting, if required. Although the committee is responsible for reviewing issues such as new and ongoing projects, major equipment acquisitions, and the review and approval of budgets, it does not usually get involved in the day-to-day operations of the IS department. The IT steering committee uses project plans, work breakdown structures, and policies/procedures to review the alignment of the IT department with the organizational mission.
Generally, the IT steering committee meets one to two times per month in a formal meeting at which the head of the IT department and project managers present their progress on major projects, propose new projects and policies, or refine procedures. The lack of a formal, chartered IT steering committee could be an indication that the IT department is not correctly aligned with the organization's strategy. In the absence of an IT steering committee, the auditor might find that projects do not support the mission of the organization; that they are not on time or on budget, usually because of the lack of external controls; and that policies are outdated or not communicated or followed consistently throughout the organization. The auditor might also find situations in which an IT steering committee is present but, because of the lack of a formal charter or direction from the organization's senior managers, members are unclear about their duties or level of authority. In both of these situations, the IT steering committee is not ensuring the efficient use of data-processing resources, examining costs associated with projects, or setting priorities for the IT department. IT steering committee meetings should focus on alignment and should refrain from becoming involved in the operational details of the IS department.

Strategic Planning

Organizations should have processes for the development and review of strategic plans. Strategic plans ensure that the organization meets its goals and objectives and, if properly reviewed, reflect the current direction of the organization and its business units, including the IS department. The strategic-planning process should involve senior management, to ensure that the plan addresses the established goals and objectives, and should include a review process that enables the organization to update or change the strategic plan when goals or objectives change.
Strategic plans should incorporate both long-term (three to five years) and short-term (one to two years) strategic objectives of the organization, and are the responsibility of senior management. When auditing the IS strategic-planning process and its implementation, the auditor should review overall goals and business plans but should not focus on procedures. Reviewing management's long-term strategic plans helps the IS auditor gain an understanding of the organization's goals and objectives. The IS policies, procedures, standards, and guidelines are all implemented to support the overall strategic plan. Policies and procedures reflect the actual operational implementation of the strategic plan and should have a formal process for creation, communication, and review. Although most organizations have policies in place, they are often "shelfware," meaning that they are created once, generally communicated to new employees, and then put on the shelf. The danger with this approach is the lack of ongoing review of policies and procedures to ensure that they align with the strategic plan. This leads to instances in which employees are not aware of the policies and procedures that apply to their day-to-day work. A review of the strategic plan, policies, procedures, and observations will identify whether there is correct alignment within the organization. Further review of, and questions about, who owns strategic planning and policy creation/implementation, and how often plans are reviewed or updated, will indicate the presence or absence of a formal process.

Organizational Structure

IT departments should have a clearly defined structure that outlines authority and responsibility and defines the hierarchical structure. This structure is usually documented in an organization chart, which helps the IS auditor determine whether there is proper segregation of functions.
In addition, each employee should have a job description that provides a detailed outline of the job function and the tasks associated with that function. Per ISACA, segregation of duties avoids the possibility that a single person could be responsible for diverse and critical functions in such a way that errors or misappropriations could occur and not be detected in a timely manner in the normal course of business processes. The structure of the IT department and its responsibilities could change slightly based on the goals of the organization, but Figure 1.1 shows ISACA's outline of an organizational structure and descriptions of the functions.

Figure 1.1. The outline of an organizational structure.

To maintain proper control of IT projects, including the acquisition, design, implementation, and maintenance of the IT infrastructure, the IT department should implement the following disciplines:
We discuss these disciplines in further detail throughout the book, but it is important to note that they might fall within a single group or be used across operational groups to efficiently manage IT resources.

IT Department Head

The department is headed by an information technology manager/director or, in larger organizations, by a chief information officer. The head of the IT department is responsible for the overall operation of the IT department, including budget authority; hiring, training, and retaining qualified people; and alignment of IT as a service organization, to ensure that the organization can meet its strategic objectives and operational goals.

Security Department

The security department is enabled through senior management's understanding of risk and application of the resources to mitigate risk. The security department's functions are guided by policies and procedures and should remain separate from IT functions. The security administrator should report directly to the head of the security department or, in some cases, to the board of directors. This person is responsible for ensuring that users comply with the security policy and that the policy is adequate to prevent unauthorized access to company assets (including intellectual property, data, programs, and systems).

Quality Assurance

Quality-assurance personnel usually perform two functions. First, they ensure that all personnel are following quality processes. For example, QA personnel ensure that the IT department adheres to standards and procedures for IP addressing conventions. Second, quality-control personnel are responsible for testing and review, to verify that software is free of defects and meets user expectations. All functional and operational testing is performed as part of the SDLC and must be complete before systems go into production.
Applications

The applications function is divided into two categories. Systems programmers are responsible for maintaining operating systems and systems software. Application programmers are responsible for developing new systems and maintaining applications that are in production. In keeping with proper segregation of duties, managers must ensure that application programmers use a test-only code library while creating and updating code, and that they do not have access to production programs. The test-only programs should be reviewed and put into production by a separate group. Systems programmers need access to entire systems, so management should use compensating controls such as access and change logs to monitor them and ensure that they access only the system libraries for which they are responsible. A compensating control reduces the risk associated with a control that is not adequate on its own. Another example of a compensating control concerns the risk of unauthorized viewing of sensitive data. Although access controls are in place, there is a possibility that unauthorized users might still view sensitive data. To compensate for the limitations of access controls, additional controls can be added:
Systems analysts are involved during the initial phase of the systems-development life cycle and ensure that the needs of users are incorporated into the system or application requirements and high-level design documents.

Data Management

The database administrator (DBA) is responsible for defining data structures and for maintaining those structures in the organization's database systems. The DBA acts as a data custodian by ensuring that database design, structure, relationships, and maintenance support the needs of the organization and its users, and by maintaining the quality and security of data. The DBA generally has access to all of the organization's data, both test and production. Although it is not practical to prohibit this access, management should implement compensating controls to monitor DBA activities. These controls can include using access logs, logging structural changes to databases, and applying detective controls over the use of database tools.

Technical Support

Technical support personnel fall into three categories. The first and most common are the help desk technicians. The help desk is responsible for assisting end users with problems or issues with desktops or workstations, and its personnel frequently participate in configuring and deploying new equipment, operating systems, and applications. Network administrators are responsible for the network infrastructure, which includes routers, switches, and firewalls. They are also responsible for the performance of the network, as well as redundancy, proper network segmentation, and backups of critical systems. In smaller organizations, network administrators might be responsible for security administration of the systems, including firewall configuration, access control, and authorization activities. Systems administrators are responsible for maintaining the systems that provide services to the organization. These can include file/print sharing, email, and virus prevention and detection.
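The Applications and Data Management sections above both rely on the same detective compensating control: privileged staff keep broad access, and management reviews access and change logs afterwards to confirm that the access stayed within assigned responsibility. The following is an added example of such a log review, written for this edition and not taken from the book or from ISACA material. It assumes a constructed log format (actor, role, action, target, optional change ticket), a constructed map of which systems programmer owns which system library, a constructed set of approved change tickets, and the convention that production objects carry a PROD. prefix; all of these are illustrative assumptions.

```python
"""Detective compensating control: review privileged-activity logs for
segregation-of-duties violations.

Added example (not from the book). The log format, library ownership map,
approved ticket list and the PROD. naming convention are all constructed
assumptions for illustration.
"""
from dataclasses import dataclass
from collections import Counter


@dataclass(frozen=True)
class LogEntry:
    actor: str
    role: str          # "sysprog", "appdev", "dba" or "release"
    action: str        # "modify", "promote", "ddl" or "read"
    target: str        # system library, program library or database object
    ticket: str = ""   # change ticket recorded by the tool, if any


# Constructed authorization data: what management says each person may do.
LIBRARY_OWNERS = {
    "SYS1.LINKLIB": {"alice"},
    "SYS1.PARMLIB": {"alice"},
    "NET.CONFIG": {"bob"},
}
APPROVED_TICKETS = {"CHG-1001", "CHG-1002"}
PRODUCTION_PREFIX = "PROD."  # assumed naming convention for production objects


def check(entry):
    """Return the list of rule violations for one log record (empty if clean).

    Rules follow the text: systems programmers touch only their own libraries;
    application programmers never touch production and never promote their own
    code; DBA structural (DDL) changes must be tied to an approved ticket.
    """
    reasons = []
    if entry.role == "sysprog" and entry.action == "modify":
        if entry.actor not in LIBRARY_OWNERS.get(entry.target, set()):
            reasons.append("systems programmer modified a library outside assigned responsibility")
    if entry.role == "appdev" and entry.target.startswith(PRODUCTION_PREFIX):
        reasons.append("application programmer accessed a production program")
    if entry.role == "appdev" and entry.action == "promote":
        reasons.append("developer promoted own code; promotion belongs to a separate group")
    if entry.role == "dba" and entry.action == "ddl" and entry.ticket not in APPROVED_TICKETS:
        reasons.append("structural database change without an approved change ticket")
    return reasons


def review(entries):
    """Run check() over a log and return (entry, reasons) for each violating record."""
    findings = []
    for entry in entries:
        reasons = check(entry)
        if reasons:
            findings.append((entry, reasons))
    return findings


def summarize(findings):
    """Count findings per actor, the figure a reviewer would report to management."""
    return Counter(entry.actor for entry, _ in findings)


# Constructed sample log covering in-scope and out-of-scope activity.
SAMPLE_LOG = [
    LogEntry("alice", "sysprog", "modify", "SYS1.PARMLIB"),             # her own library
    LogEntry("alice", "sysprog", "modify", "NET.CONFIG"),               # bob's library
    LogEntry("carol", "appdev", "modify", "TEST.PAYROLL.SRC"),          # test library, expected
    LogEntry("carol", "appdev", "modify", "PROD.PAYROLL.LOAD"),         # production access
    LogEntry("carol", "appdev", "promote", "TEST.PAYROLL.SRC"),         # promoted own code
    LogEntry("dave", "release", "promote", "TEST.PAYROLL.SRC", "CHG-1001"),  # separate group
    LogEntry("erin", "dba", "ddl", "PAYROLL.EMPLOYEE", "CHG-1002"),     # approved change
    LogEntry("erin", "dba", "ddl", "PAYROLL.SALARY"),                   # no ticket
    LogEntry("erin", "dba", "read", "PAYROLL.SALARY"),                  # read access is expected
]

if __name__ == "__main__":
    for entry, reasons in review(SAMPLE_LOG):
        print(f"{entry.actor:6} {entry.action:8} {entry.target:20} -> {'; '.join(reasons)}")
    print("findings per actor:", dict(summarize(SAMPLE_LOG and review(SAMPLE_LOG))))
```

The review does not block anything; like the logs it reads, it only detects after the fact, which is what makes it a compensating rather than a preventive control. Because the rules are keyed on role, the same review catches the two cases the text separates (systems programmers' library scope, and DBA structural changes) without a separate script for each.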
The administrator can add or remove users (set up user accounts), grant access to resources, install system-wide software, and allocate storage.

Operations

The operations group is responsible for computer operations and usually includes computer operators, librarians, and data entry operators. A majority of the organization's information, or input/output, is handled by the operations group; its work can include data input, report generation, data output via magnetic media, and scheduling of operations activities.