Pemeriksaan Sistem Informasi dalam Kerangka Information System Governance

Learning Objectives
1. 2. 3. 4. 5.

IT Governance: IT Audit role Information System Strategy Policies and Procedures Risk Management IS Management Practices

IT Governance: IT Audit role

y

To provide leading practice recommendations to senior management to help improve the quality and effectiveness Ensure compliance with IT governance initiatives implemented within an organization Ensure a qualitative assessment that subsequently facilitates the qualitative improvement

Aspects Related to IT governance Need to be Assessed

y

Alignment of the IS function with the organization's mission, vision, values, objectives and strategies Achievement of performance objectives established by the business (e.g., effectiveness and efficiency) by the IS function Legal, environmental, information quality, fiduciary, security, and privacy requirements The control environment of the organization The inherent risks within the IS environment
4

Information System Strategy - Strategic Planning y

Long-term direction an organization wants to take in leveraging information technology for improving its business processes Identifying cost-effective IT solutions in addressing problems and opportunities that confront the organization Developing action plans for identifying and acquiring needed resources Ensure that the plans are fully aligned and consistent

Information System Strategy - Effective IT Strategic Planning y

Determine whether expansion or improvement Not just the delivery of new systems and technology Returns being achieved from investment Spending on existing IT systems, infrastructure and support services accounts for 85 percent or more of total annual IT spending To support the business strategies
6

Information System Strategy - Steering Committee y

Review the long- and short-range plans of the IS department to ensure that they are in accordance with the corporate objectives. Review and approve major acquisitions of hardware and software within the limits approved by the board of directors. Approve and monitor major projects and the status of IS plans and budgets, establish priorities, approve standards and procedures, and monitor overall IS performance.

Information System Strategy - Steering Committee y

Review and approve sourcing strategies for select or all IS activities, Review adequacy of resources and allocation of resources in terms of time, personnel and equipment. Make decisions regarding centralization vs. decentralization and assignment of responsibility. Support development and implementation of an enterprisewide information security management program. Report to the board of directors on IS activities.

Policies
y

High-level documents Corporate philosophy of an organization and the strategic thinking of senior management and business process owners Clear and concise Set the tone for the organization as a whole Top-down and bottom-up approach Should review all policies periodically
9

Policies
y

Need to be updated Must support achievement of business objectives and implementation of IS controls Must be responsive to the needs of the customers Policies are a part of the audit process Test the policies for compliance

10

Policies - Information Security Policy y

Communicates a coherent security standard to users, management and technical staff The security policy must be approved by senior management, and should be documented and communicated The adequacy and appropriateness of the security policy could also be an area of review for the IS auditor Provides management the direction

11

Policies - Information Security Policy Document y

A definition of information security A statement of management intent, goals, and principles Framework for setting control objectives and controls, risk assessment, and risk management Security policies General and specific responsibilities for information security management, including reporting information security incidents References to documentation

12

Policies - Information Security Policy Document y

Addressing :
Statements on confidentiality, integrity and availability Classifications, levels of control Information resources Parameters and usage of desktop Defining and granting access to users to various IT resources
13

Policies - Review of the Information Security Policy y

Input : Feedback from interested parties Results of independent reviews Status of preventive, detective and corrective actions Results of previous management reviews Process performance and information security policy compliance Changes that could affect the organization's approach to managing information security, including changes to the organizational environment; business circumstances; resource availability; contractual, regulatory and legal conditions; or technical environment Usage of the consideration of outsourcers or offshore of IT or business functions Trends related to threats and vulnerabilities

14

Policies - Review of the Information Security Policy y

Input : Usage of the consideration of outsourcers or offshore of IT or business functions Trends related to threats and vulnerabilities Reported information security incidents Recommendations provided by relevant authorities Output : Improvement of the organization's approach to managing information security and its processes Improvement of control objectives and controls Improvement in the allocation of resources
15

Procedures
y y y

Detailed steps Implement the spirit Clear and concise manner

16

Risk Management - Definition The process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives and deciding what countermeasures (safeguards or controls), if any, to take in reducing risk to an acceptable level (i.e., residual risk), based on the value of the information resource to the organization.
17

Risk Management - Managements Action y

Avoide.g., where feasible, choose not to implement certain activities or processes that would incur risk (i.e., eliminate the risk by eliminating the cause) Mitigatee.g., lessen the probability or impact of the risk by defining, implementing, and monitoring appropriate controls Transfer (deflect, or allocate)e.g., share risk with partners or transfer via insurance coverage, contractual agreement, or other means Accepti.e., formally acknowledge the existence of the risk and monitor it
18

Developing a Risk Management Program

y

Establish the purpose of the risk management program Assign responsibility for the risk management plan

19

Risk Management Process

y

The identification and classification of information resources or assets that need protection, such as : Information and data Hardware Software Services Documents Personnel To assess threats and vulnerabilities associated with the information resource and the likelihood of their occurrence
20

 Vulnerability

Lack of user knowledge Lack of security functionality Poor choice of passwords Untested technology Transmission of unprotected communications Errors Malicious damage/attack Fraud Theft Equipment/software failure
Direct loss of money (cash or credit) Breach of legislation Loss of reputation/goodwill Endangering of staff or customers Breach of confidence Loss of business opportunity Reduction in operational efficiency/performance Interruption of business activity
21

Threats

Losses

IS Management Practice
y y y

Human Resource Management Sourcing Practices Third-Party Services

22

Human Resource Management

Hiring y Employee handbook y Promotion policies y Training y Scheduling and time reporting y Employee performance evaluations y Required vacations y Termination policies
y
23

Sourcing Practices
y

Delivery of IS functions can include insourced, outsourced, and hybrid Consideration for method of delivering IS function : Is this a core function for the organization? Does this function have specific knowledge, processes and staff critical to meeting its goals and objectives, and that cannot be replicated externally or in another location? Can this function be performed by another party or in another location for the same or lower price, with the same or higher quality, and without increasing risk? Does the organization have experience managing third parties or using remote/offshore locations to execute IS or business functions?
24

Outsourcing Practices and Strategies

y

Reasons for embarking on outsourcing include : A desire to focus on core activities Pressure on profit margins Increasing competition that demands cost savings Flexibility with respect to both organization and structure The services provided by a third party can include : Data entry Design and development of new systems Maintenance of existing applications Conversion of legacy applications to new platforms Operating the help desk or the call center Operations processing
25

Outsourcing Practices and Strategies

Possible advantages of outsourcing include : y Achieve economies of scale through the deployment of reusable component software. y To be able to devote more time and focus more effectively and efficiently on a given project than in-house staff. y To have more experience with a wider array of problems, issues and techniques than in-house staff. y The act of developing specifications and contractual agreements using outsourcing services is likely to result in better specifications than if developed only by in-house staff. y As vendors are highly sensitive to time-consuming diversions and changes, feature creep or scope creep is substantially less likely with outsourcing vendors.
26