Guidance to Validate Internal Control Assertions in Indian Financial Reporting

TABLE OF CONTENTS

Acknowledgements
Section 1 Executive Summary
  Need for This Publication
  Objective Statement
  Identified Stakeholders
  An Introduction to This Document
  Benefits Derived From This Document
  Approach to This Publication
  An Example of How to Read the Document
  References for the Publication
Section 2 Detailed Publication
  Definitions
  Chapter 1 - Governance and Risk Management in India
    Regulatory Requirements to Comply With Indian Regulations
    Governance
    Risk Management
    Assurance
    Information Technology Act, 2000 (as Amended by Information Technology Amendment Act, 2008)
    Summary
  Chapter 2: Introduction to COBIT
  Chapter 3 How COBIT 5 Can Be Used to Comply With Governance
    Stakeholder 1 Board of Directors
    Stakeholder 2 - Management
    Stakeholder 3 Auditor
    Summary
Section 3 Checklists
  Checklist 1 General Checklist for Governance
  Checklist 2 General Checklist for Risk Management
  Checklist 3 General Checklist Audit and Assurance
  Checklist 4 Compliance With the Data Protection Areas of IT Act
  Checklist 5 Sample Checklist for the Auditor to Gain Assurance on the Controls That Are in Place to Protect Personally Identifiable Information

ISACA

With more than 115,000 constituents in 180 countries, ISACA ( helps business and IT leaders build trust in, and value from, information and information systems. Established in 1969, ISACA is the trusted source of knowledge, standards, networking, and career development for information systems audit, assurance, security, risk, privacy and governance professionals. ISACA offers the Cybersecurity Nexus, a comprehensive set of resources for cybersecurity professionals, and COBIT, a business framework that helps enterprises govern and manage their information and technology. ISACA also advances and validates business-critical skills and knowledge through the globally respected Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified in the Governance of Enterprise IT (CGEIT) and Certified in Risk and Information Systems Control (CRISC) credentials. The association has more than 200 chapters worldwide.

Disclaimer

This book is not intended to, and does not, provide legal, technical or other advice on compliance or related matters. Every entity or individual using this book should seek expert technical, legal or other advice as appropriate to its respective needs and circumstances. ISACA, its office bearers, its advisors/consultants, the authors, the reviewers and other persons associated with the writing, reviewing, printing or publication of this book do not guarantee or warrant the accuracy, adequacy, completeness or suitability of the content of this publication and they hereby disclaim any and all responsibility or liability for damages incurred as a result of the content contained herein. They also hereby disclaim any responsibility or liability whatsoever for the consequences of the use of this book by any person or entity. Courts in Cook County, state of Illinois, USA, alone shall have jurisdiction relating to any lawsuits pertaining to this book.

The opinions and views expressed in Guidance to Validate Internal Control Assertions in Indian Financial Reporting are solely those of the authors of this publication, as a practical application and implementation of COBIT 5 principles and good practices. The opinions and views of the authors do not necessarily reflect those of ISACA.

Reservation of Rights

2014 ISACA. All rights reserved. No part of this publication may be used, copied, reproduced, modified, distributed, displayed, stored in a retrieval system or transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise) without the prior written authorization of ISACA. Reproduction and use of all or portions of this publication are solely permitted for academic, internal and noncommercial use and for consulting/advisory engagements, and must include full attribution of the material's source. No other right or permission is granted with respect to this work. This text uses relevant ISACA publications with permission.

ISACA
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL USA
Phone:
Fax:
[email protected]
Web site:

ISACA and COBIT are registered trademarks of ISACA.

Participate in the ISACA Knowledge Center:
Follow ISACA on Twitter:
Join ISACA on LinkedIn: ISACA (Official),
Like ISACA on Facebook:

ACKNOWLEDGMENTS

ISACA Wishes to Recognize:

The ISACA India Task Force
Chairman, Mr. S.V. Sunder Krishnan, CISA, Reliance Life Insurance Company Ltd., Mumbai, India
Mr. Avinash W. Kadam, CISA, CISM, CGEIT, CRISC, CISSP, CSSLP, GSEC, GCIH, CBCP, MBCI, PMP, CCSK, COBIT 5 Approved Trainer Foundation, Advisor, ISACA's India Task Force
Mr. Sunil Bakshi, CISA, CISM, CGEIT, CRISC, CISSP, PMP, CeHv6, ISO 27001:2005 LA, ISO LA, Freelance consultant and trainer, Pune, India
Mr. Anil Bhandari, CISA, CIA, DISA, AICWA, FCA, ANB Consulting Co., Mumbai, India
Mr. Madhav Chablani, CISA, CISM, TippingEdge Consulting Pvt. Ltd, New Delhi, India
Mr. Sandeep Godbole, CISA, CISM, CGEIT, Syntel, Pune, India
Mr. Niraj Kapasi, CISA, Kapasi Bangad Tech Consulting Pvt, Ltd., Hyderabad, India
Mr. Vaibhav Patkar, CISA, CISM, CRISC, CGEIT, Sutherland, Mumbai, India
Mr. Vittal Raj, CISA, CISM, CGEIT, Kumar and Raj, Chennai, India
Mr. Raghavendra Rao Hulgeri, CISA, Oracle Financial Services Software Ltd., Bangalore, India

Project Coordinator and Advisor
Mr. S.V. Sunder Krishnan, CISA, Reliance Life Insurance Company Ltd., Mumbai, India

Content Development Team
Mr. Anand Prakash Jangid, CISA, CISM, CFE, ACA, Quadrisk Advisors, Bangalore, India
Mr. Rajiv Gupta, CISA, CFE, ACA, Coca-Cola India
Ms. Vishakha Chhawchharia, CISA, ACA, Quadrisk Advisors, Bangalore, India
Mr. Amarnath Daga, CISA, ACA, Quadrisk Advisors, Bangalore, India
Mr. Bharath Rao B, CeHv8, Quadrisk Advisors, Bangalore, India
Mr. Anish Jain, ACA, Quadrisk Advisors, Bangalore, India
Ms. Shefalika Sahu, ACA, Quadrisk Advisors, Bangalore, India
Mr. Firoz Attarwala, ACA, Quadrisk Advisors, Bangalore, India

Expert Reviewers
Mr. Abdul Rafeq, CISA, CGEIT, CIA, FCA, A. Rafeq and Associates, India
Mr. S.V. Sunder Krishnan, CISA, Reliance Life Insurance Company Ltd., Mumbai, India
Mr. Avinash W. Kadam, CISA, CISM, CGEIT, CRISC, CISSP, CSSLP, GSEC, GCIH, CBCP, MBCI, PMP, CCSK, COBIT 5 Approved Trainer Foundation, Advisor, ISACA's India Task Force
Mr. Sunil Bakshi, CISA, CISM, CGEIT, CRISC, CISSP, PMP, CeHv6, ISO 27001:2005 LA, ISO LA, Freelance consultant and trainer, Pune, India
Mr. Madhav Chablani, CISA, CISM, TippingEdge Consulting Pvt. Ltd, New Delhi, India
Mr. Niraj Kapasi, CISA, Kapasi Bangad Tech Consulting Pvt, Ltd., Hyderabad, India
Mr. Vittal Raj, CISA, CISM, CGEIT, Kumar and Raj, Chennai, India
Mr. Shrikant Patil
Mr. Shashikant Shirahatti

SECTION 1 EXECUTIVE SUMMARY

NEED FOR THIS PUBLICATION

As a part of "Management's Responsibility for Financial Statements", executive management of Indian companies assert to their stakeholders the relevance of "the design, implementation and maintenance of internal controls" for the preparation and presentation of financial statements that need to give a true and fair view of financial position on a particular date and of performance for the relevant period. Financial statements need to be devoid of any material misstatements, whether due to fraud or error. This responsibility is an onerous one. Under Section 211 (7) of the Indian Companies Act, 1956, in the event that a company fails to take all reasonable steps to secure compliance, the willful negligence may be punishable with imprisonment for a term which may extend up to six months, or a fine which may extend to ten thousand rupees, or with both imprisonment and a fine. The new Companies Act, 2013 has not only emphasized the above requirements, but has also upped the ante by increasing the number of corporate governance and risk management requirements.

This publication is aimed at solving the problems of C-level executives of various Indian enterprises signing financial statements and committing to assertions on internal controls. This publication guides the board, management and auditors in complying with the corporate governance and internal control requirements arising out of Clause 49 of the Listing Agreement of the Securities and Exchange Board of India (SEBI) and the new Companies Act, 2013 using ISACA's COBIT 5 framework.

With the changing times, there is also a need for greater accountability of companies to their shareholders and customers. A need for governance arises from the separation of management from ownership. For a firm's success, companies need to concentrate on both economic and social aspects. Companies need to be fair with producers, shareholders, customers, etc., and have various responsibilities toward employees and communities. Companies need to serve their responsibilities in all aspects. There are several important issues in governance, and they play a great role. All the issues are inter-related and interdependent. Each of the issues connected with governance has different priorities in each of the corporate bodies. The issues are:
1. Value-based corporate culture
2. Holistic view
3. Compliance with laws
4. Disclosure, transparency, and accountability
5. Governance and human resource management
6. Innovation

Corporate scandals, internally or at other companies, have shed light on the need to manage strategically in an effort to avoid such catastrophes that often leave executives unemployed. Many executives believe that risks are higher than ever before. However, they are unsure about how to manage them; therefore, many executives are welcoming risk management plans and infrastructures. Finally, companies have learned that managing risk correctly can lead to increased shareholder value. Companies are hoping to shift from a simple control process to a value creation process using an enterprisewide approach. The concept of governance hinges on total transparency, integrity and accountability of management and the board of directors. The importance of governance, along with efficient risk management, lies in its contribution both to business prosperity and to accountability.

OBJECTIVE STATEMENT

This publication is aimed at solving the problems of C-level executives of various Indian enterprises signing financial statements and committing to assertions on internal controls. This publication guides the board, management and auditors in complying with the corporate governance and internal control requirements arising out of Clause 49 of the Listing Agreement of the Securities and Exchange Board of India (SEBI) and the new Companies Act, 2013 using ISACA's COBIT 5 framework.

IDENTIFIED STAKEHOLDERS

This publication is targeted at the following audience, as their roles are the most crucial in developing, maintaining and evaluating governance. COBIT 5 is a business framework for the governance and management of enterprise IT, and hence their roles are restricted to the areas in which IT information is present.
- Board of directors
- Management
  o Chief executive officer (CEO)
  o Chief financial officer (CFO)
  o Chief information officer (CIO)
  o Chief risk officer (CRO)
  o Chief information security officer (CISO)
- Auditors (external and internal)

AN INTRODUCTION TO THIS DOCUMENT

Today, there is a growing dialogue among stakeholders about governance and how it should evolve to cope with the increasingly dynamic and global nature of capital markets. This dialogue is taking place against a background of legislative and regulatory change. There has been a significant increase in the scope of audit and other internal control and risk management, along with increased public scrutiny. It is only with dialogue and active participation of all stakeholders that the appropriate balance can be reached between:
- Strengthened central controls and fast local responsiveness
- Effective risk management and the enduring need for innovation
- The costs of compliance with the new governance regulation and the value it brings

The following factors disrupt the normal operations of the company.

Internal Factors

The Board of Directors/Management
The board advises the company's CEO, who runs the daily operations, and reviews the quality of recommendations the CEO receives from others in corporate management. Some board members may be employees or family members (most often from the extended family of the company's founder). Other board members may be affiliated with the company through a banking relationship, a law firm retained by the company, or someone who represents a customer or supplier. Such members may be subject to potential conflicts of interest that cause them to act in ways not necessarily in the shareholders' best interests. This has led some observers to argue that boards should be composed primarily of independent directors and that different individuals should hold the CEO and board chairperson positions.

Internal Controls
Well-designed systems generate information that poses a reduced threat of material misstatements. However, simply having systems in place, even if they are properly engineered and constructed, is not sufficient to guarantee both the effectiveness of the required actions and the reliability of the collected data. Thus, extra procedures are built into every system by management to help ensure that every operation is performed as intended and the resulting financial data are reliable. Internal control over financial reporting is a formal system of checks and balances, monitored by management and the board of directors and reviewed by the outside auditor. To be efficient and effective, these systems must be carefully designed and maintained. They need to keep company assets secure at a minimum cost. In addition, appropriate record keeping is a required aspect of virtually every system.

Anti-takeover Defenses
A company's management and board may employ defenses to gain leverage in negotiating with a potential suitor or to solidify current management's position within the company.

Corporate Culture and Values
While internal systems and controls are important, good governance also results when the employee culture is instilled with appropriate core values and behaviors. Setting the right tone and direction comes from the board of directors and senior management and their willingness to behave in a manner consistent with what they demand from other employees.

Impact Due to Internal Factors
One can conclude that if the company's internal controls are not aligned for achieving governance, the company can face serious repercussions regarding the integrity and professionalism of the company, which in turn affects the goodwill of the company. Internal controls help the company to achieve long-term stability. If there is chaos in the company, loss of shareholder faith and loss of money would be inevitable.

External Factors

Federal and state legislation, the court system, regulators, institutional activists and the corporate takeover market all play an important role in maintaining good governance practices.

Institutional Activists
Pension funds, hedge funds, private equity investors and mutual funds have become increasingly influential institutions that can affect the policies of companies in which they invest. There is growing evidence that institutional activism, in combination with merger and acquisition activity, has become an important factor in disciplining underperforming managers.

Amalgamations and Acquisitions
Changes in corporate control can occur because of a hostile (i.e., bids contested by the target's board and management) or friendly takeover of a target company, or because of a proxy contest initiated by dissident shareholders. When a company's internal mechanisms that govern management control are relatively weak, the corporate takeover market seems to act as a court of last resort to discipline inappropriate management behavior. Strong internal governance mechanisms, by contrast, lessen the role of the takeover threat as a disciplinary factor. Moreover, the disciplining effect of a takeover threat on a company's management can be reinforced when it is paired with a large shareholding by an institutional investor.

Impact Due to External Factors
After establishing an ideal internal control environment for achieving governance, it is crucial that the company maintains it. External factors also affect the company's governance. Thus, events like accounting frauds, cyberattacks, social engineering attacks and market instability would be unavoidable if governance is not implemented correctly. Any changes in legal, compliance, statutory, etc., areas have to be fulfilled by the company to sustain itself in the market and grow accordingly.

This publication is aimed at giving guidance in developing, maintaining and evaluating the governance that arises out of the governance, risk management and information security regulatory requirements from the Companies Act, 2013, Clause 49 and the Information Technology Act, 2008 (as amended).

BENEFITS DERIVED FROM THIS DOCUMENT

Using this guidance note results in a number of easier governance and enterprise risk management (ERM) solutions for the enterprise and in a number of enterprise benefits, such as:
- Reduced complexity and increased cost-effectiveness due to improved and easier integration of governance and risk management compliances, best practices, etc.
- Increased user satisfaction with governance arrangements and outcomes
- Improved integration of governance and ERM in the enterprise
- Informed risk decisions and risk awareness
- Reduced (impact of) costs of noncompliance of governance and ERM
- Improved management of costs related to governance and ERM
- Better understanding of governance, ERM and internal controls
- Enhanced support for innovation and competitiveness

APPROACH TO THIS PUBLICATION

This publication was prepared in keeping with the following:

Regulations of Companies Act, 2013 and Clause 49
Regulations related to governance and risk management and data privacy were identified. Stakeholders were identified.

Stakeholder Needs Identification
Questions are given from COBIT. Questions are selected based on the regulation that is applicable to the stakeholder.

Enterprise Goals Identification
Respective enterprise goals are selected for stakeholder needs.

IT Goals Identification
Enterprise goals are converted to relevant IT goals according to the mapping that is given in the annexure of the COBIT 5 framework.

Process Enablers & Management Practices
Process enablers and practices from COBIT are selected and applied in the relevant section. The COBIT enablers are tailored for compliance with governance requirements, enterprise risk management (ERM) and data security requirements based on the previous chart.

Section two of this publication is divided into three chapters. The first chapter gives a broad view of the following:

Regulation requirements are captured in detail with respect to each identified stakeholder of the Companies Act, 2013, Clause 49 and Information Technology Act, 2008, covering areas of governance, risk management, assurance and data security. Relevant practices are suggested from COBIT 5 that can be implemented to comply with these areas.

Chapter 2 gives an idea of the COBIT 5 framework and the COBIT 5 methodology through its principles and enablers.

Chapter 3 gives the relevant guidance for compliance with the listed regulations, keeping the stakeholders in mind, by using COBIT 5. This chapter has segregated the requirements that are applicable to each stakeholder, respectively, and the respective COBIT enabler usage to meet the stakeholder requirements is explained. Therefore, it is crucial that the previous chart be kept in mind while going through the document.

Chapter 1
- Regulatory requirements from the Companies Act, 2013, Clause 49 and Information Technology Act, 2008
- Governance, risk management, assurance and security

Chapter 2
- Introduction to COBIT 5
- Principles and enablers

Chapter 3
- Stakeholder segregation
- RACI charts for the role of the stakeholder in an activity
- COBIT 5 recommended practices for each stakeholder

Stakeholders are expected to follow these steps in order to bring value to their company:

Step 1 - Identify the regulation with which the company needs to comply (from chapter 1).
Step 2 - Determine the stakeholders that are affected. Classify them as primary and secondary.
Step 3 - Identify the required processes of COBIT that need to be incorporated in order to comply with the selected regulation, from the "How this document will be useful" row.
Step 4 - Locate the processes under the respective stakeholder (in chapter 3) and identify the role of the stakeholder in the RACI (Responsible, Accountable, Consulted, Informed) chart that has been provided.
Step 5 - Incorporate the activities that are described in detail under the respective stakeholder in the RACI chart (in chapter 3).

AN EXAMPLE OF HOW TO READ THE DOCUMENT

Risk management compliance is to be performed by the company.

Step 1 - Identify the regulation with which the user needs to comply (from chapter 1).

Section Reference: Companies Act, 2013, Section 134, Clause 3(n)
Regulatory Requirement: There shall be attached to statements laid before a company in general meeting, a report by its board of directors, which shall include a statement indicating development and implementation of a risk management policy for the company including identification of elements of risk, if any, which in the opinion of the board may threaten the existence of the company.
How this document will be useful: Provides guidance by mapping to COBIT 5 processes EDM03, APO12 and their relevant management practices as identified for the various stakeholders in chapter 3.

Step 2 - Determine the stakeholders that are affected. Classify them as primary and secondary.

Primary stakeholder identified: Board of Directors
Secondary stakeholder identified: Management

Step 3 - Identify the required processes of COBIT that need to be incorporated in order to comply with the selected regulation, from the "How this document will be useful" row.

Identified processes: EDM03, APO12

Step 4 - Locate the processes under the respective stakeholder (in chapter 3) and identify the role of the stakeholder in the RACI chart (Responsible, Accountable, Consulted, Informed) that has been provided.

RACI Chart - Board of Directors
Governance Practice | Board
EDM03.01 Evaluate risk management. | A
EDM03.02 Direct risk management. | A
EDM03.03 Monitor risk management. | A

RACI Chart - Management
Columns: Chief Executive Officer, Chief Financial Officer, Chief Information Security Officer, Chief Risk Officer, Chief Information Officer
APO12.01 Collect data. I R R A
APO12.02 Analyze risk. I C R A
APO12.03 Maintain a risk profile. I C A R
APO12.04 Articulate risk. I C R A
APO12.05 Define a risk management action portfolio. I C A R
APO12.06 Respond to risk. I R R A

Step 5 - Incorporate the activities that are described in detail under the respective stakeholder in the RACI chart (in chapter 3).

Board of Directors

1. EDM03.01 Evaluate risk management.
Continually examine and make judgment on the effect of risk on the current and future use of IT in the enterprise. Consider whether the enterprise's risk appetite is appropriate and that risk to enterprise value related to the use of IT is identified and managed.

ACTIVITY
1. Determine the level of IT-related risk that the enterprise is willing to take to meet its risk objectives.
2. Evaluate and approve proposed IT risk tolerance thresholds against the enterprise's acceptable risk and opportunity levels.
3. Determine the extent of alignment of the IT risk strategy to the enterprise risk strategy.
4. Proactively evaluate IT risk factors in advance of pending strategic enterprise decisions and ensure that risk-aware enterprise decisions are made.
5. Determine that IT use is subject to appropriate risk assessment and evaluation, as described in relevant international and national standards.
6. Evaluate risk management activities to ensure alignment with the enterprise's capacity for IT-related loss and leadership's tolerance of it.

The board needs to actively take part in the risk evaluation process of the enterprise, which also includes the IT-related risks, and, in assessing the risk, define a risk tolerance threshold for acceptable risks and opportunity levels. The board needs to evaluate the risk factors before taking decisions on strategies, to ensure that the impact of risk has been factored in. The board should evaluate the risk management activities and regularly define the enterprise's capacity for loss and the tolerance limits.

2. EDM03.02 Direct risk management.
Direct the establishment of risk management practices to provide reasonable assurance that IT risk management practices are appropriate to ensure that the actual IT risk does not exceed the board's risk appetite.

ACTIVITY
1. Promote an IT risk-aware culture and empower the enterprise to proactively identify IT risk, opportunity and potential business impacts.
2. Direct the integration of the IT risk strategy and operations with the enterprise strategic risk decisions and operations.
3. Direct the development of risk communication plans (covering all levels of the enterprise) as well as risk action plans.
4. Direct implementation of the appropriate mechanisms to respond quickly to changing risk and report immediately to appropriate levels of management, supported by agreed-on principles of escalation (what to report, when, where and how).
5. Direct that risk, opportunities, issues and concerns may be identified and reported by anyone at any time. Risk should be managed in accordance with published policies and procedures and escalated to the relevant decision makers.
6. Identify key goals and metrics of risk governance and management processes to be monitored, and approve the approaches, methods, techniques and processes for capturing and reporting the measurement information.

The board needs to actively take part in promoting a culture where opportunities, risks and their impacts are proactively identified. The board should ensure that there is integration between the risk strategies for IT and the enterprise and that there are no conflicts. The board should direct the development of risk communication plans and action plans for all levels of the enterprise, which shall ensure timely responses to a changing risk environment. The board should encourage reporting of incidents by any level of management in a timely manner and direct handling of incidents according to the defined policies and procedures.

3. EDM03.03 Monitor risk management.
Monitor the key goals and metrics of the risk management processes and establish how deviations or problems will be identified, tracked and reported for remediation.

ACTIVITY
1. Monitor the extent to which the risk profile is managed within the risk appetite thresholds.
2. Monitor key goals and metrics of risk governance and management processes against targets, analyze the cause of any deviations, and initiate remedial actions to address the underlying causes.
3. Enable key stakeholders' review of the enterprise's progress towards identified goals.

The board needs to monitor the extent to which the risk profile is managed and whether the profile is within the thresholds of risk appetite. The board should ensure that deviations of the processes against the defined targets are analyzed and the corrective action needed is taken.

Management

1. APO12.01 Collect data.
Identify and collect relevant data to enable effective IT-related risk identification, analysis and reporting.

ACTIVITY
1. Establish and maintain a method for the collection, classification and analysis of IT risk-related data, accommodating multiple types of events, multiple categories of IT risk and multiple risk factors.
2. Record relevant data on the enterprise's internal and external operating environment that could play a significant role in the management of IT risk.
3. Survey and analyze the historical IT risk data and loss experience from externally available data and trends, industry peers through industry-based event logs, databases, and industry agreements for common event disclosure.
4. Record data on risk events that have caused or may cause impacts to IT benefit/value enablement, IT program and project delivery, and/or IT operations and service delivery. Capture relevant data from related issues, incidents, problems and investigations.
5. For similar classes of events, organize the collected data and highlight contributing factors. Determine common contributing factors across multiple events.
6. Determine the specific conditions that existed or were absent when risk events occurred and the way the conditions affected event frequency and loss magnitude.
7. Perform periodic event and risk factor analysis to identify new or emerging risk issues and to gain an understanding of the associated internal and external risk factors.

Management needs to establish and maintain a method for collection, classification and analysis of risk-related data, which accommodates multiple events, categories of risk and risk factors. Management can record relevant data on the enterprise's internal and external operating environment that would play a significant role in the management of risk. There can be a survey and analysis of historical risk data and loss experience from externally available trends, industry peers through event logs, databases and agreements for common event disclosures. The risk events that have caused or could potentially cause impact to IT value benefits, programs and project delivery should be captured. In addition, data from incidents, problems and investigations can be recorded. Management needs to determine the specific conditions that existed or were absent when risk events occurred and the way they affect event frequency and loss magnitude. Management should perform periodic event and risk factor analysis to identify new/emerging risk issues and gain an understanding of associated risk factors.

2. APO12.02 Analyze risk.
Develop useful information to support risk decisions that take into account the business relevance of risk factors.

ACTIVITIES
1. Define the appropriate breadth and depth of risk analysis efforts, considering all risk factors and the business criticality of assets. Set the risk analysis scope after performing a cost-benefit analysis.
2. Build and regularly update IT risk scenarios, including compound scenarios of cascading and/or coincidental threat types, and develop expectations for specific control activities, capabilities to detect and other response measures.
3. Estimate the frequency and magnitude of loss or gain associated with IT risk scenarios. Take into account all applicable risk factors, evaluate known operational controls and estimate residual risk levels.
4. Compare residual risk to acceptable risk tolerance and identify exposures that may require a risk response.
5. Analyze the cost-benefit of potential risk response options such as avoid, reduce/mitigate, transfer/share, and accept and exploit/seize. Propose the optimal risk response.
6. Specify high-level requirements for projects or programs that will implement the selected risk responses. Identify requirements and expectations for appropriate key controls for risk mitigation responses.
7. Validate the risk analysis results before using them in decision making, confirming that the analysis aligns with enterprise requirements and verifying that estimations were properly calibrated and scrutinized for bias.

Management needs to define the appropriate breadth and depth of risk analysis, considering the criticality of assets, and set the risk scope after performing a cost-benefit analysis. Management needs to build and regularly update the risk scenarios, including compound scenarios of cascading/coincidental threat types, and develop expectations for specific control activities, capabilities to detect and other response measures. Management needs to estimate the frequency and magnitude of loss or gain associated with risk scenarios. The applicable risk factors need to be taken into account, and management needs to evaluate operational controls and estimate residual risk levels. Residual risk needs to be compared with the acceptable risk tolerance, and the risk exposures that will require responses need to be identified. Management needs to conduct a cost-benefit analysis of potential risk response options such as avoid, reduce, transfer and accept. Management should specify high-level requirements for programs that will implement the risk responses. Management should identify requirements for key controls. Management needs to validate the risk analysis results before using them for decision making, confirm whether the analysis aligns with enterprise requirements and verify that estimations were calibrated.

3. APO12.03 Maintain a risk profile.
Maintain an inventory of known risk and risk attributes (including expected frequency, potential impact and responses) and of related resources, capabilities and current control activities.

ACTIVITY
1. Inventory business processes, including supporting personnel, applications, infrastructure, facilities, critical manual records, vendors, suppliers and outsourcers, and document the dependency on IT service management processes and IT infrastructure resources.

MANAGEMENT'S ROLE
Management can take an inventory of business processes, applications, infrastructure, facilities, critical manual records, vendors, etc., and document the dependency on IT service management processes and IT infrastructure resources.

2. Determine and agree on which IT services and IT infrastructure resources are essential to sustain the operation of business processes. Analyze dependencies and identify weak links.
3. Aggregate current risk scenarios by category, business line and functional area.
4. On a regular basis, capture all risk profile information and consolidate it into an aggregated risk profile.
5. Based on all risk profile data, define a set of risk indicators that allow the quick identification and monitoring of current risk and risk trends.
6. Capture information on IT risk events that have materialized, for inclusion in the IT risk profile of the enterprise.

MANAGEMENT'S ROLE

Further, management should determine and agree on which IT services and infrastructure resources are essential to sustain the operation of business processes, and should analyze dependencies and weak links. Management needs to aggregate current risk scenarios by category, business line and functional area. On a regular basis, management should capture risk profile information and consolidate it into aggregated risk profiles. Based on the profiles, management needs to define a set of risk indicators that allow quick identification and monitoring of current risk and risk trends. Information on risk events that have materialized should be captured for inclusion in the risk profiles of the enterprise.

4. APO12.04 Articulate risk.

Provide information on the current state of IT-related exposures and opportunities in a timely manner to all required stakeholders for appropriate response.

ACTIVITIES

1. Report the results of risk analysis to all affected stakeholders in terms and formats useful to support enterprise decisions. Wherever possible, include probabilities and ranges of loss or gain along with confidence levels that enable management to balance risk-return.
2. Provide decision makers with an understanding of worst-case and most-probable scenarios, due diligence exposures, and significant reputation, legal or regulatory considerations.
3. Report the current risk profile to all stakeholders, including effectiveness of the risk management process, control effectiveness, gaps, inconsistencies, redundancies, remediation status, and their impacts on the risk profile.
4. Review the results of objective third-party assessments, internal audit and quality assurance reviews, and map them to the risk profile. Review identified gaps and exposures to determine the need for additional risk analysis.

MANAGEMENT'S ROLE

Management needs to report the results of risk analysis to all affected stakeholders in terms and formats that support decision making. Wherever possible, probabilities and the range of loss or gain should be included, with confidence levels, to balance risk and return. Management can provide decision makers with an understanding of worst-case and most-probable scenarios, due diligence exposures, and reputation, legal or regulatory considerations. The report on the current risk profile to the stakeholders includes the effectiveness of the risk management process, control effectiveness, gaps, inconsistencies, etc., and their impact on the risk profile. Management should review the results of third-party assessments, internal audits and quality assurance (QA) reviews, and map them to the risk profiles.

5. APO12.05 Define a risk management action portfolio.

Manage opportunities to reduce risk to an acceptable level as a portfolio.

ACTIVITIES

1. Maintain an inventory of control activities that are in place to manage risk and that enable risk to be taken in line with risk appetite and tolerance. Classify control activities and map them to specific IT risk statements and aggregations of IT risk.
2. Determine whether each organizational entity monitors risk and accepts accountability for operating within its individual and portfolio tolerance levels.
3. Define a balanced set of project proposals designed to reduce risk and/or projects that enable strategic enterprise opportunities, considering cost and benefits, effect on the current risk profile and regulations.

MANAGEMENT'S ROLE

Management needs to make an inventory of control activities that are in place to manage risk and that enable risk to be taken in line with appetite and tolerance. The control activities should be classified and mapped to specific risk statements and aggregations of risk. Management needs to determine that risk, and accountability for operating within individual and portfolio tolerance levels, are monitored. Management defines a balanced set of project proposals that are designed to reduce risk and/or projects that enable strategic opportunities, considering the cost-benefit analysis.

6. APO12.06 Respond to risk.

Respond in a timely manner with effective measures to limit the magnitude of loss from IT-related events.

ACTIVITIES

1. Prepare, maintain and test plans that document the specific steps to take when a risk event may cause a significant operational or development incident with serious business impact. Ensure that plans include pathways of escalation across the enterprise.
2. Categorize incidents, and compare actual exposures against risk tolerance thresholds. Communicate business impacts to decision makers as part of reporting, and update the risk profile.
3. Apply the appropriate response plan to minimize the impact when risk incidents occur.
4. Examine past adverse events/losses and missed opportunities, and determine root causes. Communicate root cause, additional risk response requirements and process improvements to appropriate decision makers and ensure that the cause, response requirements and process improvement are included in risk governance processes.

MANAGEMENT'S ROLE

Management needs to prepare, maintain and test plans that document the specific steps to take when a risk event may cause a significant operational or development incident with serious impact on the business. Further, management should ensure that plans include escalation paths across the enterprise. Incidents need to be categorized, actual exposures compared against risk thresholds, and the results communicated to decision makers as a part of reporting and updating risk profiles. Management should apply plans to minimize the impact when risk incidents occur, examine past adverse events and missed opportunities, and determine root causes. The root causes, risk response requirements and process improvements should be communicated to decision makers.

REFERENCES FOR THE PUBLICATION

Companies Act, 2013
Clause 49 of the Listing Agreement of SEBI
Information Technology Act, 2000 (as Amended by IT Amendment Act, 2008)
COBIT 5 framework
COBIT 5: Enabling Processes
COBIT 5 Implementation
COBIT 5 for Risk
COBIT 5 for Assurance
Securing Sensitive Personal Data or Information Under India's IT Act Using COBIT 5
COBIT 5: Enabling Information
COBIT 5 for Information Security
Board Briefing on IT Governance (an ISACA publication)

SECTION 2 DETAILED PUBLICATION

Section 2 is the core section of this publication. It consists of the guidance note for compliance with governance and risk management regulations in India using COBIT 5, and it is divided into three chapters. Chapter 1 describes all the regulations that must be complied with in order to have the minimum required governance and enterprise risk management (ERM). Chapter 2 gives a brief introduction to the COBIT 5 framework, its five principles and its seven enablers. Chapter 3 gives a detailed explanation of how COBIT 5 can be used to comply with the regulations identified in chapter 1, for each stakeholder identified in the scope of this publication.

DEFINITIONS

The following terms are defined according to their respective acts. The same meaning should be used while interpreting this document.

Sr. No. / Term / Definition

1. Board of Directors
In relation to a company, the collective body of the directors of the company.

2. Independent Director
An independent director referred to in sub-section (6) of section 149, i.e., a director other than a managing director or a whole-time director or a nominee director:
(a) who, in the opinion of the Board, is a person of integrity and possesses relevant expertise and experience;
(b) (i) who is or was not a promoter of the company or its holding, subsidiary or associate company; (ii) who is not related to promoters or directors in the company, its holding, subsidiary or associate company;
(c) who has or had no pecuniary relationship with the company, its holding, subsidiary or associate company, or their promoters, or directors, during the two immediately preceding financial years or during the current financial year;
(d) none of whose relatives has or had a pecuniary relationship or transaction with the company, its holding, subsidiary or associate company, or their promoters, or directors, amounting to two percent or more of its gross turnover or total income or fifty lakh rupees or such higher amount as may be prescribed, whichever is lower, during the two immediately preceding financial years or during the current financial year;
(e) who, neither himself nor any of his relatives:
(i) holds or has held the position of key managerial personnel or is or has been an employee of the company or its holding, subsidiary or associate company in any of the three financial years immediately preceding the financial year in which he is proposed to be appointed;
(ii) is or has been an employee or proprietor or a partner, in any of the three financial years immediately preceding the financial year in which he is proposed to be appointed, of: (A) a firm of auditors or company secretaries in practice or cost auditors of the company or its holding, subsidiary or associate company; or (B) any legal or consulting firm that has or had any transaction with the company, its holding, subsidiary or associate company amounting to ten percent or more of the gross turnover of such firm;
(iii) holds, together with his relatives, two percent or more of the total voting power of the company; or
(iv) is a chief executive or director, by whatever name called, of any nonprofit organization that receives twenty-five percent or more of its receipts from the company, any of its promoters, directors or its holding, subsidiary or associate company, or that holds two percent or more of the total voting power of the company; or
(f) who possesses such other qualifications as may be prescribed.

3. Key Managerial Personnel
In relation to a company: (i) the CEO or the managing director or the manager; (ii) the company secretary; (iii) the whole-time director; (iv) the chief financial officer; and (v) such other officer as may be prescribed.

4. Sensitive Personal Data
Personal information that relates to passwords; financial information such as bank account or credit card or debit card or other payment instrument details; physical, psychological and mental health condition; sexual orientation; medical records and history; and biometric information.

5. Body Corporate
Any company, including a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities. The term is not restricted to a body corporate established in India. It also refers to an organization that collects, stores or processes sensitive data on behalf of a body corporate (data processor).

8. Identity Theft
A form of stealing someone's identity in which someone pretends to be someone else by assuming that person's identity, usually as a method to gain access to resources. This process is also called personation.

9. Cyberterrorism
Threatening the unity, integrity, security or sovereignty of India, or striking terror in the people or any section of the people, by: (i) denying or causing the denial of access to any person authorized to access a computer resource; or (ii) attempting to penetrate or access a computer resource without authorization or exceeding authorized access; or (iii) introducing or causing to introduce any computer contaminant; and, by means of such conduct, causing or being likely to cause death or injury to persons or damage to or destruction of property, or causing disruption, or knowing that it is likely to cause damage or disruption of supplies or services essential to the life of the community, or adversely affecting the critical information infrastructure specified under section

Intermediary
Any person who, on behalf of another person, stores or transmits a message or provides any service with respect to that message.

11. Computer Resources
Computer, communication device, computer system, computer network, data, computer database or software.

1. Internal Control
Processes/methods designed by management or other personnel to ensure the integrity of financial and accounting information, meet operational and profitability targets and transmit management policies throughout the organization. Basic policies related to internal controls were created to ensure suitable business practices.

2. Audit Committee
An operating committee of a company's board of directors that is in charge of overseeing financial reporting and disclosure. It is also responsible for overseeing all internal and external audit functions of a company.

3. Whistleblower
Anyone who has and reports insider knowledge of illegal activities occurring in an organization. Whistleblowers can be employees, suppliers, contractors, clients or any individual who somehow becomes aware of illegal activities taking place in a business, either through witnessing the behavior or being told about it. In other words, a person who informs on a person or organization regarded as engaging in an unlawful or immoral activity.

CHAPTER 1 - GOVERNANCE AND RISK MANAGEMENT IN INDIA

REGULATORY REQUIREMENTS TO COMPLY WITH THE INDIAN REGULATIONS

This chapter presents information on the enactments and sets out the scope and objectives of this guidance note using COBIT 5. The COBIT 5 guidance is explained in detail in chapter 3 with respect to each stakeholder. The focus is largely on the Companies Act, 2013 and Clause 49. Because this is also the digital era, importance is also given to the Information Technology Act, 2000 (as amended by the IT Amendment Act, 2008) with respect to the data privacy and penalty laws in India. All of the respective regulations have been identified and explained for every stakeholder in the scope of this publication with reference to the governance, risk management, assurance and privacy regulations.

GOVERNANCE

Governance regulatory requirements for every stakeholder have been identified from the Companies Act, 2013 and Clause 49 and are explained in the following table.
Section Reference: Companies Act, 2013, Section 149, Schedule IV
Regulatory Requirement: The company and independent directors shall abide by the provisions specified in Schedule IV, which include the roles and functions of independent directors, i.e.:
- To help in bringing an independent judgment to bear on the board's deliberations on risk management issues
- To satisfy themselves on the integrity of financial information and that financial controls and the systems of risk management are robust and defensible
How this document will be useful: Provides guidance by mapping to COBIT 5 processes EDM03, APO12, and their relevant management practices as identified for the various stakeholders in chapter 3

Section Reference: Companies Act, 2013, Section 177, Clause 4(vii)
Regulatory Requirement: Every audit committee shall act in accordance with the terms of reference specified in writing by the board, which shall inter alia include evaluation of internal financial controls and risk management systems.
How this document will be useful: Provides guidance by mapping to COBIT 5 processes EDM01, EDM03, APO01, BAI01, BAI02, DSS06, MEA01, MEA02, MEA03 and their relevant management practices as identified for the various stakeholders in chapter 3

Section Reference: Clause 49, Section IV, Clause (c)
Regulatory Requirement: The company shall lay down procedures to inform board members about the risk assessment and minimization procedures. These procedures shall be periodically reviewed to ensure that executive management controls risk through means of a properly defined risk management framework.
How this document will be useful: Provides guidance by mapping to COBIT 5 processes EDM01, EDM03, APO01, APO02, APO12, BAI01, BAI02, DSS06, MEA01, MEA02, MEA03 and their relevant management practices as identified for the various stakeholders in chapter 3

Section Reference: Clause 49, Section IV, Clause (f)
Regulatory Requirement: As part of the directors' report or as an addition thereto, a Management Discussion and Analysis report should form part of the Annual Report to the shareholders. This Management Discussion and Analysis report should include discussion on risks and concerns within the limits set by the company's competitive position.
How this document will be useful: Provides guidance by mapping to COBIT 5 processes EDM03, APO01, APO12, BAI01, BAI02, BAI06, BAI07, DSS01, DSS06 and their relevant management practices as identified for the various stakeholders in chapter 3

Section Reference: Companies Act, 2013, Section 138 (1)
Regulatory Requirement: Such class or classes of companies as may be prescribed shall be required to appoint an internal auditor, who shall be either a chartered accountant or a cost accountant, or such other professional as may be decided by the board, to conduct internal audit of the functions and activities of the company.
How this document will be useful: Provides guidance by mapping to COBIT 5 processes MEA01, MEA02, MEA03 and their relevant management practices as identified for the various stakeholders in chapter 3

Section Reference: Companies Act, 2013, Section 143, Clause 3
Regulatory Requirement: The auditor's report shall also state whether the company has an adequate internal financial controls system in place and the operating effectiveness of such controls.
How this document will be useful: Provides guidance by mapping to COBIT 5 processes MEA01, MEA02, MEA03 and their relevant management practices as identified for the various stakeholders in chapter 3

Section Reference: Companies Act, 2013, Section 177 (4)
Regulatory Requirement: Every audit committee shall act in accordance with the terms of reference specified in writing by the board, which shall, inter alia, include:
- Review and monitoring of the auditor's independence and performance, and the effectiveness of the audit process
- Evaluation of internal financial controls and risk management systems
How this document will be useful: Provides guidance by mapping to COBIT 5 processes EDM01, EDM03, MEA01, MEA02, MEA03 and their relevant management practices as identified for the various stakeholders in chapter 3

Section Reference: Clause 49, Section II, Clause (d), (e)
Regulatory Requirement: The role of the audit committee shall include the following:
a) Reviewing, with management, the performance of statutory and internal auditors and the adequacy of the internal control systems
b) Reviewing the adequacy of the internal audit function, if any, including the structure of the internal audit department, staffing and seniority of the official heading the department, reporting structure, coverage and frequency of internal audit
c) Discussion with internal auditors of any significant findings and follow-up thereon
d) Reviewing the findings of any internal investigations by the internal auditors into matters where there is suspected fraud or irregularity or a failure of internal control systems of a material nature, and reporting the matter to the board
e) Management discussion and analysis of financial condition and results of operations
f) Management letters/letters of internal control weaknesses issued by the statutory auditors
g) Internal audit reports relating to internal control weaknesses
How this document will be useful: Provides guidance by mapping to COBIT 5 processes EDM01, EDM03, MEA01, MEA02, MEA03 and their relevant management practices as identified for the various stakeholders in chapter 3

RISK MANAGEMENT

Risk management regulatory requirements for every stakeholder have been identified from the Companies Act, 2013 and Clause 49 and are explained in the following table.

Section Reference: Companies Act, 2013, Section 134, Clause 3(n)
Regulatory Requirement: There shall be attached to statements laid before a company in general meeting a report by its board of directors, which shall include a statement indicating development and implementation of a risk management policy for the company, including identification of elements of risk, if any, which in the opinion of the board may threaten the existence of the company.
How this document will be useful: Provides guidance by mapping to COBIT 5 processes EDM03, APO12 and their relevant management practices as identified for the various stakeholders in chapter 3

Section Reference: Companies Act, 2013, Section (8), Schedule IV
Regulatory Requirement: The independent director shall help in bringing an independent judgment to bear on the board's deliberations on risk management resources and satisfy themselves that financial controls and the systems of risk management are robust and defensible.
How this document will be useful: Provides guidance by mapping to COBIT 5 processes EDM01, EDM04, EDM03, APO12, DSS06 and their relevant management practices as identified for the various stakeholders in chapter 3

Section Reference: Clause 49, Section IV, Clause (c)
Regulatory Requirement: The company shall lay down procedures to inform board members about the risk assessment and minimization procedures. These procedures shall be periodically reviewed to ensure that executive management controls risk through means of a properly defined framework.
How this document will be useful: Provides guidance by mapping to COBIT 5 processes EDM01, EDM05, APO12, DSS06, MEA01, MEA02, MEA03, DSS01 and their relevant management practices as identified for the various stakeholders in chapter 3

Section Reference: Clause 49, Section IV, Clause (f)
Regulatory Requirement: The Management Discussion and Analysis report should include discussion on risks and concerns as well as internal control systems and their adequacy within the limits set by the company's competitive position.
How this document will be useful: Provides guidance by mapping to COBIT 5 processes APO12, MEA02 and their relevant management practices as identified for the various stakeholders in chapter 3

ASSURANCE

Assurance regulatory requirements for the auditor stakeholder have been identified from the Companies Act, 2013 and Clause 49 and are explained in the following table.

Section Reference: Companies Act, 2013, Section 134, Clause 3(n)
Regulatory Requirement: Every audit committee shall act in accordance with the terms of reference specified in writing by the board, which shall include evaluation of internal financial controls and risk management systems.
How this document will be useful: Provides guidance by mapping to COBIT 5 processes MEA01, MEA02, MEA03 and their relevant management practices as identified for the various stakeholders in chapter 3

Section Reference: Companies Act, 2013, Section (1)
Regulatory Requirement: Prescribed classes of companies shall be required to appoint an internal auditor, who is an assurance professional (auditor) decided by the board, to conduct internal audit of the functions and activities of the company.
How this document will be useful: Provides guidance by mapping to COBIT 5 processes MEA01, MEA02, MEA03 and their relevant management practices as identified for the various stakeholders in chapter 3

Section Reference: Companies Act, 2013, Section (3), Clause i
Regulatory Requirement: The auditor's report shall state whether the company has an adequate internal financial controls system in place and the operating effectiveness of such controls.
How this document will be useful: Provides guidance by mapping to COBIT 5 processes MEA01, MEA02, MEA03 and their relevant management practices as identified for the various stakeholders in chapter 3

Section Reference: Clause 49, Section II, Clause d (6)
Regulatory Requirement: The role of the audit committee shall include reviewing, with management, the performance of statutory and internal auditors, and the adequacy of the internal control systems.
How this document will be useful: Provides guidance by mapping to COBIT 5 processes MEA01, MEA02, MEA03 and their relevant management practices as identified for the various stakeholders in chapter 3

Section Reference: Clause 49, Section II, Clause d (7)
Regulatory Requirement: The role of the audit committee shall include reviewing the adequacy of the internal audit function, if any, including the structure of the internal audit department, staffing and seniority of the official heading the department, reporting structure, coverage and frequency of internal audit.
How this document will be useful: Provides guidance by mapping to COBIT 5 processes MEA01, MEA02, MEA03 and their relevant management practices as identified for the various stakeholders in chapter 3

Section Reference: Clause 49, Section II, Clause d (9)
Regulatory Requirement: The role of the audit committee shall include reviewing the findings of any internal investigations by the internal auditors into matters where there is suspected fraud or irregularity or a failure of internal control systems of a material nature, and reporting the matter to the board.
How this document will be useful: Provides guidance by mapping to COBIT 5 processes MEA01, MEA02, MEA03 and their relevant management practices as identified for the various stakeholders in chapter 3

Section Reference: Clause 49, Section II, Clause d (12)
Regulatory Requirement: The role of the audit committee shall include reviewing the functioning of the whistleblower mechanism, where one exists.
How this document will be useful: Provides guidance by mapping to COBIT 5 processes MEA01, MEA02, MEA03 and their relevant management practices as identified for the various stakeholders in chapter 3

Section Reference: Clause 49, Section II, Clause e (1)
Regulatory Requirement: The audit committee shall mandatorily review the management discussion and analysis of financial condition and results of operations.
How this document will be useful: Provides guidance by mapping to COBIT 5 processes MEA01, MEA02, MEA03 and their relevant management practices as identified for the various stakeholders in chapter 3

Section Reference: Clause 49, Section II, Clause e (3)
Regulatory Requirement: The audit committee shall mandatorily review the management letters/letters of internal control weaknesses issued by the statutory auditors.
How this document will be useful: Provides guidance by mapping to COBIT 5 processes MEA01, MEA02, MEA03 and their relevant management practices as identified for the various stakeholders in chapter 3

Section Reference: Clause 49, Section II, Clause e (4)
Regulatory Requirement: The audit committee shall mandatorily review the internal audit reports relating to internal control weaknesses.
How this document will be useful: Provides guidance by mapping to COBIT 5 processes MEA01, MEA02, MEA03 and their relevant management practices as identified for the various stakeholders in chapter 3

Section Reference: Clause 49, Section VII, Clause 1
Regulatory Requirement: The company shall obtain a certificate from either the auditors or practicing company secretaries regarding compliance with the conditions of governance as stipulated in this clause, and annex the certificate to the directors' report, which is sent annually to all the shareholders of the company.
How this document will be useful: N/A

INFORMATION TECHNOLOGY ACT, 2000 (AS AMENDED BY INFORMATION TECHNOLOGY AMENDMENT ACT, 2008)

Data privacy and penalty regulatory requirements for every stakeholder have been identified from the Companies Act, 2013 and Clause 49 and are explained in the following table.

Section Reference: Section 43A
Regulatory Requirement: The obligation to protect sensitive personal data applies to every entity (body corporate) that possesses, deals with or handles any sensitive personal data or information (SPDI) in a computer resource that it owns, controls or operates.
How this document will be useful: Provides guidance by mapping to COBIT 5 processes APO13, MEA02, MEA03, DSS02, DSS05 and their relevant management practices as identified for the various stakeholders in chapter 3

Section Reference: Section 43A
Regulatory Requirement: Where an entity that is obliged to maintain the security of sensitive personal data is negligent in implementing and maintaining reasonable security practices and procedures, and thereby causes wrongful loss or wrongful gain to any person, such entity would be liable to pay damages by way of compensation to the person so affected.
How this document will be useful: Provides guidance by mapping to COBIT 5 processes APO13, MEA02, MEA03, DSS02, DSS05 and their relevant management practices as identified for the various stakeholders in chapter 3

Section Reference: Section 43A
Regulatory Requirement: Body corporate to provide a policy for privacy and disclosure of information. The body corporate, or any person who on behalf of the body corporate collects, receives, possesses, stores, deals with or handles information of a provider of information, shall provide a privacy policy for handling of or dealing in personal information, including sensitive personal data or information, and ensure that the policy is available for view by such providers of information who have provided such information under lawful contract.
How this document will be useful: Provides guidance by mapping to COBIT 5 processes EDM01, EDM03 and their relevant management practices as identified for the various stakeholders in chapter 3

Section Reference: Section 66E
Regulatory Requirement: Punishment for violation of privacy: Whoever intentionally or knowingly captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person, shall be punished with imprisonment which may extend to three years, or with a fine not exceeding two lakh rupees, or with both imprisonment and a fine.
How this document will be useful: N/A

Section Reference: Section 66A
Regulatory Requirement: Any person who sends, by means of a computer resource or a communication device: a) any information that is grossly offensive or has menacing character; or b) any information which he knows to be false, but for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred or ill will, persistently makes use of such computer resource or communication device; or c) any electronic mail or electronic mail message for the purpose of causing annoyance or inconvenience or to deceive or to mislead the addressee or recipient about the origin of such messages (Inserted vide ITAA 2008)
How this document will be useful: N/A

Section Reference: Section 66B
Regulatory Requirement: Whoever dishonestly receives or retains any stolen computer resource or communication device, knowing or having reason to believe the resource or device to be stolen, shall be punished with imprisonment of either description for a term which may extend to three years, or with a fine which may extend to rupees one lakh, or with both imprisonment and a fine.
How this document will be useful: N/A

Section Reference: Section 66C
Regulatory Requirement: Whoever fraudulently or dishonestly makes use of the electronic signature, password or any other unique identification feature of any other person shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to a fine which may extend to rupees one lakh.
How this document will be useful: N/A

Section Reference: Section 66D
Regulatory Requirement: Whoever, by means of any communication device or computer resource, cheats by personation shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to a fine which may extend to one lakh rupees.
How this document will be useful: N/A

Section Reference: Section 67C
Regulatory Requirement: (1) An intermediary shall preserve and retain such information as may be specified, for such duration and in such manner and format as the central government may prescribe. (2) Any intermediary who intentionally or knowingly contravenes the provisions of subsection (1) shall be punished with imprisonment for a term which may extend to three years and shall also be liable to a fine.
How this document will be useful: N/A

SUMMARY

A great deal of effort is being made in India to achieve efficient governance and risk management. Governance and risk management are regulated by the Companies Act, 2013 and Clause 49. Data that are generated have to be preserved, keeping confidentiality and privacy perspectives in mind. Privacy of the data is regulated by the Information Technology Act, 2000 (as amended in 2008).

CHAPTER 2: INTRODUCTION TO COBIT 5

Executive Summary
According to COBIT 5, information is the currency of the 21st century enterprise. Information, and the technology that supports it, can drive success, but it also raises challenging governance and management issues. This section explains the need for using the approach and latest thinking provided by the globally recognized framework COBIT 5 as a benchmark for reviewing and implementing governance and management of enterprise IT. It explains the principles and enablers of COBIT 5 and how it can be an effective tool to help enterprises simplify complex issues, deliver trust and value, manage risk, reduce potential public embarrassment, protect intellectual property and maximize opportunities.

COBIT 5 helps enterprises manage IT-related risk and ensures compliance, continuity, security and privacy. COBIT 5 enables clear policy development and good practice for IT management, including increased business user satisfaction. The key advantage of using a generic framework such as COBIT 5 is that it is useful for enterprises of all sizes, whether commercial, not-for-profit or in the public sector.

Five Principles of COBIT 5
Figure: Five Principles of COBIT 5 (Source: COBIT 5, ISACA, USA, 2012, figure 2)

COBIT 5 simplifies governance challenges with just five principles. Taken together, the five key principles for governance and management of enterprise IT in COBIT 5 enable the enterprise to build an effective governance and management framework that optimizes information and technology investment and use for the benefit of stakeholders.

Principle 1: Meeting Stakeholder Needs: Enterprises exist to create value for their stakeholders by maintaining a balance between the realization of benefits and the optimization of risk and use of resources. COBIT 5 provides all of the required processes and other enablers to support business value creation using IT. Because every enterprise has different objectives, an enterprise can customize COBIT 5 to suit its own context through the goals cascade, translating high-level enterprise goals into manageable, specific, IT-related goals and mapping these to specific processes and practices. The COBIT 5 goals cascade is the mechanism to translate stakeholder needs into specific, actionable and customized enterprise goals, IT-related goals and enabler goals.

Principle 2: Covering the Enterprise End-to-end: COBIT 5 integrates governance of enterprise IT into enterprise governance. It covers all functions and processes within the enterprise; COBIT 5 does not focus only on the IT function, but treats information and related technologies as assets that need to be dealt with just like any other asset by everyone in the enterprise. It considers all IT-related governance and management enablers to be enterprisewide and end-to-end, i.e., inclusive of everything and everyone, internal and external, that is relevant to governance and management of enterprise information and related IT.

Principle 3: Applying a Single Integrated Framework: There are many IT-related standards and best practices, each providing guidance on a subset of IT activities. COBIT 5 is a single and integrated framework because it aligns with the latest relevant standards and frameworks; this allows the enterprise to use COBIT 5 as the overarching governance and management framework integrator. It is complete in enterprise coverage, providing a basis to integrate effectively the other frameworks, standards and practices used.

Principle 4: Enabling a Holistic Approach: Efficient and effective governance and management of enterprise IT require a holistic approach, taking into account several integrating components. COBIT 5 defines a set of enablers to support the implementation of a comprehensive governance and management system for enterprise IT. Enablers are broadly defined as anything that can help to achieve the objectives of the enterprise.

Principle 5: Separating Governance From Management: The COBIT 5 framework makes a clear distinction between governance and management. These two disciplines encompass different types of activities, require different organizational structures and serve different purposes.

Governance: Governance ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; it sets direction through prioritization and decision making, and monitors performance and compliance against the agreed-on direction and objectives. In most organizations, governance is the responsibility of the board of directors under the leadership of the chairperson. Specific governance responsibilities may be delegated to special organizational structures at an appropriate level, especially in larger, complex organizations.

Management: Management plans, builds, runs and monitors activities in alignment with the direction set by the governing body to achieve the objectives. In most enterprises, management is the responsibility of executive management under the leadership of the chief executive officer (CEO).

From the definitions of governance and management it is clear that they comprise different types of activities, with different responsibilities; however, given the role of governance to evaluate, direct and monitor, a set of interactions is required between governance and management to result in an efficient and effective governance system.

Seven Enablers of COBIT 5
Enablers are factors that, individually and collectively, influence whether something will work, in this case, governance and management over enterprise IT. The goals cascade, i.e., higher-level IT-related goals defining what the different enablers should achieve, drives the enablers. The seven categories of enablers are:

Principles, Policies and Frameworks are the vehicles to translate the desired behavior into practical guidance for day-to-day management.
Processes describe an organized set of practices and activities to achieve certain objectives and produce a set of outputs in support of achieving overall IT-related goals.
Organizational Structures are the key decision-making entities in an enterprise.
Culture, Ethics and Behavior of individuals and of the enterprise are very often underestimated as a success factor in governance and management activities.
Information is pervasive throughout any organization and includes all information produced and used by the enterprise. Information is required for keeping the organization running and well governed, but at the operational level, information is very often the key product of the enterprise itself.

Services, Infrastructure and Applications include the infrastructure, technology and applications that provide the enterprise with information technology processing and services.
People, Skills and Competencies are linked to people and are required for successful completion of all activities and for making correct decisions and taking corrective actions.

Figure source: COBIT 5, ISACA, USA, 2012, figure 2

CHAPTER 3 HOW COBIT 5 CAN BE USED TO COMPLY WITH GOVERNANCE

Chapter 3 has been developed so that the COBIT 5 practices that are required for each stakeholder individually are provided. COBIT 5 provides a comprehensive framework that assists enterprises in achieving their objectives for the governance and management of enterprise IT. Simply stated, it helps enterprises create optimal value from IT by maintaining a balance between realizing benefits and optimizing risk levels and resource use. COBIT 5 enables IT to be governed and managed in a holistic manner for the entire enterprise, taking in the full end-to-end business and IT functional areas of responsibility and considering the IT-related interests of internal and external stakeholders. COBIT 5 is generic and useful for enterprises of all sizes, whether commercial, not-for-profit or in the public sector.

The solution has been formulated by following these steps:
Step 1: Identification of stakeholder needs that are required by the regulations and mapping with the relevant enterprise goals
Step 2: Mapping of enterprise goals with the relevant IT goals
Step 3: Mapping of IT goals with relevant IT processes
Step 4: Segregation of IT processes that would be applicable to the following stakeholders:
  Stakeholder 1: Board of directors
  Stakeholder 2: Management (CEO, CFO, CISO, CIO and other members of the C-level)
  Stakeholder 3: Auditors

This chapter consists of tables, as follows:
Activities: The text in this column consists of the set of suggestions and guidance that have been prescribed by the COBIT 5 product family publications.
The text in the adjacent column consists of the interpretation of the activities from the perspective of the stakeholder, the area under discussion and the regulatory requirements.

Step 1: Identification of Stakeholder Needs That Are Required by the Regulations and Mapping With the Relevant Enterprise Goals

All stakeholder needs that are relevant have been highlighted in blue and the corresponding enterprise-related goals have been derived.

Enterprise goals (table columns):
- Stakeholder value of business investments
- Portfolio of competitive products and services
- Managed business risks (safeguarding of assets)
- Compliance with external laws and regulations
- Financial transparency
- Customer-oriented service culture
- Business service continuity and availability
- Agile responses to a changing business environment
- Information-based strategic decision making
- Optimisation of service delivery costs
- Optimisation of business process functionality
- Optimisation of business process costs
- Managed business change programmes
- Operational and staff productivity
- Compliance with internal policies
- Skilled and motivated people
- Product and business innovation culture

Stakeholder needs (table rows; the matrix marks each need with Y against the applicable enterprise goals, and the number of goals marked for each row is given in parentheses):
- How do I get value from the use of IT? Are end users satisfied with the quality of the IT service? (7)
- How do I manage performance of IT? (7)
- How can I best exploit new technology for new strategic opportunities? (6)
- How do I best build and structure my IT department? (7)
- How dependent am I on external providers? How well are IT outsourcing agreements being managed? How do I obtain assurance over external providers? (3)
- What are (control) requirements for information? (3)
- Did I address all IT-related risks? (4)
- Am I running an efficient and resilient IT operation? (2)
- How do I control cost of IT? How do I use IT resources in the most effective and efficient manner? What are the most effective and efficient sourcing options? (3)
- Do I have enough people for IT? How do I develop and maintain their skills, and how do I manage their performance? (3)
- How do I get assurance over IT? (2)
- Is the information I am processing well secured? (3)
- How do I improve business agility through a more flexible IT environment? (4)
- Do IT projects fail to deliver what they promised, and if so, why? Is IT standing in the way of executing the business strategy? (7)
- How critical is IT to sustaining the enterprise? What do I do if IT is not available? (3)
- What concrete vital primary business processes are dependent on IT, and what are the requirements of business processes? (4)
- What has been the average overrun of IT operational budgets? How often and how much do IT projects go over budget? (4)
- How much of the IT effort goes to fire fighting rather than enabling business improvements? (3)
- Are sufficient IT resources and infrastructure available to meet required enterprise strategic objectives? (4)
- How long does it take to make major IT decisions? (4)
- Are the total IT effort and investments transparent? (4)
- Does IT support the enterprise in complying with regulations and service levels? How do I know whether I'm compliant with all applicable regulations? (2)

Step 2: Mapping of Enterprise Goals With the Relevant IT Goals

The enterprise goals that have been derived from step 1 have been mapped to their corresponding IT-related goals. This mapping is based on the matrix that is presented in the COBIT 5 framework.

Step 3: Mapping of IT Goals With Relevant IT Processes

The IT-related goals that have been derived from step 2 have been mapped to the relevant COBIT 5 processes. This mapping is based on the matrix that is presented in the COBIT 5 framework.

Summary of Selected IT-related Goals

The following IT-related goals, as derived from step 3, would be made applicable after following the goals cascade approach and keeping in mind the scope of the document.

IT Goal No. | IT-related Goal | Priority | Comments
1 | Alignment of IT and business strategy | P | Irrelevant
2 | IT compliance and support for business compliance with external laws and regulations | P | Relevant
3 | Commitment of executive management for making IT-related decisions | P | Irrelevant
4 | Managed IT-related business risks | P | Relevant
5 | Realized benefits from IT-enabled investments and services portfolio | P | Irrelevant
6 | Transparency of IT costs, benefits and risk | P | Relevant
7 | Delivery of IT services in line with business requirements | P | Relevant
8 | Adequate use of applications, information and technology solutions | P | Relevant
9 | IT agility | P | Irrelevant
10 | Security of information and processing infrastructure and applications | P | Irrelevant
11 | Optimization of IT assets, resources and capabilities | P | Relevant
12 | Enablement and support of business processes by integrating applications and technology into business processes | P | Irrelevant
13 | Delivery of programs on time, on budget, and meeting requirements and quality standards | P | Irrelevant
14 | Availability of reliable and useful information for decision making | P | Irrelevant
15 | IT compliance with internal policies | P | Relevant
16 | Competent and motivated business and IT personnel | P | Irrelevant
17 | Knowledge, expertise and initiatives for business innovation | P | Irrelevant

P = Primary

Step 4: Segregation of IT Processes That Would Be Applicable to Stakeholders Collectively

The following figure gives an idea of the relationship between the board of directors, management and auditors in complying with the regulatory requirements that have been imposed by the regulators of the enterprise. The board of directors needs to ensure compliance with regulations; this compliance shall be verified by the auditors, who shall, in the end, report the same to the regulators. Management will have to implement the directions that have been given by the board of directors and account for the same to the board of directors.

STAKEHOLDER 1 BOARD OF DIRECTORS

The board of directors is the highest governing authority within the management structure at any publicly traded company. They are the policy managers of a corporation or organization, elected by the shareholders or members. The board in turn chooses the officers of the corporation, sets basic policy and is responsible to the shareholders. In small corporations, there are usually only three directors. The board is directly accountable to the shareholders, and each year the company will hold an annual general meeting (AGM) at which the directors must provide a report to shareholders on the performance of the company and what its plans and strategies are, and submit themselves for re-election to the board.

Roles of the board of directors include:
- Determine the company's vision and mission to guide and set the pace for its current operations and future development.
- Determine the values to be promoted throughout the company.
- Determine and review company goals.
- Determine company policies.
- Review and evaluate present and future opportunities, threats and risks in the external environment and current and future strengths, weaknesses and risks relating to the company.
- Determine strategic options, select those to be pursued, and decide the means to implement and support them.
- Determine the business strategies and plans that underpin the corporate strategy.
- Ensure that the company's organizational structure and capability are appropriate for implementing the chosen strategies.

Because COBIT 5 is a comprehensive framework for governance and management of enterprise IT, it allows enterprises to use the enablers and management practices to satisfy needs and goals. It can be tailored and used, at the discretion of management, toward achieving their goals and objectives. The image below depicts that, out of the 37 processes, the stakeholder (the board) can adopt the relevant processes (borders shaded in black) and their underlying management practices, which shall assist in achieving the goals of the enterprise.

RACI CHART
A responsibility assignment matrix, also known as a RACI chart (Responsible, Accountable, Consulted, Informed), ARCI matrix or linear responsibility chart, describes the participation of various roles in completing tasks or deliverables for a project or business process. The following RACI chart explains the roles of the board of directors in contributing to effective corporate IT governance. The processes explained in this chapter would have to be executed keeping in mind the perspective of the roles in the following chart.

Governance Practice | Board
EDM01.01 Evaluate the governance system. | A
EDM01.02 Direct the governance system. | A
EDM01.03 Monitor the governance system. | A

EDM03.01 Evaluate risk management. | A
EDM03.02 Direct risk management. | A
EDM03.03 Monitor risk management. | A
EDM05.01 Evaluate stakeholder-reporting requirements. | A
EDM05.02 Direct stakeholder communication and reporting. | A
EDM05.03 Monitor stakeholder communication. | A
MEA01.05 Ensure the implementation of corrective actions. | I
MEA02.02 Review business process controls effectiveness. | I
MEA02.08 Execute assurance initiatives. | I
MEA03.03 Confirm external compliance. | I
MEA03.04 Obtain assurance of external compliance. | I

1. EDM01.01 Evaluate the governance system.
Continually identify and engage with the enterprise's stakeholders, document an understanding of the requirements, and make a judgment on the current and future design of governance of enterprise IT.

Activities:
1. Analyze and identify the internal and external environmental factors (legal, regulatory and contractual obligations) and trends in the business environment that may influence governance decisions.
2. Determine the significance of IT and its role with respect to the business.
3. Consider external regulations, laws and contractual obligations and determine how they should be applied within the governance of enterprise IT.
4. Align the ethical use and processing of information and its impact on society, the natural environment, and internal and external stakeholder interests with the enterprise's direction, goals and objectives.
5. Determine the implications of the overall enterprise control environment with regard to IT.
6. Articulate principles that will guide the design of governance and decision making of IT.
7. Understand the enterprise's decision-making culture and determine the optimal decision-making model for IT.
8. Determine the appropriate levels of authority delegation, including threshold rules, for IT decisions.

Interpretation for the board:
The board needs to identify the internal and external factors and trends in the business environment that influence governance decisions. The board should envision the significance of IT and the role it shall play toward achieving business objectives and benefits realization. The board needs to consider the impact of laws and regulations and determine the governance of enterprise IT. The board needs to frame ethical standards and consider the impact of business decisions on society, the environment and the interests of stakeholders in relation to business objectives. The board can develop guidelines and principles for governance in IT. The board can devise appropriate levels of delegated authority and devise rules for IT-related decisions.

2. EDM01.02 Direct the governance system.
Inform leaders and obtain their support, buy-in and commitment. Guide the structures, processes and practices for the governance of IT in line with agreed-on governance design principles, decision-making models and authority levels. Define the information required for informed decision making.

Activities:
1. Communicate governance of IT principles and agree with executive management on the way to establish informed and committed leadership.
2. Establish or delegate the establishment of governance structures, processes and practices in line with agreed-on design principles.
3. Allocate responsibility, authority and accountability in line with agreed-on governance design principles, decision-making models and delegation.
4. Ensure that communication and reporting mechanisms provide those responsible for oversight and decision making with appropriate information.
5. Direct that staff follow relevant guidelines for ethical and professional behavior and ensure that consequences of non-compliance are known and enforced.
6. Direct the establishment of a reward system to promote desirable cultural change.

Interpretation for the board:
The board needs to communicate the governance principles and establish systems toward committed leadership. The board needs to ensure that a system is established with governance structures, practices and processes that are in line with an agreed-on governance methodology. The board should allocate responsibility and accountability to management on the basis of agreed-on governance principles. The board needs to direct staff to follow guidelines on ethical and professional behavior and ensure that staff are aware of the consequences and actions of noncompliance. The board can also implement a reward-based system to promote a cultural change within the organization.

3. EDM01.03 Monitor the governance system.
Monitor the effectiveness and performance of the enterprise's governance of IT. Assess whether the governance system and implemented mechanisms (including structures, principles and processes) are operating effectively and provide appropriate oversight of IT.

Activities:
1. Assess the effectiveness and performance of those stakeholders given delegated responsibility and authority for governance of enterprise IT.
2. Periodically assess whether agreed-on governance of IT mechanisms (structures, principles, processes, etc.) are established and operating effectively.
3. Assess the effectiveness of the governance design and identify actions to rectify any deviations found.
4. Maintain oversight of the extent to which IT satisfies obligations (regulatory, legislation, common law, contractual), internal policies, standards and professional guidelines.
5. Provide oversight of the effectiveness of, and compliance with, the enterprise's system of control.
6. Monitor regular and routine mechanisms for ensuring that the use of IT complies with relevant obligations (regulatory, legislation, common law, contractual), standards and guidelines.

Interpretation for the board:
The board needs to assess the effectiveness and performance of management personnel who have been assigned the task of governance of the enterprise. The board should periodically assess the governance systems, policies and procedures for efficient operations and rectify any deviations found in the governance system. The board should maintain oversight of the extent to which IT is able to satisfy obligations, standards and professional guidelines.

4. EDM03.01 Evaluate risk management.
Continually examine and make judgment on the effect of risk on the current and future use of IT in the enterprise. Consider whether the enterprise's risk appetite is appropriate and that risk to enterprise value related to the use of IT is identified and managed.

Activities:
1. Determine the level of IT-related risk that the enterprise is willing to take to meet its risk objectives.
2. Evaluate and approve proposed IT risk tolerance thresholds against the enterprise's acceptable risk and opportunity levels.
3. Determine the extent of alignment of the IT risk strategy to the enterprise risk strategy.
4. Proactively evaluate IT risk factors in advance of pending strategic enterprise decisions and ensure that risk-aware enterprise decisions are made.
5. Determine that IT use is subject to appropriate risk assessment and evaluation, as described in relevant international and national standards.
6. Evaluate risk management activities to ensure alignment with the enterprise's capacity for IT-related loss and leadership's tolerance of it.

Interpretation for the board:
The board needs to actively take part in the risk evaluation process of the enterprise, which also includes the IT-related risks, and, on assessing those risks, define a risk tolerance threshold for acceptable risk and opportunity levels. The board needs to evaluate the risk factors before making decisions on strategies to ensure that the impact of risk has been factored in. The board should evaluate risk management activities and regularly define the enterprise's capacity for loss and the tolerance limits.

5. EDM03.02 Direct risk management.
Direct the establishment of risk management practices to provide reasonable assurance that IT risk management practices are appropriate to ensure that the actual IT risk does not exceed the board's risk appetite.

Activities:
1. Promote an IT risk-aware culture and empower the enterprise to proactively identify IT risk, opportunity and potential business impacts.
2. Direct the integration of the IT risk strategy and operations with the enterprise strategic risk decisions and operations.
3. Direct the development of risk communication plans (covering all levels of the enterprise) as well as risk action plans.
4. Direct implementation of the appropriate mechanisms to respond quickly to changing risk and report immediately to appropriate levels of management, supported by agreed-on principles of escalation (what to report, when, where and how).
5. Direct that risk, opportunities, issues and concerns may be identified and reported by anyone at any time. Risk should be managed in accordance with published policies and procedures and escalated to the relevant decision makers.
6. Identify key goals and metrics of risk governance and management processes to be monitored, and approve the approaches, methods, techniques and processes for capturing and reporting the measurement information.

Interpretation for the board:
The board needs to actively take part in promoting a culture where opportunities, risks and their impacts are proactively identified. The board should ensure that the risk strategies for IT and the enterprise are integrated and that there are no conflicts between them. The board should direct the development of risk communication plans and action plans for all levels of the enterprise, which shall ensure timely responses to changing risk environments. The board should encourage reporting of incidents by any level of management in a timely manner and direct handling of incidents according to defined policies and procedures.

6. EDM03.03 Monitor risk management.
Monitor the key goals and metrics of the risk management processes and establish how deviations or problems will be identified, tracked and reported for remediation.

Activities:
1. Monitor the extent to which the risk profile is managed within the risk appetite thresholds.
2. Monitor key goals and metrics of risk governance and management processes against targets, analyze the cause of any deviations, and initiate remedial actions to address the underlying causes.
3. Enable key stakeholders' review of the enterprise's progress towards identified goals.

Interpretation for the board:
The board needs to monitor the extent to which the risk profile is managed and whether it lies within the thresholds of the risk appetite. The board should ensure that deviations of the processes against the defined targets are analyzed and corrective action is taken.

7. EDM05.01 Evaluate stakeholder reporting.
Continually examine and make judgment on the current and future requirements for stakeholder communication and reporting, including both mandatory reporting requirements (e.g., regulatory) and communication to other stakeholders. Establish the principles for communication.

Activities:
1. Examine and make a judgment on the current and future mandatory reporting requirements relating to the use of IT within the enterprise (regulation, legislation, common law, contractual), including extent and frequency.
2. Examine and make a judgment on the current and future reporting requirements for other stakeholders relating to the use of IT within the enterprise, including extent and conditions.
3. Maintain principles for communication with external and internal stakeholders, including communication formats and communication channels, and for stakeholder acceptance and sign-off of reporting.

Interpretation for the board:
The board needs to make a judgment on current and future mandatory reporting requirements relating to the use of IT within the enterprise and maintain principles for communication with stakeholders, including communication formats and channels.

8. EDM05.02 Direct stakeholder communication and reporting.
Ensure the establishment of effective stakeholder communication and reporting, including mechanisms for ensuring the quality and completeness of information, oversight of mandatory reporting, and creating a communication strategy for stakeholders.

Activities:
1. Direct the establishment of the communication strategy for external and internal stakeholders.
2. Direct the implementation of mechanisms to ensure that information meets all criteria for mandatory IT reporting requirements for the enterprise.
3. Establish mechanisms for validation and approval of mandatory reporting.
4. Establish reporting escalation mechanisms.

Interpretation for the board:
The board needs to establish a communication strategy for internal and external stakeholders and direct the implementation of mechanisms to ensure that information meets all criteria for the reporting requirements of the enterprise. The board needs to establish mechanisms for validation and approval of reporting and for escalation.

9. EDM05.03 Monitor stakeholder communication.
Monitor the effectiveness of stakeholder communication. Assess mechanisms for ensuring accuracy, reliability and effectiveness, and ascertain whether the requirements of different stakeholders are met.

Activities:
1. Periodically assess the effectiveness of the mechanisms for ensuring the accuracy and reliability of mandatory reporting.
2. Periodically assess the effectiveness of the mechanisms for, and outcomes from, communication with external and internal stakeholders.
3. Determine whether the requirements of different stakeholders are met.

Interpretation for the board:
The board needs to ensure that it assesses the effectiveness of the mandatory reporting mechanisms, determines whether there are deviations from the predefined requirements of the stakeholders, and takes corrective action to remediate the deviations.

MEA01.05, MEA02.03, MEA02.08, MEA03.03 and MEA03.04 are the other management practices that have been identified for the board as well as auditors. They are explained in the stakeholder 3 section that follows.

STAKEHOLDER 2 - MANAGEMENT

Chief Executive Officer (CEO)
The CEO is the top executive responsible for a firm's overall operations and performance. He or she is the leader of the firm, serves as the main link between the board of directors and the firm's various parts or levels, and is held solely responsible for the firm's success or failure. One of the major duties of a CEO is to maintain and implement corporate policy, as established by the board. Also called president or managing director (MD), he or she may also be the chairperson of the board.

Responsibilities of the CEO
The responsibilities of an organization's CEO or MD are set by the organization's board of directors or other authority, depending on the organization's legal structure. The responsibilities can be far-reaching or quite limited and are typically enshrined in a formal delegation of authority. Typically, the CEO/MD has responsibilities as a director, decision maker, leader, manager and executor. The communicator role can involve the press and the rest of the outside world, as well as the organization's management and employees; the decision-making role involves high-level decisions about policy and strategy. As a leader of the company, the CEO/MD advises the board of directors, motivates employees and drives change within the organization. As a manager, the CEO/MD presides over the organization's day-to-day operations.

Chief Financial Officer (CFO)
The CFO is the senior manager responsible for overseeing the financial activities of an entire company. The CFO's duties include financial planning and monitoring cash flow. He or she analyzes the company's financial strengths and weaknesses and suggests plans for improvement. The CFO is similar to a treasurer or controller in that he or she is responsible for overseeing the

48 accounting and finance departments and for ensuring that the company's financial reports are accurate and completed on time. The role of CFO includes: Credit control Preparing budgets and financial statements Coordinating financing and fundraising Monitoring expenditure and liquidity Managing investment and taxation issues Reporting financial performance to the board Providing timely financial data to the CEO, etc. Chief Information Officer (CIO) The CIO is a company executive who is responsible for the management, implementation and usability of information and computer technologies. The CIO will analyze how these technologies can benefit the company or improve an existing business process and will then integrate a system to realize that benefit or improvement. In other words, the CIO is responsible for development, implementation and operation of a firm's information technology policy. He or she oversees all information systems infrastructure within the organization and is responsible for establishing information-related standards to facilitate management control over all corporate resources. Roles of the CIO include: Develop and maintain an appropriate IT organizational structure that supports the needs of the business. Establish IT departmental goals, objectives and operating procedures. Identify opportunities for the appropriate and cost-effective investment of financial resources in IT systems and resources, including staffing, sourcing, purchasing and in-house development. Assess and communicate risks associated with IT investments. Develop, track and control the information technology annual operating and capital budgets. Develop business case justifications and cost-benefit analyses for IT spending and initiatives. Direct development and execution of an enterprisewide disaster recovery and business continuity plan. Assess and make recommendations on the improvement or re-engineering of the IT organization. 
Chief Risk Officer (CRO) The chief risk officer (CRO), or chief risk management officer (CRMO), of a corporation is the executive accountable for enabling the efficient and effective governance of significant risks, and related opportunities, to a business and its various segments. He or she is responsible for identifying, analyzing and mitigating internal and external events that could threaten a company. The CRO works to ensure that the company is compliant with government regulations and reviews factors that could negatively affect investments or a company's business units. The position of CRO is constantly evolving. As new technologies are adopted by a company, the CRO must govern information security, protect against fraud and guard intellectual property. By developing internal controls and overseeing internal audits, threats from within a company can be identified before they result in regulatory issues. Chief Information Security Officer (CISO) The CISO is a senior-level executive responsible for aligning security initiatives with enterprise programs and business objectives, ensuring that information assets and technologies are adequately protected. 47

The CISO's responsibilities have shifted over the years from general security to identifying, developing, implementing and maintaining security-related processes that reduce the organization's operational risks. Duties and responsibilities may include:
- Establish and implement security-related policies.
- Oversee regulatory compliance.
- Ensure data privacy.
- Manage the company's Computer Security Incident Response Team.
- Supervise identity and access management.
- Establish and oversee the organization's security architecture.
- Conduct electronic discovery and digital forensic investigations.
- Work with other high-level executives to establish disaster recovery and business continuity plans.

Because COBIT 5 is a comprehensive framework for governance and management of enterprise IT, it allows enterprises to use the enablers and management practices to satisfy needs and goals. It can be tailored and used, at the discretion of management, toward achieving their goals and objectives. The image below depicts that, out of the 37 processes, the stakeholder (the management) can adapt relevant processes (border shaded in black) and their underlying management practices, which shall assist in achieving the goals of the enterprise.

RACI CHART
A responsibility assignment matrix, also known as a RACI chart, ARCI matrix or linear responsibility chart, describes the participation by various roles in completing tasks or deliverables for a project or business process. The following RACI chart explains the different roles of the members of management in contributing to effective corporate IT governance. The processes explained in this chapter would have to be executed keeping in mind the perspective of the roles in the following RACI chart.

Management Practice | Chief Executive Officer | Chief Financial Officer | Chief Information Security Officer | Chief Risk Officer | Chief Information Officer
EDM04.01 Evaluate resource management. | R C C C R
EDM04.02 Direct resource management. | R C I I R
EDM04.03 Monitor resource management. | R C C C R
APO01.01 Define the organizational structure. | C C A
APO01.02 Establish roles and responsibilities. | A
APO01.03 Maintain the enablers of the management system. | A C C C R
APO01.04 Communicate management objectives and direction. | A R R R R
APO01.05 Optimize the placement of the IT function. | C C R
APO01.06 Define information (data) and system ownership. | I I C
APO01.07 Manage continual improvement of processes. | R
APO01.08 Maintain compliance with policies and procedures. | A R
APO02.01 Understand enterprise direction. | C C C C R
APO02.02 Assess the current environment, capabilities and performance. | C C C A
APO02.03 Define the target IT capabilities. | A C C R
APO02.04 Conduct a gap analysis. | C A
APO02.05 Define the strategic plan and road map. | C I C C A
APO02.06 Communicate the IT strategy and direction. | R I I I R
APO03.01 Develop the enterprise architecture vision. | A C C R
APO03.02 Define reference architecture. | C C C R
APO03.03 Select opportunities and solutions. | A C C R
APO03.04 Define architecture implementation. | A C C R
APO03.05 Provide enterprise architecture services. | A C C R
APO12.01 Collect data. | I R R A

Management Practice | Chief Executive Officer | Chief Financial Officer | Chief Information Security Officer | Chief Risk Officer | Chief Information Officer
APO12.02 Analyze risk. | I C R A
APO12.03 Maintain a risk profile. | I C A R
APO12.04 Articulate risk. | I C R A
APO12.05 Define a risk management action portfolio. | I C A R
APO12.06 Respond to risk. | I R R A
APO13.01 Establish and maintain an ISMS. | C A C R
APO13.02 Define and manage an information security risk treatment plan. | C A C R
APO13.03 Monitor and review the ISMS. | A R
DSS01.02 Manage outsourced IT services. | I A
DSS01.03 Monitor IT infrastructure. | I I
DSS01.04 Manage the environment. | A C C
DSS01.05 Manage facilities. | A C C
DSS06.01 Align control activities embedded in business processes with enterprise objectives. | C C I I C
DSS06.02 Control the processing of information. | R R I I C
DSS06.03 Manage roles, responsibilities, access privileges and levels of authority. | R I C
DSS06.04 Manage errors and exceptions. | I
DSS06.05 Ensure traceability of information events and accountabilities. | I C
DSS06.06 Secure information assets. | C I I C
MEA01.01 Establish a monitoring approach. | A R R
MEA01.02 Set performance and conformance targets. | I I C
MEA01.03 Collect and process performance and conformance data. | A
MEA01.04 Analyze and report performance. | C
MEA01.05 Ensure the implementation of corrective actions. | I I A

Management Practice | Chief Executive Officer | Chief Financial Officer | Chief Information Security Officer | Chief Risk Officer | Chief Information Officer
MEA02.01 Monitor internal controls. | I C R A
MEA02.02 Review business process controls effectiveness. | I R I I C
MEA02.03 Perform control self-assessments. | I C R A
MEA02.04 Identify and report control deficiencies. | I C I I A
MEA02.05 Ensure that assurance providers are independent and qualified. | R
MEA02.06 Plan assurance initiatives. | A R
MEA02.07 Scope assurance initiatives. | R
MEA02.08 Execute assurance initiatives. | I I I R
MEA03.01 Identify external compliance requirements. | R
MEA03.02 Optimize response to external requirements. | R R R
MEA03.03 Confirm external compliance. | R R R
MEA03.04 Obtain assurance of external compliance. | I I R

1. EDM04.01 Evaluate resource management.
Continually examine and make judgment on the current and future need for IT-related resources, options for resourcing (including sourcing strategies), and allocation and management principles to meet the needs of the enterprise in the optimal manner.
1. Examine and make judgment on the current and future strategy, options for providing IT resources, and developing capabilities to meet current needs and future needs (including sourcing options).
2. Define the principles for guiding the allocation and management of resources and capabilities so that IT can meet the needs of the enterprise, with the required capability and capacity according to the agreed-on priorities and budgetary constraints.
3. Review and approve the resource plan and enterprise architecture strategies for delivering value and mitigating risk with the allocated resources.
4. Understand requirements for aligning resource management with enterprise financial and human resources (HR) planning.
5. Define principles for the management and control of the enterprise architecture.

Management is the link toward accomplishment of stakeholder expectations and their fulfillment. Management should examine and make a judgment on the current and future strategies for providing resources and developing capabilities to meet the present and future needs of the organization. Management should define the principles for guidance, allocation and management of resources according to agreed-on priorities, keeping in mind the budgetary constraints so that a balance is maintained between the constraints and the budgets. Management should align resource management with the finance and human resources (HR) departments. Management should set the principles for managing and controlling the enterprise architecture.

2. EDM04.02 Direct resource management.
Ensure the adoption of resource management principles to enable optimal use of IT resources throughout their full economic life cycle.
1. Communicate and drive the adoption of the resource management strategies, principles, and agreed-on resource plan and enterprise architecture strategies.
2. Assign responsibilities for executing resource management.
3. Define key goals, measures and metrics for resource management.
4. Establish principles related to safeguarding resources.
5. Align resource management with enterprise financial and HR planning.

Management needs to ensure optimization of the resources and adherence to the agreed-on principles, plans and strategies. Responsibilities need to be assigned toward execution of resource management and its alignment with the HR and finance departments.

3. EDM04.03 Monitor resource management.
Monitor the key goals and metrics of the resource management processes and establish how deviations or problems will be identified, tracked and reported for remediation.
1. Monitor the allocation and optimization of resources in accordance with enterprise objectives and priorities using agreed-on goals and metrics.
2. Monitor IT sourcing strategies, enterprise architecture strategies, IT resources and capabilities to ensure that current and future needs of the enterprise can be met.
3. Monitor resource performance against targets, analyze the cause of deviations, and initiate remedial action to address the underlying causes.

Management, after defining and directing the resources, needs to ensure that resources are monitored in accordance with the priorities and goals of the enterprise. This also includes monitoring the sourcing strategies and architecture strategies for the present and future needs of the enterprise.

4. APO01.01 Define the organizational structure.
Establish an internal and extended organizational structure that reflects business needs and IT priorities. Put in place the required management structures (e.g., committees) that enable management decision making to take place in the most effective and efficient manner.
1. Define the scope, internal and external functions, internal and external roles, and capabilities and decision rights required, including those IT activities performed by third parties.
2. Identify decisions required for the achievement of enterprise outcomes and the IT strategy, and for the management and execution of IT services.
3. Establish the involvement of stakeholders who are critical to decision making (accountable, responsible, consulted or informed).
4. Align the IT-related organization with enterprise architecture organizational models.
5. Define the focus, roles and responsibilities of each function within the IT-related organizational structure.
6. Define the management structures and relationships to support the functions and roles of management and execution, in alignment with the governance direction set.
7. Establish an IT strategy committee (or equivalent) at the board level. This committee should ensure that governance of IT, as part of enterprise governance, is adequately addressed; advise on strategic direction; and review major investments on behalf of the full board.
8. Establish an IT steering committee (or equivalent) composed of executive, business and IT management to determine prioritization of IT-enabled investment programs in line with the enterprise's business strategy and priorities; track status of projects and resolve resource conflicts; and monitor service levels and service improvements.
9. Provide guidelines for each management structure (including mandate, objectives, meeting attendees, timing, tracking, supervision and oversight) as well as required inputs for and expected outcomes of meetings.
10. Define ground rules for communication by identifying communication needs, and implementing plans based on those needs, considering top-down, bottom-up and horizontal communication.
11. Regularly verify the adequacy and effectiveness of the organizational structure.

Management needs to play a pivotal role in defining the scope, functions, roles and capabilities of the organization and identify decisions required for achievement of expected outcomes. Management needs to ensure that stakeholders are engaged in critical decision making regarding the enterprise. Management needs to ensure the alignment of the IT framework with the architecture of the organization and accordingly define the roles and responsibilities of each function within the organization. Management can create an IT strategy committee at the board level, and the committee should ensure that governance of IT is addressed, advise on strategic decisions and review the major investments on behalf of the board. Management should establish an IT steering committee, composed of executives from business and IT management, to determine the priority of IT investment programs in line with the enterprise business strategies, track the status of projects and resolve conflicts. Management needs to provide guidelines for each level of management, and the expected outcomes need to be communicated and kept up to date.

5. APO01.02 Establish roles and responsibilities.
Establish, agree on and communicate roles and responsibilities of IT personnel, as well as other stakeholders with responsibilities for enterprise IT, that clearly reflect overall business needs and IT objectives and relevant personnel's authority, responsibilities and accountability.
1. Establish, agree on and communicate IT-related roles and responsibilities for all personnel in the enterprise, in alignment with business needs and objectives. Clearly delineate responsibilities and accountabilities, especially for decision-making and approvals.
2. Consider requirements from enterprise and IT service continuity when defining roles, including staff back-up and cross-training requirements.
3. Provide input to the IT service continuity process by maintaining up-to-date contact information and role descriptions in the enterprise.
4. Include in role and responsibility descriptions adherence to management policies and procedures, the code of ethics, and professional practices.
5. Implement adequate supervisory practices to ensure that roles and responsibilities are properly exercised, to assess whether all personnel have sufficient authority and resources to execute their roles and responsibilities, and to generally review performance. The level of supervision should be in line with the sensitivity of the position and extent of responsibilities assigned.
6. Ensure that accountability is defined through roles and responsibilities.
7. Structure roles and responsibilities to reduce the possibility for a single role to compromise a critical process.

Management needs to establish, agree on and communicate the roles and responsibilities for all personnel in the enterprise and also consider the requirements of the enterprise while defining roles, which includes backup plans for staff and cross-training functions. Management needs to provide inputs to the IT service continuity process by maintaining up-to-date contact information for all of the roles within the enterprise. The code of ethics and professional practices should form a part of the responsibilities of the organizational personnel. Management needs to ensure that supervisory practices ensure proper exercise of roles and that the concerned authority has sufficient authority to execute the responsibilities. The levels of supervision should be aligned with the sensitivity of the position. There needs to be accountability for all the roles and responsibilities defined for the organization. The roles should be structured in such a way that there is no conflict between roles, and also so that no single role compromises a critical process.

6. APO01.03 Maintain the enablers of the management system.
Maintain the enablers of the management system and control environment for enterprise IT, and ensure that they are integrated and aligned with the enterprise's governance and management philosophy and operating style. These enablers include the clear communication of expectations/requirements. The management system should encourage cross-divisional co-operation and teamwork, promote compliance and continuous improvement, and handle process deviations (including failure).

1. Obtain an understanding of the enterprise vision, direction and strategy.
2. Consider the enterprise's internal environment, including management culture and philosophy, risk tolerance, security, ethical values, code of conduct, accountability, and requirements for management integrity.
3. Derive and integrate IT principles with business principles.
4. Align the IT control environment with the overall IT policy environment, IT governance and IT process frameworks, and existing enterprise-level risk and control frameworks. Assess industry-specific good practices or requirements (e.g., industry-specific regulations) and integrate them where appropriate.
5. Align with any applicable national and international governance and management standards and codes of practice, and evaluate available good practices such as the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control Integrated Framework and the COSO Enterprise Risk Management Integrated Framework.
6. Create a set of policies to drive the IT control expectations on relevant key topics such as quality, security, confidentiality, internal controls, usage of IT assets, ethics and intellectual property rights.
7. Evaluate and update the policies at least yearly to accommodate changing operating or business environments.
8. Roll out and enforce IT policies to all relevant staff, so they are built into, and are an integral part of, enterprise operations.
9. Ensure that procedures are in place to track compliance with policies and define the consequences of non-compliance.

Management needs to get an understanding of the vision of the stakeholders toward the direction, strategies and operations of the enterprise. Management needs to consider internal factors like culture and philosophy, risk tolerance, ethical values, and codes of conduct to develop enablers of the system. Management needs to ensure that there is alignment between the principles, governance, processes and frameworks of IT and those of the enterprise as a whole. The industry-specific goals and practices should be incorporated into the system. Management can align the principles and practices set by international governance and management standards and the codes of practice from the COSO model and any other framework. Management needs to create a set of policies, which shall drive IT control and expectations on quality, security, confidentiality, internal controls, usage of IT assets and intellectual property rights. Management should evaluate and update policies on a yearly basis to accommodate changing business environments. On developing policies and frameworks, management needs to ensure that they are adhered to and that there is a tracking mechanism to check on noncompliance with policies.

7. APO01.04 Communicate management objectives and direction.
Communicate awareness and understanding of IT objectives and direction to appropriate stakeholders and users throughout the enterprise.
1. Continuously communicate IT objectives and direction. Ensure that executive management, in action and words, using all available channels, supports communications.
2. Ensure that the information communicated encompasses a clearly articulated mission, service objectives, security, internal controls, quality, code of ethics/conduct, policies and procedures, roles and responsibilities, etc. Communicate the information at the appropriate level of detail for the respective audiences within the enterprise.
3. Provide sufficient and skilled resources to support the communication process.

Management ensures that it communicates the objectives and directions, which are supported by executive management, where there is a clearly defined mission, objectives, security, internal controls, quality, code of ethics/conduct, roles and responsibilities, etc., and provides resources to support the communication process.

8. APO01.05 Optimize the placement of the IT function.
Position the IT capability in the overall organizational structure to reflect an enterprise model relevant to the importance of IT within the enterprise, specifically its criticality to enterprise strategy and the level of operational dependence on IT. The reporting line of the CIO should be commensurate with the importance of IT within the enterprise.
1. Understand the context for the placement of the IT function, including an assessment of the enterprise strategy and operating model (centralized, federated, decentralized, hybrid), importance of IT, and sourcing situation and options.
2. Identify, evaluate and prioritize options for organizational placement, sourcing and operating models.
3. Define placement of the IT function and obtain agreement.

Management should assess the enterprise strategy and operating model to ensure that the functions are optimized.

9. APO01.06 Define information (data) and system ownership.
Define and maintain responsibilities for ownership of information (data) and information systems. Ensure that owners make decisions about classifying information and systems and protecting them in line with this classification.
1. Provide policies and guidelines to ensure appropriate and consistent enterprisewide classification of information (data).
2. Define, maintain and provide appropriate tools, techniques and guidelines to provide effective security and controls over information and information systems in collaboration with the owner.
3. Create and maintain an inventory of information (systems and data) that includes a listing of owners, custodians and classifications. Include systems that are outsourced and those for which ownership should stay within the enterprise.
4. Define and implement procedures to ensure the integrity and consistency of all information stored in electronic form such as databases, data warehouses and data archives.

Management should provide policies and guidelines for appropriate classification of data throughout the enterprise by defining and maintaining appropriate tools, techniques and guidelines, which ensure effective security and controls over information and information systems. Management should create an inventory of information that includes lists of owners, custodians and classifications. Further, there should be integrity and consistency for all information stored in data warehouses and data archives.

10. APO01.07 Manage continual improvement of processes.
Assess, plan and execute the continual improvement of processes and their maturity to ensure that they are capable of delivering against enterprise, governance, management and control objectives. Consider COBIT process implementation guidance, emerging standards, compliance requirements, automation opportunities, and the feedback of process users, the process team and other stakeholders. Update the process and consider impacts on process enablers.
1. Identify business-critical processes based on performance and conformance drivers and related risk. Assess process capability and identify improvement targets. Analyze gaps in process capability and control. Identify options for improvement and redesign of the process. Prioritize initiatives for process improvement based on potential benefits and costs.
2. Implement agreed-on improvements; operate as normal business practice, and set performance goals and metrics to enable monitoring of process improvements.
3. Consider ways to improve efficiency and effectiveness (e.g., through training, documentation, standardization and automation of the process).
4. Retire outdated processes, process components or enablers.

Management should identify business-critical processes based on performance drivers and related risks. There should be an assessment of process capability and control, and options should be identified for improvement and redesign of processes when needed. The improvements should be implemented, and performance goals and metrics should be defined to monitor the processes. Management should take action to retire outdated processes, components and enablers.

11. APO01.08 Maintain compliance with policies and procedures.
Put in place procedures to maintain compliance with and performance measurement of policies and other enablers of the control framework, and enforce the consequences of non-compliance or inadequate performance. Track trends and performance and consider these in the future design and improvement of the control framework.
1. Track compliance with policies and procedures.
2. Analyze non-compliance and take appropriate action (this could include changing requirements).
3. Integrate performance and compliance into individual staff members' performance objectives.
4. Regularly assess the performance of the framework's enablers and take appropriate action.

Management must ensure compliance with policies and procedures within the organization and take appropriate action when required.

12. APO02.01 Understand enterprise direction.
Consider the current enterprise environment and business processes, as well as the enterprise strategy and future objectives. Consider also the external environment of the enterprise (industry drivers, relevant regulations, basis for competition).
1. Develop and maintain an understanding of enterprise strategy and objectives, as well as the current enterprise operational environment and challenges.
2. Develop and maintain an understanding of the external environment of the enterprise.
3. Identify key stakeholders and obtain insight on their requirements.
4. Identify and analyze sources of change in the enterprise and external environments.
5. Ascertain priorities for strategic change.
6. Understand the current enterprise architecture and work with the enterprise architecture process to determine any potential architectural gaps.

Management needs to develop and maintain the strategies and objectives of the enterprise, which cover not only the current but also the future objectives. Management also needs to obtain insights from the stakeholders. Management needs to analyze sources of change to the enterprise and external environment. Management should review the current enterprise architecture and identify the gaps within the present structure.

13. APO02.02 Assess the current environment, capabilities and performance.
Assess the performance of current internal business and IT capabilities and external IT services, and develop an understanding of the enterprise architecture in relation to IT. Identify issues currently being experienced and develop recommendations in areas that could benefit from improvement. Consider service provider differentiators and options and the financial impact and potential costs and benefits of using external services.
1. Develop a baseline of the current business and IT environment, capabilities and services against which future requirements can be compared. Include the relevant high-level detail of the current enterprise architecture (business, information, data, applications and technology domains), business processes, IT processes and procedures, the IT organization structure, external service provision, governance of IT, and enterprisewide IT-related skills and competencies.
2. Identify risk from current, potential and declining technologies.
3. Identify gaps between current business and IT capabilities and services and reference standards and good practices, competitor business and IT capabilities, and comparative benchmarks of good practice and emerging IT service provision.
4. Identify issues, strengths, opportunities and threats in the current environment, capabilities and services to understand current performance. Identify areas for improvement in terms of IT's contribution to enterprise objectives.

Management should develop a baseline of the current business and IT environment against which the future requirements can be compared. It should contain high-level details of the present business processes, IT processes and procedures. Risk from current technologies should be identified, and the gaps between current business and IT capabilities and services and reference standards and good practices should be identified. Management should identify the strengths, opportunities and threats in the current environment, capabilities and services to understand current performance and identify areas for improvement.

14. APO02.03 Define the target IT capabilities.
Define the target business and IT capabilities and required IT services. This should be based on the understanding of the enterprise environment and requirements; the assessment of the current business process and IT environment and issues; and consideration of reference standards, good practices and validated emerging technologies or innovation proposals.
1. Consider validated emerging technology or innovation ideas.
2. Identify threats from declining, current and newly acquired technologies.
3. Define high-level IT objectives/goals and how they will contribute to the enterprise's business objectives.
4. Define required and desired business process and IT capabilities and IT services and describe the high-level changes in the enterprise architecture (business, information, data, applications and technology domains), business and IT processes and procedures, the IT organization structure, IT service providers, governance of IT, and IT skills and competencies.
5. Align and agree with the enterprise architect on proposed enterprise architecture changes.
6. Demonstrate traceability to the enterprise strategy and requirements.

Management needs to consider emerging technologies and innovative ideas. Further, management should ascertain the present threats from declining, current and newly acquired technologies. Management needs to define the desired business process and IT capabilities and services in the current enterprise architecture and align them with the proposed architecture.

15. APO02.04 Conduct a gap analysis.
Identify the gaps between the current and target environments and consider the alignment of assets (the capabilities that support services) with business outcomes to optimize investment in and utilization of the internal and external asset base. Consider the critical success factors to support strategy execution.
1. Identify all gaps and changes required to realize the target environment.
2. Consider the high-level implications of all gaps. Consider the value of potential changes to business and IT capabilities, IT services and enterprise architecture, and the implications if no changes are realized.
3. Assess the impact of potential changes on the business and IT operating models, IT research and development capabilities, and IT investment programs.
4. Refine the target environment definition and prepare a value statement with the benefits of the target environment.

Management needs to identify the gaps and changes required to reach the target environment. To achieve the target environment, the high-level implications of gaps need to be considered, as well as the potential changes to business and architecture. Management needs to assess the impact of potential changes on business, IT operational models, IT research and development capabilities and the IT investment program.

16. APO02.05 Define the strategic plan and road map.
Create a strategic plan that defines, in co-operation with relevant stakeholders, how IT-related goals will contribute to the enterprise's strategic goals. Include how IT will support IT-enabled investment programs, business processes, IT services and IT assets. Direct IT to define the initiatives that will be required to close the gaps, the sourcing strategy and the measurements to be used to monitor achievement of goals, then prioritize the initiatives and combine them in a high-level road map.
1. Define the initiatives required to close gaps and migrate from the current to the target environment, including investment/operational budget, funding sources, sourcing strategy and acquisition strategy.
2. Identify and adequately address risk, costs and implications of organizational changes, technology evolution, regulatory requirements, business process re-engineering, staffing, insourcing and outsourcing opportunities, etc., in the planning process.
3. Determine dependencies, overlaps, synergies and impacts amongst initiatives, and prioritize the initiatives.
4. Identify resource requirements, schedule and investment/operational budgets for each of the initiatives.
5.
Create a road map indicating the relative scheduling and interdependencies of the initiatives. 6. Translate the objectives into outcome measures represented by metrics (what) and targets (how much) that can be related to enterprise benefits. Management needs to define the initiatives required to close the gaps and migrate to the target environment, which includes the investment budgets, sourcing strategy and acquisition strategy. Management needs to identify and address risks, costs and implication of organizational changes, technology evolution, business process re-engineering, staffing, etc. during the planning process. Management needs to determine the dependencies, overlaps, synergies and impact among initiatives and prioritize them. Further, management should identify the resource requirements, schedule and investment budgets for each initiative. Management should create a road map, which indicates the scheduling and interdependencies of the initiatives and then translate the objectives into outcome measures that can be related to enterprise benefits. 60

62 17. APO02.06 Communicate the IT strategy and direction. Create awareness and understanding of the business and IT objectives and direction, as captured in the IT strategy, through communication to appropriate stakeholders and users throughout the enterprise. 1. Develop and maintain a network for endorsing, supporting and driving the IT strategy. 2. Develop a communication plan covering the required messages, target audiences, communication mechanisms/channels and schedules. 3. Obtain feedback and update the communication plan and delivery as required. Management needs to develop and maintain a network for endorsing and supporting IT strategy. Management needs to develop a communication plan covering the required messages, target audiences and channels. 18. APO03.01 Develop the enterprise architecture vision. The architecture vision provides a first-cut, high-level description of the baseline and target architectures, covering the business, information, data, application and technology domains. The architecture vision provides the sponsor with a key tool to sell the benefits of the proposed capability to stakeholders within the enterprise. The architecture vision describes how the new capability will meet enterprise goals and strategic objectives and address stakeholder concerns when implemented. 1. Identify the key stakeholders and their concerns/objectives, and define the key enterprise requirements to be addressed as well as the architecture views to be developed to satisfy the various stakeholder requirements. 2. Identify the enterprise goals and strategic drivers of the enterprise and define the constraints that must be dealt with, including enterprise wide constraints and project-specific constraints (time, schedule, resources, etc.). 3. Align architecture objectives with strategic program priorities. 4. Understand the capabilities and desires of the business, then identify options to realize those capabilities. 5. 
Assess the enterprise s readiness for change. 6. Define what is inside and what is outside the scope of the baseline architecture and target architecture efforts, understanding that the baseline and target need not be described at the same level of detail. 7. Confirm and elaborate architecture principles, including enterprise principles. Ensure that any Management needs to identify stakeholder objectives and define the key enterprise requirements, along with architecture views, which need to be addressed and developed to satisfy stakeholder requirements. Management shall identify the goals and strategic drivers of the enterprise and define the constraints that must be dealt with, which includes project-specific constraints. Management needs to understand the capabilities and desires of the business and then identify the options to realize them. Management needs to factor in the enterprises readiness to change. Management needs to define what is within and outside of the scope of baseline architecture and target architecture efforts. Management should elaborate on the existing definitions and 61

63 existing definitions are current and clarify any areas of ambiguity. 8. Understand the current enterprise strategic goals and objectives and work with the strategic planning process to ensure that IT-related enterprise architecture opportunities are leveraged in the development of the strategic plan. 9. Based on stakeholder concerns, business capability requirements, scope, constraints and principles, create the architecture vision a high-level view of the baseline and target architectures. 10. Define the target architecture value propositions, goals and metrics. 11. Identify the enterprise change risk associated with the architecture vision, assess the initial level of risk (e.g., critical, marginal or negligible) and develop a mitigation strategy for each significant risk. 12. Develop an enterprise architecture concept business case, outline plans and statement of architecture work, and secure approval to initiate a project aligned and integrated with the enterprise strategy. clarify the areas of ambiguity. Based on the enterprise goals, Management needs to work on strategic planning processes to ensure that the IT-related architecture opportunities are leveraged in the development of the plans. Based on the concerns, the business capability requirements, scope, constraints and principles, management can create a high-level vision of the baseline and target architectures. Management should develop a business case, outline plans and statement of architecture work and secure approval to initiate a project aligned and integrated with the enterprise strategy. 19. APO03.02 Define reference architecture. The reference architecture describes the current and target architectures for the business, information, data, application and technology domains. 1. Maintain an architecture repository containing standards, reusable components, Modelling artifacts, relationships, dependencies and views to enable uniformity of architectural organization and maintenance. 2. 
Select reference viewpoints from the architecture repository that will enable the architect to demonstrate how stakeholder concerns are being addressed in the architecture. 3. For each viewpoint, select the models needed to support the specific view required, using selected tools or methods and the appropriate level of decomposition. 4. Develop baseline architectural domain descriptions, using the scope and level of detail necessary to support the target architecture and, to the extent possible, identifying relevant architecture building blocks from the architecture repository. 5. Maintain a process architecture model as part of the baseline and target domain descriptions. Standardize the descriptions and documentation of processes. Define the roles and responsibilities of Management needs to maintain a repository containing the standards, reusable components, modeling artifacts and relationships, dependencies, and views to enable uniformity within the architectural organization. There should be a selection of reference viewpoints from the repository that will enable demonstration of how stakeholder concerns are being addressed within the architecture. For each viewpoint, management should select the model needed to support the specific view that is required using selected tools or methods and an appropriate level of decomposition. Management should develop baseline architecture domain descriptions using scope and level of details necessary to support target architecture and identify relevant architecture building blocks from the repository. A process architecture model should be maintained as a part of baseline and target domain descriptions. Standardize the descriptions and document processes. The roles and responsibilities of the process decision makers, process 62

64 the process decision makers, process owner, process users, process team and any other process stakeholders who should be involved. 6. Maintain an information architecture model as part of the baseline and target domain descriptions, consistent with the enterprise s strategy to enable optimal use of information for decision-making. Maintain an enterprise data dictionary that promotes a common understanding and a classification scheme that includes details about data ownership, definition of appropriate security levels, and data retention and destruction requirements. 7. Verify the architecture models for internal consistency and accuracy and perform a gap analysis between the baseline and target. Prioritize gaps and define new or modified components that must be developed for the target architecture. Resolve potential impacts such as incompatibilities, inconsistencies or conflicts within the envisioned architecture. 8. Conduct a formal stakeholder review by checking the proposed architecture against the original motivation for the architecture project and the statement of architecture work. 9. Finalize business, information, data, applications and technology domain architectures, and create an architecture definition document. owners and team and other process should be defined. An information architecture model should be maintained as a part of baseline and target domain descriptions, consistent with enterprise strategy to enable optimal use of information for decision making. A data dictionary should be maintained that promotes a common understanding and classification scheme that includes details about data ownership and definition of appropriate security levels. 20. APO03.03 Select opportunities and solutions. Rationalize the gaps between baseline and target architectures, taking both business and technical perspectives, and logically group them into project work packages. 
Integrate the project with any related IT-enabled investment program to ensure that the architectural initiatives are aligned with and enable these initiatives as part of overall enterprise change. Make this a collaborative effort with key enterprise stakeholders from business and IT to assess the enterprise s transformation readiness, and identify opportunities, solutions and all implementation constraints. 1. Determine and confirm key enterprise change attributes, including the enterprise s culture and how this will impact enterprise architecture implementation, as well as the enterprise s transition capabilities. 2. Identify any enterprise drivers that would constrain the sequence of implementation, including a review of the enterprise and line of business strategic and business plans, and consideration of the current enterprise architecture maturity. 3. Review and consolidate the gap analysis results between the baseline and target architectures and Management needs to determine and confirm key enterprise change attributes, including the enterprise s culture and how it will influence architecture implementation, as well as transition capabilities. Management needs to identify drivers that constrain the sequence of implementation, which includes a review of the enterprise and line of business strategic and plans, and architecture maturity should be considered. Management needs to review and consolidate the gaps identified between the baseline and target architectures and assess the implication for potential solutions and alignment 63

65 assess their implications with respect to potential solutions/opportunities, interdependencies and alignment with current IT-enabled programs. 4. Assess the requirements, gaps, solutions and factors to identify a minimal set of functional requirements whose integration into work packages would lead to a more efficient and effective implementation of the target architecture. 5. Reconcile the consolidated requirements with potential solutions. 6. Refine the initial dependencies, ensuring that any constraints on the implementation and migration plans are identified, and consolidate them into a dependency analysis report. 7. Confirm the enterprise s readiness for, and the risk associated with, enterprise transformation. 8. Formulate a high-level implementation and migration strategy that will guide the target architecture implementation and structure the transition architectures in alignment with enterprise strategic objectives and time scales. 9. Identify and group major work packages into a coherent set of programs and projects, respecting the enterprise strategic implementation direction and approach. 10. Develop a series of transition architectures as necessary where the scope of change required to realize the target architecture requires an incremental approach. with IT-enabled programs. There needs to be an assessment of the requirements, gaps, solutions and factors to identify a minimal set of functional requirements whose integration would lead to efficient and effective implementation of target architecture. Management should refine the dependencies ensuring that the constraints on implementation and migration plans are identified and consolidated into a dependency report. Management needs to confirm the readiness and risk association with enterprise transformation. 
Management needs to formulate a high-level implementation and migration strategy that will guide the target architecture implementation and structure transitions in alignment with objectives and time scales. Major work packages should be identified and grouped into a set of programs and projects. Management should develop a series of transition architecture, as necessary and where the change is required, to realize the target architecture. 21. APO03.04 Define architecture implementation. Create a viable implementation and migration plan in alignment with the program and project portfolios. Ensure that the plan is closely coordinated to ensure that value is delivered and the required resources are available to complete the necessary work. 1. Establish what the implementation and migration plan should include as part of program and project planning and ensure that it is aligned with the requirements of applicable decision makers. 2. Confirm transition architecture increments and phases and update the architecture definition document. 3. Define architecture implementation governance requirements. Management needs to establish what implementation and migration plan shall be included as a part of the program and ensure its alignment with requirements of the stakeholders. Management needs to confirm transition architecture increments and phases, update the definition document, and define architecture governance requirements. 22. APO03.05 Provide enterprise architecture services. The provision of enterprise architecture services within the enterprise includes guidance to and monitoring of 64

66 implementation projects, formalizing ways of working through architecture contracts, and measuring and communicating architecture s value-add and compliance monitoring. 1. Confirm scope and priorities and provide guidance for solution development and deployment. 2. Manage the portfolio of enterprise architecture services to ensure alignment with strategic objectives and solution development. 3. Manage enterprise architecture requirements and support with architectural principles, models and building blocks. 4. Identify and align enterprise architecture priorities to value drivers. Define and collect value metrics and measure and communicate enterprise architecture value. 5. Establish a technology forum to provide architectural guidelines, advice on projects and guidance on the selection of technology. Measure compliance with these standards and guidelines, including compliance with external requirements and their business relevance. Management needs to confirm scope, priority and guidance for solution development and deployment. A portfolio of enterprise architecture services needs to be managed to ensure alignment with strategic objectives and solution development. The architecture requirements need to be managed to support principles, models and building blocks. Management needs to identify and align enterprise priorities to value drivers. Management needs to establish a technology form to provide architectural guidelines and advice on projects and guidance on the selection of technology. 23. APO12.01 Collect data. Identify and collect relevant data to enable effective IT-related risk identification, analysis and reporting. 1. Establish and maintain a method for the collection, classification and analysis of IT risk-related data, accommodating multiple types of events, multiple categories of IT risk and multiple risk factors. 2. 
Record relevant data on the enterprise s internal and external operating environment that could play a significant role in the management of IT risk. 3. Survey and analyze the historical IT risk data and loss experience from externally available data and trends, industry peers through industry-based event logs, databases, and industry agreements for common event disclosure. 4. Record data on risk events that have caused or may cause impacts to IT benefit/value enablement, IT program and project delivery, and/or IT operations and service delivery. Capture relevant data from related issues, incidents, problems and investigations. 5. For similar classes of events, organize the collected Management needs to establish and maintain a method for collection, classification and analysis of risk-related data, which accommodates multiple events, categories of risk and risk factors. Management can record relevant data on an enterprise s internal and external operating environment that would play a significant role in the management of risk. There can be a survey and analysis of historical risk data and loss experience from externally available trends, industry peers through event logs, databases and agreements for common event disclosures. The risk events that have caused or potentially cause impact to IT value benefits, programs and project delivery should be captured. In addition, data from incidents, problems and investigation can be recorded. Management needs to determine the specific conditions that 65

67 data and highlight contributing factors. Determine common contributing factors across multiple events. 6. Determine the specific conditions that existed or were absent when risk events occurred and the way the conditions affected event frequency and loss magnitude. 7. Perform periodic event and risk factor analysis to identify new or emerging risk issues and to gain an understanding of the associated internal and external risk factors. existed or were absent when risk events occurred and the way they affect event frequency and loss magnitude. Management should perform periodic event and risk factor analysis to identify new/emerging risk issues and gain an understanding of associated risk factors. 24. APO12.02 Analyze risk. Develop useful information to support risk decisions that take into account the business relevance of risk factors. 1. Define the appropriate breadth and depth of risk analysis efforts, considering all risk factors and the business criticality of assets. Set the risk analysis scope after performing a cost-benefit analysis. 2. Build and regularly update IT risk scenarios, including compound scenarios of cascading and/or coincidental threat types, and develop expectations for specific control activities, capabilities to detect and other response measures. 3. Estimate the frequency and magnitude of loss or gain associated with IT risk scenarios. Take into account all applicable risk factors, evaluate known operational controls and estimate residual risk levels. 4. Compare residual risk to acceptable risk tolerance and identify exposures that may require a risk response. 5. Analyze cost-benefit of potential risk response options such as avoid, reduce/mitigate, transfer/share, and accept and exploit/seize. Propose the optimal risk response. 6. Specify high-level requirements for projects or programs that will implement the selected risk responses. Identify requirements and expectations for appropriate key controls for risk mitigation responses. 7. 
Validate the risk analysis results before using them in decision-making, confirming that the analysis aligns with enterprise requirements and verifying that estimations were properly calibrated and scrutinized for bias. Management needs to define the appropriate breadth and depth of risk and criticality of assets. Set the risk scope after performing a cost-benefit analysis. Management needs to build and regularly update the risk scenarios, including compound scenarios of cascading/coincidental threat types and development expectations for specific control activities, capabilities to detect and other response measures. Management needs to estimate the frequency and magnitude of loss or gain associated with risk scenarios. Applicable risk factors need to be taken into account, and evaluate operational controls and estimate residual risk levels. There needs to be a comparison of residual risk to acceptable risk tolerance and risk exposures should be identified, which will require responses. Management needs to conduct a cost-benefit analysis of potential risk response options such as avoid, reduce, transfer and accept. Management should specify high-level requirements for programs that will implement the risk responses. Identify requirements for key controls. Management needs to validate the risk analysis results before using them for decision making, and confirm whether the results align with enterprise requirements, and verify that estimations were calibrated. 66

68 25. APO12.03 Maintain a risk profile. Maintain an inventory of known risk and risk attributes (including expected frequency, potential impact and responses) and of related resources, capabilities and current control activities. 1. Inventory business processes, including supporting personnel, applications, infrastructure, facilities, critical manual records, vendors, suppliers and outsourcers, and document the dependency on IT service management processes and IT infrastructure resources. 2. Determine and agree on which IT services and IT infrastructure resources are essential to sustain the operation of business processes. Analyze dependencies and identify weak links. 3. Aggregate current risk scenarios by category, business line and functional area. 4. On a regular basis, capture all risk profile information and consolidate it into an aggregated risk profile. 5. Based on all risk profile data, define a set of risk indicators that allow the quick identification and monitoring of current risk and risk trends. 6. Capture information on IT risk events that have materialized, for inclusion in the IT risk profile of the enterprise. Management can take an inventory of business processes, applications, infrastructure, facilities, critical manual records, vendors, etc., and document the dependency on IT service management processes and IT infrastructure resources. Further, management should determine and agree on which IT services and infrastructure resources are essential to sustain the operation of business processes. Analyze dependencies and weak links. Management needs to aggregate current risk scenarios by categories, business lines and functional areas. On a regular basis, management should capture risk profile information and consolidate it into aggregated risk profiles. Based on the profiles, management needs to define a set of risk indicators that allow quick identification and monitoring of current risk trends. 
Capture the information on risk events that have materialized for inclusion in profiles of the enterprise. 26. APO12.04 Articulate risk. Provide information on the current state of IT-related exposures and opportunities in a timely manner to all required stakeholders for appropriate response. 1. Report the results of risk analysis to all affected stakeholders in terms and formats useful to support enterprise decisions. Wherever possible, include probabilities and ranges of loss or gain along with confidence levels that enable management to balance risk-return. Management needs to report the results of risk analysis to all the affected stakeholders in terms of formats supporting decision making. Wherever possible, include probabilities and range of loss or gain with confidence levels to balance risk and return. Management can provide to the decision makers an 67

69 2. Provide decision makers with an understanding of worst-case and most-probable scenarios, due diligence exposures, and significant reputation, legal or regulatory considerations. 3. Report the current risk profile to all stakeholders, including effectiveness of the risk management process, control effectiveness, gaps, inconsistencies, redundancies, remediation status, and their impacts on the risk profile. 4. Review the results of objective third-party assessments, internal audit and quality assurance reviews, and maps them to the risk profile. Review identified gaps and exposures to determine the need for additional risk analysis. understanding of worst case and most probable scenarios, due diligence exposures and reputation, legal or regulatory consideration. The report to stakeholders on current risk profile should include effectiveness of the risk management process, control effectiveness, gaps, inconsistencies, etc., and their impact on the risk profile. Management should review the results of third-party assessments, internal audits and quality assurance (QA) reviews, and map them to the risk profiles. 27. APO12.05 Define a risk management action portfolio. Manage opportunities to reduce risk to an acceptable level as a portfolio. 1. Maintain an inventory of control activities that are in place to manage risk and that enable risk to be taken in line with risk appetite and tolerance. Classify control activities and map them to specific IT risk statements and aggregations of IT risk. 2. Determine whether each organizational entity monitors risk and accepts accountability for operating within its individual and portfolio tolerance levels. 3. Define a balanced set of project proposals designed to reduce risk and/or projects that enable strategic enterprise opportunities, considering cost/benefits, effect on current risk profile and regulations. 
Management needs to make an inventory of the control activities that are in place to manage risk and that enable risk to be taken in line with appetite and tolerance. The control activities should be classified and mapped to specific risk statements and aggregations of risk. Management needs to determine that risk and accountability for operating within individual and portfolio tolerance levels are monitored. Management defines a balanced set of project proposals designed to reduce risk and/or projects that enable strategic opportunities, considering the cost-benefit analysis.

28. APO12.06 Respond to risk. Respond in a timely manner with effective measures to limit the magnitude of loss from IT-related events.
1. Prepare, maintain and test plans that document the specific steps to take when a risk event may cause a significant operational or development incident with serious business impact. Ensure that plans include pathways of escalation across the enterprise.
2. Categorize incidents, and compare actual exposures against risk tolerance thresholds. Communicate business impacts to decision makers as part of reporting, and update the risk profile.
3. Apply the appropriate response plan to minimize the impact when risk incidents occur.
4. Examine past adverse events/losses and missed opportunities, and determine root causes. Communicate root cause, additional risk response requirements and process improvements to appropriate decision makers and ensure that the cause, response requirements and process improvement are included in risk governance processes.
Management needs to prepare, maintain and test plans that document the specific steps to take when a risk event may cause a significant operational or development incident with serious impact on the business, and ensure that the plans include escalation pathways across the enterprise. Incidents need to be categorized, actual exposures compared against risk tolerance thresholds, the resulting business impacts communicated to decision makers as part of reporting, and the risk profile updated. Management should apply the appropriate response plan to minimize the impact when risk incidents occur, examine past adverse events and missed opportunities, and determine root causes. Communicate the root causes, additional risk response requirements and process improvements to decision makers and ensure that they are included in risk governance processes.

29. APO13.01 Establish and maintain an information security management system (ISMS). Establish and maintain an ISMS that provides a standard, formal and continuous approach to security management for information, enabling secure technology and business processes that are aligned with business requirements and enterprise security management.
1. Define the scope and boundaries of the ISMS in terms of the characteristics of the enterprise, the organization, its location, assets and technology.
2. Include details of, and justification for, any exclusion from the scope.
3. Define the ISMS in accordance with enterprise policy and aligned with the enterprise, the organization, its location, assets and technology.
4. Align the ISMS with the overall enterprise approach to the management of security.
5. Obtain management authorization to implement and operate or change the ISMS.
6. Prepare and maintain a statement of applicability that describes the scope of the ISMS.
7. Define and communicate information security management roles and responsibilities.
8. Communicate the ISMS approach.
Management needs to define the scope and boundaries of the ISMS in terms of the characteristics of the enterprise and the organization, including its location, assets and technology, and include the justification for any exclusion from the scope. Management needs to define the ISMS in accordance with enterprise policy and align it with the overall enterprise approach to the management of security. Management needs to obtain authorization to implement and operate, or change, the ISMS. Management should prepare and maintain a statement of applicability that describes the scope of the ISMS, and should define and communicate information security management roles and responsibilities as well as the ISMS approach.

30. APO13.02 Define and manage an information security risk treatment plan. Maintain an information security plan that describes how information security risk is to be managed and aligned with the enterprise strategy and enterprise architecture. Ensure that recommendations for implementing security improvements are based on approved business cases and implemented as an integral part of services and solutions development, then operated as an integral part of business operation.
1. Formulate and maintain an information security risk treatment plan aligned with strategic objectives and the enterprise architecture. Ensure that the plan identifies the appropriate and optimal management practices and security solutions, with associated resources, responsibilities and priorities for managing identified information security risk.
2. Develop proposals to implement the information security risk treatment plan, supported by suitable business cases, which include consideration of funding and allocation of roles and responsibilities.
3. Provide input to the design and development of management practices and solutions selected from the information security risk treatment plan.
4. Define how to measure the effectiveness of the selected management practices and specify how these measurements are to be used to assess effectiveness to produce comparable and reproducible results.
5. Recommend information security training and awareness programs.
6. Integrate the planning, design, implementation and monitoring of information security procedures and other controls capable of enabling prompt prevention, detection of security events and response to security incidents.
Management needs to formulate and maintain an information security risk treatment plan aligned with strategic objectives and the enterprise architecture, and ensure that the plan identifies the appropriate and optimal management practices and security solutions, with associated resources, responsibilities and priorities for managing identified information security risk. Develop proposals to implement the plan, supported by suitable business cases that consider funding and the allocation of roles and responsibilities. Management needs to provide input to the design and development of the practices and solutions selected from the risk treatment plan. Management should define how to measure the effectiveness of the selected management practices and specify how these measurements are used to assess effectiveness so as to produce comparable and reproducible results. Further, recommend information security training and awareness programs. Management should integrate the planning, design, implementation and monitoring of information security procedures and other controls capable of enabling prompt prevention and detection of security events and response to security incidents.

31. APO13.03 Monitor and review the ISMS. Maintain and regularly communicate the need for, and benefits of, continuous information security improvement. Collect and analyze data about the ISMS, and improve the effectiveness of the ISMS. Correct non-conformities to prevent recurrence. Promote a culture of security and continual improvement.
1. Undertake regular reviews of the effectiveness of the ISMS, including meeting ISMS policy and objectives, and review of security practices. Take into account results of security audits, incidents, and results from effectiveness measurements, suggestions and feedback from all interested parties.
2. Conduct internal ISMS audits at planned intervals.
3. Undertake a management review of the ISMS on a regular basis to ensure that the scope remains adequate and improvements in the ISMS process are identified.
4. Provide input to the maintenance of the security plans to take into account the findings of monitoring and reviewing activities.
5. Record actions and events that could have an impact on the effectiveness or performance of the ISMS.
Management should undertake regular reviews of the effectiveness of the ISMS, including whether ISMS policy and objectives are being met, and review security practices, taking into account the results of security audits, incidents, results from effectiveness measurements, and suggestions and feedback from all interested parties. Management should conduct internal ISMS audits at planned intervals and undertake a management review of the ISMS on a regular basis to ensure that the scope remains adequate and improvements to the ISMS process are identified. The findings of monitoring and review activities should feed into the maintenance of the security plans, and actions and events that may affect the effectiveness or performance of the ISMS should be recorded.

32. DSS01.02 Manage outsourced IT services. Manage the operation of outsourced IT services to maintain the protection of enterprise information and reliability of service delivery.
1. Ensure that the enterprise's requirements for security of information processes are adhered to in accordance with contracts and SLAs with third parties hosting or providing services.
2. Ensure that the enterprise's operational business and IT processing requirements and priorities for service delivery are adhered to in accordance with contracts and SLAs with third parties hosting or providing services.
3. Integrate critical internal IT management processes with those of outsourced service providers, covering, e.g., performance and capacity planning, change management, configuration management, service request and incident management, problem management, security management, business continuity, and the monitoring of process performance and reporting.
4. Plan for independent audit and assurance of the operational environments of outsourced providers to confirm that agreed-on requirements are being adequately addressed.
Management needs to ensure that the enterprise's requirements for security of information processes are adhered to in accordance with contracts and SLAs with third parties hosting or providing services, and that the enterprise's operational business and IT processing requirements and priorities for service delivery are likewise adhered to. Management should integrate critical internal IT management processes with those of outsourced service providers, covering performance and capacity planning, change management, configuration management, service request and incident management, problem management, security management, business continuity, and the monitoring of process performance and reporting. Plan for independent audit and assurance of the operational environments of outsourced providers to confirm that agreed-on requirements are being adequately addressed.

33. DSS01.03 Monitor IT infrastructure. Monitor the IT infrastructure and related events. Store sufficient chronological information in operations logs to enable the reconstruction, review and examination of the time sequences of operations and the other activities surrounding or supporting operations.
1. Log events, identifying the level of information to be recorded based on a consideration of risk and performance.
2. Identify and maintain a list of infrastructure assets that need to be monitored based on service criticality and the relationship between configuration items and services that depend on them.
3. Define and implement rules that identify and record threshold breaches and event conditions. Find a balance between generating spurious minor events and significant events so event logs are not overloaded with unnecessary information.
4. Produce event logs and retain them for an appropriate period to assist in future investigations.
5. Establish procedures for monitoring event logs and conduct regular reviews.
6. Ensure that incident tickets are created in a timely manner when monitoring identifies deviations from defined thresholds.
Management needs to ensure that events are logged, with the level of information to be recorded identified based on a consideration of risk and performance. Identify and maintain a list of infrastructure assets that need to be monitored based on service criticality and the relationship between configuration items and the services that depend on them. Management should define and implement rules that identify and record threshold breaches and event conditions, finding a balance between generating spurious minor events and significant events so that event logs are not overloaded with unnecessary information. Event logs need to be produced and retained for an appropriate period to assist in future investigations, and procedures for monitoring them and conducting regular reviews should be established. Management needs to ensure that incident tickets are created in a timely manner when monitoring identifies deviations from defined thresholds.

34. DSS01.04 Manage the environment. Maintain measures for protection against environmental factors. Install specialized equipment and devices to monitor and control the environment.
1. Identify natural and man-made disasters that might occur in the area within which the IT facilities are located. Assess the potential effect on the IT facilities.
2. Identify how IT equipment, including mobile and offsite equipment, is protected against environmental threats. Ensure that the policy limits or excludes eating, drinking and smoking in sensitive areas, and prohibits storage of stationery and other supplies posing a fire hazard within computer rooms.
3. Situate and construct IT facilities to minimize and mitigate susceptibility to environmental threats.
4. Regularly monitor and maintain devices that proactively detect environmental threats (e.g., fire, water, smoke, humidity).
5. Respond to environmental alarms and other notifications. Document and test procedures, which should include prioritization of alarms and contact with local emergency response authorities, and train personnel in these procedures.
6. Compare measures and contingency plans against insurance policy requirements and report results. Address points of non-compliance in a timely manner.
7. Ensure that IT sites are built and designed to minimize the impact of environmental risk (e.g., theft, air, fire, smoke, water, vibration, terror, vandalism, chemicals, and explosives). Consider specific security zones and/or fireproof cells (e.g., locating production and development environments/servers away from each other).
Management needs to identify natural and man-made disasters that might occur in the area within which the IT facilities are located and assess the potential effect on the IT facilities. Management should identify how IT equipment, including mobile and offsite equipment, is protected against environmental threats, and ensure that policy limits or excludes eating, drinking and smoking in sensitive areas and prohibits the storage of stationery and other supplies that might pose a fire hazard within computer rooms. Management should ensure that IT facilities are situated and constructed so as to minimize and mitigate susceptibility to environmental threats. Further, regularly monitor and maintain devices that proactively detect environmental threats, and respond to environmental alarms and other notifications. Document and test procedures, which should include prioritization of alarms and contact with local emergency response authorities, and train personnel in them. Management should compare measures and contingency plans against insurance policy requirements, report the results and address points of non-compliance in a timely manner. Further, ensure that IT sites are built and designed to minimize the impact of environmental risk, considering specific security zones and fireproof cells.

35. DSS01.05 Manage facilities. Manage facilities, including power and communications equipment, in line with laws and regulations, technical and business requirements, vendor specifications, and health and safety guidelines.
1. Examine the IT facilities' requirement for protection against power fluctuations and outages, in conjunction with other business continuity planning requirements. Procure suitable uninterruptible supply equipment (e.g., batteries, generators) to support business continuity planning.
2. Regularly test the uninterruptible power supply's mechanisms, and ensure that power can be switched to the supply without any significant effect on business operations.
3. Ensure that the facilities housing the IT systems have more than one source for dependent utilities (e.g., power, telecommunications, water, gas). Separate the physical entrance of each utility.
4. Confirm that cabling external to the IT site is located underground or has suitable alternative protection. Determine that cabling within the IT site is contained within secured conduits, and wiring cabinets have access restricted to authorized personnel. Properly protect cabling against damage caused by fire, smoke, water, interception and interference.
5. Ensure that cabling and physical patching (data and phone) are structured and organized. Cabling and conduit structures should be documented (e.g., blueprint building plan and wiring diagrams).
6. Analyze the facilities housing high-availability systems for redundancy and fail-over cabling requirements (external and internal).
7. Ensure that IT sites and facilities are in ongoing compliance with relevant health and safety laws, regulations, guidelines, and vendor specifications.
8. Educate personnel on a regular basis on health and safety laws, regulations, and relevant guidelines. Educate personnel on fire and rescue drills to ensure knowledge and actions taken in case of fire or similar incidents.
9. Record, monitor, manage and resolve facilities incidents in line with the IT incident management process. Make available reports on facilities incidents where disclosure is required in terms of laws and regulations.
Management needs to examine the IT facilities' requirement for protection against power fluctuations and outages, in conjunction with business continuity planning requirements, and procure suitable uninterruptible supply equipment. Regularly test the uninterruptible power supply's mechanisms and ensure that power can be switched to the supply without any significant effect on business operations. The facilities housing the IT systems need to have more than one source for dependent utilities, with separate physical entrances for each utility. Management needs to confirm that cabling external to the IT site is located underground or has suitable alternative protection, determine that cabling within the IT site is contained within secured conduits with access to wiring cabinets restricted to authorized personnel, and protect cabling against damage from fire, smoke, water, interception and interference. Also, ensure that cabling and physical patching are structured and organized, and that cabling and conduit structures are documented. Management needs to analyze the facilities housing high-availability systems for redundancy and fail-over cabling requirements. IT sites and facilities must remain in ongoing compliance with relevant health and safety laws, regulations, guidelines and vendor specifications, and personnel should be educated on these as well as on fire and rescue drills, so that they know what actions to take in case of fire or similar incidents. Management should record, monitor, manage and resolve facilities incidents in line with the IT incident management process and make reports available where disclosure is required in terms of laws and regulations.

36. DSS06.01 Align control activities embedded in business processes with enterprise objectives. Continually assess and monitor the execution of the business process activities and related controls, based on enterprise risk, to ensure that the processing controls are aligned with business needs.
1. Identify and document control activities of key business processes to satisfy control requirements for strategic, operational, reporting and compliance objectives.
2. Prioritize control activities based on the inherent risk to the business and identify key controls.
3. Ensure ownership of key control activities.
4. Continually monitor control activities on an end-to-end basis to identify opportunities for improvement.
5. Continually improve the design and operation of business process controls.
Management needs to identify and document the control activities of key business processes to satisfy control requirements for strategic, operational, reporting and compliance objectives, prioritize the control activities based on the inherent risk to the business, and identify key controls. Management needs to ensure ownership of key control activities, continually monitor them on an end-to-end basis to identify opportunities for improvement, and continually improve the design and operation of business process controls.

37. DSS06.02 Control the processing of information. Operate the execution of the business process activities and related controls, based on enterprise risk, to ensure that information processing is valid, complete, accurate, timely, and secure (i.e., reflects legitimate and authorized business use).
1. Create transactions by authorized individuals following established procedures, including, where appropriate, adequate segregation of duties regarding the origination and approval of these transactions.
2. Authenticate the originator of transactions and verify that he/she has the authority to originate the transaction.
3. Input transactions in a timely manner. Verify that transactions are accurate, complete and valid. Validate input data and edit or, where applicable, send back for correction as close to the point of origination as possible.
4. Correct and resubmit data that were erroneously input without compromising original transaction authorization levels. Where appropriate for reconstruction, retain original source documents for the appropriate amount of time.
5. Maintain the integrity and validity of data throughout the processing cycle. Ensure that detection of erroneous transactions does not disrupt processing of valid transactions.
6. Maintain the integrity of data during unexpected interruptions in business processing and confirm data integrity after processing failures.
7. Handle output in an authorized manner, deliver to the appropriate recipient and protect the information during transmission. Verify the accuracy and completeness of the output.
8. Before passing transaction data between internal applications and business/operational functions (inside or outside the enterprise), check for proper addressing, authenticity of origin and integrity of content. Maintain authenticity and integrity during transmission or transport.
Management needs to create transactions by authorized individuals following established procedures, including, where appropriate, adequate segregation of duties regarding the origination and approval of transactions.

38. DSS06.03 Manage roles, responsibilities, access privileges and levels of authority. Manage the business roles, responsibilities, levels of authority and segregation of duties needed to support the business process objectives. Authorize access to any information assets related to business information processes, including those under the custody of the business, IT and third parties. This ensures that the business knows where the data are and who is handling data on its behalf.
1. Allocate roles and responsibilities based on approved job descriptions and allocated business process activities.
2. Allocate levels of authority for approval of transactions, limits and any other decisions relating to the business process, based on approved job roles.
3. Allocate access rights and privileges based on only what is required to perform job activities, based on pre-defined job roles. Remove or revise access rights immediately if the job role changes or a staff member leaves the business process area. Periodically review to ensure that the access is appropriate for the current threats, risk, technology and business need.
4. Allocate roles for sensitive activities so that there is a clear segregation of duties.
5. Provide awareness and training regarding roles and responsibilities on a regular basis so that everyone understands their responsibilities; the importance of controls; and the integrity, confidentiality and privacy of company information in all its forms.
6. Periodically review access control definitions, logs and exception reports to ensure that all access privileges are valid and aligned with current staff members and their allocated roles.
Management should allocate roles and responsibilities based on approved job descriptions and allocated business process activities, and allocate levels of authority for approval of transactions, limits and any other decisions relating to the business process based on the approved job roles. Access rights and privileges should be allocated based only on what is required to perform job activities, according to predefined job roles; access rights should be removed or revised immediately if the job role changes or a staff member leaves the business process area, and reviewed periodically to ensure that access remains appropriate for current threats, risk, technology and business need. Management should allocate roles for sensitive activities so that there is a clear segregation of duties. Awareness and training regarding roles and responsibilities should be provided on a regular basis to everyone, so that all staff understand their responsibilities, the importance of controls, and the integrity, confidentiality and privacy of company information in all its forms. Management should periodically review access control definitions, logs and exception reports to ensure that all access privileges are valid and aligned with current staff members and their allocated roles.

39. DSS06.04 Manage errors and exceptions. Manage business process exceptions and errors and facilitate their correction. Include escalation of business process errors and exceptions and the execution of defined corrective actions. This provides assurance of the accuracy and integrity of the business information process.
1. Define and maintain procedures to assign ownership, correct errors, override errors and handle out-of-balance conditions.
2. Review errors, exceptions and deviations.
3. Follow up, correct, approve and resubmit source documents and transactions.
4. Maintain evidence of remedial actions.
5. Report relevant business information process errors in a timely manner to perform root cause and trending analysis.
Management should define and maintain procedures to assign ownership, correct errors, override errors and handle out-of-balance conditions. Management needs to review errors, exceptions and deviations; follow up, correct, approve and resubmit source documents and transactions; and maintain evidence of remedial actions. Management should report relevant business information process errors in a timely manner so that root cause and trending analysis can be performed.

40. DSS06.05 Ensure traceability of information events and accountabilities. Ensure that business information can be traced to the originating business event and accountable parties. This enables traceability of the information through its life cycle and related processes. This provides assurance that information that drives the business is reliable and has been processed in accordance with defined objectives.
1. Define retention requirements, based on business requirements, to meet operational, financial reporting and compliance needs.
2. Capture source information, supporting evidence and the record of transactions.
3. Dispose of source information, supporting evidence and the record of transactions in accordance with the retention policy.
Management needs to define retention requirements, based on business requirements, to meet operational, financial reporting and compliance needs. Management should capture source information, supporting evidence and the record of transactions, and dispose of them in accordance with the retention policy.
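The monitoring rules in DSS01.03 (row 33 above) come down to four mechanics: parse events, keep only the level of detail that risk warrants, apply threshold and event-condition rules without flooding the queue with duplicate alerts, and open an incident ticket when a threshold is breached. The following Python script, added here as an illustration and not part of the original ISACA publication or of COBIT, runs those mechanics over a handful of constructed log lines. The log format, the thresholds (more than five failed logins within 60 seconds, volume usage above 90 percent) and the one-year retention period are assumptions chosen for the example, not values the document prescribes.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the original document): a burst of
# failed logins for one account, a single failed login for another, and two
# storage-capacity readings, one of which crosses the alert threshold.
SAMPLE_LOG = """\
2024-03-01T09:00:01 auth sshd: Failed password for finance_batch from 10.0.5.12
2024-03-01T09:00:04 auth sshd: Failed password for finance_batch from 10.0.5.12
2024-03-01T09:00:07 auth sshd: Failed password for finance_batch from 10.0.5.12
2024-03-01T09:00:09 auth sshd: Failed password for finance_batch from 10.0.5.12
2024-03-01T09:00:11 auth sshd: Failed password for finance_batch from 10.0.5.12
2024-03-01T09:00:13 auth sshd: Failed password for finance_batch from 10.0.5.12
2024-03-01T09:00:15 auth sshd: Accepted password for finance_batch from 10.0.5.12
2024-03-01T09:05:00 auth sshd: Failed password for jdoe from 10.0.7.3
2024-03-01T09:10:00 storage monitor: volume /gl_data usage 72%
2024-03-01T09:20:00 storage monitor: volume /gl_data usage 93%
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<source>\S+) (?P<proc>[^:]+): (?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for (?P<user>\S+) from (?P<ip>\S+)")
USAGE_RE = re.compile(r"volume (?P<vol>\S+) usage (?P<pct>\d+)%")

# Rule parameters: assumed thresholds for illustration, not from the document.
FAILED_LOGIN_LIMIT = 5                        # more than this many failures ...
FAILED_LOGIN_WINDOW = timedelta(seconds=60)   # ... inside this sliding window
DISK_USAGE_LIMIT = 90                         # percent
RETENTION = timedelta(days=365)


def parse(log_text):
    """Turn raw lines into event dicts; lines that do not fit the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def evaluate(events):
    """Apply the threshold and event-condition rules; return one ticket per breach.

    Repeated breaches of the same rule for the same key produce a single ticket,
    so the incident queue is not overloaded with duplicates of one condition.
    """
    tickets = []
    failures = defaultdict(list)   # user -> timestamps of recent failed logins
    ticketed = set()               # (rule, key) pairs already raised
    for ev in events:
        m = FAILED_RE.search(ev["msg"])
        if m:
            user = m.group("user")
            failures[user].append(ev["ts"])
            # keep only failures still inside the sliding window
            failures[user] = [t for t in failures[user] if ev["ts"] - t <= FAILED_LOGIN_WINDOW]
            if len(failures[user]) > FAILED_LOGIN_LIMIT and ("brute_force", user) not in ticketed:
                ticketed.add(("brute_force", user))
                tickets.append({"rule": "brute_force", "key": user, "ts": ev["ts"],
                                "detail": f"{len(failures[user])} failed logins within "
                                          f"{int(FAILED_LOGIN_WINDOW.total_seconds())}s "
                                          f"from {m.group('ip')}"})
            continue
        m = USAGE_RE.search(ev["msg"])
        if m and int(m.group("pct")) > DISK_USAGE_LIMIT:
            vol = m.group("vol")
            if ("disk_usage", vol) not in ticketed:
                ticketed.add(("disk_usage", vol))
                tickets.append({"rule": "disk_usage", "key": vol, "ts": ev["ts"],
                                "detail": f"usage {m.group('pct')}% exceeds {DISK_USAGE_LIMIT}%"})
    return tickets


def within_retention(events, now):
    """Events still inside the retention period at time `now`; older ones are due for disposal."""
    return [ev for ev in events if now - ev["ts"] <= RETENTION]


def retained_events(log_text, now_iso):
    """Convenience wrapper: parse a log and apply the retention check at an ISO timestamp."""
    return within_retention(parse(log_text), datetime.fromisoformat(now_iso))


def run(log_text=SAMPLE_LOG):
    """Parse the log and return the incident tickets the rules would raise."""
    return evaluate(parse(log_text))


if __name__ == "__main__":
    for t in run():
        print(t["ts"].isoformat(), t["rule"], t["key"], t["detail"])
```

On the constructed input the script raises two tickets: one brute-force ticket for the finance_batch account (six failures in twelve seconds, raised once rather than on every subsequent failure) and one capacity ticket for /gl_data; the single failure for jdoe stays below the threshold and generates no noise. The retention helper is the piece an auditor would test against the retention requirement agreed under DSS06.05.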
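DSS06.03 (row 38 above) asks management to grant access on predefined job roles, remove it when staff leave the process area, keep sensitive duties segregated, and periodically reconcile granted privileges against current staff and roles. The following Python script, added here as an illustration and not part of the original ISACA publication or of COBIT, performs such a reconciliation over constructed data: a role-to-entitlement model, an HR roster, an entitlement export from an accounts-payable application, and a list of segregation-of-duties conflicts. All role names, account names, entitlements and conflict pairs are invented for the example.

```python
# Role definitions: the entitlements each approved job role is allowed to hold.
# Constructed for this example; the names are illustrative, not from the document.
ROLE_ENTITLEMENTS = {
    "ap_clerk": {"create_vendor", "enter_invoice"},
    "ap_manager": {"approve_payment", "view_reports"},
    "gl_accountant": {"post_journal", "view_reports"},
}

# Entitlement pairs that must never sit with one person (segregation of duties).
SOD_CONFLICTS = [
    ("create_vendor", "approve_payment"),
    ("enter_invoice", "approve_payment"),
]

# HR roster: who is active and which role they are approved for.
ROSTER = {
    "asingh": {"role": "ap_clerk", "status": "active"},
    "rmehta": {"role": "ap_manager", "status": "active"},
    "pkumar": {"role": "gl_accountant", "status": "left"},   # has left the process area
    "ljoshi": {"role": "gl_accountant", "status": "active"},
}

# Entitlement export from the application: what each account actually holds.
ACCOUNT_ENTITLEMENTS = {
    "asingh": {"create_vendor", "enter_invoice", "approve_payment"},  # excess right + SoD conflict
    "rmehta": {"approve_payment", "view_reports"},
    "pkumar": {"post_journal"},                                       # orphaned account
    "ljoshi": {"post_journal", "view_reports"},
    "svc_legacy": {"post_journal"},                                   # no HR record at all
}


def review_access(roster=ROSTER, accounts=ACCOUNT_ENTITLEMENTS,
                  roles=ROLE_ENTITLEMENTS, sod=SOD_CONFLICTS):
    """Reconcile granted entitlements with the roster and role definitions.

    Returns (finding_type, account, detail) tuples, sorted so successive reviews
    can be diffed and the exception report is stable.
    """
    findings = []
    for account, granted in accounts.items():
        person = roster.get(account)
        if person is None:
            findings.append(("unknown_account", account, "no HR record for this account"))
            continue
        if person["status"] != "active":
            findings.append(("orphaned_account", account,
                             f"status is {person['status']} but account still holds {sorted(granted)}"))
            continue
        allowed = roles.get(person["role"], set())
        excess = granted - allowed
        if excess:
            findings.append(("excess_privilege", account,
                             f"holds {sorted(excess)} not in role {person['role']}"))
        for a, b in sod:
            if a in granted and b in granted:
                findings.append(("sod_conflict", account, f"holds both {a} and {b}"))
    return sorted(findings)


def remediate(roster=ROSTER, accounts=ACCOUNT_ENTITLEMENTS, roles=ROLE_ENTITLEMENTS):
    """Least-privilege cleanup: drop accounts of leavers and trim entitlements to the role.

    Accounts with no HR record are left as they are; deciding their fate is a
    human judgement, not something a script should do silently.
    """
    fixed = {}
    for account, granted in accounts.items():
        person = roster.get(account)
        if person is None:
            fixed[account] = set(granted)
        elif person["status"] == "active":
            fixed[account] = granted & roles.get(person["role"], set())
    return fixed


if __name__ == "__main__":
    for kind, account, detail in review_access():
        print(f"{kind:17} {account:11} {detail}")
    print("after remediation:", review_access(accounts=remediate()))
```

Running the review on the constructed export yields five findings: an excess privilege and two segregation-of-duties conflicts for asingh (the extra approve_payment right creates both conflicts), an orphaned account for pkumar, and an account with no HR owner. After remediation the only open finding is the unowned service account, which is the one item that genuinely needs a person to decide.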

41. DSS06.06 Secure information assets. Secure information assets accessible by the business through approved methods, including information in electronic form (such as methods that create new assets in any form, portable media devices, user applications and storage devices), information in physical form (such as source documents or output reports) and information during transit. This benefits the business by providing end-to-end safeguarding of information.

MEA01, MEA02 and MEA03 are explained in the stakeholder 3 section that follows.

STAKEHOLDER 3 AUDITOR

Assurance means that, pursuant to an accountability relationship between two or more parties, an IT audit and assurance professional may be engaged to issue a written communication expressing a conclusion about the subject matter for which the accountable party is responsible. Assurance refers to a number of related activities designed to provide the reader or user of the report with a level of assurance or comfort over the subject matter. For example, assurance engagements could include support for audited financial statements; assessment of the value provided by IT to the enterprise; reviews of controls; compliance with required standards and practices; and compliance with agreements, licenses, legislation and regulations.

An auditor can be either an independent auditor unaffiliated with the company being audited or a captive auditor, and some are elected public officials. Auditors help ensure that organizations maintain accurate and honest financial records and statements, and they work for many different entities, including accounting firms in the private sector. There are both internal and external auditors: internal auditors are usually employees or contractors of the company they are auditing, while external auditors are independent of it, typically engaged from an accounting firm or, for public bodies, a government audit institution. Various roles of the auditor include:

- Inquiring of management and others to gain an understanding of the organization itself, its operations, financial reporting, and known fraud or error
- Evaluating and understanding the internal control system
- Performing analytical procedures on expected or unexpected variances in account balances or classes of transactions
- Testing documentation supporting account balances or classes of transactions
- Observing the physical inventory count
- Confirming accounts receivable and other accounts with a third party

At the completion of the audit, the auditor may also offer objective advice for improving financial reporting and internal controls to maximize a company's performance and efficiency.

The needs of this stakeholder can be assessed through the following questions, which the auditor should develop before an audit engagement:
- How dependent am I on external providers?
- What are the (control) requirements for information?
- Did I address all IT-related risk?
- Am I running an efficient and resilient IT operation?
- How do I get assurance over IT?
- Is the information I am processing well secured?
- How do I know my business partner's operations are secure and reliable?
- How do I know the enterprise is compliant with applicable rules and regulations?
- How do I know the enterprise is maintaining an effective system of internal control?
- Do business partners have the information chain between them under control?
Using this publication, the auditor will be able to:
- Better understand their roles and responsibilities for providing assurance over governance, internal controls and risk management
- Follow a well-illustrated, structured and comprehensive approach for providing assurance over IT with reference to governance, internal controls and risk management
- Use a structured framework that provides a common language among all stakeholders for assurance over specific IT areas

As set out in COBIT 5 for Assurance, an assurance initiative consists of five components, as illustrated in the following figure. Each of those components is described in further detail in the following subsections.

Source: COBIT 5 for Assurance, ISACA, USA, 2013, figure 4

Three-party Relationship

An accountable party is the individual, group or entity (auditee), usually involving management, that is ultimately responsible for the subject matter, process or scope. An assurance engagement involves two other parties:
- The user. Depending on the circumstances, the user could include a variety of stakeholders, such as shareholders, creditors, customers, the board of directors, the audit committee, legislators or regulators. For some types of assurance activities, the auditee and the user can be identical, e.g., IT management.
- The assurance professional (auditor) is the person who has overall responsibility for the performance of the assurance engagement and for the issuance of the report on the subject matter.

In conducting an assurance assignment, an accountability relationship exists among the three parties. The accountability relationship is a prerequisite for an assurance engagement, and it exists when one party (the auditee) is responsible to another party (the user) for a subject matter, or voluntarily chooses to report to another party on a subject matter. The accountability relationship may arise as a result of a (contractual) agreement or legislation, or because a user can be expected to have an interest in how the accountable party has discharged its responsibility for a subject matter.

Subject Matter

Subject matter is the specific information, practices or controls, such as any of the seven COBIT 5 enablers, that are the subject of an audit and assurance professional's review, examination and report. This subject matter can include the design or operation of internal controls and management practices over any aspect of the enterprise, or compliance with privacy practices or standards or specified laws and regulations.
Suitable Criteria

Criteria are the standards and benchmarks, such as COBIT 5, used to measure and present the subject matter and against which the practitioner evaluates the subject matter. Criteria can be formal or less formal, and there can be different criteria for the same subject matter. Suitable criteria are required for reasonably consistent evaluation or measurement of a subject matter within the context of professional judgment. Suitable criteria must have the necessary information quality goal attributes as defined in the COBIT 5 information model, in particular:

- Objectivity: Criteria should be free from bias.
- Measurability: Criteria should permit reasonably consistent measurements, qualitative or quantitative, of the subject matter.
- Understandability: Criteria should be communicated clearly and not be subject to significantly different interpretations by intended users.
- Completeness: Criteria should be sufficiently complete so that the relevant factors that would alter a conclusion about the subject matter are not omitted.
- Relevance: Criteria should be relevant to the subject matter.

Where criteria are established by management, assurance professionals must ensure that the scope covers what would normally be considered appropriate based on generally accepted definitions of the scope of the subject matter, or identify any scope limitations in their reports.

Execution

When undertaking an assurance activity, the audit and assurance professional eventually executes the assignment by following a structured approach, dependent on other enablers, to reach a conclusion on the evaluation of the subject matter.

Conclusion

The process of evaluating the results of audit or assurance testing, after confirmation, to arrive at conclusions and recommendations can be complex. What appears to be a problem may, in fact, be the effect of a problem, not the cause. Therefore, it is important for the audit and assurance professional to follow the conclusion process, from confirming facts with key individuals in the areas being audited to determining root causes. The individual findings can then be used to provide examples that support higher-level analysis:
- Developing various scenarios leading to potential recommendations
- Selecting an appropriate recommendation that is practical and achievable
- Identifying steps necessary to ensure buy-in of key stakeholders

Indeed, audit and assurance professionals should obtain an adequate understanding of the subject matter and its business environment.
They should see the bigger picture, link the impact of the issues and findings to the overall organizational strategic goals and objectives to tell the story behind the story, and communicate value insights. Executives are not very interested in knowing the observations; they need to understand the insights behind the findings.

Recommendations resulting from audit and assurance engagements may be reported in a separate report rather than as part of the audit or assurance report. Recommendations that, as part of the reporting process, require review and agreement by management, the auditee or other stakeholders should be presented in a clear, concise and actionable manner. Reports to senior management and executives should address issues and concepts, with detailed audit findings used as illustrations of the issue, problem or result. Reports to middle and line management should contain the same information but at a different level of detail, so that they can fully understand the issue and handle the problem. Where appropriate, recommendations should include provision for timely monitoring and follow-up.

The Assurance Function

The assurance function perspective has been adopted from COBIT 5 for Assurance. It describes what is needed in an enterprise to build and provide assurance functions. COBIT 5 is an end-to-end business framework, meaning that it considers the provisioning and use of assurance as part of the overall governance and management of enterprise IT.

Source: COBIT 5 for Assurance, ISACA, USA, 2013, figure 5

The assurance function perspective describes how each enabler contributes to the overall provisioning of assurance, for example:

- Which organizational structures are required to provide assurance (board/audit committee, audit function, etc.)
- Which information items are required to provide assurance (audit universe, audit plan, audit reports, etc.)

Core Assurance Processes

Because COBIT 5 is a comprehensive framework for governance and management of enterprise IT, it allows enterprises to use the enablers and management practices to satisfy their needs and goals. It can be tailored and used, at the discretion of management, toward achieving their goals and objectives. The figure that follows depicts that, out of the 37 COBIT 5 processes, the stakeholder (the auditor) can adapt the relevant processes (borders shaded in black) and their underlying management practices to assist in achieving the goals of the enterprise.

The processes comprised in the Monitor, Evaluate and Assess (MEA) domain of COBIT 5 can be regarded as the core assurance processes required within every enterprise.

Process: MEA01 Monitor, evaluate and assess performance and conformance.
Reasoning: This process covers the provisioning of transparency regarding performance and conformance, and drives achievement of goals by:
- Collecting, validating and evaluating business, IT and process goals and metrics
- Monitoring that processes are performing against agreed-on performance and conformance goals and metrics
- Providing reporting that is systematic and timely

Process: MEA02 Monitor, evaluate and assess the system of internal control.
Reasoning: This process covers obtaining transparency for key stakeholders on the adequacy of the system of internal controls, and thus providing trust in operations, confidence in the achievement of enterprise objectives and an adequate understanding of residual risk, by:
- Continuously monitoring and evaluating the control environment, including self-assessments and independent assurance reviews
- Enabling management to identify control deficiencies and inefficiencies and initiate improvement actions
- Planning, organizing and maintaining standards for internal control assessment and assurance activities

Process: MEA03 Monitor, evaluate and assess compliance with external requirements.
Reasoning: This process ensures that the enterprise is compliant with all applicable external requirements by:
- Evaluating that IT processes and IT-supported business processes are compliant with laws, regulations and contractual requirements
- Obtaining assurance that the requirements have been identified and that the enterprise has complied with them
- Integrating IT compliance with overall enterprise compliance

Source: COBIT 5 for Assurance, ISACA, USA, 2013, figure 32

As shown in the previous figure, the proposed assurance engagement approach refers explicitly to all COBIT 5 enabler categories. The COBIT 5 framework explains that the enablers are interconnected, e.g., processes use organizational structures as well as information items (inputs and outputs). When developing the audit/assurance program, it will become clear that if all possible entities of all enablers are included in the scope and reviewed in detail, there is potential for a lot of duplication. Avoiding that duplication is the responsibility of the assurance professional.

Generic Assurance Program

The assurance approach depicted in the previous figure is described in more detail and developed into a generic audit/assurance program, including guidance on how to proceed during each step, in the remainder of this section. This generic audit/assurance program is:

- Aligned with generally accepted auditing standards and practices, distinguishing among:
  Phase A: Planning and scoping the assurance engagement
  Phase B: Understanding the subject matter, setting suitable assessment criteria and performing the actual assessment
  Phase C: Communicating the results of the assessment
- Fully aligned with COBIT 5: It explicitly references all seven enablers. In other words, it is no longer exclusively process-focused; it also uses the different dimensions of the enabler model to cover all aspects contributing to the performance of the enablers. It references the COBIT 5 goals cascade to ensure that detailed objectives of the assurance engagement can be put into the enterprise and IT context, and concurrently it enables linkage of the assurance objectives to enterprise and IT risk and benefits.
- Comprehensive yet flexible: The generic program is comprehensive because it contains assurance steps covering all enablers in quite some detail, yet it is also flexible because this detailed structure enables clear and well-understood scoping decisions to be made. That is, the assurance professional can decide not to cover a set of enablers or some enabler instances and, while the decision will reduce the scope and related assurance engagement effort, what is or is not covered will be quite transparent to the assurance engagement user.
- Easy to understand, follow and apply because of its clear structure

RACI CHART

A responsibility assignment matrix, also known as a RACI matrix, ARCI matrix or linear responsibility chart, describes the participation of various roles in completing tasks or deliverables for a project or business process.
The following RACI chart explains the role of the auditor in evaluating effective corporate IT governance (R = responsible, A = accountable, C = consulted). The processes explained in this chapter should be executed keeping in mind the auditor's role as shown in the chart.

Management Practice                                        Auditor
MEA01.01 Establish a monitoring approach.                  C
MEA01.04 Analyze and report performance.                   C
MEA01.05 Ensure the implementation of corrective actions.  C
MEA02.01 Monitor internal controls.                        R
MEA02.02 Review business process controls effectiveness.   R
MEA02.03 Perform control self-assessments.                 R
MEA02.04 Identify and report control deficiencies.         R
MEA02.06 Plan assurance initiatives.                       C
MEA02.07 Scope assurance initiatives.                      A
MEA02.08 Execute assurance initiatives.                    A
MEA03.01 Identify external compliance requirements.        R
MEA03.02 Optimize response to external requirements.       R
MEA03.04 Obtain assurance of external compliance.          A

1. MEA01.01 Establish a monitoring approach.

Engage with stakeholders to establish and maintain a monitoring approach to define the objectives, scope and method for measuring business solution and service delivery and contribution to enterprise objectives. Integrate this approach with the corporate performance management system.

Activities:
1. Engage with the stakeholders and communicate the enterprise requirements and objectives for monitoring, aggregating and reporting, using common definitions (e.g., enterprise glossary, metadata and taxonomy), baselining and benchmarking.
2. Align and continually maintain the monitoring and evaluation approach with the enterprise approach and the tools to be used for data gathering and enterprise reporting (e.g., business intelligence applications).
3. Agree on the goals and metrics (e.g., conformance, performance, value and risk), taxonomy (classification and relationships between goals and metrics) and data (evidence) retention.
4. Agree on a life cycle management and change control process for monitoring and reporting. Include improvement opportunities for reporting, metrics, approach, baselining and benchmarking.
5. Request, prioritize and allocate resources for monitoring (consider appropriateness, efficiency, effectiveness and confidentiality).
6. Periodically validate the approach used and identify new or changed stakeholders, requirements and resources.

Role of the auditor: The auditor needs to engage with the stakeholders toward developing the objectives of monitoring, using common definitions, baselining and benchmarking. Once those objectives are set, the auditor needs to ensure that monitoring and evaluation are done on a continuous basis. The auditor needs to ensure that the goals, metrics, taxonomies and retention policies are agreed on, which results in administrative efficiencies. The auditor can review the policies on life cycle management and change control, which may include improvement opportunities for performance baselining and benchmarking. The auditor should validate the approach periodically for changes within the environment, such as changes of stakeholders, requirements and resources.

2. MEA01.04 Analyze and report performance.

Periodically review and report performance against targets, using a method that provides a succinct all-around view of IT performance and fits within the enterprise monitoring system.

Activities:
1. Design process performance reports that are easy to understand and tailored to management needs. Facilitate effective, timely decision-making (e.g., scorecards, traffic light reports) and ensure that the cause and effect between goals and metrics are communicated in an understandable manner.
2. Compare the performance values to targets and benchmarks.
3. Recommend changes to the goals and metrics, where appropriate.
4. Distribute reports to the stakeholders.
5. Analyze the cause of deviations against targets, initiate remedial actions, assign responsibilities for remediation, and follow up and search for root causes, where necessary. Document the results.
6. Where feasible, link achievement of performance targets to the organizational reward compensation system.

Role of the auditor: The auditor can assist in designing performance reports that are easy to understand and tailored to the needs of management in facilitating timely decision-making. The reports should highlight the results achieved against the targets set. Whenever there is a deviation from the desired results, a root cause analysis should be performed to identify the real cause, and appropriate action should be taken based on the findings. The findings and corrective action should be well documented. The auditor should ensure that the reports are made available to the stakeholders in a timely manner.

3. MEA01.05 Ensure the implementation of corrective actions.

Assist stakeholders in identifying, initiating and tracking corrective actions to address anomalies.

Activities:
1. Review management responses and recommendations to address issues and major deviations.
2. Ensure that the assignment of responsibility for corrective action is maintained.
3. Track the results of actions committed.
4. Report the results to the stakeholders.

Role of the auditor: The auditor should ensure that the recommendations have been accepted and management responses have been obtained. The auditor should also ensure that responsibility for corrective action is assigned to the correct process owners. Where there is a difference of opinion, the auditor should report it to the stakeholders, i.e., the board of directors.

4. MEA02.01 Monitor internal controls.

Continuously monitor, benchmark and improve the IT control environment and control framework to meet organizational objectives.

Activities:
1. Perform internal control monitoring and evaluation of the activities based on organizational governance standards and industry-accepted frameworks and practices.
2. Consider independent evaluations of the internal control system (e.g., by internal audit or peers).
3. Identify the boundaries of the IT internal control system (e.g., consider how organizational IT internal controls take into account outsourced and/or offshore development or production activities).
4. Ensure that control activities are in place and exceptions are promptly reported, followed up and analyzed, and that appropriate corrective actions are prioritized and implemented according to the risk management profile (e.g., classify certain exceptions as a key risk and others as a non-key risk).
5. Maintain the IT internal control system, considering ongoing changes in business and IT risk, the organizational control environment, and relevant business and IT processes. If gaps exist, evaluate and recommend changes.
6. Regularly evaluate the performance of the IT control framework. Consider formal adoption of a continuous improvement approach to internal control monitoring.
7. Assess the status of external service providers' internal controls and confirm that service providers comply with legal and regulatory requirements and contractual obligations.

Role of the auditor: The auditor should ensure that the internal controls are monitored, for which compliance testing can be performed. Exceptions, if any, should be identified and reported together with their root causes. The auditor needs to define, during the engagement process, the boundaries of the internal control system for outsourced/offshore work, so that the objectives of the review are predefined and set. The auditor should ensure that the control activities are in place and that exceptions, if any, are analyzed and corrective action is taken in a timely manner. The auditor can assist management in benchmarking performance against accepted good practices. The auditor faces the challenge of maintaining the prerequisite controls in a changing environment that can be prone to new risks; gap analysis can be performed and recommendations made for incorporating changes.

5. MEA02.02 Review business process controls effectiveness.

Review the operation of controls, including a review of monitoring and test evidence, to ensure that controls within business processes operate effectively. Include activities to maintain evidence of the effective operation of controls through mechanisms such as periodic testing of controls, continuous controls monitoring, independent assessments, command and control centers, and network operations centers. This provides the business with the assurance of control effectiveness to meet requirements related to business, regulatory and social responsibilities.

Activities:
1. Understand and prioritize risk to organizational objectives.
2. Identify key controls and develop a strategy suitable for validating controls.
3. Identify information that will persuasively indicate whether the internal control environment is operating effectively.
4. Develop and implement cost-effective procedures to determine that persuasive information is based on the information criteria.
5. Maintain evidence of control effectiveness.

Role of the auditor: The auditor should prioritize the risks that may impact the objectives of the organization. The auditor should identify the key controls and develop a suitable strategy for validating them. The review should be well defined and cost-effective for the organization, and all findings should be documented with relevant evidence.

6. MEA02.03 Perform control self-assessments.

Encourage management and process owners to take positive ownership of control improvement through a continuing program of self-assessment to evaluate the completeness and effectiveness of management's control over processes, policies and contracts.

Activities:
1. Maintain plans and scope and identify evaluation criteria for conducting self-assessments. Plan the communication of results of the self-assessment process to business, IT, general management and the board. Consider internal audit standards in the design of self-assessments.
2. Determine the frequency of periodic self-assessments, considering the overall effectiveness and efficiency of ongoing monitoring.
3. Assign responsibility for self-assessment to appropriate individuals to ensure objectivity and competence.
4. Provide for independent reviews to ensure objectivity of the self-assessment and enable the sharing of internal control good practices from other enterprises.
5. Compare the results of the self-assessments against industry standards and good practices.
6. Summarize and report outcomes of self-assessments and benchmarking for remedial actions.

Role of the auditor: The auditor should ensure that management has developed plans and procedures for conducting self-assessments and for communicating the results to management. The auditor can assist in determining the frequency of periodic self-assessments, considering the overall effectiveness and efficiency of the monitoring process. The auditor can assist in assigning responsibilities to competent individuals to ensure objectivity in the defined procedures. The auditor can also provide independent reviews toward adopting good practices from the industry. The results of the self-assessment can be compared against industry standards, and benchmarks can be set for comparison. The auditor can ensure that the approach is consistent in terms of the measurability of performance.

7. MEA02.04 Identify and report control deficiencies.

Identify control deficiencies, analyze them and identify their underlying root causes. Escalate control deficiencies and report to stakeholders.

Activities:
1. Identify, report and log control exceptions, and assign responsibility for resolving them and reporting on their status.
2. Consider related enterprise risk to establish thresholds for escalation of control exceptions and breakdowns.
3. Communicate procedures for escalation of control exceptions, root cause analysis and reporting to process owners and IT stakeholders.
4. Decide which control exceptions should be communicated to the individual responsible for the function and which exceptions should be escalated. Inform affected process owners and stakeholders.
5. Follow up on all exceptions to ensure that agreed-on actions have been addressed.
6. Identify, initiate, track and implement remedial actions arising from control assessments and reporting.

Role of the auditor: The auditor should identify and log exceptions and ensure that process owners resolve them. The auditor should define the thresholds for escalation of identified exceptions and breakdowns of controls, taking the related enterprise risk into account. The auditor needs to follow up on the exceptions that have been reported and ensure that they are addressed in a timely manner.

8. MEA02.06 Plan assurance initiatives.

Plan assurance initiatives based on enterprise objectives and strategic priorities, inherent risk, resource constraints and sufficient knowledge of the enterprise.

Activities:
1. Determine the intended users of the assurance initiative output and the object of the review.
2. Perform a high-level risk assessment and/or assessment of process capability to diagnose risk and identify critical IT processes.
3. Select, customize and reach agreement on the control objectives for critical processes that will be the basis for the control assessment.

Role of the auditor: The auditor should first set the objective of the assurance review and determine its intended users. The auditor should then perform the risk assessment and identify the critical IT processes. After the assessment is done, the auditor can define the control objectives for the critical processes identified, in consultation with management.

9. MEA02.07 Scope assurance initiatives.

Define and agree with management on the scope of the assurance initiative, based on the assurance objectives.

Activities:
1. Define the actual scope by identifying the enterprise and IT goals for the environment under review, the set of IT processes and resources, and all the relevant auditable entities within the enterprise and external to the enterprise (e.g., service providers), if applicable.
2. Define the engagement plan and resource requirements.
3. Define practices for gathering and evaluating information from the process(es) under review to identify the controls to be validated and current findings (both positive assurance and any deficiencies) for risk evaluation.
4. Define practices to validate control design and outcomes and determine whether the level of effectiveness supports acceptable risk (as required by the organizational or process risk assessment).
5. Where control effectiveness is not acceptable, define practices to identify residual risk (in preparation for reporting).

Role of the auditor: The auditor, in agreement with management, should decide on the scope of the assurance engagement and accordingly plan the audit to cover the entities (including external service providers, if agreed on) and IT processes in scope. The engagement plan can also define the resources for the activity. The audit plan should include the practices defined for gathering and evaluating information, validating controls and determining the level of risk and whether it is acceptable. The auditor needs to identify residual risk where control effectiveness is not acceptable and report it to management.

10. MEA02.08 Execute assurance initiatives.

Execute the planned assurance initiative. Report on identified findings. Provide positive assurance opinions, where appropriate, and recommendations for improvement relating to identified operational performance, external compliance and internal control system residual risk.

Activities:
1. Refine the understanding of the IT assurance subject.
2. Refine the scope of key control objectives for the IT assurance subject.
3. Test the effectiveness of the control design of the key control objectives.
4. Alternatively/additionally, test the outcome of the key control objectives.
5. Document the impact of control weaknesses.
6. Communicate with management during execution of the initiative so that there is a clear understanding of the work performed and agreement on and acceptance of the preliminary findings and recommendations.
7. Supervise the assurance activities and make sure the work done is complete, meets objectives and is of an acceptable quality.
8. Provide management with a report (aligned with the terms of reference, scope and agreed-on reporting standards) that supports the results of the initiative and enables a clear focus on key issues and important actions.

Role of the auditor: The auditor should execute the audit plan based on the parameters set during the planning stage and test the effectiveness of controls, refining the scope of key control objectives and conducting alternative or additional tests where needed. The auditor should document the impact of control weaknesses and communicate the findings and recommendations to management. The auditor should furnish a report to management on the findings of the audit.

11. MEA03.01 Identify external compliance requirements.

On a continuous basis, identify and monitor for changes in local and international laws, regulations and other external requirements that must be complied with from an IT perspective.

Activities:
1. Assign responsibility for identifying and monitoring any changes of legal, regulatory and other external contractual requirements relevant to the use of IT resources and the processing of information within the business and IT operations of the enterprise.
2. Identify and assess all potential compliance requirements and their impact on IT activities in areas such as data flow, privacy, internal controls, financial reporting, industry-specific regulations, intellectual property, and health and safety. Include the impact of IT-related legal and regulatory requirements on third-party contracts related to IT operations, service providers and business trading partners.
3. Obtain independent counsel, where appropriate, on changes to applicable laws, regulations and standards.
4. Maintain an up-to-date log of all relevant legal, regulatory and contractual requirements, their impact and required actions.
5. Maintain a harmonized and integrated overall register of external compliance requirements for the enterprise.

Role of the auditor: The auditor can recommend that management assign responsibility to individuals to identify and monitor changes to legal, regulatory and other contractual requirements relevant to IT. The auditor should ensure that the potential compliance requirements and their impact on IT activities (data flow, privacy, internal controls, health and safety) are identified. The auditor can, if the need arises, ask management to obtain legal opinion on changes to applicable laws, regulations and standards. The auditor should ensure that management maintains an up-to-date log of all relevant legal requirements, their impact and required actions.

12. MEA03.02 Optimize response to external requirements.

Review and adjust policies, principles, standards, procedures and methodologies to ensure that legal, regulatory and contractual requirements are addressed and communicated. Consider industry standards, codes of good practice and good practice guidance for adoption and adaptation.

Activities:
1. Regularly review and adjust policies, principles, standards, procedures and methodologies for their effectiveness in ensuring necessary compliance and addressing enterprise risk, using internal and external experts as required.
2. Communicate new and changed requirements to all relevant personnel.

Role of the auditor: The auditor should review the policies, standards and principles to ensure that they are effective in ensuring compliance and addressing risk, and recommend adjustments where they are not. The auditor should ensure that changes to the requirements are communicated to the process owners in a timely manner.

13. MEA03.04 Obtain assurance of external compliance.

Obtain and report assurance of compliance and adherence with policies, principles, standards, procedures and methodologies. Confirm that corrective actions to address compliance gaps are closed in a timely manner.

Activities:
1. Obtain regular confirmation of compliance with internal policies from business and IT process owners and unit heads.
2. Perform regular (and, where appropriate, independent) internal and external reviews to assess levels of compliance.
3. If required, obtain assertions from third-party IT service providers on the levels of their compliance with applicable laws and regulations.
4. If required, obtain assertions from business partners on the levels of their compliance with applicable laws and regulations as they relate to intercompany electronic transactions.
5. Monitor and report on non-compliance issues and, where necessary, investigate the root cause.
6. Integrate reporting on legal, regulatory and contractual requirements at an enterprise-wide level, involving all business units.

Role of the auditor: The auditor should, while discharging the assurance function, obtain assertions or confirmation of compliance from management on adherence to laws and regulations. Assertions can also be obtained from third-party service providers. The auditor can then monitor and report on the non-compliance of individual parties and initiate corrective action. The auditor can develop an integrated report involving all the business units and submit it to management.

SUMMARY

The concept of governance hinges on total transparency, integrity and accountability of management and the board of directors. The importance of governance lies in its contribution both to business prosperity and to accountability. Because COBIT 5 is a flexible business framework for the governance and management of enterprise IT, it can be used to achieve governance, risk management and assurance requirements in the Indian context. The activities and implications described previously can be followed by each stakeholder according to his/her needs and situation. Governance is a means, not an end; corporate excellence should be the end.

SECTION 3 CHECKLISTS

This section consists of all of the checklists that have been drafted, keeping in mind all of the stakeholders targeted in this publication. These checklists can be used by the stakeholder as an evaluation to check that the COBIT 5 processes implemented in their enterprise are compliant with the regulations with which the enterprise is bound to comply. The checklists included in this publication are illustrative and are not exhaustive.

CHECKLIST 1 GENERAL CHECKLIST FOR GOVERNANCE

1. Internal Control (CARO, the Companies (Auditor's Report) Order)
Internal control relating to purchase of inventory and fixed assets:
- Is there a "continuing failure" to correct any major weakness in the internal controls relating to purchases?
- Were these weaknesses communicated to management in earlier year(s)?
- Are there previous years' working papers in which the weakness was communicated to management?
Internal control relating to sale of goods and services:
- Is there a record of the system relating to sale of goods and services in our files?
- Have we tested the system?
- Is there a "continuing failure" to correct any major weakness in the internal controls relating to sale of goods and services?
- Were these weaknesses communicated to management in earlier year(s)?

2. Whistle-blower Policy
- Does the audit committee consider whether management arrangements for whistle-blowing are satisfactory?
- Does the company affirm that it has not denied any personnel access to the audit committee (in respect of matters involving alleged misconduct) and that it has provided protection to whistle-blowers from unfair termination and other unfair or prejudicial employment practices?

3. CEO/CFO Certification
- Have the CEO/CFO reviewed the balance sheet and profit and loss account and all their schedules and notes on accounts, as well as the cash flow statement and the directors' report?
- Have they established and maintained the internal controls of the company?
4. Directors' Responsibilities
Is the company in compliance with governance requirements under applicable law, and has adequate internal control been established in response? In particular, whether:
- reporting functions are adequate?
- the company has insider trading restrictions in place?
- each of the directors and the company's shareholders are sufficiently informed about the company's operations and financial status, and concerns are dealt with in a timely and effective manner?
- the company has obtained a certificate from either the auditors or practicing company secretaries regarding compliance with the conditions of governance as stipulated in this clause, and annexed the certificate to the directors' report, which is sent annually to all shareholders of the company? The same certificate shall also be sent to the stock exchanges along with the annual returns filed by the company.

CHECKLIST 2 GENERAL CHECKLIST FOR RISK MANAGEMENT

Area: Risk Management
1. Have the elements of risk been identified?
2. Has a risk management policy been developed?
3. Has the risk management policy been implemented?
4. Have risk management resources been identified?
5. Have resources to manage risk been allocated efficiently and effectively?
6. Has the functioning of the risk management system been tested?
7. Has the frequency for reviewing the system been decided?
8. Have procedures to review the system been laid down?

CHECKLIST 3 GENERAL CHECKLIST AUDIT AND ASSURANCE

Area: Audit and Assurance
1. Has an internal auditor been appointed?

96 2 Audit committee has been formed or not? 3 Statutory auditor has been appointed on not? 4 How often does management review and act on the work and observations of the internal auditor? 5 How often does management review and act on the work and observations of the audit committee? 6 How often does management review and act on the work and observations of the statutory auditor? 7 Did they obtain a certificate from the auditors for compliance of conditions of governance according to Clause 49? 8 Did they review the risk management policy and procedures? 9 Did they review the internal control policy and procedures? 10 Did they evaluate the adequacy of the risk management system? 11 How often do they evaluate the adequacy of the risk management system? 12 Did they evaluate the adequacy of the internal control system? 13 How often do they evaluate the adequacy of the internal control system? 14 Did they have a discussion with management regarding their work and observations after reviewing and evaluation of risk management system? 15 Did they have discussion with management regarding their work and observations after reviewing and evaluating the internal control system? 9 Does the auditor include the status on adequacy of internal control system and risk management system in his or her audit report? 10 Does the auditor include the status on operating effectiveness of such controls in his/her audit report? 11 Did they review the structure of internal audit department, staffing and seniority of the official heading the department? 12 Did they review the reporting structure coverage for the internal audit? 13 Does the auditor certify the company for compliance of conditions of governance as stipulated in Clause 49? CHECKLIST 4 COMPLIANCE WITH THE DATA PROTECTION AREAS OF THE INFORMATION TECHNOLOGY ACT Sl. No Area Question 95

Sl. No  Area  Question

1  Section 43A -- Applicability of the Act to body corporate
   1. Is the entity concerned a firm, sole proprietorship or partnership? A private limited or public limited company? Or any other association of individuals (such as those registered as a society or public trust or other organization)?
   2. Does it possess, deal with or handle sensitive personal data?
   3. Are such data in a computer resource?
   4. Does the entity own, control or operate such a computer resource?
   5. Is such firm, sole proprietorship or other association of individuals engaged in commercial or professional activities?

2  Section 43A -- Reasonable security practices to be included
   1. Is it sensitive personal information?
   2. Does any agreement specify protection from unauthorized access, etc.?
   3. Does any sector-specific law specify such protection?
   4. Is protection specified under the Central Government notified Rules issued on 11 April 2011 and titled Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011?

3  Section 43A -- Body corporate's obligations as to privacy policy
   1. Does the entity collect, receive, possess, store, deal with or handle personal information (including sensitive personal data)?
   2. Is the personal information made available under lawful contract?
   3. Do we have a privacy policy?
   4. Is the personal information available for viewing by the people who provide their personal information?

4  Section 43A -- Compensation for failure to protect data
   1. Was the entity negligent in implementing and maintaining reasonable security practices and procedures?
   2. Was wrongful loss or wrongful gain caused to any person by such negligence?

5  Section 66 -- Computer-related offences
   1. Is there a mechanism in place to detect computer-related offences?

6  Section 66A -- Punishment for sending offensive messages through communication service, etc.
   1. What are the different communication modes of sending offensive messages?
   2. Is there any mechanism to detect the sending of offensive messages through such communication services?

7  Section 66B -- Punishment for dishonestly receiving stolen computer resource or communication device
   1. Is there a mechanism in place to ensure that stolen computer resources are returned or intimated?

8  Section 66C -- Punishment for identity theft
   1. Is there any mechanism to track fraudulent or dishonest use of the electronic signature, password or any other unique identification feature of any other person?

9  Section 66D -- Punishment for cheating by personation by using computer resource
   1. Are the means (communication devices or resources) available to cheat by personation in the entity?
   2. How are such fraudulent actions traced and tackled?
   3. Is there any disciplinary committee to take action on such instances?

10  Section 66E -- Punishment for violation of privacy
   1. Is there any policy mandating procedures to deal with violation of privacy?
   2. What penal actions are taken for such privacy breaches?

11  Section 66F -- Punishment for cyber terrorism
   1. Is there any intent of threat to the unity, integrity, security and sovereignty of India?
   2. Is there any attempt to penetrate/access the computer resources?
   3. Is there an attempt of unauthorized access?

12  Section 67C -- Preservation and retention of information by intermediaries
   1. Does the entity have in place appropriate information security policies?
   2. Do such policies contain managerial, technical, operational and physical security control measures?
   3. Are such measures commensurate with the information assets being protected and the nature of our business?
   4. Is there in place a comprehensive information security program?
   5. Is the information security program well documented?
   6. Do we consistently implement such security practices and standards?
   7. Can it be demonstrated, whenever called upon to do so by an agency mandated under the law, that we have implemented security control measures as per our documented information security program and policies?

13  Section 72A -- Punishment for disclosure of information in breach of lawful contract
   1. Does the entity have mechanisms in place to:
      - review all materials published by us?
      - check if any sensitive personal data are part of such materials?
      - mask or redact such sensitive personal data?
   2. Does the entity obtain agreement from third parties with whom we share sensitive personal data to forbid them from further disclosing such data?
   3. Is there a mechanism in place to ensure the above?

CHECKLIST 5 SAMPLE CHECKLIST FOR THE AUDITOR TO GAIN ASSURANCE ON THE CONTROLS THAT ARE IN PLACE TO PROTECT PERSONALLY IDENTIFIABLE INFORMATION (PII)

1. PLANNING AND SCOPING THE AUDIT

1.1 Define audit/assurance objectives. The audit/assurance objectives are high level and describe the overall audit goals.
1.1.1 Review the audit/assurance objectives in the introduction to this audit/assurance program.
1.1.2 Modify the audit/assurance objectives to align with the audit/assurance universe, annual plan and charter.

1.2 Define boundaries of review. The review must have a defined scope. The reviewer must understand the operating environment and prepare a proposed scope, subject to a later risk assessment.
1.2.1 Perform a high-level walk-through of the organization's data privacy and PII-specific policies, including the organization's schema for data classification.
1.2.2 Establish initial boundaries of the audit/assurance review.
1.2.3 Identify limitations and/or constraints affecting the audit.

1.3 Define assurance. The review requires two sources of standards. The enterprise standards defined in the policy and procedure documentation establish the enterprise's expectations. At minimum, the enterprise standards should be implemented. The second source, a good practice reference, establishes industry standards. Enhancements should be proposed to address gaps between the two.
1.3.1 Determine whether COBIT 5 and the appropriate data privacy framework will be used as a good practice reference.

1.4 Identify and document risk. The risk assessment is necessary to evaluate where audit resources should be focused. The risk-based approach assures utilization of audit resources in the most effective manner.
1.4.1 Identify the data flow of PII and evaluate the effectiveness of the controls in place.
1.4.2 Identify the business risk associated with the failure to implement appropriate organization-wide data classification and PII protection policies and procedures. Proper protection procedures include segregation of files containing PII on separate servers or virtual local area networks (VLANs); access to such files and information restricted to authorized personnel only; and all access logged, reviewed and monitored.
1.4.3 Identify the technology risk associated with the failure to implement appropriate electronic data protection, such as encryption, data masking, tokenization, application logical security and general IT controls (antivirus, firewall, etc.), in an appropriately secure fashion.
1.4.4 Determine whether a network security assessment and vulnerability modelling have been conducted recently and specifically include network components where PII is received, processed and/or stored.
1.4.5 Determine whether all issues identified in the network security assessment and vulnerability modelling have been addressed and appropriately remediated.
1.4.6 Based on the risk assessment, identify changes to the scope.
1.4.7 Discuss the risk with business, IT and operational audit management, and adjust the risk assessment as appropriate.

1.5 Define the change process. The initial audit approach is based on the reviewer's understanding of the operating environment and associated risk, based on the information life cycle of PII and other possible assessment activities. As further research and analysis are performed, changes to the scope and approach may result.
1.5.1 Identify the senior IT audit/assurance resource responsible for the review.
1.5.2 Establish the process for suggesting and implementing changes to the audit/assurance program and the authorizations required.

1.6 Define assignment success. Define the audit/review success factors and ensure appropriate and regular communication among the IT audit/assurance team, other assurance teams and the organization.
1.6.1 Identify the drivers for a successful review (this should exist in the audit/assurance function's standards and procedures).
1.6.2 Communicate success attributes to the process owner or stakeholder, and obtain agreement.

1.7 Define audit/assurance resources required. The resources required are defined in the introduction to this audit/assurance program.
1.7.1 Determine the audit/assurance skills necessary for the review.
1.7.2 Determine the estimated total resources (hours) and time frame (start and end dates) required for the review.

1.8 Define deliverables. Deliverables include control evaluations, assessments, questionnaires, analysis of technical documentation supporting the interim report (as applicable) and the final report. Communication between the audit/assurance teams and the process owner is essential to assignment success.
1.8.1 Determine the interim deliverables, including initial findings, status reports, draft reports, due dates for responses and the final report.

1.9 Communicate. The audit/assurance process is clearly communicated to the customer/client.
1.9.1 Conduct an opening conference to discuss the review objectives with the executive(s) responsible for data privacy and protection.

2. RISK MANAGEMENT

2.1 Risk Assessment
Audit/Assurance Objective: The protection of PII is subject to routine risk assessment processes.

2.1.1 PII Initial Risk Assessment
Control: Management evaluated the risk associated with maintenance of PII.
- Verify that there is an inventory of PII held, with justification, retention period, classification and security requirements.
- Determine whether a recent risk assessment relating to PII has been performed that includes the organization's PII data classification and inventory.
- If so, determine whether the risk assessment scope was adequate to support the organization's PII inventory and associated inherent risk.
- Determine whether the compliance requirements relating to PII have been determined and documented for every relevant legal jurisdiction and industry standard.
- Obtain and review risk assessment documentation and determine that PII and data privacy policies and procedures are adequate to support the PII protection program and appropriately protect the organization as required.
- Obtain and review board minutes or other documentation to support the approval of the risk assessment.

2.1.2 PII Continuing Risk Assessment
Control: A risk assessment is performed and approved by management where significant changes are initiated in the PII or data privacy programs, or to reaffirm the previous risk assessment.
- Determine whether subsequent risk assessments have been performed after the initial risk assessment.
- Obtain and review the risk assessment documentation, if available, to determine whether the risk assessment scope is adequate to support the changes in the PII or data privacy programs and continues to protect the organization as appropriate.

3. POLICIES

3.1 Policies
Audit/Assurance Objective: Policies supporting PII protection initiatives have been defined, documented, implemented and maintained.

3.1.1 Third Parties
Control: Agreements with third parties relating to PII are properly enforced.
- Check whether there are any agreements with external customers or clients regarding retention, classification and security of PII.
- If so, verify that the corresponding third-party PII is subject to the same restrictions and protections (see below) as the organization's own PII.

3.1.2 Employee PII Agreement
Control: The employee agreement clearly defines the responsibilities of the company and employee when handling or processing PII.
- Verify that employees must sign the PII agreement before being granted access to PII.
- Verify that, as an awareness technique, employees must review and sign the PII agreement annually.
- Review the employee PII agreement for the following:
  - Employee is aware of the sensitivity of PII
  - Employee is aware of the organization's policies and procedures for classifying and handling PII
  - Employee is required to undergo training, at or near orientation/onboarding, in the handling, storage and processing of PII
  - Employee must immediately report any incident of lost, stolen or compromised PII that comes to their attention
  - Employee is aware of the appropriate channels for reporting PII-related incidents
  - Employee is aware of the procedures required for a PII-related incident
  - Employee will exercise reasonable care when handling PII
  - Employee will subscribe to organizational use policies related to PII
  - Employee will subscribe to organizational data security policies
  - Employee will abide by the updated PII agreement when revised and distributed
  - The organization may impose disciplinary action (up to and including termination) for infringement of policies relating to PII
- Determine that all employees have signed their acceptance of the employee agreement.
- Determine the date of the last PII employment agreement revision.
- Select a sample of employees with access to PII, stored in both electronic and hard copy forms. Include employees of varying job functions and titles in the sample. Obtain their PII employee agreements and determine that each agreement is:
  - The most current employee agreement
  - Signed and dated
  - Amended if revisions have been instituted since the previous signed document

3.1.3 PII Acceptable Use and Handling Policy
Control: The employee must adhere to the organization's PII Acceptable Use and Handling Policy.
- Obtain and verify the PII Acceptable Use and Handling Policy.
- Determine that all employees and relevant third parties (e.g., consultants) have been made aware of the policy, e.g., through formal training at orientation with regular refreshers.
- Determine the date of the last revision to the policy.
- Select a sample of employees with access to PII. Include employees of varying job functions and titles in the sample. Obtain their individual employee agreements and determine that each one is:
  - The most current policy
  - Signed and dated
  - Suitably amended if revisions have been instituted since the previous signed document

3.1.4 Human Resources (HR) Support for PII
Control: PII handling, processing and storing processes are integrated into HR services, policies and compliance.
- Determine whether the HR function is responsible for initial and annual signing of Employee PII and PII Acceptable Use and Handling Policy documents.
- Determine whether HR onboarding procedures include signing of Employee PII and Acceptable Use and Handling Policy statements.
- Determine whether background checks are carried out and references taken for all employees with access to PII.
- Select a sample of new employees with access to PII. Determine if the employees had signed the appropriate documents.
- Determine whether HR has a current list of employees with access to PII, to ensure termination procedures include PII exit procedures.
- Obtain the PII participant list. Select a sample and determine whether the names on the list are current employees.
- Obtain the list of recently terminated employees. Verify that terminated employees are not on the PII participant list.
- Determine how HR manages the transfer of PII participants to other divisions or locations. Prepare appropriate audit test procedures to satisfy the audit objective.
- Determine whether disciplinary policies and supporting processes are in effect for violations of the PII and Acceptable Use and Handling policy, including:
  - Established and publicized disciplinary action for infringements
  - Uniform application of disciplinary action policy
- Evaluate the effectiveness of disciplinary policies.
- Determine whether disciplinary policies are applied uniformly, considering staff, middle management and senior management in your evaluation.
- Determine whether violations are recorded in a disciplinary system.
- If a disciplinary system exists, select a sample of incidents, determine the disciplinary action and evaluate if policy is followed.
- If no disciplinary system exists, determine how disciplinary actions are managed.
- Determine how policies and execution of policies are aligned with governmental and other regulatory rules to avoid fines, legal action or other penalties for noncompliance.
- Evaluate PII employee policies and determine if additional controls, policies or procedures are required to protect organizational assets, including monitoring and logging of access and restriction of data download capability.

3.1.5 Contractors
Control: Contractors and other third parties have only restricted access to PII when connecting to the organization's network.
- Determine the policies in effect to permit third parties, e.g., contractors and customers, to utilize organizational IT resources, while protecting organizational assets and intellectual property from unauthorized access.
- Determine that a clear definition exists of the types of information not to be made accessible to third parties, such as contractors.
- Evaluate the effectiveness of PII and data privacy controls upon third-party access. Such access should be closely monitored and logged. Restriction of data download should be considered.

4. LEGAL

4.1 Legal Issues
Audit/Assurance Objective: PII policies and procedures comply with legal requirements and minimize the organization's exposure to legal actions.

4.1.1 Legal Involvement in PII Policies and Procedures
Control: Legal counsel with appropriate knowledge and experience has reviewed and approved the organization's PII policies and procedures.
- Determine whether legal counsel has reviewed and approved legal issues relating to PII policies and procedures. Consider:
  - The various geographic and national jurisdictions, as well as industry mandates, with bearing on the organization's controls and security over PII
  - Legal discovery on employee-owned mobile devices, e.g., smartphones and tablet computers
- Obtain evidence of legal counsel's review and approval.
- Determine that the most recent legal review covers all recent changes in PII legislation, industry mandates and organizational policies/procedures.

5. GOVERNANCE

5.1 Governance
Audit/Assurance Objective: Handling of PII is subject to oversight and monitoring by management.

5.1.1 PII Oversight
Control: A formal PII/privacy oversight committee is in place with responsibility for all aspects of PII handling, storage, processing and protection.
- Determine that a senior management-level committee exists to oversee PII and data privacy.
- Determine that the PII/data privacy committee has representatives from senior management, legal, HR, PR and lines of business.
- Determine from minutes and documentation that the PII/data privacy committee meets regularly (at least quarterly).
- Determine from documentation that the PII/data privacy committee reports to the highest level of the organization.
- Determine that the PII/data privacy committee performs at least the following:
  - Defines policy and procedures relating to PII
  - Ensures that PII policy and procedures are in line with changes in the environment, e.g., changes to legislation or industry mandates
  - Is directly involved in all incidents relating to loss or compromise of PII, including reporting to the board and to relevant authorities, public relations, financial budgets for resolving issues, etc.

5.1.2 Policy Approval
Control: PII and data privacy policy has been approved by executive management.
- Determine the reporting structure of the PII approval process and evaluate whether the approval process included affected business units that collect, handle, process, store or dispose of PII.
- Obtain the minutes of the meeting and other documentation used to evaluate the approval process.

5.1.3 Monitoring PII Execution
Control: Executive management receives regularly scheduled status reports on PII issues, adherence to policy and exceptions.
- Verify that formal measures are in place to monitor the use and processing of PII.
- Obtain executive management status reports for PII.
- Determine the frequency with which management receives status reports.
- Determine the contents of the status report, including:
  - PII-related incidents with relevant ongoing status
  - Follow-up and disposition

6. TRAINING

6.1 User Awareness and Training
Audit/Assurance Objective: Users with access to PII attend initial orientation awareness training, with periodic training on a regular schedule (at least annually or when significant policy or procedure changes are implemented).

6.1.1 Initial Training
Control: PII users are required to attend initial training on PII and data privacy policy, acceptable use and support procedures.
- Obtain the training resources used in initial training.
- Evaluate the completeness of the training program. Ensure it addresses all policy issues identified in the policy section of this audit program.
- Determine that users with access to, or responsible for, PII have attended the session(s).
- Select a sample of PII users at all organizational levels and business units. Inspect attendance logs and other documentation to determine whether the selected users have completed required training.

6.1.2 Security and Awareness Training
Control: Security awareness and periodic training are required and conducted at least annually.
- Obtain the PII and data privacy awareness program. Perform the following steps:
  - Determine that the program continues to address adequately the handling of PII and defines appropriate security policies.
  - Determine the requirement for attendance at training programs.
  - Select a sample of PII users; determine the frequency of attendance.
  - Determine the percentage of PII users who have attended the subsequent training program.
  - Evaluate the effectiveness of the training program, based on historical metrics, e.g., numbers of PII handling incidents or procedure failures per period.

7. PII-RELATED INFORMATION SECURITY

7.1 PII-related Information Security Controls
Audit/Assurance Objective: Information security policy and procedures specifically address the technical aspects of data privacy and protection of PII.

7.1.1 Information Security Policy Addresses PII
Control: The organization's information security policy addresses the special needs of data privacy and PII.
- Obtain a copy of the organization's current information security policy and determine that it addresses the technical IT aspects related to processing, storing, disposing of and managing PII.
- Determine that the network security policy requires the highest levels of technical security when processing or storing PII, including encryption of PII both at rest and in transit across networks; strong authentication (preferably two-factor) to access databases and files containing PII; appropriate data classification; formal key management for handling encryption/decryption keys; etc.
- If the organization develops its own application software (on any platform), obtain a copy of the organization's current system development life cycle (SDLC) standards document and policy and determine that it addresses the security requirements for software that will process PII.
- Determine that the organization's SDLC standards require all applications that process PII to pass formal vulnerability testing before deployment into production.
- Determine that assessments are performed to identify and remediate vulnerabilities in new and existing code relevant to protection of PII.
- Select a sample of new applications and maintenance on preexisting applications. Obtain copies of the relevant vulnerability assessments. Determine that the assessments were completed and all material vulnerabilities were remediated before the corresponding code was deployed into production.

7.1.2 Network Security Addresses the Needs of PII
Control: Networks that process PII meet the organization's highest levels of technical security.
- Select a sample of networks (or all networks, if possible) and obtain the corresponding network architecture diagrams.
- Determine that each network in the sample has been secured to the organization's highest security level, including the following:
  - Encryption of all in-flight PII, using Secure Sockets Layer (SSL)/Transport Layer Security (TLS) or virtual private networks (VPNs)
  - Encryption of all at-rest databases that store PII, using AES or 3DES
  - Strong authentication (preferably two-factor) procedures before any user is permitted to access PII
  - All networks containing PII are isolated from non-PII networks, using firewalls, VLANs or dedicated networks
  - All networks containing PII are in scope of operational intrusion detection systems (IDSs)/intrusion prevention systems (IPSs)
  - Formal authorization on a strictly need-to-know basis
  - Regular security reviews and penetration studies of networks containing PII, by external and internal groups
- Obtain copies of the reports from recent security reviews, audit reports and penetration studies of a sample of networks containing PII and determine, by review of documentation, that the following occurred in a timely manner:
  - Identified vulnerabilities were remediated
  - Vulnerabilities were reported to both the data privacy/protection committee and to senior business management
  - Any recommendations were addressed
  - Reasons were provided for all exceptions, i.e., where recommendations were not addressed
  - Measures are in place to mitigate the risk identified

7.1.3 IT Identifies All Systems That Process PII and the Locations Thereof
Control: IT has a set of operational procedures to identify the location of PII in all systems.
- Obtain a copy of IT's relevant procedures for locating PII in existing and new systems.
- Determine that IT has an effective ongoing process to identify the presence of PII in databases and flat files.
- Determine whether IT possesses software tools to scan databases and flat files (including e-mails, text documents, spreadsheets, etc.) for the presence, or likelihood, of PII. Such tools often report the statistical likelihood that columns in databases or text may comprise PII such as social security numbers or debit/credit card numbers.
- Obtain copies of reports from the above scanning tools and determine that the presence of unexpected PII was suitably remediated (i.e., either by removing the PII or by ensuring appropriate protection in accordance with the organization's data privacy/protection standards).
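The scanning tools described under 7.1 (reporting the statistical likelihood that a column holds PII such as card numbers or social security numbers) and the mask-or-redact step in Checklist 4 (Section 72A) rest on the same two operations: recognise a PII pattern, then either score a column by how many of its values match or mask the match before material is published. The following is an added illustration written for this page; it is not code from the ISACA publication or from any scanning product it refers to. The column names, sample records, regular expressions and the 0.5 reporting threshold are constructed assumptions, and it covers only payment card numbers (validated with the Luhn check so that an innocent 16-digit order id is not reported) and US-style social security numbers, standing in for whatever PII types an organization's own classification scheme defines.

```python
"""PII column scanner and redactor (added illustration; not ISACA's or any vendor's tool)."""
import csv
import io
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed detectors, standing in for the PII types the checklist names.
# A candidate card number is 13-19 digits, optionally separated by spaces or
# hyphens; a US-style social security number is ###-##-####.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
SSN_RE = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check that payment card numbers satisfy; rejects random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, fold to one digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _card_digits(match) -> Optional[str]:
    """Strip separators from a CARD_RE match; keep it only if it is Luhn-valid."""
    digits = re.sub(r"[ -]", "", match.group())
    return digits if luhn_ok(digits) else None


def classify(value: str) -> Optional[str]:
    """Return 'card', 'ssn' or None for one cell or text fragment."""
    for m in CARD_RE.finditer(value):
        if _card_digits(m):
            return "card"
    if SSN_RE.search(value):
        return "ssn"
    return None


def scan_columns(csv_text: str) -> Dict[str, Dict[str, float]]:
    """Per column, the fraction of non-empty values that look like each PII kind.

    This is the 'statistical likelihood' the checklist describes: a column in
    which most values pass the card check is probably a card-number column,
    whatever it is named.
    """
    counts = defaultdict(lambda: {"card": 0, "ssn": 0, "n": 0})
    for row in csv.DictReader(io.StringIO(csv_text)):
        for col, val in row.items():
            if not val or not val.strip():
                continue  # empty cells carry no evidence either way
            counts[col]["n"] += 1
            kind = classify(val)
            if kind:
                counts[col][kind] += 1
    return {
        col: {k: round(c[k] / c["n"], 2) for k in ("card", "ssn")}
        for col, c in counts.items()
    }


def likely_pii(report: Dict[str, Dict[str, float]], threshold: float = 0.5) -> List[Tuple[str, str]]:
    """(column, kind) pairs whose score meets the threshold, sorted for stable output."""
    return sorted(
        (col, kind)
        for col, scores in report.items()
        for kind, score in scores.items()
        if score >= threshold
    )


def redact(text: str) -> str:
    """Mask card numbers (keeping the last four digits) and SSNs in text to be published."""
    def mask_card(m):
        digits = _card_digits(m)
        if digits is None:
            return m.group()  # not Luhn-valid: leave untouched (e.g., an order id)
        return "*" * (len(digits) - 4) + digits[-4:]
    return SSN_RE.sub("***-**-****", CARD_RE.sub(mask_card, text))


# Constructed sample extract; the card values are published test numbers, not real accounts.
SAMPLE_CSV = """customer_id,email,card_number,notes
C001,a@example.com,4111 1111 1111 1111,call back Monday
C002,b@example.com,5500-0000-0000-0004,SSN on file 123-45-6789
C003,c@example.com,1234567890123456,no card
C004,d@example.com,,
"""

if __name__ == "__main__":
    report = scan_columns(SAMPLE_CSV)
    for col, scores in report.items():
        print(f"{col:12s} {scores}")
    print("flagged:", likely_pii(report))
    print(redact("Card 4111 1111 1111 1111 and SSN 123-45-6789"))
```

On the sample, `card_number` scores 0.67 for cards (two of three non-empty values are Luhn-valid) and `notes` scores 0.33 for SSNs, so only the card column is flagged at the default threshold while the free-text column still surfaces in the report for an auditor to look at; that is the remediation decision 7.1 asks for, and the same detectors drive the masking that Section 72A asks for before material is published.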
7.2 PII-related Information Security Controls
Audit/Assurance Objective: PII-related issues are included in compliance with statutes and industry requirements, especially if international.

7.2.1 IT Is Aware of PII Compliance Requirements
Control: Individuals in IT, in cooperation with privacy and legal professionals, are responsible for ensuring that IT systems comply with all relevant PII-related statutes (e.g., jurisdictional data privacy laws) and industry requirements (e.g., those required for credit card or health care processing).
- By discussion and review of relevant documentation, identify individuals in IT with responsibility for PII compliance of IT systems.
- Determine that these individuals have appropriate levels of experience and training in PII compliance issues.
- Where relevant, obtain copies of recent reports from external compliance reviews.
- Determine that the IT specialists were involved with the reviews and that they followed relevant findings through to full remediation (i.e., clean reports).

7.3 Incident Response and Reporting
Audit/Assurance Objective: The organization's incident response and reporting process meets the requirements for PII-related incidents, e.g., after loss or compromise of PII.

7.3.1 PII-related Incident Management
Control: The organization's standard, documented incident response and reporting process specifically includes PII-related incidents and any special procedures for PII, such as reporting the loss of PII to the individuals concerned or to designated law enforcement authorities as required by local legislation.
- Obtain a copy of the organization's incident response and reporting procedure document and determine that it addresses any special needs related to compliance with PII-related laws or industry requirements. This may require consultation with appropriate legal counsel to identify all relevant in-scope legislation or industry requirements.
- Obtain a copy of a recent incident response report, or if no such incident has occurred recently, a copy of a recent incident response test, and determine that all relevant PII-related procedures were properly carried out.


More information

How To Set Up A Committee To Check On Cit

How To Set Up A Committee To Check On Cit CIT Group Inc. Charter of the Audit Committee of the Board of Directors Adopted: October 22, 2003 Last Amended: April 20, 2015 I. PURPOSE The purpose of the Committee is to assist the Board in fulfilling

More information

Sub.: Appointment as an Independent Director on the Board of Delhi Duty Free Services Private Limited

Sub.: Appointment as an Independent Director on the Board of Delhi Duty Free Services Private Limited To, (Address) Date:, 2015 Dear Sir, Sub.: Appointment as an Independent Director on the Board of Delhi Duty Free Services Private Limited We are pleased to inform you that upon the recommendation of the

More information

Revised October 2013

Revised October 2013 Revised October 2013 Version 3.0 (Live) Page 0 Owner: Chief Examiner CONTENTS: 1. Introduction..2 2. Foundation Certificate 2 2.1 The Purpose of the COBIT 5 Foundation Certificate.2 2.2 The Target Audience

More information

Internal Auditing Guidelines

Internal Auditing Guidelines Internal Auditing Guidelines Recommendations on Internal Auditing for Lottery Operators Issued by the WLA Security and Risk Management Committee V1.0, March 2007 The WLA Internal Auditing Guidelines may

More information

Application for CISM Certification

Application for CISM Certification Application for CISM Certification 4/2015 Requirements to Become a Certified Information Security Manager become a Certified Information Security Manager (CISM), an applicant must: 1. Score a passing grade

More information

CORPORATE GOVERNANCE FRAMEWORK

CORPORATE GOVERNANCE FRAMEWORK CORPORATE GOVERNANCE FRAMEWORK January 2015 TABLE OF CONTENTS 1. INTRODUCTION... 3 2. CORPORATE GOVERNANCE PRINCIPLES... 4 3. GOVERNANCE STRUCTURE... 5 4. THE BOARD S ROLE... 5 5. COMMITTEES OF THE BOARD...

More information

IT Insights. Managing Third Party Technology Risk

IT Insights. Managing Third Party Technology Risk IT Insights Managing Third Party Technology Risk According to a recent study by the Institute of Internal Auditors, more than 65 percent of organizations rely heavily on third parties, yet most allocate

More information

Feature. Developing an Information Security and Risk Management Strategy

Feature. Developing an Information Security and Risk Management Strategy Feature Developing an Information Security and Risk Management Strategy John P. Pironti, CISA, CISM, CGEIT, CISSP, ISSAP, ISSMP, is the president of IP Architects LLC. He has designed and implemented enterprisewide

More information

COBIT 5 For Cyber Security Governance and Management. Nasser El-Hout Managing Director Service Management Centre of Excellence (SMCE)

COBIT 5 For Cyber Security Governance and Management. Nasser El-Hout Managing Director Service Management Centre of Excellence (SMCE) COBIT 5 For Cyber Security Governance and Management Nasser El-Hout Managing Director Service Management Centre of Excellence (SMCE) Cybersecurity Governance using COBIT5 Cyber Defence Summit Riyadh, KSA

More information

How To Use Risk It

How To Use Risk It Risk IT A set of guiding principles and the first framework to help enterprises identify, govern and effectively manage IT risk. In business today, risk plays a critical role. Almost every business decision

More information

The Kroger Co. Board of Directors. Guidelines on Issues of Corporate Governance. (Rev. 5/11/15)

The Kroger Co. Board of Directors. Guidelines on Issues of Corporate Governance. (Rev. 5/11/15) The Kroger Co. Board of Directors Guidelines on Issues of Corporate Governance (Rev. 5/11/15) THE KROGER CO. BOARD OF DIRECTORS GUIDELINES ON ISSUES OF CORPORATE GOVERNANCE The Kroger Co. Board of Directors

More information

NOTICE 158 OF 2014 FINANCIAL SERVICES BOARD REGISTRAR OF LONG-TERM INSURANCE AND SHORT-TERM INSURANCE

NOTICE 158 OF 2014 FINANCIAL SERVICES BOARD REGISTRAR OF LONG-TERM INSURANCE AND SHORT-TERM INSURANCE STAATSKOERANT, 19 DESEMBER 2014 No. 38357 3 BOARD NOTICE NOTICE 158 OF 2014 FINANCIAL SERVICES BOARD REGISTRAR OF LONG-TERM INSURANCE AND SHORT-TERM INSURANCE LONG-TERM INSURANCE ACT, 1998 (ACT NO. 52

More information

GUIDANCE NOTE FOR DEPOSIT-TAKERS. Operational Risk Management. March 2012

GUIDANCE NOTE FOR DEPOSIT-TAKERS. Operational Risk Management. March 2012 GUIDANCE NOTE FOR DEPOSIT-TAKERS Operational Risk Management March 2012 Version 1.0 Contents Page No 1 Introduction 2 2 Overview 3 Operational risk - fundamental principles and governance 3 Fundamental

More information

PCI Policy Compliance Using Information Security Policies Made Easy. PCI Policy Compliance Information Shield Page 1

PCI Policy Compliance Using Information Security Policies Made Easy. PCI Policy Compliance Information Shield Page 1 PCI Policy Compliance Using Information Security Policies Made Easy PCI Policy Compliance Information Shield Page 1 PCI Policy Compliance Using Information Security Policies Made Easy By David J Lineman

More information

Board Governance Principles Amended September 29, 2012 Tyco International Ltd.

Board Governance Principles Amended September 29, 2012 Tyco International Ltd. BOD Approved 9/13/12 Board Governance Principles Amended September 29, 2012 Tyco International Ltd. 2012 Tyco International, Ltd. - Board Governance Principles 1 TABLE OF CONTENTS TYCO VISION AND VALUES...

More information

Information Security Policy. Document ID: 3809 Version: 1.0 Owner: Chief Security Officer, Security Services

Information Security Policy. Document ID: 3809 Version: 1.0 Owner: Chief Security Officer, Security Services Information Security Policy Document ID: 3809 Version: 1.0 Owner: Chief Security Officer, Security Services Contents 1 Purpose / Objective... 1 1.1 Information Security... 1 1.2 Purpose... 1 1.3 Objectives...

More information

Risk committee performance evaluation

Risk committee performance evaluation Risk committee performance evaluation While there is currently not a legal or regulatory requirement for board risk committees to complete a performance evaluation, King III recommends regular performance

More information

ACNB CORPORATION & SUBSIDIARIES BOARD AUDIT COMMITTEE CHARTER

ACNB CORPORATION & SUBSIDIARIES BOARD AUDIT COMMITTEE CHARTER ACNB CORPORATION & SUBSIDIARIES BOARD AUDIT COMMITTEE CHARTER ORGANIZATION The Audit Committee is a committee of independent members of the Board of Directors. Its function is to assist the Board in fulfilling

More information

Stepping Through the Info Security Program. Jennifer Bayuk, CISA, CISM

Stepping Through the Info Security Program. Jennifer Bayuk, CISA, CISM Stepping Through the Info Security Program Jennifer Bayuk, CISA, CISM Infosec Program How to: compose an InfoSec Program cement a relationship between InfoSec program and IT Governance design roles and

More information

DIPLOMAT PHARMACY, INC. Corporate Governance Guidelines

DIPLOMAT PHARMACY, INC. Corporate Governance Guidelines DIPLOMAT PHARMACY, INC. Corporate Governance Guidelines Effective October 9, 2014 A. Purpose The Board of Directors (the "Board") of the Company has adopted the following Corporate Governance guidelines

More information

ENTERPRISE RISK MANAGEMENT FRAMEWORK

ENTERPRISE RISK MANAGEMENT FRAMEWORK ENTERPRISE RISK MANAGEMENT FRAMEWORK COVENANT HEALTH LEGAL & RISK MANAGEMENT CONTENTS 1.0 PURPOSE OF THE DOCUMENT... 3 2.0 INTRODUCTION AND OVERVIEW... 4 3.0 GOVERNANCE STRUCTURE AND ACCOUNTABILITY...

More information

Solvency Assessment and Management: Pillar II Sub Committee Governance Task Group Discussion Document 81 (v 3)

Solvency Assessment and Management: Pillar II Sub Committee Governance Task Group Discussion Document 81 (v 3) Solvency Assessment and Management: Pillar II Sub Committee Governance Task Group Discussion Document 81 (v 3) Governance, Risk Management, and Internal Controls INTERIM REQUIREMENTS CONTENTS 1. INTRODUCTION

More information

Effective Internal Audit in the Financial Services Sector

Effective Internal Audit in the Financial Services Sector Effective Internal Audit in the Financial Services Sector Recommendations from the Committee on Internal Audit Guidance for Financial Services: How They Relate to the Global Institute of Internal Auditors

More information

Advanced Securities Law

Advanced Securities Law READING MATERIAL Advanced Securities Law UNIT 2 Public Issues: Initial Public Offering- II ADVANCED SECURITIES LAW 2 In the previous Unit we began our study of initial public offers ( IPOs ). We looked

More information

OECD GUIDELINES FOR PENSION FUND GOVERNANCE

OECD GUIDELINES FOR PENSION FUND GOVERNANCE OECD GUIDELINES FOR PENSION FUND GOVERNANCE These Guidelines were approved by the Working Party on Private Pensions on 5 June 2009. OECD GUIDELINES FOR PENSION FUND GOVERNANCE 1 I. GOVERNANCE STRUCTURE

More information

6/8/2016 OVERVIEW. Page 1 of 9

6/8/2016 OVERVIEW. Page 1 of 9 OVERVIEW Attachment Supervisory Guidance for Assessing Risk Management at Supervised Institutions with Total Consolidated Assets Less than $50 Billion [Fotnote1 6/8/2016 Managing risks is fundamental to

More information

Operations. Group Standard. Business Operations process forms the core of all our business activities

Operations. Group Standard. Business Operations process forms the core of all our business activities Standard Operations Business Operations process forms the core of all our business activities SMS-GS-O1 Operations December 2014 v1.1 Serco Public Document Details Document Details erence SMS GS-O1: Operations

More information

The Procter & Gamble Company Board of Directors Corporate Governance Guidelines

The Procter & Gamble Company Board of Directors Corporate Governance Guidelines The Procter & Gamble Company Board of Directors Corporate Governance Guidelines I. Board Purpose and Responsibilities. The Board represents and acts on behalf of all shareholders of the Company. The Board,

More information

Blind spot Banks are increasingly outsourcing more activities to third parties. But they can t outsource the risks.

Blind spot Banks are increasingly outsourcing more activities to third parties. But they can t outsource the risks. Blind spot Banks are increasingly outsourcing more activities to third parties. But they can t outsource the risks. For anyone familiar with the banking industry, it comes as no surprise that banks are

More information

CLASSIFICATION SPECIFICATION FORM

CLASSIFICATION SPECIFICATION FORM www.mpi.mb.ca CLASSIFICATION SPECIFICATION FORM Human Resources CLASSIFICATION TITLE: POSITION TITLE: (If different from above) DEPARTMENT: DIVISION: LOCATION: Executive Director Executive Director, Information

More information

ENTERPRISE RISK MANAGEMENT POLICY

ENTERPRISE RISK MANAGEMENT POLICY ENTERPRISE RISK MANAGEMENT Approved by the Audit Committee on 14 February 2003 and adopted by resolution of the Board on 28 March 2003 Revisions approved by the Audit and Risk Committee on 14 February

More information

Connecting the dots: A proactive approach to cybersecurity oversight in the boardroom. kpmg.bm

Connecting the dots: A proactive approach to cybersecurity oversight in the boardroom. kpmg.bm Connecting the dots: A proactive approach to cybersecurity oversight in the boardroom kpmg.bm Connecting the dots: A proactive approach to cybersecurity oversight in the boardroom 1 Connecting the dots:

More information

Mapping COBIT 5 with IT Governance, Risk and Compliance at Ecopetrol S.A. By Alberto León Lozano, CISA, CGEIT, CIA, CRMA

Mapping COBIT 5 with IT Governance, Risk and Compliance at Ecopetrol S.A. By Alberto León Lozano, CISA, CGEIT, CIA, CRMA Volume 3, July 2014 Come join the discussion! Alberto León Lozano will respond to questions in the discussion area of the COBIT 5 Use It Effectively topic beginning 21 July 2014. Mapping COBIT 5 with IT

More information

TITOLO V - Capitolo 9 - LA CONTINUITÀ OPERATIVA Accountable: Board 3 8 14

TITOLO V - Capitolo 9 - LA CONTINUITÀ OPERATIVA Accountable: Board 3 8 14 TITOLO V - Capilo 9 - LA CONTINUITÀ OPERATIVA 3 8 14 GdR BI 263 TITOLO V - Capilo 9 - LA CONTINUITÀ OPERATIVA Mappatura COBIT 5 Elenco per Accountability 1 TITOLO V - Capilo 9 - LA CONTINUITÀ OPERATIVA

More information

Credit Union Liability with Third-Party Processors

Credit Union Liability with Third-Party Processors World Council of Credit Unions Annual Conference Credit Union Liability with Third-Party Processors Andrew (Andy) Poprawa CEO, Deposit Insurance Corporation of Ontario Canada 1 Credit Union Liability with

More information

Lion One Metals Ltd. Insider Trading Policy

Lion One Metals Ltd. Insider Trading Policy Lion One Metals Ltd. Insider Trading Policy 1.0 Introduction The Board of Directors of Lion One Metals Ltd. ( Lion One ) 1 has determined that Lion One should formalize its policy on securities trading

More information

Insurance Industry Expertise

Insurance Industry Expertise Insurance Industry Expertise Delivered With High-Level Attention and Service Audit Tax Advisory Risk Performance The Unique Alternative to the Big Four For more than 50 years, clients in all sectors of

More information

KING III CORPORATE GOVERNANCE COMPLIANCE REGISTER

KING III CORPORATE GOVERNANCE COMPLIANCE REGISTER KING III CORPORATE GOVERNANCE REGISTER CHAPTER 1: ETHICAL LEADERSHIP AND CORPORATE CITIZENSHIP NON 1.1. The board should provide effective leadership based on an ethical foundation 1.2. The board should

More information

How To Transform It Risk Management

How To Transform It Risk Management The transformation of IT Risk Management kpmg.com The transformation of IT Risk Management The role of IT Risk Management Scope of IT risk management Examples of IT risk areas of focus How KPMG can help

More information

www.pwc.com Third Party Risk Management 12 April 2012

www.pwc.com Third Party Risk Management 12 April 2012 www.pwc.com Third Party Risk Management 12 April 2012 Agenda 1. Introductions 2. Drivers of Increased Focus on Third Parties 3. Governance 4. Third Party Risks and Scope 5. Third Party Risk Profiling 6.

More information

fmswhitepaper Why community-based financial institutions should practice enterprise risk management.

fmswhitepaper Why community-based financial institutions should practice enterprise risk management. fmswhitepaper Why community-based financial institutions should practice enterprise risk management. By Michael D. Cohn, CPA, CISA, CGEIT Director, WolfPAC Solutions Group Unique Insights Implementation

More information

CISM ITEM DEVELOPMENT GUIDE

CISM ITEM DEVELOPMENT GUIDE CISM ITEM DEVELOPMENT GUIDE Updated January 2015 TABLE OF CONTENTS Content Page Purpose of the CISM Item Development Guide 3 CISM Exam Structure 3 Writing Quality Items 3 Multiple-Choice Items 4 Steps

More information

EQT GP HOLDINGS, LP (EQT GP Services, LLC) Corporate Governance Guidelines. (Adopted by the Board on April 30, 2015)

EQT GP HOLDINGS, LP (EQT GP Services, LLC) Corporate Governance Guidelines. (Adopted by the Board on April 30, 2015) EQT GP HOLDINGS, LP (EQT GP Services, LLC) Corporate Governance Guidelines (Adopted by the Board on April 30, 2015) 1. Statement of Governance. EQT GP Holdings, LP (the Partnership ) is governed by a limited

More information

AMERICAN EXPRESS COMPANY CORPORATE GOVERNANCE PRINCIPLES (as amended and restated as of February 23, 2015)

AMERICAN EXPRESS COMPANY CORPORATE GOVERNANCE PRINCIPLES (as amended and restated as of February 23, 2015) AMERICAN EXPRESS COMPANY CORPORATE GOVERNANCE PRINCIPLES (as amended and restated as of February 23, 2015) 1) Director Qualifications A significant majority of the Board of Directors shall consist of independent,

More information

Transforming risk management into a competitive advantage kpmg.com

Transforming risk management into a competitive advantage kpmg.com INSURANCE RISK MANAGEMENT ADVISORY SOLUTIONS Transforming risk management into a competitive advantage kpmg.com 2 Transforming risk management into a competitive advantage Assessing risk. Building value.

More information

Auditors Need to Know June 13th, 2012. ISACA COBIT 5 for Assurance

Auditors Need to Know June 13th, 2012. ISACA COBIT 5 for Assurance COBIT 5 What s New, What Auditors Need to Know June 13th, 2012 Anthony Noble Viacom Inc. ISACA COBIT 5 for Assurance Task Force Chair Special thanks to Derek Oliver & ISACA for supplying material for this

More information

ISACA Tools Help Develop Cybersecurity Expertise

ISACA Tools Help Develop Cybersecurity Expertise Volume 21, 8 October 2014 ISACA Tools Help Develop Cybersecurity Expertise Nominate Qualified Candidates for the ISACA Board of Directors Tips for Solving Data Classification Challenges Earn CPE at Professional

More information

FRAMEWORK FOR THE PREPARATION OF ACCOUNTS. Best Practice Guidance

FRAMEWORK FOR THE PREPARATION OF ACCOUNTS. Best Practice Guidance FRAMEWORK FOR THE PREPARATION OF ACCOUNTS Best Practice Guidance Revised Edition April 2010 PUBLISHED IN APRIL 2010 THE INSTITUTE OF CHARTERED ACCOUNTANTS OF SCOTLAND This document is published by the

More information

RISK MANAGEMENT AND COMPLIANCE

RISK MANAGEMENT AND COMPLIANCE RISK MANAGEMENT AND COMPLIANCE Contents 1. Risk management system... 2 1.1 Legislation... 2 1.2 Guidance... 3 1.3 Risk management policy... 4 1.4 Risk management process... 4 1.5 Risk register... 8 1.6

More information

Organizing a Financial Institution to Deliver Enterprise-Wide Risk Management By Kaan H. Aksel PricewaterhouseCoopers

Organizing a Financial Institution to Deliver Enterprise-Wide Risk Management By Kaan H. Aksel PricewaterhouseCoopers Organizing a Financial Institution to Deliver Enterprise-Wide Risk Management By Kaan H. Aksel PricewaterhouseCoopers Everyone seems to be talking about enterprise-wide risk management (ERM): boards of

More information

January 29, 2015 1. Role of the Board of Directors ( The Board ) and Director Responsibilities 2. Selection of Chairman 3.

January 29, 2015 1. Role of the Board of Directors ( The Board ) and Director Responsibilities 2. Selection of Chairman 3. January 29, 2015 1. Role of the Board of Directors ( The Board ) and Director Responsibilities The role of the Board is to oversee the management of the Corporation and to represent the interests of all

More information

Fraud Risk Management Procedures

Fraud Risk Management Procedures Fraud Risk Management Procedures 1. Introduction KCE Electronics Public Company Limited ( KCE or the Company ) is committed to achieving the highest levels of business integrity, morals and transparency

More information

Documents and Policies Pertaining to Corporate Governance

Documents and Policies Pertaining to Corporate Governance Documents and Policies Pertaining to Corporate Governance 3.1 Charter of the Board of Directors IMPORTANT NOTE Chapter 1, Dream, Mission, Vision and Values of the CGI Group Inc. Fundamental Texts constitutes

More information

Revised May 2007. Corporate Governance Guideline

Revised May 2007. Corporate Governance Guideline Revised May 2007 Corporate Governance Guideline Table of Contents 1. INTRODUCTION 1 2. PURPOSES OF GUIDELINE 1 3. APPLICATION AND SCOPE 2 4. DEFINITIONS OF KEY TERMS 2 5. FRAMEWORK USED BY CENTRAL BANK

More information

The size and composition of the Board is to be determined from time to time by the Board itself in an effort to balance the following goals:

The size and composition of the Board is to be determined from time to time by the Board itself in an effort to balance the following goals: AMERICAN INTERNATIONAL GROUP, INC. CORPORATE GOVERNANCE GUIDELINES (Effective March 11, 2015) I. INTRODUCTION The Board of Directors (the Board ) of American International Group, Inc. ( AIG ), acting on

More information

The promise and pitfalls of cyber insurance January 2016

The promise and pitfalls of cyber insurance January 2016 www.pwc.com/us/insurance The promise and pitfalls of cyber insurance January 2016 2 top issues The promise and pitfalls of cyber insurance Cyber insurance is a potentially huge but still largely untapped

More information

DELAWARE GOVERNANCE PRINCIPLES Steptoe & Johnson LLP (Overview) David Roll Richards, Layton & Finger, P.A. Samuel A. Nolen

DELAWARE GOVERNANCE PRINCIPLES Steptoe & Johnson LLP (Overview) David Roll Richards, Layton & Finger, P.A. Samuel A. Nolen Last Updated: June 2013 DELAWARE GOVERNANCE PRINCIPLES Steptoe & Johnson LLP (Overview) David Roll Richards, Layton & Finger, P.A. Samuel A. Nolen Table of Contents 1. The Sarbanes-Oxley Good Governance

More information

WAL-MART STORES, INC. CORPORATE GOVERNANCE GUIDELINES

WAL-MART STORES, INC. CORPORATE GOVERNANCE GUIDELINES WAL-MART STORES, INC. CORPORATE GOVERNANCE GUIDELINES The following Corporate Governance Guidelines have been adopted by the Board of Directors (the Board ) of Wal-Mart Stores, Inc. (the Company ) to assist

More information

COBIT Helps Organizations Meet Performance and Compliance Requirements

COBIT Helps Organizations Meet Performance and Compliance Requirements DISCUSS THIS ARTICLE COBIT Helps Organizations Meet Performance and Compliance Requirements By Sreechith Radhakrishnan, COBIT Certified Assessor, ISO/IEC 20000 LA, ISO/IEC 27001 LA, ISO22301 LA, ITIL Expert,

More information

B o a r d of Governors of the Federal Reserve System. Supplemental Policy Statement on the. Internal Audit Function and Its Outsourcing

B o a r d of Governors of the Federal Reserve System. Supplemental Policy Statement on the. Internal Audit Function and Its Outsourcing B o a r d of Governors of the Federal Reserve System Supplemental Policy Statement on the Internal Audit Function and Its Outsourcing January 23, 2013 P U R P O S E This policy statement is being issued

More information

CATAMARAN CORPORATION CORPORATE GOVERNANCE GUIDELINES

CATAMARAN CORPORATION CORPORATE GOVERNANCE GUIDELINES CATAMARAN CORPORATION CORPORATE GOVERNANCE GUIDELINES Approved by the Board on December 12, 2012, as amended on March 6, 2013 and September 3, 2014 The following Corporate Governance Guidelines have been

More information

Governance Guideline SEPTEMBER 2013 BC CREDIT UNIONS. www.fic.gov.bc.ca

Governance Guideline SEPTEMBER 2013 BC CREDIT UNIONS. www.fic.gov.bc.ca Governance Guideline SEPTEMBER 2013 BC CREDIT UNIONS www.fic.gov.bc.ca INTRODUCTION The Financial Institutions Commission 1 (FICOM) holds the Board of Directors 2 (board) accountable for the stewardship

More information

How To Manage Risk

How To Manage Risk Fund Board Oversight of Risk Management September 2011 Nothing contained in this report is intended to serve as legal advice. Each investment company board should seek the advice of counsel for issues

More information

SEAFIELD RESOURCES LTD. (the Corporation ) Insider Trading Policy

SEAFIELD RESOURCES LTD. (the Corporation ) Insider Trading Policy SEAFIELD RESOURCES LTD. (the Corporation ) Insider Trading Policy 1. Introduction The Board of Directors of the Corporation 1 has determined that the Corporation should formalize its policy on securities

More information

Domain 1 The Process of Auditing Information Systems

Domain 1 The Process of Auditing Information Systems Certified Information Systems Auditor (CISA ) Certification Course Description Our 5-day ISACA Certified Information Systems Auditor (CISA) training course equips information professionals with the knowledge

More information

Financial Management Framework >> Overview Diagram

Financial Management Framework >> Overview Diagram June 2012 The State of Queensland (Queensland Treasury) June 2012 Except where otherwise noted you are free to copy, communicate and adapt this work, as long as you attribute the authors. This document

More information

BOARD OF DIRECTORS MANDATE

BOARD OF DIRECTORS MANDATE BOARD OF DIRECTORS MANDATE Board approved: May 7, 2014 This mandate provides the terms of reference for the Boards of Directors (each a Board ) of each of Economical Mutual Insurance Company ( Economical

More information

Operational Risk Management Program Version 1.0 October 2013

Operational Risk Management Program Version 1.0 October 2013 Introduction This module applies to Fannie Mae and Freddie Mac (collectively, the Enterprises), the Federal Home Loan Banks (FHLBanks), and the Office of Finance, (which for purposes of this module are

More information

WAL-MART STORES, INC. CORPORATE GOVERNANCE GUIDELINES

WAL-MART STORES, INC. CORPORATE GOVERNANCE GUIDELINES WAL-MART STORES, INC. CORPORATE GOVERNANCE GUIDELINES The following Corporate Governance Guidelines have been adopted by the Board of Directors (the Board ) of Wal-Mart Stores, Inc. (the Company ) to assist

More information

ENTERPRISE RISK MANAGEMENT FRAMEWORK

ENTERPRISE RISK MANAGEMENT FRAMEWORK ROCKHAMPTON REGIONAL COUNCIL ENTERPRISE RISK MANAGEMENT FRAMEWORK 2013 Adopted 25 June 2013 Reviewed: October 2015 TABLE OF CONTENTS 1. Introduction... 3 1.1 Council s Mission... 3 1.2 Council s Values...

More information

Risks and uncertainties

Risks and uncertainties Risks and uncertainties Our risk management approach We have a well-established risk management methodology which we use throughout the business to allow us to identify and manage the principal risks that

More information

CORPORATE GOVERNANCE GUIDELINES

CORPORATE GOVERNANCE GUIDELINES CORPORATE GOVERNANCE GUIDELINES INTRODUCTION These Corporate Governance Guidelines provide a framework of authority and accountability to enable the Board of Directors and management to make timely and

More information

M E M O R A N D U M. The Policy provides for blackout periods during which you are prohibited from buying or selling Company securities.

M E M O R A N D U M. The Policy provides for blackout periods during which you are prohibited from buying or selling Company securities. M E M O R A N D U M TO: FROM: All Directors, Officers and Covered Persons of Power Solutions International, Inc. and its Subsidiaries Catherine Andrews General Counsel and Insider Trading Compliance Officer

More information

HORIZON OIL LIMITED (ABN: 51 009 799 455)

HORIZON OIL LIMITED (ABN: 51 009 799 455) HORIZON OIL LIMITED (ABN: 51 009 799 455) CORPORATE CODE OF CONDUCT Corporate code of conduct Page 1 of 7 1 Introduction This is the corporate code of conduct ( Code ) for Horizon Oil Limited ( Horizon

More information

NORTH CAROLINA DEPARTMENT OF STATE TREASURER INVESTMENT MANAGEMENT DIVISION. External Investment Manager and Vehicle Selection Policy and Procedures

NORTH CAROLINA DEPARTMENT OF STATE TREASURER INVESTMENT MANAGEMENT DIVISION. External Investment Manager and Vehicle Selection Policy and Procedures I. Background NORTH CAROLINA DEPARTMENT OF STATE TREASURER INVESTMENT MANAGEMENT DIVISION External Investment Manager and Vehicle Selection Policy and Procedures The North Carolina Retirement Systems include

More information

APEC General Elements of Effective Voluntary Corporate Compliance Programs

APEC General Elements of Effective Voluntary Corporate Compliance Programs 2014/CSOM/041 Agenda Item: 3 APEC General Elements of Effective Voluntary Corporate Compliance Programs Purpose: Consideration Submitted by: United States Concluding Senior Officials Meeting Beijing, China

More information

SECURITY RISK MANAGEMENT

SECURITY RISK MANAGEMENT SECURITY RISK MANAGEMENT ISACA Atlanta Chapter, Geek Week August 20, 2013 Scott Ritchie, Manager, HA&W Information Assurance Services Scott Ritchie CISSP, CISA, PCI QSA, ISO 27001 Auditor Manager, HA&W

More information

Prudential Practice Guide

Prudential Practice Guide Prudential Practice Guide SPG 220 Risk Management July 2013 www.apra.gov.au Australian Prudential Regulation Authority Disclaimer and copyright This prudential practice guide is not legal advice and users

More information

CORPORATE GOVERNANCE GUIDELINES

CORPORATE GOVERNANCE GUIDELINES CORPORATE GOVERNANCE GUIDELINES The term "Corporation" refers to Pembina Pipeline Corporation, the term "Pembina" refers collectively to the Corporation and all entities controlled by the Corporation,

More information

Guidance Note: Corporate Governance - Board of Directors. March 2015. Ce document est aussi disponible en français.

Guidance Note: Corporate Governance - Board of Directors. March 2015. Ce document est aussi disponible en français. Guidance Note: Corporate Governance - Board of Directors March 2015 Ce document est aussi disponible en français. Applicability The Guidance Note: Corporate Governance - Board of Directors (the Guidance

More information

CORPORATE GOVERNANCE GUIDELINES OF THE HOME DEPOT, INC. BOARD OF DIRECTORS. (Effective February 28, 2013)

CORPORATE GOVERNANCE GUIDELINES OF THE HOME DEPOT, INC. BOARD OF DIRECTORS. (Effective February 28, 2013) CORPORATE GOVERNANCE GUIDELINES OF THE HOME DEPOT, INC. BOARD OF DIRECTORS (Effective February 28, 2013) 1. MISSION STATEMENT The Board of Directors (the Board ) of The Home Depot, Inc. (the Company )

More information

APPLICATION OF THE KING III REPORT ON CORPORATE GOVERNANCE PRINCIPLES

APPLICATION OF THE KING III REPORT ON CORPORATE GOVERNANCE PRINCIPLES APPLICATION OF THE KING III REPORT ON CORPORATE GOVERNANCE PRINCIPLES Ethical Leadership and Corporate Citizenship The board should provide effective leadership based on ethical foundation. that the company

More information

PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES

PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES TECHNICAL COMMITTEE OF THE INTERNATIONAL ORGANIZATION OF SECURITIES COMMISSIONS FEBRUARY 2005 Preamble The IOSCO Technical Committee

More information