IT Governance and Outsourcing



Copyright 2004 Information Systems Audit and Control Association. All rights reserved. www.isaca.org

By Hugh Parkes, CISA, FCA

IT governance is a subset of corporate governance. It refers to how well an organisation governs or controls those of its activities that involve the use of information technology. In both business and government organisations, there are now few key activities that do not involve the use of IT as either an enabler or an intrinsic part of the capacity to allow the activity to take place. It should be stressed that IT governance refers to how the entire activity using IT is controlled: not just the IT department or the physical manifestations of IT, but also the business knowledge and information that the activity requires for its successful operation.

Outsourcing, in its most common form, involves the contracting out of one or more of an organisation's activities to an enterprise outside the corporate or government bounds. Activities of many types can be outsourced. The form of the contracts or agreements that set the parameters under which the outsourced activity will be carried out can also vary considerably. Properly constituted organisations have the capacity to enter into contracts with one another, and much legal effort goes into working out the terms of the contract, as well as assessing how its terms are complied with for the duration of the contract. However, the leaders of the organisations entering into an outsourcing agreement need to ask whether their experience in practice delivers the objectives they set for themselves when making the strategic decision to outsource, or to provide the service now outsourced.

IT Governance Perspectives for Organisations Outsourcing Activities

The perspective of executives or directors toward the need for effective IT governance depends on how important the outsourced activity or resource provision is in the context of achieving the organisation's strategies.
If what is outsourced is a replaceable commodity or service, then problems can be overcome by going to an alternative supplier with low transfer risk. However, if what is outsourced is vital to the organisation's ability to operate, then IT governance considerations, and the frequency of reporting on service delivery and the effectiveness of associated performance, become of high importance. Figure 1 sets out the types of activities that can be outsourced, the risks associated with outsourcing such activities and the IT governance issues that should be considered.

Figure 1 Outsourcing Activities, Risks and Considerations

1. Outsourced information management and storage (all value stored, databases, customer files, key parameters, etc.)
Risk level: very high, depending on how critical the information stored with the outsourcer is.
Risks:
- Consequences of loss or unauthorised access via penetration or poor security
- Immediate impact, meaning this instant
- Exposure to a wide spectrum of risks, e.g., loss, theft, integrity corruption, competitor access
- Outsourcer negotiating power through the organisation's dependence on continuing access to the information
IT governance considerations:
- Ensure the outsourcing contract covers acceptable access rights and clear ownership of information.
- Ensure adequate backup and disaster recovery arrangements have been made. Executives should cite specific evidence of successful recovery testing. Directors should request from the CEO written confirmation that this test has taken place.
- Inquire as to security over information stored and over the communications channels with access to the information.
- Inquire as to information management effectiveness (how it is stored, how it is used, what management reports are derived from it and its condition); this is where the organisation's value is stored.
- Inquire as to the extent of information mining in use, the fit of the information architecture with the organisation's needs, and the level of integration of related information for process effectiveness.
- Ensure that the cost of the outsourced service and the level of service received meet strategic needs.

2. Outsourced core knowledge systems and development of new, or maintenance of existing, systems (corporate memory, key knowledge elements, activity processes, executive preferences, etc.)
Risk level: high to very high, depending on how critical the outsourced knowledge systems are to the organisation's strategic operations.
Risks:
- Exposure to a wide spectrum of risks, including intellectual property theft, process integrity corruption and competitor access
- Dependence on an outsourcer to develop new systems and/or associated intellectual property can mean extreme vulnerability or loss of credibility
IT governance considerations:
- Ensure adequate backup and disaster recovery arrangements have been made (as noted previously).
- Inquire as to security over systems stored on the outsourcer's servers or in its computer installation.
- Inquire into how systems access information stored by outsourcers and the security of the associated communication channels.
- Inquire as to the level of the organisation's dependency on the outsourcer for development or maintenance of new or existing software; understand where the knowledge and necessary competencies covering the systems now reside (it may now be in Bangalore rather than San Jose).
- Inquire as to project delivery management for new systems.
- Inquire as to system uptime and maintenance performance, e.g., is the IT engine being adequately maintained?
- Ensure that operational commitments are being met by the outsourcer.

3. Outsourced major computer installation and ancillary support services
Risk level: medium to high.
Risks:
- Establishing major data centres run by major outsourcers should lower risk via economies of scale, experience, sound data centre procedures, and depth of supporting services.
- The outsourcing organisation needs to ensure that the outsourcer's installation is soundly run, and to contractually arrange access rights and verification arrangements (possibly via a third party such as a competent assurance provider).
- Risks arise where the outsourcing organisation does not monitor the service received or the ongoing condition of the computer installation on which it depends.
IT governance considerations:
- Ensure adequate backup and disaster recovery arrangements have been made and tested (as noted previously), with participation of observers from the organisation onsite.
- Inquire as to assurance reports on installation service and uptime performance.
- Ensure that operational commitments are being met by the outsourcer.

4. Outsourced networks or communications
Risk level: medium to high.
Risks:
- Illegal or malicious penetration (hacking), denial-of-service attacks, information or system corruption, intellectual property theft, viruses, worms and Trojan horse attacks
- Alternate network routing capabilities must exist and have been tested for major networks so that single-point-of-failure dependency (bottleneck risk) is overcome.
- Insufficient communications capacity slows processing or lengthens customer service centre response times.
IT governance considerations:
- Ensure adequate backup and disaster recovery arrangements have been made and tested.
- Inquire deeply as to security at all points of the network, extranets and intranets, as well as over links to the Internet, to Internet service providers (ISPs) and to the organisation's web site.
- Inquire as to the adequacy of bandwidth or communication network capacity available to the organisation, e.g., does it meet strategic needs?
- Ensure that operational commitments for networks and communication channels are being met by the outsourcer.

5. Provision of computer equipment; replacement of network PCs and servers, network devices
Risk level: usually low.
Risks:
- Alternate suppliers available
- Contract does not meet commercial/entity needs over time
- Poor service is received, leading to lower productivity or higher downtime
- Outsourced service provider does not keep equipment current
IT governance considerations:
- Comply with the terms of the outsourcing agreement (service received/payments made). Issues arising are normally handled by entity middle management.
- Bring to executive or directors' attention only if a disaster occurs, probably to seek a recovery fund.

Easy-to-Understand Reporting

It is usually possible to present clear reports to executives and directors in the form of overview flowcharts of outsourced activities, with problem areas highlighted in colour (e.g., red for a major IT governance concern area), as well as showing the linkages to activities that have not been outsourced. IT governance covers a wide range of risk issues as well as operational and commercial delivery issues. Some people find it much easier to get the big picture from a diagram than from long reports in technical jargon. If understandable reports are not currently being received by executives or directors, then IT governance issues can become a major corporate governance liability. Figures 2 and 3 provide examples of reporting on IT governance in overview flowchart form, allowing one to get the big picture on internal controls and security quickly, and to focus on what matters.

IT Governance Perspectives for Organisations Providing Outsourcer Services

The other party in an outsourcing arrangement is the outsourcer: the entity providing the original organisation with services. The outsourcer is the other party to the contract for service delivery, and its perspective for IT governance purposes differs from that of the receiving organisation. The differences are emphasised in figure 4.

Hugh Parkes, CISA, FCA is a director of Parkes & Parkes, management consultants, based in Melbourne, Victoria, Australia. Parkes has extensive experience in IT consulting, banking and financial services, which has included the management of outsourced relationships as well as the provision of services as an outsourcer. A past member of the IT Governance Board, ISACA's International Board of Directors and the Australian Auditing Standards Board, Parkes currently serves as chairman or independent member of a number of audit committees in Australia.
Figure 2 Reporting on IT Governance: How Our Internal Controls Are Operated

The figure is a colour-coded overview chart of the organisation; only its legend and the units it charts are reproduced here. Each unit is rated on two dimensions: the overall operation of internal controls, and the extent of 24/7/365 automated monitoring of internal controls.

Legend:
- Sound internal controls; automated monitoring in place (or assurance review within the last 12 months)
- Control deficiencies identified; management action in progress; being monitored
- Major control issues identified; CEO and board attention required
- Not assessed by assurance within 12 months; internal control condition not validated; no automated monitoring in place (we do NOT KNOW!)

Units charted, from the Board of Directors and the Executive Team down: International Operations and Support (International Marketing, International Sales); Operations (Inventory Management); Supply Chain (Purchasing, Distribution, Warehouse); Manufacturing (Korea, Belgium, California, Singapore); Call Centres (India, Ireland, Canada); Shared Support Services (Finance and Accounting, HR/Personnel, Facilities Management, Information Systems: Australia IT); Research and Development; Knowledge Support.

Figure 3 The Story: An Important IT Governance Perspective. Logical + Physical Security Overview (H. Parkes, 2003)

The figure is a colour-coded overview chart of logical and physical security; only its legend and the elements it charts are reproduced here.

Legend:
- Major security risks plus identified exposures
- Exposures identified, under investigation
- Well secured, plus assurance received within the last three months to BS 7799

Elements charted: Head Office (web; sales and marketing; supply chain: purchasing, warehousing in Belgium and Singapore; physical security); Remote Computers (research and development: research mainframe; stores in India, Ireland and Canada); Shared Services (finance, HR, facilities); Manufacturing (Korea: SCADA controller; California; physical security); Network (PABX, gateways, communications controllers); IT Operations and Applications, main computer environment (research mainframe, disk array, physical security); Internal Security.

Figure 4 Differences in Perspective

5. Outsourced information management and storage (all value stored, databases, customer files, key parameters, etc.)
Risk level: very high, depending on how critical the information stored with the outsourcer is (and does the outsourcer understand this?).
Risks:
- Loss of information through penetration, hacking, corruption or inability to provide service
- Risks of embarrassment to reputation in the marketplace
- Breach of contract/risks of legal action
- Costs of recovery
IT governance considerations:
- Ensure the outsourcing contract covers customer access and clear responsibilities for ownership of information.
- Profitability of the service and cost of the level of service actually provided.
- Ensure adequate backup and disaster recovery arrangements have been made. Executives should cite specific evidence of successful recovery testing. Directors should request written confirmation from the CEO that this testing has been confirmed as taking place.
- Inquire as to security over information stored for customers.
- Inquire as to information management effectiveness, e.g., is it reliable, and is the customer advised of quality issues on data received?

Figure 4 Differences in Perspective (cont.)

4. Outsourced core knowledge systems and development of new or maintenance of existing systems (e.g., corporate memory, key knowledge elements, activity processes, executive preferences)
Risk level: high to very high, depending on how critical the outsourced knowledge systems are to the customer.
Risks:
- Keeping the customer's systems operating at agreed uptime and service levels
- Continuing ability to develop new systems and associated intellectual property
- Continuing ability to maintain/support the customer's existing software in times of rapid change or where there are major redesign/paradigm changes to install
- Loss of software skills, especially on obsolete software languages still requiring support
IT governance considerations:
- Ensure adequate backup and disaster recovery arrangements have been made (as noted).
- Inquire deeply as to security over systems stored at the data centre on behalf of customers.
- Inquire deeply into the security of the associated communication channels.
- Ensure contracted software development and software maintenance services are provided to contracted standards.
- Inquire deeply as to project delivery management for new systems.
- Inquire as to system uptime and maintenance performance, e.g., are service delivery levels being consistently met?
- Ensure that the recruitment and training of staff with the required skills is taking place.

3. Outsourced major computer installation and ancillary support services
Risk level: medium to high.
Risks:
- Cost of keeping major data centres operational and able to provide contracted support services
- Cost of investment in future technology infrastructure to remain market-credible, competitive and sustainable
- Changing ways of doing business may lead to customer paradigm shifts.
IT governance considerations:
- Ensure adequate backup and disaster recovery arrangements have been made and tested (as noted).
- Limit the disruption caused by auditors providing assurance reports on installation service and uptime performance; consider appointing a sole provider for this purpose.
- Ensure that operational commitments are being met by the data centre.
- Ensure customers are not being overserviced, or paying for services outside the agreed scope.

2. Outsourced networks or communications
Risk level: medium to high.
Risks:
- Illegal or malicious penetration (hacking), denial-of-service attacks, information or system corruption, intellectual property theft, viruses, worms and Trojan horse attacks
- It is critical to provide alternate network routing where the outsourcer also provides networking services to the customer.
- Insufficient communications capacity to meet customer demands/contracted service levels
IT governance considerations:
- Ensure that adequate backup and disaster recovery arrangements have been made and tested (as noted).
- Inquire as to security at all points of the network, extranets and intranets, as well as over links to the Internet, Internet service providers (ISPs), Internet services and web sites directly linked to the data centre.
- Ensure that adequate capacity planning is done to meet expected customer demand trends.

1. Provision of computer equipment; replacement of network PCs and servers, network devices
Risk level: usually low.
Risks:
- Market competition
- Contract not meeting the customer's needs over time
- Excessive service demands from the customer
IT governance considerations:
- Comply with the terms of the outsourcing agreement (service provided/payments received).
- Ask about the condition of the customer relationship and customer satisfaction levels with the outsourced IT services provided.

Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by the Information Systems Audit and Control Association, Inc. Membership in the association, a voluntary organization of persons interested in information systems (IS) auditing, control and security, entitles one to receive an annual subscription to the Information Systems Control Journal. Opinions expressed in the Information Systems Control Journal represent the views of the authors and advertisers. They may differ from policies and official statements of the Information Systems Audit and Control Association and/or the IT Governance Institute and their committees, and from opinions endorsed by authors' employers or the editors of this Journal. Information Systems Control Journal does not attest to the originality of authors' content.

Copyright 2004 by Information Systems Audit and Control Association Inc., formerly the EDP Auditors Association. All rights reserved. Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. ISSN 1526-7407. www.isaca.org