Lect 7

The document discusses IT risk management and internal controls. It covers topics like IT risks, threats, and protecting systems and data. It also discusses developing policies, procedures, risk assessment, mitigation strategies, and response plans to manage IT risks.

Uploaded by

SiaBeng SAINS BA

TMS6104

INFORMATION TECHNOLOGY
STRATEGY AND GOVERNANCE

Risk Management
Policies and Procedures

Contents
IT Risk and Internal Controls

IT Audit and Controls

Security
Policies and Procedures

The policies and procedures that your organization implements depend on many factors, including your industry and government regulations.

There are many other policies that an organization might create, depending on the activities and duties performed. For example, a restaurant may require policies for food preparation and service.
Policies
• Policies are concise formal statements of principles that indicate how the organization will act in a particular aspect of its operation. In this way, policies regulate and direct actions and conduct.
• Having policies in place and ensuring that employees are aware of them will minimize risk in the organization.
Categories of Policy

Restraining policies – define the parameters within which decisions are made.

Enabling policies – essentially relate to the dissemination of best practice.
Example of Restraining and Enabling Policies

Restraining Policies:
• Technical compatibility standards
• Standards for buying equipment and services
• Common system mandate
• Disaster recovery, security and quality
• Group systems standards
• Group job specifications
• Any conformance to industry standards
• Outside revenue earning ability of IS function
• Charge-out and benefit reclaim
• Ergonomic standards
• Staffing levels

Enabling Policies:
• Making group-resourced services available to business units
• Negotiating volume discounts
• Managing supplier relationships
• Influencing behaviour through charge-out rules
• Setting criteria for selecting common systems
• Funding shared assets
• Establishing tendering procedures
• Developing common systems
• Using consultants
• Carrying out post-implementation reviews
• Negotiating group-wide technology agreements

Procedure

A clear and precise documented description of an activity. A well-prepared procedure will detail the What, Why, When, How, Where and by Whom of the activity. It shall also specify explicitly the safety critical steps or aspects and who is responsible for the ‘barriers’. A procedure does not express policy or how a group of activities are managed.

Procedures describe in detail the process to implement a Policy. Procedures are written in sequential order at a relatively high level and assign responsibilities. Generally, a Procedure refers to the process rather than the result.
IT Risk and Internal Controls
◦ IT Risk
◦ the potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization. It is measured in terms of a combination of the probability of occurrence of an event and its consequence.

◦ As part of the IT supply strategy, it is crucial to identify the risks to IT systems and information, to reduce or manage those risks, and to develop a response plan in the event of an adverse situation occurring.
IT Risk and Internal Controls (cont..)
◦ Internal Controls
◦ Can be defined as a system designed, introduced and maintained by the company’s management and top-level executives, to provide a substantial degree of assurance in achieving business objectives, while complying with the policies and laws, safeguarding the assets, maintaining efficiency and effectiveness in regular operations and reliability of financial statements.

◦ Internal controls exist to prevent and detect fraud, abuse, or unethical activity, especially with regard to the collection and presentation of financial information. The goal is to ensure that a company's financial reports are reliable and accurate.
Risk Management
◦ “The process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives, and deciding what countermeasures, if any, to take in reducing risk to an acceptable level, based on the value of the information resource to the organization.”
(Source: Certified Information Systems Auditor Review Manual)
Risk Management (cont..)

Encompasses not just the negative impact of operations and service delivery which can bring destruction or reduction of the value of the organization with adverse business impact.

It also includes the benefit/value-enabling risk associated with missing business opportunities to use technology, and the IS/IT project management risks such as overspending or late delivery.
Threats to IT systems and information

Hardware and software failure – such as power loss or data corruption.

Malware – malicious software designed to disrupt computer operation.

Viruses – computer code that can copy itself and spread from one computer to another, often disrupting computer operations.

Spam, scams and phishing – unsolicited email that seeks to fool people into revealing personal details or buying fraudulent goods.

Human error – incorrect data processing, careless data disposal, or accidental opening of infected email attachments.
Specific or targeted criminal threats to IT systems and data

Hackers – people who illegally break into computer systems;

Fraud – using a computer to alter data for illegal benefit;

Password theft – often a target for malicious hackers;

Denial-of-service – online attacks that prevent website access for authorized users;

Security breaches – includes physical break-ins as well as online intrusion;

Staff dishonesty – theft of data or sensitive information, such as customer details.
Natural Disaster

Fire, cyclone and floods also present risks to IT systems, data and infrastructure.

Damage to buildings and computer hardware can result in loss or corruption of customer records/transactions, or affect transactions and customer interactions.
To Protect IT Systems and Data

Securing computers, servers and wireless networks.

Using anti-virus and anti-spyware protection, and firewalls.

Regularly updating software to the latest versions.

Using data back-ups that include off-site or remote storage.

Secure passwords.

Training staff in IT policies and procedures.

Understanding legal obligations for online trading and the protection of information assets.
Understand legal requirements
◦ As a first step in managing IT risks, it is important to be aware of the legal and legislative requirements, such as spam, electronic transactions and privacy laws.

Risk assessment
◦ Such an assessment will identify risks to the business, where they lie, how big they are, and perform a business impact analysis.
Risk Mitigation
Identifying areas or risks that are unacceptable and estimating the countermeasures, costs and resources to be implemented as a measure to reduce the level of risk.

Prior to developing mitigating strategies, it is important to determine the organization’s ‘risk appetite’. Risk appetite is the level of risk that an organization is prepared to accept in pursuit of its objectives, before action is deemed necessary to reduce the risk.

This can then facilitate prioritizing, evaluating, and implementing appropriate risk-reducing controls.

Because elimination of all risk is impossible, organizations should consider using the least-cost approach and implement the most appropriate controls to decrease risk to an acceptable level, with minimal adverse impact on the organization’s resources and objectives.
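As an added illustration (not part of the lecture), the scoring and least-cost selection described above in Python: each risk is scored as likelihood multiplied by consequence on 1..5 scales, the risk appetite is a threshold on that score, and the cheapest control whose residual score falls within appetite is chosen. The 1..5 scales, the register entries and the control costs are assumptions for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Control:
    name: str
    cost: int                # annual cost, arbitrary currency units
    likelihood_after: int    # residual likelihood, 1 (rare) .. 5 (almost certain)
    consequence_after: int   # residual consequence, 1 (negligible) .. 5 (severe)

@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int          # inherent likelihood, 1..5
    consequence: int         # inherent consequence, 1..5
    controls: list           # candidate countermeasures for this risk

    def score(self, likelihood=None, consequence=None) -> int:
        """Risk level as the combination of probability and consequence."""
        l = self.likelihood if likelihood is None else likelihood
        c = self.consequence if consequence is None else consequence
        return l * c

def select_controls(risks, appetite):
    """For each risk above appetite, pick the least-cost control with an acceptable
    residual score; None means nothing suffices (escalate or transfer, e.g. insure)."""
    plan = {}
    for r in risks:
        if r.score() <= appetite:
            continue  # within appetite: accept, no action deemed necessary
        adequate = [c for c in r.controls
                    if r.score(c.likelihood_after, c.consequence_after) <= appetite]
        plan[r.threat] = min(adequate, key=lambda c: c.cost).name if adequate else None
    return plan

# Constructed sample register (not from the lecture); values are illustrative.
RISKS = [
    Risk("customer database", "malware / ransomware", 4, 5, [
        Control("anti-malware only", 2_000, 3, 5),
        Control("off-site backups + anti-malware", 6_000, 3, 2),
        Control("full network segmentation programme", 40_000, 2, 2)]),
    Risk("web shop", "denial-of-service", 3, 4, [
        Control("CDN with DDoS filtering", 5_000, 2, 3)]),
    Risk("office PCs", "hardware failure", 2, 2, [
        Control("spare hardware pool", 1_500, 2, 1)]),
    Risk("payroll system", "staff dishonesty", 2, 5, [
        Control("awareness training only", 800, 2, 5)]),
]
```

Calling select_controls(RISKS, appetite=6) accepts the hardware-failure risk unchanged, picks the cheapest adequate control for malware and denial-of-service, and returns None for staff dishonesty because the only candidate does not bring it within appetite.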
Develop Response Plans

Having identified risks and likely business impacts, the development of a business continuity plan can help a business survive and recover from an adverse IT event.

A business continuity plan identifies critical business activities, risks, response plan and recovery procedures.
IT Risks Management Policies and Procedures
◦ IT policies and procedures explain to staff, contractors and customers the importance of managing IT risks and may form part of risk management and business continuity plans.
◦ Security policies and procedures, for example, can assist staff training on issues such as:
◦ Safe email use, including handling of infected mail;
◦ Setting out processes for common tasks;
◦ Managing changes to IT systems;
◦ Response to IT incidents.
IT Risks Management Policies and Procedures
A code of conduct can provide staff and customers with clear direction and define acceptable behaviors in relation to key issues, such as protection of privacy and ethical conduct.

Training new and existing staff in IT risk management strategies.

Training can cover key business processes and policies, such as protecting the privacy of customer details and priority actions in the event of an online security breach.
Evaluation and Assessment
The process of risk management is an ongoing, iterative process. Assessment must be repeated frequently as the business environment is constantly changing and new threats and vulnerabilities emerge almost every day.

Because it is impossible for a business to prevent or avoid all IT risks and threats, business insurance is an essential part of IT risk management and recovery planning.
IT Audit and Controls

◦ IT audit is an audit of an organization’s IT systems, operations and related control processes. It can be carried out in connection with a financial statements audit, selective audit or thematic audit.

◦ The role of information technology (IT) audit and control has become a critical mechanism for ensuring the integrity of information systems (IS) and the reporting of organization finances to avoid and hopefully prevent future financial loss.
IT Audit Objectives

Evaluate the reliability of data from IT systems which have an impact on the financial statements.

Evaluate the effectiveness of IT controls to ensure systems are functioning as intended.

Ascertain compliance with applicable laws, policies and standards.
Importance of IT Audit

Ascertain whether IT systems are adequately protected.

Ascertain whether IT systems provide reliable information.

Ascertain whether IT systems are managed to achieve their intended benefits.

Evaluate the risk of data tampering and/or data loss.
IT Audit and Controls
◦ IT auditing is an integral part of the audit function because it supports the auditor's judgment on
the quality of the information processed by computer systems. Initially, auditors with IT audit
skills are viewed as the technological resource for the audit staff.
◦ There are many types of audit needs within IT auditing, such as organizational IT audits
(management control over IT), technical IT audits (infrastructure, data centers, data
communication), application IT audit (business/financial/operational),
development/implementation IT audits (specification/ requirements, design, development, and
post-implementation phases), and compliance IT audits involving national or international
standards.
◦ The IT auditor's role has evolved to provide assurance that adequate and appropriate controls
are in place. Of course, the responsibility for ensuring that adequate internal controls are in
place rests with the management.
Audit Process
◦ The audit process includes the following steps or phases:
1. Planning
2. Definition of audit objectives and scope.
3. Evidence collection and evaluation.
4. Documentation and reporting.
Principles of Auditing

• Integrity, objectivity and independence
• Skills and competence
• Confidentiality
• Responsibility for work performed by others
• Documentation
• Planning
• Audit evidence
• Accounting system and internal control
• Audit conclusions
• Audit report
Security
◦ This policy describes how entities establish effective security planning and can embed security into risk management practices. Security planning can be used to identify and manage risks and assist decision-making by:
a. applying appropriate controls effectively and consistently (as part of the entity's existing risk management arrangements)
b. adapting to change while safeguarding the delivery of business and services
c. improving resilience to threats, vulnerabilities and challenges
d. driving protective security performance improvements.

Security Risk
A security risk is something that could result in the compromise, loss, unavailability or damage to information or assets, or cause harm to people. Security risk is the effect of uncertainty on objectives and is often measured in terms of its likelihood and consequences. The causes are generally people, systems, processes, procedures, crime, attacks or natural events. An:

a. effect is a deviation from the expected and may be positive or negative

b. objective has different aspects such as financial, health and safety and environmental goals, and can apply at multiple levels such as strategic, organisation-wide, project, product and process levels.

Entities are encouraged to consider where security risks intersect with other risks including fraud, privacy and business continuity. Entities are encouraged to treat risk holistically across their operations. For example, there may be opportunities to treat multiple risks with one mitigation control.
Security Planning Approach
Successfully managing entity security risks and protecting people, information and assets requires an understanding of what needs protecting, what the threat is and how assets will be protected. Security planning is designing, implementing, monitoring, reviewing and continually improving practices for security risk management.

A security plan specifies the approach, responsibilities and resources applied to managing protective security risks. The security plan allows entities to review the degree of security risk that exists in different areas of operations and take action to mitigate identified risks.
Security Planning Approach (cont..)
◦ A security risk management process manages risks across all areas of security (governance, information, personnel and physical) to determine sources of threat and risk (and potential events) that could affect government or entity business. Security risk management includes:

i. security risk assessments, which are structured and comprehensive processes to identify, analyse and evaluate security risks and determine practical steps to minimise the risks

ii. security risk treatments, which are the considered, coordinated and efficient actions and resources required to mitigate or lessen the likelihood or negative consequences of risks.
Managing Security Risk
Regardless of an entity's functions or security concerns, the central messages for managing security risks are:
a. security is everyone's responsibility and risk management is the business of all personnel (including contractors) in the entity, supported by security awareness training
b. security is a business enabler that informs decision-making, is part of day-to-day business and is embedded into an entity's business processes
c. security management is logical, systematic and transparent and is part of the enterprise risk management process
d. security processes identify changes in the threat environment and allow for adjustments to maintain acceptable levels of risk, balancing operational and security needs.
