Slide 1: IT Governance / Information Security Governance
This chapter covers the CISA Review Manual up to Section 2.7, IS Management Practices. Much of 2.7 is not included in this Information Security course, which is designed for undergraduates. The vocabulary of 2.7 (Sourcing) is included, but hiring/promotion/training/termination and most of outsourcing are not. IS roles and responsibilities are not discussed here, but Segregation of Duties is covered in the Fraud presentation, and Risk is covered in the Risk presentation. Parts of CISM Chapters 1 and 4 are also covered in this presentation; other sections of those chapters are covered in the Risk, Security Program Development and Network Security presentations.
Slide 2: Acknowledgments
Material is sourced from:
- CISA® Review Manual 2011, © 2010, ISACA. All rights reserved. Used by permission.
- CISM® Review Manual 2012, © 2011, ISACA. All rights reserved. Used by permission.
Author: Susan J. Lincke, PhD, University of Wisconsin-Parkside
Reviewers/Contributors: Todd Burri, Kahili Cheng
Funded by a National Science Foundation (NSF) Course, Curriculum and Laboratory Improvement (CCLI) grant: Information Security: Audit, Case Study, and Service Learning. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and/or source(s) and do not necessarily reflect the views of the National Science Foundation.
Slide 3: Objectives
Students should be able to:
- Describe IT governance committees: IT strategic committee, IT steering committee, security steering committee
- Describe mission, strategic plan, tactical plan, operational plan
- Define quality terms: quality assurance, quality control
- Describe security organization members: CISO, CIO, CSO, Board of Directors, Executive Management, Security Architect, Security Administrator
- Define policy, compliance, IT Balanced Scorecard, measure, ISO 9001, enterprise architecture
- Define sourcing practices: insource, outsource, hybrid, onsite, offshore
- Define policy documents: data classification, acceptable usage policy, access control policies
- Plan/schedule a security implementation
Slide 4: Corporate Governance
Corporate Governance: Leadership by corporate directors in creating and presenting value for all stakeholders.
IT Governance: Ensures the alignment of IT with enterprise objectives; the responsibility of the board of directors and executive management.
Notes: The big idea here is that IT Governance serves the business, not itself (or IT). 'Presenting value' means helping the organization pursue its goals, i.e. IT is not an unnecessary expenditure. Stakeholders are anyone who has an interest in organizational goals (and is affected by policies), including business managers, partners, employees, and investors.
Slide 5: IT Governance Objectives
- IT delivers value to the business
- IT risk is managed
Processes include:
- Equip IS functionality and address risk
- Measure performance of delivering value to the business
- Comply with legal and regulatory requirements
Notes: The main goal of a business is to provide value to the shareholders and be a good community neighbor (e.g., obey laws). The main purpose of IT is to support the business in its goal of providing value to the shareholders.
Slide 6: IT Governance Committees
IT Strategic Committee:
- Focuses on direction and strategy
- Advises the board on IT strategy and alignment
- Optimization of IT costs and risk
- Members: board members and specialists
IT Steering Committee:
- Focuses on implementation
- Monitors current projects
- Decides IT spending
- Members: business executives (IT users), CIO, key advisors (IT, legal, audit, finance)
Notes: IT Strategic is the highest level: they APPROVE business strategy and may help to DEFINE/DECIDE it. IT Steering is below IT Strategic, but involves management. Think Steering = deciding where to turn when driving a car: the car is still on the ground and navigates through real traffic.
Slide 7: IT Strategy Committee Main Concerns
- Alignment of IT with the business
- Contribution of IT to the business
- Exposure and containment of IT risk
- Optimization of IT costs
- Achievement of strategic IT objectives
Notes: This group provides direction and a high-level overview. They will be concerned that IT plans align with business plans, that IT delivers promised benefits and objectives, that all understand risk, and that IT delivers IT services at optimized costs. The group can track IT performance via metrics, scheduling and costs. The IT Strategy Committee ensures availability of IT resources, skills and infrastructure to meet strategic objectives, and provides direction to management relative to IT strategy.
Source: CISA® Review Manual 2011 © 2010, ISACA. All rights reserved. Used by permission.
Slide 8: IT Steering Committee Main Concerns
- Decides whether IT is centralized or decentralized, and assigns responsibility
- Makes recommendations for strategic plans
- Approves IT architecture
- Reviews and approves IT plans, budgets, priorities and milestones
- Monitors major project plans and delivery performance
Notes: These are the functions of the lower management committee, the one which steers. They monitor progress of projects and detailed funding.
Slide 9: Strategic Planning Process
- Strategic: Long-term (3-5 year) direction; considers organizational goals and regulation (and, for IT, technical advances)
- Tactical: 1-year plan that moves the organization toward the strategic goal
- Operational: Detailed or technical plans
Notes: Strategic is the highest level and involves directors and top executives. Each level below that involves lower rungs on the management/employee ladder.
Slide 10: Security Strategic Planning
Aspects shown on the slide's Strategic/Tactical/Operational diagram: Risk Mgmt – Laws; Governance – Policy; Organizational Security; Data classification; Audit – Risk analysis; Business continuity; Metrics development; Incident response; Physical security; Network security; Policy compliance; Metrics use.
Notes: On the original slide the aspects covered at each level (Strategic/Tactical/Operational) are listed beside that level. Thus, Risk Management is a Strategic Plan concern, while metrics use and policy compliance are Operational Plan concerns. Some aspects belong to two levels, such as Incident Response, which is a concern at both the Tactical and Operational levels.
Slide 11: Strategic Planning
Strategy: Achieve COBIT Level 4
Tactical: During the next 12 months:
- Each business unit must identify current applications in use
- 25% of all stored data must be reviewed to identify critical resources
- Business units must achieve regulatory compliance
- A comprehensive risk assessment must be performed for each business unit
- All users must undergo general security training
- Standards must exist for all policies
Notes: CMM = Capability Maturity Model. COBIT, provided by ISACA, includes a CMM-style IT process maturity model whose levels range from 0 to 5; Level 4 means that all processes are documented and measured (via statistics). Here, the tactical plan implements the strategic goal of achieving COBIT Level 4.
Slide 12: Standard IT Balanced Scorecard
Establishes a mechanism for reporting IT strategic aims and progress to the board.
- Mission = Direction. E.g.: Serve the business efficiently and effectively
- Strategies = Objectives. E.g.: Quality through availability; process maturity
- Measures = Statistics. E.g.: Customer satisfaction; operational efficiency
Notes: The IT Balanced Scorecard defines IT's goals and how the goals will be measured. The mission is the direction for the department. The strategies are the specific objectives that support the mission. The measures are the statistics or measurements used to determine whether the objectives and mission are being accomplished. Both management committees would be interested in this performance summary data.
Slide 13: IT Balanced Scorecard
Each of the four perspectives is tracked in three columns: Vision, Metrics, Performance.
- Financial goals: How should we appear to stockholders?
- Customer goals: How should we appear to our customers?
- Internal business process goals: What business processes should we excel at?
- Learning and growth goals: How will we improve internally?
Notes: The IT Balanced Scorecard can address different areas, such as financial goals, customer goals, internal business process goals, and learning and growth goals.
Slide 14: Case Study: IT Governance Strategic Plan and Tactical Plan
Strategic Plan (objective: time frame):
- Incorporate the business: 5 yrs
- Pass a professional audit: 4 yrs
Tactical Plan (objective: time frame):
- Perform strategic-level security: 1 yr. This includes:
  - Perform risk analysis: 6 mos.
  - Perform BIA
  - Define policies
Notes: In the Workbook/Case Study, you will prepare a Strategic Plan, Tactical Plan and Operational Plan. Notice that the business's longer-term goals are part of the Strategic Plan. The Tactical Plan begins to achieve those goals, with shorter-term goals.
Slide 15: Case Study: IT Governance Operational Planning
Objective / Timeframe / Responsibility:
- Hire an internal auditor and security professional / 2 months: March 1 / VP Finance
- Establish a security team of business, IT and personnel staff / 1 month: Feb. 1 / VP Finance and Chief Information Officer (CIO)
- Team initiates risk analysis and prepares initial report / 3 months: April 1 / CIO and Security Team
Notes: The Operational Plan sets out specific tasks, milestone dates, and responsible persons.
Slide 16: Enterprise Architecture
Constructing IT is similar to constructing a building: it must be designed and implemented at various levels: Technical (hardware, software); IT procedures and operations; Business procedures and operations.
The model is a grid. Horizontal (columns) = the different aspects to be considered: Data; Functional (application); Network (technology); People (organization); Process (flow); Strategy. Vertical (rows) = the different levels of abstraction: Scope; Enterprise Model; Systems Model; Technology Model; Detailed Representation.
Notes: This model is for defining the business and IT system. Enterprise Model = business model. Systems Model = architecture of systems. Technology Model = technology selection. Detailed Representation = configuration of technology. If each cell is filled in, then the design is complete.
Slide 17: Sourcing Practices
- Insourced: Performed entirely by the organization's staff
- Outsourced: Performed entirely by a vendor's staff
- Hybrid: Partly insourced and partly outsourced
- Onsite: Performed at the IS department's site
- Offsite or Nearshore: Performed in the same geographical area
- Offshore: Performed in a different geographical region
What advantages can you think of for insourcing versus outsourcing?
Advantages of outsourcing: economies of scale for reusable component software; the vendor may have more experience or be cheaper.
Advantages of insourcing: retain control over IS; avoid the loss of internal IS experience and the disgruntled employees that outsourcing can cause.
Slide 18: Quality with ISO 9001
ISO 9001: Standard for Quality Management Systems. Recommendations include:
- Quality Manual: Documented procedures
- HR: Documented standards for personnel hiring, training, evaluation, ...
- Purchasing: Documented standards for vendors of equipment and services
- Gap Analysis: The difference between where you are and where you want to be
Notes: ISO 9001 is a worldwide quality standard from the International Organization for Standardization (ISO) against which organizations are evaluated to determine their maturity. There is a focus on project management and defined processes. HR = Human Resources. Gap analysis is an important concept: it defines where you currently are and where you want to be.
Slide 19: Quality Definitions
- Quality Assurance: Ensures that staff are following defined quality processes, e.g., following standards in design, coding, testing and configuration management
- Quality Control: Conducts tests to validate that software is free from defects and meets user expectations
Notes: Quality Assurance determines that the process (the creation or factory) is a quality process; therefore few errors will occur, since defects never enter the process. Quality Control is concerned with testing: after we build something, we test it. Often both exist, and both should.
Slide 20: Performance Optimization
Phases of performance measurement include:
- Establish and update performance metrics
- Establish accountability for performance measures
- Gather and analyze performance data
- Report and use performance results
Note: Strategic direction for how to achieve performance improvements is necessary.
Notes: Performance measurement tries to determine how effective a process is by using metrics (statistics) to gauge the performance of the current process versus the future process. Recent thought is that managers can't simply expect higher numbers without defining good strategies to get there; otherwise, people may cheat to get those numbers without actually improving anything.
Slide 21: Categories of Performance Measures
- Performance Measurement: What are the indicators of good IT performance?
- IT Control Profile: How can we measure the effectiveness of our controls?
- Risk Awareness: What are the risks of not achieving our objectives?
- Benchmarking: How do we perform relative to others and to standards?
Notes: Measures are effectively statistics. This provides some categories for performance metrics.
Slide 22: IS Auditor and IT Governance
- Is the IS function aligned with the organization's mission, vision, values, objectives and strategies?
- Does IS achieve the performance objectives established by the business?
- Does IS comply with legal, fiduciary, environmental, privacy, security, and quality requirements?
- Are IS risks managed efficiently and effectively?
- Are IS controls effective and efficient?
Notes: These are the questions an IS auditor would be concerned with relative to IT governance. Fiduciary = financial.
Slide 23: Audit: Recognizing Problems
- End-user complaints
- Excessive costs or budget overruns
- Late projects
- Poor motivation; high staff turnover
- High volume of H/W or S/W defects
- Inexperienced staff; lack of training
- Unsupported or unauthorized H/W or S/W purchases
- Numerous aborted or suspended development projects
- Reliance on one or two key personnel
- Poor computer response time
- Extensive exception reports, many not tracked to completion
Notes: These are things that an auditor would look for.
Slide 24: Audit: Review Documentation
- IT strategies, plans, budgets
- Security policy documentation
- Organization charts and job descriptions
- Steering committee reports
- System development and program change procedures
- Operations procedures
- HR manuals
- QA procedures
- Contract standards and commitments: bidding, selection, acceptance, maintenance, compliance
Notes: Auditors would review this documentation. Do they follow best practices? Do they document processes well?
Slide 25: Question
The MOST important function of the IT department is:
1. Cost-effective implementation of IS functions
2. Alignment with business objectives
3. 24/7 availability
4. Process improvement
Answer: 2, alignment with enterprise objectives.
Slide 26: Question
Product testing is most closely associated with which department?
1. Audit
2. Quality Assurance
3. Quality Control
4. Compliance
Answer: 3. Quality Control = test. Audit and Compliance verify that controls are defined and implemented properly, but the question concerns product testing, not security controls. Quality Assurance is concerned with quality throughout the process.
Slide 27: Question
"Implement a virtual private network in the next year" is a goal at which level?
1. Strategic
2. Operational
3. Tactical
4. Mission
Answer: 3. This is a 1-year type general goal that can be broken down into multiple smaller operational goals.
Slide 28: Question
Which of the following is not a valid purpose of the IS audit?
1. Ensure the IS strategic plan matches the intent of the enterprise strategic plan
2. Ensure that IS has developed documented processes for software acquisition and/or development (depending on IS functions)
3. Verify that contracts followed a documented process that ensures no conflicts of interest
4. Investigate program code for backdoors, logic bombs, or Trojan horses
Answer: 4. The auditor is most concerned with documented processes and their implementation. Where documentation is voluminous (e.g., code or transactions), randomly selected or selectively chosen samples may be evaluated.
Slide 29: Question
Documentation that would not be viewed by the IT Strategy Committee would be:
1. IT project plans
2. Risk analysis and business impact analysis
3. IT Balanced Scorecard
4. IT policies
Answer: 1, project plans. The IT Strategy Committee is the highest-level committee, and thus would be interested in high-level documentation such as risk analysis, BIA, the IT Balanced Scorecard, and policies. Detailed project plans are not its concern.
Slide 30: Information Security Governance
(Section divider; the slide shows the labels Policy and Risk.)
Notes: The previous section was on IT. This section is on IT security.
Slide 31: Information Security Importance
- Organizations are dependent upon and driven by information
- Software = information on how to process; data and graphics are retained in files
- Information and computer crime has escalated
- Therefore information security must be addressed and supported at the highest levels of the organization
Notes: This slide emphasizes the increasing importance of IS in the organization, as well as the escalation in computer crime. Thus it is appropriate to have an IS security representative at the highest levels of the organization.
Slide 32: Security Organization
- Board of Directors: Reviews the risk assessment and business impact analysis; defines penalties for non-compliance with policies
- Executive Management: Defines security objectives and institutes the security organization
- Security Steering Committee: Senior representatives of business functions; ensures alignment of the security program with business objectives
- Chief Information Security Officer (CISO)
- Other positions: Chief Risk Officer (CRO), Chief Compliance Officer (CCO)
Notes: The CISO role exists whether or not someone is allocated to it. If the responsibility is not explicitly delegated, it is held by default by the Chief Information Officer (CIO), Chief Technical Officer, Chief Financial Officer, or Chief Executive Officer. Again, the positions at the top are the highest level. The Security Steering Committee consists of senior representatives of business functions in combination with IS security; the point is alignment with business objectives.
Slide 33: Security Governance
- Strategic Alignment: Security solution consistent with organization goals and culture
- Risk Management: Understand threats and cost-effectively control risk
- Value Delivery: Prioritized and delivered for greatest business benefit
- Performance Measurement: Metrics, independent assurance
- Resource Management: Security architecture development and documentation
- Process Integration: Security is integrated into a well-functioning organization
Notes: ISACA really stresses Strategic Alignment: IS serves the business. For a doctor's office, the primary aim is not implementing a VPN; the primary aim is to serve patients, and this includes having patient records available full time. Staying legal is also very important: all aspects of HIPAA matter. Process Integration: security is not just the security department's responsibility; it should be everyone's responsibility.
Slide 34: Executive Management Information Security Concerns
- Reduce civil and legal liability related to privacy
- Provide policy and standards leadership
- Control risk to acceptable levels
- Optimize limited security resources
- Base decisions on accurate information
- Allocate responsibility for safeguarding information
- Increase trust and improve reputation outside the organization
Slide 35: Legal Issues
International trade and employment may be subject to regulations different from those in the U.S., affecting:
- Hiring
- Internet business
- Trans-border data flows
- Cryptography
- Copyright, patents, trade secrets
Industry may be liable under legislation such as:
- SOX: Sarbanes-Oxley Act: publicly traded corporations
- FISMA: Federal Information Security Management Act
- HIPAA: Health Insurance Portability and Accountability Act
- GLBA: Gramm-Leach-Bliley Act: financial privacy
- Etc.
Notes: The second list is security-oriented regulation for the U.S. The first list indicates the areas in which regulation in other countries often differs from the U.S.
Slide 36: Road Map for Security (New Program)
Steps, with the documentation each stage creates or reads:
1. Interview stakeholders (HR, legal, finance) to determine organizational issues and concerns, and form the Information Security Steering Committee. Output: security issues.
2. Develop security policies for approval by management. Output: security policies.
3. Conduct security training and test for compliance. Output: training materials.
4. Improve standards.
5. Develop a compliance monitoring strategy.
Notes: The steering committee is comprised of department heads or other management types. Their participation ensures both that security is aligned with business objectives and that management is on board with the security program. The IS Steering Committee is formed as part of the first step, gathering interested parties; this committee is then involved with the further steps. In other words, security policies are developed, then used to generate training materials.
Slide 37: Security Relationships
The slide shows the CISO at the center, connected to: Executive Management, Human Resources, Business, Legal Department, IT Operations, Quality Control, Purchasing, and Software Development. The topics written on those connections are: security strategy, risk and alignment; security requirements; access control; hiring, training, roles and responsibilities, incident handling; security requirements in the RFP; contract requirements; security requirements sign-off, acceptance test, access authorization; security requirements and review; change control; security upgrade/test; laws and regulations; security monitoring, incident response, site inventory, crisis management.
Notes: The Security Manager needs to establish and maintain relationships throughout the organization. RFP = Request for Proposal: a document sent to vendors stating requirements and asking for bids.
Slide 38: Security Governance Framework
The security strategy must be linked with business objectives. The security organization must be devoid of conflicts of interest. A security framework considers all 4 of these aspects.
Slide 39: Secure Strategy: Risk Assessment
Five steps include:
1. Assign values to assets: Where are the crown jewels?
2. Determine loss due to threats and vulnerabilities (confidentiality, integrity, availability): Loss = Downtime + Recovery + Liability + Replacement
3. Estimate likelihood of exploitation: weekly, monthly, 1 year, 10 years?
4. Compute expected loss: Risk Exposure = ProbabilityOfVulnerability * $Loss
5. Treat risk: survey and select new controls; reduce, transfer, avoid or accept risk
Notes: See the Risk presentation for more details on this and subsequent risk slides; this is here for review and emphasis. Risk is important to get management buy-in. Without management support, security has little opportunity. If they can see how expensive it is to ignore security, then perhaps they are willing to pay for it. The risk aspect puts a $ value on the security functions.
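The five steps above carried through in code, as an added example that is not part of the presentation. It implements the two formulas on the slide (Loss = Downtime + Recovery + Liability + Replacement; Risk Exposure = Probability * Loss) and then scores the reduce/transfer/avoid/accept treatments by annual net benefit, which is the "$ value" argument the notes say management needs to see. The clinic asset, the dollar figures, the incident rates and the treatment options are constructed for illustration and are assumptions, not data from the slides.

```python
"""Added example (not from the slides): expected loss and risk treatment.

Implements the slide's formulas
    Loss = Downtime + Recovery + Liability + Replacement
    Risk Exposure = ProbabilityOfVulnerability * Loss
and ranks candidate treatments (reduce / transfer / avoid / accept) by
annual net benefit. All figures below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class Asset:
    name: str
    downtime: float            # $ lost per incident while the asset is unavailable
    recovery: float            # $ to restore service and data
    liability: float           # $ fines, lawsuits, notification costs per incident
    replacement: float         # $ to replace damaged equipment or data
    incidents_per_year: float  # likelihood: 0.1 = once a decade, 12 = monthly

    def loss_per_incident(self) -> float:
        return self.downtime + self.recovery + self.liability + self.replacement

    def annual_exposure(self) -> float:
        # Risk Exposure = Probability * $Loss, expressed per year
        return self.incidents_per_year * self.loss_per_incident()


@dataclass
class Treatment:
    name: str
    kind: str                  # "reduce", "transfer", "avoid" or "accept"
    annual_cost: float         # what the control or premium costs per year
    residual_incidents: float  # incidents/year remaining after treatment
    loss_share: float = 1.0    # fraction of each loss still borne (transfer lowers it)


def residual_exposure(asset: Asset, t: Treatment) -> float:
    return t.residual_incidents * asset.loss_per_incident() * t.loss_share


def net_benefit(asset: Asset, t: Treatment) -> float:
    """Exposure removed by the treatment minus what the treatment costs."""
    return asset.annual_exposure() - residual_exposure(asset, t) - t.annual_cost


def choose_treatment(asset: Asset, options: List[Treatment]) -> Treatment:
    """Pick the treatment with the highest net benefit. Accepting the risk
    (no cost, no change) is always a candidate, so a control that costs more
    than the exposure it removes is never selected."""
    accept = Treatment("accept risk", "accept", 0.0, asset.incidents_per_year)
    return max([accept, *options], key=lambda t: net_benefit(asset, t))


# Constructed scenario: a clinic's patient-records server (the "crown jewels").
RECORDS = Asset("patient records DB", downtime=20_000, recovery=15_000,
                liability=100_000, replacement=5_000, incidents_per_year=0.5)

OPTIONS = [
    Treatment("encrypted off-site backups + patching", "reduce",
              annual_cost=12_000, residual_incidents=0.1),
    Treatment("cyber-liability insurance", "transfer",
              annual_cost=20_000, residual_incidents=0.5, loss_share=0.3),
    Treatment("stop storing records electronically", "avoid",
              annual_cost=90_000, residual_incidents=0.0),
]

if __name__ == "__main__":
    print(f"loss/incident ${RECORDS.loss_per_incident():,.0f}, "
          f"annual exposure ${RECORDS.annual_exposure():,.0f}")
    for t in OPTIONS:
        print(f"{t.kind:9}{t.name:40} net benefit ${net_benefit(RECORDS, t):,.0f}")
    print("chosen:", choose_treatment(RECORDS, OPTIONS).name)
```

The "avoid" option loses to "accept" here because it costs more than the whole exposure it removes; that comparison, rather than the raw exposure figure, is what justifies a control to the people who pay for it.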
Slide 40: Example Policy Documents
- Data Classification: Defines data security categories, ownership and accountability
- Acceptable Usage Policy: Describes permissible usage of IT equipment and resources
- End-User Computing Policy: Defines usage and parameters of desktop tools
- Access Control Policies: Define how access permission is defined and allocated
After policy documents are created, they must be officially reviewed, updated, disseminated, and tested for compliance.
Slide 41: Compliance Function
Compliance: Ensures adherence to organizational policies. E.g.: listen to selected help desk calls to verify that proper authorization occurs when resetting passwords.
It is best if compliance tests are automated. Automated tests could include:
- PC checks for good passwords, open applications, security settings
- Checks for backup tape/disk registration
- Comparison of access control as planned versus as actually configured
Compliance is an ongoing process that ensures adherence to policies; an audit is a snapshot of compliance at a point in time.
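The third automated test on the slide, planned versus actual access control, as an added example that is not part of the presentation. PLANNED is the access the data owners authorised; ACTUAL_EXPORT is a constructed ACL dump in a made-up "resource:user:perm,perm" format (a real check would parse the output of your directory, database or file-server tooling instead). A permission that is present but not planned is an EXCESS finding, a least-privilege violation to revoke; a planned permission that is absent is a MISSING finding, an availability problem for the user rather than a policy breach.

```python
"""Added example (not from the slides): automated compliance test comparing
planned access control against what is actually configured.

The ACL export format and all users, resources and permissions below are
constructed for illustration.
"""
from typing import Dict, List, Set, Tuple

Acl = Dict[str, Dict[str, Set[str]]]   # resource -> user -> permissions
Finding = Tuple[str, str, str, str]     # (kind, resource, user, permission)

PLANNED: Acl = {
    "payroll_db": {"alice": {"read", "write"}, "bob": {"read"}},
    "hr_share":   {"carol": {"read", "write"}},
}

ACTUAL_EXPORT = """\
# constructed ACL export, one entry per line: resource:user:perm,perm
payroll_db:alice:read,write
payroll_db:bob:read,write
payroll_db:dave:read
hr_share:carol:read
"""


def parse_export(text: str) -> Acl:
    """Parse the constructed export format into the same shape as PLANNED."""
    acl: Acl = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        resource, user, perms = line.split(":", 2)
        acl.setdefault(resource, {})[user] = {p for p in perms.split(",") if p}
    return acl


def compare(planned: Acl, actual: Acl) -> List[Finding]:
    """Set-difference per (resource, user); output is sorted so reports are stable."""
    findings: List[Finding] = []
    for resource in sorted(set(planned) | set(actual)):
        p_users = planned.get(resource, {})
        a_users = actual.get(resource, {})
        for user in sorted(set(p_users) | set(a_users)):
            planned_perms = p_users.get(user, set())
            actual_perms = a_users.get(user, set())
            for perm in sorted(actual_perms - planned_perms):
                findings.append(("EXCESS", resource, user, perm))   # revoke
            for perm in sorted(planned_perms - actual_perms):
                findings.append(("MISSING", resource, user, perm))  # grant / ticket
    return findings


def compliance_check(planned: Acl = PLANNED, export: str = ACTUAL_EXPORT) -> List[Finding]:
    return compare(planned, parse_export(export))


def is_compliant(findings: List[Finding]) -> bool:
    # Only unauthorised access makes the system non-compliant; a missing
    # permission is a service request, not a policy violation.
    return not any(kind == "EXCESS" for kind, *_ in findings)


if __name__ == "__main__":
    results = compliance_check()
    for kind, resource, user, perm in results:
        print(f"{kind:8} {resource:12} {user:8} {perm}")
    print("compliant:", is_compliant(results))
```

Run on a schedule, the EXCESS findings are the compliance evidence the slide is after: each one names a grant that nobody authorised, which is exactly what a point-in-time audit would otherwise have to discover by hand.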
Slide 42: Compliance Program: Security Review or Audit Test
- Objective: Is our web interface to the DB safe?
- Scope: Penetration test on the DB
- Constraints: Must test between 1 and 4 AM
- Approach: Tester has valid session credentials; specific records are allocated for the test
- Test: SQL injection
- Result: These problems were found: ...
Notes: This shows the format of a security review (audit test).
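The test described on the slide, written as a runnable check; this is an added example, not code from the presentation. The tester holds valid credentials (here the record owner "tester") and two records allocated for the test, so the pass/fail criterion is scope: a payload produces a finding only if the lookup returns a record outside the allocated set. The patients table, the two lookup functions (the injectable one beside its parameterized replacement) and the payloads are constructed for illustration; a real review would exercise the application's own query code.

```python
"""Added example (not from the slides): the SQL-injection review test from
the slide, run against a constructed in-memory table. lookup_vulnerable is
the injectable "before"; lookup_hardened is the fix.
"""
import sqlite3
from typing import Callable, Dict, List

PAYLOADS = ["1 OR 1=1", "1 OR id=3"]            # tautology-style injection strings
ALLOCATED = {"TEST-RECORD-A", "TEST-RECORD-B"}  # records the tester may see


def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patients (id INTEGER PRIMARY KEY, name TEXT, owner TEXT)")
    conn.executemany("INSERT INTO patients VALUES (?, ?, ?)", [
        (1, "TEST-RECORD-A", "tester"),
        (2, "TEST-RECORD-B", "tester"),
        (3, "Real Patient", "clinic"),   # constructed; out of scope for the tester
    ])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, owner: str, record_id: str) -> List[str]:
    # The query is assembled by string formatting, so record_id is interpreted
    # as SQL: "1 OR 1=1" turns the WHERE clause into (owner AND id=1) OR 1=1.
    sql = f"SELECT name FROM patients WHERE owner = '{owner}' AND id = {record_id}"
    return [row[0] for row in conn.execute(sql)]


def lookup_hardened(conn: sqlite3.Connection, owner: str, record_id: str) -> List[str]:
    # Validate the type first, then bind parameters: the value never becomes SQL.
    rid = int(record_id)                 # raises ValueError on "1 OR 1=1"
    sql = "SELECT name FROM patients WHERE owner = ? AND id = ?"
    return [row[0] for row in conn.execute(sql, (owner, rid))]


def run_injection_test(lookup: Callable[..., List[str]]) -> List[Dict[str, object]]:
    """One finding per payload that leaks records outside the allocated set,
    in the Test/Result shape of the slide's review format."""
    conn = setup_db()
    findings: List[Dict[str, object]] = []
    for payload in PAYLOADS:
        try:
            rows = lookup(conn, "tester", payload)
        except (ValueError, sqlite3.Error):
            continue                     # input rejected: no finding
        leaked = sorted(set(rows) - ALLOCATED)
        if leaked:
            findings.append({"test": "SQL injection", "payload": payload, "leaked": leaked})
    return findings


if __name__ == "__main__":
    for name, fn in (("vulnerable", lookup_vulnerable), ("hardened", lookup_hardened)):
        print(f"{name}: {run_injection_test(fn)}")
```

Allocating test records is what makes the result reportable: the review can state exactly which out-of-scope record a payload exposed, and the fix is verified when the same payloads produce an empty findings list rather than merely a different error message.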
Slide 43: Security Positions
Security Architect:
- Designs secure network topologies, access control, security policies and standards
- Evaluates security technologies
- Works with compliance, risk management and audit
Security Administrator:
- Allocates access to data under the data owner
- Prepares the security awareness program
- Tests the security architecture
- Monitors security violations and takes corrective action
- Reviews and evaluates security policy
Notes: The security administrator does system-administration tasks related to security. The security architect understands more about security and can do more related to design.
Slide 44: Security Architect: Control Analysis
Policy:
- Do controls fail secure or fail open?
- Is the policy restrictive or permissive (denied unless expressly permitted, or vice versa)?
- Does the control align with policy and business expectations?
Placement:
- Where are controls located? Are controls layered? Is control redundancy needed?
- Does the control protect broadly or only one application?
- If the control fails, is there a control remaining (single point of failure)? If the control fails, does the application fail?
Implementation and efficiency:
- Have controls been tested? Are controls self-protecting?
- Do controls meet control objectives?
- Will controls alert security personnel if they fail? Are control activities logged and reviewed?
Effectiveness:
- Are controls reliable? Do they inhibit productivity?
- Are they automated or manual?
- Are key controls monitored in real time? Are controls easily circumvented?
Notes: Here are some good control objectives and audit questions.
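Several of the questions above have concrete answers in code, so here is an added example (not from the presentation) of a small access-control decision point. Only an express rule permits, which is the restrictive, default-deny policy; when the policy store cannot be reached the control either fails secure (deny) or fails open (allow), and in both cases it logs the decision and raises an alert so security staff learn that the control failed; and a layered check shows why a second healthy layer removes the single point of failure. The rule set, the simulated outage and the names are constructed.

```python
"""Added example (not from the slides): default-deny access control that
fails secure or open, logs every decision, alerts on control failure, and
can be stacked into layers. Rules and the outage are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Set, Tuple

Rule = Tuple[str, str, str]   # (subject, action, resource)


class PolicyUnavailable(Exception):
    """Raised when the control cannot consult its policy (simulated outage)."""


class PolicyStore:
    def __init__(self, rules: Set[Rule], available: bool = True):
        self.rules = rules
        self.available = available

    def permits(self, subject: str, action: str, resource: str) -> bool:
        if not self.available:
            raise PolicyUnavailable("policy store unreachable")
        # Restrictive policy: only an express rule permits; anything else is denied.
        return (subject, action, resource) in self.rules


@dataclass
class AccessControl:
    store: PolicyStore
    fail_secure: bool = True
    log: List[Tuple[str, str, str, bool, str]] = field(default_factory=list)
    alerts: List[str] = field(default_factory=list)

    def decide(self, subject: str, action: str, resource: str) -> bool:
        try:
            allowed = self.store.permits(subject, action, resource)
            reason = "matching rule" if allowed else "no matching rule (default deny)"
        except PolicyUnavailable as exc:
            allowed = not self.fail_secure        # fail-secure denies, fail-open allows
            mode = "secure" if self.fail_secure else "open"
            reason = f"control failure ({exc}); failed {mode}"
            self.alerts.append(f"{subject} {action} {resource}: {reason}")  # tell security
        self.log.append((subject, action, resource, allowed, reason))    # every decision logged
        return allowed


def layered_decide(controls: List[AccessControl], subject: str, action: str, resource: str) -> bool:
    """Layered controls: every layer must permit. If one layer fails open,
    a remaining healthy layer still enforces policy (no single point of failure)."""
    return all(c.decide(subject, action, resource) for c in controls)


RULES: Set[Rule] = {("alice", "read", "payroll")}

if __name__ == "__main__":
    healthy = AccessControl(PolicyStore(RULES))
    print(healthy.decide("alice", "read", "payroll"))    # True: express rule
    print(healthy.decide("bob", "read", "payroll"))      # False: default deny
    broken_open = AccessControl(PolicyStore(RULES, available=False), fail_secure=False)
    print(broken_open.decide("bob", "read", "payroll"))  # True: fail-open lets him in
    print(layered_decide([broken_open, healthy], "bob", "read", "payroll"))  # False
    print(broken_open.alerts)
```

Whether a control should fail secure is a policy decision (a door lock on a fire exit fails open on purpose); what the code makes non-negotiable is that the failure is logged and alerted, so the answer to "will controls alert security personnel if they fail?" is yes in either mode.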
Slide 45: Control Practices
These may be useful in particular conditions:
- Automate controls: make them technically infeasible to bypass
- Access control: users should be identified, authenticated and authorized before accessing resources
- Secure failure: if compromise is possible, stop processing
- Compartmentalize to minimize damage: access control required per set of system resources
- Transparency: communicate controls so that the average layperson understands them; understanding leads to support
- Trust: verify the communicating partner through a trusted third party (e.g., PKI)
- Trust no one: oversight controls (e.g., CCTV)
- Segregation of duties: require collusion to defraud the organization
- Principle of least privilege: minimize system privileges
Notes: CCTV = closed-circuit television.
Slide 46: Security Administrator: Security Operations
- Identity management and access control
- System patching and configuration management
- Change control and release management
- Security metrics collection and reporting
- Control technology maintenance
- Incident response, investigation, and resolution
Notes: Identity management = authentication. System patching: updating the OS and applications with security fixes, as required. Change control: documenting and tracking changes to systems.
Slide 47: Summary of Security Management Functions
- Develop a security strategy that is linked with business objectives; regulatory and legal issues are addressed; senior management acceptance and support
- Complete set of policies, with standards and procedures for all relevant policies
- Security awareness for all users, and security training as needed
- Information assets classified by criticality and sensitivity
Notes: Without senior management support, everyone will be too busy to do security. Therefore, this is of utmost importance.
Slide 48: Summary of Security Management Functions (continued)
- Effective compliance and enforcement processes: metrics are maintained and disseminated; compliance and controls are monitored; utilization of security resources is effective; noncompliance is resolved in a timely manner
- Effective risk management and business impact assessment: risks are assessed, communicated, and managed; controls are designed, implemented, maintained and tested; incident and emergency response processes are tested; Business Continuity and Disaster Recovery Plans are tested
Notes: If you have policies, you must monitor that employees adhere to them. Controls assume that procedures are documented and technologies are provided for security. Compliance ensures that the policies are implemented. Companies that are audited are actually tested for all of this; it is not just theory.
Slide 49: Summary of Security Management Functions (continued)
- Develop the security strategy, oversee the security program, and liaise with business process owners for ongoing alignment
- Clear assignment of roles and responsibilities
- Security participation in change management
- Address security issues with third-party service providers
- Liaise with other assurance providers to eliminate gaps and overlaps
Notes: Liaise = communicate, meet, come to agreement. Third-party service providers: you contract with an organization that contracts with another organization. Change management: a formal procedure for proposing, approving and introducing changes into a process.
Slide 50: Question
Who can contribute the MOST to determining the priorities and risk impacts to the organization's information resources?
1. Chief Risk Officer
2. Business Process Owners
3. Security Manager
4. Auditor
Answer: 2.
Slide 51: Question
A document that describes how access permission is defined and allocated is the:
1. Data Classification
2. Acceptable Usage Policy
3. End-User Computing Policy
4. Access Control Policies
Answer: 4. Access Control Policies are concerned with permissions. Acceptable Use and End-User Computing are concerned with end users' use of computers, including access, but Access Control Policies are the detailed directions on how permissions are granted.
Slide 52: Question
The role of the Information Security Manager in relation to the security strategy is:
1. Primary author, with business input
2. Communicator to other departments
3. Reviewer
4. Approver of the strategy
Answer: 1, primary author, with help from business management. The security strategy is approved by Executive Management.
Slide 53: Question
The role most likely to test a control is the:
1. Security Administrator
2. Security Architect
3. Quality Control Analyst
4. Security Steering Committee
Answer: 1, Security Administrator. Like a system administrator, the security administrator runs the security software and hardware.
Slide 54: Question
The role responsible for defining security objectives and instituting a security organization is the:
1. Chief Security Officer
2. Executive Management
3. Board of Directors
4. Chief Information Security Officer
Answer: 2, Executive Management. "Instituting the security organization" cannot be done by the CSO or CISO, who are part of the security organization (you cannot institute yourself). The Board of Directors approves security objectives but does not define them. CSO = management of physical security (security guards).
Slide 55: Question
When implementing a control, the PRIMARY guide to implementation is:
1. Organizational policy
2. Security frameworks such as COBIT, NIST, ISO/IEC
3. Prevention, detection, correction
4. A layered defense
Answer: 1. Controls are designed from policy.
Slide 56: Question
The persons on the Security Steering Committee who can contribute the BEST information relating to ensuring information security success are the:
1. Chief Information Security Officer
2. Business process owners
3. Executive Management
4. Chief Information Officer
Answer: 2, business process owners. They know best what needs protecting; they provide the requirements for security.
Slide 57: References (slide number, slide title, source of information)
- 4 Corporate Governance: CISA pages 87, 88
- 6 IT Governance Committees: CISA page 90
- 7 IT Strategy Committee
- 12 Standard IT Balanced Scorecard: CISA page 91
- 16 Enterprise Architecture: CISA pages 94, 95, Exhibit 2.5
- 17 Sourcing Practices: CISA page 106
- 18 Quality with ISO 9001: CISA page 112
- 19 Quality Definitions: CISA page 116
- 20 Performance Optimization: CISA pages 113, 114
- 21 Categories of Performance Measures: CISA page 114
- 32 Security Organization: CISA pages 94, 95, Exhibit 2.4
- 33 Security Governance: CISA pages 92, 93
- 39 Secure Strategy: Risk Assessment: CISM page 100
- 40 Example Policy Documents: CISA page 100
- 43 Security Positions: CISA pages 116, 117