Question

Question 2: Strategic Management of IT [50 marks]

The strategic management of IT can be achieved through the use of various resources.

a) With the aid of examples, discuss the role played by policies and procedures in the strategic management of IT. [25 marks]

b) Propose and discuss the aspects that should be considered during the drafting of an Information Security policy document [25 marks]

Answer 1

A. What is Strategy management for IT services?
For IT services is a process of defining and maintaining the perspective, position, plans, and patterns of an organization with regards to its services and management of those services. The purpose of strategy management for IT services is to make sure that a strategy is defined properly, maintained and managed adequately to achieve its purpose.

Role played by policies and procedures in the strategic management of IT:

Example : The organization's IT policies, standards, and procedures.

An auditor can learn a great deal about an organization by simply reviewing the strategic plan and examining the company's policies and procedures. These documents reflect management's view of the company. Some might even say that policies are only as good as the management team that created them. Policies should exist to cover most every aspect of organizational control because companies have legal and business requirements to establish policies and procedures. The law dictates who is responsible and what standards must be upheld to meet minimum corporate governance requirements.

Management is responsible for dividing the company into smaller subgroups that control specific functions. Policies and procedures dictate how activities occur in each of the functional areas. One of the first steps in an audit is for the auditor to examine these critical documents. Any finding an auditor makes should be referenced back to the policy. This allows the auditor to establish a cause and specify how to rectify identified problems. Policies can be developed in either a top-down or a bottom-up method.

Policy Development:
Not all policies are created in the same way. The policy process can be driven from the top or from the bottom of the organization. Top-down policy development means that policies are pushed down from the top of the company. The advantage of a top-down policy development approach is that it ensures that policy is aligned with the strategy of the company. What it lacks is speed. It's a time-consuming process that requires a substantial amount of time to implement. A second approach is bottom-up policy development. Bottom-up policy development addresses the concerns of operational employees because it starts with their input and concerns, and builds on known risk. This is faster than a top-down approach but has a huge disadvantage in that it risks the lack of senior management support.

No matter what the development type is, policies are designed to address specific concerns:

• Regulatory—Ensure that the organization's standards are in accordance with local, state, and federal laws. Industries that frequently use these documents include health care, public utilities, refining, and the federal government.
• Advisory—Ensure that all employees know the consequences of certain behavior and actions. An example of an advisory policy is one covering acceptable use of the Internet. This policy might state how employees can use the Internet during the course of business; if they violate the policy, it could lead to disciplinary action or dismissal.
• Informative—Designed not for enforcement, but for teaching. Their goal is to inform employees and/or customers. An example of an informative policy is a return policy on goods bought on the business's website.

Policies and Procedures :

Policies are high-level documents developed by management to transmit its guiding strategy and philosophy to employees. Management and business process owners are responsible for the organization and design of policies to guide it toward success. Policies apply a strong emphasis to the words of management. They define, detail, and specify what is expected from employees and how management intends to meet the needs of customers, employees, and stakeholders. Policies can be developed internally, or can be based on international standards such as Common Criteria or ISO 17799:

• Common Criteria—A framework used to specify security requirements.
• ISO 17799—Provides best practice recommendations for implementing good security management.

One specific type of policy is the organization's security policy. Security policy dictates management's commitment to the use, operation, and security of information systems and assets. It specifies the role security plays within the organization. Security policy should be driven by business objectives and should meet all applicable laws and regulations. The security policy should also act as a basis to integrate security into all business functions. It serves as a high-level guide to develop lower-level documentation, such as procedures. The security policy must be balanced, in the sense that all organizations are looking for ways to implement adequate security without hindering productivity. The issue also arises that the cost of security cannot be greater than the value of the asset. Figure 2.4 highlights these concerns.

An auditor must look closely at all policies during the audit process and should review these to get a better idea of how specific processes function. As an example, the auditor should examine policies that have been developed for disaster recovery and business continunity. Some questions to consider are what kind of hardware and software backup is used; whether the software backup media is stored off site, and if so, what kind of security does the offsite location have, and what type of access is available? These are just a few of the items an auditor will be tasked with reviewing. The disaster recovery policy is an important part of corrective control. Disaster recovery is discussed in detail in Chapter 9, "Disastor Recovery and Business Continuity."

During the audit, the auditor must verify how well policy actually maps to activity. You might discover that existing policy inhibits business or security practices. Operators might have developed better methods to meet specific goals. When faced with these situations, the auditor should identify the problem and look for ways to improve policy.

Policies don't last forever. Like most things in life, they need to be reviewed periodically to make sure they stay current. Technology becomes obsolete, new technology becomes affordable, and business processes change. Although it's sometimes easy to see that low-level procedures need to be updated, this also applies to high-level policies. Policies are just one level of procedural control. The next focus of discussion is on procedures.

Evaluate the organization's IT policies, standards, and procedures; and the processes for their development, approval, implementation, and maintenance to ensure that they support the IT strategy and comply with regulatory and legal requirements.
Evaluate management practices to ensure compliance with the organization's IT strategy, policies, standards, and procedures.

Knowledge Statements :
Knowledge of the purpose of IT strategies, policies, standards, and procedures for an organization and the essential elements of each
Knowledge of generally accepted international IT standards and guidelines
Knowledge of the processes for the development, implementation, and maintenance of IT strategies, policies, standards, and procedures (for example, protection of information assets, business continuity and disaster recovery, systems and infrastructure lifecycle management, IT service delivery and support)
An auditor can learn a great deal about an organization by simply reviewing the strategic plan and examining the company's policies and procedures. These documents reflect management's view of the company. Some might even say that policies are only as good as the management team that created them. Policies should exist to cover most every aspect of organizational control because companies have legal and business requirements to establish policies and procedures. The law dictates who is responsible and what standards must be upheld to meet minimum corporate governance requirements.

Management is responsible for dividing the company into smaller subgroups that control specific functions. Policies and procedures dictate how activities occur in each of the functional areas. One of the first steps in an audit is for the auditor to examine these critical documents. Any finding an auditor makes should be referenced back to the policy. This allows the auditor to establish a cause and specify how to rectify identified problems. Policies can be developed in either a top-down or a bottom-up method.

Policy Development
Not all policies are created in the same way. The policy process can be driven from the top or from the bottom of the organization. Top-down policy development means that policies are pushed down from the top of the company. The advantage of a top-down policy development approach is that it ensures that policy is aligned with the strategy of the company. What it lacks is speed. It's a time-consuming process that requires a substantial amount of time to implement. A second approach is bottom-up policy development. Bottom-up policy development addresses the concerns of operational employees because it starts with their input and concerns, and builds on known risk. This is faster than a top-down approach but has a huge disadvantage in that it risks the lack of senior management support.

No matter what the development type is, policies are designed to address specific concerns:

• Regulatory—Ensure that the organization's standards are in accordance with local, state, and federal laws. Industries that frequently use these documents include health care, public utilities, refining, and the federal government.
• Advisory—Ensure that all employees know the consequences of certain behavior and actions. An example of an advisory policy is one covering acceptable use of the Internet. This policy might state how employees can use the Internet during the course of business; if they violate the policy, it could lead to disciplinary action or dismissal.
• Informative—Designed not for enforcement, but for teaching. Their goal is to inform employees and/or customers. An example of an informative policy is a return policy on goods bought on the business's website.

Policies and Procedures :
Policies are high-level documents developed by management to transmit its guiding strategy and philosophy to employees. Management and business process owners are responsible for the organization and design of policies to guide it toward success. Policies apply a strong emphasis to the words of management. They define, detail, and specify what is expected from employees and how management intends to meet the needs of customers, employees, and stakeholders. Policies can be developed internally, or can be based on international standards such as Common Criteria or ISO 17799:

• Common Criteria—A framework used to specify security requirements
• ISO 17799—Provides best practice recommendations for implementing good security management

One specific type of policy is the organization's security policy. Security policy dictates management's commitment to the use, operation, and security of information systems and assets. It specifies the role security plays within the organization. Security policy should be driven by business objectives and should meet all applicable laws and regulations. The security policy should also act as a basis to integrate security into all business functions. It serves as a high-level guide to develop lower-level documentation, such as procedures. The security policy must be balanced, in the sense that all organizations are looking for ways to implement adequate security without hindering productivity. The issue also arises that the cost of security cannot be greater than the value of the asset. Figure 2.4 highlights these concerns.

An auditor must look closely at all policies during the audit process and should review these to get a better idea of how specific processes function. As an example, the auditor should examine policies that have been developed for disaster recovery and business continunity. Some questions to consider are what kind of hardware and software backup is used; whether the software backup media is stored off site, and if so, what kind of security does the offsite location have, and what type of access is available? These are just a few of the items an auditor will be tasked with reviewing. The disaster recovery policy is an important part of corrective control.

During the audit, the auditor must verify how well policy actually maps to activity. You might discover that existing policy inhibits business or security practices. Operators might have developed better methods to meet specific goals. When faced with these situations, the auditor should identify the problem and look for ways to improve policy.

Policies don't last forever. Like most things in life, they need to be reviewed periodically to make sure they stay current. Technology becomes obsolete, new technology becomes affordable, and business processes change. Although it's sometimes easy to see that low-level procedures need to be updated, this also applies to high-level policies. Policies are just one level of procedural control. The next focus of discussion is on procedures.

Procedures :
Procedures are somewhat like children—they are detailed documents built from the parent policy. Procedures provide step-by-step instruction. Like children, they are more dynamic than their parent policy. They require more frequent changes to stay relevant to business processes and the technological environment. Procedures are detailed documents tied to specific technologies and devices. Procedures change when equipment changes. The company might have a policy dictating what type of traffic can enter or leave the company's network, but a procedure would provide the step-by-step instruction on how the policy is to be carried out. As an example, if your company has a CheckPoint firewall, the procedure would provide step-by-step instruction on its configuration. If the company decided to migrate to a Cisco Adaptive Security Appliance (ASA), the policy would remain unchanged, but the procedure for configuration of the firewall would change.

During an audit, the auditor must review all relevant procedures and map them to employee behavior through direct observation or interview. Misalignment can mean that there are no existing procedures, that procedures don't map well to existing practices, or that employees have not had the proper or adequate training on the procedures.

B. The aspects that should be considered during the drafting of an Information Security policy document.

A security policy can be as broad as you want it to be from everything related to IT security and the security of related physical assets, but enforceable in its full scope. The following list offers some important considerations when developing an information security policy.

1. Purpose
First state the purpose of the policy which may be to:

• Create an overall approach to information security.
• Detect and preempt information security breaches such as misuse of networks, data, applications, and computer systems.
• Maintain the reputation of the organization, and uphold ethical and legal responsibilities.
• Respect customer rights, including how to react to inquiries and complaints about non-compliance.

2. Audience
Define the audience to whom the information security policy applies. You may also specify which audiences are out of the scope of the policy (for example, staff in another business unit which manages security separately may not be in the scope of the policy).

3. Information security objectives
Guide your management team to agree on well-defined objectives for strategy and security. Information security focuses on three main objectives:

• Confidentiality—only individuals with authorization canshould access data and information assets
• Integrity—data should be intact, accurate and complete, and IT systems must be kept operational
• Availability—users should be able to access information or systems when needed.

4. Authority and access control policy

• Hierarchical pattern—a senior manager may have the authority to decide what data can be shared and with whom. The security policy may have different terms for a senior manager vs. a junior employee. The policy should outline the level of authority over data and IT systems for each organizational role.
• Network security policy—users are only able to access company networks and servers via unique logins that demand authentication, including passwords, biometrics, ID cards, or tokens. You should monitor all systems and record all login attempts.

5. Data classification
The policy should classify data into categories, which may include “top secret”, “secret”, “confidential” and “public”. Your objective in classifying data is:

To ensure that sensitive data cannot be accessed by individuals with lower clearance levels.
To protect highly important data, and avoid needless security measures for unimportant data.

6. Data support and operations

• Data protection regulations—systems that store personal data, or other sensitive data, must be protected according to organizational standards, best practices, industry compliance standards and relevant regulations. Most security standards require, at a minimum, encryption, a firewall, and anti-malware protection.
• Data backup—encrypt data backup according to industry best practices. Securely store backup media, or move backup to secure cloud storage.
• Movement of data—only transfer data via secure protocols. Encrypt any information copied to portable devices or transmitted across a public network.

7. Security awareness and behavior
Share IT security policies with your staff. Conduct training sessions to inform employees of your security procedures and mechanisms, including data protection measures, access protection measures, and sensitive data classification.

• Social engineering—place a special emphasis on the dangers of social engineering attacks. Make employees responsible for noticing, preventing and reporting such attacks.
• Clean desk policy—secure laptops with a cable lock. Shred documents that are no longer needed. Keep printer areas clean so documents do not fall into the wrong hands.
• Acceptable Internet usage policy—define how the Internet should be restricted. Do you allow YouTube, social media websites, etc.? Block unwanted websites using a proxy.

8. Responsibilities, rights, and duties of personnel
Appoint staff to carry out user access reviews, education, change management, incident management, implementation, and periodic updates of the security policy. Responsibilities should be clearly defined as part of the security policy.