INFORMATION TECHNOLOGY ( IT ) GOVERNANCE FRAMEWORK


1. INTRODUCTION

The Board of Directors of the Bidvest Group Limited (the Company) acknowledges the need for an IT Governance Framework as recommended in the Code of Governance Principles for South Africa (King III).

2. PURPOSE OF THE IT GOVERNANCE FRAMEWORK

King III recommends that the Board should be responsible for IT governance and should ensure that an IT framework is adopted and implemented. The responsibility for the implementation of this framework should be delegated to management. The Board should monitor and evaluate significant IT investments and expenditure, as well as ensuring that information assets are managed effectively. The risk and audit committee should assist the Board in carrying out its IT responsibilities. IT should form an integral part of the company's risk management.

3. FRAMEWORK ADOPTION

When reviewing the role IT plays in the business, the following high level risk categories should be considered:

- People risk: What is the level of reliance on IT personnel, considering both key reliance and level of skill?
- Information risk: How is the management team securing data?
- Integrity of data and availability risk: How reliable are the IT systems (both applications and infrastructure)? Is the environment such that audit can supply the audit committee with a level of assurance?
- Legal risk: What legislation / regulations are applicable to the IT environment? How can IT help the business comply with other relevant regulations / legislation?
- Change and project management risk: Is there management level awareness of all the changes to the IT environment and how are these changes monitored?
- Outsourcing risk: What is the level of dependency on IT managed by third parties and how is the third party managing those risks? How is the third party providing outsourced IT services being managed?

Review date: October 2012

4. IT MATURITY ASSESSMENTS

The decentralised and diversified nature of the Group recognises that IT plays a variety of roles throughout. The adoption and implementation of the Group standards should be customised and adapted to meet the needs of each business and/or divisional IT environment. The current and required level of IT maturity will be determined taking into account the business IT strategy and the extent of exposure to risk as identified by the divisional risk committee. The level of IT maturity determines the extent of adoption of the Group standards, as depicted in the table below.

Maturity level 0, Nonexistent
  Status of the environment: There is no need for control in this environment.
  Establishment of controls: No intent to establish controls.

Maturity level 1, Initial/ad hoc
  Status of the environment: Some need for control, but it is disorganised and ad hoc.
  Establishment of controls: Internal reviews performed ad hoc, usually as a result of an incident.

Maturity level 2, Repeatable but intuitive
  Status of the environment: Controls are in place but it is up to the individual to perform them. Not documented.
  Establishment of controls: Controls established for specific IT processes as required by the IT manager.

Maturity level 3, Defined
  Status of the environment: Controls are in place and documented but not managed or measured.
  Establishment of controls: Critical IT processes are defined and ownership attributed to key role players.

Maturity level 4, Managed and measured
  Status of the environment: Depends on a robust system of controls.
  Establishment of controls: IT criticality is regularly defined with full support and agreement from business owners. Business changes consider the criticality of IT processes.

Maturity level 5, Optimised
  Status of the environment: Enterprise wide risk programme provides effective and continuous comfort.
  Establishment of controls: For critical processes, independent assurance reviews are performed.

5. RESPONSIBILITIES

Bidvest Board and Divisional Board
  Responsibilities:
  - To appoint a group / divisional officer responsible for IT management
  - Ensure alignment of business and IT strategies
  - Delegate responsibility for implementing the IT framework to the divisional risk committees
  - Ensure IT is placed on the group and divisional risk committee agendas and regular feedback is provided to the boards
  - The boards must further conclude and report to their stakeholders an assessment regarding the effectiveness of IT governance and management activities
  Responsible person: Chairperson of the board
  Frequency: Annually

Bidvest Group Risk Committee
  Responsibilities:
  - To assist the boards in the function of IT governance
  - Determine and communicate levels of IT risk tolerance / appetite
  - The group risk committee will review the material IT risks as profiled by divisional risk committees and apply its own mind to the completeness of the risks facing the Group
  - To ensure that compliance with the adopted IT standards has been achieved
  Responsible person: Group risk committee chair
  Frequency: Quarterly

Divisional Risk Committee
  Responsibilities:
  - To assist the group risk committee in the function of IT governance
  - To review the material IT risks as profiled by each business and apply its own mind to the completeness of the risks facing the division
  - To ensure the IT maturity assessment has been performed and to review the assessed IT maturity levels, both current and required, within the business and the division
  - To review the identified gap analysis between current and required maturity levels and ensure an appropriate and acceptable plan is in place
  - To monitor progress against the execution of the IT maturity plan
  Responsible person: Divisional risk committee chair
  Frequency: Quarterly

6. MINIMUM GOVERNANCE REQUIREMENTS

The following basic IT policies have been established as the Group standard. These policy requirements should be considered and applied appropriately within each business environment. These policies may exist as a single policy or as separate policies; however, the twelve requirements below should be implemented within each business in order to comply with the Group standard.

1. Information Security
  Objectives: Information is an asset to the business just like any other business asset. Therefore information security is the protection of all company information in any form it may exist (i.e. printed or written on paper, electronic files, or spoken in conversations) from a wide range of threats in order to ensure business continuity, minimise business risk and maximise return on investments.

2. Organisation of Information Security
  Objectives: To manage information security within a business and to maintain the security of this business asset, including information and information processing facilities that are accessed, processed, communicated to, or managed by third parties.

3. Asset
  Objectives: To manage asset classification controls is to maintain appropriate protection of these business assets. All information assets should be accounted for and have an owner. Accountability for assets assists to ensure that appropriate protection is maintained. Information needs to be classified to ensure that the information asset gets the correct level of protection.

4. Human Resources Security
  Objectives: To set guidelines on how to reduce the risks of human error, theft, fraud or misuse of the business facilities, as well as to ensure that users are aware of information security threats and concerns and are adequately equipped to support the security policy during their everyday work. Personnel need to be informed with regards to how they should handle security threats in order to minimise the damage caused by such threats.

5. Physical and Environmental Security
  Objectives: To prevent unauthorised access, damage and interference to business premises and information; loss, damage or compromise of assets and interruption to business activities; and compromise or theft of information and information processing facilities.

6. Computer and Telecom Usage
  Objectives: To ensure the proper use of computer and telecommunication resources and services by its employees, independent contractors and other users, and to require that all users commit themselves to the responsible use of the computer and telecommunications resources for the benefit only of the business in an efficient, ethical and lawful manner.

7. Communication and Operations
  Objectives: To ensure the correct and secure operation of information processing facilities; to minimise the risk of system failures; to document all current system processes; to appropriately control any changes made to the systems by way of change management; and to ensure any new system that is implemented is properly introduced into the new business environment so as to limit the exposure of system failure to the business.

8. Access Control
  Objectives: To prevent unauthorised logical and physical access to the business information and information processing facilities through controlling of user access, password controls, etc.

9. Backup and Recovery
  Objectives: To maintain integrity and availability of the business information through guiding backup procedures; frequency of backups; rotation of backup media; storage of backups; restoration from backup media, etc.

10. Monitoring
  Objectives: To detect any unauthorised information processing activities through the use of audit logging and error logging mechanisms.

11. Business Continuity
  Objectives: To counteract interruptions to business and to protect critical business processes from the effects of major failures of information systems or disasters, and to ensure their timely resumption.

12. Information Security Incident
  Objectives: To ensure information security events and weaknesses associated with information systems are communicated in a manner allowing timely corrective action to be taken, as well as to ensure a consistent and effective approach is applied to the management of information security incidents.

7. EVALUATION

The evaluation of this framework and related policies should be performed annually.

8. APPROVAL OF THIS FRAMEWORK

On an annual basis this framework is reviewed and recommended to the board of directors and signed on their behalf by the Chairman of the board.