IT systems assurance is the process by which the CIO/CTO provides evidence to senior management that the IT function is meeting its governance requirements relating to the acquisition and implementation of new systems and their subsequent delivery and support of IT services to stakeholders. It primarily concerns itself with governance, confidentiality, integrity, availability, compliance and value for money.
IT has a poor history of developing, implementing and supporting well controlled business solutions which provide value for money to the enterprise. IT systems assurance is the process whereby the CIO/CTO provides evidence that their acquisition and implementation processes will ensure that the solution is delivered on time and to budget, meets the business requirement, and provides suitable security, compliance, maintainability, environmental and sustainability characteristics.
- Acquisition and implementation
- Third-party supplier assurance
- Full life cycle
- International & National Standards
BCS position on key issues:
Acquisition and implementation: Most development methods concern themselves with tracking delivery timescales and budgets. BCS believes that consideration should focus on the ability of the delivered solution to operate in the target environment, integrate with other processes and have clear security and compliance objectives. This should extend into the supply chain to an equal degree, particularly where significant parts of the solution rely on outsourced implementation and/or support resources. The ongoing maintenance of the solution should be considered during the design or acquisition phase.
Confidentiality: We believe that the level of access to the code and data should be specified at the design or acquisition phase, together with an ongoing assurance programme, such as that required for ISO 27001 compliance.
Integrity: The quality requirements for code and data should be specified at the design or acquisition phase, together with an ongoing assurance programme, such as that proposed for Sarbanes-Oxley compliance.
Availability: The availability requirements for the solution should be specified at the design or acquisition phase, together with an ongoing assurance programme, such as that required for ISO 20000 compliance.
Compliance: The internal and external compliance requirements for code and data should be specified at the design or acquisition phase, together with an ongoing assurance programme to prove that all statutory and regulatory requirements are complied with, such as the Data Protection Act and the Computer Misuse Act. This should be extended to suppliers through contractual arrangements and rigorous assessment of suppliers at appropriate time intervals.
Reliability: Evidence should show that all of the above operate consistently over time, not only at the point of delivery.
Maintenance: The ongoing maintenance mechanisms should be specified at the design stage so that change is suitably controlled, such as is required for ISO 9001, over its full life-cycle from requirements to decommissioning.
Assurance process: IT systems assurance can be obtained in a variety of ways:
- Control environment assessment
- Control self-assessment
- Independent assessment
The assurance process is often a comparison against a known baseline, or best practice. Baselines may be internal, such as a service level agreement, or external such as international standards relating to IT:
- ISO 8000 (Data quality)
- ISO 9000 (Quality process)
- ISO 9126 (Software quality)
- ISO 15504 (Process assessment)
- ISO 20000 (Service delivery & support)
- ISO 22301 (Business continuity)
- ISO 27000 (Information security)
- ISO 31000 (Risk management)
- ISO 38500 (IT governance)
Other baselines are the IT Infrastructure Library (ITIL) and Control Objectives for IT (COBIT).
IT systems assurance can also be obtained by conducting penetration testing, by extracting and checking data for integrity, and by parallel simulation of code.
Any assurance should extend to third-party suppliers, either by utilising their own verified assurance process or by conducting additional tests that take them into account.
Where possible, the assurance process should comply with standards provided by the Institute of Internal Auditors (IIA) and/or the Information Systems and Assurance Association (ISACA), or other relevant professional bodies.
Assurance reporting: We believe that senior management should require the CIO/CTO to report regularly on their assurance programme and on compliance with appropriate internal and external requirements, and should act on the findings. This may include independent assessments from internal and/or external audit, risk management and specialist assessors such as penetration testers.
International & National Standards and the Regulatory Framework
The above requirements must be considered within the framework of international and national standards and the regulatory requirements within a specific industry sector. It is incumbent on the CIO/CTO to check for the existence of relevant standards and regulations.