Source: kemal.bhsearch.com/wp-content/uploads/2012/11/07_cobit.pdf
COBIT
IT Governance
CEN 667
Project proposal (week 4)
• Goal of the projects is to find applicable measurement and metric methods to improve processes:
– For the 27000 series of standards, 27001 and 27004
– For ITIL
– For Business Continuity and BS 25999
– For Disaster Recovery
– For Penetration testing
– For Operational and Security Incident management
– For Risk Management
– Secure method for visual authentication
– Mobile security access with speech recognition
– Other, agreed with the lecturer
• Literature review on the selected topic: between 500 and 1000 words
• Proposal for improvements of the chosen method, approach or technique: up to 2000 words
• List of references
• Document prepared in two columns, as it should be prepared for the conference paper
• Weekly report on updates
Project proposal (week 7)
Candidate | Topic | Literature review draft | Paper
Azizah Ibrahim | Mobile IPv6 handover packet loss avoidance | NO | NO
Emina Aličković | A Novel Intrusion System Based on Support Vector Machines | NO | NO
Jasmin Kevrić | Algorithm improvement for the network anomaly detection using improved KDD 2009 | NO | NO
Adnan Miljković | Implementation of two factor authentication for web application | YES (463 words) | NO
Fatih Ozturk | Evolutionary Computation Method Application for Network Intrusion Detection System using Real Network Data | NO | NO
Tarik Kraljić | NO | NO | NO
Adnan Kraljić | NO | NO | NO
Lectures Schedule
Week 1: Introduction to IT governance
Week 2: Overview of Information Security standards - ISO 27000 series of standards (27001, 27002, 27003, 27004, 27005)
Week 3: Information Technology Service management ISO 20000-1 and ISO 20000-2
Week 4: ITIL
Week 5: Business Continuity and BS 25999-1 and BS 25999-2
Week 6: Disaster Recovery
Week 7: COBIT
Week 8: Project implementation (ISO 10006 and ISO 27003)
Week 9: Midterm
Week 10: Risk Management (ISO 27005)
Week 11: Application and Network Security and security testing
Week 12: Specific Requirements and Controls Implementation (ISO 27002)
Week 13: Operational and Security Incident management
Week 14: Performance Measurement and Metrics (ISO 27004)
Week 15: Audit (ISO 19011) and Plan-Do-Check-Act improvement cycle
What is CobiT?
What is the CobiT Framework?
What is the Control Objectives document?
How can auditors effectively use CobiT?
Authoritative, up-to-date, international set of generally accepted IT control objectives and control practices for day-to-day use by business managers and auditors. Structured and organized to provide a powerful control model.
CobiT is designed to be the break-through IT governance tool that helps in the understanding and managing of risks and benefits associated with information and related IT.
CobiT stands for Control OBjectives for Information and related Technology.
• Right information, to only the right party, at the right time.
• Information that is relevant, reliable and secure.
• Information provided by systems that have integrity by means of a well-managed and properly controlled IT environment.
A structure of relationships and processes to direct and control the enterprise in order to achieve the enterprise’s goals by adding value while balancing risk versus return over IT and its processes.
IT Governance Objectives
• IT is aligned with the business and enables the business to maximize benefit
• IT resources are safeguarded and used in a responsible and ethical manner
• IT-related risks are addressed through appropriate controls and managed to minimize risk and exposure
• The need for better operational controls
• Technology that makes new business processes possible may come with a loss of control
• Demand for increased effectiveness and efficiency
• The importance of technology
• The need to hold officers and senior management accountable and strengthen governance
• Dashboard: How do responsible managers keep the ship on course?
• Scorecard: How do we achieve satisfactory results for our stake-holders?
• Benchmarking: How do we adapt in a timely manner to trends, developments, and “best practices” for our organization’s environment?
• Increasing dependence on information and the systems that deliver the information
• Increasing vulnerabilities and a wide spectrum of threats, such as cyber threats and information warfare
• Scale and cost of the current and future investments in information and information systems
• Potential for technologies to dramatically change organisations and business practices, create new opportunities and reduce costs
(Figure: timeline of the IT environment, recovered as text)
1980s: Glass-house - data centres, secure buildings
1990s: Network - business integration, managed networks
21st Century: Cyberspace - virtual value chain, e-commerce, extended enterprise
? ?: Streetwise users - unpredictable and fast, unstructured and innovative, hard to implement
CobiT’s Scope and Overall Objectives
• CobiT focuses on information having integrity and being secure and available.
• At the highest level, it focuses on the importance of information to the long-term success of the organization.
For Information System Services functions, CobiT can be applied from single point IT operations to across the enterprise.
For application systems, CobiT can be applied from a single application-based system to enterprise-based systems.
CobiT is management oriented
Supports corporate and IT governance
Serves as excellent criteria for evaluation and a basis for audit planning
Addresses key attributes of information produced by IT.
Links recommended control practices for IT to business and control objectives.
Provides guidance in implementing and evaluating the appropriateness of IT-related control practices.
As a control model, CobiT should be tailored to organizational, platform and system standards.
Use CobiT as the Structure to which you link organization-specific operational and control requirements, policies, and standards
Helps business process owners to ensure the integrity of information systems and auditors to provide statements of assurance by providing:
– management with generally applicable and accepted standards for good practice for IT control and governance
– users with a solid base upon which to manage IT and obtain assurance
– auditors with excellent criteria for review/audit work
Standards used to determine whether something meets expectations.
Basis upon which one measures or compares something against.
Need to be generally accepted, recognized, understandable, and defendable.
Need to be authoritative.
CobiT as an Authoritative Source
CobiT is an Authoritative Source
• Built on a sound framework of control and IT-related control practices.
• Aligned with de jure and de facto standards and regulations.
Based on a Strong Foundation and Sound Principles of Internal Control
What is Internal Control?
How it is defined impacts its design, exercise, and evaluation.
Purpose of Internal Control
Designed to keep an organization on course toward achievement of its mission minimizing surprises along the way.
Assist in dealing with rapidly changing economic and competitive environments, shifting customer demands and priorities, and restructuring for future growth.
Source: Committee of Sponsoring Organizations (COSO) of the Treadway Commission, Internal Control - Integrated Framework, Executive Summary, p. 1.
The design, implementation, and proper exercise of a system of internal controls should provide "reasonable assurance" that management's goals are attained, control objectives are addressed, legal obligations are met, and undesired events do not occur.
Controls reduce or eliminate the risk of exposures, or the exposures themselves.
Internal Control
Controls are framed by what is to be attained (control objectives) and the means to attain those goals (the controls).
Goals of Internal Control
“Keep things in Check”
Adhering to the Rules of the Road
Reduce risk
Based Upon “Best Practices”
Proof the Rules Have Been Followed
Provide assurance that operations are according to standard
Keep those blasted auditors happy
Building CobiT's Definition of Internal Control
Internal control is broadly defined as a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
– efficiency and effectiveness of operations
– reliability of financial reporting
– compliance with applicable laws and regulations
Source: Committee of Sponsoring Organizations (COSO) of the Treadway Commission, Internal Control - Integrated Framework, Executive Summary, p. 1.
Control (as defined by COBIT)
The policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected.
Source: COBIT Control Objectives, p. 12.
IT Control Objective
A statement of desired result or purpose to be achieved by implementing control procedures in a particular IT activity.
CobiT supports all fundamental Internal Control requirements
Internal Control Requirements
Systemization
Documentation
Standards, defined expectations
Measurement
Appropriate risk assessment
Internal Control Requirements
Well-defined operational and control objectives
Appropriate controls
Competent and trustworthy people
Monitoring & evaluation
(Figure: control loop, recovered as text)
Goals and plans define the desired state of the system.
Observe the actual state of the system -> Observations
Document the actual state of the system -> Documentation
Evaluate the system -> Evaluation
Recommend changes to the system -> Recommendations
Source: Gelinas and Oram, Accounting Information Systems, 3rd ed., South-Western Publishing, 1996, p. 214.
Internal Control Review (figure, recovered as text)
Criteria via CobiT: goals and plans
Observe the process & controls -> gain understanding (Observations)
Document the process & controls -> AWP & Work Papers
Test & evaluate the process & controls -> draw conclusions
Recommend changes if needed -> report recommendations
Control Principles
Controls should be considered as “built in” rather than “added on”.
Controls need to support control objectives that are tied to business objectives.
In order to support monitoring and evaluation, controls need to be testable and auditable.
Controls need to be cost effective.
Value of Internal Control
• Often the value of internal control is only recognized by the results of not having adequate control in place.
• Control Objectives and related controls are valued by the degree to which they assist an organization to achieve objectives and avoid undesired events.
Control Models:
Structured or organized to present a control framework relative to control objectives and respective internal controls or control practices.
Provide statements of responsibilities for control
Provide guidance regarding mechanisms to assess the need for control, and to design, develop, implement and exercise control
Requires that controls be monitored and evaluated.
To Be of Value, a Control Model Should Be:
• Based on sound principles
• Applicable & Flexible in application
• Comprehendible
• Subject to having “staying power”
Impact of Technology on Control
• Operational and control objectives change little
• Some technology-specific control objectives change
• There is a significant impact on the "mix" of controls used to address the control objectives
• Technology can facilitate achieving control objectives
Impact of Technology on Audit
Has provided us with some tools to increase audit effectiveness and efficiency
Has allowed us to rethink post and pre-emptive or on-going audit techniques
Has provided opportunities to facilitate achieving control objectives
Control Responsibilities
• Management -- primary responsibility for ensuring that controls are in place and in effect to provide reasonable assurance that operational and control objectives will be met.
• Users -- exercise controls.
• Audit -- evaluates, advises and provides statements of assurance regarding the adequacy of controls.
CobiT
Assists in evaluating appropriateness of controls
Assists in identifying desired states of systems and processes
Assists in identifying what to look for when observing system operations
Provides a working control model for IT-related control objectives
The CobiT Control Model Provides a Framework for Understanding Control Objectives and Control Practices
CobiT Framework
CobiT Framework
Documents relationships among information criteria, IT resources, and IT processes
Links control objectives and control practices to business processes and business objectives
Assists in confirming that appropriate IT processes are in place
Facilitates discussion
CobiT Framework
Facilitates the understanding of the:
– relationship of controls to control objectives,
– importance of focusing on control objectives and their relationship to the business organization and its business processes, and
– value of managed processes and resources tied to strategic initiatives.
COBIT's Focus on Process and Objectives (worked example)
Business (organization): Retail merchandising (Walmart, etc.)
Objectives/Requirements: ROI, market share, customer loyalty (right product, time, price)
Business Processes (to meet objectives): Order fulfillment (OE/S, Inventory, Purchasing)
Information Required (for processes): Data availability and reliability
IT Resources (to provide information): Data, Application Systems, People
IT Processes (to manage & control resources): Planning & Organization, Delivery & Support
Framework’s Three Components
Business Requirements for Information
IT Resources
IT Processes
“Business Requirements for Information”
To support business processes and satisfy business objectives, information needs to conform to certain criteria.
COBIT calls these criteria “business requirements for information.”
Sources of Information Criteria
• Quality Requirements: Quality, Cost, Delivery, Better, Cheaper, Faster
• Fiduciary Requirements
– Effectiveness and Efficiency of operations
– Reliability of Financial Reporting
– Compliance with Laws and Regulations
• Security Requirements: Confidentiality, Integrity, Availability
Promotes a Healthy, Constructive Focus on Information Criteria
• Viewing Information as being:
– relevant and reliable
– delivered in a timely, correct, consistent, usable and complete manner
– accurate, complete and valid
– provided through an optimal use of resources
– protected against unauthorized use, manipulation or disclosure
– available when required
– in compliance with legal and contractual obligations
Information Criteria -- The 1st Component
• Effectiveness
• Efficiency
• Confidentiality
• Integrity
• Availability
• Compliance
• Reliability of Information
Information Criteria -- The 1st Component
• Effectiveness: deals with information being relevant and pertinent to the business process as well as being delivered in a timely, correct, consistent, usable and complete manner.
• Efficiency: concerns the provision of information through the optimal (most productive and economical) use of resources. See Framework, p. 14.
Information Criteria -- The 1st Component
• Confidentiality: concerns the protection of sensitive information from unauthorized disclosure.
• Integrity: relates to the accuracy and completeness of information as well as its validity in accordance with business values and expectations.
See Control Objectives, p. 14.
Information Criteria -- The 1st Component
• Availability: relates to information being available when required by the business process now and in the future. It also concerns the safeguarding of necessary resources and associated capabilities.
• Compliance: deals with complying with those laws, regulations and contractual arrangements to which the business process is subject; i.e., externally imposed business criteria.
See Framework, p. 15.
Information Criteria -- The 1st Component
• Reliability of Information: relates to the provision of appropriate information for management to operate the entity and for management in providing financial reporting to users of the financial information, and in providing information to report to regulatory bodies with regard to compliance with laws and regulations.
See Framework, p. 13.
IT Resources -- The 2nd Component
• Data
• Application Systems
• Technology
• Facilities
• People
IT Resources -- The 2nd Component
• Data: Objects in their widest sense (i.e., external and internal), structured and not structured, graphics, sound, etc.
• Application Systems: Application systems are understood to be the sum of manual and programmed procedures.
See Control Objectives, page 14.
IT Resources -- The 2nd Component
• Technology: Hardware, operating systems, data base management, networking, multi-media, etc.
• Facilities: Resources to house and support information systems.
• People: Include staff skills, awareness and productivity to plan, organize, acquire, deliver, support and monitor information systems and services.
See Control Objectives, page 14.
Information Processes (3rd component)
Domains (4): natural grouping of processes, often matching an organizational domain of responsibility.
Processes (34): a series of joined tasks & activities with natural (control) breaks.
Tasks & Activities (318): actions needed to achieve a measurable result. Activities have a life-cycle, whereas tasks are discrete.
See Framework, p. 16.
COBIT Domains: Information Processes (3rd Component)
• Planning / Organization
• Acquisition / Implementation
• Delivery / Support
• Monitoring
How do they relate?
IT Processes (four domains): Planning and organisation; Acquisition and implementation; Delivery and Support; Monitoring
IT Resources: Data; Information Systems; Technology; Facilities; Human Resources
Business Requirements (information criteria): Effectiveness; Efficiency; Confidentiality; Integrity; Availability; Compliance; Information Reliability
IT Resource Management
CobiT underscores and demonstrates a clear understanding that IT resources need to be managed by naturally grouped processes in order to provide organizations with type and quality, and availability and security of information needed to achieve organizational objectives.
Framework (figure, recovered as text)
Business processes need information ("what you need"), judged against the information criteria: effectiveness, efficiency, confidentiality, integrity, availability, compliance, reliability.
IT resources deliver information ("what you get"): data, application systems, technology, facilities, people.
Do they match?
Process/Criteria Relationships
• Primary: the degree to which the defined control objective directly impacts the information requirement concerned.
• Secondary: the degree to which the defined control objective only satisfies to a lesser extent or indirectly the business requirement concerned.
• Blank: could be applicable; however, requirements are more appropriately satisfied by another criteria in this process and/or another process.
See Control Objectives, page 17.
(Matrix legend: a mark indicates that the IT resource is managed by this process.)
The WATERFALL Navigation Aid -- High Level Control Objectives for Each Process
Read top to bottom: the control of IT Processes, which satisfy Business Requirements, is enabled by Control Statements, considering Control Practices.
See Framework, p. 18.
(Figure: process / requirements / resources matrix, recovered as text)
Requirements: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability
Resources: Data, Application Systems, Technology, Facilities, People
Domains: Planning and Organisation, Acquisition and Implementation, Delivery and Support, Monitoring
Example reading of the matrix: the planning process must consider data integrity requirements. (By Gustavo Solis)
Control Objectives (high-level, per domain)
– Planning and Organisation: 11
– Acquisition and Implementation: 6
– Delivery and Support: 13
– Monitoring: 4
Planning and Organization Domain
• 11 High-level Control Objectives
• 100 Detailed Control Objectives (IT-related management control practices)
• 170+ Control Tasks and Activities
Planning and Organization
• Develop strategy and tactical plans for IT
• Identify ways that IT can best contribute to the achievement of business objectives
• Plan, communicate, and manage the realization of the strategic vision
• Establish the IT organization and set the stage for information management and the technology infrastructure
See Control Objectives, p. 32.
Planning and Organization Domain
• PO 1 Define a Strategic Information Technology Plan
• PO 2 Define the Information Architecture
• PO 3 Determine the Technological Direction
• PO 4 Define the IT Organization and Relationships
• PO 5 Manage the Investment in Information Technology
• PO 6 Communicate Management Aims and Directions
Planning and Organization Domain
• PO 7 Manage Human Resources
• PO 8 Ensure Compliance with External Requirements
• PO 9 Assess Risks
• PO 10 Manage Projects
• PO 11 Manage Quality
Acquisition and Implementation Domain
• 6 High-level Control Objectives
• 68 Detailed Control Objectives
(IT-related management control practices)
• 100+ Control Tasks and Activities
Acquisition and Implementation
• IT solutions
– Identified
– Developed or acquired
– Implemented
– Integrated into the business processes
• Change and maintain existing systems
See Framework, p. 17.
Acquisition and Implementation Domain
• AI 1 Identify Automated Solutions
• AI 2 Acquire and Maintain Application Software
• AI 3 Acquire & Maintain Technology Infrastructure
• AI 4 Develop and Maintain IT Procedures
• AI 5 Install and Accredit Systems
• AI 6 Manage Changes
Delivery and Support Domain
• 13 High-level Control Objectives
• 126 Detailed Control Objectives
(IT-related management control practices)
• 190+ Control Tasks and Activities
Delivery and Support
• Deliver required services
• Ensure security and continuity of services
• Set up support processes, including training
• Process data (including "application" controls)
See Control Objectives, p. 90.
Delivery and Support Domain
• DS 1 Define Service Levels
• DS 2 Manage Third-Party Services
• DS 3 Manage Performance and Capacity
• DS 4 Ensure Continuous Service
• DS 5 Ensure Systems Security
• DS 6 Identify and Allocate Costs
• DS 7 Educate and Train Users
Delivery and Support Domain
• DS 8 Assist and Advise IT Customers
• DS 9 Manage the Configuration
• DS 10 Manage Problems and Incidents
• DS 11 Manage Data
• DS 12 Manage Facilities
• DS 13 Manage Operations
Monitoring Domain
• 4 High-level Control Objectives
• 24 Detailed Control Objectives (IT-related management control practices)
• 51+ Control Tasks and Activities
Monitoring Domain
• Regularly assess IT processes for
– Quality
– Compliance with control requirements
• Addresses management oversight of organization’s control provisions
• Provides for audit function
See Control Objectives, p. 126.
Monitoring Domain
• M 1 Monitor the Process
• M 2 Assess Internal Control Adequacy
• M 3 Obtain Independent Assurance
• M 4 Provide for Independent Audit
Thank you