COBIT - IT Governance - CEN 667
Source: kemal.bhsearch.com/wp-content/uploads/2012/11/07_COBIT.pdf

Upload: dangnga

Post on 28-Aug-2018


Page 1: COBIT - BHSEARCH.COMkemal.bhsearch.com/wp-content/uploads/2012/11/07_COBIT.pdf · What is the Control Objectives document? ... As a control model, CobiT should be tailored to organizational,

COBIT

IT Governance

CEN 667


Project proposal (week 4)

• The goal of the projects is to find applicable measurement and metric methods to improve processes:

– For the 27000 series of standards, 27001 and 27004
– For ITIL
– For Business Continuity and BS 25999
– For Disaster Recovery
– For Penetration testing
– For Operational and Security Incident management
– For Risk Management
– Secure method for visual authentication
– Mobile security access with speech recognition
– Other, agreed with the lecturer

• Literature review on the selected topic - between 500 and 1000 words
• Proposal for improvements of the chosen method, approach or technique - up to 2000 words
• List of references
• Document prepared in two columns, as it should be prepared for a conference paper
• Weekly report on updates


Project proposal (week 7)

Candidate | Topic | Literature review draft | Paper
Azizah Ibrahim | Mobile IPv6 handover packet loss avoidance | NO | NO
Emina Aličković | A Novel Intrusion System Based on Support Vector Machines | NO | NO
Jasmin Kevrić | Algorithm improvement for the network anomaly detection using improved KDD 2009 | NO | NO
Adnan Miljković | Implementation of two factor authentication for web application | YES (463 words) | NO
Fatih Ozturk | Evolutionary Computation Method Application for Network Intrusion Detection System using Real Network Data | NO | NO
Tarik Kraljić | NO | NO | NO
Adnan Kraljić | NO | NO | NO


Lectures Schedule

Week | Topic
Week 1 | Introduction to IT governance
Week 2 | Overview of Information Security standards - ISO 27000 series of standards (27001, 27002, 27003, 27004, 27005)
Week 3 | Information Technology Service management ISO 20000-1 and ISO 20000-2
Week 4 | ITIL
Week 5 | Business Continuity and BS 25999-1 and BS 25999-2
Week 6 | Disaster Recovery
Week 7 | COBIT
Week 8 | Project implementation (ISO 10006 and ISO 27003)
Week 9 | Midterm
Week 10 | Risk Management (ISO 27005)
Week 11 | Application and Network Security and security testing
Week 12 | Specific Requirements and Controls Implementation (ISO 27002)
Week 13 | Operational and Security Incident management
Week 14 | Performance Measurement and Metrics (ISO 27004)
Week 15 | Audit (ISO 19011) and Plan-Do-Check-Act improvement cycle


What is CobiT?

What is the CobiT Framework?

What is the Control Objectives document?

How can auditors effectively use CobiT?


Authoritative, up-to-date, international set of generally accepted IT control objectives and control practices for day-to-day use by business managers and auditors.

Structured and organized to provide a powerful control model.


CobiT is designed to be the breakthrough IT governance tool that helps in understanding and managing the risks and benefits associated with information and related IT.


CobiT = Control OBjectives for Information and related Technology


• Right information, to only the right party, at the right time.

• Information that is relevant, reliable and secure.

• Information provided by systems that have integrity by means of a well-managed and properly controlled IT environment.


A structure of relationships and processes to direct and control the enterprise in order to achieve the enterprise’s goals by adding value while balancing risk versus return over IT and its processes.


IT Governance Objectives

• IT is aligned with the business and enables the business to maximize benefit

• IT resources are safeguarded and used in a responsible and ethical manner

• IT-related risks are addressed through appropriate controls and managed to minimize risk and exposure


• The need for better operational controls

• Technology that makes new business processes possible may come with a loss of control

• Demand for increased effectiveness and efficiency

• The importance of technology

• The need to hold officers and senior management accountable and strengthen governance


• Dashboard: How do responsible managers keep the ship on course?

• Scorecard: How do we achieve satisfactory results for our stake-holders?

• Benchmarking: How do we adapt in a timely manner to trends, developments, and “best practices” for our organization’s environment?


• Increasing dependence on information and the systems that deliver the information

• Increasing vulnerabilities and a wide spectrum of threats, such as cyber threats and information warfare

• Scale and cost of the current and future investments in information and information systems

• Potential for technologies to dramatically change organisations and business practices, create new opportunities and reduce costs


Figure: evolution of the IT environment and its controls.

1980s - Glass-house: data centres, secure buildings
1990s - Network: business integration, managed networks
21st Century - Cyberspace: virtual value chain, e-commerce, extended enterprise
? ? - Streetwise users; unpredictable and fast; unstructured and innovative; hard to implement


CobiT’s Scope and Overall Objectives


• CobiT focuses on information having integrity and being secure and available.

• At the highest level, it focuses on the importance of information to the long-term success of the organization.


For Information System Services functions, CobiT can be applied from single point IT operations to across the enterprise.

For application systems, CobiT can be applied from a single application-based system to enterprise-based systems.


CobiT is management oriented

Supports corporate and IT governance

Serves as excellent criteria for evaluation and a basis for audit planning


Addresses key attributes of information produced by IT.

Links recommended control practices for IT to business and control objectives.

Provides guidance in implementing and evaluating the appropriateness of IT-related control practices.


As a control model, CobiT should be tailored to organizational, platform and system standards.

Use CobiT as the structure to which you link organization-specific operational and control requirements, policies, and standards.


Helps business process owners to ensure the integrity of information systems and auditors to provide statements of assurance by providing:

– management with generally applicable and accepted standards for good practice for IT control and governance

– users with a solid base upon which to manage IT and obtain assurance

– auditors with excellent criteria for review/audit work


Standards used to determine whether something meets expectations.

Basis upon which one measures or compares something against.

Need to be generally accepted, recognized, understandable, and defendable.

Need to be authoritative.


CobiT as an Authoritative Source


CobiT is an Authoritative Source

• Built on a sound framework of control and IT-related control practices.

• Aligned with de jure and de facto standards and regulations.


Based on a Strong Foundation and Sound Principles of Internal Control


What is Internal Control?

How it is defined impacts its design, exercise, and evaluation.


Purpose of Internal Control

Designed to keep an organization on course toward achievement of its mission, minimizing surprises along the way.

Assist in dealing with rapidly changing economic and competitive environments, shifting customer demands and priorities, and restructuring for future growth.

Source: Committee of Sponsoring Organizations (COSO) of the Treadway Commission, Internal Control - Integrated Framework, Executive Summary, p. 1.


The design, implementation, and proper exercise of a system of internal controls should provide "reasonable assurance" that management's goals are attained, control objectives are addressed, legal obligations are met, and undesired events do not occur.

Controls reduce or eliminate the risk of exposures, or the exposures themselves.


Internal Control

Controls are framed by what is to be attained (control objectives) and the means to attain those goals (the controls).


Goals of Internal Control

“Keep things in Check”

Adhering to the Rules of the Road

Reduce risk

Based Upon “Best Practices”

Proof the Rules Have Been Followed

Provide assurance that operations are according to standard

Keep those blasted auditors happy


Building CobiT’s Definition of Internal Control


Control

Internal control is broadly defined as a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

– efficiency and effectiveness of operations
– reliability of financial reporting
– compliance with applicable laws and regulations

Source: Committee of Sponsoring Organizations (COSO) of the Treadway Commission, Internal Control - Integrated Framework, Executive Summary, p. 1.


Control (as defined by COBIT)

The policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected.

Source: COBIT Control Objectives, p. 12.


IT Control Objective

A statement of desired result or purpose to be achieved by implementing control procedures in a particular IT activity.


CobiT supports all fundamental Internal Control requirements


Internal Control Requirements

Systemization

Documentation

Standards, defined expectations

Measurement

Appropriate risk assessment


Internal Control Requirements

Well-defined operational and control objectives

Appropriate controls

Competent and trustworthy people

Monitoring & evaluation


Figure: the control evaluation cycle. Desired state of system (goals and plans) -> Observe actual state of system (observations) -> Document actual state of system (documentation) -> Evaluate system (evaluation) -> Recommend changes to system (recommendations).

Source: Gelinas and Oram, Accounting Information Systems, 3rd ed., South-Western Publishing, 1996, p. 214.


Figure: Internal Control Review, the same cycle with CobiT supplying the criteria. Criteria via CobiT (goals and plans) -> Observe the process & controls (gain understanding; observations) -> Document the process & controls (AWP & work papers) -> Test & evaluate process & controls (draw conclusions) -> Recommend changes if needed (report recommendations).


Control Principles

Controls should be considered as “built in” rather than “added on”.

Controls need to support control objectives that are tied to business objectives.

In order to support monitoring and evaluation, controls need to be testable and auditable.

Controls need to be cost effective.


Value of Internal Control

• Often the value of internal control is only recognized by the results of not having adequate control in place.

• Control Objectives and related controls are valued by the degree to which they assist an organization to achieve objectives and avoid undesired events.


Control Models:

Structured or organized to present a control framework relative to control objectives and respective internal controls or control practices.

Provide statements of responsibilities for control

Provide guidance regarding mechanisms to assess the need for control, and to design, develop, implement and exercise control

Require that controls be monitored and evaluated.


To Be of Value, a Control Model Should Be:

• Based on sound principles

• Applicable & Flexible in application

• Comprehensible

• Subject to having “staying power”


Impact of Technology on Control

Operational and control objectives change little

• Some technology-specific control objectives change

There is a significant impact on the “mix” of controls used to address the control objectives.

• Technology can facilitate achieving control objectives


Impact of Technology on Audit

Has provided us with some tools to increase audit effectiveness and efficiency

Has allowed us to rethink post and pre-emptive or on-going audit techniques

Has provided opportunities to facilitate achieving control objectives


Control Responsibilities

• Management -- primary responsibility for ensuring that controls are in place and in effect to provide reasonable assurance that operational and control objectives will be met.

• Users -- exercise controls.

• Audit -- evaluates, advises and provides statements of assurance regarding the adequacy of controls.


CobiT

Assists in evaluating appropriateness of controls

Assists in identifying desired states of systems and processes

Assists in identifying what to look for when observing system operations

Provides a working control model for IT-related control objectives


The CobiT Control Model Provides a Framework for Understanding Control Objectives and Control Practices


CobiT Framework


CobiT Framework

Documents relationships among information criteria, IT resources, and IT processes

Links control objectives and control practices to business processes and business objectives

Assists in confirming that appropriate IT processes are in place

Facilitates discussion


CobiT Framework

Facilitates the understanding of the:

– relationship of controls to control objectives,
– importance of focusing on control objectives and their relationship to the business organization and its business processes, and
– value of managed processes and resources tied to strategic initiatives.


COBIT’s Focus on Process and Objectives

Layer | Example
Business (organization) | Retail merchandising (Walmart, etc.)
Objectives/Requirements | ROI, market share, customer loyalty (right product, time, price)
Business Processes (to meet objectives) | Order fulfillment (OE/S, Inventory, Purchasing)
Information Required (for processes) | Data availability and reliability
IT Resources (to provide information) | Data, Application Systems, People
IT Processes (to manage & control resources) | Planning & Organization, Delivery & Support


Framework’s Three Components

Business Requirements for Information

IT Resources

IT Processes


“Business Requirements for Information”

To support business processes and satisfy business objectives, information needs to conform to certain criteria.

COBIT calls these criteria “business requirements for information.”


Sources of Information Criteria

• Quality Requirements: Quality, Cost, Delivery, Better, Cheaper, Faster

• Fiduciary Requirements

– Effectiveness and Efficiency of operations

– Reliability of Financial Reporting

– Compliance with Laws and Regulations

• Security Requirements: Confidentiality, Integrity, Availability


Promotes a Healthy, Constructive Focus on Information Criteria

• Viewing Information as being:

– relevant and reliable
– delivered in a timely, correct, consistent, usable and complete manner
– accurate, complete and valid
– provided through an optimal use of resources
– protected against unauthorized use, manipulation or disclosure
– available when required
– in compliance with legal and contractual obligations


Information Criteria -- The 1st Component

• Effectiveness

• Efficiency

• Confidentiality

• Integrity

• Availability

• Compliance

• Reliability of Information


Information Criteria -- The 1st Component

• Effectiveness: deals with information being relevant and pertinent to the business process as well as being delivered in a timely, correct, consistent, usable and complete manner.

• Efficiency: concerns the provision of information through the optimal (most productive and economical) use of resources. See Framework, p. 14.


Information Criteria -- The 1st Component

• Confidentiality: concerns the protection of sensitive information from unauthorized disclosure.

• Integrity: relates to the accuracy and completeness of information as well as its validity in accordance with business values and expectations.

See Control Objectives, p. 14.


Information Criteria -- The 1st Component

• Availability: relates to information being available when required by the business process now and in the future. It also concerns the safeguarding of necessary resources and associated capabilities.

• Compliance: deals with complying with those laws, regulations and contractual arrangements to which the business process is subject; i.e., externally imposed business criteria.

See Framework, p. 15.


Information Criteria -- The 1st Component

• Reliability of Information: relates to the provision of appropriate information for management to operate the entity, for management in providing financial reporting to users of the financial information, and in providing information to report to regulatory bodies with regard to compliance with laws and regulations.

See Framework, p. 13.


IT Resources -- The 2nd Component

• Data

• Application Systems

• Technology

• Facilities

• People


IT Resources -- The 2nd Component

• Data: Objects in their widest sense (i.e., external and internal), structured and not structured, graphics, sound, etc.

• Application Systems: Application systems are understood to be the sum of manual and programmed procedures.

See Control Objectives, page 14.


IT Resources -- The 2nd Component

• Technology: Hardware, operating systems, data base management, networking, multi-media, etc.

• Facilities: Resources to house and support information systems.

• People: Include staff skills, awareness and productivity to plan, organize, acquire, deliver, support and monitor information systems and services.

See Control Objectives, page 14.


Information Processes (3rd component)

Domains (4): Natural grouping of processes, often matching an organizational domain of responsibility.

Processes (34): A series of joined tasks & activities with natural (control) breaks.

Tasks & Activities (318): Actions needed to achieve a measurable result. Activities have a life-cycle whereas tasks are discrete.

See Framework, p. 16.


COBIT Domains: Information Processes (3rd Component)

Planning / Organization

Acquisition / Implementation

Delivery / Support

Monitoring

Page 70

How do they relate?

• IT Processes: Planning and Organisation; Acquisition and Implementation; Delivery and Support; Monitoring

• IT Resources: Data; Information Systems; Technology; Facilities; Human Resources

• Business Requirements: Effectiveness; Efficiency; Confidentiality; Integrity; Availability; Compliance; Information Reliability

Page 71

IT Resource Management

CobiT underscores and demonstrates a clear understanding that IT resources need to be managed by naturally grouped processes in order to provide organizations with the type, quality, availability and security of information needed to achieve organizational objectives.

Page 72

Framework

• BUSINESS PROCESSES require INFORMATION

• Information Criteria: effectiveness, efficiency, confidentiality, integrity, availability, compliance, reliability

• IT RESOURCES: data, application systems, technology, facilities, people

• What you need vs. what you get: do they match?

Page 73

Process/Criteria Relationships

• Primary: the degree to which the defined control objective directly impacts the information requirement concerned.

• Secondary: the degree to which the defined control objective only satisfies to a lesser extent or indirectly the business requirement concerned.

• Blank: could be applicable; however, requirements are more appropriately satisfied by another criterion in this process and/or by another process.

See Control Objectives, page 17.

= IT Resource is managed by this process

Page 74

The WATERFALL Navigation Aid -- High Level Control Objectives for Each Process

The control of IT Processes, which satisfy Business Requirements, is enabled by Control Statements, considering Control Practices.

See Framework, p. 18.

Page 75

Requirements / Resources / Processes (figure)

• Resources: Data; Application Systems; Technology; Facilities; People

• Processes: Planning and Organisation; Acquisition and Implementation; Delivery and Support; Monitoring

• Requirements: Effectiveness; Efficiency; Confidentiality; Integrity; Availability; Compliance; Reliability

The planning process must consider data integrity requirements.

(By Gustavo Solis)

Page 76

Control Objectives

Page 77

Control Objectives (high-level, by domain)

– Planning and Organisation: 11

– Acquisition and Implementation: 6

– Delivery and Support: 13

– Monitoring: 4


Page 78

Planning and Organization Domain

• 11 High-level Control Objectives

• 100 Detailed Control Objectives (IT-related management control practices)

• 170+ Control Tasks and Activities

Page 79

Planning and Organization

• Develop strategy and tactical plans for IT

• Identify ways that IT can best contribute to the achievement of business objectives

• Plan, communicate, and manage the realization of the strategic vision

• Establish the IT organization and set the stage for information management and the technology infrastructure

See Control Objectives, p. 32.

Page 80

Planning and Organization Domain

• PO 1 Define a Strategic Information Technology Plan

• PO 2 Define the Information Architecture

• PO 3 Determine the Technological Direction

• PO 4 Define the IT Organization and Relationships

• PO 5 Manage the Investment in Information Technology

• PO 6 Communicate Management Aims and Directions


Page 81

Planning and Organization Domain

• PO 7 Manage Human Resources

• PO 8 Ensure Compliance with External Requirements

• PO 9 Assess Risks

• PO 10 Manage Projects

• PO 11 Manage Quality


Page 82

Acquisition and Implementation Domain

• 6 High-level Control Objectives

• 68 Detailed Control Objectives (IT-related management control practices)

• 100+ Control Tasks and Activities

Page 83

Acquisition and Implementation

• IT solutions

– Identified

– Developed or acquired

– Implemented

– Integrated into the business processes

• Change and maintain existing systems

See Framework, p. 17.

Page 84

Acquisition and Implementation Domain

• AI 1 Identify Automated Solutions

• AI 2 Acquire and Maintain Application Software

• AI 3 Acquire & Maintain Technology Infrastructure

• AI 4 Develop and Maintain IT Procedures

• AI 5 Install and Accredit Systems

• AI 6 Manage Changes

Page 85

Delivery and Support Domain

• 13 High-level Control Objectives

• 126 Detailed Control Objectives (IT-related management control practices)

• 190+ Control Tasks and Activities

Page 86

Delivery and Support

• Deliver required services

• Ensure security and continuity of services

• Set up support processes, including training

• Process data (including “application” controls)

See Control Objectives, p. 90.

Page 87

Delivery and Support Domain

• DS 1 Define Service Levels

• DS 2 Manage Third-Party Services

• DS 3 Manage Performance and Capacity

• DS 4 Ensure Continuous Service

• DS 5 Ensure Systems Security

• DS 6 Identify and Allocate Costs

• DS 7 Educate and Train Users

Page 88

Delivery and Support Domain

• DS 8 Assist and Advise IT Customers

• DS 9 Manage the Configuration

• DS 10 Manage Problems and Incidents

• DS 11 Manage Data

• DS 12 Manage Facilities

• DS 13 Manage Operations

Page 89

Monitoring Domain

• 4 High-level Control Objectives

• 24 Detailed Control Objectives (IT-related management control practices)

• 51+ Control Tasks and Activities

Page 90

Monitoring Domain

• Regularly assess IT processes for

– Quality

– Compliance with control requirements

• Addresses management oversight of organization’s control provisions

• Provides for audit function

See Control Objectives, p. 126.

Page 91

Monitoring Domain

• M 1 Monitor the Process

• M 2 Assess Internal Control Adequacy

• M 3 Obtain Independent Assurance

• M 4 Provide for Independent Audit


Page 92

Thank you