IT Assurance and Reliability
Why Should You Care?
Richard Oppenheim, CPA, CITP
President, SysTrust Services Corporation
Presented to ISACA Regional Meeting
Denver, CO October 17, 2001
Prepared by SysTrust Services Corporation
Today’s Discussion
Valuable Assets need reliable protection
Dealing with Uncertainty in Uncertain Times
Ideas for assuring control
Valuable assets need to be reliable
Overcoming loss of resources
Average laptops lost / day = 1,000
Identify costs to replace - Equipment and Resources Data
What is cost of Data in the hands of someone you do not control?
Business Systems
Data is business foundation
Decision making – too much and too little
IT systems include relationships
Take inventory of what you have
Back ups internal and off site
Data, Applications, Operations, Data Networks
Documentation, Procedures manuals
Redundant operations, Hot Sites
Controls
Reliable Systems Are Needed
More than just financial
Data to manage business processes
Control at all levels
Design
Development
Maintenance
Monitoring
Data, Applications, Resources
People, Paper, Procedures
Why should you care?
7 World Trade Center
Reliable Systems - Verification
Beneficiaries
Board, Management, Staff
Customers
Bankers, Insurers, Investors
Vendors
Goals
Opinion for Business Continuity
On time, On budget, On point
Reliable Systems - Verification
Audit Goals – Now & Future
Continuous auditing and reporting
Understanding IT business process
Certification opportunity
Controls determine CRITERIA
System reliability is goal
Reliable Systems - Assurance
Internal vs External Needs
Need for consistency
Price vs Cost
Spending for prevention
Cost of recovery
Resource Access vs Disaster
Value of assurance
Principles of SysTrust
SysTrust from AICPA
SysTrust is a report issued by a CPA or CA on the “Reliability” of an entity’s system.
Reliable Systems
COBIT from ISACA
IT GOVERNANCE
A structure of relationships and processes to direct and control the enterprise in order to achieve the enterprise's goals by adding value while balancing risk versus return over IT and its processes.
Why Get Involved With SysTrust
When there is a system failure the CEO is going to call
Structure and framework built on platform including COBIT
Can be used to help decide if/when outsourcing is appropriate
Due diligence issues
Why is SysTrust Important
Enterprise Resource Planning (ERP)
When employees are busy, controls are put aside or forgotten
Company secrets are more vulnerable
Attacks can cripple business operations
Outsourcing is a financial alternative
SysTrust Services Corp.
Documentation package that provides for:
Definitions of principles, criteria, and controls
Data center self assessment and description
Auditor testing, evaluation, conclusion, plan
Disasters Happen
10 things the SME can do
10 Things the SME can do
1 Management must be involved: executives, senior mgmt, operations, IT
2 Disaster Plan must be in writing
3 Backup data daily and move one copy offsite
4 Practice system outage recovery
5 Understand who the users of the IT system are and where they are located
6 IT and business documents, manuals for operations, training, etc. must be in writing
7 Personnel must also have backups
8 Contracts for outsourced support and services need review
9 IT recovery needs
10 Obtain expert support as needed
How / Where / When to Begin
SHORT TERM
Start NOW
Create procedures for tasks done regularly
Assess value related to process
LONG TERM
Operations redundancy / Hot site
Risk assessment
Continuous auditing
Resistance to Implementation
$
Management priorities elsewhere
Lack of personnel
Lack of resources
Lack of user participation
Issues working against IT Assurance and Reliability
IT Assurance & Reliability
Something to care about – NOW
IT Assurance & Reliability
Richard Oppenheim, CPA, CITP
President, SysTrust Services Corporation
www.systrustservices.com
303-795-8847