generally accepted Information Technology Control Objectives for day-to-day use by business and IT managers and the auditors.” COBIT Mission ...
Our mission is to build relationships and develop innovative solutions which help dynamic people and organizations to create and realize value...
IT Controls and COBIT Presentation © 2004 Wöll Consulting, CH-8807 Freienbach
Homepage: www.woell.ch Email:
[email protected] Tel: +41 55 420 12 72
Changing Emphasis
Ten years ago we were afraid of rockets destroying computing centres... right now, we should be aware of software errors destroying rockets!
Content
• Overview of COBIT
• General understanding of COBIT
• Gain an understanding of IT controls and control objectives
Structure of COBIT (3rd ed)
• Executive Summary: Senior Executives (CEO, CIO): “There is a Method...”
• Framework: Senior Operational Management: “The Method Is...”
• Implementation Tool Set: Director, Middle Management: “Here’s How You Implement...”
• Management Guidelines: Director, Middle Management: “Here’s How You Measure...”
• Control Objectives: Middle Management: “Minimum Controls Are...”
• Audit Guidelines: Line Management, Controls Practitioner: “Here’s How You Audit...”
COBIT Mission
“To research, develop, publicise and promote an authoritative, up-to-date, international set of generally accepted Information Technology Control Objectives for day-to-day use by business and IT managers and the auditors.”
The Framework’s Principles
Linking the management’s IT expectations with the management’s IT responsibilities
COBIT Overview
• Stakeholders: Board, User / Business Owner, Auditor, IT Manager
• Information Technology (“Black-box IT”): IT Processes
• IT Resources: People, Applications, Technologies, Facilities, Data
• COBIT Framework of Controls (domains): Planning & Organisation, Acquisition & Implementation, Delivery & Support, Monitoring
• Information Criteria: Quality, Fiduciary, Security
What’s a control?
Control: “The policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected.”
IT Control Objective: “A statement of the desired result or purpose to be achieved by implementing control procedures in a particular IT activity.”
Example
Control
• policies and directives for the user authorization process (e.g. a directive to apply the ‘4-eyes principle’ in the user authorization process, and segregation of duties in the organization)
• periodic audits of the user rights in specific (most critical) applications, systems and facilities
Control objective
• to make sure that only authorized users have access rights to critical applications, systems and facilities
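The two control activities on this slide, a directive enforcing the 4-eyes principle and a periodic audit of user rights on critical systems, can be checked mechanically. The script below is an added example and not part of the Wöll Consulting slides: it compares a (constructed) export of the rights currently active on critical systems against a (constructed) authorisation register and reports rights with no authorisation on file, grants approved by fewer than two distinct people, grants the beneficiary approved for themselves (a segregation-of-duties breach), and grants whose authorisation has expired. The data classes, the register layout and the review date are assumptions.

```python
"""Periodic review of user access rights on critical applications.

Added example, not code from the slides: checks an access-rights export
against an authorisation register, enforcing the '4-eyes principle'
(two distinct approvers per grant) and segregation of duties (nobody
approves their own access). All sample data is constructed.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Grant:
    """One right as currently provisioned on a system."""
    user: str
    system: str
    role: str


@dataclass(frozen=True)
class Authorisation:
    """One approved grant from the business owner's register."""
    user: str
    system: str
    role: str
    approvers: tuple   # names of the people who approved this grant
    expires: date      # date after which the grant must be re-authorised


# Constructed sample: what the critical systems actually report today.
CURRENT_RIGHTS = [
    Grant("alice", "payroll", "admin"),
    Grant("bob", "payroll", "reader"),
    Grant("carol", "core-banking", "operator"),
    Grant("dave", "core-banking", "operator"),   # no authorisation on file
    Grant("erin", "payroll", "admin"),
]

# Constructed sample: the authorisation register kept by the business owners.
REGISTER = [
    Authorisation("alice", "payroll", "admin", ("mgr1", "mgr2"), date(2025, 12, 31)),
    Authorisation("bob", "payroll", "reader", ("mgr1",), date(2025, 12, 31)),              # one approver only
    Authorisation("carol", "core-banking", "operator", ("carol", "mgr3"), date(2025, 12, 31)),  # self-approved
    Authorisation("erin", "payroll", "admin", ("mgr1", "mgr2"), date(2023, 1, 31)),        # expired
    Authorisation("frank", "payroll", "reader", ("mgr1", "mgr2"), date(2025, 12, 31)),     # authorised, not provisioned
]

REVIEW_DATE = date(2025, 6, 1)   # assumption: the day the review is run


def review_access(current, register, today):
    """Return a dict of findings keyed by finding type.

    unauthorised  - right active on the system with no register entry
    four_eyes     - authorised by fewer than two distinct approvers
    self_approved - the user approved their own access
    expired       - authorisation has lapsed but the right is still active
    """
    index = {(a.user, a.system, a.role): a for a in register}
    findings = {"unauthorised": [], "four_eyes": [], "self_approved": [], "expired": []}
    for g in current:
        auth = index.get((g.user, g.system, g.role))
        if auth is None:
            findings["unauthorised"].append(g)
            continue
        distinct = set(auth.approvers)
        if len(distinct) < 2:
            findings["four_eyes"].append(g)
        if g.user in distinct:
            findings["self_approved"].append(g)
        if auth.expires < today:
            findings["expired"].append(g)
    return findings


def run_review():
    """Run the review over the constructed sample data."""
    return review_access(CURRENT_RIGHTS, REGISTER, REVIEW_DATE)


def format_report(findings):
    """Render findings as one line per affected grant."""
    lines = []
    for kind, grants in findings.items():
        for g in grants:
            lines.append(f"{kind}: {g.user} has {g.role} on {g.system}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(run_review()))
```

Rights that are authorised but not provisioned (frank) are deliberately not reported: the control objective is that nobody has rights they should not have, so the review is driven by what is active on the system, not by the register.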
The COBIT Cube (COBIT = Control Objectives for Information and related Technology)
[Figure: a cube with three dimensions]
• Information Criteria: Quality, Fiduciary, Security
• IT Resources: People, Applications, Technology, Facilities, Data
• IT Processes: Domains, Processes, Activities
Information criteria: Business Requirements
Grouped under Quality, Security and Fiduciary requirements:
• Effectiveness deals with information being relevant and pertinent to the business process as well as being delivered in a timely, correct, consistent and usable manner.
• Efficiency concerns the provision of information through the optimal (most productive and economical) usage of resources.
• Confidentiality concerns protection of sensitive information from unauthorized disclosure.
• Integrity relates to the accuracy and completeness of information as well as to its validity in accordance with the business’ set of values and expectations.
• Availability relates to information being available when required by the business process, and hence also concerns the safeguarding of resources.
• Compliance deals with complying with those laws, regulations and contractual arrangements to which the business process is subject; i.e., externally imposed business criteria.
• Reliability of information relates to systems providing management with appropriate information for it to use in operating the entity, in providing financial reporting to users of the financial information, and in providing information to report to regulatory bodies with regard to compliance with laws and regulations.
IT Resources
• Data: Data objects in their widest sense, i.e., external and internal, structured and non-structured, graphics, sound, etc.
• Application Systems: understood to be the sum of manual and programmed procedures.
• Technology: covers hardware, operating systems, database management systems, networking, multimedia, etc.
• Facilities: Resources to house and support information systems.
• People: Staff skills, awareness and productivity to plan, organise, acquire, deliver, support and monitor information systems and services.
IT Processes
• 4 Domains: Natural grouping of processes, often matching an organisational domain of responsibility.
• 34 Processes: A series of joined activities with natural (control) breaks.
• 318 Activities (Controls): Actions needed to achieve a measurable result. Activities have a life-cycle whereas tasks are discrete.
• >3000 Control Questions
Example of a control
DS Delivery & Support
…
DS 5 Ensure Systems Security
• DS 5.1 Manage Security Measures
• DS 5.2 Identification, Authentication and Access
• DS 5.3 Security of Online Access to Data
• DS 5.4 User Account Management
• DS 5.5 Management Review of User Accounts
• DS 5.6 User Control of User Accounts
• DS 5.7 Security Surveillance
• DS 5.8 Data Classification
• DS 5.9 Central Identification and Access Rights Management
• DS 5.10 Violation and Security Activity Reports
• DS 5.11 Incident Handling
• DS 5.12 Re-Accreditation
• DS 5.13 Counterparty Trust
• DS 5.14 Transaction Authorisation
• DS 5.15 Non-Repudiation
• DS 5.16 Trusted Path
• DS 5.17 Protection of Security Functions
• DS 5.18 Cryptographic Key Management
• DS 5.19 Malicious Software Prevention, Detection and Correction
• DS 5.20 Firewall Architectures and Connections with Public Networks
• DS 5.21 Protection of Electronic Value
Control Objectives
The information services function’s security administration should assure that violation and security activity is logged, reported, reviewed and appropriately escalated on a regular basis to identify and resolve incidents involving unauthorised activity.
The logical access to the computer resources accountability information (security and other logs) should be granted based upon the principle of least privilege, or need to know.
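The two control objectives quoted above describe a detective control: security activity is logged, reviewed against stated criteria, and escalated, and the logs themselves are readable only on a need-to-know basis. The script below is an added example, not part of the slides or of COBIT itself. It parses a constructed batch of authentication and privileged-action log lines (the line format is assumed), produces escalation items for repeated logon failures, a successful logon following repeated failures, and privileged actions outside an assumed change window, and applies a small need-to-know access list before the log may be read. Thresholds, the change window and the access list are assumptions a real review would take from its policy.

```python
"""Review of violation and security activity logs with escalation.

Added example, not from the slides: parses constructed log lines, aggregates
security activity per account and host, and emits escalation items according
to simple review thresholds. Log format, thresholds and the need-to-know
list are assumptions.
"""
import re
from collections import defaultdict

# Constructed sample log lines (format assumed; not any real product's output).
SAMPLE_LOG = """\
2025-06-01T08:00:01 host=app01 event=LOGON_FAILURE user=jsmith src=10.0.0.5
2025-06-01T08:00:04 host=app01 event=LOGON_FAILURE user=jsmith src=10.0.0.5
2025-06-01T08:00:09 host=app01 event=LOGON_FAILURE user=jsmith src=10.0.0.5
2025-06-01T08:00:15 host=app01 event=LOGON_FAILURE user=jsmith src=10.0.0.5
2025-06-01T08:00:20 host=app01 event=LOGON_FAILURE user=jsmith src=10.0.0.5
2025-06-01T08:01:00 host=app01 event=LOGON_SUCCESS user=jsmith src=10.0.0.5
2025-06-01T09:12:44 host=db01 event=PRIV_ACTION user=dba_anna action=GRANT_ROLE target=reporting
2025-06-01T23:40:02 host=db01 event=PRIV_ACTION user=svc_backup action=ALTER_USER target=dba_anna
2025-06-01T10:05:00 host=fw01 event=LOGON_FAILURE user=root src=203.0.113.7
this line is malformed and must not break the review
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+) user=(?P<user>\S+)(?P<rest>.*)$"
)

FAILED_LOGON_THRESHOLD = 5           # assumption: value taken from the review policy
PRIVILEGED_CHANGE_WINDOW = (8, 18)   # assumption: 08:00-18:00; privileged actions outside need review

# Assumption: need-to-know list for reading each log class (least privilege).
LOG_READ_ACL = {
    "security": {"sec_admin", "it_audit"},
    "operations": {"sec_admin", "it_audit", "ops_oncall"},
}


def parse_log(text):
    """Parse log lines into dicts; returns (events, number_of_unparsable_lines)."""
    events, bad = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            bad += 1          # unparsable lines are a finding in themselves
            continue
        rec = m.groupdict()
        rec["hour"] = int(rec["ts"][11:13])
        events.append(rec)
    return events, bad


def review(events, unparsable=0):
    """Return a list of (severity, message) escalation items, in detection order."""
    failures = defaultdict(int)
    items = []
    start, end = PRIVILEGED_CHANGE_WINDOW
    for e in events:
        key = (e["user"], e["host"])
        if e["event"] == "LOGON_FAILURE":
            failures[key] += 1
        elif e["event"] == "LOGON_SUCCESS" and failures[key] >= FAILED_LOGON_THRESHOLD:
            items.append(("high", f"successful logon after {failures[key]} failures: {e['user']} on {e['host']}"))
        elif e["event"] == "PRIV_ACTION" and not (start <= e["hour"] < end):
            items.append(("high", f"privileged action outside change window: {e['user']} on {e['host']}{e['rest']}"))
    for (user, host), n in failures.items():
        if n >= FAILED_LOGON_THRESHOLD:
            items.append(("medium", f"{n} failed logons for {user} on {host}"))
    if unparsable:
        items.append(("low", f"{unparsable} log line(s) could not be parsed; check log integrity"))
    return items


def authorise_log_read(principal, log_class):
    """Need-to-know check before a reviewer is handed a log."""
    return principal in LOG_READ_ACL.get(log_class, set())


def run_review():
    """Review the constructed sample log end to end."""
    events, bad = parse_log(SAMPLE_LOG)
    return review(events, bad)


if __name__ == "__main__":
    for severity, message in run_review():
        print(f"[{severity}] {message}")
```

Escalation items are returned rather than printed so the same function can feed a ticketing step; the unparsable-line count is reported as its own finding because a log that cannot be read cannot be relied on for accountability.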
Planning & Organisation IT Domain
PO 1 Define a Strategic IT Plan
PO 2 Define the Information Architecture
PO 3 Determine the Technological Direction
PO 4 Define the IT Organisation and Relationships
PO 5 Manage the IT Investment
PO 6 Communicate Management Aims and Direction
PO 7 Manage Human Resources
PO 8 Ensure Compliance with External Requirements
PO 9 Assess Risks
PO 10 Manage Projects
PO 11 Manage Quality
* Strategy and tactics for IT contribution
* Meeting business objectives
* Appropriately planned, communicated and managed
* Proper organisation and technological infrastructure
Acquisition & Implementation IT Domain
AI 1 Identify Solutions
AI 2 Acquire and Maintain Application Software
AI 3 Acquire and Maintain Technology Architecture
AI 4 Develop and Maintain IT Procedures
AI 5 Install and Accredit Systems
AI 6 Manage Changes
* Realization of IT strategy
* Solutions identified, developed, or acquired and implemented
* Solutions integrated into business process
* Change and maintenance of systems
Delivery and Support IT Domain
DS 1 Define Service Levels
DS 2 Manage Third-Party Services
DS 3 Manage Performance and Capacity
DS 4 Ensure Continuous Service
DS 5 Ensure Systems Security
DS 6 Identify and Attribute Costs
DS 7 Educate and Train Users
DS 8 Assist and Advise IT Customers
DS 9 Manage the Configuration
DS 10 Manage Problems and Incidents
DS 11 Manage Data
DS 12 Manage Facilities
DS 13 Manage Operations
* Actual delivery of required services
* Actual operations through security including training
* Establishment of support processes
* Actual processing of data by applications
Monitoring IT Domain
M 1 Monitor the Processes
M 2 Assess Internal Control Adequacy
M 3 Obtain Independent Assurance
M 4 Provide for Independent Audit
* Regular assessment of all IT processes
* Compliance with and quality of controls
The Framework’s Principles
Control Objectives
Summary Table
Control Objectives
Example: ENSURING SYSTEMS SECURITY (DS-5)
[Summary table: for DS-5 the table marks each Information Criterion (effectiveness, efficiency, confidentiality, integrity, availability, compliance, reliability) as Primary (P) or Secondary (S) and marks which IT Resources (people, applications, technology, facilities, data) the process applies to; the individual P/S cells are not legible in the source.]
Link the control to the business requirement
Control over the IT process of ENSURING SYSTEMS SECURITY (DS-5)
that satisfies the business requirement to safeguard information against unauthorized use, disclosure or modification, damage or loss
is enabled by logical access controls which ensure that access to systems, data and programs is restricted to authorized users
and takes into consideration:
• authorisation & authentication
• user profiles and identification
• trusted path, firewalls
• virus prevention and detection
• cryptographic key management
• incident handling, reporting and follow-up
Why Should an Organisation Adopt COBIT?
• Attention on Corporate Governance
• Management accountability for resources
• Specific need for control of IT resources
• Business oriented solutions
• Framework for risk assessment
• Authoritative basis
• Improved communication among management, users and auditors
A Product For Many Audiences
• IT manager
• Auditor
• Executive manager
• Business manager
• Project manager
• Developer
• Operations
• User
• Information security officer
Who needs COBIT?
Management needs COBIT
– to evaluate IT investment decisions
– to balance risk and control of investment in an often unpredictable IT environment
– to benchmark existing and future IT environment
Users need COBIT
– to obtain assurance on security and controls of products and services provided by internal and third-parties.
IS auditors need COBIT
– to substantiate opinions to management on internal controls
– to answer the question: What minimum controls are necessary?
COBIT for the …
IT Manager
COBIT could serve the following objectives for you…
Some specific approaches which could prove useful...
• Use the COBIT process model and detailed control objectives to structure the IT services function into manageable and controllable processes focusing on business contribution
• Use the COBIT control model to establish SLAs and communicate with business functions
• Use the COBIT control model as basis for process-related performance measures and IT-related policies and norms
• Use COBIT as baseline model to establish the appropriate level of control objectives and external certifications
COBIT for …
Auditors
COBIT could serve the following objectives for you…
As basis for determining the IT audit universe and as IT control reference
Some specific approaches which could prove useful...
Use COBIT as criteria for review and examination, and for framing IT-related audits
The objectives of auditing are to:
• provide management with reasonable assurance that control objectives are being met;
• where there are significant control weaknesses, to substantiate the resulting risks; and
• advise management on corrective actions.
Auditors
COBIT for … Audit Guidelines
The process is audited by:
• Obtaining an understanding of business requirements, related risks, and relevant control measures
• Evaluating the appropriateness of stated controls
• Assessing compliance by testing whether the stated controls are working as prescribed, consistently and continuously
• Substantiating the risk of the control objectives not being met by using analytical techniques and/or consulting alternative sources.
Auditors
COBIT for … Generic Audit Guideline
Gain an understanding of:
– Business requirements
– Organisation structure
– Roles and responsibilities
– Policies and procedures
– Laws and regulations
– Control measures in place
Evaluate the controls:
– Documented processes
– Appropriate deliverables
– Responsibility/accountability
– Compensating controls
Assess compliance:
– procedures
– process deliverables
– Determine level of testing
– provide assurance that the IT process is adequate
Substantiate the risk:
– control weaknesses
– actual and potential impact
COBIT for the …
Executive Manager
COBIT could serve the following objectives for you… Accept and promote COBIT as the general IT governance model across the enterprise
Some specific approaches which could prove useful... Use COBIT to complement the existing internal control framework. Use the COBIT process model to establish a common language between business and IT and to allocate clear responsibilities
COBIT for the …
Business Manager
COBIT could serve the following objectives for you… Use COBIT to establish a common entity-wide model to manage and monitor IT’s contribution to the business
Some specific approaches which could prove useful... Use COBIT control objectives as a code of good practice for dealing with IT within the business function. Use COBIT control objectives to determine needs to be covered by Service Level Agreements (internal or outsourced)
COBIT for the …
Project Manager
COBIT could serve the following objectives for you… As a general framework for minimal project and quality assurance standards
Some specific approaches which could prove useful... Use COBIT to help ensure that project plans incorporate generally accepted phases in IT planning, acquisition and development, service delivery and project management, and assessment
COBIT for the …
Developer
COBIT could serve the following objectives for you… As minimal guidance for controls to be applied within development processes as well as for internal control to be integrated in information systems being built
Some specific approaches which could prove useful... Use COBIT to ensure that all applicable IT control objectives in the development project have been addressed
COBIT for …
Operations
COBIT could serve the following objectives for you… As general framework for minimal controls to be integrated into service delivery and support processes, placing clear focus on client objectives
Some specific approaches which could prove useful... Use COBIT to ensure that operational policies and procedures are sufficiently comprehensive
COBIT for …
Users
COBIT could serve the following objectives for you… As minimal guidance for internal control to be integrated within information systems, whether fully operational or under development
Some specific approaches which could prove useful... Use COBIT to guide service level agreements
COBIT for the …
Security Officer
COBIT could serve the following objectives for you… As harmonising framework providing a way to integrate information security with other business related IT objectives
Some specific approaches which could prove useful... Use COBIT to structure the information security program, policies and procedures