COBIT. IT Governance CEN 667

Transcription

1 COBIT IT Governance CEN 667 1

2 Project proposal (week 4) Goal of the projects are to find applicable measurement and metric methods to improve processes: For series of standards and For ITIL For Business Continuity and BS For Disaster Recovery For Penetration testing For Operational and Security Incident management For Risk Management Secure method for visual authentication Mobile securty access with speach recognition Other agreed with lecturer Literature review on selected topic - between 500 and 1000 words Proposal / for improvements of choosen method, approach, techniqe, - up to 2000 words List of references Document prepared in two columns as it should Be prepared for the conference paper Week report on updates 2

3 Project proposal (week 7) Candidate Topic Literature review draft Azizah Ibrahim Emina Aličković Jasmin Kevrić Mobile IPv6 handover packet loss avoidance A Novel Intrusion System Based on Support Vector Machines Algorithm improvement for the network anomaly detection using improved KDD 2009 NO NO NO Paper NO NO NO Adnan Miljković Implementation of two factor authentication for web appliacation YES (463 words) NO Fatih Ozturk Evolutionary Computation Method Application for Network Intrusion Detection System using Real Network Data NO NO Tarik Kraljić NO NO NO Adnan Kraljić NO NO NO 3

4 COBIT IT Governance CEN 667 4

5 Lectures Schedule Week Topic Introduction to IT governance Week 1 Overwiev of Information Security standards - ISO series of standards (27001, Week , 27003, 27004, 27005) Week 3 Information Technology Service management ISO and ISO Week 4 ITIL Week 5 Business Continuity and BS and BS Week 6 Disaster Recovery Week 7 COBIT Week 8 Project implementation (ISO and ISO 27003) Week 9 Midterm Week 10 Risk Managament (ISO 27005) Week 11 Application and Network Security and security testing Week 12 Specific Requirements and Controls Implementation (ISO 27002) Week 13 Operational and Security Incident managament Week 14 Perforamnce Measurement and Metrics (ISO 27004) Week 15 Audit (ISO 19011) and Plan- Do-Check-Act impovement cyclus 5

6 6

7 What is CobiT? What is the CobiT Framework? What is the Control Objectives document? How can auditors effectively use CobiT? 7

8 Authoritative, up-to-date, international set of generally accepted IT control objectives and control practices for day-to-day use by business managers and auditors. Structured and organized to provide a powerful control model 8

9 CobiT CobiT is designed to be the breakthrough IT governance tool that helps in the understanding and managing of risks and benefits associated with information and related IT. 9

10 C OB I T Control OBjectives for Information and Related Technology 10

11 Right information, to only the right party, at the right time. Information that is relevant, reliable and secure. Information provided by systems that have integrity by means of a well-managed and properly controlled IT environment. 11

12 A structure of relationships and processes to direct and control the enterprise in order to achieve the enterprise s goals by adding value while balancing risk versus return over IT and its processes. 12

13 IT Governance Objectives IT is aligned with the business and enables the business to maximize benefit IT resources are safeguarded and used in a responsible and ethical manner IT-related risks are addressed through appropriate controls and managed to minimize risk and exposure 13

14 The need for better operational controls Technology that makes new business processes possible may come with a loss of control Demand for increased effectiveness and efficiency The importance of technology The need to hold officers and senior management accountable and strengthen governance 14

15 Dashboard: How do responsible managers keep the ship on course? Scorecard: How do we achieve satisfactory results for our stake-holders? Benchmarking: How do we adapt in a timely manner to trends, developments, and best practices for our organization s environment? 15

16 Increasing dependence on information and the systems that deliver the information Increasing vulnerabilities and a wide spectrum of threats, such as cyber threats and information warfare Scale and cost of the current and future investments in information and information systems Potential for technologies to dramatically change organisations and business practices, create new opportunities and reduce costs 16

17 Secure buildings 1980s Glass-house Data centres Unpredictable and fast Unstructured and innovative Hard to implement Managed networks 1990s Network Business integration?? Streetwise users 21st Century Cyberspace Virtual Value Chain E-Commerce Extended Enterprise 17

18 CobiT s Scope and Overall Objectives 18

19 CobiT focuses on information having integrity and being secure and available. At the highest level, it focuses on the importance of information to the long-term success of the organization. 19

20 For Information System Services functions, CobiT can be applied from single point IT operations to across the enterprise. For application systems, CobiT can be applied from a single application-based system to enterprise-based systems. 20

21 CobiT is management oriented Supports corporate and IT governance Serves as excellent criteria for evaluation and a basis for audit planning 21

22 Addresses key attributes of information produced by IT. Links recommended control practices for IT to business and control objectives. Provides guidance in implementing and evaluating the appropriateness of IT-related control practices. 22

23 As a control model, CobiT should be tailored to organizational, platform and system standards. Use CobiT as the Structure to which you link organization-specific operational and control requirements, policies, and standards 23

24 Helps business process owners to ensure the integrity of information systems and auditors to provide statements of assurance by providing: management with generally applicable and accepted standards for good practice for IT control and governance users with a solid base upon which to manage IT and obtain assurance auditors with excellent criteria for review/audit work 24

25 Standards used to determine whether something meets expectations. Basis upon which one measures or compares something against. Need to be generally accepted, recognized, understandable, and defendable. Need to be authoritative. 25

26 CobiT as an Authoritative Source 26

27 CobiT is an Authoritative Source Built on a sound framework of control and IT-related control practices. Aligned with de jure and de facto standards and regulations. 27

28 Based on a Strong Foundation and Sound Principles of Internal Control 28

29 What is Internal Control? How it is defined impacts its design, exercise, and evaluation. 29

30 Purpose of Internal Control Designed to keep an organization on course toward achievement of its mission minimizing surprises along the way. Assist in dealing with rapidly changing economic and competitive environments, shifting customer demands and priorities, and restructuring for future growth. Source: Committee of Sponsoring Organizations (COSO) of the Treadway Commission, Internal Control - Integrated framework, Executive Summary, p

31 The design, implementation, and proper exercise of a system of internal controls should provide "reasonable assurance" that management's goals are attained, control objectives are addressed, legal obligations are met, and undesired events do not occur. Controls reduce or eliminate the risk of exposures, or the exposures themselves. 31

32 Internal Control Controls are framed by what is to be attained (control objectives) and the means to attain those goals (the controls). 32

33 Goals of Internal Control Keep things in Check Adhering to the Rules of the Road Reduce risk Based Upon Best Practices Proof the Rules Have Been Followed Provide assurance that operations are according to standard Keep those blasted auditors happy 33

34 Building CobiT s Definition of Internal Control 34

35 Control Internal control is broadly defined as a process, effected by an entity s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: efficiency and effectiveness of operations reliability of financial reporting compliance with applicable laws and regulations Source: Committee of Sponsoring Organizations (COSO) of the Treadway Commission, Internal Control - Integrated framework, Executive Summary, p

36 Control (as defined by COBIT) The policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected. Source: COBIT Control Objectives, p

37 IT Control Objective A statement of desired result or purpose to be achieved by implementing control procedures in a particular IT activity 37

38 CobiT supports all fundamental Internal Control requirements 38

39 Internal Control Requirements Systemization Documentation Standards, defined expectations Measurement Appropriate risk assessment 39

40 Internal Control Requirements Well-defined operational and control objectives Appropriate controls Competent and trustworthy people Monitoring & evaluation 40

41 Observe actual state of system Observations Recommendations Document actual state of system Documentation Recommend changes to system Evaluation Evaluate system Desired state of system Goals and plans Source: Gelinas and Oram, Accounting Information Systems, 3rd ed., South-Western Publishing, 1996, p

42 Internal Control Review Observe the process & controls Gain Understanding Observations Document The process & controls Report Recommendations AWP & Work Papers Recommend Changes if needed Draw Conclusions Test & Evaluate Process & controls CRITERIA via CobiT Goals and plans 24

43 Control Principles Controls should be considered as built in rather than added on. Controls need to support control objectives that are tied to business objectives. In order to support monitoring and evaluation, controls need to be testable and auditable. Controls need to be cost effective. 43

44 Value of Internal Control Often the value of internal control is only recognized by the results of not having adequate control in place. Control Objectives and related controls are valued by the degree to which they assist an organization to achieve objectives and avoid undesired events. 44

45 Control Models: Structured or organized to present a control framework relative to control objectives and respective internal controls or control practices. Provide statements of responsibilities for control Provide guidance regarding mechanisms to assess the need for control, and to design, develop, implement and exercise control Requires that controls be monitored and evaluated. 45

46 To Be of Value, a Control Model Should Be: Based on sound principles Applicable & Flexible in application Comprehendible Subject to having staying power 46

47 Impact of Technology on Control Operational and control objectives change little Some technology-specific control objectives change There is a significant impact on the mix of controls used to address the control objectives. Technology can facilitate achieving control objectives 47

48 Impact of Technology on Audit Has provided us with some tools to increase audit effectiveness and efficiency Has allowed us to rethink post and preemptive or on-going audit techniques Has provided opportunities to facilitate achieving control objectives 48

49 Control Responsibilities Management -- primary responsibility for ensuring that controls are in place and in effect to provide reasonable assurance that operational and control objectives will be met. Users -- exercise controls. Audit -- evaluates, advises and provides statements of assurance regarding the adequacy of controls. 49

50 CobiT Assists in evaluating appropriateness of controls Assists in identifying desired states of systems and processes Assists in identifying what to look for when observing system operations Provides a working control model for IT-related control objectives 50

51 The CobiT Control Model Provides a Framework for Understanding Control Objectives and Control Practices 51

52 CobiT Framework 52

53 CobiT Framework Documents relationships among information criteria, IT resources, and IT processes Links control objectives and control practices to business processes and business objectives Assists in confirming that appropriate IT processes are in place Facilitates discussion 53

54 CobiT Framework Facilitates the understanding of the: relationship of controls to control objectives, importance of focusing on control objectives and their relationship to the business organization and its business processes, and value of managed processes and resources tied to strategic initiatives. 54

55 COBIT s Focus on Process and Objectives Business (organization) Objectives/Requirements Business Processes (to meet objectives) Information Required (for processes) IT Resources (to provide information) IT Processes (to manage & control resources) Retail merchandising (Walmart, etc.) ROI, market share, customer loyalty (right product, time, price) Order fulfillment (OE/S, Inventory, Purchasing) Data availability and reliability Data, Application Systems, People Planning & Organization, Delivery & Support 55

56 Framework s Three Components Business Requirements for Information IT Resources IT Processes 56

57 Business Requirements for Information To support business processes and satisfy business objectives, information needs to conform to certain criteria. COBIT calls these criteria business requirements for information. 57

58 Sources of Information Criteria Quality Requirements: Quality, Cost, Delivery, Better, Cheaper, Faster Fiduciary Requirements Effectiveness and Efficiency of operations Reliability of Financial Reporting Compliance with Laws and Regulations Security Requirements: Confidentiality, Integrity, Availability 58

59 Promotes a Healthy, Constructive Focus on Information Criteria Viewing Information as being: relevant and reliable delivered in a timely, correct, consistent, usable and complete manner accurate, complete and valid provided through an optimal use of resources protected against unauthorized use, manipulation or disclosure available when required in compliance with legal and contractual obligations 59

60 Information Criteria -- The 1st Component Effectiveness Efficiency Confidentiality Integrity Availability Compliance Reliability of Information 60

61 Information Criteria -- The 1st Component Effectiveness: deals with information being relevant and pertinent to the business process as well as being delivered in a timely, correct, consistent, usable and complete manner. Efficiency: concerns the provision of information through the optimal (most productive and economical) use of resources. See Framework, p

62 Information Criteria -- The 1st Component Confidentiality: concerns the protection of sensitive information from unauthorized disclosure. Integrity: relates to the accuracy and completeness of information as well as its validity in accordance with business values and expectations. See Control Objectives, p

63 Information Criteria -- The 1st Component Availability: relates to information being available when required by the business process now and in the future. It also concerns the safeguarding of necessary resources and associated capabilities. Compliance: deals with complying with those laws, regulations and contractual arrangements to which the business process is subject; i.e., externally imposed business criteria. See Framework, p

64 Information Criteria -- The 1st Component Reliability of Information: relates to the provision of appropriate information for management to operate the entity and for management, in providing financial reporting to users of the financial information, and in providing information to report to regulatory bodies with regard to compliance with laws and regulations. See Framework, p

65 IT Resources -- The 2nd Component Data Application Systems Technology Facilities People 65

66 IT Resources -- The 2nd Component Data: Objects in their widest sense (i.e., external and internal), structured and not structured, graphics, sound, etc. Application Systems: Application systems are understood to be the sum of manual and programmed procedures. See Control Objectives, page

67 IT Resources -- The 2nd Component Technology: Hardware, operating systems, data base management, networking, multimedia, etc. Facilities: Resources to house and support information systems. People: Include staff skills, awareness and productivity to plan, organize, acquire, deliver, support and monitor information systems and services. See Control Objectives, page

68 Information Processes (3rd component) (4) (34) Domains Processes Natural grouping of processes, often matching an organizational domain of responsibility A series of joined tasks & Activities with natural (control) breaks. (318) Tasks & Activities See Framework, p. 16. Actions needed to achieve a measurable result. Activities have a life-cycle whereas tasks are discrete 68

69 COBIT Domains: Information Processes (3rd Component) Planning/ Organization Monitoring Acquisition / Implementation Delivery / Support 69

70 How do they relate? IT Resources IT Processes Business Requirements Data Information Systems Technology Facilities Human Resources Planning and organisation Aquisition and implementation Delivery and Support Monitoring Effectiveness Efficiency Confidenciality Integrity Availability Compliance Information Reliability 70

71 IT Resource Management CobiT underscores and demonstrates a clear understanding that IT resources need to be managed by naturally grouped processes in order to provide organizations with type and quality, and availability and security of information needed to achieve organizational objectives. 71

72 Framework What you get BUSINESS PROCESSES What you need INFORMATION Do they match? Information Criteria effectiveness efficiency confidentiality integrity Availability Compliance reliability IT RESOURCES data application systems technology facilities people? 72

73 Process/Criteria Relationships Primary: the degree to which the defined control objective directly impacts the information requirement concerned. Secondary: the degree to which the defined control objective only satisfies to a lesser extent or indirectly the business requirement concerned. Blank: could be applicable; however, requirements are more appropriately satisfied by another criteria in this process and/or another process. = IT Resource is managed by this process See Control Objectives, page

74 The WATERFALL Navigation Aid -- High Level Control Objectives for Each Process The control of IT Processes which satisfy Business Requirements is enabled by Control Statements considering Control Practices See Framework, p

75 Data Application Systems Technology Facilities People Resources Effectiveness The planning process must consider data integrity requirements Efficiency Confidenciality Integrity Availability Compliance Reliability Requirements Monitoring Delivery and Support Aquisition and implementation Planning and Organisation (By Gustavo Solis) 75

76 Control Objectives 76

77 Control Objectives Planning and organisation 11 Acquisition and Implementation Domain 6 Delivery and Support 13 Monitoring Domain 4 77

78 Planning and Organization Domain 11 High-level Control Objectives 100 Detailed Control Objectives (IT-related management control practices) 170+ Control Tasks and Activities. 78

79 Planning and Organization Develop strategy and tactical plans for IT Identify ways that IT can best contribute to the achievement of business objectives Plan, communicate, and manage the realization of the strategic vision Establish the IT organization and set the stage for information management and the technology infrastructure See Control Objectives, p

80 Planning and Organization Domain PO 1 Define a Strategic Information Technology Plan PO 2 Define the Information Architecture PO 3 Determine the Technological Direction PO 4 Define the IT Organization and Relationships PO 5 Manage the Investment in Information Technology PO 6 Communicate Management Aims and Directions. Planning and organisation 11 Acquisition and Implementation Domain Delivery and Support Monitoring Domain 80

81 Planning and Organization Domain PO 7 Manage Human Resources PO 8 Ensure Compliance with External Requirements PO 9 Assess Risks PO 10 Manage Projects PO 11 Manage Quality. Planning and organisation 11 Acquisition and Implementation Domain Delivery and Support Monitoring Domain 81

82 Acquisition and Implementation Domain 6 High-level Control Objectives 68 Detailed Control Objectives (IT-related management control practices) 100+ Control Tasks and Activities 82

83 Acquisition and Implementation IT solutions Identified Developed or acquired Implemented Integrated into the business processes Change and maintain existing systems See Framework, p

84 Acquisition and Implementation Domain AI 1 Identify Automated Solutions AI 2 Acquire and Maintain Application Software AI 3 Acquire & Maintain Technology Infrastructure AI 4 Develop and Maintain IT Procedures AI 5 Install and Accredit Systems AI 6 Manage Changes Planning and organisation Acquisition and Implementation Domain 6 Delivery and Support Monitoring Domain 84

85 Delivery and Support Domain 13 High-level Control Objectives 126 Detailed Control Objectives (IT-related management control practices) 190+ Control Tasks and Activities 85

86 Delivery and Support Deliver required services Ensure security and continuity of services Set up support processes, including training Process data (including application controls) See Control Objectives, p

87 Delivery and Support Domain DS 1 Define Service Levels DS 2 Manage Third-Party Services DS 3 Manage Performance and Capacity DS 4 Ensure Continuous Service DS 5 Ensure Systems Security DS 6 Identify and Allocate Costs DS 7 Educate and Train Users Planning and organisation Acquisition and Implementation Domain Delivery and Support Monitoring Domain

88 Delivery and Support Domain DS 8 Assist and Advise IT Customers DS 9 Manage the Configuration DS 10 Manage Problems and Incidents DS 11 Manage Data DS 12 Manage Facilities DS 13 Manage Operations Planning and organisation Acquisition and Implementation Domain Delivery and Support 13 Monitoring Domain 88

89 Monitoring Domain 4 High-level Control Objectives 24 Detailed Control Objectives (IT-related management control practices) 51+ Control Tasks and Activities. 89

90 Monitoring Domain Regularly assess IT processes for Quality Compliance with control requirements Addresses management oversight of organization s control provisions Provides for audit function See Control Objectives, p

91 Monitoring Domain M 1 Monitor the Process M 2 Assess Internal Control Adequacy M 3 Obtain Independent Assurance M 4 Provide for Independent Audit. Planning and organisation Acquisition and Implementation Domain Delivery and Support 91 Monitoring Domain 4

92 Thank you 92