IT and Security Governance. Jacqueline Johnson


Background
Control Objectives for Information and related Technology (COBIT)
Developed by the IT Governance Institute (ITGI)
Not incremental; a high-level standard
5 principles
Jacqueline Johnson, 06/04/2012

Principle 1. Meeting Stakeholder Needs (WHO?)

Principle 1. Goal cascade steps
1. Stakeholder drivers to stakeholder needs
2. Stakeholder needs to enterprise goals
3. Enterprise goals to IT-related goals
4. IT-related goals to enabler goals

Principle 1. Goal cascade step 2: stakeholder needs to enterprise goals
Matrix of enterprise goals (balanced scorecard dimension: Financial) against governance objectives, each cell marked P (primary) or S (secondary).
Enterprise goals: stakeholder value of business investments; portfolio of competitive products and services; managed business risks (safeguarding of assets); compliance with external laws and regulations; financial transparency
Governance objectives: benefits realisation; risk optimisation; resource optimisation
3/28/2012

Principle 1. Goal cascade step 2: stakeholder needs to enterprise goals (example)
Enterprise goals considered: (1) compliance with external laws and regulations; (2) managed business risks (safeguarding of assets); (3) financial transparency
Stakeholder concerns mapped against these goals:
How do I know whether I'm compliant with all applicable regulations?
How do I best build and structure my IT department?
What are the (control) requirements for information? (marked against all three goals)
Did I address IT-related risk? (marked against two of the goals)
Am I running an efficient and resilient IT operation? (marked against two of the goals)

Principle 1. Goal cascade step 3: enterprise goals to IT goals
Enterprise goals (columns): compliance with external laws and regulations; managed business risks (safeguarding of assets)
IT-related goals (rows, balanced scorecard dimension Financial unless noted), each pair marked P (primary) or S (secondary):
Alignment of IT and business strategy
IT compliance and support for business compliance with external laws and regulations
Commitment of executive management for making IT-related decisions
Managed IT-related business risks
Realised benefits from IT-enabled investments and services portfolio
Transparency of IT costs, benefits and risk
Security of information and processing infrastructure and applications (Internal dimension)

Principle 1. Goal cascade step 4: IT goals to COBIT processes
COBIT processes (columns): BA1 Manage Programmes and Projects; DDS1 Manage Operations; DDS2 Manage Assets; DDS3 Manage Configuration; DDS4 Manage Service Requests and Incidents
IT-related goals (rows, balanced scorecard dimension Financial): alignment of IT and business strategy; IT compliance and support for business compliance with external laws and regulations; commitment of executive management for making IT-related decisions; managed IT-related business risks; realised benefits from IT-enabled investments and services portfolio; transparency of IT costs, benefits and risk
Each goal/process pair is marked P (primary) or S (secondary) in the matrix.

Principle 1. Stakeholder needs and goals cascade

Principle 2. Covering the Enterprise End-to-end

Principle 3. Applying a Single Integrated Framework
Integration of frameworks for governance and management, covering both business and IT:
Enterprise: COSO, COSO ERM, ISO/IEC 9000, ISO/IEC 31000
IT-related: ISO/IEC 38500, ITIL, ISO/IEC 27000 series, TOGAF, PRINCE2, CMMI
COBIT 5 links these standards and frameworks.

Principle 4. Enabling a Holistic Approach: enablers overview

Principle 4. Enabling a Holistic Approach: enabler dimensions

Principle 5. Separating Governance From Management
Governance is the system or mechanism by which organisations are Evaluated, Directed and Monitored (EDM). Responsible: board of directors.
Management Plans, Builds, Runs and Monitors activities (PBRM) in alignment with the direction set by the governance body, to achieve the enterprise objectives. Responsible: CEO.

Principle 5. Separating Governance From Management: COBIT 5 process reference model (PRM)

Process Reference Model: sample process, DS1
Process purpose: the high-level measurable objectives of performing the process and the likely outcomes of effective implementation of the process.
Base practices: the activities that, when consistently performed, contribute to achieving the process purpose.

Process Capability Levels
Level 0 Incomplete process: the process is not implemented or fails to achieve its purpose.
Level 1 Performed process: the process is implemented and achieves its process purpose. PA 1.1 Process performance attribute.
Level 2 Managed process: the process is managed and work products are established, controlled and maintained. PA 2.1 Performance management attribute; PA 2.2 Work product management attribute.
Level 3 Established process: a defined process is used, based on a standard process. PA 3.1 Process definition attribute; PA 3.2 Process deployment attribute.
Level 4 Predictable process: the process is enacted consistently within defined limits. PA 4.1 Process measurement attribute; PA 4.2 Process control attribute.
Level 5 Optimizing process: the process is continuously improved to meet relevant current and projected business goals. PA 5.1 Process innovation attribute; PA 5.2 Process optimization attribute.

Process Attributes, Level 1
PA 1.1 Process performance: a measure of the extent to which the process purpose is achieved. Full achievement of this attribute means that the process achieves its defined outcomes.

Process Attributes, Level 2
PA 2.1 Performance management: a measure of the extent to which the performance of the process is managed. As a result of full achievement of this attribute:
a. Objectives for the performance of the process are identified.
b. Performance of the process is planned and monitored.
c. Performance of the process is adjusted to meet plans.
d. Responsibilities for performing the process are defined, assigned and communicated.
e. Resources necessary for performing the process are identified, available, allocated and used.
f. There is effective communication between the involved parties and clear assignment of responsibility.
PA 2.2 Work product management: a measure of the extent to which the work products produced by the process are appropriately managed. As a result of full achievement of this attribute:
a. Requirements for the work products of the process are defined.
b. Requirements for documentation and control of the work products are defined.
c. Work products are appropriately identified, documented and controlled.
d. Work products are reviewed in accordance with planned arrangements and adjusted as necessary to meet requirements.

Completion scale

Process Attribute Ratings and Capability Levels
Rating required of each process attribute to claim a capability level (L = largely achieved, F = fully achieved):
Level 1 - Performed (PA 1.1 Process performance): L or F for level 1; F for levels 2 to 5
Level 2 - Managed (PA 2.1 Performance management, PA 2.2 Work product management): L or F for level 2; F for levels 3 to 5
Level 3 - Established (PA 3.1 Definition, PA 3.2 Deployment): L or F for level 3; F for levels 4 and 5
Level 4 - Predictable (PA 4.1 Measurement, PA 4.2 Control): L or F for level 4; F for level 5
Level 5 - Optimizing (PA 5.1 Innovation, PA 5.2 Optimization): L or F for level 5
Level 0 - Incomplete: no attribute rating required
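The rating rule above, turned into a small assessment helper. This is an added example in Python, not code from the slides or from ISACA; the N/P/L/F rating letters and the PA names are taken from the slides, while the sample ratings are constructed.

```python
# Added example (not from the slides): capability-level determination from
# process attribute (PA) ratings, following the rating matrix above. A process
# reaches level N when every PA of levels 1..N-1 is rated F (fully achieved)
# and every PA of level N is rated at least L (largely achieved). Ratings use
# the N / P / L / F scale; a PA with no rating is treated as N.
from typing import Dict, List

# Process attributes belonging to each capability level (from the slides).
LEVEL_ATTRIBUTES: Dict[int, List[str]] = {
    1: ["PA 1.1"],
    2: ["PA 2.1", "PA 2.2"],
    3: ["PA 3.1", "PA 3.2"],
    4: ["PA 4.1", "PA 4.2"],
    5: ["PA 5.1", "PA 5.2"],
}
RATING_RANK = {"N": 0, "P": 1, "L": 2, "F": 3}


def _rank(rating: str) -> int:
    """Map an N/P/L/F rating to an ordinal; reject anything else."""
    if rating not in RATING_RANK:
        raise ValueError(f"unknown rating {rating!r}, expected one of N/P/L/F")
    return RATING_RANK[rating]


def capability_level(ratings: Dict[str, str]) -> int:
    """Return the capability level (0-5) achieved by one process."""
    achieved = 0
    for level in range(1, 6):
        pas = LEVEL_ATTRIBUTES[level]
        # Level N needs every PA of level N rated L or F ...
        if not all(_rank(ratings.get(pa, "N")) >= RATING_RANK["L"] for pa in pas):
            break
        achieved = level
        # ... and every PA of level N rated F before level N+1 can be claimed.
        if not all(ratings.get(pa, "N") == "F" for pa in pas):
            break
    return achieved


def gap_to_target(ratings: Dict[str, str], target: int) -> Dict[str, str]:
    """List the PAs that fall short of a target level and the rating each needs."""
    gaps: Dict[str, str] = {}
    for level in range(1, target + 1):
        required = "L" if level == target else "F"
        for pa in LEVEL_ATTRIBUTES[level]:
            if _rank(ratings.get(pa, "N")) < RATING_RANK[required]:
                gaps[pa] = required
    return gaps


if __name__ == "__main__":
    # Constructed sample assessment of one process (hypothetical values).
    sample = {"PA 1.1": "F", "PA 2.1": "F", "PA 2.2": "L", "PA 3.1": "P"}
    print("capability level:", capability_level(sample))
    print("gaps to level 3:", gap_to_target(sample, 3))
```

The gap listing is what feeds step 3 of the implementation approach later in the deck (agreeing targets and levels), since it names exactly which attributes must improve and to what rating.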

Comparison between COBIT 4.1 and COBIT 5 levels

COBIT implementation
1. Commitment, mandate and support for the improvement project from top business management
2. Scope: mapping from drivers to processes; assessment of status via process capability assessment
3. Agree targets, time, processes and level
4. Prepare implementation and operational plans
5. Implementation of the solution; stipulate metrics
6. Verification that the target is reached
7. Identification of improvements to the project, and maintaining

Information Security Management

ISO 27001, ISO 27002 and ISO 27014
ISO 27001 (audit standard), 8.3.3 Removal of access: The access rights of all employees, contractors and third party users to information and information processing facilities shall be removed upon termination of their employment, contract or agreement, or adjusted upon change.
ISO 27002 (implementation guide), 8.3.3 Removal of access: Upon termination, the access rights of an individual to assets associated with information systems and services should be reconsidered. This will determine whether it is necessary to remove access rights. Changes of an employment should be reflected in removal of all access rights that were not approved for the new employment. The access rights that should be removed or adapted include physical and logical access, keys, identification cards, information processing facilities, subscriptions, and removal from any documentation that identifies them as a current member of the organization. If a departing employee, contractor or third party user has known passwords for accounts remaining active, these should be changed upon termination or change of employment, contract or agreement.
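The control above as an operational check: a leaver/mover review that reconciles HR status against an access inventory. This is an added example in Python, not code from the slides or from the ISO standards; the people, systems, roles, dates and the approval matrix are all constructed.

```python
# Added example (not from the slides): a leaver/mover access review applying the
# ISO 27001 8.3.3 control quoted above. It reconciles a constructed HR record with a
# constructed access inventory and reports rights to remove (leavers, orphan accounts),
# rights to adjust (movers holding rights not approved for the new role) and shared
# accounts whose password a leaver or mover knew. All names, systems and dates are made up.
from collections import namedtuple
from datetime import date
from typing import Dict, List, Set, Tuple

# HR record: status is "active", "terminated" or "changed"; role is the current (new)
# role; effective is the date the termination or change takes effect.
Person = namedtuple("Person", "user_id status role effective")
# One entitlement, logical or physical (AD login, badge, key, subscription).
Access = namedtuple("Access", "user_id system right enabled")

# Constructed approval matrix: (system, right) -> roles allowed to hold it.
APPROVED: Dict[Tuple[str, str], Set[str]] = {
    ("AD", "login"): {"engineer", "finance"},
    ("git", "repo-write"): {"engineer"},
    ("payroll", "read"): {"finance"},
}


def access_review(people: List[Person], access: List[Access],
                  shared_known: Dict[str, List[str]], today: date) -> Dict[str, List[str]]:
    """Return findings keyed by action: remove, adjust, rotate_password."""
    by_id = {p.user_id: p for p in people}
    out: Dict[str, List[str]] = {"remove": [], "adjust": [], "rotate_password": []}

    def gone(uid: str) -> bool:  # unknown to HR, or left/moved with the date reached
        p = by_id.get(uid)
        return p is None or (p.status != "active" and p.effective <= today)

    for a in [x for x in access if x.enabled]:
        p, label = by_id.get(a.user_id), f"{a.user_id}:{a.system}:{a.right}"
        if p is None or (p.status == "terminated" and p.effective <= today):
            out["remove"].append(label)  # 8.3.3: remove upon termination (or orphan)
        elif gone(a.user_id) and p.role not in APPROVED.get((a.system, a.right), set()):
            out["adjust"].append(label)  # 8.3.3: adjust upon change of employment
    # Passwords known by a leaver or mover for accounts that stay active must be changed
    for account, knowers in shared_known.items():
        if any(gone(uid) for uid in knowers):
            out["rotate_password"].append(account)
    return out


# Constructed sample data for one review run (hypothetical review date).
TODAY = date(2012, 4, 6)
PEOPLE = [Person("alice", "active", "engineer", date(2010, 1, 4)),
          Person("bob", "terminated", "engineer", date(2012, 3, 30)),
          Person("carol", "changed", "finance", date(2012, 4, 1))]
ACCESS = [Access("alice", "AD", "login", True), Access("bob", "AD", "login", True),
          Access("bob", "badge", "door", True), Access("carol", "git", "repo-write", True),
          Access("carol", "payroll", "read", True), Access("dave", "AD", "login", True)]
SHARED = {"svc-backup": ["alice", "bob"], "svc-monitor": ["alice"]}


def sample_review() -> Dict[str, List[str]]:
    return access_review(PEOPLE, ACCESS, SHARED, TODAY)
```

Run regularly, the three finding lists double as evidence for the "are the controls implemented" sampling during certification.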

Plan, Do, Check and Act

Risk assessment: placing IT security policy, standards, procedures and risk assessment

Risk assessment
1. Scope in the company
2. Assets
3. Vulnerabilities
4. Threats
5. Consequences
6. Likelihood

Risk management
1. "Degree of assurance"
2. Analysis of existing security controls
3. Gap analysis
4. Identification of new security controls
5. Policies and procedures
6. Implementation and risk reduction
7. Risk acceptance (residual risk)

Statement of applicability
Mandatory. It explains why the company has chosen the stipulated controls, connected to the risk analysis, and why other areas have been discarded.
Documentation of compliance; it should be suitable for making public.

Certification (3 years)
Desktop review: statement of applicability, risk assessment, security policy, procedures
Compliance interview
Samples: are the controls implemented?
Observing
Final recommendation: certification, or non-compliances

Thank you! Jacqueline Johnson jacqueline.johnson@nordea.com