IT and Security Governance Jacqueline Johnson
Background: Control Objectives for Information and related Technology (COBIT). Developed by the IT Governance Institute (ITGI). Not an incremental revision; a high-level standard built on 5 principles. Jacqueline Johnson 06/04/2012
Principle 1. Meeting Stakeholder Needs (WHO are the stakeholders?)
Principle 1. Goal cascade steps
1. Stakeholder drivers to stakeholder needs
2. Stakeholder needs to enterprise goals
3. Enterprise goals to IT related goals
4. IT related goals to enabler goals
Principle 1. Goal cascade step 2: Stakeholder Needs to Enterprise Goals
Balanced scorecard (BSC) view, financial dimension. Enterprise goals: stakeholder value of business investments; portfolio of competitive products and services; managed business risks (safeguarding of assets); compliance with external laws and regulations; financial transparency. Each enterprise goal is mapped as primary (P) or secondary (S) to the governance objectives benefits realisation, risk optimisation and resource optimisation (the individual P/S cells of the matrix are not reproduced here). 3/28/2012
Principle 1. Goal cascade step 2: Stakeholder Needs to Enterprise Goals
Stakeholder concerns: How do I know whether I'm compliant with all applicable regulations? How do I best build and structure my IT department? What are the (control) requirements for information? Did I address IT related risk? Am I running an efficient and resilient IT operation?
Enterprise goals: 1. compliance with external laws and regulations; 2. managed business risks (safeguarding of assets); 3. financial transparency.
Each concern is marked (X) against the enterprise goals it maps to (the individual cells of the matrix are not reproduced here).
Principle 1. Goal cascade step 3: Enterprise Goals to IT Goals
BSC view. IT goals, financial dimension: alignment of IT and business strategy; IT compliance and support for business compliance with external laws and regulations; commitment of executive management for making IT related decisions; managed IT related business risks; realised benefits from IT enabled investments and services portfolio; transparency of IT costs, benefits and risk. IT goal, internal dimension: security of information and processing infrastructure and applications.
Each IT goal is mapped as primary (P) or secondary (S) to the enterprise goals compliance with external laws and regulations and managed business risks (safeguarding of assets) (the individual P/S cells of the matrix are not reproduced here).
Principle 1. Goal cascade step 4: IT Goals to COBIT processes
BSC view, financial dimension. IT goals: alignment of IT and business strategy; IT compliance and support for business compliance with external laws and regulations; commitment of executive management for making IT related decisions; managed IT related business risks; realised benefits from IT enabled investments and services portfolio; transparency of IT costs, benefits and risk.
COBIT processes: BAI1 Manage Programmes and Projects; DSS1 Manage Operations; DSS2 Manage Assets; DSS3 Manage Configuration; DSS4 Manage Service Requests and Incidents.
Each IT goal is mapped as primary (P) or secondary (S) to the processes that support it (the individual P/S cells of the matrix are not reproduced here).
Principle 1. Stakeholder needs: goals cascade
Principle 2. Covering the Enterprise End-to-end 10
Principle 3. Applying a Single Integrated Framework
Integration of frameworks for governance and management, both business and IT related.
Enterprise: COSO, COSO ERM, ISO/IEC 9000, ISO/IEC 31000.
IT-related: ISO/IEC 38500, ITIL, ISO/IEC 27000 series, TOGAF, PRINCE2, CMMI.
COBIT links these standards and frameworks.
Principle 4. Enabling a Holistic Approach: enablers overview
Principle 4. Enabling a Holistic Approach: enabler dimensions
Principle 5. Separating Governance From Management
Governance: the system or mechanism by which organisations are evaluated, directed and monitored (EDM). Responsible: board of directors.
Management: plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives (PBRM). Responsible: CEO.
Principle 5. Separating Governance From Management: COBIT 5 process reference model (PRM)
Process Reference Model: sample process, DS1
A process description states the process purpose (the high-level measurable objectives of performing the process and the likely outcomes of effective implementation of the process) and the practices (the activities that, when consistently performed, contribute to achieving the process purpose).
Process Capability Levels
Level 0, Incomplete process: the process is not implemented or fails to achieve its purpose.
Level 1, Performed process: the process is implemented and achieves its process purpose. PA 1.1 Process performance attribute.
Level 2, Managed process: the process is managed and work products are established, controlled and maintained. PA 2.1 Performance management attribute; PA 2.2 Work product management attribute.
Level 3, Established process: a defined process is used, based on a standard process. PA 3.1 Process definition attribute; PA 3.2 Process deployment attribute.
Level 4, Predictable process: the process is enacted consistently within defined limits. PA 4.1 Process measurement attribute; PA 4.2 Process control attribute.
Level 5, Optimizing process: the process is continuously improved to meet relevant current and projected business goals. PA 5.1 Process innovation attribute; PA 5.2 Process optimization attribute.
Process Attributes, Level 1
PA 1.1 Process performance: a measure of the extent to which the process purpose is achieved. Full achievement means that the process achieves its defined outcomes.
Process Attributes, Level 2
PA 2.1 Performance management: a measure of the extent to which the performance of the process is managed. As a result of full achievement of this attribute:
a. Objectives for the performance of the process are identified.
b. Performance of the process is planned and monitored.
c. Performance of the process is adjusted to meet plans.
d. Responsibilities for performing the process are defined, assigned and communicated.
e. Resources necessary for performing the process are identified, available, allocated and used.
f. There is effective communication between the involved parties and clear assignment of responsibility.
PA 2.2 Work product management: a measure of the extent to which the work products produced by the process are appropriately managed. As a result of full achievement of this attribute:
a. Requirements for the work products of the process are defined.
b. Requirements for documentation and control of the work products are defined.
c. Work products are appropriately identified, documented and controlled.
d. Work products are reviewed in accordance with planned arrangements and adjusted as necessary to meet requirements.
Completion scale
Process Attribute Ratings and Capability Levels
To reach a capability level, every attribute of that level must be rated at least L (largely achieved) and every attribute of the lower levels must be rated F (fully achieved):
Level 1, Performed: PA 1.1 Process performance rated L/F.
Level 2, Managed: PA 1.1 rated F; PA 2.1 Performance management and PA 2.2 Work product management rated L/F.
Level 3, Established: all level 1 and 2 attributes rated F; PA 3.1 Definition and PA 3.2 Deployment rated L/F.
Level 4, Predictable: all level 1 to 3 attributes rated F; PA 4.1 Measurement and PA 4.2 Control rated L/F.
Level 5, Optimizing: all level 1 to 4 attributes rated F; PA 5.1 Innovation and PA 5.2 Optimization rated L/F.
Level 0, Incomplete: the requirements for level 1 are not met.
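The level-determination rule of the table above, as an added example (not from the slides): given ratings for the process attributes, it returns the capability level a process has reached. The rating scale N / P / L / F (not, partially, largely, fully achieved) is the ISO/IEC 15504 scale the COBIT 5 assessment model uses; the slides show only L and F.

```python
# Added example (not from the slides): derives a process capability level from
# process-attribute ratings using the rule of the ratings table. Ratings use the
# ISO/IEC 15504 scale N / P / L / F (Not, Partially, Largely, Fully achieved);
# the slides show only L and F.
from typing import Dict, Tuple

# Process attributes belonging to each capability level, as listed on the slides.
LEVEL_ATTRIBUTES: Dict[int, Tuple[str, ...]] = {
    1: ("PA 1.1",),
    2: ("PA 2.1", "PA 2.2"),
    3: ("PA 3.1", "PA 3.2"),
    4: ("PA 4.1", "PA 4.2"),
    5: ("PA 5.1", "PA 5.2"),
}
VALID_RATINGS = {"N", "P", "L", "F"}


def level_achieved(ratings: Dict[str, str], level: int) -> bool:
    """True if `level` is reached: its own attributes rated L or F and every
    attribute of the lower levels rated F. An attribute with no rating counts as N."""
    for lower in range(1, level):
        if any(ratings.get(pa, "N") != "F" for pa in LEVEL_ATTRIBUTES[lower]):
            return False
    return all(ratings.get(pa, "N") in ("L", "F") for pa in LEVEL_ATTRIBUTES[level])


def capability_level(ratings: Dict[str, str]) -> int:
    """Highest capability level (0-5) supported by the ratings."""
    bad = {pa: r for pa, r in ratings.items() if r not in VALID_RATINGS}
    if bad:
        raise ValueError(f"invalid ratings (expected N, P, L or F): {bad}")
    achieved = 0
    for level in range(1, 6):
        if not level_achieved(ratings, level):
            break  # levels are cumulative: stop at the first one not met
        achieved = level
    return achieved


if __name__ == "__main__":
    # Constructed assessment: level-1 attribute fully achieved, level-2 attributes
    # only largely achieved, so level 3 is out of reach even though PA 3.x look good.
    sample = {"PA 1.1": "F", "PA 2.1": "L", "PA 2.2": "L", "PA 3.1": "F", "PA 3.2": "F"}
    print(capability_level(sample))  # 2
```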
Comparison between COBIT 4.1 and COBIT 5 levels
COBIT implementation
1. Commitment, mandate and support for the improvement project from top business management
2. Scope: mapping from drivers to processes; assessment of status via process capability assessment
3. Agree targets, time, processes and level
4. Prepare implementation and operational plans
5. Implementation of the solution; stipulate metrics
6. Verification that the target is reached
7. Identification of improvements to the project, and maintaining
Information Security Management
ISO27001, ISO27002 and ISO27014
ISO 27001 (audit standard), 8.3.3 Removal of access: The access rights of all employees, contractors and third party users to information and information processing facilities shall be removed upon termination of their employment, contract or agreement, or adjusted upon change.
ISO 27002 (implementation guide), 8.3.3 Removal of access: Upon termination, the access rights of an individual to assets associated with information systems and services should be reconsidered. This will determine whether it is necessary to remove access rights. Changes of an employment should be reflected in removal of all access rights that were not approved for the new employment. The access rights that should be removed or adapted include physical and logical access, keys, identification cards, information processing facilities, subscriptions, and removal from any documentation that identifies them as a current member of the organization. If a departing employee, contractor or third party user has known passwords for accounts remaining active, these should be changed upon termination or change of employment, contract or agreement.
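The three obligations in the ISO 27002 text above (leavers lose all rights, movers lose rights not approved for the new role, shared passwords a leaver or mover knows get changed) as a reconciliation check, added here as an example and not part of the slides or the standard; the status values, right names, accounts and people are all constructed for the example.

```python
# Added example (not from the slides or the ISO text): reconciliation check for the
# "Removal of access" control. Input: HR list of people with status, the rights each
# user currently holds, and a register of shared accounts with the users who know
# their password. All names and data are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Person:
    user_id: str
    status: str                       # "active", "terminated" or "changed" (new role)
    approved_rights: Set[str] = field(default_factory=set)  # rights approved for current role


@dataclass
class Findings:
    revoke: Dict[str, Set[str]] = field(default_factory=dict)  # user -> rights to remove
    rotate: Set[str] = field(default_factory=set)              # shared accounts to re-password


def reconcile(people: List[Person], held_rights: Dict[str, Set[str]],
              shared_accounts: Dict[str, Set[str]]) -> Findings:
    """Leavers lose every right (physical and logical alike), movers lose rights not
    approved for the new role, and shared accounts known to either get rotated."""
    out = Findings()
    for p in people:
        held = held_rights.get(p.user_id, set())
        if p.status == "terminated":
            excess = set(held)
        elif p.status == "changed":
            excess = held - p.approved_rights
        else:
            continue  # active staff with no change: nothing to do
        if excess:
            out.revoke[p.user_id] = excess
        out.rotate.update(acct for acct, knowers in shared_accounts.items()
                          if p.user_id in knowers)
    return out


def demo() -> Findings:
    """Constructed sample: one leaver (alice), one mover (bob), one unchanged (carol)."""
    people = [Person("alice", "terminated"), Person("bob", "changed", approved_rights={"crm"}),
              Person("carol", "active")]
    held = {"alice": {"vpn", "badge", "crm"}, "bob": {"crm", "hr-db"}, "carol": {"vpn"}}
    shared = {"svc-backup": {"alice", "dave"}, "svc-deploy": {"carol"}}
    return reconcile(people, held, shared)
```

Running demo() reports alice's three rights and bob's hr-db right for revocation and svc-backup for a password change; carol, unchanged, produces no finding even though she knows a shared password.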
Plan, Do, Check and Act
Risk assessment: placement within IT security. Elements: policy, standards, procedures, risk assessment.
Risk assessment
1. Scope in the company
2. Assets
3. Vulnerabilities
4. Threats
5. Consequences
6. Likelihood
Risk management
1. "Degree of assurance"
2. Analysis of existing security controls
3. Gap analysis
4. Identification of new security controls
5. Policies and procedures
6. Implementation and risk reduction
7. Risk acceptance (residual risk)
Statement of applicability (mandatory): explains why the company has chosen the stipulated controls, connected to the risk analysis, and why areas have been discarded. Documentation of compliance. It should be possible to make it public.
Certification (3 years)
Desktop review: statement of applicability, risk assessment, security policy, procedures.
Compliance: interviews; samples (are the controls implemented?); observation.
Final recommendation: certification, or non-compliances.
Thank you! Jacqueline Johnson jacqueline.johnson@nordea.com