MigratingtoCOBIT5forAuditors

May10,2012
Anthony Noble Viacom Inc.
Rob Johnson Bank of America

ISACA COBIT 5 for Assurance

Task Force Members
Special thanks to Derek Oliver & ISACA for supplying material for this presentation.

RobJohnson,CISA,CISM,CGEIT,
CRISC has over 20 years experience
CRISC,hasover20yearsexperience
ininformationrisk,ITauditand
privacy/securitymanagement. Heis
currentlytheseniorvicepresidentfor
ITauditatBankofAmerica. Inhis
careerhehasalsoheldleadership
rolesasheadofITriskforaGlobal
InsuranceCompanyandVP/CISOfor
largeregionalbank. Johnsonstarted
his career as an architect and worked
hiscareerasanarchitectandworked
atasoftwarecompanywherehe
launchedseveralinternational
commercialsoftwareproducts. He
hasservedonseveralISACA
committeesincludingchairingthe
EducationBoard,memberofthe
AssuranceCommittee,COBIT5Task
Forceandcurrentlyservesonthe
COBIT 5 Assurance Task Force
COBIT5AssuranceTaskForce.
SPEAKER BIOGRAPHY
TonyNoble,CISA,istheNewYork
based VP of IT audit for Viacom Inc
basedVPofITauditforViacomInc.
Hehas30plusyearsofITexperience
andhasbeenemployedbymajor
organizations,suchasUPS,Coopers
&LybrandandtheformerChase
y
ManhattanBankduringhis20years
asanITauditor.Heisamemberof
theISACAFrameworkCommitteeand
isChairoftheCOBIT5Assurance
Guide Task Force He was a member
GuideTaskForce.Hewasamember
oftheISACAGuidanceandPractices
Committeefortwoyears.This
committeepublishesall
g
methodologiesandassurance
guidanceforISACA.
 Migrating to COBIT 5
MigratingtoCOBIT5
Intro
IntrotoCOBIT5forAssurance
to COBIT 5 for Assurance
Professionals
TypesofAssurance
AuditMethodologies
Audit Methodologies
COBIT5forAssuranceExamples
INTROTOCOBIT5FORASSURANCE
PROFESSIONALS
 COBIT 5 Initiative
COBIT5Initiative
TheCOBIT5TaskForcewas
createdin2009:
d i 2009
Includedinternationalexperts
fromacrossISACA
constituencygroups
(Assurance,Security
Managementand
Risk/Governance)
CochairJohnLainhart
(PastInternationalPresident)
CoChairDerekOliver
(PastChairmanoftheBMIS
DevelopmentCommittee)
Allrightsreserved.
COBIT5TaskForce(20092011)
John W Lainhart IV CISA CISM CGEIT IBM Global
JohnW.Lainhart,IV,CISA,CISM,CGEIT,IBMGlobal
ConsultingServices,USA,Cochair
DerekJ.Oliver,Ph.D.,DBA,CISA,CISM,CITP,FBCS,FISM,
MInstISP+,RavenswoodConsultantsLtd,UK,Cochair
Pippa G.Andrews,CISA,ACA,CIA,KPMG,Australia
Elisabeth Antonsson, CISM, BSc, BA, Nordea Bank,Sweden
ElisabethAntonsson,CISM,BSc,BA,Nordea Bank, Sweden
StevenA.Babb,CGEIT,KPMG,UK
StevenDeHaes,Ph.D.,AntwerpManagementSchool,
Belgium
PeterHarrison,CGEIT,FCPA,IBMAustraliaLtd.,Australia
JimmyHeschl,CISA,CISM,CGEIT,ITILExpert,bwin.party
digitalentertainmentplc,Austria
RobJohnson,CISA,CISM,CGEIT,CRISC,CISSP,Bankof
America,USA
ErikPols,CISA,CISM,ShellInternationalITCI,Netherlands
VernonPoole,CISM,CGEIT,Sapphire,UK
Abdul Rafeq CISA CGEIT CIA FCA A Rafeq andAssociates,
AbdulRafeq,CISA,CGEIT,CIA,FCA,A.Rafeq and Associates
India
4
 The Need?
TheNeed?
Moreemphasisonoperationalriskmanagement
Needtodriveriskmanagementdisciplinesdirectlyintotheday
todayresponsibilitiesofprofessionals
Regulatorybodiesrequiringmoreprivacy,securityandanenhanced
Regulatory bodies requiring more privacy security and an enhanced
controlenvironment
Respondingtofinancialcrisis
Increasedpublicityandliability
Workforcesareincreasinglyglobalizedanddistributed,which
increases complexities to govern and manage
increasescomplexitiestogovernandmanage
Massivevolumesofinformation supportedbytechnology
drivebusinesssuccessbutalsoraiseahostofcomplex
challenges for business and IT leaders
challengesforbusinessandITleaders
WhatisCOBIT5?

APracticalView
 Builds on COBIT 4 as a Foundation
BuildsonCOBIT4asaFoundation
COBIT5isasignificantstrategicevolutionofCOBIT4.1
g g

COBIT5isacomprehensivegovernanceandmanagement
framework comprising industry practices analytical tools and
frameworkcomprisingindustrypractices,analyticaltoolsand
modelsthathelpanenterpriseachieveoptimalvalueand
objectivebybalancingtechnology:

Benefits
Risk
ResourceUse
 COBIT:OneFrameworkforthe
GovernanceofEnterpriseIT
f
GovernanceofEnterpriseIT
p

ITGovernance

V l IT 2 0
ValIT2.0
Evolution

Management (2008)

Control
E

RiskIT
ik
(2009)
Audit

COBIT1 COBIT2 COBIT3 COBIT4.0/4.1

T4 0/4 1 COBIT 5
COBIT5

1996 1998 2000 2005/7 2012

An business framework from ISACA at www isaca org/cobit

AnbusinessframeworkfromISACA,atwww.isaca.org/cobit
 ShiftsfromaTechnologytoa
BusinessConversation
Focusonstakeholderobjectives:
Obtainqualityinformationtosupportbusinessdecisions
GeneratebusinessvaluefromITenabledinvestments,i.e.
achievestrategicgoalsandrealisebusinessbenefits
througheffectiveandinnovativeuseofIT
Achieveoperationalexcellencethroughreliableand
Achieve operational excellence through reliable and
efficientapplicationoftechnology
MaintainITrelatedriskatanacceptablelevel
OptimisethecostofITservicesandtechnology
O ti i th t f IT i dt h l
Complywitheverincreasingrelevantlaws,regulations,
contractualagreementsandpolicies
 COBIT 5 is Generic
COBIT5isGeneric
The
TheFrameworkcanbeappliedtoany
Framework can be applied to any
Enterpriseorbusinessprocessalthoughit
does reference Enterprise IT
doesreferenceEnterpriseIT
Theprocessesincludedareneededinany
business process not just Enterprise IT
businessprocessnotjustEnterpriseIT
Managementprocessesandthemonitoringof
themisthefocusforassurance
e s e ocus o assu a ce
AreadoesnotneedtobeusingCOBIT5inorder
toapplytheframeworkforassurancepurposes
pp y p p
 Key Concept for Auditors
KeyConceptforAuditors
COBIT
COBIT5issignificantforauditorsasitno
5 is significant for auditors as it no
longercontainsanyspecificControlObjectives
except:
Enterprisegoalsshouldbeachieved
IT
ITAssuranceGuide:UsingCOBIT4.1included
Assurance Guide Using COBIT 4 1 included
ControlObjectivesbutthebaseCOBIT4did
not so is an ongoing trend
notsoisanongoingtrend
WhatsinCOBIT5forAuditors?

Highlights ATaste!
 The COBIT 5 Framework
TheCOBIT5Framework
The
Theinitialpublicationintroduces,definesand
initial publication introduces defines and
describesthecomponentsthatmakeupthe
COBIT Framework
COBITFramework
Principles
Architecture
Enablers
Introductiontoimplementationguidanceandthe
Introd ction to implementation g idance and the
COBITprocessassessmentapproach
 COBIT5Principles:LinksITand
theBusiness
h
Balance benefits, risk, resources
Makesaclear
distinction
between IIntegratesgovernance
governanceand ofenterpriseITinto
management enterprisegovernance

Definesasetof
enablers to support
enablerstosupport
theimplementation Serveastheoverarching
ofacomprehensive frameworkforgovernance
governanceand g
andmanagementof
managementsystem enterpriseIT
 ShiftsITProcessestoa
BusinessView

IntegratesgovernanceofenterpriseITintoenterprisegovernance
Coversallfunctionsandprocesseswithintheenterprise;COBIT5does
p p ;
notfocusonlyontheITfunction,buttreatsinformationandrelated
technologiesasassetsthatneedtobedealtwithjustlikeanyotherasset
byeveryoneintheenterprise.
ConsidersallITrelatedgovernanceandmanagementenablerstobe
Considers all IT related governance and management enablers to be
enterprisewideandendtoend,i.e.inclusiveofeverythingand
everyone,internalandexternalthatisrelevanttogovernanceand
managementofenterpriseinformationandrelatedIT
 COBIT5EnablersDimensions
All enablers have a set of common dimensions.
provides a common, simple, and structured way to deal with
enablers,
allows to manage their complex interactions, and

TheCOBIT5frameworkdefines
sevencategoriesofenablers:
Processes
Frameworks,Principlesand
F k Pi i l d
policies
Organisationalstructures
People,Skillsand
competencies
Culture,ethicsandbehaviour
Services,Infrastructure&
Applications
Information
 Principle5:Separating
GovernancefromManagement
f

Governanceensuresthatenterpriseobjectives
areachievedbyevaluatingstakeholderneeds,
conditionsandoptions;settingdirection
throughprioritisationanddecisionmaking;
andmonitoringperformance,complianceand
progressagainstplans.

Managementplans,builds,runsandmonitors
activitiesinalignmentwiththedirectionsetby
thegovernancebodytoachievetheenterprise
objectives.
 ImmediateDifferences:Thefour
MANAGEMENTdomains
d
Align,Plan&Organise(APO)replacesPO
Align, Plan & Organise (APO) replaces PO
Define&Manage theEnterpriseITControlFramework
Build,Acquire&Implement(BAI)replacesAI
Manage Knowledge
Deliver,Service&Support(DSS)replacesDS
Manage Suppliers
Monitor,Evaluate&Assess(MEA)replacesME
ProvideAssurance
Provide Assurance (KeymanagementDomainforAuditors)
(Key management Domain for Auditors)

Moremeaningful&morebusinessrelated!
gf
 Monitor,Evaluate&Assess(MEA)

COBIT5:ProcessReference
GuideExposureDraft

Alignmentisnowconsideredtobethe
g
resultofallgovernanceandmanagement
activities.
COBIT5ProcessMap
 The Lens Concept
TheLensConcept
The Eye of the Beholder: what are you looking for?

COBIT5Framework

COBIT5
COBIT5 COBIT5 COBIT5 COBIT5
For
ForAudit ForRisk For? For?
Security

OtherStandards,Frameworks,
Guidelinesetc
e.g.ISO,ITIL,NationalStandards.
g , ,
EasiertoNavigate:SmallerIntegrated
P bli i
Publications
 Capability vs. Maturity Model
Capabilityvs.MaturityModel

TheprocessmaturitymodelofCOBIT4.1hasbeenreplacedwitha
capabilitymodelbasedonISO/IEC15504toalignwithandsupporta
separateISACAinitiative,theCOBITAssessmentProgram(CAP).
NotetheAssessmentmodelisnotanAssurancemodel
Thereareanumberofbenefitsindoingso:
Focusonprocessisachievingitsintendedpurposeanddeliveringits
requiredoutcomesasexpected.
q p
Simplification
Improvedreliabilityandrepeatability ofprocesscapabilityassessment
Compliancewithagenerallyaccepted(ISO)processassessment
Compliance with a generally accepted (ISO) process assessment
standard
 ProcessCapabilityModel
Comparison
COBIT4.1 COBIT5ISO/IEC
MeaningoftheCOBIT5ISO/IEC15504Based
Meaning of the COBIT 5 ISO/IEC 15504 Based
MaturityModel 15504Based Context
CapabilityLevels
Levels CapabilityLevels

Continuouslyimprovedtomeetrelevantcurrentand
5.Optimised 5.Optimised
p j
projectedenterprisegoals.
p g
Enterpriseview/
4.Managedand Operateswithindefinedlimitstoachieveitsprocess
4.Predictable corporate
Measurable outcomes.
knowledge
Implementedusingadefinedprocessthatiscapableof
3.Defined 3.Established
achieving its process outcomes
achievingitsprocessoutcomes.

Implementedinamanagedfashion(planned,monitored
N/A 2.Managed andadjusted)anditsworkproductsareappropriately
established,controlledandmaintained.
Instanceview/
2.Repeatable 1.Performed Processachievesitsprocesspurpose. individual
1. Initial/Adhoc knowledge

Notimplementedorlittleornoevidenceofany
0.Nonexistent 0.Incomplete
systematicachievementoftheprocesspurpose.
COBIT 5 Process Capability Model
COBIT5ProcessCapabilityModel
InISO/IEC15504capabilitylevelsaredefinedbyaset
ofnineprocessattributes;theseattributescoversome
groundcoveredbythecurrentCOBIT4maturity
attributesand/orprocesscontrols,butonlytoacertain
extentandinadifferentway.
BenefitsofCOBIT5for
B fit f COBIT 5 f
Auditors?

APracticalView
 Benefits of the Update
BenefitsoftheUpdate
ThebenefitsofthenewCOBIT5ProcessCapabilityModelcomparedto
theCOBIT4.1MaturityModelsinclude:
h COBIT 4 1 M i M d l i l d
Auditorcanfocusonprocessthatassuresachievingitspurposeandrequiredoutcomes.
Simplifieswhattestingcontenteliminatingofduplication,becausetheCOBIT4.1
Maturity Model assessment requires the use of a number of specific components,
MaturityModelassessmentrequirestheuseofanumberofspecificcomponents,
includingtheGenericMaturityModel,ProcessMaturityModels,ControlObjectivesand
ProcessControlstosupportprocessassessment.
Improvedreliabilityandrepeatabilityofprocesscapabilityassessmentactivitiesand
evaluations reducing debates and disagreements between stakeholders on assessment
evaluations,reducingdebatesanddisagreementsbetweenstakeholdersonassessment
results.
Compliancewithagenerallyacceptedprocessassessmentstandardandtherefore
strongsupportforprocessassessmentapproachinthemarket.
Increasedusabilityofprocesscapabilityassessmentresults,asthenewmodel
establishesabasisformoreformal,rigorousassessmentstobeperformed,forboth
internalandpotentialexternalpurposes.
 APracticalView

TYPESOFASSURANCE
 What is Assurance?
WhatisAssurance?

TakenfromITAssuranceGuide:UsingCOBITV4.1
 Types of Assurance
TypesofAssurance
ITAssuranceActivitiesinclude:
IT Assurance Activities include:
Performariskassessment
Diagnoseoperationaland/orprojectrisk
Diagnose operational and/or project risk
Plan/performriskbasedassuranceactivities
Assess/Selfassessprocessmaturity
A /S lf t it
Assess/Selfassesscontrols
Substantiaterisk
S b i ik
Processcapabilityassessments
 APracticalView

ASSURANCEMETHODOLOGIES
 Standard Audit Methodology
StandardAuditMethodology
AuditPlanningg
Usebusinessgoalsasastarter
Riskassessment/analysisofnotmeetinggoals
DefineScope/ObjectivesofAudit
/
Examinedriversfortheaudit
Selectcontrolobjectivesforreview
Select control objectives for review
ExecuteAudit
Testthecontrolsandtheirdesign
g
Documentcontrolweaknesses
Reportanoverallconclusionandrecommendations
 Example: Assessment Overview
Example:AssessmentOverview

ProcessAssessmentModel
Process Assessment Model

AssessmentProcess

33

ThisfigureisreproducedfromISO155042:2003withthepermissionofISOatwww.iso.org.CopyrightremainswithISO.
 Examples

APractitionersView
 Change Management
ChangeManagement
AI6inCOBIT4.1andBAI06inCOBIT5
AI6 in COBIT 4 1 and BAI06 in COBIT 5

COBIT4.1containedaMaturityModel
CO i d i d l
COBIT5usestheCapabilityModel

WilluseEmergencyChangesforourexample
Will use Emergency Changes for our example
 COBIT 4.1 COAI6.3
COBIT4.1 CO AI6.3 =BAI06.2
BAI06.2
AI6.3EmergencyChanges
6.3 e ge cy C a ges
Establishaprocessfordefining,raising,testing,
documenting,assessingandauthorising emergency
changesthatdonotfollowtheestablishedchange
h th t d t f ll th t bli h d h
process.
BAI06.02ManageEmergencyChanges.
BAI06.02 Manage Emergency Changes.
Carefullymanageemergencychangestominimise
furtherincidentsandmakesurethechangeis
controlledandtakesplacesecurely.Verifythat
emergencychangesareappropriatelyassessedand
authorised afterthechange.
g
 For Assurance we can..
ForAssurancewecan..
MaturityAssessment
y
UsetheCOBITV4.1MaturityModel
CapabilityAssessment
UsetheCOBITProcessAssessmentModelV4.1
EfficiencyandEffectivenessofControls
Assessment
UsetheITAssuranceGuide:UsingCOBITV4.1
UsetheISACAChangeManagementAuditProgram
whichreferencesCOBIT4.1
h h f
DevelopacustomauditprogramusingCOBIT5
ProcessReferenceGuide
 COBIT 4.1 Maturity Model AI6
COBIT4.1MaturityModel
Managementoftheprocessthatsatisfiesthebusiness
requirementforITofrespondingtobusiness
requirementsinalignmentwiththebusinessstrategy,
whilstreducingsolutionandservicedeliverydefectsand
reworkis:
ki
Level3Definedwhenthereisadefinedformalchange
managementprocessinplace,includingcategorisation,
prioritisation emergency procedures change authorisation and
prioritisation,emergencyprocedures,changeauthorisation and
releasemanagement,andcomplianceisemerging.
Workaroundstakeplace,andprocessesareoftenbypassed.
Errorsmayoccurandunauthorised changesoccasionallyoccur.
Th
TheanalysisoftheimpactofITchangesonbusinessoperations
l i f th i t f IT h b i ti
isbecomingformalised,tosupportplannedrolloutsofnew
applicationsandtechnologies.
 COBIT 4.1 Capability Model AI6
COBIT4.1CapabilityModel
Purpose:SatisfythebusinessrequirementofmanagingITchangesinalignment
with the business strategy to reduce solution and service delivery defects and
withthebusinessstrategytoreducesolutionandservicedeliverydefectsand
rework.

Outcomes(Os)NumberDescription
AI6
AI6O1
O1 Changestandardsandassociatedprocedures,includingthoseforemergency
Ch t d d d i t d d i l di th f
changes,aredefinedandcommunicated.
AI6O2 Changesareassessed,prioritised andauthorised.
AI6O3 Changestatusistrackedandreported.

BasePractices(BPs)
AI6BP1 Developandimplementaprocesstoconsistentlyrecord,assessandprioritise
changerequests.Supports AI1O1
AI6BP2 Assessimpactandprioritise changesbasedonbusinessneeds.Supports AI1O2
AI6BP3 Assurethatanyemergencyandcriticalchangefollowstheapprovedprocess.
Supports AI1O1
AI6BP4 Authorise changes.Supports AI1O2
AI6BP5 Manageanddisseminaterelevantinformationregardingchanges.Supports AI1O3
 Assurance Guide COBIT 4.1 AI6
AssuranceGuideCOBIT4.1
TestofControls EmergencyChanges
Enquirewhetherandconfirmthattheoverallchange
managementprocessincludesemergencychangeprocedures
(e.g.,defining,raising,testing,documenting,assessingand
authorising emergencychanges).
emergency changes)
Inspectthedocumentationforarepresentativesampleof
emergencychangesand,byinterviewingkeystaffmembers,
establishwhetheremergencychangesareimplementedas
g y g p
specifiedinthechangemanagementprocess.
Confirmthroughinterviewswithkeystaffmembersthat
emergencyaccessarrangementsareauthorised,documented
andrevokedafterthechangehasbeenapplied.
d k d ft th h h b li d
Enquirewhetherandconfirmthatapostimplementation
reviewofemergencychangesisconducted.
 Assurance Guide COBIT 4.1 AI6
AssuranceGuideCOBIT4.1
TestSamples
p EmergencyChanges
g y g
Inspectasampleofemergencychangesandverifythat
theyhavebeenprocessedinaccordancewiththechange
management framework Verify that procedures have
managementframework.Verifythatprocedureshave
beenfollowedtoauthorise,documentandrevokeaccess
afterthechangehasbeenapplied.
Inspectasampleofemergencychangesanddetermineifa
Inspect a sample of emergency changes and determine if a
postimplementationreviewhasbeenconductedafterthe
changeswereapplied.Considerimplicationsforfurther
applicationsystemmaintenance,impactondevelopment
li ti t i t i t d l t
andtestenvironments,applicationsoftwaredevelopment
quality,documentationandmanuals,anddataintegrity.
 ISACA Audit Program
ISACAAuditProgram
6.4.2
6.4.2Testobjective:Toverifytheeffectiveness
Test objective: To verify the effectiveness
oftheemergencychangecontrolprocessthat
ensurestheintegrityoftheproductionlibraries
g y p
andapplicationdata.
Selectasampleofemergencymovestoproduction.
p g y p
Determineiftheprogramwasrunfromaninterimlibraryor
theproductionlibrary.
Iftheproductionlibrarywasused,determineifaonetime
If the production library was used determine if a one time
passwordwasretrieved.
Determineiftheonetimepasswordwasdisabled.
 Build Your Own Audit Program
BuildYourOwnAuditProgram
Process
Processgoal:Allemergencychangesare
goal: All emergency changes are
reviewedandauthorised afterthechange.
Reviewhistoricalmetrics:
Percentoftotalchangesthatareemergencyfixes
Numberofemergencychangesnotauthorised
afterthechange
Examinetheoutputforverification:
Documentedpostimplementationreviewof
emergencychanges
 Build Your Own Audit Program
BuildYourOwnAuditProgram
TestthattheBasePracticeactivitiesarebeingperformed:
Ensurethatadocumentedprocedureexiststodeclare,assess,
givepreliminaryapproval,authorise afterthechangeandrecord
anemergencychange.
Verifythatallemergencyaccessarrangementsforchangesare
V if th t ll t f h
appropriatelyauthorised,documentedandrevokedafterthe
changehasbeenapplied.
Monitorallemergencychanges,andconductpost
Monitor all emergency changes and conduct post
implementationreviewsinvolvingallconcernedparties.The
reviewshouldconsiderandinitiatecorrectiveactionsbasedon
rootcausessuchasproblemswithbusinessprocess,application
systemdevelopmentandmaintenance,developmentandtest
t d l t d i t d l t dt t
environments,documentationandmanuals,anddataintegrity.
Definewhatconstitutesanemergencychange.
 Example: Information Quality
Example:InformationQuality
StakeholdersCanbeinternalorexternaltotheenterprise.
informationproducers,informationcustodiansandinformationconsumers:
Informationproducer,responsibleforcreatingtheinformation
Informationcustodian,responsibleforstoringandmaintainingtheinformation
Information custodian responsible for storing and maintaining the information
Informationconsumer,responsibleforusingtheinformation

Goals:
Thegoalsofinformationaredividedinthreesubdimensionsofquality:

IntrinsicqualityTheextenttowhichdatavaluesareinconformancewiththeactualortruevalues.Itincludes:
Intrinsic qualityThe extent to which data values are in conformance with the actual or true values It includes:
AccuracyTheextenttowhichinformationiscorrectandreliable
ObjectivityTheextenttowhichinformationisunbiased,unprejudicedandimpartial
BelievabilityTheextenttowhichinformationisregardedastrueandcredible
ReputationTheextenttowhichinformationishighlyregardedintermsofitssourceorcontent
ContextualandrepresentationalqualityTheextenttowhichinformationisapplicabletothetask.Itincludes:
RelevancyTheextenttowhichinformationisapplicableandhelpfulforthetaskathand
R l Th t t t hi h i f ti i li bl d h l f l f th t k t h d
CompletenessTheextenttowhichinformationisnotmissingandisofsufficientdepthandbreadthforthetaskat
hand
CurrencyTheextenttowhichinformationissufficientlyuptodateforthetaskathand
AppropriateamountofinformationTheextenttowhichthevolumeofinformationisappropriateforthetaskathand
ConciserepresentationTheextenttowhichinformationiscompactlyrepresented
ConsistentrepresentationTheextenttowhichinformationispresentedinthesameformat
InterpretabilityTheextenttowhichinformationisinappropriatelanguages,symbols,andunits,andthedefinitions
areclear
UnderstandabilityTheextenttowhichinformationiseasilycomprehended
EaseofmanipulationTheextenttowhichinformationiseasytomanipulateandapplytodifferenttasks
Security/AccessibilityqualityTheextenttowhichinformationisavailableorobtainable.Itincludes:
AvailabilityTheextenttowhichinformationisavailablewhenrequired,oreasilyandquicklyretrievable
RestrictedAccessTheextenttowhichaccesstoinformationisrestrictedappropriatelytoauthorisedparties
 Collaborate Contribute Connect

www.isaca.org/knowledge-center
The Knowledge Center is a collection of
resources and online communities that
connect ISACA members globally, across
industries and by professional focus - under
one umbrella. Add or reply to a discussion,
post a document or link, connect with other
ISACA members, or create a wiki by
participating in a community today!