Overview of Frameworks: COBIT, COSO, ITIL, ISO and more

Jennifer F. Alfafara, CISA
Consultant
Frameworks vs Standards

What is a Framework?

Main Entry: frame·work
Pronunciation: \ˈfrām-ˌwərk\
Function: noun
Date: 1578
1 a: a basic conceptional structure (as of ideas) <the framework of the United States Constitution>
  b: a skeletal, openwork, or structural frame
2: frame of reference
3: the larger branches of a tree that determine its shape
What is a Standard?
Standard - a rule or principle that is used as a basis for judgment
• GAAP (FASB) – Generally Accepted Accounting Principles (Financial Accounting Standards Board)
• IFRS (IASB) – International Financial Reporting Standards (International Accounting Standards Board)
• PCAOB (Public Company Accounting Oversight Board) Auditing Standards
• ISO/IEC 27000 series (International Organization for Standardization / International Electrotechnical Commission)
Then, what is HIPAA considered?
HIPAA (the U.S. Health Insurance Portability and Accountability Act of 1996) is neither a framework nor a standard in the sense above: it is a federal law, and the Title II rules issued under it are regulations. This deck treats it as a "Guideline", i.e. a set of requirements that the control frameworks discussed below can help an organization meet.

More on HIPAA later….
Why have frameworks been developed?
• Lack of alignment between business practices and technology
• To provide guidance to corporate management to ensure they are in compliance with regulatory requirements
Why adopt a framework?
• Regulatory requirement
• Business requirement
• Best in class
What is a Control Framework?
Control Framework - A recognized system of control categories that covers all internal controls expected in an organization.
Control Framework
To be comprehensive, the framework must:
1. Provide a favorable control environment
2. Provide for the continuing assessment of risk
3. Provide for the design, implementation, and maintenance of effective control-related policies and procedures
4. Provide for the effective communication of information
5. Provide for the ongoing monitoring of the effectiveness of control-related policies and procedures, as well as the resolution of potential problems identified by controls
SEC on Frameworks
"The COSO Framework satisfies our criteria and may be used as an evaluation framework for purposes of management's annual internal control evaluation and disclosure requirements. However, the final rules do not mandate use of a particular framework, such as the COSO Framework, in recognition of the fact that other evaluation standards exist outside of the United States, and that frameworks other than COSO may be developed within the United States in the future, that satisfy the intent of the statute without diminishing the benefits to investors."
Control Frameworks
• COSO
• COBIT 4.1
• ITIL
• ISO/IEC 27002 (actually a standard)
• ISO 27799 (guidance for applying ISO/IEC 27002 in healthcare)
COSO
Committee of Sponsoring Organizations

COSO - Committee of Sponsoring Organizations of the Treadway Commission

COSO is a U.S. private-sector initiative, formed in 1985.
COSO
Who are the Sponsors?
1. American Institute of Certified Public Accountants (AICPA)
2. American Accounting Association (AAA)
3. Financial Executives Institute (FEI; now Financial Executives International)
4. The Institute of Internal Auditors (IIA)
5. The Institute of Management Accountants (IMA)
COSO Major Objectives
COSO's main objectives are to assist organizations regarding:
1) effectiveness and efficiency of operations;
2) reliability of financial reporting;
3) compliance with applicable laws and regulations.
COSO and Healthcare
• Internal control tools developed by COSO in 1992 and by the Department of Health and Human Services (HHS) Office of the Inspector General (OIG) highlight the importance of the internal audit function in detecting and preventing violations.
• Tightened internal controls have helped fight Medicare and Medicaid abuse.
Medicare Losses
• 1996: $23 billion
• 1999: $12 billion – an improvement; however, $12 billion still demands attention
• Much of these losses can be attributed to abuse, fraud, and inefficiencies.
COSO (1992)
Internal Control Framework
Five Components
• Control Environment
• Risk Assessment
• Control Activities
• Information & Communication
• Monitoring
COSO (2004)
Enterprise Risk Management Framework
This COSO ERM framework defines essential components, suggests a common language, and provides clear direction and guidance for enterprise risk management.
COSO (2004)
Enterprise Risk Management Framework
Eight Components
• Internal Environment
• Objective Setting
• Event Identification
• Risk Assessment
• Risk Response
• Control Activities
• Information & Communication
• Monitoring
COSO Components
Internal Environment
• encompasses the tone of an organization
• sets the basis for how risk is viewed and addressed by an entity's people, including risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate.
COSO Components
Objective Setting
• Objectives must exist before management can identify potential events affecting their achievement.
COSO Components
Event Identification
• Internal and external events affecting achievement of an entity's objectives must be identified, distinguishing between risks and opportunities.
COSO Components
Risk Assessment
• Analysis of risk
• Consideration of likelihood and impact
• How risks should be managed
COSO Components
Risk Response
• Avoid risk
• Accept risk
• Reduce risk
• Share risk
COSO Components
Control Activities
• Policies and procedures are established and implemented.
COSO Components
Information and Communication
• Relevant information is identified, captured, and communicated in a form and timeframe that enable people to carry out their responsibilities.
COSO Components
Monitoring
• The entirety of enterprise risk management is monitored and modifications made as necessary.
Financial vs Technical Issues
Okay, that addresses issues related to "Finance"; what about other frameworks and standards in healthcare?

HIPAA Title II
Focused on Preventing Health Care Fraud and Abuse; Administrative Simplification; Medical Liability Reform

Title II provides for the enactment of five rules.
HIPAA Title II Rules
• Privacy Rule
• Transactions and Code Sets Rule
• Security Rule
• Unique Identifiers Rule (National Provider Identifier)
• Enforcement Rule
HIPAA & Technology
Challenges for Information Technology (IT):
• Transactions and Code Sets Rule
• Privacy Rule
• Security Rule
Transactions & Code Sets (X12 Transactions)
• These transactions and code sets relate to EDI (Electronic Data Interchange).
• EDI – the structured transmission of data between organizations by electronic means.
• The rule adopts 11 standard transactions (listed on the next two slides); the "code sets" are the standard medical code sets (diagnosis, procedure and drug codes) that must be used inside those transactions.
Transactions & Code Sets (X12 Transactions)
• EDI Health Care Claim Transaction Set (837)
• EDI Retail Pharmacy Claim Transaction (NCPDP Telecommunication Standard; the one adopted transaction that is not an X12 set)
• EDI Health Care Claim Payment/Advice Transaction Set (835)
• EDI Benefit Enrollment and Maintenance Set (834)
• EDI Payroll Deducted and Other Group Premium Payment for Insurance Products (820)

Transactions & Code Sets Rule (continued)
• EDI Health Care Eligibility/Benefit Inquiry (270)
• EDI Health Care Eligibility/Benefit Response (271)
• EDI Health Care Claim Status Request (276)
• EDI Health Care Claim Status Notification (277)
• EDI Health Care Service Review Information (278)
• EDI Functional Acknowledgement Transaction Set (997)
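To make the transaction list concrete, here is an added example that is not part of the original slides: a minimal Python reader for an X12 interchange. It takes the element, sub-element and segment delimiters from the fixed-width ISA header instead of assuming them, identifies each transaction set by its ST01 identifier against the list above, and checks the SE trailer's segment count and control number, which is what a receiver validates before answering with a 997. The ISA layout and ST/SE semantics come from the X12 standard, not from the slides; the sample 270 interchange and every identifier in it are constructed dummies.

```python
"""Minimal ANSI X12 envelope reader for HIPAA transaction files (added example)."""
from __future__ import annotations

# Transaction set identifiers named on the slides (ST01 values), plus the
# 997 functional acknowledgement that a receiver returns for an interchange.
HIPAA_X12_SETS = {
    "837": "Health Care Claim",
    "835": "Health Care Claim Payment/Advice",
    "834": "Benefit Enrollment and Maintenance",
    "820": "Payroll Deducted and Other Group Premium Payment",
    "270": "Health Care Eligibility/Benefit Inquiry",
    "271": "Health Care Eligibility/Benefit Response",
    "276": "Health Care Claim Status Request",
    "277": "Health Care Claim Status Notification",
    "278": "Health Care Service Review Information",
    "997": "Functional Acknowledgement",
}


def x12_delimiters(data: str) -> tuple[str, str, str]:
    """Return (element, sub-element, segment) separators from the ISA header.

    ISA is the only fixed-width X12 segment: 106 characters, with the element
    separator at offset 3, the sub-element separator at offset 104 and the
    segment terminator at offset 105.  Reading them from the file, instead of
    assuming '*' and '~', is what makes the parser work on real partner files.
    """
    if not data.startswith("ISA") or len(data) < 106:
        raise ValueError("not an X12 interchange: missing 106-char ISA header")
    return data[3], data[104], data[105]


def parse_segments(data: str) -> list[list[str]]:
    """Split an interchange into segments, each a list of its elements."""
    elem, _sub, seg_term = x12_delimiters(data)
    segments = []
    for raw in data.split(seg_term):
        raw = raw.strip("\r\n")
        if raw:
            segments.append(raw.split(elem))
    return segments


def transaction_sets(data: str) -> list[dict]:
    """Describe every ST..SE transaction set in the interchange.

    For each set, record its id (ST01), control number (ST02) and the number
    of segments actually received, then check the trailer's own claims:
    SE01 must equal that count and SE02 must repeat ST02.  A receiver makes
    exactly these checks before accepting the set and sending a 997.
    """
    found: list[dict] = []
    current: dict | None = None
    for seg in parse_segments(data):
        tag = seg[0]
        if tag == "ST":
            if current is not None:
                raise ValueError(f"ST {current['control']} has no matching SE")
            current = {"id": seg[1], "control": seg[2], "segments": 1,
                       "name": HIPAA_X12_SETS.get(seg[1], "unknown")}
        elif current is not None:
            current["segments"] += 1
            if tag == "SE":
                current["se_count_ok"] = int(seg[1]) == current["segments"]
                current["control_ok"] = seg[2] == current["control"]
                found.append(current)
                current = None
    if current is not None:
        raise ValueError(f"ST {current['control']} has no matching SE")
    return found


# Constructed sample (all identifiers are dummies): one 270 eligibility
# inquiry using '*' element, ':' sub-element and '~' segment separators.
# The ISA header is built with padding so that it is exactly 106 characters.
SAMPLE_270 = (
    f"ISA*00*{'':10}*00*{'':10}*ZZ*{'SENDERID':15}*ZZ*{'RECEIVERID':15}"
    "*080101*1200*^*00501*000000001*0*T*:~"
    "GS*HS*SENDERID*RECEIVERID*20080101*1200*1*X*005010X279A1~"
    "ST*270*0001*005010X279A1~"
    "BHT*0022*13*10001234*20080101*1200~"
    "HL*1**20*1~"
    "NM1*PR*2*EXAMPLE PAYER*****PI*12345~"
    "HL*2*1*21*1~"
    "NM1*1P*2*EXAMPLE CLINIC*****XX*1234567890~"
    "HL*3*2*22*0~"
    "TRN*1*93175-012547*9877281234~"
    "NM1*IL*1*DOE*JANE****MI*11122333301~"
    "DMG*D8*19700101~"
    "DTP*291*D8*20080101~"
    "EQ*30~"
    "SE*13*0001~"
    "GE*1*1~"
    "IEA*1*000000001~"
)

if __name__ == "__main__":
    for ts in transaction_sets(SAMPLE_270):
        print(f"{ts['id']} {ts['name']}: {ts['segments']} segments, "
              f"SE count ok={ts['se_count_ok']}, control ok={ts['control_ok']}")
```

Run as a script it reports the single 270 set with 13 segments and both trailer checks passing; tamper with the SE01 count (for example `SE*12*0001`) and the set is still listed but flagged, which is the condition a receiver would reject in its 997.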
Privacy Rule
It establishes regulations for the use and disclosure of Protected Health Information (PHI). PHI is any information held by a covered entity which concerns health status, provision of health care, or payment for health care that can be linked to an individual.
Security Rule
Lays out three types of security safeguards required for compliance:
• Administrative – policies and procedures (e.g. risk analysis, workforce training, sanctions)
• Physical – controlling physical access to the facilities and equipment that hold protected data
• Technical – access control, audit controls, integrity controls and transmission security for the computers that store and manage protected data
Obeying the "Rules"
Implement control frameworks that facilitate compliance with the "Rules":
• COBIT
• ITIL
• ISO/IEC 27002
• ISO 27799
COBIT
Control Objectives for Information and Related Technology

The Control Objectives for Information and related Technology (COBIT) is a set of best practices (framework) for information technology (IT) management created by the Information Systems Audit and Control Association (ISACA), which first released it in 1996; later editions were co-published with the IT Governance Institute (ITGI).

COBIT 4.1, the current version when this deck was written, was released in 2007.
COBIT
What COBIT provides:
• A set of generally accepted measures
• Indicators
• Processes
• Best practices
COBIT Structure
Covers four domains:
1. Plan and Organize (PO)
2. Acquire and Implement (AI)
3. Deliver and Support (DS)
4. Monitor and Evaluate (ME)
COBIT
Plan and Organize covers:
• the use of information & technology
• how best it can be used in a company to help achieve the company's goals and objectives
• also highlights the organizational and infrastructural form IT is to take in order to achieve the optimal results and to generate the most benefits from the use of IT
COBIT
Acquire and Implement covers:
• Identification of IT requirements,
• Acquisition of technology, and
• Implementation within the company's current business processes.
COBIT
Deliver and Support covers:
• The delivery aspects of the information technology
• The execution of the applications within the IT system and its results
• The support processes that enable the effective and efficient execution of these IT systems. These support processes include security issues, training, Help Desk, and backup & recovery.
COBIT
Monitor and Evaluate:
• Deals with a company's strategy in assessing the needs of the company
• Determines whether or not the current IT system still meets the objectives for which it was designed
• Identifies the controls necessary to comply with regulatory requirements
• Deals with the issue of an independent assessment of the effectiveness of the IT system in its ability to meet business objectives and the evaluation of the company's control processes by internal and external auditors
COBIT, COSO & SOX
• COSO and COBIT are the most referenced control frameworks for SOX and for FIEL (Japan's Financial Instruments and Exchange Law, aka "J-SOX")
• Not all COBIT controls apply to ICFR (Internal Control over Financial Reporting)
• COBIT "Lite"
COBIT "Lite"
IT Control Objectives for Sarbanes-Oxley: ITGI's subset of COBIT control objectives relevant to financial reporting
ITIL
The five ITIL V3 volumes

ITIL
• ITIL is published in a series of books, each of which covers an IT management topic.
• ITIL gives a detailed description of a number of important IT practices with comprehensive checklists, tasks and procedures that any IT organization can tailor to its needs.
• ITIL has been mapped to COBIT, but the reporting requirements of the two are not the same.
ITIL Structure
ITIL v3, published in May 2007, comprises 5 key volumes:
1. Service Strategy
2. Service Design
3. Service Transition
4. Service Operation
5. Continual Service Improvement
ITIL
At the time of this deck, ITIL was owned and maintained by the UK Office of Government Commerce (OGC); ownership passed to AXELOS in 2013.

The names ITIL and IT Infrastructure Library were registered trademarks of the OGC.
ISO/IEC 27002:2005
(actually a 'Standard')

ISO/IEC
• ISO (International Organization for Standardization) is the world's largest developer and publisher of International Standards.
• IEC (International Electrotechnical Commission) is the international standards and conformity assessment body for all fields of electrotechnology.
ISO 27002
The standard descends from the two-part British Standard BS 7799:

• Part 1: BS 7799-1 / ISO/IEC 17799
  - Contains the code of practice: guidance and explanatory information
  - Formally published as ISO/IEC 27002, Code of Practice for Information Security Management

• Part 2: BS 7799-2 / ISO/IEC 27001
  - Provides a model that can be used by businesses to set up and run an effective Information Security Management System (ISMS)
  - Formally published as ISO/IEC 27001, Information Security Management Systems – Requirements
ISO 17799
• This is essentially the set of security controls: the measures and safeguards for potential implementation.
• After the introduction, scope, terminology and structure sections, the remainder of ISO/IEC 17799 specifies control objectives categorized into 11 main sections to protect information assets against threats to their confidentiality, integrity and availability.
ISO 17799
Security Controls (the 11 sections)
• Security Policy
• Organization of Information Security
• Asset Management
• Human Resources Security
• Physical and Environmental Security
• Communications and Operations Management
• Access Control
• Information Systems Acquisition, Development and Maintenance
• Information Security Incident Management
• Business Continuity Management
• Compliance
ISO 27001
• This is the 'specification' for an Information Security Management System (ISMS). It is the means to measure, monitor and control security management from the top-down perspective. It explains how to apply ISO 17799.
ISO 27001
Defined as a six-part process:
• Define a security policy
• Define the scope of the ISMS
• Undertake a risk assessment
• Manage the risk
• Select control objectives and controls to be implemented
• Prepare a statement of applicability
ISO 27002
Healthcare Challenges:
• ISO 27002 is extremely difficult to implement across large organizational units in one go
• Compliance scopes that cover no more than two to three sites, approximately 50 staff, or approximately ten processes have been found to work very well.
ISO 27799:2008
Health informatics - Information security management in health using ISO/IEC 27002

ISO 27799
This International Standard provides guidance to healthcare organizations and other custodians of personal health information on how best to protect the confidentiality, integrity and availability of such information by implementing ISO/IEC 27002.
ISO 27799
• Health information security
• Practical action plan for implementing ISO 17799/27002
• Healthcare implications of ISO 17799/27002
• Threats
• Tasks and documentation of the ISMS
• Potential benefits and tool attributes
Relationships Between Standards & Regulations
(Diagram; only its labels survive: HIPAA, ISO 17799, BS7799, COBIT & ITIL)

Remember: ISO/IEC 17799 (the former BS 7799-1) was renumbered ISO/IEC 27002, and BS 7799-2 became ISO/IEC 27001.
Questions?
For More Information:
Jennifer F. Alfafara
Consultant
Resources Global Professionals
jalfafara@resources-usa.com

Thank you!