Overview of Frameworks: COBIT, COSO, ITIL, ISO, and more
Jennifer F. Alfafara, CISA
Consultant

Frameworks vs Standards

What is a Framework?
Main Entry: frame·work
Pronunciation: \ˈfrām-ˌwərk\
Function: noun
Date: 1578
1 a: a basic conceptional structure (as of ideas) <the framework of the United States Constitution> b: a skeletal, openwork, or structural frame
2: frame of reference
3: the larger branches of a tree that determine its shape

What is a Standard?
Standard - a rule or principle that is used as a basis for judgment
• GAAP (FASB) – Generally Accepted Accounting Principles (Financial Accounting Standards Board)
• IFRS (IASB) – International Financial Reporting Standards (International Accounting Standards Board)
• PCAOB (Public Company Accounting Oversight Board) Auditing Standards
• ISO/IEC 27000 (International Organization for Standardization/International Electrotechnical Commission)

Then, what is HIPAA considered?
HIPAA (American Health Insurance Portability and Accountability Act 1996) is a “Guideline”.

Why have frameworks been developed?
• Lack of alignment between business practices and technology
• Provide guidance to corporate management to ensure they are in compliance with regulatory requirements

Why adopt a framework?
• Regulatory requirement
• Business requirement
• Best in class

What is a Control Framework?
Control Framework - A recognized system of control categories that covers all internal controls expected in an organization.

Control Framework
To be comprehensive, the framework must:
1. Provide a favorable control environment
2. Provide for the continuing assessment of risk
3. Provide for the design, implementation, and maintenance of effective control-related policies and procedures.

Control Framework (continued)

SEC on Frameworks
“The COSO Framework satisfies our criteria and may be used as an evaluation framework for purposes of management's annual internal control evaluation and disclosure requirements. However, the final rules do not mandate use of a particular framework, such as the COSO Framework, in recognition of the fact that other evaluation standards exist outside of the United States, and that frameworks other than COSO may be developed within the United States in the future, that satisfy the intent of the statute without diminishing the benefits to investors.”

Control Frameworks
• COSO
• COBIT 4.1
• ITIL
• ISO/IEC 27002 (Actually a Standard)
• ISO/IEC 27799 (Guidelines for 27002)

COSO
Committee of Sponsoring Organizations

COSO
COSO - Committee of Sponsoring Organizations of the Treadway Commission

COSO
Who are the Sponsors?
1. American Institute of Certified Public Accountants (AICPA)
2. American Accounting Association (AAA)
3. Financial Executives Institute (FEI)
4. The Institute of Internal Auditors (IIA) and
5. The Institute of Management Accountants (IMA).

COSO Major Objectives

COSO and Healthcare

Medicare Losses
• 1996 $23 Billion
• 1999 $12 Billion – an improvement; however $12 Billion still demands attention
• Much of these losses can be attributed to abuse, fraud, and inefficiencies.

COSO (1992)
Internal Control Framework
Five Components
• Monitoring
• Information & Communication
• Control Activities
• Risk Assessment
• Control Environment

COSO (2004)
Enterprise Risk Management Framework
This COSO ERM framework defines essential components, suggests a common language, and provides clear direction and guidance for enterprise risk management.

COSO (2004)
Enterprise Risk Management Framework
Eight Components
• Internal Environment
• Objective Setting
• Event Identification
• Risk Assessment
• Risk Response
• Control Activities
• Information & Communication
• Monitoring

COSO Components
Internal Environment
• encompasses the tone of an organization
• sets the basis for how risk is viewed
• addressed by an entity’s people, including risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate.

COSO Components
Objective Setting
• Objectives must exist before management can identify potential events affecting their achievement.

COSO Components
Event Identification
• Internal and external events affecting achievement of an entity’s objectives must be identified, distinguishing between risks and opportunities.

COSO Components
Risk Assessment
• Analysis of risk
• Consideration of likelihood and impact
• How risks should be managed

COSO Components
Risk Response
• Avoid Risk
• Accept Risk
• Reduce Risk
• Share Risk

COSO Components
Control Activities
• Policies and procedures are established and implemented.

COSO Components
Information and Communication
• Relevant information is identified, captured, and communicated in a form and timeframe that enable people to carry out their responsibilities.

COSO Components
Monitoring
• The entirety of enterprise risk management is monitored and modifications made as necessary.

Financial vs Technical Issues

HIPAA Title II Rules
• Privacy Rule
• Transactions and Code Sets Rule
• Security Rule
• Unique Identifiers Rule (National Provider Identifier)
• Enforcement Rule

HIPAA & Technology
Challenges for Information Technology (IT)
• Transactions and Code Sets
• Privacy
• Security Rules

Transactions & Code Sets (X12 Transactions)
• These transactions and code sets relate to EDI (Electronic Data Interchange).
• EDI – the structured transmission of data between organizations by electronic means.
• There are 11 defined code sets.

Transactions & Code Sets (X12 Transactions)
• EDI Health Care Claim Transaction set (837)
• EDI Retail Pharmacy Claim Transaction (835)
• EDI Benefit Enrollment and Maintenance Set (834)
• EDI Payroll Deducted and other group Premium Payment for Insurance Products (820)

Transactions & Code Sets Rule (continued)
• EDI Health Care Eligibility/Benefit Inquiry (270)
• EDI Health Care Eligibility/Benefit Response (271)
• EDI Health Care Claim Status Request (276)
• EDI Health Care Claim Status Notification (277)
• EDI Health Care Service Review Information (278)
• EDI Functional Acknowledgement Transaction Set (997)

Privacy Rule
It establishes regulations for the use and disclosure of Protected Health Information (PHI). PHI is any information held by a covered entity which concerns health status, provision of health care, or payment for health care that can be linked to an individual.

Security Rule
Lays out three types of security safeguards required for compliance:
• Administrative – Policies and Procedures
• Physical – Access to Protected Data
• Technical – Access to Computers that store and manage protected data

Obeying the “Rules”
Implement Control Frameworks that facilitate compliance with the “Rules”
• COBIT
• ITIL
• ISO/IEC 27002
• ISO 27799

COBIT
Control Objectives for Information and Related Technology

COBIT
The Control Objectives for Information and related Technology (COBIT) is a set of best practices (framework) for information technology (IT) management created by the Information Systems Audit and Control Association (ISACA), and the IT Governance Institute (ITGI) in 1992.

COBIT Structure
Covers four domains
1. Plan and Organize (PO)
2. Acquire and Implement (AI)
3. Deliver and Support (DS)
4. Monitor and Evaluate (ME)

COBIT
Plan and Organize covers:
• the use of information & technology
• how best it can be used in a company to help achieve the company’s goals and objectives.
• also highlights the organizational and infrastructural form IT is to take in order to achieve the optimal results and to generate the most benefits from the use of IT

COBIT
Acquire and Implement covers:
• Identification of IT requirements,
• Acquisition of technology, and
• Implementation within the company’s current business processes.

COBIT
Delivery and Support covers:
• The delivery aspects of the information technology
• The execution of the applications within the IT system and its results,
• The support processes that enable the effective and efficient execution of these IT systems. These support processes include security issues, training, Help Desk, and backup & recovery.

COBIT
Monitor and Evaluate:
• Deals with a company’s strategy in assessing the needs of the company
• Determines whether or not the current IT system still meets the objectives for which it was designed
• Identifies the controls necessary to comply with regulatory requirements.
• Deals with the issue of an independent assessment of the effectiveness of the IT system in its ability to meet business objectives and the evaluation of the company’s control processes by internal and external auditors.

COBIT, COSO & SOX
• The most referenced control frameworks for SOX and FIEL (Financial Instruments and Exchange Law – aka “JSOX”)
• Not all COBIT controls apply to ICFR (Internal Controls over Financial Reporting)
• COBIT “Lite”

COBIT “Lite”
IT Control Objectives for Sarbanes-Oxley

ITIL

ITIL Structure
ITIL v3, published in May 2007, comprises 5 key volumes:
1. Service Strategy
2. Service Design
3. Service Transition
4. Service Operation
5. Continual Service Improvement

ITIL
ITIL is owned and maintained by the UK Office of Government Commerce (OGC).

ISO/IEC 27002:2005
(actually a ‘Standard’)

ISO/IEC
• ISO (International Organization for Standardization) is the world's largest developer and publisher of International Standards.
• IEC (International Electrotechnical Commission) is the international standards and conformity assessment body for all fields of electrotechnology.

ISO 27002
The standard is composed of two parts:

ISO 27002

ISO 17799
• This is essentially the set of security controls: the measures and safeguards for potential implementation.
• After the introduction, scope, terminology and structure sections, the remainder of ISO/IEC 17799 specifies control objectives categorized into 11 main sections to protect information assets against threats to their confidentiality, integrity and availability.

ISO 17799
Security Controls
• Security Policy
• Organization of Information Security
• Asset Management
• Human Resources
• Physical and Environmental Security
• Communications and Operations Management

ISO 17799
Security Controls (cont’)
• Access Control
• Information Systems Acquisition, Development and Maintenance
• Information Security Incident Management
• Business Continuity Management
• Compliance

ISO 27001
• This is the ‘specification’ for an Information Security Management System (ISMS). It is the means to measure, monitor and control security management from the top-down perspective. It explains how to apply ISO 17799.

ISO 27001
Defined as a six part process:
• Define a security policy
• Define the scope of ISMS
• Undertake a risk assessment
• Manage the risk
• Select control objectives and controls to be implemented
• Prepare a statement of applicability
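
The six-part ISO 27001 process above, carried through in code together with the earlier COSO Risk Assessment and Risk Response slides (likelihood and impact; avoid, accept, reduce, share) and the 11 ISO 17799 control sections. This is an added Python example, not material from the presentation or from any of the standards it describes. The 1-to-5 rating scale, the risk appetite and avoidance thresholds, the control catalogue and the sample healthcare risks are all constructed assumptions; a real ISMS takes those values from its own security policy (step 1).

```python
from dataclasses import dataclass, field

# Scale and thresholds are constructed assumptions, not values from any standard.
RISK_APPETITE = 6      # likelihood x impact at or below this: accept
AVOID_THRESHOLD = 20   # at or above this: avoid (stop the activity)

# The 11 ISO 17799 / 27002 control sections listed on the slides.
CONTROL_SECTIONS = [
    "Security Policy", "Organization of Information Security", "Asset Management",
    "Human Resources", "Physical and Environmental Security",
    "Communications and Operations Management", "Access Control",
    "Information Systems Acquisition, Development and Maintenance",
    "Information Security Incident Management", "Business Continuity Management",
    "Compliance",
]

@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int             # 1 (rare) .. 5 (almost certain)
    impact: int                 # 1 (negligible) .. 5 (severe)
    transferable: bool = False  # can it be shared, e.g. insured or outsourced?
    response: str = ""          # COSO response: avoid / accept / reduce / share
    controls: list = field(default_factory=list)  # (section, control) pairs

    @property
    def score(self) -> int:
        # Step 3, risk assessment: likelihood and impact considered together.
        return self.likelihood * self.impact

def choose_response(risk: Risk, appetite: int = RISK_APPETITE) -> str:
    """Step 4, manage the risk: pick one of the four COSO risk responses."""
    if risk.score <= appetite:
        return "accept"
    if risk.score >= AVOID_THRESHOLD:
        return "avoid"
    return "share" if risk.transferable else "reduce"

def select_controls(risk: Risk, catalogue: dict) -> list:
    """Step 5: only risks being reduced get controls, and each control must
    sit in one of the 11 ISO 17799 sections."""
    if risk.response != "reduce":
        return []
    chosen = catalogue.get(risk.threat, [])
    for section, _ in chosen:
        if section not in CONTROL_SECTIONS:
            raise ValueError(f"unknown control section: {section}")
    return chosen

def statement_of_applicability(risks: list) -> dict:
    """Step 6: per section, whether it applies and which controls justify it."""
    soa = {s: {"applicable": False, "controls": []} for s in CONTROL_SECTIONS}
    for risk in risks:
        for section, control in risk.controls:
            soa[section]["applicable"] = True
            soa[section]["controls"].append(control)
    return soa

def run_isms_cycle(scope: set, risks: list, catalogue: dict) -> tuple:
    """Steps 2 to 6 in order; step 1, the security policy, is what fixes the appetite."""
    assessed = []
    for risk in risks:
        if risk.asset not in scope:   # step 2: outside the ISMS scope, not assessed
            continue
        risk.response = choose_response(risk)
        risk.controls = select_controls(risk, catalogue)
        assessed.append(risk)
    return assessed, statement_of_applicability(assessed)

# Constructed sample data for a small healthcare unit.
SCOPE = {"patient records database", "billing workstation", "personal laptops"}
SAMPLE_RISKS = [
    Risk("patient records database", "unauthorized access by former staff", 3, 4),
    Risk("billing workstation", "malware arriving by email", 4, 3),
    Risk("billing workstation", "hardware theft", 2, 4, transferable=True),
    Risk("patient records database", "loss of paper backups", 1, 3),
    Risk("personal laptops", "unencrypted PHI kept on personal laptops", 5, 5),
    Risk("public website", "defacement", 3, 2),   # outside the ISMS scope
]
CONTROL_CATALOGUE = {
    "unauthorized access by former staff": [
        ("Human Resources", "termination process removes access rights"),
        ("Access Control", "quarterly user access review"),
    ],
    "malware arriving by email": [
        ("Communications and Operations Management", "malware protection on workstations"),
    ],
}

if __name__ == "__main__":
    assessed, soa = run_isms_cycle(SCOPE, SAMPLE_RISKS, CONTROL_CATALOGUE)
    for r in assessed:
        print(f"{r.score:>2}  {r.response:<7} {r.asset}: {r.threat}")
    for section, entry in soa.items():
        print(("applicable    " if entry["applicable"] else "not applicable"),
              section + ":", ", ".join(entry["controls"]) or "-")
```

Two points the code makes explicit that the bullet list leaves implicit: the scope decision in step 2 happens before any scoring, so the out-of-scope website risk never enters the register at all, and the statement of applicability in step 6 lists every one of the 11 sections, marking the eight that no treated risk touches as not applicable rather than omitting them, which is what an auditor expects to see.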

ISO 27002
Healthcare Challenges:
• ISO 27002 is extremely difficult to implement for large units
• Compliance scopes that cover no more than two to three sites or approximately 50 staff or approximately ten processes have been found to work very well.

ISO 27799:2008

ISO 27799
• Health information security
• Practical Action Plan for Implementing ISO 17799/27002
• Healthcare Implications of ISO 17799/27002
• Threats
• Tasks and documentation of the ISMS
• Potential benefits and tool attributes

Relationships Between Standards & Regulations
[diagram: HIPAA, ISO 17799, BS7799, COBIT & ITIL]
Remember: ISO 17799 and BS 7799 are ISO 27002

Questions?
For More Information:
Jennifer F. Alfafara
Consultant
Resources Global Professionals
jalfafara@resources-usa.com

Thank you!