Session S23: Use of COBIT as a Risk Management & Audit Framework for Access Compliance
Presented on October 5, 2004 by Lance M. Turcato, CISM, CISA, CPA

Lance M. Turcato, CISM, CISA, CPA
Managing Director – Access Assessment & Policy Compliance, Information Security Administration, Charles Schwab & Co., Inc.
Email: firstname.lastname@example.org  Phone: 602-977-4376
October 5, 2004
2004 San Francisco ISACA Fall Conference

Marta O'Shea, CISA
Senior Manager – Technology Infrastructure & Security Oversight, Internal Audit Department, Charles Schwab & Co., Inc.
Email: email@example.com  Phone: 415-636-7348
Slide 4 – Audience Poll: COBIT Knowledge
- First exposure?
- General understanding?
- Strong knowledge of COBIT framework?

Current Users of COBIT
- Adopted by IT Management?
- Incorporated Into Audit Process?
- Users of a framework other than COBIT?
Slide 5 – Agenda

Overview of COBIT Framework
- COBIT Mission, Scope & Objectives
- COBIT Role In IT Governance
- COBIT Family
- Framework & Components
- Control Objectives
- Audit Guidelines
- Management Guidelines

COBIT As An Audit Framework
- Process for Implementing COBIT
- Audit Approach Overview

COBIT As A Risk Framework For Information Security
- Defining Security Requirements
- Measuring Security & Assessing Risk
- Available Tools

(Page references as printed on the slide: 6, 7, 8, 9, 17, 26, 30; 40, 47; 60, 63, 70.)
Slide 6 – Overview of COBIT Framework
Source of Information: IT Governance Institute (http://www.itgi.org/)
Slide 7 – COBIT's Mission, Scope & Objectives

Mission: "To research, develop, publicize and promote an authoritative, up-to-date, international set of generally accepted Information Technology Control Objectives for day-to-day use by business managers and auditors."

Scope & Objectives:
- Generally applicable and accepted international standard for good practice for Information Technology controls
- For application to enterprise-wide information systems, regardless of technology employed (generic)
- Focused on business requirements for information
- Management / business process owner oriented
- Based on IT Governance Institute Control Objectives:
  - aligned with the de jure and de facto standards and regulations
  - based on critical review of tasks and activities or function
Slide 8 – COBIT's Role In IT Governance

[Diagram: IT Governance Framework]
IT Management: Sets Measurable Goals → Deliver Against Goals → Address Gaps
Internal Audit: Apply Consistent Control Framework → Measure Performance → Compare Results
Slide 9 – COBIT Family – 3rd Edition
- "There is a Method."
- "The Method Is..."
- "Minimum Controls Are..."
- "Here's How You Audit..."
- "Here's How You Implement..."
- "Here's How You Measure Your Performance…"
Slide 10 – COBIT – Pieces of The Puzzle
Framework, Control Objectives, Audit Guidelines, Management Guidelines, Implementation Tool Set, Executive Summary

- Executive Summary – Senior Executives (CEO, CIO): provides awareness on key concepts for Senior Management.
- Framework – Senior Operational Management (Directors of IT and IS Audit/Controls): describes 34 high-level objectives.
- Control Objectives – Middle Management (Mid-Level IT Management and IS Audit/Control Managers): statements of desired results by implementing 318 specific control objectives.
- Audit Guidelines – Line Management and Controls Practitioner (Applications or Operations Manager and Auditor): suggested audit procedures.
- Management Guidelines – IT Management and IT Audit/Control Managers: Critical Success Factors, Key Goal Indicators, Key Performance Indicators, Maturity Model.
- Implementation Tool Set – Senior Operational Management, Director of IS, Mid-Level IS Management and IS Audit/Control Managers/Seniors: suggested implementation tools and implementation success stories.
Slide 11 – COBIT As An IT Control Framework
- Starts from the premise that IT needs to deliver the information that the enterprise needs to achieve its objectives
- Promotes process focus and process ownership
- Divides IT into 34 processes belonging to four domains (providing a high level control objective for each process)
  IT Domains: Planning & Organization; Acquiring & Implementing; Delivery & Support; Monitoring
- Looks at fiduciary, quality and security needs of enterprises, providing seven information criteria that can be used to generically define what the business requires from IT
  Information Criteria: Effectiveness; Efficiency; Confidentiality; Integrity; Availability; Compliance; Reliability
- Is supported by a set of over 300 detailed control objectives
Slide 12 – COBIT Framework – Components
- IT Domains & Processes
- Information Criteria = Business Requirements
- IT Resources

[Diagram: Business Requirements (Information Criteria: Fiduciary, Quality, Security) → IT Processes (Domains, Processes, Activities) → IT Resources (People, Application Systems, Technology, Facilities, Data)]
Slide 13 – COBIT Domains of Processes & Activities
- Domains: natural grouping of processes, often matching an organizational domain of responsibility.
- Processes: a series of joined activities with natural (control) breaks.
- Activities: actions needed to achieve a measurable result. Activities have a life-cycle, whereas tasks are discrete.
Slide 14 – Business Requirements
Business Requirements = Information Criteria
- Quality Requirements: Quality; Cost; Delivery
- Fiduciary Requirements (COSO Report): Effectiveness and Efficiency of Operations; Reliability of Financial Reporting; Compliance with Laws and Regulations
- Security Requirements: Confidentiality; Integrity; Availability
Slide 15 – IT Resources
- Data: data objects in their widest sense (i.e. external and internal, structured and non-structured, graphics, sound, etc.)
- Application Systems: understood to be the sum of manual and programmed procedures.
- Technology: covers hardware, operating systems, database management systems, networking, multimedia, etc.
- Facilities: resources to house and support information systems.
- People: staff skills, awareness and productivity to plan, organize, acquire, deliver, support and monitor information systems and services.
Slide 16 – COBIT Framework – Examples
- IT Domains: Planning & Organization; Acquisition & Implementation; Delivery & Support; Monitoring
- IT Processes: IT strategy; Change Management; Contingency Planning; Problem Management; Policy & Procedures; Feasibility Study; Acceptance Testing; etc.
- Activities: record new problem; analyze; propose solution; monitor solution; record known problem; etc.
Slide 17 – COBIT Framework Illustrated
COBIT's Golden Rule: "In order to provide the information that the organization needs to achieve its objectives, IT resources need to be managed by a set of naturally grouped processes." – IT Governance Institute
Slide 18 – Linking The Processes To Control Objectives
Control Objectives (34 High-level and 300+ Detailed Objectives)

COBIT's Waterfall and Navigation Aids, linking Process, Resource & Criteria:
"The control of IT Processes which satisfy Business Requirements is enabled by Control Statements and considers Control Practices."

- Process Domains: Planning & Organisation; Acquisition & Implementation; Delivery & Support; Monitoring
- Information Criteria: effectiveness, efficiency, confidentiality, integrity, availability, compliance, reliability (rated P = primary or S = secondary for each process)
- IT Resources: people, application systems, technology, facilities, data
Slide 19 – Linking The Processes To Control Objectives: Control Objectives (Example)

Control over the IT process of DEFINING A STRATEGIC IT PLAN that satisfies the business requirement to strike an optimum balance of information technology opportunities and IT business requirements as well as ensuring its further accomplishment is enabled by a strategic planning process undertaken at regular intervals giving rise to long-term plans; the long-term plans should periodically be translated into operational plans setting clear and concrete short-term goals and takes into consideration:
- enterprise business strategy
- definition of how IT supports the business objectives
- inventory of technological solutions and current infrastructure
- monitoring the technology markets
- timely feasibility studies and reality checks
- existing systems assessments
- enterprise position on risk, time-to-market, quality
- need for senior management buy-in, support and critical review
Slide 20 – COBIT – IT Processes/High-Level Objectives: Planning and Organization
PO 1  Define a Strategic IT Plan
PO 2  Define the Information Architecture
PO 3  Determine Technological Direction
PO 4  Define the IT Organization and Relationships
PO 5  Manage the IT Investment
PO 6  Communicate Management Aims and Direction
PO 7  Manage Human Resources
PO 8  Ensure Compliance with External Requirements
PO 9  Assess Risks
PO 10 Manage Projects
PO 11 Manage Quality

Slide 21 – COBIT – IT Processes/High-Level Objectives: Acquisition and Implementation
AI 1  Identify Automated Solutions
AI 2  Acquire and Maintain Application Software
AI 3  Acquire and Maintain Technology Infrastructure
AI 4  Develop and Maintain Procedures
AI 5  Install and Accredit Systems
AI 6  Manage Changes

Slide 22 – COBIT – IT Processes/High-Level Objectives: Delivery and Support
DS 1  Define and Manage Service Levels
DS 2  Manage Third-Party Services
DS 3  Manage Performance and Capacity
DS 4  Ensure Continuous Service
DS 5  Ensure Systems Security
DS 6  Identify and Allocate Costs
DS 7  Educate and Train Users
DS 8  Assist and Advise Customers
DS 9  Manage the Configuration
DS 10 Manage Problems and Incidents
DS 11 Manage Data
DS 12 Manage Facilities
DS 13 Manage Operations

Slide 23 – COBIT – IT Processes/High-Level Objectives: Monitoring
M 1  Monitor the Processes
M 2  Assess Internal Control Adequacy
M 3  Obtain Independent Assurance
M 4  Provide for Independent Audit
Slide 24 – Example Control Objectives For A Process
DOMAIN: Planning and Organization (PO)
PROCESS (High-level Control Objective): Define a Strategic IT Plan (PO 1)
DETAILED CONTROL OBJECTIVES:
PO 1.1  IT as Part of the Organization's Long- and Short-Range Plan (next slide)
PO 1.2  IT Long-Range Plan
PO 1.3  IT Long-Range Planning Approach and Structure
PO 1.4  IT Long-Range Plan Changes
PO 1.5  Short-Range Planning for the IT Function
PO 1.6  Communication of IT Plans
PO 1.7  Monitoring and Evaluating of IT Plans
PO 1.8  Assessment of Existing Systems
Slide 25 – Example Control Objectives For A Process
DEFINE A STRATEGIC INFORMATION TECHNOLOGY PLAN (PO 1)
PO 1.1 – IT as Part of the Organization's Long- and Short-Range Plan

CONTROL OBJECTIVE: Senior management is responsible for developing and implementing long- and short-range plans that fulfill the organization's mission and goals. In this respect, senior management should ensure that IT issues as well as opportunities are adequately assessed and reflected in the organization's long- and short-range plans. IT long- and short-range plans should be developed to help ensure that the use of IT is aligned with the mission and business strategies of the organization.
Slide 26 – Summary of COBIT At This Point
- Framework defines a construct for reviewing IT.
- Four domains are identified.
- Within each domain there are processes – 34 total.
- Within each process there are high-level IT control objectives defining controls that should be in place.
- For each of the 34 processes, there are from 3 to 30 detailed IT control objectives (300+ in total).
- IT control objectives are generic and applicable to all environments.
- COBIT is a systematic and logical method for defining and communicating IT control objectives.
Slide 27 – COBIT Audit Guidelines – Purpose
COBIT provides detailed audit guidelines for each of the 34 IT processes…
- Enables the auditor to review specific IT processes against COBIT's Control Objectives to determine where controls are sufficient or advise management where processes need to be improved.
- Helps process owners answer questions – "Is what I'm doing adequate? And, if not, how do I fix it?"
Slide 28 – COBIT Audit Guidelines – Objectives
- To provide a simple, generic, and high-level structure for auditing IT controls:
  - based on generally accepted audit practices
  - aligned with the COBIT framework
  - generic for applicability to varying audit objectives and practices
  - providing clear policies and good practices for security and control of information and related technologies
  - enabling the development of specific audit programs or the enhancement of existing programs
- To enable auditors to review IT processes against COBIT's recommended detailed control objectives to provide management assurance and/or advice for improvement
- The Audit Guidelines are NOT intended as:
  - a tool for creating the overall audit plan
  - a tool for providing audit training
  - a solution for audit automation (although there are lots of opportunities)
  - exhaustive or definitive…guidelines will continue to evolve
Slide 29 – COBIT Management Guidelines
COBIT 3rd Edition added a Management and Governance layer, providing management with a toolbox containing…
- A maturity model to assist in benchmarking and decision-making for control over IT
- A list of critical success factors (CSF) that provides succinct nontechnical best practices for each IT process
- Generic and action oriented performance measurement elements (key performance indicators [KPI] and key goal indicators [KGI] – outcome measures and performance drivers for all IT processes)

Purpose…
- IT Control profiling – what is important?
- Awareness – where is the risk?
- Benchmarking – what do others do?
Slide 30 – Maturity Model
Method of scoring the maturity of IT processes… derived from the maturity model defined by the Software Engineering Institute for the maturity of software development.
[Diagram: GAP Analysis (Current vs. Goal) – Management's Target Goal]
Slide 31 – Maturity Model – GENERIC (Generic Maturity Model)

0 Non-Existent. Complete lack of any recognisable processes. The organisation has not even recognised that there is an issue to be addressed.

1 Initial. There is evidence that the organisation has recognised that the issues exist and need to be addressed. There are however no standardised processes but instead there are ad hoc approaches that tend to be applied on an individual or case by case basis. The overall approach to management is disorganised.

2 Repeatable. Processes have developed to the stage where similar procedures are followed by different people undertaking the same task. There is no formal training or communication of standard procedures and responsibility is left to the individual. There is a high degree of reliance on the knowledge of individuals and therefore errors are likely.

3 Defined. Procedures have been standardised and documented, and communicated through training. It is however left to the individual to follow these processes, and it is unlikely that deviations will be detected. The procedures themselves are not sophisticated but are the formalisation of existing practices.

4 Managed. It is possible to monitor and measure compliance with procedures and to take action where processes appear not to be working effectively. Processes are under constant improvement and provide good practice. Automation and tools are used in a limited or fragmented way.

5 Optimised. Processes have been refined to a level of best practice, based on the results of continuous improvement and maturity modelling with other organisations. IT is used in an integrated way to automate the workflow, providing tools to improve quality and effectiveness, making the enterprise quick to adapt.
Slide 32 – Maturity Model – PROCESS SPECIFIC: DS5 – Ensure System Security

Rating / Description

0 – Non-Existent: The organization does not recognize the need for IT security. Responsibilities and accountabilities are not assigned for ensuring security. Measures supporting the management of IT security are not implemented. There is no IT security reporting and no response process to IT security breaches. There is a complete lack of a recognizable system security administration process.

1 – Initial: The organization recognizes the need for IT security, but security awareness depends on the individual. IT security is addressed on a reactive basis and not measured. IT security breaches invoke "finger pointing" responses if detected, because responsibilities are unclear. Responses to IT security breaches are unpredictable.

2 – Repeatable: Responsibilities and accountabilities for IT security are assigned to an IT security co-ordinator with no management authority. Security awareness is fragmented and limited. IT security information is generated, but is not analyzed. Security solutions tend to respond reactively to IT security incidents and by adopting third-party offerings, without addressing the specific needs of the organization. Security policies are being developed, but inadequate skills and tools are still being used. IT security reporting is incomplete, misleading or not pertinent.

3 – Defined: Security awareness exists and is promoted by management. Security awareness briefings have been standardized and formalized. IT security procedures are defined and fit into a structure for security policies and procedures. Responsibilities for IT security are assigned, but not consistently enforced. An IT security plan exists, driving risk analysis and security solutions. IT security reporting is IT focused, rather than business focused. Ad hoc intrusion testing is performed.

4 – Managed: Responsibilities for IT security are clearly assigned, managed and enforced. IT security risk and impact analysis is consistently performed. Security policies and practices are completed with specific security baselines. Security awareness briefings have become mandatory. User identification, authentication and authorization are being standardized. Security certification of staff is being established. Intrusion testing is a standard and formalized process leading to improvements. Cost/benefit analysis, supporting the implementation of security measures, is increasingly being utilized. IT security processes are co-ordinated with the overall organization security function. IT security reporting is linked to business objectives.

5 – Optimized: IT security is a joint responsibility of business and IT management and is integrated with corporate security business objectives. IT security requirements are clearly defined, optimized and included in a verified security plan. Security functions are integrated with applications at the design stage and end users are increasingly accountable for managing security. IT security reporting provides early warning of changing and emerging risk, using automated active monitoring approaches for critical systems. Incidents are promptly addressed with formalized incident response procedures supported by automated tools. Periodic security assessments evaluate the effectiveness of implementation of the security plan. Information on new threats and vulnerabilities is systematically collected and analyzed, and adequate mitigating controls are promptly communicated and implemented. Intrusion testing, root cause analysis of security incidents and pro-active identification of risk is the basis for continuous improvements. Security processes and technologies are integrated organization wide.
Slide 33 – Measuring Success (Management Guidelines)
- Critical Success Factors: What are the most important things to do to increase the probability of success of the process?
  Example (DS4): Critical infrastructure components are identified and continuously monitored.
- Key Goal Indicators: Measures whether an IT process achieved its business requirements.
  Examples (DS4): No incidents causing public embarrassment. Number of critical business processes relying on IT that have adequate continuity plans.
- Key Performance Indicators: Measures how well the process is performing.
  Example (DS4): Number of outstanding continuous service issues not resolved or addressed.
Slide 34 – CSF – Critical Success Factors (Management Guidelines)
Management oriented IT control implementation guidance that are observable – usually measurable – characteristics of the organization and processes.
- Most important things that contribute to the IT process achieving its goal
- Visible and measurable signs of success:
  - Strategically
  - Technically
  - Organizationally
  - Process or Procedure
- Control Statements and Considerations of the 'Waterfall'
- Short, focused and action oriented
- Focus on obtaining, maintaining and leveraging capability and skills
[Background: the Waterfall – "The control of IT Processes which satisfy Business Requirements is enabled by Control Statements and considers Control Practices"]
Slide 35 – KGI – Key Goal Indicators (Management Guidelines)
Measurable indicators of the process achieving its goal.
- Describe the outcome of the process and are therefore 'lag' indicators (i.e., measurable after the fact)
- Are indicators of the success of the process, but may be expressed as well in terms of the business contribution, if that contribution is specific to that IT process
- Represent the process goal (i.e., a measure of "what" target to achieve)
- Are IT oriented, but business driven (Business Requirements from 'Waterfall')
- Are expressed in precise measurable terms, wherever possible
- Focus on those information criteria that have been identified to be of most importance for the process
[Background: Waterfall diagram]
Slide 36 – KPI – Key Performance Indicators (Management Guidelines)
Measurable indicators of performance of the enabling factors.
- Are a measure of "how well" the process is performing
- Predict the probability of success or failure in the future (i.e., 'LEAD' indicators)
- Are expressed in precise, measurable terms
- How well management leverages / manages the resources needed for the process
- Control Statements & Control Practices from 'Waterfall'
- Are process oriented, but IT driven
- Help in improving the IT process
[Background: Waterfall diagram]
CSF, KGI, KPI – Examples

Critical Success Factors
- IT performance is measured in financial terms, in relation to customer satisfaction, for process effectiveness and for future capability, and IT management is rewarded based on these measures
- The processes are aligned with the IT strategy and with the business goals; they are scalable and their resources are appropriately managed and leveraged
- Everyone involved in the process is goal focused and has the appropriate information on customers, on internal processes and on the consequences of their decisions
- A business culture is established, encouraging cross-divisional co-operation and teamwork, as well as continuous process improvement
- Control practices are applied to increase transparency, reduce complexity, promote learning, provide flexibility and allow scalability
- Goals and objectives are communicated across all disciplines and are understood
- It is known how to implement and monitor process objectives and who is accountable for process performance
- A continuous process quality improvement effort is applied
- There is clarity on who the customers of the process are
- The required quality of staff (training, transfer of information, morale, etc.) and availability of skills (recruit, retain, re-train) exist

Key Performance Indicators
- System downtime
- Throughput and response times
- Amount of errors and rework
- Number of staff trained in new technology and customer service skills
- Benchmark comparisons
- Number of non-compliance reportings
- Reduction in development and processing time

Key Goal Indicators
- Increased level of service delivery
- Number of customers and cost per customer served
- Availability of systems and services
- Absence of integrity and confidentiality risks
- Cost efficiency of processes and operations
- Confirmation of reliability and effectiveness
- Adherence to development cost and schedule
- Cost efficiency of the process
- Staff productivity and morale
- Number of timely changes to processes and systems
- Improved productivity (e.g., delivery of value per employee)
Slide 38 – COBIT As An Audit Framework: A Success Story
Additional Information – COBIT Case Study:
- http://www.itgi.org/casestudy4.htm
- http://www.isaca.org/ctcase27.htm
Slide 39 – Process For Implementing COBIT
1. Recognize Need
2. Educate Senior IT Management
3. Map COBIT to FFIEC Examination Guidelines
4. Map Audit Universe to COBIT High Level Control Objectives
5. Map Annual Audit Plan to COBIT Detailed Level Control Objectives (IT Activities)
6. Develop Questionnaire / Joint Risk Self-Assessment
7. Facilitate Assessment Work Sessions with Client
8. Analyze, Document, Validate Results, Report To Management
Slide 40 – The Need – Increased Regulatory Focus
Regulatory Ratings: Overall (UFIRS) & IT-Specific (URSIT)
- UFIRS rating reflects institution safety and soundness.
- IT (URSIT) is one of many components evaluated to determine the UFIRS score.

Uniform Financial Institution Rating System (UFIRS) – Composite Score (1-5)
Uniform Rating System for Information Technology (URSIT) – Composite Score (1-5)

URSIT Rating Criteria: 1 = Strong; 2 = Satisfactory; 3 = Less than Satisfactory; 4 = Deficient; 5 = Critically Deficient
COBIT Maturity Ratings: 0 = Non-Existent; 1 = Initial; 2 = Repeatable; 3 = Defined; 4 = Managed; 5 = Optimized

Federal Reserve issued… SR 99-8 (SUP), March 31, 1999 …which references COBIT.
Note inverted scale: a Fed rating of 5 is deficient and a COBIT rating of 5 is Optimized.
Slide 41 – Educating Senior IT Management

Encouraging Senior IT Management To Adopt COBIT
- Framework for Risk Self-Assessment (RSA) process
- Emphasize business orientation (NOT audit orientation)
- Emphasize value of self-assessment, performance measurement and benchmarking – provide real examples
- Knowledge that COBIT is based on industry standards with input from many sources
- Resource for regulatory examinations
- During rollout – monitor progress and report on results

Educating IT Management At All Levels
- Executive summary focus for senior management
- Workshops for line management and key technicians
- Integration with the audit process (engagement memos, audit kick-off meetings, work sessions, reporting)
Slide 42 – Linking COBIT To Other Sources of "Best Practice" (Illustration Only)
COBIT objectives mapped to relevant FFIEC examination criteria (FFIEC – Federal Financial Institutions Examination Council)

COBIT Ref. / COBIT Domains & Control Objectives | FFIEC Ref. | FFIEC Chapter Title & Relevant Section
PLANNING & ORGANIZATION
PO1 Define a Strategic IT Plan
  1.1 IT as Part of the Organization's Long- and Short-Range Plan | 10-1 | Corporate Contingency Planning Responsibilities
  1.2 IT Long-Range Plan | 9-6 | Planning
  1.3 IT Long-Range Planning, Approach & Structure | 9-6 | Planning
  1.4 IT Long-Range Plan Changes | 9-6 | Planning
  1.5 Short-Range Planning for the IT Function | 9-6 | Planning
  1.6 Communication of IT Plans | 9-6 | Planning
  1.7 Monitoring & Evaluating of IT Plans | 9-8 | Controls
  1.8 Assessment of Existing Systems | 12-2 | System Development Standards
PO2 Define the Information Architecture
  2.1 Information Architecture Model
  2.2 Corporate Data Dictionary & Data Syntax Rules
  2.3 Data Classification Scheme
  2.4 Security Levels
  (FFIEC references shown against PO2: 14-1 Security Administration and Accountability; 14-2 Security Plan)

…Other considerations – map to relevant ISO standards, technology specific process / control methodologies, etc.
Slide 43 – Alignment With Technology Infrastructure (Illustration Only)

[Network diagram]
- Internal Risks: Unauthorized Access by Internal Users (employees or contractors)
- External Risks: Vulnerability to Hackers
- Diagram components: Internet; DMZ (Other Servers: Email, FTP, DNS); Firewalls; Router; Firewalls / Secure Routing; Subsidiaries; 3rd Parties; LANs; Remote LANs; VPN; Remote Access; Mainframe Systems; Distributed Systems (UNIX & Windows); Databases & Applications; Monitoring, Intrusion Detection & Anti-Virus Systems
Slide 44 – Security Audit Universe
- Access Management & Compliance
- Distributed Security
- Mainframe Security
- Identity Management
- Security Governance
- Security Monitoring
- Database Security
- Application Security
- Software Management
- Intrusion Detection
- Incident Response
- Virus Prevention
- Remote Access Security
- Physical Security
- Network & Perimeter Security
Slide 45 – Map Audit Universe To COBIT (Illustration Only)
[Matrix: audit universe areas against COBIT High Level Objectives (i.e. PO2); applicable objectives noted with 'X']
Slide 46 – Audit Approach Overview
1. COBIT Manuals & Other Best Practice Material
2. COBIT To Audit Mapping Template
3. Engagement Memo
4. Kick-Off Meeting
5. COBIT Control Assessment Questionnaire – Client Work Sessions
6. Audit Planning Session – Audit Team – Audit Testing Work Program
7. Exit Meeting
8. Reporting
9. QAR
Slide 47 – Map Audit Plan To COBIT
[Matrix]
- High Level Objective (i.e. PO2): applicable objectives noted in this column
- Detailed Level Objective (i.e. 2.1): risk category noted in this column
Using COBIT Framework To Tie It All Together… (Illustration Only)

COBIT Control Assessment Questionnaire → Work Program → Engagement Memo → Audit Report

Use of a Framework ensures consistent coverage across audits and allows for trending the “state of controls” over time.
COBIT Control Assessment Questionnaire

Questionnaire is used during joint work sessions held with clients to complete a joint risk assessment of the area under review.
• One Table For Each High-Level COBIT Objective Included In Scope
• XYZ Company Specific Control Objectives
• One COBIT Control Objective Per Row
• Preplanned Assessment Questions
• Client’s Response & Assessment Results
• COBIT Maturity Rating (0-5) assigned based on Joint Assessment
• Overall Maturity Rating for each High-Level Control Objective assigned based on results of joint assessments of each Detailed Control Objective.
COBIT Based Audit Report

• Overall Rating
• Client’s Target Goal
• Audit Metrics
• Overall Conclusion Statements Supporting Overall Rating
• QAR
• Concise Background & Scope
• Responsible Manager
• Client Provided Responses
• Control Weakness highlighting business impact
• Due Date
• Issue Priority (A, B, C)
COBIT Based Audit Report

• Strategic Focal Point Table (one row for each high-level objective included in scope)
• Detailed Control Objectives Included In Scope Listed
• Summary Conclusions and Points Supporting Rating
• Overall Rating For High-Level Control Objective
• Highlighting Key Performance Indicators (i.e., Metrics)
• Control Focal Point Table (highlighting key controls)
• Applicable Detailed Control Objective (one per row, corresponds to a row in the Assessment Questionnaire)
• Assigned Maturity Rating
COBIT Based Audit Report (Illustration Only)

• Process Workflow Diagram For Area Assessed
• Table Defining Key Control Points In Process Flow
• Highlighting Key Performance Indicators (i.e., Metrics)
• Automated or Manual Control
COBIT To Audit Mapping Repository (Illustration Only)

Questionnaire → Audit Report → Quarterly Report Of Audit Results (QAR)
Quarterly Audit Report

[Charts – Audit Results Metrics / IAD Focal Point Methodology Scorecard: Overall Audit Results, Infrastructure Audits (refer to slide 6) and Security Audits (refer to slide 7) by quarter (Q1–Q4 2002, YTD, Prior Year); “No Reports Issued” and “Data Not Available For 2001” where applicable. Legend: 5 – Optimized; 4 – Managed; 3 – Defined; 2 – Repeatable; 1 – Initial; 0 – Non-Existent. Date Printed: 03/24/2003, Charles Schwab & Co., Inc.]

Analysis of Key Technology Metrics – Example of Metric Analysis To Include In QAR (Illustration Only; slide reused from the 2003 North America CACS Conference, May 20, 2003)

[Chart – change management outcomes for Q1, Q2, Q3 2002 and YTD: Successful (Target Rate 97%), Failed & Backed Out, Caused Problem, Caused Outage, Cancelled, Unstatused. Source: Technology Management Balanced Scorecard]

Internal Audit Observations:
• Change management processes appear to be consistently applied with only minor variances in volume.
• Although target rates have not been achieved, change management processes are successful on average 75% of the time. Less than 1% of appropriately recorded changes resulted in problems or outages…
• Large percentage (~20%) of “unstatused” tickets indicates process adherence issues. True results cannot accurately be determined; therefore, additional management scrutiny is appropriate for the “unstatused” items.
• Trend for tickets with implementation problems is increasing – additional analysis to ascertain root cause of the increase in this activity would be appropriate. Root cause may rest with testing and validation processes.
Benefits Realized…

• IT management partners with Internal Audit throughout the audit life cycle, including input into the audit schedule and scope.
• Relationships transformed into partnerships by jointly assessing control procedures.
• IT management becomes conversant in risk, control, and audit concepts.
• Audit approach is methodical and is consistent with IT Governance practices implemented throughout the company’s technology organization.
• Meaningful reporting for senior IT management.
• Audit Report streamlined… concise report supported by detailed questionnaire (i.e., Risk Self Assessment – RSA).
• Facilitated efforts to implement processes necessary for Sarbanes-Oxley compliance.
Additional Audit Resources

• Templates (http://www.sfisaca.org/resources/downloads.htm)
• COBIT Case Study (http://www.itgi.org/casestudy4.htm) (http://www.isaca.org/ctcase27.htm)
COBIT As A Risk Management Framework For Information Security

Case Study: Information Security – Access Compliance
Drivers of Information Security Requirements

Business Drivers:
• Shorter business cycles
• Need to involve/connect/tie in with more partners
• Network centric business models
• Leverage VPN, remote access, new tools

Technology Drivers:
• Open, modular, scalable
• Increased dependency on IT
• Security a commodity
• Internet, UNIX, TCP/IP
• More hackers, more tools

Regulatory Requirements

Leverage Opportunities: E-cash, e-commerce, e-tc.

Manage Risk

Key To Success! Management “Buy In”:
• Awareness (value of IT governance framework)
• Perceived / Understood Risk
• Cost / Benefit
• Benchmarks
• Clarity of Purpose
Senior Management Awareness – Tone From Top

Questions From Senior Management / Board:
• What does security cost?
• Have we completed a risk assessment in order to define where the enterprise is most vulnerable (i.e., where do we most appropriately focus our security resources)?
• How do we measure our “state” of security?
• How do we ensure that customer data (NPI) and sensitive financial information is appropriately safeguarded and only accessible by users with a business “need to know or use” the data?
• Do we know for certain how many people are accessing the organization’s systems? Are we monitoring the access – are resource owners appropriately engaged?
• What are the most critical information assets of the enterprise (do we have an inventory)? Has data been classified and secured based on relative risk? Do we maintain an inventory of all system devices that the company owns / leases? Would management know if some went missing?
• Would people recognize a security incident when they saw one? Would they ignore it? Would they know what to do about it?
• Has the organization ever had its security “validated” by a third party?
Cost of Information Security

Cost of Security / Control VERSUS IT Budget (= Drivers):
• Non-Compliance – “Cowboy” Operation: 5-10%
• Minimum Requirements – Baseline Operation: 20-25%
• Industry Leader – Benchmarking: 45-50%
• Leadership – Best Practices: 55%
Monitoring Emerging Risk Indicators: Is Risk Well Managed?

Risk management is concerned (in part) with processes designed and sustained by management to reduce the risk of material error…
• Frequent measurement of results is prerequisite for a sustained and controlled environment.
• Standardization and design are prerequisite for repeatability.

Risk Drivers – Lessons Learned From COBIT?

Risk decreases when processes are:
• Mature – sustainable and measurable
• Repeatable and predictable
• Systematic / automated
• Monitored
• Standardized (designed / defined)
• Documented and communicated

Risk increases when processes are:
• Inconsistent
• Ad-hoc (not standardized)
• Not monitored
• Relying upon the knowledge of individuals (i.e., lack of documentation)

…In line with COBIT’s Management Guidelines, access management should include formal steps for proactively evaluating compliance via monitoring activities and meaningful performance indicators (i.e., metrics)…
Monitoring Emerging Risk Indicators: Ongoing Measurement / Ongoing Dialogue

Monitor key performance indicators (i.e., metrics) on an ongoing basis…

[Diagram] Traditional Risk Assessment Approach (prioritization based on annual risk assessment of function): Assess 1 / Report at t1, Assess 2 / Report at t2, Expectation versus Reality of the Control Environment over Time. Ongoing Monitoring Of Risk Indicators (gaining efficiencies through focus on high risk indicators): Ongoing Measurement with Report at t1 and t2, Expectation versus Reality of the Control Environment over Time.

Challenges Of “Point-In-Time” Assessment:
• Evaluation of risk and control is as of a point in time.
• Management reporting is reflective of results as of a point in time.
• If a risk assessment on the function has not been completed for a long time, there may be a learning curve.
• Priorities may be influenced by prior results (i.e., focus on past areas of weakness). Good or Bad??

Benefits of Ongoing Monitoring:
• Quarterly readout of assessment results for technology management.
• Ongoing dialogue regarding areas of significant or increasing risk.
• Priorities more closely associated with known risk factors, ultimately leading to more controlled risk mitigation and potential process improvements / efficiency gains.
Monitoring Emerging Risk Indicators: Overall Objective & Goal

…Goal is to proactively monitor metrics on an ongoing basis to focus risk remediation efforts on high-risk processes and tasks where performance indicators indicate potential problems. The analysis indicates priorities for remediation efforts and any required changes to existing processes. Results of metric analysis are presented to senior management on a quarterly basis.
Information Security: Security Metrics Development Process

[Process flow diagram]
Information Security: Security Metrics Implementation Process

[Process flow diagram]
Information Security: Measuring Performance (illustration only)

[Radar chart – Security Management Process, six dimensions rated 0-5 (Very poor, Poor, Fair, Good, Very good, Excellent); bar chart of scores for 1996 through 2001]

Dimensions:
1. Policies & Procedures
2. Security Management
3. Behavior & Culture
4. Application Security
5. System Access Control
6. Network Segregation

Legend for ranking used:
• 5 – Excellent: Best possible, highly integrated
• 4 – Very good: Advanced level of practice
• 3 – Good: Moderately good level of practice
• 2 – Fair: Some effort made to address issues
• 1 – Poor: Recognise the issues
• 0 – Very poor: Complete lack of good practice

Legend for symbols used:
• Average of best security performers in the financial industry (begin ’96)
• Company status – Feb ’97
• Company objective for 2001
Information Security: Measuring Performance (illustration only)

The Security Officer consistently performs both internal and external vulnerability scans on a monthly basis. The majority of vulnerabilities identified are low risk…

[Charts – External Vulnerability Scans and Internal Vulnerability Scans for Q1 2002, Q2 2002 and YTD, broken out into Low Risk, Medium Risk and High Risk Vulnerabilities; callouts A and B]

Observations: Slight increase in high risk vulnerabilities.
• A – An increase in internal vulnerabilities occurred from Q1 to Q2. The increase is explained by new system patches checked for by the vulnerability scanner that have not been applied to the XYZ company servers. Technology management appropriately applies patches only after the patches have been tested and certified.
• B – A decrease in external vulnerabilities was noted from Q1 to Q2. These results demonstrate that a significant number of Q1 vulnerabilities have been resolved.
Information Security: Key Indicators – Access Compliance

• Access Administration Workflow (adds, deletions, changes, special requests)
• Access Administration Service Level Attainment (measured against target / goal)
• Percentage of ID requests submitted with appropriate approvals
• Inactive ID Remediation (percentage decline over time)
• Privileged Access Oversight (percentage of total IDs)
• Shared / Generic ID Oversight (percentage of total IDs)
• Percentage of current access administration policies / standards
• Percentage of current access administration guidelines
• Percentage of current access administration procedures
• Number of access related incidents reported
• Average time elapsed between incident discovery and implementation of corrective action
• Percentage of IDs for which supervisory review has been completed in the past quarter to validate that access remains appropriate for the user’s job function
• Percentage of systems for which access security parameters have been tested and evaluated in the past year & percentage of non-compliant systems
• Percentage of system resources without a defined / accountable resource owner assigned
• Percentage of systems that maintain logs (audit trail) to trace user activity
• Percentage / Number of access violations to critical system resources
• Percentage of passwords not in compliance with policy (password quality)
Tools To Facilitate Your Risk Management Efforts
COBIT Security Baseline
COBIT Security Baseline (continued)

Focusing attention on security-related objectives from the entire COBIT framework…
COBIT Security Baseline (continued)
IT Control Practice Statement – COBIT DS5 Ensure System Security

IT control practices expand the capabilities of COBIT by providing the practitioner with an additional level of detail. The current COBIT IT processes, business requirements and detailed control objectives define what needs to be done to implement an effective control structure. The IT control practices provide the more detailed how and why needed by management, service providers, end users and control professionals to implement highly specific controls based on an analysis of operational and IT risks.
IT Control Practice Statement – COBIT DS5 Ensure System Security (EXAMPLE)

DS 5.4 User Account Management

Why do it? The enforcement of adequate user account management in line with the control practices will help ensure:
• Proper administration of the lifecycle of user accounts
• Communication to and acknowledgment by users of the rules with which they need to comply

Control Practices:
• DS 5.4.01 Procedures are in place to ensure timely actions in relation to requesting, establishing, issuing, suspending and closing user accounts. All actions require formal approval.
• DS 5.4.02 When employees are given their account, they are provided with initial or refresher training and awareness on computer security issues. Users are asked to review a set of rules and regulations for system access.
• DS 5.4.03 Users use quality passwords as determined by the organization's password guidelines. Quality aspects of passwords include: enforcement of initial password change on first use, appropriate minimum password length, appropriate and enforced frequency of password changes, password checking against a list of not-allowed values (e.g. dictionary checking) and adequate protection of emergency passwords.
• DS 5.4.04 Third-party users are not provided with user codes or passwords unless they have signed a nondisclosure agreement. Third-party users are provided with the organization's security policy and related documents and must sign off that they understand their obligations.
• DS 5.4.05 All contracts for outsourcing or contracting address the need for the provider to comply with all security related policies, standards and procedures.
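The Access Compliance key indicators (percentage of total IDs) and the DS 5.4.03 password quality aspects, as an added example that is not part of the presentation or of COBIT: a small scorecard computed from a constructed set of account records. The policy thresholds, field names, not-allowed word list and sample accounts are assumptions; the slides name the indicators and quality aspects but give no values.

```python
# Added example (not from the presentation): Access Compliance indicators from
# constructed account records, plus a DS 5.4.03-style password quality check.
# Thresholds and field names are assumptions.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

MIN_PASSWORD_LENGTH = 8        # assumed policy minimum length
MAX_PASSWORD_AGE_DAYS = 90     # assumed enforced change frequency
INACTIVE_AFTER_DAYS = 60       # assumed definition of an inactive ID
NOT_ALLOWED = {"password", "welcome", "changeme", "xyzcompany"}  # assumed not-allowed list

@dataclass
class Account:
    user_id: str
    last_login: Optional[date]   # None = ID never used
    privileged: bool
    shared: bool                 # shared / generic ID
    password_len: int            # only the length is kept, never the password
    password_set: date
    first_use_changed: bool      # initial password changed on first use
    in_not_allowed_list: bool    # outcome of the dictionary check at set time
    reviewed_on: Optional[date]  # last supervisory review of the ID's access
    approval_on_file: bool       # request carried the required approval

def new_password_acceptable(candidate: str) -> bool:
    """Checks applied when a password is set: minimum length and not-allowed list."""
    return (len(candidate) >= MIN_PASSWORD_LENGTH
            and candidate.lower() not in NOT_ALLOWED)

def password_compliant(a: Account, today: date) -> bool:
    """DS 5.4.03 aspects: first-use change, length, change frequency, not-allowed values."""
    return (a.first_use_changed
            and a.password_len >= MIN_PASSWORD_LENGTH
            and (today - a.password_set).days <= MAX_PASSWORD_AGE_DAYS
            and not a.in_not_allowed_list)

def pct(n: int, d: int) -> float:
    return round(100.0 * n / d, 1) if d else 0.0

def access_compliance_indicators(accounts: List[Account], today: date) -> dict:
    """Indicators expressed as a percentage of total IDs, as on the slide."""
    total = len(accounts)
    quarter_ago = today - timedelta(days=91)
    inactive = [a for a in accounts
                if a.last_login is None or (today - a.last_login).days > INACTIVE_AFTER_DAYS]
    reviewed = [a for a in accounts if a.reviewed_on and a.reviewed_on >= quarter_ago]
    return {
        "inactive_ids_pct": pct(len(inactive), total),
        "privileged_ids_pct": pct(sum(a.privileged for a in accounts), total),
        "shared_generic_ids_pct": pct(sum(a.shared for a in accounts), total),
        "requests_with_approval_pct": pct(sum(a.approval_on_file for a in accounts), total),
        "reviewed_last_quarter_pct": pct(len(reviewed), total),
        "passwords_noncompliant_pct": pct(sum(not password_compliant(a, today) for a in accounts), total),
    }

AS_OF = date(2004, 10, 5)
# Constructed sample records (not real data): one shared service ID, two privileged IDs.
SAMPLE = [
    Account("u1001", date(2004, 10, 1), False, False, 10, date(2004, 8, 15), True, False, date(2004, 9, 20), True),
    Account("u1002", date(2004, 6, 30), True, False, 12, date(2004, 6, 1), True, False, date(2004, 3, 31), True),
    Account("svc_backup", date(2004, 10, 4), True, True, 6, date(2004, 9, 1), True, False, None, False),
    Account("u1003", None, False, False, 9, date(2004, 9, 28), False, False, date(2004, 9, 28), True),
    Account("u1004", date(2004, 10, 5), False, False, 8, date(2004, 7, 20), True, True, date(2004, 7, 10), True),
]
```

Calling access_compliance_indicators(SAMPLE, AS_OF) gives the per-indicator percentages that would feed the scorecard; the four non-compliant sample passwords each fail a different DS 5.4.03 aspect (age, length, no first-use change, not-allowed value).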
Additional Resources & Questions

Templates & Resources (http://www.sfisaca.org/resources/downloads.htm):
• COBIT Security Baseline
• IT Control Practice Statement – COBIT DS5 Ensure System Security
• Questionnaire for IT Control Practice Statement DS5
• Security Self-Assessment Guide for Information Technology Systems (National Institute of Standards & Technology)
• Security Metrics Guide for Information Technology Systems (National Institute of Standards & Technology)
• Access Compliance Scorecard – Template
• ISO 17799 (http://www.iso-17799.com/)
• FFIEC Information Security Examination Handbook (http://www.ffiec.gov/ffiecinfobase/html_pages/it_01.html)
Questions? Thank You!