1 / 29

Control Objectives for Information and Related Technologies (COBIT)

Control Objectives for Information and Related Technologies (COBIT). MBAD 7090. Objectives. History Overview Maturity Model An Example: Manage Third-Party Services Auditing IT Controls Benefits and Current Adoption. Background. ISACA published the first edition of COBIT in 1996

bryce
Télécharger la présentation

Control Objectives for Information and Related Technologies (COBIT)

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Control Objectives for Information and Related Technologies (COBIT) MBAD 7090 IS Security, Audit, and Control (Dr. Zhao)

  2. Objectives History Overview Maturity Model An Example: Manage Third-Party Services Auditing IT Controls Benefits and Current Adoption IS Security, Audit, and Control (Dr. Zhao)

  3. Background • ISACA published the first edition of COBIT in 1996 • A set of control objectives for business applications • ISACA • More than 75,000 members world wide • Over 60,000 CISA and 7,000 CISM • Second version was published in 1998 • The implementation tool set and high level and detailed control objectives • Released the third version in 2000 • Management guidelines • Prime publisher: Information Technology Governance Institute • Newest version: 4.1 IS Security, Audit, and Control (Dr. Zhao)

  4. Development • Industry-wide voluntary contributions: • ISACA members, COBIT users, expert advisors. • Academic research projects • E.g., UAMS Belgium, the University of Hawaii • An incremental update process IS Security, Audit, and Control (Dr. Zhao)

  5. Audiences • BOD wants to ensure that Mgmt implements IT aligned to Business • Mgmt wants to ensure that investments are properly made, risks reduced, capacity for expansion, etc. • Users wants assurance on security and quality of products and services • Auditors needs to ensure the effectiveness of control mechanisms • Board • Management • Users • Auditors IS Security, Audit, and Control (Dr. Zhao)

  6. IT Governance • Strategic Alignment • Business objectives, competitive environment, current and future technologies • Value Delivery • Appropriate quality • On-time and within-budget delivery • Risk Management • Varieties • Determine the enterprise’s appetite for risk • Performance Measurement • Financial means • Intangible assets: customer focus, process efficiency, ability to learn and grow • Resource Management • Data, application, technology, facilities, and people IS Security, Audit, and Control (Dr. Zhao)

  7. Direction and Resourcing Requirements Goals Control Objectives Responsibilities Governance Business IT Information executives and board need to exercise their responsibilities Information the business needs to achieve its objectives IT Governance and COBIT IT Governance IS Security, Audit, and Control (Dr. Zhao)

  8. Framework • Resources • Data • Application systems • Technologies • Facilities • People • Processes • 4 Major Domains • Plan & Organize • Acquisition & Implementation • Delivery & Support • Monitoring • Business Requirements • -Effectiveness • -Efficiency • -Confidentiality • -Integrity • Availability • Compliance • Reliability IS Security, Audit, and Control (Dr. Zhao)

  9. Natural grouping of processes, often matching an organisational domain of responsibility (4) Domains A series of joined activities with natural control breaks (34) Processes Process Orientation Actions needed to achieve a measurable result—activities have a life cycle, whereas tasks are discrete Activities or Tasks IS Security, Audit, and Control (Dr. Zhao)

  10. Domain 1: Plan and Organize (PO) • Emphasis on vision, strategy, tactics, organization, and infrastructure • Processes (11): • PO1: Define strategic IT plan • PO2: Define IT architecture • PO3: Determine technology direction • PO4: Define IT organization and relationships • PO5: Management Investment in IT • Etc. IS Security, Audit, and Control (Dr. Zhao)

  11. Domain 2: Acquire & Implement (AI) • Emphasis on solutions, changes, and maintenance • Processes (6) • AI1: Identify automated solutions • AI2: Acquire and maintain application software • AI3: Acquire and maintain technology infrastructure • AI4: Develop and maintain IT procedures • AI5: Install and accredit systems • AI6: Manage changes IS Security, Audit, and Control (Dr. Zhao)

  12. Domain 3: Deliver & Support (DS1) • Emphasis on delivery of required services, set up of support processes and processing by application systems • Processes (13) • DS1: Define and manage service levels • DS2: Manage third party services • DS3: Manage performance & capacity • DS4: Ensure continuous services • DS5: Ensure system security • Etc. IS Security, Audit, and Control (Dr. Zhao)

  13. Domain 4: Monitoring (M) • Emphasis on assessment over time, delivering assurance, management review of control systems, performance measurement. • Processes (4) • M1: Monitor the process • M2: Assess internal control adequacy • M3: Obtain independent assurance • M4: Provide for independent audit IS Security, Audit, and Control (Dr. Zhao)

  14. Support Framework • Management guidelines: • Input and output processes • RACI Chart • Control objectives and practices (how) • Performance Metrics • Lag indicator: key goal indicators (KGI) • Lead indicator: key performance indicator (KPI) • Maturity Model IS Security, Audit, and Control (Dr. Zhao)

  15. Maturity Model • Purpose: • The actual performance of the enterprise – where the enterprise is today. • The current status of the industry – the comparison • The enterprise’s target for improvement – where the enterprise wants to be. • Five stages: • 0 – Non existent – Management processes are not applied at all, • 1 – Initial processes are ad hoc and disorganized, • 2 – Repeatable – processes follow a regular pattern • 3 –Defined Processes are documented and communicated, • 4 – Managed processes are monitored and measured, • 5- Optimized - Good practices are followed and automated. IS Security, Audit, and Control (Dr. Zhao)

  16. An Example: DS2 Manage Third-Party Services Case Study of IT Outsourcing Risks—Loss of Important Information Dr. Larry Ponemon reports on a case study of a US-based corporation that outsourced major IT operational functions to the Ukraine. This location was chosen because: • The workforce was well educated and the vendor had the necessary call center setup skills. • The cost of operations was very favorable and included significant tax incentives provided by the government. • The outsourcing industry in the Ukraine was booming. Unfortunately, after a relatively short period the company experienced many problems with billing, identity theft and fraud on customer bank accounts. According to Ponemon, a forensic expert found that the source of the information leak was in the Ukraine and undertaken by a new IT employee. Ponemon notes that: While the IT employee did not have a criminal history, her husband was a convicted mobster on a US cybercrime watch list. She claimed that her company did not explain security and privacy requirements to employees. She believed that the downloading and sharing of information would not harm anyone. Source: CIO magazine, April 2004 IS Security, Audit, and Control (Dr. Zhao)

  17. DS2: Management Guidelines IS Security, Audit, and Control (Dr. Zhao)

  18. DS2: Goals and Metrics IS Security, Audit, and Control (Dr. Zhao)

  19. Selected Control Practices • DS2.1 Identification of All Supplier Relationships • Define and regularly review criteria to identify and categorize all supplier relationships according to supplier type, significance and criticality of service. • Ds2.2 Supplier Relationship Management • Assign relationship owners for all suppliers and make them accountable for the quality of services provided IS Security, Audit, and Control (Dr. Zhao)

  20. DS2 Maturity Model 0 Non-existent when Responsibilities and accountabilities are not defined. There are no formal policies and procedures regarding contracting with third parties. Third-party services are neither approved nor reviewed by management. There are no measurement activities and no reporting by third parties. In the absence of a contractual obligation for reporting, senior management is not aware of the quality of the service delivered. 1 Initial/AdHoc when Management is aware of the need to have documented policies and procedures for third-party management, including signed contracts. There are no standard terms of agreement with service providers. Measurement of the services provided is informal and reactive. Practices are dependent on the experience (e.g., on demand) of the individual and the supplier. 2 Repeatable but Intuitive when The process for overseeing third-party service providers, associated risks and the delivery of services is informal. A signed, pro forma contract is used with standard vendor terms and conditions (e.g., the description of services to be provided). Reports on the services provided are available, but do not support business objectives. IS Security, Audit, and Control (Dr. Zhao)

  21. DS2 Maturity Model 3 Defined when Well-documented procedures are in place to govern third-party services, with clear processes for vetting and negotiating with vendors. When an agreement for the provision of services is made, the relationship with the third party is purely a contractual one. The nature of the services to be provided is detailed in the contract and includes legal, operational and control requirements. The responsibility for oversight of third-party services is assigned. Contractual terms are based on standardized templates. The business risk associated with the third-party services is assessed and reported. 4 Managed and Measurable when Formal and standardized criteria are established for defining the terms of engagement, including scope of work, services/deliverables to be provided, assumptions, schedule, costs, billing arrangements and responsibilities. Responsibilities for contract and vendor management are assigned. Vendor qualifications, risks and capabilities are verified on a continual basis. Service requirements are defined and linked to business objectives. A process exists to review service performance against contractual terms, providing input to assess current and future third-party services. Transfer pricing models are used in the procurement process. All parties involved are aware of service, cost and milestone expectations. Agreed-upon goals and metrics for the oversight of service providers exist. 5 Optimized when Contracts signed with third parties are reviewed periodically at predefined intervals. The responsibility for managing suppliers and the quality of the services provided is assigned. Evidence of contract compliance to operational, legal and control provisions is monitored, and corrective action is enforced. The third party is subject to independent periodic review, and feedback on performance is provided and used to improve service delivery. Measurements vary in response to changing business conditions. Measures support early detection of potential problems with third-party services. Comprehensive, defined reporting of service level achievement is linked to the third-party compensation. Management adjusts the process of third-party service acquisition and monitoring based on the measurers. IS Security, Audit, and Control (Dr. Zhao)

  22. Audit IT Controls 1. Plan and scope IT controls • Assign accountability and responsibility • Inventory relevant applications and related subsystems • Develop a preliminary and obtain approval • Consider multilocation issues • Identify dependencies on third-party service organizations IS Security, Audit, and Control (Dr. Zhao)

  23. Audit IT Controls 2. Assess IT risks • Risks depend on • Nature of technology • Nature of people • Nature of processes • Past experience • Significance to the financial reports • Refine scope and update the plan IS Security, Audit, and Control (Dr. Zhao)

  24. Audit IT Controls 3. Document controls Policy manuals Procedures, narratives, flowcharts, decision tables Questionnaire IS Security, Audit, and Control (Dr. Zhao)

  25. Audit IT Controls 4. Evaluate control design and operating effectiveness • Approaches • Review the design • Perform a walk-through • Test the effectiveness of a control • Evidence • Inquiry • Inspection of documentation • Observation • Reperformance • Roll-forward testing IS Security, Audit, and Control (Dr. Zhao)

  26. Audit IT Controls 5. Prioritize and remediate deficiencies • Identify and assess IT general control deficiencies • Consider the aggregate effect of deficiencies • Remediate control deficiencies • Significant money and effort IS Security, Audit, and Control (Dr. Zhao)

  27. Audit IT Controls 6. Build Sustainability Convert the IT control project into a process Rationalize controls Perform application benchmarking IS Security, Audit, and Control (Dr. Zhao)

  28. COBIT Adoption and Benefits • From 2006 PWC survey • Awareness in the general population of the existence of COBIT has increased by 50 percent since 2003, from 18 percent to 27 percent. • COBIT is being used by about 10 percent of the IT population. • 18 percent have simultaneously implemented ITIL, ISO and COBIT • Benefits IS Security, Audit, and Control (Dr. Zhao)

  29. Group Assignment • Please compare COBIT to one of the other three control frameworks (COSO, ITIL, ISO17799) • Each group pick one control framework (randomly picked in the class) • Deliverable • A group presentation (15-20 minutes) • Content • Brief introduction of the other control framework • Comparison with COBIT: similarities and differences • Suggestions to the managers • Due: September 29 @5:00pm • Please submit an electronic version of the presentation to kzhao2@uncc.edu IS Security, Audit, and Control (Dr. Zhao)

More Related