• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
CobiT, ITIL and ISO17799: How to use them in conjunction
    Presentation Transcript

    • CobiT, ITIL and ISO17799: How to use them in conjunction. Angeli Hoekstra & Nicolette Conradie, PwC
    • Content
      – Overview ISO 17799 (Nicolette)
      – Overview CobiT
      – Overview ITIL
      – How to use them in conjunction
      – Conclusion
      (Slide footer, repeated on every slide of the deck: CobiT, ITIL and ISO17799, Global Risk Management Solutions, PwC, July 2002)
    • Overview ISO 17799 (Nicolette)
    • ISO 17799 Overview
      – BS 7799: provides guidelines and recommendations for security management. Part 1: Standard; Part 2: Certification.
      – ISO 17799: Part 1 accepted as International Standard; Part 2 to be accepted end of 2002.
      – (Timeline graphic on the slide: BS7799, ISO 17799, SABS 17799, with the years 2000 and 2001.)
    • ISO 17799 Modules (diagram of the ten modules grouped around "Organisational Risks"): Security Policy; Security Organisation; Asset Classification and Control; Personnel Security; Physical and Environmental Security; Comm / Ops Management; Access Control; System Development and Maintenance; Business Continuity Planning; Compliance.
    • ISO 17799 Controls
      – Security Policy: documented & communicated IS policy; regularly reviewed.
      – Security Organisation: allocation of roles & responsibilities; 3rd-party access risks/controls; outsourcing.
      – Asset Classification and Control: inventory of assets; classification based on sensitivity/business impact.
    • ISO 17799 Controls
      – Personnel Security: recruitment screening; awareness & training; reporting of incidents.
      – Physical and Environmental Security: physical security perimeters; equipment siting; clear desk & clear screen.
      – Comm / Ops Management: incident procedures; segregation of duties; system planning & acceptance; malicious software protection; e-mail controls.
    • ISO 17799 Controls
      – Access Control: managing access at application level, operating level and network level.
      – System Development and Maintenance: change control procedures; segregation of environments; security requirements.
      – Business Continuity Planning: business continuity plans; BCP framework and team roles & responsibilities; testing continuity plans; maintaining and updating continuity plans.
    • ISO 17799 Controls
      – Compliance: copyright controls; retention of records and information; compliance with legislation (data protection); compliance with company policy.
    • Overview CobiT
    • CobiT Product Family (diagram): Executive Summary; Framework with High-Level Control Objectives; Implementation Tool Set; Management Guidelines (Key Performance and Goal Indicators, Maturity Model, Critical Success Factors); Detailed Control Objectives; Audit Guidelines.
    • CobiT Principles (the CobiT cube; the labels "What you need" and "What you get" appear on the diagram)
      – Business requirements (information criteria): effectiveness, efficiency, confidentiality, integrity, availability, compliance, reliability.
      – IT resources: data, applications, technology, facilities, people.
      – IT process domains: Planning & Organisation; Acquisition & Implementation; Delivery & Support; Monitoring.
    • CobiT Domains: Acquisition & Implementation processes
      – AI 1: Identify automated solutions
      – AI 2: Acquire and maintain application software
      – AI 3: Acquire and maintain technology infrastructure
      – AI 4: Develop and maintain procedures
      – AI 5: Install and accredit systems
      – AI 6: Manage Changes
      Per process: control objectives; KPIs (measure of performance); CSFs (what do you need to do); KGIs (measure of outcome); maturity model.
      AI 6 Manage Changes, control objectives: 6.1 Change request initiation and control; 6.2 Impact assessment; 6.3 Control of changes; 6.4 Emergency changes; 6.5 Documentation and procedures; 6.6 Authorised maintenance; 6.7 Software release policy; 6.8 Distribution of software.
    • CobiT Key Goal Indicators: Manage Change
      – Reduced number of errors introduced into systems due to changes
      – Reduced number of disruptions (loss of availability) caused by poorly managed change
      – Reduced impact of disruptions caused by change
      – Reduced level of resources and time required as a ratio to number of changes
      – Number of emergency fixes per unit of time
      – ...
      Key Performance Indicators: Manage Change
      – Number of different versions installed at the same time
      – Number of software release and distribution methods per platform
      – Number of deviations from the standard configuration
      – Number of emergency fixes for which the normal change management process was not applied retro-actively
      – Time lag between availability of a fix and its implementation
      – Ratio of accepted vs refused change implementation requests
      Critical Success Factors: Manage Change
      – Expedient and comprehensive acceptance test procedures are applied prior to making the change
      – There is a reliable hardware and software inventory
      – There is segregation of duties between production and development
      – ...
    • Overview ITIL
    • The ITIL jigsaw (diagram of the ITIL publication set; the captions below are the fragments recoverable from the slide and are not mapped to individual pieces)
      – Pieces named: Network Service Management; Business Continuity Management; Operations Management; Management of Local Processors; Computer Installation and Acceptance; Systems Management.
      – Captions: "what service the business requires of the provider"; "ensuring that the customer has access to the appropriate services to support the business functions"; "in order to provide adequate support to the business users"; "understanding and improving IT service provision, as an integral part of an overall business requirement for high quality IS management"; "partnerships and outsourcing"; "surviving change"; "transformation of business practice through radical change".
    • ITIL service support & service delivery processes
      – Service support: service desk; incident management; problem management; configuration management; change management; release management.
      – Service delivery: capacity management; availability management; financial management of IT services; service level management; IT service continuity management.
    • How can they be used in conjunction?
    • What do we want to achieve with IT? (diagram with Stakeholder Value at the centre; each goal is plotted against time)
      – Aligned IT: business support
      – Controlled IT risks: secure
      – Better service quality
      – Cheaper delivery: cost
      – Faster service: time
    • How we can achieve these IT goals (diagram of six elements)
      – Structure & Roles: the assignment of responsibility for performing specified activities to specific groups or individuals.
      – People: the people that support IT service management.
      – Metrics: the assignment of effective and efficient measurements to people, processes, technology and controls to ensure they comply with what they are intended for.
      – Controls: the assignment of controls to IT processes to ensure that they deliver efficiently and effectively in line with clients' requirements.
      – Processes: the interrelated series of activities that combine to produce products or services for internal & external clients.
      – Technology: the technology that is supporting the IT delivery.
    • How we can achieve these IT goals (the same diagram with the methods placed on the elements; the label positions are read approximately from the flattened slide)
      – Structure & Roles: ITIL; BS 7799 - limited; "?"
      – People: "?"
      – Metrics: CobiT v3
      – Controls: CobiT; ISO 17799
      – Processes: ITIL; CobiT - limited; ISO 17799 - limited
      – Technology: ITIL - limited
    • How we can achieve these IT goals: where are the methods strong?
      – ITIL: strong in IT processes, but limited in security and system development
      – CobiT: strong in IT controls and IT metrics, but does not say how (i.e. process flows) and not that strong in security
      – ISO 17799: strong in security controls, but does not say how (i.e. process flows)
      – Conclusion: no contradictions or real overlaps; none identify people requirements; not strong on the organisational side (structure & roles); not strong on the technology side
    • How can we achieve these IT goals: continuous IT improvement (cycle diagram)
      – Where do we want to be? Vision & objectives: BS15000, ISO 17799, CobiT compliant, etc.
      – Where are we now? Assessments: How well does IT support business? Alignment assessment. How controlled is IT? CobiT compliance check. How secure is IT? ISO 17799 Health Check. How cost effective is IT? Benchmarking. What does the user think of IT? Surveys.
      – How do we get there? IT design: ITIL, ISO 17799, CobiT.
      – How do we know we have arrived? Metrics: CobiT v3 management guidelines.
    • CobiT compliance check (matrix of CobiT processes against the seven information criteria; the transcript preserves each row's risk rating and its cell codes in order, but not which criterion column each code sits in)
      Columns: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability. The header also carries "Risk Evaluation" and "Control". Materiality weights per column: 4, 4, 4, 1.5, 1.5, 1.5, 1.5.
      Planning and organisation
      – PO 1 Define a strategic IT plan: 2; C H
      – PO 2 Define the information architecture: 1; E C C O
      – PO 3 Determine the technological direction: 2; C H
      – PO 4 Define organisation and relationships: 2; C H
      – PO 5 Manage the investment: 2; C C O
      – PO 6 Communicate management aims and direction: 1; E O
      – PO 7 Manage human resources: 1; E E
      – PO 8 Ensure compliance with external requirements: 1; E c O
      – PO 9 Assess risk: 1; C C E c c O O
      – PO 10 Manage projects and PO 11 Manage quality: 1 and 1; E E E E c O (the two rows are run together in the transcript)
      Acquisition and implementation
      – AI 1 Identify automated solutions: 1; E C
      – AI 2 Acquire and maintain application software and AI 3 Acquire and maintain technology architecture: 1 and 1; E E E E O O O O (the two rows are run together in the transcript)
      – AI 4 Develop and maintain procedures: 1; E E O O O
      – AI 5 Install and accredit systems: 1; E O O
      – AI 6 Managing changes: 2; C C c c O
      Delivery and support
      – DS 1 Define service levels: 1; E E C O O O O
      – DS 2 Manage third-party services: 1; E E C O O O O
      – DS 3 Manage performance and capacity: 1; E E O
      – DS 4 Ensure continuous service: 2; C H c
      – DS 5 Ensure systems security: 2; C c O O O
      – DS 6 Identify and allocate costs: 1; E c
      – DS 7 Educate and train users: 1; E C
      – DS 8 Assist and advise customers: 1; E
      – DS 9 Manage the configuration: 1; E O O
      – DS 10 Manage problems and incidents: 1; E E O
      – DS 11 Manage data: 2; c
      – DS 12 Manage facilities: 2; c c
      – DS 13 Manage operations: 1; E E O O
      Monitoring
      – M1 Monitor the process: 1; E C C O O O O
      – M2 Assess internal control adequacy: 1; E E C O O O O
      – M3 Obtain independent assurance: 1; E E C O O O O
      – M4 Provide for independent audit: 1; E E C O O O O
      Legend (as printed): E Exposure; H Housekeeping; C Concern; O OK; c concern+.
    • How can we achieve these IT goals: continuous IT improvement. ISO 17799 Health Check (bar chart depicting the level of non-compliance of company XYZ per ISO 17799 module, 1 to 10; y-axis: % non-compliance, 0% to 70%). Values plotted, in the order they appear on the slide: 62.50%, 29.03%, 18.75%, 15.84%, 11.39%, 9.43%, 8.33%, 4.88%, 4.82%, 0.00% (which value belongs to which module is not recoverable from the transcript).
    • Conclusion
      – Use the CobiT and ISO 17799 health checks to determine current status
      – Identify weaknesses in processes and controls
      – Use ITIL to improve IT processes & controls; use ISO 17799 to improve security processes & controls (although not strong on the process side)
      – Use ITIL to determine technology, although not complete
      – Use CobiT to define metrics
      – Query ITIL on possible structures
      (The element diagram from the earlier slide is repeated here with the methods placed on it; label positions are read approximately from the flattened slide: Structure & Roles: ITIL, ISO 17799 - limited, "?"; People: "?"; Metrics: CobiT v3; Controls: CobiT, ISO 17799; Processes: ITIL, CobiT - limited, ISO 17799 - limited; Technology: ITIL - limited.)
    • Contacts: Nicolette Conradie, Nicolette.Conradie@za.pwcglobal.com, 082 891 8648; Angeli Hoekstra, Angeli.Hoekstra@za.pwcglobal.com, 082 783 1371. "Your worlds, our people." ©2002 PricewaterhouseCoopers LLP. PricewaterhouseCoopers refers to the U.S. firm of PricewaterhouseCoopers LLP and other members of the worldwide PricewaterhouseCoopers organization.