Cobit Presentation - ISACA Willamette Valley Chapter
Presentation Transcript

  • ISACA Willamette Valley Chapter Luncheon Thursday, March 20, 2008 Practical Auditors Guide for CobiT Steve Balough, CISA
  • Most of us are familiar with CobiT; however, it is often an overlooked and underutilized tool. Today's talk will provide some helpful approaches for leveraging CobiT in all types of audits. Control Objectives for Information Technology
  • Today we will discuss:
    • I. Overview of the CobiT Framework
    • II. Navigating the on-line tool
      • What is there?
      • What might you need?
    • III. Reference to Risk Assessment (Real World)
    • IV. Testing Guide
    • V. Maturity Assessment
    • VI. Mapping CobiT to other standards
  • I. Overview of the CobiT Framework
  • Why is CobiT Valuable?
    • Framework for comprehensive IT control coverage.
    • Well thought out and researched. *
    • Maintained and kept up to date.
    • Sponsoring organization: IT Governance Institute (ITGI)
    • A means to address “IT governance”
    * COBIT (1996) was produced by a large group of people. Sections were developed over time by project teams, project steering committees, and researchers and expert reviewers.
  • The benefits of implementing COBIT as a governance framework over IT include:
    • Better alignment, based on a business focus
    • A view, understandable to management, of what IT does
    • Clear ownership and responsibilities, based on process orientation
    • General acceptability with third parties and regulators
    • Shared understanding amongst all stakeholders, a common language
    • Fulfillment of the COSO requirements for the IT control environment
  • CIO Magazine, July 2006: “… Cobit isn’t widely used: Less than half of the CIOs in the financial services industry, where Cobit is most popular, are even aware of the guidelines … The reason? Since it was created in 1996, Cobit has expanded to cover so many control objectives and management guidelines that it’s difficult to make sense of them. … Cobit 4.0 (now 4.1): The authors have done away with Cobit’s multiple volumes, integrating the information about all 34 high-level control processes, 239 detailed control objectives and related management guidelines into one volume. … The material is organized by how one approaches projects: First, plan and organize (PO), next, acquire and implement (AI), then deliver and support (DS), and finally, monitor (M) and evaluate. … Cobit 4.0 offers more details on how to measure whether IT processes are delivering what the business needs. …”
  • What does CobiT consist of?
    • Starts from the premise that IT needs to deliver the information that the enterprise needs to achieve its objectives
    • Process focus and ownership
    • Divides IT into 34 processes belonging to four domains and provides a high-level control objective for each
    • Considers fiduciary, quality and security needs of enterprises, providing seven information criteria that can be used to generically define what the business requires from IT
    • Is supported by a set of over 239 detailed control objectives
    • The seven information criteria:
      • Effectiveness
      • Efficiency
      • Availability
      • Integrity
      • Confidentiality
      • Reliability
      • Compliance
    • The four domains:
      • Plan and Organise
      • Acquire and Implement
      • Deliver and Support
      • Monitor and Evaluate
  • Process Orientation
    • Domains: Natural grouping of processes, often matching an organizational domain of responsibility
    • Processes: A series of joined activities with natural control breaks
    • Activities or Tasks: Actions needed to achieve a measurable result. Activities have a life cycle, whereas tasks are discrete.
  • Business Requirements (COSO = Committee of Sponsoring Organizations of the Treadway Commission)
    • Quality Requirements:
      • Quality
      • Delivery
      • Cost
    • Security Requirements:
      • Confidentiality
      • Integrity
      • Availability
    • Fiduciary Requirements (COSO Report):
      • Effectiveness and efficiency of operations
      • Compliance with laws and regulations
      • Reliability of financial reporting
    • Resulting CobiT information criteria:
      • Effectiveness
      • Efficiency
      • Confidentiality
      • Integrity
      • Availability
      • Compliance
      • Reliability of information
  • The COBIT Cube
  • CobiT Hierarchy: 239 (no longer numbered) IT control objectives provide a complete set of high-level requirements to be considered by management for effective control of each IT process.
  • CobiT Domains
    • Plan and Organise (PO): Covers strategy and tactics, and the identification of how IT can best contribute to the achievement of the business objectives. The strategic vision needs to be planned, communicated and managed, and the organisation and infrastructure put in place.
    • Acquire and Implement (AI): IT solutions need to be identified, developed or acquired, implemented, and integrated into the business process. Changes in and maintenance of existing systems are covered to ensure the life cycle is continued for these systems.
    • Deliver and Support (DS): Delivery of required services, which range from traditional operations through security and continuity aspects to training. Includes the processing of data by application systems, often classified under application controls.
    • Monitor and Evaluate: IT processes need to be regularly assessed over time for their quality and compliance with control requirements. Addresses management’s oversight of the organization's control process and independent assurance provided by internal and external audit or alternative sources.
    • The 34 IT processes by domain:
      • PO1 Define a strategic IT plan
      • PO2 Define the information architecture
      • PO3 Determine the technological direction
      • PO4 Define the IT organisation and relationships
      • PO5 Manage the IT investment
      • PO6 Communicate management aims and direction
      • PO7 Manage human resources
      • PO8 Ensure compliance with external requirements
      • PO9 Assess risks
      • PO10 Manage projects
      • PO11 Manage quality
      • AI1 Identify automated solutions
      • AI2 Acquire and maintain application software
      • AI3 Acquire and maintain technology infrastructure
      • AI4 Develop and maintain IT procedures
      • AI5 Install and accredit systems
      • AI6 Manage changes
      • DS1 Define service levels
      • DS2 Manage third-party services
      • DS3 Manage performance and capacity
      • DS4 Ensure continuous service
      • DS5 Ensure systems security
      • DS6 Identify and attribute costs
      • DS7 Educate and train users
      • DS8 Assist and advise IT customers
      • DS9 Manage the configuration
      • DS10 Manage problems and incidents
      • DS11 Manage data
      • DS12 Manage facilities
      • DS13 Manage operations
      • M1 Monitor the process
      • M2 Assess internal control adequacy
      • M3 Obtain independent assurance
      • M4 Provide for independent audit
  • COBIT Framework (figure): Business Requirements drive the IT processes of the four domains (Plan and Organise, Acquire and Implement, Deliver and Support, Monitor and Evaluate), which are applied to the IT Resources and measured against the information Criteria.
    • IT Resources: Data, Application systems, Technology, Facilities, People
    • Criteria: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability
  • The control of IT processes, which satisfy the Business Requirements (Effectiveness, Efficiency, Availability, Integrity, Confidentiality, Reliability, Compliance), is enabled by Control Statements, considering Control Practices. 4 Domains - 34 Processes - 239 Control Objectives.
  • IT General Controls and Application Controls
    • General controls are controls embedded in IT processes and services. Examples include:
      • Systems development
      • Change management
      • Security
      • Computer operations
    • Controls embedded in business process applications are commonly referred to as application controls. Examples include:
      • Completeness
      • Accuracy
      • Validity
      • Authorisation
      • Segregation of duties
  • Information Technology Risk Based Auditing (figure):
    • 1- IT Audits: Data Center, User Access Management, Web Development
    • 2- Risk Assessment, from your company’s audit program: Narratives, Flowcharting, Prior Audits, Compliance
    • 3- Risks Identified
    • 4- Risks Categorized: Security, Change Management, Code Development, Performance Management
    • 5- Control Sources: Policies & Procedures, Regulatory, Best Practices (CobiT, ITIL, ISO 17799:2000)
  • Web Development Audit (example of initial risk assessment with no input from CobiT):
    • CHANGE MANAGEMENT – A control objective grouping based on risk
    • Risk that:
      • Requests for systems and application changes, to include emergencies, may not be assessed or prioritized in a manner to address timely impacts on operational systems and their functionality.
      • Changes may not be appropriately reviewed, approved, and communicated.
  • Information Technology Risk Based Auditing, with CobiT as the control source (figure):
    • 1- IT Audit: Web Development
    • 2- Risk Assessment, from your company’s audit program: Narratives, Flowcharting, Prior Audits, Compliance
    • 3- Risks Identified
    • 4- Risks Categorized: DS 5: Ensure System Security; AI 6: Manage Changes; AI 2: Acquire & Maintain Application Software; DS 3: Manage Performance & Capacity
    • 5- Control Sources: Policies & Procedures, Regulatory, Best Practices (CobiT for this page)
  • Risk Categorization mapped to CobiT Processes:
    • Security → DS 5: Ensure System Security
    • Performance Management → DS 3: Manage Performance & Capacity
    • Code Development → AI 2: Acquire & Maintain Application Software
    • Change Management → AI 6: Manage Changes
  • CobiT ‘AI 6 Manage Changes’: Managing changes to computer programs is required to ensure processing integrity between versions, and for consistency of results period to period. Change must be formally managed via change control request, impact assessment, documentation, authorization, release, and distribution policies and procedures. (Slide callouts: Domain or high-level Control Objective; Detailed Control Objective)
  • Web Development Audit (Acquisition & Implementation) (example of initial risk assessment with CobiT review):
    • AI 6 - MANAGE CHANGES (CobiT online)
    • Risk that (risk drivers):
      • Requests for systems and application changes, to include emergencies, may not be assessed or prioritized in a manner to address timely impacts on operational systems and their functionality.
      • Changes may not be appropriately approved and communicated.
      • Appropriate contingencies for change control may not be addressed or followed.
      • Inappropriate allocation of resources.
      • Production system availability may be impacted (reduced).
  • Control and Control Objective Definitions
    • Definition of Control: The policies, procedures, practices and organisational structures designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented or detected and corrected
    • Definition of IT Control Objective: A statement of the desired result or purpose to be achieved by implementing control practices in a particular IT activity
  • Management Guidelines Framework (figure):
    • Process Description
    • Critical Success Factors
    • Key Goal Indicators
    • Key Performance Indicators
    • Information Criteria
    • Resources
    • Maturity Model:
      • 0 - Management processes are not applied at all.
      • 1 - Processes are ad hoc and disorganised.
      • 2 - Processes follow a regular pattern.
      • 3 - Processes are documented and communicated.
      • 4 - Processes are monitored and measured.
      • 5 - Best practices are followed and automated.
  • Maturity Models Usage (figure): a scale from 0 to 5 (0 Nonexistent, 1 Initial, 2 Repeatable, 3 Defined, 4 Managed, 5 Optimised) on which the following symbols are marked:
    • Enterprise current status
    • International standard guidelines
    • Industry best practice
    • Enterprise strategy
    • Legend for rankings used:
      • 0 - Management processes are not applied at all.
      • 1 - Processes are ad hoc and disorganised.
      • 2 - Processes follow a regular pattern.
      • 3 - Processes are documented and communicated.
      • 4 - Processes are monitored and measured.
      • 5 - Best practices are followed and automated.
  • Possible maturity level of an IT process (Maturity Attribute Table): The example illustrates a process that is largely at level 3 but still has some compliance issues with lower-level requirements, whilst already investing in performance measurement (level 4) and optimization (level 5). Using the maturity models developed for each of COBIT’s 34 IT processes, management can identify:
    • The actual performance of the enterprise: where the enterprise is today
    • The enterprise’s target for improvement: where the enterprise wants to be
  • Mapping COBIT to ISO 17799:2000
  • Today we reviewed:
    • I. Overview of the CobiT Framework
    • II. Navigating the on-line tool
      • What is there?
      • What might you need?
    • III. Reference to Risk Assessment (Real World)
    • IV. Testing Guide
    • V. Maturity Assessment
    • VI. Mapping CobiT to other standards
  • Useful Links
    • Information Systems Audit and Control Association: www.isaca.org
    • IT Governance Institute: www.itgi.org
    • Committee of Sponsoring Organizations of the Treadway Commission (COSO): www.coso.org
    • ITIL, Information Technology Infrastructure Library: http://www.itil-officialsite.com/home/home.asp
  • Questions?