Feb 26 NETP Slide Deck
Published in: Technology

Transcript

  • 1. IT Policies, Standards and Technical Directives Sarah Cortes Inman Technology February, 2009
  • 2. IT Policies, Standards and Technical Directives Agenda
    • Purpose?
    • Standards Frameworks
    • COBIT Framework
    • ISACA Framework
    • Fidelity Process
    • Who are we?
  • 3. IT Policies, Standards and Technical Directives Standards Overview
    • ISO/IEC 27000 - International Organization for Standardization/International Electrotechnical Commission
    • ITIL – Information Technology Infrastructure Library
    • NIST - National Institute of Standards and Technology
    • PMBOK – Project Management Body of Knowledge
    • TOGAF - The Open Group Architecture Framework
    • CMMI for Development - Capability Maturity Model Integration
    • SEI’s CMM (Capability Maturity Model) for SW
        • (US DoD) Software Engineering Institute
    • COBIT - Control Objectives for Information & related Technology
        • Information Systems Audit and Control Association
  • 4. IT Policies, Standards and Technical Directives Is the Purpose to…?
    • Drive you crazy?
    • Waste your precious resources in a pointless task that will soon be out of date?
    • Serve as evidence to be used against you later?
  • 5. IT Policies, Standards and Technical Directives Could policies help…?
    • Save you after you have already gotten into trouble?
    • Attempt, however lamely, to keep you out of trouble?
    • Prove that, however obvious the trouble is, it is not your fault?
  • 6. IT Policies, Standards and Technical Directives Calling in the Experts
  • 7. IT Policies, Standards and Technical Directives Did you know…?
    • Seven out of ten attacks are from…
  • 8. IT Policies, Standards and Technical Directives You may be wondering…
    • Why develop and document IT policies, standards and technical directives?
    • Is it really worth it? What’s in it for me?
    • Who will pay for the resources thusly diverted?
  • 9. IT Policies, Standards and Technical Directives COBIT Control Objectives - Overview
    • PLAN AND ORGANISE - 10
    • ACQUIRE AND IMPLEMENT - 7
    • DELIVER AND SUPPORT - 13
    • MONITOR AND EVALUATE – 4
    • Total - 34
  • 10. IT Policies, Standards and Technical Directives COBIT Control Objectives - PLAN AND ORGANISE
    • PO1 Define a Strategic IT Plan
    • PO2 Define the Information Architecture
    • PO3 Determine Technological Direction
    • PO4 Define the IT Processes, Organisation and Relationships
    • PO5 Manage the IT Investment
    • PO6 Communicate Management Aims and Direction
    • PO7 Manage IT Human Resources
    • PO8 Manage Quality
    • PO9 Assess and Manage IT Risks
    • PO10 Manage Projects
  • 11. IT Policies, Standards and Technical Directives COBIT Control Objectives - ACQUIRE AND IMPLEMENT
    • AI1 Identify Automated Solutions
    • AI2 Acquire and Maintain Application Software
    • AI3 Acquire and Maintain Technology Infrastructure
    • AI4 Enable Operation and Use
    • AI5 Procure IT Resources
    • AI6 Manage Changes
    • AI7 Install and Accredit Solutions and Changes
  • 12. IT Policies, Standards and Technical Directives COBIT Control Objectives - DELIVER AND SUPPORT
    • DS1 Define and Manage Service Levels
    • DS2 Manage Third-party Services
    • DS3 Manage Performance and Capacity
    • DS4 Ensure Continuous Service
    • DS5 Ensure Systems Security
    • DS6 Identify and Allocate Costs
    • DS7 Educate and Train Users
    • DS8 Manage Service Desk and Incidents
    • DS9 Manage the Configuration
    • DS10 Manage Problems
    • DS11 Manage Data
    • DS12 Manage the Physical Environment
    • DS13 Manage Operations
  • 13. IT Policies, Standards and Technical Directives COBIT Control Objectives – MONITOR AND EVALUATE
    • ME1 Monitor and Evaluate IT Performance
    • ME2 Monitor and Evaluate Internal Control
    • ME3 Ensure Regulatory Compliance
    • ME4 Provide IT Governance
  • 14. IT Policies, Standards and Technical Directives COBIT Control Objectives – DS5 Ensure Systems Security
    • DS5.1 Management of IT Security
    • DS5.2 IT Security Plan
    • DS5.3 Identity Management
    • DS5.4 User Account Management
    • DS5.5 Security Testing, Surveillance and Monitoring
    • DS5.6 Security Incident Definition
    • DS5.7 Protection of Security Technology
    • DS5.8 Cryptographic Key Management
    • DS5.9 Malicious SW Prevention, Detection, Correction
    • DS5.10 Network Security
    • DS5.11 Exchange of Sensitive Data
  • 15. IT Policies, Standards and Technical Directives ISACA Standards, Guidelines & Procedures
    • IS Guideline: G18 IT Governance
    • IS Guideline: G20 Reporting
    • IS Guideline: G21 Enterprise Resource Planning (ERP) Systems
    • IS Guideline: G22 Business to Consumer (B2C) E-commerce
    • IS Guideline: G23 System Development Life Cycle (SDLC)
    • IS Guideline: G24 Internet Banking
    • IS Guideline: G25 Review of Virtual Private Networks
    • IS Guideline: G26 Business Process Reengineering (BPR) Project
    • IS Guideline: G27 Mobile Computing
    • IS Guideline: G28 Computer Forensics
    • IS Guideline: G29 Post Implementation Review
    • IS Guideline: G30 Competence
    • IS Guideline: G31 Privacy
    • IS Guideline: G32 Business Continuity Plan (BCP)-IT Perspective
    • IS Guideline: G33 General Considerations on the Use of Internet
    • IS Guideline: G34 Responsibility, Authority and Accountability
    • IS Guideline: G35 Follow-up Activities
  • 16. IT Policies, Standards and Technical Directives ISACA Standards, Guidelines & Procedures
    • IS Guideline: G36 Biometric Controls
    • IS Guideline: G38 Access Controls
    • IS Guideline: G39 IT Organization
    • IS Guideline: G40 Review of Security Management Practices
    • IS Procedure: P01 IS Risk Assessment Measurement
    • IS Procedure: P02 Digital Signatures
    • IS Procedure: P03 Intrusion Detection
    • IS Procedure: P04 Viruses and Other Malicious Logic
    • IS Procedure: P05 Control Risk Self-assessment
    • IS Procedure: P06 Firewalls
    • IS Procedure: P07 Irregularities and Illegal Acts
    • IS Procedure: P08 Security-Pen Testing/Vulnerability Analysis
    • IS Procedure: P09 Mgt Controls Over Encryption Methodologies
    • IS Procedure: P10 Business Application Change Control
    • IS Procedure: P11 Electronic Funds Transfer (EFT)
  • 17. IT Policies, Standards and Technical Directives Fidelity Process
    • Over 50 subsidiaries
    • Over 30,000 employees worldwide
    • Over 12,000 employees in Boston area
    • Over 250 IT Policy categories
    • Over 500 Technical directives
    • Periodic Advisory Board Review process
  • 18. IT Policies, Standards and Technical Directives Fidelity Issues
    • Who, specifically by name, is responsible for ensuring policies & standards are applied? (designated scapegoat)
    • Need to break down policy categories into specific policy elements (1 policy becomes 100 policies)
    • A policy begets formal training and training recordkeeping (applications unto themselves)
  • 19. IT Policies, Standards and Technical Directives Fidelity Issues
    • “Required,” “Recommended,” or “Highly Recommended?” (the shell game)
    • Need to self-assess at the policy element level (a/k/a your new full-time job)
  • 20. Inman Technology
    • Clients:
      • Harvard Law
      • Harvard CAIT
      • Biogen
      • Fidelity
      • Etc.
    • Practice expertise
      • IT Security/Disaster Recovery
      • IT Project Management
      • Major Application Development
    • Background – Sarah Cortes
      • SVP in charge of Security, DR, IT Audit, and some Data Center Operations at Putnam Investments
      • Previously ran major applications development for Trading/Analytics Systems
      • As head of DR, ran Putnam's failover during 9/11 when parent Marsh McLennan failed over to our facility from the World Trade Center 99th floor data center
      • Coordinated over 65 audits per year
      • Certified Information Systems Auditor (CISA) and PMP-certified (Project Management Program)