Feb 26 NETP Slide Deck
IT Policies, Standards and Technical Directives
Sarah Cortes, Inman Technology
February, 2009

Agenda
- Purpose?
- Standards Frameworks
- COBIT Framework
- ISACA Framework
- Fidelity Process
- Who are we?

Standards Overview
- ISO/IEC 27000 - International Organization for Standardization/International Electrotechnical Commission
- ITIL - Information Technology Infrastructure Library
- NIST - National Institute of Standards and Technology
- PMBOK - Project Management Body of Knowledge
- TOGAF - The Open Group Architecture Framework
- CMMI for Development - Capability Maturity Model Integration
- SEI's CMM (Capability Maturity Model) for SW
    - (US DoD) Software Engineering Institute
- COBIT - Control Objectives for Information & related Technology
    - Information Systems Audit and Control Association

Is the Purpose to…?
- Drive you crazy?
- Waste your precious resources in a pointless task that will soon be out of date?
- Serve as evidence to be used against you later?

Could policies help…?
- Save you after you have already gotten into trouble?
- Attempt, however lamely, to keep you out of trouble
- Prove that, however obvious the trouble is, it is not your fault

Calling in the Experts

Did you know…?
- Seven out of ten attacks are from…

You may be wondering…
- Why develop and document IT policies, standards and technical directives?
- Is it really worth it? What's in it for me?
- Who will pay for the resources thusly diverted?

COBIT Control Objectives - Overview
- PLAN AND ORGANISE - 10
- ACQUIRE AND IMPLEMENT - 7
- DELIVER AND SUPPORT - 13
- MONITOR AND EVALUATE - 4
- Total - 34

COBIT Control Objectives - PLAN AND ORGANISE
- PO1 Define a Strategic IT Plan
- PO2 Define the Information Architecture
- PO3 Determine Technological Direction
- PO4 Define the IT Processes, Organisation and Relationships
- PO5 Manage the IT Investment
- PO6 Communicate Management Aims and Direction
- PO7 Manage IT Human Resources
- PO8 Manage Quality
- PO9 Assess and Manage IT Risks
- PO10 Manage Projects

COBIT Control Objectives - ACQUIRE AND IMPLEMENT
- AI1 Identify Automated Solutions
- AI2 Acquire and Maintain Application Software
- AI3 Acquire and Maintain Technology Infrastructure
- AI4 Enable Operation and Use
- AI5 Procure IT Resources
- AI6 Manage Changes
- AI7 Install and Accredit Solutions and Changes

COBIT Control Objectives - DELIVER AND SUPPORT
- DS1 Define and Manage Service Levels
- DS2 Manage Third-party Services
- DS3 Manage Performance and Capacity
- DS4 Ensure Continuous Service
- DS5 Ensure Systems Security
- DS6 Identify and Allocate Costs
- DS7 Educate and Train Users
- DS8 Manage Service Desk and Incidents
- DS9 Manage the Configuration
- DS10 Manage Problems
- DS11 Manage Data
- DS12 Manage the Physical Environment
- DS13 Manage Operations

COBIT Control Objectives - MONITOR AND EVALUATE
- ME1 Monitor and Evaluate IT Performance
- ME2 Monitor and Evaluate Internal Control
- ME3 Ensure Regulatory Compliance
- ME4 Provide IT Governance

COBIT Control Objectives - DS5 Ensure Systems Security
- DS5.1 Management of IT Security
- DS5.2 IT Security Plan
- DS5.3 Identity Management
- DS5.4 User Account Management
- DS5.5 Security Testing, Surveillance and Monitoring
- DS5.6 Security Incident Definition
- DS5.7 Protection of Security Technology
- DS5.8 Cryptographic Key Management
- DS5.9 Malicious SW Prevention, Detection, Correction
- DS5.10 Network Security
- DS5.11 Exchange of Sensitive Data

ISACA Standards, Guidelines & Procedures
- IS Guideline: G18 IT Governance
- IS Guideline: G20 Reporting
- IS Guideline: G21 Enterprise Resource Planning (ERP) Systems
- IS Guideline: G22 Business to Consumer (B2C) E-commerce
- IS Guideline: G23 System Development Life Cycle (SDLC)
- IS Guideline: G24 Internet Banking
- IS Guideline: G25 Review of Virtual Private Networks
- IS Guideline: G26 Business Process Reengineering (BPR) Project
- IS Guideline: G27 Mobile Computing
- IS Guideline: G28 Computer Forensics
- IS Guideline: G29 Post Implementation Review
- IS Guideline: G30 Competence
- IS Guideline: G31 Privacy
- IS Guideline: G32 Business Continuity Plan (BCP) - IT Perspective
- IS Guideline: G33 General Considerations on the Use of Internet
- IS Guideline: G34 Responsibility, Authority and Accountability
- IS Guideline: G35 Follow-up Activities

ISACA Standards, Guidelines & Procedures (continued)
- IS Guideline: G36 Biometric Controls
- IS Guideline: G38 Access Controls
- IS Guideline: G39 IT Organization
- IS Guideline: G40 Review of Security Management Practices
- IS Procedure: P01 IS Risk Assessment Measurement
- IS Procedure: P02 Digital Signatures
- IS Procedure: P03 Intrusion Detection
- IS Procedure: P04 Viruses and Other Malicious Logic
- IS Procedure: P05 Control Risk Self-assessment
- IS Procedure: P06 Firewalls
- IS Procedure: P07 Irregularities and Illegal Acts
- IS Procedure: P08 Security - Pen Testing/Vulnerability Analysis
- IS Procedure: P09 Mgt Controls Over Encryption Methodologies
- IS Procedure: P10 Business Application Change Control
- IS Procedure: P11 Electronic Funds Transfer (EFT)

Fidelity Process
- Over 50 subsidiaries
- Over 30,000 employees worldwide
- Over 12,000 employees in Boston area
- Over 250 IT Policy categories
- Over 500 Technical directives
- Periodic Advisory Board Review process

Fidelity Issues
- Who, specifically by name, is responsible for ensuring policies & standards are applied? (designated scapegoat)
- Need to break down policy categories into specific policy elements (1 policy becomes 100 policies)
- A policy begets formal training and training recordkeeping (applications unto themselves)

Fidelity Issues (continued)
- "Required," "Recommended," or "Highly Recommended?" (the shell game)
- Need to self-assess at the policy element level (a/k/a your new full-time job)

Inman Technology
- Clients:
    - Harvard Law
    - Harvard CAIT
    - Biogen
    - Fidelity
    - Etc.
- Practice expertise
    - IT Security/Disaster Recovery
    - IT Project Management
    - Major Application Development
- Background - Sarah Cortes
    - SVP in charge of Security, DR, IT Audit, and some Data Center Operations at Putnam Investments
    - Previously ran major applications development for Trading/Analytics Systems
    - As head of DR, ran Putnam's failover during 9/11 when parent Marsh McLennan failed over to our facility from the World Trade Center 99th floor data center
    - Coordinated over 65 audits per year
    - Certified Information Systems Auditor (CISA) and PMP-certified (Project Management Program)