CobIT presentation

Transcript

  • 1. Auditing IT Compliance
    Auditing IT compliance: a practical approach (EEMA), November 2005
    Mr. Marc Vael, Managing Director, Valuendo
    © 2005 Valuendo. All rights reserved. INFORMATION CLASSIFICATION = PUBLIC
    Marc Vael, EEMA, Valuendo, November 2005

    Agenda
    In this session an answer will be given to:
    – How to manage IT risks & compliance within an organisation using CobIT, the IT governance standard;
    – How to present the results of IT risk & compliance audits.
  • 2. Introduction
    • Marc Vael
    • Managing Director Valuendo ("value & do") since July 2001
    • Education
      – Master Applied Economics (UAntwerp)
      – Master Information Management (UHasselt)
      – Master+ Applied Economics & ICT (KUL)
    • Core Services
      – ERM
      – IT Governance
      – Information Security Management
      – Business Continuity / Disaster Recovery
      – Crisis Management
      – Data Privacy & Protection
      – IT Audit & Compliance
    • Certifications
      – CISA / CISM / CISSP / ITIL Service Manager

    Introduction
    (Compliance) audits are executed by independent (internal or external) skilled parties and result in a report for the board of directors, executive management and/or external parties in order to provide comfort/assurance.
    • Scope (what & what not)
    • Execution (D – O – T)
    • Facts based (documentation / reports / tests)
    • Reporting (Obs – Risk – Rec: observation, risk, recommendation)
  • 3. Introduction
    (figure: a cycle of ASSESS, DESIGN, IMPLEMENT and MONITOR around COMPLIANCE)

    Need for Audit & Compliance
    New legislation & regulation
    • "assurance" on internal control
    • Stress governance & responsibility of directors
    • Pervasiveness & importance of IT
    • Beyond financial risk: towards risks that adversely affect the organisation's ability to achieve its objectives and execute its strategies
    • SMEs
    Examples: Sarbanes-Oxley (SOx), Basel II, GLBA, HIPAA, Code Lippens, Code Buysse
  • 4. Need for Audit & Compliance
    New management practices
    • IT Governance: a structure of IT relationships & processes to direct and control the enterprise to achieve the enterprise's goals by adding value while balancing risk vs. return over IT and its processes
    • IT Manageability
      – New tools for management to self-assess and make choices for control implementation and improvements
      – Ability to align the IT organisation with the goals of the enterprise
      – Performance measurements that ensure that these goals are achieved

    IT Governance Compliance
    (section title slide)
  • 5. IT Governance Compliance
    Implementing Control & Governance
    Drivers:
    • Compliance with law, standards and regulations
    • Cost reduction
    • Mission & goals
    • Performance improvement
    • Risk reduction
    • Reputation and trust
    • Competitive environment
    • Corporate values
    • Political/economic environment
    Inhibitors:
    • Budget limitations
    • Availability of skilled staff
    • Management awareness
    • Management commitment
    • Lack of ownership
    • Existing architecture
    • No easy solution
    • Resource conflicts/priorities
    • Lack of tools
    • Political/economic environment
  • 6. CobIT & IT Governance Compliance
    Link between COBIT and IT Governance
    (figure, recoverable labels: COBIT; Direction (IT strategy & policy); Requirements; Control Objectives; Goals; Responsibilities; Governance; Business; IT; Information the business needs to achieve its objectives; Information the executive and board need to exercise their responsibilities)
    (second version of the same figure adds the label: IT Governance (IT control, risk & assurance))
  • 7. CobIT: IT Control Framework
    COBIT's Vision: To be the (de facto) model for IT governance.
    COBIT's Mission: To research, develop, publicise and promote an authoritative, up-to-date, international set of generally accepted IT control objectives for day-to-day use by business managers & auditors.
    Definition of Control: The policies, procedures, practices and organisational structures designed to provide reasonable assurance that business objectives will be achieved & that undesired events will be prevented or detected and corrected.
    Definition of IT Control Objective: A statement of the desired result or purpose to be achieved by implementing control practices in a particular IT activity.

    CobIT basic principles
    • Generally applicable & internationally accepted open standard
    • Regardless of technology
    • Starting from business requirements for information
    • Management- and business process owner-oriented
    • Includes existing standards and techniques:
      – Risk assessment concepts
      – Business risk / value assessment
      – Assurance planning and scoping
      – Control evaluation and testing
      – Control and process maturity (self-assessment)
      – Substantiating risk and effective reporting
    • First published in 1996
    • 4th edition is planned for end 2005
  • 8. CobIT: IT Control Framework
    COBIT components:
    • Executive Summary
    • Framework, with high-level control objectives
    • Implementation Guide
      – Road map for implementation
      – Planning tools and templates
      – Presentations
      – Awareness and diagnostic tools
    • Management Guidelines: Key Performance Indicators, Critical Success Factors, Key Goal Indicators, Maturity Models
    • Audit Guidelines
    • Detailed Control Objectives
    • Control Practices

    Relationship between IT resources & business requirements
    Business Requirements: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability
    IT Resources: People, Information, Applications, Infrastructure
    IT Processes: Plan and Organise; Acquire and Implement; Deliver and Support; Monitor and Evaluate
  • 9. CobIT process map: 4 Domains, 34 Processes, 318 Control Objectives
    BUSINESS OBJECTIVES / Criteria: effectiveness, efficiency, confidentiality, integrity, availability, compliance, reliability
    IT RESOURCES: information, applications, infrastructure, people

    PLAN AND ORGANISE
    PO1 Define a strategic IT plan
    PO2 Define the information architecture
    PO3 Determine the technological direction
    PO4 Define the IT organisation and relationships
    PO5 Manage the IT investment
    PO6 Communicate management aims and direction
    PO7 Manage human resources
    PO8 Ensure compliance with external requirements
    PO9 Assess risks
    PO10 Manage projects
    PO11 Manage quality

    ACQUIRE & IMPLEMENT
    AI1 Identify automated solutions
    AI2 Acquire and maintain application software
    AI3 Acquire and maintain technology infrastructure
    AI4 Develop and maintain procedures
    AI5 Install and accredit systems
    AI6 Manage changes

    DELIVER & SUPPORT
    DS1 Define and manage service levels
    DS2 Manage third-party services
    DS3 Manage performance and capacity
    DS4 Ensure continuous service
    DS5 Ensure systems security
    DS6 Identify and allocate costs
    DS7 Educate and train users
    DS8 Assist and advise customers
    DS9 Manage the configuration
    DS10 Manage problems and incidents
    DS11 Manage data
    DS12 Manage facilities
    DS13 Manage operations

    MONITOR & EVALUATE
    ME1 Manage IT performance
    ME2 Monitor internal controls
    ME3 Oversee IT governance
    ME4 Ensure regulatory compliance
  • 10. CobIT results: Maturity Measurement & Reporting
    Maturity scale (ranking):
    0 – Non-existent: processes are not applied at all
    1 – Initial: processes are ad hoc & not organised
    2 – Repeatable: processes follow a regular pattern
    3 – Defined: processes are documented & communicated
    4 – Managed: processes are monitored & measured
    5 – Optimised: processes are optimised & automated
    Symbols plotted on the scale: current status of the organisation; goal of the organisation; international standard; industry "best practice"

    What is COBIT used for in practice? (Result from surveys)
    • To improve audit approach/programs
    • To support audit work with detailed audit guidelines
    • To provide guidance for IT governance
    • As a valuable benchmark for IT control
    • To manage IT risks
    • To improve IT controls
    • To standardise audit approach/programs
    • To communicate with management, auditors and IT
  • 11. Conclusion
    (figure: a cycle of ASSESS, DESIGN, IMPLEMENT and MONITOR around COMPLIANCE)

    Relevant organisations in Belgium
    • ISACA – http://www.isaca.be – http://www.isaca.org
    • ISSA – http://www.issa-be.org – http://www.issa.org
    • IIA – http://www.iia.be – http://www.iia.org
  • 12. Contact information
    Mr. Marc Vael
    Managing Director, Valuendo
    Kriebrugstraat 33, 1760 Roosdaal, Belgium
    T: +32 5 433 61 93
    M: +32 473 99 30 31
    E: mvael@valuendo.com