COBIT and IT Policy Presentation

8,446 views

How COBIT and standards frameworks can assist in developing security and other IT standards, policies and technical directives

Published in: Technology, Business


  1. IT Policies, Standards and Technical Directives
     Sarah Cortes, PMP, CISA
     www.inmantechnologyIT.com
     Sarah’s blog: SecurityWatch
     Sarah’s ITtechEx column
     twitter: SecuritySpy
     LinkedIn: Sarah Cortes
     07/19/09 Copyright 2009 Sarah Cortes 1
  2. IT Policies, Standards and Technical Directives – Agenda
     • Who are we?
     • Purpose?
     • Standards Frameworks
     • COBIT Framework
     • ISACA Framework
     • Case Study
  3. Sarah Cortes, PMP, CISA
     • Clients:
       • Harvard University
       • Biogen
       • Fidelity
     • Professional Associations:
       • Sarah is a member of the AIM Advisory Board on Data Privacy Laws to the Massachusetts Legislature
     • Practice expertise:
       • Complex Application Development/Implementation
       • IT Security/Privacy/Risk Management/Audit Management
       • Data Center Operations Management
       • Disaster Recovery/High Availability
       • Program/Project Management
     • Background:
       • SVP in charge of Security, DR, IT Audit, and some Data Center Operations at Putnam Investments
       • As head of DR, ran Putnam's failover during 9/11 when parent Marsh McLennan failed over to our facility from the World Trade Center 99th floor data center
       • Coordinated over 65 audits per year
       • Previously ran major applications development for Trading/Analytics Systems
  4. IT Policies, Standards and Technical Directives – Standards Overview
     • ISO/IEC 27000 – International Organization for Standardization/International Electrotechnical Commission
     • ITIL – Information Technology Infrastructure Library
     • NIST – National Institute of Standards and Technology
     • PMBOK – Project Management Body of Knowledge
     • TOGAF – The Open Group Architecture Framework
     • CMMI for Development – Capability Maturity Model Integration
     • SEI’s CMM (Capability Maturity Model) for SW – (US DoD) Software Engineering Institute
     • COBIT – Control Objectives for Information & related Technology – Information Systems Audit and Control Association
  5. IT Policies, Standards and Technical Directives – Is the Purpose to…?
     • Drive you crazy?
     • Waste your precious resources in a pointless task that will soon be out of date?
     • Serve as evidence to be used against you later?
  6. IT Policies, Standards and Technical Directives – Could policies help…?
     • Save you after you have already gotten into trouble?
     • Attempt, however lamely, to keep you out of trouble
     • Prove that, however obvious the trouble is, it is not your fault
  7. IT Policies, Standards and Technical Directives – Calling in the Experts
  8. IT Policies, Standards and Technical Directives – Did you know…?
     • Seven out of ten attacks are from…
  9. IT Policies, Standards and Technical Directives – You may be wondering…
     • Why develop and document IT policies, standards and technical directives?
     • Is it really worth it? What’s in it for me?
     • Who will pay for the resources thusly diverted?
  10. IT Policies, Standards and Technical Directives – COBIT Control Objectives: Overview
     • PLAN AND ORGANISE – 10
     • ACQUIRE AND IMPLEMENT – 7
     • DELIVER AND SUPPORT – 13
     • MONITOR AND EVALUATE – 4
     • Total – 34
  11. IT Policies, Standards and Technical Directives – COBIT Control Objectives: PLAN AND ORGANISE
     • PO1 Define a Strategic IT Plan
     • PO2 Define the Information Architecture
     • PO3 Determine Technological Direction
     • PO4 Define the IT Processes, Organization and Relationships
     • PO5 Manage the IT Investment
     • PO6 Communicate Management Aims and Direction
     • PO7 Manage IT Human Resources
     • PO8 Manage Quality
     • PO9 Assess and Manage IT Risks
     • PO10 Manage Projects
  12. IT Policies, Standards and Technical Directives – COBIT Control Objectives: ACQUIRE AND IMPLEMENT
     • AI1 Identify Automated Solutions
     • AI2 Acquire and Maintain Application Software
     • AI3 Acquire and Maintain Technology Infrastructure
     • AI4 Enable Operation and Use
     • AI5 Procure IT Resources
     • AI6 Manage Changes
     • AI7 Install and Accredit Solutions and Changes
  13. IT Policies, Standards and Technical Directives – COBIT Control Objectives: DELIVER AND SUPPORT
     • DS1 Define and Manage Service Levels
     • DS2 Manage Third-party Services
     • DS3 Manage Performance and Capacity
     • DS4 Ensure Continuous Service
     • DS5 Ensure Systems Security
     • DS6 Identify and Allocate Costs
     • DS7 Educate and Train Users
     • DS8 Manage Service Desk and Incidents
     • DS9 Manage the Configuration
     • DS10 Manage Problems
     • DS11 Manage Data
     • DS12 Manage the Physical Environment
     • DS13 Manage Operations
  14. IT Policies, Standards and Technical Directives – COBIT Control Objectives: MONITOR AND EVALUATE
     • ME1 Monitor and Evaluate IT Performance
     • ME2 Monitor and Evaluate Internal Control
     • ME3 Ensure Regulatory Compliance
     • ME4 Provide IT Governance
  15. IT Policies, Standards and Technical Directives – COBIT Control Objectives: DS5 Ensure Systems Security
     • DS5.1 Management of IT Security
     • DS5.2 IT Security Plan
     • DS5.3 Identity Management
     • DS5.4 User Account Management
     • DS5.5 Security Testing, Surveillance and Monitoring
     • DS5.6 Security Incident Definition
     • DS5.7 Protection of Security Technology
     • DS5.8 Cryptographic Key Management
     • DS5.9 Malicious SW Prevention, Detection, Correction
     • DS5.10 Network Security
     • DS5.11 Exchange of Sensitive Data
  16. IT Policies, Standards and Technical Directives – ISACA Standards, Guidelines & Procedures
     • IS Guideline: G18 IT Governance
     • IS Guideline: G20 Reporting
     • IS Guideline: G21 Enterprise Resource Planning (ERP) Systems
     • IS Guideline: G22 Business to Consumer (B2C) E-commerce
     • IS Guideline: G23 System Development Life Cycle (SDLC)
     • IS Guideline: G24 Internet Banking
     • IS Guideline: G25 Review of Virtual Private Networks
     • IS Guideline: G26 Business Process Reengineering (BPR) Project
     • IS Guideline: G27 Mobile Computing
     • IS Guideline: G28 Computer Forensics
     • IS Guideline: G29 Post Implementation Review
     • IS Guideline: G30 Competence
     • IS Guideline: G31 Privacy
     • IS Guideline: G32 Business Continuity Plan (BCP) – IT Perspective
     • IS Guideline: G33 General Considerations on the Use of Internet
     • IS Guideline: G34 Responsibility, Authority and Accountability
     • IS Guideline: G35 Follow-up Activities
  17. IT Policies, Standards and Technical Directives – ISACA Standards, Guidelines & Procedures
     • IS Guideline: G36 Biometric Controls
     • IS Guideline: G38 Access Controls
     • IS Guideline: G39 IT Organization
     • IS Guideline: G40 Review of Security Management Practices
     • IS Procedure: P01 IS Risk Assessment Measurement
     • IS Procedure: P02 Digital Signatures
     • IS Procedure: P03 Intrusion Detection
     • IS Procedure: P04 Viruses and Other Malicious Logic
     • IS Procedure: P05 Control Risk Self-assessment
     • IS Procedure: P06 Firewalls
     • IS Procedure: P07 Irregularities and Illegal Acts
     • IS Procedure: P08 Security – Pen Testing/Vulnerability Analysis
     • IS Procedure: P09 Mgt Controls Over Encryption Methodologies
     • IS Procedure: P10 Business Application Change Control
     • IS Procedure: P11 Electronic Funds Transfer (EFT)
  18. IT Policies, Standards and Technical Directives – Company A Process
     • Over 50 subsidiaries
     • Over 30,000 employees worldwide
     • Over 12,000 employees in Boston area
     • Over 250 IT Policy categories
     • Over 500 Technical directives
     • Periodic Advisory Board Review process
  19. IT Policies, Standards and Technical Directives – Company A Issues
     • Who, specifically by name, is responsible for ensuring policies & standards are applied? (designated scapegoat)
     • Need to break down policy categories into specific policy elements (1 policy becomes 100 policies)
     • A policy begets formal training and training recordkeeping (applications unto themselves)
  20. IT Policies, Standards and Technical Directives – Company A Issues
     • “Required,” “Recommended,” or “Highly Recommended?” (the shell game)
     • Need to self-assess at the policy element level (a/k/a your new full-time job)
