The document provides information about COBIT (Control Objectives for Information and Related Technology), a framework for governance and management of IT. It includes an overview of the COBIT framework and its components, which provide guidance on IT processes, control objectives, implementation tools, and more. The document also includes an order form and details on purchasing or donating to support further COBIT research.
Sentric Presents ACT 32 - November 2011, by Shannon Maggs
Slideshow describing ACT 32 for PA Local Taxes, and what employers must do to comply. Also covers how Sentric is handling these changes for their affected clients.
IT Strategic Planning - Methodology and Approach, by Dave Shiple
The document outlines an IT strategic planning methodology that involves interviews, benchmarking, workshops, and opportunity validation to develop a 3-5 year strategic plan. Key elements include assessing the current state, defining a future state and gaps, prioritizing IT opportunities, and creating an implementation plan and timeline to realize the strategy. The deliverables will include assessment findings, identified opportunities, a total cost of ownership model, and a roadmap for achieving meaningful use compliance.
The document discusses a one or two day offsite workshop called the Strategic Planning Workshop for management teams. The workshop uses a proven framework called the Gazelles One Page Strategic Plan to help teams develop a strategic plan and execution priorities. Through a facilitated process, teams clarify their purpose, direction, and priorities to increase alignment, focus, and growth.
The document discusses how to conduct an effective Business Impact Analysis (BIA) according to ITIL best practices. It recommends a six-step process: 1) establish impact measurement metrics and identify stakeholders, 2) create a standardized BIA form and questionnaire, 3) gather data by sending the questionnaire to stakeholders, 4) analyze the collected data to quantify potential impacts, 5) validate the findings with stakeholders, and 6) publish the final BIA report. Following this process results in a consistent, cost-effective way to improve IT decision making by considering all potential impacts.
Bullzeye is a discount retailer offering a wide range of products,.docx, uploaded by CruzIbarra161
Bullzeye is a discount retailer offering a wide range of products, including home goods, clothing, toys, and food. The company is a regional retailer with 10 brick-and-mortar stores as well as a popular online store. Due to the recent credit card data breaches of various prominent national retail companies (e.g., Target, Home Depot, Staples), the Bullzeye Board of Directors has taken particular interest in information security, especially as it pertains to the protection of credit cardholder data within the Bullzeye environment. The Board has asked executive management to evaluate and strengthen the enterprise’s information security infrastructure, where needed.
In order to respond to the Board regarding their preparedness for a cyber-security attack, the Chief Financial Officer (CFO) has engaged your IT consulting firm to identify the inherent risks and recommend control remediation strategies to prevent, or to detect and appropriately respond to, data breaches. Your firm has been requested to liaise with the Internal Audit Department during the engagement. Your first step is to gain an understanding of Bullzeye’s IT environment. The Chief Audit Executive (CAE) schedules a meeting with key Bullzeye leadership personnel, including the CFO, Chief Information Officer (CIO), and Chief Information Security Officer (CISO).
The following key information was obtained.
Background
IT Security Framework/Policy -
Bullzeye has an information security policy, which was developed by the CISO. The policy was developed in response to an internal audit conducted by an external firm hired by the CAE. The policy is not based on one specific IT control framework but considers elements contained within several frameworks. An information security committee has been recently formed to discuss new security risks and to develop mitigation strategies.
The meeting will be held monthly and include the CISO and other key IT Directors reporting to the CIO.
In addition, a training program was implemented last year in order to provide education on various information security topics (e.g., social engineering, malware, etc.). The program requires that all staff within the IT department complete an annual information security training webinar and corresponding quiz. The training program is complemented by a monthly e-mail sent to IT staff, which highlights relevant information security topics.
General IT Environment -
Most employees in the corporate office are assigned a standard desktop computer, although certain management personnel in the corporate and retail locations are issued a laptop if they can demonstrate their need to work remotely. The laptops are given a standard Microsoft Windows operating system image, which includes anti-malware/anti-virus software and patch update software among others. In addition, new laptops are now encrypted; however, desktops and existing laptops are not currently encrypted due to budget concerns. The user provisioning.
This document summarizes an article from the DITY Newsletter about how the ITIL framework can be governed using COBIT to ensure proper IT governance. It states that ITIL alone is not sufficient and requires integration with other frameworks like COBIT. COBIT addresses what needs to be controlled, measured, and aligned in IT to meet business goals, while ITIL focuses on delivering and supporting IT services. The article argues that both COBIT and ITIL are needed frameworks and should be integrated together to provide the necessary guidance and governance over IT practices.
This step-by-step webinar is about how to register and request donated software and hardware through the TechSoup Canada Product Donations Program.
Lori Smith, Program Manager at TechSoup Canada, will walk you through all the benefits of registering and requesting products from 25 donor partners, like Microsoft, Adobe, Cisco, Symantec, Intuit.
The following information will be covered:
- Steps to registering and requesting donated products
- What documentation and information you will need for registration
- How to choose the most appropriate activity type for your organization
- Explanation of what happens during the qualification process
- How to shop for, and make product requests
- And much more!
Taimur Ansar Sheikh is an Information Systems Auditor and Data Analytics professional currently working as an Assistant Vice President at the National Bank of Pakistan. He has over 15 years of experience in conducting IT audits, risk assessments, and developing audit reporting and analytics tools. Some of his responsibilities include performing risk ratings of branches and applications, evaluating internal controls, and conducting off-site reviews of branches through data analysis. He is certified in various information security and audit standards and has expertise in databases, data analytics, and developing customized audit and reporting systems using business intelligence techniques.
This document summarizes an article from the DITY Newsletter about justifying ITIL implementation. It discusses how IT departments often do not communicate their value to the business, resulting in decisions based primarily on cost. The article then provides examples of how ITIL can help "do more, with more, for less" by increasing efficiency and productivity rather than just cutting costs. Specific areas where ITIL can generate rapid ROI, such as in vendor management savings, bandwidth management savings, and asset management savings, are highlighted.
Bullzeye Data Breach Readiness Assessment .docx, uploaded by alfred4lewis58146
Bullzeye Data Breach Readiness Assessment
IIA Case Study
Bullzeye is a discount retailer offering a wide range of products, including home goods, clothing, toys, and food. The company is a regional retailer with 10 brick-and-mortar stores as well as a popular online store. Due to the recent credit card data breaches of various prominent national retail companies (e.g., Target, Home Depot, Staples), the Bullzeye Board of Directors has taken particular interest in information security, especially as it pertains to the protection of credit cardholder data within the Bullzeye environment. The Board has asked executive management to evaluate and strengthen the enterprise’s information security infrastructure, where needed.
In order to respond to the Board regarding their preparedness for a cyber-security attack, the Chief Financial Officer (CFO) has engaged your IT consulting firm to identify the inherent risks and recommend control remediation strategies to prevent, or to detect and appropriately respond to, data breaches. Your firm has been requested to liaise with the Internal Audit Department during the engagement. Your first step is to gain an understanding of Bullzeye’s IT environment. The Chief Audit Executive (CAE) schedules a meeting with key Bullzeye leadership personnel, including the CFO, Chief Information Officer (CIO), and Chief Information Security Officer (CISO). The following key information was obtained.
Background
IT Security Framework/Policy - Bullzeye has an information security policy, which was developed by the CISO. The policy was developed in response to an internal audit conducted by an external firm hired by the CAE. The policy is not based on one specific IT control framework but considers elements contained within several frameworks. An information security committee has been recently formed to discuss new security risks and to develop mitigation strategies. The meeting will be held monthly and include the CISO and other key IT Directors reporting to the CIO. In addition, a training program was implemented last year in order to provide education on various information security topics (e.g., social engineering, malware, etc.). The program requires that all staff within the IT department complete an annual information security training webinar and corresponding quiz. The training program is complemented by a monthly e-mail sent to IT staff, which highlights relevant information security topics.
General IT Environment - Most employees in the corporate office are assigned a standard desktop computer, although certain management personnel in the corporate and retail locations are issued a laptop if they can demonstrate their need to work remotely. The laptops are given a standard Microsoft Windows operating system image, which includes anti-malware/anti-virus software and patch update software among others. In addition, new laptops are .
This document summarizes an article from the DITY Newsletter about Component Failure Impact Analysis (CFIA). CFIA identifies components that could cause an outage, lack backups, and evaluates failure risk. It helps justify investments and assists with creating and maintaining the Configuration Management Database. The summary outlines a 3-step process for conducting CFIA: 1) select a service and list components, 2) create a matrix of components and services to identify failures and backups, 3) examine failures and backups to identify single points of failure and propose design changes or redundancy.
How New Customer Experience Technology Can Generate Massive ROI, by Aggregage
The webinar discussed how new customer experience technologies can generate massive returns on investment (ROI) for financial institutions. A panel of executives from banks and credit unions discussed how customer expectations have changed since the pandemic to demand more digital and omnichannel services. Measuring engagement through benchmark data is key to calculating the ROI of new technologies. The panel shared how technologies have helped solidify customer loyalty by increasing engagement. Tips included leading change by communicating the business case for digital transformation and creating seamless omnichannel experiences.
This document summarizes the high costs of lacking IT processes. It states that the average Fortune 500 company loses the equivalent of $261 million per year due to a lack of IT processes. Some key costs highlighted include $3.75 million annually spent on help desk calls to fix self-inflicted IT issues, 25% of annual IT budgets wasted on unused hardware and software, and $72 billion annually lost to failed and over-budget IT projects. The document argues that instituting proper IT processes could help recoup these substantial losses and better align IT with business goals.
This document summarizes best practices for budgeting in IT based on the ITIL framework. It recommends starting with a clean analysis of current IT costs and requirements before using corporate budget templates. Understanding drivers of IT costs and getting input from capacity management helps determine needs. Costs are broken into categories and prices obtained from vendors. The resulting budget model allows for changes over the budget year to facilitate accounting comparisons.
This package contains 65 make-up product market analyses from the following countries: Armenia, Australia, Austria, Azerbaijan, Belgium, Bulgaria, Canada, Chile, China, Colombia, Czech Republic, Denmark, Ecuador, Eritrea, Estonia, Ethiopia, Finland, France, Georgia, Germany, Ghana, Greece, Hungary, India, Indonesia, Iran, Ireland, Italy, Japan, Jordan, Kazakhstan, Kyrgyzstan, Latvia, Lithuania, Macedonia, Malaysia, Mexico, Moldova, Morocco, Netherlands, Nigeria, Norway, Oman, Pakistan, Panama, Peru, Poland, Portugal, Qatar, Romania, Russia, Sierra Leone, Singapore, Slovakia, Slovenia, South Korea, Spain, Sri Lanka, Sweden, Thailand, Turkey, Ukraine, United Kingdom, United States and Uruguay.
Comparison of Project Management in IT Service versus Product Development, by Dr. Amarjeet Shan
The document compares IT project management in IT service delivery versus product development. In IT service delivery, projects focus on clearly defining the service, customers, delivery parameters, and benchmarks to ensure service level agreements are met. In contrast, IT product development requires understanding target customers, selecting development lifecycles, defining the product utilization and lifecycle, and creating supporting ecosystems to provide a complete user experience. While both require defining requirements, IT service delivery emphasizes consistent delivery while product development focuses on building usable, reliable, and valuable products within an ecosystem.
This document summarizes an optical industry database report. It provides rankings of all major optical retailers by country based on turnover. It also includes profiles for each retailer with key data. Customers can purchase a one-year subscription to access the online system and rankings. The report contains rankings per country, individual retailer profiles, and is updated annually.
This document is a reprint of an ITSM Solutions newsletter about implementing ITIL best practices for capacity management. The newsletter provides a practical 7-step approach to capacity management using existing tools and resources. The steps include identifying vital business functions, the supporting IT services and infrastructure, creating a workload catalog, monitoring utilization, maintaining a capacity database, producing a capacity plan, and raising requests for changes. Following these steps can help organizations answer key capacity questions and gain benefits with minimal investment.
This Module is Specially Designed for getting GSTR2 Mismatch Alert via Email or SMS Directly from Tally.ERP9.
For Enquiry :
Mail on : info@cbditsolutions.com
Contact on : 8433714999 , 8433718999 , 9167841999
Visit Us at - http://www.getmyerp.com
Ecube is a web based platform for managing the Membership Management Solution which includes Invoice, Accounts, Service Package Subscription and Corporate Member Management of your club
This document summarizes how a large city government saved over $2.76 million in one year through ITIL best practices using an IT service management tool focusing on configuration management database (CMDB) capabilities. Specifically, the tool helped optimize vendor management, identifying $10,000 per month in rebates and cost reductions, and optimize bandwidth utilization, finding underutilized network circuits to eliminate and save $180,000 per month ongoing. The tool supported ITIL processes to improve capacity and availability management through visibility into infrastructure performance and utilization.
This document discusses business analysis (BA) training and certifications that would be beneficial for an IT service management (ITSM) organization adopting ITIL best practices. It outlines five key questions: 1) what is business analysis, 2) what BA training and certifications should an ITSM organization pursue, 3) what options are available to take the CBAP certification exam, 4) what ITSM roles and responsibilities can be assumed with BA training and certifications, and 5) why BA training and certification can improve chances for jobs or promotions. The Certified Business Analysis Professional (CBAP) designation from the International Institute of Business Analysis is recommended.
Summary
Cbeyond, Inc. (Cbeyond) provides Voice over Internet Protocol (VoIP)-based managed services primarily to small businesses. The company is engaged in offering integrated data and voice service packages on an IP platform. The company's service offerings include long distance and local voice services, mobile data and voice, broadband Internet access, voicemail, email, web hosting, file sharing and securing, virtual private network, and a host of other services. It is focused on offering advanced communication tools to small business enterprises at nominal prices. The company has its presence mainly in select metropolitan cities of the US. The company is headquartered in Atlanta, Georgia, the US.
Global Markets Direct's Cbeyond, Inc. - Financial Analysis Review is an in-depth business and financial analysis of Cbeyond, Inc. The report provides a comprehensive insight into the company, including business structure and operations, executive biographies and key competitors. The hallmark of the report is the detailed financial ratios of the company.
Scope
- Provides key company information for business intelligence needs. The report contains critical company information: business structure and operations, the company history, major products and services, key competitors, key employees and executive biographies, different locations and important subsidiaries.
- The report provides detailed financial ratios for the past five years as well as interim ratios for the last four quarters.
- Financial ratios include profitability, margins and returns, liquidity and leverage, financial position and efficiency ratios.
Reasons to buy
- A quick 'one-stop-shop' to understand the company.
- Enhance business/sales activities by understanding customers' businesses better.
- Get detailed information and financial analysis on companies operating in your industry.
- Identify prospective partners and suppliers, with key data on their businesses and locations.
- Compare your company's financial trends with those of your peers / competitors.
- Scout for potential acquisition targets, with detailed insight into the companies' financial and operational performance.
Keywords
Cbeyond, Inc., Financial Ratios, Annual Ratios, Interim Ratios, Ratio Charts, Key Ratios, Share Data, Performance, Financial Performance, Overview, Business Description, Major Product, Brands, History, Key Employees, Strategy, Competitors, Company Statement
E-Business Suite Organizations Spend As Much As 19 Million Annually on Financ..., by eprentise
A few years ago, we conducted a survey among 264 Oracle Applications users in order to get a better idea of how businesses that use Oracle were financially structured, whether they had attempted a restructure in the past, and if so, the reasons, problems, and costs associated with fundamentally changing the underlying financial structure.
View the original Blog post: http://www.eprentise.com/blog/return-on-investment-analysis/e-business-suite-organizations-spend-as-much-as-19-million-annually-on-finance-operations/
Website: www.eprentise.com
Twitter: @eprentise
Google+: https://plus.google.com/u/0/+Eprentise/posts
Facebook: https://www.facebook.com/eprentise
Ensure your data is Complete, Consistent, and Correct by using eprentise software to transform your Oracle® E-Business Suite.
TechSoup Canada is a collaboration between TechSoup Global, the Centre for Social Innovation, and the Information Technology Association of Canada that provides resources like a learning center, newsletter, blog, and webinars to help non-profits get discounted or donated software. They have over 25 donor partners that provide over 300 products like Norton Anti-Virus, Microsoft Office, and Adobe Creative Suite at low administrative fees. To qualify for donations, an organization must be a registered Canadian charity or nonprofit with an annual budget under $5 million and not advocate discrimination. The process involves reviewing donor guidelines, adding eligible items to a cart, and receiving volume license keys by email after approval.
This document provides guidance for creating an effective patch management program for industrial control systems. It recommends establishing several key plans: a configuration management plan to track systems and software; a patch management plan to evaluate vulnerabilities and deploy patches; a backup/archive plan to preserve system states; a patch testing plan to validate patches; an incident response plan to address vulnerabilities; and a disaster recovery plan in case patches fail. When these plans are integrated and their resources leveraged together, they provide a robust approach to patch management that balances security, reliability and operational needs.
The Medicaid Information Technology Architecture (MITA) is both an initiative and framework developed by CMS to promote improvements in Medicaid systems and processes. As an initiative, MITA provides a plan for collaboration between CMS and states. As a framework, MITA offers models, guidelines and principles for states to implement enterprise solutions. The goal of MITA is to change how states design, build and modify Medicaid systems and perform IT planning according to national guidelines. The MITA framework consists of a business architecture, information architecture and technical architecture. The business architecture describes business needs, goals and processes. The information architecture identifies Medicaid data and provides models and strategies for data management. The technical architecture provides guidance on technologies, tools and standards for implementing MITA.
Taimur Ansar Sheikh is an Information Systems Auditor and Data Analytics professional currently working as an Assistant Vice President at the National Bank of Pakistan. He has over 15 years of experience in conducting IT audits, risk assessments, and developing audit reporting and analytics tools. Some of his responsibilities include performing risk ratings of branches and applications, evaluating internal controls, and conducting off-site reviews of branches through data analysis. He is certified in various information security and audit standards and has expertise in databases, data analytics, and developing customized audit and reporting systems using business intelligence techniques.
This document summarizes an article from the DITY Newsletter about justifying ITIL implementation. It discusses how IT departments often do not communicate their value to the business, resulting in decisions based primarily on cost. The article then provides examples of how ITIL can help "do more, with more, for less" by increasing efficiency and productivity rather than just cutting costs. Specific areas where ITIL can generate rapid ROI, such as in vendor management savings, bandwidth management savings, and asset management savings, are highlighted.
Page 1 of 4 Bullzeye Data Breach Readiness Assessment .docxalfred4lewis58146
Page 1 of 4
Bullzeye Data Breach Readiness Assessment
IIA Case Study
Bullzeye is a discount retailer offering a wide range of products, including: home goods, clothing, toys,
and food. The company is a regional retailer with 10 brick-and-mortar stores as well as a popular online
store. Due to the recent credit card data breaches of various prominent national retail companies (e.g.,
Target, Home Depot, Staples), the Bullzeye Board of Directors has taken particular interest in information
security, especially as it pertains to the protection of credit cardholder data within the Bullzeye
environment. The Board has asked executive management to evaluate and strengthen the enterprise’s
information security infrastructure, where needed.
In order to respond to the Board regarding their preparedness for a cyber-security attack, the Chief
Financial Officer (CFO) has engaged your IT consulting firm to identify the inherent risks and
recommend control remediation strategies to prevent or to detect and appropriately respond to data
breaches. Your firm has been requested to liaison with the Internal Audit Department during the
engagement. Your first step is to gain an understanding of Bullzeye’s IT environment. The Chief Audit
Executive (CAE) schedules a meeting with key Bullzeye leadership personnel, including the CFO, Chief
Information Officer (CIO), and Chief Information Security Officer (CISO). The following key
information was obtained.
Background
IT Security Framework/Policy - Bullzeye has an information security policy, which was developed by the
CISO. The policy was developed in response to an internal audit conducted by an external firm hired by
the CAE. The policy is not based on one specific IT control framework but considers elements contained
within several frameworks. An information security committee has been recently formed to discuss new
security risks and to develop mitigation strategies. The committee will meet monthly and include the
CISO and other key IT Directors reporting to the CIO. In addition, a training program was implemented
last year to provide education on information security topics (e.g., social engineering and
malware). The program requires that all staff within the IT department complete an annual
information security training webinar and corresponding quiz. The training program is complemented by
a monthly e-mail sent to IT staff, which highlights relevant information security topics.
General IT Environment - Most employees in the corporate office are assigned a standard desktop
computer, although certain management personnel in the corporate and retail locations are issued a laptop
if they can demonstrate their need to work remotely. The laptops are given a standard Microsoft Windows
operating system image, which includes anti-malware/anti-virus software and patch update software
among others. In addition, new laptops are .
This document summarizes an article from the DITY Newsletter about Component Failure Impact Analysis (CFIA). CFIA identifies components that could cause an outage, lack backups, and evaluates failure risk. It helps justify investments and assists with creating and maintaining the Configuration Management Database. The summary outlines a 3-step process for conducting CFIA: 1) select a service and list components, 2) create a matrix of components and services to identify failures and backups, 3) examine failures and backups to identify single points of failure and propose design changes or redundancy.
How New Customer Experience Technology Can Generate Massive ROI (Aggregage)
The webinar discussed how new customer experience technologies can generate massive returns on investment (ROI) for financial institutions. A panel of executives from banks and credit unions discussed how customer expectations have changed since the pandemic to demand more digital and omnichannel services. Measuring engagement through benchmark data is key to calculating the ROI of new technologies. The panel shared how technologies have helped solidify customer loyalty by increasing engagement. Tips included leading change by communicating the business case for digital transformation and creating seamless omnichannel experiences.
This document summarizes the high costs of lacking IT processes. It states that the average Fortune 500 company loses the equivalent of $261 million per year due to a lack of IT processes. Some key costs highlighted include $3.75 million annually spent on help desk calls to fix self-inflicted IT issues, 25% of annual IT budgets wasted on unused hardware and software, and $72 billion annually lost to failed and over-budget IT projects. The document argues that instituting proper IT processes could help recoup these substantial losses and better align IT with business goals.
This document summarizes best practices for budgeting in IT based on the ITIL framework. It recommends starting with a clean analysis of current IT costs and requirements before using corporate budget templates. Understanding drivers of IT costs and getting input from capacity management helps determine needs. Costs are broken into categories and prices obtained from vendors. The resulting budget model allows for changes over the budget year to facilitate accounting comparisons.
This package contains 65 make-up product market analyses from the following countries: Armenia, Australia, Austria, Azerbaijan, Belgium, Bulgaria, Canada, Chile, China, Colombia, Czech Republic, Denmark, Ecuador, Eritrea, Estonia, Ethiopia, Finland, France, Georgia, Germany, Ghana, Greece, Hungary, India, Indonesia, Iran, Ireland, Italy, Japan, Jordan, Kazakhstan, Kyrgyzstan, Latvia, Lithuania, Macedonia, Malaysia, Mexico, Moldova, Morocco, Netherlands, Nigeria, Norway, Oman, Pakistan, Panama, Peru, Poland, Portugal, Qatar, Romania, Russia, Sierra Leone, Singapore, Slovakia, Slovenia, South Korea, Spain, Sri Lanka, Sweden, Thailand, Turkey, Ukraine, United Kingdom, United States and Uruguay.
Comparison of Project Management in IT Service versus Product Development (Dr. Amarjeet Shan)
The document compares IT project management in IT service delivery versus product development. In IT service delivery, projects focus on clearly defining the service, customers, delivery parameters, and benchmarks to ensure service level agreements are met. In contrast, IT product development requires understanding target customers, selecting development lifecycles, defining the product utilization and lifecycle, and creating supporting ecosystems to provide a complete user experience. While both require defining requirements, IT service delivery emphasizes consistent delivery while product development focuses on building usable, reliable, and valuable products within an ecosystem.
This document summarizes an optical industry database report. It provides rankings of all major optical retailers by country based on turnover. It also includes profiles for each retailer with key data. Customers can purchase a one-year subscription to access the online system and rankings. The report contains rankings per country, individual retailer profiles, and is updated annually.
This document is a reprint of an ITSM Solutions newsletter about implementing ITIL best practices for capacity management. The newsletter provides a practical 7-step approach to capacity management using existing tools and resources. The steps include identifying vital business functions, the supporting IT services and infrastructure, creating a workload catalog, monitoring utilization, maintaining a capacity database, producing a capacity plan, and raising requests for changes. Following these steps can help organizations answer key capacity questions and gain benefits with minimal investment.
This Module is Specially Designed for getting GSTR2 Mismatch Alert via Email or SMS Directly from Tally.ERP9.
For Enquiry :
Mail on : info@cbditsolutions.com
Contact on : 8433714999 , 8433718999 , 9167841999
Visit Us at - http://www.getmyerp.com
Ecube is a web based platform for managing the Membership Management Solution which includes Invoice, Accounts, Service Package Subscription and Corporate Member Management of your club
This document summarizes how a large city government saved over $2.76 million in one year through ITIL best practices using an IT service management tool focusing on configuration management database (CMDB) capabilities. Specifically, the tool helped optimize vendor management, identifying $10,000 per month in rebates and cost reductions, and optimize bandwidth utilization, finding underutilized network circuits to eliminate and save $180,000 per month ongoing. The tool supported ITIL processes to improve capacity and availability management through visibility into infrastructure performance and utilization.
This document discusses business analysis (BA) training and certifications that would be beneficial for an IT service management (ITSM) organization adopting ITIL best practices. It outlines five key questions: 1) what is business analysis, 2) what BA training and certifications should an ITSM organization pursue, 3) what options are available to take the CBAP certification exam, 4) what ITSM roles and responsibilities can be assumed with BA training and certifications, and 5) why BA training and certification can improve chances for jobs or promotions. The Certified Business Analysis Professional (CBAP) designation from the International Institute of Business Analysis is recommended.
Summary: Cbeyond, Inc. (Cbeyond) provides Voice over Internet Protocol (VoIP)-based managed services primarily to small businesses. The company is engaged in offering integrated data and voice service packages on an IP platform. The company's service offerings include long distance and local voice services, mobile data and voice, broadband Internet access, voicemail, email, web hosting, file sharing and securing, virtual private network, and a host of other services. It is focused on offering advanced communication tools to small business enterprises at nominal prices. The company has its presence mainly in select metropolitan cities of the US. The company is headquartered in Atlanta, Georgia, US.
Global Markets Direct's Cbeyond, Inc. - Financial Analysis Review is an in-depth business and financial analysis of Cbeyond, Inc. The report provides a comprehensive insight into the company, including business structure and operations, executive biographies and key competitors. The hallmark of the report is the detailed financial ratios of the company.
Scope:
- Provides key company information for business intelligence needs. The report contains critical company information: business structure and operations, the company history, major products and services, key competitors, key employees and executive biographies, different locations and important subsidiaries.
- The report provides detailed financial ratios for the past five years as well as interim ratios for the last four quarters.
- Financial ratios include profitability, margins and returns, liquidity and leverage, financial position and efficiency ratios.
Reasons to buy:
- A quick 'one-stop-shop' to understand the company.
- Enhance business/sales activities by understanding customers' businesses better.
- Get detailed information and financial analysis on companies operating in your industry.
- Identify prospective partners and suppliers, with key data on their businesses and locations.
- Compare your company's financial trends with those of your peers / competitors.
- Scout for potential acquisition targets, with detailed insight into the companies' financial and operational performance.
Keywords: Cbeyond, Inc., Financial Ratios, Annual Ratios, Interim Ratios, Ratio Charts, Key Ratios, Share Data, Performance, Financial Performance, Overview, Business Description, Major Product, Brands, History, Key Employees, Strategy, Competitors, Company Statement
E-Business Suite Organizations Spend As Much As 19 Million Annually on Financ... (eprentise)
A few years ago, we conducted a survey among 264 Oracle Applications users in order to get a better idea of how businesses that use Oracle were financially structured, whether they had attempted a restructure in the past, and if so, the reasons, problems, and costs associated with fundamentally changing the underlying financial structure.
View the original Blog post: http://www.eprentise.com/blog/return-on-investment-analysis/e-business-suite-organizations-spend-as-much-as-19-million-annually-on-finance-operations/
Website: www.eprentise.com
Twitter: @eprentise
Google+: https://plus.google.com/u/0/+Eprentise/posts
Facebook: https://www.facebook.com/eprentise
Ensure your data is Complete, Consistent, and Correct by using eprentise software to transform your Oracle® E-Business Suite.
TechSoup Canada is a collaboration between TechSoup Global, the Centre for Social Innovation, and the Information Technology Association of Canada that provides resources like a learning center, newsletter, blog, and webinars to help non-profits get discounted or donated software. They have over 25 donor partners that provide over 300 products like Norton Anti-Virus, Microsoft Office, and Adobe Creative Suite at low administrative fees. To qualify for donations, an organization must be a registered Canadian charity or nonprofit with an annual budget under $5 million and not advocate discrimination. The process involves reviewing donor guidelines, adding eligible items to a cart, and receiving volume license keys by email after approval.
This document provides guidance for creating an effective patch management program for industrial control systems. It recommends establishing several key plans: a configuration management plan to track systems and software; a patch management plan to evaluate vulnerabilities and deploy patches; a backup/archive plan to preserve system states; a patch testing plan to validate patches; an incident response plan to address vulnerabilities; and a disaster recovery plan in case patches fail. When these plans are integrated and their resources leveraged together, they provide a robust approach to patch management that balances security, reliability and operational needs.
The Medicaid Information Technology Architecture (MITA) is both an initiative and framework developed by CMS to promote improvements in Medicaid systems and processes. As an initiative, MITA provides a plan for collaboration between CMS and states. As a framework, MITA offers models, guidelines and principles for states to implement enterprise solutions. The goal of MITA is to change how states design, build and modify Medicaid systems and perform IT planning according to national guidelines. The MITA framework consists of a business architecture, information architecture and technical architecture. The business architecture describes business needs, goals and processes. The information architecture identifies Medicaid data and provides models and strategies for data management. The technical architecture provides guidance on technologies, tools and standards for implementing MITA.
States are working to apply healthcare information technology (HIT) within their Medicaid programs to improve efficiency and reduce costs. Through initiatives like the Medicaid Transformation Grants and the Medicaid Information Technology Architecture (MITA) framework, states are using HIT to enhance clinical decision making, expand e-prescribing, and provide electronic health records for Medicaid beneficiaries. Going forward, organizations like the National Association of State Medicaid Directors and the State Alliance for e-Health continue to support greater adoption of HIT within Medicaid.
Facets Overview and Navigation User Guide.pdf (wardell henley)
This document provides an overview and introduction to the Facets managed healthcare system. It begins with the lesson objectives, which include being introduced to Facets navigation, applications, and how to use the system. It then provides a high-level overview of Facets, explaining what it is, why Sierra Health Services implemented it, and an overview of the implementation process. The majority of the document introduces and describes the main Facets application groups and their related applications. These include accounting, billing, claims processing, customer service, and other groups. It concludes by explaining how to open and close Facets, explore the product navigation window, and change passwords.
This document provides guidance for contractors on conducting self-inspections of their security programs as required by the National Industrial Security Program Operating Manual (NISPOM). It outlines a three-step self-inspection process of pre-inspection, inspection, and post-inspection. The pre-inspection involves planning, while the inspection involves reviewing security practices against a checklist. Areas to check include classified storage, training, visits, and more. The post-inspection involves reporting findings, taking corrective actions, and briefing management. Interview techniques are also provided to verify security compliance with employees. The goal is for contractors to regularly inspect and improve their security programs.
The document provides guidance on Change Advisory Board (CAB) meetings in ITIL. It outlines that the Change Manager chairs CAB meetings to review pending changes and authorize or reject them. The CAB considers each change's risks, impacts, and resources required. It documents any issues, recommendations, and authorizations. Changes that the CAB cannot decide on may be escalated to higher levels for a final determination.
Boston Financial's Information Security Program is committed to ensuring customer data is protected from unauthorized access through a layered security approach. The program employs risk assessment, security policies and standards, awareness training, and a dedicated security team led by a Chief Information Security Officer to prevent breaches and adhere to industry best practices and compliance standards. The scope of the program encompasses security administration, technology infrastructure, and policy management to consistently monitor threats and protect customer information.
This document discusses Good Manufacturing Practices (GMP) for pharmaceuticals. It introduces GMP, explaining that GMP ensures pharmaceutical products are consistently manufactured and controlled to quality standards for their intended use. It also discusses the relationships between quality assurance (QA), GMP, and quality control (QC), noting that QA oversees the whole system, GMP ensures consistent manufacturing quality, and QC tests samples to ensure quality. Finally, it provides an overview of key aspects of GMP, including facilities, equipment, packaging, and documentation.
This document is a checklist and certification for information security program requirements for an RFP or contract. It requires identification of the type of information involved, applicable security categories and position sensitivity designations. It also requires certification by a Project Officer and Information Systems Security Officer that appropriate security requirements are specified to protect government interests in compliance with federal standards.
The document outlines the basic components of an information security program for mortgage industry professionals. It discusses 13 first priority cybersecurity practices like managing risk, protecting systems from malware, patching systems, and training employees. It also discusses 10 second priority practices such as encrypting sensitive data, third party risk management, and disaster recovery planning. The document is intended to provide a succinct overview of security risks and basic practices to help small and medium businesses manage those risks.
Best practices for_implementing_security_awareness_training (wardell henley)
- Security professionals are most concerned about data breaches, phishing, spearphishing, and ransomware attacks. These threats can be addressed through effective security awareness training.
- The vast majority of surveyed organizations had experienced security incidents like phishing attacks delivering malware, targeted email attacks, or data breaches in the past year.
- Over 90% of organizations report that phishing and spearphishing attempts reaching end users have increased or stayed the same over the past 12 months, indicating ongoing threats.
DMARC requires alignment between the authentication domain from SPF or DKIM and the From header domain. SPF authenticates the MAIL FROM or EHLO domain, while DKIM authenticates the domain in the d= tag. Alignment can be strict, requiring an exact match, or relaxed, allowing subdomains. DMARC policies use tags to specify whether strict or relaxed alignment is needed for SPF (aspf) or DKIM (adkim) to pass DMARC verification. Alignment helps validate the authenticity of the From header by linking it to the authenticated domains.
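The alignment rules summarized above, worked through in code. This is an added example, not code from the summarized document: a small evaluator that takes already-computed SPF and DKIM results (the DNS lookups and signature checks are assumed to have happened elsewhere), reads the aspf/adkim tags from a DMARC record, and decides whether any passing identifier aligns with the From header domain. PUBLIC_SUFFIXES is a constructed, deliberately tiny stand-in for the Public Suffix List that a real verifier would load in full; the domains and records in the sample run are constructed.

```python
"""DMARC identifier alignment check (added example, not from the summarized document)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed stand-in for the Public Suffix List (assumption); a real verifier loads the full list.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "org.uk"}


def organizational_domain(domain: str) -> str:
    """Return the registrable (organizational) domain: the public suffix plus one more label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels)  # no known suffix: treat the whole name as organizational


def aligned(authenticated_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: 's' needs an exact match, 'r' needs the same organizational domain."""
    auth = authenticated_domain.lower().rstrip(".")
    hdr = from_domain.lower().rstrip(".")
    if mode == "s":
        return auth == hdr
    if mode == "r":
        return organizational_domain(auth) == organizational_domain(hdr)
    raise ValueError(f"unknown alignment mode {mode!r}")


def parse_dmarc_record(record: str) -> Dict[str, str]:
    """Parse 'v=DMARC1; p=reject; aspf=s' into a tag dict (unknown tags are kept as-is)."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    return tags


@dataclass
class AuthResult:
    """Outcome of one SPF or DKIM check: the domain it authenticated and whether it passed.

    For SPF the domain is the MAIL FROM domain (or EHLO when MAIL FROM is empty);
    for DKIM it is the d= tag of the signature that verified.
    """
    domain: str
    passed: bool


def dmarc_evaluate(from_domain: str, record: str,
                   spf: Optional[AuthResult], dkim: List[AuthResult]) -> Dict[str, object]:
    """DMARC passes when at least one passing identifier aligns with the From header domain."""
    tags = parse_dmarc_record(record)
    aspf = tags.get("aspf", "r")    # relaxed alignment is the default for both tags
    adkim = tags.get("adkim", "r")
    spf_aligned = bool(spf and spf.passed and aligned(spf.domain, from_domain, aspf))
    dkim_aligned = any(r.passed and aligned(r.domain, from_domain, adkim) for r in dkim)
    return {
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc_pass": spf_aligned or dkim_aligned,
        "policy": tags.get("p", "none"),
    }


if __name__ == "__main__":
    record = "v=DMARC1; p=reject; adkim=s; aspf=r"   # constructed policy record
    # Legitimate mail: bounce address on a subdomain (relaxed SPF passes), DKIM d= exactly the From domain.
    print(dmarc_evaluate("example.com", record,
                         AuthResult("bounce.example.com", True),
                         [AuthResult("example.com", True)]))
    # Spoof: SPF and DKIM both pass, but only for the attacker's own domain, so nothing aligns.
    print(dmarc_evaluate("example.com", record,
                         AuthResult("attacker.net", True),
                         [AuthResult("attacker.net", True)]))
```

The second sample run is the case the summary's last sentence is about: a sender can arrange for SPF and DKIM to pass for a domain it controls, so a raw "pass" proves nothing about the From header; only alignment ties the authenticated identifier to the domain the recipient actually sees.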
This document discusses security considerations for service-oriented architectures (SOA) and on-demand environments. It describes several subsystems that are important for a comprehensive security management architecture (MASS), including access control, identity and credential management, information flow control, security auditing, and solution integrity. Technologies that can be used to implement each subsystem are also outlined, such as directories, firewalls, encryption, and systems management solutions. The document stresses that security requires an integrated approach across all of these areas.
This chapter discusses security architecture and models, including computer organization, distributed systems, protection mechanisms, formal security models like Bell-LaPadula and Biba integrity models. It covers topics like certification and accreditation processes to establish security requirements are met. Evaluation criteria for security classifications from class D to class A are also mentioned to assess security assurance levels.
This document outlines an enterprise security architecture seminar. It introduces security architecture and the SABSA framework. SABSA is a step-by-step approach that involves identifying business drivers, attributes, threats, control objectives, and security services. A worked example is provided that protects customer information. The seminar covers developing a contextual and conceptual security understanding, logical security architecture components, and deliverables including control frameworks.
This document discusses security architecture and models, including differences between commercial and government security requirements. It covers security evaluation criteria, security practices for the Internet, technical platforms in terms of hardware/software, and system security techniques like preventative, detective and corrective controls. The document also describes the layered approach to security architecture.
This document provides a checklist for securing a Splunk software installation, including setting up authenticated users and managing access, using certificates to encrypt communications, hardening Splunk instances, setting consistent passwords across servers, securing service accounts, auditing the system regularly to monitor access and activities, and monitoring files and directories.
The document provides best practices for using the Splunk App for Windows Infrastructure, including synchronizing clocks, configuring Active Directory monitoring, limiting baseline data collection, and disabling SID translation to reduce domain controller resource usage. Specific configuration changes are recommended in the Splunk_TA_microsoft_ad and Splunk_TA_Windows add-ons to implement these practices.
This document provides an overview of Enterprise Content Management (ECM) and discusses how ECM solutions can be supported by various storage technologies and solutions. It begins with introductions to ECM and storage concepts for specialists in the opposite fields. It then discusses business drivers for ECM and provides a reference architecture for matching ECM requirements to appropriate storage strategies. The reference architecture addresses requirements for security, integrity, retention, availability and cost, among others. It also covers storage considerations for availability, backup/recovery, business continuity and capacity planning.
Oracle Services Procurement allows organizations to better manage services spending. It enables defining complex payment terms for services contracts, tracking project progress and payments, and ensuring compliance. The software also enforces the use of preferred suppliers through requisition processes and rate cards. This improves visibility and oversight of an organization's services spending.
1. The IT Governance Institute® is pleased to offer
you this complimentary download of COBIT®.
COBIT provides good practices for the management of IT processes in a manageable and logical structure,
meeting the multiple needs of enterprise management by bridging the gaps between business risks, technical
issues, control needs and performance measurement requirements. If you believe as we do, that COBIT enables
the development of clear policy and good practices for IT control throughout your organisation, we invite you to
support ongoing COBIT research and development.
There are two ways in which you may express your support: (1) Purchase COBIT through the association
(ISACA) Bookstore (please see the following pages for order form and association membership application.
Association members are able to purchase COBIT at a significant discount); (2) Make a generous donation to
the IT Governance Institute, which conducts research and authors COBIT.
The complete COBIT package consists of all six publications, an ASCII text diskette, four COBIT implementation/
orientation Microsoft® PowerPoint® presentations and a CD-ROM. A brief overview of each component is
provided below. Thank you for your interest in and support of COBIT!
For additional information about the IT Governance Institute, visit www.itgi.org.
Management Guidelines
To ensure a successful enterprise, you must effectively manage the union between business processes and information systems. The new Management Guidelines is composed of maturity models, critical success factors, key goal indicators and key performance indicators. These Management Guidelines will help answer the questions of immediate concern to all those who have a stake in enterprise success.

Executive Summary
Sound business decisions are based on timely, relevant and concise information. Specifically designed for time-pressed senior executives and managers, the COBIT Executive Summary explains COBIT's key concepts and principles.

Framework
A successful organization is built on a solid framework of data and information. The Framework explains how IT processes deliver the information that the business needs to achieve its objectives. This delivery is controlled through 34 high-level control objectives, one for each IT process, contained in the four domains. The Framework identifies which of the seven information criteria (effectiveness, efficiency, confidentiality, integrity, availability, compliance and reliability), as well as which IT resources (people, applications, technology, facilities and data), are important for the IT processes to fully support the business objective.

Audit Guidelines
Analyze, assess, interpret, react, implement. To achieve your desired goals and objectives you must constantly and consistently audit your procedures. Audit Guidelines outlines and suggests actual activities to be performed corresponding to each of the 34 high-level IT control objectives, while substantiating the risk of control objectives not being met.

Control Objectives
The key to maintaining profitability in a technologically changing environment is how well you maintain control. COBIT's Control Objectives provides the critical insight needed to delineate a clear policy and good practice for IT controls. Included are the statements of desired results or purposes to be achieved by implementing the 318 specific, detailed control objectives throughout the 34 high-level control objectives.

Implementation Tool Set
The Implementation Tool Set contains management awareness and IT control diagnostics, an implementation guide, frequently asked questions, case studies from organizations currently using COBIT and slide presentations that can be used to introduce COBIT into organizations. The tool set is designed to facilitate the implementation of COBIT, relate lessons learned from organizations that quickly and successfully applied COBIT in their work environments and assist management in choosing implementation options.

CD-ROM
The CD-ROM, which contains all of COBIT, is published as a Folio infobase. The material is accessed using Folio Views®, which is a high-performance information retrieval software tool. Access to COBIT's text and graphics is now easier than ever, with flexible keyword searching and built-in index links (optional purchase).

A network version (multi-user) of COBIT 3rd Edition is available. It is compatible with Microsoft Windows NT/2000 and Novell NetWare environments. Contact the ISACA Bookstore for pricing and availability.

See order form, donation information and membership application on the following pages.
We invite your comments and suggestions regarding COBIT. Please visit www.isaca.org/cobitinput.
2. ITGI Contribution Form
Contributor: ______________________________________________
Address: _________________________________________________
________________________________________________________
City _________________________ State/Province ________________
Zip/Postal Code ________________ Country ____________________
Remitted by: _____________________________________________
Phone: __________________________________________________
E-mail: __________________________________________________
For information on the institute and contribution benefits see www.itgi.org

Contribution amount (US $): $25 (donor) / $100 (Silver) / $250 (Gold) / $500 (Platinum) / Other US $_______
Check enclosed payable in US dollars to ITGI
Charge my: VISA / MasterCard / American Express / Diners Club
Card number ____________________________ Exp. Date _________
Name of cardholder: _______________________________________
Signature of cardholder: ____________________________________
Complete card billing address if different from the address above:
________________________________________________________
________________________________________________________
________________________________________________________
U.S. Tax ID number: 95-3080691

Fax your credit card contribution to ITGI at +1.847.253.1443, or mail your contribution to:
ITGI, 135 S. LaSalle Street, Department 1055, Chicago, IL 60674-1055 USA
Direct any questions to Scott Artman at +1.847.253.1545, ext. 459, or finance@isaca.org.
Thank you for supporting COBIT!
Recent ITGI Research Projects
Security Provisioning: Managing Access in Extended Enterprises, ISSP (Member $20 / Nonmember $30)
Public Key Infrastructure: Good Practices for Secure Communications, TRS-2 (Member $35 / Nonmember $50)
e-Commerce Security: Securing the Network Perimeter, TRS-3 (Member $35 / Nonmember $50)
Risks of Customer Relationship Management: A Security, Control and Audit Approach, ISCR (Member $75 / Nonmember $85)
e-Commerce Security: Business Continuity Planning, IBCP (Member $35 / Nonmember $50)
For additional information on these publications and others offered through the Bookstore, please visit www.isaca.org/bookstore.
4. Please complete both sides
U.S. Federal I.D. No. 23-7067291
www.isaca.org
MEMBERSHIP APPLICATION membership@isaca.org
□ MR. □ MS. □ MRS. □ MISS □ OTHER _______________ Date ____________________________
MONTH/DAY/YEAR
Name_______________________________________________________________________________________________________
FIRST MIDDLE LAST/FAMILY
____________________________________________________________________________________________________________
PRINT NAME AS YOU WANT IT TO APPEAR ON MEMBERSHIP CERTIFICATE
Residence address ____________________________________________________________________________________________
STREET
____________________________________________________________________________________________
CITY STATE/PROVINCE/COUNTRY POSTAL CODE/ZIP
Residence phone _____________________________________ Residence facsimile ____________________________________
AREA/COUNTRY CODE AND NUMBER AREA/COUNTRY CODE AND NUMBER
Company name ____________________________________________________________________________________________
Business address ____________________________________________________________________________________________
STREET
____________________________________________________________________________________________
CITY STATE/PROVINCE/COUNTRY POSTAL CODE/ZIP
Business phone _____________________________________ Business facsimile _____________________________________
AREA/COUNTRY CODE AND NUMBER AREA/COUNTRY CODE AND NUMBER
E-mail ________________________________________________________
Send mail to: □ Home □ Business
Form of Membership requested: □ Chapter Number (see reverse) ________________ □ Member at large (no chapter within 50 miles/80 km) □ Student (must be verified as full-time) □ Retired (no longer seeking employment)
□ I do not want to be included on a mailing list, other than that for Association mailings.
How did you hear about ISACA? 1 □ Friend/Coworker 2 □ Employer 3 □ Internet Search 4 □ IS Control Journal 5 □ Other Publication 6 □ Local Chapter 7 □ CISA Program 8 □ Direct Mail 9 □ Educational Event
Current field of employment (check one): 1 □ Financial 2 □ Banking 3 □ Insurance 4 □ Transportation 5 □ Retail & Wholesale 6 □ Government/National 7 □ Government/State/Local 8 □ Consulting 9 □ Education/Student 10 □ Education/Instructor 11 □ Public Accounting 12 □ Manufacturing 13 □ Mining/Construction/Petroleum 14 □ Utilities 15 □ Other Service Industry 16 □ Law 17 □ Health Care 99 □ Other ______________
Level of education achieved (indicate degree achieved, or number of years of university education if degree not obtained): 1 □ One year or less 2 □ Two years 3 □ Three years 4 □ Four years 5 □ Five years 6 □ Six years or more 7 □ AS 8 □ BS/BA 9 □ MS/MBA/Masters 10 □ Ph.D. 99 □ Other ______________
Work experience (check the number of years of Information Systems work experience): 1 □ No experience 2 □ 1-3 years 3 □ 4-7 years 4 □ 8-9 years 5 □ 10-13 years 6 □ 14 years or more
Current professional activity (check one): 1 □ CEO 2 □ CFO 3 □ CIO/IS Director 4 □ Audit Director/General Auditor 5 □ IS Security Director 6 □ IS Audit Manager 7 □ IS Security Manager 8 □ IS Manager 9 □ IS Auditor 10 □ External Audit Partner/Manager 11 □ External Auditor 12 □ Internal Auditor 13 □ IS Security Staff 14 □ IS Consultant 15 □ IS Vendor/Supplier 16 □ IS Educator/Student 99 □ Other ____________________________
Certifications obtained (other than CISA): 1 □ CISM 2 □ CPA 3 □ CA 4 □ CIA 5 □ CBA 6 □ CCP 7 □ CSP 8 □ FCA 9 □ CFE 10 □ MA 11 □ FCPA 12 □ CFSA 13 □ CISSP 99 □ Other __________
Date of Birth ________________________ (MONTH/DAY/YEAR)
Payment due
• Association dues ✝ $ 120.00 (US)
• Chapter dues (see following page) $ _____ (US)
• New member processing fee $ 30.00 (US)*
PLEASE PAY THIS TOTAL $ _____ (US)
✝ For student membership information please visit www.isaca.org/student
* Membership dues consist of association dues, chapter dues and new member processing fee.

Method of payment
□ Check payable in US dollars, drawn on US bank
□ Send invoice (Applications cannot be processed until dues payment is received.)
□ MasterCard □ VISA □ American Express □ Diners Club
All payments by credit card will be processed in US dollars
ACCT # ____________________________________________
Print name of cardholder _______________________________
Expiration date _______________________________________ (MONTH/YEAR)
Signature ___________________________________________
Cardholder billing address if different than address provided above:
___________________________________________________
___________________________________________________

By applying for membership in the Information Systems Audit and Control Association, members agree to hold the association and the IT Governance Institute, their officers, directors, agents, trustees, and employees and members, harmless for all acts or failures to act while carrying out the purpose of the association and the institute as set forth in their respective bylaws, and they certify that they will abide by the association’s Code of Professional Ethics (www.isaca.org/ethics).

Initial payment entitles new members to membership beginning the first day of the month following the date payment is received by International Headquarters through the end of that year. No rebate of dues is available upon early resignation of membership.

Contributions, dues or gifts to the Information Systems Audit and Control Association are not tax deductible as charitable contributions in the United States. However, they may be tax deductible as ordinary and necessary business expenses.

Membership dues allocated to a 1-year subscription to the IS Control Journal are as follows: $45 for US members, $60 for non-US members. This amount is not deductible from dues.

Make checks payable to: Information Systems Audit and Control Association
Mail your application and check to:
Information Systems Audit and Control Association
135 S. LaSalle, Dept. 1055
Chicago, IL 60674-1055 USA
Phone: +1.847.253.1545 x470
Fax: +1.847.253.1443
U.S. dollar amounts listed below are for local chapter dues. While correct at the time of printing, chapter dues are subject to change without notice. Please include the appropriate chapter dues amount with your remittance. For current chapter dues, or if the amount is not listed below, please visit the web site www.isaca.org/chapdues or contact your local chapter at www.isaca.org/chapters.

Each entry gives Chapter Name, Chapter Number and Chapter Dues.

ASIA
Hong Kong 64 $40
Bangalore, India 138 $15
Cochin, India 176 $10
Coimbatore, India 155 $10
Hyderabad, India 164 $17
Kolkata, India 165 ✳
Madras, India (Chennai) 99 $10
Mumbai, India 145 ✳
New Delhi, India 140 $10
Pune, India 159 $17
Indonesia 123 ✳
Nagoya, Japan 118 $130
Osaka, Japan 103 $10
Tokyo, Japan 89 $120
Korea 107 $30
Lebanon 181 $35
Malaysia 93 $10
Muscat, Oman 168 $40
Karachi, Pakistan 148 $15
Manila, Philippines 136 $0
Jeddah, Saudi Arabia 163 $0
Riyadh, Saudi Arabia 154 $0
Singapore 70 $10
Sri Lanka 141 $15
Taiwan 142 $50
Bangkok, Thailand 109 $10
UAE 150 $10

CENTRAL/SOUTH AMERICA
Buenos Aires, Argentina 124 $35
Mendoza, Argentina 144 ✳
São Paulo, Brazil 166 $25
LaPaz, Bolivia 173 $25
Santiago de Chile 135 $40
Bogotá, Colombia 126 $50
San José, Costa Rica 31 $33
Quito, Ecuador 179 $15
Mérida, Yucatán, México 101 $50
Mexico City, México 14 $65
Monterrey, México 80 $65
Panamá 94 $25
Lima, Perú 146 $15
Puerto Rico 86 $30
Montevideo, Uruguay 133 $100
Venezuela 113 $25

EUROPE/AFRICA
Austria 157 $45
Belux (Belgium and Luxembourg) 143 $48
Croatia 170 $50
Czech Republic 153 $110
Denmark 96 ✳
Estonian 162 $10
Finland 115 $70
Paris, France 75 ✳
German 104 $80
Athens, Greece 134 $20
Budapest, Hungary 125 $60
Irish 156 $40
Tel-Aviv, Israel 40 ✳
Milano, Italy 43 $53
Rome, Italy 178 $26
Kenya 158 $40
Latvia 139 $10
Lithuania 180 $20
Netherlands 97 $50
Lagos, Nigeria 149 $20
Oslo, Norway 74 $50
Warsaw, Poland 151 $30
Moscow, Russia 167 $0
Romania 172 $50
Slovenia 137 $50
Slovensko 160 $40
South Africa 130 $35
Barcelona, Spain 171 $110
Valencia, Spain 182 $25
Sweden 88 $45
Switzerland 116 $35
Tanzania 174 $40
London, UK 60 $80
Central UK 132 $55
Northern England 111 $50
Scottish, UK 175 $45

NORTH AMERICA

Canada
Calgary, AB 121 $0
Edmonton, AB 131 $25
Vancouver, BC 25 $20
Victoria, BC 100 $0
Winnipeg, MB 72 $15
Nova Scotia 105 $0
Ottawa Valley, ON 32 $10
Toronto, ON 21 $25
Montreal, PQ 36 $20
Quebec City, PQ 91 $35

Islands
Bermuda 147 $0
Trinidad & Tobago 106 $25

Midwestern United States
Chicago, IL 02 $50
Illini (Springfield, IL) 77 $30
Central Indiana (Indianapolis) 56 $30
Michiana (South Bend, IN) 127 $25
Iowa (Des Moines) 110 $25
Kentuckiana (Louisville, KY) 37 $30
Detroit, MI 08 $35
Western Michigan (Grand Rapids) 38 $25
Minnesota (Minneapolis) 07 $30
Omaha, NE 23 $30
Central Ohio (Columbus) 27 $25
Greater Cincinnati, OH 03 $20
Northeast Ohio (Cleveland) 26 $30
Kettle Moraine, WI (Milwaukee) 57 $25
Quad Cities 169 $0

Northeastern United States
Greater Hartford, CT (Southern New England) 28 $40
Central Maryland (Baltimore) 24 $25
New England (Boston, MA) 18 $30
New Jersey (Newark) 30 $40
Central New York (Syracuse) 29 $0
Hudson Valley, NY (Albany) 120 $0
New York Metropolitan 10 $50
Western New York (Buffalo) 46 $30
Harrisburg, PA 45 $25
Lehigh Valley (Allentown, PA) 122 $35
Philadelphia, PA 06 $40
Pittsburgh, PA 13 $20
National Capital Area, DC 05 $40

Southeastern United States
North Alabama (Birmingham) 65 $30
Jacksonville, FL 58 $30
Central Florida (Orlando) 67 $30
South Florida (Miami) 33 $40
West Florida (Tampa) 41 $35
Atlanta, GA 39 $35
Charlotte, NC 51 $35
Research Triangle (Raleigh, NC) 59 $25
Piedmont/Triad (Winston-Salem, NC) 128 $30
Greenville, SC 54 $30
Memphis, TN 48 $45
Middle Tennessee (Nashville) 102 $45
Virginia (Richmond) 22 $30

Southwestern United States
Central Arkansas (Little Rock) 82 $60
Central Mississippi (Jackson) 161 $0
Denver, CO 16 $40
Greater Kansas City, KS 87 $0
Baton Rouge, LA 85 $25
Greater New Orleans, LA 61 $20
St. Louis, MO 11 $25
New Mexico (Albuquerque) 83 $25
Central Oklahoma (OK City) 49 $30
Tulsa, OK 34 $25
Austin, TX 20 $25
Greater Houston Area, TX 09 $40
North Texas (Dallas) 12 $30
San Antonio/So. Texas 81 $25

Western United States
Anchorage, AK 177 $20
Phoenix, AZ 53 $30
Los Angeles, CA 01 $25
Orange County, CA (Anaheim) 79 $30
Sacramento, CA 76 $20
San Francisco, CA 15 $45
San Diego, CA 19 $25
Silicon Valley, CA (Sunnyvale) 62 $25
Hawaii (Honolulu) 71 $30
Boise, ID 42 $30
Willamette Valley, OR (Portland) 50 $30
Utah (Salt Lake City) 04 $30
Mt. Rainier, WA (Olympia) 129 $20
Puget Sound, WA (Seattle) 35 $25

OCEANIA
Adelaide, Australia 68 $0
Brisbane, Australia 44 $16
Canberra, Australia 92 $15
Melbourne, Australia 47 $25
Perth, Australia 63 $5
Sydney, Australia 17 $30
Auckland, New Zealand 84 $30
Wellington, New Zealand 73 $22
Papua New Guinea 152 $0

✳ Call chapter for information

To receive your copy of the Information Systems Control Journal, please complete the following subscriber information:
Size of organization (at your primary place of business): ➀ □ Fewer than 50 employees ➁ □ 50-100 employees ➂ □ 101-500 employees ➃ □ More than 500 employees
Size of your professional audit staff (local office): ➀ □ 1 individual ➁ □ 2-5 individuals ➂ □ 6-10 individuals ➃ □ 11-25 individuals ➄ □ More than 25 individuals
Your level of purchasing authority: ➀ □ Recommend products/services ➁ □ Approve purchase ➂ □ Recommend and approve purchase
Education courses attended annually (check one): ➀ □ None ➁ □ 1 ➂ □ 2-3 ➃ □ 4-5 ➄ □ More than 5
Conferences attended annually (check one): ➀ □ None ➁ □ 1 ➂ □ 2-3 ➃ □ 4-5 ➄ □ More than 5
Primary reason for joining the association (check one): ➀ □ Discounts on association products and services ➁ □ Subscription to IS Control Journal ➂ □ Professional advancement/certification ➃ □ Access to research, publications, and education 99 □ Other ___________________
Certification
One of the most important assets of an enterprise is its information. The integrity and reliability of that information and the systems that generate it are crucial to an enterprise’s success. Faced with complex and correspondingly ingenious cyberthreats, organizations are looking for individuals who have the proven experience and knowledge to identify, evaluate and recommend solutions to mitigate IT system vulnerabilities. ISACA offers two certifications to meet these needs.

Certified Information Systems Auditor (CISA)
The CISA program is designed to assess and certify individuals in the IS audit, control and security profession who demonstrate exceptional skill and judgment.

The CISA examination content areas include:
• The IS audit process
• Management, planning and organization of IS
• Technical infrastructure and operational practices
• Protection of information assets
• Disaster recovery and business continuity
• Business application system development, acquisition, implementation and maintenance
• Business process evaluation and risk management

To earn the CISA designation, candidates are required to:
• Successfully complete the CISA examination
• Adhere to the Information Systems Audit and Control Association (ISACA) Code of Professional Ethics
• Submit verified evidence of a minimum number of years of professional information systems auditing, control or security work experience
• Comply with the CISA continuing education program (after becoming certified)

Certified Information Security Manager (CISM)
CISM is a newly created credential for security managers that provides executive management with the assurance that those certified have the expertise to provide effective security management and consulting. It is business-oriented and focused on information risk management while addressing management, design and technical security issues at a conceptual level.

The CISM credential measures expertise in the areas of:
• Information security governance
• Risk management
• Information security program(me) development
• Information security management
• Response management

To earn the CISM designation, information security professionals are required to:
• Successfully complete the CISM examination
• Adhere to the Information Systems Audit and Control Association (ISACA) Code of Professional Ethics
• Submit verified evidence of a minimum number of years of information security experience, with a number of those years in the job analysis domains
• Comply with the CISM continuing education program (after becoming certified)

A grandfathering opportunity, available through 31 December 2003, allows information security professionals with the necessary experience to apply for certification without taking the CISM exam.
Being a CISA or a CISM is more than passing an examination. It demonstrates the
commitment, dedication and proficiency required to excel in your profession. These
certifications identify their holders as consummate professionals who maintain a
competitive advantage among their peers. Earning these designations helps assure a
positive reputation and distinguishes you among other candidates seeking positions in
both the private and public sectors. As a member of ISACA, you have the opportunity to
sit for the exams, purchase review materials and attend ISACA conferences to maintain
your certifications at a substantially reduced cost.
For more information on becoming a CISA or a CISM, visit the ISACA web site at
www.isaca.org/certification.
COBIT® 3rd Edition
Control Objectives
July 2000
Released by the COBIT Steering Committee and the IT Governance Institute™
The COBIT Mission:
To research, develop, publicise and promote an authoritative, up-to-date,
international set of generally accepted information technology control objectives
for day-to-day use by business managers and auditors.
INFORMATION SYSTEMS AUDIT AND CONTROL ASSOCIATION
A Single International Source for Information Technology Controls

The Information Systems Audit and Control Association is a leading global professional organisation representing individuals in more than 100 countries and comprising all levels of IT — executive, management, middle management and practitioner. The Association is uniquely positioned to fulfil the role of a central, harmonising source of IT control practice standards for the world over. Its strategic alliances with other groups in the financial, accounting, auditing and IT professions are ensuring an unparalleled level of integration and commitment by business process owners.

Association Programmes and Services
The Association’s services and programmes have earned distinction by establishing the highest levels of excellence in certification, standards, professional education and technical publishing.
• Its certification programme (the Certified Information Systems Auditor™) is the only global designation throughout the IT audit and control community.
• Its standards activities establish the quality baseline by which other IT audit and control activities are measured.
• Its professional education programme offers technical and management conferences on five continents, as well as seminars worldwide to help professionals everywhere receive high-quality continuing education.
• Its technical publishing area provides references and professional development materials to augment its distinguished selection of programmes and services.

The Information Systems Audit and Control Association was formed in 1969 to meet the unique, diverse and high technology needs of the burgeoning IT field. In an industry in which progress is measured in nano-seconds, ISACA has moved with agility and speed to bridge the needs of the international business community and the IT controls profession.

For More Information
To receive additional information, you may telephone (+1.847.253.1545), send an e-mail (research@isaca.org) or visit these web sites:
www.ITgovernance.org
www.isaca.org

Countries represented (listed in the page margins): American Samoa, Argentina, Armenia, Australia, Austria, Bahamas, Bahrain, Bangladesh, Barbados, Belgium, Bermuda, Bolivia, Botswana, Brazil, British Virgin Islands, Canada, Cayman Islands, Chile, China, Colombia, Costa Rica, Croatia, Curacao, Cyprus, Czech Republic, Denmark, Dominican Republic, Ecuador, Egypt, El Salvador, Estonia, Faeroe Islands, Fiji, Finland, France, Germany, Ghana, Greece, Guam, Guatemala, Honduras, Hong Kong, Hungary, Iceland, India, Indonesia, Iran, Ireland, Israel, Italy, Ivory Coast, Jamaica, Japan, Jordan, Kazakhstan, Kenya, Korea, Kuwait, Latvia, Lebanon, Liechtenstein, Lithuania, Luxemburg, Malaysia, Malta, Malawi, Mauritius, Mexico, Namibia, Nepal, Netherlands, New Guinea, New Zealand, Nicaragua, Nigeria, Norway, Oman, Pakistan, Panama, Paraguay, Peru, Philippines, Poland, Portugal, Qatar, Russia, Saudi Arabia, Scotland, Seychelles, Singapore, Slovak Republic, Slovenia, South Africa, Spain, Sri Lanka, St. Kitts, St. Lucia, Sweden, Switzerland, Taiwan, Tanzania, Tasmania, Thailand, Trinidad & Tobago, Tunisia, Turkey, Uganda, United Arab Emirates, United Kingdom, United States, Uruguay, Venezuela, Vietnam, Wales, Yugoslavia, Zambia, Zimbabwe.
ACKNOWLEDGMENTS
COBIT STEERING COMMITTEE
Erik Guldentops, S.W.I.F.T. sc, Belgium
John Lainhart, PricewaterhouseCoopers, USA
Eddy Schuermans, PricewaterhouseCoopers, Belgium
John Beveridge, State Auditor’s Office, Massachusetts, USA
Michael Donahue, PricewaterhouseCoopers, USA
Gary Hardy, Arthur Andersen, United Kingdom
Ronald Saull, Great-West Life Assurance, London Life and Investors Group, Canada
Mark Stanley, Sun America Inc., USA
SPECIAL THANKS to the ISACA Boston and National Capital Area Chapters for
their contributions to the COBIT Control Objectives.
SPECIAL THANKS to the members of the Board of the Information Systems Audit
and Control Association and Trustees of the Information Systems Audit and
Control Foundation, headed by International President Paul Williams, for their
continuing and unwavering support of COBIT.
4 IT GOVERNANCE INSTITUTE
CONTROL OBJECTIVES
EXECUTIVE OVERVIEW

Critically important to the survival and success of an organisation is effective management of information and related Information Technology (IT). In this global information society—where information travels through cyberspace without the constraints of time, distance and speed—this criticality arises from the:
• Increasing dependence on information and the systems that deliver this information
• Increasing vulnerabilities and a wide spectrum of threats, such as cyber threats and information warfare
• Scale and cost of the current and future investments in information and information systems
• Potential for technologies to dramatically change organisations and business practices, create new opportunities and reduce costs

For many organisations, information and the technology that supports it represent the organisation’s most valuable assets. Moreover, in today’s very competitive and rapidly changing business environment, management has heightened expectations regarding IT delivery functions: management requires increased quality, functionality and ease of use; decreased delivery time; and continuously improving service levels—while demanding that this be accomplished at lower costs.

Many organisations recognise the potential benefits that technology can yield. Successful organisations, however, understand and manage the risks associated with implementing new technologies.

There are numerous changes in IT and its operating environment that emphasise the need to better manage IT-related risks. Dependence on electronic information and IT systems is essential to support critical business processes. In addition, the regulatory environment is mandating stricter control over information. This, in turn, is driven by increasing disclosures of information system disasters and increasing electronic fraud. The management of IT-related risks is now being understood as a key part of enterprise governance.

Within enterprise governance, IT governance is becoming more and more prominent, and is defined as a structure of relationships and processes to direct and control the enterprise in order to achieve the enterprise’s goals by adding value while balancing risk versus return over IT and its processes. IT governance is integral to the success of enterprise governance by assuring efficient and effective measurable improvements in related enterprise processes. IT governance provides the structure that links IT processes, IT resources and information to enterprise strategies and objectives. Furthermore, IT governance integrates and institutionalises good (or best) practices of planning and organising, acquiring and implementing, delivering and supporting, and monitoring IT performance to ensure that the enterprise’s information and related technology support its business objectives. IT governance thus enables the enterprise to take full advantage of its information, thereby maximising benefits, capitalising on opportunities and gaining competitive advantage.

IT GOVERNANCE
A structure of relationships and processes to direct and control the enterprise in order to achieve the enterprise’s goals by adding value while balancing risk versus return over IT and its processes.

Organisations must satisfy the quality, fiduciary and security requirements for their information, as for all assets. Management must also optimise the use of available resources, including data, application systems, technology, facilities and people. To discharge these responsibilities, as well as to achieve its objectives, management must understand the status of its own IT systems and decide what security and control they should provide.

Control Objectives for Information and related Technology (COBIT), now in its 3rd edition, helps meet the multiple needs of management by bridging the gaps between business risks, control needs and technical issues. It provides good practices across a domain and process framework and presents activities in a manageable and logical structure. COBIT’s “good practices” means consensus of the experts—they will help optimise information investments and will provide a measure to be judged against when things do go wrong.

Management must ensure that an internal control system or framework is in place which supports the business processes, makes it clear how each individual control activity satisfies the information requirements and impacts the IT resources. Impact on IT resources is highlighted in the COBIT Framework together with the business requirements for effectiveness, efficiency, confidentiality, integrity, availability, compliance and reliability of information that need to be satisfied. Control, which includes policies, organisational structures, practices and procedures, is management’s responsibility. Management, through its enterprise governance, must ensure that due diligence is exercised by all individuals involved in the management, use, design, development, maintenance or operation of information systems. An IT control objective is a statement of the desired result or purpose to be achieved by implementing control procedures within a particular IT activity.
Business orientation is the main theme of COBIT. It is designed to be employed not only by users and auditors, but also, and more importantly, as comprehensive guidance for management and business process owners. Increasingly, business practice involves the full empowerment of business process owners so they have total responsibility for all aspects of the business process. In particular, this includes providing adequate controls.

The COBIT Framework provides a tool for the business process owner that facilitates the discharge of this responsibility. The Framework starts from a simple and pragmatic premise:
In order to provide the information that the organisation needs to achieve its objectives, IT resources need to be managed by a set of naturally grouped processes.

The Framework continues with a set of 34 high-level Control Objectives, one for each of the IT processes, grouped into four domains: planning and organisation, acquisition and implementation, delivery and support, and monitoring. This structure covers all aspects of information and the technology that supports it. By addressing these 34 high-level control objectives, the business process owner can ensure that an adequate control system is provided for the IT environment.

IT governance guidance is also provided in the COBIT Framework. IT governance provides the structure that links IT processes, IT resources and information to enterprise strategies and objectives. IT governance integrates optimal ways of planning and organising, acquiring and implementing, delivering and supporting, and monitoring IT performance. IT governance enables the enterprise to take full advantage of its information, thereby maximising benefits, capitalising on opportunities and gaining competitive advantage.

In addition, corresponding to each of the 34 high-level control objectives is an Audit Guideline to enable the review of IT processes against COBIT’s 318 recommended detailed control objectives to provide management assurance and/or advice for improvement.

The Management Guidelines, COBIT’s most recent development, further enhances and enables enterprise management to deal more effectively with the needs and requirements of IT governance. The guidelines are action oriented and generic and provide management direction for getting the enterprise’s information and related processes under control, for monitoring achievement of organisational goals, for monitoring performance within each IT process and for benchmarking organisational achievement.

Specifically, COBIT provides Maturity Models for control over IT processes, so that management can map where the organisation is today, where it stands in relation to the best-in-class in its industry and to international standards and where the organisation wants to be; Critical Success Factors, which define the most important management-oriented implementation guidelines to achieve control over and within its IT processes; Key Goal Indicators, which define measures that tell management—after the fact—whether an IT process has achieved its business requirements; and Key Performance Indicators, which are lead indicators that define measures of how well the IT process is performing in enabling the goal to be reached.

COBIT’s Management Guidelines are generic and action oriented for the purpose of answering the following types of management questions: How far should we go, and is the cost justified by the benefit? What are the indicators of good performance? What are the critical success factors? What are the risks of not achieving our objectives? What do others do? How do we measure and compare?

COBIT also contains an Implementation Tool Set that provides lessons learned from those organisations that quickly and successfully applied COBIT in their work environments. It has two particularly useful tools—Management Awareness Diagnostic and IT Control Diagnostic—to assist in analysing an organisation’s IT control environment.

Over the next few years, the management of organisations will need to demonstrably attain increased levels of security and control. COBIT is a tool that allows managers to bridge the gap with respect to control requirements, technical issues and business risks and communicate that level of control to stakeholders. COBIT enables the development of clear policy and good practice for IT control throughout organisations, worldwide. Thus, COBIT is designed to be the breakthrough IT governance tool that helps in understanding and managing the risks and benefits associated with information and related IT.
COBIT IT PROCESSES DEFINED WITHIN THE FOUR DOMAINS

BUSINESS OBJECTIVES
IT GOVERNANCE

INFORMATION (criteria): effectiveness, efficiency, confidentiality, integrity, availability, compliance, reliability
IT RESOURCES: people, application systems, technology, facilities, data

PLANNING & ORGANISATION
PO1 define a strategic IT plan
PO2 define the information architecture
PO3 determine the technological direction
PO4 define the IT organisation and relationships
PO5 manage the IT investment
PO6 communicate management aims and direction
PO7 manage human resources
PO8 ensure compliance with external requirements
PO9 assess risks
PO10 manage projects
PO11 manage quality

ACQUISITION & IMPLEMENTATION
AI1 identify automated solutions
AI2 acquire and maintain application software
AI3 acquire and maintain technology infrastructure
AI4 develop and maintain procedures
AI5 install and accredit systems
AI6 manage changes

DELIVERY & SUPPORT
DS1 define and manage service levels
DS2 manage third-party services
DS3 manage performance and capacity
DS4 ensure continuous service
DS5 ensure systems security
DS6 identify and allocate costs
DS7 educate and train users
DS8 assist and advise customers
DS9 manage the configuration
DS10 manage problems and incidents
DS11 manage data
DS12 manage facilities
DS13 manage operations

MONITORING
M1 monitor the processes
M2 assess internal control adequacy
M3 obtain independent assurance
M4 provide for independent audit
THE COBIT FRAMEWORK

THE NEED FOR CONTROL IN INFORMATION TECHNOLOGY
In recent years, it has become increasingly evident that there is a need for a reference framework for security and control in IT. Successful organisations require an appreciation for and a basic understanding of the risks and constraints of IT at all levels within the enterprise in order to achieve effective direction and adequate controls.

MANAGEMENT has to decide what to reasonably invest for security and control in IT and how to balance risk and control investment in an often unpredictable IT environment. While information systems security and control help manage risks, they do not eliminate them. In addition, the exact level of risk can never be known since there is always some degree of uncertainty. Ultimately, management must decide on the level of risk it is willing to accept. Judging what level can be tolerated, particularly when weighted against the cost, can be a difficult management decision. Therefore, management clearly needs a framework of generally accepted IT security and control practices to benchmark the existing and planned IT environment.

There is an increasing need for USERS of IT services to be assured, through accreditation and audit of IT services provided by internal or third parties, that adequate security and control exists. At present, however, the implementation of good IT controls in information systems, be they commercial, non-profit or governmental, is hampered by confusion. The confusion arises from the different evaluation methods such as ITSEC, TCSEC, ISO 9000 evaluations, emerging COSO internal control evaluations, etc. As a result, users need a general foundation to be established as a first step.

Frequently, AUDITORS have taken the lead in such international standardisation efforts because they are continuously confronted with the need to substantiate their opinion on internal control to management. Without a framework, this is an exceedingly difficult task. Furthermore, auditors are increasingly being called on by management to proactively consult and advise on IT security and control-related matters.

THE BUSINESS ENVIRONMENT: COMPETITION, CHANGE AND COST
Global competition is here. Organisations are restructuring to streamline operations and simultaneously take advantage of the advances in IT to improve their competitive position. Business re-engineering, right-sizing, outsourcing, empowerment, flattened organisations and distributed processing are all changes that impact the way that business and governmental organisations operate. These changes are having, and will continue to have, profound implications for the management and operational control structures within organisations worldwide.

Emphasis on attaining competitive advantage and cost-efficiency implies an ever-increasing reliance on technology as a major component in the strategy of most organisations. Automating organisational functions is, by its very nature, dictating the incorporation of more powerful control mechanisms into computers and networks, both hardware-based and software-based. Furthermore, the fundamental structural characteristics of these controls are evolving at the same rate and in the same “leap frog” manner as the underlying computing and networking technologies are evolving.

Within the framework of accelerated change, if managers, information systems specialists and auditors are indeed going to be able to effectively fulfil their roles, their skills must evolve as rapidly as the technology and the environment. One must understand the technology of controls involved and its changing nature if one is to exercise reasonable and prudent judgments in evaluating control practices found in typical business or governmental organisations.

EMERGENCE OF ENTERPRISE AND IT GOVERNANCE
To achieve success in this information economy, enterprise governance and IT governance can no longer be considered separate and distinct disciplines. Effective enterprise governance focuses individual and group expertise and experience where it can be most productive, monitors and measures performance and provides assurance to critical issues. IT, long considered solely an
8 IT GOVERNANCE INSTITUTE
15. CONTROL OBJECTIVES
enabler of an enterprise’s strategy, must now be regarded as an integral part of that strategy.

IT governance provides the structure that links IT processes, IT resources, and information to enterprise strategies and objectives. IT governance integrates and institutionalises optimal ways of planning and organising, acquiring and implementing, delivering and supporting, and monitoring IT performance. IT governance is integral to the success of enterprise governance by assuring efficient and effective measurable improvements in related enterprise processes. IT governance enables the enterprise to take full advantage of its information, thereby maximising benefits, capitalising on opportunities and gaining competitive advantage.

Looking at the interplay of enterprise and IT governance processes in more detail, enterprise governance, the system by which entities are directed and controlled, drives and sets IT governance. At the same time, IT should provide critical input to, and constitute an important component of, strategic plans. IT may in fact influence strategic opportunities outlined by the enterprise.

[Figure: Enterprise Governance drives and sets Information Technology Governance]

Enterprise activities require information from IT activities in order to meet business objectives. Successful organisations ensure interdependence between their strategic planning and their IT activities. IT must be aligned with and enable the enterprise to take full advantage of its information, thereby maximising benefits, capitalising on opportunities and gaining a competitive advantage.

[Figure: Enterprise Activities require information from Information Technology Activities]

Enterprises are governed by generally accepted good (or best) practices, to ensure that the enterprise is achieving its goals, the assurance of which is provided by certain controls. From these objectives flows the organisation’s direction, which dictates certain enterprise activities, using the enterprise’s resources. The results of the enterprise activities are measured and reported on, providing input to the constant revision and maintenance of the controls, beginning the cycle again.

[Figure: Enterprise Governance cycle: DIRECT (Objectives), CONTROL (Enterprise Activities USING Resources), REPORT]
IT also is governed by good (or best) practices, to ensure that the enterprise’s information and related technology support its business objectives, its resources are used responsibly and its risks are managed appropriately. These practices form a basis for direction of IT activities, which can be characterised as planning and organising, acquiring and implementing, delivering and supporting, and monitoring, for the dual purposes of managing risks (to gain security, reliability and compliance) and realising benefits (increasing effectiveness and efficiency). Reports are issued on the outcomes of IT activities, which are measured against the various practices and controls, and the cycle begins again.

[Figure: IT Governance cycle. DIRECT: Objectives (IT is aligned with the business, enables the business and maximises benefits; IT resources are used responsibly; IT-related risks are managed appropriately). IT Activities: PLAN Planning and Organisation; DO Acquisition and Implementation; CHECK Delivery and Support; CORRECT Monitoring. CONTROL: Manage risks (security, reliability, compliance); Realise benefits (increase automation, be effective; decrease costs, be efficient). REPORT.]
In order to ensure that management reaches its business objectives, it must direct and manage IT activities to reach an effective balance between managing risks and realising benefits. To accomplish this, management needs to identify the most important activities to be performed, measure progress towards achieving goals and determine how well the IT processes are performing. In addition, it needs the ability to evaluate the organisation’s maturity level against industry best practices and international standards. To support these management needs, the COBIT Management Guidelines have identified specific Critical Success Factors, Key Goal Indicators, Key Performance Indicators and an associated Maturity Model for IT governance, as presented in Appendix I.
RESPONSE TO THE NEED

In view of these ongoing changes, the development of this framework for control objectives for IT, along with continued applied research in IT controls based on this framework, are cornerstones for effective progress in the field of information and related technology controls.

On the one hand, we have witnessed the development and publication of overall business control models like COSO (Committee of Sponsoring Organisations of the Treadway Commission, Internal Control—Integrated Framework, 1992) in the US, Cadbury in the UK, CoCo in Canada and King in South Africa. On the other hand, an important number of more focused control models are in existence at the level of IT. Good examples of the latter category are the Security Code of Conduct from DTI (Department of Trade and Industry, UK), Information Technology Control Guidelines from CICA (Canadian Institute of Chartered Accountants, Canada), and the Security Handbook from NIST (National Institute of Standards and Technology, US). However, these focused control models do not provide a comprehensive and usable control model over IT in support of business processes. The purpose of COBIT is to bridge this gap by providing a foundation that is closely linked to business objectives while focusing on IT.

(Most closely related to COBIT is the recently published AICPA/CICA SysTrust™ Principles and Criteria for Systems Reliability. SysTrust is an authoritative issuance of both the Assurance Services Executive Committee in the United States and the Assurance Services Development Board in Canada, based in part on the COBIT Control Objectives. SysTrust is designed to increase the comfort of management, customers and business partners with the systems that support a business or a particular activity. The SysTrust service entails the public accountant providing an assurance service in which he or she evaluates and tests whether a system is reliable when measured against four essential principles: availability, security, integrity and maintainability.)

A focus on the business requirements for controls in IT and the application of emerging control models and related international standards evolved the original Information Systems Audit and Control Foundation’s Control Objectives from an auditor’s tool to COBIT, a management tool. Further, the development of IT Management Guidelines has taken COBIT to the next level, providing management with Key Goal Indicators (KGIs), Key Performance Indicators (KPIs), Critical Success Factors (CSFs) and Maturity Models so that it can assess its IT environment and make choices for control implementation and control improvements over the organisation’s information and related technology.

Hence, the main objective of the COBIT project is the development of clear policies and good practices for security and control in IT for worldwide endorsement by commercial, governmental and professional organisations. It is the goal of the project to develop these control objectives primarily from the business objectives and needs perspective. (This is compliant with the COSO perspective, which is first and foremost a management framework for internal controls.) Subsequently, control objectives have been developed from the audit objectives (certification of financial information, certification of internal control measures, efficiency and effectiveness, etc.) perspective.

AUDIENCE: MANAGEMENT, USERS AND AUDITORS

COBIT is designed to be used by three distinct audiences.

MANAGEMENT: to help them balance risk and control investment in an often unpredictable IT environment.

USERS: to obtain assurance on the security and controls of IT services provided by internal or third parties.

AUDITORS: to substantiate their opinions and/or provide advice to management on internal controls.
BUSINESS OBJECTIVES ORIENTATION

COBIT is aimed at addressing business objectives. The control objectives make a clear and distinct link to business objectives in order to support significant use outside the audit community. Control objectives are defined in a process-oriented manner following the principle of business re-engineering. At identified domains and processes, a high-level control objective is identified and rationale provided to document the link to the business objectives. In addition, considerations and guidelines are provided to define and implement the IT control objective.

The classification of domains where high-level control objectives apply (domains and processes), an indication of the business requirements for information in that domain, as well as the IT resources primarily impacted by the control objectives, together form the COBIT Framework. The Framework is based on the research activities that have identified 34 high-level control objectives and 318 detailed control objectives. The Framework was exposed to the IT industry and the audit profession to allow an opportunity for review, challenge and comment. The insights gained have been appropriately incorporated.

GENERAL DEFINITIONS

For the purpose of this project, the following definitions are provided. “Control” is adapted from the COSO Report (Internal Control—Integrated Framework, Committee of Sponsoring Organisations of the Treadway Commission, 1992) and “IT Control Objective” is adapted from the SAC Report (Systems Auditability and Control Report, The Institute of Internal Auditors Research Foundation, 1991 and 1994).

Control is defined as the policies, procedures, practices and organisational structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected.

IT Control Objective is defined as a statement of the desired result or purpose to be achieved by implementing control procedures in a particular IT activity.

IT Governance is defined as a structure of relationships and processes to direct and control the enterprise in order to achieve the enterprise’s goals by adding value while balancing risk versus return over IT and its processes.