IT Policies, Standards and Technical Directives
Sarah Cortes, Inman Technology, February 2009

Agenda
Purpose?
Standards Frameworks
COBIT Framework
ISACA Framework
Fidelity Process
Who are we?

Standards Overview
ISO/IEC 27000 - International Organization for Standardization / International Electrotechnical Commission
ITIL - Information Technology Infrastructure Library
NIST - National Institute of Standards and Technology
PMBOK - Project Management Body of Knowledge
TOGAF - The Open Group Architecture Framework
CMMI for Development - Capability Maturity Model Integration
SEI's CMM (Capability Maturity Model) for Software - Software Engineering Institute (US DoD-sponsored)
COBIT - Control Objectives for Information and related Technology - Information Systems Audit and Control Association (ISACA)

Is the Purpose to…?
Drive you crazy?
Waste your precious resources in a pointless task that will soon be out of date?
Serve as evidence to be used against you later?

Could policies help…?
Save you after you have already gotten into trouble?
Attempt, however lamely, to keep you out of trouble?
Prove that, however obvious the trouble is, it is not your fault?

Calling in the Experts

Did you know…?
Seven out of ten attacks are from…

You may be wondering…
Why develop and document IT policies, standards and technical directives?
Is it really worth it?
What's in it for me?
Who will pay for the resources thus diverted?

COBIT Control Objectives - Overview (COBIT 4.1: 34 processes in four domains)
PLAN AND ORGANISE - 10
ACQUIRE AND IMPLEMENT - 7
DELIVER AND SUPPORT - 13
MONITOR AND EVALUATE - 4
Total - 34

COBIT Control Objectives - PLAN AND ORGANISE
PO1 Define a Strategic IT Plan
PO2 Define the Information Architecture
PO3 Determine Technological Direction
PO4 Define the IT Processes, Organisation and Relationships
PO5 Manage the IT Investment
PO6 Communicate Management Aims and Direction
PO7 Manage IT Human Resources
PO8 Manage Quality
PO9 Assess and Manage IT Risks
PO10 Manage Projects

COBIT Control Objectives - ACQUIRE AND IMPLEMENT
AI1 Identify Automated Solutions
AI2 Acquire and Maintain Application Software
AI3 Acquire and Maintain Technology Infrastructure
AI4 Enable Operation and Use
AI5 Procure IT Resources
AI6 Manage Changes
AI7 Install and Accredit Solutions and Changes

COBIT Control Objectives - DELIVER AND SUPPORT
DS1 Define and Manage Service Levels
DS2 Manage Third-party Services
DS3 Manage Performance and Capacity
DS4 Ensure Continuous Service
DS5 Ensure Systems Security
DS6 Identify and Allocate Costs
DS7 Educate and Train Users
DS8 Manage Service Desk and Incidents
DS9 Manage the Configuration
DS10 Manage Problems
DS11 Manage Data
DS12 Manage the Physical Environment
DS13 Manage Operations

COBIT Control Objectives - MONITOR AND EVALUATE
ME1 Monitor and Evaluate IT Performance
ME2 Monitor and Evaluate Internal Control
ME3 Ensure Regulatory Compliance
ME4 Provide IT Governance

COBIT Control Objectives - DS5 Ensure Systems Security (detailed control objectives)
DS5.1 Management of IT Security
DS5.2 IT Security Plan
DS5.3 Identity Management
DS5.4 User Account Management
DS5.5 Security Testing, Surveillance and Monitoring
DS5.6 Security Incident Definition
DS5.7 Protection of Security Technology
DS5.8 Cryptographic Key Management
DS5.9 Malicious Software Prevention, Detection and Correction
DS5.10 Network Security
DS5.11 Exchange of Sensitive Data

ISACA Standards, Guidelines and Procedures
IS Guideline: G18 IT Governance
IS Guideline: G20 Reporting
IS Guideline: G21 Enterprise Resource Planning (ERP) Systems
IS Guideline: G22 Business to Consumer (B2C) E-commerce
IS Guideline: G23 System Development Life Cycle (SDLC)
IS Guideline: G24 Internet Banking
IS Guideline: G25 Review of Virtual Private Networks
IS Guideline: G26 Business Process Reengineering (BPR) Project
IS Guideline: G27 Mobile Computing
IS Guideline: G28 Computer Forensics
IS Guideline: G29 Post Implementation Review
IS Guideline: G30 Competence
IS Guideline: G31 Privacy
IS Guideline: G32 Business Continuity Plan (BCP) - IT Perspective
IS Guideline: G33 General Considerations on the Use of Internet
IS Guideline: G34 Responsibility, Authority and Accountability
IS Guideline: G35 Follow-up Activities

ISACA Standards, Guidelines and Procedures (continued)
IS Guideline: G36 Biometric Controls
IS Guideline: G38 Access Controls
IS Guideline: G39 IT Organization
IS Guideline: G40 Review of Security Management Practices
IS Procedure: P01 IS Risk Assessment Measurement
IS Procedure: P02 Digital Signatures
IS Procedure: P03 Intrusion Detection
IS Procedure: P04 Viruses and Other Malicious Logic
IS Procedure: P05 Control Risk Self-assessment
IS Procedure: P06 Firewalls
IS Procedure: P07 Irregularities and Illegal Acts
IS Procedure: P08 Security - Penetration Testing / Vulnerability Analysis
IS Procedure: P09 Management Controls Over Encryption Methodologies
IS Procedure: P10 Business Application Change Control
IS Procedure: P11 Electronic Funds Transfer (EFT)

Fidelity Process
Over 50 subsidiaries
Over 30,000 employees worldwide
Over 12,000 employees in the Boston area
Over 250 IT policy categories
Over 500 technical directives
Periodic Advisory Board review process

Fidelity Issues
Who, specifically by name, is responsible for ensuring policies and standards are applied? (designated scapegoat)
Need to break down policy categories into specific policy elements (1 policy becomes 100 policies)
A policy begets formal training and training recordkeeping (applications unto themselves)

Fidelity Issues (continued)
"Required," "Recommended," or "Highly Recommended"? (the shell game)
Need to self-assess at the policy element level (a/k/a your new full-time job)
Inman Technology
Clients: Harvard Law, Harvard CAIT, Biogen, Fidelity, etc.
Practice expertise: IT Security / Disaster Recovery; IT Project Management; Major Application Development

Background - Sarah Cortes
SVP in charge of Security, DR, IT Audit, and some Data Center Operations at Putnam Investments
Previously ran major applications development for Trading/Analytics Systems
As head of DR, ran Putnam's failover during 9/11 when parent Marsh McLennan failed over to our facility from the World Trade Center 99th floor data center
Coordinated over 65 audits per year
Certified Information Systems Auditor (CISA) and PMP-certified (Project Management Professional)

Feb 26 NETP Slide Deck
