This presentation, I along with my team mates........ Vishal, Anju, Sonali, Shivangi, Charu, Khyati and Shreeya made to Anand Jangid Sir....... in respect with the subject Governance & Compliance in Trimester 5 in MBA from welingkar on 18th Sept 2009

1. Information Security Governance: COBIT or ISO 17799/ BS 7799 Presented by- Abhinav Goyal AnjuBhadoria Charu Sharma Khyati Shah Shivangi Gupta ShreeyaDhingra Sonali Gupta Vishal Jain

3. 1st Edition in 1996

4. 2nd Edition in 1998

5. 3rd Edition in 2000

6. 4th Edition in 2005

7. IT Governance and its importance

8. International StandardsCobit is developed by ISACA and the IT Governance Institute (ITGI) in order to implement IT Governance in organizations Control Objectives for Information and Related Technology.

10. Proactive, Not Reactive!

11. Adaptable to Organizations

12. Common Sense – maximize benefits of IT while providing IT governance and control.Executive Summary - “There is a method…” Framework - “The method is…” Control Objectives - “The minimum controls are…” Audit Guidelines - “Here’s how you audit…” Management Guidelines - “Here’s how you measure your performance…” Implementation Guide - “Here’s how you implement…” The Cobit Model

14. Plan & Organize (PO)

15. Acquire & Implement (AI)

16. Deliver & Support (DS)

17. Monitor & Evaluate (ME)

18. 34 High Level Control Objectives

20. Information Criteria: Effectiveness Efficiency Confidentiality Integrity Availability Compliance Reliability Business Processes PO1 Define a Strategic IT Plan PO2 Define the Information Architecture PO3 Determine Technological Direction PO4 Define the IT Organization and Relationships PO5 Manage the IT Investment PO6 Communicate Management Aims and Direction PO7 Manage Human Resources PO8 Ensure Compliance with External Requirements PO9 Assess Risks PO10 Manage Projects PO11 Manage Quality IT Resources Data Applications Technology Facilities People ME1 Monitor the Process ME2 Assess Internal Control Adequacy ME3 Obtain Independent Assurance ME4 Provide for Independent Audit Monitor & Evaluate Plan & Organize DS1 Define and Manage Service Levels DS2 Manage Third-Party Services DS3 Manage Performance and Capacity DS4 Ensure Continuous Service DS5 Ensure Systems Security DS6 Identify and Allocate Costs DS7 Educate and Train Users DS8 Assist and Advise Customers DS9 Manage the Configuration DS10 Manage Problems and Incidents DS11 Manage Data DS12 Manage Facilities DS13 Manage Operations Deliver & Support Acquire & Implement AI1 Identify Automated Solutions AI2 Acquire and Maintain Application Software AI3 Acquire and Maintain Technology Infrastructure AI4 Develop and Maintain Procedures AI5 Install and Accredit Systems AI6 Manage Changes

22. Describes what needs to be taken into account when making IT related decisions and investments; helps balance risk and control investment.

23. IT Providers

24. Provides clear expectations on minimum controls in IT environments

25. IT Users

26. Assurance over security and controls (internal & external providers)

27. Auditors

28. List of control objectives and minimum controls

29. Substantiation of opinion

30. Self Assessment Tool for All GroupsUsers of COBIT

31. BS 7799 ISO 17799 INTRODUCTION

32. ISO 17799 / BS 7799 SECURITY PARAMETERS ORGANISATIONAL AND INFORMATION SECURITY STRUCTURE RISK ASSESSMENT AND TREATMENT ASSET MANAGEMENT SECURITY POLICY HUMAN RESOURCE SECURITY

33. ISO 17799 / BS 7799 PHYSICAL SECURITY ACQUISITION, DEVELOPMENT AND MAINTAINANCE COMMUNICATION AND OPERATIONAL SECURITY INCIDENTAL MANAGEMENT BUSINESS CONTINUITY ACCESS CONTROL INFORMATION SYSTEMS COMPLIANCE

34. ISO 17799

35. ISO 17799 Overview

36. ISO 17799 modules

37. ISO 17799 Controls

38. ISO 17799 Controls

39. ISO 17799 Controls

40. ISO 17799 Controls

41. Differences

42. Differences

43. What do we want to achieve with IT?

44. How we can achieve these IT goals

45. How we can achieve these IT goals

46. How we can achieve these IT goals:Where are the methods strong in?

47. How can we achieve these IT goals:continuous IT improvement

48. ThankYou