3. Why We Are Here
What compliance and governance is and why you should care
Distinguishing Myth from Reality
Going Beyond “Just Good Enough” Approaches
Introduction to Compliance Frameworks
Balancing Competing Frameworks: Apples & Oranges?
Implementing Compliance Frameworks
E-Mail Management Issues to Be Addressed
On-Line Resources
What do you need to take home?
10. Compliance is Everywhere
At last count, there are at least 200 international regulatory & legal drivers that must be complied with, as tracked by IBM Business Consulting Services.
11. Compliance is Everywhere
Sarbanes-Oxley
FTC
SEC rule 17a-4
Patriot Act
European Union Privacy Laws
California Security Breach Notice Law
FDA
BASEL II
FMFIA
HIPAA
FISMA
Financial Services Modernization Act of 1999 (GLBA, Gramm-Leach-Bliley Act, Title V)
25. Information technology is so embedded in the operations of an enterprise that strong IT Governance is needed to support corporate governance objectives and compliance requirements.
29. COBIT Copyright The Information Technology Governance Institute, All rights reserved. Used with permission
31. [Diagram: Business Governance and IT Governance]
Labels recovered from the diagram: IT Strategy and Policy; Requirements; Direction; Control; Goals; Responsibilities; Objectives; Business Needs to Achieve Its Objectives; Information (IT Control, Risk and Assurance).
33. [Diagram: the COBIT framework]
IT Resources:
• Data
• Application Systems
• Technology
• Facilities
• People
Information criteria:
• Effectiveness
• Efficiency
• Confidentiality
• Integrity
• Availability
• Compliance
• Reliability
Domains: Plan and Organise; Acquire and Implement; Deliver and Support; Monitor and Evaluate
34. [Diagram: the COBIT framework with processes shown by domain]
IT Resources:
• Data
• Application Systems
• Technology
• Facilities
• People
Information criteria:
• Effectiveness
• Efficiency
• Confidentiality
• Integrity
• Availability
• Compliance
• Reliability
Plan and Organise (processes shown on the slide):
• PO7 Manage human resources
• PO8 Ensure compliance with external requirements
• PO9 Assess risks
• PO10 Manage projects
• PO11 Manage quality
Acquire and Implement:
• AI1 Identify automated solutions
• AI2 Acquire and maintain application software
• AI3 Acquire and maintain technology infrastructure
• AI4 Develop and maintain procedures
• AI5 Install and accredit systems
• AI6 Manage changes
Deliver and Support (processes shown on the slide):
• DS4 Ensure continuous service
• DS5 Ensure systems security
• DS7 Educate and train users
• DS8 Assist and advise IT customers
• DS9 Manage the configuration
• DS10 Manage problems and incidents
• DS11 Manage data
Monitor and Evaluate:
• M1 Monitor the processes
• M2 Assess internal control adequacy
• M3 Obtain independent assurance
• M4 Provide for independent audit
35. Control Process PO6 – Communicating Management Aims and Direction
Control over the IT process of communicating management aims and direction that satisfies the business requirement to ensure user awareness and understanding of those aims is enabled by policies established and communicated to the user community; furthermore, standards need to be established to translate the strategic options into practical and usable user rules, and takes into consideration:
• clearly articulated mission
• technology directives linked to business aims
• code of conduct/ethics
• quality commitment
• security and internal control policies
• security and internal control practices
• lead-by-example
• continuous communications programme
• providing guidance and checking compliance
56. Questions, Comments, and Discussion
How to Contact Me:
Christopher Byrne
iscontrolscaddy@gmail.com
Techies Cartoon Copyright 2000 Jeff Larson, All Rights Reserved, Permission Pending