Tentang_COBIT
Transcript of Tentang_COBIT
-
8/10/2019 Tentang_COBIT
1/51
1
Presented by
Marmah Hadi
Sekolah Tinggi Akuntansi Negara & Institute of Information System Audit Studies
COBIT
Control Objectives for Information and related Technology
COBIT Framework: Governance, Control and Audit for Information and Related Technology
Introduction to COBIT 2nd edition
- Elements
- Source standards and regulations
- The framework
How to put COBIT to effective use
- Comparison of COBIT with other methods
- COBIT - a product for many audiences
- Some ideas and case studies
Summary
Technology, Control & Governance
- Technology makes new business processes possible, leading to loss of control and more regulation
- Developments in IT and business practices make corporate governance more difficult
- Officers and management will be held accountable
- Major changes have already occurred, but the pressure to continue to change remains
Responsibility for Control
Committee for Sponsoring Organisations (COSO):
In order to discharge management's responsibilities as well as to achieve its objectives, they must establish an adequate system of internal control. This control system or framework must be in place to support business requirements for effectiveness and efficiency of operations, reliability of information and compliance with laws and regulations.
National Institute for Standards and Technology:
While computer security helps manage risks, it does not eliminate them. In addition, the exact level of risk can never be known since there is always some degree of uncertainty. Ultimately, management must decide on the level of risk it is willing to accept. Judging what level can be tolerated, particularly when weighed against the cost, can be a difficult management decision.
Definitions
Control: The policies, procedures, practices and organisational structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected.
IT Control Objective: A statement of the desired result or purpose to be achieved by implementing control procedures in a particular IT activity.
The Five Elements of COBIT: a first look at all the components
- Executive Summary (senior executives: CEO, CIO): There is a method...
- Framework (senior operational management): The method is...
- Control Objectives (middle management): Minimum controls are...
- Audit Guidelines (line management, controls practitioner): Here's how you audit...
- Implementation Tool Set (director, middle management): Here's how you implement...
Standards and Regulations: COBIT includes 36 national and international standards
- Codes of conduct issued by Council of Europe, OECD, ISACA, etc.
- Qualification criteria for IT systems and processes: ITSEC, TCSEC, ISO 9000, SPICE, TickIT, Common Criteria, etc.
- Professional standards in internal control and auditing: COSO Report, IFAC, AICPA, IIA, ISACA, PCIE, GAO standards, etc.
- Industry practices and requirements from industry forums (ESF, I4) and government-sponsored platforms (IBAG, NIST, DTI), etc.
- Technical standards from ISO, EDIFACT, etc.
- Emerging industry-specific requirements such as from banking, electronic commerce and IT manufacturing
The Framework's Principles
Linking management's IT expectations with management's IT responsibilities
Business Requirements = Information Criteria
- effectiveness: deals with information being relevant and pertinent to the business process as well as being delivered in a timely, correct, consistent and usable manner.
- efficiency: concerns the provision of information through the optimal (most productive and economical) usage of resources.
- confidentiality: concerns protection of sensitive information from unauthorized disclosure.
- integrity: relates to the accuracy and completeness of information as well as to its validity in accordance with the business' set of values and expectations.
- availability: relates to information being available when required by the business process, and hence also concerns the safeguarding of resources.
- compliance: deals with complying with those laws, regulations and contractual arrangements to which the business process is subject; i.e., externally imposed business criteria.
- reliability of information: relates to systems providing management with appropriate information for it to use in operating the entity, in providing financial reporting to users of the financial information, and in providing information to report to regulatory bodies with regard to compliance with laws and regulations.
Criteria groups: Quality, Fiduciary, Security
(Framework figure: Business Requirements, IT Processes, IT Resources)
IT Resources
- Data: data objects in their widest sense, i.e., external and internal, structured and non-structured, graphics, sound, etc.
- Application Systems: understood to be the sum of manual and programmed procedures.
- Technology: covers hardware, operating systems, database management systems, networking, multimedia, etc.
- Facilities: resources to house and support information systems.
- People: staff skills, awareness and productivity to plan, organise, acquire, deliver, support and monitor information systems and services.
IT Domains & Processes
- Domains: natural grouping of processes, often matching an organisational domain of responsibility.
- Processes: a series of joined activities with natural (control) breaks.
- Activities: actions needed to achieve a measurable result. Activities have a life-cycle whereas tasks are discrete.
(Framework figure: IT Resources, Business Requirements, IT Processes)
IT Domain: Acquisition & Implementation
- Realization of IT strategy
- Solutions identified, developed, or acquired and implemented
- Solutions integrated into business process
- Change and maintenance of systems
AI 1 Identify Solutions
AI 2 Acquire and Maintain Application Software
AI 3 Acquire and Maintain Technology Architecture
AI 4 Develop and Maintain IT Procedures
AI 5 Install and Accredit Systems
AI 6 Manage Changes
IT Domain: Delivery and Support
- Actual delivery of required services
- Actual operations through security including training
- Establishment of support processes
- Actual processing of data by applications
DS 1 Define Service Levels
DS 2 Manage Third-Party Services
DS 3 Manage Performance and Capacity
DS 4 Ensure Continuous Service
DS 5 Ensure Systems Security
DS 6 Identify and Attribute Costs
DS 7 Educate and Train Users
DS 8 Assist and Advise IT Customers
DS 9 Manage the Configuration
DS 10 Manage Problems and Incidents
DS 11 Manage Data
DS 12 Manage Facilities
DS 13 Manage Operations
IT Domain: Monitoring
- Regular assessment of all IT processes
- Compliance with and quality of controls
M 1 Monitor the Processes
M 2 Assess Internal Control Adequacy
M 3 Obtain Independent Assurance
M 4 Provide for Independent Audit
COBIT's Navigation Aids: linking process, resource & criteria
The control of IT Processes which satisfy Business Requirements is enabled by Control Statements and considers Control Practices.
Domains: Planning & Organisation; Acquisition & Implementation; Delivery & Support; Monitoring.
An Example of an IT Process
An Example of an IT Process: linking the processes to control objectives
Control over the IT process of ENSURING SYSTEMS SECURITY (DS-5)
that satisfies the business requirement to safeguard information against unauthorised use, disclosure or modification, damage or loss
is enabled by logical access controls which ensure that access to systems, data and programs is restricted to authorised users
and takes into consideration:
- authorisation & authentication
- user profiles and identification
- trusted path, firewalls
- virus prevention and detection
- cryptographic key management
- incident handling, reporting and follow up
Typical Example: Domain Delivery & Support, Process Ensuring System Security
Control Objectives
5.1 Manage Security Measures
5.2 Identification, Authentication and Access
5.3 Security of Online Access to Data
5.4 User Account Management
5.5 Management Review of User Accounts
5.6 User Control of User Accounts
5.7 Security Surveillance
5.8 Data Classification
5.9 Central Identification and Access Rights Management
5.10 Violation and Security Activity Reports
5.11 Incident Handling
5.12 Re-Accreditation
5.13 Counterparty Trust
5.14 Transaction Authorisation
5.15 Non-Repudiation
5.16 Trusted Path
5.17 Protection of Security Functions
5.18 Cryptographic Key Management
5.19 Malicious Software Prevention, Detection and Correction
5.20 Firewall Architectures and Connections with Public Networks
5.21 Protection of Electronic Value
DS 5.10 Violation and Security Activity Reports:
The information services function's security administration should assure that violation and security activity is logged, reported, reviewed and appropriately escalated on a regular basis to identify and resolve incidents involving unauthorised activity.
Logical access to the computer resources' accountability information (security and other logs) should be granted based upon the principle of least privilege, or need to know.
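An added example, not part of the original slides, of what DS 5.10 asks for in practice: constructed security log lines are aggregated into a violation and security activity report, entries above a threshold are marked for escalation, and the report itself is released only to roles with a need to know. The log format, event names, thresholds and role names are assumptions of this example.

```python
"""Minimal DS 5.10 style violation and security activity report (example code)."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real data). Assumed line format:
# "<ISO time> <event> user=<name> src=<host> target=<resource>"
SAMPLE_LOG = """\
2019-10-08T08:01:10 LOGON_FAIL user=jsmith src=ws17 target=hr-app
2019-10-08T08:01:25 LOGON_FAIL user=jsmith src=ws17 target=hr-app
2019-10-08T08:01:41 LOGON_FAIL user=jsmith src=ws17 target=hr-app
2019-10-08T08:02:03 LOGON_FAIL user=jsmith src=ws17 target=hr-app
2019-10-08T08:02:30 LOGON_OK user=jsmith src=ws17 target=hr-app
2019-10-08T09:15:00 ACCESS_DENIED user=tlee src=ws03 target=payroll-db
2019-10-08T09:15:05 ACCESS_DENIED user=tlee src=ws03 target=payroll-db
2019-10-08T10:00:00 PRIV_USE user=admin1 src=ws99 target=security-log
2019-10-08T10:30:00 LOGON_OK user=mwong src=ws21 target=crm
2019-10-08T11:00:00 LOGON_FAIL user=mwong src=ws21 target=crm
this line is not in the expected format
"""

# Assumed escalation rule: a count at or above the threshold must be escalated.
ESCALATE_AT = {"LOGON_FAIL": 3, "ACCESS_DENIED": 1, "PRIV_USE": 1}
VIOLATION_EVENTS = set(ESCALATE_AT)

# Assumed need-to-know rule for the accountability information (the logs and
# the report built from them): only these roles may read it.
LOG_READERS = {"security-admin", "it-auditor"}


def parse_line(line):
    """Parse one log line into a dict; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        when = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    fields = {}
    for kv in parts[2:]:
        if "=" not in kv:
            return None
        key, value = kv.split("=", 1)
        fields[key] = value
    if {"user", "src", "target"} != set(fields):
        return None
    return {"time": when, "event": parts[1], **fields}


def build_report(log_text):
    """Aggregate violations per (user, event) and flag those to escalate."""
    counts = defaultdict(int)
    targets = defaultdict(set)
    unparsed = 0
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            unparsed += 1  # counted, so gaps in the record are visible to the reviewer
            continue
        if rec["event"] in VIOLATION_EVENTS:
            key = (rec["user"], rec["event"])
            counts[key] += 1
            targets[key].add(rec["target"])
    rows = [
        {"user": user, "event": event, "count": n,
         "targets": sorted(targets[(user, event)]),
         "escalate": n >= ESCALATE_AT[event]}
        for (user, event), n in sorted(counts.items())
    ]
    return {"rows": rows, "unparsed_lines": unparsed}


def allowed_to_view(role):
    """Least privilege: only roles with a need to know may read the report."""
    return role in LOG_READERS


def view_report(role, log_text=SAMPLE_LOG):
    """Return the report for an authorised role, otherwise refuse."""
    if not allowed_to_view(role):
        raise PermissionError(f"role {role!r} may not read security activity reports")
    return build_report(log_text)


if __name__ == "__main__":
    for row in view_report("security-admin")["rows"]:
        flag = "ESCALATE" if row["escalate"] else "review"
        print(f"{flag:<8} {row['user']:<8} {row['event']:<14} x{row['count']} {row['targets']}")
```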
(Framework figure: Business Processes; IT Resources: data, applications, technology, facilities, people; information criteria: effectiveness, efficiency, confidentiality, integrity, availability, compliance, reliability)
Planning & Organisation
PO 1 Define a Strategic IT Plan
PO 2 Define the Information Architecture
PO 3 Determine the Technological Direction
PO 4 Define the IT Organisation and Relationships
PO 5 Manage the IT Investment
PO 6 Communicate Management Aims and Direction
PO 7 Manage Human Resources
PO 8 Ensure Compliance with External Requirements
PO 9 Assess Risks
PO 10 Manage Projects
PO 11 Manage Quality
Acquisition & Implementation
AI 1 Identify Solutions
AI 2 Acquire and Maintain Application Software
AI 3 Acquire and Maintain Technology Architecture
AI 4 Develop and Maintain IT Procedures
AI 5 Install and Accredit Systems
AI 6 Manage Changes
Delivery & Support
DS 1 Define Service Levels
DS 2 Manage Third-Party Services
DS 3 Manage Performance and Capacity
DS 4 Ensure Continuous Service
DS 5 Ensure Systems Security
DS 6 Identify and Attribute Costs
DS 7 Educate and Train Users
DS 8 Assist and Advise IT Customers
DS 9 Manage the Configuration
DS 10 Manage Problems and Incidents
DS 11 Manage Data
DS 12 Manage Facilities
DS 13 Manage Operations
Monitoring
M 1 Monitor the Processes
M 2 Assess Internal Control Adequacy
M 3 Obtain Independent Assurance
M 4 Provide for Independent Audit
What COBIT Is Used For: Survey ISACA Switzerland Chapter 1997/98
Comparison of 4 methods:
- COBIT (1st ed)
- Code of Practice (BS7799)
- BSI Grundschutzhandbuch 1997
- Marion
Questions asked: what they are used for; which method is used and how often; requirements for a good method.
COBIT in Comparison: Survey ISACA Switzerland Chapter 1997/98
(Pie charts of use by purpose; values listed in the order extracted)
CobiT: Risk Analysis 27%, Audit 59%, Sec. Policy 7%, Sec. Handbook 7%
Code of Practice: Risk analysis 23%, Audit 18%, Security concept 36%, Security handbook 23%
Criteria for Comparison: Survey ISACA Switzerland Chapter 1997/98
- Standardisation
- Independence
- Certification
- Practicability
- Adaptability
- Range (Scope)
- Presentation of results
- Efficiency
- Topicality
- Ease of use
COBIT in Comparison: Survey ISACA Switzerland Chapter 1997/98
(Bar charts rating Code of Practice (CoP) and CobiT on a scale of 0,00 to 4,00 for Standardisation, Independence, Certification, Practicability, Adaptability, Range (Scope), Presentation, Efficiency, Topicality and Ease of use; the bar values did not survive extraction)
COBIT in Comparison: Survey ISACA Switzerland Chapter 1997/98
Columns: Code of Practice (BS7799) | COBIT (1st ed, 1996) | Marion | Grundschutzhandbuch (1997). Cells cut off at the right edge of the slide are marked [...]; words restored from fragments are in square brackets.
- Preferred uses: CoP: primary: security policy; very frequent for all us[es] | COBIT: audit | Marion: risk analysis, security policy | Grundschutzhandbuch: security policy, security handbook
- Less used for: CoP: - | COBIT: security policy, security handbook | Marion: audit, security handbook | Grundschutzhandbuch: risk analysis, audit
- Strengths: CoP: independence, standardisation, certification | COBIT: independence, standardisation, presentation | Marion: independence, adaptability, topicality | Grundschutzhandbuch: [...]
- Weaknesses: CoP: presentation of results | COBIT: presentation of re[sults], ease of use | Marion: certification, presen[tation] | Grundschutzhandbuch: [...]
- Rating (1 = bad, 4 = ideal): CoP: rather high (3.0) | COBIT: rather high (3.0) | Marion: medium (2.5) | Grundschutzhandbuch: rather [...]
- Remarks: CoP is focussed on information security and is therefore used as a basis for information security policies (foremost in Europe). | Apart from security, COBIT covers quality [and] reliability; still [...] known outside the [...] world. | Marion is no[t used] frequently outside France; in S[witzerland] Marion is us[ed for] risk analysis. | Is use[d as] refere[nce for the] select[ion and imple]mentation of security measur[es and] risk a[nalysis ...]
Official COBIT Survey: ISACA's survey results, presented July 1998, Brussels
Objectives:
- reasons for (not) adopting COBIT
- differences between users and non-users
Survey mailed to 5,315 purchasers; 429 usable responses (8.1% response rate)
Lots of questions: region, certification, industry, people employed, control methodologies, reasons for purchasing, ...
Official COBIT Survey: ISACA's survey results, presented July 1998, Brussels
Interesting results:
- 59% of respondents were COBIT users
- COBIT was purchased primarily to improve audit approaches and programs
- Size of internal audit staff correlates to COBIT use
- CISAs are more likely to adopt COBIT
- 4 out of 5 adopters use COBIT with little or no modification
- Users agree that COBIT is the best published set of control guidelines for IT
Why Should an Organisation Adopt COBIT?
- Attention on Corporate Governance
- Management accountability for resources
- Specific need for control of IT resources
- Business oriented solutions
- Framework for risk assessment
- Authoritative basis
- Improved communication among management, users and auditors
A Product For Many Audiences
- Executive manager
- Business manager
- IT manager
- Project manager
- Developer
- Operations
- User
- Information security officer
- Auditor
COBIT for the Executive Manager
COBIT could serve the following objectives for you:
- Accept and promote COBIT as general IT governance model for all enterprises within enterprise
Some specific approaches which could prove useful...
- Use COBIT to complement existing internal control framework
- Use COBIT process model to establish common language between business and IT; allocate clear responsibilities
COBIT for the Executive Manager: IT Governance Self-Assessment
Legend:
- Importance = How important for the organisation, on a scale from 1 (not at all) to 5 (very)
- Performance = How well is it done, from 1 (don't know or badly) to 5 (very well)
- Who does it? = IT, Other, Outside or Don't know
- Audited = Yes, No or ?
- Formality = Is there a contract, SLA, or a clearly documented procedure? (Yes, No or ?)
- Accountable = Name or don't know
Form columns: COBIT's Domains and Processes | RISK: Importance, Performance | Who does it? (IT / Other / Outside / Don't know) | Audited | Formality | Who is Accountable?
Rows:
Planning & Organisation
PO1 Define a Strategic IT Plan
PO2 Define the Information Architecture
PO3 Determine the Technological Direction
PO4 Define the IT Organisation and Relationships
PO5 Manage the IT Investment
PO6 Communicate Management Aims and Direction
PO7 Manage Human Resources
PO8 Ensure Compliance with External Requirements
PO9 Assess Risks
PO10 Manage Projects
PO11 Manage Quality
Acquisition & Implementation
AI1 Identify Solutions
AI2 Acquire and Maintain Application Software
AI3 Acquire and Maintain Technology Architecture
AI4 Develop and Maintain IT Procedures
AI5 Install and Accredit Systems
AI6 Manage Changes
Delivery & Support
DS1 Define Service Levels
DS2 Manage Third-Party Services
DS3 Manage Performance and Capacity
DS4 Ensure Continuous Service
DS5 Ensure System Security
DS6 Identify and Attribute Costs
DS7 Educate and Train Users
DS8 Assist and Advise IT Customers
DS9 Manage the Configuration
DS10 Manage Problems and Incidents
DS11 Manage Data
DS12 Manage Facilities
DS13 Manage Operations
Monitoring
M1 Monitor the Processes
M2 Assess Internal Control Adequacy
M3 Obtain Independent Assurance
M4 Provide for Independent Audit
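An added example, not part of the original slides, that models the self-assessment form above: each row is scored exactly as the legend describes, and the rows are then ranked so an executive sees first the processes where performance lags importance or where nobody is accountable. The gap measure, the flagging rules and the sample answers are this example's assumptions, not part of COBIT.

```python
"""IT governance self-assessment form as a small scoring model (example code)."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Process ids and names from the slide's form (a subset, to keep the sample short).
PROCESSES = {
    "PO9": "Assess Risks",
    "AI6": "Manage Changes",
    "DS4": "Ensure Continuous Service",
    "DS5": "Ensure System Security",
    "DS10": "Manage Problems and Incidents",
    "M2": "Assess Internal Control Adequacy",
}
WHO = {"IT", "Other", "Outside", "Don't know"}
YES_NO_UNKNOWN = {"Yes", "No", "?"}


@dataclass
class Assessment:
    """One filled-in row of the self-assessment form."""
    process: str
    importance: int              # 1 (not at all) .. 5 (very)
    performance: int             # 1 (don't know or badly) .. 5 (very well)
    who: str                     # who does it: IT / Other / Outside / Don't know
    audited: str                 # Yes / No / ?
    formality: str               # contract, SLA or documented procedure: Yes / No / ?
    accountable: Optional[str]   # name, or None for "don't know"

    def __post_init__(self) -> None:
        if self.process not in PROCESSES:
            raise ValueError(f"unknown process {self.process}")
        for score in (self.importance, self.performance):
            if not 1 <= score <= 5:
                raise ValueError("importance and performance are scored 1..5")
        if self.who not in WHO:
            raise ValueError("who must be IT, Other, Outside or Don't know")
        if self.audited not in YES_NO_UNKNOWN or self.formality not in YES_NO_UNKNOWN:
            raise ValueError("audited and formality must be Yes, No or ?")

    @property
    def gap(self) -> int:
        # Assumed gap measure: how far performance lags behind importance.
        return self.importance - self.performance


def findings(a: Assessment) -> list[str]:
    """Governance questions a reviewer would raise for one row (assumed rules)."""
    issues = []
    if a.importance >= 4 and a.gap >= 2:
        issues.append("important process performed poorly")
    if a.accountable is None:
        issues.append("no accountable owner known")
    if a.who == "Don't know":
        issues.append("nobody knows who performs it")
    if a.importance >= 4 and a.audited != "Yes":
        issues.append("important process not audited")
    if a.who == "Outside" and a.formality != "Yes":
        issues.append("outsourced without contract/SLA")
    return issues


def prioritise(assessments: list[Assessment]) -> list[dict]:
    """Rank rows by gap, then importance, so the worst-covered processes come first."""
    rows = [
        {"process": a.process, "name": PROCESSES[a.process],
         "importance": a.importance, "performance": a.performance,
         "gap": a.gap, "issues": findings(a)}
        for a in assessments
    ]
    rows.sort(key=lambda r: (-r["gap"], -r["importance"]))
    return rows


# Constructed sample answers (not survey data).
SAMPLE = [
    Assessment("DS5", 5, 2, "IT", "No", "?", None),
    Assessment("PO9", 4, 2, "Other", "No", "No", "CFO"),
    Assessment("DS4", 5, 4, "Outside", "Yes", "No", "Ops manager"),
    Assessment("AI6", 3, 3, "IT", "Yes", "Yes", "Change manager"),
    Assessment("DS10", 4, 4, "IT", "?", "Yes", "Helpdesk lead"),
    Assessment("M2", 2, 1, "Don't know", "?", "?", None),
]

if __name__ == "__main__":
    for r in prioritise(SAMPLE):
        print(f"{r['process']:<5} gap={r['gap']} {'; '.join(r['issues']) or 'no issues'}")
```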
COBIT for the Business Manager
COBIT could serve the following objectives for you:
- Use COBIT to establish a common entity-wide model to manage and monitor IT's contribution to the business
Some specific approaches which could prove useful...
- Use COBIT control objectives as a code of good practice for dealing with IT within the business function
- Use COBIT control objectives to determine needs to be covered by Service Level Agreements (internal or outsourced)
COBIT for the Business Manager: Management's IT Concerns Diagnostic
Technology Concerns to Management (Gartner Group), the columns of the diagnostic: Management | Internet / Intranet | Enterprise Packaged Solutions | Client/Server Architecture | Workgroups and GroupWare | Network Management
RISK FACTORS
Management: IT initiatives in line with business strategy; IT policies and corporate governance; Utilising IT for competitive advantage; Consolidating the IT infrastructure; Reducing cost of IT ownership; Acquiring and developing skills
Technology risk factors (listed in the order extracted; which of the five technology columns each belongs to did not survive extraction): Unauthorised access to corporate network; Unauthorised access to confidential messages; Loss of integrity of corporate transactions; Leakage of confidential data; Interruption to service availability; Virus infection; Failure to meet user requirements; Failure to integrate; Not compatible with technical infrastructure; Vendor support problems; Expensive/complex implementation; Failure to coordinate requirements; Access control problems; Not compatible with technical infrastructure; End user management problems; Control of software versions; High costs of ownership; Quality control; Access control; Informal procedures; Data integrity; Configuration control; Availability; Security; Configuration control; Incident management; Costs; Support and maintenance
Rows of the diagnostic (COBIT processes):
PLANNING & ORGANISATION
PO1 Define a Strategic IT Plan
PO2 Define the Information Architecture
PO3 Determine the Technological Direction
PO4 Define the IT Organisation and Relationships
PO5 Manage the Investment in IT
PO6 Communicate Management Aims and Direction
PO7 Manage Human Resources
PO8 Ensure Compliance with External Requirements
PO9 Assess Risks
PO10 Manage Projects
PO11 Manage Quality
ACQUISITION & IMPLEMENTATION
AI1 Identify Solutions
AI2 Acquire and Maintain Application Software
AI3 Acquire and Maintain Technology Architecture
AI4 Develop and Maintain IT Procedures
AI5 Install and Accredit Systems
AI6 Manage Changes
DELIVERY & SUPPORT
DS1 Define Service Levels
DS2 Manage Third-Party Services
DS3 Manage Performance and Capacity
DS4 Ensure Continuous Service
DS5 Ensure Systems Security
DS6 Identify and Attribute Costs
DS7 Educate and Train Users
DS8 Assist and Advise IT Customers
DS9 Manage the Configuration
DS10 Manage Problems and Incidents
DS11 Manage Data
DS12 Manage Facilities
DS13 Manage Operations
MONITORING
M1 Monitor the Processes
M2 Assess Internal Control Adequacy
M3 Obtain Independent Assurance
M4 Provide for Independent Audit
COBIT for the IT Manager
COBIT could serve the following objectives for you:
- Use the COBIT process model and detailed control objectives to structure the IT services function into manageable and controllable processes focussing on business contribution
Some specific approaches which could prove useful...
- Use the COBIT control model to establish SLAs and communicate with business functions
- Use the COBIT control model as basis for process-related performance measures and IT-related policies and norms
- Use COBIT as baseline model to establish the appropriate level of control objectives and external certifications
COBIT for the IT Manager
Define SLAs
COBIT for the Project Manager
COBIT could serve the following objectives for you:
- As a general framework for minimal project and quality assurance standards
Some specific approaches which could prove useful...
- Use COBIT to help ensure that project plans incorporate generally accepted phases in IT planning, acquisition and development, service delivery and project management, and assessment
COBIT for the Project Manager
Internal Controls Built Into System
COBIT for the Developer
COBIT could serve the following objectives for you:
- As minimal guidance for controls to be applied within development processes as well as for internal control to be integrated in information systems being built
Some specific approaches which could prove useful...
- Use COBIT to ensure that all applicable IT control objectives in the development project have been addressed
COBIT for the Developer: Select Appropriate Controls
Matrix: IT Process | Information Criteria (effectiveness, efficiency, confidentiality, integrity, availability, compliance, reliability) | IT Resources (people, applications, technology, facilities, data)
P = primary, S = secondary. Only the sequence of P/S marks in each row survived extraction; the criteria column each mark belongs to, and the X marks for IT resources, did not.
PO1 Define a Strategic IT Plan: P S
PO2 Define the Information Architecture: P S S S
PO3 Determine the Technological Direction: P S
PO4 Define the IT Organisation and Relationships: P S
PO5 Manage the Investment in IT: P P S
PO6 Communicate Management Aims and Direction: P S
PO7 Manage Human Resources: P P
PO8 Ensure Compliance with External Requirements: P P S
PO9 Assess Risks: S S P P P S S
PO10 Manage Projects: P P
PO11 Manage Quality: P P P S
AI1 Identify Solutions: P S
AI2 Acquire and Maintain Application Software: P P S S S
AI3 Acquire and Maintain Technology Architecture: P P S
AI4 Develop and Maintain IT Procedures: P P S S S
AI5 Install and Accredit Systems: P S S
AI6 Managing Changes: P P P P S
DS1 Define Service Levels: P P S S S S S
DS2 Manage Third-Party Services: P P S S S S S
DS3 Manage Performance and Capacity: P P S
DS4 Ensure Continuous Service: P S P
DS5 Ensure Systems Security: P P S S S
DS6 Identify and Allocate Costs: P P
DS7 Educate and Train Users: P S
DS8 Assisting and Advising IT Customers: P
DS9 Manage the Configuration: P S S
DS10 Manage Problems and Incidents: P S
DS11 Manage Data: P P
DS12 Manage Facilities: P P
DS13 Manage Operations: P P S S
M1 Monitor the Process: P S S S S S S
M2 Assess Internal Control Adequacy: P P S S S S S
M3 Obtain Independent Assurance: P P S S S S S
M4 Provide for Independent Audit: P P S S S S S
COBIT for Operations
COBIT could serve the following objectives for you:
- As general framework for minimal controls to be integrated into service delivery and support processes, placing clear focus on client objectives
Some specific approaches which could prove useful...
- Use COBIT to ensure that operational policies and procedures are sufficiently comprehensive
COBIT for Users
COBIT could serve the following objectives for you:
- As minimal guidance for internal control to be integrated within information systems, being fully operational or under development
Some specific approaches which could prove useful...
- Use COBIT to guide service level agreements
COBIT for the Security Officer
COBIT could serve the following objectives for you:
- As harmonising framework providing a way to integrate information security with other business related IT objectives
Some specific approaches which could prove useful...
- Use COBIT to structure the information security program, policies and procedures
COBIT for the Security Officer: Assess your Risks
COBIT for Auditors
COBIT could serve the following objectives for you:
- As basis for determining the IT audit universe and as IT control reference
Some specific approaches which could prove useful...
- Use COBIT as criteria for review and examination, and for framing IT-related audits
The objectives of auditing are to:
- provide management with reasonable assurance that control objectives are being met;
- where there are significant control weaknesses, to substantiate the resulting risks; and
- advise management on corrective actions.
Prior Audit Work Form
Columns: IT Process | In Scope (Yes / No) | Prior Opinion (Unqualified / Qualified / Adverse / Disclaimer) | Prior Audit (Material Weaknesses / Findings) | Disposition of Findings (Resolved / Unresolved / N/A / Not Determined)
Rows:
PO1 Define a Strategic IT plan
PO2 Define the Information Architecture
PO3 Determine the Technological Direction
PO4 Define IT Organization and Relationships
PO5 Manage the Investment
PO6 Communicate Management Aims and Direction
PO7 Manage Human Resources
PO8 Ensure Compliance with External Requirements
PO9 Assess Risks
PO10 Manage Projects
PO11 Manage Quality
AI1 Identify Automated Solutions
AI2 Acquire & Maintain Application Software
AI3 Acquire & Maintain Technology Architecture
AI4 Develop & Maintain Procedures
AI5 Install & Accredit System
AI6 Manage Changes
DS1 Define Service Levels
DS2 Manage Third-Party Services
DS3 Manage Performance & Capacity
DS4 Ensure Continuous Service
DS5 Ensure System Security
DS6 Identify & Allocate Costs
DS7 Educate & Train Users
DS8 Assist & Advise Customers
DS9 Manage the Configuration
DS10 Manage Problems & Incidents
DS11 Manage Data
DS12 Manage Facilities
DS13 Manage Operations
M1 Monitor the Processes
M2 Assess Internal Control Adequacy
M3 Obtain Independent Assurance
M4 Provide for Independent Audit
Insert the number of findings if there is more than one per process category and then reflect the appropriate number under each column.
COBIT for Auditors: Audit Guidelines
The process is audited by:
- Obtaining an understanding of business requirements, related risks, and relevant control measures
- Evaluating the appropriateness of stated controls
- Assessing compliance by testing whether the stated controls are working as prescribed, consistently and continuously
- Substantiating the risk of the control objectives not being met by using analytical techniques and/or consulting alternative sources.
COBIT for Auditors: Generic Audit Guideline
Gain an understanding of:
- Business requirements
- Organisation structure
- Roles and responsibilities
- Policies and procedures
- Laws and regulations
- Control measures in place
Evaluate the controls:
- Documented processes
- Appropriate deliverables
- Responsibility/accountability
- Compensating controls
Assess compliance:
- procedures
- process deliverables
- Determine level of testing
- provide assurance that the IT process is adequate
Substantiate the risk:
- control weaknesses
- actual and potential impact
Who needs COBIT?
Management needs COBIT
- to evaluate IT investment decisions
- to balance risk and control of investment in an often unpredictable IT environment
- to benchmark existing and future IT environment
Users need COBIT
- to obtain assurance on security and controls of products and services provided by internal and third-parties.
IS auditors need COBIT
- to substantiate opinions to management on internal controls
- to answer the question: What minimum controls are necessary?
Assessment of COBIT: Survey ISACA Switzerland Chapter 1997/98
Useful for:
- IT audits
- Setting targets for IT (comprehensive; for specific topics)
- Awareness (business and IT management)
Partly useful for:
- Health-check & risk-assessment
Not useful for:
- Detailed security policies
- Choosing controls
- Quick & dirty approaches
- Assessment of business related risks
Pros & Cons
Pros:
- A package for every possible target group: executive, business and IT manager, user; project manager, developer, operations; information security officer, auditor
- Well structured, comprehensive, precise
- Nationally and internationally accepted
- Very complete package: Executive Summary (There is a method...), Framework (The method is...), Control Objectives (Minimum controls are...), Audit Guidelines (Here's how you audit...), Implementation Tool Set (Here's how you implement...), CD with Info-DB
Cons:
- Needs a big starting effort
- Has reputation of an audit standard
- No control self assessment
Putting it all together: never go without your COBIT
(Framework figure: Business Processes; IT Resources: data, applications, technology, facilities, people; information criteria: effectiveness, efficiency, confidentiality, integrity, availability, compliance, reliability; domains: Planning & Organisation, Acquisition & Implementation, Delivery & Support, Monitoring)
- Don't concentrate on details
- Don't use all those gadgets
- Forget about do-it-yourself: only a comprehensive planning, acquisition, delivery and support of all IT resources will guarantee your success.