2004 San Francisco ISACA Fall Conference
Session S23: Use of COBIT as a Risk Management & Audit Framework for Access Compliance
Presented on October 5, 2004 by Lance M. Turcato, CISM, CISA, CPA
October 5, 2004 2004 San Francisco ISACA Fall Conference Slide 2
Speaker
Lance M. Turcato, CISM, CISA, CPA
Managing Director, Access Assessment & Policy Compliance
Information Security Administration
Charles Schwab & Co., Inc.
Email: [email protected]
Phone: 602-977-4376
Guest Speaker
Marta O'Shea, CISA
Senior Manager, Technology Infrastructure & Security Oversight
Internal Audit Department
Charles Schwab & Co., Inc.
Email: [email protected]
Phone: 415-636-7348
Audience Poll
COBIT Knowledge
- First exposure?
- General understanding?
- Strong knowledge of COBIT framework?
Current Users of COBIT
- Incorporated into audit process?
- Adopted by IT management?
- Users of a framework other than COBIT?
Agenda (Topic, Page)
Overview of COBIT Framework
- COBIT Mission, Objectives, Scope & Components (6)
- COBIT Role in IT Governance (7)
- COBIT Family (8)
- Framework (9)
- Control Objectives (17)
- Audit Guidelines (26)
- Management Guidelines (30)
COBIT As An Audit Framework
- Process for Implementing COBIT (40)
- Audit Approach Overview (47)
COBIT As A Risk Framework For Information Security
- Defining Security Requirements (60)
- Measuring Security & Assessing Risk (63)
- Available Tools (70)

Overview of COBIT Framework
Source of Information: IT Governance Institute (http://www.itgi.org/)
COBIT's Mission, Scope & Objectives
Mission: "To research, develop, publicize and promote an authoritative, up-to-date, international set of generally accepted Information Technology Control Objectives for day-to-day use by business managers and auditors."
Scope & Objectives:
- Generally applicable and accepted international standard for good practice for Information Technology controls
- For application to enterprise-wide information systems, regardless of technology employed (generic)
- Focused on business requirements for information
- Management (business process owner) oriented
- Based on IT Governance Institute Control Objectives:
  - aligned with the de jure and de facto standards and regulations
  - based on critical review of tasks and activities or function
COBIT's Role In IT Governance
IT Governance Framework (cycle diagram; nodes as labelled):
- IT Management sets measurable goals
- Deliver against goals
- Measure performance
- Compare results
- Address gaps
- Apply consistent control framework
- Internal Audit
COBIT Family, 3rd Edition
- "There is a Method..."
- "The Method Is..."
- "Minimum Controls Are..."
- "Here's How You Audit..."
- "Here's How You Measure Your Performance..."
- "Here's How You Implement..."
COBIT: Pieces of The Puzzle
Components: Executive Summary, Framework, Control Objectives, Audit Guidelines, Management Guidelines, Implementation Tool Set
- Executive Summary: Senior Executives (CEO, CIO). Provides awareness on key concepts for Senior Management.
- Framework: Senior Operational Management (Directors of IT and IS Audit / Controls). Describes 34 high-level objectives.
- Control Objectives: Middle Management (Mid-Level IT Management and IS Audit / Controls Managers / Seniors). Statements of desired results achieved by implementing 318 specific control objectives.
- Audit Guidelines: Line Management and Controls Practitioner (Applications or Operations Manager and Auditor). Suggested audit procedures.
- Management Guidelines: Senior Operational Management, Director of IS, Mid-Level IT Management and IT Audit / Control Managers. Critical Success Factors, Key Performance Indicators, Key Goal Indicators, Maturity Model.
- Implementation Tool Set: Director of IS and Audit / Control, Mid-Level IS Management and IS Audit / Control Managers. Suggested implementation tools and implementation success stories.
Framework
COBIT As An IT Control Framework
- Starts from the premise that IT needs to deliver the information that the enterprise needs to achieve its objectives
- Promotes process focus and process ownership
- Divides IT into 34 processes belonging to four domains (providing a high-level control objective for each process)
- Looks at fiduciary, quality and security needs of enterprises, providing seven information criteria that can be used to generically define what the business requires from IT
- Is supported by a set of over 300 detailed control objectives
IT Domains: Planning; Acquiring & Implementing; Delivery & Support; Monitoring
Information Criteria: Effectiveness; Efficiency; Availability; Integrity; Confidentiality; Reliability; Compliance
Framework
COBIT Framework - Components
- IT Domains & Processes
- Information Criteria = Business Requirements
- IT Resources
Diagram (COBIT cube): Business Requirements, expressed as Information Criteria (Quality, Fiduciary, Security), are satisfied by IT Processes (Domains, Processes, Activities), which use IT Resources (People, Application Systems, Data, Technology, Facilities).
Framework
COBIT Domains of Processes & Activities
- Domains: Natural grouping of processes, often matching an organizational domain of responsibility.
- Processes: A series of joined activities with natural (control) breaks.
- Activities: Actions needed to achieve a measurable result. Activities have a life-cycle whereas tasks are discrete.
Framework
Business Requirements
Business Requirements = Information Criteria
- Quality Requirements: Quality; Cost; Delivery
- Fiduciary Requirements (COSO Report): Effectiveness and Efficiency of Operations; Reliability of Financial Reporting; Compliance with Laws and Regulations
- Security Requirements: Confidentiality; Integrity; Availability
Framework
IT Resources
- Data: Data objects in their widest sense (i.e., external and internal, structured and non-structured, graphics, sound, etc.)
- Application Systems: understood to be the sum of manual and programmed procedures.
- Technology: covers hardware, operating systems, database management systems, networking, multimedia, etc.
- Facilities: Resources to house and support information systems.
- People: Staff skills, awareness and productivity to plan, organize, acquire, deliver, support and monitor information systems and services.
Framework
COBIT Framework - Examples
- IT Domains: Planning & Organization; Acquisition & Implementation; Delivery & Support; Monitoring
- IT Processes: IT strategy; Change Management; Contingency Planning; Problem Management; Policy & Procedures; Feasibility Study; Acceptance Testing; etc.
- Activities: record new problem; analyze; propose solution; monitor solution; record known problem; etc.
Framework
COBIT Framework Illustrated
COBIT's Golden Rule: "In order to provide the information that the organization needs to achieve its objectives, IT resources need to be managed by a set of naturally grouped processes." (IT Governance Institute)
Control Objectives
Linking The Processes To Control Objectives (34 High-level and 300+ Detailed Objectives)
COBIT's Waterfall and Navigation Aids, linking Process, Resource & Criteria
Waterfall: The control of IT Processes, which satisfy Business Requirements, is enabled by Control Statements and considers Control Practices.
Process Domains: Planning & Organisation; Acquisition & Implementation; Delivery & Support; Monitoring
Information Criteria: effectiveness, efficiency, confidentiality, integrity, availability, compliance, reliability (the navigation aid marks each criterion P (primary) or S (secondary) for the process)
IT Resources: people, applications, technology, facilities, data (the navigation aid ticks the resources each process applies to)
Control Objectives
Linking The Processes To Control Objectives (Example)
Control over the IT process of DEFINING A STRATEGIC IT PLAN
that satisfies the business requirement to strike an optimum balance of information technology opportunities and IT business requirements as well as ensuring its further accomplishment
is enabled by a strategic planning process undertaken at regular intervals giving rise to long-term plans; the long-term plans should periodically be translated into operational plans setting clear and concrete short-term goals
and takes into consideration:
- enterprise business strategy
- definition of how IT supports the business objectives
- inventory of technological solutions and current infrastructure
- monitoring the technology markets
- timely feasibility studies and reality checks
- existing systems assessments
- enterprise position on risk, time-to-market, quality
- need for senior management buy-in, support and critical review
Control Objectives
COBIT IT Processes / High-Level Objectives
Planning and Organization
- PO 1 Define a Strategic IT Plan
- PO 2 Define the Information Architecture
- PO 3 Determine Technological Direction
- PO 4 Define the IT Organization and Relationships
- PO 5 Manage the IT Investment
- PO 6 Communicate Management Aims and Direction
- PO 7 Manage Human Resources
- PO 8 Ensure Compliance with External Requirements
- PO 9 Assess Risks
- PO 10 Manage Projects
- PO 11 Manage Quality
Acquisition and Implementation
- AI 1 Identify Automated Solutions
- AI 2 Acquire and Maintain Application Software
- AI 3 Acquire and Maintain Technology Infrastructure
- AI 4 Develop and Maintain Procedures
- AI 5 Install and Accredit Systems
- AI 6 Manage Changes
Delivery and Support
- DS 1 Define and Manage Service Levels
- DS 2 Manage Third-Party Services
- DS 3 Manage Performance and Capacity
- DS 4 Ensure Continuous Service
- DS 5 Ensure Systems Security
- DS 6 Identify and Allocate Costs
- DS 7 Educate and Train Users
- DS 8 Assist and Advise Customers
- DS 9 Manage the Configuration
- DS 10 Manage Problems and Incidents
- DS 11 Manage Data
- DS 12 Manage Facilities
- DS 13 Manage Operations
Monitoring
- M 1 Monitor the Processes
- M 2 Assess Internal Control Adequacy
- M 3 Obtain Independent Assurance
- M 4 Provide for Independent Audit
Control Objectives
Example Control Objectives For A Process
DOMAIN: Planning and Organization (PO)
PROCESS (High-level Control Objective): Define a Strategic IT Plan (PO 1)
DETAILED CONTROL OBJECTIVES:
- PO 1.1 IT as Part of the Organization's Long- and Short-Range Plan
- PO 1.2 IT Long-Range Plan
- PO 1.3 IT Long-Range Planning Approach and Structure
- PO 1.4 IT Long-Range Plan Changes
- PO 1.5 Short-Range Planning for the IT Function
- PO 1.6 Communication of IT Plans
- PO 1.7 Monitoring and Evaluating of IT Plans
- PO 1.8 Assessment of Existing Systems
Control Objectives
Example Control Objectives For A Process
DEFINE A STRATEGIC INFORMATION TECHNOLOGY PLAN (PO 1)
PO 1.1 - IT as Part of the Organization's Long- and Short-Range Plan
CONTROL OBJECTIVE
Senior management is responsible for developing and implementing long- and short-range plans that fulfill the organization's mission and goals. In this respect, senior management should ensure that IT issues as well as opportunities are adequately assessed and reflected in the organization's long- and short-range plans. IT long- and short-range plans should be developed to help ensure that the use of IT is aligned with the mission and business strategies of the organization.
Control Objectives
Summary of COBIT At This Point
- Framework defines a construct for reviewing IT.
- Four domains are identified.
- Within each domain there are processes, 34 in total.
- Within each process there are high-level IT control objectives defining controls that should be in place.
- For each of the 34 processes, there are from 3 to 30 detailed IT control objectives (300+ in total).
- IT control objectives are generic and applicable to all environments.
- COBIT is a systematic and logical method for defining and communicating IT control objectives.
Audit Guidelines
COBIT Audit Guidelines - Purpose
COBIT provides detailed audit guidelines for each of the 34 IT processes:
- Enables the auditor to review specific IT processes against COBIT's Control Objectives to determine where controls are sufficient or advise management where processes need to be improved.
- Helps process owners answer questions: "Is what I'm doing adequate? And, if not, how do I fix it?"
Audit Guidelines
COBIT Audit Guidelines - Objectives
- To provide a simple, generic, and high-level structure for auditing IT controls:
  - based on generally accepted audit practices
  - aligned with the COBIT framework
  - generic for applicability to varying audit objectives and practices
  - providing clear policies and good practices for security and control of information and related technologies
  - enabling the development of specific audit programs or the enhancement of existing programs
- To enable auditors to review IT processes against COBIT's recommended detailed control objectives to provide management assurance and/or advice for improvement
- The Audit Guidelines are NOT intended as:
  - a tool for creating the overall audit plan
  - a tool for providing audit training
  - a solution for audit automation (although there are lots of opportunities)
  - exhaustive or definitive; guidelines will continue to evolve
Management Guidelines
COBIT Management Guidelines
COBIT 3rd Edition added a Management and Governance layer, providing management with a toolbox containing:
- A maturity model to assist in benchmarking and decision-making for control over IT
- A list of critical success factors (CSF) that provides succinct non-technical best practices for each IT process
- Generic and action-oriented performance measurement elements (key performance indicators [KPI] and key goal indicators [KGI]: outcome measures and performance drivers for all IT processes)
Purpose:
- IT control profiling: what is important?
- Awareness: where is the risk?
- Benchmarking: what do others do?
Management Guidelines
Maturity Model
Method of scoring the maturity of IT processes, derived from the maturity model defined by the Software Engineering Institute for the maturity of software development.
Diagram: current maturity plotted against Management's Target Goal; GAP Analysis (Current vs. Goal).
Management Guidelines
Maturity Model - GENERIC
Generic Maturity Model:
- 0 Non-Existent. Complete lack of any recognisable processes. The organisation has not even recognised that there is an issue to be addressed.
- 1 Initial. There is evidence that the organisation has recognised that the issues exist and need to be addressed. There are however no standardised processes but instead there are ad hoc approaches that tend to be applied on an individual or case by case basis. The overall approach to management is disorganised.
- 2 Repeatable. Processes have developed to the stage where similar procedures are followed by different people undertaking the same task. There is no formal training or communication of standard procedures and responsibility is left to the individual. There is a high degree of reliance on the knowledge of individuals and therefore errors are likely.
- 3 Defined. Procedures have been standardised and documented, and communicated through training. It is however left to the individual to follow these processes, and it is unlikely that deviations will be detected. The procedures themselves are not sophisticated but are the formalisation of existing practices.
- 4 Managed. It is possible to monitor and measure compliance with procedures and to take action where processes appear not to be working effectively. Processes are under constant improvement and provide good practice. Automation and tools are used in a limited or fragmented way.
- 5 Optimised. Processes have been refined to a level of best practice, based on the results of continuous improvement and maturity modelling with other organisations. IT is used in an integrated way to automate the workflow, providing tools to improve quality and effectiveness, making the enterprise quick to adapt.
Management Guidelines
Maturity Model - PROCESS SPECIFIC
DS5 - Ensure System Security (Rating: Description)
- 0 Non-Existent: The organization does not recognize the need for IT security. Responsibilities and accountabilities are not assigned for ensuring security. Measures supporting the management of IT security are not implemented. There is no IT security reporting and no response process to IT security breaches. There is a complete lack of a recognizable system security administration process.
- 1 Initial: The organization recognizes the need for IT security, but security awareness depends on the individual. IT security is addressed on a reactive basis and not measured. IT security breaches invoke "finger pointing" responses if detected, because responsibilities are unclear. Responses to IT security breaches are unpredictable.
- 2 Repeatable: Responsibilities and accountabilities for IT security are assigned to an IT security co-ordinator with no management authority. Security awareness is fragmented and limited. IT security information is generated, but is not analyzed. Security solutions tend to respond reactively to IT security incidents and by adopting third-party offerings, without addressing the specific needs of the organization. Security policies are being developed, but inadequate skills and tools are still being used. IT security reporting is incomplete, misleading or not pertinent.
- 3 Defined: Security awareness exists and is promoted by management. Security awareness briefings have been standardized and formalized. IT security procedures are defined and fit into a structure for security policies and procedures. Responsibilities for IT security are assigned, but not consistently enforced. An IT security plan exists, driving risk analysis and security solutions. IT security reporting is IT focused, rather than business focused. Ad hoc intrusion testing is performed.
- 4 Managed: Responsibilities for IT security are clearly assigned, managed and enforced. IT security risk and impact analysis is consistently performed. Security policies and practices are completed with specific security baselines. Security awareness briefings have become mandatory. User identification, authentication and authorization are being standardized. Security certification of staff is being established. Intrusion testing is a standard and formalized process leading to improvements. Cost/benefit analysis, supporting the implementation of security measures, is increasingly being utilized. IT security processes are co-ordinated with the overall organization security function. IT security reporting is linked to business objectives.
- 5 Optimized: IT security is a joint responsibility of business and IT management and is integrated with corporate security business objectives. IT security requirements are clearly defined, optimized and included in a verified security plan. Security functions are integrated with applications at the design stage and end users are increasingly accountable for managing security. IT security reporting provides early warning of changing and emerging risk, using automated active monitoring approaches for critical systems. Incidents are promptly addressed with formalized incident response procedures supported by automated tools. Periodic security assessments evaluate the effectiveness of implementation of the security plan. Information on new threats and vulnerabilities is systematically collected and analyzed, and adequate mitigating controls are promptly communicated and implemented. Intrusion testing, root cause analysis of security incidents and pro-active identification of risk is the basis for continuous improvements. Security processes and technologies are integrated organization wide.
Management Guidelines
Measuring Success
- Critical Success Factors: What are the most important things to do to increase the probability of success of the process? Example (DS4): Critical infrastructure components are identified and continuously monitored.
- Key Performance Indicators: Measure how well the process is performing. Example (DS4): Number of outstanding continuous service issues not resolved or addressed.
- Key Goal Indicators: Measure whether an IT process achieved its business requirements. Examples (DS4): No incidents causing public embarrassment. Number of critical business processes relying on IT that have adequate continuity plans.
Management Guidelines
CSF - Critical Success Factors
Management-oriented IT control implementation guidance: observable, usually measurable, characteristics of the organization and processes.
- Most important things that contribute to the IT process achieving its goal: strategically, technically, organizationally, and by process or procedure
- Visible and measurable signs of success
- Control Statements and Considerations of the "Waterfall"
- Short, focused and action oriented; focus on obtaining, maintaining and leveraging capability and skills
Management Guidelines
KGI - Key Goal Indicators
Measurable indicators of the process achieving its goal.
- Describe the outcome of the process and are therefore "lag" indicators (i.e., measurable after the fact)
- Are indicators of the success of the process, but may be expressed as well in terms of the business contribution, if that contribution is specific to that IT process
- Represent the process goal (i.e., a measure of "what" target to achieve)
- Are IT oriented, but business driven (Business Requirements from the "Waterfall")
- Are expressed in precise measurable terms, wherever possible
- Focus on those information criteria that have been identified to be of most importance for the process
Management Guidelines
KPI - Key Performance Indicators
Measurable indicators of performance of the enabling factors.
- Are a measure of "how well" the process is performing
- Predict the probability of success or failure in the future (i.e., "LEAD" indicators)
- Are expressed in precise, measurable terms
- Show how well management leverages / manages the resources needed for the process
- Control Statements & Control Practices from the "Waterfall"
- Are process oriented, but IT driven
- Help in improving the IT process
Management Guidelines
CSF, KGI, KPI - Examples
Critical Success Factors
- IT performance is measured in financial terms, in relation to customer satisfaction, for process effectiveness and for future capability, and IT management is rewarded based on these measures
- The processes are aligned with the IT strategy and with the business goals; they are scalable and their resources are appropriately managed and leveraged
- Everyone involved in the process is goal focused and has the appropriate information on customers, on internal processes and on the consequences of their decisions
- A business culture is established, encouraging cross-divisional co-operation and teamwork, as well as continuous process improvement
- Control practices are applied to increase transparency, reduce complexity, promote learning, provide flexibility and allow scalability
- Goals and objectives are communicated across all disciplines and are understood
- It is known how to implement and monitor process objectives and who is accountable for process performance
- A continuous process quality improvement effort is applied
- There is clarity on who the customers of the process are
- The required quality of staff (training, transfer of information, morale, etc.) and availability of skills (recruit, retain, re-train) exist
Key Performance Indicators
- System downtime
- Throughput and response times
- Amount of errors and rework
- Number of staff trained in new technology and customer service skills
- Benchmark comparisons
- Number of non-compliance reportings
- Reduction in development and processing time
Key Goal Indicators
- Increased level of service delivery
- Number of customers and cost per customer served
- Availability of systems and services
- Absence of integrity and confidentiality risks
- Cost efficiency of processes and operations
- Confirmation of reliability and effectiveness
- Adherence to development cost and schedule
- Cost efficiency of the process
- Staff productivity and morale
- Number of timely changes to processes and systems
- Improved productivity (e.g., delivery of value per employee)

COBIT As An Audit Framework: A Success Story
Additional Information: COBIT Case Study
(http://www.itgi.org/casestudy4.htm)
(http://www.isaca.org/ctcase27.htm)
Process For Implementing COBIT
Integrating COBIT into IT Governance, Risk Management, & Systems Audit Approach:
- Recognize Need
- Educate Senior IT Management
- Map COBIT to FFIEC Examination Guidelines
- Map Audit Universe to COBIT High Level Control Objectives
- Map Annual Audit Plan to COBIT Detailed Level Control Objectives (IT Activities)
- Develop Questionnaire / Joint Risk Self-Assessment
- Facilitate Assessment Work Sessions with Client
- Analyze, Document, Validate Results, Report To Management
The Need: Increased Regulatory Focus
Regulatory Ratings: Overall (UFIRS) & IT-Specific (URSIT)
Uniform Financial Institution Rating System (UFIRS): Composite Score (1-5)
- UFIRS rating reflects institution safety and soundness.
- IT (URSIT) is one of many components evaluated to determine the UFIRS score.
Uniform Rating System for Information Technology (URSIT): Composite Score (1-5)
URSIT Rating Criteria: 1 = Strong; 2 = Satisfactory; 3 = Less than Satisfactory; 4 = Deficient; 5 = Critically Deficient
Federal Reserve issued SR 99-8 (SUP), March 31, 1999, which references COBIT.
COBIT Maturity Ratings: 0 = Non-Existent; 1 = Initial; 2 = Repeatable; 3 = Defined; 4 = Managed; 5 = Optimized
Note the inverted scale: a Fed rating of 5 is deficient and a COBIT rating of 5 is Optimized.
Educating Senior IT Management
Encouraging Senior IT Management To Adopt COBIT
- Framework for Risk Self-Assessment (RSA) process
- Emphasize business orientation (NOT audit orientation)
- Emphasize value of self-assessment, performance measurement and benchmarking; provide real examples
- Knowledge that COBIT is based on industry standards with input from many sources
- Resource for regulatory examinations
- During rollout, monitor progress and report on results
Educating IT Management At All Levels
- Executive summary focus for senior management
- Workshops for line management and key technicians
- Integration with the audit process (engagement memos, audit kick-off meetings, work sessions, reporting)
Linking COBIT To Other Sources of "Best Practice"
Illustration only: COBIT objectives mapped to relevant FFIEC examination criteria (columns: COBIT Ref., COBIT Domains & Control Objectives, FFIEC Ref., FFIEC Chapter Title & Relevant Section)
PLANNING & ORGANIZATION
PO1 Define a Strategic IT Plan
- 1.1 IT as Part of the Organization's Long- and Short-Range Plan: 10-1 Corporate Contingency Planning Responsibilities
- 1.2 IT Long-Range Plan: 9-6 Planning
- 1.3 IT Long-Range Planning, Approach & Structure: 9-6 Planning
- 1.4 IT Long-Range Plan Changes: 9-6 Planning
- 1.5 Short-Range Planning for the IT Function: 9-6 Planning
- 1.6 Communication of IT Plans: 9-6 Planning
- 1.7 Monitoring & Evaluating of IT Plans: 9-8 Controls
- 1.8 Assessment of Existing Systems: 12-2 System Development Standards
PO2 Define the Information Architecture
- 2.1 Information Architecture Model
- 2.2 Corporate Data Dictionary & Data Syntax Rules
- 2.3 Data Classification Scheme
- 2.4 Security Levels: 14-1 Security Plan; 14-2 Security Administration and Accountability
Other considerations: map to relevant ISO standards, technology-specific process / control methodologies, etc.
FFIEC = Federal Financial Institutions Examination Council
Alignment With Technology Infrastructure (Illustration Only)
Network diagram elements: Internet; Firewalls / Secure Routing; DMZ (Email, FTP, DNS; Databases & Applications; Other Servers); Firewalls; Monitoring, Intrusion Detection & Anti-Virus Systems; Routers; LANs; Remote LANs; VPN; Remote Access; Subsidiaries; 3rd Parties; Mainframe Systems (Databases & Applications); Distributed Systems, UNIX & Windows (Databases & Applications)
External Risks: Vulnerability to Hackers
Internal Risks: Unauthorized Access by Internal Users (employees or contractors)
Security Audit Universe
- Security Governance
- Identity Management
- Access Management & Compliance
- Distributed Security
- Mainframe Security
- Security Monitoring
- Remote Access Security
- Intrusion Detection
- Virus Prevention
- Physical Security
- Incident Response
- Software Management
- Network & Perimeter Security
- Application Security
- Database Security
Map Audit Universe To COBIT
Illustration only: matrix of audit universe areas against high-level objectives (i.e. PO2); applicable objectives noted with "X".
Audit Approach Overview
Flow diagram (steps numbered 1-9; only the numbers for Engagement Memo (3), Exit Meeting (7) and QAR (9) are legible):
- Audit Planning Session
- Audit Team
- COBIT Manuals & Other Best Practice Material
- COBIT To Audit Mapping Template
- Work Program
- Engagement Memo (3)
- Kick-Off Meeting
- COBIT Control Assessment Questionnaire
- Client Work Sessions
- Audit Testing
- Exit Meeting (7)
- Reporting
- QAR (9)
Map Audit Plan To COBIT
Illustration: the audit plan mapped by high-level objective (i.e. PO2) and detailed-level objective (i.e. 2.1); applicable objectives noted in one column, risk category noted in another.
Using COBIT Framework To Tie It All Together�
Illustration Only
Use of a Frameworkensures consistent coverageacross audits and allows for
trending the �state of controls� over time.
COBIT ControlAssessment Questionnaire
WorkProgram
Engagement Memo
Audit Report
Slide 49
COBIT Control Assessment Questionnaire
[Annotated questionnaire layout.]
- One table for each high-level COBIT objective included in scope; one COBIT control objective per row, plus XYZ Company specific control objectives.
- Columns: preplanned assessment questions; client's response & assessment results; COBIT maturity rating (0-5) assigned based on the joint assessment.
- The overall maturity rating for each high-level control objective is assigned based on the results of the joint assessments of each detailed control objective.
The questionnaire is used during joint work sessions held with clients to complete a joint risk assessment of the area under review.
Slide 50
COBIT Based Audit Report
[Annotated report layout.]
- Overall rating and the client's target goal
- Overall conclusion statements supporting the overall rating
- Audit metrics (carried forward to the QAR)
- Concise background & scope
- Control weakness highlighting business impact, with issue priority (A, B, C)
- Client-provided responses: responsible manager, provided response, due date
Slide 51
COBIT Based Audit Report
Strategic Focal Point Table (one row for each high-level objective included in scope):
- Overall rating for the high-level control objective
- Key performance indicators (i.e., metrics) highlighted
- Detailed control objectives included in scope listed
- Summary conclusions and points supporting the rating
Control Focal Point Table (highlighting key controls):
- Applicable detailed control objective (one per row; corresponds to a row in the Assessment Questionnaire)
- Key performance indicators (i.e., metrics) highlighted
- Summary conclusions and points supporting the rating
- Assigned maturity rating
Slide 52
COBIT Based Audit Report (Illustration Only)
[Process workflow diagram for the area assessed, with a table defining the key control points in the process flow: each control point is marked as an automated or manual control, and key performance indicators (i.e., metrics) are highlighted.]
Slide 53
COBIT To Audit Mapping Repository (Illustration Only)
[Diagram: the repository links the Questionnaire, the Audit Report and the Quarterly Report Of Audit Results (QAR).]
Slide 54
Quarterly Audit Report - Audit Results Metrics
[Chart: "IAD Focal Point Methodology Scorecard - Overall Audit Results", Charles Schwab & Co, Inc., date printed 03/24/2003, page 6. Stacked bar charts (0-100%) for Overall, Security Audits (refer to slide 7) and Infrastructure Audits (refer to slide 6), by period: Q1 Prior Year, Q2 2002, Q3, Q4, YTD. Each bar is broken down by COBIT maturity rating: 0 - Non-Existent, 1 - Initial, 2 - Repeatable, 3 - Defined, 4 - Managed, 5 - Optimized. Notes on the chart: "Data Not Available For 2001", "No Reports Issued", "TBD". The individual bar percentages are not recoverable from the extracted text.]
Analysis of Key Technology Metrics
May 20, 2003 2003 North America CACS Conference Slide 77
Example of Metric Analysis To Include In QAR (Illustration Only)
[Chart 1: percentage of change tickets (0-100%) by outcome for Q1 2002, Q2 2002, Q3 2002 and YTD: Successful, Failed & Backed Out, Caused Problem, Caused Outage, Cancelled, Unstatused. Target rate 97% (source: Technology Management Balanced Scorecard). Chart 2: the same periods on a 0-25% scale for Failed & Backed Out, Caused Problem, Caused Outage, Cancelled and Unstatused.]
Although target rates have not been achieved, change management processes are successful on average 75% of the time. Less than 1% of appropriately recorded changes resulted in problems or outages.
Internal Audit Observations:
- Change management processes appear to be consistently applied, with only minor variances in volume.
- A large percentage (~20%) of "unstatused" tickets indicates process adherence issues. True results cannot accurately be determined; therefore, additional management scrutiny is appropriate for the "unstatused" items.
- The trend for tickets with implementation problems is increasing; additional analysis to ascertain the root cause of the increase in this activity would be appropriate. The root cause may rest with testing and validation processes.
Slide 55
Benefits Realized
- IT management partners with Internal Audit throughout the audit life cycle, including input into the audit schedule and scope.
- IT management becomes conversant in risk, control, and audit concepts.
- Relationships are transformed into partnerships by jointly assessing control procedures.
- The audit report is streamlined: a concise report supported by a detailed questionnaire (i.e., Risk Self Assessment - RSA).
- The audit approach is methodical and is consistent with IT Governance practices implemented throughout the company's technology organization.
- Meaningful reporting for senior IT management; facilitated efforts to implement processes necessary for Sarbanes-Oxley compliance.
Slide 56
Additional Audit Resources
- Templates (http://www.sfisaca.org/resources/downloads.htm)
- COBIT Case Study (http://www.itgi.org/casestudy4.htm) (http://www.isaca.org/ctcase27.htm)
COBIT As A Risk Management Framework For Information Security
Case Study: Information Security - Access Compliance
Slide 58
Drivers of Information Security Requirements
Business Drivers:
- Shorter business cycles
- Need to involve/connect/tie in with more partners
- Network centric business models
- Leverage VPN, remote access, new tools
- Regulatory requirements
Technology Drivers:
- Manage risk: Internet - UNIX - TCP/IP; more hackers, more tools; increased dependency on IT
- Leverage opportunities: e-cash, e-commerce, e-tc.; open, modular, scalable; security a commodity
Management "Buy In" - Key To Success!
- Awareness (value of IT governance framework)
- Perceived / understood risk
- Cost / benefit
- Benchmarks
- Clarity of purpose
Slide 59
Senior Management Awareness - Tone From Top
Questions From Senior Management / Board:
- What does security cost?
- Have we completed a risk assessment in order to define where the enterprise is most vulnerable (i.e., where do we most appropriately focus our security resources)?
- How do we measure our "state" of security?
- How do we ensure that customer data (NPI) and sensitive financial information is appropriately safeguarded and only accessible by users with a business "need to know or use" the data?
- Do we know for certain how many people are accessing the organization's systems? Are we monitoring the access? Are resource owners appropriately engaged?
- What are the most critical information assets of the enterprise (do we have an inventory)? Has data been classified and secured based on relative risk? Do we maintain an inventory of all system devices that the company owns / leases? Would management know if some went missing?
- Would people recognize a security incident when they saw one? Would they ignore it? Would they know what to do about it?
- Has the organization ever had its security "validated" by a third party?
Slide 60
Cost of Information Security
[Chart: Cost of Security / Control versus IT Budget. Operating levels shown: Industry Leader (Leadership); Best Practices (Benchmarking); Baseline Operation (Minimum Requirements); "Cowboy" Operation (Non-Compliance). Percentage bands on the chart: 45-50%, 55%, 20-25%, 5-10%; arrows are marked "= Drivers". The mapping of bands to levels is not recoverable from the extracted text.]
Slide 61
Monitoring Emerging Risk Indicators: Is Risk Well Managed?
Risk management is concerned (in part) with processes designed and sustained by management to reduce the risk of material error.
- Frequent measurement of results is a prerequisite for a sustained and controlled environment.
- Standardization and design are prerequisites for repeatability.
Risk Drivers - Lessons Learned From COBIT?
Risk decreases when processes are:
- Mature: sustainable and measurable
- Repeatable and predictable
- Systematic / automated
- Monitored
- Standardized (designed / defined)
- Documented and communicated
Risk increases when processes are:
- Inconsistent
- Ad-hoc (not standardized)
- Not monitored
- Relying upon the knowledge of individuals (i.e., lack of documentation)
"In line with COBIT's Management Guidelines, access management should include formal steps for proactively evaluating compliance via monitoring activities and meaningful performance indicators (i.e., metrics)."
Slide 62
Monitoring Emerging Risk Indicators: Ongoing Measurement / Ongoing Dialogue
Monitor key performance indicators (i.e. metrics) on an ongoing basis.
[Two diagrams plotting the Control Environment against Time, each contrasting Expectation with Reality. Traditional Risk Assessment Approach (prioritization based on annual risk assessment of function): Assess 1 at t1 and Assess 2 at t2, each followed by a Report. Ongoing Monitoring Of Risk Indicators (gaining efficiencies through focus on high risk indicators): reports are issued continually between t1 and t2.]
Challenges Of "Point-In-Time" Assessment:
- Evaluation of risk and control is as of a point in time.
- Management reporting is reflective of results as of a point in time.
- Priorities may be influenced by prior results (i.e., focus on past areas of weakness). Good or bad?
- If a risk assessment on the function has not been completed for a long time, there may be a learning curve.
Benefits of Ongoing Monitoring:
- Quarterly readout of assessment results for technology management.
- Ongoing dialogue regarding areas of significant or increasing risk.
- Priorities more closely associated with known risk factors, ultimately leading to more controlled risk mitigation and potential process improvements / efficiency gains.
Slide 63
Monitoring Emerging Risk Indicators: Overall Objective & Goal
The goal is to proactively monitor metrics on an ongoing basis to focus risk remediation efforts on high-risk processes and tasks where performance indicators indicate potential problems.
Results of the metric analysis are presented to senior management on a quarterly basis. The analysis indicates priorities for remediation efforts and any required changes to existing processes.
Slide 64
Information Security: Security Metrics Development Process
Slide 65
Information Security: Security Metrics Implementation Process
Slide 66
Information Security: Measuring Performance (illustration only)
[Chart 1: six security dimensions, grouped under Policy, Process and Tools & Technology, each ranked 0-5: 1. Policies & Procedures; 2. Security Management; 3. Human Behaviour & Culture; 4. Application Security; 5. System Access Control; 6. Network Segregation.]
Legend for ranking used:
- 5 - Excellent: best possible, highly integrated
- 4 - Very good: advanced level of practice
- 3 - Good: moderately good level of practice
- 2 - Fair: some effort made to address issues
- 1 - Poor: recognise the issues
- 0 - Very poor: complete lack of good practice
Legend for symbols used: average of best security performers in the financial industry (begin '96); company status - Feb '97; company objective for 2001.
[Chart 2: overall score (0-100) by year, 1996 through 2001; the individual values are not recoverable from the extracted text.]
Slide 67
Information Security: Measuring Performance (illustration only)
The Security Officer consistently performs both internal and external vulnerability scans on a monthly basis. The majority of vulnerabilities identified are low risk.
[Two bar charts, Internal Vulnerability Scans and External Vulnerability Scans, for Q1 2002, Q2 2002 and YTD, each broken down into Low Risk, Medium Risk and High Risk vulnerabilities (y-axis 0-1000 on one chart, 0-3000 on the other). Callouts A and B mark the observations below; a further callout notes a slight increase in high risk vulnerabilities.]
Observations:
- An increase in internal vulnerabilities occurred from Q1 to Q2. The increase is explained by new system patches checked for by the vulnerability scanner that have not yet been applied to the XYZ company servers. Technology management appropriately applies patches only after the patches have been tested and certified.
- A decrease in external vulnerabilities was noted from Q1 to Q2. These results demonstrate that a significant number of Q1 vulnerabilities have been resolved.
Slide 68
Information Security: Key Indicators - Access Compliance
- Access administration workflow (adds, changes, deletions, special requests)
- Access administration service level attainment (measured against target / goal)
- Percentage of ID requests submitted with appropriate approvals
- Inactive ID remediation (percentage decline over time)
- Privileged access oversight (percentage of total IDs)
- Shared / generic ID oversight (percentage of total IDs)
- Percentage of current access administration policies / standards
- Percentage of current access administration guidelines
- Percentage of current access administration procedures
- Number of access related incidents reported
- Average time elapsed between incident discovery and implementation of corrective action
- Percentage of IDs for which supervisory review has been completed in the past quarter to validate that access remains appropriate for the user's job function
- Percentage of systems for which access security parameters have been tested and evaluated in the past year, and percentage of non-compliant systems
- Percentage of system resources without a defined / accountable resource owner assigned
- Percentage of systems that maintain logs (audit trail) to trace user activity
- Percentage / number of access violations to critical system resources
- Percentage of passwords not in compliance with policy (password quality)
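As an added illustration of how several of the indicators above can be produced from an account inventory (this is example code written for this page, not the presenter's scorecard template or any Schwab tooling), the following computes the inactive ID, privileged ID, shared / generic ID, approval, supervisory review and incident corrective-action indicators. Every ID, date and incident is constructed, and the 90-day inactivity window and 91-day "past quarter" window are assumptions rather than values from the presentation.

```python
"""Access-compliance scorecard computed from a constructed ID inventory.

Added example, not from the presentation: derives several of the access
compliance key indicators (inactive IDs, privileged IDs, shared / generic
IDs, approvals, supervisory review, incident corrective-action time) from
an account inventory. All IDs, dates and incidents are constructed, and
the 90-day inactivity window and 91-day "past quarter" window are
assumptions, not values taken from the presentation.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class Account:
    user_id: str
    privileged: bool             # elevated rights (e.g. admin, root, DBA)
    shared: bool                 # shared / generic ID not tied to one person
    approved: bool               # ID request carried the required approval
    last_login: Optional[date]   # None = never used
    last_review: Optional[date]  # last supervisory review of the user's access


@dataclass
class Incident:
    discovered: date
    corrected: Optional[date]    # None = corrective action still open


INACTIVE_AFTER_DAYS = 90  # assumption: no login for 90 days => inactive ID
QUARTER_DAYS = 91         # assumption: length of the "past quarter" window


def pct(part: int, whole: int) -> float:
    """Percentage rounded to one decimal; 0.0 when there are no IDs at all."""
    return round(100.0 * part / whole, 1) if whole else 0.0


def scorecard(accounts: list[Account], incidents: list[Incident], as_of: date) -> dict:
    """Compute the indicator values as of the given reporting date."""
    total = len(accounts)
    inactive_cutoff = as_of - timedelta(days=INACTIVE_AFTER_DAYS)
    review_cutoff = as_of - timedelta(days=QUARTER_DAYS)

    inactive = [a for a in accounts
                if a.last_login is None or a.last_login < inactive_cutoff]
    reviewed = [a for a in accounts
                if a.last_review is not None and a.last_review >= review_cutoff]
    closed = [i for i in incidents if i.corrected is not None]
    avg_days = (sum((i.corrected - i.discovered).days for i in closed) / len(closed)
                if closed else None)

    return {
        "total_ids": total,
        "pct_requests_approved": pct(sum(a.approved for a in accounts), total),
        "pct_inactive": pct(len(inactive), total),
        "pct_privileged": pct(sum(a.privileged for a in accounts), total),
        "pct_shared_generic": pct(sum(a.shared for a in accounts), total),
        "pct_reviewed_past_quarter": pct(len(reviewed), total),
        "incidents_reported": len(incidents),
        "avg_days_to_corrective_action": avg_days,
        "inactive_ids": sorted(a.user_id for a in inactive),  # remediation work list
    }


def inactive_remediation_trend(prev_pct_inactive: float, curr_pct_inactive: float) -> float:
    """Inactive ID remediation indicator: percentage-point decline since the
    prior period (positive means the inactive population is shrinking)."""
    return round(prev_pct_inactive - curr_pct_inactive, 1)


def sample_inventory() -> tuple[list[Account], list[Incident]]:
    """Constructed inventory of 10 IDs and 3 incidents for a 2004-09-30 readout."""
    d = date
    accounts = [
        Account("u001", False, False, True,  d(2004, 9, 28), d(2004, 8, 15)),
        Account("u002", False, False, True,  d(2004, 9, 1),  d(2004, 8, 15)),
        Account("u003", True,  False, True,  d(2004, 9, 29), d(2004, 9, 2)),
        Account("u004", False, False, False, d(2004, 5, 3),  None),           # inactive, unapproved, never reviewed
        Account("u005", False, True,  True,  d(2004, 9, 15), d(2004, 3, 1)),  # shared ID, review is stale
        Account("u006", False, False, True,  None,           d(2004, 7, 20)), # never logged in
        Account("u007", True,  False, True,  d(2004, 9, 30), d(2004, 9, 10)),
        Account("u008", False, False, True,  d(2004, 8, 2),  d(2004, 8, 2)),
        Account("u009", False, False, False, d(2004, 6, 30), d(2004, 9, 20)), # inactive: last login before 2004-07-02
        Account("u010", False, True,  True,  d(2004, 9, 20), None),
    ]
    incidents = [
        Incident(d(2004, 7, 5),  d(2004, 7, 9)),   # corrected in 4 days
        Incident(d(2004, 8, 11), d(2004, 8, 21)),  # corrected in 10 days
        Incident(d(2004, 9, 27), None),            # still open at the readout date
    ]
    return accounts, incidents


def example_readout() -> dict:
    """Scorecard for the constructed inventory as of 2004-09-30."""
    accounts, incidents = sample_inventory()
    return scorecard(accounts, incidents, date(2004, 9, 30))


if __name__ == "__main__":
    for name, value in example_readout().items():
        print(f"{name:32} {value}")
```

The denominators matter as much as the counts: privileged and shared IDs are reported as a share of all IDs so that the figure can be trended quarter over quarter, and the inactive list is returned alongside the percentage because the remediation indicator on the slide is the decline in that population over time, which only improves when the listed IDs are actually closed.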
Tools To Facilitate Your Risk Management Efforts
Slide 70
COBIT Security Baseline
Slide 71
COBIT Security Baseline (continued)
Focusing attention on security-related objectives from the entire COBIT framework...
Slide 72
COBIT Security Baseline (continued)
Slide 73
IT Control Practice Statement: COBIT - DS5 Ensure System Security
IT control practices expand the capabilities of COBIT by providing the practitioner with an additional level of detail.
The current COBIT IT processes, business requirements and detailed control objectives define what needs to be done to implement an effective control structure.
The IT control practices provide the more detailed how and why needed by management, service providers, end users and control professionals to implement highly specific controls based on an analysis of operational and IT risks.
Slide 74
IT Control Practice Statement: COBIT - DS5 Ensure System Security (EXAMPLE)
DS 5.4 User Account Management
Why do it? The enforcement of adequate user account management in line with the control practices will help ensure:
- Proper administration of the lifecycle of user accounts
- Communication to and acknowledgment by users of the rules with which they need to comply
Control Practices:
- DS 5.4.01 Procedures are in place to ensure timely actions in relation to requesting, establishing, issuing, suspending and closing user accounts. All actions require formal approval.
- DS 5.4.02 When employees are given their account, they are provided with initial or refresher training and awareness on computer security issues. Users are asked to review a set of rules and regulations for system access.
- DS 5.4.03 Users use quality passwords as determined by the organization's password guidelines. Quality aspects of passwords include: enforcement of initial password change on first use, appropriate minimum password length, appropriate and enforced frequency of password changes, password checking against a list of not-allowed values (e.g., dictionary checking), and adequate protection of emergency passwords.
- DS 5.4.04 Third-party users are not provided with user codes or passwords unless they have signed a nondisclosure agreement. Third-party users are provided with the organization's security policy and related documents and must sign off that they understand their obligations.
- DS 5.4.05 All contracts for outsourcing or contracting address the need for the provider to comply with all security related policies, standards and procedures.
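As an added example of turning the DS 5.4.03 quality aspects into a check that can be enforced and measured (written for this page; it is not code from the presentation, from ISACA/ITGI or from any organization's password tooling), the block below evaluates password records against a policy covering initial change on first use, minimum length, change frequency, not-allowed values and protection of emergency passwords, and rolls the results up into the "percentage of passwords not in compliance with policy" indicator from the access compliance key indicators. The policy values, the not-allowed word list, the emergency-password rule and all sample records are constructed assumptions; a check like this runs at the moment a password is set or changed, and the records here are in-memory test data rather than stored passwords.

```python
"""Password-quality checks modelled on COBIT control practice DS 5.4.03.

Added example, not from the presentation or from ISACA/ITGI: evaluates
password records against a policy covering the quality aspects listed
under DS 5.4.03 and rolls the results up into the "percentage of
passwords not in compliance with policy" indicator. Policy values, the
not-allowed word list, the emergency-password rule and all sample records
are constructed assumptions. Checks like these belong at the moment a
password is set or changed; the sample records are in-memory test data.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 8                  # assumption
    max_age_days: int = 90               # assumption: enforced change frequency
    not_allowed: tuple[str, ...] = (     # constructed dictionary of banned values
        "password", "welcome", "qwerty", "letmein", "xyzcompany")


@dataclass
class PasswordRecord:
    user_id: str
    password: str                   # value being set (in-memory test data only)
    is_initial: bool                # still the administrator-issued initial password
    last_changed: Optional[date]    # None = never changed by the user
    is_emergency: bool = False      # emergency / firecall ID
    used_since_reset: bool = False  # emergency password used and not yet reset


def check_password(rec: PasswordRecord, policy: PasswordPolicy, as_of: date) -> list[str]:
    """Return the policy violations for one record; an empty list means compliant."""
    violations: list[str] = []
    pw = rec.password
    lowered = pw.lower()

    if len(pw) < policy.min_length:
        violations.append(f"shorter than {policy.min_length} characters")
    # dictionary check: case-insensitive substring match against the banned list
    for word in sorted(policy.not_allowed):
        if word in lowered:
            violations.append(f"contains not-allowed value '{word}'")
    if rec.is_initial:
        violations.append("initial password not changed on first use")
    if rec.last_changed is not None and (as_of - rec.last_changed).days > policy.max_age_days:
        violations.append(f"not changed in the last {policy.max_age_days} days")
    # assumption: an emergency password that has been used must be reset before it is compliant again
    if rec.is_emergency and rec.used_since_reset:
        violations.append("emergency password used but not reset")
    return violations


def noncompliance_rate(records: list[PasswordRecord], policy: PasswordPolicy, as_of: date) -> float:
    """Percentage of IDs whose password fails at least one policy check."""
    if not records:
        return 0.0
    failing = sum(1 for r in records if check_password(r, policy, as_of))
    return round(100.0 * failing / len(records), 1)


def sample_records() -> list[PasswordRecord]:
    """Eight constructed records reviewed as of 2004-09-30."""
    d = date
    return [
        PasswordRecord("u001", "Tr0ub4dor&3",     False, d(2004, 9, 1)),
        PasswordRecord("u002", "Welcome1",        False, d(2004, 9, 10)),              # banned word
        PasswordRecord("u003", "xK9$mq2Lp",       True,  None),                        # initial password still in use
        PasswordRecord("u004", "g7#Qw",           False, d(2004, 9, 12)),              # too short
        PasswordRecord("u005", "Zq4!pLm8vB",      False, d(2004, 5, 1)),               # 152 days old
        PasswordRecord("fire01", "R3cov3ry!9",    False, d(2004, 9, 20), True, True),  # emergency ID used, not reset
        PasswordRecord("u007", "PasswordQwerty1", False, d(2004, 9, 5)),               # two banned words
        PasswordRecord("u008", "Hg5!tRw2Lm",      False, d(2004, 8, 20)),
    ]


def example_report() -> dict[str, list[str]]:
    """Violations per user ID for the constructed records."""
    policy = PasswordPolicy()
    as_of = date(2004, 9, 30)
    return {r.user_id: check_password(r, policy, as_of) for r in sample_records()}


def example_noncompliance_rate() -> float:
    """The slide 68 indicator for the constructed records."""
    return noncompliance_rate(sample_records(), PasswordPolicy(), date(2004, 9, 30))


if __name__ == "__main__":
    for uid, issues in example_report().items():
        print(f"{uid:7} {'compliant' if not issues else '; '.join(issues)}")
    print(f"passwords not in compliance with policy: {example_noncompliance_rate()}%")
```

Each check maps to one clause of DS 5.4.03, so an auditor can trace a reported violation back to the control practice it evidences; the per-ID violation list is what drives remediation, while the single rolled-up percentage is what gets trended on the quarterly scorecard.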
Slide 75
Additional Resources & Questions
Templates & Resources (http://www.sfisaca.org/resources/downloads.htm)
- COBIT Security Baseline
- IT Control Practice Statement - COBIT DS5 Ensure System Security
- Questionnaire for IT Control Practice Statement DS5
- Security Self-Assessment Guide for Information Technology Systems (National Institute of Standards & Technology)
- Security Metrics Guide for Information Technology Systems (National Institute of Standards & Technology)
- Access Compliance Scorecard - Template
- ISO 17799 (http://www.iso-17799.com/)
- FFIEC Information Security Examination Handbook (http://www.ffiec.gov/ffiecinfobase/html_pages/it_01.html)
Slide 76
Questions?
Thank You!