Date posted: 18-Dec-2015
www.isaca-malta.org
Roger Southgate
Past President of ISACA London Chapter
Member of the BSI Committees for Service Management and IT Governance
Leader of the COBIT Development Group in London
Obtaining Assurance from IT through governance frameworks
Delegate Update
The next five slides were added to my presentation to provide some more detail on COBIT Security Baseline, which was introduced by Eric in the session immediately before lunch
The COBIT Security Baseline – 44 Steps
Plan and Organise (10 steps)
• Define the security strategy and the information architecture
• Define the IT organisation and relationships
• Communicate management aims and direction
• Manage IT human resources
• Assess and manage IT risks
Acquire and Implement (10 steps)
• Identify automated solutions
• Acquire and maintain application technology infrastructure
• Enable operation and use
• Manage changes
• Install and accredit solutions and changes
Deliver and Support (21 steps)
• Define and manage service levels
• Manage third-party services
• Ensure continuous service
• Manage the configuration
• Manage data
• Manage the physical environment
Monitor and Evaluate (3 steps)
• Monitor and evaluate IT performance – assess internal control adequacy
• Obtain independent assurance
• Ensure regulatory compliance
Assess and Manage IT Risks (Security Baseline steps 8–10, mapped to ISO/IEC 27002:2005 and COBIT 4.1)
Step | Security Baseline step | ISO/IEC 27002:2005 | COBIT 4.1
8 | Regularly discuss with key staff (from business and IT management) where and when security problems can adversely impact business objectives and how to protect against them. | 4.1 | PO2: 2.3; PO9: 9.1, 9.2, 9.3, 9.4
9 | Prepare a risk management action plan to address all risks according to business risk. | 4.2 | PO9: 9.5, 9.6
10 | Establish staff understanding of the need for responsiveness and consider cost-effective means to manage the identified security risks through security controls (e.g., backup, access control, virus protection, firewalls) and insurance coverage. | 4.1, 4.2, 6.1, 8.2 | PO7: 7.4; AI1: 1.1, 1.2; PO9: 9.5
Six Information Security Survival Kits
• Boards of Directors / Trustees: 9 Questions to Ask + 7 Items to Action
• Senior Executives: 13 Questions to Ask + 7 Items to Action
• Executives: 13 Questions to Ask + 17 Items to Action
• Managers: 38 Conditions to Check
• Professional Users: 10 “Dos” and 10 “Don’ts”
• Home Users: 15 Non Technical Precautions + 7 Technical
Each kit also lists its Specific Information Security Risks (the slide shows counts of 6, 6, 7, 5, 6 and 6 against the six kits).
Session Plan
• How I got started
• The challenges we face
• A word of caution
• How can I get started?
• What help is available?
Enterprise Governance in Practice
Enterprise Governance has two dimensions: Conformance and Performance.
Conformance – Corporate Governance processes (Accountability, Assurance)
• Chairman / CEO
• Non-Executive Directors
• Audit Committee
• Resource and Remuneration Committee
• Strategic Risk Management for compliance
• Controls Assurance
Performance – Business Governance processes (Value Creation, Resource Utilisation)
• Strategic Planning and Alignment
• Strategic Decision Making
• Dashboards / Scorecards
• Strategic Enterprise Systems
• Continuous Improvement
• Strategic Risk Management
The Challenges We Face
• Are we doing the right things?
• Are we doing them the right way?
• Are we getting them done well?
• Are we getting the benefits?
The Roots
• Assurance – v1, 1996
• IT Control – v2, 1998
• Management of IT Performance – v3, 2000
• Governance - IT Focus – v4.1, 2005/2007
The journey continues (the timeline also marks 2001-3).
Business Goals → IT Goals → IT Processes → IT Activities
COBIT Components and inter-relationships
Business Goals set the requirements for IT Goals; IT Goals define the information that IT Processes must deliver.
IT Processes are:
• measured by Performance Indicators (for performance), Outcome Measures (for outcome) and Maturity Models (for maturity)
• broken down into Key Activities, which are performed by the roles in the RACI Chart
• controlled by Control Objectives, which are implemented with Control Practices
Control Objectives and Control Practices are audited with Control Design Tests and Control Outcome Tests.
Value Drivers and Risk Drivers are the “why”: the Control Objectives are derived from and based on them.
Frameworks, Standards and Codes of Practice – “COBIT the integrator” (www.itgi.org)
Surrounding frameworks: COSO; International / National Legal Framework; ISO 38500; ISO 9000; CMMI; ISO 27000; ITIL; ISO 20000
IT governance focus areas at the centre: Strategic Alignment, Value Delivery, Risk Management, Resource Management, Performance Measurement
ITGI Enables ISO/IEC 38500
Sets out six principles for good corporate governance of IT:
1: Responsibility
2: Strategy
3: Acquisition
4: Performance
5: Conformance
6: Human Behaviour
Directors should govern IT through three main tasks:
a) Evaluate the current and future use of IT.
b) Direct preparation and implementation of plans and policies to ensure that use of IT meets business objectives.
c) Monitor conformance to policies, and performance against the plans.
© ISO/IEC 2008 – All rights reserved
How we LOOK at things ..... really does make a difference
What can you see?
We are ALL human after all
What we plan to do
What we think we do
What we say we do
What we actually do
From the neck up there is no limitation on what a person can accomplish
From the shoulders down, we are all severely limited in what we can accomplish by ourselves
We are all fallible, frail and forgetful
Thought + Action = Result + Consequences
“Mind the gap!”
Complexity, Detail and Time
Models, Frameworks and Good Practices help us make sense of the context and the challenges we face: they provide roadmaps.
Route maps or plans reflect the choices we make to guide our organisations to our defined destination
Where are we right now?
How are we going to get there?
Where do we need to get to?
Are we on the same page?
The Opportunity Clock is always ticking…
The demands of Today – The needs of Tomorrow
Maturity Model Attributes:
• A&C – Awareness and Communication
• PSP – Policies, Standards and Procedures
• T&A – Tools and Automation
• S&E – Skills and Expertise
• R&A – Responsibility and Accountability
• GSM – Goal Setting and Measurement
Requirements for Information: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Information Reliability
The Five Focus Areas of IT Governance
• Strategic Alignment
• Value Delivery
• Risk Management
• IT Resource Management
• Performance Measurement
Annotations on the slide: Define strategy; Create value (good things to happen); Preserve value (bad things not happening); Resolve problems; Continuous improvement; Measure results; What? / How?
• Are we doing the right things?
• Are we doing them the right way?
• Are we getting them done well?
• Are we getting the benefits?
Information Services Resource and Control View
Business Process/es – Business Controls
IT Processes – Application Controls, Generic Process Controls, General IT Controls
IT Resource Stack (Data, Desktops):
• Systems development
• Change management
• Security
• Computer operations
COBIT Fundamentals
The Business Requirements for Information: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Information Reliability
IT Processes: Plan and Organise; Acquire and Implement; Deliver and Support; Monitor and Evaluate
IT Resources: Applications, Information, Infrastructure, People
“To provide the information that the organisation needs to achieve its objectives, IT resources need to be managed by a set of naturally grouped processes.”
Maturity Model Attributes:
• A&C – Awareness and Communication
• PSP – Policies, Standards and Procedures
• T&A – Tools and Automation
• S&E – Skills and Expertise
• R&A – Responsibility and Accountability
• GSM – Goal Setting and Measurement
• Are we doing the right things?
• Are we doing them the right way?
• Are we getting them done well?
• Are we getting the benefits?
Realism? Relevance? Results?
Look – Act – Speak – Think
The Way Forward – Our journey continues.....
Thank you
[email protected]
Tel: +44(0)2392 259720
Mob: +44(0)7714 769617
All ISACA publications are available from www.isaca.org