INFORMATION ASSURANCE USING COBIT

MEYCOR COBIT CSA & MEYCOR
COBIT AG TOOLS
Relationship between COSO and COBIT
What is COBIT?
- A model to implement IT Governance.
- An open, widely-known standard.
- Comprises 34 processes and 220 low-level Control Objectives.
- It is 100% compatible with ISO 17799, COSO I & II, and other less general standards on which it relies.
- COBIT establishes the "what" and the supporting standards establish the "how" regarding IT Governance implementation.
COBIT
- Stands for Control Objectives for Information and Related Technology.
- Is a model developed by ISACA and the IT Governance Institute (ITGI) in order to implement IT Governance in organizations.
ISACA
- Founded in 1969.
- Is a leading organization on IT Governance, Control, Assurance, and Auditing.
- Headquartered in Chicago, USA.
- It has over 60,000 members in more than 100 countries.
- Holds events, conferences and develops standards on IT Governance, Assurance and Security.
- COBIT:
  - 1st Edition in 1996
  - 2nd Edition in 1988
  - 3rd Edition in 2000
  - 4th Edition in 2005 (Nov/Dec)
COBIT Framework (COBIT 4.0)
[Diagram: Business Requirements drive the Information Criteria (effectiveness, efficiency, confidentiality, integrity, availability, compliance, reliability), which are delivered by the Information Processes, which in turn use the IT Resources (applications, information, infrastructure, personnel).]
Information Assurance
- Information assurance is the basis on which decision-making is built in an organization. Without assurance, companies have no certainty that the information on which they base their mission-critical decisions is reliable, secure and available when needed.
- Information Assurance is defined as the use of information operations that protect and defend information, information systems and networks by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation, considering the risk impacts of local or remote threats coming from communications and the Internet.
- We will see two important assurance techniques: self-assessment and information systems auditing.
COBIT: Control Self-assessment
(Meycor COBIT CSA)
- This management technique assures all stakeholders that the internal control system is reliable.
- It also ensures that the personnel are aware of the business risks, and that they perform regular and proactive reviews of the controls.
COBIT Audit Guidelines
(Meycor COBIT AG)
- The Guidelines provide a simple structure to audit IT controls.
- They are general in nature and structured at a high level.
- They allow the Processes to be reviewed against the IT Control Objectives.
The steps that must be followed in an audit:
- Obtaining an understanding of the business requirements and associated risks and the relevant control measures.
- Evaluating the appropriateness of stated controls.
- Assessing compliance to ensure that the control measures established are working as prescribed, consistently and continuously.
- Substantiating the risk of the control objectives not being met by using analytical techniques and/or consulting alternative sources.
Generic Audit Guideline
Obtaining an Understanding
- The audit steps to be performed to document the activities underlying the control objectives as well as to identify the stated control measures/procedures in place.
- Interview appropriate management and staff to gain an understanding of:
  - Business requirements and associated risks.
  - Organization's structure.
  - Roles and responsibilities.
  - Control measures in place.
  - Management reporting (status, performance, action items).
- Document the process-related IT resources particularly affected by the process under review. Confirm the understanding of the process under review, the Key Performance Indicators (KPI) of the process and the control implications, e.g., by a process walk-through.
Generic Audit Guideline
Evaluating the Controls
- The audit steps to be performed in assessing the effectiveness of the control measures in place or the degree to which the control objective is achieved. Basically, deciding what, whether and how to test.
- Evaluate the appropriateness of control measures for the process under review by considering the identified criteria and industry standard practices, the Critical Success Factors (CSF) of the control measures, and applying auditor professional judgment:
  - Documented processes exist.
  - Appropriate deliverables exist.
  - Responsibility and accountability are clear and effective.
  - Compensating controls exist, where necessary.
- Conclude on the degree to which the control objective is met.
Generic Audit Guideline
Assessing Compliance
- The audit steps to be performed to ensure that the control measures established are working as prescribed, consistently and continuously, and to conclude on the appropriateness of the control environment.
- Obtain direct or indirect evidence for selected items/periods to ensure that the procedures have been complied with for the period under review, using both direct and indirect evidence.
- Perform a limited review of the adequacy of the process deliverables.
- Determine the level of substantive testing and additional work needed to provide assurance that the IT process is adequate.
Generic Audit Guideline
Substantiating the Risk
- The audit steps to be performed to substantiate the risk of the control objective not being met by using analytical techniques and/or consulting alternative sources.
- Document the control weaknesses, and the resulting threats and vulnerabilities.
- Identify and document the actual and potential impact, e.g., through root-cause analysis.
- Provide comparative information, e.g., through benchmarks.
Description of the
Meycor COBIT CSA and AG tools
Meycor COBIT CSA
IT Processes Importance
For each process defined by COBIT we must identify its importance and performance, whether it has been audited or not, how it is carried out and who is responsible for it.
Meycor COBIT CSA
Self-assess controls
Meycor COBIT CSA includes the COBIT 4.0
Control Objectives and additional security
questions on specific software platforms.
Meycor COBIT CSA
Assessment Report
Results are displayed using scores. In this
way it is possible to establish target values.
Meycor COBIT CSA
IT Processes Diagnosis
The red line represents the score obtained. The closer this line is to the center, the less the risks are covered by the controls.
Meycor COBIT CSA
Assessing several Analysis Centers
Results can be displayed comparatively (for platforms, branches and technologies).
Meycor COBIT CSA
Audit Projects
Allows creating audit projects, assigning resources and even managing them.
The objective is to determine whether the process' controls provide assurance.
Meycor COBIT CSA
Alignment with Business Objectives
The alignment between IT Objectives and
Business Objectives is clearly identified.
Meycor COBIT AG
Technology inventory
Here we identify how IT resources
effectively contribute to the achievement
of objectives.
Meycor COBIT AG
Relationship between COBIT Processes
and Business Processes
A heat map is generated based on the IT
resources and the required information
criteria.
Meycor COBIT AG
Beginning the Audit Process
The process begins when a reviewer
creates a project and assigns it to an
auditor. It is also possible to record
whenever an auditor disagrees with an
observation.
Meycor COBIT AG
Auditing an IT Process
Meycor COBIT AG provides guidance through the different stages (interviewing, etc.), allowing tasks and observations to be recorded and evidence to be attached.
Meycor COBIT AG
Audit Guidelines
Auditors have audit guidelines available that
provide a knowledge base to improve the
quality of the audit work.
Meycor COBIT AG
Record Tasks
Here we identify who performed the
task, the time invested, any pertinent
comments, etc.
Meycor COBIT AG
Findings and Recommendations
The observations are defined in a format that
includes the determination of the criteria
used to perform the assessment, the
consequences, etc.
Meycor COBIT AG
Work papers Example (I)
Report of the audit program sorted
by projects.
Meycor COBIT AG
Work papers Example (II)
Report on the degree of
strength of the audited
controls.
Meycor COBIT AG
Work papers Example (III)
Identification of findings, the auditee's
opinion, follow-ups, etc.
DATASEC IT Security &
Control
Patria 716 - CP 11300 - Montevideo - Uruguay
Phone: (+598 2) 711-58-78 / 711-04-20
Fax: (+598 2) 711-58-94
Website: www.datasec-soft.com