Transcript Slide 1

Obtaining Assurance from IT
through governance frameworks
Roger Southgate
Leader of the COBIT
Development Group in
London
Past President of ISACA London Chapter
Member of the BSI Committees for Service Management and IT Governance
www.isaca-malta.org
Delegate Update
The next five slides were added to my presentation to provide some more detail on COBIT Security Baseline, which was introduced by Eric in the session immediately before lunch.
COBIT Security Baseline Structure
[Figure: structure of the COBIT Security Baseline (48 pages); the detail shown is taken from pages 16 - 22]
The COBIT Security Baseline – 44 Steps

Plan and Organise (10 steps)
• Define the security strategy and the information architecture
• Define the IT organisation and relationships
• Communicate management aims and direction
• Manage IT human resources
• Assess and manage IT risks

Acquire and Implement (10 steps)
• Identify automated solutions
• Acquire and maintain application technology infrastructure
• Enable operation and use
• Manage changes
• Install and accredit solutions and changes

Deliver and Support (21 steps)
• Define and manage service levels
• Manage third-party services
• Ensure continuous service
• Manage the configuration
• Manage data
• Manage the physical environment

Monitor and Evaluate (3 steps)
• Monitor and evaluate IT performance – assess internal control adequacy
• Obtain independent assurance
• Ensure regulatory compliance
Assess and Manage IT Risks – Baseline steps 8 to 10, mapped to ISO/IEC 27002:2005 and COBIT 4.1

Step 8: Regularly discuss with key staff (from business and IT management) where and when security problems can adversely impact business objectives and how to protect against them.
  ISO/IEC 27002:2005: 4.1
  COBIT 4.1: PO2: 2.3; PO9: 9.1, 9.2, 9.3, 9.4

Step 9: Prepare a risk management action plan to address all risks according to business risk.
  ISO/IEC 27002:2005: 4.2
  COBIT 4.1: PO9: 9.5, 9.6

Step 10: Establish staff understanding of the need for responsiveness and consider cost-effective means to manage the identified security risks through security controls (e.g., backup, access control, virus protection, firewalls) and insurance coverage.
  ISO/IEC 27002:2005: 4.1, 4.2, 6.1, 8.2
  COBIT 4.1: PO7: 7.4; AI1: 1.1, 1.2; PO9: 9.5
Six Information Security Survival Kits

Kit                            | Specific Information Security Risks | Contents
Boards of Directors / Trustees | 6                                   | 9 Questions to Ask + 7 Items to Action
Senior Executives              | 6                                   | 13 Questions to Ask + 7 Items to Action
Executives                     | 6                                   | 13 Questions to Ask + 17 Items to Action
Managers                       | 6                                   | 38 Conditions to Check
Professional Users             | 5                                   | 10 “Dos” and 10 “Don’ts”
Home Users                     | 7                                   | 15 Non-Technical Precautions + 7 Technical
Session Plan
• How I got started
• The challenges we face
• A word of caution
• How can I get started?
• What help is available?
How I got started
Enterprise Governance in Practice

Enterprise Governance has two dimensions:

Conformance – Corporate Governance processes
• Chairman / CEO
• Non-Executive Directors
• Audit Committee
• Resource and Remuneration Committee
• Strategic Risk Management for compliance
• Controls Assurance
Outcomes: Accountability, Assurance

Performance – Business Governance processes
• Strategic Planning and Alignment
• Strategic Decision Making
• Dashboards / Scorecards
• Strategic Enterprise Systems
• Continuous Improvement
• Strategic Risk Management
Outcomes: Value Creation, Resource Utilisation
The Challenges We Face
• Are we doing the right things?
• Are we doing them the right way?
• Are we getting them done well?
• Are we getting the benefits?
The Roots – The journey continues
[Figure: the evolution of COBIT, drawn as a staircase climbing from IT Activities to IT Processes to IT Goals to Business Goals]
Timeline: 1996 (v1), 1998 (v2), 2000 (v3), 2001-3, 2005/2007 (v4.1)
Focus of each version:
• v1: Assurance
• v2: IT Control
• v3: Management of IT Performance
• v4.1: Governance - IT Focus
COBIT Components and inter-relationships
[Figure: how the COBIT 4.1 components relate to one another]
• Business Goals set the requirements for information; these drive the IT Goals
• IT Goals are delivered by IT Processes, which are performed through Key Activities, with responsibilities assigned in a RACI Chart
• Control Objectives cover the IT Processes; Control Practices are based on the Control Objectives, and Value Drivers and Risk Drivers explain why each practice matters
• Control Design Tests and Control Outcome Tests check whether the controls are designed and operating as intended
• Performance Indicators, Outcome Measures and Maturity Models measure the processes
“COBIT the integrator”
[Figure: COBIT drawn as a ring of the five IT governance focus areas – Strategic Alignment, Value Delivery, Resource Management, Risk Management and Performance Measurement – integrating the surrounding Frameworks, Standards and Codes of Practice within the International / National Legal Framework: COSO, ITIL, ISO 20000, ISO 27000, CMMI, ISO 9000 and ISO 38500]
Source: www.itgi.org
ITGI Enables ISO/IEC 38500
Sets out six principles for good corporate governance of IT.
1: Responsibility
2: Strategy
3: Acquisition
4: Performance
5: Conformance
6: Human Behaviour
Directors should govern IT through three main tasks:
a) Evaluate the current and future use of IT.
b) Direct preparation and implementation of plans and policies to ensure
that use of IT meets business objectives.
c) Monitor conformance to policies, and performance against the plans.
© ISO/IEC 2008 – All rights reserved
Implementing and Continually Improving
IT Governance
How we look at things ......... really does make a difference
What can you see?
We are ALL human after all
From the neck up there is no limitation on what a person can accomplish.
From the shoulders down, we are all severely limited in what we can accomplish by ourselves.
We are all fallible, frail and forgetful.
“Mind the gap!” between:
• What we plan to do
• What we think we do
• What we say we do
• What we actually do
Thought + Action = Result + Consequences
Complexity, Detail and Time
Models, frameworks and good practices help us make sense of the context and the challenges we face; they provide roadmaps.
Route maps or plans reflect the choices we make to guide our organisations to our defined destination.
Are we on the same page?
• Where are we right now?
• Where do we need to get to?
• How are we going to get there?
Getting Started with Value Management
[Diagram from page 20]

Where are we right now?
The Opportunity Clock is always ticking…
[Figure: the demands of Today set against the needs of Tomorrow]

Maturity Model Attributes:
• A&C Awareness and Communication
• PSP Policies, Standards and Procedures
• T&A Tools and Automation
• S&E Skills and Expertise
• R&A Responsibility and Accountability
• GSM Goal Setting and Measurement

Requirements for Information:
• Effectiveness
• Efficiency
• Confidentiality
• Integrity
• Availability
• Compliance
• Information Reliability
The Five Focus Areas of IT Governance
[Figure: the five focus areas laid over the four governance questions]
• Strategic Alignment – What? Define strategy
• Value Delivery – Create value: good things to happen
• Risk Management – Preserve value: bad things not happening
• IT Resource Management and Performance Measurement – How? Resolve problems, continuous improvement, measure results
The four questions overlaid on the figure: Are we doing the right things? Are we doing them the right way? Are we getting them done well? Are we getting the benefits?
Information Services – Resource and Control View
[Figure: layers of control over the IT resource stack]
• Business Process/es – Business Controls
• Application Controls
• Generic Process Controls
• IT Processes – General IT Controls:
  • Systems development
  • Change management
  • Security
  • Computer operations
• IT Resource Stack, from Data up to Desktops
COBIT Fundamentals
“To provide the information that the organisation needs to achieve its objectives, IT resources need to be managed by a set of naturally grouped processes.”

The Business Requirements for Information:
• Effectiveness
• Efficiency
• Confidentiality
• Integrity
• Availability
• Compliance
• Information Reliability

IT Resources:
• Applications
• Information
• Infrastructure
• People

IT Processes (the four domains):
• Plan and Organise
• Acquire and Implement
• Deliver and Support
• Monitor and Evaluate

Maturity Model Attributes:
• A&C Awareness and Communication
• PSP Policies, Standards and Procedures
• T&A Tools and Automation
• S&E Skills and Expertise
• R&A Responsibility and Accountability
• GSM Goal Setting and Measurement

The four governance questions: Are we doing the right things? Are we doing them the right way? Are we getting them done well? Are we getting the benefits?
The Way Forward – Our journey continues.....
? Realism
? Relevance
? Results
• Look
• Act
• Speak
• Think

Thank you
[email protected]
Tel: +44(0)2392 259720
Mob: +44(0)7714 769617
All ISACA publications are available from www.isaca.org