COBIT
Part 2: IT Governance
Presented by George Grachis, CISSP

Abstract

The business goal of Harley-Davidson Motor
Company is to produce and sell high-quality
motorcycles.
The challenge was in getting management,
information technology (IT) and audit speaking the
same language and working toward increased
control. This all had to be accomplished by building
consensus among varied departments and without
affecting quality or slowing production.
Background


Harley-Davidson Motor Company was founded in
1903 in Milwaukee, Wisconsin, USA. It is the oldest
producer of motorcycles in the US and has enjoyed
20 consecutive years of record revenue. In 2003,
Harley-Davidson had limited IT controls in place and
staff had limited control knowledge.
In addition, it had been difficult finding other
manufacturers for benchmarking, and COBIT helped
show Harley-Davidson management where the
company was positioned regarding controls and what
should be done to improve.
Process





To jumpstart IT governance and Sarbanes-Oxley activities,
Harley-Davidson created an IS compliance department and
began implementing a vendor’s general computer controls
model.
Reasons behind Harley-Davidson’s selection of COBIT include:
It is an internationally accepted standard for IT governance and
control practices.
It can be used by management, end users, and IT audit and
security professionals, and it provides a common language.
The company was able to gain agreement with the external
auditor on the same framework and control objectives.



Key to introducing COBIT was ensuring that all of IT
and management understood why they needed to
care about effective, value-focused controls.
COBIT’s business-focused language allowed
management, IT and internal audit to ensure they
were on the same road.
The team started by mapping implemented controls
to COBIT and compared the results. Gaps were
identified and plans were developed to close these
gaps.

One of the major benefits of using COBIT as
its overall internal control and compliance
model was getting everyone—especially non-technical
motorcycle experts—revved up
about control activities and why controls are
important.


Tracking and reporting are important components of
ongoing IT governance activities. Harley-Davidson
developed an MS Access issues-tracking database to
have joint IT and internal audit visibility of known
control weaknesses.
Driving internal change was also a key goal of this
highly competitive company, and COBIT
benchmarking was an invaluable tool for independent
comparison.
Summary






Prior to implementing the COBIT framework, areas the external
auditor audited were chosen randomly or on loose justifications.
Now the areas selected for auditing are firmly based on
business value and control needs.
COBIT's open architecture allowed it to be used successfully as a
central control model. COBIT's benefits:
End users need to be aware of only one standard.
It gains external audit agreement on the company’s control
position.
It establishes the ability to use control objectives to help identify
root causes.
There is a comprehensive view of the risk and control
environment.
COBIT Users







Harley-Davidson
Sun Microsystems
University of Iowa
Prudential
Allstate
Charles Schwab
U.S. House of Representatives
Why IT Governance






Due diligence
IT is critical to the business
IT is strategic to the business
Expectations and reality don’t match
IT hasn’t gotten the attention it
deserves
IT involves huge investments and large
risks
“Due diligence”




Infrastructure and productive functions
Skills, culture, operating environment
Capabilities, risks, process knowledge and
customer information
Service levels
IT is Critical to Business



This criticality arises from:
The increasing dependence on information
and the systems and communications that
deliver it
The dependence on entities beyond the direct
control of the enterprise
The risks of doing business in an
interconnected world
IT is Strategic to Business
If so, wouldn’t you want to know whether your organization’s information technology is:
Likely to achieve its objectives?
Resilient enough to learn and adapt?
Judiciously managing the risks it faces?
Appropriately recognizing opportunities and acting on them?
Why IT has not been valued

IT requires more technical insight than do other disciplines to understand how IT:
• Enables the enterprise
• Creates risks
• Gives rise to opportunities
IT has traditionally been treated as an entity separate from the business.
IT is complex, and even more so in the extended enterprise operating in a networked economy.
IT Governance Defined






Responsibility of the board of directors
Protects shareholder value
Ensures risk transparency
Directs and controls IT investment, opportunity,
benefits and risks
Aligns IT with the business while accepting IT is a
critical input to and component of the strategic plan,
influencing strategic opportunities
Sustains the current operation and prepares for the
future
IT Governance Framework
Fig 1: the IT governance cycle. Set measurable goals; deliver results; measure performance; compare the results against the goals; act if not aligned, then return to setting goals.
Information Security






Know what questions to ask
Know what is needed
Raise the awareness at the top
Have clarity of purpose
Measure your performance
Keep on doing it
Some good questions






Would people recognize a security incident when they saw one?
Would they ignore it? Would they know what to do about it?
Does anyone know how many computers the company owns?
Did the company suffer from the latest virus attack? How many
did it have last year?
What are the most critical information assets of the enterprise?
Does management know where the enterprise is most
vulnerable?
Has the organization ever had its network security checked by a
third party?
Is IT security a regular agenda item on IT management
meetings?
COBIT Structure
5 Ensure Systems Security (COBIT domain Delivery and Support, process DS5): 21 detailed control objectives, of which a selection follows.
5.1 Manage Security Measures
CONTROL OBJECTIVE
IT security should be managed such that
security measures are in line with business
requirements. This includes:
• Translating risk assessment information
to the IT security plans
• Implementing the IT security plan
• Updating the IT security plan to reflect
changes in the IT configuration
• Assessing the impact of change requests
on IT security
• Monitoring the implementation of the IT
security plan
• Aligning IT security procedures to other
policies and procedures
5.2 Identification, Authentication and Access
CONTROL OBJECTIVE
The logical access to and use of IT
computing resources should be restricted
by the implementation of adequate
identification, authentication and
authorization mechanisms, linking users
and resources with access rules. Such
mechanisms should prevent unauthorized
personnel, dial-up connections and other
system (network) entry ports from
accessing computer resources and
minimize the need for authorized users to
use multiple sign-ons. Procedures should
also be in place to keep authentication and
access mechanisms effective (e.g., regular
password changes).
5.4 User Account Management
CONTROL OBJECTIVE
Management should establish procedures
to ensure timely action relating to
requesting, establishing, issuing,
suspending and closing of user
accounts. A formal approval procedure
outlining the data or system owner granting
the access privileges should be included.
The security of third-party access should
be defined contractually and address
administration and non-disclosure
requirements. Outsourcing arrangements
should address the risks, security controls
and procedures for information systems
and networks in the contract between the
parties.
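What "timely action" on accounts looks like in practice, as an added example that is not part of the presentation or of COBIT itself: a Python reconciliation of a constructed HR roster against a constructed directory export and an approval register. It reports the exceptions an internal audit team would want in an issues-tracking database (a terminated employee's account still enabled, a logon after the end date, an account with no documented owner approval, an orphaned account with no HR record and no owner, and a stale account). The field names, the grace and staleness thresholds, the review date and all sample records are assumptions.

```python
"""Account lifecycle reconciliation for 5.4 (added example; all data constructed)."""
from dataclasses import dataclass
from datetime import date

AS_OF = date(2003, 6, 15)          # assumed review date

# Constructed HR roster: employment status per person.
HR_ROSTER = {
    "alice": {"status": "active",     "end_date": None},
    "bob":   {"status": "terminated", "end_date": date(2003, 3, 14)},
    "carol": {"status": "active",     "end_date": None},
    "dave":  {"status": "terminated", "end_date": date(2003, 5, 30)},
}

# Constructed directory export: account, enabled flag, last interactive logon.
DIRECTORY = [
    {"account": "alice",       "enabled": True,  "last_logon": date(2003, 6, 2)},
    {"account": "bob",         "enabled": True,  "last_logon": date(2003, 3, 20)},
    {"account": "carol",       "enabled": True,  "last_logon": date(2003, 1, 4)},
    {"account": "dave",        "enabled": False, "last_logon": date(2003, 5, 29)},
    {"account": "svc_backup",  "enabled": True,  "last_logon": date(2003, 6, 1)},
    {"account": "tmp_vendor1", "enabled": True,  "last_logon": date(2002, 11, 1)},
]

# Constructed approval register: the data/system owner who approved each
# account (the formal approval procedure 5.4 calls for).
APPROVALS = {
    "alice": "owner:finance", "bob": "owner:finance", "carol": "owner:plant",
    "dave": "owner:plant", "svc_backup": "owner:it-ops",
}


@dataclass(frozen=True)
class Finding:
    account: str
    issue: str       # short code suitable for an issues-tracking database
    detail: str


def reconcile(hr, directory, approvals, as_of, grace_days=1, stale_days=90):
    """Return the control exceptions found as of `as_of`.

    grace_days: how long after the end date an account may remain enabled
    stale_days: enabled accounts unused for longer than this are flagged for review
    """
    findings = []
    for entry in directory:
        acct, enabled = entry["account"], entry["enabled"]
        if enabled and (as_of - entry["last_logon"]).days > stale_days:
            findings.append(Finding(acct, "STALE",
                f"no logon for more than {stale_days} days; review or suspend"))
        person = hr.get(acct)
        if person is None:
            # Service and vendor accounts have no payroll record, so they are
            # acceptable only when the approval register names an owner.
            if acct not in approvals:
                findings.append(Finding(acct, "ORPHAN",
                    "no HR record and no owner approval; close or assign an owner"))
            continue
        if acct not in approvals:
            findings.append(Finding(acct, "NO_APPROVAL",
                "no data/system owner approval on record"))
        if person["status"] == "terminated":
            end = person["end_date"]
            if enabled:
                overdue = (as_of - end).days - grace_days
                findings.append(Finding(acct, "NOT_DISABLED",
                    f"terminated {end}, still enabled, {overdue} day(s) past grace period"))
            if entry["last_logon"] > end:
                findings.append(Finding(acct, "LOGON_AFTER_TERMINATION",
                    f"last logon {entry['last_logon']} is after end date {end}"))
    return findings


def issue_counts(findings):
    """Totals by issue code, the figure a tracking report would carry."""
    counts = {}
    for f in findings:
        counts[f.issue] = counts.get(f.issue, 0) + 1
    return counts


if __name__ == "__main__":
    for f in reconcile(HR_ROSTER, DIRECTORY, APPROVALS, AS_OF):
        print(f"{f.account:<12} {f.issue:<24} {f.detail}")
```

On the constructed data the run flags bob (terminated in March, still enabled, with a logon after the end date), carol (no logon in 90 days) and tmp_vendor1 (no HR record, no owner, unused since the previous year); dave's disabled account and the owned service account pass. The grace period and staleness window are the two numbers a control owner would set per the business requirement rather than take from here.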
5.6 User Control of User Accounts
CONTROL OBJECTIVE
Users should systematically control the activity of their own accounts. Also, information mechanisms should be in place to allow them to oversee normal activity as well as to be alerted to unusual activity in a timely manner.
5.11 Incident Handling
CONTROL OBJECTIVE
Management should establish a computer
security incident handling capability to
address security incidents by providing a
centralized platform with sufficient
expertise and equipped with rapid and
secure communication facilities. Incident
management responsibilities and
procedures should be established to
ensure an appropriate, effective and
timely response to security incidents.
5.9 Central Identification and Access Rights Management
CONTROL OBJECTIVE
Controls are in place to ensure that the
identification and access rights of users as
well as the identity of system and data
ownership are established and managed in
a unique and central manner to obtain
consistency and efficiency of global
access control.
5.10 Violation and Security Activity Reports
CONTROL OBJECTIVE
IT security administration should ensure
that violation and security activity is logged,
reported, reviewed and appropriately
escalated on a regular basis to identify and
resolve incidents involving unauthorized
activity. The logical access to the computer
resources accountability information
(security and other logs) should be granted
based upon the principle of least privilege,
or need-to-know.
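Control objectives 5.6 and 5.10 together describe a detection and reporting loop: log security activity, review it against rules, tell each user about unusual activity on their own account, and escalate violations by severity. The following Python is an added example (not from the presentation or from COBIT) that runs such rules over a constructed, syslog-like sample log; the log format, rule thresholds, business-hours window, baseline of known source addresses and escalation tiers are all assumptions.

```python
"""Security activity review for 5.6 and 5.10 (added example; log lines constructed)."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log in an assumed key=value format.
SAMPLE_LOG = """\
2003-06-10 08:02:11 host=erp01 user=alice src=10.1.5.20 event=LOGON result=OK
2003-06-10 08:03:05 host=erp01 user=bob src=192.168.9.7 event=LOGON result=FAIL reason=bad_password
2003-06-10 08:03:09 host=erp01 user=bob src=192.168.9.7 event=LOGON result=FAIL reason=bad_password
2003-06-10 08:03:14 host=erp01 user=bob src=192.168.9.7 event=LOGON result=FAIL reason=bad_password
2003-06-10 08:03:20 host=erp01 user=bob src=192.168.9.7 event=LOGON result=FAIL reason=bad_password
2003-06-10 08:03:26 host=erp01 user=bob src=192.168.9.7 event=LOGON result=FAIL reason=bad_password
2003-06-10 08:03:31 host=erp01 user=bob src=192.168.9.7 event=LOGON result=OK
2003-06-10 12:40:02 host=erp01 user=carol src=10.1.7.33 event=LOGON result=OK
2003-06-10 12:41:10 host=erp01 user=carol src=10.1.7.33 event=READ result=DENIED object=/var/log/secure
2003-06-10 22:15:44 host=erp01 user=admin src=10.1.5.20 event=LOGON result=OK
2003-06-11 08:00:03 host=erp01 user=alice src=203.0.113.9 event=LOGON result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) event=(?P<event>\S+) result=(?P<result>\S+)(?: (?P<extra>.*))?$")

# Rule parameters: all assumptions for the example.
FAIL_THRESHOLD, WINDOW = 5, timedelta(minutes=10)
PRIVILEGED = {"admin", "root"}
BUSINESS_HOURS = range(7, 19)                  # 07:00-18:59, Monday to Friday
ACCOUNTABILITY_OBJECTS = ("/var/log/",)        # security logs: need-to-know only (5.10)
KNOWN_SOURCES = {"alice": {"10.1.5.20"}, "bob": {"192.168.9.7"},
                 "carol": {"10.1.7.33"}, "admin": {"10.1.5.20"}}
ESCALATION = {"critical": "security administrator, immediately",
              "high": "security administrator, same business day",
              "medium": "IT security review meeting",
              "low": "account owner, in the activity summary"}


@dataclass(frozen=True)
class Violation:
    severity: str
    user: str
    ts: datetime
    rule: str
    detail: str

    @property
    def escalate_to(self):
        return ESCALATION[self.severity]


def parse(text):
    """Parse the key=value lines into dicts with a datetime timestamp."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable log line: {line!r}")
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S")
        events.append(d)
    return events


def review(events, known_sources=KNOWN_SOURCES):
    """Apply the rules; return (violations in time order, per-user activity summary)."""
    violations = []
    fails = defaultdict(deque)     # per-user timestamps of recent failed logons
    last_burst = {}                # per-user time of the last failed-logon burst
    summary = defaultdict(lambda: {"ok": 0, "fail": 0, "sources": set(), "alerts": []})

    def flag(severity, user, ts, rule, detail):
        violations.append(Violation(severity, user, ts, rule, detail))

    for e in sorted(events, key=lambda e: e["ts"]):
        user, ts, src = e["user"], e["ts"], e["src"]
        s = summary[user]
        s["sources"].add(src)
        if e["event"] == "LOGON" and e["result"] == "FAIL":
            s["fail"] += 1
            q = fails[user]
            q.append(ts)
            while ts - q[0] > WINDOW:          # drop failures outside the window
                q.popleft()
            if len(q) >= FAIL_THRESHOLD:
                flag("high", user, ts, "BRUTE_FORCE",
                     f"{len(q)} failed logons from {src} within {WINDOW}")
                last_burst[user] = ts
                q.clear()
        elif e["event"] == "LOGON" and e["result"] == "OK":
            s["ok"] += 1
            if user in last_burst and ts - last_burst[user] <= WINDOW:
                flag("critical", user, ts, "SUCCESS_AFTER_BRUTE_FORCE",
                     f"successful logon from {src} right after a failed-logon burst")
            if user in PRIVILEGED and (ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS):
                flag("medium", user, ts, "OFF_HOURS_PRIVILEGED",
                     f"privileged logon at {ts:%H:%M} outside business hours")
            if src not in known_sources.get(user, set()):
                flag("low", user, ts, "NEW_SOURCE", f"logon from previously unseen address {src}")
        elif e["result"] == "DENIED" and any(o in (e["extra"] or "") for o in ACCOUNTABILITY_OBJECTS):
            flag("high", user, ts, "LOG_ACCESS_DENIED",
                 f"attempt to read accountability information: {e['extra']}")

    # 5.6: every user sees the alerts raised on their own account.
    for v in violations:
        summary[v.user]["alerts"].append(v)
    return violations, dict(summary)


if __name__ == "__main__":
    vs, users = review(parse(SAMPLE_LOG))
    for v in vs:
        print(f"{v.ts} {v.severity:<8} {v.user:<6} {v.rule:<26} -> {v.escalate_to}")
    for user, s in users.items():
        print(f"{user}: {s['ok']} ok, {s['fail']} failed, alerts={len(s['alerts'])}")
```

The sample produces five violations in time order: bob's burst of failed logons followed within seconds by a success (the pairing that turns a routine lockout alert into an immediate escalation), carol's denied read of the security log, an off-hours logon by the admin account, and alice's first logon from a new address, which at low severity goes only to alice's own activity summary. The per-user summary is the 5.6 half of the loop; the violation list with its escalation targets is the 5.10 half.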
5.20 Firewall Architectures and Connections with Public Networks
CONTROL OBJECTIVE
If connection to the Internet or other public
networks exists, adequate firewalls should
be operative to protect against denial of
service and any unauthorized access to
the internal resources; should control any
application and infrastructure management
flows in both directions; and should protect
against denial of service attacks.
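An added example (not from the presentation or from COBIT) of two of the properties 5.20 asks for on a public-network connection: a default-deny policy in both directions and explicit control of management flows. The Python below models a first-match rule table, evaluates the same constructed flows against a weak ruleset and a hardened one, and audits each ruleset for an any-to-any permit, an unrestricted outbound rule, and a management port reachable from outside an assumed management address range. Addresses, port lists and rules are constructed; denial-of-service protection is outside what this model covers.

```python
"""Firewall policy model for 5.20 (added example; rules and addresses constructed)."""
import ipaddress
from dataclasses import dataclass

MGMT_PORTS = {22, 23, 161, 3389}     # ssh, telnet, snmp, rdp: infrastructure management flows
MGMT_RANGE = "198.51.100.0/28"       # assumed out-of-band management address range


@dataclass(frozen=True)
class Rule:
    direction: str   # "in": public network -> internal, "out": internal -> public
    src: str         # CIDR
    dst: str         # CIDR
    proto: str       # "tcp", "udp" or "any"
    dport: str       # "80", "1024-65535" or "any"
    action: str      # "allow" or "deny"
    comment: str = ""


@dataclass(frozen=True)
class Flow:
    direction: str
    src: str
    dst: str
    proto: str
    dport: int


def _port_ok(spec, port):
    if spec == "any":
        return True
    if "-" in spec:
        lo, hi = (int(x) for x in spec.split("-"))
        return lo <= port <= hi
    return int(spec) == port


def matches(rule, flow):
    return (rule.direction == flow.direction
            and ipaddress.ip_address(flow.src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(flow.dst) in ipaddress.ip_network(rule.dst)
            and rule.proto in ("any", flow.proto)
            and _port_ok(rule.dport, flow.dport))


def decide(policy, flow):
    """First match wins; a flow no rule matches is denied, in either direction."""
    for rule in policy:
        if matches(rule, flow):
            return rule.action
    return "deny"


def evaluate(policy, flows):
    return [decide(policy, f) for f in flows]


def audit(policy, mgmt_range=MGMT_RANGE):
    """Static checks on allow rules: (rule index, problem) for each weakness found."""
    problems = []
    mgmt = ipaddress.ip_network(mgmt_range)
    for i, r in enumerate(policy):
        if r.action != "allow":
            continue
        wide_src = ipaddress.ip_network(r.src).prefixlen == 0
        wide_dst = ipaddress.ip_network(r.dst).prefixlen == 0
        if wide_src and wide_dst and r.dport == "any":
            problems.append((i, "any-to-any allow: flows in this direction are not controlled"))
        elif r.direction == "out" and wide_dst and r.dport == "any":
            problems.append((i, "unrestricted outbound: an internal host can reach any public service"))
        if r.direction == "in" and any(_port_ok(r.dport, p) for p in MGMT_PORTS):
            if not ipaddress.ip_network(r.src).subnet_of(mgmt):
                problems.append((i, f"management port allowed from {r.src}, outside {mgmt_range}"))
    return problems


# Constructed rulesets: the first permits the same services as the second but
# leaves the gaps that audit() reports.
WEAK = [
    Rule("in",  "0.0.0.0/0",  "10.1.1.10/32", "tcp", "80",  "allow", "public web server"),
    Rule("in",  "0.0.0.0/0",  "10.0.0.0/8",   "tcp", "22",  "allow", "ssh for the vendor"),
    Rule("out", "10.0.0.0/8", "0.0.0.0/0",    "any", "any", "allow", "let everything out"),
]
HARDENED = [
    Rule("in",  "0.0.0.0/0",       "10.1.1.10/32",    "tcp", "80",  "allow", "public web server"),
    Rule("in",  "198.51.100.0/28", "10.1.1.0/24",     "tcp", "22",  "allow", "ssh from management range only"),
    Rule("out", "10.1.1.0/24",     "0.0.0.0/0",       "tcp", "443", "allow", "web tier: https for updates"),
    Rule("out", "10.1.2.0/24",     "198.51.100.5/32", "tcp", "25",  "allow", "mail to the relay only"),
]

# Constructed flows covering both directions.
FLOWS = [
    Flow("in",  "203.0.113.9",  "10.1.1.10",    "tcp", 80),    # web request from the Internet
    Flow("in",  "203.0.113.9",  "10.1.1.10",    "tcp", 22),    # ssh from the Internet
    Flow("in",  "198.51.100.3", "10.1.1.10",    "tcp", 22),    # ssh from the management range
    Flow("out", "10.1.2.15",    "203.0.113.50", "tcp", 6667),  # workstation to an IRC server
    Flow("out", "10.1.1.10",    "203.0.113.50", "tcp", 443),   # web tier fetching updates
]

if __name__ == "__main__":
    for name, policy in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, evaluate(policy, FLOWS), audit(policy))
```

The weak ruleset allows all five flows, including ssh from the Internet and a workstation talking to an arbitrary outbound port, and the audit reports exactly those two rules; the hardened ruleset allows only the web request, ssh from the management range and the web tier's outbound https, with everything else falling through to the default deny. Because matching is first-match, the order of rules is itself a control: a broad permit placed above a narrow deny silently wins, which is why the audit looks at each allow rule on its own rather than only at the decisions.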
Questions
Thank you