A Governance and Management System for
POPI, ISO 27001, CGICT, King IV
www.itgovernance.com
0825588732
+44-(0) 81333180
© 2012 IT Governance Network. All Rights Reserved.
Biography – Peter Hill
PROCESS as a foundation for:
– Governance Framework
– Management System
– POPI Implementation
– Information Security
– Supplier Management
– Service Integration (SIAM)
COBIT 5 Capability Assessment Tool
POPI / GDPR (2009 - 2016)
– POPI Management System
– Privacy Impact Assessments
– Information Officers
ISO 19600 Compliance Management System
ISO 27001 Information Security Management Sys.
ISO 30301 Records Management System
ISO 31000 Risk Management System
Director of the IT Governance Network, Capability Certification Services
Previously: partner with Deloitte, director of N:Crypt and zenAptix
Worked as an IT auditor, programmer, IT manager, Security R&D and in Privacy
Pioneering IT governance since 1992
Extensive knowledge and experience working with COBIT since 1996
First COBIT workshop for ISACA presented at EuroCACS in 1997
20 years of COBIT training: Basics, Fundamentals, Foundation, Assessor, Implementation, Advanced, IT Governance Framework, COBIT Management System, APO 13 Security Management, Using COBIT for POPI (Privacy)
Agenda
What is a Governance and Management System?
Leveraging resources requires accountability and responsibility
Governance and Management System for POPI
Using ISO 27001 to manage Information Security
Implementing Cloud Computing and Cyber Security controls
Illustrations throughout.
© 2016 IT Governance Network. All Rights Reserved.
ISO 38500: A Model for Corporate Governance of IT
(Diagram. Elements shown: Business pressures; Business needs; Corporate Governance of ICT with its three tasks Evaluate, Direct and Monitor; conformance and performance; plans, policies, processes and proposals; ICT Projects; ICT Operations; Business processes.)
Governance and Management Dashboard
POPI, ISO 27001, CGICTPF / COBIT
Corporate Governance of ICT: Interrelationship of frameworks
(Diagram. Layers arranged by scope of coverage, from WHAT down to HOW: Corporate Governance; Corporate Governance of ICT; Governance of ICT; ICT Management; Operations. Frameworks shown alongside the layers: King III; ISO/IEC 38500; COBIT 5; various operational frameworks such as ITIL and ISO 27001.)
Governance and Management System for CGICT
Multiple Layers
Separating Governance Roles from Management Roles
Plan and Execute
Monitor Progress
Build Capability - level 2.1 and 2.2
Level 2 – 1. Manage Performance and 2. Manage Work Products
Continuous Improvement Road at Capability Level 1.1
Capability Assessments – Assessor Rating
Capability Profile – level 1.1
Governance and Management System for POPI using COBIT processes
A Governance and Management System for POPI using ISO 27001 and COBIT
Illustration of a Governance and Management System
(Diagram, organised by WHAT and HOW. Elements shown:)
– Policy about “POPI” and Lawful Processing
– Frameworks: ISO 27001, COBIT 5, CGICT PF
– Cyber Security, Capability Improvement, Value Creation, GOALS
– Corporate Governance: Evaluate, Direct, Monitor
– Privacy (POPI): Establish accountability, Assign responsibility, Align work with outcomes, Monitor progress
– Management life cycle: Plan, Build, Run, Monitor; New/Changed Service
– Management processes: Configuration Management, Problem Management, Incident Management, Budgets and Accounting, Security Management, Capacity Management, Continuity and Availability Management, Service Level Management, Service Reporting, Business Relationship Management, Supplier Management, Change Management
A Governance and Management System
Corporate governance is the system by which a governing body exercises ethical and effective leadership to establish an ethical culture; sustainable performance and value-creation; adequate and effective control by the governing body; and trust in the organisation, its reputation and legitimacy.
Organisations often use a wide variety of resources and governance mechanisms to achieve their purpose and strategic goals and to fulfil the broader needs of stakeholders. Leveraging resources requires the establishment of accountability, the assignment of responsibility, and transparency and fairness in the way work gets done.
While governing bodies are expected to be pro-active in ensuring that information assets are leveraged for growth, there are few tools actually available that provide governing bodies with sufficient oversight.
A governance and management system provides an integrated solution that brings the governors and the managers together and provides a holistic approach for them to effectively govern and manage the current and future use of technology and information. Better governance and good management are key requirements of the Protection of Personal Information Act (POPI).
Governance and Management System
(Diagram labels: COBIT, King IV)
A GOVERNANCE and MANAGEMENT system provides the means to institutionalise the enablers of good corporate governance. People (organisational structure, frameworks, skill and culture), process, technology and information come together in an integrated governance and management system to build capability that enables the creation of value, and support the achievement of the business' and organisation's strategic goals.
Multiple frameworks to Govern and Manage
– ISO 38500
– ISO 9001
– ISO 20000
– ISO 21500
– ISO 27001
– ISO 31000
Privacy Management System
Governance and Management System for ISO 27001: Framework Activities
Governance and Management System for ISO 27001: Selected Activity
Governance and Management System for ISO 27001: Linked to Operations
Governance and Management System for ISO 27001: Performed Activity
Vulnerabilities Knowledgebase
Knowledgebase of Safeguards
Tracking Safeguard Implementation
Maintain a Risk Register
For a detailed risk register, the Risk Manager (or another role with access) should select all (or per process) activities of a specified:
– Vulnerability, and/or
– Risk type, and/or
– Risk impact on business, and/or
– Risk level, and/or
– Risk response, and/or
– Remediation priority, and/or
– Last audit finding
Maintain various Controls Libraries
Sources:
– Controls as per Framework (or framework area)
– Controls assessed in the operational environment
– Controls set per tracker = Control
Maintain various Controls Libraries – Cloud Computing
Workflow status for tracker = Control
– Control status can be changed by authorized roles
– Report on number of controls at each status
Statuses: Unreliable, Informal, Standardized, Monitoring, Optimized
Repository of evidence supporting performed activities
Evidence reviewed by the auditor:
– Uploaded document
– Attached screen capture
– Notes written
– Checklist completed
– Links to another source.
Audit Planning
For each selected COBIT process, and the selected activity:
– Add a high-level framework to specify scope (POPI, ISO 27001, Legal Register, etc.) and
– Add one or more audit actions (with tracker = audit)
  – With or without subtasks
  – Per calendar period
  – Per capability level.
Add audit comments
– Include public and private comments for each audit activity
– Use pre-defined templates to specify Audit Steps or documentation requirements
– Use Checklists to refine % Done measurements.
Collect additional information
– Use custom fields (lists, text, dropdown list, etc.)
  – Business units
  – Special characteristics
  – Additional details.
Collect additional information for the Information Officer (POPI)
Needed for a Privacy Impact Assessment
Knowledgebase
Used for the IT Legal Register
– Contains relevant sections of the Act
– Contains link to complete Act
– Contains links to issues that address the Act
Used for Security Policy
– Contains policy clauses
– Shows links to implementation activities
Used for Control requirements of standard, model
– Contains policy clauses
– Shows links to control implementation.
Knowledgebase
Vulnerability Register
– Contains details of threats (by process and category)
Register for ….
– Contains details of ….
Process specific practices
– Work instructions for staff
– Process specific information
– Access controlled at process level.
Uploads, Documents, Files
Store templates (forms, checklists)
– Organised in groups
– Separate for each process
– With access control
– Download the template (e.g. Risk register.xls)
Files
– Distribution of files
– Downloads numbered
– Validation control (hash)
– Version control.
Management Reports
– Inventory of Risks (by process/activity or theme)
– Inventory of Controls (by process/activity or theme)
– Status of Controls (by process or theme)
– Audit findings reports (by process, theme, activity)
– Assessor ratings reports (by process, theme, activity)
– Progress with process execution (activity status).
Centralised document repository
– By process
– With access control according to process rights
– Viewable online or downloadable.
IT Dashboard
– Status per Process area
– % Done per life-cycle phase
– Risk level per Type
– Risk level per Process
– Control Status
– Control % Done
– Capability level across Processes
– Assessor rating of % Process Attribute Achieved.
Dashboard
– Process with Privacy Risk
– Processes with date Over Due
– Login per IP address
– Status per process
– Time spent per process activity
– % Done ratio per process activity
– Target rating
– Status per Tracker
– Custom field on Tracker
– Custom field and Process.
Governance and Management Dashboard
POPI, ISO 27001, CGICTPF / COBIT
Summary of Features for the POPI Governance and Management System
System features:
– Gather information to plan privacy enhancing initiatives
– Identify new risks and respond to changes in vulnerability
– React to incidents, track responses and retain history logs
– Handle data subject complaints and information requests
– Implement policies across the operational environment
– Secure, role based access from multiple devices
– Provision staff with knowledge and work instructions
– Plan and coordinate privacy management activities
– Implement risk treatment plans
– Manage teams, provision work, choreograph workflow
– Manage resources for the privacy management system
– Maintain a central repository of artefacts
– Monitor and control the technical effort and time spent
– Control processors, service providers and contractors
– Control access to retained information
– Promptly respond to security events
– Validate third party assertions
– Audit internal controls and assess capability
– Privacy aware reporting of progress against plans
– Privacy aware governance and management dashboards.
Target Users
A governance and management system is an integrated, multi-purpose system to assist:
a) CEO and responsible parties
  – Achieve strategic objectives and regulatory compliance
  – Retain documented information
  – Verify operator compliance with agreements
b) Information officers
  – Handle data subject complaints and requests
c) Responsible staff (and process owners)
  – Manage assigned responsibilities
d) Operations management
  – Schedule planned work and report progress
  – Maintain history log of privacy events and actions
e) Operators, service providers, contractors and third parties
  – Adhere to instructions and report incidents
f) Legal officer
  – Manage statutory obligations and legal commitments
g) POPI programme management
  – Manage staff and third parties
  – Implement improvements
  – Provide detailed instructions, templates and wikis
h) Information security management
  – Protect personal information and respond to breaches
i) Risk and compliance management
  – Maintain risk and control libraries with status checks
j) Auditors and capability assessors
  – Perform assessments and report findings.
Endless Customisation
Thank you
IT Governance Network
South Africa, US, UK, Switzerland
+27 825588732
+44 – (0)20 81333180
+1 302-5044408