Post on 30-Jan-2018
Overview of Frameworks: COSO, COBIT, ITIL, ISO, and more
Jennifer F. Alfafara, CISA
Consultant
Frameworks vs Standards
What is a Framework?
Main Entry: frame·work
Pronunciation: \ˈfrām-ˌwərk\
Function: noun
Date: 1578
1 a: a basic conceptional structure (as of ideas) <the framework of the United States Constitution> b: a skeletal, openwork, or structural frame
2: frame of reference
3: the larger branches of a tree that determine its shape
What is a Standard?
Standard - a rule or principle that is used as a basis for judgment
Examples:
GAAP (FASB) – Generally Accepted Accounting Principles (Financial Accounting Standards Board)
IFRS (IASB) – International Financial Reporting Standards (International Accounting Standards Board)
PCAOB (Public Company Accounting Oversight Board) Auditing Standards
ISO/IEC 27000 (International Organization for Standardization / International Electrotechnical Commission)
Then, what is HIPAA considered?
HIPAA (the U.S. Health Insurance Portability and Accountability Act of 1996) is a “Guideline”.
More on HIPAA later….
Why have frameworks been developed?
Lack of alignment between business practices and technology
Provide guidance to corporate management to ensure they are in compliance with regulatory requirements
Why adopt a framework?
Regulatory requirement
Business requirement
Best in class
What is a Control Framework?
Control Framework - A recognized system of control categories that covers all internal controls expected in an organization.
Control Framework
To be comprehensive, the framework must:
1. Provide a favorable control environment
2. Provide for the continuing assessment of risk
3. Provide for the design, implementation, and maintenance of effective control-related policies and procedures
4. Provide for the effective communication of information
5. Provide for the ongoing monitoring of the effectiveness of control-related policies and procedures as well as the resolution of potential problems identified by controls
SEC on Frameworks
“The COSO Framework satisfies our criteria and may be used as an evaluation framework for purposes of management's annual internal control evaluation and disclosure requirements. However, the final rules do not mandate use of a particular framework, such as the COSO Framework, in recognition of the fact that other evaluation standards exist outside of the United States, and that frameworks other than COSO may be developed within the United States in the future, that satisfy the intent of the statute without diminishing the benefits to investors.”
Control Frameworks
COSO
COBIT 4.1
ITIL
ISO/IEC 27002 (actually a standard)
ISO 27799 (guidelines for applying 27002 in healthcare)
COSO
Committee of Sponsoring Organizations
COSO - Committee of Sponsoring Organizations of the Treadway Commission
COSO is a U.S. private-sector initiative, formed in 1985.
COSO: Who are the Sponsors?
1. American Institute of Certified Public Accountants (AICPA)
2. American Accounting Association (AAA)
3. Financial Executives Institute (FEI)
4. The Institute of Internal Auditors (IIA)
5. The Institute of Management Accountants (IMA)
COSO Major Objectives
COSO's main objectives are to assist organizations regarding:
1) effectiveness and efficiency of operations;
2) reliability of financial reporting;
3) compliance with applicable laws and regulations.
COSO and Healthcare
Internal control tools developed by COSO in 1992 and by the Department of Health and Human Services (HHS) Office of the Inspector General (OIG) highlight the importance of the internal audit function in detecting and preventing violations. Tightened internal controls have helped fight Medicare and Medicaid abuse.
Medicare Losses
1996: $23 billion
1999: $12 billion – an improvement; however, $12 billion still demands attention
Much of these losses can be attributed to abuse, fraud, and inefficiencies.
COSO (1992) Internal Control Framework
Five Components:
Control Environment
Risk Assessment
Control Activities
Information & Communication
Monitoring
COSO (2004) Enterprise Risk Management Framework
This COSO ERM framework defines essential components, suggests a common language, and provides clear direction and guidance for enterprise risk management.
Eight Components:
Internal Environment
Objective Setting
Event Identification
Risk Assessment
Risk Response
Control Activities
Information & Communication
Monitoring
COSO Components
Internal Environment
Encompasses the tone of an organization and sets the basis for how risk is viewed and addressed by an entity’s people, including risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate.
COSO Components
Objective Setting
Objectives must exist before management can identify potential events affecting their achievement.
COSO Components
Event Identification
Internal and external events affecting achievement of an entity’s objectives must be identified, distinguishing between risks and opportunities.
COSO Components
Risk Assessment
Analysis of risk
Consideration of likelihood and impact
How risks should be managed
COSO Components
Risk Response
Avoid risk
Accept risk
Reduce risk
Share risk
COSO Components
Control Activities
Policies and procedures are established and implemented.
COSO Components
Information and Communication
Relevant information is identified, captured, and communicated in a form and timeframe that enable people to carry out their responsibilities.
COSO Components
Monitoring
The entirety of enterprise risk management is monitored and modifications made as necessary.
Financial vs Technical Issues
Okay, that addresses issues related to “Finance”; what about other Frameworks and Standards in Healthcare?
HIPAA Title II
Focused on preventing healthcare fraud and abuse; administrative simplification; medical liability reform
Title II provides for the enactment of five rules.
HIPAA Title II Rules
Privacy Rule
Transactions and Code Sets Rule
Security Rule
Unique Identifiers Rule (National Provider Identifier)
Enforcement Rule
HIPAA & Technology
Challenges for Information Technology (IT):
Transactions and Code Sets
Privacy
Security Rules
Transactions & Code Sets (X12 Transactions)
These transactions and code sets relate to EDI (Electronic Data Interchange). EDI is the structured transmission of data between organizations by electronic means. There are 11 defined code sets.
Transactions & Code Sets (X12 Transactions)
• EDI Health Care Claim Transaction Set (837)
• EDI Health Care Claim Payment/Advice (835)
• EDI Benefit Enrollment and Maintenance Set (834)
• EDI Payroll Deducted and Other Group Premium Payment for Insurance Products (820)
• EDI Health Care Eligibility/Benefit Inquiry (270)
• EDI Health Care Eligibility/Benefit Response (271)
• EDI Health Care Claim Status Request (276)
• EDI Health Care Claim Status Notification (277)
• EDI Health Care Service Review Information (278)
• EDI Functional Acknowledgement Transaction Set (997)
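An added example, not code from the presentation: a small Python walker for the X12 envelope behind the transaction sets listed above. It reads the element and segment delimiters from the fixed-width ISA header rather than assuming "*" and "~", finds each ST/SE transaction set, refuses a truncated interchange, and flags the sets whose body is PHI so that a covered entity can log and access-control them differently from a 997 acknowledgement. The transaction-set names are the ones on the slides; the sample interchange, the trading-partner IDs, the isa_header helper and the PHI_BEARING classification are constructed for this example and are not something the slides state.

```python
"""Walk an X12 EDI interchange and report which HIPAA transaction sets it
carries, so that PHI-bearing sets (837, 835, 270/271, ...) can be routed,
logged and access-controlled differently from a bare 997 acknowledgement.

Added example, not code from the presentation. Transaction-set names are the
ones listed on the slides; the sample interchange is constructed and carries
only envelope segments plus one body segment per set."""

# ST01 transaction set identifier code -> name, as listed on the slides.
HIPAA_TRANSACTION_SETS = {
    "837": "Health Care Claim",
    "835": "Health Care Claim Payment/Advice",
    "834": "Benefit Enrollment and Maintenance",
    "820": "Payroll Deducted and Other Group Premium Payment",
    "270": "Health Care Eligibility/Benefit Inquiry",
    "271": "Health Care Eligibility/Benefit Response",
    "276": "Health Care Claim Status Request",
    "277": "Health Care Claim Status Notification",
    "278": "Health Care Service Review Information",
    "997": "Functional Acknowledgement",
}

# Sets whose body is Protected Health Information under the Privacy Rule
# (classification assumed for this example). A 997 only acknowledges
# receipt of a functional group and carries no PHI.
PHI_BEARING = {"837", "835", "834", "270", "271", "276", "277", "278"}


def x12_delimiters(data):
    """The ISA segment is fixed at 106 characters, so the element separator
    sits at offset 3, the sub-element separator at 104 and the segment
    terminator at 105. Reading them from the header instead of assuming
    '*' and '~' keeps the parser correct on real trading-partner files."""
    if not data.startswith("ISA") or len(data) < 106:
        raise ValueError("not an X12 interchange: missing ISA header")
    return data[3], data[104], data[105]


def x12_segments(data):
    """Split an interchange into (segment_id, [elements]) tuples."""
    elem_sep, _sub_sep, seg_term = x12_delimiters(data)
    segments = []
    for raw in data.split(seg_term):
        raw = raw.strip()            # tolerate line breaks after the terminator
        if raw:
            parts = raw.split(elem_sep)
            segments.append((parts[0], parts[1:]))
    return segments


def transaction_sets(data):
    """Return the ST01 code of every transaction set, in document order.
    Each ST must be closed by an SE carrying the same control number
    (ST02 == SE02); a truncated or spliced interchange raises instead of
    silently yielding a partial list."""
    found, open_ctrl = [], None
    for seg_id, elems in x12_segments(data):
        if seg_id == "ST":
            if open_ctrl is not None:
                raise ValueError(f"ST nested inside open transaction set {open_ctrl}")
            found.append(elems[0])   # ST01 transaction set identifier code
            open_ctrl = elems[1]     # ST02 transaction set control number
        elif seg_id == "SE":
            if elems[1] != open_ctrl:
                raise ValueError(f"SE control {elems[1]} does not close ST {open_ctrl}")
            open_ctrl = None
    if open_ctrl is not None:
        raise ValueError(f"interchange ends inside transaction set {open_ctrl}")
    return found


def classify(data):
    """(code, name, carries_phi) for each transaction set in the interchange."""
    return [(c, HIPAA_TRANSACTION_SETS.get(c, "unknown"), c in PHI_BEARING)
            for c in transaction_sets(data)]


def isa_header(sender, receiver, date, time, ctrl):
    """Build a fixed-width ISA so the sample is a valid 106-character header.
    Helper for the constructed sample only; not part of the X12 standard."""
    return ("ISA*00*" + " " * 10 + "*00*" + " " * 10
            + f"*ZZ*{sender:<15}*ZZ*{receiver:<15}*{date}*{time}"
            + f"*^*00501*{ctrl:09d}*0*T*:~\n")


# Constructed sample: a 270 eligibility inquiry followed by the 997 that
# acknowledges it. Hypothetical trading-partner IDs.
SAMPLE = (
    isa_header("SENDERID", "RECEIVERID", "100101", "1200", 1)
    + "GS*HS*SENDERID*RECEIVERID*20100101*1200*1*X*005010X279A1~\n"
    + "ST*270*0001~\n"
    + "BHT*0022*13*10001*20100101*1200~\n"
    + "SE*3*0001~\n"
    + "GE*1*1~\n"
    + "IEA*1*000000001~\n"
    + isa_header("RECEIVERID", "SENDERID", "100101", "1201", 2)
    + "GS*FA*RECEIVERID*SENDERID*20100101*1201*2*X*005010~\n"
    + "ST*997*0002~\n"
    + "AK1*HS*1~\n"
    + "SE*3*0002~\n"
    + "GE*1*2~\n"
    + "IEA*1*000000002~\n"
)

if __name__ == "__main__":
    for code, name, phi in classify(SAMPLE):
        print(f"{code}  {name:<48} PHI: {'yes' if phi else 'no'}")
```

Running the block prints one line per transaction set. The ST/SE control-number check matters in practice: a gateway that stops at the first ST and assumes the rest is well-formed will misclassify an interchange where a PHI-bearing 837 was spliced in behind an innocuous 997.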
Privacy Rule
It establishes regulations for the use and disclosure of Protected Health Information (PHI). PHI is any information held by a covered entity which concerns health status, provision of health care, or payment for health care that can be linked to an individual.
Security Rule
Lays out three types of security safeguards required for compliance:
Administrative – policies and procedures
Physical – access to protected data
Technical – access to computers that store and manage protected data
Obeying the “Rules”
Implement control frameworks that facilitate compliance with the “Rules”:
COBIT
ITIL
ISO/IEC 27002
ISO 27799
COBIT
Control Objectives for Information and Related Technology
COBIT
The Control Objectives for Information and related Technology (COBIT) is a set of best practices (framework) for information technology (IT) management created by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI) in 1992.
COBIT 4.1, the most current version, was released in 2007.
COBIT
What COBIT provides:
A set of generally accepted measures
Indicators
Processes
Best practices?
COBIT Structure
Covers four domains:
1. Plan and Organize (PO)
2. Acquire and Implement (AI)
3. Deliver and Support (DS)
4. Monitor and Evaluate (ME)
COBIT
Plan and Organize covers:
The use of information and technology, and how best it can be used in a company to help achieve the company’s goals and objectives.
It also highlights the organizational and infrastructural form IT is to take in order to achieve the optimal results and to generate the most benefits from the use of IT.
COBIT
Acquire and Implement covers:
Identification of IT requirements,
Acquisition of technology, and
Implementation within the company’s current business processes.
COBIT
Deliver and Support covers:
The delivery aspects of the information technology,
The execution of the applications within the IT system and its results, and
The support processes that enable the effective and efficient execution of these IT systems. These support processes include security issues, training, Help Desk, and backup & recovery.
COBIT
Monitor and Evaluate:
Deals with a company’s strategy in assessing the needs of the company.
Determines whether or not the current IT system still meets the objectives for which it was designed.
Identifies the controls necessary to comply with regulatory requirements.
Deals with the issue of an independent assessment of the effectiveness of the IT system in its ability to meet business objectives and the evaluation of the company’s control processes by internal and external auditors.
COBIT, COSO & SOX
The most referenced control frameworks for SOX and FIEL (Financial Instruments and Exchange Law – aka “J-SOX”)
Not all COBIT controls apply to ICFR (Internal Controls over Financial Reporting)
COBIT “Lite”
COBIT “Lite”
IT Control Objectives for Sarbanes-Oxley
ITIL
The five ITIL V3 volumes
ITIL
ITIL is published in a series of books, each of which covers an IT management topic.
ITIL gives a detailed description of a number of important IT practices with comprehensive checklists, tasks and procedures that any IT organization can tailor to its needs.
ITIL has been mapped to COBIT, but the reporting requirements are not the same.
ITIL Structure
ITIL v3, published in May 2007, comprises 5 key volumes:
1. Service Strategy
2. Service Design
3. Service Transition
4. Service Operation
5. Continual Service Improvement
ITIL
ITIL is owned and maintained by the UK Office of Government Commerce (OGC).
The names ITIL and IT Infrastructure Library are registered trademarks of the OGC.
ISO/IEC 27002:2005 (actually a ‘Standard’)
ISO/IEC
• ISO (International Organization for Standardization) is the world's largest developer and publisher of International Standards.
• IEC (International Electrotechnical Commission) is the international standards and conformity assessment body for all fields of electrotechnology.
ISO 27002
The standard comprises two parts:
Part 1: ISO/IEC 17799
• Contains guidance and explanatory information
• Formally published as ISO/IEC 27002, Code of Practice for Information Security Management
ISO 27002
Part 2: (British Standard) BS 7799 / ISO 27001
• Provides a model that can be used by businesses to set up and run an effective Information Security Management System (ISMS)
• Formally published as ISO/IEC 27001, Information Security Management Systems - Requirements
ISO 17799
This is essentially the set of security controls: the measures and safeguards for potential implementation. After the introduction, scope, terminology and structure sections, the remainder of ISO/IEC 17799 specifies control objectives categorized into 11 main sections to protect information assets against threats to their confidentiality, integrity and availability.
ISO 17799 Security Controls
Security Policy
Organization of Information Security
Asset Management
Human Resources Security
Physical and Environmental Security
Communications and Operations Management
Access Control
Information Systems Acquisition, Development and Maintenance
Information Security Incident Management
Business Continuity Management
Compliance
ISO 27001
This is the ‘specification’ for an Information Security Management System (ISMS). It is the means to measure, monitor and control security management from the top-down perspective. It explains how to apply ISO 17799.
ISO 27001
Defined as a six-part process:
Define a security policy
Define the scope of the ISMS
Undertake a risk assessment
Manage the risk
Select control objectives and controls to be implemented
Prepare a statement of applicability
ISO 27002
Healthcare challenges:
ISO 27002 is extremely difficult to implement for large units.
Compliance scopes that cover no more than two to three sites, approximately 50 staff, or approximately ten processes have been found to work very well.
ISO 27799:2008
Health informatics - Information security management in health using ISO/IEC 27002
ISO 27799
This International Standard provides guidance to healthcare organizations and other custodians of personal health information on how best to protect the confidentiality, integrity and availability of such information by implementing ISO/IEC 27002.
ISO 27799
Health information security
Practical action plan for implementing ISO 17799/27002
Healthcare implications of ISO 17799/27002
Threats
Tasks and documentation of the ISMS
Potential benefits and tool attributes
Relationships Between Standards & Regulations
[Diagram: how HIPAA, ISO 17799, BS 7799, COBIT and ITIL relate to one another]
Remember: ISO 17799 and BS 7799 (Part 1) are now ISO 27002.
Questions?
For More Information:
Jennifer F. Alfafara
Consultant
Resources Global Professionals
jalfafara@resources-usa.com
Thank you!