COBIT Part 2 IT Governance Presented by George Grachis CISSP

Upload: thomasine-williams

Post on 26-Dec-2015

Page 1: COBIT Part 2 IT Governance Presented by George Grachis CISSP

COBIT Part 2: IT Governance

Presented by George Grachis, CISSP

Page 2: COBIT Part 2 IT Governance Presented by George Grachis CISSP

Abstract

The business goal of Harley-Davidson Motor Company is to produce and sell high-quality motorcycles.

The challenge was in getting management, information technology (IT) and audit speaking the same language and working toward increased control. This all had to be accomplished by building consensus among varied departments and without affecting quality or slowing production.

Page 3: COBIT Part 2 IT Governance Presented by George Grachis CISSP

Background

Harley-Davidson Motor Company was founded in 1903 in Milwaukee, Wisconsin, USA. It is the oldest producer of motorcycles in the US and has enjoyed 20 consecutive years of record revenue. In 2003, Harley-Davidson had limited IT controls in place and staff had limited control knowledge.

In addition, it had been difficult finding other manufacturers for benchmarking, and COBIT helped show Harley-Davidson management where the company was positioned regarding controls and what should be done to improve. 

Page 4: COBIT Part 2 IT Governance Presented by George Grachis CISSP

Process

To jumpstart IT governance and Sarbanes-Oxley activities, Harley-Davidson created an IS compliance department and began implementing a vendor’s general computer controls model.

Reasons behind Harley-Davidson’s selection of COBIT include:

• It is an internationally accepted standard for IT governance and control practices.
• It can be used by management, end users, and IT audit and security professionals, and it provides a common language.
• The company was able to gain agreement with the external auditor on the same framework and control objectives.

Page 5: COBIT Part 2 IT Governance Presented by George Grachis CISSP

Key to introducing COBIT was ensuring that all of IT and management understood why they needed to care about effective, value-focused controls.

COBIT’s business-focused language allowed management, IT and internal audit to ensure they were on the same road. 

The team started by mapping implemented controls to COBIT and compared the results. Gaps were identified and plans were developed to close these gaps.

Page 6: COBIT Part 2 IT Governance Presented by George Grachis CISSP

One of the major benefits of using COBIT as its overall internal control and compliance model was getting everyone—especially non-technical motorcycle experts—revved up about control activities and why controls are important.

Page 7: COBIT Part 2 IT Governance Presented by George Grachis CISSP

Tracking and reporting are important components of ongoing IT governance activities. Harley-Davidson developed an MS Access issues-tracking database to have joint IT and internal audit visibility of known control weaknesses.

Driving internal change was also a key goal of this highly competitive company, and COBIT benchmarking was an invaluable tool for independent comparison.

Page 8: COBIT Part 2 IT Governance Presented by George Grachis CISSP

Summary

Prior to implementing the COBIT framework, areas the external auditor audited were chosen randomly or on loose justifications. Now the areas selected for auditing are firmly based on business value and control needs.

COBIT’s open architecture allowed it to be used successfully as a central control model. COBIT’s benefits:

• End users need to be aware of only one standard.
• It gains external audit agreement on the company’s control position.
• It establishes the ability to use control objectives to help identify root causes.
• There is a comprehensive view of the risk and control environment.

Page 9: COBIT Part 2 IT Governance Presented by George Grachis CISSP

COBIT Users

• Harley-Davidson
• Sun Microsystems
• University of Iowa
• Prudential
• Allstate
• Charles Schwab
• U.S. House of Representatives

Page 10: COBIT Part 2 IT Governance Presented by George Grachis CISSP

Why IT Governance

• Due diligence
• IT is critical to the business
• IT is strategic to the business
• Expectations and reality don’t match
• IT hasn’t gotten the attention it deserves
• IT involves huge investments and large risks

Page 11: COBIT Part 2 IT Governance Presented by George Grachis CISSP

“Due diligence”

• Infrastructure and productive functions
• Skills, culture, operating environment
• Capabilities, risks, process knowledge and customer information
• Service levels

Page 12: COBIT Part 2 IT Governance Presented by George Grachis CISSP

IT is Critical to Business

This criticality arises from:

• The increasing dependence on information and the systems and communications that deliver it
• The dependence on entities beyond the direct control of the enterprise
• The risks of doing business in an interconnected world

Page 13: COBIT Part 2 IT Governance Presented by George Grachis CISSP

IT is Strategic to Business

If so, wouldn’t you want to know whether your organization’s information technology is:

• Likely to achieve its objectives?
• Resilient enough to learn and adapt?
• Judiciously managing the risks it faces?
• Appropriately recognizing opportunities and acting on them?

Page 14: COBIT Part 2 IT Governance Presented by George Grachis CISSP

Why IT has not been valued

• IT requires more technical insight than do other disciplines to understand how IT enables the enterprise, creates risks and gives rise to opportunities
• IT has traditionally been treated as an entity separate from the business
• IT is complex, and even more so in the extended enterprise operating in a networked economy

Page 15: COBIT Part 2 IT Governance Presented by George Grachis CISSP

IT Governance Defined

• Responsibility of the board of directors
• Protects shareholder value
• Ensures risk transparency
• Directs and controls IT investment, opportunity, benefits and risks
• Aligns IT with the business while accepting IT is a critical input to and component of the strategic plan, influencing strategic opportunities
• Sustains the current operation and prepares for the future

Page 16: COBIT Part 2 IT Governance Presented by George Grachis CISSP

IT Governance Framework

Fig 1

Page 17: COBIT Part 2 IT Governance Presented by George Grachis CISSP

Information Security

• Know what questions to ask
• Know what is needed
• Raise the awareness at the top
• Have clarity of purpose
• Measure your performance
• Keep on doing it

Page 18: COBIT Part 2 IT Governance Presented by George Grachis CISSP

Some good questions

• Would people recognize a security incident when they saw one? Would they ignore it? Would they know what to do about it?
• Does anyone know how many computers the company owns?
• Did the company suffer from the latest virus attack? How many did it have last year?
• What are the most critical information assets of the enterprise? Does management know where the enterprise is most vulnerable?
• Has the organization ever had its network security checked by a third party?
• Is IT security a regular agenda item on IT management meetings?

Page 19: COBIT Part 2 IT Governance Presented by George Grachis CISSP

COBIT Structure

Page 20: COBIT Part 2 IT Governance Presented by George Grachis CISSP
Page 21: COBIT Part 2 IT Governance Presented by George Grachis CISSP
Page 22: COBIT Part 2 IT Governance Presented by George Grachis CISSP
Page 23: COBIT Part 2 IT Governance Presented by George Grachis CISSP
Page 24: COBIT Part 2 IT Governance Presented by George Grachis CISSP
Page 25: COBIT Part 2 IT Governance Presented by George Grachis CISSP

DETAILED CONTROL OBJECTIVES

5 ENSURE SYSTEMS SECURITY

5.1 Manage Security Measures

CONTROL OBJECTIVE

IT security should be managed such that security measures are in line with business requirements. This includes:

• Translating risk assessment information to the IT security plans
• Implementing the IT security plan
• Updating the IT security plan to reflect changes in the IT configuration
• Assessing the impact of change requests on IT security
• Monitoring the implementation of the IT security plan
• Aligning IT security procedures to other policies and procedures

Page 26: COBIT Part 2 IT Governance Presented by George Grachis CISSP

5.2 Identification, Authentication and Access

CONTROL OBJECTIVE

The logical access to and use of IT computing resources should be restricted by the implementation of adequate identification, authentication and authorization mechanisms, linking users and resources with access rules. Such mechanisms should prevent unauthorized personnel, dial-up connections and other system (network) entry ports from accessing computer resources and minimize the need for authorized users to use multiple sign-ons. Procedures should also be in place to keep authentication and access mechanisms effective (e.g., regular password changes).

Page 27: COBIT Part 2 IT Governance Presented by George Grachis CISSP

5.4 User Account Management

CONTROL OBJECTIVE

Management should establish procedures to ensure timely action relating to requesting, establishing, issuing, suspending and closing of user accounts. A formal approval procedure outlining the data or system owner granting the access privileges should be included. The security of third-party access should be defined contractually and address administration and non-disclosure requirements. Outsourcing arrangements should address the risks, security controls and procedures for information systems and networks in the contract between the parties.
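The control objective above is stated as a procedure; the recurring check behind it is a periodic reconciliation of the account list against owner approvals, HR departures and third-party contract terms. The following is an added example written for this page, not code from the presentation or from COBIT. The account fields, the HR roster and the thresholds (90 days dormant before suspension, 30 days suspended before closure) are all assumptions chosen for illustration, and the sample records are constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Account record as an IAM export might provide it. Field names are assumptions
# made for this example, not COBIT terminology.
@dataclass
class Account:
    user_id: str
    status: str                  # "active" or "suspended"
    approved_by: Optional[str]   # data/system owner who approved the access (5.4)
    account_type: str            # "employee" or "third_party"
    last_login: Optional[date]   # None if the account has never been used
    suspended_on: Optional[date] = None
    contract_end: Optional[date] = None  # third-party accounts only

# Constructed sample data; review date matches the post date of this page.
TODAY = date(2015, 12, 26)
ACCOUNTS = [
    Account("asmith", "active", "owner-erp", "employee", date(2015, 12, 23)),
    Account("jdoe", "active", "owner-erp", "employee", date(2015, 12, 16)),
    Account("bvendor", "active", "owner-plm", "third_party", date(2015, 12, 20),
            contract_end=date(2015, 12, 1)),
    Account("tmp01", "active", None, "employee", None),
    Account("rold", "suspended", "owner-hr", "employee", date(2015, 10, 20),
            suspended_on=date(2015, 11, 1)),
    Account("kdorm", "active", "owner-erp", "employee", date(2015, 8, 1)),
]
# Constructed HR roster: user_id -> termination date.
HR_LEAVERS = {"jdoe": date(2015, 11, 30)}


def review_accounts(accounts, hr_leavers, today, dormant_days=90, close_after_days=30):
    """Return {user_id: [(action, reason), ...]} for accounts that need action.

    FLAG    - approval evidence is missing (owner sign-off cannot be shown)
    SUSPEND - access should end now (leaver, expired contract, dormant, never used)
    CLOSE   - suspended long enough that the account should be removed
    Accounts with no findings are omitted from the result.
    """
    findings = {}

    def add(uid, action, reason):
        findings.setdefault(uid, []).append((action, reason))

    for a in accounts:
        if a.approved_by is None:
            add(a.user_id, "FLAG", "no documented owner approval")
        if a.status == "active":
            if a.user_id in hr_leavers:
                add(a.user_id, "SUSPEND", f"HR shows departure on {hr_leavers[a.user_id]}")
            if a.account_type == "third_party" and a.contract_end and a.contract_end < today:
                add(a.user_id, "SUSPEND", f"third-party contract ended {a.contract_end}")
            if a.last_login is None:
                add(a.user_id, "SUSPEND", "no login ever recorded")
            elif (today - a.last_login).days > dormant_days:
                add(a.user_id, "SUSPEND", f"dormant for {(today - a.last_login).days} days")
        elif a.status == "suspended" and a.suspended_on \
                and (today - a.suspended_on).days > close_after_days:
            add(a.user_id, "CLOSE", f"suspended since {a.suspended_on}")
    return findings


if __name__ == "__main__":
    for uid, actions in review_accounts(ACCOUNTS, HR_LEAVERS, TODAY).items():
        for action, reason in actions:
            print(f"{action:8} {uid:10} {reason}")
```

The output is the evidence an auditor asks for under this objective: each account either has an owner approval on record or is flagged, and every suspension or closure is tied to a dated trigger rather than to someone's memory of who left.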

Page 28: COBIT Part 2 IT Governance Presented by George Grachis CISSP

5.6 User Control of User Accounts

CONTROL OBJECTIVE

Users should systematically control the activity of their proper accounts. Also, information mechanisms should be in place to allow them to oversee normal activity as well as to be alerted to unusual activity in a timely manner.

Page 29: COBIT Part 2 IT Governance Presented by George Grachis CISSP

5.11 Incident Handling

CONTROL OBJECTIVE

Management should establish a computer security incident handling capability to address security incidents by providing a centralized platform with sufficient expertise and equipped with rapid and secure communication facilities. Incident management responsibilities and procedures should be established to ensure an appropriate, effective and timely response to security incidents.

Page 30: COBIT Part 2 IT Governance Presented by George Grachis CISSP

5.9 Central Identification and Access Rights Management

CONTROL OBJECTIVE

Controls are in place to ensure that the identification and access rights of users as well as the identity of system and data ownership are established and managed in a unique and central manner to obtain consistency and efficiency of global access control.

Page 31: COBIT Part 2 IT Governance Presented by George Grachis CISSP

5.10 Violation and Security Activity Reports

CONTROL OBJECTIVE

IT security administration should ensure that violation and security activity is logged, reported, reviewed and appropriately escalated on a regular basis to identify and resolve incidents involving unauthorized activity. The logical access to the computer resources accountability information (security and other logs) should be granted based upon the principle of least privilege, or need-to-know.
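Objective 5.10 asks for logging, regular review and escalation, and 5.6 above asks that users be alerted to unusual activity on their own accounts. The example below, added for this page and not taken from the presentation or from COBIT, shows the review step as code: it parses authentication log lines, summarizes activity per account and per source, and produces escalation findings a security administrator would act on. The log lines are constructed in an sshd-like syslog layout, the source addresses use documentation ranges, and the threshold of three consecutive failures is an assumption.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log lines in an sshd-like syslog format (not real output).
SAMPLE_LOG = """\
Dec 26 08:01:12 erp01 sshd[2101]: Accepted password for asmith from 10.1.20.14 port 50122 ssh2
Dec 26 08:02:40 erp01 sshd[2110]: Failed password for jdoe from 10.1.20.77 port 50130 ssh2
Dec 26 08:02:44 erp01 sshd[2110]: Failed password for jdoe from 10.1.20.77 port 50130 ssh2
Dec 26 08:02:49 erp01 sshd[2110]: Failed password for jdoe from 10.1.20.77 port 50130 ssh2
Dec 26 08:02:55 erp01 sshd[2110]: Accepted password for jdoe from 10.1.20.77 port 50130 ssh2
Dec 26 08:10:02 erp01 sshd[2142]: Failed password for invalid user admin from 203.0.113.9 port 50201 ssh2
Dec 26 08:10:05 erp01 sshd[2142]: Failed password for invalid user test from 203.0.113.9 port 50201 ssh2
Dec 26 08:10:09 erp01 sshd[2142]: Failed password for asmith from 203.0.113.9 port 50201 ssh2
Dec 26 08:10:13 erp01 sshd[2142]: Failed password for bvendor from 203.0.113.9 port 50201 ssh2
Dec 26 08:15:30 erp01 sshd[2190]: Failed password for kdorm from 10.1.20.30 port 50310 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def parse(lines):
    """Turn raw log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def summarize(events, fail_threshold=3):
    """Build the review report: per-account activity plus escalation findings.

    ESCALATE - a success directly after repeated failures (5.10: resolve as incident)
    REVIEW   - repeated failures with no success (5.6: the account owner should see this)
    ESCALATE - one source failing against many different accounts
    """
    per_user = defaultdict(lambda: {"failed": 0, "accepted": 0, "sources": set()})
    per_source = defaultdict(set)   # src -> accounts it failed against
    streak = Counter()              # consecutive failures per account, reset on success
    findings = []

    for e in events:  # events are assumed to be in log order
        u = per_user[e["user"]]
        u["sources"].add(e["src"])
        if e["result"] == "Failed":
            u["failed"] += 1
            streak[e["user"]] += 1
            per_source[e["src"]].add(e["user"])
        else:
            u["accepted"] += 1
            if streak[e["user"]] >= fail_threshold:
                findings.append(("ESCALATE", e["user"],
                                 f"successful login after {streak[e['user']]} "
                                 f"consecutive failures from {e['src']}"))
            streak[e["user"]] = 0

    for user, s in streak.items():
        if s >= fail_threshold:
            findings.append(("REVIEW", user, f"{s} consecutive failed logins, no success"))
    for src, users in per_source.items():
        if len(users) >= fail_threshold:
            findings.append(("ESCALATE", src,
                             f"failed logins against {len(users)} different accounts"))
    return {"per_user": dict(per_user), "findings": findings}


if __name__ == "__main__":
    report = summarize(parse(SAMPLE_LOG.splitlines()))
    for user, stats in sorted(report["per_user"].items()):
        print(f"{user:10} failed={stats['failed']} accepted={stats['accepted']} "
              f"sources={sorted(stats['sources'])}")
    for severity, subject, reason in report["findings"]:
        print(f"{severity:9} {subject:14} {reason}")
```

The second sentence of the objective is reflected in what this produces: reviewers and account owners receive the summarized report, while read access to the raw log stays with security administration on a need-to-know basis.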

Page 32: COBIT Part 2 IT Governance Presented by George Grachis CISSP

5.20 Firewall Architectures and Connections with Public Networks

CONTROL OBJECTIVE

If connection to the Internet or other public networks exists, adequate firewalls should be operative to protect against denial of services and any unauthorized access to the internal resources; should control any application and infrastructure management flows in both directions; and should protect against denial of service attacks.

Page 33: COBIT Part 2 IT Governance Presented by George Grachis CISSP

Questions

Thank you