IT General Controls - John Gatto (Part 2) - ISACA

Posted 19-Feb-2018

Business Alignment

The IT planning efforts need to be integrated with the organization’s business plans. As business plans change and business priorities evolve, the IT function needs a process to continually refine priorities. IT also needs to acquaint the business with what is currently possible, and at what price.

If not actively involved in the strategic planning processes, IT management at least needs to understand the organization’s strategic directions and plans in detail.

IT can take a leadership role by developing data-driven strategies, integrated application portfolios, and “blue sky” awareness of emerging technologies and competitor activities.

Developing, implementing and continuously improving management systems should be part of IT’s overall quality strategy.

Things to Look For....

• Adequate segregation of duties
• Implemented controls for recruitment and staff procedures
• Adequate and ongoing training programs
• Adherence to enterprise:
  • Evaluation processes
  • PTO processes

SOD

Main objective for segregation of duties in the IT organization: responsibility for all aspects of processing data does not rest with a single individual, group or department.

SOD: IT and User Departments

The user department does not perform its own IT duties. Users sometimes provide their own IT support (e.g., help desk), BUT they should not perform security, programming or other critical IT duties.

User departments should be expected to provide input into systems and application development and to provide a quality assurance function during the testing phase.

Users of a new application must test it before it goes into operation and sign a user acceptance agreement indicating that it is performing according to the information requirements.

SOD: DBA vs. Rest of IT

DBA - critical position requiring a high level of SoD.
• The DBA knows everything about the data, database structure and database management system
• The superuser has what security experts refer to as the "keys to the kingdom"
• Leads to an extremely high level of assessed risk in the IT function

Segregate the DBAs from everything except what they must have to perform their duties:
• Installation, configuration, upgrade, and migration
• Backup and recovery
• Storage and capacity planning
• Performance monitoring and tuning

IT auditor reviews an organization chart:
• The DBA would be in a symbol that looks like an island, with no other functions reporting to the DBA
• No responsibilities or interaction with programming, security or computer operations

Segregating Functions

IT functions that should be segregated include:
• Initiation
• Authorization
• Input
• Processing
• Checking / Quality Assurance

Primary Segregation of Duties

Primary segregation of duties is between operational areas and systems development areas:
• Operations is responsible for running production systems only
• Systems development is responsible for designing and writing applications only

Defining Data Centers

Gartner defines a data center as a department within a business that houses and maintains its back-end IT systems, mainframe servers and databases.
• Previously, centralized IT was the norm and all these systems were housed in one place
• With distributed IT models, single-site data centers are much less common
• "Data center" still refers to the department responsible for these centers, regardless of how dispersed they are

Essential Data Center Aspects

On-demand access
• Users specify the service requirements and these are automatically provisioned by the data center.

Measured service
• Service requirements are measurable so consumers can be charged for resource usage.

Network access
• A portal or platform should be supplied to users so they can submit and manage their jobs.

Resource pooling
• Resources in the data center can be shared by consumers with different SLAs.

Virtualization
• The data center topology should not matter to the user. Applications are easily migrated across hardware platforms as demands and usage change.

Reliability
• Multiple redundant copies of stored content exist.

Maintenance
• Handled by a professional, dedicated IT team.

IT Infrastructure

IT infrastructure refers to:
• Mainframes and servers
• Network connectivity
• The IT processes that support them

Very costly.

Physical Security

• Policy exists and was approved within the last 24 months
• Physical access to the data center is restricted
• Badge authorization for computer room areas
  • New user
  • Access review
• Pre-approved contractor list exists and is approved
• Access for individuals without a permanent badge is approved
• Individuals requiring access to the data center must sign in
• Visitor / supplier is escorted to the data center
• Computer room contains environmental devices / equipment
• Backup power sources exist

Physical Security

Physical protection of personnel and equipment:
• Security guards
• Perimeter fences
• Intrusion detection systems
• Closed circuit television / security cameras
• Access control systems (card keys) with appropriate reporting tools
• Biometric controls

Things to Look For….

Fire protection and prevention
• Halon (legacy installations; no longer manufactured)
• CO2
• Water
• Testing of alarms

Continuity of power supplies
• Quality monitoring of power supply
• Uninterruptible power supply (UPS)
• Dual supply systems - from multiple power grids and/or providers

COBIT – DS13 Manage Operations

Operations Management

Define, implement and maintain procedures for:
• IT operations staff to be familiar with all tasks
• Backup and restoration of systems, applications and data
• Documentation in line with business requirements and the continuity plan
• Inventory of stored and archived media to ensure their usability and integrity

Operations Management

• Store offsite all critical backup media, documentation and other IT resources necessary for IT recovery and business continuity
• Organize the scheduling of jobs, processes and tasks into the most efficient sequence, maximizing throughput and utilization to meet business requirements
• Test the IT disaster recovery plan on a regular basis, ensuring IT systems can be effectively recovered, shortcomings are addressed and the plan remains relevant

Things to Look For….

• Data is stored securely (based on media type)
• Media disposal procedures ensure that the security of corporate data is not compromised
• Physical inventory taken of off-site media
• Production jobs are prioritized
• Rerun / restart procedures are implemented

Things to Look For….

• Reporting on how SLAs are met and the results
• Number of service levels impacted by operational incidents
• Hours of unplanned downtime
• Reporting and monitoring of incidents
• Rerun / restart procedures are implemented

Why The Need?

Backward Looking Visibility
• Quickly correlate new incidents back to a change
• Ensure the incidents can be remediated

Forward Looking Visibility
• Avoid technical conflicts with other changes
• Avoid resource conflicts with other changes

Governance
• Doing the right thing, at the right time, the right way

Mitigate risk to the business.

Why Audit Change Management?

Increased regulatory requirements
• Focus from Audit Committee and senior management
• Internal auditors responsible for providing IT controls assurance

Technology is everywhere
• All business decisions result in at least one IT change
• Changes not controlled can impact the entire organization
• According to analysts, 80% of all outages are due to change

Responsibility for IT change management
• Rests with IT
• Covers programs, hardware, software, patches, etc.

Understand Change Management

• Business requirements: high degree of IT uptime (availability)
• Regulatory requirements: controls to ensure the confidentiality and integrity of information
• Stable and managed IT production environments: changes are implemented in a predictable and repeatable manner
• IT personnel implementing changes must follow a controlled process that is defined, monitored and enforced
• Combination of preventative controls (segregation of duties) and detective controls (supervisory)

COBIT – BAI06

BAI06 Manage Changes
Area: Management
Domain: Build, Acquire and Implement

Process Description
Manage all changes in a controlled manner, including standard changes and emergency maintenance relating to business processes, applications and infrastructure. This includes change standards and procedures, impact assessment, prioritization and authorization, emergency changes, tracking, reporting, closure and documentation.

Process Purpose Statement
Enable fast and reliable delivery of change to the business and mitigation of the risk of negatively impacting the stability or integrity of the changed environment.

Change Management

All requests for changes, system maintenance and supplier maintenance are:
• Subject to formal change management procedures
• Categorized and prioritized, with specific procedures in place to handle urgent matters
• Assessed in a structured way for all possible impacts on the system and its functionality

Phases of Change

Request
• Capture
• Documentation and tracking
• Filtering and prioritization
• Categorization

Risk
• Impact:
  • Business
  • IT
• Change reversibility
• External factors

Planning
• Review and approval
• Change scheduling
• Back-out and testing plans
• Change communication
• Change build

Testing
• Resource allocation and coordination
• Change rollout
• Sensitive production information is not used in the development/test environment

Change Management Processes

COSO ERM Model For Change & Patch Management
[COSO ERM cube components: Internal Environment, Objective Setting, Event Identification, Risk Assessment, Risk Response, Control Activities, Information & Communication, Monitoring]

Control Activities:
• Common process in place and documented
• Effective Change Control Committee structure
• Change Control Log used
• SOD between developers and technical staff
• Automated controls to enforce the process of promoting changes into production
• Automated process to return the production environment to its pre-change state
• Approved configurations documented
• Clear delegation of authority documented
• Approvals for changes documented
• Automated system and data backups
• Ability to restore from an approved environment

Change Management Processes

COSO ERM Model For Change & Patch Management

Risk Assessment:
• Strategic risk assessments consider risks associated with unintended or unauthorized changes
• Risks well understood by IT
• Risk assessment of all proposed changes performed
• Business continuity planning in place
• Internal audit assessment performed
• Risk factors assessed to determine classification of the change and the level of testing and approval

Change Management Risks

• Changes not being recorded and tracked
• Emergency changes implemented without adequate oversight
• Lack of priority management of changes
• Unauthorized business process changes being introduced into operations
• Financial statements being materially misstated
• Inconsistent processing results
• Erroneous processes, unauthorized business processes and inefficiencies

Change Management Risks

• Additional access authorization not being terminated properly
• Unauthorized changes being applied, resulting in compromised security and unauthorized access to corporate information
• Failure to comply with compliance requirements
• Adverse effects on capacity and performance of the infrastructure
• System or application failure, resulting in lack of availability
• Reduced system availability
• Security intrusions

Things to Look for….

Processes
• Documented and maintained
• Followed
• Controlled

Testing
• Performed on all changes by IT and the user
• Traced to requirements
• Signed off

Emergency Changes
• Follow the same process but at an accelerated pace
• Recorded and authorized by IT management prior to implementation
• Reviewed and approved timely

Release Management

• Reviewed and approved at least every two years or as needed
• Process to release / promote changes to the production environment
• Two main environments:
  • Mainframe – usually using Endevor
  • Distributed – various tools like Serena

COBIT BAI07.06 - Releases

Management Practice
BAI07.06 Promote to production and manage releases. Promote the accepted solution to the business and operations. Where appropriate, run the solution as a pilot implementation or in parallel with the old solution for a defined period and compare behavior and results. If significant problems occur, revert to the original environment based on the fallback/back-out plan. Manage releases of solution components.

Outputs (Description → To)
• Release plan → BAI10.01
• Release log → Internal

Activities
1. Prepare for transfer of business procedures and supporting services, applications and infrastructure from testing to the production environment in accordance with organizational change management standards.
2. Determine the extent of pilot implementation or parallel processing of the old and new systems in line with the implementation plan.
3. Promptly update relevant business process and system documentation, configuration information and contingency plan documents, as appropriate.
4. Ensure that all media libraries are updated promptly with the version of the solution component being transferred from testing to the production environment. Archive the existing version and its supporting documentation. Ensure that promotion to production of systems, application software and infrastructure is under configuration control.
5. Where distribution of solution components is conducted electronically, control automated distribution to ensure that users are notified and distribution occurs only to authorized and correctly identified destinations. Include in the release process back-out procedures to enable the distribution of changes to be reviewed in the event of a malfunction or error.
6. Where distribution takes physical form, keep a formal log of what items have been distributed, to whom, where they have been implemented, and when each has been updated.

Things to Look for….

• Unauthorized changes
• Processes are followed
• Developer not moving changes into production
• Ability to trace changes from production libraries to Endevor
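The release-management items above (unauthorized changes, developers promoting their own code, traceability from production back to the change tool) and the emergency-change items on the previous slide can be tested mechanically once the change log and the promotion log are exported. The script below is an added example, not part of the ISACA slides; the record layouts, field names and the sample records are assumptions constructed for illustration, standing in for exports from Endevor, Serena or whatever change tool is in use. It reconciles each production promotion against the change records and reports the exception classes an auditor would sample.

```python
"""
Change-management control test: reconcile production promotions against the
change log and flag authorization and segregation-of-duties exceptions.

Added example, not from the ISACA slides. Record layouts, field names and the
sample data are assumptions; a real test would read exports from the change
tool (Endevor package reports, a Serena or ticketing export) instead.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class Change:
    change_id: str
    developer: str                       # who built the change
    approver: Optional[str]              # who approved it (None = never approved)
    approved_at: Optional[datetime]
    emergency: bool = False
    post_reviewed_at: Optional[datetime] = None   # emergency changes: post-implementation review


@dataclass(frozen=True)
class Deployment:
    deploy_id: str
    change_id: Optional[str]             # reference recorded when promoted to production
    deployed_by: str
    deployed_at: datetime


def audit_changes(changes, deployments, emergency_review_window=timedelta(days=5)):
    """Return a sorted list of (deploy_id, finding_code) tuples.

    NO_CHANGE_RECORD          promotion cannot be traced to any change record
    NOT_APPROVED              change was never approved
    DEPLOYED_BEFORE_APPROVAL  promotion happened before the approval timestamp
    DEVELOPER_DEPLOYED        developer promoted their own change (SoD)
    SELF_APPROVED             approver is the developer or the deployer (SoD)
    EMERGENCY_NOT_REVIEWED    emergency change lacks a timely post-implementation review
    """
    by_id = {c.change_id: c for c in changes}
    findings = []
    for d in deployments:
        chg = by_id.get(d.change_id) if d.change_id else None
        if chg is None:
            findings.append((d.deploy_id, "NO_CHANGE_RECORD"))
            continue
        if chg.approver is None or chg.approved_at is None:
            findings.append((d.deploy_id, "NOT_APPROVED"))
        elif d.deployed_at < chg.approved_at:
            findings.append((d.deploy_id, "DEPLOYED_BEFORE_APPROVAL"))
        if d.deployed_by == chg.developer:
            findings.append((d.deploy_id, "DEVELOPER_DEPLOYED"))
        if chg.approver is not None and chg.approver in (chg.developer, d.deployed_by):
            findings.append((d.deploy_id, "SELF_APPROVED"))
        if chg.emergency:
            reviewed = chg.post_reviewed_at
            if reviewed is None or reviewed - d.deployed_at > emergency_review_window:
                findings.append((d.deploy_id, "EMERGENCY_NOT_REVIEWED"))
    return sorted(findings)


# Constructed sample data (assumption: a small mixed population of changes).
T0 = datetime(2024, 3, 1, 9, 0)

SAMPLE_CHANGES = [
    Change("CHG-1001", "alice", "cab", T0),                                   # clean
    Change("CHG-1002", "bob", "bob", T0),                                     # approved by its own developer
    Change("CHG-1003", "carol", None, None),                                  # never approved
    Change("CHG-1004", "dave", "cab", T0 + timedelta(days=2)),                # approved late
    Change("CHG-1005", "erin", "it-mgr", T0, True, T0 + timedelta(days=1)),   # emergency, reviewed next day
    Change("CHG-1006", "frank", "it-mgr", T0, True, None),                    # emergency, never reviewed
]

SAMPLE_DEPLOYMENTS = [
    Deployment("DEP-1", "CHG-1001", "ops1", T0 + timedelta(hours=3)),
    Deployment("DEP-2", "CHG-1002", "ops1", T0 + timedelta(hours=3)),
    Deployment("DEP-3", "CHG-1003", "carol", T0 + timedelta(hours=3)),        # developer promoted own code
    Deployment("DEP-4", "CHG-1004", "ops2", T0 + timedelta(days=1)),          # promoted before approval
    Deployment("DEP-5", "CHG-1005", "ops1", T0 + timedelta(hours=1)),
    Deployment("DEP-6", "CHG-1006", "ops2", T0 + timedelta(hours=1)),
    Deployment("DEP-7", None, "ops1", T0 + timedelta(days=3)),                # no change reference at all
]


def run_sample():
    """Audit the constructed sample population."""
    return audit_changes(SAMPLE_CHANGES, SAMPLE_DEPLOYMENTS)


if __name__ == "__main__":
    for deploy_id, code in run_sample():
        print(f"{deploy_id}: {code}")
```

DEP-1 and DEP-5 produce no findings; the remaining promotions each map to one of the slide's "things to look for". The emergency window and the approver-role check are parameters a reviewer would set from the organization's own change policy.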

Things to Look for….

• Release and deployment plans appropriately authorized before being executed
• Communicated to end users and stakeholders
• Back-out / roll-back plans are developed so the production environment can be restored to the pre-change state
• Systems personnel and end users understand the disaster recovery / business continuity procedures to follow

Alignment

Aligning IT and business priorities is an on-going effort.

Where does one start?
• The organization's strategic planning effort should be the first place to start

What does IT need to do?
• The IT planning efforts need to be integrated with the organization's business plans

According to GAO research, high-performing organizations have strong IT investment management processes in addition to robust business planning processes and IT management practices.

Strategic Planning

• Create a strategic plan that defines how IT goals will contribute to the enterprise's strategic objectives and related costs and risks
• Create a portfolio of tactical IT plans derived from the IT strategic plan
• Describe required IT initiatives, resource requirements, and how the use of resources and achievement of benefits will be monitored and managed
• Assess the current capability and performance of solution and service delivery to establish a baseline against which future requirements can be compared

Five Critical Issues

1. Does management have a strategic IT plan in place which is updated regularly and supports the annual plans, budgets and prioritization of the various IT efforts?
2. What level of investment in IT and IT security has occurred over the past two to three years, and what is planned over the next two to three years?
3. Have the roles and responsibilities for IT management, including IT investment management, been defined and assigned within the organization?
4. Have performance indicators for the IT function and IT security function been developed? Is performance being periodically reported to the board?
5. Does management monitor IT's performance as well as its capability to continue providing the services upon which the organization relies?

COBIT APO02.05

• Define the initiatives required to close gaps and migrate from the current to the target environment, including investment/operational budget, funding sources, sourcing strategy and acquisition strategy.
• Identify and adequately address risk, costs and implications of organizational changes, technology evolution, regulatory requirements, business process re-engineering, staffing, insourcing and outsourcing opportunities, etc., in the planning process.
• Determine dependencies, overlaps, synergies and impacts amongst initiatives, and prioritize the initiatives.
• Identify resource requirements, schedule and investment/operational budgets for each of the initiatives.
• Create a road map indicating the relative scheduling and interdependencies of the initiatives.
• Translate the objectives into outcome measures represented by metrics (what) and targets (how much) that can be related to enterprise benefits.
• Formally obtain support from stakeholders and obtain approval for the plan.

COBIT APO02.06

Communicate the IT strategy and direction
Create awareness and understanding of the business and IT objectives and direction, as captured in the IT strategy, through communication to appropriate stakeholders and users throughout the enterprise.

IT Investment Management

Determine whether:
• Significant business priorities are being appropriately identified and assessed on an ongoing basis
• Changes to those priorities are monitored
• Significant investment management controls are operating effectively and consistently
• Risk management techniques are in place and effective
• Management and staff have the processes to respond to new business opportunities as they arise
• IT-related investments are being effectively and efficiently managed

Audit Focus

• Provide guidance on process effectiveness and feedback on managerial decisions and results
• Independently and objectively assess the organization's efforts to continually align IT and business priorities
• Provide assurance to management and the board that all that should be done is being done

Things to Look for….

• Business goals mapped to IT goals
• Business strategy clearly delineated in IT strategy
• Review of both strategies to ensure alignment
• Approval of plans at the highest level

COBIT – Risk Management

EDM03 Process Practices, Inputs/Outputs and Activities

Governance Practice
EDM03.01 Evaluate risk management. Continually examine and make judgement on the effect of risk on the current and future use of IT in the enterprise. Consider whether the enterprise's risk appetite is appropriate and that risk to enterprise value related to the use of IT is identified and managed.

Inputs (From → Description)
• APO12.01 → Emerging risk issues and factors
• Outside COBIT → Enterprise risk management principles

Outputs (Description → To)
• Risk appetite guidance → APO12.03
• Approved risk tolerance levels → APO12.03
• Evaluation of risk management activities → APO12.01

Activities
1. Determine the level of IT-related risk that the enterprise is willing to take to meet its objectives (risk appetite).
2. Evaluate and approve proposed IT risk tolerance thresholds against the enterprise's acceptable risk and opportunity levels.
3. Determine the extent of alignment of the IT risk strategy to the enterprise risk strategy.
4. Proactively evaluate IT risk factors in advance of pending strategic enterprise decisions and ensure that risk-aware enterprise decisions are made.
5. Determine that IT use is subject to appropriate risk assessment and evaluation, as described in relevant international and national standards.
6. Evaluate risk management activities to ensure alignment with the enterprise's capacity for IT-related loss and leadership's tolerance of it.

COBIT – Risk Management

Governance Practice
EDM03.02 Direct risk management. Direct the establishment of risk management practices to provide reasonable assurance that IT risk management practices are appropriate to ensure that the actual IT risk does not exceed the board's risk appetite.

Inputs (From → Description)
• APO12.03 → Aggregated risk profile, including status of risk management actions
• Outside COBIT → Enterprise risk management (ERM) profiles and mitigation plans

Outputs (Description → To)
• Risk management policies → APO12.01
• Key objectives to be monitored for risk management → APO12.01
• Approved process for measuring risk management → APO12.01

Activities
1. Promote an IT risk-aware culture and empower the enterprise to proactively identify IT risk, opportunity and potential business impacts.
2. Direct the integration of the IT risk strategy and operations with the enterprise strategic risk decisions and operations.
3. Direct the development of risk communication plans (covering all levels of the enterprise) as well as risk action plans.
4. Direct implementation of the appropriate mechanisms to respond quickly to changing risk and report immediately to appropriate levels of management, supported by agreed-on principles of escalation (what to report, when, where and how).
5. Direct that risk, opportunities, issues and concerns may be identified and reported by anyone at any time. Risk should be managed in accordance with published policies and procedures and escalated to the relevant decision makers.
6. Identify key goals and metrics of risk governance and management processes to be monitored, and approve the approaches, methods, techniques and processes for capturing and reporting the measurement information.

COBIT – Risk Management

Governance Practice
EDM03.03 Monitor risk management. Monitor the key goals and metrics of the risk management processes and establish how deviations or problems will be identified, tracked and reported for remediation.

Inputs (From → Description)
• APO12.02 → Risk analysis results
• APO12.04 → Opportunities for acceptance of greater risk
• APO12.04 → Results of third-party risk assessments
• APO12.04 → Risk analysis and risk profile reports for stakeholders

Outputs (Description → To)
• Remedial actions to address risk management deviations → APO12.06
• Risk management issues for the board → EDM05.01

Activities
1. Monitor the extent to which the risk profile is managed within the risk appetite thresholds.
2. Monitor key goals and metrics of risk governance and management processes against targets, analyze the cause of any deviations, and initiate remedial actions to address the underlying causes.
3. Enable key stakeholders' review of the enterprise's progress towards identified goals.
4. Report any risk management issues to the board or executive committee.

Risk Management

The risk assessment process has:
• measures to identify risks using qualitative and quantitative metrics
• a strategy to address identified risks
• a strategy for accepting risks
• a strategy for determining the appropriate protection needed to mitigate risks

Management encourages risk assessments as an important tool for providing information on potential threats and vulnerabilities:
• Results are reviewed
• Corrective actions are taken

Things to Look for….

• Processes documented and maintained
• Processes are followed
• IT performs an annual risk assessment
• Risk definitions consistently used
• Remediation plans for all Critical and High risks
• Appropriate due dates for remediation
• Internal Audit partners with IT Risk Management

Page 24: IT General Controls - John Gatto (Part 2) - ISACA · PDF fileIT General Controls 31 IT General Controls 61 Business Alignment The IT planning efforts need to be integrated with the

IT General Controls 54

IT General Controls 107

COBIT DSS 02.04 – Incident Management

Management Practice: DSS02.04 Investigate, diagnose and allocate incidents. Identify and record incident symptoms, determine possible causes, and allocate for resolution.

Inputs:

• From BAI07.07: Supplemental support plan

Outputs:

• Incident symptoms (to: Internal)
• Problem log (to: DSS03.01)

Activities:

• Identify and describe relevant symptoms to establish the most probable causes of the incidents. Reference available knowledge resources (including known errors and problems) to identify possible incident resolutions (temporary workarounds and/or permanent solutions).
• If a related problem or known error does not already exist and if the incident satisfies agreed-on criteria for problem registration, log a new problem.
• Assign incidents to specialist functions if deeper expertise is needed, and engage the appropriate level of management, where and if needed.


COBIT DSS 02.04 – Incident Management

Management Practice: DSS02.05 Resolve and recover from incidents. Document, apply and test the identified solutions or workarounds and perform recovery actions to restore the IT-related service.

Inputs:

• From APO12.06: Risk-related incident response plans
• From DSS03.03: Known error records
• From DSS03.04: Communication of knowledge learned

Outputs:

• Incident resolutions (to: DSS03.04)

Activities:

• Select and apply the most appropriate incident resolutions (temporary workaround and/or permanent solution).
• Record whether workarounds were used for incident resolution.
• Perform recovery actions, if required.
• Document incident resolution and assess if the resolution can be used as a future knowledge source.


Incident Management

A policy exists that defines the functions for handling all calls, reported incidents, service requests and information demands, and it is reviewed and approved at least once every two years or as needed.

A process exists for managing Service Desk operations and is documented and defines:

• capturing information to determine priority

• the activities for routing tickets

• restoring normal service operation in a timely manner

• minimizing the impact on business operations


Things to Look for….

Incidents are logged and assigned a priority

Resources allocated to incidents

Changes use the change management process

Statistics are reported to management


System Development Life Cycle

Methodology

• Helps ensure that the development of an application or system occurs in a formal and controlled manner

Development

• Provides a method for implementing controls during the development of the system, rather than retrofitting the system with the necessary controls after it is in the production environment


SDLC - Definition

The system development life cycle (or Solution Delivery Methodology – SDM) is the process:

• used to convert a management need into an application system
• which is custom-developed or purchased, or a combination of both
• involving multiple stages (from feasibility through carrying out post implementation)


Risk Definition

The potential that a given threat will exploit vulnerabilities of an asset or group of assets to cause loss or damage to the assets.


Areas of Focus

Governance:

• Business & IT Alignment
• Project Management
• Organizational Change Management

Tactical:

• IT Solution Readiness
• Post Implementation


Project Risks – High Level Risks

Market

• Disruption of service
• Competitive advantage
• Brand image

Financial

• Loss of revenue
• Loss of ROI
• Loss of shareholders / investors
• Regulatory compliance fines

Technology

• Facility closure
• Facility damage
• System unavailable

People

• Loss of business experts
• Loss of IT people
• Inexperienced people


Business Investments

Businesses invest heavily in IT Projects to:

• Enable business process efficiencies in order to save money
• Automate key processes and controls
• Manage risk
• Meet regulatory and legal requirements
• Enable new business models and allow the company to enter new markets
• Many other reasons…


Why Audit IT Projects?

• Identification of key risks early on in the project
• Add value by evaluating the effectiveness of risk management on both IT and Organizational aspects
• Offer an independent assessment on whether the project has reached stated objectives


Business & IT Alignment

Business Strategy / IT Strategy: the vision & objectives of both IT and the business are understood and in harmony.

The project is in line with the strategy of the organization.

Alignment is maintained throughout the project.


Types of Project Engagements

• Methodology Assessment
• Project Risk Assessment
• Readiness Assessment
• Key Phase Review
• Post-Implementation Review
• Advisory Services


Methodology Assessment

Why: Determine if a methodology exists, is complete and meets the needs of the organization

When: Anytime, preferably before any detailed project reviews are conducted

How: Coordinate with the PMO, research PM best practices, review the history of PM problems