oiac it audit wo cartoons
Description: Risk Management / Audit Life Cycle
Office of Internal Audit and Compliance
IT Auditing Overview
CIO Advisory Council Meeting, Spring 2011 - Savannah, Ga.
Session Guide
• Erwin (Chris) L. Carrow, IT Audit Director; M.Div., MSIS, CISSP, INFOSEC, CCAI, CCNP, CCSP, CQS, CCNA, LCP, LCI, OCM, MCSE, MCP+I, LSS Green Belt, etc. (Alphabet soup – who cares?!)
Board of Regents, University System of Georgia, Office of Internal Audit and Compliance
270 Washington Street S.W., Ste. 7087, Atlanta, GA 30334
(404) 657-9890 Office, (678) 644-3526 Cell, (404) 463-0699 Fax
Email: [email protected], [email protected], [email protected]
http://www.linkedin.com/in/thebishop
Twitter: @ecarrow
Skype: erwin.louis.carrow
2
Session Agenda (22 Slides – unless additional needs for clarity)
• Quick Overview – Audit Methodology (slides 1-15)
• Assessment Lifecycle & Applying Controls (slides 16-18)
• Overview & Summary (slides 19-22)
______________________________________________________________
• Terminology & Context of Security Implementation (slides 23-27)
– Securing Business Functions
– Governance
– Business Function Characteristics
– Vertical (B2S) and Horizontal (B2B) Relationship
• Risk Identification & Reconciliation (slides 28-34)
– Business Impact Analysis
– Risk Assessment Process
– Risk Analysis Methodology
• Categories and Types (slides 35-37)
– Risk – Enterprise Risk Management (BIA, RA, ERM)
– Information, Information Systems, & Users
• Controls Framework (slides 38-44)
– Types of Controls, Skill Sets, and Resources
– Criteria: Maturity of Controls to Support Outcomes
– Procedures: Operational Tasks to Implement and Support Controls (low-level)
• Example: Identity Management (COBIT, CMMI, & NIST) (slides 45-55)
3
Key Takeaways
• Understand OIAC requirements and how the IT audit function applies its framework for assessing controls that compensate for high impact / high probability risks.
• Provide a high-level overview of how the framework applies to institutional and agency audits / consulting.
• Provide resources for review & dialogue
4
Quick Overview – Audit Methodology
5
Why We Audit – Mission & Charter
• “Internal auditing provides independent and objective assurance and consulting services to the Board of Regents (Board), the Chancellor, and institution leadership in order to add value and improve operations. The internal audit activity helps the University System Office (USO) and USG institutions accomplish their objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of governance, risk management, compliance, and internal control processes.”
– Internal Audit Charter approved by the Board of Regents
*(underline added)
6
Types of Audits – Federal, State, Campus, and Board of Regents
• Federal Auditors
– Rely on work of state auditors
– May focus on federal compliance (FISMA, FERPA, HIPAA, etc.), financial aid, and federal grants management
• State Auditors – Financial and Performance
– Financial / Operational auditors – external auditors validating internal controls and the AFR
– Performance auditors – external auditors focused on a specific system-wide process or policy issue
• Campus Auditors
– Varies by campus
– Generally focused on departmental reviews
– Report to institution President and USO Chief Audit Officer
• Board of Regents Auditors
– Shoot the gaps that other agencies do not address and engage with specific BOR or Legislative concerns
The Audit Selection Process: OIAC Risk Assessment & Planning Process
(The “Why Us Syndrome and What We Audit?”)
• OIAC’s Risk Assessment process
– Quantitative Data: previous findings, financials, etc.
– Qualitative Data: surveys, interviews, trends, etc.
– Quarterly review and assessment versus annual approach, to be proactive
• Rolling Audit Plan
– Designed to ensure coverage of institutions with high risk
– Also designed to ensure OIAC coverage at all USG institutions at least once every 3-4 years
– Specifies institution and broad categories in which to audit
– May also incorporate consulting engagements and other special projects
Overall Engagement Plan – Summary of Process
• Top Down methodology for the auditing assessment
– Risk based: High Impact / High Probability – 32 different influencers
– Business Goals to Standards and Practices
– Business Function critical component identification
– Leadership (administrator) to Technician or Staff member (end user)
– Assess Requirements, Resources, and Processes
• The approach focused on key business functions and their associated Business Goals and Objectives as they relate to the assessed entities.
• Once identified and agreed upon for each business function, the key associated requirements, resources, and processes were identified and assessed to determine if high or critical risk is being managed.
• Focus was upon Control Practices and Responsibility / Accountability associated with key activities, with an expected CMMI level 3 criteria for High Risk Critical processes.
9
Methodology, Scope, & Criteria
• Standards for the Methodology
– Institute of Internal Auditors (IIA - www.theiia.org)
– Information Systems Audit & Control Association (ISACA - www.isaca.org)
• Scope of Application: Area of Emphasis (Entity or Process)
– Usually focused on institution-wide processes, e.g., data classification, IT services, NOC, incident response / emergency planning, strategic planning, change management, etc.
• Determine what areas of High Risk or Critical Systems exist for the assessed entities at the institution
– Risk Analysis (OIAC) & Preliminary Assessment with Institution
– Prior Coordination / Business Impact Analysis / Risk Assessment – Information request list, based upon audited entities
– Analysis of information provided from pre-audit phase
• Scope of Execution: Area of Emphasis (Entity or Process)
– Business Functions (High Critical Risk)
• Examples: IAM: Identity and Access Control Management & NETSEC: Perimeter & Network Security
– Will incorporate recommended focus areas from institutional leadership
– Scope can change during the course of an audit if warranted
• CMMI Criteria level 3: Process is Defined & Documented and periodically Evaluated
10
Those Involved in Areas Reviewed & Priority of Emphasis (# Personnel – # Meetings)
• Information Technology Department (High)
• Administrative Units (Medium)
• Auxiliaries (Low)
• Academic Units (Limited)
11
Summary for Plan of Action
During the engagement we …
• Gather Information / Evidence – related to implementation of controls to address High Impact / High Probability risk
– Interviews with key personnel (Business Owner, Trustees, & Stewards)
– Test and Validate Objectives
• Information – Information systems
• Direct observation & dialogue
• Document initial analysis (informal)
• Dialogue and gain Confirmation of Observations (validation)
• Dialogue and gain Common Understanding of Exceptions and Issues
• Identify Issues to Key Shareholders / Leadership and discuss Solutions
• Up until the final report is completed, dialogue will continue with the audited entity regarding issues (objections are welcome – it is your right!)
12
The Process We Follow – From Notification to Reporting
• 1st Phase: Pre-Campus Work (Preparatory Efforts)
– Announcement / Notification Letter, sent to President upon rolling audit plan approval (specific 5-month period during which the audit will be conducted)
– Preliminary Survey – Brief visit on campus, approx. 60 days prior to start of audit
– Engagement Letter – Sent to President approx. 30 days prior to start of audit
– Data Collection – Initial interviews, data requests, network scans may take place prior to arrival on campus – the more we get ahead of time the less time we have to spend onsite
• 2nd Phase: On-Campus Fieldwork (Evidence Gathering Phase)
– Initiated with Entrance Conference (“Line in the Sand”)
– Scope of work may expand / contract
– Campus POC kept informed on audit progress and issues (daily)
– End of field work review: a meeting conducted at close of work summarizing initial results and implications
• 3rd Phase: Post-Campus Work (Documentation & Publication Phase)
– Draft Report prepared and sent as discussion document
– Exit Conference held either in person or via phone / video conference
– Official Draft Report sent requiring response from institution
– Institution’s response incorporated in report
– Report published and distributed
13
Summary of Engagement Flow Timeframes
[Timeline figure: Rolling Risk Assessment & Notification (three times per year) → Audit Letter with data request sent – preliminary assessment → Preliminary Survey onsite with Senior Leadership (60 Days) → Entrance meeting & field work → End of field work meeting w/ Key Shareholders → Discussion Draft Report Sent → Exit Conference w/ Key Leadership → Official Draft Sent → Draft with responses returned → Final Report with responses issued → Action items reviewed quarterly. Intervals shown on the figure: 30 Days, 1 Wk, 1-2 Wks, 2 to 4 Wks, 4-6 Wks, 90 Days.]
14
Assessment Results / Reporting
15
Assessment Lifecycle & Applying of Controls
16
Assessment Life Cycle?
17
“Life Cycle” of Security & Process Provisioning
18
Overview & Summary
19
Putting it all together…
20
Thank You for Your Patience & Participation - Any Questions?
• Understand OIAC requirements and how the IT audit function applies its framework for assessing controls that compensate for high impact / high probability risks.
• Provide a high-level overview of how the framework applies to institutional and agency audits / consulting.
• Provide resources for review & dialogue
21
Helpful Resources
• CIS Benchmarks – http://www.cisecurity.org/benchmarks.html
• IIA – www.theiia.org
• ISACA – www.isaca.org
• ISC(2) – www.isc2.org
• ISO – www.iso.org
• ITGI – www.itgi.org
• NIST – csrc.nist.gov
• NSA – www.nsa.gov
• IASE – iase.disa.mil
• Web App Consortium – www.webappsec.org
• EDUCAUSE – educause.edu/security
• Univ. Austin Texas Sec. – security.utexas.edu
• Univ. Cornell Sec. – www.cit.cornell.edu/security
• Virginia Tech Sec. – security.vt.edu
• Ga. Tech Info Sec. Center – www.gtisc.gatech.edu
22
Terminology & Context of the Audit Implementation
23
Securing Business Events
• It still comes down to … Business event Needs and Outcomes
– Goals or Objectives – Vision, Mission, & Operations
– Rules and Requirements
• Identifying critical business functions
– Support Infrastructure: Finance and Accounting, Human Resources, Facilities, Services, other administrative functions or departments
– Production Infrastructure: those folks who actually make the widgets (Instruction)!
• Identify the departments and who the key personnel are, e.g., Business owners, Trustees and Stewards
• Identify the vertical (B2S – dependent) and horizontal (B2B – interdependent) relationships that potentially introduce risk (IT Governance)
• Identify the systems that support business functions
• Categories and type of information and information systems
• Answer the question … “How are the people and systems integrated into the business process?”
• Answer the question … “What internal controls exist or need to be implemented to mitigate risk?”
24
Governance Interdependencies & Value Drivers
Control Objectives for Information and related Technology (COBIT®)
25
Control Objectives for Information and related Technology (COBIT®)
Business Functions and Characteristics
26
Governance: Business to Stewardship (B2S) versus Business to Business (B2B)
27
Risk Identification & Reconciliation
28
Audit Risk Life Cycle Variables
29
Standards of Application
• Industry Standards / Frameworks
– COBIT 4.1 (Control Objectives for Information and related Technology)
– NIST (National Institute of Standards and Technology)
– ISO 17799/27001 (International Organization for Standardization)
– ITIL (Information Technology Infrastructure Library)
• Compliance and Regulatory Requirements (FISMA, FERPA, HIPAA, PCI, SOX, SCADA, etc.)
• Board of Regents Standards
– Board of Regents Policy
– ITS Security Guidelines
– Business Process Manual
• Institutions’ Local Policies and Procedures
NOT PERSONAL OPINION OR PREFERENCES!!!!!
30
Business Impact Analysis
Must understand …
• Business goals and requirements
• Internal and external relationships
• What resources are involved
• Who is in charge and what interdependencies exist
• Vision (Strategic), Mission (Tactical), Objectives (Operational) factors for success
• KPIs: What are the Key Performance / Process Indicators?
• What distinctions and outcomes exist for each stage
• What is the scope of probability / impact (Beware “Chicken Little” effect)
• What expectations exist for each key shareholder
Source: Certified Information Systems Auditor (Study Guide), Cannon, Bergmann, & Pamplin
31
Assessing for Risk …
Risk assessment evaluates components of information, information system security and compliance as they relate to the business function
• Assess → Mitigate / Monitor → Re-Assess
• Ongoing risk management program must be in place
• Business owner or key shareholder must own the process
• Establish a standard for considering and negotiating risk
• Annual (periodic) risk assessment deliverable with recommendations for corrective action
• Clearly define and document accepted risk – someone needs to sign off on the responsibility
32
Risk Mitigation
Once risks are identified, they must be mitigated via internal controls.
Internal Controls: a practice approved by management to mitigate risk or produce a desired outcome in a business process for implementing and enforcing information security and compliance
• Design
• Document
• Implement
• Document and retain artifacts. Test the controls prior to implementation to validate expectations
• Monitor results
• Re-test controls periodically
33
Re-Assess Risks
Risk Assessments are an on-going exercise:
• Track mitigation strategies: did they work?
• What “Framework(s)” are being applied?
• Is there an identifiable “Structure” in place, e.g., risk management program?
• Is the “Methodology” recognizable, e.g., documented and not arbitrary?
• Are you using tools to monitor, manage, and validate the associated processes?
• Test / re-test controls (design and effectiveness)
• Document test results, corrective actions, changes in business needs / requirements.
Source: Certified Information Systems Auditor (Study Guide), Cannon, Bergmann, & Pamplin
34
Categories and Types
35
Risk Categories and Types?
Determine how the categories of risk may or may not apply:
Risk Types
• Strategic: Affects the entity’s ability to achieve goals and objectives
• Compliance: Affects compliance with laws and regulations, safety and environmental issues, litigation, conflicts of interest, etc.
• Reputational: Affects reputation, public perception, political issues, etc.
• Financial: Affects loss of assets, technology, etc.
• Operational: Affects on-going management processes and procedures
Risk Management Process
• Agreed upon methodology to assess priorities (BIA, RA, ERM)
• Consistency and agreement in identification of risks
• Focus upon high probability / high impact risk
• Types and classification – Information, Systems, & People
36
Information & Information System Users (Internal & External) Categories and Types?
• What type of information, on which systems, is being accessed by which users?
– Public, administrative, sensitive, confidential
– Internal: Administrative, Managerial, Informational
– External: General Public or Specific Target group
• What level of access and authorization to the information is being provided to those types of users?
• Is the risk being managed with effective controls?
• People who use or interact with the Information include: Share Holders / Owners / Management, Employees & Business Partners, Service providers / Contractors / Customers / Clients, Regulators, etc.
37
Controls Framework
38
Control Objectives for Information and related Technology (COBIT)
• Developed by the ITGI (Current v4.1 / 5.0) – https://www.isaca.org/
• Value of IT, Risk, and Control
• Links IT service delivery to business requirements (already defined, right?)
• A lifecycle; constantly adapting, improving, re-adapting
• Four Responsibility Domains:
– Plan and Organize (PO)
– Acquire and Implement (AI)
– Deliver and Support (DS)
– Monitor and Evaluate (ME)
• Make a grocery list of needs and then go shopping
39
Audit Program Design
40
Audit Controls Definition
Audit Controls & Assessment
• Provides a roadmap to the auditor on which areas to focus audit steps (assess controls)
– Preventive: controls to stop the problem from occurring
– Detective: controls to find the problem
– Corrective: controls to repair the problem after detection
– Administrative: policies, standards, guidelines, & procedures
– Technical: controls using hardware or software for processing & analysis
– Physical: controls to implement barriers or deterrents
• Based upon industry standards, requirements, & practices
• Build list of high level objectives and outcomes to address risks associated with audited entity
41
Common Maturity Model Integrated (CMMI)
– Variants of the CMMI: CMM & ISO 15504
– Identifies WHERE you are at in the application of IT risk mitigation controls and HOW to get to the next level
– Levels of Application
• Level 0: No Recognizable Process, though one is needed
• Level 1: Process is Ad-hoc and performed by key individuals
• Level 2: Process is Repeatable, but not controlled
• Level 3: Process is Defined & Documented and periodically Evaluated
• Level 4: Managed & Measurable; effective Internal Controls with Risk Management
• Level 5: Optimized Enterprise-wide risk and control program
42
Engagement: Application of Standards
• Assessment Standards & Identification – Create assessment program (pre-engagement)
• Identify risk & criteria
• Identify audit resources, skill sets, & personnel
• Develop information requirements for requests
– Share expectations and objectives with institution
• Gather Information / Evidence
– Assess Controls: Strengths / Weaknesses (during engagement) [validate assurance or identify vulnerabilities / exploitation]
– Calculate Level of Control criteria being applied (CMMI)
• Analysis to Determine if Compliant with Standards
• Document Variances or Exceptions / Issues [potential issues]
• Report Per Charter Requirements (Ratings)
43
Controls Development & Implementation
44
Example: Controls Mapping
45
Framework for Information & System Security
IAM Example: Entity to be Assessed for Risk
• IAM: Identity and Access Control Management
– Identity Management: the management of user credentials and the means by which users might log onto and use various systems or resources, e.g., the provisioning and de-provisioning of student, faculty, staff, and outside agency identities
– Access Control: the mechanisms in place to permit or deny the use of a particular resource by a particular entity, e.g., technical or administrative controls to allow or deny access to file shares
46
Users Involved in Business Functions and Types of Information and Systems?
(Provisioning of High Risk or Critical Information)
• Business Functional responsibility for assigning “Rights & Permissions” to various roles within the organization
– Business Owner: Responsible for the provisioning and delegation of the processes or functions and associated privileges, e.g., Payroll, Finance, HR, etc.
– Trustees: Responsible to maintain trust granted by Business owner, e.g., “Worker Bees” in the associated departments that conduct day to day operations
– Stewards: Responsible to service and support the business function; typically provide a technical system or infrastructure to facilitate business needs, e.g., Information Technology Services, etc.
– Audience: What / Who the use of the information is intended for.
– B2S versus B2B: Vertical and horizontal relationships (IT Governance)
• Types of Information (classification) per organization or agency
– Unrestricted / Public: No consequence; typically general information
– Sensitive: typically references legal or externally imposed constraints that require this restriction
– Confidential: highest level of restriction; applies to the risk or harm that may result from disclosure or inappropriate use, e.g., FERPA, HIPAA, etc.
• Types of Information Systems to support information exchange
– Infrastructure and architecture to support business driven events
– Classification and type (comparable to the information being managed)
– Supply Chain Management (SCM), Enterprise Resource Planning (ERP), Customer Resource Management (CRM), Business Intelligence (BI), basic communications, etc.
• Determine scope of assessment and entities (people, application systems, & information) to be assessed
47
Example Associated Key Process – Ecommerce, e.g., One Card System
• COBIT high level framework for controls relating to the Ecommerce systems
– Plan and Organize (PO) — Provides direction to solution delivery (AI) and service delivery (DS): PO1, PO4, PO5, PO6, PO8, PO9, PO10, and PO11
– Acquire and Implement (AI) — Provides the solutions and passes them to be turned into services: AI5 and AI4
– Deliver and Support (DS) — Receives the solutions and makes them usable for end users: DS1, DS5 and DS11
• Map the requirements to your preferred checklist, e.g., NIST or ISO
• Requirements for Ecommerce Complement other Processes
– Less work required for other system implementations
– No duplication of effort if requirements are properly addressed
• Identity Management applies to many other process requirements, e.g., Applications, Operating Systems, and Databases
48
Example: Identity and Access Control Management (IAM)
COBIT 4.1 DS5.3 Identity Management
• Ensure that all users (internal, external and temporary) and their activity on IT systems (business application, IT environment, system operations, development and maintenance) are uniquely identifiable. Enable user identities via authentication mechanisms.
• Confirm that user access rights to systems and data are in line with defined and documented business needs and that job requirements are attached to user identities.
• Ensure that user access rights are requested by user management, approved by system owners and implemented by the security-responsible person.
• Maintain user identities and access rights in a central repository.
• Deploy cost-effective technical and procedural measures, and keep them current to establish user identification, implement authentication and enforce access rights.
49
Example: Identity and Access Control Management (IAM)
Logical Didactic Approach – DS5.3 Identity Management (How it is Evaluated)
• Control over the IT process of Ensure systems security that satisfies the business requirement for IT of maintaining the integrity of information and processing infrastructure and minimizing the impact of security vulnerabilities and incidents
• By focusing on
– defining IT security policies, plans and procedures, and monitoring, detecting, reporting and resolving security vulnerabilities and incidents
• Is achieved by
– Understanding security requirements, vulnerabilities and threats
– Managing user identities and authorizations in a standardized manner
– Testing security regularly
• And is measured by
– Number of incidents damaging the organization's reputation with the public
– Number of systems where security requirements are not met
– Number of violations in segregation of duties
50
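As an added illustration, not part of the original slides, the DS5.3 criteria on slide 49 and the DS5 measures listed on slide 50 (number of segregation-of-duties violations, number of systems where security requirements are not met) can be checked mechanically against an access-rights register such as an auditor would request during fieldwork. The field names, the role catalog and the sample register below are assumptions constructed for this example:

```python
"""Added example (not from the slides): checks a constructed access-rights
register against the COBIT 4.1 DS5.3 Identity Management criteria quoted above
and derives the DS5 measures named on the slides (segregation-of-duties
violations, systems where security requirements are not met). Field names,
the role catalog and every sample record are assumptions."""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessGrant:
    user_id: str           # account identity on the system
    person: str            # the individual behind the account
    user_type: str         # internal / external / temporary (DS5.3 scope)
    system: str
    role: str
    requested_by: str      # user management
    approved_by: str       # system owner
    implemented_by: str    # security-responsible person
    in_central_repo: bool  # identity held in the central repository?
    business_need: str     # documented justification; empty string if none

# Assumed documented role-to-system entitlements: the "defined and documented
# business needs" that DS5.3 says access rights must line up with.
ROLE_CATALOG = {
    ("Payroll", "payroll_clerk"), ("Payroll", "payroll_manager"),
    ("OneCard", "card_ops"), ("HR", "hr_generalist"), ("LMS", "instructor"),
}

# Per-grant DS5.3 checks: (issue label, predicate that is True when it fails).
SOD = "segregation of duties"
CHECKS = [
    # requester, approver and implementer must be three different parties
    (SOD, lambda g: len({g.requested_by, g.approved_by, g.implemented_by}) < 3),
    ("no documented business need / role",
     lambda g: not g.business_need.strip() or (g.system, g.role) not in ROLE_CATALOG),
    ("identity not in central repository", lambda g: not g.in_central_repo),
]

def shared_identities(grants):
    """user_ids used by more than one person: not 'uniquely identifiable'."""
    persons = defaultdict(set)
    for g in grants:
        persons[g.user_id].add(g.person)
    return sorted(uid for uid, who in persons.items() if len(who) > 1)

def findings(grants):
    """One (user_id, system, issue) tuple per exception: the audit workpaper."""
    shared = set(shared_identities(grants))
    out = [(g.user_id, g.system, "identity shared by several persons")
           for g in grants if g.user_id in shared]
    out += [(g.user_id, g.system, issue)
            for g in grants for issue, failed in CHECKS if failed(g)]
    return out

def ds5_measures(grants):
    """The DS5 measures from the slide plus the per-criterion DS5.3 counts."""
    found = findings(grants)
    by_issue = Counter(issue for _, _, issue in found)
    return {
        "sod_violations": by_issue[SOD],
        "systems_not_meeting_requirements": len({s for _, s, _ in found}),
        "shared_identities": len(shared_identities(grants)),
        "grants_without_documented_need": by_issue["no documented business need / role"],
        "grants_outside_central_repository": by_issue["identity not in central repository"],
    }

# Constructed sample register (assumption; nothing here comes from the deck).
SAMPLE_GRANTS = [
    AccessGrant("u1002", "B. Brown", "internal", "Payroll", "payroll_manager",
                "mgr.finance", "mgr.finance", "sec.admin", True, "Approves payroll runs"),
    AccessGrant("u2001", "C. Cruz", "external", "OneCard", "card_ops",
                "mgr.auxiliary", "owner.onecard", "owner.onecard", True, "Vendor support"),
    AccessGrant("t3001", "D. Diaz", "temporary", "HR", "hr_generalist",
                "mgr.hr", "owner.hr", "sec.admin", False, "Summer temp"),
    AccessGrant("u1003", "E. Evans", "internal", "Payroll", "db_admin",
                "mgr.finance", "owner.payroll", "sec.admin", True, ""),
    AccessGrant("shared_hr", "F. Fox", "internal", "HR", "hr_generalist",
                "mgr.hr", "owner.hr", "sec.admin", True, "Shared HR desk"),
    AccessGrant("shared_hr", "G. Gray", "internal", "HR", "hr_generalist",
                "mgr.hr", "owner.hr", "sec.admin", True, "Shared HR desk"),
    AccessGrant("u4001", "H. Hill", "internal", "LMS", "instructor",
                "mgr.academic", "owner.lms", "sec.admin", True, "Teaches courses"),
]

if __name__ == "__main__":
    print(ds5_measures(SAMPLE_GRANTS))
```

Only the LMS grant passes every check; the three other systems each carry at least one exception, which is what the "systems where security requirements are not met" measure counts.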
How to Measure Success? Maturity Model – CMMI DS5 Snapshot (Criteria)
DS5 Ensure Systems Security - Management of the process of Ensure systems security that satisfies the business requirements for IT of maintaining the integrity of information and processing infrastructure and minimizing the impact of security vulnerabilities and incidents is:
0 Non-existent when The organization does not recognize the need for IT security. Responsibilities and accountabilities are not assigned … There is a complete lack of a recognizable system security administration process.
1 Initial/Ad Hoc when The organization recognizes the need for IT security. Awareness of the need for security depends primarily on the individual. IT security is addressed on a reactive basis. IT security is not measured. Detected IT security breaches invoke finger-pointing responses, … to IT security breaches are unpredictable.
2 Repeatable but Intuitive when Responsibilities and accountabilities for IT security are assigned to an IT security …, although the management authority ... Awareness of the need for security is fragmented and limited. Although security-relevant information …, it is not analyzed. IT security is seen primarily as the responsibility and domain of IT and the business does not see IT security as within its domain.
3 Defined when Security awareness exists and is promoted by management. IT security procedures are defined and aligned with IT security policy. Responsibilities for IT security are assigned and understood, but not consistently enforced. An IT security plan and security solutions exist as driven by risk analysis. Reporting on security does not contain a clear business focus. Ad hoc security testing (e.g., intrusion testing) is performed. Security training is available for IT and the business, but is only informally scheduled and managed.
4 Managed and Measurable when Responsibilities for IT security are clearly assigned, managed and enforced. IT security risk and impact analysis is consistently performed. Security policies and procedures are completed with specific security baselines. .... User identification, authentication and authorization are standardized. Security certification is pursued for staff members ... . Security testing is completed using standard and formalized processes, leading to improvements of security levels. …. IT security reporting is linked to business objectives. IT security training is conducted …. IT security training is planned and managed in a manner that responds to business needs and defined security risk profiles. Goals and metrics for security management have been defined but are not yet measured.
5 Optimized when IT security is a joint responsibility of business and IT management and is integrated with corporate security business objectives. IT security requirements are clearly defined, optimized and included in an approved security plan. Users and customers are increasingly accountable for defining security requirements, and security functions are integrated with applications at the design stage. Security incidents are promptly addressed with formalized incident response procedures supported by automated tools. Periodic security assessments are conducted to evaluate the effectiveness of the implementation of the security plan. Information on threats and vulnerabilities is systematically collected and analyzed. Adequate controls to mitigate risks are promptly communicated ….
51
COBIT 4.01 Standards to NIST Mapping – Integration with other Standards (Alignment of IT Controls to Mitigate Risk)
52
NIST 800-53, Revision 1 Standards
Terminology and Application
53
Audit Program Development Life-Cycle
54
COBIT Mappings
Others besides NIST are currently posted at www.isaca.org/downloads:
• Aligning COBIT, ITIL and ISO 17799 for Business Benefit
• COBIT® Mapping: Mapping of CMMI for Development
• COBIT® Mapping: Mapping of ISO/IEC 17799:2000
• COBIT® Mapping: Mapping of ISO/IEC 17799:2005
• COBIT® Mapping: Mapping of ITIL
• COBIT® Mapping: Mapping of PMBOK
• COBIT® Mapping: Mapping of PRINCE2
• COBIT® Mapping: Mapping of SEI’s CMM for Software
• COBIT® Mapping: Mapping of TOGAF 8.1
• COBIT® Mapping: Overview of International IT Guidance
55