2004 San Francisco ISACA Fall Conference Session S23 Use of COBIT as a Risk Management & Audit Framework for Access Compliance Presented on October 5, 2004 by Lance M. Turcato, CISM, CISA, CPA


Page 1

2004 San Francisco ISACA Fall Conference

Session S23: Use of COBIT as a Risk Management & Audit Framework for Access Compliance

Presented on October 5, 2004 by Lance M. Turcato, CISM, CISA, CPA

Page 2

Speaker

Lance M. Turcato, CISM, CISA, CPA
Managing Director - Access Assessment & Policy Compliance
Information Security Administration
Charles Schwab & Co., Inc.

Email: [email protected]
Phone: 602-977-4376

Page 3

Guest Speaker

Marta O'Shea, CISA
Senior Manager - Technology Infrastructure & Security Oversight
Internal Audit Department
Charles Schwab & Co., Inc.

Email: [email protected]
Phone: 415-636-7348

Page 4

Audience Poll

COBIT Knowledge
- First exposure?
- General understanding?
- Strong knowledge of COBIT framework?

Current Users of COBIT
- Incorporated into audit process?
- Adopted by IT management?
- Users of a framework other than COBIT?

Page 5

Agenda (Page - Topic)

Overview of COBIT Framework
- 6 - COBIT Mission, Objectives, Scope, & Components
- 7 - COBIT Role In IT Governance
- 8 - COBIT Family
- 9 - Framework
- 17 - Control Objectives
- 26 - Audit Guidelines
- 30 - Management Guidelines

COBIT As An Audit Framework
- 40 - Process for Implementing COBIT
- 47 - Audit Approach Overview

COBIT As A Risk Framework For Information Security
- 60 - Defining Security Requirements
- 63 - Measuring Security & Assessing Risk
- 70 - Available Tools

Page 6

Overview of COBIT Framework

Source of information: IT Governance Institute (http://www.itgi.org/)

Page 7

COBIT's Mission, Scope & Objectives

Mission: "To research, develop, publicize and promote an authoritative, up-to-date, international set of generally accepted Information Technology Control Objectives for day-to-day use by business managers and auditors."

Scope & Objectives:
- Generally applicable and accepted international standard for good practice for Information Technology controls
- For application to enterprise-wide information systems, regardless of technology employed (generic)
- Focused on business requirements for information
- Management (business process owner) oriented
- Based on IT Governance Institute Control Objectives: aligned with the de jure and de facto standards and regulations, and based on critical review of tasks and activities or function

Page 8

COBIT's Role In IT Governance

IT Governance Framework (diagram labels): IT Management; Sets Measurable Goals; Deliver Against Goals; Measure Performance; Compare Results; Address Gaps; Apply Consistent Control Framework; Internal Audit.

Page 9

COBIT Family - 3rd Edition

- "There is a Method..."
- "The Method Is..."
- "Minimum Controls Are..."
- "Here's How You Audit..."
- "Here's How You Measure Your Performance..."
- "Here's How You Implement..."

Page 10

COBIT - Pieces of The Puzzle

Components: Executive Summary, Framework, Control Objectives, Audit Guidelines, Management Guidelines, Implementation Tool Set.

- Executive Summary - Senior Executives (CEO, CIO). Provides awareness on key concepts for Senior Management.
- Framework - Senior Operational Management (Directors of IT and IS Audit / Controls). Describes 34 high-level objectives.
- Control Objectives - Middle Management (Mid-Level IT Management and IS Audit/Controls Managers / Seniors). Statements of desired results by implementing 318 specific control objectives.
- Audit Guidelines - Line Management and Controls Practitioner (Applications or Operations Manager and Auditor). Suggested audit procedures.
- Management Guidelines - Senior Operational Management, Director of IS, Mid-Level IT Management and IT Audit / Control Managers. Critical Success Factors, Key Performance Indicators, Key Goal Indicators, Maturity Model.
- Implementation Tool Set - Director of IS and Audit/Control, Mid-Level IS Management and IS Audit/Control Managers. Suggested implementation tools and implementation success stories.

Page 11

Framework

COBIT As An IT Control Framework
- Starts from the premise that IT needs to deliver the information that the enterprise needs to achieve its objectives
- Promotes process focus and process ownership
- Divides IT into 34 processes belonging to four domains (providing a high-level control objective for each process)
- Looks at fiduciary, quality and security needs of enterprises, providing seven information criteria that can be used to generically define what the business requires from IT
- Is supported by a set of over 300 detailed control objectives

IT Domains: Planning; Acquiring & Implementing; Delivery & Support; Monitoring

Information Criteria: Effectiveness; Efficiency; Availability; Integrity; Confidentiality; Reliability; Compliance

Page 12

Framework

COBIT Framework - Components
- IT Domains & Processes
- Information Criteria = Business Requirements
- IT Resources

Diagram (COBIT cube): Business Requirements / Information Criteria (Quality, Fiduciary, Security) on one axis; IT Processes (Domains, Processes, Activities) on the second; IT Resources (People, Application Systems, Data, Technology, Facilities) on the third.

Page 13

Framework

COBIT Domains of Processes & Activities
- Domains: natural grouping of processes, often matching an organizational domain of responsibility.
- Processes: a series of joined activities with natural (control) breaks.
- Activities: actions needed to achieve a measurable result. Activities have a life-cycle whereas tasks are discrete.

Page 14

Framework

Business Requirements = Information Criteria

Quality Requirements: Quality; Cost; Delivery

Fiduciary Requirements (COSO Report): Effectiveness and Efficiency of Operations; Reliability of Financial Reporting; Compliance with Laws and Regulations

Security Requirements: Confidentiality; Integrity; Availability

Page 15

Framework

IT Resources
- Data: data objects in their widest sense (i.e., external and internal, structured and non-structured, graphics, sound, etc.)
- Application Systems: understood to be the sum of manual and programmed procedures.
- Technology: covers hardware, operating systems, database management systems, networking, multimedia, etc.
- Facilities: resources to house and support information systems.
- People: staff skills, awareness and productivity to plan, organize, acquire, deliver, support and monitor information systems and services.

Page 16

Framework

COBIT Framework - Examples

IT Domains: Planning & Organization; Acquisition & Implementation; Delivery & Support; Monitoring

IT Processes: IT strategy; Change Management; Contingency Planning; Problem Management; Policy & Procedures; Feasibility Study; Acceptance Testing; etc.

Activities: record new problem; analyze; propose solution; monitor solution; record known problem; etc.

Page 17

Framework

COBIT Framework Illustrated

COBIT's Golden Rule: "In order to provide the information that the organization needs to achieve its objectives, IT resources need to be managed by a set of naturally grouped processes." - IT Governance Institute

Page 18

Control Objectives

Linking The Processes To Control Objectives (34 High-level and 300+ Detailed Objectives)

COBIT's Waterfall and Navigation Aids linking Process, Resource & Criteria

Waterfall (diagram): The control of IT Processes, which satisfy Business Requirements, is enabled by Control Statements and considers Control Practices.

Navigation aids (diagram): for each process domain (Planning & Organisation, Acquisition & Implementation, Delivery & Support, Monitoring), the information criteria (effectiveness, efficiency, confidentiality, integrity, availability, compliance, reliability) are marked P (primary) or S (secondary), and the IT resources concerned (people, applications, technology, facilities, data) are ticked.

Page 19

Control Objectives

Linking The Processes To Control Objectives (Example)

Control over the IT process of DEFINING A STRATEGIC IT PLAN

that satisfies the business requirement to strike an optimum balance of information technology opportunities and IT business requirements as well as ensuring its further accomplishment

is enabled by a strategic planning process undertaken at regular intervals giving rise to long-term plans; the long-term plans should periodically be translated into operational plans setting clear and concrete short-term goals

and takes into consideration:
- enterprise business strategy
- definition of how IT supports the business objectives
- inventory of technological solutions and current infrastructure
- monitoring the technology markets
- timely feasibility studies and reality checks
- existing systems assessments
- enterprise position on risk, time-to-market, quality
- need for senior management buy-in, support and critical review

Page 20

Control Objectives

COBIT - IT Processes / High-Level Objectives

Planning and Organization
- PO 1 Define a Strategic IT Plan
- PO 2 Define the Information Architecture
- PO 3 Determine Technological Direction
- PO 4 Define the IT Organization and Relationships
- PO 5 Manage the IT Investment
- PO 6 Communicate Management Aims and Direction
- PO 7 Manage Human Resources
- PO 8 Ensure Compliance with External Requirements
- PO 9 Assess Risks
- PO 10 Manage Projects
- PO 11 Manage Quality

Page 21

Control Objectives

COBIT - IT Processes / High-Level Objectives

Acquisition and Implementation
- AI 1 Identify Automated Solutions
- AI 2 Acquire and Maintain Application Software
- AI 3 Acquire and Maintain Technology Infrastructure
- AI 4 Develop and Maintain Procedures
- AI 5 Install and Accredit Systems
- AI 6 Manage Changes

Page 22

Control Objectives

COBIT - IT Processes / High-Level Objectives

Delivery and Support
- DS 1 Define and Manage Service Levels
- DS 2 Manage Third-Party Services
- DS 3 Manage Performance and Capacity
- DS 4 Ensure Continuous Service
- DS 5 Ensure Systems Security
- DS 6 Identify and Allocate Costs
- DS 7 Educate and Train Users
- DS 8 Assist and Advise Customers
- DS 9 Manage the Configuration
- DS 10 Manage Problems and Incidents
- DS 11 Manage Data
- DS 12 Manage Facilities
- DS 13 Manage Operations

Page 23

Control Objectives

COBIT - IT Processes / High-Level Objectives

Monitoring
- M 1 Monitor the Processes
- M 2 Assess Internal Control Adequacy
- M 3 Obtain Independent Assurance
- M 4 Provide for Independent Audit

Page 24

Control Objectives

Example Control Objectives For A Process

DOMAIN: Planning and Organization (PO)

PROCESS (High-level Control Objective): Define a Strategic IT Plan (PO 1)

DETAILED CONTROL OBJECTIVES:
- PO 1.1 IT as Part of the Organization's Long- and Short-Range Plan
- PO 1.2 IT Long-Range Plan
- PO 1.3 IT Long-Range Planning Approach and Structure
- PO 1.4 IT Long-Range Plan Changes
- PO 1.5 Short-Range Planning for the IT Function
- PO 1.6 Communication of IT Plans
- PO 1.7 Monitoring and Evaluating of IT Plans
- PO 1.8 Assessment of Existing Systems

Page 25

Control Objectives

Example Control Objectives For A Process

DEFINE A STRATEGIC INFORMATION TECHNOLOGY PLAN (PO 1)

PO 1.1 - IT as Part of the Organization's Long- and Short-Range Plan

CONTROL OBJECTIVE

Senior management is responsible for developing and implementing long- and short-range plans that fulfill the organization's mission and goals. In this respect, senior management should ensure that IT issues as well as opportunities are adequately assessed and reflected in the organization's long- and short-range plans. IT long- and short-range plans should be developed to help ensure that the use of IT is aligned with the mission and business strategies of the organization.

Page 26

Control Objectives

Summary of COBIT At This Point
- Framework defines a construct for reviewing IT.
- Four domains are identified.
- Within each domain there are processes - 34 total.
- Within each process there are high-level IT control objectives defining controls that should be in place.
- For each of the 34 processes, there are from 3 to 30 detailed IT control objectives (300+ in total).
- IT control objectives are generic and applicable to all environments.
- COBIT is a systematic and logical method for defining and communicating IT control objectives.

Page 27

Audit Guidelines

COBIT Audit Guidelines - Purpose

COBIT provides detailed audit guidelines for each of the 34 IT processes...
- Enables the auditor to review specific IT processes against COBIT's Control Objectives to determine where controls are sufficient or advise management where processes need to be improved.
- Helps process owners answer questions - "Is what I'm doing adequate? And, if not, how do I fix it?"

Page 28

Audit Guidelines

COBIT Audit Guidelines - Objectives

- To provide a simple, generic, and high-level structure for auditing IT controls:
  - based on generally accepted audit practices
  - aligned with the COBIT framework
  - generic for applicability to varying audit objectives and practices
  - providing clear policies and good practices for security and control of information and related technologies
  - enabling the development of specific audit programs or the enhancement of existing programs

- To enable auditors to review IT processes against COBIT's recommended detailed control objectives to provide management assurance and/or advice for improvement

- The Audit Guidelines are NOT intended as:
  - a tool for creating the overall audit plan
  - a tool for providing audit training
  - a solution for audit automation (although there are lots of opportunities)
  - exhaustive or definitive - guidelines will continue to evolve

Page 29

Management Guidelines

COBIT Management Guidelines

COBIT 3rd Edition added a Management and Governance layer, providing management with a toolbox containing...
- A maturity model to assist in benchmarking and decision-making for control over IT
- A list of critical success factors (CSF) that provides succinct non-technical best practices for each IT process
- Generic and action-oriented performance measurement elements (key performance indicators [KPI] and key goal indicators [KGI] - outcome measures and performance drivers for all IT processes)

Purpose...
- IT Control profiling - what is important?
- Awareness - where is the risk?
- Benchmarking - what do others do?

Page 30

Management Guidelines

Maturity Model

Method of scoring the maturity of IT processes... derived from the maturity model defined by the Software Engineering Institute for the maturity of software development.

(Diagram: a maturity scale showing the current rating, Management's Target Goal, and the GAP Analysis (Current vs. Goal) between them.)

Page 31

Management Guidelines

Maturity Model - GENERIC

Generic Maturity Model

0 Non-Existent. Complete lack of any recognisable processes. The organisation has not even recognised that there is an issue to be addressed.

1 Initial. There is evidence that the organisation has recognised that the issues exist and need to be addressed. There are however no standardised processes but instead there are ad hoc approaches that tend to be applied on an individual or case by case basis. The overall approach to management is disorganised.

2 Repeatable. Processes have developed to the stage where similar procedures are followed by different people undertaking the same task. There is no formal training or communication of standard procedures and responsibility is left to the individual. There is a high degree of reliance on the knowledge of individuals and therefore errors are likely.

3 Defined. Procedures have been standardised and documented, and communicated through training. It is however left to the individual to follow these processes, and it is unlikely that deviations will be detected. The procedures themselves are not sophisticated but are the formalisation of existing practices.

4 Managed. It is possible to monitor and measure compliance with procedures and to take action where processes appear not to be working effectively. Processes are under constant improvement and provide good practice. Automation and tools are used in a limited or fragmented way.

5 Optimised. Processes have been refined to a level of best practice, based on the results of continuous improvement and maturity modelling with other organisations. IT is used in an integrated way to automate the workflow, providing tools to improve quality and effectiveness, making the enterprise quick to adapt.

Page 32

Management Guidelines

Maturity Model - PROCESS SPECIFIC

DS5 - Ensure System Security

Rating: 5 - Optimized
Description: IT security is a joint responsibility of business and IT management and is integrated with corporate security business objectives. IT security requirements are clearly defined, optimized and included in a verified security plan. Security functions are integrated with applications at the design stage and end users are increasingly accountable for managing security. IT security reporting provides early warning of changing and emerging risk, using automated active monitoring approaches for critical systems. Incidents are promptly addressed with formalized incident response procedures supported by automated tools. Periodic security assessments evaluate the effectiveness of implementation of the security plan. Information on new threats and vulnerabilities is systematically collected and analyzed, and adequate mitigating controls are promptly communicated and implemented. Intrusion testing, root cause analysis of security incidents and pro-active identification of risk is the basis for continuous improvements. Security processes and technologies are integrated organization wide.

Rating: 4 - Managed
Description: Responsibilities for IT security are clearly assigned, managed and enforced. IT security risk and impact analysis is consistently performed. Security policies and practices are completed with specific security baselines. Security awareness briefings have become mandatory. User identification, authentication and authorization are being standardized. Security certification of staff is being established. Intrusion testing is a standard and formalized process leading to improvements. Cost/benefit analysis, supporting the implementation of security measures, is increasingly being utilized. IT security processes are co-ordinated with the overall organization security function. IT security reporting is linked to business objectives.

Rating: 3 - Defined
Description: Security awareness exists and is promoted by management. Security awareness briefings have been standardized and formalized. IT security procedures are defined and fit into a structure for security policies and procedures. Responsibilities for IT security are assigned, but not consistently enforced. An IT security plan exists, driving risk analysis and security solutions. IT security reporting is IT focused, rather than business focused. Ad hoc intrusion testing is performed.

Rating: 2 - Repeatable
Description: Responsibilities and accountabilities for IT security are assigned to an IT security co-ordinator with no management authority. Security awareness is fragmented and limited. IT security information is generated, but is not analyzed. Security solutions tend to respond reactively to IT security incidents and by adopting third-party offerings, without addressing the specific needs of the organization. Security policies are being developed, but inadequate skills and tools are still being used. IT security reporting is incomplete, misleading or not pertinent.

Rating: 1 - Initial
Description: The organization recognizes the need for IT security, but security awareness depends on the individual. IT security is addressed on a reactive basis and not measured. IT security breaches invoke "finger pointing" responses if detected, because responsibilities are unclear. Responses to IT security breaches are unpredictable.

Rating: 0 - Non-Existent
Description: The organization does not recognize the need for IT security. Responsibilities and accountabilities are not assigned for ensuring security. Measures supporting the management of IT security are not implemented. There is no IT security reporting and no response process to IT security breaches. There is a complete lack of a recognizable system security administration process.
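The maturity scoring and the "Current vs. Goal" gap analysis described on slides 30 to 32 are easy to script once a self-assessment has rated several processes. The block below is an added example, not code from the presentation, from ISACA or from COBIT itself; the generic 0-5 scale and the process titles are taken from the slides, while the `Assessment` class, the `gap_analysis`, `gap_report` and `share_at_target` helpers and the ratings in `SAMPLE` are this example's own constructed sample data.

```python
"""Maturity gap analysis in the style of the COBIT Management Guidelines.

Added example, not part of the presentation. The 0-5 scale and process titles
follow the slides; every rating below is constructed sample data.
"""
from dataclasses import dataclass

# Generic maturity model from slide 31 (0 = worst, 5 = best).
MATURITY_LEVELS = {
    0: "Non-Existent",
    1: "Initial",
    2: "Repeatable",
    3: "Defined",
    4: "Managed",
    5: "Optimized",
}


@dataclass(frozen=True)
class Assessment:
    """One process from a risk self-assessment (hypothetical structure)."""
    process: str   # COBIT process id, e.g. "DS5"
    title: str     # high-level control objective name
    current: int   # maturity rating assessed today
    target: int    # Management's Target Goal

    def __post_init__(self):
        # Reject anything off the 0-5 scale so a rating from a different
        # scale (for example a regulatory 1-5 rating) cannot slip in silently.
        for name, value in (("current", self.current), ("target", self.target)):
            if value not in MATURITY_LEVELS:
                raise ValueError(
                    f"{name} rating {value!r} for {self.process} "
                    "is not on the 0-5 COBIT maturity scale")

    @property
    def gap(self) -> int:
        """Positive when the process is below management's goal."""
        return self.target - self.current


def gap_analysis(assessments):
    """Return the processes below target, largest gap first (ties by id)."""
    below = [a for a in assessments if a.gap > 0]
    return sorted(below, key=lambda a: (-a.gap, a.process))


def gap_report(assessments):
    """Render a 'Current vs. Goal' table as a list of text lines."""
    lines = [f"{'Process':<8}{'Current':<22}{'Goal':<22}Gap"]
    for a in assessments:
        cur = f"{a.current} {MATURITY_LEVELS[a.current]}"
        goal = f"{a.target} {MATURITY_LEVELS[a.target]}"
        lines.append(f"{a.process:<8}{cur:<22}{goal:<22}{a.gap:+d}")
    return lines


def share_at_target(assessments) -> float:
    """KGI-style outcome measure: fraction of processes at or above target."""
    if not assessments:
        return 0.0
    return sum(1 for a in assessments if a.gap <= 0) / len(assessments)


# Constructed self-assessment results (sample data, not from the presentation).
SAMPLE = [
    Assessment("DS5", "Ensure Systems Security", current=2, target=4),
    Assessment("DS4", "Ensure Continuous Service", current=3, target=4),
    Assessment("PO9", "Assess Risks", current=1, target=3),
    Assessment("DS10", "Manage Problems and Incidents", current=4, target=4),
]

if __name__ == "__main__":
    print("\n".join(gap_report(SAMPLE)))
    for a in gap_analysis(SAMPLE):
        print(f"{a.process} {a.title}: raise from {MATURITY_LEVELS[a.current]} "
              f"to {MATURITY_LEVELS[a.target]} (gap {a.gap})")
    print(f"{share_at_target(SAMPLE):.0%} of processes at or above target")
```

Sorting by gap size gives management the prioritised list the slides call "Address Gaps"; the range check in `__post_init__` is there because, as slide 40 notes, other 1-5 rating scales run the opposite way, so a rating should never be accepted without confirming which scale it belongs to.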

Page 33

Management Guidelines

Measuring Success

- Critical Success Factors: What are the most important things to do to increase the probability of success of the process?
  Example: (DS4) Critical infrastructure components are identified and continuously monitored.

- Key Performance Indicators: Measures how well the process is performing.
  Example: (DS4) Number of outstanding continuous service issues not resolved or addressed.

- Key Goal Indicators: Measures whether an IT process achieved its business requirements.
  Examples: (DS4) No incidents causing public embarrassment. Number of critical business processes relying on IT that have adequate continuity plans.

Page 34

Management Guidelines

CSF - Critical Success Factors

Management-oriented IT control implementation guidance: observable, usually measurable, characteristics of the organization and processes.

- Most important things that contribute to the IT process achieving its goal: strategically, technically, organizationally, process or procedure
- Visible and measurable signs of success
- Control Statements and Considerations of the "Waterfall"
- Short, focused and action oriented - focus on obtaining, maintaining and leveraging capability and skills

Page 35

Management Guidelines

KGI - Key Goal Indicators

Measurable indicators of the process achieving its goal.
- Describe the outcome of the process and are therefore "lag" indicators (i.e., measurable after the fact)
- Are indicators of the success of the process, but may be expressed as well in terms of the business contribution, if that contribution is specific to that IT process
- Represent the process goal (i.e., a measure of "what" target to achieve)
- Are IT oriented, but business driven (Business Requirements from "Waterfall")
- Are expressed in precise measurable terms, wherever possible
- Focus on those information criteria that have been identified to be of most importance for the process

Page 36

Management Guidelines

KPI - Key Performance Indicators

Measurable indicators of performance of the enabling factors.
- Are a measure of "how well" the process is performing
- Predict the probability of success or failure in the future (i.e., "LEAD" indicators)
- Are expressed in precise, measurable terms
- How well management leverages / manages the resources needed for the process
- Control Statements & Control Practices from "Waterfall"
- Are process oriented, but IT driven
- Help in improving the IT process

Page 37

Management Guidelines

CSF, KGI, KPI - Examples

Critical Success Factors
- IT performance is measured in financial terms, in relation to customer satisfaction, for process effectiveness and for future capability, and IT management is rewarded based on these measures
- The processes are aligned with the IT strategy and with the business goals; they are scalable and their resources are appropriately managed and leveraged
- Everyone involved in the process is goal focused and has the appropriate information on customers, on internal processes and on the consequences of their decisions
- A business culture is established, encouraging cross-divisional co-operation and teamwork, as well as continuous process improvement
- Control practices are applied to increase transparency, reduce complexity, promote learning, provide flexibility and allow scalability
- Goals and objectives are communicated across all disciplines and are understood
- It is known how to implement and monitor process objectives and who is accountable for process performance
- A continuous process quality improvement effort is applied
- There is clarity on who the customers of the process are
- The required quality of staff (training, transfer of information, morale, etc.) and availability of skills (recruit, retain, re-train) exist

Key Performance Indicators
- System downtime
- Throughput and response times
- Amount of errors and rework
- Number of staff trained in new technology and customer service skills
- Benchmark comparisons
- Number of non-compliance reportings
- Reduction in development and processing time

Key Goal Indicators
- Increased level of service delivery
- Number of customers and cost per customer served
- Availability of systems and services
- Absence of integrity and confidentiality risks
- Cost efficiency of processes and operations
- Confirmation of reliability and effectiveness
- Adherence to development cost and schedule
- Cost efficiency of the process
- Staff productivity and morale
- Number of timely changes to processes and systems
- Improved productivity (e.g., delivery of value per employee)

Page 38

COBIT As An Audit Framework - A Success Story

Additional Information: COBIT Case Study (http://www.itgi.org/casestudy4.htm) (http://www.isaca.org/ctcase27.htm)

Page 39

Process For Implementing COBIT

Integrating COBIT into IT Governance, Risk Management, & Systems Audit Approach:
- Recognize Need
- Educate Senior IT Management
- Map COBIT to FFIEC Examination Guidelines
- Map Audit Universe to COBIT High Level Control Objectives
- Map Annual Audit Plan to COBIT Detailed Level Control Objectives (IT Activities)
- Develop Questionnaire / Joint Risk Self-Assessment
- Facilitate Assessment Work Sessions with Client
- Analyze, Document, Validate Results, Report To Management

Page 40

The Need - Increased Regulatory Focus

Regulatory Ratings: Overall (UFIRS) & IT-Specific (URSIT)

Uniform Financial Institution Rating System (UFIRS) - Composite Score (1-5)
- UFIRS rating reflects institution safety and soundness.
- IT (URSIT) is one of many components evaluated to determine the UFIRS score.

Uniform Rating System for Information Technology (URSIT) - Composite Score (1-5)

URSIT Rating Criteria: 1 = Strong; 2 = Satisfactory; 3 = Less than Satisfactory; 4 = Deficient; 5 = Critically Deficient

Federal Reserve issued SR 99-8 (SUP), March 31, 1999, which references COBIT.

COBIT Maturity Ratings: 0 = Non-Existent; 1 = Initial; 2 = Repeatable; 3 = Defined; 4 = Managed; 5 = Optimized

Note inverted scale: a Fed rating of 5 is deficient and a COBIT rating of 5 is Optimized.

Page 41

Educating Senior IT Management

Encouraging Senior IT Management To Adopt COBIT
- Framework for Risk Self-Assessment (RSA) process
- Emphasize business orientation (NOT audit orientation)
- Emphasize value of self-assessment, performance measurement and benchmarking - provide real examples
- Knowledge that COBIT is based on industry standards with input from many sources
- Resource for regulatory examinations
- During rollout, monitor progress and report on results

Educating IT Management At All Levels
- Executive summary focus for senior management
- Workshops for line management and key technicians
- Integration with the audit process (engagement memos, audit kick-off meetings, work sessions, reporting)

Page 42

Linking COBIT To Other Sources of "Best Practice"

COBIT objectives mapped to relevant FFIEC examination criteria (Illustration Only)

COBIT Ref. | COBIT Domains & Control Objectives | FFIEC Ref. | FFIEC Chapter Title & Relevant Section

PLANNING & ORGANIZATION

PO1 | Define a Strategic IT Plan
1.1 | IT as Part of the Organization's Long- and Short-Range Plan | 10-1 | Corporate Contingency Planning Responsibilities
1.2 | IT Long-Range Plan | 9-6 | Planning
1.3 | IT Long-Range Planning, Approach & Structure | 9-6 | Planning
1.4 | IT Long-Range Plan Changes | 9-6 | Planning
1.5 | Short-Range Planning for the IT Function | 9-6 | Planning
1.6 | Communication of IT Plans | 9-6 | Planning
1.7 | Monitoring & Evaluating of IT Plans | 9-8 | Controls
1.8 | Assessment of Existing Systems | 12-2 | System Development Standards

PO2 | Define the Information Architecture
2.1 | Information Architecture Model
2.2 | Corporate Data Dictionary & Data Syntax Rules
2.3 | Data Classification Scheme
2.4 | Security Levels | 14-1, 14-2 | Security Administration and Accountability; Security Plan

Other considerations: map to relevant ISO standards, technology-specific process / control methodologies, etc.

FFIEC - Federal Financial Institutions Examination Council

Slide 43

Alignment With Technology Infrastructure (Illustration Only)

[Network diagram. Perimeter: Internet, firewalls / secure routing, DMZ (Email, FTP, DNS, other servers, databases & applications), routers, VPN, 3rd parties, subsidiaries, remote LANs, remote access. Interior: LANs, mainframe systems, distributed systems (UNIX & Windows), databases & applications; monitoring, intrusion detection & anti-virus systems. External risks: vulnerability to hackers. Internal risks: unauthorized access by internal users (employees or contractors).]

Slide 44

Security Audit Universe

[Diagram: the Audit Universe at the centre, surrounded by its component areas]
- Access Management & Compliance
- Identity Management
- Distributed Security
- Security Governance
- Mainframe Security
- Security Monitoring
- Remote Access Security
- Intrusion Detection
- Virus Prevention
- Physical Security
- Incident Response
- Software Management
- Network & Perimeter Security
- Application Security
- Database Security

Slide 45

Map Audit Universe To COBIT (Illustration Only)

[Matrix: audit universe areas as rows, high-level COBIT objectives (i.e. PO2) as columns; applicable objectives are noted with "X".]

Slide 46

Audit Approach Overview

[Flow diagram with steps numbered 1 to 9; only some step numbers survive extraction. Elements: Audit Planning Session; Audit Team; COBIT Manuals & Other Best Practice Material; COBIT To Audit Mapping Template; COBIT Control Assessment Questionnaire; Work Program; Engagement Memo (step 3); Kick-Off Meeting; Client Work Sessions; Audit Testing; Exit Meeting (step 7); Reporting; QAR (step 9).]

Slide 47

Map Audit Plan To COBIT

[Mapping table: one row per high-level objective (i.e. PO2) and detailed-level objective (i.e. 2.1); applicable objectives are noted in one column and the risk category in another.]

Slide 48

Using COBIT Framework To Tie It All Together... (Illustration Only)

Use of a framework ensures consistent coverage across audits and allows for trending the "state of controls" over time.

[Diagram linking the audit artifacts: COBIT Control Assessment Questionnaire, Work Program, Engagement Memo, Audit Report.]

Slide 49

COBIT Control Assessment Questionnaire

[Annotated questionnaire layout]
- One table for each high-level COBIT objective included in scope; one COBIT control objective per row.
- Columns: preplanned assessment questions; XYZ Company specific control objectives; client's response & assessment results; COBIT maturity rating (0-5) assigned based on joint assessment.
- Overall maturity rating for each high-level control objective is assigned based on the results of the joint assessments of each detailed control objective.

The questionnaire is used during joint work sessions held with clients to complete a joint risk assessment of the area under review.

Slide 50

COBIT Based Audit Report

[Annotated report layout, first page]
- Overall rating and the client's target goal
- Overall conclusion statements supporting the overall rating
- Audit metrics (QAR)
- Concise background & scope
- Control weakness highlighting business impact
- Responsible manager, client-provided response, due date
- Issue priority (A, B, C)

Slide 51

COBIT Based Audit Report

[Annotated report layout, continued]
- Strategic Focal Point Table (one row for each high-level objective included in scope): overall rating for the high-level control objective; detailed control objectives included in scope listed; summary conclusions and points supporting the rating; key performance indicators (i.e., metrics) highlighted.
- Control Focal Point Table (highlighting key controls): applicable detailed control objective (one per row; corresponds to a row in the Assessment Questionnaire); assigned maturity rating; summary conclusions and points supporting the rating; key performance indicators (i.e., metrics) highlighted.

Slide 52

COBIT Based Audit Report (Illustration Only)

[Annotated report layout, continued]
- Process workflow diagram for the area assessed
- Table defining key control points in the process flow, each identified as an automated or manual control
- Key performance indicators (i.e., metrics) highlighted

Slide 53

COBIT To Audit Mapping Repository (Illustration Only)

[Diagram: the mapping repository feeds the Questionnaire, the Audit Report and the Quarterly Report of Audit Results (QAR).]

Slide 54

Quarterly Audit Report - Audit Results Metrics

[Chart: IAD Focal Point Methodology Scorecard - Overall Audit Results (report printed 03/24/2003, Charles Schwab & Co, Inc., page 6). Stacked bars show the percentage of audits (0-100%) at each COBIT maturity level; legend: 0 - Non-Existent, 1 - Initial, 2 - Repeatable, 3 - Defined, 4 - Managed, 5 - Optimized. Series: Security Audits (refer to slide 7), Infrastructure Audits (refer to slide 6), Overall. Periods: Q1 prior year, Q2 2002, Q3, Q4, YTD. Annotations: Data Not Available For 2001; No Reports Issued; TBD.]

Analysis of Key Technology Metrics (reproduced from the 2003 North America CACS Conference, May 20, 2003, slide 77)

Example of Metric Analysis To Include In QAR (Illustration Only)

[Chart: change management outcomes by period (Q1, 2002; Q2, 2002; Q3, 2002; YTD) as percentages on a 0-100% scale: Successful, Failed & Backed Out, Caused Problem, Caused Outage, Cancelled, Unstatused.]

Although target rates have not been achieved, change management processes are successful on average 75% of the time. Less than 1% of appropriately recorded changes resulted in problems or outages...

Internal Audit Observations:
- Change management processes appear to be consistently applied with only minor variances in volume.
- The large percentage (~20%) of "unstatused" tickets indicates process adherence issues. True results cannot be accurately determined; therefore, additional management scrutiny is appropriate for the "unstatused" items.
- The trend for tickets with implementation problems is increasing; additional analysis to ascertain the root cause of the increase in this activity would be appropriate. The root cause may rest with testing and validation processes.

Target Rate 97% (Source: Technology Management Balanced Scorecard)

[Chart: detail of the non-successful change categories by period (Q1, 2002; Q2, 2002; Q3, 2002; YTD) on a 0-25% scale: Failed & Backed Out, Caused Problem, Caused Outage, Cancelled, Unstatused. Illustration Only.]

Slide 55

Benefits Realized...

- IT management partners with Internal Audit throughout the audit life cycle, including input into the audit schedule and scope.
- IT management becomes conversant in risk, control, and audit concepts.
- Relationships are transformed into partnerships by jointly assessing control procedures.
- Audit report streamlined: a concise report supported by a detailed questionnaire (i.e., Risk Self Assessment - RSA).
- Audit approach is methodical and consistent with the IT Governance practices implemented throughout the company's technology organization.
- Meaningful reporting for senior IT management; facilitated efforts to implement processes necessary for Sarbanes-Oxley compliance.

Slide 56

Additional Audit Resources

Templates (http://www.sfisaca.org/resources/downloads.htm)

COBIT Case Study (http://www.itgi.org/casestudy4.htm) (http://www.isaca.org/ctcase27.htm)

Slide 57

COBIT As A Risk Management Framework For Information Security

Case Study: Information Security - Access Compliance

Slide 58

Drivers of Information Security Requirements

[Diagram: business drivers and technology drivers converge on information security requirements; management "buy in" is the key to success.]

- Shorter business cycles
- Need to involve/connect/tie in with more partners
- Network centric business models
- Leverage VPN, remote access, new tools
- Regulatory Requirements

Manage Risk
- Internet - UNIX - TCP/IP
- More hackers, more tools
- Increased dependency on IT

Leverage Opportunities
- E-cash, e-commerce, e-tc.
- Open, modular, scalable
- Security a commodity

Management "Buy In" - Key To Success!
- Awareness (value of IT governance framework)
- Perceived / Understood Risk
- Cost / Benefit
- Benchmarks
- Clarity of Purpose

Slide 59

Senior Management Awareness - Tone From Top

Questions From Senior Management / Board
- What does security cost?
- Have we completed a risk assessment in order to define where the enterprise is most vulnerable (i.e., where do we most appropriately focus our security resources)?
- How do we measure our "state" of security?
- How do we ensure that customer data (NPI) and sensitive financial information is appropriately safeguarded and only accessible by users with a business "need to know or use" the data?
- Do we know for certain how many people are accessing the organization's systems? Are we monitoring the access? Are resource owners appropriately engaged?
- What are the most critical information assets of the enterprise (do we have an inventory)? Has data been classified and secured based on relative risk? Do we maintain an inventory of all system devices that the company owns / leases? Would management know if some went missing?
- Would people recognize a security incident when they saw one? Would they ignore it? Would they know what to do about it?
- Has the organization ever had its security "validated" by a third party?

Slide 60

Cost of Information Security

[Chart: Cost of Security / Control VERSUS IT Budget. Tiers from top to bottom: Industry Leader (Leadership); Best Practices (Benchmarking); Baseline Operation (Minimum Requirements); "Cowboy" Operation (Non-Compliance). Percentage figures shown on the chart: 45 - 50%, 55%, 20 - 25%, 5 - 10%. Legend: arrows = Drivers.]

Slide 61

Monitoring Emerging Risk Indicators: Is Risk Well Managed?

Risk management is concerned (in part) with processes designed and sustained by management to reduce the risk of material error...
- Frequent measurement of results is a prerequisite for a sustained and controlled environment.
- Standardization and design are prerequisites for repeatability.

Risk Drivers - Lessons Learned From COBIT?

Risk decreases when processes are:
- Mature - sustainable and measurable
- Repeatable and predictable
- Systematic / automated
- Monitored
- Standardized (designed / defined)
- Documented and communicated

Risk increases when processes are:
- Inconsistent
- Ad-hoc (not standardized)
- Not monitored
- Relying upon the knowledge of individuals (i.e., lack of documentation)

"In line with COBIT's Management Guidelines, access management should include formal steps for proactively evaluating compliance via monitoring activities and meaningful performance indicators (i.e., metrics)"

Slide 62

Monitoring Emerging Risk Indicators: Ongoing Measurement / Ongoing Dialogue

Monitor key performance indicators (i.e. metrics) on an ongoing basis...

Traditional Risk Assessment Approach (Prioritization based on annual risk assessment of function)

[Diagram: control environment plotted against time; assessments at t1 (Assess 1) and t2 (Assess 2) show Reality drifting away from Expectation between the two point-in-time assessments.]

Challenges Of "Point-In-Time" Assessment
- Evaluation of risk and control is as of a point in time.
- Management reporting is reflective of results as of a point in time.
- Priorities may be influenced by prior results (i.e., focus on past areas of weakness). Good or bad??
- If a risk assessment on the function has not been completed for a long time, there may be a learning curve.

Ongoing Monitoring Of Risk Indicators (Gaining Efficiencies Through Focus On High Risk Indicators)

[Diagram: the same control environment versus time plot, with periodic Reports between Assess 1 (t1) and Assess 2 (t2); ongoing measurement keeps Expectation aligned with Reality.]

Benefits of Ongoing Monitoring
- Quarterly readout of assessment results for technology management.
- Ongoing dialogue regarding areas of significant or increasing risk.
- Priorities more closely associated with known risk factors, ultimately leading to more controlled risk mitigation and potential process improvements / efficiency gains.

Slide 63

Monitoring Emerging Risk Indicators: Overall Objective & Goal

The goal is to proactively monitor metrics on an ongoing basis to focus risk remediation efforts on high-risk processes and tasks where performance indicators point to potential problems.

Results of the metric analysis are presented to senior management on a quarterly basis. The analysis indicates priorities for remediation efforts and any required changes to existing processes.

Slide 64

Information Security: Security Metrics Development Process

Slide 65

Information Security: Security Metrics Implementation Process

Slide 66

Information Security: Measuring Performance (illustration only)

[Diagram: six measured areas arranged around Policy, grouped under Tools & Technology, Process and Human Behaviour & Culture: 1 Policies & Procedures, 2 Security Management, 3 Behavior & Culture, 4 Application Security, 5 System Access Control, 6 Network Segregation.]

[Chart: each of the six areas rated on a 0-5 scale (0 Very poor, 1 Poor, 2 Fair, 3 Good, 4 Very good, 5 Excellent).]

Legend for ranking used:
5 - Excellent: Best possible, highly integrated
4 - Very good: Advanced level of practice
3 - Good: Moderately good level of practice
2 - Fair: Some effort made to address issues
1 - Poor: Recognise the issues
0 - Very poor: Complete lack of good practice

Legend for symbols used: average of best security performers in the financial industry (begin '96); company status - Feb '97; company objective for 2001.

[Chart: overall performance score (0-100) trended by year, 1996 through 2001.]

Slide 67

Information Security: Measuring Performance (illustration only)

The Security Officer consistently performs both internal and external vulnerability scans on a monthly basis. The majority of vulnerabilities identified are low risk...

[Two charts, A and B (Internal Vulnerability Scans, External Vulnerability Scans): counts of Low Risk, Medium Risk and High Risk vulnerabilities for Q1, 2002; Q2, 2002 and YTD; one chart is scaled 0-1000, the other 0-3000. Callout: slight increase in high risk vulnerabilities.]

Observations:
- An increase in internal vulnerabilities occurred from Q1 to Q2. The increase is explained by new system patches that the vulnerability scanner now checks for but that have not yet been applied to the XYZ company servers. Technology management appropriately applies patches only after the patches have been tested and certified.
- A decrease in external vulnerabilities was noted from Q1 to Q2. These results demonstrate that a significant number of Q1 vulnerabilities have been resolved.

Slide 68

Information Security: Key Indicators - Access Compliance

- Access Administration Workflow (adds, changes, deletions, special requests)
- Access Administration Service Level Attainment (measured against target / goal)
- Percentage of ID requests submitted with appropriate approvals
- Inactive ID Remediation (percentage decline over time)
- Privileged Access Oversight (percentage of total IDs)
- Shared / Generic ID Oversight (percentage of total IDs)
- Percentage of current access administration policies / standards
- Percentage of current access administration guidelines
- Percentage of current access administration procedures
- Number of access related incidents reported
- Average time elapsed between incident discovery and implementation of corrective action
- Percentage of IDs for which supervisory review has been completed in the past quarter to validate that access remains appropriate for the user's job function
- Percentage of systems for which access security parameters have been tested and evaluated in the past year & percentage of non-compliant systems
- Percentage of system resources without a defined / accountable resource owner assigned
- Percentage of systems that maintain logs (audit trail) to trace user activity
- Percentage / Number of access violations to critical system resources
- Percentage of passwords not in compliance with policy (password quality)
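As an added example, not part of the presentation or of any Schwab tooling, the Python below computes several of these ID-based indicators and the follow-up list for a joint work session from a constructed account inventory; the record fields, the 90-day inactivity and review thresholds, and the sample IDs are all assumptions.

```python
"""Access compliance indicators from a constructed ID inventory (added
example, not from the presentation; fields, thresholds and records are
assumptions; real data would come from the access administration system)."""
from datetime import date

AS_OF = date(2004, 9, 30)       # reporting date (constructed)
INACTIVE_AFTER_DAYS = 90        # assumed: no logon in 90 days = inactive ID
REVIEW_WINDOW_DAYS = 90         # assumed: supervisory review due each quarter

# Constructed inventory: one record per ID.
SAMPLE_IDS = [
    {"id": "jdoe", "owner": "J. Doe", "privileged": False, "shared": False,
     "last_logon": date(2004, 9, 28), "approved": True,
     "last_review": date(2004, 8, 15)},
    {"id": "asmith", "owner": "A. Smith", "privileged": True, "shared": False,
     "last_logon": date(2004, 9, 29), "approved": True,
     "last_review": date(2004, 7, 10)},
    {"id": "batchops", "owner": "", "privileged": True, "shared": True,
     "last_logon": date(2004, 9, 30), "approved": True, "last_review": None},
    {"id": "tmp01", "owner": "", "privileged": False, "shared": True,
     "last_logon": date(2004, 3, 2), "approved": False, "last_review": None},
    {"id": "rlee", "owner": "R. Lee", "privileged": False, "shared": False,
     "last_logon": date(2004, 5, 20), "approved": True,
     "last_review": date(2004, 4, 1)},
]

def pct(part, whole):
    """Percentage rounded to one decimal; 0.0 for an empty inventory."""
    return round(100.0 * part / whole, 1) if whole else 0.0

def is_inactive(acct, as_of=AS_OF):
    return (as_of - acct["last_logon"]).days > INACTIVE_AFTER_DAYS

def reviewed_this_quarter(acct, as_of=AS_OF):
    last = acct["last_review"]
    return last is not None and (as_of - last).days <= REVIEW_WINDOW_DAYS

def scorecard(ids, as_of=AS_OF):
    """The slide's ID-based indicators, each as a percentage of total IDs."""
    n = len(ids)
    return {
        "inactive_ids_pct": pct(sum(is_inactive(a, as_of) for a in ids), n),
        "privileged_ids_pct": pct(sum(a["privileged"] for a in ids), n),
        "shared_generic_ids_pct": pct(sum(a["shared"] for a in ids), n),
        "approved_requests_pct": pct(sum(a["approved"] for a in ids), n),
        "reviewed_past_quarter_pct": pct(
            sum(reviewed_this_quarter(a, as_of) for a in ids), n),
        "no_accountable_owner_pct": pct(sum(not a["owner"] for a in ids), n),
    }

def exceptions(ids, as_of=AS_OF):
    """IDs needing follow-up, with the reason(s), for the joint work session."""
    out = {}
    for a in ids:
        reasons = []
        if is_inactive(a, as_of):
            reasons.append("inactive")
        if not a["approved"]:
            reasons.append("no approval on record")
        if not a["owner"]:
            reasons.append("no accountable owner")
        if a["privileged"] and not reviewed_this_quarter(a, as_of):
            reasons.append("privileged ID not reviewed this quarter")
        if reasons:
            out[a["id"]] = reasons
    return out

def remediation_decline_pct(prior_pct, current_pct):
    """Inactive ID Remediation indicator: percentage decline versus prior period."""
    return pct(prior_pct - current_pct, prior_pct)

if __name__ == "__main__":
    print(scorecard(SAMPLE_IDS))
    print(exceptions(SAMPLE_IDS))
```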

Slide 69

Tools To Facilitate Your Risk Management Efforts

Slide 70

COBIT Security Baseline

Slide 71

COBIT Security Baseline (continued)

Focusing attention on security-related objectives from the entire COBIT framework...

Slide 72

COBIT Security Baseline (continued)

Slide 73

IT Control Practice Statement: COBIT - DS5 Ensure System Security

IT control practices expand the capabilities of COBIT by providing the practitioner with an additional level of detail.

The current COBIT IT processes, business requirements and detailed control objectives define what needs to be done to implement an effective control structure.

The IT control practices provide the more detailed how and why needed by management, service providers, end users and control professionals to implement highly specific controls based on an analysis of operational and IT risks.

Slide 74

IT Control Practice Statement: COBIT - DS5 Ensure System Security (EXAMPLE)

DS 5.4 User Account Management

Why do it? The enforcement of adequate user account management in line with the control practices will help ensure:
- Proper administration of the lifecycle of user accounts
- Communication to and acknowledgment by users of the rules with which they need to comply

Control Practices
- DS 5.4.01 Procedures are in place to ensure timely actions in relation to requesting, establishing, issuing, suspending and closing user accounts. All actions require formal approval.
- DS 5.4.02 When employees are given their account, they are provided with initial or refresher training and awareness on computer security issues. Users are asked to review a set of rules and regulations for system access.
- DS 5.4.03 Users use quality passwords as determined by the organization's password guidelines. Quality aspects of passwords include: enforcement of initial password change on first use, appropriate minimum password length, appropriate and enforced frequency of password changes, password checking against a list of not-allowed values (e.g., dictionary checking) and adequate protection of emergency passwords.
- DS 5.4.04 Third-party users are not provided with user codes or passwords unless they have signed a nondisclosure agreement. Third-party users are provided with the organization's security policy and related documents and must sign off that they understand their obligations.
- DS 5.4.05 All contracts for outsourcing or contracting address the need for the provider to comply with all security related policies, standards and procedures.
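As an added example, not part of the presentation or of COBIT's own control practices, the Python below implements the DS 5.4.03 quality aspects as set-time and account-state checks and rolls them up into the slide 68 indicator for passwords not in compliance with policy; the policy values, the denied-word list and the account records are constructed assumptions.

```python
"""Password quality and first-use checks per the DS 5.4.03 aspects.

Added example, not from the presentation or from COBIT. The policy values,
the denied-word list and the account records are constructed assumptions;
a real deployment would load the organization's password guidelines and a
full dictionary. Candidate passwords are checked at set time and never stored.
"""
from datetime import date

POLICY = {
    "min_length": 8,          # assumed minimum length
    "max_age_days": 90,       # assumed enforced change frequency
    # assumed list of not-allowed values (a real list is a full dictionary)
    "denied_words": ["password", "welcome", "qwerty", "letmein"],
}

AS_OF = date(2004, 9, 30)     # evaluation date (constructed)

# Constructed account records as an access administration system might hold them.
ACCOUNTS = [
    {"id": "jdoe", "initial_password": False, "logon_count": 120,
     "last_changed": date(2004, 8, 1)},
    {"id": "newhire", "initial_password": True, "logon_count": 3,
     "last_changed": date(2004, 9, 1)},
    {"id": "rlee", "initial_password": False, "logon_count": 40,
     "last_changed": date(2004, 4, 15)},
]

def password_quality_issues(candidate, user_id="", policy=POLICY):
    """Policy violations for a proposed password; an empty list means accepted."""
    issues = []
    if len(candidate) < policy["min_length"]:
        issues.append("shorter than minimum length %d" % policy["min_length"])
    lowered = candidate.lower()
    # Dictionary check: a denied value counts even when embedded ("Password1").
    for word in policy["denied_words"]:
        if word in lowered:
            issues.append("contains not-allowed value '%s'" % word)
    if user_id and user_id.lower() in lowered:
        issues.append("contains the user ID")
    if candidate.isalpha() or candidate.isdigit():
        issues.append("uses only one character class")
    return issues

def account_password_findings(acct, as_of=AS_OF, policy=POLICY):
    """Findings for an existing account: first-use change and change frequency."""
    findings = []
    # The initial password must be replaced on first use; a logon count above
    # zero with the initial password still flagged means enforcement failed.
    if acct["initial_password"] and acct["logon_count"] > 0:
        findings.append("initial password still in use after first logon")
    age = (as_of - acct["last_changed"]).days
    if age > policy["max_age_days"]:
        findings.append("password is %d days old, limit is %d"
                        % (age, policy["max_age_days"]))
    return findings

def noncompliance_pct(accounts, as_of=AS_OF):
    """Slide 68 indicator: percentage of passwords not in compliance with policy."""
    bad = sum(1 for a in accounts if account_password_findings(a, as_of))
    return round(100.0 * bad / len(accounts), 1) if accounts else 0.0

if __name__ == "__main__":
    for pw in ("Password1", "abc", "Tr0ub4dor&3"):
        print(pw, "->", password_quality_issues(pw) or "accepted")
    for a in ACCOUNTS:
        print(a["id"], "->", account_password_findings(a) or "compliant")
    print("non-compliant passwords: %.1f%%" % noncompliance_pct(ACCOUNTS))
```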

Slide 75

Additional Resources & Questions

Templates & Resources (http://www.sfisaca.org/resources/downloads.htm)
- COBIT Security Baseline
- IT Control Practice Statement - COBIT DS5 Ensure System Security
- Questionnaire for IT Control Practice Statement DS5
- Security Self-Assessment Guide for Information Technology Systems (National Institute of Standards & Technology)
- Security Metrics Guide for Information Technology Systems (National Institute of Standards & Technology)
- Access Compliance Scorecard - Template
- ISO 17799 (http://www.iso-17799.com/)
- FFIEC Information Security Examination Handbook (http://www.ffiec.gov/ffiecinfobase/html_pages/it_01.html)

Slide 76

Questions?

Thank You!