350 likes | 871 Views
COBIT. Part 2 IT Governance Presented by George Grachis CISSP. Abstract. The business goal of Harley-Davidson Motor Company is to produce and sell high-quality motorcycles.
E N D
COBIT Part 2 IT Governance Presented by George Grachis CISSP
Abstract • The business goal of Harley-Davidson Motor Company is to produce and sell high-quality motorcycles. • The challenge was in getting management, information technology (IT) and audit speaking the same language and working toward increased control. This all had to be accomplished by building consensus among varied departments and without affecting quality or slowing production.
Background • Harley-Davidson Motor Company was founded in 1903 in Milwaukee, Wisconsin, USA. It is the oldest producer of motorcycles in the US and has enjoyed 20 consecutive years of record revenue. In 2003, Harley-Davidson had limited IT controls in place and staff had limited control knowledge. • In addition, it had been difficult finding other manufacturers for benchmarking, and COBIT helped show Harley-Davidson management where the company was positioned regarding controls and what should be done to improve.
Process • To jumpstart IT governance and Sarbanes-Oxley activities, Harley-Davidson created an IS compliance department and began implementing a vendor’s general computer controls model. • Reasons behind Harley-Davidson’s selection of COBIT include: • It is an internationally accepted standard for IT governance and control practices. • It can be used by management, end users, and IT audit and security professionals, and it provides a common language. • The company was able to gain agreement with the external auditor on the same framework and control objectives.
Key to introducing COBIT was ensuring that all of IT and management understood why they needed to care about effective, value-focused controls. • COBIT’s business-focused language allowed management, IT and internal audit to ensure they were on the same road. • The team started by mapping implemented controls to COBIT and compared the results. Gaps were identified and plans were developed to close these gaps
One of the major benefits of using COBIT as its overall internal control and compliance model was getting everyone—especially non technical motorcycle experts—revved up about control activities and why controls are important.
Tracking and reporting are important components of ongoing IT governance activities. Harley-Davidson developed an MS Access issues-tracking database to have joint IT and internal audit visibility of known control weaknesses. • Driving internal change was also a key goal of this highly competitive company, and COBIT benchmarking was an invaluable tool for independent comparison.
Summary • Prior to implementing the COBIT framework, areas the external auditor audited were chosen randomly or on loose justifications. Now the areas selected for auditing are firmly based on business value and control needs. • COBIT open architecture allowed it to be used successfully as a central control model. COBITS benefits: • End users need to be aware of only one standard. • It gains external audit agreement on the company’s control position. • It establishes the ability to use control objectives to help identify root causes. • There is a comprehensive view of the risk and control environment.
COBIT Users • Harley Davidson • Sun Microsystems • University of Iowa • Prudential • Allstate • Charles Schwab • U.S. House of Representatives
Why IT Governance • Due diligence • IT is critical to the business • IT is strategic to the business • Expectations and reality don’t match • IT hasn’t gotten the attention it deserves • IT involves huge investments and large risks
“Due diligence” • Infrastructure and productive functions • Skills, culture, operating environment • Capabilities, risks, process knowledge and customer information • Service levels
IT is Critical to Business This criticality arises from: • The increasing dependence on information and the systems and communications that deliver it • The dependence on entities beyond the direct control of the enterprise • The risks of doing business in an interconnected world
IT is Strategic to Business If so, wouldn’t you want to know whether your organization’s information technology is: • Likely to achieve its objectives? • Resilient enough to learn and adapt? • Judiciously managing the risks it faces? • Appropriately recognizing opportunities and acting on them?
Why IT has not been valued • IT requires more technical insight than do other disciplines to understand how IT • Enables the enterprise • Creates risks • Gives rise to opportunities • IT has traditionally been treated as an entity separate to the business • IT is complex, and even more so in the extended enterprise operating in a networked economy
IT Governance Defined • Responsibility of the board of directors • Protects shareholder value • Ensures risk transparency • Directs and controls IT investment, opportunity, benefits and risks • Aligns IT with the business while accepting IT is a critical input to and component of the strategic plan, influencing strategic opportunities • Sustains the current operation and prepares for the future
IT Governance Framework Act if not aligned Fig 1 Deliver against the goals Set measurable goals Compare results Measure performance
Information Security • Know what questions to ask • Know what is needed • Raise the awareness at the top • Have clarity of purpose • Measure your performance • Keep on doing it
Some good questions • Would people recognize a security incident when they saw one? Would they ignore it? Would they know what to do about it? • Does anyone know how many computers the company owns? • Did the company suffer from the latest virus attack? How many did it have last year? • What are the most critical information assets of the enterprise? Does management know where the enterprise is most vulnerable? • Has the organization ever had its network security checked by a third party? • Is IT security a regular agenda item on IT management meetings?
21 DETAILED CONTROL Objectives 5 ENSURE SYSTEMS SECURITY 5.1 Manage Security Measures CONTROL OBJECTIVE IT security should be managed such that security measures are in line with business requirements. This includes: • Translating risk assessment information to the IT security plans • Implementing the IT security plan • Updating the IT security plan to reflect changes in the IT configuration • Assessing the impact of change requests on IT security • Monitoring the implementation of the IT security plan • Aligning IT security procedures to other policies and procedures
5.2 Identification, Authentication and Access CONTROL OBJECTIVE The logical access to and use of IT computing resources should be restricted by the implementation of adequate identification, authentication and authorization mechanisms, linking users and resources with access rules. Such mechanisms should prevent unauthorized personnel, dial-up connections and other system (network) entry ports from accessing computer resources and minimize the need for authorized users to use multiple sign-ons. Procedures should also be in place to keep authentication and access mechanisms effective (e.g., regular password changes).
5.4 User Account Management CONTROL OBJECTIVE Management should establish procedures to ensure timely action relating to requesting, establishing, issuing, suspending and closing of user accounts. A formal approval procedure outlining the data or system owner granting the access privileges should be included. The security of third-party access should be defined contractually and address administration and non-disclosure requirements. Outsourcing arrangements should address the risks, security controls and procedures for information systems and networks in the contract between the parties.
5.6 User Control of User Accounts CONTROL OBJECTIVE Users should systematically control the activity of their proper accounts. Also information mechanisms should be in place to allow them to oversee normal activity as well as to be alerted to unusual activity in a timely manner
5.11 Incident Handling CONTROL OBJECTIVE Management should establish a computer security incident handling capability to address security incidents by providing a centralized platform with sufficient expertise and equipped with rapid and secure communication facilities. Incident management responsibilities and procedures should be established to ensure an appropriate, effective and timely response to security incidents.
5.9 Central Identification and Access Rights Management CONTROL OBJECTIVE Controls are in place to ensure that the identification and access rights of users as well as the identity of system and data ownership are established and managed in a unique and central manner to obtain consistency and efficiency of global access control.
5.10 Violation and Security Activity Reports CONTROL OBJECTIVE IT security administration should ensure that violation and security activity is logged, reported, reviewed and appropriately escalated on a regular basis to identify and resolve incidents involving unauthorized activity. The logical access to the computer resources accountability information (security and other logs) should be granted based upon the principle of least privilege, or need-to-know.
5.20 Firewall Architectures and Connections with Public Networks CONTROL OBJECTIVE If connection to the Internet or other public networks exists, adequate firewalls should be operative to protect against denial of services and any unauthorized access to the internal resources; should control any application and infrastructure management flows in both directions; and should protect against denial of service attacks.
Questions Thank you