350 likes | 675 Views
INFORMATION ASSURANCE USING C OBI T. MEYCOR C OBI T CSA & MEYCOR C OBI T AG TOOLS. Relationship between COSO and COBIT. What is C OBI T?. A model to implement IT Governance. An open, widely-known standard. Comprises 34 process and 220 low level Control Objectives.
E N D
INFORMATION ASSURANCEUSING COBIT MEYCOR COBIT CSA & MEYCOR COBIT AG TOOLS
What is COBIT? • A model to implement IT Governance. • An open, widely-known standard. • Comprises 34 process and 220 low level Control Objectives. • It is 100% compatible with ISO 17799, COSO I & II, and other less general standards on which it relies upon. • COBIT establishes the what and the supporting standards establish the how regarding IT Governance implementation.
COBIT • Stands for Control Objectives for Information and Related Technology. • Is a model developed by ISACA and the IT Governance Institute (ITGI) in order to implement IT Governance in organizations.
ISACA • Founded in 1969. • Is a leading organization on IT Governance, Control, Assurance, and Auditing. • Headquartered in Chicago, USA. • It has over 60.000 members in more than 100 countries. • Holds events, conferences and develops standards on IT Governance, Assurance and Security. • COBIT: • 1st Edition in 1996 • 2nd Edition in 1988 • 3rd Edition in 2000 • 4th Edition in 2005 (Nov/Dec)
COBIT Framework BUSINESS REQUIREMENTS INFORMATION CRITERIA INFORMATION PROCESSES • effectiveness • efficiency • confidentiality • integrity • availability • compliance • reliability IT RESOURCES • applications • information • infrastructure • personnel ?
Information Assurance • Information assurance is the basis on which decision-making is built in an organization. Without assurance, companies have no certainty that the information on which they support their critical-mission decisions is reliable, secure and available when needed. • Information Assurance is defined as the use of information operations that protect and defend information and information systems and networks by ensuring their availability, integrity, authentication, confidentiality, and nonrepudiation, considering risk impacts due to local or remote threats from communications and Internet. • We will see two important assurance techniques: self-assessment and information systems auditing.
COBIT: Control Self-assessment (Meycor COBIT CSA) • This management technique ensures to all stakeholders that the internal control system is reliable. • It also ensures that the personnel is aware of the business risks, and that they perform regular and proactive reviews of the controls.
COBIT Audit Guidelines(Meycor COBIT AG) • The Guidelines provide a simple structure to audit IT controls. • They are general in nature and high-level structured. • They allow to review the Processes against the IT Control Objectives.
The steps that must be followed in an audit: • Obtaining an understanding of the business requirements and associated risks and the relevant control measures. • Evaluating the appropriateness of stated controls. • Assessing compliance to ensure that the control measures established are working as prescribed, consistently and continuously. • Substantiating the risk of the control objectives not being met by using analytical techniques and/or consulting alternative sources.
Generic Audit Guideline Obtaining an Understanding • The audit steps to be performed to document the activities underlying the control objectives as well as to identify the stated control measures/procedures in place. • Interview appropriate management and staff to gain an understanding of: • Business requirements and associated risks. • Organization’s structure. • Roles and responsibilities. • Control measures in place. • Management reporting (status, performance, action items). • Document the process-related IT resources particularly affected by the process under review. Confirm the understanding of the process under review, the Key Performance Indicators (KPI) of the process, the control implications, e.g., by a process walk through.
Generic Audit Guideline Evaluating the Controls • The audit steps to be performed in assessing the effectiveness of control measures in place or the degree to which the control objective is achieved. Basically deciding what, whether and how to test. • Evaluate the appropriateness of control measures for the process under review by considering identified criteria and industry standard practices, the Critical Success Factors (CSF) of the control measures and applying auditor professional judgment. • Document processes exists. • Appropriate deliverables exists. • Responsibility and accountability are clear and effective. • Compensating controls exists, where necessary. • Conclude the degree to which the control objective is met.
Generic Audit Guideline Assessing Compliance • The audit steps to be performed to ensure that the control measures established are working as prescribed, consistently and continuously and to conclude on the appropriateness of the control environment. • Obtain direct or indirect evidence for selected items/periods to ensure that the procedures have been complied with for the period under review using both direct and indirect evidence. • Perform a limited review of the adequacy of the process deliverables. • Determine the level of substantive testing and additional work needed to provide assurance that the IT process is adequate.
Generic Audit Guideline Substantiating the Risk • The audit steps to be performed to substantiate the risk of the control objective not being met by using analytical techniques and/or consulting alternative sources. • Document the control weaknesses, and resulting threats and vulnerabilities. • Identify and document the actual and potential impact; e.g., through root-cause analysis. • Provide comparative information, e.g., through benchmarks.
Meycor COBIT CSAIT Processes Importance We must identify for the processes defined by COBIT their importance and performance, whether they have been audited or not, how they are processed and who is responsible for them.
Meycor COBIT CSASelf-assess controls Meycor COBIT CSA includes the COBIT 4.0 Control Objectives and additional security questions on specific software platforms.
Meycor COBIT CSAAssessment Report Results are displayed using scores. In this way it is possible to establish target values.
Meycor COBIT CSAIT Processes Diagnosis The red line represent the score obtained. The closer to the center this line is, risks are less covered by the controls.
Meycor COBIT CSAAssessing several Analysis Centers Results can be displayed comparatively (for platforms, branches and technologies)
Meycor COBIT CSAAudit Projects Allows to create audit projects, assign resources and even manage them. The objective is to determine whether the process' controls provide assurance.
Meycor COBIT CSAAlignment with Business Objectives The alignment between IT Objectives and Business Objectives is clearly identified.
Meycor COBIT AGTechnology inventory Here we identify how IT resources effectively contribute to the achievement of objectives.
Meycor COBIT AGRelationship between COBIT Processes and Business Processes A heat map is generated based on the IT resources and the required information criteria.
Meycor COBIT AGBeginning the Audit Process The process begins when a reviewer creates a project and assigns it to an auditor. It is also possible to record whenever an auditor disagrees with an observation.
Meycor COBIT AGAuditing an IT Process Meycor COBIT AG provides guidance through the different stages (interviewing, etc.), allowing to record tasks and observations as well as attaching evidence.
Meycor COBIT AGAudit Guidelines Auditors have audit guidelines available that provide a knowledge base to improve the quality of the audit work.
Meycor COBIT AGRecord Tasks Here we identify who performed the task, the time invested, any pertinent comments, etc.
Meycor COBIT AGFindings and Recommendations The observations are defined in a format that includes the determination of the criteria used to perform the assessment, the consequences, etc.
Meycor COBIT AGWork papers Example (I) Report of the audit program sorted by projects.
Meycor COBIT AGWork papers Example (II) Report on the degree of strength of the audited controls.
Meycor COBIT AGWork papers Example (III) Identification of findings, the auditee's opinion, follow-ups, etc.
DATASEC IT Security & Control Patria 716 - CP 11300 - Montevideo - Uruguay Phone: (+598 2) 711-58-78 / 711-04-20 Fax: (+598 2) 711-58-94 Website: www.datasec-soft.com