IT Policies, Standards and Technical Directives
Sarah Cortes, PMP, CISA
www.inmantechnologyIT.com
Sarah’s blog: SecurityWatch
Sarah’s ITtechEx column
twitter: SecuritySpy
LinkedIn: Sarah Cortes

07/19/09        Copyright 2009 Sarah Cortes               1
Agenda

• Who are we?
• Purpose?
• Standards Frameworks
• COBIT Framework
• ISACA Framework
• Case Study

Sarah Cortes, PMP, CISA
    Clients:
       •   Harvard University
       •   Biogen
       •   Fidelity

    Professional Associations:
       •   Sarah is a member of the AIM Advisory Board on Data Privacy Laws to the
           Massachusetts Legislature

    Practice expertise
       •   Complex Application Development/Implementation
       •   IT Security/Privacy/Risk Management/Audit Management
       •   Data Center Operations Management
       •   Disaster Recovery/High Availability
       •   Program/Project Management

    Background
       •   SVP in charge of Security, DR, IT Audit, and some Data Center Operations at
           Putnam Investments
       •   As head of DR, ran Putnam's failover during 9/11 when parent Marsh McLennan
           failed over to our facility from the World Trade Center 99th floor data center
       •   Coordinated over 65 audits per year
       •   Previously ran major applications development for Trading/Analytics Systems


Standards Overview

• ISO/IEC 27000 - International Organization for Standardization/International Electrotechnical Commission
• ITIL - Information Technology Infrastructure Library
• NIST - National Institute of Standards and Technology
• PMBOK - Project Management Body of Knowledge
• TOGAF - The Open Group Architecture Framework
• CMMI for Development - Capability Maturity Model Integration
• SEI’s CMM (Capability Maturity Model) for SW - (US DoD) Software Engineering Institute
• COBIT - Control Objectives for Information & related Technology - Information Systems Audit and Control Association

Is the Purpose to…?

• Drive you crazy?
• Waste your precious resources in a pointless task that will soon be out of date?
• Serve as evidence to be used against you later?

Could policies help….?

• Save you after you have already gotten into trouble?
• Attempt, however lamely, to keep you out of trouble
• Prove that, however obvious the trouble is, it is not your fault

Calling in the Experts

Did you know….?

• Seven out of ten attacks are from…

You may be wondering…

• Why develop and document IT policies, standards and technical directives?
• Is it really worth it? What’s in it for me?
• Who will pay for the resources thusly diverted?

COBIT Control Objectives - Overview

• PLAN AND ORGANISE - 10
• ACQUIRE AND IMPLEMENT - 7
• DELIVER AND SUPPORT - 13
• MONITOR AND EVALUATE - 4
• Total - 34

COBIT Control Objectives - PLAN AND ORGANISE

• PO1 Define a Strategic IT Plan
• PO2 Define the Information Architecture
• PO3 Determine Technological Direction
• PO4 Define the IT Processes, Organization and Relationships
• PO5 Manage the IT Investment
• PO6 Communicate Management Aims and Direction
• PO7 Manage IT Human Resources
• PO8 Manage Quality
• PO9 Assess and Manage IT Risks
• PO10 Manage Projects

COBIT Control Objectives - ACQUIRE AND IMPLEMENT

• AI1 Identify Automated Solutions
• AI2 Acquire and Maintain Application Software
• AI3 Acquire and Maintain Technology Infrastructure
• AI4 Enable Operation and Use
• AI5 Procure IT Resources
• AI6 Manage Changes
• AI7 Install and Accredit Solutions and Changes

COBIT Control Objectives - DELIVER AND SUPPORT

• DS1 Define and Manage Service Levels
• DS2 Manage Third-party Services
• DS3 Manage Performance and Capacity
• DS4 Ensure Continuous Service
• DS5 Ensure Systems Security
• DS6 Identify and Allocate Costs
• DS7 Educate and Train Users
• DS8 Manage Service Desk and Incidents
• DS9 Manage the Configuration
• DS10 Manage Problems
• DS11 Manage Data
• DS12 Manage the Physical Environment
• DS13 Manage Operations

COBIT Control Objectives - MONITOR AND EVALUATE

• ME1 Monitor and Evaluate IT Performance
• ME2 Monitor and Evaluate Internal Control
• ME3 Ensure Regulatory Compliance
• ME4 Provide IT Governance

COBIT Control Objectives - DS5 Ensure Systems Security

• DS5.1 Management of IT Security
• DS5.2 IT Security Plan
• DS5.3 Identity Management
• DS5.4 User Account Management
• DS5.5 Security Testing, Surveillance and Monitoring
• DS5.6 Security Incident Definition
• DS5.7 Protection of Security Technology
• DS5.8 Cryptographic Key Management
• DS5.9 Malicious SW Prevention, Detection, Correction
• DS5.10 Network Security
• DS5.11 Exchange of Sensitive Data

ISACA Standards, Guidelines & Procedures

• IS Guideline: G18 IT Governance
• IS Guideline: G20 Reporting
• IS Guideline: G21 Enterprise Resource Planning (ERP) Systems
• IS Guideline: G22 Business to Consumer (B2C) E-commerce
• IS Guideline: G23 System Development Life Cycle (SDLC)
• IS Guideline: G24 Internet Banking
• IS Guideline: G25 Review of Virtual Private Networks
• IS Guideline: G26 Business Process Reengineering (BPR) Project
• IS Guideline: G27 Mobile Computing
• IS Guideline: G28 Computer Forensics
• IS Guideline: G29 Post Implementation Review
• IS Guideline: G30 Competence
• IS Guideline: G31 Privacy
• IS Guideline: G32 Business Continuity Plan (BCP) - IT Perspective
• IS Guideline: G33 General Considerations on the Use of Internet
• IS Guideline: G34 Responsibility, Authority and Accountability
• IS Guideline: G35 Follow-up Activities

ISACA Standards, Guidelines & Procedures

• IS Guideline: G36 Biometric Controls
• IS Guideline: G38 Access Controls
• IS Guideline: G39 IT Organization
• IS Guideline: G40 Review of Security Management Practices
• IS Procedure: P01 IS Risk Assessment Measurement
• IS Procedure: P02 Digital Signatures
• IS Procedure: P03 Intrusion Detection
• IS Procedure: P04 Viruses and Other Malicious Logic
• IS Procedure: P05 Control Risk Self-assessment
• IS Procedure: P06 Firewalls
• IS Procedure: P07 Irregularities and Illegal Acts
• IS Procedure: P08 Security - Pen Testing/Vulnerability Analysis
• IS Procedure: P09 Mgt Controls Over Encryption Methodologies
• IS Procedure: P10 Business Application Change Control
• IS Procedure: P11 Electronic Funds Transfer (EFT)

Company A Process

• Over 50 subsidiaries
• Over 30,000 employees worldwide
• Over 12,000 employees in Boston area
• Over 250 IT Policy categories
• Over 500 Technical directives
• Periodic Advisory Board Review process

Company A Issues

• Who, specifically by name, is responsible for ensuring policies & standards are applied? (designated scapegoat)
• Need to break down policy categories into specific policy elements (1 policy becomes 100 policies)
• A policy begets formal training and training recordkeeping (applications unto themselves)

Company A Issues

• “Required,” “Recommended,” or “Highly Recommended?” (the shell game)
• Need to self-assess at the policy element level (a/k/a your new full-time job)

Mais conteúdo relacionado

Mais procurados

COBIT 2019 webinar Use Cases: Tailoring Governance of Your Enterprise IT
COBIT 2019 webinar Use Cases: Tailoring Governance of Your Enterprise ITCOBIT 2019 webinar Use Cases: Tailoring Governance of Your Enterprise IT
COBIT 2019 webinar Use Cases: Tailoring Governance of Your Enterprise IT
Mark Constable
 
ISO/IEC 27001:2022 – What are the changes?
ISO/IEC 27001:2022 – What are the changes?ISO/IEC 27001:2022 – What are the changes?
ISO/IEC 27001:2022 – What are the changes?
PECB
 

Mais procurados (20)

Understanding IT Governance and Risk Management
Understanding IT Governance and Risk ManagementUnderstanding IT Governance and Risk Management
Understanding IT Governance and Risk Management
 
NQA ISO 27001 Implementation Guide
NQA ISO 27001 Implementation GuideNQA ISO 27001 Implementation Guide
NQA ISO 27001 Implementation Guide
 
NIST Cybersecurity Framework (CSF) 2.0: What has changed?
NIST Cybersecurity Framework (CSF) 2.0: What has changed?NIST Cybersecurity Framework (CSF) 2.0: What has changed?
NIST Cybersecurity Framework (CSF) 2.0: What has changed?
 
Security architecture
Security architectureSecurity architecture
Security architecture
 
Security policy
Security policySecurity policy
Security policy
 
IT Security PowerPoint Presentation Slides
IT Security PowerPoint Presentation SlidesIT Security PowerPoint Presentation Slides
IT Security PowerPoint Presentation Slides
 
Use COBIT for IT SAVINGS
Use COBIT for IT SAVINGSUse COBIT for IT SAVINGS
Use COBIT for IT SAVINGS
 
Cobit
CobitCobit
Cobit
 
ISO/IEC 27701, GDPR, and ePrivacy: How Do They Map?
ISO/IEC 27701, GDPR, and ePrivacy: How Do They Map?ISO/IEC 27701, GDPR, and ePrivacy: How Do They Map?
ISO/IEC 27701, GDPR, and ePrivacy: How Do They Map?
 
IT Governance - Capability Assessment using COBIT 5
IT Governance - Capability Assessment using COBIT 5IT Governance - Capability Assessment using COBIT 5
IT Governance - Capability Assessment using COBIT 5
 
Introduction to COBIT 2019 and IT management
Introduction to COBIT 2019 and IT managementIntroduction to COBIT 2019 and IT management
Introduction to COBIT 2019 and IT management
 
Cybersecurity Frameworks for DMZCON23 230905.pdf
Cybersecurity Frameworks for DMZCON23 230905.pdfCybersecurity Frameworks for DMZCON23 230905.pdf
Cybersecurity Frameworks for DMZCON23 230905.pdf
 
COBIT 2019 webinar Use Cases: Tailoring Governance of Your Enterprise IT
COBIT 2019 webinar Use Cases: Tailoring Governance of Your Enterprise ITCOBIT 2019 webinar Use Cases: Tailoring Governance of Your Enterprise IT
COBIT 2019 webinar Use Cases: Tailoring Governance of Your Enterprise IT
 
ISO/IEC 27001:2022 – What are the changes?
ISO/IEC 27001:2022 – What are the changes?ISO/IEC 27001:2022 – What are the changes?
ISO/IEC 27001:2022 – What are the changes?
 
cobit 2019 presentation.pdf
cobit 2019 presentation.pdfcobit 2019 presentation.pdf
cobit 2019 presentation.pdf
 
Introduction to NIST Cybersecurity Framework
Introduction to NIST Cybersecurity FrameworkIntroduction to NIST Cybersecurity Framework
Introduction to NIST Cybersecurity Framework
 
Data classification-policy
Data classification-policyData classification-policy
Data classification-policy
 
Enterprise Security Architecture for Cyber Security
Enterprise Security Architecture for Cyber SecurityEnterprise Security Architecture for Cyber Security
Enterprise Security Architecture for Cyber Security
 
It governance & cobit 5
It governance & cobit 5It governance & cobit 5
It governance & cobit 5
 
RWDG Slides: A Complete Set of Data Governance Roles & Responsibilities
RWDG Slides: A Complete Set of Data Governance Roles & ResponsibilitiesRWDG Slides: A Complete Set of Data Governance Roles & Responsibilities
RWDG Slides: A Complete Set of Data Governance Roles & Responsibilities
 

Destaque

Information Technology policy
Information Technology policyInformation Technology policy
Information Technology policy
marindi
 
3.4 ict strategy
3.4 ict strategy3.4 ict strategy
3.4 ict strategy
mrmwood
 
Is awareness government
Is awareness governmentIs awareness government
Is awareness government
Hamisi Kibonde
 
1. security management practices
1. security management practices1. security management practices
1. security management practices
7wounders
 

Destaque (15)

3.5 ICT Policies
3.5 ICT Policies3.5 ICT Policies
3.5 ICT Policies
 
Information Technology policy
Information Technology policyInformation Technology policy
Information Technology policy
 
IT Policy
IT PolicyIT Policy
IT Policy
 
It Policies
It PoliciesIt Policies
It Policies
 
Sample IT Policy
Sample IT PolicySample IT Policy
Sample IT Policy
 
3.4 ict strategy
3.4 ict strategy3.4 ict strategy
3.4 ict strategy
 
Information Technology Policy for Corporates - Need of the Hour
Information Technology Policy for Corporates - Need of the Hour Information Technology Policy for Corporates - Need of the Hour
Information Technology Policy for Corporates - Need of the Hour
 
Ict policy planning and implementation issues
Ict policy planning and implementation issuesIct policy planning and implementation issues
Ict policy planning and implementation issues
 
Security Patterns How To Make Security Arch Easy To Consume
Security Patterns   How To Make Security Arch Easy To ConsumeSecurity Patterns   How To Make Security Arch Easy To Consume
Security Patterns How To Make Security Arch Easy To Consume
 
Is awareness government
Is awareness governmentIs awareness government
Is awareness government
 
1. security management practices
1. security management practices1. security management practices
1. security management practices
 
What are policies procedures guidelines standards
What are policies procedures guidelines standardsWhat are policies procedures guidelines standards
What are policies procedures guidelines standards
 
Super CISO 2020: How to Keep Your Job
Super CISO 2020: How to Keep Your JobSuper CISO 2020: How to Keep Your Job
Super CISO 2020: How to Keep Your Job
 
IT Governance
IT GovernanceIT Governance
IT Governance
 
CoBIT 5 (A brief Description)
CoBIT 5 (A brief Description)CoBIT 5 (A brief Description)
CoBIT 5 (A brief Description)
 

Semelhante a COBIT and IT Policy Presentation

Feb 26 NETP Slide Deck
Feb 26 NETP Slide DeckFeb 26 NETP Slide Deck
Feb 26 NETP Slide Deck
ddcomeau
 
ITS 833 – INFORMATION GOVERNANCEChapter 7Dr. Omar Mohamed.docx
ITS 833 – INFORMATION GOVERNANCEChapter 7Dr. Omar Mohamed.docxITS 833 – INFORMATION GOVERNANCEChapter 7Dr. Omar Mohamed.docx
ITS 833 – INFORMATION GOVERNANCEChapter 7Dr. Omar Mohamed.docx
vrickens
 
Marcos gobernabilidad-sin-mapa-v040811
Marcos gobernabilidad-sin-mapa-v040811Marcos gobernabilidad-sin-mapa-v040811
Marcos gobernabilidad-sin-mapa-v040811
faau09
 
Ciso round table on effective implementation of dlp & data security
Ciso round table on effective implementation of dlp & data securityCiso round table on effective implementation of dlp & data security
Ciso round table on effective implementation of dlp & data security
Priyanka Aash
 

Semelhante a COBIT and IT Policy Presentation (20)

Feb 26 NETP Slide Deck
Feb 26 NETP Slide DeckFeb 26 NETP Slide Deck
Feb 26 NETP Slide Deck
 
Fisher Practice Areas 2012
Fisher Practice Areas 2012Fisher Practice Areas 2012
Fisher Practice Areas 2012
 
Sensitel infrastructure optimization services
Sensitel infrastructure optimization servicesSensitel infrastructure optimization services
Sensitel infrastructure optimization services
 
20160426 AIIM16 CIP Preconference Briefing
20160426 AIIM16 CIP Preconference Briefing20160426 AIIM16 CIP Preconference Briefing
20160426 AIIM16 CIP Preconference Briefing
 
IT Governance – The missing compass in a technology changing world
 IT Governance – The missing compass in a technology changing world IT Governance – The missing compass in a technology changing world
IT Governance – The missing compass in a technology changing world
 
IT Security Guest Lecture
IT Security Guest LectureIT Security Guest Lecture
IT Security Guest Lecture
 
Falcon.io | 2021 Trends Virtual Summit - Data Privacy
Falcon.io | 2021 Trends Virtual Summit - Data PrivacyFalcon.io | 2021 Trends Virtual Summit - Data Privacy
Falcon.io | 2021 Trends Virtual Summit - Data Privacy
 
ITS 833 – INFORMATION GOVERNANCEChapter 7Dr. Omar Mohamed.docx
ITS 833 – INFORMATION GOVERNANCEChapter 7Dr. Omar Mohamed.docxITS 833 – INFORMATION GOVERNANCEChapter 7Dr. Omar Mohamed.docx
ITS 833 – INFORMATION GOVERNANCEChapter 7Dr. Omar Mohamed.docx
 
AI in the Enterprise
AI in the EnterpriseAI in the Enterprise
AI in the Enterprise
 
IT Governance
IT GovernanceIT Governance
IT Governance
 
DataEd Slides: Leveraging Data Management Technologies
DataEd Slides: Leveraging Data Management TechnologiesDataEd Slides: Leveraging Data Management Technologies
DataEd Slides: Leveraging Data Management Technologies
 
7 Habits of Highly Secure Organizations
7 Habits of Highly Secure Organizations7 Habits of Highly Secure Organizations
7 Habits of Highly Secure Organizations
 
How Facility Controls Systems Present Cybersecurity Challenges - OSIsoft
How Facility Controls Systems Present Cybersecurity Challenges - OSIsoftHow Facility Controls Systems Present Cybersecurity Challenges - OSIsoft
How Facility Controls Systems Present Cybersecurity Challenges - OSIsoft
 
Marcos gobernabilidad-sin-mapa-v040811
Marcos gobernabilidad-sin-mapa-v040811Marcos gobernabilidad-sin-mapa-v040811
Marcos gobernabilidad-sin-mapa-v040811
 
Rothke Computer Forensics Show 2010 Deployment Strategies For Effective E...
Rothke   Computer Forensics Show 2010   Deployment Strategies For Effective E...Rothke   Computer Forensics Show 2010   Deployment Strategies For Effective E...
Rothke Computer Forensics Show 2010 Deployment Strategies For Effective E...
 
093049ov4.pptx
093049ov4.pptx093049ov4.pptx
093049ov4.pptx
 
Tech Refresh - Ambient Computing and the IT "new normal"
Tech Refresh - Ambient Computing and the IT "new normal"Tech Refresh - Ambient Computing and the IT "new normal"
Tech Refresh - Ambient Computing and the IT "new normal"
 
Data- and database security & GDPR: end-to-end offer
Data- and database security & GDPR: end-to-end offerData- and database security & GDPR: end-to-end offer
Data- and database security & GDPR: end-to-end offer
 
Ciso round table on effective implementation of dlp & data security
Ciso round table on effective implementation of dlp & data securityCiso round table on effective implementation of dlp & data security
Ciso round table on effective implementation of dlp & data security
 
Automating Policy Compliance and IT Governance
Automating Policy Compliance and IT GovernanceAutomating Policy Compliance and IT Governance
Automating Policy Compliance and IT Governance
 

Mais de Sarah Cortes (7)

State Laws On Smart Grid And Electricity Delivery
State Laws On Smart Grid And Electricity DeliveryState Laws On Smart Grid And Electricity Delivery
State Laws On Smart Grid And Electricity Delivery
 
Sarah Cortes MA data breach law Testimony Sept 22 2009
Sarah Cortes MA data breach law Testimony Sept 22 2009Sarah Cortes MA data breach law Testimony Sept 22 2009
Sarah Cortes MA data breach law Testimony Sept 22 2009
 
Social Media
Social MediaSocial Media
Social Media
 
PMP Class And Exam Prep
PMP Class And Exam PrepPMP Class And Exam Prep
PMP Class And Exam Prep
 
Usability And Project Management
Usability And Project ManagementUsability And Project Management
Usability And Project Management
 
Privacy And Surveillance
Privacy And SurveillancePrivacy And Surveillance
Privacy And Surveillance
 
Opensource Presentation
Opensource PresentationOpensource Presentation
Opensource Presentation
 

Último

Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Victor Rentea
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 

Último (20)

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 

COBIT and IT Policy Presentation

  • 1. IT Policies, Standards and Technical Directives Sarah Cortes, PMP, CISA www.inmantechnologyIT.com Sarah’s blog: SecurityWatch Sarah’s ITtechEx column twitter: SecuritySpy LinkedIn: Sarah Cortes 07/19/09 Copyright 2009 Sarah Cortes 1
  • 2. IT Policies, Standards and Technical Directives Agenda  Who are we?  Purpose?  Standards Frameworks  COBIT Framework  ISACA Framework  Case Study 07/19/09 Copyright 2009 Sarah Cortes 2
  • 3. Sarah Cortes, PMP, CISA  Clients: • Harvard University • Biogen • Fidelity  Professional Associations: • Sarah is a member of the AIM Advisory Board on Data Privacy Laws to the Massachusetts Legislature  Practice expertise • Complex Application Development/Implementation • IT Security/Privacy/Risk Management/Audit Management • Data Center Operations Management • Disaster Recovery/High Availability • Program/Project Management  Background • SVP in charge of Security, DR, IT Audit, and some Data Center Operations at Putnam Investments • As head of DR, ran Putnam's failover during 9/11 when parent Marsh McLennan failed over to our facility from the World Trade Center 99th floor data center • Coordinated over 65 audits per year • Previously ran major applications development for Trading/Analytics Systems 07/19/09 Copyright 2009 Sarah Cortes 3
  • 4. IT Policies, Standards and Technical Directives Standards Overview  ISO/IEC 27000 - International Organization for Standardization/International Electrotechnical Commission  ITIL – Information Technology Infrastructure Library  NIST - National Institute of Standards and Technology  PMBOK – Project Management Body of Knowledge  TOGAF - The Open Group Architecture Framework  CMMI for Development - Capability Maturity Model Integration  SEI’s CMM (Capability Maturity Model) for SW  (US DoD) Software Engineering Institute  COBIT - Control Objectives for Information & related Technology  Information Systems Audit and Control Association 07/19/09 Copyright 2009 Sarah Cortes 4
  • 5. IT Policies, Standards and Technical Directives Is the Purpose to…?  Drive you crazy?  Waste your precious resources in a pointless task that will soon be out of date?  Serve as evidence to be used against you later? 07/19/09 Copyright 2009 Sarah Cortes 5
  • 6. IT Policies, Standards and Technical Directives Could policies help….?  Save you after you have already gotten into trouble?  Attempt, however lamely, to keep you out of trouble  Prove that, however obvious the trouble is, it is not your fault 07/19/09 Copyright 2009 Sarah Cortes 6
  • 7. IT Policies, Standards and Technical Directives Calling in the Experts 07/19/09 Copyright 2009 Sarah Cortes 7
  • 8. IT Policies, Standards and Technical Directives Did you know….?  Seven out of ten attacks are from… 07/19/09 Copyright 2009 Sarah Cortes 8
  • 9. IT Policies, Standards and Technical Directives You may be wondering…  Why develop and document IT policies, standards and technical directives?  Is it really worth it? What’s in it for me?  Who will pay for the resources thusly diverted? 07/19/09 Copyright 2009 Sarah Cortes 9
  • 10. IT Policies, Standards and Technical Directives COBIT Control Objectives - Overview • PLAN AND ORGANISE - 10 • ACQUIRE AND IMPLEMENT - 7 • DELIVER AND SUPPORT - 13 • MONITOR AND EVALUATE – 4 • Total - 34 07/19/09 Copyright 2009 Sarah Cortes 10
  • 11. IT Policies, Standards and Technical Directives COBIT Control Objectives - PLAN AND ORGANISE  PO1 Define a Strategic IT Plan  PO2 Define the Information Architecture  PO3 Determine Technological Direction  PO4 Define the IT Processes, Organization and Relationships  PO5 Manage the IT Investment  PO6 Communicate Management Aims and Direction  PO7 Manage IT Human Resources  PO8 Manage Quality  PO9 Assess and Manage IT Risks  PO10 Manage Projects 07/19/09 Copyright 2009 Sarah Cortes 11
  • 12. IT Policies, Standards and Technical Directives COBIT Control Objectives - ACQUIRE AND IMPLEMENT  AI1 Identify Automated Solutions  AI2 Acquire and Maintain Application Software  AI3 Acquire and Maintain Technology Infrastructure  AI4 Enable Operation and Use  AI5 Procure IT Resources  AI6 Manage Changes  AI7 Install and Accredit Solutions and Changes 07/19/09 Copyright 2009 Sarah Cortes 12
• 13. COBIT Control Objectives - DELIVER AND SUPPORT
   •   DS1 Define and Manage Service Levels
   •   DS2 Manage Third-party Services
   •   DS3 Manage Performance and Capacity
   •   DS4 Ensure Continuous Service
   •   DS5 Ensure Systems Security
   •   DS6 Identify and Allocate Costs
   •   DS7 Educate and Train Users
   •   DS8 Manage Service Desk and Incidents
   •   DS9 Manage the Configuration
   •   DS10 Manage Problems
   •   DS11 Manage Data
   •   DS12 Manage the Physical Environment
   •   DS13 Manage Operations
• 14. COBIT Control Objectives - MONITOR AND EVALUATE
   •   ME1 Monitor and Evaluate IT Performance
   •   ME2 Monitor and Evaluate Internal Control
   •   ME3 Ensure Regulatory Compliance
   •   ME4 Provide IT Governance
• 15. COBIT Control Objectives - DS5 Ensure Systems Security
   •   DS5.1 Management of IT Security
   •   DS5.2 IT Security Plan
   •   DS5.3 Identity Management
   •   DS5.4 User Account Management
   •   DS5.5 Security Testing, Surveillance and Monitoring
   •   DS5.6 Security Incident Definition
   •   DS5.7 Protection of Security Technology
   •   DS5.8 Cryptographic Key Management
   •   DS5.9 Malicious SW Prevention, Detection, Correction
   •   DS5.10 Network Security
   •   DS5.11 Exchange of Sensitive Data
• 16. ISACA Standards, Guidelines & Procedures
   •   IS Guideline: G18 IT Governance
   •   IS Guideline: G20 Reporting
   •   IS Guideline: G21 Enterprise Resource Planning (ERP) Systems
   •   IS Guideline: G22 Business to Consumer (B2C) E-commerce
   •   IS Guideline: G23 System Development Life Cycle (SDLC)
   •   IS Guideline: G24 Internet Banking
   •   IS Guideline: G25 Review of Virtual Private Networks
   •   IS Guideline: G26 Business Process Reengineering (BPR) Project
   •   IS Guideline: G27 Mobile Computing
   •   IS Guideline: G28 Computer Forensics
   •   IS Guideline: G29 Post Implementation Review
   •   IS Guideline: G30 Competence
   •   IS Guideline: G31 Privacy
   •   IS Guideline: G32 Business Continuity Plan (BCP) - IT Perspective
   •   IS Guideline: G33 General Considerations on the Use of Internet
   •   IS Guideline: G34 Responsibility, Authority and Accountability
   •   IS Guideline: G35 Follow-up Activities
• 17. ISACA Standards, Guidelines & Procedures (continued)
   •   IS Guideline: G36 Biometric Controls
   •   IS Guideline: G38 Access Controls
   •   IS Guideline: G39 IT Organization
   •   IS Guideline: G40 Review of Security Management Practices
   •   IS Procedure: P01 IS Risk Assessment Measurement
   •   IS Procedure: P02 Digital Signatures
   •   IS Procedure: P03 Intrusion Detection
   •   IS Procedure: P04 Viruses and Other Malicious Logic
   •   IS Procedure: P05 Control Risk Self-assessment
   •   IS Procedure: P06 Firewalls
   •   IS Procedure: P07 Irregularities and Illegal Acts
   •   IS Procedure: P08 Security - Pen Testing/Vulnerability Analysis
   •   IS Procedure: P09 Mgt Controls Over Encryption Methodologies
   •   IS Procedure: P10 Business Application Change Control
   •   IS Procedure: P11 Electronic Funds Transfer (EFT)
• 18. Company A Process
   •   Over 50 subsidiaries
   •   Over 30,000 employees worldwide
   •   Over 12,000 employees in Boston area
   •   Over 250 IT Policy categories
   •   Over 500 Technical directives
   •   Periodic Advisory Board Review process
• 19. Company A Issues
   •   Who, specifically by name, is responsible for ensuring policies & standards are applied? (designated scapegoat)
   •   Need to break down policy categories into specific policy elements (1 policy becomes 100 policies)
   •   A policy begets formal training and training recordkeeping (applications unto themselves)
• 20. Company A Issues (continued)
   •   “Required,” “Recommended,” or “Highly Recommended?” (the shell game)
   •   Need to self-assess at the policy element level (a/k/a your new full-time job)