IT GRC
INTRODUCTION
Information technology has a tremendous impact on the discipline of accounting by introducing new ways of retrieving and processing information about performance deviations and control effectiveness. It allows organizational controls to be managed by analyzing value drivers for particular accounting information systems; this commonly runs under the label of governance, risk management and compliance information systems (GRC IS). Information systems such as enterprise resource planning systems separate financial from non-financial data and therefore enable better financial accounting. On the other hand, they provide new potential for management control as “data become accurate, shareable and available to many different parties but does hardly create the panoptic dreams of visibility and action at a distance”.
Governance
The process by which policy is set and decision making is executed. Governance is the set of policies, laws, culture, and institutions that define how an organization should be managed.
Risk management
• The process for preventing an unacceptable level of uncertainty in business objectives with a balance of avoidance through reconsideration of objectives, mitigation through the application of controls, transfer through insurance and acceptance through governance mechanisms. It is also the process to ensure that important business processes and behaviors remain within the tolerances associated with policies and decisions set through the governance process. Risk management consists of coordinated activities that direct and control an organization in forecasting and managing events/risks that might have a negative impact on the business.
Compliance
The process of adherence to policies and decisions. Policies can be derived from internal directives, procedures and requirements, or from external laws, regulations, standards and agreements. Compliance is the act of adhering to regulations as well as to corporate policies and procedures.
• Create and distribute policies and controls and map them to regulations and internal compliance requirements.
• Assess whether the controls are actually in place and working, and fix them if they are not.
• Ease risk assessment and mitigation.
• IT GRC provides coordination and standardization of policies and controls.
• Automate information gathering.
• It enables enterprises to rapidly adapt to change.
• Governance
• Enterprise risk management and assessment
• Board compliance capabilities such as options policy compliance, ethics and policy compliance, etc.
• Business performance reporting such as balanced scorecards, risk scorecards, operational controls dashboards, etc.
• Policy management, documentation and communication
• Risk assessment
• Risk analysis and prioritization
• Root cause analysis of issues and mitigation
• Risk analytics and trend analysis
• Flexible controls hierarchy
• Assessments and audits
• Issues tracking and remediation
• Analytics
Importance of IT-GRC
• An improvement in the quality and availability of information;
• A reduction in breaches and errors;
• A reduction in costs and greater efficiencies;
• A more flexible and externally focused workforce capable of rapid change to meet customer and organizational needs;
• Greater assurance for the organization, its board and senior management that GRC issues are being appropriately dealt with and the organization remains “on target” with its performance objectives; and
• Improved levels of communication across the organization.
BUSINESS IS MORE DEPENDENT ON IT
• The IT environment is more complex.
• Less time between IT failures and organizational impact.
• Increase in threats related to IT.
• Increase in regulations, standards and controls.
IT GRC Challenges
• Mapping the policies and control
• Audit fatigue
• Security exposure
• Redundancy and inefficiency
Other Challenges
• A perception by staff that the initiative may have an ulterior
motive, for example a cost recovery drive or head count
reduction.
• Business unit managers or middle management are fearful of
being marginalized as GRC responsibilities are devolved to
those in lower levels of the hierarchy.
• Organizations are sometimes skeptical regarding the targeting
and measurement systems proposed and are concerned that
there will not ultimately be an appropriate return on
investment given the establishment and maintenance costs
involved.
• Corporate cynicism and skepticism around the outcomes and
results achieved from past planned organizational change
(and management “fads” generally).
Factors to be considered at the time of implementation of IT GRC
• Strategy
• Reporting and audit
• Legal function
• Information technology
• Ethics and corporate social responsibility
• Corporate culture
• Business process management
Information system audit standards
Introduction
Information systems auditing involves using technical tools and expertise to evaluate the adequacy and effectiveness of information systems in an organization. Further, it involves working with management to identify weak controls and risks which arise due to the application of technology in a business. It also suggests ways to enhance these weak controls to increase the reliability of IS, which will help an organization to achieve its strategic objectives.
Meaning
Information systems audit is a process to collect and evaluate evidence to determine whether the information systems safeguard assets, maintain data integrity, achieve organizational goals effectively and consume resources efficiently.
The common element between any manual audit and an IS audit is data integrity. All types of audits (information audits) have to evaluate data integrity. Since IS audit involves efficiency and effectiveness, it includes some elements of management and proprietary audit too.
IS auditing methodology
• Step 1: Define the objectives of the audit.
• Step 2: Obtain a basic understanding of the systems and the flow of transactions.
• Step 3: Gather detailed information.
• Step 4: Search for exposures that exist under the system and suggest controls to eliminate the exposure.
• Step 5: Define auditing procedures to verify the controls.
• Step 6: Perform audit tests using various techniques and tools.
• Step 7: Evaluate the findings.
• Step 8: Generate the report.
Scope of IS audit
• Data
• Application systems
• Technology
• Facilities
• People
Elements of IS audit
Exposures
Causes
Controls
Physical and environmental review
System administration review
Application software review
Network security review
Business continuity review
Data integrity review
Need for IS audit
• Confidentiality
• Integrity
• Availability
• Reliability
Categories of IS audits
• Systems and applications
• Information processing facilities
• Systems development
• Management of IT and enterprise architecture
• Telecommunications intranets and extranets
Information Security and management standard
Meaning
Information security relates to the physical and logical protection of data or information recorded, processed, shared, transmitted or received in an electronic form. The protection is provided against loss, inaccessibility, alteration, or unauthorized disclosure. It is achieved through physical safeguards such as locks, security guards and insurance, and logical safeguards such as user identifiers, passwords and firewalls.
Information security
• Meaning: It is the practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.
• Definition: “Information security is the process of protecting the intellectual property of an organization.”
• IT security: it is also referred to as computer security. A computer is any device with a processor and some memory; such devices range from non-networked standalone devices as simple as a calculator to networked mobile computing devices such as smartphones and tablets. IT security is mainly used in major enterprise establishments due to the nature and value of the data within larger businesses.
Information assurance
• The act of ensuring that data is not lost when critical issues arise. These issues include but are not limited to natural disasters, computer or server malfunction, physical theft or any other instance where data has the potential of being lost.
Threats
Computer system threats come in many different forms. Some of the most common threats today are software attacks, theft of intellectual property, identity theft, and theft of equipment or information.
Key concept of information security
Confidentiality
Integrity
Availability
Risk management
“Risk management is the process of identifying vulnerabilities and threats to the information resources.”
Control
Selecting proper controls and implementing them will initially help an organization to bring down risk to an acceptable level. Control selection should follow and be based on the risk assessment. Controls can vary in nature, but fundamentally they are ways of protecting confidentiality.
Types of control are:
• Administrative control
• Logical control
• Physical control
Security organization structure
1. Information security forum (ISF)
2. Information security management group
(ISMG)
3. Assistant group security officer (AGSO)
4. System owner
5. Personal security officer (PSO)
6. Line manager
7. Users
Standards For Information Security
The International Organization for Standardization (ISO), established in 1947, is a non-governmental international body that collaborates with the International Electrotechnical Commission (IEC) on standards. The following are commonly referenced ISO security standards.
Introduction to ISO 27001
ISO 27001 is a specification for
creating an ISMS. It does not mandate
specific actions, but includes suggestions
for documentation, internal audits,
continual improvement, and corrective and
preventive action.
Framework of ISO 27001
Implementation of ISO 27001 is an ideal response to legal requirements and potential security threats such as:
• Vandalism/Terrorism
• Fire
• Misuse
• Theft
• Viral attack
Features of ISO 27001
• Adopts the PDCA (Plan-Do-Check-Act) model.
• Adopts a process approach.
• Identifies and manages activities so that they function effectively.
• Stresses continual process improvement.
• Scope covers information security, not only IT security.
• Focused on people, process and technology.
• Combination of management controls, operational controls and technical controls.
Benefits of ISMS (ISO 27001) certification:
• An independent framework that takes account of all legal and regulatory requirements.
• Helps provide a competitive edge to the company.
• Helps to identify and meet contractual and regulatory requirements.
• Independently verifies that risks to the company are properly identified and managed.
• Demonstrates to customers that the security of their information is taken seriously.
CONTROL OBJECTIVES FOR INFORMATION AND RELATED TECHNOLOGY (COBIT)
INTRODUCTION:
COBIT was first released in 1996; the current version, COBIT 5, was published in 2012. Its mission is “to research, develop, publish and promote an authoritative, up-to-date, international set of generally accepted information technology control objectives for day-to-day use by business managers, IT professionals and assurance professionals.”
The framework provides good practices across a domain and process framework: “The business orientation of COBIT consists of linking business goals to IT goals, providing metrics and maturity models to measure their achievement and identifying the associated responsibilities of business and IT process owners.”
COBIT is a framework of generally applicable information systems security and control. The framework allows:
1) Benchmarking of the security and control arrangement.
2) Auditors to review internal controls and advise on IT security matters.
3) Users of IT services to be assured that adequate security and control exist.
The framework addresses the issue of control from three vantage points:
IT Processes
Controls are required to be implemented in all the processes, which are broken into four domains:
• Planning and organization
• Acquisition and implementation
• Delivery and support
• Monitoring
Business objectives
To satisfy business objectives, information must satisfy some criteria that COBIT refers to as business requirements for information. The criteria are divided into seven categories:
• Effectiveness
• Efficiency
• Confidentiality
• Integrity
• Availability
• Compliance
• Reliability
IT RESOURCES
Controls to protect the IT resources must be developed; these resources include:
• People
• Application systems
• Hardware devices
• Facilities and data
• Security controls
Advantages of COBIT
I. COBIT is aligned with other standards and best practices and should be used together with them.
II. Its framework and supporting best practices provide a well-managed and flexible IT environment in an organization.
III. COBIT provides a control environment that is responsive to business needs and serves management and audit functions in terms of their control responsibilities.
IV. It provides tools to help manage IT activities.
COBIT has five IT governance areas of concentration
1) Strategic alignment focuses on ensuring the linkage of business and IT plans; defining, maintaining and validating the IT value proposition; and aligning IT operations with enterprise operations.
2) Value delivery is about executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimizing costs and providing the intrinsic value of IT.
3) Resource management is about the optimum investment in, and proper management of, critical IT resources: applications, information, infrastructure and people.
4) Risk management requires a clear understanding of the enterprise’s appetite for risk, understanding of compliance requirements, and transparency into the organization.
5) Performance measurement tracks and monitors strategy implementation, project completion, resource usage, process performance and service delivery, for example through balanced scorecards that translate strategy into action to achieve goals measurable beyond conventional accounting.
Health Insurance Portability And Accountability Act (HIPAA)
Introduction
• The health insurance portability and
accountability act (HIPAA) became law in
1996. The purpose of the HIPAA is to improve
the efficiency and effectiveness of healthcare
transactions by standardizing the exchange of
administrative and financial data, as well as
protecting the privacy and security of
individual health information that is
maintained or transmitted.
• HIPAA imposes stringent privacy and security
requirements on health plans, healthcare
providers, and healthcare clearinghouses
that maintain and/or transmit individual
health information in electronic form. The
term “healthcare provider” includes
individual physicians, physician group
practices, dentists, other healthcare
practitioners, hospitals, and nursing facilities.
Specific objectives of the regulations are:
• Standardizing the format and content of primary
commercial and administrative electronic
healthcare transactions.
• Developing standards to protect confidential
patient information from improper use or
disclosure and establishing patients rights to
control such uses.
• Developing standards for computer systems and
networks to ensure the security, integrity, and
availability of patient data.
HIPAA is also known as a public law. The Act has five top-level titles:
• Title 1. Health access, portability, and renewability.
• Title 2. Preventing health care fraud and abuse (administrative simplification), which includes: (1) transactions and code sets, (2) identifiers, (3) privacy, (4) security.
• Title 3. Tax-related health provisions (medical savings accounts and health insurance tax deductions for self-employed individuals).
• Title 4. Group health plan provisions.
• Title 5. Revenue offset provisions.
HIPAA Transaction And Codes
• HIPAA is named for its contribution to portability of
insurance and accountability for insurance claims.
The administrative simplification section of HIPAA
requires the standardization of identifiers, code
sets and, transactions. HIPAA provides various
limits to the exclusions that insurers may use,
provides credit for past insurance, and attempts to
assure that insurance can be purchased. As stated
previously, HIPAA ensures only that insurance is
available, not that it is inexpensive.
The Security Rule:
• The Security Rule lays out three types of security safeguards required for compliance: administrative, physical, and technical. For each of these types, the rule identifies various security standards, and for each standard, it names both required and addressable implementation specifications. Required specifications must be adopted and administered as dictated by the rule.
The Standards And Specifications Are
As Follows:
• Covered entities must adopt a written set of privacy
procedures and designate a privacy officer to be
responsible for developing and implementing all
required policies and procedures.
• The policies and procedures must reference management oversight and organizational buy-in to compliance with the documented security controls.
• Procedures should clearly identify employees or classes
of employees who will have access to protected health
information (PHI).
• The procedures must address access authorization,
establishment, modification, and termination
• A contingency plan should be in place for
responding to emergencies.
• Internal audits play a key role in HIPAA compliance
by reviewing operations with the goal of identifying
potential security violations.
• Procedures should document instructions for
addressing and responding to security breaches
that are identified either during the audit or the
normal course of operations.
Technical Safeguards:
• Controlling access to computer systems and
enabling covered entities to protect
communications containing PHI transmitted
electronically over open networks from being
intercepted by anyone other than the intended
recipient.
• Information systems housing PHI must be
protected from intrusion. When information flows
over open networks, some form of encryption must
be utilized.
• Each covered entity is responsible for ensuring that
the data within its systems has not been changed
or erased in an unauthorized manner.
• Data corroboration, including the use of checksums, double-keying, message authentication, and digital signatures, may be used to ensure data integrity.
• Covered entities must also authenticate the entities they communicate with; authentication methods include password systems, two- or three-way handshakes, telephone call-back, and token systems.
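The technical safeguards above list checksums and message authentication side by side, but they are not interchangeable integrity controls. The added example below (not from the original slides; the record fields, the CRC32 checksum, the HMAC-SHA-256 tag and the shared key are all constructed for illustration) compares the two on a PHI record modified in transit: an unkeyed checksum only catches accidental corruption, because anyone who can alter the record can also recompute the checksum, whereas a keyed MAC cannot be recomputed without the shared key, so the receiver detects the change.

```python
"""Integrity verification of a PHI record in transit: checksum vs. HMAC.

Added example, not part of the original slides. The record layout, the field
names and the shared key are constructed assumptions; in practice the key would
come from the covered entity's key management process.
"""
import hashlib
import hmac
import json
import zlib

# Constructed sample record and shared key (illustration only).
SAMPLE_RECORD = {"patient_id": "P-0001", "dob": "1970-01-01", "diagnosis_code": "E11.9"}
SHARED_KEY = b"example-shared-key-do-not-use"


def canonical_bytes(record: dict) -> bytes:
    """Serialize deterministically so sender and receiver tag the same bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def checksum_tag(record: dict) -> str:
    """Unkeyed integrity check (CRC32): detects accidental corruption only."""
    return format(zlib.crc32(canonical_bytes(record)) & 0xFFFFFFFF, "08x")


def mac_tag(record: dict, key: bytes) -> str:
    """Keyed message authentication code (HMAC-SHA-256) over the record."""
    return hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()


def verify_checksum(record: dict, tag: str) -> bool:
    # Constant-time comparison avoids leaking how many tag characters matched.
    return hmac.compare_digest(checksum_tag(record), tag)


def verify_mac(record: dict, tag: str, key: bytes) -> bool:
    return hmac.compare_digest(mac_tag(record, key), tag)


def tampering_demo() -> dict:
    """Compare both mechanisms against an accidental and a deliberate change."""
    sent_checksum = checksum_tag(SAMPLE_RECORD)
    sent_mac = mac_tag(SAMPLE_RECORD, SHARED_KEY)

    # Constructed scenario: the diagnosis code is altered between sender and receiver.
    modified = dict(SAMPLE_RECORD, diagnosis_code="Z00.0")

    # Accidental corruption leaves the original tag untouched: both checks fail verification.
    checksum_catches_accident = not verify_checksum(modified, sent_checksum)
    mac_catches_accident = not verify_mac(modified, sent_mac, SHARED_KEY)

    # Deliberate modification where the tag is recomputed over the altered record:
    # the checksum needs no secret, so it verifies; the HMAC cannot be recomputed
    # without SHARED_KEY, so a tag made with any other key fails verification.
    recomputed_checksum = checksum_tag(modified)
    checksum_catches_deliberate = not verify_checksum(modified, recomputed_checksum)
    forged_mac = mac_tag(modified, b"some-other-key")
    mac_catches_deliberate = not verify_mac(modified, forged_mac, SHARED_KEY)

    return {
        "checksum_catches_accident": checksum_catches_accident,
        "mac_catches_accident": mac_catches_accident,
        "checksum_catches_deliberate": checksum_catches_deliberate,
        "mac_catches_deliberate": mac_catches_deliberate,
    }


if __name__ == "__main__":
    for name, caught in tampering_demo().items():
        print(f"{name}: {caught}")
```

Running the block shows the checksum failing only the deliberate case; the MAC catches both. A digital signature (also named on the slide) gives the same tamper detection without a shared secret, at the cost of key-pair management.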
Physical safeguards:
• Controlling physical access to protect against
inappropriate access to protected data
• Controls must govern the introduction and
removal of hardware and software from the
network.
• Access to equipment containing health
information should be carefully controlled and
monitored.
• Access to hardware and software must be
limited to properly authorized individuals.
STATEMENT OF AUDITING STANDARDS FOR SERVICE ORGANISATIONS
Introduction
Statement on Auditing Standards No. 70: Service Organizations, commonly abbreviated as SAS 70, is an auditing statement issued by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA), officially titled “Reports on the Processing of Transactions by Service Organizations”. SAS 70 defines the professional standards used by a service auditor to assess the internal control of a service organization and issue a service auditor’s report.
Meaning of SAS 70
SAS 70 (the Statement on Auditing Standards No. 70) defines the standards an auditor must employ in order to assess the contracted internal controls of a service organization. Service organizations, such as hosted data centers, insurance claims processors and credit processing companies, provide outsourced services that affect the operation of the contracting enterprise.
Under SAS 70, service auditor reports are classified as either Type I or Type II. In a Type I report the auditor evaluates the efforts of a service organization at the time of audit to prevent accounting inconsistencies, errors and misrepresentation. The auditor also evaluates the likelihood that those efforts will produce the desired future results. A Type II report includes the same information as that contained in a Type I report; in addition, the auditor attempts to determine the effectiveness of agreed-on controls since their implementation. Type II reports also incorporate data compiled during a specific time period, usually a minimum of six months.
CHARACTERISTICS OF THE STATEMENT OF AUDITING STANDARDS FOR SERVICE ORGANIZATIONS
1. Statement on Auditing Standards (SAS) No. 70, Service Organizations, is an internationally recognized auditing standard developed by the American Institute of Certified Public Accountants (AICPA).
2. SAS 70 provides guidance to enable an independent auditor (“service auditor”) to issue an opinion on a service organization’s description of controls through a Service Auditor’s Report.
3. Service auditors are required to follow the AICPA’s standards for fieldwork, quality control, and reporting.
4. A formal report including the auditor’s opinion (“Service Auditor’s Report”) is issued to the service organization at the conclusion of a SAS 70 examination.
5. A SAS 70 examination is not a “checklist” audit. SAS No. 70 is generally applicable when an auditor (“user auditor”) is auditing the financial statements of an entity (“user organization”) that obtains services from another organization (“service organization”). Service organizations that provide such services could be application service providers, bank trust departments, claims processing centers, Internet data centers, or other data processing service bureaus.
6. A SAS 70 audit or service auditor’s examination is widely recognized, because it represents that a service organization has been through an in-depth audit of its control activities, which generally include controls over information technology and related processes.
Type I and Type II audit standards
Type I SAS 70 audits give an opinion on controls that are in place as of a date in time. The opinion deals with the fairness of presentation of the controls and the design of the controls in terms of their ability to meet defined control objectives. Since these reports only provide assurance over a single day, they are of limited value to third parties.
Type II SAS 70 audits give an opinion on controls that were in place over a period of time, which is typically a period of six months or more. The opinion deals with the fairness of presentation of the controls, the design of the controls in terms of their ability to meet defined control objectives, and the operational effectiveness of those controls over the defined period. Third parties are better able to rely on these reports since verification is provided regarding these matters for a substantial period of time.
Benefits to the service organization
1. A service auditor’s report ensures that all user organizations and their auditors have access to the same information, and in many cases this will satisfy the user auditor’s requirements.
2. SAS 70 engagements are generally performed by control-oriented professionals who have experience in accounting, auditing, and information security.
3. A service auditor’s report with an unqualified opinion that is issued by an independent accounting firm differentiates the service organization from its peers by demonstrating the establishment of effectively designed control objectives and control activities.
4. A SAS 70 engagement allows a service organization to have its control policies and procedures evaluated and tested (in the case of a Type II engagement) by an independent party.
5. A service auditor’s report also helps a service organization build trust with its user organizations (i.e. customers).
CAPABILITY MATURITY MODEL (CMM)
INTRODUCTION:
The CMM was developed from 1984 by Watts Humphrey and the Software Engineering Institute (SEI). The SEI is a part of Carnegie Mellon University. The work was funded, and continues to be funded, by the Department of Defense (DoD), which was originally looking for ways to compare and measure the various contractors that were developing software for the DoD.
Meaning:
“A Capability Maturity Model (CMM) is a formal archetype of the levels through which an organization evolves as it defines, implements, measures, controls and improves its processes in a particular area of operation. It thus enables the organization to consciously choose a certain target level of maturity and then to work towards that level.”
Definition:
“The definition implies that the CMM concept is mainly applicable to organizational processes, such as development processes or business processes. This process orientation underlies the model described in this paper and thus with knowledge within the framework of business processes.”
PROCESS OF CAPABILITY MATURITY MODEL (CMM)
• Initial maturity level
• Repeatable maturity level
• Defined maturity level
• Managed maturity level
• Optimizing maturity level
INITIAL MATURITY LEVEL
The software process is characterized as inconsistent and occasionally even chaotic. Defined processes and standard practices that exist are abandoned during a crisis. Success of the organization depends largely on individual effort, talent and heroics. The heroes eventually move on to other organizations, taking their wealth of knowledge and lessons learnt with them.
REPEATABLE MATURITY LEVEL
A software development organization at this level has basic and consistent project management processes to track cost, schedule and functionality. The process is in place to repeat earlier successes on projects with similar applications. Program management is a key characteristic of a level two organization.
DEFINED MATURITY LEVEL
The software process for both management and engineering activities is documented, standardized and integrated into a standard software process for the entire organization, and all projects across the organization use an approved, tailored version of the organization’s standard software process for developing, testing and maintaining the application.
MANAGED MATURITY LEVEL
Management can effectively control the software development effort using precise measurements. At this level, the organization sets quantitative quality goals for both the software process and software maintenance. At this maturity level, the performance of processes is controlled using statistical and other quantitative techniques and is quantitatively predictable.
OPTIMIZING MATURITY LEVEL
The key characteristic of this level is a focus on continually improving process performance through both incremental and innovative technological improvements. At this level, changes to the process are made to improve process performance while at the same time maintaining the statistical probability of achieving the established quantitative process-improvement objectives.
The Evaluation Checklistwmartz
 
Corporate compliance powerpoint
Corporate compliance powerpointCorporate compliance powerpoint
Corporate compliance powerpointsmcmanus3
 

Destaque (11)

Fix nix, inc
Fix nix, incFix nix, inc
Fix nix, inc
 
jComply grc_platform_v1.0
jComply grc_platform_v1.0jComply grc_platform_v1.0
jComply grc_platform_v1.0
 
FulcrumWay - Ed. Webinar - Identify and Eliminate False Positives from your S...
FulcrumWay - Ed. Webinar - Identify and Eliminate False Positives from your S...FulcrumWay - Ed. Webinar - Identify and Eliminate False Positives from your S...
FulcrumWay - Ed. Webinar - Identify and Eliminate False Positives from your S...
 
Enterprise under attack dealing with security threats and compliance
Enterprise under attack dealing with security threats and complianceEnterprise under attack dealing with security threats and compliance
Enterprise under attack dealing with security threats and compliance
 
Expertool GRC Accelerator
Expertool GRC AcceleratorExpertool GRC Accelerator
Expertool GRC Accelerator
 
DFlabs corporate profile 01-2013
DFlabs corporate profile 01-2013DFlabs corporate profile 01-2013
DFlabs corporate profile 01-2013
 
CMLGroup - What is GRC?
CMLGroup - What is GRC?CMLGroup - What is GRC?
CMLGroup - What is GRC?
 
Reciprocity_GRC Software Buyers Guide v5
Reciprocity_GRC Software Buyers Guide v5Reciprocity_GRC Software Buyers Guide v5
Reciprocity_GRC Software Buyers Guide v5
 
Software Evaluation Checklist
Software Evaluation ChecklistSoftware Evaluation Checklist
Software Evaluation Checklist
 
The Evaluation Checklist
The Evaluation ChecklistThe Evaluation Checklist
The Evaluation Checklist
 
Corporate compliance powerpoint
Corporate compliance powerpointCorporate compliance powerpoint
Corporate compliance powerpoint
 

Semelhante a it grc

Running head AUDITING INFORMATION SYSTEMS PROCESS .docx
Running head AUDITING INFORMATION SYSTEMS PROCESS              .docxRunning head AUDITING INFORMATION SYSTEMS PROCESS              .docx
Running head AUDITING INFORMATION SYSTEMS PROCESS .docxjoellemurphey
 
Maclear’s IT GRC Tools – Key Issues and Trends
Maclear’s  IT GRC Tools – Key Issues and TrendsMaclear’s  IT GRC Tools – Key Issues and Trends
Maclear’s IT GRC Tools – Key Issues and TrendsMaclear LLC
 
Information Governance Program
Information Governance ProgramInformation Governance Program
Information Governance ProgramBohdiman
 
Ch2-CIISA_IT Governance.pdf
Ch2-CIISA_IT Governance.pdfCh2-CIISA_IT Governance.pdf
Ch2-CIISA_IT Governance.pdfDanteHayashi
 
Overview-of-an-IT-Audit-Lesson-1.pptx
Overview-of-an-IT-Audit-Lesson-1.pptxOverview-of-an-IT-Audit-Lesson-1.pptx
Overview-of-an-IT-Audit-Lesson-1.pptxJoshJaro
 
CISM_WK_1.pptx
CISM_WK_1.pptxCISM_WK_1.pptx
CISM_WK_1.pptxdotco
 
Information Security Governance and Strategy - 3
Information Security Governance and Strategy - 3Information Security Governance and Strategy - 3
Information Security Governance and Strategy - 3Dam Frank
 
crisc_wk_2a.pptx
crisc_wk_2a.pptxcrisc_wk_2a.pptx
crisc_wk_2a.pptxdotco
 
IT Governance.pptx
IT Governance.pptxIT Governance.pptx
IT Governance.pptxFaith Shimba
 
Internal Controls Over Information Systems
Internal Controls Over Information Systems Internal Controls Over Information Systems
Internal Controls Over Information Systems Jeffrey Paulette
 
Cyber Audit | Cyber Crime | Network Security | Cyber Security Audit- 2023.pdf
Cyber Audit | Cyber Crime | Network Security |  Cyber Security Audit- 2023.pdfCyber Audit | Cyber Crime | Network Security |  Cyber Security Audit- 2023.pdf
Cyber Audit | Cyber Crime | Network Security | Cyber Security Audit- 2023.pdfCyber Security Experts
 
Introduction to IT compliance program and Discuss the challenges IT .pdf
Introduction to IT compliance program and Discuss the challenges IT .pdfIntroduction to IT compliance program and Discuss the challenges IT .pdf
Introduction to IT compliance program and Discuss the challenges IT .pdfSALES97
 
vertical in CISA certification and Five Domains are in CISA
vertical in CISA certification and Five Domains are in CISAvertical in CISA certification and Five Domains are in CISA
vertical in CISA certification and Five Domains are in CISAarjunnegi34
 
Third Party Risk Management
Third Party Risk ManagementThird Party Risk Management
Third Party Risk ManagementEC-Council
 
Controls in Audit.pptx
Controls in Audit.pptxControls in Audit.pptx
Controls in Audit.pptxHardikKundra
 
Seven Elements Of Effective Compliance Programs
Seven Elements Of Effective Compliance ProgramsSeven Elements Of Effective Compliance Programs
Seven Elements Of Effective Compliance ProgramsMaria Macri
 
gray_audit_presentation.ppt
gray_audit_presentation.pptgray_audit_presentation.ppt
gray_audit_presentation.pptKhalilIdhman
 

Semelhante a it grc (20)

Running head AUDITING INFORMATION SYSTEMS PROCESS .docx
Running head AUDITING INFORMATION SYSTEMS PROCESS              .docxRunning head AUDITING INFORMATION SYSTEMS PROCESS              .docx
Running head AUDITING INFORMATION SYSTEMS PROCESS .docx
 
Maclear’s IT GRC Tools – Key Issues and Trends
Maclear’s  IT GRC Tools – Key Issues and TrendsMaclear’s  IT GRC Tools – Key Issues and Trends
Maclear’s IT GRC Tools – Key Issues and Trends
 
Information Governance Program
Information Governance ProgramInformation Governance Program
Information Governance Program
 
Ch2-CIISA_IT Governance.pdf
Ch2-CIISA_IT Governance.pdfCh2-CIISA_IT Governance.pdf
Ch2-CIISA_IT Governance.pdf
 
Overview-of-an-IT-Audit-Lesson-1.pptx
Overview-of-an-IT-Audit-Lesson-1.pptxOverview-of-an-IT-Audit-Lesson-1.pptx
Overview-of-an-IT-Audit-Lesson-1.pptx
 
Task 2
Task 2Task 2
Task 2
 
Grc and is audit
Grc and is auditGrc and is audit
Grc and is audit
 
CISM_WK_1.pptx
CISM_WK_1.pptxCISM_WK_1.pptx
CISM_WK_1.pptx
 
Information Security Governance and Strategy - 3
Information Security Governance and Strategy - 3Information Security Governance and Strategy - 3
Information Security Governance and Strategy - 3
 
crisc_wk_2a.pptx
crisc_wk_2a.pptxcrisc_wk_2a.pptx
crisc_wk_2a.pptx
 
IT Governance.pptx
IT Governance.pptxIT Governance.pptx
IT Governance.pptx
 
Internal Controls Over Information Systems
Internal Controls Over Information Systems Internal Controls Over Information Systems
Internal Controls Over Information Systems
 
insider threat research
insider threat researchinsider threat research
insider threat research
 
Cyber Audit | Cyber Crime | Network Security | Cyber Security Audit- 2023.pdf
Cyber Audit | Cyber Crime | Network Security |  Cyber Security Audit- 2023.pdfCyber Audit | Cyber Crime | Network Security |  Cyber Security Audit- 2023.pdf
Cyber Audit | Cyber Crime | Network Security | Cyber Security Audit- 2023.pdf
 
Introduction to IT compliance program and Discuss the challenges IT .pdf
Introduction to IT compliance program and Discuss the challenges IT .pdfIntroduction to IT compliance program and Discuss the challenges IT .pdf
Introduction to IT compliance program and Discuss the challenges IT .pdf
 
vertical in CISA certification and Five Domains are in CISA
vertical in CISA certification and Five Domains are in CISAvertical in CISA certification and Five Domains are in CISA
vertical in CISA certification and Five Domains are in CISA
 
Third Party Risk Management
Third Party Risk ManagementThird Party Risk Management
Third Party Risk Management
 
Controls in Audit.pptx
Controls in Audit.pptxControls in Audit.pptx
Controls in Audit.pptx
 
Seven Elements Of Effective Compliance Programs
Seven Elements Of Effective Compliance ProgramsSeven Elements Of Effective Compliance Programs
Seven Elements Of Effective Compliance Programs
 
gray_audit_presentation.ppt
gray_audit_presentation.pptgray_audit_presentation.ppt
gray_audit_presentation.ppt
 

Mais de 9535814851

Wireless application prorocol
Wireless application prorocolWireless application prorocol
Wireless application prorocol9535814851
 
information system and computers
information system and computersinformation system and computers
information system and computers9535814851
 
Information technology govenance
Information technology govenanceInformation technology govenance
Information technology govenance9535814851
 
information system and computers
information system and computersinformation system and computers
information system and computers9535814851
 
human resource information system
human resource information system human resource information system
human resource information system 9535814851
 
information system and computers
information system and computersinformation system and computers
information system and computers9535814851
 
Software development life cycle copy
Software development life cycle   copySoftware development life cycle   copy
Software development life cycle copy9535814851
 
Database management system
Database management system   Database management system
Database management system 9535814851
 
information system and computers
information system and computersinformation system and computers
information system and computers9535814851
 
information system and computers
information system and computers information system and computers
information system and computers 9535814851
 
Health insurance portability and act(hipaa)2
Health insurance portability and act(hipaa)2Health insurance portability and act(hipaa)2
Health insurance portability and act(hipaa)29535814851
 
Information system
Information systemInformation system
Information system9535814851
 
Mc card new product launch
Mc card new product launchMc card new product launch
Mc card new product launch9535814851
 
marketing information system
 marketing information system marketing information system
marketing information system9535814851
 
information system and computers
information system and computersinformation system and computers
information system and computers9535814851
 
2007 mcom mis module 1.0
2007 mcom mis module 1.02007 mcom mis module 1.0
2007 mcom mis module 1.09535814851
 

Mais de 9535814851 (17)

Wireless application prorocol
Wireless application prorocolWireless application prorocol
Wireless application prorocol
 
it act
it act it act
it act
 
information system and computers
information system and computersinformation system and computers
information system and computers
 
Information technology govenance
Information technology govenanceInformation technology govenance
Information technology govenance
 
information system and computers
information system and computersinformation system and computers
information system and computers
 
human resource information system
human resource information system human resource information system
human resource information system
 
information system and computers
information system and computersinformation system and computers
information system and computers
 
Software development life cycle copy
Software development life cycle   copySoftware development life cycle   copy
Software development life cycle copy
 
Database management system
Database management system   Database management system
Database management system
 
information system and computers
information system and computersinformation system and computers
information system and computers
 
information system and computers
information system and computers information system and computers
information system and computers
 
Health insurance portability and act(hipaa)2
Health insurance portability and act(hipaa)2Health insurance portability and act(hipaa)2
Health insurance portability and act(hipaa)2
 
Information system
Information systemInformation system
Information system
 
Mc card new product launch
Mc card new product launchMc card new product launch
Mc card new product launch
 
marketing information system
 marketing information system marketing information system
marketing information system
 
information system and computers
information system and computersinformation system and computers
information system and computers
 
2007 mcom mis module 1.0
2007 mcom mis module 1.02007 mcom mis module 1.0
2007 mcom mis module 1.0
 

Último

Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Sapana Sha
 
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Krashi Coaching
 
APM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across SectorsAPM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across SectorsAssociation for Project Management
 
General AI for Medical Educators April 2024
General AI for Medical Educators April 2024General AI for Medical Educators April 2024
General AI for Medical Educators April 2024Janet Corral
 
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi  6.pdf1029-Danh muc Sach Giao Khoa khoi  6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdfQucHHunhnh
 
Student login on Anyboli platform.helpin
Student login on Anyboli platform.helpinStudent login on Anyboli platform.helpin
Student login on Anyboli platform.helpinRaunakKeshri1
 
Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3JemimahLaneBuaron
 
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...Sapna Thakur
 
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...fonyou31
 
Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactPECB
 
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...EduSkills OECD
 
social pharmacy d-pharm 1st year by Pragati K. Mahajan
social pharmacy d-pharm 1st year by Pragati K. Mahajansocial pharmacy d-pharm 1st year by Pragati K. Mahajan
social pharmacy d-pharm 1st year by Pragati K. Mahajanpragatimahajan3
 
Class 11th Physics NEET formula sheet pdf
Class 11th Physics NEET formula sheet pdfClass 11th Physics NEET formula sheet pdf
Class 11th Physics NEET formula sheet pdfAyushMahapatra5
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)eniolaolutunde
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introductionMaksud Ahmed
 
fourth grading exam for kindergarten in writing
fourth grading exam for kindergarten in writingfourth grading exam for kindergarten in writing
fourth grading exam for kindergarten in writingTeacherCyreneCayanan
 
Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104misteraugie
 
A Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformA Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformChameera Dedduwage
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxheathfieldcps1
 

Último (20)

Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
 
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
 
APM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across SectorsAPM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across Sectors
 
General AI for Medical Educators April 2024
General AI for Medical Educators April 2024General AI for Medical Educators April 2024
General AI for Medical Educators April 2024
 
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi  6.pdf1029-Danh muc Sach Giao Khoa khoi  6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf
 
Student login on Anyboli platform.helpin
Student login on Anyboli platform.helpinStudent login on Anyboli platform.helpin
Student login on Anyboli platform.helpin
 
Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3
 
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
 
Mattingly "AI & Prompt Design: The Basics of Prompt Design"
Mattingly "AI & Prompt Design: The Basics of Prompt Design"Mattingly "AI & Prompt Design: The Basics of Prompt Design"
Mattingly "AI & Prompt Design: The Basics of Prompt Design"
 
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
 
Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global Impact
 
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
 
social pharmacy d-pharm 1st year by Pragati K. Mahajan
social pharmacy d-pharm 1st year by Pragati K. Mahajansocial pharmacy d-pharm 1st year by Pragati K. Mahajan
social pharmacy d-pharm 1st year by Pragati K. Mahajan
 
Class 11th Physics NEET formula sheet pdf
Class 11th Physics NEET formula sheet pdfClass 11th Physics NEET formula sheet pdf
Class 11th Physics NEET formula sheet pdf
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introduction
 
fourth grading exam for kindergarten in writing
fourth grading exam for kindergarten in writingfourth grading exam for kindergarten in writing
fourth grading exam for kindergarten in writing
 
Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104
 
A Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformA Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy Reform
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptx
 

IT GRC

  • 2. INTRODUCTION Information technology has a tremendous impact on the discipline of accounting by introducing new ways of retrieving and processing information about performance deviations and control effectiveness. It also offers a means of managing organizational controls by analyzing value drivers for particular accounting information systems, an approach that commonly runs under the label of governance, risk management and compliance (GRC IS). Information systems such as enterprise resource planning systems separate financial from non-financial data and therefore enable better financial accounting. On the other hand, they provide new potential for management control as “data become accurate, shareable and available to many different parties but does hardly create the panoptic dreams of visibility and action at a distance”.
  • 3. Governance The process by which policy is set and decision making is executed. Governance is the set of policies, laws, culture, and institutions that define how an organization should be managed.
  • 4. Risk management The process for preventing an unacceptable level of uncertainty in business objectives with a balance of avoidance through reconsideration of objectives, mitigation through the application of controls, transfer through insurance and acceptance through governance mechanisms. It is also the process to ensure that important business processes and behaviors remain within the tolerances associated with policies and decisions set through the governance process. Risk management is the coordinated activities that direct and control an organization in forecasting and managing events/risks that might have a negative impact on the business.
  • 5. Compliance The process of adherence to policies and decisions. Policies can be derived from internal directives, procedures and requirements, or external laws, regulations, standards and agreements. Compliance is the act of adhering to regulations as well as corporate policies and procedures.
  • 6. • Create and distribute policies and controls and map them to regulations and internal compliance requirements. • Assess whether the controls are actually in place and working, and fix them if they are not. • Ease risk assessment and mitigation. • IT GRC provides coordination and standardization of policies and controls. • Automate information gathering. • It enables enterprises to rapidly adapt to change.
  • 7. Governance • Enterprise risk management and assessment • Board compliance capabilities such as options policy compliance, ethics and policy compliance, etc. • Business performance reporting such as balanced scorecards, risk scorecards, operational controls dashboards, etc. • Policy management, documentation and communication
  • 8. • Risk assessment • Risk analysis and prioritization • Root cause analysis of issues and mitigation • Risk analytics and trend analysis
  • 9. • Flexible controls hierarchy • Assessments and audits • Issues tracking and remediation • Analytics
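As an added example (not code from the original slides), the following Python script walks through what slides 6, 8 and 9 describe: it maps a constructed set of controls to hypothetical requirement ids, assesses whether each control is in place and working, rates each requirement (including one that no control covers), and ranks the failing controls by likelihood times impact for remediation tracking. All ids, descriptions and scores are constructed for illustration.

```python
"""Added IT GRC example (not from the original slides): controls mapped to
requirements, assessed, and the failing ones prioritised by risk.
All ids and data below are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Control:
    """One internal control plus the evidence gathered about it."""
    control_id: str
    description: str
    requirements: Tuple[str, ...]  # requirement ids this control is mapped to
    in_place: bool                 # design: does the control exist at all?
    effective: bool                # operation: did its last test pass?
    likelihood: int                # 1..5: chance of a loss event if it fails
    impact: int                    # 1..5: severity of that loss


# Hypothetical requirement ids (constructed, not taken from any real regulation).
REQUIREMENTS = ("REQ-ACCESS-01", "REQ-CHANGE-01", "REQ-BACKUP-01",
                "REQ-LOGGING-01", "REQ-VENDOR-01")

# Constructed control inventory with assessment results.
CONTROLS = [
    Control("C-01", "Quarterly user access review", ("REQ-ACCESS-01",), True, True, 3, 4),
    Control("C-02", "MFA enforced on administrator accounts", ("REQ-ACCESS-01",), True, False, 4, 5),
    Control("C-03", "Change approval before production deployment", ("REQ-CHANGE-01",), True, True, 2, 4),
    Control("C-04", "Daily backups with monthly restore test", ("REQ-BACKUP-01",), False, False, 3, 5),
    Control("C-05", "Central log retention for 12 months", ("REQ-LOGGING-01", "REQ-CHANGE-01"), True, True, 2, 3),
]


def map_controls(controls: List[Control]) -> Dict[str, List[str]]:
    """Requirement id -> ids of the controls mapped to it (slide 6: 'map them to regulations')."""
    mapping: Dict[str, List[str]] = {}
    for c in controls:
        for req in c.requirements:
            mapping.setdefault(req, []).append(c.control_id)
    return mapping


def control_status(c: Control) -> str:
    """'operating' only if the control exists and passed its test (slide 6: 'in place and working')."""
    if not c.in_place:
        return "missing"
    if not c.effective:
        return "ineffective"
    return "operating"


def requirement_status(controls: List[Control], requirements: Tuple[str, ...]) -> Dict[str, str]:
    """Rate each requirement: 'uncovered' when no control maps to it (a gap the
    mapping step should expose), 'compliant' only when every mapped control is
    operating, otherwise 'non-compliant'."""
    mapping = map_controls(controls)
    by_id = {c.control_id: c for c in controls}
    result: Dict[str, str] = {}
    for req in requirements:
        ids = mapping.get(req, [])
        if not ids:
            result[req] = "uncovered"
        elif all(control_status(by_id[i]) == "operating" for i in ids):
            result[req] = "compliant"
        else:
            result[req] = "non-compliant"
    return result


def prioritize_risks(controls: List[Control]) -> List[Tuple[str, str, int]]:
    """Slide 8 'risk analysis and prioritization': failing controls ranked by likelihood x impact."""
    failing = [(c.control_id, control_status(c), c.likelihood * c.impact)
               for c in controls if control_status(c) != "operating"]
    return sorted(failing, key=lambda row: (-row[2], row[0]))


def remediation_issues(controls: List[Control]) -> List[str]:
    """Slide 9 'issues tracking and remediation': one tracked issue per failing control."""
    return [f"{cid}: {status} (score {score})" for cid, status, score in prioritize_risks(controls)]


if __name__ == "__main__":
    for req, status in requirement_status(CONTROLS, REQUIREMENTS).items():
        print(f"{req:15} {status}")
    for issue in remediation_issues(CONTROLS):
        print(issue)
```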
  • 10. Importance of IT-GRC • An improvement in the quality and availability of information; • A reduction in breaches and errors; • A reduction in costs and greater efficiencies; • A more flexible and externally focused workforce capable of rapid change to meet customer and organizational needs; • A greater assurance for the organization and its board and senior management that grace issues are being appropriately dealt with and the organization remains “on target” with its performance objectives; and • Improved levels of communication across the organization the organization.
  • 11. BUSINESS IS MORE DEPENDENT ON IT • IT environment is more complex. • Less time between IT failures and organizational impact. • Increase in threats related to IT. • Increase in threats related to IT. • Increase in regulations, standards and controls.
  • 12. IT GRC Challenges • Mapping the policies and control • Audit fatigue • Security exposure • Redundancy and inefficiency
  • 13. Other Challenges • A perception by staff that the initiative may have an ulterior motive, for example a cost recovery drive or head count reduction. • Business unit managers or middle management are fearful of being marginalized as GRC responsibilities are devolved to those in lower levels of the hierarchy. • Organizations are sometimes skeptical regarding the targeting and measurement systems proposed and are concerned that there will not ultimately be an appropriate return on investment given the establishment and maintenance costs involved. • Corporate cynicism and skepticism around the outcomes and results achieved from past planned organizational change (and management “fads” generally).
  • 14. Factors to be consider at the time of implementation of IT GRC • Strategy • Reporting and audit • Legal function • Information technology • Ethics and corporate social responsibility • Corporate culture • Business process management
  • 16. Introduction Information systems auditing involves using technical tools and expertise to evaluate the adequacy and effectiveness of information systems in an organization. Further, it involves working with management to identify weak controls and risk, which arises due to the application of technology in a business. It also suggests ways to enhance these weak controls to increase the reliability of IS, which will help an organization to achieve its strategic objectives.
  • 17. Meaning Information systems audit is a process to collect and evaluate evidence to determine whether the information systems safeguard assets, maintain data integrity, achieve organizational goals effectively and consume resources efficiently. The common element between any manual audit and IS audit is data integrity. All type of audits (information audits) have to evaluate the data integrity. Since IS audit involves efficiency and effectiveness, it includes some elements of management and proprietary audit too.
  • 18. IS auditing methodology • Step 1: define objectives of the audit. • Step 2: obtain basic understanding of systems and flow of transactions. • Step 3 : Detailed information gathering • Step 4 : Search for exposures that exist under the system and suggest the control in eliminate the exposure. • Step 5 : Define Auditing procedures to verify controls. • Step 6 : Perform audit test using various techniques and tools. • Step 7 : Evaluation of findings. • Step 8 : Generation of Report.
  • 19. Scope of IS audit • Data • Application systems • Technology • Facilities • People
  • 20. Elements of IS audit Exposures Causes Controls Physical and environmental review System administration review System administration review Application software review Network security review Business continuity review Data integrity review
  • 21. Need for IS audit • Confidentiality • Integrity • Availability • Reliability
  • 22. Categories of IS audits • Systems and applications • Information processing facilities • Systems development • Management of IT and enterprise architecture • Telecommunications intranets and extranets
  • 23. Information Security and management standard Meaning information security relates to the physical and logical protection of data or information recorded, processed, shared, transmitted or received from an electronic from. The protection is provided against joss, inaccessibility, alternation, or unauthorized disclosure. The protection is achieved through physical safeguard such as locks, security guard, insurance etc. and logical safeguard as user identifiers, passwords, firewalls.
  • 24. Information security • Meaning: • It is the practice of defending information from unauthorized access, use discloser, disruption modification, perusal, inspection recording or destruction • Definition • “Information security is the process of protecting the intellectual property of an organization” • IT security: it is referred to as computer security .a computer is any device with a processor and some memory such device can range from non-networked standalone device as simple as calculator to networked mobile computing device such as smart phone ad tablet .IT security is mainly used in major enterprise establishment due to the nature and value of the data within larger business
  • 25. Information assurance • The act of ensuring that data is not lost when critical issues aries.thes issues include but are not limited to natural disaster computer server malfunction physical theft or any other instance where data potential of being lost.
  • 26. Threats Computer system threats come in many different forms. some of the most common threats today are software attack, theft of intellectual property identity theft of equipment or info are common example of software attack Key concept of information security Confidentiality Integrity Availability
  • 27. Risk management ‘Risk management is the process of identifying vulnerabilities and threats to the information resources ‘
• 28. Control Selecting proper controls and implementing them will help an organization to bring risk down to an acceptable level. Control selection should follow, and be based on, the risk assessment. Controls can vary in nature, but fundamentally they are ways of protecting confidentiality. Types of control are • Administrative control • Logical control • Physical control
  • 29. Security organization structure 1. Information security forum (ISF) 2. Information security management group (ISMG) 3. Assistant group security officer (AGSO) 4. System owner 5. Personal security officer (PSO) 6. Line manager 7. Users
• 30. Standards for Information Security The International Organization for Standardization [ISO], established in 1947, is a non-governmental international body that collaborates on standards with the international commission technology [ITC]. The following are commonly referenced ISO security standards.
  • 31. Introduction to ISO 27001 ISO 27001 is a specification for creating an ISMS. It does not mandate specific actions, but includes suggestions for documentation, internal audits, continual improvement, and corrective and preventive action.
• 32. Framework of ISO 27001 Implementation of ISO 27001 is an ideal response to legal requirements and potential security threats such as: • Vandalism/Terrorism • Fire • Misuse • Theft • Viral attack
• 33. Features of ISO 27001 • Adopts the PDCA (PLAN-DO-CHECK-ACT) model. • Adopts a process approach. • Identify and manage activities so they function effectively. • Stresses continual process improvement. • Scope covers information security, not only IT security. • Focused on people, process and technology. • Combination of management controls, operational controls and technical controls.
• 34. Benefits of ISMS ISO 27001 certification: • Independent framework that takes account of all legal and regulatory requirements. • Helps provide a competitive edge to the company. • Helps to identify and meet contractual and regulatory requirements. • Independently verifies that risks to the company are properly identified and managed. • Demonstrates to customers that the security of their information is taken seriously.
• 35. CONTROL OBJECTIVES FOR INFORMATION AND RELATED TECHNOLOGY (COBIT) INTRODUCTION: COBIT was first released in 1996; the current version, COBIT 5, was published in 2012. Its mission is “to research, develop, publish and promote an authoritative, up-to-date, international set of generally accepted information technology control objectives for day-to-day use by business managers, IT professionals and assurance professionals.”
• 36. The framework provides good practices across a domain and process framework: “The business orientation of COBIT consists of linking business goals to IT goals, providing metrics and maturity models to measure their achievement and identifying the associated responsibilities of business and IT process owners.” COBIT is a framework of generally applicable information systems security and control. The framework allows: 1) Benchmarking of the security and control arrangement. 2) Auditors to review internal controls and advise on IT security matters. 3) Users of IT services to be assured that adequate security and control exist.
  • 37. The framework addresses the issue of control from 3 vantage points
• 38. IT Processes Controls are required to be implemented in all the processes, which are broken into 4 domains: • Planning and organization • Acquisition and implementation • Delivery and support • Monitoring
• 39. Business objectives To satisfy business objectives, information must satisfy some criteria that COBIT refers to as business requirements for information. The criteria are divided into seven categories: • Effectiveness • Efficiency • Confidentiality • Integrity
• 40. IT RESOURCES Controls to protect the IT resources must be developed; these resources include: • People • Application systems • Hardware devices • Facilities and data • Security controls
• 41. Advantages of COBIT I. COBIT is aligned with other standards and best practices and should be used together with them. II. Its framework and supporting best practices provide a well-managed and flexible IT environment in an organization. III. COBIT provides a control environment that is responsive to business needs and serves management and audit functions in terms of their control responsibilities. IV. It provides tools to help manage IT activities.
• 42. COBIT has five IT governance areas of concentration 1) Strategic alignment focuses on ensuring the linkage of business and IT plans; defining, maintaining and validating the IT value proposition; and aligning IT operations with enterprise operations. 2) Value delivery is about executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimizing cost and providing the intrinsic value of IT.
• 43. COBIT has five IT governance areas of concentration (continued) 3) Resource management is about the optimum investment in, and proper management of, critical IT resources: applications, information, infrastructure and people. 4) Risk management is a clear understanding of the enterprise's appetite for risk, understanding of compliance requirements, and transparency into the organization. 5) Performance measurement tracks and monitors strategy implementation, project completion, resource usage, process performance and service delivery, for example through balanced scorecards that translate strategy into action to achieve goals measurable beyond conventional accounting.
• 45. Introduction • The Health Insurance Portability and Accountability Act (HIPAA) became law in 1996. The purpose of HIPAA is to improve the efficiency and effectiveness of healthcare transactions by standardizing the exchange of administrative and financial data, as well as protecting the privacy and security of individual health information that is maintained or transmitted.
  • 46. • HIPAA imposes stringent privacy and security requirements on health plans, healthcare providers, and healthcare clearinghouses that maintain and/or transmit individual health information in electronic form. The term “healthcare provider” includes individual physicians, physician group practices, dentists, other healthcare practitioners, hospitals, and nursing facilities.
• 47. Specific objectives of the regulations are: • Standardizing the format and content of primary commercial and administrative electronic healthcare transactions. • Developing standards to protect confidential patient information from improper use or disclosure and establishing patients' rights to control such uses. • Developing standards for computer systems and networks to ensure the security, integrity, and availability of patient data.
• 48. HIPAA is also known as public law. The Act has five top-level titles: • Title 1. Health access, portability, and renewability. • Title 2. Preventing health care fraud and abuse (administrative simplification), which includes: • (1) transactions and code sets (2) identifiers (3) privacy (4) security. • Title 3. Tax-related health provisions (medical savings accounts and health insurance tax deductions for self-employed individuals).
  • 49. • Title 4. Group health plan provisions • Title 5. Revenue offset provisions.
• 50. HIPAA Transactions And Code Sets • HIPAA is named for its contribution to portability of insurance and accountability for insurance claims. The administrative simplification section of HIPAA requires the standardization of identifiers, code sets, and transactions. HIPAA places various limits on the exclusions that insurers may use, provides credit for past insurance, and attempts to assure that insurance can be purchased. As stated previously, HIPAA ensures only that insurance is available, not that it is inexpensive.
• 51. The Security Rule: • The Security Rule lays out three types of security safeguards required for compliance: administrative, physical, and technical. For each of these types, the rule identifies various security standards, and for each standard, it names both required and addressable implementation specifications. Required specifications must be adopted and administered as dictated by the rule.
• 52. The Standards And Specifications Are As Follows: • Covered entities must adopt a written set of privacy procedures and designate a privacy officer to be responsible for developing and implementing all required policies and procedures. • The policies and procedures must reference management oversight and organizational buy-in to compliance with the documented security controls. • Procedures should clearly identify employees or classes of employees who will have access to protected health information (PHI). • The procedures must address access authorization, establishment, modification, and termination.
  • 53. • A contingency plan should be in place for responding to emergencies. • Internal audits play a key role in HIPAA compliance by reviewing operations with the goal of identifying potential security violations. • Procedures should document instructions for addressing and responding to security breaches that are identified either during the audit or the normal course of operations.
  • 54. Technical Safeguards: • Controlling access to computer systems and enabling covered entities to protect communications containing PHI transmitted electronically over open networks from being intercepted by anyone other than the intended recipient. • Information systems housing PHI must be protected from intrusion. When information flows over open networks, some form of encryption must be utilized.
• 55. • Each covered entity is responsible for ensuring that the data within its systems has not been changed or erased in an unauthorized manner. • Data corroboration, including the use of checksums, double-keying, message authentication, and signatures, may be used to ensure data integrity. • Covered entities must also authenticate the entities they communicate with; authentication may consist of password systems, two- or three-way handshakes, telephone call-back, and token systems.
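As an added example (not from the slides or any HIPAA guidance), two of the integrity controls named above, a plain checksum beside a keyed message authentication code, applied to a constructed PHI record; the record, the shared key and the tamper step are assumptions for illustration, and the point is that a keyless checksum can be recomputed by whoever alters the data while the keyed MAC cannot:

```python
import hashlib
import hmac
import json
import zlib

# Constructed sample PHI record (fictitious patient data, not from any real system).
RECORD = {"patient_id": "P-0001", "diagnosis_code": "J45.20", "allergies": ["penicillin"]}

# Constructed shared secret between two covered entities (placeholder value).
SHARED_KEY = b"example-shared-key-replace-in-production"


def canonical_bytes(record):
    """Serialize deterministically so sender and receiver hash identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def checksum_record(record):
    """Plain CRC32 checksum: detects accidental corruption, not deliberate change."""
    return zlib.crc32(canonical_bytes(record)) & 0xFFFFFFFF


def verify_checksum(record, expected):
    return checksum_record(record) == expected


def mac_record(record, key):
    """Message authentication: HMAC-SHA256 over the canonical bytes with a shared key."""
    return hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()


def verify_mac(record, key, expected):
    """Constant-time comparison so the tag is not leaked through timing differences."""
    return hmac.compare_digest(mac_record(record, key), expected)


def tamper(record):
    """Return a modified copy, standing in for an unauthorized change in transit."""
    changed = dict(record)
    changed["allergies"] = []  # silently dropping an allergy is a dangerous integrity failure
    return changed


def demo():
    crc = checksum_record(RECORD)
    tag = mac_record(RECORD, SHARED_KEY)
    altered = tamper(RECORD)
    return {
        "clean_checksum_ok": verify_checksum(RECORD, crc),
        "clean_mac_ok": verify_mac(RECORD, SHARED_KEY, tag),
        # A change to the data is caught by both mechanisms...
        "tampered_checksum_ok": verify_checksum(altered, crc),
        "tampered_mac_ok": verify_mac(altered, SHARED_KEY, tag),
        # ...but a keyless checksum can simply be recomputed over the altered record,
        # whereas a tag computed without the shared key does not verify.
        "refreshed_checksum_ok": verify_checksum(altered, checksum_record(altered)),
        "refreshed_mac_ok": verify_mac(altered, SHARED_KEY, mac_record(altered, b"wrong-key")),
    }
```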
  • 56. Physical safeguards: • Controlling physical access to protect against inappropriate access to protected data • Controls must govern the introduction and removal of hardware and software from the network. • Access to equipment containing health information should be carefully controlled and monitored. • Access to hardware and software must be limited to properly authorized individuals.
  • 57. STATEMENT OF AUDITING STANDARDS FOR SERVICE ORGANISATION
• 58. Introduction Statement on Auditing Standards No. 70: Service Organizations, commonly abbreviated as SAS 70, is an auditing statement issued by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA), officially titled “Reports on the Processing of Transactions by Service Organizations”. SAS 70 defines the professional standards used by a service auditor to assess the internal control of a service organization and issue a service auditor’s report.
• 59. Meaning of SAS SAS 70 (the Statement on Auditing Standards No. 70) defines the standards an auditor must employ in order to assess the contracted internal controls of a service organization. Service organizations, such as hosted data centers, insurance claims processors and credit processing companies, provide outsourced services that affect the operation of the contracting enterprise.
• 60. Under SAS 70, service auditor reports are classified as either Type I or Type II. In a Type I report the auditor evaluates the efforts of a service organization at the time of the audit to prevent accounting inconsistencies, errors and misrepresentation. The auditor also evaluates the likelihood that those efforts will produce the intended future results. A Type II report includes the same information as that contained in a Type I report; in addition, the auditor attempts to determine the effectiveness of agreed-on controls since their implementation. Type II reports also incorporate data compiled during a specific time period, usually a minimum of six months.
• 61. CHARACTERISTICS OF STATEMENT OF AUDITING STANDARDS for service organizations 1. Statement on Auditing Standards (SAS) No. 70, Service Organizations, is an internationally recognized auditing standard developed by the American Institute of Certified Public Accountants (AICPA). 2. SAS 70 provides guidance to enable an independent auditor (“service auditor”) to issue an opinion on a service organization’s description of controls through a Service Auditor’s Report. 3. Service auditors are required to follow the AICPA’s standards for fieldwork, quality control, and reporting. 4. A formal report including the auditor’s opinion (“Service Auditor’s Report”) is issued to the service organization at the conclusion of a SAS 70 examination.
• 62. 5. A SAS 70 examination is not a “checklist” audit. SAS No. 70 is generally applicable when an auditor (“user auditor”) is auditing the financial statements of an entity (“user organization”) that obtains services from another organization (“service organization”). Service organizations that provide such services could be application service providers, bank trust departments, claims processing centers, Internet data centers, or other data processing service bureaus. 6. A SAS 70 audit or service auditor’s examination is widely recognized, because it represents that a service organization has been through an in-depth audit of its control activities, which generally include controls over information technology and related processes.
• 63. Type I and Type II audit standards Type I SAS 70 audits give an opinion on controls that are in place as of a point in time. The opinion deals with the fairness of presentation of the controls and the design of the controls in terms of their ability to meet defined control objectives. Since these reports only provide assurance as of a single day, they are of limited value to third parties. Type II SAS 70 audits give an opinion on controls that were in place over a period of time, typically six months or more. The opinion deals with the fairness of presentation of the controls, the design of the controls in terms of their ability to meet defined control objectives, and the operating effectiveness of those controls over the defined period. Third parties are better able to rely on these reports since verification is provided regarding these matters for a substantial period of time.
• 64. Benefits to the service organization 1. A service auditor’s report ensures that all user organizations and their auditors have access to the same information, and in many cases this will satisfy the user auditor’s requirements. 2. SAS 70 engagements are generally performed by control-oriented professionals who have experience in accounting, auditing, and information security. 3. A service auditor’s report with an unqualified opinion issued by an independent accounting firm differentiates the service organization from its peers by demonstrating the establishment of effectively designed control objectives and control activities. 4. A SAS 70 engagement allows a service organization to have its control policies and procedures evaluated and tested (in the case of a Type II engagement) by an independent party. 5. A service auditor’s report also helps a service organization build trust with its user organizations (i.e. customers).
• 65. CAPABILITY MATURITY MODEL (CMM) INTRODUCTION: The CMM was developed from 1984 by Watts Humphrey and the Software Engineering Institute (SEI). The SEI is a part of Carnegie Mellon University. The work was funded, and continues to be funded, by the Department of Defense (DoD), which was originally looking for ways to compare and measure the various contractors that were developing software for the DoD.
• 66. Meaning: “A Capability Maturity Model (CMM) is a formal archetype of the levels through which an organization evolves as it defines, implements, measures, controls and improves its processes in a particular area of operation. It thus enables the organization to consciously choose a certain target level of maturity and then to work towards that level.” Definition: “The definition implies that the CMM concept is mainly applicable to organizational processes, such as development processes or business processes. This process orientation underlies the model described in this paper and thus deals with knowledge within the framework of business processes.”
• 67. PROCESS OF CAPABILITY MATURITY MODEL (CMM) • INITIAL MATURITY LEVEL • REPEATABLE MATURITY LEVEL • DEFINED MATURITY LEVEL • MANAGED MATURITY LEVEL • OPTIMIZING MATURITY LEVEL
• 68. INITIAL MATURITY LEVEL The software process is characterized as inconsistent and occasionally even chaotic. Defined processes and standard practices that exist are abandoned during a crisis. Success of the organization depends largely on individual effort, talent and heroics. The heroes eventually move on to other organizations, taking their wealth of knowledge and lessons learnt with them.
• 69. REPEATABLE MATURITY LEVEL A software development organization at this level has basic and consistent project management processes to track cost, schedule and functionality. The process is in place to repeat earlier successes on projects with similar applications. Program management is a key characteristic of a level two organization.
• 70. DEFINED MATURITY LEVEL The software process for both management and engineering activities is documented, standardized and integrated into a standard software process for the entire organization, and all projects across the organization use an approved, tailored version of the organization’s standard software process for developing, testing and maintaining the application.
• 71. MANAGED MATURITY LEVEL Management can effectively control the software development effort using precise measurements. At this level, the organization sets quantitative quality goals for both the software process and software maintenance. At this maturity level, the performance of processes is controlled using statistical and other quantitative techniques and is quantitatively predictable.
• 72. OPTIMIZING MATURITY LEVEL The key characteristic of this level is a focus on continually improving process performance through both incremental and innovative technological improvements. At this level, changes to the process are made to improve process performance while at the same time maintaining the statistical probability of achieving the established quantitative process-improvement objectives.