metodologia para auditar sistemas de informacion

1. CobiT Update NSAA IT Conference Richmond, VA John W. Beveridge September 27, 2007

38. To Achieve Business Objectives To Avoid Risks, Threats and Exposures Control (as defined by COBIT) The policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected. Source: COBIT Control Objectives. P. 12.

39. CobiT promotes a healthy understanding about “reasonable assurance” and “residual risk” Knowing the acceptable levels for reasonable assurance and residual risk is a critical success factor for designing and managing an adequate framework of control

40. Assurance Level 100% Residual Risk 0% Reasonable Assurance

43. C OBI T Cube The COBIT framework describes how IT processes deliver the information that the business needs to achieve its objectives. For controlling this delivery, COBIT provides three key components, each forming a dimension of the COBIT cube. Business Requirements for Information Criteria IT Resources IT Processes

46. C OBI T C OBI T is a valuable IT governance tool that helps in the understanding and management of risks and benefits associated with information integrity, security, and availability, and the management of related technology.

49. Where is C OBI T Today?

52. C OBI T and Related Products Provides guidance on how COBIT can be used to support a variety of assurance activities together with suggested testing steps for all the IT processes and control objectives IT Assurance Guide Provide guidance on why the control objectives are worth implementing and how to implement them Control Practices Provides a generic road map for implementing IT governance using the COBIT and Val IT resources IT Governance Implementation Guide COBIT is an IT governance framework and supporting tool set that allows managers to bridge the gap between control requirements, technical issues and business risks. C OBI T 4.1 To help overcome these barriers by explaining information security in business terms. It comes complete with tools and techniques to help managers uncover security-related problems Information Security Governance To help executives understand why IT governance is important, what its issues are and what their responsibility is for managing it Board Briefing on IT Governance

53. C OBI T and Related Products To overview and various mappings of COBIT to other international guidance have been published by ITGI, such as CMM, ISO17799. COBIT Mapping Series To explain to business users and senior management the value of IT best practices and how harmonization, implementation and integration of best practices (COBIT, ITIL and ISO/IEC 17799) may be made easier. Aligning COBIT, ITIL and ISO 17799 To provides guidance on how to ensure compliance for the IT environment based on the COBIT control objectives related to financial reporting. IT Control Objectives for Sarbanes-Oxley To summarized version of the COBIT resources, focusing on the most crucial IT processes, control objectives and metrics, all presented in an easy-to-follow format to help users gain the benefits of COBIT quickly. COBIT Quickstart To provides guidance for managing an organization’s portfolio of IT-enabled business investments and for maximizing the quality of business cases for IT-enabled business investments. Val IT To focuses on IT security risk in a way that is simple to follow and implement for everyone, from the home user or small- to medium-sized enterprise to executives and board members of larger organizations. COBIT Security Baseline (available 3rd quarter 2007)

54. C OBI T and Related Products

56. Control Objectives Framework Control Objectives Management Guidelines Maturity Models

59. Concise Control Objectives CobiT 4.1 CobiT 4.0 PO5.1 Financial Management Framework Establish a financial framework for IT that drives budgeting and cost/benefit analysis, based on investment, service and asset portfolios. Maintain the portfolios of IT-enabled investment programmers, IT services and IT assets, which form the basis for the current IT budget. Provide input to business cases for new investments, taking into account current IT asset and service portfolios. New investments and maintenance to service and asset portfolios will influence the future IT budget. Communicate the cost and benefit aspects of these portfolios to the budget prioritization, cost management and benefit management processes. PO5.1 Financial Management Framework Establish and maintain a financial framework to manage the investment and cost of IT assets and services through portfolios of IT enabled investments, business cases and IT budgets. PO1.2 Business-IT Alignment Educate executives on current technology capabilities and future directions, the opportunities that IT provides, and what the business has to do to capitalize on those opportunities. Make sure the business direction to which IT is aligned is understood. The business and IT strategies should be integrated, clearly linking enterprise goals and IT goals and recognizing opportunities as well as current capability limitations, and broadly communicated. Identify where the business (strategy) is critically dependent on IT and mediate between imperatives of the business and the technology, so agreed priorities can be established. PO1.2 Business-IT Alignment Establish processes of bi-directional education and reciprocal involvement in strategic planning to achieve business and IT alignment and integration. Mediate between business and IT imperatives so priorities can be mutually agreed.

62. Framework Update

68. What Are the Main Changes?

69. C OBI T Domains : Information Processes (3rd Component) Feedback Feedback Feedback Plan and Organize Acquire and Implement Deliver and Support Monitor and Evaluate

85. The WATERFALL Navigation Aid -- High Level Control Objectives for Each Process High-Level Control Objective Users satisfaction Is measured by The control of which satisfy is focusing on Is achieved by IT Processes Business Requirements Control Statements Control Practices

97. Control Practices Control Practices Control Objectives Value Drivers Risk Drivers

102. IT Assurance Guide Need for IT Governance and Assurance The CobiT Framework IT Assurance Approaches How CobiT Supports IT Assurance Activities

108. 1 Using CobiT

119. Interrelationships of CobiT Components

120. C OBI T Content Diagram CobiT and Val IT frameworks Control Objectives Key Management Pratices IT Governance Implementation Guide, 2 nd Edition CobiT Control Practices 2 nd Edition IT Assurance Guide