1. Auditing IT Compliance
Auditing IT compliance: a practical approach
(EEMA)
November 2005
Mr. Marc Vael
Managing Director
Valuendo
© 2005 Valuendo. All rights reserved.
1
INFORMATION CLASSIFICATION = PUBLIC
Agenda
This session answers two questions:
– How can IT risks & compliance be managed within an
organisation using CobIT, the IT governance standard?
– How should the results of IT risk & compliance audits
be presented?
Marc Vael EEMA
Valuendo November 2005
1
2. Auditing IT Compliance
Introduction
• Marc Vael
• Managing Director Valuendo (“value & do”) since July 2001
• Education
– Master Applied Economics (UAntwerp)
– Master Information Management (UHasselt)
– Master+ Applied Economics & ICT (KUL)
• Core Services
– ERM
– IT Governance
– Information Security Management
– Business Continuity / Disaster Recovery
– Crisis Management
– Data Privacy & Protection
– IT Audit & Compliance
• Certifications
– CISA / CISM / CISSP / ITIL Service Manager
Introduction
(Compliance) audits are executed by independent, skilled
(internal or external) parties and result in a report for the
board of directors, executive management and/or external
parties, in order to provide comfort/assurance.
• Scope (what is covered & what is not)
• Execution (D – O – T)
• Fact-based (documentation / reports / tests)
• Reporting (Obs – Risk – Rec)
3. Auditing IT Compliance
Introduction
[Diagram: compliance cycle with Design, Implement, Monitor and Assess arranged around Compliance]
Need for Audit & Compliance
New legislation & regulation
• “Assurance” on internal control
• Stress on governance & the responsibility of directors
• Pervasiveness & importance of IT
• Beyond financial risk: towards risks that adversely affect the
organisation’s ability to achieve its objectives and execute
its strategies
• SMEs
Examples: Sarbanes-Oxley (SOx), Basel II, GLBA, HIPAA,
Code Lippens, Code Buysse
4. Auditing IT Compliance
Need for Audit & Compliance
New management practices
• IT Governance
A structure of IT relationships & processes to direct and control
the enterprise to achieve the enterprise’s goals by adding value
while balancing risk vs. return over IT and its processes
• IT Manageability
– New tools for management to self-assess and make choices for
control implementation and improvements
– Ability to align the IT organisation with the goals of the enterprise
– Performance measurements that ensure that these goals are
achieved
IT Governance Compliance
5. Auditing IT Compliance
IT Governance Compliance
Implementing Control & Governance
Drivers
– Compliance with law, standards and regulations
– Cost reduction
– Mission & goals
– Performance improvement
– Risk reduction
– Reputation and trust
– Competitive environment
– Corporate values
– Political/economic environment
Inhibitors
– Budget limitations
– Availability of skilled staff
– Management awareness
– Management commitment
– Lack of ownership
– Existing architecture
– No easy solution
– Resource conflicts/priorities
– Lack of tools
– Political/economic environment
6. Auditing IT Compliance
CobIT & IT Governance Compliance
Link between COBIT and IT Governance
[Diagram: COBIT sits between Business and IT Governance. The business needs the information required to achieve its objectives; the executive and board need the information (IT control, risk & assurance) required to exercise their responsibilities. COBIT links the two through Direction (IT strategy & policy), Requirements, Control, Goals, Objectives, Responsibilities and Governance.]
7. Auditing IT Compliance
CobIT
CobIT: IT Control Framework
COBIT’s Vision
To be the (de facto) model for IT governance
COBIT’s Mission
To research, develop, publicise and promote an authoritative,
up-to-date, international set of generally accepted IT control
objectives for day-to-day use by business managers & auditors
Definition of Control
The policies, procedures, practices and organisational structures
designed to provide reasonable assurance that business
objectives will be achieved & that undesired events will be
prevented or detected and corrected
Definition of IT Control Objective
A statement of the desired result or purpose to be achieved
by implementing control practices in a particular IT activity
CobIT
CobIT: IT Control Framework
CobIT basic principles
• Generally applicable & internationally accepted open standard
• Regardless of technology
• Starting from business requirements for information
• Management- and business process owner-oriented
• Includes existing standards and techniques
Risk assessment concepts
Business risk / value assessment
Assurance planning and scoping
Control evaluation and testing
Control and process maturity (self-assessment)
Substantiating risk and effective reporting
• First published in 1992
• 4th edition is planned for the end of 2005
8. Auditing IT Compliance
CobIT
CobIT: IT Control Framework
[Diagram: the CobIT product family]
– Executive Summary
– Framework with high-level control objectives
– Detailed Control Objectives
– Management Guidelines: Critical Success Factors, Key Goal Indicators,
Key Performance Indicators, Maturity Models
– Audit Guidelines
– Control Practices
– Implementation Guide: road map for implementation, planning tools
and templates, presentations, awareness and diagnostic tools
CobIT
CobIT: IT Control Framework
Relationship between IT resources & business requirements
[Diagram: the CobIT cube, relating IT resources, IT processes and business requirements for information]
IT Resources: People, Information, Applications, Infrastructure
IT Processes: Plan and Organise, Acquire and Implement,
Deliver and Support, Monitor and Evaluate
Business Requirements: Effectiveness, Efficiency, Confidentiality,
Integrity, Availability, Compliance, Reliability
9. Auditing IT Compliance
[Diagram: the CobIT framework, 4 domains, 34 processes, 318 control objectives]
Business objectives, information criteria:
• effectiveness
• efficiency
• confidentiality
• integrity
• availability
• compliance
• reliability
IT resources:
• information
• applications
• infrastructure
• people
Plan and Organise
– PO1 Define a strategic IT plan
– PO2 Define the information architecture
– PO3 Determine the technological direction
– PO4 Define the IT organisation and relationships
– PO5 Manage the IT investment
– PO6 Communicate management aims and direction
– PO7 Manage human resources
– PO8 Ensure compliance with external requirements
– PO9 Assess risks
– PO10 Manage projects
– PO11 Manage quality
Acquire and Implement
– AI1 Identify automated solutions
– AI2 Acquire and maintain application software
– AI3 Acquire and maintain technology infrastructure
– AI4 Develop and maintain procedures
– AI5 Install and accredit systems
– AI6 Manage changes
Deliver and Support
– DS1 Define and manage service levels
– DS2 Manage third-party services
– DS3 Manage performance and capacity
– DS4 Ensure continuous service
– DS5 Ensure systems security
– DS6 Identify and allocate costs
– DS7 Educate and train users
– DS8 Assist and advise customers
– DS9 Manage the configuration
– DS10 Manage problems and incidents
– DS11 Manage data
– DS12 Manage facilities
– DS13 Manage operations
Monitor and Evaluate
– ME1 Manage IT performance
– ME2 Monitor internal controls
– ME3 Oversee IT governance
– ME4 Ensure regulatory compliance
10. Auditing IT Compliance
CobIT results
CobIT: IT Control Framework
Maturity Measurement & Reporting
Maturity scale (ranking):
0 – Inexistent: processes are not applied at all
1 – Initial: processes are ad hoc & not organised
2 – Repeatable: processes follow a regular pattern
3 – Defined: processes are documented & communicated
4 – Managed: processes are monitored & measured
5 – Optimized: processes are optimized & automated
Symbols placed on the scale mark:
– Current status of the organisation
– Goal of the organisation
– International standard
– Industry “best practice”
CobIT
What is COBIT used for in practice? (Results from surveys)
To improve audit approach/programs
To support audit work with detailed audit guidelines
To provide guidance for IT governance
As a valuable benchmark for IT control
To manage IT risks
To improve IT controls
To standardise audit approach/programs
To communicate with management, auditors and IT
11. Auditing IT Compliance
Conclusion
[Diagram: compliance cycle with Design, Implement, Monitor and Assess arranged around Compliance]
Relevant organisations in Belgium
• ISACA
– http://www.isaca.be
– http://www.isaca.org
• ISSA
– http://www.issa-be.org
– http://www.issa.org
• IIA
– http://www.iia.be
– http://www.iia.org
12. Auditing IT Compliance
Contact information
Mr. Marc Vael
Managing Director
Valuendo
Kriebrugstraat 33
1760 Roosdaal
Belgium
T: +32 5 433 61 93
M: +32 473 99 30 31
E: mvael@valuendo.com