IT Policies, Standards and Technical Directives
Sarah Cortes, PMP, CISA
www.inmantechnologyIT.com
Sarah’s blog: SecurityWatch
Sarah’s ITtechEx column
twitter: SecuritySpy
LinkedIn: Sarah Cortes

07/19/09        Copyright 2009 Sarah Cortes               1
Agenda

• Who are we?
• Purpose?
• Standards Frameworks
• COBIT Framework
• ISACA Framework
• Case Study


Sarah Cortes, PMP, CISA
    Clients:
       •   Harvard University
       •   Biogen
       •   Fidelity

    Professional Associations:
       •   Sarah is a member of the AIM Advisory Board on Data Privacy Laws to the
           Massachusetts Legislature

    Practice expertise
       •   Complex Application Development/Implementation
       •   IT Security/Privacy/Risk Management/Audit Management
       •   Data Center Operations Management
       •   Disaster Recovery/High Availability
       •   Program/Project Management

    Background
       •   SVP in charge of Security, DR, IT Audit, and some Data Center Operations at
           Putnam Investments
       •   As head of DR, ran Putnam's failover during 9/11 when parent Marsh McLennan
           failed over to our facility from the World Trade Center 99th floor data center
       •   Coordinated over 65 audits per year
       •   Previously ran major applications development for Trading/Analytics Systems


Standards Overview

ISO/IEC 27000 - International Organization for Standardization / International Electrotechnical Commission

ITIL - Information Technology Infrastructure Library

NIST - National Institute of Standards and Technology

PMBOK - Project Management Body of Knowledge

TOGAF - The Open Group Architecture Framework

CMMI for Development - Capability Maturity Model Integration, successor to SEI’s CMM (Capability Maturity Model) for software (SEI is the US DoD-sponsored Software Engineering Institute)

COBIT - Control Objectives for Information and related Technology, from ISACA (Information Systems Audit and Control Association)
Is the Purpose to…?

• Drive you crazy?
• Waste your precious resources on a pointless task that will soon be out of date?
• Serve as evidence to be used against you later?
Could policies help…?

• Save you after you have already gotten into trouble?
• Attempt, however lamely, to keep you out of trouble?
• Prove that, however obvious the trouble is, it is not your fault?
                      Calling in the Experts




Did you know…?

• Seven out of ten attacks are from…




You may be wondering…

• Why develop and document IT policies, standards and technical directives?
• Is it really worth it? What’s in it for me?
• Who will pay for the resources thus diverted?
COBIT Control Objectives - Overview

• PLAN AND ORGANISE - 10
• ACQUIRE AND IMPLEMENT - 7
• DELIVER AND SUPPORT - 13
• MONITOR AND EVALUATE - 4
• Total - 34
COBIT Control Objectives - PLAN AND ORGANISE

• PO1 Define a Strategic IT Plan
• PO2 Define the Information Architecture
• PO3 Determine Technological Direction
• PO4 Define the IT Processes, Organization and Relationships
• PO5 Manage the IT Investment
• PO6 Communicate Management Aims and Direction
• PO7 Manage IT Human Resources
• PO8 Manage Quality
• PO9 Assess and Manage IT Risks
• PO10 Manage Projects
COBIT Control Objectives - ACQUIRE AND IMPLEMENT

• AI1 Identify Automated Solutions
• AI2 Acquire and Maintain Application Software
• AI3 Acquire and Maintain Technology Infrastructure
• AI4 Enable Operation and Use
• AI5 Procure IT Resources
• AI6 Manage Changes
• AI7 Install and Accredit Solutions and Changes




COBIT Control Objectives - DELIVER AND SUPPORT

• DS1 Define and Manage Service Levels
• DS2 Manage Third-party Services
• DS3 Manage Performance and Capacity
• DS4 Ensure Continuous Service
• DS5 Ensure Systems Security
• DS6 Identify and Allocate Costs
• DS7 Educate and Train Users
• DS8 Manage Service Desk and Incidents
• DS9 Manage the Configuration
• DS10 Manage Problems
• DS11 Manage Data
• DS12 Manage the Physical Environment
• DS13 Manage Operations
COBIT Control Objectives - MONITOR AND EVALUATE

• ME1 Monitor and Evaluate IT Performance
• ME2 Monitor and Evaluate Internal Control
• ME3 Ensure Regulatory Compliance
• ME4 Provide IT Governance




COBIT Control Objectives - DS5 Ensure Systems Security

• DS5.1 Management of IT Security
• DS5.2 IT Security Plan
• DS5.3 Identity Management
• DS5.4 User Account Management
• DS5.5 Security Testing, Surveillance and Monitoring
• DS5.6 Security Incident Definition
• DS5.7 Protection of Security Technology
• DS5.8 Cryptographic Key Management
• DS5.9 Malicious Software Prevention, Detection and Correction
• DS5.10 Network Security
• DS5.11 Exchange of Sensitive Data
ISACA Standards, Guidelines & Procedures

IS Guidelines:
• G18 IT Governance
• G20 Reporting
• G21 Enterprise Resource Planning (ERP) Systems
• G22 Business to Consumer (B2C) E-commerce
• G23 System Development Life Cycle (SDLC)
• G24 Internet Banking
• G25 Review of Virtual Private Networks
• G26 Business Process Reengineering (BPR) Project
• G27 Mobile Computing
• G28 Computer Forensics
• G29 Post Implementation Review
• G30 Competence
• G31 Privacy
• G32 Business Continuity Plan (BCP) - IT Perspective
• G33 General Considerations on the Use of Internet
• G34 Responsibility, Authority and Accountability
• G35 Follow-up Activities
• G36 Biometric Controls
• G38 Access Controls
• G39 IT Organization
• G40 Review of Security Management Practices

IS Procedures:
• P01 IS Risk Assessment Measurement
• P02 Digital Signatures
• P03 Intrusion Detection
• P04 Viruses and Other Malicious Logic
• P05 Control Risk Self-assessment
• P06 Firewalls
• P07 Irregularities and Illegal Acts
• P08 Security - Penetration Testing / Vulnerability Analysis
• P09 Management Controls Over Encryption Methodologies
• P10 Business Application Change Control
• P11 Electronic Funds Transfer (EFT)


Company A Process

• Over 50 subsidiaries
• Over 30,000 employees worldwide
• Over 12,000 employees in Boston area
• Over 250 IT Policy categories
• Over 500 Technical directives
• Periodic Advisory Board Review process


Company A Issues

• Who, specifically by name, is responsible for ensuring policies & standards are applied? (designated scapegoat)
• Need to break down policy categories into specific policy elements (1 policy becomes 100 policies)
• A policy begets formal training and training recordkeeping (applications unto themselves)

Company A Issues (continued)

• “Required,” “Recommended,” or “Highly Recommended?” (the shell game)
• Need to self-assess at the policy element level (a/k/a your new full-time job)





Connecting the Dots in Product Design at KAYAKUXDXConf
 
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdfSimplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdfFIDO Alliance
 
Introduction to Open Source RAG and RAG Evaluation
Introduction to Open Source RAG and RAG EvaluationIntroduction to Open Source RAG and RAG Evaluation
Introduction to Open Source RAG and RAG EvaluationZilliz
 
Intro in Product Management - Коротко про професію продакт менеджера
Intro in Product Management - Коротко про професію продакт менеджераIntro in Product Management - Коротко про професію продакт менеджера
Intro in Product Management - Коротко про професію продакт менеджераMark Opanasiuk
 
UiPath Test Automation using UiPath Test Suite series, part 1
UiPath Test Automation using UiPath Test Suite series, part 1UiPath Test Automation using UiPath Test Suite series, part 1
UiPath Test Automation using UiPath Test Suite series, part 1DianaGray10
 
SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...
SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...
SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...CzechDreamin
 

Último (20)

Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdfIntroduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
 
IESVE for Early Stage Design and Planning
IESVE for Early Stage Design and PlanningIESVE for Early Stage Design and Planning
IESVE for Early Stage Design and Planning
 
10 Differences between Sales Cloud and CPQ, Blanka Doktorová
10 Differences between Sales Cloud and CPQ, Blanka Doktorová10 Differences between Sales Cloud and CPQ, Blanka Doktorová
10 Differences between Sales Cloud and CPQ, Blanka Doktorová
 
AI revolution and Salesforce, Jiří Karpíšek
AI revolution and Salesforce, Jiří KarpíšekAI revolution and Salesforce, Jiří Karpíšek
AI revolution and Salesforce, Jiří Karpíšek
 
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdfThe Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
 
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)
 
Free and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
Free and Effective: Making Flows Publicly Accessible, Yumi IbrahimzadeFree and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
Free and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
 
Salesforce Adoption – Metrics, Methods, and Motivation, Antone Kom
Salesforce Adoption – Metrics, Methods, and Motivation, Antone KomSalesforce Adoption – Metrics, Methods, and Motivation, Antone Kom
Salesforce Adoption – Metrics, Methods, and Motivation, Antone Kom
 
WSO2CONMay2024OpenSourceConferenceDebrief.pptx
WSO2CONMay2024OpenSourceConferenceDebrief.pptxWSO2CONMay2024OpenSourceConferenceDebrief.pptx
WSO2CONMay2024OpenSourceConferenceDebrief.pptx
 
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya HalderCustom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder
 
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...
 
Buy Epson EcoTank L3210 Colour Printer Online.pdf
Buy Epson EcoTank L3210 Colour Printer Online.pdfBuy Epson EcoTank L3210 Colour Printer Online.pdf
Buy Epson EcoTank L3210 Colour Printer Online.pdf
 
Buy Epson EcoTank L3210 Colour Printer Online.pptx
Buy Epson EcoTank L3210 Colour Printer Online.pptxBuy Epson EcoTank L3210 Colour Printer Online.pptx
Buy Epson EcoTank L3210 Colour Printer Online.pptx
 
Extensible Python: Robustness through Addition - PyCon 2024
Extensible Python: Robustness through Addition - PyCon 2024Extensible Python: Robustness through Addition - PyCon 2024
Extensible Python: Robustness through Addition - PyCon 2024
 
Connecting the Dots in Product Design at KAYAK
Connecting the Dots in Product Design at KAYAKConnecting the Dots in Product Design at KAYAK
Connecting the Dots in Product Design at KAYAK
 
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdfSimplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
 
Introduction to Open Source RAG and RAG Evaluation
Introduction to Open Source RAG and RAG EvaluationIntroduction to Open Source RAG and RAG Evaluation
Introduction to Open Source RAG and RAG Evaluation
 
Intro in Product Management - Коротко про професію продакт менеджера
Intro in Product Management - Коротко про професію продакт менеджераIntro in Product Management - Коротко про професію продакт менеджера
Intro in Product Management - Коротко про професію продакт менеджера
 
UiPath Test Automation using UiPath Test Suite series, part 1
UiPath Test Automation using UiPath Test Suite series, part 1UiPath Test Automation using UiPath Test Suite series, part 1
UiPath Test Automation using UiPath Test Suite series, part 1
 
SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...
SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...
SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...
 

COBIT and IT Policy Presentation

1. IT Policies, Standards and Technical Directives
   Sarah Cortes, PMP, CISA
   www.inmantechnologyIT.com
   Sarah’s blog: SecurityWatch
   Sarah’s ITtechEx column
   twitter: SecuritySpy
   LinkedIn: Sarah Cortes

2. IT Policies, Standards and Technical Directives
   Agenda
   • Who are we?
   • Purpose?
   • Standards Frameworks
   • COBIT Framework
   • ISACA Framework
   • Case Study

3. Sarah Cortes, PMP, CISA
   Clients:
   • Harvard University
   • Biogen
   • Fidelity
   Professional Associations:
   • Sarah is a member of the AIM Advisory Board on Data Privacy Laws to the Massachusetts Legislature
   Practice expertise
   • Complex Application Development/Implementation
   • IT Security/Privacy/Risk Management/Audit Management
   • Data Center Operations Management
   • Disaster Recovery/High Availability
   • Program/Project Management
   Background
   • SVP in charge of Security, DR, IT Audit, and some Data Center Operations at Putnam Investments
   • As head of DR, ran Putnam's failover during 9/11 when parent Marsh McLennan failed over to our facility from the World Trade Center 99th floor data center
   • Coordinated over 65 audits per year
   • Previously ran major applications development for Trading/Analytics Systems

4. IT Policies, Standards and Technical Directives
   Standards Overview
   • ISO/IEC 27000 - International Organization for Standardization/International Electrotechnical Commission
   • ITIL – Information Technology Infrastructure Library
   • NIST - National Institute of Standards and Technology
   • PMBOK – Project Management Body of Knowledge
   • TOGAF - The Open Group Architecture Framework
   • CMMI for Development - Capability Maturity Model Integration
   • SEI’s CMM (Capability Maturity Model) for SW
   • (US DoD) Software Engineering Institute
   • COBIT - Control Objectives for Information & related Technology
   • Information Systems Audit and Control Association

5. IT Policies, Standards and Technical Directives
   Is the Purpose to…?
   • Drive you crazy?
   • Waste your precious resources in a pointless task that will soon be out of date?
   • Serve as evidence to be used against you later?

6. IT Policies, Standards and Technical Directives
   Could policies help….?
   • Save you after you have already gotten into trouble?
   • Attempt, however lamely, to keep you out of trouble
   • Prove that, however obvious the trouble is, it is not your fault

7. IT Policies, Standards and Technical Directives
   Calling in the Experts

8. IT Policies, Standards and Technical Directives
   Did you know….?
   • Seven out of ten attacks are from…

9. IT Policies, Standards and Technical Directives
   You may be wondering…
   • Why develop and document IT policies, standards and technical directives?
   • Is it really worth it? What’s in it for me?
   • Who will pay for the resources thusly diverted?

10. IT Policies, Standards and Technical Directives
    COBIT Control Objectives - Overview
    • PLAN AND ORGANISE - 10
    • ACQUIRE AND IMPLEMENT - 7
    • DELIVER AND SUPPORT - 13
    • MONITOR AND EVALUATE – 4
    • Total - 34

11. IT Policies, Standards and Technical Directives
    COBIT Control Objectives - PLAN AND ORGANISE
    • PO1 Define a Strategic IT Plan
    • PO2 Define the Information Architecture
    • PO3 Determine Technological Direction
    • PO4 Define the IT Processes, Organization and Relationships
    • PO5 Manage the IT Investment
    • PO6 Communicate Management Aims and Direction
    • PO7 Manage IT Human Resources
    • PO8 Manage Quality
    • PO9 Assess and Manage IT Risks
    • PO10 Manage Projects

12. IT Policies, Standards and Technical Directives
    COBIT Control Objectives - ACQUIRE AND IMPLEMENT
    • AI1 Identify Automated Solutions
    • AI2 Acquire and Maintain Application Software
    • AI3 Acquire and Maintain Technology Infrastructure
    • AI4 Enable Operation and Use
    • AI5 Procure IT Resources
    • AI6 Manage Changes
    • AI7 Install and Accredit Solutions and Changes

13. IT Policies, Standards and Technical Directives
    COBIT Control Objectives - DELIVER AND SUPPORT
    • DS1 Define and Manage Service Levels
    • DS2 Manage Third-party Services
    • DS3 Manage Performance and Capacity
    • DS4 Ensure Continuous Service
    • DS5 Ensure Systems Security
    • DS6 Identify and Allocate Costs
    • DS7 Educate and Train Users
    • DS8 Manage Service Desk and Incidents
    • DS9 Manage the Configuration
    • DS10 Manage Problems
    • DS11 Manage Data
    • DS12 Manage the Physical Environment
    • DS13 Manage Operations

14. IT Policies, Standards and Technical Directives
    COBIT Control Objectives – MONITOR AND EVALUATE
    • ME1 Monitor and Evaluate IT Performance
    • ME2 Monitor and Evaluate Internal Control
    • ME3 Ensure Regulatory Compliance
    • ME4 Provide IT Governance

15. IT Policies, Standards and Technical Directives
    COBIT Control Objectives – DS5 Ensure Systems Security
    • DS5.1 Management of IT Security
    • DS5.2 IT Security Plan
    • DS5.3 Identity Management
    • DS5.4 User Account Management
    • DS5.5 Security Testing, Surveillance and Monitoring
    • DS5.6 Security Incident Definition
    • DS5.7 Protection of Security Technology
    • DS5.8 Cryptographic Key Management
    • DS5.9 Malicious SW Prevention, Detection, Correction
    • DS5.10 Network Security
    • DS5.11 Exchange of Sensitive Data

16. IT Policies, Standards and Technical Directives
    ISACA Standards, Guidelines & Procedures
    • IS Guideline: G18 IT Governance
    • IS Guideline: G20 Reporting
    • IS Guideline: G21 Enterprise Resource Planning (ERP) Systems
    • IS Guideline: G22 Business to Consumer (B2C) E-commerce
    • IS Guideline: G23 System Development Life Cycle (SDLC)
    • IS Guideline: G24 Internet Banking
    • IS Guideline: G25 Review of Virtual Private Networks
    • IS Guideline: G26 Business Process Reengineering (BPR) Project
    • IS Guideline: G27 Mobile Computing
    • IS Guideline: G28 Computer Forensics
    • IS Guideline: G29 Post Implementation Review
    • IS Guideline: G30 Competence
    • IS Guideline: G31 Privacy
    • IS Guideline: G32 Business Continuity Plan (BCP)-IT Perspective
    • IS Guideline: G33 General Considerations on the Use of Internet
    • IS Guideline: G34 Responsibility, Authority and Accountability
    • IS Guideline: G35 Follow-up Activities

17. IT Policies, Standards and Technical Directives
    ISACA Standards, Guidelines & Procedures
    • IS Guideline: G36 Biometric Controls
    • IS Guideline: G38 Access Controls
    • IS Guideline: G39 IT Organization
    • IS Guideline: G40 Review of Security Management Practices
    • IS Procedure: P01 IS Risk Assessment Measurement
    • IS Procedure: P02 Digital Signatures
    • IS Procedure: P03 Intrusion Detection
    • IS Procedure: P04 Viruses and Other Malicious Logic
    • IS Procedure: P05 Control Risk Self-assessment
    • IS Procedure: P06 Firewalls
    • IS Procedure: P07 Irregularities and Illegal Acts
    • IS Procedure: P08 Security-Pen Testing/Vulnerability Analysis
    • IS Procedure: P09 Mgt Controls Over Encryption Methodologies
    • IS Procedure: P10 Business Application Change Control
    • IS Procedure: P11 Electronic Funds Transfer (EFT)

18. IT Policies, Standards and Technical Directives
    Company A Process
    • Over 50 subsidiaries
    • Over 30,000 employees worldwide
    • Over 12,000 employees in Boston area
    • Over 250 IT Policy categories
    • Over 500 Technical directives
    • Periodic Advisory Board Review process

19. IT Policies, Standards and Technical Directives
    Company A Issues
    • Who, specifically by name, is responsible for ensuring policies & standards are applied? (designated scapegoat)
    • Need to break down policy categories into specific policy elements (1 policy becomes 100 policies)
    • A policy begets formal training and training recordkeeping (applications unto themselves)

20. IT Policies, Standards and Technical Directives
    Company A Issues
    • “Required,” “Recommended,” or “Highly Recommended?” (the shell game)
    • Need to self-assess at the policy element level (a/k/a your new full-time job)