A Governance and Management System for POPI, ISO 27001, CGICT, King IV (ISACA presentation, 52 slides)

Uploaded Apr 25, 2018 by vokien

  • A Governance and Management System for

    POPI, ISO 27001, CGICT, King IV

    info@itgovernance.com

    www.itgovernance.com

    0825588732

    +44-(0) 81333180 2012 IT Governance Network. All Rights Reserved.

  • Biography: Peter Hill

    2

    PROCESS as a foundation for:

    Governance Framework

    Management System

    POPI Implementation

    Information Security

    Supplier Management

    Service Integration (SIAM)

    COBIT 5 Capability Assessment Tool

    POPI / GDPR (2009 - 2016)

    POPI Management System

    Privacy Impact Assessments

    Information Officers

    ISO 19600 Compliance Management System

    ISO 27001 Information Security Management System

    ISO 30301 Records Management System

    ISO 31000 Risk Management System

    Director of the IT Governance Network, Capability Certification Services

    Previously: partner with Deloitte, director of N:Crypt and zenAptix

    Worked as an IT auditor, programmer, IT manager, in Security R&D and in Privacy

    Pioneering IT governance since 1992

    Extensive knowledge and experience working with COBIT since 1996

    First COBIT workshop for ISACA presented at EuroCACS in 1997

    20 years of COBIT training: Basics, Fundamentals, Foundation, Assessor, Implementation, Advanced, IT Governance Framework, COBIT Management System, APO 13 Security Management, Using COBIT for POPI (Privacy)

  • Agenda

    3

    What is a Governance and Management System?

    Leveraging resources requires accountability and responsibility

    Governance and Management System for POPI

    Using ISO 27001 to manage Information Security

    Implementing Cloud Computing and Cyber Security controls

    Illustrations throughout.

  • ISO 38500: A Model for Corporate Governance of IT

    4

    [Diagram: Corporate Governance of ICT, driven by business pressures and business needs, is exercised through three tasks: Evaluate, Direct and Monitor. Direction reaches ICT Projects and ICT Operations as plans, policies and processes; proposals, conformance and performance reporting flow back up for monitoring. Business processes sit beneath the ICT layer.]

  • 5

    Governance and Management Dashboard

    POPI ISO 27001 CGICTPF / COBIT

  • 6

    Corporate Governance of ICT: Interrelationship of frameworks

    [Diagram: layers arranged from Corporate Governance at the top (the WHAT) down through Corporate Governance of ICT, Governance of ICT and ICT Management to Operations at the bottom (the HOW), plotted against scope of coverage. King III and ISO/IEC 38500 address the corporate governance layers, COBIT 5 spans governance and management of ICT, and various operational frameworks such as ITIL and ISO 27001 cover operations.]

  • Governance and management System

    for CGICT 7

  • Multiple Layers

  • Separating Governance Roles

    from Management Roles 9

  • Plan and Execute

    Monitor Progress 11

  • Build Capability - level 2.1 and 2.2 12

    Level 2 1. Manage Performance and 2. Manage Work Products

  • Continuous Improvement Road

    at Capability Level 1.1 13

  • Capability Assessments

    Assessor Rating 14

  • Capability Profile level 1.1

    15

  • Governance and management System

    for POPI using COBIT processes 16

  • A Governance and Management System

    for POPI using ISO 27001 and COBIT 17

    Policy about

    POPI and Lawful Processing

    ISO 27001

    COBIT 5

    CGICT PF

  • Illustration of a Governance and Management System

    [Diagram: Corporate Governance (Evaluate, Direct, Monitor) defines the WHAT: goals for Cyber Security, Privacy (POPI), Capability Improvement and Value Creation, each process carrying its own GOALS. Management delivers the HOW through the Plan, Build, Run and Monitor life cycle, with each New/Changed Service passing through the processes Budgets and Accounting, Security Management, Capacity Management, Continuity and Availability Management, Service Level Management, Incident Management, Problem Management, Configuration Management, Change Management, Supplier Management, Business Relationship Management and Service Reporting.]

    Establish accountability

    Assign responsibility

    Align work with outcomes

    Monitor progress

  • 19

    A Governance and Management System

    Corporate governance is the system by which a governing body exercises ethical and effective leadership to establish an ethical culture; sustainable performance and value-creation; adequate and effective control by the governing body; and trust in the organisation, its reputation and legitimacy.

    Organisations often use a wide variety of resources and governance mechanisms to achieve their purpose, strategic goals and to fulfil the broader needs of stakeholders. Leveraging resources requires the establishment of accountability, assignment of responsibility and transparency and fairness in the way work gets done.

    While governing bodies are expected to be pro-active in ensuring that information assets are leveraged for growth, there are few tools actually available that provide governing bodies with sufficient oversight.

    A governance and management system provides an integrated solution that brings the governors and the managers together and provides a holistic approach for them to effectively govern and manage the current and future use of technology and information. Better governance and good management are key requirements of the Protection of Personal Information Act (POPI).

  • COBIT: GOVERNANCE and MANAGEMENT SYSTEM 20

    A GOVERNANCE and MANAGEMENT system provides the means to institutionalise the enablers of good corporate governance. People (organisational structure, frameworks, skill and culture), process, technology and information come together in an integrated governance and management system to build capability that enables the creation of value and supports the achievement of the business' and organisation's strategic goals.

    Frameworks shown: KING IV

    ISO 38500

    ISO 9001

    ISO 20000

    ISO 21500

    ISO 27001

    ISO 31000

  • 21

    Multiple frameworks to Govern and Manage

  • 22

    Privacy Management System


  • Privacy Management System

  • Governance and Management System

    for ISO 27001 24

    Framework Activities

  • Governance and Management System

    for ISO 27001 25

    Selected Activity

  • Governance and Management System

    for ISO 27001 26

    Linked to Operations

  • Governance and Management System

    for ISO 27001 27

    Performed Activity

  • Vulnerabilities Knowledgebase

    28

  • Knowledgebase of Safeguards

    29

  • Tracking Safeguard Implementation

    30

  • 31

    Risk Register

    For a detailed risk register, the Risk Manager (or another role with access) should select all (or per process) activities of a specified:

    Vulnerability, and/or

    Risk type, and/or

    Risk impact on business, and/or

    Risk level, and/or

    Risk response, and/or

    Remediation priority, and/or

    Last audit finding

  • Maintain a Risk Register

    32

  • 33

    Maintain various Controls Library

    Sources:

    Controls as per Framework (or framework area)

    Controls assessed in the operational environment

    Controls set per tracker = Control

  • 34

    Maintain various Controls Library

    Cloud Computing:

  • 35

    Workflow status for tracker = Control

    Control status can be changed by authorized roles

    Report on number of controls at each status

    Unreliable

    Informal

    Standardized

    Monitoring

    Optimized

  • 36

    Repository of evidence supporting

    performed activities

    Evidence reviewed by the auditor

    Uploaded document

    Attached screen capture

    Notes written

    Checklist completed

    Links to another source.

  • 37

    Audit Planning

    For each selected COBIT process, and the selected activity:

    Add a high-level framework to specify scope (POPI, ISO 27001, Legal Register, etc.) and

    Add one or more audit actions (with tracker = audit)

    With or without subtasks

    Per calendar period

    Per capability level.

  • 38

    Add audit comments

    Include public and private comments for each audit activity

    Use pre-defined templates to specify Audit Steps or documentation requirements

    Use Checklists to refine % Done measurements.

  • 39

    Collect additional information

    Use custom fields (lists, text, dropdown list, etc.)

    Business units

    Special characteristics

    Additional details.

  • 40

    Collect additional information for the Information Officer (POPI)

    Needed for a Privacy Impact Assessment

  • 41

    Knowledgebase

    Used for the IT Legal Register

    Contains relevant sections of the Act

    Contains link to complete Act

    Contains links to issues that address the Act

    Used for Security Policy

    Contains policy clauses

    Shows links to implementation activities

    Used for control requirements of a standard or model

    Contains policy clauses

    Shows links to control implementation.

  • 42

    Knowledgebase

    Vulnerability Register

    Contains details of threats (by process and category)

    Register for .

    Contains details of .

    Process specific practices

    Work instructions for staff

    Process specific information

    Access controlled at process level.

  • 43

    Uploads, Documents, Files

    Store templates (forms, checklists)

    Organised in groups

    Separate for each process

    With access control

    Download the template (e.g. Risk register.xls)

    Files

    Distribution of files

    Downloads numbered

    Validation control (hash)

    Version control.

  • 44

    Management Reports

    Inventory of Risks (by process/activity or theme)

    Inventory of Controls (by process/activity or theme)

    Status of Controls (by process or theme)

    Audit findings reports (by process, theme, activity)

    Assessor ratings reports (by process, theme, activity)

    Progress with process execution (activity status).

  • 45

    Centralised document repository

    By process

    With access control according to process rights

    Viewable online or downloadable.

  • 46

    IT Dashboard

    Status per Process area

    % Done per life-cycle phase

    Risk level per Type

    Risk level per Process

    Control Status

    Control % Done

    Capability level across Processes

    Assessor rating of % Process Attribute Achieved.

  • 47

    Dashboard

    Process with Privacy Risk

    Processes with overdue dates

    Login per IP address

    Status per process

    Time spent per process activity

    % Done ratio per process activity

    Target rating

    Status per Tracker

    Custom field on Tracker

    Custom field and Process.

  • 48

    Governance and Management Dashboard

    POPI ISO 27001 CGICTPF / COBIT

  • 49

    Summary of Features for the POPI Governance and management System

    System features:

    Gather information to plan privacy enhancing initiatives

    Identify new risks and respond to changes in vulnerability

    React to incidents, track responses and retain history logs

    Handle data subject complaints and information requests

    Implement policies across the operational environment

    Secure, role based access from multiple devices

    Provision staff with knowledge and work instructions

    Plan and coordinate privacy management activities

    Implement risk treatment plans

    Manage teams, provision work, choreograph workflow

    Manage resources for the privacy management system

    Maintain a central repository of artefacts

    Monitor and control the technical effort and time spent

    Control processors, service providers and contractors

    Control access to retained information

    Promptly respond to security events

    Validate third party assertions

    Audit internal controls and assess capability

    Privacy aware reporting of progress against plans

    Privacy aware governance and management dashboards.

  • Target Users

    50

    A governance and management system is an integrated, multi-purpose system to assist:

    a) CEO and responsible parties: achieve strategic objectives and regulatory compliance; retain documented information; verify operator compliance with agreements

    b) Information officers: handle data subject complaints and requests

    c) Responsible staff (and process owners): manage assigned responsibilities

    d) Operations management: schedule planned work and report progress; maintain history log of privacy events and actions

    e) Operators, service providers, contractors and third parties: adhere to instructions and report incidents

    f) Legal officer: manage statutory obligations and legal commitments

    g) POPI programme management: manage staff and third parties; implement improvements; provide detailed instructions, templates and wikis

    h) Information security management: protect personal information and respond to breaches

    i) Risk and compliance management: maintain risk and control libraries with status checks

    j) Auditors and capability assessors: perform assessments and report findings.

  • Endless Customisation

    51

  • 52

    Thank you

    IT Governance Network

    South Africa, US, UK, Switzerland

    +27 825588732

    +44 (0)20 81333180

    +1 302-5044408

    peter@itgovernance.com
