Transcript
Auditing IT Compliance

Slide 1: Auditing IT compliance: a practical approach (EEMA)
November 2005
Mr. Marc Vael, Managing Director, Valuendo
© 2005 Valuendo. All rights reserved. INFORMATION CLASSIFICATION = PUBLIC
Handout footer: Marc Vael, EEMA, Valuendo, November 2005

Slide 2: Agenda
In this session an answer will be given on:
- How to manage IT risks & compliance within an organisation using CobIT, the IT governance standard;
- How to present the results of IT risk & compliance audits?
Slide 3: Introduction
Marc Vael, Managing Director, Valuendo (value & do) since July 2001
Education:
- Master Applied Economics (UAntwerp)
- Master Information Management (UHasselt)
- Master+ Applied Economics & ICT (KUL)
Core services:
- ERM
- IT Governance
- Information Security Management
- Business Continuity / Disaster Recovery
- Crisis Management
- Data Privacy & Protection
- IT Audit & Compliance
Certifications: CISA / CISM / CISSP / ITIL Service Manager

Slide 4: Introduction
(Compliance) audits are executed by independent (internal/external) skilled parties and result in a report for the board of directors, executive management and/or external parties in order to provide comfort/assurance.
- Scope (what & what not)
- Execution (D O T)
- Facts based (documentation / reports / tests)
- Reporting (Obs / Risk / Rec)

Slide 5: Introduction
[Figure: compliance cycle with the stages Assess, Design, Implement and Monitor arranged around Compliance]

Slide 6: Need for Audit & Compliance
- New legislation & regulation: assurance on internal control
- Stress on governance & responsibility of directors
- Pervasiveness & importance of IT
- Beyond financial risk: towards risks that adversely affect the organisation's ability to achieve its objectives and execute its strategies
- SMEs (small and medium-sized enterprises)
Examples: Sarbanes-Oxley (SOx), Basel II, GLBA, HIPAA, Code Lippens, Code Buysse

Slide 7: Need for Audit & Compliance: new management practices
IT Governance: a structure of IT relationships & processes to direct and control the enterprise to achieve the enterprise's goals by adding value while balancing risk vs. return over IT and its processes.
IT Manageability:
- New tools for management to self-assess and make choices for control implementation and improvements
- Ability to align the IT organisation with the goals of the enterprise
- Performance measurements that ensure that these goals are achieved

Slide 8: IT Governance Compliance (section title)

Slide 9: IT Governance Compliance: implementing control & governance
Drivers:
- Compliance with law, standards and regulations
- Cost reduction
- Mission & goals
- Performance improvement
- Risk reduction
- Reputation and trust
- Competitive environment
- Corporate values
- Political/economic environment
Inhibitors:
- Budget limitations
- Availability of skilled staff
- Management awareness
- Management commitment
- Lack of ownership
- Existing architecture
- No easy solution
- Resource conflicts/priorities
- Lack of tools
- Political/economic environment

Slide 10: (blank slide)

Slides 11 and 12: CobIT & IT Governance Compliance: link between COBIT and IT governance
[Figure: two versions of the same diagram. Labels: Business, IT, Governance, COBIT; Direction (IT strategy & policy); Requirements; Goals; Objectives; Responsibilities; Control; Information (IT control, risk & assurance); "the information the executive and board need to exercise their responsibilities"; "the information the business needs to achieve its objectives"; IT Governance.]

Slide 13: CobIT: IT Control Framework
COBIT's vision: to be the (de facto) model for IT governance.
COBIT's mission: to research, develop, publicise and promote an authoritative, up-to-date, international set of generally accepted IT control objectives for day-to-day use by business managers & auditors.
Definition of control: the policies, procedures, practices and organisational structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected.
Definition of IT control objective: a statement of the desired result or purpose to be achieved by implementing control practices in a particular IT activity.

Slide 14: CobIT: IT Control Framework: basic principles
- Generally applicable & internationally accepted open standard
- Regardless of technology
- Starting from business requirements for information
- Management- and business-process-owner-oriented
- Includes existing standards and techniques
Risk assessment concepts:
- Business risk / value assessment
- Assurance planning and scoping
- Control evaluation and testing
- Control and process maturity (self-assessment)
- Substantiating risk and effective reporting
First published in 1996; the 4th edition is planned for end 2005.

Slide 15: CobIT: IT Control Framework: product family
- Executive Summary
- Framework with high-level control objectives
- Detailed Control Objectives
- Management Guidelines: Maturity Models, Critical Success Factors, Key Goal Indicators, Key Performance Indicators
- Audit Guidelines
- Control Practices
- Implementation Guide: road map for implementation, planning tools and templates, presentations, awareness and diagnostic tools

Slide 16: CobIT: IT Control Framework: relationship between IT resources & business requirements
Business requirements (information criteria): effectiveness, efficiency, confidentiality, integrity, availability, compliance, reliability
IT resources: people, information, applications, infrastructure
IT processes (domains): Plan and Organise; Acquire and Implement; Deliver and Support; Monitor and Evaluate

Slide 17: CobIT framework: 4 domains, 34 processes, 318 control objectives
Business objectives are expressed through the criteria effectiveness, efficiency, confidentiality, integrity, availability, compliance and reliability; IT resources are information, applications, infrastructure and people.
Plan and Organise:
- PO1 Define a strategic IT plan
- PO2 Define the information architecture
- PO3 Determine the technological direction
- PO4 Define the IT organisation and relationships
- PO5 Manage the IT investment
- PO6 Communicate management aims and direction
- PO7 Manage human resources
- PO8 Ensure compliance with external requirements
- PO9 Assess risks
- PO10 Manage projects
- PO11 Manage quality
Acquire and Implement:
- AI1 Identify automated solutions
- AI2 Acquire and maintain application software
- AI3 Acquire and maintain technology infrastructure
- AI4 Develop and maintain procedures
- AI5 Install and accredit systems
- AI6 Manage changes
Deliver and Support:
- DS1 Define and manage service levels
- DS2 Manage third-party services
- DS3 Manage performance and capacity
- DS4 Ensure continuous service
- DS5 Ensure systems security
- DS6 Identify and allocate costs
- DS7 Educate and train users
- DS8 Assist and advise customers
- DS9 Manage the configuration
- DS10 Manage problems and incidents
- DS11 Manage data
- DS12 Manage facilities
- DS13 Manage operations
Monitor and Evaluate:
- ME1 Manage IT performance
- ME2 Monitor internal controls
- ME3 Oversee IT governance
- ME4 Ensure regulatory compliance

Slide 18: (blank slide)

Slide 19: CobIT results: maturity measurement & reporting
Scale: 0 Non-existent, 1 Initial, 2 Repeatable, 3 Defined, 4 Managed, 5 Optimised
Ranking:
- 0: Processes are not applied at all
- 1: Processes are ad hoc & not organised
- 2: Processes follow a regular pattern
- 3: Processes are documented & communicated
- 4: Processes are monitored & measured
- 5: Processes are optimised & automated
Symbols on the scale: current status of the organisation; goal of the organisation; international standard; industry best practice

Slide 20: CobIT: what is COBIT used for in practice? (results from surveys)
- To improve audit approach/programs
- To support audit work with detailed audit guidelines
- To provide guidance for IT governance
- As a valuable benchmark for IT control
- To manage IT risks
- To improve IT controls
- To standardise audit approach/programs
- To communicate with management, auditors and IT

Slide 21: Conclusion
[Figure: the compliance cycle from slide 5 repeated: Assess, Design, Implement and Monitor arranged around Compliance]

Slide 22: Relevant organisations in Belgium
- ISACA: http://www.isaca.be, http://www.isaca.org
- ISSA: http://www.issa-be.org, http://www.issa.org
- IIA: http://www.iia.be, http://www.iia.org

Slide 23: Contact information
Mr. Marc Vael, Managing Director, Valuendo
Kriebrugstraat 33, 1760 Roosdaal, Belgium
T: +32 5 433 61 93
M: +32 473 99 30 31
E: [email protected]
E: mvael@valuendo.com