
2004 San Francisco ISACA Fall Conference

Session S23 Use of COBIT as a Risk Management & Audit Framework for Access Compliance

Presented on October 5, 2004 by Lance M. Turcato, CISM, CISA, CPA

Speaker

Lance M. Turcato, CISM, CISA, CPA

Managing Director, Access Assessment & Policy Compliance
Information Security Administration
Charles Schwab & Co., Inc.

Email: lance.turcato@schwab.com
Phone: 602-977-4376

Slide 2

Guest Speaker

Marta O'Shea, CISA

Senior Manager, Technology Infrastructure & Security Oversight
Internal Audit Department
Charles Schwab & Co., Inc.

Email: marta.oshea@schwab.com
Phone: 415-636-7348

Slide 3

Audience Poll

COBIT Knowledge

- First exposure?
- General understanding?
- Strong knowledge of COBIT framework?

Current Users of COBIT

- Incorporated into audit process?
- Adopted by IT management?
- Users of a framework other than COBIT?

Slide 4

Agenda

Topic (Page)

Overview of COBIT Framework
- COBIT Mission, Objectives, Scope, & Components (6)
- COBIT Role In IT Governance (7)
- COBIT Family (8)
- Framework (9)
- Control Objectives (17)
- Audit Guidelines (26)
- Management Guidelines (30)

COBIT As An Audit Framework
- Process for Implementing COBIT (40)
- Audit Approach Overview (47)

COBIT As A Risk Framework For Information Security
- Defining Security Requirements (60)
- Measuring Security & Assessing Risk (63)
- Available Tools (70)

Slide 5

Overview of COBIT Framework

Source of Information: IT Governance Institute (http://www.itgi.org/)

COBIT's Mission, Scope & Objectives

Mission: To research, develop, publicize and promote an authoritative, up-to-date, international set of generally accepted Information Technology Control Objectives for day-to-day use by business managers and auditors.

Scope & Objectives:

- Generally applicable and accepted international standard for good practice for Information Technology controls
- For application to enterprise-wide information systems, regardless of technology employed ("generic")
- Focused on business requirements for information
- Management - business process owner - oriented
- Based on IT Governance Institute Control Objectives
  - aligned with the de jure and de facto standards and regulations
  - based on critical review of tasks and activities or function
Slide 7

COBIT's Role In IT Governance

[Diagram: IT Governance Framework. Elements shown: IT Management Sets Measurable Goals; Deliver Against Goals; Measure Performance (Internal Audit); Compare Results; Address Gaps; Apply Consistent Control Framework.]

Slide 8

COBIT Family, 3rd Edition

[Diagram of the COBIT family of products, labelled: "There is a Method..."; "The Method Is..."; "Minimum Controls Are..."; "Here's How You Implement..."; "Here's How You Measure Your Performance"; "Here's How You Audit..."]

Slide 9

COBIT - Pieces of The Puzzle

Framework; Control Objectives; Audit Guidelines; Management Guidelines; Implementation Tool Set

Component - Primary Audience - Description:

- Executive Summary - Senior Executives (CEO, CIO) - Provides awareness on key concepts for Senior Management.
- Framework - Senior Operational Management (Directors of IT and IS Audit / Controls) - Describes 34 high-level objectives.
- Control Objectives - Middle Management (Mid-Level IT Management and IS Audit/Controls Managers / Seniors) - Statements of desired results by implementing 318 specific control objectives.
- Audit Guidelines - Line Management and Controls Practitioner (Applications or Operations Manager and Auditor) - Suggested audit procedures.
- Management Guidelines - Senior Operational Management, Director of IS, Mid-Level IT Management and IT Audit / Control Managers - Critical Success Factors, Key Performance Indicators, Key Goal Indicators, Maturity Model.
- Implementation Tool Set - Director of IS and Audit/Control, Mid-Level IS Management and IS Audit/Control Managers - Suggested implementation tools and implementation success stories.

Slide 10

COBIT As An IT Control Framework

Framework

- Starts from the premise that IT needs to deliver the information that the enterprise needs to achieve its objectives
- Promotes process focus and process ownership
- Divides IT into 34 processes belonging to four domains (providing a high level control objective for each process)
- Looks at fiduciary, quality and security needs of enterprises, providing seven information criteria that can be used to generically define what the business requires from IT
- Is supported by a set of over 300 detailed control objectives

IT Domains: Planning & Organization; Acquiring & Implementing; Delivery & Support; Monitoring

Information Criteria: Effectiveness; Efficiency; Availability; Integrity; Confidentiality; Reliability; Compliance

Slide 11

COBIT Framework - Components

Framework: IT Domains & Processes; Information Criteria = Business Requirements; IT Resources

[Diagram: the COBIT cube. Axes: Business Requirements (Quality, Fiduciary, Security); IT Processes (Domains, Processes, Activities); IT Resources (People, Application Systems, Technology, Facilities, Data).]

Slide 12

COBIT Domains of Processes & Activities

Framework

Domains: Natural grouping of processes, often matching an organizational domain of responsibility.

Processes: A series of joined activities with natural (control) breaks.

Activities: Actions needed to achieve a measurable result. Activities have a life-cycle whereas tasks are discrete.

Slide 13

Business Requirements

Framework

Business Requirements = Information Criteria

Quality Requirements: Quality; Cost; Delivery

Fiduciary Requirements (COSO Report): Effectiveness and Efficiency of Operations; Reliability of Financial Reporting; Compliance with Laws and Regulations

Security Requirements: Confidentiality; Integrity; Availability

Slide 14

IT Resources

Framework

- Data: Data objects in their widest sense (i.e., external and internal, structured and non-structured, graphics, sound, etc.)
- Application Systems: Understood to be the sum of manual and programmed procedures.
- Technology: Covers hardware, operating systems, database management systems, networking, multimedia, etc.
- Facilities: Resources to house and support information systems.
- People: Staff skills, awareness and productivity to plan, organize, acquire, deliver, support and monitor information systems and services.

Slide 15

COBIT Framework - Examples

Framework

IT Domains: Planning & Organization; Acquisition & Implementation; Delivery & Support; Monitoring

IT Processes: IT strategy; Change Management; Contingency Planning; Problem Management; Policy & Procedures; Feasibility Study; Acceptance Testing; etc.

Activities: record new problem; analyze; propose solution; monitor solution; record known problem; etc.

Slide 16

COBIT Framework Illustrated

Framework

COBIT's Golden Rule

"In order to provide the information that the organization needs to achieve its objectives, IT resources need to be managed by a set of naturally grouped processes."
- IT Governance Institute

Slide 17

Linking The Processes To Control Objectives

Control Objectives (34 High-level and 300+ Detailed Objectives)

COBIT's Waterfall and Navigation Aids, linking Process, Resource & Criteria

The Waterfall:

The control of IT Processes
which satisfy Business Requirements
is enabled by Control Statements
and considers Control Practices

[Navigation aid diagram: a matrix of the Process Domains (Planning & Organisation; Acquisition & Implementation; Delivery & Support; Monitoring) against the Information Criteria (effectiveness, efficiency, confidentiality, integrity, availability, compliance, reliability) and the IT Resources (people, application systems, technology, facilities, data).]

Slide 18

Linking The Processes To Control Objectives

Control Objectives (Example)

Control over the IT process of
DEFINING A STRATEGIC IT PLAN
that satisfies the business requirement
to strike an optimum balance of information technology opportunities and IT business requirements as well as ensuring its further accomplishment
is enabled by
a strategic planning process undertaken at regular intervals giving rise to long-term plans; the long-term plans should periodically be translated into operational plans setting clear and concrete short-term goals
and takes into consideration:
- enterprise business strategy
- definition of how IT supports the business objectives
- inventory of technological solutions and current infrastructure
- monitoring the technology markets
- timely feasibility studies and reality checks
- existing systems assessments
- enterprise position on risk, time-to-market, quality
- need for senior management buy-in, support and critical review

Slide 19

COBIT IT Processes/High-Level Objectives

Control Objectives

Planning and Organization
- PO 1 Define a Strategic IT Plan
- PO 2 Define the Information Architecture
- PO 3 Determine Technological Direction
- PO 4 Define the IT Organization and Relationships
- PO 5 Manage the IT Investment
- PO 6 Communicate Management Aims and Direction
- PO 7 Manage Human Resources
- PO 8 Ensure Compliance with External Requirements
- PO 9 Assess Risks
- PO 10 Manage Projects
- PO 11 Manage Quality

Slide 20

COBIT IT Processes/High-Level Objectives

Control Objectives

Acquisition and Implementation
- AI 1 Identify Automated Solutions
- AI 2 Acquire and Maintain Application Software
- AI 3 Acquire and Maintain Technology Infrastructure
- AI 4 Develop and Maintain Procedures
- AI 5 Install and Accredit Systems
- AI 6 Manage Changes

Slide 21

COBIT IT Processes/High-Level Objectives

Control Objectives

Delivery and Support
- DS 1 Define and Manage Service Levels
- DS 2 Manage Third-Party Services
- DS 3 Manage Performance and Capacity
- DS 4 Ensure Continuous Service
- DS 5 Ensure Systems Security
- DS 6 Identify and Allocate Costs
- DS 7 Educate and Train Users
- DS 8 Assist and Advise Customers
- DS 9 Manage the Configuration
- DS 10 Manage Problems and Incidents
- DS 11 Manage Data
- DS 12 Manage Facilities
- DS 13 Manage Operations

Slide 22

COBIT IT Processes/High-Level Objectives

Control Objectives

Monitoring
- M1 Monitor the Processes
- M2 Assess Internal Control Adequacy
- M3 Obtain Independent Assurance
- M4 Provide for Independent Audit

Slide 23

Example Control Objectives For A Process

Control Objectives

DOMAIN: Planning and Organization (PO)

PROCESS (High-level Control Objective): Define a Strategic IT Plan (PO 1)

DETAILED CONTROL OBJECTIVES:
- PO 1.1 IT as Part of the Organization's Long- and Short-Range Plan (see next slide)
- PO 1.2 IT Long-Range Plan
- PO 1.3 IT Long-Range Planning Approach and Structure
- PO 1.4 IT Long-Range Plan Changes
- PO 1.5 Short-Range Planning for the IT Function
- PO 1.6 Communication of IT Plans
- PO 1.7 Monitoring and Evaluating of IT Plans
- PO 1.8 Assessment of Existing Systems

Slide 24

Example Control Objectives For A Process

Control Objectives

DEFINE A STRATEGIC INFORMATION TECHNOLOGY PLAN (PO 1)

PO 1.1 - IT as Part of the Organization's Long- and Short-Range Plan

CONTROL OBJECTIVE

Senior management is responsible for developing and implementing long- and short-range plans that fulfill the organization's mission and goals. In this respect, senior management should ensure that IT issues as well as opportunities are adequately assessed and reflected in the organization's long- and short-range plans. IT long- and short-range plans should be developed to help ensure that the use of IT is aligned with the mission and business strategies of the organization.

Slide 25

Summary of COBIT At This Point

Control Objectives

- Framework defines a construct for reviewing IT.
- Four domains are identified.
- Within each domain there are processes - 34 total.
- Within each process there are high-level IT control objectives defining controls that should be in place.
- For each of the 34 processes, there are from 3 to 30 detailed IT control objectives (300+ in total).
- IT control objectives are generic and applicable to all environments.
- COBIT is a systematic and logical method for defining and communicating IT control objectives.

Slide 26

COBIT Audit Guidelines - Purpose

Audit Guidelines

COBIT provides detailed audit guidelines for each of the 34 IT processes:

- Enables the auditor to review specific IT processes against COBIT's Control Objectives to determine where controls are sufficient or advise management where processes need to be improved.
- Helps process owners answer questions: Is what I'm doing adequate? And, if not, how do I fix it?

Slide 27

COBIT Audit Guidelines - Objectives

Audit Guidelines

- To provide a simple, generic, and high-level structure for auditing IT controls
  - based on generally accepted audit practices
  - aligned with the COBIT framework
  - generic for applicability to varying audit objectives and practices
  - providing clear policies and good practices for security and control of information and related technologies
  - enabling the development of specific audit programs or the enhancement of existing programs
- To enable auditors to review IT processes against COBIT's recommended detailed control objectives to provide management assurance and/or advice for improvement
- The Audit Guidelines are NOT intended as
  - a tool for creating the overall audit plan
  - a tool for providing audit training
  - a solution for audit automation (although there are lots of opportunities)
  - exhaustive or definitive; guidelines will continue to evolve

Slide 28

COBIT Management Guidelines

Management Guidelines

COBIT 3rd Edition added a Management and Governance layer, providing management with a toolbox containing:

- A maturity model to assist in benchmarking and decision-making for control over IT
- A list of critical success factors (CSF) that provides succinct non-technical best practices for each IT process
- Generic and action oriented performance measurement elements (key performance indicators [KPI] and key goal indicators [KGI]: outcome measures and performance drivers for all IT processes)

Purpose:
- IT Control profiling: what is important?
- Awareness: where is the risk?
- Benchmarking: what do others do?

Slide 29

Maturity Model

Management Guidelines

Method of scoring the maturity of IT processes, derived from the maturity model defined by the Software Engineering Institute for the maturity of software development.

[Diagram: GAP Analysis (Current vs. Goal), showing the current maturity rating against Management's Target Goal.]

Slide 30

Maturity Model - GENERIC

Generic Maturity Model

Management Guidelines

- 0 Non-Existent. Complete lack of any recognisable processes. The organisation has not even recognised that there is an issue to be addressed.
- 1 Initial. There is evidence that the organisation has recognised that the issues exist and need to be addressed. There are however no standardised processes but instead there are ad hoc approaches that tend to be applied on an individual or case by case basis. The overall approach to management is disorganised.
- 2 Repeatable. Processes have developed to the stage where similar procedures are followed by different people undertaking the same task. There is no formal training or communication of standard procedures and responsibility is left to the individual. There is a high degree of reliance on the knowledge of individuals and therefore errors are likely.
- 3 Defined. Procedures have been standardised and documented, and communicated through training. It is however left to the individual to follow these processes, and it is unlikely that deviations will be detected. The procedures themselves are not sophisticated but are the formalisation of existing practices.
- 4 Managed. It is possible to monitor and measure compliance with procedures and to take action where processes appear not to be working effectively. Processes are under constant improvement and provide good practice. Automation and tools are used in a limited or fragmented way.
- 5 Optimised. Processes have been refined to a level of best practice, based on the results of continuous improvement and maturity modelling with other organisations. IT is used in an integrated way to automate the workflow, providing tools to improve quality and effectiveness, making the enterprise quick to adapt.

Slide 31

Maturity Model - PROCESS SPECIFIC

Management Guidelines

DS5 Ensure System Security (Rating / Description)

0 Non-Existent

The organization does not recognize the need for IT security. Responsibilities and accountabilities are not assigned for ensuring security. Measures supporting the management of IT security are not implemented. There is no IT security reporting and no response process to IT security breaches. There is a complete lack of a recognizable system security administration process.

1 Initial

The organization recognizes the need for IT security, but security awareness depends on the individual. IT security is addressed on a reactive basis and not measured. IT security breaches invoke "finger pointing" responses if detected, because responsibilities are unclear. Responses to IT security breaches are unpredictable.

2 Repeatable

Responsibilities and accountabilities for IT security are assigned to an IT security co-ordinator with no management authority. Security awareness is fragmented and limited. IT security information is generated, but is not analyzed. Security solutions tend to respond reactively to IT security incidents and by adopting third-party offerings, without addressing the specific needs of the organization. Security policies are being developed, but inadequate skills and tools are still being used. IT security reporting is incomplete, misleading or not pertinent.

3 Defined

Security awareness exists and is promoted by management. Security awareness briefings have been standardized and formalized. IT security procedures are defined and fit into a structure for security policies and procedures. Responsibilities for IT security are assigned, but not consistently enforced. An IT security plan exists, driving risk analysis and security solutions. IT security reporting is IT focused, rather than business focused. Ad hoc intrusion testing is performed.

4 Managed

Responsibilities for IT security are clearly assigned, managed and enforced. IT security risk and impact analysis is consistently performed. Security policies and practices are completed with specific security baselines. Security awareness briefings have become mandatory. User identification, authentication and authorization are being standardized. Security certification of staff is being established. Intrusion testing is a standard and formalized process leading to improvements. Cost/benefit analysis, supporting the implementation of security measures, is increasingly being utilized. IT security processes are co-ordinated with the overall organization security function. IT security reporting is linked to business objectives.

5 Optimized

IT security is a joint responsibility of business and IT management and is integrated with corporate security business objectives. IT security requirements are clearly defined, optimized and included in a verified security plan. Security functions are integrated with applications at the design stage and end users are increasingly accountable for managing security. IT security reporting provides early warning of changing and emerging risk, using automated active monitoring approaches for critical systems. Incidents are promptly addressed with formalized incident response procedures supported by automated tools. Periodic security assessments evaluate the effectiveness of implementation of the security plan. Information on new threats and vulnerabilities is systematically collected and analyzed, and adequate mitigating controls are promptly communicated and implemented. Intrusion testing, root cause analysis of security incidents and pro-active identification of risk is the basis for continuous improvements. Security processes and technologies are integrated organization wide.

Slide 32

Measuring Success

Management Guidelines

- Critical Success Factors: What are the most important things to do to increase the probability of success of the process?
  Example: (DS4) Critical infrastructure components are identified and continuously monitored.
- Key Performance Indicators: Measures how well the process is performing.
  Example: (DS4) Number of outstanding continuous service issues not resolved or addressed.
- Key Goal Indicators: Measures whether an IT process achieved its business requirements.
  Examples: (DS4) No incidents causing public embarrassment. Number of critical business processes relying on IT that have adequate continuity plans.

Slide 33

CSF - Critical Success Factors

Management Guidelines

Management oriented IT control implementation guidance that are observable, usually measurable, characteristics of the organization and processes.

- Most important things that contribute to the IT process achieving its goal: Strategically; Technically; Organizationally; Process or Procedure
- Visible and measurable signs of success
- Control Statements and Considerations of the Waterfall
- Short, focused and action oriented - Focus on obtaining, maintaining and leveraging capability and skills

[Waterfall diagram repeated: The control of IT Processes, which satisfy Business Requirements, is enabled by Control Statements and considers Control Practices.]

Slide 34

KGI - Key Goal Indicators

Management Guidelines

Measurable indicators of the process achieving its goal.

- Describe the outcome of the process and are therefore lag indicators (i.e., measurable after the fact)
- Are indicators of the success of the process, but may be expressed as well in terms of the business contribution, if that contribution is specific to that IT process
- Represent the process goal (i.e., a measure of what target to achieve)
- Are IT oriented, but business driven (Business Requirements from Waterfall)
- Are expressed in precise measurable terms, wherever possible
- Focus on those information criteria that have been identified to be of most importance for the process

[Waterfall diagram repeated: The control of IT Processes, which satisfy Business Requirements, is enabled by Control Statements and considers Control Practices.]

Slide 35

KPI - Key Performance Indicators

Management Guidelines

Measurable indicators of performance of the enabling factors.

- Are a measure of how well the process is performing
- Predict the probability of success or failure in the future (i.e., lead indicators)
- Are expressed in precise, measurable terms
- How well management leverages / manages the resources needed for the process
- Control Statements & Control Practices from Waterfall
- Are process oriented, but IT driven
- Help in improving the IT process

[Waterfall diagram repeated: The control of IT Processes, which satisfy Business Requirements, is enabled by Control Statements and considers Control Practices.]

Slide 36

CSF, KGI, KPI Examples

Management Guidelines

Critical Success Factors
- IT performance is measured in financial terms, in relation to customer satisfaction, for process effectiveness and for future capability, and IT management is rewarded based on these measures
- The processes are aligned with the IT strategy and with the business goals; they are scalable and their resources are appropriately managed and leveraged
- Everyone involved in the process is goal focused and has the appropriate information on customers, on internal processes and on the consequences of their decisions
- A business culture is established, encouraging cross-divisional co-operation and teamwork, as well as continuous process improvement
- Control practices are applied to increase transparency, reduce complexity, promote learning, provide flexibility and allow scalability
- Goals and objectives are communicated across all disciplines and are understood
- It is known how to implement and monitor process objectives and who is accountable for process performance
- A continuous process quality improvement effort is applied
- There is clarity on who the customers of the process are
- The required quality of staff (training, transfer of information, morale, etc.) and availability of skills (recruit, retain, re-train) exist

Key Performance Indicators
- System downtime
- Throughput and response times
- Amount of errors and rework
- Number of staff trained in new technology and customer service skills
- Benchmark comparisons
- Number of non-compliance reportings
- Reduction in development and processing time

Key Goal Indicators
- Increased level of service delivery
- Number of customers and cost per customer served
- Availability of systems and services
- Absence of integrity and confidentiality risks
- Cost efficiency of processes and operations
- Confirmation of reliability and effectiveness
- Adherence to development cost and schedule
- Cost efficiency of the process
- Staff productivity and morale
- Number of timely changes to processes and systems
- Improved productivity (e.g., delivery of value per employee)

Slide 37

COBIT As An Audit Framework - A Success Story

Additional Information: COBIT Case Study (http://www.itgi.org/casestudy4.htm) (http://www.isaca.org/ctcase27.htm)

Process For Implementing COBIT

Integrating COBIT Into IT Governance, Risk Management, & Systems Audit Approach

[Process diagram; steps as shown:]
- Recognize Need
- Educate Senior IT Management
- Map COBIT to FFIEC Examination Guidelines
- Map Audit Universe to COBIT High Level Control Objectives
- Map Annual Audit Plan to COBIT Detailed Level Control Objectives (IT Activities)
- Develop Questionnaire / Joint Risk Self-Assessment
- Facilitate Assessment Work Sessions with Client
- Analyze, Document, Validate Results, Report To Management

Slide 39

The Need - Increased Regulatory Focus

Regulatory Ratings: Overall (UFIRS) & IT-Specific (URSIT)

UFIRS rating reflects institution safety and soundness. IT (URSIT) is one of many components evaluated to determine the UFIRS score.

Uniform Financial Institution Rating System (UFIRS): Composite Score (1-5)

Uniform Rating System for Information Technology (URSIT): Composite Score (1-5)

URSIT Rating Criteria: 1 = Strong; 2 = Satisfactory; 3 = Less than Satisfactory; 4 = Deficient; 5 = Critically Deficient

Federal Reserve Issued SR 99-8 (SUP), March 31, 1999, references COBIT

COBIT Maturity Ratings: 0 = Non-Existent; 1 = Initial; 2 = Repeatable; 3 = Defined; 4 = Managed; 5 = Optimized

Note inverted scale: Fed rating of 5 is deficient and COBIT rating of 5 is Optimized

Slide 40

Educating Senior IT Management

Encouraging Senior IT Management To Adopt COBIT
- Framework for Risk Self-Assessment (RSA) process
- Emphasize business orientation (NOT audit orientation)
- Emphasize value of self-assessment, performance measurement and benchmarking - provide real examples
- Knowledge that COBIT is based on industry standards with input from many sources
- Resource for regulatory examinations
- During rollout - monitor progress and report on results

Educating IT Management At All Levels
- Executive summary focus for senior management
- Workshops for line management and key technicians
- Integration with the audit process (engagement memos, audit kick-off meetings, work sessions, reporting)

Slide 41

Linking COBIT To Other Sources of Best Practice

COBIT objectives mapped to relevant FFIEC examination criteria (Illustration Only)

[Table with columns COBIT Ref. / COBIT Domains & Control Objectives / FFIEC Ref. / FFIEC Chapter Title & Relevant Section. Rows shown for the PLANNING & ORGANIZATION domain:
- PO1 Define a Strategic IT Plan: 1.1 IT as Part of the Organization's Long- and Short-Range Plan; 1.2 IT Long-Range Plan; 1.3 IT Long-Range Planning, Approach & Structure; 1.4 IT Long-Range Plan Changes; 1.5 Short-Range Planning for the IT Function; 1.6 Communication of IT Plans; 1.7 Monitoring & Evaluating of IT Plans; 1.8 Assessment of Existing Systems
- PO2 Define the Information Architecture: 2.1 Information Architecture Model; 2.2 Corporate Data Dictionary & Data Syntax Rules; 2.3 Data Classification Scheme; 2.4 Security Levels
- FFIEC references shown: 10-1 (Corporate Contingency Planning, Responsibilities); 9-6 (Planning); 9-8 (Controls); 12-2 (System Development Standards); 14-1 (Security Administration and Accountability); 14-2 (Security Plan)]

Other considerations - map to relevant ISO standards, technology specific process / control methodologies, etc.

FFIEC = Federal Financial Institutions Examination Council

Slide 42

Alignment With Technology Infrastructure (Illustration Only)

[Network diagram. Internal Risks: Unauthorized Access by Internal Users (employees or contractors). External Risks: Vulnerability to Hackers. Components shown: Internet; DMZ (Email, FTP, DNS, Other Servers); Firewalls; Firewalls / Secure Routing; Routers; Distributed Systems (UNIX & Windows); Mainframe Systems; Databases & Applications; LANs; Remote LANs; Subsidiaries; 3rd Parties; VPN; Remote Access; Monitoring, Intrusion Detection & Anti-Virus Systems.]

Slide 43

Security Audit Universe

Audit Universe:
- Access Management & Compliance
- Distributed Security
- Mainframe Security
- Identity Management
- Security Governance
- Security Monitoring
- Database Security
- Application Security
- Software Management
- Intrusion Detection
- Incident Response
- Virus Prevention
- Remote Access Security
- Physical Security
- Network & Perimeter Security

Slide 44

Map Audit Universe To COBIT (Illustration Only)

[Table: audit universe areas against COBIT High Level Objectives (i.e. PO2); applicable objectives noted with X.]

Slide 45

Audit Approach Overview

[Numbered flow diagram. Elements shown: COBIT Control Assessment Questionnaire; Client Work Sessions; COBIT Manuals & Other Best Practice Material; COBIT To Audit Mapping Template; Audit Planning Session; Audit Team; Engagement Memo; Kick-Off Meeting; Work Program; Audit Testing; Exit Meeting; Reporting; QAR.]

Slide 46

Map Audit Plan To COBIT

(Illustration Only)
- High Level Objective (i.e. PO2): applicable objectives noted in this column
- Detailed Level Objective (i.e. 2.1)
- Risk Category noted in this column

Using COBIT Framework To Tie It All Together


Elements tied together by the framework: COBIT Control Assessment Questionnaire, Work Program, Engagement Memo, Audit Report.

Use of a Framework ensures consistent coverage across audits and allows for trending the state of controls over time.

(Illustration Only)

COBIT Control Assessment Questionnaire


The questionnaire is used during joint work sessions held with clients to complete a joint risk assessment of the area under review.

The Overall Maturity Rating for each High-Level Control Objective is assigned based on the results of the joint assessments of each Detailed Control Objective.

Layout (Illustration Only):
- One Table For Each High-Level COBIT Objective Included In Scope
- XYZ Company Specific Control Objectives
- One COBIT Control Objective Per Row
- COBIT Maturity Rating (0-5) assigned based on Joint Assessment
- Preplanned Assessment Questions
- Client's Response & Assessment Results

COBIT Based Audit Report


Report elements (Illustration Only):
- Overall Rating
- Client's Target Goal
- Audit Metrics
- Overall Conclusion Statements Supporting Overall Rating
- QAR
- Concise Background & Scope
- Responsible Manager Provided Response
- Control Weakness highlighting business impact
- Due Date
- Issue Priority (A, B, C)
- Client Provided Responses

COBIT Based Audit Report


Report elements (Illustration Only):
- Strategic Focal Point Table (one row for each high-level objective included in scope)
  - Highlighting Key Performance Indicators (i.e., Metrics)
  - Detailed Control Objectives Included In Scope Listed
  - Summary Conclusions and Points Supporting Rating
  - Overall Rating For High-Level Control Objective
- Control Focal Point Table (highlighting key controls)
  - Applicable Detailed Control Objective (one per row; corresponds to a row in the Assessment Questionnaire)
  - Highlighting Key Performance Indicators (i.e., Metrics)
  - Summary Conclusions and Points Supporting Rating
  - Assigned Maturity Rating

COBIT Based Audit Report

Report elements (Illustration Only):
- Process Workflow Diagram For Area Assessed
- Table Defining Key Control Points In Process Flow
- Highlighting Key Performance Indicators (i.e., Metrics)
- Automated or Manual Control

COBIT To Audit Mapping Repository


Repository contents (Illustration Only):
- Questionnaire
- Audit Report
- Quarterly Report Of Audit Results (QAR)

Quarterly Audit Report


Audit Results Metrics: IAD Focal Point Methodology Scorecard (Illustration Only)

Overall Audit Results chart: Infrastructure Audits (refer to slide 6) and Security Audits (refer to slide 7), each plotted for Q1, Q2, Q3 and Q4 2002, YTD and Prior Year; annotations on the chart read "No Reports Issued", "TBD" and "Data Not Available For 2001".

Legend: 5 - Optimized, 4 - Managed, 3 - Defined, 2 - Repeatable, 1 - Initial, 0 - Non-Existent

Date Printed: 03/24/2003, Charles Schwab & Co, Inc.

Analysis of Key Technology Metrics

Example of Metric Analysis To Include In QAR (Illustration Only)

Although target rates have not been achieved, change management processes are successful on average 75% of the time. Less than 1% of appropriately recorded changes resulted in problems or outages.

Chart: percentage of changes by outcome (Successful, against a Target Rate of 97%; Failed & Backed Out; Caused Problem; Caused Outage; Cancelled; Unstatused) for Q1, Q2 and Q3 2002 and YTD. (Source: Technology Management Balanced Scorecard)

Internal Audit Observations:

Change management processes appear to be consistently applied with only minor variances in volume. A large percentage (~20%) of unstatused tickets indicates process adherence issues. True results cannot accurately be determined; therefore, additional management scrutiny is appropriate for the unstatused items. The trend for tickets with implementation problems is increasing; additional analysis to ascertain the root cause of the increase in this activity would be appropriate. The root cause may rest with testing and validation processes.

(Original footer of this slide: May 20, 2003, 2003 North America CACS Conference, Slide 77)

Benefits Realized

- IT management partners with Internal Audit throughout the audit life cycle, including input into the audit schedule and scope.

- IT management becomes conversant in risk, control, and audit concepts.

- Relationships are transformed into partnerships by jointly assessing control procedures.

- Audit Report streamlined: a concise report supported by a detailed questionnaire (i.e., Risk Self Assessment, RSA).

- Audit approach is methodical and is consistent with IT Governance practices implemented throughout the company's technology organization.

- Meaningful reporting for senior IT management. Facilitated efforts to implement processes necessary for Sarbanes-Oxley compliance.

Additional Audit Resources

Templates (http://www.sfisaca.org/resources/downloads.htm)

COBIT Case Study (http://www.itgi.org/casestudy4.htm) (http://www.isaca.org/ctcase27.htm)


COBIT As A Risk Management Framework For Information Security

Case Study Information Security Access Compliance

Drivers of Information Security Requirements


Business Drivers
- Shorter business cycles
- Need to involve/connect/tie in with more partners
- Network centric business models
- Leverage VPN, remote access, new tools
- Regulatory Requirements

Key To Success!
- Management Buy In
- Awareness (value of IT governance framework)
- Perceived / Understood Risk
- Manage Risk
- Cost / Benefit
- Benchmarks
- Clarity of Purpose

Technology Drivers: Leverage Opportunities
- E-cash, e-commerce, e-tc.
- Open, modular, scalable
- Increased dependency on IT
- Security a commodity
- Internet - UNIX - TCP/IP
- More hackers, more tools

Senior Management Awareness Tone From Top

Questions From Senior Management / Board

What does security cost?

Have we completed a risk assessment in order to define where the enterprise is most vulnerable (i.e., where do we most appropriately focus our security resources)?

How do we measure our state of security?

How do we ensure that customer data (NPI) and sensitive financial information is appropriately safeguarded and only accessible by users with a business need to know or use the data?

Do we know for certain how many people are accessing the organization's systems? Are we monitoring the access? Are resource owners appropriately engaged?

What are the most critical information assets of the enterprise (do we have an inventory)? Has data been classified and secured based on relative risk? Do we maintain an inventory of all system devices that the company owns / leases? Would management know if some went missing?

Would people recognize a security incident when they saw one? Would they ignore it? Would they know what to do about it?

Has the organization ever had its security validated by a third party?

Cost of Information Security

Cost of Security / Control VERSUS IT Budget (chart)

Levels shown:
- Leadership: Best Practices Industry Leader
- Benchmarking: Baseline Operation
- Minimum Requirements
- Non-Compliance: Cowboy Operation

Percentage bands shown on the chart: 5 - 10%, 20 - 25%, 45 - 50%, 55%

= Drivers

Monitoring Emerging Risk Indicators: Is Risk Well Managed?

Risk management is concerned (in part) with processes designed and sustained by management to reduce the risk of material error.

- Frequent measurement of results is a prerequisite for a sustained and controlled environment.
- Standardization and design are prerequisites for repeatability.

Risk Drivers: Lessons Learned From COBIT?

Risk decreases when processes are:
- Mature, sustainable and measurable
- Repeatable and predictable
- Systematic / automated
- Monitored
- Standardized (designed / defined)
- Documented and communicated

Risk increases when processes are:
- Inconsistent
- Ad-hoc (not standardized)
- Not monitored
- Relying upon the knowledge of individuals (i.e., lack of documentation)

In line with COBIT's Management Guidelines, access management should include formal steps for proactively evaluating compliance via monitoring activities and meaningful performance indicators (i.e., metrics).

Monitoring Emerging Risk Indicators: Ongoing Measurement / Ongoing Dialogue

Monitor key performance indicators (i.e. metrics) on an ongoing basis.

Diagram (Illustration Only): two timelines from t1 to t2, each plotting Expectation against the Reality of the Control Environment.

- Ongoing Monitoring Of Risk Indicators (gaining efficiencies through focus on high risk indicators): ongoing measurement, with Assess 1 and Assess 2 each followed by a Report.
- Traditional Risk Assessment Approach (prioritization based on annual risk assessment of function): Assess 1 at t1 and Assess 2 at t2, each followed by a Report.

Benefits of Ongoing Monitoring
- Quarterly readout of assessment results for technology management.
- Ongoing dialogue regarding areas of significant or increasing risk.
- Priorities more closely associated with known risk factors, ultimately leading to more controlled risk mitigation and potential process improvements / efficiency gains.

Challenges Of Point-In-Time Assessment
- Evaluation of risk and control is as of a point in time.
- Management reporting is reflective of results as of a point in time.
- Priorities may be influenced by prior results (i.e., focus on past areas of weakness). Good or bad?
- If a risk assessment on the function has not been completed for a long time, there may be a learning curve.

Monitoring Emerging Risk Indicators: Overall Objective & Goal

The goal is to proactively monitor metrics on an ongoing basis, focusing risk remediation efforts on the high-risk processes and tasks where performance indicators point to potential problems.

Results of the metric analysis are presented to senior management on a quarterly basis. The analysis indicates priorities for remediation efforts and any required changes to existing processes.

Information Security: Security Metrics Development Process


Information Security: Security Metrics Implementation Process


Information Security: Measuring Performance (illustration only)


Chart: security performance by area, rated 0 to 5 (Very poor, Poor, Fair, Good, Very good, Excellent), with a second axis on a 0-100 scale. Other chart labels: Policy, Human, Security Management Process, Tools & Technology.

Areas ranked:
1. Policies & Procedures
2. Security Management
3. Behavior & Culture
4. Application Security
5. System Access Control
6. Network Segregation

Legend for ranking used:
- 5 - Excellent: Best possible, highly integrated
- 4 - Very good: Advanced level of practice
- 3 - Good: Moderately good level of practice
- 2 - Fair: Some effort made to address issues
- 1 - Poor: Recognise the issues
- 0 - Very poor: Complete lack of good practice

Legend for Symbols Used:
- Average of best security performers in the financial industry (begin 96)
- Company status Feb 97
- Company objective for 2001

Timeline: 1996 1997 1998 1999 2000 2001

Information Security: Measuring Performance (illustration only)

The Security Officer consistently performs both internal and external vulnerability scans on a monthly basis. The majority of vulnerabilities identified are low risk.

Charts (Illustration Only): External Vulnerability Scans (0-3000 scale) and Internal Vulnerability Scans (0-1000 scale), each showing counts of Low Risk, Medium Risk and High Risk Vulnerabilities for Q1 2002, Q2 2002 and YTD.

Observations:

- Slight increase in high risk vulnerabilities.
- An increase in internal vulnerabilities occurred from Q1 to Q2. The increase is explained by new system patches checked for by the vulnerability scanner that have not yet been applied to the XYZ company servers. Technology management appropriately applies patches only after the patches have been tested and certified.
- A decrease in external vulnerabilities was noted from Q1 to Q2. These results demonstrate that a significant number of Q1 vulnerabilities have been resolved.

Information Security: Key Indicators Access Compliance

- Access Administration Workflow (adds, changes, deletions, special requests)
- Access Administration Service Level Attainment (measured against target / goal)
- Percentage of ID requests submitted with appropriate approvals
- Inactive ID Remediation (percentage decline over time)
- Privileged Access Oversight (percentage of total IDs)
- Shared / Generic ID Oversight (percentage of total IDs)
- Percentage of current access administration policies / standards
- Percentage of current access administration guidelines
- Percentage of current access administration procedures
- Number of access related incidents reported
- Average time elapsed between incident discovery and implementation of corrective action
- Percentage of IDs for which supervisory review has been completed in the past quarter to validate that access remains appropriate for the user's job function
- Percentage of systems for which access security parameters have been tested and evaluated in the past year & percentage of non-compliant systems
- Percentage of system resources without a defined / accountable resource owner assigned
- Percentage of systems that maintain logs (audit trail) to trace user activity
- Percentage / Number of access violations to critical system resources
- Percentage of passwords not in compliance with policy (password quality)
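Several of these indicators can be computed directly from an account inventory and a system inventory. The Python below is an added example written for this page; it is not code from the presentation or from any Charles Schwab tooling. The account and system records are constructed, the 90-day inactivity rule and the values in THRESHOLDS are assumptions, and the field names are hypothetical. It computes the percentage indicators listed above and then, following the monitoring approach described on the earlier risk-indicator slides, flags the indicators that breach their threshold so remediation effort can be focused on them.

```python
from dataclasses import dataclass
from typing import Optional

# Assumption: an ID with no successful login for this many days counts as inactive.
INACTIVE_DAYS = 90


@dataclass(frozen=True)
class Account:
    user_id: str
    kind: str                    # "user", "privileged", or "shared" (generic / service ID)
    last_login_days: int         # days since the last successful login
    approved: bool               # the request on file carries the required approvals
    reviewed_this_quarter: bool  # supervisory recertification completed this quarter


@dataclass(frozen=True)
class System:
    name: str
    owner: Optional[str]         # accountable resource owner, None if nobody is assigned
    audit_log: bool              # keeps an audit trail of user activity
    tested_past_year: bool       # access security parameters tested in the past 12 months
    compliant: Optional[bool]    # result of that test, None if never tested


# Constructed sample inventories (hypothetical names and values, not real data).
ACCOUNTS = [
    Account("jdoe", "user", 3, True, True),
    Account("asmith", "user", 12, True, True),
    Account("bwong", "user", 120, True, False),        # inactive, not recertified
    Account("contractor7", "user", 45, False, False),  # no approval on record
    Account("root", "privileged", 1, True, True),
    Account("dba_admin", "privileged", 8, True, False),
    Account("svc_backup", "shared", 30, True, True),
    Account("batchgen", "shared", 200, False, False),  # inactive generic ID, unapproved
]

SYSTEMS = [
    System("hr-db", "M. Lee", True, True, True),
    System("trade-app", "R. Patel", True, True, False),  # tested, parameters non-compliant
    System("ftp-gw", None, False, False, None),          # no owner, no audit trail, never tested
    System("mainframe", "K. Ito", True, True, True),
]


def pct(numerator, denominator):
    """Percentage rounded to one decimal; 0.0 when the population is empty."""
    return round(100.0 * numerator / denominator, 1) if denominator else 0.0


def access_scorecard(accounts, systems):
    """Compute the percentage indicators from the Access Compliance key indicator list."""
    n = len(accounts)
    tested = [s for s in systems if s.tested_past_year]
    return {
        "inactive_id_pct": pct(sum(a.last_login_days >= INACTIVE_DAYS for a in accounts), n),
        "privileged_id_pct": pct(sum(a.kind == "privileged" for a in accounts), n),
        "shared_id_pct": pct(sum(a.kind == "shared" for a in accounts), n),
        "approved_request_pct": pct(sum(a.approved for a in accounts), n),
        "supervisory_review_pct": pct(sum(a.reviewed_this_quarter for a in accounts), n),
        "systems_without_owner_pct": pct(sum(s.owner is None for s in systems), len(systems)),
        "systems_with_audit_log_pct": pct(sum(s.audit_log for s in systems), len(systems)),
        "systems_tested_past_year_pct": pct(len(tested), len(systems)),
        "noncompliant_tested_systems_pct": pct(sum(s.compliant is False for s in tested), len(tested)),
    }


# Assumed thresholds: ("max", v) flags a value above v, ("min", v) flags a value below v.
THRESHOLDS = {
    "inactive_id_pct": ("max", 10.0),
    "privileged_id_pct": ("max", 15.0),
    "shared_id_pct": ("max", 10.0),
    "approved_request_pct": ("min", 95.0),
    "supervisory_review_pct": ("min", 90.0),
    "systems_without_owner_pct": ("max", 0.0),
    "systems_with_audit_log_pct": ("min", 100.0),
    "noncompliant_tested_systems_pct": ("max", 5.0),
}


def high_risk_indicators(metrics, thresholds=THRESHOLDS):
    """Return the indicators that breach their threshold, largest gap first."""
    breached = []
    for name, (direction, limit) in thresholds.items():
        value = metrics[name]
        if (direction == "max" and value > limit) or (direction == "min" and value < limit):
            breached.append((abs(value - limit), name))
    return [name for _, name in sorted(breached, reverse=True)]


if __name__ == "__main__":
    scorecard = access_scorecard(ACCOUNTS, SYSTEMS)
    for name, value in scorecard.items():
        print(f"{name:32s} {value:6.1f}%")
    print("focus areas:", ", ".join(high_risk_indicators(scorecard)))
```

Run quarterly against the same inventories and the dictionary returned by access_scorecard gives the trend series the QAR slides plot; the indicators returned by high_risk_indicators are the ones to carry into the management dialogue first.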

Tools To Facilitate Your Risk Management Efforts

COBIT Security Baseline


COBIT Security Baseline (continued)

Focusing attention on security-related objectives from the entire COBIT framework...


COBIT Security Baseline (continued)


IT Control Practice Statement COBIT - DS5 Ensure System Security

IT control practices expand the capabilities of COBIT by providing the practitioner with an additional level of detail.

The current COBIT IT processes, business requirements and detailed control objectives define what needs to be done to implement an effective control structure.

The IT control practices provide the more detailed how and why needed by management, service providers, end users and control professionals to implement highly specific controls based on an analysis of operational and IT risks.

IT Control Practice Statement COBIT - DS5 Ensure System Security (EXAMPLE)

DS 5.4 User Account Management

Why do it?

The enforcement of adequate user account management in line with the control practices will help ensure:
- Proper administration of the lifecycle of user accounts
- Communication to and acknowledgment by users of the rules with which they need to comply

Control Practices

DS 5.4.01 Procedures are in place to ensure timely actions in relation to requesting, establishing, issuing, suspending and closing user accounts. All actions require formal approval.

DS 5.4.02 When employees are given their account, they are provided with initial or refresher training and awareness on computer security issues. Users are asked to review a set of rules and regulations for system access.

DS 5.4.03 Users use quality passwords as determined by the organization's password guidelines. Quality aspects of passwords include: enforcement of initial password change on first use, appropriate minimum password length, appropriate and enforced frequency of password changes, password checking against a list of not-allowed values (e.g., dictionary checking) and adequate protection of emergency passwords.

DS 5.4.04 Third-party users are not provided with user codes or passwords unless they have signed a nondisclosure agreement. Third-party users are provided with the organization's security policy and related documents and must sign off that they understand their obligations.

DS 5.4.05 All contracts for outsourcing or contracting address the need for the provider to comply with all security related policies, standards and procedures.
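DS 5.4.03 lists the quality aspects a password check should enforce. The Python below is an added example written for this page, not text or code from the IT Control Practice Statement or from the presentation; the policy values (8 characters, 90 days), the not-allowed word list, the account records and the field names are all constructed or assumed. It evaluates each quality aspect named in DS 5.4.03 (initial password change on first use, minimum length, change frequency, dictionary checking, and protection of emergency passwords, modelled here as mandatory rotation after any use) and reports the share of IDs out of compliance, which is the last key indicator on the Access Compliance slide.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    """Password quality rules. Values are assumptions, not the organization's guideline."""
    min_length: int = 8
    max_age_days: int = 90
    # Constructed not-allowed list standing in for a full dictionary check.
    not_allowed: frozenset = frozenset({"password", "welcome", "qwerty", "letmein"})


@dataclass(frozen=True)
class AccountState:
    user_id: str
    password_age_days: int        # days since the password was last set
    initial_password: bool        # still using the password issued at account creation
    emergency: bool = False       # emergency (break-glass) ID
    emergency_used: bool = False  # emergency password used since it was last rotated


def password_quality_issues(password, account, policy=PasswordPolicy()):
    """Return the DS 5.4.03 quality aspects this password / account state violates."""
    issues = []
    lowered = password.lower()
    # Appropriate minimum password length.
    if len(password) < policy.min_length:
        issues.append("too_short")
    # Dictionary check: reject any not-allowed value appearing anywhere in the password.
    if any(word in lowered for word in policy.not_allowed):
        issues.append("dictionary_word")
    if account.user_id.lower() in lowered:
        issues.append("contains_user_id")
    # Enforcement of initial password change on first use.
    if account.initial_password:
        issues.append("initial_password_not_changed")
    # Appropriate and enforced frequency of password changes.
    if account.password_age_days > policy.max_age_days:
        issues.append("password_expired")
    # Protection of emergency passwords: rotate after every use.
    if account.emergency and account.emergency_used:
        issues.append("emergency_password_needs_rotation")
    return issues


# Constructed sample records (hypothetical IDs and passwords, not real credentials).
SAMPLE = [
    ("Tr0ub4dor&3", AccountState("jdoe", 20, False)),
    ("Welcome2004", AccountState("asmith", 5, True)),
    ("short1", AccountState("bwong", 40, False)),
    ("kito-Summer!2004", AccountState("kito", 120, False)),
    ("Br3ak-Gl4ss!", AccountState("fireid", 10, False, emergency=True, emergency_used=True)),
]


def noncompliance_pct(records, policy=PasswordPolicy()):
    """Percentage of IDs whose password is not in compliance with policy."""
    if not records:
        return 0.0
    failing = sum(bool(password_quality_issues(pw, acct, policy)) for pw, acct in records)
    return round(100.0 * failing / len(records), 1)


if __name__ == "__main__":
    for pw, acct in SAMPLE:
        print(f"{acct.user_id:8s} {password_quality_issues(pw, acct) or 'compliant'}")
    print(f"non-compliant: {noncompliance_pct(SAMPLE)}%")
```

In a production system the checks that need the password value (length, dictionary, user ID) run once, at the moment the password is set, and only the lifecycle flags (age, initial-password state, emergency use) are evaluated afterwards, so the clear-text value never has to be retained for a later compliance review.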

Additional Resources & Questions


Templates & Resources
(http://www.sfisaca.org/resources/downloads.htm)

- COBIT Security Baseline
- IT Control Practice Statement COBIT DS5 Ensure System Security
- Questionnaire for IT Control Practice Statement DS5
- Security Self-Assessment Guide for Information Technology Systems (National Institute of Standards & Technology)
- Security Metrics Guide for Information Technology Systems (National Institute of Standards & Technology)
- Access Compliance Scorecard Template
- ISO 17799 (http://www.iso-17799.com/)
- FFIEC Information Security Examination Handbook (http://www.ffiec.gov/ffiecinfobase/html_pages/it_01.html)


Questions?

Thank You!