Presented By
Lance M. Turcato, CISA, CISM, CPA
Deputy City Auditor Information Technology
City of Phoenix
Audience Poll
COBIT Knowledge
- First exposure?
- General understanding?
- Strong knowledge of COBIT framework?
IT Governance Institute (http://www.itgi.org/)
COBIT - Background
Generally applicable and accepted international standard of good practice for IT control.
COBIT: Control OBjectives for Information and Related Technology
COBIT As A Framework
Enables the auditor to review specific IT processes against COBIT's Control Objectives to determine where controls are sufficient, or to advise management where processes need to be improved.
How You Measure Your Performance
COBIT Structure - Overview
IT Domains:
- Plan & Organize
- Acquire & Implement
- Deliver & Support
- Monitor & Evaluate
Information Criteria (Business Requirements):
- Effectiveness
- Efficiency
- Availability
- Integrity
- Confidentiality
- Reliability
- Compliance
COBIT Structure - Aligning Requirements, Processes, Resources & Activities
Business Requirements (Information Criteria grouped as Quality, Fiduciary and Security) drive IT Processes, which consume IT Resources.
Domains: Natural grouping of processes, often matching an organizational domain of responsibility.
Processes: A series of joined activities with natural (control) breaks.
Activities
IT Resources:
- People
- Applications
- Infrastructure
- Facilities
- Data
COBIT Structure - Example
IT Domains:
- Plan & Organize
- Acquire & Implement
- Deliver & Support
- Monitor & Evaluate
IT Processes:
- Change Management
- Contingency Planning
- Problem Management
- Policy & Procedures
- Acceptance Testing
- etc...
Activities
COBIT Structure - Process Control Statement (cube diagram)
Information Criteria: effectiveness, efficiency, confidentiality, integrity, availability, compliance, reliability
Process Domains: Plan & Organize, Acquire & Implement, Deliver & Support, Monitor & Evaluate
IT Resources: people, applications, technology, facilities, data
The control of [IT Process] that satisfies Business Requirements, by focusing on IT Goals, is achieved by Key Controls and is measured by Key Metrics.
April 20, 2006
Detailed Control Objectives
Management's Target Goal
IT Goals & Performance Metrics
Process Specific Maturity Model
Summing It All Up
Integrating COBIT Into IT Audit Approach
Integration Overview:
- Map COBIT to the Technology Audit Universe
- Ensure Consistent Audit Coverage By Establishing IT Audit Focal Points
Technology Audit Universe (example layers):
- Business Cycles: Financial Accounting, Fixed Assets, Expenditures, Inventory, Revenue, Payroll, Various Others
- Applications: SAP, Various Other Systems
- Operating System / Platform: UNIX
SF ISACA - April Chapter Luncheon
Internal Risks - Vulnerability to Hackers (network diagram; components shown):
- Internet, DMZ (Email, FTP, DNS), Firewalls, Routers, Firewalls / Secure Routing
- Distributed Systems (UNIX & Windows), Other Servers, Databases & Applications
- Mainframe Systems, Databases & Applications
- Subsidiaries, 3rd Parties, Remote LANs, LANs, VPN, Remote Access
Technology Layers and Control Types (diagram):
- Application Controls: Distributed Applications, Mainframe Applications
- Database Controls: Distributed Databases (Oracle, DB2, Sybase, SQL/Server), Mainframe Databases (DB2, Datacom)
- Platform Controls: Distributed Servers (Windows NT / 2000 / XP, UNIX), Mainframes
- Network Controls
Policies
Standards
Regulatory & Legal
Evolving Technology
Industry Trends
IT Risk Management
Oversight
Strategic Sourcing
IT Organization
IT Management
Program Management
Change Management
Project Management
Technology Management
* Technology Planning
* Architecture Design
* Vendor / Product Selection
Quality Assurance
Operations
Applications
* Development
- Testing
- Conversion
- Implementation
* IT Change Management
* Maintenance
Portfolio Management
Support
* Vendors / 3rd Party
* Help Desk
* End User Support
* Training
Audit Universe (infrastructure and process areas):
- Recoverability
- Information Security: Distributed Servers; Mainframe; Distributed & Mainframe Databases; Information Privacy; Monitoring & Intrusion Detection; Physical Security
- Telecommunications
- Architecture
- Hardware Management
- Network Management
- Problem Management
- Change Management
- Software Management
- Database Management
- System Development
Information Security Audit Universe:
- Distributed Servers
- Mainframe Security: O/S (OS/390); Security Systems (Top Secret / RACF); Sub-systems (CICS, TSO, IMS DC, MQ); Mainframe Databases (DB2, Datacom)
- Distributed & Mainframe Databases
- Information Privacy
- Monitoring & Intrusion Detection
- Physical Security
- Virus Prevention: Anti-Virus Program
- Application Security
- ETS Audit Coverage: System Development Projects
- Security Management: Policy, Standards, & Procedures Maintenance Process; Security Awareness Program; Security Metrics & Performance Reporting
- Security Engineering: Research & Development; Security Self-Assessments
Illustration Only. Applicable Objectives Noted With X.
Infrastructure - Information Security Focal Points (Example):
- Access Control
- System Security Configuration
- Monitoring, Vulnerability Assessment, & Response
- Security Management & Administration
Access Control:
- Account Management: Account management procedures exist and are effective.
- Password Management: Password management mechanisms are in place to ensure that user passwords comply with Schwab password syntax and management criteria.
- Remote Access: Appropriate mechanisms are in place to control and monitor remote user access to Schwab's internal network.
System Security Configuration:
- Standards & Procedures / Configuration Management: Procedures are in place to facilitate an effective configuration management process for standard images, patches and other updates. Procedures are in place for handling exceptions for non-standard configurations.
- Procedures: Defined procedures exist to ensure that systems are configured in compliance with Schwab security standards. The procedures are tested, documented and approved by management.
- System Utilities: System utilities are managed effectively.
Monitoring, Vulnerability Assessment & Response:
- Logging: Critical system and security events are logged according to logging standards.
- Incident Response: Security incident response procedures exist and are applied consistently in the event of a security breach. Escalation protocols have been defined.
Security Management & Administration:
- Procedures: Daily operational procedures have been defined, documented and communicated to ensure that individuals with administrative responsibilities are able to effectively execute standard administration procedures.
- Security Administration: Responsibility for security administration is appropriately assigned and accountability has been established.
- Environment Understanding: Gain a comprehensive understanding of the computer-processing environment and the relevant controls in place.
Record Applicable Focal Points & Areas of Emphasis
Access Control - Detailed Objectives:
- Standards & Procedures: Standards and procedures for access control are documented, approved, and communicated.
- Account Management: Account management procedures exist and are effective.
- Password Management: Password management mechanisms are in place to ensure that user passwords comply with Schwab password syntax and management criteria.
- Remote Access: Appropriate mechanisms are in place to control and monitor remote user access to Schwab's internal network.
Vendor-Specific Guidance
Classifying Sources
Identify relevant industry standards, guidelines, and best practices (classify by purpose):
- Governance (strategic) focus versus Management (tactical) focus.
- Process Control focus versus process Execution focus.
- What To Do versus How To Do IT
Classification (Example) grid: GOVERN (What, Strategic, Control) versus MANAGE (How, Tactical, Execute); example sources placed on the grid: ISO17799, Vendor-Specific Guidance.
ITIL Overview
Information Technology Infrastructure Library (ITIL)
- Set of books detailing best practices for IT Service Management (the how)
- Originally developed by the UK government to improve IT Service Management
- Now more globally accepted
- Currently under revision
- www.itil.co.uk
ITIL Service Management: Service Delivery, Service Support
IT Policy Hierarchy (from WHAT to HOW):
IT Policies: High-level statements. When there is no specific standard to follow, policies provide general guidance.
IT Standards: Standards establish a point of reference, providing criteria that may be used to measure the accuracy and effectiveness of procedures / mechanisms that are in place.
IT Guidelines: Guidelines provide specific and detailed requirements relative to implementing specific IT standards (i.e., platform specific; function specific; component specific, etc.).
IT Procedures: Procedures provide step-by-step instructions for end-users and technical staff for the execution of specific IT processes.
COBIT to IT Policy Mapping Template (Illustration Only): rows list the High Level Objective (e.g. PO1) and each Detailed Level Objective (e.g. 2.1); columns list IT Policies, IT Standards, etc.; applicable objectives are noted.
COBIT to Audit Process Flow: COBIT Manuals & Other Best Practice Material -> COBIT To Audit Mapping Template -> Engagement Scope -> Kick-Off Meeting -> Audit Team Work Program -> Audit Testing -> Exit Meeting -> Reporting -> QAR
Mapping template column: Detailed Level Objective (e.g. 2.1); applicable objectives are noted in this column.
Work Program and Audit Report
Use of a Framework ensures consistent coverage across audits and allows for trending the state of controls over time.
Assessment Questionnaire (layout):
- XYZ Company Specific Control Objectives
- One COBIT Control Objective Per Row
- COBIT Maturity Rating (0-5) assigned based on Joint Assessment
- Preplanned Assessment Questions
- Client's Response & Assessment Results
Audit Report (layout):
- Overall Conclusion Statements Supporting Overall Rating
- Audit Metrics
- Concise Background & Scope
- Responsible Manager Provided Response
- Control Weakness highlighting business impact
- Due Date
- Client Provided Responses
- Issue Priority (A, B, C)
- MGT Reports
Audit Report detail (layout):
- Detailed Control Objectives Included In Scope Listed
- Summary Conclusions and Points Supporting Rating
- Overall Rating For High-Level Control Objective
- Applicable Detailed Control Objective (one per row; corresponds to a row in the Assessment Questionnaire)
- Highlighting Key Performance Indicators (i.e., Metrics)
- Assigned Maturity Rating
Process Workflow Diagram For Area Assessed:
- Table Defining Key Control Points In Process Flow
- Highlighting Key Performance Indicators (i.e., Metrics)
- Automated or Manual Control
Questionnaire, Audit Reports, MGT REPORTS: Trending Audit Results Over Time
Trending chart (Overall and Infrastructure Audits; maturity ratings by quarter Q1-Q4 2002, YTD and Prior Year; some cells TBD or No Reports Issued)
Legend:
5 - Optimized
4 - Managed
3 - Defined
2 - Repeatable
1 - Initial
0 - Non-Existent
Report to IT Management: Audit Results & Analysis of Key Technology Metrics
Analysis of Key Technology Metrics
Example of Metric Analysis To Include In QAR (Illustration Only)
Change management chart (Successful, Caused Problem, Caused Outage, Cancelled, Unstatused by quarter, Q1-Q3 2002 and YTD; Target Rate 97%, Source: Technology Management Balanced Scorecard) with observations; the same chart and observations appear in full under Change Management: Measuring Performance below.
Trending chart (Overall, Security Audits and Infrastructure Audits; maturity ratings by quarter Q1-Q4 2002, YTD and Prior Year; maturity legend as above)
Control Environment over Time (diagrams): an Expectation line and a Reality line; Assess 1 at t1 and Assess 2 at t2, each followed by a Report. With Ongoing Measurement, reports are also issued between the two assessments.
Information Security: Measuring Performance (illustration only)
The Security Officer consistently performs both internal and external vulnerability scans on a monthly basis. The majority of vulnerabilities identified are low risk.
Charts: Internal Vulnerability Scans and external vulnerability scans (Low Risk, Medium Risk and High Risk Vulnerabilities; Q1 2002, Q2 2002, YTD)
Observations:
An increase in internal vulnerabilities occurred from Q1 to Q2. The increase is explained by new system patches that the vulnerability scanner checks for but that have not yet been applied to the XYZ company servers. Technology management appropriately applies patches only after the patches have been tested and certified.
A decrease in external vulnerabilities was noted from Q1 to Q2. These results demonstrate that a significant number of Q1 vulnerabilities have been resolved.
Change Management: Measuring Performance (illustration only)
Although target rates have not been achieved, change management processes are successful on average 75% of the time. Less than 1% of appropriately recorded changes resulted in problems or outages.
Charts: change outcomes by quarter (Successful, Caused Problem, Caused Outage, Cancelled, Unstatused; Q1-Q3 2002 and YTD) against a Target Rate of 97% (Source: Technology Management Balanced Scorecard)
Change management processes appear to be consistently applied with only minor variances in volume.
Large percentage (~20%) of unstatused tickets indicates process adherence issues. True results cannot accurately
be determined; therefore, additional management scrutiny is appropriate for the unstatused items.
Trend for tickets with implementation problems is increasing - additional analysis to ascertain root cause of the
increase in this activity would be appropriate. Root cause may rest with testing and validation processes.
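As an added example (not from the presentation), the Python below implements the kind of change-ticket analysis the slide describes: per-quarter outcome shares, comparison against the 97% target, a flag when unstatused tickets reach about 20%, and a check for a rising problem/outage trend. The tickets are constructed sample data, not XYZ Company figures.

```python
from collections import Counter

# Outcome categories used in the slide's change management chart.
OUTCOMES = ("Successful", "Caused Problem", "Caused Outage", "Cancelled", "Unstatused")
TARGET_SUCCESS_RATE = 0.97     # target rate quoted on the slide
UNSTATUSED_ALERT_SHARE = 0.20  # ~20% unstatused is flagged as a process adherence issue

# Constructed sample tickets as (quarter, outcome) pairs; 100 tickets per quarter.
TICKETS = (
    [("Q1", "Successful")] * 74 + [("Q1", "Caused Problem")] * 2
    + [("Q1", "Cancelled")] * 4 + [("Q1", "Unstatused")] * 20
    + [("Q2", "Successful")] * 72 + [("Q2", "Caused Problem")] * 4
    + [("Q2", "Caused Outage")] * 1 + [("Q2", "Cancelled")] * 3
    + [("Q2", "Unstatused")] * 20
)


def outcome_shares(tickets, quarter):
    """Fraction of the quarter's tickets falling in each outcome category."""
    counts = Counter(outcome for q, outcome in tickets if q == quarter)
    total = sum(counts.values())
    return {o: (counts[o] / total if total else 0.0) for o in OUTCOMES}


def assess(tickets, quarters):
    """Return the findings a QAR would raise for the given quarters, in order."""
    shares = {q: outcome_shares(tickets, q) for q in quarters}
    findings = []
    for q in quarters:
        s = shares[q]
        if s["Successful"] < TARGET_SUCCESS_RATE:
            findings.append(f"{q}: success rate {s['Successful']:.0%} below target {TARGET_SUCCESS_RATE:.0%}")
        if s["Unstatused"] >= UNSTATUSED_ALERT_SHARE:
            findings.append(f"{q}: {s['Unstatused']:.0%} unstatused tickets; true results cannot be determined")
    # Problems and outages together form the implementation-problem trend.
    problem = [shares[q]["Caused Problem"] + shares[q]["Caused Outage"] for q in quarters]
    if len(problem) > 1 and all(later > earlier for earlier, later in zip(problem, problem[1:])):
        findings.append("implementation problems trending up; root cause analysis of testing and validation warranted")
    return findings


if __name__ == "__main__":
    for finding in assess(TICKETS, ["Q1", "Q2"]):
        print(finding)
```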
Benefits Realized
- IT management partners with Internal Audit throughout the audit life cycle, including input into the audit schedule and scope.
- IT management becomes conversant in risk, control, and audit concepts.
- Relationships transformed into partnerships by jointly assessing control procedures.
- Audit Report streamlined: concise report supported by detailed questionnaire.
- Audit approach is methodical and is consistent with industry standards / best practices as well as IT Governance practices implemented throughout the company's technology organization.
- Meaningful reporting for senior IT management.