A Governance and Management System for POPI, ISO 27001, CGICT, King IV

Presentation transcript:

A Governance and Management System for POPI, ISO 27001, CGICT, King IV info@itgovernance.com www.itgovernance.com 0825588732 +44-(0) 81333180 © 2012 IT Governance Network. All Rights Reserved.

Biography – Peter Hill
Director of the IT Governance Network, Capability Certification Services
Previously: partner with Deloitte, director of N:Crypt and zenAptix
Worked as an IT auditor, programmer, IT manager, in Security R&D and in Privacy
Pioneering IT governance since 1992
Extensive knowledge and experience working with COBIT since 1996
First COBIT workshop for ISACA presented at EuroCACS in 1997
20 years of COBIT training: Basics, Fundamentals, Foundation, Assessor, Implementation, Advanced, IT Governance Framework, COBIT Management System, APO 13 Security Management, Using COBIT for POPI (Privacy)
POPI / GDPR (2009 - 2016): POPI Management System, Privacy Impact Assessments, Information Officers
ISO 19600 Compliance Management System
ISO 27001 Information Security Management System
ISO 30301 Records Management System
ISO 31000 Risk Management System
PROCESS as a foundation for: Governance Framework, Management System, POPI Implementation, Information Security, Supplier Management, Service Integration (SIAM)
COBIT 5 Capability Assessment Tool

Agenda
What is a Governance and Management System?
Leveraging resources requires accountability and responsibility
Governance and Management System for POPI
Using ISO 27001 to manage Information Security
Implementing Cloud Computing and Cyber Security controls
Illustrations throughout.

ISO 38500: A Model for Corporate Governance of IT (diagram: the Corporate Governance of ICT cycle of Evaluate, Direct and Monitor; inputs: business pressures, business needs, proposals, conformance and performance; objects governed: processes, policies, plans, ICT projects, ICT operations and business processes)

Governance and Management Dashboard POPI ISO 27001 CGICTPF / COBIT

Corporate Governance of ICT – Interrelationship of frameworks (diagram, WHAT versus HOW by scope of coverage: King III – Corporate Governance; ISO/IEC 38500 – Corporate Governance of ICT; COBIT 5 – Governance of ICT; various operational frameworks such as ITIL and ISO 27001 – ICT Management Operations)

Governance and management System for CGICT

Multiple Layers

Separating Governance Roles from Management Roles

Plan and Execute Monitor Progress

Build Capability - level 2.1 and 2.2 Level 2 – 1. Manage Performance and 2. Manage Work Products

Continuous Improvement Road at Capability Level 1.1

Capability Assessments – Assessor Rating

Capability Profile – level 1.1

Governance and management System for POPI using COBIT processes

A Governance and Management System for POPI using ISO 27001 and COBIT Policy about “POPI” and Lawful Processing ISO 27001 COBIT 5 CGICT PF

Illustration of a Governance and Management System (diagram: Corporate Governance – Evaluate, Direct, Monitor; WHAT: establish accountability, assign responsibility, align work with outcomes, monitor progress; Plan, Build, Run and Monitor life cycle with Change Management of new/changed services; HOW: management processes – Budgets and Accounting, Security Management, Capacity, Continuity and Availability Management, Service Level, Service Reporting, Business Relationship, Supplier, Configuration Management, Problem, Incident, Privacy (POPI); GOALS: Cyber Security, Capability Improvement, Value Creation)

A Governance and Management System
Corporate governance is the system by which a governing body exercises ethical and effective leadership to establish an ethical culture; sustainable performance and value-creation; adequate and effective control by the governing body; and trust in the organisation, its reputation and legitimacy. Organisations often use a wide variety of resources and governance mechanisms to achieve their purpose, strategic goals and to fulfil the broader needs of stakeholders. Leveraging resources requires the establishment of accountability, assignment of responsibility and transparency and fairness in the way work gets done. While governing bodies are expected to be pro-active in ensuring that information assets are leveraged for growth, there are few tools actually available that provide governing bodies with sufficient oversight. A governance and management system provides an integrated solution that brings the governors and the managers together and provides a holistic approach for them to effectively govern and manage the current and future use of technology and information. Better governance and good management are key requirements of the Protection of Personal Information Act (POPI).

COBIT – Governance and Management System – King IV
A GOVERNANCE and MANAGEMENT system provides the means to institutionalise the enablers of good corporate governance. People (organisational structure, frameworks, skill and culture), process, technology and information come together in an integrated governance and management system to build capability that enables the creation of value, and support the achievement of the business' and organisation's strategic goals.
(Related standards: ISO 38500, ISO 9001, ISO 20000, ISO 21500, ISO 27001, ISO 31000)

Multiple frameworks to Govern and Manage

Privacy Management System

Privacy Management System

Governance and Management System for ISO 27001 Framework Activities

Governance and Management System for ISO 27001 Selected Activity

Governance and Management System for ISO 27001 Linked to Operations

Governance and Management System for ISO 27001 Performed Activity

Vulnerabilities Knowledgebase

Knowledgebase of Safeguards

Tracking Safeguard Implementation

Risk Register
For a detailed risk register, the Risk Manager (or another role with access) should select all (or per process) activities of a specified:
Vulnerability, and/or
Risk type, and/or
Risk impact on business, and/or
Risk level, and/or
Risk response, and/or
Remediation priority, and/or
Last audit finding

Maintain a Risk Register

Maintain various Controls Library
Sources:
Controls as per Framework (or framework area)
Controls assessed in the operational environment
Controls set per tracker = Control

Maintain various Controls Library Cloud Computing:

Workflow status for tracker = Control
Control status can be changed by authorized roles
Report on number of controls at each status
Statuses: Unreliable, Informal, Standardized, Monitoring, Optimized

Repository of evidence supporting performed activities
Evidence reviewed by the auditor:
Uploaded document
Attached screen capture
Notes written
Checklist completed
Links to another source.

Audit Planning
For each selected COBIT process, and the selected activity:
Add a high-level framework to specify scope (POPI, ISO 27001, Legal Register, etc.) and
Add one or more audit actions (with tracker = audit):
With or without subtasks
Per calendar period
Per capability level.

Add audit comments
Include public and private comments for each audit activity
Use pre-defined templates to specify Audit Steps or documentation requirements
Use Checklists to refine % Done measurements.

Collect additional information
Use custom fields (lists, text, dropdown list, etc.) for:
Business units
Special characteristics
Additional details.

Collect additional information for the Information Officer (POPI) Needed for a Privacy Impact Assessment

Knowledgebase
Used for the IT Legal Register: contains relevant sections of the Act; contains a link to the complete Act; contains links to issues that address the Act
Used for Security Policy: contains policy clauses; shows links to implementation activities
Used for Control requirements of a standard or model: shows links to control implementation.

Knowledgebase
Vulnerability Register: Register for …. Contains details of threats (by process and category)
Register for …. Contains details of ….
Process specific practices: Work instructions for staff; Process specific information; Access controlled at process level.

Uploads, Documents, Files
Store templates (forms, checklists)
Organised in groups, separate for each process, with access control
Download the template (e.g. Risk register.xls)
Files: distribution of files, downloads numbered, validation control (hash), version control.

Management Reports
Inventory of Risks (by process/activity or theme)
Inventory of Controls (by process/activity or theme)
Status of Controls (by process or theme)
Audit findings reports (by process, theme, activity)
Assessor ratings reports (by process, theme, activity)
Progress with process execution (activity status).

Centralised document repository
By process
With access control according to process rights
Viewable online or downloadable.

IT Dashboard
Status per Process area
% Done per life-cycle phase
Risk level per Type
Risk level per Process
Control Status
Control % Done
Capability level across Processes
Assessor rating of % Process Attribute Achieved.

Dashboard
Processes with Privacy Risk
Processes with date Over Due
Login per IP address
Status per process
Time spent per process activity
% Done ratio per process activity
Target rating
Status per Tracker
Custom field on Tracker
Custom field and Process.

Governance and Management Dashboard POPI ISO 27001 CGICTPF / COBIT

Summary of Features for the POPI Governance and Management System
System features:
Gather information to plan privacy enhancing initiatives
Identify new risks and respond to changes in vulnerability
React to incidents, track responses and retain history logs
Handle data subject complaints and information requests
Implement policies across the operational environment
Secure, role based access from multiple devices
Provision staff with knowledge and work instructions
Plan and coordinate privacy management activities
Implement risk treatment plans
Manage teams, provision work, choreograph workflow
Manage resources for the privacy management system
Maintain a central repository of artefacts
Monitor and control the technical effort and time spent
Control processors, service providers and contractors
Control access to retained information
Promptly respond to security events
Validate third party assertions
Audit internal controls and assess capability
Privacy aware reporting of progress against plans
Privacy aware governance and management dashboards.

Target Users
A governance and management system is an integrated, multi-purpose system to assist:
CEO and responsible parties: achieve strategic objectives and regulatory compliance; retain documented information; verify operator compliance with agreements
Information officers: handle data subject complaints and requests
Responsible staff (and process owners): manage assigned responsibilities
Operations management: schedule planned work and report progress; maintain history log of privacy events and actions
Operators, service providers, contractors and third parties: adhere to instructions and report incidents
Legal officer: manage statutory obligations and legal commitments
POPI programme management: manage staff and third parties; implement improvements; provide detailed instructions, templates and wikis
Information security management: protect personal information and respond to breaches
Risk and compliance management: maintain risk and control libraries with status checks
Auditors and capability assessors: perform assessments and report findings.

Endless Customisation

Thank you
IT Governance Network – South Africa, US, UK, Switzerland
+27 825588732
+44 – (0)20 81333180
+1 302-5044408
peter@itgovernance.com