IT Security Summit – 2005
Centro de Convenciones, August 22-23, 2006
(exported 4/16/2017 3:15 AM)

Information Technology (IT) Regulatory Compliance Planning

John R. Robles
President, John R. Robles & Associates
787-647-3961
jrobles@coqui.net
www.johnrrobles.com

© 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Slide 2 of 35: What Is Compliance?

- The act of complying with a wish, request, or demand
- A disposition or tendency to yield to the will of others
- The act of submitting; usually surrendering power to another
- Acting according to certain accepted standards
- Happy friendly agreement
Slide 3 of 35: What Is IT Compliance?

- Perform IT functions according to a wish, request, or demand
- Disposition or tendency to yield to the IT will of others
- The act of submitting; usually surrendering IT power to another
- Acting according to certain accepted IT standards
- A disposition or tendency to yield to the IT will of others
- Happy friendly IT agreement between IT and others
Slide 4 of 35: What is IT Regulatory Compliance?

- Perform IT functions according to a wish, request, or demand of the government or regulatory agency
- Disposition or tendency to yield to the IT will of others (government or regulatory agency)
- The act of submitting; usually surrendering IT power to another (government or regulatory agency)
- Acting according to certain accepted IT standards (of government or regulatory agency)
- A disposition or tendency to yield to the IT will of others (government or regulatory agency)
- Happy friendly IT agreement with (government or regulatory agency)
Slide 5 of 35: How do I Comply with Government or Regulatory Agency?

- Know the IT regulations pertinent to your company or industry
- Discuss with:
  - Compliance Officer
  - Legal Counsel
  - Internal or External Auditors
  - Executive Management
- Determine methodology to ensure compliance
- Perform Self Assessment
- Improve Compliance
- Keep Compliance Officer, Legal Counsel, Internal/External Auditors, and Executive Management informed of the self assessment and the progress of improvement efforts
Slide 6 of 35: Sample of some IT regulations

- Financial Services: Financial Institution Letters
- The IT Compliance Institute has a database of regulations by industry and by country
- Some known regulations include:
  - Sarbanes-Oxley Act
  - Gramm-Leach-Bliley Act
  - HIPAA
  - Basel II
  - USA PATRIOT Act
  - Email/records retention
Slide 7 of 35: Regulatory Compliance is Above and Beyond Best Practices and General Internal Controls

- If you do not comply with Best Practices and General Internal Controls, you may get an Audit Comment.
- If you do not comply with Regulatory Compliance, you, your company, your company officers, or the Board of Directors may get a Fine or Jail Time.
- However, Regulatory Compliance is a subset of Best Practices and General Internal Controls. That is, if you run a clean IT shop, most likely you are in compliance.
Slide 8 of 35: IT Compliance is all about IT Internal Controls

- How do you set up a compliant IT department? Establish an Internal Controls methodology which includes addressing pertinent IT regulations.
- Some of the more well-known methodologies include:
  - COSO (Committee of Sponsoring Organizations of the Treadway Commission)
  - COBIT (Control Objectives for Information and Related Technologies)
  - ISO 17799
Slide 9 of 35: An Internal Controls Methodology

The GAO “Standards for Internal Control in the Federal Government” and COSO define Internal Controls as:

“An integral part of an organization’s management that provides reasonable assurance that the following objectives are being achieved:
- effectiveness and efficiency of operations
- reliability of financial reporting
- compliance with applicable laws and regulations”
Slide 10 of 35: An Internal Controls Methodology

Internal Controls address the following:
- It is a process
- It is performed by people
- It provides only reasonable assurance, not absolute assurance

Internal Controls consist of:
- Control Environment
- Risk Assessment
- Control Activities
- Information and Communications
- Monitoring
Slide 11 of 35: Regulation with the greatest impact on internal controls and IT

Sarbanes-Oxley, Section 404:

“It will be (1) the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting, and (2) contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuers for financial reporting.”
Slide 12 of 35: IT Internal Controls Frameworks

Some IT internal control frameworks:
- COBIT and IT Control Objectives for Sarbanes-Oxley
- ISO 17799
- IT Infrastructure Library (ITIL)
- Capability Maturity Model Integration (CMMI)
- National Institute of Standards and Technology (NIST)
Slide 13 of 35: Unified Compliance Project

The IT Compliance Institute (www.itcinstitute.com) runs the Unified Compliance Project, which addresses the following:
- Leadership and High-Level Objectives
- Audit and Risk Management
- Design and Implementation
- Technology Acquisition
- Operational Management
- IT Staff Management and Outsourcing
- Records Management
- Technical Security
- Physical Security
- Systems Continuity
- Monitoring, Measurement, and Reporting
- Privacy
Slide 14 of 35: COBIT: An IT Control Framework

[Diagram: Business Requirements, IT Processes and IT Resources, linked through the Framework]
Slide 15 of 35: COBIT Framework: How do they relate?

[Diagram relating the three elements]
- Business Requirements (information criteria): Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Information Reliability
- IT Resources: Data, Information Systems, Technology, Facilities, Human Resources
- IT Processes (domains): Plan and Organise, Acquire and Implement, Deliver and Support, Monitor and Evaluate
Slide 16 of 35: COBIT Framework: How do they relate?

[Same diagram, annotated]
- Business Requirements: what the stakeholders expect from IT (Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Information Reliability)
- IT Processes: how IT is organised to respond to the requirements (Planning and organisation, Acquisition and implementation, Delivery and Support, Monitoring)
- IT Resources: the resources made available to—and built up by—IT (Data, Information Systems, Technology, Facilities, Human Resources)
Slide 17 of 35: COBIT Framework: IT Processes

- Domains: natural grouping of processes, often matching an organisational domain of responsibility
- Processes: a series of joined activities with natural control breaks
- Activities or tasks: actions needed to achieve a measurable result. Activities have a life cycle whereas tasks are discrete.
Slide 18 of 35: COBIT Framework: IT Resources

- Data: data objects in their widest sense, i.e., external and internal, structured and unstructured, graphics, sound, etc.
- Application Systems: understood to be the sum of manual and programmed procedures
- Technology: covers hardware, operating systems, database management systems, networking, multimedia, etc.
- Facilities: resources to house and support information systems
- People: staff skills, awareness and productivity to plan, organise, acquire, deliver, support and monitor information systems and services
Slide 19 of 35: COBIT Framework: IT Domains

- Domains (Plan and Organise; Acquire and Implement; Deliver and Support; Monitor and Evaluate): natural grouping of processes, often matching an organisational domain of responsibility
- IT Processes (e.g. IT Strategy, Policy and Procedures, Feasibility Study, Acceptance Testing, Change Management, Contingency Planning, Problem Management): a series of joined activities with natural (control) breaks
- Activities (e.g. Record New Problem, Analyse, Propose Solution, Monitor Solution, Record Known Problem, etc.): actions needed to achieve a measurable result. Activities have a life cycle whereas tasks are discrete.
Slide 20 of 35: Plan and Organise

- PO1 Define a Strategic Information Technology Plan
- PO2 Define the Information Architecture
- PO3 Determine the Technological Direction
- PO4 Define the IT Organisation and Relationships
- PO5 Manage the Investment in Information Technology
- PO6 Communicate Management Aims and Direction
- PO7 Manage Human Resources
- PO8 Ensure Compliance with External Requirements
- PO9 Assess Risks
- PO10 Manage Projects
- PO11 Manage Quality

Speaker note: Present the 11 high-level objectives contained in the Plan and Organise domain.
Slide 21 of 35: Acquire and Implement

- AI1 Identify Automated Solutions
- AI2 Acquire and Maintain Application Software
- AI3 Acquire and Maintain Technology Infrastructure
- AI4 Develop and Maintain IT Procedures
- AI5 Install and Accredit Systems
- AI6 Manage Changes

Speaker note: Present the 6 high-level objectives contained in the Acquire and Implement domain.
Slide 22 of 35: COBIT Domains

Deliver and Support
- Topics: delivery of required services; setup of support processes; processing by application systems
- Questions:
  - Are IT services being delivered in line with business priorities?
  - Are IT costs optimised?
  - Is the workforce able to use the IT systems productively and safely?
  - Are adequate security, integrity and availability in place?

Monitor and Evaluate
- Topics: assessment over time, delivering assurance; management’s oversight of the control system; performance measurement
- Questions:
  - Can IT’s performance be measured and can problems be detected before it is too late?
  - Is independent assurance needed to ensure that critical areas are operating as intended?
Slide 23 of 35: Deliver and Support

- DS1 Define and Manage Service Levels
- DS2 Manage Third-party Services
- DS3 Manage Performance and Capacity
- DS4 Ensure Continuous Service
- DS5 Ensure Systems Security
- DS6 Identify and Allocate Costs
- DS7 Educate and Train Users
- DS8 Assist and Advise Customers
- DS9 Manage the Configuration
- DS10 Manage Problems and Incidents
- DS11 Manage Data
- DS12 Manage Facilities
- DS13 Manage Operations

Speaker note: Present the 13 high-level objectives contained in the Delivery and Support domain.
Slide 24 of 35: Monitor and Evaluate

- M1 Monitor the Process
- M2 Assess Internal Control Adequacy
- M3 Obtain Independent Assurance
- M4 Provide for Independent Audit

Speaker note: The last domain has two processes (M1-2): monitoring all the other processes, and obtaining independent assurance (i.e., IS controls and audit). Reference: pages 16 and 20-24 of Control Objectives.
Slide 25 of 35: COBIT Framework: Waterfall Model

The control of IT Processes, which satisfy Business Requirements, is enabled by Control Statements, considering Control Practices.

4 Domains - 34 Processes - 318 Control Objectives
Slide 26 of 35: COBIT Framework (overview diagram)

Business Objectives

Criteria: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability

IT Resources: Data, Application systems, Technology, Facilities, People

PLAN AND ORGANISE
- PO1 Define a strategic IT plan
- PO2 Define the information architecture
- PO3 Determine the technological direction
- PO4 Define the IT organisation and relationships
- PO5 Manage the IT investment
- PO6 Communicate management aims and direction
- PO7 Manage human resources
- PO8 Ensure compliance with external requirements
- PO9 Assess risks
- PO10 Manage projects
- PO11 Manage quality

ACQUIRE AND IMPLEMENT
- AI1 Identify automated solutions
- AI2 Acquire and maintain application software
- AI3 Acquire and maintain technology infrastructure
- AI4 Develop and maintain IT procedures
- AI5 Install and accredit systems
- AI6 Manage changes

DELIVER AND SUPPORT
- DS1 Define service levels
- DS2 Manage third-party services
- DS3 Manage performance and capacity
- DS4 Ensure continuous service
- DS5 Ensure systems security
- DS6 Identify and attribute costs
- DS7 Educate and train users
- DS8 Assist and advise IT customers
- DS9 Manage the configuration
- DS10 Manage problems and incidents
- DS11 Manage data
- DS12 Manage facilities
- DS13 Manage operations

MONITOR AND EVALUATE
- M1 Monitor the process
- M2 Assess internal control adequacy
- M3 Obtain independent assurance
- M4 Provide for independent audit
Slide 27 of 35: The Most Important IT Processes

- PO1 Define a strategic IT plan
- PO3 Determine the technological direction
- PO5 Manage the IT investment
- PO9 Assess risks
- PO10 Manage projects
- AI1 Identify solutions
- AI2 Acquire and maintain applications s/w
- AI5 Install and accredit systems
- AI6 Manage changes
- DS1 Define service levels
- DS4 Ensure continuous service
- DS5 Ensure system security
- DS10 Manage problems and incidents
- DS11 Manage data
- M1 Monitor the processes

[Figure: 34 - 15 - 7; Survey]
COBIT—Content

High-level Control Objective: one per process
Detailed Control Objectives: three to 30 per process
Control Practices: five to seven per control objective
COBIT Control Objectives

Based on the 41 primary references
Developed following a rigorous research process
Three to 30 detailed control objectives for each of the 34 processes
Directed to IT management, IT staff, control and audit functions and business process owners

For each process, detailed control objectives are identified as "good practice" that need to be in place, and that will be assessed for sufficiency by the controls professional. Control objectives provide a working document, a place to start, from which selections need to be made based on the enterprise value and risk drivers.
The COBIT Framework: How Is COBIT Used? (Results from Surveys)

To improve audit approach/programs
To support audit work with detailed audit guidelines
To provide guidance for IT governance
As a valuable benchmark for IS/IT control
To improve IS/IT controls
To standardise audit approach/programs
COBIT—Benefits

What

Comfort about:
  Dependence on IT
  IT risks are mitigated
  IT delivers value

Assurance of:
  Cost down and revenue up
  Business operations improved
  Service levels maintained

Who

  Executive
  Business manager
  IT manager
  Project manager
  Developer
  Operations staff
  User
  Security officer
  Auditor
COBIT Products: Management Guidelines

Provide management direction for:
  Getting the enterprise's information and related processes under control
  Monitoring achievement of organisational goals
  Monitoring and improving performance within each IT process
  Benchmarking organisational achievement

Action-oriented and generic

Provide answers to typical management questions:
  How far should we go in controlling IT, and is the cost justified by the benefit?
  What are the indicators of good performance?
  What are the critical success factors?
  What are the risks of not achieving our objectives?
  What do others do? How do we measure and compare?
IT Governance Implementation Guide: Implementation Road Map

Identify needs
  Raise awareness & make decision
  Analyse values and risks
  Select processes

Envision the solution
  Define where you are
  Define where you want to be
  Analyse gaps

Plan the solution
  Define projects
  Develop & implement change plan

Implement the solution
  Integrate into day-to-day practices
  Integrate measures into ITBSC
  Post-implementation review

Feedback (loops back to the start of the road map)
Conclusion—COBIT Values (present and future)

Sharing knowledge and leveraging expert volunteers
Internationally accepted good practices
Continually evolves
Maintained by reputable not-for-profit organisation
Maps strongly onto all major related standards
Is management-oriented
Is supported by tools and training
Maps completely to ISO17799 and COSO
Provide action-oriented solutions
The COBIT Framework

IT Governance Institute
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
+1.847.590.7491
info@itgi.org
info@isaca.org
www.isaca.org
www.itgi.org

John R. Robles and Associates
787-647-3961
jrobles@coqui.net
www.johnrrobles.com

More information can be found at these sites provided by the IT Governance Institute. You also have the address and phone numbers should you wish to communicate in a more traditional manner.
Thank You! Questions and Answers.