A Governance and Management System for POPI, ISO 27001, CGICT, King IV


1 A Governance and Management System for POPI, ISO 27001, CGICT, King IV
© 2012 IT Governance Network. All Rights Reserved.

2 Biography – Peter Hill
Director of the IT Governance Network, Capability Certification Services
Previously: partner with Deloitte, director of N:Crypt and zenAptix
Worked as an IT auditor, programmer, IT manager, in Security R&D and in Privacy
Pioneering IT governance since 1992
Extensive knowledge and experience working with COBIT since 1996
First COBIT workshop for ISACA presented at EuroCACS in 1997
20 years of COBIT training: Basics, Fundamentals, Foundation, Assessor, Implementation, Advanced, IT Governance Framework, COBIT Management System, APO13 Security Management, Using COBIT for POPI (Privacy)
POPI / GDPR: POPI Management System, Privacy Impact Assessments, Information Officers
ISO Compliance Management System, ISO Information Security Management System, ISO Records Management System, ISO Risk Management System
PROCESS as a foundation for: Governance Framework, Management System, POPI Implementation, Information Security, Supplier Management, Service Integration (SIAM)
COBIT 5 Capability Assessment Tool

3 Agenda
What is a Governance and Management System?
Leveraging resources requires accountability and responsibility
Governance and Management System for POPI
Using ISO to manage Information Security
Implementing Cloud Computing and Cyber Security controls
Illustrations throughout.

4 ISO 38500: A Model for Corporate Governance of IT
Diagram: business pressures and business needs feed Corporate Governance of ICT, whose three tasks are Evaluate, Direct and Monitor. The governing body evaluates proposals and plans, directs through policies and processes, and monitors conformance and performance. The objects governed are ICT projects, ICT operations and the business processes they support.

5 Governance and Management Dashboard POPI ISO 27001 CGICTPF / COBIT

6 Corporate Governance of ICT: Interrelationship of frameworks
Diagram of scope of coverage, from WHAT to HOW: King III sets corporate governance; ISO/IEC 38500 covers corporate governance of ICT; COBIT 5 covers governance of ICT and ICT management; operational frameworks such as ITIL and ISO 27001 cover ICT operations.

7 Governance and management System for CGICT

8 Multiple Layers

9 Separating Governance Roles from Management Roles

10

11 Plan and Execute Monitor Progress

12 Build Capability - level 2.1 and 2.2
Level 2 – 1. Manage Performance and 2. Manage Work Products

13 Continuous Improvement Road at Capability Level 1.1

14 Capability Assessments – Assessor Rating

15 Capability Profile – level 1.1

16 Governance and management System for POPI using COBIT processes

17 A Governance and Management System for POPI using ISO 27001 and COBIT
Diagram: a policy on POPI and lawful processing, implemented through ISO 27001, COBIT 5 and the CGICT Policy Framework.

18 Illustration of a Governance and Management System
WHAT (corporate governance: Evaluate, Direct, Monitor): establish accountability, assign responsibility, align work with outcomes, monitor progress.
GOALS: value creation, capability improvement, cyber security, privacy (POPI).
HOW (management life cycle: Plan, Build, Run, Monitor, with change management for each new or changed service) through the service management processes: Budgets and Accounting, Security Management, Capacity Management, Continuity and Availability Management, Service Level Management, Service Reporting, Business Relationship Management, Supplier Management, Configuration Management, Change Management, Incident Management, Problem Management.

19 A Governance and Management System
Corporate governance is the system by which a governing body exercises ethical and effective leadership to establish an ethical culture; sustainable performance and value creation; adequate and effective control by the governing body; and trust in the organisation, its reputation and legitimacy. Organisations use a wide variety of resources and governance mechanisms to achieve their purpose and strategic goals and to fulfil the broader needs of stakeholders. Leveraging those resources requires the establishment of accountability, the assignment of responsibility, and transparency and fairness in the way work gets done. While governing bodies are expected to be proactive in ensuring that information assets are leveraged for growth, few tools actually give governing bodies sufficient oversight. A governance and management system provides an integrated solution that brings the governors and the managers together and gives them a holistic approach to effectively govern and manage the current and future use of technology and information. Better governance and good management are key requirements of the Protection of Personal Information Act (POPI).

20 COBIT: GOVERNANCE and MANAGEMENT SYSTEM (King IV)
A GOVERNANCE and MANAGEMENT system provides the means to institutionalise the enablers of good corporate governance. People (organisational structure, frameworks, skill and culture), process, technology and information come together in an integrated governance and management system to build capability that enables the creation of value and supports the achievement of the business's and the organisation's strategic goals.
Standards brought together in the system: ISO 38500, ISO 9001, ISO 20000, ISO 21500, ISO 27001, ISO 31000

21 Multiple frameworks to Govern and Manage

22 Privacy Management System

23 Privacy Management System

24 Governance and Management System for ISO 27001
Framework Activities

25 Governance and Management System for ISO 27001
Selected Activity

26 Governance and Management System for ISO 27001
Linked to Operations

27 Governance and Management System for ISO 27001
Performed Activity

28 Vulnerabilities Knowledgebase

29 Knowledgebase of Safeguards

30 Tracking Safeguard Implementation

31 Risk Register
For a detailed risk register, the Risk Manager (or another role with access) selects all activities, or the activities of one process, filtered by any combination of:
Vulnerability
Risk type
Risk impact on business
Risk level
Risk response
Remediation priority
Last audit finding

32 Maintain a Risk Register

33 Maintain various Controls Libraries
Sources:
Controls as per framework (or framework area)
Controls assessed in the operational environment
Controls set per tracker = Control

34 Maintain various Controls Library
Cloud Computing:

35 Workflow status for tracker = Control
Control status can be changed by authorised roles
Report on the number of controls at each status
Status values: Unreliable, Informal, Standardized, Monitoring, Optimized

36 Repository of evidence supporting performed activities
Evidence reviewed by the auditor:
Uploaded document
Attached screen capture
Notes written
Checklist completed
Links to another source

37 Audit Planning
For each selected COBIT process and the selected activity:
Add a high-level framework to specify scope (POPI, ISO 27001, Legal Register, etc.)
Add one or more audit actions (with tracker = Audit), with or without subtasks, per calendar period, per capability level

38 Add audit comments
Include public and private comments for each audit activity
Use pre-defined templates to specify audit steps or documentation requirements
Use checklists to refine % Done measurements

39 Collect additional information
Use custom fields (lists, text, dropdown list, etc.) for:
Business units
Special characteristics
Additional details

40 Collect additional information for the Information Officer (POPI)
Needed for a Privacy Impact Assessment

41 Knowledgebase
Used for the IT Legal Register:
Contains relevant sections of the Act
Contains a link to the complete Act
Contains links to the issues that address the Act
Used for Security Policy:
Contains policy clauses
Shows links to implementation activities
Used for control requirements of a standard or model:
Shows links to control implementation

42 Knowledgebase
Vulnerability Register: contains details of threats (by process and category)
Register for ….: contains details of ….
Process specific practices: work instructions for staff
Process specific information: access controlled at process level

43 Uploads, Documents, Files
Store templates (forms, checklists): organised in groups, separate for each process, with access control; download the template (e.g. Risk register.xls)
Files: distribution of files with numbered downloads, validation control (hash) and version control
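The validation control (hash) and version control mentioned for distributed files can be demonstrated concretely. The following is an added example and is not the presentation's software or the IT Governance Network's system; the manifest layout, the `DownloadRegister` class and the sample template bytes are assumptions made for this illustration. A downloaded copy is accepted only if it carries the current version number and its SHA-256 digest matches the published one, and every download is numbered and recorded with its outcome.

```python
"""Hash validation and version control for distributed template files.

Added example (not the presentation's software): models the "validation
control (hash)" and "version control" properties a file-distribution
repository needs. The manifest layout and the DownloadRegister class are
assumptions made for this illustration.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of a file's bytes."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample template and the manifest the repository publishes for it.
TEMPLATE_BYTES: Dict[str, bytes] = {
    "Risk register.xls": b"constructed sample workbook bytes, revision 3\n",
}
MANIFEST: Dict[str, Dict[str, object]] = {
    "Risk register.xls": {
        "version": 3,
        "sha256": sha256_hex(TEMPLATE_BYTES["Risk register.xls"]),
    },
}


def verify_download(name: str, data: bytes, claimed_version: int,
                    manifest: Dict[str, Dict[str, object]] = MANIFEST) -> str:
    """Return 'ok' or the reason the downloaded copy must not be used.

    The version is checked before the hash so a user holding an outdated
    template is told to refresh rather than told the file is corrupt.
    """
    entry = manifest.get(name)
    if entry is None:
        return "unknown-template"
    if claimed_version != entry["version"]:
        return "stale-version"
    # compare_digest avoids timing differences between matching and
    # non-matching digests; harmless here, habitual in verification code.
    if not hmac.compare_digest(sha256_hex(data), str(entry["sha256"])):
        return "hash-mismatch"
    return "ok"


@dataclass
class DownloadRegister:
    """Numbers every download and keeps the verification outcome with it."""
    records: List[Dict[str, object]] = field(default_factory=list)

    def record(self, user: str, name: str, data: bytes,
               claimed_version: int) -> Dict[str, object]:
        entry = {
            "download_no": len(self.records) + 1,  # sequential download number
            "user": user,
            "file": name,
            "version": claimed_version,
            "sha256": sha256_hex(data),
            "status": verify_download(name, data, claimed_version),
        }
        self.records.append(entry)
        return entry


if __name__ == "__main__":
    reg = DownloadRegister()
    good = reg.record("risk.manager", "Risk register.xls",
                      TEMPLATE_BYTES["Risk register.xls"], 3)
    bad = reg.record("risk.manager", "Risk register.xls", b"edited offline", 3)
    for r in (good, bad):
        print(r["download_no"], r["file"], r["status"])
```

The register keeps the digest of what was actually handed out, so a later dispute about which copy of a template someone worked from can be settled from the record rather than from the file they still hold.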

44 Management Reports
Inventory of Risks (by process/activity or theme)
Inventory of Controls (by process/activity or theme)
Status of Controls (by process or theme)
Audit findings reports (by process, theme, activity)
Assessor ratings reports (by process, theme, activity)
Progress with process execution (activity status)

45 Centralised document repository
By process
With access control according to process rights
Viewable online or downloadable

46 IT Dashboard
Status per process area
% Done per life-cycle phase
Risk level per type
Risk level per process
Control status
Control % Done
Capability level across processes
Assessor rating of % process attribute achieved

47 Dashboard
Processes with privacy risk
Processes with date overdue
Logins per IP address
Status per process
Time spent per process activity
% Done ratio per process activity
Target rating
Status per tracker
Custom field on tracker
Custom field and process

48 Governance and Management Dashboard POPI ISO 27001 CGICTPF / COBIT

49 Summary of Features for the POPI Governance and Management System
System features:
Gather information to plan privacy enhancing initiatives
Identify new risks and respond to changes in vulnerability
React to incidents, track responses and retain history logs
Handle data subject complaints and information requests
Implement policies across the operational environment
Secure, role based access from multiple devices
Provision staff with knowledge and work instructions
Plan and coordinate privacy management activities
Implement risk treatment plans
Manage teams, provision work, choreograph workflow
Manage resources for the privacy management system
Maintain a central repository of artefacts
Monitor and control the technical effort and time spent
Control processors, service providers and contractors
Control access to retained information
Promptly respond to security events
Validate third party assertions
Audit internal controls and assess capability
Privacy aware reporting of progress against plans
Privacy aware governance and management dashboards

50 Target Users
A governance and management system is an integrated, multi-purpose system to assist:
CEO and responsible parties: achieve strategic objectives and regulatory compliance; retain documented information; verify operator compliance with agreements
Information officers: handle data subject complaints and requests
Responsible staff (and process owners): manage assigned responsibilities
Operations management: schedule planned work and report progress; maintain a history log of privacy events and actions
Operators, service providers, contractors and third parties: adhere to instructions and report incidents
Legal officer: manage statutory obligations and legal commitments
POPI programme management: manage staff and third parties; implement improvements; provide detailed instructions, templates and wikis
Information security management: protect personal information and respond to breaches
Risk and compliance management: maintain risk and control libraries with status checks
Auditors and capability assessors: perform assessments and report findings

51 Endless Customisation

52 Thank you
IT Governance Network: South Africa, US, UK, Switzerland

