Presentation is loading. Please wait.

Presentation is loading. Please wait.

INFORMATION ASSURANCE USING C OBI T MEYCOR C OBI T CSA & MEYCOR C OBI T AG TOOLS.

Published byRalf Reeves Modified over 9 years ago

Similar presentations

Presentation on theme: "INFORMATION ASSURANCE USING C OBI T MEYCOR C OBI T CSA & MEYCOR C OBI T AG TOOLS."— Presentation transcript:

1 INFORMATION ASSURANCE USING C OBI T MEYCOR C OBI T CSA & MEYCOR C OBI T AG TOOLS

2 Relationship between COSO and COBIT

3 What is C OBI T?  A model to implement IT Governance.  An open, widely-known standard.  Comprises 34 process and 220 low level Control Objectives.  It is 100% compatible with ISO 17799, COSO I & II, and other less general standards on which it relies upon.  C OBI T establishes the what and the supporting standards establish the how regarding IT Governance implementation.

4 C OBI T  Stands for Control Objectives for Information and Related Technology.  Is a model developed by ISACA and the IT Governance Institute (ITGI) in order to implement IT Governance in organizations.

5 ISACA  Founded in 1969.  Is a leading organization on IT Governance, Control, Assurance, and Auditing.  Headquartered in Chicago, USA.  It has over 60.000 members in more than 100 countries.  Holds events, conferences and develops standards on IT Governance, Assurance and Security.  C OBI T: 1st Edition in 1996 2nd Edition in 1988 3rd Edition in 2000 4th Edition in 2005 (Nov/Dec)

6 BUSINESS REQUIREMENTS BUSINESS REQUIREMENTS INFORMATION PROCESSES INFORMATION PROCESSES effectiveness efficiency confidentiality integrity availability compliance reliability effectiveness efficiency confidentiality integrity availability compliance reliability INFORMATION CRITERIA INFORMATION CRITERIA ? C OBI T Framework applications information infrastructure personnel applications information infrastructure personnel IT RESOURCES

7 C OBI T 4.0

8 Information Assurance  Information assurance is the basis on which decision-making is built in an organization. Without assurance, companies have no certainty that the information on which they support their critical-mission decisions is reliable, secure and available when needed.  Information Assurance is defined as the use of information operations that protect and defend information and information systems and networks by ensuring their availability, integrity, authentication, confidentiality, and nonrepudiation, considering risk impacts due to local or remote threats from communications and Internet.  We will see two important assurance techniques: self- assessment and information systems auditing.

9 C OBI T: Control Self-assessment (Meycor C OBI T CSA)  This management technique ensures to all stakeholders that the internal control system is reliable.  It also ensures that the personnel is aware of the business risks, and that they perform regular and proactive reviews of the controls.

10 C OBI T Audit Guidelines (Meycor C OBI T AG)  The Guidelines provide a simple structure to audit IT controls.  They are general in nature and high-level structured.  They allow to review the Processes against the IT Control Objectives.

11  Obtaining an understanding of the business requirements and associated risks and the relevant control measures.  Evaluating the appropriateness of stated controls.  Assessing compliance to ensure that the control measures established are working as prescribed, consistently and continuously.  Substantiating the risk of the control objectives not being met by using analytical techniques and/or consulting alternative sources. The steps that must be followed in an audit:

12 Generic Audit Guideline Obtaining an Understanding  The audit steps to be performed to document the activities underlying the control objectives as well as to identify the stated control measures/procedures in place.  Interview appropriate management and staff to gain an understanding of: Business requirements and associated risks. Organization’s structure. Roles and responsibilities. Control measures in place. Management reporting (status, performance, action items).  Document the process-related IT resources particularly affected by the process under review. Confirm the understanding of the process under review, the Key Performance Indicators (KPI) of the process, the control implications, e.g., by a process walk through.

13 Generic Audit Guideline Evaluating the Controls  The audit steps to be performed in assessing the effectiveness of control measures in place or the degree to which the control objective is achieved. Basically deciding what, whether and how to test.  Evaluate the appropriateness of control measures for the process under review by considering identified criteria and industry standard practices, the Critical Success Factors (CSF) of the control measures and applying auditor professional judgment. Document processes exists. Appropriate deliverables exists. Responsibility and accountability are clear and effective. Compensating controls exists, where necessary.  Conclude the degree to which the control objective is met.

14 Generic Audit Guideline Assessing Compliance  The audit steps to be performed to ensure that the control measures established are working as prescribed, consistently and continuously and to conclude on the appropriateness of the control environment.  Obtain direct or indirect evidence for selected items/periods to ensure that the procedures have been complied with for the period under review using both direct and indirect evidence.  Perform a limited review of the adequacy of the process deliverables.  Determine the level of substantive testing and additional work needed to provide assurance that the IT process is adequate.

15 Generic Audit Guideline Substantiating the Risk  The audit steps to be performed to substantiate the risk of the control objective not being met by using analytical techniques and/or consulting alternative sources.  Document the control weaknesses, and resulting threats and vulnerabilities.  Identify and document the actual and potential impact; e.g., through root-cause analysis.  Provide comparative information, e.g., through benchmarks.

16 Description of the Meycor COBIT CSA and AG tools

17 We must identify for the processes defined by C OBI T their importance and performance, whether they have been audited or not, how they are processed and who is responsible for them. Meycor C OBI T CSA Meycor C OBI T CSA IT Processes Importance

18 Meycor C OBI T CSA Meycor C OBI T CSA Self-assess controls Meycor C OBI T CSA includes the C OBI T 4.0 Control Objectives and additional security questions on specific software platforms.

19 Meycor C OBI T CSA Meycor C OBI T CSA Assessment Report Results are displayed using scores. In this way it is possible to establish target values.

20 Meycor C OBI T CSA Meycor C OBI T CSA IT Processes Diagnosis The red line represent the score obtained. The closer to the center this line is, risks are less covered by the controls.

21 Meycor C OBI T CSA Meycor C OBI T CSA Assessing several Analysis Centers Results can be displayed comparatively (for platforms, branches and technologies)

22 Meycor C OBI T CSA Meycor C OBI T CSA Audit Projects Allows to create audit projects, assign resources and even manage them. The objective is to determine whether the process' controls provide assurance. Allows to create audit projects, assign resources and even manage them. The objective is to determine whether the process' controls provide assurance.

23 Meycor C OBI T CSA Meycor C OBI T CSA Alignment with Business Objectives The alignment between IT Objectives and Business Objectives is clearly identified.

24 Meycor C OBI T AG Meycor C OBI T AG Technology inventory Here we identify how IT resources effectively contribute to the achievement of objectives.

25 Meycor C OBI T AG Meycor C OBI T AG Relationship between C OBI T Processes and Business Processes A heat map is generated based on the IT resources and the required information criteria.

26 Meycor C OBI T AG Meycor C OBI T AG Beginning the Audit Process The process begins when a reviewer creates a project and assigns it to an auditor. It is also possible to record whenever an auditor disagrees with an observation.

27 Meycor C OBI T AG Meycor C OBI T AG Auditing an IT Process Meycor C OBI T AG provides guidance through the different stages (interviewing, etc.), allowing to record tasks and observations as well as attaching evidence.

28 Meycor C OBI T AG Meycor C OBI T AG Audit Guidelines Auditors have audit guidelines available that provide a knowledge base to improve the quality of the audit work.

29 Meycor C OBI T AG Meycor C OBI T AG Record Tasks Here we identify who performed the task, the time invested, any pertinent comments, etc.

30 Meycor C OBI T AG Meycor C OBI T AG Findings and Recommendations The observations are defined in a format that includes the determination of the criteria used to perform the assessment, the consequences, etc.

31 Meycor C OBI T AG Meycor C OBI T AG Work papers Example (I) Report of the audit program sorted by projects.

32 Meycor C OBI T AG Meycor C OBI T AG Work papers Example (II) Report on the degree of strength of the audited controls.

33 Meycor C OBI T AG Meycor C OBI T AG Work papers Example (III) Identification of findings, the auditee's opinion, follow-ups, etc.

34 DATASEC IT Security & Control Patria 716 - CP 11300 - Montevideo - Uruguay Phone: (+598 2) 711-58-78 / 711-04-20 Fax: (+598 2) 711-58-94 www.datasec-soft.com Website: www.datasec-soft.com

Download ppt "INFORMATION ASSURANCE USING C OBI T MEYCOR C OBI T CSA & MEYCOR C OBI T AG TOOLS."

Similar presentations

COSO I COSO II. Meycor COSO, a Comprehensive Solution for Enterprise Risk Management (ERM)

COSO I COSO II. Meycor COSO, a Comprehensive Solution for Enterprise Risk Management (ERM)
Internal Audit Documentation and Working Papers

Internal Audit Documentation and Working Papers
QUALITY ASSURANCE AND IMPROVEMENT PROGRAM (QAIP)

QUALITY ASSURANCE AND IMPROVEMENT PROGRAM (QAIP)
COBIT - II.

COBIT - II.
By Collin Smith http://techinitiatives.blogspot.com COBIT Introduction By Collin Smith http://techinitiatives.blogspot.com.

By Collin Smith COBIT Introduction By Collin Smith
S17: Field work. Session Objectives  To explain the manner in which field audit is carried out.  To explain the nature of evidence and the different.

S17: Field work. Session Objectives  To explain the manner in which field audit is carried out.  To explain the nature of evidence and the different.
IS Audit Function Knowledge

IS Audit Function Knowledge
© 2006 IBM Corporation Introduction to z/OS Security Lesson 9: Standards and Policies.

© 2006 IBM Corporation Introduction to z/OS Security Lesson 9: Standards and Policies.
Auditing A Risk-Based Approach To Conducting A Quality Audit

Auditing A Risk-Based Approach To Conducting A Quality Audit
Quality evaluation and improvement for Internal Audit

Quality evaluation and improvement for Internal Audit
The Information Systems Audit Process

The Information Systems Audit Process
COBIT Framework Introduction. Problems with IT? – Increasing pressure to leverage technology in business strategies – Growing complexity of IT environments.

COBIT Framework Introduction. Problems with IT? – Increasing pressure to leverage technology in business strategies – Growing complexity of IT environments.
Purpose of the Standards

Purpose of the Standards
ISA 220 – Quality Control for Audits of Historical Financial Information

ISA 220 – Quality Control for Audits of Historical Financial Information
1 Performance Auditing  In IT Environment  Evidence Gathering & Analysis Techniques  Computer Assisted Techniques  Use of IDEA.

1 Performance Auditing  In IT Environment  Evidence Gathering & Analysis Techniques  Computer Assisted Techniques  Use of IDEA.
TC176/IAF ISO 9001:2000 Auditing Practices Group.

TC176/IAF ISO 9001:2000 Auditing Practices Group.
Conducting the IT Audit

Conducting the IT Audit
REVIEW AND QUALITY CONTROL

REVIEW AND QUALITY CONTROL
Internal Auditing and Outsourcing

Internal Auditing and Outsourcing
Information Security Compliance System Owner Training Richard Gadsden Information Security Office Office of the CIO – Information Services Sharon Knowles.

Information Security Compliance System Owner Training Richard Gadsden Information Security Office Office of the CIO – Information Services Sharon Knowles.

Similar presentations

Ads by Google