Compliance Framework and Risk Management for IT - PowerPoint PPT Presentation

1
Compliance Framework and Risk Management for IT
  • Dave Barnett, CISSP, CISM
  • Dave.Barnett_at_computer.org

2
Compliance Framework
  • Comprehensive approach to complex regulatory
    environments
  • Sarbanes Oxley
  • HIPAA
  • EU Privacy
  • 21 CFR Part 11
  • CA SB 1386
  • Etc.

3
Advantages of Compliance Framework
  • Security and privacy regulations typically have
    common concerns and requirements
  • As much as 80% overlap in functional requirements
  • Strategy: use one approach for all
  • Compliance Framework based on standard auditor
    recommendations and regulator expectations
  • "Here's what we'd like to see"

4
Advantages of Compliance Framework
  • Compliance Framework strategy based on industry
    best practices
  • Industry best practices have been tried and
    tested in many organizations
  • Efficient and effective (can result in
    competitive advantage)
  • Support materials available off the shelf
  • Procedures, policies, role descriptions
  • Don't have to spend staff and management time
    creating equivalent processes

5
Compliance Framework
  • A Compliance Framework is a set of internal
    controls for managing organizations
  • This Compliance Framework focuses on IT
  • The Compliance Framework is part of a compliance
    architecture, which includes technology controls

6
Compliance Framework
  • There are four compatible frameworks, operating
    at different levels of detail and scope, that
    provide a set of controls and governance for IT
  • Level 1: COSO
  • Organization-wide controls
  • Level 2: CobiT
  • Can satisfy and extend COSO controls relating to
    IT
  • Level 3: ITIL
  • Can satisfy and extend CobiT controls relating to
    Service Management (Problem Management, Change
    Control, Release Control, etc.)
  • Level 3: ISO 17799
  • IT Security Controls to meet and extend CobiT
    Security

7
Level 1: What is COSO?
  • Committee of Sponsoring Organizations (COSO) of
    the Treadway Commission, Internal Control
    Integrated Framework
  • (http://www.coso.org/)
  • Organization-wide applicability
  • Reporting target is Executive Board
  • Created by professional auditor associations

8
COSO Components
  • Five interrelated COSO components, derived from
    the way management runs a business
  • Control Environment
  • Risk Assessment
  • Control Activities
  • Information and Communications
  • Monitoring
  • Each component has an associated set of sample
    audit questions and materials

9
COSO Controls
  • Control Environment
  • Foundation for all other COSO controls
  • Does the organization "do the right thing"?
  • Integrity, ethical values, and competence
  • E.g., evaluate the establishment of the "tone at
    the top", including explicit moral guidance about
    what is right and wrong, and the extent of its
    communication throughout the organization.
  • Management style and philosophy
  • Authority and responsibility roles
  • Attention and direction from Board of Directors

10
COSO Controls
  • Risk Assessment
  • Objectives
  • Traceable links and internal consistency
  • Identification and analysis of risks that may
    prevent achieving objectives
  • Mechanisms to deal with risks associated with
    change in
  • economic, regulatory, industry, and operating
    conditions

11
COSO Controls
  • Control Activities
  • Policies and procedures
  • Approvals, authorizations, verifications,
    reconciliations, reviews of operating
    performance, security of assets, segregation of
    duties

12
COSO Controls
  • Information and Communication
  • Pertinent information must be identified,
    captured and communicated in a form and timeframe
    that allows people to carry out responsibilities
  • Clear and effective communication, flowing up,
    across, and down the organization
  • Everyone understands his/her role in internal
    control system

13
COSO Controls
  • Monitoring
  • Assess the quality of performance over time
  • Management and supervisory activities
  • Can be ongoing or periodic, depending on
    assessment of risks, and effectiveness of
    monitoring procedures

14
Level 2: What is CobiT?
  • Control Objectives for Information and related
    Technology (CobiT)
  • (http://www.isaca.org/cobit.html)
  • Covers all controls within or relevant to IT
    organization
  • Reporting target is CIO
  • Created by Information Systems auditors and IT
    Governance Institute

15
What is CobiT?
  • Controls for IT Governance
  • Add value while balancing risk versus return for
    IT and its processes.
  • Format
  • The control of IT Processes which satisfy
    Business Requirements is enabled by Control
    Statements considering Control Practices

16
What is CobiT?
  • Evaluation of CobiT controls
  • Assessment of maturity rating described for each
    control, ranging from 0 (non-existent) to 5
    (optimized),
  • Critical Success Factors,
  • Key Goal Indicators
  • Key Process Indicators (Metrics)

17
The CobiT Cube
18
CobiT Control Domains
  • Planning and Organization Controls
  • PO1 Define a strategic IT Plan
  • PO2 Define the Information Architecture
  • PO3 Determine the technological direction
  • PO4 Define the IT organization and
    relationships
  • PO5 Manage the IT investment
  • PO6 Communicate management aims and direction
  • PO7 Manage human resources
  • PO8 Ensure compliance with external
    requirements
  • PO9 Assess risks
  • PO10 Manage projects
  • PO11 Manage quality

19
CobiT Control Domains
  • Acquisition and Implementation Controls
  • AI1 Identify automated solutions
  • AI2 Acquire and maintain application software
  • AI3 Acquire and maintain technology
    infrastructure
  • AI4 Develop and maintain procedures
  • AI5 Install and accredit systems
  • AI6 Manage changes

20
CobiT Control Domains
  • Delivery and Support Controls
  • DS1 Define and manage service levels
  • DS2 Manage third-party services
  • DS3 Manage performance and capacity
  • DS4 Ensure continuous service
  • DS5 Ensure systems security
  • DS6 Identify and allocate costs
  • DS7 Educate and train users
  • DS8 Assist and advise customers
  • DS9 Manage the configuration
  • DS10 Manage problems and incidents
  • DS11 Manage data
  • DS12 Manage facilities
  • DS13 Manage operations

21
CobiT Control Domains
  • Monitoring Controls
  • M1 Monitor the processes
  • M2 Assess internal control adequacy
  • M3 Obtain independent assurance
  • M4 Provide for independent audit

22
Level 3: What is ITIL? (eye-till)
  • IT Infrastructure Library
  • (http://www.ogc.gov.uk/)
  • Descriptions of IT processes and controls,
    especially Service Management
  • Reporting target is CIO and IT senior management
  • Created by the British Government, using a set of
    IT best practices from public and private sectors
    worldwide

Presenter's note: US pronunciation. In the UK, this is
pronounced "it-ill".
23
ITIL
  • ITIL (IT Infrastructure Library) is the most
    widely accepted approach to IT Service Management
    in the world.
  • It provides a cohesive set of well-defined best
    practices, drawn from the public and private
    sectors internationally.
  • It is supported by a comprehensive qualification
    scheme, accredited training organizations, and
    implementation and assessment tools.

24
Service Support Processes
  • Incident Management
  • Restore normal service as quickly as possible
    following loss of service, and to minimize the
    adverse impact on business operations
  • Problem Management
  • Minimize the adverse impact of Incidents and
    Problems on the business that are caused by
    errors within the IT Infrastructure, and prevent
    recurrence of Incidents related to these errors
    through root cause analysis and continuous
    improvement.

25
Service Support Processes
  • Change Management
  • Process of IT Change for all types of Change,
    from the Request for Change, to assessment, to
    scheduling, to implementing, and finally to the
    review.
  • Configuration Management
  • Identification and relationships of all
    significant components within the IT
    Infrastructure and recording details of these
    components in the Configuration Management
    Database (CMDB). The CMDB is critical to disaster
    recovery.

26
Service Support Processes
  • Release Management
  • Planning, design, build, and testing of hardware
    and software to create a set of release
    components for a live environment
  • Service Desk
  • Central point of contact for Customers
  • Integrate business processes into the Service
    Management infrastructure
  • Customer Change requests, maintenance contracts,
    software licenses, Service Level Agreements and
    Configuration Management.

27
Service Delivery Processes
  • Service Level Management
  • planning, coordinating, drafting, agreeing,
    monitoring and reporting on Service Level
    Agreements (SLAs), and the ongoing reviewing of
    service achievements to ensure that the required
    and cost-justifiable service quality is
    maintained.
  • Financial Management for IT Services
  • Budgeting
  • IT Accounting
  • Charging.

28
Service Delivery Processes
  • Capacity Management
  • IT performance and capacity issues.
  • IT Service Continuity Management
  • responsible for taking risk reduction measures to
    reduce the chances of major disasters occurring
  • production of an IT recovery plan which
    interfaces into the overall business continuity
    plans.

29
Service Delivery Processes
  • Availability Management
  • design, implementation, measurement and
    management of IT infrastructure availability to
    ensure the stated business requirements
  • including training, skills, policy, process,
    procedures and tools.

30
Level 3: What is ISO 17799?
  • ISO 17799 is a widely accepted set of guidelines
    and controls for Information Security
  • Controls are either based on essential
    legislative requirements or considered to be
    common best practice for information security.
  • Controls considered to be essential to an
    organization from a legislative point of view
    include
  • data protection and privacy of personal
    information
  • safeguarding of organizational records
  • intellectual property rights

31
ISO 17799
  • Security Policy
  • Documented
  • Communicated
  • Reviewed regularly
  • Organizational Security
  • Allocation of roles and responsibilities
  • Third party access
  • Asset classification and control
  • Inventory of assets
  • Sensitivity classification

32
ISO 17799
  • Personnel Security
  • Recruitment and Screening
  • Awareness and training
  • Incident Reporting
  • Physical and Environmental Security
  • Secure areas
  • Equipment security
  • Clear desk, clear screen
  • Property removal

33
ISO 17799
  • Communications and Operations Management
  • Incident Management
  • Segregation of duties
  • System planning and acceptance
  • Network controls
  • Electronic media controls
  • Antivirus
  • eCommerce controls

34
ISO 17799
  • Access Control
  • Password and ID controls for applications,
    networks, operating systems
  • System Development and Maintenance
  • Change control
  • Building security into applications
  • Segregation of environments
  • Cryptographic controls

35
ISO 17799
  • Business Continuity
  • Business continuity planning
  • Roles and responsibilities
  • Testing continuity plans
  • Compliance
  • Regulatory compliance
  • Compliance with security policy
  • Audits

36
Summary
  • The Compliance Framework consists of generally
    accepted best practices at a variety of levels,
    designed to meet regulatory requirements in a
    cost effective and efficient manner
  • The Compliance Framework is part of the overall
    Risk Management function.

37
Questions?