Managing IT Processes with COBIT Controls
1.
2.
3. Internal BPKP participant selection (Seleksi Peserta Internal BPKP) by year (table; cell alignment partly lost in extraction)
Year | Participants selected | Origin unit (Asal Unit) | Passed (Lulus) | % | Time to pass the exam (Lama Lulus Ujian)
2010 | 30 | Pusdiklatwas (Widyaiswara) 8; Deputi AN (PFA and Kasubdit) 9; DKI Jakarta (PFA) 2; other representative offices (PFA and Kabid) 11 | 3 | 10% | 2 PFA (1 immediately, 1 after more than 6 months); 1 after more than 3 months
2012 | 30 | Deputi 1 (PFA) | 3 | 10% | 1 PFA, more than 1 year (two further cells of this row, "0" and "2", survive without a column)
Self-funded (Biaya Sendiri) | NA | NA | 0 | NA | NA
4. COBIT:
Control Objectives for Information and related Technology,
represents the consensus of experts,
published by ITGI, the IT Governance Institute®.
ITGI (www.itgi.org) was established in 1998 to advance international thinking and standards in directing and controlling an enterprise's IT.
Framework positioning (figure): ITGI publishes COBIT as the IT governance framework; COSO publishes ICIF (the Internal Control Integrated Framework) as the internal control framework; ISO publishes ISO 31000 as the risk management framework.
5. IT governance:
is the responsibility of executives and the board of directors. It consists of the leadership, organisational structures and processes that ensure that the enterprise's IT sustains and extends the organisation's strategies and objectives.
COBIT supports IT governance by providing a framework to ensure that:
IT is aligned with the business;
IT enables the business and maximises benefits;
IT resources are used responsibly;
IT risks are managed appropriately;
IT transparency is achieved through performance measurement.
6.
7. COBIT framework navigation (figure): business goals set the requirements for information; those requirements set the IT goals, which are delivered by IT processes. Each IT process is described by its key activities, a responsibilities and accountabilities chart, control objectives (from which the control outcome tests are derived), control practices (on which the control design tests are based), performance indicators, outcome measures and maturity models.
8.
9. The COBIT cube (figure): business objectives and governance objectives drive the framework, which relates information criteria, IT resources and IT processes.
Information criteria: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability.
IT resources: Applications, Information, Infrastructure, People.
IT processes by domain (as shown on this slide):
Plan and Organise:
PO1 Define a strategic IT plan.
PO2 Define the information architecture.
PO3 Determine technological direction.
PO4 Define the IT processes, organisation and relationships.
PO5 Manage the IT investment.
PO6 Communicate management aims and direction.
PO7 Manage IT human resources.
PO8 Manage quality.
PO9 Assess and manage IT risks.
PO10 Manage projects.
Acquire and Implement:
AI1 Identify automated solutions.
AI2 Acquire and maintain application software.
AI3 Acquire and maintain technology infrastructure.
AI4 Enable operation and use.
AI5 Procure IT resources.
Deliver and Support:
DS1 Define and manage service levels.
DS2 Manage third-party services.
DS3 Manage performance and capacity.
DS4 Ensure continuous service.
DS5 Ensure systems security.
DS6 Identify and allocate costs.
DS7 Educate and train.
Monitor and Evaluate:
ME1 Monitor and evaluate IT performance.
ME2 Monitor and evaluate internal control.
ME3 Ensure compliance with external requirements.
ME4 Provide IT governance.
10. A control framework for IT governance defines the reasons IT governance is needed, the stakeholders, and what it needs to accomplish.
In response to these needs, the COBIT framework was created with the main characteristics of being:
business-focused,
process-oriented,
controls-based, and
measurement-driven.
Basic COBIT principle (figure): Business Requirements drive the investment in IT Resources, which are used by COBIT IT Processes to deliver Enterprise Information, which in turn responds to the Business Requirements.
11. Business orientation is the main theme of COBIT, which is designed to: (1) be employed by IT service providers, users and auditors, and (2) provide comprehensive guidance for management and business process owners.
COBIT'S INFORMATION CRITERIA
To satisfy business objectives, information needs to conform to certain control criteria, which COBIT refers to as business requirements for information. The information criteria are defined as follows:
1. Effectiveness: information being relevant and pertinent to the business process as well as being delivered in a timely, correct, consistent and usable manner.
2. Efficiency: provision of information through the optimal (most productive and economical) use of resources.
3. Confidentiality: the protection of sensitive information from unauthorised disclosure.
4. Integrity: the accuracy and completeness of information as well as its validity.
5. Availability: information being available when required by the business process, now and in the future.
6. Compliance: complying with laws, regulations and contractual arrangements.
7. Reliability: provision of appropriate information for management to operate the entity and exercise its fiduciary and governance responsibilities.
12. BUSINESS GOALS AND IT GOALS
Defining a set of business goals and IT goals provides a business-related and refined basis for establishing business requirements and developing measurements.
Defining IT goals and the enterprise architecture for IT (figure: business goals drive IT goals, which drive the IT resources).
13. An operational model is the initial step toward good governance; it also provides a framework for measuring and monitoring IT performance, communicating with service providers and integrating best management practices.
Within the COBIT framework, the generic process model falls within four domains (figure: The Four Interrelated Domains of COBIT):
Plan and Organise (PO): provides direction to solution delivery (AI) and service delivery (DS).
Acquire and Implement (AI): provides solutions and passes them on to be turned into services.
Deliver and Support (DS): receives the solutions and makes them usable for end users.
Monitor and Evaluate (ME): monitors all processes to ensure that the direction provided is followed.
14. PLAN AND ORGANISE (PO)
PO covers strategy and tactics, and concerns the identification of the way IT can best contribute to the achievement of business objectives.
ACQUIRE AND IMPLEMENT (AI)
IT solutions need to be identified, developed or acquired, implemented and integrated into the business process. Changes in and maintenance of existing systems are also covered.
DELIVER AND SUPPORT (DS)
DS is concerned with the actual delivery of services, including the management of security and continuity, service support, and the management of data and facilities.
MONITOR AND EVALUATE (ME)
ME addresses performance management, monitoring of internal control, regulatory compliance and governance.
Across these four domains, COBIT has identified 34 IT processes that are generally used (refer to figure 22 for the complete list).
15. PROCESSES NEED CONTROLS
IT control objectives provide a complete set of high-level requirements to be considered by management for effective control of each IT process. They:
are statements of managerial actions to increase value or reduce risk;
consist of policies, procedures, practices and organisational structures;
provide reasonable assurance that business objectives will be achieved.
Management needs to make choices relative to these control objectives by:
selecting those that are applicable;
deciding upon those that will be implemented;
choosing how to implement them (frequency, span, automation, etc.);
accepting the risk of not implementing.
A standard control has an analogy: when the room temperature (standard) for a heating system (process) is set, the system will check (compare) the ambient room temperature (control information) and will signal (act) the system to provide more or less heat.
16. PROCESSES NEED CONTROLS
To achieve effective governance, controls need to be implemented by operational managers within a defined control framework for all IT processes.
The control objectives are identified by a two-character domain reference (PO, AI, DS or ME) plus a process number and a control objective number. In addition to the control objectives, each process has generic control requirements that are identified by PCn (process control number).
PC1 Process Goals and Objectives
Define and communicate specific, measurable, actionable, realistic, results-oriented and timely (SMARRT) process goals and objectives. Ensure that they are linked to the business goals and supported by suitable metrics.
PC2 Process Ownership
Assign an owner for each IT process, and clearly define the roles and responsibilities of the process owner. Include, for example, responsibility for process design, interaction, accountability, measurement and identification of improvements.
17. PROCESSES NEED CONTROLS
PC3 Process Repeatability
Design and establish each key IT process such that it is repeatable and
consistently produces the expected results.
PC4 Roles and Responsibilities
Define the key activities and end deliverables of the process. Assign and
communicate unambiguous roles and responsibilities for effective and efficient
execution of key activities and their documentation as well as accountability.
PC5 Policy, Plans and Procedures
Define and communicate how all policies, plans and procedures that drive an IT
process are documented, reviewed, maintained, approved, stored, communicated
and used for training.
PC6 Process Performance Improvement
Identify a set of metrics that provides insight into outcomes and performance of
the process. Establish targets that reflect on the process goals and performance
indicators that enable the achievement of process goals.
18. BUSINESS AND IT CONTROLS
The enterprise’s system of IC impacts IT at 3 levels:
1. At the executive mgt level:
The overall approach to governance and control is established by the board and communicated throughout the enterprise. The IT control environment is directed by this top-level set of objectives and policies.
2. At the business process level:
Most business processes are automated and integrated w/ IT application system,
resulting in many of controls at this level being automated. Known as application
control. However, some controls within business process remain as manual
procedures, such as authorisation for trans, separation of duties.
3. To support the business processes:
IT provides IT services, in a shared service to many business processes, and much
of the IT infrastructure is provided as a common service (e.g., networks, databases,
OS and storage). The controls applied to all IT service actv are known as IT general
controls. Poor change mgt could jeopardise reliability of automated integrity check.
19. IT GENERAL CONTROLS AND APPLICATION CONTROLS
General control: controls embedded in IT processes and services, include:
Systems development, Change management, Security, and Computer operation.
Application control: control embedded in business process application, include:
Completeness, Accuracy, Validity, Authorisation, and Segregation of duties
Design and implementation of automated AC is responsibility of IT, covered in AI domain,
based on COBIT’s information criteria. The operational mgt and control responsibility for
AC is not w/ IT, but w/ the business process owner.
Hence, the responsibility for AC is an end-to-end joint responsibility between business
and IT, but the nature of the responsibilities changes as follows:
The business is responsible to properly:
– Define functional and control requirements
– Use automated services
IT is responsible to:
– Automate and implement business functional and control requirements
– Establish controls to maintain the integrity of applications controls.
20.
21. The following list provides a recommended set of application control objectives:
AC1 Source Data Preparation and Authorisation
Ensure that source documents are prepared by authorised and qualified personnel following established procedures, taking into account adequate segregation of duties.
AC2 Source Data Collection and Entry
Establish that data input is performed in a timely manner by authorised and qualified staff.
AC3 Accuracy, Completeness and Authenticity Checks
Ensure that transactions are accurate, complete and valid.
AC4 Processing Integrity and Validity
Maintain the integrity and validity of data throughout the processing cycle. Detection of erroneous transactions does not disrupt the processing of valid transactions.
AC5 Output Review, Reconciliation and Error Handling
Establish procedures and associated responsibilities to ensure that output is handled in an authorised manner, delivered to the appropriate recipient and protected during transmission, and that verification, detection and correction of the accuracy of output take place.
AC6 Transaction Authentication and Integrity
Before passing transaction data between internal applications and business/operational functions, check it for proper addressing, authenticity of origin and integrity of content.
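The following is an added example, not taken from the slides: a Python sketch of how AC1, AC3, AC4 and AC6 look in code when two internal applications exchange transactions. The sender seals each transaction in an HMAC-authenticated envelope; the receiver checks addressing, origin and integrity (AC6), then completeness, validity and segregation of duties (AC1/AC3), and quarantines anything that fails without stopping the rest of the batch (AC4). The application names, the per-sender keys, the field list and the allowed currencies are assumptions made for the demo.

```python
# Added example, not from the slides: an HMAC-sealed transaction envelope
# between two internal applications and a batch validator implementing
# AC1/AC3 (completeness, validity, segregation of duties), AC4 (a bad
# transaction is quarantined without disrupting valid ones) and AC6
# (addressing, authenticity of origin, integrity of content).
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Tuple

# Assumed names and keys for the demo; a real deployment loads keys from a key store.
LOCAL_APP = "ledger-app"
SENDER_KEYS: Dict[str, bytes] = {
    "payroll-app": b"payroll-demo-key-not-for-production",
    "procurement-app": b"procurement-demo-key-not-for-production",
}
REQUIRED_FIELDS = ("tx_id", "amount", "currency", "prepared_by", "authorised_by")
ALLOWED_CURRENCIES = {"IDR", "USD"}


def canonical(obj: dict) -> bytes:
    """Canonical JSON so sender and receiver MAC exactly the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def seal(sender: str, recipient: str, payload: dict, key: bytes) -> dict:
    """Sender side: bind origin, destination and payload under one HMAC tag."""
    body = {"from": sender, "to": recipient, "payload": payload}
    tag = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {**body, "mac": tag}


def check_envelope(env: dict) -> Optional[str]:
    """AC6: proper addressing, authenticity of origin, integrity of content."""
    if env.get("to") != LOCAL_APP:
        return "misaddressed"
    key = SENDER_KEYS.get(env.get("from", ""))
    if key is None:
        return "unknown sender"
    body = {"from": env.get("from"), "to": env.get("to"), "payload": env.get("payload")}
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(env.get("mac", ""))):
        return "bad mac"  # payload changed after sealing, or sealed with the wrong key
    return None


def check_payload(p: dict) -> Optional[str]:
    """AC1/AC3: completeness, accuracy, validity and segregation of duties."""
    missing = [f for f in REQUIRED_FIELDS if f not in p]
    if missing:
        return "missing fields: " + ",".join(missing)
    if not isinstance(p["amount"], int) or isinstance(p["amount"], bool) or p["amount"] <= 0:
        return "invalid amount"
    if p["currency"] not in ALLOWED_CURRENCIES:
        return "invalid currency"
    if p["prepared_by"] == p["authorised_by"]:
        return "segregation of duties violated"
    return None


def process_batch(envelopes: List[dict]) -> Tuple[List[str], List[Tuple[Optional[str], str]]]:
    """AC4: judge each transaction on its own; failures are quarantined, the batch continues."""
    posted: List[str] = []
    quarantined: List[Tuple[Optional[str], str]] = []
    for env in envelopes:
        payload = env.get("payload") or {}
        err = check_envelope(env) or check_payload(payload)
        if err:
            quarantined.append((payload.get("tx_id"), err))
        else:
            posted.append(payload["tx_id"])
    return posted, quarantined


def demo() -> Tuple[List[str], List[Tuple[Optional[str], str]]]:
    """Constructed batch: one good transaction and four that must be quarantined."""
    key = SENDER_KEYS["payroll-app"]

    def tx(tx_id: str, **overrides) -> dict:
        base = {"tx_id": tx_id, "amount": 500, "currency": "IDR",
                "prepared_by": "ani", "authorised_by": "budi"}
        return {**base, **overrides}

    good = seal("payroll-app", LOCAL_APP, tx("T1"), key)
    same_person = seal("payroll-app", LOCAL_APP, tx("T2", authorised_by="ani"), key)
    tampered = seal("payroll-app", LOCAL_APP, tx("T3"), key)
    tampered["payload"] = {**tampered["payload"], "amount": 50_000}  # altered after sealing
    forged = seal("procurement-app", LOCAL_APP, tx("T4"), b"guessed-key")  # wrong key
    misaddressed = seal("payroll-app", "hr-app", tx("T5"), key)
    return process_batch([good, same_person, tampered, forged, misaddressed])
```

The envelope check runs before the payload check on purpose: a transaction whose origin or integrity cannot be established is not worth parsing, and the order keeps an attacker from learning anything about the field rules from a forged message.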
22. Enterprises need to measure where they are and where improvement is required, and implement a management tool kit to monitor this improvement.
COBIT deals with these issues by providing:
Maturity models to enable benchmarking and identify necessary capability improvements.
Performance goals and metrics for the IT processes, demonstrating how processes meet business and IT goals, and used for measuring internal process performance based on balanced scorecard principles.
Activity goals for enabling effective process performance.
MATURITY MODELS
IT management is constantly on the lookout for benchmarking and self-assessment tools in response to the need to know what to do in an efficient manner. This responds to three needs:
1. A relative measure of where the enterprise is
2. A manner to efficiently decide where to go
3. A tool for measuring progress against the goal.
The maturity model for management and control over IT processes is based on a method of evaluating the organisation, so it can be rated from a maturity level of non-existent (0) to optimised (5).
23. MATURITY MODELS
The purpose is to identify where issues are and how to set priorities for
improvements, not to assess the level of adherence to the control objectives.
They are not designed for use as a threshold model, where one cannot move to the
next higher level without having fulfilled all conditions of the lower level.
24. Using MM developed for each of COBIT’s 34 IT processes, mgt can identify:
The actual performance of the enterprise—Where the enterprise is today
The current status of the industry—The comparison
The enterprise’s target for improvement—Where the enterprise wants to be
The required growth path between ‘as-is’ and ‘to-be’.
25. Capability, coverage and control are all dimensions of process maturity:
Coverage, depth of control, and how the capability is used and deployed are cost-benefit decisions. For example, a high level of security management may have to be focused only on the most critical enterprise systems. Another example would be the choice between a weekly manual review and a continuous automated control.
26. PERFORMANCE MEASUREMENT
Goals and metrics are defined in COBIT at 3 levels:
1. IT goals and metrics: define what business expects from IT and how to measure it.
2. Process goals and metrics: define what the IT process must deliver to support IT’s
objectives and how to measure it.
3. Activity goals and metrics: establish what needs to happen inside the process to
achieve the required perf and how to measure it
27. PERFORMANCE MEASUREMENT
Two types of metrics:
Outcome measures: indicate whether the goals have been met. These can be measured only after the fact and, therefore, are called 'lag indicators'.
Performance indicators: indicate whether goals are likely to be met. They can be measured before the outcome is clear and, therefore, are called 'lead indicators'.
Outcome measures of the lower level become performance indicators for the higher level.
Outcome measures of the IT function are often expressed in terms of the information criteria:
Availability of the information needed to support the business needs
Absence of integrity and confidentiality risks
Cost-efficiency of processes and operations
Confirmation of reliability, effectiveness and compliance
Performance indicators (or performance drivers) define measures that determine how well the business, the IT function or an IT process is performing in enabling the goals to be reached. They often measure the availability of appropriate capabilities, practices and skills, and the outcome of underlying activities.
28. Goal and metric cascade (figure), read from the business goal down to the activity goal. Goals at each level define the goals of the level below ("define goals"), each level's outcome measure indicates performance to the level above ("indicate performance", "measure achievement"), and the loop closes with "improve and realign".
Business goal: Maintain enterprise reputation and leadership; measured by (business metric, outcome measure): number of incidents causing public embarrassment.
IT goal: Ensure that IT services can resist and recover from attacks; measured by (IT metric, an outcome measure for IT and a performance indicator for the business goal): number of actual IT incidents with business impact.
Process goal: Detect and resolve unauthorised access to information, applications and infrastructure; measured by (process metric, an outcome measure for the process and a performance indicator for the IT goal): number of actual incidents because of unauthorised access.
Activity goal: Understand security requirements, vulnerabilities and threats; measured by (process performance indicator): frequency of review of the type of security events to be monitored.
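An added example, not from the slides, of how the process-level metric in this cascade is actually produced: detection logic over a handful of constructed sshd-style log lines that turns raw events into incidents, then counts "incidents because of unauthorised access" (the lag outcome measure) and "password-guessing attempts detected" (a lead indicator for the same process goal). The log format, the failure threshold and the time window are assumptions for the demo; the lines are made up and are not from any real system.

```python
# Added example, not from the slides: turn constructed authentication log
# lines into incidents and derive the process outcome measure and a
# performance indicator from them. Format, threshold and window are assumed.
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample log (sshd-style); not taken from any real system.
SAMPLE_LOG = """\
2024-03-01T09:00:01 sshd[101]: Failed password for admin from 203.0.113.7
2024-03-01T09:00:03 sshd[101]: Failed password for admin from 203.0.113.7
2024-03-01T09:00:05 sshd[101]: Failed password for admin from 203.0.113.7
2024-03-01T09:00:07 sshd[101]: Failed password for admin from 203.0.113.7
2024-03-01T09:00:09 sshd[101]: Accepted password for admin from 203.0.113.7
2024-03-01T10:15:00 sshd[202]: Failed password for ani from 192.0.2.10
2024-03-01T10:15:40 sshd[202]: Accepted password for ani from 192.0.2.10
2024-03-01T11:00:00 sshd[303]: Failed password for root from 198.51.100.5
2024-03-01T11:00:01 sshd[303]: Failed password for root from 198.51.100.5
2024-03-01T11:00:02 sshd[303]: Failed password for root from 198.51.100.5
2024-03-01T11:00:03 sshd[303]: Failed password for root from 198.51.100.5
2024-03-01T11:00:04 sshd[303]: Failed password for root from 198.51.100.5
"""

LINE_RE = re.compile(r"^(\S+) sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+)$")
THRESHOLD = 4                   # assumed: failures within WINDOW that count as a guessing attempt
WINDOW = timedelta(seconds=60)  # assumed sliding window

Event = Tuple[datetime, str, str, str]  # (timestamp, outcome, user, source)


def parse(log: str) -> List[Event]:
    """Parse the lines we understand; anything else is skipped, not guessed at."""
    events: List[Event] = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, outcome, user, src = m.groups()
            events.append((datetime.fromisoformat(ts), outcome, user, src))
    return events


def detect(events: List[Event], threshold: int = THRESHOLD, window: timedelta = WINDOW) -> List[dict]:
    """Sliding-window detector keyed on (user, source).

    A 'password_guessing' incident fires once when the failure count reaches the
    threshold; an 'unauthorised_access' incident fires when a success follows
    such a run inside the window (the password was guessed, not known)."""
    recent: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    incidents: List[dict] = []
    for ts, outcome, user, src in events:
        key = (user, src)
        fails = [t for t in recent[key] if ts - t <= window]
        if outcome == "Failed":
            fails.append(ts)
            if len(fails) == threshold:
                incidents.append({"type": "password_guessing", "user": user, "src": src, "at": ts.isoformat()})
        else:
            if len(fails) >= threshold:
                incidents.append({"type": "unauthorised_access", "user": user, "src": src, "at": ts.isoformat()})
            fails = []  # a success resets the run for this user/source pair
        recent[key] = fails
    return incidents


def metrics(incidents: List[dict]) -> Dict[str, int]:
    """Process-level numbers for the cascade: one lag measure, one lead indicator."""
    by_type = Counter(i["type"] for i in incidents)
    return {
        "incidents_from_unauthorised_access": by_type["unauthorised_access"],  # outcome measure (lag)
        "guessing_attempts_detected": by_type["password_guessing"],            # performance indicator (lead)
    }


def demo() -> Tuple[List[dict], Dict[str, int]]:
    incidents = detect(parse(SAMPLE_LOG))
    return incidents, metrics(incidents)
```

In the constructed log, "admin" is guessed and then logged in (one guessing attempt, one unauthorised access), "root" is attacked without success (one attempt) and "ani" simply mistypes once, which is below the threshold and produces nothing.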
29.
30. Published by the International Organisation for Standardisation (ISO).
The standard is focused on security issues and does not cover the full scope of IT management duties.
It consists of 12 security control chapters.
Latest series: ISO 27000:2013.
31.
32.
33. The need for information security is based on the fact that information and related systems are important assets for organisations. As organisations face information security threats, the protection of information is essential to maintain organisational stability.
Sources for the identification of security requirements are:
Risks the organisation faces and the impact on business strategy and objectives
Legal requirements
Specific requirements, principles and objectives for information processing to support business operations
Controls should be selected and defined considering:
Legal requirements
Business requirements
Cost of implementation
Potential impact of a security breach
34. When implementing a system for information security management, several critical success factors (CSFs) should be considered, to ensure:
That the security policy, its objectives and its activities reflect the business objectives;
That the implementation considers the cultural aspects of the organisation;
Open support and engagement of senior management;
Thorough knowledge of security requirements, risk assessment and risk management;
That effective marketing of security targets all personnel, including members of management;
That the security policy and security measures are communicated to contracted third parties;
That sufficient and adequate funding is available;
That users are well trained;
That a comprehensive information security incident management process is established;
That a comprehensive and balanced system for performance measurement is available that supports continuous improvement by giving feedback.
ISO/IEC 17799:2005 is structured into 11 sections (security control chapters), which contain 39 main security categories.
Each main security category consists of a control objective and one or more controls to achieve the control objective.
35. 1. Security policy:
1) Information security policy.
Inf sec policy should define direction and contain commitment and support of mgt
The policy should be reviewed periodically and communicated throughout org.
2. Organisation of information security:
2) Internal organization
3) External parties
Inf security should be supported by mgt;
Relevant activities should be co-ordinated throughout the organisation, and responsibilities
for information security should be clearly defined.
Confidentiality agreements should be in place.
Appropriate contacts w/ authority and special interest group should be maintained.
Inf security should be subject to independent review.
Controls should be implemented to manage identified risks related to external party.
Outsourcing arrangements should address information security.
There should be an authorisation process for information processing facilities.
36. 3. Asset management:
4) Responsibility for assets
5) Information classification
An inventory of assets should be made and responsibility for them assigned.
Assets should have a nominated owner, and their use should follow defined rules.
Information should be classified and labelled, thus ensuring an appropriate level of protection.
4. Human resources security:
6) Prior to employment
7) During employment
8) Termination or change of employment
Security requirements for employees should be identified throughout the employment life cycle.
Security responsibilities, confidentiality agreements and the contract of employment should be part of the job responsibility and the terms and conditions of employment.
Adequate controls for personnel screening should be in place.
Information security education and training should increase the security awareness of all employees.
A formal disciplinary process should be in place for individuals who breach the security policy.
Rules for termination and change of employment should be defined and followed.
37. 5. Physical and environmental security:
9) Secure Areas
10) Equipment Security
Central equipment should be installed only within a secure area where adequate access
controls and damage prevention are implemented.
Equip should be protected against loss, damage or compromise by being sited and
protected in an appropriate manner. Power supplies, an adequate level of cabling sec and
correct maintenance of the equipment should be in place.
Equipment installed off premises and the disposal or reuse of information should be
considered; authorisation for taking equipment off site is recommended.
Special attention is needed at public access, delivery and loading areas where the central
equipment is installed.
38. 6. Communications and operations management:
11) Operational procedures and responsibilities
12) Third-party service delivery management
13) System planning and acceptance
14) Protection against malicious and mobile code
15) Backup
16) Network security management
17) Media handling
18) Exchange of information
19) Electronic commerce services
20) Monitoring
Operations should follow documented procedures.
All changes to facilities should be controlled.
Duties should be segregated so that no individual can both initiate and authorise an event.
Development and operational facilities should be separated.
Risks caused by contracted organisations should be covered, and third-party services should be controlled.
39. 6. Communications and operations management:
System planning and acceptance consider capacity mgt and the definition of acceptance
criteria.
Damage caused by malicious software and mobile code should be prevented, using
preventive and detective controls, formal policies, and defined recovery procedure.
Information should be backed up, and the backup files should be tested regularly.
Networks and network services should be set up and managed with a view to ensuring the
necessary level of security and service levels.
Removable media should be handled with special care.
Media with sensitive information should be disposed of in a secure manner.
Adequate controls in information handling procedures (e.g., labeling of media, ensuring
completeness of inputs, storage of media) should be considered.
System documentation is to be protected, as it may contain sensitive information.
Agreements for exchange of inf and software should be established, including media in
transit, e-commerce transactions, e-mail, electronic office systems.
E-commerce services and their use should be controlled.
Security-relevant activities should be logged and monitored, and the effectiveness of
controls should be assessed.
40. 7. Access control:
21) Business requirement for access control
22) User access management
23) User responsibilities
24) Network access control
25) Operating system access control
26) Application and information access control
27) Mobile computing and teleworking
Access to information should be granted in accordance with business and security requirements.
A formal access control policy should be in place.
Access control rules should be specified.
User access management should follow a formal process.
User responsibilities concerning password use and protection of equipment should be clearly defined.
Networked services, operating systems and applications should be protected appropriately.
System access and use should be controlled, considering secure logon procedures, user identification and authentication, password management, usage of system utilities, and session time-out.
Software and information access should be restricted to authorised users.
Mobile computing and teleworking should be performed in a secure manner.
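The secure logon items above (user identification and authentication, password management, session time-out) are easy to state and easy to get wrong, so here is an added example, not from the slides, of a minimal logon service that does them in Python's standard library: salted PBKDF2 password hashes, constant-time comparison, the same hashing cost for unknown accounts, lockout after repeated failures, and an inactivity time-out on sessions. The iteration count, lockout threshold, time-out and user names are assumptions for the demo; the clock is injected so that expiry can be exercised without waiting.

```python
# Added example, not from the slides: secure logon with salted password
# hashing, constant-time comparison, lockout after repeated failures and an
# inactivity time-out for sessions. Limits and names are assumptions.
import hashlib
import hmac
import os
import secrets
from typing import Callable, Dict, Optional

PBKDF2_ITERATIONS = 100_000      # kept low so the demo runs quickly; raise to current OWASP guidance in production
MAX_FAILURES = 5                 # assumed lockout threshold
SESSION_TIMEOUT_SECONDS = 15 * 60  # assumed inactivity limit
SALT_BYTES = 16
_DUMMY_SALT = b"\x00" * SALT_BYTES


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class AuthService:
    def __init__(self, clock: Callable[[], float]):
        self.clock = clock  # injectable time source so expiry can be tested deterministically
        self.users: Dict[str, dict] = {}
        self.sessions: Dict[str, dict] = {}

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per account
        self.users[username] = {"salt": salt, "hash": hash_password(password, salt),
                                "failures": 0, "locked": False}

    def login(self, username: str, password: str) -> Optional[str]:
        """Return a session token on success, None on any failure (the reason is not leaked)."""
        rec = self.users.get(username)
        if rec is None:
            hash_password(password, _DUMMY_SALT)  # same cost for unknown accounts, so timing does not reveal them
            return None
        if rec["locked"]:
            return None
        if not hmac.compare_digest(hash_password(password, rec["salt"]), rec["hash"]):
            rec["failures"] += 1
            if rec["failures"] >= MAX_FAILURES:
                rec["locked"] = True  # lockout; unlocking is an administrative action, not shown here
            return None
        rec["failures"] = 0
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {"user": username, "last_seen": self.clock()}
        return token

    def authenticate(self, token: str) -> Optional[str]:
        """Map a token to its user; sessions idle longer than the time-out are dropped."""
        sess = self.sessions.get(token)
        if sess is None:
            return None
        now = self.clock()
        if now - sess["last_seen"] > SESSION_TIMEOUT_SECONDS:
            del self.sessions[token]
            return None
        sess["last_seen"] = now
        return sess["user"]

    def is_locked(self, username: str) -> bool:
        return bool(self.users.get(username, {}).get("locked"))


def demo() -> dict:
    """Constructed run: wrong password, valid session, expiry, lockout, unknown user."""
    now = [1_000_000.0]
    svc = AuthService(clock=lambda: now[0])
    svc.register("ani", "correct horse battery staple")
    svc.register("budi", "hunter2")
    out: dict = {}
    out["wrong_password_rejected"] = svc.login("ani", "wrong") is None
    token = svc.login("ani", "correct horse battery staple")
    out["session_user"] = svc.authenticate(token)
    now[0] += SESSION_TIMEOUT_SECONDS + 1
    out["after_timeout"] = svc.authenticate(token)
    for _ in range(MAX_FAILURES):
        svc.login("budi", "guess")
    out["locked"] = svc.is_locked("budi")
    out["login_while_locked_rejected"] = svc.login("budi", "hunter2") is None
    out["unknown_user_rejected"] = svc.login("nobody", "x") is None
    return out
```

Two details matter more than they look: the dummy hash for unknown users keeps the failure path's cost independent of whether the account exists, and the lockout is checked before the password so that a locked account cannot be probed at all.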
41. 8. Information systems acquisition, development and maintenance:
28) Security requirements of information systems
29) Correct processing in applications
30) Cryptographic controls
31) Security of system files
32) Security in development and support processes
33) Technical vulnerability management
Security issues should be considered when acquiring or implementing information systems, following defined requirements; security requirements should be specified.
Security in application systems should take into account validation of input data, adequate controls over internal processing, message integrity and output data validation.
Use of cryptographic systems should follow a defined policy and consider best practices.
Security of and access to system files (including test data and program source code) should be controlled.
Project and support environments should allow for security by being rigorously controlled (e.g., change management procedures, arrangements for outsourced development, information leakage).
Damage through published vulnerabilities should be prevented.
42. 9. Information security incident management:
34) Reporting information security events and weaknesses
35) Management of information security incidents and improvements
Security events and weaknesses should be reported.
Responsibilities and procedures for managing security incidents and improvements should be defined, and evidence for security incidents should be collected.
10. Business continuity management (BCM):
36) Information security aspects of business continuity management
A comprehensive BCM process should permit the prevention of interruptions to business processes.
The business continuity management process should not be restricted to IT-related areas and activities.
An impact analysis should be executed that results in a strategy plan.
Business continuity plans should be developed following a single framework.
Business continuity plans should be tested, maintained and reassessed continuously.
11. Compliance:
37) Compliance with legal requirements
38) Compliance with security policies and standards, and technical compliance
39) Information systems audit considerations
Relevant legal requirements should be identified and followed.
Any unlawful act (e.g., under data protection acts) should be avoided.
Compliance with the security policy should be ensured by periodic reviews.
45. Framework hierarchy (figure), in three levels: at the conceptual framework level, the ERM / enterprise control framework; at the guide level, the IT governance and control framework; at the practices level, the IT security framework, the IT operational framework and the quality control framework.
46. PO1 Define a strategic IT plan.
PO2 Define the information
architecture.
PO3 Determine technological
direction.
PO4 Define the IT processes, org
and relationship
PO5 Manage the IT investment.
PO6 Communicate mgt aims and
direction
PO7 Manage IT human resources.
PO8 Manage quality.
PO9 Assess and manage IT risks.
PO10 Manage projects.
ME1 Monitor and evaluate IT
performance.
ME2 Monitor and evaluate
internal control.
ME3 Ensure compliance w/
external
requirements.
ME4 Provide IT governance.
DS1 Define and manage
service levels.
DS2 Manage third-party
services.
DS3 Manage performance
DS5 Ensure systems
security.
DS6 Identify and allocate
costs.
DS7 Educate and train
AI1 Identify automated
solutions.
AI2 Acquire and maintain
application software.
AI3 Acquire and maintain
tech infrastr.
AI4 Enable operation and
use.
AI5 Procure IT resources.
AI6 Manage changes.
AI7 Install and accredit
solutions and changes.
DS9 Manage the
configuration.
DS10 Manage problems.
DS11 Manage data.
DS12 Manage the physical