Selection Year Participants
Internal BPKP
2010
2012

30
30
8
9
2
11

Self-funded

NA

Unit of Origin

Passed

%

Time to Pass
Exam

NA

3
3
0

10%
10%

NA

Pusdiklatwas,
Widyaiswara
Deputy AN, PFA and
Kasubdit
DKI Jakarta, PFA
Other Representative Offices,
PFA and Kabid
Deputy 1, PFA

2 PFA

1 immediately,
1 > 6 months
1 > 3 months

1 PFA
0
2

NA

> 1 year
COBIT:
Control Objectives for Information and related Technology,
Represents the consensus of experts,
Published by ITGI

The IT Governance Institute®
ITGI (www.itgi.org) was established in 1998 to advance
international thinking and standards in directing and
controlling an enterprise’s IT.

ITGI: COBIT, as IT gov' framework
COSO: ICIF, as IC framework
ISO: ISO31000, as RM framework
IT governance:
is the responsibility of executives and the BoD. It consists of the leadership, organisational
structures and processes that ensure that the enterprise's IT supports and
extends the organisation's goals and strategies.
COBIT supports IT governance by providing a framework to ensure that:
• IT is aligned with the business
• IT enables the business and maximises benefits
• IT resources are used responsibly
• IT risks are managed appropriately
• IT transparency is achieved through performance measurement.
[Figure: diagram with the labels: Business goals, requirements, information, IT goals, IT Processes, Key Activities, Responsibilities and Accountabilities Chart, Control Outcomes Test, Performance Indicators, Outcomes Measures, Maturity Models, derived from, Control Objectives, Control Design Test, based on, Control Practices]
BUSINESS OBJECTIVES
GOVERNANCE OBJECTIVES

INFORMATION CRITERIA
• Effectiveness
• Efficiency
• Confidentiality
• Integrity
• Availability
• Compliance
• Reliability

IT RESOURCES
• Applications
• Information
• Infrastructure
• People

MONITOR AND EVALUATE
ME1 Monitor and evaluate IT performance.
ME2 Monitor and evaluate internal control.
ME3 Ensure compliance w/ external requirements.
ME4 Provide IT governance.

DELIVERY AND SUPPORT
DS1 Define and manage service levels.
DS2 Manage third-party services.
DS3 Manage performance and capacity.
DS4 Ensure continuous service.
DS5 Ensure systems security.
DS6 Identify and allocate costs.
DS7 Educate and train

PLAN AND ORGANIZE
PO1 Define a strategic IT plan.
PO2 Define the information architecture.
PO3 Determine technological direction.
PO4 Define the IT processes, org and relationship
PO5 Manage the IT investment.
PO6 Communicate mgt aims and direction
PO7 Manage IT human resources.
PO8 Manage quality.
PO9 Assess and manage IT risks.
PO10 Manage projects.

ACQUIRE AND IMPLEMENT
AI1 Identify automated solutions.
AI2 Acquire and maintain application software.
AI3 Acquire and maintain tech infrastr.
AI4 Enable operation and use.
AI5 Procure IT resources.
A control framework for IT governance defines the reasons IT governance is needed, the
stakeholders, and what it needs to accomplish.
In response to the needs, the COBIT FW was created w/ main characteristics of being:
business-focused, process-oriented, controls-based, and measurement-driven.
[Figure: Basic COBIT Principle. Business Requirements drive the investment in IT Resources, that are used by IT Processes, to deliver Enterprise Information, which responds to Business Requirements.]
Business orientation is the main theme of COBIT, designed to: (1) be employed by IT
service providers, users, and auditors, and (2) to provide comprehensive guidance for
mgt and business process owners.
COBIT’S INFORMATION CRITERIA
To satisfy business obj, inf needs to conform to certain control criteria, which are referred
to as business requirements for inf. The inf criteria are defined as follows:
1. Effectiveness: inf being relevant and pertinent to business process as well as being
delivered in a timely, correct, consistent, and usable manner.
2. Efficiency: provision of inf through optimal (productive and eco) use of resource.
3. Confidentiality: the protection of sensitive inf from unauthorised disclosure.
4. Integrity: accuracy and completeness of inf as well as to its validity.
5. Availability: inf being available when required by business process now and in future.
6. Compliance: complying with law, regulation and contractual arrangement.

7. Reliability: provision of appropriate inf for mgt to operate entity and exercise its
fiduciary and governance responsibilities.
BUSINESS GOALS AND IT GOALS
• Defining a set of business goals and IT goals provides a business-related and refined
basis for establishing business req and developing measurement.
• Defining IT Goals and Enterprise Architecture for IT

IT Resources
An operational model is an initial step toward good gov, and also provides a FW for measuring
and monitoring IT perf, communicating w/ service providers and integrating best mgt
practices.
Within the COBIT framework, generic process models are within four domains:
Plan and Organise (PO)—Provides direction to solution delivery (AI) and service
delivery (DS)
Acquire and Implement (AI)—Provides solutions and passes them to be
turned into services.
Deliver and Support (DS)—Receives solutions and makes them usable for
end user.
Monitor and Evaluate (ME)—Monitors all processes to ensure that the
direction provided is followed
[Figure: The Four Interrelated Domains of COBIT. Labels: Plan and Organise, Acquire and Implement, Deliver and Support, Monitor and Evaluate]
PLAN AND ORGANISE (PO)
PO covers strategy and tactics, and concerns identification of the way IT can best
contribute to achievement of business objective.
ACQUIRE AND IMPLEMENT (AI)
IT solutions need to be identified, developed or acquired, implemented and integrated
into the business process. Changes in and maintenance of existing system are covered.
DELIVER AND SUPPORT (DS)
DS is concerned w/ actual delivery of services, includes mgt of security and continuity,
service support, and mgt of data and facilities.

MONITOR AND EVALUATE (ME)
ME addresses performance mgt, monitoring of IC, regulatory compliance and gov.
Across these four domains, COBIT has identified 34 IT processes that are generally used
(refer to figure 22 for the complete list).
PROCESSES NEED CONTROLS
IT control obj provide a complete set of high-level requirements to be considered by
mgt for effective control of each IT process, they:
Are statements of managerial actions to increase value or reduce risk.
Consist of policies, procedures, practices and organisational structures

Provide reasonable assurance that business obj will be achieved.
Mgt needs to make choices relative to these control objectives by:
Selecting those that are applicable;
Deciding upon those that will be implemented;
Choosing how to implement them
(frequency, span, automation, etc.);
Accepting the risk of not implementing.
Control has a standard analogy: when the room
temperature (standard) for a heating system
(process) is set, the system will check (compare)
the ambient room temp (control inf) and will signal
(act) the system to provide more or less heat.
To achieve effective gov, controls need to be implemented by operational managers
within a defined control FW for all IT processes.
The control obj are identified by a 2-character domain reference (PO, AI, DS and ME) +
a process no. and a control obj no. In addition to control obj, each process has
generic control requirements that are identified by PCn (process control no.).
PC1 Process Goals and Objectives
Define and communicate specific, measurable, actionable, realistic, results-oriented
and timely (SMARRT) process goals and objectives. Ensure that they are
linked to the business goals and supported by suitable metrics.
PC2 Process Ownership
Assign owner for each IT process, and clearly define roles and responsibilities of
the process owner. Include, for example, responsibility for process design,
interaction, accountability, measurement, and identification of improvement.
PC3 Process Repeatability
Design and establish each key IT process such that it is repeatable and
consistently produces the expected results.
PC4 Roles and Responsibilities
Define the key activities and end deliverables of the process. Assign and
communicate unambiguous roles and responsibilities for effective and efficient
execution of key activities and their documentation as well as accountability.
PC5 Policy, Plans and Procedures

Define and communicate how all policies, plans and procedures that drive an IT
process are documented, reviewed, maintained, approved, stored, communicated
and used for training.
PC6 Process Performance Improvement
Identify a set of metrics that provides insight into outcomes and performance of
the process. Establish targets that reflect on the process goals and performance
indicators that enable the achievement of process goals.
BUSINESS AND IT CONTROLS
The enterprise’s system of IC impacts IT at 3 levels:
1. At the executive mgt level:
The overall approach to governance and control is established by the board and
communicated throughout the enterprise. The IT control environment is directed by a
top-level set of objectives and policies.
2. At the business process level:
Most business processes are automated and integrated w/ IT application system,
resulting in many of controls at this level being automated. Known as application
control. However, some controls within business process remain as manual
procedures, such as authorisation for trans, separation of duties.
3. To support the business processes:
IT provides IT services, in a shared service to many business processes, and much
of the IT infrastructure is provided as a common service (e.g., networks, databases,
OS and storage). The controls applied to all IT service actv are known as IT general
controls. Poor change mgt could jeopardise reliability of automated integrity check.
IT GENERAL CONTROLS AND APPLICATION CONTROLS
General control: controls embedded in IT processes and services, include:
• Systems development, Change management, Security, and Computer operation.
Application control: control embedded in business process application, include:
• Completeness, Accuracy, Validity, Authorisation, and Segregation of duties
Design and implementation of automated AC is responsibility of IT, covered in AI domain,
based on COBIT’s information criteria. The operational mgt and control responsibility for
AC is not w/ IT, but w/ the business process owner.
Hence, the responsibility for AC is an end-to-end joint responsibility between business
and IT, but the nature of the responsibilities changes as follows:
The business is responsible to properly:
– Define functional and control requirements
– Use automated services
IT is responsible to:
– Automate and implement business functional and control requirements
– Establish controls to maintain the integrity of applications controls.
The following list provides a recommended set of Application Control objectives:
AC1 Source Data Preparation and Authorisation
Ensure that source doc are prepared by authorised and qualified personnel following
established procedures, taking into account adequate segregation of duties.
AC2 Source Data Collection and Entry

Establish that data input is performed in a timely manner by authorised and qualified staff.
AC3 Accuracy, Completeness and Authenticity Checks
Ensure that transc are accurate, complete, and valid.
AC4 Processing Integrity and Validity
Maintain the integrity and validity of data throughout the processing cycle. Detection
of erroneous transactions does not disrupt the processing of valid transactions.
AC5 Output Review, Reconciliation and Error Handling
Establish procedures and responsibilities to ensure that output is delivered to the appr
recipient and protected during transmission, and that verification, detection and
correction of the accuracy of output occur.
AC6 Transaction Authentication and Integrity
Before passing transc data b/w internal applications and business/opr functions,
check it for proper addressing, authenticity of origin and integrity of content.
Enterprises need to measure where they are and where improvement is required, and
implement a management tool kit to monitor this improvement.
COBIT deals with these issues by providing:
Maturity model to enable benchmark and identify necessary capability improvement.
Perf goals and metric for IT processes, demonstrating how processes meet business
and IT goal and are used for measuring internal process perf based on BSC principle.
Activity goals for enabling effective process performance
MATURITY MODELS
IT mgt is constantly on lookout for benchmarking and self-assessment tool in response
to the need to know what to do in an efficient manner. This responds to 3 needs:
1. A relative measure of where the enterprise is
2. A manner to efficiently decide where to go
3. A tool for measuring progress against the goal.

Maturity model for mgt and control over IT processes is based on a method of evaluating
the organisation, so it can be rated from a maturity level of non-existent (0) to optimised (5).
The purpose is to identify where issues are and how to set priorities for
improvements, not to assess the level of adherence to the control objectives.
They are not designed for use as a threshold model, where one cannot move to the
next higher level without having fulfilled all conditions of the lower level.
• Using MM developed for each of COBIT’s 34 IT processes, mgt can identify:
The actual performance of the enterprise—Where the enterprise is today
The current status of the industry—The comparison
The enterprise’s target for improvement—Where the enterprise wants to be
The required growth path between ‘as-is’ and ‘to-be’.
Capability, coverage and control are all dimensions of process maturity:

Coverage, depth of
control, and how the
capability is used and
deployed are cost-benefit
decisions. For example, a
high level of security mgt
may have to be focused
only on most critical
enterprise systems.
Another example would be
choice b/w a weekly
manual review and a
continuous automated
control.
PERFORMANCE MEASUREMENT
Goals and metrics are defined in COBIT at 3 levels:
1. IT goals and metrics: define what business expects from IT and how to measure it.
2. Process goals and metrics: define what the IT process must deliver to support IT’s
objectives and how to measure it.

3. Activity goals and metrics: establish what needs to happen inside the process to
achieve the required perf and how to measure it
Two types of metrics:
Outcome measure: indicate whether the goals have been met. These can be
measured only after the fact and, therefore, are called ‘lag indicators’.
Performance indicators: indicate whether goals are likely to be met. They can be
measured before the outcome is clear and, therefore, are called ‘lead indicators’.
Outcome measures of the lower level become performance indicators for the higher level.
Outcome measures of IT function are often expressed in term of inf criteria:
Availability of information needed to support the business needs

Absence of integrity and confidentiality risks
Cost-efficiency of processes and operations
Confirmation of reliability, effectiveness and compliance
Performance indicators (or performance drivers) define measures that determine how
well business, IT function or IT process is performing in enabling the goals to be
reached. They often measure the availability of appropriate capabilities, practices and
skills, and the outcome of underlying activities.
[Figure: relationship between goals and metrics. Labels: Define Goals, Improve and realign, Measure Achievement, Indicate Performance; metric levels: Business metrics, IT metrics, Process metrics, labelled as outcome measures and performance indicators.]
Business goals: Maintain enterprise reputation and leadership. Is measured by: number of incidents causing public embarrassment.
IT goals: Ensure that IT services can resist and recover from attacks. Is measured by: number of actual IT incidents with business impact.
Process goals: Detect and resolve unauthorised access to information, applications and infrastructure. Is measured by: number of actual incidents because of unauthorised access.
Activity goals: Understand security requirements, vulnerabilities and threats. Is measured by: frequency of review of the type of security events to be monitored.
Published by the International Organisation for Standardisation (ISO)
The standard is focused on security issues and does not cover the full scope of IT
management duties.
Consists of 12 security controls.
Latest series: ISO 27000 : 2013
The need for inf sec is based on the fact that inf and related systems are important
assets for organisations. As organisations face information security threats, the
protection of information is essential to maintain organisational stability.
Sources for the identification of security requirements are:
• Risks the organisation faces and the impact on business strategy and objectives
• Legal requirements
• Specific requirements, principles and objectives for information processing to support business operations
Controls should be selected and defined considering:
• Legal requirements
• Business requirements
• Cost of implementation
• Potential impact of a security breach
When implementing a system for inf security mgt, several CSFs should be considered to ensure:
• That the security policy, its objs and its activities reflect the business objectives;
• That the implementation considers cultural aspects of the organisation;
• Open support and engagement of senior management;
• Thorough knowledge of security requirements, risk assessment and RM;
• That effective marketing of security targets all personnel, including members of mgt;
• That security policy and sec measures are communicated to contracted third parties;
• That sufficient and adequate funding is available;
• That users are well trained;
• That a comprehensive inf security incident mgt process is established;
• That a comprehensive and balanced system for performance measurement is available that supports continuous improvement by giving feedback.
ISO/IEC 17799:2005 is structured into 11 sections (security control chapters), which
contain 39 main security categories.
The main sec categories consist of a control obj and 1 or more controls to achieve the
control obj.
1. Security policy:
1) Information security policy.
• Inf sec policy should define direction and contain commitment and support of mgt
• The policy should be reviewed periodically and communicated throughout org.
2. Organisation of information security:
2) Internal organization
3) External parties
• Inf security should be supported by mgt;
• Relevant activities should be co-ordinated throughout the organisation, and responsibilities for information security should be clearly defined.
• Confidentiality agreements should be in place.
• Appropriate contacts w/ authority and special interest group should be maintained.
• Inf security should be subject to independent review.
• Controls should be implemented to manage identified risks related to external party.
• Outsourcing arrangements should address information security.
• There should be an authorisation process for information processing facilities.
3. Asset management:
4) Responsibility for assets
5) Information classification
• An inventory of assets and assignment of the responsibility should be made.
• Assets should have a nominated owner, and use of assets should be based on defined rules.
• Inf should be classified and labeled, thus ensuring appropriate level of protection.
4. Human resources security:
6) Prior to employment
7) During employment
8) Termination or change of employment
• Sec requirements for employees should be identified throughout the employment life cycle.
• Sec responsibilities, confidentiality agreements and contract of employment should be part of the job responsibility and terms and conditions of employment.
• Adequate controls for personnel screening should be in place.
• Inf sec education and training should increase sec awareness of all employees.
• A formal disciplinary process should be in place for individuals who breach sec policy.
• Rules for termination and change of employment should be defined and followed.
5. Physical and environmental security:
9) Secure Areas
10) Equipment Security
• Central equipment should be installed only within a secure area where adequate access controls and damage prevention are implemented.
• Equip should be protected against loss, damage or compromise by being sited and protected in an appropriate manner. Power supplies, an adequate level of cabling sec and correct maintenance of the equipment should be in place.
• Equipment installed off premises and the disposal or reuse of information should be considered; authorisation for taking equipment off site is recommended.
• Special attention is needed at public access, delivery and loading areas where the central equipment is installed.
6. Communications and operations management:
11) Operational Procedures and responsibilities
12) Third party service delivery management
13) System planning and acceptance
14) Protection against malicious and mobile code
15) Backup
16) Network Security Management
17) Media handling
18) Exchange of Information
19) Electronic Commerce Services
20) Monitoring
• Operations should follow documented procedures.
• All changes to facilities should be controlled.
• Duties should be segregated; no individual can both initiate and authorise an event.
• Development and operational facilities should be separated.
• Risks caused by contracted org should be covered, and third-party services should be controlled.
• System planning and acceptance consider capacity mgt and the definition of acceptance criteria.
• Damage caused by malicious software and mobile code should be prevented, using preventive and detective controls, formal policies, and defined recovery procedure.
• Information should be backed up, and the backup files should be tested regularly.
• Networks and network services should be set up and managed with a view to ensuring the necessary level of security and service levels.
• Removable media should be handled with special care.
• Media with sensitive information should be disposed of in a secure manner.
• Adequate controls in information handling procedures (e.g., labeling of media, ensuring completeness of inputs, storage of media) should be considered.
• System documentation is to be protected, as it may contain sensitive information.
• Agreements for exchange of inf and software should be established, including media in transit, e-commerce transactions, e-mail, electronic office systems.
• E-commerce services and their use should be controlled.
• Security-relevant activities should be logged and monitored, and the effectiveness of controls should be assessed.
7. Access control:
21) Business Requirement for Access Control
22) User Access Management
23) User Responsibilities
24) Network Access Control
25) Operating system access control
26) Application and Information Access Control
27) Mobile Computing and teleworking
• Access to inf should be granted in accordance with business and security requirements.
• A formal access control policy should be in place.
• Access control rules should be specified.
• User access mgt should follow a formal process.
• User responsibilities concerning PW use and protection of equipment should be clearly defined.
• Networked services, operating systems and applications should be protected appropriately.
• System access and use should be controlled, considering secure logon procedures, user identification and authentication, PW mgt, usage of system utilities, and session time-out.
• Software and information access should be restricted to authorised users.
• Mobile computing and teleworking should be performed in a secure manner.
8. Information systems acquisition, development and maintenance:
28) Security requirements of information systems
29) Correct processing in applications
30) Cryptographic controls
31) Security of system files
32) Security in development and support processes
33) Technical Vulnerability Management
• Sec issues should be considered when acquiring or implementing inf systems following defined requirements; security requirements should be specified.
• Sec in application system should take into account validation of input data, adequate controls of internal processing, message integrity and output data validation.
• Use of cryptographic systems should follow a defined policy and consider best practices.
• Security of and access to system files (including test data and program source code) should be controlled.
• Project and support environments should allow for sec by being rigorously controlled (e.g., change mgt procedures, arrangements for outsourced development, inf leakage).
• Damage through published vulnerabilities should be prevented.
9. Information security incident management:
34) Reporting information security events and weaknesses
35) Management of information security incidents and improvements
• Security events and weaknesses should be reported.
• Responsibilities and procedures for managing security incidents and improvements should be defined, and evidence for security incidents should be collected.

10. Business continuity management (BCM):
36) Information security aspects of business continuity management
• Comprehensive BCM process should permit prevention of interruption to business process
• Business continuity mgt process should not be restricted to IT-related areas and activities.
• An impact analysis should be executed that results in a strategy plan.
• Business continuity plans should be developed following a single framework.
• Business continuity plans should be tested, maintained and reassessed continuously.

11. Compliance:
37) Compliance with legal requirements
38) Compliance with security policies and standards, and technical compliance
39) Information Systems audit considerations
• Relevant legal requirements should be identified and followed.
• Any unlawful act (e.g., data protection acts) should be avoided.
• Compliance with the security policy should be ensured by periodic reviews.
[Figure: Obtain Upper Management Support; Define Security Perimeter; Create Information Security Policy; Select and Implement Controls; Perform Risk Assessment; Create Information Security Mgt System; Document in Statement of Accountability; Audit]
Source: Tom Carlson; Information Security Management: Understanding ISO 17799, 2001
[Figure labels: ERM / Enterprise Control Framework; IT Governance and Control Framework; Conceptual Framework; Guide; Practices; IT Security Framework; IT Operational Framework; Quality Control Framework]
PO1 Define a strategic IT plan.
PO2 Define the information architecture.
PO3 Determine technological direction.
PO4 Define the IT processes, org and relationship
PO5 Manage the IT investment.
PO6 Communicate mgt aims and direction
PO7 Manage IT human resources.
PO8 Manage quality.
PO9 Assess and manage IT risks.
PO10 Manage projects.

ME1 Monitor and evaluate IT performance.
ME2 Monitor and evaluate internal control.
ME3 Ensure compliance w/ external requirements.
ME4 Provide IT governance.

DS1 Define and manage service levels.
DS2 Manage third-party services.
DS3 Manage performance
DS5 Ensure systems security.
DS6 Identify and allocate costs.
DS7 Educate and train
DS9 Manage the configuration.
DS10 Manage problems.
DS11 Manage data.
DS12 Manage the physical

AI1 Identify automated solutions.
AI2 Acquire and maintain application software.
AI3 Acquire and maintain tech infrastr.
AI4 Enable operation and use.
AI5 Procure IT resources.
AI6 Manage changes.
AI7 Install and accredit solutions and changes.
Managing IT Processes with COBIT Controls
Msp It Goverance And Service Delivery Process
 
gray_audit_presentation.ppt
gray_audit_presentation.pptgray_audit_presentation.ppt
gray_audit_presentation.ppt
 
01 intro-cobit
01 intro-cobit01 intro-cobit
01 intro-cobit
 
Comparison of it governance framework-COBIT, ITIL, BS7799
Comparison of it governance framework-COBIT, ITIL, BS7799Comparison of it governance framework-COBIT, ITIL, BS7799
Comparison of it governance framework-COBIT, ITIL, BS7799
 
Frameworks For Predictability
Frameworks For PredictabilityFrameworks For Predictability
Frameworks For Predictability
 
Marcos cobi t -e-itil-v040811
Marcos cobi t -e-itil-v040811Marcos cobi t -e-itil-v040811
Marcos cobi t -e-itil-v040811
 
Cobit 4.1 ivo oktavianti
Cobit 4.1 ivo oktaviantiCobit 4.1 ivo oktavianti
Cobit 4.1 ivo oktavianti
 
Cobit 4.1 ivooktavianti
Cobit 4.1 ivooktaviantiCobit 4.1 ivooktavianti
Cobit 4.1 ivooktavianti
 
Cobit 4.1 ivo oktavianti
Cobit 4.1 ivo oktaviantiCobit 4.1 ivo oktavianti
Cobit 4.1 ivo oktavianti
 
Principal 4 Enabling A Holistic Approach
Principal 4 Enabling A Holistic ApproachPrincipal 4 Enabling A Holistic Approach
Principal 4 Enabling A Holistic Approach
 
CobiT, Val IT & Balanced Scorecards
CobiT, Val IT & Balanced ScorecardsCobiT, Val IT & Balanced Scorecards
CobiT, Val IT & Balanced Scorecards
 
Proposal of a Framework of Lean Governance and Management of Enterprise IT
Proposal of a Framework of Lean Governance and Management of Enterprise ITProposal of a Framework of Lean Governance and Management of Enterprise IT
Proposal of a Framework of Lean Governance and Management of Enterprise IT
 
ITIL version 2: Foundation Training
ITIL version 2: Foundation TrainingITIL version 2: Foundation Training
ITIL version 2: Foundation Training
 
COBIT 2019 - DIGITAL TRUST FRAMEWORK
COBIT 2019 - DIGITAL TRUST FRAMEWORKCOBIT 2019 - DIGITAL TRUST FRAMEWORK
COBIT 2019 - DIGITAL TRUST FRAMEWORK
 
It governance & cobit 5
It governance & cobit 5It governance & cobit 5
It governance & cobit 5
 
It Audit
It AuditIt Audit
It Audit
 
COBIT
COBITCOBIT
COBIT
 
Integrating sms and isms
Integrating sms and ismsIntegrating sms and isms
Integrating sms and isms
 

More from Mulyadi Yusuf

Paper seminar akuntansi pemerintah kel 1--sap berbasis akrual
Paper seminar akuntansi pemerintah kel 1--sap berbasis akrualPaper seminar akuntansi pemerintah kel 1--sap berbasis akrual
Paper seminar akuntansi pemerintah kel 1--sap berbasis akrualMulyadi Yusuf
 
Paper mssp analisis renstra dan capaian kinerja kemenhub (1)
Paper mssp   analisis renstra dan capaian kinerja kemenhub (1)Paper mssp   analisis renstra dan capaian kinerja kemenhub (1)
Paper mssp analisis renstra dan capaian kinerja kemenhub (1)Mulyadi Yusuf
 
Paper mssp analisis renstra dan capaian kinerja kemenpan rb
Paper mssp   analisis renstra dan capaian kinerja kemenpan rb Paper mssp   analisis renstra dan capaian kinerja kemenpan rb
Paper mssp analisis renstra dan capaian kinerja kemenpan rb Mulyadi Yusuf
 
Paper menstra kemenkes final-sapce
Paper menstra kemenkes final-sapcePaper menstra kemenkes final-sapce
Paper menstra kemenkes final-sapceMulyadi Yusuf
 
Peta strategi kementan
Peta strategi kementanPeta strategi kementan
Peta strategi kementanMulyadi Yusuf
 
Mssp analisis renstra ditjen ppi
Mssp analisis renstra ditjen ppiMssp analisis renstra ditjen ppi
Mssp analisis renstra ditjen ppiMulyadi Yusuf
 
Manstrapem bina upaya kesehatan final
Manstrapem bina upaya kesehatan finalManstrapem bina upaya kesehatan final
Manstrapem bina upaya kesehatan finalMulyadi Yusuf
 
Paper mssp analisis renstra dan capaian kinerja ditjen perhubungan udara
Paper mssp   analisis renstra dan capaian kinerja ditjen perhubungan udaraPaper mssp   analisis renstra dan capaian kinerja ditjen perhubungan udara
Paper mssp analisis renstra dan capaian kinerja ditjen perhubungan udaraMulyadi Yusuf
 
Balanced scorecard amin subiyakto
Balanced scorecard   amin subiyaktoBalanced scorecard   amin subiyakto
Balanced scorecard amin subiyaktoMulyadi Yusuf
 
10. kertas kerja it audit
10. kertas kerja it audit10. kertas kerja it audit
10. kertas kerja it auditMulyadi Yusuf
 
09.2 audit siklus pembelian dan pembayaran
09.2 audit siklus pembelian dan pembayaran09.2 audit siklus pembelian dan pembayaran
09.2 audit siklus pembelian dan pembayaranMulyadi Yusuf
 
09.1 audit siklus penjualan dan penerimaan
09.1 audit siklus penjualan dan penerimaan09.1 audit siklus penjualan dan penerimaan
09.1 audit siklus penjualan dan penerimaanMulyadi Yusuf
 
05.2 auditing procedure application controls
05.2 auditing procedure   application controls05.2 auditing procedure   application controls
05.2 auditing procedure application controlsMulyadi Yusuf
 
05.1 auditing procedure general controls
05.1 auditing procedure   general controls05.1 auditing procedure   general controls
05.1 auditing procedure general controlsMulyadi Yusuf
 
03.2 application control
03.2 application control03.2 application control
03.2 application controlMulyadi Yusuf
 
03.1 general control
03.1 general control03.1 general control
03.1 general controlMulyadi Yusuf
 
02. cobit5 introduction
02. cobit5 introduction02. cobit5 introduction
02. cobit5 introductionMulyadi Yusuf
 

More from Mulyadi Yusuf (20)

Paper seminar akuntansi pemerintah kel 1--sap berbasis akrual
Paper seminar akuntansi pemerintah kel 1--sap berbasis akrualPaper seminar akuntansi pemerintah kel 1--sap berbasis akrual
Paper seminar akuntansi pemerintah kel 1--sap berbasis akrual
 
Mckinsey kominfo
Mckinsey kominfoMckinsey kominfo
Mckinsey kominfo
 
Paper mssp analisis renstra dan capaian kinerja kemenhub (1)
Paper mssp   analisis renstra dan capaian kinerja kemenhub (1)Paper mssp   analisis renstra dan capaian kinerja kemenhub (1)
Paper mssp analisis renstra dan capaian kinerja kemenhub (1)
 
Paper mssp analisis renstra dan capaian kinerja kemenpan rb
Paper mssp   analisis renstra dan capaian kinerja kemenpan rb Paper mssp   analisis renstra dan capaian kinerja kemenpan rb
Paper mssp analisis renstra dan capaian kinerja kemenpan rb
 
Paper menstra kemenkes final-sapce
Paper menstra kemenkes final-sapcePaper menstra kemenkes final-sapce
Paper menstra kemenkes final-sapce
 
Peta strategi kementan
Peta strategi kementanPeta strategi kementan
Peta strategi kementan
 
Mssp analisis renstra ditjen ppi
Mssp analisis renstra ditjen ppiMssp analisis renstra ditjen ppi
Mssp analisis renstra ditjen ppi
 
Manstrapem bina upaya kesehatan final
Manstrapem bina upaya kesehatan finalManstrapem bina upaya kesehatan final
Manstrapem bina upaya kesehatan final
 
Paper mssp analisis renstra dan capaian kinerja ditjen perhubungan udara
Paper mssp   analisis renstra dan capaian kinerja ditjen perhubungan udaraPaper mssp   analisis renstra dan capaian kinerja ditjen perhubungan udara
Paper mssp analisis renstra dan capaian kinerja ditjen perhubungan udara
 
Balanced scorecard amin subiyakto
Balanced scorecard   amin subiyaktoBalanced scorecard   amin subiyakto
Balanced scorecard amin subiyakto
 
10. kertas kerja it audit
10. kertas kerja it audit10. kertas kerja it audit
10. kertas kerja it audit
 
09.2 audit siklus pembelian dan pembayaran
09.2 audit siklus pembelian dan pembayaran09.2 audit siklus pembelian dan pembayaran
09.2 audit siklus pembelian dan pembayaran
 
09.1 audit siklus penjualan dan penerimaan
09.1 audit siklus penjualan dan penerimaan09.1 audit siklus penjualan dan penerimaan
09.1 audit siklus penjualan dan penerimaan
 
05.2 auditing procedure application controls
05.2 auditing procedure   application controls05.2 auditing procedure   application controls
05.2 auditing procedure application controls
 
05.1 auditing procedure general controls
05.1 auditing procedure   general controls05.1 auditing procedure   general controls
05.1 auditing procedure general controls
 
03.2 application control
03.2 application control03.2 application control
03.2 application control
 
03.1 general control
03.1 general control03.1 general control
03.1 general control
 
02. cobit5 introduction
02. cobit5 introduction02. cobit5 introduction
02. cobit5 introduction
 
Erm tm 12
Erm tm 12Erm tm 12
Erm tm 12
 
Erm tm 11
Erm tm 11Erm tm 11
Erm tm 11
 

Recently uploaded

HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...Nguyen Thanh Tu Collection
 
Judging the Relevance and worth of ideas part 2.pptx
Judging the Relevance  and worth of ideas part 2.pptxJudging the Relevance  and worth of ideas part 2.pptx
Judging the Relevance and worth of ideas part 2.pptxSherlyMaeNeri
 
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTS
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTSGRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTS
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTSJoshuaGantuangco2
 
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptxECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptxiammrhaywood
 
ANG SEKTOR NG agrikultura.pptx QUARTER 4
ANG SEKTOR NG agrikultura.pptx QUARTER 4ANG SEKTOR NG agrikultura.pptx QUARTER 4
ANG SEKTOR NG agrikultura.pptx QUARTER 4MiaBumagat1
 
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17Celine George
 
Transaction Management in Database Management System
Transaction Management in Database Management SystemTransaction Management in Database Management System
Transaction Management in Database Management SystemChristalin Nelson
 
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdfLike-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdfMr Bounab Samir
 
ISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITY
ISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITYISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITY
ISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITYKayeClaireEstoconing
 
ENGLISH6-Q4-W3.pptxqurter our high choom
ENGLISH6-Q4-W3.pptxqurter our high choomENGLISH6-Q4-W3.pptxqurter our high choom
ENGLISH6-Q4-W3.pptxqurter our high choomnelietumpap1
 
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)lakshayb543
 
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...Postal Advocate Inc.
 
4.18.24 Movement Legacies, Reflection, and Review.pptx
4.18.24 Movement Legacies, Reflection, and Review.pptx4.18.24 Movement Legacies, Reflection, and Review.pptx
4.18.24 Movement Legacies, Reflection, and Review.pptxmary850239
 
FILIPINO PSYCHology sikolohiyang pilipino
FILIPINO PSYCHology sikolohiyang pilipinoFILIPINO PSYCHology sikolohiyang pilipino
FILIPINO PSYCHology sikolohiyang pilipinojohnmickonozaleda
 
Student Profile Sample - We help schools to connect the data they have, with ...
Student Profile Sample - We help schools to connect the data they have, with ...Student Profile Sample - We help schools to connect the data they have, with ...
Student Profile Sample - We help schools to connect the data they have, with ...Seán Kennedy
 
Proudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptxProudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptxthorishapillay1
 
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptx
AUDIENCE THEORY -CULTIVATION THEORY -  GERBNER.pptxAUDIENCE THEORY -CULTIVATION THEORY -  GERBNER.pptx
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptxiammrhaywood
 
Barangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptxBarangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptxCarlos105
 
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdfGrade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdfJemuel Francisco
 
4.16.24 21st Century Movements for Black Lives.pptx
4.16.24 21st Century Movements for Black Lives.pptx4.16.24 21st Century Movements for Black Lives.pptx
4.16.24 21st Century Movements for Black Lives.pptxmary850239
 

Recently uploaded (20)

HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
 
Judging the Relevance and worth of ideas part 2.pptx
Judging the Relevance  and worth of ideas part 2.pptxJudging the Relevance  and worth of ideas part 2.pptx
Judging the Relevance and worth of ideas part 2.pptx
 
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTS
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTSGRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTS
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTS
 
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptxECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
 
ANG SEKTOR NG agrikultura.pptx QUARTER 4
ANG SEKTOR NG agrikultura.pptx QUARTER 4ANG SEKTOR NG agrikultura.pptx QUARTER 4
ANG SEKTOR NG agrikultura.pptx QUARTER 4
 
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
 
Transaction Management in Database Management System
Transaction Management in Database Management SystemTransaction Management in Database Management System
Transaction Management in Database Management System
 
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdfLike-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
 
ISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITY
ISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITYISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITY
ISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITY
 
ENGLISH6-Q4-W3.pptxqurter our high choom
ENGLISH6-Q4-W3.pptxqurter our high choomENGLISH6-Q4-W3.pptxqurter our high choom
ENGLISH6-Q4-W3.pptxqurter our high choom
 
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
 
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
 
4.18.24 Movement Legacies, Reflection, and Review.pptx
4.18.24 Movement Legacies, Reflection, and Review.pptx4.18.24 Movement Legacies, Reflection, and Review.pptx
4.18.24 Movement Legacies, Reflection, and Review.pptx
 
FILIPINO PSYCHology sikolohiyang pilipino
FILIPINO PSYCHology sikolohiyang pilipinoFILIPINO PSYCHology sikolohiyang pilipino
FILIPINO PSYCHology sikolohiyang pilipino
 
Student Profile Sample - We help schools to connect the data they have, with ...
Student Profile Sample - We help schools to connect the data they have, with ...Student Profile Sample - We help schools to connect the data they have, with ...
Student Profile Sample - We help schools to connect the data they have, with ...
 
Proudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptxProudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptx
 
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptx
AUDIENCE THEORY -CULTIVATION THEORY -  GERBNER.pptxAUDIENCE THEORY -CULTIVATION THEORY -  GERBNER.pptx
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptx
 
Barangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptxBarangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptx
 
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdfGrade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
 
4.16.24 21st Century Movements for Black Lives.pptx
4.16.24 21st Century Movements for Black Lives.pptx4.16.24 21st Century Movements for Black Lives.pptx
4.16.24 21st Century Movements for Black Lives.pptx
 

Managing IT Processes with COBIT Controls

  • 1.
  • 2.
  • 3. Selection Year Participants Internal BPKP 2010 2012 30 30 8 9 2 11 Self-Funded NA Unit of Origin Passed % Time to Pass Exam NA 3 3 0 10% 10% NA Pusdiklatwas, Widyaiswara Deputi AN, PFA and Kasubdit DKI Jakarta, PFA Other Representative Offices, PFA and Kabid Deputi 1, PFA 2 PFA 1 immediately, 1 > 6 months 1 > 3 months 1 PFA 0 2 NA > 1 year
  • 4. COBIT: Control Objectives for Information and related Technology; represents the consensus of experts; published by ITGI. The IT Governance Institute® (ITGI, www.itgi.org) was established in 1998 to advance international thinking and standards in directing and controlling an enterprise’s IT. ITGI: COBIT as IT gov’ framework. COSO: ICIF as IC framework. ISO: ISO31000 as RM framework.
  • 5. IT governance: is the responsibility of executives and the BoD. It consists of the leadership, organisational structures and processes that ensure that the enterprise’s IT supports and extends the organisation’s goals and strategy. COBIT supports IT governance by providing a framework to ensure that: IT is aligned with the business; IT enables the business and maximises benefits; IT resources are used responsibly; IT risks are managed appropriately; IT transparency is achieved through performance measurement.
  • 6.
  • 7. [Diagram: business goals, requirements, information, IT goals, IT processes, key activities, responsibilities and accountabilities chart, control outcomes test, performance indicators, outcome measures, maturity models, control objectives, control design test, control practices; relations labelled "derived from" and "based on".]
  • 8.
  • 9. BUSINESS OBJECTIVES; GOVERNANCE OBJECTIVES. INFORMATION CRITERIA: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability. IT RESOURCES: Applications, Information, Infrastructure, People. MONITOR AND EVALUATE: ME1 Monitor and evaluate IT performance. ME2 Monitor and evaluate internal control. ME3 Ensure compliance w/ external requirements. ME4 Provide IT governance. DELIVERY AND SUPPORT: DS1 Define and manage service levels. DS2 Manage third-party services. DS3 Manage performance and capacity. DS4 Ensure continuous service. DS5 Ensure systems security. DS6 Identify and allocate costs. DS7 Educate and train. PLAN AND ORGANIZE: PO1 Define a strategic IT plan. PO2 Define the information architecture. PO3 Determine technological direction. PO4 Define the IT processes, org and relationship. PO5 Manage the IT investment. PO6 Communicate mgt aims and direction. PO7 Manage IT human resources. PO8 Manage quality. PO9 Assess and manage IT risks. PO10 Manage projects. ACQUIRE AND IMPLEMENT: AI1 Identify automated solutions. AI2 Acquire and maintain application software. AI3 Acquire and maintain tech infrastr. AI4 Enable operation and use. AI5 Procure IT resources.
  • 10. A control framework for IT governance defines the reasons IT governance is needed, the stakeholders, and what it needs to accomplish. In response to the needs, the COBIT FW was created w/ main characteristics of being: business-focused, process-oriented, controls-based, and measurement-driven. Basic COBIT Principle: Business Requirements drive the investment in IT Resources, that are used by IT Processes, to deliver Enterprise Information, which responds to Business Requirements.
  • 11. Business orientation is the main theme of COBIT, designed to: (1) be employed by IT service providers, users, and auditors, and (2) provide comprehensive guidance for mgt and business process owners. COBIT’S INFORMATION CRITERIA: To satisfy business obj, inf needs to conform to certain control criteria, which are referred to as business requirements for inf. The inf criteria are defined as follows: 1. Effectiveness: inf being relevant and pertinent to the business process as well as being delivered in a timely, correct, consistent, and usable manner. 2. Efficiency: provision of inf through optimal (productive and eco) use of resources. 3. Confidentiality: the protection of sensitive inf from unauthorised disclosure. 4. Integrity: accuracy and completeness of inf as well as its validity. 5. Availability: inf being available when required by the business process now and in future. 6. Compliance: complying with laws, regulations and contractual arrangements. 7. Reliability: provision of appropriate inf for mgt to operate the entity and exercise its fiduciary and governance responsibilities.
  • 12. BUSINESS GOALS AND IT GOALS: Defining a set of business goals and IT goals provides a business-related and refined basis for establishing business req and developing measurement. [Figure: Defining IT Goals and Enterprise Architecture for IT; IT Resources]
  • 13. An operational model is the initial step toward good gov, and also provides a FW for measuring and monitoring IT perf, communicating w/ service providers and integrating best mgt practices. Within the COBIT framework, generic process models are within four domains: Plan and Organise (PO): provides direction to solution delivery (AI) and service delivery (DS). Acquire and Implement (AI): provides solutions and passes them to be turned into services. Deliver and Support (DS): receives solutions and makes them usable for end users. Monitor and Evaluate (ME): monitors all processes to ensure that the direction provided is followed. [Figure: The Four Interrelated Domains of COBIT: Plan and Organise, Acquire and Implement, Deliver and Support, Monitor and Evaluate]
  • 14. PLAN AND ORGANISE (PO): PO covers strategy and tactics, and concerns the identification of the way IT can best contribute to the achievement of business objectives. ACQUIRE AND IMPLEMENT (AI): IT solutions need to be identified, developed or acquired, implemented and integrated into the business process. Changes in and maintenance of existing systems are covered. DELIVER AND SUPPORT (DS): DS is concerned w/ the actual delivery of services, and includes mgt of security and continuity, service support, and mgt of data and facilities. MONITOR AND EVALUATE (ME): ME addresses performance mgt, monitoring of IC, regulatory compliance and gov. Across these four domains, COBIT has identified 34 IT processes that are generally used (refer to figure 22 for the complete list).
  • 15. PROCESSES NEED CONTROLS: IT control obj provide a complete set of high-level requirements to be considered by mgt for effective control of each IT process. They: are statements of managerial actions to increase value or reduce risk; consist of policies, procedures, practices and organisational structures; provide reasonable assurance that business obj will be achieved. Mgt needs to make choices relative to these control objectives by: selecting those that are applicable; deciding upon those that will be implemented; choosing how to implement them (frequency, span, automation, etc.); accepting the risk of not implementing. A standard control analogy: when the room temperature (standard) for a heating system (process) is set, the system will check (compare) the ambient room temp (control inf) and will signal (act) the system to provide more or less heat.
  • 16. PROCESSES NEED CONTROLS: To achieve effective gov, controls need to be implemented by operational managers within a defined control FW for all IT processes. The control obj are identified by a 2-character domain reference (PO, AI, DS and ME) + a process no. and a control obj no. In addition to the control obj, each process has generic control requirements that are identified by PCn (process control no.). PC1 Process Goals and Objectives: Define and communicate specific, measurable, actionable, realistic, results-oriented and timely (SMARRT) process goals and objectives. Ensure that they are linked to the business goals and supported by suitable metrics. PC2 Process Ownership: Assign an owner for each IT process, and clearly define the roles and responsibilities of the process owner. Include, for example, responsibility for process design, interaction, accountability, measurement, and identification of improvement.
  • 17. PROCESSES NEED CONTROLS: PC3 Process Repeatability: Design and establish each key IT process such that it is repeatable and consistently produces the expected results. PC4 Roles and Responsibilities: Define the key activities and end deliverables of the process. Assign and communicate unambiguous roles and responsibilities for effective and efficient execution of key activities and their documentation as well as accountability. PC5 Policy, Plans and Procedures: Define and communicate how all policies, plans and procedures that drive an IT process are documented, reviewed, maintained, approved, stored, communicated and used for training. PC6 Process Performance Improvement: Identify a set of metrics that provides insight into the outcomes and performance of the process. Establish targets that reflect on the process goals and performance indicators that enable the achievement of process goals.
  • 18. BUSINESS AND IT CONTROLS: The enterprise’s system of IC impacts IT at 3 levels: 1. At the executive mgt level: The overall approach to governance and control is established by the board and communicated throughout the enterprise. The IT control environment is directed by a top-level set of objectives and policies. 2. At the business process level: Most business processes are automated and integrated w/ IT application systems, resulting in many of the controls at this level being automated. These are known as application controls. However, some controls within the business process remain as manual procedures, such as authorisation for transactions and separation of duties. 3. To support the business processes: IT provides IT services, in a shared service to many business processes, and much of the IT infrastructure is provided as a common service (e.g., networks, databases, OS and storage). The controls applied to all IT service activities are known as IT general controls. Poor change mgt could jeopardise the reliability of automated integrity checks.
  • 19. IT GENERAL CONTROLS AND APPLICATION CONTROLS: General controls: controls embedded in IT processes and services, including systems development, change management, security, and computer operation. Application controls (AC): controls embedded in business process applications, including completeness, accuracy, validity, authorisation, and segregation of duties. Design and implementation of automated AC is the responsibility of IT, covered in the AI domain, based on COBIT’s information criteria. The operational mgt and control responsibility for AC is not w/ IT, but w/ the business process owner. Hence, the responsibility for AC is an end-to-end joint responsibility between business and IT, but the nature of the responsibilities changes as follows. The business is responsible to properly: define functional and control requirements; use automated services. IT is responsible to: automate and implement business functional and control requirements; establish controls to maintain the integrity of application controls.
  • 20.
  • 21. The following list provides a recommended set of Application Control objectives: AC1 Source Data Preparation and Authorisation: Ensure that source doc are prepared by authorised and qualified personnel following established procedures, taking into account adequate segregation of duties. AC2 Source Data Collection and Entry: Establish that data input is performed in a timely manner by authorised and qualified staff. AC3 Accuracy, Completeness and Authenticity Checks: Ensure that transactions are accurate, complete, and valid. AC4 Processing Integrity and Validity: Maintain the integrity and validity of data throughout the processing cycle. Detection of erroneous transactions does not disrupt the processing of valid transactions. AC5 Output Review, Reconciliation and Error Handling: Establish procedures and responsibilities to ensure that output is delivered to the appropriate recipient and protected during transmission, and that verification, detection and correction of the accuracy of output occur. AC6 Transaction Authentication and Integrity: Before passing transaction data between internal applications and business/operational functions, check it for proper addressing, authenticity of origin and integrity of content.
  • 22. Enterprises need to measure where they are and where improvement is required, and implement a management tool kit to monitor this improvement. COBIT deals with these issues by providing: maturity models to enable benchmarking and identify necessary capability improvements; perf goals and metrics for IT processes, demonstrating how processes meet business and IT goals and are used for measuring internal process perf based on BSC principles; activity goals for enabling effective process performance. MATURITY MODELS: IT mgt is constantly on the lookout for benchmarking and self-assessment tools in response to the need to know what to do in an efficient manner. This responds to 3 needs: 1. A relative measure of where the enterprise is. 2. A manner to efficiently decide where to go. 3. A tool for measuring progress against the goal. The maturity model for mgt and control over IT processes is based on a method of evaluating the organisation, so it can be rated from a maturity level of non-existent (0) to optimised (5).
  • 23. MATURITY MODELS: The purpose is to identify where issues are and how to set priorities for improvements, not to assess the level of adherence to the control objectives. They are not designed for use as a threshold model, where one cannot move to the next higher level without having fulfilled all conditions of the lower level.
  • 24. Using the maturity models (MM) developed for each of COBIT’s 34 IT processes, management can identify:
      - The actual performance of the enterprise: where the enterprise is today
      - The current status of the industry: the comparison
      - The enterprise’s target for improvement: where the enterprise wants to be
      - The required growth path between ‘as-is’ and ‘to-be’.
  • 25. Capability, coverage and control are all dimensions of process maturity. Coverage, depth of control, and how the capability is used and deployed are cost-benefit decisions. For example, a high level of security management may have to be focused only on the most critical enterprise systems. Another example would be the choice between a weekly manual review and a continuous automated control.
  • 26. PERFORMANCE MEASUREMENT: Goals and metrics are defined in COBIT at 3 levels:
      1. IT goals and metrics: define what the business expects from IT and how to measure it.
      2. Process goals and metrics: define what the IT process must deliver to support IT’s objectives and how to measure it.
      3. Activity goals and metrics: establish what needs to happen inside the process to achieve the required performance and how to measure it.
  • 27. PERFORMANCE MEASUREMENT: Two types of metrics:
      - Outcome measures indicate whether the goals have been met. These can be measured only after the fact and, therefore, are called ‘lag indicators’.
      - Performance indicators indicate whether goals are likely to be met. They can be measured before the outcome is clear and, therefore, are called ‘lead indicators’.
    Outcome measures of a lower level become performance indicators for the higher level. Outcome measures of the IT function are often expressed in terms of information criteria:
      - Availability of information needed to support the business needs
      - Absence of integrity and confidentiality risks
      - Cost-efficiency of processes and operations
      - Confirmation of reliability, effectiveness and compliance
    Performance indicators (or performance drivers) define measures that determine how well the business, IT function or IT process is performing in enabling the goals to be reached. They often measure the availability of appropriate capabilities, practices and skills, and the outcome of underlying activities.
  • 28. Diagram: relationship between goals and metrics. Goals are defined from the top down (Define Goals) and achievement is measured from the bottom up (Measure Achievement); the metrics indicate performance and are used to improve and realign.
      - Business goal: Maintain enterprise reputation and leadership. Is measured by: number of incidents causing public embarrassment (business metric).
      - IT goal: Ensure that IT services can resist and recover from attacks. Is measured by: number of actual IT incidents with business impact (IT metric).
      - Process goal: Detect and resolve unauthorised access to information, applications and infrastructure. Is measured by: number of actual incidents because of unauthorised access (process metric).
      - Activity goal: Understand security requirements, vulnerabilities and threats. Is measured by: frequency of review of the type of security events to be monitored.
    Each metric is an outcome measure for its own level and a performance indicator for the level above.
  • 29.
  • 30. Published by the International Organisation for Standardisation (ISO). The standard is focused on security issues and does not cover the full scope of IT management duties. Consists of 12 security controls. Latest series: ISO 27000:2013
  • 31.
  • 32.
  • 33. The need for information security is based on the fact that information and related systems are important assets for organisations. As organisations face information security threats, the protection of information is essential to maintain organisational stability. Sources for the identification of security requirements are:
      - Risks the organisation faces and the impact on business strategy and objectives
      - Legal requirements
      - Specific requirements, principles and objectives for information processing to support business operations
    Controls should be selected and defined considering:
      - Legal requirements
      - Business requirements
      - Cost of implementation
      - Potential impact of a security breach
  • 34. When implementing a system for information security management, several critical success factors (CSFs) should be considered to ensure:
      - That the security policy, its objectives and its activities reflect the business objectives;
      - That the implementation considers cultural aspects of the organisation;
      - Open support and engagement of senior management;
      - Thorough knowledge of security requirements, risk assessment and risk management;
      - That effective marketing of security targets all personnel, including members of management;
      - That the security policy and security measures are communicated to contracted third parties;
      - That sufficient and adequate funding is available;
      - That users are well trained;
      - That a comprehensive information security incident management process is established;
      - That a comprehensive and balanced system for performance measurement is available that supports continuous improvement by giving feedback.
    ISO/IEC 17799:2005 is structured into 11 sections (security control chapters), which contain 39 main security categories. Each main security category consists of a control objective and one or more controls to achieve the control objective.
  • 35. 1. Security policy: 1) Information security policy
      - The information security policy should define direction and contain the commitment and support of management.
      - The policy should be reviewed periodically and communicated throughout the organisation.
    2. Organisation of information security: 2) Internal organization 3) External parties
      - Information security should be supported by management.
      - Relevant activities should be co-ordinated throughout the organisation, and responsibilities for information security should be clearly defined.
      - Confidentiality agreements should be in place.
      - Appropriate contacts with authorities and special interest groups should be maintained.
      - Information security should be subject to independent review.
      - Controls should be implemented to manage identified risks related to external parties.
      - Outsourcing arrangements should address information security.
      - There should be an authorisation process for information processing facilities.
  • 36. 3. Asset management: 4) Responsibility for assets 5) Information classification
      - An inventory of assets and assignment of the responsibility should be made.
      - Assets should have a nominated owner, and use of assets should be based on defined rules.
      - Information should be classified and labelled, thus ensuring an appropriate level of protection.
    4. Human resources security: 6) Prior to employment 7) During employment 8) Termination or change of employment
      - Security requirements for employees should be identified throughout the employment life cycle.
      - Security responsibilities, confidentiality agreements and the contract of employment should be part of the job responsibility and terms and conditions of employment.
      - Adequate controls for personnel screening should be in place.
      - Information security education and training should increase the security awareness of all employees.
      - A formal disciplinary process should be in place for individuals who breach the security policy.
      - Rules for termination and change of employment should be defined and followed.
  • 37. 5. Physical and environmental security: 9) Secure areas 10) Equipment security
      - Central equipment should be installed only within a secure area where adequate access controls and damage prevention are implemented.
      - Equipment should be protected against loss, damage or compromise by being sited and protected in an appropriate manner. Power supplies, an adequate level of cabling security and correct maintenance of the equipment should be in place.
      - Equipment installed off premises and the disposal or reuse of information should be considered; authorisation for taking equipment off site is recommended.
      - Special attention is needed at public access, delivery and loading areas where the central equipment is installed.
  • 38. 6. Communications and operations management: 11) Operational procedures and responsibilities 12) Third party service delivery management 13) System planning and acceptance 14) Protection against malicious and mobile code 15) Backup 16) Network security management 17) Media handling 18) Exchange of information 19) Electronic commerce services 20) Monitoring
      - Operations should follow documented procedures.
      - All changes to facilities should be controlled.
      - Duties should be segregated, so that no individual can both initiate and authorise an event.
      - Development and operational facilities should be separated.
      - Risks caused by contracted organisations should be covered, and third-party services should be controlled.
  • 39. 6. Communications and operations management (continued):
      - System planning and acceptance should consider capacity management and the definition of acceptance criteria.
      - Damage caused by malicious software and mobile code should be prevented, using preventive and detective controls, formal policies, and defined recovery procedures.
      - Information should be backed up, and the backup files should be tested regularly.
      - Networks and network services should be set up and managed with a view to ensuring the necessary level of security and service levels.
      - Removable media should be handled with special care.
      - Media with sensitive information should be disposed of in a secure manner.
      - Adequate controls in information handling procedures (e.g., labelling of media, ensuring completeness of inputs, storage of media) should be considered.
      - System documentation is to be protected, as it may contain sensitive information.
      - Agreements for the exchange of information and software should be established, including media in transit, e-commerce transactions, e-mail and electronic office systems.
      - E-commerce services and their use should be controlled.
      - Security-relevant activities should be logged and monitored, and the effectiveness of controls should be assessed.
  • 40. 7. Access control: 21) Business requirement for access control 22) User access management 23) User responsibilities 24) Network access control 25) Operating system access control 26) Application and information access control 27) Mobile computing and teleworking
      - Access to information should be granted in accordance with business and security requirements.
      - A formal access control policy should be in place.
      - Access control rules should be specified.
      - User access management should follow a formal process.
      - User responsibilities concerning password use and protection of equipment should be clearly defined.
      - Networked services, operating systems and applications should be protected appropriately.
      - System access and use should be controlled, considering secure logon procedures, user identification and authentication, password management, usage of system utilities, and session time-out.
      - Software and information access should be restricted to authorised users.
      - Mobile computing and teleworking should be performed in a secure manner.
  • 41. 8. Information systems acquisition, development and maintenance: 28) Security requirements of information systems 29) Correct processing in applications 30) Cryptographic controls 31) Security of system files 32) Security in development and support processes 33) Technical vulnerability management
      - Security issues should be considered when acquiring or implementing information systems following defined requirements; security requirements should be specified.
      - Security in application systems should take into account validation of input data, adequate controls of internal processing, message integrity and output data validation.
      - Use of cryptographic systems should follow a defined policy and consider best practices.
      - Security of and access to system files (including test data and program source code) should be controlled.
      - Project and support environments should allow for security by being rigorously controlled (e.g., change management procedures, arrangements for outsourced development, information leakage).
      - Damage through published vulnerabilities should be prevented.
  • 42. 9. Information security incident management: 34) Reporting information security events and weaknesses 35) Management of information security incidents and improvements
      - Security events and weaknesses should be reported.
      - Responsibilities and procedures for managing security incidents and improvements should be defined, and evidence for security incidents should be collected.
    10. Business continuity management (BCM): 36) Information security aspects of business continuity management
      - A comprehensive BCM process should permit prevention of interruptions to business processes.
      - The business continuity management process should not be restricted to IT-related areas and activities.
      - An impact analysis should be executed that results in a strategy plan.
      - Business continuity plans should be developed following a single framework.
      - Business continuity plans should be tested, maintained and reassessed continuously.
    11. Compliance: 37) Compliance with legal requirements 38) Compliance with security policies and standards, and technical compliance 39) Information systems audit considerations
      - Relevant legal requirements should be identified and followed.
      - Any unlawful act (e.g., data protection acts) should be avoided.
      - Compliance with the security policy should be ensured by periodic reviews.
  • 43. Diagram steps: Obtain Upper Management Support; Define Security Perimeter; Create Information Security Policy; Select and Implement Controls; Perform Risk Assessment; Create Information Security Management System; Document in Statement of Accountability; Audit. Source: Tom Carlson; Information Security Management: Understanding ISO 17799, 2001
  • 44.
  • 45. ERM / Enterprise Control Framework IT Governance and Control Framework Conceptual Framework Guide Practices IT Security Framework IT Operational Framework Quality Control Framework
  • 46. PO1 Define a strategic IT plan. PO2 Define the information architecture. PO3 Determine technological direction. PO4 Define the IT processes, organisation and relationships. PO5 Manage the IT investment. PO6 Communicate management aims and direction. PO7 Manage IT human resources. PO8 Manage quality. PO9 Assess and manage IT risks. PO10 Manage projects.
    ME1 Monitor and evaluate IT performance. ME2 Monitor and evaluate internal control. ME3 Ensure compliance with external requirements. ME4 Provide IT governance.
    DS1 Define and manage service levels. DS2 Manage third-party services. DS3 Manage performance DS5 Ensure systems security. DS6 Identify and allocate costs. DS7 Educate and train
    AI1 Identify automated solutions. AI2 Acquire and maintain application software. AI3 Acquire and maintain technology infrastructure. AI4 Enable operation and use. AI5 Procure IT resources. AI6 Manage changes. AI7 Install and accredit solutions and changes.
    DS9 Manage the configuration. DS10 Manage problems. DS11 Manage data. DS12 Manage the physical