COBIT and IT Policy Presentation

02/07/22 Copyright 2009 Sarah Cortes

IT Policies, Standards and Technical Directives

Sarah Cortes, PMP, CISA
www.inmantechnologyIT.com
Sarah’s blog: SecurityWatch
Sarah’s ITtechEx column
twitter: SecuritySpy
LinkedIn: Sarah Cortes

Description

How COBIT and standards frameworks can assist in developing security and other IT standards, policies and technical directives.

Transcript of COBIT and IT Policy Presentation

Slide 1: Title slide (IT Policies, Standards and Technical Directives; Sarah Cortes, PMP, CISA)

Slide 2: Agenda

• Who are we?
• Purpose?
• Standards Frameworks
• COBIT Framework
• ISACA Framework
• Case Study

Slide 3: Sarah Cortes, PMP, CISA

Clients:
• Harvard University
• Biogen
• Fidelity

Professional Associations:
• Sarah is a member of the AIM Advisory Board on Data Privacy Laws to the Massachusetts Legislature

Practice expertise:
• Complex Application Development/Implementation
• IT Security/Privacy/Risk Management/Audit Management
• Data Center Operations Management
• Disaster Recovery/High Availability
• Program/Project Management

Background:
• SVP in charge of Security, DR, IT Audit, and some Data Center Operations at Putnam Investments
• As head of DR, ran Putnam's failover during 9/11 when parent Marsh McLennan failed over to our facility from the World Trade Center 99th floor data center
• Coordinated over 65 audits per year
• Previously ran major applications development for Trading/Analytics Systems

Slide 4: Standards Overview

• ISO/IEC 27000 - International Organization for Standardization/International Electrotechnical Commission
• ITIL - Information Technology Infrastructure Library
• NIST - National Institute of Standards and Technology
• PMBOK - Project Management Body of Knowledge
• TOGAF - The Open Group Architecture Framework
• CMMI for Development - Capability Maturity Model Integration; SEI’s CMM (Capability Maturity Model) for SW, (US DoD) Software Engineering Institute
• COBIT - Control Objectives for Information & related Technology, Information Systems Audit and Control Association

Slide 5: Is the Purpose to…?

• Drive you crazy?
• Waste your precious resources in a pointless task that will soon be out of date?
• Serve as evidence to be used against you later?

Slide 6: Could policies help…?

• Save you after you have already gotten into trouble?
• Attempt, however lamely, to keep you out of trouble
• Prove that, however obvious the trouble is, it is not your fault

Slide 7: Calling in the Experts

Slide 8: Did you know…?

Seven out of ten attacks are from…

Slide 9: You may be wondering…

• Why develop and document IT policies, standards and technical directives?
• Is it really worth it? What’s in it for me?
• Who will pay for the resources thusly diverted?

Slide 10: COBIT Control Objectives - Overview

• PLAN AND ORGANISE - 10
• ACQUIRE AND IMPLEMENT - 7
• DELIVER AND SUPPORT - 13
• MONITOR AND EVALUATE - 4
• Total - 34

Slide 11: COBIT Control Objectives - PLAN AND ORGANISE

• PO1 Define a Strategic IT Plan
• PO2 Define the Information Architecture
• PO3 Determine Technological Direction
• PO4 Define the IT Processes, Organization and Relationships
• PO5 Manage the IT Investment
• PO6 Communicate Management Aims and Direction
• PO7 Manage IT Human Resources
• PO8 Manage Quality
• PO9 Assess and Manage IT Risks
• PO10 Manage Projects

Slide 12: COBIT Control Objectives - ACQUIRE AND IMPLEMENT

• AI1 Identify Automated Solutions
• AI2 Acquire and Maintain Application Software
• AI3 Acquire and Maintain Technology Infrastructure
• AI4 Enable Operation and Use
• AI5 Procure IT Resources
• AI6 Manage Changes
• AI7 Install and Accredit Solutions and Changes

Slide 13: COBIT Control Objectives - DELIVER AND SUPPORT

• DS1 Define and Manage Service Levels
• DS2 Manage Third-party Services
• DS3 Manage Performance and Capacity
• DS4 Ensure Continuous Service
• DS5 Ensure Systems Security
• DS6 Identify and Allocate Costs
• DS7 Educate and Train Users
• DS8 Manage Service Desk and Incidents
• DS9 Manage the Configuration
• DS10 Manage Problems
• DS11 Manage Data
• DS12 Manage the Physical Environment
• DS13 Manage Operations

Slide 14: COBIT Control Objectives - MONITOR AND EVALUATE

• ME1 Monitor and Evaluate IT Performance
• ME2 Monitor and Evaluate Internal Control
• ME3 Ensure Regulatory Compliance
• ME4 Provide IT Governance

Slide 15: COBIT Control Objectives - DS5 Ensure Systems Security

• DS5.1 Management of IT Security
• DS5.2 IT Security Plan
• DS5.3 Identity Management
• DS5.4 User Account Management
• DS5.5 Security Testing, Surveillance and Monitoring
• DS5.6 Security Incident Definition
• DS5.7 Protection of Security Technology
• DS5.8 Cryptographic Key Management
• DS5.9 Malicious SW Prevention, Detection, Correction
• DS5.10 Network Security
• DS5.11 Exchange of Sensitive Data

Slide 16: ISACA Standards, Guidelines & Procedures

IS Guidelines:
• G18 IT Governance
• G20 Reporting
• G21 Enterprise Resource Planning (ERP) Systems
• G22 Business to Consumer (B2C) E-commerce
• G23 System Development Life Cycle (SDLC)
• G24 Internet Banking
• G25 Review of Virtual Private Networks
• G26 Business Process Reengineering (BPR) Project
• G27 Mobile Computing
• G28 Computer Forensics
• G29 Post Implementation Review
• G30 Competence
• G31 Privacy
• G32 Business Continuity Plan (BCP)-IT Perspective
• G33 General Considerations on the Use of Internet
• G34 Responsibility, Authority and Accountability
• G35 Follow-up Activities

Slide 17: ISACA Standards, Guidelines & Procedures (continued)

IS Guidelines:
• G36 Biometric Controls
• G38 Access Controls
• G39 IT Organization
• G40 Review of Security Management Practices

IS Procedures:
• P01 IS Risk Assessment Measurement
• P02 Digital Signatures
• P03 Intrusion Detection
• P04 Viruses and Other Malicious Logic
• P05 Control Risk Self-assessment
• P06 Firewalls
• P07 Irregularities and Illegal Acts
• P08 Security-Pen Testing/Vulnerability Analysis
• P09 Mgt Controls Over Encryption Methodologies
• P10 Business Application Change Control
• P11 Electronic Funds Transfer (EFT)

Slide 18: Company A Process

• Over 50 subsidiaries
• Over 30,000 employees worldwide
• Over 12,000 employees in Boston area
• Over 250 IT Policy categories
• Over 500 Technical directives
• Periodic Advisory Board Review process

Slide 19: Company A Issues

• Who, specifically by name, is responsible for ensuring policies & standards are applied? (designated scapegoat)
• Need to break down policy categories into specific policy elements (1 policy becomes 100 policies)
• A policy begets formal training and training recordkeeping (applications unto themselves)

Slide 20: Company A Issues (continued)

• “Required,” “Recommended,” or “Highly Recommended?” (the shell game)
• Need to self-assess at the policy element level (a/k/a your new full-time job)