COBIT 5 & VENDOR MANAGEMENT
MARCH 2019 ISACA MEETING
PRESENTED BY SHELBY DENNIS & ELENA MARTINEZ
WHAT IS COBIT 5?
COBIT 5 (Control Objectives for Information and Related Technologies) is an IT management framework developed by ISACA to help businesses develop, organize, and implement strategies around information management and governance. First released in 1996, COBIT was initially designed as a set of IT control objectives to help the financial audit community better navigate the growth of IT environments. COBIT 5 focuses specifically on security, risk management, and information governance.
COBIT 5 ALLOWS
Management to benchmark security and control practices of IT environments
Users to be assured that adequate IT security controls exist
Auditors to substantiate their internal control opinions and to advise on IT security and control matters
5 KEY PRINCIPLES OF IT GOVERNANCE AND MANAGEMENT
Meeting stakeholder needs
Covering the enterprise end-to-end
Applying a single, integrated framework
Enabling a holistic approach
Separating governance from management
MEETING STAKEHOLDER NEEDS
Helps users customize business processes and procedures
Creates an information system that adds value to its stakeholders
Allows the entity to create the proper balance between risk and reward
COVERING THE ENTERPRISE END-TO-END
Integrates all IT functions and processes into enterprise-wide functions and processes
Creates a cohesive control environment and reinforces the idea that all business processes need to be safeguarded from threats
APPLYING A SINGLE, INTEGRATED FRAMEWORK
Consolidates control standards from many different sources into a single framework
Can be aligned at a high level with other standards and frameworks to create an overarching framework for IT governance and management
ENABLING A HOLISTIC APPROACH
Provides a holistic approach that results in effective governance and management of all IT functions in the entity
Allows management to remain cognizant of how information systems affect critical business processes (IT footprint)
SEPARATING GOVERNANCE FROM MANAGEMENT
The objective of governance is to create value by optimizing the use of organizational resources to produce desired benefits in a manner that effectively addresses risk.
Governance is the responsibility of the board of directors, who:
  o Evaluate stakeholder needs
  o Provide management with direction
  o Monitor management's performance
SEPARATING GOVERNANCE FROM MANAGEMENT, CONT.
Management is responsible for planning, building, running, and monitoring the activities and processes used by the organization to pursue the objectives established by the board of directors (operations).
Management periodically provides the board of directors with feedback that can be used to monitor achievement of the organization's objectives and/or modify those objectives.
VENDOR RISK MANAGEMENT
VENDOR RISK MANAGEMENT
Vendors play a critical role in increasing the value of an organization.
Vendors may derail the organization if not carefully managed or monitored throughout the vendor lifecycle.
COMMON PITFALLS
Vendor risk treated as applicable to IT vendors only
Risk team not involved early in the vendor selection process
Limited and/or no background screening
Risk management not covered throughout the vendor lifecycle
Fragmented risk assessments / risk not continually evaluated
No holistic view of dependency and risk (i.e. a single supplier for a good/service)
Vendors not factored into cybersecurity
VENDOR-MANAGED INVENTORIES
Organization's inventory is managed by an independent third party
Third-party vendor determines when to replenish the organization's inventory and the quantity needed to replenish it
Vendor often has direct access to the organization's sensitive information
Organization is reliant on the vendor's information security measures to protect company data
HOW DOES THIS APPLY TO HUMBLE ISD?
One major risk area: ACCESS!
  o Having internal controls in place to make sure users have the appropriate access to fulfill their duties is essential.
  o Ensuring that vendors are only granted access that is necessary to fulfill their contracts and that access is removed in a timely manner when appropriate.
  o Making sure that firewalls, virus software, and other IT security measures are updated as frequently as possible, since software and technology are constantly changing and growing.
How do we verify that access is being properly assigned and removed in a timely fashion?
  o This is the challenge of IT audit.
  o Since no two organizations are identical, this area of audit is often very specifically tailored to each one and can be nebulous.
  o This is a machine with constantly moving parts.
The first step is understanding the risks.
  o Next we will need to understand how onboarding and removal of vendors and employees work within the District, specifically, to determine tests and controls.