IT Security Summit 2005, Centro de Convenciones, August 22-23, 2006
Information Technology (IT) Regulatory Compliance Planning
John R. Robles, President, John R. Robles & Associates
787-647-3961, jrobles@coqui.net, www.johnrrobles.com

What Is Compliance?
• The act of complying with a wish, request, or demand
• A disposition or tendency to yield to the will of others
• The act of submitting; usually surrendering power to another
• Acting according to certain accepted standards
• A disposition or tendency to yield to the will of others
• Happy friendly agreement
John R. Robles & Associates 2 / 35

What Is IT Compliance?
• Perform IT functions according to a wish, request, or demand
• Disposition or tendency to yield to the IT will of others
• The act of submitting; usually surrendering IT power to another
• Acting according to certain accepted IT standards
• A disposition or tendency to yield to the IT will of others
• Happy friendly IT agreement between IT and others

What Is IT Regulatory Compliance?
• Perform IT functions according to a wish, request, or demand of the government or regulatory agency
• Disposition or tendency to yield to the IT will of others (government or regulatory agency)
• The act of submitting; usually surrendering IT power to another (government or regulatory agency)
• Acting according to certain accepted IT standards (of government or regulatory agency)
• A disposition or tendency to yield to the IT will of others (government or regulatory agency)
• Happy friendly IT agreement with (government or regulatory agency)

How Do I Comply with a Government or Regulatory Agency?
• Know the IT regulations pertinent to your company or industry
• Discuss with: Compliance Officer, Legal Counsel, Internal or External Auditors, Executive Management
• Determine a methodology to ensure compliance
• Perform a self-assessment
• Improve compliance
• Keep the Compliance Officer, Legal Counsel, Internal/External Auditors, and Executive Management informed of the self-assessment and of the progress of improvement efforts

Sample of Some IT Regulations
• Financial Services: Financial Institution Letters
• The IT Compliance Institute has a database of regulations by industry and by country
• Some known regulations include:
  • Sarbanes-Oxley Act
  • Gramm-Leach-Bliley Act
  • HIPAA
  • Basel II
  • USA Patriot Act
  • Email/records retention

Regulatory Compliance Is Above and Beyond Best Practices and General Internal Controls
If you do not comply with Best Practices and General Internal Controls, you may get an audit comment. If you do not comply with Regulatory Compliance, you, your company officers, or the Board of Directors may get a fine or jail time. However, Regulatory Compliance is a subset of Best Practices and General Internal Controls. That is, if you run a clean IT shop, most likely you are in compliance.

IT Compliance Is All About IT Internal Controls
How do you set up a compliant IT department? Establish an Internal Controls methodology which includes addressing pertinent IT regulations. Some of the more well-known methodologies include:
• COSO (Committee of Sponsoring Organizations of the Treadway Commission)
• COBIT (Control Objectives for Information and Related Technologies)
• ISO 17799

An Internal Controls Methodology
The GAO "Standards for Internal Control in the Federal Government" and COSO define Internal Controls as: "An integral part of an organization's management that provides reasonable assurance that the following objectives are being achieved:
• effectiveness and efficiency of operations
• reliability of financial reporting
• compliance with applicable laws and regulations"

An Internal Controls Methodology
Internal Controls address the following:
• It is a process
• It is performed by people
• It provides only reasonable assurance, not absolute assurance
Internal Controls consist of:
• Control Environment
• Risk Assessment
• Control Activities
• Information and Communications
• Monitoring

Regulation with the Greatest Impact on Internal Controls and IT
Sarbanes-Oxley, Section 404: "It will be (1) the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting, and (2) contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuers for financial reporting."

IT Internal Controls Frameworks
Some IT internal control frameworks:
• COBIT and IT Control Objectives for Sarbanes-Oxley
• ISO 17799
• IT Infrastructure Library (ITIL)
• Capability Maturity Model Integration (CMMI)
• National Institute of Standards and Technology (NIST)

Unified Compliance Project
The IT Compliance Institute (www.itcinstitute.com) has the Unified Compliance Project, which addresses the following:
• Leadership and High-Level Objectives
• Audit and Risk Management
• Design and Implementation
• Technology Acquisition
• Operational Management
• IT Staff Management and Outsourcing
• Records Management
• Technical Security
• Physical Security
• Systems Continuity
• Monitoring, Measurement, and Reporting
• Privacy

COBIT: An IT Control Framework
• Business Requirements
• IT Processes
• IT Resources

COBIT Framework: How Do They Relate?
• Business Requirements: Effectiveness; Efficiency; Confidentiality; Integrity; Availability; Compliance; Information Reliability
• IT Processes: Plan and Organise; Acquire and Implement; Deliver and Support; Monitor and Evaluate
• IT Resources: Data; Information Systems; Technology; Facilities; Human Resources

COBIT Framework: How Do They Relate?
• Business Requirements (what the stakeholders expect from IT): Effectiveness; Efficiency; Confidentiality; Integrity; Availability; Compliance; Information Reliability
• IT Processes (how IT is organised to respond to the requirements): Planning and organisation; Acquisition and implementation; Delivery and Support; Monitoring
• IT Resources (the resources made available to, and built up by, IT): Data; Information Systems; Technology; Facilities; Human Resources

COBIT Framework: IT Processes
• Domains: natural grouping of processes, often matching an organisational domain of responsibility
• Processes: a series of joined activities with natural control breaks
• Activities or tasks: actions needed to achieve a measurable result. Activities have a life cycle whereas tasks are discrete.

COBIT Framework: IT Resources
• Data: data objects in their widest sense, i.e., external and internal, structured and unstructured, graphics, sound, etc.
• Application Systems: understood to be the sum of manual and programmed procedures
• Technology: covers hardware, operating systems, database management systems, networking, multimedia, etc.
• Facilities: resources to house and support information systems
• People: staff skills, awareness and productivity to plan, organise, acquire, deliver, support and monitor information systems and services

COBIT Framework: IT Domains, Processes and Activities
• IT Domains: natural grouping of processes, often matching an organisational domain of responsibility. Examples: Plan and Organise; Acquire and Implement; Deliver and Support; Monitor and Evaluate
• IT Processes: a series of joined activities with natural (control) breaks. Examples: IT Strategy; Policy and Procedures; Feasibility Study; Acceptance Testing; Change Management; Contingency Planning; Problem Management
• Activities: actions needed to achieve a measurable result. Activities have a life cycle whereas tasks are discrete. Examples: Record New Problem; Analyse; Propose Solution; Monitor Solution; Record Known Problem; etc.

Plan and Organise
• PO 1 Define a Strategic Information Technology Plan
• PO 2 Define the Information Architecture
• PO 3 Determine the Technological Direction
• PO 4 Define the IT Organisation and Relationships
• PO 5 Manage the Investment in Information Technology
• PO 6 Communicate Management Aims and Direction
• PO 7 Manage Human Resources
• PO 8 Ensure Compliance with External Requirements
• PO 9 Assess Risks
• PO 10 Manage Projects
• PO 11 Manage Quality

Acquire and Implement
• AI 1 Identify Automated Solutions
• AI 2 Acquire and Maintain Application Software
• AI 3 Acquire and Maintain Technology Infrastructure
• AI 4 Develop and Maintain IT Procedures
• AI 5 Install and Accredit Systems
• AI 6 Manage Changes

COBIT Domains
Deliver and Support
• Topics: Delivery of required services; Setup of support processes; Processing by application systems
• Questions: Are IT services being delivered in line with business priorities? Are IT costs optimised? Is the workforce able to use the IT systems productively and safely? Are adequate security, integrity and availability in place?
Monitor and Evaluate
• Topics: Assessment over time, delivering assurance; Management's oversight of the control system; Performance measurement
• Questions: Can IT's performance be measured and can problems be detected before it is too late? Is independent assurance needed to ensure that critical areas are operating as intended?

Deliver and Support
• DS 1 Define and Manage Service Levels
• DS 2 Manage Third-party Services
• DS 3 Manage Performance and Capacity
• DS 4 Ensure Continuous Service
• DS 5 Ensure Systems Security
• DS 6 Identify and Allocate Costs
• DS 7 Educate and Train Users
• DS 8 Assist and Advise Customers
• DS 9 Manage the Configuration
• DS 10 Manage Problems and Incidents
• DS 11 Manage Data
• DS 12 Manage Facilities
• DS 13 Manage Operations

Monitor and Evaluate
• M 1 Monitor the Process
• M 2 Assess Internal Control Adequacy
• M 3 Obtain Independent Assurance
• M 4 Provide for Independent Audit

COBIT Framework: Waterfall Model
The control of IT Processes, which satisfy Business Requirements, is enabled by Control Statements, considering Control Practices.
4 Domains - 34 Processes - 318 Control Objectives

COBIT Framework (overview)
Business Objectives / Criteria: Effectiveness; Efficiency; Confidentiality; Integrity; Availability; Compliance; Reliability
IT Resources: Data; Application systems; Technology; Facilities; People
PLAN AND ORGANISE
• PO 1 Define a strategic IT plan
• PO 2 Define the information architecture
• PO 3 Determine the technological direction
• PO 4 Define the IT organisation and relationships
• PO 5 Manage the IT investment
• PO 6 Communicate management aims and direction
• PO 7 Manage human resources
• PO 8 Ensure compliance with external requirements
• PO 9 Assess risks
• PO 10 Manage projects
• PO 11 Manage quality
ACQUIRE AND IMPLEMENT
• AI 1 Identify automated solutions
• AI 2 Acquire and maintain application software
• AI 3 Acquire and maintain technology infrastructure
• AI 4 Develop and maintain IT procedures
• AI 5 Install and accredit systems
• AI 6 Manage changes
DELIVER AND SUPPORT
• DS 1 Define service levels
• DS 2 Manage third-party services
• DS 3 Manage performance and capacity
• DS 4 Ensure continuous service
• DS 5 Ensure systems security
• DS 6 Identify and attribute costs
• DS 7 Educate and train users
• DS 8 Assist and advise IT customers
• DS 9 Manage the configuration
• DS 10 Manage problems and incidents
• DS 11 Manage data
• DS 12 Manage facilities
• DS 13 Manage operations
MONITOR AND EVALUATE
• M 1 Monitor the process
• M 2 Assess internal control adequacy
• M 3 Obtain independent assurance
• M 4 Provide for independent audit

The Most Important IT Processes
Survey (the slide shows a funnel: 34, 15, 7). The 15 processes rated most important:
• PO 1 Define a strategic IT plan
• PO 3 Determine the technological direction
• PO 5 Manage the IT investment
• PO 9 Assess risks
• PO 10 Manage projects
• AI 1 Identify solutions
• AI 2 Acquire and maintain applications s/w
• AI 5 Install and accredit systems
• AI 6 Manage changes
• DS 1 Define service levels
• DS 4 Ensure continuous service
• DS 5 Ensure system security
• DS 10 Manage problems and incidents
• DS 11 Manage data
• M 1 Monitor the processes

COBIT: Content
• High-level Control Objective
  • One per process
• Detailed Control Objectives
  • Three to 30 per process
• Control Practices
  • Five to seven per control objective

COBIT Control Objectives
• Based on the 41 primary references
• Developed following a rigorous research process
• Three to 30 detailed control objectives for each of the 34 processes
• Directed to IT management, IT staff, control and audit functions and business process owners
• For each process, detailed control objectives are identified as "good practice" that need to be in place, and that will be assessed for sufficiency by the controls professional
• Control objectives provide a working document, a place to start, from which selections need to be made based on the enterprise value and risk drivers

The COBIT Framework: How Is COBIT Used? (Results from Surveys)
• To improve audit approach/programs
• To support audit work with detailed audit guidelines
• To provide guidance for IT governance
• As a valuable benchmark for IS/IT control
• To improve IS/IT controls
• To standardise audit approach/programs

COBIT: Benefits
What
• Comfort about: Dependence on IT; IT risks are mitigated; IT delivers value
• Assurance of: Cost down and revenue up; Business operations improved; Service levels maintained
Who
• Executive
• Business manager
• IT manager
• Project manager
• Developer
• Operations staff
• User
• Security officer
• Auditor

COBIT Products: Management Guidelines
• Provide management direction for:
  • Getting the enterprise's information and related processes under control
  • Monitoring achievement of organisational goals
  • Monitoring and improving performance within each IT process
  • Benchmarking organisational achievement
• Action-oriented and generic
• Provide answers to typical management questions:
  • How far should we go in controlling IT, and is the cost justified by the benefit?
  • What are the indicators of good performance?
  • What are the critical success factors?
  • What are the risks of not achieving our objectives?
  • What do others do?
  • How do we measure and compare?

IT Governance Implementation Guide (Implementation Road Map, with feedback loop)
• Identify needs: Raise awareness & make decision; Analyse values and risks; Select processes
• Envision the solution: Define where you are; Define where you want to be; Analyse gaps
• Plan the solution: Define projects; Develop & implement change plan
• Implement the solution: Integrate into day-to-day practices; Integrate measures into IT BSC
• Post-implementation review, with feedback into the next cycle

Conclusion: COBIT Values
PRESENT
• Sharing knowledge and leveraging expert volunteers
• Internationally accepted good practices
• Continually evolves
• Maintained by reputable not-for-profit organisation
• Maps strongly onto all major related standards
FUTURE
• Is management-oriented
• Is supported by tools and training
• Maps completely to ISO 17799 and COSO
• Provides action-oriented solutions

The COBIT Framework
IT Governance Institute
3701 Algonquin Road, Suite 1010, Rolling Meadows, IL 60008 USA
+1.847.590.7491
info@itgi.org, info@isaca.org
www.itgi.org

John R. Robles and Associates
787-647-396
jrobles@coqui.net
www.johnrrobles.com

Thank You! Questions and Answers.