INFORMATION ASSURANCE USING COBIT - PowerPoint PPT Presentation

Provided by: datas6
Transcript and Presenter's Notes

1
INFORMATION ASSURANCE USING COBIT
  • MEYCOR COBIT CSA / MEYCOR COBIT AG TOOLS

2
Relationship between COSO and COBIT
3
What is COBIT?
  • A model to implement IT Governance.
  • An open, widely-known standard.
  • Comprises 34 processes and 220 low-level Control
    Objectives.
  • It is 100% compatible with ISO 17799, COSO I and
    II, and other, less general standards on which it
    relies.
  • COBIT establishes the "what"; the supporting
    standards establish the "how" of IT Governance
    implementation.

4
COBIT
  • Stands for Control Objectives for Information and
    Related Technology.
  • Is a model developed by ISACA and the IT
    Governance Institute (ITGI) in order to implement
    IT Governance in organizations.

5
ISACA
  • Founded in 1969.
  • Is a leading organization on IT Governance,
    Control, Assurance, and Auditing.
  • Headquartered in Chicago, USA.
  • It has over 60,000 members in more than 100
    countries.
  • Holds events and conferences and develops standards
    on IT Governance, Assurance and Security.
  • COBIT editions:
      • 1st Edition in 1996
      • 2nd Edition in 1988
      • 3rd Edition in 2000
      • 4th Edition in 2005 (Nov/Dec)

6
COBIT Framework
(Diagram: BUSINESS REQUIREMENTS drive the INFORMATION
CRITERIA, which are delivered by the IT PROCESSES using
the IT RESOURCES.)

INFORMATION CRITERIA
  • effectiveness
  • efficiency
  • confidentiality
  • integrity
  • availability
  • compliance
  • reliability

IT RESOURCES
  • applications
  • information
  • infrastructure
  • personnel

7
COBIT 4.0
8
Information Assurance
  • Information assurance is the basis on which
    decision-making is built in an organization.
    Without assurance, companies have no certainty
    that the information on which they base their
    mission-critical decisions is reliable, secure
    and available when needed.
  • Information Assurance is defined as the use of
    information operations that protect and defend
    information, information systems and networks
    by ensuring their availability, integrity,
    authentication, confidentiality and
    non-repudiation, considering the risk impact of
    local or remote threats from communications and
    the Internet.
  • We will look at two important assurance techniques:
    self-assessment and information systems auditing.

9
COBIT Control Self-assessment (Meycor COBIT CSA)
  • This management technique assures all
    stakeholders that the internal control system is
    reliable.
  • It also ensures that personnel are aware of
    the business risks and that they perform regular
    and proactive reviews of the controls.

10
COBIT Audit Guidelines (Meycor COBIT AG)
  • The Guidelines provide a simple structure for
    auditing IT controls.
  • They are general in nature and structured at a
    high level.
  • They allow the processes to be reviewed against
    the IT Control Objectives.

11
The steps that must be followed in an audit
  • Obtaining an understanding of the business
    requirements and associated risks and the
    relevant control measures.
  • Evaluating the appropriateness of stated
    controls.
  • Assessing compliance to ensure that the control
    measures established are working as prescribed,
    consistently and continuously.
  • Substantiating the risk of the control objectives
    not being met by using analytical techniques
    and/or consulting alternative sources.

12
Generic Audit Guideline
  • Obtaining an Understanding
  • The audit steps to be performed to document the
    activities underlying the control objectives as
    well as to identify the stated control
    measures/procedures in place.
  • Interview appropriate management and staff to
    gain an understanding of:
      • Business requirements and associated risks.
      • Organization structure.
      • Roles and responsibilities.
      • Control measures in place.
      • Management reporting (status, performance,
        action items).
  • Document the process-related IT resources
    particularly affected by the process under
    review. Confirm the understanding of the process
    under review, its Key Performance Indicators
    (KPI) and the control implications, e.g. by a
    process walk-through.

13
Generic Audit Guideline
  • Evaluating the Controls
  • The audit steps to be performed in assessing the
    effectiveness of the control measures in place, or
    the degree to which the control objective is
    achieved. Basically, deciding what, whether and
    how to test.
  • Evaluate the appropriateness of control measures
    for the process under review by considering the
    identified criteria and industry standard
    practices, the Critical Success Factors (CSF) of
    the control measures, and by applying auditor
    professional judgement. Check that:
      • Documented processes exist.
      • Appropriate deliverables exist.
      • Responsibility and accountability are clear and
        effective.
      • Compensating controls exist, where necessary.
  • Conclude on the degree to which the control
    objective is met.

14
Generic Audit Guideline
  • Assessing Compliance
  • The audit steps to be performed to ensure that
    the control measures established are working as
    prescribed, consistently and continuously, and to
    conclude on the appropriateness of the control
    environment.
  • Obtain direct or indirect evidence for selected
    items/periods to ensure that the procedures have
    been complied with for the period under review.
  • Perform a limited review of the adequacy of the
    process deliverables.
  • Determine the level of substantive testing and
    additional work needed to provide assurance that
    the IT process is adequate.

15
Generic Audit Guideline
  • Substantiating the Risk
  • The audit steps to be performed to substantiate
    the risk of the control objective not being met
    by using analytical techniques and/or consulting
    alternative sources.
  • Document the control weaknesses, and resulting
    threats and vulnerabilities.
  • Identify and document the actual and potential
    impact e.g., through root-cause analysis.
  • Provide comparative information, e.g., through
    benchmarks.

16
Description of the Meycor COBIT CSA and AG tools
17
Meycor COBIT CSA IT Processes Importance
For each of the processes defined by COBIT we must
identify its importance and performance, whether it
has been audited or not, how it is carried out and
who is responsible for it.
18
Meycor COBIT CSA Self-assess controls
Meycor COBIT CSA includes the COBIT 4.0 Control
Objectives and additional security questions on
specific software platforms.
19
Meycor COBIT CSA Assessment Report
Results are displayed using scores. In this way
it is possible to establish target values.
20
Meycor COBIT CSA IT Processes Diagnosis
The red line represents the score obtained. The
closer this line is to the center, the less the
risks are covered by the controls.
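The two slides above describe a control self-assessment as a set of scored answers per process, compared against target values and plotted on a radar chart. The following is an added example (not Meycor's code; the 0..3 answer scale, the default 75% target and the importance weighting are assumptions made here) showing how such scores can be computed, how the gap to target is derived, and how processes can be ranked for remediation by gap weighted by management's importance rating. The process ids are COBIT 4.0 labels; the answers are constructed sample data.

```python
from dataclasses import dataclass

# Answer scale per control objective (assumed for this example, not Meycor's own scale):
# 0 = control absent, 1 = partial, 2 = implemented, 3 = implemented and monitored.
MAX_ANSWER = 3


@dataclass
class ProcessAssessment:
    process_id: str            # COBIT process identifier used as a label, e.g. "DS5"
    name: str
    importance: int            # 1 (low) .. 5 (high), as rated by management
    answers: dict              # control objective id -> answer on the 0..MAX_ANSWER scale
    target: float = 75.0       # target score (percent) agreed for this process (assumed default)

    def __post_init__(self):
        # Reject answers outside the scale so a typo cannot silently inflate a score.
        bad = {k: v for k, v in self.answers.items() if not 0 <= v <= MAX_ANSWER}
        if bad:
            raise ValueError(f"answers outside 0..{MAX_ANSWER}: {bad}")
        if not 1 <= self.importance <= 5:
            raise ValueError("importance must be 1..5")

    def score(self) -> float:
        """Percent of the maximum attainable score over the answered control objectives."""
        if not self.answers:
            return 0.0
        return round(100.0 * sum(self.answers.values()) / (MAX_ANSWER * len(self.answers)), 1)

    def gap(self) -> float:
        """How far below target the process is; 0 when the target is met."""
        return round(max(0.0, self.target - self.score()), 1)

    def weak_controls(self, threshold: int = 1) -> list:
        """Control objectives answered at or below `threshold` (candidates for remediation)."""
        return sorted(k for k, v in self.answers.items() if v <= threshold)


def diagnosis(assessments) -> dict:
    """Process id -> score: the values a radar ('spider') chart of the diagnosis would plot."""
    return {a.process_id: a.score() for a in assessments}


def prioritise(assessments) -> list:
    """Processes ordered by gap weighted by importance, largest first."""
    return sorted(assessments, key=lambda a: (a.gap() * a.importance, a.importance), reverse=True)


# Constructed sample answers: the process ids are COBIT 4.0 labels, the numbers are made up.
SAMPLE = [
    ProcessAssessment("PO1", "Define a strategic IT plan", 2, {"PO1.1": 1, "PO1.2": 2}),
    ProcessAssessment("AI6", "Manage changes", 4, {"AI6.1": 2, "AI6.2": 2, "AI6.3": 3}),
    ProcessAssessment("DS5", "Ensure systems security", 5,
                      {"DS5.1": 3, "DS5.2": 2, "DS5.3": 1, "DS5.4": 0}),
]

if __name__ == "__main__":
    for a in prioritise(SAMPLE):
        print(f"{a.process_id} {a.name}: score {a.score()}% target {a.target}% "
              f"gap {a.gap()} weak {a.weak_controls()}")
```

With the sample data DS5 scores 50% against a 75% target and, being rated most important, comes first in the remediation order; AI6 meets its target and drops to the bottom. Weighting the gap by importance is what turns a flat list of scores into the prioritised view the deck's "IT Processes Importance" slide asks for.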
21
Meycor COBIT CSA Assessing several Analysis
Centers
Results can be displayed comparatively (by
platform, branch and technology).
22
Meycor COBIT CSA Audit Projects
Allows audit projects to be created, resources
assigned and even managed. The objective is to
determine whether the process' controls provide
assurance.
23
Meycor COBIT CSA Alignment with Business
Objectives
The alignment between IT Objectives and Business
Objectives is clearly identified.
24
Meycor COBIT AG Technology inventory
Here we identify how IT resources effectively
contribute to the achievement of objectives.
25
Meycor COBIT AG Relationship between COBIT
Processes and Business Processes
A heat map is generated based on the IT resources
and the required information criteria.
26
Meycor COBIT AG Beginning the Audit Process
The process begins when a reviewer creates a
project and assigns it to an auditor. It is also
possible to record whenever an auditor disagrees
with an observation.
27
Meycor COBIT AG Auditing an IT Process
Meycor COBIT AG provides guidance through the
different stages (interviewing, etc.), allowing
tasks and observations to be recorded and
evidence to be attached.
28
Meycor COBIT AG Audit Guidelines
Auditors have audit guidelines available that
provide a knowledge base to improve the quality
of the audit work.
29
Meycor COBIT AG Record Tasks
Here we identify who performed the task, the time
invested, any pertinent comments, etc.
30
Meycor COBIT AG Findings and Recommendations
The observations are defined in a format that
includes the determination of the criteria used
to perform the assessment, the consequences, etc.
31
Meycor COBIT AG Work papers Example (I)
Report of the audit program sorted by projects.
32
Meycor COBIT AG Work papers Example (II)
Report on the degree of strength of the audited
controls.
33
Meycor COBIT AG Work papers Example (III)
Identification of findings, the auditee's
opinion, follow-ups, etc.
34
DATASEC IT Security Control
Patria 716 - CP 11300 - Montevideo - Uruguay
Phone (598 2) 711-58-78 / 711-04-20 Fax (598
2) 711-58-94 Website www.datasec-soft.com