A New Approach to Regulatory Compliance

1
IT Security Summit 2005 Centro de Convenciones,
August 22-23, 2006
Information Technology (IT) Regulatory Compliance
Planning
John R. Robles President, John R. Robles
Associates 787-647-3961 jrobles_at_coqui.net www.john
rrobles.com
2
What Is Compliance?

• The act of complying with a wish, request, or
  demand
• A disposition or tendency to yield to the will of
  others
• The act of submitting usually surrendering power
  to another
• Acting according to certain accepted standards
• A disposition or tendency to yield to the will of
  others
• Happy friendly agreement

John R. Robles Associates
2 / 35
3
What Is IT Compliance?

• Perform IT functions according to a wish,
  request, or demand
• Disposition or tendency to yield to the IT will
  of others
• The act of submitting usually surrendering IT
  power to another
• Acting according to certain accepted IT standards
  
• A disposition or tendency to yield to the IT will
  of others
• Happy friendly IT agreement between IT and others

John R. Robles Associates
3 / 35
4
What is IT Regulatory Compliance?

• Perform IT Functions according to a wish,
  request, or demand of the government or
  regulatory agency
• Disposition or tendency to yield to the IT will
  of others (government or regulatory agency)
• The act of submitting usually surrendering IT
  power to another (government or regulatory
  agency)
• Acting according to certain accepted IT standards
  (of government or regulatory agency)
• A disposition or tendency to yield to the IT will
  of others (government or regulatory agency)
• Happy friendly IT agreement with (government or
  regulatory agency)

John R. Robles Associates
4 / 35
5
How do I Comply with Government or Regulatory
Agency?

• Know the IT regulations pertinent to your company
  or industry
• Discuss with
• Compliance Officer
• Legal Counsel
• Internal or External Auditors
• Executive Management
• Determine methodology to ensure compliance
• Perform Self Assessment
• Improve Compliance
• Maintain Compliance Officer, Legal Counsel,
  Internal /External Auditors, and Executive
  Management informed of self assessment and
  progress of improvement efforts

John R. Robles Associates
5 / 35
6
Sample of some IT regulations

• Financial Services
• Financial Institution Letters
• The IT Compliance Institute has a DataBase of
  Regulations by Industry and by Country
• Some known regulations include
• Sarbanes-Oxley Act
• Gramm-Leach Bliley Act
• HIPAA
• Base II
• USA Patriot Act
• Email/records retention

John R. Robles Associates
6 / 35
7
Regulatory Compliance is Above and Beyond Best
Practices and General Internal Controls

• If you do not comply with Best Practices and
  General Internal Controls you may get an Audit
  Comment.
• If you do not comply with Regulatory Compliance
  you, your company, your company officers, or the
  Board of Directors may get a Fine or Jail Time.
• However, Regulatory Compliance is a subset of
  Best Practices and General Internal Controls.
• That is, If you run a clean IT shop, most likely
  you are in compliance.

John R. Robles Associates
7 / 35
8
IT Compliance is all about IT Internal Controls.

• How do you set up a compliant IT department?
• Establish an Internal Controls methodology with
  includes addressing pertinent IT regulations.
• Some of the more well-know methodologies
  include
• COSO (Committee of Sponsoring Organizations of
  the Threadway Commission
• Cobit (Control Objectives for Information and
  Related Technologies)
• ISO-17799

John R. Robles Associates
8 / 35
9
An Internal Controls Methodology

• The GAO Standard for Internal Control in the
  Federal Government and COSO define Internal
  Controls as
• An integral part of an organizations management
  that provides reasonable assurance that the
  following objectives are being achieved
• effectiveness and efficiency of operations
• reliability of financial reporting
• compliance with applicable laws and regulations

John R. Robles Associates
9 / 35
10
An Internal Controls Methodology

• Internal Controls address the following
• It is a process
• It is performed by people
• It provides only reasonable assurance, not
  absolute assurance
• Internal Controls consists of
• Control Environment
• Risk Assessment
• Control Activities
• Information and Communications
• Monitoring

John R. Robles Associates
10 / 35
11
Regulation with the greatest impact on internal
controls and IT

• Sarbanes-Oxley - Section 404
• It will be
• (1) the responsibility of management for
  establishing and maintaining an adequate internal
  control structure and procedures for financial
  reporting, and
• (2) contain an assessment, as of the end of the
  most recent fiscal year of the issuer, of the
  effectiveness of the internal control structure
  and procedures of the issuers for financial
  reporting.

John R. Robles Associates
11 / 35
12
IT Internal Controls Frameworks

• Some IT internal control frameworks
• Cobit and IT Control Objectives for
  Sarbanes-Oxley
• ISO 17799
• IT Infrastructure Library (ITIL)
• Capability Maturity Model Integration (CMMI)
• Naional Institute of of Standards and Technology
  (NIST)

John R. Robles Associates
12 / 35
13
Unified Compliance Project

• The IT Compliance Institute (www.itcinstitute.com)
  has the Unified Compliance Project, it addresses
  the following
• Leadership and High-Level Objectives
• Audit and Risk Management
• Design and Implementation
• Technology Acquisition
• Operational Management
• IT Staff Management and Outsourcing
• Records Management
• Technical Security
• Physical Security
• Systems Continuity
• Monitoring, Measurement, and Reporting
• Privacy

John R. Robles Associates
13 / 35
14
COBIT An IT Control Framework

• BUSINESS
• REQUIREMENTS

Framework
IT PROCESSES
IT RESOURCES
John R. Robles Associates
14 / 35
15
COBIT Framework
How do they relate?
Business Requirements
IT Resources
IT Processes

• Data
• Information Systems
• Technology
• Facilities
• Human Resources

• Plan and Organise
• Acquire and Implement
• Deliver and Support
• Monitor and Evaluate

• Effectiveness
• Efficiency
• Confidentiality
• Integrity
• Availability
• Compliance
• Information Reliability

John R. Robles Associates
15 / 35
16
What the stakeholders expect from IT
COBIT Framework
How do they relate?
Business Requirements
IT Resources
IT Processes

• Data
• Information Systems
• Technology
• Facilities
• Human Resources

• Planning and organisation
• Acquisition and implementation
• Delivery and Support
• Monitoring

• Effectiveness
• Efficiency
• Confidentiality
• Integrity
• Availability
• Compliance
• Information Reliability

John R. Robles Associates
16 / 35
17
COBIT Framework
IT Processes
John R. Robles Associates
17 / 35
18
COBIT Framework
IT Resources
Data Data objects in their widest sense, i.e.,
external and internal, structured and
unstructured, graphics, sound, etc. Application
Systems Understood to be the sum of manual and
programmed procedures Technology Covers
hardware, operating systems, database management
systems, networking, multimedia, etc. Facilities
Resources to house and support information
systems People Staff skills, awareness and
productivity to plan, organise, acquire, deliver,
support and monitor information systems and
services
John R. Robles Associates
18 / 35
19
COBIT Framework

• IT Domains
• Plan and Organise
• Acquire and Implement
• Deliver and Support
• Monitor and Evaluate

• IT Processes
• IT Strategy
• Policy and Procedures
• Feasibility Study
• Acceptance Testing
• Change Management
• Contingency Planning
• Problem Management

• Activities
• Record New Problem
• Analyse
• Propose Solution
• Monitor Solution
• Record Known Problem
• Etc.

Natural grouping of processes, often matching an
organisational domain of responsibility
A series of joined activities with natural
(control) breaks
Actions needed to achieve a measurable result.
Activities have a life cycle whereas tasks are
discrete.
John R. Robles Associates
19 / 35
20
Plan and Organise

• PO 1 Define a Strategic Information Technology
  Plan
• PO 2 Define the Information Architecture
• PO 3 Determine the Technological Direction
• PO 4 Define the IT Organisation and
  Relationships
• PO 5 Manage the Investment in Information
  Technology
• PO 6 Communicate Management Aims and Direction
  
• PO 7 Manage Human Resources
• PO 8 Ensure Compliance with External
  Requirements
• PO 9 Assess Risks
• PO 10 Manage Projects
• PO 11 Manage Quality

John R. Robles Associates
20 / 35
21
Acquire and Implement

• AI 1 Identify Automated Solutions
• AI 2 Acquire and Maintain Application Software
• AI 3 Acquire and Maintain Technology
  Infrastructure
• AI 4 Develop and Maintain IT Procedures
• AI 5 Install and Accredit Systems
• AI 6 Manage Changes

John R. Robles Associates
21 / 35
22
COBIT Domains
Monitor and Evaluate
Domains
Deliver and Support

• Topics
• Delivery of required services
• Setup of support processes
• Processing by application systems
• Questions
• Are IT services being delivered in line with
  business priorities?
• Are IT costs optimised?
• Is the workforce able to use the IT systems
  productively and safely?
• Are adequate security, integrity and availability
  in place?

• Topics
• Assessment over time, delivering assurance
• Managements oversight of the control system
• Performance measurement
• Questions
• Can ITs performance be measured and can problems
  be detected before it is too late?
• Is independent assurance needed to ensure that
  critical areas are operating as intended?

John R. Robles Associates
22 / 35
23
Deliver and Support

• DS 1 Define and Manage Service Levels
• DS 2 Manage Third-party Services
• DS 3 Manage Performance and Capacity
• DS 4 Ensure Continuous Service
• DS 5 Ensure Systems Security
• DS 6 Identify and Allocate Costs
• DS 7 Educate and Train Users
• DS 8 Assist and Advise Customers
• DS 9 Manage the Configuration
• DS 10 Manage Problems and Incidents
• DS 11 Manage Data
• DS 12 Manage Facilities
• DS 13 Manage Operations

John R. Robles Associates
23 / 35
24
Monitor and Evaluate

• M1 Monitor the Process
• M2 Assess Internal Control Adequacy
• M3 Obtain Independent Assurance
• M4 Provide for Independent Audit

John R. Robles Associates
24 / 35
25
COBIT Framework
Waterfall Model
The control of
IT Processes
which satisfy
Business Requirements
is enabled by
Control Statements
considering
Control Practices
4 Domains - 34 Processes - 318 Control Objectives
John R. Robles Associates
25 / 35
26
Business Objectives
COBIT Framework
PO1 Define a strategic IT plan PO2 Define the
information architecture PO3 Determine the
technological direction PO4 Define the IT
organisation and relationships PO5 Manage the IT
investment PO6 Communicate management aims and
direction PO7 Manage human resources PO8 Ensure
compliance with external requirements PO9 Assess
risks PO10 Manage projects PO11 Manage quality
M1 Monitor the process M2 Assess internal
control adequacy M3 Obtain independent
assurance M4 Provide for independent audit
DS1 Define service levels DS2 Manage
third-party services DS3 Manage performance and
capacity DS4 Ensure continuous service DS5
Ensure systems security DS6 Identify and
attribute costs DS7 Educate and train users DS8
Assist and advise IT customers DS9 Manage the
configuration DS10 Manage problems and
incidents DS11 Manage data DS12 Manage
facilities DS13 Manage operations
AI1 Identify automated solutions AI2 Acquire
and maintain application software AI3 Acquire
and maintain technology infrastructure AI4
Develop and maintain IT procedures AI5 Install
and accredit systems AI6 Manage changes
John R. Robles Associates
26 / 35
27
The Most Important IT Processes
PO1 Define a strategic IT plan PO3 Determine
the technological direction PO5 Manage the IT
investment PO9 Assess risks PO10 Manage
projects AI1 Identify solutions AI2 Acquire and
maintain applications s/w AI5 Install and
accredit systems AI6 Manage changes DS1 Define
service levels DS4 Ensure continuous service DS5
Ensure system security DS10 Manage problems and
incidents DS11 Manage data M1 Monitor the
processes
34
15
7
Survey
John R. Robles Associates
27 / 35
28
COBITContent

• High-level Control Objective
• One per process
• Detailed Control Objectives
• Three to 30 per process
• Control Practices
• Five to seven per control objective

John R. Robles Associates
28 / 35
29
COBIT Control Objectives

• Based on the 41 primary references
• Developed following a rigorous research process
• Three to 30 detailed control objectives for each
  of the 34 processes
• Directed to IT management, IT staff, control and
  audit functions and business process owners
• For each process, detailed control objectives are
  identified as  good practice  that need to be
  in place, and that will be assessed for
  sufficiency by the controls professional.
• Control objectives provide a working document, a
  place to start, from which selections need to be
  made based on the enterprise value and risk
  drivers.

John R. Robles Associates
29 / 35
30
The COBIT Framework
How Is COBIT Used? (Results from Surveys)

• To improve audit approach/programs
• To support audit work with detailed audit
  guidelines
• To provide guidance for IT governance
• As a valuable benchmark for IS/IT control
• To improve IS/IT controls
• To standardise audit approach/programs

John R. Robles Associates
30 / 35
31
COBITBenefits

• What
• Comfort about
• Dependence on IT
• IT risks are mitigated
• IT delivers value
• Assurance of
• Cost down and revenue up
• Business operations improved
• Service levels maintained

• Who
• Executive
• Business manager
• IT manager
• Project manager
• Developer
• Operations staff
• User
• Security officer
• Auditor

John R. Robles Associates
31 / 35
32
COBIT Products

• Management Guidelines
• Provide management direction for
• Getting the enterprise's information and related
  processes under control
• Monitoring achievement of organisational goals
• Monitoring and improving performance within each
  IT process
• Benchmarking organisational achievement
• Action-oriented and generic
• Provide answers to typical management questions
• How far should we go in controlling IT, and is
  the cost justified by the benefit?
• What are the indicators of good performance?
• What are the critical success factors?
• What are the risks of not achieving our
  objectives?
• What do others do? How do we measure and compare?

John R. Robles Associates
32 / 35
33
IT Governance Implementation Guide
Feedback
Post- implement. review
Implementation Road Map
Integrate into day-to-day practices
Integrate measures into ITBSC
Implement the solution
John R. Robles Associates
33 / 35
34
ConclusionCOBIT Values

• Sharing knowledge and leveraging expert
  volunteers
• Internationally accepted good practices
• Continually evolves
• Maintained by reputable not-for-profit
  organisation
• Maps strongly onto all major related standards
• Is management-oriented
• Is supported by tools and training
• Maps completely to ISO17799 and COSO

PRESENT
John R. Robles Associates
34 / 35
35
The COBIT Framework
IT Governance Institute 3701 Algonquin Road,
Suite 1010 Rolling Meadows, IL 60008
USA 1.847.590.7491 info_at_itgi.orginfo_at_isaca.org w
ww.isaca.org www.itgi.org John R. Robles and
Associates 787-647-3961 jrobles_at_coqui.net www.john
rrobles.com
John R. Robles Associates
35 / 35
36
Thank You! Questions and Answers.
John R. Robles Associates
35 / 35