IT Assurance and Reliability

1
IT Assurance and Reliability

• Why Should You Care?

Presented to ISACA Regional Meeting Denver, CO
October 17, 2001
Richard Oppenheim, CPA, CITP President, SysTrust
Services Corporation
2
Todays Discussion

• Valuable Assets need reliable protection 
• Dealing with Uncertainty in Uncertain Times
• Ideas for assuring control

3
Valuable assets need to be reliable

• Overcoming loss of resources
• Average laptops lost / day 1,000
• Identify costs to replace -
• Equipment and Resources
• Data
• What is cost of Data in the hands of someone you
  do not control?

4
Business Systems

• Data is business foundation
• Decision making too much and too little
• IT systems include relationships
• Take inventory of what you have
• Back ups internal and off site
• Data, Applications, Operations, Data Networks
• Documentation, Procedures manuals
• Redundant operations, Hot Sites
• Controls

5
Reliable Systems Are Needed

• More than just financial
• Data to manage business processes
• Control at all levels
• Design
• Development
• Maintenance
• Monitoring
• Data, Applications, Resources
• People, Paper, Procedures

6
Why should you care ?
7 World Trade Center
7
Reliable Systems - Verification

• Beneficiaries
• Board, Management, Staff
• Customers
• Bankers, Insurers, Investors
• Vendors
• Goals
• Opinion for Business Continuity
• On time, On budget, On point

8
Reliable Systems - Verification

• Audit Goals Now Future
• Continuous auditing and reporting
• Understanding IT business process
• Certification opportunity
• Controls determine CRITERIA
• System reliability is goal

9
Reliable Systems - Assurance

• Internal vs External Needs
• Need for consistency
• Price vs Cost
• Spending for prevention
• Cost of recovery
• Resource Access vs Disaster
• Value of assurance
• Principles of SysTrust

10
Reliable Systems
COBIT from ISACA IT GOVERNANCE A structure of
relationships and processes to direct and control
the enterprise in order to achieve the
enterprise's goals by adding value while
balancing risk versus return over IT and its
processes.
SysTrust from AICPA SysTrust is a report issued
by a CPA or CA on the Reliabilityof an entitys
system.
11
Why Get Involved With SysTrust

• When there is a system failure the CEO is going
  to call
• Structure and framework built on platform
  including COBIT
• Can be used to help decide if /when outsourcing
  is appropriate
• Due diligence issues

12
Why is SysTrust Important

• Enterprise Resource Planning (ERP)
• When employees are busy, controls are put aside
  or forgotten
• Company secrets are more vulnerable
• Attacks can cripple business operations
• Outsourcing is a financial alternative

13
SysTrust Services Corp.
Documentation package that provides for

• Definitions of principles, criteria, and controls
• Data center self assessment and description
• Auditor testing, evaluation, conclusion, plan

14
Disasters Happen

• 10 things the SME can do

15
10 Things the SME can do

• 1 Management must be involved executives,
  senior mgmt, operations, IT
• 2 Disaster Plan must be in writing
• 3 Backup data daily and move one copy offsite
• 4 Practice system outage recovery
• 5 Understand who the users of the IT system are
  and where they are located

16
10 Things the SME can do

• 6 IT and business documents, manuals for
  operations, training, etc. must be in writing
• 7 Personnel must also have backups
• 8 Contracts for outsourced support and services
  need review
• 9 IT recovery needs
• 10 Obtain expert support as needed

17
How / Where / When to Begin

• SHORT TERM
• Start NOW
• Create procedures for tasks done regularly
• Assess value related to process
• LONG TERM
• Operations redundancy / Hot site
• Risk assessment
• Continuous auditing

18
Resistance to Implementation
Issues working against IT Assurance and
Reliability

• Management priorities elsewhere
• Lack of personnel
• Lack of resources
• Lack of user participation

19
IT Assurance Reliability

• Something to care about NOW

20
IT Assurance Reliability
Richard Oppenheim, CPA, CITP President, SysTrust
Services Corporation www.systrustservices.com ropp
enheim_at_systrustservices.com 303-795-8847