Slide 1: How to use CobiT to assess the security & reliability of Digital Preservation
ERPA Workshop, Antwerp, 14 - 16 April 2004
Greet Volders, Managing Consultant - VOQUALS N.V.; Vice President & in charge of Education - ISACA Belux

Slide 2 (Voquals NV, Greet Volders, ERPA - 14 April 2004): Agenda - Content of this Presentation
- ISACA & CobiT
  - Introduction to the ISACA organisation
  - IT audit process
  - CobiT framework
- Focus on some CobiT processes
  - Relevant to digital preservation
  - With a focus on reliability, confidentiality and security
- Practical guidelines to audit these processes and domains

Slide 3: Mission & Strategy of Voquals
- Voquals offers advice on quality management to organisations, or more specifically to Information Technology departments. In addition, Voquals provides assistance during the implementation of methods for application development and project management.
- Voquals was founded in 1996 by Greet Volders & Eddy Volckaerts; the name stands for "Volders quality services" or "Volckaerts quality services".
- A pragmatic and contextual approach is at the heart of every project we carry out.

Slide 4: Our Core Business
We are specialised in:
- Quality management
- Project management
- Consultancy, coordination, implementation
- Quality audits (ISO, EFQM, TickIT, ...)
- IT audits (CobiT, CMM)
- EFQM self-assessment
- Process analysis and development
- Transitions to a project-based approach to work
- Electronic document management (in general or focused on quality)

Slide 5: Agenda - ISACA & CobiT
- Introduction to the ISACA organisation
- IT audit process
- CobiT framework

Slide 6: CobiT Framework - Why the need for CobiT? Changing IT emphasis
Ten years ago we were afraid of rockets destroying computing centres... right now, we should be aware of software errors destroying rockets.

Slide 7: CobiT Framework - Linking management's IT expectations with management's IT responsibilities
[Diagram] Business processes need information; IT resources deliver it. The framework asks whether "what you get" matches "what you need", judged against the control objectives.
- Information criteria: effectiveness, efficiency, confidentiality, integrity, availability, compliance, reliability
- IT resources: data, application systems, technology, facilities, people

Slide 8: CobiT Framework - Navigation aids
Linking process, resource and criteria to 34 high-level control objectives with 318 detailed control objectives, across four domains: Planning & Organisation, Acquisition & Implementation, Delivery & Support, Monitoring.
[Diagram] The control of IT processes, which satisfy business requirements, is enabled by control statements and considers control practices.
- Information criteria: effectiveness, efficiency, confidentiality, integrity, availability, compliance, reliability
- IT resources: people, applications, technology, facilities, data

Slide 9: Agenda - Focus on some CobiT processes
- Relevant to digital preservation
- With a focus on reliability, confidentiality and security
- Practical guidelines to audit these processes and domains

Slide 10: CobiT Framework relevant to digital preservation
The 34 IT processes, grouped by domain (the processes examined on the following slides are PO8, AI3, DS5 and DS12):

Planning and Organisation
- PO1 Define a strategic IT plan
- PO2 Define the information architecture
- PO3 Determine the technological direction
- PO4 Define the IT organisation and relationships
- PO5 Manage the IT investment
- PO6 Communicate management aims and direction
- PO7 Manage human resources
- PO8 Ensure compliance with external requirements
- PO9 Assess risks
- PO10 Manage projects
- PO11 Manage quality

Acquisition and Implementation
- AI1 Identify automated solutions
- AI2 Acquire and maintain application software
- AI3 Acquire and maintain technology infrastructure
- AI4 Develop and maintain IT procedures
- AI5 Install and accredit systems
- AI6 Manage changes

Delivery and Support
- DS1 Define service levels
- DS2 Manage third-party services
- DS3 Manage performance and capacity
- DS4 Ensure continuous service
- DS5 Ensure systems security
- DS6 Identify and attribute costs
- DS7 Educate and train users
- DS8 Assist and advise IT customers
- DS9 Manage the configuration
- DS10 Manage problems and incidents
- DS11 Manage data
- DS12 Manage facilities
- DS13 Manage operations

Monitoring
- M1 Monitor the processes
- M2 Assess internal control adequacy
- M3 Obtain independent assurance
- M4 Provide for independent audit

Criteria (business objectives): effectiveness, efficiency, confidentiality, integrity, availability, compliance, reliability
IT resources: data, application systems, technology, facilities, people

Slide 11: PO8 Ensure Compliance with External Requirements
Control over the IT process of ensuring compliance with external requirements, that satisfies the business requirement to meet legal, regulatory and contractual obligations, is enabled by identifying and analysing requirements for their IT impact and taking appropriate measures to comply with them.

Slide 12: PO8 Ensure Compliance with External Requirements - Develop Audit Plan
- Interviewing:
  - Legal counsel
  - Human resources officer
  - Senior management of the IT function
- Obtaining:
  - Relevant government and/or external requirements
  - Standards, policies and procedures concerning:
    - External requirements reviews
    - Safety and health (including ergonomics)
    - Privacy
    - Security
    - Sensitivity rating of data being input, processed, stored, output and transmitted
    - Electronic commerce
    - Insurance
  - Copies of all IT-function-related insurance contracts
  - Audit reports from:
    - External auditors
    - Third-party service providers
    - Governmental agencies

Slide 13: PO8 Ensure Compliance with External Requirements - Evaluating
- Policies and procedures for:
  - Coordinating the external requirements review
  - Addressing appropriate safeguards
  - Providing appropriate safety and health training and education to all employees
  - Monitoring compliance with applicable safety and health laws and regulations
  - Providing adequate direction/focus on privacy so that all legal requirements fall within its scope
  - Informing the insurers of all material changes to the IT environment
  - Ensuring compliance with the requirements of the insurance contracts
  - Ensuring updates are made when applicable
- Security procedures are in accordance with all legal requirements and are being adequately addressed, including:
  - Password protection and software to limit access
  - Authorisation procedures
  - Terminal security measures
  - Data encryption measures
  - Firewall controls
  - Virus protection
  - Timely follow-up of violation reports

Slide 14: PO8 Ensure Compliance with External Requirements - Substantiate the risk of control objectives (C.O.s) not being met by:
- Performing:
  - Benchmarking of external requirements compliance
  - A detailed review of the external requirements review files to ensure corrective actions have been undertaken or are being implemented
  - A detailed review of security reports to assess whether sensitive/private information is being afforded appropriate security and privacy protections
- Identifying:
  - Privacy and security weaknesses related to data flow and/or transborder data flow
  - Weaknesses in contracts with trading partners related to communications processes, transaction messages, security and/or data storage
  - Weaknesses in trust relationships of trading partners
  - Non-compliances with insurance contract terms

Slide 15: AI3 Acquire and Maintain Technology Infrastructure
Control over the IT process of acquiring and maintaining technology infrastructure, that satisfies the business requirement to provide the appropriate platforms for supporting business applications, is enabled by judicious hardware and software acquisition, standardising of software, assessment of hardware and software performance, and consistent system administration.

Slide 16: AI3 Acquire and Maintain Technology Infrastructure - Develop Audit Plan
- Interviewing:
  - IT planning/steering committee
  - Chief information officer
  - IT senior management
- Obtaining:
  - Policies and procedures relating to hardware and software acquisition, implementation and maintenance
  - Senior management steering roles and responsibilities
  - IT objectives and long- and short-range plans
  - Status reports and minutes of meetings
  - Vendor hardware and software documentation
  - Hardware and software rental contracts or lease agreements

Slide 17: AI3 Acquire and Maintain Technology Infrastructure - Evaluating
Policies and procedures cover:
- Evaluation plan
  - Is prepared to assess new hardware and software for any impact on the overall performance of the system
- System software
  - Can be accessed without interruption
  - Set-up, installation and maintenance do not jeopardise the security of the data and programmes stored on the system
  - Parameters are selected so as to ensure the integrity of the data and programmes
  - Is installed and maintained in accordance with the acquisition and maintenance framework for the technology infrastructure
  - Vendors provide integrity assurance statements with their software and with all modifications to their software

Slide 18: DS5 Ensure Systems Security
Control over the IT process of ensuring systems security, that satisfies the business requirement to safeguard information against unauthorised use, disclosure or modification, damage or loss, is enabled by logical access controls which ensure that access to systems, data and programmes is restricted to authorised users.

Slide 19: DS5 Ensure Systems Security - Develop Audit Plan
- Interviewing:
  - Senior security officer of the organisation
  - IT senior and security management
  - IT database administrator
  - IT security administrator
  - IT application development management
- Obtaining:
  - Organisation-wide policies and procedures
  - IT policies and procedures
  - Relevant policies and procedures, and legal and regulatory body information systems security requirements, including:
    - User account management procedures
    - User security or information protection policy
    - Data classification schema
    - Inventory of access control software
    - Floor plan and schematic of physical access points to IT resources
    - Security software change control procedures
    - Security violation reports and management review procedures
    - Copies of contracts with service providers for data transmission

Slide 20: DS5 Ensure Systems Security - Evaluating
- Strategic security plan
- Cryptographic modules and key maintenance procedures
- Password policy includes:
  - Change of the initial password
  - Minimum password length
  - Allowed values (or a list of disallowed values)
- Location control methods are used to apply additional restrictions at specific locations
- Security-related hardware and software, such as cryptographic modules, are protected against tampering or disclosure, and access is limited on a "need to know" basis
- Trusted paths are used to transmit non-encrypted sensitive information
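The three password-policy criteria on this slide (forced change of the initial password, a minimum length, a list of disallowed values) can be substantiated with evidence rather than interview answers alone. The script below is an added example, not code from the presentation or from CobiT: it parses a constructed login.defs-style policy file (the key names are assumptions for the example), reports which criteria the configured settings fail, and then checks constructed account records, which carry only salted hashes in a toy scheme, for initial passwords that were never changed and for passwords that hash to a disallowed value. The minimum-length threshold of 8 is likewise an assumption of the example.

```python
"""Audit helper for the DS5 password-policy criteria listed on the slide:
a forced change of the initial password, a minimum length, and a list of
disallowed values.  Added example, not code from the presentation; every
setting name, account and hash scheme below is constructed for it."""
import hashlib
from dataclasses import dataclass
from datetime import date

# Constructed policy files in a login.defs-style "KEY value" layout.  The
# key names are assumptions for this example, not a real product's.
WEAK_POLICY_CONFIG = """
# constructed sample: the settings an auditor would flag
PASS_MIN_LEN 6
FORCE_CHANGE_ON_FIRST_LOGIN no
"""

STRONG_POLICY_CONFIG = """
# constructed sample: settings that meet the slide's criteria
PASS_MIN_LEN 12
FORCE_CHANGE_ON_FIRST_LOGIN yes
DISALLOWED_VALUES password,welcome1,Summer2004,changeme
"""

MIN_ACCEPTABLE_LEN = 8  # audit threshold assumed for the example


@dataclass
class Policy:
    min_len: int
    force_initial_change: bool
    disallowed: frozenset


def parse_policy(text: str) -> Policy:
    """Parse the KEY value lines, ignoring blanks and comments."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        settings[key] = value.strip()
    raw = settings.get("DISALLOWED_VALUES", "")
    return Policy(
        min_len=int(settings.get("PASS_MIN_LEN", "0")),
        force_initial_change=settings.get("FORCE_CHANGE_ON_FIRST_LOGIN", "no") == "yes",
        disallowed=frozenset(v.strip() for v in raw.split(",") if v.strip()),
    )


def evaluate_policy(policy: Policy) -> list:
    """Findings against the three DS5 criteria; an empty list means compliant."""
    findings = []
    if policy.min_len < MIN_ACCEPTABLE_LEN:
        findings.append(f"minimum password length {policy.min_len} is below {MIN_ACCEPTABLE_LEN}")
    if not policy.force_initial_change:
        findings.append("initial passwords are not forced to change at first logon")
    if not policy.disallowed:
        findings.append("no list of disallowed password values is configured")
    return findings


def toy_hash(salt: str, password: str) -> str:
    # Toy salted SHA-256 so the example is self-contained; a production
    # system stores passwords with a slow hash (bcrypt, scrypt, Argon2).
    return hashlib.sha256((salt + password).encode()).hexdigest()


@dataclass
class Account:
    name: str
    salt: str
    pw_hash: str
    created: date
    last_change: date


# Constructed account records in the shape an auditor would extract from
# the access-control software (hashes only, never plaintext).
SAMPLE_ACCOUNTS = [
    Account("archivist1", "s1", toy_hash("s1", "Correct-Horse-Battery-2004"),
            date(2003, 5, 2), date(2004, 2, 11)),
    Account("ingest_svc", "s2", toy_hash("s2", "welcome1"),
            date(2003, 9, 30), date(2003, 9, 30)),  # never changed, on the denylist
    Account("curator", "s3", toy_hash("s3", "Ab3$kLm9-xy"),
            date(2002, 1, 15), date(2002, 1, 15)),  # never changed
]


def audit_accounts(accounts, policy: Policy) -> dict:
    """Per-account evidence: which accounts still carry their initial
    password, and which hash to a disallowed value."""
    findings = {}
    for acct in accounts:
        issues = []
        if acct.last_change == acct.created:
            issues.append("initial password never changed")
        # Denylist test against the stored hash: the same check a cracker
        # with a short wordlist performs, without needing the plaintext.
        for bad in sorted(policy.disallowed):
            if toy_hash(acct.salt, bad) == acct.pw_hash:
                issues.append(f"password is a disallowed value ({bad})")
                break
        if issues:
            findings[acct.name] = issues
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_POLICY_CONFIG), ("strong", STRONG_POLICY_CONFIG)):
        print(label, evaluate_policy(parse_policy(cfg)) or "compliant")
    print(audit_accounts(SAMPLE_ACCOUNTS, parse_policy(STRONG_POLICY_CONFIG)))
```

Run against the constructed data, the weak configuration produces three findings and the strong one none; the account check flags ingest_svc (initial password unchanged and equal to the denylisted "welcome1") and curator (initial password unchanged). The denylist test works on stored hashes only, so the auditor never needs plaintext passwords; with a real password store the same loop would call the system's own hash function instead of the toy one.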

Slide 21: DS12 Manage Facilities
Control over the IT process of managing facilities, that satisfies the business requirement to provide a suitable physical surrounding which protects the IT equipment and people against man-made and natural hazards, is enabled by the installation of suitable environmental and physical controls which are regularly reviewed for their proper functioning.

Slide 22: DS12 Manage Facilities - Develop Audit Plan
- Interviewing:
  - Facility manager
  - Security officer
  - Risk manager
  - IT operations manager
  - IT security manager
- Obtaining:
  - Organisational policies and procedures relating to facility management, layout, security, safety, fixed asset inventory and capital acquisition/leasing
  - List of individuals who have access to the facility, and floor layout of the facility
  - List of performance, capacity and service level agreements

Slide 23: DS12 Manage Facilities - Evaluating
- Facility location
  - Is not obvious externally
  - Is in the least accessible area of the organisation
  - Access is limited to the least number of people
- Logical and physical access procedures are sufficient, including security access profiles
- "Key" and "card reader" management procedures and practices are adequate
- The organisation is responsible for physical access within the IT function, which includes:
  - Security policies and procedures
  - Relationships with security-oriented vendors
  - Security awareness
  - Logical access control
- Penetration test procedures and results

Slide 24: More Information - Coordinates
ISACA & ISACF
3701 Algonquin Road, Suite 1010, Rolling Meadows, Illinois 60008, USA
Phone +1 708 253 1445
Education@isaca.org
http://www.isaca.org

ISACA Belux
Education@isaca.be
http://www.isaca.be

Voquals N.V., Greet Volders
Diestsebaan 1, 3290 Diest, Belgium
Phone +32 13 326464, Mobile +32 475 63 45 06
Gvolders@voquals.be
www.voquals.be

Slide 25: Information Systems Audit and Control Association (ISACA) / Information Systems Audit and Control Foundation (ISACF)
The recognized global leaders in IT governance, control and assurance.

Slide 26: Information Systems Audit and Control Association (ISACA) / Information Systems Audit and Control Foundation (ISACF)
Mission: To support enterprise objectives through the development, provision and promotion of research, standards, competencies and practices for the effective governance, control and assurance of information, systems and technology.

Slide 27: ISACA Membership Benefits
- Access to:
  - Leading-edge research
  - K-NET, an internet-based global knowledge network for IT governance, control and assurance information
- Networking and leadership opportunities through:
  - Local chapters
- Discounts on:
  - CISA exam registration fee and study materials
  - CISM exam registration fee and study materials
  - ISACA-sponsored conferences and Training Weeks
  - COBIT and other publications

Slide 28: Do you want to know more?
Information Systems Audit and Control Association / Foundation
3701 Algonquin Road, Suite 1010, Rolling Meadows, IL, USA 60008
Phone: +1.847.253.1545
Fax: +1.847.253.1443
E-mail: info@isaca.org
Web site: www.isaca.org

Slide 29: Chapter Organization - ISACA BeLux Chapter
- ISACA Belux Board
- ISACA Belux Education Committee
- ISACA Belux Luxembourg Development

Slide 30: ISACA BeLux Chapter - Core activities
- CISA preparation
- CISM preparation
- Round table meetings
- Board meetings
- Educational Committee meetings
- Annual General Meeting
- Miscellaneous (social) events: New Year drink, Gala Dinner
For more information: www.isaca.be
