Information Security Governance: COBIT or ISO 17799 / BS 7799

Presented by:
Abhinav Goyal, Anju Bhadoria, Charu Sharma, Khyati Shah, Shivangi Gupta, Shreeya Dhingra, Sonali Gupta, Vishal Jain
Fundamentals

• IT Governance and its importance
• International Standards

History of COBIT

– ISACF Control Objectives in 1992
– 1st Edition in 1996
– 2nd Edition in 1998
– 3rd Edition in 2000
– 4th Edition in 2005

COBIT: Control Objectives for Information and Related Technology.

COBIT is developed by ISACA and the IT Governance Institute (ITGI) in order to implement IT governance in organizations.
• COBIT focuses on What, not How!
• Proactive, not reactive!
• Adaptable to organizations
• Common sense: maximize the benefits of IT while providing IT governance and control.
1. Executive Summary - “There is a method…”
2. Framework - “The method is…”
3. Control Objectives - “The minimum controls are…”
4. Audit Guidelines - “Here’s how you audit…”
5. Management Guidelines - “Here’s how you measure your performance…”
6. Implementation Guide - “Here’s how you implement…”
• 4 Domains
   – Plan & Organize (PO)
   – Acquire & Implement (AI)
   – Deliver & Support (DS)
   – Monitor & Evaluate (ME)
• 34 High Level Control Objectives
• 215 Detailed Control Objectives
The COBIT framework (process map)

Information Criteria:
– Effectiveness
– Efficiency
– Confidentiality
– Integrity
– Availability
– Compliance
– Reliability

IT Resources:
– Data
– Applications
– Technology
– Facilities
– People

Business Processes

Plan & Organize (PO):
– PO1 Define a Strategic IT Plan
– PO2 Define the Information Architecture
– PO3 Determine Technological Direction
– PO4 Define the IT Organization and Relationships
– PO5 Manage the IT Investment
– PO6 Communicate Management Aims and Direction
– PO7 Manage Human Resources
– PO8 Ensure Compliance with External Requirements
– PO9 Assess Risks
– PO10 Manage Projects
– PO11 Manage Quality

Acquire & Implement (AI):
– AI1 Identify Automated Solutions
– AI2 Acquire and Maintain Application Software
– AI3 Acquire and Maintain Technology Infrastructure
– AI4 Develop and Maintain Procedures
– AI5 Install and Accredit Systems
– AI6 Manage Changes

Deliver & Support (DS):
– DS1 Define and Manage Service Levels
– DS2 Manage Third-Party Services
– DS3 Manage Performance and Capacity
– DS4 Ensure Continuous Service
– DS5 Ensure Systems Security
– DS6 Identify and Allocate Costs
– DS7 Educate and Train Users
– DS8 Assist and Advise Customers
– DS9 Manage the Configuration
– DS10 Manage Problems and Incidents
– DS11 Manage Data
– DS12 Manage Facilities
– DS13 Manage Operations

Monitor & Evaluate (ME):
– ME1 Monitor the Process
– ME2 Assess Internal Control Adequacy
– ME3 Obtain Independent Assurance
– ME4 Provide for Independent Audit
• Management
   – Describes what needs to be taken into account when making IT-related decisions and investments; helps balance risk and control investment.
• IT Providers
   – Provides clear expectations on minimum controls in IT environments.
• IT Users
   – Assurance over security and controls (internal and external providers).
• Auditors
   – List of control objectives and minimum controls.
   – Substantiation of opinion.
• Self-assessment tool for all groups.
ISO 17799 / BS 7799

Security Parameters (structure of the standard):
– Organisational and Information Security
– Risk Assessment and Treatment
– Asset Management
– Security Policy
– Human Resource Security
– Physical Security
– Information Systems Acquisition, Development and Maintenance
– Communication and Operational Security
– Incident Management
– Access Control
– Business Continuity
– Compliance

ISO 17799 Overview
ISO 17799 modules
ISO 17799 Controls
Comparison of COBIT and ISO 17799

Dimension                 COBIT                                        ISO 17799
Function                  Mapping IT processes                         Information security framework
Implementation            Information system audit                     Compliance to security standard
Area                      4 domains                                    10 domains
Structure                 318 controls / 34 high-level objectives      127 controls / 36 control objectives
Focus                     Information technology controls              Information security
Consultant                Accounting firm, IT consulting firm          IT consulting firm, security firm, network consultant
Issuer                    ISACA                                        ISO
Available Certification   None                                         BS 7799-2
Goals                     IT control objectives for day-to-day use     Guidance for implementing information security
Suitability               SOX or Basel II                              Organizations with a focus on information security
Taxonomy                  Collection of publications, classified as    International standard
                          best practice for IT control and IT
                          governance
Target Audiences          Management, users and auditors               People responsible for information security
What do we want to achieve with IT?
How can we achieve these IT goals?
Where are the methods strong?
How can we achieve these IT goals: continuous IT improvement