A New Approach to Regulatory Compliance
Shared by: sjb12334
Posted: 5/29/2010, English, 36 pages


IT Security Summit – 2005
Centro de Convenciones, August 22-23, 2006
Information Technology (IT)
Regulatory Compliance Planning
John R. Robles
President, John R. Robles & Associates
787-647-3961
jrobles@coqui.net
www.johnrrobles.com
What Is Compliance?
The act of complying with a wish, request, or demand
A disposition or tendency to yield to the will of others
The act of submitting; usually surrendering power to another
Acting according to certain accepted standards
A disposition or tendency to yield to the will of others
Happy friendly agreement
John R. Robles & Associates 2 / 35
What Is IT Compliance?
Perform IT functions according to a wish, request, or demand
Disposition or tendency to yield to the IT will of others
The act of submitting; usually surrendering IT power to another
Acting according to certain accepted IT standards
A disposition or tendency to yield to the IT will of others
Happy friendly IT agreement between IT and others
What is IT Regulatory Compliance?
Perform IT Functions according to a wish, request, or demand
of the government or regulatory agency
Disposition or tendency to yield to the IT will of others
(government or regulatory agency)
The act of submitting; usually surrendering IT power to another
(government or regulatory agency)
Acting according to certain accepted IT standards
(of government or regulatory agency)
A disposition or tendency to yield to the IT will of others
(government or regulatory agency)
Happy friendly IT agreement with (government or regulatory agency)
How do I Comply with a Government or Regulatory Agency?
Know the IT regulations pertinent to your company or industry
Discuss with:
Compliance Officer
Legal Counsel
Internal or External Auditors
Executive Management
Determine a methodology to ensure compliance
Perform a self assessment
Improve compliance
Keep the Compliance Officer, Legal Counsel, Internal/External Auditors, and Executive Management informed of the self assessment and of the progress of improvement efforts
Sample of some IT regulations
Financial Services:
Financial Institution Letters
The IT Compliance Institute has a database of regulations by industry and by country
Some known regulations include:
Sarbanes-Oxley Act
Gramm-Leach-Bliley Act
HIPAA
Basel II
USA Patriot Act
Email/records retention
Regulatory Compliance is Above and Beyond Best Practices and General Internal Controls
If you do not comply with Best Practices and General Internal Controls, you may get an Audit Comment.
If you do not comply with Regulatory Compliance, you, your company, your company officers, or the Board of Directors may get a Fine or Jail Time.
However, Regulatory Compliance is a subset of Best Practices and General Internal Controls.
That is, if you run a clean IT shop, you are most likely in compliance.
IT Compliance is all about IT Internal Controls.
How do you set up a compliant IT department?
Establish an Internal Controls methodology which includes addressing the pertinent IT regulations.
Some of the better-known methodologies include:
COSO (Committee of Sponsoring Organizations of the Treadway Commission)
COBIT (Control Objectives for Information and Related Technologies)
ISO 17799
An Internal Controls Methodology
The GAO “Standard for Internal Control in the Federal
Government” and COSO define Internal Controls as:
“An integral part of an organization’s management that provides
reasonable assurance that the following objectives are being
achieved:
effectiveness and efficiency of operations
reliability of financial reporting
compliance with applicable laws and regulations”
An Internal Controls Methodology
Internal Controls address the following:
It is a process
It is performed by people
It provides only reasonable assurance, not absolute assurance
Internal Controls consist of:
Control Environment
Risk Assessment
Control Activities
Information and Communications
Monitoring
Regulation with the greatest impact on internal controls and IT
Sarbanes-Oxley - Section 404:
“It will be
(1) the responsibility of management for establishing and
maintaining an adequate internal control structure and
procedures for financial reporting, and
(2) contain an assessment, as of the end of the most recent fiscal
year of the issuer, of the effectiveness of the internal control
structure and procedures of the issuers for financial reporting.”
IT Internal Controls Frameworks
Some IT internal control frameworks:
Cobit and IT Control Objectives for Sarbanes-Oxley
ISO 17799
IT Infrastructure Library (ITIL)
Capability Maturity Model Integration (CMMI)
National Institute of Standards and Technology (NIST)
Unified Compliance Project
The IT Compliance Institute (www.itcinstitute.com) runs the Unified Compliance Project, which addresses the following:
Leadership and High-Level Objectives
Audit and Risk Management
Design and Implementation
Technology Acquisition
Operational Management
IT Staff Management and Outsourcing
Records Management
Technical Security
Physical Security
Systems Continuity
Monitoring, Measurement, and Reporting
Privacy
COBIT: An IT Control Framework
(Framework diagram with three elements: Business Requirements, IT Processes, IT Resources.)
COBIT Framework
How do they relate?
IT Resources (the resources made available to, and built up by, IT): Data; Information Systems; Technology; Facilities; Human Resources
IT Processes (how IT is organised to respond to the requirements): Plan and Organise; Acquire and Implement; Deliver and Support; Monitor and Evaluate
Business Requirements (what the stakeholders expect from IT): Effectiveness; Efficiency; Confidentiality; Integrity; Availability; Compliance; Information Reliability
(The following slide repeats this diagram with the domains named Planning and organisation, Acquisition and implementation, Delivery and Support, and Monitoring.)
COBIT Framework: IT Processes
Domains: a natural grouping of processes, often matching an organisational domain of responsibility
Processes: a series of joined activities with natural control breaks
Activities or tasks: actions needed to achieve a measurable result. Activities have a life cycle, whereas tasks are discrete.
COBIT Framework: IT Resources
Data: Data objects in their widest sense, i.e., external and
internal, structured and unstructured, graphics, sound, etc.
Application Systems: Understood to be the sum of
manual and programmed procedures
Technology: Covers hardware, operating systems, database
management systems, networking, multimedia, etc.
Facilities: Resources to house and support information
systems
People: Staff skills, awareness and productivity to plan,
organise, acquire, deliver, support and monitor information
systems and services
COBIT Framework: Domains, Processes and Activities (examples)
IT Domains (a natural grouping of processes, often matching an organisational domain of responsibility):
• Plan and Organise
• Acquire and Implement
• Deliver and Support
• Monitor and Evaluate
IT Processes (a series of joined activities with natural control breaks), for example:
• IT Strategy
• Policy and Procedures
• Feasibility Study
• Acceptance Testing
• Change Management
• Contingency Planning
• Problem Management
• Etc.
Activities (actions needed to achieve a measurable result; activities have a life cycle whereas tasks are discrete), for example:
• Record New Problem
• Analyse
• Propose Solution
• Monitor Solution
• Record Known Problem
Plan and Organise
PO 1 Define a Strategic Information Technology Plan
PO 2 Define the Information Architecture
PO 3 Determine the Technological Direction
PO 4 Define the IT Organisation and Relationships
PO 5 Manage the Investment in Information Technology
PO 6 Communicate Management Aims and Direction
PO 7 Manage Human Resources
PO 8 Ensure Compliance with External Requirements
PO 9 Assess Risks
PO 10 Manage Projects
PO 11 Manage Quality
Acquire and Implement
AI 1 Identify Automated Solutions
AI 2 Acquire and Maintain Application Software
AI 3 Acquire and Maintain Technology Infrastructure
AI 4 Develop and Maintain IT Procedures
AI 5 Install and Accredit Systems
AI 6 Manage Changes
COBIT Domains
Deliver and Support
Topics:
• Delivery of required services
• Setup of support processes
• Processing by application systems
Questions:
• Are IT services being delivered in line with business priorities?
• Are IT costs optimised?
• Is the workforce able to use the IT systems productively and safely?
• Are adequate security, integrity and availability in place?
Monitor and Evaluate
Topics:
• Assessment over time, delivering assurance
• Management’s oversight of the control system
• Performance measurement
Questions:
• Can IT’s performance be measured and can problems be detected before it is too late?
• Is independent assurance needed to ensure that critical areas are operating as intended?
Deliver and Support
DS 1 Define and Manage Service Levels
DS 2 Manage Third-party Services
DS 3 Manage Performance and Capacity
DS 4 Ensure Continuous Service
DS 5 Ensure Systems Security
DS 6 Identify and Allocate Costs
DS 7 Educate and Train Users
DS 8 Assist and Advise Customers
DS 9 Manage the Configuration
DS 10 Manage Problems and Incidents
DS 11 Manage Data
DS 12 Manage Facilities
DS 13 Manage Operations
Monitor and Evaluate
M1 Monitor the Process
M2 Assess Internal Control Adequacy
M3 Obtain Independent Assurance
M4 Provide for Independent Audit
Waterfall Model: COBIT Framework
The control of IT Processes, which satisfy Business Requirements, is enabled by Control Statements, considering Control Practices.
4 Domains - 34 Processes - 318 Control Objectives
COBIT Framework (overview diagram)
Criteria: Effectiveness; Efficiency; Confidentiality; Integrity; Availability; Compliance; Reliability
IT Resources: Data; Application systems; Technology; Facilities; People
Plan and Organise: PO1 Define a strategic IT plan; PO2 Define the information architecture; PO3 Determine the technological direction; PO4 Define the IT organisation and relationships; PO5 Manage the IT investment; PO6 Communicate management aims and direction; PO7 Manage human resources; PO8 Ensure compliance with external requirements; PO9 Assess risks; PO10 Manage projects; PO11 Manage quality
Acquire and Implement: AI1 Identify automated solutions; AI2 Acquire and maintain application software; AI3 Acquire and maintain technology infrastructure; AI4 Develop and maintain IT procedures; AI5 Install and accredit systems; AI6 Manage changes
Deliver and Support: DS1 Define service levels; DS2 Manage third-party services; DS3 Manage performance and capacity; DS4 Ensure continuous service; DS5 Ensure systems security; DS6 Identify and attribute costs; DS7 Educate and train users; DS8 Assist and advise IT customers; DS9 Manage the configuration; DS10 Manage problems and incidents; DS11 Manage data; DS12 Manage facilities; DS13 Manage operations
Monitor and Evaluate: M1 Monitor the process; M2 Assess internal control adequacy; M3 Obtain independent assurance; M4 Provide for independent audit
The Most Important IT Processes
Survey result: of the 34 COBIT processes, the 15 rated most important (the slide further narrows these to 7, which the extracted text does not identify):
PO1 Define a strategic IT plan
PO3 Determine the technological direction
PO5 Manage the IT investment
PO9 Assess risks
PO10 Manage projects
AI1 Identify solutions
AI2 Acquire and maintain applications s/w
AI5 Install and accredit systems
AI6 Manage changes
DS1 Define service levels
DS4 Ensure continuous service
DS5 Ensure system security
DS10 Manage problems and incidents
DS11 Manage data
M1 Monitor the processes
COBIT—Content
High-level Control Objective
One per process
Detailed Control Objectives
Three to 30 per process
Control Practices
Five to seven per control objective
COBIT Control Objectives
Based on the 41 primary references
Developed following a rigorous research process
Three to 30 detailed control objectives for each of the 34
processes
Directed to IT management, IT staff, control and audit functions
and business process owners
For each process, detailed control objectives are identified as
« good practice » that need to be in place, and that will be
assessed for sufficiency by the controls professional.
Control objectives provide a working document, a place to start,
from which selections need to be made based on the enterprise
value and risk drivers.
The COBIT Framework
How Is COBIT Used? (Results from Surveys)
To improve audit approach/programs
To support audit work with detailed audit
guidelines
To provide guidance for IT governance
As a valuable benchmark for IS/IT control
To improve IS/IT controls
To standardise audit approach/programs
COBIT—Benefits
What:
Comfort about:
• Dependence on IT
• IT risks are mitigated
• IT delivers value
Assurance of:
• Cost down and revenue up
• Business operations improved
• Service levels maintained
Who:
• Executive
• Business manager
• IT manager
• Project manager
• Developer
• Operations staff
• User
• Security officer
• Auditor
COBIT Products
(Diagram of COBIT products by audience. Audiences: Executives & Boards; Business and Technology Management; Audit, control and security professionals. Questions addressed: What is the IT Control Framework? How to assess the IT Control Framework? How to introduce it in the enterprise? Product elements: Practices; Responsibilities; Performance measures; Critical success factors; Maturity models.)
Management Guidelines
Provide management direction for:
• Getting the enterprise's information and related processes under control
• Monitoring achievement of organisational goals
• Monitoring and improving performance within each IT process
• Benchmarking organisational achievement
Action-oriented and generic
Provide answers to typical management questions:
• How far should we go in controlling IT, and is the cost justified by the benefit?
• What are the indicators of good performance?
• What are the critical success factors?
• What are the risks of not achieving our objectives?
• What do others do? How do we measure and compare?
IT Governance Implementation Guide
(Road map diagram, four phases.)
Identify needs: raise awareness and make the decision; analyse values and risks; select processes
Envision the solution: define where you are; define where you want to be; analyse gaps
Plan the solution: define projects; develop and implement the change plan; road map
Implement the solution: implementation; integrate into day-to-day practices; integrate measures into ITBSC; post-implementation review; feedback
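The "define where you are, define where you want to be, analyse gaps" steps of the road map (and the self assessment called for on the "How do I Comply" slide) can be carried out mechanically once every selected COBIT process has a current and a target maturity score. The script below is an added illustration, not part of the slide deck nor of ISACA's or the author's material. It assumes the 0-5 COBIT maturity scale per process, uses the 15 "most important" process ids from the survey slide as a priority flag, and works on constructed sample scores; the function names `analyse_gaps`, `road_map` and `unassessed` are hypothetical, not any COBIT or ISACA API.

```python
"""Maturity gap analysis over COBIT processes.

Added illustration (not from the slide deck). Process identifiers come from
the slides, the 0-5 maturity scale is the COBIT maturity-model convention,
and every score below is constructed sample data.
"""
from dataclasses import dataclass

# The 15 processes the survey slide rates as most important (from the deck).
MOST_IMPORTANT = {
    "PO1", "PO3", "PO5", "PO9", "PO10",
    "AI1", "AI2", "AI5", "AI6",
    "DS1", "DS4", "DS5", "DS10", "DS11",
    "M1",
}


@dataclass(frozen=True)
class Gap:
    process: str   # COBIT process id, e.g. "DS5"
    current: int   # assessed maturity, 0 (non-existent) to 5 (optimised)
    target: int    # maturity management wants to reach
    priority: int  # 2 if the survey rates the process most important, else 1

    @property
    def size(self) -> int:
        """Number of maturity levels still to climb."""
        return self.target - self.current


def validate_level(level) -> int:
    """Reject scores outside the 0-5 maturity scale or non-integers."""
    if isinstance(level, bool) or not isinstance(level, int) or not 0 <= level <= 5:
        raise ValueError(f"maturity level must be an integer 0..5, got {level!r}")
    return level


def unassessed(current: dict, target: dict) -> list:
    """Processes with a target but no self-assessment score: assess these first."""
    return sorted(p for p in target if p not in current)


def analyse_gaps(current: dict, target: dict) -> list:
    """'Define where you are' vs 'define where you want to be'.

    A process without an assessment counts as level 0, so a forgotten
    process surfaces at the top of the list instead of silently vanishing.
    Gaps are ordered by survey priority, then by size, then by id.
    """
    gaps = []
    for process, wanted in target.items():
        have = validate_level(current.get(process, 0))
        if validate_level(wanted) > have:
            priority = 2 if process in MOST_IMPORTANT else 1
            gaps.append(Gap(process, have, wanted, priority))
    gaps.sort(key=lambda g: (-g.priority, -g.size, g.process))
    return gaps


def road_map(gaps: list, capacity: int) -> list:
    """'Plan the solution': take whole gaps in priority order until the
    improvement capacity for the period (counted in level-steps) is used."""
    chosen, remaining = [], capacity
    for gap in gaps:
        if gap.size <= remaining:
            chosen.append(gap.process)
            remaining -= gap.size
    return chosen


# Constructed self-assessment: current maturity per process (not real data).
CURRENT = {"PO9": 2, "DS5": 1, "DS11": 3, "DS4": 2, "PO8": 1, "DS1": 3}
# Constructed targets agreed with the Compliance Officer and the auditors.
TARGET = {"PO9": 4, "DS5": 4, "DS11": 3, "DS4": 3, "PO8": 3, "DS10": 2, "DS1": 3}

if __name__ == "__main__":
    for process in unassessed(CURRENT, TARGET):
        print(f"{process}: no self-assessment score, treated as level 0")
    found = analyse_gaps(CURRENT, TARGET)
    for g in found:
        print(f"{g.process:5} level {g.current} -> {g.target} (+{g.size}) priority {g.priority}")
    print("this period:", road_map(found, capacity=5))
```

Two design choices matter for the audit trail: a targeted process that was never assessed is scored 0 rather than skipped, so it appears first and is reported separately by `unassessed`; and `validate_level` refuses anything outside the 0-5 scale, so a typo in a spreadsheet export cannot quietly close a gap. The greedy `road_map` is deliberately simple; it shows which gaps fit into one improvement period, which is the input the Compliance Officer and auditors need to be kept informed of.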
Conclusion—COBIT Values
Present:
Sharing knowledge and leveraging expert volunteers
Internationally accepted good practices
Continually evolves
Maintained by reputable not-for-profit organisation
Maps strongly onto all major related standards
Is management-oriented
Is supported by tools and training
Maps completely to ISO17799 and COSO
Future:
Provide action-oriented solutions
The COBIT Framework
IT Governance Institute
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
+1.847.590.7491
info@itgi.org
info@isaca.org
www.isaca.org
www.itgi.org
John R. Robles and Associates
787-647-396
jrobles@coqui.net
www.johnrrobles.com
Thank You!
Questions and Answers.