Establishing a Control Strategy for a Green Field Organization (12 pages; uploaded by sam-lodhi, posted 03-Nov-2014)

Page 1: Establishing a Control Strategy for a Green Field Organization

Copyright 2013. Sam Lodhi & I.B.R.S. plc. All Rights Reserved 1

Author: Sam Lodhi

XXX ORG

Information Technology

Control Framework

Page 2: Establishing a Control Strategy for a Green Field Organization


Figure 1: Sarbanes-Oxley: Internal Control Components Source: IT Control Objectives for Sarbanes Oxley, ISACA

Though not a financial institution we can leverage the lesson learnt in banking and finance to increase controls within IT.

• Control Environment

• Risk Assessment

• Control Activities

• Information & Communication

• Monitoring


Page 3: Establishing a Control Strategy for a Green Field Organization

Figure: control maturity by internal control component (vertical axis: Increase in Control Maturity; horizontal axis: Risk Level; legend: ▀ Very High ▀ High ▀ Medium ▀ Low ▀ Very Low). Components plotted: Monitoring*, Information & Communication*, Control Activities*, Risk Assessment*, Control Environment.

* Not tested but maturity inferred


Page 4: Establishing a Control Strategy for a Green Field Organization


Maturity scale (Weakness Value, Maturity Level, Description):

5 Non-existent / Ad-hoc
• Non-existent, or some control exists but it is informal and ad-hoc

4 Repeatable
• Some control is implemented and is repeatedly used

3 Defined
• Some control is implemented
• Is repeatedly used
• Plans are formally in place to achieve full compliance
• Policy change or exception request

2 Measurable
• This control is fully implemented and can be substantiated
• Compliance has not been reviewed within the last 2 years

1 Verified Effective
• This control is fully compliant and has been independently reviewed within the last 2 years

NA Not Applicable
• This control is not applicable


Page 5: Establishing a Control Strategy for a Green Field Organization

• IT strategic planning.

• IT organization and relationships.

• Communication of management aims and direction.

• Management of human resources.

• Management of quality.

• Define and manage service levels.

• Manage third-party services.

• Educate and train users.

• Independent assurance.


▀ Company level ▀ Activity Level


Page 6: Establishing a Control Strategy for a Green Field Organization

• IT strategic planning.

• Assessment of risk.

• Manage third-party services.

• Manage facilities.


▀ Company level ▀ Activity Level


Page 7: Establishing a Control Strategy for a Green Field Organization

• Information architecture.

• Management of quality.

• Acquire and develop application software.

• Acquire technology infrastructure.

• Develop and maintain policies and procedures.

• Install and test application software and technology infrastructure.

• Manage change.

• Define and manage service levels.

• Manage third-party services.

• Manage performance and capacity.

• Ensure system security.

• Manage configuration.

• Manage problems and incidents.

• Manage data.

• Manage operations.


▀ Company level ▀ Activity Level


Page 8: Establishing a Control Strategy for a Green Field Organization

• IT strategic planning.

• Information architecture.

• IT organization and relationships.

• Communication of management aims and direction.

• Management of human resources.

• Compliance with external requirements.

• Management of quality.

• Develop and maintain policies and procedures.

• Ensure systems security.

• Manage configuration.

• Manage problems and incidents.

• Manage data.

• Manage operations.

• Monitoring.


▀ Company level ▀ Activity Level


Page 9: Establishing a Control Strategy for a Green Field Organization

• IT strategic planning.

• Communication of management aims & direction.

• Compliance with external requirements.

• Management of quality.

• Manage change.

• Define & manage service levels.

• Manage third-party services.

• Manage performance and capacity.

• Ensure systems security.

• Manage problems and incidents.

• Monitoring.

• Adequacy of internal controls.

• Independent assurance.

• Internal audit.


▀ Company level ▀ Activity Level


Page 10: Establishing a Control Strategy for a Green Field Organization

Figure: control maturity by internal control component (vertical axis: Increase in Control Maturity; horizontal axis: Risk Level; legend: ▀ Very High ▀ High ▀ Medium ▀ Low ▀ Very Low). Components plotted: Monitoring, Information & Communication, Control Activities, Risk Assessment, Control Environment.


Page 11: Establishing a Control Strategy for a Green Field Organization

Each internal control component is taken through the same two steps:

Control Environment: • Gap Analysis • Control Mitigation

Risk Assessment: • Gap Analysis • Control Mitigation

Control Activities: • Gap Analysis • Control Mitigation

Info & Comms: • Gap Analysis • Control Mitigation

Monitoring: • Gap Analysis • Control Mitigation

Implementing any major IT security control activities will be ineffective due to the lack of system and control integrity. (Further details in forthcoming report.)

▀ Company level - Actions at the company level require fundamental changes within the business and therefore must be approved by executive management and pushed downwards.

▀ Activity Level – Actions which can be implemented locally but may require departmental changes.
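The maturity scale on page 4 and the gap analysis on page 11 describe a scoring scheme but do not show it applied. The following Python is an added example, not code from the original deck or from I.B.R.S.: it rates each control objective from assessment evidence using the deck's weakness values, rolls the ratings up by internal control component and reports the gap against a target value. The evidence fields, the rule that a component's rating is set by its weakest applicable control, the mapping of weakness values to the heat-map risk labels, and the sample controls are assumptions constructed for this illustration.

```python
"""Control maturity scoring and gap analysis (added example, not from the deck)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Weakness value -> maturity level name, as in the deck's maturity table
LEVELS = {5: "Non-existent / Ad-hoc", 4: "Repeatable", 3: "Defined",
          2: "Measurable", 1: "Verified Effective"}

# Assumed mapping of weakness value to the heat-map legend on pages 3 and 10
RISK_LABELS = {5: "Very High", 4: "High", 3: "Medium", 2: "Low", 1: "Very Low"}

REVIEW_WINDOW_YEARS = 2  # "within the last 2 years"


@dataclass
class ControlEvidence:
    """Assessment evidence for one control objective (fields are assumptions)."""
    component: str                 # internal control component it belongs to
    name: str                      # e.g. "Manage change"
    applicable: bool = True
    implementation: str = "none"   # none | informal | partial | full
    repeatable: bool = False       # used consistently rather than one-off
    formal_plan: bool = False      # documented plan to reach full compliance
    substantiated: bool = False    # evidence shows the control operates
    last_review_year: Optional[int] = None  # last independent review, if any


def rate_control(ev: ControlEvidence, current_year: int):
    """Return the weakness value 1..5, or "NA", for one control."""
    if not ev.applicable:
        return "NA"
    if ev.implementation in ("none", "informal"):
        return 5                                    # Non-existent / Ad-hoc
    if ev.implementation == "full" and ev.substantiated:
        reviewed = (ev.last_review_year is not None
                    and current_year - ev.last_review_year <= REVIEW_WINDOW_YEARS)
        return 1 if reviewed else 2                 # Verified Effective / Measurable
    # Partially implemented, or claimed full but not substantiated
    if ev.repeatable and ev.formal_plan:
        return 3                                    # Defined
    if ev.repeatable:
        return 4                                    # Repeatable
    return 5                                        # exists but ad-hoc


def component_ratings(controls: List[ControlEvidence], current_year: int) -> Dict[str, int]:
    """Rate each component by its weakest applicable control (assumption)."""
    worst: Dict[str, int] = {}
    for ev in controls:
        score = rate_control(ev, current_year)
        if score == "NA":
            continue
        worst[ev.component] = max(worst.get(ev.component, 0), score)
    return worst


def gap_analysis(controls: List[ControlEvidence], targets: Dict[str, int],
                 current_year: int) -> Dict[str, dict]:
    """Compare current component ratings with target weakness values."""
    current = component_ratings(controls, current_year)
    report = {}
    for comp, target in targets.items():
        cur = current.get(comp)
        report[comp] = {
            "current": cur,
            "target": target,
            "risk": RISK_LABELS.get(cur, "Not rated"),
            "gap": None if cur is None else cur - target,
        }
    return report


# Constructed sample assessment (not real data)
SAMPLE_CONTROLS = [
    ControlEvidence("Control Environment", "IT strategic planning",
                    implementation="partial", repeatable=True),
    ControlEvidence("Control Environment", "Management of human resources",
                    implementation="full", substantiated=True, last_review_year=2010),
    ControlEvidence("Risk Assessment", "Assessment of risk", implementation="informal"),
    ControlEvidence("Control Activities", "Manage change",
                    implementation="full", substantiated=True, last_review_year=2012),
    ControlEvidence("Control Activities", "Ensure system security",
                    implementation="partial", repeatable=True, formal_plan=True),
    ControlEvidence("Monitoring", "Internal audit", applicable=False),
]

# Target weakness values per component (constructed)
SAMPLE_TARGETS = {"Control Environment": 2, "Risk Assessment": 2,
                  "Control Activities": 2, "Monitoring": 1}


def sample_report(current_year: int = 2013) -> Dict[str, dict]:
    """Run the gap analysis over the constructed sample."""
    return gap_analysis(SAMPLE_CONTROLS, SAMPLE_TARGETS, current_year)


if __name__ == "__main__":
    for comp, row in sample_report().items():
        print(f"{comp:22} current={row['current']} target={row['target']} "
              f"risk={row['risk']} gap={row['gap']}")
```

Using the weakest control to rate a component is deliberately pessimistic: a single ad-hoc objective keeps the whole component at "Very High" on the heat map, which matches the deck's point that company-level weaknesses have to be closed before activity-level controls can be effective. A component with no applicable controls is reported as "Not rated" rather than silently scored.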


Page 12: Establishing a Control Strategy for a Green Field Organization

• For advice & a consultation visit:

http://www.ibrs.com


For more information about the Author: Sam Lodhi