getting to grips with cobit - uninett
TRANSCRIPT
Getting to Grips with CobiT
– Enterprise Architecture, a conseptual approach to IT Covernance or how to understand the difference between IT
Governance and IT Management
Who am I ?
Jan Bjørnsen: Working with this for nearly 20 years. In-depth skills and knowledge in IT Governance, Information Security, counceling and negotiation/contracting.
Author of «Slik får du IT-styring og kontroll» , Universitetsforlaget
1: IT Governance and IT Management The Straw Model
• You need a “Modus Operandi” that will focus on IT Governance and IT Management and I will give a brief presentation of the Straw Model to put everything into perspective.
– We will look at Administrative, non-technical issues vs. Operational, technical activities
– And the balance between Governing Documents vs. Dynamic documents like guidelines, procedures etc
• Some different sketches....
Frameworks and standards – an overview
ISO 38500 COSO COBIT
ITIL v2.5
ITIL v3 ISO 20001
ISO 2700x
ISO 900x
Common Criteria
What do we want…
Administrative, Non-technical
Operative, Technical
Stat
isc
D
ynam
ic
Policy
Principles
Procedures
Guide Lines
Strategy
Straw Model of Architecture Vision
IT/IS ITIL/ISO....
Risk Management
Valued Deliveries
Governance Architecture
Implementation
Functions
Responsibility
Procedures
Policy
Internal ”self - ”control
Cobit Processes
Roles
Plans
Cobit processes
Guidelines Plan Monitor
Report
Detailed ”workbook”
Continuity/ Assessments/etc
Straw Model for Security Architecture
Vision
IT/IS
ContingencyInformation
security
Security
Architecture
Implementation
Security
Functions
Responsibility
Procedures
Policy
Continuity
Policy
Principles
Procedures
Guide Lines
Strategy
Internal
control
ProcessesRoles
Plans
Cobit
processes
Guidelines
IT Operations
Workbook
Instructions
Monitor
Report
Data
RecoveryTerror
Guidelines
Physical
SecurityFraud
Personnel
Security
Perimeter
securityInternal External
Guidelines Guidelines
HSE/
Staff
Guidelines
IT Governance
Tjenester IT Governance
Resource
Management
Governance vs. Management
Tjenester
Resource
•Process management
•Process Implementation
•Operative IT security
•Manage Infrastructure
•Manage Networks
•Incident/Problem handling
•ITIL
•BIA, Criticality Assessments
•Risk Analysis
•Contingency Plans
•Security Standards ISO 2700x
•Personnel Management
•Infrastruktur
•Applications
•Systems
•Actionbased monitoring
•Incident/Problem handling
•Implement Self Control
•IT-strategy
•Organisation potentiale
•Architecture building
IT Governance
Resource
Management
IT Governance vs. IT Management
• Inhouse expertise
• Accountability
• „Provide“ responsibility
• „Supervise“ responsibility
• Outsourced expertise
• Responsibility
• „Execute/maintenance“ responsibility
”The Triangle of Responsibility”
”Provide”-responsibility
«Accountable» in RACI
”Execute”-responsibility
«Responsible» in RACI
-Self Assurance
-Internal Control
”Supervise”-responsibility
«Consulted/Informed» in RACI
-Evaluates Control Design
Management/
Outsourced
Responsibility
Governance/
Inhouse
Responsibility
Cobit – a de facto standard ( for IT governance, security, assurance, audit etc.)
• Cobit as a tool has matured from the introduction in 1996 and are today well adept for understanding, control and measure IT. It covers many facets today: – It is a tool for the CIO for governance and control
– It is a tool for the IT Auditor for assurance
– It is a tool to build a good Control Design
– It is a tool for measure compliance and maturity
– It is a tool for Security officers.
Cobit – Different views
Cobit and ITIL
Practical use of CobiT Security Architecture and The Straw
Model • Information security and other security functions can use the Straw
Model to put everything into perspective.
• How to create governing documents
• How to present a strategy for implementation
• Creating Dynamic documents like security guidelines, implement security in procedures etc.
• Different samples.....
Straw Model of Architecture by Cobit
Straw Model for Security Architecture
Vision
IT/IS
ContingencyInformation
security
Security
Architecture
Implementation
Security
Functions
Responsibility
Procedures
Policy
Continuity
Policy
Principles
Procedures
Guide Lines
Strategy
Internal
control
ProcessesRoles
Plans
Cobit
processes
Guidelines
IT Operations
Workbook
Instructions
Monitor
Report
Data
RecoveryTerror
Guidelines
Physical
SecurityFraud
Personnel
Security
Perimeter
securityInternal External
Guidelines Guidelines
HSE/
Staff
Guidelines
Straw Model of Architecture by organisation
Sample of documents
•Principles of Information Security
•Security Guidelines
•Control activity defined in processes
As an example of the 5 IT Governance areas, I have chosen Risk Management for presentation purposes.
Do Risk Assessment and a Maturity Mapping
• Based on requirements in your SLA you need to know the Criticality of each system to ensure your Continuity plan cover the right systems
(Example SmartRisk Access database)
• You also need to know how mature your organisation are related to Cobit
(Example process DS 4 Ensure Continuous Services- RACI chart Excel)
Risk - CISM manual has a good description of operational risk
• Facilities and operational environment risk
• HSE risk
• Information Security risk
• Control Framework Risk
• Legal and regulatory Compliance risk
• Corporate Govenance risk
• Technology risk
• Project management risk
• Crime and fraud risk
Personnel risk
Supplier risk
Information management risk
Reputation risk
Strategic risk
Process and attitude risk
Ethical risk
Geopolitical risk
Cultural risk
Clima and weather risk
Contingency - on its own or as a part of the security architecture
What are your goal(s)?
• Contingency/Continuity
How to incorporate IT Continuity and IT Disaster Recovery plans into the architecture “Straw Model” with sample of layout and detailed description of time slot activites, Incident Respone Teams, Disaster Recovery Teams and Instructions and decision Gates to move through all phases of a critical situation.
• You need to understand the different levels of Continuity.
– Backup/Restore
– Continuity plans
– IT Disaster Recovery Plans
– Business Continuity Plans
• You also need to know how mature your organisation are related to Cobit process DS 4 Ensure Continuous Services
Our Framework Methodology
Contingency plan
BCP DRP
• BCP – Business Continuity Plan - (Using ISACA’s prinsiples)
• DRP – Disaster Recovery Plan - (Using CobiT’s Continuity process)
The first critical phases can be solved by using Incident Response Team.
• example, (Must be based on your SLA and Criticality Assessments)
Critical Timeslot for FIRST DECISION POINT are 40 minutes Timeslot for SECOND DECISION POINT are 60 minutes (1 hour) Timeslot for THIRD DECISION POINT are 120 minutes (2 hours)
T1 T2 T3
Contingency
If your Continuity plan do not solve the problem you must escalate. The IT Disaster Recovery Plan and BCP have 8 phases
• 1 The Notification phase – First (1) point of decision (further notification of IRT or “all clear/no danger” or move to second decision
point directly)
• 2 The Overview phase – Second (2) point of decision (establish Disaster management Team or decide “all clear/no danger”)
• 3 The Response phase
• 4 The Activity phase
• 5 The Establishing phase – Third (3) point of decision (establish operation/production or further escalation)
• 6 The Operation phase – Fourth (4) point of decision (transition to standard operation or keep the alternately operation)
• 7 Return to Normal Operation phase
• 8 The Termination phase – Fifth (5) point of decision (wind up the Disaster Management Team and re-establish normal operation)
Sample of documents
• Contingency Principles
• Incident Response Team Authorisation Letter
• Continuity plan
• IT Disaster Recovery Plan
• Business Continuity Plan
Questions
Contact Information
Jan Bjørnsen
Scandinavian Business Security Ltd.
Mob: +47 90 18 18 64
E-mail: [email protected]
Web: www.sbsec.com