IT General Controls 31
Business Alignment
The IT planning efforts need to be integrated with the organization’s business plans. As business plans change and business priorities evolve, the IT function needs a process to continually refine priorities. IT also needs to acquaint the business with what is currently possible, and at what price.
If not actively involved in the strategic planning processes, IT management at least needs to understand the organization’s strategic directions and plans in detail.
IT can take a leadership role by developing data-driven strategies, integrated application portfolios, and “blue sky” awareness of emerging technologies and competitor activities.
Developing, implementing and continuously improving management systems should be part of IT’s overall quality strategy.
Things to Look For....
• Adequate segregation of duties
• Implemented controls for recruitment and staff procedures
• Adequate and ongoing training programs
• Adherence to enterprise processes:
  • Evaluation processes
  • PTO processes
SOD
Main objective for Segregation of Duties in the IT organization: responsibility for all aspects of processing data does not rest with a single individual, group or department.
SOD: IT and User Departments
The user department does not perform its own IT duties. Users sometimes provide their own IT support (e.g., help desk) BUT should not do security, programming and other critical IT duties.
User departments should be expected to provide input into systems and application development and provide a quality assurance function during the testing phase.
Users of a new application must test it before it goes into operation and sign a user acceptance agreement indicating it is performing according to the information requirements.
SOD: DBA vs. Rest of IT
DBA - critical position requiring high level of SoD.
• DBA knows everything about the data, database structure and database management system
• Superuser has what security experts refer to as “keys to the kingdom”
• Leads to an extremely high level of assessed risk in the IT function
Segregate the DBAs from everything except what they must have to perform their duties:
• Installation, configuration, upgrade, and migration
• Backup and recovery
• Storage and capacity planning
• Performance monitoring and tuning
IT auditor reviews an organization chart:
• The DBA would be in a symbol that looks like an island with no other functions reporting to the DBA
• No responsibilities or interaction with programming, security or computer operations
Segregating Functions
IT functions that should be segregated include:
• Initiation
• Authorization
• Input
• Processing
• Checking / Quality Assurance
Primary Segregation of Duties
Primary segregation of duties is between operational areas and systems development areas:
• Operations is responsible for running production systems only
• Systems development is responsible for designing and writing of applications only
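As an added example that is not part of the deck, the segregation rules from the SOD slides (segregated functions, operations vs. development, DBA vs. the rest of IT, user help desk vs. security and programming) are encoded as a conflict matrix and applied to constructed staff, department and reporting-line data, so the auditor's review of a role matrix and org chart becomes a repeatable check. All names, role labels and the pair-wise reading of the five segregated functions are assumptions of this example.

```python
"""Segregation-of-duties checks over a role matrix and org chart.

Added example, not from the deck: the segregation rules stated on the SoD
slides are encoded as pairs of functions one party must not hold together,
and applied to constructed staff, department and reporting-line data.
"""
from collections import defaultdict
from itertools import combinations
from typing import Dict, Iterable, List, Set, Tuple

# Five functions the deck says should be segregated. Treating every pair of
# them as a conflict is this example's reading of that list.
SEGREGATED_FUNCTIONS = ["initiation", "authorization", "input", "processing", "checking_qa"]

CONFLICTS: Set[frozenset] = {frozenset(p) for p in combinations(SEGREGATED_FUNCTIONS, 2)} | {
    frozenset({"operations", "development"}),    # ops runs production only; dev writes only
    frozenset({"dba", "development"}),           # DBA segregated from programming,
    frozenset({"dba", "security"}),              # security and
    frozenset({"dba", "operations"}),            # computer operations
    frozenset({"user_helpdesk", "security"}),    # users may run a help desk but not
    frozenset({"user_helpdesk", "development"}), # security or programming
}


def find_conflicts(assignments: Dict[str, Iterable[str]]) -> Dict[str, List[Tuple[str, str]]]:
    """Map each party to the sorted conflicting pairs it holds; clean parties are omitted."""
    findings: Dict[str, List[Tuple[str, str]]] = {}
    for party, funcs in assignments.items():
        held = set(funcs)
        hits = sorted(tuple(sorted(pair)) for pair in CONFLICTS if pair <= held)
        if hits:
            findings[party] = hits
    return findings


def department_conflicts(assignments, department_of):
    """Aggregate functions per department and re-apply the matrix.

    The deck's objective is that no single individual, group OR department
    holds all aspects of processing, so two clean individuals can still
    combine into a departmental conflict.
    """
    agg = defaultdict(set)
    for person, funcs in assignments.items():
        agg[department_of[person]] |= set(funcs)
    return find_conflicts(agg)


def dba_with_reports(assignments, reports_to):
    """Org-chart check from the deck: a DBA should be an 'island' with no other
    functions reporting to them. Returns DBAs who have direct reports."""
    dbas = {p for p, f in assignments.items() if "dba" in set(f)}
    return sorted({mgr for mgr in reports_to.values() if mgr in dbas})


# Constructed sample data (hypothetical people, departments and reporting lines).
SAMPLE_ASSIGNMENTS = {
    "alice": {"development"},
    "bob": {"operations"},
    "carol": {"dba", "development"},           # DBA who also programs
    "dave": {"initiation", "authorization"},   # raises and approves requests
    "erin": {"user_helpdesk"},
    "frank": {"dba"},
}
SAMPLE_DEPARTMENT = {
    "alice": "it_delivery", "bob": "it_delivery",   # dev and ops in one department
    "carol": "dba_team", "frank": "dba_team",
    "dave": "finance", "erin": "finance",
}
SAMPLE_REPORTS_TO = {            # person -> manager
    "alice": "gina", "bob": "gina", "carol": "gina", "dave": "gina",
    "erin": "gina", "frank": "gina",
    "hank": "frank",             # someone reports to a DBA
}

if __name__ == "__main__":
    print("individuals:", find_conflicts(SAMPLE_ASSIGNMENTS))
    print("departments:", department_conflicts(SAMPLE_ASSIGNMENTS, SAMPLE_DEPARTMENT))
    print("DBAs with reports:", dba_with_reports(SAMPLE_ASSIGNMENTS, SAMPLE_REPORTS_TO))
```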
Defining Data Centers
Gartner defines a data center as a department within a business that houses and maintains its back-end IT systems, mainframe servers and databases.
• Previously, centralized IT was the norm and all these systems were housed in one place
• With distributed IT models, single-site data centers are much less common
• “Data center” still refers to the department responsible for these centers, regardless of how dispersed they are
Essential Data Center Aspects
On-demand access
• Users specify the service requirements and these are automatically provisioned by the data center.
Measured service
• Service requirements are measurable so consumers can be charged for resource usage.
Network access
• A portal or platform should be supplied to users so they can submit and manage their jobs.
Resource pooling
• Resources in the data center can be shared by consumers with different SLAs.
Virtualization
• The data center topology should not matter to the user. Applications are easily migrated across hardware platforms as demands and usage change automatically.
Reliability
• Multiple redundant copies of stored content exist.
Maintenance
• Handled by a professional, dedicated IT team.
IT Infrastructure
IT infrastructure refers to:
§ Mainframes and Servers
§ Network Connectivity
§ IT processes that support them
Very Costly
Physical Security
• Policy exists and approved within the last 24 months
• Physical access to data center is restricted
• Badge authorization for computer room areas
  • New User
  • Access Review
• Pre-Approved contractor list exists and is approved
• Access for individuals without a permanent badge is approved
• Individuals requiring access to Data Center must sign in
• Visitor / Supplier is escorted to the Data Center
• Computer room contains environmental devices / equipment
• Backup power sources exist
Physical Security
Physical protection of personnel and equipment:
• Security guards
• Perimeter fences
• Intrusion detection systems
• Closed circuit television / security cameras
• Access control systems (card keys) with appropriate reporting tools
• Biometric controls
Things to Look For….
Fire protection and prevention
• Halon
• CO2
• Water
• Testing of alarms
Continuity of power supplies
• Quality monitoring of power supply
• Uninterruptible power supply (UPS)
• Dual supply systems - from multiple power grids and/or providers
COBIT – DS 13 Manage Operations
Operations Management
Define, implement and maintain procedures for:
• IT operations staff to be familiar with all tasks
• Backup and restoration of systems, applications, data
• Documentation in line with business requirements and the continuity plan
• Inventory of stored and archived media to ensure their usability and integrity
Operations Management
• Store offsite all critical backup media, documentation and other IT resources necessary for IT recovery and business continuity
• Organize the scheduling of jobs, processes and tasks into the most efficient sequence, maximizing throughput and utilization to meet business requirements
• Test the IT disaster recovery plan on a regular basis ensuring IT systems can be effectively recovered, shortcomings are addressed and the plan remains relevant
Things to Look For….
• Data is stored securely (based on media type)
• Media disposal procedures ensure that the security of corporate data is not compromised
• Physical inventory taken of off-site media
• Production jobs are prioritized
• Rerun / Restart procedures are implemented
Things to Look For….
• Reporting on how SLAs are met and the results
• Number of service levels impacted by operational incidents
• Hours of unplanned downtime
• Reporting and monitoring of incidents
• Rerun / Restart procedures are implemented
Why The Need?
Backward Looking Visibility
• Quickly correlate new incidents back to a change
• Ensure the incidents can be remediated
Forward Looking Visibility
• Avoid technical conflicts with other changes
• Avoid resource conflicts with other changes
Governance
• Doing the right thing, at the right time, the right way
• Mitigate Risk to The Business
Why Audit Change Management?
Increased regulatory requirements
• Focus from Audit Committee and Senior Management
• Internal auditors responsible for providing IT controls assurance
Technology is everywhere
• All business decisions result in at least one IT change
• Changes not controlled can impact the entire organization
• According to analysts, 80% of all outages are due to change
Responsibility for IT change management
• Rests with IT
• Covers programs, hardware, software, patches, etc.
Understand Change Management
• Business requirements: high degree of IT uptime (availability)
• Regulatory requirements: controls to ensure the confidentiality and integrity of information
• Stable and managed IT production environments: changes are implemented in a predictable and repeatable manner
• IT personnel implementing changes must follow a controlled process that is defined, monitored and enforced
• Combination of preventative controls (segregation of duties) and detective controls (supervisory)
COBIT – BAI 06
BAI06 Manage Changes
Area: Management
Domain: Build, Acquire and Implement
Process Description
Manage all changes in a controlled manner, including standard changes and emergency maintenance relating to business processes, applications and infrastructure. This includes change standards and procedures, impact assessment, prioritization and authorization, emergency changes, tracking, reporting, closure and documentation.
Process Purpose Statement
Enable fast and reliable delivery of change to the business and mitigation of the risk of negatively impacting the stability or integrity of the changed environment.
Change Management
§ All requests for changes, system maintenance and supplier maintenance are:
• Subject to formal change management procedures
• Categorized and prioritized, and specific procedures are in place to handle urgent matters
• Assessed in a structured way for all possible impacts on the system and its functionality
Phases of Change
Request
• Capture
• Documentation and tracking
• Filtering and prioritization
• Categorization
Risk
• Impact:
  • Business
  • IT
• Change reversibility
• External factors
Planning
• Review and approval
• Change scheduling
• Back-out and testing plans
• Change communication
• Change build
Testing
• Resource allocation and coordination
• Change rollout
• Sensitive production information is not used in the development/test environment
Change Management Processes
COSO ERM Model For Change & Patch Management (diagram components: Internal Environment, Objective Setting, Event Identification, Risk Assessment, Risk Response, Control Activities, Information & Communication, Monitoring)
Control Activities:
• Common process in place and documented
• Effective Change Control Committee structure
• Change Control Log used
• SOD between developers and technical staff
• Automated controls to enforce process of promoting changes into production
• Automated process to return production environment to pre-change state
• Approved configurations documented
• Clear delegation of authority documented
• Approvals for changes documented
• Automated system and data backups
• Ability to restore from approved environment
Change Management Processes
COSO ERM Model For Change & Patch Management (diagram components: Internal Environment, Objective Setting, Event Identification, Risk Assessment, Risk Response, Control Activities, Information & Communication, Monitoring)
Risk Assessment:
• Strategic Risk Assessments consider risks associated with unintended or unauthorized changes
• Risks well understood by IT
• Risk Assessment of all proposed changes performed
• Business Continuity Planning in place
• Internal Audit assessment performed
• Risk factors assessed to determine classification of the change and level of testing and approval
Change Management Risks
• Changes not being recorded and tracked
• Emergency changes implemented without adequate oversight
• Lack of priority management of changes
• Unauthorized business process changes being introduced into the operations
• Financial statements being materially misstated
• Inconsistent processing results
• Erroneous processes, unauthorized business processes and inefficiencies
Change Management Risks
• Additional access authorization not being terminated properly
• Unauthorized changes being applied, resulting in compromised security and unauthorized access to corporate information
• Failure to meet compliance requirements
• Adverse effects on capacity and performance of the infrastructure
• System or application failure, resulting in lack of availability
• Reduced system availability
• Security intrusions
Things to Look for….
Processes
• Documented and maintained
• Followed
• Controlled
Testing
• Performed on all changes by IT and the user
• Traced to requirements
• Signed off
Emergency Changes
• Follow the same process but at an accelerated pace
• Recorded and authorized by IT management prior to implementation
• Reviewed and approved timely
Release Management
• Reviewed and approved at least every two years or as needed
• Process to release / promote changes to the production environment
• Two main environments:
  • Mainframe – usually using Endevor
  • Distributed – various tools like Serena
COBIT BAI07.06 - Releases
Management Practice
BAI07.06 Promote to production and manage releases. Promote the accepted solution to the business and operations. Where appropriate, run the solution as a pilot implementation or in parallel with the old solution for a defined period and compare behavior and results. If significant problems occur, revert back to the original environment based on the fallback/back out plan. Manage releases of solution components.
Outputs (Description → To)
• Release plan → BAI10.01
• Release log → Internal
Activities
1. Prepare for transfer of business procedures and supporting services, applications and infrastructure from testing to the production environment in accordance with organizational change management standards.
2. Determine the extent of pilot implementation or parallel processing of the old and new systems in line with the implementation plan.
3. Promptly update relevant business process and system documentation, configuration information and contingency plan documents, as appropriate.
4. Ensure that all media libraries are updated promptly with the version of the solution component being transferred from testing to the production environment. Archive the existing version and its supporting documentation. Ensure that promotion to production of systems, application software and infrastructure is under configuration control.
5. Where distribution of solution components is conducted electronically, control automated distribution to ensure that users are notified and distribution occurs only to authorized and correctly identified destinations. Include in the release process back out procedures to enable the distribution of changes to be reviewed in the event of a malfunction or error.
6. Where distribution takes physical form, keep a formal log of what items have been distributed, to whom, where they have been implemented, and when each has been updated.
Things to Look for….
• Unauthorized changes
• Processes are followed
• Developer not moving changes into production
• Ability to trace changes from production libraries to Endevor
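The change- and release-management "things to look for" above, as an added example that is not part of the deck: a constructed change log and a set of production promotions are reconciled so that every promotion traces back to a recorded change that was approved before implementation, tested and signed off, and has a back-out plan; emergency changes must carry IT-management authorization dated before implementation; and no developer approves or promotes their own change. Field names, package ids (standing in for Endevor/Serena package references) and all records are assumptions of this example.

```python
"""Reconcile production promotions against the change log.

Added example, not from the deck: the 'things to look for' on the release
and change-management slides turned into automated checks. Every record
below is constructed sample data; package ids stand in for Endevor/Serena
package references.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional


@dataclass
class Change:
    change_id: str
    developer: str                          # who built the change
    approved_by: Optional[str]              # approver recorded in the change log
    approved_at: Optional[datetime]
    tested_signed_off: bool                 # test traced to requirements and signed off
    backout_plan: bool                      # back-out / roll-back plan documented
    emergency: bool = False
    it_mgmt_authorized_at: Optional[datetime] = None  # required for emergency changes


@dataclass
class Promotion:
    package: str                 # production library package (Endevor / Serena)
    change_id: Optional[str]     # change reference recorded with the promotion
    promoted_by: str
    promoted_at: datetime


def audit(changes: List[Change], promotions: List[Promotion]) -> Dict[str, List[str]]:
    """Return {package: [findings]} for promotions that fail any check.

    A promotion passes when it traces to a recorded change that was approved
    (or, for an emergency change, authorized by IT management) before it was
    implemented, was tested and signed off, has a back-out plan, and was
    neither approved nor promoted by its own developer (segregation of duties).
    """
    by_id = {c.change_id: c for c in changes}
    findings: Dict[str, List[str]] = {}
    for p in promotions:
        issues: List[str] = []
        chg = by_id.get(p.change_id) if p.change_id else None
        if chg is None:
            issues.append("not traceable to a recorded change")
        else:
            if chg.emergency:
                if chg.it_mgmt_authorized_at is None or chg.it_mgmt_authorized_at > p.promoted_at:
                    issues.append("emergency change not authorized by IT management before implementation")
            elif chg.approved_by is None or chg.approved_at is None or chg.approved_at > p.promoted_at:
                issues.append("promoted without prior approval")
            if not chg.tested_signed_off:
                issues.append("no test sign-off")
            if not chg.backout_plan:
                issues.append("no back-out plan")
            if chg.approved_by == chg.developer:
                issues.append("approved by its own developer (SoD)")
            if p.promoted_by == chg.developer:
                issues.append("developer promoted own change (SoD)")
        if issues:
            findings[p.package] = issues
    return findings


T = datetime  # shorthand for the constructed timestamps below

CHANGES = [
    Change("CHG-1001", "alice", "pat", T(2024, 3, 1, 9), True, True),
    Change("CHG-1002", "bob", None, None, True, True),                   # never approved
    Change("CHG-1003", "carol", "pat", T(2024, 3, 3, 10), False, True),  # no test sign-off
    Change("CHG-1004", "dave", None, None, True, True,
           emergency=True, it_mgmt_authorized_at=T(2024, 3, 4, 23)),     # authorized after the fact
    Change("CHG-1005", "erin", "erin", T(2024, 3, 5, 9), True, False),   # self-approved, no back-out
]

PROMOTIONS = [
    Promotion("PKG0001", "CHG-1001", "ops_release", T(2024, 3, 2, 2)),
    Promotion("PKG0002", "CHG-1002", "ops_release", T(2024, 3, 2, 3)),
    Promotion("PKG0003", "CHG-1003", "carol", T(2024, 3, 3, 12)),        # developer promoted own change
    Promotion("PKG0004", "CHG-1004", "ops_release", T(2024, 3, 4, 20)),
    Promotion("PKG0005", None, "ops_release", T(2024, 3, 6, 1)),         # no change reference at all
    Promotion("PKG0006", "CHG-1005", "ops_release", T(2024, 3, 6, 2)),
]

if __name__ == "__main__":
    for package, issues in audit(CHANGES, PROMOTIONS).items():
        print(package, "->", "; ".join(issues))
```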
Things to Look for….
• Release and deployment plans appropriately authorized before executed
• Communicated to end users and stakeholders
• Back-out / roll back plans are developed so the production environment can be restored to the pre-change state
• Systems personnel and end users understand the disaster recovery/business continuity procedures to follow
Alignment
Aligning IT and Business Priorities is an On-Going Effort
Where does one start?
• The organization’s strategic planning effort should be the first place to start
What does IT need to do?
• The IT planning efforts need to be integrated with the organization’s business plans
According to GAO research, high-performing organizations have strong IT investment management processes in addition to robust business planning processes and IT management practices.
Strategic Planning
• Create a strategic plan that defines how IT goals will contribute to the enterprise’s strategic objectives and related costs and risks
• Create a portfolio of tactical IT plans derived from the IT strategic plan
• Describe required IT initiatives, resource requirements, and how the use of resources and achievement of benefits will be monitored and managed
• Assess the current capability and performance of solution and service delivery to establish a baseline against which future requirements can be compared
Five Critical Issues
• Does management have a strategic IT plan in place which is updated regularly and supports the annual plans, budgets and prioritization of the various IT efforts?
• What level of investment in IT and IT security has occurred over the past two to three years and over the next two to three years?
• Have the roles and responsibilities for IT management, including IT investment management, been defined and assigned within the organization?
• Have performance indicators for the IT function and IT security function been developed? Is performance being periodically reported to the board?
• Does management monitor IT’s performance as well as its capability to continue providing the services upon which the organization relies?
COBIT APO02.05
• Define the initiatives required to close gaps and migrate from the current to the target environment, including investment/operational budget, funding sources, sourcing strategy and acquisition strategy.
• Identify and adequately address risk, costs and implications of organizational changes, technology evolution, regulatory requirements, business process re-engineering, staffing, insourcing and outsourcing opportunities, etc., in the planning process.
• Determine dependencies, overlaps, synergies and impacts amongst initiatives, and prioritize the initiatives.
• Identify resource requirements, schedule and investment/operational budgets for each of the initiatives.
• Create a road map indicating the relative scheduling and interdependencies of the initiatives.
• Translate the objectives into outcome measures represented by metrics (what) and targets (how much) that can be related to enterprise benefits.
• Formally obtain support from stakeholders and obtain approval for the plan.
COBIT APO02.06
Communicate the IT strategy and direction
Create awareness and understanding of the business and IT objectives and direction, as captured in the IT strategy, through communication to appropriate stakeholders and users throughout the enterprise.
IT Investment Management
Determine whether:
• Significant business priorities are being appropriately identified and assessed on an ongoing basis
• Changes to those priorities are monitored
• Significant investment management controls are operating effectively and consistently
• Risk management techniques are in place and effective
• Management and staff have the processes to respond to new business opportunities as they arise
• IT-related investments are being effectively and efficiently managed
Audit Focus
• Provide guidance on process effectiveness and feedback on managerial decisions and results
• Independently and objectively assess the organization’s efforts to continually align IT and business priorities
• Provide assurance to management and the board that all that should be done is being done
Things to Look for….
• Business goals mapped to IT goals
• Business strategy clearly delineated in IT strategy
• Review of both strategies to ensure alignment
• Approval of plans at highest level
COBIT – Risk Management
EDM03 Process Practices, Inputs/Outputs and Activities
Governance Practice
EDM03.01 Evaluate risk management. Continually examine and make judgement on the effect of risk on the current and future use of IT in the enterprise. Consider whether the enterprise’s risk appetite is appropriate and that risk to enterprise value related to the use of IT is identified and managed.
Inputs (From: Description)
• APO12.01: Emerging risk issues and factors
• Outside COBIT: Enterprise risk management principles
Outputs (Description → To)
• Risk appetite guidance → APO12.03
• Approved risk tolerance levels → APO12.03
• Evaluation of risk management activities → APO12.01
Activities
1. Determine the level of IT-related risk that the enterprise is willing to take to meet its objectives (risk appetite).
2. Evaluate and approve proposed IT risk tolerance thresholds against the enterprise’s acceptable risk and opportunity levels.
3. Determine the extent of alignment of the IT risk strategy to enterprise risk strategy.
4. Proactively evaluate IT risk factors in advance of pending strategic enterprise decisions and ensure that risk-aware enterprise decisions are made.
5. Determine that IT use is subject to appropriate risk assessment and evaluation, as described in relevant international and national standards.
6. Evaluate risk management activities to ensure alignment with the enterprise’s capacity for IT-related loss and leadership’s tolerance of it.
COBIT – Risk Management
Governance Practice
EDM03.02 Direct risk management. Direct the establishment of risk management practices to provide reasonable assurance that IT risk management practices are appropriate to ensure that the actual IT risk does not exceed the board's risk appetite.
Inputs (From: Description)
• APO12.03: Aggregated risk profile, including status of risk management actions
• Outside COBIT: Enterprise risk management (ERM) profiles and mitigation plans
Outputs (Description → To)
• Risk management policies → APO12.01
• Key objectives to be monitored for risk management → APO12.01
• Approved process for measuring risk management → APO12.01
Activities
1. Promote an IT risk-aware culture and empower the enterprise to proactively identify IT risk, opportunity and potential business impacts.
2. Direct the integration of the IT risk strategy and operations with the enterprise strategic risk decisions and operations.
3. Direct the development of risk communication plans (covering all levels of the enterprise) as well as risk action plans.
4. Direct implementation of the appropriate mechanisms to respond quickly to changing risk and report immediately to appropriate levels of management, supported by agreed-on principles of escalation (what to report, when, where and how).
5. Direct that risk, opportunities, issues and concerns may be identified and reported by anyone at any time. Risk should be managed in accordance with published policies and procedures and escalated to the relevant decision makers.
6. Identify key goals and metrics of risk governance and management processes to be monitored, and approve the approaches, methods, techniques and processes for capturing and reporting the measurement information.
COBIT – Risk Management
Governance Practice
EDM03.03 Monitor risk management. Monitor the key goals and metrics of the risk management processes and establish how deviations or problems will be identified, tracked and reported for remediation.
Inputs (From: Description)
• APO12.02: Risk analysis results
• APO12.04: Opportunities for acceptance of greater risk; Results of third-party risk assessments; Risk analysis and risk profile reports for stakeholders
Outputs (Description → To)
• Remedial actions to address risk management deviations → APO12.06
• Risk management issues for the board → EDM05.01
Activities
1. Monitor the extent to which the risk profile is managed within the risk appetite thresholds.
2. Monitor key goals and metrics of risk governance and management processes against targets, analyze the cause of any deviations, and initiate remedial actions to address the underlying causes.
3. Enable key stakeholders’ review of the enterprise’s progress towards identified goals.
4. Report any risk management issues to the board or executive committee.
Risk Management
The risk assessment process has:
• measures to identify risks using qualitative and quantitative metrics
• a strategy to address identified risks
• a strategy for accepting risks
• a strategy for determining the appropriate protection needed to mitigate risks
Management encourages risk assessments as an important tool for providing information on potential threats and vulnerabilities:
• Results are reviewed
• Corrective actions are taken
Things to Look for….
• Processes documented and maintained
• Processes are followed
• IT performs an annual risk assessment
• Risk definitions consistently used
• Remediation plans for all Critical and High Risks
• Appropriate due dates for remediation
• Internal Audit partners with IT Risk Management
COBIT DSS 02.04 – Incident Management
Management Practice
DSS02.04 Investigate, diagnose and allocate incidents. Identify and record incident symptoms, determine possible causes, and allocate for resolution.
Inputs (From: Description)
• BAI07.07: Supplemental support plan
Outputs (Description → To)
• Incident symptoms → Internal
• Problem log → DSS03.01
Activities
• Identify and describe relevant symptoms to establish the most probable causes of the incidents. Reference available knowledge resources (including known errors and problems) to identify possible incident resolutions (temporary workarounds and/or permanent solutions).
• If a related problem or known error does not already exist and if the incident satisfies agreed-on criteria for problem registration, log a new problem.
• Assign incidents to specialist functions if deeper expertise is needed, and engage the appropriate level of management, where and if needed.
COBIT DSS 02.04 – Incident Management
Management Practice
DSS02.05 Resolve and recover from incidents. Document, apply and test the identified solutions or workarounds and perform recovery actions to restore the IT-related service.
Inputs (From: Description)
• APO12.06: Risk-related incident response plans
• DSS03.03: Known error records
• DSS03.04: Communication of knowledge learned
Outputs (Description → To)
• Incident resolutions → DSS03.04
Activities
• Select and apply the most appropriate incident resolutions (temporary workaround and/or permanent solution).
• Record whether workarounds were used for incident resolution.
• Perform recovery actions, if required.
• Document incident resolution and assess if the resolution can be used as a future knowledge source.
Incident Management
Policy exists to define the functions for all calls, reported incidents, service requests or information demands, and is reviewed and approved at least once every two years or as needed
A process exists for managing Service Desk operations and is documented and defines:
• capturing information to determine priority
• the activities for routing tickets
• restoring normal service operation in a timely manner
• minimizing the impact on business operations
Things to Look for….
• Incidents are logged and assigned a priority
• Resources allocated to incidents
• Changes use the change management process
• Statistics are reported to management
System Development Life Cycle
Methodology
• Helps ensure that the development of an application or system occurs in a formal and controlled manner
Development
• Provides a method for implementing controls during the development of the system, rather than retrofitting the system with necessary controls after it is in the production environment
SDLC - Definition
The system development life cycle (or Solution Delivery Methodology – SDM) is the process:
• Used to convert a management need into an application system
• Which is custom-developed or purchased or a combination of both
• Involving multiple stages (feasibility to carrying out post implementation)
Risk Definition
The potential that a given threat will exploit vulnerabilities of an asset or group of assets to cause loss or damage to the assets
Areas of Focus
Governance:
• Business & IT Alignment
• Project Management
• Organizational Change Management
Tactical:
• IT Solution Readiness
• Post Implementation
Project Risks
High Level Risks
Market
• Disruption of service
• Competitive advantage
• Brand image
Financial
• Loss of revenue
• Loss of ROI
• Loss of shareholders / investors
• Regulatory compliance fines
Technology
• Facility closure
• Facility damage
• System unavailable
People
• Loss of business experts
• Loss of IT people
• Inexperienced people
Business Investments
Businesses invest heavily in IT Projects to:
• Enable business process efficiencies in order to save money
• Automate key processes and controls
• Manage risk
• Meet regulatory and legal requirements
• Enable new business models and allow the company to enter new markets
• Many other reasons…
Why Audit IT Projects?
• Identification of key risks early on in the project
• Add value by evaluating the effectiveness of risk management on both IT and Organizational aspects
• Offer an independent assessment on whether the project has reached stated objectives
Business & IT Alignment
Business Strategy ↔ IT Strategy
• The vision & objectives of both IT and the business are understood and in harmony
• The project is in line with the strategy of the organization
• Alignment is maintained throughout the project
Types of Project Engagements
• Methodology Assessment
• Project Risk Assessment
• Readiness Assessment
• Key Phase Review
• Post-Implementation Review
• Advisory Services
Methodology Assessment
Why: Determine if methodology exists, is complete and meets the needs of the organization
When: Anytime, preferably before any detailed project reviews are conducted
How: Coordinate with PMO, research PM best practices, review history of PM problems
Recommended