Information Technology (IT) Regulatory Compliance Planning John R. Robles President, John R. Robles & Associates 787-647-3961 [email protected]

Information Technology (IT) Information Technology (IT) Regulatory Compliance Regulatory Compliance

PlanningPlanningJohn R. RoblesJohn R. RoblesPresident, John R. Robles & AssociatesPresident, John R. Robles & [email protected]@coqui.netwww.johnrrobles.comwww.johnrrobles.com

IT Security Summit – 2005Centro de Convenciones, August 22-23, 2006

What Is Compliance?What Is Compliance?

The act of complying with a wish, request, or demandThe act of complying with a wish, request, or demand

A disposition or tendency to yield to the will of othersA disposition or tendency to yield to the will of others

The act of submitting; usually surrendering power to The act of submitting; usually surrendering power to anotheranother

Acting according to certain accepted standardsActing according to certain accepted standards

A disposition or tendency to yield to the will of othersA disposition or tendency to yield to the will of others

Happy friendly agreement Happy friendly agreement

2 / 35John R. Robles & Associates

What Is IT Compliance?What Is IT Compliance?

Perform Perform IT functionsIT functions according to a wish, request, or according to a wish, request, or demanddemand

Disposition or tendency to yield to the Disposition or tendency to yield to the ITIT will of others will of others

The act of submitting; usually surrendering The act of submitting; usually surrendering ITIT power to power to another another

Acting according to certain accepted Acting according to certain accepted ITIT standards standards

A disposition or tendency to yield to the A disposition or tendency to yield to the ITIT will of others will of others

Happy friendly Happy friendly ITIT agreement between IT and others agreement between IT and others


What is IT Regulatory Compliance?What is IT Regulatory Compliance?

Perform Perform IT FunctionsIT Functions according to a wish, request, or according to a wish, request, or demand demand of the government or regulatory agencyof the government or regulatory agency

Disposition or tendency to yield to the Disposition or tendency to yield to the ITIT will of others will of others (government or regulatory agency)(government or regulatory agency)

The act of submitting; usually surrendering The act of submitting; usually surrendering ITIT power to power to another (government or regulatory agency)another (government or regulatory agency)

Acting according to certain accepted Acting according to certain accepted ITIT standards standards (of government or regulatory agency)(of government or regulatory agency)

A disposition or tendency to yield to the A disposition or tendency to yield to the ITIT will of others will of others (government or regulatory agency)(government or regulatory agency)

Happy friendly Happy friendly ITIT agreement with (government or agreement with (government or regulatory agency)regulatory agency)


How do I Comply with Government How do I Comply with Government or Regulatory Agency?or Regulatory Agency?

Know the IT regulations pertinent to your company or Know the IT regulations pertinent to your company or industryindustry

Discuss with: Discuss with:

Compliance OfficerCompliance OfficerLegal CounselLegal CounselInternal or External AuditorsInternal or External AuditorsExecutive ManagementExecutive Management

Determine methodology to ensure complianceDetermine methodology to ensure compliance

Perform Self AssessmentPerform Self Assessment

Improve ComplianceImprove Compliance

Maintain Compliance Officer, Legal Counsel, Internal Maintain Compliance Officer, Legal Counsel, Internal /External Auditors, and Executive Management informed /External Auditors, and Executive Management informed of self assessment and progress of improvement effortsof self assessment and progress of improvement efforts5 / 35John R. Robles & Associates

Sample of some IT regulations Sample of some IT regulations Financial Services:Financial Services:

Financial Institution LettersFinancial Institution Letters

The IT Compliance Institute has a DataBase of The IT Compliance Institute has a DataBase of Regulations by Industry and by CountryRegulations by Industry and by Country

Some known regulations include:Some known regulations include:

Sarbanes-Oxley ActSarbanes-Oxley Act

Gramm-Leach Bliley ActGramm-Leach Bliley Act

HIPAAHIPAA

Base IIBase II

USA Patriot ActUSA Patriot Act

Email/records retentionEmail/records retention


If you do not comply with Best Practices and General If you do not comply with Best Practices and General Internal Controls you may get an Audit Comment.Internal Controls you may get an Audit Comment.

If you do not comply with Regulatory Compliance you, If you do not comply with Regulatory Compliance you, your company, your company officers, or the Board of your company, your company officers, or the Board of Directors may get a Fine or Jail Time.Directors may get a Fine or Jail Time.

However, Regulatory Compliance is a subset of Best However, Regulatory Compliance is a subset of Best Practices and General Internal Controls.Practices and General Internal Controls.

That is, If you run a clean IT shop, most likely you are in That is, If you run a clean IT shop, most likely you are in compliance. compliance.

7 / 35

Regulatory Compliance is Above and Regulatory Compliance is Above and Beyond Best Practices and General Beyond Best Practices and General Internal ControlsInternal Controls

John R. Robles & Associates

How do you set up a compliant IT department?How do you set up a compliant IT department?

Establish an Internal Controls methodology with includes Establish an Internal Controls methodology with includes addressing pertinent IT regulations.addressing pertinent IT regulations.

Some of the more well-know methodologies include:Some of the more well-know methodologies include:

COSO (Committee of Sponsoring Organizations of the COSO (Committee of Sponsoring Organizations of the Threadway CommissionThreadway Commission

Cobit (Control Objectives for Information and Related Cobit (Control Objectives for Information and Related Technologies)Technologies)

ISO-17799ISO-17799

8 / 35

IT Compliance is all about IT Internal IT Compliance is all about IT Internal Controls.Controls.


The GAO “Standard for Internal Control in the Federal The GAO “Standard for Internal Control in the Federal Government” and COSO define Internal Controls as:Government” and COSO define Internal Controls as:

““An integral part of an organization’s management that An integral part of an organization’s management that provides reasonable assurance that the following provides reasonable assurance that the following objectives are being achieved:objectives are being achieved:

effectiveness and efficiency of operationseffectiveness and efficiency of operations

reliability of financial reporting reliability of financial reporting

compliance with applicable laws and regulations”compliance with applicable laws and regulations”

9 / 35

An Internal Controls MethodologyAn Internal Controls Methodology


Internal Controls address the following:Internal Controls address the following:

It is a processIt is a process

It is performed by peopleIt is performed by people

It provides only reasonable assurance, not absolute It provides only reasonable assurance, not absolute assuranceassurance

Internal Controls consists of:Internal Controls consists of:

Control EnvironmentControl Environment

Risk AssessmentRisk Assessment

Control ActivitiesControl Activities

Information and CommunicationsInformation and Communications

MonitoringMonitoring

10 / 35

An Internal Controls MethodologyAn Internal Controls Methodology


Sarbanes-Oxley - Section 404: Sarbanes-Oxley - Section 404:

““It will beIt will be

(1) the responsibility of management for establishing and (1) the responsibility of management for establishing and maintaining an adequate internal control structure and maintaining an adequate internal control structure and procedures for financial reporting, andprocedures for financial reporting, and

(2) contain an assessment, as of the end of the most (2) contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuers internal control structure and procedures of the issuers for financial reporting.”for financial reporting.”

11 / 35

Regulation with the greatest impact on Regulation with the greatest impact on internal controls and ITinternal controls and IT


Some IT internal control frameworks:Some IT internal control frameworks:

Cobit and IT Control Objectives for Sarbanes-OxleyCobit and IT Control Objectives for Sarbanes-Oxley

ISO 17799ISO 17799

IT Infrastructure Library (ITIL)IT Infrastructure Library (ITIL)

Capability Maturity Model Integration (CMMI)Capability Maturity Model Integration (CMMI)

Naional Institute of of Standards and Technology (NIST)Naional Institute of of Standards and Technology (NIST)

12 / 35

IT Internal Controls FrameworksIT Internal Controls Frameworks


The IT Compliance Institute (The IT Compliance Institute (www.itcinstitute.comwww.itcinstitute.com) has ) has the Unified Compliance Project, it addresses the the Unified Compliance Project, it addresses the following:following:

Leadership and High-Level ObjectivesLeadership and High-Level ObjectivesAudit and Risk ManagementAudit and Risk ManagementDesign and ImplementationDesign and ImplementationTechnology AcquisitionTechnology AcquisitionOperational ManagementOperational ManagementIT Staff Management and OutsourcingIT Staff Management and OutsourcingRecords ManagementRecords ManagementTechnical SecurityTechnical SecurityPhysical SecurityPhysical SecuritySystems ContinuitySystems ContinuityMonitoring, Measurement, and ReportingMonitoring, Measurement, and ReportingPrivacyPrivacy

John R. Robles & Associates 13 / 35

Unified Compliance ProjectUnified Compliance Project

http://www.itcinstitute.com/

BUSINESSBUSINESSREQUIREMENTSREQUIREMENTS

BUSINESSBUSINESSREQUIREMENTSREQUIREMENTS

IT PROCESSESIT PROCESSESIT PROCESSESIT PROCESSES

IT RESOURCESIT RESOURCESIT RESOURCESIT RESOURCES

Fra

mew

ork

COBIT: An IT Control Framework


IT Processes

IT Processes

IT Resources

IT Resources

Business Requirements


Data Information

Systems Technology Facilities Human

Resources

Plan and Organise Acquire and

Implement Deliver and Support Monitor and

Evaluate

Effectiveness Efficiency Confidentiality Integrity Availability Compliance Information

Reliability

COBIT Framework H

ow

do t

hey

rela

te?


IT Processes

IT Processes

IT Resources

IT Resources



Data Information

Systems Technology Facilities Human

Resources

Planning and organisation

Acquisition and implementation

Delivery and Support

Monitoring

Effectiveness Efficiency Confidentiality Integrity Availability Compliance Information

Reliability

COBIT Framework H

ow

do t

hey

rela

te?

How IT is How IT is organised to organised to

respond to the respond to the requirementsrequirements

How IT is How IT is organised to organised to

respond to the respond to the requirementsrequirements

What the What the stakeholders stakeholders

expect from ITexpect from IT

What the What the stakeholders stakeholders

expect from ITexpect from IT

The resources The resources made available tomade available to— and built up by— and built up by

—IT—IT

The resources The resources made available tomade available to— and built up by— and built up by

—IT—IT


Processes

A series of joined activities with natural control breaks

Activities or tasks

Actions needed to achieve a measurable result. Activities have a life cycle whereas tasks are discrete.

Domains

Natural grouping of processes, often matching an organisational domain of responsibility

COBIT Framework I

T P

rocesses

IT IT ProcessesProcesses

BusinessRequirements

IT IT ResourcesResources





Data: Data objects in their widest sense, i.e., external and internal, structured and unstructured, graphics, sound, etc.

Application Systems: Understood to be the sum of manual and programmed procedures

Technology: Covers hardware, operating systems, database management systems, networking, multimedia, etc.

Facilities: Resources to house and support information systems

People: Staff skills, awareness and productivity to plan, organise, acquire, deliver, support and monitor information systems and services

COBIT Framework IT

Resou

rces








IT Domains• Plan and

Organise• Acquire and

Implement• Deliver and

Support• Monitor and

Evaluate

IT Processes• IT Strategy• Policy and Procedures• Feasibility Study• Acceptance Testing• Change Management• Contingency Planning• Problem Management

Activities• Record New Problem• Analyse• Propose Solution• Monitor Solution• Record Known Problem• Etc.

Natural grouping of processes, often matching an organisational domain of responsibility

A series of joined activities with natural (control) breaks

Actions needed to achieve a measurable result. Activities have a life cycle whereas tasks are discrete.

COBIT Framework IT IT ProcessesProcesses







PO 1PO 1 Define a Strategic Information Technology Plan Define a Strategic Information Technology PlanPO 2PO 2 Define the Information Architecture Define the Information ArchitecturePO 3PO 3 Determine the Technological Direction Determine the Technological DirectionPO 4PO 4 Define the IT Organisation and Relationships Define the IT Organisation and Relationships PO 5PO 5 Manage the Investment in Information TechnologyManage the Investment in Information TechnologyPO 6 PO 6 Communicate Management Aims and Direction Communicate Management Aims and Direction PO 7PO 7 Manage Human ResourcesManage Human ResourcesPO 8PO 8 Ensure Compliance with External Requirements Ensure Compliance with External RequirementsPO 9PO 9 Assess Risks Assess Risks PO 10PO 10 Manage Projects Manage Projects PO 11PO 11 Manage QualityManage Quality

Plan and Organise


AI 1AI 1 Identify Automated Solutions Identify Automated Solutions

AI 2AI 2 Acquire and Maintain Application SoftwareAcquire and Maintain Application Software

AI 3AI 3 Acquire and Maintain Technology InfrastructureAcquire and Maintain Technology Infrastructure

AI 4AI 4 Develop and Maintain IT ProceduresDevelop and Maintain IT Procedures

AI 5AI 5 Install and Accredit Systems Install and Accredit Systems

AI 6AI 6 Manage Changes Manage Changes

Acquire and Implement


TopicsTopics

Delivery of required services Delivery of required services Setup of support processesSetup of support processesProcessing by application Processing by application systemssystems

QuestionsQuestionsAre IT services being Are IT services being delivered in line with delivered in line with business priorities?business priorities?Are IT costs optimised?Are IT costs optimised?Is the workforce able to use Is the workforce able to use the IT systems productively the IT systems productively and safely?and safely?Are adequate security, Are adequate security, integrity and availability in integrity and availability in place?place?

Deliver and SupportDeliver and Support

TopicsTopics

Assessment over time, Assessment over time, delivering assurancedelivering assuranceManagement’s oversight of Management’s oversight of the control systemthe control systemPerformance measurementPerformance measurement

QuestionsQuestionsCan IT’s performance be Can IT’s performance be measured and can measured and can problems be detected problems be detected before it is too late?before it is too late?Is independent assurance Is independent assurance needed to ensure that needed to ensure that critical areas are operating critical areas are operating as intended?as intended?

Monitor and EvaluateMonitor and Evaluate

COBIT Domains D

om

ain

s


DS 1DS 1 Define and Manage Service LevelsDefine and Manage Service LevelsDS 2DS 2 Manage Third-party Services Manage Third-party Services DS 3DS 3 Manage Performance and Capacity Manage Performance and Capacity DS 4DS 4 Ensure Continuous Service Ensure Continuous Service DS 5DS 5 Ensure Systems Security Ensure Systems Security DS 6DS 6 Identify and Allocate CostsIdentify and Allocate CostsDS 7DS 7 Educate and Train Users Educate and Train Users DS 8DS 8 Assist and Advise CustomersAssist and Advise CustomersDS 9DS 9 Manage the Configuration Manage the Configuration DS 10DS 10 Manage Problems and Incidents Manage Problems and Incidents DS 11DS 11 Manage Data Manage Data DS 12DS 12 Manage Facilities Manage Facilities DS 13DS 13 Manage OperationsManage Operations

Deliver and Support


M1 Monitor the ProcessM2 Assess Internal Control AdequacyM3 Obtain Independent AssuranceM4 Provide for Independent Audit

Monitor and Evaluate


The control of

IT Processes which satisfy

is enabled byControl

Statements consideringControl

Practices

COBIT Framework W

ate

rfall

Mod

el

4 Domains - 34 Processes - 318 Control Objectives4 Domains - 34 Processes - 318 Control Objectives



PO1 Define a strategic IT planPO2 Define the information architecturePO3 Determine the technological directionPO4 Define the IT organisation and relationshipsPO5 Manage the IT investmentPO6 Communicate management aims and directionPO7 Manage human resourcesPO8 Ensure compliance with external requirementsPO9 Assess risksPO10 Manage projectsPO11 Manage quality

AI1 Identify automated solutionsAI2 Acquire and maintain application softwareAI3 Acquire and maintain technology infrastructure AI4 Develop and maintain IT proceduresAI5 Install and accredit systemsAI6 Manage changes

M1 Monitor the processM2 Assess internal control adequacyM3 Obtain independent assuranceM4 Provide for independent audit

DS1 Define service levelsDS2 Manage third-party servicesDS3 Manage performance and capacityDS4 Ensure continuous serviceDS5 Ensure systems securityDS6 Identify and attribute costsDS7 Educate and train usersDS8 Assist and advise IT customersDS9 Manage the configurationDS10 Manage problems and incidentsDS11 Manage dataDS12 Manage facilitiesDS13 Manage operations

IT RESOURCES

IT RESOURCES

• Data• Application systems• Technology• Facilities• People

• Data• Application systems• Technology• Facilities• People PLAN AND

ORGANISEPLAN AND ORGANISE

ACQUIRE ANDIMPLEMENT

ACQUIRE ANDIMPLEMENT

DELIVER AND SUPPORT

DELIVER AND SUPPORT

MONITOR AND EVALUATE

MONITOR AND EVALUATE

• Effectiveness• Efficiency• Confidentiality• Integrity• Availability• Compliance• Reliability

• Effectiveness• Efficiency• Confidentiality• Integrity• Availability• Compliance• Reliability

Criteria

Business ObjectivesCOBITFramework


PO1 PO1 Define a strategic IT planDefine a strategic IT planPO3 Determine the technological directionPO5 Manage the IT investmentPO9 PO9 Assess risksAssess risksPO10 PO10 Manage projectsManage projectsAI1 Identify solutionsAI2 Acquire and maintain applications s/wAI5 Install and accredit systemsAI6 AI6 Manage changesManage changesDS1 Define service levelsDS4 Ensure continuous serviceDS5 DS5 Ensure system securityEnsure system securityDS10 Manage problems and incidentsDS11 DS11 Manage dataManage dataM1 M1 Monitor the processesMonitor the processes

The Most Important IT Processes

3434

1515

77

SurveySurvey


High-level Control ObjectiveOne per process

Detailed Control ObjectivesThree to 30 per process

Control PracticesFive to seven per control objective

COBIT—Content


Based on the 41 primary references

Developed following a rigorous research process

Three to 30 detailed control objectives for each of the 34 processes

Directed to IT management, IT staff, control and audit functions and business process owners

For each process, detailed control objectives are identified as « good practice » that need to be in place, and that will be assessed for sufficiency by the controls professional.

Control objectives provide a working document, a place to start, from which selections need to be made based on the enterprise value and risk drivers.

COBIT Control Objectives


To improve audit approach/programs To support audit work with detailed audit

guidelines To provide guidance for IT governance As a valuable benchmark for IS/IT control To improve IS/IT controls To standardise audit approach/programs

How Is CHow Is COBIOBIT Used?T Used? ( (Results from Surveys)Results from Surveys)

The COBIT Framework


COBIT—Benefits

WhatWhatComfort about:Comfort about:• Dependence on ITDependence on IT• IT risks are mitigatedIT risks are mitigated• IT delivers valueIT delivers valueAssurance of: Assurance of: • Cost down and revenue upCost down and revenue up• Business operations improvedBusiness operations improved• Service levels maintainedService levels maintained

WhoWho• ExecutiveExecutive• Business managerBusiness manager• IT managerIT manager• Project managerProject manager• DeveloperDeveloper• Operations staffOperations staff• UserUser• Security officerSecurity officer• AuditorAuditor


COBIT Products

Management GuidelinesManagement Guidelines Provide management direction for:Provide management direction for:

• Getting the enterprise's information and related processes under control Getting the enterprise's information and related processes under control

• Monitoring achievement of organisational goals Monitoring achievement of organisational goals

• Monitoring and improving performance within each IT processMonitoring and improving performance within each IT process

• Benchmarking organisational achievementBenchmarking organisational achievement Action-oriented and genericAction-oriented and generic Provide answers to typical management questions:Provide answers to typical management questions:

• How far should we go in controlling IT, and is the cost justified by the benefit?How far should we go in controlling IT, and is the cost justified by the benefit?

• What are the indicators of good performance?What are the indicators of good performance?

• What are the critical success factors?What are the critical success factors?

• What are the risks of not achieving our objectives?What are the risks of not achieving our objectives?

• What do others do? How do we measure and compare?What do others do? How do we measure and compare?

PracticesResponsibilities

Executives & BoardsExecutives & Boards

Business and Technology ManagementBusiness and Technology Management

Performance measuresPerformance measures

Critical success factorsCritical success factors

Maturity modelsMaturity models

Audit, control and security professional Audit, control and security professional

What is the ITWhat is the ITControl Framework ?Control Framework ?

How to assess the ITHow to assess the ITControl Framework ?Control Framework ?

How to introduce itHow to introduce itin the enterprise ?in the enterprise ?
































Raise awareness

& make decision

Analyse values

and risks

Select processes

Identify needsIdentify needs

Define projects

Develop & implement

change plan

Plan the solutionPlan the solution

Integrate into day-to-

day practices

Integrate measures into ITBSC

Implement the solutionImplement the solution

Define where you

are

Define where you want to be

Analyse gaps

Envision the solutionEnvision the solution

ImplementationRoad Map

Post- implement.

review

FeedbackFeedback

IT Governance Implementation Guide


Conclusion—COBIT Values

Sharing knowledge and leveraging expert volunteersInternationally accepted good practicesContinually evolvesMaintained by reputable not-for-profit organisationMaps strongly onto all major related standardsIs management-orientedIs supported by tools and trainingMaps completely to ISO17799 and COSO

Provide action-oriented solutionsFUTUREFUTURE

PRESENTPRESENT


IT Governance InstituteIT Governance Institute3701 Algonquin Road, Suite 10103701 Algonquin Road, Suite 1010Rolling Meadows, IL 60008 USARolling Meadows, IL 60008 [email protected]@[email protected]@isaca.orgwww.isaca.orgwww.isaca.orgwww.itgi.org

John R. Robles and AssociatesJohn R. Robles and Associates787-647-3961787-647-3961jrobles@coqui.netwww.johnrrobles.com

The COBIT Framework


http://www.itgi.org/

mailto:[email protected]

http://www.johnrrobles.com/

Thank You!Thank You!

Questions and Answers.Questions and Answers.


Documents

Information Technology (IT) Regulatory Compliance Planning John R. Robles President, John R. Robles & Associates 787-647-3961 [email protected]