INFORMATION ASSURANCE USING COBIT

MEYCOR COBIT CSA & MEYCOR COBIT AG TOOLS

Relationship between COSO and COBIT

What is COBIT?

A model to implement IT Governance.

An open, widely known standard.

Comprises 34 processes and 220 low-level Control Objectives.

It is fully compatible with ISO 17799, COSO I and II, and the more specific standards on which it relies.

COBIT establishes the "what"; the supporting standards establish the "how" of IT Governance implementation.

COBIT

Stands for Control Objectives for Information and Related Technology.

A model developed by ISACA and the IT Governance Institute (ITGI) to implement IT Governance in organizations.

ISACA

Founded in 1969. A leading organization in IT Governance, Control, Assurance and Auditing. Headquartered in Chicago, USA. Over 60,000 members in more than 100 countries. Holds events and conferences and develops standards on IT Governance, Assurance and Security.

COBIT editions: 1st Edition in 1996, 2nd Edition in 1998, 3rd Edition in 2000, 4th Edition (COBIT 4.0) in 2005 (Nov/Dec).

COBIT Framework (COBIT 4.0)

BUSINESS REQUIREMENTS

INFORMATION PROCESSES

INFORMATION CRITERIA: effectiveness, efficiency, confidentiality, integrity, availability, compliance, reliability

IT RESOURCES: applications, information, infrastructure, personnel

Information Assurance

Information assurance is the basis on which decision-making is built in an organization. Without assurance, companies have no certainty that the information on which they base their mission-critical decisions is reliable, secure and available when needed.

Information Assurance is defined as the set of information operations that protect and defend information, information systems and networks by ensuring their availability, integrity, authentication, confidentiality and non-repudiation, taking into account the risk posed by local or remote threats arriving over communications links and the Internet.

We will see two important assurance techniques: self-assessment and information systems auditing.

COBIT: Control Self-assessment (Meycor COBIT CSA)

This management technique gives all stakeholders assurance that the internal control system is reliable.

It also ensures that staff are aware of the business risks and that they perform regular, proactive reviews of the controls.

COBIT Audit Guidelines (Meycor COBIT AG)

The Guidelines provide a simple structure for auditing IT controls.

They are general in nature and structured at a high level.

They allow the processes to be reviewed against the IT Control Objectives.

The steps that must be followed in an audit:

Obtaining an understanding of the business requirements and associated risks and the relevant control measures.

Evaluating the appropriateness of the stated controls.

Assessing compliance to ensure that the control measures established are working as prescribed, consistently and continuously.

Substantiating the risk of the control objectives not being met by using analytical techniques and/or consulting alternative sources.

Generic Audit Guideline: Obtaining an Understanding

The audit steps to be performed to document the activities underlying the control objectives and to identify the stated control measures/procedures in place.

Interview appropriate management and staff to gain an understanding of:
• Business requirements and associated risks.
• Organization's structure.
• Roles and responsibilities.
• Control measures in place.
• Management reporting (status, performance, action items).

Document the IT resources particularly affected by the process under review. Confirm the understanding of the process, its Key Performance Indicators (KPIs) and the control implications, e.g., through a process walk-through.

Generic Audit Guideline: Evaluating the Controls

The audit steps to be performed in assessing the effectiveness of the control measures in place, or the degree to which the control objective is achieved. Essentially, deciding what, whether and how to test.

Evaluate the appropriateness of the control measures for the process under review by considering the identified criteria and industry standard practices and the Critical Success Factors (CSF) of the control measures, and by applying auditor professional judgment. Check that:
• Documented processes exist.
• Appropriate deliverables exist.
• Responsibility and accountability are clear and effective.
• Compensating controls exist where necessary.

Conclude on the degree to which the control objective is met.

Generic Audit Guideline: Assessing Compliance

The audit steps to be performed to ensure that the control measures established are working as prescribed, consistently and continuously, and to conclude on the appropriateness of the control environment.

Obtain direct or indirect evidence for selected items/periods to confirm that the procedures were complied with throughout the period under review.

Perform a limited review of the adequacy of the process deliverables.

Determine the level of substantive testing and additional work needed to provide assurance that the IT process is adequate.

Generic Audit Guideline: Substantiating the Risk

The audit steps to be performed to substantiate the risk of the control objective not being met, using analytical techniques and/or consulting alternative sources.

Document the control weaknesses and the resulting threats and vulnerabilities.

Identify and document the actual and potential impact, e.g., through root-cause analysis.

Provide comparative information, e.g., through benchmarks.

Description of the Meycor COBIT CSA and AG tools

For each process defined by COBIT we must identify its importance and performance, whether it has been audited, how it is carried out and who is responsible for it.

Meycor COBIT CSA: IT Processes Importance

Meycor COBIT CSA: Self-assess controls

Meycor COBIT CSA includes the COBIT 4.0 Control Objectives and additional security questions on specific software platforms.

Meycor COBIT CSA: Assessment Report

Results are displayed as scores, which makes it possible to set target values.

Meycor COBIT CSA: IT Processes Diagnosis

The red line represents the score obtained. The closer this line is to the center, the less the risks are covered by the controls.

Meycor COBIT CSA: Assessing several Analysis Centers

Results can be displayed comparatively (by platform, branch and technology).
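The three CSA displays described above (scores against target values, the diagnosis chart in which a score near the center means poorly covered risk, and the comparison across analysis centers) all rest on the same roll-up of self-assessment answers. The following Python is an added example of that roll-up, not Meycor's or ISACA's code: the 0..4 rating scale, the per-objective weights, the target values, the branch names and the sample answers are all assumptions constructed for illustration. The process ids follow COBIT 4.0 naming (e.g. DS5, Ensure Systems Security); which objectives are rated is illustrative.

```python
"""Added example (not Meycor's code): roll control self-assessment answers
up into per-process scores, compare them against target values and rank
the least-covered processes across analysis centers."""
from collections import defaultdict
from dataclasses import dataclass

# Rating scale and weighting scheme are assumptions of this example:
# 0 = control non-existent ... 4 = implemented, monitored and measured.
MAX_RATING = 4


@dataclass(frozen=True)
class Answer:
    center: str          # analysis center: a branch, platform or technology
    process: str         # COBIT 4.0 process id, e.g. "DS5"
    objective: str       # control objective within the process (illustrative ids)
    rating: int          # 0..MAX_RATING
    weight: float = 1.0  # > 0; lets a center stress objectives that matter more


def process_scores(answers):
    """Return {center: {process: score}} where score is the weighted mean
    rating as a percentage of the maximum achievable (0..100)."""
    totals = defaultdict(lambda: defaultdict(lambda: [0.0, 0.0]))
    for a in answers:
        if not 0 <= a.rating <= MAX_RATING:
            raise ValueError(f"rating {a.rating} out of range for {a.objective}")
        if a.weight <= 0:
            raise ValueError(f"weight must be positive for {a.objective}")
        earned, possible = totals[a.center][a.process]
        totals[a.center][a.process] = [earned + a.rating * a.weight,
                                       possible + MAX_RATING * a.weight]
    return {c: {p: 100.0 * e / m for p, (e, m) in procs.items()}
            for c, procs in totals.items()}


def coverage_gaps(scores, targets, default_target=75.0):
    """For each center, list (process, score, target, gap) for every process
    that falls short of its target, largest shortfall first. Processes with
    no explicit target are measured against default_target."""
    result = {}
    for center, procs in scores.items():
        rows = []
        for process, score in procs.items():
            target = targets.get(process, default_target)
            if score < target:
                rows.append((process, score, target, target - score))
        result[center] = sorted(rows, key=lambda r: r[3], reverse=True)
    return result


def compare_centers(scores, process):
    """Rank centers on one process, least covered first. A center that never
    assessed the process is reported with None (and listed first) so a
    missing assessment is not mistaken for a failing control."""
    rows = [(c, procs.get(process)) for c, procs in scores.items()]
    return sorted(rows, key=lambda r: (r[1] is not None,
                                       r[1] if r[1] is not None else 0.0))


# Constructed sample answers: two branches rating the same objectives,
# with identity management (DS5.3) weighted double.
SAMPLE_ANSWERS = [
    Answer("branch-montevideo", "DS5", "DS5.3", 3, 2.0),
    Answer("branch-montevideo", "DS5", "DS5.5", 2),
    Answer("branch-montevideo", "DS5", "DS5.9", 2),
    Answer("branch-montevideo", "DS4", "DS4.2", 4),
    Answer("branch-montevideo", "DS4", "DS4.9", 3),
    Answer("branch-salto", "DS5", "DS5.3", 1, 2.0),
    Answer("branch-salto", "DS5", "DS5.5", 1),
    Answer("branch-salto", "DS5", "DS5.9", 0),
    Answer("branch-salto", "DS4", "DS4.2", 2),
    Answer("branch-salto", "DS4", "DS4.9", 2),
    Answer("branch-salto", "AI6", "AI6.1", 3),  # only assessed in one branch
]
# Assumed target scores per process; others fall back to the default.
TARGETS = {"DS5": 80.0, "DS4": 75.0}


def main():
    scores = process_scores(SAMPLE_ANSWERS)
    for center, rows in coverage_gaps(scores, TARGETS).items():
        print(f"{center}: processes below target")
        for process, score, target, gap in rows:
            print(f"  {process}: {score:5.1f} / target {target:5.1f}  gap {gap:5.1f}")
    print("DS5 across centers (least covered first):", compare_centers(scores, "DS5"))
    print("AI6 across centers:", compare_centers(scores, "AI6"))


if __name__ == "__main__":
    main()
```

Two design points matter for the diagnosis chart this feeds: a score is normalised against the maximum achievable for the objectives actually rated, so a center that rated fewer objectives is not penalised for the missing ones, and a process a center never assessed is reported as unknown rather than as a zero, which would otherwise plot as a fully uncovered risk at the center of the chart.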

Meycor COBIT CSA: Audit Projects

Allows audit projects to be created, resources assigned to them and the projects themselves managed.

The objective is to determine whether the process's controls provide assurance.

Meycor COBIT CSA: Alignment with Business Objectives

The alignment between IT Objectives and Business Objectives is clearly identified.

Meycor COBIT AG: Technology inventory

Here we identify how effectively IT resources contribute to the achievement of objectives.

Meycor COBIT AG: Relationship between COBIT Processes and Business Processes

A heat map is generated from the IT resources and the required information criteria.

Meycor COBIT AG: Beginning the Audit Process

The process begins when a reviewer creates a project and assigns it to an auditor. It is also possible to record whenever an auditor disagrees with an observation.

Meycor COBIT AG: Auditing an IT Process

Meycor COBIT AG provides guidance through the different stages (interviewing, etc.), allowing tasks and observations to be recorded and evidence to be attached.

Meycor COBIT AG: Audit Guidelines

Auditors have audit guidelines available that provide a knowledge base for improving the quality of the audit work.

Meycor COBIT AG: Record Tasks

Here we record who performed the task, the time invested, any pertinent comments, etc.

Meycor COBIT AG: Findings and Recommendations

Observations are recorded in a format that includes the criteria used to perform the assessment, the consequences, etc.

Meycor COBIT AG: Work papers Example (I)

Report of the audit program sorted by project.

Meycor COBIT AG: Work papers Example (II)

Report on the degree of strength of the audited controls.

Meycor COBIT AG: Work papers Example (III)

Identification of findings, the auditee's opinion, follow-ups, etc.

DATASEC IT Security & Control

Patria 716 - CP 11300 - Montevideo - Uruguay
Phone: (+598 2) 711-58-78 / 711-04-20
Fax: (+598 2) 711-58-94
Website: www.datasec-soft.com