Overview of Frameworks: Cobit, Jennifer F. Alfafara, CISA Consultant
1 Overview of Frameworks: Cobit, COSO, ITIL, ISO, and more Jennifer F. Alfafara, CISA Consultant
2 Frameworks vs Standards
3 What is a Framework? Main Entry: frame·work Pronunciation: \ˈfrām-ˌwərk\ Function: noun Date: 1 a: a basic conceptional structure (as of ideas) <the framework of the United States Constitution> b: a skeletal, openwork, or structural frame 2: frame of reference 3: the larger branches of a tree that determine its shape
4 What is a Standard? Standard: a rule or principle that is used as a basis for judgment. Examples: GAAP (FASB) Generally Accepted Accounting Principles (Financial Accounting Standards Board); IFRS (IASB) International Financial Reporting Standards (International Accounting Standards Board); PCAOB (Public Company Accounting Oversight Board) Auditing Standards; ISO/IEC (International Organization for Standardization / International Electrotechnical Commission)
5 Then, what is HIPAA considered? HIPAA (American Health Insurance Portability and Accountability Act 1996) is a Guideline. More on HIPAA later.
6 Why have frameworks been developed? Lack of alignment between business practices and technology; provide guidance to corporate management to ensure they are in compliance with regulatory requirements
7 Why adopt a framework? Regulatory requirement; business requirement; best in class
8 What is a Control Framework? Control Framework: a recognized system of control categories that covers all internal controls expected in an organization.
9 Control Framework To be comprehensive, the framework must: 1. Provide a favorable control environment 2. Provide for the continuing assessment of risk 3. Provide for the design, implementation, and maintenance of effective control-related policies and procedures
10 Control Framework (continued) 4. Provide for the effective communication of information 5. Provide for the ongoing monitoring of the effectiveness of control-related policies and procedures, as well as the resolution of potential problems identified by controls
11 SEC on Frameworks "The COSO Framework satisfies our criteria and may be used as an evaluation framework for purposes of management's annual internal control evaluation and disclosure requirements. However, the final rules do not mandate use of a particular framework, such as the COSO Framework, in recognition of the fact that other evaluation standards exist outside of the United States, and that frameworks other than COSO may be developed within the United States in the future, that satisfy the intent of the statute without diminishing the benefits to investors."
12 Control Frameworks COSO; COBIT 4.1; ITIL; ISO/IEC (actually a Standard); ISO/IEC (Guidelines for 27002)
13 COSO Committee of Sponsoring Organizations
14 COSO COSO: Committee of Sponsoring Organizations of the Treadway Commission. COSO is a U.S. private-sector initiative, formed in
15 COSO Who are the Sponsors? 1. American Institute of Certified Public Accountants (AICPA) 2. American Accounting Association (AAA) 3. Financial Executives Institute (FEI) 4. The Institute of Internal Auditors (IIA) and 5. The Institute of Management Accountants (IMA)
16 COSO Major Objectives COSO's main objectives are to assist organizations regarding: 1) effectiveness and efficiency of operations; 2) reliability of financial reporting; 3) compliance with applicable laws and regulations.
17 COSO and Healthcare Internal control tools developed by COSO in 1992 and by the Department of Health and Human Services (HHS) Office of the Inspector General (OIG) highlight the importance of the internal audit function in detecting and preventing violations. Tightened internal controls have helped fight Medicare and Medicaid abuse.
18 Medicare Losses 1996: $23 Billion; 1999: $12 Billion. An improvement; however, $12 Billion still demands attention. Much of these losses can be attributed to abuse, fraud, and inefficiencies.
19 COSO (1992) Internal Control Framework Five Components: Monitoring; Information & Communication; Control Activities; Risk Assessment; Control Environment
20 COSO (2004) Enterprise Risk Management Framework This COSO ERM framework defines essential components, suggests a common language, and provides clear direction and guidance for enterprise risk management.
21 COSO (2004) Enterprise Risk Management Framework Eight Components: Internal Environment; Objective Setting; Event Identification; Risk Assessment; Risk Response; Control Activities; Information & Communication; Monitoring
22 COSO Components Internal Environment: encompasses the tone of an organization and sets the basis for how risk is viewed and addressed by an entity's people, including risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate.
23 COSO Components Objective Setting: objectives must exist before management can identify potential events affecting their achievement.
24 COSO Components Event Identification: internal and external events affecting achievement of an entity's objectives must be identified, distinguishing between risks and opportunities.
25 COSO Components Risk Assessment: analysis of risk; consideration of likelihood and impact; how risks should be managed
26 COSO Components Risk Response: Avoid Risk; Accept Risk; Reduce Risk; Share Risk
27 COSO Components Control Activities: policies and procedures are established and implemented.
28 COSO Components Information and Communication: relevant information is identified, captured, and communicated in a form and timeframe that enable people to carry out their responsibilities.
29 COSO Components Monitoring: the entirety of enterprise risk management is monitored and modifications made as necessary.
30 Financial vs Technical Issues Okay, that addresses issues related to Finance. What about other Frameworks and Standards in Healthcare?
31 HIPAA Title II Focused on Preventing Healthcare Fraud and Abuse; Administrative Simplification; Medical Liability Reform. Title II provides for the enactment of five rules.
32 HIPAA Title II Rules Privacy Rule; Transactions and Code Sets Rule; Security Rule; Unique Identifiers Rule (National Provider Identifier); Enforcement Rule
33 HIPAA & Technology Challenges for Information Technology (IT): Transactions and Code Sets, Privacy, and Security Rules
34 Transactions & Code Sets (X12 Transactions) These transactions and code sets relate to EDI (Electronic Data Interchange). EDI is the structured transmission of data between organizations by electronic means. There are 11 defined code sets.
35 Transactions & Code Sets (X12 Transactions) EDI Health Care Claim Transaction Set (837); EDI Retail Pharmacy Claim Transaction (835); EDI Benefit Enrollment and Maintenance Set (834); EDI Payroll Deducted and Other Group Premium Payment for Insurance Products (820)
36 Transactions & Code Sets Rule (continued) EDI Health Care Eligibility/Benefit Inquiry (270); EDI Health Care Eligibility/Benefit Response (271); EDI Health Care Claim Status Request (276); EDI Health Care Claim Status Notification (277); EDI Health Care Service Review Information (278); EDI Functional Acknowledgement Transaction Set (997)
37 Privacy Rule It establishes regulations for the use and disclosure of Protected Health Information (PHI). PHI is any information held by a covered entity which concerns health status, provision of health care, or payment for health care that can be linked to an individual.
38 Security Rule Lays out three types of security safeguards required for compliance: Administrative: policies and procedures; Physical: access to protected data; Technical: access to computers that store and manage protected data
39 Obeying the Rules Implement Control Frameworks that facilitate compliance with the Rules: COBIT; ITIL; ISO/IEC; ISO
40 COBIT Control Objectives for Information and Related Technology
41 COBIT The Control Objectives for Information and related Technology (COBIT) is a set of best practices (framework) for information technology (IT) management created by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI) in COBIT 4.1, the most current version, was released in
42 COBIT What COBIT Provides: a set of generally accepted measures; indicators; processes; best practices?
43 COBIT Structure Covers four domains: 1. Plan and Organize (PO) 2. Acquire and Implement (AI) 3. Deliver and Support (DS) 4. Monitor and Evaluate (ME)
44 COBIT Plan and Organize covers: the use of information & technology and how best it can be used in a company to help achieve the company's goals and objectives. It also highlights the organizational and infrastructural form IT is to take in order to achieve the optimal results and to generate the most benefits from the use of IT.
45 COBIT Acquire and Implement covers: identification of IT requirements; acquisition of technology; and implementation within the company's current business processes.
46 COBIT Deliver and Support covers: the delivery aspects of the information technology; the execution of the applications within the IT system and its results; the support processes that enable the effective and efficient execution of these IT systems. These support processes include security issues, training, Help Desk, and backup & recovery.
47 COBIT Monitor and Evaluate: deals with a company's strategy in assessing the needs of the company; determines whether or not the current IT system still meets the objectives for which it was designed; identifies the controls necessary to comply with regulatory requirements; deals with the issue of an independent assessment of the effectiveness of the IT system in its ability to meet business objectives, and the evaluation of the company's control processes by internal and external auditors.
48 COBIT, COSO & SOX The most referenced control frameworks for SOX and FIEL (Financial Instruments and Exchange Law, aka "JSOX"). Not all COBIT controls apply to ICFR (Internal Controls over Financial Reporting): COBIT Lite
49 COBIT Lite IT Control Objectives for Sarbanes-Oxley
50 ITIL The five ITIL V3 volumes
51 ITIL ITIL is published in a series of books, each of which covers an IT management topic. ITIL gives a detailed description of a number of important IT practices with comprehensive checklists, tasks and procedures that any IT organization can tailor to its needs. ITIL has been mapped to COBIT, but reporting requirements are not the same.
52 ITIL Structure ITIL v3, published in May 2007, comprises 5 key volumes: 1. Service Strategy 2. Service Design 3. Service Transition 4. Service Operation 5. Continual Service Improvement
53 ITIL ITIL is owned and maintained by the UK Office of Government Commerce (OGC). The names ITIL and IT Infrastructure Library are registered trademarks of the OGC.
54 ISO/IEC ISO/IEC 27002:2005 (actually a Standard )
55 ISO/IEC ISO (International Organization for Standardization) is the world's largest developer and publisher of International Standards. IEC (International Electrotechnical Commission) is the international standards and conformity assessment body for all fields of electrotechnology.
56 ISO The standard comprises two parts. Part 1: ISO/IEC contains guidance and explanatory information; formally published as ISO/IEC Code of Practice for Information Security Management
57 ISO Part 2: (British Standard) BS7799 / ISO provides a model that can be used by businesses to set up and run an effective Information Security Management System (ISMS); formally published as ISO/IEC Information Security Management Systems - Requirements
58 ISO This is essentially the set of security controls: the measures and safeguards for potential implementation. After the introduction, scope, terminology and structure sections, the remainder of ISO/IEC specifies control objectives categorized into 11 main sections to protect information assets against threats to their confidentiality, integrity and availability.
59 ISO Security Controls Security Policy; Organization of Information Security; Asset Management; Human Resources; Physical and Environmental Security; Communications and Operations Management
60 ISO Security Controls (cont'd) Access Control; Information Systems Acquisition, Development and Maintenance; Information Security Incident Management; Business Continuity Management; Compliance
61 ISO This is the specification for an Information Security Management System (ISMS). It is the means to measure, monitor and control security management from the top down perspective. It explains how to apply ISO
62 ISO Defined as a six-part process: define a security policy; define the scope of the ISMS; undertake a risk assessment; manage the risk; select control objectives and controls to be implemented; prepare a statement of applicability
63 ISO Healthcare Challenges: ISO is extremely difficult to implement for large units. Compliance scopes that cover no more than two to three sites, or approximately 50 staff, or approximately ten processes have been found to work very well.
64 ISO 27799:2008 Health informatics - Information security management in health using ISO/IEC 27002
65 ISO This International Standard provides guidance to healthcare organizations and other custodians of personal health information on how best to protect the confidentiality, integrity and availability of such information by implementing ISO/IEC
66 ISO Health information security: Practical Action Plan for Implementing ISO 17799/27002; Healthcare Implications of ISO 17799/27002; Threats; Tasks and documentation of the ISMS; Potential benefits and tool attributes
67 Relationships Between Standards & Regulations Remember: ISO and BS 7799 are ISO (diagram relating HIPAA, ISO, BS7799, COBIT & ITIL)
68 Questions?
69 For More Information: Jennifer F. Alfafara, Consultant, Resources Global Professionals usa.com
70 Thank you!
More informationSecurity Controls What Works. Southside Virginia Community College: Security Awareness
Security Controls What Works Southside Virginia Community College: Security Awareness Session Overview Identification of Information Security Drivers Identification of Regulations and Acts Introduction
More informationBuilding A Framework-based Compliance Program. Richard E. Mackey, Jr. Vice President, SystemExperts Corp. dick.mackey@systemexperts.
Building A Framework-based Compliance Program Richard E. Mackey, Jr. Vice President, SystemExperts Corp. dick.mackey@systemexperts.com Agenda The compliance process Assembling requirements Useful frameworks
More informationRISK BASED AUDITING: A VALUE ADD PROPOSITION. Participant Guide
RISK BASED AUDITING: A VALUE ADD PROPOSITION Participant Guide About This Course About This Course Adding Value for Risk-based Auditing Seminar Description In this seminar, we will focus on: The foundation
More informationHIPAA. HIPAA and Group Health Plans
HIPAA HIPAA and Group Health Plans CareFirst BlueCross BlueShield is the business name of CareFirst of Maryland, Inc. and is an independent licensee of the Blue Cross and Blue Shield Association. Registered
More informationInternal Auditing Guidelines
Internal Auditing Guidelines Recommendations on Internal Auditing for Lottery Operators Issued by the WLA Security and Risk Management Committee V1.0, March 2007 The WLA Internal Auditing Guidelines may
More informationHIPAA PRIVACY AND SECURITY FOR EMPLOYERS
HIPAA PRIVACY AND SECURITY FOR EMPLOYERS Agenda Background and Enforcement HIPAA Privacy and Security Rules Breach Notification Rules HPID Number Why Does it Matter HIPAA History HIPAA Title II Administrative
More informationGuide to Internal Control Over Financial Reporting
Guide to Internal Control Over Financial Reporting The Center for Audit Quality prepared this Guide to provide an overview for the general public of internal control over financial reporting ( ICFR ).
More informationHealth Insurance Portability and Accountability Act Enterprise Compliance Auditing & Reporting ECAR for HIPAA Technical Product Overview Whitepaper
Regulatory Compliance Solutions for Microsoft Windows IT Security Controls Supporting DHS HIPAA Final Security Rules Health Insurance Portability and Accountability Act Enterprise Compliance Auditing &
More informationGovernance SPICE. ISO/IEC 15504 for Internal Financial Controls and IT Management. By János Ivanyos, Memolux Ltd. (H)
Governance SPICE ISO/IEC 15504 for Internal Financial Controls and IT Management By János Ivanyos, Memolux Ltd. (H) 1. Evaluating Internal Controls against Governance Frameworks Corporate Governance is
More informationInformation Security Program
Stephen F. Austin State University Information Security Program Revised: September 2014 2014 Table of Contents Overview... 1 Introduction... 1 Purpose... 1 Authority... 2 Scope... 2 Information Security
More informationHIPAA Compliance and PrintFleet Software Applications
HIPAA Compliance and PrintFleet Software Applications PrintFleet Software Applications Do Not Impact HIPAA Compliance The use of PrintFleet software applications will not have an impact on compliance with
More informationOffice of the Auditor General Performance Audit Report. Statewide Oracle Database Controls Department of Technology, Management, and Budget
Office of the Auditor General Performance Audit Report Statewide Oracle Database Controls Department of Technology, Management, and Budget March 2015 071-0565-14 State of Michigan Auditor General Doug
More informationGAO. Standards for Internal Control in the Federal Government. Internal Control. United States General Accounting Office.
GAO United States General Accounting Office Internal Control November 1999 Standards for Internal Control in the Federal Government GAO/AIMD-00-21.3.1 Foreword Federal policymakers and program managers
More informationHealth Sciences Compliance Plan
INDIANA UNIVERSITY Health Sciences Compliance Plan 12.18.2014 approved by University Clinical Affairs Council Table of Contents Health Sciences Compliance Plan I. INTRODUCTION... 2 II. SCOPE... 2 III.
More information2/9/2012. 2012 HIPAA Privacy and Security Audit Readiness. Table of contents
2012 HIPAA Privacy and Security Audit Readiness Mark M. Johnson National HIPAA Services Director Table of contents Page Background 2 Regulatory Background and HITECH Impacts 3 Office of Civil Rights (OCR)
More informationMedicare Advantage and Part D Fraud, Waste, and Abuse Training. October 2010
Medicare Advantage and Part D Fraud, Waste, and Abuse Training October 2010 Introduction 2008: United States spent $2.3 trillion on health care. Federal fiscal year 2010: Medicare expected to cover an
More informationSurviving SOX with Scrum. Integrating Scrum in IT Governance at Allianz
Surviving SOX with Scrum Integrating Scrum in IT Governance at Allianz 1 Who are we? Simon Roberts MBA and Dr. Christoph Mathis Independent Scrum coaches and trainers; Scrum since 2002, XP since late 1990s
More informationISO/IEC 27002:2013 WHITEPAPER. When Recognition Matters
When Recognition Matters WHITEPAPER ISO/IEC 27002:2013 INFORMATION TECHNOLOGY - SECURITY TECHNIQUES CODE OF PRACTICE FOR INFORMATION SECURITY CONTROLS www.pecb.com CONTENT 3 4 5 6 6 7 7 7 7 8 8 8 9 9 9
More informationSelf-Service SOX Auditing With S3 Control
Self-Service SOX Auditing With S3 Control The Sarbanes-Oxley Act (SOX), passed by the US Congress in 2002, represents a fundamental shift in corporate governance norms. As corporations come to terms with
More informationGAO. Government Auditing Standards. 2011 Revision. By the Comptroller General of the United States. United States Government Accountability Office
GAO United States Government Accountability Office By the Comptroller General of the United States December 2011 Government Auditing Standards 2011 Revision GAO-12-331G GAO United States Government Accountability
More informationACC 215 ETHICS IN ACCOUNTING. Upon completion of this course, the student will be able to:
ACC 215 ETHICS IN ACCOUNTING COURSE DESCRIPTION: Perequisites: ACC 121 Corequistites: None This course introduces students to professional codes of conduct and ethics adopted by professional associations
More informationHealth Insurance Portability and Accountability Act HIPAA. Glossary of Common Terms
Health Insurance Portability and Accountability Act HIPAA Glossary of Common Terms Terms: HIPAA Definition*: PHCS Definition/Interpretation: Administrative Simplification HIPAA Subtitle F It is the purpose
More informationHEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) TERMS AND CONDITIONS FOR BUSINESS ASSOCIATES
HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) TERMS AND CONDITIONS FOR BUSINESS ASSOCIATES I. Overview / Definitions The Health Insurance Portability and Accountability Act is a federal law
More informationAUD105-2nd Edition. Auditor s Guide to IT - 20 hours. Objectives
AUD105-2nd Edition Auditor s Guide to IT - 20 hours Objectives More and more, auditors are being called upon to assess the risks and evaluate the controls over computer information systems in all types
More informationISO/IEC 27001:2013 Your implementation guide
ISO/IEC 27001:2013 Your implementation guide What is ISO/IEC 27001? Successful businesses understand the value of timely, accurate information, good communications and confidentiality. Information security
More informationRecession Calls for Better Change Management Separation of duties, logging paramount in times of great, rapid change
Recession Calls for Better Change Management Separation of duties, logging paramount in times of great, rapid change Rebecca Herold, CIPP, CISSP, CISA, CISM, FLMI Final Draft for March 2009 CSI Alert I
More informationHIPAA Security. 5 Security Standards: Organizational, Policies. Security Topics. and Procedures and Documentation Requirements
HIPAA Security S E R I E S Security Topics 1. Security 101 for Covered Entities 2. Security Standards - Administrative Safeguards 3. Security Standards - Physical Safeguards 4. Security Standards - Technical
More informationIntegrated Information Management Systems
Integrated Information Management Systems Ludk Novák ludek.novak@anect.com ANECT a.s. Brno, Czech Republic Abstract The article tries to find consensus in these tree different types of the systems the
More informationDeveloping HIPAA Security Compliance. Trish Lugtu CPHIMS, CHP, CHSS Health IT Consultant
Developing HIPAA Security Compliance Trish Lugtu CPHIMS, CHP, CHSS Health IT Consultant Learning Objectives Identify elements of a HIPAA Security compliance program Learn the HIPAA Security Rule basics
More informationChayuth Singtongthumrongkul
IT is complicated. IT Governance doesn t have to be. Chayuth Singtongthumrongkul CISSP, CISA, ITIL Intermediate, PMP, IRCA ISMS (ISO/IEC 27001) Director of International Academic Alliance, ACIS Professional
More informationImplementing COBIT based Process Assessment Model for Evaluating IT Controls
Implementing COBIT based Process Assessment Model for Evaluating IT Controls By János Ivanyos, Memolux Ltd. (H) Introduction New generations of governance models referring to either IT or Internal Control
More information