CobiT,, ITIL and ISO17799 How to use them in conjunction

Transcription

1 CobiT,, ITIL and ISO17799 How to use them in conjunction Angeli Hoekstra & Nicolette Conradie

2 Content Overview IS O Nicolette Overview CobiT Overview ITIL How to us e them in conjunction Conclusion 2

3 Overview IS O Nicolette

4 IS O Overview BS 7799 Provides guidelines and recommendations for s ecurity management. Part 1 - S tandard; and P art 2 - Certification BS7799 ISO SABS IS O Part 1 accepted as International Standard; Part 2 to be accepted end of 2002.

5 IS O Modules Organisational Risks Security Policy Comm / Ops Management Security Organisation Asset Classification and Control Access Control System Development and Maintenance Personnel Security Business Continuity Planning Physical and Environmental Security Compliance 5

6 IS O Controls Security Policy Asset Classification and Control Documented & communicate IS policy R egularly reviewed Allocation of roles & res pons ibilities 3rd-party acces s ris ks /controls Outs ourcing Security Organisation Inventory of As s ets Clas s ification bas ed on s ens itivity/bus ines s impact 6

7 IS O Controls Personnel Security Comm / Ops Management R ecruitment s creening Awareness & training R eporting of incidents Phys ical s ecurity perimeters Equipment siting Clear desk & clear screen Incident procedures Segregation of duties System planning & acceptance Malicious s oftware protection controls Physical and Environmental Security 7

8 IS O Controls Access Control Managing Acces s - Application Level - Operating Level - Network Level 8 Business Continuity Planning Change control procedures Segregation of environments S ecurity requirements System Development and Maintenance Business continuity plans BCP framework and team roles & responsibilities Testing continuity plans Maintaining and updating continuity plans

9 IS O Controls Compliance Copyright controls R etention of records and information Compliance with legis lation - Data protection Compliance with company policy 9

10 Overview CobiT

11 CobiT P roduct F amily EXECUTIVE SUMMARY Implementation Tool Set 11 Management Guidelines Framework with High-Level Control Objectives Detailed Control Objectives Key Performance and Goal Indicators Critical Success Factors Audit Guidelines Maturity Model

12 CobiT Principles IT R E S O U R C E S Planning & Organisation Acquisition & Implementation Delivery & Support Data Applications Technology Facilities People Monitoring Process Domains I N F O R M A T I O N What you get Effectiveness Efficiency Confidentiality Integrity Availibility Compliance Reliability What you need B U S 12 I N E S S

13 CobiT Domains Acquisition & Implementation Processes Per process: Control objectives KPI s: measure of performance CSF s: what do you need to do KGI s: measure of outcome Maturity model 13 AI 1: Identify automated solutions AI 2: Acquire and maintain application software AI 3: Acquire and maintain technology infrastructure AI 4: Develop and maintain procedures AI 5: Install and accredit systems AI 6: Manage Changes AI 6: Manage Changes: Control objectives 6.1: Change request initiation and control 6.2: Impact assessment 6.3: Control of changes 6.4: Emergency changes 6.5: Documentation and procedures 6.6: Authorised maintenance 6.7: Software release policy 6.8: Distribution of software

14 CobiT Key Goal Indicators: Manage Change Reduced number# of errors introduced into systems due to changes Reduced number# of disruptions (loss of availability) caused by poorly managed change Reduced impact of disruptions caused by change Reduced level of resources and time required as a ratio to number# of changes Number# of emergency fixes/time. Key Performance Indicators: Manage Change Number# of different versions installed at the same time Number# of software release/and distribution methods per platform Number# of deviations from the standard configuration Number# of emergency fixes for which the normal change management process was not applied retro-actively Time lag between availability of fix and implementation of it.. ratio of accepted vs refused change implementation requests. 14 Critical Success Factors: Manage Change Expedient and comprehensive acceptance test procedures are applied prior to making the change. There is a reliable hardware and software inventory. There is segregation of duties between production and development.

15 Overview ITIL

16 The ITIL jigsaw what service the business requires of the provider in order to provide adequate support to the business users ensuring that the customer has access to the appropriate services to support the business functions 16 understanding and improving IT service provision, as an integral part of an overall business requirement for high quality IS management Business Continuity Management partnerships and outsourcing surviving change transformation of business practice through radical change. Network Service Management Operations Management Management of Local Processors Computer Installation and Acceptance Systems Management

17 ITIL service support & service delivery processes Service support: S ervice delivery Service desk Incident management Problem management Config uration management Change management Release management capacity management availability management financial management of IT s ervices s ervice level management IT s ervice continuity manag ement 17

18 How can they be used in conjunction?

19 What do we want to achieve with IT? Support business Aligned service quality service cost Better time Cheaper time time Stakeholder Value IT risks delivery time Controlled Secure time Faster time 19

20 How we can achieve these IT goals The assignment of responsibility for performing specified activities to specific groups or individuals The people that support effective and efficient IT service management The assignment of controls to IT processes to ensure that they deliver efficiently and effectively in line with clients requirements People Controls Structure & Roles Technology The technology that is supporting the IT delivery Metrics Processes The assignment of measurements to people, processes, technology and controls to ensure they comply to what they are intended for The interrelated series of activities that combine to produce products or services for internal & external clients 20 13

21 How we can achieve these IT goals ITIL BS limited? CobiT ISO People Controls Structure & Roles Technology ITIL- limited Metrics Processes CobiT v3 ITIL CobiT - limited ISO limited 21 13

22 How we can achieve these IT goals: Where are the methods strong in? ITIL strong in IT processes, but limited in security and system development CobiT s trong in IT controls and IT metrics, but does not s ay how (i.e. process flows) and not that strong in security ISO s trong in s ecurity controls, but does not s ay how (i.e. proces s flows ) Conclusion: No contradictions or real overlaps None identify people requirements Not strong on organisational side (structure & roles) Not s trong on technology s ide 22

23 How can we achieve these IT goals: continuous IT improvement Where do we want to be? Vision & objectives BS15000 ISO CobiT compliant etc. Where are we now? How do we get there? How do we know we have arrived? Assessments IT design Metrics How well does IT support business?: Alignment assessment How controlled is IT?: CobiT compliance check How secure is IT?: ISO Health Check How cost effective is IT?: benchmarking What does the user think of IT?: surveys ITIL ISO CobiT CobiT v3 mngt guidelines 23

24 Control Risk Control Evaluation Effectiveness Efficiciency Confidentiality Integrity Availibility Compliance Reliability Materiality lanning and organisation O 1 Define a strategic IT plan 2 C H O 2 Define the information architecture 1 E C C O O 3 Determine the technological direction 2 C H O 4 Define organisation and relationships 2 C H O 5 Manage the investment 2 C C O O 6 Communicate management aims and direction 1 E O O 7 Manage human resources 1 E E O 8 Ensure compliance with external requirements 1 E c O O 9 Assess risk 1 C C E c c O O O 10 Manage projects 1 E E O 11 Manage quality 1 E E c O cquisition and implementation I 1 Identify automated solutions 1 E C I 2 Acquire and maintain application software 1 E E O O O I 3 Acquire and maintain technology architecture 1 E E O I 4 Develop and maintain procedures 1 E E O O O I 5 Install and accredit systems 1 E O O I 6 Managing changes 2 C C c c O elivery and support S 1 Define service levels 1 E E C O O O O S 2 Manage third-party services 1 E E C O O O O S 3 Manage performance and capacity 1 E E O S 4 Ensure continuous service 2 C H c S 5 Ensure systems security 2 C c O O O S 6 Identify and allocate costs 1 E c S 7 Educate and train users 1 E C S 8 Assist and advice customers 1 E S 9 Manage the configuration 1 E O O S 10 Manage problems and incidents 1 E E O S 11 Manage data 2 c S 12 Manage facilities 2 c c S 13 Manage operations 1 E E O O onitoring 1 Monitor the process 1 E C C O O O O 2 Assess internal control adequacy 1 E E C O O O O 3 Obtain independent assurance 1 E E C O O O O 4 Provide for Independent Audit 1 E E C O O O O CobiT compliance check 24 Legend: E Exposure H Housekeeping C Concern O OK c concern +

25 How can we achieve these IT goals: continuous IT improvement ISO Health Check Graph depicting the level of non-compliance of company XYZ 70% 62.50% 25 60% % Non-compliance 50% 40% 30% 20% 10% 0% 29.03% 18.75% 15.84% 11.39% 9.43% 8.33% 4.88% 4.82% ISO Modules 0.00%

26 Conclusion Us e CobiT and IS O health check to determine current s tatus Identify weaknesses in processes and controls Us e ITIL to improve IT proces s es & controls, us e IS O to improve security processes & controls (although not strong on process side) Us e ITIL to determine technology, although not complete Us e CobiT to define metrics Query ITIL on possible structures? CobiT ISO ITIL ISO limited Structure & Roles People Metrics Controls Technology ITIL-limited Processes CobiT v3 ITIL CobiT - limited ISO limited 26

27 Nicolette Conradie: Angeli Hoekstra Your worlds Our people 2002 PricewaterhouseCoopers LLP. PricewaterhouseCoopers refers to the U.S. firm of PricewaterhouseCoopers LLP and other members of the worldwide PricewaterhouseCoopers organization.