Control Design & Implementation Week #5 CRISC Exam Prep ~ Domain #4. Bill Pankey Tunitas Group. Job Practice


Week #5 CRISC Exam Prep ~ Domain #4
Bill Pankey, Tunitas Group

CRISC Control Design Domain: Job Practice
  4.1 Interview process owners and review process design documentation to gain an understanding of the business process objectives.
  4.2 Analyze and document business process objectives and design to identify required information systems controls.
  4.3 Design information systems controls in consultation with process owners to ensure alignment with business needs and objectives.
  4.4 Facilitate the identification of resources (e.g., people, infrastructure, information, architecture) required to implement and operate information systems controls at an optimal level.
  4.5 Monitor the information systems control design and implementation process to ensure that it is implemented effectively and within time, budget and scope.
  4.6 Provide progress reports on the implementation of information systems controls to inform stakeholders and to ensure that deviations are promptly addressed.
  4.7 Test information systems controls to verify effectiveness and efficiency prior to implementation.
  4.8 Implement information systems controls to mitigate risk.
  4.9 Facilitate the identification of metrics and key performance indicators (KPIs) to enable the measurement of information systems control performance in meeting business objectives.
  4.10 Assess and recommend tools to automate information systems control processes.
  4.11 Provide documentation and training to ensure information systems controls are effectively performed.
  4.12 Ensure all controls are assigned control owners to establish accountability.
  4.13 Establish control criteria to enable control life cycle management.

Control Development LifeCycle*
  1. Design
     - What controls should be in place to prevent or detect (name one) adverse effect?
     - Does the system of controls mitigate all the major risks identified by management's risk assessment?
     - How does management ensure that expert input / feedback is applied to the design of the control system?
     - How does management ensure that changes or additions to business processes are designed to include the necessary controls?
  2. Implementation
  3. Operational effectiveness
  4. Monitoring
  *Tommie Singleton, "The CDLC", ISACA Journal Online, V3

Risk IT
  Risk IT encapsulates control design and implementation in Risk Response / Manage Risk, RR2.4: Implement Controls:
  - Take appropriate steps to ensure the effective deployment of new controls and adjustments to existing controls.
  - Communicate with key stakeholders early in the process.
  - Before relying on the control, conduct pilot testing and review performance data to verify operation against design.
  - Map new and updated operational controls to monitoring mechanisms that will measure control performance over time, and prompt management corrective action when needed.
  - Identify and train staff on new procedures as they are deployed.
  - Update risk register?

Agenda
  - Control theory
  - What is a control?
  - Process controls
  - Application controls
  - Control SDLC considerations

Control [ISACA Glossary of Terms]
  "The policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented or detected and corrected."
  Three essential aspects of a control:
  1. Risk reduction: undesired events will be prevented or detected and corrected
  2. Non-interference with business processes: business objectives will be achieved
  3. Assurance

Risk Reduction
  Controls reduce risk by changing risk factors:
  - reducing exposure to the threat agent
  - limiting the threat agent's action
  - responding to the incident
  Control types: compensatory, deterrent, prevent, detect, correct
  Organizational loss factors:
  - e.g., limit loss by stopping an exploit in progress
  - e.g., limit productivity loss by rapid recovery

Non-Interference (so called)
  Controls inherently interfere with business activity:
  - e.g., security controls intend to deny service to at least some person, machine, process or agent
  - e.g., require additional steps in a process or activity
  - e.g., create redundancy
  ... but not so much as to jeopardize achieving the business objective.
  Alignment problem: the need to balance
  - rate and consequence of adverse events, with
  - business cost: reduced productivity / output

Assurance (elusive)
  Differing standards of assurance:
  [audit] the operation of a control produces evidence of the control's correct operation and effectiveness
    - e.g., change control & documentation
    - e.g., pre-employment background checks
  [infosec] control assurance is determined by recourse to external testing / accreditation / compliance with best practice
    - e.g., FIPS 140-2 for a crypto-system
    - e.g., Common Criteria

Audit Bias: Requirement for Evidence
  [CRISC 2011 Review Manual] "Controls can be effectively assessed only by determining how well they achieve the control objective within the environment in which they are operating."
  [CRISC 2011 Review Manual] "In the previously mentioned scenario, the control fails because neither quantitative nor qualitative conclusion on the control effectiveness can be reached" => no assurance
  How about ...
  Question: What evidence is produced about the effectiveness of message (say ...) encryption? Is encryption a control? What assurance does it provide? How?

Is a Safeguard a Control?
  Does a safeguard provide risk reduction without assurance?
  - Reliance on informal guidance of best practices
  - [rebuttable] presumption that risk will be reduced
  :: Not all risk will be controlled
  - Cost of assurance may not be justified even if the cost of risk reduction is
  - Risk management w/o control
    - Risk vs. uncertainty management
    - Managed security activity
    - Risk management decision
  Where is there a requirement for a control vs. a safeguard?
  Balance quality / reliability / cost effectiveness against assurance

Design Control Criteria
  Specificity:: the control is defined relative to a particular objective and identified risk
  Completeness:: the control addresses known threats to the objective and provides evidence of operation and effectiveness
  Compliance (in context):: design anticipates the need for empirical evidence that demonstrates the reliable implementation of control features
  Effectiveness (in context):: design anticipates the need for empirical evidence that demonstrates that the control accomplishes its objective (stimulus / response)

Control Design Considerations: Not Just a Technical but a Cultural Challenge*
  - Capture evidence of effectiveness during control operation
    - Reduce cost of audit and mitigation
  - Common management of routine and extra-ordinary risks
  - Risk management approach to internal control
  - Better quantification
    - Produce data that support analysis of frequency and strength of threat
  - Behavior change
    - Emphasis on transparency, not so Boolean
  - Psychological factors
    - No discounting just to reduce uncertainty
    - Minimize conflict between risk & performance mgmt.
  - Causal model
    - Avoid over-simplification of the risk register
    - Multiple causes / multiple effects
  *Matthew Leitch, "Seven frontiers of internal control and risk management"

COBIT PCn / ITILv3 Generic Process Controls
  Risk is first addressed and prevented in the definition and design of business and IT processes.
  Process controls are activities that ensure that a particular process achieves its objectives, i.e. they reduce the risk to that achievement; they are implemented as part of the process lifecycle.
  Control objectives:
  - Goal definition and signoff
  - Process ownership / oversight
  - Repeatable activity
  - Roles & responsibilities
  - Documentation
  - Performance measurement
  Risks addressed:
  - Lack of business value
  - Business non-alignment
  - Service delivery / completion failures
  - Lack of diligence / accountability
  - Lack of assurance
  - Excessive cost / inefficiency

COBIT ACn Generic Application Controls
  Controls incorporated within an application that reduce risk: prevent error; increase reliability / quality of application output.
  Control objectives:
  - Established procedures for data collection / authorization
  - Accuracy, completeness & authenticity checks
  - Processing integrity & validity
  - Output review, reconciliation and error handling
  - Transaction authenticity and integrity
  Risks addressed:
  - Fraudulent data
  - Incomplete or invalid data
  - Loss of processing capability due to unexpected input / data error
  - Erroneous output / mis-direction
  - Accounting error

Advocacy: CRISC Role in Control Design
  - Ensure proper communication of business requirements
  - Support business ownership and user representation during key design phases (requirements specification & validation) ~ protect against a failure to deliver business value
  - Ensure that an adequate system of controls is incorporated into system specifications
    Challenge: business owner and user management may not recognize the risk accompanying the system / application
    Overcome the performance / risk dichotomy
  - Ensure monitoring controls are incorporated into the system

CRISC Role in Development
  Typically a programmer activity. CRISC may play a specialist role with respect to some specific controls to ensure correct implementation and management of high-risk situations.

CRISC Role in System Testing
  - Ensure that appropriate testing occurs with appropriate data sets and personnel
  - Produce a Final Test Report to Management, similar to an accreditation package, containing evidence that the system:
    - meets business requirements (User Acceptance Testing)
    - implements appropriate controls (functional system tests, recovery testing, security testing, performance testing)
    - is ready for migration to the production environment (program documentation, security plans, assessment of likely effectiveness of security controls)

Implementation Stuff
  The CRISC Review Manual provides detail regarding a collection of implementation activities:
  - Transition planning (phase out / phase in)
  - SLA for support functions
  - Knowledge transfer
  - User / administrator training
  - Data migration / data conversion
  - Fallback
  - Changeover (parallel / phased / abrupt)
  - Post-implementation review
  - Closeout & sponsor signoff
  What are the risks?
  - Disruption of ongoing operations
  - Corrupted data
  - Incomplete or failed migration

Project Management Stuff
  The CRISC Review Manual provides specialist detail regarding project management:
  - Project scope management
  - Change management / requests and approvals
  - Critical path
  - Resource planning & resource metrics
  - Gantt charts
  - Program Evaluation Review Technique (PERT): expected duration = (optimistic + pessimistic + 4 * most likely) / 6
  Project management elements: deliverables, budget, resources
  What is the risk? Quality, money, time

CRISC Domain #5, Next Week: Control Monitoring & Maintenance