
IT Audit Controls Security

Background

Internal controls have existed since the inception of auditing.[1] According to the US Committee of Sponsoring Organisations (COSO), internal control is a process, effected by management, intended to provide assurance regarding objectives in the areas of effectiveness and efficiency of operations, reliability of financial reporting, and compliance of organisation systems and processes with laws and regulations.

ISO/IEC 27001:2013(E) Clause 9.2 prescribes conducting internal audits at planned intervals to generate evidence on conformance to the organisation’s own requirements, and the requirements of the International Standard.

Auditors review and assess an organisation's management controls, but they neither develop nor administer those controls; controls are developed by managers, or adopted from standards such as ISO/IEC 27001:2013.

The Information Systems Audit and Control Association (ISACA) and its auditors have provided guidance for IT-related internal controls. Most such professionals serve as internal auditors.

COSO and Sarbanes-Oxley have become worldwide standards. Though these frameworks have their origins in financial reporting, they are important to information systems auditors. Internal auditors have skills in understanding, testing and evaluating controls and procedures.

Auditing

Characteristic tasks

·         Technology-based audit design; analysis and evaluation of enterprise processes to assess internal controls and minimise risk; performing risk analysis of infrastructure and service networks; evaluation of possible risks; documentation of findings and risk assessment; evaluation of management response to findings and risk assessment

·         Independence, and following internal controls

·         Examination of the effectiveness of policies and procedures; identification of security issues and the actions to be taken

·         Development and implementation of computer-assisted audit tools and techniques (CAATT)

·         Development and presentation of training workshops on controls and concepts

·         Conducting investigations of misuse

 

Knowledge, skills, abilities and personal characteristics

·         Knowledge of auditing, information systems, and network security

·         Investigation and process flow analysis

·         Interpersonal skills

·         Verbal and written communication

·         Exercise of good judgement

·         Maintenance of confidentiality

·         Familiarity with desktop tools, vulnerability analysis tools, and associated tools

Compliance outcomes

An enterprise unit or process with well-performing internal controls is identified by:

·         Accomplishment of its stated mission, ethically

·         Generation of accurate and reliable data

·         Compliance with applicable laws and enterprise policies

·         Economical and efficient use of resources

·         Asset safety

Committee of Sponsoring Organisations (COSO)

COSO represents five professional auditing and accounting organisations. Its framework is officially titled Internal Control—Integrated Framework, commonly referred to as the internal control report or framework.

COSO defines internal control as:

Internal control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

·         Effectiveness and efficiency of operations

·         Reliability of financial reporting

·         Compliance with applicable laws and regulations

 

Figure 1. COSO Internal Controls Framework

 

Internal controls

A COSO internal control environment reflects the attitude, awareness and actions of the board of directors, management, and others concerning the importance of internal controls. Organisation history and culture play a major role in forming this internal control environment.

 

Where senior management has a history of supporting quality controls, those controls become major internal controls. Where organisations have developed strong codes of conduct emphasising integrity and ethical values, and where stakeholders follow that code, the code becomes an important part of corporate governance. Ignorance of a code of conduct can lead to violations just as malfeasance can. Where very strict controls or high performance expectations are set, stakeholders may respond by deviating from ethical behaviour.

 

An organisation’s competence is reflected in how well personnel skills match requirements, including adequate staffing. Organisations must set required competence levels for the various job tasks and translate those into the necessary knowledge and skills.

 

The actions, management philosophy and operating style of the board and audit committee influence the organisation’s control environment. The organisation structure, meanwhile, provides a framework for planning, executing, controlling and monitoring activities, to achieve objectives.

 

A strong control environment foundation is necessary for other components of internal control.

Risk assessment controls

Organisations are at risk from a variety of internal and external factors. Understanding and managing risk are essential elements of internal control foundations.

COSO internal controls should be forward-looking and performed at all levels, for all activities within the organisation. Risk assessment is a three-step process:

1.       Estimate the significance of the risk

2.       Assess the likelihood or frequency of the risk occurring

3.       Determine how to manage the risk, and assess actions to be taken

COSO recommends the following control activities:

·         Top-level review. Management and internal auditors should review the results of their performance, against budgets, competitive statistics, and other benchmarks. Next, follow-up on the results, and undertake corrective action.

·         Direct functional or activity management. Managers should review operational reports from their control systems and take corrective action.

·         Information processing. Exceptions should generate corrective action by automated system procedures. Development of new systems or access to data or applications should be controlled.

·         Physical control.

·         Performance indicators.

·         Separation of duties.

Figure 2. COSO internal controls foundation components

Monitoring controls

Representative routine business functions that serve as monitoring activities:

·         Operating management normal functions. Management reviews operations and financial reports

·         Communications from external parties

·         Organisation structure and supervisory activities

·         Physical inventories and asset reconciliation

Internal control evaluation process

To conduct an evaluation, an IT/IS auditor must:

1.       Develop an understanding of the system design

2.       Test key controls

3.       Form conclusions based on the test results

COSO also mentions benchmarking.

ISO/IEC 27001:2013 clause 9.2 requires that an organisation:

a.       Plan, establish, implement and maintain an audit program, including establishing frequency, methods, responsibilities, planning requirements, and reporting. The audit program (process) should take into consideration existing processes and previous audits.

b.       Define the audit criteria and scope

c.       Select auditors, and ensure objectivity and impartiality

d.       Ensure that the results are reported to senior management

e.       Retain documentation and audit results

Evaluation Action Plans

There is an acknowledgement of informal and undocumented processes. These can be tested and evaluated.

Reporting Internal Control Deficiencies

Prior to SOx, external auditors applied the concept of materiality, and decided that some errors and irregularities were not material to the overall conclusion. Under the AS 5 rules, materiality and relative risk must now be considered when evaluating the efficiency and effectiveness of internal controls. Deficiencies should be reported to the individual responsible for the function or activity involved, and to at least one level of management above the directly responsible person.



Figure 3. Monitoring Design and Implementation Process

ISO/IEC 27001:2013 mandates top management review of information security management systems at planned intervals to ensure suitability, adequacy and effectiveness. Management is required to consider,

a.       The status of actions from previous management reviews

b.       Changes in relevant external and internal issues

c.       Feedback on performance, including on nonconformities and corrective actions, monitoring and measurement results, audit results, and fulfilment of objectives

d.       Results of risk assessment and status of risk treatment

e.       Opportunities for continual improvement

According to the standard, nonconformity should be addressed by taking action to control and correct it, and deal with the consequences. Following identification of cause, and possible future triggers, the nonconformity must be reviewed, and potential similar nonconformities identified.

Following identification, any action needed must be implemented, its effectiveness reviewed, and changes made to the information security management system, if necessary.

Sarbanes-Oxley Act

The Public Accounting Reform and Investor Protection Act, the Sarbanes-Oxley Act, or SOx, is a US law enacted in 2002 in response to accounting deficiencies and failures, to improve financial reporting. The act has had a major impact on IT auditors. A general understanding of SOx, with an emphasis on the Section 404 internal accounting control rules, is required of IT auditors.

Additionally, the newer external auditing standard, Auditing Standard No. 5 (AS 5), which takes a risk-based auditing approach, also emphasises the importance of internal auditing in financial reporting internal control reviews.

According to Section 404, management is responsible for annual assessment of internal controls. SOx established the Public Company Accounting Oversight Board (PCAOB).

Title I defines PCAOB auditing practices for external auditors. The more important rules relating to internal controls are that the PCAOB:

1.       Sets the external auditing standards. The external auditor’s evaluation must contain a description of material weaknesses as well as any material non-compliance matters found. External auditors are required to update the effectiveness of internal controls, and the absence of this is considered an internal control weakness.

2.       Sets audit standards rules such as workpaper retention. AS 3 mandates that audit workpapers be maintained for a period of not less than seven years.

3.       Scope of internal control testing. External auditors are required to describe the scope of their testing processes and their test findings. Supporting documentation must clearly describe the scope and extent of testing activities.

Title IV mandates management assessment of internal controls and requires senior officers’ codes of conduct, among other matters. Annual 10-K reports must contain an internal controls report stating management’s responsibility for establishing and maintaining an adequate system of internal controls (involving reviewing, documenting and testing its own internal accounting controls), as well as management’s assessment, as of the fiscal year end date, of the effectiveness of those installed internal control procedures. External auditors review the supporting material leading up to that internal financial controls report to attest that the report is an accurate description of the internal control environment.

The Section 404 process is an improvement over earlier practice, where external auditors built and documented internal controls and then audited those same controls, a separation-of-duties shortcoming.

Planning considerations for a Section 404 Internal Controls Review

1.       Follow work steps to understand, document, and test key processes

2.       Review detailed documentation of prior 404 reviews, including process flow charts, internal control gaps identified and remediated, and project planning for prior review

3.       Review recent PCAOB rules covering Section 404 reviews, and audit changes

4.       Meet external audit firm for current Section 404 attestations, and determine if there are any changes in documentation and testing philosophy, with an emphasis on AS5 rules, from the last review

5.       Take into consideration organisation changes since the last review, including acquisitions and major reorganisations, to modify review coverage

6.       Identify new systems or processes through meetings with senior and IT managements

7.       Review internal control weaknesses identified in the last review, and determine if internal control corrections are effective

8.       Review existing documentation, and assess new documentation necessary

9.       Determine whether appropriately knowledgeable and trained resources are available to perform the upcoming review

10.   Interview all parties involved in the previous review

11.   In consultation with management, determine scope of parameters for the upcoming review

12.   Determine whether software used for past reviews is current, and adequate

13.   Share a detailed project plan for approval by senior management

AS 5 Rules and Internal Audit

1.       Focus internal control audits on critical matters. Focus on the greatest risk that an internal control will fail to prevent or detect. AS 5 also provides guidance on lower-risk areas, such as calibrating the nature, timing and extent of testing based on risk. Work performed by previous auditors may be used by internal auditors, when appropriate.

2.       Eliminate unnecessary audit procedures to achieve intended benefits. AS 5 does not require the evaluation of management’s own evaluation process, nor an opinion on the adequacy of management’s processes.

3.       Tailor internal control audits to fit the size and complexity of the organisation

Internal auditors are excellent resources to identify, document and test key internal control processes, and they may do so in a support role for the external auditor’s attestation reviews. However, pure separation-of-duties independence rules suggest they cannot serve even in a support role.

 

Control Objectives for Information and related Technology (CobiT)

CobiT is a toolset for managers, bridging control requirements, technical issues, and business risks. ISACA published the current version, CobiT 5, in 2012.[2] In December 2012, an add-on for information security was released, and in June 2013, another add-on for assurance was released.

CobiT defines a set of generic processes for the management of IT. The framework defines each process with inputs and outputs, key process activities, process objectives, performance measures and an elementary maturity model.[3] The framework supports governance of IT by defining and aligning business goals with IT goals and IT processes. CobiT 5 consolidates CobiT 4.1, Val IT and Risk IT, and is interoperable with, and draws from:

1.       ISACA’s IT Assurance Framework (ITAF)

2.       Business Model for Information Security (BMIS)

3.       International Organisation for Standardisation (ISO)

4.       Project Management Book of Knowledge (PMBOK)

5.       PRINCE2

6.       The Open Group Architecture Framework (TOGAF)

7.       Information Technology Infrastructure Library (ITIL).

Val IT

Val IT may be used to create business value from IT investments.

Each major process/activity has a responsibility assignment (RACI) matrix:

·         Value Governance

o   VG1 Establish informed and committed leadership

o   VG2 Define and implement processes

o   VG3 Define portfolio characteristics

o   [..]

o   VG6 Continuously improve value management practices

·         Portfolio Management

o   PM1 Establish strategic direction and target investment mix

o   PM6 Optimise portfolio performance

·         Investment Management

o   IM1 Develop and evaluate the initial program concept business case

o   IM6 Launch and manage the program

o   IM9 Monitor and report on the program

 

Risk IT

IT risk is associated with the use, ownership, operation, involvement, influence, and adoption of IT.

Principles:

a.       Align with business objectives

b.       Align IT risk management with ERM

c.       Balance the costs and benefits of IT risk management

d.       Promote fair and open communication of IT risks

e.       Establish the right tone at the top while defining and enforcing accountability

f.        Operate as a continuous process

 

ITAF

BMIS

PMBOK

TOGAF

ITIL

CobiT

The CobiT standards and framework are issued and updated by the IT Governance Institute (ITGI) and the Information Systems Audit and Control Association (ISACA). The former focuses on research and governance processes, while the latter focuses on IT auditing. ISACA administers the Certified Information Systems Auditor (CISA) and Certified Information Systems Manager (CISM) examinations.

CobiT may be mapped to other IT initiatives. For example, the software engineering Capability Maturity Model for Integration (CMMi) has linkages to CobiT, as does the ISO 17799 standard.


Figure 4. CobiT IT Governance Focus Areas

1.       Strategic alignment. Efforts to align IT operations and activities with all organisation operations. Establish linkages between business operations and IT plans.

2.       Value delivery. Deliver promised benefits throughout a delivery cycle

3.       Risk management. Management should clearly understand an organisation’s appetite for risk, compliance requirements, and impact of risks. IT and other operations have their own and joint risks that may individually or jointly impact the organisation.

4.       Resource management. There should be adequate investment in critical IT resources, applications, information, infrastructure, and people.

5.       Performance measurement. Processes must track and monitor strategy implementation, project completions, resource usage, process performance, and service delivery.

CobiT Components

IT Resources

1.       Applications, consisting of automated user systems and manual or automated procedures to process information

2.       Information: input, output, and processed data

3.       Technology and facility infrastructure components including hardware, operating systems, databases, networks, and their environments

4.       Key and specialised personnel to plan, organise, acquire, implement, support, monitor, and evaluate IT services

Business Requirements

1.       Effectiveness

2.       Efficiency

3.       Confidentiality

4.       Integrity

5.       Availability

6.       Compliance

7.       Reliability

IT Processes

1.       Domains

a.       Planning and organisation

b.       Acquisition and implementation: solutions identified, acquired, developed, implemented and integrated, including change and maintenance of existing systems

c.       Delivery and support of applications and infrastructure, including processing of application data, and controls

        i.      DS1, define and manage service levels

        ii.     DS2, manage third-party services

        iii.    DS3, manage performance and capability

        iv.     DS4, ensure continuous service

        v.      DS5, ensure systems security

        vi.     DS6, identify and allocate costs

        vii.    DS7, educate and train users

        viii.   DS8, manage service desk and incidents

        ix.     DS9, manage the configuration

        x.      DS10, manage problems

        xi.     DS11, manage data

        xii.    DS12, manage the physical environment

        xiii.   DS13, manage operations

d.       Monitoring and evaluation, including control processes, quality and compliance monitoring, and external and internal audit evaluation procedures

        i.      ME1, Monitor and Evaluate IT performance

        ii.     ME2, Monitor and Evaluate Internal Controls

                1.       ME2.1 Monitoring of Internal Control Framework. Continuous monitoring of the control environment and framework using industry best practices and benchmarking

                2.       ME2.2 Supervisory Review. CobiT requires managers to monitor and report on the effectiveness of IT internal controls, including compliance with policies and standards, information security, change controls and controls in SLAs.

                3.       ME2.3 Control exceptions. All control exceptions are to be recorded and analysed for underlying cause and corrective action, communicated to the responsible individual and escalated to management.

                4.       ME2.4 Control self-assessments. Evaluate the completeness and effectiveness of the internal controls over IT processes, policies, and contracts through continuous self-assessment

                5.       ME2.5 Assurance of internal control. Further assurance of the completeness and effectiveness of internal controls through third-party reviews by the corporate compliance function, internal audit, outside consultants, or certification bodies

                6.       ME2.6 Internal control at third parties. Assess the status of each external provider’s internal controls and confirm that they comply with legal and regulatory requirements and contractual obligations

                7.       ME2.7 Remedial actions. Identify and act on control assessments and reporting, including following up on (1) review, negotiation, and establishment of management responses; (2) assignment of responsibility for remediation or risk acceptance; and (3) tracking the results of action taken

        iii.    ME3, Ensure Regulatory Compliance

        iv.     ME4, Provide IT Governance

2.       Processes, each described by the template:

a.       The control of [process name]

b.       Which satisfy [list of business requirements]

c.       By focusing on [list of important IT goals]

d.       Is achieved by [list of control statements]

e.       Is measured by [list of key metrics]

3.       Activities, with responsibility assignments (RACI):

a.       R=Responsible, who owns the problem or process

b.       A=Accountable, who must sign off on the activity before it is effective

c.       C=Consulted, who has the information and/or capability to complete the work

d.       I=Informed, who must be informed of the results but need not be consulted

 

CobiT has a section on assessing the maturity of each internal control, with reference to the Capability Maturity Model for Integration (CMMi). The model has levels for controls that can be assessed from CMMi level 1, that is, non-existent controls, through level 2, initial or ad hoc controls, to level 5, representing optimised control. There is no direct correspondence between all COSO Internal Control Components and CobiT objectives; however, Sections 404 and 302 cross-cut both.

COSO Monitoring overlaps almost entirely with CobiT monitoring, as does the Deliver and Support Control Objective with the COSO Control Activity component.

IIA and ISACA standards for Internal Auditing Professional Practice

The Institute of Internal Auditors (IIA) International Professional Standards for the Practice of Internal Auditing is a pre-Web document known as the Red Book. These guidelines have been revised several times and have become the internal audit mandatory and guidance material called the International Professional Practices Framework (IPPF).

IIA standards define the basic practice of internal auditing. Their International Standards for the Professional Practice of Internal Auditing are designed to:

·         Delineate basic principles for the practice of internal auditing

·         Provide a framework for value-added internal audit activities

·         Suggest the basis for measurement of internal audit performance

·         Improve organisation processes and operations

The IIA standard provides a guideline both for the audit committee and management to measure their internal auditors, and for internal auditors to assess themselves. The definition provided for internal auditing is:

Internal auditing is an independent, objective, assurance and consulting activity designed to add value and improve an organisation’s operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.



Figure 5. IIA International Professional Practices Framework

Attribute Standards are classified in sections as part of the 1000 series.

Performance standards are classified in the 2000 series.

Implementation standards are further designated as,

1.       (A) for assurance and coded with an “A” following the standard number, e.g. 1000.A1

2.       (C) for consulting and coded with a “C” following the standard number, e.g. 2000.C1

Internal Audit Attribute Standards

·         1000—Purpose, Authority, and Responsibility. Should be formally defined in an internal audit charter, consistent with these standards, and approved by the board of directors. Separate Implementation Standards state that internal auditing assurance and consulting services must be defined in the internal audit charter.

o   1010—Recognition of the Definition of Internal Auditing. Emphasises the importance of the IIA standards, the code of ethics, and an internal audit charter in outlining the auditor’s roles and responsibilities. Audit charters are essential in defining audit groups.

·         1100—Independence and Objectivity. Emphasises the need to disclose any impairment to internal audit independence or objectivity.

o   1110—Organisational independence. The internal audit should be free from any interference in determining the scope of internal auditing, performing work, and communicating results.

§  1110.A1—Interference

o   1111—Direct Interaction with the Board

o   1120—Individual Objectivity

o   1130—Impairment to Independence or Objectivity

§  1130.A1—Impairment due to former responsibilities

§  1130.A2—Audit of functions for which CAE is responsible

§  1130.C1—Scope of impairment for consulting

§  1130.C2—disclosure of impairment when consulting

·         1200—Proficiency and Due Professional Care

o   1210—Proficiency

§  1210.A1—CAE acquiring necessary assurance engagement competencies

§  1210.A2—Identification of fraud indicators

§  1210.A3—Information technology risk controls and tools

§  1210.C1—CAE acquiring necessary consulting engagement competencies

o   1220—Due Professional Care

§  1220.A1—Scoping for assurance engagements

§  1220.A2—Use of technology-based audit techniques

§  1220.A3—Risk identification

§  1220.C1—Scoping for consulting engagements

o   1230—Continuing Professional Development

·         1300—Quality Assurance and Improvement Program

o   1310—Requirements for Quality Assurance and Improvement Program

o   1311—Internal Assessment

o   1312—External Assessment

o   1320—Reporting on the Quality Assurance and Improvement Program

o   1321—Use of conformance with IIA Standards

o   1322—Disclosure of Non-conformance

·         2000—Managing the Internal Audit Activity

o   2010—Planning

§  2010.A1—Annual risk assessment

·         2100—Nature of work

o   2120—Risk Management

ISACA IT Audit Standards Summary

ISACA standards contain the basic, mandatory principles and essential procedures together with related guidance. The IT auditor should evaluate and monitor IT controls that are integral to the internal control environment. The auditor should assist management by providing advice regarding the design, implementation, operation, and improvement of IT controls.


·         S1 Audit Charter

·         S2 Independence

·         S3 Professional Ethics and Standards

·         S4 Competence

·         S5 Planning

·         S6 Performance of Audit Work

·         S7 Reporting

·         S8 Follow-up activities

·         S9 Irregularities and Illegal Acts

·         S10 IT Governance

·         S11 Use of Risk Assessment in Audit Planning

·         S12 Audit Materiality

·         S13 Using the Work of Other Experts

·         S14 Audit Evidence

·         S15 IT Controls

·         S16 E-commerce

 

ISACA IT Audit Standards, S15, IT Controls

Management is accountable for the internal control environment including IT controls. The control environment provides discipline, framework, and structure.

CobiT defines control as “the policies, procedures, practices and organisational structure, designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected.”

Controls are classified as general (including pervasive IT controls), detailed, and application controls. General IT controls minimise risk to the overall functioning of the organisation’s IT systems and infrastructure, and to automated solutions (applications). Application controls are embedded in applications. Pervasive controls are general controls designed to manage and monitor the environment; they are a subset of general IT controls, focusing on the management and monitoring of IT. Detailed IT controls are application controls together with general controls that are not pervasive.

IT auditors should use appropriate risk assessment techniques or approaches in developing the IT audit plan, and in determining priorities for the effective allocation of IT audit resources to provide assurance regarding the state of IT control processes. Control processes are policies, procedures and activities that are part of a control environment, designed to ensure that risks are contained within the risk tolerances established by the risk management process.

The IS auditor should consider the use of data analysis techniques including continuous assurance, allowing IT auditors to monitor system reliability on a continuous basis and to gather selective evidence through the computer when reviewing IT controls.
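The CAATT work described under "Characteristic tasks" and the data analysis and continuous assurance approach described just above come together in scripts that run control tests over system records and record each failure as a control exception (the ME2.3 pattern). The following is an added example, not code from ISACA, CobiT or this page's author: a small computer-assisted audit script that tests a separation-of-duties control on change tickets and a terminated-user access control on account records. All records, user names, and the control identifiers (SOD-CHG-APPROVE, SOD-CHG-DEPLOY, ACCESS-TERMINATED) are constructed for illustration.

```python
"""Added example: a small computer-assisted audit technique (CAAT) script.

It tests two controls against a constructed sample population:
  * separation of duties on change tickets (requester != approver,
    developer != deployer)
  * terminated users whose accounts are still active
Every failure is captured as a ControlException so it can be recorded,
analysed and escalated (the CobiT ME2.3 "control exceptions" pattern).
All data and control identifiers below are constructed, not real.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass
class ChangeTicket:
    ticket_id: str
    requested_by: str
    approved_by: str
    developed_by: str
    deployed_by: str


@dataclass
class UserAccount:
    user: str
    active: bool
    termination_date: Optional[date]  # None means still employed


@dataclass
class ControlException:
    control: str      # constructed control identifier
    record_id: str    # the ticket or account the finding relates to
    finding: str      # plain-language description for the exception log


# Constructed sample population (hypothetical names and tickets)
CHANGE_TICKETS = [
    ChangeTicket("CHG-1001", "alice", "bob", "carol", "dave"),
    ChangeTicket("CHG-1002", "erin", "erin", "frank", "grace"),   # self-approved
    ChangeTicket("CHG-1003", "heidi", "ivan", "judy", "judy"),    # self-deployed
]
USER_ACCOUNTS = [
    UserAccount("alice", True, None),
    UserAccount("mallory", True, date(2013, 5, 31)),   # left, account still active
    UserAccount("oscar", False, date(2013, 2, 28)),    # left, account disabled
]
AS_OF = date(2013, 6, 30)  # constructed audit period end


def check_separation_of_duties(tickets: List[ChangeTicket]) -> List[ControlException]:
    """Flag tickets where one person holds two roles that should be separated."""
    exceptions = []
    for t in tickets:
        if t.requested_by == t.approved_by:
            exceptions.append(ControlException(
                "SOD-CHG-APPROVE", t.ticket_id,
                f"{t.requested_by} both requested and approved the change"))
        if t.developed_by == t.deployed_by:
            exceptions.append(ControlException(
                "SOD-CHG-DEPLOY", t.ticket_id,
                f"{t.developed_by} both developed and deployed the change"))
    return exceptions


def check_terminated_access(accounts: List[UserAccount], as_of: date) -> List[ControlException]:
    """Flag accounts that remain active on or after the user's termination date."""
    return [
        ControlException("ACCESS-TERMINATED", a.user,
                         f"account active after termination on {a.termination_date}")
        for a in accounts
        if a.active and a.termination_date is not None and a.termination_date <= as_of
    ]


def run_audit(tickets: List[ChangeTicket], accounts: List[UserAccount],
              as_of: date) -> List[ControlException]:
    """Run every control test and return the combined exception list."""
    return check_separation_of_duties(tickets) + check_terminated_access(accounts, as_of)


def exception_report(exceptions: List[ControlException]) -> str:
    """Render the exception log as one line per finding."""
    return "\n".join(f"{e.control:18} {e.record_id:10} {e.finding}" for e in exceptions)


if __name__ == "__main__":
    print(exception_report(run_audit(CHANGE_TICKETS, USER_ACCOUNTS, AS_OF)))
```

Run as a script it prints three exceptions: CHG-1002 (self-approved), CHG-1003 (developer deployed own change) and mallory (active account after termination). The point of structuring each finding as a record rather than a printed line is that the same output feeds the ME2.3 steps the page lists: recording, root-cause analysis, communication to the responsible individual, and escalation.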

Where third parties are involved, they form part of the organisation’s controls and its achievement of the related control objectives. The IT auditor should evaluate the role that the third party performs in relation to the IT environment, the related controls, and the IT control objectives.

ISACA and IT Governance Institute (ITGI) guidance for further information:

·         Guideline G3 Use of Computer Assisted Audit Techniques (CAAT)

·         Guideline G11 Effect of Pervasive IS Controls

·         Guideline G13 Using Risk Assessment in Audit Planning

·         Guideline G15 Planning

·         Guideline G16 Effect of Third Parties on an Organization’s IT Controls

·         Guideline G20 Reporting

·         Guideline G36 Biometric Controls

·         Guideline G38 Access Controls

·         CobiT Framework and Control Objectives

Risk Management through COSO ERM

 

Common Internal Control Frameworks[4]

·         Committee of Sponsoring Organisations of the Treadway Commission’s (COSO) Internal Control—Integrated Framework. Categorises entity-level objectives into

1.       operations,

2.       financial,

3.       reporting, and

4.       compliance

Fundamental concepts

1.       control environment

2.       risk assessment

3.       control activities

4.       information and communication

5.       monitoring

Principles (representative)

1.       integrity and ethical values

2.       authorities and responsibilities

3.       policies and procedures

4.       reporting deficiencies

·         Canadian Institute of Chartered Accountants’ (CICA) Criteria of Control Framework (CoCo)

Twenty criteria in four areas,

1.       Purpose (direction)

2.       Commitment (identity and values)

3.       Capability (competence)

4.       Monitoring and learning (evolution)

·         Basel Committee on Banking Supervision’s Framework for Internal Control Systems

·         Control Objectives for Information and Related Technology (CobiT)

1.       Planning and organisation

2.       Acquisition and implementation

3.       Delivery and support

4.       Monitoring and evaluation

Utilisation of IT resources:

1.       Applications

2.       Information

3.       Infrastructure

4.       People

Manage IT domains, processes, activities to respond to business requirements

1.       Compliance

2.       Effectiveness

3.       Efficiency

4.       Confidentiality

5.       Integrity

6.       Availability

7.       Reliability

For compliance with,

1.       Laws

2.       Regulations

3.       Control arrangements

·         International Organisation for Standardisation (ISO)

1.       ISO 14000, environment management systems

2.       ISO 27000, information security management systems

Cobit 5 checklist[5]

Goals


Figure 6. CobiT goals cascade

Principles

·         Principle 1 Meeting Stakeholder needs

·         Principle 2 End-to-end organisation coverage

·         Principle 3 Applying a single integrated framework

·         Principle 4 Holistic approach

·         Principle 5 Separating governance from management


Figure 7. CobiT Areas and Processes

Enterprise (organisation) enablers


Figure 8. Seven organisation enablers

Resources

5. Information attributes,

a.       Physical (carrier, media)

b.       Empirical (user interface)

c.       Syntactic (language, format)

d.       Semantic (meaning)

e.       Type, currency

f.        Pragmatic (use), including retention, status, contingency, novelty

g.       Social (context)

6. Services, infrastructure and applications

a.       Reuse, buy-vs-build, agility, simplicity, openness

b.       Definition of architecture principles

c.       Architecture viewpoints

d.       Service levels

7. People, skills and competencies

a.       Role skill

b.       Requirements

c.       Skill level

d.       Skill categories

e.       Skill definition

Process Capability Model

The Capability Model now follows ISO/IEC 15504 (SPICE).

·         Level 0. Incomplete. The process is not implemented or fails to achieve its purpose.

·         Level 1. Performed (Informal). The process is implemented and achieves its purpose.

·         Level 2. Managed (Planned and monitored). The process is managed; results are specified, controlled and maintained.

·         Level 3. Established (Well defined). A standard process is defined and pervasive.

·         Level 4. Predictable (Quantitatively managed). The process is executed consistently within defined limits.

·         Level 5. Optimising (Continuous improvement). The process is continuously improved to meet relevant current and projected business goals.

Process attributes


Figure 9. CobiT 5 Process Capability Model

Nine Process Attributes are defined:

1.1 Process Performance

2.1 Performance Management

2.2 Work Product Management

3.1 Process Definition

3.2 Process Deployment

4.1 Process Measurement

4.2 Process Control

5.1 Process Innovation

5.2 Process Optimisation

Each Process Attribute is assessed on a four-point scale (N-P-L-F)

a.       Not achieved (0—15%)

b.       Partially achieved (>15%—50%)

c.       Largely achieved (>50%—85%)

d.       Fully achieved (>85%—100%)
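As an added example (not from the cheat sheet or from ISACA), the code below turns per-attribute achievement percentages into the N-P-L-F ratings above and then derives the process capability level. It assumes the ISO/IEC 15504-2 rating rule, which the page does not state: a process reaches level n when every attribute of level n is rated L or F and every attribute of the levels below n is rated F. The attribute scores are constructed sample data.

```python
"""Derive a COBIT 5 / ISO/IEC 15504 process capability level from
per-attribute achievement percentages (added example, not page code).

N-P-L-F thresholds are those given on the page. The level rule is the
ISO/IEC 15504-2 rating rule as assumed here: level n is attained when all
level-n attributes are L or F and all lower-level attributes are F.
"""

# The nine process attributes, grouped by capability level (from the page).
ATTRIBUTES_BY_LEVEL = {
    1: ["1.1 Process Performance"],
    2: ["2.1 Performance Management", "2.2 Work Product Management"],
    3: ["3.1 Process Definition", "3.2 Process Deployment"],
    4: ["4.1 Process Measurement", "4.2 Process Control"],
    5: ["5.1 Process Innovation", "5.2 Process Optimisation"],
}


def rate(percent: float) -> str:
    """Map an achievement percentage to the four-point N-P-L-F scale."""
    if not 0 <= percent <= 100:
        raise ValueError(f"achievement must be 0-100, got {percent}")
    if percent <= 15:
        return "N"   # Not achieved (0-15%)
    if percent <= 50:
        return "P"   # Partially achieved (>15-50%)
    if percent <= 85:
        return "L"   # Largely achieved (>50-85%)
    return "F"       # Fully achieved (>85-100%)


def capability_level(scores: dict) -> int:
    """Return the highest capability level (0-5) the scores support.

    `scores` maps attribute name -> achievement percent. An attribute that
    was not assessed is treated as Not achieved, so it blocks that level.
    """
    level = 0
    for n in sorted(ATTRIBUTES_BY_LEVEL):
        ratings = [rate(scores.get(a, 0)) for a in ATTRIBUTES_BY_LEVEL[n]]
        if not all(r in ("L", "F") for r in ratings):
            break                      # level n not attained; stop here
        level = n
        if not all(r == "F" for r in ratings):
            break                      # level n attained, but cannot go higher
    return level


# Constructed sample assessment of one process: levels 1-2 fully achieved,
# level 3 only largely achieved, level 4 partially, level 5 not assessed.
SAMPLE_SCORES = {
    "1.1 Process Performance": 95,
    "2.1 Performance Management": 90,
    "2.2 Work Product Management": 88,
    "3.1 Process Definition": 70,
    "3.2 Process Deployment": 60,
    "4.1 Process Measurement": 40,
}

if __name__ == "__main__":
    print("capability level:", capability_level(SAMPLE_SCORES))  # 3
```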

CobiT 5

CobiT 5 processes are meant to be used together, as they are interdependent.[6]

Suggested approaches and techniques:

·         Build once, comply many approach to controls. This is achieved in practice by basing strategic governance and management processes on CobiT 5, with specific management processes drawn from ISO 27001 (Information Security Management), ISO 20000 (IT Service Management) and the Information Technology Infrastructure Library (ITIL). Adding the AICPA/CICA Generally Accepted Privacy Principles (GAPP) provides a full complement of governance, IT security, IT operations management and privacy controls within an integrated holistic approach.

·         Holistic approach to cost modelling for IT technology

·         Taxonomy for security goals and guidelines

·         Emerging trends for enterprise IT and considerations of controls

·         Governance, Risk management and Compliance (GRC) approach to defining and demonstrating standards for agile and adaptable IT.


CobiT enabling processes in the Align, Plan, Organise domain

Shared IT goals,

a.       The enablement and support of business processes by integrated applications and technology impacts the business portfolio of products and services

b.       Security of information, processing infrastructure, and applications together with IT compliance to internal policies impacts the safeguarding of assets, compliance (external and internal), business service continuity, and availability.

c.       Optimisation of IT assets, resources, capabilities, together with program delivery, on time and budget, while meeting requirements and quality standards impacts stakeholder value.

d.       The availability of reliable information impacts decision making.

ISO/IEC 38500 Corporate Governance of Information Technology

For Vendor relations,

·         Principle 1: Responsibility. It is essential that a clear definition of roles and responsibilities is identified, to ensure mutual understanding

·         Principle 2: Strategy. Organisation business strategy should take into consideration IT’s current and future capabilities. Existing capability is measured against a baseline of capability, process, and control. Outsourcing decisions may be made based on their capacity to add transformative value. However, the anticipated value must be described and measured post-migration or implementation. Common pitfalls include:

o   Terms in provider-dictated, non-negotiable service agreements may leave the status of residual data following termination of service unresolved

o   Where a provider commits to secure provision, insecurities may arise at the point of entry of end-user devices or connected systems.

o   Outsourcing entities retain accountability for the location and security of data. This may be difficult to monitor. Nested service provision may alleviate single point of failure concerns and provide greater independence, but adds complexity.

o   The burden of compliance remains with the outsourcing organisation, involving strong process definitions. By working with the provider, it is possible to increase visibility of the health of the computing environment, and to clarify roles, responsibilities and procedures, to allow rapid response to anomalous activity.

·         Principle 3: Acquisition. Procurement must be based on needs and documented with sufficient analysis. The balance of opportunity, benefit, cost, and risk must be judiciously evaluated.

·         Principle 4: Performance. Levels of service, quality of service, and end-user experience should instil confidence in IT operations.

·         Principle 5: Conformance.

·         Principle 6: Human behaviour. Policies, practice and decisions should respect people in the process.

ISO/IEC 38500 defines evaluation as, “examining and making judgement on the current and future use of IT, including strategies, proposals and supply arrangements, [internal, external and together].”

Monitoring drivers are based on control objectives,

·         Providing a transparent view of IT’s performance based on reliable information

·         Identifying opportunities for improvement

·         Facilitating achievement of business and compliance objectives

·         Cost-effectiveness

·         Well-informed IT investment decisions, tracking and value delivery

·         Consistent use and integrity of performance indicators

Security

Security is difficult to measure, as the probabilities of the events that good controls prevent, or of catastrophic events, are difficult or impossible to quantify. This leaves a few risk assessment methods, such as:

·         Asset classification according to sensitivity

·         Detailed asset inventory

·         Vulnerability and threat analysis for each device, and an estimation of impact

Practically, an organisation should attempt to implement the above ideal, described as the baseline approach of information security.

Security assessment, risk evaluation and the use of such information to inform management decisions implicitly instil a sense of certainty and finality in remediation plans and security architectures. In addition, risk should be benchmarked by reference to anecdotal information from elsewhere.

Risks from new technology adoption

·         Where people are involved as a line of defence, assume inadequacy and build in secondary controls

·         Technology vendors are selective in their communications. What goes unsaid is the real threat.

·         Interdependencies add to complexity and break systems, when the whole ceases to work as advertised

·         Trust, but verify

·         Make no assumptions

·         Build security in, not on

·         Build controls into systems in anticipation of emerging technology opportunities.

·         There is a difference between IT, processes and testing being sufficiently secure and their being adequately secure

Confidentiality, Integrity and Availability extension

The IT control triad of Confidentiality, Integrity and Availability should be extended to include possession (ownership), authenticity, and utility.

Ownership describes who or what is or will be in control of information systems elements. For example, knowledge of certain Intellectual Property is retained indefinitely. Authentication involves verifiability. For example, identity may be established by a password (weak control), digital certificate (stronger control) or biometric challenge (stronger still). The castle moat model of information security is archaic. Utility refers to the usefulness of available information. For example, archived records may be in formats that make them unreadable.

Baseline controls must be implemented on a pervasive basis for higher functions of information security to be meaningful and reliable. It is counter-productive to install IDS/IPS without ensuring physical security, asset inventory and platform hardening.

ISO/IEC 27001:2013 serves as a CobiT 5 consistent baseline. In practice, compliance for a company starting from scratch takes two or three years. The shortcoming of relying on suppliers’ ISO 27001 certification is that part of the process relies on establishing scope, so the adequacy of the scope must be verified.

Hard problems in InfoSec[7]

1.       Scalable trustworthy systems

a.       System integrity, system availability, survivability, data confidentiality, guaranteed real-time performance, accountability, attribution, usability.

2.       Enterprise-level metrics (ELM), to answer

a.       How secure is my organisation?

b.       Has our security posture improved over the last year?

c.       To what degree has security improved in response to changing threats and technology?

d.       How do we compare with our peers on security?

e.       How secure is this developed or purchased product or software?

f.        How does the product or software fit into the existing systems and networks?

g.       What is the marginal change in security? (better or worse, given a new tool or practice)

h.       How should we invest resources to maximise security and minimise risk?

i.         What combination of requirement specification, up-front architecture, formal modelling, detailed analysis, tool building, code review, programmer training, etc. would be the most effective in a given situation?

j.         How much security is enough, given threats?

k.       How robust are our systems against cyber threats, misconfiguration, environmental effects?


3.       System evaluation Life Cycle

4.       Combatting Insider Threats

5.       Combatting Malware and botnets

6.       Global-scale Identity Management

7.       Survivability of Time-Critical Systems

8.       Situational Understanding and Attack Attribution

9.       Provenance

10.   Privacy-aware security

11.   Usable Security



MCX scope statement for certification, and context.

1.       Information and systems are available to authorised users, for business needs, and used effectively

2.       The CIA of all assets is protected adequately and appropriately

3.       Formal risk management is established

4.       All stakeholders are aware of their responsibilities

5.       Security incidents are detected, investigated and resolved

6.       Business Continuity and Disaster Recovery plans are established and implemented

7.       Relevant regulatory and statutory requirements regarding collection, storage, processing, transmission, and disclosure are complied with

Vision

1.       Level playing field for all stakeholders from primary producer to end-consumer

2.       Correct historical aberrations in the system

3.       Leverage technology for efficiency to lead to a common world market

4.       MCX as the Exchange of choice

Mission

1.       Enhance awareness and understanding of exchange-enabled trade in derivatives

2.       Minimise price volatility

3.       Provide neutral, secure and transparent trade mechanisms

4.       Formulate quality parameters and trade regulations in consultation with regulators

5.       Zero tolerance policy to unethical trade practices, attempted or real

6.       All-round development of commodity ecosystem

Products and services

1.       Online trading platform for futures trading

2.       Manage risk from trading

3.       Performing surveillance activities over trading on the exchange platform

4.       Provide Clearing and Settlement to Members

5.       Facilitate physical delivery of commodities from trades

Key commodity products

1.       Bullion

2.       Metal

3.       Energy

4.       Agri-commodities


Information security requirement

1.       Technology solutions and infrastructure to automate various business processes

2.       Defining, achieving, maintaining, improving information security

3.       Warding off threats from computer-assisted fraud, espionage, sabotage, fire or flood, malicious code, computer hacking, denial of service



[1] Robert R Moeller. IT Audit, Control and Security. Second edition. Wiley Corporate F&A. John Wiley & Sons, 2010.

[2] http://en.wikipedia.org/wiki/COBIT. Last accessed 28 December 2015

[3] Ibid

[5] http://www.minimarisk.com/wp-content/uploads/2015/09/Minimarisk_Cobit5_Cheatsheet_v1_0.pdf

[6] Karen F Worstell. Governance and Internal Controls for Cutting Edge IT. IT Governance Publishing, 2013

[7] Benjamin J Colfer. Defense, Security and Strategies Computer Science, Technology and Applications: The Science of Cybersecurity and a Roadmap to Research. Nova, 2011.
