Policy Development
& The 4 COBIT
Domain Processes
Policy Development based on COBIT
Implementation
Craig R. Gray, Director of IS&T
cgray@leeuniversity.edu
Agenda
• Policy Development: Basis & Application
• The Mechanics of Control
• COBIT-What?
• COBIT-4 Domains
• High Level Control Examples?
gray_audit_presentation.ppt
Traditional Tools of the Trade
Policy Development Flow
The control of IT Processes, which satisfy Business Requirements, is enabled by Control Statements and considers Control Practices.
Control Cycle
Stages of the cycle, shown around a central Focus: Identify Key Controls, Standards, Measurement System, Measure, Control, Adjust as Necessary.
What is COBIT?
• COBIT (Control Objectives for Information and Related Technology) is globally accepted as being the most comprehensive work for IT governance, organization, as well as IT process and risk management.
• COBIT provides good practices for the management of IT processes in a manageable and logical structure, meeting the multiple needs of enterprise management by bridging the gaps between business risks, technical issues, control needs and performance measurement requirements.
• The COBIT mission is to research, develop, publicize and promote an authoritative, up-to-date, international set of generally accepted information technology control objectives for day-to-day use by business managers and auditors.
• Starts from the premise that IT needs to deliver the information that the enterprise needs to achieve its objectives.
• Promotes process focus and process ownership.
• Divides IT into 34 processes belonging to four domains and provides a high level control objective for each.
• Looks at fiduciary, quality and security needs of enterprises, providing seven information criteria that can be used to generically define what the business requires from IT.
• Is supported by a set of 318 detailed control objectives.
The seven information criteria: Effectiveness, Efficiency, Availability, Integrity, Confidentiality, Reliability, Compliance.
The four domains: Planning, Acquiring & Implementing, Delivery & Support, Monitoring.
EFFECTIVENESS
Deals with information being relevant and pertinent to the business process as well as being delivered in a timely, correct, consistent and usable manner.
EFFICIENCY
Concerns the provision of the information through the optimal use of resources.
CONFIDENTIALITY
Concerns the protection of sensitive information from unauthorized disclosure.
INTEGRITY
Relates to the accuracy and completeness of information as well as to its validity in accordance with business values and expectations.
AVAILABILITY
Relates to the information being available when required by the business process now and in the future.
COMPLIANCE
Deals with complying with laws, regulations and contractual arrangements.
RELIABILITY OF INFORMATION
Relates to the provision of appropriate information for the workforce of the organization.
Information Risk Criteria
EVENTS
• Business Operations
• Business Opportunities
• External Requirements
• Regulations
Events can be defined in terms of the processes, technology (systems) and organization (people) that compose them.
Diagram elements: PROCESS, TECHNOLOGY, ORGANIZATION, DATA; flow labels MESSAGE, INPUT, SERVICE, OUTPUT.
RISK CRITERIA
Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability.
The 4 COBIT Domains
• Planning & Organization
• Acquisition & Implementation
• Delivery & Support
• Monitoring
Planning and Organization
• This domain covers strategy and tactics, and concerns the identification of the way IT can best contribute to the achievement of the business objectives.
• Furthermore, the realization of the strategic vision needs to be planned, communicated and managed for different perspectives.
• Finally, a proper organization as well as technological infrastructure must be put in place.
Acquisition and Implementation
• To realize the IT strategy, IT solutions need to be identified, developed or acquired, as well as implemented and integrated into the business process.
• In addition, changes in and maintenance of existing systems are covered by this domain to make sure that the life cycle is continued for these systems.
Delivery and Support
• This domain is concerned with the actual delivery of required services, which range from traditional operations over security and continuity aspects to training.
• In order to deliver services, the necessary support processes must be set up.
• This domain includes the actual processing of data by application systems, often classified under application controls.
Monitoring
• All IT processes need to be regularly assessed over time for their quality and compliance with control requirements.
• This domain thus addresses management's oversight of the organization's control process and independent assurance provided by internal and external audit or obtained from alternative sources.
COBIT Components
Executive Summary: There is a method…
Framework: The method is…
Control Objectives: Minimum controls are…
Audit Guidelines: Here is how you audit…
Implementation Toolset: Here is how you implement…
Management Guidelines: Here is how you measure…
COBIT History
• Technical Standards
  • ISO, EDIFACT
• Codes of Conduct
  • Council of Europe, ISACA, OECD
• Qualification Criteria for IT Systems and Processes
  • ITSEC, TCSEC, ISO 9000, SPICE, TICKIT, Common Criteria
• Professional Standards
  • COSO, IFAC, AICPA, CICA, ISACA, IIA, PCIE, GAO
• Industry Practices and Requirements
  • Industry forums (ESF, 14), Government-sponsored platforms (IBAG, NIST, DTI, BS7799)
Thanks!
Questions?
cgray@leeuniversity.edu

  • 17. COBIT History  Technical Standards  ISO, EDIFACT  Codes of Conduct  Council of Europe, ISACA, OECD  Qualification Criteria for IT Systems and Processes  ITSEC, TCSEC, ISO 9000, SPICE, TICKIT, Common Criteria  Professional Standards  COSO, IFAC, AICPA, CICA, ISACA, IIA, PCIE, GAO  Industry Practices and Requirements  Industry forums (ESF, 14), Government-sponsored platforms (IBAG, NIST, DTI, BS7799)