Post on 03-Nov-2014
Copyright 2013. Sam Lodhi & I.B.R.S. plc. All Rights Reserved
Author: Sam Lodhi
XXX ORG
Information Technology
Control Framework
Figure 1: Sarbanes-Oxley: Internal Control Components Source: IT Control Objectives for Sarbanes Oxley, ISACA
Though not a financial institution, we can leverage the lessons learnt in banking and finance to increase controls within IT.
• Control Environment
• Risk Assessment
• Control Activities
• Information & Communication
• Monitoring
[Chart: current control maturity per internal control component (Control Environment, Risk Assessment*, Control Activities*, Information & Communication*, Monitoring*). Vertical axis: Increase in Control Maturity. Legend, Risk Level: Very High, High, Medium, Low, Very Low.]
* Not tested but maturity inferred
Control maturity scale (Weakness Value | Maturity Level | Description):

5  | Non-existent / Ad-hoc | Non-existent, or some control exists but it is informal and ad-hoc
4  | Repeatable            | Some control is implemented and is repeatedly used
3  | Defined               | Some control is implemented; it is repeatedly used; plans are formally in place to achieve full compliance; policy change or exception request
2  | Measurable            | This control is fully implemented and can be substantiated; compliance has not been reviewed within the last 2 years
1  | Verified Effective    | This control is fully compliant and has been independently reviewed within the last 2 years
NA | Not Applicable        | This control is not applicable
• IT strategic planning.
• IT organization and relationships.
• Communication of management aims and direction.
• Management of human resources.
• Management of quality.
• Define and manage service levels.
• Manage third-party services.
• Educate and train users.
• Independent assurance.
▀ Company level ▀ Activity Level
• IT strategic planning.
• Assessment of risk.
• Manage third-party services.
• Manage facilities.
▀ Company level ▀ Activity Level
• Information architecture.
• Management of quality.
• Acquire and develop application software.
• Acquire technology infrastructure.
• Develop and maintain policies and procedures.
• Install and test application software and technology infrastructure.
• Manage change.
• Define and manage service levels.
• Manage third-party services.
• Manage performance and capacity.
• Ensure system security.
• Manage configuration.
• Manage problems and incidents.
• Manage data.
• Manage operations.
▀ Company level ▀ Activity Level
• IT strategic planning.
• Information architecture.
• IT organization and relationships.
• Communication of management aims and direction.
• Management of human resources.
• Compliance with external requirements.
• Management of quality.
• Develop and maintain policies and procedures.
• Ensure systems security.
• Manage configuration.
• Manage problems and incidents.
• Manage data.
• Manage operations.
• Monitoring.
▀ Company level ▀ Activity Level
• IT strategic planning.
• Communication of management aims & direction.
• Compliance with external requirements.
• Management of quality.
• Manage change.
• Define & manage service levels.
• Manage third-party services.
• Manage performance and capacity.
• Ensure systems security.
• Manage problems and incidents.
• Monitoring.
• Adequacy of internal controls.
• Independent assurance.
• Internal audit.
▀ Company level ▀ Activity Level
[Chart: target control maturity per internal control component (Control Environment, Risk Assessment, Control Activities, Information & Communication, Monitoring). Vertical axis: Increase in Control Maturity. Legend, Risk Level: Very High, High, Medium, Low, Very Low.]
Actions per internal control component:
• Control Environment: gap analysis, control mitigation.
• Risk Assessment: gap analysis, control mitigation.
• Control Activities: gap analysis, control mitigation.
• Information & Communication: gap analysis, control mitigation.
• Monitoring: gap analysis, control mitigation.
Implementing any major IT security control activities will be ineffective due to the lack of system and control integrity. (Further details in forthcoming report.)
▀ Company level – Actions at the company level require fundamental changes within the business and therefore must be approved by executive management and pushed downwards.
▀ Activity level – Actions which can be implemented locally but may require departmental changes.
For advice & a consultation visit:
http://www.ibrs.com
For more information about the Author: Sam Lodhi