Use of COBIT as a Risk Management & Audit Framework for Access Compliance
Transcript of Use of COBIT as a Risk Management & Audit Framework for Access Compliance
2004 San Francisco ISACA Fall Conference, Session S23

Use of COBIT as a Risk Management & Audit Framework for Access Compliance

Presented on October 5, 2004 by Lance M. Turcato, CISM, CISA, CPA
October 5, 2004 - 2004 San Francisco ISACA Fall Conference - Slide 2

Speaker

Lance M. Turcato, CISM, CISA, CPA
Managing Director - Access Assessment & Policy Compliance
Information Security Administration
Charles Schwab & Co., Inc.
Email: lance.turcato@schwab.com
Phone: 602-977-4376
Slide 3: Guest Speaker

Marta O'Shea, CISA
Senior Manager - Technology Infrastructure & Security Oversight
Internal Audit Department
Charles Schwab & Co., Inc.
Email: marta.oshea@schwab.com
Phone: 415-636-7348
Slide 4: Audience Poll

COBIT Knowledge
- First exposure?
- General understanding?
- Strong knowledge of COBIT framework?

Current Users of COBIT
- Incorporated into audit process?
- Adopted by IT management?
- Users of a framework other than COBIT?
Slide 5: Agenda

Page - Topic

Overview of COBIT Framework
- 6 - COBIT Mission, Objectives, Scope, & Components
- 7 - COBIT Role In IT Governance
- 8 - COBIT Family
- 9 - Framework
- 17 - Control Objectives
- 26 - Audit Guidelines
- 30 - Management Guidelines

COBIT As An Audit Framework
- 40 - Process for Implementing COBIT
- 47 - Audit Approach Overview

COBIT As A Risk Framework For Information Security
- 60 - Defining Security Requirements
- 63 - Measuring Security & Assessing Risk
- 70 - Available Tools

Source of Information: IT Governance Institute (http://www.itgi.org/)
Slide 7: COBIT's Mission, Scope & Objectives

Mission: "To research, develop, publicize and promote an authoritative, up-to-date, international set of generally accepted Information Technology Control Objectives for day-to-day use by business managers and auditors."

- Generally applicable and accepted international standard for good practice for Information Technology controls
- For application to enterprise-wide information systems, regardless of technology employed (generic)
- Focused on business requirements for information

Scope & Objectives:
- Management - business process owner-oriented
- Based on IT Governance Institute Control Objectives
  - aligned with the de jure and de facto standards and regulations
  - based on critical review of tasks and activities or function
Slide 8: COBIT's Role In IT Governance

(Diagram: IT Governance Framework. IT Management sets measurable goals; compare results against goals; deliver; apply consistent control framework; Internal Audit; address gaps; measure performance.)
Slide 9: COBIT Family - 3rd Edition

(Diagram of the COBIT family components, captioned:)
- "There is a Method..."
- "The Method Is..."
- "Minimum Controls Are..."
- "Here's How You Audit..."
- "Here's How You Measure Your Performance..."
- "Here's How You Implement..."
Slide 10: COBIT - Pieces of The Puzzle

Executive Summary, Framework, Control Objectives, Audit Guidelines, Management Guidelines, Implementation Tool Set

- Executive Summary - Senior Executives (CEO, CIO). Provides awareness on key concepts for Senior Management.
- Framework - Senior Operational Management (Directors of IT and IS Audit / Controls). Describes 34 high-level objectives.
- Control Objectives - Middle Management (Mid-Level IT Management and IS Audit/Controls Managers / Seniors). Statements of desired results by implementing 318 specific control objectives.
- Audit Guidelines - Line Management and Controls Practitioner (Applications or Operations Manager and Auditor). Suggested audit procedures.
- Management Guidelines - Senior Operational Management, Director of IS, Mid-Level IT Management and IT Audit / Control Managers. Critical Success Factors, Key Performance Indicators, Key Goal Indicators, Maturity Model.
- Implementation Tool Set - Director of IS and Audit/Control, Mid-Level IS Management and IS Audit/Control Managers. Suggested implementation tools and implementation success stories.
Slide 11: Framework - COBIT As An IT Control Framework

- Starts from the premise that IT needs to deliver the information that the enterprise needs to achieve its objectives
- Promotes process focus and process ownership
- Divides IT into 34 processes belonging to four domains (providing a high level control objective for each process)
- Looks at fiduciary, quality and security needs of enterprises, providing seven information criteria that can be used to generically define what the business requires from IT
- Is supported by a set of over 300 detailed control objectives

IT Domains: Planning; Acquiring & Implementing; Delivery & Support; Monitoring

Information Criteria: Effectiveness; Efficiency; Availability; Integrity; Confidentiality; Reliability; Compliance
Slide 12: Framework - COBIT Framework Components

- IT Domains & Processes
- Information Criteria = Business Requirements
- IT Resources

(Diagram: Information Criteria (Quality, Fiduciary, Security) as Business Requirements; IT Processes (Domains, Processes, Activities); IT Resources (People, Application Systems, Data, Technology, Facilities).)
Slide 13: Framework - COBIT Domains of Processes & Activities

- Domains: Natural grouping of processes, often matching an organizational domain of responsibility.
- Processes: A series of joined activities with natural (control) breaks.
- Activities: Actions needed to achieve a measurable result. Activities have a life-cycle whereas tasks are discrete.

(Diagram: Business Requirements, IT Processes, IT Resources.)
Slide 14: Framework - Business Requirements

Business Requirements = Information Criteria

Quality Requirements
- Quality
- Cost
- Delivery

Fiduciary Requirements (COSO Report)
- Effectiveness and Efficiency of Operations
- Reliability of Financial Reporting
- Compliance with Laws and Regulations

Security Requirements
- Confidentiality
- Integrity
- Availability
Slide 15: Framework - IT Resources

- Data: Data objects in their widest sense (i.e., external and internal, structured and non-structured, graphics, sound, etc.)
- Application Systems: understood to be the sum of manual and programmed procedures.
- Technology: covers hardware, operating systems, database management systems, networking, multimedia, etc.
- Facilities: Resources to house and support information systems.
- People: Staff skills, awareness and productivity to plan, organize, acquire, deliver, support and monitor information systems and services.
Slide 16: Framework - COBIT Framework Examples

IT Domains
- Planning & Organization
- Acquisition & Implementation
- Delivery & Support
- Monitoring

IT Processes
- IT strategy
- Change Management
- Contingency Planning
- Problem Management
- Policy & Procedures
- Feasibility Study
- Acceptance Testing
- etc...

Activities
- record new problem
- analyze
- propose solution
- monitor solution
- record known problem
- etc...
Slide 17: Framework - COBIT Framework Illustrated

COBIT's Golden Rule: "In order to provide the information that the organization needs to achieve its objectives, IT resources need to be managed by a set of naturally grouped processes." - IT Governance Institute
Slide 18: Linking The Processes To Control Objectives (34 High-level and 300+ Detailed Objectives)

COBIT's Waterfall and Navigation Aids linking Process, Resource & Criteria

(Waterfall diagram: The control of IT Processes which satisfy Business Requirements is enabled by Control Statements and considers Control Practices.)

- Process Domains: Planning & Organisation; Acquisition & Implementation; Delivery & Support; Monitoring
- Information Criteria: effectiveness, efficiency, confidentiality, integrity, availability, compliance, reliability
- IT Resources: people, applications, technology, facilities, data
Slide 19: Linking The Processes To Control Objectives (Example)

Control over the IT process of DEFINING A STRATEGIC IT PLAN
that satisfies the business requirement
to strike an optimum balance of information technology opportunities and IT business requirements as well as ensuring its further accomplishment
is enabled by
a strategic planning process undertaken at regular intervals giving rise to long-term plans; the long-term plans should periodically be translated into operational plans setting clear and concrete short-term goals
and takes into consideration:
- enterprise business strategy
- definition of how IT supports the business objectives
- inventory of technological solutions and current infrastructure
- monitoring the technology markets
- timely feasibility studies and reality checks
- existing systems assessments
- enterprise position on risk, time-to-market, quality
- need for senior management buy-in, support and critical review
Slide 20: COBIT - IT Processes / High-Level Objectives (Control Objectives)

Planning and Organization
- PO 1 Define a Strategic IT Plan
- PO 2 Define the Information Architecture
- PO 3 Determine Technological Direction
- PO 4 Define the IT Organization and Relationships
- PO 5 Manage the IT Investment
- PO 6 Communicate Management Aims and Direction
- PO 7 Manage Human Resources
- PO 8 Ensure Compliance with External Requirements
- PO 9 Assess Risks
- PO 10 Manage Projects
- PO 11 Manage Quality
Slide 21: COBIT - IT Processes / High-Level Objectives (Control Objectives)

Acquisition and Implementation
- AI 1 Identify Automated Solutions
- AI 2 Acquire and Maintain Application Software
- AI 3 Acquire and Maintain Technology Infrastructure
- AI 4 Develop and Maintain Procedures
- AI 5 Install and Accredit Systems
- AI 6 Manage Changes
Slide 22: COBIT - IT Processes / High-Level Objectives (Control Objectives)

Delivery and Support
- DS 1 Define and Manage Service Levels
- DS 2 Manage Third-Party Services
- DS 3 Manage Performance and Capacity
- DS 4 Ensure Continuous Service
- DS 5 Ensure Systems Security
- DS 6 Identify and Allocate Costs
- DS 7 Educate and Train Users
- DS 8 Assist and Advise Customers
- DS 9 Manage the Configuration
- DS 10 Manage Problems and Incidents
- DS 11 Manage Data
- DS 12 Manage Facilities
- DS 13 Manage Operations
Slide 23: COBIT - IT Processes / High-Level Objectives (Control Objectives)

Monitoring
- M 1 Monitor the Processes
- M 2 Assess Internal Control Adequacy
- M 3 Obtain Independent Assurance
- M 4 Provide for Independent Audit
Slide 24: Example Control Objectives For A Process (Control Objectives)

DOMAIN: Planning and Organization (PO)

PROCESS (High-level Control Objective): Define a Strategic IT Plan (PO 1)

DETAILED CONTROL OBJECTIVES:
- PO 1.1 IT as Part of the Organization's Long- and Short-Range Plan (expanded on the next slide)
- PO 1.2 IT Long-Range Plan
- PO 1.3 IT Long-Range Planning Approach and Structure
- PO 1.4 IT Long-Range Plan Changes
- PO 1.5 Short-Range Planning for the IT Function
- PO 1.6 Communication of IT Plans
- PO 1.7 Monitoring and Evaluating of IT Plans
- PO 1.8 Assessment of Existing Systems
Slide 25: Example Control Objectives For A Process (Control Objectives)

DEFINE A STRATEGIC INFORMATION TECHNOLOGY PLAN (PO 1)

PO 1.1 - IT as Part of the Organization's Long- and Short-Range Plan

CONTROL OBJECTIVE: Senior management is responsible for developing and implementing long- and short-range plans that fulfill the organization's mission and goals. In this respect, senior management should ensure that IT issues as well as opportunities are adequately assessed and reflected in the organization's long- and short-range plans. IT long- and short-range plans should be developed to help ensure that the use of IT is aligned with the mission and business strategies of the organization.
Slide 26: Summary of COBIT At This Point (Control Objectives)

- Framework defines a construct for reviewing IT.
- Four domains are identified.
- Within each domain there are processes -- 34 total.
- Within each process there are high-level IT control objectives defining controls that should be in place.
- For each of the 34 processes, there are from 3 to 30 detailed IT control objectives (300+ in total).
- IT control objectives are generic and applicable to all environments.
- COBIT is a systematic and logical method for defining and communicating IT control objectives.
Slide 27: COBIT Audit Guidelines - Purpose (Audit Guidelines)

COBIT provides detailed audit guidelines for each of the 34 IT processes...

- Enables the auditor to review specific IT processes against COBIT's Control Objectives to determine where controls are sufficient or advise management where processes need to be improved.
- Helps process owners answer questions - "Is what I'm doing adequate? And, if not, how do I fix it?"
Slide 28: COBIT Audit Guidelines - Objectives (Audit Guidelines)

- To provide a simple, generic, and high-level structure for auditing IT controls
  - based on generally accepted audit practices
  - aligned with the COBIT framework
  - generic for applicability to varying audit objectives and practices
  - providing clear policies and good practices for security and control of information and related technologies
  - enabling the development of specific audit programs or the enhancement of existing programs
- To enable auditors to review IT processes against COBIT's recommended detailed control objectives to provide management assurance and/or advice for improvement
- The Audit Guidelines are NOT intended as
  - a tool for creating the overall audit plan
  - a tool for providing audit training
  - a solution for audit automation (although there are lots of opportunities)
  - exhaustive or definitive... guidelines will continue to evolve
Slide 29: Management Guidelines - COBIT Management Guidelines

COBIT 3rd Edition added a Management and Governance layer, providing management with a toolbox containing...

- A maturity model to assist in benchmarking and decision-making for control over IT
- A list of critical success factors (CSF) that provides succinct non-technical best practices for each IT process
- Generic and action oriented performance measurement elements (key performance indicators [KPI] and key goal indicators [KGI] - outcome measures and performance drivers for all IT processes)

Purpose...
- IT Control profiling - what is important?
- Awareness - where is the risk?
- Benchmarking - what do others do?
Slide 30: Management Guidelines - Maturity Model

Method of scoring the maturity of IT processes...

(Diagram: maturity scale showing the current rating, Management's Target Goal, and the GAP Analysis (Current vs. Goal).)

...derived from the maturity model defined by the Software Engineering Institute for the maturity of software development.
Slide 31: Management Guidelines - Maturity Model - GENERIC

Generic Maturity Model

0 Non-Existent. Complete lack of any recognisable processes. The organisation has not even recognised that there is an issue to be addressed.

1 Initial. There is evidence that the organisation has recognised that the issues exist and need to be addressed. There are however no standardised processes but instead there are ad hoc approaches that tend to be applied on an individual or case by case basis. The overall approach to management is disorganised.

2 Repeatable. Processes have developed to the stage where similar procedures are followed by different people undertaking the same task. There is no formal training or communication of standard procedures and responsibility is left to the individual. There is a high degree of reliance on the knowledge of individuals and therefore errors are likely.

3 Defined. Procedures have been standardised and documented, and communicated through training. It is however left to the individual to follow these processes, and it is unlikely that deviations will be detected. The procedures themselves are not sophisticated but are the formalisation of existing practices.

4 Managed. It is possible to monitor and measure compliance with procedures and to take action where processes appear not to be working effectively. Processes are under constant improvement and provide good practice. Automation and tools are used in a limited or fragmented way.

5 Optimised. Processes have been refined to a level of best practice, based on the results of continuous improvement and maturity modelling with other organisations. IT is used in an integrated way to automate the workflow, providing tools to improve quality and effectiveness, making the enterprise quick to adapt.
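The scoring method on the previous slide (management's target goal, and a gap analysis of current versus goal) together with the 0-5 scale above is easy to mechanise. The following Python module is an added example, not code from the presentation, from Charles Schwab or from ISACA/ITGI. It assumes an assessment record of the form (process id, current maturity, management's target), uses the generic 0-5 scale and the PO/AI/DS/M domain prefixes from the slides, and the sample assessments in it are constructed. It rejects ratings outside 0-5, so a 1-5 regulatory composite score (which runs in the opposite direction, as a later slide notes) cannot be fed in as a maturity rating by mistake.

```python
"""Maturity gap analysis over a set of COBIT process assessments.

Added example: this is not code from the presentation, from Charles Schwab
or from ISACA/ITGI. It assumes an assessment record of (process id,
current maturity, management's target goal) and uses the generic 0-5
maturity scale and the PO/AI/DS/M domain prefixes from the slides.
"""
from dataclasses import dataclass
import re

# Generic maturity scale from the slides (0 = Non-Existent ... 5 = Optimized).
MATURITY_LEVELS = {
    0: "Non-Existent", 1: "Initial", 2: "Repeatable",
    3: "Defined", 4: "Managed", 5: "Optimized",
}

# COBIT 3rd Edition domains, in the framework's own order.
DOMAINS = {
    "PO": "Planning and Organization",
    "AI": "Acquisition and Implementation",
    "DS": "Delivery and Support",
    "M": "Monitoring",
}
DOMAIN_ORDER = list(DOMAINS)

# Accepts "DS5", "DS 5", "ds5"; rejects anything that is not a COBIT process id.
_PROCESS_ID = re.compile(r"^(PO|AI|DS|M)\s?(\d{1,2})$")


@dataclass(frozen=True)
class Assessment:
    process: str  # COBIT process id, e.g. "DS5" (Ensure Systems Security)
    current: int  # assessed maturity, 0-5
    target: int   # management's target goal, 0-5


def parse_process_id(text):
    """Normalise a process id to (domain, number), e.g. 'ds 5' -> ('DS', 5)."""
    m = _PROCESS_ID.match(text.strip().upper())
    if not m:
        raise ValueError(f"not a COBIT process id: {text!r}")
    return m.group(1), int(m.group(2))


def validate_level(level):
    """Reject ratings outside the 0-5 scale (a 1-5 regulatory composite score,
    for instance, must not be fed in as if it were a maturity rating)."""
    if isinstance(level, bool) or level not in MATURITY_LEVELS:
        raise ValueError(f"maturity level must be an integer 0-5, got {level!r}")
    return level


def gap(a):
    """Target minus current: positive = below goal, 0 = at goal, negative = above."""
    return validate_level(a.target) - validate_level(a.current)


def gap_report(assessments):
    """One row per process, largest gap first, ties in framework order."""
    rows = []
    for a in assessments:
        domain, number = parse_process_id(a.process)
        rows.append({
            "process": f"{domain}{number}",
            "domain": domain,
            "current": a.current,
            "current_label": MATURITY_LEVELS[validate_level(a.current)],
            "target": a.target,
            "gap": gap(a),
        })
    rows.sort(key=lambda r: (-r["gap"], DOMAIN_ORDER.index(r["domain"]),
                             int(r["process"][len(r["domain"]):])))
    return rows


def below_target(assessments):
    """Process ids that have not reached management's target, worst first."""
    return [r["process"] for r in gap_report(assessments) if r["gap"] > 0]


def domain_summary(assessments):
    """Per domain: process count, how many are below target, mean gap."""
    by_domain = {}
    for r in gap_report(assessments):
        by_domain.setdefault(r["domain"], []).append(r["gap"])
    return {
        d: {"processes": len(g), "below_target": sum(1 for x in g if x > 0),
            "mean_gap": sum(g) / len(g)}
        for d, g in by_domain.items()
    }


# Constructed sample assessment (not real Schwab or ISACA data).
SAMPLE_ASSESSMENTS = [
    Assessment("DS5", 2, 4),   # Ensure Systems Security
    Assessment("DS 4", 3, 3),  # Ensure Continuous Service
    Assessment("PO9", 1, 3),   # Assess Risks
    Assessment("M2", 4, 3),    # Assess Internal Control Adequacy
    Assessment("AI6", 3, 4),   # Manage Changes
]

if __name__ == "__main__":
    for r in gap_report(SAMPLE_ASSESSMENTS):
        print(f"{r['process']:<5} current {r['current']} ({r['current_label']:<12}) "
              f"target {r['target']}  gap {r['gap']:+d}")
    for d, s in domain_summary(SAMPLE_ASSESSMENTS).items():
        print(f"{DOMAINS[d]}: {s['below_target']}/{s['processes']} below target, "
              f"mean gap {s['mean_gap']:.1f}")
```

Running the module prints the gap table and the per-domain roll-up; `below_target` gives the worst-first list that would feed the "Address Gaps" step of the governance cycle on slide 8. A negative gap is kept rather than clipped to zero, since a process sitting above management's target is itself a finding (effort that may be better spent elsewhere).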
Slide 32: Management Guidelines - Maturity Model - PROCESS SPECIFIC: DS5 - Ensure System Security

Rating - Description

5 - Optimized: IT security is a joint responsibility of business and IT management and is integrated with corporate security business objectives. IT security requirements are clearly defined, optimized and included in a verified security plan. Security functions are integrated with applications at the design stage and end users are increasingly accountable for managing security. IT security reporting provides early warning of changing and emerging risk, using automated active monitoring approaches for critical systems. Incidents are promptly addressed with formalized incident response procedures supported by automated tools. Periodic security assessments evaluate the effectiveness of implementation of the security plan. Information on new threats and vulnerabilities is systematically collected and analyzed, and adequate mitigating controls are promptly communicated and implemented. Intrusion testing, root cause analysis of security incidents and pro-active identification of risk is the basis for continuous improvements. Security processes and technologies are integrated organization wide.

4 - Managed: Responsibilities for IT security are clearly assigned, managed and enforced. IT security risk and impact analysis is consistently performed. Security policies and practices are completed with specific security baselines. Security awareness briefings have become mandatory. User identification, authentication and authorization are being standardized. Security certification of staff is being established. Intrusion testing is a standard and formalized process leading to improvements. Cost/benefit analysis, supporting the implementation of security measures, is increasingly being utilized. IT security processes are co-ordinated with the overall organization security function. IT security reporting is linked to business objectives.

3 - Defined: Security awareness exists and is promoted by management. Security awareness briefings have been standardized and formalized. IT security procedures are defined and fit into a structure for security policies and procedures. Responsibilities for IT security are assigned, but not consistently enforced. An IT security plan exists, driving risk analysis and security solutions. IT security reporting is IT focused, rather than business focused. Ad hoc intrusion testing is performed.

2 - Repeatable: Responsibilities and accountabilities for IT security are assigned to an IT security co-ordinator with no management authority. Security awareness is fragmented and limited. IT security information is generated, but is not analyzed. Security solutions tend to respond reactively to IT security incidents and by adopting third-party offerings, without addressing the specific needs of the organization. Security policies are being developed, but inadequate skills and tools are still being used. IT security reporting is incomplete, misleading or not pertinent.

1 - Initial: The organization recognizes the need for IT security, but security awareness depends on the individual. IT security is addressed on a reactive basis and not measured. IT security breaches invoke "finger pointing" responses if detected, because responsibilities are unclear. Responses to IT security breaches are unpredictable.

0 - Non-Existent: The organization does not recognize the need for IT security. Responsibilities and accountabilities are not assigned for ensuring security. Measures supporting the management of IT security are not implemented. There is no IT security reporting and no response process to IT security breaches. There is a complete lack of a recognizable system security administration process.
Slide 33: Management Guidelines - Measuring Success

- Critical Success Factors: What are the most important things to do to increase the probability of success of the process?
  - Example: (DS4) Critical infrastructure components are identified and continuously monitored.
- Key Performance Indicators: Measures how well the process is performing
  - Example: (DS4) Number of outstanding continuous service issues not resolved or addressed.
- Key Goal Indicators: Measures whether an IT process achieved its business requirements
  - Examples: (DS4) No incidents causing public embarrassment. Number of critical business processes relying on IT that have adequate continuity plans.
Slide 34: Management Guidelines - CSF - Critical Success Factors

- Most important things that contribute to the IT process achieving its goal
  - Strategically
  - Technically
  - Organizationally
  - Process or Procedure
- Visible and measurable signs of success
- Control Statements and Considerations of the 'Waterfall'
- Short, focused and action oriented - Focus on obtaining, maintaining and leveraging capability and skills

(Waterfall diagram: The control of IT Processes which satisfy Business Requirements is enabled by Control Statements and considers Control Practices.)

Management oriented IT control implementation guidance that are observable - usually measurable - characteristics of the organization and processes.
Slide 35: Management Guidelines - KGI - Key Goal Indicators

Measurable indicators of the process achieving its goal.

- Describe the outcome of the process and are therefore 'lag' indicators (i.e., measurable after the fact)
- Are indicators of the success of the process, but may be expressed as well in terms of the business contribution, if that contribution is specific to that IT process
- Represent the process goal (i.e., a measure of "what" target to achieve)
- Are IT oriented, but business driven (Business Requirements from 'Waterfall')
- Are expressed in precise measurable terms, wherever possible
- Focus on those information criteria that have been identified to be of most importance for the process

(Waterfall diagram: The control of IT Processes which satisfy Business Requirements is enabled by Control Statements and considers Control Practices.)
Slide 36: Management Guidelines - KPI - Key Performance Indicators

- Are a measure of "how well" the process is performing
- Predict the probability of success or failure in the future (i.e., 'LEAD' indicators)
- Are expressed in precise, measurable terms
- How well management leverages / manages the resources needed for the process
- Control Statements & Control Practices from 'Waterfall'
- Are process oriented, but IT driven
- Help in improving the IT process

Measurable indicators of performance of the enabling factors.

(Waterfall diagram: The control of IT Processes which satisfy Business Requirements is enabled by Control Statements and considers Control Practices.)
Slide 37: Management Guidelines - CSF, KGI, KPI - Examples

Critical Success Factors
- IT performance is measured in financial terms, in relation to customer satisfaction, for process effectiveness and for future capability, and IT management is rewarded based on these measures
- The processes are aligned with the IT strategy and with the business goals; they are scalable and their resources are appropriately managed and leveraged
- Everyone involved in the process is goal focused and has the appropriate information on customers, on internal processes and on the consequences of their decisions
- A business culture is established, encouraging cross-divisional co-operation and teamwork, as well as continuous process improvement
- Control practices are applied to increase transparency, reduce complexity, promote learning, provide flexibility and allow scalability
- Goals and objectives are communicated across all disciplines and are understood
- It is known how to implement and monitor process objectives and who is accountable for process performance
- A continuous process quality improvement effort is applied
- There is clarity on who the customers of the process are
- The required quality of staff (training, transfer of information, morale, etc.) and availability of skills (recruit, retain, re-train) exist

Key Performance Indicators
- System downtime
- Throughput and response times
- Amount of errors and rework
- Number of staff trained in new technology and customer service skills
- Benchmark comparisons
- Number of non-compliance reportings
- Reduction in development and processing time

Key Goal Indicators
- Increased level of service delivery
- Number of customers and cost per customer served
- Availability of systems and services
- Absence of integrity and confidentiality risks
- Cost efficiency of processes and operations
- Confirmation of reliability and effectiveness
- Adherence to development cost and schedule
- Cost efficiency of the process
- Staff productivity and morale
- Number of timely changes to processes and systems
- Improved productivity (e.g., delivery of value per employee)

Slide 38: COBIT As An Audit Framework - A Success Story

Additional Information: COBIT Case Study (http://www.itgi.org/casestudy4.htm) (http://www.isaca.org/ctcase27.htm)
Slide 39: Process For Implementing COBIT

- Recognize Need: Integrating COBIT Into IT Governance, Risk Management, & Systems Audit Approach
- Educate Senior IT Management
- Map COBIT to FFIEC Examination Guidelines
- Map Audit Universe to COBIT High Level Control Objectives
- Map Annual Audit Plan to COBIT Detailed Level Control Objectives (IT Activities)
- Develop Questionnaire / Joint Risk Self-Assessment
- Facilitate Assessment Work Sessions with Client
- Analyze, Document, Validate Results, Report To Management
Slide 40: The Need - Increased Regulatory Focus

Regulatory Ratings: Overall (UFIRS) & IT-Specific (URSIT)

Uniform Financial Institution Rating System (UFIRS) Composite Score (1-5)
- UFIRS rating reflects institution safety and soundness.
- IT (URSIT) is one of many components evaluated to determine the UFIRS score.

Uniform Rating System for Information Technology (URSIT) Composite Score (1-5)

URSIT Rating Criteria
1 = Strong
2 = Satisfactory
3 = Less than Satisfactory
4 = Deficient
5 = Critically Deficient

Federal Reserve Issued ... SR 99-8 (SUP) March 31, 1999 ... references COBIT

COBIT Maturity Ratings
0 = Non-Existent
1 = Initial
2 = Repeatable
3 = Defined
4 = Managed
5 = Optimized

Note inverted scale: Fed rating of 5 is deficient and COBIT rating of 5 is Optimized.
Slide 41: Educating Senior IT Management

Encouraging Senior IT Management To Adopt COBIT
- Framework for Risk Self-Assessment (RSA) process
- Emphasize business orientation (NOT audit orientation)
- Emphasize value of self-assessment, performance measurement and benchmarking: provide real examples
- Knowledge that COBIT is based on industry standards with input from many sources
- Resource for regulatory examinations
- During rollout: monitor progress and report on results

Educating IT Management At All Levels
- Executive summary focus for senior management
- Workshops for line management and key technicians
- Integration with the audit process (engagement memos, audit kick-off meetings, work sessions, reporting)
Slide 42: Linking COBIT To Other Sources of "Best Practice"

COBIT Ref. | COBIT Domains & Control Objectives | FFIEC Ref. | FFIEC Chapter Title & Relevant Section
PLANNING & ORGANIZATION | | |
PO1 | Define a Strategic IT Plan | |
1.1 | IT as Part of the Organization's Long- and Short-Range Plan | 10-1 | Corporate Contingency Planning Responsibilities
1.2 | IT Long-Range Plan | 9-6 | Planning
1.3 | IT Long-Range Planning, Approach & Structure | 9-6 | Planning
1.4 | IT Long-Range Plan Changes | 9-6 | Planning
1.5 | Short-Range Planning for the IT Function | 9-6 | Planning
1.6 | Communication of IT Plans | 9-6 | Planning
1.7 | Monitoring & Evaluating of IT Plans | 9-8 | Controls
1.8 | Assessment of Existing Systems | 12-2 | System Development Standards
PO2 | Define the Information Architecture | |
2.1 | Information Architecture Model | |
2.2 | Corporate Data Dictionary & Data Syntax Rules | |
2.3 | Data Classification Scheme | |
2.4 | Security Levels | 14-1, 14-2 | Security Administration and Accountability; Security Plan

Illustration Only

COBIT objectives mapped to relevant FFIEC examination criteria ... Other considerations: map to relevant ISO standards, technology specific process / control methodologies, etc.

FFIEC: Federal Financial Institutions Examination Council
Slide 43: Alignment With Technology Infrastructure (Illustration Only)

[Network diagram. Labels: Remote Access; Mainframe Systems (Databases & Applications); Distributed Systems, UNIX & Windows (Databases & Applications; Other Servers); DMZ (Databases & Applications; Email, FTP, DNS; Monitoring, Intrusion Detection & Anti-Virus Systems); Firewalls / Secure Routing; Firewalls; Internet; Subsidiaries; Routers; LANs; 3rd Parties; VPN; Remote LANs. External Risks: Vulnerability to Hackers. Internal Risks: Unauthorized Access by Internal Users (employees or contractors).]
Slide 44: Security Audit Universe

[Diagram: the Audit Universe with the following security audit areas around it]
- Access Management & Compliance
- Identity Management
- Distributed Security
- Security Governance
- Mainframe Security
- Security Monitoring
- Remote Access Security
- Intrusion Detection
- Virus Prevention
- Physical Security
- Incident Response
- Software Management
- Network & Perimeter Security
- Application Security
- Database Security
Slide 45: Map Audit Universe To COBIT

[Mapping table, Illustration Only. Callouts: High Level Objective (i.e. PO2); Applicable Objectives Noted With 'X'.]
Slide 46: Audit Approach Overview

[Flow diagram with numbered steps (the step numbering is not recoverable from the extraction): Audit Planning Session; COBIT Manuals & Other Best Practice Material; COBIT To Audit Mapping Template; Audit Team Work Program; Engagement Memo; Kick-Off Meeting; COBIT Control Assessment Questionnaire; Client Work Sessions; Audit Testing; Exit Meeting; Reporting; QAR.]
Slide 47: Map Audit Plan To COBIT

[Mapping table. Callouts: Applicable Objectives Noted In This Column; Risk Category Noted In This Column; High Level Objective (i.e. PO2); Detailed Level Objective (i.e. 2.1).]
Slide 48: Using COBIT Framework To Tie It All Together ... Illustration Only

Use of a Framework ensures consistent coverage across audits and allows for trending the "state of controls" over time.

[Diagram linking: COBIT Control Assessment Questionnaire; Work Program; Engagement Memo; Audit Report.]
Slide 49: COBIT Control Assessment Questionnaire

Questionnaire is used during joint work sessions held with clients to complete a joint risk assessment of the area under review.

Callouts on the illustration:
- One Table For Each High-Level COBIT Objective Included In Scope
- One COBIT Control Objective Per Row
- XYZ Company Specific Control Objectives
- Preplanned Assessment Questions
- Client's Response & Assessment Results
- COBIT Maturity Rating (0-5) assigned based on Joint Assessment
- Overall Maturity Rating for each High-Level Control Objective assigned based on results of joint assessments of each Detailed Control Objective.
Slide 50: COBIT Based Audit Report

Callouts on the illustration:
- Overall Rating
- Client's Target Goal
- Overall Conclusion Statements Supporting Overall Rating
- Audit Metrics
- QAR
- Concise Background & Scope
- Responsible Manager Provided Response
- Control Weakness highlighting business impact
- Due Date
- Client Provided Responses
- Issue Priority (A, B, C)
Slide 51: COBIT Based Audit Report

Strategic Focal Point Table (one row for each high-level objective included in scope):
- Overall Rating For High-Level Control Objective
- Highlighting Key Performance Indicators (i.e., Metrics)
- Detailed Control Objectives Included In Scope Listed
- Summary Conclusions and Points Supporting Rating

Control Focal Point Table (highlighting key controls):
- Applicable Detailed Control Objective (one per row; corresponds to a row in the Assessment Questionnaire)
- Highlighting Key Performance Indicators (i.e., Metrics)
- Summary Conclusions and Points Supporting Rating
- Assigned Maturity Rating
Slide 52: COBIT Based Audit Report

Illustration Only. Callouts:
- Process Workflow Diagram For Area Assessed
- Table Defining Key Control Points In Process Flow
- Automated or Manual Control
- Highlighting Key Performance Indicators (i.e., Metrics)
Slide 53: COBIT To Audit Mapping Repository

[Illustration Only: repository linking the Questionnaire, the Audit Report and the Quarterly Report Of Audit Results (QAR).]
Slide 54: Quarterly Audit Report

[Embedded report page: Audit Results Metrics, Date Printed: 03/24/2003, Charles Schwab & Co, Inc., page 6. IAD Focal Point Methodology Scorecard, Overall Audit Results: stacked bar chart (0% to 100%) of audits by COBIT maturity level (0 - Non-Existent, 1 - Initial, 2 - Repeatable, 3 - Defined, 4 - Managed, 5 - Optimized) for Prior Year, Q1, Q2, Q3, Q4 and YTD 2002, with panels for Security Audits (refer to slide 7), Infrastructure Audits (refer to slide 6) and OVERALL. Annotations: Data Not Available For 2001; No Reports Issued; TBD. The individual bar percentages are not recoverable from the extraction.]

Analysis of Key Technology Metrics
May 20, 2003, 2003 North America CACS Conference, Slide 77
Example of Metric Analysis To Include In QAR (Illustration Only)

[Chart: percentage of change tickets (0.00% to 100.00%) by outcome for Q1, 2002, Q2, 2002, Q3, 2002 and YTD. Outcomes: Successful; Failed & Backed Out; Caused Problem; Caused Outage; Cancelled; Unstatused. Target Rate 97% (Source: Technology Management Balanced Scorecard).]

Although target rates have not been achieved, change management processes are successful on average 75% of the time. Less than 1% of appropriately recorded changes resulted in problems or outages...

Internal Audit Observations:
- Change management processes appear to be consistently applied with only minor variances in volume.
- Large percentage (~20%) of "unstatused" tickets indicates process adherence issues. True results cannot accurately be determined; therefore, additional management scrutiny is appropriate for the "unstatused" items.
- Trend for tickets with implementation problems is increasing; additional analysis to ascertain root cause of the increase in this activity would be appropriate. Root cause may rest with testing and validation processes.

[Second chart: the outcome categories other than Successful (Failed & Backed Out; Caused Problem; Caused Outage; Cancelled; Unstatused) on a 0.00% to 25.00% scale for Q1, 2002, Q2, 2002, Q3, 2002 and YTD.]

Illustration Only
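The roll-up behind the questionnaire on slide 49 and the QAR scorecard above, as an added example that is not part of the deck: detailed control objective ratings (0-5) are rolled up to an overall rating per high-level objective, the overall ratings are turned into the percentage-by-maturity-level distribution the scorecard charts, and two quarters are compared to trend the state of controls. The roll-up rule (mean rounded half up), the objective names and all ratings are assumptions; the deck only says the overall rating is based on the detailed results.

```python
from collections import Counter
from statistics import mean

MATURITY = {0: "Non-Existent", 1: "Initial", 2: "Repeatable",
            3: "Defined", 4: "Managed", 5: "Optimized"}

# Constructed questionnaire results: one table per high-level objective in
# scope, one detailed control objective per row, joint rating 0-5.
QUESTIONNAIRE_Q1 = {
    "DS5 Ensure System Security": {"5.1": 3, "5.2": 2, "5.3": 3, "5.4": 2},
    "PO2 Define the Information Architecture": {"2.1": 1, "2.2": 1, "2.3": 1, "2.4": 2},
    "DS11 Manage Data": {"11.1": 3, "11.2": 3, "11.3": 3},
}
QUESTIONNAIRE_Q2 = {
    "DS5 Ensure System Security": {"5.1": 3, "5.2": 3, "5.3": 3, "5.4": 3},
    "PO2 Define the Information Architecture": {"2.1": 2, "2.2": 2, "2.3": 2, "2.4": 3},
    "DS11 Manage Data": {"11.1": 4, "11.2": 4, "11.3": 4},
}


def overall_rating(detailed):
    """Overall maturity for one high-level objective.

    Assumed roll-up: mean of the detailed ratings, rounded half up to the
    nearest level. The rounding rule is this example's choice, not COBIT's.
    """
    ratings = list(detailed.values())
    if not ratings:
        raise ValueError("no detailed control objectives were rated")
    for r in ratings:
        if r not in MATURITY:
            raise ValueError(f"rating {r!r} is outside the COBIT 0-5 scale")
    return int(mean(ratings) + 0.5)


def rate_questionnaire(questionnaire):
    """High-level objective -> overall maturity rating for one quarter."""
    return {hlo: overall_rating(rows) for hlo, rows in questionnaire.items()}


def scorecard(overall):
    """Percentage of in-scope objectives at each level: the QAR stacked bar."""
    counts = Counter(overall.values())
    total = len(overall)
    return {lvl: round(100 * counts[lvl] / total) if total else 0 for lvl in MATURITY}


def trend(previous, current):
    """Level change per objective between quarters (state of controls over time)."""
    return {hlo: current[hlo] - previous[hlo] for hlo in current if hlo in previous}


def describe(rating):
    """Label a rating on the COBIT scale, where 5 is best (Optimized); note the
    URSIT scale on the regulatory slide runs the other way (5 is worst)."""
    return f"{rating} - {MATURITY[rating]}"


if __name__ == "__main__":
    q1, q2 = rate_questionnaire(QUESTIONNAIRE_Q1), rate_questionnaire(QUESTIONNAIRE_Q2)
    for hlo in q2:
        print(f"{hlo}: {describe(q1[hlo])} -> {describe(q2[hlo])} ({trend(q1, q2)[hlo]:+d})")
    print("Q2 scorecard:", scorecard(q2))
```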
Slide 55: Benefits Realized...

- IT management partners with Internal Audit throughout the audit life cycle, including input into the audit schedule and scope.
- IT management becomes conversant in risk, control, and audit concepts.
- Relationships transformed into partnerships by jointly assessing control procedures.
- Audit Report streamlined ... concise report supported by detailed questionnaire (i.e., Risk Self Assessment - RSA).
- Audit approach is methodical and is consistent with IT Governance practices implemented throughout the company's technology organization.
- Meaningful reporting for senior IT management. Facilitated efforts to implement processes necessary for Sarbanes-Oxley compliance.
Slide 56: Additional Audit Resources

Templates (http://www.sfisaca.org/resources/downloads.htm)
COBIT Case Study (http://www.itgi.org/casestudy4.htm) (http://www.isaca.org/ctcase27.htm)

COBIT As A Risk Management Framework For Information Security: Case Study - Information Security - Access Compliance
Slide 58: Drivers of Information Security Requirements

Business Drivers
- Shorter business cycles
- Need to involve/connect/tie in with more partners
- Network centric business models
- Leverage VPN, remote access, new tools
- Regulatory Requirements

Manage Risk
- Internet - UNIX - TCP/IP
- More hackers, more tools
- Increased dependency on IT

Leverage Opportunities
- E-cash, e-commerce, e-tc.
- Open, modular, scalable
- Security a commodity

(Diagram columns: Technology Drivers; Business Drivers)

Management "Buy In" - Key To Success!
- Awareness (value of IT governance framework)
- Perceived / Understood Risk
- Cost / Benefit
- Benchmarks
- Clarity of Purpose
Slide 59: Senior Management Awareness - Tone From Top

Questions From Senior Management / Board
- What does security cost?
- Have we completed a risk assessment in order to define where the enterprise is most vulnerable (i.e., where do we most appropriately focus our security resources)?
- How do we measure our "state" of security?
- How do we ensure that customer data (NPI) and sensitive financial information is appropriately safeguarded and only accessible by users with a business "need to know or use" the data?
- Do we know for certain how many people are accessing the organization's systems? Are we monitoring the access; are resource owners appropriately engaged?
- What are the most critical information assets of the enterprise (do we have an inventory)? Has data been classified and secured based on relative risk?
- Do we maintain an inventory of all system devices that the company owns / leases? Would management know if some went missing?
- Would people recognize a security incident when they saw one? Would they ignore it? Would they know what to do about it?
- Has the organization ever had its security "validated" by a third party?
Slide 60: Cost of Information Security

[Chart: Cost of Security / Control VERSUS IT Budget. Bands as labelled: Industry Leader; Leadership Best Practices; Benchmarking; Baseline Operation; Minimum Requirements; "Cowboy" Operation; Non-Compliance. Percentages shown on the chart: 45 - 50%, 55%, 20 - 25%, 5 - 10% (which band each belongs to is not recoverable from the extraction). Arrow legend: = Drivers.]
Slide 61: Monitoring Emerging Risk Indicators: Is Risk Well Managed?

Risk management is concerned (in part) with processes designed and sustained by management to reduce the risk of material error...
- Frequent measurement of results is prerequisite for a sustained and controlled environment.
- Standardization and design are prerequisite for repeatability.

Risk Drivers - Lessons Learned From COBIT?

Risk decreases when processes are:
- Mature: sustainable and measurable
- Repeatable and predictable
- Systematic / automated
- Monitored
- Standardized (designed / defined)
- Documented and communicated

Risk increases when processes are:
- Inconsistent
- Ad-hoc (not standardized)
- Not monitored
- Relying upon the knowledge of individuals (i.e., lack of documentation)

...In line with COBIT's Management Guidelines, access management should include formal steps for proactively evaluating compliance via monitoring activities and meaningful performance indicators (i.e., metrics)...
Slide 62: Monitoring Emerging Risk Indicators: Ongoing Measurement / Ongoing Dialogue

Monitor key performance indicators (i.e. metrics) on an ongoing basis...

[Diagram "Reality": the Control Environment over Time, with point-in-time assessments Assess 1 at t1 and Assess 2 at t2.]

Challenges Of "Point-In-Time" Assessment
- Evaluation of risk and control is as of a point in time.
- Management reporting is reflective of results as of a point in time.
- Priorities may be influenced by prior results (i.e., focus on past areas of weakness). Good or Bad??
- If a risk assessment on the function has not been completed for a long time, there may be a learning curve.

[Diagram "Expectation" vs "Reality": the Control Environment with Assess 1 at t1 and Assess 2 at t2, with reports ("Report", "Report", "Report") issued in between over Time; labelled Ongoing Measurement.]

Traditional Risk Assessment Approach (Prioritization based on annual risk assessment of function)

Ongoing Monitoring Of Risk Indicators (Gaining Efficiencies Through Focus On High Risk Indicators)

Benefits of Ongoing Monitoring
- Quarterly readout of assessment results for technology management.
- Ongoing dialogue regarding areas of significant or increasing risk.
- Priorities more closely associated with known risk factors ultimately leading to more controlled risk mitigation and potential process improvements / efficiency gains.
Slide 63: Monitoring Emerging Risk Indicators: Overall Objective & Goal

...Goal is to proactively monitor metrics on an ongoing basis to focus risk remediation efforts on high-risk processes and tasks where performance indicators indicate potential problems. Results of metric analysis are presented to senior management on a quarterly basis. The analysis indicates priorities for remediation efforts and any required changes to existing processes.
Slide 64: Information Security: Security Metrics Development Process

Slide 65: Information Security: Security Metrics Implementation Process

Slide 66: Information Security: Measuring Performance (illustration only)

[Diagram: six measurement areas arranged around Policy (Tools & Technology; Process; Human Behaviour & Culture), each ranked 0 Very poor, 1 Poor, 2 Fair, 3 Good, 4 Very good, 5 Excellent. Areas: Policies & Procedures; Security Management; Behavior & Culture; Application Security; System Access Control; Network Segregation.]

Legend for ranking used
5 - Excellent: Best possible, highly integrated
4 - Very good: Advanced level of practice
3 - Good: Moderately good level of practice
2 - Fair: Some effort made to address issues
1 - Poor: Recognise the issues
0 - Very poor: Complete lack of good practice

Legend for Symbols Used: Average of best security performers in the financial industry (begin '96); Company status (Feb '97); Company objective for 2001

[Trend chart residue: years 1996 through 2001 on the x-axis, 0 to 100 on the y-axis; the plotted values are not recoverable from the extraction.]
Slide 67: Information Security: Measuring Performance (illustration only)

The Security Officer consistently performs both internal and external vulnerability scans on a monthly basis. The majority of vulnerabilities identified are low risk...

[Two bar charts (scales 0 to 1000 and 0 to 3000): Internal Vulnerability Scans and External Vulnerability Scans, showing Low Risk, Medium Risk and High Risk Vulnerabilities for Q1, 2002, Q2, 2002 and YTD; markers A and B; annotation: Slight increase in high risk vulnerabilities.]

Observations:
- An increase in internal vulnerabilities occurred from Q1 to Q2. The increase is explained by new system patches checked for by the vulnerability scanner that have not been applied to the XYZ company servers. Technology management appropriately applies patches only after the patches have been tested and certified.
- A decrease in external vulnerabilities was noted from Q1 to Q2. These results demonstrate that a significant number of Q1 vulnerabilities have been resolved.
Slide 68: Information Security: Key Indicators - Access Compliance

- Access Administration Workflow (adds, changes, deletions, special requests)
- Access Administration Service Level Attainment (measured against target / goal)
- Percentage of ID requests submitted with appropriate approvals
- Inactive ID Remediation (percentage decline over time)
- Privileged Access Oversight (percentage of total IDs)
- Shared / Generic ID Oversight (percentage of total IDs)
- Percentage of current access administration policies / standards
- Percentage of current access administration guidelines
- Percentage of current access administration procedures
- Number of access related incidents reported
- Average time elapsed between incident discovery and implementation of corrective action
- Percentage of IDs for which supervisory review has been completed in the past quarter to validate that access remains appropriate for the user's job function
- Percentage of systems for which access security parameters have been tested and evaluated in the past year & percentage of non-compliant systems
- Percentage of system resources without a defined / accountable resource owner assigned
- Percentage of systems that maintain logs (audit trail) to trace user activity
- Percentage / Number of access violations to critical system resources
- Percentage of passwords not in compliance with policy (password quality)
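Several of the indicators above computed from an identity and system inventory, as an added example that is not the deck's or Schwab's own tooling. The inventory records, field names, the 90-day inactivity threshold, the 91-day "past quarter" window and the as-of date are all constructed assumptions.

```python
from datetime import date

REPORT_DATE = date(2004, 10, 5)   # as-of date for the scorecard (constructed)
INACTIVE_DAYS = 90                # assumed threshold for calling an ID inactive
QUARTER_DAYS = 91                 # assumed length of the "past quarter" window
YEAR_DAYS = 365                   # window for "tested in the past year"

# Constructed ID inventory, one row per user ID. None means never logged in
# or never reviewed; "approved" records whether the ID request carried the
# required approvals.
IDS = [
    {"id": "jdoe", "privileged": False, "shared": False, "approved": True,
     "last_login": date(2004, 9, 28), "last_review": date(2004, 8, 2)},
    {"id": "asmith", "privileged": True, "shared": False, "approved": True,
     "last_login": date(2004, 10, 1), "last_review": date(2004, 9, 14)},
    {"id": "batch01", "privileged": True, "shared": True, "approved": True,
     "last_login": date(2004, 10, 4), "last_review": None},
    {"id": "tmp_ctr", "privileged": False, "shared": False, "approved": False,
     "last_login": date(2004, 5, 3), "last_review": date(2004, 3, 1)},
    {"id": "rlee", "privileged": False, "shared": False, "approved": True,
     "last_login": None, "last_review": date(2004, 7, 20)},
    {"id": "helpdesk", "privileged": False, "shared": True, "approved": True,
     "last_login": date(2004, 9, 30), "last_review": date(2004, 7, 20)},
]

# Constructed system inventory, one row per system resource.
SYSTEMS = [
    {"name": "mainframe", "owner": "ops-mgr", "audit_trail": True, "params_tested": date(2004, 2, 10)},
    {"name": "hr-db", "owner": None, "audit_trail": True, "params_tested": date(2003, 6, 1)},
    {"name": "dmz-ftp", "owner": "net-mgr", "audit_trail": False, "params_tested": None},
    {"name": "crm-app", "owner": "sales-mgr", "audit_trail": True, "params_tested": date(2004, 8, 30)},
]


def pct(part, whole):
    """Percentage to one decimal; 0.0 for an empty population."""
    return round(100.0 * part / whole, 1) if whole else 0.0


def within(d, as_of, days):
    """True when date d is set and falls inside the last `days` days."""
    return d is not None and 0 <= (as_of - d).days <= days


def id_indicators(ids, as_of=REPORT_DATE):
    """ID-level indicators from the slide, each as a percentage of total IDs."""
    n = len(ids)
    return {
        "pct_requests_with_approval": pct(sum(r["approved"] for r in ids), n),
        "pct_inactive_ids": pct(sum(not within(r["last_login"], as_of, INACTIVE_DAYS) for r in ids), n),
        "pct_privileged_ids": pct(sum(r["privileged"] for r in ids), n),
        "pct_shared_generic_ids": pct(sum(r["shared"] for r in ids), n),
        "pct_reviewed_past_quarter": pct(sum(within(r["last_review"], as_of, QUARTER_DAYS) for r in ids), n),
    }


def system_indicators(systems, as_of=REPORT_DATE):
    """System-level indicators: resource ownership, audit trail, parameter testing."""
    n = len(systems)
    return {
        "pct_without_resource_owner": pct(sum(s["owner"] is None for s in systems), n),
        "pct_with_audit_trail": pct(sum(s["audit_trail"] for s in systems), n),
        "pct_params_tested_past_year": pct(sum(within(s["params_tested"], as_of, YEAR_DAYS) for s in systems), n),
    }


def inactive_id_decline(previous_pct, current_pct):
    """Inactive ID remediation indicator: percentage-point decline since the last period."""
    return round(previous_pct - current_pct, 1)


if __name__ == "__main__":
    for name, value in {**id_indicators(IDS), **system_indicators(SYSTEMS)}.items():
        print(f"{name:32s} {value:5.1f}%")
```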
Tools To Facilitate Your Risk Management Efforts
Slide 70: COBIT Security Baseline

Slide 71: COBIT Security Baseline (continued)

Focusing attention on security-related objectives from the entire COBIT framework...

Slide 72: COBIT Security Baseline (continued)
Slide 73: IT Control Practice Statement: COBIT - DS5 Ensure System Security

IT control practices expand the capabilities of COBIT by providing the practitioner with an additional level of detail. The current COBIT IT processes, business requirements and detailed control objectives define what needs to be done to implement an effective control structure. The IT control practices provide the more detailed how and why needed by management, service providers, end users and control professionals to implement highly specific controls based on an analysis of operational and IT risks.
Slide 74: IT Control Practice Statement: COBIT - DS5 Ensure System Security (EXAMPLE)

DS 5.4 User Account Management

Why do it? The enforcement of adequate user account management in line with the control practices will help ensure:
- Proper administration of the lifecycle of user accounts
- Communication to and acknowledgment by users of the rules with which they need to comply

Control Practices
- DS 5.4.01 Procedures are in place to ensure timely actions in relation to requesting, establishing, issuing, suspending and closing user accounts. All actions require formal approval.
- DS 5.4.02 When employees are given their account, they are provided with initial or refresher training and awareness on computer security issues. Users are asked to review a set of rules and regulations for system access.
- DS 5.4.03 Users use quality passwords as determined by the organization's password guidelines. Quality aspects of passwords include: enforcement of initial password change on first use, appropriate minimum password length, appropriate and enforced frequency of password changes, password checking against list of not-allowed values, e.g., dictionary checking and adequate protection of emergency passwords.
- DS 5.4.04 Third-party users are not provided with user codes or passwords unless they have signed a nondisclosure agreement. Third-party users are provided with the organization's security policy and related documents and must sign off that they understand their obligations.
- DS 5.4.05 All contracts for outsourcing or contracting address the need for the provider to comply with all security related policies, standards and procedures.
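The DS 5.4 control practices above turned into checks an access administration team could run over its account records, as an added example that is not ISACA's or the deck's own code. The password-quality checks follow the quality aspects listed under DS 5.4.03 (length, change on first use, change frequency, not-allowed values, emergency passwords); the thresholds, the not-allowed list, the field names and the account records are constructed assumptions.

```python
from datetime import date

MIN_LENGTH = 8          # assumed "appropriate minimum password length"
MAX_AGE_DAYS = 90       # assumed "enforced frequency of password changes"
# Constructed not-allowed list standing in for the dictionary check.
NOT_ALLOWED = {"password", "welcome", "changeme", "letmein", "qwerty"}

AS_OF = date(2004, 10, 5)   # review date (constructed)

# Constructed account records. approval_ref: DS 5.4.01 formal approval;
# rules_acknowledged: DS 5.4.02; logged_in / initial_pw_changed /
# pw_last_changed / emergency_pw_sealed: DS 5.4.03; third_party /
# nda_signed / policy_signoff: DS 5.4.04.
ACCOUNTS = [
    {"user": "jdoe", "third_party": False, "approval_ref": "REQ-1042",
     "rules_acknowledged": True, "logged_in": True, "initial_pw_changed": True,
     "pw_last_changed": date(2004, 9, 1), "emergency": False},
    {"user": "vendor-x", "third_party": True, "nda_signed": False, "policy_signoff": True,
     "approval_ref": "REQ-1050", "rules_acknowledged": True, "logged_in": True,
     "initial_pw_changed": False, "pw_last_changed": date(2004, 4, 1), "emergency": False},
    {"user": "firecall", "third_party": False, "approval_ref": None,
     "rules_acknowledged": True, "logged_in": False, "initial_pw_changed": False,
     "pw_last_changed": date(2004, 9, 20), "emergency": True, "emergency_pw_sealed": False},
]


def password_quality(candidate):
    """DS 5.4.03 checks applied when a password is set. Empty list = acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    lowered = candidate.lower()
    if any(word in lowered for word in NOT_ALLOWED):
        problems.append("contains a not-allowed (dictionary) value")
    return problems


def account_findings(acct, as_of):
    """Control practices of DS 5.4 that one account record violates."""
    findings = {}
    if not acct.get("approval_ref"):
        findings["DS 5.4.01"] = "account action lacks formal approval"
    if not acct.get("rules_acknowledged"):
        findings["DS 5.4.02"] = "user has not reviewed the system access rules"
    pw = []
    if acct.get("logged_in") and not acct.get("initial_pw_changed"):
        pw.append("initial password not changed on first use")
    last = acct.get("pw_last_changed")
    if last is not None and (as_of - last).days > MAX_AGE_DAYS:
        pw.append(f"password older than {MAX_AGE_DAYS} days")
    if acct.get("emergency") and not acct.get("emergency_pw_sealed"):
        pw.append("emergency password not adequately protected")
    if pw:
        findings["DS 5.4.03"] = "; ".join(pw)
    if acct.get("third_party") and not (acct.get("nda_signed") and acct.get("policy_signoff")):
        findings["DS 5.4.04"] = "third-party ID issued without signed NDA and policy sign-off"
    return findings


def issue_allowed(acct, as_of):
    """Gate ID issuance on the practices that must be met before a user code exists."""
    return not ({"DS 5.4.01", "DS 5.4.04"} & set(account_findings(acct, as_of)))


def pct_passwords_noncompliant(accounts, as_of):
    """The access-compliance indicator 'percentage of passwords not in compliance with policy'."""
    n = len(accounts)
    bad = sum("DS 5.4.03" in account_findings(a, as_of) for a in accounts)
    return round(100.0 * bad / n, 1) if n else 0.0


if __name__ == "__main__":
    for acct in ACCOUNTS:
        print(acct["user"], account_findings(acct, AS_OF) or "compliant")
    print("passwords not in compliance:", pct_passwords_noncompliant(ACCOUNTS, AS_OF), "%")
```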
Slide 75: Additional Resources & Questions

Templates & Resources (http://www.sfisaca.org/resources/downloads.htm)
- COBIT Security Baseline
- IT Control Practice Statement - COBIT DS5 Ensure System Security
- Questionnaire for IT Control Practice Statement DS5
- Security Self-Assessment Guide for Information Technology Systems (National Institute of Standards & Technology)
- Security Metrics Guide for Information Technology Systems (National Institute of Standards & Technology)
- Access Compliance Scorecard - Template
- ISO 17799 (http://www.iso-17799.com/)
- FFIEC Information Security Examination Handbook (http://www.ffiec.gov/ffiecinfobase/html_pages/it_01.html)
Slide 76: Questions? Thank You!