InfoSec Technology Management of User Space and Services Through Security Thr...
1. Office of Internal Audit and Compliance
IT Auditing Overview
CIO Advisory Council Meeting
Spring 2011 - Savannah, Ga.
2. Session Guide
• Erwin (Chris) L. Carrow
IT Audit Director; M.Div., MSIS, CISSP, INFOSEC, CCAI, CCNP, CCSP, CQS, CCNA, LCP, LCI, OCM, MCSE, MCP+I, LSS Green Belt, etc. (Alphabet soup – who cares?!)
Board of Regents, University System of Georgia
Office of Internal Audit and Compliance
270 Washington Street S.W., Ste. 7087, Atlanta, GA 30334
(404) 657-9890 Office, (678) 644-3526 Cell, (404) 463-0699 Fax
Email: erwin.carrow@usg.edu, ecarrow@gmail.com, ecarrow@google.com
http://www.linkedin.com/in/thebishop
Twitter: @ecarrow
Skype: erwin.louis.carrow
3. Session Agenda
(22 slides – unless additional needs for clarity)
• Quick Overview – Audit Methodology (slides 1-15)
• Assessment Lifecycle & Applying Controls (slides 16-18)
• Overview & Summary (slides 19-22)
______________________________________________________________
• Terminology & Context of Security Implementation (slides 23-27)
– Securing Business Functions
– Governance
– Business Function Characteristics: Vertical (B2S) and Horizontal (B2B) Relationships
• Risk Identification & Reconciliation (slides 28-34)
– Business Impact Analysis
– Risk Assessment Process
– Risk Analysis Methodology
• Categories and Types (slides 35-37)
– Risk – Enterprise Risk Management (BIA, RA, ERM)
– Information, Information Systems, & Users
• Controls Framework (slides 38-44)
– Types of Controls, Skill Sets, and Resources
– Criteria: Maturity of Controls to Support Outcomes
– Procedures: Operational Tasks to Implement and Support Controls (low-level)
• Example: Identity Management (COBIT, CMMI, & NIST) (slides 45-55)
4. Key Takeaways
• Understand OIAC requirements and how the IT audit function applies its framework for assessing controls that compensate for high impact / high probability risks.
• Provide a high-level overview of how the framework applies to institutional and agency audits / consulting.
• Provide resources for review & dialogue.
5. Quick Overview – Audit Methodology
6. Why We Audit – Mission & Charter
• “Internal auditing provides independent and objective assurance and consulting services to the Board of Regents (Board), the Chancellor, and institution leadership in order to add value and improve operations. The internal audit activity helps the University System Office (USO) and USG institutions accomplish their objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of governance, risk management, compliance, and internal control processes.”
- Internal Audit Charter approved by the Board of Regents (underline added)
7. Types of Audits – Federal, State, Campus, and Board of Regents
• Federal Auditors
– Rely on work of state auditors
– May focus on federal compliance (FISMA, FERPA, HIPAA, etc.), financial aid, and federal grants management
• State Auditors – Financial and Performance
– Financial / Operational auditors: external auditors validating internal controls and the AFR
– Performance auditors: external auditors focused on a specific system-wide process or policy issue
• Campus Auditors
– Varies by campus
– Generally focused on departmental reviews
– Report to institution President and USO Chief Audit Officer
• Board of Regents Auditors
– Shoot the gaps that other agencies do not address and engage with specific BOR or Legislative concerns
8. The Audit Selection Process: OIAC Risk Assessment & Planning Process
(The “Why Us?” Syndrome, and What We Audit)
• OIAC’s Risk Assessment process
– Quantitative Data: previous findings, financials, etc.
– Qualitative Data: surveys, interviews, trends, etc.
– Quarterly review and assessment rather than an annual approach, in order to be proactive
• Rolling Audit Plan
– Designed to ensure coverage of institutions with high risk
– Also designed to ensure OIAC coverage at all USG institutions at least once every 3-4 years
– Specifies institution and broad categories in which to audit
– May also incorporate consulting engagements and other special projects
9. Overall Engagement Plan – Summary of Process
• Top-down methodology for the auditing assessment
– Risk based: High Impact / High Probability – 32 different influencers
– Business Goals to Standards and Practices
– Business Function critical component identification
– Leadership (administrator) to Technician or Staff member (end user)
– Assess Requirements, Resources, and Processes
• The approach focused on key business functions and their associated Business Goals and Objectives as they relate to the assessed entities.
• Once identified and agreed upon for each business function, the key associated requirements, resources, and processes were identified and assessed to determine whether high or critical risk is being managed.
• Focus was upon Control Practices and Responsibility / Accountability associated with key activities, with CMMI level 3 as the expected criterion for High Risk Critical processes.
10. Methodology, Scope, & Criteria
• Standards for the Methodology
– Institute of Internal Auditors (IIA - www.theiia.org)
– Information Systems Audit & Control Association (ISACA - www.isaca.org)
• Scope of Application: Area of Emphasis (Entity or Process)
– Usually focused on institution-wide processes, e.g., data classification, IT services, NOC, incident response / emergency planning, strategic planning, change management, etc.
• Determine what areas of High Risk or Critical Systems exist for the assessed entities at the institution
– Risk Analysis (OIAC) & Preliminary Assessment with Institution
– Prior Coordination / Business Impact Analysis / Risk Assessment – Information request list, based upon audited entities
– Analysis of information provided from the pre-audit phase
• Scope of Execution: Area of Emphasis (Entity or Process)
– Business Functions (High Critical Risk)
• Examples: IAM: Identity and Access Control Management & NETSEC: Perimeter & Network Security
– Will incorporate recommended focus areas from institutional leadership
– Scope can change during the course of an audit if warranted
• CMMI Criteria level 3: Process is Defined & Documented and periodically Evaluated
11. Those Involved in Areas Reviewed & Priority of Emphasis (# Personnel – # Meetings)
[Diagram: areas reviewed – Information Technology, Academic Units, Administrative Departments, Auxiliaries Units – each shown with a priority of emphasis of High, Medium, Limited, or Low]
12. Summary for Plan of Action
During the engagement we …
• Gather Information / Evidence related to implementation of controls to address High Impact / High Probability risk
– Interviews with key personnel (Business Owner, Trustees, & Stewards)
– Test and Validate Objectives
• Information – Information systems
• Direct observation & dialogue
• Document initial analysis (informal)
• Dialogue and gain Confirmation of Observations (validation)
• Dialogue and gain Common Understanding of Exceptions and Issues
• Identify Issues to Key Shareholders / Leadership and discuss Solutions
• Up until the final report is completed, dialogue will continue with the audited entity regarding issues (objections are welcome – it is your right!)
13. The Process We Follow – From Notification to Reporting
• 1st Phase: Pre-Campus Work (Preparatory Efforts)
– Announcement / Notification Letter, sent to President upon rolling audit plan approval (specific 5-month period during which the audit will be conducted)
– Preliminary Survey – brief visit on campus, approx. 60 days prior to start of audit
– Engagement Letter – sent to President approx. 30 days prior to start of audit
– Data Collection – initial interviews, data requests, and network scans may take place prior to arrival on campus; the more we get ahead of time, the less time we have to spend onsite
• 2nd Phase: On-Campus Fieldwork (Evidence Gathering Phase)
– Initiated with Entrance Conference (“Line in the Sand”)
– Scope of work may expand / contract
– Campus POC kept informed on audit progress and issues (daily)
– End-of-fieldwork review: a meeting conducted at the close of work summarizing initial results and implications
• 3rd Phase: Post-Campus Work (Documentation & Publication Phase)
– Draft Report prepared and sent as discussion document
– Exit Conference held either in person or via phone / video conference
– Official Draft Report sent requiring response from institution
– Institution’s response incorporated in report
– Report published and distributed
14. Summary of Engagement Flow Timeframes
[Flow diagram, three phases]
1. Rolling Risk Assessment & Notification – three times per year; Preliminary Survey onsite with Senior Leadership; Audit Letter with data request sent – preliminary assessment (60 Days)
2. Entrance meeting & field work (30 Days); End of field work meeting w/ Key Shareholders (2 to 4 Wks)
3. Remaining timeline labels from the diagram (unmapped in extraction): 4-6 Wks, 1-2 Wks, 1 Wk, 30 Days, 1 Wk, 90 Days
20. Putting it all together…
21. Thank You for Your Patience & Participation – Any Questions?
• Understand OIAC requirements and how the IT audit function applies its framework for assessing controls that compensate for high impact / high probability risks.
• Provide a high-level overview of how the framework applies to institutional and agency audits / consulting.
• Provide resources for review & dialogue.
22. Helpful Resources
CIS Benchmarks - http://www.cisecurity.org/benchmarks.html
IIA - www.theiia.org
ISACA - www.isaca.org
ISC(2) - www.isc2.org
ISO - www.iso.org
ITGI - www.itgi.org
NIST - csrc.nist.gov
NSA - www.nsa.gov
IASE - iase.disa.mil
Web App Consortium - www.webappsec.org
EDUCAUSE - educause.edu/security
Univ. Austin Texas Sec. - security.utexas.edu
Univ. Cornell Sec. - www.cit.cornell.edu/security
Virginia Tech Sec. - security.vt.edu
Ga. Tech Info Sec. Center - www.gtisc.gatech.edu
23. Terminology & Context of the Audit Implementation
24. Securing Business Events
• It still comes down to … business event Needs and Outcomes
– Goals or Objectives – Vision, Mission, & Operations
– Rules and Requirements
• Identifying critical business functions
– Support Infrastructure: Finance and Accounting, Human Resources, Facilities, Services, other administrative functions or departments
– Production Infrastructure: those folks who actually make the widgets (Instruction)!
• Identify the departments and who the key personnel are, e.g., Business Owners, Trustees, and Stewards
• Identify the vertical (B2S – dependent) and horizontal (B2B – interdependent) relationships that potentially introduce risk (IT Governance)
• Identify the systems that support business functions
• Categories and types of information and information systems
• Answer the question … “How are the people and systems integrated into the business process?”
• Answer the question … “What internal controls exist or need to be implemented to mitigate risk?”
25. Governance Interdependencies & Value Drivers
Control Objectives for Information and related Technology (COBIT®)
26. Business Functions and Characteristics
Control Objectives for Information and related Technology (COBIT®)
27. Governance: Business to Stewardship (B2S) versus Business to Business (B2B)
28. Risk Identification & Reconciliation
29. Audit Risk Life Cycle Variables
30. Standards of Application
• Industry Standards / Frameworks
– COBIT 4.1 (Control Objectives for Information and related Technology)
– NIST (National Institute of Standards and Technology)
– ISO 17799/27001 (International Organization for Standardization)
– ITIL (Information Technology Infrastructure Library)
• Compliance and Regulatory Requirements (FISMA, FERPA, HIPAA, PCI, SOX, SCADA, etc.)
• Board of Regents Standards
– Board of Regents Policy
– ITS Security Guidelines
– Business Process Manual
• Institutions’ Local Policies and Procedures
NOT PERSONAL OPINION OR PREFERENCES!!!!!
31. Business Impact Analysis
Must understand …
• Business goals and requirements
• Internal and external relationships
• What resources are involved
• Who is in charge and what interdependencies exist
• Vision (Strategic), Mission (Tactical), Objectives (Operational): factors for success
• KPIs: What are the Key Performance / Process Indicators?
• What distinctions and outcomes exist for each stage
• What is the scope of probability / impact (beware the “Chicken Little” effect)
• What expectations exist for each key shareholder
Source: Certified Information Systems Auditor (Study Guide), Cannon, Bergmann, & Pamplin
32. Assessing for Risk …
• Risk assessment evaluates components of information, information system security, and compliance as they relate to the business function
• Cycle: Assess → Mitigate / Monitor → Re-Assess
• An ongoing risk management program must be in place
• The business owner or key shareholder must own the process
• Establish a standard for considering and negotiating risk
• Annual (periodic) risk assessment deliverable with recommendations for corrective action
• Clearly define and document accepted risk – someone needs to sign off on the responsibility
33. Risk Mitigation
• Once risks are identified, they must be mitigated via internal controls
• Internal Controls: a practice approved by management to mitigate risk or produce a desired outcome in a business process for implementing and enforcing information security and compliance
• Cycle: Design → Document → Implement
• Document and retain artifacts
• Test the controls prior to implementation to validate expectations
• Monitor results
• Re-test controls periodically
34. Re-Assess Risks
• Risk Assessments are an ongoing exercise
• Track mitigation strategies: did they work?
– What “Framework(s)” are being applied?
– Is there an identifiable “Structure” in place, e.g., a risk management program?
– Is the “Methodology” recognizable, e.g., documented and not arbitrary?
– Are you using tools to monitor, manage, and validate the associated processes?
• Test and re-test controls (design and effectiveness)
• Document test results, corrective actions, and changes in business needs / requirements
Source: Certified Information Systems Auditor (Study Guide), Cannon, Bergmann, & Pamplin
36. Risk Categories and Types?
Determine how the categories of risk may or may not apply:
• Risk Types
– Strategic: Affects the entity’s ability to achieve goals and objectives
– Compliance: Affects compliance with laws and regulations, safety and environmental issues, litigation, conflicts of interest, etc.
– Reputational: Affects reputation, public perception, political issues, etc.
– Financial: Affects loss of assets, technology, etc.
– Operational: Affects on-going management processes and procedures
• Risk Management Process
– Agreed-upon methodology to assess priorities (BIA, RA, ERM)
– Consistency and agreement in identification of risks
– Focus upon high probability / high impact risk
– Types and classification – Information, Systems, & People
37. Information & Information System Users (Internal & External) – Categories and Types?
• What type of information, on which systems, is being accessed by which users?
– Public, administrative, sensitive, confidential
– Internal: Administrative, Managerial, Informational
– External: General Public or Specific Target group
• What level of access and authorization to the information is being provided to those types of users?
• Is the risk being managed with effective controls?
• People who use or interact with the Information include:
– Share Holders / Owners / Management
– Employees & Business Partners
– Service providers / Contractors / Customers / Clients
– Regulators, etc.
39. Control Objectives for Information and related Technology (COBIT)
• Developed by the ITGI (Current v4.1 / 5.0)
– https://www.isaca.org/
• Value of IT, Risk, and Control
• Links IT service delivery to business requirements (already defined, right?)
• A lifecycle; constantly adapting, improving, re-adapting
• Four Responsibility Domains:
– Plan and Organize (PO)
– Acquire and Implement (AI)
– Deliver and Support (DS)
– Monitor and Evaluate (ME)
• Make a grocery list of needs and then go shopping
41. Audit Controls Definition
Audit Controls & Assessment
• Provides a roadmap to the auditor on which areas to focus audit steps (assess controls)
– Preventive: controls to stop the problem from occurring
– Detective: controls to find the problem
– Corrective: controls to repair the problem after detection
– Administrative: policies, standards, guidelines, & procedures
– Technical: controls using hardware or software for processing & analysis
– Physical: controls to implement barriers or deterrents
• Based upon industry standards, requirements, & practices
• Build a list of high-level objectives and outcomes to address risks associated with the audited entity
42. Capability Maturity Model Integration (CMMI)
– Variants of the CMMI: CMM & ISO 15504
– Identifies WHERE you are in the application of IT risk mitigation controls and HOW to get to the next level
– Levels of Application
• Level 0: No Recognizable Process, though one is needed
• Level 1: Process is Ad-hoc and performed by key individuals
• Level 2: Process is Repeatable, but not controlled
• Level 3: Process is Defined & Documented and periodically Evaluated
• Level 4: Managed & Measurable; effective Internal Controls with Risk Management
• Level 5: Optimized enterprise-wide risk and control program
43. Engagement: Application of Standards
• Assessment Standards & Identification
– Create assessment program (pre-engagement)
• Identify risk & criteria
• Identify audit resources, skill sets, & personnel
• Develop information requirements for requests
– Share expectations and objectives with institution
• Gather Information / Evidence
– Assess Controls: Strengths / Weaknesses (during engagement) [validate assurance or identify vulnerabilities / exploitation]
– Calculate Level of Control criteria being applied (CMMI)
• Analysis to Determine if Compliant with Standards
• Document Variances or Exceptions / Issues [potential issues]
• Report Per Charter Requirements (Ratings)
45. Example: Controls Mapping
11/12/2011 Framework for Information & System Security
46. IAM Example: Entity to be Assessed for Risk
• IAM: Identity and Access Control Management
– Identity Management: the management of user credentials and the means by which users might log onto and use various systems or resources, e.g., the provisioning and de-provisioning of student, faculty, staff, and outside agency identities
– Access Control: the mechanisms in place to permit or deny the use of a particular resource by a particular entity, e.g., technical or administrative controls to allow or deny access to file shares
47. Users Involved in Business Functions and Types of Information and Systems? (Provisioning of High Risk or Critical Information)
• Business Functional responsibility for assigning “Rights & Permissions” to various roles within the organization
– Business Owner: Responsible for the provisioning and delegation of the processes or functions and associated privileges, e.g., Payroll, Finance, HR, etc.
– Trustees: Responsible to maintain the trust granted by the Business Owner, e.g., the “Worker Bees” in the associated departments that conduct day-to-day operations
– Stewards: Responsible to service and support the business function; typically provide a technical system or infrastructure to facilitate business needs, e.g., Information Technology Services, etc.
– Audience: For what, and for whom, is the use of the information intended?
– B2S versus B2B: Vertical and horizontal relationships (IT Governance)
• Types of Information (classification) per organization or agency
– Unrestricted / Public: No consequence; typically general information
– Sensitive: typically reflects legal or externally imposed constraints that require this restriction
– Confidential: highest level of restriction; applies to the risk or harm that may result from disclosure or inappropriate use, e.g., FERPA, HIPAA, etc.
• Types of Information Systems to support information exchange
– Infrastructure and architecture to support business-driven events
– Classification and type (comparable to the information being managed)
– Supply Chain Management (SCM), Enterprise Resource Planning (ERP), Customer Relationship Management (CRM), Business Intelligence (BI), basic communications, etc.
• Determine scope of assessment and entities (people, application systems, & information) to be assessed
48. Example Associated Key Process – Ecommerce, e.g., One Card System
• COBIT high-level framework for controls relating to Ecommerce systems
– Plan and Organize (PO): provides direction to solution delivery (AI) and service delivery (DS): PO1, PO4, PO5, PO6, PO8, PO9, PO10, and PO11
– Acquire and Implement (AI): provides the solutions and passes them to be turned into services: AI5 and AI4
– Deliver and Support (DS): receives the solutions and makes them usable for end users: DS1, DS5 and DS11
• Map the requirements to your preferred checklist, e.g., NIST or ISO
• Requirements for Ecommerce complement other processes
– Less work required for other system implementations
– No duplication of effort if requirements are properly addressed
• Identity Management applies to many other process requirements, e.g., Applications, Operating Systems, and Databases
49. Example: Identity and Access Control Management (IAM)
COBIT 4.1 DS5.3 Identity Management
• Ensure that all users (internal, external and temporary) and their activity on IT systems (business application, IT environment, system operations, development and maintenance) are uniquely identifiable. Enable user identities via authentication mechanisms.
• Confirm that user access rights to systems and data are in line with defined and documented business needs and that job requirements are attached to user identities.
• Ensure that user access rights are requested by user management, approved by system owners and implemented by the security-responsible person.
• Maintain user identities and access rights in a central repository.
• Deploy cost-effective technical and procedural measures, and keep them current to establish user identification, implement authentication and enforce access rights.
50. Example: Identity and Access Control Management (IAM)
Logical Didactic Approach – DS5.3 Identity Management (How it is Evaluated)
• Control over the IT process of Ensure systems security that satisfies the business requirement for IT of maintaining the integrity of information and processing infrastructure and minimizing the impact of security vulnerabilities and incidents
• By focusing on
– defining IT security policies, plans and procedures, and monitoring, detecting, reporting and resolving security vulnerabilities and incidents
• Is achieved by
– Understanding security requirements, vulnerabilities and threats
– Managing user identities and authorizations in a standardized manner
– Testing security regularly
• And is measured by
– Number of incidents damaging the organization's reputation with the public
– Number of systems where security requirements are not met
– Number of violations in segregation of duties
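As an added illustration (not part of the original deck) of how an auditor can turn the DS5.3 objectives on slide 49 and the segregation-of-duties metric on slide 50 into evidence tests, the Python below runs four checks over a constructed IAM export and access-request register. The role baseline, system-owner register, conflict pairs and sample accounts are all hypothetical.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    account_id: str
    owner: str              # named person; "" or "shared" means not uniquely identifiable
    job_role: str
    entitlements: frozenset


@dataclass(frozen=True)
class AccessRequest:
    account_id: str
    entitlement: str
    requested_by: str       # user management (the user's manager)
    approved_by: str        # must be the owner of the system granting the entitlement


# Hypothetical "documented business needs": entitlements permitted per job role.
ROLE_BASELINE = {
    "payroll_clerk": {"payroll_view", "payroll_edit"},
    "ap_clerk": {"vendor_create", "invoice_enter"},
    "finance_manager": {"payment_approve", "payroll_view"},
}
# Hypothetical system-owner register: who may approve each entitlement.
SYSTEM_OWNER = {
    "payroll_view": "hr_owner", "payroll_edit": "hr_owner",
    "vendor_create": "fin_owner", "invoice_enter": "fin_owner",
    "payment_approve": "fin_owner",
}
# Hypothetical segregation-of-duties conflicts: one identity may not hold both.
SOD_CONFLICTS = [("vendor_create", "payment_approve"), ("payroll_edit", "payment_approve")]


def unattributable_accounts(accounts):
    """DS5.3: every user must be uniquely identifiable; shared or ownerless accounts fail."""
    return sorted(a.account_id for a in accounts if a.owner.strip().lower() in ("", "shared"))


def unapproved_entitlements(accounts, requests):
    """DS5.3: rights must be requested by user management and approved by the system owner."""
    approved = {(r.account_id, r.entitlement) for r in requests
                if r.requested_by and r.approved_by == SYSTEM_OWNER.get(r.entitlement)}
    return sorted((a.account_id, e) for a in accounts for e in a.entitlements
                  if (a.account_id, e) not in approved)


def baseline_exceptions(accounts):
    """DS5.3: access rights must be in line with documented business needs (role baseline)."""
    return sorted((a.account_id, e) for a in accounts for e in a.entitlements
                  if e not in ROLE_BASELINE.get(a.job_role, set()))


def sod_violations(accounts):
    """Slide 50 metric: number of violations in segregation of duties."""
    return sorted((a.account_id, x, y) for a in accounts for x, y in SOD_CONFLICTS
                  if x in a.entitlements and y in a.entitlements)


def ds5_findings(accounts, requests):
    """Collect the evidence an auditor would report against DS5.3."""
    return {
        "unattributable": unattributable_accounts(accounts),
        "unapproved": unapproved_entitlements(accounts, requests),
        "outside_baseline": baseline_exceptions(accounts),
        "sod_violations": sod_violations(accounts),
    }


# Constructed sample IAM export and request register (not real institutional data).
SAMPLE_ACCOUNTS = [
    Account("jdoe", "Jane Doe", "payroll_clerk", frozenset({"payroll_view", "payroll_edit"})),
    Account("rroe", "Richard Roe", "ap_clerk",
            frozenset({"vendor_create", "invoice_enter", "payment_approve"})),
    Account("fin_generic", "shared", "finance_manager", frozenset({"payment_approve"})),
]
SAMPLE_REQUESTS = [
    AccessRequest("jdoe", "payroll_view", "mgr_hr", "hr_owner"),
    AccessRequest("jdoe", "payroll_edit", "mgr_hr", "hr_owner"),
    AccessRequest("rroe", "vendor_create", "mgr_ap", "fin_owner"),
    AccessRequest("rroe", "invoice_enter", "mgr_ap", "fin_owner"),
    AccessRequest("rroe", "payment_approve", "mgr_ap", "mgr_ap"),     # approved by manager, not owner
    AccessRequest("fin_generic", "payment_approve", "", "fin_owner"),  # no requester recorded
]

if __name__ == "__main__":
    for check, items in ds5_findings(SAMPLE_ACCOUNTS, SAMPLE_REQUESTS).items():
        print(f"{check}: {len(items)} -> {items}")
```

Each list is the evidence for one DS5.3 statement; the counts feed the slide 50 metrics, and an empty result set for every check is what a level 3 "defined and periodically evaluated" process should be able to produce on demand.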
51. How to Measure Success? Maturity Model – CMMI DS5 Snapshot (Criteria)
DS5 Ensure Systems Security – Management of the process of Ensure systems security that satisfies the business requirements for IT of maintaining the integrity of information and processing infrastructure and minimizing the impact of security vulnerabilities and incidents is:
• 0 Non-existent when The organization does not recognize the need for IT security. Responsibilities and accountabilities are not assigned … There is a complete lack of a recognizable system security administration process.
• 1 Initial/Ad Hoc when The organization recognizes the need for IT security. Awareness of the need for security depends primarily on the individual. IT security is addressed on a reactive basis. IT security is not measured. Detected IT security breaches invoke finger-pointing responses, … to IT security breaches are unpredictable.
• 2 Repeatable but Intuitive when Responsibilities and accountabilities for IT security are assigned to an IT security …, although the management authority ... Awareness of the need for security is fragmented and limited. Although security-relevant information …, it is not analyzed. IT security is seen primarily as the responsibility and domain of IT and the business does not see IT security as within its domain.
• 3 Defined when Security awareness exists and is promoted by management. IT security procedures are defined and aligned with IT security policy. Responsibilities for IT security are assigned and understood, but not consistently enforced. An IT security plan and security solutions exist as driven by risk analysis. Reporting on security does not contain a clear business focus. Ad hoc security testing (e.g., intrusion testing) is performed. Security training is available for IT and the business, but is only informally scheduled and managed.
• 4 Managed and Measurable when Responsibilities for IT security are clearly assigned, managed and enforced. IT security risk and impact analysis is consistently performed. Security policies and procedures are completed with specific security baselines. .... User identification, authentication and authorization are standardized. Security certification is pursued for staff members ... . Security testing is completed using standard and formalized processes, leading to improvements of security levels. …. IT security reporting is linked to business objectives. IT security training is conducted …. IT security training is planned and managed in a manner that responds to business needs and defined security risk profiles. Goals and metrics for security management have been defined but are not yet measured.
• 5 Optimized when IT security is a joint responsibility of business and IT management and is integrated with corporate security business objectives. IT security requirements are clearly defined, optimized and included in an approved security plan. Users and customers are increasingly accountable for defining security requirements, and security functions are integrated with applications at the design stage. Security incidents are promptly addressed with formalized incident response procedures supported by automated tools. Periodic security assessments are conducted to evaluate the effectiveness of the implementation of the security plan. Information on threats and vulnerabilities is systematically collected and analyzed. Adequate controls to mitigate risks are promptly communicated ….
52. COBIT 4.01 Standards to NIST Mapping – Integration with other Standards (Alignment of IT Controls to Mitigate Risk)
53. NIST 800-53, Revision 1 Standards – Terminology and Application
54. Audit Program Development Life-Cycle
55. COBIT Mappings
Others besides NIST are currently posted at www.isaca.org/downloads:
• Aligning COBIT, ITIL and ISO 17799 for Business Benefit
• COBIT® Mapping: Mapping of CMMI for Development
• COBIT® Mapping: Mapping of ISO/IEC 17799:2000
• COBIT® Mapping: Mapping of ISO/IEC 17799:2005
• COBIT® Mapping: Mapping of ITIL
• COBIT® Mapping: Mapping of PMBOK
• COBIT® Mapping: Mapping of PRINCE2
• COBIT® Mapping: Mapping of SEI’s CMM for Software
• COBIT® Mapping: Mapping of TOGAF 8.1
• COBIT® Mapping: Overview of International IT Guidance