IT Policies, Standards and Technical Directives
Sarah Cortes, PMP, CISA
www.inmantechnologyIT.com
Sarah’s blog: SecurityWatch
Sarah’s ITtechEx column
twitter: SecuritySpy
LinkedIn: Sarah Cortes

07/19/09        Copyright 2009 Sarah Cortes               1
Agenda

  • Who are we?
  • Purpose?
  • Standards Frameworks
  • COBIT Framework
  • ISACA Framework
  • Case Study

Sarah Cortes, PMP, CISA

  Clients:
    • Harvard University
    • Biogen
    • Fidelity

  Professional Associations:
    • Sarah is a member of the AIM Advisory Board on Data Privacy Laws to the Massachusetts Legislature

  Practice expertise:
    • Complex Application Development/Implementation
    • IT Security/Privacy/Risk Management/Audit Management
    • Data Center Operations Management
    • Disaster Recovery/High Availability
    • Program/Project Management

  Background:
    • SVP in charge of Security, DR, IT Audit, and some Data Center Operations at Putnam Investments
    • As head of DR, ran Putnam's failover during 9/11 when parent Marsh McLennan failed over to our facility from the World Trade Center 99th floor data center
    • Coordinated over 65 audits per year
    • Previously ran major applications development for Trading/Analytics Systems


Standards Overview

  ISO/IEC 27000 - International Organization for Standardization / International Electrotechnical Commission

  ITIL - Information Technology Infrastructure Library

  NIST - National Institute of Standards and Technology

  PMBOK - Project Management Body of Knowledge

  TOGAF - The Open Group Architecture Framework

  CMMI for Development - Capability Maturity Model Integration
    SEI’s CMM (Capability Maturity Model) for SW, (US DoD) Software Engineering Institute

  COBIT - Control Objectives for Information & related Technology
    Information Systems Audit and Control Association
Is the Purpose to…?

  • Drive you crazy?

  • Waste your precious resources in a pointless task that will soon be out of date?

  • Serve as evidence to be used against you later?
Could policies help…?

  • Save you after you have already gotten into trouble?

  • Attempt, however lamely, to keep you out of trouble

  • Prove that, however obvious the trouble is, it is not your fault
                      Calling in the Experts




Did you know…?

  • Seven out of ten attacks are from…




You may be wondering…

  • Why develop and document IT policies, standards and technical directives?

  • Is it really worth it? What’s in it for me?

  • Who will pay for the resources thusly diverted?
COBIT Control Objectives - Overview

  • PLAN AND ORGANISE - 10
  • ACQUIRE AND IMPLEMENT - 7
  • DELIVER AND SUPPORT - 13
  • MONITOR AND EVALUATE - 4
  • Total - 34
COBIT Control Objectives - PLAN AND ORGANISE

  • PO1 Define a Strategic IT Plan
  • PO2 Define the Information Architecture
  • PO3 Determine Technological Direction
  • PO4 Define the IT Processes, Organization and Relationships
  • PO5 Manage the IT Investment
  • PO6 Communicate Management Aims and Direction
  • PO7 Manage IT Human Resources
  • PO8 Manage Quality
  • PO9 Assess and Manage IT Risks
  • PO10 Manage Projects
COBIT Control Objectives - ACQUIRE AND IMPLEMENT

  • AI1 Identify Automated Solutions
  • AI2 Acquire and Maintain Application Software
  • AI3 Acquire and Maintain Technology Infrastructure
  • AI4 Enable Operation and Use
  • AI5 Procure IT Resources
  • AI6 Manage Changes
  • AI7 Install and Accredit Solutions and Changes




COBIT Control Objectives - DELIVER AND SUPPORT

  • DS1 Define and Manage Service Levels
  • DS2 Manage Third-party Services
  • DS3 Manage Performance and Capacity
  • DS4 Ensure Continuous Service
  • DS5 Ensure Systems Security
  • DS6 Identify and Allocate Costs
  • DS7 Educate and Train Users
  • DS8 Manage Service Desk and Incidents
  • DS9 Manage the Configuration
  • DS10 Manage Problems
  • DS11 Manage Data
  • DS12 Manage the Physical Environment
  • DS13 Manage Operations
 07/19/09           Copyright 2009                     13
IT Policies, Standards and Technical Directives
COBIT Control Objectives - MONITOR AND EVALUATE

  • ME1 Monitor and Evaluate IT Performance
  • ME2 Monitor and Evaluate Internal Control
  • ME3 Ensure Regulatory Compliance
  • ME4 Provide IT Governance




COBIT Control Objectives - DS5 Ensure Systems Security

  • DS5.1 Management of IT Security
  • DS5.2 IT Security Plan
  • DS5.3 Identity Management
  • DS5.4 User Account Management
  • DS5.5 Security Testing, Surveillance and Monitoring
  • DS5.6 Security Incident Definition
  • DS5.7 Protection of Security Technology
  • DS5.8 Cryptographic Key Management
  • DS5.9 Malicious SW Prevention, Detection, Correction
  • DS5.10 Network Security
  • DS5.11 Exchange of Sensitive Data
ISACA Standards, Guidelines & Procedures

  IS Guideline: G18 IT Governance
  IS Guideline: G20 Reporting
  IS Guideline: G21 Enterprise Resource Planning (ERP) Systems
  IS Guideline: G22 Business to Consumer (B2C) E-commerce
  IS Guideline: G23 System Development Life Cycle (SDLC)
  IS Guideline: G24 Internet Banking
  IS Guideline: G25 Review of Virtual Private Networks
  IS Guideline: G26 Business Process Reengineering (BPR) Project
  IS Guideline: G27 Mobile Computing
  IS Guideline: G28 Computer Forensics
  IS Guideline: G29 Post Implementation Review
  IS Guideline: G30 Competence
  IS Guideline: G31 Privacy
  IS Guideline: G32 Business Continuity Plan (BCP) - IT Perspective
  IS Guideline: G33 General Considerations on the Use of Internet
  IS Guideline: G34 Responsibility, Authority and Accountability
  IS Guideline: G35 Follow-up Activities
ISACA Standards, Guidelines & Procedures

  IS Guideline: G36 Biometric Controls
  IS Guideline: G38 Access Controls
  IS Guideline: G39 IT Organization
  IS Guideline: G40 Review of Security Management Practices
  IS Procedure: P01 IS Risk Assessment Measurement
  IS Procedure: P02 Digital Signatures
  IS Procedure: P03 Intrusion Detection
  IS Procedure: P04 Viruses and Other Malicious Logic
  IS Procedure: P05 Control Risk Self-assessment
  IS Procedure: P06 Firewalls
  IS Procedure: P07 Irregularities and Illegal Acts
  IS Procedure: P08 Security - Pen Testing/Vulnerability Analysis
  IS Procedure: P09 Mgt Controls Over Encryption Methodologies
  IS Procedure: P10 Business Application Change Control
  IS Procedure: P11 Electronic Funds Transfer (EFT)


Company A Process

  • Over 50 subsidiaries
  • Over 30,000 employees worldwide
  • Over 12,000 employees in Boston area
  • Over 250 IT Policy categories
  • Over 500 Technical directives
  • Periodic Advisory Board Review process


Company A Issues

  • Who, specifically by name, is responsible for ensuring policies & standards are applied? (designated scapegoat)

  • Need to break down policy categories into specific policy elements (1 policy becomes 100 policies)

  • A policy begets formal training and training recordkeeping (applications unto themselves)

Company A Issues

  • “Required,” “Recommended,” or “Highly Recommended?” (the shell game)

  • Need to self-assess at the policy element level (a/k/a your new full-time job)




TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 

Kürzlich hochgeladen (20)

Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 

COBIT and IT Policy Presentation

  • 1. IT Policies, Standards and Technical Directives
       Sarah Cortes, PMP, CISA
       www.inmantechnologyIT.com
       Sarah’s blog: SecurityWatch
       Sarah’s ITtechEx column
       twitter: SecuritySpy
       LinkedIn: Sarah Cortes
       07/19/09 Copyright 2009 Sarah Cortes 1
  • 2. Agenda
       • Who are we?
       • Purpose?
       • Standards Frameworks
       • COBIT Framework
       • ISACA Framework
       • Case Study
  • 3. Sarah Cortes, PMP, CISA
       • Clients:
          • Harvard University
          • Biogen
          • Fidelity
       • Professional Associations:
          • Sarah is a member of the AIM Advisory Board on Data Privacy Laws to the Massachusetts Legislature
       • Practice expertise
          • Complex Application Development/Implementation
          • IT Security/Privacy/Risk Management/Audit Management
          • Data Center Operations Management
          • Disaster Recovery/High Availability
          • Program/Project Management
       • Background
          • SVP in charge of Security, DR, IT Audit, and some Data Center Operations at Putnam Investments
          • As head of DR, ran Putnam's failover during 9/11 when parent Marsh McLennan failed over to our facility from the World Trade Center 99th floor data center
          • Coordinated over 65 audits per year
          • Previously ran major applications development for Trading/Analytics Systems
  • 4. Standards Overview
       • ISO/IEC 27000 - International Organization for Standardization/International Electrotechnical Commission
       • ITIL – Information Technology Infrastructure Library
       • NIST - National Institute of Standards and Technology
       • PMBOK – Project Management Body of Knowledge
       • TOGAF - The Open Group Architecture Framework
       • CMMI for Development - Capability Maturity Model Integration
       • SEI’s CMM (Capability Maturity Model) for SW
          • (US DoD) Software Engineering Institute
       • COBIT - Control Objectives for Information & related Technology
          • Information Systems Audit and Control Association
  • 5. Is the Purpose to…?
       • Drive you crazy?
       • Waste your precious resources in a pointless task that will soon be out of date?
       • Serve as evidence to be used against you later?
  • 6. Could policies help….?
       • Save you after you have already gotten into trouble?
       • Attempt, however lamely, to keep you out of trouble
       • Prove that, however obvious the trouble is, it is not your fault
  • 7. Calling in the Experts
  • 8. Did you know….?
       • Seven out of ten attacks are from…
  • 9. You may be wondering…
       • Why develop and document IT policies, standards and technical directives?
       • Is it really worth it? What’s in it for me?
       • Who will pay for the resources thusly diverted?
  • 10. COBIT Control Objectives - Overview
       • PLAN AND ORGANISE - 10
       • ACQUIRE AND IMPLEMENT - 7
       • DELIVER AND SUPPORT - 13
       • MONITOR AND EVALUATE – 4
       • Total - 34
  • 11. COBIT Control Objectives - PLAN AND ORGANISE
       • PO1 Define a Strategic IT Plan
       • PO2 Define the Information Architecture
       • PO3 Determine Technological Direction
       • PO4 Define the IT Processes, Organization and Relationships
       • PO5 Manage the IT Investment
       • PO6 Communicate Management Aims and Direction
       • PO7 Manage IT Human Resources
       • PO8 Manage Quality
       • PO9 Assess and Manage IT Risks
       • PO10 Manage Projects
  • 12. COBIT Control Objectives - ACQUIRE AND IMPLEMENT
       • AI1 Identify Automated Solutions
       • AI2 Acquire and Maintain Application Software
       • AI3 Acquire and Maintain Technology Infrastructure
       • AI4 Enable Operation and Use
       • AI5 Procure IT Resources
       • AI6 Manage Changes
       • AI7 Install and Accredit Solutions and Changes
  • 13. COBIT Control Objectives - DELIVER AND SUPPORT
       • DS1 Define and Manage Service Levels
       • DS2 Manage Third-party Services
       • DS3 Manage Performance and Capacity
       • DS4 Ensure Continuous Service
       • DS5 Ensure Systems Security
       • DS6 Identify and Allocate Costs
       • DS7 Educate and Train Users
       • DS8 Manage Service Desk and Incidents
       • DS9 Manage the Configuration
       • DS10 Manage Problems
       • DS11 Manage Data
       • DS12 Manage the Physical Environment
       • DS13 Manage Operations
  • 14. COBIT Control Objectives – MONITOR AND EVALUATE
       • ME1 Monitor and Evaluate IT Performance
       • ME2 Monitor and Evaluate Internal Control
       • ME3 Ensure Regulatory Compliance
       • ME4 Provide IT Governance
  • 15. COBIT Control Objectives – DS5 Ensure Systems Security
       • DS5.1 Management of IT Security
       • DS5.2 IT Security Plan
       • DS5.3 Identity Management
       • DS5.4 User Account Management
       • DS5.5 Security Testing, Surveillance and Monitoring
       • DS5.6 Security Incident Definition
       • DS5.7 Protection of Security Technology
       • DS5.8 Cryptographic Key Management
       • DS5.9 Malicious SW Prevention, Detection, Correction
       • DS5.10 Network Security
       • DS5.11 Exchange of Sensitive Data
  • 16. ISACA Standards, Guidelines & Procedures
       • IS Guideline: G18 IT Governance
       • IS Guideline: G20 Reporting
       • IS Guideline: G21 Enterprise Resource Planning (ERP) Systems
       • IS Guideline: G22 Business to Consumer (B2C) E-commerce
       • IS Guideline: G23 System Development Life Cycle (SDLC)
       • IS Guideline: G24 Internet Banking
       • IS Guideline: G25 Review of Virtual Private Networks
       • IS Guideline: G26 Business Process Reengineering (BPR) Project
       • IS Guideline: G27 Mobile Computing
       • IS Guideline: G28 Computer Forensics
       • IS Guideline: G29 Post Implementation Review
       • IS Guideline: G30 Competence
       • IS Guideline: G31 Privacy
       • IS Guideline: G32 Business Continuity Plan (BCP)-IT Perspective
       • IS Guideline: G33 General Considerations on the Use of Internet
       • IS Guideline: G34 Responsibility, Authority and Accountability
       • IS Guideline: G35 Follow-up Activities
  • 17. ISACA Standards, Guidelines & Procedures
       • IS Guideline: G36 Biometric Controls
       • IS Guideline: G38 Access Controls
       • IS Guideline: G39 IT Organization
       • IS Guideline: G40 Review of Security Management Practices
       • IS Procedure: P01 IS Risk Assessment Measurement
       • IS Procedure: P02 Digital Signatures
       • IS Procedure: P03 Intrusion Detection
       • IS Procedure: P04 Viruses and Other Malicious Logic
       • IS Procedure: P05 Control Risk Self-assessment
       • IS Procedure: P06 Firewalls
       • IS Procedure: P07 Irregularities and Illegal Acts
       • IS Procedure: P08 Security-Pen Testing/Vulnerability Analysis
       • IS Procedure: P09 Mgt Controls Over Encryption Methodologies
       • IS Procedure: P10 Business Application Change Control
       • IS Procedure: P11 Electronic Funds Transfer (EFT)
  • 18. Company A Process
       • Over 50 subsidiaries
       • Over 30,000 employees worldwide
       • Over 12,000 employees in Boston area
       • Over 250 IT Policy categories
       • Over 500 Technical directives
       • Periodic Advisory Board Review process
  • 19. Company A Issues
       • Who, specifically by name, is responsible for ensuring policies & standards are applied? (designated scapegoat)
       • Need to break down policy categories into specific policy elements (1 policy becomes 100 policies)
       • A policy begets formal training and training recordkeeping (applications unto themselves)
  • 20. Company A Issues
       • “Required,” “Recommended,” or “Highly Recommended?” (the shell game)
       • Need to self-assess at the policy element level (a/k/a your new full-time job)