The Role of IT Governance in Securing and Protecting Information and in Achieving the Organization's Objectives through International Standards (COBIT and ISO 27001/2)
Nader Qahoush, CISA, CISM, CGEIT
Head of the Information & Related Technology Supervision Division at the Central Bank of Jordan (CBJ); has worked at the CBJ since 1995
Consultant to the CBJ in the field of information security governance since 2004
Information Systems Audit and Control Association (ISACA - USA) member since 2003
Member of the information security task force of Jordan since 2007
E-government Committee member for the CBJ
Instructor and consultant in the fields of Certified Information Systems Auditor (CISA), operational risk management, e-banking, examination and IT governance, since 2005, in Jordan, Kuwait, Syria, Libya and Sudan
CISA since 2004
Certified in the Governance of Enterprise IT (CGEIT) since 2009
Certified Information Security Manager (CISM) since 2010
Master's degree in Economics, 1998, University of Jordan
Bachelor's degree in Economics, Banking and Finance, 1995, Yarmouk University, Jordan, ranked first with honours
Author of the Arabic-language book "Internet Banking", published in 2001
Best employee of the CBJ for the years 2006, 2007 and 2010
E-mail: [email protected] Cell: 00962777396981
Nader Qahoush, CISA,CISM,CGEIT 2 Control Risks Consultants
Gartner annual CIO survey
IT governance and associated issues have been reported as a top 10 CIO management problem area for at least the past five years.
To better understand the problems, in 2005 Gartner surveyed a cross section of U.S. CIOs at large multi-business-unit enterprises to determine:
1) When CIOs use the term "IT governance," what specifically do they mean?
2) What problems are CIOs experiencing within that definition?
3) What are CIOs doing to address these problems?
The results were:
1) IT governance covers a broad, but not clearly defined, set of management processes that are aimed at ensuring the effective use of IT within the enterprise.
2) The major problem experienced by CIOs is lack of involvement and engagement by business management.
3) No focused or consistent set of actions was being employed to address these issues.
Are we doing the right things?
Are we doing them the right way?
Is it being done well?
Are we getting the benefits?
Board members: what about IT?
IT governance is the responsibility of the board of directors and consists of the leadership, organizational structures and processes that ensure that IT sustains and extends the entity's strategies and objectives.
Duty of the board:
Cascading strategy and goals
Organizational alignment
A control framework
Balanced business scorecard
How should management react?
How is corporate governance being addressed?
Are regulatory corporate governance rules being followed?
Is IT governance considered at the board level?
What should auditors consider?
Business drivers for the use of IT best practices
Business managers and boards demanding better returns from IT investments, i.e., that IT delivers what the business needs to enhance stakeholder value
Concern over the generally increasing level of IT expenditure
The need to meet regulatory requirements for IT controls
The selection of service providers and the management of service outsourcing and acquisition
Business drivers for the use of IT best practices (cont.)
Increasingly complex IT-related risks, such as network security
IT governance initiatives that include adoption of control frameworks and best practices to help monitor and improve critical IT activities, to increase business value and reduce business risk
The need to optimize costs by following, where possible, standardized rather than specially developed approaches
The growing maturity and consequent acceptance of well-regarded frameworks, such as ITIL, COBIT, ISO 17799, ISO 9002 and the Capability Maturity Model (CMM)
The need for organizations to assess how they are performing against generally accepted standards and against their peers (benchmarking)
Why are best practices important?
Avoiding re-inventing wheels
Reducing dependency on technology experts
Increasing the potential to utilize less-experienced staff if properly trained
Making it easier to leverage external assistance
Overcoming vertical silos and nonconforming behavior
Reducing risks and errors
Improving quality
Improving the ability to manage and monitor
Increasing standardization leading to cost reduction
Improving trust and confidence from management and partners
Creating respect from regulators and other external reviewers
Safeguarding and proving value
IT Governance Framework (diagram): stakeholder value drivers at the centre, surrounded by the focus areas Strategic Alignment, IT Value Delivery, Risk Management and Performance Measurement.
Information security governance
Within IT governance, information security governance should become a focused activity, addressing:
Confidentiality
Integrity
Availability
Information security policy
Information security management (ISO 27001/2) addresses:
Confidentiality
Integrity
Availability
Compliance
Roles and responsibilities in information security governance
Board of Directors / Senior Management: approving policy, monitoring and reporting analysis
Executive Management: implementation of security governance
Steering Committee: ensuring alignment of the security program with the business objectives
Chief Information Security Officer
COBIT vs. ISO 27001/2
COBIT can be used at the highest level of IT governance, providing an overall control framework based on an IT process model that is intended by ITGI to generically suit every organization. There is also a need for detailed, standardized practitioner processes. Specific practices and standards, such as ISO 27001/2, cover specific areas and can be mapped to the COBIT framework, thus providing a hierarchy of guidance materials.
How best to implement COBIT and ISO 27001
Tailoring
Prioritizing
Planning
Avoiding Pitfalls
Aligning Best Practices
IT Governance Global Status - 2008
References
1. CISA Review Manual 2012, ISACA, http://www.ISACA.org
2. COBIT 4.1, ISACA
3. ISO 27001/2
4. IT Governance Global Status Survey, 2008
Thank you
CRC-JO