Auditing Information Systems - an MSc Course, Part I
Obuda University, John von Neumann Faculty of Informatics, Institute of Applied Informatics
Dr. Univ. Katalin Szenes CISA, CISM, CGEIT, CISSP, PhD, honorary associate professor
[email protected] http://users.nik.uni-obuda.hu/szenes/
Disclaimer

The following represents my personal opinion on / interpretation of the subject. Some results of my research are also included, of course, in a marked way. Neither ISACA nor ITGI, NIST, nor the other professional organizations quoted here are liable for the following or would be bound in any way by its contents.

Note 1: the English formulation does not always follow the original either.
The comments where subjectivity is to be emphasized are denoted by "comment" or [ ].
Note 2: the bilinguality, where it is present, is to support the related vocabulary of the Hungarian students.

Szenes
goal of education
o I hope to contribute to the operational excellence of the firms where our students work
o the goal is to support IT staff in encountering IS audit / auditors
  o IT is regularly audited both in the government and in the business sector,
  o every member of the IT staff, even the developers of either data processing applications or embedded systems, has to be prepared to work with auditors, who check whether their results support governance, business continuity planning, and other aspects of IT security
  o from the viewpoint of supporting the strategic goals of the institution, complying both with the national laws and the EU directives
  o and ?
TOC - contents, PART I
o the sources of these slides; designations for auditors and security experts: ISACA, ISC2 designations
o one of the most important sources of these slides: COBIT
o COSO, one of the predecessors
o classifying the problems to be handled:
  o an ISACA asset classification
  o another classification: according to the characteristics of the problem and / or according to the excellence criteria
  → problem solving, using: ISACA asset classification & characteristics of the problem !!
TOC - contents
o examples for the problems to be handled, 2015:
  o a typical problem in 2015: the Android mobile
  o social hacking: starting from a LinkedIn invitation - 2015
  o a great fright: APT - what is this?
o some examples:
  o the earliest published attack on military research establishments: "The Cuckoo's Egg"
  o Moonlight Maze
  o NASA: National Aeronautics and Space Administration
  o Titan Rain
  o Sykipot
  o Operation Aurora
  o ! etc. !
TOC - contents, REMEDIES?
o the needs - solution: governance
o a usable governance definition - from my practice
o corporate governance / IT governance
o a usable operational security definition
o governance goals ↔ information security - IT audit methods; consequences of this approach
o governance ↔ operational security
TOC - contents
o contributing to the solution - overview only
  supporting the fulfillment of the strategic goals: what / how and their dimensions
  o suggested "subgoals": excellence criteria
    o operational excellence criteria: effectivity, efficiency, compliance, reliability, risk management excellence, functionality, order
    o asset handling excellence criteria: availability, integrity, confidentiality
  o operational objective
TOC - contents
o contributing to the solution - overview only, cont'd
  o 3 pillars of operation:
    {pillars} = domain & range of those activities & objectives that contribute to the strategic goals (e.g. to the excellence criteria)
    → organizational, technical, regulational
    → detective - preventive - corrective
  o IT architectural infrastructure elements
  o operational activity - and its useful attributes
TOC - contents
the "to do" details according to the best practice of ISACA and others; my list: "to do" details
transparent governance
o corporate governance - OECD
o corporate governance in COBIT
o IT governance in COBIT
o relation of risk - value - IT governance in the CISA study materials
o COBIT 4.1 - COSO / Internal Control - Integrated Framework
o stakeholders' role in IT governance
o advantages of IT governance
o problems with IT governance
o documents relating to IT governance
TOC - contents
o the predecessors of my excellence criteria: special goals - "evaluative" goals
  o COBIT → COBIT 4.1 (1998 - 2007) information criteria
  o COBIT 5 - ? the metrics
  o ISO requirements
  o the important characteristics of [corporate operations] in COSO
  o the information [quality] criteria in COSO
  o COBIT information [quality] criteria 1998 → 2007: COBIT → COBIT 4.1
TOC - contents
o basic audit notions
  o control objective - COBIT / my own / COSO
  o control measure / procedure - COBIT / my own / COSO
  o what kind of assurance is reasonable?
  o predecessors of my pillars ? resources (COBIT → COBIT 4.1) and enablers (COBIT 5)
  o example for control objectives and measures, and for the 3 kinds of "control" measures
TOC - contents
o on the history of the COBIT domains of IT activities
o the relationship of the 4 "old" COBIT domains
o the 5 new COBIT 5 processes - processes for governance of enterprise IT
o take care ! best practices are not omnipotent
end of PART I
TOC - contents, PART II
o risk
  o traditional definition
  o my new definition for risk
  o the factors that affect risk value
  o managing risk
  o inherent risk
o procedures concerning contracts
o auditing contracts - RFP
o IT governance in the ISACA Audit Standards Framework (S10)
TOC - contents
explanation of some basic notions using COBIT 4.1 - when the auditor is awakened at night ...
o COBIT 4.1 process owner
o COBIT roles and responsibilities
o segregation / separation of duties on the organizational hierarchy; tasks in the organizational basic pillar
o note on the subject Guideline - Policy - Procedural Rulebook
o authentication - authorization
o COBIT Policy, Plans and Procedures
TOC - contents
from ISACA CISA ® Review Course slides:
on the audit
o audit, information systems (IS) audit
o classification of audits
o [some] general audit procedures
o [some] procedures for testing & evaluating IS control [systems]; GAS
o [on the] phases of audit
TOC - contents
from ISACA CISA ® Review Course slides:
measuring the performance
o (possible) phases
o (some) considerations
special problems
o on the outsource - source: Az Informatikai biztonság kézikönyve (The Handbook of IT Security)
o data privacy
o laws, examples
Explanations
References
the sources of these slides; designations for auditors and security experts
www.isaca.org www.isc2.org www.coso.org
CISA - Certified Information Systems Auditor, CISM - Certified Information Security Manager, CGEIT - Certified in the Governance of Enterprise IT; designator: ISACA - Information Systems Audit and Control Association, USA
CISSP - Certified Information Systems Security Professional; designator: ISC2 - International Information Systems Security Certification Consortium, USA
another best practice: the ISO standards (1)
(1) and there are many more
other useful sources
o W3C - World Wide Web Consortium
o OASIS - Organization for the Advancement of Structured Information Standards - www.oasis-open.org; e-business guidelines, non-profit
o OWASP - Open Web Application Security Project - www.owasp.org; development of "secure"? - reliable? applications
one of the most important sources of these slides: COBIT
COBIT: Control OBjectives for Information and related Technology
the basic terms: control objectives + control measures
(at first this is the point where my personal experience will come in)
COSO, one of the predecessors - a source of some basics in the ISACA materials
o The Committee of Sponsoring Organisations of the Treadway Commission.
o COSO is a voluntary private-sector organisation that aims to contribute to improving the quality of financial reporting, by means of business ethics, effective internal control measures, and corporate governance methods.
o It was formed in 1985 to support the National Commission on Fraudulent Financial Reporting. This commission is often called, for short, the "Treadway Commission", after its first chairman, James C. Treadway, Jr.
o The Treadway Commission was formed on a private-sector initiative. It studies the characteristics of fraudulent financial reporting and, based on that, makes recommendations for listed companies, their auditors, the SEC and other regulatory bodies, and educational institutions as well.
COSO, one of the predecessors - organizations supporting COSO
further organizations supporting the Treadway Commission:
o the AICPA (American Institute of Certified Public Accountants),
o the AAA (American Accounting Association),
o the FEI (Financial Executives International),
o the IIA (Institute of Internal Auditors), and
o the IMA (Institute of Management Accountants).
source: Szenes Katalin: Az informatikai erőforrás-kihelyezés auditálási szempontjai (Auditing aspects of IT outsourcing), in: Az Informatikai biztonság kézikönyve (The Handbook of IT Security), Part I: 36th update, section 8.10, pp. 1-26 (26 pages), Verlag Dashöfer, Budapest, February 2010; Part II: 39th update, December 2010, section 8.10, pp. 27-158.
classifying the problems to be handled
o ways of classification
o viewpoints of classification
o ways of problem solving, or rather: ways of exploring and identifying the problems
classifying the problems to be handled - an ISACA asset classification
o physical assets
o financial assets
o intellectual assets
o information - see the COBIT resources till 4.1
o know-how (I would have put it under information)
o relationships
o reputation and brand value
subject for discussion / homework: what do we think about these viewpoints?
classifying the problems to be handled - classification according to the characteristics of the problem, e.g. according to the excellence criteria
o criteria characterizing excellent operations: effectivity, efficiency, compliance, reliability, strategy-driven goal & operational risk management excellence, functionality, order
o asset handling excellence criteria: availability, confidentiality, integrity
problem solving, using: ISACA asset classification & characteristics of the problem !!
o a possibility to design matrices for the research, for example:
  o rows: asset classifications
  o columns: asset handling excellence criteria
  o in the elements of the matrices: advice on the excellent operations
examples for the problems to be handled - a typical problem in 2015: the Android mobile
a GovCERT alarm notice (6th August, 2015)
o the operating system Android has a vulnerability that allows remote code execution → the attacker can take over control of the device
o the way of attack: a specially crafted MMS message
o homework:
  o for Hungarian students: http://tech.cert-hungary.hu/vulnerabilities/CH-12489 (Stagefright)
  o for foreigners: http://www.androidcentral.com/stagefright
Kormányzati Eseménykezelő Központ (Governmental Incident Handling Centre) GovCERT-Hungary, Tel: +36-1-336-4833, Fax: +36-1-336-4886, incident report (alarm report): [email protected]
examples for the problems to be handled / social hacking: starting from a LinkedIn invitation - 2015
"You could see them talking about where they were going and where they were in Afghanistan and Iraq ... some were uploading pictures with geolocation information, and we were able to see them," says Thomas Ryan, the mastermind behind the social network experiment and co-founder and managing partner of cyber operations and threat intelligence for Provide Security, who will present the findings later this month at Black Hat USA in his "Getting In Bed With Robin Sage" "Robin's Facebook profile was able to view coordinates information on where the troops were located. If she was a terrorist, you would know where different [troops'] locations were."
o http://www.darkreading.com/risk/robin-sage-profile-duped-militaryintelligence-it-security-pros-/d/d-id/1133926? 7/6/2010 06:21 PM, 14 July, 2015
great fright: APT - what is this?
old definition, taken from ISACA materials:
"an APT is an adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives using multiple attack vectors (e.g., cyber, physical and deception). These objectives typically include establishing and extending footholds within the IT infrastructure of the targeted organizations for purposes of exfiltrating information, undermining or impeding critical aspects of a mission, program, or organization; or positioning itself to carry out these objectives in the future."
National Institute of Standards and Technology (NIST), Computer Security Incident Handling Guide, Special Publication 800-61, USA, 2008, csrc.nist.gov/publications/PubsSPs.html
great fright: APT - what is this? cont'd
"The advanced persistent threat: (i) pursues its objectives repeatedly over an extended period of time; (ii) adapts to defenders' efforts to resist it; and (iii) is determined to maintain the level of interaction needed to execute its objectives."
National Institute of Standards and Technology (NIST), Computer Security Incident Handling Guide, Special Publication 800-61, USA, 2008, csrc.nist.gov/publications/PubsSPs.html
instead of this, what I found:
APT - what is this?
what I could find: advanced persistent threats = a long-term pattern of targeted, sophisticated attacks
NIST Special Publication 800-39, Managing Information Security Risk: Organization, Mission, and Information System View, Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology, Gaithersburg, MD 20899-8930, March 2011 (1st September, 2015)
examples / the earliest published attack on military research establishments: The Cuckoo's Egg
around 1980:
o origin: a West German hacker, Markus Hess, university student; he penetrated networked computers in California to steal secrets of the "Star Wars" program
o investigating a minor accounting discrepancy in the computer usage accounts, Stoll from Lawrence Berkeley National Laboratory noticed an intrusion from a West German university, coming across a satellite link
o Stoll made a trap with interesting details of a fictional Star Wars contract
o the West German authorities located the hacker; it turned out that he had been selling the stolen information to the Soviet KGB
o he was tried and found guilty of espionage in 1990 and sent to prison
Clifford Stoll, book: The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage, Doubleday, USA, 1989
optional homework: details
examples / Moonlight Maze
around 2000:
o a series of attacks, undetected for nearly two years
o presumed origin: Russia
o targets: government sites; systems at the Pentagon, NASA, the US Department of Energy; universities and research labs doing military research
o stealing tens of thousands of files: maps of military installations, troop configurations, military hardware designs
o loss: many millions of dollars - the Russian government denied any involvement
o the information was probably offered for sale to the highest bidder
optional homework: details
NASA - https://www.nasa.gov
NASA: National Aeronautics and Space Administration
o NASA's Vision: To reach for new heights and reveal the unknown so that what we do and learn wil
Topics: international space station, journey to Mars, Earth, technology, etc.
Note: sometimes hackers mix up NASA, NSA, NIST
examples / Titan Rain
2003:
o presumed origin: China - the Chinese government denied any involvement
o targets: US defense contractors: Lockheed Martin, Sandia National Laboratories, Redstone Arsenal; NASA
o novelty of this cyberespionage attack:
  o the level of deception
  o the use of multiple attack vectors (channels of attack): a combined, well-researched social engineering attack on targeted individuals; stealthy Trojan horse attacks; malware techniques bypassing contemporary security countermeasures
  → government secrecy → ?
o choosing targets from industry: aerospace, defense, energy, financial services, manufacturing, pharmaceutical
optional homework: details
examples / Sykipot
2006:
o spear-phishing emails with a malicious attachment, or a link to an infected web site
o zero-day exploits found later, and then:
→ targets: in the USA, in the UK: defense, computer sector, telecommunications, energy, chemicals, government
o collecting and stealing secrets and intellectual property: design, financial, manufacturing and strategic planning information
o servers mostly in China, belonging perhaps to an intelligence agency
optional homework: details
examples / Operation Aurora
2009:
o used a zero-day exploit to install a malicious Trojan horse, Hydraq
→ targets, according to McAfee: to gain access to and modify source code repositories
companies:
o ! in January 2010 Google disclosed the attacks, the others did not dare !
o Adobe, Juniper, ...
o banks, defense contractors, security vendors, oil and gas companies
o + Chinese human rights activists !
optional homework: details + collect more !
REMEDIES - kind of
the needs
what kind of rules and procedures do we need? to serve all of the stakeholders, to allocate rights and responsibilities, to support decision planning?
o a structure that supports the setting of the goals of the company
o means of attaining these goals
o means of avoiding / managing risks
o meanwhile monitoring performance
o etc.
solution: adequate governance
a usable corporate governance definition - from my practice
enterprise governance
o is the responsibility of the whole staff, top management included
o top management has to direct the company in the best possible way towards market success, taking every kind of environmental aspect into consideration as far, and in such a way, as it is in the interest of the enterprise, based on the strategy of the institution
o defining and maintaining this strategy belongs to the responsibility of the top management, while the staff is responsible for supporting the top management in these issues
notes to my corporate governance definition
o no hidden details are "involved"
o the double responsibility of the top management is very important: the strategy is actually the document on how they are to perform their work in the given inside and outside circumstances
o these circumstances have to be kept constantly under surveillance, and
o the results have to be taken into consideration
corporate governance / IT governance
IT governance (my definition)
o one of the necessary conditions of successful enterprise governance, by directing IT in such a way that it serves enterprise governance according to the intentions of the top management
o every member of the IT staff is responsible for it; the weight of their responsibility is directly proportional to their weight in the company hierarchy
o the top management of the company is responsible for the supervision of IT governance
a usable operational security definition
I define operational security as such an organizational, regulational, and technical system,
o to be established in a company,
o by the means of
  o identifying strategy-related operational objectives and operational activities,
  o and by contributing to the fulfillment of these objectives,
that
o satisfies the excellence criteria
o prioritized by the top management, or by their delegates in the business areas
o in a predictable, measurable, and scalable way
governance goals ↔ information security - IT audit methods: consequences of this approach
relying on the direct connection between governance goals and information security - IT audit methods, this mutual direct support yields:
o an effective and efficient support of enterprise strategy, by deriving concrete everyday improving goals and actions from strategic goals
o a possibility of tailoring and tuning the strategy based on a direct, operations-related feedback, provided by collecting those basic problems of institutional operations that are to be solved using information security methods
governance goals ↔ information security - IT audit methods: consequences of this approach
trivial example: customers' satisfaction, data confidentiality
o without customers there is no success in the market,
o success = an important goal of corporate strategy
→ customers' satisfaction = a strategic base for confidentiality; starting from security we got to the corporate strategic level
other way around: market success = a good reason why confidentiality has to be satisfied
o information security methods contribute to the achievement of strategic goals
o from strategic goals, information security tasks can be derived
governance ↔ operational security
o direction from security towards corporate governance: = improving the quality of corporate management by the means of information security / IT audit methods
o other way around: = serving security by governance = devising governance issues from security requirements
top management might accept security requirements as their own, if these requirements are derived from unquestionable governance requirements
contributing to the solution: supporting the fulfillment of the strategic goals - what / how and their dimensions
o the subgoals, contributing to the strategic goals
o the activities, contributing to the subgoals & strategic goals
o the scope of the activities, and the range of the activities
o their "components", a list of "more atomic" activities
o their material & human resources: executors; those who give the necessary permissions; those who acknowledge; supervisors, etc.
! all of these will come
suggested "subgoals": criteria of excellent governance
operational excellence criteria:
o effectivity,
o efficiency,
o compliance,
o reliability,
o risk management excellence,
o functionality,
o order
asset handling excellence criteria:
o availability,
o integrity,
o confidentiality
suggested "subgoals": criteria of excellent governance - operational excellence criteria
An operational activity is effective,
o if its result(s) comply with the pre-planned requirements that had been accepted by every relevant party.
An operational activity is efficient,
o if it is performed in a pre-planned, documented, and cost-effective way, concerning the optimal use of human and material resources, and the way of problem solving.
A company operates in a compliant way, or, shortly, the operations of a company comply with the compliance criterion,
o if it complies, in a documented way, with any requirement of those authorities that have authority to regulate any aspect of the activities of the company.
suggested "subgoals": criteria of excellent governance - operational excellence criteria
The operations of a company are reliable,
o if they are organized in such a way that they provide for the preliminarily agreed service(s) in such a manner that supports the work of the staff according to the best professional practice.
Risk management excellence
o a strategy-driven managing of risks
o that are related to a given goal, asset and effort
o the importance of the excellence criteria should always be evaluated by the top management / business delegates, with respect to each other ← there is no stand-alone risk
The functionality of the information system of a company is adequate, if
o it serves the staff in such a way that they can fulfill their job requirements in the best possible way.
suggested "subgoals": criteria of excellent governance - operational excellence criteria
The order is by definition adequate, if
o top management takes up the responsibility for the well-being of the institution:
  o for the determination of the strategy, aligning it to the market success,
  o for its continuous maintenance,
  o for ensuring that the company fulfills these strategic goals.
↓
o regulational: documentation, business continuity management planning, dynamic inventory, change / release management, procedural guidelines, ...
o organizational: education, separation of duties ← job / role descriptions, ...
o technical: support the enforcing of all these, e.g. access provision management for units / roles / tasks ...
o organizational + regulational: organized operational processes → e.g. organized application development, documentation throughout the lifecycle of every product, planned test process
operational excellence criteria: order
to the operational excellence criterion "order" belong:
• documentation
• separation (segregation) of duties
• access provision management for units / roles / tasks
• dynamic inventory management
• dynamic documentation & change management
• business continuity planning / IT business continuity planning
suggested "subgoals": criteria of excellent governance - asset handling excellence criteria
Confidential asset handling,
o handling confidentially every piece of information about the asset - those, and only those, have access to it who have a job to do with it.
The integrity of an asset is said to be preserved,
o if its handling or processing does not change it inadvertently.
Availability of an asset means that
o if it has a role in a given matter, then
o it is available to every employee who is competent in this matter,
o in a planned, predictable, and documented way, according to the preliminary agreements on its accessibility, which have to refer to every qualitative and quantitative prescription that is relevant in the matter.
a "general" suggested "subgoal": the operational objective
this is my generalization of the control objective, towards strategy !
my operational objectives contribute to the fulfillment of the strategic goals by improving operations; the excellence criteria are a special case of the operational objective
I define the operational objective
o as an objective of one or more operational area(s) or role(s) to be achieved, in order to contribute to the fulfillment of strategic goal(s) of the company.
the "distance of an operational objective from the strategy"
o is its degree of importance related to enterprise strategy,
o in other words, its importance in achieving it.
note - the real life: instead of evaluations of individual objects, always comparisons
important systems analysts' tool: distance - the strategic "importance" of an operational objective
pillars of operation
3 pillars of operation:
o organizational - technical - regulational
o detective - preventive - corrective
{pillars} = domain & range of the activities & objectives that contribute to strategic goals
suggested examples for strategic goals: the excellence criteria
→ the {pillars} = domain & range of the fulfillment of the excellence criteria
distance: the strategic "importance" of an operational pillar element
definition of the pillars of operation: through enumerating their elements
organizational pillar elements are:
o the whole organizational structure, and
o its parts, that is
  • the individual organizational units, together with
  • the "building parts" of these units, that is the roles that are assigned, as duties, to the employees working in the unit
o the members of the staff themselves (actually their job descriptions - except in personal security matters)
note:
o the descriptions of the assignments themselves, which are part of the job descriptions of the employees, belong to the regulational pillar
definition of the pillars of operation: through enumerating their elements
regulational pillar elements are:
o the procedural rulebooks themselves, which regulate the activities of the staff,
o both the intended and the undesigned relations of these rulebooks to each other
o this involves: the facilities to search for given terms or rules; the hierarchy of the rulebooks themselves, if any, with the contradictions embedded,
o the structure of the whole regulational system with the facilities of its handling
o a code of ethics defining the principles of staff behaviour
definition of the pillars of operation: through enumerating their elements
Technics covers
o all physical / infrastructural property assets that are necessary to perform operational activities,
o together with the technical conditions that determine their use.
Examples for technical elements are:
o the elements of the physical infrastructure, together with the buildings and other facilities,
o machines,
o actually the elements of the inventory belong here, together with their descriptive technical features,
o and the actual and best practice technical way of using them.
A special subset of the technical elements is the IT architecture of the institution.
IT architectural infrastructure elements
IT architectural infrastructure elements, or, shortly, IT infrastructural elements are:
o the computers themselves,
o their software (operating systems, utilities),
o the application systems serving the business processes,
o the database management systems,
o the network communication devices,
o the defense elements providing for the quality of the IT services
o actually every component of the IT infrastructure belongs here: even those that have some computer system embedded into them, like the ATMs of the financial institutions, or other kinds of customer serving tools.
The service quality, together with the non-IT type of operations, can be characterized by the so-called excellence criteria.
pillars of operation - "predecessors":
o COBIT → COBIT 4.1 (1998 - 2007): more or less the same, the so-called resources - see them later, at the traditional notions
o there is something in COBIT 5 which is similar to my pillars: the "enablers" (in Hungarian, let's say: alaptényezők?) - see them later, at the traditional notions
operational activity
I define the operational activity as such an action that
o contributes to the achievement of operational objective(s)
o operates on operational pillar element(s) as subjects.
Note:
o the subjects here are meant to be elements of any of the three pillars
o the range of an operational activity is also the union of the pillars, even if
o the goal of an operational activity is actually an operational objective
o special case: excellence criterion / criteria
o thus the possible contradiction of some of the excellence criteria has to be taken into consideration, too
useful attributes characterizing an operational activity

o the operational objective, or set of operational objectives, that is / are to be served by this activity
o the scope of the activity, the set of its so-called subjects, and
o the range of the activity (both scope and range in terms of pillars of operation),
o the pillar(s) where the expected result(s) belong
o a list of "atomic" activities comprising the operational activity
o the resources, either branches or roles (of course, different ones for each task), that are to provide for:
  o identification of the goals, then
  o the activities possibly contributing to its fulfillment,
  o those of the executors,
  o the acknowledgements of both the goal and the activity,
  o giving the necessary permissions,
  o the executors, and their
  o supervisors, etc.
the "to do" details according to the best practice

subjects:
o governance, IT governance
o special goals - "evaluative" goals
  the predecessors of my excellence criteria:
  ISO requirements / COBIT → COBIT 4.1 (1998 - 2007) information criteria
  COBIT 5 - ? the metrics
o "more general" goal: the control objective
o activity: operational measure, control measure
o domain of activity - similar to my pillars:
  COBIT → COBIT 4.1: ? resources
  COBIT 5 enablers (- are they similar?)
  ISACA risk management areas
governance
in the best professional practice
corporate governance - OECD

corporate governance - corporate wellness, market success, growth

OECD:
o → "ethical corporate behaviour by directors or others charged with governance in the creation and presentation of wealth for all stakeholders"
o "the distribution of rights and responsibilities
  o among different participants in the corporation, such as
  o board, managers, shareholders and other stakeholders
o and (it) spells out
  o the rules and procedures for making decisions on corporate affairs"
[quoted from: CRM]
corporate governance - OECD
OECD on public governance: “Good, effective public governance helps to strengthen democracy and human rights, promote economic prosperity and social cohesion, reduce poverty, enhance environmental protection and the sustainable use of natural resources, and deepen confidence in government and public administration.” (quoted from CRM: OECD website on Public Governance and Management)
corporate governance - OECD

o The Organisation for Economic Co-operation and Development (OECD) states: "Corporate governance involves a set of relationships between a company's management, its board, its shareholders and other stakeholders. Corporate governance also provides the structure through which the objectives of the company are set, and the means of attaining those objectives and monitoring performance are determined.
o Good corporate governance should provide proper incentives for the board and management to pursue objectives that are in the interests of the company and its shareholders and should facilitate effective monitoring." (OECD 2004, OECD Principles of Corporate Governance, p.11)
o With respect to public governance, the OECD states: "Good, effective public governance helps to strengthen democracy and human rights, promote economic prosperity and social cohesion, reduce poverty, enhance environmental protection and the sustainable use of natural resources, and deepen confidence in government and public administration." (OECD website on Public Governance and Management).
corporate governance in COBIT

COBIT 4.1: enterprise governance involves:
o the need for assurance about the value of IT
o the management of IT-related risks
o the increased requirements for control over information

COBIT 4.1 (Hungarian formulation, translated): corporate governance requires (among other things!):
o that we make sure IT delivers the necessary value
o the management of IT-related risks
o that we strive for increased supervision of information
IT governance in COBIT

COBIT 4.1 bases of IT governance:
o value
o risk
o control → this is not the control measure but more probably the control system!

the bases of IT governance (Hungarian formulation, translated):
o value
o risk
o control system → at least probably, and not control measure!
relation of risk - value - IT governance in the CISA study materials

Two issues of IT governance:
/1 IT delivers value to the business
   this is driven by: strategic alignment of IT with the business
/2 IT risks are managed
   this is driven by: embedding accountability into the enterprise

source: CISA® Review Course transparencies, ISACA
relation of risk - value - IT governance in the CISA study materials

best practice for IT governance - IT governance focus areas:
source of this exhibit is also: CISA® Review Course transparencies, ISACA
COBIT 4.1 / COSO / Internal Control - Integrated Framework

• Organisations should satisfy the quality, fiduciary and security requirements for their information, as for all assets.
• Management should also optimise the use of available IT resources, including applications, information, infrastructure and people.
• To discharge these responsibilities, as well as to achieve its objectives, management should understand the status of its enterprise architecture for IT and decide what governance and control [measures] it should provide.

***********
(Hungarian formulation, translated)
• Organisations have to fulfil the quality, fiduciary and security requirements for information just as for their other assets.
• Management has to optimise the use of all the available IT resources [COBIT:] applications, information, infrastructure, people.
• In order to meet this responsibility, and to achieve its [business, strategic] objectives, management has to understand the enterprise IT architecture and decide what governance and control possibilities it should expect from IT.
stakeholders' role in IT governance

IT governance implies a system where all stakeholders provide input into the decision making process:
o Board
o Internal customers
o Finance

source: CISA® Review Course transparencies, ISACA
advantages of IT governance

IT governance has become significant due to:
o Demands for better return from IT investments
o Increases in IT expenditures
o Regulatory requirements for IT controls - control √
o Selection of service providers and outsourcing
o Complexity of network security
o Adoption of control frameworks
o Benchmarking

source: CISA® Review Course transparencies, ISACA
homework: which control is meant here?
problems with IT governance

Indicators of potential problems include:
o Unfavorable end-user attitudes
o Excessive costs
o Budget overruns
o Late projects
o High staff turnover
o Inexperienced staff
o Frequent hardware/software errors

source: CISA® Review Course transparencies, ISACA
documents relating to IT governance

The following documents should be reviewed at least:
o IT strategies, plans and budgets
o Security policy documentation
o Organization/functional charts
o Job descriptions
o Steering committee reports
o System development and program change procedures
o Operations procedures
o Human resource manuals
o Quality assurance procedures

source: CISA® Review Course transparencies, ISACA
the predecessors of my operational ! excellence criteria:
the ! quality ! of the information in the best professional practice
Control Objective for Information Technology - information criteria:
o effectiveness - fitness for purpose, information that serves its purpose
o efficiency
o confidentiality
o integrity
o availability
o compliance - with external requirements
o reliability [of information]

ISO (first CCITT, then BSI, and then ISO):
o availability
o integrity
o confidentiality
COBIT information [quality] criteria
1998 → 2007: COBIT → COBIT 4.1

effectiveness: the information is
o relevant and pertinent to the business process
o delivered in a timely, correct, consistent and usable manner
(in Hungarian: megfelelés a célnak, célravezető - fitness for purpose, serving the purpose)
COBIT information [quality] criteria
1998 → 2007: COBIT → COBIT 4.1

efficiency: the provision of information through the optimal (most productive and economical) use of resources

(Hungarian formulation, translated) efficiency: It evaluates the further development of already existing systems in the sense of improvement. It requires that the resources for providing the information be used optimally, i.e. as productively and economically as possible. Thus it ensures that the cost / benefit considerations appropriate to the given case are satisfied. Making the decision whether the cost of the improvement is worth the result that the improving measure / procedure brings (or may bring) is the responsibility of the top management!
COBIT information [quality] criteria
1998 → 2007: COBIT → COBIT 4.1

confidentiality: the protection of sensitive information from unauthorised disclosure
access according to the roles - job descriptions

(Hungarian formulation, translated) confidentiality: examines whether the information considered sensitive for some reason is adequately protected against unauthorised access, whether intentional or accidental → the requirement of protection against external and internal attacks; everyone should have access exactly to what their job requires, i.e. what is necessary according to their role - their job description
COBIT information [quality] criteria
1998 → 2007: COBIT → COBIT 4.1

integrity:
o accuracy and completeness of information
o its validity in accordance with business values and expectations
it is frequently mixed up with: ...

(Hungarian formulation, translated) integrity: This information criterion requires of the institutions' IT systems, and indeed of information conveyed by any means, even by manual processing,
o accuracy,
o completeness,
o validity in accordance with business values and expectations.
This integrity also means that the data must not change during processing.
it is frequently mixed up with: ...
COBIT information [quality] criteria
1998 → 2007: COBIT → COBIT 4.1

availability:
o the information is available when required by the business process, now and in the future
o the safeguarding of necessary resources and
o associated capabilities.

(Hungarian formulation, translated) availability:
o whenever the business process needs the information, it is available - and will be
o the provision of the necessary resources,
o with the capabilities they need
COBIT information [quality] criteria
1998 → 2007: COBIT → COBIT 4.1

compliance: complying with those
o laws,
o regulations and
o contractual arrangements
to which the business process is subject, i.e.
o externally imposed business criteria, as well as
o internal policies - [ ! ] guidelines & procedural rulebooks
83
COBIT information [quality] criteria
1998 → 2007: COBIT → COBIT 4.1 + own interpretation (Hungarian formulation, translated):

compliance (with external requirements): This means meeting the external expectations concerning the given business process. Such expectations are, for example:
o those laws and rules that apply to the examined process in the given country - in Hungary, for example, the handling of personal data has to comply with the currently valid version of the Data Protection Act
o the relevant policies and rulebooks of the institution
o those contractual agreements whose fulfilment the manager responsible for the process has undertaken
o the business requirements valid for the given business process
84
COBIT information [quality] criteria
1998 → 2007: COBIT → COBIT 4.1

reliability:
o appropriate information for management to operate the entity,
o to exercise its fiduciary and
o governance responsibilities

(Hungarian formulation, translated) reliability:
o management needs appropriately well-founded information in order to ensure
  o the operation of the institution,
o and to be able to take on
  o the financial
  o and the (now discussed) compliance-related reporting responsibility
85
special goals - "evaluative" goals / COBIT 5 - ? the metrics

taking these as goals is ! my interpretation !
o percent of ...
o coverage of ...
o level of ...
o number of ...
o cost of ...
o ...?

example:
special goals - "evaluative" goals / COBIT 5 - ? the metrics

e.g. let's take Figure 7. IT-related Goal Sample Metrics from the book: Enabling Processes - COBIT 5 ... (see references): this is a table with these columns:
(BSC) dimension / IT-related goal / metric

let's take this row of the table:
dimension: financial
IT-related goal: Realised benefits from IT-enabled investments
metric column:
o Percent of IT-enabled investments where benefit realisation is monitored through the full economic life cycle
o Percent of IT services where expected benefits are realised
o Percent of IT-enabled investments where claimed benefits are met or exceeded
the important characteristics of [corporate operations] in COSO

the fiduciary formulation of the Treadway Commission - COSO:
o effectiveness and efficiency of operations
o reliability of financial reporting
o compliance with the applicable laws and regulations

COSO versus the usual: ./.
the information [quality] criteria in COSO

COSO requirements: quality + fiduciary + security
where:
o quality: quality - cost - delivery
o fiduciary:
  effectiveness and efficiency of operations
  reliability of financial reporting
  compliance with laws and regulations
o security: availability - confidentiality - integrity

the same in the Hungarian formulation (translated):
COSO requirements: quality + fiduciary coverage + security
their meaning here:
o quality aspects: quality - cost - delivered result
o fiduciary coverage (based on trust toward the "issuer"):
  the operations are expedient and effective
  the financial reports are reliable
  compliance with laws and regulations
o security: availability - confidentiality - integrity
basic audit notions - control objective
warning: missing from COBIT 5

official:
control objectives: generic best practice management objectives for all IT activities
IT control objective: statement of the desired result or purpose to be achieved by implementing control procedures in a particular IT activity.
COBIT's control objectives are the [rather: a kind of !] minimal requirements for [the] effective control of each IT process. (this is the verb "control" here)
COBIT's control objectives are the minimum that should be prescribed in order to be able to effectively implement, operate & supervise the IT processes.
basic audit notions - control objective

private interpretation:
control objective: a generic objective, derived from corporate strategy, taking best practice into consideration - such an objective that the top management wants to achieve
IT control objective: an objective for IT that is derived from a generic control objective, in the form of a statement expressing a desired result. It can be achieved by implementing control measures / procedures concerning IT activities.
92
basic audit notions - control objective (Hungarian formulation, translated)

official:
control objective: a generic objective following best professional practice, which top management sets for IT
IT control objective: the desired result or intention that can be achieved by the control procedure applying to the given IT activity. For the efficient management of IT processes the COBIT control objectives have to be fulfilled.

own interpretation:
generic control objective: the control objective of top management, derived from the institutional strategy and conforming to best professional practice
IT control objective: a control objective derived from a generic control objective and applying to IT operation. A statement expressing the desired result. It can be achieved by control measures / procedures concerning IT activities.
basic audit notions - control measure / procedure

private:
control measure / procedure (a series of measures: procedure):
o the organisational structures with their operational procedures and practices
o the guidelines and procedural rulebooks (≠ policy!)
o the technical developments and measures
designed to provide reasonable assurance
} that the business objectives will be achieved, and
} that undesired events will be prevented / detected / corrected
preventive - detective - corrective
∃ mitigation, too
basic audit notions - control measure / procedure (Hungarian formulation, translated)

private:
control measure / procedure (a series of measures: procedure):
o the organisational structures with their operational practices and procedures
o the guidelines and rulebooks (≠ policy!)
o the technical developments and measures
which were designed as a reasonable degree of assurance
} for achieving the business objectives,
} for preventing / detecting / correcting undesired events
preventive - detective - corrective
∃ mitigation of effects
basic audit notions - control measure / procedure

reasonable assurance
what is reasonable? that which is efficient; we spend effort, money, HR, etc. while it is worth spending it
(Hungarian formulation, translated) reasonable degree of assurance - what is reasonable? what is effective and efficient; we spend as long as it pays off
basic audit notions - control objective - COSO

COSO control objectives: (fiduciary)
• effectiveness and efficiency of operations
• reliability of financial reporting
• compliance with the applicable laws and regulations

control objectives according to COSO (Hungarian formulation, translated):
(fiduciary: based on trust toward the party providing something - e.g. fiduciary loan: a loan without collateral)
• operation that is effective with respect to the [business] objectives and efficient
• reliability of financial reporting
• compliance with the laws and regulations applicable to the given case
basic audit notions - internal control [measure] - COSO

COSO internal control [measure]: a process effected by an entity's
  board of directors,
  management and
  other personnel,
designed to provide reasonable assurance regarding the achievement of the (COSO) control objectives

COSO internal control [measure] (Hungarian formulation, translated): a process of
  the board of directors,
  the management,
  the other staff,
which was designed so that one can be reasonably assured of the achievement of the COSO control objectives
predecessors of my pillars? / so-called IT resources (COBIT → COBIT 4.1)

o COBIT, in 1998:
  data: data objects
  application systems: manual and programmed procedures
  technology: HW, operating systems, DBMS, networking, multimedia, etc.
  facilities: that "house" the systems [and staff]
  people: the staff with its skills, awareness and productivity...
o COBIT 4.1, in 2007:
  organisation: network of interacting people
  process: structured activities created to achieve a given outcome
  technology: practical application of knowledge
  people: human resources - including the outsource partners
! these are not the exact definitions !
predecessors of my pillars? / COBIT 5 "enablers" - alaptényezők? (basic factors?)

COBIT 5 "enablers" are factors that, individually and collectively, influence whether something will work - in this case, governance and management of enterprise IT
source: a 2012 ISACA book on Enabling Processes - see References here

Achieving IT-related goals requires the successful application and use of a number of enablers. Enablers include:
o Principles, policies and frameworks are the vehicles to translate a desired behaviour into practical guidance for day-to-day management.
o Processes describe an organised set of practices and activities to achieve certain objectives and produce a set of outputs in support of achieving overall IT-related goals.
./.
COBIT 5 "enablers" - cont'd

o Organisational structures are the key decision-making entities in an enterprise.
o Culture, ethics and behaviour of individuals and the enterprise are often underestimated as a success factor in governance and management activities.
o Information is pervasive throughout any organisation and includes all information produced and used by the enterprise. Information is required for keeping the organisation running and well governed, but at the operational level, information is often the key product of the enterprise.
./.
COBIT 5 "enablers" - cont'd

o Services, infrastructure and applications include the infrastructure, technology and applications that provide the enterprise with IT processing and services.
o People, skills and competencies are linked to people and are required for successful completion of all activities and for making correct decisions and taking corrective actions.

For each enabler a set of specific, relevant goals can be defined in support of the IT-related goals.
example for control objective and control measure

one of the 34 COBIT IT processes:
AI2 Acquire and Maintain Application Software

a COBIT control objective, one of the 10 assigned to this process:
AI2.6 Major Upgrades to Existing Systems

the control procedure attached to it:
In the event of major changes to existing systems that result in significant change in current designs and/or functionality, follow a similar development process as that used for the development of new systems.
example for control objective and control measure

examples of development control measures (Hungarian formulation, translated):
o to be approved in every phase of the development:
  o the functionality of the system conforms to the design specification, to the development and documentation standards, and to the quality requirements
  o approval of the change requests
o in case of outsourcing: handling of the legal and contractual requirements
example for the 3 types of "control" measures

warning: the type depends on the interpretation (a matter of presentation which kind it is)

preventive - detective - corrective control measures:
order, discipline, maintenance, testing, scanning, logs, preventive reviews, encryption, digital signature - PKI

(Hungarian formulation, translated) preventive - detective - mitigating measures:
orderliness, discipline, maintenance, testing, scanning, logging, preventive reviews, encryption, digital signature - PKI

Q: why are there "quotes" here? (question: why did I put it in quotation marks?)
on the history of the COBIT domains of IT activities

COBIT base, 2000, 4, 4.1: 1998 - 2007
COBIT 5: COBIT® 5 Design Paper Exposure Draft - 2010

COBIT generic process model = 4 domains of IT activities:
plan and organise - PO
acquire and implement - AI
deliver and support - DS
monitor and evaluate - ME

to the process - resource - criteria triple
→ control objectives are assigned, and to these:
→ control measures / procedures that realize these goals
from the history of the COBIT IT activities (Hungarian formulation, translated)

COBIT 1998 - 2007
the overall process model of COBIT divides the IT activities into 4 domains:
planning and organisation - PO
acquisition and implementation - AI
delivery and support - DS
monitoring and evaluation - ME

to the process - resource - criterion triple we assign control objectives, and to these the control measures / procedures that realise these objectives.
the 4 "old" COBIT domains

o Plan and Organise (PO): provides direction to solution delivery (AI) and service delivery (DS)
o Acquire and Implement (AI): provides the solutions and passes them to be turned into services
o Deliver and Support (DS): receives the solutions and makes them usable for end users
o Monitor and Evaluate (ME): monitors all processes to ensure that the direction provided is followed
the relationship of the 4 "old" COBIT domains (Hungarian formulation, translated)

o Plan and Organise (PO): the guidance for solution delivery and service delivery, i.e. for "Acquire and Implement" and for "Deliver and Support", is given by "Plan and Organise".
o Acquire and Implement (AI): the solutions are obtained by "acquisition" or by "implementation"; AI supports the creation of the solutions and passes them on [to DS] to be turned into services.
o Deliver and Support (DS): receives the solutions and transforms them into a form usable by the end users; the solutions are polished into "services" by "Deliver and Support", since these are the phases that add to the finished solution what results in the end user receiving a real product.
o Monitor and Evaluate (ME): monitors the processes to ensure that the direction given [by PO] is followed; adherence to the specifications created during the "Plan and Organise" process is ensured by "Monitor and Evaluate".
the 5 new COBIT 5 processes - processes for governance of enterprise IT

the COBIT 5 Processes for Governance of Enterprise IT corresponding to the COBIT base → 4.1 domains:
o Evaluate, Direct and Monitor
o Align, Plan and Organise
o Build, Acquire and Implement
o Deliver, Service and Support
o Monitor, Evaluate and Assess
take care! best practices are not omnipotent!

even if my favourite excellence criterion → documentation → etc.

one of the possible common mistakes in adopting COBIT 5:
o "Making implementation all about policy and process documentation. Many organizations believe documenting their processes equals GEIT implementation. In reality, documentation is only 10% or less of the overall GEIT journey. The remaining 90% is about managing the organizational changes by educating people, helping them to follow new processes and practices, reviewing and refining the processes, and reviewing the effectiveness of the change."
Sreechith Radhakrishnan, COBIT Certified Assessor, ISO/IEC 20000 LA, ISO/IEC 27001 LA, ISO 22301 LA, ITIL Expert, PMP: 5 Common Mistakes in Adopting COBIT 5, COBIT Focus | 11 May, ISACA
PART - II