Auditing Information Systems - an MSc Course Part - I. Obuda University John von Neumann Faculty of Informatics Institute Applied Informatics

Átírás

1 Auditing Infrmatin Systems - an MSc Curse Part - I Obuda University Jhn vn Neumann Faculty f Infrmatics Institute Applied Infrmatics Dr. Univ. Katalin Szenes CISA, CISM, CGEIT, CISSP, PhD hnrary assciate prfessr szenes.katalin@nik.uni-buda.hu Disclaimer The fllwings represent my persnal pinin n / interpretatin f the subject. Sme results f my research are als included, f curse, in a marked way. Neither ISACA nr ITGI, NIST, nr the ther prfessinal rganizatins quted here are liable fr the fllwings r wuld be bund any way by its cntents. A következők saját személyes véleményemet és értelmezésemet tükrözik. Néhány kutatási eredményem is szerepel itt, természetesen jelölve. Sem az ISACA, sem az ITGI, NIST, sem a többi, itt idézett szakmai szervezet nem felelős az itt következőkért, amely számukra semmilyen kötelmet nem jelent. Szenes Katalin nte 1: the English frmulatin desn't always fllws the riginal either 1. megjegyzés: az angl fgalmazás sem mindig egyezik az eredetivel the cmments, where the subjectivity are t be emphasized are dented by "cmment" r [ ] hangsúlyzttan szubjektív megjegyzéseimet a "cmment" vezeti be, vagy [ ] -be teszem nte 2: the bilinguality - where it is present - is t supprt the related vcabulary f the Hungarian students 2. megjegyzés: az egyes helyeken alkalmaztt kétnyelvűség a magyar hallgatók ide tartzó szókincse fejlesztését szlgálja Szenes 2

2 gal f educatin I hpe t cntribute t the peratinal excellence f the firms, where ur students wrk the gal is t supprt IT staff in encuntering IS audit / auditrs IT is regularly audited bth in the gvernment and in the business sectr, every member f the IT staff, even the develpers f either data prcessing applicatins r embedded systems have t prepare t wrk with auditrs, wh check if their results supprt gvernance, business cntinuity planning, and ther aspects f IT security frm the viewpint f supprting the strategic gals f the institutin, cmplying bth t the natinal laws and EU directives and? Szenes 3 TOC - tartalm PART - I the surces f these transparents, designatins fr auditrs' & security experts ISACA, ISC2, designatins ne f the mst imprtant surces f these transparents: COBIT COSO, ne f the predecessrs classifying the prblems t be handled: an ISACA asset classificatin anther classificatin: accrding t the characteristics f the prblem and / r accrding t the excellence criteria prblem slving, using: ISACA asset classificatin & ISACA asset classificatin!! Szenes 4

3 TOC - tartalm examples fr the prblems t be handled 2015: a typical prblem in 2015: the Andrid mbile scial hacking: starting frm a LinkedIn invitatin a great fright: APT what is this? sme examples the earliest published attack n military research establishments: "The Cuck s Egg" Mnlight Maze NASA: Natinal Aernautics and Space Administratin Titan Rain Sykipt Operatin Aurra! etc.! Szenes 5 TOC - tartalm REMEDIES? the needs - slutin: gvernance a usable gvernance definitin - frm my practice crprate gvernance / IT gvernance a usable peratinal security definitin gvernance gals infrmatin security - IT audit methds cnsequences f this apprach gvernance peratinal security Szenes 6

4 TOC - tartalm cntributing t the slutin - verview nly supprting the fulfillment f the strategic gals: what / hw and their dimensins suggested "subgals": excellence criteria peratinal excellence criteria: effectivity, efficiency, cmpliance, reliability, risk management excellence, functinality, rder asset handling excellence criteria:, availability, integrity, cnfidentiality peratinal bjective Szenes 7 TOC - tartalm cntributing t the slutin - verview nly cnt.'d 3 pillars f peratin - a működés pillérei {pillars} = dmain & range f thse activities & bjectives that cntribute t the strategic gals (e.g. t the excellence criteria) : rganizatinal, technical, regulatinal (szervezet,szabályzás - technika detective - preventive - crrective IT architectural infrastructure elements peratinal activity - and its useful attributes Szenes 8

5 TOC - tartalm the "t d" details accrding t the best practice f ISACA and thers my list: "t d" details transparent gvernance crprate gvernance - OECD crprate gvernance in COBIT IT gvernance n COBIT relatin f risk - value - IT gvernance in the CISA study materials COBT COSO / Internal Cntrl Integrated Framewrk stakehlders rle in IT gvernance advantages f IT gvernance prblems with IT gvernance dcuments relating t IT gvernance Szenes 9 TOC - tartalm the predecessrs f my excellence criteria: special gals - "evaluative" gals - the predecessrs f my excellence criteria: COBIT COBIT 4.1 ( ) infrmatin criteria COBIT 5 -? the metrics ISO requirements the imprtant characteristics f [crprate peratins] in COSO the infrmatin [quality] criteria in COSO COBIT infrmatin [quality] criteria : COBIT COBIT 4.1 Szenes 10

6 TOC - tartalm basic audit ntins - ellenőrzési alapfgalmak cntrl bjective - ellenőrzési cél - COBIT / magán / COSO cntrl measure / prcedure - ellenőrzési intézkedés / eljárás - COBIT / magán / COSO what kind f assurance is reasnable? - mi az ésszerű mérték? predecessrs f my pillars? resurces (COBIT COBIT 4.1) and enablers (COBIT 5) example fr cntrl bjectives and measures - példa ellenőrzési célkra és intézkedésekre, és - a 3-féle "ellenőrzési" intézkedésre Szenes 11 TOC - tartalm n the histry f the COBIT dmains f IT activities the relatinship f the 4 "ld" COBIT dmains - a 4 "régi" tartmány összefüggései the 5 new COBIT 5 prcesses - prcesses fr gvernance f enterprise IT take care! best practices are nt mniptent end f PART - I Szenes 12

7 TOC - tartalm PART - II risk - kckázat traditinal definitin my new definitin fr risk the factrs, that affect risk value managing risk inherent risk - "elidegeníthetetlen" kckázat prcedures cncerning cntracts auditing cntracts - RFP IT gvernance in the ISACA Audit Standards Framewrk (S10) Szenes 13 TOC - tartalm - alapfgalmak magyarázata COBIT 4.1 segítségével IS - explanatin f sme basic ntins using COBIT 4.1 when the auditr is awakened at night... ha az auditrt éjjel álmából költik... COBIT 4.1 prcess wner - flyamat tulajdns COBIT rles and respnsibilities - szerepkörök és felelősségek segregatin / separatin f duties - a (jó) kötelességelhatárlás n the rganizatinal hierarchy tasks in the rganizatinal basic pillar Nte n the Subject Guideline - Plicy - Prcedural Rulebk megjegyzés - az irányelvek, plitikák, (eljárási) szabályzatk témáhz authenticatin - authrizatin hitelesítés - feljgsítás COBIT Plicy, Plans and Prcedures - Szabályzatk, irányelvek, tervek, eljárásk Szenes 14

8 TOC - tartalm frm ISACA CISA Review Curse transparents: n the audit audit, infrmatin sytems (IS) audit classificatin f audits [sme] general audit prcedures [sme] prcedures fr testing & evaluating IS cntrl [systems]; GAS [n the] phases f audit Szenes 15 TOC - tartalm frm ISACA CISA Review Curse transparents: measuring the perfrmance (pssible) phases (sme) cnsideratins special prblems n the utsurce - frrás: Az Infrmatikai biztnság kézikönyv data privacy laws, examples Explanatins - Magyarázatk References - Irdalmjegyzék Szenes 16

9 the surces f these transparents, designatins fr auditrs' & security experts CISA Certified Infrmatin Systems Auditr, CISM - Certified Infrmatin Security Manager, CGEIT - Certified in Gvernance Enterprise IT designatr: ISACA: Infrmatin Systems Audit and Cntrl Assciatin - USA CISSP - Certified Infrmatin Security Prfessinal designatr: ISC2 Internatinal Infrmatin Systems Security Certificatin Cnsrtium - USA anther best practice: the ISO standards and there are many mre Szenes 17 ther useful surces W3C - Wrld Wide Web Cnsrtium OASIS - Organizatin fr the Advancement f Structured Infrmatin Standards - e-business guidelines, nn-prfit OWASP - Open Web Applicatin Security Prject develpment f "secure"? - reliable? applicatins Szenes 18

10 ne f the mst imprtant surces f these transparents: COBIT C OB I T Cntrl OBjectives fr Infrmatin and Related Technlgy the basic terms - alapvető fgalmak: cntrl bjectives + cntrl measures ellenőrzési célk + ellenőrzési intézkedések (at first this is the pint, where my persnal experience will cme in ez az, ahl először bejön a személyes tapasztalatm) Szenes 19 COSO, ne f the predecessrs - egy előd a surce f sme basics in the ISACA materials néhány alapvető dlg frrása az ISACA anyagaiban The Cmmittee f Spnsring Organisatins f the Treadway Cmmissin - a Treadway bizttságt szpnzráló szervezetek bizttsága. A COSO a magánszektr egy önkéntes szervezete, amely a pénzügyi jelentések minősége fejlesztéséhez kíván hzzájárulni, az üzleti etika, a hatékny belső ellenőrzési intézkedések, és a vállalatirányítási módszerek segítségével ben alakult, a pénzügyi jelentésekkel kapcslats csalásk nemzeti bizttságának (Natinal Cmmissin n Fraudulent Financial Reprting) támgatására. Ezt a bizttságt röviden gyakran csak "Treadway bizttságnak" nevezik, első elnökéről, James C. Treadway, Jr.-ról. A Treadway bizttság a magánszektr kezdeményezésére alakult. Annak alapján készít ajánláskat a tőzsdei társaságk, azk auditrai, a SEC, és más szabályzó szervezetek, és ktatási intézmények részére is, hgy tanulmányzzák a csaló pénzügyi jelentések sajátsságait. Szenes 20

11 COSO, ne f the predecessrs - egy előd rganizatins supprting COSO - támgató szervezetek A Treadway bizttságt támgató tvábbi szervezetek: az AICPA (American Institute f Certified Public Accuntants - a Könyvszakértők Amerikai Intézete), az AAA (American Accunting Assciatin - Amerikai Számviteli Szövetség), az FEI (Financial Executives Internatinal - a Pénzügyi Vezetők Nemzetközi Társasága), az IIA (Institute f Internal Auditrs - a Belső Ellenőrök Intézete), és az IMA (Institute f Management Accuntants). frrás: Szenes Katalin: Az infrmatikai erőfrrás-kihelyezés auditálási szempntjai Az Infrmatikai biztnság kézikönyve, I. rész: 36. aktualizálás, ld. 26. ld. (26 ldal) Verlag Dashöfer, Budapest, február II. rész: 39. aktualizálás, december ld ld. Szenes 21 classifying the prblems t be handled ways f classificatins viewpintys f classificatins ways fr prblem slvingm r rather: ways f explring, identifying the prblems Szenes 22

12 classifying the prblems t be handled - an ISACA asset classificatin physical assets financial assets intellectual assets infrmatin - see the COBIT resurces till 4.1 knw-hw (I wuld've put it t inf) relatinships reputatin and brand value subject fr discussin / hmewrk: what d we think abut these viewpints? Szenes 23 classifying the prblems t be handled - classificatin accrding t the characteristics f the prblem, e.g.: accrding t the excellence criteria criteria characterizing excellent peratins: effectivity, efficiency, cmpliance, reliability, strategy-driven gal & peratinal risk management excellence, functinality, rder asset handling excellence criteria: availability, cnfidentiality, integrity Szenes 24

13 prblem slving, using: ISACA asset classificatin & characteristics f the prblem!! a pssibility t design matrices fr the research fr example: rws: asset classificatins clumns: asset handling excellence criteria in the elements f the matrices: advice n the excellent peratins Szenes 25 examples fr the prblems t be handled a typical prblem in 2015: the Andrid mbile a GOVCERT alarm ntice (6th August, 2015) the perating system Andrid has a vulnerability, that facilitates the remte executin f a cde the attacker can take ver the cntrl f the device the way f attack: a specially crafted MMS message hmewrk: fr Hungarian students: (Stagefright) fr freigners: Krmányzati Eseménykezelő Közpnt GvCERT-Hungary Tel: Fax: Incidensbejelentés (alarm reprt): cert@cert-hungary.hu Szenes 26

14 examples fr the prblems t be handled / scial hacking: starting frm a LinkedIn invitatin "Yu culd see them talking abut where they were ging and where they were in Afghanistan and Iraq... sme were uplading pictures with gelcatin infrmatin, and we were able t see them," says Thmas Ryan, the mastermind behind the scial netwrk experiment and c-funder and managing partner f cyber peratins and threat intelligence fr Prvide Security, wh will present the findings later this mnth at Black Hat USA in his "Getting In Bed With Rbin Sage" "Rbin's Facebk prfile was able t view crdinates infrmatin n where the trps were lcated. "If she was a terrrist, yu wuld knw where different [trps'] lcatins were," 7/6/ :21 PM 14 July, 2015 Szenes 27 great fright: APT - what is this? ld definitin, taken frm ISACA materials: "an APT is as an adversary that pssesses sphisticated levels f expertise and significant resurces which allw it t create pprtunities t achieve its bjectives using multiple attack vectrs (e.g., cyber, physical and deceptin). These bjectives typically include establishing and extending fthlds within the IT infrastructure f the targeted rganizatins fr purpses f exfiltrating infrmatin, undermining r impeding critical aspects f a missin, prgram, r rganizatin; r psitining itself t carry ut these bjectives in the future. /. Natinal Institute f Standards and Technlgy (NIST), Cmputer Security Incident Handling Guide, Special Publicatin , USA, 2008, csrc.nist.gv/publicatins/pubssps.html Szenes 28

15 great fright: APT - what is this? cnt.'d " The advanced persistent threat: (i) pursues its bjectives repeatedly ver an extended perid f time; (ii) adapts t defenders effrts t resist it; and (iii) is determined t maintain the level f interactin needed t execute its bjectives." Natinal Institute f Standards and Technlgy (NIST), Cmputer Security Incident Handling Guide, Special Publicatin , USA, 2008, csrc.nist.gv/publicatins/pubssps.html instead f this, what I fund:. /. Szenes 29 APT - what is this? what I culd find: advanced persistent threats = a lng-term pattern f targeted, sphisticated attacks NIST Special Publicatin Managing Infrmatin Security Risk Organizatin, Missin, and Infrmatin System View Cmputer Security Divisin Infrmatin Technlgy Labratry Natinal Institute f Standards and Technlgy Gaithersburg, MD March 2011 (1st September, 2015) Szenes 30

16 examples / the earliest published attack n military research establishments: The Cuck s Egg arund 1980: rigin: West German hacker, Markus Hess, university student penetrated netwrked cmputers in Califrnia t steal secrets f the Star Wars prgram investigating a minr accunting discrepancy prblem in the cmputer usage accunts Stll frm Lawrence Berkeley Natinal Labratry nticed an intrusin frm a West German university, cming acrss a satellite link Stll made a trap with interesting details f a fictinal Star Wars cntract the West German authrities lcated the hacker, it turned ut, that he had been selling the stlen infrmatin t the Sviet KGB he was tried and fund guilty f espinage in 1990 and sent t prisn Cliffrd Stll bk: The Cuck s Egg: Tracking a Spy Thrugh the Maze f Cmputer Espinage Dubleday, USA, 1989 ptinal hmewrk: details Szenes 31 examples / Mnlight Maze arund 2000: series f attacks, undetected fr nearly tw years presumed rigin: Russia targets: gvernment sites, systems at the Pentagn, NASA, US Department f Energy, universities, research labs, ding military research stealing tens f thusands f files: maps f military installatins trp cnfiguratins military hardware designs lss: many millins f dllars - the Russian gvernment denied any invlvement the infrmatin was prbably ffered fr sale t the highest bidder ptinal hmewrk: details Szenes 32

17 NASA - NASA: Natinal Aernautics and Space Administratin NASA's Visin: T reach fr new heights and reveal the unknwn s that what we d and learn wil Tpics: internatinal space statin jurney t Mars Earth technlgy etc. Nte: smetimes hackers mix NSA, NSA, NIST Szenes 33 examples / Titan Rain 2003: presumed rigin: China - Chinese gvernment denied any invlvement targets: US defense cntractrs: Lckheed Martin, Sandia Natinal Labratries Redstne Arsenal NASA nvelty f this cyberespinage attack: the level f deceptin the use f multiple attack vectrs (channels f attack) a cmbined, well-researched scial engineering attack n targeted individuals stealthy Trjan hrse attacks using malware techniques bypassing cntemprary security cuntermeasures. gvernment secrecy? chsing targets frm industry: aerspace, defense, energy, financial services, manufacturing, pharmaceutical ptinal hmewrk: details Szenes 34

18 examples / Sykipt 2006: spear-phishing s with malicius attachment r link t an infected web site, zer-day explits fund later, and then: targets: in USA, in UK defense, cmputer sectr, telecmmunicatins, energy, chemicals, gvernment cllecting and stealing secrets and intellectual prperty, design, financial, manufacturing and strategic planning infrmatin servers mstly China, belnging perhaps t an intelligence agency ptinal hmewrk: details Szenes 35 examples / Operatin Aurra 2009: used a zer-day explit t install a malicius Trjan hrse, Hydraq : targets: accrding t McAfee: t gain access t and mdify surce cde repsitries cmpanies:! January 2010 Ggle disclsed the attacks, the thers did nt dare! Adbe, Juniper,... banks, defense cntractrs, security vendrs, il and gas cmpanie + Chinese human rights activists! ptinal hmewrk: details + cllect mre! Szenes 36

19 REMEDIES - kind f Szenes 37 the needs what kind f rules and prcedures d we need? t serve all f the stakehlders t allcate rights, respnsibilities, t supprt decisin planning? a structure that supprts the setting f the gals f the cmpany means f attaining these gals means f aviding / managing risks meanwhile mnitring perfrmance etc. slutin: adequate gvernance Szenes 38

20 a usable crprate gvernance definitin - frm my practice enterprise gvernance is the respnsibility f the whle staff, tp management included tp management has t direct the cmpany the best pssible way twards market success, taking every kind f envirnmental aspects int cnsideratin as far, and in such a way, as it is in the interest f the enterprise, based n the strategy f the institutin t define and maintain this strategy belngs t the respnsibility f the tp management, while the staff is respnsible fr supprting the tp management in these issues Szenes 39 ntes t my crprate gvernance definitin n hidden details are "invlved". the duble respnsibility f the tp management is very imprtant, the strategy is actually the dcument, n hw d they t perfrm their wrk, in the given inside and utside circumstances these have t be kept cnstantly under surveillance, and the results have t be taken int cnsideratin Szenes 40

21 crprate gvernance / IT gvernance IT gvernance (my definitin) ne f the necessary cnditins f successful enterprise gvernance, by directing IT in such a way, that it serves enterprise gvernance accrding t the intentins f the tp management. every member f the IT staff is respnsible fr it the weight f their respnsibility is directly prprtinal t their weight in the cmpany hierarchy the tp management f the cmpany is respnsible fr the supervisin f the IT gvernance Szenes 41 a usable peratinal security definitin I define peratinal security, as such an rganizatinal, regulatinal, and technical system, t be established in a cmpany, by the means f identifying strategy-related peratinal bjectives and peratinal activities, and by cntributing t the fulfillment f these bjectives, that satisfies the excellence criteria priritized by the tp management, r by their delegates in the business areas in a predictable, measurable, and scalable way Szenes 42

22 gvernance gals infrmatin security - IT audit methds cnsequences f this apprach relying n the direct cnnectin between gvernance gals and infrmatin security - IT audit methds, this mutual direct supprt yields: an effective and efficient supprt f enterprise strategy by derivating cncrete everyday imprving gals and actins frm strategic gals a pssibility f tailring and tuning the strategy based n a direct, and peratins-related feedback prvided by cllecting thse basic prblems f institutinal peratins, that are t be slved using infrmatin security methd Szenes 43 gvernance gals infrmatin security - IT audit methds cnsequences f this apprach trivial example: custmers' satisfactin, data cnfidentiality withut custmers there is n success in the market, success = imprtant gal f crprate strategy custmers' satisfactin = a strategic base fr cnfidentiality starting frm security we gt t crprate strategic level ther way arund: market success = a gd reasn why cnfidentiality has t be satisfied infrmatin security methds cntribute t the achievement f strategic gals frm strategic gals, infrmatin security tasks culd be derived Szenes 44

23 gvernance peratinal security directin frm security twards crprate gvernance: = imprving the quality f crprate management by the means f infrmatin security / IT audit methds ther way arund: = serving security by gvernance = devising gvernance issues frm security requirements tp management might accept security requirements as their wn, if these requirements are derived frm unquestinable gvernance requirements Szenes 45 cntributing t the slutin: supprting the fulfillment f the strategic gals what / hw and their dimensins the subgals, cntributing t the strategic gals the activities, cntributing t the subgals & strategic gals the scpe f the activities, and the range f the activities their "cmpnents", a list f "mre atmic" activities their material & human resurces executrs, thse, wh give the necessary permissins thse, wh acknwledge supervisrs, etc.! all f these will cme Szenes 46

24 suggested "subgals": criteria f excellent gvernance peratinal excellence criteria: effectivity, efficiency, cmpliance, reliability, risk management excellence, functinality, rder asset handling excellence criteria: availability, integrity, cnfidentiality Szenes 47 suggested "subgals": criteria f excellent gvernance peratinal excellence criteria An peratinal activity is effective, if its result(s) cmplies with the pre-planned requirements, that had been accepted by every relevant party. An peratinal activity is efficient, if it is perfrmed in a pre-planned, dcumented, and cst/ effective way, cncerning the ptimal use f human and material resurces, and the way f prblem slving. A cmpany perates in a cmpliant way, r, shrtly, the peratins f a cmpany cmplies with the cmpliance criterium, if it cmplies, in a dcumented way, t any requirement f thse authrities that have authrity t regulate any aspect f the activities f the cmpany. Szenes 48

25 suggested "subgals": criteria f excellent gvernance peratinal excellence criteria The peratins f a cmpany is reliable, if it is rganized in such a way, that it prvides fr the preliminary agreed service(s) in such a manner, that supprts the wrk f the staff accrding t the best prfessinal practice. Risk management excellence a strategy-driven managing f risks, that are related t given gal, asset and effrt the imprtance f the excellence criteria shuld always be evaluated by the tp management / business delegates, with respect t each ther there is n stand-alne risk The functinality f the infrmatin system f a cmpany is adequate, if it serves the staff in such a way, that they can fulfill their jb requirements in the best pssible way. Szenes 49 suggested "subgals": criteria f excellent gvernance peratinal excellence criteria The rder is by definitin adequate, if tp management takes up the respnsibility fr the well-being f the institutin: fr the determinatin f the strategy, aligning it t the market success, fr its cntinuus maintenance, fr ensuring, that the cmpany fulfills these strategic gals. regulatinal dcumentatin, business cntinuity management planning, dynamic inventry, - change / - release management, prcedural guidelines,... rganizatinal educatin, separatin f duties jb / rle descriptins,... technical supprt the enfrcing f all these, e.g. access prvisin management fr units / rles / tasks... rganizatinal + regulatinal: rganized peratinal prcesses e.g. rganized applicatin develpment, dcument thrughut lifecycle f every prduct, planned test prcess Szenes 50

26 peratinal excellence criteria rder t peratinal excellence criterium: rder belng: dcumentatin separatin (segregatin) f duties access prvisin management fr units / rles / tasks dynamic inventry management dynamic dcumentatin & change management business cntinuity planning / IT business cntinuity planning / Szenes 51 suggested "subgals": criteria f excellent gvernance - asset handling excellence criteria Cnfidential asset handling, handling cnfidentially every infrmatin abut it - thse, and nly thse have access t it, wh have jb t d with it. The integrity f an asset is said t be preserved, if its handling r prcessing des nt change it inadvertently. Availability f an asset means, that if it has a rle in a given matter, then it is available t every cmpetent emplyee, wh is cmpetent in this matter, in a planned, predictable, and dcumented way, accrding t the preliminary agreements n its accessibility, that have t refer t every qualitative and quantitative prescriptin, that are relevant in the matter. Szenes 52

27 a "general" suggested "subgal": the peratinal bjective this is my generalizatin fr the cntrl bjective, twards strategy! my peratinal bjectives cntribute t the fulfillment f the strategic gals by imprving peratins excellence criteria: special case f the peratinal bjective I define the peratinal bjective, as an bjective f ne r mre peratinal area(s) r rle(s) t be achieved, in rder t cntribute t the fulfillment f strategic gal(s) f the cmpany. the "distance f an peratinal bjective frm the strategy", is its degree f imprtance related t enterprise strategy, in ther wrds, as its imprtance in achieving it. nte - the real life: instead f evaluatins f individual bjects always cmparisns imprtant systems analysts tl: distance - the strategic "imprtance" f an peratinal bjective Szenes 53 pillars f peratin 3 pillars f peratin: rganizatinal - technical - regulatinal a működés pillérei: szervezet - szabályzás - technika detective - preventive - crrective vizsgálati - megelőző - javító {pillars} = dmain & = range f the activities & bjectives that cntribute t strategic gals suggested examples fr strategic gals: the excellence criteria the {pillars} = dmain & = range f the fulfillment f the excellence criteria distance: the strategic "imprtance" f an peratinal pillar element Szenes 54

28 definitin f the pillars f peratin: thrugh enumerating their elements rganizatinal pillar elements are: the whle rganizatinal structure, and its parts, that is the individual rganizatinal units, tgether with the "building parts" f these units, that is the rles, that are assigned, as duties, t the emplyees, wrking in the unit the members f the staff themselves (actually their jb descriptin - except in persnal security matters) nte: the descriptin f the assignments themselves, that are part f the jb descriptins f the emplyee belng t the regulatinal pillar Szenes 55 definitin f the pillars f peratin: thrugh enumerating their elements regulatinal pillar elements are: the prcedural rulebks themselves, that regulate the activities f the staff, bth the intended, and the undesigned relatins f these rulebks t each ther this invlves: the facilities t search fr given terms r rules, the hierarchy f the rulebks themselves, if any, with the cntradictins embedded, the structure f the whle regulatinal system with the facilities f its handling a cde f ethics defining the principles f staff behaviur Szenes 56

29 definitin f the pillars f peratin: thrugh enumerating their elements Technics cvers all physical, / infrastructural prperty assets, that are necessary t perfrm peratinal activities, tgether with the technical cnditins, that determine their use. Example fr technical elements are: the elements f the physical infrastructure, tgether with the buildings and ther facilities, machines, actually the elements f the inventry belng here, tgether with their descriptive technical features, and the actual and best practice technical way f using them. A special subset f the technical elements is the IT architecture f the institutin. Szenes 57 IT architectural infrastructure elements IT architectural infrastructure elements, r, shrtly, IT infrastructural elements are: the cmputers themselves, their sftware (perating systems, utilities), the applicatin systems serving the business prcesses, the database management systems, the netwrk cmmunicatin devices, the defense elements prviding fr the quality f the IT services actually every cmpnent f the IT infrastructure belngs here: even thse, that have sme cmputer system embedded int them, like the ATM-s f the financial institutins, r ther kind f custmer serving tls. The service quality, tgether with the nn-it type f peratins, can be characterized by s-called excellence criteria. Szenes 58

30 pillars f peratin "predecessrs": COBIT COBIT 4.1 ( ) mre r less the same s-called resurces - see them later, at the traditinal ntins there is sg. in COBIT 5, which is similar t my pillars: the "enablers": - let's say: alaptényezők? - see them later, at the traditinal ntins Szenes 59 peratinal activity I define the peratinal activity as such an actin, that cntributes t the achievement f peratinal bjective(s) perates n peratinal pillar element(s) as subjects. Nte: the subjects here are meant t be elements f any f the three pillars the range f an peratinal activity is als the unin f the pillars, even if the gal f an peratinal activity is actually an peratinal bjective special case: excellence criterium / criteria thus the pssible cntradictin f sme f the excellence criteria has t be taken int cnsideratin, t Szenes 60

31 useful attributes, characterizing an peratinal activity the peratinal bjective, r set f peratinal bjectives, that is / are t be served by this activity the scpe f the activity, the set f its s-called subjects, and the range f the activity (bth scpe and range in terms f pillars f peratins), the pillar(s), where the expected result(s) belng a list f "atmic" activities, cmprising the peratinal activity the resurces, either branches r rles, f curse, different nes fr each task, that is t prvide fr: identificatin f the gals, then the activities pssibly cntributing t its fulfillment, thse f the executrs, the acknwledgements f bth the gal and activity, giving the necessary permissins, the executrs, and their supervisrs, etc. Szenes 61 the "t d" details accrding t the best practice subjects: gvernance, IT gvernance special gals - "evaluative" gals - the predecessrs f my excellence criteria: ISO requirements / COBIT COBIT 4.1 ( ) infrmatin criteria COBIT 5 -? the metrics "mre general" gal: the cntrl bjective activity: peratinal measure, cntrl measure dmain f activity - similar t my pillars: COBIT COBIT 4.1:? resurces COBIT 5 enablers (- are they similar?) ISACA risk management areas Szenes 62

32 gvernance in the best prfessinal practice Szenes 63 crprate gvernance - OECD crprate gvernance - crprate wellness, market success, grwth OECD: "ethical crprate behaviur by directrs r thers charged with gvernance in the creatin and presentatin f wealth fr all stakehlders" "the distributin f rights and respnsibilities amng different participants in the crpratin, such as bard, managers, sharehlders and ther stakehlders and (it)spells ut the rules and prcedures fr making decisins n crprate affairs" [quted frm: CRM] Szenes 64

33 crprate gvernance - OECD OECD n public gvernance: Gd, effective public gvernance helps t strengthen demcracy and human rights, prmte ecnmic prsperity and scial chesin, reduce pverty, enhance envirnmental prtectin and the sustainable use f natural resurces, and deepen cnfidence in gvernment and public administratin. (quted frm CRM: OECD website n Public Gvernance and Management) Szenes 65 crprate gvernance - OECD The Organisatin fr Ecnmic C-peratin and Develpment (OECD) states: "Crprate gvernance invlves a set f relatinships between a cmpany s management, its bard, its sharehlders and ther stakehlders. Crprate gvernance als prvides the structure thrugh which the bjectives f the cmpany are set, and the means f attaining thse bjectives and mnitring perfrmance are determined. Gd crprate gvernance shuld prvide prper incentives fr the bard and management t pursue bjectives that are in the interests f the cmpany and its sharehlders and shuld facilitate effective mnitring.. (OECD 2004, OECD Principles f Crprate Gvernance, p.11) With respect t public gvernance, the OECD states: Gd, effective public gvernance helps t strengthen demcracy and human rights, prmte ecnmic prsperity and scial chesin, reduce pverty, enhance envirnmental prtectin and the sustainable use f natural resurces, and deepen cnfidence in gvernment and public administratin. (OECD website n Public Gvernance and Management). Szenes 66

34 crprate gvernance in COBIT COBIT 4.1: enterprise gvernance invlves: the need fr assurance abut the value f IT the management f IT-related risks the increased requirements fr cntrl ver infrmatin COBIT 4.1: a vállalat krmányzása megköveteli (többek között! ): megbiznysdjunk, az IT a szükséges értéket adja az IT-vel kapcslats kzkázatk kezelését törekedjünk az infrmációk fkztt felügyeletére Szenes 67 IT gvernance in COBIT COBIT bases f IT gvernance: value risk cntrl this is nt the cntrl measure but mre prbably the cntrl system! az IT krmányzás alapjai: érték kckázat ellenőrzési rendszer legalábbis valószínűleg, és nem ellenőrzési intézkedés! Szenes 68

35 relatin f risk - value - IT gvernance in the CISA study materials Tw issues f IT Gvernance: /1 IT delivers value t the business this is driven by: strategic alignment f IT with the business /2 IT risks are managed this is driven by: embedding accuntability int the enterprise surce: CISA Review Curse transparents, ISACA Szenes 69 relatin f risk - value - IT gvernance in the CISA study materials best practice fr IT gvernance - IT gvernance fcus areas: surce f this exhibit is als: CISA Review Curse transparents, ISACA Szenes 70

36 COBT 4.1 / COSO / Internal Cntrl Integrated Framewrk Organisatins shuld satisfy the quality, fiduciary and security requirements fr their infrmatin, as fr all assets. Management shuld als ptimise the use f available IT resurces, including applicatins, infrmatin, infrastructure and peple. T discharge these respnsibilities, as well as t achieve its bjectives, management shuld understand the status f its enterprise architecture fr IT and decide what gvernance and cntrl [measures] it shuld prvide. *********** A szervezeteknek az infrmációra ugyanúgy teljesíteniök kell a minőségi, bizalmi, biztnsági követelményeket, mint a többi vagyntárgy esetén. A vezetésnek a rendelkezésre álló összes IT erőfrrás használatát ptimalizáni kell - [COBIT:] alk., inf., infrastrutúra, emberek. Ahhz, hgy ennek a felelősségnek megfeleljen, és ahhz, hgy [üzleti, strat.] céljait elérje, a vezetésnek értenie kell a vállalati IT architektúrát, és el kell döntenie, milyen krmányzási és ellenőrzési lehetőségeket várjn el az IT-től. Szenes 71 stakehlders rle in IT gvernance IT gvernance implies a system where all stakehlders prvide input int the decisin making prcess: Bard Internal custmers Finance surce: CISA Review Curse transparents, ISACA Szenes 72

37 advantages f IT gvernance IT gvernance has becme significant due t: Demands fr better return frm IT investments Increases in IT expenditures Regulatry requirements fr IT cntrls - cntrl Selectin f service prviders and utsurcing Cmplexity f netwrk security Adptins f cntrl framewrks Benchmarking surce: CISA Review Curse transparents, ISACA hmewrk: which cntrl is meant here? Szenes 73 prblems with IT gvernance Indicatrs f ptential prblems include: Unfavrable end-user attitudes Excessive csts Budget verruns Late prjects High staff turnver Inexperienced staff Frequent hardware/sftware errrs surce: CISA Review Curse transparents, ISACA Szenes 74

38 dcuments relating t IT gvernance The fllwing dcuments shuld be reviewed at least: IT strategies, plans and budgets Security plicy dcumentatin Organizatin/functinal charts Jb descriptins Steering cmmittee reprts System develpment and prgram change prcedures Operatins prcedures Human resurce manuals Quality assurance prcedures surce: CISA Review Curse transparents, ISACA Szenes 75 the predecessrs f my peratinal! excellence criteria: the! quality! f the infrmatin in the best prfessinal practice Szenes 76

39 Cntrl Objective fr Infrmatin Technlgy - infrmáció kritériumk: a célnak való megfelelés - célravezető infrmáció - effectiveness eredményesség - efficiency bizalmasság - cnfidentiality integritás, sértetlenség - integrity rendelkezésre állás - availability külső követelményeknek való megfelelés - cmpliance megbízhatóság - reliability [f infrmatin] ISO (first CCITT, then BSI, and then ISO) availability integrity cnfidentiality Szenes 77 COBIT infrmatin [quality] criteria - infrmáció [minőségi] kritériumk : COBIT COBIT 4.1 effectiveness: the infrmatin is relevant and pertinent t the business prcess delivered in a timely, crrect, cnsistent and usable manner megfelelés a célnak, célravezető Szenes 78

40 COBIT infrmatin [quality] criteria - infrmáció [minőségi] kritériumk : COBIT COBIT 4.1 efficiency: the prvisin f infrmatin thrugh the ptimal (mst prductive and ecnmical) use f resurces eredményesség, hatéknyság: A már meglévő rendszerek javítási értelemben való tvábbfejlesztését értékeli. Megköveteli, hgy az infrmáció biztsításáhz az erőfrráskat ptimálisan használják ki, azaz a lehető legtermelékenyebben és leggazdaságsabban. Ez biztsítja tehát az adtt esetnek megfelelő költség / haszn megfntlásk teljesítését. Annak a döntésnek a meghzatala, hgy a javítás költsége megéri-e azt az eredményt, amit a javító intézkedés / eljárás hz(hat), a legfelső vezetés felelőssége! Szenes 79 COBIT infrmatin [quality] criteria - infrmáció [minőségi] kritériumk : COBIT COBIT 4.1 cnfidentiality: the prtectin f sensitive infrmatin frm unauthrised disclsure access accrding t the rles - jb descriptins bizalmasság: vizsgálja, megfelelően védett-e a valamilyen kból érzékenynek tekintett infrmáció az akár szándéks, akár véletlen jgsulatlan hzzáféréssel szemben a külső- és a belső támadásk elleni védelem követelménye mindenki pntsan ahhz férjen hzzá, amivel dlga van, azaz amihez szerepköre - munkaköri leírása szerint szükséges Szenes 80

41 COBIT infrmatin [quality] criteria - infrmáció [minőségi] kritériumk : COBIT COBIT 4.1 integrity: accuracy and cmpleteness f infrmatin its validity in accrdance with business values and expectatins it is frequently mixed with:... integritás: Ez az infrmáció kritérium az intézmények infrmatikai rendszerei, sőt, a bármilyen útn, akár kézi feldlgzással közvetített infrmáció - pntsságát - teljességét - az üzleti értékeknek és elvárásknak megfelelő érvényességét követeli meg. Ez a sértetlenség azt is jelenti, hgy az adatk ne váltzzanak a feldlgzás srán. gyakran összekeverik a:... Szenes 81 COBIT infrmatin [quality] criteria - infrmáció [minőségi] kritériumk : COBIT COBIT 4.1 availability: the infrmatin is available when required by the business prcess nw and in the future the safeguarding f necessary resurces and assciated capabilities. rendelkezésre állás: amikr csak szüksége van az üzleti flyamatnak az infrmációra, az rendelkezésre áll - és fg is állni a szükséges erőfrrásk biztsítása, a hzzájuk szükséges képességekkel Szenes 82

42 COBIT infrmatin [quality] criteria - infrmáció [minőségi] kritériumk : COBIT COBIT 4.1 cmpliance: cmplying with thse laws, regulatins and cntractual arrangements t which the business prcess is subject, i.e., externally impsed business criteria, as well as internal plicies - [! ] guidelines & prcedural rulebks Szenes 83 COBIT infrmatin [quality] criteria - infrmáció [minőségi] kritériumk : COBIT COBIT saját értelmezés: megfelelés (külső követelményeknek) Ez az adtt üzleti flyamatra vnatkzó külső elvárásk teljesítését jelenti. Ilyen elvárásk például: - azn törvények, szabályk, amelyek az adtt rszágban a vizsgált flyamatra vnatkznak - Magyarrszágn, például, a személyi adatk kezelése meg kell, hgy feleljen az Adatvédelmi törvény éppen érvényes váltzatának az intézmény vnatkzó irányelvei és szabályzatai azk a szerződéses megállapdásk, amelyeknek teljesítését a flyamatért felelős vezető elvállalta az adtt üzleti flyamatra érvényes üzleti követelmények Szenes 84

43 COBIT infrmatin [quality] criteria - infrmáció [minőségi] kritériumk : COBIT COBIT 4.1 reliability apprpriate infrmatin fr management t perate the entity t exercise its fiduciary and gvernance respnsibilities megbízhatóság menedzsmentnek megfelelően megalapztt infrmációra van szüksége ahhz, hgy biztsítsa - az intézmény működését, és fel tudja vállalni - a pénzügyi - és a (mst tárgyalt) megfeleléssel kapcslats jelentési felelősséget Szenes 85 special gals - "evaluative" gals / COBIT 5 -? the metrics taking these as gal is! my interpretatin! percent f cverage f level f number f cst f...? example / Szenes 86

44 special gals - "evaluative" gals / COBIT 5 -? the metrics e.g. let's take Figure 7. IT-related Gal Sample Metrics frm the bk: Enabling Prcesses - COBIT 5... (see references): this is a table with these clumns: (Bsc) dimensins / IT-related Gal / Metric - let's take this rw f the table: dim.: financial / IT-related gal: Realised benefits frm IT-enabled investments Metric clumn is this: Percent f IT-enabled investments where benefit realisatin is mnitred thrugh the full ecnmic life cycle Percent f IT services where expected benefits are realised Percent f IT-enabled investments where claimed benefits are met r exceeded Szenes 87 the imprtant characteristics f [crprate peratins] in COSO the imprtant characteristics f [crprate peratins] - COSO [az intézményi tevékenység] COSO szerinti fnts jellemzői the fiduciary frmulatin f the Treadway Cmmissin - COSO : effectiveness and efficiency f peratins reliability f financial reprting cmpliance t the applicable laws and regulatins COSO versus the usual:. /. Szenes 88

45 the infrmatin [quality] criteria in COSO COSO requirements: quality + fiduciary + security where: quality: quality - cst - delivery fiduciary: effectiveness and efficiency f peratins reliability f financial reprting cmpliance with laws and regulatins security: availability - cnfidentiality - integrity in Hungarian: Szenes 89 az infrmatikai [minőségi] kritériumk a COSO-ban a COSO követelményei: minőség + bizalmi fedezet + biztnság ezek jelentése itt: minőségi szempntk: minőség - költség - kiszállíttt eredmény bizalmi fedezet ("kibcsátó" iránti bizalmn alapuló) a műveletek célravezetőek és eredményesek a pénzügyi jelentések megbízhatóak a törvényeknek és szabályzásnak való megfelelés biztnság: rendelkezésre állás - bizalmasság - sértetlenség Szenes 90

46 basic audit ntins - cntrl bjective warning: missing frm COBIT 5 - COBIT 5-ből hiányzik fficial cntrl bjectives: generic best practice management bjectives fr all IT activities IT cntrl bjective: statement f the desired result r purpse t be achieved by implementing cntrl prcedures in a particular IT activity. COBIT s cntrl bjectives are the [rather :a kind f! ] minimal requirements fr [the geffective cntrl f each IT prcess. (this is the verb "cntrl" here) COBIT s cntrl bjectives are the minimum, that shuld be prescribed, in rder t be able t effectively implement, perate & supervise the IT prcesses. Szenes 91 basic audit ntins - cntrl bjective private interpretatin cntrl bjective: an bjective, derived frm crprate strategy generic taking best practice int cnsideratin - such an bjective that the tp management wants t achieve IT cntrl bjective: an bjective fr IT that is derived frm a generic cntrl bjective in the frm f a statement expressing a desired result. It can be achieved by implementing cntrl measures / prcedures cncerning IT activities. Szenes 92

47 ellenőrzési alapfgalmak - ellenőrzési cél hivatals ellenőrzési cél: legjbb szakmai gyakrlatt követő általáns cél, amit az IT-nek tűz ki a legfelső vezetés IT ellenőrzési cél: az a kívánt eredmény v. szándék, amit az adtt IT tevékenységre vnatkzó ellenőrzési eljárással lehet elérni. Az infrmatikai flyamatk hatékny irányításáhz a COBIT ellenőrzési céljait kell teljesíteni. saját értelmezés általáns ellenőrzési cél: a legfelső vezetés az intézményi stratégiából levezetett, a legjbb szakmai gyakrlatnak megfelelő ellenőrzési célja IT ellenőrzési cél: általáns ellenőrzési célból levezetett, az infrmatikai működésre vnatkzó ellenőrzési cél. A kívánt eredményt kifejező állítás. Az infrmatikai tevékenységekre vnatkzó ellenőrzési intézkedésekkel / eljáráskkal érhető el. Szenes 93 basic audit ntins - cntrl measure / prcedure private cntrl measure / prcedure: series f measure: prcd. the rganisatinal structures with their peratinal prcedures and practices the guidelines and prcedural rulebks plicy! the technical develpments and measures designed t prvide reasnable assurance that the business bjectives will be achieved, and that undesired events will be prevented / detected / crrected preventive - detective - crrective mitigatin, t Szenes 94

48 ellenőrzési alapfgalmak - ellenőrzési intézkedés / eljárás magán ellenőrzési intézkedés / eljárás: intézkedés srzat: eljárás a szervezeti struktúrák, működési gyakrlatukkal és eljárásaikkal az irányelvek és szabályzatk plitika! a technikai fejlesztések és intézkedések amelyeket ésszerű mértékű biztsítéknak alakítttak ki az üzleti célk elérése, a nem kívánt események megakadályzása / észrevétele / kijavítása céljából megakadályzó - vizsgálati - javító hatás csökkentés Szenes 95 ellenőrzési alapfgalmak - ellenőrzési intézkedés / eljárás basic audit ntins - cntrl measure / prcedure reasnable assurance what is reasnable? that is efficient; we spend effrt, mney, HR, etc., while it is wrth t spend it ésszerű mértékű biztsíték mi az ésszerű? ami eredményes, hatékny; addig költünk, amíg megéri Szenes 96

49 basic audit ntins - cntrl bjective - COSO - ellenőrzési cél COSO cntrl bjectives: (fiduciary) effectiveness and efficiency f peratins reliability f financial reprting cmpliance t the applicable laws and regulatins ellenőrzési célk a COSO szerint: (a v.mit nyújtó fél iránti bizalmn alapuló - pl. fiduciary lan: fedezet nélküli kölcsön) az [üzleti] célknak megfelelő és eredményes működés a pénzügyi jelentések megbízhatósága az adtt esetre alkalmazható törványeknek és szabályzásnak való megfelelés Szenes 97 basic audit ntins - internal cntrl [measure] - COSO ellenőrzési intézkedés COSO internal cntrl [measure]: a prcess effected by an entity's bard f directrs management and ther persnnel designed t prvide reasnable assurance regarding the achievement f the (COSO) cntrl bjectives COSO belső ellenőrzés[i intézkedés]: az igazgatótanács a vezetőség a többi dlgzó flyamata, amelyet arra terveztek, hgy ésszerű mértékben meg lehessen biznysdni a COSO ellenőrzési célk eléréséről Szenes 98

50 predecessrs f my pillars? / s called IT resurces (COBIT COBIT 4.1) COBIT, in 1998: data: data bjects applicatin systems: manual and prgrammed prcedures technlgy: HW, perating systems, DBMS, netwrking, multimedia, etc. facilities: that "huse" the systems [and staff] peple: the staff with its skills, awareness and prductivity... COBIT 4.1, in 2007: rganisatin: netwrk f interacting peple prcess:structured activities created t achieve a given utcme technlgy: practical applicatin f knwledge peple: human resurces - including the utsurce partners! these are nt the exact definitins! Szenes 99 predecessrs f my pillars? / COBIT 5 "enablers" - alaptényezők? COBIT 5 "enablers" are factrs that, individually and cllectively, influence whether smething will wrk in this case, gvernance and management f enterprise IT surce: a 2012 ISACA bk n Enabling Prcesses - see References here Achieving IT-related gals requires the successful applicatin and use f a number f enablers. Enablers include: Principles, plicies and framewrks are the vehicles t translate a desired behaviur int practical guidance fr day-t-day management. Prcesses describe an rganised set f practices and activities t achieve certain bjectives and prduce a set f utputs in supprt f achieving verall IT-related gals.. /. Szenes 100

51 COBIT 5 "enablers" - cnt'd COBIT 5 "enablers" - cnt'd Organisatinal structures are the key decisin-making entities in an enterprise. Culture, ethics and behaviur f individuals and the enterprise are ften underestimated as a success factr in gvernance and management activities. Infrmatin is pervasive thrughut any rganisatin and includes all infrmatin prduced and used by the enterprise. Infrmatin is required fr keeping the rganisatin running and well gverned, but at the peratinal level, infrmatin is ften the key prduct f the enterprise.. /. Szenes 101 COBIT 5 "enablers" - cnt'd COBIT 5 "enablers" - cnt'd Services, infrastructure and applicatins include the infrastructure, technlgy and applicatins that prvide the enterprise with IT prcessing and services. Peple, skills and cmpetencies are linked t peple and are required fr successful cmpletin f all activities and fr making crrect decisins and taking crrective actins. Fr each enabler a set f specific, relevant gals can be defined in supprt f the IT-related gals. Szenes 102

52 example fr cntrl bjective and cntrl measure példa ellenőrzési célra és ellenőrzési intézkedésre a COBIT 34 infrmatikai flyamatából egy: AI2 Acquire and Maintain Applicatin Sftware Alkalmazói rendszerek beszerzése és karbantartása egy COBIT szerinti ellenőrzési cél az ehhez rendelt 10-ből: AI2.6 Majr Upgrades t Existing Systems hzzá van fűzve a cntrl prcedure: In the event f majr changes t existing systems that result in significant change in current designs and/r functinality, fllw a similar develpment prcess as that used fr the develpment f new systems. Szenes 103 example fr cntrl bjective and cntrl measure példa ellenőrzési célra és ellenőrzési intézkedésre példa fejlesztési ellenőrzési intézkedésekre: a fejlesztés minden fázisában jóváhagyandó: a rendszer funkcinalitása megfelel a tervezési specifikációnak, a fejlesztési és a dkumentációs szabványknak, és a minőségi követelményeknek a váltztatási igények jóváhagyása utsurce esetén: jgi, szerződési követelmények kezelése Szenes 104