
COBIT IT Assessment Tool/Audit - Best Practice Help


Source: www.itilhelp.com


Introduction

The goal of information technology certification programs is to provide alignment of the IT infrastructure with the business goals of the corporation:

- Optimal configurations: for performance and return on investment
- Scalability and flexibility: to meet rapidly growing or changing business conditions
- Performance engineering: for mission-critical systems
- Predictable cost control: for projects, operations and planning
- Risk analysis: for information technology and capital investment

This assessment/audit tool contains, within 4 areas of IT control, a total of 34 high-level control objectives:

- Planning and Organization - IT Controls
- Acquisition and Implementation - IT Controls
- Delivery and Support - IT Controls
- Monitoring - IT Controls

This assessment/audit tool's detailed-control statements are graded on a scale of 0-5:

0 Non-existent - no recognizable process
1 Initial - no standardized process
2 Repeatable - standardized process in place
3 Defined - policy/procedures are standardized and documented
4 Managed - compliance monitors are in place and utilized
5 Optimized - processes are refined

Overview

Three levels of IT management (domains; processes; activities and tasks) utilize IT resources (people, application systems, technology, facilities, data) to produce information that is measured by criteria (quality, fiduciary, security).

- Domains are management groupings within an organization's structure (division).
- Processes are joined activities/tasks with natural control breaks (department).
- Activities are joined tasks with a defined life cycle designed to produce a measurable result(s).
- Tasks are discrete actions required to achieve measurable business goals.

Note: activities and tasks require a different type of control than domains and processes.

This assessment tool is based on the COBIT Framework for certification of performance in the management, security and control of information technology, as developed by the IT Governance Institute. COBIT is an acronym which stands for "Control Objectives for Information and related Technology".

Planning and Organization - IT Controls

High-Level Control Statements

PO1 Define a Strategic IT Plan
PO2 Define the Information Architecture
PO3 Define the Technological Direction
PO4 Define the IT Organization and Relationships
PO5 Manage the IT Investment
PO6 Communicate Management Aims and Direction
PO7 Manage Human Resources
PO8 Ensure Compliance with External Requirements
PO9 Assess Risks
PO10 Manage Projects
PO11 Manage Quality

Detailed Control Objectives

PO1 Define a Strategic IT Plan
- IT as Part of the Organization's Long- and Short-Range Plan
- IT Long-Range Plan
- IT Long-Range Planning - Approach and Structure
- IT Long-Range Plan Changes
- Short-Range Planning for the IT Function
- Communication of IT Plans
- Monitoring and Evaluation of IT Plans
- Assessment of Existing Systems

PO2 Define the Information Architecture
- Information Architecture Model
- Corporate Data Dictionary and Data Syntax Rules
- Data Classification Scheme
- Security Levels

PO3 Determine Technological Direction
- Technological Infrastructure Planning
- Monitoring Future Trends and Regulations
- Technological Infrastructure Contingency
- Hardware and Software Acquisition Plans
- Technology Standards

PO4 Define the IT Organization and Relationships
- IT Planning or Steering Committee
- Organizational Placement of the IT Function
- Review of Organizational Achievements
- Roles and Responsibilities
- Responsibility for Quality Assurance
- Responsibility for Logical and Physical Security
- Ownership and Custodianship
- Data and System Ownership
- Supervision
- Segregation of Duties
- IT Staffing
- Job or Position Descriptions for IT Staff
- Key IT Personnel
- Contracted Staff Policies and Procedures
- Relationships

PO5 Manage the IT Investment
- Annual IT Operating Budget
- Cost and Benefit Monitoring
- Cost and Benefit Justification

PO6 Communicate Management Aims and Direction
- Positive Information Control Environment
- Management's Responsibility for Policies
- Communication of Organizational Policies
- Policy Implementation Resources
- Maintenance of Policies
- Compliance with Policies, Procedures and Standards
- Quality Commitment
- Security and Internal Control Framework Policy
- Intellectual Property Rights
- Issue-Specific Policies
- Communication of IT Security Awareness

PO7 Manage Human Resources
- Personnel Recruitment and Promotion
- Personnel Qualifications
- Roles and Responsibilities
- Personnel Training
- Cross-Training or Staff Back-up
- Personnel Clearance Procedures
- Employee Job Performance Evaluation
- Job Change and Termination

PO8 Ensure Compliance with External Requirements
- External Requirements Review
- Practices and Procedures for Complying with External Requirements
- Safety and Ergonomic Compliance
- Privacy, Intellectual Property and Data Flow
- Electronic Commerce
- Compliance with Insurance Contracts

PO9 Assess Risks
- Business Risk Assessment
- Risk Assessment Approach
- Risk Identification
- Risk Measurement
- Risk Action Plan
- Risk Acceptance
- Safeguard Selection
- Risk Assessment Commitment

PO10 Manage Projects
- Project Management Framework
- User Department Participation in Project Initiation
- Project Team Membership and Responsibilities
- Project Definition
- Project Approval
- Project Phase Approval
- Project Master Plan
- System Quality Assurance Plan
- Planning of Assurance Methods
- Formal Project Risk Management
- Test Plan
- Training Plan
- Post-Implementation Review Plan

PO11 Manage Quality
- General Quality Plan
- Quality Assurance Approach
- Quality Assurance Planning
- Quality Assurance Review of Adherence to IT Standards and Procedures
- System Development Life Cycle Methodology
- System Development Life Cycle Methodology for Major Changes to Existing Technology
- Updating of the System Development Life Cycle Methodology
- Coordination and Communication
- Acquisition and Maintenance Framework for the Technology Infrastructure
- Third-Party Implementor Relationships
- Program Documentation Standards
- Program Testing Standards
- System Testing Standards
- Parallel/Pilot Testing
- System Testing Documentation
- Quality Assurance Evaluation of Adherence to Development Standards
- Quality Assurance Review of the Achievement of IT Objectives
- Quality Metrics
- Reports of Quality Assurance Reviews

Acquisition and Implementation - IT Controls

High-Level Control Statements

AI1 Identify Automated Solutions
AI2 Acquire and Maintain Application Software
AI3 Acquire and Maintain Technology Infrastructure
AI4 Develop and Maintain Procedures
AI5 Install and Accredit Systems
AI6 Manage Changes

Detailed Control Objectives

AI1 Identify Automated Solutions
- Definition of Information Requirements
- Formulation of Alternative Courses of Action
- Formulation of Acquisition Strategy
- Third-Party Service Requirements
- Technological Feasibility Study
- Economic Feasibility Study
- Information Architecture
- Risk Analysis Report
- Cost-Effective Security Controls
- Audit Trails Design
- Ergonomics
- Selection of System Software
- Procurement Control
- Software Product Acquisition
- Third-Party Software Maintenance
- Contract Application Programming
- Acceptance of Facilities
- Acceptance of Technology

AI2 Acquire and Maintain Application Software
- Design Methods
- Major Changes to Existing Systems
- Design Approval
- File Requirements Definition and Documentation
- Program Specifications
- Source Data Collection Design
- Input Requirements Definition and Documentation
- Definition of Interfaces
- User-Machine Interface
- Processing Requirements Definition and Documentation
- Output Requirements Definition and Documentation
- Controllability
- Availability as a Key Design Factor
- IT Integrity Provisions in Application Program Software
- Application Software Testing
- User Reference and Support Materials
- Reassessment of System Design

AI3 Acquire and Maintain Technology Infrastructure
- Assessment of New Hardware and Software
- Preventive Maintenance for Hardware
- System Software Security
- System Software Installation
- System Software Maintenance
- System Software Change Controls
- Use and Monitoring of System Utilities

AI4 Develop and Maintain Procedures
- Operational Requirements and Service Levels
- User Procedures Manual
- Operations Manual
- Training Materials

AI5 Install and Accredit Systems
- Training
- Application Software Performance Sizing
- Implementation Plan
- System Conversion
- Data Conversion
- Testing Strategies and Plans
- Testing of Changes
- Parallel/Pilot Testing Criteria and Performance
- Final Acceptance Test
- Security Testing and Accreditation
- Operational Test
- Promotion to Production
- Evaluation of Meeting User Requirements
- Management's Post-Implementation Review

AI6 Manage Changes
- Change Request Initiation and Control
- Impact Assessment
- Control of Changes
- Emergency Changes
- Documentation and Procedures
- Authorized Maintenance
- Software Release Policy
- Distribution of Software

Delivery and Support - IT Controls

High-Level Control Statements

DS1 Define and Manage Service Levels
DS2 Manage Third-Party Services
DS3 Manage Performance and Capacity
DS4 Ensure Continuous Service
DS5 Ensure Systems Security
DS6 Identify and Allocate Costs
DS7 Educate and Train Users
DS8 Assist and Advise Customers
DS9 Manage the Configuration
DS10 Manage Problems and Incidents
DS11 Manage Data
DS12 Manage Facilities
DS13 Manage Operations

Detailed Control Objectives

DS1 Define and Manage Service Levels
- Service Level Agreement Framework
- Aspects of Service Level Agreements
- Performance Procedures
- Monitoring and Reporting
- Review of Service Level Agreements and Contracts
- Chargeable Items
- Service Improvement Program

DS2 Manage Third-Party Services
- Supplier Interfaces
- Owner Relationships
- Third-Party Contracts
- Third-Party Qualifications
- Outsourcing Contracts
- Continuity of Services
- Security Relationships
- Monitoring

DS3 Manage Performance and Capacity
- Availability and Performance Requirements
- Availability Plan
- Monitoring and Reporting
- Modeling Tools
- Proactive Performance Management
- Workload Forecasting
- Capacity Management of Resources
- Resources Availability
- Resources Schedule

DS4 Ensure Continuous Service
- IT Continuity Framework
- IT Continuity Plan Strategy and Philosophy
- IT Continuity Plan Contents
- Minimizing IT Continuity Requirements
- Maintaining the Continuity Plan
- Testing the IT Continuity Plan
- IT Continuity Plan Training
- IT Continuity Plan Distribution
- User Department Alternative Processing Back-up Procedures
- Critical IT Resources
- Back-up Site and Hardware
- Off-site Back-up Storage
- Wrap-up Procedures

DS5 Ensure Systems Security
- Manage Security Measures
- Identification, Authentication and Access
- Security of Online Access to Data
- User Account Management
- Management Review of User Accounts
- User Control of User Accounts
- Security Surveillance
- Data Classification
- Central Identification and Access Rights Management
- Violation and Security Activity Reports
- Incident Handling
- Re-accreditation
- Counter-party Trust
- Transaction Authorization
- Non-Repudiation
- Trusted Path
- Protection of Security Functions
- Cryptographic Key Management
- Malicious Software Prevention, Detection and Correction
- Firewall Architectures and Connections with Public Networks
- Protection of Electronic Value

DS6 Identify and Allocate Costs
- Chargeable Items
- Costing Procedures
- User Billing and Charge-back Procedures

DS7 Educate and Train Users
- Identification of Training Needs
- Training Organization
- Security Principles and Awareness Training

DS8 Assist and Advise Customers
- Help Desk
- Registration of Customer Queries
- Customer Query Escalation
- Monitoring of Clearance
- Trend Analysis and Reporting

DS9 Manage the Configuration
- Configuration Recording
- Configuration Baseline
- Status Accounting
- Configuration Control
- Unauthorized Software
- Software Storage
- Configuration Management Procedures
- Software Accountability

DS10 Manage Problems and Incidents
- Problem Management System
- Problem Escalation
- Problem Tracking and Audit Trail
- Emergency and Temporary Access Authorizations
- Emergency Processing Priorities

DS11 Manage Data
- Data Preparation Procedures
- Source Document Authorization Procedures
- Source Document Data Collection
- Source Document Error Handling
- Source Document Retention
- Data Input Authorization Procedures
- Accuracy, Completeness and Authorization Checks
- Data Input Error Handling
- Data Processing Integrity
- Data Processing Validation and Editing
- Data Processing Error Handling
- Output Handling and Retention
- Output Distribution
- Output Balancing and Reconciliation
- Output Review and Error Handling
- Security Provision for Output Reports
- Protection of Sensitive Information During Transmission and Transport
- Protection of Disposed Sensitive Information
- Storage Management
- Retention Periods and Storage Terms
- Media Library Management System
- Media Library Management Responsibilities
- Back-up and Restoration
- Back-up Jobs
- Back-up Storage
- Archiving
- Protection of Sensitive Messages
- Authentication and Integrity
- Electronic Transaction Integrity
- Continued Integrity of Stored Data

DS12 Manage Facilities
- Physical Security
- Low Profile of the IT Site
- Visitor Escort
- Personnel Health and Safety
- Protection Against Environmental Factors
- Uninterruptible Power Supply

DS13 Manage Operations
- Processing Operations Procedures and Instructions Manual
- Start-up Process and Other Operations Documentation
- Job Scheduling
- Departures from Standard Job Schedules
- Processing Continuity
- Operations Logs
- Safeguard Special Forms and Output Devices
- Remote Operations

Monitoring - IT Controls

High-Level Control Statements

M1 Monitor the Processes
M2 Assess Internal Control Adequacy
