02. COBIT 4.1 and ISO 17799
Jun 12, 2015
Mulyadi Yusuf

Page 1: 02. COBIT 4.1 and ISO 17799

COBIT 4.1

ISO17799 - 2005

Page 2

Page 3

CIA Examination, How Difficult Is It?

BPKP internal selection, by year:

Year        | Participants | Unit of origin                              | Passed  | %   | Time to pass the exam
2010        | 30           | NA                                          | 3       | 10% | NA
2012        | 30           |                                             | 3       | 10% |
            | 8            | Pusdiklatwas, Widyaiswara                   | 0       |     |
            | 9            | Deputi AN, PFA and Kasubdit                 | 2 (PFA) |     | 1 immediately, 1 after > 6 months
            | 2            | DKI Jakarta, PFA                            | 1 (PFA) |     | 1 after > 3 months
            | 11           | Other representative offices, PFA and Kabid | 0       |     |
Self-funded | NA           | Deputi 1, PFA 2                             | NA      |     | > 1 year

Page 4

COBIT: Control Objectives for Information and related Technology. It represents the consensus of experts and is published by ITGI.

The IT Governance Institute (ITGI, www.itgi.org) was established in 1998 to advance international thinking and standards in directing and controlling an enterprise’s IT.

ITGI: COBIT as the IT governance framework
COSO: ICIF as the internal control framework
ISO: ISO 31000 as the risk management framework

Page 5

Executive Overview

IT governance is the responsibility of executives and the board of directors. It consists of the leadership, organisational structures and processes that ensure that the enterprise’s IT supports and develops the organisation’s objectives and strategies.

COBIT supports IT governance by providing a framework to ensure that:

IT is aligned with the business
IT resources are used responsibly
IT transparency is achieved through performance measurement
IT risks are managed appropriately
IT enables the business and maximises benefits

Page 6

COBIT Content Diagram

Page 7

All COBIT components are interrelated, providing support for the governance, management, control and assurance needs of different audiences.

[Figure: COBIT content diagram. Elements: business goals, IT goals, IT processes, key activities, information requirements, control objectives, control outcome tests, control design tests, control practices, responsibilities and accountabilities chart, performance indicators, outcome measures, maturity models. Relationships shown: derived from, broken down into, measured by, audited with, controlled by, performed by, implemented with, based on; for performance, for maturity, for outcome.]

Page 8

Page 9

Overall COBIT Framework

BUSINESS OBJECTIVES and GOVERNANCE OBJECTIVES

INFORMATION CRITERIA: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability

IT RESOURCES: Applications, Information, Infrastructure, People

PLAN AND ORGANISE
PO1 Define a strategic IT plan.
PO2 Define the information architecture.
PO3 Determine technological direction.
PO4 Define the IT processes, organisation and relationships.
PO5 Manage the IT investment.
PO6 Communicate management aims and direction.
PO7 Manage IT human resources.
PO8 Manage quality.
PO9 Assess and manage IT risks.
PO10 Manage projects.

ACQUIRE AND IMPLEMENT
AI1 Identify automated solutions.
AI2 Acquire and maintain application software.
AI3 Acquire and maintain technology infrastructure.
AI4 Enable operation and use.
AI5 Procure IT resources.
AI6 Manage changes.
AI7 Install and accredit solutions and changes.

DELIVER AND SUPPORT
DS1 Define and manage service levels.
DS2 Manage third-party services.
DS3 Manage performance and capacity.
DS4 Ensure continuous service.
DS5 Ensure systems security.
DS6 Identify and allocate costs.
DS7 Educate and train users.
DS8 Manage service desk and incidents.
DS9 Manage the configuration.
DS10 Manage problems.
DS11 Manage data.
DS12 Manage the physical environment.
DS13 Manage operations.

MONITOR AND EVALUATE
ME1 Monitor and evaluate IT performance.
ME2 Monitor and evaluate internal control.
ME3 Ensure compliance with external requirements.
ME4 Provide IT governance.

Page 10

How COBIT Meets The Need

A control framework for IT governance defines the reasons IT governance is needed, the stakeholders, and what it needs to accomplish.

In response to these needs, the COBIT framework was created with the main characteristics of being:

business-focused,
process-oriented,
controls-based, and
measurement-driven.

[Figure: Basic COBIT Principle. Business requirements drive the investment in IT resources, which are used by IT processes to deliver enterprise information, which in turn responds to the business requirements.]

Page 11

Business-Focused

Business orientation is the main theme of COBIT, which is designed (1) to be employed by IT service providers, users and auditors, and (2) to provide comprehensive guidance for management and business process owners.

COBIT’S INFORMATION CRITERIA

To satisfy business objectives, information needs to conform to certain control criteria, which COBIT refers to as the business requirements for information. The information criteria are defined as follows:

1. Effectiveness: information being relevant and pertinent to the business process, as well as being delivered in a timely, correct, consistent and usable manner.

2. Efficiency: the provision of information through the optimal (most productive and economical) use of resources.

3. Confidentiality: the protection of sensitive information from unauthorised disclosure.

4. Integrity: the accuracy and completeness of information, as well as its validity.

5. Availability: information being available when required by the business process, now and in the future.

6. Compliance: complying with laws, regulations and contractual arrangements.

7. Reliability: the provision of appropriate information for management to operate the entity and exercise its fiduciary and governance responsibilities.

Page 12

Business-Focused

BUSINESS GOALS AND IT GOALS

Defining a set of business goals and IT goals provides a business-related and refined basis for establishing business requirements and developing measurements.

[Figure: Defining IT Goals and Enterprise Architecture for IT; IT resources.]

Page 13

Process-Oriented

An operational model is the initial step toward good governance; it also provides a framework for measuring and monitoring IT performance, communicating with service providers and integrating best management practices.

Within the COBIT framework, the generic process model falls within four domains:

Plan and Organise (PO): provides direction to solution delivery (AI) and service delivery (DS).
Acquire and Implement (AI): provides solutions and passes them on to be turned into services.
Deliver and Support (DS): receives the solutions and makes them usable for end users.
Monitor and Evaluate (ME): monitors all processes to ensure that the direction provided is followed.

The Four Interrelated Domains of COBIT: Plan and Organise; Acquire and Implement; Deliver and Support; Monitor and Evaluate.

Page 14

Process-Oriented

PLAN AND ORGANISE (PO)

PO covers strategy and tactics, and concerns the identification of the way IT can best contribute to the achievement of business objectives.

ACQUIRE AND IMPLEMENT (AI)

IT solutions need to be identified, developed or acquired, implemented and integrated into the business process. Changes in and maintenance of existing systems are also covered.

DELIVER AND SUPPORT (DS)

DS is concerned with the actual delivery of services, which includes management of security and continuity, service support, and management of data and facilities.

MONITOR AND EVALUATE (ME)

ME addresses performance management, monitoring of internal control, regulatory compliance and governance.

Across these four domains, COBIT has identified 34 IT processes that are generally used (refer to figure 22 for the complete list).

Page 15

Controls-Based

PROCESSES NEED CONTROLS

IT control objectives provide a complete set of high-level requirements to be considered by management for the effective control of each IT process. They:

Are statements of managerial actions to increase value or reduce risk.
Consist of policies, procedures, practices and organisational structures.
Provide reasonable assurance that business objectives will be achieved.

Management needs to make choices relative to these control objectives by:

Selecting those that are applicable;
Deciding upon those that will be implemented;
Choosing how to implement them (frequency, span, automation, etc.);
Accepting the risk of not implementing.

A standard control has an analogy in a heating system: when the room temperature (the standard) for the heating system (the process) is set, the system will check (compare) the ambient room temperature (the control information) and will signal (act) the heating system to provide more or less heat.

Page 16

Controls-Based

PROCESSES NEED CONTROLS

To achieve effective governance, controls need to be implemented by operational managers within a defined control framework for all IT processes.

The control objectives are identified by a two-character domain reference (PO, AI, DS and ME) plus a process number and a control objective number. In addition to the control objectives, each process has generic control requirements that are identified by PCn (process control number).

PC1 Process Goals and Objectives

Define and communicate specific, measurable, actionable, realistic, results-oriented and timely (SMARRT) process goals and objectives. Ensure that they are linked to the business goals and supported by suitable metrics.

PC2 Process Ownership

Assign an owner for each IT process, and clearly define the roles and responsibilities of the process owner. Include, for example, responsibility for process design, interaction, accountability, measurement, and identification of improvements.

Page 17

Controls-Based

PROCESSES NEED CONTROLS

PC3 Process Repeatability

Design and establish each key IT process such that it is repeatable and consistently produces the expected results.

PC4 Roles and Responsibilities

Define the key activities and end deliverables of the process. Assign and communicate unambiguous roles and responsibilities for the effective and efficient execution of the key activities and their documentation, as well as accountability.

PC5 Policy, Plans and Procedures

Define and communicate how all policies, plans and procedures that drive an IT process are documented, reviewed, maintained, approved, stored, communicated and used for training.

PC6 Process Performance Improvement

Identify a set of metrics that provides insight into the outcomes and performance of the process. Establish targets that reflect the process goals, and performance indicators that enable the achievement of the process goals.

Page 18

Controls-Based

BUSINESS AND IT CONTROLS

The enterprise’s system of internal control impacts IT at three levels:

1. At the executive management level:

The overall approach to governance and control is established by the board and communicated throughout the enterprise. The IT control environment is directed by this top-level set of objectives and policies.

2. At the business process level:

Most business processes are automated and integrated with IT application systems, resulting in many of the controls at this level being automated; these are known as application controls. However, some controls within the business process remain manual procedures, such as authorisation for transactions and separation of duties.

3. To support the business processes:

IT provides IT services, in a shared service to many business processes, and much of the IT infrastructure is provided as a common service (e.g., networks, databases, operating systems and storage). The controls applied to all IT service activities are known as IT general controls. Poor change management, for instance, could jeopardise the reliability of automated integrity checks.

Page 19

Controls-Based

IT GENERAL CONTROLS AND APPLICATION CONTROLS

General controls: controls embedded in IT processes and services; they include systems development, change management, security and computer operations.

Application controls: controls embedded in business process applications; they include completeness, accuracy, validity, authorisation and segregation of duties.

The design and implementation of automated application controls is the responsibility of IT, is covered in the AI domain, and is based on COBIT’s information criteria. The operational management and control responsibility for application controls does not lie with IT but with the business process owner.

Hence, the responsibility for application controls is an end-to-end joint responsibility between business and IT, but the nature of the responsibilities changes as follows:

The business is responsible to properly:

– Define functional and control requirements
– Use automated services

IT is responsible to:

– Automate and implement business functional and control requirements
– Establish controls to maintain the integrity of application controls.

Page 20

Page 21

Controls-Based

The following list provides a recommended set of Application Control objectives:

AC1 Source Data Preparation and Authorisation

Ensure that source documents are prepared by authorised and qualified personnel following established procedures, taking into account adequate segregation of duties.

AC2 Source Data Collection and Entry

Establish that data input is performed in a timely manner by authorised and qualified staff.

AC3 Accuracy, Completeness and Authenticity Checks

Ensure that transactions are accurate, complete and valid.

AC4 Processing Integrity and Validity

Maintain the integrity and validity of data throughout the processing cycle. Detection of erroneous transactions does not disrupt the processing of valid transactions.

AC5 Output Review, Reconciliation and Error Handling

Establish procedures and responsibilities to ensure that output is delivered to the appropriate recipient and protected during transmission, and that the accuracy of output is verified and errors are detected and corrected.

AC6 Transaction Authentication and Integrity

Before passing transaction data between internal applications and business/operational functions, check it for proper addressing, authenticity of origin and integrity of content.

Page 22

Measurement-Driven

Enterprises need to measure where they are and where improvement is required, and implement a management tool kit to monitor this improvement.

COBIT deals with these issues by providing:

Maturity models to enable benchmarking and the identification of necessary capability improvements.
Performance goals and metrics for the IT processes, demonstrating how processes meet business and IT goals, and used for measuring internal process performance based on balanced scorecard (BSC) principles.
Activity goals for enabling effective process performance.

MATURITY MODELS

IT management is constantly on the lookout for benchmarking and self-assessment tools, in response to the need to know what to do in an efficient manner. This responds to three needs:

1. A relative measure of where the enterprise is
2. A manner to efficiently decide where to go
3. A tool for measuring progress against the goal.

The maturity model for management and control over IT processes is based on a method of evaluating the organisation, so that it can be rated from a maturity level of non-existent (0) to optimised (5).

Page 23

Measurement-Driven

MATURITY MODELS

The purpose is to identify where issues are and how to set priorities for improvements, not to assess the level of adherence to the control objectives.

They are not designed for use as a threshold model, where one cannot move to the next higher level without having fulfilled all conditions of the lower level.

Page 24

Measurement-Driven

Using the maturity models developed for each of COBIT’s 34 IT processes, management can identify:

The actual performance of the enterprise: where the enterprise is today
The current status of the industry: the comparison
The enterprise’s target for improvement: where the enterprise wants to be
The required growth path between ‘as-is’ and ‘to-be’.

Page 25

Measurement-Driven

Capability, coverage and control are all dimensions of process maturity.

Coverage, depth of control, and how the capability is used and deployed are cost-benefit decisions. For example, a high level of security management may have to be focused only on the most critical enterprise systems. Another example would be the choice between a weekly manual review and a continuous automated control.

Page 26

Measurement-Driven

PERFORMANCE MEASUREMENT

Goals and metrics are defined in COBIT at three levels:

1. IT goals and metrics: define what the business expects from IT and how to measure it.

2. Process goals and metrics: define what the IT process must deliver to support IT’s objectives and how to measure it.

3. Activity goals and metrics: establish what needs to happen inside the process to achieve the required performance and how to measure it.

Page 27

Measurement-Driven

PERFORMANCE MEASUREMENT

Two types of metrics:

Outcome measures: indicate whether the goals have been met. These can be measured only after the fact and, therefore, are called ‘lag indicators’.

Performance indicators: indicate whether goals are likely to be met. They can be measured before the outcome is clear and, therefore, are called ‘lead indicators’.

Outcome measures of the lower level become performance indicators for the higher level. Outcome measures of the IT function are often expressed in terms of the information criteria:

Availability of information needed to support the business needs
Absence of integrity and confidentiality risks
Cost-efficiency of processes and operations
Confirmation of reliability, effectiveness and compliance

Performance indicators (or performance drivers) define measures that determine how well the business, IT function or IT process is performing in enabling the goals to be reached. They often measure the availability of appropriate capabilities, practices and skills, and the outcome of underlying activities.

Page 28

Relationship among Process, Goals and Metrics (DS5)

Level         | Goal                                                                                   | Is measured by
Business goal | Maintain enterprise reputation and leadership                                          | Number of incidents causing public embarrassment
IT goal       | Ensure that IT services can resist and recover from attacks                            | Number of actual IT incidents with business impact
Process goal  | Detect and resolve unauthorised access to information, applications and infrastructure | Number of actual incidents because of unauthorised access
Activity goal | Understand security requirements, vulnerabilities and threats                          | Frequency of review of the type of security events to be monitored

Cycle shown in the figure: define goals; measure achievement; indicate performance; improve and realign. Business metrics, IT metrics and process metrics each consist of outcome measures and performance indicators.

Page 29

ISO 17799 – 2005 (renamed/withdrawn)

Renamed as ISO 27002 – 2005 (withdrawn)

Revised with ISO 27002 - 2013

Page 30

What is ISO 17799-2005 (revised with the ISO 27000 series)

Published by the International Organisation for Standardisation (ISO).

The standard is focused on security issues and does not cover the full scope of IT management duties.

Consists of 12 security controls.

Latest series: ISO 27000 : 2013

Page 31

ISO 27000 Series: Information Security Frameworks

Page 32

ISO 27002 – Security Control

Page 33

Description and Its Content

The need for information security is based on the fact that information and related systems are important assets for organisations. As organisations face information security threats, the protection of information is essential to maintain organisational stability.

Sources for the identification of security requirements are:

Risks the organisation faces and their impact on business strategy and objectives
Legal requirements
Specific requirements, principles and objectives for information processing to support business operations

Controls should be selected and defined considering:

Legal requirements
Business requirements
Cost of implementation
Potential impact of a security breach

Page 34

Description and Its Content

When implementing a system for information security management, several critical success factors (CSFs) should be considered to ensure:

That the security policy, its objectives and its activities reflect the business objectives;
That the implementation considers the cultural aspects of the organisation;
Open support and engagement of senior management;
Thorough knowledge of security requirements, risk assessment and risk management;
That effective marketing of security targets all personnel, including members of management;
That the security policy and security measures are communicated to contracted third parties;
That sufficient and adequate funding is available;
That users are well trained;
That a comprehensive information security incident management process is established;
That a comprehensive and balanced system for performance measurement is available that supports continuous improvement by giving feedback.

ISO/IEC 17799:2005 is structured into 11 sections (security control chapters), which contain 39 main security categories.

Each main security category consists of a control objective and one or more controls to achieve the control objective.

Page 35

Information Security Control, Categories, and Controls

1. Security policy:

1) Information security policy

The information security policy should define direction and contain the commitment and support of management. The policy should be reviewed periodically and communicated throughout the organisation.

2. Organisation of information security:

2) Internal organisation
3) External parties

Information security should be supported by management. Relevant activities should be co-ordinated throughout the organisation, and responsibilities for information security should be clearly defined. Confidentiality agreements should be in place. Appropriate contacts with authorities and special interest groups should be maintained. Information security should be subject to independent review. Controls should be implemented to manage identified risks related to external parties. Outsourcing arrangements should address information security. There should be an authorisation process for information processing facilities.

Page 36

Information Security Control, Categories, and Controls

3. Asset management:

4) Responsibility for assets
5) Information classification

An inventory of assets should be made and responsibility for them assigned. Assets should have a nominated owner, and the use of assets should be based on defined rules. Information should be classified and labelled, thus ensuring an appropriate level of protection.

4. Human resources security:

6) Prior to employment
7) During employment
8) Termination or change of employment

Security requirements for employees should be identified throughout the employment life cycle. Security responsibilities, confidentiality agreements and the contract of employment should be part of the job responsibilities and the terms and conditions of employment. Adequate controls for personnel screening should be in place. Information security education and training should increase the security awareness of all employees. A formal disciplinary process should be in place for individuals who breach the security policy. Rules for termination and change of employment should be defined and followed.

Page 37

Information Security Control, Categories, and Controls

5. Physical and environmental security:

9) Secure areas
10) Equipment security

Central equipment should be installed only within a secure area where adequate access controls and damage prevention are implemented. Equipment should be protected against loss, damage or compromise by being sited and protected in an appropriate manner. Power supplies, an adequate level of cabling security and correct maintenance of the equipment should be in place.

Equipment installed off premises and the disposal or reuse of information should be considered; authorisation for taking equipment off site is recommended.

Special attention is needed at public access, delivery and loading areas where the central equipment is installed.

Page 38

Information Security Control, Categories, and Controls

6. Communications and operations management:

11) Operational procedures and responsibilities
12) Third party service delivery management
13) System planning and acceptance
14) Protection against malicious and mobile code
15) Backup
16) Network security management
17) Media handling
18) Exchange of information
19) Electronic commerce services
20) Monitoring

Operations should follow documented procedures. All changes to facilities should be controlled. Duties should be segregated so that no individual can both initiate and authorise an event. Development and operational facilities should be separated. Risks caused by contracted organisations should be covered, and third party services should be controlled.

Page 39

Information Security Control, Categories, and Controls

6. Communications and operations management (continued):

System planning and acceptance consider capacity management and the definition of acceptance criteria.

Damage caused by malicious software and mobile code should be prevented, using preventive and detective controls, formal policies, and a defined recovery procedure.

Information should be backed up, and the backup files should be tested regularly. Networks and network services should be set up and managed with a view to ensuring the necessary level of security and service levels. Removable media should be handled with special care. Media with sensitive information should be disposed of in a secure manner. Adequate controls in information handling procedures (e.g., labelling of media, ensuring completeness of inputs, storage of media) should be considered. System documentation is to be protected, as it may contain sensitive information. Agreements for the exchange of information and software should be established, covering media in transit, e-commerce transactions, e-mail and electronic office systems. E-commerce services and their use should be controlled. Security-relevant activities should be logged and monitored, and the effectiveness of controls should be assessed.

Page 40

Information Security Control, Categories, and Controls

7. Access control:

21) Business requirement for access control
22) User access management
23) User responsibilities
24) Network access control
25) Operating system access control
26) Application and information access control
27) Mobile computing and teleworking

Access to information should be granted in accordance with business and security requirements. A formal access control policy should be in place, and access control rules should be specified. User access management should follow a formal process. User responsibilities concerning password use and protection of equipment should be clearly defined. Networked services, operating systems and applications should be protected appropriately. System access and use should be controlled, considering secure logon procedures, user identification and authentication, password management, usage of system utilities, and session time-out. Software and information access should be restricted to authorised users. Mobile computing and teleworking should be performed in a secure manner.

Page 41

Information Security Control, Categories, and Controls

8. Information systems acquisition, development and maintenance:

28) Security requirements of information systems
29) Correct processing in applications
30) Cryptographic controls
31) Security of system files
32) Security in development and support processes
33) Technical vulnerability management

Security issues should be considered when acquiring or implementing information systems, following defined requirements; security requirements should be specified. Security in application systems should take into account validation of input data, adequate controls of internal processing, message integrity and output data validation. Use of cryptographic systems should follow a defined policy and consider best practices. Security of and access to system files (including test data and program source code) should be controlled. Project and support environments should allow for security by being rigorously controlled (e.g., change management procedures, arrangements for outsourced development, information leakage). Damage through published vulnerabilities should be prevented.

Page 42

Information Security Control, Categories, and Controls

9. Information security incident management:

34) Reporting information security events and weaknesses
35) Management of information security incidents and improvements

Security events and weaknesses should be reported. Responsibilities and procedures for managing security incidents and improvements should be defined, and evidence for security incidents should be collected.

10. Business continuity management (BCM):

36) Information security aspects of business continuity management

A comprehensive BCM process should permit the prevention of interruptions to business processes. The business continuity management process should not be restricted to IT-related areas and activities. An impact analysis should be executed that results in a strategy plan. Business continuity plans should be developed following a single framework. Business continuity plans should be tested, maintained and reassessed continuously.

11. Compliance:

37) Compliance with legal requirements
38) Compliance with security policies and standards, and technical compliance
39) Information systems audit considerations

Relevant legal requirements should be identified and followed. Any unlawful act (e.g., under data protection acts) should be avoided. Compliance with the security policy should be ensured by periodic reviews.

Page 43

ISO 17799 Process

[Figure: process flow] Obtain upper management support → Define security perimeter → Create information security policy → Create information security management system → Perform risk assessment → Select and implement controls → Document in Statement of Accountability → Audit

Source: Tom Carlson; Information Security Management: Understanding ISO 17799, 2001

Page 44

Page 45

Correlation

[Figure: correlation of frameworks. Labels: IT Operational Framework; IT Security Framework; IT Governance and Control Framework; Quality Control Framework; ERM / Enterprise Control Framework; Guide Practices; Conceptual Framework.]

Page 46

[Figure: the 34 COBIT IT processes (PO1–PO10, AI1–AI7, DS1–DS13, ME1–ME4), as listed in full on page 9.]

Page 47

Mapping: COBIT – ISO 27002

Page 48

Page 49

For further information, contact: