
This topic includes the current COBIT information from the COBIT 4.0 edition.
COBIT is not specific to Information Security; it covers IT in general. COBIT provides a reference framework for management, users, IS audit, control and security practitioners, comprising 4 domains, 34 IT processes and 318 detailed control objectives.
The diagram 'COBIT - Objectives by Domain' outlines the COBIT objectives organized by the four domains.
There are several security related objectives throughout the domains, such as DS5.3 Identity Management and DS5.9 Malicious Software Prevention, Detection and Correction which are part of the DS5 Ensure System Security process. (For your convenience, PowerTech has provided links to relevant sections of the COBIT standards throughout the PowerTech Compliance Guide.)
COBIT Control Objectives
In a typical test matrix for Sarbanes-Oxley compliance, control activities are mapped to COBIT Control Objectives. Management Assertions are identified for each control activity, and a risk description is documented for each control objective. Testing is performed to determine if controls are operating as expected. This eventually leads to test results documentation and gap exposure documentation.
So What are Auditors Looking For?
Your external auditor can only provide limited guidance since Section 201 of the act restricts the type of consulting and advice that public accounting firms can provide to their clients.
In fact, many companies hire one firm to conduct the audit and another firm to provide consulting services in preparation for the audit. Many Fortune 1000 corporations are even now appointing Chief Governance Officers or Chief Risk Officers. However, the good news is that the big four firms are now using the same basic COBIT objectives as a framework to evaluate internal controls over IT.
About Testing Controls
Testing has been the most difficult SOX-related task for many companies. It is important to note that there are two things a good plan will test:
- The process works as intended (the test of the process)
- Everything follows the process (the test of the risk)
PowerTech products can help companies to comply with the COBIT objectives
After a thorough review of the COBIT objectives by PowerTech security experts, the security related objectives have been compiled here for easy reference. Click on the links in the COBIT Objectives/Topic table below to view specific objective descriptions and recommended PowerTech reports - or scroll through the entire summary of security related COBIT objectives that follows.
COBIT Objectives/Topic
- Control Self-Assessment
- Data Classification Scheme
- Technological Direction Planning
- Personnel Training
- Job Change and Termination
- Event Identification
- Risk Assessment
- Infrastructure Resource Protection and Availability
- Emergency Changes
- Identity Management
- User Account Management
- Security Testing, Surveillance and Monitoring
- Security Incident Definition
- Protection of Security Technology
- Malicious Software Prevention, Detection and Correction
- Exchange of Sensitive Data
- Physical Access
- Operations Procedures and Instructions
- Security Provision of Output Reports
- Authenticity and Integrity
Summary: COBIT 4.0 Objectives and PowerTech recommendations

Control Self-Assessment
Evaluate the completeness and effectiveness of management’s internal controls over IT processes, policies and contracts through a continuing program of self-assessment.
PowerTech Recommendations: PowerTech Compliance Monitor can generate regularly scheduled assessments of the security status of System i systems, highlighting any exceptions to corporate policy.

Data Classification Scheme
Establish a classification scheme that applies throughout the enterprise, based on the criticality and sensitivity (e.g., public, confidential, top secret) of enterprise data. This scheme includes details about data ownership, definition of appropriate security levels and protection controls, and a brief description of data retention and destruction requirements, criticality and sensitivity. It is used as the basis for applying controls such as access controls, archiving or encryption.
PowerTech Recommendations: A sound security policy is the first step in any security plan or compliance initiative. PowerTech recommends that your Information Security Policy specifically address your System i systems. The Compliance Guide (included with PowerTech Compliance Monitor) provides guidance on creating a security policy for the System i, along with a sample System i security policy.

Technological Direction Planning
Analyse existing and emerging technologies and plan which technological direction is appropriate to realise the IT strategy and the business systems architecture. Also identify in the plan which technologies have the potential to create business opportunities. The plan should address systems architecture, technological direction, migration strategies and contingency aspects of infrastructure components.

Personnel Training
Provide IT employees with appropriate orientation when hired and ongoing training to maintain their knowledge, skills, abilities, internal controls and security awareness at the level required to achieve organisational goals.
PowerTech Recommendations: PowerTech provides regular training classes and web seminars on System i security issues.

Job Change and Termination
Take expedient actions regarding job changes, especially job terminations. Knowledge transfer needs to be arranged, responsibilities reassigned and access rights removed such that risks are minimised and continuity of the function is guaranteed.
PowerTech Recommendations: The PowerTech Compliance Monitor 'Inactive Profiles' report can identify any old, unused or dormant accounts.

Event Identification
Identify any event (threat and vulnerability) with a potential impact on the goals or operations of the enterprise, including business, regulatory, legal, technology, trading partner, human resources and operational aspects. Determine the nature of the impact (positive, negative or both) and maintain this information.

Risk Assessment
Assess on a recurrent basis the likelihood and impact of all identified risks, using qualitative and quantitative methods. The likelihood and impact associated with inherent and residual risk should be determined individually, by category and on a portfolio basis.

Infrastructure Resource Protection and Availability
Implement internal control, security and auditability measures during configuration, integration and maintenance of hardware and infrastructural software to protect resources and ensure availability and integrity. Responsibilities for using sensitive infrastructure components should be clearly defined and understood by those who develop and integrate infrastructure components. Their use should be monitored and evaluated.
PowerTech Recommendations: Users with special authorities in OS/400 have responsibilities for 'sensitive infrastructure components'. Run the PowerTech Compliance Monitor 'Profiles with Special Authorities' report to learn who these users are. PowerTech Authority Broker allows you to monitor, control and audit the use of special authorities.

Emergency Changes
Establish a process for defining, raising, assessing and authorising emergency changes that do not follow the established change process. Documentation and testing should be performed, possibly after implementation of the emergency change.

DS5.3 Identity Management
All users (internal, external and temporary) and their activity on IT systems (business application, system operation, development and maintenance) should be uniquely identifiable. User access rights to systems and data should be in line with defined and documented business needs and job requirements. User access rights are requested by user management, approved by the system owner and implemented by the security-responsible person. User identities and access rights are maintained in a central repository. Cost-effective technical and procedural measures are deployed and kept current to establish user identification, implement authentication and enforce access rights.
PowerTech Recommendations: Run the PowerTech Compliance Monitor 'User' and 'Log File' reports on a regular basis.
User:
- Profiles with Expired Password
- Profiles with Default Passwords
- Profiles with Special Authorities
Log File:

User Account Management
Ensure that requesting, establishing, issuing, suspending, modifying and closing user accounts and related user privileges are addressed by user account management. An approval procedure outlining the data or system owner granting the access privileges should be included. These procedures should apply for all users, including administrators (privileged users), internal and external users, for normal and emergency cases. Rights and obligations relative to access to enterprise systems and information are contractually arranged for all types of users. Perform regular management review of all accounts and related privileges.
PowerTech Recommendations: Run the PowerTech Compliance Monitor 'User' and 'Log File' reports on a regular basis.
User:
- Profiles with Expired Password
- Profiles with Default Passwords
- Profiles with Special Authorities
Log File:
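As an added illustration (not PowerTech's code), the Python below models the checks behind the user profile reports recommended for Identity Management and User Account Management, plus the 'Inactive Profiles' report under Job Change and Termination, run over constructed IBM i-style profile records. The field names are assumptions loosely modelled on what DSPUSRPRF shows for a profile; the sample profiles, dates and the default-password flag are made up.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional, Tuple

# Assumed record layout; field names are not PowerTech's or IBM's own.
@dataclass
class UserProfile:
    name: str
    status: str                      # *ENABLED or *DISABLED
    pwd_changed: Optional[date]      # last password change (None = no password)
    pwd_exp_itv: int                 # password expiration interval in days (0 = use system value)
    prev_signon: Optional[date]      # previous sign-on date (None = never signed on)
    spcaut: Tuple[str, ...] = ()     # special authorities such as *ALLOBJ, *SECADM
    default_pwd: bool = False        # constructed flag: password equals the profile name

TODAY = date(2006, 6, 30)            # constructed date of the check run
PROFILES = [                         # constructed sample profiles
    UserProfile("QSECOFR", "*ENABLED", date(2006, 6, 1), 90, date(2006, 6, 29), ("*ALLOBJ", "*SECADM", "*AUDIT")),
    UserProfile("JSMITH", "*ENABLED", date(2006, 1, 15), 90, date(2006, 6, 28)),
    UserProfile("VENDOR1", "*ENABLED", date(2005, 3, 2), 0, date(2005, 4, 1), default_pwd=True),
    UserProfile("OPR02", "*ENABLED", date(2006, 5, 20), 0, None, ("*JOBCTL",)),
    UserProfile("TEMP99", "*DISABLED", date(2005, 12, 1), 0, date(2005, 12, 20)),
]

def expired_passwords(profiles, today=TODAY, system_itv=90):
    """Passwords older than the interval that applies: the profile's own, else the system value."""
    return [p.name for p in profiles
            if p.pwd_changed is not None
            and (today - p.pwd_changed).days > (p.pwd_exp_itv or system_itv)]

def default_passwords(profiles):
    """Profiles still carrying a default password (password equal to the profile name)."""
    return [p.name for p in profiles if p.default_pwd]

def special_authorities(profiles):
    """Every profile holding any special authority, with the authorities it holds."""
    return {p.name: list(p.spcaut) for p in profiles if p.spcaut}

def inactive_profiles(profiles, today=TODAY, max_idle_days=90):
    """Dormant profiles: never signed on, or not signed on within max_idle_days."""
    return [p.name for p in profiles
            if p.prev_signon is None or (today - p.prev_signon).days > max_idle_days]

def policy_exceptions(profiles, today=TODAY):
    """One consolidated view of the exceptions a scheduled compliance report would highlight."""
    return {"expired_password": expired_passwords(profiles, today),
            "default_password": default_passwords(profiles),
            "special_authorities": special_authorities(profiles),
            "inactive": inactive_profiles(profiles, today)}
```

Calling policy_exceptions(PROFILES) returns the four exception lists for the constructed data; adjust TODAY, system_itv and max_idle_days to match the policy you actually enforce.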
Security Testing, Surveillance and Monitoring
Ensure that IT security implementation is tested and monitored proactively. IT security should be reaccredited periodically to ensure the approved security level is maintained. A logging and monitoring function enables the early detection of unusual or abnormal activities that may need to be addressed. Access to the logging information is in line with business requirements in terms of access rights and retention requirements.
PowerTech Recommendations: OS/400-level security auditing allows you to turn on detailed auditing for system objects, including creation and deletion of the objects. PowerTech software simplifies the management and interpretation of these logs using regularly scheduled reporting.
PowerTech Compliance Monitor (release 2.0) provides comprehensive reporting of all audit information on the System i:
- Creation and deletion of objects

Security Incident Definition
Ensure that the characteristics of potential security incidents are clearly defined and communicated so security incidents can be properly treated by the incident or problem management process. Characteristics include a description of what is considered a security incident and its impact level. A limited number of impact levels are defined and for each, the specific actions required and the people who need to be notified are identified.

Protection of Security Technology
Ensure that important security-related technology is made resistant to tampering and security documentation is not disclosed unnecessarily, i.e., it keeps a low profile. However, do not make security of systems reliant on secrecy of security specifications.
PowerTech Recommendations: The OS/400 security audit journal is tamperproof: once an event has been written to the audit journal it cannot be changed.

DS5.9 Malicious Software Prevention, Detection and Correction
Ensure that preventive, detective and corrective measures are in place (especially up-to-date security patches and virus control) across the organisation to protect information systems and technology from malware (viruses, worms, spyware, spam, internally developed fraudulent software, etc.).
PowerTech Recommendations: The Save and Restore category of system values on OS/400 (QALWOBJRST, QVFYOBJRST, QFRCCNVRST) can be used to control the restoration of programs to the system. The PowerTech Compliance Monitor 'All System Values' report can be used to verify that these system values are set to their appropriate values on all systems in the enterprise. Any exceptions to corporate policy will be highlighted in a single enterprise-wide report.

Exchange of Sensitive Data
Ensure sensitive transaction data are exchanged only over a trusted path or medium with controls to provide authenticity of content, proof of submission, proof of receipt and non-repudiation of origin.
PowerTech Recommendations: PowerTech Encryption can be used to exchange sensitive data such as credit card numbers, bank account details and Social Security Numbers between partners.

Physical Access
Define and implement procedures to grant, limit and revoke access to premises, buildings and areas according to business needs, including emergencies. Access to premises, buildings and areas should be justified, authorised, logged and monitored. This applies to all persons entering the premises, including staff, temporary staff, clients, vendors, visitors or any other third party.

Operations Procedures and Instructions
Define, implement and maintain standard procedures for IT operations and ensure the operations staff is familiar with all operations tasks relevant to them. Operational procedures should cover shift handover (formal handover of activity, status updates, operational problems, escalation procedures and reports on current responsibilities) to ensure continuous operations.

Security Provision of Output Reports (Data Output Controls)
Procedures are in place to assure that the security of output reports is maintained for those awaiting distribution as well as those already distributed to users.

Authenticity and Integrity (Boundary Controls)
The authenticity and integrity of information originated outside the organisation, whether received by telephone, voice mail, paper document, fax or e-mail, are appropriately checked before potentially critical action is taken.