Description
With the current emphasis on enterprise governance, successful organizations are integrating IT with business strategies to achieve their objectives, optimize information value and capitalize on today’s technologies. To that end, COBIT®, the internationally recognized set of IT management best practices, provides a powerful framework for IT governance, control and audit. In this three-day seminar, you will review the COBIT® 5 Framework and focus on how you can use this globally recognized framework to evaluate the effectiveness of IT activities. You will explore the significant changes incorporated in COBIT 5 that can be applied when executing IT audits. You will also discover how to use COBIT 5 in conjunction with other internationally recognized standards and frameworks.
As examples during the seminar, you will explore using COBIT 5 to plan and execute audits for IT governance, risk management, security management and business continuity. As a result of these exercises, you will fully understand how to use COBIT 5 to perform a process capability assessment and how to integrate COBIT 5 into your audit activities.
Prerequisite: IT Auditing and Controls (ITG101), IT Audit School (ITG121) or equivalent experience
Advanced Preparation: None
Learning Level: Intermediate
Field: Auditing
Delivery Method: Group Live
What you will learn
1. COBIT® Background
• COBIT® history
• COBIT® Version 4.1
• COBIT® 4.1 Control Practices & Assurance Guide
2. Summary of COBIT® 5
• COBIT® 5 significant changes
• COBIT® 5 principles
- meeting stakeholder needs
- covering the enterprise end-to-end
- applying a Single Integrated Framework
- enabling a holistic approach
- separating governance / management
• COBIT® 5 enabling processes
• enabling processes vs. control objectives
• goals cascade
• RACI charts
• inputs and outputs
• process capability model
• mapping COBIT® 4.1 to COBIT® 5
3. International Security Standards and Frameworks
• using COBIT® 5 in conjunction with other standards and frameworks
• IIA Global Technology Audit Guides
• ISO 27001–ISMS–Information Security Management System
• ISO 27002–Security Code of Practice
• ISO 27005–Security Risk Management
• ITIL–IT Infrastructure Library
• FISMA–FIPS 199, NIST 800-53
4. Assessing IT Governance using COBIT® 5
• IIA governance definitions
• defining IT governance
• linking enterprise and IT governance
• IT governance practices
• ISO 38500–Corporate Governance of IT
• governance frameworks, standards and guidelines
• using COBIT® 5 to assess IT governance
• COBIT® 5–Evaluate, Direct and Monitor (EDM)
- EDM–01–Ensure Governance Framework Setting and Maintenance
- EDM–02–Ensure Benefits Delivery
- EDM–03–Ensure Risk Optimisation
- EDM–04–Ensure Resource Optimisation
- EDM–05–Ensure Stakeholder Transparency
5. Risk Management
• risk definitions & risk analysis
• COSO Risk Assessment Definitions
• COSO Enterprise Risk Management
• COBIT® 5 Risk Management
• COBIT® 5–EDM-03–Ensure Risk Optimization
- 03.01–Evaluate Risk Management
- 03.02–Direct Risk Management
- 03.03–Monitor Risk Management
• COBIT® 5–APO–12–Manage Risk
- 12.01–Collect Data
- 12.02–Analyze Risk
- 12.03–Maintain a Risk Profile
- 12.04–Articulate Risk
- 12.05–Define a Risk Management Action Portfolio
- 12.06–Respond to Risk
• IIA GTAG–Developing the IT Audit Plan
• ISACA–Risk IT Framework
• ISO 27001–ISMS Risk Assessment / Management
• ISO 27002–Section 4–Risk Assessment
• ISO 27005–Information Security Risk Management
• NIST 800-30–Risk Management Guide for IT Systems
• ISACA Risk Standards / Guidelines
6. Security Management
• COBIT® 5 Security Management
• COBIT® 5–APO-13–Manage Security
- 13.01–Establish and Maintain an ISMS
- 13.02–Define and Manage an Information Security Risk Treatment Plan
- 13.03–Monitor and Review the ISMS
• COBIT® 5–DSS-05–Manage Security Services
- 05.01–Protect Against Malware
- 05.02–Manage Network and Connectivity Security
- 05.03–Manage Endpoint Security
- 05.04–Manage User Identity and Logical Access
- 05.05–Manage Physical Access to IT Assets
- 05.06–Manage Sensitive Documents and Output Devices
- 05.07–Monitor the Infrastructure for Security Related Events
• COBIT® 5 for Information Security
- security processes enablers
- organizational structures enablers
- information security responsibilities
- culture, ethics and behavior enablers
- desirable information security behaviors
- services, infrastructure and applications enablers
- people, skills and competencies enablers
• Information Security Resources
- IIA GTAG
- ISO 27001–ISMS Security Management
- ISO 27002–Security Code of Practice
- NIST 800-53–Security Controls
7. Manage Continuity
• COBIT® 5 DSS-04–Manage Continuity
- 04.01–Define the Business Continuity Policy Objectives and Scope
- 04.02–Maintain a Continuity Strategy
- 04.03–Develop and Implement a Business Continuity Response
- 04.04–Exercise, Test and Review the BCP
- 04.05–Review, Maintain and Improve the Continuity Plan
- 04.06–Conduct Continuity Plan Training
- 04.07–Manage Backup Arrangements
- 04.08–Conduct Post-Resumption Review
• IIA GTAG–Business Continuity Management
• ISO 27002–Section 14–Business Continuity Management
• NIST 800-53–Section CP–Contingency Planning
8. Integrating the COBIT 5 Process Capability Model
• the six capability levels
• the nine attributes
• the rating scale
• Scoping and the Process Assessment Model (PAM)
• implementing a Process Reference Model with COBIT® 5
9. COBIT® Related Resources
• COBIT® 5 Product Family
• Self-Assessment Guide: Using COBIT 5
• Process Assessment Model: Using COBIT 5
• risk IT framework
• Val IT™ Framework
• IT Assurance Framework™ (ITAF™)
• board briefing on IT governance