COSO, ITIL, ISO, and more
Jennifer F. Alfafara, CISA
Consultant
Frameworks vs Standards
What is a Framework?
Main Entry: framework
Pronunciation: \ˈfrām-ˌwərk\
Function: noun
Date: 1578
1 a: a basic conceptional structure (as of ideas) <the framework of the United States Constitution> b: a skeletal, openwork, or structural frame
2: frame of reference
3: the larger branches of a tree that determine its shape
What is a Standard?
Standard - a rule or principle that is used as a basis for judgment
GAAP (FASB) Generally Accepted Accounting Principles (Financial Accounting Standards Board)
IFRS (IASB) International Financial Reporting Standards (International Accounting Standards Board)
PCAOB (Public Companies Accounting Oversight Board) Auditing Standards
ISO/IEC 27000 (International Organization for Standardization/International Electrotechnical Commission)
Then, what is HIPAA considered?
HIPAA (American Health Insurance Portability and Accountability Act 1996) is a Guideline.
Why have frameworks been developed?
Lack of alignment between business practices and technology
Provide guidance to Corporate management to ensure they are in compliance with regulatory requirements
Why adopt a framework?
Regulatory requirement
Business requirement
Best in class
What is a Control Framework?
Control Framework - A recognized system of control categories that covers all internal controls expected in an organization.
Control Framework
To be comprehensive, the framework must:
1. Provide a favorable control environment
2. Provide for the continuing assessment of risk
3. Provide for the design, implementation, and maintenance of effective control-related policies and procedures,
Control Framework continued
SEC on Frameworks
"The COSO Framework satisfies our criteria and may be used as an evaluation framework for purposes of management's annual internal control evaluation and disclosure requirements. However, the final rules do not mandate use of a particular framework, such as the COSO Framework, in recognition of the fact that other evaluation standards exist outside of the United States, and that frameworks other than COSO may be developed within the United States in the future, that satisfy the intent of the statute without diminishing the benefits to investors."
Control Frameworks
COSO
COBIT 4.1
ITIL
ISO/IEC 27002 (Actually a Standard)
ISO/IEC 27799 (Guidelines for 27002)
COSO
Committee of Sponsoring Organizations
COSO - Committee of Sponsoring Organizations of the Treadway Commission
COSO
Who are the Sponsors?
1. American Institute of Certified Public Accountants (AICPA)
2. American Accounting Association (AAA)
3. Financial Executives Institute (FEI)
4. The Institute of Internal Auditors (IIA) and
5. The Institute of Management Accountants (IMA).
COSO Major Objectives
COSO and Healthcare
Medicare Losses
1996: $23 Billion
1999: $12 Billion, an improvement; however, $12 Billion still demands attention
Much of these losses can be attributed to abuse, fraud, and inefficiencies.
COSO (1992)
Internal Control Framework
Five Components
Monitoring
Information & Communication
Control Activities
Risk Assessment
Control Environment
COSO (2004)
Enterprise Risk Management Framework
This COSO ERM framework defines essential components, suggests a common language, and provides clear direction and guidance for enterprise risk management.
COSO (2004)
Enterprise Risk Management Framework
Eight Components
Internal Environment
Objective Setting
Event Identification
Risk Assessment
Risk Response
Control Activities
Information & Communication
Monitoring
COSO Components
Internal Environment
encompasses the tone of an organization, and sets the basis for how risk is viewed and addressed by an entity's people, including risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate.
COSO Components
Objective Setting
Objectives must exist before management
can identify potential events affecting their
achievement.
COSO Components
Event Identification
Internal and external events affecting achievement of an entity's objectives must be identified, distinguishing between risks and opportunities.
COSO Components
Risk Assessment
Analysis of risk
Consideration of likelihood and impact
How risks should be managed
COSO Components
Risk Response
Avoid Risk
Accept Risk
Reduce Risk
Share Risk
COSO Components
Control Activities
Policies and procedures are established and implemented.
COSO Components
Information and Communication
Relevant information is identified, captured, and communicated in a form and timeframe that enable people to carry out their responsibilities.
COSO Components
Monitoring
The entirety of enterprise risk management is monitored and modifications made as necessary.
Financial vs Technical Issues
HIPAA Title II Rules
Privacy Rule
Transactions and Code Sets Rule
Security Rule
Unique Identifiers Rule (National Provider Identifier)
Enforcement Rule
HIPAA & Technology
Challenges for Information Technology (IT)
Transactions and Code Sets
Privacy
Security Rules
Transactions & Code Sets (X12 Transactions)
These transactions and code sets relate to EDI (Electronic Data Interchange).
EDI - the structured transmission of data between organizations by electronic means.
There are 11 defined code sets.
Transactions & Code Sets (X12 Transactions)
EDI Health Care Claim Transaction set (837)
EDI Retail Pharmacy Claim Transaction (835)
EDI Benefit Enrollment and Maintenance Set (834)
EDI Payroll Deducted and other group Premium Payment for Insurance Products (820)
Transactions & Code Sets Rule (continued)
EDI Health Care Eligibility/Benefit Inquiry (270)
EDI Health Care Eligibility/Benefit Response (271)
EDI Health Care Claim Status Request (276)
EDI Health Care Claim Status Notification (277)
EDI Health Care Service Review Information (278)
EDI Functional Acknowledgement Transaction Set (997)
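As an added example, not part of the slides, the following Python reader shows how the transaction set identifiers listed above actually appear inside an X12 interchange: it reads the delimiters from the ISA header, finds each ST..SE pair, and applies the envelope's own integrity checks (segment count and control number). The segment layout follows the X12 envelope; the sample interchange is constructed for illustration and contains no real PHI.

```python
# ST01 identifiers of the HIPAA X12 transaction sets listed on the slides.
HIPAA_TRANSACTION_SETS = {"837", "835", "834", "820", "270", "271", "276", "277", "278", "997"}

def split_segments(interchange: str) -> list[list[str]]:
    """Split an interchange into segments (lists of elements). X12 declares its
    own delimiters: ISA is fixed-width, so the element separator is the 4th
    character and the segment terminator the 106th character of the data."""
    if not interchange.startswith("ISA") or len(interchange) < 106:
        raise ValueError("not an X12 interchange: ISA header missing or short")
    element_sep, segment_term = interchange[3], interchange[105]
    return [seg.strip().split(element_sep)
            for seg in interchange.split(segment_term) if seg.strip()]

def read_transaction_sets(interchange: str) -> list[dict]:
    """One dict per ST..SE pair (set_id, control_number, segment_count, errors),
    applying the envelope's own integrity checks: ST01 is a HIPAA set, SE01
    equals the ST..SE segment count, and SE02 repeats ST02."""
    results, current, count = [], None, 0
    for seg in split_segments(interchange):
        if seg[0] == "ST":
            current = {"set_id": seg[1], "control_number": seg[2], "segment_count": 0, "errors": []}
            count = 1
            if seg[1] not in HIPAA_TRANSACTION_SETS:
                current["errors"].append(f"ST01 {seg[1]} is not a HIPAA transaction set")
        elif current is not None:
            count += 1
            if seg[0] == "SE":
                current["segment_count"] = count
                if seg[1] != str(count):
                    current["errors"].append(f"SE01 says {seg[1]} segments, counted {count}")
                if seg[2] != current["control_number"]:
                    current["errors"].append(f"SE02 {seg[2]} != ST02 {current['control_number']}")
                results.append(current)
                current = None
    if current is not None:  # data ended inside a transaction set
        current["errors"].append("ST without matching SE")
        results.append(current)
    return results

# Constructed sample (no real PHI): a well-formed 270 eligibility inquiry, then
# a 276 claim status request whose SE01 segment count is deliberately wrong.
SAMPLE_INTERCHANGE = (
    "ISA*00*          *00*          *ZZ*SUBMITTER      *ZZ*PAYER          *230101*1200*^*00501*000000001*0*T*:~"
    "GS*HS*SUBMITTER*PAYER*20230101*1200*1*X*005010X279A1~"
    "ST*270*0001*005010X279A1~BHT*0022*13*10001234*20230101*1200~SE*3*0001~"
    "ST*276*0002*005010X212~BHT*0010*13*10001235*20230101*1200~SE*4*0002~"
    "GE*2*1~IEA*1*000000001~"
)
```

Running read_transaction_sets(SAMPLE_INTERCHANGE) returns a clean 270 record and a 276 record carrying one SE01 mismatch error.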
Privacy Rule
It establishes regulations for the use and disclosure of Protected Health Information (PHI). PHI is any information held by a covered entity which concerns health status, provision of health care, or payment for health care that can be linked to an individual.
Security Rule
Lays out three types of security safeguards
required for compliance:
Administrative Policies and Procedures
Physical Access to Protected Data
Technical Access to Computers that
store and manage protected data
Obeying the Rules
Implement Control Frameworks that facilitate compliance with the Rules
COBIT
ITIL
ISO/IEC 27002
ISO 27799
COBIT
Control Objectives for Information and Related Technology
COBIT
The Control Objectives for Information and related Technology (COBIT) is a set of best practices (framework) for information technology (IT) management created by the Information Systems Audit and Control Association (ISACA), and the IT Governance Institute (ITGI) in 1992.
COBIT Structure
Covers four domains
1. Plan and Organize (PO)
2. Acquire and Implement (AI)
3. Deliver and Support (DS)
4. Monitor and Evaluate (ME)
COBIT
Plan and Organize covers:
the use of information & technology
how best it can be used in a company to help achieve the company's goals and objectives.
also highlights the organizational and infrastructural form IT is to take in order to achieve the optimal results and to generate the most benefits from the use of IT
COBIT
Acquire and Implement covers:
Identification of IT requirements,
Acquisition of technology, and
Implementation within the company's current business processes.
COBIT
Delivery and Support covers:
The delivery aspects of the information technology
The execution of the applications within the IT system and its results,
The support processes that enable the effective and efficient execution of these IT systems. These support processes include security issues, training, Help Desk, and backup & recovery.
COBIT
Monitor and Evaluate:
Deals with a company's strategy in assessing the needs of the company
Determines whether or not the current IT system still meets the objectives for which it was designed
Identifies the controls necessary to comply with regulatory requirements.
Deals with the issue of an independent assessment of the effectiveness of the IT system in its ability to meet business objectives and the evaluation of the company's control processes by internal and external auditors.
COBIT, COSO & SOX
The most referenced control frameworks for SOX and FIEL (Financial Instruments and Exchange Law, aka JSOX)
Not all COBIT controls apply to ICFR (Internal Controls over Financial Reporting)
COBIT Lite
COBIT Lite
IT Control Objectives for Sarbanes-Oxley
ITIL
ITIL Structure
ITIL v3, published in May 2007, comprises 5 key volumes:
1. Service Strategy
2. Service Design
3. Service Transition
4. Service Operation
5. Continual Service Improvement
ITIL
ITIL is owned and maintained by the UK Office of Government Commerce (OGC).
ISO/IEC 27002:2005
(actually a Standard)
ISO/IEC
ISO (International Organization for Standardization) is the world's largest developer and publisher of International Standards.
IEC (International Electrotechnical Commission) is the international standards and conformity assessment body for all fields of electrotechnology.
ISO 27002
The standard comprises two parts:
ISO 27002
ISO 17799
This is essentially the set of security controls: the measures and safeguards for potential implementation.
After the introduction, scope, terminology and structure sections, the remainder of ISO/IEC 17799 specifies control objectives categorized into 11 main sections to protect information assets against threats to their confidentiality, integrity and availability.
ISO 17799
Security Controls
Security Policy
Organization of Information Security
Asset Management
Human Resources
Physical and Environmental Security
Communications and Operations Management
ISO 17799
Security Controls (cont)
Access Control
Information Systems Acquisition, Development and Maintenance
Information Security Incident Management
Business Continuity Management
Compliance
ISO 27001
This is the specification for an Information Security Management System (ISMS). It is the means to measure, monitor and control security management from the top down perspective. It explains how to apply ISO 17799.
ISO 27001
Defined as a six part process:
Define a security policy
Define the scope of ISMS
Undertake a risk assessment
Manage the risk
Select control objectives and controls to be implemented
Prepare a statement of applicability
ISO 27002
Healthcare Challenges:
ISO 27002 is extremely difficult to implement
for large units
Compliance scopes that cover no more than
two to three sites or approximately 50 staff or
approximately ten processes have been
found to work very well.
ISO 27799:2008
ISO 27799
Health information security
Practical Action Plan for Implementing ISO 17799/27002
Healthcare Implications of ISO 17799/27002
Threats
Tasks and documentation of the ISMS
Potential benefits and tool attributes
Relationships Between Standards & Regulations
HIPAA
ISO 17799
BS7799
COBIT & ITIL
Remember: ISO 17799 and BS 7799 are ISO 27002
Questions?
For More Information:
Jennifer F. Alfafara
Consultant
Resources Global Professionals
jalfafara@resources-usa.com
Thank you!