Cobit VS Gtag
Presented by:
Janice Richards, CPA, CISA
Alexandra Fercak, MPA
PMBOK, PCI-DSS, ISO/IEC, SSAE, IPPF, FISCAM, ITAF, COSO, GTAG, NIST
Roadmap
Relationship to Audit Standards
Overview of the frameworks
Broad frameworks
Specific frameworks
Relationship to Audit Standards
Yellow Book
Multiple references to information system controls and reliability of data
General Standards
Fieldwork Standards
Relationship to Audit Standards
Red Book
Several references to information technology
1210 Proficiency
1220 Due professional care
2110 Governance
Relationship to Audit Standards
Broad or specific?
(How) do they relate to each other?
Broad framework: COBIT
Intended use:
Business, IT, Audit
Entire IT lifecycle
Broad framework: COBIT (v 4.1)
COBIT Example 1 (v 4.1)
Audit: Business System Software Implementation: Expensive, late, and incomplete (Nov 2010)
Number of shadow systems eliminated: planned 222, actual unknown
NIST SP 800-53
Broad framework: FISCAM
FISCAM Example 1
Audit: City Financial Transactions: Issues warrant management attention (September 2012)
continuing appropriateness
FISCAM Example 2
Audit: City Financial Transactions: Issues warrant management attention (September 2012)
Issue: Excessive privileged access
Criteria: AC-4, Adequately protect sensitive system resources
FISCAM control technique:
AC-4.1.1, Access to sensitive/privileged accounts is restricted to individuals or processes having a legitimate need for the purposes of accomplishing a valid business purpose.
AC-4.1.2, Use of sensitive/privileged accounts is adequately monitored.
Condition:
Privileged access was not removed when there was no longer a business need.
Management did not regularly review privileged access rights.
Broad framework: GTAG
Global Technology Audit Guide
GTAG Example 1
Audit: Business System Software Implementation: Expensive, late, and incomplete (Nov 2010)
GTAG Example 2
Audit: Public Safety Systems Revitalization Program: Management problems impact cost and schedule goals (Apr 2013)
Project Management
Issue: Use of independent quality assurance reports
COBIT / FISCAM / GTAG
Project Management
Issue: No user testing in public safety vehicles
Broad frameworks compared:
COBIT <-> FISCAM <-> GTAG
Other broad framework
Gray Book
Guidance for meeting Yellow Book standards for assessing data reliability
Risk-based approach
Specific frameworks and standards
PCI-DSS
HIPAA
SSAE 16
Specific standard: PCI DSS
Payment Card Industry Data Security Standard
PCI DSS Example
City of Portland Compliance with PCI DSS
Specific standard: HIPAA
Example: Broad frameworks relate to HIPAA rule

HIPAA rule: Limiting Uses and Disclosures to the Minimum Necessary
  Restrict access and uses of health information based on the specific roles of the members of the workforce
COBIT: DS5.3, Identity and Access Management
  Access rights for all users on a need-to-know/need-to-have basis
FISCAM: AC-3, Implement effective authorization controls
  Access is limited to individuals with a valid business purpose (least privilege)
GTAG: Practice Guide 9, Identity and Access Management
  The access is appropriate for the job being performed
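The FISCAM Example 2 finding above (privileged access kept after the business need ended, and no regular review of privileged rights) and the need-to-know mapping in the HIPAA table both describe the same control: privileged grants are reconciled against who still needs them, and use of privileged accounts is monitored. The script below is an added illustration of that control and is not part of the presentation or of any audit it cites. The record layouts, the 90-day review interval and every account, user and logon record are constructed assumptions.

```python
# Added example (not from the presentation): a privileged-access review and
# use-monitoring check modelled on FISCAM AC-4.1.1 / AC-4.1.2 and on the
# need-to-know mapping in the HIPAA table. All records, field names and the
# 90-day review interval are constructed assumptions for illustration.
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

REVIEW_INTERVAL_DAYS = 90  # assumed periodic-review cadence


@dataclass(frozen=True)
class Employee:
    user: str
    status: str  # "active" or "terminated"
    role: str    # current job role from the HR roster


@dataclass(frozen=True)
class PrivilegedGrant:
    account: str
    owner: str                    # HR user id the privileged account is assigned to
    role_required: str            # job role that justified the grant
    last_reviewed: Optional[date]  # None means the grant has never been reviewed


@dataclass(frozen=True)
class Finding:
    account: str
    control: str  # FISCAM control technique the condition maps to
    detail: str


def review_privileged_access(grants: List[PrivilegedGrant], roster: List[Employee],
                             as_of: date, interval_days: int = REVIEW_INTERVAL_DAYS) -> List[Finding]:
    """AC-4.1.1: each privileged grant must still serve a legitimate business need.
    Flags grants whose owner is no longer active, whose owner's role no longer
    matches the justification, and grants not reviewed within the interval."""
    by_user: Dict[str, Employee] = {e.user: e for e in roster}
    findings: List[Finding] = []
    for g in grants:
        emp = by_user.get(g.owner)
        if emp is None or emp.status != "active":
            findings.append(Finding(g.account, "AC-4.1.1",
                                    f"owner {g.owner} is not an active employee; access should have been removed"))
            continue  # role and review-date checks are moot once the owner is gone
        if emp.role != g.role_required:
            findings.append(Finding(g.account, "AC-4.1.1",
                                    f"owner {g.owner} moved to role {emp.role!r}; grant was justified for {g.role_required!r}"))
        if g.last_reviewed is None or (as_of - g.last_reviewed).days > interval_days:
            findings.append(Finding(g.account, "AC-4.1.1",
                                    f"privileged access rights not reviewed in the last {interval_days} days"))
    return findings


def monitor_privileged_use(events: List[dict], grants: List[PrivilegedGrant],
                           roster: List[Employee]) -> List[dict]:
    """AC-4.1.2: use of privileged accounts is monitored. Returns the logon
    events for accounts with no grant on record or whose owner is not active."""
    active = {e.user for e in roster if e.status == "active"}
    valid_accounts = {g.account for g in grants if g.owner in active}
    return [ev for ev in events if ev["account"] not in valid_accounts]


# Constructed sample data (not from any real audit)
AS_OF = date(2013, 1, 15)
ROSTER = [
    Employee("jdoe", "active", "dba"),
    Employee("asmith", "terminated", "sysadmin"),
    Employee("bkim", "active", "analyst"),  # transferred out of sysadmin
]
GRANTS = [
    PrivilegedGrant("sa_db01", "jdoe", "dba", date(2012, 12, 1)),          # reviewed 45 days ago: clean
    PrivilegedGrant("root_app01", "asmith", "sysadmin", date(2012, 6, 1)),  # owner terminated
    PrivilegedGrant("root_app02", "bkim", "sysadmin", None),               # role changed, never reviewed
    PrivilegedGrant("sa_db02", "jdoe", "dba", date(2012, 9, 1)),           # reviewed 136 days ago: stale
]
EVENTS = [  # constructed privileged logon records
    {"ts": "2013-01-14T02:10:00", "host": "app01", "account": "root_app01"},  # departed owner
    {"ts": "2013-01-14T09:00:00", "host": "db01", "account": "sa_db01"},
    {"ts": "2013-01-14T23:40:00", "host": "db03", "account": "root_db03"},    # no grant on record
]

if __name__ == "__main__":
    for f in review_privileged_access(GRANTS, ROSTER, AS_OF):
        print(f"{f.control} {f.account}: {f.detail}")
    for ev in monitor_privileged_use(EVENTS, GRANTS, ROSTER):
        print(f"AC-4.1.2 unexpected privileged logon: {ev}")
```

Run against the constructed data, the review produces four AC-4.1.1 findings (one departed owner, one role change, two missed reviews) and the monitor flags two logons: one by an account whose owner has left and one by an account with no grant on record at all. Feeding the same two functions a real HR export and an IAM grant report is what turns the finding's criteria into a repeatable control test.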
Specific standard: HIPAA
HIPAA violations that resulted in the illegal exposure of personal data
For more information
Broad Frameworks
COBIT: http://www.isaca.org/
COBIT example -- Office of the City Auditor, City of San Diego
Audit of the Enterprise Resource Planning System Implementation
FISCAM: http://www.gao.gov/fiscam/overview
FISCAM example Oregon Secretary of State Audits Division
Department of Administrative Services: State Data Center Computer
Controls Review
GTAG: http://www.theiia.org
GTAG examples -- Multnomah County Auditor
SAP Follow-up, Identity and Access Management (January 2013)
Audit of SAP Identity and Access Management (April 2009)
For more information
Other frameworks/standards
ISO: http://www.iso.org/iso/home/standards/management-standards/mss-list.htm
COSO: http://www.coso.org/
NIST: http://www.nist.gov/
ITIL: http://itilfoundation.org/
PCI Security Standards Council:
https://www.pcisecuritystandards.org/
SSAE 16: https://www.ssae-16.com/
HIPAA: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/index.html
Questions?
Janice Richards
Senior Management Auditor
Janice.Richards@portlandoregon.gov
503-823-4007
Alexandra Fercak
Senior Management Auditor
Alexandra.Fercak@portlandoregon.gov
503-823-3545