Cobit VS Gtag


IT Frameworks - What are they and when to use them

Presented by:
Janice Richards, CPA, CISA
Alexandra Fercak, MPA

City of Portland, Office of the City Auditor


Alphabet soup
COBIT
HIPAA
ITIL
PMBOK
PCI-DSS
ISO/IEC
SSAE
IPPF
FISCAM
ITAF
COSO
GTAG
NIST
Roadmap

Relationship to Audit Standards
Overview of the frameworks
Broad frameworks
Specific frameworks
Relationship to Audit Standards

Yellow Book
Multiple references to information system controls and reliability of data
General Standards
Fieldwork Standards
Relationship to Audit Standards

Red Book
Several references to information technology
1210 Proficiency
1220 Due professional care
2110 Governance
Relationship to Audit Standards

Frameworks provide specific guidance for meeting standards
For example:
FISCAM provides a methodology for performing information system (IS) control audits in accordance with generally accepted government auditing standards (GAGAS), as presented in Government Auditing Standards (also known as the Yellow Book)
Overview of the frameworks

Broad or specific?
(How) do they relate to each other?
Broad framework: COBIT

Control Objectives for Information Technology
Janice's favorite!
Intended use:
Business, IT, Audit
Entire IT lifecycle
Broad framework: COBIT (v 4.1)

COBIT Example 1 (v 4.1)
Audit: Business System Software Implementation: Expensive, late, and incomplete (Nov 2010)

Planned vs. actual:
Cost: $14.2 million planned; $47.4 million actual
Schedule: 14 months planned; 30 months actual
Number of functions implemented: 10 Financial and 9 Payroll planned; 10 Financial and 4 Payroll actual
Number of shadow systems eliminated: 222 planned; unknown actual

Overall issue: Project management weaknesses
Overall Criteria: PO10, Manage Projects
COBIT Example 1 (v 4.1) (continued)

Issues: Decision-making and project manager expertise
Criteria: PO10.8, Project resources

COBIT Control Practice 1) Identify resource needs for the project and clearly map out appropriate roles and responsibilities, with escalation and decision-making authorities agreed upon and understood.
Condition: Decentralized organizational structure led to project decisions by consensus of many participants. Many layers of project governance, each participating in decision-making.

COBIT Control Practice 3) Utilize experienced project management and team leader resources with skills appropriate to the size, complexity and risk of the project.
Condition: According to City officials, the initial consultant did not have sufficient leadership skills, experience in managing a project this size, or the resources necessary to ensure a successful project.
COBIT Example 1 (v 4.1) (continued)

Issue: Use of independent quality assurance reports
Criteria: PO10.13, Project performance measurement, reporting and monitoring

COBIT Control Practice 2) Measure project performance against key criteria. Analyze deviations from established key project performance criteria for cause, and assess positive and negative effects on the program and its component projects. Report to identified key stakeholders.
Condition: The City hired an independent firm with public sector technology experience to provide QA services throughout the project. The QA firm provided monthly reports to City leaders.

COBIT Control Practice 4) Recommend, implement and monitor remedial action, when required, in line with the program and project governance framework.
Condition: The reports documented QA's independent observations and recommendations on the City's progress in implementing a new ERP system. QA provided ways for the City to improve the rating, when needed.
COBIT Example 2 (v 4.1)
Audit: Public Safety Systems Revitalization Program: Management problems impact cost and schedule goals (Apr 2013)

Issue: No user testing in public safety vehicles
Criteria: AI7.4, Test environment

COBIT Control Practice 1) Ensure that the test environment is representative of the future operating landscape, including likely workload stress, operating systems, necessary application software, database management systems, and network and computing infrastructure found in the production environment.
Condition: User testing did not occur in Police, Fire, or other vehicles prior to go-live. All testing occurred in an office or classroom-type setting.
COBIT Example 3 (v 4.1)
Audit: City Financial Transactions: Issues warrant management attention (September 2012)

Issue: User roles and access not based on need
Criteria: DS5.3, Identity management

COBIT Control Practice 1) Establish and communicate policies and procedures for access rights for all users on a need-to-know/need-to-have basis, based on predetermined and preapproved roles.
Condition: High number of users with privileged access, four of which were finance staff. The access of these four users was more than what was needed to complete their job responsibilities.
COBIT Example 3 (v 4.1) (continued)
Audit: City Financial Transactions: Issues warrant management attention (September 2012)

Issue: Excessive privileged access
Criteria: DS5.4, User account management

COBIT Control Practice 2) Ensure that management reviews or reallocates user access rights at regular intervals using a formal process. User access rights should be reviewed or reallocated after any job changes, such as transfer, promotion, demotion or termination of employment. Authorizations for special privileged access rights should be reviewed independently at more frequent intervals.
Condition: Management did not regularly review privileged access rights. Access did not change when job responsibilities changed for one user.
Broad framework: FISCAM
Federal Information Systems Control Audit Manual
Intended use:
Audits of federal and other governmental entities
Yellow Book
Federal Information Security Modernization Act
NIST SP 800-53
General and application controls
Broad framework: FISCAM

Broad framework: FISCAM

User-friendly for auditors with limited exposure to IT
Overview of information system controls objectives (pages 11-13)
Overview of IT Audit steps (pages 14-15)
Specific guidance for testing general and application controls (chapters 2, 3 and 4)
FISCAM Example 1
Audit: City Financial Transactions: Issues warrant management attention (September 2012)

Issue: User roles and access not based on need
Criteria: AC-3, Implement effective authorization controls

FISCAM Control technique AC-3.1.6, Access is limited to individuals with a valid business purpose (least privilege)
Condition: High number of users with privileged access, four of which were finance staff.

FISCAM Control technique AC-3.1.3, Security managers review access authorizations and discuss any questionable authorizations with resource owners
Condition: The access of these four users was more than what was needed to complete their job responsibilities.

FISCAM Control technique AC-3.1.5, Resource owners periodically review access authorizations for continuing appropriateness
Condition: Access did not change when job responsibilities changed for one user.
FISCAM Example 2
Audit: City Financial Transactions: Issues warrant management attention (September 2012)

Issue: Excessive privileged access
Criteria: AC-4, Adequately protect sensitive system resources

FISCAM Control techniques:
AC-4.1.1, Access to sensitive/privileged accounts is restricted to individuals or processes having a legitimate need for the purposes of accomplishing a valid business purpose.
AC-4.1.2, Use of sensitive/privileged accounts is adequately monitored.

Conditions:
Privileged access was not removed when there was no longer a business need.
Management did not regularly review privileged access rights.
Broad framework: GTAG
Global Technology Audit Guide

For internal auditors with limited exposure to IT
Series of audit guides on IT risks and recommended practices
Broad framework: GTAG

GTAG Example 1
Audit: Business System Software Implementation: Expensive, late, and incomplete (Nov 2010)

Issue: Use of independent quality assurance reports
Criteria: 3.5, Project communication and coordination current status (GTAG Practice Guide 12, Auditing IT Projects)

GTAG Criteria:
Understand the current status of the project with regard to time, cost, and scope, and whether there are any deviations from the project definition.
Understand the key concerns with respect to status.
Understand why deviations have occurred.

Condition: The City hired an independent firm with public sector technology experience to provide QA services throughout the project. The QA firm provided monthly reports to City leaders. The reports documented QA's independent observations and recommendations on the City's progress in implementing a new ERP system. QA provided ways for the City to improve the rating, when needed.
GTAG Example 1 (continued)
Audit: Business System Software Implementation: Expensive, late, and incomplete (Nov 2010)

Issue: Use of independent quality assurance reports
Criteria: 3.5, Project communication and coordination current status (GTAG Practice Guide 12, Auditing IT Projects)

GTAG Criteria: Corrective actions have been taken to address deviations, risks and issues.
Condition: Issues remained outstanding for several months before the City took corrective action.
GTAG Example 2
Audit: Public Safety Systems Revitalization Program: Management problems impact cost and schedule goals (Apr 2013)

Issue: No user testing in public safety vehicles
Criteria: 6.1, User acceptance tests (GTAG Practice Guide 12, Auditing IT Projects)

GTAG Criteria:
All business scenarios are successfully executed and signed-off. All user acceptance tests are complete and scripts signed-off.
There is adequate business involvement to ensure realistic testing.

Condition: User testing did not occur in Police, Fire, or other vehicles prior to go-live. All testing occurred in an office or classroom-type setting.
GTAG Example 3
Audit: City Financial Transactions: Issues warrant management attention (September 2012)
Issue: User roles and access not based on need
Criteria: Identity and Access Management (GTAG Practice Guide 9, Identity and Access Management)

GTAG Criteria: The access is appropriate for the job being performed. The access is correct and defined appropriately to support a specific job function. (2.2)
Condition: High number of users with privileged access, four of which were finance staff. The access of these four users was more than what was needed to complete their job responsibilities.

GTAG Criteria: The IAM process should be designed to initiate, modify, track, record and terminate the access permissions assigned to user accounts. (3.1.2)
Condition: Access did not change when job responsibilities changed for one user.

GTAG Criteria: Identities that no longer require access rights are identified, disabled, or deactivated. (3.2.3)
Condition: Privileged access was not removed when there was no longer a business need.
GTAG Example 3 (continued)
Audit: City Financial Transactions: Issues warrant management attention (September 2012)

Issue: Excessive privileged access
Criteria: Identity and Access Management (GTAG Practice Guide 9, Identity and Access Management)

GTAG Criteria: Privileged accounts are normally assigned to the person within the IT department responsible for administering IT systems. (3.3.2)
Condition: High number of users with privileged access, four of which were finance staff.

GTAG Criteria: IT management should periodically review the list of users with privileged access. (3.3.2)
Condition: Management did not regularly review privileged access rights.
Broad frameworks compared: COBIT <-> FISCAM <-> GTAG

Project Management
Issue: Use of independent quality assurance reports
COBIT: PO10.13, Project performance measurement, reporting and monitoring
FISCAM: N/A
GTAG: GTAG 12, Auditing IT Projects
Broad frameworks compared: COBIT <-> FISCAM <-> GTAG

Project Management
Issue: No user testing in public safety vehicles
COBIT: AI7.1, Test environment
FISCAM: N/A
GTAG: GTAG 12, Auditing IT Projects
Broad frameworks compared: COBIT <-> FISCAM <-> GTAG

Identity and access management
Issue: User roles and access not based on need
COBIT: DS5.3, Identity management
FISCAM: AC-3, Implement effective authorization controls
GTAG: GTAG 9, Identity and Access Management
Broad frameworks compared: COBIT <-> FISCAM <-> GTAG

Identity and access management
Issue: Excessive privileged access
COBIT: DS5.4, User account management
FISCAM: AC-4, Adequately protect sensitive system resources
GTAG: GTAG 9, Identity and Access Management
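The identity and access management criteria compared above (COBIT DS5.3/DS5.4, FISCAM AC-3/AC-4, GTAG Practice Guide 9) all reduce to checks an auditor can run over a user-access extract: privileged accounts outside IT, access left unchanged after a job change, privileged access not reviewed on a cadence, and access not removed when the business need ends. The following is an added example, not part of the presentation or the audits it cites; the account records, departments and the 180-day review interval are constructed assumptions.

```python
from datetime import date

# Constructed sample access extract (not the City's data). Fields:
# user, department, job_role, privileged, employment_status,
# last_role_change, last_access_review
ACCOUNTS = [
    ("jdoe",   "IT",      "sysadmin",      True,  "active",     date(2011, 3, 1),  date(2012, 6, 1)),
    ("afin",   "Finance", "accountant",    True,  "active",     date(2011, 3, 1),  date(2012, 6, 1)),
    ("bmove",  "Finance", "payroll clerk", True,  "active",     date(2012, 5, 15), date(2011, 12, 1)),
    ("cgone",  "Finance", "accountant",    True,  "terminated", date(2010, 1, 1),  date(2012, 6, 1)),
    ("dclerk", "Finance", "accountant",    False, "active",     date(2011, 3, 1),  date(2012, 6, 1)),
]

REVIEW_INTERVAL_DAYS = 180  # assumed cadence for privileged-access reviews


def review_access(accounts, as_of):
    """Return (user, finding) pairs, each tagged with the framework criteria it maps to."""
    findings = []
    for user, dept, role, privileged, status, role_changed, reviewed in accounts:
        # GTAG 3.2.3 / FISCAM AC-4.1.1: identities no longer needing access are deactivated
        if status != "active":
            findings.append((user, "GTAG 3.2.3 / FISCAM AC-4.1.1: access not removed after separation"))
        # GTAG 3.3.2 / COBIT DS5.3: privileged accounts normally belong to IT administrators
        if privileged and dept != "IT":
            findings.append((user, "GTAG 3.3.2 / COBIT DS5.3: privileged account held outside IT"))
        # COBIT DS5.4 / FISCAM AC-3.1.5: rights reviewed after any job change
        if role_changed > reviewed:
            findings.append((user, "COBIT DS5.4 / FISCAM AC-3.1.5: job change not followed by access review"))
        # COBIT DS5.4 / FISCAM AC-4.1.2: privileged rights reviewed at regular intervals
        if privileged and (as_of - reviewed).days > REVIEW_INTERVAL_DAYS:
            findings.append((user, "COBIT DS5.4 / FISCAM AC-4.1.2: privileged access review overdue"))
    return findings


def users_with_findings(accounts, as_of):
    """Set of user names that raised at least one finding."""
    return {user for user, _ in review_access(accounts, as_of)}


if __name__ == "__main__":
    for user, finding in review_access(ACCOUNTS, date(2012, 9, 1)):
        print(f"{user}: {finding}")
```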
Other broad frameworks and
standards
Gray Book
COSO
ITIL
ISO 27001
NIST 800-xx addresses computer security
- Mapped to FISCAM
Other broad framework
Gray Book
Guidance for meeting Yellow Book standards for assessing data reliability
Risk-based approach
Goal is to determine whether you can use the data for the intended purpose
Specific frameworks and
standards

PCI-DSS
HIPAA
SSAE 16
Specific standard: PCI - DSS
Payment Card Industry Data Security Standard

Specific standard: PCI - DSS

Standard created and maintained by the PCI Security Standards Council, representing the major card brand networks (Visa, MC, Amex, Discover, etc.)
Ensures merchants protect cardholder data
Covers all forms of payment cards
Enforced by the major card brand networks
PCI DSS Example
City of Portland Compliance with PCI DSS

PCI Compliance identified in a risk assessment
External IT Auditors conduct annual onsite audits (since 2009)
Assumption was the City is PCI DSS compliant
Performance measure reported 100% compliance every year since 2009
PCI DSS Example

City has never complied with PCI DSS (since 2009)
No follow-up to PCI DSS remediation steps and deadlines
City did not enforce compliance with the standard
City flew under the bank and card networks' compliance radar
Specific standard: HIPAA
Example: Broad frameworks relate to HIPAA rule

HIPAA: Limiting Uses and Disclosures to the Minimum Necessary. Restrict access and uses of health information based on the specific roles of the members of the workforce.
COBIT: DS5.3, Identity and Access Management. Access rights for all users on a need-to-know/need-to-have basis.
FISCAM: AC-3, Implement effective authorization controls. Access is limited to individuals with a valid business purpose (least privilege).
GTAG: Practice Guide 9, Identity and Access Management. The access is appropriate for the job being performed.
Specific standard: HIPAA
HIPAA violations that resulted in the illegal exposure of personal data (infographic)
Source: Compliance and Safety LLC, http://complianceandsafety.com

See: Identity Theft Resource Center 2015 Data Breaches
The End
Broad frameworks:
Choose a broad framework and become familiar with it
Use others to augment as needed
Ok to use more than one framework to meet audit standards

Specific frameworks:
Awareness!
Verify compliance!
Review the audits
Know standards applicable to your environment
Research as needed
For more information
Broad Frameworks
COBIT: http://www.isaca.org/
COBIT example -- Office of the City Auditor, City of San Diego: Audit of the Enterprise Resource Planning System Implementation

FISCAM: http://www.gao.gov/fiscam/overview
FISCAM example -- Oregon Secretary of State Audits Division: Department of Administrative Services: State Data Center Computer Controls Review

GTAG: http://www.theiia.org
GTAG examples -- Multnomah County Auditor: SAP Follow-up, Identity and Access Management (January 2013); Audit of SAP Identity and Access Management (April 2009)
For more information
Other frameworks/standards
ISO: http://www.iso.org/iso/home/standards/management-standards/mss-list.htm
COSO: http://www.coso.org/
NIST: http://www.nist.gov/
ITIL: http://itilfoundation.org/
PCI Security Standards Council: https://www.pcisecuritystandards.org/
SSAE 16: https://www.ssae-16.com/
HIPAA: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/index.html
Questions?
Janice Richards
Senior Management Auditor
Janice.Richards@portlandoregon.gov
503-823-4007

Alexandra Fercak
Senior Management Auditor
Alexandra.Fercak@portlandoregon.gov
503-823-3545
