INTRODUCTION
Information technology has a tremendous impact on the discipline of accounting by introducing new ways of retrieving and processing information about performance deviations and control effectiveness. It also offers a way of managing organizational controls by analyzing the value drivers of particular accounting information systems, an area that commonly runs under the label of governance, risk management and compliance information systems (GRC IS). Information systems such as enterprise resource planning (ERP) systems separate financial from non-financial data and therefore enable better financial accounting. They also provide new potential for management control, as "data become accurate, shareable and available to many different parties but does hardly create the panoptic dreams of visibility and action at a distance".
Governance
The process by which policy is set
and decision making is executed.
Governance is the set of policies, laws, culture, and institutions that define how an organization should be managed.
Risk management
• The process for preventing an unacceptable level of uncertainty in business objectives through a balance of avoidance (reconsidering the objectives), mitigation (applying controls), transfer (insurance) and acceptance (through governance mechanisms). It is also the process of ensuring that important business processes and behaviors remain within the tolerances associated with the policies and decisions set through the governance process. Risk management consists of coordinated activities that direct and control an organization in forecasting and managing events and risks that might have a negative impact on the business.
Compliance
The process of adherence to policies and decisions. Policies can be derived from internal directives, procedures and requirements, or from external laws, regulations, standards and agreements. Compliance is the act of adhering to regulations as well as to corporate policies and procedures.
ļ¶ Create and distribute policies and controls and map
them to regulations and internal compliance
requirements.
ļ¶ Assess whether the controls are actually in place and
working and fix them if they are not.
ļ¶ Ease risk assessment and mitigation.
ļ¶ IT GRC provide coordination and standardization of
policies and controls.
ļ¶ Automate information gathering.
ļ¶ It enable enterprises to rapidly adapt to change.
Governance
➢ Enterprise risk management and assessment
➢ Board compliance capabilities such as options policy compliance, ethics and policy compliance, etc.
➢ Business performance reporting such as balanced scorecards, risk scorecards, operational controls dashboards, etc.
➢ Policy management, documentation and communication
• Risk assessment
• Risk analysis and prioritization
• Root cause analysis of issues and mitigation
• Risk analytics and trend analysis
• Flexible controls hierarchy
• Assessments and audits
• Issues tracking and remediation
• Analytics
Importance of IT-GRC
• An improvement in the quality and availability of information;
• A reduction in breaches and errors;
• A reduction in costs and greater efficiencies;
• A more flexible and externally focused workforce capable of rapid change to meet customer and organizational needs;
• Greater assurance for the organization, its board and senior management that GRC issues are being appropriately dealt with and the organization remains "on target" with its performance objectives; and
• Improved levels of communication across the organization.
BUSINESS IS MORE DEPENDENT ON IT
• The IT environment is more complex.
• Less time between IT failures and organizational impact.
• Increase in threats related to IT.
• Increase in regulations, standards and controls.
IT GRC Challenges
• Mapping the policies and controls
• Audit fatigue
• Security exposure
• Redundancy and inefficiency
Other Challenges
• A perception by staff that the initiative may have an ulterior motive, for example a cost recovery drive or a head count reduction.
• Business unit managers or middle management are fearful of being marginalized as GRC responsibilities are devolved to those at lower levels of the hierarchy.
• Organizations are sometimes skeptical regarding the targeting and measurement systems proposed and are concerned that there will not ultimately be an appropriate return on investment given the establishment and maintenance costs involved.
• Corporate cynicism and skepticism around the outcomes and results achieved from past planned organizational change (and management "fads" generally).
Factors to consider when implementing IT GRC
• Strategy
• Reporting and audit
• Legal function
• Information technology
• Ethics and corporate social responsibility
• Corporate culture
• Business process management
Information system audit
standards
Introduction
Information systems auditing involves using technical tools and expertise to evaluate the adequacy and effectiveness of the information systems in an organization. It further involves working with management to identify the weak controls and the risks that arise from the application of technology in a business, and suggesting ways to strengthen those controls so as to increase the reliability of the IS, which in turn helps the organization achieve its strategic objectives.
Meaning
Information systems audit is a process of collecting and evaluating evidence to determine whether the information systems safeguard assets, maintain data integrity, achieve organizational goals effectively and consume resources efficiently.
The common element between any manual audit and an IS audit is data integrity: all types of audit (including information audits) have to evaluate data integrity. Since an IS audit also covers efficiency and effectiveness, it includes some elements of a management audit and a propriety audit too.
IS auditing methodology
• Step 1: Define the objectives of the audit.
• Step 2: Obtain a basic understanding of the systems and the flow of transactions.
• Step 3: Gather detailed information.
• Step 4: Search for exposures that exist under the system and suggest controls to eliminate each exposure.
• Step 5: Define audit procedures to verify the controls.
• Step 6: Perform audit tests using various techniques and tools.
• Step 7: Evaluate the findings.
• Step 8: Generate the report.
Scope of IS audit
• Data
• Application systems
• Technology
• Facilities
• People
Elements of IS audit
Exposures
Causes
Controls
Physical and environmental review
System administration review
Application software review
Network security review
Business continuity review
Data integrity review
Need for IS audit
• Confidentiality
• Integrity
• Availability
• Reliability
Categories of IS audits
• Systems and applications
• Information processing facilities
• Systems development
• Management of IT and enterprise architecture
• Telecommunications, intranets and extranets
Information Security and Management Standard
Meaning
Information security relates to the physical and logical protection of data or information recorded, processed, shared, transmitted or received in electronic form. The protection is provided against loss, inaccessibility, alteration, or unauthorized disclosure. It is achieved through physical safeguards such as locks, security guards and insurance, and logical safeguards such as user identifiers, passwords and firewalls.
Information security
• Meaning:
• It is the practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.
• Definition:
• "Information security is the process of protecting the intellectual property of an organization."
• IT security: also referred to as computer security. A computer is any device with a processor and some memory; such devices range from non-networked standalone devices as simple as a calculator to networked mobile computing devices such as smartphones and tablets. IT security is mainly practised in major enterprise establishments because of the nature and value of the data held by larger businesses.
Information assurance
• The act of ensuring that data is not lost when critical issues arise. These issues include, but are not limited to, natural disasters, computer or server malfunction, physical theft, or any other instance where data has the potential of being lost.
Threats
Computer system threats come in many different forms. Some of the most common threats today are software attacks, theft of intellectual property, identity theft, and theft of equipment or information.
Key concepts of information security
Confidentiality
Integrity
Availability
Risk management
"Risk management is the process of identifying vulnerabilities and threats to the information resources."
Control
Selecting proper controls and implementing them will initially help an organization to bring risk down to an acceptable level. Control selection should follow, and be based on, the risk assessment. Controls vary in nature, but fundamentally they are ways of protecting the confidentiality, integrity and availability of information. The types of control are:
• Administrative controls
• Logical (technical) controls
• Physical controls
Security organization structure
1. Information security forum (ISF)
2. Information security management group
(ISMG)
3. Assistant group security officer (AGSO)
4. System owner
5. Personal security officer (PSO)
6. Line manager
7. Users
Standards for Information Security
The International Organization for Standardization (ISO), established in 1947, is a non-governmental international body that collaborates with the International Electrotechnical Commission (IEC) on the joint ISO/IEC standards. The following is a commonly referenced ISO security standard.
Introduction to ISO 27001
ISO 27001 is a specification for creating an information security management system (ISMS). It does not prescribe which technical controls to implement (those are selected through risk assessment), but it does require documentation, internal audits, continual improvement, and corrective and preventive action.
Framework of ISO 27001
Implementation of ISO 27001 is an ideal response to legal requirements and to potential security threats such as:
• Vandalism/terrorism
• Fire
• Misuse
• Theft
• Virus attack
Features of ISO 27001
• Adopts the PDCA (Plan-Do-Check-Act) model.
• Adopts a process approach.
• Identifies and manages activities so that they function effectively.
• Stresses continual process improvement.
• Scope covers information security, not only IT security.
• Focused on people, process and technology.
• Combination of management controls, operational controls and technical controls.
Benefits of ISMS ISO 27001
certification:
• Independent framework that takes account of all legal and regulatory requirements.
• Helps provide a competitive edge to the company.
• Helps to identify and meet contractual and regulatory requirements.
• Independently verifies that risks to the company are properly identified and managed.
• Demonstrates to customers that the security of their information is taken seriously.
CONTROL OBJECTIVES FOR INFORMATION AND
RELATED TECHNOLOGY (COBIT)
INTRODUCTION:
COBIT was first released in 1996; COBIT 5 was published in 2012 (it has since been succeeded by COBIT 2019). Its mission is "to research, develop, publish and promote an authoritative, up-to-date, international set of generally accepted information technology control objectives for day-to-day use by business managers, IT professionals and assurance professionals."
The framework provides good practices across a domain and process framework:
"The business orientation of COBIT consists of linking business goals to IT goals, providing metrics and maturity models to measure their achievement and identifying the associated responsibilities of business and IT process owners."
COBIT is a framework of generally applicable information systems security and control. The framework allows:
1) Benchmarking of the security and control arrangement.
2) Auditors to review internal controls and advise on IT security matters.
3) Users of IT services to be assured that adequate security and control exist.
The framework addresses the issue of control from three vantage points:
IT Processes
Controls are required to be implemented in all the processes, which are broken into four domains:
➢ Planning and organization
➢ Acquisition and implementation
➢ Delivery and support
➢ Monitoring
Business objectives
To satisfy business objectives, information must satisfy certain criteria that COBIT refers to as business requirements for information. The criteria are divided into seven categories:
➢ Effectiveness
➢ Efficiency
➢ Confidentiality
➢ Integrity
➢ Availability
➢ Compliance
➢ Reliability
IT RESOURCES
Controls must be developed to protect the IT resources, which include:
✓ People
✓ Application systems
✓ Hardware devices
✓ Facilities and data
✓ Security controls
Advantages of COBIT
I. COBIT is aligned with other standards and best practices and should be used together with them.
II. Its framework and supporting best practices provide a well-managed and flexible IT environment in an organization.
III. COBIT provides a control environment that is responsive to business needs and serves management and audit functions in terms of their control responsibilities.
IV. It provides tools to help manage IT activities.
COBIT has five IT governance areas of concentration
1) Strategic alignment focuses on ensuring the linkage of business and IT plans; defining, maintaining and validating the IT value proposition; and aligning IT operations with enterprise operations.
2) Value delivery is about executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimizing costs and providing the intrinsic value of IT.
3) Resource management is about the optimum investment in, and proper management of, critical IT resources: applications, information, infrastructure and people.
4) Risk management requires a clear understanding of the enterprise's appetite for risk, understanding of compliance requirements, and transparency about risk across the organization.
5) Performance measurement tracks and monitors strategy implementation, project completion, resource usage, process performance and service delivery, using, for example, balanced scorecards that translate strategy into action to achieve goals measurable beyond conventional accounting.
Health Insurance Portability and Accountability Act (HIPAA)
Introduction
• The Health Insurance Portability and Accountability Act (HIPAA) became law in 1996. The purpose of HIPAA is to improve the efficiency and effectiveness of healthcare transactions by standardizing the exchange of administrative and financial data, as well as protecting the privacy and security of individual health information that is maintained or transmitted.
• HIPAA imposes stringent privacy and security requirements on health plans, healthcare providers, and healthcare clearinghouses that maintain and/or transmit individual health information in electronic form. The term "healthcare provider" includes individual physicians, physician group practices, dentists, other healthcare practitioners, hospitals, and nursing facilities.
Specific objectives of the regulations are:
• Standardizing the format and content of primary commercial and administrative electronic healthcare transactions.
• Developing standards to protect confidential patient information from improper use or disclosure and establishing patients' rights to control such uses.
• Developing standards for computer systems and networks to ensure the security, integrity, and availability of patient data.
HIPAA is also known as Public Law 104-191. The Act has five top-level titles:
• Title I. Health access, portability, and renewability.
• Title II. Preventing health care fraud and abuse (administrative simplification), which includes: (1) transactions and code sets, (2) identifiers, (3) privacy, (4) security.
• Title III. Tax-related health provisions (medical savings accounts and health insurance tax deductions for self-employed individuals).
• Title IV. Group health plan provisions.
• Title V. Revenue offset provisions.
HIPAA Transaction And Codes
• HIPAA is named for its contribution to the portability of insurance and accountability for insurance claims. The administrative simplification section of HIPAA requires the standardization of identifiers, code sets and transactions. HIPAA places various limits on the exclusions that insurers may use, provides credit for past insurance coverage, and attempts to ensure that insurance can be purchased. Note that HIPAA ensures only that insurance is available, not that it is inexpensive.
The Security Rule:
• The Security Rule lays out three types of security safeguards required for compliance: administrative, physical, and technical. For each of these types, the rule identifies various security standards, and for each standard it names both required and addressable implementation specifications. Required specifications must be adopted and administered as dictated by the rule. Addressable specifications are not optional: the covered entity must implement them, implement an equivalent alternative measure, or document why doing neither is reasonable and appropriate.
The Standards And Specifications Are
As Follows:
• Covered entities must adopt a written set of privacy procedures and designate a privacy officer to be responsible for developing and implementing all required policies and procedures.
• The policies and procedures must reference management oversight and organizational buy-in to compliance with the documented security controls.
• Procedures should clearly identify employees or classes of employees who will have access to protected health information (PHI).
• The procedures must address access authorization, establishment, modification, and termination.
• A contingency plan should be in place for responding to emergencies.
• Internal audits play a key role in HIPAA compliance by reviewing operations with the goal of identifying potential security violations.
• Procedures should document instructions for addressing and responding to security breaches that are identified either during the audit or in the normal course of operations.
Technical Safeguards:
• Controlling access to computer systems and enabling covered entities to protect communications containing PHI, transmitted electronically over open networks, from being intercepted by anyone other than the intended recipient.
• Information systems housing PHI must be protected from intrusion. When information flows over open networks, some form of encryption must be utilized.
• Each covered entity is responsible for ensuring that the data within its systems has not been changed or erased in an unauthorized manner.
• Data corroboration, including the use of checksums, double-keying, message authentication codes, and digital signatures, may be used to ensure data integrity. A plain checksum only detects accidental corruption; a keyed message authentication code or a digital signature is needed to detect deliberate tampering.
• Covered entities must also authenticate the entities they communicate with. Authentication mechanisms include password systems, two- or three-way handshakes, telephone call-back, and token systems.
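The following Python script is an added example, not part of the original deck, that shows why the choice of integrity mechanism matters for PHI crossing an open network: an attacker who alters a record in transit can simply recompute a keyless CRC32 checksum, whereas an HMAC-SHA256 tag over the same record cannot be produced without the shared key. The record contents and the shared key are constructed for illustration only.

```python
import hashlib
import hmac
import zlib

# Constructed sample PHI record standing in for a message sent over an open network.
SAMPLE_RECORD = b"patient_id=12345;diagnosis=J45.909;dosage=200mg"
# Hypothetical shared key agreed between sender and receiver (illustration only).
SHARED_KEY = b"example-shared-secret-do-not-use-in-production"


def crc32_tag(data: bytes) -> int:
    """Keyless checksum: catches accidental corruption only."""
    return zlib.crc32(data) & 0xFFFFFFFF


def hmac_tag(key: bytes, data: bytes) -> bytes:
    """Keyed message authentication code: catches modification by anyone lacking the key."""
    return hmac.new(key, data, hashlib.sha256).digest()


def verify_hmac(key: bytes, data: bytes, tag: bytes) -> bool:
    """Constant-time comparison so the check itself does not leak the tag byte by byte."""
    return hmac.compare_digest(hmac_tag(key, data), tag)


def tamper(record: bytes) -> bytes:
    """Simulated in-transit modification: the dosage field is quadrupled."""
    return record.replace(b"dosage=200mg", b"dosage=800mg")


def checksum_scenario() -> bool:
    """Returns True if the receiver accepts the tampered record.

    The attacker modifies the record and recomputes the keyless checksum over it,
    so the record and the tag the receiver sees are mutually consistent.
    """
    tampered = tamper(SAMPLE_RECORD)
    forged_tag = crc32_tag(tampered)       # no secret is needed to do this
    receiver_tag = crc32_tag(tampered)     # receiver recomputes over what arrived
    return receiver_tag == forged_tag


def hmac_scenario(attacker_key_guess: bytes = b"wrong-key") -> dict:
    """Returns the receiver's accept/reject decisions for the genuine record and two attacks."""
    genuine_tag = hmac_tag(SHARED_KEY, SAMPLE_RECORD)
    tampered = tamper(SAMPLE_RECORD)
    return {
        # Genuine record with its genuine tag: accepted.
        "genuine_accepted": verify_hmac(SHARED_KEY, SAMPLE_RECORD, genuine_tag),
        # Tampered record sent with the original tag: rejected.
        "tampered_with_old_tag_accepted": verify_hmac(SHARED_KEY, tampered, genuine_tag),
        # Tampered record with a tag computed under a guessed key: rejected.
        "tampered_with_forged_tag_accepted": verify_hmac(
            SHARED_KEY, tampered, hmac_tag(attacker_key_guess, tampered)
        ),
    }


if __name__ == "__main__":
    print("checksum accepts tampered record:", checksum_scenario())
    for name, accepted in hmac_scenario().items():
        print(f"{name}: {accepted}")
```

The same split applies to the rule's encryption requirement: encrypting PHI in transit hides it from an eavesdropper, but only an authenticated construction (a MAC over the ciphertext, or an AEAD cipher mode) lets the receiver detect that the ciphertext was altered on the way.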
Physical safeguards:
• Controlling physical access to protect against inappropriate access to protected data.
• Controls must govern the introduction and removal of hardware and software from the network.
• Access to equipment containing health information should be carefully controlled and monitored.
• Access to hardware and software must be limited to properly authorized individuals.
STATEMENT ON AUDITING STANDARDS FOR SERVICE ORGANIZATIONS
Introduction
Statement on Auditing Standards No. 70: Service Organizations, commonly abbreviated as SAS 70, is an auditing statement issued by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA), officially titled "Reports on the Processing of Transactions by Service Organizations". SAS 70 defines the professional standards used by a service auditor to assess the internal controls of a service organization and issue a service auditor's report. SAS 70 was superseded in 2011 by SSAE 16 (since replaced by SSAE 18), under which the equivalent report is the SOC 1 report; the Type I / Type II distinction described below carries over to those reports.
Meaning of SAS
SAS 70 (the Statement on Auditing Standards No. 70) defines the standards an auditor must employ in order to assess the contracted internal controls of a service organization. Service organizations, such as hosted data centers, insurance claims processors and credit processing companies, provide outsourced services that affect the operation of the contracting enterprise.
Under SAS 70, service auditor reports are classified as either Type I or Type II. In a Type I report the auditor evaluates the efforts of a service organization, at the time of the audit, to prevent accounting inconsistencies, errors and misrepresentation. The auditor also evaluates the likelihood that those efforts will produce the intended results in the future. A Type II report includes the same information as a Type I report; in addition, the auditor attempts to determine the effectiveness of the agreed-on controls since their implementation. Type II reports also incorporate data compiled during a specific time period, usually a minimum of six months.
CHARACTERISTICS OF THE STATEMENT ON AUDITING STANDARDS FOR SERVICE ORGANIZATIONS
1. Statement on Auditing Standards (SAS) No. 70, Service Organizations, is an internationally recognized auditing standard developed by the American Institute of Certified Public Accountants (AICPA).
2. SAS 70 provides guidance to enable an independent auditor ("service auditor") to issue an opinion on a service organization's description of controls through a Service Auditor's Report.
3. Service auditors are required to follow the AICPA's standards for fieldwork, quality control, and reporting.
4. A formal report including the auditor's opinion ("Service Auditor's Report") is issued to the service organization at the conclusion of a SAS 70 examination.
5. A SAS 70 examination is not a "checklist" audit. SAS No. 70 is generally applicable when an auditor ("user auditor") is auditing the financial statements of an entity ("user organization") that obtains services from another organization ("service organization"). Service organizations that provide such services could be application service providers, bank trust departments, claims processing centers, Internet data centers, or other data processing service bureaus.
6. A SAS 70 audit or service auditor's examination is widely recognized because it represents that a service organization has been through an in-depth audit of its control activities, which generally include controls over information technology and related processes.
Type I and Type II audit standards
Type I SAS 70 audits give an opinion on controls that are in place as of a point in time. The opinion deals with the fairness of presentation of the controls and the design of the controls in terms of their ability to meet defined control objectives. Since these reports only provide assurance as of a single day, they are of limited value to third parties.
Type II SAS 70 audits give an opinion on controls that were in place over a period of time, typically six months or more. The opinion deals with the fairness of presentation of the controls, the design of the controls in terms of their ability to meet defined control objectives, and the operating effectiveness of those controls over the defined period. Third parties are better able to rely on these reports, since verification is provided regarding these matters for a substantial period of time.
Benefits to the service organization
1. A service auditor's report ensures that all user organizations and their auditors have access to the same information, and in many cases this will satisfy the user auditor's requirements.
2. SAS 70 engagements are generally performed by control-oriented professionals who have experience in accounting, auditing, and information security.
3. A service auditor's report with an unqualified opinion, issued by an independent accounting firm, differentiates the service organization from its peers by demonstrating the establishment of effectively designed control objectives and control activities.
4. A SAS 70 engagement allows a service organization to have its control policies and procedures evaluated and tested (in the case of a Type II engagement) by an independent party.
5. A service auditor's report also helps a service organization build trust with its user organizations (i.e. customers).
CAPABILITY MATURITY MODEL (CMM)
INTRODUCTION:
The CMM was developed from 1984 by Watts
Humphrey and the Software Engineering
Institute(SEI). The SEI is a part of Carnegie Mellon
University. The work was funded and continues to be
funded by the Department of Defense(DoD), which
was originally looking for ways to compare and
measure the various contractors that were developing
software for the DoD.
Meaning :
"A Capability Maturity Model (CMM) is a formal archetype of the levels through which an organization evolves as it defines, implements, measures, controls and improves its processes in a particular area of operation. It thus enables the organization to consciously choose a certain target level of maturity and then to work towards that level."
Definition:
"The definition implies that the CMM concept is mainly applicable to organizational processes, such as development processes or business processes. This process orientation underlies the model described in this paper and thus deals with knowledge within the framework of business processes."
PROCESS OF CAPABILITY MATURITY MODEL (CMM)
1. Initial maturity level
2. Repeatable maturity level
3. Defined maturity level
4. Managed maturity level
5. Optimizing maturity level
INITIAL MATURITY LEVEL
The software process is characterized as inconsistent
and occasionally even chaotic. Defined processes and
standard practices that exist are abandoned during a
crisis. Success of the organization majorly depends on
an individual effort, talent and heroics. The heroes
eventually move on to other organizations taking their
wealth of knowledge or lessons learnt with them.
REPEATABLE MATURITY LEVEL
At this level, a software development organization has basic and consistent project management processes to track cost, schedule and functionality. The process discipline is in place to repeat earlier successes on projects with similar applications. Project management is a key characteristic of a level two organization.
DEFINED MATURITY LEVEL
The software process for both management and engineering activities is documented, standardized and integrated into a standard software process for the entire organization, and all projects across the organization use an approved, tailored version of the organization's standard software process for developing, testing and maintaining the application.
MANAGED MATURITY LEVEL
Management can effectively control the software development effort using precise measurements. At this level, organizations set quantitative quality goals for both the software process and software maintenance. The performance of processes is controlled using statistical and other quantitative techniques and is quantitatively predictable.
OPTIMIZING MATURITY LEVEL
The key characteristic of this level is a focus on continually improving process performance through both incremental and innovative technological improvements. At this level, changes to the process are made to improve process performance while maintaining the statistical predictability needed to achieve the established quantitative process-improvement objectives.
it grc

ISO 27001 - Information security user awareness training presentation - part 3
Ā 
C-Suiteā€™s Guide to Enterprise Risk Management and Emerging Risks
C-Suiteā€™s Guide to Enterprise Risk Management and Emerging RisksC-Suiteā€™s Guide to Enterprise Risk Management and Emerging Risks
C-Suiteā€™s Guide to Enterprise Risk Management and Emerging Risks
Ā 
ISO 27001 2002 Update Webinar.pdf
ISO 27001 2002 Update Webinar.pdfISO 27001 2002 Update Webinar.pdf
ISO 27001 2002 Update Webinar.pdf
Ā 
Cybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for ExecutivesCybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for Executives
Ā 
IT Governance
IT GovernanceIT Governance
IT Governance
Ā 

Viewers also liked

Fix nix, inc
Fix nix, incFix nix, inc
Fix nix, incFixNix Inc.,
Ā 
jComply grc_platform_v1.0
jComply grc_platform_v1.0jComply grc_platform_v1.0
jComply grc_platform_v1.0jComply
Ā 
FulcrumWay - Ed. Webinar - Identify and Eliminate False Positives from your S...
FulcrumWay - Ed. Webinar - Identify and Eliminate False Positives from your S...FulcrumWay - Ed. Webinar - Identify and Eliminate False Positives from your S...
FulcrumWay - Ed. Webinar - Identify and Eliminate False Positives from your S...FulcrumWay
Ā 
Enterprise under attack dealing with security threats and compliance
Enterprise under attack dealing with security threats and complianceEnterprise under attack dealing with security threats and compliance
Enterprise under attack dealing with security threats and complianceSPAN Infotech (India) Pvt Ltd
Ā 
Expertool GRC Accelerator
Expertool GRC AcceleratorExpertool GRC Accelerator
Expertool GRC Acceleratorslideshareneilj
Ā 
DFlabs corporate profile 01-2013
DFlabs corporate profile 01-2013DFlabs corporate profile 01-2013
DFlabs corporate profile 01-2013DFLABS SRL
Ā 
CMLGroup - What is GRC?
CMLGroup - What is GRC?CMLGroup - What is GRC?
CMLGroup - What is GRC?CML Group
Ā 
Reciprocity_GRC Software Buyers Guide v5
Reciprocity_GRC Software Buyers Guide v5Reciprocity_GRC Software Buyers Guide v5
Reciprocity_GRC Software Buyers Guide v5justinklooster
Ā 
Software Evaluation Checklist
Software Evaluation ChecklistSoftware Evaluation Checklist
Software Evaluation ChecklistSalina Saharudin
Ā 
The Evaluation Checklist
The Evaluation ChecklistThe Evaluation Checklist
The Evaluation Checklistwmartz
Ā 
Corporate compliance powerpoint
Corporate compliance powerpointCorporate compliance powerpoint
Corporate compliance powerpointsmcmanus3
Ā 

Viewers also liked (11)

Fix nix, inc
Fix nix, incFix nix, inc
Fix nix, inc
Ā 
jComply grc_platform_v1.0
jComply grc_platform_v1.0jComply grc_platform_v1.0
jComply grc_platform_v1.0
Ā 
FulcrumWay - Ed. Webinar - Identify and Eliminate False Positives from your S...
FulcrumWay - Ed. Webinar - Identify and Eliminate False Positives from your S...FulcrumWay - Ed. Webinar - Identify and Eliminate False Positives from your S...
FulcrumWay - Ed. Webinar - Identify and Eliminate False Positives from your S...
Ā 
Enterprise under attack dealing with security threats and compliance
Enterprise under attack dealing with security threats and complianceEnterprise under attack dealing with security threats and compliance
Enterprise under attack dealing with security threats and compliance
Ā 
Expertool GRC Accelerator
Expertool GRC AcceleratorExpertool GRC Accelerator
Expertool GRC Accelerator
Ā 
DFlabs corporate profile 01-2013
DFlabs corporate profile 01-2013DFlabs corporate profile 01-2013
DFlabs corporate profile 01-2013
Ā 
CMLGroup - What is GRC?
CMLGroup - What is GRC?CMLGroup - What is GRC?
CMLGroup - What is GRC?
Ā 
Reciprocity_GRC Software Buyers Guide v5
Reciprocity_GRC Software Buyers Guide v5Reciprocity_GRC Software Buyers Guide v5
Reciprocity_GRC Software Buyers Guide v5
Ā 
Software Evaluation Checklist
Software Evaluation ChecklistSoftware Evaluation Checklist
Software Evaluation Checklist
Ā 
The Evaluation Checklist
The Evaluation ChecklistThe Evaluation Checklist
The Evaluation Checklist
Ā 
Corporate compliance powerpoint
Corporate compliance powerpointCorporate compliance powerpoint
Corporate compliance powerpoint
Ā 

Similar to it grc

Running head AUDITING INFORMATION SYSTEMS PROCESS .docx
Running head AUDITING INFORMATION SYSTEMS PROCESS              .docxRunning head AUDITING INFORMATION SYSTEMS PROCESS              .docx
Running head AUDITING INFORMATION SYSTEMS PROCESS .docxjoellemurphey
Ā 
Maclearā€™s IT GRC Tools ā€“ Key Issues and Trends
Maclearā€™s  IT GRC Tools ā€“ Key Issues and TrendsMaclearā€™s  IT GRC Tools ā€“ Key Issues and Trends
Maclearā€™s IT GRC Tools ā€“ Key Issues and TrendsMaclear LLC
Ā 
Information Governance Program
Information Governance ProgramInformation Governance Program
Information Governance ProgramBohdiman
Ā 
Ch2-CIISA_IT Governance.pdf
Ch2-CIISA_IT Governance.pdfCh2-CIISA_IT Governance.pdf
Ch2-CIISA_IT Governance.pdfDanteHayashi
Ā 
Overview-of-an-IT-Audit-Lesson-1.pptx
Overview-of-an-IT-Audit-Lesson-1.pptxOverview-of-an-IT-Audit-Lesson-1.pptx
Overview-of-an-IT-Audit-Lesson-1.pptxJoshJaro
Ā 
CISM_WK_1.pptx
CISM_WK_1.pptxCISM_WK_1.pptx
CISM_WK_1.pptxdotco
Ā 
Information Security Governance and Strategy - 3
Information Security Governance and Strategy - 3Information Security Governance and Strategy - 3
Information Security Governance and Strategy - 3Dam Frank
Ā 
crisc_wk_2a.pptx
crisc_wk_2a.pptxcrisc_wk_2a.pptx
crisc_wk_2a.pptxdotco
Ā 
IT Governance.pptx
IT Governance.pptxIT Governance.pptx
IT Governance.pptxFaith Shimba
Ā 
Internal Controls Over Information Systems
Internal Controls Over Information Systems Internal Controls Over Information Systems
Internal Controls Over Information Systems Jeffrey Paulette
Ā 
insider threat research
insider threat researchinsider threat research
insider threat researchAsma Al-maskaria
Ā 
Cyber Audit | Cyber Crime | Network Security | Cyber Security Audit- 2023.pdf
Cyber Audit | Cyber Crime | Network Security |  Cyber Security Audit- 2023.pdfCyber Audit | Cyber Crime | Network Security |  Cyber Security Audit- 2023.pdf
Cyber Audit | Cyber Crime | Network Security | Cyber Security Audit- 2023.pdfCyber Security Experts
Ā 
Introduction to IT compliance program and Discuss the challenges IT .pdf
Introduction to IT compliance program and Discuss the challenges IT .pdfIntroduction to IT compliance program and Discuss the challenges IT .pdf
Introduction to IT compliance program and Discuss the challenges IT .pdfSALES97
Ā 
vertical in CISA certification and Five Domains are in CISA
vertical in CISA certification and Five Domains are in CISAvertical in CISA certification and Five Domains are in CISA
vertical in CISA certification and Five Domains are in CISAarjunnegi34
Ā 
Third Party Risk Management
Third Party Risk ManagementThird Party Risk Management
Third Party Risk ManagementEC-Council
Ā 
Controls in Audit.pptx
Controls in Audit.pptxControls in Audit.pptx
Controls in Audit.pptxHardikKundra
Ā 
Seven Elements Of Effective Compliance Programs
Seven Elements Of Effective Compliance ProgramsSeven Elements Of Effective Compliance Programs
Seven Elements Of Effective Compliance ProgramsMaria Macri
Ā 
gray_audit_presentation.ppt
gray_audit_presentation.pptgray_audit_presentation.ppt
gray_audit_presentation.pptKhalilIdhman
Ā 

Similar to it grc (20)

Running head AUDITING INFORMATION SYSTEMS PROCESS .docx
Running head AUDITING INFORMATION SYSTEMS PROCESS              .docxRunning head AUDITING INFORMATION SYSTEMS PROCESS              .docx
Running head AUDITING INFORMATION SYSTEMS PROCESS .docx
Ā 
Maclearā€™s IT GRC Tools ā€“ Key Issues and Trends
Maclearā€™s  IT GRC Tools ā€“ Key Issues and TrendsMaclearā€™s  IT GRC Tools ā€“ Key Issues and Trends
Maclearā€™s IT GRC Tools ā€“ Key Issues and Trends
Ā 
Information Governance Program
Information Governance ProgramInformation Governance Program
Information Governance Program
Ā 
Ch2-CIISA_IT Governance.pdf
Ch2-CIISA_IT Governance.pdfCh2-CIISA_IT Governance.pdf
Ch2-CIISA_IT Governance.pdf
Ā 
Overview-of-an-IT-Audit-Lesson-1.pptx
Overview-of-an-IT-Audit-Lesson-1.pptxOverview-of-an-IT-Audit-Lesson-1.pptx
Overview-of-an-IT-Audit-Lesson-1.pptx
Ā 
Task 2
Task 2Task 2
Task 2
Ā 
Grc and is audit
Grc and is auditGrc and is audit
Grc and is audit
Ā 
CISM_WK_1.pptx
CISM_WK_1.pptxCISM_WK_1.pptx
CISM_WK_1.pptx
Ā 
Information Security Governance and Strategy - 3
Information Security Governance and Strategy - 3Information Security Governance and Strategy - 3
Information Security Governance and Strategy - 3
Ā 
crisc_wk_2a.pptx
crisc_wk_2a.pptxcrisc_wk_2a.pptx
crisc_wk_2a.pptx
Ā 
IT Governance.pptx
IT Governance.pptxIT Governance.pptx
IT Governance.pptx
Ā 
Internal Controls Over Information Systems
Internal Controls Over Information Systems Internal Controls Over Information Systems
Internal Controls Over Information Systems
Ā 
insider threat research
insider threat researchinsider threat research
insider threat research
Ā 
Cyber Audit | Cyber Crime | Network Security | Cyber Security Audit- 2023.pdf
Cyber Audit | Cyber Crime | Network Security |  Cyber Security Audit- 2023.pdfCyber Audit | Cyber Crime | Network Security |  Cyber Security Audit- 2023.pdf
Cyber Audit | Cyber Crime | Network Security | Cyber Security Audit- 2023.pdf
Ā 
Introduction to IT compliance program and Discuss the challenges IT .pdf
Introduction to IT compliance program and Discuss the challenges IT .pdfIntroduction to IT compliance program and Discuss the challenges IT .pdf
Introduction to IT compliance program and Discuss the challenges IT .pdf
Ā 
vertical in CISA certification and Five Domains are in CISA
vertical in CISA certification and Five Domains are in CISAvertical in CISA certification and Five Domains are in CISA
vertical in CISA certification and Five Domains are in CISA
Ā 
Third Party Risk Management
Third Party Risk ManagementThird Party Risk Management
Third Party Risk Management
Ā 
Controls in Audit.pptx
Controls in Audit.pptxControls in Audit.pptx
Controls in Audit.pptx
Ā 
Seven Elements Of Effective Compliance Programs
Seven Elements Of Effective Compliance ProgramsSeven Elements Of Effective Compliance Programs
Seven Elements Of Effective Compliance Programs
Ā 
gray_audit_presentation.ppt
gray_audit_presentation.pptgray_audit_presentation.ppt
gray_audit_presentation.ppt
Ā 

More from 9535814851

Wireless application prorocol
Wireless application prorocolWireless application prorocol
Wireless application prorocol9535814851
Ā 
information system and computers
information system and computersinformation system and computers
information system and computers9535814851
Ā 
Information technology govenance
Information technology govenanceInformation technology govenance
Information technology govenance9535814851
Ā 
information system and computers
information system and computersinformation system and computers
information system and computers9535814851
Ā 
human resource information system
human resource information system human resource information system
human resource information system 9535814851
Ā 
information system and computers
information system and computersinformation system and computers
information system and computers9535814851
Ā 
Software development life cycle copy
Software development life cycle   copySoftware development life cycle   copy
Software development life cycle copy9535814851
Ā 
Database management system
Database management system   Database management system
Database management system 9535814851
Ā 
information system and computers
information system and computersinformation system and computers
information system and computers9535814851
Ā 
information system and computers
information system and computers information system and computers
information system and computers 9535814851
Ā 
Health insurance portability and act(hipaa)2
Health insurance portability and act(hipaa)2Health insurance portability and act(hipaa)2
Health insurance portability and act(hipaa)29535814851
Ā 
Information system
Information systemInformation system
Information system9535814851
Ā 
Mc card new product launch
Mc card new product launchMc card new product launch
Mc card new product launch9535814851
Ā 
marketing information system
 marketing information system marketing information system
marketing information system9535814851
Ā 
information system and computers
information system and computersinformation system and computers
information system and computers9535814851
Ā 
2007 mcom mis module 1.0
2007 mcom mis module 1.02007 mcom mis module 1.0
2007 mcom mis module 1.09535814851
Ā 

More from 9535814851 (17)

Wireless application prorocol
Wireless application prorocolWireless application prorocol
Wireless application prorocol
Ā 
it act
it act it act
it act
Ā 
information system and computers
information system and computersinformation system and computers
information system and computers
Ā 
Information technology govenance
Information technology govenanceInformation technology govenance
Information technology govenance
Ā 
information system and computers
information system and computersinformation system and computers
information system and computers
Ā 
human resource information system
human resource information system human resource information system
human resource information system
Ā 
information system and computers
information system and computersinformation system and computers
information system and computers
Ā 
Software development life cycle copy
Software development life cycle   copySoftware development life cycle   copy
Software development life cycle copy
Ā 
Database management system
Database management system   Database management system
Database management system
Ā 
information system and computers
information system and computersinformation system and computers
information system and computers
Ā 
information system and computers
information system and computers information system and computers
information system and computers
Ā 
Health insurance portability and act(hipaa)2
Health insurance portability and act(hipaa)2Health insurance portability and act(hipaa)2
Health insurance portability and act(hipaa)2
Ā 
Information system
Information systemInformation system
Information system
Ā 
Mc card new product launch
Mc card new product launchMc card new product launch
Mc card new product launch
Ā 
marketing information system
 marketing information system marketing information system
marketing information system
Ā 
information system and computers
information system and computersinformation system and computers
information system and computers
Ā 
2007 mcom mis module 1.0
2007 mcom mis module 1.02007 mcom mis module 1.0
2007 mcom mis module 1.0
Ā 

Recently uploaded

Hybridoma Technology ( Production , Purification , and Application )
Hybridoma Technology  ( Production , Purification , and Application  ) Hybridoma Technology  ( Production , Purification , and Application  )
Hybridoma Technology ( Production , Purification , and Application ) Sakshi Ghasle
Ā 
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Krashi Coaching
Ā 
How to Configure Email Server in Odoo 17
How to Configure Email Server in Odoo 17How to Configure Email Server in Odoo 17
How to Configure Email Server in Odoo 17Celine George
Ā 
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPTECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPTiammrhaywood
Ā 
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...EduSkills OECD
Ā 
Alper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentAlper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentInMediaRes1
Ā 
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK  LOOKBOOK(1) (1).pdfBASLIQ CURRENT LOOKBOOK  LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdfSoniaTolstoy
Ā 
Interactive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationInteractive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationnomboosow
Ā 
Introduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher EducationIntroduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher Educationpboyjonauth
Ā 
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Sapana Sha
Ā 
A Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformA Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformChameera Dedduwage
Ā 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxheathfieldcps1
Ā 
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdfEnzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdfSumit Tiwari
Ā 
KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)ā€”ā€”ā€”ā€”IMP.OF KSHARA ...
KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)ā€”ā€”ā€”ā€”IMP.OF KSHARA ...KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)ā€”ā€”ā€”ā€”IMP.OF KSHARA ...
KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)ā€”ā€”ā€”ā€”IMP.OF KSHARA ...M56BOOKSTORE PRODUCT/SERVICE
Ā 
_Math 4-Q4 Week 5.pptx Steps in Collecting Data
_Math 4-Q4 Week 5.pptx Steps in Collecting Data_Math 4-Q4 Week 5.pptx Steps in Collecting Data
_Math 4-Q4 Week 5.pptx Steps in Collecting DataJhengPantaleon
Ā 
URLs and Routing in the Odoo 17 Website App
URLs and Routing in the Odoo 17 Website AppURLs and Routing in the Odoo 17 Website App
URLs and Routing in the Odoo 17 Website AppCeline George
Ā 
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityGeoBlogs
Ā 
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17Celine George
Ā 

Recently uploaded (20)

Hybridoma Technology ( Production , Purification , and Application )
Hybridoma Technology  ( Production , Purification , and Application  ) Hybridoma Technology  ( Production , Purification , and Application  )
Hybridoma Technology ( Production , Purification , and Application )
Ā 
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Ā 
Model Call Girl in Bikash Puri Delhi reach out to us at šŸ”9953056974šŸ”
Model Call Girl in Bikash Puri  Delhi reach out to us at šŸ”9953056974šŸ”Model Call Girl in Bikash Puri  Delhi reach out to us at šŸ”9953056974šŸ”
Model Call Girl in Bikash Puri Delhi reach out to us at šŸ”9953056974šŸ”
Ā 
How to Configure Email Server in Odoo 17
How to Configure Email Server in Odoo 17How to Configure Email Server in Odoo 17
How to Configure Email Server in Odoo 17
Ā 
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPTECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
Ā 
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Ā 
Alper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentAlper Gobel In Media Res Media Component
Alper Gobel In Media Res Media Component
Ā 
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK  LOOKBOOK(1) (1).pdfBASLIQ CURRENT LOOKBOOK  LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
Ā 
Interactive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationInteractive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communication
Ā 
Introduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher EducationIntroduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher Education
Ā 
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Ā 
A Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformA Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy Reform
Ā 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptx
Ā 
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdfEnzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
Ā 
TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdfTataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
Ā 
KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)ā€”ā€”ā€”ā€”IMP.OF KSHARA ...
KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)ā€”ā€”ā€”ā€”IMP.OF KSHARA ...KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)ā€”ā€”ā€”ā€”IMP.OF KSHARA ...
KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)ā€”ā€”ā€”ā€”IMP.OF KSHARA ...
Ā 
_Math 4-Q4 Week 5.pptx Steps in Collecting Data
_Math 4-Q4 Week 5.pptx Steps in Collecting Data_Math 4-Q4 Week 5.pptx Steps in Collecting Data
_Math 4-Q4 Week 5.pptx Steps in Collecting Data
Ā 
URLs and Routing in the Odoo 17 Website App
URLs and Routing in the Odoo 17 Website AppURLs and Routing in the Odoo 17 Website App
URLs and Routing in the Odoo 17 Website App
Ā 
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activity
Ā 
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
Ā 

it grc

  • 2. INTRODUCTION
    Information technology has a tremendous impact on the discipline of accounting by introducing new ways of retrieving and processing information about performance deviations and control effectiveness. It provides a means of managing organizational controls by analyzing value drivers for particular accounting information systems, an approach that commonly runs under the label of governance, risk management and compliance information systems (GRC IS). Information systems such as enterprise resource planning systems separate financial from non-financial data and therefore enable better financial accounting. On the other hand, they provide new potential for management control, as "data become accurate, shareable and available to many different parties but does hardly create the panoptic dreams of visibility and action at a distance".
  • 3. Governance
    The process by which policy is set and decision making is executed. Governance is the set of policies, laws, culture, and institutions that define how an organization should be managed.
  • 4. Risk management
    The process for keeping uncertainty about business objectives at an acceptable level, balancing avoidance (reconsidering objectives), mitigation (applying controls), transfer (insurance) and acceptance (through governance mechanisms). It is also the process of ensuring that important business processes and behaviors remain within the tolerances associated with the policies and decisions set through the governance process. Risk management consists of coordinated activities that direct and control an organization in forecasting and managing events and risks that might have a negative impact on the business.
  • 5. Compliance
    The process of adherence to policies and decisions. Policies can be derived from internal directives, procedures and requirements, or from external laws, regulations, standards and agreements. Compliance is the act of adhering to regulations as well as to corporate policies and procedures.
  • 6.
    • Create and distribute policies and controls and map them to regulations and internal compliance requirements.
    • Assess whether the controls are actually in place and working, and fix them if they are not.
    • Ease risk assessment and mitigation.
    • IT GRC provides coordination and standardization of policies and controls.
    • Automate information gathering.
    • Enable enterprises to rapidly adapt to change.
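The first two points above (map controls to requirements, then check whether the controls are really in place) are what a GRC tool automates. The following is an added example, not code from the original slides or from any GRC product: it maps a handful of technical controls to requirement identifiers, runs each control's check against a configuration snapshot, and reports which requirements are unmet and what to remediate. The requirement IDs (REQ-*), control IDs (CTL-*), the control-to-requirement mapping and the snapshot are all constructed for illustration; in practice the snapshot would be gathered automatically from directory, host and logging configuration. Note the rule a practitioner cares about: a requirement mapped to several controls is only met when every one of those controls passes.

```python
"""Added example: map controls to requirements, test them against a
configuration snapshot, and report unmet requirements.
All identifiers (REQ-*, CTL-*) and the snapshot are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed system snapshot (assumed shape); a real tool would collect
# these values from the systems under review.
SNAPSHOT = {
    "password_min_length": 8,
    "mfa_required_for_admins": False,
    "log_retention_days": 400,
    "admin_accounts": ["alice", "bob", "svc-backup"],
    "shared_accounts": ["svc-backup"],
}


@dataclass
class Control:
    id: str
    description: str
    check: Callable[[dict], bool]   # True when the control is in place and effective
    requirements: List[str]         # requirement IDs this control supports (assumed mapping)


CONTROLS = [
    Control("CTL-01", "Passwords are at least 12 characters",
            lambda s: s["password_min_length"] >= 12, ["REQ-ACCESS-1"]),
    Control("CTL-02", "MFA enforced for administrative accounts",
            lambda s: s["mfa_required_for_admins"], ["REQ-ACCESS-1", "REQ-ACCESS-2"]),
    Control("CTL-03", "Audit logs retained for at least one year",
            lambda s: s["log_retention_days"] >= 365, ["REQ-LOG-1"]),
    Control("CTL-04", "No shared account holds administrative rights",
            lambda s: not (set(s["admin_accounts"]) & set(s["shared_accounts"])),
            ["REQ-ACCESS-2"]),
]


def assess_controls(snapshot: dict, controls: List[Control]) -> Dict[str, bool]:
    """Run every control check against the snapshot; return {control_id: passed}."""
    return {c.id: bool(c.check(snapshot)) for c in controls}


def requirement_status(controls: List[Control],
                       results: Dict[str, bool]) -> Dict[str, Tuple[bool, List[str]]]:
    """A requirement is met only when every control mapped to it passes.
    Returns {requirement_id: (met, [failing control ids])}."""
    status: Dict[str, Tuple[bool, List[str]]] = {}
    for c in controls:
        for req in c.requirements:
            met, failing = status.get(req, (True, []))
            if not results[c.id]:
                met, failing = False, failing + [c.id]
            status[req] = (met, failing)
    return status


def remediation_list(controls: List[Control], results: Dict[str, bool]) -> List[str]:
    """Controls that failed, i.e. the 'fix them if they are not' list."""
    return [f"{c.id}: {c.description}" for c in controls if not results[c.id]]


if __name__ == "__main__":
    res = assess_controls(SNAPSHOT, CONTROLS)
    for req, (met, failing) in sorted(requirement_status(CONTROLS, res).items()):
        print(f"{req}: {'MET' if met else 'NOT MET'} {failing}")
    print("Remediate:", remediation_list(CONTROLS, res))
```

Running it against the constructed snapshot reports REQ-LOG-1 as met and both access requirements as not met, because the password length, MFA and shared-admin-account controls all fail; the same run on a corrected snapshot passes every control.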
  • 7. Governance
    • Enterprise risk management and assessment
    • Board compliance capabilities, such as options policy compliance, ethics and policy compliance, etc.
    • Business performance reporting, such as balanced scorecards, risk scorecards, operational controls dashboards, etc.
    • Policy management, documentation and communication
  • 8. Risk management
    • Risk assessment
    • Risk analysis and prioritization
    • Root cause analysis of issues and mitigation
    • Risk analytics and trend analysis
  • 9. Compliance
    • Flexible controls hierarchy
    • Assessments and audits
    • Issues tracking and remediation
    • Analytics
  • 10. Importance of IT GRC
    • An improvement in the quality and availability of information;
    • A reduction in breaches and errors;
    • A reduction in costs and greater efficiency;
    • A more flexible and externally focused workforce capable of rapid change to meet customer and organizational needs;
    • Greater assurance for the organization, its board and senior management that GRC issues are being dealt with appropriately and that the organization remains "on target" with its performance objectives; and
    • Improved levels of communication across the organization.
  • 11. BUSINESS IS MORE DEPENDENT ON IT
    • The IT environment is more complex.
    • There is less time between IT failures and organizational impact.
    • Threats related to IT are increasing.
    • Regulations, standards and controls are increasing.
  • 12. IT GRC Challenges
    • Mapping the policies and controls
    • Audit fatigue
    • Security exposure
    • Redundancy and inefficiency
  • 13. Other Challenges
    • A perception by staff that the initiative may have an ulterior motive, for example a cost recovery drive or head-count reduction.
    • Business unit managers or middle management fear being marginalized as GRC responsibilities are devolved to lower levels of the hierarchy.
    • Organizations are sometimes skeptical about the targeting and measurement systems proposed and are concerned that there will ultimately not be an appropriate return on investment, given the establishment and maintenance costs involved.
    • Corporate cynicism and skepticism about the outcomes and results achieved from past planned organizational change (and management "fads" generally).
  • 14. Factors to consider when implementing IT GRC
    • Strategy
    • Reporting and audit
    • Legal function
    • Information technology
    • Ethics and corporate social responsibility
    • Corporate culture
    • Business process management
  • 16. Introduction
    Information systems auditing involves using technical tools and expertise to evaluate the adequacy and effectiveness of information systems in an organization. Further, it involves working with management to identify weak controls and the risks that arise from the application of technology in a business. It also suggests ways to strengthen these weak controls to increase the reliability of IS, which helps an organization achieve its strategic objectives.
  • 17. Meaning
    Information systems audit is a process to collect and evaluate evidence to determine whether the information systems safeguard assets, maintain data integrity, achieve organizational goals effectively and consume resources efficiently. The common element between any manual audit and an IS audit is data integrity: all types of audit (information audits) have to evaluate data integrity. Since IS audit covers efficiency and effectiveness, it includes some elements of management and propriety audit too.
  • 18. IS auditing methodology
    • Step 1: Define the objectives of the audit.
    • Step 2: Obtain a basic understanding of the systems and the flow of transactions.
    • Step 3: Detailed information gathering.
    • Step 4: Search for exposures that exist under the system and suggest controls to eliminate them.
    • Step 5: Define auditing procedures to verify the controls.
    • Step 6: Perform audit tests using various techniques and tools.
    • Step 7: Evaluate the findings.
    • Step 8: Generate the report.
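Steps 4 to 7 of the methodology above (identify exposures, define procedures that verify the controls, run the tests, evaluate the findings) are usually carried out with automated tests over transaction data, which is also where the data-integrity concern of slide 17 becomes concrete. The following is an added example, not part of the original slides and not from any audit tool: three audit tests run over a constructed extract of a payment journal. Each test names the exposure it addresses and the control it verifies; the journal records, user names and the approval-limit matrix are constructed for illustration.

```python
"""Added example: automated audit tests (methodology steps 4 to 7) run over a
constructed payment-journal extract. Each check names the exposure it covers
and the control it verifies, and returns exceptions for the audit report."""
from collections import Counter
from typing import Dict, List, Tuple

# Constructed journal extract, one record per payment (assumed record shape).
JOURNAL = [
    {"id": 1001, "amount": 4500.00, "created_by": "priya", "approved_by": "rahul"},
    {"id": 1002, "amount": 12000.00, "created_by": "rahul", "approved_by": "rahul"},  # self-approved
    {"id": 1003, "amount": 80000.00, "created_by": "priya", "approved_by": "rahul"},  # above rahul's limit
    {"id": 1005, "amount": 300.00, "created_by": "anita", "approved_by": "priya"},    # 1004 is missing
    {"id": 1005, "amount": 300.00, "created_by": "anita", "approved_by": "priya"},    # duplicate of 1005
]

# Assumed authorization matrix: maximum amount each approver may authorize.
APPROVAL_LIMITS: Dict[str, float] = {"rahul": 50000.00, "priya": 1000.00}


def check_segregation_of_duties(journal: List[dict]) -> List[int]:
    """Exposure: a user who both creates and approves a payment can pay themselves.
    Control: creator and approver must be different users. Returns offending ids."""
    return [r["id"] for r in journal if r["created_by"] == r["approved_by"]]


def check_approval_authority(journal: List[dict],
                             limits: Dict[str, float]) -> List[Tuple[int, str, float]]:
    """Exposure: approvals beyond delegated authority. Control: the approver holds a
    limit and the amount is within it. Returns (id, approver, amount) exceptions."""
    exceptions = []
    for r in journal:
        limit = limits.get(r["approved_by"])
        if limit is None or r["amount"] > limit:
            exceptions.append((r["id"], r["approved_by"], r["amount"]))
    return exceptions


def check_sequence_integrity(journal: List[dict]) -> Tuple[List[int], List[int]]:
    """Exposure: deleted or replayed records break completeness. Control: ids form an
    unbroken, unique sequence. Returns (missing_ids, duplicate_ids)."""
    ids = [r["id"] for r in journal]
    expected = set(range(min(ids), max(ids) + 1))
    missing = sorted(expected - set(ids))
    duplicates = sorted(i for i, n in Counter(ids).items() if n > 1)
    return missing, duplicates


def run_audit(journal: List[dict], limits: Dict[str, float]) -> dict:
    """Step 7: gather every test's exceptions into one structure for the report."""
    return {
        "segregation_of_duties": check_segregation_of_duties(journal),
        "approval_authority": check_approval_authority(journal, limits),
        "sequence_integrity": check_sequence_integrity(journal),
    }


if __name__ == "__main__":
    for test_name, finding in run_audit(JOURNAL, APPROVAL_LIMITS).items():
        print(f"{test_name}: {finding or 'no exceptions'}")
```

On the constructed extract the report flags payment 1002 as self-approved, payment 1003 as approved above the approver's limit, record 1004 as missing and 1005 as duplicated; each of these is an exception to take into the evaluation and report steps rather than a conclusion on its own.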
• 19. Scope of IS audit • Data • Application systems • Technology • Facilities • People
• 20. Elements of IS audit: Exposures, Causes, Controls. Review areas: • Physical and environmental review • System administration review • Application software review • Network security review • Business continuity review • Data integrity review
• 21. Need for IS audit • Confidentiality • Integrity • Availability • Reliability
• 22. Categories of IS audits • Systems and applications • Information processing facilities • Systems development • Management of IT and enterprise architecture • Telecommunications, intranets and extranets
• 23. Information Security and management standard Meaning: Information security relates to the physical and logical protection of data or information recorded, processed, shared, transmitted or received in an electronic form. The protection is provided against loss, inaccessibility, alteration, or unauthorized disclosure. The protection is achieved through physical safeguards such as locks, security guards, insurance etc. and logical safeguards such as user identifiers, passwords and firewalls.
• 24. Information security • Meaning: It is the practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. • Definition: “Information security is the process of protecting the intellectual property of an organization.” • IT security: it is also referred to as computer security. A computer is any device with a processor and some memory; such devices range from a non-networked standalone device as simple as a calculator to a networked mobile computing device such as a smartphone or tablet. IT security is mainly used in major enterprise establishments due to the nature and value of the data within larger businesses.
• 25. Information assurance • The act of ensuring that data is not lost when critical issues arise. These issues include, but are not limited to, natural disasters, computer or server malfunction, physical theft, or any other instance where data has the potential of being lost.
• 26. Threats Computer system threats come in many different forms. Some of the most common threats today are software attacks, theft of intellectual property, identity theft, and theft of equipment or information. Key concepts of information security: • Confidentiality • Integrity • Availability
• 27. Risk management ‘Risk management is the process of identifying vulnerabilities and threats to the information resources.’
• 28. Control Selecting proper controls and implementing them will initially help an organization bring risk down to an acceptable level. Control selection should follow, and be based on, the risk assessment. Controls can vary in nature, but fundamentally they are ways of protecting confidentiality. Types of control are: • Administrative control • Logical control • Physical control
• 29. Security organization structure 1. Information Security Forum (ISF) 2. Information Security Management Group (ISMG) 3. Assistant Group Security Officer (AGSO) 4. System owner 5. Personal Security Officer (PSO) 6. Line manager 7. Users
• 30. Standards for Information Security The International Organization for Standardization (ISO), established in 1947, is a non-governmental international body that collaborates on standards with the international commission technology (ITC). The following are commonly referenced ISO security standards.
  • 31. Introduction to ISO 27001 ISO 27001 is a specification for creating an ISMS. It does not mandate specific actions, but includes suggestions for documentation, internal audits, continual improvement, and corrective and preventive action.
• 32. Framework of ISO 27001 Implementation of ISO 27001 is an ideal response to legal requirements and potential security threats such as: • Vandalism/Terrorism • Fire • Misuse • Theft • Viral attack
• 33. Features of ISO 27001 • Adopts the PDCA (Plan-Do-Check-Act) model. • Adopts a process approach. • Identifies and manages activities so that they function effectively. • Stresses continual process improvement. • Scope covers information security, not only IT security. • Focused on people, process and technology. • Combination of management controls, operational controls and technical controls.
• 34. Benefits of ISMS ISO 27001 certification: • Independent framework that will take account of all legal and regulatory requirements. • Helps provide a competitive edge to the company. • Helps to identify and meet contractual and regulatory requirements. • Independently verifies that risks to the company are properly identified and managed. • Demonstrates to customers that the security of their information is taken seriously.
• 35. CONTROL OBJECTIVES FOR INFORMATION AND RELATED TECHNOLOGY (COBIT) INTRODUCTION: COBIT was first released in 1996; the current version, COBIT 5, was published in 2012. Its mission is “to research, develop, publish and promote an authoritative, up-to-date, international set of generally accepted information technology control objectives for day-to-day use by business managers, IT professionals and assurance professionals.”
• 36. The framework provides good practices across a domain and process framework: “The business orientation of COBIT consists of linking business goals to IT goals, providing metrics and maturity models to measure their achievement and identifying the associated responsibilities of business and IT process owners.” COBIT is a framework of generally applicable information systems security and control practices. The framework allows: 1) Benchmarking of the security and control arrangement. 2) Auditors to review internal controls and advise on IT security matters. 3) Users of IT services to be assured that adequate security and control exist.
• 37. The framework addresses the issue of control from 3 vantage points: IT processes, business objectives and IT resources.
• 38. IT Processes Controls are required to be implemented in all the processes, which are broken into 4 domains: • Planning and organization • Acquisition and implementation • Delivery and support • Monitoring
• 39. Business objectives To satisfy business objectives, information must satisfy some criteria that COBIT refers to as business requirements for information. The criteria are divided into seven categories, including: • Effectiveness • Efficiency • Confidentiality • Integrity
• 40. IT RESOURCES To protect IT resources, controls must be developed covering: • People • Application systems • Hardware devices • Facilities and data • Security controls
• 41. Advantages of COBIT I. COBIT is aligned with other standards and best practices and should be used together with them. II. Its framework and supporting best practices provide a well-managed and flexible IT environment in an organization. III. COBIT provides a control environment that is responsive to business needs and serves management and audit functions in terms of their control responsibilities. IV. It provides tools to help manage IT activities.
• 42. COBIT has five IT governance areas of concentration: 1) Strategic alignment focuses on ensuring the linkage of business and IT plans; defining, maintaining and validating the IT value proposition; and aligning IT operations with enterprise operations. 2) Value delivery is about executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimizing costs and providing the intrinsic value of IT.
• 43. COBIT has five IT governance areas of concentration (continued): 3) Resource management is about the optimum investment in, and proper management of, critical IT resources: applications, information, infrastructure and people. 4) Risk management requires a clear understanding of the enterprise's appetite for risk, an understanding of compliance requirements, and transparency into the organization. 5) Performance measurement tracks and monitors strategy implementation, project completion, resource usage, process performance and service delivery, using, for example, balanced scorecards that translate strategy into action to achieve goals measurable beyond conventional accounting.
• 45. Introduction • The Health Insurance Portability and Accountability Act (HIPAA) became law in 1996. The purpose of HIPAA is to improve the efficiency and effectiveness of healthcare transactions by standardizing the exchange of administrative and financial data, as well as protecting the privacy and security of individual health information that is maintained or transmitted.
  • 46. ā€¢ HIPAA imposes stringent privacy and security requirements on health plans, healthcare providers, and healthcare clearinghouses that maintain and/or transmit individual health information in electronic form. The term ā€œhealthcare providerā€ includes individual physicians, physician group practices, dentists, other healthcare practitioners, hospitals, and nursing facilities.
• 47. Specific objectives of the regulations are: • Standardizing the format and content of primary commercial and administrative electronic healthcare transactions. • Developing standards to protect confidential patient information from improper use or disclosure and establishing patients' rights to control such uses. • Developing standards for computer systems and networks to ensure the security, integrity, and availability of patient data.
• 48. HIPAA is also known as public law. The Act has five top-level titles: • Title 1. Health access, portability, and renewability. • Title 2. Preventing health care fraud and abuse (administrative simplification), which includes: (1) transactions and code sets (2) identifiers (3) privacy (4) security. • Title 3. Tax-related health provisions (medical savings accounts and health insurance tax deductions for self-employed individuals).
  • 49. ā€¢ Title 4. Group health plan provisions ā€¢ Title 5. Revenue offset provisions.
• 50. HIPAA Transactions and Codes • HIPAA is named for its contribution to the portability of insurance and accountability for insurance claims. The administrative simplification section of HIPAA requires the standardization of identifiers, code sets and transactions. HIPAA places various limits on the exclusions that insurers may use, provides credit for past insurance, and attempts to assure that insurance can be purchased. As stated previously, HIPAA ensures only that insurance is available, not that it is inexpensive.
• 51. The Security Rule: • The Security Rule lays out three types of security safeguards required for compliance: administrative, physical, and technical. For each of these types, the rule identifies various security standards, and for each standard it names both required and addressable implementation specifications. Required specifications must be adopted and administered as dictated by the rule.
• 52. The Standards and Specifications Are as Follows: • Covered entities must adopt a written set of privacy procedures and designate a privacy officer to be responsible for developing and implementing all required policies and procedures. • The policies and procedures must reference management oversight and organizational buy-in to compliance with the documented security controls. • Procedures should clearly identify employees or classes of employees who will have access to protected health information (PHI). • The procedures must address access authorization, establishment, modification, and termination.
  • 53. ā€¢ A contingency plan should be in place for responding to emergencies. ā€¢ Internal audits play a key role in HIPAA compliance by reviewing operations with the goal of identifying potential security violations. ā€¢ Procedures should document instructions for addressing and responding to security breaches that are identified either during the audit or the normal course of operations.
• 54. Technical Safeguards: • Controlling access to computer systems and enabling covered entities to protect communications containing PHI transmitted electronically over open networks from being intercepted by anyone other than the intended recipient. • Information systems housing PHI must be protected from intrusion. When information flows over open networks, some form of encryption must be utilized.
  • 55. ā€¢ Each covered entity is responsible for ensuring that the data within its systems has not been changed or erased in an unauthorized manner. ā€¢ Data corroboration, including the use of check sum, double-keying, message authentication, and signature may be used to ensure data integrity. ā€¢ Covered entities must also authenticate entities it communicates with authentication consists password systems, two or three-way handshakes, telephone call-back, and token systems.
• 56. Physical safeguards: • Controlling physical access to protect against inappropriate access to protected data. • Controls must govern the introduction and removal of hardware and software from the network. • Access to equipment containing health information should be carefully controlled and monitored. • Access to hardware and software must be limited to properly authorized individuals.
  • 57. STATEMENT OF AUDITING STANDARDS FOR SERVICE ORGANISATION
• 58. Introduction Statement on Auditing Standards No. 70: Service Organizations, commonly abbreviated as SAS 70, is an auditing statement issued by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA), officially titled “Reports on the Processing of Transactions by Service Organizations”. SAS 70 defines the professional standards used by a service auditor to assess the internal control of a service organization and issue a service auditor's report.
• 59. Meaning of SAS SAS 70 (the Statement on Auditing Standards No. 70) defines the standards an auditor must employ in order to assess the contracted internal controls of a service organization. Service organizations, such as hosted data centers, insurance claims processors and credit processing companies, provide outsourced services that affect the operation of the contracting enterprise.
• 60. Under SAS 70, auditor reports are classified as either Type I or Type II. In a Type I report the auditor evaluates the efforts of a service organization, at the time of the audit, to prevent accounting inconsistencies, errors and misrepresentation. The auditor also evaluates the likelihood that those efforts will produce the desired results in the future. A Type II report includes the same information as that contained in a Type I report; in addition, the auditor attempts to determine the effectiveness of the agreed-on controls since their implementation. Type II reports also incorporate data compiled during a specific time period, usually a minimum of six months.
• 61. CHARACTERISTICS OF STATEMENT ON AUDITING STANDARDS FOR SERVICE ORGANIZATIONS 1. Statement on Auditing Standards (SAS) No. 70, Service Organizations, is an internationally recognized auditing standard developed by the American Institute of Certified Public Accountants (AICPA). 2. SAS 70 provides guidance to enable an independent auditor (“service auditor”) to issue an opinion on a service organization's description of controls through a Service Auditor's Report. 3. Service auditors are required to follow the AICPA's standards for fieldwork, quality control, and reporting. 4. A formal report including the auditor's opinion (“Service Auditor's Report”) is issued to the service organization at the conclusion of a SAS 70 examination.
• 62. 5. A SAS 70 examination is not a “checklist” audit. SAS No. 70 is generally applicable when an auditor (“user auditor”) is auditing the financial statements of an entity (“user organization”) that obtains services from another organization (“service organization”). Service organizations that provide such services could be application service providers, bank trust departments, claims processing centers, Internet data centers, or other data processing service bureaus. 6. A SAS 70 audit or service auditor's examination is widely recognized because it represents that a service organization has been through an in-depth audit of its control activities, which generally include controls over information technology and related processes.
• 63. Type I and Type II audit standards Type I SAS 70 audits give an opinion on controls that are in place as of a point in time. The opinion deals with the fairness of presentation of the controls and the design of the controls in terms of their ability to meet defined control objectives. Since these reports only provide assurance over a single day, they are of limited value to third parties. Type II SAS 70 audits give an opinion on controls that were in place over a period of time, typically six months or more. The opinion deals with the fairness of presentation of the controls, the design of the controls in terms of their ability to meet defined control objectives, and the operating effectiveness of those controls over the defined period. Third parties are better able to rely on these reports, since verification is provided regarding these matters for a substantial period of time.
• 64. Benefits to the service organization 1. A service auditor's report ensures that all user organizations and their auditors have access to the same information, and in many cases this will satisfy the user auditor's requirements. 2. SAS 70 engagements are generally performed by control-oriented professionals who have experience in accounting, auditing, and information security. 3. A service auditor's report with an unqualified opinion that is issued by an independent accounting firm differentiates the service organization from its peers by demonstrating the establishment of effectively designed control objectives and control activities. 4. A SAS 70 engagement allows a service organization to have its control policies and procedures evaluated and tested (in the case of a Type II engagement) by an independent party. 5. A service auditor's report also helps a service organization build trust with its user organizations (i.e. customers).
• 65. CAPABILITY MATURITY MODEL (CMM) INTRODUCTION: The CMM was developed from 1984 by Watts Humphrey and the Software Engineering Institute (SEI). The SEI is a part of Carnegie Mellon University. The work was funded, and continues to be funded, by the Department of Defense (DoD), which was originally looking for ways to compare and measure the various contractors that were developing software for the DoD.
• 66. Meaning: “A Capability Maturity Model (CMM) is a formal archetype of the levels through which an organization evolves as it defines, implements, measures, controls and improves its processes in a particular area of operation. It thus enables the organization to consciously choose a certain target level of maturity and then to work towards that level.” Definition: “The definition implies that the CMM concept is mainly applicable to organizational processes, such as development processes or business processes. This process orientation underlies the model described in this paper and thus deals with knowledge within the framework of business processes.”
• 67. PROCESS OF CAPABILITY MATURITY MODEL (CMM) • Initial maturity level • Repeatable maturity level • Defined maturity level • Managed maturity level • Optimizing maturity level
• 68. INITIAL MATURITY LEVEL The software process is characterized as inconsistent and occasionally even chaotic. Defined processes and standard practices that exist are abandoned during a crisis. Success of the organization depends largely on individual effort, talent and heroics. The heroes eventually move on to other organizations, taking their wealth of knowledge and lessons learnt with them.
• 69. REPEATABLE MATURITY LEVEL At this level a software development organization has basic and consistent project management processes to track cost, schedule and functionality. The process is in place to repeat earlier successes on projects with similar applications. Program management is a key characteristic of a level two organization.
• 70. DEFINED MATURITY LEVEL The software processes for both management and engineering activities are documented, standardized and integrated into a standard software process for the entire organization, and all projects across the organization use an approved, tailored version of the organization's standard software process for developing, testing and maintaining applications.
• 71. MANAGED MATURITY LEVEL Management can effectively control the software development effort using precise measurements. At this level, the organization sets quantitative quality goals for both the software process and software maintenance. At this maturity level, the performance of processes is controlled using statistical and other quantitative techniques and is quantitatively predictable.
• 72. OPTIMIZING MATURITY LEVEL The key characteristic of this level is a focus on continually improving process performance through both incremental and innovative technological improvements. At this level, changes to the process are made to improve process performance while at the same time maintaining the statistical probability of achieving the established quantitative process-improvement objectives.