COBIT Case Study

1、COBITCaseStudy:ITRiskManagementinaBankThiscasestudyisareal-lifeexampleofusingCOBIT®forITriskmanagementwithinaglobalbank.COBITwasusedeffectivelyformanagingriskwithinthetechnologyteamstoensurethatappropriateITgovernanceandITassuranceprocesseswereutilisedthroughoutthebank.BackgroundThebankinthegivencaseisaglobalconglomeratewithoperationsinmorethan50countriesandwithmorethan125,000employeesacrosstheglobe.Thebank’stechnologyteamsarelocatedthroughouttheworldtosupportgloballinesofbusiness.TheITteamsinc。

2、ludedevelopmentcentresthatarepartofthebankandothersthatareoutsourcedtovendors,aswellastechnologybackofficesthatsupportITinfrastructureandservices.Thebankhadahistoryofmultiplegovernanceandassurancetemplatesandprocessesfollowedbydifferentteams,regionsandlocations.Hence,thekeychallengewastocreateacommongovernanceandassuranceprocessacrosstechnologyteams.Thetechnologygovernanceandassuranceprogrammewasdesignedthroughariskmanagementframeworktoensureeffectiveriskandcontrolmanagement.Theframeworkwasdefin。

3、edtoaddressexistingriskandcontrolmanagementweaknesses,suchas:ImmatureprocessesforassessingandtestingcomplianceLackofasinglecontrolrepository,resultingincontrolduplicationLackofaclear,repeatableprocessforcompletingriskassessmentsThenewframeworkwasexpectedtoenabletechnologyteamstounderstandthesignificantoperationalrisksandtheirimpactonthewiderorganisationby:AddressingareasinwhichriskswerenoteffectivelycontrolledAllowingtechnologyexecutivestodemonstrateregulatoryresponsibilitiesefficientlyUsi。

4、ngacommonplatformforreportingallregulatoryrequirementsacrossregionsandcountriesEffectivelyreportingtechnologyriskandcontrolweaknessesthatmayimpactthebusinessImplementingastandardprocessacrossregionsandofficestoensureconsistencyandavoidduplicationofreportingUseofCOBITThegovernanceteamdecidedtouseCOBITasastandardframework.Ateamofprofessionals—includingrisk,ITsecurityandUSSarbanes-OxleyActprocessexperts—wassetuptodefinetheprocessesandtemplates.Theteamprimarilyworkedonthreeareas:1.Definingaframewo。

5、rktouse—Controlobjectiveframework(COF)2.Identifyingastandarddefinitionof‘entities’againstwhichrisksandcontrolsweretobeevaluated—Keyentitymanagementmodel3.Identifyingariskmanagementprocess—Riskandcontrolassessment(RCA)Keystepsintheprocessofdevelopinganewriskmanagementframeworkaredescribedinthefollowingsections.Step1—DefiningCOFTheCOFwasdefinedtolinkrisksaffectingtechnologyofficesandindustrystandardbestpracticecontrolsasdefinedbyCOBIT.ThreeobjectivesweresetwhilstdefiningtheCOF:1.Itshouldactasatool。

6、tofacilitatetheeffectiveassessmentofrisksandcontrolswithintechnology.2.Itshouldactasareportingframeworktodemonstratehowtechnologysatisfiesreportingregulatoryrequirements,includingthoseofSarbanes-Oxley.3.Itshouldactasanaidtodrivemanagementassurance.ThestepsinimplementingCOFusingCOBITincluded:Identifyprincipalrisks—TheprincipalrisksoflevelIweredefinedandfrozenbasedonearlierinformation.Thoseidentifiedincludedrisksrelatedtotechnology,operations,people,legalandregulatory,financialreporting,financial。

7、crime,brand,andchange.IdentifylevelIIrisks—TheprincipalriskwasfurtherbrokendownintolevelIIrisks.Asanexample,the‘technologyprincipalrisk’wasfurtherdrilleddownto:-Inadequatedesign/testingofITsystems-UnavailabilityofITsystems-LackofITsecurityIdentifycontrolobjectives—ForeachofthelevelIIrisks,controlobjectiveswereidentifiedusingCOBIT.Figure1indicatesthemappingofthelevelIIriskswiththecontrolobjectivesidentifiedagainsteachofthetechnologyrisks.BenefitofStep1Priortoimplementingthisframework,eachentity。

8、,organisationandlocationhaditsownsetofcontrols.COBIThelpedindevelopingandmanagingasinglelistofcontrolsforeachtypeofriskthroughthemappingofneededcontrolstoCOBIT.Inturn,thisassistedwiththeattestationofeachtypeofrisk,whichprovidedconfidencetoseniorexecutivesonthereportingandattestationprocess.Subsequently,ariskassessmentprocesswasdevelopedtodefinerisksandcontrols.ThishelpedinensuringthatadequatecontrolsweredeployedtocovertheprincipalrisksandlevelIIrisks.Step2—IdentifyingEntitiesforManagingRisksandC。

9、ontrolsThekeyentitymanagementmodelwasdefinedtoincludeITbuildingblocks,againstwhichriskandcontrolassessmentsweretobeperformed.TheITbuildingblocksarelogicallylinkedtogetherforreportingpurposestoprovideariskandcontrolassessmentforallsupportingserviceswithinthepurviewofthetechnologyoffice.TheITbuildingblocksweredefinedas:Processentities—Theserepresenttheprocessesusedtosupport,controlandmanagetheITenvironment.AnycontrolissuesinaprocessentitywouldaffectmanyITservices,e.g.,changecontrolispervasiveacro。

10、ssmostITservices.Supportingservicesentities—Linkingwithprocessandtechnologyentitiesallowsforacompleteend-to-endriskandcontrolassessmentforthatsupportingservice,e.g.,interfacingrisksamongsttechnologyentities,service-levelrisksforend-to-endITservice,andintegrationrisks(themanagementofhandoffsbetweendepartments).Technologyentities—Theserepresentthe‘traditional’ITcomponents,e.g.,servers,applications,networksandfirewalls.TheservicemapsandtheRCAprocesswereusedtofacilitatetheidentificationofthekeytech。