Demonstrating compliance

Scenario

You are an IT compliance professional that owns three projects:

• GDPR Compliance Risk Assessment
• Cybersecurity Review
• IT General Controls Review

You recently recognized that similar risks and controls can apply to the Cybersecurity Review and IT General Controls Review projects.

Previously, you created a project from a project template called IT General Controls Review (IA Context). You want to use this template to create a single set of risks and controls that can be used in both the Cybersecurity Review and IT General Controls Review projects.

Process

Help topics

• Creating projects
• Using project templates
• Managing information using frameworks
• Cloning and importing objectives

First, you create a blank GDPR Compliance Risk Assessment – you'll be using this later to develop a compliance risk inventory and conduct the initial phases of the compliance risk assessment.

Then, you create a new framework called IT General Controls Framework, and import the objectives (containing risks and controls) from the project template to the framework.

Finally, you import the objectives from the framework into the Cybersecurity Review and IT General Controls Review projects.

Result

The GDPR Compliance Risk Assessment is set up, and you can begin defining the audit and risk areas that are relevant to the organization.

The objectives, risks, and controls in the IT General Controls Framework are linked to the objectives, risks, and controls in the Cybersecurity Review and IT General Controls Review projects. You can now update the projects as needed, optionally apply those updates back up to the framework, and also ensure that updates made in the framework propagate to the appropriate projects by syncing projects with frameworks.

Scenario

You want to ensure that the terminology displayed in the GDPR Compliance Risk Assessment aligns with your organization's preferred lexicon.

Process

Help topic Customizing terms, fields, and notifications

You navigate to the Compliance Investigation / Examination project type, and configure the following terms on each tab:

Risk and Procedures tab:

• Term for project plan → Compliance Risk Inventory
• Abbreviation for project plan → CRI
• Term for risk → Requirement
• Term for procedure → Planned Project
• Term for procedure ID → Planned Project ID

Execute Procedures tab:

• Term for execute procedures tab → Prioritized Projects
• Term for execute procedure → Prioritized Projects

Result

The custom terms are applied to the GDPR Compliance Risk Assessment:

Scenario

Your organization needs to comply with General Data Protection Regulation (GDPR) (EU) 2016/679, a regulation that provides requirements to protect personal data, which can include typical personal or account data that identifies a person.

You recognize that GDPR can be satisfied by adopting existing best practices, such as COBIT, ITIL, NIST, and ISO. To adopt the elements required to meet GDPR requirements, your organization has decided to leverage the COBIT® 5 Framework, a comprehensive IT audit framework that helps enterprises create optimal value from IT by maintaining a balance between realizing benefits and optimizing risk levels and resource use.

Process

Help topic Importing standards and regulations

You import the COBIT® 5 Framework to your Compliance Map.

Result

Your Compliance Map is populated with a list of requirements:

Scenario

Before you can interpret and rationalize requirements in the COBIT® 5 Framework, you need to develop a compliance risk inventory to identify and rank risks, and specify which planned projects will serve to address or minimize the key risk areas.

The compliance risk inventory will list risks that the organization has faced in the past, or is expected to face in the future. Risks should be ranked based on impact and likelihood on a three-point scale (1-Low, 2-Medium, 3-High).

Process

Help topics

• Defining objectives
• Defining risks and controls

Within the GDPR Compliance Risk Assessment, you define the first requirement: Report Data Breaches. In the Report Data Breaches requirement, you define and assess the first risk that is in scope for your organization:

DP-1: Failure to protect data systems against misuse or unauthorized access by employees Employees can breach systems with the intent to steal data or obtain personal data about co-workers.

• Impact Medium
• Likelihood High

Finally, you specify that two planned projects that will cover the risk area:

• Cybersecurity Review
• IT General Controls Review

Result

The first risk area of focus is assessed. The compliance risk assessment will help to determine which requirements within the COBIT® 5 Framework are applicable to the organization.

Scenario

The results of the compliance risk assessment now allow you to interpret and rationalize requirements within the COBIT® 5 Framework. You need to apply professional judgment and rationalize optimal coverage that's sufficient for the organization.

Process

Help topic Create a compliance map

In Compliance Maps, you mark each requirement that is applicable to your organization, provide a rationale stating why the requirement is applicable.

You capture information for requirement DSS05.04 Manage user identity and logical access as follows:

• Applicable Yes
• Covered Yes
• Rationale As a result of the compliance risk assessment, this requirement has been identified as applicable to the organization.

Finally, you map the following existing controls to requirement DSS05.04:

Result

You have addressed everything exactly as the requirement dictates and implemented two direct controls accordingly. Any testing results and issues associated with the controls are aggregated to the Compliance Map for reporting purposes.

Scenario

Your organization has a mature and refined operational risk assessment process, and evaluates risk across two dimensions (Likelihood and Impact) on a three-point scale:

• 1 - Low
• 2 - Medium
• 3 - High

Now, you need to evaluate the inherent risk score to determine the raw risk the organization faces if no controls or other mitigating factors have been put in place.

Process

Help topics

• Defining risks and controls
• Tracking assurance using frameworks

You capture the following information in the Cybersecurity Review and IT General Controls Review projects:

Result

The inherent risk assessment is completed. Inherent risk scores are aggregated to the framework for reporting purposes.

Scenario

Now that you have assessed inherent risk, you also want to be able to determine the residual risk, or how much risk remains after controls have been put in place.

Process

Help topics

• Executing procedures and testing controls
• Tracking assurance using frameworks
• Create a compliance map

You capture the following information and test the design and operational effectiveness of each control in both the Cybersecurity Review and IT General Controls Review projects:

Project: Cybersecurity Review

• Risk: LA-: Untitled Risk
• Controls:
  • LA-008
    • Control Attributes:
      • Description: Access to the databases supporting the production application is restricted to only those individuals that require such access to their database administration job functions.
      • Weight: 50%
    • Walkthrough Results: Designed Appropriately
    • Testing Results: Operating Effectively
  • LA-009
    • Control Attributes:
      • Description: The databases supporting the production application enforce appropriate password and security parameters relative to the data stored on the system.
      • Weight: 50%
    • Walkthrough Results: Designed Appropriately
    • Testing Results: Operating Effectively

Project: IT General Controls Review

• Risk: LA-: Untitled Risk
• Controls:
  • LA-008
    • Control Attributes:
      • Description: Access to the databases supporting the production application is restricted to only those individuals that require such access to their database administration job functions.
      • Weight: 50%
    • Walkthrough Results: Designed Appropriately
    • Testing Results: Exception(s) Noted
  • LA-009
    • Control Attributes:
      • Description: The databases supporting the production application enforce appropriate password and security parameters relative to the data stored on the system.
      • Weight: 50%
    • Walkthrough Results: Designed Appropriately
    • Testing Results: Operating Effectively

Result

Testing results associated with the control are aggregated to the framework and Compliance Map for reporting purposes:

Scenario

Since one of the control tests failed in the IT General Controls Review, you need to note the exception by logging an issue. You also want to create a specific follow-up measure that is associated with an identified issue, and assign it to the appropriate staff member.

Process

Help topics

• Recording issues
• Recording actions

You document the following issue and actions in the IT General Controls Review:

Issue

• Title/Headline Unauthorized employees may have access to critical systems
• Description There is no process in place to ensure that only authorized employees have access to critical systems
• Owner IT Manager
• Issue Type Deficiency
• Date Identified Date
• Severity High
• Published Published

Action

• Title Monitor privileged access to critical systems on a regular basis
• Owner IT Manager
• Description Monitor production access logs and compare logged events with a sanctioned user list
• Due Date Date
• Status Opened
• Priority High

Result

The issue and action are captured. At a later date, Audit can review the remediation plan, and document retesting results to determine whether or not the issue has been truly remediated.

Scenario

You need to track overall how well your organization is doing in mitigating compliance risk so that resources can be allocated appropriately. Luckily, the testing results and issues you captured in the attestation projects are aggregated to your Compliance Map, allowing you to track and report on compliance status in real-time.

Process

Help topic Create a compliance map

You open Compliance Maps and view the aggregated and summarized information:

To obtain further details about DSS05.04, you click the requirement and view the mapped controls and aggregated testing results:

To demonstrate compliance progress, you share the Coverage metric with management, and export the Excel report. This provides management with an instant understanding of the degree to which the organization is compliant with the COBIT® 5 Framework.

Result

You quickly get insight into the current state of compliance for your organization.