Standard Bodies

  • April 2020

ITIL
The Information Technology Infrastructure Library (ITIL) is a set of best-practice standards for Information Technology (IT) service management. The United Kingdom's Central Computer and Telecommunications Agency (CCTA) created ITIL in response to the growing dependence on Information Technology to meet business needs and goals. ITIL provides businesses with a customizable framework of best practices to achieve quality service and overcome difficulties associated with the growth of IT systems.

COBIT
Published by ITGI and positioned as a high-level governance and control framework.

ISO/IEC 17799:2000
Published by the International Organisation for Standardisation (ISO) and the International Electrotechnical Commission (IEC), and derived from the UK government's BS 7799, to provide a framework of a standard for information security management.

FFIEC Business Continuity Planning Booklet
This Federal Financial Institutions Examination Council (FFIEC) Business Continuity Planning booklet provides guidance and examination procedures to assist examiners in evaluating financial institution and service provider risk management processes, to ensure the availability of critical financial services.

SAS 70 Overview
Statement on Auditing Standards (SAS) No. 70, Service Organizations, is an internationally recognized auditing standard developed by the American Institute of Certified Public Accountants (AICPA). A SAS 70 audit or service auditor's examination is widely recognized because it represents that a service organization has been through an in-depth audit of its control activities, which generally include controls over information technology and related processes. In today's global economy, service organizations or service providers must demonstrate that they have adequate controls and safeguards when they host or process data belonging to their customers. In addition, the requirements of Section 404 of the Sarbanes-Oxley Act of 2002 make SAS 70 audit reports even more important to the process of reporting on effective internal controls at service organizations.

ITIL
The Service Management section of ITIL is made up of eleven different disciplines, split into two sections, Service Support and Service Delivery:

Service Support
  • Configuration Management
  • Change Management
  • Release Management
  • Incident Management
  • Problem Management
  • Service Desk

Service Delivery
  • Service Level Management
  • Capacity Management
  • Financial Management for IT Services
  • Availability Management
  • IT Service Continuity Management

Service Level Management
The object of SLM is to maintain and gradually improve business-aligned IT service quality, through a constant cycle of agreeing, monitoring, reporting and reviewing IT service achievements, and through instigating actions to eradicate unacceptable levels of service. SLM is responsible for ensuring that the service targets are documented and agreed in SLAs, and it monitors and reviews the actual service levels achieved against their SLA targets. SLM should also be trying to proactively improve all service levels within the imposed cost constraints. SLM is the process that manages and improves the agreed level of service between two parties, the provider and the receiver of a service. SLM is responsible for negotiating and agreeing service requirements and expected service characteristics with the Customer, and for measuring and reporting the Service Levels actually being achieved against target, the resources required and the cost of service provision. SLM is also responsible for continuously improving service levels in line with business processes, with a SIP; co-ordinating other Service Management and support functions, including third-party suppliers; reviewing SLAs to meet changed business needs or resolving major service issues; and producing, reviewing and maintaining the Service Catalogue.

IT Service Continuity Management
The object of IT Service Continuity Management is to support the overall Business Continuity Management process by ensuring that the required IT technical and services facilities can be recovered within required and agreed business time-scales. IT Service Continuity Management is concerned with managing an organisation's ability to continue to provide a pre-determined and agreed level of IT services to support the minimum business requirements following an interruption to the business. This includes ensuring business survival by reducing the impact of a disaster or major failure, reducing the vulnerability and risk to the business by effective risk analysis and risk management, preventing the loss of Customer and User confidence, and producing IT recovery plans that are integrated with and fully support the organisation's overall Business Continuity plan. IT Service Continuity is responsible for ensuring that the available IT Service Continuity options are understood and the most appropriate solution is chosen in support of the business requirements. It is also responsible for identifying roles and responsibilities and making sure these are endorsed and communicated from a senior level to ensure respect and commitment for the process. Finally, IT Service Continuity is responsible for guaranteeing that the IT recovery plans and the Business Continuity Plans are aligned, and are regularly reviewed, revised and tested.

COBIT
Control Objectives for Information and related Technology (COBIT) is a framework for information security created by ISACA, the Information Systems Audit and Control Association, and the ITGI (IT Governance Institute). COBIT provides managers, auditors and IT users with a set of generally accepted information technology control objectives to assist them in maximizing the benefits derived through the use of information technology and in developing the appropriate IT governance and control in a company. In its 3rd edition, COBIT has 34 high-level objectives that cover 318 control objectives, categorized in four domains: Planning and Organization, Acquisition and Implementation, Delivery and Support, and Monitor.

HIGH LEVEL CONTROL OBJECTIVES: Planning and Organization
  • PO1 Define a Strategic IT Plan
  • PO2 Define the Information Architecture
  • PO3 Determine Technological Direction
  • PO4 Define the IT Organization and Relationships
  • PO5 Manage the IT Investment
  • PO6 Communicate Management Aims and Direction
  • PO7 Manage Human Resources
  • PO8 Ensure Compliance with External Requirements
  • PO9 Assess Risks
  • PO10 Manage Projects
  • PO11 Manage Quality

HIGH LEVEL CONTROL OBJECTIVES: Delivery and Support
  • DS1 Define and Manage Service Levels
  • DS2 Manage Third-Party Services
  • DS3 Manage Performance and Capacity
  • DS4 Ensure Continuous Service
  • DS5 Ensure Systems Security
  • DS6 Identify and Allocate Costs
  • DS7 Educate and Train Users
  • DS8 Assist and Advise Customers
  • DS9 Manage the Configuration
  • DS10 Manage Projects
  • DS11 Manage Data
  • DS12 Manage Facilities
  • DS13 Manage Operations

ISO 17799
ISO/IEC 17799:2005 contains best practices of control objectives and controls in the following areas of information security management:

  • security policy;
  • organization of information security;
  • asset management;
  • human resources security;
  • physical and environmental security;
  • communications and operations management;
  • access control;
  • information systems acquisition, development and maintenance;
  • information security incident management;
  • business continuity management;
  • compliance.

THE PROCESS
Sub-section 11.1.1 focuses upon the management process for developing and maintaining continuity.

IMPACT ANALYSIS
Sub-section 11.1.2 states the requirement for impact analysis and risk assessment.

PLANNING
Sub-section 11.1.3 covers the development and implementation of the plan itself.

FRAMEWORK
Sub-section 11.1.4 describes the framework in which the plans exist.

DRII Ten Professional Practice Areas

  • Subject Area 1: Project Initiation and Management
  • Subject Area 2: Risk Evaluation and Control
  • Subject Area 3: Business Impact Analysis
  • Subject Area 4: Developing Business Continuity Strategies
  • Subject Area 5: Emergency Response and Operations
  • Subject Area 6: Developing and Implementing Business Continuity Plans
  • Subject Area 7: Awareness and Training Programs
  • Subject Area 8: Exercising and Maintaining Business Continuity Plans
  • Subject Area 9: Public Relations and Crisis Coordination
  • Subject Area 10: Coordination With External Agencies
