Cross Border and Articles on Standards-VIV-6


    The European Journal for the Informatics Professional
    http://www.upgrade-cepis.org
    Vol. IV, No. 6, December 2003

    IT Contingency Planning & Business Continuity


    An accepted European ICT certification standard

    promoted by CEPIS

    (Council of European Professional Informatics Societies)


    UPGRADE is the European Journal for the Informatics Professional, published bimonthly at

    Publisher

    UPGRADE is published on behalf of CEPIS (Council of European Professional Informatics Societies, ) by NOVÁTICA, journal of the Spanish CEPIS society ATI (Asociación de Técnicos de Informática). UPGRADE is also published in Spanish (full issue printed, some articles online) by NOVÁTICA, and in Italian (abstracts and some articles online) by the Italian CEPIS society ALSI and the Italian IT portal Tecnoteca. UPGRADE was created in October 2000 by CEPIS and was first published by NOVÁTICA and INFORMATIK/INFORMATIQUE, bimonthly journal of SVI/FSI (Swiss Federation of Professional Informatics Societies, ).

    Editorial Team

    Chief Editor: Rafael Fernández Calvo, Spain
    Associate Editors: François Louis Nicolet, Switzerland; Roberto Carniel, Italy

    Editorial Board

    Prof. Wolffried Stucky, CEPIS Past President
    Fernando Piera Gómez and Rafael Fernández Calvo, ATI (Spain)
    François Louis Nicolet, SI (Switzerland)
    Roberto Carniel, ALSI - Tecnoteca (Italy)

    English Editors:

    Mike Andersson, Richard Butchart, David Cash, Arthur Cook, Tracey Darch, Laura Davies, Nick Dunn, Rodney Fennemore, Hilary Green, Roger Harris, Michael Hird, Jim Holder, Alasdair MacLeod, Pat Moody, Adam David Moss, Phil Parkin, Brian Robson.

    Cover page designed by Antonio Crespo Foix, © ATI 2003

    Layout: Pascale Schürmann

    E-mail addresses for editorial correspondence:, or

    E-mail address for advertising correspondence:

    Upgrade Newslist available at

    Copyright

    © NOVÁTICA 2003. All rights reserved. Abstracting is permitted with credit to the source. For copying, reprint, or republication permission, write to the editors.

    The opinions expressed by the authors are their exclusive responsibility.

    ISSN 1684-5285

    Vol. IV, No. 6, December 2003

    2 Editorial
    UPGRADE, the European Informatics Journal of CEPIS
    Jouko Ruissalo, President of CEPIS

    The recently appointed President of CEPIS describes the latest achievements of UPGRADE, reaffirms the commitment of CEPIS to UPGRADE, and transmits to all the readers his best wishes for a fruitful 2004.

    Joint issue with NOVÁTICA *

    3 Presentation
    IT Contingency Plans: More than Technology
    Roberto Moya-Quiles and Stefano Zanero

    The guest editors present the issue, explaining what Information Technologies Contingency Plans are and mean, looking not only into their technological aspects but also into the business continuity and regulatory ones, since computer and network infrastructures are becoming increasingly important for the normal operation of organizations and for the development of our Information Societies as a whole.

    6 Empirical Study of the Evolution of Computer Security and Auditing in Spanish Companies
    Francisco-José Martínez-López, Paula Luna-Huertas, Francisco J. Martínez-López, and Luis Martínez-López

    The authors offer us the fruits of their research into medium size and large enterprises, which although it was conducted in Spain is to a large extent equally applicable to other countries.

    12 Information Systems Auditing of Business Continuity Plans

    Agatino Grillo

    With particular reference to the financial sector, the author describes how Continuity Plans are not only a corporate requirement in as much as service continuity is vital to business, but are also gradually becoming a legal requirement.

    17 Business Continuity Controls in ISO 17799 and COBIT

    José-Fernando Carvajal-Vión and Miguel García-Menéndez

    This article includes a detailed comparison between the two most important standards in the world for controlling business continuity from the ICT perspective.

    24 Implementation of a Contingency Plan Audit

    Marina Touriño-Troitiño

    The author advocates the need for ICT contingency plans to be audited as well, given the important role they play in guaranteeing business continuity.

    26 Public Initiatives in Europe and the USA to Protect against Contingencies in Information Infrastructures
    Miguel García-Menéndez and José-Fernando Carvajal-Vión

    This article shows the importance that public institutions give to the uninterrupted working of their information infrastructures which are key to the economic and social life of developed countries by describing US and European government plans in this regard.

    30 Business Continuity and IT Contingency Planning in the Mobile Telephony Industry
    Miguel-Andrés Santisteban-García

    This article reviews Business Continuity Plans in the mobile operator industry, where the rapid growth of the telecommunication industry has meant that non-customer focused processes, in particular network protection and availability, have often been neglected.

    32 ICT Contingency Plans and Regulatory Legislation of e-Commerce and Data Protection
    Paloma Llaneza-González

    The author explains that any ICT Contingency Plan must take into consideration applicable legal and regulatory requirements, and analyses Spanish regulations in the fields of e-Commerce and Data Protection, which are very similar to those of other EU countries, all of them being based on the same European Directives.

    39 Information Technologies and Privacy Protection in Europe

    David D'Agostini and Antonio Piva

    The authors give their assessment of European Directive 95/46/EC on Protection of Personal Data, with special emphasis on spamming, a phenomenon which poses an ever increasing threat to the correct functioning of the Internet.

    42 Legal Analysis of a Case of Cross-border Cyber-crime

    Nadina Foggetti

    Based on a practical case, in this article the author reveals in a detailed way how the divergence of legislations governing system and network intrusions opens up legal loopholes for technological criminals.

    52 The European Network and Information Security Agency (ENISA) Boosting Security and Confidence
    Erkki Liikanen

    The author, member of the European Commission, responsible for Enterprise and the Information Society, closes the issue proclaiming that security and continuity of ICT resources must be preserved because they are vital for the progress of our Information Society, and explains the role that ENISA will play in this respect.

    * This monograph will be also published in Spanish (full issue printed; summary, abstracts and some articles online) by NOVÁTICA, journal of the Spanish CEPIS society ATI (Asociación de Técnicos de Informática) at , and in Italian (online edition only, containing summary, abstracts and some articles) by the Italian CEPIS society ALSI and the Italian IT portal Tecnoteca at .

    IT Contingency Planning & Business Continuity

    Guest Editors: Roberto Moya-Quiles and Stefano Zanero

    Next issue (January 2004): Wireless Networks


    Editorial

    UPGRADE, the European Informatics Journal of CEPIS

    As most of our readers will already know, this digital journal is an initiative of CEPIS (Council of European Professional Informatics Societies, ), an organisation founded in 1989, bringing together 36 professional informatics societies throughout 32 European countries, and representing more than 200,000 ICT professionals.

    UPGRADE was created in October 2000 as a result of a decision on the part of CEPIS to complement the existing publications of its member societies with a European-wide journal providing a valuable source of updated knowledge via articles written by recognised experts.

    Three years on, UPGRADE has made some very significant steps forward and, while it is still far from realizing all of its potential, our journal can already boast some outstanding achievements. I will especially highlight three facts:

    1. By the end of the current year, nearly 650,000 articles in PDF from the 19 issues published so far will have been accessed. The journal has been visited most from European countries, with Italy being the most frequent visitor, though other continents have also been significantly represented.

    2. According to the info provided by the US company SEVENtwentyfour Inc., specialised in Internet rankings, and also according to data collected from our own research, the UPGRADE site is amongst the top ones listed by some of the main search engines when searching for the significant string "european informatics journal". More specifically, UPGRADE is ranked as number 1 in Google, Lycos and All the Web, number 2 in MSN Search and Hotbot, number 4 in Yahoo, and number 5 in AOL.

    3. The UPGRADE Newslist, a non-automated, non-commercial list the purpose of which is to distribute relevant news about our digital journal such as publication of new issues, calls for papers, etc., has reached almost 1,000 subscribers since its creation in February 2003.

    As we bring this year to a close, as president of CEPIS appointed at the Council meeting held in Budapest last November I would like to reaffirm the commitment of CEPIS (and especially its new Executive Committee) to UPGRADE, in order to ensure the journal's continuing progress.

    Thanks also go to our multinational Editorial Team for all their hard work; to the Spanish CEPIS society ATI (Asociación de Técnicos de Informática) and its journal NOVÁTICA for providing the means and infrastructure for the operation of UPGRADE; to the English language editors who ensure idiomatic correctness in a multilingual environment; and to a large number of authors and guest editors for their generosity in sharing their knowledge and expertise with the tens of thousands of annual visitors to our website .

    Last but not least, special thanks must also go to my predecessor, Prof. Wolffried Stucky, during whose tenure UPGRADE was born as a result of his vision and efforts.

    Finally, let me wish all the readers of UPGRADE a fruitful 2004.

    Jouko Ruissalo

    President of CEPIS

    CEPIS, Council of European Professional Informatics Societies, is a non-profit organisation seeking to improve and promote high standards among informatics professionals in recognition of the impact that informatics has on employment, business and society.

    CEPIS unites 36 professional informatics societies over 32 European countries, representing more than 200,000 ICT professionals.

    CEPIS promotes


    Presentation

    IT Contingency Plans: More than Technology

    Roberto Moya-Quiles and Stefano Zanero

    1 Introduction

    IT Contingency Plans have become one of the common concerns of all organisations, especially those of a certain size, medium to large, which, like practically every organisation these days, base their business processes on information systems and technologies. The scope of these plans, which in the past were often erroneously considered as being the sole responsibility of the operations section of Data Processing Centres (largely due to the negligence or ignorance of the management of the enterprises), has undergone a major evolution and they are now an integral part of Business Recovery Plans and Business Continuity Plans.

    Nevertheless, the basic conceptual aims of Contingency Plans have remained unchanged over the years: assessment of specific risks, response time to a wide range of incidents, tolerance to data loss and to the time service is degraded, reliability of processes with regard to transaction and information integrity in the event of interruptions or incidents, synchronization and backup of data, cost of implementing and maintaining the plan, etc. SLA (Service Level Agreement) contracts with Backup Services, and Service Continuity using outsourced technology and communications suppliers, are also becoming increasingly important.

    However, the many and far-reaching changes in available technologies have been shaping these plans and making them harder to implement, due to the need to take into account a huge and ever growing number of details for each particular application configuration and architecture. Furthermore, regulations at a number of different levels are adding their requirements to these plans. There are not only Directives and Regulations, but also sectorial rules, the most important of which come from the financial sector, such as the Bank for International Settlements in Basle () and the US Federal Reserve, or the Fed as it is popularly known ().

    2 Three Scenarios

    We can break down the kind of situations currently emerging into at least three typical scenarios:

    1. In the first scenario, data processing centres make their backup copies in duplicate and keep one of the copies in a purpose built outsourced centre at an appropriately secure site. The most important obligation of the contract (Service Level Agreement) signed with the Alternative Centre service provider is basically that of restoring the copies stored in the purpose built outsourced centre and restarting services when required. This scenario is typical of centres dealing mostly with batch processes.

    2. A second scenario consists of adding permanent communication to the alternative centre via lines (VLANs, Internet, ISDN, etc.), thereby keeping the most critical databases up to date and enabling a faster response for services involving communication, as tends to be reflected in the contract.

    3. Finally, the third scenario could be the use of multiplatform disk technology with direct connection by optical fibre between the two centres, something which is not always possible as limitations imposed by distance may mean that the backup centre faces similar risks to the one it is backing up, for example natural disasters. This scenario is the one which is best suited to responding to serious incidents in major operational centres with front-end web services.

    Roberto Moya-Quiles is a Doctor of Physical Sciences, specialising in Computational Science, and is also a graduate in Computer Science and a CISA (Certified Information Systems Auditor) auditor. He has 34 years' experience in a variety of managerial roles in the field of Information Systems (IT management, consulting, training, security and control, auditing, and computer applications, etc.) in major computer manufacturing and software companies as well as energy supply enterprises. He takes part as a speaker in seminars and participates in forums related to Information Technology Security in private institutions and in public universities. He is on the Sub-Committee of ISO/IEC SC 27 (Security Techniques for Information Technology) and coordinates the IT Security Interest Group (GISI, ) of the Spanish CEPIS society ATI (Asociación de Técnicos de Informática).

    Stefano Zanero has an MSc in Computer Engineering, and graduated cum laude from the Politecnico di Milano school of engineering, with a BSc thesis on the development of an Intrusion Detection System based on unsupervised learning algorithms. He is currently a Ph.D. student in the Dipartimento di Elettronica e Informazione of the same university. Among his current research interests, besides Intrusion Detection Systems, are the performances of security systems and behaviour engineering techniques. He is a member of the IEEE (Institute of Electrical and Electronics Engineers) and the ACM (Association for Computing Machinery). He is Information Security Analyst for IDG Corporation, and as such has participated in national and international conferences. He is the author of the weekly Security Manager's Journal on Computer World Italy, and has recently been awarded a journalism award. In addition, he has experience as a network and information security consultant.


    The subject we are dealing with in this issue contains a long list of references, which has doubtless grown as a result of the fateful events of September 11, 2001 (as a search by Google or Altavista will confirm), as has the bibliography related to both draft plans and the resulting plans themselves. The main sources are computer manufacturers and specialist consultancy firms. At this juncture we should perhaps mention the Spanish MAGERIT methodology which provides a model for drawing up a Recovery Plan (available at ).

    In order to draw up a plan and put it in place, the choice of which solution to implement depends unquestionably on the services available (both in terms of processes and communications) at each geographical location, since although we may live in a global world, clearly services are not the same all over the world, neither in terms of availability, quality, nor price. The great many small details that need to be taken into account, some apparently trivial (such as where to keep the keys to the cupboard where the safety copies are kept, changing the passwords on a real production machine after it has been tested, and so on and so forth) together with others which are not so simple (such as nominating the people authorised to give the order to put the plan into action or test it), should lead us to the conclusion that testing is an absolute necessity, however much it costs.

    With regard to the frequency of testing, the standard answer is "once a year is not enough and twice is too much", but in any event, it is advisable to carry out a test whenever alterations are made either to the configuration of the architecture or to the applications themselves. Our long experience in this field has shown us that one of the advantages of having an annual test of the plan is that it becomes incorporated naturally into the culture of an organization's staff. User area managers and software developers alike take major contingencies and the testing itself into consideration when working on their designs.

    As professionals working in this trade know only too well, changes invariably tend to suffer from teething troubles, so there is a natural reluctance to make more than a bare minimum of changes to the day to day operational procedures, especially in the case of the alternative centres.

    Finally we should bear in mind that no test can be a 100% faithful replica of the real situation since it is simply not feasible to carry out a TOTAL test, given the major disruption such a test would cause the organization. For this reason, so as not to harm real services, only certain applications and places are chosen, times outside the normal working day are used, segments of network are isolated by changing DNS addresses, etc. Testing, therefore, could be said to have an asymptotic nature, in that it is a necessary requirement but there is never quite enough of it.

    3 The Content of this Monograph

    Bearing in mind all the above we asked several European experts on the matter (Spanish and Italian) to let us have their points of view, covering a limited but significant cross section of some of the most interesting aspects of the subject, including the legal aspect.

    In their article "Empirical Study of the Evolution of Computer Security and Auditing in Spanish Companies", Francisco-José Martínez-López, Paula Luna-Huertas, Francisco J. Martínez-López and Luis Martínez-López offer us the fruits of their research into medium size and large enterprises, which although it was conducted in Spain is to a large extent equally applicable to other countries.

    Agatino Grillo contributes with his article "Information Systems Auditing of Business Continuity Plans" in which, with particular reference to the financial sector, he describes how these plans are not only a corporate requirement in as much as service continuity is vital to business, but are also gradually becoming a legal requirement.

    The detailed comparison between the two most important standards in the world for controlling business continuity from the ICT perspective is the aim of the article "Business Continuity Controls in ISO 17799 and COBIT" by José-Fernando Carvajal-Vión and Miguel García-Menéndez.

    "Implementation of a Contingency Plan Audit" is the title of Marina Touriño-Troitiño's contribution in which she advocates the need for ICT contingency plans to be audited as well, given the important role they play in guaranteeing business continuity.

    The article "Public Initiatives in Europe and the USA to Protect against Contingencies in Information Infrastructures", again by Miguel García-Menéndez and José-Fernando Carvajal-Vión, shows the importance that public institutions give to the uninterrupted working of their information infrastructures which are key to the economic and social life of developed countries by describing US and European government plans in this regard.

    "Business Continuity and IT Contingency Planning in the Mobile Telephony Industry", by Miguel-Andrés Santisteban-García, reviews Business Continuity Plans in the mobile operator industry, where the rapid growth of the telecommunication industry has meant that non-customer focused processes, in particular network protection and availability, have often been neglected.

    Paloma Llaneza-González's article "ICT Contingency Plans and Regulatory Legislation of e-Commerce and Data Protection" is based on the fact that any ICT contingency plan must take into consideration applicable legal and regulatory requirements, and analyses Spanish standards which are very similar to those of other EU countries, all of them being based on the same European Directives.

    In "Information Technologies and Privacy Protection in Europe", David D'Agostini and Antonio Piva give us their assessment of European Directive 95/46/EC on Protection of Personal Data, with special emphasis on spamming, a phenomenon which poses an ever increasing threat to the correct functioning of the Internet.


    "Legal Analysis of a Case of Cross-border Cyber-crime" is by Nadina Foggetti, who, analysing a practical case, reveals in full detail how the divergence of legislations governing system and network intrusions opens up legal loopholes for technological criminals.

    The monograph finishes with an article written by Erkki Liikanen, member of the European Commission, responsible for Enterprise and the Information Society; in "The European Network and Information Security Agency (ENISA) Boosting Security and Confidence" he proclaims that security and continuity of ICT resources must be preserved because they are vital for the progress of our Information Society.

    And we would like to finish this presentation by thanking all the authors for their collaboration in the hope that their work, and the work of the editors of UPGRADE and NOVÁTICA, will be of interest and use to readers of both journals.


    Empirical Study of the Evolution of Computer Security and Auditing in Spanish Companies

    Francisco-José Martínez-López, Paula Luna-Huertas, Francisco J. Martínez-López, and Luis Martínez-López

    In this paper we present a series of statistics with which we aim to obtain a better understanding of the real situation of Spanish companies in regard to such matters as Security and IT Auditing, in the hope that this data will serve as a useful reference for future work in greater depth on these issues. The main purpose of this work is to obtain statistically significant data to work with, since there have been few studies capable of supporting our empirical data. We conducted our research in two periods of time, 1992 and 2002, in order to see how the analysed variables had evolved. A total of 851 companies collaborated, broken down into different groups.

    Keywords: Information Systems, IT Audit, IT Security, Enterprise, Evolution, Statistics.

    1 Introduction: Research into Security and IT Audit

    Security and IT Audit are factors that are becoming more and more important in an environment where dependence on computers and telematics is increasing, to the extent that we feel it would be more appropriate to call the subject "security and auditing of info-communications".

    The subject has, in fact, already seen a number of name changes, from Electronic Data Processing Audit (EDPA), focused on the physical media, to the one which is perhaps the most appropriate for our Information Age, Security and Audit of Information Systems (SAIS). The most important and pioneering association was founded in 1969 as the EDP Auditors Association (EDPAA) but later its name evolved into its current one: the Information Systems Audit and Control Association (ISACA, ).

    The importance of this issue has given rise to an abundance of business and IT literature, though neither the academic nor the business world has yet paid it the same degree of attention as it has to other more developed matters such as Information Systems (IS) or other factors related to business computerisation.

    As can be seen in Table 1, in the early 80s such literature accounted for an important percentage of all research into IS around the world, though as time went by the subject lost popularity, and its weighting dropped as low as 1% in some years. However it is now once again gaining in importance, due


    Francisco-José Martínez-López is a full professor of the Universidad de Huelva, Spain, lecturing in Information Technologies, IT and Information Systems, in the Faculty of Business Sciences. He is a graduate and Doctor in Economic and Business Sciences (with a doctoral prize). He has lectured at several institutions at a master and doctorate level, and has lectured on 30 doctoral courses in various Spanish and American universities. He has been the director and chief researcher for a number of national and international scientific projects and has authored more than a hundred scientific papers. He is a member of the Spanish CEPIS society ATI (Asociación de Técnicos de Informática).

    Paula Luna-Huertas lectures in Information Systems at the Universidad de Sevilla, Spain. She holds a doctorate in Economic and Business Sciences. She has been guest lecturer and researcher at several universities (Lyon II, France; Vladivostok, Russia; Santa Fe, Argentina; etc.). She is Director of the ICT research group of the company GITICE. She has taken part in several business research projects at a domestic and European level. She has also worked in a consultancy and training capacity for a number of national and multinational companies. She is a member of the Spanish CEPIS society ATI (Asociación de Técnicos de Informática).

    Francisco J. Martínez-López is an assistant lecturer in marketing at the Universidad de Granada, Spain. He was awarded his DEA (Diplôme d'Études Approfondies) in marketing in 2001. He is currently writing his doctoral thesis in marketing at the Universidad de Granada. Among his main areas of interest are consumer behaviour on the Internet, consumer behaviour modelling and market research. He has also collaborated as a technical advisor on market research projects and he has authored chapters of books and contributions to international conferences organised by the Academy of Marketing Science and the International Association for Fuzzy-Set Management and Economy.

    Luis Martínez-López is a Doctor in Computer Science from the Universidad de Granada, Spain, and is a university lecturer in the Computer Science Department at the Universidad de Jaén, Spain. His current lines of research include linguistic preference modelling, fuzzy decision making, decision support systems, electronic commerce and computer aided learning. He has published in Soft Computing, Fuzzy Sets and Systems, IEEE Transactions on Systems, Man and Cybernetics, Part B: Cybernetics, International Journal of Uncertainty, Fuzziness and Knowledge-Based Systems, IEEE Transactions on Fuzzy Systems and Information Sciences.


    to the auditing of telematic systems and recent major security problems, especially Internet related ones, although by 2002 it had still only climbed back to 2.66%.

    Judging by the above results, the subject of Security and IT Audit has aroused some scientific interest, albeit a little late, but it still requires a greater number of empirical academic works, since at the moment these are few and far between, use biased samples, and rarely yield statistically significant data. This is what prompted us to carry out our own research, the results of which we present in this article.

Research Methodology

In order to analyse the situation of Information Systems & Technologies in Spanish companies, we conducted a study into different groups of companies (see Tables 2 and 3 for further information on technical specifications). The first group (SEG92-E and SEG-E) comprises Spanish enterprises with an annual turnover of over a million Euros (SEG92-E = 134; SEG-E = 395). The second group (SEG-G = 91) is made up of large Spanish companies which either have high turnovers or are ranked in the top five of their respective sectors. A random sample was thus obtained from a list of 1,000 firms generated by combining those of higher turnover with the top five from each of the 66 economic sectors in the classification provided by the database from the Spanish market research firm Fomento de la Producción. This allowed us to collect data from companies leading in their respective sectors but not usually included in lists of major companies. If we had focused exclusively on the top 1,000 by turnover, the sample obtained would have been mainly made up of companies belonging to just a limited number of sectors such as energy or communications.

The third group of companies¹ (SEG-F) is made up of 44 financial institutions registered with the Bank of Spain, one fifth of the total number. This kind of enterprise was not analysed in the 1992 study.

A fourth group of companies, which was primarily used to test and validate the questionnaires and to fine tune the qualitative variables, was eventually used as a control group². They are actually all companies operating within the Spanish province of Huelva (SEG92-H = 92; SEG-H = 87).

Results Analysis

3.1 Analysis of the Evolution of Target Variables between 1992 and 2002³

The results from the 1992 study show us the relative importance given to computer security and they would appear to indicate that contingency plans or written guidelines were practically non-existent in all but some of the larger companies.

1. We wanted to include this type of enterprise in our study as they are not usually included in lists of companies.

2. This category is not used as it was in the fieldwork. This kind of company was primarily used as a control group to test the questionnaires. However, as they were mainly small firms, they have made it easier to analyse the effect of the size of companies on security and computer audits.

Year  | Security and IT Audit (1) | Information Systems (2) | (1)/(2) | Information Systems in title or abstract (3) | (1)/(3)
------|---------------------------|-------------------------|---------|----------------------------------------------|--------
1980  | 29  | 540   | 5.37%  | 326   | 8.90%
1981  | 32  | 275   | 11.64% | 477   | 6.71%
1982  | 40  | 475   | 8.42%  | 608   | 6.58%
1983  | 43  | 566   | 7.60%  | 700   | 6.14%
1984  | 55  | 894   | 6.15%  | 1027  | 5.36%
1985  | 52  | 1034  | 5.03%  | 1343  | 3.87%
1986  | 59  | 1109  | 5.32%  | 1558  | 3.79%
1987  | 46  | 1100  | 4.18%  | 1629  | 2.82%
1988  | 49  | 1503  | 3.26%  | 1750  | 2.80%
1989  | 11  | 1607  | 0.68%  | 1665  | 0.66%
1990  | 14  | 1818  | 0.77%  | 1770  | 0.79%
1991  | 26  | 1831  | 1.42%  | 2642  | 0.98%
1992  | 24  | 2054  | 1.17%  | 4774  | 0.50%
1993  | 45  | 2269  | 1.98%  | 5851  | 0.77%
1994  | 27  | 1910  | 1.41%  | 6299  | 0.43%
1995  | 30  | 2406  | 1.25%  | 7167  | 0.42%
1996  | 24  | 2297  | 1.04%  | 8462  | 0.28%
1997  | 33  | 2400  | 1.38%  | 8974  | 0.37%
1998  | 22  | 1577  | 1.40%  | 6942  | 0.32%
1999  | 13  | 1765  | 0.74%  | 8118  | 0.16%
2000  | 23  | 777   | 2.96%  | 5212  | 0.44%
2001  | 28  | 856   | 3.27%  | 4282  | 0.65%
2002  | 15  | 564   | 2.66%  | 3791  | 0.40%
Total | 740 | 31627 | 2.34%  | 85367 | 0.87%

Table 1: Articles on Security and IT Audit and Information Systems in the ABI/INFORM Database. (Source: own compilation.)

Group                    | SEG92-E                                                                 | SEG92-H
-------------------------|-------------------------------------------------------------------------|------------------------------------------------------------------
Universe                 | Spanish companies                                                       | Control group made up of smaller locally based companies
Target population        | Spanish companies with an annual turnover of more than a million Euros  | -
Sampling error           | +/- 0.1                                                                 | +/- 0.1
Confidence level         | 95.5%                                                                   | 95.5%
Hypothesis of parameters | P = Q = 0.5                                                             | P = Q = 0.5
Sample size              | 134                                                                     | 100
Sampling procedure       | Random Sampling                                                         | Random Sampling
Survey method            | Questionnaire by mail, telephone, fax, or personal interview            | Questionnaire by mail, telephone, fax, or personal interview

Table 2: Technical Specifications of the 1992 Study. (Source: own compilation.)


Similarly, the scenario with regard to IT Audit was similar to that of computer security, with just 26.12% of the companies having schemes in place (see Table 4). Where IT Audit did take place it was performed once a year by consultants brought in from outside, either people connected with the auditing of accounts or external IT auditors. The results from the control group, comprising less developed companies in terms of their adoption of computer technologies, show that IT Audit is conducted by slightly less than 10% of all those that have computerised their IS.

A decade later, in 2002, we can see there has been a change in both quantitative terms (the number of firms) and qualitative terms (the implementation of contingency plans). This is due to the presence of a series of factors which is causing companies to change the way they design, develop and use their IS. They may adopt an integrated approach and do everything internally, within the company itself, or they may decide to outsource part or all of those functions to outside specialists, a policy which places the IT function at the very eye of the outsourcing storm which is currently affecting organisations at practically every level. Among the issues affected are IT Audit, computer security, privacy, compatibility and outsourcing policies: in our article we focus on the first two.

3.2 Analysis of Computer Security (2002)

As we have commented previously, one of the main concerns of companies today with regard to their computer systems is how to guarantee the security of the various day to day processes on which their organizations are increasingly more dependent. This is doubtless one of the greatest challenges faced by IS professionals.

The importance of computer security can be clearly seen in Figure 1, which shows how companies consider it as a very important or essential issue.

Most companies (93.52%) give this issue an importance which varies from average to vital, there being relatively few companies that ignore this problem or consider it to be of little or no importance.

The same situation can be found for the largest companies, where more than a third (35.16%) consider this matter as vital for survival. Furthermore, there were no cases in which the importance of this problem was considered to be none, and just 1.10% of this group considered it to have not much importance.

However, it is the financial institutions which believe this issue to be the most pressing, as nearly half of them rate it as vital, and none of them thinks of it as something with not much importance or whose importance is none.

Finally, with regard to the case of companies belonging to the control group, this problem is viewed with less concern: 11.49% understand it to be something of not much importance and 3.45% think that its relevance is none. However, it should be noted that a third of the firms in this group give it a lot of importance, and 12.64% consider its solution to be vital.

Therefore, concern about computer security is ever more deeply rooted in organisational culture, since matters such as

3. This comparative analysis focused on the companies from which data was taken in both periods; that is to say, groups of ordinary and locally focused companies (SEG-E and SEG-H).

Group                    | SEG-E                                                                  | SEG-G                                                                                                         | SEG-F                                                                          | SEG-H
-------------------------|------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------|------------------------------------------------------------------
Universe                 | Spanish companies                                                      | Large Spanish companies                                                                                       | Spanish financial institutions                                                 | Control group made up of smaller locally based companies
Target population        | Spanish companies with an annual turnover of more than a million Euros | Spanish companies in the top five of their respective economic sectors, completed with those with the highest turnover | Financial institutions registered with the Bank of Spain                       | -
Sampling error           | +/- 0.05                                                               | +/- 0.01                                                                                                      | As the total number of institutions is not large, 1 out of 5 were sampled      | +/- 0.1
Confidence level         | 95.5%                                                                  | 95.5%                                                                                                         | -                                                                              | 95.5%
Hypothesis of parameters | P = Q = 0.5                                                            | P = Q = 0.5                                                                                                   | -                                                                              | P = Q = 0.5
Sample size              | 395                                                                    | 91                                                                                                            | 44                                                                             | 87
Sampling procedure       | Random Sampling                                                        | Random Sampling                                                                                               | Systematic Sampling                                                            | Random Sampling
Survey method            | Questionnaire by mail, telephone, fax, or personal interview           | Questionnaire by mail, telephone, fax, or personal interview                                                  | Questionnaire by mail, telephone, fax, or personal interview                   | Questionnaire by mail, telephone, fax, or personal interview

Table 3: Additional Technical Specifications of the 2002 Study. (Source: own compilation.)

Questions                                               | SEG92-E
--------------------------------------------------------|-----------------
Do you perform IT audits?                               | 26.12% (35/134)
How often?                                              |
  Annually                                              | 74.36%
  Not periodically                                      | 7.69%
  Biannually                                            | 12.82%
  More than once a year                                 | 5.13%
Who performs them?                                      |
  Members of the company                                | 37.04%
  Consultants connected with the auditing of accounts   | 40.74%
  External IT auditors                                  | 22.22%

Table 4: IT Audit (SEG92-E). (Source: own compilation.)


solutions for computer viruses or continuity of IS are issues that companies whose business processes depend on the use of Information and Communication Technologies (ICT) are facing every day. In fact this is so important that it has given rise to a new economic sector made up of a considerable number of businesses that depend on this activity⁴.

We were therefore interested to see whether the concern shown by companies with regard to this variable had prompted them to take specific action in the matter of computer security. In Figure 2 we can see that virtually all the companies have set up guidelines for computer security. Taking the companies by groups, 81.80% of the companies in group SEG-E, and almost all the large firms (SEG-G) and financial institutions (SEG-F) have chosen to adopt security measures of this type. In the group made up of smaller-sized firms, which, as we mentioned, showed little concern for these matters, 56.30% are now aware of this problem and have established appropriate security measures.

Given the importance of this issue, we do not believe it is enough merely to establish security guidelines: these rules should be drawn up explicitly in writing in the form of a contingency plan, something that has in fact already been done by nearly half the companies that had guidelines in place in the 2002 study. This percentage rises with regard to large companies and financial institutions, which have drawn up contingency plans in 79.12% and 84.09% of the cases respectively.

4. One particularly significant case is that of businesses focused on offering solutions for computer viruses. This sector is increasingly important and generates more than 5 billion Euros a year.

Figure 1: Comparative Analysis of the Importance Given to Computer Security. [Bar chart not reproduced: the importance of computer security, rated Vital, A lot, Average, Not much or None, plotted as percentages (0% to 60%) for the groups SEG-E, SEG-G, SEG-F and SEG-H.]

Figure 2: Extent of Explicit Establishment of Computer Security Guidelines and Contingency Plans. [Bar chart, 0% to 100%; data series as plotted:]

                    | SEG-E  | SEG-G  | SEG-F  | SEG-H
--------------------|--------|--------|--------|-------
Security guidelines | 81.80% | 98.90% | 95.50% | 56.30%
Contingency plans   | 45.06% | 79.12% | 84.09% | 16.09%


Nevertheless, contingency plans are still relatively uncommon among the small local organizations based in the Huelva region (16.09%).

3.3 Descriptive Analysis of IT Audit (2002)

The increasing dependence on ICTs and automated links between companies' IS has created a need for managers to know whether their systems will work as they are expected to, hence the need for IT Audits.

Results show that, with regard to the implementation of IT Audit, the size of the company is very important. 29.87% of the SEG-E type of Spanish companies have put IT audits in place, while around three quarters of the large companies and financial institutions (SEG-G and SEG-F) already have them in place (see Figure 3). Finally, as has been the norm in our study, the small firms group (SEG-H) have adopted IT Audit to a much lesser extent: slightly more than 10% of the group have taken the plunge.

We were also interested to know who, if anyone, performs IT audits. If we look at Table 5 we can see that audits are mainly performed by the companies themselves, with the exception of financial institutions, where 54.94% of firms carrying out this activity make use of external IT auditors.

Conclusions

As we said in the first part of this paper, our main aim was to obtain and analyse quantitative data to reveal the real situation of Spanish enterprises with regard to computer security and auditing, in order to provide a basis for more in-depth studies into these issues.

Nevertheless, we have been able to draw some conclusions from the data we have gathered, as they give us an important insight into the extent to which computer security and auditing have been adopted in Spain. The results indicate that the challenge has been taken up and met by the larger companies, but needs to be paid more attention to by small and medium-sized firms.

Computer security is thus one of the major concerns facing corporations with regard to IS and one of the most important challenges that organizations have to address on a day to day basis. This is evidenced by the fact that a large percentage of the companies in our study considered the solution to this potential problem to be of great importance or vital, while the number of companies giving it little or no importance was insignificant. More revealing still is the fact that it is the group of financial institutions who attach the greatest importance to this issue, as can be seen by the number of them who rate it as vital. As a result, four out of five companies in the SEG-E group, virtually all large firms and financial institutions, not to mention half of the small companies, had drawn up computer security guidelines. Given the importance of this issue, it is not enough just to set up security guidelines; companies need to draw up contingency plans. This has already been done by almost half the companies in the SEG-E group, almost all the large firms and financial institutions, and a sixth of small companies that have adopted guidelines.

The size of the company also plays an important role in the decision to introduce IT Audit procedures. Our results show that most large companies and financial institutions carry out

Figure 3: Extent of Adoption of IT Audit. [Bar chart, 0% to 80%; values as plotted: SEG-E 29.87%, SEG-G 76.92%, SEG-F 77.27%, SEG-H 13.79%.]

Type of IT Audit                                  | SEG-E  | SEG-G  | SEG-F  | SEG-H
--------------------------------------------------|--------|--------|--------|-------
IT auditors linked to the auditing of accounts    | 16.37% | 25.71% | 17.65% | 9.09%
Internal IT auditors belonging to the company     | 43.97% | 40.00% | 29.41% | 54.55%
External IT auditors                              | 39.66% | 34.29% | 52.94% | 36.36%

Table 5: Personnel Who Perform IT Audits. (Source: own compilation.)


this activity, while, for the other group of companies under study, only around a third of them adopt such procedures, and in the group of local small companies the figure is as low as 10%. With regard to who is responsible for performing audits, it would seem that they are mainly the responsibility of the companies themselves, except in the case of financial institutions, who tend to outsource it to external IT auditors. However, if we look at the evolution of IT Audit over time (considering only SEG-E type enterprises and small companies, for which data series were available for both years) we can see that the extent to which IT Audit has been introduced by either category of company has been almost insignificant. More attention therefore needs to be paid to this activity both from the viewpoint of businesses (users) and computer organizations (supply).

In conclusion, companies are already aware of the importance of this issue, but have not yet done everything in their power to address it.

Translation by Steve Turpin


Information Systems Auditing of Business Continuity Plans

Agatino Grillo

Business Continuity Planning (BCP) is a process to be governed by top management. BCP audit is a fundamental element of the IT governance process; it represents an independent assessment of IT for stakeholders, business partners and regulatory authorities. BCP audits are compulsory for financial institutions. In order to ensure a structured and auditable approach, a recognised BCP methodology should be adopted. This contribution introduces IS Auditing and explains the BCP approach based on the COBIT model, a general IT Governance framework developed by ISACA (Information Systems Audit and Control Association), with a special mention of the initiatives of important banking institutions in this regard.

Keywords: Business Continuity Planning (BCP), COBIT, IS Auditing, ISACA, IT Governance

Information Systems Auditing

Information Systems Auditing (ISA) analyses the corporate Information Technologies (IT) assets in order to measure the existing degree of control and to identify the potentially critical areas and risks. The analysis also defines the way to assure the desired control level. The activities include IT control evaluation at both system and application level; the former includes the Business Continuity Plan (BCP) of the firm.

ISA should be used to review BCPs because such plans are necessary to business and required by a growing number of regulations.

Enterprises such as financial institutions or government and public infrastructure agencies must face new and stringent regulations about business continuity planning. In Italy, for example, a new Personal Data Protection Code will enter into force on 1 January 2004 and it requires a high level of protection for business continuity and disaster recovery too¹.

In the following pages, BCP requirements for financial institutions will be explained and a BCP audit approach will be proposed.

BCP and Financial Institutions

In Italy the Banca d'Italia², in line with the guidelines laid down at international level following the events of 11 September 2001, has launched a series of initiatives aimed at verifying the ability of the Italian financial system to cope with disasters and to improve the operational security of the leading financial intermediaries and payment system infrastructure.

On the one hand the Banca d'Italia, in collaboration with ABI (Italian Banking Association), has required intermediaries found to have shortcomings to make the necessary adjustments over a reasonable time period. On the other hand it has released a consultation document indicating the minimum requirements that all intermediaries should satisfy and the higher standards to be met by those of systemic significance³.

In July 2003, the European System of Central Banks (ESCB)⁴ and the Committee of European Securities Regulators (CESR)⁵ published a document entitled Standards for securities clearing and settlement systems in the European Union

1. The Code consolidates all the various legal provisions so far regulating personal data protection in Italy; note that the safeguards afforded to all the entities involved have been enhanced further, in accordance with the policy followed ever since the 1996 Italian Data Protection Act (no. 675/1996) was promulgated. Finally, the Code transposes EC Directive 2002/58 into Italian law. For example, about business continuity the Code says: "Processing personal data by electronic means shall only be allowed if the minimum security measures are adopted to ensure (...) safekeeping backup copies and restoring data and system availability." Note that additional measures must be applied to processing of sensitive or judicial data to ensure data availability.

2. Banca d'Italia is the Italian supervisory authority of banks and the Italian member of the European System of Central Banks (ESCB).

3. Banca d'Italia, Ordinary general meeting of shareholders, May 2003, available online.

4. The European System of Central Banks (ESCB) is composed of the European Central Bank (ECB) and the national central banks (NCBs) of all 15 EU Member States. Eurosystem is the term used to refer to the ECB and the NCBs of the Member States which have adopted the euro.

Agatino Grillo (CISA, CISSP) is responsible for the e-security practice at Euros Consulting. Previously, he worked at Ernst & Young and Arthur Andersen as an IS auditor and IT Security consultant. He has more than 10 years of experience as an IT/IS consultant and IS auditor. He is a lecturer in e-business and security subjects at several national business conferences and business school seminars. He has published several articles and white papers about IS Auditing and IT Security; they are available online.


which aims to increase the safety, soundness and efficiency of securities clearing and settlement systems in the European Union.

The document contains many recommendations about BCP for financial institutions. For example: business continuity plans and backup facilities should be established to ensure, with a reasonable degree of certainty, timely business resumption with a high level of integrity and sufficient capacity; business continuity and disaster recovery arrangements should be tested on a regular basis and after major modifications to the system; adequate crisis management structures and contact lists (both at local and cross-border level) should be available in order to deal efficiently and promptly with operational failure that may have local or cross-border systemic consequences.

Finally, in July 2003 the Basel Committee⁶ of the Bank for International Settlements published its principles for electronic banking; principle number 13 declares "Banks should have effective capacity, business continuity and contingency planning processes to help ensure the availability of e-banking systems and services"⁷; the Committee underlines that banks should also ensure that periodic independent internal and/or external audits are conducted about business continuity and contingency planning.

A Structured and Auditable Approach

Business Continuity Management is therefore a critical component of any financial organisation. New legislation, shareholder expectations and investor requirements demand a solid business continuity plan as part of the global business process.

In order to ensure a structured and auditable approach, a recognised BCP methodology should be adopted. Nowadays there is a significant number of standards related to BCM: the most important have been developed by the Disaster Recovery International Institute (DRII), the Business Continuity Institute (BCI), the National Institute of Standards and Technology (NIST), and the Information Systems Audit and Control Association (ISACA)⁸.

All these organizations agree on the following minimal set of best practices when developing and implementing a business continuity management process:

- A BCP budget should be formalized and approved by senior management;
- Formal disaster declaration authorities, which will be responsible for implementing the continuity strategies in the event of a disaster or business interruption, should be identified;
- The organization should implement an incident management system or process for stabilizing, monitoring and recovering from a disaster or business interruption;
- The plan should be reviewed periodically and benchmarked against industry regulations and other organizations' processes.

In the following, ISACA's BCP audit approach will be explained; it is based on the COBIT model, a general IT Governance framework developed by ISACA.

ISACA

The Information Systems Audit and Control Association (ISACA) started in 1967 in the USA and today has more than 28,000 associates in IS auditing and IT Security related positions.

ISACA publishes IS auditing standards, a technical journal in the information control field (the Information Systems Control Journal) and hosts a series of international conferences focusing on both technical and managerial topics pertinent to the IS assurance, control, security and IT governance professions.

ISACA has local chapters in more than 60 countries worldwide; in Italy there are two chapters: Milan and Rome.

Last but not least, ISACA manages two professional certifications: the Certified Information Systems Auditor (CISA) and Certified Information Security Manager (CISM).

COBIT

Control Objectives for Information and related Technology (COBIT), now in its 3rd edition, is a framework developed by ISACA that helps organizations balance their risks vs. returns in an IT environment and ensure alignment of business needs with overall IT processes.

The COBIT mission is to research, develop, publicise and promote an authoritative, up-to-date, international set of generally accepted information technology control objectives for day-to-day use by business managers and auditors.

5. CESR is an independent Committee regrouping senior representatives from national public authorities competent in the field of securities; the Italian member of CESR is the Commissione Nazionale per le Società e la Borsa (CONSOB).

6. The Basel Committee, established by the central-bank Governors of the Group of Ten countries at the end of 1974, formulates broad supervisory standards and guidelines and recommends statements of best practice for financial institutions.

7. Risk management principles for electronic banking, Basel Committee Publications No. 98, July 2003, available online.

8. A complete review and comparison of these BCP approaches is available in: Business Continuity Management Standards: A Side-by-side Comparison, by Brian Zawada and Jared Schwartz, in Information Systems Control Journal, Volume 2, 2003.


    Figure 1: COBIT Framework.


Most of the components of COBIT are available in open standard format, available for complimentary download by the public.

COBIT is a business orientated framework that identifies 34 information technology processes, grouped in 4 domains, and is supported by 318 detailed control objectives (see Figure 1). Each one of the 34 processes references IT resources, and the quality, fiduciary and security requirements for information.

Further, the COBIT Management Guidelines are generic and action orientated for the purpose of addressing the following types of management concerns:

1. Performance measurement: What are the indicators of good performance?
2. IT control profiling: What is important? What are the critical success factors for control?
3. Awareness: What are the risks of not achieving our objectives?
4. Benchmarking: What do others do? How do we measure and compare?

The COBIT family of products is shown in Figure 2.

Maturity Models

For each of the 34 COBIT IT processes, there is an incremental measurement scale based on a rating of 0 through 5. The scale is associated with generic qualitative maturity model descriptions ranging from Non Existent to Optimised

Figure 2: COBIT Family of Products. [Diagram not reproduced; components shown: Executive Summary; Framework with High-Level Control Objectives; Implementation Tool Set (Executive Overview, Case Studies, FAQs, PowerPoint Presentations, Implementation Guide, Management Awareness Diagnostics, IT Control Diagnostics); Management Guidelines (Maturity Models, Critical Success Factors, Key Goal Indicators, Key Performance Indicators); Detailed Control Objectives; Audit Guidelines.]

Figure 3: COBIT Maturity Models. [Figure not reproduced.]


    derived by the Capability Maturity Models of the SoftwareEngineering Institute SEI9.

Whatever the model, the scales should not be too granular, as that would render the system difficult to use and suggest a precision that is not justifiable. In contrast, one should concentrate on maturity levels based on a set of conditions that can be unambiguously met (see Figure 3).

Against levels developed for each of COBIT's 34 IT processes, management can map:

- The current status of the organisation: where the organisation is today;
- The current status of (best-in-class in) the industry: the comparison;
- The current status of international standard guidelines: additional comparison;
- The organisation's strategy for improvement: where the organisation wants to be.

The high-level control objectives of COBIT are shown in Table 1.

9. The US Software Engineering Institute (SEI) is a federally funded research and development centre sponsored by the U.S. Department of Defense.

Planning & Organisation
  PO1   Define a strategic IT plan
  PO2   Define the information architecture
  PO3   Determine technological direction
  PO4   Define the IT organisation and relationships
  PO5   Manage the IT investment
  PO6   Communicate management aims and direction
  PO7   Manage human resources
  PO8   Ensure compliance with external requirements
  PO9   Assess risks
  PO10  Manage projects
  PO11  Manage quality

Acquisition & Implementation
  AI1   Identify automated solutions
  AI2   Acquire and maintain application software
  AI3   Acquire and maintain technology infrastructure
  AI4   Develop and maintain procedures
  AI5   Install and accredit systems
  AI6   Manage changes

Delivery & Support
  DS1   Define and manage service levels
  DS2   Manage third-party services
  DS3   Manage performance and capacity
  DS4   Ensure continuous service
  DS5   Ensure systems security
  DS6   Identify and allocate costs
  DS7   Educate and train users
  DS8   Assist and advise customers
  DS9   Manage the configuration
  DS10  Manage problems and incidents
  DS11  Manage data
  DS12  Manage facilities
  DS13  Manage operations

Monitoring
  M1    Monitor the processes
  M2    Assess internal control adequacy
  M3    Obtain independent assurance
  M4    Provide for independent audit

Table 1: COBIT High-Level Control Objectives.

1. IT Continuity Framework
2. IT Continuity Plan Strategy and Philosophy
3. IT Continuity Plan Contents
4. Minimising IT Continuity Requirements
5. Maintaining the IT Continuity Plan
6. Testing the IT Continuity Plan
7. IT Continuity Plan Training
8. IT Continuity Plan Distribution
9. User Department Alternative Processing Back-up Procedures
10. Critical IT Resources
11. Back-up Site and Hardware
12. Off-site Back-up Storage
13. Wrap-up Procedures

Table 2: BCP Specific Controls.


One of the high-level control objectives is focused on BCP: DS4, Ensure Continuous Service. DS4's objective is control over the IT process that ensures continuous service, to make sure IT services are available as required and to ensure minimum business impact in the event of a major disruption.

DS4 is enabled by having an operational and tested IT continuity plan which is in line with the overall business continuity plan and its related business requirements; the continuity plan should take into consideration:

- Criticality classification,
- Alternative procedures,
- Back-up and recovery,
- Systematic and regular testing and training,
- Monitoring and escalation processes,
- Internal and external organisational responsibilities,
- Business continuity activation, fallback and resumption plans,
- Risk management activities,
- Assessment of single points of failure,
- Problem management,
- Monitoring.

Finally, objective DS4 is translated into the 13 specific controls for the BCP shown in Table 2.

The first two items, for example, should be evaluated regarding the following:

1. IT Continuity Framework: information services function management is to create a continuity framework which defines the roles, responsibilities, the risk-based approach/methodology to be adopted, and the rules and structures to document the plan, as well as the approval procedures.
2. IT Continuity Plan Strategy and Philosophy: management should ensure that the information technology continuity plan is in line with the overall business continuity plan to ensure consistency. Furthermore, the information technology continuity plan should take account of the information technology long- and medium-range plans to ensure consistency. The disaster recovery/contingency plan should minimise the effect of disruptions.

The complete directory of specific controls is available in the Control Objectives document of COBIT10.

7 Conclusions

Business Continuity Planning (BCP) is a process to be governed by top management. This is important because an organisation needs first to define its planning objectives for business continuity. BCP audit is also a fundamental element of the IT governance process; it represents an independent assessment of IT for stakeholders, business partners and regulatory authorities.

Links

- Italian Data Protection Commission.
- Italy's New Personal Data Protection Code.
- Banca d'Italia.
- ABI, Italian Banking Association.
- ESCB, The European System of Central Banks.
- CESR, Committee of European Securities Regulators.
- CONSOB, Commissione Nazionale per le Società e la Borsa.
- The Basel Committee on Banking Supervision.
- BCI, The Business Continuity Institute.
- DRII, Disaster Recovery Institute International.
- DRJ, Disaster Recovery Journal.
- ISACA, Information Systems Audit and Control Association.
- NIST, National Institute of Standards and Technology.
- ISACA Milan chapter.
- ISACA Rome chapter.
- SEI, Software Engineering Institute.

Bibliography

- Ken Doughty. Business Continuity: A Business Survival Strategy. Information Systems Control Journal, Volume 1, 2002.
- Yusufali F. Musaji. Disaster Recovery and Business Continuity Planning: Testing an Organization's Plans. Information Systems Control Journal, Volume 1, 2002.
- Brian Zawada and Jared Schwartz. Business Continuity Management Standards: A Side-by-side Comparison. Information Systems Control Journal, Volume 2, 2003.

    10. , for registered users only.


Business Continuity Controls in ISO 17799 and COBIT

José-Fernando Carvajal-Viñón and Miguel García-Menéndez

In this article the sets of controls included in the two major codes of practice on Information Technology Security worldwide, which are needed to lay the foundations for the security policies that business continuity requires, are described and compared. In fact, Section eleven of the Code of Practice for Information Security Management, the ISO/IEC standard 17799, deals with aspects related to business continuity; similarly, the COBIT framework (Control Objectives for Information and Related Technology) for Information Systems (IS) Auditing sets out what an organization needs to bear in mind in order to achieve its business goals.

Keywords: Audit, CISA, COBIT, Contingency, Control Objectives, Disaster, Good Practices, Information Systems, ISO 17799, Security.

1 Introduction

Survival is one of the primary objectives of living beings. In a way a company, like a candle flame, could be compared to a living being if we apply, with a certain degree of artistic licence, the definition for living organisms that we learned at school: it is born, it grows, it reproduces and it dies. Looking at it in a simplistic way, reproduction can be seen as the transmission of the information we have. Death would then be the loss or lack of control over that information, which hopefully we have managed to transmit to those who will follow in our steps.

Nowadays, we understand that the success and survivability of organizations depends to a great extent on the effective administration of their information and, of course, on the Information Technology (IT) systems that support it: valuable assets that are important to safeguard and preserve.

We can achieve this safeguard by establishing the necessary objectives and control mechanisms for the information systems within our organization to allow us to preserve the most valuable aspects of our information: integrity, confidentiality and availability.

In order to implement a continuity plan it is necessary to establish a set of controls; this means that either we have to obtain them from the intrinsic knowledge we have of our business or we must adopt them from some existing standard or best practices in the industry sector. These controls must be endowed with the following properties [1]:

1. Valuable: that is, they are of genuine use to our business in accordance with good practices recognised in our industry.
2. Complete: they cover all the necessary areas.
3. Auditable: they can be defined and evaluated as to their compliance, effectiveness and efficiency.

Control sets of this kind can be found in the ISO/IEC 17799 [2] standard and in COBIT, Control Objectives for Information and related Technology [3]. By control and control objective we understand the following definitions provided by COBIT:

- Control: the policies, procedures, practices and organisational structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected.
- Control Objective: a statement of the desired result or purpose to be achieved by implementing control procedures within a particular IT activity.

Both sets of controls are auditable by means of their own audit procedures, are complete, or at least they tend towards completion, and they are also good practices that can be certified. In the worst of cases, if disaster should strike, they allow us to demonstrate that our work was done with due diligence and that any damage was not the result of deficient processes and/or a lack of security.

José-Fernando Carvajal-Viñón has a BSc degree in Biology, specializing in biochemistry, from the Universidad Autónoma de Madrid, Spain. He has taken post-graduate courses in Information Systems at the Universidad Carlos III de Madrid as part of his doctoral thesis in the field of computer immune systems. He has more than fourteen years' experience in information systems technologies, mainly in the energy sector, and is a Certified Information Systems Auditor (CISA) by ISACA (Information Systems Audit and Control Association), of which he has been a member since 2000. He is currently responsible for Information Systems Security at the company Soluziona. He is also a member of the Spanish Asociación de Técnicos de Informática (ATI) and of the Information Systems Auditors Association (ASIA), in which he participates actively in their respective Security Interest Groups.

Miguel García-Menéndez has a BSc degree in Computer Science from the Universidad de Oviedo (Gijón campus), Spain. From 1994 to 2000 he was head of the Software Engineering and Systems Dept. in the industrial process control firm Ensilectric, and in March 2000 he joined Schlumberger, where he currently works as an Information Security Management advisor, mainly serving organisations in the public sector. He is also a Certified Information Systems Auditor (CISA) and is a member of ISACA (Information Systems Audit and Control Association) and ASIA (Asociación de Auditores y Auditoría y Control de Sistemas y Tecnologías de la Información y las Comunicaciones), a Spanish Association of Information Systems Auditors, in which he acts as a member of the Security and Audit Standards Commission.

It should be stressed that neither set of controls refers only to business upsets classed as a Disaster Plan (Disaster Recovery), but rather they refer in a broader sense to multiple Continuity Plans (Business Continuity) which together make up a Disaster Plan [4]. For both it is necessary to establish a business continuity management process by which, depending on the magnitude of the event, we will activate different courses of action in our Disaster Plan.

For both standards the first thing we need to do is understand and evaluate business risks from the organization's point of view.

2 ISO/IEC 17799 Standard

The standard consists of 12 sections (including objectives and definitions), each of which has up to four levels of controls. There are 36 control objectives at the second level and a combined total of 127 at the third and fourth levels. Section eleven of this standard establishes as its objective "to counteract interruptions to business activities and to protect critical business processes from the effects of major failures or disasters". To achieve this goal it focuses on the establishment of a set of controls with the following objectives:

1. To implement a business continuity management process.
2. Risk/impact analysis.
3. Documentation and implementation of continuity plans.
4. To establish a single continuity framework assigning responsibilities: how, where and when.
5. Maintenance, testing and reappraisal of the plans.

The standard stresses the importance of developing a plan for the maintenance and recovery of business operations, though at no time does it mention servers. Thinking about servers as if they were business processes shows the lack of co-ordination and collaboration there is between the people in charge of information systems and the people responsible for the critical business processes involved.

3 COBIT

COBIT (Control Objectives for Information and related Technology) is a reference framework used as a basis for establishing a method of internal control over matters of a company's information technology and information systems. COBIT is based on the control objectives set out by the Information Systems Audit and Control Foundation (ISACF) and has been drawn up and developed using international technical, professional, regulatory and industry-specific standards as a basis. As in the case of the ISO standard, the resulting control objectives are considered to be good or best practices, i.e. they are agreed on by experts, applicable and generally accepted for the information systems of any company. Both COBIT and ISO 17799 tend to be pragmatic and to meet the needs of businesses, while being independent of the technological platform used by the organization.

The COBIT structure is based on the premise that, in order to provide the information necessary for an organization to achieve its business objectives, its IT resources must be managed by means of a set of naturally grouped processes. COBIT is a three-level hierarchy (domains, processes, and activities or tasks), with 4 domains in the uppermost level (Planning and Organization, PO; Acquisition and Implementation, AI; Delivery and Support, DS; and Monitoring, M). There are 34 control objectives in the middle (process) level, and 318 detailed control objectives in the lowest (task) level. It also provides an Audit Guideline for each of these 34 high-level control objectives to match the review of the organisation's existing IT processes against the recommended detailed control objectives, to provide management assurance and/or advice for improvement.

COBIT is designed to be used not only by users and auditors but also, and more importantly, as a general checklist for business process owners. In business nowadays, more and more responsibility is delegated to business process owners for every aspect of the business process. In particular, this includes the provision of suitable controls and tools to help business process owners to fulfil their responsibilities.

4 Control Objectives for Business Continuity

Table 1, shown at the end of this article and segmented into several pieces due to its large size, maps the business continuity controls of the ISO/IEC 17799 standard to those of COBIT. Whereas the standard specifies controls mainly in section eleven, COBIT spreads them across all its domains due to its marked business orientation. This is especially true of the control objectives for the risk evaluation (PO9) and business continuity assurance (DS4) processes, which belong to the Planning & Organisation and Delivery & Support domains respectively.

5 Conclusions

COBIT undoubtedly provides more control objectives (both organisational and technical) that are more widely applicable to the information systems of an organisation than those provided by the ISO 17799 standard, which leans more to the technical side of things, although it is also imbued with a certain business-oriented pragmatism.

As we see it, the control objectives specified by COBIT are closer to the organization, whereas the equivalent ISO standards are closer to the operational implementation of those objectives. We should consider both of them when designing and developing our company's continuity policy, in which some factors, such as organization size, budget, materials and, of course, the risks we are facing, will determine how rigidly and to what degree we implement these internal controls for our IT systems. These controls are also applicable to the newly emerging concept of survivability [5][6][7][8].

Finally, we would like to say that the task of implementing the two sets of controls in a business continuity plan is one to be performed jointly between IT management and technicians on the one hand, and business process owners on the other, and not by just one of them independently. The selection and implementation of controls must, therefore, be made by general consensus using any available risk evaluation methodology which enables business impact to be determined. Unfortunately, many organizations ignore or bypass this point, creating a gulf between information owners and managers, made worse by the lack of any risk evaluation methodology able to minimise it. Business continuity must be an integral part of a company's security policy and be kept up to date so as to be useful and effective.

References

[1] Philip L. Campbell. Survivability via Control Objectives. Position Paper for the 3rd IEEE Information Survivability Workshop (ISW-2000).
[2] Information Security Management, Code of Practice for Information Security Management. International Standard ISO/IEC 17799:2000.
[3] ISACA. COBIT: Control Objectives for Information and related Technology.
[4] Shon Harris. CISSP All-in-One Certification Exam Guide. McGraw-Hill Ryerson/Osborne, 2002.
[5] John C. Knight and Kevin J. Sullivan. Towards a Definition of Survivability.
[6] Survivability: A New Technical and Business Perspective on Security. Proceedings of the 1999 New Security Paradigms Workshop. Association for Computing Machinery, New York, 1999.
[7] Julia H. Allen and Carol A. Sledge. Information Survivability: Required Shifts in Perspective.
[8] Survivability: A New Security Paradigm.

Table 1: ISO/IEC 17799 vs. COBIT (1 of 8).

ISO 17799 control objectives                                    COBIT control objectives

A.11.1 Aspects of business continuity management
Control objective: To counteract interruptions to business activities and to protect critical business processes from the effects of major failures or disasters.

11.1.1 Business continuity management process
  - To assess and understand risks and their impact             PO9.1 Business Risk Assessment.
    on the business.
  - To establish an appropriate insurance policy.               PO9.6 Risk Acceptance.
  - To formulate and document a continuity strategy             DS4.1 IT Continuity Framework.
    appropriate to the business.                                DS4.2 IT Continuity Plan Strategy and Philosophy.
  - To formulate and document continuity plans                  DS4.3 IT Continuity Plan Contents.
    aligned with business strategy.
  - To test and update plans.                                   DS4.5 Maintaining IT Continuity Plan.
                                                                DS4.6 Testing IT Continuity Plan.
                                                                DS4.7 IT Continuity Plan Training.
  - To incorporate continuity management in business            DS4.1 IT Continuity Framework.
    processes and organization structures and assign            DS4.2 IT Continuity Plan Strategy and Philosophy.
    responsibilities for it.

COBIT control objectives referenced above:

PO9.1 Business Risk Assessment. Management should establish a systematic risk assessment framework that incorporates a regular assessment of the relevant information risks to the achievement of the business objectives. The process should provide for risk assessments updated regularly at both the global and the system-specific level.

PO9.6 Risk Acceptance. The risk assessment approach should ensure the formal acceptance of the residual risk, depending on risk identification and measurement, organisational policy, uncertainty incorporated in the risk assessment approach itself and the cost-effectiveness of implementing safeguards and controls. The residual risk should be offset with adequate insurance coverage, contractually negotiated liabilities and self-insurance.

DS4.1 IT Continuity Framework. IT management, in co-operation with business process owners, should establish a continuity framework which defines the roles, responsibilities and the risk-based approach/methodology to be adopted, and the rules and structures to document the continuity plan, as well as the approval procedures.

DS4.2 IT Continuity Plan Strategy and Philosophy. Management should ensure that the IT continuity plan is in line with the overall business continuity plan to ensure consistency. Furthermore, the IT continuity plan should take into account the IT long- and short-range plans to ensure consistency.
