Overview of Frameworks: COBIT, COSO, ITIL, ISO, and more
Jennifer F. Alfafara, CISA, Consultant


Frameworks vs Standards

What is a Framework?

Main Entry: frame·work
Pronunciation: \frām-wərk\
Function: noun
Date: 1578

1 a: a basic conceptional structure (as of ideas) <the framework of the United States Constitution> b: a skeletal, openwork, or structural frame
2: frame of reference
3: the larger branches of a tree that determine its shape

What is a Standard?

Standard - a rule or principle that is used as a basis for judgment

GAAP (FASB) – Generally Accepted Accounting Principles (Financial Accounting Standards Board)
IFRS (IASB) – International Financial Reporting Standards (International Accounting Standards Board)
PCAOB (Public Company Accounting Oversight Board) Auditing Standards
ISO/IEC 27000 (International Organization for Standardization/International Electrotechnical Commission)

Then, what is HIPAA considered?

HIPAA (American Health Insurance Portability and Accountability Act 1996) is a “Guideline”.

More on HIPAA later….

Why have frameworks been developed?

Lack of alignment between business practices and technology
Provide guidance to corporate management to ensure they are in compliance with regulatory requirements

Why adopt a framework?

Regulatory requirement
Business requirement
Best in class

What is a Control Framework?

Control Framework - A recognized system of control categories that covers all internal controls expected in an organization.

Control Framework

To be comprehensive, the framework must:

1. Provide a favorable control environment
2. Provide for the continuing assessment of risk
3. Provide for the design, implementation, and maintenance of effective control-related policies and procedures
4. Provide for the effective communication of information
5. Provide for the ongoing monitoring of the effectiveness of control-related policies and procedures as well as the resolution of potential problems identified by controls

SEC on Frameworks

“The COSO Framework satisfies our criteria and may be used as an evaluation framework for purposes of management's annual internal control evaluation and disclosure requirements. However, the final rules do not mandate use of a particular framework, such as the COSO Framework, in recognition of the fact that other evaluation standards exist outside of the United States, and that frameworks other than COSO may be developed within the United States in the future, that satisfy the intent of the statute without diminishing the benefits to investors."

Control Frameworks

COSO
COBIT 4.1
ITIL
ISO/IEC 27002 (Actually a Standard)
ISO/IEC 27799 (Guidelines for 27002)

COSO - Committee of Sponsoring Organizations

COSO

COSO - Committee of Sponsoring Organizations of the Treadway Commission

COSO is a U.S. private-sector initiative, formed in 1985.

COSO: Who are the Sponsors?

1. American Institute of Certified Public Accountants (AICPA)
2. American Accounting Association (AAA)
3. Financial Executives Institute (FEI)
4. The Institute of Internal Auditors (IIA) and
5. The Institute of Management Accountants (IMA).

COSO Major Objectives

COSO's main objectives are to assist organizations regarding:

1) effectiveness and efficiency of operations;
2) reliability of financial reporting;
3) compliance with applicable laws and regulations.

COSO and Healthcare

Internal control tools developed by COSO in 1992 and by the Department of Health and Human Services (HHS) Office of the Inspector General (OIG) highlight the importance of the internal audit function in detecting and preventing violations. Tightened internal controls have helped fight Medicare and Medicaid abuse.

Medicare Losses

1996: $23 Billion
1999: $12 Billion – an improvement; however, $12 Billion still demands attention
Much of these losses can be attributed to abuse, fraud, and inefficiencies.

COSO (1992) Internal Control Framework

Five Components:
Monitoring
Information & Communication
Control Activities
Risk Assessment
Control Environment

COSO (2004) Enterprise Risk Management Framework

This COSO ERM framework defines essential components, suggests a common language, and provides clear direction and guidance for enterprise risk management.

Eight Components:
Internal Environment
Objective Setting
Event Identification
Risk Assessment
Risk Response
Control Activities
Information & Communication
Monitoring

COSO Components

Internal Environment
Encompasses the tone of an organization and sets the basis for how risk is viewed and addressed by an entity’s people, including risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate.

Objective Setting
Objectives must exist before management can identify potential events affecting their achievement.

Event Identification
Internal and external events affecting achievement of an entity’s objectives must be identified, distinguishing between risks and opportunities.

Risk Assessment
Analysis of risk
Consideration of likelihood and impact
How risks should be managed

Risk Response
Avoid Risk
Accept Risk
Reduce Risk
Share Risk

Control Activities
Policies and procedures are established and implemented.

Information and Communication
Relevant information is identified, captured, and communicated in a form and timeframe that enable people to carry out their responsibilities.

Monitoring
The entirety of enterprise risk management is monitored and modifications made as necessary.

Financial vs Technical Issues

Okay, that addresses issues related to “Finance”; what about other Frameworks and Standards in Healthcare?

HIPAA Title II

Focused on Preventing Healthcare Fraud and Abuse; Administrative Simplification; Medical Liability Reform

Title II provides for the enactment of five rules.

HIPAA Title II Rules

Privacy Rule
Transactions and Code Sets Rule
Security Rule
Unique Identifiers Rule (National Provider Identifier)
Enforcement Rule

HIPAA & Technology

Challenges for Information Technology (IT):
Transactions and Code Sets
Privacy
Security Rules

Transactions & Code Sets (X12 Transactions)

These transactions and code sets relate to EDI (Electronic Data Interchange).
EDI – the structured transmission of data between organizations by electronic means.
There are 11 defined code sets.

Transactions & Code Sets (X12 Transactions)

• EDI Health Care Claim Transaction Set (837)
• EDI Retail Pharmacy Claim Transaction (835)
• EDI Benefit Enrollment and Maintenance Set (834)
• EDI Payroll Deducted and other group Premium Payment for Insurance Products (820)
• EDI Health Care Eligibility/Benefit Inquiry (270)
• EDI Health Care Eligibility/Benefit Response (271)
• EDI Health Care Claim Status Request (276)
• EDI Health Care Claim Status Notification (277)
• EDI Health Care Service Review Information (278)
• EDI Functional Acknowledgement Transaction Set (997)

Privacy Rule

It establishes regulations for the use and disclosure of Protected Health Information (PHI). PHI is any information held by a covered entity which concerns health status, provision of health care, or payment for health care that can be linked to an individual.

Security Rule

Lays out three types of security safeguards required for compliance:

Administrative – Policies and Procedures
Physical – Access to Protected Data
Technical – Access to Computers that store and manage protected data

Obeying the “Rules”

Implement Control Frameworks that facilitate compliance with the “Rules”:

COBIT
ITIL
ISO/IEC 27002
ISO 27799

COBIT - Control Objectives for Information and Related Technology

COBIT

The Control Objectives for Information and related Technology (COBIT) is a set of best practices (framework) for information technology (IT) management created by the Information Systems Audit and Control Association (ISACA), and the IT Governance Institute (ITGI) in 1992.

COBIT 4.1, the most current version, was released in 2007.

COBIT

What COBIT provides:
A set of generally accepted measures
Indicators
Processes
Best practices?

COBIT Structure

Covers four domains:
1. Plan and Organize (PO)
2. Acquire and Implement (AI)
3. Deliver and Support (DS)
4. Monitor and Evaluate (ME)

COBIT

Plan and Organize covers:
the use of information & technology
how best it can be used in a company to help achieve the company’s goals and objectives.
It also highlights the organizational and infrastructural form IT is to take in order to achieve the optimal results and to generate the most benefits from the use of IT.

Acquire and Implement covers:
Identification of IT requirements,
Acquisition of technology, and
Implementation within the company’s current business processes.

Delivery and Support covers:
The delivery aspects of the information technology
The execution of the applications within the IT system and its results
The support processes that enable the effective and efficient execution of these IT systems. These support processes include security issues, training, Help Desk, and backup & recovery.

Monitor and Evaluate:
Deals with a company’s strategy in assessing the needs of the company
Determines whether or not the current IT system still meets the objectives for which it was designed
Identifies the controls necessary to comply with regulatory requirements.
Deals with the issue of an independent assessment of the effectiveness of the IT system in its ability to meet business objectives and the evaluation of the company’s control processes by internal and external auditors.

COBIT, COSO & SOX

The most referenced control frameworks for SOX and FIEL (Financial Instruments and Exchange Law – aka “JSOX”)
Not all COBIT controls apply to ICFR (Internal Controls over Financial Reporting)
COBIT “Lite”

COBIT “Lite”

IT Control Objectives for Sarbanes-Oxley

ITIL

The five ITIL V3 volumes

ITIL

ITIL is published in a series of books, each of which covers an IT management topic.
ITIL gives a detailed description of a number of important IT practices with comprehensive checklists, tasks and procedures that any IT organization can tailor to its needs.
ITIL has been mapped to COBIT, but reporting requirements are not the same.

ITIL Structure

ITIL v3, published in May 2007, comprises 5 key volumes:

1. Service Strategy
2. Service Design
3. Service Transition
4. Service Operation
5. Continual Service Improvement

ITIL

ITIL is owned and maintained by the UK Office of Government Commerce (OGC).

The names ITIL and IT Infrastructure Library are registered trademarks of the OGC.

ISO/IEC 27002:2005 (actually a ‘Standard’)

ISO/IEC

• ISO (International Organization for Standardization) is the world's largest developer and publisher of International Standards.

• IEC (International Electrotechnical Commission) is the international standards and conformity assessment body for all fields of electrotechnology.

ISO 27002

The standard comprises two parts:

Part 1: ISO/IEC 17799
• Contains guidance and explanatory information
• Formally published as ISO/IEC 27002 Code of Practice for Information Security Management

Part 2: (British Standard) BS7799 / ISO 27001
• Provides a model that can be used by businesses to set up and run an effective Information Security Management System (ISMS)
• Formally published as ISO/IEC 27001 Information Security Management Systems - Requirements

ISO 17799

This is essentially the set of security controls: the measures and safeguards for potential implementation. After the introduction, scope, terminology and structure sections, the remainder of ISO/IEC 17799 specifies control objectives categorized into 11 main sections to protect information assets against threats to their confidentiality, integrity and availability.

ISO 17799 Security Controls

Security Policy
Organization of Information Security
Asset Management
Human Resources
Physical and Environmental Security
Communications and Operations Management
Access Control
Information Systems Acquisition, Development and Maintenance
Information Security Incident Management
Business Continuity Management
Compliance

ISO 27001

This is the ‘specification’ for an Information Security Management System (ISMS). It is the means to measure, monitor and control security management from the top-down perspective. It explains how to apply ISO 17799.

ISO 27001

Defined as a six-part process:
1. Define a security policy
2. Define the scope of the ISMS
3. Undertake a risk assessment
4. Manage the risk
5. Select control objectives and controls to be implemented
6. Prepare a statement of applicability

ISO 27002

Healthcare Challenges:
ISO 27002 is extremely difficult to implement for large units
Compliance scopes that cover no more than two to three sites, or approximately 50 staff, or approximately ten processes have been found to work very well.

ISO 27799:2008

Health informatics - Information security management in health using ISO/IEC 27002

ISO 27799

This International Standard provides guidance to healthcare organizations and other custodians of personal health information on how best to protect the confidentiality, integrity and availability of such information by implementing ISO/IEC 27002.

ISO 27799

Health information security
Practical Action Plan for Implementing ISO 17799/27002
Healthcare Implications of ISO 17799/27002
Threats
Tasks and documentation of the ISMS
Potential benefits and tool attributes

Relationships Between Standards & Regulations

(Diagram: HIPAA, ISO 17799, BS7799, COBIT & ITIL)

Remember: ISO 17799 and BS 7799 are ISO 27002

Questions?

For More Information:

Jennifer F. Alfafara
Consultant
Resources Global Professionals
jalfafara@resources-usa.com

Thank you!