
Overview of Frameworks: COBIT, COSO, ITIL, ISO, and more

Jennifer F. Alfafara, CISA
Consultant
Frameworks vs Standards

What is a Framework?

Main Entry: framework
Pronunciation: \ˈfrām-ˌwərk\
Function: noun
Date: 1578
1 a: a basic conceptional structure (as of ideas) <the framework of the United States Constitution> b: a skeletal, openwork, or structural frame
2: frame of reference
3: the larger branches of a tree that determine its shape
What is a Standard?

Standard - a rule or principle that is used as a basis for judgment
GAAP (FASB) Generally Accepted Accounting Principles (Financial Accounting Standards Board)
IFRS (IASB) International Financial Reporting Standards (International Accounting Standards Board)
PCAOB (Public Companies Accounting Oversight Board) Auditing Standards
ISO/IEC 27000 (International Organization for Standardization/International Electrotechnical Commission)
Then, what is HIPAA considered?

HIPAA (American Health Insurance Portability and Accountability Act 1996) is a Guideline.

More on HIPAA later.
Why have frameworks been developed?

Lack of alignment between business practices and technology
Provide guidance to corporate management to ensure they are in compliance with regulatory requirements
Why adopt a framework?

Regulatory requirement
Business requirement
Best in class
What is a Control Framework?

Control Framework - A recognized system of control categories that covers all internal controls expected in an organization.
Control Framework

To be comprehensive, the framework must:
1. Provide a favorable control environment
2. Provide for the continuing assessment of risk
3. Provide for the design, implementation, and maintenance of effective control-related policies and procedures
4. Provide for the effective communication of information
5. Provide for the ongoing monitoring of the effectiveness of control-related policies and procedures as well as the resolution of potential problems identified by controls
SEC on Frameworks

"The COSO Framework satisfies our criteria and may be used as an evaluation framework for purposes of management's annual internal control evaluation and disclosure requirements. However, the final rules do not mandate use of a particular framework, such as the COSO Framework, in recognition of the fact that other evaluation standards exist outside of the United States, and that frameworks other than COSO may be developed within the United States in the future, that satisfy the intent of the statute without diminishing the benefits to investors."
Control Frameworks

COSO
COBIT 4.1
ITIL
ISO/IEC 27002 (Actually a Standard)
ISO/IEC 27799 (Guidelines for 27002)
COSO
Committee of Sponsoring Organizations

COSO - Committee of Sponsoring Organizations of the Treadway Commission

COSO is a U.S. private-sector initiative, formed in 1985.
COSO
Who are the Sponsors?

1. American Institute of Certified Public Accountants (AICPA)
2. American Accounting Association (AAA)
3. Financial Executives Institute (FEI)
4. The Institute of Internal Auditors (IIA) and
5. The Institute of Management Accountants (IMA).
COSO Major Objectives

COSO's main objectives are to assist organizations regarding:
1) effectiveness and efficiency of operations;
2) reliability of financial reporting;
3) compliance with applicable laws and regulations.
COSO and Healthcare

Internal control tools developed by the COSO in 1992 and by the Department of Health and Human Services (HHS) Office of the Inspector General (OIG) highlight the importance of the internal audit function in detecting and preventing violations.

Tightened internal controls have helped fight Medicare and Medicaid abuse.
Medicare Losses

1996: $23 Billion
1999: $12 Billion (an improvement; however, $12 Billion still demands attention)

Much of these losses can be attributed to abuse, fraud, and inefficiencies.
COSO (1992)
Internal Control Framework

Five Components:
Control Environment
Risk Assessment
Control Activities
Information & Communication
Monitoring
COSO (2004)
Enterprise Risk Management Framework

This COSO ERM framework defines essential components, suggests a common language, and provides clear direction and guidance for enterprise risk management.
COSO (2004)
Enterprise Risk Management Framework

Eight Components:
Internal Environment
Objective Setting
Event Identification
Risk Assessment
Risk Response
Control Activities
Information & Communication
Monitoring
COSO Components
Internal Environment

Encompasses the tone of an organization and sets the basis for how risk is viewed and addressed by an entity's people, including risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate.
COSO Components
Objective Setting
Objectives must exist before management
can identify potential events affecting their
achievement.

COSO Components
Event Identification

Internal and external events affecting achievement of an entity's objectives must be identified, distinguishing between risks and opportunities.
COSO Components
Risk Assessment
Analysis of risk
Consideration of likelihood and impact
How risks should be managed

COSO Components
Risk Response
Avoid Risk
Accept Risk
Reduce Risk
Share Risk

COSO Components
Control Activities
Policies and procedures are established and
implemented.

COSO Components
Information and Communication

Relevant information is identified, captured, and communicated in a form and timeframe that enable people to carry out their responsibilities.
COSO Components
Monitoring

The entirety of enterprise risk management is monitored and modifications made as necessary.
Financial vs Technical Issues

Okay, that addresses issues related to Finance; what about other Frameworks and Standards in Healthcare?

HIPAA Title II

Focused on Preventing Healthcare Fraud and Abuse; Administrative Simplification; Medical Liability Reform

Title II provides for the enactment of five rules.
HIPAA Title II Rules
Privacy Rule
Transactions and Code Sets Rule
Security Rule
Unique Identifiers Rule (National Provider
Identifier)
Enforcement Rule

HIPAA & Technology
Challenges for Information Technology (IT)
Transactions and Code Sets
Privacy
Security Rules

Transactions & Code Sets (X12 Transactions)

These transactions and code sets relate to EDI (Electronic Data Interchange).
EDI is the structured transmission of data between organizations by electronic means.
There are 11 defined code sets.
Transactions & Code Sets (X12 Transactions)

EDI Health Care Claim Transaction Set (837)
EDI Retail Pharmacy Claim Transaction (835)
EDI Benefit Enrollment and Maintenance Set (834)
EDI Payroll Deducted and Other Group Premium Payment for Insurance Products (820)

Transactions & Code Sets Rule (continued)

EDI Health Care Eligibility/Benefit Inquiry (270)
EDI Health Care Eligibility/Benefit Response (271)
EDI Health Care Claim Status Request (276)
EDI Health Care Claim Status Notification (277)
EDI Health Care Service Review Information (278)
EDI Functional Acknowledgement Transaction Set (997)
Privacy Rule

It establishes regulations for the use and disclosure of Protected Health Information (PHI). PHI is any information held by a covered entity which concerns health status, provision of health care, or payment for health care that can be linked to an individual.
Security Rule

Lays out three types of security safeguards required for compliance:
Administrative - Policies and Procedures
Physical - Access to Protected Data
Technical - Access to Computers that store and manage protected data
Obeying the Rules

Implement Control Frameworks that facilitate compliance with the Rules:
COBIT
ITIL
ISO/IEC 27002
ISO 27799
COBIT
Control Objectives for Information and Related Technology

The Control Objectives for Information and related Technology (COBIT) is a set of best practices (framework) for information technology (IT) management created by the Information Systems Audit and Control Association (ISACA), and the IT Governance Institute (ITGI) in 1992.

COBIT 4.1, the most current version, was released in 2007.
COBIT
What COBIT Provides:
A set of generally accepted measures
Indicators
Processes
Best practices?

COBIT Structure

Covers four domains:
1. Plan and Organize (PO)
2. Acquire and Implement (AI)
3. Deliver and Support (DS)
4. Monitor and Evaluate (ME)
COBIT
Plan and Organize covers:

The use of information & technology and how best it can be used in a company to help achieve the company's goals and objectives.
Also highlights the organizational and infrastructural form IT is to take in order to achieve the optimal results and to generate the most benefits from the use of IT.
COBIT
Acquire and Implement covers:

Identification of IT requirements,
Acquisition of technology, and
Implementation within the company's current business processes.
COBIT
Delivery and Support covers:

The delivery aspects of the information technology
The execution of the applications within the IT system and its results
The support processes that enable the effective and efficient execution of these IT systems. These support processes include security issues, training, Help Desk, and backup & recovery.
COBIT
Monitor and Evaluate:

Deals with a company's strategy in assessing the needs of the company
Determines whether or not the current IT system still meets the objectives for which it was designed
Identifies the controls necessary to comply with regulatory requirements
Deals with the issue of an independent assessment of the effectiveness of the IT system in its ability to meet business objectives and the evaluation of the company's control processes by internal and external auditors
COBIT, COSO & SOX

The most referenced control frameworks for SOX and FIEL (Financial Instruments and Exchange Law, aka JSOX)
Not all COBIT controls apply to ICFR (Internal Controls over Financial Reporting)
COBIT Lite

COBIT Lite

IT Control Objectives for Sarbanes-Oxley
ITIL

The five ITIL V3 volumes

ITIL is published in a series of books, each of which covers an IT management topic.
ITIL gives a detailed description of a number of important IT practices with comprehensive checklists, tasks and procedures that any IT organization can tailor to its needs.
ITIL has been mapped to COBIT, but reporting requirements are not the same.
ITIL Structure

ITIL v3, published in May 2007, comprises 5 key volumes:
1. Service Strategy
2. Service Design
3. Service Transition
4. Service Operation
5. Continual Service Improvement
ITIL

ITIL is owned and maintained by the UK Office of Government Commerce (OGC).

The names ITIL and IT Infrastructure Library are registered trademarks of the OGC.
ISO/IEC 27002:2005
(actually a Standard)

ISO/IEC

ISO (International Organization for Standardization) is the world's largest developer and publisher of International Standards.
IEC (International Electrotechnical Commission) is the international standards and conformity assessment body for all fields of electrotechnology.
ISO 27002

The standard comprises two parts:

Part 1: ISO/IEC 17799
Contains guidance and explanatory information
Formally published as ISO/IEC 27002 Code of Practice for Information Security Management
ISO 27002

Part 2: (British Standard) BS7799 / ISO 27001
Provides a model that can be used by businesses to set up and run an effective Information Security Management System (ISMS)
Formally published as ISO/IEC 27001 Information Security Management Systems - Requirements
ISO 17799

This is essentially the set of security controls: the measures and safeguards for potential implementation.
After the introduction, scope, terminology and structure sections, the remainder of ISO/IEC 17799 specifies control objectives categorized into 11 main sections to protect information assets against threats to their confidentiality, integrity and availability.
ISO 17799
Security Controls

Security Policy
Organization of Information Security
Asset Management
Human Resources
Physical and Environmental Security
Communications and Operations Management
ISO 17799
Security Controls (cont)

Access Control
Information Systems Acquisition, Development and Maintenance
Information Security Incident Management
Business Continuity Management
Compliance
ISO 27001

This is the specification for an Information Security Management System (ISMS). It is the means to measure, monitor and control security management from the top down perspective. It explains how to apply ISO 17799.
ISO 27001

Defined as a six part process:
Define a security policy
Define the scope of ISMS
Undertake a risk assessment
Manage the risk
Select control objectives and controls to be implemented
Prepare a statement of applicability
ISO 27002
Healthcare Challenges:

ISO 27002 is extremely difficult to implement for large units.
Compliance scopes that cover no more than two to three sites or approximately 50 staff or approximately ten processes have been found to work very well.
ISO 27799:2008

Health informatics - Information security management in health using ISO/IEC 27002

ISO 27799

This International Standard provides guidance to healthcare organizations and other custodians of personal health information on how best to protect the confidentiality, integrity and availability of such information by implementing ISO/IEC 27002.
ISO 27799
Health information security

Practical Action Plan for Implementing ISO 17799/27002
Healthcare Implications of ISO 17799/27002
Threats
Tasks and documentation of the ISMS
Potential benefits and tool attributes
Relationships Between Standards & Regulations

HIPAA
ISO 17799
BS7799
COBIT & ITIL

Remember: ISO 17799 and BS 7799 are ISO 27002
Questions?

For More Information:
Jennifer F. Alfafara
Consultant
Resources Global Professionals
jalfafara@resources-usa.com
Thank you!