Controles internos de segurança em banco de dados para certificação da Lei SOX

SILVEIRA, Kamilla Dória da

13 November 2015

Submitted by Irene Nascimento (irene.kessia@ufpe.br) on 2016-09-19T18:40:20Z No. of bitstreams: 2 license_rdf: 1232 bytes, checksum: 66e71c371cc565284e70f40736c94386 (MD5) Dissertação_Kamilla_Doria_v3 CD.pdf: 2299055 bytes, checksum: 917d4a23b010d4a6fcc6d29a00151c78 (MD5) / Made available in DSpace on 2016-09-19T18:40:20Z (GMT). No. of bitstreams: 2 license_rdf: 1232 bytes, checksum: 66e71c371cc565284e70f40736c94386 (MD5) Dissertação_Kamilla_Doria_v3 CD.pdf: 2299055 bytes, checksum: 917d4a23b010d4a6fcc6d29a00151c78 (MD5) Previous issue date: 2015-11-13 / Em resposta a uma série de escândalos por fraudes contábeis, o governo dos Estados Unidos criou a Lei Sarbanes-Oxley (SOX), em 30 de Julho de 2002. Esta lei visa responsabilizar os dirigentes de empresas em relação à eficácia de seus controles internos de TI e de negócio sobre a segurança e confiabilidade de seus dados contábeis. A avaliação desses controles é feita por meio de uma auditoria externa e do órgão regulador americano chamado SEC, o qual recomenda o uso do framework COSO para a implementação desses controles. No entanto, o COSO é um framework estratégico, ou seja, não oferece orientações para a implementação tática e operacional de controles, e principalmente não é comumente aplicado na área de TI, sendo normalmente aplicado na área de negócios. Tendo como escopo a área de segurança em banco de dados, e dado que o COSO não oferece detalhamento operacional para garantir o cumprimento da lei SOX nesta área, este trabalho propõe um guia de controles internos para este fim. O guia proposto baseia-se no COBIT 5 e na norma ISO 27002. Como prova de conceito do guia proposto, este foi utilizado como base para desenvolver a ferramenta SOXSecurity4DB, a qual foi usada em uma empresa multinacional do ramo de varejo, que havia contratado um projeto para garantir o cumprimento com a Lei SOX. Como resultado da aplicação da ferramenta, foi observado que alguns controles precisavam de ajuste, pois ainda haviam problemas para serem resolvidos. / Responding to a series of accounting fraud scandals, the American government created SOX Act, on July 30, 2002. This law aims at empowering business leaders regarding the effectiveness of their internal IT controls and business on the safety and reliability of its accounting data. The evaluation of these controls is done by an external audit and the American regulatory body called SEC which recommends using the COSO framework for the implementation of these controls. Considering the database security scope, and that in this scope, COSO does not provide operational details to ensure compliance with the SOX law, this paper proposes a guide of internal controls for this purpose. The proposed guide is based on the COBIT 5 and ISO 27002. As the proposed standard guide proof of concept, this was used as a basis to develop SOXSecurity4DB tool, which was used in a multinational company in the retail business, which had hired a project to ensure compliance with the SOX Act. As a result of application of the tool, it was observed that some controls needed adjustment, because there were still problems to be solved.

COBIT. ISO 27002. Auditing. Database

Best practices for implementing multiple concurrent IT frameworks (CMMI, ITIL, Six-Sigma, CobiT and PMBOK)

Harryparshad, Nirvasha

20 August 2012

This research report aims to provide an insight into the implementation of multiple concurrent IT frameworks, and how to best implement each of the chosen frameworks resulting in a hybrid of best practices for implementing multiple concurrent IT frameworks

IT frameworks

CMMI

ITIL

Six-Sigma

CobiT

PMBOK

Best practices for implementing multiple concurrent IT frameworks (CMMI, ITIL, Six-Sigma, CobiT and PMBOK)

Harryparshad, Nirvasha

20 August 2012

This research report aims to provide an insight into the implementation of multiple concurrent IT frameworks, and how to best implement each of the chosen frameworks resulting in a hybrid of best practices for implementing multiple concurrent IT frameworks

IT frameworks

CMMI

ITIL

Six-Sigma

CobiT

PMBOK

Dodávka informatických služeb - technologické a procesní zajištění dostupnosti a kontinuity služeb ve vazbě na podnikání a sjednané parametry služeb. / Information Service Delivery - IT Service Continuity Managment

Lipčák, Peter

January 2009

This thesis deals with the aspects of managing the business continuity by the methodologies of ITIL and Cobit. The main thesis objective is to find out if there exists one general aplicable solution of the business continuity managment process based on the relative approach comparison and integration of both methodologies and afterwards to define this general solution. The secondary thesis objective is to try to specify the problem issue, which is not covered neither one of those methodologies and then integrate it into this general solution. The purpose of first chapter is to analyze and generally describe the business continuity managment area, its relation with IT Service Managment, to define all key issue terms and to give a best practice review dealing with this field. In the following chapters there is a detailed look at the concrete individual approaches of metodics ITIL and Cobit to the area of business continuity managment. The final chapter deals with approach comparison of both methodologies based on by author defined key fields as target group, enterprise type, terminology, mature models, metrics, concept and relative mapping of relevant points. The chapter provides the general complex solution guideline of this issue by simultaneous implementation of both methodologies as well. This is the main contribution of this work. The next contribution consists in the definition of irrational employee behaviour problem during disaster and its integration to this general guidelines.

Information technology governance frameworks in higher education in South Africa : a paradigm shift / Elsabe Botha

Botha, Elsabe

January 2012

Good corporate governance has, in recent years, been placed on centre stage worldwide and several frameworks have been put in place to enable organisations as well as higher education institutions to adhere to effective IT governance with regards to IT service delivery and support. At the same time, demand from users for access to corporate resources with their own personal devices other than desktop or laptop computers and options such as cloud computing, social media and mobility have converged into a renewed driving force influencing all IT decisions regarding service delivery and support, whilst higher education institutions attempt to comply with governance regulations. The aim of this study was to investigate whether ITIL as an IT governance framework is still applicable and relevant to a changed service delivery context in IT service delivery departments in the higher education sector in South Africa. Higher education in South Africa has not been excluded from adhering to good governance and the draft Regulations for Reporting by Higher Education Institutions have been updated with the recommendations of King III which, for the first time, addressed IT governance and insisted on management to implement an IT governance framework. ITIL is one of the most widely used governance frameworks, however its position as a technology on the Gartner Hype Cycles for Education for 2011 and 2012 displayed a move backwards from being widely understood to a display of waning interest amongst institutions in the education sector worldwide. Exploratory research found that ITIL is still valued as a governance framework in higher education in South Africa however staff members in IT support departments displayed a resistance to change and also found it difficult to implement ITIL processes. This is, however, not primarily due to a changing IT service delivery context. Findings also indicated that ITIL should be considered as a set of guidelines and best practices and not a governance framework as such. Recommendations towards a paradigm shift regarding ITIL as a governance framework per se as well as a proposal towards a possible alternative conceptual IT governance framework incorporating only ITIL guidelines and best practices as well as COBIT for risk management were put forward. / Thesis (MBA)--North-West University, Potchefstroom Campus, 2013

ITIL

COBIT

IT governance

King III

Higher education

Information technology governance frameworks in higher education in South Africa : a paradigm shift / Elsabe Botha

Botha, Elsabe

January 2012

Good corporate governance has, in recent years, been placed on centre stage worldwide and several frameworks have been put in place to enable organisations as well as higher education institutions to adhere to effective IT governance with regards to IT service delivery and support. At the same time, demand from users for access to corporate resources with their own personal devices other than desktop or laptop computers and options such as cloud computing, social media and mobility have converged into a renewed driving force influencing all IT decisions regarding service delivery and support, whilst higher education institutions attempt to comply with governance regulations. The aim of this study was to investigate whether ITIL as an IT governance framework is still applicable and relevant to a changed service delivery context in IT service delivery departments in the higher education sector in South Africa. Higher education in South Africa has not been excluded from adhering to good governance and the draft Regulations for Reporting by Higher Education Institutions have been updated with the recommendations of King III which, for the first time, addressed IT governance and insisted on management to implement an IT governance framework. ITIL is one of the most widely used governance frameworks, however its position as a technology on the Gartner Hype Cycles for Education for 2011 and 2012 displayed a move backwards from being widely understood to a display of waning interest amongst institutions in the education sector worldwide. Exploratory research found that ITIL is still valued as a governance framework in higher education in South Africa however staff members in IT support departments displayed a resistance to change and also found it difficult to implement ITIL processes. This is, however, not primarily due to a changing IT service delivery context. Findings also indicated that ITIL should be considered as a set of guidelines and best practices and not a governance framework as such. Recommendations towards a paradigm shift regarding ITIL as a governance framework per se as well as a proposal towards a possible alternative conceptual IT governance framework incorporating only ITIL guidelines and best practices as well as COBIT for risk management were put forward. / Thesis (MBA)--North-West University, Potchefstroom Campus, 2013

ITIL

COBIT

IT governance

King III

Higher education

Audit informačního systému v obchodní společnosti / Information system audit in a wholesale company

Smetana, Jan

January 2017

The thesis deals with information system audit in a company. The main goal is to compile the final report of information system audit in the small company which is engaged in wholesale distribution of goods. The necessary elements for the fulfillment of the main goal are collecting knowledges about available methods and procedures of auditing, planning and processing the audit. The final audit report contains a number of identified deficiencies with recommendations for their elimination. The benefit of this thesis is a list of these recommendations that could be applied by the company to get the working processes more effective.

Možnosti hodnocení kvality informačních systémů / Assessment of Information systems quality

Weberová, Pavla

January 2009

This thesis is engaged in Information Systems quality, because the accent on quality is present trend. In this thesis is defined the term of "Quality of Information System" and the most important standards are described. Further the ways of quality assessment -- certification and audit are put near. The procedure of the quality audit is proposed. Also this thesis containes patterns of the checklists for the quality audit

Řízení informační bezpečnosti v metodikách ITIL a Cobit / IT security management by the ITIL and COBIT methodologies

Štolbová, Milena

January 2008

IT security management is one of the essential processes in the company. This thesis deals with aspects of managing the IT security by the methodology of ITIL and COBIT. First part is focused on covering the IT security, defining the terms and concept necessary for indicating the impact of the IT security breach, the common threads which the company needs to resist and stance of methodology ITIL, COBIT and ISO/IEC 27002:2005 for managing the IT security and its specifics. In the following chapter there is a sentencious look at the structure of methodology of COBIT and more detailed depiction of COBIT Security Baseline document. The next chapter defines the methodology of ITIL, briefly compares the ITIL v2 and ITIL v3 versions, and what is more, comes up with structured view into the document of Security management which details the concept of IT security management within the company by the ITIL standards. The main thesis objective located in the last chapter is to compare the main features of both methodologies, the range of their aplicability within the company, and which is the most important, comparing them in the field of managing the IT security.

Metodiky řízení informatických procesů / IT processes management methodics

Řenč, Leoš

January 2008

This thesis deals with the IT processes management methodics, their comparison in terms of content, aim and support offered during implementation, employee training and in terms of international recognition and spread among businesses. The thesis also deals with mutual methodics relation and their respective use in business practice. The first part includes the characteristics of individual methodics and their basic concepts and relations description. The possible future development trend and the spread of individual methodics in selected countries are also mentioned in this section. The following part deals with the possibilities of certification and training for all mentioned methodics and methodics support during implementation. The current offer state of the training and IT processes management methodics support in the Czech Republic is characterized there. Contribution of these first two parts is arranged comparison of methodics to defined criteria of comparison. The final part is aimed at practical application of IT management methodics in their interrelationship. It contains raw analysis of the use of individual methodics at Česká pojišťovna and the consequent detailed analysis of the selected IT processes. Following proposals for the optimization are made for processes which were detail analyzed. This is the main contribution of this work according to following update of selected IT processes.The current valid approaches to these problems in Česká pojišťovna as well as expected future development are described in this section as well.