Monthly Archives: January 2016

The First Rule of Survival

The first rule of survival:
Don't Cross the Street Blindfolded

Companies spend money on the wrong things.

Commonly Stolen:
Personal Information
Credit Information
Medical Records
Intellectual Property
Customer/Partner Data
Network Credentials
Email Addresses/Passwords

The second rule of survival:
Diamonds vs. Toothbrush

Risk Mitigation: Pre-Planning
What's Most Important?
Banking Credentials
Cloud Storage
Vendor Access
Remote Management
Employee PII
Credit Information
Medical Records
Social Media Presence
Intellectual Property
Customer Data
Supply Chain Data
Network Credentials
Email Addresses
Legal Data
Financial Records
Payroll and Accounting Data

The third rule of survival:
Don't Go to Costco the Day of the Storm

Risk Mitigation: Response

Risk Mitigation: Compliance

Risk Mitigation: Insurance

Risk Mitigation: Exercise

The fifth rule of survival:
It's best to solve the problem with the simplest method.

Data Breach: When it's not a drill

There are two kinds of companies in America: those who've been breached and those who don't know they've been breached.
FBI Director James Comey

Contract Rider

[Rider revised as of 26 November 2012. The confidentiality terms stated in this Rider are required in any contract with a vendor who processes credit card information, primarily names and credit card numbers, on behalf of Harvard in connection with credit card transactions. If the vendor provides no other services, this Rider will generally be sufficient. If the vendor provides any other services involving credit card information or other HRCI, the contract must also include the terms of the Rider for the Protection of Personally Identifiable Information. Please delete this head note before transmitting.]

Contract Rider:
Requirements for the Protection of Credit Card Data

Effective as of _____________, this Rider is added to and incorporated as part of the [name of Agreement] (in this Rider, the “Agreement”), dated as of _____________, between [identify Harvard party] (in this Rider, “Harvard”) and [identify consultant] (in this Rider, “Consultant”). In the event of any conflict between the terms of this Rider and the Agreement, the terms of this Rider shall govern.

"PCI Data" is comprised of cardholder account numbers, security codes and personal identification (PIN) numbers, and any other categories of data subsequently identified by the PCI Security Standards Council, LLC as being subject to the then current version of the Payment Card Industry ("PCI") Data Security Standard (together with any successor or other applicable PCI standards, the "PCI Standard"), the contemporaneous version of which is available through the following URL: https://www.pcisecuritystandards.org.

Consultant acknowledges that it is responsible for the security of PCI Data that Consultant receives from or processes on behalf of Harvard.

In addition to complying with other provisions of the Agreement requiring the protection of confidential information, the Consultant shall at all times during the term of the Agreement comply with all applicable provisions of the PCI Standard with respect to PCI Data to which Consultant is provided access pursuant to the Agreement.

Consultant represents and warrants that it has been certified as “PCI Compliant” by a PCI Security Standards Council approved “Qualified Security Assessor” (QSA) and that it shall maintain such designation during the term of the Agreement. Without limiting the foregoing, Consultant represents and warrants that it has in place, and shall maintain in place for as long as it has possession of or access to PCI Data, a system for transmission, reception, storage and use of such PCI Data that complies with the PCI Standard from time to time in effect. 

Consultant shall use PCI Data obtained pursuant to the Agreement only for completing transactions and performing other obligations as called for by the Agreement, providing fraud control services and for uses specifically required by law, but not for marketing purposes. 

In the event of an actual or suspected breach of security regarding PCI Data obtained pursuant to the Agreement, Consultant shall immediately notify Harvard and cooperate with the investigative actions of PCI, PCI’s card brand members, Harvard and/or its affiliates, and any appropriate law enforcement entity.
Consultant agrees to provide Harvard on request the results of any SSAE 16 audit (Type I or Type II) of Consultant’s services (but Consultant is not obliged hereby to conduct such an audit).

Data Center Colocation Services

House your valued IT assets
Secure and reliable environment
Managed Service Options
Customer Managed
EarthLink Managed
Multiple Access Methods
EarthLink Private MPLS Network
Carrier Neutral
IPsec

Data Center Colocation Services
Tier 4 and 3 data centers, SSAE 16, SOC 2 audited with 99.999% uptime guarantee
Scalable infrastructure based on need
Secure operations with 24/7/365 monitoring, monitored access, employee background checks
High reliability with redundant cooling, power, filtering, and interconnected 10 Gig networks
Business mobility with secure access from anywhere
SSAE 16, SOC 2 Enterprise Class Data Center
Colocation Availability – Current

Colocation available
Rochester, NY
Marlborough, MA
Colocation Availability – Future
Colocation Packages
Managed Colocation Service Levels
Data Center Colocation Benefits
SSAE 16, SOC 2 certification to help you meet industry security compliance requirements
Protect your network infrastructure assets
Fully managed options to reduce your complexity
Flexible scalable space options
Direct access to EarthLink Private MPLS network
99.999% uptime guarantee to keep your business running
Disaster Recovery and Backup protection minimizes risk from natural and man-made disasters

Drivers For Assurance

COBIT 5 for Assurance 1. Understand the drivers, benefits and target audiences from an assurance perspective.
Drivers for Assurance
The main drivers for assurance in its different forms include:
Providing interested parties substantiated opinions on governance and management of enterprise IT as per assurance objectives
Defining assurance objectives in line with enterprise objectives, thus maximising the value of assurance initiatives
Satisfying regulatory or contractual requirements for enterprises to provide assurance over their IT arrangements

To achieve these aims, the COBIT 5 for Assurance professional guide:
Provides guidance on how to use the COBIT 5 framework to establish and sustain assurance provisioning and an assurance function for the enterprise
Provides a structured approach on how to provide assurance over enablers (all of COBIT 5's defined enablers, e.g., processes, information, organisational structures)
Illustrates the structured approach with a number of concrete examples of assurance programmes

Benefits of the Guidance
Assurance providers can rely on the consistency, structure, context and vocabulary of the COBIT 5 framework and its related products.
If assurance professionals base their reviews on the same framework as that used by business and IT managers who are improving value of IT for the enterprise, everyone involved will be using a common language and it will be easier to agree on and implement any necessary improvements to governance and management arrangements.
This guide can be used by the assurance professional for many different purposes, including:
Obtaining a view (based on COBIT 5 concepts such as the enablers) on current good practices on assurance
Learning how to use different COBIT 5 components and related concepts for planning, scoping, executing and reporting on various types of IT assurance initiatives
Obtaining a view of the extent to which the value objective of the enterprise (delivering benefits whilst optimising risk and resource use) is achieved
Target Audiences
The target audience for this publication is broad, and includes:
Assurance professionals at various governance and management layers
Boards and audit committees, as stakeholders who commission assurance activities
Business and IT management, as responsible parties
External stakeholders, including external auditors, regulators and customers
The intended audience for COBIT 5 for Assurance is extensive, as are the reasons for adopting and using the framework, and the benefits each group can find in it.
Assurance professionals also have specific standards to follow in providing their services. Section 5 of this presentation looks briefly at this aspect of assurance service provision.
COBIT 5 for Assurance 2. Understand the components of assurance activities.
Assurance Components
Three-party relationship
Subject matter
Suitable criteria
Execution
Conclusion
The assurance process (ties together the above components)
Scope of the Assurance Publication
In this publication, two perspectives on assurance are identified:
Assurance function perspective: Describes what is needed in an enterprise to build and provide assurance function(s). COBIT 5 is an end-to-end framework, meaning that it considers the provisioning and use of assurance as part of the overall governance and management of enterprise IT.
Assessment perspective: Describes the subject matter over which assurance needs to be provided. In this case, the subject matter is enterprise IT, which is described in ample detail in the COBIT 5 framework and COBIT 5: Enabling Processes and is therefore not covered in detail in the assurance guide itself.

Section 3 of this presentation addresses the assurance function perspective; Section 4 addresses the assessment perspective.
Two Perspectives on Assurance Provided by COBIT 5
Both perspectives are built on the seven common governance and management enablers of the COBIT 5 framework.
COBIT 5 for Assurance 3. Comprehend how to use COBIT 5 enablers for governing and managing assurance activities.
The Assurance Function Perspective
The assurance function perspective describes how each enabler contributes to the overall provisioning of assurance, e.g.:
Which organisational structures are required to provide assurance (board/audit committee, audit function, etc.)
Which information flows are required to provide assurance (audit universe, audit plan, audit reports, etc.)
Section 2A of the publication contains examples of contributions to assurance practices for each of the enablers and further elaboration on each example is provided in an appendix.
The assurance publication introduces an expanded form of audit programme, explicitly acknowledging and addressing the seven governance and management enablers to support effective assessment and assurance provision against the COBIT 5 framework elements.
COBIT 5 for Assurance 4. Comprehend how to provide assurance over COBIT 5 enabler use in enterprises.
The Assessment Perspective
The assessment perspective deals with the actual subject of assurance, i.e., performing actual assurance engagements, where assurance needs to be provided over the subject matter of IT.
This subject matter is described in full detail in the COBIT 5 framework and COBIT 5: Enabling Processes publications; the framework consists of the interconnected and interacting COBIT 5 enablers, and the process enabler is fully described in COBIT 5: Enabling Processes. Therefore, the assurance publication describes only at a high level how an assurance professional can approach providing assurance over enablers.
Section 2B of the assurance publication provides:
A detailed description of the core assurance processes, which includes a more in-depth level of detail on the COBIT 5 processes MEA01, MEA02 and MEA03
A generic approach on how to provide assurance over COBIT 5 enablers

COBIT 5 for Assurance 5. Understand how COBIT 5 for Assurance relates to other standards.
How COBIT 5 for Assurance Relates to Other Standards
COBIT 5 for Assurance, much like COBIT 5 itself, is an umbrella approach for the provisioning of assurance. This section illustrates the umbrella positioning by placing COBIT 5 for Assurance in context with a number of (IT) assurance-related standards.
The list of standards considered includes:
ISACA ITAF, 2nd Edition, a professional practices framework for IS audit/assurance
The Institute of Internal Auditors (IIA) International Professional Practices Framework (IPPF) Standards 2013
American Institute of Certified Public Accountants (AICPA) Statement on Standards for Attestation Engagements (SSAE) 16

Statement on Standards for Attestation Engagements 16 (SSAE 16)

Chapter 10
E-business and Enterprise Resource Planning Systems
Outline
Expected outcomes
E-business
ERP systems
Application service providers

Expected outcomes
Explain the nature of e-business, comparing and contrasting it with traditional brick-and-mortar organizations.
Discuss major forms of e-business.
Describe the basic nature, purpose and structure of ERP systems.

Give examples and analyze the causes of ERP system failures.
List and discuss steps associated with successful ERP implementations.
Discuss the role of application service providers in e-business.
E-business
Defining feature
Business is transacted via computer networks.
Benefits
Expanded marketing
Reduced operating costs
Streamlined operations
Product / service delivery
Costs
Network setup
Different internal controls
Customer distrust potential
Consequences of technology breakdowns
E-business
Five major categories
Business to consumer
www.travelocity.com
Business to business
www.officedepot.com
Government to consumer
www.sec.gov

Government-to-business
www.sba.gov
Consumer-to-consumer
www.angieslist.com
ERP systems
Relational databases designed to provide comprehensive, integrated information about an organization
One form of event-driven AIS (accounting information system)
Common modules
Customer relationship management
Human resource management
Supply chain management
Financial management
ERP systems
Failure causes
Human resource related
Poor top management leadership
Poor project management
Inadequate education & training
Unrealistic expectations
Project seen as IT only
Business process related
Trying to maintain status quo
Automating poor processes
Bad match between processes and system
Technology related
Inaccurate data
Technical issues
ERP systems
Conditions for success
Organizational commitment
Clear communication
View as enterprise-wide venture
Select compatible system
Resolve multi-site issues
Ensure data accuracy
Lecture break 10-2
Working with a group of three to five students, explain how one of the following could relate to ERP projects:
Database normalization
Expectancy theory
Systems development life cycle
COSO frameworks
Application service providers
Description
Third-party entity
Deploys, hosts & manages access to packaged application
Delivers software-based services over a network
Examples
Web hosting
E-mail providers
Transaction processing
E-mail security
Virtual offices
Application service providers
ASPs can present additional internal control challenges and issues
Service organization audits can address some of them
Old standard
Statement of Auditing Standards 70 (SAS 70)
Replaced since text was published
Application service providers
New standard
Statement on Standards for Attestation Engagements 16 (SSAE 16)
Motivated by two forces
Misuse of SAS 70
Convergence with international standards

Classroom assessment
This chapter has focused on e-business, ERP systems and application service providers.
Form a group of three to five students.
Select one of those three topics.
As a group, write down:
Three things you know about the topic.
Three things you want to know about the topic.