
About the compliance: it's all the rules, regulations, laws; it's how the organization controls. So the three of them make the performance of the organization, the three of them make good governance, and the three of them make the IT security. If the three of them are met together and are well together, then we are going to have IT security in our organization. I tried to show you some definitions, with representative pictures for each one of them. What is governance? It is having in your hands everything in control of your organization, and I focus on the governance of IT. Governance is ethical management of the organization with approved business plans and strategies. Governance means transparency, it means ethics, and it means the monitoring of your organization.
And risk: I chose again another picture to represent the risk. The management of risk is the balance that you should keep in mind when you're deciding how much risk you should take and how much risk you should keep in your organization. Why is that? Because if you mitigate all the risk, then it means you can isolate your organization, and that doesn't mean performance. So the management of risk means good performance. And compliance: compliance helps both of them, managing the risk and governing. With compliance, the organization has all the regulations, all the procedures, policies, and the way it monitors. And now comes the one that goes further; it goes deeper, like the iceberg,
it goes deeper in the three of them. IT audit makes sure and provides that the three of them are met and the three of them are functioning well. With IT audits, and in general with audits, you make sure that your level of organization is in good performance. That's the definition of IT audit: it's the investigation and evaluation of IT systems, infrastructure, policies and operations. So with IT audit you will make sure that your organization is functioning and in control. But it's not what penetration testers do; let's not confuse the two. IT audit does the risk management and evaluates the risk, and it works with risk assessment, and not a 100 percent penetration testing and making sure that
every part of the organization works, only the critical parts, based on risk. And now I'm going to talk more about the institutions of the Republic of Kosovo, about which I may say a lot more because I have a lot of experience, almost more than eight years working in the institutions of the Republic of Kosovo. So I'm going to talk about GRC and IT auditing in the institutions of the Republic of Kosovo. In the beginning, in the early 2000s, the institutions of the Republic of Kosovo were focused mostly on development: developing systems and infrastructure and functionalizing electronic services for citizens. But they hadn't thought about making a structural organization and laws and policies until 2013. That's an
event of 2013. Even if in the early 2000s they started functioning lots of systems and electronic services, in 2013 the Assembly of the Republic of Kosovo implemented and developed the Law on Information Society Government. This law determines which are the bodies that manage every... it determines the units which manage IT governance, and the main body is AIS, or Agency for Information Society, and we're going to talk about it in the next slides. For the governance I chose the two main representatives, which are the Ministry of Internal Affairs and AIS, the Agency for Information Society. Firstly, I'm going to talk about the Ministry of Internal Affairs, which has as its mission to secure the citizens of Kosovo in every aspect, and as well in the aspect of IT security,
and it has most of the data and systems organized inside this institution, and as well with its agencies. The biggest ones, with the largest data and the most critical data, are Kosovo Police, Kosovo Forensic Agency, Civil Registry Agency and, of course, AIS, the Agency for Information Society. The Agency for Information Society is one of the main agencies, and it's the centralized part of IT in Kosovo. It says it is an executive agency, which means it's under the mission of the government. It works under the Ministry of Public Administration, and now it's under the Ministry of Internal Affairs; it responds to the Ministry of Internal Affairs. The agency is a state administration and central body, and the other units in
other ministries and other agencies respond to and collaborate with AIS. Those are the two main institutions for governance. And now I chose the other two for risk, which are the Regulatory Authority of Electronic and Postal Communications, which works under the law for communications, and the main unit of this regulator is the National Computer Security Unit, or KOS-CERT. The key role of this unit is the safeguarding of electronic communications networks and services in Kosovo, and it manages not only the public sector but also the private companies, and most of them are the companies that provide network services. For compliance and IT audits, it's the Kosovo National Audit Office and the Information and Privacy Agency. Those two institutions help with the compliance,
especially the National Audit Office, which conducts IT audits and other kinds of audits; it's the biggest institution for economic and financial control. The Kosovo National Audit Office is an independent office; it responds to the Assembly of Kosovo. As well, the Agency for Information and Privacy responds to the Assembly of the Republic of Kosovo, and it's an independent agency, and its mission is to implement and to control the implementation of the law on access to public documents as well as the law on personal data protection, which is its mission, and it's very important. And now I'm going to go on with the last part of the presentation for today, which is the role of IT auditing in
the institutions of the Republic of Kosovo, and I'm going to talk more about the Kosovo National Audit Office. I had some bullet points here to talk more about the IT audit part in the Kosovo National Audit Office. As I said, in 2013 there was the implementation of the law on information society bodies, and in 2016 Kosovo started conducting IT audits. The first time that Kosovo started with compliance in the IT field was in 2016. Information system audits are relevant, and they provide the citizens and the Assembly of the Republic of Kosovo with the assurance that they met the control and the objectives of the services that they have.
The Kosovo National Audit Office as well had a success in that it developed the manual of IT auditing. It was developed with the EUROSAI working group, which is the supreme audit institutions of Europe, and Kosovo is a full member of EUROSAI and INTOSAI, which are the supreme audit institutions of the world and of Europe. So this is a picture of proud auditors after they became full members of INTOSAI and EUROSAI, and with their tireless work they became a full member of these world organizations of supreme audit institutions. The methodology that the Kosovo National Audit Office uses while conducting IT audits, while they evaluate and identify the findings, is the framework of COBIT,
ITIL, the handbook of IT audits for supreme audit institutions, IT auditing standards, and also security standards like ISO 27000, and laws and regulations that are enforced in the Republic of Kosovo, and the internal policies, procedures and regulations of those entities where they are conducting audits. As well, because they are a member of INTOSAI, they exchange experiences with other SAIs of the world, and they can take research models conducted by other supreme audit institutions. As well, they use technology tools, and of course while they're doing their work they do the papers of their work, like questionnaires and other things. And I'm presenting now that they carried out an evaluation in the
beginning of the IT auditing. They did an evaluation of the systems in the Republic of Kosovo, and for this evaluation they prepared and analyzed the internal IT policies and procedures of entities, and they evaluated central IT services and the security of information systems. The scope of this evaluation was 92 budget organizations of the Republic of Kosovo: 24 of them were at the central level, 38 at the local level, and 30 other independent agencies. So this evaluation was made for 92 budget organizations. They as well prepared a survey for self-assessment, and in that survey were included planning and organization, acquisition and implementation, delivery and support, and monitoring and evaluation. And from this assessment the main deficiencies were in IT
governing, monitoring and managing IT investments, and data protection in budget organizations. So that is the part for the IT auditing role, and thank you.