[Audio] Welcome to Lecture 2 of the IT Quality Assurance and Audit course, on the implementation and standards of auditing.
[Audio] Auditing standards are of paramount importance to the audit process as a whole. They provide the requirements and guidelines that help auditors plan and conduct an audit effectively. An audit is a process by which auditors examine an organisation's or system's operations, data and procedures to determine whether they comply with applicable legal and industry requirements and with the organisation's internal policies. Auditing standards play an essential role in this process; without them the audit process would be neither consistent nor transparent. First, auditing standards set out the requirements and procedures that auditors must follow during an audit. This is particularly important when auditing information systems, where security, data integrity, reliability and availability are key considerations. Audits of information systems include an examination of how data is handled and protected, and here the standards give clear guidance on the steps needed to ensure an appropriate level of control. The standards also specify the methodologies and techniques to be used, so that audits are consistent and organisations and auditors follow the same principles and practices regardless of which organisation or system is being audited. Secondly, auditing standards help not only auditors but also the organisations they audit. Applying the standards ensures that the organisation operates transparently and efficiently. This matters especially when an organisation undergoes external or internal audits, because the standards ensure that the processes being audited are transparent and verifiable. The procedures and requirements set out in the standards help organisations ensure that their systems and processes comply with relevant legislation and regulations.
This is particularly important in industries with strict regulatory requirements, such as the financial, healthcare or IT sectors. Auditing standards also ensure that auditors always carry out an audit on uniform and objective principles. During the audit it is essential that auditors work to clearly defined criteria, as this makes the results objective and reliable. If standards are not followed, different auditors may use different methods and techniques and reach different results. Applying auditing standards therefore contributes to transparency in the auditee's operations and helps auditors make informed decisions. Auditing standards also make processes verifiable: each audited step, activity and result must be documented so that it can be retrieved and checked later. The standards require auditors to produce detailed reports that include the deficiencies identified during the audit and recommendations for resolving them. These reports are essential because they allow organisations to improve their operations and avoid future problems, and they give senior management and other stakeholders, such as investors or regulators, insight into the organisation's operations and compliance. Auditing standards therefore not only ensure the transparency and controllability of the process but also provide organisations with a clear framework for how audits are carried out. Following them is essential for complying with legal requirements and for ensuring that systems and processes operate effectively, and it helps audited organisations avoid errors and deficiencies that could put their operations or regulatory compliance at risk.
[Audio] Auditing standards and guidelines are central to auditing information systems, especially to carrying such audits out successfully. They are not merely general recommendations; they set out specific principles, requirements and methods to be followed in every audit and ensure that a comprehensive and thorough examination of the audited systems is carried out, regardless of the organisation or sector. One of the most important roles of auditing standards is to ensure the reliability and comparability of the information gathered during the audit. This is especially critical for information systems, which are essential to the day-to-day operations of organisations: they not only manage the organisation's data but also perform essential functions such as maintaining data security, availability and system stability. Auditing standards therefore define which aspects of these systems must be assessed and how to confirm that they meet regulatory and industry requirements. They give clear guidance on the methods auditors should use, which keeps the approach consistent and leaves no room for subjective interpretation or divergent practice. The procedures laid down by the standards increase the efficiency and reliability of auditors' work, since auditors know exactly which steps to take for the audit to be comprehensive and thorough. The standards also help auditors apply best practice: the methodologies they provide give clear guidance on the steps to take when auditing the various systems and processes in scope, which makes audits faster and more efficient and increases their credibility.
Auditors can then produce robust and objective reports that help organisations improve operational efficiency and ensure regulatory compliance. Following auditing standards also makes audited information comparable across audited systems. This is particularly important when comparing several organisations or systems, or when an organisation conducts internal or external audits at different times: comparability lets the organisation monitor its progress and any shortcomings on an ongoing basis and take corrective action where necessary. Finally, auditing standards increase the transparency of audits. Auditors are responsible not only for auditing systems but also for reporting the results, clearly showing any shortcomings and the recommended improvements. With the help of the standards, these reports are accurate and understandable, so that management and other stakeholders can clearly understand the findings and the actions required.
[Audio] The key role of auditing standards is not only to provide a common framework for auditing different organisations, but also to promote the transparency and credibility of the audited processes. Standards allow all organisations, regardless of size or industry, to be audited by the same principles and methods, which ensures that the results are reliable and comparable. This matters because the information gathered during an audit is often used to optimise operations, monitor regulatory compliance and inform external and internal stakeholders. Auditing standards specify the procedures and techniques auditors should use so that the information obtained is consistent and reliable. This is particularly important in comparisons between organisations, where audit results from several different entities have to be interpreted and analysed in a consistent way. If all entities follow the same standards, auditors can be confident that the audited data is not only accurate and complete but also comparable with the results of other entities, and organisations can benchmark their audit results and improve their own processes in line with industry best practice. Harmonised standards are especially important for international organisations that operate in several countries and must comply with different jurisdictions. One of the biggest challenges for global organisations is applying audit findings across countries with different regulatory environments and market conditions. Auditing standards help ensure that audits conducted in different countries follow the same principles and requirements, guaranteeing the consistency and reliability of the results.
This allows organisations to compare their own performance with that of other entities more easily and to ensure that audits carried out in different countries are consistent and comparable. This unification has other benefits as well. First, by applying common auditing standards, organisations minimise the risk of variation and error between audits. When everyone follows the same standards, auditors know exactly which steps to follow and which methods to use, which increases the efficiency of the process and keeps the results consistent and transparent, so auditors can make better-informed decisions and give a more accurate picture of the audited organisation's operations. Second, common auditing standards strengthen international cooperation. In a global economy organisations are increasingly interdependent, and there are ever more situations in which organisations in different countries must work together. Auditing standards ensure that these organisations operate by the same principles, which facilitates cooperation and compliance with international regulatory requirements. This is particularly important for international companies, financial institutions and regulators, which face strict transparency and compliance requirements. Uniform auditing standards are especially important to the functioning of global markets, as they ensure that organisations operate in a transparent and comparable way regardless of the country or region. This helps investors and other stakeholders get an accurate picture of the performance and operations of organisations regardless of market or industry, and allows international organisations to be more transparent and to comply with the relevant rules and regulations in each country or region.
The use of auditing standards therefore keeps organisations within a common framework in which audited results are comparable and reliable. Standardised audits promote more efficient operations, enhance the credibility and transparency of organisations and strengthen international cooperation. By following the standards, organisations not only comply with legal requirements but also apply best practice, optimising their own operations and increasing their competitiveness in the global market. Finally, auditing standards support continuous improvement by giving organisations the opportunity to analyse results, identify gaps and correct them. The comparability of audited information makes it easier to see where improvements are needed and where the organisation is performing well. In this way, standards not only increase the efficiency of the audit process but also contribute to the continuous improvement and long-term success of organisations.
[Audio] Auditing information systems is an extremely complex and comprehensive task that requires considerable preparation and proper planning. In this kind of audit it is important that organisations use a well-constructed set of rules to guide the auditors and help them ensure that every detail of the process is properly examined and assessed. Because information systems are complex, audits must be well planned and all critical areas must be considered. A set of rules not only makes the audit effective but also makes clear to the auditors which key elements they need to examine. One of the best-known and most widely accepted frameworks for this purpose is COBIT, published by ISACA (the Information Systems Audit and Control Association), which is widely adopted in many parts of the world, particularly for auditing information systems. COBIT aims to provide a well-defined framework within which organisations can design and manage their own control systems. Control systems play a fundamental role in enabling an organisation to ensure that its information systems operate properly, are secure and comply with regulatory and industry requirements. COBIT not only focuses on the control of information systems, but also provides comprehensive guidance on how to establish and maintain a control system that can support an organisation's IT processes over the long term. It describes in detail how to manage IT risks, how to ensure the continuity and reliability of systems and how to maintain information security. Following these guidelines not only increases the effectiveness of IT audits but also makes the organisation more transparent and controllable. The COBIT methodology also lets auditors work to clear guidelines.
This helps ensure that the audit process is consistent and transparent and that all auditors conduct the audit by the same principles and rules, which is particularly important when auditing information systems, where accurate and detailed documentation is essential. Following the COBIT framework, auditors can produce reliable, objective and accurate reports that help organisations understand the state of their own systems and the areas where improvement is needed. One outstanding advantage of COBIT is that it supports not only the conduct of audits but also the continuous improvement of organisations. The framework enables organisations to maintain and improve their own control systems in the long term, so that they can focus not only on resolving the problems identified during audits but also on preventing them in the future. COBIT's methodology helps organisations continuously monitor and evaluate their own processes and use these evaluations to improve their operations. It is important to note that COBIT is not a rigid rulebook but a flexible framework that organisations can adapt to their own needs and environment. This is particularly valuable in a rapidly changing technological environment, where IT systems are constantly evolving and facing new challenges; flexible application of the framework allows organisations to react quickly to change and to manage emerging risks and issues appropriately.
[Audio] COBIT is essentially an integration effort that brings the control, management and governance of IT systems under a single framework. The methodology helps not only IT professionals but also management, because it allows IT processes and governance objectives to be aligned. COBIT is a set of standards and international best practices covering the development, procurement, operation and security of IT systems. Importantly, these standards are not only technological; they also address governance, so that IT processes operate consistently and in line with the objectives set by management. In this way COBIT helps ensure that IT systems and processes are efficient not only technically but also from a business point of view. A key element of the methodology is integrating the different IT systems and processes into a single framework, which provides guidelines on how to establish and maintain IT control mechanisms and how to manage IT processes on an ongoing basis. COBIT also supports the development and operation of IT systems within a framework that follows international best practice. From an IT management perspective, COBIT is particularly important because it focuses not only on technical detail but also on aligning IT processes with business objectives: the focus is on the coherent management of technology and management aspects rather than on IT auditing and IT detail alone. This matters because the IT systems of modern companies are increasingly integrated with corporate strategic objectives, and COBIT helps ensure that these systems function properly not only at a technical level but also from a business perspective.
COBIT can be especially useful for organisations where IT and business processes are closely linked and where the reliability and efficiency of IT systems are key to the success of the business. A unified framework ensures that the various IT systems and processes work in harmony and that management can properly manage and control them. Finally, COBIT allows IT process audits to be performed consistently at international level, giving international organisations reliable and comparable results. By taking business objectives into account, COBIT lets IT management be integrated not only from a technical but also from a strategic perspective, which is key in the modern enterprise environment.
[Audio] The diagram shows the main elements of the COBIT model, which are closely interlinked. At the centre is COBIT itself, the framework for IT governance, surrounded by four key areas: business requirements, IT resources, IT processes and information. First, business requirements determine the organisation's IT needs, and these needs drive IT investment. Defining business goals and requirements is of paramount importance, as they drive IT activities and thus the whole IT environment. Second, IT resources are the tools, systems and technology infrastructure that companies use to deliver IT services; they enable IT processes to function efficiently, and their proper management is essential for the organisation to support its business objectives. Third, IT processes are the steps and procedures by which IT resources are used to achieve business goals; they ensure that IT services function properly and that business needs are met, and managing them effectively is key to optimising IT performance. Finally, information is the data produced, managed and transmitted by IT processes and resources. It plays an important role in corporate decision-making, since accurate, up-to-date and reliable data can be used to fine-tune strategy and operations. The diagram therefore illustrates how COBIT links business requirements with IT processes, resources and information to ensure the efficient operation of the organisation and continuous improvement.
[Audio] The third edition of COBIT was, when it appeared, the current version of the control guidelines for the management of information and IT systems. The continued development and publication of the guidelines matters because IT systems are becoming increasingly complex and the associated risks change rapidly. IT governance and control are of growing importance, especially in an environment where technological innovation determines how companies operate and compete. The first edition of COBIT was published in 1996 by the Information Systems Audit and Control Foundation (ISACF). This first version laid the foundation for the control processes required to audit information systems; the Foundation's goal was to create a set of standards that would enable organisations to audit and control their information systems effectively. COBIT has since become a widely used tool for IT auditing and governance, as applying its methodology contributes greatly to the transparency of organisations' operations and to the security of their systems. The third edition was published in 2000, when the standard was further developed by the IT Governance Institute (ITGI) and ISACA. The new version was designed to further support the understanding and application of IT governance principles. It placed particular emphasis on the ongoing management and control of IT systems, since these systems had become a critical element of organisations' day-to-day operations. The third edition added a number of new guidelines and recommendations to help organisations operate their IT systems as efficiently as possible and comply with the latest standards and regulations, and it confirmed COBIT's role as one of the most important international frameworks for IT auditing and governance.
Since then COBIT has evolved further and has become a global standard for IT governance, used in many sectors and countries. As the complexity of IT systems has grown, COBIT has been expanded and refined to meet new challenges and the ever-changing technological environment.
[Audio] This edition of COBIT was supplemented with a Management Guidelines section, which significantly broadened the scope of the framework, with particular attention to IT governance. The aim of the new guidelines was to give management clear guidance on how to manage and control IT systems effectively. The change further emphasised the role of the IT Governance Institute (ITGI) in preparing the new editions and promoted the widespread application of IT governance principles in corporate management. The original version of COBIT was based on the control guidelines defined by the Information Systems Audit and Control Foundation (ISACF), but it has been continuously expanded and developed in subsequent editions, adapting to international technical and IT standards and integrating them with the latest information technology, professional and regulatory requirements. COBIT is not limited to a specific sector; it offers comprehensive, industry-independent solutions that can be applied across sectors. In particular, the end-to-end approach is emphasised, so that the management and control of IT systems covers the entire operational process of the company. This comprehensive approach is meant to ensure that the COBIT framework is applied at every level, from strategic decision-making to day-to-day operations. COBIT therefore focuses not only on the technical control of IT systems but extends its scope to the governance of the whole enterprise, ensuring that IT processes are aligned with the organisation's business objectives and strategy. COBIT also places great emphasis on compliance with professional and regulatory requirements.
In an ever-changing regulatory environment it is essential that IT systems comply with the latest regulations, and COBIT helps organisations not only to meet these requirements but also to adapt proactively to change. The integrated framework allows the various regulatory requirements to be managed and controlled within a single system, enabling transparent and auditable operations. COBIT is therefore a dynamically evolving framework that continuously adapts to global technological and regulatory trends while providing a comprehensive solution for IT governance and control.
[Audio] The fourth version of COBIT was released in 2005 and marked an important milestone in the development of the framework. It improved on previous releases in many respects and adapted further to new technological and business challenges. The Hungarian version was completed and published by ISACA Hungary by the end of 2009. This was particularly significant for Hungarian organisations, as the COBIT framework became available in Hungarian, making it easier for Hungarian companies to apply and implement. ITGI conducted extensive research in the field of IT governance to make sure that version four was in line with the latest trends and expectations. This research looked not only at technical aspects but also at the role of IT governance in business management and strategic decision-making. ITGI also used feedback from COBIT users, which was particularly important because it helped identify the areas where COBIT needed further refinement. The experience gained from the feedback and the research results formed the basis for the fourth version. This version enabled wider adoption and more effective use of IT governance, ensuring that organisations' IT processes and business objectives are more closely aligned, and it paid particular attention to making the framework both comprehensive and flexible enough for different organisational needs and industry requirements.
[Audio] COBIT was developed on the basis of a range of international standards and guidelines in order to create a comprehensive and coherent framework that takes the control and management of IT systems to the highest level. Technical standards were a fundamental pillar of this work. ISO standards cover many areas of information technology, including security, quality management, risk management and continuous improvement, and define the technical requirements an IT system must meet in order to operate reliably, securely and efficiently. In electronic data interchange, EDIFACT, the electronic data interchange format, is a key standard that helps companies communicate with other systems in an efficient and standardised way. IT auditing also requires codes of conduct, which set out the basic rules of ethical and responsible behaviour. Such codes have been developed by international organisations including the Council of Europe, the Organisation for Economic Co-operation and Development (OECD) and ISACA. They ensure that all participants in the audit process, whether auditors or audited organisations, adhere to ethical standards and principles of responsible behaviour. This is crucial because IT auditing involves examining sensitive data and systems, so auditors must always keep transparency and reliability in mind. Among certification criteria, COBIT takes into account standards such as ITSEC, the Information Technology Security Evaluation Criteria, which ensure that IT systems meet security requirements. The ISO 9000 family sets out the requirements for quality management systems, ensuring that IT systems are not only secure but also efficient and reliable.
SPICE, Software Process Improvement and Capability Determination, is another important element of the certification criteria; it allows software development processes to be assessed and improved. The Common Criteria are a global standard for IT security evaluation, ensuring that systems meet international requirements. Internal control and auditing standards also play a key role in the COBIT framework. The COSO report, for example, provides a comprehensive control framework to help organisations design and operate internal control systems effectively. The standards issued by the International Federation of Accountants (IFAC) are also of paramount importance, as they provide the highest-level guidelines for auditing practice to ensure that the audit process is transparent, reliable and based on best practice. Sectoral standards and requirements are another important input to COBIT. These focus on industry-specific requirements developed by industry forums and government-sponsored organisations, tailored to the specific regulations of, for example, the financial sector, health services or the IT industry, and ensure that organisations in those sectors comply with their industry's standards. Including industry-specific standards allows the COBIT framework to be applied across different sectors while taking their specific needs and challenges into account. Newly formulated sector-specific requirements, for example in banking, e-commerce and the production of IT equipment and software, have also contributed significantly to the development of COBIT. In banking, for example, strict regulations such as the Basel II requirements are in place to ensure the stability of the financial system.
In electronic commerce, regulations and guidelines have been established to ensure that e-commerce systems are secure and reliable and comply with international standards and expectations. And in IT equipment and software manufacturing, a number of new standards have been developed to ensure the efficiency of manufacturing processes and the quality of products.
[Audio] COBIT 3 is built on three main components: the Framework, the Control Objectives and the Audit Guidelines. Together they support effective IT governance and audit processes. The first component, the Framework, contains the high-level control objectives that define the expectations for each IT area. This part of COBIT 3 describes the purpose of 34 high-level control objectives, which are applied in parallel with the business processes. They are essential to ensuring that IT systems meet the company's business objectives and that IT processes are transparent, reliable and auditable. The second key component is the detailed Control Objectives, which give detailed guidance on the results the control processes are expected to achieve. Control objectives focus on specific, measurable outcomes to be considered in audit and IT governance, helping organisations to define concrete expectations and to audit against them. Finally, the Audit Guidelines give auditors detailed guidance for a comprehensive audit of IT systems: the steps to follow and the aspects to consider to ensure audit quality. They help standardise the process and make audit results comparable and reliable regardless of the organisation being audited. Together these components form a solid foundation for COBIT 3 and ensure that the management and control of IT processes meet the highest standards and expectations.
[Audio] COBIT is one of the most widely used frameworks for auditing information systems. Its first version was released in 1996, with the main purpose of supporting IT auditing, but over the years the framework has been significantly extended. The second version, in 1998, took into account the internal controls of IT systems, while the third version, released in 2000, responded to the needs of management and helped IT management manage and control its processes. Version 4, released in 2005, extended the scope further: it no longer focused only on auditing and controlling IT systems but also covered IT management and governance. As a result, COBIT supports not only the control of IT processes but also their effective management and the achievement of strategic objectives at enterprise level. As COBIT evolved, more and more organisations adopted it for IT governance, since it offered a comprehensive framework for auditing, managing and governing IT processes. COBIT is designed to help organisations ensure that their information systems are reliable, secure and compliant while supporting the achievement of business objectives.
[Audio] COBIT 5, released in April 2012, brought a major innovation in IT management. This version not only integrates the previous versions of COBIT, but also incorporates a number of other internationally recognised frameworks and standards to give organisations more comprehensive and effective solutions. For example, ITIL, which covers best practices in IT service management, has become an integral part of COBIT 5. ITIL enables organisations to manage their IT services effectively and to ensure that these services are aligned with the organisation's business objectives. Another important element of COBIT 5 is the integration of ISO 27001, the international standard for information security. This is particularly important for modern businesses, as cyber-attacks and data leaks are an increasing threat. ISO 27001 helps organisations manage security risks and ensure that their information is protected in accordance with legal and business requirements; COBIT 5 integrates this standard so that security is firmly embedded in the way the business operates at all levels. Another significant standard included in COBIT 5 is ISO 38500, the international standard for IT governance. This standard ensures that IT is managed not only at a technical level but also at a strategic level. With ISO 38500, companies can establish an IT governance framework that directly supports the achievement of business objectives and ensures that IT developments and investments are aligned with the company's long-term strategy. In addition, COBIT 5 also incorporates Enterprise Architecture frameworks that enable organisations to build a structured and comprehensive view of their IT infrastructure. This helps organisations integrate their IT systems and processes more effectively with their business strategy, ensuring that IT is not only a support function but also an active player in the delivery of business objectives. Perhaps the biggest innovation of COBIT 5 is its much broader approach to IT management and governance. While previous versions focused primarily on IT processes and their control, COBIT 5 covers the entire organisation and treats IT as a strategic asset of the company. It also focuses on how IT systems and processes contribute to the business goals the organisation has set. This means that IT can no longer be treated as an isolated technical entity, but needs to be integrated into the functioning of the business as a whole. COBIT 5 also introduced a new value chain model that shows how IT creates value within the organisation. This model helps to understand how IT can contribute to the organisation's success and how to optimise the use of IT resources to achieve maximum business value. The value chain model also emphasises that IT systems and processes not only support operations, but also have a direct impact on the long-term strategy and growth potential of the business. These new elements of COBIT 5 are particularly relevant for modern enterprises, where the role of IT is constantly growing and becoming ever more integrated into business processes. By adopting a broader approach and integrating key international standards and frameworks, COBIT 5 ensures that companies can manage their IT systems effectively while meeting their business objectives.
[Audio] According to COBIT, the resources of an IT organisation can be divided into categories, all of which are vital for the effective operation and management of IT systems. These resources are data, application systems, technology, facilities and people, and each category has its own role in the operation of IT services and systems. The first important resource is data, meaning information in the broadest sense, including structured and unstructured data such as graphical, audio or any other kind of data. Data is the foundation of any IT system, as it provides the organisation with the information it needs to make decisions and operate; the effectiveness of data management directly affects the performance and security of the organisation's IT systems. Application systems are the second key resource. These include both the manual and the programmed procedures that support the organisation's operations and IT processes. Application systems ensure that data can be properly managed, processed and analysed, and that the day-to-day operations of the organisation run smoothly. This covers a variety of software, database managers and other IT solutions that help automate and optimise business processes. Technology refers to the hardware and software infrastructure of IT systems, including operating systems, database management systems, networks, multimedia and all other technological tools needed to provide IT services. Technology plays a vital role in enabling organisations to use modern IT solutions, including cloud services, virtualisation and mobility, which are now essential for competitive operations. Facilities are also critical resources, as they provide the physical location and operating environment of IT systems. They include data centres, server rooms, cooling and power systems, which are essential for the stable and secure operation of the IT infrastructure; ensuring the right physical environment is key to the reliability and continued availability of IT systems. Finally, people are the workforce needed to design, develop, operate and monitor IT systems and services. People include everyone involved in the operation of IT systems: developers, administrators, IT security experts and users. The knowledge, skills and abilities of IT professionals have a crucial impact on the efficiency and security of IT systems, and the skills and experience of people are critical to an organisation's ability to adapt to a rapidly changing technology environment and to deal with the problems and challenges that arise.
[Audio] COBIT looks at information in two important ways. First, it views information as an element that is necessary to support and achieve business objectives. Second, information is the element managed by IT resources and processes, and it is key to the functioning of IT systems. This dual approach ensures that information is not only an asset but also a strategic factor in the operation of the organisation. Information must, however, meet certain organisational and business requirements to be of real value to the company. First, the information must be relevant and material to the business processes: the data must have content that actually contributes to decision making and business operations. Information must also be consistent and available in a form that is easy to use; if the data is complex, difficult to interpret or deviates from expectations, it can hinder the effective functioning of the company. Another important requirement is that the information is prepared in the most efficient way possible, meaning that data should be produced, collected and processed in a way that minimises the use of time and resources while providing the greatest possible value to the organisation. Furthermore, confidential and secret information must be handled appropriately so that it is not disclosed without authorisation. This is particularly important in systems where sensitive data such as financial or personal information is handled. The COBIT framework is closely linked to international standards such as ISO 17799 and ISO 27000, which provide guidelines for information security and privacy. The availability of information is also a critical factor: information must be available at the right time and in the right format whenever the company needs it. This means that IT systems must be able to ensure the continuous availability of data, even when external factors such as server downtime or network problems threaten operations. It is also important that the information complies with legal and contractual obligations. This is particularly important in sectors with strict regulatory requirements, such as finance or healthcare: IT systems and the data they handle must comply with applicable laws and industry standards. Finally, the information must be reliable, meaning that the data must be accurate, credible and verifiable. If information is not reliable, it can compromise the company's decision-making processes and pose risks to the organisation.
[Audio] COBIT discusses the management of IT resources at three levels, categorised as lower, middle and upper. Each level involves different processes and activities, carried out at different levels of the organisation, in order to optimise IT operations. The lower level includes the activities and tasks needed to achieve the desired results. These activities are directly linked to the operational IT function and support day-to-day tasks. The lower level often includes specific tasks performed by IT professionals within the organisation, such as processing data, maintaining the network or providing user support. The middle level organises these activities and tasks into processes. Here, a number of successive activities are integrated into a coherent process chain, which ensures the efficiency and consistency of the activities. Middle-level processes may include elements such as managing IT system upgrades, coordinating backup procedures or expanding the corporate IT infrastructure. These processes are closely linked to lower-level activities and ensure that each step can be monitored and managed. The top level groups the processes into higher-level topics, the so-called domains. COBIT groups these top-level processes into four broad domains: planning and organisation, acquisition and implementation, delivery and support, and monitoring. The planning and organisation processes align the organisation's IT strategy with its business objectives and ensure the long-term development of the IT infrastructure. During acquisition and implementation, the organisation makes decisions about acquiring and implementing IT assets and services. Delivery and support covers day-to-day IT operations, ensuring that IT systems run smoothly and deliver services that meet business needs. Finally, monitoring is the process by which the organisation monitors and evaluates its IT processes.
[Audio] The figure shows the structure of IT resources and processes at three levels, activities, processes and domains, while taking into account IT resources and IT criteria. It is a three-dimensional structure that visually highlights how IT systems and processes relate to each other at the different levels. Along the vertical axis are the processes of the IT department, divided into three layers. The first layer is the activities layer, which contains the basic IT operations: the day-to-day tasks that keep the IT systems running, such as network maintenance or performing backups. The next layer is processes, where separate activities are organised into processes so that they operate systematically and efficiently. This layer links the individual activities and provides a more comprehensive view of IT operations; the hierarchical structure shown in the diagram indicates how these processes are interlinked. The top layer is the domain layer, which is the level of IT governance and strategic decision-making. This is where IT processes are integrated into the operation of the business as a whole, and the decisions made here determine the long-term IT strategy of the organisation. This layer coordinates the various processes and ensures that IT systems support the achievement of business objectives. On the right-hand side of the diagram are the IT resources: people, facilities, technology, application systems and data. These resources are necessary for IT systems to work and play an important role at all levels. People, as the workforce, manage and oversee the operation of the systems, while the technology assets provide the infrastructure on which the IT systems are built. Application systems and data are the tools that enable IT processes to operate and to manage the information they require. Finally, at the top of the chart are the IT criteria, which include quality, financial discipline and security. These define the basic criteria for assessing and monitoring IT systems, ensuring that IT resources and processes meet the organisation's expectations. Quality means that systems operate efficiently and reliably, financial discipline means that IT costs are kept under control, and security ensures that IT systems are protected against a variety of threats.
[Audio] The key components of COBIT are made up of several elements, each of which plays an essential role in the design and operation of the IT management system. The first element is the executive summary, which gives the organisation's senior management an overview of the background and framework of COBIT. This summary ensures that managers understand how IT systems work and can make appropriate decisions when defining IT strategies. As COBIT is a comprehensive management framework, the executive summary helps to link IT to the company's business objectives. The second key element is the framework, which sets out the organisational and business requirements for IT systems. The framework provides guidelines on how IT systems can support the organisation's objectives while operating efficiently and securely, and it defines the governance structure for IT processes and the interfaces between them. The control guidelines set out the objectives of the control mechanisms. These help ensure that the organisation operates its IT systems as securely and efficiently as possible. The objective of controls is generally to enable the organisation to achieve its business objectives while minimising the risks associated with IT systems, and the guidelines give concrete steps for implementing and monitoring controls effectively. The audit guide provides the guidelines for developing an audit plan. It is closely linked to the control objectives and governance arrangements and helps auditors to establish transparent and consistent audit processes. During the audit, organisations can use the COBIT guidelines to assess the reliability, security and compliance of their IT systems against industry standards. The implementation methods provide a toolkit for the practical application of COBIT. This toolkit includes methods, procedures and tools for implementing the COBIT guidelines at different levels of the organisation, and helps the organisation to integrate its IT systems seamlessly with its business processes while ensuring the effectiveness of controls and processes. Finally, the management guidelines help organisations assess the health and performance of their IT systems. They measure the results of IT processes and help the organisation determine where interventions or improvements are needed.
[Audio] This diagram shows the COBIT executive summary, illustrating the basic elements of the framework and the implementation methods. The central element is the framework, which contains the general control guidelines. These guidelines ensure that organisations manage the audit and control of IT systems and processes in a comprehensive and controlled manner. The framework consists of three basic components: management guidelines, detailed control guidelines and audit guidelines. Together, these ensure that the organisation has appropriate guidelines for managing and controlling IT systems and that the audit process is transparent and consistent. The management guidelines set out the overall strategic objectives and approaches, the detailed control guidelines ensure that individual processes and systems meet the standards set by the organisation, and the audit guidelines focus on the audit methods and procedures required to control systems. At the bottom level are the maturity models, critical success factors, key goal indicators and key performance indicators. These tools help the organisation measure and evaluate the effectiveness of its processes and the achievement of its goals. The maturity models show where the organisation stands in terms of IT governance and control. Critical success factors are the elements essential to the organisation's success. The goal indicators and performance indicators measure the organisation's ability to meet its objectives and to operate effectively. The implementation methods page contains several tools to help you use the framework, for example a summary overview, case studies, frequently asked questions, presentations, application guides, management skills and IT audit. These tools make it easier for organisations to apply the framework effectively and to ensure that processes are transparent and well documented. Case studies, for example, provide practical examples, while the frequently asked questions help to resolve common problems quickly.
[Audio] The figure shows the basic components of COBIT 5, which define the framework for IT governance and management. COBIT 5 aims to provide a comprehensive, integrated approach that helps organisations align IT processes and systems with business objectives while ensuring transparency and regulatory compliance. The first component is meeting the needs of stakeholders. IT systems must not only work well from a technology perspective, but also support the company's business objectives. Stakeholders are the different groups connected to the company, such as investors, customers, employees or regulators, and COBIT 5 ensures that IT governance is aligned with their needs and expectations. The second component is covering the enterprise end-to-end. COBIT 5 focuses not only on the management of individual departments or processes, but on the entire company. This end-to-end approach allows IT processes and systems to be integrated into the business at all levels, and ensures that all areas meet both regulatory requirements and business objectives. Applying a single, integrated framework is also key. COBIT 5 aims to provide one framework that integrates different standards, policies and practices, so that IT is managed in a unified way, redundancy is minimised and transparency is ensured. Enabling a holistic approach is another essential element: IT systems and processes are managed with an approach that takes into account all operational aspects of the company, and IT governance focuses not only on technology issues but also on the overall business of the company and its context. The final key component is the separation of governance from management. COBIT 5 differentiates between IT governance and IT management, so that strategic decision-making and day-to-day operational management can be handled separately. Governance focuses on long-term goals, policies and decision-making, while management focuses on running and monitoring day-to-day operations. This separation is important to ensure that the company can manage IT risks appropriately and that IT continuously supports the corporate strategy.
[Audio] IT security problems and challenges are now an integral part of everyday life in the information society. Data protection, information security and network security are challenges that demand increasing attention from legislators, companies and everyday users. As the digital world evolves rapidly, more and more data and information is moving into virtual space, increasing the risks and the potential for attacks. While the protection of archival data has long been subject to a solid legal framework, the protection of digital data is still a relatively new area for legal regulation. In many cases, legislation lags behind technological developments, which raises a number of questions regarding digital privacy and security. We are increasingly confronted with new phenomena for which there is not yet a complete legal solution: consider data management issues for cloud services, data protection liability for online platforms or international data transfers. These new problems often create uncertainty in the application of the law, as existing laws do not always keep pace with innovation. It is therefore becoming increasingly important to work together at international level to develop appropriate guidelines and recommendations. Many international organisations, such as the EU or the OECD, are constantly working to publish guidelines and recommendations for member countries on various information security issues. These organisations not only help to develop legal frameworks, but also provide practical guidance to help companies and governments prepare better for data protection challenges. Such recommendations aim to establish a set of common principles that can be applied in all member countries, while taking into account local specificities and regulations. Solving security problems is therefore not only a technical task, but also a legal and regulatory challenge that requires continuous dialogue between legislators, experts and technology companies. For the information society to function securely, comprehensive regulations and policies are needed that not only respond to the current situation but also prepare for future challenges.
[Audio] The standards listed on this slide are among the most widely used and accepted guidelines in the field of IT security and service management. The first is the ISO 27000 series of standards, formerly known as ISO 17999, which lays the foundation for information security. This standard provides a comprehensive framework for managing information security, particularly the protection of confidential data. SysTrust is another important standard for ensuring the reliability and control of IT systems; it focuses on the stability and continuity of business IT systems. The Orange Book, also known as the TCSEC, contains the US Department of Defense's general IT security criteria. This standard covers all aspects of IT security, in particular reliability and encryption. ITSEC and the Common Criteria are also used to assess security systems. These standards cover the assessment of software and hardware security and provide general guidelines for the secure operation of IT systems. ISO 15408 deals with general security criteria, which are intended to set globally uniform requirements for IT security; this standard defines how security requirements are to be specified and met. Finally, ITIL is one of the most widely used standards for IT service management. ITIL aims to improve the efficiency and quality of IT services and to ensure that IT systems are aligned with business objectives.
[Audio] BS7799, also known as the British Standard, provides guidelines and recommendations on information security for those involved in building, implementing or maintaining security systems within organisations. The standard pays particular attention to international best practices covering the various areas of information security. The first area is business continuity planning, which ensures that the organisation's operations are not disrupted by emergencies or other events. Access control is also a priority, ensuring that only authorised individuals have access to sensitive information and systems. System development and operation requires continuous monitoring to ensure that new technologies and developments are introduced safely. In addition, the security of the physical environment plays an essential role, as the physical locations of IT systems, such as server rooms, must be adequately protected. The standard also addresses human resources security, including the training of employees and the strengthening of the organisation's internal security culture. The importance of the security organisation is also addressed, as this unit is responsible for managing and maintaining the organisation's information security. Computer and network management is another priority area, involving the continuous monitoring and maintenance of systems so that security threats are minimised. The classification and management of IT assets is also part of the standard, ensuring that all assets are adequately protected. Finally, the development of security policies and organisational security policies is an essential element, as these policies ensure that information security rules are enforced at all levels of the organisation.
[Audio] SysTrust is a set of requirements and criteria designed to provide a reliable way of assessing the operation of an enterprise IT infrastructure. It focuses on four key areas, ensuring that IT systems meet business requirements and security expectations. The SysTrust framework was developed by the AICPA and the CICA and is designed to ensure that the operation of enterprise systems supports a secure, reliable and transparent IT infrastructure. SysTrust's requirements are defined by a number of criteria that focus on guaranteeing the secure operation of IT systems. The first basic criterion is protection of the system against unauthorised access. This requirement ensures that corporate data and systems are protected from unauthorised access, preventing data theft, data loss or compromise of the IT system. The next criterion is that the system is available to meet business needs: business systems are always available and users can access the information and services they need without obstacles or downtime. The smooth operation of systems is essential for business continuity. Furthermore, an important part of the SysTrust framework is the accurate and complete processing of data. This criterion ensures that the data handled in enterprise systems is accurate, complete and valid, avoiding incorrect or incomplete processing; maintaining data quality is key to business decision-making and day-to-day operations. Finally, the protection of sensitive information from unauthorised access is also an essential requirement. All confidential information, including financial data, customer data and intellectual property, must be properly protected and accessible only to authorised persons. Together, these criteria ensure that enterprise IT systems assessed with SysTrust are secure, reliable and meet business needs. The framework provides comprehensive protection and monitoring of the IT infrastructure, enabling companies to use their IT resources efficiently to achieve their business goals. SysTrust thus plays a key role in ensuring that enterprise IT systems meet the challenges and expectations of today's complex business environment.
[Audio] The TCSEC is a system that assesses and classifies IT systems from a security perspective, determining the level of protection that information processing systems provide. This classification is extremely important, as it helps organisations to match the systems they use or develop with appropriate levels of protection. The TCSEC divides systems into four basic security classes, and these classes are further subdivided, taking into account the level of detail and effectiveness of the security mechanisms the system provides. The first class, Class D, provides minimal protection. It includes systems that do not meet stringent security requirements and provide only basic protection functions. Such systems are generally not appropriate in environments where critical or sensitive information is handled, as they do not guarantee an adequate level of security for data and processes. The second class is Class C, which provides discretionary (selective) and controlled protection. It comprises two subclasses, C1 and C2. Class C1 systems provide limited access protection, where access to data is controlled and monitored, but this is not yet a fully controlled process. Class C2 is a more stringent level, providing access that is not regulated by mandatory rules but is controlled: the system logs accesses and keeps track of who accessed which data and when, which increases the security of the system. The third class is Class B, which provides mandatory protection. It contains three subclasses: B1, B2 and B3. Class B1 systems are labelled and provide mandatory access protection: all data and users are tagged, and these tags determine the level of access to the data. This is a significant improvement in security, as the system controls exactly who can do what. Class B2 provides structured protection, which introduces even more detailed security rules, allowing each system element to have its own security mechanisms. Class B3 provides security domains, where different parts of the system are physically or logically separated to minimise access risks. This level applies to systems that face serious security threats and where data security is key. The highest level is Class A, which offers verified protection. These systems meet the highest security requirements, and all access and data management processes are fully controlled and documented. For Class A systems, the necessary security measures have been demonstrably implemented for each process, guaranteeing data protection in the most stringent environments. Such systems are often used where even the smallest security breach would pose an unacceptable risk, such as military or government systems where data protection is critical. In the TCSEC classification, each class is further refined by increasing numbering, indicating increasingly stringent requirements: within a given class, such as C or B, the higher-numbered subclasses impose more stringent requirements on systems. This allows organisations to select the solutions that best fit their security needs and to determine exactly what level of protection they require. The designations in use are the D, C1, C2, B1, B2, B3 and A levels. While Class D provides minimal protection and is not recommended for critical systems, Class A provides the highest level of verified security, taking into account all possible risk factors and implementing all necessary security measures. The intermediate classes, C and B, offer more flexible solutions that balance security requirements with practical implementation, taking into account the budgetary and operational needs of the organisation.
[Audio] The TCSEC classification system is presented here with its different levels of protection, which are used to determine the security level of IT systems. The classes denote different security requirements and access policies that progressively increase the security of IT systems. Class D represents the lowest level, with minimal protection. This class is not considered adequate for IT security, as it does not meet the most important security requirements; such systems provide only a basic level of protection and no satisfactory access management or data protection. The Class C levels provide discretionary (selective) and controlled access protection. Class C1 means restricted access, which controls who can access the data and how. Class C2 means access that is not regulated by mandatory rules but is controlled: access processes are monitored and audited, but there is no strict mandatory framework. Class B provides a higher level of mandatory protection. Class B1 provides labelled, mandatory access protection, meaning that all data and users are assigned a specific label and this determines who has access to the data. Class B2 is structured protection, which builds in additional security mechanisms to manage access. Class B3 provides security domains, which allows separate high-security areas to be created within the system. Class A represents the highest level of security, providing verified protection. This class applies to systems that meet the highest security standards and have demonstrable controls over all their access and data management processes; such systems also meet the highest standards of risk management. According to the TCSEC, Class D is inadequate from an IT security point of view, as it does not provide sufficient protection in controlling and monitoring access to data. Class A, on the other hand, requires specifications that can only be implemented at very high cost and with very large resources, so that in practice the Class B and Class C requirements are the most realistic starting point for securing systems.
[Audio] ITSEC is essentially based on the basic security functions defined by the TCSEC, but unlike the TCSEC, it always highlights the requirements specific to the type of system. This means that ITSEC does not provide a generic security framework, but takes into account the specific characteristics, operation and use of the system, ensuring that the security requirements are tailored to its specific needs. The ITSEC classification provides significant help in evaluating systems and their components by defining ten classes of functionality and eight levels of certification. The functionality classes refer to the functional capabilities of a system, while the certification levels define the level of security of the system. These categories allow organisations to define exactly what level of security they wish to achieve and what functional requirements a system must meet. Users or organisations are free to choose systems that meet the desired functionality classes. They may also mandate the deployment of a system that complies with the ITSEC specifications and that can be subjected to a certification process by the authorities authorised to issue certificates. This means that the ITSEC framework not only regulates the security level of systems, but also ensures that systems comply with international certification requirements and are certified to demonstrate the appropriate security level. ITSEC is therefore a very comprehensive and flexible framework that ensures that the security level of IT systems is adapted to the specific needs of the system, while at the same time giving users the possibility to select and build a system that meets their requirements. This is particularly important in a rapidly changing technological environment, where the security needs of different systems can vary widely. ITSEC ensures that each system achieves the highest possible level of security, taking into account its specific environmental and functional requirements.
[Audio] ITSEC's eight core functions cover a broad spectrum of security requirements for IT systems. These core functions ensure that systems meet key security requirements and provide protection against data loss, unauthorised access and misuse. The first core function is designed to provide unambiguous identification of subjects, such as users and processes, and of objects, such as files and other IT system components. This means that each user and system component must have a clear and unique identifier, so that it can be tracked who has access to data and what operations are performed on the system. The second basic function is to control access by subjects to objects. This function ensures that only authorised users have access to specific objects, such as files or databases, thus guaranteeing the reliability and integrity of the system. Access control is designed to minimise the risk of unauthorised access and to prevent misuse of data. The third basic function detects whether user rights are being abused or whether an attempt is being made to exercise rights the user does not hold. This function helps to detect possible attacks or misuse in which a user tries to access data or functions for which he or she is not authorised. Detecting and logging such attempts is key to maintaining system security. The fourth basic function is designed to prevent unauthorised information flow to reusable storage devices such as disks or tapes. This function is particularly important when using older technologies, where data stored on portable devices can be easily accessible if not properly protected. Preventing such information flows helps to maintain system reliability and protects data from unauthorised use.
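As an added example that is not part of the lecture, the following Python sketch ties together the tagged mandatory access control described for TCSEC Class B1 above and the first four ITSEC core functions just listed: unique subject and object identifiers, a mandatory access decision, an audit record of every refused attempt, and clearing of storage when an object is released for reuse. The label ordering, the subjects and objects, and the specific rule used for the mandatory decision (the Bell-LaPadula "no read up, no write down" rule) are assumptions of the example, not something the lecture specifies.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed linear ordering of sensitivity labels, low to high (assumption).
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


@dataclass
class Subject:
    uid: str        # unique identifier for a user or process (core function 1)
    clearance: str  # label assigned to the subject, as in TCSEC B1


@dataclass
class Obj:
    oid: str             # unique identifier for a file or other object
    classification: str  # label assigned to the object
    data: bytearray = field(default_factory=bytearray)


class ReferenceMonitor:
    """Mediates every access and keeps an audit trail of the decisions."""

    def __init__(self) -> None:
        self.subjects: Dict[str, Subject] = {}
        self.objects: Dict[str, Obj] = {}
        self.audit_log: List[str] = []
        self.free_pool: List[bytearray] = []  # storage released for reuse

    def register_subject(self, s: Subject) -> None:
        if s.uid in self.subjects or s.clearance not in LEVELS:
            raise ValueError(f"bad or duplicate subject {s.uid}")
        self.subjects[s.uid] = s

    def register_object(self, o: Obj) -> None:
        if o.oid in self.objects or o.classification not in LEVELS:
            raise ValueError(f"bad or duplicate object {o.oid}")
        self.objects[o.oid] = o

    def check(self, uid: str, oid: str, mode: str) -> bool:
        """Mandatory access decision (core function 2). Assumed rule:
        Bell-LaPadula, i.e. no read up and no write down. Every decision,
        and in particular every refused attempt, is logged (core function 3)."""
        s, o = self.subjects.get(uid), self.objects.get(oid)
        if s is None or o is None:
            self.audit_log.append(f"DENY {uid} {mode} {oid} (unknown subject or object)")
            return False
        s_lvl, o_lvl = LEVELS[s.clearance], LEVELS[o.classification]
        if mode == "read":
            allowed = s_lvl >= o_lvl
        elif mode == "write":
            allowed = s_lvl <= o_lvl
        else:
            allowed = False
        self.audit_log.append(f"{'ALLOW' if allowed else 'DENY'} {uid} {mode} {oid}")
        return allowed

    def release(self, oid: str) -> None:
        """Object reuse (core function 4): overwrite the storage before it is
        returned to the pool, so the next owner cannot read the old contents."""
        o = self.objects.pop(oid)
        for i in range(len(o.data)):
            o.data[i] = 0
        self.free_pool.append(o.data)

    def denied_attempts(self) -> List[str]:
        return [e for e in self.audit_log if e.startswith("DENY")]


def demo() -> dict:
    """Constructed scenario: two users, two objects, one object released."""
    rm = ReferenceMonitor()
    rm.register_subject(Subject("alice", "secret"))
    rm.register_subject(Subject("bob", "internal"))
    rm.register_object(Obj("payroll", "confidential", bytearray(b"salary data")))
    rm.register_object(Obj("newsletter", "public", bytearray(b"hello")))
    results = {
        "alice_reads_payroll": rm.check("alice", "payroll", "read"),          # allowed
        "bob_reads_payroll": rm.check("bob", "payroll", "read"),              # denied: read up
        "alice_writes_newsletter": rm.check("alice", "newsletter", "write"),  # denied: write down
        "bob_writes_payroll": rm.check("bob", "payroll", "write"),            # allowed: write up
        "mallory_reads_payroll": rm.check("mallory", "payroll", "read"),      # denied: unknown subject
    }
    rm.release("payroll")
    results["freed_block_zeroed"] = all(b == 0 for b in rm.free_pool[0])
    results["denied"] = len(rm.denied_attempts())
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The audit log is what an auditor would ask to see for core function 3: it records the refused attempts (including the one from an unregistered subject) alongside the permitted ones, and the release step shows that storage handed back to the pool no longer carries the previous object's contents.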
[Audio] The fifth basic function of ITSEC is to ensure the availability of the system or of specific functions of it, especially for systems where a failure or malfunction could not only cause material damage but also endanger human lives. Such critical systems, such as power plants, systems responsible for water supply, traffic control systems or air traffic management, are part of the basic infrastructure of modern societies. Any failure or malfunction of one of these systems can have serious consequences not only for services but also for society. For example, the failure of a power station could threaten the energy supply of an entire region, while a failure in air traffic control could have catastrophic consequences for the safety of aircraft. For such systems, the ITSEC requirements are particularly high, as it is not only a question of data security but also of the continuous and uninterrupted availability of these systems. System failures, loss of service, software failures and hardware problems all carry significant risks, and ITSEC's fundamental objective is to minimise the risk of these failures. Compliance with availability requirements is critical to ensure that systems are kept up and running and that users, including operators and other critical stakeholders, always have access to system functions. The sixth ITSEC core function relates to specific requirements for the security of data transmission. Data transmission is one of the most vulnerable points in modern systems, as data often travels over different networks and can be exposed to multiple threats. The data transmission process can be subject to a variety of attacks, such as data theft, network eavesdropping, data tampering and denial of service attacks. This ITSEC core function focuses on three main areas during data transmission: confidentiality, integrity and availability. Data confidentiality ensures that only users with the appropriate rights have access to the data. This prevents data from falling into unauthorised hands, which is particularly important for sensitive or personal information such as banking data or health information. Breaches of confidentiality can have serious consequences, such as data theft or loss of user trust. Data integrity ensures that data is not modified in transit and arrives at the destination exactly as it was sent. A breach of data integrity can result in data being altered or corrupted, with serious consequences for the operation of systems. For example, if data is compromised during a financial transaction, it can result in severe financial losses. ITSEC requires that the system is able to detect and prevent attempts to manipulate data. Availability is the third key element of data transmission, ensuring that data can always be accessed, regardless of whether there are technical problems or attacks. Availability is critical for systems where continuous access to data is essential, such as healthcare systems, banking systems or online services. Systems must be able to withstand denial of service attacks and restore services quickly and efficiently in the event of a failure. The core functions defined by ITSEC therefore not only protect data and systems, but also ensure their continuous and smooth operation. The availability of systems and the security of data transmission are central to the operation of modern IT infrastructures and are essential to maintain the trust of users, customers and partners, while meeting the most stringent security requirements.
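The integrity point above, that the system must be able to detect attempts to manipulate data in transit, can be made concrete with a small added example that is not part of the lecture: the sender attaches a sequence number and an HMAC-SHA256 tag to each message, and the receiver rejects any frame whose tag does not verify (tampering) or whose sequence number has already been seen (replay). The shared key, the message contents and the frame layout are constructed for the example; confidentiality is deliberately not shown, since that needs an authenticated cipher rather than this integrity check alone.

```python
import hashlib
import hmac
import struct
from typing import List, Optional

# Shared secret between sender and receiver; constructed for the example only.
KEY = b"constructed-demo-key-do-not-reuse"

SEQ_LEN = 8   # big-endian 64-bit sequence number
TAG_LEN = 32  # HMAC-SHA256 output


def protect(seq: int, payload: bytes, key: bytes = KEY) -> bytes:
    """Sender side: frame = seq || payload || HMAC(key, seq || payload).
    Including the sequence number under the tag binds it to the payload."""
    header = struct.pack(">Q", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class Receiver:
    """Receiver side: verifies the tag first, then enforces strictly
    increasing sequence numbers so a captured frame cannot be re-sent."""

    def __init__(self, key: bytes = KEY) -> None:
        self.key = key
        self.last_seq = -1
        self.rejected: List[str] = []

    def accept(self, frame: bytes) -> Optional[bytes]:
        if len(frame) < SEQ_LEN + TAG_LEN:
            self.rejected.append("short frame")
            return None
        header, payload, tag = frame[:SEQ_LEN], frame[SEQ_LEN:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        # Constant-time comparison avoids leaking how many tag bytes matched.
        if not hmac.compare_digest(tag, expected):
            self.rejected.append("bad tag")
            return None
        (seq,) = struct.unpack(">Q", header)
        if seq <= self.last_seq:
            self.rejected.append(f"replay seq={seq}")
            return None
        self.last_seq = seq
        return payload


def demo() -> dict:
    """Constructed exchange: one genuine frame, one frame altered in transit,
    one replayed frame, then the genuine version of the altered frame."""
    rx = Receiver()
    f1 = protect(1, b"transfer 100 EUR to account 42")
    f2 = protect(2, b"transfer 5 EUR to account 7")
    # Simulated in-transit tampering: change the amount in frame 2.
    tampered = bytearray(f2)
    tampered[f2.index(b"5 EUR")] = ord("9")
    return {
        "genuine": rx.accept(f1),
        "tampered": rx.accept(bytes(tampered)),
        "replayed": rx.accept(f1),
        "later_genuine": rx.accept(f2),
        "rejections": list(rx.rejected),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The tampered frame fails the tag check even though only one byte changed, and the replayed frame fails on its sequence number even though its tag is valid; both rejections end up in `rejected`, which is the kind of record an auditor would expect to find for this core function.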
[Audio] By the end of the 1980s, with the rapid development of information technology and the rapid spread of computer networks, experts in different countries realised that information security could not be confined to the national level. The emergence of personal computers and local area networks brought new challenges, especially for large companies and government organisations, which were increasingly dependent on the security of IT systems and networks. Previously, each country had developed its own security standards, but these were not harmonised internationally, which raised a number of problems, especially with the emergence of global markets and the cross-border flow of information. One of the key realisations was that IT security requirements could no longer be dealt with in isolation. National regulations no longer met the needs of a globalising economy and an increasingly interconnected world. IT security had become an international issue, as a weakness within a network could cause damage not only to a single country but also on a global scale. Against this backdrop, the need to develop an international standard that would provide a common framework for assessing the security of IT systems and defining security measures became increasingly urgent. The response to this challenge came from the US Department of Defense, which in 1983 published a document called TCSEC, later known as the Orange Book. This document was a landmark in the history of information security, as it was the first to formally define security requirements for computer systems. The TCSEC was primarily intended for US military and government contractors, to help define security levels for systems and to provide a standardised framework for assessing their reliability. The TCSEC formulated principles that later served as a model for regulations and standards in other countries. However, the TCSEC was developed mainly to meet the needs of US national security, which was not yet sufficient for international standardisation. At the same time, ISO had also started to develop its own standards for the security of IT systems. The aim of ISO was to harmonise the national security standards developed by each country and to create internationally recognised standards. However, the ISO standardisation process was slow, as there were significant differences between the security needs and requirements of different countries. In addition to the US TCSEC, many other countries had their own standards and procedures, which were difficult to reconcile. For example, European countries had long had their own security standards, but these were not consistent with US and other national standards. As part of ISO's standardisation work in the early 1990s, increasing emphasis was placed on harmonising national standards and developing a common framework that could be adopted and applied worldwide. The European Union played a major role in this process, taking a leading role in the field of information security. With the support of the European Union and the governments of the United States and Canada, work began on a draft Common Criteria document. The aim of the Common Criteria was to bring together standards from different countries to create a global standard that could be used to assess the security of IT systems everywhere. The Common Criteria document essentially tried to harmonise the differences in content and technical aspects of the previous recommendations, while taking into account the specific requirements of each field of application. The Common Criteria not only provided technical guidelines, but also a flexible framework that allowed specific requirements in different industries and applications to be taken into consideration. This flexibility has made the Common Criteria a success at the international level by allowing different users to adapt the standard to their own needs and security challenges. With the Common Criteria, the security assessment of IT systems has been standardised, allowing international cooperation, trade and integration of different systems without the barriers of differing standards. With the globalisation of IT, this international standard has become vital to ensure that systems used anywhere in the world meet globally recognised security requirements. This standard has therefore played a crucial role in developing and maintaining the security of information systems and in ensuring that security cooperation between different countries is smooth and effective.
[Audio] One of the most important elements of the Common Criteria is that it allows products and systems to be assessed in a way that allows the security requirements to be applied repeatedly, ensuring that the results can be reproduced and used in other environments. Common Criteria maintains a register of certified products, which includes operating systems, access control systems, databases and key management systems. This register ensures that users and organisations can choose security solutions that have been proven to meet internationally recognised security requirements, based on information from a trusted source. Maintaining a list of certified products helps to ensure compliance with global security standards and helps to ensure compatibility between products, especially where systems operate in different countries. The Common Criteria use two main categories of assessment to define security requirements: Protection Profiles and Protection Targets. Protection Profiles are documents that define, in an implementation-independent way, the security requirements for a specific product type or category. These profiles define the functional and assurance requirements that meet the security needs of users. Protection Profiles provide general guidelines that allow a wide range of security products to be assessed and certified without being tied to a specific implementation. This means that products from different manufacturers can be assessed against the same Protection Profile, ensuring comparability and compatibility between products. Protection Targets, on the other hand, refer to a specific product or system. These documents detail the specific security objectives and requirements for a particular product and the security class that the product must meet. The Protection Target contains the information necessary to assess the product, including the functional requirements and the intended security functions of the system. These documents play a key role in ensuring that products can be accurately and reliably assessed against the Common Criteria standards, ensuring that they meet the expectations of users and the market.
[Audio] The Information Technology Infrastructure Library is a well-structured and widely used documentation system that incorporates best practices and procedures from the IT industry. This comprehensive framework not only aims at the efficient management of IT services, but also contributes to the management of IT systems by different organisations on the basis of uniform and standardised procedures. Applying ITIL helps organisations to improve the quality of their IT services and to align them better with business objectives. ITIL is fundamentally based on the premise that keeping IT services running efficiently is essential to business success. The smooth running of IT systems is not only an integral part of day-to-day operations, but is also essential to achieving business objectives. The ITIL framework provides best practices for managing IT infrastructure to help organisations continuously meet business requirements while minimising the risk of IT system failure or malfunction. Hundreds of organisations around the world now use ITIL, which provides a complete philosophy for managing and operating IT systems. The ITIL philosophy is not only a theoretical framework, but also provides a set of practical guidelines for managing different IT services. ITIL-related literature and guides describe in detail the steps required to achieve adequate support for IT systems and how to maintain high standards of IT service on an ongoing basis. The ITIL principles help organisations to ensure that IT services are stable and efficient, contributing to the long-term success of the business. ITIL was developed in recognition of the growing dependence of companies and organisations on their IT activities. As IT has become increasingly embedded in the day-to-day operations of companies, it has become clear that effective management of IT infrastructure is essential to achieving business objectives. Almost all activities in modern organisations are linked in some way to IT systems, be it production, financial processes or even customer service. Accordingly, the continuous operation of IT services has become a key factor for business success. With ITIL, organisations can standardise the management of their IT systems to ensure their long-term viability and sustainability. ITIL is also the most widely used standard in IT service management. Many other standards and codes are based on the ITIL guidelines, as it provides a widely accepted and applied set of methodologies that meet the requirements of the global business environment. ITIL is a standard used worldwide in various industries, including finance, manufacturing, public services and healthcare. It is a widely accepted standard that helps companies to ensure that their IT systems not only work, but also support business operations effectively. By using the ITIL framework, organisations gain a more comprehensive view of how their IT systems work and a better understanding of how IT services can be used to support business goals. ITIL enables organisations not only to react to problems in IT systems, but also to manage and improve them proactively, ensuring the long-term reliability and effectiveness of systems. ITIL is therefore more than a simple standard: it is a comprehensive philosophy and practical guide that contributes to the long-term success and competitiveness of organisations in the global marketplace.
[Audio] According to the ITIL recommendations, infrastructure management consists of a number of different activities, each of which contributes to ensuring that IT services are reliable, efficient and well organised. These activities cover the critical areas of the overall operation and maintenance of IT services, to ensure that business needs are continuously served. The first key area is configuration management, which is the complete recording and tracking of IT assets and systems. The aim of configuration management is to keep up-to-date details of all IT elements, such as hardware, software and network devices, and to track changes to them. The next important element is customer service, where the support desk or helpdesk is the primary point of contact between customers and the organisation. This area is responsible for resolving problems with IT systems quickly and efficiently and for dealing with customer queries and requests. Problem management is one of the most critical elements of ITIL, ensuring that failures in IT systems can be quickly identified and corrected. It aims to minimise the impact of system downtime and failures on business operations and to prevent their recurrence. Change management is also an important part of IT management, focusing on the effective management of changes to systems and processes. Change management aims to ensure that all changes are planned in advance, well documented and carried out with minimal risk to operations. Software maintenance and support involves the installation, updating and maintenance of IT software. The aim of these activities is to ensure that all software in the organisation is up to date and meets security and performance requirements. Capacity management is responsible for monitoring the performance and load of IT systems. Capacity management aims to ensure that IT systems always have sufficient resources to meet business needs without being overloaded or undersized. Availability management focuses on ensuring the continuous availability of IT services. This activity aims to ensure that IT services are available to the business with as little disruption as possible. Disaster recovery planning aims to ensure that the organisation is prepared for unexpected events such as natural disasters, hardware failures or other major problems. Proper planning ensures that in such situations the company can quickly restore its IT systems, minimising losses. Cost management addresses the financial aspects of IT services, ensuring that IT systems and services are cost-effective and meet the financial objectives of the organisation. Service level management is responsible for ensuring that the performance of IT services meets predefined service level objectives. This ensures that IT services perform to the agreed level and support the business appropriately. Contracting out services, also known as outsourcing, is an increasingly common activity whereby organisations use external service providers to perform certain IT tasks. This allows organisations to concentrate their own resources on core activities while routine or specialised IT tasks are performed by external partners. Finally, ITIL has a strong focus on managing the interrelationship of standards, ensuring that the different IT activities work in harmony with each other and comply with international standards and expectations. The ITIL modules are all designed to facilitate the high-quality management of IT services and IT infrastructure, and to ensure that organisations can operate their IT systems smoothly, reliably and efficiently.
[Audio] In the following we will discuss the ISO standards in more detail.
[Audio] The slide refers to Act XXVIII of 1995, which regulates national standardisation and emphasises that the use of standards is essentially voluntary for market players. This means that companies are not in principle obliged to comply with particular standards unless a specific law requires them to do so. In practice, as long as there is no law specifically requiring the application of a standard, companies are free to decide whether to comply with the relevant standards. However, in many cases it is legislation that makes compliance with these standards mandatory for certain industries or activities. This can be seen particularly in regulated industries such as food, pharmaceuticals or industries dealing with various safety systems, where compliance with standards is essential to maintain safety and quality. Even so, in the modern market environment it is often worthwhile to apply standards voluntarily, even where this is not legally required. The second point explains that in most industries today it is almost impossible to compete in a sustainable way without modern quality management systems. This is particularly true in sectors where competition is fierce and quality and reliability are key to retaining consumers. The purpose of quality management systems is to provide a transparent, well-organised, standards-compliant framework that enables a company to maintain a high level of quality in its products or services. These systems are typically based on industry-specific standards and specifications. Each industry has specific standards tailored to the needs and requirements of that particular area. Think of the automotive industry, where manufacturers have to comply with strict international standards for safety, environmental protection and manufacturing processes. Or take the food industry, where ISO 22000 or HACCP systems ensure that food safety standards are met and safe products are offered to consumers. If a company fails to comply with these standards, it can quickly find itself at a competitive disadvantage in the market, as without quality management systems there is no guarantee that it can continue to operate its processes to a high standard. Particular emphasis will be placed on the IT sector, one of the fastest growing industries, where compliance with standards is especially important. In the IT world, standards apply not only to hardware and software, but also to security procedures. Think of cybersecurity, where compliance with international standards is essential for a company to protect its data, customers and processes from external threats. Standards such as ISO 27001 not only make companies more secure, but can also give them a competitive edge in the international market by providing a security guarantee for partners and customers.
[Audio] ISO is an international organisation established to promote the harmonisation and standardisation of industrial standards at a global level. This is a very important mission, as different standards existed in different parts of the world, which hindered international trade and cooperation. The aim of ISO is therefore to eliminate these differences and create a common set of standards that can be easily applied by all countries and companies, wherever they operate. Since the 1960s, ISO has increasingly been asked to develop standards in new technological and industrial areas. This change meant that the original objective of ISO, the harmonisation of national standards, was broadened to focus more and more on new technologies and industries. However, the development of new standards has continued to aim at ensuring that industries in different parts of the world operate according to similar principles, thereby reducing the problems arising from regional differences. It is important to note that the application of ISO standards is essentially voluntary, meaning that companies and organisations have discretion as to whether or not to comply with them. However, there are priority areas, such as health, environment and consumer protection, where European legislation already requires the standards to be applied. In these cases, the legislation clearly stipulates that compliance is only possible if the standards are strictly adhered to. In areas of this kind, standards therefore cannot remain voluntary: they are made compulsory by law, as they ensure the safety and health of people and the protection of the environment. EU regulations often require industries to operate to the latest standards, and failure to do so can have serious legal consequences.
[Audio] Documentation is an essential element of auditing, as every step and process that an organisation performs becomes traceable and verifiable through proper documentation. The standards listed here all support this goal, each in a different discipline. ISO 9000:2000 is one of the best known standards in quality management. This standard is used worldwide to ensure that products and services are of the right quality and that companies' processes are traceable and documented. This is key for auditing, as a well-documented quality management system ensures that processes are transparent and can be easily checked during an audit. The ISO 12207:2000 standard regulates the software life cycle, in particular how each step of the software development process should be documented and tracked. In IT audits, this standard helps to assess the development and maintenance of software by specifying all the important steps in the software life cycle and how they are documented. Standard 6592 covers program documentation, specifying the proper documentation procedures for programs and software. Program documentation is important because it is the basis for understanding and tracing the operation of software, especially during an audit. A well-documented system allows auditors to understand the operation of the software and assess its compliance with standards. Standard 9126 defines quality criteria for information systems. This standard helps to determine the extent to which an IT system meets quality requirements and how these quality criteria can be properly documented and verified. When auditing IT systems, it is particularly important that quality criteria are taken into account and properly documented. A77381 1994 covers the specification of information systems products and the application of the SSADM methodology. Standards of this type help in the design and development of systems, while allowing these systems to be audited and verified. The 19501 standard regulates the application of UML. UML is widely used in software development to represent the structure and processes of systems visually. In the audit process, this standard provides a means to make the structure and operation of systems more transparent, making it easier to evaluate and document them. The PRINCE project management methodology standard applies to the documentation used in project management. This methodology helps to ensure that project processes and documents are structured and verifiable, so that each project step can be traced during the audit. Finally, the 15504 standard is used to assess and measure IT processes using indicators. It is one of the most important tools for ensuring that an organisation's IT processes are properly documented and assessed, and thus easily verifiable during an audit.
[Audio] The first standards of the ISO 9000 system were published by the International Organization for Standardization in 1987. The ISO 9000 family of standards summarises common management, organisation and governance practices that provide an internationally accepted framework for companies. It aims to give companies a basis for continuously and consistently meeting the quality requirements of their customers, whether for products or services. The practices set out in the standard are designed to ensure that organisations around the world can operate under a single quality management system, regardless of their size or whether they are in the private or public sector. This is equally important for large companies, small and medium-sized enterprises and public institutions. The standard provides a framework within which organisations must meet quality expectations, to ensure that their products and services are of consistently high quality. Using the ISO 9000 standard helps companies to improve their processes and systems continuously. This continuous improvement is key to staying competitive, as customers demand ever higher quality standards. The standard encourages companies to focus on customer satisfaction and to provide products or services that meet internationally recognised quality standards. In addition, the standard contains requirements that apply to all organisations, regardless of the industry in which they operate. Applying the standard ensures that organisations meet customer needs as well as legal and regulatory requirements, which is particularly important for maintaining a presence in global markets.
[Audio] The ISO 9000 series of standards is intended to provide an internationally consistent framework for quality management systems, regardless of the industry or organisation in which they are used. The ISO standards help organisations to manage their processes efficiently and transparently, to improve the quality of their products and services and to ensure that they meet international standards. ISO 9000-1 provides principles and guidelines for quality and quality assurance standards, with particular emphasis on selection and application. This standard provides guidelines for organisations to select the quality system that is right for them and to apply it to their processes. ISO 9001 is one of the best known standards for quality systems, covering the quality assurance model for design, development, manufacturing, installation and after-sales service. This standard specifies how organisations should ensure a high level of quality in their products and services throughout the entire process, from design to after-sales service. ISO 9002 also deals with quality systems, but focuses specifically on the quality assurance model for manufacturing, installation and after-sales service. This standard provides guidance for organisations that are not involved in product development but want to ensure high quality in their manufacturing and service processes. ISO 9003 is the quality assurance model for final inspection and testing. This standard focuses in particular on quality control processes and specifies how final inspection and testing of products should be carried out to ensure that they meet the specified quality requirements. ISO 9004-1 specifies guidelines for quality management and quality system elements, especially in the field of services. This standard helps organisations in the service sector to establish effective quality management systems that ensure the high quality of their services. ISO 9004-2 deals with quality management and quality system elements, in particular for processed materials. This standard sets out the guidelines that companies in the manufacturing industry must follow to ensure that the quality of their products meets expectations. Finally, ISO 9004-3 deals with the development of quality management and quality system elements. This standard focuses on how to improve the efficiency and effectiveness of quality management systems continuously and how to ensure that organisations continue to meet changing market and regulatory requirements.
[Audio] When the ISO 9000:2000 standard was introduced, eight principles were defined which form the basis of the quality management system. The first principle is customer focus, which clearly states that customer satisfaction is the key driver for companies. Organisations must do their utmost to ensure that customer expectations are met on an ongoing basis, thus ensuring their long-term success. The second principle emphasises the importance of good governance. Management is responsible for setting the company's objectives and creating the right working environment. Managers are responsible for providing an environment that supports employee engagement and effective performance, thereby contributing to the development of the organisation. Employee involvement is also key according to ISO 9001:2000. The motivation and active involvement of employees is essential for the continuous development of the company. Employees should have a vested interest in the success of the organisation and be involved in achieving quality goals. The next principle emphasises the importance of the process approach. This means that organisations should treat production and business processes as interlinked parts. The output of one process is often the input to another, so to ensure the efficiency of the whole system, each step must be treated in its context. Finally, the systems approach to management is also a key principle, according to which organisations should see and manage individual processes as part of a coherent system. A systems approach helps to make processes transparent, efficient and easier to manage, as all processes interact with each other. This comprehensive approach ensures that companies can maintain consistently high quality while continuously improving their systems and increasing customer satisfaction.
[Audio] The ISO 9001:2000 standard is characterised by evidence-based decision making, which means that decisions must be made objectively, carefully examining all relevant aspects and data. A data-driven approach ensures that companies deal with problems in an informed and effective manner, minimising the potential for error and helping to maintain quality at all times. Continuous improvement is also of paramount importance according to ISO 9001:2000. It is in the interest of companies to use existing resources to improve quality time and time again. With this approach, companies not only maintain their market position but also evolve, keeping pace with changing customer needs and market conditions. The ISO 9004:2000 standard encourages a mutually beneficial relationship with suppliers. According to the standard, it is essential for companies to develop beneficial and long-term partnerships with their suppliers, as a stable and reliable supply chain is key to ensuring quality products and services. The ISO 9000:2000 standard can be characterised by its specifications for production and service processes. It covers the entire production or service system and, although it is not mandatory, companies that commit themselves to the requirements of the standard voluntarily undertake to comply with it. The standard sets out the requirements in general terms, leaving the user to work out the details, and is therefore flexible enough for different industries. The standard pays particular attention to the relationship between the buyer and the supplier and regulates this relationship from the buyer's perspective. This ensures that buyers' needs are accurately identified and met, minimising the potential for misunderstandings and errors in the supply chain. Quality management systems based on ISO 9000 can be certified by a third party, such as a certification body. The existence of certification can result in significant cost savings for the customer, as it can eliminate the need for a customer audit of the quality management system. The certificate is valid for three years and can be renewed. It is important to note that the standard focuses on system specifications rather than defining specific product standards, thus ensuring continuous quality maintenance and improvement within the company.
[Audio] For every producer and service provider, the key objective is to gain the trust of consumers. Without customer trust, the long-term survival of organisations may be at risk, as customer satisfaction is one of the most important factors in the success of a company. ISO standards therefore have a dual function: on the one hand, they protect the consumer, who understands quality not only in terms of the colour, taste or shape of products, but also in terms of the reliability of products and services. Standards ensure that consumers get exactly what they expect and that products and services are produced to a consistently high standard. On the other hand, ISO standards also protect producers by providing a regulated, documented system that makes the entire production or service process more transparent and verifiable. This documented system allows organisations to work according to a well-established framework that minimises the possibility of errors and omissions. Implementing the requirements of the ISO 9000 series of standards can bring many benefits to organisations. One of the most important of these is competitive advantage in the market. Companies that comply with the ISO standards will be in a better position in the market, as customers will have more confidence in them. In addition, more precise production and service is a major advantage, as precisely controlled and consistently applied processes increase efficiency and quality. By using standards, companies can obtain better, more accurate management information, which enables more effective decision-making and management. With more transparent processes, managers can react more quickly to emerging issues and plan future actions more effectively. More effective management and work not only improves the efficiency of internal operations, but also makes the organisation better organised. The use of ISO standards makes business processes more structured, which ultimately helps organisations to be more successful in the market. In addition, the use of ISO standards can also reduce operating costs. More efficient processes result in fewer errors and less unnecessary expenditure, which means cost savings for companies in the long run.
[Audio] The description of the characteristics of information systems can be based on any internationally accepted methodology, but it is particularly advantageous to document and deliver it in electronic form. Electronic documentation allows for faster access, easier storage and easier updating, which is particularly important in today's dynamically changing IT environment. The documentation of application systems should take into account the requirements of ISO 9000. These specifications state that the documentation should include more specific rules, templates and elements of a "documentation standard". For example, UML is a widely used methodology, used in customised versions by many vendors, and has become a de facto industry standard. UML is a visual modelling language that helps to represent the structure and operation of information systems, thus facilitating documentation and clarity. Another example is SSADM, which has become known as a British standard and contains much more detailed specifications for the analysis and design of information systems. In particular, SSADM emphasises an object-oriented approach and places great emphasis on a structured, analytical approach to systems. Both UML and SSADM are object-oriented standards that allow for transparent and well-structured documentation of system elements. This approach helps to make the development and maintenance of information systems easier and more efficient, as the object-oriented model makes the different elements of the systems more transparent and reusable.
[Audio] The SSADM diagram depicts a well-structured process for efficient modelling and optimisation of business processes. SSADM, or Structured Systems Development Methodology, is designed to describe the process of developing and designing IT systems in a logical, systematic way. The diagram shows the links between data and processes, and the flow of data between different departments and systems. At the heart of the diagram is the furniture ordering process that drives the whole system. The process starts with the customer ordering the furniture, and the data from this order flows to several different departments. The information is sent to the logistics department and the furniture store, which are responsible for the service and fulfilment of the order. Another important part of the diagram is inventory management, which is closely linked to the ordering process. Inventory data flows as the order is processed, ensuring that sufficient stock is available to fulfil the order. If a stock shortage occurs, the information is passed on to the supplier, who provides new stock. Reporting is another key part of the system that helps the company to monitor the status of processes, performance and potential problems. These reports are generated for the sales manager, who uses them to make business decisions to optimise ordering and inventory management. The diagram illustrates the interconnections within the system, the continuous flow of data and how all departments work in harmony to ensure a smooth ordering process. Through this diagram, the SSADM methodology makes it clear that data links between systems and collaboration between different departments are key to successful business operations and effective IT systems design.
[Audio] This figure shows a UML diagram, which is a tool used in object-oriented design. The purpose of UML diagrams is to provide a visual representation of the different elements of a system and their relationships, helping to understand how the system is built and how it works. The figure shows a class diagram with different classes, their properties and the relationships between the classes. The classes are represented by rectangles divided into two parts: the upper part contains the class name and attributes, while the lower part contains the behaviour or methods. At the heart of the diagram is the Person class, which contains the basic properties of individuals, such as ID, name and gender. Several other classes are derived from this class, such as Employee or Customer. These classes inherit the properties of the Person class, but also have their own specific attributes and methods. Within the Employee branch of the hierarchy, there are different types of employees, such as Hourly Employee, Salaried Employee and Commission Employee. These classes reflect the fact that employees may work under different pay systems and each have different characteristics, but all derive from the Employee class. The Customer branch is also an important part of the diagram, as it manages customer data and financial transactions. Linked to the Customer class are the Account and Invoice classes, which manage financial transactions and the issuing of invoices. The Account class keeps track of the customer's financial balance, while the Invoice class keeps track of the invoicing of purchases. In summary, this UML class diagram represents a complex system in which the data of different actors, customers and employees, and their relationships are represented. The diagram is intended to help to understand the logical structure of the system and the development process, facilitating the design and maintenance of the system's operation.
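The class hierarchy described above, written out as code so the inheritance and the Customer/Account/Invoice links can be exercised; this is an added illustration, not code from the lecture. The class names follow the diagram description, while the attributes beyond ID, name and gender (rates, hours, salaries, balances) and all method names are assumptions made here.

```python
"""Object model for the UML class diagram described in the lecture.

Added example, not the lecture's own code. Class names (Person, Employee,
Customer, HourlyEmployee, SalariedEmployee, CommissionEmployee, Account,
Invoice) come from the diagram description; the pay-related attributes,
the balance handling and all method names are assumptions made here.
"""
from dataclasses import dataclass, field


@dataclass
class Person:
    """Base class holding the attributes the diagram places in Person."""
    person_id: int
    name: str
    gender: str


@dataclass
class Employee(Person):
    """Derived from Person; the pay rule is left to the concrete subclasses."""
    def weekly_pay(self) -> float:
        raise NotImplementedError("each pay system defines its own rule")


@dataclass
class HourlyEmployee(Employee):
    hourly_rate: float = 0.0   # assumed attribute
    hours_worked: float = 0.0  # assumed attribute

    def weekly_pay(self) -> float:
        # Assumption: hours beyond 40 are paid at one and a half times the rate.
        regular = min(self.hours_worked, 40.0)
        overtime = max(self.hours_worked - 40.0, 0.0)
        return regular * self.hourly_rate + overtime * self.hourly_rate * 1.5


@dataclass
class SalariedEmployee(Employee):
    annual_salary: float = 0.0  # assumed attribute

    def weekly_pay(self) -> float:
        return self.annual_salary / 52.0


@dataclass
class CommissionEmployee(Employee):
    base_salary: float = 0.0      # assumed attribute
    commission_rate: float = 0.0  # assumed attribute
    sales: float = 0.0            # assumed attribute

    def weekly_pay(self) -> float:
        return self.base_salary + self.commission_rate * self.sales


@dataclass
class Invoice:
    """Records one purchase that has been invoiced to a customer."""
    invoice_id: int
    amount: float
    paid: bool = False


@dataclass
class Account:
    """Tracks the customer's outstanding financial balance."""
    balance: float = 0.0

    def post_charge(self, amount: float) -> None:
        self.balance += amount

    def apply_payment(self, amount: float) -> None:
        self.balance -= amount


@dataclass
class Customer(Person):
    """Derived from Person; owns one Account and a list of Invoices."""
    account: Account = field(default_factory=Account)
    invoices: list = field(default_factory=list)

    def issue_invoice(self, amount: float) -> Invoice:
        """Create an invoice for a purchase and charge it to the account."""
        invoice = Invoice(invoice_id=len(self.invoices) + 1, amount=amount)
        self.invoices.append(invoice)
        self.account.post_charge(amount)
        return invoice

    def settle(self, invoice: Invoice) -> None:
        """Pay an invoice in full and reduce the account balance accordingly."""
        if not invoice.paid:
            self.account.apply_payment(invoice.amount)
            invoice.paid = True


def total_payroll(employees: list) -> float:
    """Polymorphic call: each Employee subclass applies its own pay rule."""
    return sum(e.weekly_pay() for e in employees)


if __name__ == "__main__":
    # Constructed sample data to exercise the model.
    staff = [HourlyEmployee(1, "Ann", "F", hourly_rate=10.0, hours_worked=45.0),
             SalariedEmployee(2, "Bob", "M", annual_salary=52000.0),
             CommissionEmployee(3, "Cy", "M", base_salary=500.0,
                                commission_rate=0.25, sales=800.0)]
    print("weekly payroll:", total_payroll(staff))
    cust = Customer(4, "Dee", "F")
    inv = cust.issue_invoice(100.0)
    cust.settle(inv)
    print("customer balance:", cust.account.balance)
```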
[Audio] The ISO 12207 standard is intended to provide assurance that software quality is maintained throughout the software lifecycle. This includes checking that software products and software processes comply with the specified requirements and follow the established plans. Due to the complexity of software, it is essential that quality requirements are properly documented and monitored at all stages of development to ensure that the end result meets expectations. Quality assurance must be independent of the development process to ensure objective and unbiased control. This means that the quality assurance organisation must be independent of the persons responsible for software development and the implementation of the processes, so that the quality assurance processes can be guaranteed to be credible and reliable. The quality assurance activities defined by the standard include process design, where software development processes are designed to ensure that quality requirements are met. In addition, product assurance involves checking the conformity of software products against requirements. Process assurance ensures that all development and testing steps follow the required procedures, thus minimising the occurrence of defects. Finally, the provision of a quality management system is also a fundamental requirement, ensuring that the quality management system of the organisation as a whole is functioning properly and that the quality of software products is continuously monitored and improved.
[Audio] The ISO 9126 standard is specifically designed to assess and characterise the quality of software products and information systems. This standard helps to objectively measure the quality of software and systems to ensure that they meet user expectations and industry requirements. Quality characterisation and assessment is a key element in the development of software, as reliable, well-functioning software is essential to the efficiency of businesses. For many software and IT features, well-defined measurement procedures have already been developed to allow accurate and reliable evaluation. These procedures ensure that the performance, functionality, usability, reliability and other critical properties of software and systems can be properly measured and analysed. For a more detailed explanation of the quality characteristics defined by ISO 9126, see ISO 25000. This standard further details the specific indicators and measurement methods that can be used to assess software quality, and how these methods can help developers and users to continuously improve and maintain software quality.
[Audio] According to the ISO 9126 standard, the measurement of quality characteristics of IT systems is based on several criteria. One of the most important aspects is efficiency, which measures the performance of a system or a component of a system using the available resources. Efficiency is related to, among other things, the temporal behaviour of the system, such as response time, data processing time and throughput of system tasks. In addition, the way in which the system uses resources, including the time of use and the amount of resources, is also important. Functionality is also a key characteristic that measures how well the system's functions meet the operational needs of the organisation. It includes explicitly defined functions that must meet the organisation's objectives and be designed to be clearly useful to users. Security looks at the system's ability to prevent unauthorised access, whether intentional or accidental. The software must be able to protect the integrity of user and system data and ensure their secure management. One of the most important elements of reliability is the ability of the system to continuously deliver the specified performance under the specified conditions over a specified time interval. Other characteristics of reliability include fault tolerance, in other words the ability to withstand unexpected failures, and recoverability, which ensures that the system can return to its previous operational state in the event of a failure. In addition, the availability of the system and its readiness to reduce service must also be measured to ensure the continued and reliable availability of services. Finally, maturity means that the system maintains its stability over time, minimising the chance of failures and interruptions.
[Audio] According to ISO 9126, maintainability is one of the basic quality attributes that assesses the level of effort required to modify all or part of a system. This includes bug fixes, specification improvements and adaptive improvements. Other important characteristics for maintainability are: ease of analysis, changeability or modifiability, stability, testability, and manageability, which refers to the ability to monitor and reuse the system while it is running. Portability is the ability of a system to be easily transferred to other environments, whether technological or organisational. Other characteristics of portability include adaptability, ease of deployment, and interchangeability or substitutability, which allows parts of the system to be easily replaced by other similar elements. Usability is also a key feature, looking at how easy and intuitive the system is for users to use. Other aspects of usability include understandability, learnability, operability, and the transparency and openness of the system. Other important factors are customisation, visual appeal, clarity of operation and the level of help and support services provided to users. User-friendly design ensures that the system is easy to learn and can be used effectively in everyday tasks.
[Audio] The ISO 15504 standard, which is commonly used to define and assess the maturity level of software development processes, provides a comprehensive framework for quality control and improvement of software development processes. The standard is designed to help organisations objectively assess their own processes, determine how effective they are, and use the results to develop recommendations for further improvement. The ISO 15504 standard is particularly important in the software development industry, where standardisation and optimisation of processes is essential to increase productivity, reduce errors and deliver projects successfully and efficiently. In software development projects, it is often the case that projects exceed planned budgets, timeframes or even quality expectations due to inadequate control or monitoring of development processes. The use of the ISO 15504 standard helps to minimise these risks by providing an opportunity for regular review and evaluation of processes. The standard consists of five parts, each of which approaches the evaluation of software development processes from a different perspective. The first part contains definitions and introductory guidelines. This part defines the concepts used in the evaluation and how they are applied in practice. It provides the necessary basis for all actors in the evaluation process to share a common understanding, which facilitates effective communication and consistent interpretation. The second part discusses how the evaluation is to be carried out. It provides a detailed description of the steps needed to properly implement the evaluation. Evaluation is a structured process that must be carried out according to strict standards and methodologies to ensure that the results are reliable and objective. It is important that all those involved in the evaluation follow the prescribed steps precisely and do not overlook any important factor during the evaluation. This part gives guidance to evaluators on how to collect data, how to analyse it and how to produce reliable reports on the processes. The third part provides further guidance on how to carry out the evaluation, with concrete examples and tools to help evaluators do their job effectively and accurately. This detailed methodology ensures that the evaluation is not only theoretical but also practically applicable. The guidelines presented here help evaluators to identify more accurately problems and opportunities for improvement in software development processes. The fourth part deals with how the standard can be applied to process development and improvement. Software development is a constantly changing and evolving field where technology and methodologies develop rapidly. It is therefore of paramount importance that organisations continuously improve their own processes in order to keep pace with industry requirements and technological innovations. Part four provides practical guidance to help organisations assess their own processes and then make targeted improvements based on the results. The aim is not just to eliminate failures, but to increase efficiency and productivity and remain competitive. Finally, the fifth part presents an example process evaluation model. This part is particularly important as it provides practical examples of how the standard works in practice. The example model helps organisations to better understand how to apply the standard in their own processes. The examples help to identify potential problems and improvement opportunities that organisations can use to increase efficiency, reduce the potential for error and ensure continuous process improvement.
[Audio] Process models provide a framework that organisations can use to standardise, optimise and bring transparency to their various activities. These models describe in detail how a process should be implemented: inputs, outputs, activities, steps, roles and responsibilities. The process models are designed to ensure compliance with standards and provide clear guidance for the implementation of organisational processes. One of their main features is standardisation, which ensures that everyone follows the same procedures, regardless of who carries out the process. This not only leads to a standardisation of workflows, but also increases efficiency by reducing the possibility of errors and improving the quality of processes. In addition, process models provide transparency, as it is clear to all participants what is happening in the process and what their individual role is. Consistency means that processes can be executed in the same way over and over again, regardless of the actual implementer. Process models also provide opportunities for continuous improvement. Organisations can regularly review and improve their processes to achieve more effective results. The ISO 12207 and ISO 15288 standards describe lifecycle processes for software development and systems management that enable consistent management of processes throughout the lifecycle. Human-centred development processes are described in ISO 9241-210, which focuses on the needs of users during product development. The OOSPICE model supports component-based development, while SPICE can be applied to various industries such as automotive. Medical instrumentation processes also have their own process support model to ensure compliance with medical standards. These process models need not be based on ISO standardisation procedures; the only basic condition is that they are consistent with the standards at some level. In order to create and maintain efficient and reliable processes, the use of process models is essential for any organisation seeking to continuously improve quality and efficiency.
[Audio] The SSE-CMM model focuses fundamentally on the design processes of secure systems, with the aim of enabling an organisation to achieve engineering precision and design systems that meet security requirements. The adoption and application of such a model is particularly important for modern organisations, as the digital world places increasing emphasis on security and safety, especially in the design and operation of IT systems. With the SSE-CMM model, an organisation can optimise its design processes to meet the highest security requirements, thereby minimising the risk of security vulnerabilities. There are many different factors to consider in the design process of such systems. On the one hand, ensuring that hardware and software assets are properly protected is key, as these systems form the foundation of an organisation's information infrastructure. The proper design and protection of hardware and software components ensures that they are not vulnerable to external attacks or internal failures, which is one of the most important cornerstones of the long-term reliability of systems. In addition, data protection is also of paramount importance, as one of the main goals of secure systems is to maintain the confidentiality, integrity and availability of data. Design processes must also take into account data security requirements to ensure that they meet the standards and specifications set by the organisation. To ensure data security, systems must be able to prevent unauthorised access, loss or manipulation of data. One of the great advantages of the SSE-CMM model is that it offers a comprehensive and system-oriented approach to secure system design. This model focuses not only on technology solutions, but also on organisational and human factors, ensuring that the design of systems truly meets the needs of the organisation. The model enables organisations to design IT systems around structured, well thought-out processes that allow for continuous improvement and flexibility in the face of changing environmental conditions. For organisations, establishing and maintaining security processes is not only a technological issue, but also a strategic one. Well-designed security processes ensure that the organisation is able to comply with industry standards and regulations, as well as international standards. This is particularly important in a globalised world where organisations are increasingly operating on an international scale and need to comply with security requirements in different countries and regions. When applying the SSE-CMM model, organisations should regularly review their security processes to ensure that they are always in line with current threats and risks. Such regular checks and reviews ensure that the organisation's systems are always up to date and able to respond to emerging challenges. In addition to regular reviews, process improvement and fine-tuning is also essential, as the technological environment is constantly changing and new threats emerge to which organisations need to be able to respond. Overall, the SSE-CMM model is an effective tool for organisations to design and operate high-level security systems. This model helps organisations to develop secure and reliable systems that are prepared not only for current challenges but also for future ones, ensuring the long-term success and sustainability of the organisation. By applying the SSE-CMM model, organisations are able to guarantee a high level of security for their IT systems while continuously improving and enhancing them to keep pace with technological advances and changing threats.
[Audio] The SSE-CMM is a comprehensive methodology that governs all steps in the design and development of secure information systems. This model has been developed to help organisations build secure systems following a transparent and systematic process. The model emphasises that security considerations should be taken into account from the earliest stages of the development lifecycle and should be carried through the entire process, including system operation and maintenance. The SSE-CMM aims not only to optimise technical solutions, but also to ensure long-term stability by minimising security risks. The development life cycle concept is one of the key pillars of the model. The development of secure IT systems is not a one-off activity, but a process that covers the entire life cycle of the system. This process includes the definition of security needs and objectives, a detailed analysis of requirements, and the design and development phases. During integration and commissioning, the components of the system must be assembled to meet the highest security requirements. The process does not end with the implementation of the system, as the SSE-CMM also regulates the maintenance and ultimately the decommissioning of the system. During maintenance, care must be taken to ensure that the system always meets current security challenges, while decommissioning must ensure that data and information are handled appropriately. Another important element of the model is organisational involvement. The design of secure systems is not the responsibility of a single department, but requires collaboration across the whole organisation. Management, the engineering team, the designers, and the operators and users of the system are all involved in implementing and maintaining security measures. The SSE-CMM emphasises that security requirements cannot be met without the active involvement of people at different levels of the organisation. All stakeholders need to be aware of their role in creating security, whether at the design stage or during operation. Designing secure systems requires close cooperation with other methodologies. IT systems do not work in isolation, and the SSE-CMM model takes into account the interaction between different technological areas and professional methodologies. This includes, for example, systems engineering, software development, hardware design and human factors management. When integrating different systems, it is essential that security requirements are addressed at all stages, from initial design to testing. The model ensures that the exchange of information between the different disciplines is continuous and efficient, so that security risks are minimised and systems meet the highest standards. Furthermore, the SSE-CMM model places particular emphasis on interactions and communication in the development of secure systems. Different disciplines, such as system design, software development or testing, must work closely together to ensure that the highest level of security is maintained at all levels of the system. This model therefore ensures that security considerations are integrated into every aspect of the development process and that these considerations can be continuously reviewed and improved in the light of changes in organisational culture and technology.
[Audio] The SSE-CMM model approaches the design of secure systems not only from a technical perspective, but also emphasises the importance of close collaboration with functional areas. Ensuring interaction and exchange of information is essential for an organisation to operate effectively, especially in terms of security requirements. This includes, for example, procurement processes, organisational-level system administration tasks, and quality and security certification, accreditation and evaluation of systems. All these areas are closely interlinked, as the creation of a secure system can only be effective if all related functions work together harmoniously and there is good communication and cooperation between the different areas. The applicability of the SSE-CMM model is extremely broad, regardless of the type and size of the organisation. Whether the model is used by a market player, a government or commercial organisation, a university or a research institute, the aim is to put the design principles of secure information systems into practice. The model does not discriminate by the size of organisations, but rather encourages all organisations, regardless of type or size, to apply security requirements and principles to improve the reliability and efficiency of their IT systems.
Thank you for your attention! Questions?

Quality assurance and audit of critical systems, DUEN-ISR-155, Dr. Attila Kővári.