Introducing cobit 5-may2012_v1.0

I had the honor of presenting an Introduction to COBIT 5 at the Rocky Mountain Information Security Conference on May 18, 2012 in Denver, Colorado. This is the deck I used.


Comments
  • THANK YOU FOR YOUR PRESENTATION TO COBIT5
  • Good information, but it's hard to implement. Thank you very much.
Notes
  • COBIT 4.1 had great acceptance, but a number of stakeholder drivers were identified that led to the new framework:
    – Determine value from information and related technology (what benefits at what acceptable level of risk and costs) and the priorities in ensuring that expected value is actually being delivered—a big demand from stakeholders.
    – Deliver transparency to stakeholders on how the delivery will occur and the actual results that will be achieved.
    – Address the increasing dependency of the enterprise’s success on external business and IT parties such as outsourcers, suppliers, consultants, clients, and cloud and other service providers.
    – Manage the ever-increasing amount of information that is pervasive within the enterprise.
    – Work more effectively with information technology, which has become an integral part of the business and business processes.
    – Deliver guidance for innovation and emerging technologies.
    – Cover the end-to-end business and IT functional responsibilities.
    – Separate the governance and management domains.
  • WHAT IS IT?? WHAT IS OPTIMIZE??
  • These issues point to an area in which GEIT could have a significant impact—improving the management of IT demand vs. supply. Enterprises should ensure that they have the right enablers to ensure transparency of demand and supply so that decisions on demand and its prioritisation can be made, involving all the right stakeholders. GEIT can also help to highlight and bring forward synergies between geographic locations or business units, by ensuring an enterprise-wide portfolio view is taken across projects and initiatives.
  • Principle 1. Meeting Stakeholder Needs: Enterprises have many stakeholders, and ‘creating value’ means different—and sometimes conflicting—things to each of them. Governance is about negotiating and deciding amongst different stakeholders’ value interests. The governance system should consider all stakeholders when making benefit, resource and risk assessment decisions. For each decision, the following can and should be asked: Who receives the benefits? Who bears the risk? What resources are required?
  • Principle 1. Meeting Stakeholder Needs: Benefits of the COBIT 5 goals cascade: It allows the definition of priorities for implementation, improvement and assurance of enterprise governance of IT based on (strategic) objectives of the enterprise and the related risk. In practice, the goals cascade:
    – Defines relevant and tangible goals and objectives at various levels of responsibility.
    – Filters the knowledge base of COBIT 5, based on enterprise goals, to extract relevant guidance for inclusion in specific implementation, improvement or assurance projects.
    – Clearly identifies and communicates how (sometimes very operational) enablers are important to achieve enterprise goals.
  • Research conducted by the University of Antwerp Management School IT Alignment and Governance Research Institute
  • Principle 2. Covering the Enterprise End-to-end: COBIT 5 addresses the governance and management of information and related technology from an enterprisewide, end-to-end perspective. This means that COBIT 5:
    – Integrates governance of enterprise IT into enterprise governance, i.e., the governance system for enterprise IT proposed by COBIT 5 integrates seamlessly in any governance system because COBIT 5 aligns with the latest views on governance.
    – Covers all functions and processes within the enterprise; COBIT 5 does not focus only on the ‘IT function’, but treats information and related technologies as assets that need to be dealt with just like any other asset by everyone in the enterprise.
    *This governance system is an illustration of ISACA’s Taking Governance Forward (TGF) initiative; more information on TGF can be found at www.takinggovernanceforward.org
    In addition to the governance objective, the other main elements of the governance approach include enablers; scope; and roles, activities, and relationships.
    Governance Enablers: Governance enablers are the organisational resources for governance, such as frameworks, principles, structures, processes and practices, through or towards which action is directed and objectives can be attained. Enablers also include the enterprise’s resources—e.g., service capabilities (IT infrastructure, applications, etc.), people and information. A lack of resources or enablers may affect the ability of the enterprise to create value. Given the importance of governance enablers, COBIT 5 includes a single way of looking at and dealing with enablers (see chapter 5).
    Governance Scope: Governance can be applied to the entire enterprise, an entity, a tangible or intangible asset, etc. That is, it is possible to define different views of the enterprise to which governance is applied, and it is essential to define this scope of the governance system well. The scope of COBIT 5 is the enterprise—but in essence COBIT 5 can deal with any of the different views.
    Roles, Activities and Relationships: A last element is governance roles, activities and relationships. It defines who is involved in governance, how they are involved, what they do and how they interact, within the scope of any governance system. In COBIT 5, clear differentiation is made between governance and management activities in the governance and management domains, as well as the interfacing between them and the role players that are involved. Figure 9 details the lower part of figure 8, listing the interactions between the different roles. For more information on this generic view on governance please see Taking Governance Forward at www.takinggovernanceforward.org.
  • WHAT DOES THIS MEAN FOR YOUR ORGANIZATION?? Principle 3. Applying a Single Integrated Framework: COBIT 5 aligns with the latest relevant other standards and frameworks used by enterprises:
    – Enterprise: COSO, COSO ERM, ISO 9000, ISO 31000
    – IT-related: ISO/IEC 38500, ITIL, ISO/IEC 27000 series, TOGAF, PMBOK/PRINCE2, CMMI, etc.
    This allows the enterprise to use COBIT 5 as the overarching governance and management framework integrator. ISACA plans a capability to facilitate COBIT user mapping of practices and activities to third-party references.
  • Guiding Principles?? Enterprise-wide Policies??
  • Information is required for keeping the organization running and well governed, but at the operational level, information is very often the key product of the enterprise itself.
  • The first two questions and metrics address actual outcomes. The second two questions and metrics address the actual functioning of the enabler.
  • Mapping to standards includes:
    – ISO/IEC 38500
    – ITIL & ISO/IEC 20000
    – ISO/IEC 27000 series
    – ISO 31000 risk management
    – TOGAF
    – CMMI (DEV)
  • Each enterprise must define its own process set, taking into account the specific situation.
  • Detailed process-related content structure
    ● Process identification—On the first page:
      – Process label—The domain prefix (EDM, APO, BAI, DSS, MEA) and the process number
      – Process name—A short description, indicating the main subject of the process
      – Area of the process—Governance or management
      – Domain name
    ● Process description—An overview of what the process does and a high-level overview of how the process accomplishes its purpose
    ● Process purpose statement—A description of the overall purpose of the process
    ● Goals cascade information—Reference and description of the IT-related goals that are primarily supported by the process, and metrics to measure the achievement of the IT-related goals
    ● Process goals and metrics—A set of process goals and a limited number of example metrics
    ● RACI chart—A suggested assignment of level of responsibility for process practices to different roles and structures. The enterprise roles listed are shaded darker than the IT roles. The different levels of involvement are:
      – R(esponsible)—Who is getting the task done? This refers to the roles taking the main operational stake in fulfilling the activity listed and creating the intended outcome.
      – A(ccountable)—Who accounts for the success of the task? This assigns the overall accountability for getting the task done (Where does the buck stop?). Note that the role mentioned is the lowest appropriate level of accountability; there are, of course, higher levels that are accountable, too. To enable empowerment of the enterprise, accountability is broken down as far as possible. Accountability does not indicate that the role has no operational activities; it is very likely that the role gets involved in the task. As a principle, accountability cannot be shared.
      – C(onsulted)—Who is providing input? These are key roles that provide input. Note that it is up to the accountable and responsible role(s) to obtain information from other units or external partners, too. However, inputs from the roles listed are to be considered and, if required, appropriate action has to be taken for escalation, including informing the process owner and/or the steering committee.
      – I(nformed)—Who is receiving information? These are roles that are informed of the achievements and/or deliverables of the task. The ‘accountable’ role, of course, should always receive appropriate information to oversee the task, as do the responsible roles for their area of interest.
    ● Detailed description of the process practices—For each practice:
      – Practice title and description
      – Practice inputs and outputs, with indication of origin and destination
      – Process activities, further detailing the practices
    ● Related guidance—References to other standards and direction to additional guidance
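As an added example (not from this deck and not from ISACA's COBIT 5 publications), the following Python checks a RACI chart against the assignment rules stated in the notes above: exactly one Accountable role per practice (accountability cannot be shared), at least one Responsible role, only R/A/C/I levels, and a process label built from one of the five domain prefixes, which also decides whether the process sits in the governance area (EDM) or the management area (APO, BAI, DSS, MEA). The practice identifiers, role names and level assignments in the sample charts are constructed for illustration; only the APO05 label and the domain prefixes come from the page.

```python
"""Validate a COBIT 5-style RACI chart against the rules in the notes above.

Added example, not part of the original deck. The sample charts below are
constructed; role names and assignments are hypothetical.
"""
import re
from collections import Counter

# Domain prefix -> area of the process (EDM is the governance domain,
# the other four are management domains).
DOMAINS = {"EDM": "Governance", "APO": "Management", "BAI": "Management",
           "DSS": "Management", "MEA": "Management"}
LABEL_RE = re.compile(r"^(EDM|APO|BAI|DSS|MEA)(\d{2})$")
VALID_LEVELS = {"R", "A", "C", "I", ""}   # "" = role not involved


def process_area(label):
    """Return 'Governance' or 'Management' for a process label such as APO05."""
    m = LABEL_RE.match(label)
    if not m:
        raise ValueError(f"malformed process label: {label!r}")
    return DOMAINS[m.group(1)]


def validate_raci(label, chart):
    """chart maps practice id -> {role: level}. Returns a list of findings
    (empty list means the chart satisfies the rules)."""
    findings = []
    try:
        process_area(label)
    except ValueError as e:
        findings.append(str(e))
    for practice, roles in chart.items():
        if not practice.startswith(label + "."):
            findings.append(f"{practice}: practice id not under process {label}")
        for role, level in roles.items():
            if level not in VALID_LEVELS:
                findings.append(f"{practice}: unknown level {level!r} for role {role!r}")
        counts = Counter(lvl for lvl in roles.values() if lvl in VALID_LEVELS)
        if counts["A"] == 0:
            findings.append(f"{practice}: no Accountable role (where does the buck stop?)")
        elif counts["A"] > 1:
            shared = [r for r, lvl in roles.items() if lvl == "A"]
            findings.append(f"{practice}: accountability shared between {shared}")
        if counts["R"] == 0:
            findings.append(f"{practice}: no Responsible role")
    return findings


# Constructed sample charts (hypothetical practice ids and assignments).
SAMPLE_OK = {
    "APO05.01": {"Board": "I", "CEO": "A", "CIO": "R", "CFO": "C"},
    "APO05.02": {"CEO": "A", "CIO": "R", "Steering Committee": "C"},
}
SAMPLE_BAD = {
    "APO05.01": {"CEO": "A", "CIO": "A", "CFO": "C"},      # shared A, no R
    "APO05.02": {"CIO": "R", "Steering Committee": "X"},   # no A, bad level
}

if __name__ == "__main__":
    for name, chart in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(name, validate_raci("APO05", chart) or "no findings")
```

Running the block prints no findings for the first chart and four findings for the second (shared accountability, a missing Responsible role, a missing Accountable role and an unknown level), which is the kind of check worth running over any control-ownership matrix before it is signed off.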
  • Transcript

    • 1. Introducing COBIT® 5. Bob Frelinger, CGEIT. May 18, 2012
    • 2. Learning Objectives
      – Appreciate the Background Behind COBIT® 5
      – Understand the Five COBIT® 5 Principles
      – Understand the Seven COBIT® 5 Enablers
      – Know How to Navigate the “COBIT® 5” framework document
      – Know How to Navigate “COBIT® 5: Enabling Processes”
    • 3. What’s Behind COBIT® 5: Some History…
    • 4. What’s Behind COBIT® 5: References and Influencers…
      – ISO Standards: IT Service Management; Quality Management; Risk Management; Information Security; Corporate Governance of Information Technology; Process Assessment
      – British Standards: Business Continuity Management
      – OGC (UK) Best Management Practice Portfolio: Managing Successful Programmes (MSP); PRINCE2®; Information Technology Infrastructure Library (ITIL®); Risk Management
      – Federal Enterprise Architecture (FEA) (USA)
      – APM Introduction to Programme Management (UK)
      – TOGAF® 9
      – PMBOK®
      – Leading Change by John Kotter
      – OECD Principles of Corporate Governance (France)
      – Balanced Scorecard
      – The [European] Commission Enterprise IT Architecture Framework (CEAF) (Belgium)
      – BABOK® Guide
      – King Code of Governance Principles (King III) (South Africa)
      – Combined Code on Corporate Governance (UK)
      – COSO
      – Existing ISACA/ITGI Material: COBIT 4.1; Val IT; Risk IT; BMIS; IT Assurance Framework; Board Briefing on IT Governance
      – COBIT 5 Product Family
    • 5. What’s Behind COBIT® 5: Global Expertise and Collaboration…
      – Overseen by the ISACA/ITGI Framework Committee (FC)
      – Research results were quality-controlled throughout the development process.
      – Preliminary research involved several COBIT development groups based around the world.
      – Before being issued, the draft documents were distributed to more than 100 subject matter experts around the world to obtain their professional review comments.
      – Once ready, draft versions of COBIT 5 and COBIT 5: Enabling Processes were made available to the general public. Thousands of comments were received.
    • 6. Importance of IT to the Delivery of Business Strategy and Vision. Source: Global Status Report on the Governance of Enterprise IT (GEIT) – 2011. Rolling Meadows, IL: ISACA & ITGI, 2011.
    • 7. Why & What is COBIT® 5: The Business Case… Enterprises, large and small, commercial, not-for-profit or public sector, must create optimal value from IT by maintaining a balance between realizing benefits and optimizing risk levels and resource use. Information and related technology need to:
      – Be governed and managed in a holistic manner for the entire enterprise,
      – Take in the full end-to-end business and IT functional areas of responsibility,
      – Consider the IT-related interests of internal and external stakeholders
      A BUSINESS FRAMEWORK FOR THE GOVERNANCE AND MANAGEMENT OF ENTERPRISE IT
    • 8. IT-Related Issues. Source: Global Status Report on the Governance of Enterprise IT (GEIT) – 2011. Rolling Meadows, IL: ISACA & ITGI, 2011.
    • 9. Drivers for GEIT Activities. Source: Global Status Report on the Governance of Enterprise IT (GEIT) – 2011. Rolling Meadows, IL: ISACA & ITGI, 2011.
    • 10. Enterprise Readiness for GEIT. Source: Global Status Report on the Governance of Enterprise IT (GEIT) – 2011. Rolling Meadows, IL: ISACA & ITGI, 2011.
    • 11. What is COBIT® 5: The Product Family… Source: COBIT® 5, figure 1. © 2012 ISACA® All rights reserved.
    • 12. Making It Real – Just Try It: Embrace the Concepts Embedded in COBIT 5…
      – Integrate best, good and common industry practices
      – Cascade goals and objectives
      – Measure both performance toward, and achievement of, goals
      – Take the holistic approach; end-to-end view
      – Link inputs and outputs of key management practices
      – Enable success through integration and alignment of seemingly disconnected governance and management activities
    • 13. COBIT® 5 Principles: Based on five key principles for governance and management of enterprise IT. Source: COBIT® 5, figure 2. © 2012 ISACA® All rights reserved.
    • 14. COBIT® 5 – Principle 1. Meeting Stakeholder Needs: Enterprises exist to create value for their stakeholders. Source: COBIT® 5, figure 3. © 2012 ISACA® All rights reserved.
    • 15. COBIT® 5 – Principle 1. Meeting Stakeholder Needs: The COBIT 5 goals cascade translates stakeholder needs into specific, actionable and customized goals within the context of the enterprise goals, IT-related goals and enabler goals. Source: COBIT® 5, figure 4. © 2012 ISACA® All rights reserved.
    • 16. COBIT® 5 – Goals Cascade: Generic Model – Based on Sound Global Research
      – Mapping Stakeholder Needs to COBIT 5 Enterprise Goals: Appendix D
      – Mapping COBIT 5 Enterprise Goals to IT-related Goals: Appendix B
      – Mapping COBIT 5 IT-related Goals to Processes: Appendix C
      – Process Goals and Suggested Metrics: COBIT 5: Enabling Processes
    • 17. COBIT® 5 – Principle 2. Covering the Enterprise End-to-end: Enterprisewide, end-to-end perspective; information and related technology wherever that information is being processed; NOT just the IT function. Figure: Governance System Key Components. Source: COBIT® 5, figures 8 & 9 combined. © 2012 ISACA® All rights reserved.
    • 18. COBIT® 5 – Principle 3. Applying a Single Integrated Framework: Aligns with other standards and frameworks; complete in enterprise coverage; simple architecture for structuring guidance materials and producing a consistent product set; integrates all knowledge previously dispersed over different ISACA/ITGI frameworks. Source: COBIT® 5, figure 10. © 2012 ISACA® All rights reserved.
    • 19. COBIT® 5 – Principle 4. Enabling a Holistic Approach: Driven by the goals cascade – goals define what enablers should achieve; to achieve enterprise objectives consider an interconnected set of enablers; some enablers are the enterprise resources. Source: COBIT® 5, figure 12. © 2012 ISACA® All rights reserved.
    • 20. COBIT® 5 – Principle 4. Enabling a Holistic Approach: Enabler 1 (Principles, Policies and Frameworks) – The vehicles to translate the desired behavior into practical guidance for day-to-day management. Source: COBIT® 5, figure 12. © 2012 ISACA® All rights reserved.
    • 21. COBIT® 5 – Principle 4. Enabling a Holistic Approach: Enabler 2 (Processes) – Describe an organized set of practices and activities to achieve certain objectives and produce a set of outputs in support of achieving overall IT-related goals. Source: COBIT® 5, figure 12. © 2012 ISACA® All rights reserved.
    • 22. COBIT® 5 – Principle 4. Enabling a Holistic Approach: Enabler 3 (Organizational Structures) – Are the key decision-making entities in an enterprise. They can be the traditional vertical structures or horizontal (or lateral) structures. Source: COBIT® 5, figure 12. © 2012 ISACA® All rights reserved.
    • 23. Organizational Structure: Formal org structure supported by cross-org structures
    • 24. COBIT® 5 – Principle 4. Enabling a Holistic Approach: Enabler 4 (Culture, Ethics and Behavior) – Applies to both individuals and the enterprise; very often underestimated as a success factor in governance and management activities. Source: COBIT® 5, figure 12. © 2012 ISACA® All rights reserved.
    • 25. COBIT® 5 – Principle 4. Enabling a Holistic Approach: Enabler 5 (Information) – Pervasive throughout any organization and includes all the information produced and used by the enterprise. Source: COBIT® 5, figure 12. © 2012 ISACA® All rights reserved.
    • 26. COBIT® 5 – Principle 4. Enabling a Holistic Approach: Enabler 6 (Services, Infrastructure and Applications) – The infrastructure, technology and applications that provide the enterprise with information technology processing and services. Source: COBIT® 5, figure 12. © 2012 ISACA® All rights reserved.
    • 27. COBIT® 5 – Principle 4. Enabling a Holistic Approach: Enabler 7 (People, Skills and Competencies) – People, and their skills and competencies, are required for successful completion of all activities, for making correct decisions and for taking corrective actions. Source: COBIT® 5, figure 12. © 2012 ISACA® All rights reserved.
    • 28. COBIT® 5 – Principle 4. Enabling a Holistic Approach: Enabler Dimensions – All enablers have a set of common dimensions. This common set of dimensions provides a common, simple and structured way to deal with enablers; allows an entity to manage its complex interactions; facilitates successful outcomes of the enablers. Source: COBIT® 5, figure 13. © 2012 ISACA® All rights reserved.
    • 29. COBIT® 5 – Principle 4. Enabling a Holistic Approach: Enabler Performance Management – actual outcomes and actual functioning. Source: COBIT® 5, figure 13. © 2012 ISACA® All rights reserved.
    • 30. COBIT® 5 – Principle 5. Separating Governance from Management: Different activities (governance: Evaluate, Direct and Monitor, EDM; management: Plan, Build, Run and Monitor, PBRM) and different responsibilities; interactions between them are facilitated through the enablers. Source: COBIT® 5, figure 15. © 2012 ISACA® All rights reserved.
    • 31. Implementation Guidance Source: COBIT® 5, figure 17. © 2012 ISACA® All rights reserved.
    • 32. Process Capability Model Source: COBIT® 5, figure 19. © 2012 ISACA® All rights reserved.
    • 33. What is COBIT® 5 – TOC: The Framework document…breaking it down. A Business Framework for the Governance and Management of Enterprise IT
      – Executive Summary: 2 pages
      – Overview of COBIT 5: 2 pages
      – A chapter on each of the five principles: 17 pages; 2 to 6 pages each
      – Implementation Guidance: 5 pages – intro to the Guide
      – The COBIT 5 Process Capability Model: 5 pages – intro to the Model
      – Appendices: References, 1 page; Goals Maps, 5 pages; Stakeholder Needs and Enterprise Goals, 2 pages; Mapping with the Most Relevant Related Standards and Frameworks, 5 pages; COBIT 5 Information Model and COBIT 4.1 Information Criteria, 1 page; Detailed Description of seven COBIT 5 Enablers, 23 pages, 2 to 6 pages each; Glossary, 5 pages
    • 34. COBIT® 5: Enabling Processes – Enabler Guide…breaking it down. A detailed reference guide to the processes that are defined in the COBIT 5 process reference model.
      – Introduction
      – Goals Cascade and Metrics
      – Process Model
      – Process Reference Model
      – Process Reference Guide Contents: Detailed process-related content structure; Inputs and Outputs; Generic Guidance for Processes; Detailed process content for each process
      – Appendices: Mapping COBIT 5 with legacy ISACA Frameworks; Goals Maps
    • 35. What is COBIT® 5: Enabling Processes – Enabler Guide…breaking it down. A detailed reference guide to the processes that are defined in the COBIT 5 process reference model.
      – Introduction: 1 page
      – Goals Cascade and Metrics: 6 pages; repeats & extends the framework
      – Process Model: 3 pages
      – Process Reference Model: 2 pages
      – Process Reference Guide Contents: 3 pages
        – Detailed process-related content structure: see slide 36 for structure
        – Inputs and Outputs: broad or universal inputs and outputs
        – Generic Guidance for Processes: one link to the Process Capability Model
        – Detailed process content for each process: 186 pages; 3 to 9 pages each
      – Appendices: Mapping COBIT 5 with legacy ISACA Frameworks, 8 pages; Goals Maps, 5 pages (repeat of maps in the framework)
    • 36. Enabling Processes – Enabler Dimensions – Processes: Each process is defined, created, operated, and adjusted / updated or retired. Figure labels: Process Reference Model; Process Goals driven by goals cascade; RACI charts; Limited number of example metrics; Process Capability Model; Process Capability Assessments. Source: COBIT® 5: Enabling Processes, figure 8. © 2012 ISACA® All rights reserved.
    • 37. Process Reference Model
    • 38. Process Content – Enabling Processes: Content Structure for All Processes
      – Process Identification
      – Process Description
      – Process Purpose Statement
      – Goal Cascade Information
      – Process Goals and Metrics
      – RACI Chart
      – Detailed Description of Process Practices: practice title and description; practice inputs and outputs w/indication of origin & destination (but remember the broad or universal inputs); process activities further detailing the practices
      – Related Guidance
    • 39. An Example Process: APO05 – Manage Portfolio – Process Identification, Process Description, Process Purpose Statement
    • 40. An Example Process: APO05 – Manage Portfolio – Goal Cascade Information
    • 41. An Example Process: APO05 – Manage Portfolio – Process Goals and Metrics
    • 42. An Example Process
    • 43. An Example Process: APO05 – Manage Portfolio – Detailed Description of Process Practices
    • 44. An Example Process: APO05 – Manage Portfolio – Detailed Description of Process Practices
    • 45. An Example Process: APO05 – Manage Portfolio – Related Guidance
    • 46. Learning Objectives
      – Appreciate the Background Behind COBIT® 5
      – Understand the Five COBIT® 5 Principles
      – Understand the Seven COBIT® 5 Enablers
      – Know How to Navigate the “COBIT® 5” framework document
      – Know How to Navigate “COBIT® 5: Enabling Processes”
    • 47. Implementation Challenges. Source: Global Status Report on the Governance of Enterprise IT (GEIT) – 2011. Rolling Meadows, IL: ISACA & ITGI, 2011.
    • 48. Questions? bob.frelinger@oracle.com or bob.frelinger@itgovhelp.com