COBIT as a Risk Management Framework
    1. John W. Lainhart IV, CISA, CISM, CGEIT, CIPP/G
       Partner, Security, Privacy, Wireless & IT Governance, IBM Global Business Services
       Principal Advisor to IT Governance Institute
       301-803-2745
       COBIT® as a Risk Management Framework
    2. In This Presentation...
       • The Governance Environment
       • An introduction to IT Governance
       • An introduction to Control Objectives for Information and related Technology (COBIT®)
       • Overview of COBIT® Supporting Materials
       • COBIT® Mappings to Other Standards
       • An introduction to Val IT™
       • An introduction to Risk IT™
       • Recently Announced Certification Program – CGEIT
       • Questions
    3. IT Governance, COBIT, Val IT and Risk IT Are Brought to You by …
    4. IT Governance Institute
       IT Governance Institute is a non-profit research think-tank associated with ISACA®.
    5. IT Governance Institute Product Suite
       [Diagram: product suite spanning the Governance, Business and Technology Management, and Governance, Security and Assurance Management layers: Board Briefing on IT Governance, COBIT® 4.1, Val IT, COBIT Control Practices, IT Assurance Guide, IT Governance Implementation Guide, Information Security Governance]
    6. The Governance Environment
    7. Forces Driving IT Governance
       • Business/IT Alignment
       • Compliance
       • ROI
       • Project Execution
       • Security
    8. What Makes IT Governance so important?
       Drivers:
       • Strategic importance of IT
       • Extended Enterprise
       • Regulatory requirements
       • Cost optimisation
       • Return on investment
       Evidence:
       • Gartner – more than 600 billion $ thrown away annually on ill-conceived or ill-executed IT projects
       • Standish Group – about 20% of projects fail outright, 50% are challenged and only 30% are successful
       • ITGI 2005 Survey early findings confirm concerns:
         – Low return from high-cost IT investments, and transparency of IT's performance are two top issues
         – More than 30% claim negative return from IT investments targeting only efficiency gains
         – 40% do not have good alignment between IT plans and business strategy
         – Interest in and use of active management of the return on IT investments has doubled in 2 years (28% to 58%)
    9. What makes IT Governance so important?
       Shareholders want protection for the Enterprise's Share Price
       "…if not filed, auditor must include a paragraph in its annual report that it cannot vouch for the enterprise's ability as a going concern…"
       "…financial reporting system is not up to speed…"
       "…the company has lost a third more of its market value yesterday as it revealed a virtual collapse of its financial reporting system…"
       "…data entry problems…"
    10. Global Business Services
        The Premier IT Leaders polled by ComputerWorld Magazine put these projects at the top of their to-do lists for 2008. #1 on this list is IT Governance, including business alignment.
        From the Dec 10, 2007 issue of Computerworld Magazine (pg 74). Computerworld Magazine is a publication of International Data Group Inc.
        IBM Confidential | © Copyright IBM Corporation 2005
    11. An Overview of IT Governance
    12. What is IT Governance?
        "IT governance is the responsibility of the board of directors and executive management. It is an integral part of enterprise governance and consists of the leadership and organisational structures and processes that ensure that the organisation's IT sustains and extends the organisation's strategies and objectives."
        ITGI, Board Briefing on IT Governance
    13. IT Governance Needs a Management Framework
        [Diagram: the driving forces map onto the IT Governance focus areas: Strategic Alignment, Value Delivery, Risk Management, Resource Management and Performance Measurement]
    14. IT Governance Focus Areas
        Strategic alignment focuses on ensuring the linkage of business and IT plans; on defining, maintaining and validating the IT value proposition; on aligning IT operations with the enterprise operations; and on establishing collaborative solutions to:
        • Add value and competitive positioning to the enterprise's products and services
        • Contain costs while improving administrative efficiency and managerial effectiveness
        [Diagram: IT Governance Domains – Strategic Alignment, Value Delivery, Risk Management, Resource Management, Performance Measurement]
    15. IT Governance Focus Areas
        Value delivery is about executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimising expenses and proving the value of IT, and on controlling projects and operational processes with practices that increase the probability of success (quality, risk, time, budget, cost, etc).
        [Diagram: IT Governance Domains – Strategic Alignment, Value Delivery, Risk Management, Resource Management, Performance Measurement]
    16. IT Governance Focus Areas
        Risk management requires risk awareness of senior corporate officers, a clear understanding of the enterprise's appetite for risk and transparency about the significant risks to the enterprise; it embeds risk management responsibilities in the operation of the enterprise and specifically addresses the safeguarding of IT assets, disaster recovery and continuity of operations.
        [Diagram: IT Governance Domains – Strategic Alignment, Value Delivery, Risk Management, Resource Management, Performance Measurement]
    17. IT Governance Focus Areas
        Resource management covers the optimal investment, use and allocation of IT resources and capabilities (people, applications, technology, facilities, data) in servicing the needs of the enterprise, maximising the efficiency of these assets and optimising their costs, and specifically focuses on optimising knowledge and the IT infrastructure and on where and how to outsource.
        [Diagram: IT Governance Domains – Strategic Alignment, Value Delivery, Risk Management, Resource Management, Performance Measurement]
    18. IT Governance Focus Areas
        Performance measurement tracks project delivery and monitors IT services, using balanced scorecards that translate strategy into action to achieve goals measurable beyond conventional accounting, measuring those relationships and knowledge-based assets necessary to compete in the information age: customer focus, process efficiency and the ability to learn and grow.
        [Diagram: IT Governance Domains – Strategic Alignment, Value Delivery, Risk Management, Resource Management, Performance Measurement]
    19. IT Governance Life Cycle
    20. IT Governance Control Cycle
    21. IT Governance Control Cycle – Assess Environment
        • Based on COBIT®, develop an approach for improved internal control to meet regulatory requirements that incorporates business and IT mission, vision, and strategy
        • Establish risk management strategy
        • Formally document existing processes
    22. IT Governance Control Cycle – Maintain IT Controls Framework
        • Develop controls framework to support sound business decisions
        • Document integration points in the current environment
        • Create an organizational mechanism to support the governance of IT
        • Mitigate identified risks through the IT controls framework
    23. IT Governance Control Cycle – Develop & Refine Governing Documents
        • Utilize a central repository for governing documents
        • Develop a consistent approach for creating governing documents
        • Consistently apply processes and procedures
        • Gain executive commitment for IT governance frameworks and structure
    24. IT Governance Control Cycle – Communicate and Train
        • Provide "Tone at the Top"
        • Develop a strategic communication plan for mission objectives and overall management direction
        • Execute strategic communication plan
        • Implement a standard training program to avoid unnecessary and redundant training
    25. IT Governance Control Cycle – Implement and Operate
        • Align staff responsibilities with IT control objectives
        • Achieve sustainability of IT controls in the operational environment
        • Support continuous improvement of operational effectiveness and accountability
    26. IT Governance Control Cycle – Measure and Validate
        • Revise current metrics program to include newly defined controls
        • Verify the sustainability of defined controls
        • Develop cost-effective automated measurements
        • Measure all processes to include Applications, Databases, Platforms and Networks
    27. IT Governance Control Cycle – Monitor and Report
        • Report on continued effectiveness of controls
        • Increase transparency to auditors of issues and actions taken
        • Accurately attest to IT's compliance with policy, laws, and regulations
        • Improve existing processes using metrics trending
    28. IT Governance Control Cycle – Enforce
        • Reinforce required policy compliance and standards conformance
        • Define a consistent approach for enforcement across all processes
    29. An Overview of COBIT
    30. COBIT 4.1—The IT Governance Framework
        • Internationally accepted good practices
        • Management-oriented
        • Freely available
        • Sharing knowledge and leveraging expert volunteers
        • Continually evolving
        • Maintained by reputable not-for-profit organisation
        • Maps 100% to COSO
        • Maps strongly to all major related standards
        • Is a reference, set of best practices, not an "off-the-shelf" cure
        • Enterprises still need to analyse their control requirements and customise based on: value drivers, risk profile, IT infrastructure, organisation and project portfolio
        [Diagram: CobiT as a best-practices repository for IT Processes, IT Management Processes and IT Governance Processes; the only IT management and control framework that covers the end-to-end IT life cycle]
    31. COBIT: An IT Control Framework
        • Starts from the premise that IT needs to deliver the information that the enterprise needs to achieve its objectives
        • Promotes process focus and process ownership
        • Divides IT into 4 domains and 34 processes, with a total of 210 control objectives
        • Looks at fiduciary, quality and security needs of enterprises and provides for seven information criteria that can be used to generically define what the business requires from IT
        • Addresses the resources made available to and built up by IT
        Domains: 1. Plan & Organize; 2. Acquire & Implement; 3. Delivery & Support; 4. Monitor & Evaluate
        Information Criteria: 1. Effectiveness; 2. Efficiency; 3. Availability; 4. Integrity; 5. Confidentiality; 6. Reliability; 7. Compliance
        IT Resources: 1. Applications; 2. Information; 3. Infrastructure; 4. People
    32. Key Driving Forces for COBIT
        • IT Processes – how IT is organised to respond to the requirements: Plan and Organise; Acquire and Implement; Deliver and Support; Monitor and Evaluate
        • Business Requirements – what the stakeholders expect from IT: Effectiveness; Efficiency; Confidentiality; Integrity; Availability; Compliance; Information reliability
        • IT Resources – the resources made available to and built up by IT: Applications; Information; Infrastructure; People
    33. COBIT Framework
        [Diagram: the COBIT cube – Business Objectives criteria (Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability) × IT Resources (Applications, Information, Infrastructure, People) × IT Life Cycle (Plan and Organise, Acquire and Implement, Deliver and Support, Monitor and Evaluate)]
    34. COBIT Processes
        Plan and Organise:
        • PO1 Define an IT Strategic Plan
        • PO2 Define the Information Architecture
        • PO3 Determine Technological Direction
        • PO4 Define the IT Processes, Organisation and Relationships
        • PO5 Manage the IT Investment
        • PO6 Communicate Management Aims and Direction
        • PO7 Manage IT Human Resources
        • PO8 Manage Quality
        • PO9 Assess and Manage IT Risks
        • PO10 Manage Projects
        Acquire and Implement:
        • AI1 Identify Automated Solutions
        • AI2 Acquire and Maintain Application Software
        • AI3 Acquire and Maintain Technology Infrastructure
        • AI4 Enable Operation and Use
        • AI5 Procure IT Resources
        • AI6 Manage Changes
        • AI7 Install and Accredit Solutions and Changes
    35. COBIT Processes
        Deliver and Support:
        • DS1 Define and Manage Service Levels
        • DS2 Manage Third-party Services
        • DS3 Manage Performance and Capacity
        • DS4 Ensure Continuous Service
        • DS5 Ensure Systems Security
        • DS6 Identify and Allocate Costs
        • DS7 Educate and Train Users
        • DS8 Manage Service Desk and Incidents
        • DS9 Manage the Configuration
        • DS10 Manage Problems
        • DS11 Manage Data
        • DS12 Manage the Physical Environment
        • DS13 Manage Operations
        Monitor and Evaluate:
        • ME1 Monitor and Evaluate IT Performance
        • ME2 Monitor and Evaluate Internal Control
        • ME3 Ensure Compliance With External Requirements
        • ME4 Provide IT Governance
    36. COBIT PC and AC Processes
        Process Controls:
        • PC1 Process Goals and Objectives
        • PC2 Process Ownership
        • PC3 Process Responsibility
        • PC4 Roles and Responsibilities
        • PC5 Policy, Plans and Procedures
        • PC6 Process Performance Improvement
        Application Controls:
        • AC1 Source Data Preparation and Authorization
        • AC2 Source Data Collection and Entry
        • AC3 Accuracy, Completeness and Authenticity Checks
        • AC4 Processing Integrity and Validity
        • AC5 Output Review, Reconciliation and Error Handling
        • AC6 Transmission Authentication and Integrity
    37. Process Level – Navigating in COBIT
    38. Control Objectives
        PO9.6 Maintenance and Monitoring of a Risk Action Plan
        Prioritise and plan the control activities at all levels to implement the risk responses identified as necessary, including identification of costs, benefits and responsibility for execution. Obtain approval for recommended actions and acceptance of any residual risks, and ensure that committed actions are owned by the affected process owner(s). Monitor execution of the plans, and report on any deviations to senior management.
    39. Management Guidelines
    40. Management Guidelines
    41. Maturity Model
    42. Maturity Levels in COBIT
        • 0 Non-existent – Management processes are not applied at all.
        • 1 Initial – Processes are ad hoc and disorganised.
        • 2 Repeatable – Processes follow a regular pattern.
        • 3 Defined – Processes are documented and communicated.
        • 4 Managed – Processes are monitored and measured.
        • 5 Optimised – Best practices are followed and automated.
    43. Dimensions of Process Maturity in COBIT
        We capture process maturity data on each of six dimensions:
        • Awareness and communication
        • Policies, standards and procedures
        • Tools and automation
        • Skills and expertise
        • Responsibility and accountability
        • Goal setting and measurement
    44. Leverage COBIT® Supporting Materials ...
    45. Implementation Guide
    46. Implementation Guide
        IT Governance Implementation Guide, 2nd Edition
        • Detailed, structured guidance to the implementation of IT governance
        • Generic IT governance implementation guidance, not just COBIT
    47. Control Practices
    48. Control Practices
        COBIT Control Practices, 2nd Edition
        • Detailed guidance on each of the control objectives
        • Management-oriented
        • From three to 12 control practices per control objective
    49. Assurance Guide
    50. Assurance Guide
        IT Assurance Guide: Using COBIT
        Detailed guidance to support assurance practitioners in:
        • Financial statement audit
        • Internal audit
        • Value for money
        • Operational improvement
        Guidance on:
        • How to leverage COBIT for assurance
        • Detailed assurance testing steps
    51. Quickstart
    52. Quickstart
        For small and medium-sized organizations and larger organizations wanting to quickstart IT governance
        • Selection of components from the complete COBIT framework
        • Can be used as a baseline (set of "smart things to do") for small and medium-sized enterprises and other entities where IT is not strategic or absolutely critical for survival
        • Can also be a starting point for larger enterprises in their first moves toward an appropriate level of control and governance of IT
    53. COBIT Security Baseline
    54. COBIT Security Baseline – 44 Steps Toward Security
        44 Steps Toward Security (number of steps per area):
        • Define the security strategy – 1
        • Define the IT organisation and relationships – 1
        • Communicate management aims and direction – 1
        • Manage IT human resources – 4
        • Assess and manage IT risks – 3
        • Identify automated solutions – 1
        • Acquire and maintain application and technology infrastructure – 3
        • Enable operation and use – 1
        • Manage changes – 2
        • Install and accredit solutions and changes – 2
        • Define and manage service levels – 1
        • Manage third-party services – 3
        • Ensure continuous service – 3
        • Ensure systems security – 8
        • Manage the configuration – 2
        • Manage data – 3
        • Manage the physical environment – 2
        • Monitor and evaluate IT performance—assess internal control adequacy – 1
        • Obtain independent assurance – 1
        • Ensure regulatory compliance – 1
        6 Information Security Survival Kits:
        • Home Users
        • Professional Users
        • Managers
        • Executives
        • Senior Executives
        • Board of Directors/Trustees
    55. COBIT Mappings to Other Frameworks and Standards
    56. Where COBIT Typically Sits
        [Diagram: three layers – Governance layer: COSO, King; Management layer: COBIT; IT layer: ITIL, 17799, CMM, TickIT]
    57. How COBIT Relates to Frameworks and Standards
        [Diagram: COBIT provides the strategic layer of process control; CMM and ITIL sit at the process execution layer, each process broken down into numbered work instructions]
    59. An Overview of Val IT
    60. The Information Paradox
        The value of IT is being increasingly questioned... yet organizations continue to spend more and more on IT.
    61. The Fundamental Question
        Are we maximizing the value of our IT-enabled business investments such that:
        • we are getting optimal benefits;
        • at an affordable cost; and
        • with an acceptable level of risk?
        Over the full economic life-cycle of the investment
    62. Without Effective Governance (Symptoms)
        Situation:
        • Reluctance to say no to projects
        • Lack of strategic focus
        • Can't kill projects
        • Projects are "sold" on emotional basis – not selected
        • No strong review process
        • Overemphasis on financial ROI
        • No clear criteria for selection
        Leads to:
        • Budget overruns
        • Project delays
        • Too many projects
        • Benefits not received
        • Quality of execution suffers
        • Sub-optimal use of resources
        • Underestimation of risks and costs
        • Projects not aligned to strategy
        Results in:
        • Business needs not met
        • Increased complexity
        • Finger pointing
        • Lack of confidence (in strategic IT)
        Source: Fujitsu
    63. Continuously Need to Question
        Some fundamental questions about the value enabled by IT: Are we doing the right things? Are we doing them the right way? Are we getting them done well? Are we getting the benefits?
        The strategic question. Is the investment:
        • In line with our vision?
        • Consistent with our business principles?
        • Contributing to our strategic objectives?
        • Providing optimal value, at affordable cost, at an acceptable level of risk?
        The value question. Do we have:
        • A clear and shared understanding of the expected benefits?
        • Clear accountability for realising the benefits?
        • Relevant metrics?
        • An effective benefits realisation process?
        The architecture question. Is the investment:
        • In line with our architecture?
        • Consistent with our architectural principles?
        • Contributing to the population of our architecture?
        • In line with other initiatives?
        The delivery question. Do we have:
        • Effective and disciplined delivery and change management processes?
        • Competent and available technical and business resources to deliver: the required capabilities; and the organisational changes required to leverage the capabilities?
        Source: The Information Paradox
    64. Val IT Processes & Key Management Practices
        Value Governance (VG):
        • VG1 Ensure informed and committed leadership
        • VG2 Define and implement processes
        • VG3 Define roles & responsibilities
        • VG4 Ensure appropriate and accepted accountability
        • VG5 Define information requirements
        • VG6 Establish reporting requirements
        • VG7 Establish organisational structures
        • VG8 Establish Strategic Direction
        • VG9 Define investment categories
        • VG10 Determine target portfolio mix
        • VG11 Define evaluation criteria by category
        Portfolio Management (PM):
        • PM1 Maintain human resource inventory
        • PM2 Identify resource requirements
        • PM3 Perform gap analysis
        • PM4 Develop resourcing plan
        • PM5 Monitor resource requirements and utilisation
        • PM6 Establish investment threshold
        • PM7 Evaluate initial programme concept business case
        • PM8 Evaluate & assign relative score to programme business case
        • PM9 Create overall portfolio view
        • PM10 Make and communicate investment decision
        • PM11 Stage-gate (and fund) selected programmes
        • PM12 Optimize portfolio performance
        • PM13 Re-prioritise portfolio
        • PM14 Monitor and report on portfolio performance
        Investment Management (IM):
        • IM1 Develop a high-level definition of investment opportunity
        • IM2 Develop initial programme concept business case
        • IM3 Develop clear understanding of candidate programmes
        • IM4 Perform Alternatives Analysis
        • IM5 Develop Programme plan
        • IM6 Develop Benefits Realisation plan
        • IM7 Identify Full life cycle costs & benefits
        • IM8 Develop detailed programme business case
        • IM9 Assign clear accountability & ownership
        • IM10 Initiate, plan and launch the programme
        • IM11 Manage programme
        • IM12 Manage/track benefits
        • IM13 Update business case
        • IM14 Monitor and report on programme performance
        • IM15 Retire programme
    65. P3M – Projects, Programs, and Portfolios
        • Portfolio Management – Portfolio: a suite of business programmes managed to optimise overall enterprise value
        • Programme Management – Programme: a structured grouping of projects designed to produce clearly identified business value
        • Project Management – Project: a structured set of activities concerned with delivering a defined capability based on an agreed schedule and budget
    66. Val IT – Relationship between Processes & Practices
        [Diagram: process flow with the practices each step draws on – Establish governance framework (VG1-4, 6-7); Provide strategic direction (VG8); Establish portfolio parameters (VG5, VG9-11); Maintain resource profile (PM1-5); Maintain funding profile (PM6); Evaluate & prioritize investments (PM7-10); Move selected investments to active portfolio (PM11); Manage overall portfolio (PM12-13); Monitor & report on portfolio performance (PM14); Identify business req'ts (IM1-2); Define candidate programme (IM3, 5-7); Analyse alternatives (IM4); Document business case (IM8, 13); Assign accountability (IM9); Launch programme (IM10); Manage programme execution (IM11-12); Monitor & report on programme performance (IM14); Retire programme (IM15)]
    67. Val IT Initiative …a value lens into COBIT™
        [Diagram: Val IT (VG, PM, IM) – governance & management of a portfolio of business change programmes – sits as a value lens over COBIT (PO, AI, DS, ME) – governance & management of a portfolio of technology projects, services, systems & supporting infrastructure. Both are framed by the same four questions (Are we doing the right things? Are we doing them the right way? Are we doing them well? Are we getting the benefits?) and by the IT Governance Domains: Strategic Alignment, Value Delivery, Risk Management, Resource Management, Performance Measurement]
    68. Val IT Initiative Status
        DONE:
        • Framework
        • Business Case
        • Case Study (initial)
        IN PROCESS:
        • Extend FW to services & other IT assets/resources & Simplify
        • Maturity Models
        • Management Guidelines
        • Taxonomy
        • QuickStart Guide (1st Qtr. of 2008)
        PLANNED:
        • Business Case v2.0
        • Empirical Analysis
        • Benchmarking
        Available for free download from: [URL not captured] or [URL not captured]
    69. The Business Challenge
        Maximizing value and reducing risk made possible by IT both enables and requires a thorough IT governance approach that:
        • Ensures clarity of, and accountability for, the desired outcomes
        • Enables understanding of the full scope of effort
        • Breaks down the "silos" and "connects the dots"
        • Manages the full economic life-cycle
        • Senses and responds to changes and deviations
        This is a significant leadership challenge, opportunity and responsibility!
    70. The Risk IT Initiative
    71. Risk IT Description
        • A risk management framework that provides the missing link between enterprise risk management and IT management and control, fitting in the overall IT Governance framework of ITGI, and building upon all existing risk-related components within the current frameworks, i.e., COBIT and Val IT
        • A number of related services and products (practical guides, reference data, interfaces/mapping with other standards, …)
    72. Risk IT Actions
        • ITGI Board discussion on this initiative and decision to proceed with full business case development (July 2007)
        • Business Case development (October 2007), including:
          – Market survey
          – Feasibility study
          – High-level design of the product/service
          – Set-up project governance structure, incl. Core Team, expert team, identify project manager(s) and potential resources
          – Define high-level development and roll-out plan
        • ITGI Board approved detailed business case and decision to proceed with full project (November 2007)
        • Risk IT Task Force members appointed (December 2007)
        • First Risk IT Task Force meeting held in Ghent, Belgium on 18-19 January 2008
        • First draft Risk IT planned to be issued by December 2008
    73. Risk IT Processes & Key Management Practices
        As of the 19 January 2008 first Task Force meeting in Ghent, Belgium
        [Diagram: proposed structure – Risk Governance; Risk Management; Risk Monitoring & Reporting; supported by a Risk Inventory, Risk Repository and Glossary; high-level risk management guidance drawn from COSO ERM, AS/NZS 4360, etc]
    74. Risk IT Product Family – Proposed Content & Lifecycle
    75. Relationship of COBIT / Val IT / Risk IT
        [Diagram: governance cycle – Set objectives → Provide direction → Translate direction into strategy → Translate strategy into action → Measure and report performance → Evaluate performance]
        IT Governance (Val IT, Risk IT) – Set objectives:
        • Align business and IT
        • Enable the business and maximise benefits
        • Ensure effective and efficient use of resources
        • Manage IT risk as part of ERM
        • Fulfil compliance requirements
        IT Management (CobiT) – Translate strategy into action:
        • Make the business effective
        • Make the business efficient
        • Manage risks (security, reliability & compliance)
        • Manage service delivery consistency
    76. Certified in the Governance of Enterprise IT (CGEIT)
    77. Questions