Published on

metodologia para auditar sistemas de informacion

Published in: Technology, Business
1 Comment
1 Like
  • It seems to be a complete and useful presentation.
    Are you sure you want to  Yes  No
    Your message goes here
No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • This summarises the different types of audience
  • Explain that there are many management challenges relating to the use of IT. The slide identifies some examples (the same as in the C OBI T ® Foundation Course). To manage this range of issues, a sound management approach is needed. The goals include agreed and aligned objectives for IT, effective controls, and effective tracking of performance. These are the main drivers for IT governance.
  • This slide summarises the main attributes of the C OBI T framework.
  • Strategic alignment focuses on ensuring the linkage of business and IT plans; on defining, maintaining and validating the IT value proposition; and on aligning IT operations with enterprise operations. • Value delivery is about executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimising costs and proving the intrinsic value of IT. • Resource management is about the optimal investment in, and the proper management of, critical IT resources: applications, information, infrastructure and people. Key issues relate to the optimisation of knowledge and infrastructure. • Risk management requires risk awareness by senior corporate officers, a clear understanding of the enterprise’s appetite for risk, understanding of compliance requirements, transparency about the significant risks to the enterprise, and embedding of risk management responsibilities into the organisation. • Performance measurement tracks and monitors strategy implementation, project completion, resource usage, process performance and service delivery, using, for example, balanced scorecards that translate strategy into action to achieve goals measurable beyond conventional accounting.
  • It is normal for C OBI T to be used in conjunction with other good practices, standards and in-house developed guidance. C OBI T can act like an umbrella providing the framework for everything else.
  • CobiT focuses on 5 key areas which we will see during this course are the main elements of IT Governance as well as the issues all commentators and analysts agree are key to IT success Read through each bullet to reinforce each one, saying these will be come clearer as we progress through the two days
  • Control Practices go to the next level down and are a guide for implementation, explaining how to address each objective providing practical considerations. But they are not specific solutions and are therefore generic. Note that during 2003 not all of these are available as they are under development
  • This diagram which is taken from the Management Guidelines book, describes one of the basic principles of IT Governance. Objectives have to be clear and well understood. Management should direct activities to meet these objectives and regularly measure and compare to detect variances that can then be corrected. The diagram shows how the various elements of CobiT support these stages The working of a central heating thermostat as an example
  • COBIT 4.0

    1. 1. CobiT Update NSAA IT Conference Richmond, VA John W. Beveridge September 27, 2007
    2. 2. <ul><li>Deputy State Auditor, Commonwealth of Massachusetts </li></ul><ul><li>Adjunct faculty at Bentley College </li></ul><ul><li>Co-Chair of Commonwealth’s Enterprise Security Board </li></ul><ul><li>Member of Information Systems Auditing Standards Board and Assurance Board </li></ul><ul><li>Member of CobiT Steering Committee, 1993-2003 </li></ul><ul><li>International President of ISACA/F, 1994-1995 </li></ul><ul><li>Served as member of IT Commission, Governor’s Commission on Computer Crime, Governor’s Commission on Computer Technology and Law, & Governor’s Task Force on E-Commerce </li></ul><ul><li>e-mail: [email_address] </li></ul>John Beveridge, CISA, CISM, CGFM, CFE, CQA
    3. 3. <ul><li>Authoritative, up-to-date, international set of generally accepted IT control objectives and control practices for day-to-day use by business managers and auditors. </li></ul><ul><li>Structured and organized to provide a powerful control model and evaluative tool </li></ul>What is CobiT?
    4. 4. <ul><li>Focuses on information having integrity, being secure, and available. </li></ul><ul><li>Management-oriented </li></ul><ul><li>Supports corporate and IT governance </li></ul><ul><li>Process-oriented </li></ul><ul><li>Controls-based </li></ul><ul><li>Measurement-driven </li></ul><ul><li>Based on a Strong Foundation and Sound Principles of Internal Control </li></ul>CobiT's Scope
    5. 5. C OBI T <ul><li>Promotes an improved focus on business information requirements </li></ul><ul><li>Helps ensure that IT processes are defined and that responsibilities are assigned </li></ul><ul><li>Supports management’s efforts to demonstrate due diligence </li></ul><ul><li>Serves as excellent criteria for evaluation </li></ul><ul><li>Strengthens the understanding, design, implementation, exercise, and evaluation of internal control </li></ul>
    6. 6. <ul><li>“ Right ” information, to only the “ right ” party, in the “ right ” format, at the “ right ” time, at the “ right ” cost. </li></ul><ul><li>Information that is relevant, reliable, secure, and available. </li></ul><ul><li>Information provided by systems that have integrity by means of a well-managed and properly controlled IT environment . </li></ul>Focus on Information and IT Management
    7. 7. <ul><li>To Those Individuals Who are Interested in and Responsible for the Management and Evaluation of Information Technology </li></ul><ul><ul><li>Management </li></ul></ul><ul><ul><li>IT & Business Users </li></ul></ul><ul><ul><li>Auditors / Advisors </li></ul></ul><ul><ul><li>Academics & Students of Management and IT </li></ul></ul><ul><ul><li>Legislators, Regulators, Oversight Bodies </li></ul></ul><ul><ul><li>Vendors </li></ul></ul><ul><ul><li>Who is C OBI T aimed at? </li></ul></ul>
    8. 8. <ul><li>Need for better operational controls </li></ul><ul><li>Importance of technology </li></ul><ul><li>Risks associated with an ever changing technology environment </li></ul><ul><li>Demand for recognizable value </li></ul><ul><li>Need to hold senior management accountable and strengthen governance </li></ul>CobiT was Driven from Recognition of
    9. 9. <ul><li>Achieving sufficient value from IT to support the entity’s mission within a complex, vulnerable and ever changing environment </li></ul><ul><li>Adequately managing risk with increasing IT dependence </li></ul><ul><li>Effectively dealing with the scale and cost of current and future IT investments </li></ul><ul><li>Protecting operations and IT resources against increasing vulnerabilities and a wide spectrum of threats </li></ul>The Challenge of Managing IT
    10. 10. <ul><li>Being able to adequately track and measure IT performance in support of business objectives </li></ul><ul><li>Obtaining adequate assurance for the integrity, security and availability of IT systems </li></ul><ul><li>Being able to demonstrate due diligence in meeting IT governance objectives </li></ul>The Challenge of Managing IT
    11. 11. <ul><li>Today, we are no longer just automating an established business process. </li></ul><ul><li>Instead, we are using technology to expand business process capabilities and management decision making -- It is about IT-enabled change. </li></ul><ul><li>Poorly-managed IT places the integrity, security, and availability of data and systems at risk and increases the likelihood of unrealized benefit. </li></ul>Criticality of Managing IT
    12. 12. Management Issues <ul><li>Difficulty of obtaining adequate assurance that operational and control objectives are being addressed and will be met </li></ul><ul><li>Not being sufficiently aware of the impact of technology on control assessment </li></ul><ul><li>Not knowing who is really responsible for system integrity, security, and availability </li></ul><ul><li>Having cluttered or defused points of accountability for IT processes across the organization </li></ul>
    13. 13. Management Issues <ul><li>Not recognizing that we often manage IT as if it were separate from the enterprise when in fact it is highly integrated with business operations </li></ul><ul><li>Uncoordinated strategic planning between business and IT operations </li></ul><ul><li>Outsourcing without adequate monitoring and evaluation </li></ul>
    14. 14. Management Issues <ul><li>There are a whole host of folks who pose a real danger to IT systems </li></ul><ul><li>Meeting privacy requirements </li></ul><ul><li>Failing to meet regulatory or legal requirements </li></ul><ul><li>Having a false sense of security </li></ul><ul><li>Achieving adequate value to support the entity’s mission </li></ul>
    15. 15. Management Questions <ul><li>Is IT well managed? </li></ul><ul><ul><li>Are we doing the right things? </li></ul></ul><ul><ul><li>Are we doing them the best way? </li></ul></ul><ul><ul><li>Are they being done well? </li></ul></ul><ul><ul><li>Are we achieving desired benefits? </li></ul></ul><ul><li>Is IT properly controlled? </li></ul><ul><li>Do we exercise and can we demonstrate due diligence? </li></ul><ul><li>Are the information technology drivers in sync with the agency’s mandates and business goals? </li></ul>
    16. 16. <ul><li>How do responsible managers keep the ship on course? …… keep it afloat? </li></ul><ul><li>How do we achieve satisfactory results for our citizens and stake-holders? </li></ul><ul><li>How do we adapt in a timely manner to “best practices” for our organization’s environment? </li></ul>Management Questions
    17. 17. <ul><li>To establish and maintain course . . . and afloat </li></ul><ul><ul><li>Strategic and tactical planning, monitoring and evaluation – dashboards with indicators – </li></ul></ul><ul><ul><li>Disaster recovery and BCP to keep it afloat </li></ul></ul><ul><li>To achieve satisfactory results for our customers and stake-holders </li></ul><ul><ul><li>Measurement processes, balanced scorecard, etc. </li></ul></ul><ul><li>To adapt in a timely manner to “best practices” for our organization’s environment </li></ul><ul><ul><li>Benchmarking, CMM comparisons </li></ul></ul>Assessing the Entity's Ability:
    18. 18. IT Value <ul><li>How do we manage to achieve acceptable IT value? </li></ul><ul><li>What policies, practices and assurance mechanisms do we apply to the “right” resources to achieve value? </li></ul><ul><li>What guidance is there to assist management in understanding IT processes and how to achieve IT process results? </li></ul><ul><li>What standards should be applied to our IT environment? </li></ul><ul><li>How do we address governance? </li></ul>
    19. 19. <ul><li>Many organizations recognize the potential benefits of technology </li></ul><ul><li>The successful organizations: </li></ul><ul><ul><li>Understand that IT is more than an enabler </li></ul></ul><ul><ul><li>Understand and manage the risks associated with implementing new technologies </li></ul></ul><ul><ul><li>Keep a keen eye on the mission and goals, and </li></ul></ul><ul><ul><li>Know where they are through measured progress and monitoring and evaluation </li></ul></ul>Need for IT Governance Control Framework
    20. 20. Organizations require a structured approach for managing these and other challenges. Need to ensure that IT objectives are agreed to, good management controls are in place, and there is effective monitoring of performance to keep on track and avoid unexpected outcomes. <ul><ul><li>The Need for IT Governance </li></ul></ul>Keeping IT Running Security Value/Cost Managing Complexity Aligning IT with Business Regulatory Compliance
    21. 21. <ul><li>CobiT underscores the importance to recognize: </li></ul><ul><ul><li>Optimizing value, safeguarding, and ensuring the availability of technology is an entity or senior management issue, not just an IT management issue </li></ul></ul><ul><ul><li>Business and IT goals depend on our understanding of how to dynamically apply IT, measure results, and engage IT and business process management </li></ul></ul><ul><ul><li>Requires understanding of what we want the technology to do, and how we are going to measure success </li></ul></ul>Need for IT Governance Control Framework
    22. 22. <ul><li>COBIT: </li></ul><ul><li>Starts from business requirements </li></ul><ul><li>Is process-oriented, organizing IT activities into a generally accepted process model </li></ul><ul><li>Identifies the major IT resources to be leveraged </li></ul><ul><li>Defines the management control objectives to be considered </li></ul><ul><li>Incorporates major international standards </li></ul><ul><li>Has become the de facto standard for overall control of IT </li></ul>COBIT helps bridge the gaps between business risks, control needs and technical issues. It provides good practices across a domain and process framework and presents activities in a manageable and logical structure. IT resources need to be managed by a set of naturally grouped processes. C OBI T provides a framework that achieves this objective. <ul><ul><li>COBIT Provides a Framework for IT Governance </li></ul></ul>
    23. 23. How Does C OBI T View IT Governance? <ul><li>Consists of leadership, organizational structures, and processes that ensure that IT sustains and extends the enterprise’s strategies and objectives </li></ul><ul><li>IT governance is the responsibility of executives and the board of directors </li></ul>
    24. 24. IT Governance Objectives <ul><li>IT is aligned with the business and enables the business to maximize benefit </li></ul><ul><li>IT resources are safeguarded and used in a responsible and ethical manner </li></ul><ul><li>IT-related risks are addressed through appropriate controls and managed to minimize risk and exposure </li></ul>
    25. 25. IT Governance <ul><li>Integrates and institutionalizes good practices to ensure that IT supports the business objectives. </li></ul><ul><li>Enables the enterprise to take advantage of its information and IT resources to maximize benefit and capitalize on opportunities. </li></ul>
    26. 26. C OBI T IT Governance <ul><li>IT is aligned with the business </li></ul><ul><li>IT enables the business and maximizes benefits </li></ul><ul><li>IT resources are used responsibly </li></ul><ul><li>IT risks are managed appropriately </li></ul>
    27. 27. IT Governance Focus Areas <ul><li>Strategic alignment </li></ul><ul><li>Value delivery </li></ul><ul><li>Resource management </li></ul><ul><li>Risk management </li></ul><ul><li>Performance measurement </li></ul>
    28. 28. IT Governance Focus Areas <ul><li>Strategic Alignment focuses on ensuring the linkage of business and IT plans; defining, maintaining and validating the IT value proposition; and aligning IT operations with enterprise operations. </li></ul><ul><li>Value Delivery is about executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimizing costs and proving the intrinsic value of IT. </li></ul>
    29. 29. IT Governance Focus Areas <ul><li>Resource Management is about the optimal investment in, and the proper management of, critical IT resources: applications, information, infrastructure and people. Key issues relate to the optimization of knowledge and infrastructure. </li></ul><ul><li>Risk Management requires risk awareness by senior corporate officers, a clear understanding of the enterprise’s appetite for risk, understanding of compliance requirements, transparency about the significant risks to the enterprise and embedding of risk management responsibilities into the organization. </li></ul>
    30. 30. IT Governance Focus Areas <ul><li>Performance Measurement tracks and monitors strategy implementation, project completion, resource usage, process performance and service delivery, using, for example, balanced scorecards that translate strategy into action to achieve goals measurable beyond conventional accounting. </li></ul>
    31. 31. What Should Management Do? <ul><li>Inquire : Ask the right questions </li></ul><ul><li>Focus on IT’s </li></ul><ul><ul><li>Alignment with the agency objectives </li></ul></ul><ul><ul><li>Value delivery </li></ul></ul><ul><ul><li>Risk management </li></ul></ul><ul><li>Adopt an IT governance framework </li></ul><ul><li>Focus on important IT processes and core IT competencies </li></ul><ul><li>Embed responsibilities for IT security and management in the organization </li></ul><ul><li>Measure performance and results </li></ul>
    32. 32. To Manage and Control IT, C OBI T Recommends : <ul><li>Employing fundamentals of IT governance </li></ul><ul><li>Understanding strategic value of IT </li></ul><ul><li>Understanding and managing associated risks </li></ul><ul><li>Exercising appropriate frameworks of control </li></ul><ul><li>Having mechanisms to provide adequate assurance that IT governance objectives are addressed </li></ul>
    33. 33. Agencies Need Assurance <ul><li>That information and systems can be relied upon </li></ul><ul><li>That operations are adequately controlled </li></ul><ul><li>That information has integrity, is protected, and will be available </li></ul><ul><li>That due diligence and compliance with good business practices can be demonstrated. </li></ul><ul><li>CobiT provides the control criteria and evaluation methodology </li></ul>
    34. 34. CobiT is an Authoritative Source <ul><li>Built on a sound framework of control and IT-related control practices. </li></ul><ul><li>Aligned with de jure and de facto standards and regulations. </li></ul><ul><li>Subject to extensive review and exposure. </li></ul><ul><li>Aligned with control models, standards and best practices for IT management </li></ul>
    35. 35. C OBI T’s View of the Definition of Control Why Control Information Systems? <ul><li>The answer lies in the realm of what the business wants: </li></ul><ul><ul><li>to accomplish and </li></ul></ul><ul><ul><li>avoid </li></ul></ul><ul><li>It therefore falls to the spectrum of: </li></ul><ul><ul><li>objectives and </li></ul></ul><ul><ul><li>risks </li></ul></ul>
    36. 36. C OBI T’s View of the Definition of Control <ul><li>The Objectives and Risks become </li></ul><ul><li>Value Drivers and Risk Drivers in C OBI T </li></ul>
    37. 37. Control (as defined by COBIT) <ul><li>The policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected. </li></ul>
    38. 38. To Achieve Business Objectives To Avoid Risks, Threats and Exposures Control (as defined by COBIT) The policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected. Source: COBIT Control Objectives. P. 12.
    39. 39. CobiT promotes a healthy understanding about “reasonable assurance” and “residual risk” Knowing the acceptable levels for reasonable assurance and residual risk is a critical success factor for designing and managing an adequate framework of control
    40. 40. Assurance Level 100% Residual Risk 0% Reasonable Assurance
    41. 41. Relation to Other Control Models <ul><li>CobiT is in alignment with other control models: </li></ul><ul><ul><li>COSO </li></ul></ul><ul><ul><li>COCO </li></ul></ul><ul><ul><li>Cadbury </li></ul></ul><ul><ul><li>King </li></ul></ul>
    42. 42. Organizations will consider and use a variety of IT models, standards and best practices. They must be understood to consider how they can be used together, with COBIT acting as the consolidator (‘umbrella’). C OBI T ISO 9000 ISO 17799 ITIL COSO WHAT HOW <ul><ul><li>C OBI T and Other IT Management Frameworks </li></ul></ul>SCOPE OF COVERAGE
    43. 43. C OBI T Cube The COBIT framework describes how IT processes deliver the information that the business needs to achieve its objectives. For controlling this delivery, COBIT provides three key components, each forming a dimension of the COBIT cube. Business Requirements for Information Criteria IT Resources IT Processes
    44. 44. C OBI T: Premise <ul><li>The COBIT framework is based on the premise that IT needs to deliver the information that an enterprise requires to achieve its objectives. </li></ul><ul><li>The COBIT framework helps align IT with the business by focusing on business information requirements and organising IT resources. COBIT provides the framework and guidance to implement IT governance. </li></ul>i IT Resources and Processes Information Business Processes Business Objectives provide to for achieving
    45. 45. IT Resource Management <ul><li>CobiT underscores and demonstrates that IT resources need to be managed by naturally grouped processes to provide organizations with type and quality of information required to achieve organizational objectives. </li></ul>
    46. 46. C OBI T C OBI T is a valuable IT governance tool that helps in the understanding and management of risks and benefits associated with information integrity, security, and availability, and the management of related technology.
    47. 48. <ul><li>Addresses key attributes of information produced by IT. </li></ul><ul><li>Links recommended control practices for IT to business and control objectives. </li></ul><ul><li>Provides guidance in implementing and evaluating the appropriateness of IT-related management control practices. </li></ul>CobiT
    48. 49. Where is C OBI T Today?
    49. 50. How is CobiT Focused? <ul><li>IT Governance – better coverage with governance practices </li></ul><ul><li>Business requirements – better business to IT linkages with cascading goals and supporting metrics </li></ul><ul><li>Harmonization – improved integration with key practices </li></ul><ul><li>Value Creation – extended focus on IT investment </li></ul><ul><li>Enterprise architecture - process structure and resources </li></ul><ul><li>Process definitions and process flows – improved descriptions, activities, inputs and output </li></ul><ul><li>Language and presentation – more concise in presentation, action-oriented, control model and management guidelines are consolidated into one document </li></ul>
    50. 51. What are the key COBIT Documents? <ul><li>Control Objectives define what needs to be done to implement an effective control structure to improve IT performance and address IT solutions and service delivery risks. </li></ul><ul><li>Control Practices provides guidance on the risks to be avoided and value to be gained from implementing a control objective, and instruction on how to implement the objective. </li></ul><ul><li>IT Assurance Guide provides guidance for the assurance team with a structured assurance approach linked to the C OBI T framework that is understandable for business and IT professionals </li></ul>
    51. 52. C OBI T and Related Products Provides guidance on how COBIT can be used to support a variety of assurance activities together with suggested testing steps for all the IT processes and control objectives IT Assurance Guide Provide guidance on why the control objectives are worth implementing and how to implement them Control Practices Provides a generic road map for implementing IT governance using the COBIT and Val IT resources IT Governance Implementation Guide COBIT is an IT governance framework and supporting tool set that allows managers to bridge the gap between control requirements, technical issues and business risks. C OBI T 4.1 To help overcome these barriers by explaining information security in business terms. It comes complete with tools and techniques to help managers uncover security-related problems Information Security Governance To help executives understand why IT governance is important, what its issues are and what their responsibility is for managing it Board Briefing on IT Governance
    52. 53. C OBI T and Related Products To overview and various mappings of COBIT to other international guidance have been published by ITGI, such as CMM, ISO17799. COBIT Mapping Series To explain to business users and senior management the value of IT best practices and how harmonization, implementation and integration of best practices (COBIT, ITIL and ISO/IEC 17799) may be made easier. Aligning COBIT, ITIL and ISO 17799 To provides guidance on how to ensure compliance for the IT environment based on the COBIT control objectives related to financial reporting. IT Control Objectives for Sarbanes-Oxley To summarized version of the COBIT resources, focusing on the most crucial IT processes, control objectives and metrics, all presented in an easy-to-follow format to help users gain the benefits of COBIT quickly. COBIT Quickstart To provides guidance for managing an organization’s portfolio of IT-enabled business investments and for maximizing the quality of business cases for IT-enabled business investments. Val IT To focuses on IT security risk in a way that is simple to follow and implement for everyone, from the home user or small- to medium-sized enterprise to executives and board members of larger organizations. COBIT Security Baseline (available 3rd quarter 2007)
    53. 54. C OBI T and Related Products
    54. 56. Control Objectives Framework Control Objectives Management Guidelines Maturity Models
    55. 57. <ul><li>Focus on IT Alignment by linking Information Criteria, IT Resources and IT Goals to Business Goals </li></ul><ul><li>Focus on Value Delivery by using value-oriented IT goals to focus on the IT processes that are critical to deliver effectively </li></ul><ul><li>Focus on Risk Management by using risk-oriented IT goals to focus on the IT processes that are needed to manage risk </li></ul><ul><li>Focus on Resource Management by using Maturity Models to ensure there is a capability to deliver </li></ul><ul><li>Focus on Performance Management by using metrics and scorecards to ensure plans are on track and deviations are identified and corrected </li></ul><ul><ul><li>C OBI T Objectives - IT Governance Topics </li></ul></ul>
    56. 59. Concise Control Objectives CobiT 4.1 CobiT 4.0 PO5.1 Financial Management Framework Establish a financial framework for IT that drives budgeting and cost/benefit analysis, based on investment, service and asset portfolios. Maintain the portfolios of IT-enabled investment programmers, IT services and IT assets, which form the basis for the current IT budget. Provide input to business cases for new investments, taking into account current IT asset and service portfolios. New investments and maintenance to service and asset portfolios will influence the future IT budget. Communicate the cost and benefit aspects of these portfolios to the budget prioritization, cost management and benefit management processes. PO5.1 Financial Management Framework Establish and maintain a financial framework to manage the investment and cost of IT assets and services through portfolios of IT enabled investments, business cases and IT budgets. PO1.2 Business-IT Alignment Educate executives on current technology capabilities and future directions, the opportunities that IT provides, and what the business has to do to capitalize on those opportunities. Make sure the business direction to which IT is aligned is understood. The business and IT strategies should be integrated, clearly linking enterprise goals and IT goals and recognizing opportunities as well as current capability limitations, and broadly communicated. Identify where the business (strategy) is critically dependent on IT and mediate between imperatives of the business and the technology, so agreed priorities can be established. PO1.2 Business-IT Alignment Establish processes of bi-directional education and reciprocal involvement in strategic planning to achieve business and IT alignment and integration. Mediate between business and IT imperatives so priorities can be mutually agreed.
    57. 62. Framework Update
    58. 63. C OBI T Framework <ul><li>Documents relationships among information criteria, IT resources, and IT processes </li></ul><ul><li>Links control objectives and control practices to business processes and business objectives </li></ul><ul><li>Assists in confirming that appropriate IT processes (and practices) are in place </li></ul><ul><li>Facilitates evaluation and assurance methods </li></ul>
    59. 64. Information Criteria -- The 1st Component <ul><li>Effectiveness </li></ul><ul><li>Efficiency </li></ul><ul><li>Confidentiality </li></ul><ul><li>Integrity </li></ul><ul><li>Availability </li></ul><ul><li>Compliance </li></ul><ul><li>Reliability </li></ul>
    60. 65. IT Resources -- The 2nd Component <ul><li>Application Systems </li></ul><ul><li>Information </li></ul><ul><li>Infrastructure </li></ul><ul><li>People </li></ul>
    61. 66. IT Process Domains -- The 3rd Component <ul><li>Plan and Organize </li></ul><ul><li>Acquire and Implement </li></ul><ul><li>Deliver and Support </li></ul><ul><li>Monitor and Evaluate </li></ul>
    62. 67. C OBI T Process Model <ul><li>Subdivides IT into four domains </li></ul><ul><li>34 processes in line with the domains </li></ul><ul><li>Responsibility areas of plan, build, run and monitor, providing an end-to-end </li></ul><ul><li>Enterprise architecture concepts help identify the resources essential for process success </li></ul>
    63. 68. What Are the Main Changes?
    64. 69. C OBI T Domains : Information Processes (3rd Component) Feedback Feedback Feedback Plan and Organize Acquire and Implement Deliver and Support Monitor and Evaluate
    65. 70. C OBI T Framework <ul><li>To provide the information that the enterprise requires to achieve its objectives, the enterprise needs to invest in and manage and control IT resources using a structured set of processes in order to provide the services that deliver the required enterprise information. </li></ul>Basic COBIT Principle
    66. 71. CobiT Framework <ul><li>Helps one understand the: </li></ul><ul><ul><li>relationship of controls to control objectives, </li></ul></ul><ul><ul><li>importance of focusing on control objectives and their relationship to the business organization and its business processes, and </li></ul></ul><ul><ul><li>value of managed processes and resources to attain data integrity, security and availability. </li></ul></ul>
    67. 73. CobiT is Business-focused <ul><li>Business orientation is the main theme of C OBI T. </li></ul><ul><li>Designed to be used by IT service providers, users and auditors, and to also provide comprehensive guidance for management and business process owners. </li></ul>
    68. 74. Business Orientation of C OBI T <ul><li>Links business goals to IT goals </li></ul><ul><li>Provides metrics and maturity models to measure their achievement </li></ul><ul><li>Identifies the associated responsibilities of business and IT process owners. </li></ul>
    69. 75. Business Goals <ul><li>Financial Perspective </li></ul><ul><ul><li>Expand market share </li></ul></ul><ul><ul><li>Increase revenue </li></ul></ul><ul><ul><li>Return on Investment </li></ul></ul><ul><ul><li>Optimize asset utilization </li></ul></ul><ul><ul><li>Manage business risks </li></ul></ul><ul><li>Customer Perspective </li></ul><ul><ul><li>Improve customer orientation and service </li></ul></ul><ul><ul><li>Offer competitive products and service </li></ul></ul><ul><ul><li>Service availability </li></ul></ul><ul><ul><li>Agility in responding to changing business requirements </li></ul></ul><ul><ul><li>Cost optimization of service delivery </li></ul></ul>
    70. 76. Business Goals <ul><li>Internal Perspective </li></ul><ul><ul><li>Automate and integrate the business value chain </li></ul></ul><ul><ul><li>Improve and maintain business process functionality </li></ul></ul><ul><ul><li>Lower process costs </li></ul></ul><ul><ul><li>Compliance with external laws and regulations </li></ul></ul><ul><ul><li>Transparency </li></ul></ul><ul><ul><li>Compliance with internal policies </li></ul></ul><ul><ul><li>Improve and maintain operational and staff productivity </li></ul></ul><ul><li>Learning and Growth Perspective </li></ul><ul><ul><li>Product and business innovation </li></ul></ul><ul><ul><li>Obtain reliable and useful information for strategic decision making </li></ul></ul><ul><ul><li>Acquire and maintain skilled and motivated personnel </li></ul></ul>
    71. 77. IT Goals <ul><li>Respond to business requirements in alignment with business strategy </li></ul><ul><li>Respond to governance requirements in line with board direction </li></ul><ul><li>Ensure the satisfaction of end users with service offerings and service levels </li></ul><ul><li>Optimize the use of information </li></ul><ul><li>Create IT agility </li></ul><ul><li>Define how business function and control requirements are translated in effective and efficient automated solutions </li></ul><ul><li>Acquire and maintain integrated and standardized application systems </li></ul><ul><li>Acquire and maintain and integrated and standardized infrastructure </li></ul>
    72. 78. IT Goals <ul><li>Acquire and maintain IT skills that respond to the IT strategy </li></ul><ul><li>Ensure mutual satisfaction of third-party relationships </li></ul><ul><li>Seamlessly integrate applications and technology solutions into business processes </li></ul><ul><li>Ensure transparency and understanding of IT cost, benefits, strategy, policies and service levels </li></ul><ul><li>Ensure proper use and performance of the applications and technology solutions </li></ul><ul><li>Account for and protect all IT assets </li></ul><ul><li>Optimize the IT infrastructure, resources and capabilities </li></ul><ul><li>Reduce solution and service delivery defects and rework </li></ul><ul><li>Protect the achievement of IT objectives </li></ul><ul><li>Establish clarity of business impact of risks to IT objectives and resources </li></ul>
    73. 79. IT Goals <ul><li>Ensure critical and confidential information is withheld from those who should not have access to it </li></ul><ul><li>Ensure automated business transactions and information exchanges can be trusted </li></ul><ul><li>Ensure IT services and infrastructure can properly resist and recover from failures due to error, deliberate attack or disaster </li></ul><ul><li>Ensure minimum business impact in the event of an IT service disruption or change </li></ul><ul><li>Make sure that IT service are available as required </li></ul><ul><li>Improve IT’s cost-efficiency and its contribution to business profitability </li></ul><ul><li>Deliver projects on time and on budget meeting quality standards </li></ul><ul><li>Maintain the integrity of information and processing infrastructure </li></ul><ul><li>Ensure IT compliance with laws and regulations </li></ul><ul><li>Ensure that IT demonstrates cost-efficient service quality, continuous improvement and readiness for future change </li></ul>
    74. 81. Linking Business Goals to IT Goals <ul><li>An Example: </li></ul><ul><ul><li>The business goal of increasing revenue is linked to IT goals numbers 25 and 28, which are: </li></ul></ul><ul><ul><ul><li>“ Deliver projects on time and on budget meeting quality standards” and </li></ul></ul></ul><ul><ul><ul><li>“ Ensure that IT demonstrates cost-efficient service quality, continuous improvement and readiness for future change” </li></ul></ul></ul>
    75. 83. Linking IT Goals to IT Processes <ul><li>Example of linking IT goals to IT processes: </li></ul><ul><ul><li>The IT goal of optimizing the use of information is linked to IT processes PO2 and DS11 (information architecture and managing data) </li></ul></ul>
    76. 85. The WATERFALL Navigation Aid -- High Level Control Objectives for Each Process High-Level Control Objective Users satisfaction Is measured by The control of which satisfy is focusing on Is achieved by IT Processes Business Requirements Control Statements Control Practices
    77. 87. “ RACI” Chart <ul><li>Identifies who is R esponsible, A ccountable, C onsulted and/or I nformed </li></ul><ul><li>Addresses considerations for points of accountability </li></ul><ul><li>Addresses issues of communication and desired input (who would be consulted) </li></ul><ul><li>Rather than titles, think of positions in terms of roles </li></ul><ul><li>Depending on the size of the organization or the IT function, several roles may be combined </li></ul>
    78. 88. Primary Inputs and Outputs <ul><li>CobiT identifies from where primary inputs are obtained for each process </li></ul><ul><li>The inputs are identifies and where they came from </li></ul><ul><li>Also identifies to which IT processes the process provides output to </li></ul><ul><li>The outputs (from the process) are identified to where they would be directed </li></ul>
    79. 90. Metrics <ul><li>Performance measurement is essential for IT governance. </li></ul><ul><li>Requires setting and monitoring measurable objectives of what the IT processes need to deliver (process outcome) and how they deliver it (process capability and performance). </li></ul>
    80. 91. Metrics <ul><li>Activity Goals tells us how well the process is performing </li></ul><ul><ul><li>Measured by KPIs </li></ul></ul><ul><li>Process Goals tell us what IT must deliver </li></ul><ul><ul><li>Measured by Key Goal indicators </li></ul></ul><ul><li>IT Goals tell us what we expect from IT </li></ul><ul><ul><li>Measured by Key Goal Indicators </li></ul></ul>
    81. 95. Use of Maturity Models <ul><li>The assessment of process capability based on the C OBI T maturity models is a key part of IT governance implementation. </li></ul><ul><li>Enables gaps in capability to be identified and demonstrated to management. </li></ul><ul><li>Action plans can then be developed </li></ul>
    82. 97. Control Practices Control Practices Control Objectives Value Drivers Risk Drivers
    83. 98. Control Design <ul><li>Necessary and sufficient steps </li></ul><ul><li>Roles & responsibilities </li></ul><ul><li>Characteristics </li></ul><ul><li>Generic and specific practices </li></ul><ul><li>Active and passive </li></ul><ul><li>Input, outputs, activities </li></ul>
    84. 99. IT Control Practices <ul><li>Provides guidance on risks to avoided and value to be gained </li></ul><ul><li>Provides detailed guidance on specific controls needed to address high-level and detailed control objectives </li></ul><ul><li>Provides guidance on how, why and what to implement to improve IT performance </li></ul><ul><li>Includes key elements of value and risk statements and control practices </li></ul>
    85. 100. IT Control Practices <ul><li>Describing the different necessary and sufficient steps to achieve a control objective </li></ul><ul><li>Action-oriented, enabling timely execution and measurable </li></ul><ul><li>Relevant to the purpose of the control objective </li></ul><ul><li>Supporting clear roles and responsibility including segregation </li></ul>
    86. 101. <ul><li>The benefits listed under ‘why do it’ are tangible and motivate to implement controls </li></ul><ul><li>The set of control practices is complete (e.g. key controls) and implementation satisfies the control objective </li></ul><ul><li>Control practices listed are generally accepted as good business practice </li></ul><ul><li>Control practices suggest sustainable solutions </li></ul><ul><li>The control practices are effective in addressing the risk linked to not achieving the detailed control objective </li></ul><ul><li>The control practices suggest efficient solutions </li></ul><ul><li>The wording of the control practices is concise while providing clear and unambiguous guidance on what is expected for implementation </li></ul><ul><li>The control practices are realistic </li></ul><ul><ul><li>Control Practices Characteristics: </li></ul></ul>
    87. 102. IT Assurance Guide Need for IT Governance and Assurance The CobiT Framework IT Assurance Approaches How CobiT Supports IT Assurance Activities
    88. 103. Approach <ul><li>Testing of a control approach covering 4 assurance objectives </li></ul><ul><ul><ul><li>Existence </li></ul></ul></ul><ul><ul><ul><li>Design effectiveness </li></ul></ul></ul><ul><ul><ul><li>Operating effectiveness (implemented, consistent application and proper use) </li></ul></ul></ul><ul><ul><ul><li>Design and operating efficiency (cost/benefit and possible use of automation) </li></ul></ul></ul><ul><li>Providing 3 types of assurance guidance </li></ul><ul><ul><ul><li>Testing the suggested control design </li></ul></ul></ul><ul><ul><ul><li>Testing control objective achievement </li></ul></ul></ul><ul><ul><ul><li>Documenting impact of control weaknesses </li></ul></ul></ul>IT Assurance Steps
    89. 104. Approach <ul><li>Tests based on a documented taxonomy of relevant assurance methods </li></ul><ul><ul><ul><li>Enquire and confirm (via different source) </li></ul></ul></ul><ul><ul><ul><li>Inspect (walk-through, search, compare, review) </li></ul></ul></ul><ul><ul><ul><li>Observe (confirmation is inherent) </li></ul></ul></ul><ul><ul><ul><li>Re-perform or re-calculate and analyze (often based on a sample) </li></ul></ul></ul><ul><ul><ul><li>Automated evidence collection (sample, trace, extract) and analyze </li></ul></ul></ul>IT Assurance Steps
    90. 108. 1 Using CobiT
    91. 109. <ul><ul><li>CobiT provides the basis for IT Governance </li></ul></ul>CobiT Links business goals to IT Goals CobiT Framework provides a common understanding of IT’s role CobiT IT Processes and Maturity Models focus on IT capability CobiT KGIs and KPIs enable measurement Provide Direction Compare Measure Performance IT Activities <ul><li>Increase automation (make the business </li></ul><ul><li>effective) </li></ul><ul><li>Decrease cost </li></ul><ul><li>(make the enterprise efficient) </li></ul><ul><li>Manage risks </li></ul><ul><li>(security, reliability and compliance) </li></ul><ul><li>IT is aligned with the </li></ul><ul><li>business </li></ul><ul><li>IT enables the </li></ul><ul><li>business and </li></ul><ul><li>maximizes benefits </li></ul><ul><li>IT resources are used </li></ul><ul><li>responsibly </li></ul><ul><li>IT-related risks are </li></ul><ul><li>managed appropriately </li></ul>Set Objectives
    92. 110. Using CobiT <ul><li>From an organizational perspective, entities should use control models such as COSO and CobiT along with generally accepted control practices to build and exercise appropriate controls to help manage their entities. </li></ul>
    93. 111. Strong Basis for Policy Development <ul><li>Use CobiT as a basis to develop or strengthen policies and control practices </li></ul><ul><li>Compare existing policies and standard procedures against CobiT </li></ul><ul><li>Conduct high-level and detailed policy reviews </li></ul>
    94. 112. Using CobiT Matrices to Focus on: <ul><li>IT Functions </li></ul><ul><ul><li>Their importance? </li></ul></ul><ul><ul><li>Level of performance? </li></ul></ul><ul><ul><li>Control documentation? </li></ul></ul><ul><li>Responsible Parties of IT </li></ul><ul><ul><li>Performed by? </li></ul></ul><ul><ul><li>Contracted services? </li></ul></ul><ul><ul><li>Primary responsible party? </li></ul></ul><ul><li>Risk Assessment </li></ul><ul><ul><li>Importance, level of risk, control documentation? </li></ul></ul>
    95. 113. CobiT’s Evaluation Focus <ul><li>What is most critical to the business? </li></ul><ul><li>What are the CSFs? </li></ul><ul><li>What are the risks and threats? </li></ul><ul><li>How robust and appropriate does the internal control structure appear? </li></ul><ul><li>What are management’s concerns? </li></ul>
    96. 114. Risks to the Entity? <ul><li>Unaware of the risks </li></ul><ul><li>Poor understanding of CSFs </li></ul><ul><li>Absence of KPIs </li></ul><ul><li>No “scorecard” or basis of measurement </li></ul><ul><li>Absence of monitoring and evaluation </li></ul><ul><li>Weak IT control environment </li></ul><ul><li>Unknown loss of data or system integrity </li></ul>
    97. 115. C OBI T Focuses on Risk-Based Approach <ul><li>Focuses on the entity from a management perspective </li></ul><ul><li>Emphasis on knowledge of the business and the technology </li></ul><ul><li>Focus on assessing the effectiveness of a “combination” of controls </li></ul><ul><li>Linkage between risk assessment and testing focusing on control objectives </li></ul>
    98. 116. To Address Outsourced Services <ul><li>Determine whether desired processes are in place and establish accountability </li></ul><ul><li>Agree on levels of control, measurement and evaluation </li></ul><ul><li>Use CobiT to help design service contracts by identifying deliverables and responsibilities </li></ul><ul><li>Use CobiT for ongoing monitoring and evaluation of providers and partners </li></ul>
    99. 117. Recap: CobiT Recognizes <ul><li>IT is an integral part of the organization </li></ul><ul><li>IT governance is an integral part of corporate governance </li></ul><ul><li>Focus on control objectives can strengthen appropriateness and use of internal controls </li></ul><ul><li>Measurement is crucial to internal control </li></ul><ul><li>Monitoring and evaluation are integral to a system of internal control </li></ul>
    100. 119. Interrelationships of CobiT Components
    101. 120. C OBI T Content Diagram CobiT and Val IT frameworks Control Objectives Key Management Pratices IT Governance Implementation Guide, 2 nd Edition CobiT Control Practices 2 nd Edition IT Assurance Guide
    102. 121. CobiT Update <ul><li>Freely downloadable from: </li></ul><ul><li>For questions and assistance: </li></ul><ul><li>John W. Beveridge </li></ul><ul><li>617-727-6200 x 135 </li></ul><ul><li>Best to email me at: </li></ul><ul><li>[email_address] </li></ul><ul><ul><ul><li>Thank You </li></ul></ul></ul>