Governance and Management of Enterprise IT with COBIT 5 Framework
This courseware was designed for the training entitled 'Governance and Management of Enterprise IT with COBIT 5 Framework' with the objective of understanding COBIT 5 Framework as well as achieving IT Governance effectiveness using the respective framework.

Usage Rights: CC Attribution-NonCommercial License

  • Hi,

    Can you please share the link to download your slide decks, they are really worth peaceful reading.

Presentation Transcript

  • Governance and Management of Enterprise IT with COBIT 5 Framework. Goutama Bachtiar, IT Advisor, Auditor and Consultant. v2.2 as of March 2014.
  • Profile of Training Lead
    - Advisor at six companies
    - ISACA International Chapter Subject Matter Expert
    - ISACA International Chapter Journal Reviewer
    - ISACA International Chapter Certification Exam and QAE Developer
    - Reviewer Panel member at two international journals
    - Has audited and consulted for 30+ companies
    - Has written 300+ manuscripts, articles and pieces in the IT space
  • Importance of Information
    - Information is a key resource for all enterprises.
    - Information is created, used, retained, disclosed and destroyed.
    - Technology plays a key role in these actions.
    - Technology is becoming pervasive in all aspects of business and personal life.
    What benefits do information and technology bring to enterprises?
  • Why Does IT Need a Control Framework? Do any of these conditions sound familiar?
    - Increasing pressure to leverage technology in business strategies
    - Growing complexity of IT environments
    - Fragmented IT infrastructures
    - Communication gap between business and IT managers
    - IT service levels that are disappointing, both from internal IT functions and from increasingly outsourced IT providers
    - IT costs perceived to be out of control
    - Marginal ROI/productivity gains on technology investments
    - Impaired organizational flexibility and nimbleness to change
  • Why Does IT Need a Control Framework? (cont'd)
    - Increasing dependence on information and on the systems delivering this information
    - Increasing vulnerabilities and a wide spectrum of threats
    - Scale and cost of current and future investments in information and information systems
    - Need to comply with regulations
    - Potential for technologies to dramatically change organizations and business practices, create new opportunities and reduce costs
    - Recognition by many organizations of the potential benefits technology can yield
    - Successful organizations understand and manage the risks associated with implementing new technologies
  • Why Does IT Need a Control Framework? (cont'd). Management needs to get IT under control to ensure that:
    - IT provides value: cost, time and functionality are as expected
    - IT does not produce surprises: risks are mitigated
    - IT pushes the envelope: new opportunities and innovations for processes, products and services
  • Who Needs a Control Framework?
    - Board and Executive: to ensure management follows and implements the strategic direction for IT
    - Management: to make IT investment decisions; to balance risk and control investment; to benchmark the existing and future IT environment
  • Who Needs a Control Framework? (cont'd)
    - Users: to obtain assurance on the security and control of products and services they acquire internally or externally
    - Auditors: to substantiate opinions to management on internal controls; to advise on what minimum controls are necessary
  • Why and How Is COBIT Used?
    - Increases acceptance of, and reduces the time needed to implement, IT governance
    - A guide for formal audits and reviews; audit results are used to plan improvements
    - Achieves the primary goals of IT governance: transforming organizational practices and pursuing improved processes
    - A credible source for management's decisions on controls
    - Helps IT operations managers understand what auditors want
    - Lets the business communicate its requirements and concerns
    - A reference to ensure all major risk areas are identified
    - Improves communications and relations with IT management
  • Why and How Is COBIT Used? (cont'd)
    - To improve audit approaches/programmes
    - To support audit work with detailed audit guidelines
    - To provide guidance for IT governance
    - As a valuable benchmark for IS/IT control
    - To improve IS/IT controls
    - To standardise audit approaches/programmes
  • Enterprise Benefits. Enterprises and their executives strive to:
    - Maintain quality information to support business decisions.
    - Generate business value from IT-enabled investments, i.e., achieve strategic goals and realise business benefits through effective and innovative use of IT.
    - Achieve operational excellence through reliable and efficient application of technology.
    - Maintain IT-related risk at an acceptable level.
    - Optimise the cost of IT services and technology.
    How can these benefits be realized to create enterprise stakeholder value?
  • Stakeholder Value. Delivering enterprise stakeholder value requires good governance and management of information and technology (IT) assets. Enterprise boards, executives and management have to embrace IT like any other significant part of the business. External legal, regulatory and contractual compliance requirements related to the enterprise's use of information and technology are increasing, threatening value if breached.
  • COBIT 5 provides a comprehensive framework that assists enterprises in achieving their goals and delivering value through effective governance and management of enterprise IT.
  • COBIT: Value and Limitations. COBIT:
    - Has internationally accepted good practices
    - Is management-oriented and supported by tools and training
    - Is freely downloadable and continually evolves
    - Allows the knowledge of expert volunteers to be shared and leveraged
    - Is maintained by a reputable not-for-profit organization
    - Maps fully to COSO and all major related standards
    - Is a reference, not an 'off-the-shelf' cure: enterprises still need to analyze their control requirements and customize COBIT based on their value drivers, their risk profile, and their IT infrastructure, organization and project portfolio
  • COBIT Components. An organization depends on reliable and timely data and information. COBIT's components provide a comprehensive framework for delivering value while managing risk and control over data and information. (Figure: Business Strategy, Information Criteria, IT Resources, IT Processes)
  • COBIT Advantages
    - Aligned with other standards and good practices, and should be used together with them.
    - COBIT's framework and supporting best practices provide a well-managed and flexible IT environment in an organization.
    - Provides a control environment that is responsive to business needs and serves management and audit functions in terms of their control responsibilities.
    - Provides tools to manage IT activities.
  • COBIT and IT Governance. COBIT focuses on improving IT governance in organizations and provides a framework to manage and control IT activities. It supports the five requirements for a control framework (Figure: Control Framework): it has general acceptability amongst organizations, provides a sharper business focus, ensures process orientation, helps meet regulatory requirements, and defines a common language.
  • COBIT and IT Governance (cont'd): Business Focus
    - Achieves a sharper business focus by aligning IT with business objectives.
    - Measurement of IT performance focuses on IT's contribution to enabling and extending the business strategy.
    - Ensures the primary focus is value delivery, not technical excellence as an end in itself.
  • COBIT and IT Governance (cont'd): Process Orientation
    - When organizations implement COBIT, their focus becomes more process-oriented.
    - Incidents and problems no longer divert attention from processes.
    - Exceptions can be clearly defined as part of standard processes.
    - With process ownership defined, assigned and accepted, it is easier to maintain control through periods of rapid change or organizational crisis.
  • COBIT and IT Governance (cont'd): General Acceptability
    - A proven and globally accepted standard for increasing the contribution of IT to organizational success.
    - It continues to improve and develop to keep pace with good practices.
    - IT professionals from all over the world contribute their ideas and time to regular review meetings.
  • COBIT and IT Governance (cont'd): Regulatory Requirements
    - Recent corporate scandals have increased regulatory pressure on boards of directors to report their status and ensure that internal controls are appropriate.
    - Organizations constantly need to improve IT performance and demonstrate adequate controls over their IT activities.
    - COBIT is the de facto response to regulatory IT requirements.
  • COBIT and IT Governance (cont'd): Common Language
    - Puts everybody on the same page by defining critical terms and providing a glossary.
    - Co-ordination within and across project teams and organizations can play a key role in the success of any project.
    - A common language helps build confidence and trust.
  • COBIT: Premise. COBIT is based on the premise that IT needs to deliver the information an enterprise requires to achieve its objectives. (Figure: IT Resources and Processes provide Information to Business Processes for achieving Business Objectives.) It helps align IT with the business by focusing on business information requirements and organizing IT resources. COBIT provides the framework and guidance to implement IT governance.
  • COBIT: Principle. Link management's IT expectations with management's IT responsibilities. The objective is to facilitate IT governance that delivers IT value whilst managing IT risks. (Figure: Business Strategy, Information Criteria, IT Resources, IT Processes)
  • COBIT: Premise (cont'd). As a control and governance framework for IT, COBIT focuses on two key areas:
    - Providing the information required to support business objectives and requirements
    - Treating information as the result of the combined application of IT-related resources that need to be managed by IT processes
    (Figure: the COBIT cube. IT Processes: domains, processes, activities. Information Criteria: effectiveness, efficiency, confidentiality, integrity, availability, compliance, reliability. IT Resources: applications, information, infrastructure, people. For each IT process: business requirement, control approach, considerations.)
  • COBIT: Cube. COBIT describes how IT processes deliver the information the business needs to achieve its objectives. For controlling this delivery, COBIT provides three key components, each forming a dimension of the COBIT cube: business requirements for information (information criteria), IT resources and IT processes.
  • COBIT Cube: IT Processes
    - COBIT describes the IT life cycle with the help of four domains: Plan and Organize, Acquire and Implement, Deliver and Support, Monitor and Evaluate.
    - Processes are series of activities with natural control breaks.
    - 34 processes across the four domains specify what the business needs to achieve its objectives.
    - Activities are actions required to achieve measurable results. Activities have life cycles and include many discrete tasks.
    Note that the cube, the four domains and the 34 processes are the COBIT 4.1 process model; COBIT 5 restructures this into 37 processes in five domains (EDM, APO, BAI, DSS and MEA) within its process reference model.
  • COBIT Cube: IT Domains. Plan and Organize (PO)
    - Objectives: formulating strategy and tactics; identifying how IT can best contribute to achieving business objectives; planning, communicating and managing the realization of the strategic vision; implementing the organizational and technological infrastructure
    - Scope: Are IT and the business strategically aligned? Is the enterprise achieving optimum use of its resources? Does everyone in the organization understand the IT objectives? Are IT risks understood and being managed? Is the quality of IT systems appropriate for business needs?
  • COBIT Cube: IT Domains (cont'd). Plan and Organize processes in the COBIT process model:
    - PO1 Define a strategic IT plan.
    - PO2 Define the information architecture.
    - PO3 Determine technological direction.
    - PO4 Define the IT processes, organisation and relationships.
    - PO5 Manage the IT investment.
    - PO6 Communicate management aims and direction.
    - PO7 Manage IT human resources.
    - PO8 Manage quality.
    - PO9 Assess and manage IT risks.
    - PO10 Manage projects.
  • COBIT Cube: IT Domains (cont'd). Acquire and Implement (AI)
    - Objectives: identifying, developing, acquiring, implementing and integrating IT solutions; changes in and maintenance of existing systems
    - Scope: Are new projects likely to deliver solutions that meet business needs? Are new projects likely to be delivered on time and within budget? Will the new systems work properly when implemented? Will changes be made without upsetting current business operations?
  • COBIT Cube: IT Domains (cont'd). Acquire and Implement processes:
    - AI1 Identify automated solutions.
    - AI2 Acquire and maintain application software.
    - AI3 Acquire and maintain technology infrastructure.
    - AI4 Enable operation and use.
    - AI5 Procure IT resources.
    - AI6 Manage changes.
    - AI7 Install and accredit solutions and changes.
  • COBIT Cube: IT Domains (cont'd). Deliver and Support (DS)
    - Objectives: the actual delivery of required services, including service delivery; the management of security, continuity, data and operational facilities; service support for users
    - Scope: Are IT services being delivered in line with business priorities? Are IT costs optimized? Is the workforce able to use IT systems productively and safely? Are adequate confidentiality, integrity and availability in place?
  • COBIT Cube: IT Domains (cont'd). Deliver and Support processes:
    - DS1 Define and manage service levels.
    - DS2 Manage third-party services.
    - DS3 Manage performance and capacity.
    - DS4 Ensure continuous service.
    - DS5 Ensure systems security.
    - DS6 Identify and allocate costs.
    - DS7 Educate and train users.
    - DS8 Manage service desk and incidents.
    - DS9 Manage the configuration.
    - DS10 Manage problems.
    - DS11 Manage data.
    - DS12 Manage the physical environment.
    - DS13 Manage operations.
  • COBIT Cube: IT Domains (cont'd). Monitor and Evaluate (ME)
    - Objectives: performance management; monitoring of internal control; regulatory compliance; governance
    - Scope: Is IT's performance measured to detect problems before it is too late? Does management ensure internal controls are effective and efficient? Can IT performance be linked to business goals? Are risk, control, compliance and performance measured and reported?
  • COBIT Cube: IT Domains (cont'd). Monitor and Evaluate processes:
    - ME1 Monitor and evaluate IT performance.
    - ME2 Monitor and evaluate internal control.
    - ME3 Ensure compliance with external requirements.
    - ME4 Provide IT governance.
  • COBIT Cube: Information Criteria
    - To satisfy business objectives, information needs to conform to specific control criteria, which COBIT refers to as business requirements for information.
    - Broadly, the information criteria are based on three kinds of requirement: quality, fiduciary and security. (Figure: Quality Requirements, Fiduciary Requirements, Security Requirements feeding the Information Criteria dimension of the cube)
  • COBIT Cube: Information Criteria (cont'd). The seven criteria:
    - Effectiveness: information is relevant and pertinent to the business process, and is delivered in a timely, correct, consistent and usable manner
    - Efficiency: information is provided through the optimal (most productive and economical) use of resources
    - Confidentiality: sensitive information is protected from unauthorised disclosure
    - Integrity: information is accurate and complete, and valid in accordance with business values and expectations
    - Availability: information is available when required by the business process, now and in the future; also concerns the safeguarding of necessary resources and associated capabilities
    - Compliance: the business process complies with the laws, regulations and contractual arrangements to which it is subject, i.e., externally imposed business criteria as well as internal policies
    - Reliability: appropriate information is provided for management to operate the entity and to exercise its fiduciary and governance responsibilities
  • COBIT Cube: IT Resources
    - IT processes manage IT resources to generate, deliver and store the information that the organization needs to achieve its objectives.
    - The IT resources identified in COBIT are defined as:
    - Applications: automated user systems and manual procedures that process information.
    - Information: data that are input, processed and output by information systems, in whatever form is used by the business.
    - Infrastructure: the technology and facilities, such as hardware, operating systems and networking, that enable the processing of applications.
    - People: the personnel required to plan, organize, acquire, implement, deliver, support, monitor and evaluate information systems and services. They may be internal, outsourced or contracted, as required.
  • COBIT Cube. IT resources are managed by IT processes to achieve IT goals that respond to the business requirements. (Figure: the COBIT cube. The cube is the COBIT 4.1 model; COBIT 5 replaces it with the goals cascade and the seven enablers introduced in the following slides.)
  • Interrelationships with COBIT Components (figure)
  • COBIT 5 Principles (figure)
  • COBIT 5 Enablers (figure)
  • Governance and Management
    - Governance ensures that enterprise objectives are achieved by evaluating stakeholder needs, conditions and options; setting direction through prioritisation and decision making; and monitoring performance, compliance and progress against the agreed-on direction and objectives (EDM: Evaluate, Direct, Monitor).
    - Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives (PBRM: Plan, Build, Run, Monitor).
  • In Short… COBIT 5 brings together the five principles that allow the enterprise to build an effective governance and management framework, based on a holistic set of seven enablers that optimise information and technology investment and use for the benefit of stakeholders.
  • Navigating COBIT 5
  • COBIT 5: Complete Business Framework. Evolution of scope:
    - COBIT 1 (1996): Audit
    - COBIT 2 (1998): Control
    - COBIT 3 (2000): Management
    - COBIT 4.0/4.1 (2005/7): IT Governance
    - COBIT 5 (2012): Governance of Enterprise IT, incorporating Val IT 2.0 (2008) and Risk IT (2009)
  • COBIT 5 Product Family (figure)
  • Five COBIT 5 Principles
    1. Meeting Stakeholder Needs
    2. Covering the Enterprise End-to-end
    3. Applying a Single Integrated Framework
    4. Enabling a Holistic Approach
    5. Separating Governance From Management
  • Meeting Stakeholder Needs. Enterprises exist to create value for their stakeholders.
  • Meeting Stakeholder Needs (cont'd). Enterprises have many stakeholders, and 'creating value' means different, and sometimes conflicting, things to each of them. Governance is about negotiating and deciding amongst different stakeholders' value interests. The governance system should consider all stakeholders when making benefit, resource and risk assessment decisions. For each decision, the following can and should be asked:
    - Who receives the benefits?
    - Who bears the risk?
    - What resources are required?
  • Meeting Stakeholder Needs (cont'd). Stakeholder needs have to be transformed into an enterprise's practical strategy. The COBIT 5 goals cascade translates stakeholder needs into specific, practical and customised goals at the level of the enterprise, of IT-related goals and of enabler goals.
  • Meeting Stakeholder Needs (cont'd). Benefits of the COBIT 5 goals cascade:
    - It allows the definition of priorities for implementation, improvement and assurance of enterprise governance of IT based on enterprise strategic objectives and related risk.
    - In practice, the goals cascade defines relevant and tangible goals and objectives at various levels of responsibility; filters the knowledge base of COBIT 5, based on enterprise goals, to extract relevant guidance for inclusion in specific implementation, improvement or assurance projects; and clearly identifies and communicates how (sometimes very operational) enablers are important to achieving enterprise goals.
  • Covering the Enterprise End-to-end. COBIT 5 addresses the governance and management of information and related technology from an enterprise-wide, end-to-end perspective. It means:
    - Integrating governance of enterprise IT into enterprise governance, i.e., the governance system for enterprise IT proposed by COBIT 5 integrates seamlessly in any governance system because COBIT 5 aligns with the latest views on governance.
    - Covering all functions and processes within the enterprise; COBIT 5 does not focus only on the 'IT function', but treats information and related technologies as assets that need to be dealt with just like any other asset by everyone in the enterprise.
  • Covering the Enterprise End-to-end (figure)
  • Applying a Single Integrated Framework. COBIT 5 aligns with the latest relevant standards and frameworks:
    - Enterprise: COSO, COSO ERM, ISO/IEC 9000, ISO/IEC 31000
    - IT-related: ISO/IEC 38500, ITIL, ISO/IEC 27000 series, TOGAF, PMBOK/PRINCE2, CMMI
    - Use it as the overarching governance and management framework integrator.
    - ISACA plans a capability to facilitate COBIT users' mapping of practices and activities to third-party references.
  • March 2014Governance and Management of Enterprise IT with COBIT 5 Enabling a Holistic Approach COBIT 5 enablers are: Factors that, individually and collectively, influence whether something will work—in the case of COBIT, governance and management over enterprise IT Driven by the goals cascade, i.e., higher-level IT-related goals define what the different enablers should achieve Described by COBIT 5 framework in seven categories 56
  • March 2014Governance and Management of Enterprise IT with COBIT 5 Enabling a Holistic Approach (cont’d) 57
  • March 2014Governance and Management of Enterprise IT with COBIT 5 1. Processes—Describe an organised set of practices and activities to achieve certain objectives and produce a set of outputs in support of achieving overall IT-related goals 2. Organisational structures—Are the key decision-making entities in an organisation 3. Culture, ethics and behaviour—Of individuals and of the organisation; very often underestimated as a success factor in governance and management activities 4. Principles, policies and frameworks—Are the vehicles to translate the desired behaviour into practical guidance for day-to-day management 5. Information—Is pervasive throughout any organisation, i.e., deals with all information produced and used by the enterprise. Information is required for keeping the organisation running and well governed, but at the operational level, information is very often the key product of the enterprise itself. 6. Services, infrastructure and applications—Include the infrastructure, technology and applications that provide the enterprise with information technology processing and services 7. People, skills and competencies—Are linked to people and are required for successful completion of all activities and for making correct decisions and taking corrective actions 58 Enabling a Holistic Approach (cont’d)
  • March 2014Governance and Management of Enterprise IT with COBIT 5  Systemic governance and management through interconnected enablers—To achieve the main objectives of the enterprise, it must always consider an interconnected set of enablers, i.e., each enabler:  Needs the input of other enablers to be fully effective, e.g., processes need information, organisational structures need skills and behaviour  Delivers output to the benefit of other enablers, e.g., processes deliver information, skills and behaviour make processes efficient  This is a KEY principle emerging from the ISACA development work around the Business Model for Information Security (BMIS). 59 Enabling a Holistic Approach (cont’d)
  • March 2014Governance and Management of Enterprise IT with COBIT 5  All enablers have a set of common dimensions:  Provides a common, simple and structured way to deal with enablers  Allows an entity to manage its complex interactions  Facilitates successful outcomes of the enablers 60 Source: COBIT® 5, figure 13. © 2012 ISACA® Enabling a Holistic Approach (cont’d)
  • March 2014Governance and Management of Enterprise IT with COBIT 5 Separating Governance From Management  These two disciplines: Encompass different types of activities Require different organisational structures Serve different purposes  Governance—In most enterprises, governance is the responsibility of the board of directors under the leadership of the chairperson.  Management—In most enterprises, management is the responsibility of the executive management under the leadership of the CEO. 61
  • March 2014Governance and Management of Enterprise IT with COBIT 5 Separating Governance From Management 62 • Governance ensures that stakeholders needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritisation and decision making; and monitoring performance and compliance against agreed-on direction and objectives (EDM) • Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives (PBRM)
  • March 2014Governance and Management of Enterprise IT with COBIT 5 Separating Governance From Management COBIT 5 is not prescriptive, but it advocates that organisations implement governance and management processes such that the key areas are covered, as shown. 63 Source: COBIT® 5, figure 15. © 2012 ISACA®
Separating Governance From Management
• The COBIT 5 framework describes seven categories of enablers (Principle #4).
• An enterprise can organise its processes as it sees fit, as long as all necessary governance and management objectives are covered.
• Smaller enterprises may have fewer processes while larger and more complex enterprises may have many processes, all to cover the same objectives.
• COBIT 5 includes a process reference model (PRM), which defines and describes in detail a number of governance and management processes.
The Need for IT Governance
Typical challenges:
• Keeping IT Running
• Security
• Value/Cost
• Managing Complexity
• Aligning IT with Business
• Regulatory Compliance
Organizations require a structured approach for managing these and other challenges. This will ensure that there are agreed objectives for IT, good management controls in place and effective monitoring of performance to keep on track and avoid unexpected outcomes.
The Need for IT Governance (cont’d)
Enterprise governance is a set of responsibilities and practices exercised by the board and executive management with the goal of:
• Providing strategic direction
• Ensuring that objectives are achieved
• Ascertaining that risks are managed appropriately
• Verifying that the enterprise’s resources are used responsibly
Source: www.itgi.org
Enterprise Governance Drives IT Governance
Enterprise governance is about:
• Conformance: Adhering to legislation, internal policies, audit requirements, etc.
• Performance: Improving profitability, efficiency, effectiveness, growth, etc.
Enterprise governance and IT governance require a balance between conformance and performance goals directed by the board.
IT Governance Focus Areas
• Strategic alignment: Focuses on ensuring the linkage of business and IT plans; on defining, maintaining and validating the IT value proposition; and on aligning IT operations with enterprise operations.
• Value delivery: Is about executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimising costs and proving the intrinsic value of IT.
• Resource management: Is about the optimal investment in, and the proper management of, critical IT resources: applications, information, infrastructure and people. Key issues relate to the optimisation of knowledge and infrastructure.
• Risk management: Requires risk awareness by senior corporate officers, a clear understanding of the enterprise’s appetite for risk, understanding of compliance requirements, transparency about the significant risks to the enterprise, and embedding of risk management responsibilities in the organisation.
• Performance measurement: Tracks and monitors strategy implementation, project completion, resource usage, process performance and service delivery, using, for example, balanced scorecards that translate strategy into action to achieve goals measurable beyond conventional accounting.
Making IT Governance Work
• Make IT governance a workable solution—able to deal with the challenges and pitfalls presented by IT.
• Focus as much on improving performance and enabling competitive advantage as on preventing problems.
• Make IT governance a shared responsibility between the business (customer) and the IT service provider, with the full commitment and direction of the board.
• Align IT governance within a wider enterprise governance scheme.
• Boards and executive management need to extend enterprise governance to include IT, provide the necessary leadership and organisational structures, and insist on well-managed and properly controlled processes.
IT Governance Stakeholders
• Board and Executive: Set direction for IT, monitor results and insist on corrective measures
• Business Management: Defines business requirements for IT and ensures that value is delivered and risks are managed
• IT Management: Delivers and improves IT services as required by the business
• IT Audit: Provides independent assurance to demonstrate that IT delivers what is needed
• Risk and Compliance: Measures compliance with policies and focuses on alerts to new risks
Framework for IT Governance
IT resources need to be managed by a set of naturally grouped processes. COBIT provides a framework that achieves this objective. It bridges the gaps between business risks, control needs and technical issues, provides good practices across a domain and process framework, and presents activities in a manageable and logical structure.
COBIT:
• Starts from business requirements
• Is process-oriented, organizing IT activities into a generally accepted process model
• Identifies the major IT resources to be leveraged
• Defines the management control objectives to be considered
• Incorporates major international standards
• Has become the de facto standard for overall control of IT
COBIT Helps Implement Effective IT Governance
It brings the following advantages to an IT governance implementation effort:
• Enables mapping of IT goals to business goals and vice versa
• Better alignment, based on a business focus
• A view of what IT does that is understandable to management
• Clear ownership and responsibilities based on process orientation
• General acceptability with third parties and regulators
• Shared understanding amongst all stakeholders, based on a common language
• Fulfilment of the COSO requirements for the IT control environment
COBIT and Other IT Management Frameworks
We will consider and use a variety of IT models, standards and best practices. These must be understood in order to consider how they can be used together, with COBIT acting as the consolidator (‘umbrella’).
[Figure: COBIT, ISO 9000, ISO 17799, ITIL and COSO positioned on a "what" versus "how" axis against scope of coverage]
Where Does COBIT Fit?
[Figure: drivers of enterprise governance and IT governance, namely performance (business goals, Balanced Scorecard) and conformance (Basel II, SOX, etc.); COBIT and COSO at the governance layer; best practice standards (ISO 9001:2000, ISO 17799, ISO 20000, ITIL, security principles); processes and procedures (QA procedures)]
Governance, Risk and Compliance
• An increasingly used ‘umbrella term’ that covers these three areas of enterprise activities.
• These areas of activity are progressively being more aligned and integrated to improve enterprise performance and delivery of stakeholder needs.
GRC Definitions
• Governance—Exercise of authority; control; government; arrangement.
• Risk (management)—Hazard; danger; peril; exposure to loss, injury, or destruction (the act or art of managing; the manner of treating, directing, carrying on, or using, for a purpose; conduct; administration; guidance; control).
• Compliance—The act of complying; a yielding, as to a desire, demand, or proposal; concession; submission.
Source: Webster’s Online Dictionary
Types of Governance
Different types of governance exist:
• Corporate governance
• Project governance
• Information technology governance
• Environmental governance
• Economic and financial governance
Each type has one or more sources of guidance, each with similar goals but often varying terms and techniques for their achievement.
Implementing Governance
Integrating the implementation of GRC activities within an enterprise requires a systemic approach for reliably achieving the business goals of its stakeholders. Such approaches are typically based on enablers of various types, i.e., principles, policies, frameworks and organizational structures.
A GRC Model Example
From OCEG Red Book GRC Capability Model version 2.1.
Corporate Governance of IT
ISO/IEC 38500:2008, Corporate governance of information technology
1.1 Scope
• It provides guiding principles for directors of organizations (including owners, board members, directors, partners, senior executives, or similar) on the effective, efficient, and acceptable use of Information Technology (IT) within their organizations.
• It applies to the governance of management processes (and decisions) relating to the information and communication services used by an organization. These processes could be controlled by IT specialists within the organization or external service providers, or by business units within the organization.
Corporate Governance of IT (cont’d)
ISO/IEC 38500:2008, Corporate governance of information technology
2.1 Principles
• 2.1.1 Principle 1: Responsibility
• 2.1.2 Principle 2: Strategy
• 2.1.3 Principle 3: Acquisition
• 2.1.4 Principle 4: Performance
• 2.1.5 Principle 5: Conformance
• 2.1.6 Principle 6: Human Behavior
Corporate Governance of IT (cont’d)
ISO/IEC 38500:2008, Corporate governance of information technology
2.2 Model
Directors should govern IT through three main tasks:
a) Evaluate the current and future use of IT.
b) Direct preparation and implementation of plans and policies to ensure that use of IT meets business objectives.
c) Monitor conformance to policies, and performance against the plans.
GRC in COBIT 5
Governance in COBIT 5
• Governance ensures that enterprise objectives are achieved by evaluating stakeholder needs, conditions and options; setting direction through prioritisation and decision making; and monitoring performance, compliance and progress against agreed direction and objectives (EDM).
• Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives (PBRM).
Governance in COBIT 5 (cont’d)
• The COBIT 5 process reference model subdivides the IT-related practices and activities of the enterprise into two main areas—governance and management—with management further divided into domains of processes.
• The GOVERNANCE domain contains five governance processes; within each process, evaluate, direct and monitor (EDM) practices are defined.
  • EDM01 Ensure governance framework setting and maintenance.
  • EDM02 Ensure benefits delivery.
  • EDM03 Ensure risk optimization.
  • EDM04 Ensure resource optimization.
  • EDM05 Ensure stakeholder transparency.
Governance in COBIT 5 (cont’d)
Risk Management in COBIT 5
• The GOVERNANCE domain contains five governance processes, one of which focuses on stakeholder risk-related objectives: EDM03 Ensure risk optimization.
• Process Description: Ensure that the enterprise’s risk appetite and tolerance are understood, articulated and communicated. Risk to enterprise value related to use of IT is identified and managed.
• Process Purpose Statement: Ensure that IT-related enterprise risk does not exceed risk appetite and risk tolerance. The impact of IT risk to enterprise value is identified and managed. The potential for compliance failures is minimized.
Risk Management in COBIT 5 (cont’d)
• The MANAGEMENT Align, Plan and Organise domain contains a risk-related process: APO12 Manage risk.
• Process Description: Continually identify, assess and reduce IT-related risk within levels of tolerance set by enterprise executive management.
• Process Purpose Statement: Integrate the management of IT-related enterprise risk with overall ERM, and balance the costs and benefits of managing IT-related enterprise risk.
Risk Management in COBIT 5 (cont’d)
Risk Management in COBIT 5 (cont’d)
• All enterprise activities have associated risk exposures resulting from environmental threats that exploit enabler vulnerabilities.
• EDM03 Ensure risk optimization: Ensures that the enterprise stakeholders’ approach to risk is articulated, to direct how risks facing the enterprise will be treated.
• APO12 Manage risk: Provides ERM arrangements to ensure that stakeholder direction is followed by the enterprise.
• All other processes include practices and activities that are designed to treat related risk (avoid, reduce/mitigate/control, share/transfer/accept).
Risk Management in COBIT 5 (cont’d)
COBIT 5 suggests accountabilities and responsibilities for enterprise roles and governance/management structures (RACI charts) for each process. These include risk-related roles.
Compliance in COBIT 5
• The MANAGEMENT Monitor, Evaluate and Assess domain contains a compliance-focused process: MEA03 Monitor, evaluate and assess compliance with external requirements.
• Process Description: Evaluate that IT processes and IT-supported business processes are compliant with laws, regulations and contractual requirements. Obtain assurance that the requirements have been identified and complied with, and integrate IT compliance with overall enterprise compliance.
• Process Purpose Statement: Ensure that the enterprise is compliant with all applicable external requirements.
Compliance in COBIT 5 (cont’d)
Source: COBIT® 5, figure 16. © 2012 ISACA® All rights reserved.
Compliance in COBIT 5 (cont’d)
• Legal and regulatory compliance is a key part of the effective governance of an enterprise, hence its inclusion in the GRC term and in the COBIT 5 Enterprise Goals and supporting enabler process structure (MEA03).
• In addition to MEA03, all enterprise activities include control activities that are designed to ensure compliance not only with externally imposed legislative or regulatory requirements but also with enterprise governance-determined principles, policies and procedures.
Compliance in COBIT 5 (cont’d)
COBIT 5 suggests accountabilities and responsibilities for enterprise roles and governance/management structures (RACI charts) for each process. These include a compliance-related role.
Summary
• The COBIT 5 framework includes the necessary guidance to support enterprise GRC objectives and supporting activities:
  • Governance activities related to GEIT (5 processes)
  • Risk management process—and supporting guidance for risk management across the GEIT space
  • Compliance—a specific focus on compliance activities within the framework and how they fit within the complete enterprise picture
• Inclusion of GRC arrangements within the business framework for GEIT helps enterprises to avoid the main issue with GRC arrangements—silos of activity!
COBIT 5 Implementation
COBIT 5 Implementation
• The improvement of GEIT is widely recognised by top management as an essential part of enterprise governance.
• Information and the pervasiveness of IT are increasingly part of every aspect of business and public life.
• The need to drive more value from IT investments and manage an increasing array of IT-related risk has never been greater.
• Increasing regulation and legislation over business use of information is also driving heightened awareness of the importance of a well-governed and managed IT environment.
COBIT 5 Implementation (cont’d)
• ISACA has developed the COBIT 5 framework to help enterprises implement sound governance enablers.
• Indeed, implementing good GEIT is almost impossible without engaging an effective governance framework. Best practices and standards are also available to underpin COBIT 5.
• Frameworks, best practices and standards are useful only if they are adopted and adapted effectively.
• There are challenges that need to be overcome and issues that need to be addressed if GEIT is to be implemented successfully.
COBIT 5 Implementation (cont’d)
The COBIT 5 Implementation guide covers the following subjects:
• Positioning GEIT within an enterprise
• Taking the first steps towards improving GEIT
• Implementation challenges and success factors
• Enabling GEIT-related organisational and behavioural change
• Implementing continual improvement that includes change enablement and programme management
• Using COBIT 5 and its components
COBIT 5 Implementation (cont’d)
COBIT 5 Future Supporting Products
COBIT 5 Product Family
COBIT 5 Future Supporting Products
• Professional Guides
  • COBIT 5 for Information Security
  • COBIT 5 for Assurance
  • COBIT 5 for Risk
• Enabler Guides
  • COBIT 5: Enabling Information
• COBIT Online Replacement
• COBIT Assessment Programme
  • Process Assessment Model (PAM): Using COBIT 5
  • Assessor Guide: Using COBIT 5
  • Self-assessment Guide: Using COBIT 5
Thank You!