IT Governance
November, 2013
@CarlosChalicoT
#ISACA_ITG
101
Enabling a holistic approach
• Processes—Describe an organised set of practices and
activit...
@CarlosChalicoT
#ISACA_ITG
102
Enabling a holistic approach
• Principles, policies and frameworks—Are the vehicles
to tran...
@CarlosChalicoT
#ISACA_ITG
103
Enabling a holistic approach
• Services, infrastructure and applications—Include the
infras...
@CarlosChalicoT
#ISACA_ITG
104
Enabling a holistic approach
• Systemic governance and management through
interconnected en...
@CarlosChalicoT
#ISACA_ITG
105
Enabling a holistic approach
COBIT 5 Enabler Dimensions:	

• All enablers have a set of com...
@CarlosChalicoT
#ISACA_ITG
Separating Government from Management
106
• The COBIT 5 framework makes a clear distinction bet...
@CarlosChalicoT
#ISACA_ITG
Separating Government from Management
107
• Governance ensures that stakeholders needs, conditi...
@CarlosChalicoT
#ISACA_ITG
Separating Government from Management
108
COBIT 5 is not prescriptive, but it advocates that or...
@CarlosChalicoT
#ISACA_ITG
Separating Government from Management
109
• The COBIT 5 framework describes seven categories of...
@CarlosChalicoT
#ISACA_ITG
110
Quote
“It’s a trap!”
Admiral Ackbar
@CarlosChalicoT
#ISACA_ITG
Implementing GEIT with COBIT
111
@CarlosChalicoT
#ISACA_ITG
112
Implementing GEIT with COBIT
Source: COBIT® 5, © 2012 ISACA® All rights reserved.
@CarlosChalicoT
#ISACA_ITG
113
Implementing GEIT with COBIT
@CarlosChalicoT
#ISACA_ITG
114
• The improvement of the governance of enterprise IT (GEIT)
is widely recognized by top man...
@CarlosChalicoT
#ISACA_ITG
115
Implementing GEIT with COBIT
• ISACA has developed the COBIT 5 framework to help
enterprise...
@CarlosChalicoT
#ISACA_ITG
116
Implementing GEIT with COBIT
• COBIT 5: Implementation covers the following subjects:	

• P...
@CarlosChalicoT
#ISACA_ITG
117
Value of GEIT
@CarlosChalicoT
#ISACA_ITG
TheValue of CGEIT
118
CGEIT recognizes a wide range of professionals for their
knowledge and ap...
@CarlosChalicoT
#ISACA_ITG
TheValue of CGEIT
119
@CarlosChalicoT
#ISACA_ITG
GRC
120
@CarlosChalicoT
#ISACA_ITG
GRC Magic Quadrant
121
@CarlosChalicoT
#ISACA_ITG
Top 10 GRC challenges
122
1. Management complexity of risk and compliance programs	

2. Organis...
@CarlosChalicoT
#ISACA_ITG
123
Quote
“The only place success comes
before work is in the dictionary”
Vince Lombardi
@CarlosChalicoT
#ISACA_ITG
124
Case Study
Please follow instructions to review
the Case Study.
@CarlosChalicoT
#ISACA_ITG
Conclusions
125
• The world is changing and the IT departments need to
get adapted to that	

• ...
@CarlosChalicoT
#ISACA_ITG
FinalThoughts
126
http://www.slideshare.net/sap/99-facts-on-the-future-of-business
@CarlosChalicoT
#ISACA_ITG
FinalThoughts
127
@CarlosChalicoT
#ISACA_ITG
FinalThoughts
128
@CarlosChalicoT
#ISACA_ITG
FinalThoughts
129
@CarlosChalicoT
#ISACA_ITG
FinalThoughts
130
@CarlosChalicoT
#ISACA_ITG
FinalThoughts
131
SAP & Vuzix Augmented Reality
@CarlosChalicoT
#ISACA_ITG
FinalThoughts
132
@CarlosChalicoT
#ISACA_ITG
FinalThoughts
133
@CarlosChalicoT
#ISACA_ITG
FinalThoughts
134
@CarlosChalicoT
#ISACA_ITG
Questions and Answers
135
Carlos Chalico
CISA, CISSP, CISM, CGEIT, CRISC, ISO27000 LA,
PbD Amba...
IT Governance
November, 2013
Thank You!
Upcoming SlideShare
Loading in …5
×

IT Governance

1,519 views

Published on

Presentation on IT Governance delivered for the ISACA Toronto Chapter

IT Governance

  1. 1. IT Governance November, 2013
  2. 2. @CarlosChalicoT #ISACA_ITG 2 IT Governance
  3. 3. @CarlosChalicoT #ISACA_ITG 3 IT Governance
  4. 4. @CarlosChalicoT #ISACA_ITG 4 IT Governance
  5. 5. @CarlosChalicoT #ISACA_ITG 5 IT Governance
  6. 6. @CarlosChalicoT #ISACA_ITG 6 Quote Robert Frost “The brain is a wonderful organ; it starts working the moment you get up in the morning and does not stop until you get into the office”
  7. 7. @CarlosChalicoT #ISACA_ITG Carlos Chalico CISA, CISSP, CISM, CGEIT, CRISC, ISO27000 LA, PbD Ambassador Ouest Business Solutions Inc. Director Eastern Region 7 IT Governance
  8. 8. @CarlosChalicoT #ISACA_ITG What´s in this for you? By the end of this session you will: ! • Understand the concept of governance, IT governance and its difference against IT management • Know the advantages of defining an effective IT Governance model • Know some frameworks available to define IT Governance (COBIT, ISO 38500) 8
  9. 9. @CarlosChalicoT #ISACA_ITG First things first 9 Title: Elephant In The Room Artist: Leah Saulnier The Painting Maniac Medium: Painting - Oil
  10. 10. @CarlosChalicoT #ISACA_ITG 10 Quote “Management must manage” Harold S. Geneen
  11. 11. @CarlosChalicoT #ISACA_ITG So, what does this mean? Governance 11
  12. 12. @CarlosChalicoT #ISACA_ITG FromWikipedia Governance is the act of governing. It relates to decisions that define expectations, grant power, or verify performance. It consists of either a separate process or part of decision-making or leadership processes. In modern nation-states, these processes and systems are typically administered by a government. 12
  13. 13. @CarlosChalicoT #ISACA_ITG FromWikipedia Governance is the act of governing. It relates to decisions that define expectations, grant power, or verify performance. It consists of either a separate process or part of decision-making or leadership processes. In modern nation-states, these processes and systems are typically administered by a government. 13
  14. 14. @CarlosChalicoT #ISACA_ITG From OECD 14 Corporate governance is one key element in improving economic efficiency and growth as well as enhancing investor confidence. Corporate governance involves a set of relationships between a company’s management, its board, its shareholders and other stakeholders. Corporate governance also provides the structure through which the objectives of the company are se, and the means of attaining those objectives and monitoring performance are determined. http://www.oecd.org/corporate/ca/corporategovernanceprinciples/31557724.pdf
  15. 15. @CarlosChalicoT #ISACA_ITG From OECD 15 Corporate governance is one key element in improving economic efficiency and growth as well as enhancing investor confidence. Corporate governance involves a set of relationships between a company’s management, its board, its shareholders and other stakeholders. Corporate governance also provides the structure through which the objectives of the company are set, and the means of attaining those objectives and monitoring performance are determined. http://www.oecd.org/corporate/ca/corporategovernanceprinciples/31557724.pdf
  16. 16. @CarlosChalicoT #ISACA_ITG Other Sources 16
  17. 17. @CarlosChalicoT #ISACA_ITG Key Points 17 ! •Relationships ! •Management •Board •Shareholders •Stakeholders ! •Structure ! •Objectives of the organization ! •Monitoring performance ! •Economic efficiency and growth ! •Confidence
  18. 18. @CarlosChalicoT #ISACA_ITG 18 Quote Alison Holt “Organizations with good governance practices in place can be shown to be more successful than organizations without”
  19. 19. @CarlosChalicoT #ISACA_ITG Turning Risk Into Results 19
  20. 20. @CarlosChalicoT #ISACA_ITG Turning Risk Into Results 20
  21. 21. @CarlosChalicoT #ISACA_ITG 21 Quote “Corporate governance is the system by which companies are directed and controlled” Adrian Cadbury
  22. 22. @CarlosChalicoT #ISACA_ITG 22 So, what does this mean? IT Governance
  23. 23. @CarlosChalicoT #ISACA_ITG 23 So, what does this mean?
  24. 24. @CarlosChalicoT #ISACA_ITG 24 So, what does this mean? HBRHarvard Business Review http://blogs.hbr.org/2013/08/todays-cto-needs-to-become/ http://blogs.hbr.org/cs/2013/07/todays_cio_needs_to_be_the_chi.html CIO CTO
  25. 25. @CarlosChalicoT #ISACA_ITG So, what does this mean? CIO Information Innovation
  26. 26. @CarlosChalicoT #ISACA_ITG So, what does this mean? CTO Technology Transformation
  27. 27. @CarlosChalicoT #ISACA_ITG 27 So, what does this mean? Innovate Transform Value
  28. 28. @CarlosChalicoT #ISACA_ITG 28 So, what does this mean? Know Control Measure Rely IT Processes Infrastructure Elements
  29. 29. @CarlosChalicoT #ISACA_ITG 29 So, what does this mean? In essence, the governance of IT is the theory that enables an organisation’s principal decision makers to make better decisions around IT and, at the same time, provides guidance for IT managers who are tasked with IT operations and the design, development and implementation of IT solutions.
  30. 30. @CarlosChalicoT #ISACA_ITG 30 So, what does this mean? • Governance ensures that enterprise objectives are achieved by evaluating stakeholder needs, conditions and options; setting direction through prioritisation and decision making; and monitoring performance, compliance and progress against agreed-on direction and objectives. • Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives.
  31. 31. @CarlosChalicoT #ISACA_ITG 31 So, what does this mean? The action of the board or governing body to direct IT activities and to build a decision-making model, combined with the action of the IT management teams to develop supporting systems, processes and procedures, result in the development of an IT governance framework. What to do How to do it
  32. 32. @CarlosChalicoT #ISACA_ITG 32 Why IT Governance? • “Due diligence” • IT is critical to the business (and pervasive) • IT is strategic to the business • Expectations and reality don’t match • IT hasn’t gotten the attention it deserves (yet) • IT may involve huge investments and large risks
  33. 33. @CarlosChalicoT #ISACA_ITG 33 Why IT Governance? IT Governance FrameworkCulture Goals Characteristics Organization
  34. 34. @CarlosChalicoT #ISACA_ITG 34 Why IT Governance?
  35. 35. @CarlosChalicoT #ISACA_ITG 35 Why IT Governance? 834
  36. 36. @CarlosChalicoT #ISACA_ITG 36 Why IT Governance?
  37. 37. @CarlosChalicoT #ISACA_ITG 37 Why IT Governance?
  38. 38. @CarlosChalicoT #ISACA_ITG 38 Why IT Governance?
  39. 39. @CarlosChalicoT #ISACA_ITG 39 Why IT Governance?
  40. 40. @CarlosChalicoT #ISACA_ITG 40 Why IT Governance?
  41. 41. @CarlosChalicoT #ISACA_ITG 41 Why IT Governance?
  42. 42. @CarlosChalicoT #ISACA_ITG 42 Why IT Governance?
  43. 43. @CarlosChalicoT #ISACA_ITG 43 Why IT Governance? GEIT IT value delivery Mitigation of • Strategic alignment • Resources availability & Mgt • Monitoring Objectives IT-related risks to the business
  44. 44. @CarlosChalicoT #ISACA_ITG 44 Why IT Governance? ITGI identifies five focus areas of GEIT: • Strategic alignment • Value delivery • Risk management • Resource management • Performance measurement
  45. 45. @CarlosChalicoT #ISACA_ITG 45 Why IT Governance?
  46. 46. @CarlosChalicoT #ISACA_ITG 46 Why IT Governance?
  47. 47. @CarlosChalicoT #ISACA_ITG Available Frameworks 47 ISO 38500 COBIT 5
  48. 48. @CarlosChalicoT #ISACA_ITG 48 Quote Alison Holt “A tool is only a tool if it helps you and your business”
  49. 49. IT Governance November, 2013 Break!
  50. 50. @CarlosChalicoT #ISACA_ITG Why IT Governance? 50
  51. 51. @CarlosChalicoT #ISACA_ITG 51 Quote Alison Holt “Where there is poor organisational governance practice in place, it will be difficult to implement good IT and information practice that delivers consistent quality deliverables”
  52. 52. @CarlosChalicoT #ISACA_ITG What is ISO? 52 • International Organization for Standardization • World’s largest developer of voluntary standards • Founded in 1947 • 19,500 standards released • Members from 164 countries • Headquartered in Geneva, Switzerland The Boys. 65 delegates from 25 countries. London, 1946. http://www.iso.org
  53. 53. @CarlosChalicoT #ISACA_ITG What is a Standard? 53 “A document that provides requirements, specifications, guidelines or characteristics that can be used consistently to ensure that materials, products, processes and services are fit for their purpose. ISO standards can be purchased from the ISO store or from our members” Office in La Voie Creuse, Geneva, Switzerland, 2007. http://www.iso.org
  54. 54. @CarlosChalicoT #ISACA_ITG What are the benefits? 54 “ISO International Standards ensure that products and services are safe, reliable and of good quality. For business, they are strategic tools that reduce costs by minimizing waste and errors, and increasing productivity.They help companies to access new markets, level the playing field for developing countries and facilitate free and fair global trade” http://www.iso.org
  55. 55. @CarlosChalicoT #ISACA_ITG ISO/IEC 38500:2008 55 • Provides guiding principles for directors of organizations (owners, board members, partners, senior executives) on the effective, efficient, and acceptable use of IT within their organizations • Applies to the governance of management processes (and decisions) relating to the information and communication services used by an organization.These processes could be controlled by IT specialists within the organization, external service providers, or business units within the organization. • It also provides guidance to those advising, informing, or assisting directors (this includes IT auditors) http://www.iso.org
  56. 56. @CarlosChalicoT #ISACA_ITG ISO/IEC 38500:2008 56 • Based on Australian Standard AS 8015-2005 • Submitted for Fast Track ISO adoption • Alison Holt • New Zealand • Longitude 174 • Co-chaired ISO’s working group for IT Governance Framework standards http://www.ramin.com.au/itgovernance/as8015.html
  57. 57. @CarlosChalicoT #ISACA_ITG 57 Quote Alison Holt “Implementing IT governance is not necessarily a quick process, but it is effective”
  58. 58. @CarlosChalicoT #ISACA_ITG 58 ISO/IEC 38500:2008
  59. 59. @CarlosChalicoT #ISACA_ITG 59 Process 1 Process 2 Process 3 Process n Information Technology Processes Pervasiveness ISO/IEC 38500:2008 Goal ISO 38500 Guidelines Directors Senior Executives Effective Efficient Acceptable ICTUse
  60. 60. @CarlosChalicoT #ISACA_ITG 60 Quote “May the Force be with you” Obi Wan Kenobi
  61. 61. @CarlosChalicoT #ISACA_ITG IT potential problems 61 • Different areas of the organisation have different relationships with different IT vendors • IT systems evolve independently with no united direction or strategy • IT systems under/over-perform • IT managers don’t understand the operation • Operational managers don’t understand IT • No sense of ownership on data, infrastructure and processes • Users frustrated for, apparently, not having enough resources • Nobody thinks or wants the CIO, except when there is a problem.
  62. 62. @CarlosChalicoT #ISACA_ITG 62 ISO/IEC 38500:2008 ISO 38500 Scope, Application, Objectives Framework Guidance
  63. 63. @CarlosChalicoT #ISACA_ITG Scope,Application, Objectives 63 Goal ISO 38500 Guidelines Directors Senior Executives Effective Efficient Acceptable ICTUse Confidence Stakeholders
  64. 64. @CarlosChalicoT #ISACA_ITG 64 ISO/IEC 38500:2008 ISO 38500 Scope, Application, Objectives Framework Guidance
  65. 65. @CarlosChalicoT #ISACA_ITG Framework 65 ISO 38500 Six Principles Model IT Governance IT Management 1. Responsibility 2. Strategy 3. Acquisition 4. Performance 5. Conformance 6. Human Behaviour
  66. 66. @CarlosChalicoT #ISACA_ITG Responsibility 66 • Everyone understands and accepts his or her responsibility ! • This includes supply of and demand for IT ! • Those with responsibility for actions also have the authority to perform those actions
  67. 67. @CarlosChalicoT #ISACA_ITG Responsibility 67
  68. 68. @CarlosChalicoT #ISACA_ITG Responsibility 68 • The CIO that was not respected, even with an ISSP communicated and authorized • The “Perfect” Operational Director • The “jumping” requirements • The eternal “Yes” CIO • The 24x7x52xFOREVER HR requirement
  69. 69. @CarlosChalicoT #ISACA_ITG Strategy 69 • Organisation’s business strategy considers current and future capabilities of IT ! • Strategic plans for IT satisfy the current and ongoing needs of the organisation
  70. 70. @CarlosChalicoT #ISACA_ITG Strategy 70 • “With that money I can setup a new branch” • “Hey, that IT strategy made me think that the operational strategy needs to be re-visited”
  71. 71. @CarlosChalicoT #ISACA_ITG 71 Strategy ?
  72. 72. @CarlosChalicoT #ISACA_ITG Acquisition 72 • IT acquisitions are made for valid reasons ! • Appropriate analysis is made to support purchasing decisions ! • There is a balance among benefits, opportunities, costs and risks in the short and long term
  73. 73. @CarlosChalicoT #ISACA_ITG Acquisition 73 • Some suggestions: • Understand required benefits • Informal chats with vendors • Define a formal purchasing process • Visit other organisations that are doing what you want to do • Understand the “do nothing” option • Check out references
  74. 74. @CarlosChalicoT #ISACA_ITG Acquisition 74 Time and budget are important, but… ! …having the organisation understanding the motives is critical
  75. 75. @CarlosChalicoT #ISACA_ITG Performance 75 • IT fits the requirements to support the organisation ! • IT provides services, levels of service and service quality required to meet the organisation’s current and future requirements
  76. 76. @CarlosChalicoT #ISACA_ITG Performance 76 • Under-PerformanceVs. Over-Performance • We often over-procure for reasons of convenience • How would you react if your main server starts running out of space?
  77. 77. @CarlosChalicoT #ISACA_ITG Conformance 77 • IT complies and supports compliance ! • Policies and practices are clearly defined, implemented and enforced
  78. 78. @CarlosChalicoT #ISACA_ITG Conformance 78 • How easy has been for your company to configure the systems to comply with laws and regulations? Compliance on IT Systems Process Process 2 Process Process Change Change
  79. 79. @CarlosChalicoT #ISACA_ITG Human Behaviour 79 • IT policies, practices and decisions show respect for human behaviour ! • This includes current and evolving needs of all of the people in the processes
  80. 80. @CarlosChalicoT #ISACA_ITG Human Behaviour 80 • Have you defined policies to make clear how you want your IT systems to be used? • How are you balancing personalVs. professional use of the corporate IT resources? • Is your management team setting the tone? • How are you connecting with customers, providers, authority?
  81. 81. @CarlosChalicoT #ISACA_ITG 81 ISO/IEC 38500:2008 ISO 38500 Scope, Application, Objectives Framework Guidance
  82. 82. @CarlosChalicoT #ISACA_ITG Guidance 82 • Provides examples for the application of each one of the six principles
  83. 83. @CarlosChalicoT #ISACA_ITG Guidance 83 • Additional documents: • Cloud computing • IT Audit • Digital forensics • Interoperability • Business frameworks
  84. 84. @CarlosChalicoT #ISACA_ITG 84 Quote “Nothing will work unless you do” Maya Angelou
  85. 85. @CarlosChalicoT #ISACA_ITG Implementing ISO 38500 85 Implementation Design and Definition Communication and awareness IT controls Policies and procedures Plan development Business processes improvements Current State Assessment Continuous Improvement Auditing Operation Monitoring Third parties considerations Extended IT governance IT processes improvements Problems identification Training and testing Adjustments Monitoring controls Reporting Audit guidelines Responsibility assignment
  86. 86. IT Governance November, 2013 Break!
  87. 87. @CarlosChalicoT #ISACA_ITG How has COBIT dealt with IT Governance? 87 Source: COBIT® 5, figure 2. © 2012 ISACA® All rights reserved.
  88. 88. @CarlosChalicoT #ISACA_ITG How has COBIT dealt with IT Governance? 88 • Governance ensures that enterprise objectives are achieved by evaluating stakeholder needs, conditions and options; setting direction through prioritisation and decision making; and monitoring performance, compliance and progress against agreed-on direction and objectives (EDM) • Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives (PBRM)
  89. 89. @CarlosChalicoT #ISACA_ITG How has COBIT dealt with IT Governance? 89 COBIT 5 brings together the five principles that allow the enterprise to build an effective governance and management framework based on a holistic set of seven enablers that optimises information and technology investment and use for the benefit of stakeholders.
  90. 90. @CarlosChalicoT #ISACA_ITG How has COBIT dealt with IT Governance? 90 IT Governance COBIT4.0/4.1 Management COBIT3 Control COBIT2 A business framework from ISACA, at www.isaca.org/cobit Audit COBIT1 2005/720001998 Evolutionofscope 1996 2012 Val IT 2.0 (2008) Risk IT (2009) © 2012 ISACA® All rights reserved.
  91. 91. @CarlosChalicoT #ISACA_ITG COBIT Principles 91 • Meeting stakeholder needs • Covering the enterprise end-to-end • Applying a single integrated framework • Enabling a holistic approach • Separating governance from management
  92. 92. @CarlosChalicoT #ISACA_ITG Meeting Stakeholder Needs 92 Enterprises exist to create value for their stakeholders.
  93. 93. @CarlosChalicoT #ISACA_ITG 9393 • Enterprises have many stakeholders, and ‘creating value’ means different—and sometimes conflicting—things to each of them. • Governance is about negotiating and deciding amongst different stakeholders’ value interests. • The governance system should consider all stakeholders when making benefit, resource and risk assessment decisions. • For each decision, the following can and should be asked: • Who receives the benefits? • Who bears the risk? • What resources are required? Meeting Stakeholder Needs
  94. 94. @CarlosChalicoT #ISACA_ITG 9494 Meeting Stakeholder Needs • Stakeholder needs have to be transformed into an enterprise’s actionable strategy. • The COBIT 5 goals cascade translates stakeholder needs into specific, actionable and customised goals within the context of the enterprise, IT- related goals and enabler goals. Source: COBIT® 5, figure 4. © 2012 ISACA® All rights reserved.
  95. 95. @CarlosChalicoT #ISACA_ITG 9595 Meeting Stakeholder Needs • Benefits of the COBIT 5 goals cascade: • It allows the definition of priorities for implementation, improvement and assurance of enterprise governance of IT based on (strategic) objectives of the enterprise and the related risk. • In practice, the goals cascade: • Defines relevant and tangible goals and objectives at various levels of responsibility. • Filters the knowledge base of COBIT 5, based on enterprise goals to extract relevant guidance for inclusion in specific implementation, improvement or assurance projects. • Clearly identifies and communicates how (sometimes very operational) enablers are important to achieve enterprise goals.
Covering the enterprise end-to-end
• COBIT 5 addresses the governance and management of information and related technology from an enterprise-wide, end-to-end perspective.
• This means that COBIT 5:
  • Integrates governance of enterprise IT into enterprise governance, i.e., the governance system for enterprise IT proposed by COBIT 5 integrates seamlessly in any governance system because COBIT 5 aligns with the latest views on governance.
  • Covers all functions and processes within the enterprise; COBIT 5 does not focus only on the "IT function", but treats information and related technologies as assets that need to be dealt with just like any other asset by everyone in the enterprise.

Covering the enterprise end-to-end
Key Components of a governance system
Source: COBIT® 5, figure 9. © 2012 ISACA® All rights reserved.
Source: COBIT® 5, figure 8. © 2012 ISACA® All rights reserved.
Applying a single integrated framework
• COBIT 5 aligns with the latest relevant other standards and frameworks used by enterprises:
  • Enterprise: COSO, COSO ERM, ISO/IEC 9000, ISO/IEC 31000
  • IT-related: ISO/IEC 38500, ITIL, ISO/IEC 27000 series, TOGAF, PMBOK/PRINCE2, CMMI
• This allows the enterprise to use COBIT 5 as the overarching governance and management framework integrator.
• ISACA plans a capability to facilitate COBIT user mapping of practices and activities to third-party references.

Enabling a holistic approach
• COBIT 5 enablers are:
  • Factors that, individually and collectively, influence whether something will work; in the case of COBIT, governance and management over enterprise IT
  • Driven by the goals cascade, i.e., higher-level IT-related goals define what the different enablers should achieve
  • Described by the COBIT 5 framework in seven categories

Enabling a holistic approach
Source: COBIT® 5, figure 12. © 2012 ISACA® All rights reserved.
Enabling a holistic approach
• Processes: describe an organised set of practices and activities to achieve certain objectives and produce a set of outputs in support of achieving overall IT-related goals
• Organizational structures: are the key decision-making entities in an organization
• Culture, ethics and behavior: of individuals and of the organization; very often underestimated as a success factor in governance and management activities

Enabling a holistic approach
• Principles, policies and frameworks: are the vehicles to translate the desired behaviour into practical guidance for day-to-day management
• Information: is pervasive throughout any organisation, i.e., deals with all information produced and used by the enterprise. Information is required for keeping the organisation running and well governed, but at the operational level, information is very often the key product of the enterprise itself.

Enabling a holistic approach
• Services, infrastructure and applications: include the infrastructure, technology and applications that provide the enterprise with information technology processing and services
• People, skills and competencies: are linked to people and are required for successful completion of all activities and for making correct decisions and taking corrective actions

Enabling a holistic approach
• Systemic governance and management through interconnected enablers: to achieve the main objectives of the enterprise, it must always consider an interconnected set of enablers, i.e., each enabler:
  • Needs the input of other enablers to be fully effective, e.g., processes need information, organisational structures need skills and behaviour
  • Delivers output to the benefit of other enablers, e.g., processes deliver information, skills and behaviour make processes efficient
• This is a KEY principle emerging from the ISACA development work around the Business Model for Information Security (BMIS).

Enabling a holistic approach
COBIT 5 Enabler Dimensions:
• All enablers have a set of common dimensions. This set of common dimensions:
  • Provides a common, simple and structured way to deal with enablers
  • Allows an entity to manage its complex interactions
  • Facilitates successful outcomes of the enablers
Source: COBIT® 5, figure 13. © 2012 ISACA® All rights reserved.
Separating Governance from Management
• The COBIT 5 framework makes a clear distinction between governance and management.
• These two disciplines:
  • Encompass different types of activities
  • Require different organisational structures
  • Serve different purposes
• Governance: in most enterprises, governance is the responsibility of the board of directors under the leadership of the chairperson.
• Management: in most enterprises, management is the responsibility of the executive management under the leadership of the CEO.

Separating Governance from Management
• Governance ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; sets direction through prioritisation and decision making; and monitors performance and compliance against agreed-on direction and objectives (EDM: Evaluate, Direct, Monitor).
• Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives (PBRM: Plan, Build, Run, Monitor).

Separating Governance from Management
COBIT 5 is not prescriptive, but it advocates that organisations implement governance and management processes such that the key areas are covered, as shown.
Source: COBIT® 5, figure 15. © 2012 ISACA® All rights reserved.

Separating Governance from Management
• The COBIT 5 framework describes seven categories of enablers (Principle 4). Processes are one category.
• An enterprise can organise its processes as it sees fit, as long as all necessary governance and management objectives are covered. Smaller enterprises may have fewer processes; larger and more complex enterprises may have many processes, all to cover the same objectives.
• COBIT 5 includes a process reference model (PRM), which defines and describes in detail a number of governance and management processes. The details of this specific enabler model can be found in the COBIT 5: Enabling Processes volume.
Quote
"It's a trap!"
Admiral Ackbar

Implementing GEIT with COBIT

Implementing GEIT with COBIT
Source: COBIT® 5, © 2012 ISACA® All rights reserved.

Implementing GEIT with COBIT
• The improvement of the governance of enterprise IT (GEIT) is widely recognized by top management as an essential part of enterprise governance
• Information and the pervasiveness of IT are increasingly part of every aspect of business and public life
• The need to drive more value from IT investments and manage an increasing array of IT-related risk has never been greater
• Increasing regulation and legislation over business use of information is also driving heightened awareness of the importance of a well-governed and managed IT environment

Implementing GEIT with COBIT
• ISACA has developed the COBIT 5 framework to help enterprises implement sound governance enablers. Indeed, implementing good GEIT is almost impossible without engaging an effective governance framework. Best practices and standards are also available to underpin COBIT 5.
• Frameworks, best practices and standards are useful only if they are adopted and adapted effectively. There are challenges that need to be overcome and issues that need to be addressed if GEIT is to be implemented successfully.
• COBIT 5: Implementation provides guidance on how to do this.

Implementing GEIT with COBIT
• COBIT 5: Implementation covers the following subjects:
  • Positioning GEIT within an enterprise
  • Taking the first steps towards improving GEIT
  • Implementation challenges and success factors
  • Enabling GEIT-related organisational and behavioural change
  • Implementing continual improvement that includes change enablement and programme management
  • Using COBIT 5 and its components

Value of GEIT
The Value of CGEIT
CGEIT recognizes a wide range of professionals for their knowledge and application of enterprise IT governance principles and practices. As a CGEIT certified professional, you demonstrate that you are capable of bringing IT governance into an organization, that you grasp the complex subject holistically, and therefore enhance value to the enterprise.
http://www.isaca.org/Certification/CGEIT-Certified-in-the-Governance-of-enterprise-it/Pages/default.aspx

GRC

GRC Magic Quadrant
Top 10 GRC challenges
1. Management complexity of risk and compliance programs
2. Organisational alignment of risk and compliance metrics and control across functional domains
3. Managing regulatory complexity to reduce the cost of compliance
4. Privacy and intellectual property protection
5. Cybersecurity risks
6. BYOD and mobile strategy
7. Supply/value chain risk
8. Building out infrastructure to enable situational awareness and predictive analytics
9. Aligning operational security with risk and compliance programs
10. Aligning business continuity and availability with risk management
Quote
"The only place success comes before work is in the dictionary"
Vince Lombardi

Case Study
Please follow the instructions to review the Case Study.

Conclusions
• The world is changing and IT departments need to adapt to that
• Governance of Enterprise IT is mandatory; complexity in compliance, value requirements, and innovation and transformation needs all support its implementation
• Effective governance requires a committed organisation
• ISO 38500 and COBIT 5 can be the frameworks for implementing this
Final Thoughts
http://www.slideshare.net/sap/99-facts-on-the-future-of-business

Final Thoughts
SAP & Vuzix Augmented Reality
Questions and Answers
Carlos Chalico
CISA, CISSP, CISM, CGEIT, CRISC, ISO27000 LA, PbD Ambassador
Ouest Business Solutions Inc.
carlos.chalico@ouestsolutions.com
(647) 638 8062
Twitter: @CarlosChalicoT
LinkedIn: ca.linkedin.com/in/carloschalico/

Thank You!