Accountability Corbit Overview 06262007

2,641 views

Published on

Published in: Economy & Finance
0 Comments
4 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
2,641
On SlideShare
0
From Embeds
0
Number of Embeds
717
Actions
Shares
0
Downloads
0
Comments
0
Likes
4
Embeds 0
No embeds

No notes for slide
  • Accountability Corbit Overview 06262007

    1. 1. CobiT 4.1 Information Technology Control Objectives & Control Practices John W. Beveridge Office of the State Auditor Enterprise Security Board Security Awareness Day June 26, 2007
    2. 2. <ul><li>Authoritative, up-to-date, international set of generally accepted IT control objectives and control practices for day-to-day use by business and IT managers and assurance professionals. </li></ul><ul><li>Structured and organized to provide a powerful control model </li></ul>CobiT
    3. 3. <ul><li>Focuses on information having integrity, being secure, and available. </li></ul><ul><li>Management-oriented </li></ul><ul><li>Supports corporate and IT governance </li></ul><ul><li>Serves as excellent criteria for evaluation </li></ul><ul><li>Process-oriented </li></ul><ul><li>Controls-based </li></ul><ul><li>Measurement-driven </li></ul><ul><li>Based on a Strong Foundation and Sound Principles of Internal Control </li></ul>CobiT's Scope
    4. 4. Perspective on CobiT’s Control Definition Information Systems Need to Be Controlled <ul><li>The answer lies in the realm of what the agency wants: </li></ul><ul><ul><li>to accomplish and </li></ul></ul><ul><ul><li>avoid </li></ul></ul><ul><li>It therefore falls to the spectrum of: </li></ul><ul><ul><li>objectives and </li></ul></ul><ul><ul><li>risks </li></ul></ul>
    5. 5. Control ( as defined by COBIT ) <ul><li>The policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected. </li></ul>
    6. 6. To Achieve Business Objectives To Avoid Risks, Threats and Exposures Control (as defined by COBIT) The policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected. Source: COBIT Control Objectives. P. 12.
    7. 7. CobiT promotes a healthy understanding about “reasonable assurance” and “residual risk” Knowing the acceptable levels for reasonable assurance and residual risk is a critical success factor for designing and managing an adequate framework of control
    8. 8. Assurance Level 100% Residual Risk 0% Reasonable Assurance
    9. 9. <ul><li>To Individuals Who are Interested in Successful Business and IT Management </li></ul><ul><ul><li>Management : </li></ul></ul><ul><ul><li>IT & Business Users </li></ul></ul><ul><ul><li>Auditors / Advisors </li></ul></ul><ul><ul><li>Academics </li></ul></ul><ul><ul><li>Vendors </li></ul></ul><ul><ul><li>Who is CobiT aimed at? </li></ul></ul>
    10. 10. IT Management <ul><li>Is IT well managed? </li></ul><ul><ul><li>Are we doing the right things? </li></ul></ul><ul><ul><li>Are we doing them the best way? </li></ul></ul><ul><ul><li>Are they being done well? </li></ul></ul><ul><ul><li>Are we achieving desired benefits? </li></ul></ul><ul><li>Do we exercise due diligence? </li></ul><ul><li>Is IT properly controlled to meet integrity, security and availability requirements? </li></ul>
    11. 11. IT Management Issues <ul><li>Not recognizing that we often manage IT as if it were separate from the enterprise when in fact it is highly integrated with business operations </li></ul><ul><li>Uncoordinated strategic planning between business and IT operations </li></ul><ul><li>Outsourcing without adequate monitoring and evaluation </li></ul><ul><li>Obtaining value from IT </li></ul>
    12. 12. IT Value <ul><li>How do we manage to achieve acceptable IT value? </li></ul><ul><li>What policies, practices and assurance mechanisms do we apply to the “right” resources to achieve value? </li></ul><ul><li>What guidance is there to assist management in understanding IT processes and how to achieve IT process results? </li></ul><ul><li>What standards should be applied to our IT environment? </li></ul><ul><li>What about governance? </li></ul>
    13. 13. <ul><li>Many organizations recognize the potential benefits of technology </li></ul><ul><li>Successful organizations </li></ul><ul><ul><li>Understand that IT is more than an enabler </li></ul></ul><ul><ul><li>Understand and manage the risks associated with implementing new technologies </li></ul></ul><ul><ul><li>Keep a keen eye on the goal, and </li></ul></ul><ul><ul><li>Know where they are through measured progress and monitoring and evaluation </li></ul></ul>Need for IT Governance Control Framework
    14. 14. To Manage and Control IT, The Answer Lies In : <ul><li>Having clear understandings of the strategic value of technology </li></ul><ul><li>Having appropriate frameworks of control </li></ul><ul><li>Employing the fundamentals of IT governance </li></ul><ul><li>Building mechanisms to provide adequate assurance that IT governance objectives are addressed </li></ul>
    15. 15. Organizations require a structured approach for managing these and other challenges. This will ensure that there are agreed objectives for IT, good management controls in place and effective monitoring of performance to keep on track and avoid unexpected outcomes. <ul><ul><li>The Need for IT Governance </li></ul></ul>Keeping IT Running Security Value/Cost Managing Complexity Aligning IT with Business Regulatory Compliance
    16. 16. <ul><li>Enterprise governance is a set of responsibilities and practices exercised by the </li></ul><ul><li>board and executive management with the goal of: </li></ul><ul><li>Providing strategic direction </li></ul><ul><li>Ensuring that objectives are achieved </li></ul><ul><li>Ascertaining that risks are managed appropriately </li></ul><ul><li>Verifying that the enterprise’s resources are used responsibly </li></ul><ul><ul><li>The Need for IT Governance </li></ul></ul>PERFORMANCE MEASUREMENT RESOURCE MANAGEMENT RISK MANAGEMENT VALUE DELIVERY STRATEGIC ALIGNMENT www.itgi.org www.itgi.org
    17. 17. IT Governance Focus Areas <ul><li>Strategic alignment </li></ul><ul><li>Value delivery </li></ul><ul><li>Resource management </li></ul><ul><li>Risk management </li></ul><ul><li>Performance measurement </li></ul>
    18. 18. <ul><li>C OBI T: </li></ul><ul><li>Starts from business requirements </li></ul><ul><li>Is process-oriented, organizing IT activities into a generally accepted process model </li></ul><ul><li>Identifies the major IT resources to be leveraged </li></ul><ul><li>Defines the management control objectives to be considered </li></ul><ul><li>Incorporates major international standards </li></ul><ul><li>Has become the de facto standard for overall control of IT </li></ul>COBIT helps bridge the gaps between business risks, control needs and technical issues. It provides good practices across a domain and process framework and presents activities in a manageable and logical structure. IT resources need to be managed by a set of naturally grouped processes. C OBI T provides a framework that achieves this objective. <ul><ul><li>COBIT Provides a Framework for IT Governance </li></ul></ul>
    19. 19. CobiT is an Authoritative Source <ul><li>Built on a sound framework of control and IT-related control practices. </li></ul><ul><li>Aligned with de jure and de facto standards and regulations. </li></ul><ul><li>Subject to extensive review and exposure. </li></ul><ul><li>Aligned with control models, standards and best practices for IT management </li></ul>
    20. 20. Organisations will consider and use a variety of IT models, standards and best practices. These must be understood in order to consider how they can be used together, with COBIT acting as the consolidator (‘umbrella’). C OBI T ISO 9000 ISO 17799 ITIL COSO WHAT HOW <ul><ul><li>COBIT and Other IT Management Frameworks </li></ul></ul>SCOPE OF COVERAGE
    21. 21. PERFORMANCE: Business Goals CONFORMANCE Basel II, Sarbanes- Oxley Act, etc. Enterprise Governance IT Governance ISO 9001:2000 ISO 17799 ISO 20000 Best Practice Standards QA Procedures Processes and Procedures Drivers C OBI T COSO Security Principles ITIL Balanced Scorecard <ul><ul><li>Where Does COBIT Fit? </li></ul></ul>
    22. 22. COBIT Cube The COBIT framework describes how IT processes deliver the information that the business needs to achieve its objectives. For controlling this delivery, COBIT provides three key components, each forming a dimension of the COBIT cube. Business Requirements for Information Criteria IT Resources IT Processes
    23. 23. COBIT: Premise <ul><li>The COBIT framework is based on the premise that IT needs to deliver the information that an enterprise requires to achieve its objectives. </li></ul><ul><li>The COBIT framework helps align IT with the business by focusing on business information requirements and organising IT resources. COBIT provides the framework and guidance to implement IT governance. </li></ul>i IT Resources and Processes Information Business Processes Business Objectives provide to for achieving
    24. 24. IT Resource Management <ul><li>CobiT underscores and demonstrates that IT resources need to be managed by naturally grouped processes to provide organizations with type and quality of information required to achieve organizational objectives. </li></ul>
    25. 25. COBIT Domains : Information Processes (3rd Component) Feedback Feedback Feedback Plan and Organize Acquire and Implement Deliver and Support Monitor and Evaluate
    26. 26. <ul><ul><li>Interrelationship of the C OBI T Components </li></ul></ul>
    27. 27. CobiT is Easily Available <ul><li>Freely downloadable from: </li></ul><ul><li>www.isaca.org </li></ul><ul><li>If you need guidance or training contact us </li></ul><ul><ul><ul><li>[email_address] </li></ul></ul></ul><ul><ul><ul><li>or </li></ul></ul></ul><ul><ul><ul><li>[email_address] </li></ul></ul></ul><ul><ul><ul><li>Thank You </li></ul></ul></ul>

    ×