Governance and Management of Enterprise IT with COBIT 5 Framework

This courseware was designed for the training entitled 'Governance and Management of Enterprise IT with COBIT 5 Framework'.


  1. Governance and Management of Enterprise IT with COBIT 5 Framework. March 2013. Goutama Bachtiar. W: www.linkedin.com/in/goutama T: @goudotmobi
  2. Profile of Training Lead
     • Advisor at six companies.
     • ISACA International Chapter Subject Matter Expert.
     • ISACA International Chapter Journal Reviewer.
     • ISACA International Chapter Certification Exam and QAE Developer.
     • Reviewer Panel at two international journals.
     • Has audited and consulted 32 companies.
     • Has written 300+ manuscripts, articles and pieces in the IT space.
     • 65+ international certifications on technology and management under his belt.
  3. Importance of Information
     • Information is a key resource for all enterprises.
     • Information is created, used, retained, disclosed and destroyed.
     • Technology plays a key role in these actions.
     • Technology is becoming pervasive in all aspects of business and personal life.
     What benefits do information and technology bring to enterprises?
  4. Why Does IT Need a Control Framework? Do any of these conditions sound familiar?
     • Increasing pressure to leverage technology in business strategies
     • Growing complexity of IT environments
     • Fragmented IT infrastructures
     • Communication gap between business and IT managers
     • IT service levels that are disappointing, from internal IT functions and from increasingly outsourced IT providers
     • IT costs perceived to be out of control
     • Marginal ROI/productivity gains on technology investments
     • Impaired organizational flexibility and nimbleness to change
     • User frustration leading to ad-hoc solutions
  5. Why Does IT Need a Control Framework? (cont’d)
     • Increasing dependence on information and on the systems delivering this information
     • Increasing vulnerabilities and a wide spectrum of threats
     • Scale and cost of current and future investments in information and information systems
     • Need for complying with regulations
     • Potential for technologies to dramatically change organizations and business practices, create new opportunities and reduce costs
     • Recognition by many organizations of the potential benefits technology can yield
     • Successful organizations understand and manage the risks associated with implementing new technologies
  6. Why Does IT Need a Control Framework? (cont’d) To ensure that:
     • IT provides value
     • Cost, time and functionality are as expected
     • IT does not provide surprises
     • Risks are mitigated
     • IT pushes the envelope
     • New opportunities and innovations arise for processes, products and services
     Management needs to get IT under control.
  7. Who Needs a Control Framework?
     • Board and Executive: to ensure management follows and implements the strategic direction for IT
     • Management: to make IT investment decisions; to balance risk and control investment; to benchmark the existing and future IT environment
  8. Who Needs a Control Framework? (cont’d)
     • Users: to obtain assurance on the security and control of products and services they acquire internally or externally
     • Auditors: to substantiate opinions to management on internal controls; to advise on what minimum controls are necessary
  9. Why and How Is COBIT Used?
     • Increases acceptance and reduces time to implement IT governance
     • A guide for formal audits and reviews
     • Use results of audits to plan improvements
     • Achieving the primary goals of IT governance: transform organizational practices and pursue improved processes
     • A credible source for management’s decisions on controls
     • Impresses and helps IT operations managers with its ability to assist in understanding what auditors want
     • For the business to communicate requirements and concerns
     • A reference to ensure identification of all major risk areas
     • Improves communications and relations with IT management
  10. Why and How Is COBIT Used? (cont’d)
     • To improve audit approaches/programmes
     • To support audit work with detailed audit guidelines
     • To provide guidance for IT governance
     • As a valuable benchmark for IS/IT control
     • To improve IS/IT controls
     • To standardise audit approaches/programmes
  11. Enterprise Benefits. Enterprises and their executives strive to:
     • Maintain quality information to support business decisions.
     • Generate business value from IT-enabled investments, i.e., achieve strategic goals and realise business benefits through effective and innovative use of IT.
     • Achieve operational excellence through reliable and efficient application of technology.
     • Maintain IT-related risk at an acceptable level.
     • Optimise the cost of IT services and technology.
     How can these benefits be realized to create enterprise stakeholder value?
  12. Stakeholder Value
     • Delivering enterprise stakeholder value requires good governance and management of information and technology (IT) assets.
     • Enterprise boards, executives and management have to embrace IT like any other significant part of the business.
     • External legal, regulatory and contractual compliance requirements related to enterprise use of information and technology are increasing, threatening value if breached.
  13. COBIT 5 provides a comprehensive framework that assists enterprises to achieve their goals and deliver value through effective governance and management of
  14. COBIT: Value and Limitations
     ► Has internationally accepted good practices
     ► Is management-oriented and supported by tools and training
     ► Is freely downloadable and continually evolves
     ► Allows the knowledge of expert volunteers to be shared and leveraged
     ► Is maintained by a reputable not-for-profit organization
     ► Fully maps to COSO and all major, related standards
     ► Is a reference, not an ‘off-the-shelf’ cure
     Enterprises still need to analyze control requirements and customize COBIT based on:
     ► Value drivers
     ► Risk profile
     ► IT infrastructure, organization and project portfolio
  15. COBIT Components. An organization depends on reliable and timely data and information. COBIT components provide a comprehensive framework for delivering value while managing risk and control over data and information. (Diagram: Business Strategy, Information Criteria, IT Processes, IT Resources.)
  16. COBIT Advantages
     ► Aligned with other standards and good practices, and should be used together with them.
     ► COBIT’s framework and supporting best practices provide a well-managed and flexible IT environment in an organization.
     ► Provides a control environment that is responsive to business needs and serves management and audit functions in terms of their control responsibilities.
     ► Provides tools to manage IT activities.
  17. COBIT and IT Governance
     ► Focuses on improving IT governance in organizations.
     ► Provides a framework to manage and control IT activities and supports five requirements for a control framework:
       • Provides sharper business focus
       • Ensures process orientation
       • Has general acceptability amongst organisations
       • Helps meet regulatory requirements
       • Defines a common language
  18. COBIT and IT Governance (cont’d): Business Focus
     ► Achieves sharper business focus by aligning IT with business objectives.
     ► Measurement of IT performance focuses on IT’s contribution to enabling and extending the business strategy.
     ► Ensures the primary focus is value delivery and not technical excellence as an end in itself.
  19. COBIT and IT Governance (cont’d): Process Orientation
     ► When organizations implement COBIT, their focus becomes more process-oriented.
     ► Incidents and problems no longer divert attention from processes.
     ► Exceptions can be clearly defined as part of standard processes.
     ► With process ownership defined, assigned and accepted, it is easier to maintain control through periods of rapid change or organizational crisis.
  20. COBIT and IT Governance (cont’d): General Acceptability
     ► A proven and globally accepted standard for increasing the contribution of IT to organizational success.
     ► It continues to improve and develop to keep pace with good practices.
     ► IT professionals from all over the world contribute their ideas and time to regular review meetings.
  21. COBIT and IT Governance (cont’d): Regulatory Requirements
     ► Recent corporate scandals have increased regulatory pressure on boards of directors to report their status and ensure that internal controls are appropriate.
     ► Organizations constantly need to improve IT performance and demonstrate adequate controls over their IT activities.
     ► COBIT is the de facto response to regulatory IT requirements.
  22. COBIT and IT Governance (cont’d): Common Language
     ► Puts everybody on the same page by defining critical terms and providing a glossary.
     ► Co-ordination within and across project teams and organizations can play a key role in the success of any project.
     ► A common language helps build confidence and trust.
  23. COBIT: Premise. It is based on the premise that IT needs to deliver the information that an enterprise requires to achieve its objectives. (Diagram: IT resources and processes provide information to business processes for achieving business objectives.) It helps align IT with the business by focusing on business information requirements and organizing IT resources. COBIT provides the framework and guidance to implement IT governance.
  24. COBIT: Principle. Link management’s IT expectations with management’s IT responsibilities. The objective is to facilitate IT governance to deliver IT value whilst managing IT risks. (Diagram: Business Strategy, Information Criteria, IT Processes, IT Resources.)
  25. COBIT: Premise. As a control and governance framework for IT, it focuses on two key areas:
     ► Providing the information required to support business objectives and requirements
     ► Treating information as the result of the combined application of IT-related resources that need to be managed by IT processes
     (Diagram: Business Requirement: Information Criteria (Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability); Control Approach: IT Processes (Domains, Processes, Activities); IT Resources (Applications, Information, Infrastructure, People).)
  26. COBIT: Cube. It describes how IT processes deliver the information the business needs to achieve its objectives. For controlling this delivery, COBIT provides three key components, each forming a dimension of the COBIT cube: Business Requirements for Information (Information Criteria), IT Resources and IT Processes.
  27. COBIT Cube: IT Processes
     ► COBIT describes the IT life cycle with the help of four domains:
       • Plan and Organize
       • Acquire and Implement
       • Deliver and Support
       • Monitor and Evaluate
     ► Processes are series of activities with natural control breaks.
     ► 34 processes across the four domains specify what the business needs to achieve its objectives.
     ► Activities are actions that are required to achieve measurable results. Moreover, activities have life cycles and include many discrete tasks.
  28. COBIT Cube: IT Domains. Plan and Organize (PO)
     ► Objectives
       • Formulating strategy and tactics
       • Identifying how IT can best contribute to achieving business objectives
       • Planning, communicating and managing the realization of the strategic vision
       • Implementing organizational and technological infrastructure
     ► Scope
       • Are IT and the business strategically aligned?
       • Is the enterprise achieving optimum use of its resources?
       • Does everyone in the organization understand the IT objectives?
       • Are IT risks understood and being managed?
       • Is the quality of IT systems appropriate for business needs?
  29. COBIT Cube: IT Domains (cont’d). Have a look at the COBIT process model. Plan and Organise:
     • PO1 Define a strategic IT plan.
     • PO2 Define the information architecture.
     • PO3 Determine technological direction.
     • PO4 Define the IT processes, organisation and relationships.
     • PO5 Manage the IT investment.
     • PO6 Communicate management aims and direction.
     • PO7 Manage IT human resources.
     • PO8 Manage quality.
     • PO9 Assess and manage IT risks.
     • PO10 Manage projects.
  30. COBIT Cube: IT Domains (cont’d). Acquire and Implement (AI)
     ► Objectives:
       • Identifying, developing, acquiring, implementing and integrating IT solutions
       • Changes in and maintenance of existing systems
     ► Scope:
       • Are new projects likely to deliver solutions that meet business needs?
       • Are new projects likely to be delivered on time and within budget?
       • Will the new systems work properly when implemented?
       • Will changes be made without upsetting current business operations?
  31. COBIT Cube: IT Domains (cont’d). Acquire and Implement:
     • AI1 Identify automated solutions.
     • AI2 Acquire and maintain application software.
     • AI3 Acquire and maintain technology infrastructure.
     • AI4 Enable operation and use.
     • AI5 Procure IT resources.
     • AI6 Manage changes.
     • AI7 Install and accredit solutions and changes.
  32. COBIT Cube: IT Domains (cont’d). Deliver and Support (DS)
     ► Objectives:
       • The actual delivery of required services, including service delivery
       • The management of security, continuity, data and operational facilities
       • Service support for users
     ► Scope:
       • Are IT services being delivered in line with business priorities?
       • Are IT costs optimized?
       • Is the workforce able to use IT systems productively and safely?
       • Are adequate confidentiality, integrity and availability in place?
  33. COBIT Cube: IT Domains (cont’d). Deliver and Support:
     • DS1 Define and manage service levels.
     • DS2 Manage third-party services.
     • DS3 Manage performance and capacity.
     • DS4 Ensure continuous service.
     • DS5 Ensure systems security.
     • DS6 Identify and allocate costs.
     • DS7 Educate and train users.
     • DS8 Manage service desk and incidents.
     • DS9 Manage the configuration.
     • DS10 Manage problems.
     • DS11 Manage data.
     • DS12 Manage the physical environment.
     • DS13 Manage operations.
  34. COBIT Cube: IT Domains (cont’d). Monitor and Evaluate (ME)
     ► Objectives:
       • Performance management
       • Monitoring of internal control
       • Regulatory compliance
       • Governance
     ► Scope:
       • Is IT’s performance measured to detect problems before it is too late?
       • Does management ensure internal controls are effective and efficient?
       • Can IT performance be linked to business goals?
       • Are risk, control, compliance and performance measured and reported?
  35. COBIT Cube: IT Domains (cont’d). Monitor and Evaluate:
     • ME1 Monitor and evaluate IT performance.
     • ME2 Monitor and evaluate internal control.
     • ME3 Ensure compliance with external requirements.
     • ME4 Provide IT governance.
  36. COBIT Cube: Information Criteria
     ► To satisfy business objectives, information needs to conform to specific control criteria, which COBIT refers to as business requirements for information.
     ► Broadly, information criteria are based on the following requirements:
       • Quality requirements
       • Fiduciary requirements
       • Security requirements
  37. COBIT Cube: Information Criteria (cont’d)
     • Effectiveness: deals with information being relevant and pertinent to the business process as well as being delivered in a timely, correct, consistent and usable manner
     • Efficiency: concerns the provision of information through the optimal (most productive and economical) use of resources
     • Confidentiality: concerns the protection of sensitive information from unauthorised disclosure
     • Integrity: relates to the accuracy and completeness of information as well as to its validity in accordance with business values and expectations
     • Availability: relates to information being available when required by the business process now and in the future. It also concerns the safeguarding of necessary resources and associated capabilities.
     • Compliance: deals with complying with those laws, regulations and contractual arrangements to which the business process is subject, i.e., externally imposed business criteria as well as internal policies
     • Reliability: relates to the provision of appropriate information for management to operate the entity and to exercise its fiduciary and governance responsibilities
  38. COBIT Cube: IT Resources
     ► IT processes manage IT resources to generate, deliver and store the information that the organization needs to achieve its objectives.
     ► The IT resources identified in COBIT are defined as:
       • Applications are automated user systems and manual procedures that process information.
       • Information is data that are input, processed and output by information systems, in whatever form is used by the business.
       • Infrastructure includes the technology and facilities, such as hardware, operating systems and networking, that enable the processing of applications.
       • People are the personnel required to plan, organize, acquire, implement, deliver, support, monitor and evaluate information systems and services. They may be internal, outsourced or contracted, as required.
  39. COBIT 5 Cube. IT resources are managed by IT processes to achieve IT goals that respond to the business requirements.
  40. Interrelationships with COBIT Components
  41. COBIT 5 Principles
  42. COBIT 5 Enablers
  43. Governance and Management
     • Governance ensures that enterprise objectives are achieved by: evaluating stakeholder needs, conditions and options; setting direction through prioritisation and decision making; and monitoring performance, compliance and progress against agreed-on direction and objectives (EDM).
     • Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives (PBRM).
  44. In Short… It brings together the five principles that allow the enterprise to build an effective governance and management framework, based on a holistic set of seven enablers that optimise information and technology investment and use for the benefit of stakeholders.
  45. Navigating COBIT 5
  46. COBIT 5: Complete Business Framework. (Figure: evolution of scope, from Audit and Control through Management to IT Governance: COBIT1 1996, COBIT2 1998, COBIT3 2000, COBIT4.0/4.1 2005/7, Val IT 2.0 (2008), Risk IT (2009), COBIT 5 2012.)
  47. COBIT 5 Product Family
  48. Five COBIT 5 Principles
     1. Meeting Stakeholder Needs
     2. Covering the Enterprise End-to-end
     3. Applying a Single Integrated Framework
     4. Enabling a Holistic Approach
     5. Separating Governance From Management
  49. Meeting Stakeholder Needs. Enterprises exist to create value for their stakeholders.
  50. Meeting Stakeholder Needs. Enterprises have many stakeholders, and ‘creating value’ means different—and sometimes conflicting—things to each of them. Governance is about negotiating and deciding amongst different stakeholders’ value interests. The governance system should consider all stakeholders when making benefit, resource and risk assessment decisions. For each decision, the following can and should be asked:
     • Who receives the benefits?
     • Who bears the risk?
     • What resources are required?
  51. Meeting Stakeholder Needs. Stakeholder needs have to be transformed into an enterprise’s practical strategy. The COBIT 5 goals cascade translates stakeholder needs into specific, practical and customised goals within the context of the enterprise, IT-related goals and enabler goals.
  52. Meeting Stakeholder Needs (cont.). Benefits of the COBIT 5 goals cascade: it allows the definition of priorities for implementation, improvement and assurance of enterprise governance of IT based on enterprise strategic objectives and related risk. In practice, the goals cascade:
     • Defines relevant and tangible goals and objectives at various levels of responsibility
     • Filters the knowledge base of COBIT 5, based on enterprise goals, to extract relevant guidance for inclusion in specific implementation, improvement or assurance projects
     • Clearly identifies and communicates how (sometimes very operational) enablers are important to achieve enterprise goals
  53. Covering the Enterprise End-to-end. It addresses the governance and management of information and related technology from an enterprise-wide, end-to-end perspective. This means it:
     • Integrates governance of enterprise IT into enterprise governance, i.e., the governance system for enterprise IT proposed by COBIT 5 integrates seamlessly into any governance system because COBIT 5 aligns with the latest views on governance
     • Covers all functions and processes within the enterprise; COBIT 5 does not focus only on the ‘IT function’, but treats information and related technologies as assets that need to be dealt with just like any other asset by everyone in the enterprise
  54. Covering the Enterprise End-to-end
  55. Applying a Single Integrated Framework. It aligns with the latest relevant standards and frameworks:
     • Enterprise: COSO, COSO ERM, ISO/IEC 9000, ISO/IEC 31000
     • IT-related: ISO/IEC 38500, ITIL, ISO/IEC 27000 series, TOGAF, PMBOK/PRINCE2, CMMI
     Use it as the overarching governance and management framework integrator. ISACA plans a capability to facilitate COBIT user mapping of practices and activities to third-party references.
  56. Enabling a Holistic Approach. COBIT 5 enablers are:
     • Factors that, individually and collectively, influence whether something will work—in the case of COBIT, governance and management over enterprise IT
     • Driven by the goals cascade, i.e., higher-level IT-related goals define what the different enablers should achieve
     • Described by the COBIT 5 framework in seven categories
  57. Enabling a Holistic Approach
  58. Enabling a Holistic Approach
     1. Processes—Describe an organised set of practices and activities to achieve certain objectives and produce a set of outputs in support of achieving overall IT-related goals
     2. Organisational structures—Are the key decision-making entities in an organisation
     3. Culture, ethics and behaviour—Of individuals and of the organisation; very often underestimated as a success factor in governance and management activities
     4. Principles, policies and frameworks—Are the vehicles to translate the desired behaviour into practical guidance for day-to-day management
     5. Information—Is pervasive throughout any organisation, i.e., deals with all information produced and used by the enterprise. Information is required for keeping the organisation running and well governed, but at the operational level, information is very often the key product of the enterprise itself.
     6. Services, infrastructure and applications—Include the infrastructure, technology and applications that provide the enterprise with information technology processing and services
     7. People, skills and competencies—Are linked to people and are required for successful completion of all activities and for making correct decisions and taking corrective actions
  59. Enabling a Holistic Approach
     • Systemic governance and management through interconnected enablers—To achieve the main objectives of the enterprise, it must always consider an interconnected set of enablers, i.e., each enabler:
       • Needs the input of other enablers to be fully effective, e.g., processes need information, organisational structures need skills and behaviour
       • Delivers output to the benefit of other enablers, e.g., processes deliver information, skills and behaviour make processes efficient
     • This is a KEY principle emerging from the ISACA development work around the Business Model for Information Security (BMIS).
  60. Enabling a Holistic Approach. All enablers have a set of common dimensions, which:
     • Provides a common, simple and structured way to deal with enablers
     • Allows an entity to manage its complex interactions
     • Facilitates successful outcomes of the enablers
     Source: COBIT® 5, figure 13. © 2012 ISACA®
  61. Separating Governance From Management. These two disciplines:
     • Encompass different types of activities
     • Require different organisational structures
     • Serve different purposes
     Governance—In most enterprises, governance is the responsibility of the board of directors under the leadership of the chairperson. Management—In most enterprises, management is the responsibility of the executive management under the leadership of the CEO.
  62. Separating Governance From Management
     • Governance ensures that stakeholders’ needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritisation and decision making; and monitoring performance and compliance against agreed-on direction and objectives (EDM)
     • Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives (PBRM)
  63. Separating Governance From Management (cont.). COBIT 5 is not prescriptive, but it advocates that organisations implement governance and management processes such that the key areas are covered, as shown. Source: COBIT® 5, figure 15. © 2012 ISACA®
  64. Separating Governance From Management. The COBIT 5 framework describes seven categories of enablers (Principle #4). An enterprise can organise its processes as it sees fit, as long as all necessary governance and management objectives are covered. Smaller enterprises may have fewer processes while larger and more complex enterprises may have many processes, all to cover the same objectives. COBIT 5 includes a process reference model (PRM), which defines and describes in detail a number of governance and management processes.
  65. The Need for IT Governance. Challenges:
     • Aligning IT with the business
     • Value/cost
     • Security
     • Keeping IT running
     • Managing complexity
     • Regulatory compliance
     Organizations require a structured approach for managing these and other challenges. This will ensure that there are agreed objectives for IT, good management controls in place and effective monitoring of performance to keep on track and avoid unexpected outcomes.
  66. The Need for IT Governance (cont’d). Enterprise governance is a set of responsibilities and practices exercised by the board and executive management with the goal of:
     • Providing strategic direction
     • Ensuring that objectives are achieved
     • Ascertaining that risks are managed appropriately
     • Verifying that the enterprise’s resources are used responsibly
     (Diagram: IT governance focus areas: Strategic Alignment, Value Delivery, Risk Management, Resource Management, Performance Measurement. Source: www.itgi.org)
  67. Enterprise Governance Drives IT Governance. Enterprise governance is about:
     • Conformance: adhering to legislation, internal policies, audit requirements, etc.
     • Performance: improving profitability, efficiency, effectiveness, growth, etc.
     Enterprise governance and IT governance require a balance between conformance and performance goals directed by the board.
  68. IT Governance Focus Areas
     • Strategic alignment: focuses on ensuring the linkage of business and IT plans; on defining, maintaining and validating the IT value proposition; and on aligning IT operations with enterprise operations
     • Value delivery: is about executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimising costs and proving the intrinsic value of IT
     • Resource management: is about the optimal investment in, and the proper management of, critical IT resources: applications, information, infrastructure and people. Key issues relate to the optimisation of knowledge and infrastructure.
     • Risk management: requires risk awareness by senior corporate officers, a clear understanding of the enterprise’s appetite for risk, understanding of compliance requirements, transparency about the significant risks to the enterprise, and embedding of risk management responsibilities in the organisation
     • Performance measurement: tracks and monitors strategy implementation, project completion, resource usage, process performance and service delivery, using, for example, balanced scorecards that translate strategy into action to achieve goals measurable beyond conventional accounting
  69. Making IT Governance Work
     • Make IT governance a workable solution—able to deal with the challenges and pitfalls presented by IT.
     • Focus as much on improving performance and enabling competitive advantage as on preventing problems.
     • Make IT governance a shared responsibility between the business (customer) and the IT service provider, with the full commitment and direction of the board.
     • Align IT governance within a wider enterprise governance scheme.
     • Boards and executive management need to extend enterprise governance to include IT, provide the necessary leadership and organisational structures, and insist on well-managed and properly controlled processes.
  70. IT Governance Stakeholders
     • Board and Executive: set direction for IT, monitor results and insist on corrective measures
     • Business Management: defines business requirements for IT and ensures that value is delivered and risks are managed
     • IT Management: delivers and improves IT services as required by the business
     • IT Audit: provides independent assurance to demonstrate that IT delivers what is needed
     • Risk and Compliance: measures compliance with policies and focuses on alerts to new risks
  71. Framework for IT Governance. COBIT bridges the gaps between business risks, control needs and technical issues. It provides good practices across a domain and process framework and presents activities in a manageable and logical structure. COBIT:
     • Starts from business requirements
     • Is process-oriented, organizing IT activities into a generally accepted process model
     • Identifies the major IT resources to be leveraged
     • Defines the management control objectives to be considered
     • Incorporates major international standards
     • Has become the de facto standard for overall control of IT
     IT resources need to be managed by a set of naturally grouped processes. COBIT provides a framework that achieves this objective.
72. COBIT Helps Implement Effective IT Governance
COBIT brings the following advantages to an IT governance implementation effort:
• Enables mapping of IT goals to business goals and vice versa
• Better alignment, based on a business focus
• A view of what IT does that is understandable to management
• Clear ownership and responsibilities based on process orientation
• General acceptability with third parties and regulators
• Shared understanding amongst all stakeholders, based on a common language
• Fulfilment of the COSO requirements for the IT control environment
73. COBIT and Other IT Management Frameworks
We will consider and use a variety of IT models, standards and best practices. These must be understood in order to consider how they can be used together, with COBIT acting as the consolidator ('umbrella').
[Figure: scope of coverage of each framework, ranging from the "what" to the "how": COSO, COBIT, ISO 17799, ISO 9000, ITIL]
74. Where Does COBIT Fit?
[Figure: drivers of enterprise governance. Conformance: Basel II, SOX, etc. Performance: business goals, balanced scorecard. COSO and COBIT at the IT governance level; best practice standards below: ISO 9001:2000 (processes and procedures, QA procedures), ISO 17799 (security principles), ISO 20000 and ITIL]
75. Governance, Risk and Compliance
An increasingly used 'umbrella term' that covers these three areas of enterprise activity. These areas of activity are progressively being more aligned and integrated to improve enterprise performance and the delivery of stakeholder needs.
76. GRC Definitions
• Governance: exercise of authority; control; government; arrangement.
• Risk (management): hazard; danger; peril; exposure to loss, injury, or destruction (management: the act or art of managing; the manner of treating, directing, carrying on, or using, for a purpose; conduct; administration; guidance; control).
• Compliance: the act of complying; a yielding, as to a desire, demand, or proposal; concession; submission.
Source: Webster's Online Dictionary
77. Types of Governance
Different types of governance exist:
• Corporate governance
• Project governance
• Information technology governance
• Environmental governance
• Economic and financial governance
Each type has one or more sources of guidance, each with similar goals but often varying terms and techniques for their achievement.
78. Implementing Governance
Integrating GRC activities within an enterprise requires a systemic approach for reliably achieving the business goals of its stakeholders. Such approaches are typically based on enablers of various types, i.e. principles, policies, frameworks and organisational structures.
79. A GRC Model Example
[Figure: from the OCEG Red Book GRC Capability Model version 2.1]
80. Corporate Governance of IT
ISO/IEC 38500:2008, Corporate governance of information technology
1.1 Scope
It provides guiding principles for directors of organisations (including owners, board members, directors, partners, senior executives, or similar) on the effective, efficient, and acceptable use of information technology (IT) within their organisations. It applies to the governance of management processes (and decisions) relating to the information and communication services used by an organisation. These processes could be controlled by IT specialists within the organisation, by external service providers, or by business units within the organisation.
81. Corporate Governance of IT
ISO/IEC 38500:2008, Corporate governance of information technology
2.1 Principles
• 2.1.1 Principle 1: Responsibility
• 2.1.2 Principle 2: Strategy
• 2.1.3 Principle 3: Acquisition
• 2.1.4 Principle 4: Performance
• 2.1.5 Principle 5: Conformance
• 2.1.6 Principle 6: Human Behaviour
82. Corporate Governance of IT
ISO/IEC 38500:2008, Corporate governance of information technology
2.2 Model
Directors should govern IT through three main tasks:
a) Evaluate the current and future use of IT.
b) Direct preparation and implementation of plans and policies to ensure that use of IT meets business objectives.
c) Monitor conformance to policies, and performance against the plans.
  83. 83. GRC in COBIT 5
84. Governance in COBIT 5
• Governance ensures that enterprise objectives are achieved by evaluating stakeholder needs, conditions and options; setting direction through prioritisation and decision making; and monitoring performance, compliance and progress against agreed direction and objectives (EDM).
• Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives (PBRM).
85. Governance in COBIT 5
• The COBIT 5 process reference model subdivides the IT-related practices and activities of the enterprise into two main areas, governance and management, with management further divided into domains of processes.
• The GOVERNANCE domain contains five governance processes; within each process, evaluate, direct and monitor (EDM) practices are defined:
  • EDM01 Ensure governance framework setting and maintenance
  • EDM02 Ensure benefits delivery
  • EDM03 Ensure risk optimisation
  • EDM04 Ensure resource optimisation
  • EDM05 Ensure stakeholder transparency
  86. 86. Governance in COBIT 5 86
87. Risk Management in COBIT 5
• The GOVERNANCE domain contains five governance processes, one of which focuses on stakeholder risk-related objectives: EDM03 Ensure risk optimisation.
• Process Description: Ensure that the enterprise's risk appetite and tolerance are understood, articulated and communicated, and that risk to enterprise value related to the use of IT is identified and managed.
• Process Purpose Statement: Ensure that IT-related enterprise risk does not exceed risk appetite and risk tolerance, that the impact of IT risk on enterprise value is identified and managed, and that the potential for compliance failures is minimised.
88. Risk Management in COBIT 5
• The MANAGEMENT Align, Plan and Organise domain contains a risk-related process: APO12 Manage risk.
• Process Description: Continually identify, assess and reduce IT-related risk within levels of tolerance set by enterprise executive management.
• Process Purpose Statement: Integrate the management of IT-related enterprise risk with overall ERM, and balance the costs and benefits of managing IT-related enterprise risk.
  89. 89. Risk Management in COBIT 5 89
90. Risk Management in COBIT 5
• All enterprise activities have associated risk exposures resulting from environmental threats that exploit enabler vulnerabilities.
• EDM03 Ensure risk optimisation: ensures that the enterprise stakeholders' approach to risk is articulated, to direct how risks facing the enterprise will be treated.
• APO12 Manage risk: provides the enterprise risk management (ERM) arrangements that ensure that the stakeholder direction is followed by the enterprise.
• All other processes include practices and activities that are designed to treat related risk (avoid; reduce/mitigate/control; share/transfer; accept).
91. Risk Management in COBIT 5
COBIT 5 suggests accountabilities and responsibilities for enterprise roles and governance/management structures (RACI charts) for each process. These include risk-related roles.
92. Compliance in COBIT 5
• The MANAGEMENT Monitor, Evaluate and Assess domain contains a compliance-focused process: MEA03 Monitor, evaluate and assess compliance with external requirements.
• Process Description: Evaluate that IT processes and IT-supported business processes are compliant with laws, regulations and contractual requirements. Obtain assurance that the requirements have been identified and complied with, and integrate IT compliance with overall enterprise compliance.
• Process Purpose Statement: Ensure that the enterprise is compliant with all applicable external requirements.
93. Compliance in COBIT 5 (cont.)
[Figure. Source: COBIT® 5, figure 16. © 2012 ISACA® All rights reserved.]
94. Compliance in COBIT 5
• Legal and regulatory compliance is a key part of the effective governance of an enterprise, hence its inclusion in the GRC term and in the COBIT 5 enterprise goals and supporting enabler process structure (MEA03).
• In addition to MEA03, all enterprise activities include control activities that are designed to ensure compliance not only with externally imposed legislative or regulatory requirements but also with enterprise governance-determined principles, policies and procedures.
95. Compliance in COBIT 5
COBIT 5 suggests accountabilities and responsibilities for enterprise roles and governance/management structures (RACI charts) for each process. These include a compliance-related role.
96. Summary
• The COBIT 5 framework includes the guidance necessary to support enterprise GRC objectives and supporting activities:
  • Governance activities related to GEIT (5 processes)
  • Risk management process, and supporting guidance for risk management across the GEIT space
  • Compliance: a specific focus on compliance activities within the framework and how they fit within the complete enterprise picture
• Inclusion of GRC arrangements within the business framework for GEIT helps enterprises to avoid the main issue with GRC arrangements: silos of activity!
  97. 97. COBIT 5 Implementation
98. COBIT 5 Implementation
• The improvement of GEIT is widely recognised by top management as an essential part of enterprise governance.
• Information and the pervasiveness of IT are increasingly part of every aspect of business and public life.
• The need to drive more value from IT investments and to manage an increasing array of IT-related risk has never been greater.
• Increasing regulation and legislation over business use of information is also driving heightened awareness of the importance of a well-governed and managed IT environment.
99. COBIT 5 Implementation
• ISACA has developed the COBIT 5 framework to help enterprises implement sound governance enablers.
• Indeed, implementing good GEIT is almost impossible without engaging an effective governance framework. Best practices and standards are also available to underpin COBIT 5.
• Frameworks, best practices and standards are useful only if they are adopted and adapted effectively.
• There are challenges that need to be overcome and issues that need to be addressed if GEIT is to be implemented successfully.
100. COBIT 5 Implementation
The COBIT 5 Implementation guide covers the following subjects:
• Positioning GEIT within an enterprise
• Taking the first steps towards improving GEIT
• Implementation challenges and success factors
• Enabling GEIT-related organisational and behavioural change
• Implementing continual improvement that includes change enablement and programme management
• Using COBIT 5 and its components
  101. 101. COBIT 5 Implementation 101
  102. 102. COBIT 5 Future Supporting Products
  103. 103. COBIT 5 Product Family 103
104. COBIT 5 Future Supporting Products
• Professional Guides
  • COBIT 5 for Information Security
  • COBIT 5 for Assurance
  • COBIT 5 for Risk
• Enabler Guides
  • COBIT 5: Enabling Information
• COBIT Online Replacement
• COBIT Assessment Programme
  • Process Assessment Model (PAM): Using COBIT 5
  • Assessor Guide: Using COBIT 5
  • Self-assessment Guide: Using COBIT 5