
Cobit 5 introduction plgr

Cobit 5 Introduction
ISACA

Published in: Technology


  1. Jordan, 5-8 April 2015. The author (prepetto@hotmail.com) has permission of ISACA to use the ISACA © material.
  2. PLGR. Agenda: Framework; Principles; Enabling processes; Implementation; Product family.
  3. Information! Information is a key resource for all enterprises. What is its life cycle? Created, Used, Retained, Disclosed, Destroyed.
  4. © 2014 ISACA. All rights reserved. Used by permission. Information!
     - Does technology play a key role in the actions of the information life cycle?
     - Is technology becoming pervasive in all aspects of business and personal life?
     - What benefits do information and technology bring to enterprises?
  5. Enterprise Benefits. Enterprises and their executives strive to:
     - Maintain quality information to support business decisions.
     - Generate business value from IT-enabled investments, i.e., achieve strategic goals and realise business benefits through effective and innovative use of IT.
     - Achieve operational excellence through reliable and efficient application of technology.
     - Maintain IT-related risk at an acceptable level.
     - Optimise the cost of IT services and technology.
     How can these benefits be realised to create enterprise stakeholder value?
  6. COBIT 5: now one complete business framework for the Governance of Enterprise IT. A business framework from ISACA, at www.isaca.org/cobit. Evolution of scope: COBIT1 Audit (1996); COBIT2 Control (1998); COBIT3 Management (2000); COBIT4.0/4.1 IT Governance (2005/7); COBIT 5 Governance of Enterprise IT (2012); complemented by Val IT 2.0 (2008) and Risk IT (2009). © 2012 ISACA® All rights reserved.
  7. Stakeholder. Who or what is a "stakeholder"? (Exercise 01) A person, group or organization that has an interest or concern in an organization. Are the stakeholders internal or external? Both. Examples:
     - Internal: presidents, directors, managers, business process owners, internal audit, IT users, privacy officers, IT managers, business managers, risk managers.
     - External: business partners, suppliers, shareholders, regulators/government, external users, customers, standardisation organisations, external auditors, consultants.
  8. Governance and Management. Governance ensures that enterprise objectives are achieved by evaluating stakeholder needs, conditions and options; setting direction through prioritisation and decision making; and monitoring performance, compliance and progress against agreed-on direction and objectives (EDM: Evaluate, Direct, Monitor).
  9. Governance and Management. Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives (PBRM: Plan, Build, Run, Monitor).
  10. COBIT 5 Framework.
  11. COBIT 5 Framework. The main, overarching COBIT 5 product. Contains the executive summary and the full description of all of the COBIT 5 framework components:
     - The five COBIT 5 principles
     - The seven COBIT 5 enablers, plus
     - An introduction to the implementation guidance provided by ISACA (COBIT 5 Implementation)
     - An introduction to the COBIT Assessment Programme (not specific to COBIT 5) and the process capability approach being adopted by ISACA for COBIT
  12. COBIT 5 Product Family. Source: COBIT® 5, figure 11. © 2012 ISACA® All rights reserved.
  13. In Summary: COBIT 5 brings together the five principles that allow the enterprise to build an effective governance and management framework based on a holistic set of seven enablers that optimises information and technology investment and use for the benefit of stakeholders.
  14. PLGR. Five COBIT 5 Principles (figure: Principle 1 to Principle 5 around COBIT 5).
  15. Five COBIT 5 Principles: 1. Meeting Stakeholder Needs; 2. Covering the Enterprise End-to-end; 3. Applying a Single Integrated Framework; 4. Enabling a Holistic Approach; 5. Separating Governance From Management.
  16. 1. Meeting Stakeholder Needs. Who or what is a "stakeholder"? Exercise 01 repeated from slide 7 (same definition and the same internal and external examples).
  17. 1. Meeting Stakeholder Needs. Principle 1. Meeting Stakeholder Needs: enterprises exist to create value for their stakeholders. Source: COBIT® 5, figure 3. © 2012 ISACA® All rights reserved.
  18. 1. Meeting Stakeholder Needs (cont.). Principle 1. Meeting Stakeholder Needs:
     - Enterprises have many stakeholders, and 'creating value' means different, and sometimes conflicting, things to each of them.
     - Governance is about negotiating and deciding amongst different stakeholders' value interests.
     - The governance system should consider all stakeholders when making benefit, resource and risk assessment decisions.
     - For each decision, the following can and should be asked: Who receives the benefits? Who bears the risk? What resources are required?
  19. 1. Meeting Stakeholder Needs (cont.). Stakeholder questions (COBIT 5, page 22):
     - Chief executive officer (CEO): How do I get value from the use of IT? Are end users satisfied with the quality of the IT service?
     - Chief information officer (CIO): How do I best build and structure my IT department? Am I running an efficient and resilient IT operation?
     - Business executives: What critical business processes are dependent on IT, and what are the requirements of business processes?
     - External users: How do I know the enterprise is compliant with applicable rules and regulations?
  20. PLGR. 1. Meeting Stakeholder Needs (cont.). Principle 1. Meeting Stakeholder Needs:
     - Stakeholder needs have to be transformed into an enterprise's practical strategy.
     - The COBIT 5 goals cascade translates stakeholder needs into specific, practical and customised goals within the context of the enterprise, IT-related goals and enabler goals. Source: COBIT® 5, figure 4. © 2012 ISACA® All rights reserved.
  21. 1. Meeting Stakeholder Needs (cont.). Goals cascade example: Chief information officer (CIO): "Am I running an efficient and resilient IT operation?" → enterprise goal 7. Business service continuity and availability → IT-related goal 10. Security of information, processing infrastructure and applications → processes APO12 Manage Risk, APO13 Manage Security, DSS05 Manage Security Services.
  22. PLGR. 1. Meeting Stakeholder Needs (cont.). Goals cascade with COBIT 5 page references: stakeholder questions (page 22), mapping of enterprise goals to IT-related goals (pages 55-56), enterprise goals (page 19), IT-related goals (page 50), mapping of IT-related goals to processes (pages 52-53).
  23. 1. Meeting Stakeholder Needs (Exercise 2). The CIO of an internet sales enterprise is worried about the assurance over IT. Using the COBIT 5 cascade, on which IT goals must the CIO focus? Stakeholder question: "How do I get assurance over IT?" → enterprise goals 4. Compliance with external laws and regulations, 15. Compliance with internal policies → IT-related goals 02 IT compliance & support for business compliance with external laws and regulations, 10 Security of information, processing infrastructure and applications, 15 IT compliance with internal policies (pages 50 and 55-56).
  24. 1. Meeting Stakeholder Needs (Exercise 3). An internet sales enterprise has defined for itself a number of strategic goals, of which improving customer satisfaction through service continuity is the most important. From there, it wants to know where it needs to improve in all things related to IT. Enterprise goal 7. Business service continuity and availability → IT-related goals 04 Managed IT-related business risk, 14 Availability of reliable and useful information for decision making, 10 Security of information, processing infrastructure and applications (page 50).
  25. 2. Covering the Enterprise End-to-end. Principle 2. Covering the Enterprise End-to-end:
     - COBIT 5 addresses the governance and management of information and related technology from an enterprisewide, end-to-end perspective.
     - This means that COBIT 5 integrates governance of enterprise IT into enterprise governance, i.e., the governance system for enterprise IT proposed by COBIT 5 integrates seamlessly in any governance system because COBIT 5 aligns with the latest views on governance.
     - It covers all functions and processes within the enterprise; COBIT 5 does not focus only on the 'IT function', but treats information and related technologies as assets that need to be dealt with just like any other asset by everyone in the enterprise.
  26. 2. Covering the Enterprise End-to-end (cont.). Principle 2: key components of a governance system. Source: COBIT® 5, figure 8. © 2012 ISACA® All rights reserved.
  27. 2. Covering the Enterprise End-to-end (cont.). Principle 2: key components of a governance system. Source: COBIT® 5, figure 9. © 2012 ISACA® All rights reserved.
  28. 3. Applying a Single Integrated Framework. Principle 3. Applying a Single Integrated Framework:
     - COBIT 5 aligns with the latest relevant other standards and frameworks used by enterprises. Enterprise: COSO, COSO ERM, ISO/IEC 9000, ISO/IEC 31000, ISO/IEC 19011, ISO/IEC 15504. IT-related: ISO/IEC 38500, ITIL, ISO/IEC 27000 series, TOGAF, PMBOK/PRINCE2, CMMI.
     - This allows the enterprise to use COBIT 5 as the overarching governance and management framework integrator.
  29. 4. Enabling a Holistic Approach. Principle 4. Enabling a Holistic Approach. COBIT 5 enablers are:
     - Factors that, individually and collectively, influence whether something will work; in the case of COBIT, governance and management over enterprise IT
     - Driven by the goals cascade, i.e., higher-level IT-related goals define what the different enablers should achieve
     - Described by the COBIT 5 framework in seven categories
  30. 4. Enabling a Holistic Approach (cont.). Principle 4. Enabling a Holistic Approach. Source: COBIT® 5, figure 12. © 2012 ISACA® All rights reserved.
  31. 4. Enabling a Holistic Approach (cont.). 1. Principles, policies and frameworks: the vehicles to translate the desired behaviour into practical guidance for day-to-day management. Exercise 4: An enterprise is considering how to deal with the fast-rising use of social media and pressure from its staff to have full access. Until now, the organisation has been conservative or restrictive in granting access to this kind of service for security reasons. What actions can the organization develop? Define a policy on the use of social media.
  32. 4. Enabling a Holistic Approach (cont.). 1. Principles, policies and frameworks. Exercise 4 (cont.): Define a policy on the use of social media. Communication is developed to explain the reasons for the new policy. Impact on other enablers? Staff members need to learn how to deal with the new media; they need to learn the appropriate behaviour. Processes with regard to security need to be changed.
  33. 4. Enabling a Holistic Approach (cont.). 2. Processes: describe an organised set of practices and activities to achieve certain objectives and produce a set of outputs in support of achieving overall IT-related goals (figure: INPUTS → Process → OUTPUTS).
  34. 4. Enabling a Holistic Approach (cont.). 3. Organisational structures: the key decision-making entities in an organisation. Exercise 5: What "Roles and Organisational Structures" do you know? Board, directors, CEO, CIO, CFO, CRO, COO, CSO, CISO, DPO, PMO, BCM, ISM, audit and compliance, IT architecture, IT development, IT operations …
  35. 4. Enabling a Holistic Approach (cont.). 4. Culture, ethics and behaviour: of individuals and of the organisation; very often underestimated as a success factor in governance and management activities. Exercise 6: Good practices for creating, encouraging and maintaining desired behaviour? Communication; example behaviour exercised by senior management; incentives to encourage desired behaviour; rules and norms, which provide more guidance.
  36. 4. Enabling a Holistic Approach (cont.). 5. Information: is pervasive throughout any organisation, i.e., deals with all information produced and used by the enterprise. Information is required for keeping the organisation running and well governed, but at the operational level, information is very often the key product of the enterprise itself. Exercise 7: Do you think that there is an information cycle? How do you organize the following concepts in the information cycle? BUSINESS PROCESSES, DATA, INFORMATION, KNOWLEDGE, VALUE.
  37. 4. Enabling a Holistic Approach (cont.). Exercise 7 (cont.): Information Cycle (figure).
  38. 4. Enabling a Holistic Approach (cont.). 6. Services, infrastructure and applications: include the infrastructure, technology and applications that provide the enterprise with information technology processing and services. External frameworks (which COBIT principle is applied? Principle 3. Applying a Single Integrated Framework): TOGAF provides a Technical Reference Model and an Integrated Information Infrastructure Reference Model; ITIL provides comprehensive guidance on how to design and operate services.
  39. 4. Enabling a Holistic Approach (cont.). 7. People, skills and competencies: are linked to people and are required for successful completion of all activities and for making correct decisions and taking corrective actions. Practices: role skill requirements, skill levels, skill categories. Quality: education, qualifications, experience, knowledge, behavioural skill, availability, turnover.
  40. 4. Enabling a Holistic Approach (cont.). Principle 4. Enabling a Holistic Approach: systemic governance and management through interconnected enablers. To achieve the main objectives of the enterprise, it must always consider an interconnected set of enablers, i.e., each enabler:
     - Needs the input of other enablers to be fully effective, e.g., processes need information, organisational structures need skills and behaviour
     - Delivers output to the benefit of other enablers, e.g., processes deliver information, skills and behaviour make processes efficient
  41. PLGR. 4. Enabling a Holistic Approach (cont.). Principle 4. Enabling a Holistic Approach: inputs and outputs of enablers (figure: the OUTPUTS of one Process are the INPUTS of the next Process).
  42. 4. Enabling a Holistic Approach (cont.). Principle 4. Enabling a Holistic Approach. Source: COBIT® 5, figure 12. © 2012 ISACA® All rights reserved. Exercise 7: Interactions and relations among enablers?
  43. 5. Separating Governance From Management. Principle 5. Separating Governance From Management:
     - The COBIT 5 framework makes a clear distinction between governance and management.
     - These two disciplines encompass different types of activities, require different organisational structures and serve different purposes.
     - Governance: in most enterprises, governance is the responsibility of the board of directors under the leadership of the chairperson.
     - Management: in most enterprises, management is the responsibility of the executive management under the leadership of the CEO.
  44. 5. Separating Governance From Management (cont.). Principle 5. Separating Governance From Management:
     - Governance ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritisation and decision making; and monitoring performance and compliance against agreed-on direction and objectives (EDM).
     - Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives (PBRM).
  45. 5. Separating Governance From Management (cont.). Principle 5. Separating Governance From Management: COBIT 5 is not prescriptive, but it advocates that organisations implement governance and management processes such that the key areas are covered, as shown. Source: COBIT® 5, figure 15. © 2012 ISACA® All rights reserved.
  46. COBIT 5: Enabling Processes. COBIT 5: Enabling Processes complements COBIT 5 and contains a detailed reference guide to the processes that are defined in the COBIT 5 process reference model:
     - In Chapter 2, the COBIT 5 goals cascade is recapitulated and complemented with a set of example metrics for the enterprise goals and the IT-related goals.
     - In Chapter 3, the COBIT 5 process model is explained and its components defined.
     - Chapter 4 shows the diagram of this process reference model.
     - Chapter 5 contains the detailed process information for all 37 COBIT 5 processes in the process reference model.
  47. PLGR. COBIT 5: Enabling Processes (cont.). Source: COBIT® 5, figure 29. © 2012 ISACA® All rights reserved. Stakeholders, Goals, Practices-Activities, Metrics.
  48. COBIT 5: Enabling Processes (cont.). COBIT 5: Enabling Processes:
     - The COBIT 5 process reference model subdivides the IT-related practices and activities of the enterprise into two main areas, governance and management, with management further divided into domains of processes.
     - The GOVERNANCE domain contains five governance processes; within each process, evaluate, direct and monitor (EDM) practices are defined.
     - The four MANAGEMENT domains are in line with the responsibility areas of plan, build, run and monitor (PBRM).
  49. PLGR. COBIT 5: Enabling Processes. Governance: 1 domain (EDM), 5 processes: EDM01 Governance framework setting and maintenance; EDM02 Benefits delivery; EDM03 Risk optimization; EDM04 Resource optimization; EDM05 Stakeholder transparency.
  50. PLGR. COBIT 5: Enabling Processes. Management: 4 domains, 32 processes: APO Align, Plan and Organise (13); BAI Build, Acquire and Implement (10); DSS Deliver, Service and Support (6); MEA Monitor, Evaluate and Assess (3).
  51. COBIT 5: Enabling Processes (cont.). Source: COBIT® 5, figure 16. © 2012 ISACA® All rights reserved.
  52. PLGR. COBIT 5: Enabling Processes, Exercise 8. Source: COBIT® 5, figure 16. © 2012 ISACA® All rights reserved. Our organization is concerned about compliance with external laws and regulations. From an IT point of view, which COBIT processes would you implement? IT-related goal 02 IT compliance & support for business compliance with external laws and regulations (pages 52-53) → APO01 Manage the IT Management Framework; APO12 Manage Risk; APO13 Manage Security; BAI10 Manage Configuration; DSS05 Manage Security Services; MEA02 Monitor, Evaluate and Assess the System of Internal Control; MEA03 Monitor, Evaluate and Assess Compliance With External Requirements.
  53. PLGR. COBIT 5 Implementation (cont.). Exercise 9: On which factors does the implementation strategy of your company depend?
     - Ethics and culture
     - Applicable laws, regulations and policies
     - Mission, vision and values
     - Governance policies and practices
     - Industry practices
     - Business plan and strategic intentions
     - Operating model and level of maturity
     - Management style
     - Risk appetite
     - Capabilities and available resources
  54. PLGR. COBIT 5 Implementation (cont.). Source: COBIT® 5, figure 17. © 2012 ISACA® All rights reserved. Implementation life cycle phases: 1 What are the drivers? 2 Where are we now? 3 Where do we want to be? 4 What needs to be done? 5 How do we get there? 6 Did we get there? 7 How do we keep going?
  55. COBIT 5 Product Family. Source: COBIT® 5, figure 11. © 2012 ISACA® All rights reserved.
  56. COBIT 5 Supporting Products:
     - A Business Framework for the Governance and Management of Enterprise IT
     - Professional Guides: COBIT 5 Implementation; COBIT 5 for Information Security; COBIT 5 for Assurance; COBIT 5 for Risk
     - Enabler Guides: COBIT 5: Enabling Processes; COBIT 5: Enabling Information
     - COBIT Assessment Programme: Process Assessment Model (PAM): Using COBIT 5; Assessor Guide: Using COBIT 5; Self-assessment Guide: Using COBIT 5
