CobiT 4.1: Information Technology Control Objectives & Control Practices
John W. Beveridge, Office of the State Auditor
Enterprise Security Board Security Awareness Day, June 26, 2007
CobiT
An authoritative, up-to-date, international set of generally accepted IT control objectives and control practices for day-to-day use by business and IT managers and assurance professionals. Structured and organized to provide a powerful control model.

CobiT's Scope
Focuses on information having integrity and being secure and available (in CobiT 4.1 these sit among seven information criteria: effectiveness, efficiency, confidentiality, integrity, availability, compliance and reliability)
Management-oriented
Supports corporate and IT governance
Serves as excellent criteria for evaluation
Process-oriented
Controls-based
Measurement-driven
Based on a strong foundation and sound principles of internal control
Perspective on CobiT's Control Definition
Information systems need to be controlled. The answer lies in the realm of what the agency wants to accomplish and to avoid; it therefore falls to the spectrum of objectives and risks.
Control (as defined by COBIT)
The policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected.
Two purposes: to achieve business objectives, and to avoid risks, threats and exposures.
Source: COBIT Control Objectives, p. 12.
CobiT promotes a healthy understanding of "reasonable assurance" and "residual risk". Knowing the acceptable levels for reasonable assurance and residual risk is a critical success factor for designing and managing an adequate framework of control.
[Chart: Assurance Level (rising toward 100%) plotted against Residual Risk (falling toward 0%), with "Reasonable Assurance" marked as a point short of both extremes.]
The point of the chart is that 100% assurance and 0% residual risk are neither achievable nor cost-effective; control design has to pick and document the level of residual risk the organization will accept.
Who is CobiT aimed at?
Individuals who are interested in successful business and IT management:
Management (IT and business)
Users
Auditors / advisors
Academics
Vendors
IT Management
Is IT well managed?
Are we doing the right things?
Are we doing them the best way?
Are they being done well?
Are we achieving the desired benefits?
Do we exercise due diligence?
Is IT properly controlled to meet integrity, security and availability requirements?
IT Management Issues
Not recognizing that we often manage IT as if it were separate from the enterprise, when in fact it is highly integrated with business operations
Uncoordinated strategic planning between business and IT operations
Outsourcing without adequate monitoring and evaluation
Obtaining value from IT
IT Value
How do we manage to achieve acceptable IT value?
What policies, practices and assurance mechanisms do we apply to the "right" resources to achieve value?
What guidance is there to assist management in understanding IT processes and how to achieve IT process results?
What standards should be applied to our IT environment?
What about governance?
Need for an IT Governance Control Framework
Many organizations recognize the potential benefits of technology. Successful organizations:
Understand that IT is more than an enabler
Understand and manage the risks associated with implementing new technologies
Keep a keen eye on the goal, and
Know where they are through measured progress, monitoring and evaluation
To Manage and Control IT, the Answer Lies In:
Having a clear understanding of the strategic value of technology
Having appropriate frameworks of control
Employing the fundamentals of IT governance
Building mechanisms to provide adequate assurance that IT governance objectives are addressed
The Need for IT Governance
Organizations require a structured approach for managing these and other challenges. This will ensure that there are agreed objectives for IT, good management controls in place and effective monitoring of performance, to keep on track and avoid unexpected outcomes.
Drivers shown on the slide: keeping IT running, security, value/cost, managing complexity, aligning IT with the business, regulatory compliance.
The Need for IT Governance
Enterprise governance is a set of responsibilities and practices exercised by the board and executive management with the goal of:
Providing strategic direction
Ensuring that objectives are achieved
Ascertaining that risks are managed appropriately
Verifying that the enterprise's resources are used responsibly
[Diagram: the five IT governance focus areas, strategic alignment, value delivery, resource management, risk management and performance measurement, arranged around the enterprise governance definition.]
Source: www.itgi.org
IT Governance Focus Areas
Strategic alignment
Value delivery
Resource management
Risk management
Performance measurement
COBIT Provides a Framework for IT Governance
COBIT:
Starts from business requirements
Is process-oriented, organizing IT activities into a generally accepted process model
Identifies the major IT resources to be leveraged
Defines the management control objectives to be considered
Incorporates major international standards
Has become the de facto standard for overall control of IT
COBIT helps bridge the gaps between business risks, control needs and technical issues. It provides good practices across a domain and process framework and presents activities in a manageable and logical structure. IT resources need to be managed by a set of naturally grouped processes, and COBIT provides a framework that achieves this objective.
CobiT is an Authoritative Source
Built on a sound framework of control and IT-related control practices
Aligned with de jure and de facto standards and regulations
Subject to extensive review and exposure
Aligned with control models, standards and best practices for IT management
COBIT and Other IT Management Frameworks
Organisations will consider and use a variety of IT models, standards and best practices. These must be understood in order to consider how they can be used together, with COBIT acting as the consolidator ("umbrella").
[Diagram: frameworks plotted by scope of coverage (horizontal) against depth, from WHAT to HOW (vertical). COBIT spans the widest scope at the "what" level; COSO sits above it at the enterprise-control level; ISO 9000, ISO 17799 and ITIL each cover a narrower scope in more "how" detail.]
In practice this means COBIT tells you which control objectives must be met, while a standard such as ISO 17799 (information security) or ITIL (service management) supplies the detailed practices for meeting them.
Where Does COBIT Fit?
[Diagram, top to bottom: Drivers, split into Performance (business goals) and Conformance (Basel II, Sarbanes-Oxley Act, etc.); Enterprise Governance (COSO, Balanced Scorecard); IT Governance (COBIT, security principles); Best Practice Standards (ISO 9001:2000, ISO 17799, ISO 20000, ITIL); Processes and Procedures (QA procedures).]
COBIT Cube
The COBIT framework describes how IT processes deliver the information that the business needs to achieve its objectives. For controlling this delivery, COBIT provides three key components, each forming a dimension of the COBIT cube:
Business requirements for information (the information criteria: effectiveness, efficiency, confidentiality, integrity, availability, compliance, reliability)
IT resources (in COBIT 4.1: applications, information, infrastructure, people)
IT processes (the four domains and their 34 processes)
COBIT: Premise
The COBIT framework is based on the premise that IT needs to deliver the information that an enterprise requires to achieve its objectives. The COBIT framework helps align IT with the business by focusing on business information requirements and organising IT resources. COBIT provides the framework and guidance to implement IT governance.
[Diagram: IT resources and processes provide information to business processes, for achieving business objectives.]
IT Resource Management
CobiT underscores and demonstrates that IT resources need to be managed by naturally grouped processes to provide organizations with the type and quality of information required to achieve organizational objectives.
COBIT Domains: IT Processes (3rd Component)
The processes are grouped into four domains, which form a life cycle with feedback between them:
Plan and Organize (PO)
Acquire and Implement (AI)
Deliver and Support (DS)
Monitor and Evaluate (ME)
[Diagram: the four domains arranged in a loop, with feedback arrows from each domain back to the one before it.]
Interrelationship of the COBIT Components
CobiT is Easily Available
Freely downloadable from: www.isaca.org
If you need guidance or training, contact us: [email_address] or [email_address]
Thank You