7. PLGR.
Stakeholder
Who or what is a "stakeholder"? - Exercise 01
A stakeholder is a person, group or organisation that has an interest or concern in an organisation.
Are stakeholders internal or external? Both.
Examples:
• Internal: presidents, directors, managers; business process owners; internal audit; IT users; privacy officers; IT managers; business managers; risk managers
• External: business partners; suppliers; shareholders; regulators/government; external users; customers; standardisation organisations; external auditors; consultants
1. Meeting Stakeholder Needs
Who or what is a "stakeholder"? - Exercise 01 (repetition of the stakeholder exercise above: definition, internal/external, examples)
1. Meeting Stakeholder Needs (cont.)
Goals cascade example for the chief information officer (CIO):
Stakeholder need: "Am I running an efficient and resilient IT operation?"
Enterprise goal: 7. Business service continuity and availability
IT-related goal: 10. Security of information, processing infrastructure and applications
Processes: APO12 Manage Risk; APO13 Manage Security; DSS05 Manage Security Services
1. Meeting Stakeholder Needs (Exercise 2)
The CIO of an internet sales enterprise is worried about assurance over IT. Using the COBIT 5 goals cascade, on which IT-related goals must the CIO focus?
Stakeholder need: "How do I get assurance over IT?"
Enterprise goals:
• 4. Compliance with external laws and regulations
• 15. Compliance with internal policies
IT-related goals:
• 02 IT compliance and support for business compliance with external laws and regulations
• 10 Security of information, processing infrastructure and applications
• 15 IT compliance with internal policies
(COBIT 5 framework, page 50 and pages 55-56)
1. Meeting Stakeholder Needs (Exercise 3)
An internet sales enterprise has defined a number of strategic goals for itself, of which improving customer satisfaction through service continuity is the most important. From there, it wants to know where it needs to improve in all things related to IT.
Enterprise goal: 7. Business service continuity and availability
IT-related goals:
• 04 Managed IT-related business risk
• 10 Security of information, processing infrastructure and applications
• 14 Availability of reliable and useful information for decision making
(COBIT 5 framework, page 50)
4. Enabling a Holistic Approach (cont.)
1. Principles, policies and frameworks: the vehicles to translate the desired behaviour into practical guidance for day-to-day management
Exercise 4
An enterprise is considering how to deal with the fast-rising use of social media and pressure from its staff to have full access. Until now, the organisation has been conservative or restrictive in granting access to this kind of service, for security reasons.
What actions can the organisation take?
Define a policy on the use of social media.
4. Enabling a Holistic Approach (cont.)
1. Principles, policies and frameworks
Exercise 4 (cont.)
Define a policy on the use of social media.
Communication is developed to explain the reasons for the new policy.
Impact on other enablers?
• Culture, ethics and behaviour: staff members need to learn how to deal with the new media; they need to learn the appropriate behaviour.
• Processes: processes with regard to security need to be changed.
4. Enabling a Holistic Approach (cont.)
2. Processes: describe an organised set of practices and activities to achieve certain objectives and produce a set of outputs in support of achieving overall IT-related goals
[Figure: INPUTS -> Process -> OUTPUTS]
4. Enabling a Holistic Approach (cont.)
3. Organisational structures: the key decision-making entities in an organisation
Exercise 5
What "roles and organisational structures" do you know?
• Board of directors
• CEO, CIO, CFO, CRO, COO, CSO, CISO
• DPO, PMO
• BCM, ISM
• Audit and compliance
• IT architecture, IT development, IT operations, ...
4. Enabling a Holistic Approach (cont.)
4. Culture, ethics and behaviour: of individuals and of the organisation; very often underestimated as a success factor in governance and management activities
Exercise 6: Good practices for creating, encouraging and maintaining desired behaviour?
• Communication
• Example behaviour exercised by senior management
• Incentives to encourage desired behaviour
• Rules and norms, which provide more guidance
4. Enabling a Holistic Approach (cont.)
5. Information: is pervasive throughout any organisation, i.e., deals with all information produced and used by the enterprise. Information is required for keeping the organisation running and well governed, but at the operational level, information is very often the key product of the enterprise itself.
Exercise 7
Do you think that there is an information cycle?
How do you organise the following concepts in the information cycle?
BUSINESS PROCESSES, DATA, INFORMATION, KNOWLEDGE, VALUE
4. Enabling a Holistic Approach (cont.)
Principle 4. Enabling a Holistic Approach: inputs and outputs of enablers
[Figure: INPUTS -> Process -> OUTPUTS = INPUTS -> Process -> OUTPUTS; the outputs of one enabler become the inputs of the next]
COBIT 5: Enabling Processes
Management: 4 domains, 32 processes
• APO - Align, Plan and Organise: 13 processes
• BAI - Build, Acquire and Implement: 10 processes
• DSS - Deliver, Service and Support: 6 processes
• MEA - Monitor, Evaluate and Assess: 3 processes
COBIT 5 Implementation (cont.)
Exercise 9 - On which factors does your company's implementation strategy depend?
• Ethics and culture
• Applicable laws, regulations and policies
• Mission, vision and values
• Governance policies and practices
• Industry practices
• Business plan and strategic intentions
• Operating model and level of maturity
• Management style
• Risk appetite
• Capabilities and available resources