This document provides an overview of using COBIT 4.1 for assurance assignments. It introduces COBIT, describing its evolution and key strengths in incorporating international standards. It outlines the COBIT framework, including its business requirements, IT processes, and IT resources domains. It also describes some of the specific IT processes within the Planning and Organization, Acquisition and Implementation, and Delivery and Support domains.
E-Mail Compliance Frameworks in the Real World (Chris Byrne)
The document discusses why corporate governance and compliance are important. It notes that there are over 200 international regulatory and legal compliance requirements that must be met. Compliance is required in many areas like Sarbanes-Oxley, HIPAA, privacy laws, and more. Strong IT governance is needed to support corporate governance objectives and compliance requirements as technology is so embedded in business operations. IT should support business goals and requirements, not drive them. Various frameworks for compliance and governance are discussed like COBIT, which provides principles and guidelines.
4. it governance a compass without a map v.2.6 pink elephant (aventia)
The document discusses IT governance and service management. It notes that as business needs for IT services increase in complexity and rate of change, there is a growing "risk gap" between business goals and IT capabilities. Effective IT governance is needed to close this gap and ensure IT supports business objectives. The document then covers various aspects of IT governance, including defining governance and its components, governance models and frameworks, the relationship between governance and business value, and evolving IT service delivery models.
Valuendo cyberwar and security (okt 2011) handout (Marc Vael)
This document discusses cybersecurity threats to critical infrastructure organizations. It notes that cyberattacks can come from criminals, malware, phishers, spammers, negligent or unethical employees, hackers, and nation states. The document also summarizes that cyberattacks are difficult to execute but governments have the resources to conduct them, and that cyberattacks are a real danger that many organizations are unprepared for. It concludes by outlining various cyberattack mitigation strategies organizations can implement including governance, policies, education, funding, and incident management.
The Relationship Between ITG and ITSM Lifecycles (Pradeep Bhanot)
The document discusses the relationship between IT governance and IT service management lifecycles. It notes that both areas have evolved from being operations focused to becoming more risk and value focused. A key point is that IT governance and IT service management have similar drivers of business alignment, transparency, best practices, rigor, formality, policy and compliance. The document advocates taking a holistic view and creating a unified service model to bring more transparency and value to both IT and the business.
infra Benelux allows organisations to put Cobit in practice. The presentation shows you some highlights of the infra solution and which Cobit processes are supported by it.
1. This document discusses how to achieve ISO/IEC 20000 certification for IT service management. It covers key implementation issues, the auditing process and criteria, and common problems organizations face.
2. Key implementation issues include properly defining the scope, establishing policies and objectives, implementing the required 13 service management processes, and defining roles and responsibilities. The auditing process involves initial assessments, surveillance assessments, and triennial re-assessments.
3. Common problems organizations face include an inappropriate scope definition, lack of clear roles and responsibilities, not implementing all requirements, and not establishing a service management culture. Metrics and service reporting are recommended to evaluate service capability and address issues.
Data lifecycle management and destruction involves identifying an organization's information, governing its use through policies and standards, and managing the data from creation to disposal. Information exists in both physical and electronic forms and passes through various stages of sensitivity over its lifecycle. Proper data governance requires classification, retention policies, and security controls tailored to the risk and value of the information. Effective data lifecycle management can help organizations comply with regulations and avoid the unauthorized disclosure of proprietary information.
Structured Approach To It Business System Availability And Continuity Plannin... (guest1c9378)
This document outlines a structured approach to analyzing availability and continuity requirements for IT systems. It discusses availability management and continuity management processes. The key steps include:
1) Analyzing availability requirements based on business goals and validating them.
2) Documenting the system and application architecture, including critical components and their relationships.
3) Performing gap analyses to identify risks and evaluating alternative approaches.
The overall goal is to design availability into systems to meet recovery time and point objectives, while ensuring cost effectiveness and ongoing improvement of availability reporting and management.
This document discusses how Lean IT principles can help IT organizations maximize value while minimizing costs. It describes pressures on IT from executives, compliance needs, and the need to improve customer experience. Lean IT is defined as focusing resources on high value deliverables to reduce waste and increase productivity. The document argues that CA's Enterprise IT Management solutions can uniquely enable Lean IT by helping to visualize, automate and optimize systems and processes across the IT lifecycle from infrastructure to customers. It provides examples of how CA solutions address key IT disciplines like security, project portfolio management and service management to deliver Lean IT.
Development Platform as a Service - experiences after one year of use - ... (IBM Sverige)
Presentation from IBM Smarter Business 2011. Track: Develop products and services cost-effectively.
Learn about Tieto's experiences implementing agile development and Application Lifecycle Management with IBM Rational's solutions. The presentation shows a number of different implementation examples, and a representative of a Swedish customer describes their experiences from one year of using IBM and Tieto's cloud-based development platform, DpaaS.
Speaker: Per Engman, Business Development, Tieto.
More information at www.smarterbusiness.se
The document discusses service operation and provides guidance on achieving efficiency and effectiveness in service delivery and support. It covers topics like incident management, request fulfillment, problem management, access management, and event management. The purpose of service operation is to coordinate and carry out activities required to deliver and manage services at agreed levels for users and customers.
The Road to Transformation: Ensuring your enterprise infrastructure will meet your business vision both today and tomorrow.
Blue Slate won the attendee's choice award for best case study at the Health IT Insight Summit, in Boston, 2010.
This webinar, held on May 5, 2010 on "Enterprise Mobility Strategy" by Endeavour - The Mobility Company, provides insights to enterprises on what they should do when implementing a mobility strategy.
Guerilla Marketing of Enterprise Architecture Management (Christian Kählig)
Marketing Enterprise Architecture Management is hard. This presentation deals with effective marketing building blocks to make your initiative successful. This does not mean you need a lot of money: guerrilla marketing allows you to achieve big results with only limited resources.
This presentation discusses SOA governance essentials. It defines SOA as services being shared across organizational boundaries, requiring governance to establish rules for service creation, usage, and management. It outlines the need for both run-time governance, enforced by systems to monitor service usage, and design-time governance, enforced by processes to guide service development. Finally, it addresses organizational issues in coordinating governance across multiple projects and establishing an enterprise architecture function to manage overall SOA adoption.
The document discusses HP's IT Performance Suite, which includes Executive Scorecard (XS) and Enterprise Collaboration (EC). It focuses on using metrics to measure and improve IT performance across planning, building, and operating phases. The suite provides solutions for areas like financial management, security, application lifecycle management, and more to help organizations understand, execute systematically, and continuously improve business outcomes and IT.
Adaptive software development processes epitomized by Agile methodologies are based on continual improvement – incremental changes that emerge as teams iterate and learn about the product they are developing. This appears to conflict with the world of the program office, responsible for defining the software development lifecycle (SDLC), in which a stable and repeatable development process with well-defined ownership and controls is a common objective. Using recent examples in which agile methods have been successfully introduced into large organizations with existing SDLCs, we consider the difficulties of creating a verifiable process when the process itself is continually being modified, and look at how software development can be managed and controlled without stifling the benefits of adaptive software development processes.
An information governance consultant presented on integrating TRIM records management software with SharePoint. They discussed that information governance establishes how organizations handle information over its lifecycle from creation to final disposition. They analyzed where different organizations store their information, often in many disparate locations, and that most are not fully compliant with information management standards. The presentation recommended organizations integrate their systems like TRIM and SharePoint, reduce the number of information stores, and address training and data tracking needs to improve governance.
S3Edge is a software company that provides real-time visibility systems to connect enterprise applications to physical operations. Their solutions are delivered on-device, on-premise, or on-demand using a 3-tier architecture. They demonstrated a slide tracking solution using RFID tags, readers and their RTVS platform to quickly locate and track specimen slides.
Solvency II - The Practicalities Around Programme Governance & Data (gainline)
Solvency II is the largest regulatory change to bring insurers and reinsurers under one regime. It impacts all areas of business operations. Early adopters are helping set industry standards. Each company's Solvency II solution will depend on inputs from various functions and disciplines. The presentation discusses the importance of governance, risk management, and high-quality data integration across all business lines to ensure compliance.
Enpower Process Consultants Pvt. Ltd. is an alternative to large management consulting firms that provides services to assist clients in building high performance businesses. It has expertise in areas such as IT, energy, environment, and human resources and utilizes best practices and frameworks to identify challenges, design solutions, and implement improvements for its clients.
7 Mistakes of IT Security Compliance - and Steps to Avoid Them (Sasha Nunke)
The document discusses 7 common mistakes made in IT security compliance including: decentralized policy management, failing to establish a common definition of compliance, treating compliance as a tactical issue rather than strategic, failing to test solutions before implementing them, seeing audits as a nuisance, lacking buy-in from administrators, and being unaware of hidden costs of compliance solutions. The document provides examples and effects of each mistake and recommends centralizing policy management, establishing common definitions, taking a strategic approach, thorough testing, viewing audits positively, gaining administrator support, and understanding total solution costs.
This document summarizes a presentation about how information integration can enable enterprise risk management and regulatory compliance. The presentation was given by Rajeev Rawat, President of BI Results, and Damian Trzebunia from IBM WebSphere Information Integration Solutions. They discussed how information integration can help satisfy various compliance initiatives by transforming and connecting content from disparate backend systems. They also explained how information integration improves financial reporting in compliance with regulations like Sarbanes-Oxley by maintaining controls, transparent reporting, record retention, and internal auditing.
Effectively capturing and managing requirements is critical in any IT project. Business analysts and others gathering requirements know how to capture and document processes, data and user tasks. But what about the decisions at the heart of your business? How can you effectively identify, document and model the repeatable, operational decisions crucial to success with business rules and predictive analytics? In this webinar we will share practical advice developed from real-world customer projects.
Omnitech InfoSolutions Ltd. aims to be a global leader in providing technology services for business availability and continuity. It offers infrastructure management, technology services, and enterprise solutions to help organizations increase productivity, predictability, and profitability. Omnitech has over 1000 professionals, a technology center in Mumbai, and a presence in India and countries like the US, Middle East, and Europe.
SilverStorm "Credibility and Collaboration to achieve excellence in IT Govern... (SilverStormSolutions)
"Credibility and Collaboration to achieve excellence in IT Governance"
So how are we at SilverStorm helping CIOs transform IT?
For us it's simple: transforming IT means raising the credibility of IT to gain the collaboration of others throughout the organization.
The first step: Increase "CREDIBILITY".
The second step: Increase "COLLABORATION".
Without "Credibility" there can never be "Collaboration".
We are helping our customers achieve measurable benefits by combining processes, people and technology.
The document discusses the purpose, roles, and process of the Change Management process. It aims to provide a consistent method for implementing changes that impact production environments. Key roles include the Change Request Review Board, Coordinator, and Service Provider Group. The process defines artifacts, policies, and documentation required. It also establishes a weekly review board meeting to approve all change requests.
This document provides an overview of the COBIT and ITIL frameworks for IT governance and service management. It describes the key components, terms, and alignment of each framework. COBIT focuses on IT processes and controls, while ITIL focuses on best practices for IT service management. The document discusses how the frameworks can be used together to guide IT governance and improve organizational processes and compliance.
My presentation (in EN) from itSMF Pomorze (Poland) meeting. It shows how to combine SCRUM agility in product development with Corporate Governance controls from COBIT.
Cobit from Mars ITIL from Venus - alignment (Kathryn Howard)
The document discusses how COBIT and ITIL are frameworks that approach IT governance and management from different perspectives but with the shared goal of delivering business value. It provides overviews of key aspects of each framework such as COBIT's focus on principles, goals cascade, and processes, and ITIL's emphasis on the service lifecycle and continual service improvement. The document suggests that while COBIT and ITIL have differences, comparisons can be useful and aligning the two frameworks can help organizations effectively govern and manage their IT.
MSP Best Practice | Using Strategic IT Roadmaps to Get More Contracts (David Castro)
MSP best practices. How to use strategic IT roadmaps to win more business and get larger managed services contracts. Presented by Kaseya and Ant Farm. May 2012.
This presentation is dedicated to the PCMM maturity model. The People Capability Maturity Model is about restructuring organizations around the capabilities of the people involved, and is one of the best methods in its field.
This document provides an overview of an IT project report that aligned metrics from COBIT v4.1 to processes in ITIL v3 related to event, incident and problem management. It summarizes the history and components of both ITIL and COBIT frameworks. The project methodology identified 28 specific COBIT metrics mapped to 3 ITIL processes for event, incident and problem management. The alignment of metrics provides a way to measure service quality and identify areas for improvement across relevant ITIL processes.
The document defines problem management according to ITIL. Problem management is responsible for managing the lifecycle of all problems and aims to prevent incidents, eliminate recurring incidents, and minimize the impact of incidents. It involves diagnosing the root cause of incidents, determining and implementing resolutions, and maintaining a known error database. Problem management consists of reactive and proactive processes and aims to close problems once resolved.
COBIT 4.1 explained. What is COBIT? What is Val IT? How does COBIT assist IT governance and IT auditing? What are the COBIT processes? How does COBIT use Business goals to drive IT goals and in turn IT processes? What COBIT training courses and certificates exist? Dr Geoff Harmer, an accredited COBIT trainer explains in 20 slides
Best ITIL Certification Training Program by IBM - Providing Quality Education to People. People who have enrolled with ThinkFaculty ITIL Program have successfully passed the examinations.
The document introduces the BiSL framework, which provides guidance for organizations on business information management (BIM). It discusses how BIM addresses the growing complexity of managing information and IT from a business perspective. The framework consists of best practices across strategic, tactical, and operational levels to help customers effectively govern their relationship with IT suppliers and ensure business information needs are met.
ASL BiSL Foundation (formerly ASL Foundation) has managed ASL and BiSL’s key ideas for several years, and is now developing them further. In doing so, it is seeking to bring business and IT closer together. The supply of information – perhaps by its very nature – needs to take place via an integrated chain.
Lecture 06 - CoBit - Control Objectives for Information and Related Technolog...TRANANHQUAN4
CoBit is a framework for IT governance and management. It was developed in 1996 and provides best practices for IT processes, including over 200 control objectives across 34 IT processes organized into 4 domains: Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate. The goals of CoBit are to ensure IT alignment with business objectives and deliver value while managing risks, resources, and performance.
John Beveridge is an expert in IT governance and controls. The document discusses CobiT, a framework for IT governance and control. It provides an overview of what CobiT is, its history and development, components, and how auditors and organizations can use it. CobiT aims to help organizations ensure the integrity of information systems and provide assurance through generally accepted IT control standards and objectives.
Understanding COBIT 5.0 (IT Governance) by Mr. Avinash Totade
President of Information Systems Audit and Control Association (ISACA) UAE Chapter
OpenThinking Day 2012
COBIT is a framework for IT governance and management that was first released in 1996. Its goal is to provide generally accepted IT control objectives and good practices. It addresses controls from three perspectives: IT processes, business objectives, and IT resources. The framework breaks IT processes into four domains: planning and organization, acquisition and implementation, delivery and support, and monitoring. It defines seven categories for business requirements for information: effectiveness, efficiency, confidentiality, integrity, availability, compliance, and reliability. COBIT also provides tools to help manage IT activities and focuses on five areas of IT governance: strategic alignment, value delivery, resource management, risk management, and performance measurement.
The document discusses IT governance and the COBIT framework. It provides definitions of IT governance, explains why IT governance is needed, and discusses some common IT governance frameworks. It focuses on explaining the COBIT framework, including the history and generations of COBIT, how COBIT is structured and organized, and how organizations can implement COBIT using a comprehensive, process-oriented approach.
IT governance is the set of organizational regulations and standards that provide strategic direction for IT and ensure objectives are achieved and risks managed. Governance ensures stakeholder voices are heard in quality decision making and complex IT projects are effectively implemented. Benefits include better business alignment, risk control, cost savings, service quality and delivery times. Frameworks like ITIL and COBIT provide best practices for implementation through areas like service strategy, design and continual improvement. A business case shows enhanced help desk performance and cost savings through governance.
IT governance is the set of organizational regulations and standards that provide strategic direction for IT and ensure objectives are achieved and risks managed. Governance ensures stakeholder voices are heard in quality decision making and complex IT projects are effectively implemented. Benefits include better business alignment, risk control, cost savings, service quality and delivery times. Frameworks like ITIL and COBIT provide best practices for implementation through areas like service strategy, design and continual improvement. A business case shows enhanced help desk performance and cost savings through governance.
John Bernhard will present on identity management at Airline Company. Identity management (IdM) provides a federated infrastructure to manage access for employees, contractors, business partners, and customers. It aims to consistently enforce business and security policies regardless of how users access the network. IdM gives Airline Company competitive advantages like an agile infrastructure and enables compliance with regulations like SOX and PCI. The presentation will cover what IdM is, the business rationale and benefits, and IdM service architecture concepts.
IDBI Intech - RBI Working Group ConsultingIDBI Intech
The RBI Working Group examined issues arising from IT use in banks and made recommendations in 9 areas: IT governance, information security, IS audit, IT operations, IT outsourcing, cyber frauds, business continuity planning, customer awareness programs, and legal aspects. The document discusses RBI penalties against banks for non-compliance and introduces IDBI Intech, which provides compliance consultancy services focusing on the 9 areas to help banks achieve compliance.
Business IT Management - Intro to CobiT & ITILAhmad Hafeezi
Part 1 of the whole presentation on Business IT Management. This slide touches on the CobiT Framework.
This framework is mainly used as a framework for IT Governance and as a Control Methodology on an organization's IT. But, for those who have never heard of CobiT, it can be a great reference material for understanding what aspects of IT should we know about when it comes to managing IT.
CobiT is a public and highly customizable framework. Business owners do not need to follow everything that has been spelled out in the framework. They can pick and choose the processes that are relevant to them and even customize the bits and parts to suit their needs.
How to implement interoperability. Advantages and disadvantages. Presentation held by Mr. Johan Sys, within the first session of the FORUM „INFORMATION TECHNOLOGY IN GOVERNMENT”, dedicated to interoperability, held at Chisinau, January 16th 2012.
The document discusses establishing key IT governance processes for small and medium businesses. It covers establishing a CIO view of IT governance and the need for governance. Frameworks for IT governance like COBIT, ITIL, COSO and CMMI are reviewed. The evolution of IT governance processes and how they can become more embedded is examined. Specific IT governance workflows, tools and benefits at different maturity levels are outlined. Case studies of implementing governance at large retailers are also provided.
The document discusses establishing key IT governance processes for small and medium businesses. It covers establishing a CIO view of IT governance and frameworks for IT governance like COBIT, ITIL, COSO and CMMI. It discusses how IT governance processes evolve over time through various maturity levels from initial to optimized. It provides examples of workflows for IT governance and case studies of how large retailers have established IT governance processes to improve efficiency, effectiveness and enable transformation.
1. Using COBIT 4.1 for
Assurance Assignments
Prof. dr. Wim Van Grembergen
University of Antwerp (UA)
University of Antwerp Management School (UAMS)
IT Alignment and Governance research institute (ITAG)
wim.vangrembergen@ua.ac.be
www.uams.be/itag
2. Agenda
• COBIT introduction
• COBIT framework
• COBIT elements
- High-level and detailed Control Objectives
- IT control practices
- Management Guidelines
- Maturity models
• IT assurance using COBIT
• IT assurance assignments in practice (templates)
2
5. Some key strengths
• Incorporates major international standards
• Has become the de facto standard for overall control over IT
• Starting from business requirements
• Process oriented
CobiT: best practices repository for IT Processes
- IT Management Processes
- IT Governance Processes
5
6. COBIT and other standards
Gartner Research Note
- WHAT: BS7799 (Security), CobiT (Control)
- HOW: ITIL (Activities)
6
7. Who needs an IT Control Framework?
• Board and Executive
- to ensure management follows and implements the strategic
direction for IT
• Management
- IT investment decisions
- balance risk and control investment
- benchmark existing and future IT environment
• Users
- to obtain assurance on security and control of products and
services they acquire internally or externally
• Auditors
- to substantiate opinions to management on internal controls
- to advise on what minimum controls are necessary
7
9. COBIT Framework
Business Requirements – IT Processes – IT Resources
Definitions
“In order to provide the information that the organisation needs to achieve its objectives, IT resources need to be managed by a set of naturally grouped processes.”
9
10. Business requirements
Quality Requirements:
• Quality, Effectiveness
• Delivery
• Cost Efficiency
Security Requirements:
• Confidentiality
• Integrity
• Availability
Fiduciary Requirements (COSO Report):
• Effectiveness and Efficiency of Operations
• Compliance with Laws and Regulations
• Reliability of Financial Reporting
Resulting business requirements for information: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability of Information
10
11. Business requirements
effectiveness - deals with information being relevant and pertinent to the business process as well as being delivered in a timely, correct, consistent and usable manner.
efficiency - concerns the provision of information through the optimal (most productive and economical) usage of resources.
confidentiality - concerns protection of sensitive information from unauthorized disclosure.
integrity - relates to the accuracy and completeness of information as well as to its validity in accordance with the business' set of values and expectations.
availability - relates to information being available when required by the business process, and hence also concerns the safeguarding of resources.
compliance - deals with complying with those laws, regulations and contractual arrangements to which the business process is subject; i.e., externally imposed business criteria.
reliability of information - relates to systems providing management with appropriate information for it to use in operating the entity, in providing financial reporting to users of the financial information, and in providing information to report to regulatory bodies with regard to compliance with laws and regulations.
11
12. Linking business goals - IT goals – IT processes
Business Goal: Maintain enterprise reputation and leadership
drives
IT Goal: Ensure IT services can resist and recover from attacks
drives
Process Goal: Understanding security requirements, vulnerabilities and threats
12
15. IT processes
Business Requirements – IT Processes – IT Resources
Domains: Natural grouping of processes, often matching an organisational domain of responsibility.
Processes: A series of joined activities with natural control breaks.
Activities or tasks: Actions needed to achieve a measurable result. Activities have a life-cycle whereas tasks are discrete.
15
16. COBIT IT Processes
Planning and Organisation
PO1. Define a strategic IT plan
PO2. Define the information architecture
PO3. Determine technological direction
PO4. Define the IT processes, organization and relationships
PO5. Manage the IT investment
PO6. Communicate management aims and direction
PO7. Manage IT human resources
PO8. Manage quality
PO9. Assess and manage IT risks
PO10. Manage projects
16
17. COBIT IT Processes
Acquisition and Implementation
AI1. Identify automated solutions
AI2. Acquire and maintain application software
AI3. Acquire and maintain technology infrastructure
AI4. Enable operation and use
AI5. Procure IT resources
AI6. Manage changes
AI7. Install and accredit solutions and changes
17
18. COBIT IT Processes
Delivery and Support
DS1. Define and manage service levels
DS2. Manage third-party services
DS3. Manage performance and capacity
DS4. Ensure continuous service
DS5. Ensure systems security
DS6. Identify and allocate costs
DS7. Educate and train users
DS8. Manage service desk and incidents
DS9. Manage the configuration
DS10. Manage problems
DS11. Manage data
DS12. Manage the physical environment
DS13. Manage operations
18
19. COBIT IT Processes
Monitor and Evaluate
ME1. Monitor and evaluate IT performance
ME2. Monitor and evaluate internal control
ME3. Ensure regulatory compliance
ME4. Provide IT governance
19
20. Linking business goals - IT goals – IT processes
Assignment
Business Goal: Maintain enterprise reputation and leadership
drives
IT Goal: Ensure IT services can resist and recover from attacks
drives
Process Goal: ????
20
21. Linking business goals to IT goals
(Table: Business goals mapped to IT goals)
21
22. Linking IT goals to IT processes
(Table: IT goals mapped to IT processes)
22
23. The most important IT Processes (COBIT 3.2)
Survey (figure labels: 34, 15, 7)
PO1 define a strategic IT plan
PO3 determine the technological direction
PO5 manage the IT investment
PO9 assess risks
PO10 manage projects
AI1 identify solutions
AI2 acquire and maintain applications s/w
AI5 install and accredit systems
AI6 manage changes
DS1 define service levels
DS4 ensure continuous service
DS5 ensure system security
DS10 manage problems and incidents
DS11 manage data
M1 monitor the processes
23
24. IT Resources
Business Requirements – IT Processes – IT Resources
Data: Data objects in their widest sense, i.e., external and internal, structured and non-structured, graphics, sound, etc.
Application Systems: understood to be the sum of manual and programmed procedures.
Infrastructure: covers hardware, operating systems, database management systems, networking, multimedia, facilities, etc.
People: Staff skills, awareness and productivity to plan, organise, acquire, deliver, support and monitor information systems and services.
24
25. COBIT Framework
IT Resources: Data; Application Systems; Infrastructure; People
IT Processes: Planning and organisation; Acquisition and implementation; Delivery and Support; Monitor and evaluate
Business Requirements: Effectiveness; Efficiency; Confidentiality; Integrity; Availability; Compliance; Reliability of Information
25
26. COBIT Framework (annotated)
IT Resources – the resources made available to - and built up by - IT
IT Processes – how IT is organised to respond to the requirements
Business Requirements – what the stakeholders expect from IT
IT Resources: Data; Application Systems; Infrastructure; People
IT Processes: Planning and organisation; Acquisition and implementation; Delivery and Support; Monitor and evaluate
Business Requirements: Effectiveness; Efficiency; Confidentiality; Integrity; Availability; Compliance; Reliability of Information
26
27. COBIT Framework
Business and Governance Objectives
INFORMATION Criteria
• effectiveness
• efficiency
• confidentiality
• integrity
• availability
• compliance
• reliability
IT RESOURCES
• data
• application systems
• infrastructure
• people
PLANNING AND ORGANISATION
PO1. define a strategic IT plan
PO2. define the information architecture
PO3. determine technological direction
PO4. define the IT processes, organization and relationships
PO5. manage the IT investment
PO6. communicate management aims and direction
PO7. manage IT human resources
PO8. manage quality
PO9. assess and manage risk
PO10. manage projects
ACQUISITION AND IMPLEMENTATION
AI1. identify automated solutions
AI2. acquire and maintain application software
AI3. acquire and maintain technology infrastructure
AI4. enable operation and use
AI5. procure IT resources
AI6. manage changes
AI7. install and accredit solutions and changes
DELIVERY AND SUPPORT
DS1. define and manage service levels
DS2. manage third party services
DS3. manage performance and capacity
DS4. ensure continuous service
DS5. ensure systems security
DS6. identify and allocate costs
DS7. educate and train users
DS8. manage service desk and incidents
DS9. manage the configuration
DS10. manage problems
DS11. manage data
DS12. manage the physical environment
DS13. manage operations
MONITOR AND EVALUATE
ME1. monitor and evaluate IT performance
ME2. monitor and evaluate internal control
ME3. ensure regulatory compliance
ME4. provide IT governance
27
28. The Major Elements of COBIT
High-level and detailed Control Objectives
Management Guidelines
Inputs – outputs
RACI chart
Goals and metrics
Maturity models
Assurance Guidelines – Implementation Guidelines
28
30. COBIT Control Objectives
Definition of Control: The policies, procedures, practices and organisational structures, designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected.
Definition of IT Control Objective: IT control objectives provide a complete set of high-level requirements to be considered by management for effective control of each IT process. They:
• Are statements of managerial actions to increase value or reduce risk
• Consist of policies, procedures, practices and organisational structures
• Are designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented or detected and corrected
30
31. Example: Detailed Control Objectives
for Manage Changes (AI6)
AI6.1 Change Standards and Procedures
Set up formal change management procedures to handle in a standardised manner all
requests (including maintenance and patches) for changes to applications, procedures,
processes, system and service parameters, and the underlying platforms.
AI6.2 Impact Assessment, Prioritisation and Authorisation
Ensure that all requests for change are assessed in a structured way for impacts on the
operational system and its functionality. This assessment should include categorisation and
prioritisation of changes. Prior to migration to production, changes are authorized by the
appropriate stakeholder.
AI6.3 Emergency Changes
Establish a process for defining, raising, assessing and authorising emergency changes that do
not follow the established change process. Documentation and testing should be performed,
possibly after implementation of the emergency change.
AI6.4 Change Status Tracking and Reporting
Establish a tracking and reporting system for keeping change requestors and relevant
stakeholders up to date about the status of the change to applications, procedures, processes,
system and service parameters, and the underlying platforms.
AI6.5 Change Closure and Documentation
Whenever system changes are implemented, update the associated system and user
documentation and procedures accordingly. Establish a review process to ensure complete
implementation of changes.
31
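As an added example (not part of Prof. Van Grembergen's slides or of COBIT itself), the Python script below runs the kind of assurance test an auditor would derive from AI6.2, AI6.3 and AI6.5: it reconciles a change register against a production deployment log and reports deployments that lack valid authorisation, emergency changes without post-implementation evidence, and changes whose documentation was not updated. The change register, deployment log, identifiers and dates are all constructed for the example.

```python
"""Assurance checks for COBIT 4.1 AI6 (Manage Changes).

Added example with constructed data; not the slides' or ISACA's own code.
  AI6.2  every production deployment references a change request (CR) that
         was authorised, and for standard changes authorised before deployment
  AI6.3  emergency changes that bypassed the normal process carry post-hoc
         testing and documentation evidence
  AI6.5  implemented standard changes have their documentation updated
The AI6.2 findings double as a process metric (number of unauthorised changes).
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass
class ChangeRequest:
    cr_id: str
    change_type: str             # "standard" or "emergency"
    approved_by: Optional[str]   # None when the change was never authorised
    approved_at: Optional[datetime]
    tested: bool                 # test evidence on file (may be post-hoc for emergencies)
    docs_updated: bool           # system/user documentation updated (AI6.5)


@dataclass
class Deployment:
    system: str
    deployed_at: datetime
    cr_id: Optional[str]         # None when no CR was referenced at all


@dataclass
class Finding:
    objective: str               # the COBIT detailed control objective breached
    system: str
    detail: str


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%d %H:%M")


# Constructed change register and deployment log (hypothetical records).
CHANGE_REGISTER = {
    "CR-101": ChangeRequest("CR-101", "standard", "app-owner", _ts("2024-03-01 09:00"), True, True),
    "CR-102": ChangeRequest("CR-102", "standard", None, None, True, True),
    "CR-103": ChangeRequest("CR-103", "emergency", "ops-manager", _ts("2024-03-03 22:30"), False, False),
    "CR-104": ChangeRequest("CR-104", "standard", "app-owner", _ts("2024-03-05 12:00"), True, False),
}
DEPLOYMENTS = [
    Deployment("billing", _ts("2024-03-01 14:00"), "CR-101"),  # compliant
    Deployment("billing", _ts("2024-03-02 10:00"), "CR-102"),  # CR never authorised
    Deployment("portal", _ts("2024-03-03 21:00"), "CR-103"),   # emergency, no post-hoc evidence
    Deployment("portal", _ts("2024-03-04 08:00"), None),       # no CR referenced
    Deployment("hr-db", _ts("2024-03-05 11:00"), "CR-104"),    # deployed before approval
]


def audit_changes(register, deployments):
    """Reconcile deployments against the change register; return a list of Findings."""
    findings = []
    for dep in deployments:
        cr = register.get(dep.cr_id) if dep.cr_id else None
        if cr is None:
            findings.append(Finding("AI6.2", dep.system, "deployment without a change request"))
            continue
        if cr.approved_at is None or cr.approved_by is None:
            findings.append(Finding("AI6.2", dep.system, f"{cr.cr_id} never authorised"))
        elif cr.change_type == "standard" and cr.approved_at > dep.deployed_at:
            # AI6.2: standard changes must be authorised prior to migration to production
            findings.append(Finding("AI6.2", dep.system, f"{cr.cr_id} approved after deployment"))
        if cr.change_type == "emergency":
            # AI6.3 allows testing/documentation after the fact, but it must exist
            if not (cr.tested and cr.docs_updated):
                findings.append(Finding("AI6.3", dep.system,
                                        f"{cr.cr_id} lacks post-implementation test/documentation"))
        elif not cr.docs_updated:
            findings.append(Finding("AI6.5", dep.system, f"{cr.cr_id} documentation not updated"))
    return findings


def unauthorised_change_count(findings):
    """Process metric: changes that reached production without valid authorisation."""
    return sum(1 for f in findings if f.objective == "AI6.2")


if __name__ == "__main__":
    for f in audit_changes(CHANGE_REGISTER, DEPLOYMENTS):
        print(f"{f.objective:6} {f.system:8} {f.detail}")
```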
32. Generic process controls
• Each COBIT process has generic control requirements
that are identified by generic process controls within
the Process Control (PC) domain. These are applicable
for all COBIT processes and should be considered
together with the detailed COBIT control objectives to
have a complete view of control requirements.
• PC1 Process goals and objectives
• PC2 Process ownership
• PC3 Process repeatability
• PC4 Roles and responsibilities
• PC5 Policy, plans and procedures
• PC6 Process performance improvement
32
33. Application controls
• Application controls relate to the transactions and standing data
pertaining to each automated application system and are specific to
each such application. They ensure the completeness and accuracy
of the records and the validity of the entries made in transactions
and standing data resulting from both manual and automated
processing.
• COBIT assumes the design and implementation of automated
application controls to be the responsibility of IT, covered in the
Acquire and Implement (AI) domain. The operational management
and control responsibility for application controls is not with IT, but
with the business process owner. Therefore, the COBIT IT processes
cover general IT controls but not application controls.
• AC1 Source document preparation and authorisation
• AC2 Source document collection and data entry
• AC3 Accuracy, completeness, authenticity checks
• AC4 Data processing integrity and validity
• AC5 Output review, reconciliation and error handling
• AC6 Transaction authentication and integrity
33
35. COBIT - IT Control
Practices
• For each of the control objectives, a list of specific control
practices is defined. In addition, three generic control practices
are defined, which are applicable to all control objectives. (Design
control approach, Accountability and responsibility,
Communication and understanding)
• The complete set of generic and specific control practices
provides one control approach, consisting of practices that are
necessary for achieving the control objective. They provide high-
level generic guidance, at a more detailed level under the control
objective, for assessing process maturity, considering potential
improvements and implementing the controls.
• They do not describe specific solutions, and further guidance may
need to be obtained from specific, relevant standards and best
practices, such as ITIL or PRINCE2.
35
36. COBIT - IT Control
Practices
DS8.1 Service Desk
Establish a service desk function, which is the user interface with IT, to register, communicate, dispatch
and analyse all calls, reported incidents, service requests and information demands. There should be
monitoring and escalation procedures based on agreed-upon service levels relative to the appropriate
SLA that allow classification and prioritisation of any reported issue as an incident, service request or
information request. Measure end users’ satisfaction with the quality of the service desk and IT services.
1. Establish a service desk as a single, initial point of contact for the reporting, monitoring, escalation and
resolution of customer requests and incidents. Develop business requirements for the service desk,
based on service definitions and SLAs, including hours of operation and expected response time to
a call. Ensure that service desk requirements include identifying staffing, tools and integration with
other processes, such as change management and problem management.
2. Ensure that there are clear instructions for service desk staff when a request cannot be immediately
resolved by service desk personnel. Establish time thresholds to determine when escalation should
occur based on the categorisation/prioritisation of the request or incident.
3. Implement the necessary support software and tools (e.g., incident management, knowledge
management, incident escalation systems, automated call monitoring) required for operation of the
service desk and configured in accordance with SLA requirements, to facilitate automated
prioritisation of incidents and rapid resolution.
4. Advise customers of the existence of the service desk and the standards of service they can expect.
Obtain user feedback on a regular basis to ensure customer satisfaction and confirm the
effectiveness of the service desk operation.
5. Using the service desk software, create service desk performance reports to enable performance
monitoring and continuous improvement of the service desk.
36
39. Each process has primary inputs and outputs with process linkages
PO1
Inputs:
- Mission and Goals
- Understanding of the business context, capability and capacity
- Business Strategy
- Risk Appetite
Outputs:
- Strategic Plan
- Tactical Plan
- Project Portfolio
- Service Portfolio
39
40. Inputs / outputs
• Process:
Input from: Process – what
Output to: Process – what
40
43. RACI chart providing roles and responsibilities
Functions: CEO; CFO; Business Executive; CIO; Business Sr Management; Head of Operations; Chief Architect or CTO; Head of Development; Head of IT Admin; PMO; CARS; HR, Fin, etc
PO1
43
44. Activities
RACI Chart
Functions: CEO; CFO; Business Exec; CIO; Business Sr Mngmt; Head Operations; Chief Architect; Head Development; Head IT Admin; PMO; CARS
CARS includes Risk, Security, Audit and Compliance
44
47. COBIT Management Guidelines
Goals and Metrics
Key Goal Indicators (KGIs)
• lag indicator
• is an indicator of the success of the process and
its business contribution
• describes the outcome of the process, i.e.
measurable after the fact; a measure of “what”;
may describe the impact of not reaching the
process goal
• focuses on the customer and financial dimensions
of the balanced scorecard
47
48. COBIT Management Guidelines
Goals and Metrics
Examples of Key Goal Indicators (KGIs)
- Increased level of service delivery
- Reduced time and effort required to make changes
- Availability of systems and services
- Absence of integrity and confidentiality risks
- Cost efficiency of processes and operations
- Confirmation of reliability and effectiveness
- Adherence to development cost and schedule
- Cost efficiency of the process
- Staff productivity and morale
- Number of timely changes to processes and systems
- Improved productivity (e.g., delivery of value per employee)
48
49. COBIT Management Guidelines
Goals and Metrics
Key Performance Indicators (KPIs)
• lead indicator
• are a measure of “how well” the process is
performing
• predict the probability of success or failure
• focus on the process and learning dimensions of
the balanced scorecard
• are expressed in precise measurable terms
• should help in improving the IT process
49
50. COBIT Management Guidelines
Goals and Metrics
Examples of Key Performance Indicators (KPIs)
- System downtime
- Throughput and response times
- Amount of errors and rework
- Number of staff trained in new technology
- customer service skills
- Benchmark comparisons
- Number of non-compliance reportings
- Reduction in development and processing time
50
51. KGIs/KPIs “Ensure System Security” (DS5)
Metrics for BSC of IT process owner – KPI: Security expertise; KGI: Number of incidents of unauthorised access
Metrics for BSC of IT manager – KPI: Number of incidents of unauthorised access; KGI: Number of security breaches
Metrics for BSC of business manager – KPI: Number of security breaches; KGI: Number of incidents causing public embarrassment
These metrics represent the KPIs and KGIs of the IT process owner and can be used as building blocks for a BSC at process level. They map on the current KGIs and KPIs of COBIT. The KGIs at process level are at the same time KPIs at the IT manager’s level (vertical lines).
These KGIs represent the goals of the IT manager and can be derived from the list of IT goals. Together with the KPIs (horizontal arrow) they are building blocks for the IT manager’s BSC. The KGIs at the IT manager’s level are at the same time KPIs at the business manager’s level (vertical lines).
These KGIs represent the goals of the business manager and can be derived from the list of business goals. Together with the KPIs (horizontal arrow) they are building blocks for the business manager’s BSC.
51
52. Cascade of metrics
A KGI at business level is supported by many other KPIs at IT and process level.
(Figure: KPIs and KGIs for the BSC of the IT process owner, the BSC of the IT manager and the BSC of the business manager, with the KGIs of each level feeding the KPIs of the level above.)
52
53. Cascade of metrics for “Ensure System Security” (DS5)
GOALS
Business Goal: Maintain enterprise reputation and leadership
drives
IT Goal: Ensure IT services can resist and recover from attacks
drives
Process Goal: Understanding security requirements, vulnerabilities and threats
METRICS
Process Goal – KPI: Nr and type of new security incidents; KGI: Nr of incidents because of unauthorised access
IT Goal – KPI: the process-level KGI (cascade); KGI: Nr of IT security incidents
Business Goal – KPI: the IT-level KGI (cascade); KGI: Number of incidents causing public embarrassment
53
59. Maturity Models
• refers to business requirements (KGI) and the enabling
aspects (KPI) at the different levels
• are a scale that lends itself to pragmatic comparison, where
the difference can be made measurable in an easy manner
• are recognisable as a “profile” of the enterprise in relation to
IT governance and control
• assist in determining As-Is and To-Be positions relative to IT
governance and control maturity and analyse the gap
• are not industry specific nor generally applicable, the nature
of the business will determine what is an appropriate level
59
60. Maturity Models: Goal setting and measurement
Scale: 0 Non-Existent; 1 Initial; 2 Repeatable; 3 Defined; 4 Managed; 5 Optimised
Legend for symbols used:
- Enterprise current status
- International standard guidelines
- Industry practice
- Enterprise target
Legend for rankings used:
0 - Management processes are not applied at all
1 - Processes are ad hoc and disorganised
2 - Processes follow a regular pattern
3 - Processes are documented and communicated
4 - Processes are monitored and measured
5 - Best practices are followed and automated
60
61. Maturity models
are improved starting from a new generic qualitative model
based on the following attributes:
• awareness and communication
• policies, standards and procedures
• tools and automation
• skills and expertise
• responsibility and accountability
• goal setting and measurement
61
62. Example: Maturity Model
for Manage Changes (AI6)
0 Non-existent when
There is no defined change management process and changes can be made with virtually no control. There is no awareness
that change can be disruptive for IT and business operations, and no awareness of the benefits of good change management.
1 Initial/ Ad Hoc when
It is recognised that changes should be managed and controlled. Practices vary and it is likely that unauthorised changes take
place. There is poor or non-existent documentation of change, and configuration documentation is incomplete and unreliable.
Errors are likely to occur together with interruptions to the production environment caused by poor change management.
2 Repeatable but Intuitive when
There is an informal change management process in place and most changes follow this approach; however, it is unstructured,
rudimentary and prone to error. Configuration documentation accuracy is inconsistent and only limited planning and impact
assessment takes place prior to a change.
3 Defined Process when
There is a defined formal change management process in place, including categorisation, prioritisation, emergency procedures,
change authorisation and release management, and compliance is emerging. Workarounds take place and processes are often
bypassed. Errors may still occur and unauthorised changes occasionally occur. The analysis of the impact of IT changes on
business operations is becoming formalised, to support planned rollouts of new applications and technologies.
4 Managed and Measurable when
The change management process is well developed and consistently followed for all changes, and management is confident
that there are minimal exceptions. The process is efficient and effective, but relies on considerable manual procedures and
controls to ensure that quality is achieved. All changes are subject to thorough planning and impact assessment to minimise
the likelihood of post-production problems. An approval process for changes is in place. Change management documentation is
current and correct, with changes formally tracked. Configuration documentation is generally accurate. IT change
management planning and implementation are becoming more integrated with changes in the business processes, to ensure
that training, organisational changes and business continuity issues are addressed. There is increased co-ordination between
IT change management and business process redesign. There is a consistent process for monitoring the quality and
performance of the change management process.
5 Optimised when
The change management process is regularly reviewed and updated to stay in line with good practices. The review process
reflects the outcome of monitoring. Configuration information is computer-based and provides version control. Tracking of
changes is sophisticated and includes tools to detect unauthorised and unlicensed software. IT change management is
integrated with business change management to ensure that IT is an enabler in increasing productivity and creating new
business opportunities for the organisation.
62
63. COBIT4.1
• Released May 2007
• Incremental updates, no fundamental changes
• CobiT 4.1 features
- An enhanced Executive Overview, an introduction and explanation of goals and
metrics in the framework section, and better definitions of the core concepts.
- Improved control objectives resulting from updated control practices and Val
IT development activity.
- A new definition of a control objective, shifting more towards management
practice statements.
- Grouping/rewording of some control objectives to avoid overlaps and make
the list of control objectives within a process more consistent and action-
oriented:
• AI5.4, AI5.5 and AI5.6 were combined
• AI7.9, AI7.10 and AI7.11 were combined
• Changes were also made to ME3 to include compliance with contractual requirements
in addition to legal and regulatory ones.
- Reworded application controls, to support financial controls effectiveness
assessment and reporting:
• Six Application Controls replacing the 18 in COBIT 4.0, with further detail being
provided in the COBIT Control Practices.
- An updated list of business goals and IT goals, based on new insights obtained
during validation research executed by UAMS.
- An expanded pull-out providing, among other things, a quick reference list of the
COBIT processes.
63
65. Implementation Guide - IT Assurance Guide
[Diagram of the COBIT product family, arranged by WHAT versus HOW. Labels: Framework,
Management Guidelines, Control Objectives, Maturity Models, Board Briefing, Executive, CIO,
Audit Director, Baseline for IT Governance, Control Objective, Value, Risk, Control
Practices, IT Governance Implementation Guide using CobiT, Assurance Approach, IT Assurance
Guide.]
65
66. Assurance & audit
• Assurance Guide instead of Audit Guide
- Assurance also covers evaluation activities not
governed by internal and/or external audit
standards.
66
68. Assurance planning
• IT audit universe
- 34 IT processes
- 4 IT resources
• Risk based assurance planning
- The assurance professional should use an appropriate risk
assessment technique or approach in developing the
overall plan for the effective allocation of IT assurance
resources.
- Risk assessment is a technique used to examine units in
the assurance universe and select those areas for review
that have the greatest risk exposure, by analysing:
• risk
• impact
68
69. Assurance planning
• High-level assessment can provide support
in assurance planning by identifying
processes where the maturity/control gap
between as-is and to-be is the most
significant.
• The results of such high-level assessment
can be used to prioritise the IT assurance
work. Specific benefits of such high-level
assessments are:
- Making members of IT management
aware of their accountability for
controlling IT and gaining their buy-in
- High-level checking of compliance with
established IT control requirements
- Optimising and prioritising IT
assurance resources
- Bridging to IT governance
69
70. Assurance planning
• Define the scope and objectives
- define the scope and objectives of the assurance work and perform a
preliminary assessment of internal control/maturity of the function/activities
being reviewed to provide reasonable assurance that all material items will be
adequately covered during the assurance initiative.
70
71. Assurance scoping
• Define the scope and objectives
- Business goals – IT goals – IT processes / IT resources – control
objectives – customized control objectives
71
72. Assurance execution
Derived from control practices
Originally, each IT control practice (ITCP) was translated into one testing step. Later, all individual
testing steps were grouped into three blocks:
1. Testing control design (design effectiveness)
2. Testing outcome of the objective (operational effectiveness)
3. Document impact of control weaknesses
72
73. The audit steps to be performed in
assessing the adequacy of the
design of controls.
AI6: Change Management
Testing control design
• Enquire whether and confirm that the change management process allows
business process owners and IT to request changes to infrastructure,
systems or applications.
• Enquire whether and confirm that the overall change management process
includes emergency change procedures (e.g., defining, raising, testing,
documenting, assessing and authorising emergency changes).
• Enquire whether and confirm that processes and procedures for contracted
services providers (e.g., infrastructure, application development, application
service providers, shared services) are included in the change management
process.
• Determine if the process and procedures include the contractual terms and
SLAs.
73
74. The audit steps to be performed to
ensure that the control measures
established are working as
prescribed, consistently and
continuously and to conclude on
the appropriateness of the control
environment.
AI6: Change Management
Testing CO outcome
• Inspect a selection of changes and determine if requests have been categorised.
• Inspect a selection of changes and determine if changes have been prioritised based on
predefined criteria.
• Inspect a selection of changes and determine if changes have been assessed in a
structured method (e.g., security, legal, contractual and compliance implications are
considered and business owners are involved).
• Inspect a sample of emergency changes and verify that they have been processed in
accordance with the change management framework. Verify that procedures have been
followed to authorise, document and revoke access after the change has been applied.
• Inspect a sample of emergency changes and determine if a post-implementation review
has been conducted after the changes were applied. Consider implications for further
application system maintenance, impact on development and test environments,
application software development quality, documentation and manuals, and data
integrity.
74
75. The audit steps to be performed to substantiate the risk of the control
objective not being met by using analytical techniques and/or consulting
alternative sources.
AI6: Change Management
Document impact
• Assess the time and cost of lack of formal change management
standards and procedures (e.g., improper resource allocation,
unclear roles and responsibilities, security breaches, lack of rollback
procedures, lack of documentation and audit trails, inadequate
training).
• Assess the time and cost of lack of formal impact assessment to
prioritise and authorise changes.
• Assess the time and cost of lack of formal emergency change
standards and procedures (e.g., compromised security, failure to
properly terminate additional access authorisations, unauthorised
access to corporate information).
75
82. Assurance assignment
1. Scoping
1.1 Processes
1.2 Control objectives
1.3 Control practices
2. Testing
2.1 Evaluate Design Effectiveness (testing control design)
2.2 Evaluate Operating Effectiveness (testing outcome of the control process)
3. Findings and recommendations
82
83. 1.1 Scoping: processes
• Define cascade of business goals – IT goals –
IT processes
Goal:
first list of IT processes
83
84. 1.1 Scoping: processes
• Define/refine list of IT processes based on risk
based scoping
- Risk and value drivers
Goal:
refined list of IT processes
84
85. 1.1 Scoping: processes
• Define/refine list of IT processes based on risk
based scoping
- Maturity assessment
Goal:
refined list of IT processes
85
86. 1.2 Scoping: control objectives
• Define control framework for 1 process based
on control objectives attributes
Goal:
Set of important control
objectives for one IT
process
86
87. 1.3 Scoping: control practices
• Define control design for one control objective
Goal:
Minimum and sufficient set
of control practices to
achieve a control objective
87
88. 2. Testing
• Structured approach for each of the control objectives /
control practices
[Diagram of inputs: COBIT 4 Control Practices, RACI chart, audit plans (Assurance Guide),
inputs/outputs, ….]
88
89. 2.1 Evaluate design effectiveness
• Translate control practices into assurance
steps to evaluate design effectiveness
[Diagram of inputs: COBIT 4 Control Practices, RACI chart, audit plans (Assurance guide), ….]
89
95. Findings & Recommendations
Example
FINDING (Description / Detection)
DS8.1: There is no monitoring process in place that focuses on the quality of the Service Desk and the end
users' satisfaction.
RISK (Description / Classification)
IT management is not informed on how the business perceives the Service Desk in particular and the IT
department in general. This lack of information can cause a disconnection/misalignment between business
and IT (i.e. no perception of added value by IT). It also prevents the implementation of an effective
continuous improvement process.
RECOMMENDATION (Description / Priority)
Organize regular user satisfaction surveys via the different available media (intranet, phone, direct…) and use
this information to compare the responses of the satisfied users with the dissatisfied users. This information
can also be used to enable continuous improvement.
95
Briefing by programme management - emphasis on the alignment of IT and business, so that is what the story is aimed at - the agenda is as follows
Standards and Regulations Covered:
• Technical standards from ISO, EDIFACT, etc.
• Codes of Conduct issued by Council of Europe, OECD, ISACA, etc.
• Qualification criteria for IT systems and processes: ITSEC, TCSEC, ISO 9000, SPICE, TickIT, Common Criteria, etc.
• Professional standards in internal control and auditing: COSO report, CICA, IFAC, IIA, AICPA, GAO, PCIE, ISACA standards, etc.
• Industry practices and requirements from industry forums (ESF, I4) and government-sponsored platforms (IBAG, NIST, DTI, BS7799), etc.
• Emerging industry-specific requirements such as from banking, electronic commerce, health and pharmaceutical, and IT manufacturing
CobiT's basic principles:
• generally applicable and accepted international standard of good practice for IT controls, for application to enterprise-wide information systems, regardless of technology
• starting from business requirements for information management; business process owner oriented
• based on ISACA's Control Objectives, aligned with de jure and de facto standards and regulations
• based on critical review of tasks and activities, or process focus
• includes existing standards and regulations: ISO, EDIFACT, and others; Codes of Conduct issued by Council of Europe; professional standards in auditing: COSO, IFAC, IIA, ISACA, AICPA etc.
• first published in April 1996, 2nd edition issued in 1998, 3rd edition in July 2000
• has become the de facto standard for control over IT
• fundamental in achieving IT Governance
Mention the research project and mapping peter de bruyne
Mention that it enables all the audiences to use the same language.
This slide shows the basic idea of COBIT; if we understand this picture, we have captured the basic premise of COBIT. It shows that there are three entry points in COBIT, which at the same time emphasise the focus of the framework: process orientation, business orientation and IT resources.
To satisfy business objectives, information needs to conform to certain criteria which COBIT refers to as “business requirements for information.” In establishing the list of requirements, COBIT combines the principles embedded in existing and known reference models: QUALITY requirements include quality, cost, and delivery. This is no different than the historical “better, cheaper, and faster” approach. FIDUCIARY requirements recently have been outlined by the Committee of Sponsoring Organisations (Treadway Commission) indicating that management must attest to its Organisation’s Effectiveness and Efficiency of Operations, Reliability of Financial Reporting (not Financial Reports ), and Compliance with Laws and Regulations. SECURITY requirements require Confidentiality, Integrity and Availability of all information.
As mentioned before, the information criteria establish the link between the business and IT. They are developed in a way that makes them very generic, so they can be applied in any organisation. On the one hand, this high level of abstraction is the strength of COBIT, as it can in this way go hand in hand with other standards and can be applied in any organisation. On the other hand, it makes it more difficult to use. The danger exists that it remains on a very high level of abstraction, not being applicable in a concrete situation. Nevertheless, the information criteria contain a lot of very valuable information. Recently, we were assigned a research project which should help improve the insight into the link between the business goals and COBIT processes. Basically, we did interviews in eight different interviews…. This is a bit easier to understand, but of course a bit oversimplified. In reality, the relationship is much more complex, for example Revenue growth->satisfied cust->reliability IT systems->disaster recovery->…
Present the 13 high level objectives contained in the Delivery and Support Domain.
You can of course use other ways to categorise IT resources; this is just the way COBIT has chosen to do it. What is important is that not only technology is covered, but also people.
Now we know all the elements of the framework. COBIT developed a whole list of products/books around this framework, more specifically around the 34 grouped processes. The products provide guidance to better control and manage IT. The most important products are: