Using COBIT PO9 to perform Project Risk Analysis
IT Governance with COBIT and Risk Management
   by Michael Curry
Outline
•   Review: need for IT Controls & COBIT
•   The COBIT Framework
•   How COBIT is Used
•   Making a Case for BIS Acquisition
•   Calculating ROI (CBRA)
    – Cost
    – Benefit
    – Risk
    – Analysis and Recommendations
Review: The Need for IT Controls
• Organizations heavily depend on IT systems
   – They are complex and difficult to manage
   – Increasing disconnects between business goals and IT
     (Cost, reliability, security, accuracy, availability,
     performance, complexity, etc.)

• Controls are needed to better connect IT with business
  goals and objectives

• COBIT is one such framework that is unique because:
   – It is suggestive, not prescriptive
   – Takes into account different points of view (Management,
     IT teams and Auditors)
Digging Deeper: How COBIT works
• Business goals
  should be closely
  linked to IT goals
• This link is complex
  involving:
   –   Applications
   –   Information
   –   Infrastructure
   –   People
   –   And IT Process
Digging Deeper: How COBIT works
 COBIT separates business and IT processes down into 4 distinct areas
 and assigns responsibility for those processes:
   – Business: Defines requirements & uses IT services
   – IT: Implements the requirements AND provides control indicators
     of service quality
How to Approach an Issue Using COBIT
1.   Start by looking over the 34 Processes to see if one seems like a
     logical fit for the issue

2.   Review Description and Control Objectives to validate this is the
     right Process for the issue

3.   Consult the inputs/outputs to see what other processes are
     related to this issue

4.   Review the RACI chart to begin organizing team members around
     resolution activities

5.   Consult the Goals & Objectives and Maturity Model to identify
     current capability and steps needed to reach desired level
• PO9.3 Event Identification
   – Identify threats with potential negative impact on the
     enterprise, including
     business, regulatory, legal, technology, trading partner, human
     resources and operational aspects
• PO9.4 Risk Assessment
   – Assess the likelihood and impact of risks, using qualitative and
     quantitative methods
• PO9.5 Risk Response
   – Develop a response designed to mitigate exposure to each risk
   – Identify risk strategies such as avoidance, reduction, acceptance
   – Determine associated responsibilities and consider risk
     tolerance levels
• Control Objectives for PO9
  – PO9.1 IT Risk Management Framework
  – PO9.2 Establishment of Risk Context
  – PO9.3 Event Identification
  – PO9.4 Risk Assessment
  – PO9.5 Risk Response
  – PO9.6 Maintenance and Monitoring of a Risk
    Action Plan
• Which objectives should we be focused on?
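The PO9.3 to PO9.5 steps above (identify events by source, rate likelihood and impact both qualitatively and quantitatively, then pick a response against tolerance levels) can be carried through as a small risk register. The code below is an added example and is not part of the slides or of ISACA's COBIT material; the 1 to 5 rating scales, the annualized loss expectancy (SLE x ARO) as the quantitative method, the response thresholds in choose_response and the five sample risks are all this example's own assumptions.

```python
from dataclasses import dataclass
from enum import Enum


class Source(Enum):
    """Event categories named under PO9.3 on the slides."""
    BUSINESS = "business"
    REGULATORY = "regulatory"
    LEGAL = "legal"
    TECHNOLOGY = "technology"
    TRADING_PARTNER = "trading partner"
    HUMAN_RESOURCES = "human resources"
    OPERATIONAL = "operational"


class Response(Enum):
    """Risk strategies named under PO9.5."""
    AVOIDANCE = "avoidance"
    REDUCTION = "reduction"
    ACCEPTANCE = "acceptance"


@dataclass(frozen=True)
class Risk:
    ident: str
    description: str
    source: Source
    likelihood: int   # qualitative, 1 (rare) .. 5 (almost certain); scale is assumed
    impact: int       # qualitative, 1 (negligible) .. 5 (severe); scale is assumed
    sle: float        # single loss expectancy, currency units (quantitative input)
    aro: float        # annualized rate of occurrence (quantitative input)
    owner: str        # accountable party, the "associated responsibility" of PO9.5

    def __post_init__(self):
        # Reject ratings outside the scale so a bad row cannot silently skew the register.
        for name in ("likelihood", "impact"):
            if getattr(self, name) not in range(1, 6):
                raise ValueError(f"{name} must be an integer from 1 to 5")
        if self.sle < 0 or self.aro < 0:
            raise ValueError("sle and aro must be non-negative")

    def score(self) -> int:
        """Qualitative rating: likelihood x impact on a 1..25 scale."""
        return self.likelihood * self.impact

    def ale(self) -> float:
        """Quantitative rating: annualized loss expectancy = SLE x ARO."""
        return self.sle * self.aro


def choose_response(risk: Risk, score_tolerance: int = 6,
                    ale_tolerance: float = 10_000.0) -> Response:
    """Map a risk to a PO9.5 strategy using both ratings against tolerance levels.

    Assumed policy (not from the slides): a near-maximal qualitative score is avoided
    outright; anything over either tolerance is reduced; the rest is accepted.
    Checking ALE as well as score means a rare but very costly event is not accepted
    just because its qualitative score is low.
    """
    if risk.score() >= 20:
        return Response.AVOIDANCE
    if risk.score() > score_tolerance or risk.ale() > ale_tolerance:
        return Response.REDUCTION
    return Response.ACCEPTANCE


def build_register(risks, **tolerances):
    """Return register rows ordered by ALE (then score), highest exposure first."""
    rows = []
    for r in risks:
        rows.append({
            "id": r.ident, "source": r.source.value, "score": r.score(),
            "ale": r.ale(), "response": choose_response(r, **tolerances).value,
            "owner": r.owner,
        })
    rows.sort(key=lambda row: (-row["ale"], -row["score"]))
    return rows


# Constructed sample risks, one per slide example plus a few more sources.
SAMPLE_RISKS = [
    Risk("R1", "Pricing bug miscalculates invoices", Source.TECHNOLOGY, 3, 4, 50_000, 0.5, "Head of Development"),
    Risk("R2", "Fire destroys the primary IT system", Source.OPERATIONAL, 1, 5, 800_000, 0.0625, "Facilities Manager"),
    Risk("R3", "Staff misconfigure a production server", Source.HUMAN_RESOURCES, 4, 2, 5_000, 3.0, "IT Operations Lead"),
    Risk("R4", "Regulatory report filed late", Source.REGULATORY, 2, 3, 20_000, 0.25, "Compliance Officer"),
    Risk("R5", "Unvetted trading-partner integration", Source.TRADING_PARTNER, 4, 5, 300_000, 0.25, "CIO"),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_RISKS):
        print(f"{row['id']}  score={row['score']:>2}  ale={row['ale']:>9,.0f}  "
              f"{row['response']:<10}  owner={row['owner']}")
```

Running the block prints the register with R5 (score 20) marked for avoidance, the fire (score only 5, but ALE above tolerance) marked for reduction, and the late report accepted; feeding the accepted rows into a maintenance and monitoring plan would be the PO9.6 step the slides list next.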
Risk Management: Why Bother?
• Protect the company’s reputation
• Meet increasing expectations by
  customers, legislators, regulators, investors, etc.
• Manage real crisis situations to best outcome
• Create a culture that anticipates and resolves
  risks before they happen
• A responsible measure for business to take
           “fail to plan is a plan to fail”
Sources of Risk
• Processes: events related to business operations
• People: events caused by employee errors or
  misdeeds
• Systems: disruption due to technology failure
• External events: outside factors threatening
  operations
• -OR- a combination of one or more of the above!

    A programming error causes a miscalculation in prices:
      Systems (program) → Processes (pricing)
    A fire occurs, destroying the IT system and causing
      disruption to the business:
      External event (fire) → Systems (unavailable) → Processes (disrupted)
COBIT Maturity
• Maturity is a measure of management practices
• Primarily depends on IT controls and the
  underlying business needs they support
• Each process is rated on a scale of 0 to 5
     0—Management processes are not applied at all
     1—Processes are ad hoc and disorganized
     2—Processes follow a regular pattern
     3—Processes are documented and communicated
     4—Processes are monitored and measured
     5—Good practices are followed and automated
• Not all processes need the same maturity goals
  across the entire IT environment (a poor use of
  resources)
Take Away
• Understand how COBIT’s 34 processes help
  unify business goals with IT goals and why
  that is a desirable result
• Given a Business and IT issue use COBIT to
  identify steps to resolve the issue
• Complete a risk assessment as recommended
  by PO9 (risks, KRI & mitigation)
• Understand how the Maturity Model is used
  to measure management and IT capabilities
