2. Outline
• Review: need for IT Controls & COBIT
• The COBIT Framework
• How COBIT is Used
• Making a Case for BIS Acquisition
• Calculating ROI (CBRA)
– Cost
– Benefit
– Risk
– Analysis and Recommendations
3. Review: The Need for IT Controls
• Organizations heavily depend on IT systems
– They are complex and difficult to manage
– Increasing disconnects between business goals and IT (cost, reliability, security, accuracy, availability, performance, complexity, etc.)
• Controls are needed to better connect IT with business goals and objectives
• COBIT is one such framework that is unique because:
– It is suggestive, not prescriptive
– It takes into account different points of view (management, IT teams and auditors)
4. Digging Deeper: How COBIT works
• Business goals should be closely linked to IT goals
• This link is complex, involving:
– Applications
– Information
– Infrastructure
– People
– And IT processes
5. Digging Deeper: How COBIT works
COBIT groups the 34 IT processes into 4 distinct domains (Plan and Organise, Acquire and Implement, Deliver and Support, Monitor and Evaluate) and assigns responsibility for those processes:
• Business: defines the requirements and uses the IT services
• IT: implements the requirements AND provides control indicators of service quality
6. How to Approach an Issue Using COBIT
1. Start by looking over the 34 Processes to see if one seems like a logical fit for the issue
2. Review the Description and Control Objectives to validate this is the right Process for the issue
3. Consult the inputs/outputs to see what other processes are related to this issue
4. Review the RACI chart to begin organizing team members around resolution activities
5. Consult the Goals & Objectives and Maturity Model to identify current capability and the steps needed to reach the desired level
7. PO9 (Assess and Manage IT Risks): key control objectives
• PO9.3 Event Identification
– Identify threats with potential negative impact on the enterprise, including business, regulatory, legal, technology, trading partner, human resources and operational aspects
• PO9.4 Risk Assessment
– Assess the likelihood and impact of risks, using qualitative and quantitative methods
• PO9.5 Risk Response
– Develop a response designed to mitigate exposure to each risk
– Identify risk strategies such as avoidance, reduction and acceptance
– Determine associated responsibilities and consider risk tolerance levels
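The three PO9 objectives above (identify the event, assess it qualitatively and quantitatively, choose a response against a tolerance level) are easiest to see carried through on a small risk register. The block below is an added illustration and is not code from the slides or from ISACA: the register entries, the 5x5 likelihood/impact bands, the tolerance thresholds and the avoid/accept/reduce decision rule are all constructed assumptions for the example. It scores each risk two ways, a qualitative likelihood x impact score and a quantitative annualised loss expectancy (SLE x ARO), picks a response from the strategies named on the slide, and prices a candidate control so the result can feed the cost/benefit/risk analysis listed in the outline.

```python
from dataclasses import dataclass
from enum import Enum


class Response(Enum):
    # The three strategies named in PO9.5 on the slide.
    AVOID = "avoidance"
    REDUCE = "reduction"
    ACCEPT = "acceptance"


@dataclass(frozen=True)
class Risk:
    rid: str
    event: str        # PO9.3: the identified threat event
    source: str       # process / people / systems / external
    likelihood: int   # qualitative, 1 (rare) .. 5 (almost certain)
    impact: int       # qualitative, 1 (negligible) .. 5 (severe)
    sle: float        # quantitative: single loss expectancy (currency units)
    aro: float        # quantitative: annualised rate of occurrence (events/year)
    owner: str        # the 'R' (responsible) from the RACI chart

    def __post_init__(self):
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError(f"{self.rid}: likelihood and impact must be 1..5")
        if self.sle < 0 or self.aro < 0:
            raise ValueError(f"{self.rid}: SLE and ARO must be non-negative")

    @property
    def score(self) -> int:
        """Qualitative score on a 5x5 likelihood x impact matrix (1..25)."""
        return self.likelihood * self.impact

    @property
    def ale(self) -> float:
        """Quantitative annualised loss expectancy = SLE x ARO."""
        return self.sle * self.aro


def band(score: int) -> str:
    """Assumed banding of the 5x5 matrix: 15+ high, 8..14 medium, else low."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def choose_response(risk: Risk, tolerance_ale: float, tolerance_score: int = 7) -> Response:
    """PO9.5: pick a strategy against the risk tolerance levels (assumed rule).
    Avoid when the event is both severe and likely; accept only when BOTH the
    qualitative score and the ALE sit inside tolerance; otherwise reduce."""
    if risk.impact == 5 and risk.likelihood >= 4:
        return Response.AVOID
    if risk.score <= tolerance_score and risk.ale <= tolerance_ale:
        return Response.ACCEPT
    return Response.REDUCE


def control_value(risk: Risk, annual_cost: float, residual_aro: float) -> float:
    """Annual net benefit of a reducing control: ALE saved minus its cost.
    Positive means the control pays for itself; negative means accept or
    find a cheaper control."""
    residual_ale = risk.sle * residual_aro
    return (risk.ale - residual_ale) - annual_cost


def rank(register):
    """Highest qualitative score first, ALE as the tie-breaker."""
    return sorted(register, key=lambda r: (r.score, r.ale), reverse=True)


def assess(register, tolerance_ale: float = 20_000):
    """One row per risk: id, qualitative band, ALE, chosen response."""
    return [(r.rid, band(r.score), round(r.ale, 2), choose_response(r, tolerance_ale).value)
            for r in rank(register)]


# Constructed sample register; the events, figures and owners are invented.
REGISTER = [
    Risk("R1", "Pricing defect in billing release", "systems", 3, 4, 120_000, 0.5, "Head of Engineering"),
    Risk("R2", "Data-centre fire", "external", 1, 5, 2_000_000, 0.02, "Facilities"),
    Risk("R3", "Laptop lost with unencrypted data", "people", 4, 3, 40_000, 2.0, "CISO"),
    Risk("R4", "Stale vendor contact list", "process", 2, 1, 500, 1.0, "Procurement"),
    Risk("R5", "Unpatched payment server exposed to the Internet", "systems", 4, 5, 500_000, 1.0, "CISO"),
]

if __name__ == "__main__":
    for row in assess(REGISTER):
        print(row)
    # Price a full-disk-encryption control for R3 and a suppression system for R2.
    print("R3 encryption net benefit:", control_value(REGISTER[2], 15_000, 0.2))
    print("R2 suppression net benefit:", control_value(REGISTER[1], 50_000, 0.01))
```

Note what the two scoring methods do together: R2 (the fire) is qualitatively "low" because it is rare, but its ALE exceeds the assumed tolerance, so it still gets a reduction response rather than being accepted on the matrix alone. The priced suppression control then comes out negative, which is the kind of result that sends the team back to PO9.5 to pick a cheaper treatment or to revisit the tolerance level with management.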
8. • Control Objectives for PO9
– PO9.1 IT Risk Management Framework
– PO9.2 Establishment of Risk Context
– PO9.3 Event Identification
– PO9.4 Risk Assessment
– PO9.5 Risk Response
– PO9.6 Maintenance and Monitoring of a Risk Action Plan
• Which objectives should we be focused on?
9. Risk Management: Why Bother?
• Protect the company’s reputation
• Meet the increasing expectations of customers, legislators, regulators, investors, etc.
• Manage real crisis situations to the best outcome
• Create a culture that anticipates and resolves risks before they happen
• A responsible measure for a business to take: “fail to plan is a plan to fail”
10. Sources of Risk
• Processes: events related to business operations
• People: events caused by employee errors or misdeeds
• Systems: disruption due to technology failure
• External events: outside factors threatening operations
• -OR- a combination of two or more of the above!
Example 1: A programming error causes a miscalculation in prices: Systems (program) → Processes (pricing)
Example 2: A fire occurs, destroying the IT system and causing disruption to the business: External event (fire) → Systems (unavailable) → Processes (disrupted)
11. COBIT Maturity
• Maturity is a measure of management practices
• It primarily depends on the IT controls and the underlying business needs they support
• Each process is rated on a scale of 0 to 5:
0—Management processes are not applied at all
1—Processes are ad hoc and disorganized
2—Processes follow a regular pattern
3—Processes are documented and communicated
4—Processes are monitored and measured
5—Good practices are followed and automated
• Not all processes need the same maturity target; setting one target level across the entire IT environment is a poor use of resources
12. Take Away
• Understand how COBIT’s 34 processes help unify business goals with IT goals and why that is a desirable result
• Given a business and IT issue, use COBIT to identify steps to resolve the issue
• Complete a risk assessment as recommended by PO9 (risks, KRIs & mitigation)
• Understand how the Maturity Model is used to measure management and IT capabilities