COBIT 4.0
1. CobiT Update NSAA IT Conference Richmond, VA John W. Beveridge September 27, 2007
38. Control (as defined by COBIT): the policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected. Control serves two purposes: to achieve business objectives, and to avoid risks, threats and exposures. Source: COBIT Control Objectives, p. 12.
39. CobiT promotes a healthy understanding of "reasonable assurance" and "residual risk". Knowing the acceptable levels of reasonable assurance and residual risk is a critical success factor for designing and managing an adequate framework of control.
43. COBIT Cube. The COBIT framework describes how IT processes deliver the information that the business needs to achieve its objectives. To control this delivery, COBIT provides three key components, each forming a dimension of the COBIT cube: Business Requirements (Information Criteria), IT Resources and IT Processes.
46. COBIT is a valuable IT governance tool that helps in understanding and managing the risks and benefits associated with information integrity, security and availability, and in managing the related technology.
52. COBIT and Related Products
• COBIT 4.1: COBIT is an IT governance framework and supporting tool set that allows managers to bridge the gap between control requirements, technical issues and business risks.
• IT Assurance Guide: provides guidance on how COBIT can be used to support a variety of assurance activities, together with suggested testing steps for all the IT processes and control objectives.
• Control Practices: provide guidance on why the control objectives are worth implementing and how to implement them.
• IT Governance Implementation Guide: provides a generic road map for implementing IT governance using the COBIT and Val IT resources.
• Information Security Governance: helps overcome barriers by explaining information security in business terms. It comes complete with tools and techniques to help managers uncover security-related problems.
• Board Briefing on IT Governance: helps executives understand why IT governance is important, what its issues are and what their responsibility is for managing it.
53. COBIT and Related Products (continued)
• COBIT Mapping Series: an overview and various mappings of COBIT to other international guidance, such as CMM and ISO 17799, published by ITGI.
• Aligning COBIT, ITIL and ISO 17799: explains to business users and senior management the value of IT best practices and how harmonization, implementation and integration of best practices (COBIT, ITIL and ISO/IEC 17799) may be made easier.
• IT Control Objectives for Sarbanes-Oxley: provides guidance on how to ensure compliance for the IT environment based on the COBIT control objectives related to financial reporting.
• COBIT Quickstart: a summarized version of the COBIT resources, focusing on the most crucial IT processes, control objectives and metrics, all presented in an easy-to-follow format to help users gain the benefits of COBIT quickly.
• Val IT: provides guidance for managing an organization's portfolio of IT-enabled business investments and for maximizing the quality of business cases for IT-enabled business investments.
• COBIT Security Baseline (available 3rd quarter 2007): focuses on IT security risk in a way that is simple to follow and implement for everyone, from the home user or small- to medium-sized enterprise to executives and board members of larger organizations.
59. Concise Control Objectives: CobiT 4.0 compared with CobiT 4.1
PO5.1 Financial Management Framework
• CobiT 4.0: Establish a financial framework for IT that drives budgeting and cost/benefit analysis, based on investment, service and asset portfolios. Maintain the portfolios of IT-enabled investment programmes, IT services and IT assets, which form the basis for the current IT budget. Provide input to business cases for new investments, taking into account current IT asset and service portfolios. New investments and maintenance to service and asset portfolios will influence the future IT budget. Communicate the cost and benefit aspects of these portfolios to the budget prioritization, cost management and benefit management processes.
• CobiT 4.1: Establish and maintain a financial framework to manage the investment and cost of IT assets and services through portfolios of IT-enabled investments, business cases and IT budgets.
PO1.2 Business-IT Alignment
• CobiT 4.0: Educate executives on current technology capabilities and future directions, the opportunities that IT provides, and what the business has to do to capitalize on those opportunities. Make sure the business direction to which IT is aligned is understood. The business and IT strategies should be integrated, clearly linking enterprise goals and IT goals and recognizing opportunities as well as current capability limitations, and broadly communicated. Identify where the business (strategy) is critically dependent on IT and mediate between imperatives of the business and the technology, so agreed priorities can be established.
• CobiT 4.1: Establish processes of bi-directional education and reciprocal involvement in strategic planning to achieve business and IT alignment and integration. Mediate between business and IT imperatives so priorities can be mutually agreed.
69. COBIT Domains: Information Processes (3rd Component). The four domains are Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate, with feedback flowing between them.
85. The WATERFALL Navigation Aid: High-Level Control Objectives for Each Process. Read as a chain: the control of IT Processes, which satisfy Business Requirements, is focused on a High-Level Control Objective, which is achieved by Control Statements and Control Practices, and is measured by user satisfaction.
120. COBIT Content Diagram: CobiT and Val IT frameworks; Control Objectives; Key Management Practices; IT Governance Implementation Guide, 2nd Edition; CobiT Control Practices, 2nd Edition; IT Assurance Guide.
Editor's Notes
This summarises the different types of audience.
Explain that there are many management challenges relating to the use of IT. The slide identifies some examples (the same as in the COBIT® Foundation Course). To manage this range of issues, a sound management approach is needed. The goals include agreed and aligned objectives for IT, effective controls, and effective tracking of performance. These are the main drivers for IT governance.
This slide summarises the main attributes of the COBIT framework.
• Strategic alignment focuses on ensuring the linkage of business and IT plans; on defining, maintaining and validating the IT value proposition; and on aligning IT operations with enterprise operations.
• Value delivery is about executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimising costs and proving the intrinsic value of IT.
• Resource management is about the optimal investment in, and the proper management of, critical IT resources: applications, information, infrastructure and people. Key issues relate to the optimisation of knowledge and infrastructure.
• Risk management requires risk awareness by senior corporate officers, a clear understanding of the enterprise's appetite for risk, understanding of compliance requirements, transparency about the significant risks to the enterprise, and embedding of risk management responsibilities into the organisation.
• Performance measurement tracks and monitors strategy implementation, project completion, resource usage, process performance and service delivery, using, for example, balanced scorecards that translate strategy into action to achieve goals measurable beyond conventional accounting.
It is normal for COBIT to be used in conjunction with other good practices, standards and in-house developed guidance. COBIT can act like an umbrella, providing the framework for everything else.
CobiT focuses on 5 key areas which, as we will see during this course, are the main elements of IT Governance as well as the issues all commentators and analysts agree are key to IT success. Read through each bullet to reinforce each one, saying these will become clearer as we progress through the two days.
Control Practices go to the next level down and are a guide for implementation, explaining how to address each objective and providing practical considerations. But they are not specific solutions and are therefore generic. Note that, during 2003, not all of these are available as they are under development.
This diagram, which is taken from the Management Guidelines book, describes one of the basic principles of IT Governance. Objectives have to be clear and well understood. Management should direct activities to meet these objectives and regularly measure and compare results to detect variances that can then be corrected. The diagram shows how the various elements of CobiT support these stages. The working of a central heating thermostat serves as an example.