Governance and Management of Enterprise IT with COBIT 5 Framework
1. Governance and Management of Enterprise IT with COBIT 5 Framework
March 2013
Goutama Bachtiar
W: www.linkedin.com/in/goutama
T: @goudotmobi
2. Profile of Training Lead
Advisor at six companies.
ISACA International Chapter Subject Matter Expert.
ISACA International Chapter Journal Reviewer.
ISACA International Chapter Certification Exam and QAE Developer.
Reviewer Panel at two international journals.
Has audited and consulted 32 companies.
Has written 300+ manuscripts, articles and pieces in the IT space.
65+ international certifications on technology and management under his belt.
3. Importance of Information
Information is a key resource for all enterprises.
Information is created, used, retained, disclosed and destroyed.
Technology plays a key role in these actions.
Technology is becoming pervasive in all aspects of business and personal life.
What benefits do information and technology bring to enterprises?
4. Why Does IT Need a Control Framework?
Any of these conditions sound familiar?
Increasing pressure to leverage technology in business strategies
Growing complexity of IT environments
Fragmented IT infrastructures
Communication gap between business and IT managers
IT service levels that are disappointing from internal IT functions and from increasingly outsourced IT providers
IT costs perceived to be out of control
Marginal ROI/productivity gains on technology investments
Impaired organizational flexibility and nimbleness to change
User frustration leading to ad-hoc solutions
5. Why Does IT Need a Control Framework? (cont’d)
Increasing dependence on information and systems delivering this information
Increasing vulnerabilities and a wide spectrum of threats
Scale and cost of current and future investments in information and information systems
Need for complying with regulations
Potential for technologies to dramatically change organizations and business practices, create new opportunities and reduce costs
Recognition by many organizations of potential benefits technology can yield
Successful organizations understand and manage risks associated with implementing new technologies
6. Why Does IT Need a Control Framework? (cont’d)
To ensure that
IT provides value
Cost, time and functionality are as expected
IT does not provide surprises
Risks are mitigated
IT pushes the envelope
New opportunities and innovations for process, product and services
Management needs to get IT under control.
7. Who Needs a Control Framework?
Board and Executive
• To ensure management follows and implements the strategic direction for IT
Management
• To make IT investment decisions
• To balance risk and control investment
• To benchmark existing and future IT environment
8. Who Needs a Control Framework? (cont’d)
Users
• To obtain assurance on security and control of products and services they acquire internally or externally
Auditors
• To substantiate opinions to management on internal controls
• To advise on what minimum controls are necessary
9. Why and How Is COBIT Used?
Increase acceptance and reduce time to implement IT governance
A guide for formal audits and reviews
Use results of audits to plan improvements
Achieving primary goals for IT governance: transform organizational practices and pursue improved processes
A credible source for management's decision on controls
Impresses and helps IT operations managers with its ability to assist in understanding what auditors want
For business to communicate requirements and concerns
Reference to ensure identification of all major risk areas
Improves communications and relations with IT management
10. Why and How Is COBIT Used? (cont’d)
To improve audit approach/programmes
To support audit work with detailed audit guidelines
To provide guidance for IT governance
As a valuable benchmark for IS/IT control
To improve IS/IT controls
To standardise audit approach/programmes
11. Enterprise Benefits
Enterprises and their executives strive to:
Maintain quality information to support business decisions.
Generate business value from IT-enabled investments, i.e., achieve strategic goals and realise business benefits through effective and innovative use of IT.
Achieve operational excellence through reliable and efficient application of technology.
Maintain IT-related risk at an acceptable level.
Optimise the cost of IT services and technology.
How can these benefits be realized to create enterprise stakeholder value?
12. Stakeholder Value
Delivering enterprise stakeholder value requires good governance and management of information and technology (IT) assets.
Enterprise boards, executives and management have to embrace IT like any other significant part of the business.
External legal, regulatory and contractual compliance requirements related to enterprise use of information and technology are increasing, threatening value if breached.
13.
COBIT 5 provides a comprehensive framework that assists enterprises to achieve their goals and deliver value through effective governance and management of
14. COBIT: Value and Limitations
► Has internationally accepted good practices
► Is management-oriented and supported by tools and training
► Is freely downloadable and continually evolves
► Allows the knowledge of expert volunteers to be shared and leveraged
► Is maintained by a reputable not-for-profit organization
► Fully maps to COSO and all major, related standards
► Is a reference, not an ‘off-the-shelf’ cure
Enterprises still need to analyze control requirements and customize COBIT based on:
► Value drivers
► Risk profile
► IT infrastructure, organization and project portfolio
15. COBIT Components
An organization depends on reliable and timely data and information. COBIT components provide a comprehensive framework for delivering value while managing risk and control over data and information.
(Diagram: Business Strategy, IT Processes, IT Resources, Information Criteria)
16. COBIT Advantages
► Aligned with other standards and good practices and should be used together with them.
► COBIT’s framework and supporting best practices provide a well-managed and flexible IT environment in an organization.
► Provides a control environment that is responsive to business needs and serves management and audit functions in terms of their control responsibilities.
► Provides tools to manage IT activities.
17. COBIT and IT Governance
► Focuses on improving IT governance in organizations.
► Provides a framework to manage and control IT activities and supports five requirements for a control framework.
(Diagram: Control Framework: provides sharper business focus; ensures process orientation; defines a common language; has general acceptability amongst organisations; helps meet regulatory requirements)
18. COBIT and IT Governance (cont’d)
Business Focus
► Achieves sharper business focus by aligning IT with business objectives.
► Measurement of IT performance focuses on IT’s contribution to enabling and extending the business strategy.
► Ensures the primary focus is value delivery and not technical excellence as an end in itself.
19. COBIT and IT Governance (cont’d)
Process Orientation
► When organizations implement COBIT, their focus is more process-oriented.
► Incidents and problems no longer divert attention from processes.
► Exceptions can be clearly defined as part of standard processes.
► With process ownership defined, assigned and accepted, the organization is better able to maintain control through periods of rapid change or organizational crisis.
20. COBIT and IT Governance (cont’d)
General Acceptability
► A proven and globally accepted standard for increasing contribution of IT to organizational success.
► It continues to improve and develop to keep pace with good practices.
► IT professionals from all over the world contribute their ideas and time to regular review meetings.
21. COBIT and IT Governance (cont’d)
Regulatory Requirements
► Recent corporate scandals have increased regulatory pressures on boards of directors to report their status and ensure that internal controls are appropriate.
► Organizations constantly need to improve IT performance and demonstrate adequate controls over their IT activities.
► De facto response to regulatory IT requirements.
22. COBIT and IT Governance (cont’d)
Common Language
► Everybody on the same page by defining critical terms and providing a glossary.
► Co-ordination within and across project teams and organizations can play a key role in the success of any project.
► Common language helps build confidence and trust.
23. COBIT: Premise
It is based on the premise that IT needs to deliver the information that an enterprise requires to achieve its objectives.
(Diagram: IT Resources and Processes provide Information to Business Processes for achieving Business Objectives)
It helps align IT with the business by focusing on business information requirements and organizing IT resources. COBIT provides the framework and guidance to implement IT governance.
25. COBIT: Premise (cont’d)
As a control and governance framework for IT, it focuses on two key areas:
► Providing info required to support business objectives and requirements
► Treating info as the result of the combined application of IT-related resources that need to be managed by IT processes
(Diagram: Business Requirement, IT Process, Control Approach, IT Resources; Information Criteria: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability; IT Processes: Domains, Processes, Activities; IT Resources: Applications, Information, Infrastructure, People)
26. COBIT: Cube
It describes how IT processes deliver the information the business needs to achieve its objectives.
For controlling this delivery, COBIT provides three key components, each forming a dimension of the COBIT cube:
Business Requirements for Information Criteria
IT Resources
IT Processes
27. COBIT Cube: IT Processes
COBIT describes the IT life cycle with the help of four domains:
Plan and Organize
Acquire and Implement
Deliver and Support
Monitor and Evaluate
► Processes are series of activities with natural control breaks.
► 34 processes across the four domains specify what the business needs to achieve its objectives.
► Activities are actions that are required to achieve measurable results. Moreover, activities have life cycles and include many discrete tasks.
28. COBIT Cube: IT Domains
Plan and Organize (PO)
► Objectives
Formulating strategy and tactics
Identifying how IT can best contribute to achieving business objectives
Planning, communicating and managing the realization of the strategic vision
Implementing organizational and technological infrastructure
► Scope
Are IT and the business strategically aligned?
Is the enterprise achieving optimum use of its resources?
Does everyone in the organization understand the IT objectives?
Are IT risks understood and being managed?
Is the quality of IT systems appropriate for business needs?
29. COBIT Cube: IT Domains (cont’d)
Have a look at the COBIT process model
Plan and Organise
PO1 Define a strategic IT plan.
PO2 Define the information architecture.
PO3 Determine technological direction.
PO4 Define the IT processes, organisation and relationships.
PO5 Manage the IT investment.
PO6 Communicate management aims and direction.
PO7 Manage IT human resources.
PO8 Manage quality.
PO9 Assess and manage IT risks.
PO10 Manage projects.
30. COBIT Cube: IT Domains (cont’d)
Acquire and Implement (AI)
► Objectives:
Identifying, developing, acquiring, implementing and integrating IT solutions
Changes in and maintenance of existing systems
► Scope:
Are new projects likely to deliver solutions that meet business needs?
Are new projects likely to be delivered on time and within budget?
Will the new systems work properly when implemented?
Will changes be made without upsetting current business operations?
31. COBIT Cube: IT Domains (cont’d)
Acquire and Implement
AI1 Identify automated solutions.
AI2 Acquire and maintain application software.
AI3 Acquire and maintain technology infrastructure.
AI4 Enable operation and use.
AI5 Procure IT resources.
AI6 Manage changes.
AI7 Install and accredit solutions and changes.
32. COBIT Cube: IT Domains (cont’d)
Deliver and Support (DS)
► Objectives:
The actual delivery of required services, including service delivery
The management of security, continuity, data and operational facilities
Service support for users
► Scope:
Are IT services being delivered in line with business priorities?
Are IT costs optimized?
Is the workforce able to use IT systems productively and safely?
Are adequate confidentiality, integrity and availability in place?
33. COBIT Cube: IT Domains (cont’d)
Deliver and Support
DS1 Define and manage service levels.
DS2 Manage third-party services.
DS3 Manage performance and capacity.
DS4 Ensure continuous service.
DS5 Ensure systems security.
DS6 Identify and allocate costs.
DS7 Educate and train users.
DS8 Manage service desk and incidents.
DS9 Manage the configuration.
DS10 Manage problems.
DS11 Manage data.
DS12 Manage the physical environment.
DS13 Manage operations.
34. COBIT Cube: IT Domains (cont’d)
Monitor and Evaluate (ME)
► Objectives:
Performance management
Monitoring of internal control
Regulatory compliance
Governance
► Scope:
Is IT’s performance measured to detect problems before it is too late?
Does management ensure internal controls are effective and efficient?
Can IT performance be linked to business goals?
Are risk, control, compliance and performance measured and reported?
35. COBIT Cube: IT Domains (cont’d)
Monitor and Evaluate
ME1 Monitor and evaluate IT performance.
ME2 Monitor and evaluate internal control.
ME3 Ensure compliance with external requirements.
ME4 Provide IT governance.
36. COBIT Cube: Information Criteria
► To satisfy business objectives, information needs to conform to specific control criteria, which COBIT refers to as business requirements for information.
► Broadly, information criteria are based on the following requirements:
Quality Requirements
Fiduciary Requirements
Security Requirements
37. COBIT Cube: Information Criteria (cont’d)
Effectiveness: Deals with information being relevant and pertinent to the business process as well as being delivered in a timely, correct, consistent and usable manner
Efficiency: Concerns the provision of information through the optimal (most productive and economical) use of resources
Confidentiality: Concerns the protection of sensitive information from unauthorised disclosure
Integrity: Relates to the accuracy and completeness of information as well as to its validity in accordance with business values and expectations
Availability: Relates to information being available when required by the business process now and in the future. It also concerns the safeguarding of necessary resources and associated capabilities.
Compliance: Deals with complying with those laws, regulations and contractual arrangements to which the business process is subject, i.e., externally imposed business criteria as well as internal policies
Reliability: Relates to the provision of appropriate information for management to operate the entity and to exercise its fiduciary and governance responsibilities
38. COBIT Cube: IT Resources
► IT processes manage IT resources to generate, deliver and store the information that the organization needs to achieve its objectives.
► The IT resources identified in COBIT are defined as:
Applications are automated user systems and manual procedures that process information.
Information is data that are input, processed and output by information systems, in whatever form used by the business.
Infrastructure includes the technology and facilities, such as hardware, operating systems and networking, that enable the processing of applications.
People are the personnel required to plan, organize, acquire, implement, deliver, support, monitor and evaluate information systems and services. They may be internal, outsourced or contracted, as required.
39. COBIT 5 Cube
IT resources are managed by IT processes to achieve IT goals that respond to the business requirements.
43. Governance and Management
Governance ensures that enterprise objectives are achieved by:
Evaluating stakeholder needs, conditions and options
Setting direction through prioritisation and decision making
Monitoring performance, compliance and progress against agreed-on direction and objectives (EDM)
Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives (PBRM)
44. In Short…
It brings together the five principles that allow the enterprise to build an effective governance and management framework
Based on a holistic set of seven enablers that optimises information and technology investment and use for the benefit of stakeholders
46. COBIT 5: Complete Business Framework
(Diagram: Evolution of scope: Audit, Control, Management, IT Governance; COBIT1 1996, COBIT2 1998, COBIT3 2000, COBIT4.0/4.1 2005/7, Val IT 2.0 (2008), Risk IT (2009), COBIT 5 2012)
48. Five COBIT 5 Principles
1. Meeting Stakeholder Needs
2. Covering the Enterprise End-to-end
3. Applying a Single Integrated Framework
4. Enabling a Holistic Approach
5. Separating Governance From Management
50. Meeting Stakeholder Needs
Enterprises have many stakeholders, and ‘creating value’ means different—and sometimes conflicting—things to each of them.
Governance is about negotiating and deciding amongst different stakeholders’ value interests.
The governance system should consider all stakeholders when making benefit, resource and risk assessment decisions.
For each decision, the following can and should be asked:
Who receives the benefits?
Who bears the risk?
What resources are required?
51. Meeting Stakeholder Needs
Stakeholder needs have to be transformed into an enterprise’s practical strategy.
The COBIT 5 goals cascade translates stakeholder needs into specific, practical and customised goals within the context of the enterprise, IT-related goals and enabler goals.
52. Meeting Stakeholder Needs (cont.)
Benefits of the COBIT 5 goals cascade:
It allows the definition of priorities for implementation, improvement and assurance of enterprise governance of IT based on enterprise strategic objectives and related risk
In practice, the goals cascade:
Defines relevant and tangible goals and objectives at various levels of responsibility
Filters the knowledge base of COBIT 5, based on enterprise goals to extract relevant guidance for inclusion in specific implementation, improvement or assurance projects
Clearly identifies and communicates how (sometimes very operational) enablers are important to achieve enterprise goals
53. Covering the Enterprise End-to-end
It addresses the governance and management of information and related technology from an enterprise-wide, end-to-end perspective
It means:
Integrates governance of enterprise IT into enterprise governance, i.e., the governance system for enterprise IT proposed by COBIT 5 integrates seamlessly in any governance system because COBIT 5 aligns with the latest views on governance
Covers all functions and processes within the enterprise; COBIT 5 does not focus only on the ‘IT function’, but treats information and related technologies as assets that need to be dealt with just like any other asset by everyone in the enterprise
55. Applying a Single Integrated Framework
It aligns with the latest relevant other standards and frameworks:
Enterprise: COSO, COSO ERM, ISO/IEC 9000, ISO/IEC 31000
IT-related: ISO/IEC 38500, ITIL, ISO/IEC 27000 series, TOGAF, PMBOK/PRINCE2, CMMI
Use it as the overarching governance and management framework integrator
ISACA plans a capability to facilitate COBIT user mapping of practices and activities to third-party references
56. Enabling a Holistic Approach
COBIT 5 enablers are:
Factors that, individually and collectively, influence whether something will work—in the case of COBIT, governance and management over enterprise IT
Driven by the goals cascade, i.e., higher-level IT-related goals define what the different enablers should achieve
Described by the COBIT 5 framework in seven categories
58. Enabling a Holistic Approach
1. Processes—Describe an organised set of practices and activities to achieve certain objectives and produce a set of outputs in support of achieving overall IT-related goals
2. Organisational structures—Are the key decision-making entities in an organisation
3. Culture, ethics and behaviour—Of individuals and of the organisation; very often underestimated as a success factor in governance and management activities
4. Principles, policies and frameworks—Are the vehicles to translate the desired behaviour into practical guidance for day-to-day management
5. Information—Is pervasive throughout any organisation, i.e., deals with all information produced and used by the enterprise. Information is required for keeping the organisation running and well governed, but at the operational level, information is very often the key product of the enterprise itself.
6. Services, infrastructure and applications—Include the infrastructure, technology and applications that provide the enterprise with information technology processing and services
7. People, skills and competencies—Are linked to people and are required for successful completion of all activities and for making correct decisions and taking corrective actions
59. Enabling a Holistic Approach
Systemic governance and management through interconnected enablers—To achieve the main objectives of the enterprise, it must always consider an interconnected set of enablers, i.e., each enabler:
Needs the input of other enablers to be fully effective, e.g., processes need information, organisational structures need skills and behaviour
Delivers output to the benefit of other enablers, e.g., processes deliver information, skills and behaviour make processes efficient
This is a KEY principle emerging from the ISACA development work around the Business Model for Information Security (BMIS).
61. Separating Governance From Management
These two disciplines:
Encompass different types of activities
Require different organisational structures
Serve different purposes
Governance—In most enterprises, governance is the responsibility of the board of directors under the leadership of the chairperson.
Management—In most enterprises, management is the responsibility of the executive management under the leadership of the CEO.
62. Separating Governance From Management
• Governance ensures that stakeholders’ needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritisation and decision making; and monitoring performance and compliance against agreed-on direction and objectives (EDM)
• Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives (PBRM)
64. Separating Governance From Management
COBIT 5 framework describes seven categories of enablers (Principle #4).
An enterprise can organise its processes as it sees fit, as long as all necessary governance and management objectives are covered
Smaller enterprises may have fewer processes while larger and more complex enterprises may have many processes, all to cover the same objectives.
COBIT 5 includes a process reference model (PRM), which defines and describes in detail a number of governance and management processes.
65. The Need for IT Governance
(Diagram of challenges: Aligning IT with Business; Value/Cost; Security; Keeping IT Running; Managing Complexity; Regulatory Compliance)
Organizations require a structured approach for managing these and other challenges
This will ensure that there are agreed objectives for IT, good management controls in place and effective monitoring of performance to keep on track and avoid unexpected outcomes
66. The Need for IT Governance (cont’d)
Enterprise governance is a set of responsibilities and practices exercised by the board and executive management with the goal of:
• Providing strategic direction
• Ensuring that objectives are achieved
• Ascertaining that risks are managed appropriately
• Verifying that the enterprise’s resources are used responsibly
(Diagram: IT governance focus areas: Strategic Alignment, Value Delivery, Risk Management, Resource Management, Performance Measurement. Source: www.itgi.org)
67. Enterprise Governance Drives IT Governance
Enterprise governance is about:
Conformance
• Adhering to legislation, internal policies, audit requirements, etc.
Performance
• Improving profitability, efficiency, effectiveness, growth, etc.
Enterprise governance and IT governance require a balance between conformance and performance goals directed by the board.
68. IT Governance Focus Areas
Strategic alignment: Focuses on ensuring the linkage of business and IT plans; on defining, maintaining and validating the IT value proposition; and on aligning IT operations with enterprise operations
Value delivery: Is about executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimising costs and proving the intrinsic value of IT
Resource management: Is about the optimal investment in, and the proper management of, critical IT resources: applications, information, infrastructure and people. Key issues relate to the optimisation of knowledge and infrastructure.
Risk management: Requires risk awareness by senior corporate officers, a clear understanding of the enterprise’s appetite for risk, understanding of compliance requirements, transparency about the significant risks to the enterprise, and embedding of risk management responsibilities in the organisation
Performance measurement: Tracks and monitors strategy implementation, project completion, resource usage, process performance and service delivery, using, for example, balanced scorecards that translate strategy into action to achieve goals measurable beyond conventional accounting
69. Making IT Governance Work
Make IT governance a workable solution—able to deal with the challenges and pitfalls presented by IT.
Focus as much on improving performance and enabling competitive advantage as preventing problems.
Make IT governance a shared responsibility between the business (customer) and the IT service provider, with the full commitment and direction of the board.
Align IT governance within a wider enterprise governance scheme.
Boards and executive management need to extend enterprise governance to include IT, provide the necessary leadership and organisational structures, and insist on well-managed and properly controlled processes.
70. IT Governance Stakeholders
Board and Executive
Set direction for IT, monitor results and insist on corrective measures
Business Management
Defines business requirements for IT and ensures that value is delivered and risks are managed
IT Management
Delivers and improves IT services as required by the business
IT Audit
Provides independent assurance to demonstrate that IT delivers what is needed
Risk and Compliance
Measures compliance with policies and focuses on alerts to new risks
71. Framework for IT Governance
Bridges the gaps between business risks, control needs and technical issues. It provides good practices across a domain and process framework and presents activities in a manageable and logical structure.
COBIT:
Starts from business requirements
Is process-oriented, organizing IT activities into a generally accepted process model
Identifies the major IT resources to be leveraged
Defines the management control objectives to be considered
Incorporates major international standards
Has become the de facto standard for overall control of IT
IT resources need to be managed by a set of naturally grouped processes. COBIT provides a framework that achieves this objective.
72. COBIT Helps Implement Effective IT Governance
It brings the following advantages to an IT governance implementation effort:
Enables mapping of IT goals to business goals and vice versa
Better alignment, based on a business focus
A view of what IT does that is understandable to management
Clear ownership and responsibilities based on process orientation
General acceptability with third parties and regulators
Shared understanding amongst all stakeholders, based on a common language
Fulfilment of the COSO requirements for the IT control environment
73. COBIT and Other IT Management Frameworks
We will consider and use a variety of IT models, standards and best practices. These must be understood in order to consider how they can be used together, with COBIT acting as the consolidator (‘umbrella’).
(Diagram: scope of coverage, from WHAT to HOW: COSO, COBIT, ISO 17799, ISO 9000, ITIL)
74. Where Does COBIT Fit?
(Diagram: Drivers: CONFORMANCE (Basel II, SOX, etc.) and PERFORMANCE (Business Goals, Balanced Scorecard); Enterprise Governance: COSO; IT Governance: COBIT; Best Practice Standards: ISO 9001:2000, ISO 17799, ISO 20000, ITIL; Processes and Procedures: QA Procedures, Security Principles)
75. Governance, Risk and Compliance
An increasingly used ‘umbrella term’ that covers these three areas of enterprise activities.
These areas of activity are progressively being more aligned and integrated to improve enterprise performance and delivery of stakeholder needs.
76. GRC Definitions
Governance—Exercise of authority; control; government; arrangement.
Risk (management)—Hazard; danger; peril; exposure to loss, injury, or destruction (The act or art of managing; the manner of treating, directing, carrying on, or using, for a purpose; conduct; administration; guidance; control)
Compliance—The act of complying; a yielding; as to a desire, demand, or proposal; concession; submission
Webster’s Online Dictionary
77. Types of Governance
Different types of governance exist:
Corporate governance
Project governance
Information technology governance
Environmental governance
Economic and financial governance
Each type has one or more sources of guidance, each with similar goals but often varying terms and techniques for their achievement.
78. Implementing Governance
Integrating the implementation of GRC activities within an enterprise requires a systemic approach for reliably achieving the business goals of its stakeholders.
Such approaches are typically based on enablers of various types, i.e. principles, policies, frameworks and organizational structures.
79. A GRC Model Example
From the OCEG Red Book GRC Capability Model version 2.1.
80. Corporate Governance of IT
ISO/IEC 38500:2008 on Corporate governance of information technology
1.1 Scope
It provides guiding principles for directors of organizations (including owners, board members, directors, partners, senior executives, or similar) on the effective, efficient, and acceptable use of Information Technology (IT) within their organizations.
It applies to the governance of management processes (and decisions) relating to the information and communication services used by an organization.
These processes could be controlled by IT specialists within the organization or external service providers, or by business units within the organization.
81. Corporate Governance of IT
ISO/IEC 38500:2008
Corporate governance of information technology
2.1 Principles
2.1.1 Principle 1: Responsibility
2.1.2 Principle 2: Strategy
2.1.3 Principle 3: Acquisition
2.1.4 Principle 4: Performance
2.1.5 Principle 5: Conformance
2.1.6 Principle 6: Human Behavior
82. Corporate Governance of IT
ISO/IEC 38500:2008
Corporate governance of information technology
2.2 Model
Directors should govern IT through three main tasks:
a) Evaluate the current and future use of IT.
b) Direct preparation and implementation of plans and policies to ensure that use of IT meets business objectives.
c) Monitor conformance to policies, and performance against the plans.
84. Governance in COBIT 5
Governance ensures that enterprise objectives are achieved by evaluating stakeholder needs, conditions and options; setting direction through prioritisation and decision making; and monitoring performance, compliance and progress against agreed direction and objectives (EDM).
Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives (PBRM).
85. Governance in COBIT 5
• The COBIT 5 process reference model subdivides the IT-related practices and activities of the enterprise into two main areas—governance and management—with management further divided into domains of processes.
• The GOVERNANCE domain contains five governance processes; within each process, evaluate, direct and monitor (EDM) practices are defined.
• 01 Ensure governance framework setting and maintenance.
• 02 Ensure benefits delivery.
• 03 Ensure risk optimization.
• 04 Ensure resource optimization.
• 05 Ensure stakeholder transparency.
87. Risk Management in COBIT 5
• The GOVERNANCE domain contains five governance processes, one of which focuses on stakeholder risk-related objectives: EDM03 Ensure risk optimization.
• Process Description
Ensure that the enterprise’s risk appetite and tolerance are understood, articulated and communicated, and that risk to enterprise value related to the use of IT is identified and managed.
• Process Purpose Statement
Ensure that IT-related enterprise risk does not exceed risk appetite and risk tolerance, the impact of IT risk to enterprise value is identified and managed, and the potential for compliance failures is minimized.
88. Risk Management in COBIT 5
• The MANAGEMENT Align, Plan and Organise domain contains a risk-related process: APO12 Manage risk.
• Process Description
Continually identify, assess and reduce IT-related risk within levels of tolerance set by enterprise executive management.
• Process Purpose Statement
Integrate the management of IT-related enterprise risk with overall ERM, and balance the costs and benefits of managing IT-related enterprise risk.
90. Risk Management in COBIT 5
• All enterprise activities have associated risk exposures resulting from environmental threats that exploit enabler vulnerabilities.
• EDM03 Ensure risk optimization
Ensures that the enterprise stakeholders’ approach to risk is articulated to direct how risks facing the enterprise will be treated.
• APO12 Manage risk
Provides the enterprise risk management (ERM) arrangements that ensure that the stakeholder direction is followed by the enterprise.
• All other processes include practices and activities that are designed to treat related risk (avoid, reduce/mitigate/control, share/transfer/accept).
91. Risk Management in COBIT 5
COBIT 5 suggests accountabilities and responsibilities for enterprise roles and governance/management structures (RACI charts) for each process. These include risk-related roles.
92. Compliance in COBIT 5
• The MANAGEMENT Monitor, Evaluate and Assess domain contains a compliance-focused process: MEA03 Monitor, evaluate and assess compliance with external requirements.
• Process Description
Evaluate that IT processes and IT-supported business processes are compliant with laws, regulations and contractual requirements. Obtain assurance that the requirements have been identified and complied with, and integrate IT compliance with overall enterprise compliance.
• Process Purpose Statement
Ensure that the enterprise is compliant with all applicable external requirements.
94. Compliance in COBIT 5
• Legal and regulatory compliance is a key part of the effective governance of an enterprise, hence its inclusion in the GRC term and in the COBIT 5 Enterprise Goals and supporting enabler process structure (MEA03).
• In addition to MEA03, all enterprise activities include control activities that are designed to ensure compliance not only with externally imposed legislative or regulatory requirements but also with enterprise governance-determined principles, policies and procedures.
95. Compliance in COBIT 5
COBIT 5 suggests accountabilities and responsibilities for enterprise roles and governance/management structures (RACI charts) for each process. These include a compliance-related role.
96. Summary
• The COBIT 5 framework includes necessary guidance to support enterprise GRC objectives and supporting activities:
• Governance activities related to GEIT (5 processes)
• Risk management process—and supporting guidance for risk management across the GEIT space
• Compliance—a specific focus on compliance activities within the framework and how they fit within the complete enterprise picture
• Inclusion of GRC arrangements within the business framework for GEIT helps enterprises to avoid the main issue with GRC arrangements—silos of activity!
98. COBIT 5 Implementation
• The improvement of GEIT is widely recognised by top
management as an essential part of enterprise
governance.
• Information and pervasiveness of IT are increasingly
part of every aspect of business and public life.
• The need to drive more value from IT investments and
manage an increasing array of IT-related risk has never
been greater.
• Increasing regulation and legislation over business use
of information is also driving heightened awareness of
the importance of a well-governed and managed IT
environment.
99. COBIT 5 Implementation
• ISACA has developed the COBIT 5 framework to help
enterprises implement sound governance enablers.
• Indeed, implementing good GEIT is almost impossible
without engaging an effective governance framework.
Best practices and standards are also available to
underpin COBIT 5.
• Frameworks, best practices and standards are useful
only if they are adopted and adapted effectively.
• There are challenges that need to be overcome and
issues that need to be addressed if GEIT is to be
implemented successfully.
100. COBIT 5 Implementation
The COBIT 5 Implementation guide covers the following subjects:
• Positioning GEIT within an enterprise
• Taking the first steps towards improving GEIT
• Implementation challenges and success factors
• Enabling GEIT-related organisational and
behavioural change
• Implementing continual improvement that includes
change enablement and programme management
• Using COBIT 5 and its components
104. COBIT 5 Future Supporting Products
• Professional Guides
  • COBIT 5 for Information Security
  • COBIT 5 for Assurance
  • COBIT 5 for Risk
• Enabler Guides
  • COBIT 5: Enabling Information
• COBIT Online Replacement
• COBIT Assessment Programme
  • Process Assessment Model (PAM): Using COBIT 5
  • Assessor Guide: Using COBIT 5
  • Self-assessment Guide: Using COBIT 5
Editor's Notes
This shows the framework from a different perspective using the cube.
This shows all the components of COBIT and how they relate to each other.
Walk everyone through the diagram.
This and the next slide provide definitions (as provided by ITGI) of ‘enterprise governance’ and ‘IT governance’. The diagram introduces the five focus areas of IT governance, which we will describe in more detail in a moment.
Emphasise the key aspects of enterprise governance and that they apply to IT and should include IT.
Governance is about meeting strategic objectives (performance) while meeting legal and regulatory, contractual and other obligatory requirements often supported by policies (conformance). The goal is to achieve both in a balanced way.
This slide highlights the five focus areas of IT governance as defined by ITGI.
The implementation of IT governance practices requires a practical and pragmatic approach. IT departments and service providers have a challenging function to provide services in complex environments and within demanding timescales. IT governance must help, not hinder, the services IT provides within these real-life constraints and be an enabler for better performance—not a blocker or administrative burden. Getting the business side and management involved is a critical success factor.
There are different groups of stakeholders who have (or should have) an interest in IT governance. These groups will be referred to throughout the course, with explanations of the roles they can play. Getting these groups involved at an early stage can make all the difference between a successful initiative and one that struggles to get significant attention.
Driving initiatives like this top-down vs. bottom-up is key—like the analogy of coming down a hill rather than climbing up against obstacles. However, in practice, it is not unusual for some IT functions to develop their IT governance ideas and techniques before exposing the concept to wider stakeholders.
This slide summarises the main attributes of the COBIT framework.
These are the main benefits gained by using COBIT to implement IT governance.
You could ask the class for their opinions and experiences.
It is normal for COBIT to be used in conjunction with other good practices, standards and in-house developed guidance. COBIT can act like an umbrella providing the framework for everything else.
This slide shows how COBIT fits into the hierarchy—from business drivers at the top, down to specific governance processes and procedures. COBIT is the bridge between business and enterprise governance requirements and specific IT governance practices.