How to get Agile IT with Smart IT Governance

José Ángel PEÑA IBARRA, CGEIT, CRISC

COBIT 5 Accredited Trainer

japi@ccisa.com.mx

ISACA Curacao Conference 2017


Curaçao Chapter

Former International Vice-President of ISACA and the IT Governance Institute (2007-2011).

Vice-President of ISACA Monterrey Chapter (2015-2017).

Partner of CCISA México since 2002. Former partner of PricewaterhouseCoopers in México.

35+ years of experience in IT, including 11 years in managerial positions in IT, and about 25 years in consulting, auditing and training, with assignments in 20+ countries.

September 2017

I AM MEXICAN

I AM ISACAN

I AM IN CURACAO


Content

01 INTRODUCTION

02 LEVERAGE ON EXISTING TOOLS

03 HOLISTIC APPROACH AND PRM

04 CONTINUAL IMPROVEMENT

Opt. ENCORE: COBIT 5 FOR RISK


Introduction

What is Agile IT?


Agile IT means IT can support the enterprise innovation capabilities and satisfy the business's changing needs.


What is Smart IT Governance?


Smart IT governance means leveraging existing tools, such as the family of COBIT products, ISACA resources and other frameworks and methodologies.


Key Message:

Do not try to reinvent the wheel!


[Figure: EXPLORE versus EXPLOIT, on the axes of KNOWLEDGE and VALUE]


Leverage on existing tools

ISACA Products and Resources


Complement with other frameworks, methodologies and standards

[Figure: complementary frameworks positioned by WHAT?, HOW? and SCOPE: COBIT, ISO 9000, ISO 27002, ITIL, SCRUM]

ISACA Products

• COBIT 5 is an overarching framework

www.isaca.org

COBIT 5 Practical Guidance

• COBIT 5 for Business benefits realisation

• Vendor Management using COBIT 5

• IT Control Objectives for SOX using COBIT 5

• Controls and Assurance in the Cloud, using COBIT 5.


• Risk Scenarios using COBIT 5 for Risk

• Securing mobile devices using COBIT 5 for Information

• Transforming Cybersecurity using COBIT 5

• Configuration Management using COBIT 5

Audit Programs using COBIT 5

• Audit Programs using COBIT 5

– Evaluate, Direct and Monitor

– Align, Plan and Organize

– Build, Acquire and Implement

– Deliver, Service and Support


• ITAF: Professional Practices Framework for Audit/Assurance

COBIT 5 Assessment Program

• The COBIT Assessment Program includes:

– COBIT Process Assessment Model (PAM) Using COBIT 5

– COBIT Assessor’s Guide – using COBIT 5

– COBIT Self Assessment Guide – Using COBIT 5

The Process Capability Model based on ISO 15504 replaces the Process Capability Maturity Model used in earlier COBIT versions.

© 2012 ISACA® All rights reserved.


• COBIT 5/CMMI Practices Pathway Tool


COBIT 5 Principles


COBIT 5 Generic Enterprise Enablers

1. Principles, Policies and Frameworks

2. Processes

3. Organisational Structures

4. Culture, Ethics and Behaviour

5. Information

6. Services, Infrastructure and Applications

7. People, Skills and Competencies

(Enablers 5 to 7 are grouped as Resources.)


5 domains, 37 processes


[Figure: COBIT 5 process description template. Header: Process Name, Area, Domain. Sections: Process Description; Process Purpose Statement; "The process supports the achievement of a set of primary IT-related goals" (IT-related Goal / Related Metrics); Process Goals and Metrics (Process Goal / Related Metrics); RACI Chart; Management Practices, each with Inputs and Outputs (source and description) and Activities; Related Guidance (Related Standard / Detailed Reference).]

Scenario

• A big retailer company, focused on sports shoes, recently hired a Marketing and Sales VP because they want to improve their revenues and also protect their market against new competitors. The company has about 600 stores in several countries in Latin America.

• The new Marketing and Sales VP has some very innovative ideas and is working with the Operations Director to almost completely renovate the concept of their stores. He also wants to start selling through e-commerce, because until now sales were made only through their chain of stores.

Scenario (cont.)

• These two business initiatives, renovated stores and e-commerce, bring important challenges to the IT department, amongst them:

– To improve customer buying satisfaction in the store, they need to solve some issues in the inventory management process. Until now, if a client asks for a product that is not in the store, it takes one or two days to know whether they have this product in another store or need to order it. Now they want to tell the client immediately when they will have the product in the store.

– They also want to improve the invoicing process. At the moment, when a client asks for an electronic invoice, they give him/her an internet link to download the e-invoice. This is not simple, and for many customers it is so complicated that they prefer not to get the invoice. Now they want to send the invoice via email at the very moment he/she is paying for the product.


• Therefore, the IT department needs to develop and implement a new inventory management system and a new billing system.

• The e-commerce initiative requires not only finding a good e-commerce solution, but also managing all the security risks inherent to the new platform.

• Additionally, they have discovered that the Disaster Recovery Plan is obsolete and not adequate for the new business continuity needs.

• To assure the success of the new initiatives, the CIO decided to use COBIT 5 to improve some of the IT processes, and also decided to use Risk Scenarios based on COBIT 5 to identify the main risks.

END of SCENARIO


Delegate Activity (Teamwork)

Using the provided scenario:

1. Define which processes the IT director needs to select from the COBIT 5 Process Reference Model

2. Explain why you selected those processes

3. Explain also the procedure you think must be followed to select the processes


Phases 1 and 2

[Figure: Phases 1 and 2 of process selection. Top down: Business Goals → IT Goals → Selected Processes. Bottom up: Generic Pain Points → Specific Pain Points → Selected Processes. Also shown: IT Risks (carried to the next phase) and the Phase 2 output.]


THANK YOU!


05 COBIT 5 FOR RISK


Risk Scenarios Toolkit

Risk

ISO Guide 73:

• Risk is the combination of the probability of a given event and its consequences (impact).

Note about quantitative Risk Analysis

Impact × Prob. = RL

1 × 1 = 1
1 × 2 = 2
1 × 3 = 3
2 × 1 = 2
2 × 2 = 4
2 × 3 = 6
3 × 1 = 3
3 × 2 = 6
3 × 3 = 9

Risk levels 5, 7 and 8 are missed.

Risk level matrix (rows: Impact 3 to 1; columns: Probability 1 to 3):

             Probability
Impact       1    2    3
   3         6    8    9
   2         3    5    7
   1         1    2    4


Imp. × Prob. = RL (read from the matrix, not multiplied):

1 × 2 = 2

2 × 1 = 3
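The point of the note above (multiplying a 1-3 impact by a 1-3 probability never yields 5, 7 or 8, while ranking the nine cells gives every level from 1 to 9, and breaks the 1×2 / 2×1 tie) worked through as an added Python example; this is not code from the slides. The ordering rule used to generate the ranked matrix (sort cells by impact + probability, higher impact first on ties) is an assumption that happens to reproduce the slide's numbers, and the three sample risks are constructed from the retailer scenario.

```python
from itertools import product

# Ranked levels from the slide (key = (impact, probability), each 1..3).
SLIDE_MATRIX = {
    (3, 1): 6, (3, 2): 8, (3, 3): 9,
    (2, 1): 3, (2, 2): 5, (2, 3): 7,
    (1, 1): 1, (1, 2): 2, (1, 3): 4,
}

# Constructed sample risks from the retailer scenario: (name, impact, probability).
SAMPLE_RISKS = [
    ("E-commerce platform breached", 3, 1),
    ("Inventory lookup returns stale stock", 1, 3),
    ("Disaster recovery plan fails in a real outage", 2, 2),
]


def multiplicative_levels(scale=3):
    """Risk level = impact x probability for every cell of a scale x scale matrix."""
    return {(imp, prob): imp * prob
            for imp, prob in product(range(1, scale + 1), repeat=2)}


def missing_levels(levels, scale=3):
    """Values in 1..scale**2 that no cell of `levels` reaches (the gaps in the scale)."""
    return set(range(1, scale ** 2 + 1)) - set(levels.values())


def ordinal_matrix(scale=3):
    """Rank every (impact, probability) cell 1..scale**2 so that no level is skipped.

    Assumed ordering rule (it reproduces the slide's 3x3 matrix): sort cells by
    impact + probability and break ties in favour of the higher impact, so a
    severe-but-rare risk ranks above a frequent-but-minor one.
    """
    cells = sorted(product(range(1, scale + 1), repeat=2),
                   key=lambda c: (c[0] + c[1], c[0]))
    return {cell: rank for rank, cell in enumerate(cells, start=1)}


def rank_risks(risks, levels):
    """Names of `risks` ordered by level, highest first; ties keep input order."""
    return [name for name, imp, prob in
            sorted(risks, key=lambda r: -levels[(r[1], r[2])])]


if __name__ == "__main__":
    mult = multiplicative_levels()
    print("multiplicative levels never reached:", sorted(missing_levels(mult)))
    print("ordinal matrix matches slide:", ordinal_matrix() == SLIDE_MATRIX)
    print("ranking by product:", rank_risks(SAMPLE_RISKS, mult))
    print("ranking by matrix: ", rank_risks(SAMPLE_RISKS, ordinal_matrix()))
```

With the product rule the breach (3×1) and the stale-stock issue (1×3) tie at level 3; the ranked matrix separates them (6 versus 4) and places the obsolete recovery plan (2×2, level 5) between them.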

Risk Scenarios

01 Portfolio establishment and maintenance

02 Programme/projects life cycle management

03 IT investment decision making

04 IT expertise and skills

05 Staff operations

06 Information

07 Architecture

08 Infrastructure

09 Software

10 Business ownership of IT

11 Suppliers

12 Regulatory compliance

13 Geopolitical

14 Infrastructure theft or destruction

15 Malware

16 Logical attacks

17 Industrial action

18 Environmental

19 Acts of nature

20 Innovation

Generic risk scenarios

Join us!

THANK YOU!