Page 1: © ITGI 2004 - not for commercial use.

A High-level Overview of the COBIT Principles, Structure, and Framework

John R. Robles
787-647-3961
jrobles@coqui.net
www.johnrrobles.com
Reliable Financial Services

COBIT Framework

“This information is copyrighted by the IT Governance Institute and Information Systems Audit and Control Association. Any commercial use is strictly forbidden. It may, however, be used for educational or promotional purposes by ISACA members and chapters on a not-for-profit basis.”

CobiT: best practices repository for IT Processes, IT Management Processes and IT Governance Processes

Page 2: COBIT Introduction

• Why does IT need an IT control framework?
• Who needs an IT control framework?
• How and why is COBIT used?

Page 3: Why does IT need a control framework?

Do any of these conditions sound familiar?
• Increasing pressure to leverage technology in business strategies
• Growing complexity of IT environments
• Fragmented IT infrastructures
• Communication gap between business and IT managers
• IT service levels that are disappointing from internal IT functions and from increasingly outsourced IT providers
• IT costs perceived to be out of control
• Marginal ROI/productivity gains on technology investments
• Impaired organisational flexibility and nimbleness to change
• User frustration leading to ad hoc solutions

Page 4: Why does IT need a control framework?

• Increasing dependence on information and the systems that deliver this information
• Increasing vulnerabilities and a wide spectrum of threats, such as cyberthreats and information warfare
• Scale and cost of the current and future investments in information and information systems
• The need to comply with regulations
• The potential for technologies to dramatically change organisations and business practices, create new opportunities and reduce costs
• Recognition by many organisations of the potential benefits that technology can yield

Successful organisations understand and manage the risks associated with implementing new technologies.

Page 5: Why does IT need a control framework?

Management needs to get IT under control, to ensure that:
• IT provides value: cost, time and functionality are as expected
• IT does not provide surprises: risks are mitigated
• IT pushes the envelope: new opportunities and innovations for process, product and services

Page 6: Who needs a control framework?

Board and Executive
• To ensure management follows and implements the strategic direction for IT

Management
• To make IT investment decisions
• To balance risk and control investment
• To benchmark existing and future IT environment

Users
• To obtain assurance on security and control of products and services they acquire internally or externally

Auditors
• To substantiate opinions to management on internal controls
• To advise on what minimum controls are necessary

Page 7: Why and how is COBIT used?

COBIT as a response to the needs:
• Incorporates major international standards
• Has become the de facto standard for overall control over IT
• Starts from business requirements
• Is process-oriented

CobiT: best practices repository for IT Processes, IT Management Processes and IT Governance Processes

Page 8: Why and how is COBIT used?

Testimonials from Case Studies
• Helps substantially increase acceptance and reduce time to implement IT governance program
• Provides a guide for formal audits/reviews
• Helps use results of audits as an opportunity to plan improvements
• Is a strong factor in achieving primary goals for IT governance: transform organisational practices and pursue improved processes
• Provides economical continuous improvement framework
• Provides a credible source for management's decision on controls
• Impresses and helps IT operations managers with its ability to assist in understanding what auditors want
• Is ideal for business management to communicate requirements and concerns
• Is recognised as a reliable source reference that ensures identification of all major risk areas
• Improves communications and relations with IT management

Page 9: Why and how is COBIT used?

Results from Surveys
• To improve audit approach/programmes
• To support audit work with detailed audit guidelines
• To provide guidance for IT governance
• As a valuable benchmark for IS/IT control
• To improve IS/IT controls
• To standardise audit approach/programmes

Page 10: The COBIT Framework

The COBIT framework explained:
• Business focus
• Process orientation
• IT resources

Page 11: COBIT: An IT Control Framework (Principles)

• Generally applicable and accepted international standard for good practice for IT controls
• For application to enterprisewide information systems
• Technology-independent
• Starting from business requirements for information
• Management- and business process owner-oriented
• Based on ISACA's Control Objectives
  - Aligned with de jure and de facto standards and regulations
  - Based on critical review of tasks and activities or process focus
• Includes existing standards and regulations
  - ISO, EDIFACT and others
  - Codes of Conduct issued by Council of Europe
  - Professional standards in auditing: COSO, IFAC, IIA, ISACA, AICPA, etc.
• First published in April 1996, second edition in 1998, third in July 2000
• Has become the de facto standard for control over IT
• Fundamental in achieving IT governance

Page 12: COBIT: An IT Control Framework (Concepts)

• Starts from the premise that IT needs to deliver the information that the enterprise needs to achieve its objectives
• Promotes process focus and process ownership
• Divides IT into 34 processes belonging to four domains and provides a high-level control objective for each
• Considers fiduciary, quality and security needs of enterprises, providing seven information criteria that can be used to generically define what the business requires from IT
• Is supported by a set of over 300 detailed control objectives

Information criteria: Effectiveness, Efficiency, Availability, Integrity, Confidentiality, Reliability, Compliance

Domains: Plan and Organise, Acquire and Implement, Deliver and Support, Monitor and Evaluate

Page 13: COBIT: An IT Control Framework

Figure: COBIT structure, from IT down through Domains, Processes and IT Control Objectives, supported by Critical Success Factors, Outcome Measures, Key Performance Indicators, the Maturity Model and IT Control Practices.

Why should an organisation adopt COBIT?
• IT is an important element of corporate governance and management accountability.
• Ensure business-oriented solutions.
• Framework for risk assessment
• As a means to communicate with all stakeholders
• Authoritative basis (internationally accepted, exhaustive, evolving)

Page 14: Business Orientation and Process Focus

“In order to provide the information that the organisation needs to achieve its objectives, IT resources need to be managed by a set of naturally grouped processes.”

• Relates to business requirements (expressed as information criteria)
• Links to business processes
• Empowers business owners
• Decomposes IT into four domains and 34 processes
• Domains: (plan-build-run) + monitor
• Control, audit, implementation and performance management knowledge structured by process

Figure: Business Process; IT Processes, Business Requirements, IT Resources

Page 15: COBIT Framework Definition

“To provide the information that the organisation needs to achieve its objectives, IT resources need to be managed by a set of naturally grouped processes.”

Figure: IT Processes, Business Requirements, IT Resources

WHY: A process orientation is a proven management approach to efficiently exercise responsibilities, achieve set goals and reasonably manage risks.

Page 16: Business Requirements

Quality Requirements:
• Quality
• Delivery
• Cost

Security Requirements:
• Confidentiality
• Integrity
• Availability

Fiduciary Requirements (COSO Report):
• Effectiveness and efficiency of operations
• Compliance with laws and regulations
• Reliability of financial reporting

COBIT information criteria: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability of information

Page 17: Business Requirements

• Effectiveness: Deals with information being relevant and pertinent to the business process as well as being delivered in a timely, correct, consistent and usable manner
• Efficiency: Concerns the provision of information through the optimal (most productive and economical) usage of resources
• Confidentiality: Concerns protection of sensitive information from unauthorised disclosure
• Integrity: Relates to the accuracy and completeness of information as well as to its validity in accordance with the business's set of values and expectations
• Availability: Relates to information being available when required by the business process, and hence also concerns the safeguarding of resources
• Compliance: Deals with complying with those laws, regulations and contractual arrangements to which the business process is subject, i.e., externally imposed business criteria
• Reliability of information: Relates to systems providing management with appropriate information for it to use in operating the entity, providing financial reporting to users of the financial information, and providing information to report to regulatory bodies with regard to compliance with laws and regulations

Page 18: Process Orientation

Processes: A series of joined activities with natural control breaks

Activities or Tasks: Actions needed to achieve a measurable result. Activities have a life cycle, whereas tasks are discrete.

Domains: Natural grouping of processes, often matching an organisational domain of responsibility

Page 19: Process Orientation

IT Domains (natural grouping of processes, often matching an organisational domain of responsibility):
• Plan and Organise
• Acquire and Implement
• Deliver and Support
• Monitor and Evaluate

IT Processes (a series of joined activities with natural (control) breaks), for example:
• IT strategy
• Computer operations
• Incident handling
• Acceptance testing
• Change management
• Contingency planning
• Problem management

Activities (actions needed to achieve a measurable result; activities have a life cycle, whereas tasks are discrete), for example:
• Record new problem
• Analyse
• Propose solution
• Monitor solution
• Record known problem
• Etc.

Page 20: Process Orientation: Domains: Plan and Organise

Description: This domain covers strategy and tactics, and concerns the identification of how IT can best contribute to the achievement of the business objectives. Furthermore, the realisation of the strategic vision needs to be planned, communicated and managed for different perspectives. Finally, a proper organisation as well as technological infrastructure must be put in place.

Topics: Strategy and tactics; Vision planned; Organisation and infrastructure

Questions:
• Are IT and the business strategy aligned?
• Is the enterprise achieving optimum use of its resources?
• Does everyone in the organisation understand the IT objectives?
• Are IT risks understood and being managed?
• Is the quality of IT systems appropriate for business needs?

Page 21: Process Orientation: Plan and Organise

• PO1 Define a Strategic Information Technology Plan
• PO2 Define the Information Architecture
• PO3 Determine the Technological Direction
• PO4 Define the IT Organisation and Relationships
• PO5 Manage the Investment in Information Technology
• PO6 Communicate Management Aims and Direction
• PO7 Manage IT Human Resources
• PO8 Manage Quality
• PO9 Assess and Manage IT Risks
• PO10 Manage Projects

Page 22: Process Orientation: Domains: Acquire and Implement

Description: To realise the IT strategy, IT solutions need to be identified, developed or acquired, as well as implemented and integrated into the business process. In addition, changes in and maintenance of existing systems are covered by this domain to make sure that the life cycle is continued for these systems.

Topics: IT solutions; Changes and maintenance

Questions:
• Are new projects likely to deliver solutions that meet business needs?
• Are new projects likely to deliver on time and within budget?
• Will the new systems work properly when implemented?
• Will changes be made without upsetting current business operations?

Page 23: Process Orientation: Acquire and Implement

• AI1 Identify Automated Solutions
• AI2 Acquire and Maintain Application Software
• AI3 Acquire and Maintain Technology Infrastructure
• AI4 Enable Operation and Use
• AI5 Procure IT Resources
• AI6 Manage Changes
• AI7 Install and Accredit Solutions and Changes

Page 24: Process Orientation: Domains: Deliver and Support

Description: This domain is concerned with the actual delivery of required services, which range from traditional operations over security and continuity aspects to training. To deliver services, the necessary support processes must be set up. This domain includes the actual processing of data by application systems, often classified under application controls.

Topics: Delivery of required services; Setup of support processes; Processing by application systems

Questions:
• Are IT services being delivered in line with business priorities?
• Are IT costs optimised?
• Is the work force able to use the IT systems productively and safely?
• Are adequate security, integrity and availability in place?

Page 25: Process Orientation: Deliver and Support

• DS1 Define and Manage Service Levels
• DS2 Manage Third-party Services
• DS3 Manage Performance and Capacity
• DS4 Ensure Continuous Service
• DS5 Ensure Systems Security
• DS6 Identify and Allocate Costs
• DS7 Educate and Train Users
• DS8 Manage Service Desk and Incidents
• DS9 Manage the Configuration
• DS10 Manage Problems
• DS11 Manage Data
• DS12 Manage the Physical Environment
• DS13 Manage Operations

Page 26: Process Orientation: Domains: Monitor and Evaluate

Description: All IT processes need to be regularly assessed over time for their quality and compliance with control requirements. This domain thus addresses management’s oversight of the organisation’s control process and independent assurance provided by internal and external audit or obtained from alternative sources.

Topics: Assessment over time, delivering assurance; Management’s oversight of the control system; Performance measurement

Questions:
• Can IT’s performance be measured and can problems be detected before it is too late?
• Is independent assurance needed to ensure critical areas are operating as intended?

Page 27: Process Orientation: Monitor and Evaluate

• ME1 Monitor and Evaluate IT Performance
• ME2 Monitor and Evaluate Internal Control
• ME3 Ensure Compliance with External Requirements
• ME4 Provide IT Governance

Page 28: IT Resources

• Data: Data objects in their widest sense, i.e., external and internal, structured and nonstructured, graphics, sound, etc.
• Application Systems: Understood to be the sum of manual and programmed procedures
• Technology: Covers hardware, operating systems, database management systems, networking, multimedia, etc.
• Facilities: Resources to house and support information systems
• People: Staff skills, awareness and productivity to plan, organise, acquire, deliver, support, monitor and evaluate information systems and services

Page 29: How do they relate?

IT Processes (domains): Plan and Organise; Acquire and Implement; Deliver and Support; Monitor and Evaluate

IT Resources: Data; Application systems; Technology; Facilities; People

Business Requirements (information criteria): Effectiveness; Efficiency; Confidentiality; Integrity; Availability; Compliance; Information reliability

Page 30: How do they relate?

IT Processes, that is, how IT is organised to respond to the requirements: Plan and Organise; Acquire and Implement; Deliver and Support; Monitor and Evaluate

Business Requirements, that is, what the stakeholders expect from IT: Effectiveness; Efficiency; Confidentiality; Integrity; Availability; Compliance; Information reliability

IT Resources, that is, the resources made available to, and built up by, IT: Data; Application systems; Technology; Facilities; People

Page 31: COBIT Framework

Business Objectives

Criteria:
• Effectiveness
• Efficiency
• Confidentiality
• Integrity
• Availability
• Compliance
• Reliability

IT Resources:
• Data
• Application systems
• Technology
• Facilities
• People

PLAN AND ORGANISE
• PO1 Define a strategic IT plan
• PO2 Define the information architecture
• PO3 Determine the technological direction
• PO4 Define the IT organisation and relationships
• PO5 Manage the IT investment
• PO6 Communicate management aims and direction
• PO7 Manage IT human resources
• PO8 Manage quality
• PO9 Assess and manage IT risks
• PO10 Manage projects

ACQUIRE AND IMPLEMENT
• AI1 Identify automated solutions
• AI2 Acquire and maintain application software
• AI3 Acquire and maintain technology infrastructure
• AI4 Enable operation and use
• AI5 Procure IT resources
• AI6 Manage changes
• AI7 Install and accredit solutions and changes

DELIVER AND SUPPORT
• DS1 Define service levels
• DS2 Manage third-party services
• DS3 Manage performance and capacity
• DS4 Ensure continuous service
• DS5 Ensure systems security
• DS6 Identify and attribute costs
• DS7 Educate and train users
• DS8 Manage service desk and incidents
• DS9 Manage the configuration
• DS10 Manage problems
• DS11 Manage data
• DS12 Manage the physical environment
• DS13 Manage operations

MONITOR AND EVALUATE
• M1 Monitor and evaluate IT performance
• M2 Monitor and evaluate internal control
• M3 Ensure compliance with external requirements
• M4 Provide IT governance

Page 32: COBIT Framework: IT Governance Focus Areas

Page 33: COBIT Framework

Page 34: IT Governance Focus Areas

Page 35: COBIT Framework

Summarising up to now:
• IT is indispensable for the survival and growth of enterprises.
• Management is responsible for control.
• That responsibility needs a framework:
  - Business requirements can be expressed as information criteria.
  - IT is generally organised in a set of processes.
  - IT needs a set of resources.
• COBIT is an internationally accepted standard.

To provide the information that the organisation needs to achieve its objectives, IT resources need to be managed by a set of naturally grouped processes.

Page 36: The COBIT Cube

Page 37: Navigational Aids

Page 38: Summary: Processes, Criteria and Resources

Page 39: COBIT Summary of Processes, Criteria and Resources

Table columns: information criteria (Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability) and IT resources (People, Applications, Technology, Facilities, Data); each row carries the P and S markings for the process.

Domain: Acquire and Implement
• AI1 Identify automated solutions: P S
• AI2 Acquire and maintain application software: P P S S S
• AI3 Acquire and maintain technology infrastructure: P P S
• AI4 Develop and maintain procedures: P P S S S
• AI5 Install and accredit systems: P S S
• AI6 Manage changes: P P P P S

Page 40:

Assignment

The most important COBIT processes

“For a business with which you are familiar, what would be the most important IT processes? Why?”

Page 41:

The Most Important IT Processes (Survey: 34 processes, 15, 7)

PO1 Define a strategic IT plan (highlighted)
PO3 Determine the technological direction
PO5 Manage the IT investment
PO9 Assess and manage IT risks (highlighted)
PO10 Manage projects (highlighted)
AI1 Identify solutions
AI2 Acquire and maintain applications s/w
AI7 Install and accredit solutions and changes
AI6 Manage changes (highlighted)
DS1 Define service levels
DS4 Ensure continuous service
DS5 Ensure system security (highlighted)
DS10 Manage problems
DS11 Manage data (highlighted)
ME1 Monitor and evaluate IT performance (highlighted)

Page 42:

Control and Control Objective Definitions

Definition of Control: The policies, procedures, practices and organisational structures designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented or detected and corrected.

Definition of IT Control Objective: A statement of the desired result or purpose to be achieved by implementing control practices in a particular IT activity.

Page 43:

High-level control objective
• One per process

Detailed control objectives
• Three to 30 per process

Control practices
• Five to seven per control objective

Control Objectives and Control Practices

Page 44:

COBIT Framework Waterfall Model

The control of IT Processes, which satisfy Business Requirements, is enabled by Control Statements, considering Control Practices.

4 Domains - 34 Processes - 318 Control Objectives

Page 45:

AI6 Manage changes

Managing changes to computer programs is required to ensure processing integrity between versions, and for consistency of results period to period. Change must be formally managed via change control request, impact assessment, documentation, authorisation, release, and distribution policies and procedures.

High-level Control Objective

Page 46:

AI6 High-level Control Objective

Page 47:

• Based on the 41 primary references
• Developed following a rigorous research process
• Three to 30 detailed control objectives for each of the 34 processes
• Directed to IT management, IT staff, control and audit functions and business process owners
• For each process, detailed control objectives are identified as « good practice » that need to be in place, and that will be assessed for sufficiency by the controls professional.

Control objectives provide a working document, a place to start, from which selections need to be made based on the enterprise value and risk drivers.

COBIT Control Objectives

Page 48:

AI6 Manage Changes

6.1 Change request initiation and control
IT management should ensure that all requests for changes, system maintenance and supplier maintenance are standardised and are subject to formal change management procedures. Changes should be categorised and prioritised, and specific procedures should be in place to handle urgent matters. Change requesters should be kept informed about the status of their request.

6.2 Impact assessment
A procedure should be in place to ensure that all requests for change are assessed in a structured way for all possible impacts on the operational system and its functionality.

6.3 Control of changes
IT management should ensure that change management and software control and distribution are properly integrated with a comprehensive configuration management system. The system used to monitor changes to application systems should be automated to support the recording and tracking of changes made to large, complex information systems.

6.4 Emergency changes
IT management should establish parameters defining emergency changes and procedures to control these changes when they circumvent the normal process of technical, operational and management assessment prior to implementation. The emergency changes should be recorded and authorised by IT management prior to implementation.

Detailed Control Objectives

Page 49:

Detailed Control Objectives

AI6 Manage Changes (continued) 

6.5 Documentation and procedures
The change process should ensure that, whenever system changes are implemented, the associated documentation and procedures are updated accordingly.

6.6 Authorised maintenance
IT management should ensure that maintenance personnel have specific assignments and their work is properly monitored. In addition, their system access rights should be controlled to avoid risks of unauthorised access to automated systems.

6.7 Software release policy
IT management should ensure that the release of software is governed by formal procedures, ensuring sign-off, packaging, regression testing, handover, etc.

6.8 Distribution of software
Specific internal control measures should be established to ensure distribution of the correct software element to the right place, with integrity, in a timely manner and with adequate audit trails.

Page 50:

COBIT AI6 Detailed Control Objectives

Page 51:

Control practices are key control mechanisms that support the:
• Achievement of control objectives
• Prevention, detection and correction of undesired events

Control practices achieve that through:
• Responsible use of resources
• Appropriate management of risk
• Alignment of IT with business

Translate COBIT’s control objectives into detailed, implementable practices and provide the business argumentation for implementation, from a value and a risk perspective.

Control Practices

Page 52:

1. Management defines parameters, characteristics and procedures that identify and declare emergencies.

2. All emergency changes are documented, if not before, then after, implementation.

3. All emergency changes are tested, if not before, then after, implementation.

4. All emergency changes are formally authorised by the system owner and management before implementation.

5. Before and after images as well as intervention logs are retained for subsequent review.

Controlling emergency changes by implementing the control practices will:
• Ensure that emergency procedures are used in declared emergencies only
• Ensure that urgent changes can be implemented without compromising integrity, availability, reliability, security, confidentiality or accuracy

AI6 Manage change
AI6.4 Emergency changes
IT management should establish parameters defining emergency changes and procedures to control these changes when they circumvent the normal process of technical, operational and management assessment prior to implementation. The emergency changes should be recorded and authorised by IT management prior to implementation.

Control Practices: Why do it?

Control Practices
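As an added example (not part of the ITGI deck or of the COBIT products themselves), the following Python script checks a constructed set of change records against the five AI6.4 control practices listed on this slide, the kind of test an auditor would run over a review period when assessing compliance. The record schema, the approver role names `system_owner` and `management`, and the set of declared emergency categories are assumptions made for illustration.

```python
"""Added example: checking change records against the AI6.4 emergency-change
control practices. Not from the ITGI/ISACA deck; field names, role names and
the declared-emergency categories below are assumptions for illustration."""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional

# Practice 1: management declares which situations count as an emergency.
# These categories are constructed for the example.
DECLARED_EMERGENCY_CATEGORIES = {"production outage", "security incident", "data corruption"}

# Practice 4: both the system owner and management must authorise (role names assumed).
REQUIRED_APPROVER_ROLES = {"system_owner", "management"}


@dataclass
class ChangeRecord:
    """One entry from a change-management system (constructed schema)."""
    change_id: str
    emergency: bool
    category: str
    implemented_at: datetime
    documented_at: Optional[datetime] = None   # when the change was written up
    tested_at: Optional[datetime] = None       # when it was tested (before or after)
    approver_roles: List[str] = field(default_factory=list)
    approved_at: Optional[datetime] = None
    before_image: Optional[str] = None         # reference to the pre-change snapshot
    after_image: Optional[str] = None          # reference to the post-change snapshot
    intervention_log: Optional[str] = None     # reference to the operator log


def audit_emergency_change(rec: ChangeRecord) -> List[str]:
    """Return the AI6.4 control-practice exceptions for one emergency change.

    An empty list means the record satisfies all five practices."""
    findings: List[str] = []
    if not rec.emergency:
        return findings  # normal changes follow the regular AI6 process, not this check
    # 1. Emergency procedures are used in declared emergencies only.
    if rec.category not in DECLARED_EMERGENCY_CATEGORIES:
        findings.append("P1: category is not a declared emergency")
    # 2. Documented, if not before then after implementation.
    if rec.documented_at is None:
        findings.append("P2: change not documented")
    # 3. Tested, if not before then after implementation.
    if rec.tested_at is None:
        findings.append("P3: change not tested")
    # 4. Formally authorised by system owner and management before implementation.
    if not REQUIRED_APPROVER_ROLES <= set(rec.approver_roles):
        findings.append("P4: missing system owner or management authorisation")
    elif rec.approved_at is None or rec.approved_at > rec.implemented_at:
        findings.append("P4: authorisation not obtained before implementation")
    # 5. Before/after images and intervention logs retained for later review.
    if not (rec.before_image and rec.after_image and rec.intervention_log):
        findings.append("P5: before/after images or intervention log not retained")
    return findings


def audit_changes(records: List[ChangeRecord]) -> Dict[str, List[str]]:
    """Audit every emergency change in a period; map change_id -> findings."""
    return {r.change_id: audit_emergency_change(r) for r in records if r.emergency}


def compliance_rate(report: Dict[str, List[str]]) -> float:
    """Share of emergency changes with no exceptions (1.0 when there were none)."""
    if not report:
        return 1.0
    return sum(1 for f in report.values() if not f) / len(report)


# Constructed sample: four records from one review period.
_T = datetime(2004, 6, 1, 10, 0)  # implementation time shared by all samples
SAMPLE_RECORDS = [
    # Compliant: declared emergency, authorised beforehand, fully evidenced.
    ChangeRecord("CHG-001", True, "production outage", _T,
                 documented_at=datetime(2004, 6, 1, 11, 0), tested_at=datetime(2004, 6, 1, 12, 0),
                 approver_roles=["system_owner", "management"], approved_at=datetime(2004, 6, 1, 9, 30),
                 before_image="snap-001a", after_image="snap-001b", intervention_log="log-001"),
    # Emergency path used for a feature request, with almost no evidence retained.
    ChangeRecord("CHG-002", True, "feature request", _T,
                 approver_roles=["management"], approved_at=datetime(2004, 6, 1, 9, 30),
                 before_image="snap-002a", intervention_log="log-002"),
    # Fully evidenced, but authorised only after it was implemented.
    ChangeRecord("CHG-003", True, "security incident", _T,
                 documented_at=datetime(2004, 6, 1, 10, 30), tested_at=datetime(2004, 6, 1, 10, 45),
                 approver_roles=["system_owner", "management"], approved_at=datetime(2004, 6, 1, 10, 30),
                 before_image="snap-003a", after_image="snap-003b", intervention_log="log-003"),
    # A normal (non-emergency) change is out of scope for this check.
    ChangeRecord("CHG-004", False, "scheduled maintenance", _T),
]

if __name__ == "__main__":
    report = audit_changes(SAMPLE_RECORDS)
    for change_id, findings in report.items():
        print(change_id, "OK" if not findings else "; ".join(findings))
    print(f"compliance rate: {compliance_rate(report):.0%}")
```

The check deliberately separates the two ways practice 4 can fail (the wrong approvers versus the right approvers too late), because the remediation differs: the first is an authorisation-policy gap, the second a process-timing gap that the "recorded and authorised prior to implementation" wording of AI6.4 is written to catch.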

Page 53:

COBIT IT Control Practices

Page 54:

Important COBIT Products

Control Objectives: “Minimum controls are...”

Management Guidelines: “Here is how you measure…”

Audit Guidelines: “Here is how you audit...”

Page 55:

IT Governance Model

IT governance helps ascertain how automated systems:
• Simplify operations
• Cut costs
• Increase revenue

Needs an IT control framework

Page 56:

How Does COBIT Link to IT Governance?

(Diagram: Business, IT and Governance, labelled with Goals, Requirements, Control Objectives and Responsibilities. Flows shown: Information the Business Needs to Achieve Its Objectives; Information Executives and Board Need to Exercise Their Responsibilities; Direction and Resourcing.)

Page 57:

How Does COBIT Link to IT Governance?

(Diagram: IT Governance, with Business, IT and Governance labelled with Goals, Requirements, Control Objectives and Responsibilities. Flows shown: Information the Business Needs to Achieve Its Objectives; Direction (IT Strategy and Policy); Information (IT Control, Risk and Assurance).)

Page 58:

However, management has questions that go beyond a control framework: How do responsible managers "keep the ship on course"?

DASHBOARD

How to achieve results that are satisfactory for the largest possible segment of our stakeholders ?

SCORECARDS

How to adapt the organisation in a timely manner to trends and developments in the enterprise's environment ?

BENCHMARKING

Indicators? Measures? Scales?

Management Guidelines

Page 59:

Management Guidelines Framework

(Diagram: the control of IT Processes, which satisfy Business Requirements, is enabled by Control Statements and considers Control Practices. Each process carries a Process Description, Critical Success Factors, Key Goal Indicators, Key Performance Indicators, Information Criteria and Resources.)

Maturity Model
0 - Management processes are not applied at all.
1 - Processes are ad hoc and disorganised.
2 - Processes follow a regular pattern.
3 - Processes are documented and communicated.
4 - Processes are monitored and measured.
5 - Best practices are followed and automated.

Page 60:

Key Goal Indicators: Definitions

• Describe the outcome of the process (i.e., measurable after the fact); are measures of “what,” and may describe the impact of not reaching the process goal
• Are indicators of the success of the process and its business contribution
• Focus on the customer and financial dimensions of the balanced scorecard

(Diagram: the control of IT Processes, which satisfy Business Requirements, is enabled by Control Statements and considers Control Practices.)

Page 61:

Key Goal Indicators: Examples

• Increased level of service delivery
• Number of customers and cost per customer served
• Availability of systems and services
• Absence of integrity and confidentiality risks
• Cost-efficiency of processes and operations
• Confirmation of reliability and effectiveness
• Adherence to development cost and schedule
• Cost-efficiency of the process
• Staff productivity and morale
• Number of timely changes to processes and systems
• Improved productivity (e.g., delivery of value per employee)

Page 62:

Key Performance Indicators: Definitions

• Are measures of “how well” the process is performing
• Predict the probability of success or failure
• Focus on the process and learning dimensions of the balanced scorecard
• Are expressed in precise, measurable terms
• Should help in improving the IT process

(Diagram: the control of IT Processes, which satisfy Business Requirements, is enabled by Control Statements and considers Control Practices.)

Page 63:

Key Performance Indicators: Examples (balanced scorecard, with Information at the centre)

Financial
• Number of IT customers
• Cost per IT customer
• Cost-efficiency of IT processes up
• Delivery of IT value per employee

Customer
• Level of service delivery
• Satisfaction of existing customers
• Number of new customers reached
• Number of new service delivery channels

Process
• Availability of systems and services
• Developments on schedule and budget
• Throughput and response times
• Amount of errors and rework

Learning
• Staff productivity and morale
• Number of staff trained in new techno/services
• Value delivery per employee
• Increased availability knowledge systems

Page 64:

Critical Success Factors: Definitions

• Are the most important things to do to increase the probability of success of the process
• Are observable (usually measurable) characteristics of the organisation and process
• Focus on obtaining, maintaining and leveraging capability, skills and behaviour

(Diagram: the control of IT Processes, which satisfy Business Requirements, is enabled by Control Statements and considers Control Practices.)

Page 65:

Critical Success Factors: Examples

• Strategy: The IT strategic plan clearly states a risk position such as leading-edge or road-tested, innovator or follower, and the required balance between time-to-market, cost of ownership and service quality.
• Policy: If you are not ready to enforce the policy, do not issue the policy.
• Compliance: A building permit programme for building IT systems and a “driver’s licence” programme for those doing the building
• Security: A good security plan takes time to evolve.

Page 66:

Maturity Models: Definitions

• Refer to business requirements (KGIs) and the enabling aspects (KPIs) at the different levels
• Are a scale that lends itself to pragmatic comparison, where the difference can be made measurable in an easy manner
• Are recognisable as a profile of the enterprise in relation to IT governance and control
• Assist in determining as-is and to-be positions relative to IT governance and control maturity and analysing the gap
• Are not industry-specific nor generally applicable. The nature of the business determines what is an appropriate level.

Page 67:

Maturity Models: Usage

Scale: 0 Nonexistent, 1 Initial, 2 Repeatable, 3 Defined, 4 Managed, 5 Optimised

Legend for Symbols Used: Enterprise current status; International standard guidelines; Industry best practice; Enterprise strategy

Legend for Rankings Used:
0 - Management processes are not applied at all.
1 - Processes are ad hoc and disorganised.
2 - Processes follow a regular pattern.
3 - Processes are documented and communicated.
4 - Processes are monitored and measured.
5 - Best practices are followed and automated.

Page 68:

AI6 Management Guideline

Page 69:

AI6 Management Guideline (continued)

Page 70:

Objectives of Auditing

• Provide management with reasonable assurance that control objectives are being met
• Where there are significant control weaknesses, substantiate the resulting risks
• Advise management on corrective actions

“Am I all right? And, if not, how do I fix it?”

Page 71:

Structure of the Audit Process

Identification and Documentation → Evaluation → Compliance Testing → Substantive Testing

Page 72:

An IT process is audited by:

• Obtaining an understanding of business requirements-related risks, and relevant control measures
• Evaluating the appropriateness of stated controls
• Assessing compliance by testing whether the stated controls are working as prescribed, consistently and continuously
• Substantiating the risk of the control objectives not being met by using analytical techniques and/or consulting alternative sources

Page 73:

One Generic Guideline and 34 Process-oriented Guidelines

A generic guideline identifies various tasks to be performed in assessing any control objective within a process. This generic guideline is a model for all control objectives.

Others are specific, process-oriented task suggestions to provide management assurance that a control exists and has a reasonable level of effectiveness.

COBIT Audit Guidelines

Page 74:

Obtaining an Understanding: The audit steps to be performed to document the activities underlying the control objectives as well as to identify the control measures/procedures put in place

Interview appropriate management and staff to obtain and gain an understanding of:
• Business requirements and associated risks
• Organisation structure
• Roles and responsibilities
• Policies and procedures
• Laws and regulations
• Control measures in place
• Management reporting (status, performance, actions)

Document the process-related IT resources particularly affected by the process under review. Confirm the understanding of the process under review and the control implications, e.g., by a process walkthrough.

Generic Audit Guideline (1 of 4)

Page 75:

Evaluating the Controls: The audit steps to be performed, in light of assessing the effectiveness of control measures in place or the degree to which the control objective is achieved

Evaluate the appropriateness of control measures for the process under review by considering identified criteria and industry standard practices and applying professional judgement. Determine whether:
• Documented processes exist.
• Appropriate deliverables exist.
• Responsibility and accountability are clear and effective.
• Compensating controls exist, where necessary.

Conclude the degree to which the control objective is met.

Generic Audit Guideline (2 of 4)

Page 76:

Assessing Compliance: The audit steps to be performed to ensure that the control measures established are working as prescribed, consistently and continuously

Obtain direct or indirect evidence for selected items/periods to ensure that the procedures have been complied with for the period under review, using both direct and indirect evidence.

Perform a limited review of the adequacy of the process deliverables.

Determine the level of substantive testing and additional work needed to provide assurance that the IT process is adequate.

Generic Audit Guideline (3 of 4)

Page 77:

Substantiating the Risk: The audit steps to be performed to substantiate the risk of the control objective not being met by using analytical techniques and/or consulting alternative sources

Document the control weaknesses and resulting threats and vulnerabilities.

Identify and document the actual and potential impact.

Generic Audit Guideline (4 of 4)

Page 78:

AI6 Audit Guideline

Page 79:

AI6 Audit Guideline (continued)

Page 80:

AI6 Audit Guideline (continued)

Page 81:

How Audit Guidelines and Control Objectives Are Linked

Obtaining an understanding
• Collect background information referencing business drivers, risks, infrastructure, etc.

Evaluating the appropriateness
• Control objectives translated to verify whether they are addressed and take into account the appropriateness for the enterprise and management claims about their presence

Assessing compliance
• Control objectives translated to test and/or measure whether controls in support of the control objectives are present as claimed and whether they operate satisfactorily

Substantiating the risk
• Illustrate missed business objectives, losses, etc., due to absence of adequate control.

Page 82:

How Audit Guidelines and All Other COBIT Elements Are Linked

(Diagram elements: Business; IT Processes; Audit Guidelines; Control Objectives; Control Practices; Critical Success Factors; Key Performance Indicators; Key Goal Indicators; Maturity Models. Relationship labels on the arrows: requirements, information, controlled by, implemented with, audited by, measured by (for performance, for outcome, for maturity), made effective and efficient with, translated into. Legend: = takes into consideration.)

Page 83:

How Is COBIT Used? (Results from Surveys)

• To improve audit approach/programs
• To support audit work with detailed audit guidelines
• To provide guidance for IT governance
• As a valuable benchmark for IS/IT control
• To improve IS/IT controls
• To standardise audit approach/programs

The COBIT Framework

Page 84:

COBIT—Benefits

What
Comfort about:
• Dependence on IT
• IT risks are mitigated
• IT delivers value
Assurance of:
• Cost down and revenue up
• Business operations improved
• Service levels maintained

Who
• Executive
• Business manager
• IT manager
• Project manager
• Developer
• Operations staff
• User
• Security officer
• Auditor

Page 85:

Helps substantially increase acceptance and reduce time needed to implement IT governance program

Provides a guide for formal audits/reviews

Helps use results of audits as an opportunity to plan improvements

Strong factor in achieving primary goals for IT governance—transform organisational practices and pursue improved processes

Provides economical continuous improvement framework

Management's decision on controls needed was based on a credible source (COBIT)

IT operations manager impressed with COBIT's ability to help him understand what auditors want

Ideal for business management

Reliable source reference that ensures identification of all major risk areas

Improves communications and relations with IT management

Why Is COBIT Used? (Testimonials from Case Studies)

The COBIT Framework

Page 86:

COBIT Products

Management Guidelines provide management direction for:
• Getting the enterprise's information and related processes under control
• Monitoring achievement of organisational goals
• Monitoring and improving performance within each IT process
• Benchmarking organisational achievement

Action-oriented and generic, they provide answers to typical management questions:
• How far should we go in controlling IT, and is the cost justified by the benefit?
• What are the indicators of good performance?
• What are the critical success factors?
• What are the risks of not achieving our objectives?
• What do others do? How do we measure and compare?

(Diagram: Practices and Responsibilities. Audiences: Executives & Boards; Business and Technology Management; Audit, control and security professional. Contents: Performance measures; Critical success factors; Maturity models. Questions: What is the IT Control Framework? How to assess the IT Control Framework? How to introduce it in the enterprise?)


Biggest Challenge = Sustainable Solutions

• Establish policy, objectives and targets
• Implement policy, responsibilities, processes and procedures
• Measure performance against policy and external best practice
• Take corrective and preventive action and continuously improve
• Measure success of the change projects
• Provide feedback into other improvement projects

Road map phases:
• Identify needs
• Envision the solution
• Plan the solution
• Implement the solution

Road Map Approach:
• Business value and risk analysis
• As-is and to-be positions
• Gap analysis
• Project identification and initiation

IT Governance Implementation Guide


Implementation Road Map

Identify needs:
• Raise awareness & make decision
• Analyse values and risks
• Select processes

Envision the solution:
• Define where you are
• Define where you want to be
• Analyse gaps

Plan the solution:
• Define projects
• Develop & implement change plan

Implement the solution:
• Integrate into day-to-day practices
• Integrate measures into IT BSC

Feedback:
• Post-implementation review

IT Governance Implementation Guide


Implementation Manual

IT Governance Implementation Guide


Conclusion—COBIT Values

PRESENT
• Sharing knowledge and leveraging expert volunteers
• Internationally accepted good practices
• Continually evolves
• Maintained by reputable not-for-profit organisation
• Maps strongly onto all major related standards
• Is management-oriented
• Is supported by tools and training
• Maps completely to ISO17799 and COSO

FUTURE
• Provide action-oriented solutions


IT Governance Institute
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008
[email protected]
www.isaca.org
www.itgi.org

John R. Robles and [email protected]

The COBIT Framework