© ITGI, ISACA - not for commercial use.
A High-level Overview of the COBIT Principles,
Structure, and Framework
John R. [email protected]
ISACA PR - 5th Symposium
COBIT Framework
“This information is copyrighted by the IT Governance Institute and Information Systems Audit and Control Association. Any commercial use is strictly forbidden.
It may, however, be used for educational or promotional purposes by ISACA members and chapters on a not-for-profit basis.”
COBIT: best practices repository for IT Processes, IT Management Processes and IT Governance Processes
Why does IT need a control and governance framework?
Do any of these conditions sound familiar?
Increasing pressure to leverage technology in business strategies
Growing complexity of IT environments
Fragmented IT infrastructures
Demand for technologists outstripping supply
Communication gap between business and IT managers
IT service levels that are disappointing
IT costs perceived to be out of control
Marginal ROI/productivity gains on technology investments
Impaired organisational flexibility and nimbleness to change
User frustration leading to ad hoc solutions
IT managers operating like firefighters
IT Governance Model (domains: PO, AI, DS, MO)
IT governance helps ascertain how automated systems:
• Simplify operations
• Cut costs
• Increase revenue
Needs an IT Control Framework
• Generally applicable and accepted international standard for good practice for IT controls
• For application to enterprisewide information systems
• Technology-independent
• Starting from business requirements for information
• Management- and business process owner-oriented
• Based on ISACA's Control Objectives: aligned with de jure and de facto standards and regulations; based on critical review of tasks and activities, or process focus
• Includes existing standards and regulations: ISO, EDIFACT and others; Codes of Conduct issued by the Council of Europe; professional standards in auditing: COSO, IFAC, IIA, ISACA, AICPA, etc.
• First published in April 1996, second edition in 1998, third in July 2000
• Has become the de facto standard for control over IT
• Fundamental in achieving IT governance
COBIT: An IT Control Framework: Principles
Starts from the premise that IT needs to deliver the information that the enterprise needs to achieve its objectives
Promotes process focus and process ownership
Divides IT into 34 processes belonging to four domains and provides a high-level control objective for each
Looks at fiduciary, quality and security needs of enterprises, providing seven information criteria that can be used to generically define what the business requires from IT
Is supported by a set of over 300 detailed control objectives
Information criteria: Effectiveness, Efficiency, Availability, Integrity, Confidentiality, Reliability, Compliance
Domains: Plan and Organise, Acquire and Implement, Deliver and Support, Monitor and Evaluate
COBIT: An IT Control Framework: Concepts
[Figure: COBIT components. IT is divided into Domains, Domains into Processes, and each Process has IT Control Objectives, supported by Critical Success Factors, Outcome Measures, Key Performance Indicators, a Maturity Model and IT Control Practices]
• IT is an important element of corporate governance and management accountability.
• Ensure business-oriented solutions.
• Framework for risk assessment
• As a means to communicate with all stakeholders
• Authoritative basis (internationally accepted, exhaustive, evolving)
Why should an organisation adopt COBIT?
COBIT: An IT Control Framework
“To provide the information the organisation needs to achieve its objectives, IT resources need to be managed by a set of naturally grouped processes.”
Relates to business requirements
Links to business processes
Empowers business owners
Decomposed IT into four domains and 34 processes
Domains: (plan-build-run) + monitor
Control, audit, implementation and performance management knowledge structured by process
Business Process
COBIT: An IT Control Framework
Framework
COBIT: An IT Control Framework
[Figure: Business Requirements, IT Processes, IT Resources]
[Figure: the COBIT cube. IT Resources: Data, Information Systems, Technology, Facilities, Human Resources. IT Processes: Plan and Organise, Acquire and Implement, Deliver and Support, Monitor and Evaluate. Business Requirements (information criteria): Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability of Information]
COBIT Framework: How do they relate?
[Figure: the COBIT cube again, with its three axes. IT Resources: Data, Information Systems, Technology, Facilities, Human Resources. IT Processes: Planning and organisation, Acquisition and implementation, Delivery and Support, Monitoring. Business Requirements: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability of Information]
COBIT Framework: How do they relate?
IT Processes: how IT is organised to respond to the requirements
Business Requirements: what the stakeholders expect from IT
IT Resources: the resources made available to, and built up by, IT
Processes: a series of joined activities with natural control breaks
Activities or tasks: actions needed to achieve a measurable result. Activities have a life cycle whereas tasks are discrete.
Domains: natural grouping of processes, often matching an organisational domain of responsibility
COBIT Framework: IT Processes
[Figure: IT Processes, Business Requirements, IT Resources]
Data: Data objects in their widest sense, i.e., external and internal, structured and unstructured, graphics, sound, etc.
Application Systems: Understood to be the sum of manual and programmed procedures
Technology: Covers hardware, operating systems, database management systems, networking, multimedia, etc.
Facilities: Resources to house and support information systems
People: Staff skills, awareness and productivity to plan, organise, acquire, deliver, support and monitor information systems and services
COBIT Framework: IT Resources
[Figure: IT Processes, Business Requirements, IT Resources]
IT Domains: natural grouping of processes, often matching an organisational domain of responsibility
• Plan and Organise
• Acquire and Implement
• Deliver and Support
• Monitor and Evaluate
IT Processes: a series of joined activities with natural (control) breaks
• IT Strategy
• Policy and Procedures
• Feasibility Study
• Acceptance Testing
• Change Management
• Contingency Planning
• Problem Management
Activities: actions needed to achieve a measurable result. Activities have a life cycle whereas tasks are discrete.
• Record New Problem
• Analyse
• Propose Solution
• Monitor Solution
• Record Known Problem
• Etc.
COBIT Framework
[Figure: IT Processes, Business Requirements, IT Resources]
Topics: strategy and tactics; vision planned; organisation and infrastructure
Questions:
• Are IT and the business strategy aligned?
• Is the enterprise achieving optimum use of its resources?
• Does everyone in the organisation understand the IT objectives?
• Are IT risks understood and being managed?
• Is the quality of IT systems appropriate for business needs?
Domain: Plan and Organise (PO)
COBIT Domains
PO1—Define a strategic IT plan
PO2—Define the information architecture
PO3—Determine the technological direction
PO4—Define the IT processes, organization and relationships
PO5—Manage the IT investment
PO6—Communicate management aims and direction
PO7—Manage IT human resources
PO8—Manage quality
PO9—Assess and manage IT risks
PO10—Manage projects
Plan and Organise
Topics: IT solutions; changes and maintenance
Questions:
• Are new projects likely to deliver solutions that meet business needs?
• Are new projects likely to deliver on time and within budget?
• Will the new systems work properly when implemented?
• Will changes be made without upsetting current business operations?
Domain: Acquire and Implement (AI)
COBIT Domains
AI1—Identify automated solutions
AI2—Acquire and maintain application software
AI3—Acquire and maintain technology infrastructure
AI4—Enable operation and use
AI5—Procure IT resources
AI6—Manage changes
AI7—Install and accredit solutions and changes
Acquire and Implement
Topics: delivery of required services; setup of support processes; processing by application systems
Questions:
• Are IT services being delivered in line with business priorities?
• Are IT costs optimised?
• Is the workforce able to use the IT systems productively and safely?
• Are adequate security, integrity and availability in place?
Domain: Deliver and Support (DS)
COBIT Domains
DS1—Define and manage service levels
DS2—Manage third-party services
DS3—Manage performance and capacity
DS4—Ensure continuous service
DS5—Ensure systems security
DS6—Identify and allocate costs
DS7—Educate and train users
DS8—Manage service desk and incidents
DS9—Manage the configuration
DS10—Manage problems
DS11—Manage data
DS12—Manage the physical environment
DS13—Manage operations
Deliver and Support
Topics: assessment over time, delivering assurance; management's oversight of the control system; performance measurement
Questions:
• Can IT's performance be measured and can problems be detected before it is too late?
• Is independent assurance needed to ensure that critical areas are operating as intended?
Domain: Monitor and Evaluate (ME)
COBIT Domains
ME1—Monitor and evaluate IT performance
ME2—Monitor and evaluate internal control
ME3—Ensure regulatory compliance
ME4—Provide IT governance
Monitor and Evaluate
COBIT Framework: Waterfall Model
The control of IT Processes, which satisfy Business Requirements, is enabled by Control Statements, considering Control Practices.
4 Domains - 34 Processes - 215 Control Objectives
[Figure: the COBIT Framework. Business Objectives drive the information Criteria (Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability), which are delivered by the IT Resources (Data, Application systems, Technology, Facilities, People) through the four domains in a cycle: Plan and Organise (PO1 to PO10), Acquire and Implement (AI1 to AI7), Deliver and Support (DS1 to DS13) and Monitor and Evaluate (ME1 to ME4), with the processes as listed on the domain slides above]
COBIT Framework
The Most Important IT Processes (survey; 15 of the 34 processes):
PO1 Define a strategic IT plan
PO3 Determine the technological direction
PO5 Manage the IT investment
PO9 Assess and manage IT risks
PO10 Manage projects
AI1 Identify automated solutions
AI2 Acquire and maintain application s/w
AI5 Procure IT resources
AI6 Manage changes
DS1 Define and manage service levels
DS4 Ensure continuous service
DS5 Ensure systems security
DS10 Manage problems
DS11 Manage data
ME1 Monitor and evaluate IT performance
[Figure labels: 34, 15, 7]
High-level Control Objective: one per process
Detailed Control Objectives: three to 30 per process
Control Practices: five to seven per control objective
COBIT—Content
Based on the 41 primary references
Developed following a rigorous research process
Three to 30 detailed control objectives for each of the 34 processes
Directed to IT management, IT staff, control and audit functions and business process owners
For each process, detailed control objectives are identified as "good practice" that need to be in place, and that will be assessed for sufficiency by the controls professional.
Control objectives provide a working document, a place to start, from which selections need to be made based on the enterprise value and risk drivers.
COBIT Control Objectives
AI6 MANAGE CHANGES
6.1 Change Request Initiation and Control
IT management should ensure that all requests for changes, system maintenance and supplier maintenance are standardised and are subject to formal change management procedures. Changes should be categorised and prioritised and specific procedures should be in place to handle urgent matters. Change requesters should be kept informed about the status of their request.
6.2 Impact Assessment
A procedure should be in place to ensure that all requests for change are assessed in a structured way for all possible impacts on the operational system and its functionality.
6.3 Control of Changes
IT management should ensure that change management and software control and distribution are properly integrated with a comprehensive configuration management system. The system used to monitor changes to application systems should be automated to support the recording and tracking of changes made to large, complex information systems.
6.4 Emergency Changes
IT management should establish parameters defining emergency changes and procedures to control these changes when they circumvent the normal process of technical, operational and management assessment prior to implementation. The emergency changes should be recorded and authorised by IT management prior to implementation.
COBIT Control Objectives
IT control practices are key control mechanisms that support:
• The achievement of control objectives
• The prevention, detection and correction of undesired events
IT control practices achieve that through:
• Responsible use of resources
• Appropriate management of risk
• Alignment of IT with business
Translate COBIT's control objectives into detailed, implementable practices and provide the business argumentation for implementation, from a value and a risk perspective
COBIT IT Control Practices
AI6 Manage Change
AI6.4 Emergency Changes
IT management should establish parameters defining emergency changes and procedures to control these changes when they circumvent the normal process of technical, operational and management assessment prior to implementation. The emergency changes should be recorded and authorised by IT management prior to implementation.
IT Control Practices
1. Management has defined parameters, characteristics and procedures that allow it to identify and declare emergencies.
2. All emergency changes are documented, if not before, then after implementation.
3. All emergency changes are tested, if not before, then after implementation.
4. All emergency changes are formally authorised by the system owner and management, before implementation.
5. Before and after images as well as intervention logs are retained for subsequent review.
Why do it?
Controlling emergency changes by implementing the control practices will:
• Ensure emergency procedures are used in declared emergencies only
• Ensure urgent changes can be implemented without compromising confidentiality, integrity, availability, reliability and accuracy
COBIT—Example Process
How Is COBIT Used? (Results from Surveys)
• To improve audit approach/programs
• To support audit work with detailed audit guidelines
• To provide guidance for IT governance
• As a valuable benchmark for IS/IT control
• To improve IS/IT controls
• To standardise audit approach/programs
The COBIT Framework
COBIT—Benefits
What
Comfort about:
• Dependence on IT
• IT risks are mitigated
• IT delivers value
Assurance of:
• Cost down and revenue up
• Business operations improved
• Service levels maintained
Who
• Executive
• Business manager
• IT manager
• Project manager
• Developer
• Operations staff
• User
• Security officer
• Auditor
Helps substantially increase acceptance and reduce time needed to implement IT governance program
Provides a guide for formal audits/reviews
Helps use results of audits as an opportunity to plan improvements
Strong factor in achieving primary goals for IT governance—transform organisational practices and pursue improved processes
Provides economical continuous improvement framework
Management's decision on controls needed was based on a credible source (COBIT)
IT operations manager impressed with COBIT's ability to help him understand what auditors want
Ideal for business management
Reliable source reference that ensures identification of all major risk areas
Improves communications and relations with IT management
Why Is COBIT Used? (Testimonials from Case Studies)
The COBIT Framework
COBIT Products
Management Guidelines
Provide management direction for:
• Getting the enterprise's information and related processes under control
• Monitoring achievement of organisational goals
• Monitoring and improving performance within each IT process
• Benchmarking organisational achievement
Action-oriented and generic
Provide answers to typical management questions:
• How far should we go in controlling IT, and is the cost justified by the benefit?
• What are the indicators of good performance?
• What are the critical success factors?
• What are the risks of not achieving our objectives?
• What do others do? How do we measure and compare?
[Figure: COBIT products by responsibilities and practices. Responsibilities: Executives & Boards; Business and Technology Management; Audit, control and security professional. Practices: performance measures, critical success factors, maturity models. Questions addressed: What is the IT Control Framework? How to assess the IT Control Framework? How to introduce it in the enterprise?]
Biggest Challenge = Sustainable Solutions
• Establish policy, objectives and targets
• Implement policy, responsibilities, processes and procedures
• Measure performance against policy and external best practice
• Take corrective and preventive action and continuously improve
• Measure success of the change projects
• Provide feedback into other improvement projects
Road Map Approach
• Identify needs
• Envision the solution
• Plan the solution
• Implement the solution
Business value and risk analysis; as-is and to-be positions; gap analysis; project identification and initiation
IT Governance Implementation Guide
Implementation Road Map
Identify needs: raise awareness and make decision; analyse values and risks; select processes
Envision the solution: define where you are; define where you want to be; analyse gaps
Plan the solution: define projects; develop and implement change plan
Implement the solution: integrate into day-to-day practices; integrate measures into ITBSC
Post-implementation review, with feedback into the cycle
IT Governance Implementation Guide
Implementation Manual
IT Governance Implementation Guide
Conclusion—COBIT Values
PRESENT
• Sharing knowledge and leveraging expert volunteers
• Internationally accepted good practices
• Continually evolves
• Maintained by reputable not-for-profit organisation
• Maps strongly onto all major related standards
• Is management-oriented
• Is supported by tools and training
• Maps completely to ISO17799 and COSO
FUTURE
• Provide action-oriented solutions
Summary of CobiT 4.0 Domains and Processes
PLAN AND ORGANISE
PO1—Define a strategic IT plan
PO2—Define the information architecture
PO3—Determine the technological direction
PO4—Define the IT processes, organization and relationships
PO5—Manage the IT investment
PO6—Communicate management aims and direction
PO7—Manage IT human resources
PO8—Manage quality
PO9—Assess and manage IT risks
PO10—Manage projects
ACQUIRE AND IMPLEMENT
AI1—Identify automated solutions
AI2—Acquire and maintain application software
AI3—Acquire and maintain technology infrastructure
AI4—Enable operation and use
AI5—Procure IT resources
AI6—Manage changes
AI7—Install and accredit solutions and changes
DELIVER AND SUPPORT
DS1—Define and manage service levels
DS2—Manage third-party services
DS3—Manage performance and capacity
DS4—Ensure continuous service
DS5—Ensure systems security
DS6—Identify and allocate costs
DS7—Educate and train users
DS8—Manage service desk and incidents
DS9—Manage the configuration
DS10—Manage problems
DS11—Manage data
DS12—Manage the physical environment
DS13—Manage operations
MONITOR AND EVALUATE
ME1—Monitor and evaluate IT performance
ME2—Monitor and evaluate internal control
ME3—Ensure regulatory compliance
ME4—Provide IT governance
IT Governance Institute
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008
[email protected]@isaca.org
www.isaca.org
www.itgi.org
John R. Robles and [email protected]
The COBIT Framework