Concepts of Governance and Management of Information Systems

Final Course Paper 6 Information Systems Audit & Control

Chapter 1, Part 4 of 5

CA A.Rafeq, FCA

Topics Covered: Part-4

1.11 COBIT 5 - A GEIT Framework

Integrate and implement COBIT

Using COBIT for GRC

1.11 COBIT 5 - A GEIT Framework

As per COBIT 5, information is the currency of the 21st century enterprise.

Use COBIT 5 as a benchmark for reviewing and implementing governance and management of enterprise IT.

The best practices of COBIT 5 help enterprises create optimal value from IT by maintaining a balance between realizing benefits, optimizing risk levels and optimizing resource use.

COBIT 5 enables IT to be governed and managed in a holistic manner for the entire enterprise.

COBIT 5 helps enterprises manage IT-related risk and ensures compliance, continuity, security and privacy.

IT Governance Focus areas: Inter-relationship (figure)

Focus areas: Value delivery, Strategic Alignment, Risk Management, Resource Management, Performance Measurement.

Annotations from the figure: fundamental objective; ensure value is delivered; ensure value is delivered within the level of acceptable risk; objectives are being met and, when not, appropriate action is taken.

Necessary elements of IT governance framework

Structures: roles and responsibilities, IT organization structure, CIO on Board, IT strategy committee, IT steering committee(s).

Processes: strategic information systems planning, IT balanced scorecard (BSC), information economics, SLA, COBIT and ITIL, IT alignment/governance maturity models.

Relational Mechanisms: active participation and collaboration between principal stakeholders, partnership rewards and incentives, business/IT co-location, cross-functional business/IT training and rotation.

Layers of IT Governance responsibility

Board of Directors: strategic level

Executive Management (CEO, CFO, CIO, ...): management level

IT and Business Management (line management): operational level

IT Governance Stakeholders

Board and Executive: set direction for IT, monitor results and insist on corrective measures.

Business management: defines business requirements for IT and ensures that value is delivered and risks are managed.

IT management: delivers and improves IT services as required by the business.

IT audit: provides independent assurance to demonstrate that IT delivers what is needed.

Risk and compliance: measures compliance with policies and focuses on alerts to new risks.

Organisational view (figure): stakeholders; CEO; CFO, CIO, CMO and other CxOs; IT Governance; IT Management (Ops, AD, SD).

Enterprise Benefits

Enterprises and their executives strive to:

• Maintain quality information to support business decisions.

• Generate business value from IT-enabled investments, i.e., achieve strategic goals and realise business benefits through effective and innovative use of IT.

• Achieve operational excellence through reliable and efficient application of technology.

• Maintain IT-related risk at an acceptable level.

• Optimise the cost of IT services and technology.

How can these benefits be realised to create enterprise stakeholder value?

Stakeholder Value

Delivering enterprise stakeholder value requires good governance and management of information and technology (IT) assets.

Enterprise boards, executives and management have to embrace IT like any other significant part of the business.

External legal, regulatory and contractual compliance requirements related to enterprise use of information and technology are increasing, threatening value if breached.

COBIT 5 provides a comprehensive framework that assists enterprises to achieve their goals and deliver value through effective governance and management of enterprise IT.


Governance in COBIT 5

The COBIT 5 process reference model subdivides the IT-related practices and activities of the enterprise into two main areas, Governance and Management, which are further divided into domains of processes.

The GOVERNANCE domain contains five governance processes; within each process, evaluate, direct and monitor (EDM) practices are defined.

• 01 Ensure governance framework setting and maintenance.

• 02 Ensure benefits delivery.

• 03 Ensure risk optimisation.

• 04 Ensure resource optimisation.

• 05 Ensure stakeholder transparency.

The four MANAGEMENT domains are in line with the responsibility areas of plan, build, run and monitor.

Key benefits of implementing IT Governance

Establishes and clarifies accountability and decision rights (clearly define roles and authority)

Manages risks, changes and contingencies proactively

Improves IT organizational performance, compliance, maturity and staff development

Improves customer service and overall responsiveness


Aligns IT investments and priorities more closely with the business

Manages, evaluates, prioritizes, funds, measures and monitors requests for IT services and the resulting work and deliverables in a more consistent and repeatable manner that optimizes returns to the business

Manages the responsible utilization of resources and assets

Ensures that IT delivers on its plans, budgets and commitments


Three key requirements for IT Governance

Three key requirements that must be fulfilled for IT governance to work:

It must be positioned as an integral part of the enterprise governance framework;

There must be clear definitions of roles and responsibilities; and

There must be an ongoing implementation and continuity plan.

1.11.1 Need for Enterprises to use COBIT 5

Business benefits to enterprises:

• Increased value creation from use of IT.

• User satisfaction with IT engagement and services.

• Reduced IT-related risks and compliance with laws, regulations and contractual requirements.

• Development of more business-focused IT solutions and services.

• Increased enterprise-wide involvement in IT-related activities.

1.11.2 Integrating COBIT 5 with other frameworks

(Figure: COBIT 5 process domains mapped to other standards and frameworks.)

COBIT 5 domains: Evaluate, direct and monitor; Align, plan and organize; Build, acquire and implement; Deliver, service and support; Monitor, evaluate and assess.

Related standards and frameworks shown: ISO/IEC 38500, ISO/IEC 31000, TOGAF, ISO/IEC 27000, ITIL® V3 2011 and ISO/IEC 20000, PRINCE2®/PMBOK®, CMMI.

1.11.3 Customizing COBIT 5 as per Requirement

Tailored to meet an enterprise’s specific:

• Business Model

• Technology Environment

• Industry

• Location

• Corporate Culture

Applied to meet needs related to:

• Information Security

• Risk Management

• Governance and management of enterprise IT

• Assurance Activities

• Legislative & Regulatory Compliance

• Financial Processing or CSR Reporting

1.11.4 Five Principles of COBIT 5


Principle 1: Meeting Stakeholder Needs

Enterprises exist to create value for their stakeholders

COBIT 5 provides all of the required processes and other enablers to support business value creation through the use of IT

The COBIT 5 goals cascade is the mechanism to translate stakeholder needs into specific, actionable and customized enterprise goals, IT-related goals and enabler goals


Principle 2: Covering the Enterprise End-to-End

COBIT 5 integrates GEIT into Enterprise Governance

It covers all functions and processes within the enterprise and does not focus only on the ‘IT function’

It considers all IT related governance and management enablers to be enterprise-wide and end-to-end


Governance and Management: Establishing the scope and responsibility


Roles, Activities and Relationships

(Figure: Owners and Stakeholders delegate to the Governing Body, which sets direction for Management, which instructs and aligns Operations and Execution; in return, Operations and Execution report to Management, Management monitors and reports to the Governing Body, and the Governing Body is accountable to Owners and Stakeholders.)

Principle 3: Applying a Single Integrated Framework

COBIT 5 is a single and integrated framework, as it aligns with the latest relevant standards and frameworks.

It is complete in enterprise coverage, providing a basis to integrate effectively other frameworks, standards and practices used.


Principle 4: Enabling a Holistic Approach

COBIT 5 defines a set of enablers to support the implementation of a comprehensive governance and management system for enterprise IT.

Enablers are broadly defined as anything that can help to achieve the objectives of the enterprise.


Principle 5: Separating Governance from Management

Governance

• Responsibility of the board of directors under the leadership of the chairperson.

• Evaluates stakeholder needs.

• Determines balanced, agreed-on enterprise objectives.

• Sets direction through prioritization and decision making.

• Monitors performance and compliance.

Management

• Responsibility of the executive management under the leadership of the CEO.

• Plans, builds, runs and monitors activities.

• Performs activities in alignment with the direction set by the governance body.


1.11.5 Seven Enablers of COBIT 5


Common Enabler Dimensions

Stakeholders: internal stakeholders; external stakeholders.

Goals: intrinsic quality; contextual quality (relevance, effectiveness); access and security.

Life Cycle: plan; design; build/acquire/create/implement; use/operate; evaluate/monitor; update/dispose.

Good Practices: practices; work products (inputs/outputs).

Principle 4. Enabling a Holistic Approach

1) Processes—Describe an organised set of practices and activities to achieve certain objectives and produce a set of outputs in support of achieving overall IT-related goals.

2) Organisational structures—Are the key decision-making entities in an organisation.

3) Culture, ethics and behaviour—Of individuals and of the organisation; very often underestimated as a success factor in governance and management activities.

4) Principles, policies and frameworks—Are the vehicles to translate the desired behaviour into practical guidance for day-to-day management.

5) Information—Is pervasive throughout any organisation, i.e., deals with all information produced and used by the enterprise. Information is required for keeping the organisation running and well governed, but at the operational level, information is very often the key product of the enterprise itself.

6) Services, infrastructure and applications—Include the infrastructure, technology and applications that provide the enterprise with information technology processing and services.

7) People, skills and competencies—Are linked to people and are required for successful completion of all activities and for making correct decisions and taking corrective actions.


1.11.6 COBIT 5 Process Reference Model

• The process reference model defines and describes in detail a number of governance and management processes.

• It represents all of the processes normally found in an enterprise relating to IT activities.

• It also provides a framework for measuring and monitoring IT performance, providing IT assurance, communicating with service providers, and integrating best management practices.


Governance

Describes the overall management approach through which senior executives direct and control the entire organization, using a combination of management information and hierarchical management control structures.

Governance activities ensure that critical management information reaching the executive team is sufficiently complete, accurate and timely to enable appropriate management decision making, and provide the control mechanisms to ensure that strategies, directions and instructions from management are carried out systematically and effectively.


Risk management

Set of processes through which management identifies, analyses and where necessary responds appropriately to risks that might adversely affect realization of the organization's business objectives.

The response to risks typically depends on their perceived gravity, and involves controlling, avoiding, accepting or transferring them to a third party.

Whereas organizations routinely manage a wide range of risks (e.g. technological risks, commercial/financial risks, information security risks etc.), external legal and regulatory compliance risks are arguably the key issue in GRC.


Risk Management Process (figure): a cycle of Assess Risks and Determine Needs → Implement Policies and Controls → Promote Awareness → Monitor and Evaluate, with a Central Focal Point at the centre.

Compliance

Conforming with stated requirements

At an organizational level, it is achieved through management processes which identify the applicable requirements (defined for example in laws, regulations, contracts, strategies and policies), assess the state of compliance, assess the risks and potential costs of non-compliance against the projected expenses to achieve compliance, and hence prioritize, fund and initiate any corrective actions deemed necessary.


1.11.7 Using COBIT 5 Best Practices for GRC

GRC program implementation requires:

• Defining clearly what GRC requirements are applicable.

• Identifying the regulatory and compliance landscape.

• Reviewing the current GRC status.

• Determining the most optimal approach.

• Setting out key parameters on which success will be measured.

• Using a process-oriented approach.

• Adapting global best practices as applicable.

• Using a uniform and structured approach which is auditable.


Using COBIT 5 for GRC:

• Ensures that all aspects of GRC are implemented.

• Ensures that appropriate governance processes and other enablers are developed and optimized so that GEIT operates effectively.

Goals & Metrics to measure success of GRC:

• The reduction of redundant controls and related time to execute (audit, test and remediate).

• The reduction in control failures in all key areas.

• The reduction of expenditure relating to legal, regulatory and review areas.

• Reduction in overall time required for audit for key business areas.

• Improvement through streamlining of processes and reduction in time through automation of control and compliance measures.

• Improvement in timely reporting of regular compliance issues and remediation measures; and

• Dashboard of overall compliance status and key issues to senior management on a real-time basis as required.


Customizing COBIT best practices

(Figure: Enterprise Goals → IT Related Goals → IT Processes, customized alongside business processes, regulatory requirements, organization structure, technology deployed, and enterprise policies, procedures and practices; monitor and evaluate.)

Tips for implementing IT Governance

Implement IT governance as a workable and practical approach able to deal with the challenges and pitfalls presented by IT.

Focus as much on improving performance and enabling competitive advantage as preventing problems.

Make IT governance a shared responsibility between business and IT, with the full commitment and direction of the board.

Align IT governance within wider enterprise governance.

Boards and executive management need to extend enterprise governance to include IT, provide the necessary leadership and organisational structures and insist on well-managed and properly controlled processes.


Tips for implementing COBIT

What are the drivers?

Where are we now and where do we want to be?

What needs to be done?

How do we get there?

Did we get there and how do we keep the momentum going?

Learn how to use COBIT 5 resources, including the COBIT 5 Toolkit, and keep on improving.

Practice Questions

1. Explain how to use the COBIT 5 framework as a tool for implementing Governance of Enterprise IT.

2. Explain briefly the key elements of the IT Governance Framework.

3. List the five IT Governance stakeholders and explain their role in IT Governance.

4. What are the key benefits of implementing IT governance?

5. Explain the five principles of COBIT 5.

6. Explain in brief the seven enablers of COBIT 5.

7. Describe how COBIT 5 can be used for implementing Governance, Risk and Compliance.

Summary: Part-4

1.11 COBIT 5 - A GEIT Framework

Integrate and implement COBIT

Using COBIT for GRC

Thank you