Sharing the Fundamental Aspects of COBIT 4 that can be Implemented for Stock Exchange Organisation
Fundamentals of COBIT: Control Objectives for Information and Related Technology
JSX
IT Problems Faced by Management
- Costs allocated do not justify the benefits
- Do not align with business needs and strategy
- Slow development and deployment processes
- High failure rates at the implementation stage
- Changing so fast, as new technology emerges
- Expensive by default, difficult to get support
- Complex in nature, so people avoid dealing with it
- etc.
WorldCom and Enron Cases
Global Assignment Initiative
Form Steering Committee
The Supporting Team
Research for the 1st and 2nd editions:
- Free University of Amsterdam
- California Polytechnic University
- University of New South Wales
Research for the 3rd and 4th editions:
- 40 experts from industry, academia, government and the IT security and control profession
- Fully supported by Gartner Group and PricewaterhouseCoopers
The Endeavours
The Result is
- Cobit version 1 by ISACAF in 1996
- Cobit version 2 by ISACA in 1998
- Cobit version 3 by ITGI in 2000
- Cobit version 4 by ITGI in 2005
Control Objectives for Information and Related Technology ®
Cobit in Depth
COBIT is globally accepted as the most comprehensive work on IT governance and organisation, as well as IT process and risk management (read: best practice).
COBIT provides good practices for the management of IT processes in a manageable and logical structure, meeting the multiple needs of enterprise management by bridging the gaps between business risks, technical issues, control needs and performance measurement requirements.
Approaches in Using Cobit
As an open methodology, Cobit can be utilised through several approaches:
1. Expected business value of information technology development
2. Information technology risk management process conduct
3. Information technology audit practices
4. Cost-benefit analysis on information technology investment
5. Information technology governance structure determination
6. Information technology controls and policies establishment
7. Information management requirement analysis
8. etc.
INFORMATION is THE KEY
- Transactions
- Decision Making
- Communication
Business and IT Strategy Alignment
Business drives the needs and requirements of Information Technology.
Information Technology enables the activities which give value to the Business.
Converting Strategy into Action
1. Determine the Expected Business Value of IT
2. Set the Appropriate IT Goals in Business
3. Define the Related IT Processes to be Focused On
4. Understand the Control Objectives and Other Process Characteristics
5. Audit the Process for Increasing Maturity Level
Let's use these five stages to understand COBIT anatomy and architecture.
#1 What is the Business Value of IT?
1. Expand market share
2. Increase revenue
3. Return on investment
4. Optimise asset utilisation
5. Manage business risks
6. Improve customer orientation and service
7. Offer competitive products and services
8. Service availability
9. Agility in responding to changing business requirements
10. Cost optimisation of service delivery
11. Automate and integrate the enterprise value chain
12. Improve and maintain business process functionality
13. Lower process costs
14. Compliance with external laws and regulations
15. Transparency
16. Compliance with internal policies
17. Improve and maintain operational and staff productivity
18. Product/business innovation
19. Obtain reliable and useful information for strategic decision making
20. Acquire and maintain skilled and motivated personnel
#2 The List of IT Goals
1. Respond to business requirements in alignment with the business strategy
2. Respond to governance requirements in line with board direction
3. Ensure satisfaction of end users with service offerings and service levels
4. Optimise the use of information
5. Create IT agility
6. Define how business functional and control requirements are translated in effective and efficient automated solutions
7. Acquire and maintain integrated and standardised application systems
8. Acquire and maintain an integrated and standardised IT infrastructure
9. Acquire and maintain IT skills that respond to the IT strategy
10. Ensure mutual satisfaction of third-party relationships
11. Seamlessly integrate applications and technology solutions into business processes
12. Ensure transparency and understanding of IT cost, benefits, strategy, policies and service levels
13. Ensure proper use and performance of the applications and technology solutions
14. Account for and protect all IT assets
15. Optimise the IT infrastructure, resources and capabilities
16. Reduce solution and service delivery defects and rework
17. Protect the achievement of IT objectives
18. Establish clarity of business impact of risks to IT objectives and resources
19. Ensure critical and confidential information is withheld from those who should not have access to it
20. Ensure automated business transactions and information exchanges can be trusted
21. Ensure IT services and infrastructure can properly resist and recover from failures due to error, deliberate attack or disaster
22. Ensure minimum business impact in the event of an IT service disruption or change
23. Make sure that IT services are available as required
24. Improve IT's cost-efficiency and its contribution to business profitability
25. Deliver projects on time and on budget, meeting quality standards
26. Maintain the integrity of information and processing infrastructure
27. Ensure IT compliance with laws and regulations
28. Ensure that IT demonstrates cost-efficient service quality, continuous improvement and readiness for future change
#3 The Set of IT Processes
PO (Plan and Organise):
- PO1 Define a strategic IT plan.
- PO2 Define the information architecture.
- PO3 Determine technological direction.
- PO4 Define the IT processes, organisation and relationships.
- PO5 Manage the IT investment.
- PO6 Communicate management aims and direction.
- PO7 Manage IT human resources.
- PO8 Manage quality.
- PO9 Assess and manage IT risks.
- PO10 Manage projects.
AI (Acquire and Implement):
- AI1 Identify automated solutions.
- AI2 Acquire and maintain application software.
- AI3 Acquire and maintain technology infrastructure.
- AI4 Enable operation and use.
- AI5 Procure IT resources.
- AI6 Manage changes.
- AI7 Install and accredit solutions and changes.
DS (Deliver and Support):
- DS1 Define and manage service levels.
- DS2 Manage third-party services.
- DS3 Manage performance and capacity.
- DS4 Ensure continuous service.
- DS5 Ensure systems security.
- DS6 Identify and allocate costs.
- DS7 Educate and train users.
- DS8 Manage service desk and incidents.
- DS9 Manage the configuration.
- DS10 Manage problems.
- DS11 Manage data.
- DS12 Manage the physical environment.
- DS13 Manage operations.
ME (Monitor and Evaluate):
- ME1 Monitor and evaluate IT performance.
- ME2 Monitor and evaluate internal control.
- ME3 Ensure regulatory compliance.
- ME4 Provide IT governance.
#4 The IT Control Objective(s)
A control objective is a statement of the desired result or purpose to be achieved by implementing control practices in a particular IT activity. Control objectives provide generic best-practice management objective(s) for all IT activities.
Example: the control objectives of process PO1 (Define a strategic IT plan):
- PO1.1 IT Value Management
- PO1.2 Business-IT Alignment
- PO1.3 Assessment of Current Performance
- PO1.4 IT Strategic Plan
- PO1.5 IT Tactical Plans
- PO1.6 IT Portfolio Management
[Diagram: a Cobit process shown with its INPUT(s) and OUTPUT(s), and its Activity 1, Activity 2, … Activity N]
[Diagram: Cobit process]
Relationships between components
#5 IT Maturity Level
1 Initial/Ad Hoc, when IT activities and functions are reactive and inconsistently implemented. IT is involved in business projects only in later stages. The IT function is considered a support function, without an overall organisation perspective. There is an implicit understanding of the need for an IT organisation; however, roles and responsibilities are neither formalised nor enforced.
In Summary
Cobit Cube Perspective: in order to provide the information that the organisation needs to achieve its objectives, IT resources need to be managed by a set of naturally grouped processes.
COBIT's Golden Rule
Overall Cobit Framework
Aftermath of Cobit Implementation
[Chart: stakeholder value over time, plotted for service quality, support to business, service cost, delivery time and IT risks; the outcomes are labelled Aligned, Better, Cheaper, Faster, Secured and Controlled]
The End