http://www.enterprisegrc.com
CobiT™ Overview Training
EnterpriseGRC Solutions, Inc. is a certified ITPreneurs Partner and ISACA Training Partner. This course is presented by Robin Basham, M.Ed, M.IT, CISA, ITSM, CGEIT, CRISC, ACC, Managing Partner, EnterpriseGRC Solutions, Inc., and President, Association Certified Green Technology Association.
Materials used to train for the CobiT Foundation™ are only available through our accredited ITPreneurs partner purchase program, which is licensed for distribution as an ISACA® certification course. This presentation is heavily adapted by EnterpriseGRC Solutions, represents a summary of the main points, and is not available for sale or distribution. Individuals or organizations may contact us to purchase the entire set of materials. For additional information please visit http://www.itsmcampus.com/docs/cobit_update.pdf or email Arjan Woertman ([email protected])
Governance in Your Context - Introductions
If this were a live or online interactive training, we would begin by sharing your unique:
• involvement and need for Governance
• issues you hope to resolve through best practice in Governance, Risk and Compliance
and providing our best answers to the question “Why CobiT©”.
© EnterpriseGRC Solutions, Inc., ISACA® and ITPreneurs™. All Rights Reserved. You could be earning credit right now! To learn more about accredited online and live training, call 800 847-6821.
Session Agenda
The COBIT Foundation Course™ is published for distribution by ITPreneurs on behalf of ISACA; the materials for the CobiT course are the product of many years of committee contribution. Formal training requires purchase of the complete training materials.
This session is an overview to prepare students for the full 8 to 20 hour course. CobiT Foundation™ is a program of study that results in the capacity both to pass an external examination and to successfully implement CobiT in a work environment. Live training involves interactive exercises.
EnterpriseGRC Solutions, Inc. is authorized to provide CobiT training. By the end of today’s half day, you will have a new-found appreciation for the value of extended study and application of the CobiT Framework, as well as of other ITGI authorized courses ranging from introductory to advanced governance topics.
Course Introduction
COBIT was developed by the IT Governance Institute (ITGI™). Our objective today is to achieve a basic understanding of COBIT and how you might apply it in practice.
This training consists of the following sections:
• IT Governance and Governance as a Framework
• Introduction to COBIT: A Control Framework
• Overview of COBIT Components
• COBIT: Resources
For a current set of CobiT materials, please visit http://www.isaca.org/Content/NavigationMenu/Members_and_Leaders1/COBIT6/Obtain_COBIT/Obtain_COBIT.htm
About ISACA and ITGI
ISACA - With more than 70,000 members in more than 140 countries, ISACA (www.isaca.org) is a recognized, worldwide leader in IT governance, control, security, and assurance. Founded in 1969, ISACA:
• Sponsors international conferences.
• Publishes the Information Systems Control journal.
• Develops international information systems auditing and control standards.
• Administers the globally respected Certified Information Systems Auditor (CISA) and Certified Information Security Manager (CISM) designations.
ITGI - The IT Governance Institute (ITGI) (www.itgi.org) was established by ISACA in 1998 to advance international thinking and standards in directing and controlling an enterprise's information technology. ITGI:
• Developed COBIT, now in its fifth edition.
• Offers original research and case studies to assist enterprise leaders and boards of directors in their IT governance responsibilities.
Topics of This Session
The main points in our session will cover:
• How IT management issues affect organizations.
• Principles of IT governance.
• The need for a control framework, driven by the need for IT governance.
• How COBIT meets the requirements for an IT governance framework.
• How COBIT is used with other standards and best practices.
• The COBIT framework and all the components of COBIT: control objectives, control practices, management guidelines, and assurance guide.
• How to apply COBIT in a practical situation.
• The benefits of using COBIT.
• The products and support that ITGI provides.
The COBIT Framework
COBIT Framework Characteristics
The acronym COBIT stands for Control Objectives for Information and related Technology. COBIT’s main characteristics are:
• Business-focused
• Process-oriented
• Controls-based
• Measurement-driven
COBIT: An IT Control Framework
For the latest updates on COBIT, log on to www.isaca.org
Evolution:
• COBIT 1 (1996): Audit
• COBIT 2 (1998): Control
• COBIT 3 (2000): Management
• COBIT 4 (2005): Governance
• COBIT 5 (2010): Process and Application Controls, ValIT, RiskIT Framework
The COBIT Cube: IT Processes
Figure: the COBIT cube relates IT Processes (Domains, Processes, Activities) to IT Resources and Information Criteria.
COBIT describes the IT life cycle with the help of four domains:
• Plan and Organize
• Acquire and Implement
• Deliver and Support
• Monitor and Evaluate
Processes are series of activities with natural control breaks. The 34 processes across the four domains specify what the business needs to achieve its objectives. The delivery of information is controlled through 34 high-level control objectives, one for each process.
Activities are actions that achieve measurable results, have life cycles, and include many discrete tasks.
Key Objectives of Foundation Knowledge
• The principles of IT governance.
• Who is responsible for IT governance.
• How IT governance resolves management issues.
• The scope of IT governance.
• The need for a control framework driven by IT governance.
IT Challenges
Many organizations invest significant amounts of money and resources in IT. They rely on IT to support business operations and meet strategic objectives. Increasingly, organizations are faced with the challenge of adapting to dynamic business demands while handling technology-related risks and complexities.
Figure: the IT resources and expenses of the organization face seven challenges:
• Keeping IT Running
• Value
• Costs
• Mastering Complexity
• Aligning IT With Business
• Regulatory Compliance
• Security
IT Challenges – Keep The Enterprise Running
Keeping IT Running: Discontinuity of IT Services
Typically, the following problems may arise because of technical failure:
• Critical business processes, such as order processing, being disrupted
• Administrative personnel unable to handle diaries, mail, or documents
• Customers unable to contact call centers
The above problems may result in lost business, reduced profits, and damage to the organization’s reputation.
As a result, organizations need to guarantee the continuity of IT services for business-critical services.
IT Challenges – Provide Strategic Value
Value: Business Value versus Project Execution Time
Given the significant investments made in IT and the strategic importance of IT projects, organizations need to ensure that IT provides value. In most IT projects that exceed budgetary expectations or deadlines, the typical problems are:
• Poorly defined requirements
• Systems too complex to implement
• Underestimation of the effort required
• Poor project management
As a result, organizations need to identify the right IT projects and execute them within time and budget to deliver the expected value.
IT Challenges – Manage Costs
Costs: Increasing IT Expenditure and IT Asset Cost
Typically, the reasons for higher expenditure are:
• The costs associated with IT assets are not understood.
• Operational budgets are increasing because of complex licensing, maintenance, and outsourcing contracts.
• There is a shortage of skilled resources.
• Large financial losses are incurred because of failed projects.
• IT spending by business units and central IT departments is not coordinated.
As a result, organizations need to manage IT costs as carefully as they do other significant costs of business. This requires efficient and effective processes and allocation of resources such as people and technology. In addition, it requires effective vendor relationships.
IT Challenges – Master Complexity
Mastering Complexity: Handling External Relationships
The typical problems arising because of these complexities are:
• Maintaining technical competence
• Managing diverse technical infrastructures
• Adapting to rapid changes and new developments
• Managing external relationships and service providers
As a result, the IT function should be organized and managed so that organizations are able to handle complexities and avoid excessive costs.
IT Challenges – Alignment with the Business
Aligning IT With Business: Strategic Alignment between IT and the Business
In most organizations, the gap between what users expect and what IT can provide continues to exist because of the following reasons:
• Poorly defined business requirements
• Inability to set priorities
• Complexity of projects
• Lack of committed business sponsors
• Lack of clear business drivers for solutions
• Communication gaps between business and IT
As a result, organizations need to ensure that IT partners with the business to deliver value.
IT Challenges – Regulatory Compliance
Figure: Regulations govern Business Operations, which impact IT Systems; the IT function must be aware of both.
Regulations that govern business operations impact IT systems. The IT function needs to be aware of national and international legal and regulatory requirements that relate to, for example:
• Corporate governance and financial reporting
• Privacy and security
Therefore, organizations need to ensure compliance with legal and contractual requirements with service providers and trading partners.
IT Challenges - Security
Figure: Internet, Firewall, Cloud
Unfortunately, the desire to make information readily available through the use of technology carries security risks. These risks have increased because of several factors:
• The use of the Internet and networking, which exposes internal systems to the world.
• Viruses and hackers.
• The increasing misuse of information.
• The technical complexities of IT environments and the associated problems of security.
• Poor awareness of security issues in computer users.
As a result, organizations need to ensure adequate security in their IT environment. This entails increasing the awareness of management and users regarding their responsibilities and possible risks.
What Is Enterprise Governance?
Enterprise governance is a set of responsibilities and practices exercised by the board and executive management with the goals of:
• Providing strategic direction.
• Ensuring that objectives are achieved.
• Establishing that risks are managed appropriately.
• Verifying that the enterprise’s
Governance Is About Balance
Governance is about Performance and Conformance. Governance requires a balance between the conformance and performance goals, as directed by the board.
IT governance is part of enterprise governance. It is defined as a structure of relationships and processes to direct and control the enterprise toward achieving its goals by adding value while balancing risk versus return over IT and its processes.
• Performance: improving profitability, efficiency, effectiveness, and growth
• Conformance: adhering to legislation, internal policies, and audit requirements
Principles of IT Governance
The board of directors and executive management are responsible for IT governance, which involves structures and processes that direct the organization toward achieving its objectives.
The principles are:
• Direct and Control
• Accountability
• Activities
• Responsibility
Principles of IT Governance – Direct and Control
Figure: the Direct and Control loop between the Board (sets direction; sets objectives and measures) and the IT Organization (performs activities, measures, reports, compares).
Direct: The management provides direction to implement a change. To provide effective direction, the management needs to understand the intended change. In addition, the management directs another person to bring about the change.
Control: Control ensures that the objective is achieved and no undesired incidents occur.
Principles of IT Governance – Direct and Control
Direct and Control can be related to the functioning of a thermostat. A thermostat regulates room temperature without producing any heating or cooling effect itself. It only compares the room temperature with its own set point and switches the heater or cooler on or off.
The thermostat directs the heating/cooling system based on the temperature setting. The heating/cooling system controls the room temperature by providing the right amount of additional heating or cooling, based on instructions from the thermostat.
Figure: a Thermostat (reading 72, on a scale from 60 to 80) directs the Heater and Cooler; the Heater and Cooler control the room temperature.
Principles of IT Governance - Responsibility
The CEO is ultimately responsible for overall internal control. Senior managers assign responsibility for the establishment of specific internal control policies and procedures to the personnel performing a unit's functions. Internal control is the responsibility of everyone in an organization and should be an explicit or implicit part of job descriptions.
Figure: the Direct and Control loop between the Board (sets direction; sets objectives and measures) and the IT Organization (performs activities, measures, reports, compares).
Principles of IT Governance - Accountability
Accountability is related to responsibility but specifically focuses on having the authority to make decisions and give approval. For the final outcome of a set of activities, the responsibility cannot be passed to anyone else. For example, responsibility for the process of defining the IT strategy will be shared by several people, each responsible for certain tasks and activities. Ultimately, it may be the CEO who decides on key issues and approves the final version. He is then accountable for the IT strategy.
Figure: the Direct and Control loop between the Board (sets direction; sets objectives and measures) and the IT Organization (performs activities, measures, reports, compares), with the Board marked as Accountable.
Principles of IT Governance – Activities - Actions
IT Function in an Organization
IT is not about technological excellence; it’s about meeting service requirements.
IT activities are effective when there is good IT governance. Typically, IT departments must align with the organization’s business needs. This alignment is a much better performance indicator than any technical parameter.
IT Governance Stakeholders - Internal
Internal Stakeholders and Their Concerns
• IT Auditor: How do we provide independent assurance of IT value delivery and risk mitigation?
• Risk and Compliance Manager: How do we ensure that policies, regulations, and laws are complied with and new risks identified?
• Board, Executive, and Business Manager: How do we define business direction for IT, deliver value, and manage risks?
• IT Manager: How do we deliver IT services, as required by the business and directed by the board?
IT Governance Stakeholders - External
External Stakeholders and Their Concerns
• External Auditor: I need to know whether or not the automated banking reconciliation system works in order to clear the audit.
• Regulators: How can we be assured that the organization has a business continuity plan? If it does not, regulators may retract the banking license.
• Suppliers: Do we have assurance that confidential information about our company is not sent to our competitors?
• Customers: I need you to keep my banking details secure on your computer system.
IT Governance: Focus Areas
• Strategic Alignment
• Value Delivery
• Risk Management
• Resource Management
• Performance Measurement
IT Governance: Strategic Alignment
Strategic Alignment (Aligning IT with Business) focuses on ensuring the linkage of business and IT plans; on defining, maintaining, and validating the IT value proposition; and on aligning IT operations with enterprise operations.
It ensures that an enterprise’s investment in IT is in harmony with the enterprise’s strategic objectives.
IT Governance: Value Delivery
Value Delivery is about executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimizing costs, and proving the intrinsic value of IT.
Business Value and Return on Investment (ROI)
IT Governance: Risk Management
Risk Management requires:
• Risk awareness by senior corporate officers
• A clear understanding of the enterprise’s appetite for risk
• An understanding of compliance requirements
• Transparency about significant risks to the enterprise
• Embedding of risk management responsibilities into the organization
Risks can be managed by:
• Risk mitigation
• Risk transfer
• Risk acceptance
• Risk avoidance
IT Governance: Resource Management
IT Governance Helps Optimize Costs and Resources
Resource Management is about the optimal investment in and the proper management of critical IT resources, such as:
• Applications
• Information
• Infrastructure
• People
A look-ahead strategy will help manage for the present and develop and build competencies and capacity for the future.
IT Governance: Performance Management
Performance Measurement: if you cannot measure it, you cannot manage it.
Performance Management tracks and monitors strategy implementation, project completion, process performance, and service delivery.
If there is no way to measure and evaluate IT activities, it is not possible to govern IT and ensure the alignment, value delivery, risk management, and effective use of resources.
Benefits of IT Governance
IT governance offers the following benefits:
• More reliable services
• More transparency
• Responsiveness of IT to business
• Confidence of the top management
• Higher
Need for a Control Framework for IT Governance
Enterprises cannot deliver effectively against business and governance requirements without adopting and implementing a governance and control framework for IT to:
• Link to business requirements.
• Make performance against these requirements transparent.
• Organize IT activities into a generally accepted process model.
• Identify the major resources to be leveraged.
• Define the management control objectives to be considered.
Summary - IT Governance
Organizations typically face the following IT challenges that drive the need for IT governance:
• Keeping IT running
• Delivering value to customers
• Managing IT costs
• Mastering complexity
• Aligning IT with business
• Ensuring regulatory compliance
• Managing security
IT governance is a structure of relationships and processes that helps direct and control the achievement of enterprise goals. IT governance is an integral part of enterprise governance.
The focus areas of IT governance are:
• Strategic alignment
• Value delivery
• Risk management
• Resource management
• Performance measurement
Governance and control frameworks are becoming part of IT management best practices and are enablers for establishing IT governance and complying with continually increasing regulatory requirements.
Can You Name The Players in this Slide?
Objectives
• Identify how COBIT supports the characteristics of a control framework.
• Understand the premise of the COBIT framework.
• Explain the components and functions of the COBIT framework.
• Demonstrate the role of COBIT IT processes and the four IT domains.
• Apply IT resources and information criteria.
Topics for the CobiT Control Framework
• Characteristics of a Control Framework
• The COBIT Framework
• The COBIT Cube
• Introduction to Val IT
What Do We Get from a Compliance Framework?
Figure: a define, execute, measure cycle applied to Compliance, Resources, Services, and Risk.
Compliance frameworks are designed to make companies more successful by reducing operating cost and risk while optimizing service delivery. If a framework can’t achieve this, it is the wrong framework.
5 Characteristics of a Control Framework
A control framework:
• Has general acceptability among organizations
• Helps meet regulatory requirements
• Defines a common language
• Provides sharper business focus
• Ensures process orientation
Characteristics – Business Focus
COBIT achieves sharper business focus by aligning IT with business objectives.
The measurement of IT performance should focus on IT’s contribution to enabling and extending the business strategy.
COBIT, supported by appropriate business-focused metrics, can ensure that the primary focus is value delivery and not technical excellence as an end in itself.
Characteristics – Process Orientation
When organizations implement COBIT, their focus is more process-oriented.
Incidents and problems no longer divert attention from processes.
Exceptions can be clearly defined as part of standard processes.
With process ownership defined, assigned, and accepted, the organization is better able to maintain control through periods of rapid change or organizational
Characteristics – General Acceptability
General Acceptability COBIT is a proven and
globally accepted standard for increasing the contribution of IT to organizational success.
The framework continues to improve and develop to keep pace with best practices.
IT professionals from all over the world contribute their ideas and time to regular review meetings.
47
Characteristics – Regulatory Requirements
Regulatory Requirements: Recent corporate scandals have increased regulatory pressures on boards of directors to report their status and ensure that internal controls are appropriate. This covers IT controls as well.
Organizations constantly need to improve IT performance and demonstrate adequate controls over their IT activities.
Many IT managers, advisors, and auditors are turning to COBIT as the de facto response to regulatory IT requirements.
48
Characteristics – Common Language
Common Language: A framework helps get everybody on the same page by defining critical terms and providing a glossary.
Coordination within and across project teams and organizations can play a key role in the success of any project.
A common language builds confidence and trust.
What are Compliance Components? (Object Model)
49
The object model (diagram) defines the following objects and what each one inherits:
• Domains: there are four domains; every object records one of the possible four.
• Control Objectives: there are thirty-four control objectives; one of the 34 is associated to every object.
• Critical Success Factors (CSF): each control objective has N CSF entries; the list is a single object that inherits its domain and control objective.
• Key Goal Indicators (KGI): each control objective has N KGI entries; the list inherits its domain and control objective.
• Key Performance Indicators (KPI): each control objective has N KPI entries; the list inherits its domain and control objective.
• Maturity Level (Maturity Profile): 34 sets of five-item rows; each item inherits its domain and control objective.
• Department: the highest-level process profile owner. Company name: Accounting Oversight Board; department owner: audit owner.
• Audit Results: 34 control objects, 352+ detail objectives, and 34 maturity ratings supported by performance reports. Process profiles give a detailed summary of deficiencies and risk; stated corporate critical success factors support ongoing process optimization; domain/process champions assign control object owners.
• Detail Control Objectives: 34 sets of 3 to 24 detailed objectives defining control object tasks and proficiencies; each item inherits its domain and control objective.
• Management Functions (Parent Process): the business has an unlimited number of high-level management functions, but they are typically fewer than 10; each item inherits its domain.
• Component Process (SubProcess): the business has an unlimited number of component-level processes, typically fewer than 10; a process inherits its domain, control objective, detail control, KGI, CSF, and KPI.
• Policy (handbooks, legal contracts) and Architecture (diagrams, inventories, systems): items inherit domain, control objective, detail control, KGI, CSF, KPI, and parent process.
• Work Instructions (Operation Process Book): actual step-by-step procedures, corporate communications, portals, and training materials; a work instruction is associated to a process.
• Audits: ownership by the Accounting Oversight Board; sponsor: department management. Audits produce a substantiated maturity rating and audit results, backed by evidence of process.
50
COBIT - Bridging Gaps
COBIT Provides a Framework for IT Governance
COBIT helps bridge the gaps among business risks, control needs, and technical issues. It provides good practices across a domain and a process framework and presents activities in a manageable and logical structure. COBIT:
• Starts from business requirements.
• Is process-oriented, organizing IT activities into a generally accepted process model.
• Identifies the major IT resources to be leveraged.
• Defines the management control objectives to be considered.
• Incorporates major international standards.
• Has become the de facto framework for overall control over IT.
IT resources need to be managed by a set of naturally grouped processes. COBIT provides a framework that achieves this objective.
51
COBIT: Product for Many Audiences
COBIT – Designed for Management, Auditors, and IT
The COBIT framework helps not only technical users but also those who are responsible for the effective use of IT, such as the management or auditors. The COBIT framework helps these users by ensuring that:
• Their requirements are properly understood and defined.
• Everyone is “on the same page,” using a commonly understood reference model.
Audiences (diagram): Management, Audit, Information Technology.
52
COBIT: Premise
The COBIT framework is based on the premise that IT needs to deliver the information that an enterprise requires to achieve its objectives.
The COBIT framework helps align IT with the business by focusing on business information requirements and organizing IT resources. The objective is to facilitate IT governance — to deliver IT value while managing IT risks.
Diagram: IT resources and processes provide information to business processes, for achieving business objectives.
53
COBIT Components
An organization depends on reliable and timely data and information. COBIT components provide a comprehensive framework for delivering value while managing risk and control over data and information.
As a control and governance framework for IT, COBIT focuses on two key areas:
1. Providing the information required to support business objectives and requirements
2. Treating information as the result of the combined application of IT-related resources that need to be managed by IT processes
Diagram: Business requirements drive the investment in IT resources, which are used by IT processes to deliver enterprise information, which responds to business requirements.
54
The COBIT Cube
The COBIT framework describes how IT processes deliver the information that the business needs to achieve its objectives.
For controlling this delivery, COBIT provides three key components, each forming a dimension of the COBIT cube: Business Requirements (Information Criteria), IT Resources, and IT Processes.
55
The COBIT Cube: IT Processes
COBIT describes the IT life cycle with the help of four domains:
1. Plan and Organize
2. Acquire and Implement
3. Deliver and Support
4. Monitor and Evaluate
Processes are series of activities with natural control breaks. There are 34 processes across the four domains. These processes specify what the business needs to achieve its objectives. The delivery of information is controlled through 34 high-level control objectives, one for each process.
Activities are actions that are required to achieve measurable results. Moreover, activities have life cycles and include many discrete tasks.
Diagram: the IT Processes dimension (Domains, Processes, Activities) alongside the IT Resources and Information Criteria dimensions.
56
The COBIT Cube: IT Domains
Diagram: IT and Business.
PLAN AND ORGANIZE (PO)
Objectives:
• Formulating strategy and tactics
• Identifying how IT can best contribute to achieving business objectives
• Planning, communicating, and managing the realization of the strategic vision
• Implementing organizational and technological infrastructure
Scope:
• Are IT and the business strategically aligned?
• Is the enterprise achieving optimum use of its resources?
• Does everyone in the organization understand the IT objectives?
• Are IT risks understood and being managed?
• Is the quality of IT systems appropriate for business needs?
57
COBIT Cube Domains – Plan and Organize
Let's look at the COBIT process model, which consists of 34 IT processes defined within the four IT domains.
Plan and Organize:
• PO1: Define a strategic IT plan.
• PO2: Define the information architecture.
• PO3: Determine technological direction.
• PO4: Define the IT processes, organization, and relationships.
• PO5: Manage the IT investment.
• PO6: Communicate management aims and direction.
• PO7: Manage IT human resources.
• PO8: Manage quality.
• PO9: Assess and manage IT risks.
• PO10: Manage projects.
Diagram: IT Processes – Plan and Organize, Acquire and Implement, Deliver and Support, Monitor and Evaluate.
58
The COBIT Cube: IT Domains (Contd.)
Diagram: New Projects – Organization.
ACQUIRE AND IMPLEMENT (AI)
Objectives:
• Identifying, developing or acquiring, implementing, and integrating IT solutions
• Changing and maintaining existing systems
Scope:
• Are new projects likely to deliver solutions that meet business needs?
• Are new projects likely to be delivered on time and within budget?
• Will the new systems work properly when implemented?
• Will changes be made without upsetting current business operations?
59
COBIT Cube Domains – Acquire and Implement
Acquire and Implement:
• AI1: Identify automated solutions.
• AI2: Acquire and maintain application software.
• AI3: Acquire and maintain technology infrastructure.
• AI4: Enable operation and use.
• AI5: Procure IT resources.
• AI6: Manage changes.
• AI7: Install and accredit solutions and changes.
Diagram: IT Processes – Plan and Organize, Acquire and Implement, Deliver and Support, Monitor and Evaluate.
60
COBIT Cube Domains – Deliver and Support
Diagram: IT Services – Business Priorities.
DELIVER AND SUPPORT (DS)
Objectives:
• The actual delivery of required services, including service delivery
• The management of security, continuity, data, and operational facilities
• Service support for users
Scope:
• Are IT services being delivered in line with business priorities?
• Are IT costs optimized?
• Is the workforce able to use IT systems productively and safely?
• Are adequate confidentiality, integrity, and availability in place?
61
COBIT Cube Domains – Deliver and Support
Deliver and Support:
• DS1: Define and manage service levels.
• DS2: Manage third-party services.
• DS3: Manage performance and capacity.
• DS4: Ensure continuous service.
• DS5: Ensure systems security.
• DS6: Identify and allocate costs.
• DS7: Educate and train users.
• DS8: Manage the service desk and incidents.
• DS9: Manage the configuration.
• DS10: Manage problems.
• DS11: Manage data.
• DS12: Manage the physical environment.
• DS13: Manage operations.
Diagram: IT Processes – Plan and Organize, Acquire and Implement, Deliver and Support, Monitor and Evaluate.
62
COBIT Cube Domains – Monitor and Evaluate
MONITOR AND EVALUATE (ME)
Objectives:
• Performance management
• Monitoring of internal control
• Regulatory compliance
• Governance
Scope:
• Is performance of IT measured to detect problems before it is too late?
• Does management ensure that internal controls are effective and efficient?
• Can IT performance be linked to business goals?
• Are risk, control, compliance, and performance measured and reported?
63
COBIT Cube Domains - Monitor and Evaluate
Monitor and Evaluate:
• ME1: Monitor and evaluate IT performance.
• ME2: Monitor and evaluate internal control.
• ME3: Ensure compliance with external requirements.
• ME4: Provide IT governance.
Diagram: IT Processes – Plan and Organize, Acquire and Implement, Deliver and Support, Monitor and Evaluate.
64
The COBIT Cube: Business Requirements
To satisfy business objectives, information needs to conform to certain control criteria, which COBIT refers to as business requirements for information.
Based on broader quality, fiduciary, and security requirements, seven distinct information criteria are defined.
Information Criteria are: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability.
Diagram: Business Requirements alongside IT Resources and IT Processes.
65
The COBIT Cube: Business Requirements
Information Criteria:
• Effectiveness: Deals with information being relevant and pertinent to the business process as well as being delivered in a timely, correct, consistent, and usable manner.
• Efficiency: Concerns the provision of information through the optimal (most productive and economical) use of resources.
• Confidentiality: Concerns the protection of sensitive information from unauthorized disclosure.
• Integrity: Relates to the accuracy and completeness of information as well as to its validity in accordance with business values and expectations.
• Availability: Relates to information being available when required by the business process, at present and in the future. It also concerns the safeguarding of necessary resources and associated capabilities.
• Compliance: Deals with complying with those laws, regulations, and contractual arrangements to which the business process is subject, that is, externally imposed business criteria as well as internal policies.
• Reliability: Relates to the provision of appropriate information for the management to operate the entity and to exercise its fiduciary and governance responsibilities.
Diagram: Information Criteria alongside IT Resources and IT Processes.
66
The COBIT Cube – IT Resources
IT processes manage IT resources to generate, deliver, and store the information that the organization needs to achieve its objectives. The IT resources identified in COBIT can be defined as:
• Applications: automated user systems and manual procedures that process information.
• Information: data that is input, processed, and output by information systems, in whatever form used by the business.
• Infrastructure: includes the technology and facilities such as hardware, operating systems, and networking that enable the processing of applications.
• People: personnel required to plan, organize, acquire, implement, deliver, support, monitor, and evaluate information systems and services. They may be internal, outsourced, or contracted, as required.
67
COBIT Framework
Diagram: Business objectives and governance objectives; Information criteria (Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability); IT resources (Applications, Information, Infrastructure, People); and the four domains with their processes:
• Plan and Organize: PO1 Define a strategic IT plan. PO2 Define the information architecture. PO3 Determine technological direction. PO4 Define the IT processes, organization, and relationships. PO5 Manage the IT investment. PO6 Communicate management aims and direction. PO7 Manage IT human resources. PO8 Manage quality. PO9 Assess and manage IT risks. PO10 Manage projects.
• Acquire and Implement: AI1 Identify automated solutions. AI2 Acquire and maintain application software. AI3 Acquire and maintain technology infrastructure. AI4 Enable operation and use. AI5 Procure IT resources. AI6 Manage changes. AI7 Install and accredit solutions and change.
• Deliver and Support: DS1 Define and manage service levels. DS2 Manage third-party services. DS3 Manage performance and capacity. DS4 Ensure continuous service. DS5 Ensure systems security. DS6 Identify and allocate costs. DS7 Educate and train users. DS8 Manage the service desk and incidents. DS9 Manage the configuration. DS10 Manage problems. DS11 Manage data. DS12 Manage the physical environment. DS13 Manage operations.
• Monitor and Evaluate: ME1 Monitor and evaluate IT performance. ME2 Monitor and evaluate internal control. ME3 Ensure compliance with external requirements. ME4 Provide IT governance.
68
COBIT — Value and Limitations
COBIT:
• Has internationally accepted good practices.
• Is management-oriented.
• Is supported by tools and training.
• Is freely available as an open standard.
• Allows the sharing and leveraging of the knowledge of expert volunteers.
• Continually evolves.
• Is maintained by a reputable nonprofit organization.
• Maps 100 percent to COSO.
• Maps strongly to all major, related standards.
• Is a reference, not an “off-the-shelf” cure.
Enterprises still need to analyze the control requirements and customize COBIT based on the enterprise’s:
• Value drivers.
• Risk profile.
• IT infrastructure, organization, and project portfolio.
69
COBIT: Advantages
Some of the advantages of adopting COBIT are:
• COBIT is aligned with other standards and best practices and should be used together with them.
• COBIT’s framework and supporting best practices provide a well-managed and flexible IT environment in an organization.
• COBIT provides a control environment that is responsive to business needs and serves management and audit functions in terms of their control responsibilities.
• COBIT provides tools to help manage IT activities.
70
Val IT
Introducing Val IT: Val IT is based on COBIT and extends and complements it, focusing on the value delivery dimension. Specifically, Val IT focuses on the:
• Re-investment decision (are we doing the right things?)
• Realization of benefits (are we getting the benefits?)
The goal of the Val IT initiative is to help management ensure that organizations realize optimal value from IT-enabled business investments at an affordable cost, with a known and acceptable level of risk.
Diagram: VAL IT helps management achieve optimal value.
71
Val IT – Principles
The principles of Val IT are outlined below:
• IT-enabled investments will be managed as a portfolio of investments.
• IT-enabled investments will include the full scope of activities that are required to achieve business value.
• IT-enabled investments will be managed through their full economic life cycle.
• Value delivery practices will recognize that there are different categories of investments that will be evaluated and managed differently.
• Value delivery practices will define and monitor key metrics and will respond quickly to any changes or deviations.
• Value delivery practices will engage all stakeholders and assign appropriate accountability for the delivery of capabilities and the realization of business benefits.
• Value delivery practices will be continually monitored, evaluated, and improved.
72
Val IT – Areas
Val IT is based on the “Four Rs” highlighted below, some fundamental questions about the value delivered by IT:
• Strategic: Are we doing the right things?
• Value: Are we getting the benefits?
• Delivery: Are we doing them well?
• Architecture: Are we doing them the right way?
73
Val IT – Value Governance
The diagram below shows the structure of the three Val IT processes and their management practices.
Value Governance (VG):
• VG1 Ensure informed and committed leadership.
• VG2 Define and implement processes.
• VG3 Define roles and responsibilities.
• VG4 Ensure appropriate and accepted accountability.
• VG5 Define information requirements.
• VG6 Establish reporting requirements.
• VG7 Establish organizational structures.
• VG8 Establish strategic direction.
• VG9 Define investment categories.
• VG10 Determine a target portfolio mix.
• VG11 Define evaluation criteria by category.
Figure 8 – Key Management Practices Supporting the Three Val IT Processes: Value Governance (VG), Portfolio Management (PM), Investment Management (IM).
74
Val IT – Investment Management
Investment Management (IM):
• IM1 Develop a high-level definition of investment opportunity.
• IM2 Develop an initial program concept business case.
• IM3 Develop a clear understanding of candidate programs.
• IM4 Perform an alternative analysis.
• IM5 Develop a program plan.
• IM6 Develop a benefits realization plan.
• IM7 Identify full lifecycle costs and benefits.
• IM8 Develop a detailed program business case.
• IM9 Assign clear accountability and ownership.
• IM10 Initiate, plan, and launch the program.
• IM11 Manage the program.
• IM12 Manage and track benefits.
• IM13 Update the business case.
• IM14 Monitor and report on program performance.
• IM15 Retire the program.
Figure 8 – Key Management Practices Supporting the Three Val IT Processes: Value Governance (VG), Portfolio Management (PM), Investment Management (IM).
75
Val IT – Portfolio Management
Portfolio Management (PM):
• PM1 Maintain a human resource inventory.
• PM2 Identify resource requirements.
• PM3 Perform a gap analysis.
• PM4 Develop a resource plan.
• PM5 Monitor resource requirements and utilization.
• PM6 Establish an investment threshold.
• PM7 Evaluate the initial program concept business case.
• PM8 Evaluate and assign a relative score to the program business case.
• PM9 Create an overall portfolio view.
• PM10 Make and communicate the investment decision.
• PM11 Stage-gate (and fund) the selected program.
• PM12 Optimize portfolio performance.
• PM13 Reprioritize the portfolio.
• PM14 Monitor and report on portfolio performance.
Figure 8 – Key Management Practices Supporting the Three Val IT Processes: Value Governance (VG), Portfolio Management (PM), Investment Management (IM).
76
Val IT – Processes
The processes listed on the earlier slides expand COBIT’s PO and ME processes, especially those relating to:
• Business and IT strategy
• Investment management
• Portfolio, program, and project management
• Monitoring and evaluating value delivery
The Val IT framework provides a cross-reference to COBIT.
77
Management Guidelines Framework
COBIT Management Guidelines (components): Process Input and Output; Key Activities and RACI Charts; Goals and Metrics (Outcome Measures, Performance Indicators); Maturity Models.
Goals and metrics show how processes should be measured. These are defined at three levels:
• IT goals and metrics: Define what the business expects from IT, that is, what the business would use to measure IT.
• Process goals and metrics: Define what the IT process must deliver to support the IT goals, that is, how the IT process owner would be measured.
• Process performance metrics: Measure how well the process is performing to indicate if the goals are likely to be met.
Maturity models help organizations measure process capability from nonexistent (0) to optimized (5).
78
Key Activities and RACI Charts – RACI Chart for PO10
A RACI chart identifies who is Responsible, Accountable, Consulted, and Informed.
Functions (columns): CEO, CFO, Business Exec, CIO, Business Process Owner, Head Operations, Chief Architect, Head Development, Head IT Administration, PMO, Compliance/Audit/Risk/Security.
Activities (rows), with the RACI entries as they appear in the chart:
• Define a program/portfolio management framework for IT investments. C C A R C C
• Establish and maintain an IT project management framework. I I I A/R I C C C C R C
• Establish and maintain an IT project monitoring, measurement, and management system. I I I R C C C C A/R C
• Build project charters, schedules, quality plans, budgets, and communication and risk management plans. C C C C C C C A/R C
• Assure the participation and commitment of project stakeholders. I A R C C
• Assure the effective control of projects and project changes. C C C C C A/R C
• Define and implement project assurance and review methods. I C I A/R C
79
Process Input and Output
Each process is linked to other processes. Inputs are the deliverables that a process requires from other processes.
Outputs are the deliverables that a process provides to others.
In some cases, the input and output are outside the scope of the COBIT framework.
Example: PO10: Manage Projects
Inputs (from):
• Project portfolio – from PO1
• Updated IT project portfolio – from PO5
• IT skills matrix – from PO7
• Development standards – from PO8
• Post-implementation review – from AI7
Outputs (to):
• Project performance reports – to ME1
• Project risk management plan – to PO9
• Project management guidelines – to AI1–AI7
• Detailed project plans – to PO8, AI1–AI7, DS6
• Updated IT project portfolio – to PO1, PO5
80
Outcome Measures
Components of Management Guidelines: Outcome Measures
Outcome Measures (Key Goal Indicators in COBIT 4.0): Define measures that inform the management — after the fact — whether an IT function, process, or activity has achieved its goals. Outcome measures of the IT functions are often expressed in terms of information criteria, such as:
• Availability of the information needed to support the business needs
• Absence of integrity and confidentiality risks
• Cost-efficiency of processes and operations
• Confirmation of reliability, effectiveness, and compliance
81
Performance Indicators
Components of Management Guidelines: Performance Indicators
Performance indicators (Key Performance Indicators in COBIT 4.0): Performance indicators define measures that determine how well the business, IT function, or IT process is performing in enabling the reaching of goals. They are lead indicators of whether goals will be reached, driving the higher-level goals. They often measure the availability of appropriate capabilities, practices, and skills, and the outcome of underlying activities.
Note: The outcome measures of the lower level become the performance indicators of the higher level.
82
Goals and Metrics
Process and Activity Goals Example: PO10
IT goals:
• Respond to business requirements in alignment with the business strategy.
• Define projects on time and within budget, meeting quality standards.
• Respond to governance requirements, in line with board directors.
IT metrics:
• Percent of projects meeting stakeholders expectations (on time, within budget, and meeting requirements, weighed by importance)
Process goals:
• Establish project tracking and cost/time control mechanisms.
• Provide transparency of project status.
• Make timely project management decisions at critical milestones.
Process metrics:
• Percent of projects on time and within budget
• Percent of projects meeting stakeholder expectations
Activity goals:
• Define and enforce program and project frameworks and approaches.
• Issue project management guidelines.
• Perform project planning for each project in the project portfolio.
Activity metrics:
• Percent of projects following project management standards and practices
• Percent of certified or trained project managers
• Percent of projects receiving post-implementation reviews
• Percent of stakeholders participating in projects (involvement index)
Diagram: activity goals drive process goals, which drive IT goals; at each level the metrics measure the goals and the goals set the metrics.
Example PO10: Manage Projects

Key Goal Indicators – PO10
COBIT defines two levels of outcome measures: one for the IT department (IT outcome measure) and one for the IT process (process outcome measure).

IT outcome measure: Percentage of projects meeting stakeholder expectations (on time, within budget, and meeting requirements, weighted by importance)
Process outcome measures: Percentage of projects on time and within budget; Percentage of projects meeting stakeholder expectations
Performance Indicators – PO10
Percentage of projects following project management standards and practices
Percentage of certified or trained project managers
Percentage of projects receiving post-implementation reviews
Percentage of stakeholders participating in projects (the involvement index)

Note: These are the outcome measures of the PO10 activities and, at the same time, the performance indicators of the PO10 process.
The COBIT Maturity Model

Benchmarking
Maturity models provide a scale to benchmark company practices against industry standards and guidelines. A maturity model is a measure that enables an organization to grade its maturity for a specific process from nonexistent (0) to optimized (5).

Legend for ranking used:
0 – Nonexistent: Management processes are not applied at all.
1 – Initial: Processes are ad hoc and disorganized.
2 – Repeatable: Processes follow a regular pattern.
3 – Defined: Processes are documented and communicated.
4 – Managed: Processes are monitored and measured.
5 – Optimized: Good practices are followed and automated.

Legend for symbols used (marked on the scale): enterprise current status; industry average; enterprise target.

The scale shows the current and the proposed position of the organization in relation to industry best practices, standards, and guidelines.
Attributes (the dimensions along which each process is rated):
Awareness and communication
Policies, standards, and procedures
Tools and automation
Skills and expertise
Responsibility and accountability
Goal setting and measurement

Rankings:
0 – Nonexistent: Management processes are not applied at all.
1 – Initial: Processes are ad hoc and disorganized.
2 – Repeatable: Processes follow a regular pattern.
3 – Defined: Processes are documented and communicated.
4 – Managed: Processes are monitored and measured.
5 – Optimized: Good practices are followed and automated.
Maturity Model for PO10: 0 – Nonexistent
Project management techniques are not used, and the organization does not consider the business impacts associated with project mismanagement and project development failures.
Maturity Model for PO10: 1 – Initial
The use of project management techniques and approaches within IT is a decision left to individual IT managers. There is a lack of management commitment to project ownership and project management. Critical decisions on project management are made without user management or customer input. There is little or no customer and user involvement in defining IT projects. There is no clear organization within IT for the management of projects. Roles and responsibilities for the management of projects are not defined. Projects, schedules, and milestones are poorly defined, if at all. Project staff time and expenses are not tracked and compared to budgets.
Maturity Model for PO10: 2 – Repeatable
Senior management has gained and communicated an awareness of the need for IT project management. The organization is in the process of developing and utilizing some techniques and methods from project to project. IT projects have informally defined business and technical objectives. There is limited stakeholder involvement in IT project management. Initial guidelines have been developed for many aspects of project management. Application of project management guidelines is left to the discretion of the individual project manager.
Maturity Model for PO10: 3 – Defined
The IT project management process and methodology have been established and communicated. IT projects are defined, with appropriate business and technical objectives. Senior IT and business management are beginning to be committed to and involved in the management of IT projects. A project management office is established within IT, with initial roles and responsibilities defined. IT projects are monitored, with defined and updated milestones, schedules, and budget and performance measurements. Project management training is available and is primarily a result of individual staff initiatives. Quality assurance procedures and post-system-implementation activities have been defined but are not broadly applied by IT managers. Projects are beginning to be managed as portfolios.
Maturity Model for PO10: 4 – Managed
Management requires formal and standardized project metrics and the review of lessons learned at project completion. Project management is measured and evaluated throughout the organization and not just within IT. Enhancements to the project management process are formalized and communicated, with project team members trained on the enhancements. IT management has implemented a project organization structure with documented roles, responsibilities, and staff performance criteria. Criteria for evaluating success at each milestone have been established. Value and risk are measured and managed before, during, and after the completion of projects. Projects increasingly address organization goals, rather than only IT-specific ones. There is strong and active project support from senior management sponsors as well as stakeholders. Relevant project management training is planned for employees in the project management office and across the IT function.
Maturity Model for PO10: 5 – Optimized
A proven, full lifecycle project and program methodology is implemented, enforced, and integrated into the culture of the entire organization. An ongoing initiative to identify and institutionalize the best project management practices has been implemented. An IT strategy for sourcing development and operational projects is defined and implemented. An integrated project management office is responsible for projects and programs from inception to post implementation. Organization-wide planning of programs and projects ensures that user and IT resources are best utilized to support strategic initiatives.
IT Assurance Guide
The guide is organized into three parts: the Assurance Roadmap, the Execution Roadmap, and Detailed Testing Advice.

The objective of the IT Assurance Guide is to:
Demonstrate how to use COBIT to support a variety of IT assurance activities.
Enable the users to leverage COBIT when planning and performing assurance reviews, so that the business, IT, and assurance professionals are all aligned around a common framework and objectives.
Guide planning, scoping, and executing assurance reviews using a roadmap based on well-accepted assurance approaches, supported by detailed tests that are based on COBIT’s processes and control objectives.
Assurance Guide Roadmap
The Assurance Guide roadmap consists of the following three stages:
• Planning: The establishment of the IT assurance universe for the assurance assignment serves as the beginning of every assurance initiative.
• Scoping: The scoping process starts from defining business and IT goals for the environment under review and identifying the set of IT processes and resources (that is, the assurance universe) required to support those goals.
• Execution: The third stage of the IT assurance roadmap describes an approach that assurance professionals can follow, including the core testing activities, as they execute a particular assurance initiative.
Execution Roadmap
The Execution Roadmap consists of the following six stages:
1. Refine the understanding of the IT assurance subject.
2. Refine the scope of key control objectives of the IT assurance subject.
3. Test the effectiveness of the control design of the key control objectives.
4. Test the outcome of the key control objectives.
5. Document the impact of control weaknesses.
6. Develop and communicate the overall conclusion and recommendations.
Thank You For Your Time and Interest
For more information about CPE and Certification accredited training, please visit our training information pages at http://www.enterprisegrc.com