
CobiT Foundation Free Training


Page 1: CobiT Foundation Free Training

http://www.enterprisegrc.com

CobiT™ Overview Training

EnterpriseGRC Solutions, Inc. is a certified ITPreneurs Partner and ISACA Training Partner. This course is presented by Robin Basham, M.Ed, M.IT, CISA, ITSM, CGEIT, CRISC, ACC, Managing Partner, EnterpriseGRC Solutions, Inc., and President, Association Certified Green Technology Association.

Materials used to train for the CobiT Foundation™ are only available through our accredited ITPreneurs partner purchase program, which is licensed for distribution as an ISACA® certification course. This presentation is heavily adapted by EnterpriseGRC Solutions, represents a summary of the main points, and is not available for sale or distribution. Individuals or organizations may contact us to purchase the entire set of materials. For additional information please visit http://www.itsmcampus.com/docs/cobit_update.pdf or email Arjan Woertman ([email protected]).

Page 2: CobiT Foundation Free Training

Governance in Your Context - Introductions

If this were a live or online interactive training, we would begin by sharing your unique:

• involvement and need for Governance
• issues you hope to resolve through best practice in Governance, Risk and Compliance
• and providing our best answers to the question “Why CobiT©”

© EnterpriseGRC Solutions, Inc., ISACA® and ITPreneurs™. All Rights Reserved. You could be earning credit right now! To learn more about accredited online and live training, call 800 847-6821.

Page 3: CobiT Foundation Free Training

Session Agenda

The COBIT Foundation Course™ is published for distribution by ITPreneurs on behalf of ISACA; the materials for the CobiT course are the product of many years of committee contribution. Formal training requires purchase of the complete training materials.

This session is an overview to prepare students for the full 8 to 20 hour course. CobiT Foundation™ is a program of study that results in the capacity both to pass an external examination and to successfully implement CobiT in a work environment. Live training involves interactive exercises.

EnterpriseGRC Solutions, Inc. is authorized to provide CobiT training. By the end of today’s half day, you will have a newfound appreciation for the value of extended study and application of the CobiT Framework, as well as of other ITGI authorized courses ranging from introductory to advanced Governance topics.

Page 4: CobiT Foundation Free Training

Course Introduction

COBIT was developed by the IT Governance Institute (ITGI™). Our objective today is to achieve a basic understanding of COBIT and how you might apply it in practice.

This training consists of the following sections:

• IT Governance and Governance as a Framework
• Introduction to COBIT: A Control Framework
• Overview of COBIT Components
• COBIT: Resources

For a current set of CobiT materials, please visit http://www.isaca.org/Content/NavigationMenu/Members_and_Leaders1/COBIT6/Obtain_COBIT/Obtain_COBIT.htm

Page 5: CobiT Foundation Free Training

About ISACA and ITGI

ISACA - With more than 70,000 members in more than 140 countries, ISACA (www.isaca.org) is a recognized, worldwide leader in IT governance, control, security, and assurance. Founded in 1969, ISACA:

• Sponsors international conferences.
• Publishes the Information Systems Control journal.
• Develops international information systems auditing and control standards.
• Administers the globally respected Certified Information Systems Auditor (CISA) and Certified Information Security Manager (CISM) designations.

ITGI - The IT Governance Institute (ITGI) (www.itgi.org) was established by ISACA in 1998 to advance international thinking and standards in directing and controlling an enterprise's information technology. ITGI:

• Developed COBIT, now in its fifth edition.
• Offers original research and case studies to assist enterprise leaders and boards of directors in their IT governance responsibilities.

Page 6: CobiT Foundation Free Training

Topics of This Session

The main points in our session will cover:

• IT management issues that affect organizations.
• Principles of IT governance.
• The need for a control framework, driven by the need for IT governance.
• How COBIT meets the requirements for an IT governance framework.
• How COBIT is used with other standards and best practices.
• The COBIT framework and all the components of COBIT: control objectives, control practices, management guidelines, and assurance guide.
• How to apply COBIT in a practical situation.
• The benefits of using COBIT.
• The products and support that ITGI provides.

Page 7: CobiT Foundation Free Training

The COBIT Framework: COBIT Framework Characteristics

The acronym COBIT stands for Control Objectives for Information and related Technology.

COBIT’s main characteristics are:

• Business-focused
• Process-oriented
• Controls-based
• Measurement-driven

Page 8: CobiT Foundation Free Training

COBIT: An IT Control Framework – Evolution

For the latest updates on COBIT, log on to www.isaca.org

• COBIT 1 (1996): Audit
• COBIT 2 (1998): Control
• COBIT 3 (2000): Management
• COBIT 4 (2005): Governance
• COBIT 5 (2010): Process and Application Controls, ValIT, RiskIT Framework

Page 9: CobiT Foundation Free Training

The COBIT Cube: IT Processes

Diagram: the COBIT Cube, with axes for IT Processes (Domains, Processes, Activities), IT Resources, and Information Criteria.

COBIT describes the IT life cycle with the help of four domains:

• Plan and Organize
• Acquire and Implement
• Deliver and Support
• Monitor and Evaluate

Processes are series of activities with natural control breaks. The 34 processes across the four domains specify what the business needs to achieve its objectives. The delivery of information is controlled through 34 high-level control objectives, one for each process.

Activities are actions that achieve measurable results, have life cycles, and include many discrete tasks.

Page 10: CobiT Foundation Free Training

Key Objectives of Foundation Knowledge

• The principles of IT governance.
• Who is responsible for IT governance.
• How IT governance resolves management issues.
• The scope of IT governance.
• The need for a control framework driven by IT governance.

Page 11: CobiT Foundation Free Training

IT Challenges

Many organizations invest significant amounts of money and resources in IT. They rely on IT to support business operations and meet strategic objectives. Increasingly, organizations are faced with the challenge of adapting to dynamic business demands while handling technology-related risks and complexities.

Diagram: the IT challenges facing the organization, namely Keeping IT Running, Value, Costs, Mastering Complexity, Aligning IT With Business, Regulatory Compliance, Security, and IT Resources and Expenses.

Page 12: CobiT Foundation Free Training

IT Challenges – Keep The Enterprise Running

Keeping IT Running: Discontinuity of IT Services

Typically, the following problems may arise because of technical failure:

• Critical business processes, such as order processing, being disrupted
• Administrative personnel unable to handle diaries, mail, or documents
• Customers unable to contact call centers

The above problems may result in lost business, reduced profits, and damage to the organization’s reputation.

As a result, organizations need to guarantee the continuity of IT services for business-critical services.

Page 13: CobiT Foundation Free Training

IT Challenges – Provide Strategic Value

Given the significant investments made in IT and the strategic importance of IT projects, organizations need to ensure that IT provides value. In most IT projects that exceed budgetary expectations or deadlines, the typical problems are:

• Poorly defined requirements
• Systems too complex to implement
• Underestimation of the effort required
• Poor project management

As a result, organizations need to identify the right IT projects and execute them within time and budget to deliver the expected value.

Diagram: Value, shown as Business Value against Project Execution Time.

Page 14: CobiT Foundation Free Training

IT Challenges – Manage Costs

Costs: IT Expenditure, IT Asset Cost, Increasing Expenditure

Typically, the reasons for higher expenditure are:

• The costs associated with IT assets are not understood.
• Operational budgets are increasing because of complex licensing, maintenance, and outsourcing contracts.
• There is a shortage of skilled resources.
• Large financial losses are incurred because of failed projects.
• IT spending by business units and central IT departments is not coordinated.

As a result, organizations need to manage IT costs as carefully as they do other significant costs of business. This requires efficient and effective processes and allocation of resources such as people and technology. In addition, it requires effective vendor relationships.

Page 15: CobiT Foundation Free Training

IT Challenges – Master Complexity

Mastering Complexity: Handling External Relationships

The typical problems arising because of these complexities are:

• Maintaining technical competence
• Managing diverse technical infrastructures
• Adapting to rapid changes and new developments
• Managing external relationships and service providers

As a result, the IT function should be organized and managed so that organizations are able to handle complexities and avoid excessive costs.

Page 16: CobiT Foundation Free Training

IT Challenges – Alignment with the Business

Aligning IT With Business: Strategic Alignment between IT and Business

In most organizations, the gap between what users expect and what IT can provide continues to exist because of the following reasons:

• Poorly defined business requirements
• Inability to set priorities
• Complexity of projects
• Lack of committed business sponsors
• Lack of clear business drivers for solutions
• Communication gaps between business and IT

As a result, organizations need to ensure that IT partners with the business to deliver value.

Page 17: CobiT Foundation Free Training

IT Challenges – Regulatory Compliance

Diagram: Regulations govern Business Operations, which impact IT Systems; the IT function must be aware of the resulting Compliance requirements.

Regulations that govern business operations impact IT systems. The IT function needs to be aware of national and international legal and regulatory requirements that relate to, for example:

• Corporate governance and financial reporting
• Privacy and security

Therefore, organizations need to ensure compliance with legal and contractual requirements involving service providers and trading partners.

Page 18: CobiT Foundation Free Training

IT Challenges - Security

Security: Internet, Firewall, Cloud

Unfortunately, the desire to make information readily available through the use of technology carries security risks. These risks have increased because of several factors:

• The use of the Internet and networking, which exposes internal systems to the world.
• Viruses and hackers.
• The increasing misuse of information.
• The technical complexities of IT environments and the associated problems of security.
• Poor awareness of security issues in computer users.

As a result, organizations need to ensure adequate security in their IT environment. This entails increasing the awareness of management and users regarding their responsibilities and possible risks.

Page 19: CobiT Foundation Free Training

What Is Enterprise Governance?

Enterprise governance is a set of responsibilities and practices exercised by the board and executive management with the goals of:

• Providing strategic direction.
• Ensuring that objectives are achieved.
• Establishing that risks are managed appropriately.
• Verifying that the enterprise’s

Page 20: CobiT Foundation Free Training

Governance Is About Balance

Governance is about Performance and Conformance. Governance requires a balance between the conformance and performance goals, as directed by the board.

• Performance: improving profitability, efficiency, effectiveness, and growth
• Conformance: adhering to legislation, internal policies, and audit requirements

IT governance is part of enterprise governance. It is defined as a structure of relationships and processes to direct and control the enterprise toward achieving its goals by adding value while balancing risk versus return over IT and its processes.

Page 21: CobiT Foundation Free Training

Principles of IT Governance

The board of directors and executive management are responsible for IT governance, which involves structures and processes that direct the organization toward achieving its objectives.

Diagram: the four principles, namely Direct and Control, Responsibility, Accountability, and Activities.

Page 22: CobiT Foundation Free Training

Principles of IT Governance – Direct and Control

Diagram: the Board directs the IT Organization (sets direction, sets objectives and measures) and controls it (compares the reported measures against them); the IT Organization performs activities, measures, and reports.

Direct: The management provides direction to implement a change. To provide effective direction, the management needs to understand the intended change. In addition, the management directs another person to bring about the change.

Control: Control ensures that the objective is achieved and no undesired incidents occur.

Page 23: CobiT Foundation Free Training

Principles of IT Governance – Direct and Control

Direct and Control can be related to the functioning of a thermostat. A thermostat regulates room temperature without producing any heating or cooling effect itself. It only compares the room temperature with its own set point and switches the heater or cooler on or off.

The thermostat directs the heating/cooling system based on the temperature setting. The heating/cooling system controls the room temperature by providing the right amount of additional heating or cooling, based on instructions from the thermostat.

Diagram: a thermostat set to 72 on a scale from 60 to 80 directs the heater and cooler, which control the room temperature.

Page 24: CobiT Foundation Free Training

Principles of IT Governance - Responsibility

The CEO is ultimately responsible for overall internal control. Senior managers assign responsibility for the establishment of specific internal control policies and procedures to the personnel performing a unit's functions. Internal control is the responsibility of everyone in an organization and should be an explicit or implicit part of job descriptions.

Diagram: the Board directs and controls the IT Organization, which performs activities, measures, and reports.

Page 25: CobiT Foundation Free Training

Principles of IT Governance - Accountability

Accountability is related to responsibility but specifically focuses on having the authority to make decisions and give approval. For the final outcome of a set of activities, the responsibility cannot be passed to anyone else. For example, responsibility for the process of defining the IT strategy will be shared by several people, each responsible for certain tasks and activities. Ultimately, it may be the CEO who decides on key issues and approves the final version. He is then accountable for the IT strategy.

Diagram: the Board is accountable; it directs and controls the IT Organization, which performs activities, measures, and reports.

Page 26: CobiT Foundation Free Training

Principles of IT Governance – Activities - Actions

IT is not about technological excellence; it’s about meeting service requirements.

IT activities are effective when there is good IT governance. Typically, IT departments must align with the organization’s business needs. This alignment is a much better performance indicator than any technical parameter.

Diagram: the IT Function in an Organization, shown as Activities.

Page 27: CobiT Foundation Free Training

IT Governance Stakeholders - Internal

Internal Stakeholders and Their Concerns

• IT Auditor: How do we provide independent assurance of IT value delivery and risk mitigation?
• Risk and Compliance Manager: How do we ensure that policies, regulations, and laws are complied with and new risks identified?
• Board, Executive, and Business Manager: How do we define business direction for IT, deliver value, and manage risks?
• IT Manager: How do we deliver IT services, as required by the business and directed by the board?

Page 28: CobiT Foundation Free Training

IT Governance Stakeholders - External

External Stakeholders and Their Concerns

• External Auditor: I need to know whether or not the automated banking reconciliation system works in order to clear the audit.
• Regulators: How can we be assured that the organization has a business continuity plan? If it does not, regulators may retract the banking license.
• Suppliers: Do we have assurance that confidential information about our company is not sent to our competitors?
• Customers: I need you to keep my banking details secure on your computer system.

Page 29: CobiT Foundation Free Training

IT Governance: Focus Areas

• Strategic Alignment
• Value Delivery
• Risk Management
• Resource Management
• Performance Measurement

Page 30: CobiT Foundation Free Training

IT Governance: Strategic Alignment

Focuses on ensuring the linkage of business and IT plans; on defining, maintaining, and validating the IT value proposition; and on aligning IT operations with enterprise operations.

Ensures that an enterprise‘s investment in IT is in harmony with the enterprise’s strategic objectives.

Page 31: CobiT Foundation Free Training

IT Governance: Value Delivery

Is about executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimizing costs, and proving the intrinsic value of IT.

Diagram: Business Value and Return on Investment (ROI).

Page 32: CobiT Foundation Free Training

IT Governance: Risk Management

Requires:

• Risk awareness by senior corporate officers
• A clear understanding of the enterprise’s appetite for risk
• An understanding of compliance requirements
• Transparency about significant risks to the enterprise
• Embedding of risk management responsibilities into the organization

Risks can be managed by:

• Risk mitigation
• Risk transfer
• Risk acceptance
• Risk avoidance

Page 33: CobiT Foundation Free Training

IT Governance: Resource Management

IT Governance Helps Optimize Costs and Resources

Is about the optimal investment in and the proper management of critical IT resources, such as:

• Applications
• Information
• Infrastructure
• People

A look-ahead strategy will help manage for the present and develop and build competencies and capacity for the future.

Page 34: CobiT Foundation Free Training

IT Governance: Performance Management

Performance Measurement: If you cannot measure it, you cannot manage it.

Tracks and monitors strategy implementation, project completion, process performance, and service delivery.

If there is no way to measure and evaluate IT activities, it is not possible to govern IT and ensure the alignment, value delivery, risk management, and effective use of resources.

Page 35: CobiT Foundation Free Training

Benefits of IT Governance

IT governance offers the following benefits:

• More reliable services
• More transparency
• Responsiveness of IT to business
• Confidence of the top management
• Higher

Page 36: CobiT Foundation Free Training

Need for a Control Framework for IT Governance

Enterprises cannot deliver effectively against business and governance requirements without adopting and implementing a governance and control framework for IT to:

• Link to business requirements.
• Make performance against these requirements transparent.
• Organize IT activities into a generally accepted process model.
• Identify the major resources to be leveraged.
• Define the management control objectives to be considered.

Page 37: CobiT Foundation Free Training

Summary IT Governance

Organizations typically face the following IT challenges that drive the need for IT governance:

• Keeping IT running
• Delivering value to customers
• Managing IT costs
• Mastering complexity
• Aligning IT with business
• Ensuring regulatory compliance
• Managing security

IT governance is a structure of relationships and processes that helps direct and control the achievement of enterprise goals. IT governance is an integral part of enterprise governance.

Page 38: CobiT Foundation Free Training

Summary IT Governance

The focus areas of IT governance are:

• Strategic alignment
• Value delivery
• Risk management
• Resource management
• Performance measurement

Governance and control frameworks are becoming part of IT management best practices and are enablers for establishing IT governance and complying with continually increasing regulatory requirements.

Page 39: CobiT Foundation Free Training

Can You Name The Players in this Slide?

Page 40: CobiT Foundation Free Training

Objectives

• Identify how COBIT supports the characteristics of a control framework.
• Understand the premise of the COBIT framework.
• Explain the components and functions of the COBIT framework.
• Demonstrate the role of COBIT IT processes and the four IT domains.
• Apply IT resources and information criteria.

Page 41: CobiT Foundation Free Training

Topics for the CobiT Control Framework

• Characteristics of a Control Framework
• The COBIT Framework
• The COBIT Cube
• Introduction to Val IT

Page 42: CobiT Foundation Free Training

http://www.enterprisegrc.com

What do We Get from A Compliance Framework?

[Diagram: a define, execute, measure cycle applied to Compliance, Resources, Services, and Risk]

Compliance frameworks are designed to make companies more successful by reducing operating cost and risk while optimizing service delivery. If a framework can’t achieve this, it is the wrong framework.


5 Characteristics of a Control Framework

A control framework:

• Has general acceptability among organizations
• Helps meet regulatory requirements
• Defines a common language
• Provides sharper business focus
• Ensures process orientation


Characteristics – Business Focus

COBIT achieves sharper business focus by aligning IT with business objectives.

The measurement of IT performance should focus on IT’s contribution to enabling and extending the business strategy.

COBIT, supported by appropriate business-focused metrics, can ensure that the primary focus is value delivery and not technical excellence as an end in itself.


Characteristics – Process Orientation

When organizations implement COBIT, their focus is more process-oriented.

Incidents and problems no longer divert attention from processes.

Exceptions can be clearly defined as part of standard processes.

With process ownership defined, assigned, and accepted, the organization is better able to maintain control through periods of rapid change or organizational


Characteristics – General Acceptability

COBIT is a proven and globally accepted standard for increasing the contribution of IT to organizational success.

The framework continues to improve and develop to keep pace with best practices.

IT professionals from all over the world contribute their ideas and time to regular review meetings.


Characteristics – Regulatory Requirements

Recent corporate scandals have increased regulatory pressures on boards of directors to report their status and ensure that internal controls are appropriate. This covers IT controls as well.

Organizations constantly need to improve IT performance and demonstrate adequate controls over their IT activities.

Many IT managers, advisors, and auditors are turning to COBIT as the de facto response to regulatory IT requirements.


Characteristics – Common Language

A framework helps get everybody on the same page by defining critical terms and providing a glossary.

Coordination within and across project teams and organizations can play a key role in the success of any project.

A common language builds confidence and trust.


What are Compliance Components? (Object Model)

[Diagram: compliance object model. The recoverable structure is listed below.]

• Domains: there are four domains; every object is associated with one of the four.
• Control Objectives: there are thirty-four control objectives; every object is associated with one of the 34.
• Critical Success Factors (CSF): each control objective has an N-item CSF list.
• Key Goal Indicators (KGI): each control objective has an N-item KGI list.
• Key Performance Indicators (KPI): each control objective has an N-item KPI list. A list is a single object that inherits its domain and control objective.
• Maturity Level: 34 sets of five-item rows make up the maturity profile; each item inherits its domain and control objective.
• Process Profile owner (highest level): Company Name / Accounting Oversight Board; Department Owner / Audit owner; Department.
• Audit Results: 34 control objects, 352+ detail objectives, and 34 maturity ratings supported by performance reports. Process profiles give a detailed summary of deficiencies and risk, support the stated corporate critical success factors, and feed ongoing process optimization. Domain/process champions assign control object owners.
• Detail Control Objectives: 34 sets of 3 to 24 detailed objectives defining control object tasks and proficiencies; each item inherits its domain and control objective.
• Management Functions (Parent Process): the business has an unlimited number of high-level management functions, but they are typically fewer than 10; each item inherits its domain.
• Component Process: the business has an unlimited number of component-level processes (subprocesses), typically fewer than 10; a process inherits its domain, control objective, detail control, KGI, CSF, and KPI.
• Policy (handbooks, legal contracts) and Architecture (diagrams, inventories, systems): these items inherit domain, control objective, detail control, KGI, CSF, KPI, and parent process.
• Work Instructions (Operation Process Book): actual step-by-step procedures, corporate communications, portals, and training materials; a work instruction is associated with a process.
• Ownership: Accounting Oversight Board. Sponsor: Department Management.
• Audits: substantiated maturity rating, evidence of process, audit results.


COBIT - Bridging Gaps

COBIT Provides a Framework for IT Governance

COBIT helps bridge the gaps among business risks, control needs, and technical issues. It provides good practices across a domain and a process framework and presents activities in a manageable and logical structure. COBIT:

• Starts from business requirements.
• Is process-oriented, organizing IT activities into a generally accepted process model.
• Identifies the major IT resources to be leveraged.
• Defines the management control objectives to be considered.
• Incorporates major international standards.
• Has become the de facto framework for overall control over IT.

IT resources need to be managed by a set of naturally grouped processes. COBIT provides a framework that achieves this objective.


COBIT: Product for Many Audiences

COBIT – Designed for Management, Auditors, and IT

The COBIT framework helps not only technical users but also those who are responsible for the effective use of IT, such as the management or auditors. The COBIT framework helps these users by ensuring that:

• Their requirements are properly understood and defined.
• Everyone is “on the same page,” using a commonly understood reference model.

[Diagram: COBIT serves Management, Audit, and Information Technology]


The COBIT framework is based on the premise that IT needs to deliver the information that an enterprise requires to achieve its objectives.

The COBIT framework helps align IT with the business by focusing on business information requirements and organizing IT resources. The objective is to facilitate IT governance — to deliver IT value while managing IT risks.

COBIT: Premise

[Diagram: IT resources and processes provide information to business processes for achieving business objectives.]


An organization depends on reliable and timely data and information. COBIT components provide a comprehensive framework for delivering value while managing risk and control over data and information.

As a control and governance framework for IT, COBIT focuses on two key areas:

1. Providing the information required to support business objectives and requirements
2. Treating information as the result of the combined application of IT-related resources that need to be managed by IT processes

COBIT Components

[Diagram: business requirements drive the investment in IT resources, which are used by IT processes to deliver enterprise information, which responds to business requirements.]


The COBIT Cube

The COBIT framework describes how IT processes deliver the information that the business needs to achieve its objectives.

For controlling this delivery, COBIT provides three key components, each forming a dimension of the COBIT cube.

[Diagram: the COBIT cube, with the dimensions Business Requirements (information criteria), IT Resources, and IT Processes.]


The COBIT Cube: IT Processes

COBIT describes the IT life cycle with the help of four domains:

1. Plan and Organize
2. Acquire and Implement
3. Deliver and Support
4. Monitor and Evaluate

Processes are series of activities with natural control breaks. There are 34 processes across the four domains. These processes specify what the business needs to achieve its objectives. The delivery of information is controlled through 34 high-level control objectives, one for each process.

Activities are actions that are required to achieve measurable results. Moreover, activities have life cycles and include many discrete tasks.

[Diagram: the IT Processes dimension of the cube is layered as Domains, Processes, and Activities, alongside the IT Resources and Information Criteria dimensions.]


The COBIT Cube: IT Domains

PLAN AND ORGANIZE (PO)

Objectives:
• Formulating strategy and tactics
• Identifying how IT can best contribute to achieving business objectives
• Planning, communicating, and managing the realization of the strategic vision
• Implementing organizational and technological infrastructure

Scope:
• Are IT and the business strategically aligned?
• Is the enterprise achieving optimum use of its resources?
• Does everyone in the organization understand the IT objectives?
• Are IT risks understood and being managed?
• Is the quality of IT systems appropriate for business needs?


COBIT Cube Domains – Plan and Organize

Let's look at the COBIT process model, which consists of 34 IT processes defined within the four IT domains.

PO1: Define a strategic IT plan.

PO2: Define the information architecture.

PO3: Determine technological direction.

PO4: Define the IT processes, organization, and relationships.

PO5: Manage the IT investment.

PO6: Communicate management aims and direction.

PO7: Manage IT human resources.

PO8: Manage quality.

PO9: Assess and manage IT risks.

PO10: Manage projects.


The COBIT Cube: IT Domains (Contd.)

ACQUIRE AND IMPLEMENT (AI)

Objectives:
• Identifying, developing or acquiring, implementing, and integrating IT solutions
• Changing and maintaining existing systems

Scope:
• Are new projects likely to deliver solutions that meet business needs?
• Are new projects likely to be delivered on time and within budget?
• Will the new systems work properly when implemented?
• Will changes be made without upsetting current business operations?


COBIT Cube Domains – Acquire and Implement

AI1: Identify automated solutions.

AI2: Acquire and maintain application software.

AI3: Acquire and maintain technology infrastructure.

AI4: Enable operation and use.

AI5: Procure IT resources.

AI6: Manage changes.

AI7: Install and accredit solutions and changes.


COBIT Cube Domains – Deliver and Support

DELIVER AND SUPPORT (DS)

Objectives:
• The actual delivery of required services, including service delivery
• The management of security, continuity, data, and operational facilities
• Service support for users

Scope:
• Are IT services being delivered in line with business priorities?
• Are IT costs optimized?
• Is the workforce able to use IT systems productively and safely?
• Are adequate confidentiality, integrity, and availability in place?


COBIT Cube Domains – Deliver and Support

DS1: Define and manage service levels.

DS2: Manage third-party services.

DS3: Manage performance and capacity.

DS4: Ensure continuous service.

DS5: Ensure systems security.

DS6: Identify and allocate costs.

DS7: Educate and train users.

DS8: Manage the service desk and incidents.

DS9: Manage the configuration.

DS10: Manage problems.

DS11: Manage data.

DS12: Manage the physical environment.

DS13: Manage operations.


COBIT Cube Domains – Monitor and Evaluate

MONITOR AND EVALUATE (ME)

Objectives:
• Performance management
• Monitoring of internal control
• Regulatory compliance
• Governance

Scope:
• Is performance of IT measured to detect problems before it is too late?
• Does management ensure that internal controls are effective and efficient?
• Can IT performance be linked to business goals?
• Are risk, control, compliance, and performance measured and reported?


COBIT Cube Domains – Monitor and Evaluate

ME1: Monitor and evaluate IT performance.

ME2: Monitor and evaluate internal control.

ME3: Ensure compliance with external requirements.

ME4: Provide IT governance.


The COBIT Cube: Business Requirements

To satisfy business objectives, information needs to conform to certain control criteria, which COBIT refers to as business requirements for information.

Based on broader quality, fiduciary, and security requirements, seven distinct information criteria are defined.

Information Criteria are:
• Effectiveness
• Efficiency
• Confidentiality
• Integrity
• Availability
• Compliance
• Reliability


• Effectiveness: Deals with information being relevant and pertinent to the business process, as well as being delivered in a timely, correct, consistent, and usable manner.
• Efficiency: Concerns the provision of information through the optimal (most productive and economical) use of resources.
• Confidentiality: Concerns the protection of sensitive information from unauthorized disclosure.
• Integrity: Relates to the accuracy and completeness of information, as well as to its validity in accordance with business values and expectations.
• Availability: Relates to information being available when required by the business process, at present and in the future. It also concerns the safeguarding of necessary resources and associated capabilities.
• Compliance: Deals with complying with those laws, regulations, and contractual arrangements to which the business process is subject, that is, externally imposed business criteria as well as internal policies.
• Reliability: Relates to the provision of appropriate information for the management to operate the entity and to exercise its fiduciary and governance responsibilities.


The COBIT Cube – IT Resources

IT processes manage IT resources to generate, deliver, and store the information that the organization needs to achieve its objectives. The IT resources identified in COBIT can be defined as:

• Applications: automated user systems and manual procedures that process information.
• Information: data that is input, processed, and output by information systems, in whatever form used by the business.
• Infrastructure: includes the technology and facilities such as hardware, operating systems, and networking that enable the processing of applications.
• People: personnel required to plan, organize, acquire, implement, deliver, support, monitor, and evaluate information systems and services. They may be internal, outsourced, or contracted, as required.


COBIT Framework

[Diagram: the COBIT framework. Business objectives and governance objectives drive Information, judged by the criteria Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, and Reliability. Information is delivered by the IT Resources (Applications, Information, Infrastructure, People) through the four domains Plan and Organize (PO1 to PO10), Acquire and Implement (AI1 to AI7), Deliver and Support (DS1 to DS13), and Monitor and Evaluate (ME1 to ME4), whose processes are listed on the preceding slides.]


COBIT — Value and Limitations

COBIT:
• Has internationally accepted good practices.
• Is management-oriented.
• Is supported by tools and training.
• Is freely available as an open standard.
• Allows the sharing and leveraging of the knowledge of expert volunteers.
• Continually evolves.
• Is maintained by a reputable nonprofit organization.
• Maps 100 percent to COSO.
• Maps strongly to all major, related standards.
• Is a reference, not an “off-the-shelf” cure.

Enterprises still need to analyze the control requirements and customize COBIT based on the enterprise’s:

• Value drivers.
• Risk profile.
• IT infrastructure, organization, and project portfolio.


COBIT: Advantages

Some of the advantages of adopting COBIT are:

• COBIT is aligned with other standards and best practices and should be used together with them.
• COBIT’s framework and supporting best practices provide a well-managed and flexible IT environment in an organization.
• COBIT provides a control environment that is responsive to business needs and serves management and audit functions in terms of their control responsibilities.
• COBIT provides tools to help manage IT activities.


Introducing Val IT

Val IT is based on COBIT and extends and complements it, focusing on the value delivery dimension. Specifically, Val IT focuses on the:

• Re-investment decision (are we doing the right things?)
• Realization of benefits (are we getting the benefits?)

The goal of the Val IT initiative is to help management ensure that organizations realize optimal value from IT-enabled business investments at an affordable cost, with a known and acceptable level of risk.

[Diagram: Val IT helps management achieve optimal value]


Val IT – Principles

The principles of Val IT are outlined below:

• IT-enabled investments will be managed as a portfolio of investments.
• IT-enabled investments will include the full scope of activities that are required to achieve business value.
• IT-enabled investments will be managed through their full economic life cycle.
• Value delivery practices will recognize that there are different categories of investments that will be evaluated and managed differently.
• Value delivery practices will define and monitor key metrics and will respond quickly to any changes or deviations.
• Value delivery practices will engage all stakeholders and assign appropriate accountability for the delivery of capabilities and the realization of business benefits.
• Value delivery practices will be continually monitored, evaluated, and improved.


Val IT – Areas

Val IT is based on the “Four Rs” highlighted below, some fundamental questions about the value delivered by IT:

• Strategic: Are we doing the right things?
• Value: Are we getting the benefits?
• Delivery: Are we doing them well?
• Architecture: Are we doing them the right way?


Val IT – Value Governance

The diagram below shows the structure of the three Val IT processes and their management practices.

Value Governance (VG)

VG1 Ensure informed and committed leadership.
VG2 Define and implement processes.
VG3 Define roles and responsibilities.
VG4 Ensure appropriate and accepted accountability.
VG5 Define information requirements.
VG6 Establish reporting requirements.
VG7 Establish organizational structures.
VG8 Establish strategic direction.
VG9 Define investment categories.
VG10 Determine a target portfolio mix.
VG11 Define evaluation criteria by category.

Figure 8 – Key Management Practices Supporting the Three Val IT Processes

[Diagram: the three Val IT processes are Value Governance (VG), Portfolio Management (PM), and Investment Management (IM).]


Val IT – Investment Management

Investment Management (IM)

IM1 Develop a high-level definition of investment opportunity.
IM2 Develop an initial program concept business case.
IM3 Develop a clear understanding of candidate programs.
IM4 Perform an alternative analysis.
IM5 Develop a program plan.
IM6 Develop a benefits realization plan.
IM7 Identify full lifecycle costs and benefits.
IM8 Develop a detailed program business case.
IM9 Assign clear accountability and ownership.
IM10 Initiate, plan, and launch the program.
IM11 Manage the program.
IM12 Manage and track benefits.
IM13 Update the business case.
IM14 Monitor and report on program performance.
IM15 Retire the program.


Val IT – Portfolio Management

Portfolio Management (PM)

PM1 Maintain a human resource inventory.
PM2 Identify resource requirements.
PM3 Perform a gap analysis.
PM4 Develop a resource plan.
PM5 Monitor resource requirements and utilization.
PM6 Establish an investment threshold.
PM7 Evaluate the initial program concept business case.
PM8 Evaluate and assign a relative score to the program business case.
PM9 Create an overall portfolio view.
PM10 Make and communicate the investment decision.
PM11 Stage-gate (and fund) the selected program.
PM12 Optimize portfolio performance.
PM13 Reprioritize the portfolio.
PM14 Monitor and report on portfolio performance.


Val IT – Processes

The processes listed on the earlier slides expand COBIT’s PO and ME processes, especially those relating to:

• Business and IT strategy
• Investment management
• Portfolio, program, and project management
• Monitoring and evaluating value delivery

The Val IT framework provides a cross-reference to COBIT.


COBIT Management Guidelines

The Management Guidelines framework consists of:

• Process Input and Output
• Key Activities and RACI Charts
• Goals and Metrics
• Outcome Measures
• Performance Indicators
• Maturity Models

Goals and metrics show how processes should be measured. These are defined at three levels:

• IT goals and metrics: Define what the business expects from IT, that is, what the business would use to measure IT.
• Process goals and metrics: Define what the IT process must deliver to support the IT goals, that is, how the IT process owner would be measured.
• Process performance metrics: Measure how well the process is performing to indicate if the goals are likely to be met.

Maturity models help organizations measure process capability from nonexistent (0) to optimized (5).


Page 78: CobiT Foundation Free Training


Key Activities and RACI Charts – RACI Chart for PO10

A RACI chart identifies who is Responsible, Accountable, Consulted, and Informed for each key activity of a process. The columns (functions) of the PO10 chart are: CEO, CFO, Business Executive, CIO, Business Process Owner, Head Operations, Chief Architect, Head Development, Head IT Administration, PMO, and Compliance, Audit, Risk and Security. The rows are the key activities. The role letters below are given in column order with empty cells omitted, because the slide does not preserve the position of blank cells; only the second row has an entry for every column, so only that row can be mapped function by function.

Define a program/portfolio management framework for IT investments: C, C, A, R, C, C
Establish and maintain an IT project management framework: CEO I; CFO I; Business Executive I; CIO A/R; Business Process Owner I; Head Operations C; Chief Architect C; Head Development C; Head IT Administration C; PMO R; Compliance, Audit, Risk and Security C
Establish and maintain an IT project monitoring, measurement, and management system: I, I, I, R, C, C, C, C, A/R, C
Build project charters, schedules, quality plans, budgets, and communication and risk management plans: C, C, C, C, C, C, C, A/R, C
Assure the participation and commitment of project stakeholders: I, A, R, C, C
Assure the effective control of projects and project changes: C, C, C, C, C, A/R, C
Define and implement project assurance and review methods: I, C, I, A/R, C
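As an added example (not part of the original training material), the consistency checks an auditor runs over a RACI chart before relying on it: every activity has exactly one Accountable function, at least one Responsible function, no unknown function names, and a named function (here the Compliance, Audit, Risk and Security column) is at least Consulted on every activity. The chart data is constructed for the example: its first row reproduces the PO10 row whose eleven assignments map onto the eleven columns, and the other two rows are deliberately defective so the checks have something to report.

```python
"""RACI chart consistency checks (added example, not COBIT or course material).

SAMPLE_CHART is constructed: the first row follows the PO10 'Establish and
maintain an IT project management framework' row; the other two rows are
deliberately defective to exercise the checks.
"""
from collections import defaultdict

# Functions (columns) in the order used by the COBIT 4.1 process RACI charts.
FUNCTIONS = [
    "CEO", "CFO", "Business Executive", "CIO", "Business Process Owner",
    "Head Operations", "Chief Architect", "Head Development",
    "Head IT Administration", "PMO", "Compliance/Audit/Risk/Security",
]

# Constructed sample chart: activity -> {function: role letters}.
SAMPLE_CHART = {
    "Establish and maintain an IT project management framework": {
        "CEO": "I", "CFO": "I", "Business Executive": "I", "CIO": "A/R",
        "Business Process Owner": "I", "Head Operations": "C",
        "Chief Architect": "C", "Head Development": "C",
        "Head IT Administration": "C", "PMO": "R",
        "Compliance/Audit/Risk/Security": "C",
    },
    # Defective on purpose: two Accountable functions, security column empty.
    "Assure the effective control of projects and project changes": {
        "CIO": "A", "PMO": "A/R", "Head Development": "C",
    },
    # Defective on purpose: nobody Accountable, security column empty.
    "Define and implement project assurance and review methods": {
        "PMO": "R", "Head Development": "C",
    },
}

VALID_LETTERS = {"R", "A", "C", "I"}


def parse_cell(cell):
    """Split a cell such as 'A/R' into {'A', 'R'}; reject unknown letters."""
    letters = {part.strip().upper() for part in cell.split("/") if part.strip()}
    unknown = letters - VALID_LETTERS
    if unknown:
        raise ValueError(f"unknown RACI letter(s) {sorted(unknown)} in {cell!r}")
    return letters


def check_chart(chart, functions=FUNCTIONS, must_consult=()):
    """Return {activity: [finding, ...]} for every row that breaks a rule.

    Rules: exactly one Accountable per activity; at least one Responsible;
    every function named in a row is a known column; each function listed in
    must_consult holds at least C (or A/R) on every activity.
    """
    findings = defaultdict(list)
    for activity, row in chart.items():
        roles = {}
        for function, cell in row.items():
            if function not in functions:
                findings[activity].append(f"unknown function {function!r}")
                continue
            roles[function] = parse_cell(cell)
        accountable = [f for f, r in roles.items() if "A" in r]
        responsible = [f for f, r in roles.items() if "R" in r]
        if len(accountable) != 1:
            findings[activity].append(
                f"expected exactly one A, found {len(accountable)}: {accountable}")
        if not responsible:
            findings[activity].append("no function is Responsible")
        for function in must_consult:
            if not roles.get(function, set()) & {"A", "R", "C"}:
                findings[activity].append(
                    f"{function} is neither consulted nor responsible")
    return dict(findings)


if __name__ == "__main__":
    report = check_chart(SAMPLE_CHART,
                         must_consult=["Compliance/Audit/Risk/Security"])
    for activity, problems in report.items():
        print(activity)
        for problem in problems:
            print("  -", problem)
```

Run as a script, the first (well-formed) row produces no output and each of the two defective rows is reported with two findings. The must_consult check is the one worth keeping in a real review: an activity on which the compliance, audit, risk and security function is neither consulted nor responsible is exactly where control requirements get designed in late.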


Page 79: CobiT Foundation Free Training


Process Input and Output

Example: PO10 Manage Projects

Inputs (from):
PO1  Project portfolio
PO5  Updated IT project portfolio
PO7  IT skills matrix
PO8  Development standards
AI7  Post-implementation review

Outputs (to):
Project performance reports    ME1
Project risk management plan   PO9
Project management guidelines  AI1 to AI7
Detailed project plans         PO8, AI1 to AI7, DS6
Updated IT project portfolio   PO1, PO5

Each process is linked to other processes. Inputs are the deliverables that a process requires from other processes. Outputs are the deliverables that a process provides to others. In some cases, the input and output are outside the scope of the COBIT framework.


Page 80: CobiT Foundation Free Training


Components of Management Guidelines: Outcome Measures

Outcome measures (Key Goal Indicators in COBIT 4.0) define measures that inform management, after the fact, whether an IT function, process, or activity has achieved its goals. Outcome measures of the IT functions are often expressed in terms of information criteria, such as:

Availability of the information needed to support the business needs
Absence of integrity and confidentiality risks
Cost-efficiency of processes and operations
Confirmation of reliability, effectiveness, and compliance


Page 81: CobiT Foundation Free Training


Components of Management Guidelines: Performance Indicators

Performance indicators (Key Performance Indicators in COBIT 4.0) define measures that determine how well the business, IT function, or IT process is performing in enabling the goals to be reached. They are lead indicators of whether goals will be reached, driving the higher-level goals. They often measure the availability of appropriate capabilities, practices, and skills, and the outcome of underlying activities.

Note: The outcome measures of the lower level become the performance indicators of the higher level.


Page 82: CobiT Foundation Free Training


Goals and Metrics – Process and Activity Goals Example: PO10

Goals cascade downward (activity goals set process goals, which set IT goals) and metrics drive upward (activity measures drive process measures, which drive IT measures).

IT goals:
Respond to business requirements in alignment with the business strategy.
Deliver projects on time and within budget, meeting quality standards.
Respond to governance requirements, in line with board direction.

IT metric:
Percent of projects meeting stakeholder expectations (on time, within budget, and meeting requirements, weighted by importance)

Process goals:
Establish project tracking and cost/time control mechanisms.
Provide transparency of project status.
Make timely project management decisions at critical milestones.

Process metrics:
Percent of projects on time and within budget
Percent of projects meeting stakeholder expectations

Activity goals:
Define and enforce program and project frameworks and approaches.
Issue project management guidelines.
Perform project planning for each project in the project portfolio.

Activity metrics:
Percent of projects following project management standards and practices
Percent of certified or trained project managers
Percent of projects receiving post-implementation reviews
Percent of stakeholders participating in projects (involvement index)


Page 83: CobiT Foundation Free Training


Key Goal Indicators – PO10

Example PO10: Manage Projects

COBIT defines two levels of outcome measures: one for the IT department (IT outcome measure) and one for the IT process (process outcome measure).

IT outcome measure: Percentage of projects meeting stakeholder expectations (on time, within budget, and meeting requirements, weighted by importance)

Process outcome measures: Percentage of projects on time and within budget; percentage of projects meeting stakeholder expectations


Page 84: CobiT Foundation Free Training


Performance Indicators – PO10

Percentage of projects following project management standards and practices
Percentage of certified or trained project managers
Percentage of projects receiving post-implementation reviews
Percentage of stakeholders participating in projects (the involvement index)

Note: These are the outcome measures of the activities and, at the same time, the performance indicators of the PO10 process.


Page 85: CobiT Foundation Free Training


Benchmarking

Maturity models provide a scale to benchmark company practices against industry standards and guidelines. A maturity model is a measure that enables an organization to grade its maturity for a specific process from nonexistent (0) to optimized (5).

Legend for ranking used:
0 – Nonexistent: Management processes are not applied at all.
1 – Initial: Processes are ad hoc and disorganized.
2 – Repeatable: Processes follow a regular pattern.
3 – Defined: Processes are documented and communicated.
4 – Managed: Processes are monitored and measured.
5 – Optimized: Good practices are followed and automated.

Legend for symbols used: enterprise current status; industry average; enterprise target.

Plotted on this scale, the symbols show the current and the proposed position of the organization in relation to industry best practices, standards, and guidelines.


Page 86: CobiT Foundation Free Training


The COBIT Maturity Model

The maturity model is a matrix: each process is graded on the rankings 0 – Nonexistent, 1 – Initial, 2 – Repeatable, 3 – Defined, 4 – Managed, 5 – Optimized (with the same descriptions as on the benchmarking scale, from "Management processes are not applied at all" to "Good practices are followed and automated") against six attributes:

Awareness and communication
Policies, standards, and procedures
Tools and automation
Skills and expertise
Responsibility and accountability
Goal setting and measurement


Page 87: CobiT Foundation Free Training


Maturity Model for PO10 – 0 Nonexistent

Project management techniques are not used and the organization does not consider the business impacts associated with project mismanagement and project development failures.


Page 88: CobiT Foundation Free Training


Maturity Model for PO10 – 1 Initial

The use of project management techniques and approaches within IT is a decision left to individual IT managers. There is a lack of management commitment to project ownership and project management. Critical decisions on project management are made without user management or customer input. There is little or no customer and user involvement in defining IT projects. There is no clear organization within IT for the management of projects. Roles and responsibilities for the management of projects are not defined. Projects, schedules, and milestones are poorly defined, if at all. Project staff time and expenses are not tracked and compared to budgets.


Page 89: CobiT Foundation Free Training


Maturity Model for PO10 – 2 Repeatable

Senior management has gained and communicated an awareness of the need for IT project management. The organization is in the process of developing and utilizing some techniques and methods from project to project. IT projects have informally defined business and technical objectives. There is limited stakeholder involvement in IT project management. Initial guidelines have been developed for many aspects of project management. Application of project management guidelines is left to the discretion of the individual project manager.


Page 90: CobiT Foundation Free Training


Maturity Model for PO10 – 3 Defined

The IT project management process and methodology have been established and communicated. IT projects are defined, with appropriate business and technical objectives. Senior IT and business management are beginning to be committed to and involved in the management of IT projects. A project management office is established within IT, with initial roles and responsibilities defined. IT projects are monitored, with defined and updated milestones, schedules, and budget and performance measurements. Project management training is available and is primarily a result of individual staff initiatives. Quality assurance procedures and post-system-implementation activities have been defined but are not broadly applied by IT managers. Projects are beginning to be managed as portfolios.


Page 91: CobiT Foundation Free Training


Maturity Model for PO10 – 4 Managed

Management requires formal and standardized project metrics and the review of lessons learned at project completion. Project management is measured and evaluated throughout the organization and not just within IT. Enhancements to the project management process are formalized and communicated, with project team members trained on the enhancements. IT management has implemented a project organization structure with documented roles, responsibilities, and staff performance criteria. Criteria for evaluating success at each milestone have been established. Value and risk are measured and managed before, during, and after the completion of projects. Projects increasingly address organization goals, rather than only IT-specific ones. There is strong and active project support from senior management sponsors as well as stakeholders. Relevant project management training is planned for employees in the project management office and across the IT function.


Page 92: CobiT Foundation Free Training


Maturity Model for PO10 – 5 Optimized

A proven, full lifecycle project and program methodology is implemented, enforced, and integrated into the culture of the entire organization. An ongoing initiative to identify and institutionalize the best project management practices has been implemented. An IT strategy for sourcing development and operational projects is defined and implemented. An integrated project management office is responsible for projects and programs from inception to post implementation. Organization-wide planning of programs and projects ensures that user and IT resources are best utilized to support strategic initiatives.


Page 93: CobiT Foundation Free Training


IT Assurance Guide

The IT Assurance Guide is organized into an assurance roadmap, an execution roadmap, and detailed testing advice. Its objectives are to:

Demonstrate how to use COBIT to support a variety of IT assurance activities.
Enable users to leverage COBIT when planning and performing assurance reviews, so that business, IT, and assurance professionals are all aligned around a common framework and objectives.
Guide planning, scoping, and executing assurance reviews using a roadmap based on well-accepted assurance approaches, supported by detailed tests that are based on COBIT's processes and control objectives.


Page 94: CobiT Foundation Free Training


Assurance Guide Roadmap

The Assurance Guide roadmap consists of the following three stages:

Planning: Establishing the IT assurance universe for the assurance assignment is the starting point of every assurance initiative.
Scoping: Scoping starts from defining the business and IT goals for the environment under review and identifying the set of IT processes and resources (that is, the assurance universe) required to support those goals.
Execution: The third stage of the IT assurance roadmap describes an approach that assurance professionals can follow, including the core testing activities, as they execute a particular assurance initiative.


Page 95: CobiT Foundation Free Training


Execution Roadmap

The execution roadmap consists of the following six stages:

Refine the understanding of the IT assurance subject.
Refine the scope of key control objectives of the IT assurance subject.
Test the effectiveness of the control design of the key control objectives.
Test the outcome of the key control objectives.
Document the impact of control weaknesses.
Develop and communicate the overall conclusion and recommendations.


Page 96: CobiT Foundation Free Training


Thank You For Your Time and Interest

For more information about CPE and Certification accredited training, please visit our training information pages at http://www.enterprisegrc.com
