
Number of slides: 79
An Introduction to CobiT 4.1 & Mapping CobiT to other Frameworks and Standards
Jimmy Heschl [Senior Manager, KPMG Austria]
Some Personal Information
• KPMG Austria
– Senior Manager
– IRM - Information Risk Management
– IT Advisory
– Implementation of IT processes, based on COSO, CobiT, ITIL, …
• Board member of ISACA Austria
• Member of the CobiT Steering Committee
• Book: IT Governance
• Involved in creation of CobiT 4.0 & 4.1
• Responsible for CobiT Mapping Project(s)
• Author of
– CobiT Mapping – Overview of International IT Guidance, 2nd Edition
– CobiT Mapping – Mapping of ISO/IEC 17799:2000 with CobiT
– CobiT Mapping – Mapping of ITIL with CobiT
• Translation of CobiT into German Language
• CISA, CISM, ITIL Foundation, ITIL Service Management, ...

Agenda
• IT Governance
• CobiT
– Content
– Updates
• Integration of Standards
– ITIL
– ISO 17799
– others

What is IT Governance?
• Terminology
– kybernân – „To guide / steer a boat“
• Corporate Governance
– is the system by which companies are directed and controlled. (Cadbury Report)
• IT Governance
– is the responsibility of the board of directors and executive management. It is an integral part of enterprise governance and consists of the leadership and organisational structures and processes that ensure that the organisation's IT sustains and extends the organisation's strategies and objectives. (IT Governance Institute)
What is IT Governance?
[Figure: IT governance cycle – Set Objectives, IT Activities, Measure Performance, Compare, Provide Direction]
Objectives:
• IT is aligned with the business
• IT enables the business & maximises benefits
• IT resources are used responsibly
• IT-related risks are managed appropriately
IT Activities:
• Increase automation (make the business effective)
• Decrease cost (make the enterprise efficient)
• Manage risks (security, reliability & compliance)
Other IT management practices
• In theory
– IT Management
– IT Service Management
– IT Project Management
– IT/Information Security Management
– IT Audit

Other disciplines
• IT Management
• IT Service Management
• IT Project Management
• IT Security Management
• IT Audit
• …

Organisational view
[Figure: organisation chart – Stakeholder, CEO, CFO, CIO, CMO, OPs, AD, SD; IT Governance at the CxO level, IT xyz Management below]
IT Governance Standards
• Demanding
– Legislation concerning Internal Control Over Financial Reporting
– Risk management
– Special legislation
– Your customers
• Supporting
– CobiT
– ITIL
– ISO 17799 / 2700x
– CMMI
– PMBOK
– PRINCE2
– … and many more
CobiT
• COBIT® = Control OBjectives for Information and Related Technology
• Process-oriented framework for IT Governance
• Focused on business goals and how IT supports their achievement
• A tool for
– Business management
– IT process managers
• First developed in 1992
• Issued by IT Governance Institute
• Accepted globally as the de facto standard for an IT control framework
• Documents can be downloaded from www.isaca.org
How is CobiT Developed and Maintained?
• ITGI's independent status and desire to promote openly available guidance is a key influencing factor
• CobiT Steering Committee of volunteers and a management team drive the CobiT strategy and developments
• Over 100 experts from around the world (members, industry players) and eight volunteer teams form a unique support team (BE, UK, DK, AU, ZA plus Chicago, San Francisco and DC in the US)
• Development teams create new content with no commercial pressures
• ISACA/ITGI International HQ provide support services to produce and distribute the finished products
• CobiT 4.0 has been a two-year effort with many interconnected projects

CobiT History
• CobiT has evolved from an auditor's tool to an IT governance framework, used increasingly by IT management
[Figure: timeline – CobiT 1 (1996), CobiT 2 (1998), CobiT 3 (2000), CobiT 4 (2005); scope growing from Audit to Control to Management to Governance]
Where has CobiT 4.0 Focused?
– IT Governance – Better coverage with governance practices in key processes to enable executives and the business to take their responsibility
– Business Requirements – Better business to IT linkages with cascading goals and supporting metrics
– Harmonisation – Improved integration with other key practices
– Value Creation – Extended focus on risk-adjusted IT investments
– Enterprise Architecture – Process structure and resources
– Process Definitions and Process Flows – Improved process descriptions, activities, inputs and outputs
– Language and Presentation – More concise, action-oriented and consolidated into one book
– Feedback – Responded to user comments
Top-down approach

CobiT 4.0 Focus
[Figure: Business requirements and Governance requirements influence Business Goals for IT; Information Services deliver against Information Criteria; Business Goals for IT → IT Goals → IT Processes (run with responsibilities), which require Information, Applications, Infrastructure and staff – the Business Architecture for IT]

Linking Business Goals to IT Goals

Linking IT Goals to IT Processes
CobiT Components
[Figure: Business requirements for information; Control Objectives (controlled by); Control Practices (implemented with); Audit Guidelines (audited by); IT Processes (performed by; made effective and efficient with); Key Goal Indicators (measured by, for outcome); Key Performance Indicators (for performance); Activity Goals (translated to); Maturity Models. Management focus vs. Audit focus.]
CobiT IT Processes
Plan and Organise
– PO1 Define a strategic IT plan.
– PO2 Define the information architecture.
– PO3 Determine technological direction.
– PO4 Define the IT processes, organisation and relationships.
– PO5 Manage the IT investment.
– PO6 Communicate management aims and direction.
– PO7 Manage IT human resources.
– PO8 Manage quality.
– PO9 Assess and manage IT risks.
– PO10 Manage projects.
Acquire and Implement
– AI1 Identify automated solutions.
– AI2 Acquire and maintain application software.
– AI3 Acquire and maintain technology infrastructure.
– AI4 Enable operation and use.
– AI5 Procure IT resources.
– AI6 Manage changes.
– AI7 Install and accredit solutions and changes.
Deliver and Support
– DS1 Define and manage service levels.
– DS2 Manage third-party services.
– DS3 Manage performance and capacity.
– DS4 Ensure continuous service.
– DS5 Ensure systems security.
– DS6 Identify and allocate costs.
– DS7 Educate and train users.
– DS8 Manage service desk and incidents.
– DS9 Manage the configuration.
– DS10 Manage problems.
– DS11 Manage data.
– DS12 Manage the physical environment.
– DS13 Manage operations.
Monitor and Evaluate
– ME1 Monitor and evaluate IT performance.
– ME2 Monitor and evaluate internal control.
– ME3 Ensure regulatory compliance.
– ME4 Provide IT governance.
CobiT Core Content
• Framework
• 34 CobiT IT Processes
– Process overview
– Control Objectives
– Management Guidelines
• RACI-Chart
• Inputs & Outputs
• Goals & Metrics
• Specific Maturity Model
[Figure: Framework, Control Objectives, Management Guidelines, Maturity Models]

For 34 IT processes you have …
• Process Overview (process description; IT domain & Information indicators; IT goals, Process goals, Key practices, Key metrics; IT Governance & IT Resource indicators)
• RACI chart
• Inputs
• Outputs
• IT Goals and Metrics
• Process Goals and Metrics
• Activity Goals and Metrics
• A complete measurement system
• Control Objectives
• Specific Maturity model
– From
– Via
– to
Generic Maturity Model
Overall Process Maturity Attributes:
• Awareness and Communication
• Policies, Standards and Procedures
• Tools and Automation
• Skills and Expertise
• Responsibility and Accountability
• Goal Setting and Measurement
[Figure: maturity scale 1 to 5 per attribute, from as-is via improvement measures to to-be]
CobiT Core Content
WHAT: Framework, Control Objectives, Management Guidelines, Maturity Models

CobiT More Content
WHAT: Framework, Control Objectives (Control Objective → Control Practices), Management Guidelines, Maturity Models; Value, Risk; Assurance Approach Steps

Implementation
WHAT: as above
HOW: Board Briefing (Executive, CIO), Baseline for IT Governance, Implementation Guide using CobiT

Assurance
WHAT: as above
HOW (Implementation): Board Briefing (Executive, CIO), Baseline for IT Governance, Implementation Guide using CobiT
HOW (Assurance): Board Briefing (CIO, Audit Director), IT Governance, IT Assurance, Implementation Guide using CobiT
CobiT 4.0 and 4.1
• Changes in the Core Content
– No fundamental update to the framework but fine-tuning
– Executive Overview enhanced
– Better explanation of Performance Measurement
– Control Objectives
• Control Practices
• Val IT development
• Grouped / reworded control objectives
– Application Controls
– List of Business and IT Goals (appendix I)
Future developments
• No radical changes of CobiT in the next years
• Ongoing update and improvement
• Alignment of CobiT-Products
– CobiT Online
– Quick Start
– Mapping
– Slicing & Dicing
– Val IT & Risk IT
• CobiT has a BIG impact
– Relationship Governance, Business and IT
– Control Objectives for Business and IT
CobiT Mapping Project
• Started in 2003
• Integration of Standards
• Update of CobiT
CobiT Mapping Project
• Started in 2003
• Integration of Standards
• Update of CobiT
• Further mappings
– In progress
• TOGAF (Architecture)
• COSO ERM
• GBPM
– On our radar
• ITIL v3
• FFIEC (US banking)
• NIAC (Insurance)
• NIST SP 800-53
• FISMA
• IAIS Framework (Solvency II)
• HIPAA (Health Insurance)
• GLBA (Privacy)
• ISO 19770-1 (SW Asset Mgmt)
• ISO 20000 (Service Mgmt)
• ISO 27005 (Risk Mgmt)
• ISO 27002 (ISO 17799)
ITIL
• IT Infrastructure Library
• Issued by OGC
• Best practice for IT service management
• Certification
– Personnel
– Organisations
• BS 15000
• ISO 20000
• ITIL v3

ITIL Overview

CobiT & ITIL
ISO/IEC 17799:2005
• Issued by ISO
• Best Practice for Information Security
• Defines
– Security Categories
– Control Objectives
– Illustrative Controls
• History
– CoP for Security Management
– BS 7799 Part 1
– ISO/IEC 17799:2000
• Future
– ISO/IEC 27002
• Certification for organisations available
– ISO/IEC 27001:2005
– BS 7799 Part 2

ISO/IEC 17799:2005
• Security Categories
– Security policy
– Organisation of information security
– Asset management
– Human resources security
– Physical and environmental security
– Communications and operations management
– Access control
– Information systems acquisition, development and maintenance
– Information security incident management
– Business continuity management
– Compliance
CobiT & ISO/IEC 17799:2005

CobiT and many others …
Qualitative comparison
[Figure, built up over several slides: a map with the axes Governance / Management / Operative and Plan / Build / Run, placing COSO, TOGAF, ISO 17799, ITIL and CMMI against the CobiT 4.1 Core Content and the CobiT 4.1 additions]
Gartner's Advice
• Combine Cobit and ITIL for Powerful IT Governance
• Strong framework tools are essential for ensuring IT resources are aligned with an enterprise's business objectives, and that services and information meet quality, fiduciary and security needs.
• Bottom Line: CobiT and ITIL are not mutually exclusive and can be combined to provide a powerful IT governance, control and best-practice framework in IT service management. Enterprises that want to put their ITIL program into the context of a wider control and governance framework should use CobiT.
• Source: Technical Guidelines, TG-16-1849, S. Mingay, S. Bittinger
Forrester's Advice
• Establish frameworks to ease Governance Implementation
– First CobiT for overall governance
– Then ITIL for service delivery and management
– Then ISO 17799 for information security
– Balanced Scorecard for measurement and communication
• Source: Helping Business Thrive On Technology Change, A Road Map To Comprehensive IT Governance, Craig Symons
Conclusion
• An overall control framework should be applied for IT governance and management
• A wide range of Good & Best Practices is available
• CobiT is an excellent Framework
• IT should not re-invent the wheel
• Good & Best Practices can be integrated into CobiT
• It is possible
• It can be done
• External, independent support is beneficial
For More Information:
Jimmy Heschl, CISA, CISM
Senior Manager
KPMG Austria
jheschl@kpmg.at
Get your IT under control! If you don't, IT will control you!

Questions?
Click on the questions tab on your screen, type in your question (and name if you wish) and hit send.