- Number of slides: 33
Basic principles of IT Governance
Lukáš Neduchal FCCA, CISA, CRISC - Member of the Board of ISACA Slovensko - Director | Advisory Services | Ernst & Young, k. s.
Content
- IT Governance – expected knowledge?
- Used practices (COBIT 5): Goals, Domains, Basic principles
- IT alignment – what does it mean?
- IT Security within IT Governance?
- Suggested activities for board members
ISACA & ITGI
ISACA History and Mission
ISACA was incorporated in 1969 by a small group of individuals who recognized a need for a centralized source of information and guidance in the growing field of auditing controls for computer systems. Today, ISACA has more than 110,000 constituents worldwide. As an independent, nonprofit, global association, ISACA engages in the development, adoption and use of globally accepted, industry-leading knowledge and practices for information systems. Previously known as the Information Systems Audit and Control Association, ISACA now goes by its acronym only, to reflect the broad range of IT governance professionals it serves.
Source: ISACA.org © ISACA. Used with permission
ISACA Certifications
- CISA: The certification is world-renowned as the standard of achievement for those who audit, control, monitor and assess an organization's information technology and business systems.
- CISM: The management-focused CISM is the globally accepted standard for individuals who design, build and manage enterprise information security programs. CISM is the leading credential for information security managers.
- CGEIT: Recognizes a range of professionals for their knowledge and application of enterprise IT governance principles and practices. CGEIT provides you the credibility to discuss critical issues around governance and strategic alignment based on your recognized skills, knowledge and business experience.
- CRISC (pronounced "see-risk"): The only certification that positions IT professionals for future career growth by linking IT risk management to enterprise risk management, and positioning them to become strategic partners to the business.
Source: ISACA.org © ISACA. Used with permission
ITGI (The IT Governance Institute)
ISACA formed the ITGI to focus on original research, publications, resources and symposia on IT governance and related topics.
History and Mission: The IT Governance Institute (ITGI) was established in 1998 to advance international thinking and standards in directing and controlling an enterprise's information technology. ITGI offers original research on global practices and perceptions relative to governance and management of IT.
Activities: Conducts original research on governance of enterprise IT and offers several publications as complimentary downloads on the ITGI web site.
Governance of Enterprise IT and COBIT 5
The Importance of IT
Boards usually expect management to:
- Deliver IT solutions of the right quality, on time and on budget
- Harness and exploit IT to return business value
- Leverage IT to increase efficiency and productivity while managing IT risks
The ultimate reason why IT governance is important is that expectations and reality often do not match.
Source: Board Briefing on IT Governance, 2nd edition © ISACA p. 13. Used with permission
Signs of ineffective IT governance?
- Business losses, damaged reputations or weakened competitive positions
- Deadlines not met, costs higher than expected and quality lower than anticipated
- Enterprise efficiency and core processes negatively impacted by poor quality of IT deliverables
- Failures of IT initiatives to bring innovation or deliver the promised benefits, or even to be delivered at all
The Purpose and Objectives of IT Governance
IT governance practices aim at ensuring that expectations for IT are met, IT's performance is measured, its resources are managed and its risks are mitigated. The objectives are:
- to understand the issues and the strategic importance of IT
- to ensure that the enterprise can sustain its operations
- to ascertain that it can implement the strategies required to extend its activities into the future
Source: Board Briefing on IT Governance, 2nd edition © ISACA p. 7. Used with permission
Enterprise governance and IT governance
Enterprise governance is a set of responsibilities and practices exercised by the board and executive management with the goal of:
- providing strategic direction
- ensuring that objectives are achieved
- ascertaining that risks are managed appropriately
- verifying that the enterprise's resources are used responsibly
IT governance, as part of enterprise governance, covers:
- Aligning IT strategy with the business strategy
- Cascading strategy and goals down into the enterprise
- Providing organizational structures that facilitate the implementation of strategy and goals
Source: Board Briefing on IT Governance, 2nd edition © ISACA p. 7. Used with permission
COBIT 5 In Summary … COBIT 5 brings together the five principles that allow the enterprise to build an effective governance and management framework based on a holistic set of seven enablers that optimises information and technology investment and use for the benefit of stakeholders. Source: COBIT® 5, © 2013 ISACA ® Used with permission.
COBIT 5 Product Family Source: COBIT® 5, figure 11. © 2013 ISACA ® Used with permission.
COBIT 5: Now One Complete Business Framework for Governance of Enterprise IT
Evolution of scope (Audit, Control, Management, IT Governance, Governance of Enterprise IT):
- COBIT 1 (1996)
- COBIT 2 (1998)
- COBIT 3 (2000)
- COBIT 4.0/4.1 (2005/7)
- Val IT 2.0 (2008)
- Risk IT (2009)
- COBIT 5 (2012)
A business framework from ISACA, at www.isaca.org/cobit
Source: COBIT 5-Introduction-1.pptx © ISACA. Used with permission
ISO/IEC 38500:2008 (Corporate governance of information technology)
1.1 Scope: This standard applies to the governance of management processes (and decisions) relating to the information and communication services used by an organization.
2.2 Model: Directors should govern IT through three main tasks:
a) Evaluate the current and future use of IT.
b) Direct preparation and implementation of plans and policies to ensure that use of IT meets business objectives.
c) Monitor conformance to policies, and performance against the plans.
Source: COBIT 5-Introduction-1.pptx © ISACA. Used with permission
Governance and Management in COBIT 5
Governance ensures that enterprise objectives are achieved by evaluating stakeholder needs, conditions and options; setting direction through prioritisation and decision making; and monitoring performance, compliance and progress against agreed direction and objectives (EDM).
Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives (PBRM).
Exercising governance and management effectively in practice requires appropriately using all enablers. The COBIT process reference model allows us to focus easily on the relevant enterprise activities.
The five EDM governance processes:
- EDM01 Ensure governance framework setting and maintenance.
- EDM02 Ensure benefits delivery.
- EDM03 Ensure risk optimization.
- EDM04 Ensure resource optimization.
- EDM05 Ensure stakeholder transparency.
Source: COBIT 5-and-GRC.pptx © ISACA. Used with permission
EDM: five governance processes, and the management domains of processes (Plan, Build, Run, Monitor), alongside GRC.
Source: COBIT® 5, figure 16. © 2012 ISACA® Used with permission.
Source: COBIT 5 -Framework-English. pdf, figure 25 © 2012 ISACA ® Used with permission.
Example Source: COBIT® 5, © ISACA® Used with permission.
EDM 01 Activities Source: COBIT® 5, © ISACA® Used with permission. Example
EDM 01 RACI Chart Example
In addition to activities, COBIT 5 suggests accountabilities and responsibilities for enterprise roles and governance/management structures (RACI charts) for each process. These include a compliance-related role.
Source: COBIT® 5, © ISACA® Used with permission.
COBIT 5 … IT Governance
Fundamentally, IT governance is concerned about two things:
- IT's delivery of value to the business, driven by strategic alignment of IT with the business.
- Mitigation of IT risks, driven by embedding accountability into the enterprise.
Both need to be supported by adequate resources and measured to ensure that the results are obtained.
Source: COBIT 5-Introduction-1.pptx © ISACA. Used with permission
5 Focus Areas of IT Governance
This leads to the five main focus areas for IT governance, all driven by stakeholder value. Two of them are outcomes: value delivery and risk management. Three of them are drivers: strategic alignment, resource management (which overlays them all) and performance measurement.
Source: Board Briefing on IT Governance, 2nd edition © ISACA p. 19-20. Used with permission
Understanding IT Governance as a process
IT governance is also a process in which the IT strategy drives the IT processes, which obtain the resources necessary to execute their responsibilities. The IT processes report against these responsibilities on process outcome, performance, risks mitigated and accepted, and resources consumed. These reports should either confirm that the strategy is properly executed or provide indications that strategic redirection is required.
Source: Board Briefing on IT Governance, 2nd edition © ISACA p. 19-20. Used with permission
The board should drive enterprise alignment by:
- Ascertaining that IT strategy is aligned with enterprise strategy.
- Ascertaining that IT delivers against the strategy through clear expectations and measurement.
- Directing IT strategy by addressing the level and allocation of investments, balancing the investments between supporting and growing the enterprise and by making considered decisions about where IT resources should be focused.
- Ensuring a culture of openness and collaboration among the business, geographical and functional units of the enterprise.
Source: Board Briefing on IT Governance, 2nd edition © ISACA p. 17. Used with permission
IT Strategic Alignment
But who should be responsible for strategic alignment between IT and the business? Should it be the chief information officer (CIO) and the IT function, or should it be the CEO and the business executives, or should it be equally shared between both?
To help enable this (cascading):
- Board members should take an active role in IT strategy or similar committees.
- CEOs should provide organizational structures to support the implementation of IT strategy.
- CIOs must be business-oriented and provide a bridge between
Source: Board Briefing on IT Governance, 2nd edition © ISACA p. 15. Used with permission
The board should direct management to deliver measurable value through IT by:
- Delivering solutions and services with the appropriate quality, on time and on budget.
- Enhancing reputation, product leadership and cost-efficiency.
- Providing customer trust and competitive time-to-market.
Source: Board Briefing on IT Governance, 2nd edition © ISACA p. 17. Used with permission
The board should manage enterprise risk by:
- Ascertaining that there is transparency about the significant risks to the enterprise and being aware that the final responsibility for risk management rests with the board.
- Being conscious that risk mitigation can generate cost-efficiencies.
- Considering that a proactive risk management approach can create competitive advantage.
- Insisting that risk management be embedded in the operation of the enterprise.
- Ascertaining that management has put processes, technology and assurance in place for information security to ensure that:
Source: Board Briefing on IT Governance, 2nd edition © ISACA p. 17. Used with permission
and growth and manage resources by:
- Maintaining awareness of new IT developments and opportunities.
- Ensuring that IT resources are able to support current and expected business requirements.
- Committing to improving the efficiency and effectiveness of the IT infrastructure.
- Sustaining an adequate investment in staff education, development and training for IT operations and developments.
Source: Board Briefing on IT Governance, 2nd edition © ISACA p. 17. Used with permission
The board should also measure performance by:
- Defining and monitoring measures together with management to verify that objectives are achieved, and measuring performance to eliminate surprises.
- Leveraging a system of balanced business scorecards maintained by management.
Note: "Pragmatic practices in support of the board's governance requirements are listed in appendix B, Board IT Governance Tool Kit".
Source: Board Briefing on IT Governance, 2nd edition © ISACA p. 17. Used with permission
How Should Executive Management Address the Expectations?
- Cascade strategy, policies and goals down into the enterprise and align the IT organization with the enterprise goals.
- Provide organizational structures to support the implementation of IT strategies and an IT infrastructure to facilitate the creation and sharing of business information.
- Embed clear accountabilities for risk management and control over IT into the organization, based on a clear risk policy and comprehensive control framework.
- Measure performance by having outcome measures for the business value and competitive advantage that IT delivers, and performance drivers to show how well IT performs. Use few but precise performance measures, directly and demonstrably linked to strategy.
Source: Board Briefing on IT Governance, 2nd edition © ISACA p. 18. Used with permission
How Should Executive Management Address the Expectations? (continued)
- Focus on the core business competencies IT must support, which are those business processes that add customer value, differentiate the enterprise's products and services in the marketplace, and add value across multiple products and services over time.
- Focus on important IT processes that improve business value, such as change, applications and problem management. Management must become aggressive in defining these processes and their associated responsibilities.
- Focus on core IT competencies that usually relate to planning and overseeing the management of IT assets, risks, projects, customers and vendors (also supported by an IT
Source: Board Briefing on IT Governance, 2nd edition © ISACA p. 18. Used with permission