- Number of slides: 40
COBIT Framework
ISACA PR - 5th Symposium
John R. Robles
787-647-3961
jrobles@coqui.net
www.johnrrobles.com

A High-level Overview of the COBIT Principles, Structure, and Framework

"This information is copyrighted by the IT Governance Institute and Information Systems Audit and Control Association. Any commercial use is strictly forbidden. It may, however, be used for educational or promotional purposes by ISACA members and chapters on a not-for-profit basis."

© ITGI, ISACA - not for commercial use.
Why does IT need a control and governance framework?
Do any of these conditions sound familiar?
- Increasing pressure to leverage technology in business strategies
- Growing complexity of IT environments
- Fragmented IT infrastructures
- Demand for technologists outstripping supply
- Communication gap between business and IT managers
- IT service levels that are disappointing
- IT costs perceived to be out of control
- Marginal ROI/productivity gains on technology investments
- Impaired organisational flexibility and nimbleness to change
- User frustration leading to ad hoc solutions
- IT managers operating like firefighters
IT Governance Model
(Diagram: the four domains PO, AI, DS, MO)
IT governance helps ascertain how automated systems:
- Simplify operations
- Cut costs
- Increase revenue
Needs an IT Control Framework
Principles - COBIT: An IT Control Framework
- Generally applicable and accepted international standard for good practice for IT controls
- For application to enterprisewide information systems
- Technology-independent
- Starting from business requirements for information
- Management- and business process owner-oriented
- Based on ISACA's Control Objectives
- Includes existing standards and regulations
  - Aligned with de jure and de facto standards and regulations
  - Based on critical review of tasks and activities or process focus
  - ISO, EDIFACT and others
  - Codes of Conduct issued by Council of Europe
  - Professional standards in auditing: COSO, IFAC, IIA, ISACA, AICPA, etc.
- First published in April 1996, second edition in 1998, third in July 2000
- Has become the de facto standard for control over IT
- Fundamental in achieving IT governance
Concepts - COBIT: An IT Control Framework
- Starts from the premise that IT needs to deliver the information that the enterprise needs to achieve its objectives
- Promotes process focus and process ownership
- Divides IT into 34 processes belonging to four domains and provides a high-level control objective for each
  - Plan and Organise
  - Acquire and Implement
  - Deliver and Support
  - Monitor and Evaluate
- Looks at fiduciary, quality and security needs of enterprises, providing seven information criteria that can be used to generically define what the business requires from IT
  - Effectiveness
  - Efficiency
  - Availability
  - Integrity
  - Confidentiality
  - Reliability
  - Compliance
- Is supported by a set of over 300 detailed control objectives
COBIT: An IT Control Framework
Why should an organisation adopt COBIT?
- IT is an important element of corporate governance and management accountability.
- Ensure business-oriented solutions.
- Framework for risk assessment
- As a means to communicate with all stakeholders
- Authoritative basis (internationally accepted, exhaustive, evolving)
(Diagram: IT Domains, Processes, IT Control Objectives, IT Control Practices; supported by Critical Success Factors, Outcome Measures, Key Performance Indicators and the Maturity Model)
COBIT: An IT Control Framework
Business
- Relates to business requirements
- Links to business processes
- Empowers business owners
Process
"To provide the information the organisation needs to achieve its objectives, IT resources need to be managed by a set of naturally grouped processes."
- Decomposed IT into four domains and 34 processes
- Domains: (plan-build-run) + monitor
- Control, audit, implementation and performance management knowledge structured by process
Framework - COBIT: An IT Control Framework
(Diagram: Business Requirements, IT Processes, IT Resources)
COBIT Framework - How do they relate?
IT Resources
- Data
- Information Systems
- Technology
- Facilities
- Human Resources
IT Processes
- Plan and Organise
- Acquire and Implement
- Deliver and Support
- Monitor and Evaluate
Business Requirements
- Effectiveness
- Efficiency
- Confidentiality
- Integrity
- Availability
- Compliance
- Information Reliability
COBIT Framework - How do they relate?
IT Resources: the resources made available to, and built up by, IT
- Data
- Information Systems
- Technology
- Facilities
- Human Resources
IT Processes: how IT is organised to respond to the requirements
- Planning and organisation
- Acquisition and implementation
- Delivery and Support
- Monitoring
Business Requirements: what the stakeholders expect from IT
- Effectiveness
- Efficiency
- Confidentiality
- Integrity
- Availability
- Compliance
- Information Reliability
IT Processes - COBIT Framework
- Domains: natural grouping of processes, often matching an organisational domain of responsibility
- Processes: a series of joined activities with natural control breaks
- Activities or tasks: actions needed to achieve a measurable result. Activities have a life cycle whereas tasks are discrete.
IT Resources - COBIT Framework
- Data: data objects in their widest sense, i.e., external and internal, structured and unstructured, graphics, sound, etc.
- Application Systems: understood to be the sum of manual and programmed procedures
- Technology: covers hardware, operating systems, database management systems, networking, multimedia, etc.
- Facilities: resources to house and support information systems
- People: staff skills, awareness and productivity to plan, organise, acquire, deliver, support and monitor information systems and services
COBIT Framework
IT Domains (natural grouping of processes, often matching an organisational domain of responsibility)
- Plan and Organise
- Acquire and Implement
- Deliver and Support
- Monitor and Evaluate
IT Processes (a series of joined activities with natural (control) breaks)
- IT Strategy
- Policy and Procedures
- Feasibility Study
- Acceptance Testing
- Change Management
- Contingency Planning
- Problem Management
Activities (actions needed to achieve a measurable result; activities have a life cycle whereas tasks are discrete)
- Record New Problem
- Analyse
- Propose Solution
- Monitor Solution
- Record Known Problem
- Etc.
COBIT Domains - Domain: Plan and Organise (PO)
Topics
- Strategy and tactics
- Vision planned
- Organisation and infrastructure
Questions
- Are IT and the business strategy aligned?
- Is the enterprise achieving optimum use of its resources?
- Does everyone in the organisation understand the IT objectives?
- Are IT risks understood and being managed?
- Is the quality of IT systems appropriate for business needs?
Plan and Organise
- PO 1—Define a strategic IT plan
- PO 2—Define the information architecture
- PO 3—Determine the technological direction
- PO 4—Define the IT processes, organization and relationships
- PO 5—Manage the IT investment
- PO 6—Communicate management aims and direction
- PO 7—Manage IT human resources
- PO 8—Manage quality
- PO 9—Assess and manage IT risks
- PO 10—Manage projects
COBIT Domains - Domain: Acquire and Implement (AI)
Topics
- IT solutions
- Changes and maintenance
Questions
- Are new projects likely to deliver solutions that meet business needs?
- Are new projects likely to deliver on time and within budget?
- Will the new systems work properly when implemented?
- Will changes be made without upsetting current business operations?
Acquire and Implement
- AI 1—Identify automated solutions
- AI 2—Acquire and maintain application software
- AI 3—Acquire and maintain technology infrastructure
- AI 4—Enable operation and use
- AI 5—Procure IT resources
- AI 6—Manage changes
- AI 7—Install and accredit solutions and changes
COBIT Domains - Domain: Deliver and Support (DS)
Topics
- Delivery of required services
- Setup of support processes
- Processing by application systems
Questions
- Are IT services being delivered in line with business priorities?
- Are IT costs optimised?
- Is the workforce able to use the IT systems productively and safely?
- Are adequate security, integrity and availability in place?
Deliver and Support
- DS 1—Define and manage service levels
- DS 2—Manage third-party services
- DS 3—Manage performance and capacity
- DS 4—Ensure continuous service
- DS 5—Ensure systems security
- DS 6—Identify and allocate costs
- DS 7—Educate and train users
- DS 8—Manage service desk and incidents
- DS 9—Manage the configuration
- DS 10—Manage problems
- DS 11—Manage data
- DS 12—Manage the physical environment
- DS 13—Manage operations
COBIT Domains - Domain: Monitor and Evaluate (ME)
Topics
- Assessment over time, delivering assurance
- Management's oversight of the control system
- Performance measurement
Questions
- Can IT's performance be measured and can problems be detected before it is too late?
- Is independent assurance needed to ensure that critical areas are operating as intended?
Monitor and Evaluate
- ME 1—Monitor and evaluate IT performance
- ME 2—Monitor and evaluate internal control
- ME 3—Ensure regulatory compliance
- ME 4—Provide IT governance
Waterfall Model - COBIT Framework
The control of IT Processes, which satisfy Business Requirements, is enabled by Control Statements, considering Control Practices.
4 Domains - 34 Processes - 215 Control Objectives
COBIT Framework (process map)
Business Objectives - Criteria
- Effectiveness
- Efficiency
- Confidentiality
- Integrity
- Availability
- Compliance
- Reliability
IT Resources
- Data
- Application systems
- Technology
- Facilities
- People
PLAN AND ORGANISE
- PO 1—Define a strategic IT plan
- PO 2—Define the information architecture
- PO 3—Determine the technological direction
- PO 4—Define the IT processes, organization and relationships
- PO 5—Manage the IT investment
- PO 6—Communicate management aims and direction
- PO 7—Manage IT human resources
- PO 8—Manage quality
- PO 9—Assess and manage IT risks
- PO 10—Manage projects
ACQUIRE AND IMPLEMENT
- AI 1—Identify automated solutions
- AI 2—Acquire and maintain application software
- AI 3—Acquire and maintain technology infrastructure
- AI 4—Enable operation and use
- AI 5—Procure IT resources
- AI 6—Manage changes
- AI 7—Install and accredit solutions and changes
DELIVER AND SUPPORT
- DS 1—Define and manage service levels
- DS 2—Manage third-party services
- DS 3—Manage performance and capacity
- DS 4—Ensure continuous service
- DS 5—Ensure systems security
- DS 6—Identify and allocate costs
- DS 7—Educate and train users
- DS 8—Manage service desk and incidents
- DS 9—Manage the configuration
- DS 10—Manage problems
- DS 11—Manage data
- DS 12—Manage the physical environment
- DS 13—Manage operations
MONITOR AND EVALUATE
- ME 1—Monitor and evaluate IT performance
- ME 2—Monitor and evaluate internal control
- ME 3—Ensure regulatory compliance
- ME 4—Provide IT governance
The Most Important IT Processes
(Survey: 34 processes narrowed to 15, then to 7)
- PO 1: Define a strategic IT plan
- PO 3: Determine the technological direction
- PO 5: Manage the IT investment
- PO 9: Assess and manage IT risks
- PO 10: Manage projects
- AI 1: Identify automated solutions
- AI 2: Acquire and maintain application s/w
- AI 5: Procure IT resources
- AI 6: Manage changes
- DS 1: Define and manage service levels
- DS 4: Ensure continuous service
- DS 5: Ensure systems security
- DS 10: Manage problems
- DS 11: Manage data
- ME 1: Monitor and evaluate IT performance
COBIT—Content
- High-level Control Objective: one per process
- Detailed Control Objectives: three to 30 per process
- Control Practices: five to seven per control objective
COBIT Control Objectives
- Based on the 41 primary references
- Developed following a rigorous research process
- Three to 30 detailed control objectives for each of the 34 processes
- Directed to IT management, IT staff, control and audit functions and business process owners
- For each process, detailed control objectives are identified as "good practice" that need to be in place, and that will be assessed for sufficiency by the controls professional.
- Control objectives provide a working document, a place to start, from which selections need to be made based on the enterprise value and risk drivers.
COBIT Control Objectives - AI 6 MANAGE CHANGES
6.1 Change Request Initiation and Control
IT management should ensure that all requests for changes, system maintenance and supplier maintenance are standardised and are subject to formal change management procedures. Changes should be categorised and prioritised and specific procedures should be in place to handle urgent matters. Change requesters should be kept informed about the status of their request.
6.2 Impact Assessment
A procedure should be in place to ensure that all requests for change are assessed in a structured way for all possible impacts on the operational system and its functionality.
6.3 Control of Changes
IT management should ensure that change management and software control and distribution are properly integrated with a comprehensive configuration management system. The system used to monitor changes to application systems should be automated to support the recording and tracking of changes made to large, complex information systems.
6.4 Emergency Changes
IT management should establish parameters defining emergency changes and procedures to control these changes when they circumvent the normal process of technical, operational and management assessment prior to implementation. The emergency changes should be recorded and authorised by IT management prior to implementation.
COBIT IT Control Practices
Translate COBIT's control objectives into detailed, implementable practices and provide the business argumentation for implementation, from a value and a risk perspective.
- IT control practices are key control mechanisms that support:
  - The achievement of control objectives
  - The prevention, detection and correction of undesired events
- IT control practices achieve that through:
  - Responsible use of resources
  - Appropriate management of risk
  - Alignment of IT with business
COBIT IT Control Practices
(Image only)
COBIT—Example Process AI 6 Manage Change
AI 6.4 Emergency Changes
IT management should establish parameters defining emergency changes and procedures to control these changes when they circumvent the normal process of technical, operational and management assessment prior to implementation. The emergency changes should be recorded and authorised by IT management prior to implementation.
IT Control Practices
1. Management has defined parameters, characteristics and procedures that allow it to identify and declare emergencies.
2. All emergency changes are documented, if not before, then after implementation.
3. All emergency changes are tested, if not before, then after implementation.
4. All emergency changes are formally authorised by the system owner and management, before implementation.
5. Before and after images as well as intervention logs are retained for subsequent review.
Why do it?
Controlling emergency changes by implementing the control practices will:
- Ensure emergency procedures are used in declared emergencies only
- Ensure urgent changes can be implemented without compromising confidentiality, integrity, availability, reliability and accuracy
The COBIT Framework - How Is COBIT Used? (Results from Surveys)
- To improve audit approach/programs
- To support audit work with detailed audit guidelines
- To provide guidance for IT governance
- As a valuable benchmark for IS/IT control
- To improve IS/IT controls
- To standardise audit approach/programs
COBIT—Benefits
What
- Comfort about:
  - Dependence on IT
  - IT risks are mitigated
  - IT delivers value
- Assurance of:
  - Cost down and revenue up
  - Business operations improved
  - Service levels maintained
Who
- Executive
- Business manager
- IT manager
- Project manager
- Developer
- Operations staff
- User
- Security officer
- Auditor
The COBIT Framework - Why Is COBIT Used? (Testimonials from Case Studies)
- Helps substantially increase acceptance and reduce time needed to implement IT governance program
- Provides a guide for formal audits/reviews
- Helps use results of audits as an opportunity to plan improvements
- Strong factor in achieving primary goals for IT governance: transform organisational practices and pursue improved processes
- Provides economical continuous improvement framework
- Management's decision on controls needed was based on a credible source (COBIT)
- IT operations manager impressed with COBIT's ability to help him understand what auditors want
- Ideal for business management
- Reliable source reference that ensures identification of all major risk areas
- Improves communications and relations with IT management
COBIT Products - Management Guidelines
- Provide management direction for:
  - Getting the enterprise's information and related processes under control
  - Monitoring achievement of organisational goals
  - Monitoring and improving performance within each IT process
  - Benchmarking organisational achievement
- Action-oriented and generic
- Provide answers to typical management questions:
  - How far should we go in controlling IT, and is the cost justified by the benefit?
  - What are the indicators of good performance?
  - What are the critical success factors?
  - What are the risks of not achieving our objectives?
  - What do others do?
  - How do we measure and compare?
IT Governance Implementation Guide
Road Map
- Identify needs
- Envision the solution
- Plan the solution
- Implement the solution
Approach
- Business value and risk analysis
- As-is and to-be positions
- Gap analysis
- Project identification and initiation
Biggest Challenge = Sustainable Solutions
- Establish policy, objectives and targets
- Implement policy, responsibilities, processes and procedures
- Measure performance against policy and external best practice
- Take corrective and preventive action and continuously improve
- Measure success of the change projects
- Provide feedback into other improvement projects
IT Governance Implementation Guide - Implementation Road Map
Identify needs
- Raise awareness and make decision
- Analyse values and risks
- Select processes
Envision the solution
- Define where you are
- Define where you want to be
- Analyse gaps
Plan the solution
- Define projects
- Develop and implement change plan
Implement the solution
- Integrate into day-to-day practices
- Integrate measures into IT BSC
- Post-implementation review
- Feedback (into the cycle)
IT Governance Implementation Guide - Implementation Manual
Conclusion—COBIT Values (present and future)
- Sharing knowledge and leveraging expert volunteers
- Internationally accepted good practices
- Continually evolves
- Maintained by reputable not-for-profit organisation
- Maps strongly onto all major related standards
- Is management-oriented
- Is supported by tools and training
- Maps completely to ISO 17799 and COSO
- Provide action-oriented solutions
Summary of COBIT 4.0 Domains and Processes
PLAN AND ORGANISE
- PO 1—Define a strategic IT plan
- PO 2—Define the information architecture
- PO 3—Determine the technological direction
- PO 4—Define the IT processes, organization and relationships
- PO 5—Manage the IT investment
- PO 6—Communicate management aims and direction
- PO 7—Manage IT human resources
- PO 8—Manage quality
- PO 9—Assess and manage IT risks
- PO 10—Manage projects
ACQUIRE AND IMPLEMENT
- AI 1—Identify automated solutions
- AI 2—Acquire and maintain application software
- AI 3—Acquire and maintain technology infrastructure
- AI 4—Enable operation and use
- AI 5—Procure IT resources
- AI 6—Manage changes
- AI 7—Install and accredit solutions and changes
DELIVER AND SUPPORT
- DS 1—Define and manage service levels
- DS 2—Manage third-party services
- DS 3—Manage performance and capacity
- DS 4—Ensure continuous service
- DS 5—Ensure systems security
- DS 6—Identify and allocate costs
- DS 7—Educate and train users
- DS 8—Manage service desk and incidents
- DS 9—Manage the configuration
- DS 10—Manage problems
- DS 11—Manage data
- DS 12—Manage the physical environment
- DS 13—Manage operations
MONITOR AND EVALUATE
- ME 1—Monitor and evaluate IT performance
- ME 2—Monitor and evaluate internal control
- ME 3—Ensure regulatory compliance
- ME 4—Provide IT governance
The COBIT Framework
IT Governance Institute
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
+1.847.590.7491
info@itgi.org
info@isaca.org
www.itgi.org

John R. Robles and Associates
787-647-3961
jrobles@coqui.net
www.johnrrobles.com