Transcript of: ISACA's COBIT Assessment Programme (ISACA Capitolo di Milano)
Capitolo di Milano (ISACA Milan Chapter)
ISACA's COBIT Assessment Programme
What is the new COBIT assessment process?
• The COBIT assessment programme is described in COBIT® Process Assessment Model (PAM): Using COBIT® 4.1.
• The PAM brings together two proven 'heavyweights' in the IT arena, ISO and ISACA.
• The COBIT PAM adapts the existing COBIT 4.1 content into an ISO/IEC 15504-compliant process assessment model.
Copyright ISACA 2011. All rights reserved Slide 2
What's different?
• But don't we already have maturity models for COBIT 4.1 processes?
• The new COBIT assessment programme is:
  • A robust assessment process based on ISO/IEC 15504
  • An alignment of COBIT's maturity model scale with the international standard
  • A new capability-based assessment model which includes:
    • Specific process requirements derived from COBIT 4.1
    • The ability of a process to achieve the process attributes defined in ISO/IEC 15504
    • Evidence requirements
    • Assessor qualification and experience requirements
• The result is a more robust, objective and repeatable assessment.
• Assessment results will likely differ from those of the existing COBIT maturity models: the capability scale is not the old maturity scale, so existing maturity scores cannot be read as capability levels.
Assessment Overview
[Figure: Process Assessment Model and Assessment Process. This figure is reproduced from ISO 15504-2:2003 with the permission of ISO at www.iso.org. Copyright remains with ISO.]
PRM Based on COBIT 4.1 (example: DS1)

Process ID:   DS1
Process Name: Define and Manage Service Levels
Purpose:      Satisfy the business requirement of ensuring the alignment of key IT services with the business needs.

Outcomes (Os)
Number | Description
DS1-O1 | A service management framework is in place to define the organisational structure for service level management, covering the base definitions of services, roles, tasks and responsibilities of internal and external service providers and customers.
DS1-O2 | Internal and external SLAs are formalised in line with customer requirements and delivery capabilities.
DS1-O3 | Operating level agreements (OLAs) are developed to specify the technical processes required to support SLAs.
DS1-O4 | Processes are in place to monitor (and periodically review) SLAs and achievements.

Base Practices (BPs)
Number  | Description                                              | Supports
DS1-BP1 | Create a framework for defining IT services.             | DS1-O1
DS1-BP2 | Build an IT service catalogue.                           | DS1-O1, O2
DS1-BP3 | Define SLAs for critical IT services.                    | DS1-O2
DS1-BP4 | Define OLAs for meeting SLAs.                            | DS1-O3
DS1-BP5 | Monitor and report end-to-end service level performance. | DS1-O4
DS1-BP6 | Review SLAs and underpinning contracts.                  | DS1-O4
DS1-BP7 | Review and update the IT service catalogue.              | DS1-O1
DS1-BP8 | Create a service improvement plan.                       | DS1-O1

Work Products (WPs): Inputs
Number  | Description                                                          | Supports
PO1-WP1 | Strategic IT plan                                                    | DS1-O1, O2, O3, O4
PO1-WP4 | IT service portfolio                                                 | DS1-O1, O2, O3, O4
PO2-WP5 | Assigned data classifications                                        | DS1-O1
PO5-WP3 | Updated IT service portfolio                                         | DS1-O4
AI2-WP4 | Initial planned SLAs                                                 | DS1-O3
AI3-WP7 | Initial planned OLAs                                                 | DS1-O3
DS4-WP5 | Disaster service requirements, including roles and responsibilities  | DS1-O1
ME1-WP1 | Performance input to IT planning                                     | DS1-O1, O2

Work Products (WPs): Outputs
Number  | Description                      | Input To                                   | Supports
DS1-WP1 | Contract review report           | DS2                                        | DS1-O1, O4
DS1-WP2 | Process performance reports      | ME1                                        | DS1-O4
DS1-WP3 | New/updated service requirements | PO1                                        | DS1-O2, O3
DS1-WP4 | SLAs                             | AI1, DS2, DS3, DS4, DS6, DS8, DS13         | DS1-O2
DS1-WP5 | OLAs                             | DS4 to DS8, DS11, DS13                     | DS1-O3
DS1-WP6 | Updated IT service portfolio     | PO1                                        | DS1-O1, O4
Measurement Framework
• The COBIT assessment process measures the extent to which a given process achieves specific attributes relative to that process, the 'process attributes'.
• The COBIT assessment process defines 9 process attributes (based on ISO/IEC 15504-2):
  • PA 1.1 Process performance
  • PA 2.1 Performance management
  • PA 2.2 Work product management
  • PA 3.1 Process definition
  • PA 3.2 Process deployment
  • PA 4.1 Process measurement
  • PA 4.2 Process control
  • PA 5.1 Process innovation
  • PA 5.2 Process optimization
Process Capability
[Figure: the two kinds of assessment indicator. Base Practices and Work Products are specific to each process (instance view / individual knowledge) and evidence level 1; Generic Practices and Generic Work Products apply to every process (enterprise view / corporate knowledge) and evidence levels 2 to 5.]
Process Attributes (example)
• PA 1.1 Process performance
  • The process performance attribute is a measure of the extent to which the process purpose is achieved.
  • As a result of full achievement of this attribute, the process achieves its defined outcomes.
Process Attributes (example)
• PA 2.1 Performance management
  • A measure of the extent to which the performance of the process is managed. As a result of full achievement of this attribute:
    a. Objectives for the performance of the process are identified.
    b. Performance of the process is planned and monitored.
    c. Performance of the process is adjusted to meet plans.
    d. Responsibilities and authorities for performing the process are defined, assigned and communicated.
    e. Resources and information necessary for performing the process are identified, made available, allocated and used.
    f. Interfaces between the involved parties are managed to ensure effective communication and clear assignment of responsibility.
• PA 2.2 Work product management
  • A measure of the extent to which the work products produced by the process are appropriately managed. As a result of full achievement of this attribute:
    a. Requirements for the work products of the process are defined.
    b. Requirements for documentation and control of the work products are defined.
    c. Work products are appropriately identified, documented and controlled.
    d. Work products are reviewed in accordance with planned arrangements and adjusted as necessary to meet requirements.
Process Attribute Rating Scale

Rating | Achievement   | Meaning
N  Not achieved       | 0 to 15%      | There is little or no evidence of achievement of the defined attribute in the assessed process.
P  Partially achieved | >15% to 50%   | There is some evidence of an approach to, and some achievement of, the defined attribute in the assessed process. Some aspects of achievement of the attribute may be unpredictable.
L  Largely achieved   | >50% to 85%   | There is evidence of a systematic approach to, and significant achievement of, the defined attribute in the assessed process. Some weakness related to this attribute may exist in the assessed process.
F  Fully achieved     | >85% to 100%  | There is evidence of a complete and systematic approach to, and full achievement of, the defined attribute in the assessed process. No significant weaknesses related to this attribute exist in the assessed process.
Guttman scaling applies to the attributes
A Guttman scale is cumulative: agreeing with a 'stronger' item implies agreement with every 'weaker' one, as in this classic example. Read the same way, achievement of a higher-level process attribute presupposes achievement of the attributes below it.
1. I would permit a child of mine to marry an immigrant.
2. I believe that this country should allow more immigrants in.
3. I would be comfortable if a new immigrant moved next door to me.
4. I would be comfortable with new immigrants moving into my community.
5. It would be fine with me if new immigrants moved onto my block.
6. I would be comfortable if my child dated a new immigrant.
Process Capability Levels

Level | Name                | Process attributes                                             | Description
0     | Incomplete process  | (none)                                                         | The process is not implemented or fails to achieve its purpose.
1     | Performed process   | PA 1.1 Process performance                                     | The process is implemented and achieves its process purpose.
2     | Managed process     | PA 2.1 Performance management; PA 2.2 Work product management  | The process is managed and work products are established, controlled and maintained.
3     | Established process | PA 3.1 Process definition; PA 3.2 Process deployment           | A defined process is used based on a standard process.
4     | Predictable process | PA 4.1 Process measurement; PA 4.2 Process control             | The process is enacted consistently within defined limits.
5     | Optimizing process  | PA 5.1 Process innovation; PA 5.2 Process optimization         | The process is continuously improved to meet relevant current and projected business goals.
COBIT Assessment Process Overview
[Figure: assessment process overview. This figure is reproduced from ISO 15504-2:2003 with the permission of ISO at www.iso.org. Copyright remains with ISO.]
Process Attributes and Capability Levels
[Figure: the six capability levels (Incomplete, Performed, Managed, Established, Predictable, Optimizing), the 9 Process Attributes that define them, and the Process Attribute Indicators (PAI) used as evidence. This figure is reproduced from ISO 15504-5:2006 with the permission of ISO at www.iso.org. Copyright remains with ISO.]
Process Attribute Rating
• Assessment indicators in the PAM are used to support the assessors' judgement in rating process attributes:
  • They provide the basis for repeatability across assessments.
• A rating is assigned based on objective, validated evidence for each process attribute.
• Traceability needs to be maintained between an attribute rating and the objective evidence used in determining that rating.
Let's see it all graphically
[Figure: how COBIT 4.1 elements map onto the PAM, and on to COBIT 5.0. Columns: COBIT 4.1 | PAM | COBIT 5.0. COBIT 4.1 side: Process Description, Maturity Model, Control Objectives + PC1÷6, Activities, Control Practices, Outputs to / Inputs from. PAM side: Outcomes, Practices (BPs), WP out to / WP in from.]
Outcomes / WPs: sequencing and Process Capability
• It should be noted that WPs for some processes provide higher capability requirements for other processes. This results in a progressive implementation of processes.
• The initial focus of any process assessment would be the core processes (sometimes called primary processes), which are primarily part of the AI and DS domains.
• Processes in the PO and ME domains will be required to support improvement in the capability of these core processes past level 1.
• An example is PO4 Define the IT processes, organisation and relationships, which is required as part of establishing the IT process framework and the documented roles and responsibilities required by processes at capability level 2.
Assessor Certification
• COBIT process assessment roles:
  • Lead assessor: a 'competent' assessor responsible for overseeing the assessment activities
  • Assessor: an individual, developing assessor competencies, who performs the assessment activities
• Assessor competencies:
  • Knowledge, skills and experience:
    • With the process reference model; the process assessment model, methods and tools; and rating processes
    • With the processes/domains being assessed
  • Personal attributes that contribute to effective performance
• A training and certification scheme is being developed for COBIT 4.1 and will also be established for COBIT 5, following its publication in January 2012.
COBIT Mappings and Assessment Classes
ISACA (and AIEA Milano) have published a series of COBIT 'mappings'. These mappings refer to the processes and in particular to the Control Objectives, which correspond to the Outcomes of the PAM.
Some available mappings:
• Business Goals
• Governance Focus Areas and COSO
• Sarbanes-Oxley Act
• Basel II
• Cloud Computing
  • Public
  • Private
  • Hybrid
• Internal Control System under (Italian) Law 262/2005
• Other standards (ISO 27001, ITIL, etc.)
Three classes of assessment are defined and formalised, with different objectives and precision. Rigour, and therefore cost, decrease from class 1 to class 3:
1. Comparison with other organisations
2. Formal and reliable internal reporting, to be used for example as the basis for an improvement plan
3. Testing and understanding of the process under examination, and a basis for a later class 1 or 2 assessment
New COBIT Capability Model
• The COBIT 4.1 maturity model (and therefore COBIT 5's as well) is replaced by the Capability Model based on ISO/IEC 15504, under the new ISACA initiative: the COBIT Assessment Programme (CAP).
• Advantages:
  – Keeps the focus on the result of the control process (the Outcome), not on the WPs produced as output
  – Simplifies, avoiding duplication (maturity model, Control Objectives, Process Controls)
  – Better reliability and repeatability of evaluations by eliminating ambiguity of interpretation; a rigorous, formal method that can be presented internally and also externally
  – Compliant with an established standard (SPICE), also applicable to other contexts: COSO, ITIL, Basel II, ...
  – Adaptable to specific needs
  – Ad hoc training and certification for assessors is planned
COSO SPICE assessment results (COSO 2006 Guidance)
• The assessment delivers a process capability profile.
• Such a profile illustrates the compliance with the COSO framework. It also illustrates which aspects need improvement.
• Not achieving level 1 means that compliance is generally missing.
• Achieving level 1 and failing in the process attribute performance management means that generally compliance is there but is not well tracked against targets (e.g. coverage of people knowing the ethical and integrity level).
• Achieving level 1 and failing in the process attribute work product management means that generally compliance is there but the results of successful departments are not kept in a structured way so that they can be accessed and re-used as good practice.
• Achieving levels 1 and 2 and failing in the process attribute process definition means that compliance is there, targets are tracked, results are accessible, but there is no agreed standard process across all departments. Etc.
• Thus from a capability level profile auditors can read levels of compliance and become experts using defined measurement tools to establish improvement plans for firms.
• There is a shift then from pure audit to continuous improvement thinking.

Example COSO process expressed in PAM form:
Process Name    | Integrity and Ethical Values
Process Purpose | Sound integrity and ethical values, particularly of top management, are developed and understood and set the standard of conduct for financial reporting.
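The following Python is an added worked example, not code from ISACA, the PAM or these slides. It encodes the rating scale and the capability level table given earlier in the deck together with the ISO/IEC 15504-2 level-derivation rule, which the slides show only as a table and never state: a process reaches level n when every attribute at level n is at least Largely achieved and every attribute below level n is Fully achieved. It also produces the "first attribute not fully achieved" reading used in the COSO interpretation above. The function names, the Guttman plausibility check and the sample percentages are assumptions of this example, not part of the PAM.

```python
"""Derive an ISO/IEC 15504 capability level from a COBIT PAM attribute profile.

Added illustration; not ISACA or PAM code. Helper names and sample data are
constructed for this example.
"""

# Rating order used for comparisons: N < P < L < F.
RATINGS = ("N", "P", "L", "F")

# The nine process attributes, ordered by capability level (Guttman order),
# as listed on the Measurement Framework slide.
ATTRIBUTES = (
    ("PA 1.1", 1, "Process performance"),
    ("PA 2.1", 2, "Performance management"),
    ("PA 2.2", 2, "Work product management"),
    ("PA 3.1", 3, "Process definition"),
    ("PA 3.2", 3, "Process deployment"),
    ("PA 4.1", 4, "Process measurement"),
    ("PA 4.2", 4, "Process control"),
    ("PA 5.1", 5, "Process innovation"),
    ("PA 5.2", 5, "Process optimization"),
)

LEVEL_NAMES = {0: "Incomplete", 1: "Performed", 2: "Managed",
               3: "Established", 4: "Predictable", 5: "Optimizing"}


def rate(percent):
    """Map an achievement percentage to N/P/L/F using the PAM rating scale.

    N: 0-15 %, P: >15-50 %, L: >50-85 %, F: >85-100 %. A boundary value
    belongs to the lower band, as the '>' in the scale indicates.
    """
    if not 0 <= percent <= 100:
        raise ValueError(f"achievement must be 0..100, got {percent}")
    if percent <= 15:
        return "N"
    if percent <= 50:
        return "P"
    if percent <= 85:
        return "L"
    return "F"


def profile_from_percentages(percentages):
    """Build a {PA id: rating} profile; attributes with no evidence rate N."""
    return {pa: rate(percentages.get(pa, 0)) for pa, _, _ in ATTRIBUTES}


def capability_level(profile):
    """ISO/IEC 15504-2 rule: level n is achieved when every attribute below
    level n is F and every attribute at level n is L or F. Levels are
    cumulative, so the walk stops at the first level that is not reached."""
    achieved = 0
    for level in range(1, 6):
        lower_all_f = all(profile.get(pa, "N") == "F"
                          for pa, lvl, _ in ATTRIBUTES if lvl < level)
        this_at_least_l = all(profile.get(pa, "N") in ("L", "F")
                              for pa, lvl, _ in ATTRIBUTES if lvl == level)
        if not (lower_all_f and this_at_least_l):
            break
        achieved = level
    return achieved


def improvement_focus(profile):
    """First attribute (in Guttman order) that is not fully achieved: the
    reading used in the COSO example, e.g. level 1 reached but PA 2.1 short
    means targets are not tracked. Returns (id, name, rating) or None."""
    for pa, _, name in ATTRIBUTES:
        rating = profile.get(pa, "N")
        if rating != "F":
            return pa, name, rating
    return None


def guttman_violations(profile):
    """Assumption of this example: because the attributes form a cumulative
    (Guttman) scale, an attribute rated higher than one at a lower level is
    implausible and its evidence should be re-validated before the rating
    is accepted. Returns (lower_pa, higher_pa) pairs to review."""
    found = []
    for hi_pa, hi_lvl, _ in ATTRIBUTES:
        hi = RATINGS.index(profile.get(hi_pa, "N"))
        for lo_pa, lo_lvl, _ in ATTRIBUTES:
            if lo_lvl < hi_lvl and RATINGS.index(profile.get(lo_pa, "N")) < hi:
                found.append((lo_pa, hi_pa))
    return found


# Constructed sample evidence for one process (not real assessment data).
SAMPLE_PERCENTAGES = {"PA 1.1": 92, "PA 2.1": 70, "PA 2.2": 40, "PA 3.1": 10}


if __name__ == "__main__":
    prof = profile_from_percentages(SAMPLE_PERCENTAGES)
    lvl = capability_level(prof)
    print("profile:", prof)
    print("capability level:", lvl, LEVEL_NAMES[lvl])
    print("improvement focus:", improvement_focus(prof))
    print("guttman violations:", guttman_violations(prof))
```

With the constructed sample the process is Performed (level 1) even though performance management is Largely achieved, because PA 2.2 is only Partially achieved; the improvement focus lands on PA 2.1, the first attribute short of Fully achieved, which is exactly where the COSO reading says targets are not yet well tracked.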