Overview of COBIT standards



Control Objectives for Information and Related Technology - Overview of standards

Transcript of Overview of COBIT standards

Page 1: Overview of COBIT standards


IT Audit and Risk Management Presentation

Presentation was last accessed on Thursday, October 8 2009 10:23:11 PM

Page 2: Overview of COBIT standards

IT Audit and Risk Management Presentation

Group 2:

PGPM508_12 Gunvel Sivaram

PGPM508_52 On Ali Abbasi

PGPM508_41 Saurav Swapnil

PGPM508_33 Prasath L Krishna

PGPM508_59 Malviya Prashant

Page 3: Overview of COBIT standards

= we need Governance

Will it Work???

It may actually work: Experience, Luck, A culture of “Quick and Dirty”

But what happens when we need to: Document, Improve, Fix/Find an error, Transfer responsibility

Page 4: Overview of COBIT standards

Focus Areas

Linkage of Business and IT Plans

Optimal investment

Track & monitor implementation

Value Proposition: promised benefit against strategy

Clear understanding, risk appetite, compliance

COBIT is a set of best practices (framework) for information technology (IT) management, created by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI).

Page 5: Overview of COBIT standards

Mission: “to research, develop, publicize and promote an authoritative, up-to-date, international set of generally accepted information technology control objectives for day-to-day use by business managers and auditors.”

History

COBIT 1 (1996): Audit

COBIT 2 (1998): Control

COBIT 3 (2000): Management; 2003: Online version

COBIT 4 & 4.1 (2005): Governance; 2007: 4.1

Managers, auditors, and users benefit from the development of COBIT because it helps them understand their IT systems and decide the level of security and control that is necessary to protect their companies’ assets through the development of an IT governance model.

Page 6: Overview of COBIT standards

Basic COBIT Principle

Where COBIT fits in

Page 7: Overview of COBIT standards

Basic COBIT Principle

COBIT is Business focused

Diagram text (only the connecting phrases survived; the boxes were graphics): … drive the investments in … that are used by … to deliver … which responds to …

Page 8: Overview of COBIT standards

Basic COBIT Framework

COBIT Cube

IT resources are managed by IT processes to achieve IT goals that respond to the business requirements.

Page 9: Overview of COBIT standards

Basic COBIT Principle

Where COBIT fits in

Page 10: Overview of COBIT standards

Basic COBIT Principle

COBIT is Controls based

Control loop diagram (labels only): Norms / Standards / Objectives; Process; Compare; Act; Control Information

Control objectives:

• Statements of managerial actions to increase value or reduce risk

• Consist of the policies, procedures, practices and organizational structures

• Designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented or detected and corrected

Page 11: Overview of COBIT standards

Basic COBIT Principle

Where COBIT fits in

Page 12: Overview of COBIT standards

Basic COBIT Principle

COBIT is measurement driven

• Maturity models to enable benchmarking and identification of necessary capability improvements

• Performance goals and metrics for the IT processes, demonstrating how processes meet business and IT goals and are used for measuring internal process performance based on balanced scorecard principles

• Activity goals for enabling effective process performance

Page 13: Overview of COBIT standards

Basic COBIT Principle

Where COBIT fits in

Page 14: Overview of COBIT standards

Page 15: Overview of COBIT standards

Basic COBIT 4.1 Principle

COBIT is process oriented

Plan & Organize

• Provides direction to solution delivery (AI) and service delivery (DS)

Page 16: Overview of COBIT standards

COBIT Structure: Plan & Organize

IT processes

The PO domain covers the use of information and technology and how it can best be used in a company to help achieve the company’s goals and objectives.

It also highlights the organizational and infrastructural form IT needs to take in order to achieve optimal results and to generate the most benefit from the use of IT.

Page 17: Overview of COBIT standards

COBIT Structure: Plan & Organize

PO1 Define a Strategic IT Plan and direction -

PO2 Define the Information Architecture +

PO3 Determine Technological Direction -

PO4 Define the IT Processes, Organization and Relationships -

PO5 Manage the IT Investment +

PO6 Communicate Management Aims and Direction +

PO7 Manage IT Human Resources +

PO8 Manage Quality +

PO9 Assess and Manage IT Risks -

PO10 Manage Projects -

IT processes

Mapping of ISO/IEC 27002:2007 objectives to each COBIT process: + = good match (more than 2); - = no or minor match

Page 18: Overview of COBIT standards

COBIT Structure: Plan & Organize

Summary

Inputs = Requirements;

Outputs = DS and AI;

Core Activities = iterative strategic definition stage;

Sub Core Activities = managing the purse strings, people and communication;

Other Activities = managing the quality, IT risks and projects and lots of monitoring & evaluation techniques

Page 19: Overview of COBIT standards

COBIT Structure: Acquire & Implement

IT processes

The AI domain covers:

• identifying IT requirements,

• acquiring the technology, and

• implementing it within the company’s current business processes.

This domain also addresses the development of a maintenance plan that a company should adopt in order to prolong the life of an IT system and its components.

Page 20: Overview of COBIT standards

COBIT Structure: Acquire & Implement

Summary

Inputs = Requirements and PO activities;

Outputs = DS and PO;

Core Activities = identifying the solution, maintaining software & infrastructure, change and configuration management, enabling its use, and implementing the result into the operational environment;

Other Activities = managing quality, IT risks and projects and lots of monitoring & evaluation techniques and finally procuring those IT resources

Page 21: Overview of COBIT standards

DS Levels

DS1 Define and Manage Service Levels

DS2 Manage Third-party Services

DS3 Manage Performance and Capacity

DS4 Ensure Continuous Service

DS5 Ensure Systems Security

DS6 Identify and Allocate Costs

DS7 Educate and Train Users

DS8 Manage Service Desk and Incidents

DS9 Manage the Configuration

DS10 Manage Problems

DS11 Manage Data

DS12 Manage the Physical Environment

DS13 Manage Operations

The DS domain is concerned with the actual delivery of required services: service delivery, management of security and continuity, service support for users, management of data, and operational facilities.

It typically addresses the following management questions:

• Are IT services being delivered in line with business priorities?

• Are IT costs optimized?

• Is the workforce able to use the IT systems productively and safely?

• Are adequate confidentiality, integrity and availability in place?

COBIT Structure: Deliver & Support

Page 22: Overview of COBIT standards

DS1 Define and Manage Service Levels

Effective communication between IT management and business customers regarding services required is enabled by a documented definition and agreement of IT services and service levels. This process also includes monitoring and timely reporting to stakeholders on the accomplishment of service levels. This process enables alignment between IT services and the related business requirements.

Deliver & Support example

Page 23: Overview of COBIT standards

DS1 Define and Manage Service Levels

DS1.1 Service Level Management Framework

DS1.2 Definition of Services

DS1.3 Service Level Agreements

DS1.4 Operating Level Agreements

DS1.5 Monitoring and Reporting of Service Level Achievements

DS1.6 Review of Service Level Agreements and Contracts

Page 24: Overview of COBIT standards

DS1 Define and Manage Service Levels

Page 25: Overview of COBIT standards

COBIT Structure: Monitor & Evaluate

IT processes

ME1: Monitor and Evaluate IT Performance

ME2: Monitor and Evaluate Internal Control

ME3: Ensure Regulatory Compliance

ME4: Provide IT Governance

Page 26: Overview of COBIT standards

COBIT Structure: Monitor & Evaluate

ME 1: Monitor and Evaluate IT Performance

Monitoring Approach: Establishment of a general monitoring framework and approach that define the scope, methodology and process to be followed for monitoring IT’s contribution

Definition and Collection of Monitoring Data: Defining a balanced set of performance objectives, measures, targets and benchmarks, and having them signed off by stakeholders

Monitoring Method: Deployment of a method that provides a succinct, all-around view of IT performance and fits within the enterprise monitoring system

Performance Assessment: Periodic review of performance against targets; perform remedial action against initial deviations

Board and Executive Reporting: Management reports containing progress against set targets

Remedial Actions: Identification and initiation of remedial actions based on the performance monitoring, assessment and reporting

Page 27: Overview of COBIT standards

COBIT Structure: Monitor & Evaluate

ME 2: Monitor and Evaluate Internal Control

Monitoring of Internal Control Framework: Continuous assessment against industry best practices and benchmarks to improve the IT control environment

Supervisory Review: Compliance with policies and standards, information security, change controls

Control Exceptions: Record information on exceptions, and ensure proper analysis of underlying issues

Control Self-assessment: Evaluate the completeness and effectiveness of management’s internal controls through a continuing program of self-assessment

Assurance of Internal Control: Third-party review

Remedial Actions: Identify and initiate remedial actions based on control assessment and reporting; review negotiation and understanding of management responses

Page 28: Overview of COBIT standards

COBIT Structure: Monitor & Evaluate

ME 3: Ensure Regulatory Compliance

Identification of Laws and Regulations Having Potential Impact on IT: Define and implement a process to ensure timely identification of local and international regulatory requirements and policies related to information and information service delivery

Optimization of Response to Regulatory Requirements: Review and optimize IT policies, standards and procedures to ensure legal requirements are covered

Evaluation of Compliance with Regulatory Requirements

Positive Assurance of Compliance: Regular reporting of corrective actions being taken by process owners

Integrated Reporting: Integrate IT reporting on regulatory requirements with similar output from other business functions

Page 29: Overview of COBIT standards

COBIT Structure: Monitor & Evaluate

ME 4: Provide IT Governance

Establishment of an IT Governance Framework: Define a framework including leadership, processes, roles and responsibilities, information requirements, organizational structure

Strategic Alignment: Develop a shared understanding of business and IT

Resource Management: Optimize the investment, use and allocation of IT assets through regular assessments

Performance Measurement: Report performance to the board in a timely fashion

Independent Assurance

Page 30: Overview of COBIT standards

Summary

Page 31: Overview of COBIT standards

How do you align an IT risk assessment with COBIT controls?

Page 32: Overview of COBIT standards

CoBiT vs COSO

COSO: Targets management controls; Useful for management at large; How to do

COBIT: Targets IT controls specifically; Useful for IT management, users, and auditors; What to do

Page 33: Overview of COBIT standards

CoBiT vs COSO

COSO components: Control Environment; Risk Assessment; Control Activities; Information & Communication; Monitoring

COBIT domains: Plan & Organize; Acquire & Implement; Delivery & Support; Monitor & Evaluate

Supporting Applications and Related Infrastructure

Page 34: Overview of COBIT standards
Page 35: Overview of COBIT standards

Your Security Check

Thank You

Logout when you are finished

Who knows your password?

Page 36: Overview of COBIT standards

References

new COBiT Version 4.1 available: http://www.isaca.org/cobit

http://itknowledgeexchange.techtarget.com/it-compliance/how-do-you-align-an-it-risk-assessment-with-cobit-controls/

http://www.mahindrasatyam.net/services/business_value_enhancement/enterprise_risk_complaince_mngt.asp

Ben Kalland, ITIL Expert and COBIT Foundation certified, [email protected]