Overview of COBIT standards
IT Audit and Risk Management Presentation
Presentation last accessed on Thursday, October 8 2009 10:23:11 PM
Group 2: PGPM508_12 Gunvel Sivaram; PGPM508_52 On Ali Abbasi; PGPM508_41 Saurav Swapnil; PGPM508_33 Prasath L Krishna; PGPM508_59 Malviya Prashant
So we need Governance

Will it work?
It may actually work, thanks to experience, luck, or a culture of "quick and dirty".
But what happens when we need to document it, improve it, fix or find an error, or transfer responsibility?

IT Governance Focus Areas
• Strategic alignment: linkage of business and IT plans
• Value delivery: executing the value proposition, delivering the promised benefits against the strategy
• Resource management: optimal investment in, and proper management of, IT resources
• Risk management: a clear understanding of the enterprise's risk appetite and of its compliance requirements
• Performance measurement: track and monitor strategy implementation
COBIT (Control Objectives for Information and related Technology) is a set of best practices (a framework) for information technology (IT) management,
created by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI).
Mission: "to research, develop, publicize and promote an authoritative, up-to-date, international set of generally accepted information technology control objectives for day-to-day use by business managers and auditors."
History
• COBIT 1 (1996): Audit
• COBIT 2 (1998): Control
• COBIT 3 (2000): Management; 2003: online version
• COBIT 4 (2005): Governance; COBIT 4.1 (2007)
Managers, auditors and users benefit from the development of COBIT because it helps them understand their IT systems and decide the level of security and control that is necessary to protect their companies' assets through the development of an IT governance model.
Basic COBIT Principle: COBIT is Business focused
Where COBIT fits in
Business requirements drive the investments in IT resources, which are used by IT processes to deliver enterprise information, which in turn responds to the business requirements.
Basic COBIT Framework: the COBIT Cube
IT resources are managed by IT processes to achieve IT goals that respond to the business requirements.
The cube's three dimensions are the business requirements (effectiveness, efficiency, confidentiality, integrity, availability, compliance, reliability), the IT resources (applications, information, infrastructure, people) and the IT processes (domains, processes, activities).
Basic COBIT Principle: COBIT is Controls based
Control loop: a process produces information, which is compared against norms, standards and objectives; any deviation triggers action to bring the process back under control.
Control objectives are statements of managerial actions to increase value or reduce risk.
Controls consist of the policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented or detected and corrected.
Basic COBIT Principle: COBIT is measurement driven
• Maturity models to enable benchmarking and identification of necessary capability improvements
• Performance goals and metrics for the IT processes, demonstrating how processes meet business and IT goals; used for measuring internal process performance, based on balanced scorecard principles
• Activity goals for enabling effective process performance
Basic COBIT 4.1 Principle: COBIT is process oriented
COBIT 4.1 defines 34 IT processes grouped into four domains: Plan & Organize (PO), Acquire & Implement (AI), Deliver & Support (DS) and Monitor & Evaluate (ME).
• PO provides direction to solution delivery (AI) and service delivery (DS)
• AI provides the solutions and passes them on to be turned into services
• DS receives the solutions and makes them usable for end users
• ME monitors all processes to ensure that the direction provided is followed
COBIT Structure: Plan & Organize
IT processes
The PO domain covers the use of information and technology, and how best it can be used in a company to help achieve the company's goals and objectives.
It also highlights the organizational and infrastructural form IT needs to take in order to achieve optimal results and to generate the most benefits from the use of IT.
PO1 Define a Strategic IT Plan and Direction  -
PO2 Define the Information Architecture  +
PO3 Determine Technological Direction  -
PO4 Define the IT Processes, Organization and Relationships  -
PO5 Manage the IT Investment  +
PO6 Communicate Management Aims and Direction  +
PO7 Manage IT Human Resources  +
PO8 Manage Quality  +
PO9 Assess and Manage IT Risks  -
PO10 Manage Projects  -
Legend: mapping of ISO/IEC 27002:2005 control objectives to each COBIT process. + = good match (more than two ISO/IEC 27002 objectives map to the process); - = no or minor match.
COBIT Structure: Plan & Organize
Summary
Inputs = business requirements;
Outputs = direction for the AI and DS domains;
Core activities = an iterative strategic definition stage;
Sub-core activities = managing the purse strings (IT investment), people and communication;
Other activities = managing quality, IT risks and projects, plus monitoring and evaluation techniques
COBIT Structure: Acquire & Implement
IT processes
The AI domain covers:
• identifying IT requirements,
• acquiring the technology, and
• implementing it within the company's current business processes.
This domain also addresses the development of a maintenance plan that a company should adopt in order to prolong the life of an IT system and its components.
AI1 Identify Automated Solutions
AI2 Acquire and Maintain Application Software
AI3 Acquire and Maintain Technology Infrastructure
AI4 Enable Operation and Use
AI5 Procure IT Resources
AI6 Manage Changes
AI7 Install and Accredit Solutions and Changes
COBIT Structure: Acquire & Implement
Summary
Inputs = business requirements and PO activities;
Outputs = DS and PO;
Core activities = identifying the solution, acquiring and maintaining application software and infrastructure, change management, enabling operation and use, and installing the result into the operational environment;
Other activities = managing quality, IT risks and projects, monitoring and evaluation techniques, and finally procuring the IT resources
COBIT Structure: Deliver & Support
IT processes
The DS domain is concerned with the actual delivery of required services: service delivery, management of security and continuity, service support for users, management of data, and operational facilities.
It typically addresses the following management questions:
• Are IT services being delivered in line with business priorities?
• Are IT costs optimized?
• Is the workforce able to use the IT systems productively and safely?
• Are adequate confidentiality, integrity and availability in place?
DS1 Define and Manage Service Levels
DS2 Manage Third-party Services
DS3 Manage Performance and Capacity
DS4 Ensure Continuous Service
DS5 Ensure Systems Security
DS6 Identify and Allocate Costs
DS7 Educate and Train Users
DS8 Manage Service Desk and Incidents
DS9 Manage the Configuration
DS10 Manage Problems
DS11 Manage Data
DS12 Manage the Physical Environment
DS13 Manage Operations
Deliver & Support example: DS1 Define and Manage Service Levels
Effective communication between IT management and business customers regarding the services required is enabled by a documented definition and agreement of IT services and service levels. This process also includes monitoring and timely reporting to stakeholders on the accomplishment of service levels. This process enables alignment between IT services and the related business requirements.
Control objectives:
DS1.1 Service Level Management Framework
DS1.2 Definition of Services
DS1.3 Service Level Agreements
DS1.4 Operating Level Agreements
DS1.5 Monitoring and Reporting of Service Level Achievements
DS1.6 Review of Service Level Agreements and Contracts
COBIT Structure: Monitor & Evaluate
IT processes
ME1 Monitor and Evaluate IT Performance
ME2 Monitor and Evaluate Internal Control
ME3 Ensure Regulatory Compliance
ME4 Provide IT Governance
COBIT Structure: Monitor & Evaluate
ME1: Monitor and Evaluate IT Performance
• Monitoring Approach: establish a general monitoring framework and approach that defines the scope, methodology and process to be followed for monitoring IT's contribution.
• Definition and Collection of Monitoring Data: define a balanced set of performance objectives, measures, targets and benchmarks, and have them signed off by stakeholders.
• Monitoring Method: deploy a method that provides a succinct, all-round view of IT performance and fits within the enterprise monitoring system.
• Performance Assessment: periodically review performance against targets and take remedial action on initial deviations.
• Board and Executive Reporting: management reports containing progress against set targets.
• Remedial Actions: identify and initiate remedial actions based on performance monitoring, assessment and reporting.
COBIT Structure: Monitor & Evaluate
ME2: Monitor and Evaluate Internal Control
• Monitoring of Internal Control Framework: continuous assessment against industry best practices and benchmarks to improve the IT control environment.
• Supervisory Review: compliance with policies and standards, information security, and change controls.
• Control Exceptions: record information on exceptions and ensure proper analysis of the underlying issues.
• Control Self-assessment: evaluate the completeness and effectiveness of management's internal controls through a continuing programme of self-assessment.
• Assurance of Internal Control: third-party review.
• Remedial Actions: identify and initiate remedial actions based on control assessment and reporting; review, negotiate and reach an understanding of management responses.
COBIT Structure: Monitor & Evaluate
ME3: Ensure Regulatory Compliance
• Identification of Laws and Regulations Having Potential Impact on IT: define and implement a process to ensure timely identification of local and international regulatory requirements and of policies related to information and information service delivery.
• Optimization of Response to Regulatory Requirements: review and optimize IT policies, standards and procedures to ensure legal requirements are covered.
• Evaluation of Compliance with Regulatory Requirements
• Positive Assurance of Compliance: regular reporting of corrective actions being taken by process owners.
• Integrated Reporting: integrate IT reporting on regulatory requirements with similar output from other business functions.
COBIT Structure: Monitor & Evaluate
ME4: Provide IT Governance
• Establishment of an IT Governance Framework: define a framework including leadership, processes, roles and responsibilities, information requirements and organizational structure.
• Strategic Alignment: develop a shared understanding of business and IT.
• Resource Management: optimize the investment, use and allocation of IT assets through regular assessments.
• Performance Measurement: report performance to the board in a timely fashion.
• Independent Assurance
Summary
How do you align an IT risk assessment with COBIT controls?

COBIT vs COSO
COSO:
• Targets management controls
• Useful for management at large
• Says what to do
• Components: Control Environment; Risk Assessment; Control Activities; Information & Communication; Monitoring
COBIT:
• Targets IT controls specifically
• Useful for IT management, users and auditors
• Says how to do it
• Domains: Plan & Organize; Acquire & Implement; Deliver & Support; Monitor & Evaluate
Figure: COSO components mapped against the COBIT domains, resting on the supporting applications and related infrastructure.
Your Security Check
• Logout when you are finished
• Who knows your password?
Thank You
References
COBIT 4.1, ISACA: http://www.isaca.org/cobit
How do you align an IT risk assessment with COBIT controls? http://itknowledgeexchange.techtarget.com/it-compliance/how-do-you-align-an-it-risk-assessment-with-cobit-controls/
Mahindra Satyam, Enterprise Risk and Compliance Management: http://www.mahindrasatyam.net/services/business_value_enhancement/enterprise_risk_complaince_mngt.asp
Ben Kalland, ITIL Expert and COBIT Foundation certified, [email protected]