The Basic COBIT Principle - isaca-malta.org Practices for...based on CobiT® – content ©ISACA...

IT Governance for Small and Medium-sized Enterprises

ISACA Malta – 22 April 2010

Erik Guldentops, Executive Professor
University of Antwerp Management School

based on CobiT® – content ©ISACA – foils ©eg_consult
Erik Guldentops IT Governance Seminars

The Basic COBIT Principle

Business Requirements drive the investments in IT Resources, that are used by IT Processes to deliver Enterprise Information, which responds to Business Requirements.

The Basic COBIT Principle

Enterprise Requirements
• Financial soundness
• Customer perception
• Operational excellence
• Growth capability

Managing the full economic life-cycle of IT-enabled business initiatives and their risk-adjusted returns

INVEST MONEY, USE, DELIVER BENEFITS

Resources
People
• Skills
• Knowledge
• Attitude
Infrastructure
• Resilience
• Functional
• Maintainable

Processes (IT processes aligned with business processes)
• Objectives
• Responsibilities
• Measures

The COBIT Framework

BUSINESS OBJECTIVES
GOVERNANCE OBJECTIVES

INFORMATION: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability

IT RESOURCES: Applications, Information, Infrastructure, People

PLAN AND ORGANISE
PO1 Define a strategic IT plan.
PO2 Define the information architecture.
PO3 Determine technological direction.
PO4 Define the IT processes, organisation and relationships.
PO5 Manage the IT investment.
PO6 Communicate management aims and direction.
PO7 Manage IT human resources.
PO8 Manage quality.
PO9 Assess and manage IT risks.
PO10 Manage projects.

ACQUIRE AND IMPLEMENT
AI1 Identify automated solutions.
AI2 Acquire and maintain application software.
AI3 Acquire and maintain technology infrastructure.
AI4 Enable operation and use.
AI5 Procure IT resources.
AI6 Manage changes.
AI7 Install and accredit solutions and change.

DELIVER AND SUPPORT
DS1 Define and manage service levels.
DS2 Manage third-party services.
DS3 Manage performance and capacity.
DS4 Ensure continuous service.
DS5 Ensure systems security.
DS6 Identify and allocate costs.
DS7 Educate and train users.
DS8 Manage service desk and incidents.
DS9 Manage the configuration.
DS10 Manage problems.
DS11 Manage data.
DS12 Manage the physical environment.
DS13 Manage operations.

MONITOR AND EVALUATE
ME1 Monitor and evaluate IT performance.
ME2 Monitor and evaluate internal control.
ME3 Ensure regulatory compliance.
ME4 Provide IT governance.

CobiT for Small and Medium-sized Enterprises

It depends...

CobiT QuickStart

Suitability Assessment (1): « Stay in the Blue Zone »
• Is the control environment representative of an SME and is IT not really critical or strategic?

Suitability Assessment (2): « Stay out of the Heat »
• Are there indicators that a broader assessment of IT governance requirements are needed?

[Radar chart: scale 0 to 4; axes SCS, SCP, SEG, SOC, ITS, ITL, ITE]

CobiT Quickstart

Suitability Assessment (1): « Stay in the Blue Zone »

Simple command structure (CS)
1. CS is strictly informal and verbal, short-term & tactical
2. CS is primarily informal and verbal, somewhat short-term but largely medium-term oriented, and analytical
3. CS is primarily formal and documented, somewhat long-term but more medium-term oriented, and tactical
4. CS is strictly formal and documented, long-term & strategic

Short communications path
1. HOE (Head of the entity) knows everyone’s IT related responsibilities
2. HOE knows most people’s IT related responsibilities
3. HOE only knows the IT related responsibilities of key personnel
4. HOE does not know all IT related responsibilities of key personnel

Segregation
1. Those who monitor have at least two other functions (build, operate, or influence).
2. Those who monitor have at most ‘building’ or ‘operating’ as other functions. Those who influence can also have ‘building’ and ‘operating’ functions.
3. Monitoring is totally segregated, but ‘building’ and ‘operating’ can be executed by the same person. Those who influence have at most ‘operating’ or ‘building’ as other functions.
4. At most ‘influencing’ and ‘monitoring’ is executed by one person

Span of control
1. HOE directs and monitors everyone’s IT related responsibilities
2. HOE directs and monitors most people’s IT related responsibilities
3. HOE only directs and monitors key personnel
4. HOE does not direct and monitor all IT related responsibilities of key personnel

IT Expenditure
1. IT Expenditure is not more than profits and not much different from peers
2. IT Expenditure is different from peers and only marginally increasing every year
3. IT Expenditure is more than profits or significantly different from peers and is showing an annual increasing trend
4. IT Expenditure is significantly more than the entity’s profits

IT Leadership
1. Laggard, i.e. well behind in technology adoption
2. Follower, i.e. adopting technology after peers have done so
3. Leader, i.e. adopting technology before peers have done so
4. Pioneer, i.e. early adopter of new emerging technology well ahead of the industry

IT’s Strategic Importance
1. Reliable IT is not critical to the functioning of the enterprise and is not likely to become strategically important
2. Reliable IT support is critical to the enterprise's current operation, but the application development portfolio is not fundamental to the firm's ability to compete
3. Uninterrupted functioning of IT is not absolutely vital to achieving current objectives but applications and technology under development will be critical to future competitive success
4. Reliable IT support is critical to the enterprise's current operation, and applications and technology under development are critical to future competitive success

CobiT Quickstart

Suitability Assessment (2): « Stay out of the Heat »

• The IT infrastructure is an open as opposed to closed system (interconnections with customers, suppliers etc)
• There are IT related regulations or contractual requirements applying to the enterprise
• There is a need to provide outside assurance about IT
• Enterprise management is aware of IT issues and wonders whether a minimum baseline is sufficient
• Enterprise Management has identified the need for significant formal training relative to IT
• Some IT practices and procedures have been defined, standardized and documented in a sustainable manner
• Enterprise Management knows that common tools would make some IT processes more effective and efficient
• The IT ‘expert(s)’ of the enterprise are needed for developing/improving business processes

Category labels shown beside the statements: Connectivity, Regulations, Assurance, Skills & Capability, Risk History

CobiT for Small and Medium-sized Enterprises

Can we learn something from research?

• Business and IT Goals in CobiT4.1
• Research into the most important Business and IT Goals
  3‐phased Delphi method with 30+ international subject matter experts
  • Refining the business and IT goals
  • Identifying the most important by industry
• Research into the Relationship between Enterprise Benefits and IT Governance Practices
  Correlation between process, IT and business goal from 540 validated survey responses providing 94 metrics

Business Goals – COBIT4.1

Research into the most important Business and IT Goals

The prioritised list of business goals over all sectors:

1. Improve customer orientation and service

2. Provide compliancy with external laws and regulations

3. Establish service continuity and availability

4. Manage (IT related) business risks

5. Offer competitive products and services

6. Improve and maintain business process functionality

7. Provide a good return on investment of (IT enabled) business investments

8. Acquire, develop and maintain skilled and motivated people

9. Create agility in responding to changing business requirements

10. Obtain reliable and useful information for strategic decision making


Assign weights to most important

| Business Goals | Research on Importance | Research on Goal Impact | Priority for Small & Medium Sized | TOTAL |
|---|---|---|---|---|
| Improve and maintain business process functionality | 5 | | | |
| Achieve cost optimisation of service delivery | | | | |
| Optimise business process costs | | | | |
| Establish service continuity and availability | 8 | | | |
| Obtain reliable and useful information for strategic decision making | 1 | | | |
| Improve customer orientation and service | 10 | | | |
| Provide compliancy with external laws and regulations | 9 | | | |
| Enable and Manage business change | | | | |
| Improve and maintain operational and staff productivity | | | | |
| Manage (IT related) business risks | 7 | | | |
| Offer competitive products and services | 6 | | | |
| Provide a good return on investment of (IT enabled) business investments | 4 | | | |
| Acquire, develop and maintain skilled and motivated people | 3 | | | |
| Create agility in responding to changing business requirements | 2 | | | |
| Improve financial transparency | | | | |
| Provide compliancy with internal policies | | | | |
| Identify, enable and manage product and business innovation | | | | |
| Column totals | 55 | 55 | 55 | |

Research into Practices and their impact on the bottom-line

• Correlation
• Clustering

Research into Practices and their impact on the bottom-line

• 8 high impact IT Goals
• 6 high impacted Business Goals

High impact IT Goals
- Improve IT’s cost-efficiency (IT_Corp5)
- Align the IT strategy to the business strategy (IT_Corp6)
- Translate business functional and control requirements in effective and efficient automated solutions (IT_User3)
- Accomplish proper use of applications, information and technology solutions (IT_User4)
- Provide IT agility (in responding to changing business needs) (IT_Oper4)
- Seamlessly integrate applications and technology solutions into business processes (IT_Oper5)
- Acquire, develop and maintain IT skills that respond to the IT strategy (IT_Fut1)
- Ensure that IT demonstrates continuous improvement and readiness for future change (IT_Fut3)

Highly impacted Business Goals
- Achieve cost optimisation of service delivery (B_Cust4)
- Obtain reliable and useful information for strategic decision making (B_Cust6)
- Improve and maintain business process functionality (B_Int1)
- Improve and maintain operational and staff productivity (B_Int2)
- Enable and Manage business change (B_Int3)
- Optimise business process costs (B_Int5)

Divide the same weight over most impacted goals

| Business Goals | Research on Importance | Research on Goal Impact | Priority for Small & Medium Sized | TOTAL |
|---|---|---|---|---|
| Improve and maintain business process functionality | 5 | 9 | | |
| Achieve cost optimisation of service delivery | | 9 | | |
| Optimise business process costs | | 10 | | |
| Establish service continuity and availability | 8 | | | |
| Obtain reliable and useful information for strategic decision making | 1 | 9 | | |
| Improve customer orientation and service | 10 | | | |
| Provide compliancy with external laws and regulations | 9 | | | |
| Enable and Manage business change | | 9 | | |
| Improve and maintain operational and staff productivity | | 9 | | |
| Manage (IT related) business risks | 7 | | | |
| Offer competitive products and services | 6 | | | |
| Provide a good return on investment of (IT enabled) business investments | 4 | | | |
| Acquire, develop and maintain skilled and motivated people | 3 | | | |
| Create agility in responding to changing business requirements | 2 | | | |
| Improve financial transparency | | | | |
| Provide compliancy with internal policies | | | | |
| Identify, enable and manage product and business innovation | | | | |
| Column totals | 55 | 55 | 55 | |

What are the key business goals for IT in a small & medium‐sized enterprise?

1. IT Cost optimisation
2. Business process functionality
3. Business process cost
4. Service continuity
5. Reliable data to do business

Divide the same weight over most appropriate goals

| Business Goals | Research on Importance | Research on Goal Impact | Priority for Small & Medium Sized | TOTAL |
|---|---|---|---|---|
| Improve and maintain business process functionality | 5 | 9 | 13 | 27 |
| Achieve cost optimisation of service delivery | | 9 | 15 | 24 |
| Optimise business process costs | | 10 | 11 | 21 |
| Establish service continuity and availability | 8 | | 9 | 17 |
| Obtain reliable and useful information for strategic decision making | 1 | 9 | 7 | 17 |
| Improve customer orientation and service | 10 | | | 10 |
| Provide compliancy with external laws and regulations | 9 | | | 9 |
| Enable and Manage business change | | 9 | | 9 |
| Improve and maintain operational and staff productivity | | 9 | | 9 |
| Manage (IT related) business risks | 7 | | | 7 |
| Offer competitive products and services | 6 | | | 6 |
| Provide a good return on investment of (IT enabled) business investments | 4 | | | 4 |
| Acquire, develop and maintain skilled and motivated people | 3 | | | 3 |
| Create agility in responding to changing business requirements | 2 | | | 2 |
| Improve financial transparency | | | | 0 |
| Provide compliancy with internal policies | | | | 0 |
| Identify, enable and manage product and business innovation | | | | 0 |
| Column totals | 55 | 55 | 55 | |

Key Business Goals for small & medium‐sized enterprises

| Business Goals | Research on Importance | Research on Goal Impact | Priority for Small & Medium Sized | TOTAL |
|---|---|---|---|---|
| Improve and maintain business process functionality | 5 | 9 | 13 | 27 |
| Achieve cost optimisation of service delivery | | 9 | 15 | 24 |
| Optimise business process costs | | 10 | 11 | 21 |
| Establish service continuity and availability | 8 | | 9 | 17 |
| Obtain reliable and useful information for strategic decision making | 1 | 9 | 7 | 17 |

IT Goals – COBIT4.1

Research into the most important Business and IT Goals

The prioritised list of IT goals over all sectors:

1. Align the IT strategy to the business strategy

2. Maintain the security (confidentiality, integrity and availability) of information and processing infrastructure

3. Make sure that IT services are reliable and secure

4. Provide service offerings and service levels in line with business requirements

5. Provide IT compliancy with laws and regulations

6. Translate business functional and control requirements in effective and efficient automated solutions

7. Deliver projects on time and on budget meeting quality standards

8. Drive commitment and support of executive management

9. Improve IT’s cost-efficiency

10. Account for and protect all IT assets


Assign weights to most important

| # | IT Goals | Research on Importance | Research on Process Impact | Research on Goal Impact | Business Goal Linkage | Priority for Small & Medium Sized | TOTAL |
|---|---|---|---|---|---|---|---|
| 6 | Translate business functional and control requirements in effective and efficient automated solutions | 5 | | | | | |
| 24 | Improve IT’s cost‐efficiency | 2 | | | | | |
| 9 | Acquire, develop and maintain IT skills that respond to the IT strategy | | | | | | |
| 3 | Provide service offerings and service levels in line with business requirements | 7 | | | | | |
| 1 | Align the IT strategy to the business strategy | 10 | | | | | |
| 28 | Ensure that IT demonstrates continuous improvement and readiness for future change | | | | | | |
| 7 | Acquire and maintain integrated and standardised application systems. | | | | | | |
| 25 | Deliver projects on time and on budget meeting quality standards | 4 | | | | | |
| 11 | Seamlessly integrate applications and technology solutions into business processes | | | | | | |
| 10 | Ensure mutual satisfaction of third‐party relationships. | | | | | | |
| 8 | Acquire and maintain integrated and standardised IT infrastructure. | | | | | | |
| 5 | Provide IT agility (in responding to changing business needs) | | | | | | |
| 4 | Accomplish proper use of applications, information and technology solutions | | | | | | |
| 27 | Provide IT compliancy with laws and regulations | 6 | | | | | |
| 14 | Account for and protect all IT assets | 1 | | | | | |
| X | Maintain the security (confidentiality, integrity and availability) of information and processing infrastructure | | | | | | |
| X | Make sure that IT services are reliable and secure | | | | | | |

The information security challenge in SME’s

X =

• Ensure that critical and confidential information is withheld from those who should not have access to it.
• Ensure that automated business transactions and information exchanges can be trusted.
• Ensure that IT services and infrastructure can properly resist and recover from failures due to error, deliberate attack or disaster.
• Ensure minimum business impact in the event of an IT service disruption or change.
• Make sure that IT services are available as required.

Research into Practices and their impact on the bottom-line

• 7 high impact COBIT processes
• 5 high impact Val IT processes
• 4 high impacted IT Goals

High impact COBIT processes
- Define a Strategic IT plan (PO1)
- Manage the IT investment (PO5)
- Communicate Management Aims and Direction (PO6)
- Assess and manage IT risks (PO9)
- Identify Automated Solutions (AI1)
- Acquire and Maintain Application Software (AI2)
- Acquire and Maintain Technology Infrastructure (AI3)

High impact Val IT processes
- Define and Implement Processes (VG2)
- Establish Effective Governance Monitoring (VG5)
- Continuously Improve Value Management Practices (VG6)
- Establish Strategic Direction and Target Investment Mix (PM1)
- Update Operational IT Portfolios (IM7)

High impacted IT Goals
- Align the IT strategy to the business strategy (IT_Corp6)
- Provide service offerings and service levels in line with business requirements (IT_User1)
- Acquire, develop and maintain IT skills that respond to the IT strategy (IT_Fut1)
- Ensure that IT demonstrates continuous improvement and readiness for future change (IT_Fut3)

Assign same weights to highly impacted IT goals

| # | IT Goals | Research on Importance | Research on Process Impact | Research on Goal Impact | Business Goal Linkage | Priority for Small & Medium Sized | TOTAL |
|---|---|---|---|---|---|---|---|
| 6 | Translate business functional and control requirements in effective and efficient automated solutions | 5 | | | | | |
| 24 | Improve IT’s cost‐efficiency | 2 | | | | | |
| 9 | Acquire, develop and maintain IT skills that respond to the IT strategy | | 14 | | | | |
| 3 | Provide service offerings and service levels in line with business requirements | 7 | 14 | | | | |
| 1 | Align the IT strategy to the business strategy | 10 | 14 | | | | |
| 28 | Ensure that IT demonstrates continuous improvement and readiness for future change | | 14 | | | | |
| 7 | Acquire and maintain integrated and standardised application systems. | | | | | | |
| 25 | Deliver projects on time and on budget meeting quality standards | 4 | | | | | |
| 11 | Seamlessly integrate applications and technology solutions into business processes | | | | | | |
| 10 | Ensure mutual satisfaction of third‐party relationships. | | | | | | |
| 8 | Acquire and maintain integrated and standardised IT infrastructure. | | | | | | |
| 5 | Provide IT agility (in responding to changing business needs) | | | | | | |
| 4 | Accomplish proper use of applications, information and technology solutions | | | | | | |
| 27 | Provide IT compliancy with laws and regulations | 6 | | | | | |
| 14 | Account for and protect all IT assets | 1 | | | | | |

Research into Practices and their impact on the bottom-line

• 8 high impact IT Goals
• 6 high impacted Business Goals

High impact IT Goals
- Improve IT’s cost-efficiency (IT_Corp5)
- Align the IT strategy to the business strategy (IT_Corp6)
- Translate business functional and control requirements in effective and efficient automated solutions (IT_User3)
- Accomplish proper use of applications, information and technology solutions (IT_User4)
- Provide IT agility (in responding to changing business needs) (IT_Oper4)
- Seamlessly integrate applications and technology solutions into business processes (IT_Oper5)
- Acquire, develop and maintain IT skills that respond to the IT strategy (IT_Fut1)
- Ensure that IT demonstrates continuous improvement and readiness for future change (IT_Fut3)

Highly impacted Business Goals
- Achieve cost optimisation of service delivery (B_Cust4)
- Obtain reliable and useful information for strategic decision making (B_Cust6)
- Improve and maintain business process functionality (B_Int1)
- Improve and maintain operational and staff productivity (B_Int2)
- Enable and Manage business change (B_Int3)
- Optimise business process costs (B_Int5)

Assign same weights to high impact IT goals

| # | IT Goals | Research on Importance | Research on Process Impact | Research on Goal Impact | Business Goal Linkage | Priority for Small & Medium Sized | TOTAL |
|---|---|---|---|---|---|---|---|
| 6 | Translate business functional and control requirements in effective and efficient automated solutions | 5 | | 7 | | | |
| 24 | Improve IT’s cost‐efficiency | 2 | | 7 | | | |
| 9 | Acquire, develop and maintain IT skills that respond to the IT strategy | | 14 | 7 | | | |
| 3 | Provide service offerings and service levels in line with business requirements | 7 | 14 | | | | |
| 1 | Align the IT strategy to the business strategy | 10 | 14 | 7 | | | |
| 28 | Ensure that IT demonstrates continuous improvement and readiness for future change | | 14 | 7 | | | |
| 7 | Acquire and maintain integrated and standardised application systems. | | | | | | |
| 25 | Deliver projects on time and on budget meeting quality standards | 4 | | | | | |
| 11 | Seamlessly integrate applications and technology solutions into business processes | | | 7 | | | |
| 10 | Ensure mutual satisfaction of third‐party relationships. | | | | | | |
| 8 | Acquire and maintain integrated and standardised IT infrastructure. | | | | | | |
| 5 | Provide IT agility (in responding to changing business needs) | | | 7 | | | |
| 4 | Accomplish proper use of applications, information and technology solutions | | | 7 | | | |
| 27 | Provide IT compliancy with laws and regulations | 6 | | | | | |
| 14 | Account for and protect all IT assets | 1 | | | | | |

Linking Business and IT Goals

| Business Goals | TOTAL |
|---|---|
| 10 Improve and maintain business process functionality | 27 |
| 8 Achieve cost optimisation of service delivery | 24 |
| 11 Optimise business process costs | 21 |
| 6 Establish service continuity and availability | 17 |
| 9 Obtain reliable and useful information for strategic decision making | 17 |

Linking Business and IT Goals: business goals (rows) against IT goals (columns)

| IT Goal | 1 | 2 | 3 | 4 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 15 | 16 | 20 | 22 | 23 | 24 | 28 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Column total | 5 | 3 | 1 | 3 | 14 | 19 | 10 | 5 | 10 | 9 | 3 | 4 | 4 | 4 | 4 | 5 | 4 | 16 | 9 |

Non-empty cell values per row, in column order (empty cells are not marked):
10 Improve and maintain business process functionality: 1 10 9 1 9 1 1
8 Achieve cost optimisation of service delivery: 1 1 1 6 6 1 6 7 1
11 Optimise business process costs: 1 1 4 4 1 4 4 6 1
6 Establish service continuity and availability: 1 1 1 4 4 5 4 1 1
9 Obtain reliable and useful information for strategic decision making: 1 3 3 1 1 3 4 1 5

Linking Business and IT Goals: reduced to IT goals 6, 7, 8, 10, 11, 24 and 28

| IT Goal | 6 | 7 | 8 | 10 | 11 | 24 | 28 |
|---|---|---|---|---|---|---|---|
| Column total | 14 | 19 | 10 | 10 | 9 | 16 | 9 |

Non-empty cell values per row, in column order (empty cells are not marked):
10 Improve and maintain business process functionality: 10 9 9 1 1
8 Achieve cost optimisation of service delivery: 1 6 6 6 7 1
11 Optimise business process costs: 1 4 4 6 1
6 Establish service continuity and availability: 1 4 1 1
9 Obtain reliable and useful information for strategic decision making: 1 1 5

Analysis Business IT Goals for SME's

Columns: Research on Importance; Research on Process Impact; Research on Goal Impact; Business Goal Linkage; Priority for Small & Medium Sized; TOTAL

IT GOALS
6 Translate business functional and control requirements in effective and efficient automated solutions 5 7 14
24 Improve IT's cost-efficiency 2 7 16
9 Acquire, develop and maintain IT skills that respond to the IT strategy 14 7
3 Provide service offerings and service levels in line with business requirements 7 14
1 Align the IT strategy to the business strategy 10 14 7
28 Ensure that IT demonstrates continuous improvement and readiness for future change 14 7 9
7 Acquire and maintain integrated and standardised application systems. 19
25 Deliver projects on time and on budget meeting quality standards 4
11 Seamlessly integrate applications and technology solutions into business processes 7 9
10 Ensure mutual satisfaction of third-party relationships. 10
8 Acquire and maintain integrated and standardised IT infrastructure. 10
5 Provide IT agility (in responding to changing business needs) 7
4 Accomplish proper use of applications, information and technology solutions 7
27 Provide IT compliancy with laws and regulations 6
14 Account for and protect all IT assets 1
X Maintain the security (confidentiality, integrity and availability) of information and processing infrastructure
X Make sure that IT services are reliable and secure

What are the key IT goals in a small & medium-sized enterprise?

1. Functional applications
2. Cost-efficiency
3. Skills to obtain effective/efficient IT solutions
4. Service that responds to business needs
5. Deliver solutions on time and budget

Score IT goals typical for SME's

Columns: Research on Importance; Research on Process Impact; Research on Goal Impact; Business Goal Linkage; Priority for Small & Medium Sized; TOTAL

IT GOALS
6 Translate business functional and control requirements in effective and efficient automated solutions 5 7 14 12 38
24 Improve IT's cost-efficiency 2 7 16 12 37
9 Acquire, develop and maintain IT skills that respond to the IT strategy 14 7 12 33
3 Provide service offerings and service levels in line with business requirements 7 14 12 33
1 Align the IT strategy to the business strategy 10 14 7 31
28 Ensure that IT demonstrates continuous improvement and readiness for future change 14 7 9 30
7 Acquire and maintain integrated and standardised application systems. 19 19
25 Deliver projects on time and on budget meeting quality standards 4 12 16
11 Seamlessly integrate applications and technology solutions into business processes 7 9 16
10 Ensure mutual satisfaction of third-party relationships. 10 10
8 Acquire and maintain integrated and standardised IT infrastructure. 10 10
5 Provide IT agility (in responding to changing business needs) 7 7
4 Accomplish proper use of applications, information and technology solutions 7 7
27 Provide IT compliancy with laws and regulations 6 6
14 Account for and protect all IT assets 1 1
X Maintain the security (confidentiality, integrity and availability) of information and processing infrastructure
X Make sure that IT services are reliable and secure

Linking IT Goals to IT Processes

6 Translate business functional and control requirements in effective and efficient automated solutions 38
24 Improve IT's cost-efficiency 37
9 Acquire, develop and maintain IT skills that respond to the IT strategy 33
3 Provide service offerings and service levels in line with business requirements 33
1 Align the IT strategy to the business strategy 31
28 Ensure that IT demonstrates continuous improvement and readiness for future change 30
7 Acquire and maintain integrated and standardised application systems. 19
25 Deliver projects on time and on budget meeting quality standards 16
11 Seamlessly integrate applications and technology solutions into business processes 16
10 Ensure mutual satisfaction of third-party relationships. 10
8 Acquire and maintain integrated and standardised IT infrastructure. 10

Linking IT Goals to IT Processes

Distribute goal weight across applicable processes
Remove 'light' columns

PO1 PO2 PO3 PO4 PO5 PO7 PO8 PO10 AI1 AI2 AI3 AI4 AI5 AI6 AI7 DS1 DS2 DS3 DS6 DS7 DS8 DS10 ME1 ME4

15 10 13
22 15
13 20
2 3 8 8 2 3 4 3
8 4 3 5 4 4 1 1 1
7 8 9 6
5 7 7
6 10
3 5 8
10
6 4

8 7 5 3 34 13 8 10 19 17 6 8 31 17 8 9 18 1 23 2 3 4 13 6

Linking IT Goals to IT Processes

Remove 'light' rows

PO5 AI1 AI2 AI5 AI6 DS2 DS6 ME1

6 Translate business functional and control requirements in effective and efficient automated solutions 5 7 14 12 38 15 10 13 38
24 Improve IT's cost-efficiency 2 7 16 12 37 22 15 37
9 Acquire, develop and maintain IT skills that respond to the IT strategy 14 7 12 33 20 20
3 Provide service offerings and service levels in line with business requirements 7 14 12 33 8 3 11
1 Align the IT strategy to the business strategy 10 14 7 31 5 4 4 1 14
28 Ensure that IT demonstrates continuous improvement and readiness for future change 14 7 9 30 7 8 9 24
7 Acquire and maintain integrated and standardised application systems. 19 19 7 7 14
25 Deliver projects on time and on budget meeting quality standards 4 12 16 0
11 Seamlessly integrate applications and technology solutions into business processes 7 9 16 0
10 Ensure mutual satisfaction of third-party relationships. 10 10 10 10
8 Acquire and maintain integrated and standardised IT infrastructure. 10 10 4 4

34 19 17 31 17 18 23 13

Linking IT Goals to IT Processes

PO5 AI1 AI2 AI5 AI6 DS2 DS6 ME1

6 Translate business functional and control requirements in effective and efficient automated solutions 5 7 14 12 38 15 10 13 38
24 Improve IT's cost-efficiency 2 7 16 12 37 22 15 37
9 Acquire, develop and maintain IT skills that respond to the IT strategy 14 7 12 33 20 20
3 Provide service offerings and service levels in line with business requirements 7 14 12 33 8 3 11
1 Align the IT strategy to the business strategy 10 14 7 31 5 4 4 1 14
28 Ensure that IT demonstrates continuous improvement and readiness for future change 14 7 9 30 7 8 9 24
7 Acquire and maintain integrated and standardised application systems. 19 19 7 7 14
10 Ensure mutual satisfaction of third-party relationships. 10 10 10 10

34 19 17 27 17 18 23 13

With focus established, practices can be identified

PO5 AI1 AI2 AI5 AI6 DS2 DS6 ME1

Translate business functional and control requirements in effective and efficient automated solutions 15 10 13
Improve IT's cost-efficiency 22 15
Acquire, develop and maintain IT skills that respond to the IT strategy 20
Provide service offerings and service levels in line with business requirements 8 3
Align the IT strategy to the business strategy 5 4 4 1
Ensure that IT demonstrates continuous improvement and readiness for future change 7 8 9
Acquire and maintain integrated and standardised application systems. 7 7
Ensure mutual satisfaction of third-party relationships. 10

CobiT Quickstart v1

PO – Planning & Organisation

As Is

Status

To Be

CobiT Quickstart v2

PO – Planning & Organisation

1. Management is not aware
2. Management is aware
3. There is commitment to resolve
4. Implementation has started
5. Implementation is well under way
6. Solution is implemented
7. Solution is sustainable
8. Solution is optimised

The information security challenge in SME's

X =

Ensure that critical and confidential information is withheld from those who should not have access to it.

Ensure that automated business transactions and information exchanges can be trusted.

Ensure that IT services and infrastructure can properly resist and recover from failures due to error, deliberate attack or disaster.

Ensure minimum business impact in the event of an IT service disruption or change.

Make sure that IT services are available as required.

CobiT Security Baseline

COBIT for Small and Medium-sized Enterprises

Some suggestions

Input from IT Governance Practices

o Strategic Alignment & Resource Management

o Value Management
  Val IT Principles, Research, Key Processes

o Risk Management
  RiskIT

Diagram: IT Governance Domains, IT Governance Focus Areas, CobiT, Resource Management

Strategic Alignment & Resource Management

SME Management should optimise IT resources by:

Acquiring and developing the necessary skills
• Understanding
• Negotiating
• Acquisition

Understanding what is appropriate for the business
• Acquire and maintain the right technology
• Make them work efficiently and effectively
• Define and communicate simple usage rules

Investing in the IT infrastructure
• Need to be done timely
• Accept there is usually no internal capability and that external supply is most probably more cost-effective
• Accept the outcome is not certain but manage uncertainty
• Dispose of old or unused equipment readily

Value Management

Val IT Principles, Research, Key Processes

• Much anecdotal evidence to suggest that IT-related investments are reviewed and approved with less vigour than other investments

• Hard evidence that IT-related business investments have the potential to deliver far greater returns than almost any other investment

Benefits Risk Cost

Value Management

Val IT Principles, Research, Key Processes

Some fundamental questions about the value delivered by IT

Are we doing the right things?
The strategic question. Is the investment:
• In line with our vision
• Consistent with our business principles
• Contributing to our strategic objectives
• Providing optimal value, at affordable cost, at an acceptable level of risk

Are we getting the benefits?
The value question. Do we have:
• A clear and shared understanding of the expected benefits
• Clear accountability for realizing the benefits
• Relevant metrics
• An effective benefits realization process

Are we doing them the right way?
The architecture question. Is the investment:
• In line with our architecture
• Consistent with our architectural principles
• Contributing to the population of our architecture
• In line with other initiatives

Are we getting them done well?
The delivery question. Do we have:
• Effective and disciplined delivery and change management processes
• Competent and available technical and business resources to deliver:
  - The required capabilities
  - The organizational changes required to leverage the capabilities

Value Management

Val IT Principles, Research, Key Processes

IT-enabled investments will be managed as a portfolio of investments.

IT-enabled investments will include the full scope of activities that are required to achieve business value.

IT-enabled investments will be managed through their full economic life cycle.

Value delivery practices will recognize that there are different categories of investments that will be evaluated and managed differently.

Value delivery practices will define and monitor key metrics and will respond quickly to any changes or deviations.

Value delivery practices will engage all stakeholders and assign appropriate accountability for the delivery of capabilities and the realization of business benefits.

Value delivery practices will be continually monitored, evaluated and improved.

Value Management

Val IT Principles, Research, Key Processes

DATA FOR EACH INITIATIVE
Cost
- human resources
- infrastructure
- tools, licenses etc
-
Intermediate Benefits
- capabilities (technical, operational, business)
- financial
- enterprise competitiveness
- enterprise risk mitigation
-
Assumptions
Dependencies
Risks
Timeframe

BUSINESS CASE
Overall costs
End benefits
Key assumptions
Key dependencies
Major risks
High level timeline
Alternatives
Degree of strategic alignment
Degree of architectural alignment
Enabling opportunities

Diagram labels: Summarise, Add

Value Management

Val IT Principles, Research, Key Processes

Careful with investments under the CEO's radar screen

Key success factors
• Fit with strategy
• Synergy with existing infrastructure
• Top management's commitment

Don't overestimate functionality achieved or underestimate cost and time it will take

Don't forget how you did in the past

Stopping an initiative in time is a success

Risk Management

RiskIT

Awareness and Understanding
• Leverage internal knowledge
• Brainstorm with your key people
• Regularly challenge the status quo

Questions ?
