IT Governance for Small and Medium-sized Enterprises
ISACA Malta – 22 April 2010
Erik Guldentops, Executive Professor
University of Antwerp Management School
based on CobiT® – content ©ISACA – foils ©eg_consult
Erik Guldentops IT Governance Seminars
Pg 1
The Basic COBIT Principle
Business Requirements drive the investments in IT Resources, which are used by IT Processes to deliver Enterprise Information, which in turn responds to the Business Requirements.
The Basic COBIT Principle
Enterprise Requirements: • Financial soundness • Customer perception • Operational excellence • Growth capability
INVEST MONEY → USE resources and processes → DELIVER BENEFITS: managing the full economic life-cycle of IT-enabled business initiatives and their risk-adjusted returns.
Resources
• People: Skills, Knowledge, Attitude
• Infrastructure: Resilience, Functional, Maintainable
Processes (IT processes aligned with business processes): Objectives, Responsibilities, Measures
The COBIT Framework
BUSINESS OBJECTIVES – GOVERNANCE OBJECTIVES
INFORMATION criteria: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability
IT RESOURCES: Applications, Information, Infrastructure, People

PLAN AND ORGANISE
PO1 Define a strategic IT plan.
PO2 Define the information architecture.
PO3 Determine technological direction.
PO4 Define the IT processes, organisation and relationships.
PO5 Manage the IT investment.
PO6 Communicate management aims and direction.
PO7 Manage IT human resources.
PO8 Manage quality.
PO9 Assess and manage IT risks.
PO10 Manage projects.

ACQUIRE AND IMPLEMENT
AI1 Identify automated solutions.
AI2 Acquire and maintain application software.
AI3 Acquire and maintain technology infrastructure.
AI4 Enable operation and use.
AI5 Procure IT resources.
AI6 Manage changes.
AI7 Install and accredit solutions and change.

DELIVER AND SUPPORT
DS1 Define and manage service levels.
DS2 Manage third-party services.
DS3 Manage performance and capacity.
DS4 Ensure continuous service.
DS5 Ensure systems security.
DS6 Identify and allocate costs.
DS7 Educate and train users.
DS8 Manage service desk and incidents.
DS9 Manage the configuration.
DS10 Manage problems.
DS11 Manage data.
DS12 Manage the physical environment.
DS13 Manage operations.

MONITOR AND EVALUATE
ME1 Monitor and evaluate IT performance.
ME2 Monitor and evaluate internal control.
ME3 Ensure regulatory compliance.
ME4 Provide IT governance.
CobiT for Small and Medium-sized Enterprises
CobiT for Small and Medium-sized Enterprises
It depends...
CobiT QuickStart
[Chart: the seven suitability criteria CS, SCP, SEG, SOC, ITS, ITL and ITE, each scored 0 to 4]
Suitability Assessment (1) « Stay in the Blue Zone »
• Is the control environment representative of an SME, and is IT not really critical or strategic?
Suitability Assessment (2) « Stay out of the Heat »
• Are there indicators that a broader assessment of IT governance requirements is needed?
CobiT QuickStart
Suitability Assessment (1) « Stay in the Blue Zone »

Simple command structure (CS)
1. CS is strictly informal and verbal, short-term & tactical
2. CS is primarily informal and verbal, somewhat short-term but largely medium-term oriented, and analytical
3. CS is primarily formal and documented, somewhat long-term but more medium-term oriented, and tactical
4. CS is strictly formal and documented, long-term & strategic

Short communications path (SCP)
1. HOE (Head of the entity) knows everyone's IT related responsibilities
2. HOE knows most people's IT related responsibilities
3. HOE only knows for key personnel
4. HOE does not know all IT related responsibilities of key personnel

Segregation (SEG)
1. Those who monitor have at least two other functions (build, operate, or influence).
2. Those who monitor have at most 'building' or 'operating' as other functions. Those who influence can also have 'building' and 'operating' functions.
3. Monitoring is totally segregated, but 'building' and 'operating' can be executed by the same person. Those who influence have at most 'operating' or 'building' as other functions.
4. At most 'influencing' and 'monitoring' is executed by one person.

Span of control (SOC)
1. HOE directs and monitors everyone's IT related responsibilities
2. HOE directs and monitors most people's IT related responsibilities
3. HOE only directs and monitors key personnel
4. HOE does not direct and monitor all IT related responsibilities of key personnel

IT Expenditure (ITE)
1. IT Expenditure is not more than profits and not much different from peers
2. IT Expenditure is different from peers and only marginally increasing every year
3. IT Expenditure is more than profits or significantly different from peers and is showing an annual increasing trend
4. IT Expenditure is significantly more than the entity's profits

IT Leadership (ITL)
1. Laggard, i.e. well behind in technology adoption
2. Follower, i.e. adopting technology after peers have done so
3. Leader, i.e. adopting technology before peers have done so
4. Pioneer, i.e. early adopter of new emerging technology well ahead of the industry

IT's Strategic Importance (ITS)
1. Reliable IT is not critical to the functioning of the enterprise and is not likely to become strategically important
2. Reliable IT support is critical to the enterprise's current operation, but the application development portfolio is not fundamental to the firm's ability to compete
3. Uninterrupted functioning of IT is not absolutely vital to achieving current objectives, but applications and technology under development will be critical to future competitive success
4. Reliable IT support is critical to the enterprise's current operation, and applications and technology under development are critical to future competitive success
CobiT QuickStart
Suitability Assessment (2) « Stay out of the Heat »
Indicator areas: Connectivity, Regulations, Assurance, Skills & Capability, Risk History
• The IT infrastructure is an open as opposed to closed system (interconnections with customers, suppliers etc.)
• There are IT related regulations or contractual requirements applying to the enterprise
• There is a need to provide outside assurance about IT
• Enterprise management is aware of IT issues and wonders whether a minimum baseline is sufficient
• Enterprise management has identified the need for significant formal training relative to IT
• Some IT practices and procedures have been defined, standardised and documented in a sustainable manner
• Enterprise management knows that common tools would make some IT processes more effective and efficient
• The IT expert(s) of the enterprise are needed for developing/improving business processes
CobiT for Small and Medium-sized Enterprises
Can we learn something from research?
• Business and IT Goals in CobiT 4.1
• Research into the most important Business and IT Goals: a 3-phased Delphi method with 30+ international subject matter experts
  • Refining the business and IT goals
  • Identifying the most important by industry
• Research into the Relationship between Enterprise Benefits and IT Governance Practices: correlation between process, IT and business goals from 540 validated survey responses providing 94 metrics
Business Goals (COBIT 4.1)
Research into the most important Business and IT Goals
The prioritised list of business goals over all sectors:
1. Improve customer orientation and service
2. Provide compliancy with external laws and regulations
3. Establish service continuity and availability
4. Manage (IT related) business risks
5. Offer competitive products and services
6. Improve and maintain business process functionality
7. Provide a good return on investment of (IT enabled) business investments
8. Acquire, develop and maintain skilled and motivated people
9. Create agility in responding to changing business requirements
10. Obtain reliable and useful information for strategic decision making
Business Goals scored for small & medium-sized enterprises (1)
Columns: Research on Importance | Research on Goal Impact | Priority for Small & Medium Sized | TOTAL
Step 1 – Assign weights to the most important goals.

Business Goals | Importance
Improve and maintain business process functionality | 5
Achieve cost optimisation of service delivery | –
Optimise business process costs | –
Establish service continuity and availability | 8
Obtain reliable and useful information for strategic decision making | 1
Improve customer orientation and service | 10
Provide compliancy with external laws and regulations | 9
Enable and manage business change | –
Improve and maintain operational and staff productivity | –
Manage (IT related) business risks | 7
Offer competitive products and services | 6
Provide a good return on investment of (IT enabled) business investments | 4
Acquire, develop and maintain skilled and motivated people | 3
Create agility in responding to changing business requirements | 2
Improve financial transparency | –
Provide compliancy with internal policies | –
Identify, enable and manage product and business innovation | –
Column totals | 55 | 55 | 55
Research into Practices and their impact on the bottom-line
• Correlation
• Clustering

Research into Practices and their impact on the bottom-line
• 8 high impact IT Goals
• 6 highly impacted Business Goals

High impact IT Goals
- Improve IT's cost-efficiency (IT_Corp5)
- Align the IT strategy to the business strategy (IT_Corp6)
- Translate business functional and control requirements in effective and efficient automated solutions (IT_User3)
- Accomplish proper use of applications, information and technology solutions (IT_User4)
- Provide IT agility (in responding to changing business needs) (IT_Oper4)
- Seamlessly integrate applications and technology solutions into business processes (IT_Oper5)
- Acquire, develop and maintain IT skills that respond to the IT strategy (IT_Fut1)
- Ensure that IT demonstrates continuous improvement and readiness for future change (IT_Fut3)

Highly impacted Business Goals
- Achieve cost optimisation of service delivery (B_Cust4)
- Obtain reliable and useful information for strategic decision making (B_Cust6)
- Improve and maintain business process functionality (B_Int1)
- Improve and maintain operational and staff productivity (B_Int2)
- Enable and manage business change (B_Int3)
- Optimise business process costs (B_Int5)
Business Goals scored for small & medium-sized enterprises (2)
Columns: Research on Importance | Research on Goal Impact | Priority for Small & Medium Sized | TOTAL
Step 2 – Divide the same weight over the most impacted goals.

Business Goals | Importance | Goal Impact
Improve and maintain business process functionality | 5 | 9
Achieve cost optimisation of service delivery | – | 9
Optimise business process costs | – | 10
Establish service continuity and availability | 8 | –
Obtain reliable and useful information for strategic decision making | 1 | 9
Improve customer orientation and service | 10 | –
Provide compliancy with external laws and regulations | 9 | –
Enable and manage business change | – | 9
Improve and maintain operational and staff productivity | – | 9
Manage (IT related) business risks | 7 | –
Offer competitive products and services | 6 | –
Provide a good return on investment of (IT enabled) business investments | 4 | –
Acquire, develop and maintain skilled and motivated people | 3 | –
Create agility in responding to changing business requirements | 2 | –
Improve financial transparency | – | –
Provide compliancy with internal policies | – | –
Identify, enable and manage product and business innovation | – | –
Column totals | 55 | 55 | 55
What are the key business goals for IT in a small & medium-sized enterprise?
1. IT cost optimisation
2. Business process functionality
3. Business process cost
4. Service continuity
5. Reliable data to do business
Business Goals scored for small & medium-sized enterprises (3)
Columns: Research on Importance | Research on Goal Impact | Priority for Small & Medium Sized | TOTAL
Step 3 – Divide the same weight over the most appropriate goals.

Business Goals | Importance | Goal Impact | SME Priority | TOTAL
Improve and maintain business process functionality | 5 | 9 | 13 | 27
Achieve cost optimisation of service delivery | – | 9 | 15 | 24
Optimise business process costs | – | 10 | 11 | 21
Establish service continuity and availability | 8 | – | 9 | 17
Obtain reliable and useful information for strategic decision making | 1 | 9 | 7 | 17
Improve customer orientation and service | 10 | – | – | 10
Provide compliancy with external laws and regulations | 9 | – | – | 9
Enable and manage business change | – | 9 | – | 9
Improve and maintain operational and staff productivity | – | 9 | – | 9
Manage (IT related) business risks | 7 | – | – | 7
Offer competitive products and services | 6 | – | – | 6
Provide a good return on investment of (IT enabled) business investments | 4 | – | – | 4
Acquire, develop and maintain skilled and motivated people | 3 | – | – | 3
Create agility in responding to changing business requirements | 2 | – | – | 2
Improve financial transparency | – | – | – | 0
Provide compliancy with internal policies | – | – | – | 0
Identify, enable and manage product and business innovation | – | – | – | 0
Column totals | 55 | 55 | 55
Key Business Goals for small & medium-sized enterprises
Columns: Research on Importance | Research on Goal Impact | Priority for Small & Medium Sized | TOTAL

Business Goals | Importance | Goal Impact | SME Priority | TOTAL
Improve and maintain business process functionality | 5 | 9 | 13 | 27
Achieve cost optimisation of service delivery | – | 9 | 15 | 24
Optimise business process costs | – | 10 | 11 | 21
Establish service continuity and availability | 8 | – | 9 | 17
Obtain reliable and useful information for strategic decision making | 1 | 9 | 7 | 17
IT Goals (COBIT 4.1)
Research into the most important Business and IT Goals
The prioritised list of IT goals over all sectors:
1. Align the IT strategy to the business strategy
2. Maintain the security (confidentiality, integrity and availability) of information and processing infrastructure
3. Make sure that IT services are reliable and secure
4. Provide service offerings and service levels in line with business requirements
5. Provide IT compliancy with laws and regulations
6. Translate business functional and control requirements in effective and efficient automated solutions
7. Deliver projects on time and on budget meeting quality standards
8. Drive commitment and support of executive management
9. Improve IT's cost-efficiency
10. Account for and protect all IT assets
IT Goals scored for small & medium-sized enterprises (1)
Columns: Research on Importance | Research on Process Impact | Research on Goal Impact | Business Goal Linkage | Priority for Small & Medium Sized | TOTAL
Step 1 – Assign weights to the most important goals.

No. | IT Goals | Importance
6 | Translate business functional and control requirements in effective and efficient automated solutions | 5
24 | Improve IT's cost-efficiency | 2
9 | Acquire, develop and maintain IT skills that respond to the IT strategy | –
3 | Provide service offerings and service levels in line with business requirements | 7
1 | Align the IT strategy to the business strategy | 10
28 | Ensure that IT demonstrates continuous improvement and readiness for future change | –
7 | Acquire and maintain integrated and standardised application systems | –
25 | Deliver projects on time and on budget meeting quality standards | 4
11 | Seamlessly integrate applications and technology solutions into business processes | –
10 | Ensure mutual satisfaction of third-party relationships | –
8 | Acquire and maintain integrated and standardised IT infrastructure | –
5 | Provide IT agility (in responding to changing business needs) | –
4 | Accomplish proper use of applications, information and technology solutions | –
27 | Provide IT compliancy with laws and regulations | 6
14 | Account for and protect all IT assets | 1
X | Maintain the security (confidentiality, integrity and availability) of information and processing infrastructure | X
X | Make sure that IT services are reliable and secure | X
The information security challenge in SMEs
X (the security-related IT goals marked X in the scoring table) =
• Ensure that critical and confidential information is withheld from those who should not have access to it.
• Ensure that automated business transactions and information exchanges can be trusted.
• Ensure that IT services and infrastructure can properly resist and recover from failures due to error, deliberate attack or disaster.
• Ensure minimum business impact in the event of an IT service disruption or change.
• Make sure that IT services are available as required.
Research into Practices and their impact on the bottom-line
• 7 high impact COBIT processes
• 5 high impact Val IT processes
• 4 highly impacted IT Goals

High impact COBIT processes
- Define a Strategic IT Plan (PO1)
- Manage the IT Investment (PO5)
- Communicate Management Aims and Direction (PO6)
- Assess and Manage IT Risks (PO9)
- Identify Automated Solutions (AI1)
- Acquire and Maintain Application Software (AI2)
- Acquire and Maintain Technology Infrastructure (AI3)

High impact Val IT processes
- Define and Implement Processes (VG2)
- Establish Effective Governance Monitoring (VG5)
- Continuously Improve Value Management Practices (VG6)
- Establish Strategic Direction and Target Investment Mix (PM1)
- Update Operational IT Portfolios (IM7)

Highly impacted IT Goals
- Align the IT strategy to the business strategy (IT_Corp6)
- Provide service offerings and service levels in line with business requirements (IT_User1)
- Acquire, develop and maintain IT skills that respond to the IT strategy (IT_Fut1)
- Ensure that IT demonstrates continuous improvement and readiness for future change (IT_Fut3)
IT Goals scored for small & medium-sized enterprises (2)
Columns: Research on Importance | Research on Process Impact | Research on Goal Impact | Business Goal Linkage | Priority for Small & Medium Sized | TOTAL
Step 2 – Assign the same weight to the highly impacted IT goals.

No. | IT Goals | Importance | Process Impact
6 | Translate business functional and control requirements in effective and efficient automated solutions | 5 | –
24 | Improve IT's cost-efficiency | 2 | –
9 | Acquire, develop and maintain IT skills that respond to the IT strategy | – | 14
3 | Provide service offerings and service levels in line with business requirements | 7 | 14
1 | Align the IT strategy to the business strategy | 10 | 14
28 | Ensure that IT demonstrates continuous improvement and readiness for future change | – | 14
7 | Acquire and maintain integrated and standardised application systems | – | –
25 | Deliver projects on time and on budget meeting quality standards | 4 | –
11 | Seamlessly integrate applications and technology solutions into business processes | – | –
10 | Ensure mutual satisfaction of third-party relationships | – | –
8 | Acquire and maintain integrated and standardised IT infrastructure | – | –
5 | Provide IT agility (in responding to changing business needs) | – | –
4 | Accomplish proper use of applications, information and technology solutions | – | –
27 | Provide IT compliancy with laws and regulations | 6 | –
14 | Account for and protect all IT assets | 1 | –
IT Goals scored for small & medium-sized enterprises (3)
Columns: Research on Importance | Research on Process Impact | Research on Goal Impact | Business Goal Linkage | Priority for Small & Medium Sized | TOTAL
Step 3 – Assign the same weight to the high impact IT goals.

No. | IT Goals | Importance | Process Impact | Goal Impact
6 | Translate business functional and control requirements in effective and efficient automated solutions | 5 | – | 7
24 | Improve IT's cost-efficiency | 2 | – | 7
9 | Acquire, develop and maintain IT skills that respond to the IT strategy | – | 14 | 7
3 | Provide service offerings and service levels in line with business requirements | 7 | 14 | –
1 | Align the IT strategy to the business strategy | 10 | 14 | 7
28 | Ensure that IT demonstrates continuous improvement and readiness for future change | – | 14 | 7
7 | Acquire and maintain integrated and standardised application systems | – | – | –
25 | Deliver projects on time and on budget meeting quality standards | 4 | – | –
11 | Seamlessly integrate applications and technology solutions into business processes | – | – | 7
10 | Ensure mutual satisfaction of third-party relationships | – | – | –
8 | Acquire and maintain integrated and standardised IT infrastructure | – | – | –
5 | Provide IT agility (in responding to changing business needs) | – | – | 7
4 | Accomplish proper use of applications, information and technology solutions | – | – | 7
27 | Provide IT compliancy with laws and regulations | 6 | – | –
14 | Account for and protect all IT assets | 1 | – | –
Linking Business and IT Goals
Linking Business and IT Goals
Rows – the five key business goals with their total scores:
10 Improve and maintain business process functionality (27)
8 Achieve cost optimisation of service delivery (24)
11 Optimise business process costs (21)
6 Establish service continuity and availability (17)
9 Obtain reliable and useful information for strategic decision making (17)
Columns – the linked COBIT 4.1 IT goals: 1 2 3 4 6 7 8 9 10 11 12 13 15 16 20 22 23 24 28
[Matrix of linkage points per business goal and IT goal; the individual cell values are not recoverable from the extraction]
Column totals: IT goal 1: 5 | 2: 3 | 3: 1 | 4: 3 | 6: 14 | 7: 19 | 8: 10 | 9: 5 | 10: 10 | 11: 9 | 12: 3 | 13: 4 | 15: 4 | 16: 4 | 20: 4 | 22: 5 | 23: 4 | 24: 16 | 28: 9

Linking Business and IT Goals – reduced to the heavily linked IT goals
Columns: 6 7 8 10 11 24 28
Column totals: IT goal 6: 14 | 7: 19 | 8: 10 | 10: 10 | 11: 9 | 24: 16 | 28: 9
IT Goals scored for small & medium-sized enterprises (4)
Columns: Research on Importance | Research on Process Impact | Research on Goal Impact | Business Goal Linkage | Priority for Small & Medium Sized | TOTAL
Step 4 – Analysis: Business and IT Goals for SMEs (linkage totals carried over from the previous slide).

No. | IT Goals | Importance | Process Impact | Goal Impact | Business Goal Linkage
6 | Translate business functional and control requirements in effective and efficient automated solutions | 5 | – | 7 | 14
24 | Improve IT's cost-efficiency | 2 | – | 7 | 16
9 | Acquire, develop and maintain IT skills that respond to the IT strategy | – | 14 | 7 | –
3 | Provide service offerings and service levels in line with business requirements | 7 | 14 | – | –
1 | Align the IT strategy to the business strategy | 10 | 14 | 7 | –
28 | Ensure that IT demonstrates continuous improvement and readiness for future change | – | 14 | 7 | 9
7 | Acquire and maintain integrated and standardised application systems | – | – | – | 19
25 | Deliver projects on time and on budget meeting quality standards | 4 | – | – | –
11 | Seamlessly integrate applications and technology solutions into business processes | – | – | 7 | 9
10 | Ensure mutual satisfaction of third-party relationships | – | – | – | 10
8 | Acquire and maintain integrated and standardised IT infrastructure | – | – | – | 10
5 | Provide IT agility (in responding to changing business needs) | – | – | 7 | –
4 | Accomplish proper use of applications, information and technology solutions | – | – | 7 | –
27 | Provide IT compliancy with laws and regulations | 6 | – | – | –
14 | Account for and protect all IT assets | 1 | – | – | –
X | Maintain the security (confidentiality, integrity and availability) of information and processing infrastructure | X | | |
X | Make sure that IT services are reliable and secure | X | | |
What are the key IT goals in a small & medium-sized enterprise?
1. Functional applications
2. Cost-efficiency
3. Skills to obtain effective/efficient IT solutions
4. Service that responds to business needs
5. Deliver solutions on time and budget
IT Goals scored for small & medium-sized enterprises (5)
Columns: Research on Importance | Research on Process Impact | Research on Goal Impact | Business Goal Linkage | Priority for Small & Medium Sized | TOTAL
Step 5 – Score the IT goals typical for SMEs.

No. | IT Goals | Importance | Process Impact | Goal Impact | Business Goal Linkage | SME Priority | TOTAL
6 | Translate business functional and control requirements in effective and efficient automated solutions | 5 | – | 7 | 14 | 12 | 38
24 | Improve IT's cost-efficiency | 2 | – | 7 | 16 | 12 | 37
9 | Acquire, develop and maintain IT skills that respond to the IT strategy | – | 14 | 7 | – | 12 | 33
3 | Provide service offerings and service levels in line with business requirements | 7 | 14 | – | – | 12 | 33
1 | Align the IT strategy to the business strategy | 10 | 14 | 7 | – | – | 31
28 | Ensure that IT demonstrates continuous improvement and readiness for future change | – | 14 | 7 | 9 | – | 30
7 | Acquire and maintain integrated and standardised application systems | – | – | – | 19 | – | 19
25 | Deliver projects on time and on budget meeting quality standards | 4 | – | – | – | 12 | 16
11 | Seamlessly integrate applications and technology solutions into business processes | – | – | 7 | 9 | – | 16
10 | Ensure mutual satisfaction of third-party relationships | – | – | – | 10 | – | 10
8 | Acquire and maintain integrated and standardised IT infrastructure | – | – | – | 10 | – | 10
5 | Provide IT agility (in responding to changing business needs) | – | – | 7 | – | – | 7
4 | Accomplish proper use of applications, information and technology solutions | – | – | 7 | – | – | 7
27 | Provide IT compliancy with laws and regulations | 6 | – | – | – | – | 6
14 | Account for and protect all IT assets | 1 | – | – | – | – | 1
X | Maintain the security (confidentiality, integrity and availability) of information and processing infrastructure | X | | | | |
X | Make sure that IT services are reliable and secure | X | | | | |
Linking IT Goals to IT Processes
IT goals ranked by their total score:
6 Translate business functional and control requirements in effective and efficient automated solutions – 38
24 Improve IT's cost-efficiency – 37
9 Acquire, develop and maintain IT skills that respond to the IT strategy – 33
3 Provide service offerings and service levels in line with business requirements – 33
1 Align the IT strategy to the business strategy – 31
28 Ensure that IT demonstrates continuous improvement and readiness for future change – 30
7 Acquire and maintain integrated and standardised application systems – 19
25 Deliver projects on time and on budget meeting quality standards – 16
11 Seamlessly integrate applications and technology solutions into business processes – 16
10 Ensure mutual satisfaction of third-party relationships – 10
8 Acquire and maintain integrated and standardised IT infrastructure – 10
Linking IT Goals to IT Processes: distribute goal weight across applicable processes, then remove 'light' columns

Each goal's score is spread over the COBIT processes that contribute to it; summing each column gives the weight carried by each process. Column totals from the slide:

PO1 8 | PO2 7 | PO3 5 | PO4 3 | PO5 34 | PO7 13 | PO8 8 | PO10 10 | AI1 19 | AI2 17 | AI3 6 | AI4 8 | AI5 31 | AI6 17 | AI7 8 | DS1 9 | DS2 18 | DS3 1 | DS6 23 | DS7 2 | DS8 3 | DS10 4 | ME1 13 | ME4 6

The per-goal rows of the matrix were only partially extracted (row labels lost): 15 10 13 / 22 15 / 13 20 / 2 3 8 8 2 3 4 3 / 8 4 3 5 4 4 1 1 1 / 7 8 9 6 / 5 7 7 / 6 10 / 3 5 8 / 10 / 6 4.

Processes with a low column total (all except PO5, AI1, AI2, AI5, AI6, DS2, DS6 and ME1) are the 'light' columns removed in the next step.
Linking IT Goals to IT Processes: remove 'light' rows

Retained processes: PO5 AI1 AI2 AI5 AI6 DS2 DS6 ME1. For each goal: component scores and TOTAL as before, then the weights that fall on the retained processes and their subtotal.

6  Translate business functional and control requirements in effective and efficient automated solutions: 5, 7, 14, 12 | TOTAL 38 | retained weights 15, 10, 13 | subtotal 38
24 Improve IT's cost-efficiency: 2, 7, 16, 12 | TOTAL 37 | retained weights 22, 15 | subtotal 37
9  Acquire, develop and maintain IT skills that respond to the IT strategy: 14, 7, 12 | TOTAL 33 | retained weights 20 | subtotal 20
3  Provide service offerings and service levels in line with business requirements: 7, 14, 12 | TOTAL 33 | retained weights 8, 3 | subtotal 11
1  Align the IT strategy to the business strategy: 10, 14, 7 | TOTAL 31 | retained weights 5, 4, 4, 1 | subtotal 14
28 Ensure that IT demonstrates continuous improvement and readiness for future change: 14, 7, 9 | TOTAL 30 | retained weights 7, 8, 9 | subtotal 24
7  Acquire and maintain integrated and standardised application systems: 19 | TOTAL 19 | retained weights 7, 7 | subtotal 14
25 Deliver projects on time and on budget meeting quality standards: 4, 12 | TOTAL 16 | retained weights none | subtotal 0
11 Seamlessly integrate applications and technology solutions into business processes: 7, 9 | TOTAL 16 | retained weights none | subtotal 0
10 Ensure mutual satisfaction of third-party relationships: 10 | TOTAL 10 | retained weights 10 | subtotal 10
8  Acquire and maintain integrated and standardised IT infrastructure: 10 | TOTAL 10 | retained weights 4 | subtotal 4

Column totals: PO5 34 | AI1 19 | AI2 17 | AI5 31 | AI6 17 | DS2 18 | DS6 23 | ME1 13
Linking IT Goals to IT Processes: after removing the 'light' rows

Goals 25, 11 and 8, whose weight fell mostly on the removed processes, are dropped. Retained processes: PO5 AI1 AI2 AI5 AI6 DS2 DS6 ME1.

6  Translate business functional and control requirements in effective and efficient automated solutions: 5, 7, 14, 12 | TOTAL 38 | retained weights 15, 10, 13 | subtotal 38
24 Improve IT's cost-efficiency: 2, 7, 16, 12 | TOTAL 37 | retained weights 22, 15 | subtotal 37
9  Acquire, develop and maintain IT skills that respond to the IT strategy: 14, 7, 12 | TOTAL 33 | retained weights 20 | subtotal 20
3  Provide service offerings and service levels in line with business requirements: 7, 14, 12 | TOTAL 33 | retained weights 8, 3 | subtotal 11
1  Align the IT strategy to the business strategy: 10, 14, 7 | TOTAL 31 | retained weights 5, 4, 4, 1 | subtotal 14
28 Ensure that IT demonstrates continuous improvement and readiness for future change: 14, 7, 9 | TOTAL 30 | retained weights 7, 8, 9 | subtotal 24
7  Acquire and maintain integrated and standardised application systems: 19 | TOTAL 19 | retained weights 7, 7 | subtotal 14
10 Ensure mutual satisfaction of third-party relationships: 10 | TOTAL 10 | retained weights 10 | subtotal 10

Column totals: PO5 34 | AI1 19 | AI2 17 | AI5 27 | AI6 17 | DS2 18 | DS6 23 | ME1 13 (AI5 drops from 31 to 27 once goal 8's weight of 4 is removed)
With focus established, practices can be identified

Retained processes: PO5 AI1 AI2 AI5 AI6 DS2 DS6 ME1. Each retained goal now carries only the weights placed on these processes:

6  Translate business functional and control requirements in effective and efficient automated solutions: 15, 10, 13
24 Improve IT's cost-efficiency: 22, 15
9  Acquire, develop and maintain IT skills that respond to the IT strategy: 20
3  Provide service offerings and service levels in line with business requirements: 8, 3
1  Align the IT strategy to the business strategy: 5, 4, 4, 1
28 Ensure that IT demonstrates continuous improvement and readiness for future change: 7, 8, 9
7  Acquire and maintain integrated and standardised application systems: 7, 7
10 Ensure mutual satisfaction of third-party relationships: 10
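The four-step cascade walked through on the preceding slides (score the goals, distribute each score over the contributing processes, drop the 'light' columns, drop the 'light' rows), as an added Python example; it is not code from the slides, ISACA or COBIT. The goal scores and their distribution over processes below are constructed for the demo, the process ids are the COBIT 4.1 ids used on the slides, and the two thresholds are parameters because the slides set no numeric cut-off.

```python
"""Goal-to-process weight cascade (added example, not from the slides).

Procedure as on the slides:
  1. score each IT goal,
  2. distribute that score across the COBIT processes that contribute to it,
  3. remove 'light' process columns (low column total),
  4. remove 'light' goal rows (little weight left on the retained processes).
"""
from typing import Dict, Tuple

Matrix = Dict[str, Dict[str, int]]  # goal id -> process id -> weight

# Constructed sample input: goal id -> (score, weight placed on each process).
# Process ids are COBIT 4.1 ids as used on the slides; the numbers are invented.
GOALS: Dict[str, Tuple[int, Dict[str, int]]] = {
    "6":  (38, {"AI1": 16, "AI2": 12, "AI5": 10}),
    "24": (37, {"PO5": 25, "DS6": 12}),
    "9":  (33, {"PO7": 33}),
    "25": (16, {"PO10": 12, "ME1": 4}),
    "8":  (10, {"AI1": 4, "AI3": 6}),
    "14": (1,  {"DS3": 1}),
}


def distribute(goals: Dict[str, Tuple[int, Dict[str, int]]]) -> Matrix:
    """Step 2: build the goal/process matrix, refusing inputs whose
    distributed weights do not add up to the goal's score."""
    matrix: Matrix = {}
    for goal, (score, weights) in goals.items():
        if sum(weights.values()) != score:
            raise ValueError(
                f"goal {goal}: weights sum to {sum(weights.values())}, score is {score}")
        matrix[goal] = dict(weights)
    return matrix


def process_totals(matrix: Matrix) -> Dict[str, int]:
    """Column totals: the weight each process carries across all goals."""
    totals: Dict[str, int] = {}
    for weights in matrix.values():
        for proc, w in weights.items():
            totals[proc] = totals.get(proc, 0) + w
    return totals


def drop_light_columns(matrix: Matrix, min_total: int) -> Matrix:
    """Step 3: keep only processes whose column total reaches min_total."""
    keep = {p for p, t in process_totals(matrix).items() if t >= min_total}
    return {g: {p: w for p, w in ws.items() if p in keep} for g, ws in matrix.items()}


def drop_light_rows(matrix: Matrix, min_weight: int) -> Matrix:
    """Step 4: keep only goals still carrying min_weight on the retained processes."""
    return {g: ws for g, ws in matrix.items() if sum(ws.values()) >= min_weight}


def cascade(goals, min_col_total: int, min_row_weight: int) -> Tuple[Matrix, Dict[str, int]]:
    """Run the full procedure; returns the focused matrix and its column totals."""
    matrix = drop_light_rows(drop_light_columns(distribute(goals), min_col_total),
                             min_row_weight)
    return matrix, process_totals(matrix)


def focus_lost(goals, matrix: Matrix) -> Dict[str, int]:
    """How much of each retained goal's score was pruned away with the light
    columns: a large loss means the goal is served mostly by processes that
    are no longer in focus, which is worth knowing before picking practices."""
    return {g: goals[g][0] - sum(ws.values()) for g, ws in matrix.items()}


if __name__ == "__main__":
    focused, totals = cascade(GOALS, min_col_total=12, min_row_weight=10)
    for goal, weights in focused.items():
        print(f"goal {goal:>2}: {weights}")
    print("process totals:", totals)
    print("weight pruned per retained goal:", focus_lost(GOALS, focused))
```

With the constructed data, column pruning at 12 drops AI5, AI3, ME1 and DS3; row pruning at 10 then drops goals 8 and 14, and AI1's total falls from 20 to 16 with goal 8's weight gone, the same effect the slides show for AI5 when goal 8 is removed. `focus_lost` is the check a practitioner would add: goal 6 keeps 28 of its 38 points, so it stays in focus, but a goal that kept only a sliver would be a candidate for reconsidering the thresholds rather than silently dropping it.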
CobiT Quickstart v1

PO – Planning & Organisation: As Is / Status / To Be
CobiT Quickstart v2

PO – Planning & Organisation: status scale
1. Management is not aware
2. Management is aware
3. There is commitment to resolve
4. Implementation has started
5. Implementation is well under way
6. Solution is implemented
7. Solution is sustainable
8. Solution is optimised
The information security challenge in SMEs

X (the security goals marked X in the IT goals table) =
• Ensure that critical and confidential information is withheld from those who should not have access to it.
• Ensure that automated business transactions and information exchanges can be trusted.
• Ensure that IT services and infrastructure can properly resist and recover from failures due to error, deliberate attack or disaster.
• Ensure minimum business impact in the event of an IT service disruption or change.
• Make sure that IT services are available as required.

The information security challenge in SMEs (continued)
CobiT Security Baseline
COBIT for Small and Medium-sized Enterprises: input from IT Governance practices

Some suggestions:
o Strategic Alignment & Resource Management
o Value Management: Val IT Principles, Research, Key Processes
o Risk Management: RiskIT

(Figure: IT Governance domains / IT Governance focus areas, with CobiT and Resource Management highlighted)

Strategic Alignment & Resource Management
SME Management should optimise IT resources by:

• Acquiring and developing the necessary skills: understanding, negotiating, acquisition
• Understanding what is appropriate for the business:
  • Acquire and maintain the right technology
  • Make them work efficiently and effectively
  • Define and communicate simple usage rules
• Investing in the IT infrastructure:
  • Needs to be done timely
  • Accept there is usually no internal capability and that external supply is most probably more cost-effective
  • Accept the outcome is not certain but manage uncertainty
  • Dispose of old or unused equipment readily
Value Management: Val IT Principles, Research, Key Processes

• Much anecdotal evidence to suggest that IT-related investments are reviewed and approved with less vigour than other investments
• Hard evidence that IT-related business investments have the potential to deliver far greater returns than almost any other investment

(Figure: the Benefits / Risk / Cost triangle)
Value Management: Val IT Principles, Research, Key Processes

Some fundamental questions about the value delivered by IT:

Are we doing the right things? The strategic question. Is the investment:
• In line with our vision
• Consistent with our business principles
• Contributing to our strategic objectives
• Providing optimal value, at affordable cost, at an acceptable level of risk

Are we doing them the right way? The architecture question. Is the investment:
• In line with our architecture
• Consistent with our architectural principles
• Contributing to the population of our architecture
• In line with other initiatives

Are we getting them done well? The delivery question. Do we have:
• Effective and disciplined delivery and change management processes
• Competent and available technical and business resources to deliver:
  • The required capabilities
  • The organizational changes required to leverage the capabilities

Are we getting the benefits? The value question. Do we have:
• A clear and shared understanding of the expected benefits
• Clear accountability for realizing the benefits
• Relevant metrics
• An effective benefits realization process
Value Management: Val IT Principles, Research, Key Processes

Val IT principles:
• IT-enabled investments will be managed as a portfolio of investments.
• IT-enabled investments will include the full scope of activities that are required to achieve business value.
• IT-enabled investments will be managed through their full economic life cycle.
• Value delivery practices will recognize that there are different categories of investments that will be evaluated and managed differently.
• Value delivery practices will define and monitor key metrics and will respond quickly to any changes or deviations.
• Value delivery practices will engage all stakeholders and assign appropriate accountability for the delivery of capabilities and the realization of business benefits.
• Value delivery practices will be continually monitored, evaluated and improved.
Value Management: Val IT Principles, Research, Key Processes

Building the business case:

DATA FOR EACH INITIATIVE
• Cost: human resources, infrastructure, tools, licences etc.
• Intermediate benefits: capabilities (technical, operational, business)
• End benefits: financial, enterprise competitiveness, enterprise risk mitigation
• Key assumptions
• Key dependencies
• Major risks
• High-level timeline

Summarise into the BUSINESS CASE
• Overall costs
• Intermediate benefits
• End benefits
• Assumptions
• Dependencies
• Risks
• Timeframe

Add
• Alternatives
• Degree of strategic alignment
• Degree of architectural alignment
• Enabling opportunities
Value Management: Val IT Principles, Research, Key Processes

Careful with investments under the CEO's radar screen.

Key success factors:
• Fit with strategy
• Synergy with existing infrastructure
• Top management's commitment
• Don't overestimate functionality achieved or underestimate cost and time it will take
• Don't forget how you did in the past
• Stopping an initiative in time is a success
Risk Management: RiskIT

Awareness and understanding:
• Leverage internal knowledge
• Brainstorm with your key people
• Regularly challenge the status quo
Questions ?