Transforming Enterprise IT
Ref: www.isaca.org/cobit
IT Governance Is the Key Issue
• Enterprises are giving away money, productivity and competitive advantage by not implementing effective IT governance
• A better way to:
– Direct IT for optimal advantage
– Measure the value provided by IT
– Manage IT-related risks
IT Governance
The purpose of IT governance is to direct IT endeavors, to ensure that IT’s performance meets the following objectives:
• Alignment of IT with the enterprise and realisation of the promised benefits
• Use of IT to enable the enterprise by exploiting opportunities and maximising benefits
• Responsible use of IT resources
• Appropriate management of IT-related risks
Why do we need a Framework?
• Increasing dependence on information and the systems that deliver this information
• Increasing vulnerabilities and a wide spectrum of threats, such as cyberthreats and information warfare
• Scale and cost of the current and future investments in information and information systems
• The need to comply with regulations
• The potential for technologies to dramatically change organisations and business practices, create new opportunities and reduce costs
• Recognition by many organisations of the potential benefits that technology can yield
Who Needs a Framework?
Board and Executive
To ensure management follows and implements the strategic direction for IT
Management
To make IT investment decisions
To balance risk and control investment
To benchmark the existing and future IT environment
Users
To obtain assurance on security and control of products and services they acquire internally or externally
Auditors
To substantiate opinions to management on internal controls
To advise on what minimum controls are necessary
COBIT
Control Objectives for Information and related Technology (COBIT) is a set of best practices (a framework) for IT management created by the Information Systems Audit and Control Association (ISACA). It:
1. Incorporates major international standards
2. Has become the de facto standard for overall control over IT
3. Starts from business requirements
4. Is process-oriented
Starts from the premise that IT needs to deliver the information that the enterprise needs to achieve its objectives
Promotes process focus and process ownership
Divides IT into 34 processes belonging to four domains and provides a high-level control objective for each
Considers fiduciary, quality and security needs of enterprises, providing seven information criteria that can be used to generically define what the business requires from IT
Is supported by a set of over 300 detailed control objectives
Seven information criteria: Effectiveness, Efficiency, Availability, Integrity, Confidentiality, Reliability, Compliance
Four domains: Plan and Organise, Acquire and Implement, Deliver and Support, Monitor and Evaluate
COBIT: Basics
Then what is CobiT?
It is the Control Objectives for Information and related Technology
A methodology consisting of standards and controls created to assist IT professionals in the implementation, review, administration and monitoring of an IT environment.
The CobiT Executive Summary and Framework were released in December 1995, Control Objectives in April 1996, and Audit Guidelines followed in September 1996.
A tool for IT professionals that links information technology and control practices
CobiT consolidates and harmonizes standards from prominent global sources into a critical resource for management, control professionals and auditors.
Overview of CobiT
CobiT represents:
• a control framework,
• a set of generally accepted control objectives, and
• the CobiT Audit Guidelines.
CobiT is based on the philosophy that IT resources need to be managed by a set of naturally grouped processes in order to provide the pertinent and reliable information an organization needs to achieve its objectives.
CobiT is business-process oriented and provides business process owners with a framework that should enable them to control all the different activities underlying IT deployment.
Overview of CobiT
What is the purpose of CobiT?
To provide management and business process owners with an Information Technology (IT) governance model that helps in understanding and managing the risks associated with IT.
CobiT helps bridge the gaps between business risks, control needs and technical issues by presenting the controls through one vehicle.
It is a control model to meet the needs of IT governance and ensure the integrity of information and information systems.
Components of CobiT
The 4 Domains of CobiT
MONITORING (MO)
PLANNING & ORGANIZATION (PO)
ACQUISITION & IMPLEMENTATION (AI)
DELIVERY & SUPPORT (DS)
Components of CobiT
M1- Monitor the process
M2- Obtain independent assurance
MONITORING (MO)
All IT processes need to be regularly assessed over time for their quality and compliance with control and regulatory requirements.
Auditors need to perform procedures to ensure that the IT environment meets predefined standards with respect to controls.
Components of CobiT
PO1- Define a strategic IT plan
PO2- Define the information architecture
PO3- Determine technological direction
PO4- Define the IT organisation and relationships
PO5- Manage the investment in IT
PLANNING & ORGANIZATION (PO)
Addresses strategy and tactics, and concerns the identification of the way information technology can best contribute to the achievement of business objectives.
Is the IT strategy effectively controlled, and will it contribute to the business objectives?
PO6- Communicate management aims and direction
PO7- Manage human resources
PO8- Ensure compliance with external requirements
PO9- Assess risks
PO10- Manage projects
PO11- Manage quality
Components of CobiT
AI1- Identify solutions
AI2- Acquire and maintain application software
AI3- Acquire and maintain technology architecture
AI4- Develop and maintain IT procedures
AI5- Install and accredit systems
AI6- Manage changes
ACQUISITION & IMPLEMENTATION (AI)
To realize the IT strategy, IT solutions need to be identified, developed and/or acquired, as well as implemented and integrated into the business process.
Is the process to choose and implement IT solutions a controlled process? Does this process meet control standards?
Components of CobiT
DS1- Define service levels
DS2- Manage third-party services
DS3- Manage performance and capacity
DS4- Ensure continuous service
DS5- Ensure systems security
DS6- Identify and allocate costs
DS7- Educate and train users
DS8- Assist and advise IT customers
DS9- Manage the configuration of IT systems
DS10- Manage problems and incidents
DS11- Manage data
DS12- Manage facilities
DS13- Manage operations
DELIVERY & SUPPORT (DS)
Addresses the actual delivery of required information services.
Are information-related services delivered in a controlled manner?
© 2009 ISACA. All rights reserved.
COBIT is a Road Map for Easy IT Governance
• Accepted globally as a set of tools that ensures IT is working effectively
• Functions as an overarching framework
• Provides a common language to communicate goals, objectives and expected results to all stakeholders
• Based on, and integrates, industry standards and good practices in:
– Strategic alignment of IT with business goals
– Value delivery of services and new projects
– Risk management
– Resource management
– Performance measurement
Business Benefits
COBIT® provides guidance for executive management to govern IT within the enterprise
• More effective tools for IT to support business goals
• More transparent and predictable full life-cycle IT costs
• More timely and reliable information from IT
• Higher quality IT services and more successful projects
• More effective management of IT-related risks
Harmonizing the Elements of IT Governance
IT Governance (diagram): Strategic Alignment, Value Delivery, Resource Management, Risk Management, Performance Measurement
The high-level approach diagram of information system audits
Approach
Ref- http://www.isaca.org/Knowledge-Center/cobit/Pages/Government-of-Dubai.aspx
Ref- http://www.emeraldinsight.com/journals.htm?articleid=1954554&show=html
Operationalising CMMI: integrating CMMI and CoBIT perspective
The COBIT model groups all information and IT activities into four domains, which are articulated into 34 processes
Ref: http://www.isaca.org/Journal/Past-Issues/2008/Volume-4/Pages/Case-Study-Better-to-Prevent-Than-Cure-A-New-Way-to-Enhance-IT-and-Business-Governance-Collaboration.aspx
COBIT® Defines Processes, Goals and Metrics: Relationship Amongst Process, Goals and Metrics (DS5)
Defined Responsibilities for Each Process
RACI Chart (diagram; activities only, the function columns and letter assignments are not recoverable):
• Link business goals to IT goals.
• Identify critical dependencies and current performance.
• Build an IT strategic plan.
• Build IT tactical plans.
• Analyse programme portfolios and manage project and service portfolios.
A RACI chart identifies, for each activity and each function, who is Responsible, Accountable, Consulted and/or Informed.
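An added example (not from the slide or from ISACA's COBIT material) of the check an auditor or process owner runs over a RACI chart before signing it off. The five activities are the ones named on the slide; the function columns and the R/A/C/I assignments are constructed for illustration and are not the COBIT chart. The rules enforced (exactly one Accountable and at least one Responsible per activity) are the common RACI convention, assumed here rather than stated on the slide.

```python
"""RACI chart validation: added example, not part of the original deck."""
from collections import Counter

# Constructed sample columns (hypothetical functions, not the COBIT chart).
FUNCTIONS = ["CEO", "CIO", "Business Executive", "PMO", "Audit"]

# Constructed sample assignments for the activities named on the slide.
# A cell may hold several letters separated by "/", e.g. "A/R"; "" means none.
RACI_CHART = {
    "Link business goals to IT goals.": ["C", "A/R", "C", "", "I"],
    "Identify critical dependencies and current performance.": ["", "A/R", "C", "R", "C"],
    "Build an IT strategic plan.": ["A", "R", "C", "I", "C"],
    "Build IT tactical plans.": ["I", "A", "C", "R", "C"],
    "Analyse programme portfolios and manage project and service portfolios.": ["I", "A", "R", "R", "C"],
}

VALID_LETTERS = {"R", "A", "C", "I"}


def parse_cell(cell):
    """Split a cell such as 'A/R' into its letters; a blank cell yields an empty set."""
    letters = {part.strip() for part in cell.split("/") if part.strip()}
    unknown = letters - VALID_LETTERS
    if unknown:
        raise ValueError(f"unknown RACI letter(s) {sorted(unknown)} in cell {cell!r}")
    return letters


def check_chart(chart, functions):
    """Return a list of findings; an empty list means the chart passes.

    Rules (assumed RACI convention, not stated on the slide):
      1. each row has one cell per function column
      2. each activity has exactly one Accountable function
      3. each activity has at least one Responsible function
    """
    findings = []
    for activity, row in chart.items():
        if len(row) != len(functions):
            findings.append(f"{activity}: {len(row)} cells for {len(functions)} functions")
            continue
        counts = Counter()
        for cell in row:
            counts.update(parse_cell(cell))
        if counts["A"] != 1:
            findings.append(f"{activity}: expected 1 Accountable, found {counts['A']}")
        if counts["R"] == 0:
            findings.append(f"{activity}: no Responsible function")
    return findings


def accountable_for(chart, functions, activity):
    """Name the function(s) holding 'A' for one activity."""
    return [f for f, cell in zip(functions, chart[activity]) if "A" in parse_cell(cell)]


if __name__ == "__main__":
    for finding in check_chart(RACI_CHART, FUNCTIONS) or ["chart passes"]:
        print(finding)
    print("Accountable for tactical plans:",
          accountable_for(RACI_CHART, FUNCTIONS, "Build IT tactical plans."))
```

The same check, run against a chart where two functions both carry "A" for an activity, reports the duplicated accountability; that condition (shared or missing accountability) is the defect a RACI review most often exists to catch.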
COBIT® Products and Their Primary Audience
• COBIT, Risk IT and Val IT frameworks
• Implementing and Continually Improving IT Governance
• COBIT User Guide for Service Managers
• COBIT and Application Controls
IT Governance Focus Areas
• Strategic alignment focuses on ensuring the linkage of business and IT plans; defining, maintaining and validating the IT value proposition; and aligning IT operations with enterprise operations.
• Value delivery is about executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimising costs and proving the intrinsic value of IT.
• Resource management is about the optimal investment in, and the proper management of, critical IT resources: applications, information, infrastructure and people. Key issues relate to the optimisation of knowledge and infrastructure.
• Risk management requires risk awareness by senior corporate officers, a clear understanding of the enterprise’s appetite for risk, understanding of compliance requirements, transparency about the significant risks to the enterprise and embedding of risk management responsibilities into the organisation.
• Performance measurement tracks and monitors strategy implementation, project completion, resource usage, process performance and service delivery, using, for example, balanced scorecards that translate strategy into action to achieve goals measurable beyond conventional accounting.
Management statement on IT Governance
“IT governance is the responsibility of Telco’s executives to install a system of management control that ensures that Telco’s business objectives are achieved through end-to-end processes, quality of information and the supportive IT. This consists in our opinion of directing Telco’s IT resources towards optimal performance aiming for:
- IT to be aligned with the business and the business processes;
- IT resources to be used in a controlled structure;
- IT risks to be assessed and to be managed appropriately.”
“Further formalisation of goal setting and performance monitoring of the overall IT program could be enforced by regular internal audits.”
IT Governance
Forces influencing IT Governance
IT Governance Institute
Erik Guldentops
• Trust (McKinsey): institutional investors are willing to pay up to a 20% premium for shares of enterprises that have a governance framework
• Value (Brookings Institute): 85% of the market value of enterprises is intangible (knowledge, information, capability…)
• Survival (Alan Greenspan): trust can vanish overnight; a factory cannot
• Assurance (Turnbull): regulations establishing the responsibility of enterprise officers for internal control and risk transparency
www.itgi.org
IT Governance Institute approach
IT governance, like other governance subjects, is the responsibility of executives and shareholders (represented by the board of directors). It consists of the leadership and organisational structures and processes that ensure that the organisation’s IT sustains and extends the organisation’s strategies and objectives.
Definition
Environment: Ethics & Culture, Laws & Regulations, Mission & Vision, Role Models, Industry Practices, …
IT Governance lifecycle (diagram):
• Focus areas: Alignment, Value Delivery, Management of Risk, Monitoring & Reporting, Evaluation
• Lifecycle: Provide Direction → IT Activities → Measure Performance → Compare → Set Objectives
• IT Activities: increase automation (make the business effective); decrease cost (make the enterprise efficient); manage risks (security, reliability and compliance)
• Objectives: IT is aligned with the business, enables the business and maximises benefits; IT resources are used responsibly; IT-related risks are managed appropriately
IT Governance framework (diagram):
• Layers: Strategy, Structure, Implementation, Framework
• Views: Business, Information Systems, Information Technology
• Focus: Business Alignment, Demand Management
• Axis labels: product, process, organisation; IT products, security; IT management; use of information and transport (DIO focus vs. CIO focus)
Expertise in IT Governance
• Business Alignment
• Demand Management
• IT Service Management
• Information architecture
• User/Application controls
• Security/Operations
• Sourcing
• Information Economics
• Compliance management
• Third Party Assurance
• Management of change
IT Governance is ... IT management
IT Governance vs. IT Management (diagram): business orientation: internal / external; time dimension: present / future.
Derived from IT Governance mechanismen, Wim van Grembergen and Steven De Haes, Kluwer 2004
IT Control
Getting Started
Visit www.isaca.org/cobit to download the COBIT® framework
TOM detail: Spider Diagrams
Problem Handling (process diagram):
• Inputs: trouble reports, notifications, status reports, QoS & SLA terms, profiles, SLA violations, planned maintenance scheduling and notification, problem reports, SLA/QoS violations, completion notification
• Activities: receive trouble notification; determine cause and resolve; track progress of resolution; initiate action to reconfigure; generate trouble ticket (TT) to suppliers; confirm trouble cleared; notify customer that trouble is cleared; schedule with and notify customer of planned work
• Outputs: request to re-configure, trouble report, trouble cleared, QoS violations, major trouble reports
• Interfacing processes: Customer, Customer Interface Management, Order Handling, Sales, Service Configuration, Other Provider(s), Service Problem Resolution, Customer QoS Management, Service Quality Management, Rating & Discounting
Governance architecture
1. Domains:
2. Governance structure:
• Company-wide steering committee, chaired by a Board of Management (RvB) member
• Board responsibilities likewise (Fixed, Mobile, CFO)
• Clear domain accountability (domain manager)
• Linkage to business via sponsor, steered by domain management
3. Roles/responsibilities in conformance with the baseline document:
• Domain manager (reporting to the DIO), DIO & CIO
• Program office per division, chaired by the DIO
• Architectural board chaired by the CIO (with participation of the divisions)
Domains (per division: fixed, mobile, corporate): Service Backbone, Sales, Fulfillment, Billing, Operations, Purchasing, Enterprise management, Marketing
Roles: business sponsor (MT member), operational management, domain manager; working mode
Different Levels of IT Control
• Strategic
• Tactical
• Operational (possible outsourcing)
• Core
Clear governance relationships
Business view: Business processes, Business rules, Domain structure, Functional architecture, Data architecture, Domain services, Governance model
Technology view: Application programs and modules, Databases, Connectivity, Hardware, operating systems, networks, Middleware, database management systems
Columns: Processes, Domains/services, Applications, Technology
Business strategy: Strategic aspiration, Business plan, Value proposition, Going-to-market model
Demand Management
Business IT Demand (CIO/DIO) ↔ IT Supply (IT Service organizations)
• Business: functional requirements, usage, money
• Demand Management (“Broker”): functional characteristics, quality assurance, maintenance documentation
• IT: axioms, portfolio, target architecture
• Purchasing: contract standards, preferred suppliers, legal guidelines
• Supply (organization): operations, software maintenance/supply, infrastructure
• Selection of functionality; Implementation/Control; SLA
Example: Telco adoption of CobiT Framework
In order to provide the information that the organization needs to achieve its objectives, IT resources need to be managed by a set of naturally grouped processes.
COBIT (framework cube):
• Business processes → Information
• Information criteria: effectiveness, efficiency, confidentiality, integrity, availability, compliance, reliability
• IT resources: data, application systems, technology, facilities, people
• Domains: Planning and Organisation; Acquisition and Implementation; Delivery and Support; Monitoring
• Business alignment: supply / demand
Gartner Advisory on CobiT and ITIL
• ITIL: Activities (HOW)
• BS7799: Security
• CobiT: Control (WHAT)
Ref: itgi.org
Example IT Control Framework
1. Manage Changes
2. Manage IT-configurations
3. Manage IT incidents and problems
4. Manage Security
5. Manage Service levels
6. Manage Business Continuity
7. Manage IT Costs
8. Manage Business Information Planning
9. Manage Releases (Project Management)
10. Manage IT Sourcing