
Page 1: 2/20/2016

Leveraging IT Governance and COBIT

Chip Council, PhD, CGEIT, CISM, CISA
Matt Schmidt, MS, CISSP, CISA
Adjunct Professors, University of Minnesota

Page 2

Agenda

• Introduction – 2:40 – 3:00
• IT Governance – 3:00 – 3:45
  • The Problem
  • What Is IT Governance
  • How to Evaluate It
  • How to Deploy It
• Frameworks – 3:45 – 4:20
  • COBIT/ValIT (Chip)
  • ISO 2700x/ITIL (Matt)
• Future Directions – 4:20 – 4:30
  • ISO/IEC DIS 29382 (Chip)

Page 3

The Problem – Current IT Issues

• IT Strategy Not Aligned With the Business
• Staffing Issues
• High IT Cost – Low ROI
• Service Delivery Problems

Page 4

What Is IT Governance?

"Specifying the decision rights and accountability framework to encourage desirable behavior in the use of IT."

- Peter Weill and Jeanne W. Ross, IT Governance: How Top Performers Manage IT Decision Rights for Superior Results (2004)

Page 5

Another Definition

"IT governance is the responsibility of the board of directors and consists of the leadership, organizational structures and processes that ensure that the enterprise’s IT sustains and extends the organization’s strategies and objectives."

- IT Governance Institute

Page 6

IT Governance Focus

• Risk Management
• Value Delivery
• Strategic Alignment
• Resource Management
• Performance Measurement

- IT Governance Institute

Page 7

How to Evaluate It? Weill and Ross

Survey to quickly assess the effectiveness of an enterprise’s IT governance.

Recommended to have at least 10 senior managers take the survey.

Four Objectives To Assess

• Cost-effective use of IT
• Effective use of IT for asset utilization
• Effective use of IT for growth
• Effective use of IT for business flexibility

Page 8

How to Evaluate It? Question 1 – Outcomes

How important are the following outcomes of your IT governance, on a scale from 1 (Not Important) to 5 (Very Important)?

Page 9

How to Evaluate It? Question 2 – Success

What is the influence of the IT governance in your business on the following measures of success, on a scale from 1 (Not Successful) to 5 (Very Successful)?

Page 10

How to Evaluate It? Calculating Governance Performance

Not all firms rank the outcomes with the same importance, so the answers to the first question (importance) are used to weight the answers to the second question (influence).

Page 11

How to Deploy It?

• Ad Hoc Approach
• Use a Standard or Framework
• A Combination of the Two

IMPORTANT: Any standard approach must be customized to meet the needs of the organization (Don’t be that guy or gal!)

Page 12

Benefits of the Standard Approach

1. The Wheel Exists
2. Structured
3. Best Practices
4. Knowledge Sharing
5. Auditable

- George Spafford

Page 13

COBIT

Page 14

COBIT Information Criteria

• Efficiency
• Effectiveness
• Availability
• Integrity
• Confidentiality
• Compliance
• Reliability

Page 15

COBIT Framework

Page 16

Tools

• COBIT 4.1 Control Objectives
• COBIT 4.1 Assurance Guide
• COBIT Implementation Guide
• Worksheets
  • Sample Reports
  • Management Concerns Diagnostics
  • Risk Assessments

Page 17

ISO 2700x/ITIL

ISO/IEC 17799/27002 – Code of Practice for Information Security Management
• Twelve main sections with specialized recommendations for risk assessment, security policy, governance, compliance, etc.
• Based heavily on C-I-A Triad Principles

ITIL (IT Infrastructure Library)
• IT Operations and Service Delivery Best Practices
• Security recommendations based heavily on ISO/IEC 17799/27002

Page 18

Leveraging Multiple Frameworks

• The typical driver for implementing multiple frameworks is regulatory compliance; however, that does not have to be the driver.
• One size does not fit all.
• Consider available mapping guidance to address overlap.

Underlying Themes

• Understand your environment
• Understand risks to your environment
• Manage the risks to an acceptable level (acceptable level

Page 19

ISO/IEC 29382 Corporate Governance of Information Technology Standard

The ISO/IEC 29382 Corporate Governance of Information Technology Standard is an updated version of the Australian Standard AS8015, published in 2005. This standard expresses six principles for good governance of IT use:

• Responsibility
• Strategy
• Acquisition
• Performance
• Conformance
• Human Behavior

• It is intended to guide the behavior of the organization.
• Provides a lens or framework through which the behavior can be evaluated.
• Describes the tasks that must be implemented in the governance system – at a much higher level than one finds in frameworks like ITIL and COBIT.
• Makes no reference to frameworks such as ITIL and COBIT but complements many of them.
• It specifically acknowledges that organizations should select appropriate frameworks.

- Mark Toomey, Managing Director, Infonomics Pty Ltd, Melbourne, Australia

Page 20

Acknowledgements

- Bob Frelinger, CISA, CSSGB – Common Issues in Implementing IT Governance and How to Resolve Them (Presentation)
- Peter Weill and Jeanne W. Ross – IT Governance: How Top Performers Manage IT Decision Rights for Superior Results (2004) (Book)
- IT Governance Institute – COBIT 4.1 Framework (2007)
- George Spafford – The Benefits of Standard IT Governance Frameworks, Datamation (2003)
- Mark Toomey – Managing Director, Infonomics Pty Ltd

Page 21

Discussion