isaca presentation 10-9-08 submitted

Upload: honey-kumar

Post on 06-Apr-2018


TRANSCRIPT

  • 8/3/2019 ISACA Presentation 10-9-08 Submitted

    Introduction to COBIT

    Presentation for the ISACA Kansas City Chapter

    10/12/2008 ISACA Kansas City Chapter Presentation

  • Agenda

    • Introduction
    • IT Challenges
    • Governance Overview
    • The COBIT Framework
    • COBIT Mappings to Various Frameworks
    • Closing


  • Introduction

    Purpose of Presentation

    This presentation was developed for the ISACA Kansas City chapter for educational and discussion purposes only. It is our intent today to:

    • Provide a high-level overview of the COBIT framework for the ISACA Kansas City chapter
    • Provide an overview of basic principles of governance that support the framework
    • Describe the high-level Val IT framework
    • Illustrate how COBIT maps to other popular frameworks

  • Introduction

    Today's Speakers

    Mark Thomas

    With over 18 years of professional experience, Mark's background spans leadership roles from IT Director to Management and IT Consulting. Mark has led large teams in outsourced IT arrangements, conducted PMO, Service Management and governance activities for major project teams, managed enterprise applications implementations, and implemented governance processes across multiple industries.

    Mark has a wide array of industry experience with Big Five type consulting in the health care, manufacturing and distribution, services, high technology, and government verticals. As the president of Escoute Consulting, Mark has forged a reputable competency as a consultative trainer and speaker in the governance space including ITIL and COBIT.

    David Upsdell

    David Upsdell's career in the IT Services industry is rich and varied. He has developed application software, managed the IS function at various companies, consulted in information systems to client companies and managed a portfolio of IT projects.

    His industry experience includes high technology, dot-com startups, publishing, telecommunications and financial services. In the past year, David designed and implemented an Information Security Program for a financial services company in metropolitan Kansas City.

    David earned his BS in Information Systems and postgraduate Diploma in Business and has since been certified CGEIT, CISM and PMP. He has traveled to 49 of the 50 states of the USA, Europe, UK, Australia, New Zealand and Asia and has actually lived in several of them.


  • IT Challenges

    Classic IT Challenges

    1. Keeping IT Running
    2. Costs
    3. Value
    4. Mastering Complexity
    5. Aligning IT with Business
    6. Regulatory Compliance
    7. Security
    8. Staffing (HR, Skills, Retention)
    9. Resources

    From itgi.org

  • IT Challenges

    1. Keeping IT Running

    Risks:
    • Mission-critical processes can be adversely impacted
    • Productivity loss
    • Lost business, customers, revenue, profits
    • Reputational risk

    Control Objective: Assure Continuity and Quality of IT services

    From itgi.org

  • IT Challenges

    2. Costs

    Risks:
    • Excessive spend on IT. Gartner Group estimates that organizations waste US $600 billion a year on ill-conceived IT projects and that includes only "sunk" cost, not unrealized value. (Gartner, The Elusive Business Value of IT, August 2002)
    • Lack of understanding of IT costs
    • Increasing complexity of IT assets/services
    • Mismatch of IT spending by IT Dept & Business units
    • Resource skills lacking or non-aligned

    Control Objective: Manage costs and vendors as carefully as possible

    From itgi.org

  • IT Challenges

    3. Value

    Risks:
    • Cost of IT investments outweigh the benefits
    • Expected outcomes of IT investments
    • Users' expectations not met
    • Impaired business performance

    Control Objective: Identify right IT investments, execute with excellence

    From itgi.org

  • IT Challenges

    4. Mastering Complexity

    Risks:
    • Not maintaining technical competencies
    • Integration of new systems/business units
    • Lack of standardization
    • Not adaptable to change
    • Not taking advantage of technology improvements
    • Not managing vendors & service providers

    Control Objective: Organize & manage IT to be adaptable & flexible

    From itgi.org

  • IT Challenges

    5. Aligning IT With Business

    Risks:
    • Poorly defined business requirements and/or business drivers
    • Prioritization mismatch between IT & business
    • Increasing complexity beyond ability to manage
    • Lack of Business Unit sponsorship
    • Communication gaps between business & IT

    Control Objective: Ensure IT links with the business to deliver value

    From itgi.org

  • IT Challenges

    6. Regulatory Compliance

    Risks:
    • Ability to do business at all! Cease & desist!
    • Penalty Costs
    • Reputational risk

    Control Objective: Ensure compliance with all relevant regulations and contracts

    From itgi.org

  • IT Challenges

    7. Security

    Risks:
    • Exposure/corruption of information
    • Take down systems and applications
    • Loss of IP and business intelligence
    • Abuse/misuse of information
    • Ability to do business

    Control Objective: Ensure IT security is sufficient to reduce risk to an acceptable level

    From itgi.org

  • IT Challenges

    8. Staffing

    Risks:
    • Insufficient coverage can expose the business to poor performance in all other areas
    • Not adaptable to change
    • Attracting, retaining and maintaining required skills
    • Skills not adequate to grow new business demands
    • Ability to do business

    Control Objective: Ensure IT staffing is skilled and adequate in cover

    From itgi.org

  • IT Challenges

    9. Resources

    Risks:
    • Adverse performance in all previous challenges
    • Ability to do business

    Objective: Ensure IT resources are sufficient

    From itgi.org

  • IT Challenges

    Best Practices for IS

    Key component processes performed by all IS organizations (Dr Colin Boswell, DECUS conference 1993)

    From Dr. Colin Boswell

  • IT Challenges

    Provision of User Services

    • Service Level monitoring
    • User satisfaction surveys
    • Training
    • Documentation
    • Help Desk

    From Dr. Colin Boswell

  • IT Challenges

    Strategy and Planning

    • Management commitment
    • IS Strategic Plan
    • Audit and review
    • International standards
    • Reporting procedures

    From Dr. Colin Boswell

  • IT Challenges

    Service Level Management

    • Service level agreements
    • Agreeing service levels
    • Performance monitoring and reporting
    • External service providers

    From Dr. Colin Boswell

  • IT Challenges

    Service Availability and Security

    • Computer operations
    • Network operations
    • Capacity planning and management
    • Software availability
    • Hardware availability and maintenance
    • Environmental services
    • Risk management and disaster recovery planning
    • Security

    From Dr. Colin Boswell

  • IT Challenges

    Cost Management

    • The cost of service provision
    • Cost reporting
    • Cost justification
    • Procurement
    • Third-party service providers

    From Dr. Colin Boswell

  • IT Challenges

    Human Resources

    • Human resources issues
    • Contract vs. permanent staff

    From Dr. Colin Boswell

  • IT Challenges

    Systems Development and Acquisitions

    • The project approach to systems development or acquisitions
    • Systems development
    • System acquisition
    • User control
    • Audit requirements and security
    • Cost justification
    • Quality and standards
    • User-developed PC systems

    From Dr. Colin Boswell

  • IT Challenges

    Testing and Implementation

    • Testing
    • Implementation
    • Documentation
    • Training
    • User acceptance and sign-off
    • Post-implementation review

    From Dr. Colin Boswell

  • IT Challenges

    Project Management

    • Project ownership
    • Project scope
    • Project planning
    • Project monitoring, control and reporting
    • User involvement

    From Dr. Colin Boswell

  • IT Challenges

    Problem Management

    • Problem management procedures
    • Help Desk

    From Dr. Colin Boswell

  • IT Challenges

    Change Management

    • Coordination
    • Priority and urgency
    • Span of authority

    From Dr. Colin Boswell


  • Governance Overview

    Enterprise Governance

    Enterprise Governance is a set of responsibilities and practices exercised by the board and the executive management.

    • Strategic direction to the organization
    • Achieving objectives
    • Managing risks
    • Responsible use of resources
    • Balancing performance and conformance

    Reference: IT Governance Institute, COBIT 4.1

    Investors, too, realize the importance of governance because they are willing to pay more than 20 percent premium for enterprises shown to have good governance practices in place. (McKinsey Investors Opinion Survey, June 2000)

  • Governance Overview

    IT Governance

    IT Governance is the responsibility of executives and the board of directors, and consists of the leadership, organizational structures and processes that ensure that enterprise IT sustains the organization's strategies and objectives.

    Reference: IT Governance Institute, COBIT 4.1

    • Integrate and institutionalize good practices
    • Take full advantage of information
    • Satisfy quality, fiduciary and security requirements
    • Optimize resources
    • Balance risk versus return

    Only 38% of executives/senior management can describe their organization's IT Governance process. In most cases, IT Governance has not been designed; it has just developed piecemeal in response to specific issues. (Peter Weill and Jeannie W. Ross, IT Governance)

  • Governance Overview

    Why IT Governance

    • Effective IT Governance is the single most important predictor of the value an organization generates from IT
    • Firms with focused strategies and above-average IT Governance had more than 20% higher profits than other firms following the same strategies

    Peter Weill and Jeannie W. Ross, IT Governance

  • Governance Overview

    Why IT Governance

    • 85% of organizations demand business cases for change projects
    • Only 40% of approved projects have valid (realistic) benefit statements
    • Less than 10% of organizations ensure benefits are realized post-project
    • Less than 5% of organizations hold project stakeholders responsible for benefit attainment

    Meta Group, July 2004

  • Governance Overview

    IT management vs governance

    IT Management        IT Governance
    Doing IT right       Doing the right IT
    Sponsored by IT      Needs CIO and executive sponsorship

  • Governance Overview

    IT Governance Global Status Report 2008

    In 2007, PricewaterhouseCoopers (PwC) was commissioned by the IT Governance Institute (ITGI) to conduct the third global survey on IT governance. Results published at itgi.org. The following pages communicate the 13 key findings.

    Source: IT Governance Global Status Report 2008

  • Governance Overview

    13 Key Findings

    1. Although championship for IT governance within the enterprise comes from the C-level, in daily practice IT governance is still very much a CIO/IT director issue. The few non-IT people in the sample have a much more positive view of IT than do the IT professionals themselves.
    2. The importance of IT continues to increase.
    3. Self-assessment regarding IT governance has increased and is quite positive.

  • Governance Overview

    13 Key Findings

    4. Communication between IT and users is improving, but slowly.
    5. There is still substantial room for improvement in alignment between IT governance and corporate governance as well as for IT strategy and business strategy.
    6. IT-related problems persist. While security/compliance is an issue, people are the most critical problem.
    7. Good IT governance practices are known and applied, but not universally.

  • Governance Overview

    13 Key Findings

    8. Organizations know who can help them implement IT governance, but appreciation for the available expertise and delivery capability is only average.
    9. Action is being taken or plans are under way to implement IT governance activities. A large increase is evident when compared to the 2006 report.

  • Governance Overview

    13 Key Findings

    10. Organizations use the well-known frameworks and solutions.
    11. COBIT awareness has exceeded 50 percent, and adoption and use remain around 30 percent.
        a) 25 to 35 percent of respondents apply COBIT to the letter or are very strict.
        b) 50% of respondents indicate that COBIT is one of the reference sources.
        c) In general, there is high appreciation of COBIT, as has been seen in prior reports.

  • Governance Overview

    13 Key Findings

    12. More than half of the respondents apply or plan to apply Val IT principles, but are not familiar with the Val IT brand itself.
    13. Major obstacles to adoption and use of Val IT principles include uncertainty regarding the return on investment (ROI) and lack of knowledge/expertise.

  • Governance Overview

    Principles of IT Governance

    IT Governance involves structures and processes that direct organizations towards achieving objectives. There are four essential principles:

    • Direct and Control
    • Responsibility
    • Accountability
    • Activities

    Reference: IT Governance Institute, COBIT 4.1

  • Governance Overview

    IT Governance Focus Areas

    IT Governance is grouped into the following five focus areas: Strategic Alignment, Value Delivery, Risk Management, Resource Management, and Performance Measurement.

    • Linking business and IT Plans
    • Executing the value proposition
    • Optimal investment and proper management
    • Risk awareness and appetite
    • Track and monitor

    Reference: IT Governance Institute, COBIT 4.1


  • The COBIT Framework

    The Need for a Control Framework

    A control framework for IT Governance defines the reasons IT Governance is needed, the stakeholders and what it needs to accomplish.

    Reference: IT Governance Institute, COBIT 4.1

  • The COBIT Framework

    Definition and Mission

    COBIT stands for Control Objectives for Information and Related Technology.

    • Developed by the IT Governance Institute (ITGI).
    • ISACA is a standard-setting body in the areas of information governance, control, and security for professionals.

    COBIT Mission: To research, develop, publicize and promote an authoritative, up-to-date, internationally accepted IT governance control framework for adoption by enterprises and day-to-day use by business managers, IT professionals and assurance professionals.

    COBIT's success as an increasingly internationally accepted set of guidance materials for IT governance has resulted in the creation of a growing family of publications and products designed to assist in the implementation of effective IT governance throughout an enterprise.

    Reference: IT Governance Institute, COBIT 4.1

  • The COBIT Framework

    Characteristics of a Control Framework

    COBIT focuses on improving IT governance in organizations and provides a framework to manage and control IT activities and supports five requirements for a control framework.

    • Sharper Business Focus: COBIT is driven by business needs
    • Common Language: A generic model suitable for any size organization
    • Regulatory Requirements: A sound framework for ensuring IT compliance
    • Generally Accepted: A reliable and useful source based on best practices
    • Process Orientation: A standardized process model, objectives, and tools

    Reference: IT Governance Institute, COBIT 4.1

  • The COBIT Framework

    Relationships

    Organizations will consider and use a variety of IT models, standards and best practices. These must be understood in order to consider how they can be used together, with COBIT acting as the consolidator (umbrella).

    [Figure: COBIT, ISO 9000, ISO 17799, ITIL and COSO plotted against WHAT/HOW and SCOPE OF COVERAGE]

  • The COBIT Framework

    Introduction

    Control Objectives for Information and Related Technology (COBIT) helps organizations bridge critical gaps that are often assumed satisfied within an enterprise framework.

    • Originates from business requirements
    • Process-oriented
    • Identifies IT resources
    • Defines management control objectives
    • Incorporates major international standards
    • De facto standard for control over IT

    Reference: IT Governance Institute, COBIT 4.1

  • The COBIT Framework

    General Acceptability

    To achieve alignment, it can be used as a starting point for tailoring specific procedures. COBIT appeals to different users:

    • Executive Management: Obtain value from IT investments and balance risk and control investment
    • Business Management: Obtain assurance on the management and control of IT services
    • IT Management: Provide the IT services that the business requires to support strategy in a controlled manner
    • Auditors: Substantiate opinions and provide advice to management on internal controls

    Reference: IT Governance Institute, COBIT 4.1

  • The COBIT Framework

    Additional Standards

    Potential users of the COBIT content can leverage the framework in coordination with other standards to include:

    • COSO
    • ITIL for service delivery
    • CMM for solution delivery
    • ISO for information security
    • PMBOK or PRINCE2 for project management

    Reference: IT Governance Institute, COBIT 4.1

  • The COBIT Framework

    Evolution

    [Figure: timeline with axis ticks 1996, 1998, 2000, 2002, 2004, 2006, 2008 showing COBIT 1 (Audit), COBIT 2 (Control), COBIT 3 (Management), COBIT 4 (Governance) and COBIT 4.1]

    Reference: IT Governance Institute, COBIT 4.1

  • The COBIT Framework

    Aligning with the Business

    COBIT framework helps IT deliver the information that an enterprise requires by helping align IT with the business.

    [Figure: COBIT cycle. Business Requirements drive the investment in IT Resources, that are used by IT Processes, to deliver Enterprise Information, which responds to Business Requirements.]

    Reference: IT Governance Institute, COBIT 4.1

  • The COBIT Framework

    The COBIT Cube

    The COBIT framework has three key components that assist organizations organize processes and deliver the information that the business needs to achieve its objectives. This is illustrated in the following COBIT Cube.

    [Figure: COBIT Cube with labels BUSINESS REQUIREMENTS; IT PROCESSES (Domains, Processes, Activities); Applications, Information, Infrastructure, People]

    Reference: IT Governance Institute, COBIT 4.1

  • The COBIT Framework

    Mapping Goals and Processes

    [Figure: Business Goals, IT Goals and IT Processes, with labels Business Requirements, Governance Requirements, Information Services and Information Criteria]

    • IT Goals mapped directly to business goals
    • Use the Balanced Scorecard as a guide
    • Leverage information criteria
    • 34 processes in the COBIT Framework
    • These processes deliver and run information and applications, and need infrastructure and people

    Reference: IT Governance Institute, COBIT 4.1

  • The COBIT Framework

    Essentials

    [Figure: COBIT domain model with labels BUSINESS OBJECTIVES AND GOVERNANCE OBJECTIVES; INFORMATION; IT RESOURCES; PLAN AND ORGANIZE; ACQUIRE AND IMPLEMENT; DELIVER AND SUPPORT; MONITOR AND EVALUATE]

    This is the classic model of the COBIT framework, showing the domain model supported by IT resources, driven by business and governance objectives, and based on information criteria.

    • 4 Domains, 34 processes
    • 7 information criteria
    • 4 IT resources

    Reference: IT Governance Institute, COBIT 4.1

  • The COBIT Framework

    IT Resources

    [Figure: COBIT domain model]

    IT Resources are managed by IT processes to provide the information that the organization needs to achieve its objectives. There are four elements of IT Resources:

    • Applications
    • Information
    • Infrastructure
    • People

    Reference: IT Governance Institute, COBIT 4.1

  • The COBIT Framework

    Domains: PO

    [Figure: COBIT domain model]

    The Plan and Organize Domain (PO) covers strategy and tactics associated with the way IT contributes to business goal objectives. It provides direction to the AI and DS domains with ten processes.

    PO 1 Define a strategic IT plan.
    PO 2 Define the Information architecture.
    PO 3 Determine technological direction.
    PO 4 Define the IT Processes, organization, and relationships.
    PO 5 Manage the IT investment.
    PO 6 Communicate management aims and direction.
    PO 7 Manage IT human resources.
    PO 8 Manage quality.
    PO 9 Assess and manage IT risks.
    PO 10 Manage projects.

    Reference: IT Governance Institute, COBIT 4.1

  • The COBIT Framework

    Domains: AI

    [Figure: COBIT domain model]

    Acquire and Implement Domain (AI) realizes the IT strategy and solutions and integrates them. It provides the solutions and transitions and passes them to be turned into services using seven processes.

    AI 1 Identify automated solutions.
    AI 2 Acquire and maintain application software.
    AI 3 Acquire and maintain technology infrastructure.
    AI 4 Enable operation and use.
    AI 5 Procure IT resources.
    AI 6 Manage Changes.
    AI 7 Install and accredit solutions and change.

    Reference: IT Governance Institute, COBIT 4.1

  • 8/3/2019 ISACA Presentation 10-9-08 Submitted

    60/84

    The COBIT Framework

    Domains: DS

    [Figure: the four COBIT domains (Plan and Organize, Acquire and Implement, Deliver and Support, Monitor and Evaluate) with Information and IT Resources]

    Deliver and Support (DS) is concerned with the actual delivery of services, as well as the management of security, continuity, data, service support, and operational facilities.

    DS 1 Define and manage service levels.
    DS 2 Manage 3rd party services.
    DS 3 Manage performance and capacity.
    DS 4 Ensure continuous service.
    DS 5 Ensure systems security.
    DS 6 Identify and allocate costs.
    DS 7 Educate and train users.
    DS 8 Manage the service desk and incidents.
    DS 9 Manage the configuration.
    DS 10 Manage problems.
    DS 11 Manage data.
    DS 12 Manage the physical environment.
    DS 13 Manage operations.

    Reference: IT Governance Institute, COBIT 4.1

    The COBIT Framework

  • 8/3/2019 ISACA Presentation 10-9-08 Submitted

    61/84

    The COBIT Framework

    Domains: ME

    [Figure: the four COBIT domains (Plan and Organize, Acquire and Implement, Deliver and Support, Monitor and Evaluate) with Information and IT Resources]

    Monitor and Evaluate (ME) combines performance management, monitoring of internal control, regulatory compliance and governance.

    ME 1 Monitor and evaluate IT performance.
    ME 2 Monitor and evaluate internal control.
    ME 3 Ensure regulatory compliance.
    ME 4 Provide IT governance.

    Reference: IT Governance Institute, COBIT 4.1

    The COBIT Framework

  • 8/3/2019 ISACA Presentation 10-9-08 Submitted

    62/84

    The COBIT Framework

    Domains and Processes

    PLAN AND ORGANIZE

    PO 1 Define a strategic IT plan.
    PO 2 Define the information architecture.
    PO 3 Determine technological direction.
    PO 4 Define the IT processes, organization, and relationships.
    PO 5 Manage the IT investment.
    PO 6 Communicate management aims and direction.
    PO 7 Manage IT human resources.
    PO 8 Manage quality.
    PO 9 Assess and manage IT risks.
    PO 10 Manage projects.

    ACQUIRE AND IMPLEMENT

    AI 1 Identify automated solutions.
    AI 2 Acquire and maintain application software.
    AI 3 Acquire and maintain technology infrastructure.
    AI 4 Enable operation and use.
    AI 5 Procure IT resources.
    AI 6 Manage changes.
    AI 7 Install and accredit solutions and change.

    MONITOR AND EVALUATE

    ME 1 Monitor and evaluate IT performance.
    ME 2 Monitor and evaluate internal control.
    ME 3 Ensure regulatory compliance.
    ME 4 Provide IT governance.

    DELIVER AND SUPPORT

    DS 1 Define and manage service levels.
    DS 2 Manage 3rd party services.
    DS 3 Manage performance and capacity.
    DS 4 Ensure continuous service.
    DS 5 Ensure systems security.
    DS 6 Identify and allocate costs.
    DS 7 Educate and train users.
    DS 8 Manage the service desk and incidents.
    DS 9 Manage the configuration.
    DS 10 Manage problems.
    DS 11 Manage data.
    DS 12 Manage the physical environment.
    DS 13 Manage operations.

    Reference: IT Governance Institute, COBIT 4.1

    The COBIT Framework

  • 8/3/2019 ISACA Presentation 10-9-08 Submitted

    63/84

    The COBIT Framework

    Control Requirements

    In addition to the detailed control objectives, each process in the COBIT Framework has six generic control requirements.

    PC1 Process Owner: Owner assigned for each process. Clear responsibility.
    PC2 Repeatability: Each process defined so that it is repeatable.
    PC3 Goals & Objectives: Each process has clear goals and objectives to ensure repeatability.
    PC4 Roles & Responsibilities: No ambiguous roles, activities and responsibilities, to ensure efficient execution.
    PC5 Process Performance: Each process is measured against its goals.
    PC6 Policy, Plans & Procedures: Document, review, update, and approve all communications to involved parties.

    Reference: IT Governance Institute, COBIT 4.1

    The COBIT Framework

  • 8/3/2019 ISACA Presentation 10-9-08 Submitted

    64/84

    The COBIT Framework

    Management Guidelines

    For each process in COBIT, Management guidelines provide tools to measure and compare capabilities.

    Toolkits and techniques
    Dashboards, scorecards, benchmarking
    Goals and metrics
    Outcome measures and performance indicators
    Balanced Scorecard (Financial, Customer, Internal, Learning/Innovation)
    Resources
    Inputs and outputs
    RACI

    Reference: IT Governance Institute, COBIT 4.1

    The COBIT Framework

  • 8/3/2019 ISACA Presentation 10-9-08 Submitted

    65/84

    The COBIT Framework

    Management Guidelines: Balanced Scorecard

    COBIT suggests using the balanced scorecard approach for providing metrics on IT goal achievement. There are four dimensions to the scorecard that map to goal and performance indicators.

    Financial
    Customer
    Internal Process
    Learning & Innovation

    Reference: IT Governance Institute, COBIT 4.1

    The COBIT Framework

  • 8/3/2019 ISACA Presentation 10-9-08 Submitted

    66/84

    The COBIT Framework

    Management Guidelines: Goals and Metrics

    The business and IT goals used in the goals and metrics section of COBIT, including their relationship, are provided in appendix I of COBIT 4.1. For each IT process in COBIT, the goals and metrics are presented, as noted in the figure below.

    [Figure: Sample Goals and Metrics for PO10, Manage Projects]

    Reference: IT Governance Institute, COBIT 4.1

    The COBIT Framework

  • 8/3/2019 ISACA Presentation 10-9-08 Submitted

    67/84

    The COBIT Framework

    Management Guidelines: Maturity Model

    The Maturity Model can help measure management processes. In the COBIT framework, each process has detailed descriptions of each classification.

    0 Non-Existent
    1 Initial/Ad Hoc
    2 Repeatable but Intuitive
    3 Defined Process
    4 Managed and Measurable
    5 Optimized

    Reference: IT Governance Institute, COBIT 4.1

    The COBIT Framework

  • 8/3/2019 ISACA Presentation 10-9-08 Submitted

    68/84

    The COBIT Framework

    Management Guidelines: RACI

    [Figure: Sample RACI Chart for PO1, Define a Strategic IT Plan]

    Reference: IT Governance Institute, COBIT 4.1

    The COBIT Framework

  • 8/3/2019 ISACA Presentation 10-9-08 Submitted

    69/84

    Control Practices

    IT Control Practices extend the COBIT Framework by providing an additional level of help when addressing control objectives. The 34 IT processes and control objectives define what needs to be done. The control practices provide the detailed how and why that may be needed.

    [Figure: IT Process, Control Objective, Control Practice]

    Reference: IT Governance Institute, COBIT 4.1

    Val IT

  • 8/3/2019 ISACA Presentation 10-9-08 Submitted

    70/84

    Introduction

    The goal of the Val IT initiative, which includes research, publications and supporting services, is to help management ensure that organizations realize optimal value from IT-enabled business investments at an affordable cost with a known and acceptable level of risk. Val IT provides guidelines, processes and supporting practices to assist the board and executive management in understanding and carrying out their roles related to such investments.

    Reference: IT Governance Institute, Val IT Business Case

    Val IT

  • 8/3/2019 ISACA Presentation 10-9-08 Submitted

    71/84

    Introduction

    Val IT is based on COBIT, focusing on the value delivery dimension that supports processes related to the evaluation and selection of investments and realized benefits of the delivery of those investments.

    The Val IT framework is based on the COBIT framework

    For ROI, the Val IT principles are applied to management processes including value governance, portfolio management, and investment management.

    Manage an organization's portfolio of IT-enabled business investments; and

    Maximize the quality of business cases for IT-enabled business investments with emphasis on key financial indicators, the quantification of "soft" benefits and appraisal of the downside risk

    Reference: IT Governance Institute, Val IT 2.0

    Val IT

  • 8/3/2019 ISACA Presentation 10-9-08 Submitted

    72/84

    Publications

    Val IT addresses assumptions, costs, risks and outcomes related to a balanced portfolio of IT-enabled business investments. The series "Enterprise Value: Governance of IT Investments," contains three publications:

    Reference: www.isaca.org

    Val IT

  • 8/3/2019 ISACA Presentation 10-9-08 Submitted

    73/84

    Questions

    The strategic question. Is the investment:
    In line with our vision and consistent with our business principles?
    Contributing to our strategic objectives and providing optimal value, at affordable cost, at an acceptable level of risk?

    The architecture question. Is the investment:
    In line with our architectural principles?
    In line with other initiatives?

    The value question. Do we have:
    A clear and shared understanding of the expected benefits?
    Clear accountability for realizing the benefits?

    The delivery question. Do we have:
    Effective and disciplined management, delivery and change management processes?
    Competent and available resources to deliver the required capabilities?

    [Figure: the four questions. Strategic Question: Are we doing the right things? Value Question: Are we getting the benefits? Architecture Question: Are we doing them the right way? Delivery Question: Are we getting them done well?]

    Reference: IT Governance Institute, Val IT Business Case

    Val IT

  • 8/3/2019 ISACA Presentation 10-9-08 Submitted

    74/84

    Process Framework

    Value Governance (VG)

    Establish informed and committed leadership
    Define and implement processes
    Define portfolio characteristics
    Align and integrate value management with enterprise financial planning
    Establish effective governance monitoring
    Continuously improve value management practices

    Portfolio Management (PM)

    Establish strategic direction and target investment mix
    Determine the availability and sources of funds
    Manage the availability of human resources
    Evaluate and select programs to fund
    Monitor and report on investment portfolio performance
    Optimize investment portfolio performance

    Investment Management (IM)

    Develop and evaluate the initial program business case
    Understand the candidate program and implementation options
    Develop the program plan
    Develop full life-cycle costs and benefits
    Develop the detailed candidate program business case
    Launch and manage the program
    Update operational IT portfolios
    Update the business case
    Monitor and report on the program
    Retire the program

    Reference: IT Governance Institute, Val IT 2.0

  • 8/3/2019 ISACA Presentation 10-9-08 Submitted

    75/84

    Introduction

    IT Challenges

    Governance

    The COBIT Framework

    COBIT Mappings to Various Frameworks

    Closing

    Governance Overview

  • 8/3/2019 ISACA Presentation 10-9-08 Submitted

    76/84

    Execution of IT projects

    From itgi.org

    Governance Overview

  • 8/3/2019 ISACA Presentation 10-9-08 Submitted

    77/84

    Execution of IT projects

    From itgi.org

    COBIT Mappings to Various Frameworks

  • 8/3/2019 ISACA Presentation 10-9-08 Submitted

    78/84

    PMBOK processes cycle

    From pmi.org

    COBIT Mappings to Various Frameworks

  • 8/3/2019 ISACA Presentation 10-9-08 Submitted

    79/84

    PMBOK

    From itgi.org

    COBIT Mappings to Various Frameworks

  • 8/3/2019 ISACA Presentation 10-9-08 Submitted

    80/84

    Project Management Processes

    Example 12.1

    From pmi.org

    CobiT Processes

  • 8/3/2019 ISACA Presentation 10-9-08 Submitted

    81/84

    CobiT Processes

    DS2 Example

    From itgi.org

    COBIT Mappings to Various Frameworks

  • 8/3/2019 ISACA Presentation 10-9-08 Submitted

    82/84

    Mapping Example

    Note DS2 of CobiT here

    And the PMBOK Procurement Management 12.1 here

    From itgi.org

  • 8/3/2019 ISACA Presentation 10-9-08 Submitted

    83/84

    Introduction

    IT Challenges

    Governance

    The COBIT Framework

    COBIT Mappings to Various Frameworks

    Closing

    Closing

  • 8/3/2019 ISACA Presentation 10-9-08 Submitted

    84/84

    Closing

    Thank you for the opportunity to provide this information for you today.

    We hope you enjoyed the presentation and it met your expectations.