isaca presentation 10-9-08 submitted
TRANSCRIPT
-
8/3/2019 ISACA Presentation 10-9-08 Submitted
1/84
Introduction to COBIT
Presentation for the ISACA Kansas City Chapter
10/12/2008 ISACA Kansas City Chapter Presentation 1
-
Agenda
Introduction
IT Challenges
Governance Overview
The COBIT Framework
COBIT Mappings to Various Frameworks
Closing
-
Introduction
Purpose of Presentation
This presentation was developed for the ISACA Kansas City chapter for educational and discussion purposes only. It is our intent today to:
Provide a high level overview of the COBIT framework for the ISACA Kansas City chapter
Provide an overview of basic principles of governance that support the framework
Describe the high level Val IT framework
Illustrate how COBIT maps to other popular frameworks
-
Introduction
Today's Speakers
Mark Thomas
With over 18 years of professional experience, Mark's background spans leadership roles from IT Director to Management and IT Consulting. Mark has led large teams in outsourced IT arrangements, conducted PMO, Service Management and governance activities for major project teams, managed enterprise applications implementations, and implemented governance processes across multiple industries.
Mark has a wide array of industry experience with Big Five type consulting in the health care, manufacturing and distribution, services, high technology, and government verticals. As the president of Escoute Consulting, Mark has forged a reputable competency as a consultative trainer and speaker in the governance space, including ITIL and COBIT.
David Upsdell
David Upsdell's career in the IT Services industry is rich and varied. He has developed application software, managed the IS function at various companies, consulted in information systems to client companies and managed a portfolio of IT projects.
His industry experience includes high technology, dot com startups, publishing, telecommunications and financial services. In the past year, David designed and implemented an Information Security Program for a financial services company in metropolitan Kansas City.
David earned his BS in Information Systems and postgraduate Diploma in Business and has since been certified CGEIT, CISM and PMP. He has traveled to 49 of the 50 states of the USA, Europe, UK, Australia, New Zealand and Asia and has actually lived in several of them.
-
IT Challenges
Classic IT Challenges
1. Keeping IT Running
2. Costs
3. Value
4. Mastering Complexity
5. Aligning IT with Business
6. Regulatory Compliance
7. Security
8. Staffing (HR, Skills, Retention)
9. Resources
From itgi.org
-
IT Challenges
1. Keeping IT Running
Risks:
Mission critical processes can be adversely impacted
Productivity loss
Lost business, customers, revenue, profits
Reputational risk
Control Objective:
Assure Continuity and Quality of IT services
From itgi.org
-
IT Challenges
2. Costs
Risks:
Excessive spend on IT
Lack of understanding of IT costs
Increasing complexity of IT assets/services
Mismatch of IT spending by IT Dept & Business units
Resource skills lacking or non-aligned
Control Objective:
Manage costs and vendors as carefully as possible
Gartner Group estimates that organizations waste US $600 billion a year on ill-conceived IT projects, and that includes only "sunk" cost, not unrealized value. (Gartner, The Elusive Business Value of IT, August 2002)
From itgi.org
-
IT Challenges
3. Value
Risks:
Cost of IT investments outweigh the benefits
Expected outcomes of IT investments
Users' expectations not met
Impaired business performance
Control Objective:
Identify right IT investments, execute with excellence
From itgi.org
-
IT Challenges
4. Mastering Complexity
Risks:
Not maintaining technical competencies
Integration of new systems/business units
Lack of standardization
Not adaptable to change
Not taking advantage of technology improvements
Not managing vendors & service providers
Control Objective:
Organize & manage IT to be adaptable & flexible
From itgi.org
-
IT Challenges
5. Aligning IT With Business
Risks:
Poorly defined business requirements and/or business drivers
Prioritization mismatch between IT & business
Increasing complexity beyond ability to manage
Lack of Business Unit sponsorship
Communication gaps between business & IT
Control Objective:
Ensure IT links with the business to deliver value
From itgi.org
-
IT Challenges
6. Regulatory Compliance
Risks:
Ability to do business at all!
Cease & desist!
Penalty Costs
Reputational risk
Control Objective:
Ensure compliance with all relevant regulations and contracts
From itgi.org
-
IT Challenges
7. Security
Risks:
Exposure/corruption of information
Take down systems and applications
Loss of IP and business intelligence
Abuse/misuse of information
Ability to do business
Control Objective:
Ensure IT security is sufficient to reduce risk to an acceptable level
From itgi.org
-
IT Challenges
8. Staffing
Risks:
Insufficient coverage can expose the business to poor performance in all other areas
Not adaptable to change
Attracting, retaining and maintaining required skills
Skills not adequate to grow new business demands
Ability to do business
Control Objective:
Ensure IT staffing is skilled and adequate in cover
From itgi.org
-
IT Challenges
9. Resources
Risks:
Adverse performance in all previous challenges
Ability to do business
Objective:
Ensure IT resources are sufficient
From itgi.org
-
IT Challenges
Best Practices for IS
Key component processes performed by all IS organizations (Dr Colin Boswell, DECUS conference 1993)
From Dr. Colin Boswell
-
IT Challenges
Provision of User Services
Service Level monitoring
User satisfaction surveys
Training
Documentation
Help Desk
From Dr. Colin Boswell
-
IT Challenges
Strategy and Planning
Management commitment
IS Strategic Plan
Audit and review
International standards
Reporting procedures
From Dr. Colin Boswell
-
IT Challenges
Service Level Management
Service level agreements
Agreeing service levels
Performance monitoring and reporting
External service providers
From Dr. Colin Boswell
-
IT Challenges
Service Availability and Security
Computer operations
Network operations
Capacity planning and management
Software availability
Hardware availability and maintenance
Environmental services
Risk management and disaster recovery planning
Security
From Dr. Colin Boswell
-
IT Challenges
Cost Management
The cost of service provision
Cost reporting
Cost justification
Procurement
Third party service providers
From Dr. Colin Boswell
-
IT Challenges
Human Resources
Human resources issues
Contract vs. permanent staff
From Dr. Colin Boswell
-
IT Challenges
Systems Development and Acquisitions
The project approach to systems development or acquisitions
Systems development
System acquisition
User control
Audit requirements and security
Cost justification
Quality and standards
User developed PC systems
From Dr. Colin Boswell
-
IT Challenges
Testing and Implementation
Testing
Implementation
Documentation
Training
User acceptance and sign off
Post implementation review
From Dr. Colin Boswell
-
IT Challenges
Project Management
Project ownership
Project scope
Project planning
Project monitoring, control and reporting
User involvement
From Dr. Colin Boswell
-
IT Challenges
Problem Management
Problem management procedures
Help Desk
From Dr. Colin Boswell
-
IT Challenges
Change Management
Coordination
Priority and urgency
Span of authority
From Dr. Colin Boswell
-
Governance Overview
Enterprise Governance
Enterprise Governance is a set of responsibilities and practices exercised by the board and the executive management.
Strategic direction to the organization
Achieving objectives
Managing risks
Responsible use of resources
Balancing performance and conformance
Investors, too, realize the importance of governance because they are willing to pay more than 20 percent premium for enterprises shown to have good governance practices in place. (McKinsey Investors Opinion Survey, June 2000)
Reference: IT Governance Institute, COBIT 4.1
-
Governance Overview
IT Governance
IT Governance is the responsibility of executives and the board of directors, and consists of the leadership, organizational structures and processes that ensure that enterprise IT sustains the organization's strategies and objectives.
Integrate and institutionalize good practices
Take full advantage of information
Satisfy quality, fiduciary and security requirements
Optimize resources
Balance risk versus return
"Only 38% of executives/senior management can describe their organization's IT Governance process. In most cases, IT Governance has not been designed; it has just developed piecemeal in response to specific issues." (Peter Weill and Jeannie W. Ross, IT Governance)
Reference: IT Governance Institute, COBIT 4.1
-
Governance Overview
Why IT Governance
Effective IT Governance is the single most important predictor of the value an organization generates from IT.
Firms with focused strategies and above average IT Governance had more than 20% higher profits than other firms following the same strategies.
(Peter Weill and Jeannie W. Ross, IT Governance)
-
Governance Overview
Why IT Governance
85% of organizations demand business cases for change projects
Only 40% of approved projects have valid (realistic) benefit statements
Less than 10% of organizations ensure benefits are realized post project
Less than 5% of organizations hold project stakeholders responsible for benefit attainment
(Meta Group, July 2004)
-
Governance Overview
IT management vs governance
IT Management      | IT Governance
Doing IT right     | Doing the right IT
Sponsored by IT    | Needs CIO and executive sponsorship
-
Governance Overview
IT Governance Global Status Report 2008
In 2007, PricewaterhouseCoopers (PwC) was commissioned by the IT Governance Institute (ITGI) to conduct the third global survey on IT governance. Results published at itgi.org. The following pages communicate the 13 key findings.
Source: IT Governance Global Status Report 2008
-
Governance Overview
13 Key Findings
1. Although championship for IT governance within the enterprise comes from the C level, in daily practice IT governance is still very much a CIO/IT director issue. The few non-IT people in the sample have a much more positive view of IT than do the IT professionals themselves.
2. The importance of IT continues to increase.
3. Self assessment regarding IT governance has increased and is quite positive.
8/3/2019 ISACA Presentation 10-9-08 Submitted
37/84
GovernanceOverview
13KeyFindings
4. CommunicationbetweenITandusersis
improving,butslowly.
5. ThereisstillsubstantialroomforimprovementinalignmentbetweenITgovernanceand
corporategovernanceaswellasforIT
strategyand
business
strategy.
6. ITrelatedproblemspersist.While
security/complianceisanissue,peoplearethe
mostcriticalproblem.
7. GoodITgovernancepracticesareknownand
applied,but
not
universally.
10/12/2008 37 ISACAKansasCityChapterPresentation
G O i
-
8/3/2019 ISACA Presentation 10-9-08 Submitted
38/84
GovernanceOverview
13KeyFindings
8. Organizationsknowwhocanhelp
themimplementITgovernance,
butappreciation
for
the
available
expertiseanddeliverycapability
isonlyaverage.
9. ActionisbeingtakenorplansareunderwaytoimplementIT
governanceactivities.Alarge
increaseis
evident
when
comparedtothe2006report.
10/12/2008 38ISACAKansasCityChapterPresentation
G O i
-
8/3/2019 ISACA Presentation 10-9-08 Submitted
39/84
GovernanceOverview
13KeyFindings
10. Organizationsusethewellknownframeworksandsolutions.
11. COBITawareness
has
exceeded
50
percent,
and
adoption
anduseremainaround30percent.
a) a.25to35percentofrespondentsapplyCOBITtothe
letteror
are
very
strict.
b) b.50%ofrespondentsindicatethatCOBITisoneofthe
referencesources.
c) c.Ingeneral,thereishighappreciationofCOBIT,ashas
beenseeninpriorreports.
10/12/2008 39ISACAKansasCityChapterPresentation
G O i
-
8/3/2019 ISACA Presentation 10-9-08 Submitted
40/84
GovernanceOverview
13KeyFindings
12. Morethanhalfofthe
respondentsapplyorplanto
applyVal
IT
principles,
but
are
notfamiliarwiththeValIT
branditself.
13. MajorobstaclestoadoptionanduseofValITprinciplesinclude
uncertaintyregardingthereturn
oninvestment
(ROI)
and
lack
of
knowledge/expertise.
10/12/2008 40ISACAKansasCityChapterPresentation
G O i
-
Governance Overview
Principles of IT Governance
IT Governance involves structures and processes that direct organizations towards achieving objectives. There are four essential principles:
Direct and Control
Responsibility
Accountability
Activities
Reference: IT Governance Institute, COBIT 4.1
-
Governance Overview
IT Governance Focus Areas
IT Governance activities are grouped into the following five focus areas: Strategic Alignment, Value Delivery, Risk Management, Resource Management, and Performance Measurement.
Linking business and IT plans
Executing the value proposition
Optimal investment and proper management
Risk awareness and appetite
Track and monitor
Reference: IT Governance Institute, COBIT 4.1
-
The COBIT Framework
The Need for a Control Framework
A control framework for IT Governance defines the reasons IT Governance is needed, the stakeholders and what it needs to accomplish.
Reference: IT Governance Institute, COBIT 4.1
-
The COBIT Framework
Definition and Mission
COBIT stands for Control Objectives for Information and Related Technology. Developed by the IT Governance Institute (ITGI). ISACA is a standard setting body in the areas of information governance, control, and security for professionals.
COBIT Mission: To research, develop, publicize and promote an authoritative, up-to-date, internationally accepted IT governance control framework for adoption by enterprises and day-to-day use by business managers, IT professionals and assurance professionals.
COBIT's success as an increasingly internationally accepted set of guidance materials for IT governance has resulted in the creation of a growing family of publications and products designed to assist in the implementation of effective IT governance throughout an enterprise.
Reference: IT Governance Institute, COBIT 4.1
-
The COBIT Framework
Characteristics of a Control Framework
COBIT focuses on improving IT governance in organizations and provides a framework to manage and control IT activities, and supports five requirements for a control framework:
Sharper Business Focus: COBIT is driven by business needs
Common Language: A generic model suitable for any size organization
Regulatory Requirements: A sound framework for ensuring IT compliance
Generally Accepted: A reliable and useful source based on best practices
Process Orientation: A standardized process model, objectives, and tools
Reference: IT Governance Institute, COBIT 4.1
-
The COBIT Framework
Relationships
Organizations will consider and use a variety of IT models, standards and best practices. These must be understood in order to consider how they can be used together, with COBIT acting as the consolidator (umbrella).
(Figure: COBIT as an umbrella over ISO 9000, ISO 17799, ITIL and COSO, plotted on axes of WHAT vs HOW and SCOPE OF COVERAGE)
-
The COBIT Framework
Introduction
Control Objectives for Information and Related Technology (COBIT) helps organizations bridge critical gaps that are often assumed satisfied within an enterprise framework.
Originates from business requirements
Process oriented
Identifies IT resources
Defines management control objectives
Incorporates major international standards
De facto standard for control over IT
Reference: IT Governance Institute, COBIT 4.1
-
The COBIT Framework
General Acceptability
To achieve alignment, it can be used as a starting point for tailoring specific procedures. COBIT appeals to different users:
Executive Management: Obtain value from IT investments and balance risk and control investment
Business Management: Obtain assurance on the management and control of IT services
IT Management: Provide the IT services that the business requires to support strategy in a controlled manner
Auditors: Substantiate opinions and provide advice to management on internal controls
Reference: IT Governance Institute, COBIT 4.1
-
The COBIT Framework
Additional Standards
Potential users of the COBIT content can leverage the framework in coordination with other standards, to include:
COSO
ITIL for service delivery
CMM for solution delivery
ISO for information security
PMBOK or PRINCE2 for project management
Reference: IT Governance Institute, COBIT 4.1
-
The COBIT Framework
Evolution
(Figure: timeline from 1996 to 2008)
COBIT 1: Audit
COBIT 2: Control
COBIT 3: Management
COBIT 4: Governance
COBIT 4.1
Reference: IT Governance Institute, COBIT 4.1
-
The COBIT Framework
Aligning with the Business
The COBIT framework helps IT deliver the information that an enterprise requires by helping align IT with the business.
(Figure: Business Requirements drive the investment in IT Resources, that are used by IT Processes, to deliver Enterprise Information, which responds to Business Requirements)
Reference: IT Governance Institute, COBIT 4.1
-
The COBIT Framework
The COBIT Cube
The COBIT framework has three key components that assist organizations to organize processes and deliver the information that the business needs to achieve its objectives. This is illustrated in the following COBIT Cube.
(Figure: COBIT Cube with three dimensions: Business Requirements; IT Processes (Domains, Processes, Activities); IT Resources (Applications, Information, Infrastructure, People))
Reference: IT Governance Institute, COBIT 4.1
-
The COBIT Framework
Mapping Goals and Processes
(Figure: Business Goals -> IT Goals -> IT Processes, with Business Requirements, Governance Requirements, Information Services and Information Criteria)
IT Goals mapped directly to business goals
Use the Balanced Scorecard as a guide
Leverage information criteria
34 processes in the COBIT Framework
These processes deliver and run information and applications, and need infrastructure and people
Reference: IT Governance Institute, COBIT 4.1
-
The COBIT Framework
Essentials
This is the classic model of the COBIT framework, showing the domain model supported by IT resources, driven by business and governance objectives, and based on information criteria.
(Figure: Business Objectives and Governance Objectives; Information; IT Resources; the four domains Plan and Organize, Acquire and Implement, Deliver and Support, Monitor and Evaluate)
4 Domains, 34 processes
7 information criteria
4 IT resources
Reference: IT Governance Institute, COBIT 4.1
-
The COBIT Framework
IT Resources
IT Resources are managed by IT processes to provide the information that the organization needs to achieve its objectives. There are four elements of IT Resources:
Applications
Information
Infrastructure
People
Reference: IT Governance Institute, COBIT 4.1
-
The COBIT Framework
Domains: PO
The Plan and Organize Domain (PO) covers strategy and tactics associated with the way IT contributes to business goal objectives. It provides direction to the AI and DS domains with ten processes.
PO 1 Define a strategic IT plan.
PO 2 Define the information architecture.
PO 3 Determine technological direction.
PO 4 Define the IT processes, organization, and relationships.
PO 5 Manage the IT investment.
PO 6 Communicate management aims and direction.
PO 7 Manage IT human resources.
PO 8 Manage quality.
PO 9 Assess and manage IT risks.
PO 10 Manage projects.
Reference: IT Governance Institute, COBIT 4.1
-
The COBIT Framework
Domains: AI
The Acquire and Implement Domain (AI) realizes the IT strategy and solutions and integrates them. It provides the solutions and passes them on to be turned into services, using seven processes.
AI 1 Identify automated solutions.
AI 2 Acquire and maintain application software.
AI 3 Acquire and maintain technology infrastructure.
AI 4 Enable operation and use.
AI 5 Procure IT resources.
AI 6 Manage changes.
AI 7 Install and accredit solutions and change.
Reference: IT Governance Institute, COBIT 4.1
-
The COBIT Framework
Domains: DS
Deliver and Support (DS) is concerned with the actual delivery of services, as well as the management of security, continuity, data, service support, and operational facilities.
DS 1 Define and manage service levels.
DS 2 Manage 3rd party services.
DS 3 Manage performance and capacity.
DS 4 Ensure continuous service.
DS 5 Ensure systems security.
DS 6 Identify and allocate costs.
DS 7 Educate and train users.
DS 8 Manage the service desk and incidents.
DS 9 Manage the configuration.
DS 10 Manage problems.
DS 11 Manage data.
DS 12 Manage the physical environment.
DS 13 Manage operations.
Reference: IT Governance Institute, COBIT 4.1
-
The COBIT Framework
Domains: ME
Monitor and Evaluate (ME) combines performance management, monitoring of internal control, regulatory compliance and governance.
ME 1 Monitor and evaluate IT performance.
ME 2 Monitor and evaluate internal control.
ME 3 Ensure regulatory compliance.
ME 4 Provide IT governance.
Reference: IT Governance Institute, COBIT 4.1
-
The COBIT Framework
Domains and Processes
PLAN AND ORGANIZE
PO 1 Define a strategic IT plan.
PO 2 Define the information architecture.
PO 3 Determine technological direction.
PO 4 Define the IT processes, organization, and relationships.
PO 5 Manage the IT investment.
PO 6 Communicate management aims and direction.
PO 7 Manage IT human resources.
PO 8 Manage quality.
PO 9 Assess and manage IT risks.
PO 10 Manage projects.
ACQUIRE AND IMPLEMENT
AI 1 Identify automated solutions.
AI 2 Acquire and maintain application software.
AI 3 Acquire and maintain technology infrastructure.
AI 4 Enable operation and use.
AI 5 Procure IT resources.
AI 6 Manage changes.
AI 7 Install and accredit solutions and change.
DELIVER AND SUPPORT
DS 1 Define and manage service levels.
DS 2 Manage 3rd party services.
DS 3 Manage performance and capacity.
DS 4 Ensure continuous service.
DS 5 Ensure systems security.
DS 6 Identify and allocate costs.
DS 7 Educate and train users.
DS 8 Manage the service desk and incidents.
DS 9 Manage the configuration.
DS 10 Manage problems.
DS 11 Manage data.
DS 12 Manage the physical environment.
DS 13 Manage operations.
MONITOR AND EVALUATE
ME 1 Monitor and evaluate IT performance.
ME 2 Monitor and evaluate internal control.
ME 3 Ensure regulatory compliance.
ME 4 Provide IT governance.
Reference: IT Governance Institute, COBIT 4.1
-
The COBIT Framework
Control Requirements
In addition to the detailed control objectives, each process in the COBIT Framework has six generic control requirements.
PC1 Process Owner: Owner assigned for each process. Clear responsibility.
PC2 Repeatability: Each process defined so that it is repeatable.
PC3 Goals & Objectives: Each process has clear goals and objectives to ensure repeatability.
PC4 Roles & Responsibilities: No ambiguous roles, activities and responsibilities, to ensure efficient execution.
PC5 Process Performance: Each process is measured against its goals.
PC6 Policy, Plans & Procedures: Document, review, update, and approve all communications to involved parties.
Reference: IT Governance Institute, COBIT 4.1
-
The COBIT Framework
Management Guidelines
For each process in COBIT, Management Guidelines provide tools to measure and compare capabilities.
Toolkits and techniques
Dashboards, scorecards, benchmarking
Goals and metrics
Outcome measures and performance indicators
Balanced Scorecard (Financial, Customer, Internal, Learning/Innovation)
Resources
Inputs and outputs
RACI
Reference: IT Governance Institute, COBIT 4.1
-
The COBIT Framework
Management Guidelines: Balanced Scorecard
COBIT suggests using the balanced scorecard approach for providing metrics on IT goal achievement. There are four dimensions to the scorecard that map to goal and performance indicators:
Financial
Customer
Internal Process
Learning & Innovation
Reference: IT Governance Institute, COBIT 4.1
-
The COBIT Framework
Management Guidelines: Goals and Metrics
The business and IT goals used in the goals and metrics section of COBIT, including their relationship, are provided in appendix I of COBIT 4.1. For each IT process in COBIT, the goals and metrics are presented, as noted in the figure below.
(Figure: Sample Goals and Metrics for PO10, Manage Projects)
Reference: IT Governance Institute, COBIT 4.1
-
The COBIT Framework
Management Guidelines: Maturity Model
The Maturity Model can help measure management processes. In the COBIT framework, each process has detailed descriptions of each classification.
0 Non-Existent
1 Initial/Ad Hoc
2 Repeatable but Intuitive
3 Defined Process
4 Managed and Measurable
5 Optimized
Reference: IT Governance Institute, COBIT 4.1
-
8/3/2019 ISACA Presentation 10-9-08 Submitted
68/84
The CO IT Framework
ManagementGuidelines RACI
10/12/2008 ISACAKansasCityChapterPresentation 68
SampleRACIChartforPO1,DefineaStrategicITPlan
Reference: ITGovernanceInstitute,COBIT4.1
-
Slide 69 of 84
The COBIT Framework
Control Practices
IT Control Practices extend the COBIT Framework by providing an additional level of help when addressing control objectives. The 34 IT processes and control objectives define what needs to be done. The control practices provide the detailed how and why that may be needed.
Figure: IT Process, Control Objective, Control Practice
Reference: IT Governance Institute, COBIT 4.1
-
Slide 70 of 84
Val IT
Introduction
The goal of the Val IT initiative, which includes research, publications and supporting services, is to help management ensure that organizations realize optimal value from IT-enabled business investments at an affordable cost with a known and acceptable level of risk. Val IT provides guidelines, processes and supporting practices to assist the board and executive management in understanding and carrying out their roles related to such investments.
Reference: IT Governance Institute, Val IT Business Case
-
Slide 71 of 84
Val IT
Introduction
Val IT is based on COBIT, focusing on the value delivery dimension that supports processes related to the evaluation and selection of investments and the realized benefits of the delivery of those investments.
The Val IT framework is based on the COBIT framework. For ROI, the Val IT principles are applied to management processes including value governance, portfolio management, and investment management.
Manage an organization's portfolio of IT-enabled business investments; and
Maximize the quality of business cases for IT-enabled business investments, with emphasis on key financial indicators, the quantification of "soft" benefits and appraisal of the downside risk.
Reference: IT Governance Institute, Val IT 2.0
-
Slide 72 of 84
Val IT
Publications
Val IT addresses assumptions, costs, risks and outcomes related to a balanced portfolio of IT-enabled business investments. The series "Enterprise Value: Governance of IT Investments" contains three publications:
Reference: www.isaca.org
-
Slide 73 of 84
Val IT
Questions
The strategic question. Is the investment:
In line with our vision and consistent with our business principles?
Contributing to our strategic objectives and providing optimal value, at affordable cost, at an acceptable level of risk?
The architecture question. Is the investment:
In line with our architectural principles?
In line with other initiatives?
The value question. Do we have:
A clear and shared understanding of the expected benefits?
Clear accountability for realizing the benefits?
The delivery question. Do we have:
Effective and disciplined management, delivery and change management processes?
Competent and available resources to deliver the required capabilities?
Figure: the four questions paired with their "Are we" form. Strategic Question: Are we doing the right things? Value Question: Are we getting the benefits? Architecture Question: Are we doing them the right way? Delivery Question: Are we getting them done well?
Reference: IT Governance Institute, Val IT Business Case
-
Slide 74 of 84
Val IT
Process Framework
Value Governance (VG)
Establish informed and committed leadership
Define and implement processes
Define portfolio characteristics
Align and integrate value management with enterprise financial planning
Establish effective governance monitoring
Continuously improve value management practices
Portfolio Management (PM)
Establish strategic direction and target investment mix
Determine the availability and sources of funds
Manage the availability of human resources
Evaluate and select programs to fund
Monitor and report on investment portfolio performance
Optimize investment portfolio performance
Investment Management (IM)
Develop and evaluate the initial program business case
Understand the candidate program and implementation options
Develop the program plan
Develop full life-cycle costs and benefits
Develop the detailed candidate program business case
Launch and manage the program
Update operational IT portfolios
Update the business case
Monitor and report on the program
Retire the program
Reference: IT Governance Institute, Val IT 2.0
-
Slide 75 of 84
Introduction
IT Challenges
Governance
The COBIT Framework
COBIT Mappings to Various Frameworks
Closing
-
Slide 76 of 84
Governance Overview
Execution of IT Projects
From itgi.org
-
Slide 77 of 84
Governance Overview
Execution of IT Projects
From itgi.org
-
Slide 78 of 84
COBIT Mappings to Various Frameworks
PMBOK Processes Cycle
From pmi.org
-
Slide 79 of 84
COBIT Mappings to Various Frameworks
PMBOK
From itgi.org
-
Slide 80 of 84
COBIT Mappings to Various Frameworks
Project Management Processes
Example 12.1
From pmi.org
-
Slide 81 of 84
CobiT Processes
DS2 Example
From itgi.org
-
Slide 82 of 84
COBIT Mappings to Various Frameworks
Mapping Example
Note DS2 of CobiT here
And the PMBOK Procurement Management 12.1 here
From itgi.org
-
Slide 83 of 84
Introduction
IT Challenges
Governance
The COBIT Framework
COBIT Mappings to Various Frameworks
Closing
-
Slide 84 of 84
Closing
Thank you for the opportunity to provide this information for you today. We hope you enjoyed the presentation and it met your expectations.