IT Governance: COBIT, ISO17799 & ITIL

Upload: allyson-lloyd, posted 16-Jan-2016

Page 1: IT Governance: COBIT, ISO17799 & ITIL

Page 2: Introduction

COBIT

ITIL

ISO17799

Others

Page 3: Introduction

(Diagram: IT governance balances effectiveness and efficiency against the needs of internal and external stakeholders.)

Page 4: Introduction

IT governance:

• Effective

• Meets management’s requirements

• Risks managed

• Controlled

• Provides value for money

Page 5: Introduction

“We are fast approaching the stage of IT evolution at which innovation must translate into overall process improvements, as it did in the mainframe world of 20 years ago.”

Source: Forrester

Page 6: COBIT

Control Objectives for Information and related Technology, published by ISACA and the IT Governance Institute (ITGI)

Page 7: COBIT

The four COBIT 4.x domains; their 34 processes are referred to by the prefixes PO, AI, DS and ME in the mapping slides that follow:

Plan and Organize (PO)

Acquire and Implement (AI)

Deliver and Support (DS)

Monitor and Evaluate (ME)

Page 8: COBIT - Plan and Organize (PO1–PO10)

Define strategic IT plan

Define information architecture

Determine technological direction

Define IT processes, organization and relationships

Manage IT investment

Communicate management aims and direction

Manage IT human resources

Manage quality

Assess and manage IT risks

Manage projects

Page 9: COBIT - Acquire and Implement (AI1–AI7)

Identify automated solutions

Acquire and maintain application software

Acquire and maintain technology infrastructure

Enable operation and use

Procure IT resources

Manage changes

Install and accredit solutions and changes

Page 10: COBIT - Deliver and Support (DS1–DS13)

Define and manage service levels

Manage third-party services

Manage performance and capacity

Ensure continuous service

Ensure systems security

Identify and allocate costs

Educate and train users

Manage service desk and incidents

Manage configuration

Manage problems

Page 11: COBIT - Deliver and Support (cont.)

Manage data

Manage physical environment

Manage operations

Page 12: COBIT - Monitor and Evaluate (ME1–ME4)

Monitor and evaluate IT performance

Monitor and evaluate internal control

Ensure regulatory compliance

Provide IT governance

Page 13: ISO17799

ISO/IEC 17799:2005, Information technology – Security techniques – Code of practice for information security management, published by the International Organization for Standardization (ISO) with the IEC. The standard was renumbered ISO/IEC 27002 in 2007; the eleven control clauses on the next slide are those of the 2005 edition.

Page 14: ISO17799

Security policy

Organizing information security

Asset management

Human resources security

Physical and environmental security

Communications and operations management

Access control

Information system acquisition, development and maintenance

Information security incident management

Business continuity management

Compliance

Page 15: ITIL

Information Technology Infrastructure Library, published by the UK government's Office of Government Commerce (OGC). The two process areas on the following slides, Service Support and Service Delivery, are those of ITIL version 2.

Page 16: ITIL

Service support

Service delivery

Page 17: ITIL - Service Support

Incident management

Configuration management

Problem management

Change management

Release management

Page 18: ITIL - Service Delivery

Service level management

Capacity management

Availability management

Security management

Continuity management

Financial management

Pages 19–53: Mapping COBIT, ISO17799 & ITIL

Key: Strong relationship / Weak relationship / No relationship. The strength of each relationship is colour-coded on the original slides and is not preserved in this transcript; "-" means the slide lists no corresponding ISO17799 clause or ITIL process for that COBIT process.

COBIT process | ISO17799 | ITIL
--- | --- | ---
PO1 Define strategic IT plan | - | -
PO2 Define information architecture | Asset management (classification) | -
PO3 Determine technological direction | - | -
PO4 Define IT processes, organization and relationships | Organizing information security (internal); Asset management (responsibility); Access control (users) | -
PO5 Manage IT investment | - | Financial management for IT services (budgeting)
PO6 Communicate management aims and direction | - | -
PO7 Manage IT human resources | Human resources security | -
PO8 Manage quality | - | -
PO9 Assess and manage IT risks | - | -
PO10 Manage projects | - | -
AI1 Identify automated solutions | - | -
AI2 Acquire and maintain application software | Access control (development); Information system acquisition, development and maintenance (development – software) | -
AI3 Acquire and maintain technology infrastructure | Information system acquisition, development and maintenance (development – infrastructure) | -
AI4 Enable operation and use | - | -
AI5 Procure IT resources | - | -
AI6 Manage changes | Access control (maintenance); Information system acquisition, development and maintenance (maintenance) | Change management
AI7 Install and accredit solutions and changes | Information system acquisition, development and maintenance (maintenance) | Release management
DS1 Define and manage service levels | - | Service level management
DS2 Manage third-party services | Organizing information security (external) | -
DS3 Manage performance and capacity | Communications and operations management | Capacity management
DS4 Ensure continuous service | Business continuity management | IT service continuity management
DS5 Ensure systems security | Security policy; Communications and operations management (security); Access control (security); Information system acquisition, development and maintenance (security) | Security management
DS6 Identify and allocate costs | - | Financial management of IT services (costing)
DS7 Educate and train users | - | -
DS8 Manage service desk and incidents | Information security incident management | Incident management
DS9 Manage configuration | - | Configuration management
DS10 Manage problems | - | Problem management
DS11 Manage data | Communications and operations management (backups) | Availability management
DS12 Manage physical environment | Physical and environmental security | -
DS13 Manage operations | Communications and operations management (operations) | -
ME1 Monitor and evaluate IT performance | - | -
ME2 Monitor and evaluate internal control | Compliance (audit) | -
ME3 Ensure regulatory compliance | Compliance (standards) | -
ME4 Provide IT governance | - | -

Page 54: Case Study

Key (colour-coded on the original slides; the colours are not preserved in this transcript):

Maturity level ≥ 3

Maturity level 2 – 2.9

Maturity level ≤ 1.9

Maturity scale:

0 Non-Existent: No processes

1 Initial: Processes are ad hoc

2 Repeatable: Processes are regular

3 Defined: Processes are repeatable, as well as documented and communicated

4 Managed: Processes are defined, as well as measured and monitored

5 Optimized: Processes are managed, and best practices are followed and automated

Pages 55–57: Case Study

(Figures: the 34 COBIT processes listed on pages 8–12, arranged by domain (Plan & Organize, Acquire & Implement, Deliver & Support, Monitor & Evaluate) and shaded according to the maturity-level key on page 54. The shading, and therefore the assessed maturity of each process, is not recoverable from this transcript.)

Page 58: Conclusion

Organizations are increasingly dependent upon the information systems that support their business-critical functions.

The challenge is ensuring the confidentiality, integrity and availability of these information systems, as well as protecting the related technology infrastructure.

Due to increasingly complex environments and the demanding expectations of management, organizations are using a number of international standards to achieve international best practice related to IT governance.

Page 59: Conclusion

Roadmap (diagram): Assess, Design, Implement; from Present to Future.