Getting to Grips with CobiT – Enterprise Architecture, a conceptual approach to IT Governance, or how to understand the difference between IT Governance and IT Management


Who am I? Jan Bjørnsen: working with this for nearly 20 years. In-depth skills and knowledge in IT Governance, Information Security, counselling and negotiation/contracting. Author of «Slik får du IT-styring og kontroll», Universitetsforlaget.

1: IT Governance and IT Management – The Straw Model. You need a “Modus Operandi” that focuses on IT Governance and IT Management, and I will give a brief presentation of the Straw Model to put everything into perspective. – We will look at administrative, non-technical issues vs. operational, technical activities – and at the balance between governing documents vs. dynamic documents like guidelines, procedures etc. Some different sketches....

Frameworks and standards – an overview: ISO, COSO, COBIT, ITIL v2.5, ITIL v3, ISO, ISO 2700x, ISO 900x, Common Criteria

What do we want… Administrative, non-technical vs. operative, technical; static vs. dynamic

Straw Model of Architecture (diagram labels): Vision, Strategy, Policy, Principles, Procedures, Guidelines; IT/IS, ITIL/ISO....; Risk Management, Valued Deliveries; Governance, Architecture, Implementation; Functions, Responsibility, Procedures, Policy, Internal ”self-”control; Cobit processes, Roles, Plans, Guidelines, Plan, Monitor, Report; Detailed ”workbook”; Continuity/Assessments/etc

IT Governance Services – the five IT Governance areas: Strategic Alignment, Value Delivery, Resource Management, Risk Management, Performance Management

Governance vs. Management (diagram labels): Services – Advisory and Execution. IT Governance: Strategic Alignment, Value Delivery, Resource Management, Risk Management, Performance Management; IT strategy, Organisation potential, Architecture building, Implement Self Control. Service Management: Resource, Risk Handling, Monitoring, Process management, Process Implementation, Operative IT security, Manage Infrastructure, Manage Networks, Incident/Problem handling, ITIL; BIA, Criticality Assessments, Risk Analysis, Contingency Plans, Security Standards ISO 2700x, Personnel Management; Infrastructure, Applications, Systems, Action-based monitoring, Incident/Problem handling

IT Governance vs. IT Management – Inhouse expertise: Accountability, „Provide“ responsibility, „Supervise“ responsibility. Outsourced expertise: Responsibility, „Execute/maintenance“ responsibility.

”The Triangle of Responsibility” – ”Provide”-responsibility: «Accountable» in RACI. ”Execute”-responsibility: «Responsible» in RACI – self assurance, internal control. ”Supervise”-responsibility: «Consulted/Informed» in RACI – evaluates control design. Management/outsourced responsibility vs. Governance/inhouse responsibility.

Cobit – a de facto standard (for IT governance, security, assurance, audit etc.). Cobit as a tool has matured since its introduction in 1996 and is today well suited for understanding, controlling and measuring IT. It covers many facets today: – It is a tool for the CIO for governance and control – It is a tool for the IT Auditor for assurance – It is a tool to build a good Control Design – It is a tool for measuring compliance and maturity – It is a tool for Security officers.

Cobit – Different views

Cobit and ITIL

Practical use of CobiT – Security Architecture and the Straw Model. Information security and other security functions can use the Straw Model to put everything into perspective: how to create governing documents, how to present a strategy for implementation, creating dynamic documents like security guidelines, implementing security in procedures etc. Different samples.....

Straw Model of Architecture by Cobit

Straw Model of Architecture by organisation

Sample documents: Principles of Information Security, Security Guidelines, Control activity defined in processes. As an example of the 5 IT Governance areas, I have chosen Risk Management for presentation purposes.

Do a Risk Assessment and a Maturity Mapping. Based on the requirements in your SLA you need to know the criticality of each system to ensure your Continuity plan covers the right systems (example: SmartRisk Access database). You also need to know how mature your organisation is in relation to Cobit (example: process DS 4 Ensure Continuous Services – RACI chart in Excel).

Risk – the CISM manual has a good description of operational risk: facilities and operational environment risk, HSE risk, information security risk, control framework risk, legal and regulatory compliance risk, corporate governance risk, technology risk, project management risk, crime and fraud risk, personnel risk, supplier risk, information management risk, reputation risk, strategic risk, process and attitude risk, ethical risk, geopolitical risk, cultural risk, climate and weather risk.

Contingency – on its own or as a part of the security architecture. What are your goal(s)? Contingency/Continuity: how to incorporate IT Continuity and IT Disaster Recovery plans into the architecture (“Straw Model”), with a sample layout and detailed description of time-slot activities, Incident Response Teams, Disaster Recovery Teams and Instructions, and decision gates to move through all phases of a critical situation. You need to understand the different levels of continuity: – Backup/Restore – Continuity plans – IT Disaster Recovery Plans – Business Continuity Plans. You also need to know how mature your organisation is in relation to Cobit process DS 4 Ensure Continuous Services.

Our Framework Methodology – Contingency plan: BCP and DRP. BCP – Business Continuity Plan (using ISACA’s principles). DRP – Disaster Recovery Plan (using CobiT’s Continuity process).

The first critical phases can be solved by using the Incident Response Team. Example (must be based on your SLA and Criticality Assessments): the critical timeslot for the FIRST DECISION POINT is 40 minutes; the timeslot for the SECOND DECISION POINT is 60 minutes (1 hour); the timeslot for the THIRD DECISION POINT is 120 minutes (2 hours). T1, T2, T3.

Contingency: if your Continuity plan does not solve the problem you must escalate. The IT Disaster Recovery Plan and BCP have 8 phases: 1 The Notification phase – first (1) point of decision (further notification of IRT, or “all clear/no danger”, or move to the second decision point directly). 2 The Overview phase – second (2) point of decision (establish Disaster Management Team or decide “all clear/no danger”). 3 The Response phase. 4 The Activity phase. 5 The Establishing phase – third (3) point of decision (establish operation/production or further escalation). 6 The Operation phase – fourth (4) point of decision (transition to standard operation or keep the alternate operation). 7 Return to Normal Operation phase. 8 The Termination phase – fifth (5) point of decision (wind up the Disaster Management Team and re-establish normal operation).
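The decision-point timeline from the two slides above, as an added example that is not part of the presentation: it checks a recorded sequence of decisions against the 40/60/120-minute deadlines and the rule that an “all clear” at decision point 1 or 2 closes the incident. The decision outcomes and the incident log are constructed sample data.

```python
"""Decision-point timeline checker for the DRP escalation on the slides (added
example, not part of the presentation). Assumes the three timed decision points
(40, 60 and 120 minutes after first notification) and that an "all clear"
outcome at decision point 1 or 2 closes the incident. Log data is constructed."""
from dataclasses import dataclass

# Deadline in minutes after first notification for the timed decision points (from the slides).
DECISION_DEADLINES = {1: 40, 2: 60, 3: 120}


@dataclass(frozen=True)
class Decision:
    point: int      # decision point number, 1..5
    minute: int     # minutes after first notification when it was recorded
    outcome: str    # constructed free text, e.g. "notify IRT", "establish DMT", "all clear"


def evaluate(decisions):
    """Return points taken after their deadline ('late'), recorded out of
    sequence ('out_of_order') or recorded after an "all clear" ('after_all_clear')."""
    late, out_of_order, after_all_clear = [], [], []
    previous_point, closed = 0, False
    for d in decisions:
        if closed:
            after_all_clear.append(d.point)
        if d.point in DECISION_DEADLINES and d.minute > DECISION_DEADLINES[d.point]:
            late.append(d.point)
        if d.point <= previous_point:
            out_of_order.append(d.point)
        previous_point = max(previous_point, d.point)
        if d.point in (1, 2) and d.outcome == "all clear":
            closed = True
    return {"late": late, "out_of_order": out_of_order, "after_all_clear": after_all_clear}


def overdue_point(decisions, now_minute):
    """Next timed decision point whose deadline has passed with no recorded
    decision, or None while the team is still within the plan."""
    taken = {d.point for d in decisions}
    for point, deadline in sorted(DECISION_DEADLINES.items()):
        if point not in taken:
            return point if now_minute > deadline else None
    return None


# Constructed incident log: the Overview decision (T2) was recorded 15 minutes late.
SAMPLE_LOG = [Decision(1, 35, "notify IRT"), Decision(2, 75, "establish DMT"),
              Decision(3, 110, "establish operation"),
              Decision(4, 300, "keep alternate operation"), Decision(5, 1440, "wind up DMT")]
```

Running `evaluate(SAMPLE_LOG)` reports decision point 2 as late; `overdue_point(SAMPLE_LOG[:1], 70)` shows how the same deadlines can drive a live reminder for the team during the incident.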

Sample documents: Contingency Principles, Incident Response Team Authorisation Letter, Continuity plan, IT Disaster Recovery Plan, Business Continuity Plan

Questions? Contact Information: Jan Bjørnsen, Scandinavian Business Security Ltd. Mob: Web: