COBIT® as a Risk Management Framework John W. Lainhart IV CISA, CISM, CGEIT, CIPP/G Partner, Security, Privacy, Wireless & IT Governance IBM Global Business Services Principal Advisory to IT Governance Institute john.w.lainhart@us.ibm.com 301-803-2745 COBIT® as a Risk Management Framework

In This Presentation... The Governance Environment An introduction to IT Governance An introduction to Control Objectives for Information and related Technology (COBIT®) Overview of COBIT® Supporting Materials COBIT® Mappings to Other Standards An introduction to ValIT™ An introduction to RiskIT™ Recently Announced Certification Program – CGEIT Questions

IT Governance, COBIT, ValIT and RiskIT Are Brought to You by …

IT Governance Institute IT Governance Institute is a non-profit research think-tank associated with ISACA®

IT Governance Institute Product Suite Governance, Security and Assurance Management Business and Technology Management Governance IT Governance Implementation Guide Information Security Governance Board Briefing on IT Governance COBIT Control Practices IT Assurance Guide COBIT 4.1 Val IT

The Governance Environment

Forces Driving IT Governance Business/IT Alignment ROI Compliance Project Execution Security

What Makes IT Governance so important? Strategic importance of IT Extended Enterprise Regulatory requirements Cost optimisation Return on investment Drivers Gartner – more than 600 billion $ thrown away annually on ill conceived or ill executed IT projects Standish Group – about 20% of projects fail outright, 50% are challenged and only 30% are successful ITGI 2005 Survey early findings confirm concerns Low return from high-cost IT investments, and transparency of IT’s performance are two top issues More than 30% claim negative return from IT investments targeting efficiency gains 40% do not have good alignment between IT plans and business strategy Interest in and use of active management of the return on IT investments has doubled in 2 years (28% to 58%)

What makes IT Governance so important? Shareholders want protection for the Enterprise’s Share Price “…if not filed, auditor must include a paragraph in its annual report that it cannot vouch for the enterprise’s ability as a going concern…” “…financial reporting system is not up to speed…” “…the company has lost a third more of its market value yesterday as it revealed a virtual collapse of its financial reporting system…” “…data entry problems…”

The Premier IT Leaders polled by ComputerWorld Magazine put these projects at the top of their to-do lists for 2008 # 1 on this list is IT Governance, including business alignment From the Dec 10, 2007 issue of Computerworld Magazine (pg 74) Computerworld Magazine is a publication of International Data Group Inc. IBM Confidential|

An Overview of IT Governance

What is IT Governance? “IT governance is the responsibility of the board of directors and executive management. It is an integral part of enterprise governance and consists of the leadership and organisational structures and processes that ensure that the organisation’s IT sustains and extends the organisation’s strategies and objectives.” ITGI, Board Briefing on IT Governance

IT Governance Needs a Management Framework Driving Forces Map Onto the IT Governance Focus Areas STRATEGIC ALIGNMENT VALUE DELIVERY IT GOVERNANCE PERFORMANCE MEASUREMENT MANAGEMENT RISK RESOURCE MANAGEMENT

IT Governance Focus Areas Strategic alignment, focuses on ensuring the linkage of business and IT plan; on defining, maintaining and validating the IT value proposition; on aligning IT operations with the enterprise operations; and establishing collaborative solutions to Add value and competitive positioning to the enterprise’s products and services Contain costs while improving administrative efficiency and managerial effectiveness

IT Governance Focus Areas Value delivery is about executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimising expenses and proving the value of IT, and on controlling projects and operational processes with practices that increase the probability of success (quality, risk, time, budget, cost, etc)

IT Governance Focus Areas Risk management requires risk awareness of senior corporate officers, a clear under- standing of the enterprise’s appetite for risk and transparency about the significant risks to the enterprise; it embeds risk management responsibilities in the operation of the enterprise and specifically addresses the safeguarding of IT assets, disaster recovery and continuity of operations

IT Governance Focus Areas Resource management covers the optimal investment, use and allocation of IT resources and capabilities (people, applications, technology, facilities, data) in servicing the needs of the enterprise, maximising the efficiency of these assets and optimising their costs, and specifically focusses on optimising knowledge and the IT infrastructure and on where and how to outsource

IT Governance Focus Areas Performance measurement, tracking project delivery and monitoring IT services, using balanced scorecards that translate strategy into action to achieve goals measur-able beyond conventional accounting, measuring those relationships and knowledge-based assets necessary to compete in the information age: customer focus, process efficiency and the ability to learn and grow.

IT Governance Life Cycle

IT Governance Control Cycle

IT Governance Control Cycle Assess Environment Based on COBIT®, develop an approach for improved internal control to meet regulatory requirements that incorporates business and IT mission, vision, and strategy Establish risk management strategy Formally document existing processes

IT Governance Control Cycle Maintain IT Controls Framework Develop controls framework to supports sound business decisions Document integration points in the current environment Create an organizational mechanism to support the governance of IT Mitigate identified risks through the IT controls framework

IT Governance Control Cycle Develop & Refine Governing Documents Utilize a central repository for governing documents Develop a consistent approach for creating governing documents Consistently apply processes and procedures Gain executive commitment for IT governance frameworks and structure

IT Governance Control Cycle Communicate and Train Provide “Tone at the Top” Develop a strategic communication plan for mission objectives and overall management direction Execute strategic communication plan Implement a standard training program to avoid unnecessary and redundant training

IT Governance Control Cycle Implement and Operate Align staff responsibilities with IT control objectives Achieve sustainability of IT controls in the operational environment Support continuous improvement of operational effectiveness and accountability

IT Governance Control Cycle Measure and Validate Revise current metrics program to include newly defined controls Verify the sustainability of defined controls Develop cost effective automated measurements Measure all processes to include Applications, Databases, Platforms and Networks

IT Governance Control Cycle Monitor and Report Report on continued effectiveness of controls Increase transparency to auditors of issues and actions taken Accurately attest to IT’s compliance with policy, laws, and regulations Improve existing processes using metrics trending

IT Governance Control Cycle Enforce Reinforce required policy compliance and standards conformance Define a consistent approach for enforcement across all processes

An Overview of COBIT

COBIT 4.1—The IT Governance Framework IT Processes IT Management Processes IT Governance Processes CobiT best practices repository for COBIT Internationally accepted good practices Management-oriented Freely available Sharing knowledge and leveraging expert volunteers Continually evolving Maintained by reputable not-for-profit organisation Maps 100% to COSO Maps strongly to all major related standards Is a reference, set of best practices, not an “off-the-shelf” cure Enterprises still needs to analyse their control requirements and customise based on: Value drivers Risk profile IT infrastructure, organisation and project portfolio The only IT management and control framework that covers the end-to-end IT life cycle

COBIT: An IT Control Framework Starts from the premise that IT needs to deliver the information that the enterprise needs to achieve its objectives Promotes process focus and process ownership Divides IT into 4 domains and 34 processes, with a total of 210 control objectives Looks at fiduciary, quality and security needs of enterprises and provides for seven information criteria that can be used to generically define what the business requires from IT Addresses the resources made available to and built up by IT Domains: 1. Plan & Organize 2. Acquire & Implement 3. Delivery & Support 4. Monitor & Evaluate Information Criteria: 1. Effectiveness 2. Efficiency 3. Availability 4. Integrity 5. Confidentiality 6. Reliability 7. Compliance IT Resources: 1. Applications 2. Information 3. Infrastructure 4. People

Key Driving Forces for COBIT How IT is organised to respond to the requirements What the stakeholders expect from IT The resources made available to—and built up by—IT Business Requirements IT Resources IT Processes Plan and Organise Aquire and Implement Deliver and Support Monitor and Evaluate Applications Information Infrastructure People Effectiveness Efficiency Confidentiality Integrity Availability Compliance Information reliability

IT Life Cycle COBIT Framework Business Objectives Criteria Effectiveness Efficiency Confidentiality Integrity Availability Compliance Reliability IT Resources Applications Information Infrastructure People Monitor and Evaluate Plan and Organise IT Life Cycle Deliver and Support Acquire and Implement

COBIT Processes Plan and Organise Acquire and Implement PO1 Define an IT Strategic Plan PO2 Define the Information Architecture PO3 Determine Technological Direction PO4 Define the IT Processes, Organisation and Relationships PO5 Manage the IT Investment PO6 Communicate Management Aims and Direction PO7 Manage IT Human Resources PO8 Manage Quality PO9 Assess and Manage IT Risks PO10 Manage Projects Plan and Organise Acquire and Implement

COBIT Processes Deliver and Support Monitor and Evaluate ME1 Monitor and Evaluate IT Performance ME2 Monitor and Evaluate Internal Control ME3 Ensure Compliance With External Requirements ME4 Provide IT Governance Monitor and Evaluate

COBIT PC and AC Processes Process Goals and Objectives PC2 Process Ownership PC3 Process Responsibility PC4 Roles and Responsibilities PC5 Policy, Plans and Procedures PC6 Process Performance Improvement Process Controls AC1 Source Data Preparation and Authorization AC2 Source Data Collection and Entry AC3 Accuracy, Completeness and Authenticity Checks AC4 Processing Integrity and Validity AC5 Output Review, Reconciliation and Error Handling AC6 Transmission Authentication and Integrity Application Controls

Process Level Navigating in COBIT

Control Objectives P09.6 Maintenance and Monitoring of a Risk Action Plan Prioritise and plan the control activities at all levels to implement the risk responses identified as necessary, including identification of costs, benefits and responsibility for execution. Obtain approval for recommended actions and acceptance of any residual risks, and ensure that committed actions are owned by the affected process owner(s). Monitor execution of the plans, and report on any deviations to senior management.

Management Guidelines

Management Guidelines

Maturity Model

Maturity Levels in COBIT Non-existent Initial Repeatable Defined Managed Optimised 1 2 3 4 5 0 - Management processes are not applied at all. 1 - Processes are ad hoc and disorganised. 2 - Processes follow a regular pattern. 3 - Processes are documented and communicated. 4 - Processes are monitored and measured. 5 - Best practices are followed and automated.

Dimensions of Process Maturity in COBIT We capture process maturity data on each of six dimensions: Awareness and communication Policies, standards and procedures Tools and automation Skills and expertise Responsibility and accountability Goal setting and measurement

Leverage COBIT® Supporting Materials ...

Implementation Guide

Implementation Guide IT Governance Implementation Guide, 2nd Edition Detailed, structured guidance to the implementation of IT governance Generic IT governance implementation guidance, not just COBIT

Control Practices

Control Practices COBIT Control Practices, 2nd Edition Detailed guidance on each of the control objectives Management-oriented From three to 12 control practices per control objective

Assurance Guide

Assurance Guide IT Assurance Guide: Using COBIT Detailed guidance to support assurance practitioners in: Financial statement audit Internal audit Value for money Operational improvement Guidance on: How to leverage COBIT for assurance Detailed assurance testing steps

Quickstart

Quickstart For small and medium sized organizations and larger organizations wanting to quickstart IT governance Selection of components from the complete COBIT framework Can be used as a baseline (set of “smart things to do”) for small and medium-sized enterprises and other entities where IT is not strategic or absolutely critical for survival Can also be a starting point for larger enterprises in their first moves toward an appropriate level of control and governance of IT

COBIT Security Baseline

COBIT Security Baseline - 44 Steps Toward Security Define the security strategy - 1 Define the IT organisation and relationships - 1 Communicate management aims and direction - 1 Manage IT human resources - 4 Assess and manage IT risks - 3 Identify automated solutions - 1 Acquire and maintain application and technology infrastructure - 3 Enable operation and use - 1 Manage changes - 2 Install and accredit solutions and changes - 2 Define and manage service levels - 1 Manage third-party services - 3 Ensure continuous service - 3 Ensure systems security - 8 Manage the configuration - 2 Manage data - 3 Manage the physical environment - 2 Monitor and evaluate IT performance—assess internal control adequacy - 1 Obtain independent assurance - 1 Ensure regulatory compliance – 1 6 Information Security Survival Kits Home Users Professional Users Managers Executives Senior Executives Board of Directors/Trustees

COBIT Mappings to Other Frameworks and Standards

Where COBIT Typically Sits King COSO Governance Layer COBIT Governance Layer IT ITIL 17799 Management Layer IT CMM TickIT

How COBIT Relates to Frameworks and Standards Strategic 17799 COBIT Process Control CMM XY XY XY XY XY ITIL ## ## ## ## ## Process Execution Work Instruction Workinstruction 2 3 4,5,6…. Workinstruction 2 3 4,5,6…. Workinstruction 2 3 4,5,6…. Workinstruction 2 3 4,5,6…. Workinstruction 2 3 4,5,6….

How COBIT Relates to Frameworks and Standards Strategic 17799 COBIT Process Control CMM XY XY XY XY XY ITIL ## ## ## ## ## Process Execution Work Instruction Workinstruction 2 3 4,5,6…. Workinstruction 2 3 4,5,6…. Workinstruction 2 3 4,5,6…. Workinstruction 2 3 4,5,6…. Workinstruction 2 3 4,5,6….

An Overview of ValIT

The Information Paradox ? The value of IT is being increasingly questioned... …yet organizations continue to spend more and more on IT SKIP 60

The Fundamental Question Are we maximizing the value of our IT-enabled business investments such that: we are getting optimal benefits; at an affordable cost; and with an acceptable level of risk? Over the full economic life-cycle of the investment

Without Effective Governance SYMPTOMS Situation Reluctance to say no to projects Lack of Strategic Focus Projects are “sold” on emotional basis -- not selected No strong review process Overemphasis on Financial ROI No clear strategic criteria for selection Can’t kill projects Leads to.. Too many projects Quality of execution suffers Underestimation of risks and costs Projects not aligned to strategy Budget overruns Project delays Business needs not met Lack of confidence (in IT) Results in.. Benefits not received Increased Complexity Sub-optimal use of resources Finger pointing Source: Fujitsu

Continuously Need to Question The strategic question. Is the investment: In line with our vision? Consistent with our business principles? Contributing to our strategic objectives? Providing optimal value, at affordable cost, at an acceptable level of risk? In the value question. Do we have: A clear and shared understanding of the expected benefits? Clear accountability for realising the benefits? Relevant metrics? An effective benefits realisation process? Some fundamental questions about the value enabled by IT The architecture question. Is the investment: In line with our architecture? Consistent with our architectural principles? Contributing to the population of our architecture? In line with other initiatives? The delivery question. Do we have: Effective and disciplined delivery and change management processes? Competent and available technical and business resources to deliver: the required capabilities; and the organisational changes required to leverage the capabilities? Source: The Information Paradox

Val IT Processes & Key Management Practices

P3M -Projects, Programs, and Portfolios Portfolio – a suite of business programmes managed to optimise overall enterprise value Portfolio Management Programme – a structured grouping of projects designed to produce clearly identified business value Programme Management Project Management Project – a structured set of activities concerned with delivering a defined capability based on an agreed schedule and budget

Val IT Relationship between Processes & Practices Establish governance framework VG1-4, 6 -7 Establish portfolio parameters VG Provide strategic direction VG5, 9-11 VG8 PM1-5 PM6 Maintain resource profile Maintain funding profile Evaluate & prioritize investments PM14 PM7-10 Move selected investments to active portfolio Manage overall portfolio Monitor & report on portfolio performance PM PM11 PM12-13 Analyse alternatives Assign accountability Document business case Identify business req’ts Define candidate programme IM4 IM9 IM1-2 IM8, 13 IM3, 5-7 Launch programme Manage programme execution Monitor & report on programme performance Retire programme IM IM10 IM 11-12 IM15 IM14

Val IT Initiative …a value lens into COBIT™ Are we doing the right things? Are we doing them the right way? Are we doing them well? Are we getting the benefits? PO AI ME DS PM VG IM Val IT Governance & management of a portfolio of business change programmes COBIT Governance & management of a portfolio of technology projects, services, systems & supporting infrastructure

Val IT Initiative Status DONE Framework Business Case Case Study (initial) Extend FW to services & other IT assets/ resources & Simplify Maturity Models Management Guidelines Taxonomy QuickStart Guide 1st Qtr. of 2008 IN PROCESS Business Case v2.0 Empirical Analysis Benchmarking PLANNED Available for free download from: www.isaca.org or www.itgi.org

The Business Challenge Maximizing value and reducing risk made possible by IT both enables and requires a through IT governance approach that: Ensures clarity of, and accountability for the desired outcomes Enables understanding of the full scope of effort Breaks down the “silos” and “connects the dots” Manage the full economic life-cycle Senses and responds to changes and deviations This is a significant leadership challenge, opportunity and responsibility!

The RiskIT Initiative

RISKIT DESCRIPTION A risk management framework that provides the missing link between enterprise risk management and IT Management and control, fitting in the overall IT Governance framework of ITGI, and building upon all existing risk related components within the current frameworks, i.e., COBIT and Val IT A number of related services and products (practical guides, reference data, interfaces/mapping with other standards, …)

RISKIT ACTIONS ITGI Board discussion on this initiative and decision to proceed with full business case development (July 2007) Business Case development, (October 2007) including Market survey Feasibility study High-level design of the product/service Set-up project governance structure, incl. Core Team, expert team, identify project manager(s) and potential resources Define high-level development and roll-out plan ITGI Board approved detailed business case and decision to proceed with full project (November 2007) RiskIT Task Force members appointed (December 2007) First RiskIT Task Force meeting held in Ghent, Belgium on 18-19 January 2008 First draft RiskIT planned to be issued by December 2008

RiskIT Processes & Key Management Practices As of 19 January 2008 first Task Force meeting in Ghent, Belgium High Level Risk Management Guidance: COSO ERM, AS/NZS 4360, etc

RISK IT Product Family – Proposed Content & Lifecycle

RELATIONSHIP OF COBIT/VALIT/RISKIT

Certified in the Governance of Enterprise IT (CGEIT)

Questions