COBIT Introductory Workshop Excerpts from University of Calgary IT Session entitled “Introduction to COBIT, its Role in IT Governance and How to Apply it In UCIT” From June 5, 2009

Workshop Agenda This excerpt covers the 1st two points General Overview and Background of COBIT Rationale for Using COBIT at the UofC COBIT Foundations COBIT vs. Other Frameworks Practical Application of COBIT at the UofC This excerpt covers the 1st two points COBIT Introductory Workshop Page 1 2

General Overview and Background of COBIT COBIT Introductory Workshop Page 2

A Little Bit on Governance First: A Little Bit on Governance COBIT Introductory Workshop Page 3

Enterprise Governance Enterprise governance is a set of responsibilities and practices exercised by the board and executive management with the goals of: Providing strategic direction Ensuring that defined objectives are achieved Ensuring that risks are managed appropriately Applying enterprise’s resources responsibly Effective and efficient IT Governance starts with effective enterprise governance that clarifies strategic direction, priorities of objectives, and exert sufficient control to manage risks and enterprise resources to achieve the outcomes. Management is differs from governance in that its primary focus is on the implementation of decisions made through the governance process. ©2007 IT Governance Institute COBIT Introductory Workshop Page 5

Organizational Challenges Relating to IT Security Keeping IT Running Aligning IT with Business Managing Complexity Regulatory Compliance Value/Cost Organisations require a structured approach for managing these and other challenges. This will ensure that there are agreed objectives for IT, good management controls in place and effective monitoring of performance to keep on track and avoid unexpected outcomes. Explain that there are many management challenges relating to the use of IT. The slide identifies some examples (the same as in the COBIT® Foundation Course). To manage this range of issues, a sound management approach is needed. The goals include agreed and aligned objectives for IT, effective controls, and effective tracking of performance. These are the main drivers for IT governance. COBIT Introductory Workshop Page 6

What is IT Governance? Ensuring IT is aligned to and leveraged to help address enterprise needs Decision making that leads to better alignment of IT and the business IT delivering more business value IT resources are used responsibly IT risks are managed appropriately It is about the organization leadership, internal/external stakeholders and how IT investment decisions are made and prioritized. COBIT Introductory Workshop Page 7

Governance is About Balance Enterprise governance is about: Conformance Adhering to legislation, internal policies, audit requirements, etc. Performance Improving profitability, efficiency, effectiveness, growth, etc. Performance Conformance Good governance processes will foster timely decisions, responsible actions, and alignment of an organization’s IT strategy with its overall mission and goals. Both Enterprise governance and IT governance require a balance between conformance and performance goals directed by the board. ©2007 IT Governance Institute COBIT Introductory Workshop Page 8

IT Governance, as Defined by IT Governance Institute (ITGI) IT governance is: The responsibility of the board of directors and executive management An integral part of enterprise governance, consisting of the leadership, organizational structures and processes that ensure that the enterprise’s IT sustains and extends the organization’s strategies and objectives PERFORMANCE MEASUREMENT RESOURCE MANAGEMENT RISK VALUE DELIVERY STRATEGIC ALIGNMENT www.itgi.org 2006 Educause survey suggest IT Governance is a top issue as funding IT is directly related to governance and institutional priority setting. COBIT Introductory Workshop Page 9

IT Governance Domains Strategic alignment Value delivery Resource Focuses on ensuring the linkage of business and IT plans and on aligning IT operations with enterprise operations Value delivery IT delivers the promised benefits against the strategy, concentrating on optimizing costs and proving the intrinsic value of IT Resource management Is about the optimal investment in, and the proper management of, critical IT resources: applications, information, infrastructure and people Risk management Senior management’s appetite for risk, compliance requirements, transparency about the significant risks to the organisation Assessment of the IT Governance domain can be integrated or independent based on organization operating environment and risks. Performance measurement Tracks and monitors strategy implementation, project completion, resource usage, process performance and service delivery to achieve goals measurable beyond conventional accounting ©2007 IT Governance Institute COBIT Introductory Workshop Page 10

IT Governance Stakeholders Board and executive Set direction for IT, monitor key results and insist on corrective measures Defines business requirements for IT and ensures that value is delivered and risks are managed Business management Delivers and improves IT services as required by the business IT management IT audit Provides independent assurance to demonstrate that IT delivers what is needed Risk and compliance Measures compliance with related policies and focuses on identification/mitigation of new risks ©2007 IT Governance Institute COBIT Introductory Workshop Page 11

So what is COBIT? COBIT is a controls framework that supports IT Governance COBIT stands for Control Objectives for Information and Related Technology. It was created by ISACA (Information Systems Audit and Control Association) in 1996 Initially created to define control objectives for business applications It has evolved in Version 4.1 into a governance framework Now owned by the IT Governance Institute (ITGI) The COBIT framework was created with the main characteristics: Business-focused Process-oriented Controls-based Measurement-driven COBIT Introductory Workshop Page 13

Key Characteristics of COBIT Is freely downloadable Has internationally accepted good practices Is management-oriented Is supported by tools and training Allows the knowledge of expert volunteers to be shared and leveraged Continually evolves and is maintained by a reputable not-for-profit organisation Maps strongly to all major, related standards and audit practices However: Is a reference, not an ‘off-the-shelf’ cure Enterprises still need to analyse control requirements and customise COBIT based on their: Value drivers Risk profile IT infrastructure, organisation and project portfolio COBIT Introductory Workshop Page 14

History of COBIT Page 14 Evolution Governance COBIT 4 2005 COBIT 3 Management 2000 COBIT 2 Control 1998 COBIT 1 Audit 1996 COBIT Introductory Workshop Page 15 Page 14

Links to Business Strategy An organisation depends on reliable and timely data and information. COBIT components provide a comprehensive framework for delivering value while managing risk and control over data and information. Business Strategy Information Criteria IT Resources IT Processes COBIT Introductory Workshop Page 16

COBIT Framework The “COBIT Cube” Information Criteria IT Processes IT Resources COBIT Introductory Workshop Page 17

Basic Concepts The COBIT framework is based on the premise that IT needs to deliver the information that an enterprise requires to achieve its objectives. i IT Resources and Processes Information Business Processes Business Objectives provide to for achieving The COBIT framework helps align IT with the business by focusing on business information requirements and organising IT resources. COBIT provides the framework and guidance to implement IT governance. COBIT Introductory Workshop Page 18

What Does it do? COBIT helps bridge the gaps between business risks, control needs and technical issues. It provides good practices across a domain and process framework and presents activities in a manageable and logical structure. COBIT: It provides tools that both support effectiveness and enable audit Starts from business requirements Is process-oriented, organising IT activities into a generally accepted process model Identifies the major IT resources to be leveraged Defines the management control objectives to be considered Maps all the way to measurements – performance, audit, maturity Incorporates major standards and has become the de facto standard for overall control of IT This slide summarises the main attributes of the COBIT framework. IT resources need to be managed by a set of naturally grouped processes. COBIT provides a framework that achieves this objective. COBIT Introductory Workshop Page 19

COBIT vs Other Frameworks Organisations will consider and use a variety of IT models, standards and best practices. These must be understood in order to consider how they can be used together, with COBIT acting as the consolidator (‘umbrella’). COSO COBIT ISO 27001/002 ISO 9000 ITIL HOW WHAT Others It is normal for COBIT to be used in conjunction with other good practices, standards and in-house developed guidance. COBIT can act like an umbrella providing the framework for everything else. SCOPE OF COVERAGE COSO – Committee of Sponsoring Agencies of the Treadway Commission – Internal Control Integrated Framework – focused on business controls ISO 27001/002 – Information Security Policy ISO 9000 – Family of standards for Quality Management COBIT Introductory Workshop Page 20

Enterprise Governance Best Practice Standards Another View CONFORMANCE Basel II, Sarbanes- Oxley Act, etc. Drivers PERFORMANCE: Business Goals Balanced Scorecard Enterprise Governance COSO IT Governance COBIT This slide shows how COBIT fits into the hierarchy—from business drivers at the top, down to specific governance processes and procedures. COBIT is the bridge between business and enterprise governance requirements and specific IT governance practices. ISO 9001:2000 ISO 27001/002 ISO 20000 Best Practice Standards PMBOK Others Processes and Procedures Lean Six Sigma Security Principles ITSM ITDDM TOGAF, others ITDDM stands for IT Definition and Delivery Method – used at the UofC as a standard methodology for project initiatives COBIT Introductory Workshop Page 21

Rationale for Using COBIT at the UofC COBIT Introductory Workshop Page 22

We’re Not Alone How do most research universities govern the large and rapidly evolving set of information technology initiatives that take place on their campuses? ANSWER: Inefficiently, ineffectively and not as well as they should. IT governance process and structure usually involve a confusing hybrid of autonomous departments and one or more centralized units. There are usually a complex committee structure and a mix of decentralized, independent decision makers who are responsible for most local decisions. The governance process are confusing and time consuming and occasionally fail, as evidenced of damaging IT security breaches on many campuses. ~ Source: Educause – IT Governance in Higher Education 2006 ~ COBIT Introductory Workshop Page 23

Why COBIT? Some of the advantages of adopting COBIT are: COBIT is aligned with and can be used with other standards and good practices COBIT’s framework and supporting best practices provide a well-managed and flexible IT environment in an organisation. COBIT provides a control environment that is responsive to business needs and serves management and audit functions in terms of their control responsibilities. COBIT provides tools to help manage and measure IT activities. COBIT is used by the Provincial Auditors in their annual audit review COBIT has been selected by Alberta Advanced Education & Technology as a target control framework for Post Secondary Institutions Target maturity level defined as 3 within 3 years COBIT Introductory Workshop Page 24

How it Supports IT Governance? COBIT brings the following advantages to an IT governance implementation effort: Enables mapping of IT goals to business goals and vice versa Better alignment, based on a business focus A view of what IT does that is understandable to management Clear ownership and responsibilities based on process orientation General acceptability with third parties and regulators Shared understanding amongst all stakeholders, based on a common language Fulfilment of the COSO requirements for the IT control environment Performance Conformance These are the main benefits gained by using COBIT to implement IT governance. You could ask the class for their opinions and experiences. COBIT Introductory Workshop Page 25

Exploring the Key Benefits COBIT focuses on improving IT governance in organisations. COBIT provides a framework to manage and control IT activities and supports five requirements for a control framework. Has general acceptability amongst organisations Helps meet regulatory requirements Control Framework Defines a common language Ensures process orientation Provides sharper business focus COBIT Introductory Workshop Page 26

Sharper Business Focus COBIT achieves sharper business focus by aligning IT with business objectives. The measurement of IT performance should focus on IT’s contribution to enabling and extending the business strategy. COBIT, supported by appropriate business-focused metrics, can ensure that the primary focus is value delivery and not technical excellence as an end in itself. Has general acceptability amongst organisations Defines a common language Ensures process orientation Helps meet regulatory requirements Control Framework Provides sharper business focus COBIT Introductory Workshop Page 27

Process Orientation When organisations implement COBIT, their focus is more process-oriented. Incidents and problems no longer divert attention from processes. Exceptions can be clearly defined as part of standard processes. With process ownership defined, assigned and accepted, the organisation is better able to maintain control through periods of rapid change or organisational crisis. Has general acceptability amongst organisations Defines a common language Helps meet regulatory requirements Ensures process orientation Control Framework Provides sharper business focus COBIT Introductory Workshop Page 28

General Acceptability COBIT is a proven and globally accepted standard for increasing the contribution of IT to organisational success. Coming soon to a campus near us The framework continues to improve and develop to keep pace with good practices. IT professionals from all over the world contribute their ideas and time to regular review meetings. Has general acceptability amongst organisations Defines a common language Helps meet regulatory requirements Provides sharper business Ensures process orientation Control Framework focus COBIT Introductory Workshop Page 29

Regulatory Requirements Recent corporate scandals have increased regulatory pressures on boards of directors to report their status and ensure that internal controls are appropriate. This pressure covers IT controls as well. Organisations constantly need to improve IT performance and demonstrate adequate controls over their IT activities. Many IT managers, advisors and auditors are turning to COBIT as the de facto response to regulatory IT requirements. Has general acceptability amongst organisations Defines a common language Provides sharper business Ensures process orientation Helps meet regulatory requirements Control Framework focus COBIT Introductory Workshop Page 30

Regulatory Requirements (cont.) In the Auditor General's April 2008 public report, he recommended: "...that the Department of Advanced Education and Technology give guidance to public post-secondary Institutions on using an IT control framework to develop control processes that are well-designed, efficient, and effective" The following excerpt was taken from the OAG’s audit plan for AET:   8.3 IT Controls framework for post-secondary institutions We understand the Department is working, through the Alberta Associations of Higher Education Information Technology, with Institutions to develop an IT Control Framework for Institutions. We support this initiative and will work with the Department to determine the progress made. This will also allow us to determine the extent and timing of work to perform at individual Institutions. Working with PSIs, the Provincial PSI ITM Control Framework will provide a holistic functional perspective built on guidance and requirements of: CoBIT 4.1 as published by the IT Governance Institute (Level 3 maturity targeted) General Computer Controls Review (GCCR) as published by the OAG Legislation / Regulation (FOIP, etc.) Other International Standards (ITIL, ISO27002, etc.) Specific institutional needs and interdependencies Existing principles and governance COBIT Introductory Workshop Page 31

Common Language A framework helps get everybody on the same page by defining critical terms and providing a glossary. Co-ordination within and across project teams and organisations can play a key role in the success of any project. Common language helps build confidence and trust. Has general acceptability amongst organisations Provides sharper business Ensures process orientation Defines a common language Helps meet regulatory requirements Control Framework focus COBIT Introductory Workshop Page 32

References/Sources IT Governance Institute - http://www.itgi.org/ ISACA - http://www.isaca.org/ COBIT Introductory Workshop Page 3