COBIT 5 and GRC
Presentation transcript:

COBIT 5 and GRC Date

© 2012 ISACA. All rights reserved. No part of this publication may be used, copied, reproduced, modified, distributed, displayed, stored in a retrieval system or transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise) without the prior written authorisation of ISACA. Use of this publication is permitted solely for personal use and must include full attribution of the material’s source. No other right or permission is granted with respect to this work.

GRC

GRC
GRC: Governance, risk management and compliance.
An increasingly used ‘umbrella term’ that covers these three areas of enterprise activities.
These areas of activity are progressively being more aligned and integrated to improve enterprise performance and delivery of stakeholder needs.

GRC Definitions
Governance—Exercise of authority; control; government; arrangement.
Risk (management)—Hazard; danger; peril; exposure to loss, injury, or destruction. (Management: the act or art of managing; the manner of treating, directing, carrying on, or using, for a purpose; conduct; administration; guidance; control.)
Compliance—The act of complying; a yielding; as to a desire, demand, or proposal; concession; submission.
Source: Webster’s Online Dictionary

Types of Governance
Different types of governance exist:
Corporate governance
Project governance
Information technology governance
Environmental governance
Economic and financial governance
Each type has one or more sources of guidance, each with similar goals but often varying terms and techniques for their achievement.

Implementing Governance
Integrating the implementation of GRC activities within an enterprise requires a systemic approach for reliably achieving the business goals of its stakeholders. Such approaches are typically based on enablers of various types (e.g., principles, policies, models, frameworks, organisational structures).

A GRC Model Example
Source: OCEG Red Book, GRC Capability Model version 2.1

Corporate Governance of IT
ISO/IEC 38500:2008 Corporate governance of information technology
1.1 Scope
This standard provides guiding principles for directors of organizations (including owners, board members, directors, partners, senior executives, or similar) on the effective, efficient, and acceptable use of Information Technology (IT) within their organizations. This standard applies to the governance of management processes (and decisions) relating to the information and communication services used by an organization. These processes could be controlled by IT specialists within the organization or external service providers, or by business units within the organization.

Corporate Governance of IT (cont.)
ISO/IEC 38500:2008 Corporate governance of information technology
2.1 Principles
2.1.1 Principle 1: Responsibility
2.1.2 Principle 2: Strategy
2.1.3 Principle 3: Acquisition
2.1.4 Principle 4: Performance
2.1.5 Principle 5: Conformance
2.1.6 Principle 6: Human Behaviour

Corporate Governance of IT (cont.)
ISO/IEC 38500:2008 Corporate governance of information technology
2.2 Model
Directors should govern IT through three main tasks:
a) Evaluate the current and future use of IT.
b) Direct preparation and implementation of plans and policies to ensure that use of IT meets business objectives.
c) Monitor conformance to policies, and performance against the plans.

ISACA and COBIT
ISACA actively promotes research that results in the development of products both relevant and useful to IT governance, risk, control, assurance and security professionals. ISACA developed and maintains the internationally recognised COBIT framework, helping IT professionals and enterprise leaders fulfil their IT governance responsibilities while delivering value to the business.

COBIT 5

Governance of Enterprise IT
COBIT: Governance of Enterprise IT (GEIT). [Figure: evolution of scope] COBIT1 (1996) Audit; COBIT2 (1998) Control; COBIT3 (2000) Management; COBIT4.0/4.1 (2005/7) IT Governance; COBIT 5 (2012) Governance of Enterprise IT; with Val IT 2.0 (2008) and Risk IT (2009) feeding into COBIT 5.
A business framework from ISACA, at www.isaca.org/cobit
Source: COBIT® 5 Introduction Presentation © 2012 ISACA® All rights reserved.

COBIT 5 in Overview
COBIT 5 brings together five principles that allow the enterprise to build an effective governance and management framework based on a holistic set of seven enablers, optimising information and technology investment and use for the benefit of stakeholders.

The COBIT 5 Framework
Simply stated, COBIT 5 helps enterprises to create optimal value from IT by maintaining a balance between realising benefits and optimising risk levels and resource use. COBIT 5 enables information and related technology to be governed and managed in a holistic manner for the whole enterprise, taking in the full end-to-end business and functional areas of responsibility, considering the IT-related interests of internal and external stakeholders. The COBIT 5 principles and enablers are generic and useful for enterprises of all sizes, whether commercial, not-for-profit or in the public sector.

COBIT 5 Principles
Source: COBIT® 5, figure 2. © 2012 ISACA® All rights reserved.

COBIT 5 Enterprise Enablers
Source: COBIT® 5, figure 12. © 2012 ISACA® All rights reserved.

GRC in COBIT 5

Governance (and Management) in COBIT 5
Governance ensures that enterprise objectives are achieved by evaluating stakeholder needs, conditions and options; setting direction through prioritisation and decision making; and monitoring performance, compliance and progress against agreed direction and objectives (EDM).
Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives (PBRM).
Exercising governance and management effectively in practice requires appropriately using all enablers. The COBIT process reference model allows us to focus easily on the relevant enterprise activities.

Governance in COBIT 5
The COBIT 5 process reference model subdivides the IT-related practices and activities of the enterprise into two main areas—governance and management—with management further divided into domains of processes.
The GOVERNANCE domain contains five governance processes; within each process, evaluate, direct and monitor (EDM) practices are defined:
EDM01 Ensure governance framework setting and maintenance.
EDM02 Ensure benefits delivery.
EDM03 Ensure risk optimisation.
EDM04 Ensure resource optimisation.
EDM05 Ensure stakeholder transparency.
The four MANAGEMENT domains are in line with the responsibility areas of plan, build, run and monitor (PBRM).

Governance in COBIT 5 (cont.)
Source: COBIT® 5, figure 16. © 2012 ISACA® All rights reserved.

Risk Management in COBIT 5
The GOVERNANCE domain contains five governance processes, one of which focuses on stakeholder risk-related objectives: EDM03 Ensure risk optimisation.
Process Description: Ensure that the enterprise’s risk appetite and tolerance are understood, articulated and communicated, and that risk to enterprise value related to the use of IT is identified and managed.
Process Purpose Statement: Ensure that IT-related enterprise risk does not exceed risk appetite and risk tolerance, the impact of IT risk to enterprise value is identified and managed, and the potential for compliance failures is minimised.

Risk Management in COBIT 5 (cont.)
The MANAGEMENT Align, Plan and Organise domain contains a risk-related process: APO12 Manage risk.
Process Description: Continually identify, assess and reduce IT-related risk within levels of tolerance set by enterprise executive management.
Process Purpose Statement: Integrate the management of IT-related enterprise risk with overall ERM, and balance the costs and benefits of managing IT-related enterprise risk.

Risk Management in COBIT 5 (cont.)
Source: COBIT® 5, figure 16. © 2012 ISACA® All rights reserved.

Risk Management in COBIT 5 (cont.)
All enterprise activities have associated risk exposures resulting from environmental threats that exploit enabler vulnerabilities.
EDM03 Ensure risk optimisation ensures that the enterprise stakeholders’ approach to risk is articulated, to direct how risks facing the enterprise will be treated.
APO12 Manage risk provides the enterprise risk management (ERM) arrangements that ensure that the stakeholder direction is followed by the enterprise.
All other processes include practices and activities that are designed to treat related risk (avoid, reduce/mitigate/control, share/transfer, accept).

Risk Management in COBIT 5 (cont.)
In addition to activities, COBIT 5 suggests accountabilities and responsibilities for enterprise roles and governance/management structures (RACI charts) for each process. These include risk-related roles.
Source: COBIT® 5: Enabling Processes, page 108. © 2012 ISACA® All rights reserved.

Compliance in COBIT 5
The MANAGEMENT Monitor, Evaluate and Assess domain contains a compliance-focused process: MEA03 Monitor, evaluate and assess compliance with external requirements.
Process Description: Evaluate that IT processes and IT-supported business processes are compliant with laws, regulations and contractual requirements. Obtain assurance that the requirements have been identified and complied with, and integrate IT compliance with overall enterprise compliance.
Process Purpose Statement: Ensure that the enterprise is compliant with all applicable external requirements.

Compliance in COBIT 5 (cont.)
Source: COBIT® 5, figure 16. © 2012 ISACA® All rights reserved.

Compliance in COBIT 5 (cont.)
Legal and regulatory compliance is a key part of the effective governance of an enterprise, hence its inclusion in the GRC term and in the COBIT 5 Enterprise Goals and supporting enabler process structure (MEA03).
In addition to MEA03, all enterprise activities include control activities that are designed to ensure compliance not only with externally imposed legislative or regulatory requirements but also with enterprise governance-determined principles, policies and procedures.

Compliance in COBIT 5 (cont.)
In addition to activities, COBIT 5 suggests accountabilities and responsibilities for enterprise roles and governance/management structures (RACI charts) for each process. These include a compliance-related role.
Source: COBIT® 5: Enabling Processes, page 213. © 2012 ISACA® All rights reserved.

Summary
The COBIT 5 framework includes the necessary guidance to support enterprise GRC objectives and supporting activities:
Governance activities related to GEIT (5 processes)
Risk management process—and supporting guidance for risk management across the GEIT space
Compliance—a specific focus on compliance activities within the framework and how they fit within the complete enterprise picture
Inclusion of GRC arrangements within the business framework for GEIT helps enterprises to avoid the main issue with GRC arrangements—silos of activity!