COBIT and slides © 2007 IT Governance Institute. Used with permission.

An Overview of COBIT®

COBIT and slides © 2008 IT Governance Institute. Used with permission.

In This Presentation...
- Driving forces for IT governance and Control Objectives for Information and related Technology (COBIT®)
- An introduction to:
  - The COBIT framework
  - COBIT supporting materials
  - Where COBIT fits with other frameworks and standards
The Governance Environment

Forces Driving IT Governance
- Compliance
- Security
- Business/IT Alignment
- ROI
- Project Execution

IT Governance Needs a Management Framework
Driving forces map onto the IT governance focus areas:
- Strategic Alignment
- Value Delivery
- Risk Management
- Resource Management
- Performance Measurement
(Diagram: the same five areas appear as both the IT governance domains and the IT governance focus areas.)
COBIT 4.1—The IT Governance Framework
- Internationally accepted good practices
- Management-oriented
- Supported by tools and training
- Freely available
- Sharing knowledge and leveraging expert volunteers
- Continually evolving
- Maintained by a reputable not-for-profit organization
- Maps 100 percent to COSO
- Maps strongly to all major related standards
The only IT management and control framework that covers the end-to-end IT life cycle.
(Diagram: COBIT good practices repository for IT processes, IT management processes and IT governance processes.)

COBIT 4.1—The IT Governance Framework
- Is a reference, a set of best practices, not an 'off-the-shelf' cure
- Enterprises still need to analyze their control requirements and customize based on:
  - Value drivers
  - Risk profile
  - IT infrastructure, organization and project portfolio
(Diagram: COBIT good practices repository for IT processes, IT management processes and IT governance processes.)
Key Driving Forces for COBIT
- Business Requirements: what the stakeholders expect from IT
- IT Resources: the resources made available to—and built up by—IT
- IT Processes: how IT is organized to respond to the requirements
(Diagram: business requirements listed as Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance and Information reliability; IT resources as Data, Application systems, Technology, Facilities and People; IT process domains as Plan and Organize, Acquire and Implement, Deliver and Support, Monitor and Evaluate.)

How Does COBIT Link to IT Governance?
(Diagram: Business and IT are linked through Requirements and Control Objectives, and IT Governance through Goals and Responsibilities.)
- Information the business needs to achieve its objectives
- Information executives and board need to exercise their responsibilities
- Direction and Resourcing
COBIT Is Brought to You by …

IT Governance Institute
IT Governance Institute is a non-profit research think tank associated with ISACA®.

IT Governance Institute Product Suite
- Board Briefing on IT Governance
- Information Security Governance
- COBIT 4.1
- Val IT
- IT Governance Implementation Guide
- COBIT Control Practices
- IT Assurance Guide
(Diagram groups the products under Governance; Governance, Security and Assurance Management; and Business and Technology Management.)

COBIT—Global Status
Some findings of the ITGI survey of 600 executives:
- COBIT is the preferred way to implement effective IT governance.
- Executive awareness is up (chart: executive awareness of COBIT, 18% and 26%).
- More than half of those who know it, know its contents.
- More than one-third of those who know the content, know it very well.
- Perception that it is difficult to implement
An Overview of COBIT

Process Orientation
- Domains: natural grouping of processes, often matching an organizational domain of responsibility
- Processes: a series of joined activities with natural control breaks
- Activities or Tasks: actions needed to achieve a measurable result—activities have a life cycle, whereas tasks are discrete

Process Orientation
- IT Domains (natural grouping of processes, often matching an organizational domain of responsibility): Plan and Organize, Acquire and Implement, Deliver and Support, Monitor and Evaluate
- IT Processes (a series of joined activities with natural control breaks): IT strategy, Computer operations, Incident handling, Acceptance testing, Change management, Contingency planning, Problem management
- Activities (actions needed to achieve a measurable result—activities have a life cycle whereas tasks are discrete): Record new problem. Analyze. Propose solution. Monitor solution. Record known problem. Etc.

Process Orientation—Domains
Plan and Organize
Description: This domain covers strategy and tactics, and concerns the identification of the way IT can best contribute to the achievement of the business objectives. Furthermore, the realization of the strategic vision needs to be planned, communicated and managed for different perspectives. Finally, a proper organization as well as technological infrastructure must be put in place.
Topics:
- Strategy and tactics
- Vision planned
- Organization and infrastructure
Questions:
- Are IT and the business strategy aligned?
- Is the enterprise achieving optimum use of its resources?
- Does everyone in the organization understand the IT objectives?
- Are IT risks understood and being managed?
- Is the quality of IT systems appropriate for business needs?
Waterfall Model
The control of IT Processes that satisfy Business Requirements is enabled by Control Statements, considering Control Practices.
4 Domains - 34 Processes - Control Objectives

COBIT Framework—IT Life Cycle
(Diagram: Business Objectives; Criteria: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability; IT Resources: Applications, Information, Infrastructure, People; domains Plan and Organize, Acquire and Implement, Deliver and Support, Monitor and Evaluate.)
COBIT Processes
Plan and Organize
- PO1 Define an IT Strategic Plan
- PO2 Define the Information Architecture
- PO3 Determine Technological Direction
- PO4 Define the IT Processes, Organization and Relationships
- PO5 Manage the IT Investment
- PO6 Communicate Management Aims and Direction
- PO7 Manage IT Human Resources
- PO8 Manage Quality
- PO9 Assess and Manage IT Risks
- PO10 Manage Projects
Acquire and Implement

COBIT Processes
Deliver and Support
Monitor and Evaluate
- ME1 Monitor and Evaluate IT Performance
- ME2 Monitor and Evaluate Internal Control
- ME3 Ensure Compliance With External Requirements
- ME4 Provide IT Governance
Digging Into COBIT

Digging Into COBIT
Working with the COBIT product suite:
- Introduce the key elements of COBIT.
- Show how they interrelate.
- Introduce supporting materials.

COBIT Framework
The COBIT framework provides guidance on IT governance and the role of IT control.
- Generic controls: controls that relate to all processes
- Application controls

Navigating in COBIT
Process-level

Which Domain?
Process Description
All changes, including emergency maintenance and patches, relating to infrastructure and applications within the production environment are formally managed in a controlled manner. Changes (including those to procedures, processes, system and service parameters) are logged, assessed and authorized prior to implementation, and reviewed against planned outcomes following implementation. This assures mitigation of the risks of negatively impacting the stability or integrity of the production environment.

The Waterfall of Control

Information Criteria

IT Resources

IT Governance

Control Objectives
AI6.5 Change Closure and Documentation: Whenever changes are implemented, update the associated system and user documentation and procedures accordingly.
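The process description above (changes logged, assessed and authorized before implementation, then reviewed against planned outcomes) and the AI6.5 closure objective describe an ordering that can be enforced in code. The following is an added example written for this page, not ITGI or COBIT material: a preventive change-control state machine that refuses out-of-order steps, plus a detective reconciliation that flags deployments with no authorized change record. The change ids, host names and the deployment log are constructed sample data.

```python
"""Added example, not ITGI/COBIT material: a minimal change-control state
machine (preventive) and a deployment reconciliation check (detective).
All identifiers, change ids and the sample deployment log are constructed."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class State(Enum):
    LOGGED = "logged"
    ASSESSED = "assessed"
    AUTHORIZED = "authorized"
    IMPLEMENTED = "implemented"
    CLOSED = "closed"


class ChangeControlError(Exception):
    """A step was attempted out of order or without the required evidence."""


# Assumed ordering that mirrors the process description:
# log -> assess -> authorize -> implement -> review and close.
_PREVIOUS = {
    State.ASSESSED: State.LOGGED,
    State.AUTHORIZED: State.ASSESSED,
    State.IMPLEMENTED: State.AUTHORIZED,
    State.CLOSED: State.IMPLEMENTED,
}


@dataclass
class ChangeRecord:
    change_id: str
    description: str
    emergency: bool = False          # emergency changes follow the same path
    state: State = State.LOGGED
    risk_rating: Optional[str] = None
    planned_outcome: Optional[str] = None
    approver: Optional[str] = None
    review_passed: Optional[bool] = None
    history: list = field(default_factory=list)   # audit trail of transitions

    def _advance(self, new_state: State) -> None:
        if _PREVIOUS[new_state] is not self.state:
            raise ChangeControlError(
                f"{self.change_id}: cannot enter {new_state.value} from {self.state.value}")
        self.history.append((self.state.value, new_state.value))
        self.state = new_state

    def assess(self, risk_rating: str, planned_outcome: str) -> State:
        self.risk_rating, self.planned_outcome = risk_rating, planned_outcome
        self._advance(State.ASSESSED)
        return self.state

    def authorize(self, approver: str) -> State:
        if not approver:
            raise ChangeControlError(f"{self.change_id}: authorization needs a named approver")
        self.approver = approver
        self._advance(State.AUTHORIZED)
        return self.state

    def implement(self) -> State:
        self._advance(State.IMPLEMENTED)
        return self.state

    def close(self, observed_outcome: str, docs_updated: bool) -> bool:
        # AI6.5: closure requires updated system/user documentation, and the
        # post-implementation review compares the observed outcome with the plan.
        if not docs_updated:
            raise ChangeControlError(f"{self.change_id}: documentation not updated")
        self.review_passed = observed_outcome == self.planned_outcome
        self._advance(State.CLOSED)
        return self.review_passed


def unauthorized_deployments(records: dict, deployment_log: list) -> list:
    """Detective check: deployments whose change id never reached 'authorized'."""
    findings = []
    for entry in deployment_log:
        rec = records.get(entry["change_id"])
        authorized = rec is not None and any(
            new == State.AUTHORIZED.value for _, new in rec.history)
        if not authorized:
            findings.append(entry)
    return findings


def demo() -> dict:
    # Constructed sample: one change run through the full cycle, and one
    # emergency patch that skips authorization and is caught both ways.
    chg = ChangeRecord("CHG-0001", "rotate TLS certificate on web tier")
    chg.assess("low", "new certificate served, no downtime")
    chg.authorize("change.manager")
    chg.implement()
    review_ok = chg.close("new certificate served, no downtime", docs_updated=True)

    hotfix = ChangeRecord("CHG-0002", "emergency kernel patch", emergency=True)
    hotfix.assess("high", "patched kernel booted")
    try:
        hotfix.implement()          # skipping authorization is rejected
        preventive_blocked = False
    except ChangeControlError:
        preventive_blocked = True

    # Constructed deployment log, as might be exported from a deployment tool.
    deployment_log = [
        {"host": "web-01", "change_id": "CHG-0001"},
        {"host": "db-01", "change_id": "CHG-0002"},
        {"host": "db-02", "change_id": "CHG-9999"},   # no change record at all
    ]
    records = {c.change_id: c for c in (chg, hotfix)}
    flagged = unauthorized_deployments(records, deployment_log)
    return {"review_ok": review_ok,
            "preventive_blocked": preventive_blocked,
            "flagged_hosts": [f["host"] for f in flagged]}


if __name__ == "__main__":
    print(demo())
```

The state machine is the preventive control; the reconciliation over the deployment log is the compensating detective control for changes that bypass the tool entirely, which is why `CHG-9999` (no record) and `CHG-0002` (never authorized) are both reported.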
Management Guidelines

Input-output Matrix (Managing the Life Cycle)
- Inputs coming from other processes
- Outputs going to other processes

Managing the Life Cycle
While COBIT represents the life cycle of IT investments, it must also manage inter-process interdependencies.

RACI Charts
RACI chart: typical process activities set against a standard organization chart—who is Responsible, Accountable, Consulted and Informed?
Goals and Metrics

Maturity Model

Maturity Levels in COBIT
- 0 Non-existent: Management processes are not applied at all.
- 1 Initial: Processes are ad hoc and disorganised.
- 2 Repeatable: Processes follow a regular pattern.
- 3 Defined: Processes are documented and communicated.
- 4 Managed: Processes are monitored and measured.
- 5 Optimised: Best practices are followed and automated.

Dimensions of Process Maturity in COBIT
We capture process maturity data on each of six dimensions:
- Awareness and communication
- Policies, standards and procedures
- Tools and automation
- Skills and expertise
- Responsibility and accountability
- Goal setting and measurement

Collecting Maturity Model Data
(Diagram: data collected for Awareness and Communication; Policies, Standards and Procedures; Tools and Automation; Skills and Expertise; Responsibility and Accountability; Goal Setting and Measurement.)
How to Get Started With COBIT

How Do Governance and the Business Drive IT?
(Diagram: Governance Drivers and Business Outcomes feed Business Goals, which drive IT Goals, which drive IT Processes, which use Applications, Information, Infrastructure and People.)

How Do Governance and the Business Drive IT?
(Diagram: Business Goals, IT Goals and IT Processes; Business Requirements, Information Services and Information Criteria linked by "require" and "imply"; Governance Requirements "influence" them; IT Processes linked to Applications, Information, Infrastructure and People by "need", "deliver" and "run".)

Performance Measurement
Goal Relationships
Leverage Supporting Materials

Implementation Guide
IT Governance Implementation Guide: Using COBIT and Val IT, 2nd Edition
- Detailed, structured guidance to the implementation of IT governance
- Generic IT governance implementation guidance, not just COBIT

Control Practices
COBIT Control Practices, 2nd Edition
- Detailed guidance on each of the control objectives
- Management-oriented
- From three to 12 control practices per control objective

COBIT Online
An online view of COBIT allows users to customise and integrate COBIT, coupled with process benchmarking.

Assurance Guide
IT Assurance Guide: Using COBIT
Detailed guidance to support assurance practitioners in:
- Financial statement audit
- Internal audit
- Value for money
- Operational improvement
Guidance on:
- How to leverage COBIT for assurance
- Detailed assurance testing steps
COBIT and Other Frameworks and Standards

Where COBIT Typically Sits
(Diagram: layers labelled Governance Layer, IT Governance Layer and IT Management Layer; frameworks shown are COSO, COBIT, ITIL, CMM and TickIT.)

How COBIT Relates to Frameworks and Standards
- Integrator of technical standards
- Interface to business standards

How COBIT Relates to Frameworks and Standards
(Diagram: levels labelled Strategic, Process Control, Process Execution and Work Instruction, with COBIT, ITIL and CMM placed across them and work instructions shown beneath each process.)

Summary
- Quality IT Services
- Successful IT Projects
- Improved efficiency
- Optimized costs
- Easier compliance
- Reduced operational risk
- Improved management, confidence and trust