2/20/2016 Leveraging IT Governance and COBIT Chip Council, PhD, CGEIT, CISM, CISA Matt Schmidt, MS, CISSP, CISA Adjunct Professors, University of Minnesota

2/20/2016 Agenda  Introduction – 2:40 – 3:00  IT Governance – 3:00 – 3:45  The Problem  What Is IT Governance  How to evaluate it  How to Deploy it  Frameworks – 3:45 – 4:20  COBIT/ValIT (Chip)  ISO 2700x/ITIL (Matt)  Future Directions – 4:20 – 4:30  ISO/IEC DIS (Chip)

2/20/2016 The Problem – Current IT Issues  IT Strategy Not Aligned With the Business  Staffing Issues  High IT Cost – Low ROI  Service Delivery Problems

2/20/2016 What Is IT Governance Specifying the decision rights and accountability framework to encourage desirable behavior in the use of IT. Peter Weill and Jeanne W. Ross IT Governance: How Top Performers Manage IT Decision Rights for Superior Results (2004)

2/20/2016 Another Definition IT governance is the responsibility of the board of directors and consists of the leadership, organizational structures and processes that ensure that the enterprise’s IT sustains and extends the organization’s strategies and objectives. - IT Governance Institute

2/20/2016 IT Governance Focus Risk Management Value Delivery Strategic Alignment Resource Management Performance Measurement - IT Governance Institute

2/20/2016 How to evaluate it? Weill and Ross  Survey to quickly assess the effectiveness of an enterprise’s IT governance.  Recommended to have at least 10 senior managers take the survey. Four Objectives To Assess  Cost-effective use of IT  Effective use of IT for asset utilization  Effective use of IT for growth  Effective use of IT for business flexibility

2/20/2016 How to evaluate it? Question 1 – Outcomes How important are the following outcomes of your IT governance, on a scale from 1 (Not Important) to 5 (Very Important)

2/20/2016 How to evaluate it? Question 2 - Success What is the influence of the IT governance in your business on the following measures of success, on a scale from 1 (Not Successful) to 5 (Very Successful)

2/20/2016 How to evaluate it? Calculating Governance Performance Not all firms rank the outcomes with the same importance, so the answers to the first question are used to weight the answers to the second question.

2/20/2016 How to deploy it?  Ad Hoc Approach  Use a Standard or Framework  A Combination of the Two IMPORTANT: Any standard approach must be customized to meet the needs of the organization (Don’t be that guy or gal!)

2/20/2016 Benefits of the Standard Approach 1. The Wheel Exists 2. Structured 3. Best Practices 4. Knowledge Sharing 5. Auditable  -George Spafford

2/20/2016 COBIT

2/20/2016 COBIT Information Criteria  Efficiency  Effectiveness  Availability  Integrity  Confidentiality  Compliance  Reliability

2/20/2016 COBIT Framework

2/20/2016 Tools  COBIT 4.1 Control Objectives  COBIT 4.1 Assurance Guide  COBIT Implementation Guide  Worksheets  Sample Reports  Management Concerns Diagnostics  Risk Assessments

2/20/2016 ISO 2700x/ITIL  ISO/IEC 17799/27002 – Code of Practice for Information Security Management  Twelve main sections with specialized recommendations for risk assessment, security policy, governance, compliance, etc.  Based heavily on C-I-A Triad Principles  ITIL (IT Infrastructure Library)  IT Operations and Service Delivery Best Practices  Security recommendations based heavily on ISO/IEC 17799/27002

2/20/2016 Leveraging Multiple Frameworks  Typical driver for implementing multiple frameworks is regulatory compliance, however, that does not have to be the driver.  One size does not fit all.  Consider available mapping guidance to address overlap.  Underlying Themes  Understand your environment  Understand risks to your environment  Manage the risks to an acceptable level (acceptable level

2/20/2016 ISO/IEC Corporate Governance of Information Technology Standard  The ISO/IEC Corporate Governance of Information Technology Standard  An updated version of the Australian Standard AS8015, published in  This standard expresses six principles for good governance of IT use:  Responsibility  Strategy  Acquisition  Performance,  Conformance  Human Behavior  It is intended to guide the behavior of the organization,  Provides a lens or framework through which the behavior can be evaluated.  Describes the tasks that must be implemented in the governance system – at a much higher level than one finds in frameworks like ITIL and COBIT  Makes no reference to frameworks such as ITIL and COBIT but compliments many of them  It specifically acknowledges that organizations should select appropriate frameworks. -Mark Toomey Managing Director Infonomics Pty Ltd Melbourne, Australia MelbourneAustralia

2/20/2016 Acknowledgements -Bob Frelinger, CISA, CSSGB - Common Issues in Implementing IT Governance and How to Resolve Them (Presentation) -Peter Weill and Jeanne W. Ross IT Governance: How Top Performers Manage IT Decision Rights for Superior Results (2004) (Book) -IT Governance Institute, COBIT 4.1 Framework (2007) -George Spafford: The Benefits of Standard IT Governance Frameworks: Datamation (2003) -Mark Toomey Managing Director Infonomics Pty Ltd

2/20/2016 Discussion