Presentation is loading. Please wait.

Presentation is loading. Please wait.

Getting to Grips with CobiT – Enterprise Architecture, a conseptual approach to IT Covernance or how to understand the difference between IT Governance.

Published byHugh Horatio Thompson Modified over 8 years ago

Similar presentations

Presentation on theme: "Getting to Grips with CobiT – Enterprise Architecture, a conseptual approach to IT Covernance or how to understand the difference between IT Governance."— Presentation transcript:

1 Getting to Grips with CobiT – Enterprise Architecture, a conseptual approach to IT Covernance or how to understand the difference between IT Governance and IT Management

2 Who am I ? Jan Bjørnsen: Working with this for nearly 20 years. In-depth skills and knowledge in IT Governance, Information Security, counceling and negotiation/contracting. Author of «Slik får du IT-styring og kontroll», Universitetsforlaget

3 1: IT Governance and IT Management The Straw Model You need a “Modus Operandi” that will focus on IT Governance and IT Management and I will give a brief presentation of the Straw Model to put everything into perspective. – We will look at Administrative, non-technical issues vs. Operational, technical activities – And the balance between Governing Documents vs. Dynamic documents like guidelines, procedures etc Some different sketches....

4 Frameworks and standards – an overview ISO 38500 COSOCOBIT ITIL v2.5 ITIL v3 ISO 20001 ISO 2700x ISO 900x Common Criteria

5

6 What do we want… Administrative, Non-technical Operative, Technical Statisc Dynamic

7 Policy Principles Procedures Guide Lines Strategy Straw Model of Architecture Vision IT/IS ITIL/ISO.... Risk Management Valued Deliveries Governance Architecture Implementation Functions Responsibility Procedures Policy Internal ”self-”control Cobit Processes Roles Plans Cobit processes GuidelinesPlanMonitor Report Detailed ”workbook” Continuity/ Assessments/etc

8

9 IT Governance Tjenester IT Governance Strategic Alignment Value Delivery Resource Management Risk Management Performance Management

10 Governance vs. Management Tjenester Advisory and Execution Service Management Resource Risk Handling Monitoring Process management Process Implementation Operative IT security Manage Infrastructure Manage Networks Incident/Problem handling ITIL BIA, Criticality Assessments Risk Analysis Contingency Plans Security Standards ISO 2700x Personnel Management Infrastruktur Applications Systems Actionbased monitoring Incident/Problem handling Implement Self Control IT-strategy Organisation potentiale Architecture building IT Governance Strategic Alignment Value Delivery Resource Management Risk Management Performance Management

11 IT Governance vs. IT Management Inhouse expertise Accountability „Provide“ responsibility „Supervise“ responsibility Outsourced expertise Responsibility „Execute/maintenance“ responsibility

12 ”The Triangle of Responsibility” ”Provide”-responsibility «Accountable» in RACI ”Execute”-responsibility «Responsible» in RACI -Self Assurance -Internal Control ”Supervise”-responsibility «Consulted/Informed» in RACI -Evaluates Control Design Management/ Outsourced Responsibility Governance/ Inhouse Responsibility

13

14

15 Cobit – a de facto standard ( for IT governance, security, assurance, audit etc.) Cobit as a tool has matured from the introduction in 1996 and are today well adept for understanding, control and measure IT. It covers many facets today: – It is a tool for the CIO for governance and control – It is a tool for the IT Auditor for assurance – It is a tool to build a good Control Design – It is a tool for measure compliance and maturity – It is a tool for Security officers.

16 Cobit – Different views

17 Cobit and ITIL

18 Practical use of CobiT Security Architecture and The Straw Model Information security and other security functions can use the Straw Model to put everything into perspective. How to create governing documents How to present a strategy for implementation Creating Dynamic documents like security guidelines, implement security in procedures etc. Different samples.....

19 Straw Model of Architecture by Cobit

20 Straw Model of Architecture by organisation

21 Sample of documents Principles of Information Security Security Guidelines Control activity defined in processes As an example of the 5 IT Governance areas, I have chosen Risk Management for presentation purposes.

22 Do Risk Assessment and a Maturity Mapping Based on requirements in your SLA you need to know the Criticality of each system to ensure your Continuity plan cover the right systems (Example SmartRisk Access database) You also need to know how mature your organisation are related to Cobit (Example process DS 4 Ensure Continuous Services- RACI chart Excel)

23 Risk - CISM manual has a good description of operational risk Facilities and operational environment risk HSE risk Information Security risk Control Framework Risk Legal and regulatory Compliance risk Corporate Govenance risk Technology risk Project management risk Crime and fraud risk Personnel risk Supplier risk Information management risk Reputation risk Strategic risk Process and attitude risk Ethical risk Geopolitical risk Cultural risk Clima and weather risk

24 Contingency - on its own or as a part of the security architecture What are your goal(s)? Contingency/Continuity How to incorporate IT Continuity and IT Disaster Recovery plans into the architecture “Straw Model” with sample of layout and detailed description of time slot activites, Incident Respone Teams, Disaster Recovery Teams and Instructions and decision Gates to move through all phases of a critical situation. You need to understand the different levels of Continuity. – Backup/Restore – Continuity plans – IT Disaster Recovery Plans – Business Continuity Plans You also need to know how mature your organisation are related to Cobit process DS 4 Ensure Continuous Services

25 Our Framework Methodology Contingency plan BCPDRP BCP – Business Continuity Plan -(Using ISACA’s prinsiples) DRP – Disaster Recovery Plan -(Using CobiT’s Continuity process)

26 The first critical phases can be solved by using Incident Response Team. example, ( Must be based on your SLA and Criticality Assessments) Critical Timeslot for FIRST DECISION POINT are 40 minutes Timeslot for SECOND DECISION POINT are 60 minutes (1 hour) Timeslot for THIRD DECISION POINT are 120 minutes (2 hours) T1T2T3

27 Contingency If your Continuity plan do not solve the problem you must escalate. The IT Disaster Recovery Plan and BCP have 8 phases 1 The Notification phase – First (1) point of decision (further notification of IRT or “all clear/no danger” or move to second decision point directly) 2 The Overview phase – Second (2) point of decision (establish Disaster management Team or decide “all clear/no danger”) 3 The Response phase 4 The Activity phase 5 The Establishing phase – Third (3) point of decision (establish operation/production or further escalation) 6 The Operation phase – Fourth (4) point of decision (transition to standard operation or keep the alternately operation) 7 Return to Normal Operation phase 8 The Termination phase – Fifth (5) point of decision (wind up the Disaster Management Team and re-establish normal operation)

28 Sample of documents Contingency Principles Incident Response Team Authorisation Letter Continuity plan IT Disaster Recovery Plan Business Continuity Plan

29 Questions Contact Information Jan Bjørnsen Scandinavian Business Security Ltd. Mob: +47 90 18 18 64 E-mail: jtb@sbsec.comjtb@ Web: www.sbsec.com

Download ppt "Getting to Grips with CobiT – Enterprise Architecture, a conseptual approach to IT Covernance or how to understand the difference between IT Governance."

Similar presentations

IT Web Application Audit Principles Presented by: James Ritchie, CISA, CISSP….

IT Web Application Audit Principles Presented by: James Ritchie, CISA, CISSP….
© 2008 Cisco Systems, Inc. All rights reserved.Cisco Confidential 14854_10_2008_c1 1 Holistic Approach to Information Security Greg Carter, Cisco Security.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco Confidential 14854_10_2008_c1 1 Holistic Approach to Information Security Greg Carter, Cisco Security.
Chapter 10 Accounting Information Systems and Internal Controls

Chapter 10 Accounting Information Systems and Internal Controls
Security and Personnel

Security and Personnel
Agenda COBIT 5 Product Family Information Security COBIT 5 content

Agenda COBIT 5 Product Family Information Security COBIT 5 content
Grow Your Business through Contact Centre Outsourcing Fanny Vaz Director, Personal Market Unit, CTM.

Grow Your Business through Contact Centre Outsourcing Fanny Vaz Director, Personal Market Unit, CTM.
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
TI BISNIS ITG using COBIT &

TI BISNIS ITG using COBIT &
Www.isaca-malta.org Roger Southgate Past President of ISACA London Chapter Member of the BSI Committees for Service Management and IT Governance Leader.

Roger Southgate Past President of ISACA London Chapter Member of the BSI Committees for Service Management and IT Governance Leader.
By Collin Smith http://techinitiatives.blogspot.com COBIT Introduction By Collin Smith http://techinitiatives.blogspot.com.

By Collin Smith COBIT Introduction By Collin Smith
ISS IT Assessment Framework

ISS IT Assessment Framework
Internal Control Concepts Knowledge. Best Practices for IT Governance IT Governance Structure of Relationship Audit Role in IT Governance.

Internal Control Concepts Knowledge. Best Practices for IT Governance IT Governance Structure of Relationship Audit Role in IT Governance.
Information Systems Security Officer

Information Systems Security Officer
TEL382 Greene Chapter 11. 10/27/09 2 Outline What is a Disaster? Disaster Strikes Without Warning Understanding Roles and Responsibilities Preparing For.

TEL382 Greene Chapter /27/09 2 Outline What is a Disaster? Disaster Strikes Without Warning Understanding Roles and Responsibilities Preparing For.
Overview and Introduction

Overview and Introduction
Information Security Governance and Risk Chapter 2 Part 1 Pages 21 to 69.

Information Security Governance and Risk Chapter 2 Part 1 Pages 21 to 69.
First Practice - Information Security Management System Implementation and ISO 27001 Certification.

First Practice - Information Security Management System Implementation and ISO Certification.
The Information Systems Audit Process

The Information Systems Audit Process
COBIT Framework Introduction. Problems with IT? – Increasing pressure to leverage technology in business strategies – Growing complexity of IT environments.

COBIT Framework Introduction. Problems with IT? – Increasing pressure to leverage technology in business strategies – Growing complexity of IT environments.
Measuring the effectiveness of government IT systems Current ANAO initiatives to enhance IT Audit integration and support in delivering Audit outcomes.

Measuring the effectiveness of government IT systems Current ANAO initiatives to enhance IT Audit integration and support in delivering Audit outcomes.

Similar presentations

Ads by Google