IT Management Frameworks
A Valued Approach to Strengthening IT Management
John Beveridge, Office of the State Auditor
Massachusetts Digital Government Summit, Boston, Massachusetts, October 19, 2009
©2009 ISACA/ITGI. All rights reserved.
John Beveridge, CISA, CISM, CGFM, CFE, CGEIT, CQA
Deputy Auditor, Office of the State Auditor, Room 1819, One Ashburton Place, Boston, MA
e-mail: john.beveridge@sao.state.ma.us
Co-Chair of the Commonwealth’s Enterprise Security Board; adjunct faculty member
In This Presentation...
- Driving forces for IT governance and Control Objectives for Information and related Technology (COBIT®)
- An introduction to the COBIT framework, COBIT supporting materials, and where COBIT fits with other frameworks and standards
The Governance Environment
Forces Driving IT Governance
- Business/IT alignment
- ROI
- Compliance
- Project execution
- Security
Need for IT Governance: Do these conditions sound familiar?
- Increasing pressure to leverage technology in business strategies
- Growing complexity of IT environments
- Fragmented IT infrastructure; fragmented security infrastructures
- Communication gaps between business and IT managers
- IT service levels from internal IT functions that appear disappointing
- Lack of assurance of adequate security by outsourced IT providers
- IT costs perceived to be out of control, yet IT security under-funded
- Marginal or unknown ROI/productivity gains on IT investments
- Impaired organizational flexibility and nimbleness to change
- User frustration leading to ad hoc solutions
IT Governance Needs a Management Framework
The driving forces map onto the five IT governance focus areas:
- Strategic Alignment
- Value Delivery
- Risk Management
- Resource Management
- Performance Measurement
IT Governance Objectives
- IT is aligned with the business, enabling the business to maximize benefit
- IT resources are safeguarded and used in a responsible and ethical manner
- IT-related risks are addressed through appropriate controls and managed to minimize risk and exposure
- IT performance is measured and evaluated for ROI
To Manage and Control IT, the Organization Needs to:
- Employ the fundamentals of IT governance
- Have a clear understanding of the strategic value of technology
- Have appropriate frameworks of control
- Build and exercise mechanisms to provide adequate assurance that IT governance objectives are addressed
How Does COBIT Link to IT Governance?
(Diagram: business goals and responsibilities set the requirements and control objectives for IT governance. The business needs information to achieve its objectives; executives and the board need information to exercise their responsibilities; in return the business gives IT governance its direction and resourcing.)
IT Governance Institute References
- Board Briefing on IT Governance
- IT Governance Implementation Guide
- Information Security Governance
- COBIT 4.1
- COBIT Control Practices
- IT Assurance Guide
- Val IT
(Grouped on the slide by audience: governance; governance, security and assurance management; business and technology management.)
An Overview of COBIT
COBIT
COBIT is a valuable IT governance tool that helps in the understanding and management of the risks and benefits associated with information integrity, security and availability, and the management of related technology.
How it Appears to the Instructor
What is COBIT?
An authoritative, up-to-date, international set of generally accepted IT control objectives and control practices for day-to-day use by business managers and auditors, structured and organized to provide a powerful control model.
Focus on Information and IT Management
- The “right” information, to only the “right” party, in the “right” format, at the “right” time, at the “right” cost
- Information that is relevant, reliable, secure and available
- Information provided by systems that have integrity by means of a well-managed and properly controlled IT environment
COBIT 4.1: The IT Governance Framework
- Internationally accepted good practices
- Management-oriented
- Supported by tools and training
- Freely available
- Sharing knowledge and leveraging expert volunteers
- Continually evolving
- Maintained by a reputable not-for-profit organisation
- Maps 100 percent to COSO; maps strongly to all major related standards
- The only IT management and control framework that covers the end-to-end IT life cycle
(Diagram: IT governance processes and IT management processes sit over the IT processes, drawing on the COBIT good-practices repository.)
COBIT 4.1: The IT Governance Framework
- COBIT is a reference, a set of best practices, not an “off-the-shelf” cure
- Enterprises still need to analyse their control requirements and customise based on their value drivers, their risk profile, and their IT infrastructure, organisation and project portfolio

As a framework, COBIT is not an off-the-shelf cure. It is a framework that allows organizations to use it as guidance to ensure a well-governed environment. One of the things one of my colleagues often talks about is that to use COBIT, you go download the guidance, you read it, you identify which parts are applicable to your organization and then you engage your brain. By engaging your brain, you’re going to match your organizational requirements to the COBIT processes and metrics and performance indicators and the other aspects, and from there you’re going to analyse how you’re going to implement. But as you evolve it and now drive it and customize it to your environment, you’re going to apply your value drivers, your own risk drivers and, most importantly, you’re going to align your COBIT implementation to your infrastructure, organization and culture. And culture is the operative word here. You need it to integrate with how you run your business.
COBIT Sources
- Professional standards for internal control and auditing (COSO, IFAC, AICPA, IIA, etc.)
- Technical standards (ISO, EDIFACT, etc.)
- Codes of conduct
- Qualification criteria for IT systems and processes (ISO 9000, ITSEC, TCSEC, etc.)
- Industry practices and requirements from industry forums (ESF, I4)
- Emerging industry-specific requirements from banking, e-commerce and IT manufacturing
COBIT Framework
COBIT Framework
- Documents relationships among information criteria, IT resources and IT processes
- Links control objectives and control practices to business processes and business objectives
- Assists in confirming that appropriate IT processes (and practices) are in place
- Facilitates evaluation and assurance methods
IT Resource Management
COBIT underscores and demonstrates that IT resources need to be managed in order to provide organizations with the type and quality of information required to achieve organizational objectives.
Framework’s Three Components
- Business requirements for information
- IT resources
- IT processes
Information Criteria (the 1st component)
- Effectiveness
- Efficiency
- Confidentiality
- Integrity
- Availability
- Compliance
- Reliability of information
IT Resources (the 2nd component)
- Application systems
- Information
- Infrastructure
- Facilities
- People
Process Orientation
- Domains: a natural grouping of processes, often matching an organisational domain of responsibility
- Processes: a series of joined activities with natural control breaks
- Activities or tasks: actions needed to achieve a measurable result; activities have a life cycle, whereas tasks are discrete

COBIT has a process orientation. It shows the links between processes, business requirements and IT resources. The processes are divided up into a group of domains. These domains are a natural grouping of processes that really describe a series of processes. The next step is to understand the domains and the detailed processes. Each of the processes is broken out into what we call detailed control activities or tasks. These tasks are really a series of actions to achieve measurable, result-oriented activities that will really show you how to manage your life cycle.
Key Driving Forces for COBIT
- Business requirements (what the stakeholders expect from IT): effectiveness, efficiency, confidentiality, integrity, availability, compliance, information reliability
- IT resources (the resources made available to, and built up by, IT): data, application systems, technology, facilities, people
- IT processes (how IT is organised to respond to the requirements): Plan and Organise, Acquire and Implement, Deliver and Support, Monitor and Evaluate

So let’s look at how resources, processes and business requirements all work together to drive COBIT. If you think about our IT resources, there are usually five basic groupings, including people, facilities, the technology you use, application systems and, of course, data. Data, in my opinion, is the key aspect. It’s how we manage information, which is why we call it information systems: management of information is a key aspect of how we deliver value. In fact, today one of the largest issues we have is information overload, and the most important aspect of information is how you leverage and manage it; this is critical for your organization. To manage your data or information, there are a series of processes. Those processes, if you think through it, follow a normal life cycle. You have a planning phase, which is going to be followed by an acquisition. Then you have to deliver and support, which is where you’re going to spend the majority of your time. And then you’re going to take the results, monitor and evaluate, and use the information for value, the critical aspect of governance. This mirrors a Plan-Do-Check-Act life cycle, and the life cycle will evolve over time. Now, who are your stakeholders and what are their expectations? Most don’t expect technology drawings or diagrams; rather, what they expect is IT to manage the business and business information for effectiveness, with efficiency, confidentiality and integrity, ensuring that we have high quality, availability and reliability. The stakeholders actually expect the systems we’re going to deliver to be delivered at the right time with the right level of quality, at the right price, so that they can be sure of the information and the outcomes and they can be sure we deliver it.
Process Orientation (example)
- IT domains: Plan and Organise, Acquire and Implement, Deliver and Support, Monitor and Evaluate
- IT processes (examples): IT strategy, computer operations, incident handling, acceptance testing, change management, contingency planning, problem management
- Activities (examples, for problem management): record new problem, analyse, propose solution, monitor solution, record known problem, etc.

So what are the four domains? Plan and Organise, as we mentioned before, Acquire and Implement, Deliver and Support, Monitor and Evaluate. So, as I’ve said before, the Deliver and Support domain, for example, will cover all the processes that you need to deliver a series of processes so that your environment can be monitored, managed and run effectively. Processes go into a little bit more detail: strategy, how to handle incidents and problems, how to do formal acceptance testing, contingency planning and problem management. And then as you go down into the activities, we actually break it out into detailed steps, actions that you need to do, with outcomes and measures that you can use to ensure that you’ve done the step correctly. And one of the aspects of COBIT which is not well understood is that it covers the whole life cycle, right from cradle to grave, from the idea or inception that you want to build an organization right through to retirement. And it is the only framework that really covers all these aspects.
COBIT Domains
(Diagram: Plan and Organise, then Acquire and Implement, then Deliver and Support, then Monitor and Evaluate, with feedback loops between the domains.)
31
COBIT Processes Plan and Organise Acquire and Implement PO1
©2009 ISACA/ITGI. All rights reserved. COBIT Processes PO1 Define an IT Strategic Plan PO2 Define the Information Architecture PO3 Determine Technological Direction PO4 Define the IT Processes, Organisation and Relationships PO5 Manage the IT Investment PO6 Communicate Management Aims and Direction PO7 Manage IT Human Resources PO8 Manage Quality PO9 Assess and Manage IT Risks PO10 Manage Projects Plan and Organise As you break out the COBIT processes a little bit more, you can see here in the Plan and Organise domain, tasks such as Defining an IT Strategic Plan, Defining an Information Architecture, Determining Technology Direction. COBIT also includes managing projects: a series of processes to ensure that each project is managed equally and in a fair manner. Then as we go through the Acquire and Implement domain, you’ve got things like Identifying Automated Solutions. You know, some time ago most of our automated solutions were coded internally. If you think about it today, most technology we run is acquired. Unlike many years ago, IT now configures the majority of solutions. Very little technology is actually developed ourselves, so it’s an important step, acquisition. Then, once you own the technology you have to configure, maintain and support the technology. You have to ensure it works, you have to manage changes to the technology and configuration, but one of the most important steps in COBIT is AI7 Install and Accredit Solutions and Changes. That talks about the fact that you have to invest in solutions you need, to install them correctly and to ensure that those solutions operate effectively at all levels from IT to the business. Acquire and Implement ©2009 ISACA/ITGI. All rights reserved.
32
COBIT Processes Deliver and Support Monitor and Evaluate ME1
©2009 ISACA/ITGI. All rights reserved. COBIT Processes Deliver and Support The third domain in COBIT is Deliver and Support. Deliver and Support covers the everyday processes that ensures you deliver systems and value to your customers and your constituents. It goes from processes such as Defining and Managing Service Levels, not IT service levels, although they’re important, but ensuring that you’re representing and visualizing them in business terms. Managing your Third-party Services: ensuring that our third-party partners, which we all have, are managed in an appropriate manner. Capacity: an area that’s become a hot topic of light as we ensure to properly leverage the capacity we have. Systems Security: all of us are involved in the security issues; that we deliver the right systems in the right way, with the right level of security so that the right people access the information. And then what about costs? All of us have third-party suppliers today. Third-party suppliers that are costing us real dollars. Green dollars that we’re spending. We need to ensure that we’re spending the right money on the right things to the right people. And as we move forward – Education. An area we often cut corners in is Education. We need to ensure that we educate our users and train them appropriately. Then we have a series of processes that we do every day such as Managing a Service Desk. Ensuring that your data is managed correctly in your environment, ensuring your physical environment has only the right people come in and then ultimately managing your operations correctly. Now the key aspect of all this information, is to ensure that we leverage it. We collect it once and leverage it multiple times. So in the Monitor and Evaluate domain that’s exactly what we do. We go and collect the information that you have coming out of each of the control practices in the process that we’ve talked about, collect it once and use it many times. 
Of course, Monitor and Evaluate Internal Controls is a key aspect, and in these days of good technology, we should be doing a lot of that automatically; raising the appropriate alert when metrics are missed. But compliance has cost us all extensive amounts of money, as we have multiple forms of compliance we have to deliver. So just imagine an organization maybe that has HIPAA, Sarbanes-Oxley and FDIC or even GOBA. These multiple compliance requirements have typically in the past been collected independently, with a different set of people and a different set of team impacting our people. One of the opportunities with COBIT is to collect those metrics once and reuse them over and over again. Whether or not it’s for internal controls, your compliance requirements are ultimately providing and ensuring IT governance. To manage your environment appropriately, you’re ensuring you’re delivering the value you committed to your constituents and that you’re in line with the business requirements. ME1 Monitor and Evaluate IT Performance ME2 Monitor and Evaluate Internal Control ME3 Ensure Compliance With External Requirements ME4 Provide IT Governance Monitor and Evaluate ©2009 ISACA/ITGI. All rights reserved.
Process Orientation: Plan and Organise
Description: This domain covers strategy and tactics, and concerns the identification of the way IT can best contribute to the achievement of the business objectives. Furthermore, the realisation of the strategic vision needs to be planned, communicated and managed from different perspectives. Finally, a proper organisation as well as a technological infrastructure must be put in place.
Topics: strategy and tactics; vision planned; organisation and infrastructure
Questions:
- Are IT and the business strategy aligned?
- Is the enterprise achieving optimum use of its resources?
- Does everyone in the organisation understand the IT objectives?
- Are IT risks understood and being managed?
- Is the quality of IT systems appropriate for business needs?

So let’s talk about Plan and Organise for just a moment. The Plan and Organise domain covers things like a strategic plan, driving that strategic plan into an operational plan, and driving that operational plan into a plan that you can execute at the various levels of your organization. It’s going to cover all the domains that you need, the vision that you need to drive it, the structure of your organization, the strategies, what type of infrastructure model you want, and so on and so forth. All these elements help you drive out an organization that can add value. It comes with a number of questions. Are the IT organization, the business organization and the strategy aligned? What is the optimal enterprise strategy that you need? How do you use your resources? Are you making good use? You know, a question that I hear often is, “Do I understand the IT objectives? Am I ensuring that I’m managing them effectively?”
Digging Into COBIT

So let’s dig into COBIT a little bit deeper.
COBIT Framework
The COBIT framework provides guidance on IT governance and the role of IT control. Generic controls are controls that relate to IT processes and control objectives.

If we start at the highest level, COBIT provides a framework that gives you guidance on IT governance and the control of IT. We have some generic controls that relate to all processes and include application controls. The process controls are generic and equally applicable to every process, and are at the framework level.
Process-level Navigating in COBIT

Now, at the first level, as you open COBIT and take a look at the work, you’ll see that the waterfall model we’ve talked about before is clearly defined at the high-level control objective.
The Waterfall Navigation Aid: High-Level Control Objectives for Each Process
(Diagram of the high-level control objective template: control over the IT process of [IT process] that satisfies the business requirement for IT of [business requirements] by focusing on [control statements] is achieved by [practices] and is measured by [metrics, e.g. user satisfaction].)
Which Domain?

The first thing you’ll see is which domain the process is oriented to. So the one we’re looking at now is AI6, or Manage Change, and you can see that it lives within the Acquire and Implement domain.
Process Description
All changes, including emergency maintenance and patches, relating to infrastructure and applications within the production environment are formally managed in a controlled manner. Changes (including those to procedures, processes, system and service parameters) are logged, assessed and authorized prior to implementation, and reviewed against planned outcomes following implementation. This assures mitigation of the risks of negatively impacting the stability or integrity of the production environment.

With every process we’ve introduced, there is a simple description of what that process is. So in the case of Manage Changes, it says “all changes, including emergency maintenance and patches, relating to infrastructure and applications within the production environment must be formally managed in a controlled manner.” It goes on with just a little bit more detail about how you might deliver that in the organization. Now, as you look through, you can see here that it gives you a series of high-level statements you must adhere to. And it also says what the risk is. This assures the mitigation of risks that may negatively impact the stability or integrity of the production environment. That statement is absolutely key in today’s IT environment. Many analysts tell us that 80% of production unavailability is due to poorly implemented change, both scheduled and unscheduled.
The Waterfall of Control

Therefore change management must be one of the key processes that help us as we drive forward. So now, as you look at the waterfall of control, the information criteria are defined as primary and secondary in each process.
Information Criteria

So here in Manage Change, you can see that effectiveness, efficiency, integrity and availability are primary, and reliability is secondary.
IT Resources

As you go through, you can see the areas of resources that are impacted. In this case change, of course, impacts all of them: applications, information, infrastructure and, of course, people.
IT Governance

We need to identify which domain is the primary domain and which is the secondary domain that each process is involved in. So in the case of the IT Governance domain for AI6, or Manage Change, the primary is Value Delivery and the secondary is Resource Management. For every process the primary and secondary domains are defined.
Control Objectives
AI6.5 Change Closure and Documentation: Whenever changes are implemented, update the associated system and user documentation and procedures accordingly.

And of course, Control Objectives. As you can see in the Detailed Control Objectives, there are a number of steps that are critical to each change or each process. So here if you go to AI6.5, one of the steps, which we all know is common sense, is Change Closure and Documentation. One of the things we need to do is ensure that change closure and documentation are produced. A logical step in the management of change, and what we’ve done in the development of COBIT, is to document these logical steps so that young players in this area cannot fall through the traps.
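The AI6 process description and the AI6.5 control objective above are testable statements: every production change must be logged, authorised before it is implemented, reviewed against planned outcomes afterwards, and closed with updated documentation. The script below is an added example, not code from the ISACA/ITGI deck or from COBIT itself. It reconciles a constructed deployment log against a constructed change register and emits one finding per control statement a deployment fails. The log format, the register fields (authorised_at, reviewed_at, docs_updated) and the change identifiers are assumptions chosen for illustration; a real implementation would read the same facts from the ticketing system and the deployment pipeline.

```python
"""Reconcile production deployment events against a change register.

Added example for the AI6 control statements quoted above; not part of the
ISACA/ITGI deck. Record layouts, field names and the log format are
assumptions chosen for illustration.
"""
import re
from datetime import datetime
from typing import Dict, List, Optional

# Constructed change register (hypothetical layout). In practice this comes
# from the ticketing or CMDB system. authorised_at / reviewed_at are ISO
# timestamps or None; docs_updated records the AI6.5 closure step.
CHANGE_REGISTER: List[dict] = [
    {"id": "CHG-1001", "target": "web-01", "authorised_at": "2009-10-12T09:00:00",
     "reviewed_at": "2009-10-12T15:00:00", "docs_updated": True},
    {"id": "CHG-1002", "target": "db-01", "authorised_at": "2009-10-13T14:00:00",
     "reviewed_at": None, "docs_updated": False},   # deployed before approval, never closed
    {"id": "CHG-1003", "target": "web-02", "authorised_at": "2009-10-14T11:30:00",
     "reviewed_at": "2009-10-14T16:00:00", "docs_updated": False},  # reviewed, docs never updated
    {"id": "CHG-1004", "target": "app-01", "authorised_at": None,
     "reviewed_at": "2009-10-15T12:00:00", "docs_updated": True},   # emergency fix, recorded after the fact
]

# Constructed deployment log (hypothetical format):
#   <ISO timestamp> <host> deploy change=<change id | none> by=<user>
DEPLOY_LOG = """\
2009-10-12T10:15:00 web-01 deploy change=CHG-1001 by=alice
2009-10-13T13:00:00 db-01 deploy change=CHG-1002 by=bob
2009-10-14T12:00:00 web-02 deploy change=CHG-1003 by=alice
2009-10-15T03:40:00 app-01 deploy change=CHG-1004 by=carol
2009-10-16T02:05:00 app-02 deploy change=none by=dave
"""

LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) deploy change=(?P<change>\S+) by=(?P<user>\S+)$"
)


def parse_deploy_log(text: str) -> List[dict]:
    """Turn the deployment log into event dicts; reject lines that do not match."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LOG_LINE.match(line)
        if m is None:
            raise ValueError(f"unparseable deployment record: {line!r}")
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "host": m["host"],
            "change": None if m["change"] == "none" else m["change"],
            "user": m["user"],
        })
    return events


def _ts(value: Optional[str]) -> Optional[datetime]:
    return datetime.fromisoformat(value) if value else None


def reconcile(events: List[dict], register: List[dict]) -> List[dict]:
    """Test every deployment against the AI6 control statements.

    One finding per failed test:
      NO_CHANGE_RECORD       deployment has no registered change (changes must be logged)
      NOT_AUTHORISED_BEFORE  authorisation missing or later than the deployment
                             (authorised prior to implementation; an emergency
                             change recorded afterwards still fails this test)
      TARGET_MISMATCH        deployed to a host the change record does not cover
      NO_POST_REVIEW         no review against planned outcomes after implementation
      DOCS_NOT_UPDATED       AI6.5: documentation not updated at closure
    """
    by_id: Dict[str, dict] = {c["id"]: c for c in register}
    findings: List[dict] = []

    def flag(code: str, ev: dict, change_id: Optional[str]) -> None:
        findings.append({"code": code, "host": ev["host"],
                         "change": change_id, "ts": ev["ts"].isoformat()})

    for ev in events:
        chg = by_id.get(ev["change"]) if ev["change"] else None
        if chg is None:
            flag("NO_CHANGE_RECORD", ev, ev["change"])
            continue
        authorised = _ts(chg["authorised_at"])
        if authorised is None or authorised > ev["ts"]:
            flag("NOT_AUTHORISED_BEFORE", ev, chg["id"])
        if chg["target"] != ev["host"]:
            flag("TARGET_MISMATCH", ev, chg["id"])
        if _ts(chg["reviewed_at"]) is None:
            flag("NO_POST_REVIEW", ev, chg["id"])
        if not chg["docs_updated"]:
            flag("DOCS_NOT_UPDATED", ev, chg["id"])
    return findings


if __name__ == "__main__":
    for f in reconcile(parse_deploy_log(DEPLOY_LOG), CHANGE_REGISTER):
        print(f"{f['ts']} {f['host']:7} {str(f['change']):9} {f['code']}")
```

On the constructed data, CHG-1001 is the only clean change. CHG-1002 fails three tests (deployed an hour before it was authorised, never reviewed, documentation never updated), CHG-1003 was reviewed but not documented, CHG-1004 is the emergency case the process description explicitly covers (logged only after it was on the box) and the app-02 deployment has no change record at all. The parser deliberately raises on any line it cannot match rather than skipping it, since a silently dropped record is an untested change.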
Management Guidelines

So going to Management Guidelines…
Management Guidelines

Management Guidelines go into even more detail to help you manage the processes that we’ve talked about. So here in front of you, you can see the page for AI6 Manage Changes. And we’ll just split out each of the areas and talk about them a little bit more.
Input-output Matrix: Managing the Life Cycle
(Diagram: inputs coming from other processes; outputs going to other processes.)

First, we have our Input-output Matrix. This is one of the key metrics that I love about COBIT. It will show you which of the processes the inputs come from and where the outputs go to. It really helps you, as you might want to do a limited COBIT implementation, understand what inputs and outputs you need and where they go, and ensure that you’ve got the right things going to the right processes.
Primary Inputs and Outputs
- COBIT identifies from where the primary inputs for each process are obtained: the inputs are identified, along with where they come from
- It also identifies to which IT processes the process provides outputs: the outputs from the process are identified, along with where they are directed
Managing the Life Cycle
Whilst COBIT represents the life cycle of IT investments, it must also manage inter-process interdependencies.

As you manage the life cycle of a change, you’re going to see that there are often interdependencies between the various processes, as detailed within the inputs and outputs. The inputs may come from a number of processes, and outputs may be transferred to a number of other processes. This provides a guide for the user to know where the interdependencies are, as well as providing an excellent guide for which processes to utilise.
RACI Charts

RACI charts are another key area of COBIT, identifying who in the organization is Responsible, Accountable, Consulted and Informed.
“RACI” Chart
- Identifies who is Responsible, Accountable, Consulted and/or Informed
- Addresses considerations for points of accountability
- Addresses issues of communication and desired input (who would be consulted)
- Rather than titles, think of positions in terms of roles
- Depending on the size of the organization or the IT function, several roles may be combined
RACI Chart: Standard Organisation Chart, Typical Process Activities

The RACI charts in the guidance are built on a standard organizational chart, a number of typical process activities, and who is responsible, accountable, consulted and informed for each. Each process has a number of activities, and the chart then maps these to the RACI roles.
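Once a RACI chart is held as data rather than as a slide, the points of accountability the previous two slides talk about can be checked mechanically, and the effect of combining roles in a small IT function can be re-checked after the merge. The script below is an added example and not code from the ISACA/ITGI deck. The chart is constructed: the activity wording is paraphrased from the kind of change-management activities a process like AI6 contains, not quoted from COBIT, and the role names are generic. The rules it enforces (exactly one Accountable and at least one Responsible per activity) are the usual RACI conventions and are stated here as an assumption; the deck itself does not spell them out.

```python
"""Check a RACI chart for the accountability rules described in the deck.

Added example; not from the ISACA/ITGI deck. The chart is constructed for
illustration and the activity wording is paraphrased, not quoted from COBIT.
The rules checked (exactly one Accountable and at least one Responsible per
activity) are the usual RACI conventions, assumed here rather than taken
from the deck.
"""
from typing import Dict, List, Set

# Constructed chart: activity -> {role: letters}. A cell may carry more than
# one letter, written as "A/R".
RACI_CHART: Dict[str, Dict[str, str]] = {
    "Record, assess and prioritise change requests": {
        "CIO": "A", "Head of Operations": "R",
        "Head of Development": "C", "Business Process Owner": "I"},
    "Assess impact of changes on business needs": {
        "Business Process Owner": "A", "Head of Operations": "R",
        "Head of Development": "R", "Compliance": "C"},
    "Ensure emergency changes follow the approved process": {
        "Head of Operations": "A", "Head of Development": "A/R",   # two Accountables
        "Compliance": "I"},
    "Authorise changes": {
        "Business Process Owner": "C", "Compliance": "I"},          # nobody A or R
    "Disseminate information about changes": {
        "Head of Operations": "A/R", "Business Process Owner": "I"},
}


def _letters(cell: str) -> Set[str]:
    """Split a cell such as 'A/R' or 'c, i' into a set of upper-case letters."""
    return {part.strip().upper() for part in cell.replace("/", ",").split(",") if part.strip()}


def validate_raci(chart: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Return {activity: [problems]} for every activity that breaks a rule."""
    issues: Dict[str, List[str]] = {}
    for activity, row in chart.items():
        accountable = sorted(role for role, cell in row.items() if "A" in _letters(cell))
        responsible = sorted(role for role, cell in row.items() if "R" in _letters(cell))
        problems: List[str] = []
        if not accountable:
            problems.append("no accountable role")
        elif len(accountable) > 1:
            problems.append("multiple accountable roles: " + ", ".join(accountable))
        if not responsible:
            problems.append("no responsible role")
        if problems:
            issues[activity] = problems
    return issues


def merge_roles(chart: Dict[str, Dict[str, str]],
                merges: Dict[str, str]) -> Dict[str, Dict[str, str]]:
    """Combine roles (old role -> new role), as a small IT function would,
    keeping the union of each merged role's letters per activity."""
    merged: Dict[str, Dict[str, str]] = {}
    for activity, row in chart.items():
        cells: Dict[str, Set[str]] = {}
        for role, cell in row.items():
            cells.setdefault(merges.get(role, role), set()).update(_letters(cell))
        merged[activity] = {role: "/".join(sorted(letters)) for role, letters in cells.items()}
    return merged


if __name__ == "__main__":
    for activity, problems in validate_raci(RACI_CHART).items():
        print(f"{activity}: {'; '.join(problems)}")
    combined = merge_roles(RACI_CHART, {"Head of Development": "Head of Operations"})
    print("after merging development into operations:", validate_raci(combined))
```

Two activities fail on the constructed chart: the emergency-change activity has two Accountable roles, and nobody is Accountable or Responsible for authorising changes. Merging Head of Development into Head of Operations, the kind of combination the slide allows for a small IT function, collapses the duplicate accountability into a single A/R cell, but it cannot manufacture an owner for the authorisation activity, which still fails after the merge.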
Goals and Metrics

The Goals and Metrics are a key aspect of COBIT. There are IT goals, there are process goals, and there are activities and activity goals. Each of these is dependent on the others, and each defines metrics which you can manage to. It’s key that you measure and manage these aspects so you ensure you are delivering the value you’ve talked about. And of course, to live in an IT governance environment you have to have measurements that make sense.
Metrics
- Activity goals tell us how well the process is performing; measured by key performance indicators (KPIs)
- Process goals tell us what IT must deliver; measured by key goal indicators (KGIs)
- IT goals tell us what we expect from IT; measured by key goal indicators (KGIs)
Maturity Model

One of the most underused aspects of COBIT, but one of the appropriate aspects, is the Maturity Model. Every process has a Maturity Model, and that Maturity Model delivers a statement of behaviors that represent the maturity level for each process. The statement allows the user to quickly look through the maturity statements for the process and determine where you are and what activities represent the next level of maturity. So for example, for AI6, Manage Change, you can see where you are between zero and five very quickly. You can determine what level you are currently at and what level you need to be at.
56
Use of Maturity Models
The assessment of process capability based on the COBIT maturity models is a key part of IT governance implementation. It enables gaps in capability to be identified and demonstrated to management. Action plans can then be developed.
57
Maturity Levels in COBIT
Maturity levels, from 0 to 5:
0 - Non-existent: management processes are not applied at all.
1 - Initial: processes are ad hoc and disorganised.
2 - Repeatable: processes follow a regular pattern.
3 - Defined: processes are documented and communicated.
4 - Managed: processes are monitored and measured.
5 - Optimised: best practices are followed and automated.
Now, a zero is non-existent, of course. One is your initial level, two is repeatable, and so on up to five, which is optimized. Now you might ask why we have a management level zero, or non-existent. Well, one of the things I’ve learned is that in some processes, in terms of management processes, there are just no controls at all. And with no controls at all, you basically have to say that you are totally ignoring that particular management process. As you go to a one, you have some ad hoc processes that are disorganized; at two, maybe some regular patterns evolving; at three, documented and communicated; at four, monitored, measured or managed; and at five you’re absolutely top class: best practice, everything followed, automated, totally managed, never having to worry about a thing.
58
Dimensions of Process Maturity in COBIT
Capture process maturity data on each of six dimensions:
Awareness and communication
Policies, standards and procedures
Tools and automation
Skills and expertise
Responsibility and accountability
Goal setting and measurement
So what are the dimensions of process maturity in COBIT? Well, we’ve captured six dimensions: awareness and communication; policies, standards and procedures; tools and automation; skills and expertise; responsibility and accountability; and goal setting and measurement. You know, one of the things I like to tell people is: how do you ensure consistent, repeatable, delivered results if you don’t automate? One of the things we need to do when we implement a process is automate it. We need to ensure that those results can be consistently delivered. Before you can automate, you have to have those processes in place and you have to be able to deliver them on a consistent basis. All these steps add together to give you a maturity level, to show you where you are on the maturity scale.
59
Collecting Maturity Model Data
Chart: each of the six dimensions (Awareness and Communication; Policies, Standards and Procedures; Tools and Automation; Skills and Expertise; Responsibility and Accountability; Goal Setting and Measurement) rated on a scale of 1 to 5.
So here you can see, as you collect the data for the maturity model, that you might find for one area you’re at a two to a three, in another area a four to a five, and so on and so forth. One of the concepts of COBIT maturity data modelling is that you can be more mature in some processes than in others, and ultimately where you need to be is going to be a definition of your own assessment of your own organization, based on your own industry and your own business objectives.
60
How Do Governance and the Business Drive IT?
Diagram: business goals and governance requirements drive the business requirements for information services; these imply information criteria and IT goals, which in turn require IT processes that deliver information, run applications, and need infrastructure and people.
Take a look at COBIT. As you review the guidance, you can see that the business requirements and governance requirements ultimately influence how you drive your information services. This gives you a series of information criteria, and a number of goals or measures that you’re going to use, and as you drive them down the waterfall of the cascade you get IT processes that deliver information, run using applications and systems, and need people to deliver value.
61
COBIT and Other Frameworks and Standards
Now, one of the questions we get asked a lot is where COBIT sits relative to other standards.
62
The Need for IT Governance Control Frameworks
Many organizations recognize the potential benefits that technology can yield.
Successful organizations understand and manage what needs to be achieved and the risks associated with implementing new technologies.
This understanding is key to control and IT governance.
Control frameworks and generally accepted practices
63
Impact of Technology on Control
Operational and control objectives do not change, or change a little.
Some technology-specific control objectives change.
There is a significant impact on the “mix” of controls used to address the control objectives.
Technology can facilitate achieving control objectives.
64
Control Models
Structured or organized to present a control framework relative to control objectives and the respective internal controls or control practices.
Provide statements of responsibilities for control.
Provide guidance regarding mechanisms to assess the need for control, and to design, develop, implement and exercise control.
Require that controls be monitored and evaluated.
65
Where COBIT Typically Sits
Diagram: a three-layer model. Governance layer: COSO and King. IT governance layer: COBIT. IT management layer: ITIL, ISO 17799, CMM and TickIT.
I made the statement earlier that COBIT spans the whole IT life cycle, and it maps 100% to COSO and to organisational and business governance. So if we start with a three-layered model, consisting of our governance layer, our IT governance layer and our IT management layer, where do these various frameworks fit? At the highest level we have COSO, and COSO, or King 2 or King 3 as it’s currently being developed, is really at an organisational governance layer. COBIT is the next layer down. It matches perfectly to COSO, as you can see here, and aligns particularly well with it. Under that you have another series of frameworks and standards. These integrate with various aspects of COBIT, whether it’s CMM or CMMI, TickIT, ITIL, or the new ISO 27000 series. These IT management layers really give you guidance in terms of IT management process and how to drive value forward.
66
How COBIT Relates to Frameworks and Standards
Integrator of technical standards; interface to business standards.
Another way of representing the mappings is to detail how these frameworks work together. On this scale you can see IT relevance mapped against the level of abstraction, and you can see that things like balanced scorecards, the Malcolm Baldrige award and ISO 9000 all sit at the high end of abstraction, with not very holistic solutions. At the top you can see COBIT. COBIT goes across all of them in terms of where it fits, and sits in the middle of all four domains.
67
How COBIT Relates to Frameworks and Standards
Diagram: four levels, Strategic, Process Control, Process Execution and Work Instruction, with COBIT at the strategic and process control levels, ISO 17799 and CMM around process control and execution, ITIL at process execution, and numbered work instructions beneath.
So how do you use COBIT with other standards? You’ve got your strategic level, basic process control, process execution and work instruction. COBIT really is aligned with the strategic and process-level controls, to provide guidance that’s going to help drive value forward. In terms of process execution, many of you are probably aware of ITIL, of the ITIL domain and its growth to really cover the operational aspects. CMM, and often CMMI, is used in the application development environment, and once again it fits in a crossover between execution and process control. The ISO 17799/27000 series security standards really go across process control and link beautifully into COBIT in terms of the COBIT domains.
68
How COBIT Relates to Frameworks and Standards
Diagram: the same four-level picture as on the previous slide.
So, as you can see here, these frameworks fit well, overlapping together or integrated with each other. And the key aspect here is that COBIT covers all of them, and some more. We could’ve included PMBOK, PRINCE2 and many other frameworks. And, by the way, if you go to the ISACA website as a member, you can see that many of those frameworks are already mapped to COBIT.
69
How COBIT Relates to Frameworks and Standards
Chart 1: 27001 reach across COBIT elements (control objectives and IT processes), annotated “27001 maps 100% onto COBIT”. Chart 2: “Plugging into COBIT Processes”, a percentage (0% to 30%) for each COBIT process from PO1 to PO10, AI1 to AI7, DS1 to DS13 and ME1 to ME4.
Now, the COBIT mapping to ISO/IEC 17799 you can see here. What we’ve done here is a mapping, and you can see how well they map together. All the processes are covered, and at the bottom you can see where we’ve plugged the various aspects of ISO/IEC 17799 into COBIT. COBIT maps equally well to ISO/IEC 27002, and this mapping is available from the website.
70
How COBIT Relates to Frameworks and Standards
Gartner Advisory on COBIT and ITIL
Don’t just believe me. Here I’m showing you the Gartner advisory on ITIL and COBIT. You can see that Gartner recommends to their customers that you use COBIT and ITIL together to give you a holistic environment: one that ensures you’re not just going to be measuring the right things, but doing the right things. This is not the only advisory. You can look on the ISACA website and see other advisories and information on how they map together.
71
Control (as defined by COBIT)
Control (as defined by COBIT): the policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected.
72
To Avoid Risks, Threats and Exposures To Achieve Business Objectives
Control (as defined by COBIT): the policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected.
Source: COBIT Control Objectives, p. 12.
73
IT Control Objective: a statement of the desired result or purpose to be achieved by implementing control procedures in a particular IT activity.
74
To understand internal control and what we mean by “reasonable assurance”, one needs to understand risk.
What is “reasonable assurance”?
What is the relationship of reasonable assurance to residual risk?
75
Chart: assurance level plotted against residual risk, on a scale from 0% to 100%, with “reasonable assurance” marked between the two extremes.
76
Control Responsibilities
Let’s review control responsibilities.
Management: primary responsibility for ensuring that controls are in place and in effect to provide reasonable assurance that operational and control objectives will be met.
Users: exercise controls.
Audit: evaluates, advises and provides statements of assurance regarding the adequacy of controls.
77
COBIT®
The COBIT family of products includes:
COBIT® 4.1: emphasizes regulatory compliance, helps organizations increase the value attained from IT, enables alignment and simplifies implementation of the COBIT framework
COBIT Advisor, 3rd Edition
IT Governance Implementation Guide: Using COBIT and Val IT, 2nd Edition
IT Governance Based on COBIT 4.1
COBIT Online
COBIT Quickstart, 2nd Edition
COBIT Security Baseline, 2nd Edition
Mappings of COBIT to other international frameworks and standards