PowerPoint Slideshow about 'COBIT & IT Governance Control Objectives for Information and Related Technology' - Samuel

COBIT & IT Governance: Control Objectives for Information and Related Technology

Includes material subject to: Copyright © 2004 and 2005 IT Governance Institute. This presentation is intended solely for academic use.


Agenda

COBIT: Control Objectives for Information and Related Technology
  • The quest for effective systems and the rise of internal control regulation emphasize the need for IT governance
  • Exercise: How well can you do on your own?
  • COBIT:
    • Where does it come from?
    • How does it view IT organizations?
    • What does it include?
  • Try again: Does COBIT help?
  • Other IT management frameworks
  • Key takeaways
Why? Drivers of the quest for effective systems: scale and cost; SOX compliance; threat and vulnerability; increased IT dependence; IT’s role in organizational change.

Reason 1: The Quest for Effective Systems
  • Systematically controlled IT functions aim to assure that IS:
    • Provides value,
    • Pushes the envelope, and
    • Mitigates risk

Business as usual and management inattention sound like this:
  • “We’ll delete that old user ID later”
  • “We’ll write the documentation later”
  • “Pick the best solution for our department”
  • “It will be plenty fast”
  • “We won’t get hacked, we’re too small to be on a hacker’s radar”
  • “There’s no real need for a log file”


History

Reason 2: The Rise of Internal Control Regulation
  • Bank scandals in the 1980s brought us the 1992 Committee of Sponsoring Organizations of the Treadway Commission (COSO) Integrated Internal Control Framework for certifying financial data systems.
  • WorldCom, Enron, etc. brought us the Sarbanes-Oxley Act of 2002 (SOX):
    • Management is responsible for internal control and financial reporting procedures.
    • Annual reports must assess internal controls.
    • Officers submitting inaccurate certifications are subject to a fine of up to $1M plus 10 years; if purposeful, up to $5M plus 20 years.

History

SOX and IS
  • From an IS function perspective, this means that, for financial reporting systems at least, SEC companies need:
    • An evaluation framework for IS operations
    • Useful IS metrics
    • A systematic way to apply the framework
  • This perspective applies to non-SEC organizations as well:
    • Lenders may require IS audits
    • Financial services companies have their own somewhat similar regulations
Meeting the Challenge: IT Governance Defined
  • IT Governance: the leadership and organizational structures and processes that ensure that the organization’s IT sustains and extends the organization’s strategies and objectives.*

Slide diagram labels: IT Governance; Improve Performance; Reduce Risk; Performance vs. Goals and Best Practices; Reliability of Financial Data; Regulatory Compliance.

* IT Governance Institute 2003, Board Briefing on IT Governance, 2nd Ed., page 18

An IT Governance Model

The IT Governance Framework: Be a Part of the Process

The framework is a cycle: Set Objectives, Provide Direction, IT Activities, Measure Performance, Compare (“Be Good!”).

IT Activities:
  • Increase automation (make the business effective)
  • Decrease cost (make the enterprise efficient)
  • Manage risks (security, reliability and compliance)

Set Objectives:
  • IT is aligned with the business
  • IT enables the business and maximises benefits
  • IT resources are used responsibly
  • IT-related risks are managed appropriately

www.itgovernance.org - Board Briefing on IT Governance; Hunton et al., p. 3

Let’s Try It Without a Framework
  • You are the CEO of NASDAQ. You discover that the embarrassing error reported in the article happened when a new version of a software application was put into production. You know you need a better process.
    • Who should be involved in making sure this kind of thing doesn’t happen again?
    • What controls should be put into place?
    • How will you tell later if the controls are working?
    • Will your plan convince the angry board of directors?

Agenda

How Are We Doing?
  • The quest for effective systems and the rise of internal control regulation emphasize the need for IT governance
  • Exercise: How well can you do on your own?
  • COBIT:
    • Where does it come from?
    • How does it view IT organizations?
    • What does it include?
  • Try again: Does COBIT help?
  • Other IT management frameworks
  • Key takeaways

COBIT

COBIT: Control Objectives for Information and related Technology
  • COBIT is a process-oriented, business-goal focused, systematic framework for evaluating the IT operations within an organization. It is designed for:
    • Managers who need IT,
    • IT Providers (internal and external), and
    • “Auditors” concerned with risk, security, privacy, compliance, and assurance.
  • Stakeholders may not know how to evaluate their organizations; COBIT can help guide the process.

COBIT

Where did COBIT come from?
  • The COBIT steering committee includes international representatives from industry, academia, government, and the security and control profession.
  • Based in the IT Governance Institute.
  • The COBIT group has done extensive work mapping to other standards.

http://www.isaca.org/Content/NavigationMenu/Members_and_Leaders/COBIT6/Project1/COBIT_Project.htm

Process Oriented

Because information systems are much more complex than lunch boxes: processes!

Information systems’ acquisition, operation, and maintenance can be usefully understood as a set of IT processes. We figure out what to control in IT by looking at what we do in IT.

Slide diagram labels: Organizational Goals; Assets (used to achieve); Information Systems (complexity brings special problems); IT Resources: Applications, Information, Infrastructure, People.

Which of These Are IT Processes in the IT Governance Sense?
  • Buying a new server: NO! Just a decision
  • IT Purchasing Procedures: YES
  • Hiring the Right People: NO! Bunch of decisions
  • Screening Potential IT Employees: YES
  • Processing an invoice sent in by EDI from a supplier: NO! This is an IT-enabled process
  • Change Management System: YES

Good Governance Creates Good Processes that LEAD TO Good Decisions and IT Systems

COBIT

Business Goal Focused
  • Generic business goals are matched with IT goals: to offer competitive products and services, create IT agility.
  • Goals are matched with 34 IT processes, which define success: achieve IT agility by adjusting HR, information architecture, and infrastructure.
  • Defined control objectives support assurance: good data architecture keeps data to support decisions, organizes data for sharing, and verifies data reliability.
  • Process measures support systematic evaluation to manage IT processes: measure data architecture success in % of redundant data elements, % of applications in the plan, and frequency of validation activities.

COBIT’s Systematic Framework

Slide diagram labels: Business Objectives; Governance Objectives; COBIT; Information; IT Resources.

Information criteria:
  • Effectiveness
  • Efficiency
  • Confidentiality
  • Integrity
  • Availability
  • Compliance
  • Reliability

IT Resources:
  • Data
  • Application systems
  • Technology
  • Facilities
  • People

PLAN AND ORGANISE: Does the organization plan and organize adequately to meet information needs?
  • PO1 Define a strategic IT plan
  • PO2 Define the information architecture
  • PO3 Determine the technological direction
  • PO4 Define the IT processes, organisation and relationships
  • PO5 Manage the IT investment
  • PO6 Communicate management aims and direction
  • PO7 Manage human resources
  • PO8 Manage quality
  • PO9 Assess and manage IT risks
  • PO10 Manage projects

ACQUIRE AND IMPLEMENT: Does the organization have and use sound processes for acquiring and implementing IT?
  • AI1 Identify automated solutions
  • AI2 Acquire and maintain application software
  • AI3 Acquire and maintain technology infrastructure
  • AI4 Enable operation and use
  • AI5 Procure IT resources
  • AI6 Manage changes
  • AI7 Install and accredit solutions and changes

DELIVER AND SUPPORT: Does the organization effectively deliver and support IT services?
  • DS1 Define and manage service levels
  • DS2 Manage third-party services
  • DS3 Manage performance and capacity
  • DS4 Ensure continuous service
  • DS5 Ensure systems security
  • DS6 Identify and attribute costs
  • DS7 Educate and train users
  • DS8 Manage service desk and incidents
  • DS9 Manage the configuration
  • DS10 Manage problems
  • DS11 Manage data
  • DS12 Manage the physical environment
  • DS13 Manage operations

MONITOR AND EVALUATE: Does the organization monitor and evaluate its IT activities?
  • ME1 Monitor the processes
  • ME2 Monitor and evaluate internal control
  • ME3 Ensure regulatory compliance
  • ME4 Provide IT governance

AI6 – Acquire and Implement: Manage Changes

Page 1 (the “waterfall” template):

Control over the IT process of [process name] that satisfies the business requirement for IT of [summary of most important IT goals] is achieved by [key controls] and is measured by [key metrics].

AI6 Page 2: Detailed Control Objectives

Page 2

Detailed Control Objectives
  • AI6.1 Change Standards and Procedures: Set up formal change management procedures to handle in a standardised manner all requests…
  • AI6.2 Impact Assessment, Prioritisation and Authorisation: Ensure that all requests for change are assessed in a structured way for impacts on the operational system…
  • AI6.3 Emergency Changes: Establish a process for defining, raising, assessing and authorising emergency changes…
  • AI6.4 Change Status Tracking and Reporting: Establish a tracking and reporting system for keeping change requestors and relevant stakeholders up to date…
  • AI6.5 Change Closure and Documentation: Whenever system changes are implemented, update the associated system and user documentation…

AI6 Management Guidelines

Page 3
  • Process Inputs and Outputs
  • Layered Goals and Metrics
  • RACI Chart

Page 4: Maturity Model

Management of the process of Manage changes that satisfies the business requirement for IT of responding to business requirements in alignment with the business strategy, whilst reducing solution and service delivery defects and rework is:
  • 0 Non-existent: No defined change management process…
  • 1 Initial/Ad Hoc: It is recognised that changes should be managed…
  • 2 Repeatable but Intuitive: Informal change management process…
  • 3 Defined Process: Defined formal change management process…
  • 4 Managed and Measurable: Change management well developed…
  • 5 Optimised: Change management process is regularly reviewed…

COBIT Audit Guidelines

An IT process is audited by:
  • Obtaining an understanding of business requirements-related risks, and relevant control measures
  • Evaluating the appropriateness of stated controls
  • Assessing compliance by testing whether the stated controls are working as prescribed, consistently and continuously
  • Substantiating the risk of the control objectives not being met by using analytical techniques and/or consulting alternative sources

COBIT Audit Guidelines: AI6 Audit Guideline (three slides of the guideline; the slide images are not in the transcript)

Now that you have AI6…
  • You are the CEO of NASDAQ. You discover that the embarrassing error reported in the article happened when a new version of a software application was put into production. You know you need a better process.
    • Who should be involved in making sure this kind of thing doesn’t happen again?
    • What controls should be put into place?
    • How will you tell later if the controls are working?
    • Will your plan convince the angry board of directors?
Comparing Frameworks

Different Frameworks: Different Emphasis
  • Control Objectives for Information & Related Technology (COBIT): Comprehensive checklists for IT, supports auditing, doesn’t directly address software development or give a roadmap for improvement
  • Capability Maturity Model Integration (CMMI): Geared for software development organizations
  • IT Infrastructure Library (ITIL): IT service delivery and management best practices
  • Six Sigma: Continuous improvement for repeatable activities (e.g., helpdesks)

http://www.computerworld.com/managementtopics/management/story/0,10801,90797,00.html

Comparing Frameworks

COBIT Asks All the Right Questions

COBIT: 34 IT processes in 4 domains.

COBIT defines issues, values, measurements, and responsibilities. It focuses on control over execution and strives to address all IT governance issues.

Comparing Frameworks

CMM Helps Develop Mature Software Development Processes

CMM (1993) and the later CMMI focus on improving the development, acquisition, and maintenance of systems.

CMM addresses only some of the issues considered by COBIT.

SEI CMM: http://www.sei.cmu.edu/cmmi/general/general.html

ITGI’s mapping of SEI’s CMM for Software with COBIT 4.0

ITIL Presents Best Practices for IT Service Delivery

ITIL, originally created by the British Government, is “the only consistent and comprehensive best practice for IT service management.”

ITIL provides more guidance on who should be responsible and how they should proceed. ITIL: best practices; COBIT: IT control.

ITGI’s mapping of ITIL with COBIT 4.0

IT Governance Norms
  • Business Alignment
  • A Risk/Control Perspective
  • Accountability
  • Continuous Improvement
  • Systematic Measurement
Takeaways

Key Takeaways
  • Forces are pushing organizations to adopt IT governance, but it’s an uphill battle.
  • COBIT provides a systematic framework to evaluate IT operations: plan, do, check, and correct.
  • A control perspective for IT processes is crucial to long-term success. (It helps us talk nice to the CFO too!)
  • Thanks to the IT Governance Institute for material.
AI6 Manage Changes: High-Level Control Objective

Back To AI6 Page 1

  • All changes, including emergency maintenance and patches, relating to infrastructure and applications within the production environment must be formally managed in a controlled manner. Changes (including procedures, processes, system and service parameters) must be logged, assessed and authorised prior to implementation and reviewed against planned outcomes following implementation. This assures mitigation of the risks of negatively impacting the stability or integrity of the production environment.
AI6 Waterfall

Back To AI6 Page 1

Control over the IT process of Manage changes that satisfies the business requirement for IT of responding to business requirements in alignment with the business strategy, whilst reducing solution and service delivery defects and rework, by focusing on controlling impact assessment, authorisation and implementation of all changes to the IT infrastructure, applications and technical solutions, minimising errors due to incomplete request specifications and halting implementation of unauthorised changes, is achieved by:
  • Defining and communicating change procedures, including emergency changes
  • Assessing, prioritising and authorising changes
  • Tracking status and reporting on changes

and is measured by:
  • Number of disruptions or data errors caused by inaccurate specifications or incomplete impact assessment
  • Application or infrastructure rework caused by inadequate change specifications
  • Percent of changes that follow formal change control processes
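The high-level control objective above requires that every change be logged, assessed and authorised before implementation and reviewed afterwards, and the waterfall names three key metrics for the process. The following Python is an added example, not material from the slides or from ITGI, showing how an auditor or control owner could test a change log against those rules and compute the three metrics. The record fields, the cause labels, the rule that only an emergency change may be authorised retrospectively (an interpretation of AI6.3), and the sample change log are all this example's own assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


# A minimal change record modelled on the AI6 lifecycle (logged, assessed,
# authorised before implementation, reviewed after). Field names are this
# example's own assumptions, not COBIT terminology.
@dataclass
class ChangeRecord:
    change_id: str
    implemented_at: datetime
    logged_at: Optional[datetime] = None
    impact_assessed: bool = False
    authorised_at: Optional[datetime] = None
    reviewed_at: Optional[datetime] = None
    emergency: bool = False                  # AI6.3: emergency changes follow their own path
    disruption_cause: Optional[str] = None   # why the change caused a disruption/data error, if it did
    rework_cause: Optional[str] = None       # why the change needed rework, if it did


# Cause labels (assumed) that count toward the first two AI6 key metrics.
SPEC_OR_ASSESSMENT_CAUSES = {"inaccurate_specification", "incomplete_impact_assessment"}
INADEQUATE_SPEC = "inadequate_specification"


def lifecycle_findings(rec: ChangeRecord) -> list[str]:
    """Return the ways a record violates the AI6 high-level objective.
    An empty list means the change followed formal change control."""
    findings = []
    if rec.logged_at is None:
        findings.append("not logged")
    elif rec.logged_at > rec.implemented_at:
        findings.append("logged after implementation")
    if not rec.impact_assessed:
        findings.append("no impact assessment")
    if rec.authorised_at is None:
        findings.append("not authorised")
    elif rec.authorised_at > rec.implemented_at and not rec.emergency:
        # Assumption: an emergency change may be authorised retrospectively
        # under the AI6.3 emergency procedure; a normal change may not.
        findings.append("authorised after implementation")
    if rec.reviewed_at is None or rec.reviewed_at < rec.implemented_at:
        findings.append("no post-implementation review")
    return findings


def follows_formal_control(rec: ChangeRecord) -> bool:
    return not lifecycle_findings(rec)


def ai6_metrics(records: list[ChangeRecord]) -> dict[str, float]:
    """Compute the three key metrics named in the AI6 waterfall."""
    total = len(records)
    formal = sum(1 for r in records if follows_formal_control(r))
    return {
        "disruptions_from_spec_or_assessment": sum(
            1 for r in records if r.disruption_cause in SPEC_OR_ASSESSMENT_CAUSES),
        "rework_from_inadequate_spec": sum(
            1 for r in records if r.rework_cause == INADEQUATE_SPEC),
        "percent_formal_change_control": round(100.0 * formal / total, 1) if total else 0.0,
    }


# Constructed sample change log (not real data).
SAMPLE_CHANGES = [
    # Fully compliant normal change.
    ChangeRecord("CHG-001", implemented_at=datetime(2024, 3, 5, 22, 0),
                 logged_at=datetime(2024, 3, 1, 9, 0), impact_assessed=True,
                 authorised_at=datetime(2024, 3, 2, 10, 0),
                 reviewed_at=datetime(2024, 3, 6, 9, 0)),
    # Emergency change authorised after the fact, then reviewed.
    ChangeRecord("CHG-002", implemented_at=datetime(2024, 3, 10, 3, 0),
                 logged_at=datetime(2024, 3, 10, 2, 0), impact_assessed=True,
                 authorised_at=datetime(2024, 3, 10, 8, 0),
                 reviewed_at=datetime(2024, 3, 11, 9, 0), emergency=True),
    # Unlogged, unassessed, unauthorised change that caused a disruption.
    ChangeRecord("CHG-003", implemented_at=datetime(2024, 3, 12, 14, 0),
                 disruption_cause="incomplete_impact_assessment"),
    # Normal change authorised only after it went live; needed rework.
    ChangeRecord("CHG-004", implemented_at=datetime(2024, 3, 16, 20, 0),
                 logged_at=datetime(2024, 3, 15, 11, 0), impact_assessed=True,
                 authorised_at=datetime(2024, 3, 18, 9, 0),
                 reviewed_at=datetime(2024, 3, 17, 9, 0),
                 rework_cause=INADEQUATE_SPEC),
]

if __name__ == "__main__":
    for rec in SAMPLE_CHANGES:
        print(rec.change_id, lifecycle_findings(rec) or "OK")
    print(ai6_metrics(SAMPLE_CHANGES))
```

Run against the sample log, the checker flags CHG-003 on four counts and CHG-004 for late authorisation, so half the changes followed formal change control; the two cause counters feed the first two waterfall metrics directly. A real implementation would read the same fields out of the change-management system rather than a hard-coded list.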