C OBI T & IT Governance Control Objectives for Information and Related Technology
Presentation Transcript


  1. COBIT & IT Governance: Control Objectives for Information and Related Technology. Includes material subject to: Copyright © 2004 and 2005 IT Governance Institute. This presentation is intended solely for academic use.

  2. Agenda. COBIT: Control Objectives for Information and Related Technology
  • The quest for effective systems and the rise of internal control regulation emphasize the need for IT governance
  • Exercise: How well can you do on your own?
  • COBIT: Where does it come from? How does it view IT organizations? What does it include?
  • Try again: Does COBIT help?
  • Other IT management frameworks
  • Key takeaways

  3. Why? Reason 1: The Quest for Effective Systems. Drivers: scale and cost; SOX compliance; threat vulnerability; increased IT dependence; IT’s role in organizational change.
  • Systematically controlled IT functions aim to assure that IS:
  • Provides value,
  • Pushes the envelope, and
  • Mitigates risk
  Slide callouts (Business As Usual, Management Inattention): “We’ll delete that old user ID later” “We’ll write the documentation later” “Pick the best solution for our department” “It will be plenty fast” “We won’t get hacked, we’re too small to be on a hacker’s radar” “There’s no real need for a log file”

  4. History. Reason 2: The Rise of Internal Control Regulation
  • Bank scandals in the 80’s brought us the 1992 Committee of Sponsoring Organizations of the Treadway Commission (COSO) Integrated Internal Control Framework for certifying financial data systems.
  • WorldCom, Enron, etc. brought us the Sarbanes-Oxley Act of 2002 (SOX).
  • Management is responsible for internal control and financial reporting procedures
  • Annual reports must assess internal controls
  • Officers submitting inaccurate certifications are subject to a fine of up to $1m + 10 yrs; if purposeful, up to $5m + 20 years.

  5. History. SOX and IS
  • From an IS function perspective, this means that, for financial reporting systems at least, SEC companies need:
  • An evaluation framework for IS operations
  • Useful IS metrics
  • A systematic way to apply the framework
  • This perspective applies to non-SEC organizations as well:
  • Lenders may require IS audits
  • Financial services companies have their own somewhat similar regulations

  6. Meeting the Challenge: IT Governance Defined
  • IT Governance: the leadership and organizational structures and processes that ensure that the organization’s IT sustains and extends the organization’s strategies and objectives.*
  Diagram labels: Improve Performance; Reduce Risk; Performance vs. Goals and Best Practices; Reliability of Financial Data; Regulatory Compliance.
  * IT Governance Institute 2003, Board Briefing on IT Governance, 2nd Ed., page 18

  7. An IT Governance Model. The IT Governance Framework: Be a Part of the Process
  Set Objectives:
  • IT is aligned with the business
  • IT enables the business and maximises benefits
  • IT resources are used responsibly
  • IT-related risks are managed appropriately
  Provide Direction to IT Activities:
  • Increase automation (make the business effective)
  • Decrease cost (make the enterprise efficient)
  • Manage risks (security, reliability and compliance)
  Measure Performance, Compare, Be Good!
  Source: www.itgovernance.org, Board Briefing on IT Governance; Hunton et al., p. 3

  8. Let’s Try It Without a Framework
  • You are the CEO of NASDAQ. You discover that the embarrassing error reported in the article happened when a new version of a software application was put into production. You know you need a better process.
  • Who should be involved in making sure this kind of thing doesn’t happen again?
  • What controls should be put into place?
  • How will you tell later if the controls are working?
  • Will your plan convince the angry board of directors?

  9. Agenda: How Are We Doing?
  • The quest for effective systems and the rise of internal control regulation emphasize the need for IT governance
  • Exercise: How well can you do on your own?
  • COBIT: Where does it come from? How does it view IT organizations? What does it include?
  • Try again: Does COBIT help?
  • Other IT management frameworks
  • Key takeaways

  10. COBIT: Control Objectives for Information and related Technology
  • COBIT is a process-oriented, business-goal focused, systematic framework for evaluating the IT operations within an organization. It is designed for:
  • Managers who need IT,
  • IT Providers (internal and external), and
  • “Auditors” concerned with risk, security, privacy, compliance, and assurance.
  • Stakeholders may not know how to evaluate their organizations; COBIT can help guide the process.

  11. COBIT Where did COBIT come from? • The COBIT steering committee includes international representatives from industry, academia, government, and the security and control profession. • Based in the IT Governance Institute. • The COBIT group has done extensive work mapping to other standards. http://www.isaca.org/Content/NavigationMenu/Members_and_Leaders/COBIT6/Project1/COBIT_Project.htm

  12. Process Oriented. Because information systems are much more complex than lunch boxes: Processes! Information systems’ acquisition, operation, and maintenance can be usefully understood as a set of IT processes. We figure out what to control in IT by looking at what we do in IT.
  Diagram: Organizational Goals are achieved using Assets, including Information Systems, whose complexity brings special problems. IT Resources: Applications, Information, Infrastructure, People.

  13. Which of These Are IT Processes in the IT Governance Sense?
  • Buying a new server: NO! Just a decision
  • IT Purchasing Procedures: YES
  • Hiring the Right People: NO! Bunch of decisions
  • Screening Potential IT Employees: YES
  • Processing an invoice sent in by EDI from a supplier: NO! This is an IT-enabled process
  • Change Management System: YES
  Good Governance Creates Good Processes that LEAD TO Good Decisions and IT Systems

  14. Good Processes

  15. COBIT: Business Goal Focused
  • Generic Business Goals are Matched with IT Goals: to offer competitive products and services, create IT agility.
  • IT Goals are Matched with 34 IT Processes, which define success: achieve IT agility by adjusting HR, information architecture, and infrastructure.
  • Defined Control Objectives Support Assurance: good data architecture keeps data to support decisions, organizes data for sharing, and verifies data reliability.
  • Process Measures Support Systematic Evaluation to Manage IT Processes: measure data architecture success in % of redundant data elements, % of applications in the plan, and frequency of validation activities.

  16. COBIT’s Systematic Framework. Business Objectives and Governance Objectives feed COBIT. Information criteria: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability. IT Resources: Data, Application systems, Technology, Facilities, People. The 34 processes sit in four domains:
  PLAN AND ORGANISE. Does the organization plan and organize adequately to meet information needs?
  • PO1 Define a strategic IT plan
  • PO2 Define the information architecture
  • PO3 Determine the technological direction
  • PO4 Define the IT processes, organisation and relationships
  • PO5 Manage the IT investment
  • PO6 Communicate management aims and direction
  • PO7 Manage human resources
  • PO8 Manage quality
  • PO9 Assess and manage IT risks
  • PO10 Manage projects
  ACQUIRE AND IMPLEMENT. Does the organization have and use sound processes for acquiring and implementing IT?
  • AI1 Identify automated solutions
  • AI2 Acquire and maintain application software
  • AI3 Acquire and maintain technology infrastructure
  • AI4 Enable operation and use
  • AI5 Procure IT resources
  • AI6 Manage changes
  • AI7 Install and accredit solutions and changes
  DELIVER AND SUPPORT. Does the organization effectively deliver and support IT services?
  • DS1 Define and manage service levels
  • DS2 Manage third-party services
  • DS3 Manage performance and capacity
  • DS4 Ensure continuous service
  • DS5 Ensure systems security
  • DS6 Identify and attribute costs
  • DS7 Educate and train users
  • DS8 Manage service desk and incidents
  • DS9 Manage the configuration
  • DS10 Manage problems
  • DS11 Manage data
  • DS12 Manage the physical environment
  • DS13 Manage operations
  MONITOR AND EVALUATE. Does the organization monitor and evaluate its IT activities?
  • ME1 Monitor the processes
  • ME2 Monitor and evaluate internal control
  • ME3 Ensure Regulatory Compliance
  • ME4 Provide IT Governance

  17. AI6, Acquire and Implement: Manage Changes, Page 1. The page-1 template reads: Control over the IT process of [process name] that satisfies the business requirement for IT of [summary of most important IT goals] is achieved by [key controls] and is measured by [key metrics].

  18. AI6 Page 2: Detailed Control Objectives
  • AI6.1 Change Standards and Procedures: Set up formal change management procedures to handle in a standardised manner all requests…
  • AI6.2 Impact Assessment, Prioritisation and Authorisation: Ensure that all requests for change are assessed in a structured way for impacts on the operational system…
  • AI6.3 Emergency Changes: Establish a process for defining, raising, assessing and authorising emergency changes…
  • AI6.4 Change Status Tracking and Reporting: Establish a tracking and reporting system for keeping change requestors and relevant stakeholders up to date…
  • AI6.5 Change Closure and Documentation: Whenever system changes are implemented, update the associated system and user documentation…

  19. AI6 Management Guidelines, Page 3: Process Inputs and Outputs; Layered Goals and Metrics; RACI Chart

  20. AI6 Page 4: Maturity Model. Management of the process of Manage changes that satisfies the business requirement for IT of responding to business requirements in alignment with the business strategy, whilst reducing solution and service delivery defects and rework, is:
  0 Non-existent: No defined change management process…
  1 Initial/Ad Hoc: It is recognised that changes should be managed…
  2 Repeatable but Intuitive: Informal change management process…
  3 Defined Process: Defined formal change management process…
  4 Managed and Measurable: Change management well developed…
  5 Optimised: Change management process is regularly reviewed…

  21. Like Dagwood’s Boss, We Want Controls (employees?) that Work

  22. COBIT Audit Guidelines. An IT process is audited by:
  • Obtaining an understanding of business requirements, related risks, and relevant control measures
  • Evaluating the appropriateness of stated controls
  • Assessing compliance by testing whether the stated controls are working as prescribed, consistently and continuously
  • Substantiating the risk of the control objectives not being met by using analytical techniques and/or consulting alternative sources

  23. COBIT Audit Guidelines AI6 Audit Guideline

  24. COBIT Audit Guidelines AI6 Audit Guideline

  25. COBIT Audit Guidelines AI6 Audit Guideline

  26. Now that you have AI6… • You are the CEO of NASDAQ. You discover that the embarrassing error reported in the article happened when a new version of a software application was put into production. You know you need a better process. • Who should be involved in making sure this kind of thing doesn’t happen again? • What controls should be put into place? • How will you tell later if the controls are working? • Will your plan convince the angry board of directors?

  27. Comparing Frameworks Different Frameworks:Different Emphasis • Control Objectives for Information & Related Technology (COBIT): Comprehensive checklists for IT, supports auditing, doesn’t directly address software development or give a roadmap for improvement • Capability Maturity Model Integration (CMMI): Geared for software development organizations • IT Infrastructure Library (ITIL): IT service delivery and management best practices • Six Sigma: Continuous improvement for repeatable activities (e.g., helpdesks) http://www.computerworld.com/managementtopics/management/story/0,10801,90797,00.html

  28. Comparing Frameworks COBIT Asks All the Right Questions COBIT: 34 IT processes in 4 domains: COBIT defines issues, values, measurements, and responsibilities. It focuses on control over execution and strives to address all IT governance issues.

  29. Comparing Frameworks: CMM Helps Develop Mature Software Development Processes. CMM (1993) and the later CMMI focus on improving the development, acquisition, and maintenance of systems. CMM addresses only some of the issues considered by COBIT. SEI CMM: http://www.sei.cmu.edu/cmmi/general/general.html (ITGI’s mapping of SEI’s CMM for Software with COBIT 4.0)

  30. ITIL Presents Best Practices for IT Service Delivery. ITIL, originally created by the British Government, is “the only consistent and comprehensive best practice for IT service management.” ITIL provides more guidance on who should be responsible and how they should proceed. ITIL: best practices; COBIT: IT control. (ITGI’s mapping of ITIL with COBIT 4.0)

  31. IT Governance Norms • Business Alignment • A Risk/Control Perspective • Accountability • Continuous Improvement • Systematic Measurement

  32. Key Takeaways
  • Forces are pushing organizations to adopt IT governance, but it’s an uphill battle.
  • COBIT provides a systematic framework to evaluate IT operations. Plan, do, check, & correct.
  • A control perspective for IT processes is crucial to long-term success. (It helps us talk nice to the CFO too!)
  • Thanks to the IT Governance Institute for material.

  33. AI6 Manage Changes: High-Level Control Objective (Back To AI6 Page 1)
  • All changes, including emergency maintenance and patches, relating to infrastructure and applications within the production environment must be formally managed in a controlled manner. Changes (including procedures, processes, system and service parameters) must be logged, assessed and authorised prior to implementation and reviewed against planned outcomes following implementation. This assures mitigation of the risks of negatively impacting the stability or integrity of the production environment.

  34. AI6 Waterfall (Back To AI6 Page 1). Control over the IT process of Manage changes that satisfies the business requirement for IT of responding to business requirements in alignment with the business strategy, whilst reducing solution and service delivery defects and rework, by focusing on controlling impact assessment, authorisation and implementation of all changes to the IT infrastructure, applications and technical solutions, minimising errors due to incomplete request specifications and halting implementation of unauthorised changes, is achieved by:
  • Defining and communicating change procedures, including emergency changes
  • Assessing, prioritising and authorising changes
  • Tracking status and reporting on changes
  and is measured by:
  • Number of disruptions or data errors caused by inaccurate specifications or incomplete impact assessment
  • Application or infrastructure rework caused by inadequate change specifications
  • Percent of changes that follow formal change control processes
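The high-level control objective (slide 33), the detailed objectives AI6.2, AI6.3 and AI6.5 (slide 18) and the waterfall metrics (slide 34) can be checked mechanically against a change log. The following added example is not from the presentation or from ISACA; the `Change` record layout and the constructed sample log are assumptions, chosen so that one record violates each control.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

@dataclass
class Change:  # hypothetical change-record shape, not a COBIT-defined format
    change_id: str
    emergency: bool
    impact_assessed: bool
    authorised: Optional[datetime]   # when approval was recorded
    implemented: Optional[datetime]  # when it reached production
    reviewed: Optional[datetime]     # post-implementation review vs planned outcome
    caused_disruption: bool = False

def ts(s):
    return datetime.fromisoformat(s) if s else None

def findings(c):
    """AI6 control checks for one change; an empty list means it followed the process."""
    out = []
    if not c.impact_assessed:
        out.append("AI6.2 no impact assessment")
    if c.authorised is None:
        out.append("AI6.2 no recorded authorisation")
    elif c.implemented and c.authorised > c.implemented and not c.emergency:
        out.append("AI6.2 authorised only after implementation")  # slide 33: authorise first
    if c.implemented and c.reviewed is None:  # emergency changes may skip prior approval,
        out.append("AI6.3 emergency change not retrospectively reviewed" if c.emergency
                   else "AI6.5 no post-implementation review")  # but never the review
    return out

def ai6_metrics(changes):
    """Slide-34 style metrics over implemented changes only (pending ones are excluded)."""
    done = [c for c in changes if c.implemented]
    formal = [c for c in done if not findings(c)]
    bad_spec = [c for c in done if c.caused_disruption and not c.impact_assessed]
    pct = round(100 * len(formal) / len(done), 1) if done else 0.0
    return {"implemented": len(done), "pct_formal": pct,
            "disruptions_from_poor_assessment": len(bad_spec),
            "non_compliant": [c.change_id for c in done if findings(c)]}

# Constructed sample change log (not real data).
SAMPLE = [
    Change("CHG-1", False, True, ts("2005-03-01T09:00"), ts("2005-03-02T20:00"), ts("2005-03-03T10:00")),
    Change("CHG-2", False, False, ts("2005-03-04T09:00"), ts("2005-03-04T18:00"), ts("2005-03-05T09:00"), True),
    Change("CHG-3", True, True, ts("2005-03-06T02:30"), ts("2005-03-06T01:00"), ts("2005-03-07T09:00")),
    Change("CHG-4", False, True, None, ts("2005-03-08T22:00"), None),
    Change("CHG-5", False, True, ts("2005-03-09T09:00"), None, None),  # still pending
]

if __name__ == "__main__":
    for c in SAMPLE:
        print(c.change_id, findings(c) or "compliant")
    print(ai6_metrics(SAMPLE))
```

CHG-3 shows the AI6.3 allowance: an emergency change authorised after deployment is still compliant because it was reviewed afterwards, whereas CHG-4 (never authorised, never reviewed) is the kind of change the slide-34 goal "halting implementation of unauthorised changes" targets.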
