John W. Lainhart IV
CISA, CISM, CGEIT, CIPP/G
Partner, Security, Privacy, Wireless & IT Governance
IBM Global Business Services
Principal Advisory to IT Governance Institute
john.w.lainhart@us.ibm.com
301-803-2745

COBIT® as a Risk Management Framework
In This Presentation...
• The Governance Environment
• An introduction to IT Governance
• An introduction to Control Objectives for Information and related Technology (COBIT®)
• Overview of COBIT® Supporting Materials
• COBIT® Mappings to Other Standards
• An introduction to Val IT™
• An introduction to Risk IT™
• Recently Announced Certification Program – CGEIT
• Questions
IT Governance, COBIT, Val IT and Risk IT Are Brought to You by …
IT Governance Institute

IT Governance Institute is a non-profit research think-tank associated with ISACA®.

IT Governance Institute Product Suite

[Figure: ITGI product suite arranged in three tiers: Governance; Business and Technology Management; Governance, Security and Assurance Management. Products shown include Board Briefing on IT Governance, COBIT 4.1, Val IT, IT Governance Implementation Guide, COBIT Control Practices, IT Assurance Guide and Information Security Governance.]
The Governance Environment
Forces Driving IT Governance

• Compliance
• Business/IT Alignment
• ROI
• Project Execution
• Security
What Makes IT Governance so important?

Drivers
• Strategic importance of IT
• Extended Enterprise
• Regulatory requirements
• Cost optimisation
• Return on investment

• Gartner – more than 600 billion $ thrown away annually on ill-conceived or ill-executed IT projects
• Standish Group – about 20% of projects fail outright, 50% are challenged and only 30% are successful
• ITGI 2005 Survey early findings confirm concerns

• Low return from high-cost IT investments, and transparency of IT’s performance are two top issues
• More than 30% claim negative return from IT investments targeting efficiency gains
• 40% do not have good alignment between IT plans and business strategy
• Interest in and use of active management of the return on IT investments has doubled in 2 years (28% to 58%)
What makes IT Governance so important?

Shareholders want protection for the Enterprise’s Share Price

“…if not filed, auditor must include a paragraph in its annual report that it cannot vouch for the enterprise’s ability as a going concern…”

“…financial reporting system is not up to speed…”

“…the company has lost a third more of its market value yesterday as it revealed a virtual collapse of its financial reporting system…”

“…data entry problems…”
The Premier IT Leaders polled by ComputerWorld Magazine put these projects at the top of their to-do lists for 2008

#1 on this list is IT Governance, including business alignment

From the Dec 10, 2007 issue of Computerworld Magazine (pg 74). Computerworld Magazine is a publication of International Data Group Inc.

IBM Confidential | © Copyright IBM Corporation 2005
An Overview of IT Governance
What is IT Governance?


“IT governance is the responsibility of the
board of directors and executive management.
It is an integral part of enterprise governance
and consists of the leadership and
organisational structures and processes that
ensure that the organisation’s IT sustains and
extends the organisation’s strategies and
objectives.”
ITGI, Board Briefing on IT Governance
IT Governance Needs a Management Framework

[Figure: the driving forces map onto the IT governance focus areas, arranged around IT Governance: Strategic Alignment, Value Delivery, Risk Management, Resource Management and Performance Measurement.]
IT Governance Focus Areas

Strategic alignment focuses on ensuring the linkage of business and IT plans; on defining, maintaining and validating the IT value proposition; on aligning IT operations with the enterprise operations; and on establishing collaborative solutions to
• Add value and competitive positioning to the enterprise’s products and services
• Contain costs while improving administrative efficiency and managerial effectiveness

[Figure: IT Governance Domains: Strategic Alignment, Value Delivery, Risk Management, Resource Management, Performance Measurement.]
IT Governance Focus Areas

Value delivery is about executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimising expenses and proving the value of IT, and on controlling projects and operational processes with practices that increase the probability of success (quality, risk, time, budget, cost, etc.)
IT Governance Focus Areas

Risk management requires risk awareness of senior corporate officers, a clear understanding of the enterprise’s appetite for risk and transparency about the significant risks to the enterprise; it embeds risk management responsibilities in the operation of the enterprise and specifically addresses the safeguarding of IT assets, disaster recovery and continuity of operations
IT Governance Focus Areas

Resource management covers the optimal investment, use and allocation of IT resources and capabilities (people, applications, technology, facilities, data) in servicing the needs of the enterprise, maximising the efficiency of these assets and optimising their costs, and specifically focuses on optimising knowledge and the IT infrastructure and on where and how to outsource
IT Governance Focus Areas

Performance measurement, tracking project delivery and monitoring IT services, using balanced scorecards that translate strategy into action to achieve goals measurable beyond conventional accounting, measuring those relationships and knowledge-based assets necessary to compete in the information age: customer focus, process efficiency and the ability to learn and grow.
IT Governance Life Cycle
IT Governance Control Cycle

Assess Environment
• Based on COBIT®, develop an approach for improved internal control to meet regulatory requirements that incorporates business and IT mission, vision, and strategy
• Establish risk management strategy
• Formally document existing processes

Maintain IT Controls Framework
• Develop controls framework to support sound business decisions
• Document integration points in the current environment
• Create an organizational mechanism to support the governance of IT
• Mitigate identified risks through the IT controls framework

Develop & Refine Governing Documents
• Utilize a central repository for governing documents
• Develop a consistent approach for creating governing documents
• Consistently apply processes and procedures
• Gain executive commitment for IT governance frameworks and structure

Communicate and Train
• Provide “Tone at the Top”
• Develop a strategic communication plan for mission objectives and overall management direction
• Execute strategic communication plan
• Implement a standard training program to avoid unnecessary and redundant training

Implement and Operate
• Align staff responsibilities with IT control objectives
• Achieve sustainability of IT controls in the operational environment
• Support continuous improvement of operational effectiveness and accountability

Measure and Validate
• Revise current metrics program to include newly defined controls
• Verify the sustainability of defined controls
• Develop cost-effective automated measurements
• Measure all processes to include Applications, Databases, Platforms and Networks

Monitor and Report
• Report on continued effectiveness of controls
• Increase transparency to auditors of issues and actions taken
• Accurately attest to IT’s compliance with policy, laws, and regulations
• Improve existing processes using metrics trending

Enforce
• Reinforce required policy compliance and standards conformance
• Define a consistent approach for enforcement across all processes
An Overview of COBIT
COBIT 4.1—The IT Governance Framework

COBIT: best practices repository for IT Processes, IT Management Processes and IT Governance Processes. The only IT management and control framework that covers the end-to-end IT life cycle.

• Internationally accepted good practices
• Management-oriented
• Freely available
• Sharing knowledge and leveraging expert volunteers
• Continually evolving
• Maintained by reputable not-for-profit organisation
• Maps 100% to COSO
• Maps strongly to all major related standards
• Is a reference, set of best practices, not an “off-the-shelf” cure
• Enterprises still need to analyse their control requirements and customise based on:
  – Value drivers
  – Risk profile
  – IT infrastructure, organisation and project portfolio
COBIT: An IT Control Framework

• Starts from the premise that IT needs to deliver the information that the enterprise needs to achieve its objectives
• Promotes process focus and process ownership
• Divides IT into 4 domains and 34 processes, with a total of 210 control objectives
• Looks at fiduciary, quality and security needs of enterprises and provides for seven information criteria that can be used to generically define what the business requires from IT
• Addresses the resources made available to and built up by IT

Domains:
1. Plan & Organise
2. Acquire & Implement
3. Deliver & Support
4. Monitor & Evaluate

Information Criteria:
1. Effectiveness
2. Efficiency
3. Availability
4. Integrity
5. Confidentiality
6. Reliability
7. Compliance

IT Resources:
1. Applications
2. Information
3. Infrastructure
4. People
Key Driving Forces for COBIT

• Business Requirements (what the stakeholders expect from IT): Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Information reliability
• IT Processes (how IT is organised to respond to the requirements): Plan and Organise; Acquire and Implement; Deliver and Support; Monitor and Evaluate
• IT Resources (the resources made available to, and built up by, IT): Applications, Information, Infrastructure, People
COBIT Framework

[Figure: the COBIT cube. Business Objectives / Criteria: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability. IT Resources: Applications, Information, Infrastructure, People. IT Life Cycle: Plan and Organise, Acquire and Implement, Deliver and Support, Monitor and Evaluate.]
COBIT Processes

Plan and Organise
PO1 Define an IT Strategic Plan
PO2 Define the Information Architecture
PO3 Determine Technological Direction
PO4 Define the IT Processes, Organisation and Relationships
PO5 Manage the IT Investment
PO6 Communicate Management Aims and Direction
PO7 Manage IT Human Resources
PO8 Manage Quality
PO9 Assess and Manage IT Risks
PO10 Manage Projects

Acquire and Implement
AI1 Identify Automated Solutions
AI2 Acquire and Maintain Application Software
AI3 Acquire and Maintain Technology Infrastructure
AI4 Enable Operation and Use
AI5 Procure IT Resources
AI6 Manage Changes
AI7 Install and Accredit Solutions and Changes

Deliver and Support
DS1 Define and Manage Service Levels
DS2 Manage Third-party Services
DS3 Manage Performance and Capacity
DS4 Ensure Continuous Service
DS5 Ensure Systems Security
DS6 Identify and Allocate Costs
DS7 Educate and Train Users
DS8 Manage Service Desk and Incidents
DS9 Manage the Configuration
DS10 Manage Problems
DS11 Manage Data
DS12 Manage the Physical Environment
DS13 Manage Operations

Monitor and Evaluate
ME1 Monitor and Evaluate IT Performance
ME2 Monitor and Evaluate Internal Control
ME3 Ensure Compliance With External Requirements
ME4 Provide IT Governance
COBIT PC and AC Processes

Process Controls
PC1 Process Goals and Objectives
PC2 Process Ownership
PC3 Process Responsibility
PC4 Roles and Responsibilities
PC5 Policy, Plans and Procedures
PC6 Process Performance Improvement

Application Controls
AC1 Source Data Preparation and Authorization
AC2 Source Data Collection and Entry
AC3 Accuracy, Completeness and Authenticity Checks
AC4 Processing Integrity and Validity
AC5 Output Review, Reconciliation and Error Handling
AC6 Transmission Authentication and Integrity
Process Level
Navigating in COBIT
Control Objectives

PO9.6 Maintenance and Monitoring of a Risk Action Plan
Prioritise and plan the control activities at all levels to implement the risk responses
identified as necessary, including identification of costs, benefits and responsibility for
execution. Obtain approval for recommended actions and acceptance of any residual
risks, and ensure that committed actions are owned by the affected process owner(s).
Monitor execution of the plans, and report on any deviations to senior management.
Management Guidelines
Maturity Model
Maturity Levels in COBIT


Non-existent    Initial   Repeatable   Defined   Managed   Optimised
     0            1           2           3        4           5



         0 - Management processes are not applied at all.
         1 - Processes are ad hoc and disorganised.
         2 - Processes follow a regular pattern.
         3 - Processes are documented and communicated.
         4 - Processes are monitored and measured.
         5 - Best practices are followed and automated.
Dimensions of Process Maturity in COBIT
    We capture process maturity data on each of
    six dimensions:
        Awareness and communication
        Policies, standards and procedures
        Tools and automation
        Skills and expertise
        Responsibility and accountability
        Goal setting and measurement
Leverage COBIT® Supporting Materials ...
Implementation Guide

IT Governance Implementation Guide, 2nd Edition
• Detailed, structured guidance to the implementation of IT governance
• Generic IT governance implementation guidance, not just COBIT

Control Practices

COBIT Control Practices, 2nd Edition
• Detailed guidance on each of the control objectives
• Management-oriented
• From three to 12 control practices per control objective
Assurance Guide

IT Assurance Guide: Using COBIT
• Detailed guidance to support assurance practitioners in:
  – Financial statement audit
  – Internal audit
  – Value for money
  – Operational improvement
• Guidance on:
  – How to leverage COBIT for assurance
  – Detailed assurance testing steps

Quickstart

For small and medium-sized organizations and larger organizations wanting to quickstart IT governance
• Selection of components from the complete COBIT framework
• Can be used as a baseline (set of “smart things to do”) for small and medium-sized enterprises and other entities where IT is not strategic or absolutely critical for survival
• Can also be a starting point for larger enterprises in their first moves toward an appropriate level of control and governance of IT
COBIT Security Baseline
COBIT Security Baseline - 44 Steps Toward Security

44 Steps Toward Security
• Define the security strategy - 1
• Define the IT organisation and relationships - 1
• Communicate management aims and direction - 1
• Manage IT human resources - 4
• Assess and manage IT risks - 3
• Identify automated solutions - 1
• Acquire and maintain application and technology infrastructure - 3
• Enable operation and use - 1
• Manage changes - 2
• Install and accredit solutions and changes - 2
• Define and manage service levels - 1
• Manage third-party services - 3
• Ensure continuous service - 3
• Ensure systems security - 8
• Manage the configuration - 2
• Manage data - 3
• Manage the physical environment - 2
• Monitor and evaluate IT performance—assess internal control adequacy - 1
• Obtain independent assurance - 1
• Ensure regulatory compliance - 1

6 Information Security Survival Kits
• Home Users
• Professional Users
• Managers
• Executives
• Senior Executives
• Board of Directors/Trustees
COBIT Mappings to Other Frameworks and Standards
Where COBIT Typically Sits

• Governance Layer: COSO, King
• Management Governance Layer: COBIT
• IT Layer: ITIL, 17799, CMM, TickIT
How COBIT Relates to Frameworks and Standards

[Figure: layered view. Strategic and Process Control levels: COBIT. Process Execution and Work Instruction levels: individual standards such as 17799, CMM and ITIL, each with its own set of work instructions (1, 2, 3, 4, 5, 6…).]
An Overview of Val IT
The Information Paradox

The value of IT is being increasingly questioned…

…yet organizations continue to spend more and more on IT
The Fundamental Question
   Are we maximizing the value of our IT-
    enabled business investments such
    that:
        we are getting optimal benefits;
        at an affordable cost; and
        with an acceptable level of risk?

     Over the full economic life-cycle
            of the investment
Without Effective Governance

Situation:
• Reluctance to say no to projects
• Lack of Strategic Focus
• Can’t kill projects
• Projects are “sold” on emotional basis -- not selected
• No strong review process
• Overemphasis on Financial ROI
• No clear strategic criteria for selection

Leads to:
• Too many projects
• Quality of execution suffers
• Underestimation of risks and costs
• Projects not aligned to strategy

Results in (symptoms):
• Budget overruns
• Project delays
• Business needs not met
• Benefits not received
• Increased Complexity
• Sub-optimal use of resources
• Finger pointing
• Lack of confidence (in IT)

Source: Fujitsu
Continuously Need to Question
Some fundamental questions about the value enabled by IT:

Are we doing the right things? The strategic question. Is the investment:
  In line with our vision?
  Consistent with our business principles?
  Contributing to our strategic objectives?
  Providing optimal value, at affordable cost, at an acceptable level of risk?

Are we doing them the right way? The architecture question. Is the investment:
  In line with our architecture?
  Consistent with our architectural principles?
  Contributing to the population of our architecture?
  In line with other initiatives?

Are we getting them done well? The delivery question. Do we have:
  Effective and disciplined delivery and change management processes?
  Competent and available technical and business resources to deliver the required capabilities, and the organisational changes required to leverage the capabilities?

Are we getting the benefits? The value question. Do we have:
  A clear and shared understanding of the expected benefits?
  Clear accountability for realising the benefits?
  Relevant metrics?
  An effective benefits realisation process?

Source: The Information Paradox
Val IT
Processes & Key Management Practices

Value Governance (VG)
  VG1  Ensure informed and committed leadership
  VG2  Define and implement processes
  VG3  Define roles and responsibilities
  VG4  Ensure appropriate and accepted accountability
  VG5  Define information requirements
  VG6  Establish reporting requirements
  VG7  Establish organisational structures
  VG8  Establish strategic direction
  VG9  Define investment categories
  VG10 Determine target portfolio mix
  VG11 Define evaluation criteria by category

Portfolio Management (PM)
  PM1  Maintain human resource inventory
  PM2  Identify resource requirements
  PM3  Perform gap analysis
  PM4  Develop resourcing plan
  PM5  Monitor resource requirements and utilisation
  PM6  Establish investment threshold
  PM7  Evaluate initial programme concept business case
  PM8  Evaluate and assign relative score to programme business case
  PM9  Create overall portfolio view
  PM10 Make and communicate investment decision
  PM11 Stage-gate (and fund) selected programmes
  PM12 Optimise portfolio performance
  PM13 Re-prioritise portfolio
  PM14 Monitor and report on portfolio performance

Investment Management (IM)
  IM1  Develop a high-level definition of investment opportunity
  IM2  Develop initial programme concept business case
  IM3  Develop clear understanding of candidate programmes
  IM4  Perform alternatives analysis
  IM5  Develop programme plan
  IM6  Develop benefits realisation plan
  IM7  Identify full life cycle costs and benefits
  IM8  Develop detailed programme business case
  IM9  Assign clear accountability and ownership
  IM10 Initiate, plan and launch the programme
  IM11 Manage programme
  IM12 Manage/track benefits
  IM13 Update business case
  IM14 Monitor and report on programme performance
  IM15 Retire programme
P3M - Projects, Programmes and Portfolios

Portfolio Management
  Portfolio: a suite of business programmes managed to optimise overall enterprise value

Programme Management
  Programme: a structured grouping of projects designed to produce clearly identified business value

Project Management
  Project: a structured set of activities concerned with delivering a defined capability based on an agreed schedule and budget
Val IT
Relationship between Processes & Practices

Value Governance (VG)
  Establish governance framework (VG1-4, VG6-7)
  Provide strategic direction (VG8)
  Establish portfolio parameters (VG5, VG9-11)

Portfolio Management (PM)
  Maintain resource profile (PM1-5)
  Maintain funding profile (PM6)
  Evaluate and prioritise investments (PM7-10)
  Move selected investments to active portfolio (PM11)
  Manage overall portfolio (PM12-13)
  Monitor and report on portfolio performance (PM14)

Investment Management (IM)
  Identify business requirements (IM1-2)
  Define candidate programme (IM3, IM5-7)
  Analyse alternatives (IM4)
  Assign accountability (IM9)
  Document business case (IM8, IM13)
  Launch programme (IM10)
  Manage programme execution (IM11-12)
  Monitor and report on programme performance (IM14)
  Retire programme (IM15)
Val IT Initiative ... a value lens into COBIT

Val IT (VG, PM, IM): governance and management of a portfolio of business change programmes.

COBIT (PO, AI, DS, ME): governance and management of a portfolio of technology projects, services, systems and supporting infrastructure.

The same four questions are asked at both layers: Are we doing the right things? Are we doing them the right way? Are we doing them well? Are we getting the benefits?

Both sit within the IT Governance focus areas: Strategic Alignment, Value Delivery, Risk Management, Resource Management and Performance Measurement.
Val IT Initiative Status
DONE
  Framework
  Business Case
  Case Study (initial)
IN PROCESS
  Extend framework to services and other IT assets/resources, and simplify
  Maturity Models
  Management Guidelines
  Taxonomy
  QuickStart Guide
  1st Qtr. of 2008
PLANNED
  Business Case v2.0
  Empirical Analysis
  Benchmarking

Available for free download from: www.isaca.org or www.itgi.org
The Business Challenge
Maximizing value and reducing risk made possible by IT both enables and requires a thorough IT governance approach that:
  Ensures clarity of, and accountability for, the desired outcomes
  Enables understanding of the full scope of effort
  Breaks down the "silos" and "connects the dots"
  Manages the full economic life-cycle
  Senses and responds to changes and deviations

This is a significant leadership challenge, opportunity and responsibility!
The Risk IT Initiative
RISK IT DESCRIPTION
A risk management framework that provides the missing link between enterprise risk management and IT management and control, fitting in the overall IT Governance framework of ITGI and building upon all existing risk-related components within the current frameworks, i.e., COBIT and Val IT.

A number of related services and products (practical guides, reference data, interfaces/mapping with other standards, ...)

RISK IT ACTIONS
ITGI Board discussion on this initiative and decision to proceed with full business case development (July 2007)
Business Case development (October 2007), including:
  Market survey
  Feasibility study
  High-level design of the product/service
  Set-up of project governance structure, incl. core team, expert team, identified project manager(s) and potential resources
  Definition of high-level development and roll-out plan
ITGI Board approved detailed business case and decision to proceed with full project (November 2007)
Risk IT Task Force members appointed (December 2007)
First Risk IT Task Force meeting held in Ghent, Belgium on 18-19 January 2008
First draft of Risk IT planned to be issued by December 2008
Risk IT
Processes & Key Management Practices
(As of the first Task Force meeting, 19 January 2008, Ghent, Belgium)

Risk Governance
Risk Management: Risk Inventory, Risk Repository, Risk Monitoring & Reporting
Glossary
High-level risk management guidance: COSO ERM, AS/NZS 4360, etc.
RISK IT Product Family - Proposed Content & Lifecycle

RELATIONSHIP OF COBIT / VAL IT / RISK IT

IT GOVERNANCE (Val IT, Risk IT)
  Set objectives:
    Align business and IT
    Enable the business and maximise benefits
    Ensure effective and efficient use of resources
    Manage IT risk as part of ERM
    Fulfil compliance requirements
  Provide direction, then translate direction into strategy

IT MANAGEMENT (COBIT)
  Translate strategy into action:
    Make the business effective
    Make the business efficient
    Manage risks (security, reliability & compliance)
    Manage service delivery consistency
  Measure and report performance, then evaluate performance against the objectives (closing the loop back to IT governance)
Certified in the Governance of Enterprise IT
(CGEIT)
Questions

Más contenido relacionado

La actualidad más candente

Transcending Enterprise Boundaries: IT consolidation in an M&A deal, By Salil...
Transcending Enterprise Boundaries: IT consolidation in an M&A deal, By Salil...Transcending Enterprise Boundaries: IT consolidation in an M&A deal, By Salil...
Transcending Enterprise Boundaries: IT consolidation in an M&A deal, By Salil...HCL Infosystems
 
HP Software - The Bto Solution
HP Software - The Bto SolutionHP Software - The Bto Solution
HP Software - The Bto SolutionHPDutchWorld
 
Guerilla Marketing of Enterprise Architecture Management
Guerilla Marketing of Enterprise Architecture ManagementGuerilla Marketing of Enterprise Architecture Management
Guerilla Marketing of Enterprise Architecture ManagementChristian Kählig
 
SilverStorm "Credibility and Collaboration to achieve excellence in IT Govern...
SilverStorm "Credibility and Collaboration to achieve excellence in IT Govern...SilverStorm "Credibility and Collaboration to achieve excellence in IT Govern...
SilverStorm "Credibility and Collaboration to achieve excellence in IT Govern...SilverStormSolutions
 
IT Governance Briefing
IT Governance BriefingIT Governance Briefing
IT Governance BriefingGreg Torski
 
2011 2012 trends in business and it
2011 2012 trends in business and it2011 2012 trends in business and it
2011 2012 trends in business and itBarry Derksen
 
Irish Government Cloud Strategy Perspective
Irish Government Cloud Strategy PerspectiveIrish Government Cloud Strategy Perspective
Irish Government Cloud Strategy PerspectiveGar Mac Críosta
 
Intro To COBIT IT Controls And Cost Benefit Analysis
Intro To COBIT IT Controls And Cost Benefit AnalysisIntro To COBIT IT Controls And Cost Benefit Analysis
Intro To COBIT IT Controls And Cost Benefit Analysiswebmentorman
 
MENA IT Governance, Risk & Compliance 2010
MENA IT Governance, Risk & Compliance 2010MENA IT Governance, Risk & Compliance 2010
MENA IT Governance, Risk & Compliance 2010Sudhakar_s
 
8 Strategies for IT Transformation
8 Strategies for IT Transformation8 Strategies for IT Transformation
8 Strategies for IT Transformationkenaibarbosa
 
Project_Paper_Presentation_ISSC471_Intindolo
Project_Paper_Presentation_ISSC471_IntindoloProject_Paper_Presentation_ISSC471_Intindolo
Project_Paper_Presentation_ISSC471_IntindoloJohn Intindolo
 
IT Strategic Planning - Methodology and Approach
IT Strategic Planning - Methodology and ApproachIT Strategic Planning - Methodology and Approach
IT Strategic Planning - Methodology and ApproachDave Shiple
 
Prinya acis slide for swpark - it & information security human resource deve...
Prinya acis slide for swpark  - it & information security human resource deve...Prinya acis slide for swpark  - it & information security human resource deve...
Prinya acis slide for swpark - it & information security human resource deve...TISA
 
The Challenge Of It In Downturn
The Challenge Of It In DownturnThe Challenge Of It In Downturn
The Challenge Of It In DownturnPéter Fehér
 
Eitm Technical Brief
Eitm Technical BriefEitm Technical Brief
Eitm Technical Briefbyunesiu
 
BiSL introduction ENG
BiSL introduction ENGBiSL introduction ENG
BiSL introduction ENGVosmeer
 
Strategic Agility Introduction
Strategic Agility IntroductionStrategic Agility Introduction
Strategic Agility Introductionrobertdbecker
 

La actualidad más candente (20)

Transcending Enterprise Boundaries: IT consolidation in an M&A deal, By Salil...
Transcending Enterprise Boundaries: IT consolidation in an M&A deal, By Salil...Transcending Enterprise Boundaries: IT consolidation in an M&A deal, By Salil...
Transcending Enterprise Boundaries: IT consolidation in an M&A deal, By Salil...
 
HP Software - The Bto Solution
HP Software - The Bto SolutionHP Software - The Bto Solution
HP Software - The Bto Solution
 
Guerilla Marketing of Enterprise Architecture Management
Guerilla Marketing of Enterprise Architecture ManagementGuerilla Marketing of Enterprise Architecture Management
Guerilla Marketing of Enterprise Architecture Management
 
SilverStorm "Credibility and Collaboration to achieve excellence in IT Govern...
SilverStorm "Credibility and Collaboration to achieve excellence in IT Govern...SilverStorm "Credibility and Collaboration to achieve excellence in IT Govern...
SilverStorm "Credibility and Collaboration to achieve excellence in IT Govern...
 
IT Governance Briefing
IT Governance BriefingIT Governance Briefing
IT Governance Briefing
 
2011 2012 trends in business and it
2011 2012 trends in business and it2011 2012 trends in business and it
2011 2012 trends in business and it
 
Enpower Process Consulting Profile
Enpower Process Consulting ProfileEnpower Process Consulting Profile
Enpower Process Consulting Profile
 
Irish Government Cloud Strategy Perspective
Irish Government Cloud Strategy PerspectiveIrish Government Cloud Strategy Perspective
Irish Government Cloud Strategy Perspective
 
Intro To COBIT IT Controls And Cost Benefit Analysis
Intro To COBIT IT Controls And Cost Benefit AnalysisIntro To COBIT IT Controls And Cost Benefit Analysis
Intro To COBIT IT Controls And Cost Benefit Analysis
 
MENA IT Governance, Risk & Compliance 2010
MENA IT Governance, Risk & Compliance 2010MENA IT Governance, Risk & Compliance 2010
MENA IT Governance, Risk & Compliance 2010
 
8 Strategies for IT Transformation
8 Strategies for IT Transformation8 Strategies for IT Transformation
8 Strategies for IT Transformation
 
Project_Paper_Presentation_ISSC471_Intindolo
Project_Paper_Presentation_ISSC471_IntindoloProject_Paper_Presentation_ISSC471_Intindolo
Project_Paper_Presentation_ISSC471_Intindolo
 
IT Strategic Planning - Methodology and Approach
IT Strategic Planning - Methodology and ApproachIT Strategic Planning - Methodology and Approach
IT Strategic Planning - Methodology and Approach
 
Prinya acis slide for swpark - it & information security human resource deve...
Prinya acis slide for swpark  - it & information security human resource deve...Prinya acis slide for swpark  - it & information security human resource deve...
Prinya acis slide for swpark - it & information security human resource deve...
 
The Challenge Of It In Downturn
The Challenge Of It In DownturnThe Challenge Of It In Downturn
The Challenge Of It In Downturn
 
Eitm Technical Brief
Eitm Technical BriefEitm Technical Brief
Eitm Technical Brief
 
BiSL introduction ENG
BiSL introduction ENGBiSL introduction ENG
BiSL introduction ENG
 
TripleTree eDiscovery
TripleTree  eDiscoveryTripleTree  eDiscovery
TripleTree eDiscovery
 
Strategic Agility Introduction
Strategic Agility IntroductionStrategic Agility Introduction
Strategic Agility Introduction
 
IS Unified "Digital Enterprise Management System" (ERP for IT, ITIL, CMMI,PMI...
IS Unified "Digital Enterprise Management System" (ERP for IT, ITIL, CMMI,PMI...IS Unified "Digital Enterprise Management System" (ERP for IT, ITIL, CMMI,PMI...
IS Unified "Digital Enterprise Management System" (ERP for IT, ITIL, CMMI,PMI...
 

Similar a Cobi t riskmanagementframework_iac

MAKING SENSE OF IT GOVERNANCE
MAKING SENSE OF IT GOVERNANCEMAKING SENSE OF IT GOVERNANCE
MAKING SENSE OF IT GOVERNANCERudy Shoushany
 
Convergence Of Technology And Core Business Strategy
Convergence Of Technology And Core Business StrategyConvergence Of Technology And Core Business Strategy
Convergence Of Technology And Core Business StrategyLee Stott
 
Creating A Necessary Dependence - IT Business Alignment
Creating A Necessary Dependence - IT Business AlignmentCreating A Necessary Dependence - IT Business Alignment
Creating A Necessary Dependence - IT Business Alignmentgmwhitfield
 
Cobit Training course
Cobit Training courseCobit Training course
Cobit Training courseIman Baradari
 
Utf8''it organizational planning report
Utf8''it organizational planning reportUtf8''it organizational planning report
Utf8''it organizational planning reportAbuallia
 
ITSM in an uncertain economy
ITSM in an uncertain economyITSM in an uncertain economy
ITSM in an uncertain economywdpowel
 
IT governance by Erik Guldentops
IT governance by Erik Guldentops  IT governance by Erik Guldentops
IT governance by Erik Guldentops CONFENIS 2012
 
Relating Enterprise Strategy
Relating Enterprise StrategyRelating Enterprise Strategy
Relating Enterprise StrategyToby_Vivek
 
High level service v2 slideshare
High level service v2 slideshare High level service v2 slideshare
High level service v2 slideshare phil1i
 
IT Governance for (smaller) Nonprofits
IT Governance for (smaller) NonprofitsIT Governance for (smaller) Nonprofits
IT Governance for (smaller) NonprofitsNTEN
 
IT Governance for Nonprofits
IT Governance for NonprofitsIT Governance for Nonprofits
IT Governance for NonprofitsDonny Shimamoto
 
Whitepaper Practical Information Technology Governance
Whitepaper   Practical Information Technology GovernanceWhitepaper   Practical Information Technology Governance
Whitepaper Practical Information Technology GovernanceAlan McSweeney
 
Benefits Identification, Assessment, Validation and Realisation for Informati...
Benefits Identification, Assessment, Validation and Realisation for Informati...Benefits Identification, Assessment, Validation and Realisation for Informati...
Benefits Identification, Assessment, Validation and Realisation for Informati...Alan McSweeney
 
Capital Planning And Investment Management And Control In Information Technology
Capital Planning And Investment Management And Control In Information TechnologyCapital Planning And Investment Management And Control In Information Technology
Capital Planning And Investment Management And Control In Information TechnologyAlan McSweeney
 

Similar a Cobi t riskmanagementframework_iac (20)

IT Governance - OpenThinking Day
IT Governance - OpenThinking DayIT Governance - OpenThinking Day
IT Governance - OpenThinking Day
 
MAKING SENSE OF IT GOVERNANCE
MAKING SENSE OF IT GOVERNANCEMAKING SENSE OF IT GOVERNANCE
MAKING SENSE OF IT GOVERNANCE
 
Convergence Of Technology And Core Business Strategy
Convergence Of Technology And Core Business StrategyConvergence Of Technology And Core Business Strategy
Convergence Of Technology And Core Business Strategy
 
Creating A Necessary Dependence - IT Business Alignment
Creating A Necessary Dependence - IT Business AlignmentCreating A Necessary Dependence - IT Business Alignment
Creating A Necessary Dependence - IT Business Alignment
 
Simplifying IT GRC
Simplifying IT GRCSimplifying IT GRC
Simplifying IT GRC
 
Cobit Training course
Cobit Training courseCobit Training course
Cobit Training course
 
Utf8''it organizational planning report
Utf8''it organizational planning reportUtf8''it organizational planning report
Utf8''it organizational planning report
 
IT_Governance iia uganda_presentation_ruyooka_2011
IT_Governance iia uganda_presentation_ruyooka_2011IT_Governance iia uganda_presentation_ruyooka_2011
IT_Governance iia uganda_presentation_ruyooka_2011
 
ITSM in an uncertain economy
ITSM in an uncertain economyITSM in an uncertain economy
ITSM in an uncertain economy
 
IT governance by Erik Guldentops
IT governance by Erik Guldentops  IT governance by Erik Guldentops
IT governance by Erik Guldentops
 
Relating Enterprise Strategy
Relating Enterprise StrategyRelating Enterprise Strategy
Relating Enterprise Strategy
 
What is Cobit
What is CobitWhat is Cobit
What is Cobit
 

Cobi t riskmanagementframework_iac

  • 1. John W. Lainhart IV, CISA, CISM, CGEIT, CIPP/G; Partner, Security, Privacy, Wireless & IT Governance, IBM Global Business Services; Principal Advisory to IT Governance Institute; john.w.lainhart@us.ibm.com; 301-803-2745. COBIT® as a Risk Management Framework
  • 2. In This Presentation... The Governance Environment An introduction to IT Governance An introduction to Control Objectives for Information and related Technology (COBIT®) Overview of COBIT® Supporting Materials COBIT® Mappings to Other Standards An introduction to ValIT™ An introduction to RiskIT™ Recently Announced Certification Program – CGEIT Questions
  • 3. IT Governance, COBIT, Val IT and Risk IT Are Brought to You by …
  • 4. IT Governance Institute IT Governance Institute is a non-profit research think-tank associated with ISACA®
  • 5. IT Governance Institute Product Suite. Layers: Governance; Business and Technology Management; Governance, Security and Assurance Management. Products: Board Briefing on IT Governance; COBIT 4.1; Val IT; IT Governance Implementation Guide; COBIT Control Practices; IT Assurance Guide; Information Security Governance
  • 7. Forces Driving IT Governance: Business/IT Alignment; Compliance; ROI; Project Execution; Security
  • 8. What Makes IT Governance so important? Drivers: strategic importance of IT; extended enterprise; regulatory requirements; cost optimisation; return on investment. Gartner – more than 600 billion $ thrown away annually on ill conceived or ill executed IT projects. Standish Group – about 20% of projects fail outright, 50% are challenged and only 30% are successful. ITGI 2005 Survey early findings confirm concerns: low return from high-cost IT investments, and transparency of IT’s performance, are two top issues; more than 30% claim negative return from IT investments targeting only efficiency gains; 40% do not have good alignment between IT plans and business strategy; interest in and use of active management of the return on IT investments has doubled in 2 years (28% to 58%)
  • 9. What makes IT Governance so important? Shareholders want protection for the Enterprise’s Share Price “…if not filed, auditor must include a paragraph in its annual report that it cannot vouch for the enterprise’s ability as a going concern…” “…financial reporting system is not up to speed…” “…the company has lost a third more of its market value yesterday as it revealed a virtual collapse of its financial reporting system…” “…data entry problems…”
  • 10. Premier IT Leaders polled by Computerworld Magazine put these projects at the top of their to-do lists for 2008; #1 on this list is IT Governance, including business alignment. From the Dec 10, 2007 issue of Computerworld Magazine (pg 74). Computerworld Magazine is a publication of International Data Group Inc. (IBM Global Business Services; IBM Confidential | © Copyright IBM Corporation 2005)
  • 11. An Overview of IT Governance
  • 12. What is IT Governance? “IT governance is the responsibility of the board of directors and executive management. It is an integral part of enterprise governance and consists of the leadership and organisational structures and processes that ensure that the organisation’s IT sustains and extends the organisation’s strategies and objectives.” ITGI, Board Briefing on IT Governance
  • 13. IT Governance Needs a Management Framework: the driving forces map onto the IT Governance Focus Areas (strategic alignment, value delivery, risk management, resource management, performance measurement)
  • 14. IT Governance Focus Areas. Strategic alignment focuses on ensuring the linkage of business and IT plans; on defining, maintaining and validating the IT value proposition; on aligning IT operations with the enterprise operations; and on establishing collaborative solutions to add value and competitive positioning to the enterprise’s products and services, and to contain costs while improving administrative efficiency and managerial effectiveness
  • 15. IT Governance Focus Areas. Value delivery is about executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimising expenses and proving the value of IT, and on controlling projects and operational processes with practices that increase the probability of success (quality, risk, time, budget, cost, etc.)
  • 16. IT Governance Focus Areas. Risk management requires risk awareness of senior corporate officers, a clear understanding of the enterprise’s appetite for risk and transparency about the significant risks to the enterprise; it embeds risk management responsibilities in the operation of the enterprise and specifically addresses the safeguarding of IT assets, disaster recovery and continuity of operations
  • 17. IT Governance Focus Areas. Resource management covers the optimal investment, use and allocation of IT resources and capabilities (people, applications, technology, facilities, data) in servicing the needs of the enterprise, maximising the efficiency of these assets and optimising their costs, and specifically focuses on optimising knowledge and the IT infrastructure and on where and how to outsource
  • 18. IT Governance Focus Areas. Performance measurement tracks project delivery and monitors IT services, using balanced scorecards that translate strategy into action to achieve goals measurable beyond conventional accounting, measuring those relationships and knowledge-based assets necessary to compete in the information age: customer focus, process efficiency and the ability to learn and grow
  • 21. IT Governance Control Cycle Assess Environment •Based on COBIT®, develop an approach for improved internal control to meet regulatory requirements that incorporates business and IT mission, vision, and strategy •Establish risk management strategy •Formally document existing processes
  • 22. IT Governance Control Cycle Maintain IT Controls Framework •Develop a controls framework to support sound business decisions •Document integration points in the current environment •Create an organizational mechanism to support the governance of IT •Mitigate identified risks through the IT controls framework
  • 23. IT Governance Control Cycle Develop & Refine Governing Documents •Utilize a central repository for governing documents •Develop a consistent approach for creating governing documents •Consistently apply processes and procedures •Gain executive commitment for IT governance frameworks and structure
  • 24. IT Governance Control Cycle Communicate and Train •Provide “Tone at the Top” •Develop a strategic communication plan for mission objectives and overall management direction •Execute strategic communication plan •Implement a standard training program to avoid unnecessary and redundant training
  • 25. IT Governance Control Cycle Implement and Operate •Align staff responsibilities with IT control objectives •Achieve sustainability of IT controls in the operational environment •Support continuous improvement of operational effectiveness and accountability
  • 26. IT Governance Control Cycle Measure and Validate •Revise current metrics program to include newly defined controls •Verify the sustainability of defined controls •Develop cost effective automated measurements •Measure all processes to include Applications, Databases, Platforms and Networks
  • 27. IT Governance Control Cycle Monitor and Report •Report on continued effectiveness of controls •Increase transparency to auditors of issues and actions taken •Accurately attest to IT’s compliance with policy, laws, and regulations •Improve existing processes using metrics trending
  • 28. IT Governance Control Cycle Enforce •Reinforce required policy compliance and standards conformance •Define a consistent approach for enforcement across all processes
  • 29. An Overview of COBIT
  • 30. COBIT 4.1—The IT Governance Framework. COBIT: internationally accepted good practices; management-oriented; freely available; continually evolving; maintained by a reputable not-for-profit organisation; maps 100% to COSO; maps strongly to all major related standards; is a reference set of best practices, not an “off-the-shelf” cure (enterprises still need to analyse their control requirements and customise based on value drivers, risk profile, IT infrastructure, organisation and project portfolio). COBIT is a best-practices repository for IT processes, IT management processes and IT governance processes, sharing knowledge and leveraging expert volunteers, and is the only IT management and control framework that covers the end-to-end IT life cycle
  • 31. COBIT: An IT Control Framework. Starts from the premise that IT needs to deliver the information that the enterprise needs to achieve its objectives. Promotes process focus and process ownership. Divides IT into 4 domains and 34 processes, with a total of 210 control objectives. Looks at fiduciary, quality and security needs of enterprises and provides for seven information criteria that can be used to generically define what the business requires from IT. Addresses the resources made available to and built up by IT. Domains: 1. Plan & Organize; 2. Acquire & Implement; 3. Delivery & Support; 4. Monitor & Evaluate. Information Criteria: 1. Effectiveness; 2. Efficiency; 3. Availability; 4. Integrity; 5. Confidentiality; 6. Reliability; 7. Compliance. IT Resources: 1. Applications; 2. Information; 3. Infrastructure; 4. People
  • 32. Key Driving Forces for COBIT. Business Requirements (what the stakeholders expect from IT): effectiveness, efficiency, confidentiality, integrity, availability, compliance, information reliability. IT Processes (how IT is organised to respond to the requirements): Plan and Organise; Acquire and Implement; Deliver and Support; Monitor and Evaluate. IT Resources (the resources made available to, and built up by, IT): applications, information, infrastructure, people
  • 33. COBIT Framework. Business Objectives drive the information criteria: effectiveness, efficiency, confidentiality, integrity, availability, compliance, reliability. IT Resources: applications, information, infrastructure, people. IT Life Cycle: Plan and Organise; Acquire and Implement; Deliver and Support; Monitor and Evaluate
  • 34. COBIT Processes. Plan and Organise: PO1 Define an IT Strategic Plan; PO2 Define the Information Architecture; PO3 Determine Technological Direction; PO4 Define the IT Processes, Organisation and Relationships; PO5 Manage the IT Investment; PO6 Communicate Management Aims and Direction; PO7 Manage IT Human Resources; PO8 Manage Quality; PO9 Assess and Manage IT Risks; PO10 Manage Projects. Acquire and Implement: AI1 Identify Automated Solutions; AI2 Acquire and Maintain Application Software; AI3 Acquire and Maintain Technology Infrastructure; AI4 Enable Operation and Use; AI5 Procure IT Resources; AI6 Manage Changes; AI7 Install and Accredit Solutions and Changes
  • 35. COBIT Processes. Deliver and Support: DS1 Define and Manage Service Levels; DS2 Manage Third-party Services; DS3 Manage Performance and Capacity; DS4 Ensure Continuous Service; DS5 Ensure Systems Security; DS6 Identify and Allocate Costs; DS7 Educate and Train Users; DS8 Manage Service Desk and Incidents; DS9 Manage the Configuration; DS10 Manage Problems; DS11 Manage Data; DS12 Manage the Physical Environment; DS13 Manage Operations. Monitor and Evaluate: ME1 Monitor and Evaluate IT Performance; ME2 Monitor and Evaluate Internal Control; ME3 Ensure Compliance With External Requirements; ME4 Provide IT Governance
  • 36. COBIT PC and AC Processes. Process Controls: PC1 Process Goals and Objectives; PC2 Process Ownership; PC3 Process Responsibility; PC4 Roles and Responsibilities; PC5 Policy, Plans and Procedures; PC6 Process Performance Improvement. Application Controls: AC1 Source Data Preparation and Authorization; AC2 Source Data Collection and Entry; AC3 Accuracy, Completeness and Authenticity Checks; AC4 Processing Integrity and Validity; AC5 Output Review, Reconciliation and Error Handling; AC6 Transmission Authentication and Integrity
  • 38. Control Objectives. PO9.6 Maintenance and Monitoring of a Risk Action Plan: Prioritise and plan the control activities at all levels to implement the risk responses identified as necessary, including identification of costs, benefits and responsibility for execution. Obtain approval for recommended actions and acceptance of any residual risks, and ensure that committed actions are owned by the affected process owner(s). Monitor execution of the plans, and report on any deviations to senior management.
  • 42. Maturity Levels in COBIT: 0 Non-existent; 1 Initial; 2 Repeatable; 3 Defined; 4 Managed; 5 Optimised. 0 - Management processes are not applied at all. 1 - Processes are ad hoc and disorganised. 2 - Processes follow a regular pattern. 3 - Processes are documented and communicated. 4 - Processes are monitored and measured. 5 - Best practices are followed and automated.
  • 43. Dimensions of Process Maturity in COBIT. We capture process maturity data on each of six dimensions: awareness and communication; policies, standards and procedures; tools and automation; skills and expertise; responsibility and accountability; goal setting and measurement
  • 44. Leverage COBIT ® Supporting Materials ...
  • 46. Implementation Guide IT Governance Implementation Guide, 2nd Edition  Detailed, structured guidance to the implementation of IT governance  Generic IT governance implementation guidance, not just COBIT
  • 48. Control Practices COBIT Control Practices, 2nd Edition  Detailed guidance on each of the control objectives  Management-oriented  From three to 12 control practices per control objective
  • 50. Assurance Guide IT Assurance Guide: Using COBIT  Detailed guidance to support assurance practitioners in:  Financial statement audit  Internal audit  Value for money  Operational improvement  Guidance on:  How to leverage COBIT for assurance  Detailed assurance testing steps
  • 52. Quickstart For small and medium sized organizations and larger organizations wanting to quickstart IT governance  Selection of components from the complete COBIT framework  Can be used as a baseline (set of “smart things to do”) for small and medium-sized enterprises and other entities where IT is not strategic or absolutely critical for survival  Can also be a starting point for larger enterprises in their first moves toward an appropriate level of control and governance of IT
  • 53. COBIT Security Baseline
  • 54. COBIT Security Baseline - 44 Steps Toward Security: Define the security strategy (1); Define the IT organisation and relationships (1); Communicate management aims and direction (1); Manage IT human resources (4); Assess and manage IT risks (3); Identify automated solutions (1); Acquire and maintain application and technology infrastructure (3); Enable operation and use (1); Manage changes (2); Install and accredit solutions and changes (2); Define and manage service levels (1); Manage third-party services (3); Ensure continuous service (3); Ensure systems security (8); Manage the configuration (2); Manage data (3); Manage the physical environment (2); Monitor and evaluate IT performance, assess internal control adequacy (1); Obtain independent assurance (1); Ensure regulatory compliance (1). 6 Information Security Survival Kits: Home Users; Professional Users; Managers; Executives; Senior Executives; Board of Directors/Trustees
  • 55. COBIT Mappings to Other Frameworks and Standards
  • 56. Where COBIT Typically Sits. Governance layer: COSO, King. Management layer: COBIT. IT layer: ITIL, 17799, CMM, TickIT
  • 57. How COBIT Relates to Frameworks and Standards. Strategic level: COBIT process control (process XY, control objectives ##). Process execution level: CMM, ITIL work instructions (work instruction steps 2, 3, 4, 5, 6 …)
  • 58. How COBIT Relates to Frameworks and Standards (same diagram as slide 57)
  • 59. An Overview of Val IT
  • 60. The Information Paradox. The value of IT is being increasingly questioned... yet organizations continue to spend more and more on IT
  • 61. The Fundamental Question. Are we maximizing the value of our IT-enabled business investments such that: we are getting optimal benefits; at an affordable cost; and with an acceptable level of risk? Over the full economic life-cycle of the investment
  • 62. Without Effective Governance. Situation: reluctance to say no to projects; lack of strategic focus; can’t kill projects; projects are “sold” on emotional basis, not selected; no strong review process; overemphasis on financial ROI; no clear strategic criteria for selection. Leads to (symptoms): budget overruns; project delays; too many projects; quality of execution suffers; increased complexity; underestimation of risks and costs; projects not aligned to strategy. Results in: business needs not met; benefits not received; sub-optimal use of resources; finger pointing; lack of confidence (in IT). Source: Fujitsu
  • 63. Continuously Need to Question. Some fundamental questions about the value enabled by IT: Are we doing the right things? Are we doing them the right way? Are we getting them done well? Are we getting the benefits? The strategic question. Is the investment: in line with our vision? consistent with our business principles? contributing to our strategic objectives? providing optimal value, at affordable cost, at an acceptable level of risk? The architecture question. Is the investment: in line with our architecture? consistent with our architectural principles? contributing to the population of our architecture? in line with other initiatives? The delivery question. Do we have: effective and disciplined delivery and change management processes? competent and available technical and business resources to deliver the required capabilities and the organisational changes required to leverage the capabilities? The value question. Do we have: a clear and shared understanding of the expected benefits? clear accountability for realising the benefits? relevant metrics? an effective benefits realisation process? Source: The Information Paradox
  • 64. Val IT Processes & Key Management Practices. Value Governance (VG): VG1 Ensure informed and committed leadership; VG2 Define and implement processes; VG3 Define roles & responsibilities; VG4 Ensure appropriate and accepted accountability; VG5 Define information requirements; VG6 Establish reporting requirements; VG7 Establish organisational structures; VG8 Establish strategic direction; VG9 Define investment categories; VG10 Determine target portfolio mix; VG11 Define evaluation criteria by category. Portfolio Management (PM): PM1 Maintain human resource inventory; PM2 Identify resource requirements; PM3 Perform gap analysis; PM4 Develop resourcing plan; PM5 Monitor resource requirements and utilisation; PM6 Establish investment threshold; PM7 Evaluate initial programme concept business case; PM8 Evaluate & assign relative score to programme business case; PM9 Create overall portfolio view; PM10 Make and communicate investment decision; PM11 Stage-gate (and fund) selected programmes; PM12 Optimize portfolio performance; PM13 Re-prioritise portfolio; PM14 Monitor and report on portfolio performance. Investment Management (IM): IM1 Develop a high-level definition of investment opportunity; IM2 Develop initial programme concept business case; IM3 Develop clear understanding of candidate programmes; IM4 Perform alternatives analysis; IM5 Develop programme plan; IM6 Develop benefits realisation plan; IM7 Identify full life cycle costs & benefits; IM8 Develop detailed programme business case; IM9 Assign clear accountability & ownership; IM10 Initiate, plan and launch the programme; IM11 Manage programme; IM12 Manage/track benefits; IM13 Update business case; IM14 Monitor and report on programme performance; IM15 Retire programme
  • 65. P3M - Projects, Programs, and Portfolios. Portfolio Management: Portfolio – a suite of business programmes managed to optimise overall enterprise value. Programme Management: Programme – a structured grouping of projects designed to produce clearly identified business value. Project Management: Project – a structured set of activities concerned with delivering a defined capability based on an agreed schedule and budget
  • 66. Val IT Relationship between Processes & Practices. Value Governance: Establish governance framework (VG1-4, VG6-7); Provide strategic direction (VG5, VG8); Establish portfolio parameters (VG9-11). Portfolio Management: Maintain resource profile (PM1-5); Maintain funding profile (PM6); Evaluate & prioritize investments (PM7-10); Move selected investments to active portfolio (PM11); Manage overall portfolio (PM12-13); Monitor & report on portfolio performance (PM14). Investment Management: Identify business requirements and define candidate programme (IM1-2); Analyse alternatives (IM4); Document business case (IM3, IM5-8, IM13); Assign accountability (IM9); Launch programme (IM10); Manage programme execution (IM11-12); Monitor & report on programme performance (IM14); Retire programme (IM15)
  • 67. Val IT Initiative: a value lens into COBIT™. Val IT (VG, PM, IM): governance & management of a portfolio of business change programmes. COBIT (PO, AI, DS, ME): governance & management of a portfolio of technology projects, services, systems & supporting infrastructure. Both are framed by the IT governance focus areas (strategic alignment, value delivery, risk management, resource management, performance measurement) and by the four questions: Are we doing the right things? Are we doing them the right way? Are we doing them well? Are we getting the benefits?
  • 68. Val IT Initiative Status. DONE: Framework; Business Case; Case Study (initial). IN PROCESS: extend framework to services & other IT assets/resources & simplify; Maturity Models; Management Guidelines; Taxonomy; QuickStart Guide (1st Qtr. of 2008). PLANNED: Business Case v2.0; Empirical Analysis; Benchmarking. Available for free download from www.isaca.org or www.itgi.org
  • 69. The Business Challenge. Maximizing value and reducing risk made possible by IT both enables and requires a thorough IT governance approach that: ensures clarity of, and accountability for, the desired outcomes; enables understanding of the full scope of effort; breaks down the “silos” and “connects the dots”; manages the full economic life-cycle; senses and responds to changes and deviations. This is a significant leadership challenge, opportunity and responsibility!
  • 70. The Risk IT Initiative
  • 71. RISK IT DESCRIPTION A risk management framework that provides the missing link between enterprise risk management and IT Management and control, fitting in the overall IT Governance framework of ITGI, and building upon all existing risk related components within the current frameworks, i.e., COBIT and Val IT A number of related services and products (practical guides, reference data, interfaces/mapping with other standards, …)
  • 72. RISK IT ACTIONS  ITGI Board discussion on this initiative and decision to proceed with full business case development (July 2007)  Business Case development, (October 2007) including Market survey Feasibility study High-level design of the product/service Set-up project governance structure, incl. Core Team, expert team, identify project manager(s) and potential resources Define high-level development and roll-out plan  ITGI Board approved detailed business case and decision to proceed with full project (November 2007)  RiskIT Task Force members appointed (December 2007)  First RiskIT Task Force meeting held in Ghent, Belgium on 18-19 January 2008  First draft RiskIT planned to be issued by December 2008
  • 73. Risk IT Processes & Key Management Practices (as of the 19 January 2008 first Task Force meeting in Ghent, Belgium). Components: Risk Governance; Risk Inventory / Repository; Risk Management; Risk Monitoring & Reporting; Glossary. High Level Risk Management Guidance: COSO ERM, AS/NZS 4360, etc.
  • 74. RISK IT Product Family – Proposed Content & Lifecycle
  • 75. Relationship of COBIT / Val IT / Risk IT. IT Governance (Val IT, Risk IT): set objectives (align business and IT; enable the business and maximise benefits; ensure effective and efficient use of resources; manage IT risk as part of ERM; fulfil compliance requirements); provide direction; evaluate performance. Cycle: set objectives; provide direction; translate direction into strategy; translate strategy into action; measure and report performance; evaluate performance. IT Management (COBIT): make the business effective; make the business efficient; manage risks (security, reliability & compliance); manage service delivery consistency
  • 76. Certified in the Governance of Enterprise IT (CGEIT)

Editor's notes

  1. SKIP