The document describes the importance of integrating different IT reference frameworks in order to align IT with business objectives. It explains frameworks such as ITIL, COBIT, eTOM and MOF, as well as ISO standards such as ISO 20000, ISO 27001 and ISO 38500. It highlights the need to adopt a comprehensive approach to IT governance and management that covers areas such as services, processes, risks and regulatory compliance.
4. Enterprise and IT Governance (diagram labels)
Disciplines: ITIL® / ASL / ISO 17799 / PMI / ISO
Regulations: Reporting / Privacy
Corporate Objectives
Internal risk control framework (COSO)
IT Governance framework (COBIT)
Drivers
Enterprise Risk Management
IT Controls Management Guidelines
Control Standards
Ownership and Responsibility
Monitoring and Reporting
12. COBIT Domains: Planning and Organization (PO); Acquisition and Implementation (AI); Delivery and Support (DS); Monitoring and Evaluation (ME)
13. 34 Control Objectives
Planning and Organization
PO1 Define a strategic IT plan
PO2 Define the information architecture
PO3 Determine technological direction
PO4 Define the IT processes, organization and relationships
PO5 Manage the IT investment
PO6 Communicate management aims and direction
PO7 Manage IT human resources
PO8 Manage quality
PO9 Assess and manage IT risks
PO10 Manage projects
Acquisition and Implementation
AI1 Identify automated solutions
AI2 Acquire and maintain application software
AI3 Acquire and maintain technology infrastructure
AI4 Enable operation and use
AI5 Procure IT resources
AI6 Manage changes
AI7 Install and accredit solutions and changes
Delivery and Support
DS1 Define and manage service levels
DS2 Manage third-party services
DS3 Manage performance and capacity
DS4 Ensure continuous service
DS5 Ensure systems security
DS6 Identify and allocate costs
DS7 Educate and train users
DS8 Manage Service Desk and incidents
DS9 Manage the configuration
DS10 Manage problems
DS11 Manage data
DS12 Manage the physical environment
DS13 Manage operations
Monitoring and Evaluation
ME1 Monitor and evaluate IT performance
ME2 Monitor and evaluate internal control
ME3 Ensure regulatory compliance
ME4 Provide IT Governance
18. Maturity Levels
Optimized: focused on continuous process improvement
Quantitatively Managed: processes measured and controlled
Defined: processes characterized by the organization, and proactive
Managed: processes seen as projects, often reactive
Initial: processes unpredictable, poorly controlled and reactive
24. ISO 20000 Service Management Processes: Service Delivery Processes; Control Processes; Release Processes; Resolution Processes; Relationship Processes
43. The Deming Cycle (figure: PLAN, DO, CHECK, ACT plotted against Time and Maturity Level)
Continuous quality control; effective quality improvement
Consolidation of the level reached, i.e. ISO 9001 or British Standard
Alignment of IT with the Business
Plan (Project Plan), Do (Project), Check (Audit), Act (New Actions)
45. IT Governance Model (diagram labels)
Headings: IT OPERATIONS; Audit Models; Quality Systems and Reference Frameworks
IT areas: Service Management, Application Development, Project Management, IT Planning, IT Security, Quality System
Frameworks and regulations: COBIT, COSO, ISO 27001, PMI, ISO, Six Sigma, IS Strategy, TSO, ASL, RUP, Sarbanes-Oxley / CNBV, United States SEC (Securities and Exchange Commission), ITIL, ISO 20000, CMM
46. Service Model
Business drivers should determine the IT services and the objectives of the processes.
Diagram labels: IT Objectives, IT Processes, IT Services, Business Drivers, Business Objectives, Business Requirements, Applications, Information, Infrastructure, People, Business Requirements, Resources, Processes, Services
Frameworks: CMMi, RUP; ITIL – ISO 20000; Security – ISO 27001; Projects – PMI; Quality Systems – ISO / 6σ
48. Pink Elephant - Experts in IT Service Management www.pinkelephant.com
Editor's Notes
Essentials V 7.0 Remind participants that we don’t do this simply for the sake of an ‘introduction’, but that there is key information in this intro that they are likely to be examined on.
Essentials V 7.0 Workbook Guide and Instructors Guide: The key drivers for IT governance have been corporate objectives. The business, driven by regulatory requirements on privacy, security and financial reporting (SOX s404, Canadian Bill 198, etc.), has required that IT be more transparent in terms of its activities, hold back-up data, and be able to attest to financial reporting under SOX. This requires an assurance that financial reporting systems are available and that any risks relating to availability (lack of change control, etc.) are managed. In addition, the data needs to be secure and accurate. Corporate objectives are also a driver in the need to push towards greater efficiencies, cost reduction and cost transparency in IT. SOX did not specify how to ensure governance, only that it needs to be done. COSO, an enterprise-wide risk control framework, required IT controls to be clearly defined. COBIT is the IT governance framework which integrates into COSO, which is enterprise-wide. As governance frameworks, COSO and COBIT emphasize ‘what’ controls are needed and provide management guidelines for these controls. The frameworks do not go into the details of specifying how it should be done. As such, disciplines such as ITIL, PMI, etc. support and integrate with overall control frameworks like COBIT.
1.5 Structure and scope of the ICT book
Figure 1.5 of the ICT book presents the main ICTIM processes described in detail in the following chapters of this book. The relationships to each other and with Service Management and Application Management are also shown. The main ICTIM processes as shown in Figure 1.5 are:
Design and Planning: concerned with the creation and/or improvement of the ICT solution
Deployment: concerned with the implementation and rolling out of the business and/or ICT solution as designed and planned, with minimum disruption to the business processes
Operations: concerned with the daily housekeeping and maintenance of the ICT infrastructure
Technical Support: concerned with structuring and underpinning other processes to guarantee the services delivered by ICTIM.
Planning and Organization (PO): This domain covers strategy and tactics, and concerns the identification of the way IT can best contribute to the achievement of the business objectives. Besides that, the realization of the strategic vision has to be planned, communicated and managed from different perspectives (e.g. information architecture and technological direction). Finally, a proper organization as well as technological infrastructure must be in place.
Acquisition and Implementation (AI): To realize the IT strategy, IT solutions need to be identified, developed or acquired, as well as implemented and integrated into the business process. In addition, changes in and maintenance of existing systems are covered by this domain to make sure that the life cycle is continued for these systems.
Delivery and Support (DS): This domain is concerned with the actual delivery of required services, which range from traditional operations through security and continuity aspects to training. In order to deliver services, the necessary support processes must be set up. This domain includes the actual processing of data by application systems, often classified under application controls.
Monitoring (M): All IT processes need to be regularly assessed over time for their quality and compliance with control requirements. This domain addresses management’s oversight of the organization’s control process and the independent assurance provided by internal and external audit or obtained from alternative sources.
Basic Concepts
Information Security Policy: The Information Security Policy must have the full backing of senior IT executive management and, ideally, the support and commitment of senior business management executives.
Security Management Information System (SMIS): The framework, or the SMIS in turn, provides the basis for developing a cost-effective information security programme that supports the business objectives. The five elements within this framework are: Control, Plan, Implement, Evaluate and Maintain.
Information Security Governance: Information Security Governance, when implemented correctly, should deliver six basic outcomes: Strategic alignment; Value delivery; Risk management; Performance management; Resource management; Business process assurance.