GRC
GRC:
• Governance, risk management and compliance
• An increasingly used ‘umbrella term’ that covers these three areas of enterprise activities
• These areas of activity are progressively being more aligned and integrated to improve enterprise performance and delivery of stakeholder needs.
GRC Definitions
GRC:
• Governance—Exercise of authority; control; government; arrangement.
• Risk (management)—Hazard; danger; peril; exposure to loss, injury, or destruction (The act or art of managing; the manner of treating, directing, carrying on, or using, for a purpose; conduct; administration; guidance; control)
• Compliance—The act of complying; a yielding; as to a desire, demand, or proposal; concession; submission
Source: Webster’s Online Dictionary
Types of Governance
• Different types of governance exist:
  • Corporate governance
  • Project governance
  • Information technology governance
  • Environmental governance
  • Economic and financial governance
• Each type has one or more sources of guidance, each with similar goals but often varying terms and techniques for their achievement.
Implementing Governance
• The integration of the implementation of the GRC activities within an enterprise requires a systemic approach for reliably achieving the business goals of its stakeholders.
• Such approaches are typically based on enablers of various types (e.g., principles, policies, models, frameworks, organisational structures).
A GRC Model Example
• From the OCEG Red Book GRC Capability Model version 2.1
Corporate Governance of IT
ISO/IEC 38500:2008 Corporate governance of information technology
1.1 Scope
• This standard provides guiding principles for directors of organizations (including owners, board members, directors, partners, senior executives, or similar) on the effective, efficient, and acceptable use of Information Technology (IT) within their organizations.
• This standard applies to the governance of management processes (and decisions) relating to the information and communication services used by an organization. These processes could be controlled by IT specialists within the organization or external service providers, or by business units within the organization.
Corporate Governance of IT (cont.)
ISO/IEC 38500:2008 Corporate governance of information technology
2.1 Principles
• 2.1.1 Principle 1: Responsibility
• 2.1.2 Principle 2: Strategy
• 2.1.3 Principle 3: Acquisition
• 2.1.4 Principle 4: Performance
• 2.1.5 Principle 5: Conformance
• 2.1.6 Principle 6: Human Behaviour
Corporate Governance of IT (cont.)
ISO/IEC 38500:2008 Corporate governance of information technology
2.2 Model
Directors should govern IT through three main tasks:
a) Evaluate the current and future use of IT.
b) Direct preparation and implementation of plans and policies to ensure that use of IT meets business objectives.
c) Monitor conformance to policies, and performance against the plans.
ISACA and COBIT
• ISACA actively promotes research that results in the development of products both relevant and useful to IT governance, risk, control, assurance and security professionals.
• ISACA developed and maintains the internationally recognised COBIT framework, helping IT professionals and enterprise leaders fulfil their IT governance responsibilities while delivering value to the business.
COBIT: Governance of Enterprise IT (GEIT)
[Figure: Evolution of scope. Scope layers from narrowest to broadest: Audit, Control, Management, IT Governance. Timeline: COBIT1 (1996), COBIT2 (1998), COBIT3 (2000), COBIT4.0/4.1 (2005/7), 2012; Val IT 2.0 (2008) and Risk IT (2009) shown alongside.]
A business framework from ISACA, at www.isaca.org/cobit
Source: COBIT® 5 Introduction Presentation © 2012 ISACA® All rights reserved.
COBIT 5 in Overview
COBIT 5 brings together the five principles that allow the enterprise to build an effective governance and management framework based on a holistic set of seven enablers that optimises information and technology investment and use for the benefit of stakeholders.
The COBIT 5 Framework
• Simply stated, COBIT 5 helps enterprises to create optimal value from IT by maintaining a balance between realising benefits and optimising risk levels and resource use.
• COBIT 5 enables information and related technology to be governed and managed in a holistic manner for the whole enterprise, taking in the full end-to-end business and functional areas of responsibility, considering the IT-related interests of internal and external stakeholders.
• The COBIT 5 principles and enablers are generic and useful for enterprises of all sizes, whether commercial, not-for-profit or in the public sector.
COBIT 5 Principles
Source: COBIT® 5, figure 2. © 2012 ISACA® All rights reserved.
COBIT 5 Enterprise Enablers
Source: COBIT® 5, figure 12. © 2012 ISACA® All rights reserved.
Governance (and Management) in COBIT 5
• Governance ensures that enterprise objectives are achieved by evaluating stakeholder needs, conditions and options; setting direction through prioritisation and decision making; and monitoring performance, compliance and progress against agreed direction and objectives (EDM).
• Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives (PBRM).
• Exercising governance and management effectively in practice requires appropriately using all enablers. The COBIT process reference model allows us to focus easily on the relevant enterprise activities.
Governance in COBIT 5
• The COBIT 5 process reference model subdivides the IT-related practices and activities of the enterprise into two main areas—governance and management—with management further divided into domains of processes.
• The GOVERNANCE domain contains five governance processes; within each process, evaluate, direct and monitor (EDM) practices are defined.
  • EDM01 Ensure governance framework setting and maintenance.
  • EDM02 Ensure benefits delivery.
  • EDM03 Ensure risk optimisation.
  • EDM04 Ensure resource optimisation.
  • EDM05 Ensure stakeholder transparency.
• The four MANAGEMENT domains are in line with the responsibility areas of plan, build, run and monitor (PBRM).
Governance in COBIT 5 (cont.)
Source: COBIT® 5, figure 16. © 2012 ISACA® All rights reserved.
Risk Management in COBIT 5
• The GOVERNANCE domain contains five governance processes, one of which focuses on stakeholder risk-related objectives: EDM03 Ensure risk optimisation.
  • Process Description: Ensure that the enterprise’s risk appetite and tolerance are understood, articulated and communicated, and that risk to enterprise value related to the use of IT is identified and managed.
  • Process Purpose Statement: Ensure that IT-related enterprise risk does not exceed risk appetite and risk tolerance, the impact of IT risk to enterprise value is identified and managed, and the potential for compliance failures is minimised.
Risk Management in COBIT 5 (cont.)
• The MANAGEMENT Align, Plan and Organise domain contains a risk-related process: APO12 Manage risk.
  • Process Description: Continually identify, assess and reduce IT-related risk within levels of tolerance set by enterprise executive management.
  • Process Purpose Statement: Integrate the management of IT-related enterprise risk with overall ERM, and balance the costs and benefits of managing IT-related enterprise risk.
Risk Management in COBIT 5 (cont.)
Source: COBIT® 5, figure 16. © 2012 ISACA® All rights reserved.
Risk Management in COBIT 5 (cont.)
• All enterprise activities have associated risk exposures resulting from environmental threats that exploit enabler vulnerabilities.
  • EDM03 Ensure risk optimisation ensures that the enterprise stakeholders’ approach to risk is articulated to direct how risks facing the enterprise will be treated.
  • APO12 Manage risk provides the enterprise risk management (ERM) arrangements that ensure that the stakeholder direction is followed by the enterprise.
  • All other processes include practices and activities that are designed to treat related risk (avoid, reduce/mitigate/control, share/transfer/accept).
Risk Management in COBIT 5 (cont.)
• In addition to activities, COBIT 5 suggests accountabilities and responsibilities for enterprise roles and governance/management structures (RACI charts) for each process. These include risk-related roles.
Source: COBIT® 5: Enabling Processes, page 108. © 2012 ISACA® All rights reserved.
Compliance in COBIT 5
• The MANAGEMENT Monitor, Evaluate and Assess domain contains a compliance-focused process: MEA03 Monitor, evaluate and assess compliance with external requirements.
  • Process Description: Evaluate that IT processes and IT-supported business processes are compliant with laws, regulations and contractual requirements. Obtain assurance that the requirements have been identified and complied with, and integrate IT compliance with overall enterprise compliance.
  • Process Purpose Statement: Ensure that the enterprise is compliant with all applicable external requirements.
Compliance in COBIT 5 (cont.)
Source: COBIT® 5, figure 16. © 2012 ISACA® All rights reserved.
Compliance in COBIT 5 (cont.)
• Legal and regulatory compliance is a key part of the
  effective governance of an enterprise, hence its
  inclusion in the GRC term and in the COBIT 5
  Enterprise Goals and supporting enabler process
  structure (MEA03).
• In addition to MEA03, all enterprise activities include
  control activities that are designed to ensure
  compliance not only with externally imposed
  legislative or regulatory requirements but also with
  enterprise governance-determined principles, policies
  and procedures.
Compliance in COBIT 5 (cont.)
• In addition to activities, COBIT 5 suggests accountabilities and responsibilities for enterprise roles and governance/management structures (RACI charts) for each process. These include a compliance-related role.
Source: COBIT® 5: Enabling Processes, page 213. © 2012 ISACA® All rights reserved.
Summary
• The COBIT 5 framework includes the necessary
  guidance to support enterprise GRC objectives and
  supporting activities:
   • Governance activities related to GEIT (5 processes)
   • Risk management process—and supporting guidance
      for risk management across the GEIT space
   • Compliance—a specific focus on compliance
      activities within the framework and how they fit
      within the complete enterprise picture
• Inclusion of GRC arrangements within the business
  framework for GEIT helps enterprises to avoid the main
  issue with GRC arrangements—silos of activity!

Más contenido relacionado

La actualidad más candente

Fadi Mutlak - Information security governance
Fadi Mutlak - Information security governanceFadi Mutlak - Information security governance
Fadi Mutlak - Information security governancenooralmousa
 
CONTROL & AUDIT INFORMATION SYSTEM (HALL, 2015)
CONTROL & AUDIT INFORMATION SYSTEM (HALL, 2015)CONTROL & AUDIT INFORMATION SYSTEM (HALL, 2015)
CONTROL & AUDIT INFORMATION SYSTEM (HALL, 2015)Muhammad Azmy
 
A to Z of Information Security Management
A to Z of Information Security ManagementA to Z of Information Security Management
A to Z of Information Security ManagementMark Conway
 
Basics in IT Audit and Application Control Testing
Basics in IT Audit and Application Control Testing Basics in IT Audit and Application Control Testing
Basics in IT Audit and Application Control Testing Dinesh O Bareja
 
Iso 27001 foundation sample slides
Iso 27001 foundation sample slidesIso 27001 foundation sample slides
Iso 27001 foundation sample slidesStratos Lazaridis
 
IT Audit For Non-IT Auditors
IT Audit For Non-IT AuditorsIT Audit For Non-IT Auditors
IT Audit For Non-IT AuditorsEd Tobias
 
IT General Controls Presentation at IIA Vadodara Audit Club
IT General Controls Presentation at IIA Vadodara Audit ClubIT General Controls Presentation at IIA Vadodara Audit Club
IT General Controls Presentation at IIA Vadodara Audit ClubKaushal Trivedi
 
SOX compliance - Understanding Sarbanes-Oxley
SOX compliance - Understanding Sarbanes-OxleySOX compliance - Understanding Sarbanes-Oxley
SOX compliance - Understanding Sarbanes-OxleyAmarnath Gupta
 
Cobit5 owerwiev and implementation proposal
Cobit5 owerwiev and implementation proposalCobit5 owerwiev and implementation proposal
Cobit5 owerwiev and implementation proposalEmilio Gratton
 
Introduction to it auditing
Introduction to it auditingIntroduction to it auditing
Introduction to it auditingDamilola Mosaku
 
Cobit 2019 framework by ISACA
Cobit 2019 framework by ISACACobit 2019 framework by ISACA
Cobit 2019 framework by ISACAMDFazlaRabbiAbir
 
IT Governance Made Easy
IT Governance Made EasyIT Governance Made Easy
IT Governance Made EasyJerry Bishop
 
Presentation on iso 27001-2013, Internal Auditing and BCM
Presentation on iso 27001-2013, Internal Auditing and BCMPresentation on iso 27001-2013, Internal Auditing and BCM
Presentation on iso 27001-2013, Internal Auditing and BCMShantanu Rai
 

La actualidad más candente (20)

Fadi Mutlak - Information security governance
Fadi Mutlak - Information security governanceFadi Mutlak - Information security governance
Fadi Mutlak - Information security governance
 
CONTROL & AUDIT INFORMATION SYSTEM (HALL, 2015)
CONTROL & AUDIT INFORMATION SYSTEM (HALL, 2015)CONTROL & AUDIT INFORMATION SYSTEM (HALL, 2015)
CONTROL & AUDIT INFORMATION SYSTEM (HALL, 2015)
 
A to Z of Information Security Management
A to Z of Information Security ManagementA to Z of Information Security Management
A to Z of Information Security Management
 
Basics in IT Audit and Application Control Testing
Basics in IT Audit and Application Control Testing Basics in IT Audit and Application Control Testing
Basics in IT Audit and Application Control Testing
 
Iso 27001 foundation sample slides
Iso 27001 foundation sample slidesIso 27001 foundation sample slides
Iso 27001 foundation sample slides
 
IT Audit For Non-IT Auditors
IT Audit For Non-IT AuditorsIT Audit For Non-IT Auditors
IT Audit For Non-IT Auditors
 
IT General Controls Presentation at IIA Vadodara Audit Club
IT General Controls Presentation at IIA Vadodara Audit ClubIT General Controls Presentation at IIA Vadodara Audit Club
IT General Controls Presentation at IIA Vadodara Audit Club
 
IT Governance
IT GovernanceIT Governance
IT Governance
 
SOX compliance - Understanding Sarbanes-Oxley
SOX compliance - Understanding Sarbanes-OxleySOX compliance - Understanding Sarbanes-Oxley
SOX compliance - Understanding Sarbanes-Oxley
 
Cobit5 owerwiev and implementation proposal
Cobit5 owerwiev and implementation proposalCobit5 owerwiev and implementation proposal
Cobit5 owerwiev and implementation proposal
 
Introduction to it auditing
Introduction to it auditingIntroduction to it auditing
Introduction to it auditing
 
SOX- IT Perspective
SOX- IT PerspectiveSOX- IT Perspective
SOX- IT Perspective
 
ISO 27001:2022 Introduction
ISO 27001:2022 IntroductionISO 27001:2022 Introduction
ISO 27001:2022 Introduction
 
Cobit 2019 framework by ISACA
Cobit 2019 framework by ISACACobit 2019 framework by ISACA
Cobit 2019 framework by ISACA
 
IT Governance Made Easy
IT Governance Made EasyIT Governance Made Easy
IT Governance Made Easy
 
GRC Fundamentals
GRC FundamentalsGRC Fundamentals
GRC Fundamentals
 
Presentation on iso 27001-2013, Internal Auditing and BCM
Presentation on iso 27001-2013, Internal Auditing and BCMPresentation on iso 27001-2013, Internal Auditing and BCM
Presentation on iso 27001-2013, Internal Auditing and BCM
 
Cisa domain 1
Cisa domain 1 Cisa domain 1
Cisa domain 1
 
IT System & Security Audit
IT System & Security AuditIT System & Security Audit
IT System & Security Audit
 
CISA Review Course Slides - Part1
CISA Review Course Slides - Part1CISA Review Course Slides - Part1
CISA Review Course Slides - Part1
 

Similar a Cobit5 and-grc

Cobit5 introduction
Cobit5 introductionCobit5 introduction
Cobit5 introductionsuhaskokate
 
Cobit5 introduction
Cobit5 introductionCobit5 introduction
Cobit5 introductionMarkus Yaldu
 
02-cobit5-introduction.ppt
02-cobit5-introduction.ppt02-cobit5-introduction.ppt
02-cobit5-introduction.pptElonMotta
 
Cobit 5 for information security
Cobit 5 for information securityCobit 5 for information security
Cobit 5 for information securityElkanouni Mohamed
 
PPT-UEU-Topik-dalam-IT-Resources-Management-13.pptx
PPT-UEU-Topik-dalam-IT-Resources-Management-13.pptxPPT-UEU-Topik-dalam-IT-Resources-Management-13.pptx
PPT-UEU-Topik-dalam-IT-Resources-Management-13.pptxssuserd1791e
 
Introduction to COBIT 5 and IT management
Introduction to COBIT 5 and IT managementIntroduction to COBIT 5 and IT management
Introduction to COBIT 5 and IT managementChristian F. Nissen
 
COBIT® Presentation Package.ppt
COBIT® Presentation Package.pptCOBIT® Presentation Package.ppt
COBIT® Presentation Package.pptEmmacuet
 
Implementation of a Decision System for a Suitable IT Governance Framework
Implementation of a Decision System for a Suitable IT Governance FrameworkImplementation of a Decision System for a Suitable IT Governance Framework
Implementation of a Decision System for a Suitable IT Governance FrameworkIJCSIS Research Publications
 

Similar a Cobit5 and-grc (20)

Cobit5 introduction
Cobit5 introductionCobit5 introduction
Cobit5 introduction
 
Cobit5 introduction
Cobit5 introductionCobit5 introduction
Cobit5 introduction
 
COBIT5 Introduction
COBIT5 IntroductionCOBIT5 Introduction
COBIT5 Introduction
 
COBIT5-IntroductionS
COBIT5-IntroductionSCOBIT5-IntroductionS
COBIT5-IntroductionS
 
Cobit 5 introduction plgr
Cobit 5 introduction plgrCobit 5 introduction plgr
Cobit 5 introduction plgr
 
Cobit5 introduction
Cobit5 introductionCobit5 introduction
Cobit5 introduction
 
02-cobit5-introduction.ppt
02-cobit5-introduction.ppt02-cobit5-introduction.ppt
02-cobit5-introduction.ppt
 
Cobit
CobitCobit
Cobit
 
Diskusi buku: Securing an IT Organization through Governance, Risk Management...
Diskusi buku: Securing an IT Organization through Governance, Risk Management...Diskusi buku: Securing an IT Organization through Governance, Risk Management...
Diskusi buku: Securing an IT Organization through Governance, Risk Management...
 
Cobit 5 for information security
Cobit 5 for information securityCobit 5 for information security
Cobit 5 for information security
 
PPT-UEU-Topik-dalam-IT-Resources-Management-13.pptx
PPT-UEU-Topik-dalam-IT-Resources-Management-13.pptxPPT-UEU-Topik-dalam-IT-Resources-Management-13.pptx
PPT-UEU-Topik-dalam-IT-Resources-Management-13.pptx
 
Cobit_5_Checklist.pdf
Cobit_5_Checklist.pdfCobit_5_Checklist.pdf
Cobit_5_Checklist.pdf
 
Introduction to COBIT 5 and IT management
Introduction to COBIT 5 and IT managementIntroduction to COBIT 5 and IT management
Introduction to COBIT 5 and IT management
 
Audit rizkie hafizzah
Audit rizkie hafizzahAudit rizkie hafizzah
Audit rizkie hafizzah
 
COBIT® Presentation Package.ppt
COBIT® Presentation Package.pptCOBIT® Presentation Package.ppt
COBIT® Presentation Package.ppt
 
Cobit 5 Business Framework -Governance and Management of Enterprise IT
Cobit 5  Business Framework -Governance and Management of Enterprise ITCobit 5  Business Framework -Governance and Management of Enterprise IT
Cobit 5 Business Framework -Governance and Management of Enterprise IT
 
Co5bit
Co5bitCo5bit
Co5bit
 
COBIT 5 FAQ
COBIT 5 FAQCOBIT 5 FAQ
COBIT 5 FAQ
 
Implementation of a Decision System for a Suitable IT Governance Framework
Implementation of a Decision System for a Suitable IT Governance FrameworkImplementation of a Decision System for a Suitable IT Governance Framework
Implementation of a Decision System for a Suitable IT Governance Framework
 
COBIT 2019 - DIGITAL TRUST FRAMEWORK
COBIT 2019 - DIGITAL TRUST FRAMEWORKCOBIT 2019 - DIGITAL TRUST FRAMEWORK
COBIT 2019 - DIGITAL TRUST FRAMEWORK
 

Último

Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsRoshan Dwivedi
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 

Último (20)

Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 

Cobit5 and-grc

  • 8. Corporate Governance of IT
     ISO/IEC 38500:2008, Corporate governance of information technology
     1.1 Scope
     This standard provides guiding principles for directors of organizations (including owners, board members, directors, partners, senior executives, or similar) on the effective, efficient, and acceptable use of Information Technology (IT) within their organizations.
     This standard applies to the governance of management processes (and decisions) relating to the information and communication services used by an organization. These processes could be controlled by IT specialists within the organization or external service providers, or by business units within the organization.
  • 9. Corporate Governance of IT (cont.)
    ISO/IEC 38500:2008, Corporate governance of information technology
    2.1 Principles
    2.1.1 Principle 1: Responsibility
    2.1.2 Principle 2: Strategy
    2.1.3 Principle 3: Acquisition
    2.1.4 Principle 4: Performance
    2.1.5 Principle 5: Conformance
    2.1.6 Principle 6: Human Behaviour
  • 10. Corporate Governance of IT (cont.)
    ISO/IEC 38500:2008, Corporate governance of information technology
    2.2 Model
    Directors should govern IT through three main tasks:
    a) Evaluate the current and future use of IT.
    b) Direct preparation and implementation of plans and policies to ensure that use of IT meets business objectives.
    c) Monitor conformance to policies, and performance against the plans.
  • 11. ISACA and COBIT
     ISACA actively promotes research that results in the development of products both relevant and useful to IT governance, risk, control, assurance and security professionals.
     ISACA developed and maintains the internationally recognised COBIT framework, helping IT professionals and enterprise leaders fulfil their IT governance responsibilities while delivering value to the business.
  • 13. COBIT: Governance of Enterprise IT (GEIT)
    [Figure: evolution of COBIT's scope. Successive releases COBIT1 (1996), COBIT2 (1998), COBIT3 (2000), COBIT4.0/4.1 (2005/7) and COBIT 5 (2012), with the scope widening from Audit to Control, Management, IT Governance and Governance of Enterprise IT; Val IT 2.0 (2008) and Risk IT (2009) are shown alongside as frameworks absorbed into COBIT 5.]
    A business framework from ISACA, at www.isaca.org/cobit
    Source: COBIT® 5 Introduction Presentation © 2012 ISACA® All rights reserved.
  • 14. COBIT 5 in Overview COBIT 5 brings together the five principles that allow the enterprise to build an effective governance and management framework based on a holistic set of seven enablers that optimises information and technology investment and use for the benefit of stakeholders.
  • 15. The COBIT 5 Framework
     Simply stated, COBIT 5 helps enterprises to create optimal value from IT by maintaining a balance between realising benefits and optimising risk levels and resource use.
     COBIT 5 enables information and related technology to be governed and managed in a holistic manner for the whole enterprise, taking in the full end-to-end business and functional areas of responsibility and considering the IT-related interests of internal and external stakeholders.
     The COBIT 5 principles and enablers are generic and useful for enterprises of all sizes, whether commercial, not-for-profit or in the public sector.
  • 16. COBIT 5 Principles Source: COBIT® 5, figure 2. © 2012 ISACA® All rights reserved.
  • 17. COBIT 5 Enterprise Enablers Source: COBIT® 5, figure 12. © 2012 ISACA® All rights reserved.
  • 19. Governance (and Management) in COBIT 5
     Governance ensures that enterprise objectives are achieved by evaluating stakeholder needs, conditions and options; setting direction through prioritisation and decision making; and monitoring performance, compliance and progress against agreed direction and objectives (EDM).
     Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives (PBRM).
     Exercising governance and management effectively in practice requires appropriately using all enablers. The COBIT process reference model allows us to focus easily on the relevant enterprise activities.
  • 20. Governance in COBIT 5
    • The COBIT 5 process reference model subdivides the IT-related practices and activities of the enterprise into two main areas, governance and management, with management further divided into domains of processes.
    • The GOVERNANCE domain contains five governance processes; within each process, evaluate, direct and monitor (EDM) practices are defined:
      EDM01 Ensure governance framework setting and maintenance.
      EDM02 Ensure benefits delivery.
      EDM03 Ensure risk optimisation.
      EDM04 Ensure resource optimisation.
      EDM05 Ensure stakeholder transparency.
    • The four MANAGEMENT domains are in line with the responsibility areas of plan, build, run and monitor (PBRM).
  • 21. Governance in COBIT 5 (cont.) Source: COBIT® 5, figure 16. © 2012 ISACA® All rights reserved.
  • 22. Risk Management in COBIT 5
    • The GOVERNANCE domain contains five governance processes, one of which focuses on stakeholder risk-related objectives: EDM03 Ensure risk optimisation.
    • Process Description: Ensure that the enterprise's risk appetite and tolerance are understood, articulated and communicated, and that risk to enterprise value related to the use of IT is identified and managed.
    • Process Purpose Statement: Ensure that IT-related enterprise risk does not exceed risk appetite and risk tolerance, the impact of IT risk to enterprise value is identified and managed, and the potential for compliance failures is minimised.
  • 23. Risk Management in COBIT 5 (cont.)
    • The MANAGEMENT Align, Plan and Organise domain contains a risk-related process: APO12 Manage risk.
    • Process Description: Continually identify, assess and reduce IT-related risk within levels of tolerance set by enterprise executive management.
    • Process Purpose Statement: Integrate the management of IT-related enterprise risk with overall ERM, and balance the costs and benefits of managing IT-related enterprise risk.
  • 24. Risk Management in COBIT 5 (cont.) Source: COBIT® 5, figure 16. © 2012 ISACA® All rights reserved.
  • 25. Risk Management in COBIT 5 (cont.)
    • All enterprise activities have associated risk exposures resulting from environmental threats that exploit enabler vulnerabilities.
    • EDM03 Ensure risk optimisation ensures that the enterprise stakeholders' approach to risk is articulated, to direct how risks facing the enterprise will be treated.
    • APO12 Manage risk provides the enterprise risk management (ERM) arrangements that ensure that the stakeholder direction is followed by the enterprise.
    • All other processes include practices and activities that are designed to treat related risk (avoid, reduce/mitigate/control, share/transfer, or accept).
  • 26. Risk Management in COBIT 5 (cont.)
    • In addition to activities, COBIT 5 suggests accountabilities and responsibilities for enterprise roles and governance/management structures (RACI charts) for each process. These include risk-related roles.
    Source: COBIT® 5: Enabling Processes, page 108. © 2012 ISACA® All rights reserved.
  • 27. Compliance in COBIT 5
    • The MANAGEMENT Monitor, Evaluate and Assess domain contains a compliance-focused process: MEA03 Monitor, evaluate and assess compliance with external requirements.
    • Process Description: Evaluate that IT processes and IT-supported business processes are compliant with laws, regulations and contractual requirements. Obtain assurance that the requirements have been identified and complied with, and integrate IT compliance with overall enterprise compliance.
    • Process Purpose Statement: Ensure that the enterprise is compliant with all applicable external requirements.
  • 28. Compliance in COBIT 5 (cont.) Source: COBIT® 5, figure 16. © 2012 ISACA® All rights reserved.
  • 29. Compliance in COBIT 5 (cont.)
    • Legal and regulatory compliance is a key part of the effective governance of an enterprise, hence its inclusion in the GRC term and in the COBIT 5 Enterprise Goals and supporting enabler process structure (MEA03).
    • In addition to MEA03, all enterprise activities include control activities that are designed to ensure compliance not only with externally imposed legislative or regulatory requirements but also with enterprise governance-determined principles, policies and procedures.
  • 30. Compliance in COBIT 5 (cont.)
    • In addition to activities, COBIT 5 suggests accountabilities and responsibilities for enterprise roles and governance/management structures (RACI charts) for each process. These include a compliance-related role.
    Source: COBIT® 5: Enabling Processes, page 213. © 2012 ISACA® All rights reserved.
  • 31. Summary
    • The COBIT 5 framework includes the necessary guidance to support enterprise GRC objectives and supporting activities:
      • Governance activities related to GEIT (5 processes)
      • Risk management process, and supporting guidance for risk management across the GEIT space
      • Compliance: a specific focus on compliance activities within the framework and how they fit within the complete enterprise picture
    • Inclusion of GRC arrangements within the business framework for GEIT helps enterprises to avoid the main issue with GRC arrangements: silos of activity!