TRANSCRIPT
©2009 ISACA/ITGI. All rights reserved.
IT Management Frameworks: A Valued Approach to Strengthening IT Management
John Beveridge, Office of the State Auditor
Massachusetts Digital Government Summit
Boston, Massachusetts
October 19, 2009
John Beveridge, CISA, CISM, CGFM, CFE, CGEIT, CQA
• Deputy Auditor, Office of the State Auditor, Room 1819, One Ashburton Place, Boston, MA 021087
• Co-Chair of Commonwealth’s Enterprise Security Board
• Adjunct faculty member
• 617.727.6200
• e-mail: [email protected]
In This Presentation...
• Driving forces for IT governance and Control Objectives for Information and related Technology (COBIT®)
• An introduction to:
  – The COBIT framework
  – COBIT supporting materials
• Where COBIT fits with other frameworks and standards
The Governance Environment
Forces Driving IT Governance
• Compliance
• Security
• Business/IT alignment
• ROI
• Project execution
Need for IT Governance
• Increasing pressure to leverage technology in business strategies
• Growing complexity of IT environments
• Fragmented IT infrastructure; fragmented security infrastructures
• Communication gaps between business and IT managers
• IT service levels from internal IT functions that appear disappointing
Do these conditions sound familiar?
Need for IT Governance (continued)
• Lack of assurance of adequate security by outsourced IT providers
• IT costs perceived to be out of control, yet under-funded IT security
• Marginal or unknown ROI/productivity gains on IT investments
• Impaired organizational flexibility and nimbleness to change
• User frustration leading to ad hoc solutions
Do these conditions sound familiar?
IT Governance Needs a Management Framework
The driving forces map onto the IT governance focus areas (the IT governance domains):
• Strategic alignment
• Value delivery
• Risk management
• Resource management
• Performance measurement
IT Governance Objectives
• IT is aligned with the business, enabling the business to maximize benefit
• IT resources are safeguarded and used in a responsible and ethical manner
• IT-related risks are addressed through appropriate controls and managed to minimize risk and exposure
• IT performance is measured and evaluated for ROI
To Manage and Control IT, the Organization Needs to:
• Employ the fundamentals of IT governance
• Have a clear understanding of the strategic value of technology
• Have appropriate frameworks of control
• Build and exercise mechanisms to provide adequate assurance that IT governance objectives are addressed
How Does COBIT Link to IT Governance?
(Diagram: the business and IT governance are linked through goals, requirements, responsibilities and control objectives. The business needs information to achieve its objectives; executives and the board need information to exercise their responsibilities; the remaining link is labelled direction and resourcing.)
IT Governance Institute References
• Board Briefing on IT Governance
• Information Security Governance
• COBIT 4.1
• Val IT
• IT Governance Implementation Guide
• COBIT Control Practices
• IT Assurance Guide
(The figure arranges these by audience: governance; business and technology management; governance, security and assurance management.)
An Overview of COBIT
CobiT
CobiT is a valuable IT governance tool that helps in the understanding and management of risks and benefits associated with information integrity, security, and availability, and the management of related technology.
How it Appears to the Instructor
Authoritative, up-to-date, international set of generally accepted IT control objectives and control practices for day-to-day use by business managers and auditors.
Structured and organized to provide a powerful control model
• “Right” information, to only the “right” party, in the “right” format, at the “right” time, at the “right” cost.
• Information that is relevant, reliable, secure, and available.
• Information provided by systems that have integrity by means of a well-managed and properly controlled IT environment.
• Internationally accepted good practices
• Management-oriented
• Supported by tools and training
• Freely available
• Sharing knowledge and leveraging expert volunteers
• Continually evolving
• Maintained by a reputable not-for-profit organisation
• Maps 100 percent to COSO
• Maps strongly to all major related standards
COBIT 4.1—The IT Governance Framework
The only IT management and control framework that covers the end-to-end IT life cycle.
(Diagram: COBIT as the good practices repository for IT processes, IT management processes and IT governance processes.)
COBIT 4.1—The IT Governance Framework
CobiT is a reference, a set of best practices, not an ‘off-the-shelf’ cure. Enterprises still need to analyse their control requirements and customise based on:
• Value drivers
• Risk profile
• IT infrastructure, organisation and project portfolio
CobiT Sources
• Professional standards for internal control and auditing (COSO, IFAC, AICPA, IIA, etc.)
• Technical standards (ISO, EDIFACT, etc.)
• Codes of conduct
• Qualification criteria for IT systems and processes (ISO 9000, ITSEC, TCSEC, etc.)
• Industry practices and requirements from industry forums (ESF, I4)
• Emerging industry-specific requirements from banking, e-commerce and IT manufacturing
CobiT Framework
• Documents relationships among information criteria, IT resources, and IT processes
• Links control objectives and control practices to business processes and business objectives
• Assists in confirming that appropriate IT processes (and practices) are in place
• Facilitates evaluation and assurance methods
IT Resource Management
CobiT underscores and demonstrates that IT resources need to be managed in order to provide organizations with the type and quality of information required to achieve organizational objectives.
Framework’s Three Components
• Business requirements for information
• IT resources
• IT processes
Information Criteria -- The 1st Component
• Effectiveness
• Efficiency
• Confidentiality
• Integrity
• Availability
• Compliance
• Reliability of Information
IT Resources -- The 2nd Component
• Application Systems
• Information
• Infrastructure Facilities
• People
Process Orientation
• Domains: natural grouping of processes, often matching an organisational domain of responsibility
• Processes: a series of joined activities with natural control breaks
• Activities or tasks: actions needed to achieve a measurable result—activities have a life cycle whereas tasks are discrete
(Diagram: business requirements, IT resources, IT processes.)
Key Driving Forces for COBIT
• Business requirements: what the stakeholders expect from IT
  – Information criteria: effectiveness, efficiency, confidentiality, integrity, availability, compliance, information reliability
• IT resources: the resources made available to—and built up by—IT
  – Data, application systems, technology, facilities, people
• IT processes: how IT is organised to respond to the requirements
  – Domains: Plan and Organise, Acquire and Implement, Deliver and Support, Monitor and Evaluate
Process Orientation
• IT domains (natural grouping of processes, often matching an organisational domain of responsibility):
  – Plan and Organise
  – Acquire and Implement
  – Deliver and Support
  – Monitor and Evaluate
• IT processes (a series of joined activities with natural control breaks), for example:
  – IT strategy
  – Computer operations
  – Incident handling
  – Acceptance testing
  – Change management
  – Contingency planning
  – Problem management
• Activities (actions needed to achieve a measurable result; activities have a life cycle whereas tasks are discrete), for example:
  – Record new problem.
  – Analyse.
  – Propose solution.
  – Monitor solution.
  – Record known problem.
  – Etc.
COBIT Domains:
(Diagram: the four domains, Plan and Organise, Acquire and Implement, Deliver and Support, and Monitor and Evaluate, linked by feedback loops.)
COBIT Processes
Plan and Organise
• PO1 Define an IT Strategic Plan
• PO2 Define the Information Architecture
• PO3 Determine Technological Direction
• PO4 Define the IT Processes, Organisation and Relationships
• PO5 Manage the IT Investment
• PO6 Communicate Management Aims and Direction
• PO7 Manage IT Human Resources
• PO8 Manage Quality
• PO9 Assess and Manage IT Risks
• PO10 Manage Projects
Acquire and Implement
• AI1 Identify Automated Solutions
• AI2 Acquire and Maintain Application Software
• AI3 Acquire and Maintain Technology Infrastructure
• AI4 Enable Operation and Use
• AI5 Procure IT Resources
• AI6 Manage Changes
• AI7 Install and Accredit Solutions and Changes
COBIT Processes (continued)
Deliver and Support
• DS1 Define and Manage Service Levels
• DS2 Manage Third-party Services
• DS3 Manage Performance and Capacity
• DS4 Ensure Continuous Service
• DS5 Ensure Systems Security
• DS6 Identify and Allocate Costs
• DS7 Educate and Train Users
• DS8 Manage Service Desk and Incidents
• DS9 Manage the Configuration
• DS10 Manage Problems
• DS11 Manage Data
• DS12 Manage the Physical Environment
• DS13 Manage Operations
Monitor and Evaluate
• ME1 Monitor and Evaluate IT Performance
• ME2 Monitor and Evaluate Internal Control
• ME3 Ensure Compliance With External Requirements
• ME4 Provide IT Governance
Process Orientation: Plan and Organise
• Description
  – This domain covers strategy and tactics, and concerns the identification of the way IT can best contribute to the achievement of the business objectives. Furthermore, the realisation of the strategic vision needs to be planned, communicated and managed for different perspectives. Finally, a proper organisation as well as technological infrastructure must be put in place.
• Topics
  – Strategy and tactics
  – Vision planned
  – Organisation and infrastructure
• Questions
  – Are IT and the business strategy aligned?
  – Is the enterprise achieving optimum use of its resources?
  – Does everyone in the organisation understand the IT objectives?
  – Are IT risks understood and being managed?
  – Is the quality of IT systems appropriate for business needs?
Digging Into COBIT
COBIT Framework
• The COBIT framework provides guidance on IT governance and the role of IT control.
• Generic controls:
  – Controls that relate to IT processes and
Control Objectives
Navigating in COBIT: Process Level
The waterfall navigation aid: high-level control objectives for each process.
(Waterfall: the control of IT processes, which satisfy business requirements, is focused on control statements, is achieved by control practices, and is measured by metrics such as user satisfaction.)
Which Domain?
Process Description
All changes, including emergency maintenance and patches, relating to infrastructure and applications within the production environment are formally managed in a controlled manner. Changes (including those to procedures, processes, system and service parameters) are logged, assessed and authorized prior to implementation, and reviewed against planned outcomes following implementation. This assures mitigation of the risks of negatively impacting the stability or integrity of the production environment.
The Waterfall of Control
Information Criteria
IT Resources
IT Governance
Control Objectives
AI6.5 Change Closure and Documentation: Whenever changes are implemented, update the associated system and user documentation and procedures accordingly.
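To make the AI6 process description and the AI6.5 closure objective concrete, here is an added Python example (not from the deck or from ISACA) of a change record that refuses implementation before authorisation, checks the observed outcome against the planned one, and refuses closure until documentation is updated. The state names, the self-approval check and the sample change are this example's own assumptions.

```python
"""Added example, not from the ISACA deck: a change record that enforces the AI6
sequence described above (logged, assessed, authorised before implementation,
reviewed against the planned outcome afterwards) and the AI6.5 closure rule.
State names, the self-approval check and the audit format are this example's
own assumptions, not COBIT text."""
from datetime import datetime, timezone
# Allowed transitions. Emergency changes follow the same path, just faster.
TRANSITIONS = {
    "logged": {"assessed"},
    "assessed": {"authorised", "rejected"},
    "authorised": {"implemented"},
    "implemented": {"reviewed"},
    "reviewed": {"closed"},
}

class ChangeControlError(Exception): """Raised when a transition would bypass a control point."""

class ChangeRecord:
    def __init__(self, change_id, description, requester, emergency=False):
        self.change_id, self.requester, self.emergency = change_id, requester, emergency
        self.state, self.planned_outcome = "logged", None
        self.audit = []  # (utc timestamp, actor, new state, note)
        self._log(requester, "logged", description)

    def _log(self, actor, state, note):
        self.audit.append((datetime.now(timezone.utc).isoformat(), actor, state, note))

    def _move(self, actor, new_state, note):
        if new_state not in TRANSITIONS.get(self.state, set()):
            raise ChangeControlError(f"{self.change_id}: {self.state} -> {new_state} not permitted")
        self.state = new_state
        self._log(actor, new_state, note)

    def assess(self, actor, risk, planned_outcome):
        self.planned_outcome = planned_outcome
        self._move(actor, "assessed", f"risk={risk}; planned={planned_outcome}")

    def authorise(self, approver):
        # Assumed segregation of duties: the requester may not approve their own change.
        if approver == self.requester:
            raise ChangeControlError(f"{self.change_id}: requester cannot self-authorise")
        self._move(approver, "authorised", "approved")

    def implement(self, actor):
        # The AI6 control point: only an authorised change reaches production.
        self._move(actor, "implemented", "deployed to production")

    def review(self, actor, observed_outcome):
        matches = observed_outcome == self.planned_outcome
        self._move(actor, "reviewed", f"observed={observed_outcome}; as planned={matches}")
        return matches

    def close(self, actor, docs_updated):
        # AI6.5: system and user documentation must be updated before closure.
        if not docs_updated:
            raise ChangeControlError(f"{self.change_id}: documentation not updated")
        self._move(actor, "closed", "documentation and procedures updated")

def run_sample():
    """Constructed walk-through: an emergency patch whose implementer first tries to skip authorisation."""
    chg = ChangeRecord("CHG-0001", "apply vendor security patch", "alice", emergency=True)
    chg.assess("alice", risk="medium", planned_outcome="service restarts cleanly")
    try:
        chg.implement("alice")  # refused: not yet authorised
    except ChangeControlError:
        pass
    chg.authorise("bob")
    chg.implement("alice")
    chg.review("carol", "service restarts cleanly")
    chg.close("carol", docs_updated=True)
    return chg
```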
Management Guidelines
Input-output Matrix: Managing the Life Cycle
• Inputs coming from other processes
• Outputs going to other processes
Primary Inputs and Outputs
• CobiT identifies where the primary inputs for each process are obtained: the inputs are identified, along with the processes they come from.
• It also identifies the IT processes to which each process provides output: the outputs are identified, along with where they are directed.
Managing the Life Cycle
(Diagram: PO, AI, DS.) Whilst COBIT represents the life cycle of IT investments, it must also manage inter-process interdependencies.
“RACI” Chart
• Identifies who is Responsible, Accountable, Consulted and/or Informed
• Addresses considerations for points of accountability
• Addresses issues of communication and desired input (who would be consulted)
• Rather than titles, think of positions in terms of roles
• Depending on the size of the organization or the IT function, several roles may be combined
(RACI chart: typical process activities set against a standard organisation chart, showing who is Responsible, Accountable, Consulted and Informed.)
Goals and Metrics
• Activity goals tell us how well the process is performing
  – Measured by key performance indicators (KPIs)
• Process goals tell us what IT must deliver
  – Measured by key goal indicators (KGIs)
• IT goals tell us what we expect from IT
  – Measured by key goal indicators (KGIs)
Maturity Model: Use of Maturity Models
• The assessment of process capability based on the COBIT maturity models is a key part of IT governance implementation.
• It enables gaps in capability to be identified and demonstrated to management.
• Action plans can then be developed.
Maturity Levels in COBIT
• 0 Non-existent: management processes are not applied at all.
• 1 Initial: processes are ad hoc and disorganised.
• 2 Repeatable: processes follow a regular pattern.
• 3 Defined: processes are documented and communicated.
• 4 Managed: processes are monitored and measured.
• 5 Optimised: best practices are followed and automated.
Dimensions of Process Maturity in COBIT
Capture process maturity data on each of six dimensions:
• Awareness and communication
• Policies, standards and procedures
• Tools and automation
• Skills and expertise
• Responsibility and accountability
• Goal setting and measurement
Collecting Maturity Model Data
(Chart: each of the six dimensions, awareness and communication; policies, standards and procedures; tools and automation; skills and expertise; responsibility and accountability; goal setting and measurement, rated on the 0 to 5 scale.)
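As an added example (not part of the deck or of COBIT itself), the following Python scores one process on the six dimensions above and reports the gap to a target level in a form that can be shown to management. Treating the weakest dimension as the overall level, the process name and the sample ratings are assumptions of this example.

```python
"""Added example, not from the ISACA deck: scoring one COBIT process on the six
maturity dimensions named above and reporting capability gaps against a target
level. Dimension and level names are the deck's; taking the weakest dimension
as the overall level, and the sample ratings, are this example's assumptions."""

LEVELS = {0: "Non-existent", 1: "Initial", 2: "Repeatable", 3: "Defined",
          4: "Managed", 5: "Optimised"}

DIMENSIONS = (
    "Awareness and communication",
    "Policies, standards and procedures",
    "Tools and automation",
    "Skills and expertise",
    "Responsibility and accountability",
    "Goal setting and measurement",
)


class ProcessAssessment:
    def __init__(self, process):
        self.process = process   # e.g. "DS5 Ensure Systems Security"
        self.ratings = {}        # dimension -> level 0..5

    def rate(self, dimension, level):
        if dimension not in DIMENSIONS:
            raise ValueError(f"unknown dimension: {dimension}")
        if level not in LEVELS:
            raise ValueError("maturity level must be an integer from 0 to 5")
        self.ratings[dimension] = level

    def overall(self):
        """Overall maturity = weakest dimension (assumption): a process is not
        'Defined' while, say, accountability for it is still ad hoc."""
        missing = [d for d in DIMENSIONS if d not in self.ratings]
        if missing:
            raise ValueError(f"unrated dimensions: {missing}")
        return min(self.ratings.values())

    def gaps(self, target):
        """Dimensions below the target level, largest shortfall first."""
        short = [(d, target - lvl) for d, lvl in self.ratings.items() if lvl < target]
        return sorted(short, key=lambda item: (-item[1], item[0]))


def gap_report(assessments, target):
    """One line per process, as a management summary: current level vs
    target and the dimensions that an action plan must address."""
    lines = []
    for a in assessments:
        cur = a.overall()
        lagging = ", ".join(f"{d} (-{g})" for d, g in a.gaps(target)) or "none"
        lines.append(f"{a.process}: level {cur} {LEVELS[cur]} vs target {target}; "
                     f"lagging: {lagging}")
    return lines


# Constructed sample ratings for one process (illustrative, not real data).
ds5 = ProcessAssessment("DS5 Ensure Systems Security")
for dim, lvl in zip(DIMENSIONS, (3, 3, 2, 3, 1, 2)):
    ds5.rate(dim, lvl)

if __name__ == "__main__":
    print("\n".join(gap_report([ds5], target=3)))
```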
How Do Governance and the Business Drive IT?
(Diagram: business goals drive IT goals, which drive IT processes. IT processes run applications; applications need infrastructure and people; together they deliver information. Business requirements require information services, which imply information criteria; governance requirements influence them.)
COBIT and Other Frameworks and Standards
The Need for IT Governance Control Frameworks
• Many organizations recognize the potential benefits that technology can yield.
• Successful organizations understand and manage what needs to be achieved and the risks associated with implementing new technologies.
• This understanding is key to control and IT governance.
Control frameworks and generally accepted practices
Impact of Technology on Control
• Operational and control objectives do not change, or change a little
  – Some technology-specific control objectives change
• There is a significant impact on the “mix” of controls used to address the control objectives
  – Technology can facilitate achieving control objectives
Control models:
• Are structured or organized to present a control framework relative to control objectives and the respective internal controls or control practices
• Provide statements of responsibilities for control
• Provide guidance regarding mechanisms to assess the need for control, and to design, develop, implement and exercise control
• Require that controls be monitored and evaluated
Where COBIT Typically Sits
(Diagram: three layers, Governance Layer, IT Governance Layer and IT Management Layer. COBIT sits in the IT governance layer, between governance frameworks such as King and COSO and IT management standards such as ITIL, 17799, CMM and TickIT.)
How COBIT Relates to Frameworks and Standards
• Integrator of technical standards
• Interface to business standards
How COBIT Relates to Frameworks and Standards
(Diagram: four layers. Strategic: COBIT. Process control: ITIL, CMM, 17799. Process execution. Work instruction: the individual work instructions 2, 3, 4, 5, 6, ….)
How COBIT Relates to Frameworks and Standards
Plugging 27001 into COBIT Processes
(Chart: the share of ISO/IEC 27001 mapped to each COBIT process, PO1 to PO10, AI1 to AI7, DS1 to DS13 and ME1 to ME4, on a 0% to 30% scale; a second chart shows the reach of 27001 across COBIT elements, control objectives and IT processes.)
27001 maps 100% onto COBIT.
How COBIT Relates to Frameworks and Standards: Gartner Advisory on COBIT and ITIL
Control (as defined by COBIT)
The policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected.
• To achieve business objectives
• To avoid risks, threats and exposures
Source: COBIT Control Objectives, p. 12.
IT Control Objective
A statement of desired result or purpose to be achieved by implementing control procedures in a particular IT activity.
To understand internal control and what we mean by “reasonable assurance”, one needs to understand risk.
• What is “reasonable assurance”?
• What is the relationship of reasonable assurance to residual risk?
(Chart: assurance level plotted against residual risk, from 0% to 100%, marking where reasonable assurance lies.)
Control Responsibilities
• Management -- primary responsibility for ensuring that controls are in place and in effect to provide reasonable assurance that operational and control objectives will be met.
• Users -- exercise controls.
• Audit -- evaluates, advises and provides statements of assurance regarding the adequacy of controls.
COBIT®
• COBIT® 4.1—Emphasizes regulatory compliance, helps organizations increase the value attained from IT, enables alignment and simplifies implementation of the COBIT framework
The COBIT family of products includes:
• COBIT Advisor, 3rd Edition
• IT Governance Implementation Guide, Using COBIT and Val IT, 2nd Edition
• IT Governance Based on COBIT 4.1
• COBIT Online
• COBIT Quickstart, 2nd Edition
• COBIT Security Baseline, 2nd Edition
• Mappings of COBIT to other international frameworks and standards
www.isaca.org/cobit