©2009 ISACA/ITGI. All rights reserved. IT Management Frameworks A Valued Approach to Strengthening IT Management John Beveridge Office of the State Auditor Massachusetts Digital Government Summit Boston, Massachusetts October 19, 2009


Page 1:

IT Management Frameworks: A Valued Approach to Strengthening IT Management

John Beveridge, Office of the State Auditor

Massachusetts Digital Government Summit

Boston, Massachusetts

October 19, 2009

Page 2:

John Beveridge, CISA, CISM, CGFM, CFE, CGEIT, CQA

• Deputy Auditor, Office of the State Auditor, Room 1819, One Ashburton Place, Boston, MA 021087
• Co-Chair of Commonwealth’s Enterprise Security Board
• Adjunct faculty member
• 617.727.6200
• e-mail: [email protected]

Page 3:

In This Presentation...

• Driving forces for IT governance and Control Objectives for Information and related Technology (COBIT®)
• An introduction to:
  – The COBIT framework
  – COBIT supporting materials
• Where COBIT fits with other frameworks and standards

Page 4:

The Governance Environment

Page 5:

Forces Driving IT Governance

• Compliance
• Security
• Business/IT Alignment
• ROI
• Project Execution

Page 6:

Need for IT Governance

• Increasing pressure to leverage technology in business strategies
• Growing complexity of IT environments
• Fragmented IT infrastructure; fragmented security infrastructures
• Communication gaps between business and IT managers
• IT service levels from internal IT functions that appear disappointing

Do these conditions sound familiar?

Page 7:

Need for IT Governance

Lack of assurance of adequate security by outsourced IT providers

IT costs perceived to be out of control; yet under-funded IT security

Marginal or unknown ROI/productivity gains on IT investments

Impaired organizational flexibility and nimbleness to change

User frustration leading to ad hoc solutions

Do these conditions sound familiar?

Page 8:

IT Governance Needs a Management Framework

Driving Forces map onto the IT Governance Focus Areas:

• Strategic Alignment
• Value Delivery
• Risk Management
• Resource Management
• Performance Measurement

Page 9:

IT Governance Objectives

• IT is aligned with the business, enabling the business to maximize benefit

• IT resources are safeguarded and used in a responsible and ethical manner

• IT-related risks are addressed through appropriate controls and managed to minimize risk and exposure

• IT performance is measured and evaluated for ROI

Page 10:

To Manage and Control IT, the Organization Needs to:

• Employ the fundamentals of IT governance
• Have a clear understanding of the strategic value of technology
• Have appropriate frameworks of control
• Build and exercise mechanisms to provide adequate assurance that IT governance objectives are addressed

Page 11:

How Does COBIT Link to IT Governance?

(Diagram: Business, IT Governance and IT, linked through Goals, Responsibilities, Control Objectives and Requirements)

• Information the business needs to achieve its objectives
• Information executives and board need to exercise their responsibilities
• Direction and Resourcing

Page 12:

IT Governance Institute References

• Board Briefing on IT Governance
• Information Security Governance
• COBIT 4.1
• Val IT
• IT Governance Implementation Guide
• COBIT Control Practices
• IT Assurance Guide

(Diagram groups these by audience: Governance; Business and Technology Management; Governance, Security and Assurance Management)

Page 13:

An Overview of COBIT

Page 14:

CobiT

CobiT is a valuable IT governance tool that helps in the understanding and management of risks and benefits associated with information integrity, security, and availability, and the management of related technology.

Page 15:

How it Appears to the Instructor

Page 16:

Authoritative, up-to-date, international set of generally accepted IT control objectives and control practices for day-to-day use by business managers and auditors.

Structured and organized to provide a powerful control model

Page 17:

• “Right” information, to only the “right” party, in the “right” format, at the “right” time, at the “right” cost.

• Information that is relevant, reliable, secure, and available.

• Information provided by systems that have integrity by means of a well-managed and properly controlled IT environment.

Page 18:

COBIT 4.1—The IT Governance Framework

• Internationally accepted good practices
• Management-oriented
• Supported by tools and training
• Freely available
• Sharing knowledge and leveraging expert volunteers
• Continually evolving
• Maintained by reputable not-for-profit organisation
• Maps 100 percent to COSO
• Maps strongly to all major related standards

The only IT management and control framework that covers the end-to-end IT life cycle.

(Diagram: COBIT as a good practices repository for IT Governance Processes, IT Management Processes and IT Processes)

Page 19:

COBIT 4.1—The IT Governance Framework

CobiT is a reference, a set of best practices, not an ‘off-the-shelf’ cure. Enterprises still need to analyse their control requirements and customise based on:

• Value drivers
• Risk profile
• IT infrastructure, organisation and project portfolio

Page 20:

CobiT Sources

• Professional standards for internal control and auditing (COSO, IFAC, AICPA, IIA, etc.)
• Technical standards (ISO, EDIFACT, etc.)
• Codes of Conduct
• Qualification criteria for IT systems and processes (ISO9000, ITSEC, TCSEC, etc.)
• Industry practices and requirements from industry forums (ESF, I4)
• Emerging industry-specific requirements from banking, e-com, IT manufacturing.

Page 21:

CobiT Framework

Page 22:

CobiT Framework

Documents relationships among information criteria, IT resources, and IT processes

Links control objectives and control practices to business processes and business objectives

Assists in confirming that appropriate IT processes (and practices) are in place

Facilitates evaluation and assurance methods

Page 23:

IT Resource Management

CobiT underscores and demonstrates that IT resources need to be managed in order to provide organizations with the type and quality of information required to achieve organizational objectives.

Page 24:

Framework’s Three Components

Business Requirements for Information

IT Resources

IT Processes

Page 25:

Information Criteria -- The 1st Component

• Effectiveness

• Efficiency

• Confidentiality

• Integrity

• Availability

• Compliance

• Reliability of Information

Page 26:

IT Resources -- The 2nd Component

• Application Systems

• Information

• Infrastructure Facilities

• People

Page 27:

Process Orientation

Domains
Natural grouping of processes, often matching an organisational domain of responsibility

Processes
A series of joined activities with natural control breaks

Activities or Tasks
Actions needed to achieve a measurable result—activities have a life cycle whereas tasks are discrete

(Diagram: IT Processes, Business Requirements, IT Resources)

Page 28:

Key Driving Forces for COBIT

• Business Requirements: what the stakeholders expect from IT (Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Information reliability)
• IT Resources: the resources made available to—and built up by—IT (Data, Application systems, Technology, Facilities, People)
• IT Processes: how IT is organised to respond to the requirements (Plan and Organise, Acquire and Implement, Deliver and Support, Monitor and Evaluate)

Page 29:

Process Orientation

IT Domains (natural grouping of processes, often matching an organisational domain of responsibility):
• Plan and Organise
• Acquire and Implement
• Deliver and Support
• Monitor and Evaluate

IT Processes (a series of joined activities with natural (control) breaks):
• IT strategy
• Computer operations
• Incident handling
• Acceptance testing
• Change management
• Contingency planning
• Problem management

Activities (actions needed to achieve a measurable result—activities have a life cycle whereas tasks are discrete):
• Record new problem.
• Analyse.
• Propose solution.
• Monitor solution.
• Record known problem.
• Etc.

(Diagram: IT Processes, Business Requirements, IT Resources)

Page 30:

COBIT Domains:

Plan and Organize, Acquire and Implement, Deliver and Support, Monitor and Evaluate

(Diagram: the four domains in sequence, with feedback loops between them)

Page 31:

COBIT Processes

Plan and Organise
PO1 Define an IT Strategic Plan
PO2 Define the Information Architecture
PO3 Determine Technological Direction
PO4 Define the IT Processes, Organisation and Relationships
PO5 Manage the IT Investment
PO6 Communicate Management Aims and Direction
PO7 Manage IT Human Resources
PO8 Manage Quality
PO9 Assess and Manage IT Risks
PO10 Manage Projects

Acquire and Implement
AI1 Identify Automated Solutions
AI2 Acquire and Maintain Application Software
AI3 Acquire and Maintain Technology Infrastructure
AI4 Enable Operation and Use
AI5 Procure IT Resources
AI6 Manage Changes
AI7 Install and Accredit Solutions and Changes

Page 32:

COBIT Processes

Deliver and Support
DS1 Define and Manage Service Levels
DS2 Manage Third-party Services
DS3 Manage Performance and Capacity
DS4 Ensure Continuous Service
DS5 Ensure Systems Security
DS6 Identify and Allocate Costs
DS7 Educate and Train Users
DS8 Manage Service Desk and Incidents
DS9 Manage the Configuration
DS10 Manage Problems
DS11 Manage Data
DS12 Manage the Physical Environment
DS13 Manage Operations

Monitor and Evaluate
ME1 Monitor and Evaluate IT Performance
ME2 Monitor and Evaluate Internal Control
ME3 Ensure Compliance With External Requirements
ME4 Provide IT Governance

Page 33:

Process Orientation: Plan and Organise

• Description
  – This domain covers strategy and tactics, and concerns the identification of the way IT can best contribute to the achievement of the business objectives. Furthermore, the realisation of the strategic vision needs to be planned, communicated and managed for different perspectives. Finally, a proper organisation as well as technological infrastructure must be put in place.

• Topics
  – Strategy and tactics
  – Vision planned
  – Organisation and infrastructure

• Questions
  – Are IT and the business strategy aligned?
  – Is the enterprise achieving optimum use of its resources?
  – Does everyone in the organisation understand the IT objectives?
  – Are IT risks understood and being managed?
  – Is the quality of IT systems appropriate for business needs?

(Diagram: Domains; IT Processes, Business Requirements, IT Resources)

Page 34:

Digging Into COBIT

Page 35:

COBIT Framework

• COBIT framework provides guidance on IT governance and the role of IT control.
• Generic controls:
  – Controls that relate to IT processes and Control Objectives

Page 36:

Navigating in COBIT: Process-level

Page 37:

The WATERFALL Navigation Aid: High-Level Control Objectives for Each Process

(Diagram: the control of IT Processes, which satisfy Business Requirements, is focusing on Control Statements, is achieved by Control Practices, and is measured by metrics such as user satisfaction; together these form the High-Level Control Objective)

Page 38:

Which Domain?

Page 39:

Process Description

All changes, including emergency maintenance and patches, relating to infrastructure and applications within the production environment are formally managed in a controlled manner. Changes (including those to procedures, processes, system and service parameters) are logged, assessed and authorized prior to implementation, and reviewed against planned outcomes following implementation. This assures mitigation of the risks of negatively impacting the stability or integrity of the production environment.

Page 40:

The Waterfall of Control

Page 41:

Information Criteria

Page 42:

IT Resources

Page 43:

IT Governance

Page 44:

Control Objectives

AI6.5 Change Closure and Documentation
Whenever changes are implemented, update the associated system and user documentation and procedures accordingly.

Page 45:

Management Guidelines

Page 46:

Management Guidelines

Page 47:

Input-output Matrix

Managing the Life Cycle

• Inputs coming from other processes
• Outputs going to other processes

Page 48:

Primary Inputs and Outputs

• CobiT identifies from where primary inputs are obtained for each process
• The inputs are identified, along with where they came from
• Also identifies to which IT processes the process provides output
• The outputs (from the process) are identified, along with where they would be directed

Page 49:

Managing the Life Cycle

(Diagram: PO, AI, DS)

Whilst COBIT represents the life cycle of IT investments, it must also manage inter-process interdependencies.

Page 50:

RACI Charts

Page 51:

“RACI” Chart

• Identifies who is Responsible, Accountable, Consulted and/or Informed
• Addresses considerations for points of accountability
• Addresses issues of communication and desired input (who would be consulted)
• Rather than titles, think of positions in terms of roles
• Depending on the size of the organization or the IT function, several roles may be combined

Page 52:

RACI chart

(Diagram: Typical Process Activities set against a Standard Organisation Chart: who is Responsible, Accountable, Consulted and Informed?)

Page 53:

Goals and Metrics

Page 54:

Metrics

• Activity Goals tell us how well the process is performing
  – Measured by KPIs
• Process Goals tell us what IT must deliver
  – Measured by Key Goal Indicators
• IT Goals tell us what we expect from IT
  – Measured by Key Goal Indicators

Page 55:

Maturity Model

Page 56:

Use of Maturity Models

• The assessment of process capability based on the COBIT maturity models is a key part of IT governance implementation.

• Enables gaps in capability to be identified and demonstrated to management.

• Action plans can then be developed

Page 57:

Maturity Levels in COBIT

0 - Non-existent: Management processes are not applied at all.
1 - Initial: Processes are ad hoc and disorganised.
2 - Repeatable: Processes follow a regular pattern.
3 - Defined: Processes are documented and communicated.
4 - Managed: Processes are monitored and measured.
5 - Optimised: Best practices are followed and automated.

Page 58:

Dimensions of Process Maturity in COBIT

Capture process maturity data on each of six dimensions:

• Awareness and communication
• Policies, standards and procedures
• Tools and automation
• Skills and expertise
• Responsibility and accountability
• Goal setting and measurement

Page 59:

Collecting Maturity Model Data

(Diagram: each of the six dimensions, Awareness and Communication; Policies, Standards and Procedures; Tools and Automation; Skills and Expertise; Responsibility and Accountability; Goal Setting and Measurement, rated on a scale of 0 to 5)

Page 60:

How Do Governance and the Business Drive IT?

(Diagram: Business Goals drive IT Goals, which drive IT Processes. Business Requirements require Information Services, which imply Information Criteria; Governance Requirements influence them. IT Processes need Infrastructure and People, run Applications and deliver Information.)

Page 61:

COBIT and Other Frameworks and Standards

Page 62:

The Need for IT Governance Control Frameworks

Many organizations recognize the potential benefits that technology can yield

Successful organizations understand and manage what needs to be achieved and the risks associated with implementing new technologies

This understanding is key to control and IT governance.

Control Frameworks and generally accepted practices

Page 63:

Impact of Technology on Control

Operational and control objectives do not change, or change only a little

–Some technology-specific control objectives change

There is a significant impact on the “mix” of controls used to address the control objectives.

–Technology can facilitate achieving control objectives

Page 64:

Control Models:

• Structured or organized to present a control framework relative to control objectives and respective internal controls or control practices.
• Provide statements of responsibilities for control
• Provide guidance regarding mechanisms to assess the need for control, and to design, develop, implement and exercise control
• Require that controls be monitored and evaluated.

Page 65:

Where COBIT Typically Sits

(Diagram: three layers, the Governance Layer, the IT Governance Layer and the IT Management Layer, with COBIT positioned among King, COSO, TickIT, 17799, CMM and ITIL)

Page 66:

How COBIT Relates to Frameworks and Standards

• Integrator of technical standards
• Interface to business standards

Page 67:

How COBIT Relates to Frameworks and Standards

(Diagram: Strategic level, COBIT; Process Control level; Process Execution level, ITIL, CMM, 17799; Work Instruction level, work instructions 1, 2, 3, 4, 5, 6….)

Page 68:

How COBIT Relates to Frameworks and Standards

Page 69:

How COBIT Relates to Frameworks and Standards

Plugging 27001 into COBIT Processes

(Chart: 27001 Reach across COBIT Elements, Control Objectives and IT Processes, plotted per COBIT process from PO1 through ME4; 27001 maps 100% onto COBIT)

Page 70

How COBIT Relates to Frameworks and Standards

Gartner Advisory on COBIT and ITIL

Page 71

Control (as defined by COBIT)

The policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected.

Page 72

To Achieve Business Objectives

To Avoid Risks, Threats and Exposures

Control (as defined by COBIT)

The policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected.

Source: COBIT Control Objectives. P. 12.

Page 73

IT Control Objective

A statement of desired result or purpose to be achieved by implementing control procedures in a particular IT activity.

Page 74

To understand internal control and what we mean by “reasonable assurance”, one needs to understand risk.

• What is “reasonable assurance”?

• What is the relationship of reasonable assurance to residual risk?

Page 75

Figure: Assurance Level plotted against Residual Risk on a scale from 0% to 100%, with the point of reasonable assurance marked.

Page 76

Control Responsibilities

• Management -- primary responsibility for ensuring that controls are in place and in effect to provide reasonable assurance that operational and control objectives will be met.

• Users -- exercise controls.

• Audit -- evaluates, advises and provides statements of assurance regarding the adequacy of controls.

Page 77

COBIT®

• COBIT® 4.1—Emphasizes regulatory compliance, helps organizations increase the value attained from IT, enables alignment and simplifies implementation of the COBIT framework

The COBIT family of products includes:

• COBIT Advisor, 3rd Edition

• IT Governance Implementation Guide, Using COBIT and Val IT, 2nd Edition

• IT Governance Based on COBIT 4.1

• COBIT Online

• COBIT Quickstart, 2nd Edition

• COBIT Security Baseline, 2nd Edition

• Mappings of COBIT to other international frameworks and standards

www.isaca.org/cobit