Overview of COBIT standards
Description: Control Objectives for Information and Related Technology - Overview of standards
Transcript
IT Audit and Risk Management Presentation
Presentation was last accessed on Thursday, October 8 2009 10:23:11 PM
Group 2: PGPM508_12 Gunvel Sivaram; PGPM508_52 On Ali Abbasi; PGPM508_41 Saurav Swapnil; PGPM508_33 Prasath L Krishna; PGPM508_59 Malviya Prashant
= we need Governance
Will it work?
It may actually work, thanks to: experience; luck; a culture of “Quick and Dirty”.
But what happens when we need to: document; improve; fix/find an error; transfer responsibility?
Focus Areas
• Linkage of Business and IT Plans
• Optimal investment
• Track & monitor implementation
• Value Proposition: promised benefit against strategy
• Clear understanding, risk appetite, compliance
COBIT is a set of best practices (framework) for information technology (IT) management created by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI).
Mission: “to research, develop, publicize and promote an authoritative, up-to-date, international set of generally accepted information technology control objectives for day-to-day use by business managers and auditors.”
History
• COBIT 1 (1996): Audit
• COBIT 2 (1998): Control
• COBIT 3 (2000): Management; 2003: Online version
• COBIT 4 & 4.1 (2005): Governance; 2007: 4.1
Managers, auditors, and users benefit from the development of COBIT because it helps them understand their IT systems and decide the level of security and control that is necessary to protect their companies’ assets through the development of an IT governance model.
Basic COBIT Principle
Where COBIT fits in
Basic COBIT Principle
COBIT is Business focused
Business requirements drive the investments in IT resources, that are used by IT processes, to deliver enterprise information, which responds to business requirements.
Basic COBIT Framework
COBIT Cube
IT resources are managed by IT processes to achieve IT goals that respond to the business requirements.
Basic COBIT Principle
COBIT is Controls based
Control loop: Process → Control Information → Compare against Norms, Standards, Objectives → Act
• Statements of managerial actions to increase value or reduce risk
• Consist of the policies, procedures, practices and organizational structures
• Provide reasonable assurance that business objectives will be achieved and undesired events will be prevented or detected and corrected
Basic COBIT Principle
COBIT is measurement driven
• Maturity models to enable benchmarking and identification of necessary capability improvements
• Performance goals and metrics for the IT processes, demonstrating how processes meet business and IT goals and are used for measuring internal process performance based on balanced scorecard principles
• Activity goals for enabling effective process performance
Basic COBIT 4.1 Principle
COBIT is process oriented
• Plan & Organize: provides direction to solution delivery (AI) and service delivery (DS)
COBIT Structure: Plan & Organize
IT processes
The PO domain covers the use of information & technology and how best it can be used in a company to help achieve the company’s goals and objectives.
It also highlights the organizational and infrastructural form IT needs to take in order to achieve the optimal results and to generate the most benefits from the use of IT.
COBIT Structure: Plan & Organize
IT processes
Mapping of ISO/IEC 27002:2007 objectives to a COBIT process: + Good Match (more than 2); - No or Minor Match
PO1 Define a Strategic IT Plan and Direction: -
PO2 Define the Information Architecture: +
PO3 Determine Technological Direction: -
PO4 Define the IT Processes, Organization and Relationships: -
PO5 Manage the IT Investment: +
PO6 Communicate Management Aims and Direction: +
PO7 Manage IT Human Resources: +
PO8 Manage Quality: +
PO9 Assess and Manage IT Risks: -
PO10 Manage Projects: -
COBIT Structure: Plan & Organize
Summary
• Inputs = Requirements
• Outputs = DS and AI
• Core Activities = iterative strategic definition stage
• Sub Core Activities = managing the purse strings, people and communication
• Other Activities = managing the quality, IT risks and projects, and lots of monitoring & evaluation techniques
COBIT Structure: Acquire & Implement
IT processes
The AI domain covers:
• identifying IT requirements,
• acquiring the technology, and
• implementing it within the company’s current business processes.
This domain also addresses the development of a maintenance plan that a company should adopt in order to prolong the life of an IT system and its components.
COBIT Structure: Acquire & Implement
Summary
• Inputs = Requirements and PO activities
• Outputs = DS and PO
• Core Activities = identifying the solution, maintaining software & infrastructure, change and configuration management, enabling its use, and implementing the result into the operational environment
• Other Activities = managing quality, IT risks and projects, lots of monitoring & evaluation techniques, and finally procuring those IT resources
COBIT Structure: Deliver & Support
Concerned with the actual delivery of required services: service delivery, management of security and continuity, service support for users, management of data, and operational facilities.
It typically addresses the following management questions:
• Are IT services being delivered in line with business priorities?
• Are IT costs optimized?
• Is the workforce able to use the IT systems productively and safely?
• Are adequate confidentiality, integrity and availability in place?
DS Levels
DS1 Define and Manage Service Levels
DS2 Manage Third-party Services
DS3 Manage Performance and Capacity
DS4 Ensure Continuous Service
DS5 Ensure Systems Security
DS6 Identify and Allocate Costs
DS7 Educate and Train Users
DS8 Manage Service Desk and Incidents
DS9 Manage the Configuration
DS10 Manage Problems
DS11 Manage Data
DS12 Manage the Physical Environment
DS13 Manage Operations
Deliver & Support example
DS1 Define and Manage Service Levels
Effective communication between IT management and business customers regarding the services required is enabled by a documented definition and agreement of IT services and service levels. This process also includes monitoring and timely reporting to stakeholders on the accomplishment of service levels. This process enables alignment between IT services and the related business requirements.
DS1 Define and Manage Service Levels
DS1.1 Service Level Management Framework
DS1.2 Definition of Services
DS1.3 Service Level Agreements
DS1.4 Operating Level Agreements
DS1.5 Monitoring and Reporting of Service Level Achievements
DS1.6 Review of Service Level Agreements and Contracts
COBIT Structure: Monitor & Evaluate
IT processes
• ME1: Monitor and Evaluate IT Performance
• ME2: Monitor and Evaluate Internal Control
• ME3: Ensure Regulatory Compliance
• ME4: Provide IT Governance
COBIT Structure: Monitor & Evaluate
ME1: Monitor and Evaluate IT Performance
• Monitoring Approach: establishment of a general monitoring framework and approach that define the scope, methodology and process to be followed for monitoring IT’s contribution
• Definition and Collection of Monitoring Data: defining a balanced set of performance objectives, measures, targets and benchmarks, and having them signed off by stakeholders
• Monitoring Method: deployment of a method that provides a succinct, all-round view of IT performance and fits within the enterprise monitoring system
• Performance Assessment: periodic review of performance against targets; perform remedial action against initial deviations
• Board and Executive Reporting: management reports containing progress against set targets
• Remedial Actions: identification and initiation of remedial actions based on the performance monitoring, assessment and reporting
COBIT Structure: Monitor & Evaluate
ME2: Monitor and Evaluate Internal Control
• Monitoring of Internal Control Framework: continuous assessment against industry best practices and benchmarks to improve the IT control environment
• Supervisory Review: compliance with policies and standards, information security, change controls
• Control Exceptions: record information on exceptions, and ensure proper analysis of underlying issues
• Control Self-assessment: evaluate the completeness and effectiveness of management’s internal controls through a continuing program of self-assessment
• Assurance of Internal Control: third-party review
• Remedial Actions: identify and initiate remedial actions based on control assessment and reporting; review negotiation and understanding of management responses
COBIT Structure: Monitor & Evaluate
ME3: Ensure Regulatory Compliance
• Identification of Laws and Regulations Having Potential Impact on IT: define and implement a process to ensure timely identification of local and international regulatory requirements and policies related to information and information service delivery
• Optimization of Response to Regulatory Requirements: review and optimize IT policies, standards and procedures to ensure legal requirements are covered
• Evaluation of Compliance with Regulatory Requirements
• Positive Assurance of Compliance: regular reporting of corrective actions being taken by process owners
• Integrated Reporting: integrate IT reporting on regulatory requirements with similar output from other business functions
COBIT Structure: Monitor & Evaluate
ME4: Provide IT Governance
• Establishment of an IT Governance Framework: define a framework including leadership, processes, roles and responsibilities, information requirements, and organizational structure
• Strategic Alignment: develop a shared understanding of business and IT
• Resource Management: optimize the investment, use and allocation of IT assets through regular assessments
• Performance Measurement: report performance to the board in a timely fashion
• Independent Assurance
Summary
How do you align an IT risk assessment with COBIT controls?
CoBiT vs COSO
COSO | COBIT
Targets management controls | Targets IT controls specifically
Useful for management at large | Useful for IT management, users, and auditors
How to do | What to do
CoBiT vs COSO
COSO components: Control Environment; Risk Assessment; Control Activities; Information & Communication; Monitoring
COBIT domains: Plan & Organize; Acquire & Implement; Delivery & Support; Monitor & Evaluate
Supporting Applications and Related Infrastructure
Your Security Check
• Logout when you are finished
• Who knows your password?
Thank You
References
• New COBIT Version 4.1 available: http://www.isaca.org/cobit
• http://itknowledgeexchange.techtarget.com/it-compliance/how-do-you-align-an-it-risk-assessment-with-cobit-controls/
• http://www.mahindrasatyam.net/services/business_value_enhancement/enterprise_risk_complaince_mngt.asp
• Ben Kalland, ITIL Expert and COBIT Foundation certified, [email protected]