COBIT and slides © 2007 IT Governance Institute. Used with permission. An Overview of COBIT®
An Overview of COBIT®
COBIT and slides © 2008 IT Governance Institute. Used with permission.
In This Presentation...
• Driving forces for IT governance and Control Objectives for Information and related Technology (COBIT®)
• An introduction to:
  • The COBIT framework
  • COBIT supporting materials
• Where COBIT fits with other frameworks and standards
The Governance Environment
Forces Driving IT Governance
• Compliance
• Security
• Business/IT Alignment
• ROI
• Project Execution
IT Governance Needs a Management Framework
Driving Forces Map Onto the IT Governance Focus Areas
[Diagram: IT Governance Domains, surrounded by the IT Governance Focus Areas]
• Strategic Alignment
• Value Delivery
• Risk Management
• Resource Management
• Performance Measurement
COBIT 4.1—The IT Governance Framework
• Internationally accepted good practices
• Management-oriented
• Supported by tools and training
• Freely available
• Sharing knowledge and leveraging expert volunteers
• Continually evolving
• Maintained by reputable not-for-profit organization
• Maps 100 percent to COSO
• Maps strongly to all major related standards
The only IT management and control framework that covers the end-to-end IT life cycle
COBIT good practices repository for:
• IT Processes
• IT Management Processes
• IT Governance Processes
COBIT 4.1—The IT Governance Framework
• Is a reference, set of best practices, not an ‘off-the-shelf’ cure
• Enterprises still need to analyze their control requirements and customize based on:
  • Value drivers
  • Risk profile
  • IT infrastructure, organization and project portfolio
COBIT good practices repository for:
• IT Processes
• IT Management Processes
• IT Governance Processes
Key Driving Forces for COBIT
• Business Requirements: what the stakeholders expect from IT
  • Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Information reliability
• IT Resources: the resources made available to—and built up by—IT
  • Data, Application systems, Technology, Facilities, People
• IT Processes: how IT is organized to respond to the requirements
  • Plan and Organize, Acquire and Implement, Deliver and Support, Monitor and Evaluate
How Does COBIT Link to IT Governance?
[Diagram labels: Business, IT Governance, Goals, Responsibilities, Control Objectives, Requirements, Direction and Resourcing]
• Information the business needs to achieve its objectives
• Information executives and board need to exercise their responsibilities
COBIT Is Brought to You by …
IT Governance Institute
IT Governance Institute is a non-profit research think tank associated with ISACA®.
IT Governance Institute Product Suite
• Board Briefing on IT Governance
• Information Security Governance
• COBIT 4.1
• Val IT
• IT Governance Implementation Guide
• COBIT Control Practices
• IT Assurance Guide
[Diagram labels: Governance; Business and Technology Management; Governance, Security and Assurance Management]
COBIT—Global Status
Some findings of the ITGI survey of 600 executives:
• Executive awareness of COBIT: 18% (2003), 26% (2005)
• COBIT is the preferred way to implement effective IT governance.
• Executive awareness is up.
• Perception that it is difficult to implement
• More than half of those who know it, know its contents.
• More than one-third of those who know the content, know it very well.
An Overview of COBIT
Process Orientation
Processes
A series of joined activities with natural control breaks
Activities or Tasks
Actions needed to achieve a measurable result—activities have a life cycle, whereas tasks are discrete
Domains
Natural grouping of processes, often matching an organizational domain of responsibility
Process Orientation
IT Domains: natural grouping of processes, often matching an organizational domain of responsibility
• Plan and Organize
• Acquire and Implement
• Deliver and Support
• Monitor and Evaluate
IT Processes: a series of joined activities with natural (control) breaks
• IT strategy
• Computer operations
• Incident handling
• Acceptance testing
• Change management
• Contingency planning
• Problem management
Activities: actions needed to achieve a measurable result—activities have a life cycle whereas tasks are discrete
• Record new problem.
• Analyze.
• Propose solution.
• Monitor solution.
• Record known problem.
• Etc.
Process Orientation
Plan and Organize
Description
This domain covers strategy and tactics, and concerns the identification of the way IT can best contribute to the achievement of the business objectives. Furthermore, the realization of the strategic vision needs to be planned, communicated and managed for different perspectives. Finally, a proper organization as well as technological infrastructure must be put in place.
Topics
• Strategy and tactics
• Vision planned
• Organization and infrastructure
Questions
• Are IT and the business strategy aligned?
• Is the enterprise achieving optimum use of its resources?
• Does everyone in the organization understand the IT objectives?
• Are IT risks understood and being managed?
• Is the quality of IT systems appropriate for business needs?
Waterfall Model
4 Domains - 34 Processes - 210 Control Objectives
The control of IT Processes
that satisfy Business Requirements
is enabled by Control Statements
considering Control Practices
COBIT Framework
IT Life Cycle
Business Objectives
Criteria
• Effectiveness
• Efficiency
• Confidentiality
• Integrity
• Availability
• Compliance
• Reliability
IT Resources
• Applications
• Information
• Infrastructure
• People
Plan and Organize
Acquire and Implement
Deliver and Support
Monitor and Evaluate
COBIT Processes
Plan and Organize
• PO1 Define an IT Strategic Plan
• PO2 Define the Information Architecture
• PO3 Determine Technological Direction
• PO4 Define the IT Processes, Organization and Relationships
• PO5 Manage the IT Investment
• PO6 Communicate Management Aims and Direction
• PO7 Manage IT Human Resources
• PO8 Manage Quality
• PO9 Assess and Manage IT Risks
• PO10 Manage Projects
Acquire and Implement
• AI1 Identify Automated Solutions
• AI2 Acquire and Maintain Application Software
• AI3 Acquire and Maintain Technology Infrastructure
• AI4 Enable Operation and Use
• AI5 Procure IT Resources
• AI6 Manage Changes
• AI7 Install and Accredit Solutions and Changes
COBIT Processes
Deliver and Support
• DS1 Define and Manage Service Levels
• DS2 Manage Third-party Services
• DS3 Manage Performance and Capacity
• DS4 Ensure Continuous Service
• DS5 Ensure Systems Security
• DS6 Identify and Allocate Costs
• DS7 Educate and Train Users
• DS8 Manage Service Desk and Incidents
• DS9 Manage the Configuration
• DS10 Manage Problems
• DS11 Manage Data
• DS12 Manage the Physical Environment
• DS13 Manage Operations
Monitor and Evaluate
• ME1 Monitor and Evaluate IT Performance
• ME2 Monitor and Evaluate Internal Control
• ME3 Ensure Compliance With External Requirements
• ME4 Provide IT Governance
Digging Into COBIT
Digging Into COBIT
Working with the COBIT product suite
• Introduce the key elements of COBIT.
• Show how they interrelate.
• Introduce supporting materials.
COBIT Framework
• COBIT framework provides guidance on IT governance and role of IT control.
• Generic controls: Controls that relate to all processes
• Application controls
Navigating in COBIT
Process-level
Which Domain?
Process Description
All changes, including emergency maintenance and patches, relating to infrastructure and applications within the production environment are formally managed in a controlled manner. Changes (including those to procedures, processes, system and service parameters) are logged, assessed and authorized prior to implementation, and reviewed against planned outcomes following implementation. This assures mitigation of the risks of negatively impacting the stability or integrity of the production environment.
The Waterfall of Control
Information Criteria
IT Resources
IT Governance
Control Objectives
AI6.5 Change Closure and Documentation
Whenever changes are implemented, update the associated system and user documentation and procedures accordingly.
Management Guidelines
Managing the Life Cycle
Input-output Matrix
• Inputs coming from other processes
• Outputs going to other processes
Managing the Life Cycle
PO AI DS
Whilst COBIT represents the life cycle of IT investments, it must also manage inter-process interdependencies.
RACI Charts
RACI chart
• Typical Process Activities
• Standard Organization Chart
• Who is Responsible, Accountable, Consulted and Informed?
Goals and Metrics
Maturity Model
Maturity Levels in COBIT
• 0 - Non-existent: Management processes are not applied at all.
• 1 - Initial: Processes are ad hoc and disorganised.
• 2 - Repeatable: Processes follow a regular pattern.
• 3 - Defined: Processes are documented and communicated.
• 4 - Managed: Processes are monitored and measured.
• 5 - Optimised: Best practices are followed and automated.
Dimensions of Process Maturity in COBIT
We capture process maturity data on each of six dimensions:
• Awareness and communication
• Policies, standards and procedures
• Tools and automation
• Skills and expertise
• Responsibility and accountability
• Goal setting and measurement
Collecting Maturity Model Data
• Awareness and Communication
• Policies, Standards and Procedures
• Tools and Automation
• Skills and Expertise
• Responsibility and Accountability
• Goal Setting and Measurement
0 1 2 3 4 5
How to Get Started With COBIT
How Do Governance and the Business Drive IT?
[Diagram labels: Governance Drivers, Business Outcomes, Business Goals, IT Goals, IT Processes]
• Applications
• Information
• Infrastructure
• People
How Do Governance and the Business Drive IT?
[Diagram labels: Business Goals, IT Goals, IT Processes]
• IT Processes: run Applications, deliver Information, need Infrastructure and People
• Business Requirements, Governance Requirements, Information Services, Information Criteria (relationships: require, imply, influence)
Performance Measurement
Goal Relationships
Leverage Supporting Materials
Implementation Guide
Implementation Guide
IT Governance Implementation Guide: Using COBIT and Val IT, 2nd Edition
Detailed, structured guidance to the implementation of IT governance
Generic IT governance implementation guidance, not just COBIT
Control Practices
Control Practices
COBIT Control Practices, 2nd Edition
• Detailed guidance on each of the control objectives
• Management-oriented
• From three to 12 control practices per control objective
COBIT Online
COBIT Online
An online view of COBIT allows users to customise and integrate COBIT, coupled with process benchmarking.
Assurance Guide
Assurance Guide
IT Assurance Guide: Using COBIT
• Detailed guidance to support assurance practitioners in:
  • Financial statement audit
  • Internal audit
  • Value for money
  • Operational improvement
• Guidance on:
  • How to leverage COBIT for assurance
  • Detailed assurance testing steps
COBIT and Other Frameworks and Standards
Where COBIT Typically Sits
[Diagram: COBIT shown alongside COSO, ITIL, 17799, CMM and TickIT across three layers]
• Governance Layer
• IT Governance Layer
• IT Management Layer
How COBIT Relates to Frameworks and Standards
• Integrator of technical standards
• Interface to business standards
How COBIT Relates to Frameworks and Standards
[Diagram: COBIT, ITIL, CMM and 17799 shown against the levels Strategic, Process Control, Process Execution and Work Instruction]
Summary
• Quality IT Services
• Successful IT Projects
• Improved efficiency
• Optimized costs
• Easier compliance
• Reduced operational risk
• Improved management, confidence and trust
An Overview of COBIT®