cobit5-torino 1 3 2012 - aiea€™evoluzione rispetto cobit 4.1 torino, 1 ... but don’t we...
TRANSCRIPT
Capitolo di Milano
COBIT 5 l’evoluzione rispetto CobiT 4.1
Torino, 1 marzo 2012
COBIT 5 COBIT 5 l’evoluzione rispetto CobiT 4.1
Torino, 1 Torino, 1 marzomarzo 20122012
Presentato da:
Alberto Piamonte
2
Capitolo di Milano
COBIT 5
Nel 2011 sono usciti:
• COBIT 5 Framework (85 pp)
– Principi
– Architettura
– Enablers
• COBIT 5 Process Reference Guide (218 pp)
• COBIT Assessment Program (per CobiT 4.1
ma usato anche da COBIT 5)
– COBIT Assessment Model (PAM) 73pp
– COBIT Assessor Guide 47pp
– COBIT Self-assessment Guide 31pp
A valle delle prime esperienze di utilizzo, alcune note . . .
4
Capitolo di Milano
�
Information Information
CriteriaCriteria
Risorse IT
Processi IT
Business Strategy
CobiT 4.1
5
Capitolo di Milano
Information Criteria
IT Resources
IT Processes
Business Strategy
CobiT 4.1
•Efficacia
•Efficienza
•Riservatezza
•Integrità
•Disponibilità
•Conformità
•Affidabilità
6
Capitolo di Milano
Information Criteria
• Efficacia
• Efficienza
• Riservatezza
• Integrità
• Disponibilità
• Conformità
• Affidabilità
• Efficacia
• Efficienza
• Riservatezza
• Integrità
• Disponibilità
• Conformità
• Affidabilità
Acquire and maintain skilled and motivated people.17
Manage product and business innovation.16Learning
Improve and maintain operational and staff productivity.15
Manage business change.14
Provide compliance with internal policies.13
Provide compliance with external laws, regulations and contracts.12
Lower process costs.11
Improve and maintain business process functionality.10
Internal
Obtain reliable and useful information for strategic decision making.9
Achieve cost optimalisation of service delivery.8
Create agility in responding to changing business requirements (time to market).7
Establish service continuity and availability.6
Offer competitive products and services.5
Improve customer orientation and service.4
Customer
Improve corporate governance and transparancy.3
Manage IT-related business risk.2
Provide a good return on investment of IT-enabeled business investments.1
Financial
Balanced Score Cards (BSC)
7
Capitolo di Milano
Criteri BSC
Business
Goals
IT Resources
IT Processes
Business Strategy
COBIT5 : architettura
Service
Capabilities
Processes
Culture,
Ethics,
Behaviour
Organisational
Structures
InformationPrinciples &
Policies
Skills &
Competencies
Importanza
relativa
COBIT 5 Enablers
9
Capitolo di Milano
1 - Integrator fremework
• Partendo dall’attuale COBIT framework, riunendo le attualiframeworks e linee guida ISACA quali:
Val IT Risk IT
BMIS ITAF
Board Briefing Taking Governance Forward
• Mantenendo il collegamento con le principali frameworks e standards presenti sul mercato (ITIL, ISO , ecc.)
• Non solo in prospettiva IT, ma estendibile ad altri aspetti dibusiness
© 2010 ISACA. All rights reserved. 9
10
Capitolo di MilanopProduct and business innovation culture
pssSkilled and motivated peopleLearning & Growth
pCompliance with internal policies
ppOperational and staff productivity
sppManaged business change programmes
ppOptimisation of business process costs
ppOptimisation of business process functionality
Internal
spOptimisation of service delivery costs
pppInformation‐‐‐‐based strategic decision making
spAgile responses to a changing business
environment
pBusiness service continuity and availability
spCustomer‐‐‐‐oriented service culture
Customer
sspFinancial transparency
pStakeholder value of business investments
spPortfolio of competitive products and services
spManaged business risks (safeguarding of assets)
pCompliance with external laws and regulations
Financial
Resource
optimizati
on
Risk
optimizati
on
Benefits
realisatio
n
Governance Objectives
Enterprise Goals
2/3 - Stakeholder Value driven and Business focussed
11
Capitolo di MilanopProduct and business innovation culture
pssSkilled and motivated peopleLearning & Growth
pCompliance with internal policies
ppOperational and staff productivity
sppManaged business change programmes
ppOptimisation of business process costs
ppOptimisation of business process functionality
Internal
spOptimisation of service delivery costs
pppInformation‐‐‐‐based strategic decision making
spAgile responses to a changing business
environment
pBusiness service continuity and availability
spCustomer‐‐‐‐oriented service culture
Customer
sspFinancial transparency
pStakeholder value of business investments
spPortfolio of competitive products and services
spManaged business risks (safeguarding of assets)
pCompliance with external laws and regulations
Financial
Resource
optimizati
on
Risk
optimizati
on
Benefits
realisatio
n
Governance Objectives
Enterprise Goals
Importanza
Relativa (P/S)
dei :
COBIT
Processes
e
degli altri
Enablers !
2/3 - Stakeholder Value driven and Business focussed
12
Capitolo di Milano
4 – Enablers based
• Per raggiungere gli obiettivi di
business, bisogna considerare un
insieme di Enablers tra loro
interconnessi:
1. Processi
2. Cultura, etica e comportamenti
3. Strutture organizzative
4. Informazioni
5. Principi e Politiche
6. Skill e competenze
7. Capacità di erogare Servizi
Service
Capabilities
Processes
Culture,
Ethics,
Behaviour
Organisational
Structures
InformationPrinciples &
Policies
Skills &
Competencies
Systemic Governance
Stakeholder needs
14
Capitolo di Milano
Process Enabler Model
Relazioni:
•Informazioni in input o in output
•Strutture organizzative,
•Servizi
•Producono o necessitano di Policy e procedure
•Gli aspetti ambientali e/o culturali influenzano le
modalità di esecuzione del processo
16
Capitolo di Milano
Process Reference Guide
• A separate publication that expands on the
process-enabler model
• Contains full details of the COBIT processes in
a similar way to the process documentation in
COBIT 4.1
17
Capitolo di Milano
Information Enabler Model
Un’evoluzione degli Information Criteria CobiT 4.1 …..
23
Capitolo di Milano
5 - Governance e Management
Governance definizione e controllo delle
strategie
Management esecuzione e gestione delle
risorse
Nel Process Model del COBIT 5 viene fatta una chiara distinzione tra le due discipline
24
Capitolo di Milano
Commenti …..
• Possibilità di una transizione graduale e
progressiva da 4.1 a 5
• COBIT 5 può essere utilizzato in “CobiT 4.1
mode”, per acquisire successivamente le
novità che servono
• …
Capitolo di Milano
ISACA’s COBIT Assessment
Programme
ISACAISACA’’ss COBIT Assessment COBIT Assessment
Programme Programme
26
Capitolo di Milano
What is the new COBIT assessment process?
� The COBIT process programme is described in COBIT® Process Assessment
Model (PAM): Using COBIT ® 4.1.
� PAM brings together two proven ‘heavyweights’ in the IT arena, ISO and
ISACA.
� The COBIT PAM adapts the existing COBIT 4.1 content into an ISO 15504
compliant process assessment model.
Copyright ISACA 2011. All rights reserved Slide 26
27
Capitolo di Milano
What’s different?
� But don’t we already have maturity models for COBIT 4.1 processes?
� The new COBIT assessment programme is:
• A robust assessment process based on ISO 15504
• An alignment of COBIT’s maturity model scale with the international standard
• A new capability-based assessment model which includes:
• Specific process requirements derived from COBIT 4.1
• Ability of process to achieve process attributes based on ISO 15504
• Evidence requirements
• Assessor qualifications and experiential requirements
� Results in a more robust, objective and repeatable assessment
� Assessment results will likely vary from existing COBIT maturity models!
Copyright ISACA 2011. All rights reserved Slide 27
28
Capitolo di Milano
Assessment Overview
This figure is reproduced from ISO 15504-2:2003 with the permission of ISO at www.iso.org. Copyright remains with ISO.
Process Assessment Model
Assessment Process
Copyright ISACA 2011. All rights reserved Slide 28
30
Capitolo di Milano
PRM Based on COBIT 4.1Process ID DS1
Process Name Define and Manage Service Levels
Purpose Satisfy the business requirement of ensuring the alignment of key IT services with the business needs.Outcomes (Os) Number Description
DS1-O1 A service management framework is in place to define the organisational structure for service level management, covering the base definitions of services, roles, tasks and responsibilities of internal and external service providers and customers.
DS1-O2 Internal and external SLAs are formalised in line with customer requirements and delivery capabilities.DS1-O3 Operating level agreements (OLAs) are developed to specify the technical processes required to support SLAs.DS1-O4 Processes are in place to monitor (and periodically review) SLAs and achievements.
Base Practices (BPs) Number Description SupportsDS1-BP1 Create a framework for defining IT services. DS1-O1DS1-BP2 Build an IT service catalogue. DS1-O1, O2DS1-BP3 Define SLAs for critical IT services. DS1-O2DS1-BP4 Define OLAs for meeting SLAs. DS1-O3DS1-BP5 Monitor and report end-to-end service level performance. DS1-O4DS1-BP6 Review SLAs and underpinning contracts. DS1-O4DS1-BP7 Review and update the IT service catalogue. DS1-O1DS1-BP8 Create a service improvement plan. DS1-O1
Work Products (WPs)Inputs
Number Description SupportsPO1-WP1 Strategic IT plan DS1-O1, O2, O3, O4PO1-WP4 IT service portfolio DS1-O1, O2, O3, O4PO2-WP5 Assigned data classifications DS1-O1PO5-WP3 Updated IT service portfolio DS1-O4AI2-WP4 Initial planned SLAs DS1-O3AI3-WP7 Initial planned OLAs DS1-O3DS4-WP5 Disaster service requirements, including roles and responsibilities DS1-O1ME1-WP1 Performance input to IT planning DS1-O1, O2
OutputsNumber Description Input To Supports
DS1-WP1 Contract review report DS2 DS1-O1, O4DS1-WP2 Process performance reports ME1 DS1-O4DS1-WP3 New/updated service requirements PO1 DS1-O2, O3DS1-WP4 SLAs AI1, DS2, DS3, DS4, DS6, DS8, DS13 DS1-O2DS1-WP5 OLAs DS4 to DS8, DS11, DS13 DS1-O3DS1-WP6 Updated IT service portfolio PO1 DS1-O1, O4
Copyright ISACA 2011. All rights reserved Slide 30
31
Capitolo di Milano
Assessment Overview
This figure is reproduced from ISO 15504-2:2003 with the permission of ISO at www.iso.org. Copyright remains with ISO.
31Copyright ISACA 2011. All rights reserved Slide 31
32
Capitolo di Milano
Measurement Framework
� COBIT assessment process measures the extent to which a given process
achieves specific attributes relative to that process— ‘process attributes’.
� COBIT assessment process defines 9 process attributes (based on ISO/IEC
15504-2)
• PA 1.1 Process performance
• PA 2.1 Performance management
• PA 2.2 Work product management
• PA 3.1 Process definition
• PA 3.2 Process deployment
• PA 4.1 Process measurement
• PA 4.2 Process control
• PA 5.1 Process innovation
• PA 5.2 Continuous optimization
Copyright ISACA 2011. All rights reserved Slide 32
33
Capitolo di Milano
Process Capability
Base Practice and Work Products
Generic Practice and Generic Work Products
Instance view /
individual knowledge
Enterprise view /
corporate knowledge
34
Capitolo di Milano
Process Attributes (example)
� PA 1.1 Process performance
• The process performance attribute is a measure of the extent to which the
process purpose is achieved.
• As a result of full achievement of this attribute, the process achieves its
defined outcomes.
Copyright ISACA 2011. All rights reserved Slide 34
35
Capitolo di Milano
Process Attributes (example)
� PA 2.1 Performance management
• A measure of the extent to which the performance of the process is managed. As a result of full
achievement of this attribute:
a. Objectives for the performance of the process are identified.
b. Performance of the process is planned and monitored.
c. Performance of the process is adjusted to meet plans.
d. Responsibilities and authorities for performing the process are defined, assigned and communicated.
e. Resources and information necessary for performing the process are identified, made available, allocated and used.
f. Interfaces between the involved parties are managed to ensure effective communication and clear assignment of
responsibility.
� PA 2.2 Work product management
• A measure of the extent to which the work products produced by the process are appropriately
managed. As a result of full achievement of this attribute:
a. Requirements for the work products of the process are defined.
b. Requirements for documentation and control of the work products are defined.
c. Work products are appropriately identified, documented and controlled.
d. Work products are reviewed in accordance with planned arrangements and adjusted as necessary to meet
requirements.
Copyright ISACA 2011. All rights reserved Slide 35
36
Capitolo di Milano
Process Attribute Rating Scale
N Not achieved—0 to 15% achievement There is little or no evidence of achievement of the defined attribute in the assessed process.
P Partially achieved—> 15% to 50% achievementThere is some evidence of an approach to, and some achievement of, the defined attribute in the assessed process. Some aspects of achievement of the attribute may be unpredictable.
L Largely achieved—> 50% to 85% achievement There is evidence of a systematic approach to, and significant achievement of, the defined attribute in the assessed process. Some weakness related to this attribute may exist in the assessed process.
F Fully achieved—> 85% to 100% achievement There is evidence of a complete and systematic approach to, and full achievement of, the defined attribute in the assessed process. No significant weaknesses related to this attribute exist in the assessed process.
Copyright ISACA 2011. All rights reserved Slide 36
37
Capitolo di Milano
Process Capability Levels
Level 0 Incomplete processLevel 0 Incomplete processIncomplete
The process is not implemented or fails to
achieve its purpose.
Level 1 Performed processPA 1.1 Process performance attribute
Level 1 Performed processPA 1.1 Process performance attribute
Performed
The process is implemented and
achieves its process purpose.
Level 2 Managed processPA 2.1 Performance management attributePA 2.2 Work product management ttribute
Level 2 Managed processPA 2.1 Performance management attributePA 2.2 Work product management ttribute
Managed
The process is managed and work
products are established,
controlled and maintained.
Level 4 Predictable processPA 4.1 Process measurement attributePA 4.2 Process control attribute
Level 4 Predictable processPA 4.1 Process measurement attributePA 4.2 Process control attribute
Predictable
The process is enacted consistently
within defined limits.
Level 5 Optimizing processPA 5.1 Process innovation attributePA 5.2 Process optimization attribute
Level 5 Optimizing processPA 5.1 Process innovation attributePA 5.2 Process optimization attribute
Optimizing
The process is continuously improved to meet relevant
current and projected business goals.
Level 3 Established processPA 3.1 Process definition attributePA 3.2 Process deployment attribute
Level 3 Established processPA 3.1 Process definition attributePA 3.2 Process deployment attribute
Established
A defined process is used based on a
standard process.
37Copyright ISACA 2011. All rights reserved Slide 37
38
Capitolo di Milano
COBIT Assessment Process Overview
This figure is reproduced from ISO 15504-2:2003 with the permission of ISO at www.iso.org. Copyright remains with ISO.
38Copyright ISACA 2011. All rights reserved Slide 38
39
Capitolo di Milano
Process Attributes and Capability Levels
This figure is reproduced from ISO 15504-5 2006 with the permission of ISO at www.iso.org. Copyright remains with ISO.
Incomplete
Performed
Managed
Established
Predictable
Optimizing
39
9 Process Attributes Process Attribute Indicators (PAI)
Copyright ISACA 2011. All rights reserved Slide 39
40
Capitolo di Milano
Process Attribute Rating
�Assessment indicators in the PAM are used to
support the assessors’ judgement in rating process
attributes:
• Provide the basis for repeatability across assessments
�A rating is assigned based on objective, validated
evidence for each process attribute.
�Traceability needs to be maintained between an
attribute rating and the objective evidence used in
determining that rating.
Copyright ISACA 2011. All rights reserved Slide 40
41
Capitolo di Milano
Un esempio: AI7 Install and Accredit Solutions and ChangesSatisfy the business requirement of implementing new or changed systems that function without major problems
after installation.
PO3 Technology standards
PO4 Documented system owners
PO8 Development standards
PO10 Project management guidelines
PO10 Detailed project plans
AI3Configured system to be
tested/installed
AI4
User, operational, support,
technical and administration
manuals
AI5 Procured items
AI6 Change authorisation
Released configuration
itemsDS8, DS9
Known and accepted
errorsAI4
Promotion to production DS13
Software release and
distribution planDS13
Post-implementation
review
PO2, PO5,
PO10
Internal control
monitoringME2
Base Practice
• A test strategy/plan based on
organisational standards for testing of
the system and data conversion is
prepared and followed.
• Release planning, including planned
approval and fallback mechanisms is
undertaken.
• An appropriate environment for testing,
including training, is established.
• Test results are evaluated and approved
by business management prior to
approval of release to production.
• Build and review implementation plans.
• Define and review a test strategy (entry and exit criteria) and an operational test plan
methodology.
• Build and maintain a business and technical requirements repository and test cases for
accredited systems.
• Perform system conversion and integration tests on the test environment.
• Deploy the test environment and conduct final acceptance tests.
• Recommend promotion to production based on agreed-upon accreditation criteria.
Generic Practice
ISO/IEC 155094 Attribute Rating
Scale (N,P,L,F)
WP in
WP out
Process Outcomes
42
Capitolo di Milano
Assessor Certification
� COBIT process assessment roles:
• Lead assessor—a ‘competent’ assessor responsible for overseeing the
assessment activities
• Assessor—an individual, developing assessor competencies, who performs the
assessment activities
� Assessor competencies:
• Knowledge, skills and experience:
• With the process reference model; process assessment model, methods and tools;
and rating processes
• With the processes/domains being assessed
• Personal attributes that contribute to effective performance
� A training and certification scheme is being developed for COBIT 4.1 and
will also be established for COBIT 5, following publication in January 2012.
Copyright ISACA 2011. All rights reserved Slide 42
43
Capitolo di Milano
COBIT Mapping e Assessment Class
ISACA (e AIEA Milano) hanno pubblicato una serie di “Mappature” del COBIT. Tali mappature
si riferiscono ai processi ed in particolare agli Obiettivi di Controllo che corrispondono agli
Outcomes del PAM !
Alcune Mappature disponibili
• Business Goals
• Governance Focus Areas and COSO
• Sorbanes – Oxley Act
• Basilea II
• Cloud Computing• Public
• Private
• Hibrid
• Sistema di Controllo Interno della Legge 262/2005
• Altri Standard (ISO 27001, ITIL, ecc.)
Sono definite e formalizzate tre classi di assessment con obiettivi e precisione differenti.
Rigore, e di conseguenza costo, crescono dal livello 1 al livello 3
1. Confronto con altre organizzazioni
2. Internal reporting formale ed affidabile da usare, ad esempio, come base per un piano di
miglioramento
3. Test e comprensione del Processo in esame e base per assessment di classe 2 o 3
44
Capitolo di Milano
Nuovo COBIT Capability Model
• Il maturity model di COBIT 4.1 (e quindi anche del COBIT 5) viene sostituito dal
Capability Model basato sull’ISO/IEC 15504 , secondo la nuova iniziativa ISACA:
COBIT Assessment Program (CAP).
• Vantaggi:
– Mantiene l’attenzione al risultato del processo di controllo (Outcome), non ai
WP in output
– Semplifica, evitando duplicazioni (MM, Control Objectives, Proc. Controls).
– Migliore affidabilità e ripetibilità delle valutazione eliminando ambiguità di
interpretazione. Metodo rigoroso e formale, proponibile all’interno ma anche
all’esterno.
– Conforme ad uno standard affermato (SPICE), applicabile anche ad altri
contesti : COSO, ITIL, Basel II, …
– E’ prevista formazione e certificazione ad hoc per gli “assessors”
46
Capitolo di Milano
COSO SPICE assessment results
(COSO 2006 Guidance)
• The assessment delivers a process capability profile …..
• Such a profile illustrates the compliance with the COSO framework. It also illustrates whichaspects need improvement.
• Not achieving level 1 means that compliance is generally missing.
• Achieving level 1 and failing in process attribute performance management means thatgenerally compliance is there but is not well tracked against targets (e.g. coverage of people knowing the ethical and integrity level).
• Achieving level 1 and failing in process attribute work product management means thatgenerally compliance is there but the results of successful departments are not kept in a structured way that they can be accessed and re-used as good practice.
• Achieving levels 1 and 2 and failing in process attribute process definition means that the compliance is there, targets are tracked, results are accessible, but there is no agreedstandard process across all departments. Etc.
• Thus from a capability level profile auditors can read levels of compliance and becomeexperts using defined measurement tools to establish improvement plans for firms.
• There is a shift then from pure audit to continuous improvement thinking.
Process Name Integrity and Ethical Values
Process Purpose Sound integrity and ethical values, particularly of top management,
are developed and understood and set the standard of conduct for
financial reporting.