May 10, 2012
Anthony Noble, Viacom Inc.
Rob Johnson, Bank of America
COBIT 5 Task Force, created in 2009:
Included international experts from across ISACA constituency groups (Assurance, Security Management and Risk/Governance)
Co-chair John Lainhart (Past International President)
Co-chair Derek Oliver (Past Chairman of the BMIS Development Committee)

- John W. Lainhart, IV, CISA, CISM, CGEIT, IBM Global Consulting Services, USA, Co-chair
- Derek J. Oliver, Ph.D., DBA, CISA, CISM, CITP, FBCS, FISM, MInstISP+, Ravenswood Consultants Ltd, UK, Co-chair
- Pippa G. Andrews, CISA, ACA, CIA, KPMG, Australia
- Elisabeth Antonsson, CISM, BSc, BA, Nordea Bank, Sweden
- Steven A. Babb, CGEIT, KPMG, UK
- Steven De Haes, Ph.D., Antwerp Management School, Belgium
- Peter Harrison, CGEIT, FCPA, IBM Australia Ltd., Australia
- Jimmy Heschl, CISA, CISM, CGEIT, ITIL Expert, bwin.party digital entertainment plc, Austria
- Rob Johnson, CISA, CISM, CGEIT, CRISC, CISSP, Bank of America, USA
- Erik Pols, CISA, CISM, Shell International ITCI, Netherlands
- Vernon Poole, CISM, CGEIT, Sapphire, UK
- Abdul Rafeq, CISA, CGEIT, CIA, FCA, A. Rafeq and Associates, India

All rights reserved.
The Need?

- More emphasis on operational risk management
- Need to drive risk management disciplines directly into the day-to-day responsibilities of professionals
- Regulatory bodies requiring more privacy, security and an enhanced control environment
- Responding to the financial crisis
- Increased publicity and liability
- Workforces are increasingly globalised and distributed, which increases the complexities of governing and managing them
- Massive volumes of information, supported by technology, drive business success but also raise a host of complex challenges for business and IT leaders
What is COBIT 5? A Practical View

Builds on COBIT 4 as a Foundation

COBIT 5 is a significant strategic evolution of COBIT 4.1.

COBIT 5 is a comprehensive governance and management framework comprising industry practices, analytical tools and models that help an enterprise achieve optimal value and objectives by balancing technology:
- Benefits
- Risk
- Resource Use
COBIT: One Framework for the Governance of Enterprise IT

(Figure: Evolution of COBIT) Audit; Control; Management; IT Governance; Governance of Enterprise IT. Val IT 2.0 (2008) and Risk IT (2009) are incorporated into the framework.
Highlights: A Taste!

The COBIT 5 Framework

The initial publication introduces, defines and describes the components that make up the COBIT Framework:
- Principles
- Architecture
- Enablers

Introduction to implementation guidance and the COBIT process assessment approach.
COBIT 5 Principles: Links IT and the Business

(Figure: the five principles)
- Balance benefits, risk, resources
- Makes a clear distinction between governance and management
- Integrates governance of enterprise IT into enterprise governance
- Defines a set of enablers to support the implementation of a comprehensive governance and management system
- Serves as the overarching framework for governance and management of enterprise IT

Shifts IT Processes to a Business View

- Integrates governance of enterprise IT into enterprise governance.
- Covers all functions and processes within the enterprise; COBIT 5 does not focus only on the IT function, but treats information and related technologies as assets that need to be dealt with just like any other asset by everyone in the enterprise.
- Considers all IT-related governance and management enablers to be enterprise-wide and end-to-end, i.e. inclusive of everything and everyone, internal and external, that is relevant to governance and management of enterprise information and related IT.
COBIT 5 Enablers Dimensions

All enablers have a set of common dimensions. This:
- provides a common, simple and structured way to deal with enablers,
- allows their complex interactions to be managed, and

The COBIT 5 framework defines seven categories of enablers:
- Processes
- Frameworks, Principles and Policies
- Organisational Structures
- People, Skills and Competencies
- Culture, Ethics and Behaviour
- Services, Infrastructure & Applications
- Information
Principle 5: Separating Governance from Management

Governance ensures that enterprise objectives are achieved by evaluating stakeholder needs, conditions and options; setting direction through prioritisation and decision making; and monitoring performance, compliance and progress against plans.

Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives.
Immediate Differences: The four MANAGEMENT domains

- Align, Plan & Organise (APO) replaces PO
- Define & Manage the Enterprise IT Control Framework
- Build, Acquire & Implement (BAI) replaces AI
- Manage Knowledge
- Deliver, Service & Support (DSS) replaces DS
- Manage Suppliers
- Monitor, Evaluate & Assess (MEA) replaces ME
- Provide Assurance (Key management domain for auditors)

More meaningful & more business related!

Monitor, Evaluate & Assess (MEA)

COBIT 5: Process Reference Guide Exposure Draft

Alignment is now considered to be the result of all governance and management activities.

(Figure: COBIT 5 Process Map)
The Lens Concept

The Eye of the Beholder: what are you looking for?

(Figure) COBIT 5 Framework, viewed through lenses: COBIT 5 for Security, COBIT 5 for Audit, COBIT 5 for Risk, COBIT 5 for ?, COBIT 5 for ?
Other Standards, Frameworks, Guidelines etc., e.g. ISO, ITIL, National Standards.

Easier to Navigate: Smaller Integrated Publications
Capability vs. Maturity Model

The process maturity model of COBIT 4.1 has been replaced with a capability model based on ISO/IEC 15504 to align with and support a separate ISACA initiative, the COBIT Assessment Program (CAP).

Note: the Assessment model is not an Assurance model.

There are a number of benefits in doing so:
- Focus on whether the process is achieving its intended purpose and delivering its required outcomes as expected.
- Simplification
- Improved reliability and repeatability of process capability assessment
- Compliance with a generally accepted (ISO) process assessment standard
Process Capability Model Comparison

COBIT 4.1 Maturity Model | COBIT 5 ISO/IEC 15504-based Capability Level | Meaning of the COBIT 5 ISO/IEC 15504-based Capability Level | Context
5. Optimised | 5. Optimised | Continuously improved to meet relevant current and projected enterprise goals. | Enterprise view / corporate knowledge
4. Managed and Measurable | 4. Predictable | Operates within defined limits to achieve its process outcomes. | Enterprise view / corporate knowledge
3. Defined | 3. Established | Implemented using a defined process that is capable of achieving its process outcomes. | Enterprise view / corporate knowledge
N/A | 2. Managed | Implemented in a managed fashion (planned, monitored and adjusted) and its work products are appropriately established, controlled and maintained. | Instance view / individual knowledge
2. Repeatable; 1. Initial/Ad hoc | 1. Performed | Process achieves its process purpose. | Instance view / individual knowledge
0. Non-existent | 0. Incomplete | Not implemented, or little or no evidence of any systematic achievement of the process purpose. |

COBIT 5 Process Capability Model

In ISO/IEC 15504, capability levels are defined by a set of nine process attributes; these attributes cover some ground covered by the current COBIT 4 maturity attributes and/or process controls, but only to a certain extent and in a different way.
Benefits of COBIT 5 for Auditors? A Practical View

Benefits of the Update

The benefits of the new COBIT 5 Process Capability Model compared to the COBIT 4.1 Maturity Models include:
- The auditor can focus on whether the process assures achievement of its purpose and required outcomes.
- Simplifies testing content and eliminates duplication, because the COBIT 4.1 Maturity Model assessment requires the use of a number of specific components, including the Generic Maturity Model, Process Maturity Models, Control Objectives and Process Controls, to support process assessment.
- Improved reliability and repeatability of process capability assessment activities and evaluations, reducing debates and disagreements between stakeholders on assessment results.
- Compliance with a generally accepted process assessment standard and therefore strong support for the process assessment approach in the market.
- Increased usability of process capability assessment results, as the new model establishes a basis for more formal, rigorous assessments to be performed, for both internal and potential external purposes.
A Practical View: TYPES OF ASSURANCE

What is Assurance?

(Figure, taken from IT Assurance Guide: Using COBIT V4.1)

Types of Assurance

IT Assurance Activities include:
- Perform a risk assessment
- Diagnose operational and/or project risk
- Plan/perform risk-based assurance activities
- Assess/Self-assess process maturity
- Assess/Self-assess controls
- Substantiate risk
- Process capability assessments
A Practical View: ASSURANCE METHODOLOGIES

Standard Audit Methodology

Audit Planning
- Use business goals as a starter
- Risk assessment/analysis of not meeting goals
- Define Scope/Objectives of Audit
- Examine drivers for the audit
- Select control objectives for review

Execute Audit
- Test the controls and their design
- Document control weaknesses
- Report an overall conclusion and recommendations
Example: Assessment Overview

(Figure: Process Assessment Model; Assessment Process)
This figure is reproduced from ISO 15504-2:2003 with the permission of ISO at www.iso.org. Copyright remains with ISO.
Examples: A Practitioner's View

Change Management

AI6 in COBIT 4.1 and BAI06 in COBIT 5
- COBIT 4.1 contained a Maturity Model
- COBIT 5 uses the Capability Model
- Will use Emergency Changes for our example

COBIT 4.1 control objective AI6.3 = BAI06.2

AI6.3 Emergency Changes
Establish a process for defining, raising, testing, documenting, assessing and authorising emergency changes that do not follow the established change process.

BAI06.02 Manage Emergency Changes.
Carefully manage emergency changes to minimise further incidents and make sure the change is controlled and takes place securely. Verify that emergency changes are appropriately assessed and authorised after the change.
For Assurance we can...

Maturity Assessment
- Use the COBIT V4.1 Maturity Model

Capability Assessment
- Use the COBIT Process Assessment Model V4.1

Efficiency and Effectiveness of Controls Assessment
- Use the IT Assurance Guide: Using COBIT V4.1
- Use the ISACA Change Management Audit Program, which references COBIT 4.1
- Develop a custom audit program using the COBIT 5 Process Reference Guide
COBIT 4.1 Maturity Model AI6

Management of the process that satisfies the business requirement for IT of responding to business requirements in alignment with the business strategy, whilst reducing solution and service delivery defects and rework, is:

Level 3 Defined when there is a defined formal change management process in place, including categorisation, prioritisation, emergency procedures, change authorisation and release management, and compliance is emerging. Workarounds take place, and processes are often bypassed. Errors may occur and unauthorised changes occasionally occur. The analysis of the impact of IT changes on business operations is becoming formalised, to support planned rollouts of new applications and technologies.
COBIT 4.1 Capability Model AI6

Purpose: Satisfy the business requirement of managing IT changes in alignment with the business strategy to reduce solution and service delivery defects and rework.

Outcomes (Os)
- AI6 O1: Change standards and associated procedures, including those for emergency changes, are defined and communicated.
- AI6 O2: Changes are assessed, prioritised and authorised.
- AI6 O3: Change status is tracked and reported.

Base Practices (BPs)
- AI6 BP1: Develop and implement a process to consistently record, assess and prioritise change requests. Supports AI1 O1
- AI6 BP2: Assess impact and prioritise changes based on business needs. Supports AI1 O2
- AI6 BP3: Assure that any emergency and critical change follows the approved process. Supports AI1 O1
- AI6 BP4: Authorise changes. Supports AI1 O2
- AI6 BP5: Manage and disseminate relevant information regarding changes. Supports AI1 O3
Assurance Guide COBIT 4.1 AI6

Test of Controls: Emergency Changes
- Enquire whether and confirm that the overall change management process includes emergency change procedures (e.g., defining, raising, testing, documenting, assessing and authorising emergency changes).
- Inspect the documentation for a representative sample of emergency changes and, by interviewing key staff members, establish whether emergency changes are implemented as specified in the change management process.
- Confirm through interviews with key staff members that emergency access arrangements are authorised, documented and revoked after the change has been applied.
- Enquire whether and confirm that a post-implementation review of emergency changes is conducted.

Assurance Guide COBIT 4.1 AI6

Test Samples: Emergency Changes
- Inspect a sample of emergency changes and verify that they have been processed in accordance with the change management framework. Verify that procedures have been followed to authorise, document and revoke access after the change has been applied.
- Inspect a sample of emergency changes and determine if a post-implementation review has been conducted after the changes were applied. Consider implications for further application system maintenance, impact on development and test environments, application software development quality, documentation and manuals, and data integrity.
ISACA Audit Program

6.4.2 Test objective: To verify the effectiveness of the emergency change control process that ensures the integrity of the production libraries and application data.
- Select a sample of emergency moves to production.
- Determine if the program was run from an interim library or the production library.
- If the production library was used, determine if a one-time password was retrieved.
- Determine if the one-time password was disabled.
Build Your Own Audit Program

Process goal: All emergency changes are reviewed and authorised after the change.

Review historical metrics:
- Percent of total changes that are emergency fixes
- Number of emergency changes not authorised after the change

Examine the output for verification:
- Documented post-implementation review of emergency changes

Build Your Own Audit Program

Test that the Base Practice activities are being performed:
- Ensure that a documented procedure exists to declare, assess, give preliminary approval, authorise after the change and record an emergency change.
- Verify that all emergency access arrangements for changes are appropriately authorised, documented and revoked after the change has been applied.
- Monitor all emergency changes, and conduct post-implementation reviews involving all concerned parties. The review should consider and initiate corrective actions based on root causes such as problems with business process, application system development and maintenance, development and test environments, documentation and manuals, and data integrity.
- Define what constitutes an emergency change.
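The two emergency-change test procedures above (the "Build Your Own Audit Program" metrics and output check, and ISACA Audit Program step 6.4.2 on interim versus production libraries and one-time passwords) can be turned into repeatable evidence checks over an exported change log. The following Python script is an added example, not code from the presentation or from any ISACA or COBIT publication; the ChangeRecord schema, the function names and the sample change records are constructed assumptions, and treating "authorised after the change" as an authorisation dated on or after the date the change was applied is an interpretation of the slide's process goal.

```python
"""Added example: automating emergency-change evidence checks over a change log.

The ChangeRecord schema, the helper names and SAMPLE_CHANGES are constructed
assumptions for illustration; a real change-management tool exports its own
fields, and this script would sit on top of an adapter for that export.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class ChangeRecord:
    change_id: str
    emergency: bool                       # declared as an emergency change
    applied_on: date                      # date the change reached production
    authorised_on: Optional[date]         # authorisation date, None if never authorised
    pir_documented: bool                  # a post-implementation review is on file
    library: Optional[str] = None         # "interim" or "production" (move-to-production tests)
    otp_retrieved: Optional[bool] = None  # one-time password retrieved for the production library
    otp_disabled: Optional[bool] = None   # that one-time password disabled after the move


# Constructed sample log: six standard changes and four emergency fixes.
SAMPLE_CHANGES: List[ChangeRecord] = [
    ChangeRecord("CHG-1001", False, date(2012, 4, 2), date(2012, 3, 30), True),
    ChangeRecord("CHG-1002", False, date(2012, 4, 4), date(2012, 4, 1), True),
    ChangeRecord("CHG-1003", False, date(2012, 4, 9), date(2012, 4, 5), True),
    ChangeRecord("CHG-1004", False, date(2012, 4, 11), date(2012, 4, 10), True),
    ChangeRecord("CHG-1005", False, date(2012, 4, 16), date(2012, 4, 12), True),
    ChangeRecord("CHG-1006", False, date(2012, 4, 18), date(2012, 4, 17), True),
    # Emergency fix run from an interim library, authorised and reviewed afterwards.
    ChangeRecord("CHG-1010", True, date(2012, 4, 20), date(2012, 4, 21), True, "interim"),
    # Emergency fix from the production library: never authorised, no review,
    # one-time password retrieved but never disabled.
    ChangeRecord("CHG-1011", True, date(2012, 4, 22), None, False, "production", True, False),
    # Clean emergency fix from the production library.
    ChangeRecord("CHG-1012", True, date(2012, 4, 25), date(2012, 4, 25), True, "production", True, True),
    # Only a preliminary approval before the change, so no post-change authorisation,
    # and no one-time password retrieved although the production library was used.
    ChangeRecord("CHG-1013", True, date(2012, 4, 28), date(2012, 4, 27), True, "production", False, None),
]


def percent_emergency(changes: List[ChangeRecord]) -> float:
    """Historical metric: percent of total changes that are emergency fixes."""
    if not changes:
        return 0.0
    return 100.0 * sum(1 for c in changes if c.emergency) / len(changes)


def authorised_after_change(c: ChangeRecord) -> bool:
    """Interpretation of the process goal: an authorisation dated on or after
    the date the change was applied counts as 'authorised after the change'."""
    return c.authorised_on is not None and c.authorised_on >= c.applied_on


def unauthorised_emergency(changes: List[ChangeRecord]) -> List[str]:
    """Historical metric: emergency changes not authorised after the change."""
    return [c.change_id for c in changes if c.emergency and not authorised_after_change(c)]


def missing_pir(changes: List[ChangeRecord]) -> List[str]:
    """Output verification: emergency changes with no documented post-implementation review."""
    return [c.change_id for c in changes if c.emergency and not c.pir_documented]


def production_library_exceptions(changes: List[ChangeRecord]) -> Dict[str, List[str]]:
    """Audit program step 6.4.2: for emergency moves run from the production
    library, a one-time password must have been retrieved and then disabled."""
    findings: Dict[str, List[str]] = {"otp_not_retrieved": [], "otp_not_disabled": []}
    for c in changes:
        if not (c.emergency and c.library == "production"):
            continue  # interim-library moves are outside this test
        if not c.otp_retrieved:
            findings["otp_not_retrieved"].append(c.change_id)
        elif not c.otp_disabled:
            findings["otp_not_disabled"].append(c.change_id)
    return findings


def audit_report(changes: List[ChangeRecord]) -> Dict[str, object]:
    """Collect the evidence an auditor would carry into the working papers."""
    return {
        "total_changes": len(changes),
        "percent_emergency": percent_emergency(changes),
        "not_authorised_after_change": unauthorised_emergency(changes),
        "missing_post_implementation_review": missing_pir(changes),
        "production_library_otp_exceptions": production_library_exceptions(changes),
    }


if __name__ == "__main__":
    for key, value in audit_report(SAMPLE_CHANGES).items():
        print(f"{key}: {value}")
```

Run as a script it prints the report for the constructed sample; pointed at a real export, the same functions produce the list of records to pull for the document inspection and staff interviews that the Assurance Guide steps above still require. The date comparison and the one-time-password flags are evidence for the auditor to follow up, not a conclusion on their own.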
Example: Information Quality

Stakeholders
Can be internal or external to the enterprise: information producers, information custodians and information consumers.
- Information producer, responsible for creating the information
- Information custodian, responsible for storing and maintaining the information
- Information consumer, responsible for using the information

Goals
The goals of information are divided into three subdimensions of quality:

Intrinsic quality: the extent to which data values are in conformance with the actual or true values. It includes:
- Accuracy: the extent to which information is correct and reliable
- Objectivity: the extent to which information is unbiased, unprejudiced and impartial
- Believability: the extent to which information is regarded as true and credible
- Reputation: the extent to which information is highly regarded in terms of its source or content

Contextual and representational quality: the extent to which information is applicable to the task. It includes:
- Relevancy: the extent to which information is applicable and helpful for the task at hand
- Completeness: the extent to which information is not missing and is of sufficient depth and breadth for the task at hand
- Currency: the extent to which information is sufficiently up to date for the task at hand
- Appropriate amount of information: the extent to which the volume of information is appropriate for the task at hand
- Concise representation: the extent to which information is compactly represented
- Consistent representation: the extent to which information is presented in the same format
- Interpretability: the extent to which information is in appropriate languages, symbols and units, and the definitions are clear
- Understandability: the extent to which information is easily comprehended
- Ease of manipulation: the extent to which information is easy to manipulate and apply to different tasks

Security/Accessibility quality: the extent to which information is available or obtainable. It includes:
- Availability: the extent to which information is available when required, or easily and quickly retrievable
- Restricted Access: the extent to which access to information is restricted appropriately to authorised parties
Collaborate, Contribute, Connect
www.isaca.org/knowledge-center

The Knowledge Center is a collection of resources and online communities that connect ISACA members globally, across industries and by professional focus, under one umbrella. Add or reply to a discussion, post a document or link, connect with other ISACA members, or create a wiki by participating in a community today!