Roger Southgate
CISA, CISM, FCCA, MBA
rwsouthgate@isaca-london.org
The Organisation Challenge
• Meeting the demands of today: good things to happen; bad things not happening
• The problems
• Needs of tomorrow? Continuous improvement; measure results
Global Status Report 2008
Key Findings of the Survey
The 13 key messages that have been identified during the analysis of the survey reflect important findings from the results of the survey:
1. Although championship for IT governance within the enterprise comes from the C-level, in daily practice IT governance is still very much a CIO/IT director issue. The few non-IT people in the sample have a much more positive view of IT than do the IT professionals themselves.
2. The importance of IT continues to increase.
3. Self-assessment regarding IT governance has increased and is quite positive.
4. Communication between IT and users is improving, but slowly.
5. There is still substantial room for improvement in alignment between IT governance and corporate governance, as well as for IT strategy and business strategy.
6. IT-related problems persist. While security/compliance is an issue, people are the most critical problem.
DS5 Ensure Systems Security: Overall Maturity Assessment
Deliver and Support Domain: Overall Maturity Assessments for all Processes
The World Bank
The Role of International Standards, Principles and Best Practices
International standards and codes of best practice are expected to make two principal contributions. The first is to enhance transparency by defining minimum standards and best practices for disclosure by governments, as well as by financial institutions and corporations. Perhaps even more importantly, international benchmarks can provide a guide in assessing policies and hence assist in addressing weaknesses and strengthening policies and institutions, both to reduce vulnerability and to promote long-term development.
The Context
The Challenges of Complexity, Detail and Time
Models, Frameworks and Proven Practices help us make sense of the context and the challenges we face: they provide roadmaps.
Diagram axes: Reach (Pervasive, National, Global); Range (Principles, Prescription, Focused Prescription)
COSO ERM
Internal Environment
• Risk Management Philosophy
• Risk Appetite
• Board of Directors
• Integrity and Ethical Values
• Commitment to Competence
• Organisational Structure
• Assignment of Authority and Responsibility
• Human Resource Standards
Event Identification
• Events
• Influencing Factors
• Event Identification Techniques
• Event Interdependencies
• Event Categories
• Distinguishing Risks and Opportunities
Control Activities
• Integration with Risk Response
• Types of Control Activities
• Policies and Procedures
• Controls over Information Systems
• Entity Specific
The World Economic Forum (www.weforum.org)
Published in early January each year:
1. Economics – 6 trends, 6 issues of concern, 6 risks
2. Geopolitics – 7 trends, 9 issues of concern, 12 risks
3. Environment – 3 trends, 6 issues of concern, 7 risks
4. Society – 4 trends, 4 issues of concern, 4 risks
5. Technology – 2 trends, 2 issues of concern, 2 risks
Center for Information Systems Research (CISR)
• Availability
• Access
• Accuracy
• Agility
http://mitsloan.mit.edu/cisr/index.php
The Global Information Technology Report
World Economic Forum
Global Information Technology Readiness – GITR
The Networked Readiness Index Framework
• Market
• Readiness: Individual Readiness, Business Readiness, Government Readiness
• Usage: Individual Usage, Business Usage, Government Usage
The Jericho Forum "Commandments" for the emerging de-perimeterised future
http://www.jerichoforum.org
Threat matrix (network and asset):
• Inside, accidental: disclosure, modification, loss/destruction, interruption
• Inside, deliberate: disclosure, modification, loss/destruction, interruption
• Outside, accidental: disclosure, modification, loss/destruction, interruption
• Outside, deliberate: disclosure, modification, loss/destruction, interruption
Article 12
No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.
COBIT Fundamentals
"To provide the information that the organisation needs to achieve its objectives, IT resources need to be managed by a set of naturally grouped processes."
The four questions: Are we doing the right things? Are we getting the benefits? Are we doing them the right way? Are we getting them done well?
Business Requirements for Information: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability
Resources: Applications, Information, Infrastructure, People
IT Processes: Plan and Organise; Acquire and Implement; Deliver and Support; Monitor and Evaluate
Maturity Model Attributes:
• A&C – Awareness and Communication
• PSP – Policies, Standards and Procedures
• T&A – Tools and Automation
• S&E – Skills and Expertise
• R&A – Responsibility and Accountability
• GSM – Goal Setting and Measurement
What is Control?
Control is defined within COBIT as the policies, procedures, practices and organisational structures designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented or detected and corrected.
Enterprise management needs to make control objective choices by:
• Selecting those that are applicable
• Deciding upon those that will be implemented
• Choosing how to implement them (frequency, span, automation, etc.)
• Accepting the risk of not implementing those that may apply
The Drivers and Pulls
• Value
• Risk
• Cost
• Time
What Does it Mean?
• Authority
• Accountability
• Transparency
Authority and Accountability
The Five Focus Areas of IT Governance
• IT Alignment: define strategy. Are we doing the right things?
• Value Delivery: good things to happen. Are we getting the benefits?
• Risk Management: bad things not happening.
• IT Resource Management: resolve problems. Are we doing them the right way?
• Performance Measurement: measure results; continuous improvement. Are we getting them done well?
What is Trusted and why?
Do we design and build for Security?
Diagram labels: Virtualisation; Local IT Operations; Borders; Confidential Data; Logical Boundaries; Connectivity Barriers; Administration; Incidents; Change; Configuration
Are we doing them the right way? Are we getting them done well?
Is it "built in" or "bolted on"?
What Risk does this control mitigate?
Layers: Business Controls; Business Processes; Business Applications; IT Resources and Processes
• Systems development
• Change management
• Security
• Computer operations
The Way Forward
? Realism
? Relevance
? Results
✓ Look
✓ Act
✓ Speak
✓ Think
Standards and Good Practices
"COBIT the integrator" (www.itgi.org)
IT governance focus areas: Strategic Alignment; Value Delivery; Risk Management; Resource Management; Performance Measurement
Surrounding standards and good practices: COSO; ISO 9000; CMMI; ISO 27000; ITIL; ISO 20000
Questions?
Click on the questions tab on your screen, type in your question (and name if you wish) and hit submit.