Authoritative, up-to-date, international set of generally accepted IT control objectives and control practices for day-to-day use by business managers and auditors. Structured and organized to provide a powerful control model and evaluative tool.
Overview
COBIT – Control Objectives for Information and related Technology
o Currently at version 4.1
o A model designed for control of the IT function
o Supports IT governance by providing a comprehensive description of the control objectives for IT processes
Overview of CobiT: What CobiT is not!
o Audit software
o An IT audit plan
o An IT Internal Audit workprogram
o An IT audit testing plan
o A guide on "How to Audit" IT
Overview of CobiT: Then what is CobiT?
o It is the Control Objectives for Information and related Technology
o A methodology consisting of standards and controls created to assist IT professionals in the implementation, review, administration and monitoring of an IT environment
o A tool for IT professionals that has linked information technology and control practices
o CobiT consolidates and harmonizes standards from prominent global sources into a critical resource for management, control professionals and auditors
o The CobiT Executive Summary and Framework were released in December 1995, Control Objectives in April 1996, and Audit Guidelines followed in September 1996
Overview of CobiT
o CobiT represents 1. a control framework, 2. a set of generally accepted control objectives, and 3. the CobiT Audit Guidelines
o CobiT is business process oriented: it provides the business process owners with a framework which should enable them to control all the different activities underlying IT deployment
o CobiT is based on the philosophy that IT resources need to be managed by a set of naturally grouped processes in order to provide the pertinent and reliable information an organization needs to achieve its objectives
Overview of CobiT: What is the purpose of CobiT?
o To provide management and business process owners with an Information Technology (IT) governance model that helps in understanding and managing the risks associated with IT
o CobiT helps bridge the gaps between business risks, control needs and technical issues by presenting the controls through one vehicle
o It is a control model to meet the needs of IT governance and ensure the integrity of information and information systems
Overview of CobiT
o Promotes an improved focus on business information requirements
o Helps ensure that IT processes are defined and that responsibilities are assigned
o Supports management's efforts to demonstrate due diligence
o Serves as excellent criteria for evaluation
o Strengthens the understanding, design, exercise, implementation, and evaluation of internal control
o Management-oriented
o Supports corporate and IT governance
o Process-oriented
o Controls-based
o Measurement-driven
o Based on a strong foundation and sound principles of internal control
o Focuses on information having integrity, being secure, and available
IT Resource Management
CobiT underscores and demonstrates that IT resources need to be managed by naturally grouped processes to provide organizations with the type and quality of information required to achieve organizational objectives.
COBIT
COBIT is a valuable IT governance tool that helps in the understanding and management of risks and benefits associated with information integrity, security, and availability, and the management of related technology.
o Links recommended control practices for IT to business and control objectives
o Addresses key attributes of information produced by IT
o Provides guidance in implementing and evaluating the appropriateness of IT-related management control practices
Focus on Information Management and IT
o "Right" information, to only the "right" party, in the "right" format, at the "right" time, at the "right" cost
o Information that is relevant, reliable, secure, and available
o Information provided by systems that have integrity by means of a well-managed and properly controlled IT environment
COBIT Target Groups
COBIT is primarily intended for management, business users of IT and auditors. Main target groups:
o Managers – holding executive responsibility for operation of the enterprise
o End users – provide assurance of security and controls
o Auditors – independent assurance of quality and controls
o Business and IT consultants – bring knowledge and advice
o IT Service Management Professionals – provides a framework covering the complete lifecycle of IT systems and services
Who is COBIT aimed at?
To those individuals who are interested in and responsible for the management and evaluation of information technology:
o Management
o IT & Business Users
o Auditors / Advisors
o Academics & Students of Management and IT
o Legislators, Regulators, Oversight Bodies
COBIT Structure
IT Governance Cube with 3 interrelated viewpoints (Quality Criteria, IT Processes, and IT Resources)
4 COBIT Domains
o Plan & Organize – concerned with identification of the way IT can best contribute to the achievement of business objectives
o Acquire and Implement – acquiring, implementing or developing IT solutions to be integrated into the business process
o Deliver & Support – delivery of required services, including traditional operations, security, and training
o Monitor & Evaluate – regular assessment over time for quality and compliance with control requirements
COBIT mapped onto Management Cycle
Components of CobiT
Components of CobiT: The 4 Domains of CobiT
o PLANNING & ORGANIZATION (PO)
o ACQUISITION & IMPLEMENTATION (AI)
o DELIVERY & SUPPORT (DS)
o MONITORING (MO)
Components of CobiT: MONITORING (MO)
All IT processes need to be regularly assessed over time for their quality and compliance with control and regulatory requirements. Auditors need to perform procedures to ensure that the IT environment meets predefined standards with respect to:
M1. Monitor the process controls
M2. Obtain independent assurance
Components of CobiT: PLANNING & ORGANIZATION (PO)
Addresses strategy and tactics, and concerns the identification of the way information technology can best contribute to the achievement of business objectives. Is the IT strategy effectively controlled, and will it contribute to the business objectives?
PO1. Define a strategic IT plan
PO2. Define the information architecture
PO3. Determine technical direction
PO4. Define IT organization and relationships
PO5. Manage the investment in IT
PO6. Communicate management aims and directions
PO7. Manage human resources
PO8. Ensure compliance with external requirements
PO9. Assess risks
PO10. Manage projects
PO11. Manage quality
Components of CobiT: ACQUISITION & IMPLEMENTATION (AI)
To realize the IT strategy, IT solutions need to be identified, developed and/or acquired as well as implemented and integrated into the business process. Is the process to choose and implement IT solutions a controlled process? Does this process meet control standards?
AI1. Identify solutions
AI2. Acquire and maintain application software
AI3. Acquire and maintain technology architecture
AI4. Develop and maintain IT procedures
AI5. Install and accredit systems
AI6. Manage changes
Components of CobiT: DELIVERY & SUPPORT (DS)
Addresses the actual delivery of required information services. Are information related services delivered in a controlled manner?
DS1. Define service levels
DS2. Manage third party services
DS3. Manage performance and capacity
DS4. Ensure continuous service
DS5. Ensure systems security
DS6. Identify and allocate costs
DS7. Educate and train users
DS8. Assist and advise IT customers
DS9. Manage the configuration of IT systems
DS10. Manage problems and incidents
DS11. Manage data
DS12. Manage facilities
DS13. Manage operations
Overview of Internal Audit
Internal Audit
"Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes." (Definition of Internal Auditing by the Institute of Internal Auditors, Inc.)
The mission of Internal Audit is to evaluate the efficiency and effectiveness of the entity's procedures and related internal controls. As Internal Auditors, we also provide control recommendations and controls advisory.
VIDEO http://www.youtube.com/watch?v=bg_GEN8AZA0
CobiT For Internal Auditors: Who uses CobiT in the Internal Audit world?
o Typically, the IT Auditor
o Business Process Auditor
o The IT Inspection Team, or
o The IT Control Team
CobiT For Internal Auditors: How is CobiT used by Internal Audit?
o Establishing control baselines and standards
o Facilitating and creating performance metrics for Risk Assessments
o Developing the audit plan
o Facilitating the audit
o Managing residual risk
o Issuing control advisory and recommendations to the IT groups
CobiT For Internal Auditors: Audits that can be performed with the use of CobiT
1. Information System Implementations
   - Pre-Implementation Review
   - Implementation of Controls
   - Certification Reviews
   - Post Implementation Review
2. Code Development / Source Code Management Reviews
3. General Controls Reviews
4. Reviews of IT Purchasing and Procurement
5. Reviews of Baselines and Standards for IT
6. Audits of the Business Continuity Program
7. Audits of Security Configuration
8. Reviews of Security Administration
9. Data Center Reviews
10. Application Reviews / Audits
11. Audits of Business Processes
BE CREATIVE! How can you fit CobiT into your audit plan?
Applications of the 4 CobiT Domains
All of the discussed types of reviews can employ the 4 CobiT domains:
– PLANNING & ORGANIZATION
– ACQUISITION & IMPLEMENTATION
– DELIVERY & SUPPORT
– MONITORING
CobiT Trends
In general, all reviews can be performed with the use of the 4 domains as a reference, and each of the 4 domains can be applied to each review with careful planning. All IT Audit reviews should have a component that includes:
o Management controls of the information
o Review of controls over the way that information is delivered / facilitated
o How the IT control review process works, and whether it is working effectively
With the right planning, standard, and "Best Practice" template
Top Ten Strengths of CobiT in Internal Audit
10. Control evaluation processes are standardized across the IT environment
9. Benchmarks and standards are portable throughout the IT environment
8. System management processes across different systems can be compared
7. Post-audit benchmarking is easily achieved through existing CobiT Control Objectives
6. A common language between auditee, auditor, user management and data owners is provided
5. CobiT is globally recognized as a tool that provides guidance on IT audits and sets IT control "Best Practices"
4. International IT Audit groups can knowledge share (i.e. workprograms, test plans)
3. Audit groups can recruit based on experience with an internationally recognized audit tool
2. CobiT can easily be mapped to relevant regulatory examination criteria (FFIEC, HIPAA)
1. It's just plain old fun!
Problems Inherent to the Implementation and Use of CobiT
CobiT is a control framework with Audit Guidelines. Therefore:
o It is NOT an audit plan
o It is NOT a workprogram
o It does NOT provide for audit steps / techniques / procedures
o It does NOT define standards
o It does NOT define acceptable levels for IT processes
The use of CobiT requires a sufficient amount of experience with IT controls because it does not detail actual controls verification and testing steps.
Problems Inherent to the Implementation and Use of CobiT
CobiT is time & resource intensive to implement:
o Steep learning curve
o New audit plans and workprograms
o New documentation methods needed
Although CobiT is process focused, CobiT based reviews tend to be more system-focused:
o Few, if any, processes are composed of one system
o All data flows between systems, so how are data flows evaluated?
o How can major information flow processes be evaluated within reasonable time constraints?
Opportunities to Implement CobiT
Ideal Times to Implement the CobiT Framework
o Beginning of an audit year
o During a reorganization of the audit department
o During a change of strategy for the IT Audit group
o Upon implementation of Business Process focused audits
Threats to CobiT in the Internal Audit World
o Initial audits are time intensive and difficult because auditors are unfamiliar with CobiT terminology
o Auditees can be unreceptive to controls based recommendations as opposed to traditional IT recommendations
o If the audit staff does not have a sufficient amount of experience with IT controls, difficulties can arise in creating procedures to test for the existence of CobiT prescribed controls
Framework for Managing Operational Risk
• Need for better operational controls
• Importance of technology
• Risks associated with an ever changing technology environment
• Demand for recognizable value
• Need to hold senior management accountable and strengthen governance
• Achieving sufficient value from IT to support the entity's mission within a complex, vulnerable and ever changing environment
• Adequately managing risk with increasing IT dependence
• Effectively dealing with the scale and cost of current and future IT investments
• Protecting operations and IT resources against increasing vulnerabilities and a wide spectrum of threats
• Being able to adequately track and measure IT performance in support of business objectives
• Obtaining adequate assurance for the integrity, security and availability of IT systems
• Being able to demonstrate due diligence in meeting IT governance objectives
• Today, we are no longer just automating an established business process. Instead, we are using technology to expand business process capabilities and management decision making -- it is about IT-enabled change.
• Poorly-managed IT places the integrity, security, and availability of data and systems at risk and increases the likelihood of unrealized benefit.
Management Issues
o Difficulty of obtaining adequate assurance that operational and control objectives are being addressed and will be met
o Not being sufficiently aware of the impact of technology on control assessment
o Not knowing who is really responsible for system integrity, security, and availability
o Having cluttered or diffused points of accountability for IT processes across the organization
Management Issues
o Not recognizing that we often manage IT as if it were separate from the enterprise when in fact it is highly integrated with business operations
o Uncoordinated strategic planning between business and IT operations
o Outsourcing without adequate monitoring and evaluation
Management Issues
• Meeting privacy requirements
• Failing to meet regulatory or legal requirements
• Having a false sense of security
• Achieving adequate value to support the entity's mission
• There are a whole host of folks who pose a real danger to IT systems
Management Questions
Is IT well managed?
o Are we doing the right things?
o Are we doing them the best way?
o Are they being done well?
o Are we achieving desired benefits?
Is IT properly controlled? Do we exercise, and can we demonstrate, due diligence? Are the information technology drivers in sync with the agency's mandates and business goals?
How do responsible managers keep the ship on course? ... keep it afloat? How do we achieve satisfactory results for our citizens and stake-holders? How do we adapt in a timely manner to "best practices" for our organization's environment?
To establish and maintain course ... and afloat: strategic and tactical planning, monitoring and evaluation – dashboards with indicators – disaster recovery and BCP to keep it afloat
To achieve satisfactory results for our customers and stakeholders: measurement processes, balanced scorecard, etc.
To adapt in a timely manner to "best practices" for our organization's environment: benchmarking, CMM comparisons
IT Value
How do we manage to achieve acceptable IT value? What policies, practices and assurance mechanisms do we apply to the "right" resources to achieve value? What guidance is there to assist management in understanding IT processes and how to achieve IT process results? What standards should be applied to our IT environment? How do we address governance?
COBIT as an IT Governance Framework
COBIT provides a framework to control IT and supports the following 5 requirements for an IT control framework:
o Providing a sharper business focus
o Ensuring a process orientation
o Having a general acceptability among organizations
o Defining a common language
o Helping to meet regulatory requirements
IT Governance Focus Areas
Strategic Alignment – focus on ensuring the linkage of business and IT plans
Value Delivery – executing the value proposition throughout the delivery cycle
Risk Management – requires risk awareness by senior corporate officers, compliance requirements, transparency
Resource Management – optimal investment in and management of critical resources: people, applications, information and infrastructure
Performance Measurement – tracks and monitors strategy implementation
IT Governance Focus Areas
The Need for IT Governance
Enterprise governance is a set of responsibilities and practices exercised by the board and executive management with the goal of:
• Providing strategic direction
• Ensuring that objectives are achieved
• Ascertaining that risks are managed appropriately
• Verifying that the enterprise's resources are used responsibly
[Figure: IT governance focus areas – Strategic Alignment, Value Delivery, Risk Management, Resource Management, Performance Measurement. Source: www.itgi.org]
itgi. organisational structures and processes that ensure that the enterprise’s IT sustains and extends the organisation’s strategies and objectives CE MAN NT E F OR PER SUREM MEA www.org MAN RISK AGE MEN T RESOURCE MANAGEMENT 2005 2003 64% Doing something about it 64% Doing 58% 36% 42% Not doing something about it 42% Not doing something about it Source: Surveys by PwC for the IT Governance Institute Sep-Oct 2003 and Sep-Oct 2005 58 . consisting of the leadership. as Defined by ITGI IT governance is: IC EG NT AT E TR GNM S I AL DE VAL LI U E VE RY • The responsibility of the board of directors and executive management • An integral part of enterprise governance.org www.itgi.IT Governance.
Enterprise Governance Drives IT Governance
Enterprise governance is about:
Conformance – Adhering to legislation, internal policies, audit requirements, etc.
Performance – Improving profitability, efficiency, effectiveness, growth, etc.
Enterprise governance and IT governance require a balance between conformance and performance goals directed by the board.
IT Governance Focus Areas
Strategic alignment – Focuses on ensuring the linkage of business and IT plans; on defining, maintaining and validating the IT value proposition; and on aligning IT operations with enterprise operations
Value delivery – Is about executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimising costs and proving the intrinsic value of IT
Resource management – Is about the optimal investment in, and the proper management of, critical IT resources: applications, information, infrastructure and people. Key issues relate to the optimisation of knowledge and infrastructure
Risk management – Requires risk awareness by senior corporate officers, a clear understanding of the enterprise's appetite for risk, understanding of compliance requirements, transparency about the significant risks to the enterprise, and embedding of risk management responsibilities in the organisation
Performance measurement – Tracks and monitors strategy implementation, project completion, resource usage, process performance and service delivery, using, for example, balanced scorecards that translate strategy into action to achieve goals measurable beyond conventional accounting
Making IT Governance Work
To make an IT governance implementation project successful:
o Make IT governance a workable solution—able to deal with the challenges and pitfalls presented by IT.
o Make IT governance a shared responsibility between the business (customer) and the IT service provider.
o Align IT governance within a wider enterprise governance scheme, with the full commitment and direction of the board.
o Boards and executive management need to extend enterprise governance to include IT, provide the necessary leadership and organisational structures, and insist on well-managed and properly controlled processes.
o Focus as much on improving performance and enabling competitive advantage as preventing problems.
IT Governance Stakeholders
Board and executive – Set direction for IT, monitor results and insist on corrective measures
Business management – Defines business requirements for IT and ensures that value is delivered and risks are managed
IT management – Delivers and improves IT services as required by the business
IT audit – Provides independent assurance to demonstrate that IT delivers what is needed
Risk and compliance – Measures compliance with policies and focuses on alerts to new risks
Need for IT Governance Control Framework
Many organizations recognize the potential benefits of technology. The successful organizations:
o Understand that IT is more than an enabler
o Understand and manage the risks associated with implementing new technologies
o Keep a keen eye on the mission and goals, and
o Know where they are through measured progress and monitoring and evaluation
The Need for IT Governance
Challenges: Security; Aligning IT with Business; Keeping IT Running; Managing Complexity; Value/Cost; Regulatory Compliance
Organizations require a structured approach for managing these and other challenges. Need to ensure that IT objectives are agreed to, good management controls are in place, and there is effective monitoring of performance to keep on track and avoid unexpected outcomes.
Need for IT Governance Control Framework
CobiT underscores the importance to recognize:
o Optimizing value, safeguarding, and ensuring the availability of technology is an entity or senior management issue, not just an IT management issue
o Business and IT goals depend on our understanding of how to dynamically apply IT, measure results, and engage IT and business process management
o Requires understanding of what we want the technology to do, and how we are going to measure success
COBIT Provides a Framework for IT Governance
COBIT helps bridge the gaps between business risks, control needs and technical issues. It provides good practices across a domain and process framework and presents activities in a manageable and logical structure. COBIT:
o Starts from business requirements
o Is process-oriented, organizing IT activities into a generally accepted process model
o Identifies the major IT resources to be leveraged
o Defines the management control objectives to be considered
o Incorporates major international standards
o Has become the de facto standard for overall control of IT
IT resources need to be managed by a set of naturally grouped processes. COBIT provides a framework that achieves this objective.
How Does COBIT View IT Governance?
IT governance consists of leadership, organizational structures, and processes that ensure that IT sustains and extends the enterprise's strategies and objectives. IT governance is the responsibility of executives and the board of directors.
IT Governance Objectives
o IT is aligned with the business and enables the business to maximize benefit
o IT resources are safeguarded and used in a responsible and ethical manner
o IT-related risks are addressed through appropriate controls and managed to minimize risk and exposure
IT Governance
Integrates and institutionalizes good practices to ensure that IT supports the business objectives. Enables the enterprise to take advantage of its information and IT resources to maximize benefit and capitalize on opportunities.
COBIT IT Governance
o IT is aligned with the business
o IT enables the business and maximizes benefits
o IT resources are used responsibly
o IT risks are managed appropriately
IT Governance Focus Areas
o Strategic alignment
o Value delivery
o Resource management
o Risk management
o Performance measurement
IT Governance Focus Areas
Strategic Alignment focuses on ensuring the linkage of business and IT plans; defining, maintaining and validating the IT value proposition; and aligning IT operations with enterprise operations.
Value Delivery is about executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimizing costs and proving the intrinsic value of IT.
IT Governance Focus Areas
Resource Management is about the optimal investment in, and the proper management of, critical IT resources: applications, information, infrastructure and people. Key issues relate to the optimization of knowledge and infrastructure.
Risk Management requires risk awareness by senior corporate officers, a clear understanding of the enterprise's appetite for risk, understanding of compliance requirements, transparency about the significant risks to the enterprise and embedding of risk management responsibilities into the organization.
IT Governance Focus Areas
Performance Measurement tracks and monitors strategy implementation, project completion, resource usage, process performance and service delivery, using, for example, balanced scorecards that translate strategy into action to achieve goals measurable beyond conventional accounting.
What Should Management Do?
• Inquire: Ask the right questions
• Focus on IT's
  – Alignment with the agency objectives
  – Value delivery
  – Risk management
• Adopt an IT governance framework
• Focus on important IT processes and core IT competencies
• Embed responsibilities for IT security and management in the organization
• Measure performance and results
To Manage and Control IT, COBIT Recommends:
• Employing fundamentals of IT governance
• Understanding strategic value of IT
• Understanding and managing associated risks
• Exercising appropriate frameworks of control
• Having mechanisms to provide adequate assurance that IT governance objectives are addressed
Agencies Need Assurance
• That information and systems can be relied upon
• That operations are adequately controlled
• That information has integrity, is protected, and will be available
• That due diligence and compliance with good business practices can be demonstrated
CobiT provides the control evaluation methodology
CobiT is an Authoritative Source
o Built on a sound framework of control and IT-related control practices
o Aligned with de jure and de facto standards and regulations
o Aligned with control models, standards and best practices for IT management
o Subject to extensive review and exposure
COBIT's View of the Definition of Control
Why Control Information Systems?
• The answer lies in the realm of what the business wants: to accomplish and to avoid
• It therefore falls to the spectrum of: objectives and risks
COBIT's View of the Definition of Control
The Objectives and Risks become Value Drivers and Risk Drivers in COBIT.
Control (as defined by COBIT)
The policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected.
To Achieve Business Objectives / To Avoid Risks, Threats and Exposures
Control (as defined by COBIT)
The policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected.
Source: COBIT Control Objectives, p. 12.
CobiT promotes a healthy understanding about "reasonable assurance" and "residual risk". Knowing the acceptable levels for reasonable assurance and residual risk is a critical success factor for designing and managing an adequate framework of control.
[Figure: assurance level scale from 0% to 100% – reasonable assurance versus residual risk]
Relation to Other Control Models
CobiT is in alignment with other control models:
o COSO
o COCO
o Cadbury
o King
COBIT and Other IT Management Frameworks
Organizations will consider and use a variety of IT models, standards and best practices. They must be understood to consider how they can be used together, with COBIT acting as the consolidator ('umbrella').
[Figure: scope of coverage (WHAT versus HOW) of COSO, COBIT, ISO 17799, ISO 9000 and ITIL]
Where Does COBIT Fit?
Drivers – PERFORMANCE: Business Goals; CONFORMANCE: Basel II, Sarbanes-Oxley Act, etc.
Enterprise Governance – Balanced Scorecard, COSO
IT Governance – COBIT
Best Practice Standards – ISO 9001:2000, ISO 17799, ISO 20000
Processes and Procedures – QA Procedures, Security Principles, ITIL
COBIT Framework
► The COBIT framework was created with the main characteristics: Business-focused, Process-oriented, Controls-based, Measurement-driven
COBIT: An IT Control Framework
Evolution: COBIT 1 (1996) – Audit; COBIT 2 (1998) – Control; COBIT 3 (2000) – Management; COBIT 4 (2005) – Governance
For latest updates on COBIT, log on to www.isaca.org/cobit.
COBIT: Value and Limitations
COBIT:
► Has internationally accepted good practices
► Is management-oriented
► Is supported by tools and training
► Is freely downloadable
► Allows the knowledge of expert volunteers to be shared and leveraged
► Continually evolves
► Is maintained by a reputable not-for-profit organisation
► Maps 100 percent to COSO
► Maps strongly to all major, related standards
► Is a reference, not an 'off-the-shelf' cure
Enterprises still need to analyse control requirements and customise COBIT based on their:
► Value drivers
► Risk profile
► IT infrastructure, organisation and project portfolio
COBIT Components
An organisation depends on reliable and timely data and information. COBIT components provide a comprehensive framework for delivering value while managing risk and control over data and information.
[Figure: COBIT components – Business Strategy, IT Processes, IT Resources, Information Criteria]
COBIT: Advantages
Some of the advantages of adopting COBIT are:
► COBIT is aligned with other standards and good practices and should be used together with them.
► COBIT's framework and supporting best practices provide a well-managed and flexible IT environment in an organisation.
► COBIT provides a control environment that is responsive to business needs and serves management and audit functions in terms of their control responsibilities.
► COBIT provides tools to help manage IT activities.
COBIT and IT Governance
► COBIT focuses on improving IT governance in organisations.
► COBIT provides a framework to manage and control IT activities and supports five requirements for a control framework: provides sharper business focus, defines a common language, ensures process orientation, helps meet regulatory requirements, and has general acceptability amongst organisations.
COBIT and IT Governance (Cont.)
Business Focus
► COBIT achieves sharper business focus by aligning IT with business objectives. The measurement of IT performance should focus on IT's contribution to enabling and extending the business strategy. COBIT, supported by appropriate business-focused metrics, can ensure that the primary focus is value delivery and not technical excellence as an end in itself.
COBIT and IT Governance (Cont.): Process Orientation
► When organisations implement COBIT, their focus is more process-oriented. Incidents and problems no longer divert attention from processes. Exceptions can be clearly defined as part of standard processes.
► With process ownership defined, assigned and accepted, the organisation is better able to maintain control through periods of rapid change or organisational crisis.
COBIT and IT Governance (Cont.): General Acceptability
► COBIT is a proven and globally accepted standard for increasing the contribution of IT to organisational success.
► The framework continues to improve and develop to keep pace with good practices. IT professionals from all over the world contribute their ideas and time to regular review meetings.
COBIT and IT Governance (Cont.): Regulatory Requirements
► Recent corporate scandals have increased regulatory pressures on boards of directors to report their status and ensure that internal controls are appropriate. This pressure covers IT controls as well.
► Organisations constantly need to improve IT performance and demonstrate adequate controls over their IT activities. Many IT managers, advisors and auditors are turning to COBIT as the de facto response to regulatory IT requirements.
COBIT and IT Governance (Cont.): Common Language
► A framework helps get everybody on the same page by defining critical terms and providing a glossary.
► Co-ordination within and across project teams and organisations can play a key role in the success of any project. A common language helps build confidence and trust.
COBIT: Premise
► The COBIT framework is based on the premise that IT needs to deliver the information that an enterprise requires to achieve its objectives.
► The COBIT framework helps align IT with the business by focusing on business information requirements and organising IT resources. COBIT provides the framework and guidance to implement IT governance.
(Figure: business objectives drive business processes, which require information; IT resources and IT processes provide that information.)
COBIT: Principle
The principle of the COBIT framework is to link management's IT expectations with management's IT responsibilities. The objective is to facilitate IT governance to deliver IT value whilst managing IT risks.
COBIT Framework
As a control and governance framework for IT, COBIT focuses on two key areas:
► Providing the information required to support business objectives and requirements
► Treating information as the result of the combined application of IT-related resources that need to be managed by IT processes
(Figure: a business requirement sets the information criteria (effectiveness, efficiency, confidentiality, integrity, availability, compliance, reliability); IT processes (domains, processes, activities) satisfy them by applying IT resources (applications, information, infrastructure, people); control approach considerations are listed per process.)
COBIT Cube
The COBIT framework describes how IT processes deliver the information that the business needs to achieve its objectives. For controlling this delivery, COBIT provides three key components, each forming a dimension of the COBIT cube:
► Business requirements for information (information criteria)
► IT resources
► IT processes
COBIT Cube: IT Processes
► COBIT describes the IT life cycle with the help of four domains: Plan and Organise, Acquire and Implement, Deliver and Support, Monitor and Evaluate.
► The delivery of information is controlled through 34 IT processes across the four domains. These processes specify what the business needs to achieve its objectives.
► Processes are series of activities with natural control breaks. Activities are actions that are required to achieve measurable results. Moreover, activities have life cycles and include many discrete tasks.
(Cube dimensions: information criteria; IT processes, broken down into domains, processes and activities; IT resources.)
COBIT Cube: IT Domains: Plan and Organise (PO)
► Objectives:
  - Formulating strategy and tactics
  - Identifying how IT can best contribute to achieving business objectives
  - Planning, communicating and managing the realisation of the strategic vision
  - Implementing organisational and technological infrastructure
► Scope:
  - Are IT and the business strategically aligned?
  - Is the enterprise achieving optimum use of its resources?
  - Does everyone in the organisation understand the IT objectives?
  - Are IT risks understood and being managed?
  - Is the quality of IT systems appropriate for business needs?
COBIT Cube: IT Domains (Cont.)
Let's look at the COBIT process model, which consists of 34 IT processes defined within the four IT domains.
Plan and Organise:
PO1 Define a strategic IT plan.
PO2 Define the information architecture.
PO3 Determine technological direction.
PO4 Define the IT processes, organisation and relationships.
PO5 Manage the IT investment.
PO6 Communicate management aims and direction.
PO7 Manage IT human resources.
PO8 Manage quality.
PO9 Assess and manage IT risks.
PO10 Manage projects.
COBIT Cube: IT Domains (Cont.): Acquire and Implement (AI)
► Objectives:
  - Identifying, developing or acquiring, implementing and integrating IT solutions
  - Changes in and maintenance of existing systems
► Scope:
  - Are new projects likely to deliver solutions that meet business needs?
  - Are new projects likely to be delivered on time and within budget?
  - Will the new systems work properly when implemented?
  - Will changes be made without upsetting current business operations?
COBIT Cube: IT Domains (Cont. AI3 Acquire and maintain technology infrastructure. AI5 Procure IT resources. AI4 Enable operation and use. AI2 Acquire and maintain application software. Plan and Organise IT Processes Acquire and Implement Deliver and Support Monitor and Evaluate 107 . AI7 Install and accredit solutions and changes.) Acquire and Implement AI1 Identify automated solutions. AI6 Manage changes.
COBIT Cube: IT Domains (Cont.): Deliver and Support (DS)
► Objectives: the actual delivery of required services, including:
  - Service delivery
  - The management of security, continuity, data and operational facilities
  - Service support for users
► Scope:
  - Are IT services being delivered in line with business priorities?
  - Are IT costs optimised?
  - Is the workforce able to use IT systems productively and safely?
  - Are adequate confidentiality, integrity and availability in place?
COBIT Cube: IT Domains (Cont.)
Deliver and Support:
DS1 Define and manage service levels.
DS2 Manage third-party services.
DS3 Manage performance and capacity.
DS4 Ensure continuous service.
DS5 Ensure systems security.
DS6 Identify and allocate costs.
DS7 Educate and train users.
DS8 Manage service desk and incidents.
DS9 Manage the configuration.
DS10 Manage problems.
DS11 Manage data.
DS12 Manage the physical environment.
DS13 Manage operations.
COBIT Cube: IT Domains (Cont.): Monitor and Evaluate (ME)
► Objectives:
  - Performance management
  - Monitoring of internal control
  - Regulatory compliance
  - Governance
► Scope:
  - Is IT's performance measured to detect problems before it is too late?
  - Does management ensure that internal controls are effective and efficient?
  - Can IT performance be linked to business goals?
  - Are risk, control, compliance and performance measured and reported?
COBIT Cube: IT Domains (Cont.)
Monitor and Evaluate:
ME1 Monitor and evaluate IT performance.
ME2 Monitor and evaluate internal control.
ME3 Ensure compliance with external requirements.
ME4 Provide IT governance.
COBIT Cube: Information Criteria
► To satisfy business objectives, information needs to conform to specific control criteria, which COBIT refers to as business requirements for information.
► Broadly, the information criteria are based on three kinds of requirement:
  - Quality requirements
  - Fiduciary requirements
  - Security requirements
COBIT Cube: Information Criteria (Cont.)
► Effectiveness (quality): deals with information being relevant and pertinent to the business process as well as being delivered in a timely, correct, consistent and usable manner.
► Efficiency (quality): concerns the provision of information through the optimal (most productive and economical) use of resources.
► Confidentiality (security): concerns the protection of sensitive information from unauthorised disclosure.
► Integrity (security): relates to the accuracy and completeness of information as well as to its validity in accordance with business values and expectations.
► Availability (security): relates to information being available when required by the business process now and in the future. It also concerns the safeguarding of necessary resources and associated capabilities.
► Compliance (fiduciary): deals with complying with those laws, regulations and contractual arrangements to which the business process is subject, i.e. externally imposed business criteria as well as internal policies.
► Reliability (fiduciary): relates to the provision of appropriate information for management to operate the entity and to exercise its fiduciary and governance responsibilities.
COBIT Cube: IT Resources
► IT processes manage IT resources to generate, organise, acquire, deliver and store the information that the organisation needs to achieve its objectives.
► The IT resources identified in COBIT are defined as:
  - Applications are automated user systems and manual procedures that process information.
  - Information is data, in whatever form used by the business, that are input, processed and output by information systems.
  - Infrastructure includes the technology and facilities, such as hardware, operating systems and networking, that enable the processing of applications.
  - People are the personnel required to plan, organise, acquire, implement, deliver, support, monitor and evaluate information systems and services. They may be internal, outsourced or contracted, as required.
COBIT Framework (overview figure)
(Figure: business objectives and governance objectives at the top drive the information criteria (effectiveness, efficiency, confidentiality, integrity, availability, compliance, reliability) and the IT resources (applications, information, infrastructure, people); around them sit the four domains with their 34 processes: Plan and Organise PO1 to PO10, Acquire and Implement AI1 to AI7, Deliver and Support DS1 to DS13, Monitor and Evaluate ME1 to ME4, as listed on the preceding slides.)
COBIT Cube
IT resources are managed by IT processes to achieve IT goals that respond to the business requirements. This is the basic principle of the COBIT framework, as illustrated by the COBIT cube.
Interrelationship of the COBIT Components
(Figure only.)
COBIT Processes within Domains
Each of the domains described above is composed of processes (34 in total).
Domains and Processes
A domain shows the relationships among each of its individual processes. For example: Plan and Organize.
COBIT Domains with Processes
COBIT Process Descriptions
COBIT offers detailed descriptions for all 34 processes. The process descriptions:
o contain the inputs, outputs, responsibilities, metrics and goals
o provide a basis of expert knowledge from which the enterprise may decide what is relevant to its organization
o include diagrams illustrating the relationships to other processes
Where is COBIT Today?
How is CobiT Focused?
► IT Governance: better coverage with governance practices
► Business requirements: better business-to-IT linkages with cascading goals and supporting metrics
► Harmonization: improved integration with key practices
► Value creation: extended focus on IT investment
► Enterprise architecture: process structure and resources
► Process definitions and process flows: improved descriptions, activities, inputs and outputs
► Language and presentation: more concise and action-oriented in presentation; the control model and management guidelines are consolidated into one document
What are the key COBIT Documents?
► Control Objectives define what needs to be done to implement an effective control structure to improve IT performance and address IT solutions and service delivery risks.
► Control Practices provide guidance on the risks to be avoided and value to be gained from implementing a control objective, and instruction on how to implement the objective.
► The IT Assurance Guide provides guidance for the assurance team with a structured assurance approach linked to the COBIT framework that is understandable for business and IT professionals.
COBIT and Related Products COBIT 4. Board Briefing on IT To help executives understand why IT governance is important. It comes complete with tools and techniques to help managers uncover security-related problems IT Governance Provides a generic road map for implementing IT governance using the COBIT and Implementation Guide Val IT resources Control Practices Provide guidance on why the control objectives are worth implementing and how to implement them IT Assurance Guide Provides guidance on how COBIT can be used to support a variety of assurance activities together with suggested testing steps for all the IT processes and control objectives 127 . technical issues and business risks. what its issues are Governance and what their responsibility is for managing it Information Security To help overcome these barriers by explaining information security in Governance business terms.1 COBIT is an IT governance framework and supporting tool set that allows managers to bridge the gap between control requirements.
COBIT and Related Products (Cont.)
► COBIT Quickstart: a summarized version of the COBIT resources, focusing on the most crucial IT processes, control objectives and metrics, all presented in an easy-to-follow format to help users gain the benefits of COBIT quickly.
► COBIT Security Baseline (available 3rd quarter 2007): focuses on IT security risk in a way that is simple to follow and implement for everyone, from the home user or small- to medium-sized enterprise to executives and board members of larger organizations.
► IT Control Objectives for Sarbanes-Oxley: provides guidance on how to ensure compliance for the IT environment based on the COBIT control objectives related to financial reporting.
► Val IT: provides guidance for managing an organization's portfolio of IT-enabled business investments and for maximizing the quality of business cases for IT-enabled business investments.
► Aligning COBIT, ITIL and ISO 17799: explains to business users and senior management the value of IT best practices and how harmonization, implementation and integration of best practices (COBIT, ITIL and ISO/IEC 17799) may be made easier.
► COBIT Mapping Series: an overview and various mappings of COBIT to other international guidance, such as CMM and ISO 17799, have been published by ITGI.
COBIT and Related Products (figure only)
(Figure: the COBIT content layers: Framework, Control Objectives, Management Guidelines, Maturity Models.)
COBIT Objectives: IT Governance Topics
► Focus on IT Alignment by linking Information Criteria, IT Resources and IT Goals to Business Goals
► Focus on Value Delivery by using value-oriented IT goals to focus on the IT processes that are critical to deliver effectively
► Focus on Risk Management by using risk-oriented IT goals to focus on the IT processes that are needed to manage risk
► Focus on Resource Management by using Maturity Models to ensure there is a capability to deliver
► Focus on Performance Management by using metrics and scorecards to ensure plans are on track and deviations are identified
Concise Control Objectives: CobiT 4.0 versus CobiT 4.1
CobiT 4.0 PO1.2 Business-IT Alignment: Educate executives on current technology capabilities and future directions, the opportunities that IT provides, and what the business has to do to capitalize on those opportunities. Make sure the business direction to which IT is aligned is understood. The business and IT strategies should be integrated, clearly linking enterprise goals and IT goals and recognizing opportunities as well as current capability limitations, and broadly communicated. Identify where the business (strategy) is critically dependent on IT and mediate between imperatives of the business and the technology, so agreed priorities can be established.
CobiT 4.1 PO1.2 Business-IT Alignment: Establish processes of bi-directional education and reciprocal involvement in strategic planning to achieve business and IT alignment and integration. Mediate between business and IT imperatives so priorities can be mutually agreed.
CobiT 4.0 PO5.1 Financial Management Framework: Establish a financial framework for IT that drives budgeting and cost/benefit analysis, based on investment, service and asset portfolios. Maintain the portfolios of IT-enabled investment programmes, IT services and IT assets, which form the basis for the current IT budget. Provide input to business cases for new investments, taking into account current IT asset and service portfolios. New investments and maintenance to service and asset portfolios will influence the future IT budget. Communicate the cost and benefit aspects of these portfolios to the budget prioritization, cost management and benefit management processes.
CobiT 4.1 PO5.1 Financial Management Framework: Establish and maintain a financial framework to manage the investment and cost of IT assets and services through portfolios of IT-enabled investments, business cases and IT budgets.
Framework Update
COBIT Framework
► Documents relationships among information criteria, IT resources and IT processes
► Links control objectives and control practices to business processes and business objectives
► Assists in confirming that appropriate IT processes (and practices) are in place
► Facilitates evaluation and assurance methods
Information Criteria (the 1st component): Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability
IT Resources (the 2nd component): Application Systems, Information, Infrastructure, People
IT Process Domains (the 3rd component): Plan and Organize, Acquire and Implement, Deliver and Support, Monitor and Evaluate
COBIT Process Model
► Subdivides IT into four domains
► 34 processes in line with the domains
► Responsibility areas of plan, build, run and monitor, providing an end-to-end view of IT
► Enterprise architecture concepts help identify the resources essential for process success
What Are the Main Changes?
COBIT Domains: IT Processes (3rd Component)
(Figure: the four domains form a cycle, Plan and Organize, Acquire and Implement, Deliver and Support, Monitor and Evaluate, with feedback arrows between the domains.)
COBIT Framework: Basic COBIT Principle
To provide the information that the enterprise requires to achieve its objectives, the enterprise needs to invest in, manage and control IT resources using a structured set of processes in order to provide the services that deliver the required enterprise information.
146 . importance of focusing on control objectives and their relationship to the business organization and its business processes. and value of managed processes and resources to attain data integrity.CobiT Framework Helps one understand the: relationship of controls to control objectives. security and availability.
CobiT is Business-focused
Business orientation is the main theme of COBIT. It is designed to be used by IT service providers, users and auditors, and also to provide comprehensive guidance for management and business process owners.
Business Orientation of COBIT
► Links business goals to IT goals
► Provides metrics and maturity models to measure their achievement
► Identifies the associated responsibilities of business and IT process owners
Business Goals
Financial Perspective:
► Expand market share
► Increase revenue
► Return on investment
► Optimize asset utilization
► Manage business risks
Customer Perspective:
► Improve customer orientation and service
► Offer competitive products and services
► Service availability
► Agility in responding to changing business requirements
► Cost optimization of service delivery
Internal Perspective:
► Automate and integrate the business value chain
► Improve and maintain business process functionality
► Lower process costs
► Compliance with external laws and regulations
► Transparency
► Compliance with internal policies
► Improve and maintain operational and staff productivity
Learning and Growth Perspective:
► Product and business innovation
► Obtain reliable and useful information for strategic decision making
► Acquire and maintain skilled and motivated personnel
IT Goals
1. Respond to business requirements in alignment with business strategy
2. Respond to governance requirements in line with board direction
3. Ensure the satisfaction of end users with service offerings and service levels
4. Optimize the use of information
5. Create IT agility
6. Define how business function and control requirements are translated in effective and efficient automated solutions
7. Acquire and maintain integrated and standardized application systems
8. Acquire and maintain an integrated and standardized infrastructure
9. Acquire and maintain IT skills that respond to the IT strategy
10. Ensure mutual satisfaction of third-party relationships
11. Seamlessly integrate applications and technology solutions into business processes
12. Ensure transparency and understanding of IT cost, benefits, strategy, policies and service levels
13. Ensure proper use and performance of the applications and technology solutions
14. Account for and protect all IT assets
15. Optimize the IT infrastructure, resources and capabilities
16. Reduce solution and service delivery defects and rework
17. Protect the achievement of IT objectives
18. Establish clarity of business impact of risks to IT objectives and resources
19. Ensure critical and confidential information is withheld from those who should not have access to it
20. Ensure automated business transactions and information exchanges can be trusted
21. Ensure IT services and infrastructure can properly resist and recover from failures due to error, deliberate attack or disaster
22. Ensure minimum business impact in the event of an IT service disruption or change
23. Make sure that IT services are available as required
24. Improve IT's cost-efficiency and its contribution to business profitability
25. Deliver projects on time and on budget meeting quality standards
26. Maintain the integrity of information and processing infrastructure
27. Ensure IT compliance with laws and regulations
28. Ensure that IT demonstrates cost-efficient service quality, continuous improvement and readiness for future change
Linking Business Goals to IT Goals
An example: the business goal of increasing revenue is linked to IT goals 25 and 28, which are:
• "Deliver projects on time and on budget meeting quality standards" and
• "Ensure that IT demonstrates cost-efficient service quality, continuous improvement and readiness for future change"
Linking IT Goals to IT Processes
An example: the IT goal of optimizing the use of information (IT goal 4) is linked to IT processes PO2 (Define the information architecture) and DS11 (Manage data).
The WATERFALL Navigation Aid: High-Level Control Objectives for Each Process
Each high-level control objective is stated as a "waterfall":
Control over the IT process of [process name]
that satisfies the business requirement for IT of [business requirement]
by focusing on [control statements]
is achieved by [control practices]
and is measured by [metrics, for example user satisfaction]
"RACI" Chart
► Identifies who is Responsible, Accountable, Consulted and/or Informed
► Addresses considerations for points of accountability
► Addresses issues of communication and desired input (who would be consulted)
► Rather than titles, think of positions in terms of roles
► Depending on the size of the organization or the IT function, several roles may be combined
Primary Inputs and Outputs
► CobiT identifies, for each process, the primary inputs and the processes they come from
► It also identifies the outputs of each process and the IT processes to which they are directed
Metrics
Performance measurement is essential for IT governance. It requires setting and monitoring measurable objectives of what the IT processes need to deliver (process outcome) and how they deliver it (process capability and performance).
Metrics
► Activity goals tell us how well the process is performing; measured by key performance indicators (KPIs)
► Process goals tell us what IT must deliver; measured by key goal indicators (KGIs)
► IT goals tell us what we expect from IT; measured by key goal indicators (KGIs)
Use of Maturity Models
► The assessment of process capability based on the COBIT maturity models is a key part of IT governance implementation.
► It enables gaps in capability to be identified and demonstrated to management, so that action plans can be developed.
Control Practices
(Figure: control practices link each control objective to its value drivers and risk drivers.)
Control Design
► Necessary and sufficient steps
► Roles and responsibilities
► Characteristics:
  - Generic and specific practices
  - Active and passive
  - Inputs, outputs, activities
IT Control Practices
► Provide guidance on risks to be avoided and value to be gained
► Provide detailed guidance on specific controls needed to address high-level and detailed control objectives
► Provide guidance on how, why and what to implement to improve IT performance
► Include key elements of value and risk statements and control practices
IT Control Practices
► Describe the different necessary and sufficient steps to achieve a control objective
► Action-oriented, enabling timely execution, and measurable
► Relevant to the purpose of the control objective
► Support clear roles and responsibilities, including segregation
Control Practices: Characteristics
► The benefits listed under 'why do it' are tangible and motivate the implementation of controls
► The set of control practices is complete (e.g. key controls) and implementation satisfies the control objective
► Control practices listed are generally accepted as good business practice
► Control practices suggest sustainable solutions
► The control practices are effective in addressing the risk linked to not achieving the detailed control objective
► The control practices suggest efficient solutions
► The wording of the control practices is concise while providing clear and unambiguous guidance on what is expected for implementation
► The control practices are realistic
IT Assurance Guide
► Need for IT Governance and Assurance
► The CobiT Framework
► IT Assurance Approaches
► How CobiT Supports IT Assurance Activities
IT Assurance Steps: Approach
Testing of a control approach covering four assurance objectives:
1. Existence
2. Design effectiveness
3. Operating effectiveness (implemented, consistent application and proper use)
4. Design and operating efficiency (cost/benefit and possible use of automation)
Providing three types of assurance guidance:
► Testing the suggested control design
► Testing control objective achievement
► Documenting the impact of control weaknesses
Tests are based on a documented taxonomy of relevant assurance methods:
► Enquire and confirm (via different sources)
► Inspect (walk-through, trace, compare, review)
► Observe (confirmation is inherent)
► Re-perform or re-calculate and analyse (often based on a sample)
► Automated evidence collection (sample, search, extract) and analyse
Using CobiT
CobiT provides the basis for IT Governance
(Figure: a governance cycle of provide direction, set objectives, IT activities, measure performance and compare.)
► IT governance objectives: IT is aligned with the business; IT enables the business and maximizes benefits; IT resources are used responsibly; IT-related risks are managed appropriately
► Provide direction and set objectives: CobiT links business goals to IT goals; CobiT processes and maturity models focus on IT capability
► IT activities: increase automation (make the business effective); decrease cost (make the enterprise efficient); manage risks (security, reliability and compliance)
► Measure performance and compare: CobiT KGIs and KPIs enable measurement; the CobiT framework provides a common understanding of IT's role
Using CobiT
From an organizational perspective, entities should use control models such as COSO and CobiT along with generally accepted control practices to build and exercise appropriate controls to help manage their entities.
Strong Basis for Policy Development
► Use CobiT as a basis to develop or strengthen policies and control practices
► Compare existing policies and standard procedures against CobiT
► Conduct high-level and detailed policy reviews
Using CobiT Matrices to Focus on:
► IT Functions
  o Their importance?
  o Level of performance?
  o Control documentation?
► Responsible Parties of IT
  o Performed by?
  o Contracted services?
  o Primary responsible party?
► Risk Assessment
  o Importance, level of risk, control documentation?
CobiT's Evaluation Focus
► What is most critical to the business?
► What are the CSFs?
► What are the risks and threats?
► How robust and appropriate does the internal control structure appear?
► What are management's concerns?
Risks to the Entity?
o Unaware of the risks
o Poor understanding of CSFs
o Absence of KPIs
o No "scorecard" or basis of measurement
o Absence of monitoring and evaluation
o Weak IT control environment
o Unknown loss of data or system integrity
COBIT Focuses on a Risk-Based Approach
o Focuses on the entity from a management perspective
o Emphasis on knowledge of the business and the technology
o Focus on assessing the effectiveness of a "combination" of controls
o Linkage between risk assessment and testing, focusing on control objectives
To Address Outsourced Services
o Determine whether desired processes are in place and establish accountability
o Agree on levels of control, measurement and evaluation
o Use CobiT to help design service contracts by identifying deliverables and responsibilities
o Use CobiT for ongoing monitoring and evaluation of providers and partners
Recap: CobiT Recognizes
o IT is an integral part of the organization
o IT governance is an integral part of corporate governance
o Focus on control objectives can strengthen the appropriateness and use of internal controls
o Measurement is crucial to internal control
o Monitoring and evaluation are integral to a system of internal control
Interrelationships of CobiT Components
COBIT Content Diagram
o CobiT and Val IT frameworks
o Control Objectives
o Key Management Practices
o IT Governance Implementation Guide, 2nd Edition
o CobiT Control Practices, 2nd Edition
o IT Assurance Guide
IT Risk Analysis: A Generally Accepted Framework
The framework is a cycle of eight steps:
1. Asset Identification and Valuation
2. Threat Assessment
3. Vulnerability Assessment
4. Risk Assessment: translate into business consequences and into financial risks
5. Countermeasures, with three approaches: (1) prevent and detect, (2) only prevent, (3) ignore
6. Control Evaluation
7. Residual Risk
8. Action Plan
The diagram also marks two alternative entry points into the cycle.
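As an added worked example (not part of the original deck), the eight steps above carried through in Python for two constructed assets facing the same threat. Every figure (asset values, annual threat rate, vulnerability, exposure factor, control costs and effectiveness, risk tolerance) is an assumed sample value, and the control names are hypothetical. The point it shows beyond the slide: the three countermeasure approaches are compared on control spend plus residual expected loss, so "prevent and detect" wins for the high-value database even though it costs the most in controls, while "ignore" is the right answer for the low-value wiki.

```python
"""IT risk analysis carried through the framework steps: asset valuation, threat and
vulnerability assessment, risk assessment in financial terms, countermeasure options,
control evaluation, residual risk and an action plan.  All figures below are constructed
sample data for illustration, not measurements from any real environment."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    """Step 1: asset identification and valuation (value in currency units)."""
    name: str
    value: float


@dataclass(frozen=True)
class Threat:
    """Steps 2-3: threat assessment (how often) and vulnerability assessment
    (how likely an attempt succeeds, how much of the asset is lost when it does)."""
    name: str
    annual_rate: float      # expected attempts per year
    vulnerability: float    # probability an attempt succeeds, 0..1
    exposure_factor: float  # fraction of asset value lost per successful attempt, 0..1


@dataclass(frozen=True)
class Countermeasure:
    """Step 5: a control with its annual cost and its effect on likelihood and/or impact."""
    name: str
    annual_cost: float
    prevent_reduction: float = 0.0  # fraction by which it reduces vulnerability
    detect_reduction: float = 0.0   # fraction by which detection/response reduces loss per event


def annual_loss_expectancy(asset, threat, controls=()):
    """Step 4: translate asset, threat and vulnerability into expected annual loss
    (the financial risk).  With controls applied this is the residual risk of step 7;
    with no controls it is the inherent risk."""
    vulnerability = threat.vulnerability
    exposure = threat.exposure_factor
    for control in controls:
        vulnerability *= 1.0 - control.prevent_reduction
        exposure *= 1.0 - control.detect_reduction
    single_loss_expectancy = asset.value * exposure
    return single_loss_expectancy * threat.annual_rate * vulnerability


def evaluate_approaches(asset, threat, prevent, detect):
    """Step 6: control evaluation for the three countermeasure approaches on the slide.
    Returns approach -> control_cost, residual_risk, total_cost."""
    approaches = {
        "prevent and detect": (prevent, detect),
        "only prevent": (prevent,),
        "ignore": (),
    }
    evaluation = {}
    for approach, controls in approaches.items():
        control_cost = sum(c.annual_cost for c in controls)
        residual = annual_loss_expectancy(asset, threat, controls)
        evaluation[approach] = {
            "control_cost": control_cost,
            "residual_risk": residual,
            "total_cost": control_cost + residual,
        }
    return evaluation


def action_plan(evaluation, risk_tolerance):
    """Step 8: choose the cheapest approach (control spend plus residual loss) whose
    residual risk is within tolerance.  If none qualifies, return the lowest-residual
    option flagged as not acceptable, so management must revisit the tolerance or
    find stronger controls rather than silently accept the risk."""
    acceptable = {a: r for a, r in evaluation.items() if r["residual_risk"] <= risk_tolerance}
    if acceptable:
        return min(acceptable, key=lambda a: acceptable[a]["total_cost"]), True
    return min(evaluation, key=lambda a: evaluation[a]["residual_risk"]), False


# Constructed sample data (assumed figures and hypothetical control names, not from the deck).
DATABASE = Asset("customer database", 2_000_000)
RANSOMWARE = Threat("ransomware", annual_rate=0.5, vulnerability=0.4, exposure_factor=0.6)
PREVENT = Countermeasure("patching and endpoint hardening", 80_000, prevent_reduction=0.75)
DETECT = Countermeasure("monitored offline backups", 40_000, detect_reduction=0.8)
WIKI = Asset("internal wiki", 50_000)
WIKI_RANSOMWARE = Threat("ransomware", annual_rate=2.0, vulnerability=0.3, exposure_factor=0.2)
RISK_TOLERANCE = 50_000  # assumed maximum expected annual loss management accepts per asset


def main():
    for asset, threat in ((DATABASE, RANSOMWARE), (WIKI, WIKI_RANSOMWARE)):
        print(f"{asset.name}: inherent risk {annual_loss_expectancy(asset, threat):,.0f}")
        evaluation = evaluate_approaches(asset, threat, PREVENT, DETECT)
        for approach, r in evaluation.items():
            print(f"  {approach:19} controls {r['control_cost']:>9,.0f}"
                  f"  residual {r['residual_risk']:>9,.0f}  total {r['total_cost']:>9,.0f}")
        choice, acceptable = action_plan(evaluation, RISK_TOLERANCE)
        print(f"  action plan: {choice} ({'within' if acceptable else 'exceeds'} tolerance)")


if __name__ == "__main__":
    main()
```

The arithmetic is the easy part; what the framework's steps exist for is producing defensible inputs (asset valuation agreed with the business owner, threat rates and vulnerability from evidence, control effectiveness from the assurance tests earlier in the deck). Note also the "exceeds tolerance" branch: when no approach brings residual risk within appetite, the output is a flag for management, not a quiet acceptance.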
Summary