SdS AIEA Roma, 15 December 2010
ISACA & ROSI
ISACA & ROSI?
• G41
• CobiT & ROSI
– Risk Drivers / Value Drivers
– Understanding what the Business wants?
– Managing the investment
• Val IT
Driving Value From Information Security: A Governance Perspective
Determining the ROSI of information security projects helps in crystallizing the intangible benefits and nonquantifiable considerations. This enables management to weigh all the factors in the right perspective and to arrive at informed decisions, rather than relying on instinct alone.
ISACA JOURNAL VOLUME 2, 2009
Costs/benefits of IT security projects largely depend on the human factor, cost and revenue drivers, business objectives, security metrics, and organizational characteristics, which can substantially influence end results. Refining ROSI estimates through learning experience and by comparing estimated and realized ROSI will improve this tool with each successive project, resulting in better calibration and more accurate estimates. Thus, ROSI, with a balanced scorecard focus, will become a tool of choice for the future, in the hands of decision makers.
IS Auditing Guideline: G41 Return on Security Investment (ROSI)
May 2010
1. BACKGROUND
2. ROSI
3. OBJECTIVES
3.1 Audit
4. CONSIDERATIONS
4.1 Audit
5. EFFECTIVE DATE
5.1 This guideline is effective for all information systems audits beginning on or after 1 May 2010.
1.1 Linkage to Standards
1.1.1 Standard S10 IT Governance states the IT audit and assurance professional should review:
• and assess whether the IT function aligns with the enterprise’s mission, vision, values, objectives and strategies
• whether the IT function has a clear statement about the performance expected by the business (effectiveness and efficiency) and assess its achievement
• and assess the effectiveness of IT resources and performance management processes
1.2 Linkage to COBIT
• 1.2.1 Selection of the most relevant material in COBIT applicable to the scope of the particular audit is based on the choice of specific COBIT IT processes and consideration of COBIT’s control objectives and associated management practices.
• …
• The process and control objectives to be selected and adapted may vary depending on the specific scope and terms of reference of the assignment.
1.3 Purpose of the Guideline
• 1.3.1 Enterprises are increasingly finding it challenging to make a case to invest in IT security. …
• 1.3.2 Enterprises cannot afford to ignore the value propositions of security metrics to effectively achieve appropriate ROSI. …
• 1.3.3 IT audit and assurance professionals must have a clear understanding of the value proposition for ROSI. …
1.5 Risk Management
1.5.1 There should be collaborative periodic risk assessment developed amongst those responsible for securing information assets and the responsible senior management, with the business owner(s) managing the information assets of the enterprise. …
1.5.2 There is an inherent risk that the subject matter may be highly complicated, coupled with security engineers/administrators who may not adequately understand all of the risks to the enterprise and the necessary mitigating control processes. …
1.5.3 There is inherent audit risk resulting from the auditor responsible for performing an independent assessment not adequately understanding and/or reviewing the necessary control processes commensurate with the level of risk. … Thus, management should be alerted that audit will not guarantee that the auditor will completely identify, test and conclude on the adequacy of all controls. Accordingly, additional oversight and independent assessment of the auditor’s evaluation may be warranted given the size, complexity and significance of the enterprise’s information assets.
4.1 Audit
4.1.1 There are various ROSI models and there is no one model that fits all enterprises.
4.1.2 Enterprises must have a well-defined process of data collection for security breaches and lapses.
4.1.3 Security investments are made after proper analyses of security requirements, risk assessments, product performance, vendor service level agreement and, most importantly, alignment of the security plan to the overall business objectives.
4.1.4 No security is complete without adequate insurance. The enterprise should be adequately protected by appropriate insurance.
4.1.5 Security must be considered as a business protector and enabler, not as an inhibitor.
4.1.6 Trust is the highest form of security.
• …
CobiT & ROSI
© 2009 ISACA. All rights reserved.
COBIT® Defines Processes, Goals and Metrics
Relationship Amongst Process, Goals and Metrics (DS5)
Business returns: Value Drivers & Risk Drivers
• 788 Risk Drivers
• 736 Value Drivers
• Associated with 980 control practices
(Figure axes: Returns, Investments)
Business impacts
CobiT - Extended Balanced Scorecard
Financial contribution
• Provide a good return on investment of IT-enabled business investments
• Manage IT-related business risk
• Improve corporate governance and transparency
Customer orientation
• Improve customer orientation and service
• Offer competitive products and services
• Establish service continuity and availability
• Create agility in responding to changing business requirements (time to market)
• Achieve cost optimisation of service delivery
• Obtain reliable and useful information for strategic decision making
Operational excellence
• Improve and maintain business process functionality
• Lower process cost
• Provide compliance with external laws, regulations and contracts
• Compliance with internal policies
• Manage business change
• Improve and maintain operational and staff productivity
Future orientation
• Manage product and business innovation
• Acquire and maintain skilled and motivated people
Vision and Strategy (centre of the scorecard)
• Is IT adequate?
• Where to intervene?
• What to do, and how?
… in other words: where do I start?
Where is Agility?
Let's ask COBIT!
Assessment of business objectives – Phase 1
Assessment of business objectives – Phase 2: assigning importance to IT processes
Importance of the domain / process
PO10 Manage projects
AI1 Identify automated solutions
DS1 Define and manage service levels
DS3 Manage performance and capacity
ME1 Monitor and evaluate IT performance
The complementarity between structural / organisational aspects and operational / instrumental aspects is clearly visible.
Business impacts
• They can also be used bottom-up:
– How to justify a project that automates Configuration Management and Software Distribution
ROSI: two further considerations
• ROSI to get started… and then?
• Evolution of the role of IT
• Val IT™
The Business Case Process Maturity
The Seven Principles of Val IT™
IT-enabled investments will:
1. Be managed as a portfolio of investments
2. Include the full scope of activities required to achieve business value
3. Be managed through their full economic life cycle
Value delivery practices will:
4. Recognise different categories of investments to be evaluated and managed differently
5. Define and monitor key metrics and respond quickly to any changes or deviations
6. Engage all stakeholders and assign appropriate accountability for delivery of capabilities and realisation of business benefits
7. Be continually monitored, evaluated and improved
A New Perspective
IT Investments
Investments in IT-enabled Change
Source: The Information Paradox