SdS AIEA Roma 15 dicembre 2010 ISACA & ROSI

ISACA & ROSI - AIEA · Thus, ROSI, with a balanced scorecard focus, will become a tool of choice for the future, in the hands of decision makers. SdS AIEA Roma 15 dicembre 2010


Page 1

ISACA & ROSI

Page 2

ISACA & ROSI ?

• G41

• CobiT & ROSI – Risk Drivers / Value Drivers

– Understanding what the Business wants?

– Managing the investment

• Val IT

Page 3

Driving Value From Information Security: A Governance Perspective

Determining the ROSI of information security projects helps in crystallizing the intangible benefits and nonquantifiable considerations. This enables management to weigh all the factors in the right perspective and to arrive at informed decisions, rather than relying on instinct alone.

ISACA JOURNAL VOLUME 2, 2009

Costs/benefits of IT security projects largely depend on the human factor, cost and revenue drivers, business objectives, security metrics, and organizational characteristics, which can substantially influence end results. Refining ROSI estimates through learning experience and by comparing estimated and realized ROSI will improve this tool with each successive project, resulting in better calibration and more accurate estimates. Thus, ROSI, with a balanced scorecard focus, will become a tool of choice for the future, in the hands of decision makers.

Page 4

Page 5

IS Auditing Guideline: G41 Return on Security Investment (ROSI)

May 2010

1. BACKGROUND

2. ROSI

3. OBJECTIVES

3.1 Audit

4. CONSIDERATIONS

4.1 Audit

5. EFFECTIVE DATE

5.1 This guideline is effective for all information systems audits beginning on or after 1 May 2010.

Page 6

1.1 Linkage to Standards

1.1.1 Standard S10 IT Governance states the IT audit and assurance professional should review:

• and assess whether the IT function aligns with the enterprise’s mission, vision, values, objectives and strategies

• whether the IT function has a clear statement about the performance expected by the business (effectiveness and efficiency) and assess its achievement

• and assess the effectiveness of IT resources and performance management processes

Page 7

1.2 Linkage to COBIT

• 1.2.1 Selection of the most relevant material in COBIT applicable to the scope of the particular audit is based on the choice of specific COBIT IT processes and consideration of COBIT’s control objectives and associated management practices.

• …

• The process and control objectives to be selected and adapted may vary depending on the specific scope and terms of reference of the assignment.

Page 8

1.3 Purpose of the Guideline

• 1.3.1 Enterprises are increasingly finding it challenging to make a case to invest in IT security. …

• 1.3.2 Enterprises cannot afford to ignore the value propositions of security metrics to effectively achieve appropriate ROSI. …

• 1.3.3 IT audit and assurance professionals must have a clear understanding of the value proposition for ROSI. …

Page 9

1.5 Risk Management

1.5.1 There should be collaborative periodic risk assessment developed amongst those responsible for securing information assets and the responsible senior management, with the business owner(s) managing the information assets of the enterprise. …

1.5.2 There is an inherent risk that the subject matter may be highly complicated, coupled with security engineers/administrators who may not adequately understand all of the risks to the enterprise and the necessary mitigating control processes. …

1.5.3 There is inherent audit risk resulting from the auditor responsible for performing an independent assessment not adequately understanding and/or reviewing the necessary control processes commensurate with the level of risk. … Thus, management should be alerted that audit will not guarantee that the auditor will completely identify, test and conclude on the adequacy of all controls. Accordingly, additional oversight and independent assessment of the auditor’s evaluation may be warranted given the size, complexity and significance of the enterprise’s information assets.

Page 10

4.1 Audit

4.1.1 There are various ROSI models and there is no one model that fits all enterprises.

4.1.2 Enterprises must have a well-defined process of data collection for security breaches and lapses.

4.1.3 Security investments are made after proper analyses of security requirements, risk assessments, product performance, vendor service level agreement and, most importantly, alignment of the security plan to the overall business objectives.

4.1.4 No security is complete without adequate insurance. The enterprise should be adequately protected by appropriate insurance.

4.1.5 Security must be considered as a business protector and enabler, not as an inhibitor.

4.1.6 Trust is the highest form of security.

• …

Page 11

CobiT & ROSI

Page 12

© 2009 ISACA. All rights reserved.

COBIT® Defines Processes, Goals and Metrics

Relationship Amongst Process, Goals and Metrics (DS5)

Page 13

Returns in Business terms: Value Drivers & Risk Drivers

• 788 Risk Drivers

• 736 Value Drivers

• Associated with 980 Control practices

Returns

Investments

Page 14

Page 15

Impacts in business terms

Page 16

CobiT - Extended Balanced Scorecards (Vision and Strategy at the centre)

Financial contribution

• Provide a good return on investment of IT-enabled business investments

• Manage IT-related business risk

• Improve corporate governance and transparency

Operational excellence

• Manage business change

• Improve and maintain business process functionality

• Lower process cost

• Provide compliance with external laws, regulations and contracts

• Compliance with internal policies

• Improve and maintain operational and staff productivity

Customer orientation

• Improve customer orientation and service

• Offer competitive products and services

• Establish service continuity and availability

• Create agility in responding to changing business requirements (time to market)

• Achieve cost optimisation of service delivery

• Obtain reliable and useful information for strategic decision making

Future orientation

• Manage product and business innovation

• Acquire and maintain skilled and motivated people

Questions overlaid on the scorecard:

• Is IT adequate?

• Where to intervene?

• What to do, and how?

Page 17

… in other words: where do I start?

Where is Agility?

Page 18

Where is Agility?

Let’s try asking COBIT!

Page 19

Assessment of business objectives – Phase 1

Page 20

Assessment of business objectives – Phase 2: Assigning importance to IT Processes

Page 21

Importance of the domain / process

PO10 Manage projects

AI1 Identify automated solutions

DS1 Define and manage service levels

DS3 Manage performance and capacity

ME1 Monitor and evaluate IT performance

Complementarities between structural/organisational aspects and operational/instrumental aspects are clearly visible.

Page 22

Impacts in business terms

• They can also be used bottom-up:

– How to justify a project that automates Configuration Management and Software Distribution

Page 23

ROSI: two further considerations

• ROSI to get started . . . and then?

• Evolution of the role of IT

• Val IT™

Page 24

Page 25

The Business Case Process Maturity

Page 26

© 2009 ISACA. All rights reserved.

The Seven Principles of Val IT™

IT-enabled investments will:

1. Be managed as a portfolio of investments

2. Include the full scope of activities required to achieve business value

3. Be managed through their full economic life cycle

Value delivery practices will:

4. Recognise different categories of investments to be evaluated and managed differently

5. Define and monitor key metrics and respond quickly to any changes or deviations

6. Engage all stakeholders and assign appropriate accountability for delivery of capabilities and realisation of business benefits

7. Be continually monitored, evaluated and improved

Page 27

A New Perspective

IT Investments

Investments in IT-enabled Change

Source: The Information Paradox