Upload
chaim-seaberg
View
219
Download
1
Tags:
Embed Size (px)
Citation preview
COBIT Introductory Workshop
Excerpts from University of Calgary IT Session
entitled
“Introduction to COBIT, its Role in IT
Governance and How to Apply it
In UCIT”From June 5, 2009
Workshop Agenda
• General Overview and Background of COBIT
• Rationale for Using COBIT at the UofC
• COBIT Foundations
• COBIT vs. Other Frameworks
• Practical Application of COBIT at the UofC
This excerpt covers the 1st two points
COBIT Introductory Workshop Page 1
General Overview and
Background of COBIT
COBIT Introductory Workshop Page 2
First:
A Little Bit on Governance
COBIT Introductory Workshop Page 3
Enterprise governance is a set of responsibilities and practices exercised by the board and executive management with the goals of:
•Providing strategic direction
•Ensuring that defined objectives are achieved
•Ensuring that risks are managed appropriately
•Applying enterprise’s resources responsibly
•Effective and efficient
Enterprise Governance
©2007 IT Governance Institute
COBIT Introductory Workshop Page 5
Organisations require a structured approach for managing these and other challenges.
This will ensure that there are agreed objectives for IT, good management controls in place and effective monitoring of performance to keep on track and avoid unexpected outcomes.
Keeping IT Running
Security
Value/Cost
Managing Complexity
AligningIT with
Business
Regulatory Compliance
Organizational Challenges Relating to IT
COBIT Introductory Workshop Page 6
What is IT Governance?
Ensuring IT is aligned to and leveraged to help address enterprise needs
• Decision making that leads to better alignment of IT and the business
• IT delivering more business value
• IT resources are used responsibly
• IT risks are managed appropriately
COBIT Introductory Workshop Page 7
Enterprise governance is about:
Conformance• Adhering to legislation, internal policies, audit requirements, etc.
Performance• Improving profitability, efficiency, effectiveness, growth, etc.
Governance is About Balance
Both Enterprise governance and IT governance require a balance between conformance and performance goals directed by the board.
Performance
Conformance
©2007 IT Governance Institute
COBIT Introductory Workshop Page 8
IT governance is:
• The responsibility of the board of directors and executive management
• An integral part of enterprise governance, consisting of the leadership, organizational structures and processes that ensure that the enterprise’s IT sustains and extends the organization’s strategies and objectives
IT Governance, as Defined by IT Governance Institute (ITGI)
PE
RF
OR
MA
NC
E
ME
AS
UR
EM
EN
T
RESOURCEMANAGEMENT
RIS
KM
AN
AG
EM
EN
T
VALUEDELIVERY
STRATEGIC
ALIGNMENT
www.itgi.orgwww.itgi.org
COBIT Introductory Workshop Page 9
IT Governance Domains
Value delivery
Focuses on ensuring the linkage of business and IT plans and on aligning IT operations with enterprise operations
IT delivers the promised benefits against the strategy, concentrating on optimizing costs and proving the intrinsic value of IT
Is about the optimal investment in, and the proper management of, critical IT resources: applications, information, infrastructure and people
Senior management’s appetite for risk, compliance requirements, transparency about the significant risks to the organisation
Tracks and monitors strategy implementation, project completion, resource usage, process performance and service delivery to achieve goals measurable beyond conventional accounting
Performance measurement
Risk management
Resource management
Strategic alignment
©2007 IT Governance Institute
COBIT Introductory Workshop Page 10
©2007 IT Governance Institute
IT Governance Stakeholders
Business management
Set direction for IT, monitor key results and insist on corrective measures
Defines business requirements for IT and ensures that value is delivered and risks are managed
Delivers and improves IT services as required by the business
Provides independent assurance to demonstrate that IT delivers what is needed
Measures compliance with related policies and focuses on identification/mitigation of new risks
Risk and compliance
IT audit
IT management
Board and executive
COBIT Introductory Workshop Page 11
► COBIT is a controls framework that supports IT Governance
► COBIT stands for Control Objectives for Information and Related Technology.
► It was created by ISACA (Information Systems Audit and Control Association) in 1996
► Initially created to define control objectives for business applications
► It has evolved in Version 4.1 into a governance framework
► Now owned by the IT Governance Institute (ITGI)
► The COBIT framework was created with the main characteristics:
Business-focused
Process-oriented
Controls-based
Measurement-driven
So what is COBIT?
COBIT Introductory Workshop Page 13
► Is freely downloadable
► Has internationally accepted good practices
► Is management-oriented
► Is supported by tools and training
► Allows the knowledge of expert volunteers to be shared and leveraged
► Continually evolves and is maintained by a reputable not-for-profit organisation
► Maps strongly to all major, related standards and audit practices
However:
► Is a reference, not an ‘off-the-shelf’ cure
► Enterprises still need to analyse control requirements and customise COBIT based on their:
► Value drivers
► Risk profile
► IT infrastructure, organisation and project portfolio
Key Characteristics of COBIT
COBIT Introductory Workshop Page 14
History of COBIT
Governance
COBIT 4
2005
COBIT 3
Management
2000
COBIT 2
Control
1998
COBIT 1
Audit
1996
Evo
lutio
n
COBIT Introductory Workshop Page 15
An organisation depends on reliable and timely data and information. COBIT components provide a comprehensive framework for delivering value while managing risk and control over data and information.
Business Strategy
Information Criteria
IT Resources
IT Processes
Links to Business Strategy
COBIT Introductory Workshop Page 16
COBIT FrameworkThe “COBIT Cube”
Information Criteria
IT ResourcesIT Processes
COBIT Introductory Workshop Page 17
► The COBIT framework is based on the premise that IT needs to deliver the information that an enterprise requires to achieve its objectives.
i
IT Resources and Processes
Information
Business Processes
Business Objectives
provide
to
for achieving
► The COBIT framework helps align IT with the business by focusing on business information requirements and organising IT resources. COBIT provides the framework and guidance to implement IT governance.
Basic Concepts
COBIT Introductory Workshop Page 18
COBIT:
It provides tools that both support effectiveness and enable audit
Starts from business requirements
Is process-oriented, organising IT activities into a generally accepted process model
Identifies the major IT resources to be leveraged
Defines the management control objectives to be considered
Maps all the way to measurements – performance, audit, maturity
Incorporates major standards and has become the de facto standard for overall control of IT
COBIT helps bridge the gaps between business risks, control needs and technical issues. It provides good practices across a domain and process framework and presents activities in a manageable and logical structure.
IT resources need to be managed by a set of naturally grouped processes. COBIT provides a framework that achieves this objective.
What Does it do?
COBIT Introductory Workshop Page 19
Organisations will consider and use a variety of IT models, standards and best practices. These must be understood in order to consider how they can be used together, with COBIT acting as the consolidator (‘umbrella’).
COBIT
ISO 9000
ISO 27001/002
ITIL
COSO
WHATHOW
SCOPE OF COVERAGE
COBIT vs Other Frameworks
COSO – Committee of Sponsoring Agencies of the Treadway Commission – Internal Control Integrated Framework – focused on business controlsISO 27001/002 – Information Security PolicyISO 9000 – Family of standards for Quality Management
COBIT Introductory Workshop Page 20
Others
PERFORMANCE: Business Goals
CONFORMANCEBasel II, Sarbanes-
Oxley Act, etc.
Enterprise Governance
IT Governance
ISO 9001:2000
ISO 27001/002
ISO 20000Best Practice Standards
Lean Six Sigma
Processes and Procedures
Drivers
COBIT
COSO
Security Principles
ITSM
Balanced Scorecard
ITDDM
PMBOK
TOGAF, others
Others
Another View
COBIT Introductory Workshop Page 21
ITDDM stands for IT Definition and Delivery Method – used at the UofC as a standard methodology for project initiatives
Rationale for Using
COBIT at the UofC
COBIT Introductory Workshop Page 22
How do most research universities govern the large and rapidly evolving set of information technology initiatives that take place on their campuses?
ANSWER: Inefficiently, ineffectively and not as well as they should.
~ Source: Educause – IT Governance in Higher Education 2006 ~
We’re Not Alone
COBIT Introductory Workshop Page 23
Some of the advantages of adopting COBIT are:
► COBIT is aligned with and can be used with other standards and good practices
► COBIT’s framework and supporting best practices provide a well-managed and flexible IT environment in an organisation.
► COBIT provides a control environment that is responsive to business needs and serves management and audit functions in terms of their control responsibilities.
► COBIT provides tools to help manage and measure IT activities.
► COBIT is used by the Provincial Auditors in their annual audit review
► COBIT has been selected by Alberta Advanced Education & Technology as a target control framework for Post Secondary Institutions
► Target maturity level defined as 3 within 3 years
Why COBIT?
COBIT Introductory Workshop Page 24
COBIT brings the following
advantages to an IT governance
implementation effort:
Enables mapping of IT goals to business goals and vice versa
Better alignment, based on a business focus A view of what IT does that is understandable to
management Clear ownership and responsibilities based on
process orientation General acceptability with third parties and
regulators Shared understanding amongst all stakeholders,
based on a common language Fulfilment of the COSO requirements for the IT
control environment
Performance
Conformance
How it Supports IT Governance?
COBIT Introductory Workshop Page 25
► COBIT focuses on improving IT governance in organisations.
► COBIT provides a framework to manage and control IT activities and supports five requirements for a control framework.
Exploring the Key Benefits
Has general acceptability amongst organisations
Helps meet regulatory requirements
Control Framework
Defines a common language
Ensures process orientation
Provides sharper business focus
COBIT Introductory Workshop Page 26
► COBIT achieves sharper business focus by aligning IT with business objectives.
► The measurement of IT performance should focus on IT’s contribution to enabling and extending the business strategy.
► COBIT, supported by appropriate business-focused metrics, can ensure that the primary focus is value delivery and not technical excellence as an end in itself.
Has general acceptability amongst organisations
Defines a common language
Ensures process orientation
Helps meet regulatory requirements
Control Framework
Sharper Business Focus
Provides sharper business focus
COBIT Introductory Workshop Page 27
► When organisations implement COBIT, their focus is more process-oriented.
► Incidents and problems no longer divert attention from processes.
► Exceptions can be clearly defined as part of standard processes.
► With process ownership defined, assigned and accepted, the organisation is better able to maintain control through periods of rapid change or organisational crisis. Has general
acceptability amongst organisations
Defines a common language
Helps meet regulatory requirements
Ensures process orientation
Control Framework
Process Orientation
Provides sharper business focus
COBIT Introductory Workshop Page 28
► COBIT is a proven and globally accepted standard for increasing the contribution of IT to organisational success.
► Coming soon to a campus near us
► The framework continues to improve and develop to keep pace with good practices.
► IT professionals from all over the world contribute their ideas and time to regular review meetings.
Has general acceptability amongst organisations
Defines a common language
Helps meet regulatory requirements
Provides sharper business
Ensures process orientation
Control Framework
focus
General Acceptability
COBIT Introductory Workshop Page 29
► Recent corporate scandals have increased regulatory pressures on boards of directors to report their status and ensure that internal controls are appropriate. This pressure covers IT controls as well.
► Organisations constantly need to improve IT performance and demonstrate adequate controls over their IT activities.
► Many IT managers, advisors and auditors are turning to COBIT as the de facto response to regulatory IT requirements. Has general
acceptability amongst organisations
Defines a common language
Provides sharper business
Ensures process orientation
Helps meet regulatory requirements
Control Framework
focus
Regulatory Requirements
COBIT Introductory Workshop Page 30
► In the Auditor General's April 2008 public report, he recommended:
"...that the Department of Advanced Education and Technology give guidance to public post-secondary Institutions on using an IT control framework to develop control processes that are well-designed, efficient, and effective"
► The following excerpt was taken from the OAG’s audit plan for AET:
8.3 IT Controls framework for post-secondary institutionsWe understand the Department is working, through the Alberta Associations of
Higher Education Information Technology, with Institutions to develop an IT Control Framework for Institutions. We support this initiative and will work with the Department to determine the progress made. This will also allow us to determine the extent and timing of work to perform at individual Institutions.
► Working with PSIs, the Provincial PSI ITM Control Framework will provide a holistic functional perspective built on guidance and requirements of:
• CoBIT 4.1 as published by the IT Governance Institute (Level 3 maturity targeted)• General Computer Controls Review (GCCR) as published by the OAG• Legislation / Regulation (FOIP, etc.)• Other International Standards (ITIL, ISO27002, etc.)• Specific institutional needs and interdependencies• Existing principles and governance
Regulatory Requirements (cont.)
COBIT Introductory Workshop Page 31
► A framework helps get everybody on the same page by defining critical terms and providing a glossary.
► Co-ordination within and across project teams and organisations can play a key role in the success of any project.
► Common language helps build confidence and trust.
Has general acceptability amongst organisations
Provides sharper business
Ensures process orientation
Defines a common language
Helps meet regulatory requirements
Control Framework
focus
Common Language
COBIT Introductory Workshop Page 32
References/Sources
IT Governance Institute - http://www.itgi.org/
ISACA - http://www.isaca.org/
COBIT Introductory Workshop Page 3