Sharpen the COBIT axe before chopping the IT Governance tree Cai Walters CISA, CISM, Network+, Security+ Conferencia Anual ISACA Monterrey 2017


Who is: Cai Walters


Professions over the last 30 years:
• Senior IT Auditor
• Policy writer of IT regulations for the country of Curaçao
• Project Manager/Consultant
• Head of System Development and Maintenance Department
• Programmer

Education:
• Business Administration and Computer Science
• CISA
• CISM
• Network+
• Security+
• ISO 20000, 22301, 27000, 31000, 38500
• COBIT, Prince2, ITIL, ISTQB Tester, DSDM

Speaks:
• Dutch
• English
• Papiamento
• German


Born and raised in Curaçao

Part of the Dutch Kingdom


Responsible father


Enjoys table tennis


Family in many places. Here are my primos y sobrinos from Mexico.


Loves standards and frameworks

There's nothing so practical as good theory

Kurt Lewin


Content

Sharpen the COBIT axe before chopping the IT Governance tree

Give guidance and practical tips on how to perform an IT Governance assessment using COBIT


How to start


Describing the problem: shine the light in the dense wood

Create a pathway to solve the problem(s)

Abraham Lincoln said, "If I had 6 hours to chop down a tree, I'd spend the first 4 sharpening the axe."


• Assessing the Governance of IT involves C-Level management. They:
  • Have little time
  • Are your superior / the ones paying the consultant bill
  • Might not like the outcome of the assessment rating
  • Want to see results as soon as possible
  • Would like to see silver bullet solutions

• It is a complex topic that involves all enablers:
  • Principles, Policies and Frameworks
  • Processes
  • Organizational structures
  • Culture, Ethics and Behavior
  • Information
  • Services, Infrastructure and Applications
  • People, Skills and Competencies


Performing a process assessment


You only get one chance to make a first impression


Assessment Project steps

1 Initiation
2 Planning the assessment
3 Briefing

For each process:
4 Data collection
5 Data validation
6 Process attributes rating

7 Assessment reporting


1. Confirm the assignment


IT Governance processes

IT Management processes


Begin with the end in mind

Step 1: Initiation: Purpose and Scope. Business drivers and assessment objectives map to COBIT processes through the goals cascade.

Steps 1, 7: Initiation: Setting target capability levels. Assessment reporting: The higher the target capability level and the wider the scope, the more work has to be done.

Steps 4, 5, 6: For each process:
• Data collection
• Data validation
• Process attributes rating


Roles and responsibilities


Create the work program


What should we use as a work program?

a) www.isaca.org / tab Knowledge & Insights / search on IS Audit/Assurance programs
   E.g. EDM02 Ensure Benefits Delivery Audit/Assurance Program

b) Process Assessment Model?

c) Something else?


Data collection


Collecting, validating, rating


Create the work program


Level 0 Incomplete process
Incomplete: The process is not implemented or fails to achieve its purpose.

Level 1 Performed process
• PA 1.1 Process performance attribute
Performed: The process is implemented and achieves its process purpose.

Level 2 Managed process
• PA 2.1 Performance management attribute
• PA 2.2 Work product management attribute
Managed: The process is managed and work products are established, controlled and maintained.

Level 3 Established process
• PA 3.1 Process definition attribute
• PA 3.2 Process deployment attribute
Established: A defined process is used based on a standard process.

Level 4 Predictable process
• PA 4.1 Process measurement attribute
• PA 4.2 Process control attribute
Predictable: The process is enacted consistently within defined limits.

Level 5 Optimizing process
• PA 5.1 Process innovation attribute
• PA 5.2 Process optimization attribute
Optimizing: The process is continuously improved to meet relevant current and projected business goals.


Assessment reporting


The results of the assessment are analysed and presented in a report.

The report also covers any key issues raised during the assessment such as:

• Observed areas of strength and weakness

• Findings of high risk, i.e., magnitude of gap between assessed capability and desired/required capability


Summary

Prior to chopping the IT Governance tree you need:
• Extensive IT knowledge
• Be up-to-date with new technologies
• Get educated in COBIT 5.0
  • Foundation;
  • Implementation; and
  • Assessment
• Good communication skills
• Tools to organize your work
• An effective work program


¡GRACIAS! Dank U wel

Masha danki Thank you

Vielen dank

www.isacamty.org.mx www.isaca.org
