Sharpen the COBIT axe before chopping the IT Governance tree
Cai Walters CISA, CISM, Network+, Security+
Conferencia Anual ISACA Monterrey 2017
Who is: Cai Walters
Professions over the last 30 years
• Senior IT Auditor
• Policy writer of IT regulations for the country of Curaçao
• Project Manager/Consultant
• Head of System Development and Maintenance Department
• Programmer
Education:
• Business Administration and Computer Science
• CISA
• CISM
• Network+
• Security+
• ISO 20000, 22301, 27000, 31000, 38500
• COBIT, PRINCE2, ITIL, ISTQB Tester, DSDM
Speaks:
• Dutch
• English
• Papiamento
• German
Born and raised in Curaçao
Part of the Dutch Kingdom
Family in many places. Here are my primos y sobrinos from Mexico.
Loves standards and frameworks
"There's nothing so practical as a good theory." (Kurt Lewin)
Content
Sharpen the COBIT axe before chopping the IT Governance tree
Give guidance and practical tips on how to perform an IT Governance assessment using COBIT.
How to start
Describing the problem: shine a light into the dense wood.
Create a pathway to solve the problem(s).
Abraham Lincoln said, "if I had 6 hours to chop down a tree, I'd spend the first 4 sharpening the axe."
How to start
• Assessing the governance of IT involves C-level management, who:
  • Have little time
  • Are your superiors / the ones paying the consultant bill
  • Might not like the outcome of the assessment rating
  • Want to see results as soon as possible
  • Would like to see silver-bullet solutions
• It is a complex topic, involving all enablers:
  • Principles, Policies and Frameworks
  • Processes
  • Organizational Structures
  • Culture, Ethics and Behavior
  • Information
  • Services, Infrastructure and Applications
  • People, Skills and Competencies
Performing a process assessment
You only get one chance to make a first impression.
Assessment Project steps
1. Initiation
2. Planning the assessment
3. Briefing
For each process:
4. Data collection
5. Data validation
6. Process attributes rating
7. Assessment reporting
1. Confirm the assignment
IT Governance processes
IT Management processes
Begin with the end in mind
Initiation (step 1): purpose and scope. Business drivers and assessment objectives map to COBIT processes through the goals cascade.
Initiation (step 1) and assessment reporting (step 7): setting target capability levels. The higher the target capability level and the wider the scope, the more work has to be done.
For each process (steps 4, 5, 6):
• Data collection
• Data validation
• Process attributes rating
Create the work program
What should we use as a work program?
a) www.isaca.org / tab Knowledge & Insights / search on IS Audit/Assurance programs, e.g. EDM02 Ensure Benefits Delivery Audit/Assurance Program
b) Process Assessment Model?
c) Something else?
Create the work program
Process capability levels and process attributes (PAs):

Level 0 - Incomplete process
  The process is not implemented or fails to achieve its purpose.
Level 1 - Performed process
  PA 1.1 Process performance attribute
  The process is implemented and achieves its process purpose.
Level 2 - Managed process
  PA 2.1 Performance management attribute
  PA 2.2 Work product management attribute
  The process is managed and work products are established, controlled and maintained.
Level 3 - Established process
  PA 3.1 Process definition attribute
  PA 3.2 Process deployment attribute
  A defined process is used based on a standard process.
Level 4 - Predictable process
  PA 4.1 Process measurement attribute
  PA 4.2 Process control attribute
  The process is enacted consistently within defined limits.
Level 5 - Optimizing process
  PA 5.1 Process innovation attribute
  PA 5.2 Process optimization attribute
  The process is continuously improved to meet relevant current and projected business goals.
Assessment reporting
The results of the assessment are analysed and presented in a report.
The report also covers any key issues raised during the assessment such as:
• Observed areas of strength and weakness
• Findings of high risk, i.e., magnitude of gap between assessed capability and desired/required capability
Summary
Prior to chopping the IT Governance tree you need:
• Extensive IT knowledge
• To be up to date with new technologies
• To get educated in COBIT 5.0:
  • Foundation;
  • Implementation; and
  • Assessment
• Good communication skills
• Tools to organize your work
• An effective work program
¡GRACIAS! Dank U wel
Masha danki Thank you
Vielen dank
www.isacamty.org.mx www.isaca.org