ITG using COBIT
description
Transcript of ITG using COBIT
ITG using COBITSuccessful organisations require an appreciation for and a basic
understanding of the risks and constraints of IT at all levels within the enterprise in order to achieve effective direction and adequate
controls. COBIT provides such a control and security framework for IT.
[email protected] | [email protected]://blog.stikom.edu/erwin
BISNISTI&
Forces Driving IT Governance
Compliance
Security
Business/ITAlignment ROI
ProjectExecution
IT Governance Needs a Management Framework
Strategi
c
Alignment
Value Delivery
Risk
Mana
geme
nt
Resource Management
Performance
Measurement
IT IT GovernanceGovernance
DomainsDomains
Strategi
c
Alignment
Value Delivery
Risk
Mana
geme
nt
Resource Management
Performance
Measurement
IT IT GovernanceGovernance
DomainsDomains
Driving ForcesMap Onto theIT GovernanceDomains
COBIT 4.1—The IT Governance Framework
Internationally accepted good practicesManagement-orientedSupported by tools and trainingFreely available at www.itgi.orgSharing knowledge and leveraging expert volunteersContinually evolvingMaintained by reputable not- for-profit organisationMaps strongly to all major related standards
IT ProcessesIT ProcessesIT Management ProcessesIT Management ProcessesIT Governance ProcessesIT Governance Processes
CobiTCobiTbest practices repository for
IT ProcessesIT ProcessesIT Management ProcessesIT Management ProcessesIT Governance ProcessesIT Governance Processes
COBIT best practices repository for
The only IT management and control framework that covers
the end-to-end IT life cycle
COBIT 4.1—The IT Governance Framework
Is a reference, set of best practices, not an ‘off-the-shelf’ cureEnterprises still to need to analyse their control requirements and customise based on:
Value driversRisk profileIT infrastructure,
organisation and project portfolio
IT ProcessesIT ProcessesIT Management ProcessesIT Management ProcessesIT Governance ProcessesIT Governance Processes
CobiTCobiTbest practices repository for
IT ProcessesIT ProcessesIT Management ProcessesIT Management ProcessesIT Governance ProcessesIT Governance Processes
COBIT best practices repository for
The only IT management and control framework that covers
the end-to-end IT life cycle
Where COBIT Typically Sits
17799CMM
COSO
ITIL
Gove
rnan
ceLa
yer
IT Gove
rnan
ceLa
yer
IT Man
agem
ent
Laye
r
COBIT 27001
Concepts That Underpin COBIT
COBIT FRAMEWORK SPECIFICS• “Control” is defined as the policies, procedures,
practices and organisational structures designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented or detected and corrected.• “IT control objective” is defined as a statement of the
desired result or purpose to be achieved by implementing control procedures in a particular IT activity.
COBIT Cube: Processes, Resources and Information Criteria
Key Driving Forces for COBIT
Effectiveness Efficiency Confidentiality Integrity Availability Compliance Information reliability
Plan and Organise Aquire and Implement Deliver and Support Monitor and Evaluate
Data Application systems Technology Facilities People
IT ProcessesIT
ResourcesBusiness
Requirements
The resources made available to—and
built up by—IT
What the stakeholders expect
from IT
How IT is organised to respond to the requirements
How Does COBIT Link to ITG?
Goals ResponsibilitiesControlObjectives
Requirements
Business IT Governance
Information the business needs to achieve its objectives
Information executives and board need to exercise their responsibilities
Direction and
Resourcing
IT Governance
Process Orientation
Processes
A series of joined activities with natural control breaks
Activities or Tasks
Actions needed to achieve a measurable result—activities have a life cycle, whereas tasks are discrete
Domains
Natural grouping of processes, often matching an organisational domain of responsibility
Process OrientationIT Domains• Plan and
Organise• Acquire and
Implement• Deliver and
Support• Monitor and
Evaluate
IT Processes• IT strategy• Computer operations• Incident handling• Acceptance testing• Change management• Contingency planning• Problem management
Activities• Record new problem.• Analyse.• Propose solution.• Monitor solution.• Record known problem.• Etc. …
Natural grouping of processes, often matching an organisational domain of responsibility
A series of joined activities with natural (control) breaks Actions needed to achieve a
measurable result—activities have a life cycle, whereas tasks are discrete
Process Orientation Plan and Organise • Description
• This domain covers strategy and tactics, and concerns the identification of the way IT can best contribute to the achievement of the business objectives. The realisation of the strategic vision needs to be planned, communicated and managed for different perspectives. Proper organisation and technological infrastructure must be put in place.
• Topics• Strategy and tactics• Vision planned• Organisation and infrastructure
• Questions• Are IT and the business strategy aligned?• Is the enterprise achieving optimum use of its resources?• Does everyone in the organisation understand the IT objectives?• Are IT risks understood and being managed?• Is the quality of IT systems appropriate for business needs?
Dom
ains
Waterfall Model
The control of
that satisfy
is enabled by
considering
4 Domains - 34 Processes - 210 Control Objectives
IT ProcessesBusinessRequirements
Control Statements
ControlPractices
Cobit 4.1
COBIT Processes
Plan andOrganise
Acquire andImplement
PO1 Define an IT strategic plan.PO2 Define the information architecture.PO3 Determine technological direction.PO4 Define the IT processes, organisation and relationships.PO5 Manage the IT investment.PO6 Communicate management aims and direction.PO7 Manage IT human resources.PO8 Manage quality.PO9 Assess and manage IT risks.PO10 Manage projects.
AI1 Identify automated solutions.AI2 Acquire and maintain application software.AI3 Acquire and maintain technology infrastructure.AI4 Enable operation and use.AI5 Procure IT resources.AI6 Manage changes.AI7 Install and accredit solutions and changes.
COBIT Processes
Deliver andSupport
Monitor andEvaluate
ME1 Monitor and evaluate IT performance.ME2 Monitor and evaluate internal control.ME3 Ensure compliance with external requirements.ME4 Provide IT governance.
DS1 Define and manage service levels.DS2 Manage third-party services.DS3 Manage performance and capacity.DS4 Ensure continuous service.DS5 Ensure systems security.DS6 Identify and allocate costs.DS7 Educate and train users.DS8 Manage service desk and incidents.DS9 Manage the configuration.DS10 Manage problems.DS11 Manage data.DS12 Manage the physical environment.DS13 Manage operations.
COBIT 5
COBIT 5
ITG Framework• Cobit• IT control objectives
• ITIL• IT infrastructure, service and operation management
• ISO 27001• Information security management
• PMBoK• Program and project management