Using COBIT PO9 to perform Project Risk Analysis

IT Governance with COBIT and Risk Management by Michael Curry

Page 1: Using COBIT PO9 to perform Project Risk Analysis

IT Governance with COBIT and Risk Management

by Michael Curry

Page 2

Outline

• Review: need for IT Controls & COBIT
• The COBIT Framework
• How COBIT is Used
• Making a Case for BIS Acquisition
• Calculating ROI (CBRA)
  – Cost
  – Benefit
  – Risk
  – Analysis and Recommendations

Page 3

Review: The Need for IT Controls

• Organizations heavily depend on IT systems
  – They are complex and difficult to manage
  – Increasing disconnects between business goals and IT (cost, reliability, security, accuracy, availability, performance, complexity, etc.)

• Controls are needed to better connect IT with business goals and objectives

• COBIT is one such framework that is unique because:
  – It is suggestive, not prescriptive
  – Takes into account different points of view (Management, IT teams and Auditors)

Page 4

Digging Deeper: How COBIT works

• Business goals should be closely linked to IT goals

• This link is complex, involving:
  – Applications
  – Information
  – Infrastructure
  – People
  – And IT Process

Page 5

Digging Deeper: How COBIT works

COBIT separates business and IT processes down into 4 distinct areas:

• IT: Implements the requirements AND provides control indicators of service quality

• Business: Defines requirements & uses IT services

And assigns responsibility for those processes

Page 6

How to Approach an Issue Using COBIT

1. Start by looking over the 34 Processes to see if one seems like a logical fit for the issue

2. Review Description and Control Objectives to validate this is the right Process for the issue

3. Consult the inputs/outputs to see what other processes are related to this issue

4. Review the RACI chart to begin organizing team members around resolution activities

5. Consult the Goals & Objectives and Maturity Model to identify current capability and steps needed to reach desired level

Page 7

• PO9.3 Event Identification
  – Identify threats with potential negative impact on the enterprise, including business, regulatory, legal, technology, trading partner, human resources and operational aspects

• PO9.4 Risk Assessment
  – Assess the likelihood and impact of risks, using qualitative and quantitative methods

• PO9.5 Risk Response
  – Develop a response designed to mitigate exposure to each risk
  – Identify risk strategies such as avoidance, reduction, acceptance
  – Determine associated responsibilities, and consider risk tolerance levels
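The three control objectives above describe a sequence: identify events (PO9.3), assess their likelihood and impact both qualitatively and quantitatively (PO9.4), then pick a response against a tolerance level (PO9.5). The following Python example is added here to show that sequence carried out on a small risk register; it is not part of the slides or of COBIT itself. The register entries, the 1..5 scales, the expected-loss figures, the mitigation factors and the tolerance value are all constructed for illustration, and the rule that maps exposure to acceptance, reduction or avoidance is an assumption of this example, not a COBIT rule.

```python
"""Worked PO9.3 -> PO9.4 -> PO9.5 pass over a constructed risk register.

Added example; nothing here is from the slides or from COBIT. All figures
and thresholds are constructed assumptions for illustration.
"""
from dataclasses import dataclass

# PO9.3: every identified event is tagged with the source categories from the
# "Sources of Risk" slide, ordered as a causal chain (e.g. external -> systems).
SOURCES = {"processes", "people", "systems", "external"}


@dataclass
class Risk:
    name: str
    chain: list                # source categories in causal order
    likelihood: int            # qualitative: 1 (rare) .. 5 (almost certain)
    impact: int                # qualitative: 1 (negligible) .. 5 (severe)
    annual_frequency: float    # quantitative: expected events per year (assumed)
    loss_per_event: float      # quantitative: expected loss per event (assumed)
    mitigation_factor: float   # assumed share of exposure the best control removes

    def __post_init__(self):
        unknown = set(self.chain) - SOURCES
        if unknown:
            raise ValueError(f"unknown source category: {sorted(unknown)}")
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError("likelihood and impact must be on the 1..5 scale")
        if not 0.0 <= self.mitigation_factor < 1.0:
            raise ValueError("mitigation_factor must be in [0, 1)")


def qualitative_score(r: Risk) -> int:
    """PO9.4, qualitative: likelihood x impact on a 5x5 matrix (1..25)."""
    return r.likelihood * r.impact


def quantitative_exposure(r: Risk) -> float:
    """PO9.4, quantitative: expected annual loss = frequency x loss per event."""
    return r.annual_frequency * r.loss_per_event


def residual_exposure(r: Risk) -> float:
    """Expected annual loss left after the best available control is applied."""
    return quantitative_exposure(r) * (1.0 - r.mitigation_factor)


def choose_response(r: Risk, tolerance: float) -> str:
    """PO9.5: compare exposure with the tolerance level and pick a strategy.

    Assumed rule for this example:
      - inherent exposure within tolerance          -> acceptance
      - a control brings residual within tolerance  -> reduction
      - no control gets within tolerance            -> avoidance
    """
    if quantitative_exposure(r) <= tolerance:
        return "acceptance"
    if residual_exposure(r) <= tolerance:
        return "reduction"
    return "avoidance"


def kri_breached(r: Risk, observed_events: int) -> bool:
    """Simple key risk indicator: more events observed this year than the
    assessment assumed means the likelihood figure needs revisiting (PO9.6)."""
    return observed_events > r.annual_frequency


def assess(register, tolerance: float):
    """Return one row per risk, highest qualitative score first."""
    rows = []
    for r in sorted(register, key=qualitative_score, reverse=True):
        rows.append({
            "risk": r.name,
            "chain": " -> ".join(r.chain),
            "score": qualitative_score(r),
            "expected_annual_loss": round(quantitative_exposure(r), 2),
            "response": choose_response(r, tolerance),
        })
    return rows


# Constructed register; the first two entries reuse the scenarios from the
# "Sources of Risk" slide, the other two are invented for the example.
REGISTER = [
    Risk("Program defect miscalculates prices", ["systems", "processes"], 3, 3, 2.0, 15000.0, 0.8),
    Risk("Fire destroys the IT system", ["external", "systems", "processes"], 1, 5, 0.05, 2000000.0, 0.95),
    Risk("Keying error in order entry", ["people", "processes"], 4, 1, 12.0, 500.0, 0.5),
    Risk("New trading partner feed with no SLA", ["external", "processes"], 3, 4, 1.0, 50000.0, 0.5),
]
TOLERANCE = 10000.0  # constructed: maximum expected annual loss the business accepts

if __name__ == "__main__":
    for row in assess(REGISTER, TOLERANCE):
        print(row)
```

Reading the output top to bottom gives the "which objectives should we be focused on" answer for this register: the rows ranked by qualitative score are the ones to work first, and the response column tells the team whether a control, a decision not to proceed, or simply monitoring is needed. Tolerance is the lever management owns; changing the single constant changes several responses, which is the point PO9.5 makes about considering risk tolerance levels.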

Page 8

• Control Objectives for PO9
  – PO9.1 IT Risk Management Framework
  – PO9.2 Establishment of Risk Context
  – PO9.3 Event Identification
  – PO9.4 Risk Assessment
  – PO9.5 Risk Response
  – PO9.6 Maintenance and Monitoring of a Risk Action Plan

• Which objectives should we be focused on?

Page 9

Risk Management: Why Bother?

• Protect the company’s reputation
• Meet increasing expectations by customers, legislators, regulators, investors, etc.
• Manage real crisis situations to best outcome
• Create a culture that anticipates and resolves risks before they happen
• A responsible measure for business to take

“Fail to plan is a plan to fail”

Page 10

Sources of Risk

• Processes: events related to business operations
• People: events caused by employee errors or misdeeds
• Systems: disruption due to technology failure
• External events: outside factors threatening operations
• -OR- a combination of one or more of the above!

Examples:

– A programming error causes miscalculation in prices: Systems (program) → Processes (pricing)
– A fire occurs destroying the IT system and causing disruption to the business: External event (fire) → Systems (unavailable) → Processes (disrupted)

Page 11

COBIT Maturity

• Maturity is a measure of management practices
• Primarily depends on IT controls and the underlying business needs they support
• Each process is rated on a scale of 0 to 5

  0 — Management processes are not applied at all
  1 — Processes are ad hoc and disorganized
  2 — Processes follow a regular pattern
  3 — Processes are documented and communicated
  4 — Processes are monitored and measured
  5 — Good practices are followed and automated

• Not all processes need the same maturity goal; targeting the top level across the entire IT environment is a poor use of resources

Page 12

Take Away

• Understand how COBIT’s 34 processes help unify business goals with IT goals and why that is a desirable result

• Given a business and IT issue, use COBIT to identify the steps to resolve it

• Complete a risk assessment as recommended by PO9 (risks, KRI & mitigation)

• Understand how the Maturity Model is used to measure management and IT capabilities