COBIT 5 ISACA's new Framework for IT Governance, Risk

COBIT 5© ISACA COBIT 5 ISACA’s new framework for IT Governance, Risk, Security and Auditing An overview M. Garsoux COBIT 5 Licensed Training Provider...

11 downloads 683 Views 1MB Size
COBIT 5© ISACA

COBIT 5 ISACA’s new framework for IT Governance, Risk, Security and Auditing An overview

M. Garsoux COBIT 5 Licensed Training Provider

COBIT 5© ISACA

Introduction Principles Processes Implementation Supporting Products Questions

2

COBIT 5© ISACA

3

COBIT 5© ISACA

Evolution of scope

Governance of Enterprise IT IT Governance Val IT 2.0

Management

(2008)

Control Risk IT (2009)

Audit COBIT1

1996

COBIT2

1998

COBIT3

2000

COBIT4.0/4.1

2005/7

COBIT 5

2012

A business framework from ISACA, at www.isaca.org/cobit

4

COBIT 5© ISACA

What is CobiT? • Control Objectives for Information and Related Technology (CobiT) • is a set of best practices for Information Technology management • developed by ISACA (Information Systems Audit & Control Association) • and IT Governance Institute • in 1996. ISACA develops and maintains the internationally recognized COBIT framework, helping IT professionals and enterprise leaders fulfil their IT Governance responsibilities while delivering value to the business. The latest ISACA’s globally accepted framework COBIT 5 is aimed to provide an end-to-end business view of the governance of enterprise IT that reflects the central role of IT in creating value for enterprises 5

COBIT 5© ISACA

• Information is a key resource for all enterprises. • Information is created, used, retained, disclosed and destroyed. • Technology plays a key role in these actions. • Technology is becoming pervasive in all aspects of business and personal life. What benefits does information and technology bring to enterprises? 6

COBIT 5© ISACA

Helps enterprises: • Bring Order to Complex Standards and Frameworks • Extract Value from Information Chaos • Address all Stakeholders Needs and Maximize Value of Corporate Information • Protect and Drive Enterprise Value

7

COBIT 5© ISACA

Enterprises and their executives strive to : • Maintain quality information to support business decisions. • Generate business value from IT-enabled investments, i.e., achieve strategic goals and realise business benefits through effective and innovative use of IT. • Achieve operational excellence through reliable and efficient application of technology. • Maintain IT-related risk at an acceptable level. • Optimise the cost of IT services and technology.

How can these benefits be realized to create enterprise stakeholder value? 8

COBIT 5© ISACA

• COBIT 5 is a comprehensive framework that helps enterprises to create optimal value from IT by maintaining a balance between realising benefits and optimising risk levels and resource use. • COBIT 5 enables information and related technology to be governed and managed in a holistic manner for the whole enterprise, taking in the full end-to-end business and functional areas of responsibility, considering the IT-related interests of internal and external stakeholders. • The COBIT 5 principles and enablers are generic and useful for enterprises of all sizes, whether commercial, not-for profit or in the public sector. 9

COBIT 5© ISACA

10

COBIT 5© ISACA

11

COBIT 5© ISACA

• Enterprises exist to create value for their stakeholders

12

COBIT 5© ISACA

Stakeholder Value • Delivering enterprise stakeholder value requires good governance and management of information and technology (IT) assets. • Enterprise boards, executives and management have to embrace IT like any other significant part of the business. • External legal, regulatory and contractual compliance requirements related to enterprise use of information and technology are increasing, threatening value if breached. • COBIT 5 provides a comprehensive framework that assists enterprises to achieve their goals and deliver value through effective governance and management of enterprise IT.

13

COBIT 5© ISACA

Goals cascade • Stakeholder needs have to be transformed into an enterprises’ actionable strategy. • The COBIT 5 goals cascade translates stakeholder needs into specific, actionable and customised goals within the context of the enterprise, IT-related goals and enabler goals.

14

COBIT 5© ISACA

COBIT 5 entreprise goals Governance objectives BSC

Description F 1.Stakeholder value of business investments I N 2.Portfolio of competitive products and services A N 3.Managed business risks (safeguarding of assets) C I 4.Compliance with external laws and regulations A 5.Financial transparency L 6.Customer oriented service culture C U 7.Business service continuity and availability S T 8.Agile responses to a changing business environment O M 9.Information based strategic decision making E 10.Optimisation of service delivery costs R 11.Optimisation of business process functionality I N 12.Optimisation of business process costs T E 13.Managed business change programmes R N 14.Operational and staff productivity A 15.Compliance with internal policies L Learning 16.Skilled and motivated people &Growth 17.Product and business innovation culture

Benefits P P

P P

Risk P P P S

Resource S S S S S

P P P P P P P P S P

P

P P P

S P P P P S P P

15

COBIT 5© ISACA

COBIT 5 IT-related goals BSC Description F 1. Alignment of IT and business strategy I N 2. IT compliance and support for business compliance with external laws & regulations A 3. Commitment of executive management for making IT related decisions N C 4. Managed IT related business risks I A 5. Realised benefits form IT-enabled investments and services portfolio L 6. Transparency of IT costs, benefits and risk C 7. Delivery of IT services in line with business requirements U S 8. Adequate use of applications, information and technology structure T I N T E R N A L L &G

9. IT agility 10. Security of information, processing infrastructure and applications 11. Optimisation of IT assets, resources and capabilities 12. Enablement and support of business processes by integrating applications and technology 13. Delivery of programme on time, on budget, and meeting requirements and quality standards 14. Availability of reliable and useful information for decision making 15. IT compliance with internal policies 16. Competent and motivated business and IT personnel 17. Knowledge, expertise and initiatives for business innovation

16

COBIT 5© ISACA

Mapping of Enterprise goals into IT-goals Enterprise Goal

IT -Related Goal Alignment of IT and business strategy Delivery of IT services Customer 7 in line with business requirements Financial 1

Internal

9 IT agility Competent and Learning 16 motivated business and Growth and IT personnel

Stakeholder Value of Customer - oriented Optimisation of business Skilled and Business investments service culture process functionality motivated peole 1 6 11 16 Financial Customer Internal Learning and Growth P

P

P

S

P

P

P

S

S

S

P

S

S

S

P

17

COBIT 5© ISACA

Mapping IT goals to processes IT - Related Goal Delivery of IT services Alignment of IT and in line with business business strategy requirements COBIT 5 Process

EDM01

EDM02 Evaluate, Direct and Monitor EDM03 EDM0 4

EDM05

Ensure Governance Framework Setting and Maintenance Ensure Benefits Delivery Ensure Risk Optimisation Ensure Ressource Optimisation Ensure Stakeholder Transparency

IT agility

Knowledge, expertise and initiatives for business innovation

1

7

9

17

Financial

Customer

Internal

P

P

S

P

P

P

S

S

S

S

S

S

P

P

S

S S

18

COBIT 5© ISACA

Key components of a governance system

19

COBIT 5© ISACA

• COBIT 5 aligns with the latest relevant other standards and frameworks used by enterprises: – Enterprise: COSO, COSO ERM, ISO 9000, ISO 31000 – IT-related: ISO 38500, ITIL, ISO27000 series, TOGAF, PMBOK/PRINCE2, CMMI – Etc.

• This allows the enterprise to use COBIT 5 as the overarching governance and management framework integrator. • ISACA plans a capability to facilitate COBIT user mapping of practices and activities to third-party references. 20

COBIT 5© ISACA

COBIT 5 defines a set of enablers to support the implementation of a comprehensive governance and management system for enterprise IT. COBIT 5 enablers are: • Factors that, individually and collectively, influence whether something will work • Driven by the goals cascade • Described by the COBIT 5 framework in seven categories 21

COBIT 5© ISACA

2

4

3

1

5

6

7

22

COBIT 5© ISACA

1. Principles, policies and frameworks—Are the vehicle to translate the desired behaviour into practical guidance for day-to-day management 2. Processes—Describe an organised set of practices and activities to achieve certain objectives and produce a set of outputs in support of achieving overall IT related goals 3. Organisational structures—Are the key decision-making entities in an organisation 4. Culture, ethics and behaviour—Of individuals and of the organisation; very often underestimated as a success factor in governance and management activities 5. Information—Is pervasive throughout any organisation, i.e., deals with all information produced and used by the enterprise. Information is required for keeping the organisation running and well governed, but at the operational level, information is very often the key product of the enterprise itself. 6. Services, infrastructure and applications—Include the infrastructure, technology and applications that provide the enterprise with information technology processing and services 7. People, skills and competencies—Are linked to people and are required for successful completion of all activities and for making correct decisions and taking corrective actions

23

COBIT 5© ISACA

• Governance ensures that enterprise objectives are achieved by evaluating stakeholder needs, conditions and options; setting direction through prioritisation and decision making; and monitoring performance, compliance and progress against agreed direction and objectives (EDM) • Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives (PBRM)

24

COBIT 5© ISACA

COBIT 5 is not prescriptive, but it advocates that organisations implement governance and management processes such that the key areas are covered, as shown.

25

COBIT 5© ISACA

COBIT 5 brings together the five principles that allow the enterprise to build an effective governance and management framework based on a holistic set of seven enablers that optimises information and technology investment and use for the benefit of stakeholders.

26

COBIT 5© ISACA

27

COBIT 5© ISACA

28

COBIT 5© ISACA

29

COBIT 5© ISACA

30

COBIT 5© ISACA

31

COBIT 5© ISACA

32

COBIT 5© ISACA

33

COBIT 5© ISACA

• Failed IT initiatives • Rising costs • Perception of low business value for IT investments • Significant incidents related to IT risk (e.g. data loss) • Service delivery problems • Failure to meet regulatory or contractual requirements • Audit findings for poor IT performance or low service levels • Hidden and/or rogue IT spending

 Resource waste through duplication   

 

or overlap in IT initiatives Insufficient IT resources IT staff burnout / dissatisfaction IT enabled changes frequently failing to meet business needs (late deliveries or budget overruns) Multiple and complex IT assurance efforts Board members or senior managers that are reluctant to engage with IT

34

COBIT 5© ISACA

• Merger, acquisition or divestiture • Shift in the market, economy or competitive position • Change in business operating model or sourcing arrangements • New regulatory or compliance requirements • Significant technology change or paradigm shift

 An enterprise-wide governance focus

or project  A new CIO, CFO, COO or CEO  External audit or consultant assessments  A new business strategy or priority

By using pain points or trigger events as the launching point for IT governance initiatives, the business case for GEIT improvement can be related to issues being experienced, which will improve buy-in to the business case.

35

COBIT 5© ISACA

36

COBIT 5© ISACA

37

COBIT 5© ISACA

38

COBIT 5© ISACA

39