3. It may actually work!
Because we have:
• Experience
• Luck
• A culture of ‘Quick and Dirty’
But what happens when we need to:
• Document
• Improve
• Find an error
• Transfer responsibility
= we need governance
4. Why do we need to govern?
• Stakeholders expect that
  – current business is stable and creates value
  – IT is responsive to changing business models
• These contradictory expectations can be achieved with governance of the enterprise's IT
• Governance responsibilities
  – Strategy generation
  – Value delivery
  – Risk management
  – Performance measurement
5. IT Governance Focus Areas
• The five main focus areas of IT Governance, all driven by stakeholder value
• Two of them are outcomes
  – Value Delivery
  – Risk Management
• Three of them are drivers
  – Strategic Alignment
  – Resource Management (which overlays them all)
  – Performance Measurement
• IT Governance is a continuous life cycle, which can be entered at any point
[Figure: IT Governance focus areas – Strategic Alignment, Value Delivery, Risk Management and Performance Measurement arranged around IT Governance, with Resource Management underlying all of them]
IT Governance Institute, 2003 – Board Briefing on IT Governance, 2nd edition, 2006, COBIT 4.1 Executive Overview, 2007
6. What do we get from governing?
• Board and executives have a clear picture of the performance of IT
• Better investment decisions
• Trust that IT achieves objectives as directed
• Clearly assigned roles and responsibilities
• Helps management to execute strategy and encourages desirable behavior
• Transparency in governance
• Improves stakeholder confidence in the responsibility, accountability and competitive position of the enterprise
• Enables customers to influence services - customer satisfaction
• Improves employee satisfaction and retention
7. What do we get from governing?
• Balanced operations
  – IT can respond to the business needs and
  – at the same time maintain and improve the stability and quality of services in a cost-efficient manner
• Outsourced services can be directed and controlled clearly
• Enables effective, efficient and adaptable relationships
• Improved ROI and VOI
  – Effective governance eliminates redundancy, overlap and lack of clarity, helps to reduce failures, optimise costs and increase efficiency
• Compliance with rules and legislation is achieved and maintained
8. Frameworks, standards and players
• ITIL (Information Technology Infrastructure Library)
  – A set of guidance, a collection of best practices for IT Service Management - an IT Service Management framework
• ISO/IEC 20000
  – International standard for IT Service Management
• TOGAF (The Open Group Architecture Framework)
  – A framework for Enterprise Architecture
  – A comprehensive approach to the design, planning, implementation and governance of an enterprise information architecture
9. Frameworks, standards and players
• CMMI (Capability Maturity Model Integration)
  – A process improvement approach
  – helps integrate traditionally separate organisational functions
  – sets process improvement goals and priorities
• COBIT
  – provides guidance for quality processes
  – created by ISACA and the IT Governance Institute, initially in 1996
  – provides a generally accepted, practical toolset:
  – enables good practice for IT control throughout the organisation
  – highlights the link between business and IT goals
  – emphasises regulatory compliance
  – An authoritative, up-to-date, internationally and generally accepted internal control framework for IT governance
10. Frameworks, standards and players
• ISO/IEC 27001
  – an information security management standard, published in 2005
  – intended to be used in conjunction with ISO/IEC 27002, the Code of Practice for Information Security Management
• ISO/IEC 27002
  – Based on the British Standard (BS) 7799-1:1999
  – first published by ISO as ISO/IEC 17799 (2000), with the revised edition published in 2005
  – renumbered ISO/IEC 27002:2005 in July 2007
  – ISO/IEC 27002 provides best practice recommendations on information security management for use by those who are responsible for initiating, implementing or maintaining Information Security Management Systems (ISMS).
11. Frameworks, standards and players
• AS8015
  – An Australian standard for IT Governance, published in 2005
  – Provides principles, a model and vocabulary as a basic framework for implementing effective corporate governance of ICT
• ISO/IEC 38500 (very closely based on AS8015; published in 2008)
  – Corporate governance of information technology standard
  – Provides guiding principles for directors of organisations (including owners, board members, directors, partners, senior executives, or similar) on the effective, efficient and acceptable use of Information Technology (IT) within their organisations.
12. Why COBIT?
• COBIT is used in many companies to provide a framework for governance and implementation of internal controls
• COBIT includes the essential business and IT process controls and objectives needed to achieve corporate objectives
• COBIT is written at the management level and driven by business requirements
• COBIT is aligned with other IT practices and standards but is more complete than the others
• COBIT is generally accepted as the internal IT control framework
13. COBIT
• Control Objectives for Information and related Technology
• COBIT supports IT governance by providing a framework to ensure that
  – IT is aligned with the business
  – IT enables the business and maximises benefits
  – IT resources are used responsibly
  – IT risks are managed appropriately
• Designed to support
  – Executive and management boards
  – Business and IT management
  – Governance, assurance, control and security professionals
14. COBIT mission
• To research, develop, publicise and promote an authoritative, up-to-date, internationally accepted IT governance control framework for adoption by enterprises and day-to-day use by business managers, IT professionals and assurance professionals.
15. COBIT fits in
• Business-focused
  – Business goals and IT goals, COBIT's information criteria, COBIT's IT resources
• Process-oriented
  – Domains: Plan and Organise (PO), Acquire and Implement (AI), Deliver and Support (DS), Monitor and Evaluate (ME)
• Controls-based
  – Process controls, business and IT controls, IT general controls and application controls
• Measurement-driven
  – Maturity models
16. COBIT is business-focused
• Business requirements drive the investments in IT resources, which are used by IT processes to deliver enterprise information, which in turn responds to the business requirements
[Figure: the COBIT business-focus cycle – Business Requirements → IT Resources → IT Processes → Enterprise Information → Business Requirements]
17. COBIT is process-oriented
• Plan and Organise
  – Provides direction to solution delivery (AI) and service delivery (DS)
• Acquire and Implement
  – Provides the solutions and passes them on to be turned into services
• Deliver and Support
  – Receives the solutions and makes them usable for end users
• Monitor and Evaluate
  – Monitors all processes to ensure that the direction provided is followed
[Figure: the four COBIT domains – Plan and Organise directs Acquire and Implement and Deliver and Support; Monitor and Evaluate spans all three]
18. COBIT is controls-based
• COBIT defines
  – Control objectives for all 34 processes
  – Overarching process and application controls
• Control objectives
  – Reasonable assurance that business objectives will be achieved and undesired events will be prevented or detected and corrected
  – Consist of the policies, procedures, practices and organisational structures
  – Statements of managerial actions to increase value or reduce risk
• Some controls apply to all processes
  – Six overarching process controls
  – Six overarching application controls
19. COBIT is measurement-driven
• COBIT Maturity levels
  – profiles of IT processes
  – not a threshold model
• Process maturity
  – A process may be mainly at level 3
  – However, some parts can be at lower levels
  – And some even at the highest level of 5 (optimised)
  – It is misleading to say that the process is not defined if part of it is not complete
20. History of COBIT
• A framework and a knowledge base for managing IT
• created by ISACA and the IT Governance Institute; development started in 1994 and the first edition was released in 1996
• Former name of the IT Governance Institute was the Information Systems Audit and Control Foundation (ISACF) - renamed in 2003
• COBIT was transferred to the IT Governance Institute in 1999
• Evolution of the editions and their emphasis
  – COBIT 1: Audit
  – COBIT 2: Control
  – COBIT 3: Management
  – COBIT 4 and 4.1: Governance
21. COBIT 4.1
• A single publication consisting of four sections
• Executive Overview
• The COBIT framework
• The core content
• Framework processes
• Control Objectives
• Management Guidelines
• Maturity Models
• Appendixes I through VIII
  – I - Tables linking goals and processes
  – II - Mapping IT processes to IT Governance focus areas, COSO, COBIT IT resources and COBIT information criteria
  – V - Cross-references between COBIT 3rd Edition and COBIT 4.1
22. COBIT 4.1 – the core content
• Framework
  – Organises IT Governance objectives and good practices by IT domains and processes, and links them to business requirements
• Control Objectives
  – Provide a complete set of high-level requirements to be considered by management for effective control of each process
• Management Guidelines / Maturity Models
  – Help assign responsibility, measure performance, and benchmark and address gaps in capability
23. Interrelationships of COBIT components
[Figure: interrelationships of COBIT components – business requirements and information linked to the other components by arrows labelled "broken down into", "controlled by", "audited by", "measured with", "derived from", "for outcome", "implemented with", "performed by" and "based on"]
IT Governance Institute – COBIT 4.1 Executive Overview, 2007
24. The COBIT Cube
[Figure: the COBIT Cube, three dimensions]
• Business Requirements (information criteria): Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability
• IT Resources: Applications, Information, Infrastructure, People
• IT Processes: Domains, Processes, Activities
IT Governance Institute, COBIT 4.1
25. Basic principle of the COBIT Framework
• IT resources are managed by IT processes (organised into domains, processes and activities) to achieve IT goals that respond to the business requirements (the information criteria)
[Figure: Business Requirements / Information Criteria ← IT Goals ← IT Processes (Domains, Processes, Activities) ← IT Resources]
26. Plan and Organise domain - processes
• PO1 Define a Strategic IT Plan
• PO2 Define the Information Architecture
• PO3 Determine Technological Direction
• PO4 Define the IT Processes, Organisation and Relationships
• PO5 Manage the IT Investment
• PO6 Communicate Management Aims and Direction
• PO7 Manage IT Human Resources
• PO8 Manage Quality
• PO9 Assess and Manage IT Risks
• PO10 Manage Projects
27. Acquire and Implement domain - processes
• AI1 Identify Automated Solutions
• AI2 Acquire and Maintain Application Software
• AI3 Acquire and Maintain Technology Infrastructure
• AI4 Enable Operation and Use
• AI5 Procure IT Resources
• AI6 Manage Changes
• AI7 Install and Accredit Solutions and Changes
28. Deliver and Support domain - processes
• DS1 Define and Manage Service Levels
• DS2 Manage Third-party Services
• DS3 Manage Performance and Capacity
• DS4 Ensure Continuous Service
• DS5 Ensure Systems Security
• DS6 Identify and Allocate Costs
• DS7 Educate and Train Users
• DS8 Manage Service Desk and Incidents
• DS9 Manage the Configuration
• DS10 Manage Problems
• DS11 Manage Data
• DS12 Manage the Physical Environment
• DS13 Manage Operations
29. Monitor and Evaluate domain - processes
• ME1 Monitor and Evaluate IT Performance
• ME2 Monitor and Evaluate Internal Control
• ME3 Ensure Compliance With External Requirements
• ME4 Provide IT Governance
30. Process Controls
• COBIT defines control objectives for all 34 processes
• Each of the COBIT processes has
  – A high-level control objective - the process description
  – A number of detailed control objectives
  – As a whole, they are the characteristics of a well-managed process
• COBIT also defines overarching process controls
  – That apply to all processes
  – And should be considered together with the process control objectives to have a complete view of the control requirements
31. Process Controls
• The detailed control objectives are identified by a two-character domain reference (PO, AI, DS, ME) plus a process number and a control objective number
  – E.g., PO10 Manage Projects has 14 detailed control objectives, from PO10.1 to PO10.14
  – while DS2 Manage Third-party Services has four, from DS2.1 to DS2.4
• The overarching process controls are numbered from PC1 to PC6
32. COBIT Maturity model
• Similar to CMM
  – Interpreted for the nature of COBIT's IT management processes
  – A generic maturity scale
  – A specific model generated for each COBIT IT process
• Not a threshold model
  – Designed as profiles of IT processes
  – Possible current and future states
• Using the maturity models, management can identify
  – The actual performance of the enterprise - where the enterprise is today
  – The current status of the industry - the comparison
  – The enterprise's target for improvement - where the enterprise wants to be
  – The required growth path between as-is and to-be
34. COBIT Maturity Model
• Generic Maturity Model
• 0 - (Non-existent) management processes are not applied at all
• 1 – (Initial/Ad Hoc) processes are ad hoc and disorganised
• 2 – (Repeatable but intuitive) processes follow a regular pattern
• 3 – (Defined Process) processes are documented and communicated
• 4 – (Managed and Measurable) processes are monitored and measured
• 5 – (Optimised) good practices are followed and automated
35. Goal Relationship example
• Business Goal: Maintain enterprise reputation and leadership
• IT Goal: Ensure that IT services can resist and recover from attacks
• Process Goal: Detect and resolve unauthorised access
• Activity Goal: Understand security requirements, vulnerabilities and threats
[Figure: a goal cascade – each goal is derived from the goal on the level above it]
36. Outcome measure, Performance indicator example
• IT Goal: Ensure that IT services can resist and recover from attacks
  – Outcome measure: number of actual IT incidents with business impact
• Process Goal: Detect and resolve unauthorised access
  – Outcome measure: number of actual incidents because of unauthorised access
• The process goal drives the IT goal, so the outcome measure of the process goal serves as a performance indicator for the IT goal
37. COBIT Framework
[Figure: the COBIT Framework overview]
• Business Requirements / Information Criteria that respond to them
  – Quality: Effectiveness, Efficiency
  – Security: Confidentiality, Integrity, Availability
  – Fiduciary: Compliance, Reliability
• IT Goals, to achieve them
• Domains: Plan and Organise (PO), Acquire and Implement (AI), Deliver and Support (DS), Monitor and Evaluate (ME)
• Processes and Activities, which manage the IT Resources: Applications, Information, Infrastructure, People
• For each process: high-level and detailed control objectives, IT goals, process goals, activity goals, maturity models, outcome measures and performance indicators
38. COBIT Core Components
• Each COBIT IT process has
• Section one - Process Description
• Process description
• Summary of the objectives - presented in a waterfall
• Mapping of the process to
– Information criteria, IT resources, IT governance focus areas
• Section two – Control Objectives
• Detailed control objectives for this process
• Section three – Management Guideline
• Process inputs and outputs, RACI chart, goals and metrics
• Section four – Maturity model
• Maturity model for this process
41. Example : DS2
• The following slides are an example of the content of
COBIT
• Process: DS2 Manage Third-party Services
42. DS2
[Figure: the DS2 process page in COBIT 4.1, annotated – mapping to information criteria, summary of the objectives in a waterfall, mapping to IT governance focus areas, mapping to IT resources]
IT Governance Institute, COBIT 4.1
43. DS2 - Process Description
DS2 Manage Third-party Services
The need to assure that services provided by third parties (suppliers,
vendors and partners) meet business requirements requires an
effective third-party management process. This process is
accomplished by clearly defining the roles, responsibilities and
expectations in third-party agreements as well as reviewing and
monitoring such agreements for effectiveness and compliance.
Effective management of third-party services minimises the business
risk associated with non-performing suppliers.
44. DS2 Manage Third-party Services
• DS2 mappings to
• Information criteria
• IT resources
• IT Governance focus areas
  – P = primary relationship
  – S = secondary relationship
46. Control Objectives
• Control objectives
  – Reasonable assurance that business objectives will be achieved and undesired events will be prevented or detected and corrected
  – Consist of the policies, procedures, practices and organisational structures
  – Statements of managerial actions to increase value or reduce risk
• Each of the COBIT processes has
  – A high-level control objective - the process description
  – A number of detailed control objectives
  – As a whole, they are the characteristics of a well-managed process
47. DS2 – Control Objectives
IT Governance Institute, COBIT 4.1
48. COBIT Control Practices
• Provides guidance on why controls are worth implementing
  – Why - value drivers and risk drivers
  – And how to implement them
• Helps to justify and design the specific controls needed to improve IT Governance
  – How, why and what to implement for each control objective
  – to improve IT performance
  – to address IT solution and service delivery risks
• Not included in COBIT 4.1
  – A separate publication
49. DS2 - Management Guidelines
[Figure: the DS2 Management Guidelines page – process inputs, process outputs, RACI chart, goals and metrics]
50. Management Guidelines
• Process inputs
• What the process owner needs from others
• Inputs come also from other sources than COBIT
• Process outputs
• What the process owner has to deliver
• RACI chart
• What has to be delegated and to whom
• Goals and metrics
• How the process should be measured
51. DS2 – Process inputs and outputs
• Inputs from
  – PO1 Define a strategic IT plan
  – PO8 Manage quality
  – AI5 Procure IT resources
  – DS1 Define and manage service levels
  – DS4 Ensure continuous service
• Outputs to
  – ME1 Monitor and evaluate IT performance
  – AI5 Procure IT resources
  – PO9 Assess and manage IT risks
52. RACI chart
• Responsible
  – The person or people responsible for getting the job done
  – Correct execution of the process and the activities
  – Potential OLA opportunities
• Accountable
  – Only one person can be accountable for each task
  – Ownership of quality and the end result of the process
• Consulted
  – The people who are consulted and whose opinions are sought
  – Involvement through input of knowledge and information
• Informed
  – The people who are kept up to date on progress
  – Receiving information about process execution and quality
• Helps to expose communication and workflow paths
58. More information?
Ben Kalland
ITIL Expert and Cobit Foundation certified consultant
Accredited ITIL trainer
ben.kalland@tieturi.fi
Tieturi Oy, HTC Santa Maria
Tammasaarenkatu 5
00180 HELSINKI
www.tieturi.fi/itil