Business is evolving, you should too.




What is COBIT?
Ben Kalland, Tieturi

Helsinki, Tampere, Turku, Tukholma, Göteborg | www.tieturi.fi
Governance?
It may actually work!
Because we have:
• Experience
• Luck
• A culture of ‘Quick and Dirty’

But what happens when we need to:
• Document
• Improve
• Find an error
• Transfer responsibility
= we need governance
Why do we need to govern?

• Stakeholders expect
   • Current business is stable and creates value
   • Responsiveness to changing business models
• These contradictory expectations can be achieved with
   • Governance of enterprise’s IT

• Governance responsibilities
   • Strategy generation
   • Value Delivery
   • Risk Management
   • Performance Measurement

IT Governance Focus Areas
• The five main focus areas of IT Governance, all driven by stakeholder value
• Two of them are outcomes
   • Value Delivery
   • Risk Management
• Three of them are drivers
   • Strategic Alignment
   • Resource Management (which overlays them all)
   • Performance Measurement
• IT Governance is a continuous life cycle, which can be entered at any point

[Figure: the five focus areas (Strategic Alignment, Value Delivery, Risk Management, Performance Measurement, Resource Management) arranged in a cycle around IT Governance]

IT Governance Institute, 2003 – Board Briefing on IT Governance, 2nd edition, 2006, COBIT 4.1 Executive Overview, 2007

What do we get from governing?

• Board and executives have a clear picture of the
  performance of IT
   • Better investment decisions
   • Trust that IT achieves objectives as directed
• Clearly assigned roles and responsibilities
   • Help management to execute strategy and encourage desirable
     behavior
• Transparency in governance
   • Improves stakeholder confidence in the responsibility,
     accountability and competitive position of the enterprise
   • Enables customers to influence services - customer satisfaction
   • Improves employee satisfaction and retention

What do we get from governing?

• Balanced operations
   • IT can respond to the business needs and
   • at the same time maintain and improve the stability and quality of
     services in a cost-efficient manner
• Outsourced services can be directed and controlled clearly
   • Enables effective, efficient and adaptable relationships
• Improved ROI and VOI
   • Effective governance eliminates redundancy, overlap and lack of
     clarity, helps to reduce failures, optimize costs and increase
     efficiency
• Compliance with rules and legislation is achieved and maintained

Frameworks, standards and players

• ITIL (Information Technology Infrastructure Library)
    • A set of guidance, a collection of Best Practices for IT Service
      Management - IT Service Management Framework


• ISO/IEC 20000
    • International standard for IT Service Management

• TOGAF (Open Group Architecture Framework)
    • A framework for Enterprise Architecture
    • A comprehensive approach to the design, planning, implementation, and governance of an enterprise information architecture

Frameworks, standards and players
• CMMI (Capability Maturity Model Integration)
    • A process improvement approach
        • helps integrate traditionally separate organizational functions
        • sets process improvement goals and priorities
        • provides guidance for quality processes
• COBIT
    • created by ISACA and the IT Governance Institute initially in 1996
    • provides a generally accepted, practical toolset:
    • enables good practice for IT control across the organization
    • highlights the link between business and IT goals
    • emphasises regulatory compliance
    • An authoritative, up-to-date, internationally and generally accepted, internal control framework for IT governance

Frameworks, standards and players

• ISO/IEC 27001
  • an information security standard published in 2005
  • intended to be used in conjunction with ISO/IEC 27002, the Code of Practice for Information Security Management
• ISO/IEC 27002
  • Based on the British Standard (BS) 7799-1:1999
  • published in 2005
  • renumbered ISO/IEC 27002:2005 in July 2007
  • ISO/IEC 27002 provides best practice recommendations on information security management for use by those who are responsible for initiating, implementing or maintaining Information Security Management Systems (ISMS).

Frameworks, standards and players

• AS8015
  • An Australian standard for IT Governance, published in 2005
  • Provides principles, a model and vocabulary as a basic framework for implementing effective corporate governance of ICT
• ISO/IEC 38500 (very closely based on AS8015)
  • Corporate governance of information technology standard
  • Provides guiding principles for directors of organizations (including owners, board members, directors, partners, senior executives, or similar) on the effective, efficient, and acceptable use of Information Technology (IT) within their organizations.

Why COBIT?

• COBIT is used in many companies to provide a framework
  for governance and implementation of internal controls
• COBIT includes the essential business and IT process
  controls and objectives needed to achieve corporate
  objectives
• COBIT is written at the management level and driven by
  business requirements
• COBIT is aligned with other IT practices and standards but
  is more complete than others
• COBIT is generally accepted as the internal IT control framework

COBIT
• Control Objectives for Information and related Technology

• COBIT supports IT governance by providing a framework to ensure that
   • IT is aligned with the business
   • IT enables the business and maximises benefits
   • IT resources are used responsibly
   • IT risks are managed appropriately

• Designed to support
   • Executive and management boards
   • Business and IT management
   • Governance, assurance, control, security professionals

COBIT mission
• To research, develop, publicise and promote an authoritative, up-to-date, internationally accepted IT governance control framework for adoption by enterprises and day-to-day use by business managers, IT professionals and assurance professionals.

COBIT fits in
• Business-focused
   • Business goals and IT goals, COBIT’s information criteria, COBIT’s IT
      resources
• Process-oriented
   • Domains: Plan and Organise (PO), Acquire and Implement (AI),
      Deliver and Support (DS), Monitor and Evaluate (ME)
• Controls-based
   • Process controls, Business and IT controls, IT general controls and
      application controls
• Measurement-driven
   • Maturity models

COBIT is business-focused

[Figure: a cycle with COBIT at the centre, reading "Business requirements drive the investments in IT Resources, that are used by IT Processes, to deliver Enterprise information, which responds to Business requirements"]

COBIT is process-oriented
• Plan and Organise
   • Provides direction to solution delivery (AI) and service delivery (DS)
• Acquire and Implement
   • Provides the solutions and passes them to be turned into services
• Deliver and Support
   • Receives the solutions and makes them usable for end users
• Monitor and Evaluate
   • Monitors all processes to ensure that the direction provided is followed

[Figure: the four domains, with Plan and Organise above Acquire and Implement and Deliver and Support, and Monitor and Evaluate beneath them]

COBIT is controls-based

• COBIT defines
   • Control objectives for all 34 processes
   • Overarching process and application controls
• Control objectives
   • Reasonable assurance that business objectives will be achieved
     and undesired events will be prevented or detected and corrected
   • Consist of the policies, procedures, practices and organisational
     structures
   • Statements of managerial actions to increase value or reduce risk
• Some controls apply to all processes
   • Six overarching process controls
   • Six overarching application controls

COBIT is measurement-driven
• COBIT Maturity levels
   • profiles of IT processes
   • not a threshold model
• Process maturity
   • Process may be mainly at level 3
   • However some parts can be at lower levels
   • And some even at the highest level of 5 (optimised)
• It is misleading to say that the process is not defined if part of it is not complete

History of COBIT

• A framework and a knowledge base for managing IT
• created by ISACA and the IT Governance Institute in 1994
   • Former name of IT Governance Institute was the Information Systems Audit and Control Foundation (ISACF) – renamed in 2003
• COBIT was transferred to the IT Governance Institute in 1999

[Figure: a staircase of editions and their emphasis: COBIT1 – Audit, COBIT2 – Control, COBIT3 – Management, COBIT4 & 4.1 – Governance]

COBIT 4.1
• A single publication consisting of four sections
    • Executive Overview
    • The COBIT framework
    • The core content
         • Framework processes
         • Control Objectives
         • Management Guidelines
         • Maturity Models
    • Appendixes I through VIII
         • I - Tables linking goals and processes
         • II - Mapping IT processes to IT Governance focus areas, COSO, COBIT IT resources and COBIT Information criteria
         • V - Cross-references Between COBIT 3rd Edition and COBIT 4.1

COBIT 4.1 – the core content

• Framework
   • Organises IT Governance objectives and good practices by IT domains and processes, and links them to business requirements

• Control Objectives
   • Provide a complete set of high-level requirements to be considered by management for effective control of each process

• Management Guidelines / Maturity Models
   • Help assign responsibility, measure performance, and benchmark and address gaps in capability

Interrelationships of COBIT components

[Figure: interrelationships of COBIT components. Only the edge labels survive extraction: "requirements", "information", "broken down into", "controlled by", "audited by", "measured with", "for outcome", "performed by", "for performance", "implemented with", "derived from", "based on".]

IT Governance Institute – COBIT 4.1 Executive Overview, 2007

The COBIT Cube

[Figure: the COBIT Cube with three faces: Business Requirements (the information criteria Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance and Reliability), IT Processes (Domains, Processes, Activities) and IT Resources (Applications, Information, Infrastructure, People)]

IT Governance Institute, COBIT 4.1

Basic principle of the COBIT Framework

[Figure: Business Requirements, expressed as Information Criteria; IT Goals that respond to them; IT Processes (Domains, Processes, Activities) to achieve the IT Goals; and IT Resources, which are managed by the IT Processes]

Plan and Organise domain - processes
• PO1 Define a Strategic IT Plan
• PO2 Define the Information Architecture
• PO3 Determine Technological Direction
• PO4 Define the IT Processes, Organisation and Relationships
• PO5 Manage the IT Investment
• PO6 Communicate Management Aims and Direction
• PO7 Manage IT Human Resources
• PO8 Manage Quality
• PO9 Assess and Manage IT Risks
• PO10 Manage Projects

Acquire and Implement domain - processes
• AI1 Identify Automated Solutions
• AI2 Acquire and Maintain Application Software
• AI3 Acquire and Maintain Technology Infrastructure
• AI4 Enable Operation and Use
• AI5 Procure IT Resources
• AI6 Manage Changes
• AI7 Install and Accredit Solutions and Changes

Deliver and Support domain - processes
• DS1 Define and Manage Service Levels
• DS2 Manage Third-party Services
• DS3 Manage Performance and Capacity
• DS4 Ensure Continuous Service
• DS5 Ensure Systems Security
• DS6 Identify and Allocate Costs
• DS7 Educate and Train Users
• DS8 Manage Service Desk and Incidents
• DS9 Manage the Configuration
• DS10 Manage Problems
• DS11 Manage Data
• DS12 Manage the Physical Environment
• DS13 Manage Operations

Monitor and Evaluate domain - processes
• ME1 Monitor and Evaluate IT Performance
• ME2 Monitor and Evaluate Internal Control
• ME3 Ensure Compliance With External Requirements
• ME4 Provide IT Governance

Process Controls

• COBIT defines control objectives for all 34 processes

• Each of the COBIT processes has
   • A high-level control objective – the process description
   • A number of detailed control objectives
   • As a whole, they are the characteristics of a well-managed
     process


• COBIT also defines overarching process controls
   • That apply to all processes
   • And should be considered together with the process control objectives to have a complete view of control requirements

Process Controls

• The detailed control objectives are identified by a two-character domain reference (PO, AI, DS, ME) plus a process number and a control objective number
   • E.g., PO10 Manage Projects has 14 detailed control objectives
        • From PO10.1 to PO10.14
   • While DS2 Manage Third-party Services has four
        • From DS2.1 to DS2.4

• The overarching Process Controls are numbered
   • From PC1 to PC6

COBIT Maturity model
• Similar to CMM
• Interpreted for the nature of COBIT’s IT management processes
• A generic maturity scale
• A specific model generated for each COBIT IT process
• Not a threshold model
• Designed as profiles of IT processes
    • Possible current and future states
• Using the maturity models management can identify
    • The actual performance of the enterprise – Where the enterprise is today
    • The current status of the industry – The comparison
    • The enterprise’s target for improvement – Where the enterprise wants to be
    • The required growth path between as-is and to-be

COBIT Maturity Model
• Generic Maturity Model
   • 0 – (Non-existent) management processes are not applied at all
   • 1 – (Initial/Ad Hoc) processes are ad hoc and disorganised
   • 2 – (Repeatable but intuitive) processes follow a regular pattern
   • 3 – (Defined Process) processes are documented and communicated
   • 4 – (Managed and Measurable) processes are monitored and measured
   • 5 – (Optimised) good practices are followed and automated

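As an added example, not from these slides or from ISACA, the Python below ties the two preceding ideas together: it parses control-objective references in the form described on the Process Controls slide (domain code, process number, objective number, plus PC1 to PC6 for the overarching process controls), checks them against the process catalogue from the domain slides (PO1–PO10, AI1–AI7, DS1–DS13, ME1–ME4), and then builds a per-process maturity profile in the "not a threshold model" sense of the maturity-model slides. The per-objective maturity levels are constructed sample data; objective numbers are range-checked only for PO10 (14) and DS2 (4), the two counts the slides state, and every other process is left unchecked rather than guessed.

```python
"""Added example (not the slide deck's or ISACA's own code): parse COBIT 4.1
control-objective references and build per-process maturity profiles."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Number of processes per domain, as listed on the domain slides.
PROCESS_CATALOGUE = {"PO": 10, "AI": 7, "DS": 13, "ME": 4}
# Overarching process controls are numbered PC1 to PC6.
PROCESS_CONTROL_COUNT = 6
# Detailed control-objective counts the slides state; other processes are
# not range-checked here because their counts are not on the slides.
KNOWN_OBJECTIVE_COUNTS = {"PO10": 14, "DS2": 4}

# Generic maturity scale from the slides.
MATURITY_LEVELS = {
    0: "Non-existent",
    1: "Initial/Ad Hoc",
    2: "Repeatable but intuitive",
    3: "Defined Process",
    4: "Managed and Measurable",
    5: "Optimised",
}

# <domain><process>[.<objective>], e.g. PO10.14, DS2.4, ME4, PC3
_REF = re.compile(r"^(PO|AI|DS|ME|PC)(\d{1,2})(?:\.(\d{1,2}))?$")


@dataclass(frozen=True)
class ControlRef:
    domain: str
    process: int
    objective: Optional[int]  # None for a process-level or PC reference

    @property
    def process_id(self) -> str:
        return f"{self.domain}{self.process}"


def parse_control_ref(text: str) -> ControlRef:
    """Parse a reference and reject anything outside the COBIT 4.1 catalogue."""
    m = _REF.match(text.strip().upper())
    if not m:
        raise ValueError(f"malformed COBIT reference: {text!r}")
    domain, proc = m.group(1), int(m.group(2))
    obj = int(m.group(3)) if m.group(3) is not None else None
    if domain == "PC":
        # Overarching process controls have no detailed sub-objectives.
        if obj is not None or not 1 <= proc <= PROCESS_CONTROL_COUNT:
            raise ValueError(f"unknown process control: {text!r}")
        return ControlRef(domain, proc, None)
    if not 1 <= proc <= PROCESS_CATALOGUE[domain]:
        raise ValueError(f"{domain} has no process {proc}: {text!r}")
    limit = KNOWN_OBJECTIVE_COUNTS.get(f"{domain}{proc}")
    if obj is not None and (obj < 1 or (limit is not None and obj > limit)):
        raise ValueError(f"{domain}{proc} has no objective {obj}: {text!r}")
    return ControlRef(domain, proc, obj)


def maturity_profile(assessments: dict) -> dict:
    """Summarise maturity per process from per-objective levels.

    `assessments` maps a detailed control-objective reference to its level
    (0-5). The result keeps the whole distribution plus the predominant,
    lowest and highest levels, so a process that is mainly at level 3 with
    some parts at 2 and one at 5 is reported that way; `threshold_view` is
    the single number a threshold model would have collapsed it to.
    """
    per_process = {}
    for ref_text, level in assessments.items():
        ref = parse_control_ref(ref_text)
        if ref.objective is None:
            raise ValueError(f"assess detailed objectives, not {ref_text!r}")
        if level not in MATURITY_LEVELS:
            raise ValueError(f"level must be 0-5, got {level!r}")
        per_process.setdefault(ref.process_id, Counter())[level] += 1
    profile = {}
    for pid, counts in per_process.items():
        # Ties between levels with equal counts go to the higher level.
        predominant = max(counts, key=lambda lvl: (counts[lvl], lvl))
        profile[pid] = {
            "levels": dict(sorted(counts.items())),
            "predominant": predominant,
            "predominant_name": MATURITY_LEVELS[predominant],
            "lowest": min(counts),
            "highest": max(counts),
            "threshold_view": min(counts),
        }
    return profile


# Constructed sample: PO10 mainly at level 3, two objectives at 2, one at 5;
# DS2 uniformly at level 4.
SAMPLE_ASSESSMENT = {f"PO10.{i}": 3 for i in range(1, 15)}
SAMPLE_ASSESSMENT.update({"PO10.3": 2, "PO10.7": 2, "PO10.12": 5})
SAMPLE_ASSESSMENT.update({f"DS2.{i}": 4 for i in range(1, 5)})

if __name__ == "__main__":
    for pid, summary in maturity_profile(SAMPLE_ASSESSMENT).items():
        print(pid, summary)
```

Run as a script it prints one summary per process. The point of keeping `levels`, `predominant` and `threshold_view` side by side is the slide's warning: a threshold model would report PO10 in the sample as level 2 because two of its fourteen objectives lag, while the profile shows it is predominantly at "Defined Process" with one part already optimised.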
Goal Relationship example

• Business Goal: Maintain enterprise reputation and leadership.
• IT Goal: Ensure that IT services can resist and recover from attacks.
• Process Goal: Detect and resolve unauthorised access.
• Activity Goal: Understand security requirements, vulnerabilities and threats.

[Figure: the four goals drawn as a cascade, each lower goal supporting the one above it]

Outcome measure, Performance indicator example

• IT Goal: Ensure that IT services can resist and recover from attacks.
   • Outcome measure: Number of actual IT incidents with business impact
• Process Goal: Detect and resolve unauthorised access.
   • Outcome measure: Number of actual incidents because of unauthorised access

[Figure: the two goals side by side, with a "drive" arrow from the process goal to the IT goal; the process goal's outcome measure serves as a performance indicator for the IT goal]

COBIT Framework

[Figure: the COBIT framework overview. Business Requirements are expressed as Information Criteria, grouped as Quality, Security and Fiduciary: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability. IT Goals respond to them and are achieved by IT Processes organised in the domains Plan and Organise (PO), Acquire and Implement (AI), Deliver and Support (DS) and Monitor and Evaluate (ME); the PROCESSES row carries the high-level and detailed control objectives and the ACTIVITIES row the maturity models. IT goals, process goals and activity goals are tracked with outcome measures and performance indicators. IT Resources (Applications, Information, Infrastructure, People) are managed by the processes.]

COBIT Core Components
• Each COBIT IT process has
   • Section one - Process Description
        • Process description
        • Summary of the objectives - presented in a waterfall
        • Mapping of the process to
            – Information criteria, IT resources, IT governance focus areas
   • Section two – Control Objectives
        • Detailed control objectives for this process
   • Section three – Management Guideline
        • Process inputs and outputs, RACI chart, goals and metrics
   • Section four – Maturity model
        • Maturity model for this process
Cobit Framework

COBIT Framework Navigation

IT Governance Institute, COBIT 4.1
Example : DS2

• The following slides are an example of the content of
  COBIT
• Process: DS2 Manage Third-party Services
DS2

[Figure: the DS2 process page from COBIT 4.1, showing the mapping to information criteria, the summary of the objectives in a waterfall, the mapping to IT governance focus areas and the mapping to IT resources. Source: IT Governance Institute, COBIT 4.1]
DS2 - Process Description

DS2 Manage Third-party Services

The need to assure that services provided by third parties (suppliers,
  vendors and partners) meet business requirements requires an
  effective third-party management process. This process is
  accomplished by clearly defining the roles, responsibilities and
  expectations in third-party agreements as well as reviewing and
  monitoring such agreements for effectiveness and compliance.
  Effective management of third-party services minimises the business
  risk associated with non-performing suppliers.
DS2 Manage Third-party Services

 • DS2 mappings to
    • Information criteria
    • IT resources
    • IT Governance focus areas
 • P = primary relationship
 • S = secondary relationship
DS2 Waterfall
Control Objectives

• Control objectives
   • Reasonable assurance that business objectives will be achieved
     and undesired events will be prevented or detected and corrected
   • Consist of the policies, procedures, practices and organisational
     structures
   • Statements of managerial actions to increase value or reduce risk
• Each of the COBIT processes has
   • A high-level control objective – the process description
   • A number of detailed control objectives
   • As a whole, they are the characteristics of a well-managed
     process
DS2 – Control Objectives

IT Governance Institute, COBIT 4.1
COBIT Control Practices

• Provides guidance on why controls are worth implementing
   • Why - value drivers and risk drivers
• And how to implement them
• Helps to justify and design the specific controls needed to
  improve IT Governance
• How, why and what to implement for each control objective
   • to improve IT performance
   • to address IT solution and service delivery risks
• Not included in COBIT 4.1
• A separate publication
DS2 - Management Guidelines

[Figure: the DS2 management guidelines page, showing the process inputs, the process outputs, the RACI chart, and the goals and metrics.]
Management Guidelines

• Process inputs
   • What the process owner needs from others
      • Inputs come also from other sources than COBIT
• Process outputs
   • What the process owner has to deliver
• RACI chart
   • What has to be delegated and to whom
• Goals and metrics
   • How the process should be measured
DS2 – Process inputs and outputs

Inputs from:
   PO1   Define a strategic IT plan
   PO8   Manage quality
   AI5   Procure IT resources
   DS1   Define and manage service levels
   DS4   Ensure continuous service

Outputs to:
   ME1   Monitor and evaluate IT performance
   AI5   Procure IT resources
   PO9   Assess and manage IT risks
RACI chart
• Responsible
   • The person or people responsible for getting the job done
   • Correct execution of the process and the activities
   • Potential OLA opportunities
• Accountable
   • Only one person can be accountable for each task
   • Ownership of quality, and end result of the process
• Consulted
   • The people who are consulted and whose opinions are sought
   • Involvement through input of knowledge and information
• Informed
   • The people who are kept up-to-date on progress
   • Receiving information about process execution and quality
   • Helps to expose communication and workflow paths
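The RACI rules above, written out as a small validator. This is an added example, not part of the presentation or of COBIT's own material; it assumes a chart represented as a dict of activity to role-to-code mappings, and the DS2-style activity and role names in the sample chart are constructed for illustration.

```python
"""Validator for a COBIT-style RACI chart (added example, not from the deck).

Rules encoded, as stated on the RACI slide:
  - exactly one role is Accountable (A) for each activity
  - at least one role is Responsible (R) for each activity
  - Consulted (C) and Informed (I) roles are optional; listing them exposes
    the communication paths around the activity
A chart is a dict mapping activity -> {role -> codes}, where codes is a
slash-separated string such as "A/R" when a role holds more than one letter.
"""
from dataclasses import dataclass

VALID_CODES = {"R", "A", "C", "I"}


@dataclass(frozen=True)
class Finding:
    activity: str
    problem: str


def _codes_for(activity: str, role: str, codes: str, findings: list) -> set:
    """Parse "A/R"-style strings, recording unknown letters as findings."""
    parsed = set()
    for raw in codes.split("/"):
        code = raw.strip().upper()
        if code in VALID_CODES:
            parsed.add(code)
        else:
            findings.append(Finding(activity, f"unknown code {raw!r} for role {role!r}"))
    return parsed


def validate_raci(chart: dict) -> list:
    """Return the rule violations found in the chart (empty list = well-formed)."""
    findings = []
    for activity, assignments in chart.items():
        accountable, responsible = [], []
        for role, codes in assignments.items():
            parsed = _codes_for(activity, role, codes, findings)
            if "A" in parsed:
                accountable.append(role)
            if "R" in parsed:
                responsible.append(role)
        if not accountable:
            findings.append(Finding(activity, "no Accountable role"))
        elif len(accountable) > 1:
            findings.append(Finding(activity, "more than one Accountable role: " + ", ".join(accountable)))
        if not responsible:
            findings.append(Finding(activity, "no Responsible role"))
    return findings


def communication_paths(chart: dict) -> dict:
    """Map each activity to the roles that must be consulted or informed."""
    paths = {}
    for activity, assignments in chart.items():
        consulted, informed = [], []
        for role, codes in assignments.items():
            parsed = _codes_for(activity, role, codes, [])
            if "C" in parsed:
                consulted.append(role)
            if "I" in parsed:
                informed.append(role)
        paths[activity] = {"consulted": consulted, "informed": informed}
    return paths


# Constructed DS2-style chart; activity and role names are assumptions for
# illustration, not COBIT's published DS2 RACI chart.
SAMPLE_CHART = {
    "Identify supplier relationships": {
        "CIO": "A",
        "Head of Operations": "R",
        "Compliance": "C",
        "Business Process Owner": "I",
    },
    "Manage supplier risk": {          # two Accountable roles: violates the rule
        "CIO": "A",
        "Head of Operations": "A/R",
        "Compliance": "C",
    },
    "Monitor supplier performance": {  # nobody Responsible for doing the work
        "Head of Operations": "A",
        "Business Process Owner": "I",
    },
}

if __name__ == "__main__":
    for finding in validate_raci(SAMPLE_CHART):
        print(f"{finding.activity}: {finding.problem}")
    for activity, who in communication_paths(SAMPLE_CHART).items():
        print(f"{activity}: consult {who['consulted']}, inform {who['informed']}")
```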
DS2 - RACI chart
Outcome measure, Performance indicator example

• IT Goal: Ensure that IT services can resist and recover from attacks.
   • Outcome measure: Number of actual IT incidents with business impact
• Process Goal (drives the IT goal): Detect and resolve unauthorised access.
   • Outcome measure: Number of actual incidents because of unauthorised access
• The outcome measure of the process goal serves as a performance indicator for the IT goal it drives.
DS2 – Goals and metrics

DS2 – Maturity model – levels 0 through 2

DS2 – Maturity model – levels 3 through 5
More information?

Ben Kalland
ITIL Expert and Cobit Foundation certified consultant
Accredited ITIL trainer

ben.kalland@tieturi.fi

Tieturi Oy, HTC Santa Maria
Tammasaarenkatu 5
00180 HELSINKI
www.tieturi.fi/itil

More Related Content

What's hot

cobit 2019 presentation.pdf
cobit 2019 presentation.pdfcobit 2019 presentation.pdf
cobit 2019 presentation.pdfmohammed539963
 
Governance and Management of Enterprise IT with COBIT 5 Framework
Governance and Management of Enterprise IT with COBIT 5 FrameworkGovernance and Management of Enterprise IT with COBIT 5 Framework
Governance and Management of Enterprise IT with COBIT 5 FrameworkGoutama Bachtiar
 
History of IT Service Management Practices and Standards
History of IT Service Management Practices and StandardsHistory of IT Service Management Practices and Standards
History of IT Service Management Practices and StandardsRob Akershoek
 
COBIT® Presentation Package.ppt
COBIT® Presentation Package.pptCOBIT® Presentation Package.ppt
COBIT® Presentation Package.pptEmmacuet
 
IT General Controls Presentation at IIA Vadodara Audit Club
IT General Controls Presentation at IIA Vadodara Audit ClubIT General Controls Presentation at IIA Vadodara Audit Club
IT General Controls Presentation at IIA Vadodara Audit ClubKaushal Trivedi
 
IT Governance Made Easy
IT Governance Made EasyIT Governance Made Easy
IT Governance Made EasyJerry Bishop
 
IT Governance Framework
IT Governance FrameworkIT Governance Framework
IT Governance FrameworkSherri Booher
 
IT Governance Vs IT Management Presentation V0.1
IT Governance Vs IT Management   Presentation V0.1IT Governance Vs IT Management   Presentation V0.1
IT Governance Vs IT Management Presentation V0.1Richard Willis
 
RDrew ITIL Presentation
RDrew ITIL PresentationRDrew ITIL Presentation
RDrew ITIL PresentationRon Drew
 
COBIT 5.0 Vs ISO / IEC 38500 (IT Governance)
COBIT 5.0 Vs ISO / IEC 38500 (IT Governance)COBIT 5.0 Vs ISO / IEC 38500 (IT Governance)
COBIT 5.0 Vs ISO / IEC 38500 (IT Governance)ISACA Riyadh
 
PECB Webinar: Aligning COBIT 5.0 and ISO/IEC 38500
PECB Webinar: Aligning COBIT 5.0 and ISO/IEC 38500PECB Webinar: Aligning COBIT 5.0 and ISO/IEC 38500
PECB Webinar: Aligning COBIT 5.0 and ISO/IEC 38500PECB
 

What's hot (20)

cobit 2019 presentation.pdf
cobit 2019 presentation.pdfcobit 2019 presentation.pdf
cobit 2019 presentation.pdf
 
IT Governance
IT GovernanceIT Governance
IT Governance
 
CobiT Foundation Free Training
CobiT Foundation Free TrainingCobiT Foundation Free Training
CobiT Foundation Free Training
 
Cobit presentation
Cobit presentationCobit presentation
Cobit presentation
 
SOX- IT Perspective
SOX- IT PerspectiveSOX- IT Perspective
SOX- IT Perspective
 
Governance and Management of Enterprise IT with COBIT 5 Framework
Governance and Management of Enterprise IT with COBIT 5 FrameworkGovernance and Management of Enterprise IT with COBIT 5 Framework
Governance and Management of Enterprise IT with COBIT 5 Framework
 
History of IT Service Management Practices and Standards
History of IT Service Management Practices and StandardsHistory of IT Service Management Practices and Standards
History of IT Service Management Practices and Standards
 
COBIT® Presentation Package.ppt
COBIT® Presentation Package.pptCOBIT® Presentation Package.ppt
COBIT® Presentation Package.ppt
 
COBIT 2019 - DIGITAL TRUST FRAMEWORK
COBIT 2019 - DIGITAL TRUST FRAMEWORKCOBIT 2019 - DIGITAL TRUST FRAMEWORK
COBIT 2019 - DIGITAL TRUST FRAMEWORK
 
IT General Controls Presentation at IIA Vadodara Audit Club
IT General Controls Presentation at IIA Vadodara Audit ClubIT General Controls Presentation at IIA Vadodara Audit Club
IT General Controls Presentation at IIA Vadodara Audit Club
 
IT Governance Made Easy
IT Governance Made EasyIT Governance Made Easy
IT Governance Made Easy
 
IT Governance Framework
IT Governance FrameworkIT Governance Framework
IT Governance Framework
 
IT Governance Vs IT Management Presentation V0.1
IT Governance Vs IT Management   Presentation V0.1IT Governance Vs IT Management   Presentation V0.1
IT Governance Vs IT Management Presentation V0.1
 
Ey segregation of_duties
Ey segregation of_dutiesEy segregation of_duties
Ey segregation of_duties
 
RDrew ITIL Presentation
RDrew ITIL PresentationRDrew ITIL Presentation
RDrew ITIL Presentation
 
Itil,cobit and ıso27001
Itil,cobit and ıso27001Itil,cobit and ıso27001
Itil,cobit and ıso27001
 
Cobit
CobitCobit
Cobit
 
COBIT 5.0 Vs ISO / IEC 38500 (IT Governance)
COBIT 5.0 Vs ISO / IEC 38500 (IT Governance)COBIT 5.0 Vs ISO / IEC 38500 (IT Governance)
COBIT 5.0 Vs ISO / IEC 38500 (IT Governance)
 
COBIT5 Introduction
COBIT5 IntroductionCOBIT5 Introduction
COBIT5 Introduction
 
PECB Webinar: Aligning COBIT 5.0 and ISO/IEC 38500
PECB Webinar: Aligning COBIT 5.0 and ISO/IEC 38500PECB Webinar: Aligning COBIT 5.0 and ISO/IEC 38500
PECB Webinar: Aligning COBIT 5.0 and ISO/IEC 38500
 

Similar to Business is evolving, you should too with COBIT

CobIT presentation
CobIT presentationCobIT presentation
CobIT presentationMarc Vael
 
A Value Centric Approach to Governance Risk & Compliance
A Value Centric Approach to Governance Risk & ComplianceA Value Centric Approach to Governance Risk & Compliance
A Value Centric Approach to Governance Risk & ComplianceInnoTech
 
Strategic governance performance_management_systems
Strategic governance performance_management_systemsStrategic governance performance_management_systems
Strategic governance performance_management_systemsRamsés Gallego
 
Kt Intro Master V7
Kt Intro Master V7Kt Intro Master V7
Kt Intro Master V7TedLemmers
 
SilverStorm "Credibility and Collaboration to achieve excellence in IT Govern...
SilverStorm "Credibility and Collaboration to achieve excellence in IT Govern...SilverStorm "Credibility and Collaboration to achieve excellence in IT Govern...
SilverStorm "Credibility and Collaboration to achieve excellence in IT Govern...SilverStormSolutions
 
Cobi T Top Down Bottom Up
Cobi T Top Down  Bottom UpCobi T Top Down  Bottom Up
Cobi T Top Down Bottom UpDave Kohrell
 
Business Governance Of Enterprise It
Business Governance Of Enterprise ItBusiness Governance Of Enterprise It
Business Governance Of Enterprise Itjponnoly
 
MAKING SENSE OF IT GOVERNANCE
MAKING SENSE OF IT GOVERNANCEMAKING SENSE OF IT GOVERNANCE
MAKING SENSE OF IT GOVERNANCERudy Shoushany
 
Creating A Necessary Dependence - IT Business Alignment
Creating A Necessary Dependence - IT Business AlignmentCreating A Necessary Dependence - IT Business Alignment
Creating A Necessary Dependence - IT Business Alignmentgmwhitfield
 
Oracle Presentation
Oracle PresentationOracle Presentation
Oracle PresentationGalit Fein
 
Leadership Development & Succession Planning Mahra Feb2009
Leadership Development & Succession Planning Mahra Feb2009Leadership Development & Succession Planning Mahra Feb2009
Leadership Development & Succession Planning Mahra Feb2009David Liddell
 
Do You Know Rahat Kazmi, Lets Connect And Collaborate
Do You Know Rahat Kazmi, Lets Connect And CollaborateDo You Know Rahat Kazmi, Lets Connect And Collaborate
Do You Know Rahat Kazmi, Lets Connect And CollaborateRahat Kazmi
 
Capgemini Consulting Business & Information Strategy Overview
Capgemini Consulting Business & Information Strategy OverviewCapgemini Consulting Business & Information Strategy Overview
Capgemini Consulting Business & Information Strategy OverviewRobert Morsch
 
Considerations in Selecting and Protecting Your IT Investment
Considerations in Selecting and Protecting Your IT InvestmentConsiderations in Selecting and Protecting Your IT Investment
Considerations in Selecting and Protecting Your IT InvestmentHelene Heller, PMP
 
Va Field Ops And It Governance
Va Field Ops And It GovernanceVa Field Ops And It Governance
Va Field Ops And It Governancejbreeling
 

Similar to Business is evolving, you should too with COBIT (20)

Cobi t riskmanagementframework_iac
Cobi t riskmanagementframework_iacCobi t riskmanagementframework_iac
Cobi t riskmanagementframework_iac
 
CobIT presentation
CobIT presentationCobIT presentation
CobIT presentation
 
A Value Centric Approach to Governance Risk & Compliance
A Value Centric Approach to Governance Risk & ComplianceA Value Centric Approach to Governance Risk & Compliance
A Value Centric Approach to Governance Risk & Compliance
 
Strategic governance performance_management_systems
Strategic governance performance_management_systemsStrategic governance performance_management_systems
Strategic governance performance_management_systems
 
Kt Intro Master V7
Kt Intro Master V7Kt Intro Master V7
Kt Intro Master V7
 
SilverStorm "Credibility and Collaboration to achieve excellence in IT Govern...
SilverStorm "Credibility and Collaboration to achieve excellence in IT Govern...SilverStorm "Credibility and Collaboration to achieve excellence in IT Govern...
SilverStorm "Credibility and Collaboration to achieve excellence in IT Govern...
 
Cobi T Top Down Bottom Up
Cobi T Top Down  Bottom UpCobi T Top Down  Bottom Up
Cobi T Top Down Bottom Up
 
Business Governance Of Enterprise It
Business Governance Of Enterprise ItBusiness Governance Of Enterprise It
Business Governance Of Enterprise It
 
MAKING SENSE OF IT GOVERNANCE
MAKING SENSE OF IT GOVERNANCEMAKING SENSE OF IT GOVERNANCE
MAKING SENSE OF IT GOVERNANCE
 
Creating A Necessary Dependence - IT Business Alignment
Creating A Necessary Dependence - IT Business AlignmentCreating A Necessary Dependence - IT Business Alignment
Creating A Necessary Dependence - IT Business Alignment
 
Cobit5 and-grc
Cobit5 and-grcCobit5 and-grc
Cobit5 and-grc
 
BPM in Telecoms
BPM in TelecomsBPM in Telecoms
BPM in Telecoms
 
Simplifying IT GRC
Simplifying IT GRCSimplifying IT GRC
Simplifying IT GRC
 
Oracle Presentation
Oracle PresentationOracle Presentation
Oracle Presentation
 
Leadership Development & Succession Planning Mahra Feb2009
Leadership Development & Succession Planning Mahra Feb2009Leadership Development & Succession Planning Mahra Feb2009
Leadership Development & Succession Planning Mahra Feb2009
 
Do You Know Rahat Kazmi, Lets Connect And Collaborate
Do You Know Rahat Kazmi, Lets Connect And CollaborateDo You Know Rahat Kazmi, Lets Connect And Collaborate
Do You Know Rahat Kazmi, Lets Connect And Collaborate
 
Capgemini Consulting Business & Information Strategy Overview
Capgemini Consulting Business & Information Strategy OverviewCapgemini Consulting Business & Information Strategy Overview
Capgemini Consulting Business & Information Strategy Overview
 
Considerations in Selecting and Protecting Your IT Investment
Considerations in Selecting and Protecting Your IT InvestmentConsiderations in Selecting and Protecting Your IT Investment
Considerations in Selecting and Protecting Your IT Investment
 
TAO
TAOTAO
TAO
 
Va Field Ops And It Governance
Va Field Ops And It GovernanceVa Field Ops And It Governance
Va Field Ops And It Governance
 

More from Ben Kalland

ITIL-prosessien kypsyysmittauksesta
ITIL-prosessien kypsyysmittauksestaITIL-prosessien kypsyysmittauksesta
ITIL-prosessien kypsyysmittauksestaBen Kalland
 
ITIL-prosessien kypsyysmittari
ITIL-prosessien kypsyysmittariITIL-prosessien kypsyysmittari
ITIL-prosessien kypsyysmittariBen Kalland
 
What is ISO20000
What is ISO20000What is ISO20000
What is ISO20000Ben Kalland
 
ITIL - mita se on?
ITIL - mita se on?ITIL - mita se on?
ITIL - mita se on?Ben Kalland
 

More from Ben Kalland (7)

Palveluluettelo
PalveluluetteloPalveluluettelo
Palveluluettelo
 
ITIL-prosessien kypsyysmittauksesta
ITIL-prosessien kypsyysmittauksestaITIL-prosessien kypsyysmittauksesta
ITIL-prosessien kypsyysmittauksesta
 
ITIL-prosessien kypsyysmittari
ITIL-prosessien kypsyysmittariITIL-prosessien kypsyysmittari
ITIL-prosessien kypsyysmittari
 
Yhteys2009
Yhteys2009Yhteys2009
Yhteys2009
 
What is ISO20000
What is ISO20000What is ISO20000
What is ISO20000
 
Itil Koulutus
Itil KoulutusItil Koulutus
Itil Koulutus
 
ITIL - mita se on?
ITIL - mita se on?ITIL - mita se on?
ITIL - mita se on?
 

Recently uploaded

DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfIngrid Airi González
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality AssuranceInflectra
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPathCommunity
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch TuesdayIvanti
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Mark Goldstein
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesKari Kakkonen
 
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...panagenda
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationKnoldus Inc.
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI AgeCprime
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Alkin Tezuysal
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsRavi Sanghani
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 

Recently uploaded (20)

DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to Hero
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examples
 
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog Presentation
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI Age
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and Insights
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 

Business is evolving, you should too with COBIT

  • 1. Business is evolving, you should too. What is COBIT? Ben Kalland, Tieturi Helsinki, Tampere, Turku, Tukholma, Göteborg | www.tieturi.fi
  • 3. It may actually work! Because we have: • Experience • Luck • A culture of ‘Quick and Dirty’ But what happens when we need to: • Document • Improve • Find an error • Transfer responsibility = we need governance
  • 4. Why do we need to govern? • Stakeholders expect • Current business is stable and creates value • Responsiveness to changing business models • These contradictory expectations can be achieved with • Governance of enterprise’s IT • Governance responsibilities • Strategy generation • Value Delivery • Risk Management • Performance Measurement 4
  • 5. IT Governance Focus Areas • The five main focus areas of IT Governance, all driven by stakeholder value IC V EG N T DE AL • Two of them are outcomes TE LI UE RA NM VE ST I G RY • Value Delivery AL • Risk Management • Three of them are drivers IT GOVERNANCE PER SUREM ME A T • Strategic Alignment M EN FO R MAN RISK • Resource Management (which AGE MAN NT overlays them all) • Performance Measurement E CE • IT Governance is a continuous RESOURCE life cycle, which can be entered MANAGEMENT at any point IT Governance Institute, 2003 – Board Briefing on IT Governance, 2nd edition, 2006, COBIT 4.1 Executive Overview, 2007 5
6. What do we get from governing?
   • Board and executives have a clear picture of the performance of IT
     • Better investment decisions
     • Trust that IT achieves objectives as directed
   • Clearly assigned roles and responsibilities
     • Help management to execute strategy and encourage desirable behaviour
   • Transparency in governance
     • Improves stakeholder confidence in the responsibility, accountability and competitive position of the enterprise
   • Enable customers to influence services – customer satisfaction
   • Improves employee satisfaction and reduces retention

7. What do we get from governing?
   • Balanced operations
     • IT can respond to the business needs and
     • at the same time maintain and improve the stability and quality of services in a cost-efficient manner
   • Outsourced services can be directed and controlled clearly
     • Enables effective, efficient and adaptable relationships
   • Improved ROI and VOI
     • Effective governance eliminates redundancy, overlap and lack of clarity, helps to reduce failures, optimise costs and increase efficiency
   • Compliance with rules and legislation is achieved and maintained
8. Frameworks, standards and players
   • ITIL (Information Technology Infrastructure Library)
     • A set of guidance, a collection of best practices for IT Service Management – the IT Service Management framework
   • ISO/IEC 20000
     • International standard for IT Service Management
   • TOGAF (Open Group Architecture Framework)
     • A framework for Enterprise Architecture
     • A comprehensive approach to the design, planning, implementation and governance of an enterprise information architecture

9. Frameworks, standards and players
   • CMMI (Capability Maturity Model Integration)
     • A process improvement approach
     • Helps integrate traditionally separate organisational functions
     • Sets process improvement goals and priorities
   • COBIT
     • Provides guidance for quality processes
     • Created by ISACA and the IT Governance Institute, initially in 1996
     • Provides a generally accepted, practical toolset that
       • enables good practice for IT control throughout the organisation
       • highlights the link between business and IT goals
       • emphasises regulatory compliance
     • An authoritative, up-to-date, internationally and generally accepted internal control framework for IT governance

10. Frameworks, standards and players
   • ISO/IEC 27001
     • An information security standard published in 2005
     • Intended to be used in conjunction with ISO/IEC 27002, the Code of Practice for Information Security Management
   • ISO/IEC 27002
     • Based on the British Standard (BS) 7799-1:1999
     • Published in 2005
     • Renumbered ISO/IEC 27002:2005 in July 2007
     • Provides best practice recommendations on information security management for use by those who are responsible for initiating, implementing or maintaining Information Security Management Systems (ISMS)

11. Frameworks, standards and players
   • AS8015
     • An Australian standard for IT Governance, published in 2005
     • Provides principles, a model and vocabulary as a basic framework for implementing effective corporate governance of ICT
   • ISO/IEC 38500 (very closely based on AS8015)
     • Corporate governance of information technology standard
     • Provides guiding principles for directors of organisations (including owners, board members, directors, partners, senior executives, or similar) on the effective, efficient and acceptable use of Information Technology (IT) within their organisations
12. Why COBIT?
   • COBIT is used in many companies to provide a framework for governance and implementation of internal controls
   • COBIT includes the essential business and IT process controls and objectives needed to achieve corporate objectives
   • COBIT is written at the management level and driven by business requirements
   • COBIT is aligned with other IT practices and standards but is more complete than others
   • COBIT is generally accepted as the internal IT control framework

13. COBIT
   • Control Objectives for Information and related Technology
   • COBIT supports IT governance by providing a framework to ensure that
     • IT is aligned with the business
     • IT enables the business and maximises benefits
     • IT resources are used responsibly
     • IT risks are managed appropriately
   • Designed to support
     • Executive and management boards
     • Business and IT management
     • Governance, assurance, control and security professionals

14. COBIT mission
   • To research, develop, publicise and promote an authoritative, up-to-date, internationally accepted IT governance control framework for adoption by enterprises and day-to-day use by business managers, IT professionals and assurance professionals.

15. COBIT fits in
   • Business-focused
     • Business goals and IT goals, COBIT’s information criteria, COBIT’s IT resources
   • Process-oriented
     • Domains: Plan and Organise (PO), Acquire and Implement (AI), Deliver and Support (DS), Monitor and Evaluate (ME)
   • Controls-based
     • Process controls, business and IT controls, IT general controls and application controls
   • Measurement-driven
     • Maturity models
16. COBIT is business-focused
   [Diagram, a cycle: business requirements drive the investments in IT resources, which are used by IT processes to deliver enterprise information, which in turn responds to the business requirements]

17. COBIT is process-oriented
   • Plan and Organise
     • Provides direction to solution delivery (AI) and service delivery (DS)
   • Acquire and Implement
     • Provides the solutions and passes them to be turned into services
   • Deliver and Support
     • Receives the solutions and makes them usable for end users
   • Monitor and Evaluate
     • Monitors all processes to ensure that the direction provided is followed
   [Diagram: Plan and Organise above Acquire and Implement and Deliver and Support, with Monitor and Evaluate below]
18. COBIT is controls-based
   • COBIT defines
     • Control objectives for all 34 processes
     • Overarching process and application controls
   • Control objectives
     • Give reasonable assurance that business objectives will be achieved and undesired events will be prevented or detected and corrected
     • Consist of the policies, procedures, practices and organisational structures
     • Statements of managerial actions to increase value or reduce risk
   • Some controls apply to all processes
     • Six overarching process controls
     • Six overarching application controls

19. COBIT is measurement-driven
   • COBIT maturity levels
     • Profiles of IT processes
     • Not a threshold model
   • Process maturity
     • A process may be mainly at level 3
     • However, some parts can be at lower levels
     • And some even at the highest level of 5 (Optimised)
   • It is misleading to say that the process is not defined if part of it is not complete
20. History of COBIT
   • A framework and a knowledge base for managing IT
   • Created by ISACA and the IT Governance Institute in 1994
   • The former name of the IT Governance Institute was the Information Systems Audit and Control Foundation (ISACF) – renamed in 2003
   • COBIT was transferred to the IT Governance Institute in 1999
   [Diagram, the focus of each edition: COBIT 1 – Audit; COBIT 2 – Control; COBIT 3 – Management; COBIT 4 and 4.1 – Governance]

21. COBIT 4.1
   • A single publication consisting of four sections
     • Executive Overview
     • The COBIT framework
     • The core content
       • Framework processes
       • Control Objectives
       • Management Guidelines
       • Maturity Models
     • Appendixes I through VIII
       • I – Tables linking goals and processes
       • II – Mapping IT processes to IT Governance focus areas, COSO, COBIT IT resources and COBIT information criteria
       • V – Cross-references between COBIT 3rd Edition and COBIT 4.1

22. COBIT 4.1 – the core content
   • Framework
     • Organises IT Governance objectives and good practices by IT domains and processes, and links them to business requirements
   • Control Objectives
     • Provide a complete set of high-level requirements to be considered by management for effective control of each process
   • Management Guidelines / Maturity Models
     • Help assign responsibility, measure performance, and benchmark and address gaps in capability
23. Interrelationships of COBIT components
   [Diagram: the COBIT components (among them business requirements and information) joined by the relationships “derived from”, “broken down into”, “controlled by”, “audited by”, “implemented with”, “measured by”, “based on”, “for outcome” and “for performance”; the layout is not reproducible in text]
   Source: IT Governance Institute – COBIT 4.1 Executive Overview, 2007

24. The COBIT Cube
   [Diagram: the three dimensions of the cube]
   • Business Requirements – the information criteria: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability
   • IT Resources: Applications, Information, Infrastructure, People
   • IT Processes: Domains, Processes, Activities
   Source: IT Governance Institute, COBIT 4.1

25. Basic principle of the COBIT Framework
   [Diagram: Business Requirements lead to Information Criteria and IT Goals; IT Resources are managed by IT Processes (Domains, Processes, Activities) to achieve IT Goals that respond to the Business Requirements]
26. Plan and Organise domain – processes
   • PO1 Define a Strategic IT Plan
   • PO2 Define the Information Architecture
   • PO3 Determine Technological Direction
   • PO4 Define the IT Processes, Organisation and Relationships
   • PO5 Manage the IT Investment
   • PO6 Communicate Management Aims and Direction
   • PO7 Manage IT Human Resources
   • PO8 Manage Quality
   • PO9 Assess and Manage IT Risks
   • PO10 Manage Projects

27. Acquire and Implement domain – processes
   • AI1 Identify Automated Solutions
   • AI2 Acquire and Maintain Application Software
   • AI3 Acquire and Maintain Technology Infrastructure
   • AI4 Enable Operation and Use
   • AI5 Procure IT Resources
   • AI6 Manage Changes
   • AI7 Install and Accredit Solutions and Changes

28. Deliver and Support domain – processes
   • DS1 Define and Manage Service Levels
   • DS2 Manage Third-party Services
   • DS3 Manage Performance and Capacity
   • DS4 Ensure Continuous Service
   • DS5 Ensure Systems Security
   • DS6 Identify and Allocate Costs
   • DS7 Educate and Train Users
   • DS8 Manage Service Desk and Incidents
   • DS9 Manage the Configuration
   • DS10 Manage Problems
   • DS11 Manage Data
   • DS12 Manage the Physical Environment
   • DS13 Manage Operations

29. Monitor and Evaluate domain – processes
   • ME1 Monitor and Evaluate IT Performance
   • ME2 Monitor and Evaluate Internal Control
   • ME3 Ensure Compliance With External Requirements
   • ME4 Provide IT Governance
30. Process Controls
   • COBIT defines control objectives for all 34 processes
   • Each of the COBIT processes has
     • A high-level control objective – the process description
     • A number of detailed control objectives
     • As a whole, they are the characteristics of a well-managed process
   • COBIT also defines overarching process controls
     • That apply to all processes
     • And should be considered together with the process control objectives to have a complete view of control requirements

31. Process Controls
   • The detailed control objectives are identified by a two-character domain reference (PO, AI, DS, ME) plus a process number and a control objective number
   • E.g., PO10 Manage Projects has 14 detailed control objectives
     • From PO10.1 to PO10.14
   • Whereas DS2 Manage Third-party Services has four
     • From DS2.1 to DS2.4
   • The overarching process controls are numbered
     • From PC1 to PC6

32. COBIT Maturity model
   • Similar to CMM
     • Interpreted for the nature of COBIT’s IT management processes
   • A generic maturity scale
     • A specific model generated for each COBIT IT process
   • Not a threshold model
     • Designed as profiles of IT processes
     • Possible current and future states
   • Using the maturity models, management can identify
     • The actual performance of the enterprise – where the enterprise is today
     • The current status of the industry – the comparison
     • The enterprise’s target for improvement – where the enterprise wants to be
     • The required growth path between as-is and to-be
34. COBIT Maturity Model
   • Generic Maturity Model
     • 0 – (Non-existent) management processes are not applied at all
     • 1 – (Initial/Ad Hoc) processes are ad hoc and disorganised
     • 2 – (Repeatable but intuitive) processes follow a regular pattern
     • 3 – (Defined Process) processes are documented and communicated
     • 4 – (Managed and Measurable) processes are monitored and measured
     • 5 – (Optimised) good practices are followed and automated
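The reference scheme of slide 31 (domain code plus process and objective number) and the non-threshold maturity profile of slides 19, 32 and 34, worked through as an added example that is not part of the deck: the process counts and the generic maturity scale come from the slides, while the DS2 assessment values are constructed sample data.

```python
"""Added example (not from the slides): parse COBIT 4.1 references such as
PO10.14 or DS2.3 and build a non-threshold maturity profile for one process."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Optional

# Processes per domain as listed on the slides (10 + 7 + 13 + 4 = 34).
PROCESS_COUNT = {"PO": 10, "AI": 7, "DS": 13, "ME": 4}
# Generic maturity scale from the slides.
MATURITY = {0: "Non-existent", 1: "Initial/Ad Hoc", 2: "Repeatable but intuitive",
            3: "Defined Process", 4: "Managed and Measurable", 5: "Optimised"}
REF_RE = re.compile(r"^(PO|AI|DS|ME)(\d{1,2})(?:\.(\d{1,2}))?$")


@dataclass(frozen=True)
class CobitRef:
    domain: str
    process: int
    objective: Optional[int]  # None: the process itself (its high-level objective)


def parse_ref(text: str) -> CobitRef:
    """'DS2.4' -> CobitRef('DS', 2, 4). Rejects unknown domains (e.g. the PC1..PC6
    overarching controls), out-of-range process numbers and objective number 0."""
    m = REF_RE.match(text.strip().upper())
    if not m:
        raise ValueError(f"not a COBIT process reference: {text!r}")
    domain, process = m.group(1), int(m.group(2))
    objective = None if m.group(3) is None else int(m.group(3))
    if not 1 <= process <= PROCESS_COUNT[domain]:
        raise ValueError(f"{domain} has processes 1..{PROCESS_COUNT[domain]}, got {process}")
    if objective is not None and objective < 1:
        raise ValueError("detailed control objectives are numbered from 1")
    return CobitRef(domain, process, objective)


def maturity_profile(assessments: Dict[str, int]) -> dict:
    """Summarise per-objective maturity levels of ONE process as a profile.
    The model is not a threshold model: the predominant level characterises the
    process; the weakest objective (a threshold reading) is kept for comparison."""
    refs = [parse_ref(r) for r in assessments]
    processes = {(r.domain, r.process) for r in refs}
    if len(processes) != 1 or any(r.objective is None for r in refs):
        raise ValueError("assessments must be detailed objectives of a single process")
    levels = list(assessments.values())
    if any(level not in MATURITY for level in levels):
        raise ValueError("maturity levels must be 0..5")
    counts = Counter(levels)
    predominant = max(counts, key=lambda lv: (counts[lv], lv))  # tie -> higher level
    domain, process = processes.pop()
    return {"process": f"{domain}{process}",
            "distribution": {lv: counts.get(lv, 0) / len(levels) for lv in MATURITY},
            "predominant": predominant, "predominant_name": MATURITY[predominant],
            "threshold_level": min(levels)}


# Constructed sample: the four DS2 detailed objectives, each assessed separately.
SAMPLE_DS2 = {"DS2.1": 3, "DS2.2": 3, "DS2.3": 2, "DS2.4": 5}
```

For the sample, the profile reports DS2 as predominantly level 3 with a quarter of its objectives at level 2 and a quarter at level 5, whereas a threshold reading would call the whole process level 2.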
35. Goal relationship example
   • Business Goal: Maintain enterprise reputation and leadership.
   • IT Goal: Ensure that IT services can resist and recover from attacks.
   • Process Goal: Detect and resolve unauthorised access.
   • Activity Goal: Understand security requirements, vulnerabilities and threats.
   [Diagram: each goal cascades down to the next]

36. Outcome measure, performance indicator example
   • IT Goal: Ensure that IT services can resist and recover from attacks.
     • Outcome measure: number of actual incidents with business impact
   • Process Goal: Detect and resolve unauthorised access.
     • Outcome measure: number of actual IT incidents because of unauthorised access
   [Diagram: the process goal drives the IT goal; the outcome measure of the lower goal is the performance indicator of the goal it drives]

37. COBIT Framework
   [Diagram of the framework; its elements are:]
   • Business Requirements – the information criteria, grouped as Quality, Security and Fiduciary: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability
   • IT Goals, which respond to the business requirements
   • Domains: Plan and Organise (PO), Acquire and Implement (AI), Deliver and Support (DS), Monitor and Evaluate (ME)
   • IT Resources, managed by the IT processes: Applications, Information, Infrastructure, People
   • Processes: high-level and detailed control objectives, process goals, maturity models, outcome measures
   • Activities: activity goals, performance indicators
38. COBIT Core Components
   • Each COBIT IT process has
     • Section one – Process Description
       • Process description
       • Summary of the objectives – presented in a waterfall
       • Mapping of the process to information criteria, IT resources and IT governance focus areas
     • Section two – Control Objectives
       • Detailed control objectives for this process
     • Section three – Management Guideline
       • Process inputs and outputs, RACI chart, goals and metrics
     • Section four – Maturity Model
       • Maturity model for this process

40. COBIT Framework Navigation
   [Figure: the layout of one COBIT process page; IT Governance Institute, COBIT 4.1]

41. Example: DS2
   • The following slides are an example of the content of COBIT
   • Process: DS2 Manage Third-party Services

42. DS2 Mapping to Information Criteria
   [Figure, with the labels: summary of the objectives in a waterfall; mapping to IT governance focus areas; mapping to IT resources. IT Governance Institute, COBIT 4.1]
43. DS2 – Process Description
   DS2 Manage Third-party Services
   The need to assure that services provided by third parties (suppliers, vendors and partners) meet business requirements requires an effective third-party management process. This process is accomplished by clearly defining the roles, responsibilities and expectations in third-party agreements as well as reviewing and monitoring such agreements for effectiveness and compliance. Effective management of third-party services minimises the business risk associated with non-performing suppliers.

44. DS2 Manage Third-party Services
   • DS2 mappings to
     • Information criteria
     • IT resources
     • IT Governance focus areas
   • P – primary relationship
   • S – secondary relationship

46. Control Objectives
   • Control objectives
     • Give reasonable assurance that business objectives will be achieved and undesired events will be prevented or detected and corrected
     • Consist of the policies, procedures, practices and organisational structures
     • Statements of managerial actions to increase value or reduce risk
   • Each of the COBIT processes has
     • A high-level control objective – the process description
     • A number of detailed control objectives
     • As a whole, they are the characteristics of a well-managed process

47. DS2 – Control Objectives
   [Figure: IT Governance Institute, COBIT 4.1]
48. COBIT Control Practices
   • Provide guidance on why controls are worth implementing
     • Why – value drivers and risk drivers
     • And how to implement them
   • Help to justify and design the specific controls needed to improve IT Governance
     • How, why and what to implement for each control objective
       • to improve IT performance
       • to address IT solution and service delivery risks
   • Not included in COBIT 4.1
     • A separate publication

49. DS2 – Management Guidelines
   [Figure, with the labels: process inputs, process outputs, RACI chart, goals and metrics]

50. Management Guidelines
   • Process inputs
     • What the process owner needs from others
     • Inputs also come from sources other than COBIT
   • Process outputs
     • What the process owner has to deliver
   • RACI chart
     • What has to be delegated and to whom
   • Goals and metrics
     • How the process should be measured

51. DS2 – Process inputs and outputs
   [Figure: the processes DS2 exchanges inputs and outputs with, as labelled: PO1 Define a strategic IT plan, PO8 Manage quality, AI5 Procure IT resources, DS1 Define and manage service levels, DS4 Ensure continuous service, ME1 Monitor and evaluate IT performance, AI5 Procure IT resources, PO9 Assess and manage IT risks]
52. RACI chart
   • Responsible
     • The person or people responsible for getting the job done
     • Correct execution of the process and the activities
     • Potential OLA opportunities
   • Accountable
     • Only one person can be accountable for each task
     • Ownership of quality and of the end result of the process
   • Consulted
     • The people who are consulted and whose opinions are sought
     • Involvement through input of knowledge and information
   • Informed
     • The people who are kept up-to-date on progress
     • Receiving information about process execution and quality
   • Helps to expose communication and workflow paths
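The two checks a reviewer applies to a chart like the one on the next slide, as an added example that is not from the deck: each activity must have exactly one Accountable role and someone Responsible, and the C and I entries spell out the communication paths. The roles and activities in the sample chart are constructed and are not COBIT's own RACI for DS2.

```python
"""Added example (not from the slides): validate a RACI chart against the rules
on slide 52 and list the communication paths it exposes."""
from typing import Dict, List

VALID_LETTERS = {"R", "A", "C", "I"}
Chart = Dict[str, Dict[str, str]]  # activity -> {role: letter}

# Constructed sample loosely modelled on DS2; roles and activities are
# illustrative, not the chart from COBIT 4.1.
SAMPLE_CHART: Chart = {
    "Identify supplier relationships": {"CIO": "A", "Head of Operations": "R",
                                        "Compliance": "C", "Business Executive": "I"},
    "Monitor supplier performance": {"CIO": "I", "Head of Operations": "R",
                                     "Compliance": "C"},  # nobody is Accountable
    "Assess supplier risk": {"CIO": "A", "Head of Operations": "A",
                             "Compliance": "R", "Audit": "X"},  # two A, bad letter
}


def raci_violations(chart: Chart) -> Dict[str, List[str]]:
    """Return {activity: [problems]} for every activity that breaks the RACI rules."""
    problems: Dict[str, List[str]] = {}
    for activity, roles in chart.items():
        issues = []
        bad = sorted(role for role, letter in roles.items() if letter not in VALID_LETTERS)
        if bad:
            issues.append("unknown letter for: " + ", ".join(bad))
        accountable = sorted(role for role, letter in roles.items() if letter == "A")
        if not accountable:
            issues.append("no Accountable role")
        elif len(accountable) > 1:  # the slide: only one person can be accountable
            issues.append("more than one Accountable role: " + ", ".join(accountable))
        if not any(letter == "R" for letter in roles.values()):
            issues.append("no Responsible role")
        if issues:
            problems[activity] = issues
    return problems


def communication_paths(chart: Chart) -> Dict[str, Dict[str, List[str]]]:
    """For each activity: who does the work, who they must consult, who to keep informed."""
    return {activity: {"responsible": sorted(r for r, l in roles.items() if l == "R"),
                       "consult": sorted(r for r, l in roles.items() if l == "C"),
                       "inform": sorted(r for r, l in roles.items() if l == "I")}
            for activity, roles in chart.items()}
```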
53. DS2 – RACI chart
   [Figure]
55. DS2 – Goals and metrics
   [Figure]

56. DS2 – Maturity model – levels 0 through 2
   [Figure]

57. DS2 – Maturity model – levels 3 through 5
   [Figure]

58. More information?
   Ben Kalland
   ITIL Expert and COBIT Foundation certified consultant
   Accredited ITIL trainer
   ben.kalland@tieturi.fi
   Tieturi Oy, HTC Santa Maria
   Tammasaarenkatu 5
   00180 HELSINKI
   www.tieturi.fi/itil