8. @CarlosChalicoT
#ISACA_ITG
WhatĀ“s in this for you?
By the end of this session you will:
• Understand the concept of governance and IT governance, and how IT governance differs from IT management
• Know the advantages of defining an effective IT Governance model
• Know some frameworks available to define IT Governance (COBIT, ISO 38500)
12. From Wikipedia
Governance is the act of governing. It relates to decisions that define expectations, grant power, or verify performance. It consists of either a separate process or part of decision-making or leadership processes. In modern nation-states, these processes and systems are typically administered by a government.
14. From OECD
Corporate governance is one key element in improving economic efficiency and growth as well as enhancing investor confidence. Corporate governance involves a set of relationships between a company's management, its board, its shareholders and other stakeholders. Corporate governance also provides the structure through which the objectives of the company are set, and the means of attaining those objectives and monitoring performance are determined.
http://www.oecd.org/corporate/ca/corporategovernanceprinciples/31557724.pdf
24. So, what does this mean?
Harvard Business Review (HBR):
CTO: http://blogs.hbr.org/2013/08/todays-cto-needs-to-become/
CIO: http://blogs.hbr.org/cs/2013/07/todays_cio_needs_to_be_the_chi.html
29. So, what does this mean?
In essence, the governance of IT is the theory that enables an organisation's principal decision makers to make better decisions around IT and, at the same time, provides guidance for IT managers who are tasked with IT operations and the design, development and implementation of IT solutions.
30. So, what does this mean?
• Governance ensures that enterprise objectives are achieved by evaluating stakeholder needs, conditions and options; setting direction through prioritisation and decision making; and monitoring performance, compliance and progress against agreed-on direction and objectives.
• Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives.
31. So, what does this mean?
The action of the board or governing body to direct IT activities and to build a decision-making model, combined with the action of the IT management teams to develop supporting systems, processes and procedures, results in the development of an IT governance framework.
Diagram labels: What to do (the governing body's direction); How to do it (IT management's supporting systems, processes and procedures).
32. Why IT Governance?
• "Due diligence"
• IT is critical to the business (and pervasive)
• IT is strategic to the business
• Expectations and reality don't match
• IT hasn't gotten the attention it deserves (yet)
• IT may involve huge investments and large risks
52. What is ISO?
• International Organization for Standardization
• World's largest developer of voluntary standards
• Founded in 1947
• 19,500 standards released
• Members from 164 countries
• Headquartered in Geneva, Switzerland
Photo caption: The Boys. 65 delegates from 25 countries. London, 1946.
http://www.iso.org
53. What is a Standard?
"A document that provides requirements, specifications, guidelines or characteristics that can be used consistently to ensure that materials, products, processes and services are fit for their purpose.
ISO standards can be purchased from the ISO store or from our members"
Photo caption: Office in La Voie Creuse, Geneva, Switzerland, 2007.
http://www.iso.org
54. What are the benefits?
"ISO International Standards ensure that products and services are safe, reliable and of good quality. For business, they are strategic tools that reduce costs by minimizing waste and errors, and increasing productivity. They help companies to access new markets, level the playing field for developing countries and facilitate free and fair global trade"
http://www.iso.org
55. ISO/IEC 38500:2008
• Provides guiding principles for directors of organizations (owners, board members, partners, senior executives) on the effective, efficient, and acceptable use of IT within their organizations
• Applies to the governance of management processes (and decisions) relating to the information and communication services used by an organization. These processes could be controlled by IT specialists within the organization, external service providers, or business units within the organization.
• It also provides guidance to those advising, informing, or assisting directors (this includes IT auditors)
http://www.iso.org
56. ISO/IEC 38500:2008
• Based on Australian Standard AS 8015-2005
• Submitted for Fast Track ISO adoption
• Alison Holt
  • New Zealand
  • Longitude 174
  • Co-chaired ISO's working group for IT Governance Framework standards
http://www.ramin.com.au/itgovernance/as8015.html
61. IT potential problems
• Different areas of the organisation have different relationships with different IT vendors
• IT systems evolve independently with no united direction or strategy
• IT systems under/over-perform
• IT managers don't understand the operation
• Operational managers don't understand IT
• No sense of ownership of data, infrastructure and processes
• Users are frustrated because, apparently, they do not have enough resources
• Nobody thinks of or wants the CIO, except when there is a problem.
68. Responsibility
• The CIO that was not respected, even with an ISSP communicated and authorized
• The "Perfect" Operational Director
• The "jumping" requirements
• The eternal "Yes" CIO
• The 24x7x52xFOREVER HR requirement
72. Acquisition
• IT acquisitions are made for valid reasons
• Appropriate analysis is made to support purchasing decisions
• There is a balance among benefits, opportunities, costs and risks in the short and long term
73. Acquisition
• Some suggestions:
  • Understand required benefits
  • Informal chats with vendors
  • Define a formal purchasing process
  • Visit other organisations that are doing what you want to do
  • Understand the "do nothing" option
  • Check out references
75. Performance
• IT fits the requirements to support the organisation
• IT provides services, levels of service and service quality required to meet the organisation's current and future requirements
78. Conformance
• How easy has it been for your company to configure the systems to comply with laws and regulations?
(Diagram: compliance on IT systems shown across a sequence of processes and changes)
80. Human Behaviour
• Have you defined policies to make clear how you want your IT systems to be used?
• How are you balancing personal vs. professional use of the corporate IT resources?
• Is your management team setting the tone?
• How are you connecting with customers, providers, authority?
85. Implementing ISO 38500
(Diagram, flattened: phases and activities of an ISO 38500 implementation)
Phases labelled in the diagram (no sequence is recoverable from the text):
• Implementation
• Design and Definition
• Current State Assessment
• Continuous Improvement
• Auditing
• Operation
• Monitoring
Activities labelled in the diagram: communication and awareness; IT controls; policies and procedures; plan development; business processes improvements; third parties considerations; extended IT governance; IT processes improvements; problems identification; training and testing; adjustments; monitoring controls; reporting; audit guidelines; responsibility assignment.
88. How has COBIT dealt with IT Governance?
• Governance ensures that enterprise objectives are achieved by evaluating stakeholder needs, conditions and options; setting direction through prioritisation and decision making; and monitoring performance, compliance and progress against agreed-on direction and objectives (EDM)
• Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives (PBRM)
89. How has COBIT dealt with IT Governance?
COBIT 5 brings together the five principles that allow the enterprise to build an effective governance and management framework based on a holistic set of seven enablers that optimises information and technology investment and use for the benefit of stakeholders.
93. Meeting Stakeholder Needs
• Enterprises have many stakeholders, and "creating value" means different, and sometimes conflicting, things to each of them.
• Governance is about negotiating and deciding amongst different stakeholders' value interests.
• The governance system should consider all stakeholders when making benefit, resource and risk assessment decisions.
• For each decision, the following can and should be asked:
  • Who receives the benefits?
  • Who bears the risk?
  • What resources are required?
95. Meeting Stakeholder Needs
• Benefits of the COBIT 5 goals cascade:
  • It allows the definition of priorities for implementation, improvement and assurance of enterprise governance of IT based on (strategic) objectives of the enterprise and the related risk.
• In practice, the goals cascade:
  • Defines relevant and tangible goals and objectives at various levels of responsibility.
  • Filters the knowledge base of COBIT 5, based on enterprise goals, to extract relevant guidance for inclusion in specific implementation, improvement or assurance projects.
  • Clearly identifies and communicates how (sometimes very operational) enablers are important to achieve enterprise goals.
96. Covering the enterprise end-to-end
• COBIT 5 addresses the governance and management of information and related technology from an enterprise-wide, end-to-end perspective.
• This means that COBIT 5:
  • Integrates governance of enterprise IT into enterprise governance, i.e., the governance system for enterprise IT proposed by COBIT 5 integrates seamlessly in any governance system because COBIT 5 aligns with the latest views on governance.
  • Covers all functions and processes within the enterprise; COBIT 5 does not focus only on the "IT function", but treats information and related technologies as assets that need to be dealt with just like any other asset by everyone in the enterprise.
98. Applying a single integrated framework
• COBIT 5 aligns with the latest relevant other standards and frameworks used by enterprises:
  • Enterprise: COSO, COSO ERM, ISO/IEC 9000, ISO/IEC 31000
  • IT-related: ISO/IEC 38500, ITIL, ISO/IEC 27000 series, TOGAF, PMBOK/PRINCE2, CMMI
• This allows the enterprise to use COBIT 5 as the overarching governance and management framework integrator.
• ISACA plans a capability to facilitate COBIT user mapping of practices and activities to third-party references.
99. Enabling a holistic approach
• COBIT 5 enablers are:
  • Factors that, individually and collectively, influence whether something will work; in the case of COBIT, governance and management over enterprise IT
  • Driven by the goals cascade, i.e., higher-level IT-related goals define what the different enablers should achieve
  • Described by the COBIT 5 framework in seven categories
101. Enabling a holistic approach
• Processes: describe an organised set of practices and activities to achieve certain objectives and produce a set of outputs in support of achieving overall IT-related goals
• Organizational structures: are the key decision-making entities in an organization
• Culture, ethics and behavior: of individuals and of the organization; very often underestimated as a success factor in governance and management activities
102. Enabling a holistic approach
• Principles, policies and frameworks: are the vehicles to translate the desired behaviour into practical guidance for day-to-day management
• Information: is pervasive throughout any organisation, i.e., deals with all information produced and used by the enterprise. Information is required for keeping the organisation running and well governed, but at the operational level, information is very often the key product of the enterprise itself.
103. Enabling a holistic approach
• Services, infrastructure and applications: include the infrastructure, technology and applications that provide the enterprise with information technology processing and services
• People, skills and competencies: are linked to people and are required for successful completion of all activities and for making correct decisions and taking corrective actions
104. Enabling a holistic approach
• Systemic governance and management through interconnected enablers: to achieve the main objectives of the enterprise, it must always consider an interconnected set of enablers, i.e., each enabler:
  • Needs the input of other enablers to be fully effective, e.g., processes need information, organisational structures need skills and behaviour
  • Delivers output to the benefit of other enablers, e.g., processes deliver information, skills and behaviour make processes efficient
• This is a KEY principle emerging from the ISACA development work around the Business Model for Information Security (BMIS).
106. Separating Governance from Management
• The COBIT 5 framework makes a clear distinction between governance and management.
• These two disciplines:
  • Encompass different types of activities
  • Require different organisational structures
  • Serve different purposes
• Governance: in most enterprises, governance is the responsibility of the board of directors under the leadership of the chairperson.
• Management: in most enterprises, management is the responsibility of the executive management under the leadership of the CEO.
107. Separating Governance from Management
• Governance ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritisation and decision making; and monitoring performance and compliance against agreed-on direction and objectives (EDM).
• Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives (PBRM).
109. Separating Governance from Management
• The COBIT 5 framework describes seven categories of enablers (Principle 4). Processes are one category.
• An enterprise can organise its processes as it sees fit, as long as all necessary governance and management objectives are covered. Smaller enterprises may have fewer processes; larger and more complex enterprises may have many processes, all to cover the same objectives.
• COBIT 5 includes a process reference model (PRM), which defines and describes in detail a number of governance and management processes. The details of this specific enabler model can be found in the COBIT 5: Enabling Processes volume.
114. Implementing GEIT with COBIT
• The improvement of the governance of enterprise IT (GEIT) is widely recognized by top management as an essential part of enterprise governance
• Information and the pervasiveness of IT are increasingly part of every aspect of business and public life
• The need to drive more value from IT investments and manage an increasing array of IT-related risk has never been greater
• Increasing regulation and legislation over business use of information is also driving heightened awareness of the importance of a well-governed and managed IT environment
115. Implementing GEIT with COBIT
• ISACA has developed the COBIT 5 framework to help enterprises implement sound governance enablers. Indeed, implementing good GEIT is almost impossible without engaging an effective governance framework. Best practices and standards are also available to underpin COBIT 5
• Frameworks, best practices and standards are useful only if they are adopted and adapted effectively. There are challenges that need to be overcome and issues that need to be addressed if GEIT is to be implemented successfully.
• COBIT 5: Implementation provides guidance on how to do this
116. Implementing GEIT with COBIT
• COBIT 5: Implementation covers the following subjects:
  • Positioning GEIT within an enterprise
  • Taking the first steps towards improving GEIT
  • Implementation challenges and success factors
  • Enabling GEIT-related organisational and behavioural change
  • Implementing continual improvement that includes change enablement and programme management
  • Using COBIT 5 and its components
118. The Value of CGEIT
CGEIT recognizes a wide range of professionals for their knowledge and application of enterprise IT governance principles and practices. As a CGEIT certified professional, you demonstrate that you are capable of bringing IT governance into an organization, that you grasp the complex subject holistically, and therefore, enhance value to the enterprise.
http://www.isaca.org/Certification/CGEIT-Certified-in-the-Governance-of-enterprise-it/Pages/default.aspx
122. Top 10 GRC challenges
1. Management complexity of risk and compliance programs
2. Organisational alignment of risk and compliance metrics and control across functional domains
3. Managing regulatory complexity to reduce the cost of compliance
4. Privacy and intellectual property protection
5. Cybersecurity risks
6. BYOD and mobile strategy
7. Supply/value chain risk
8. Building out infrastructure to enable situational awareness and predictive analytics
9. Aligning operational security with risk and compliance programs
10. Aligning business continuity and availability with risk management
125. Conclusions
• The world is changing and IT departments need to adapt to that
• Governance of Enterprise IT is mandatory; complexity in compliance, value requirements, and innovation and transformation needs all support its implementation
• Effective governance requires a committed organisation
• ISO 38500 and COBIT 5 can be the frameworks for implementing this