This courseware was designed for the training entitled 'Governance and Management of Enterprise IT with COBIT 5 Framework', with the objective of understanding the COBIT 5 framework and of achieving IT governance effectiveness using that framework.
Governance and Management of Enterprise IT with COBIT 5 Framework
1. March 2014 Governance and Management of Enterprise IT with COBIT 5
Governance and Management of Enterprise IT with COBIT 5 Framework
Goutama Bachtiar
IT Advisor, Auditor and Consultant
v2.2 as of March 2014

Profile of Training Lead
Advisor at six companies.
ISACA International Chapter Subject Matter Expert.
ISACA International Chapter Journal Reviewer.
ISACA International Chapter Certification Exam and QAE Developer.
Reviewer Panel at two international journals.
Has audited and consulted for 30+ companies.
Has written 300+ manuscripts, articles and pieces in the IT space.

Importance of Information
Information is a key resource for all enterprises.
Information is created, used, retained, disclosed and destroyed.
Technology plays a key role in these actions.
Technology is becoming pervasive in all aspects of business and personal life.
What benefits do information and technology bring to enterprises?

Why Does IT Need a Control Framework?
Any of these conditions sound familiar?
Increasing pressure to leverage technology in business strategies
Growing complexity of IT environments
Fragmented IT infrastructures
Communication gap between business and IT managers
IT service levels that are disappointing, both from internal IT functions and from increasingly outsourced IT providers
IT costs perceived to be out of control
Marginal ROI/productivity gains on technology investments
Impaired organizational flexibility and nimbleness to change

Why Does IT Need a Control Framework? (cont'd)
Increasing dependence on information and on the systems delivering this information
Increasing vulnerabilities and a wide spectrum of threats
Scale and cost of current and future investments in information and information systems
Need to comply with regulations
Potential for technologies to dramatically change organizations and business practices, create new opportunities and reduce costs
Recognition by many organizations of the potential benefits technology can yield
Successful organizations understand and manage the risks associated with implementing new technologies.

Why Does IT Need a Control Framework? (cont'd)
Management needs to get IT under control, to ensure that:
IT provides value: cost, time and functionality are as expected
IT does not provide surprises: risks are mitigated
IT pushes the envelope: new opportunities and innovations for processes, products and services

Who Needs a Control Framework?
Board and Executive
• To ensure management follows and implements the strategic direction for IT
Management
• To make IT investment decisions
• To balance risk and control investment
• To benchmark the existing and future IT environment

Who Needs a Control Framework? (cont'd)
Users
• To obtain assurance on the security and control of products and services they acquire internally or externally
Auditors
• To substantiate opinions to management on internal controls
• To advise on what minimum controls are necessary

Why and How Is COBIT Used?
Increases acceptance and reduces the time needed to implement IT governance
A guide for formal audits and reviews
Use the results of audits to plan improvements
Achieves the primary goals of IT governance: transforming organizational practices and pursuing improved processes
A credible source for management's decisions on controls
Helps IT operations managers understand what auditors want
Lets the business communicate its requirements and concerns
A reference to ensure identification of all major risk areas
Improves communications and relations with IT management

Why and How Is COBIT Used? (cont'd)
To improve audit approaches/programmes
To support audit work with detailed audit guidelines
To provide guidance for IT governance
As a valuable benchmark for IS/IT control
To improve IS/IT controls
To standardise audit approaches/programmes

Enterprise Benefits
Enterprises and their executives strive to:
Maintain quality information to support business decisions.
Generate business value from IT-enabled investments, i.e., achieve strategic goals and realise business benefits through effective and innovative use of IT.
Achieve operational excellence through reliable and efficient application of technology.
Maintain IT-related risk at an acceptable level.
Optimise the cost of IT services and technology.
How can these benefits be realized to create enterprise stakeholder value?

Stakeholder Value
Delivering enterprise stakeholder value requires good governance and management of information and technology (IT) assets.
Enterprise boards, executives and management have to embrace IT like any other significant part of the business.
External legal, regulatory and contractual compliance requirements related to enterprise use of information and technology are increasing, threatening value if breached.

COBIT 5 provides a comprehensive framework that assists enterprises to achieve their goals and deliver value through effective governance and management of enterprise IT.

COBIT: Value and Limitations
►Has internationally accepted good practices
►Is management-oriented and supported by tools and training
►Is freely downloadable and continually evolves
►Allows the knowledge of expert volunteers to be shared and leveraged
►Is maintained by a reputable not-for-profit organization
►Maps to COSO and the major related standards
►Is a reference, not an 'off-the-shelf' cure
Enterprises still need to analyze their control requirements and customize COBIT based on:
►Value drivers
►Risk profile
►IT infrastructure, organization and project portfolio

COBIT Components
An organization depends on reliable and timely data and information. COBIT components provide a comprehensive framework for delivering value while managing risk and control over data and information.
(Diagram: the components Business Strategy, Information Criteria, IT Resources and IT Processes.)

COBIT Advantages
►Aligned with other standards and good practices, and should be used together with them.
►COBIT's framework and supporting best practices provide a well-managed and flexible IT environment in an organization.
►Provides a control environment that is responsive to business needs and serves management and audit functions in terms of their control responsibilities.
►Provides tools to manage IT activities.

COBIT and IT Governance
►Focuses on improving IT governance in organizations.
►Provides a framework to manage and control IT activities and meets the five requirements for a control framework:
Provides sharper business focus
Ensures process orientation
Has general acceptability amongst organizations
Helps meet regulatory requirements
Defines a common language

COBIT and IT Governance (cont'd)
Business Focus
►Achieves sharper business focus by aligning IT with business objectives.
►Measurement of IT performance focuses on IT's contribution to enabling and extending the business strategy.
►Ensures the primary focus is value delivery and not technical excellence as an end in itself.
(Diagram: the five control-framework requirements, with 'Provides sharper business focus' highlighted.)

COBIT and IT Governance (cont'd)
Process Orientation
►When organizations implement COBIT, their focus becomes more process-oriented.
►Incidents and problems no longer divert attention from processes.
►Exceptions can be clearly defined as part of standard processes.
►With process ownership defined, assigned and accepted, it is easier to maintain control through periods of rapid change or organizational crisis.
(Diagram: the five control-framework requirements, with 'Ensures process orientation' highlighted.)

COBIT and IT Governance (cont'd)
General Acceptability
►A proven and globally accepted standard for increasing the contribution of IT to organizational success.
►It continues to improve and develop to keep pace with good practices.
►IT professionals from all over the world contribute their ideas and time to regular review meetings.
(Diagram: the five control-framework requirements, with 'Has general acceptability amongst organisations' highlighted.)

COBIT and IT Governance (cont'd)
Regulatory Requirements
►Recent corporate scandals have increased regulatory pressure on boards of directors to report their status and ensure that internal controls are appropriate.
►Organizations constantly need to improve IT performance and demonstrate adequate controls over their IT activities.
►COBIT is a de facto response to regulatory IT requirements.
(Diagram: the five control-framework requirements, with 'Helps meet regulatory requirements' highlighted.)

COBIT and IT Governance (cont'd)
Common Language
►Gets everybody on the same page by defining critical terms and providing a glossary.
►Co-ordination within and across project teams and organizations can play a key role in the success of any project.
►A common language helps build confidence and trust.
(Diagram: the five control-framework requirements, with 'Defines a common language' highlighted.)

COBIT: Premise
It is based on the premise that IT needs to deliver the information that an enterprise requires to achieve its objectives.
(Diagram: IT resources and processes provide information to business processes for achieving business objectives.)
It helps align IT with the business by focusing on business information requirements and organizing IT resources. COBIT provides the framework and guidance to implement IT governance.

COBIT: Principle
Link management's IT expectations with management's IT responsibilities.
The objective is to facilitate IT governance to deliver IT value whilst managing IT risks.
(Diagram: Business Strategy, Information Criteria, IT Resources, IT Processes.)

COBIT: Premise (cont'd)
As a control and governance framework for IT, it focuses on two key areas:
► Providing the information required to support business objectives and requirements
► Treating information as the result of the combined application of IT-related resources that need to be managed by IT processes
(Diagram: IT processes (domains, processes, activities) apply IT resources (applications, information, infrastructure, people) to satisfy the information criteria (effectiveness, efficiency, confidentiality, integrity, availability, compliance, reliability). Each IT process is described in terms of its business requirement, control approach and considerations.)

COBIT: Cube
It describes how IT processes deliver the information the business needs to achieve its objectives.
For controlling this delivery, COBIT provides three key components, each forming a dimension of the COBIT cube: business requirements for information (information criteria), IT resources and IT processes.

COBIT Cube: IT Processes
► COBIT describes the IT life cycle with the help of four domains:
Plan and Organize
Acquire and Implement
Deliver and Support
Monitor and Evaluate
► Processes are series of activities with natural control breaks.
► 34 processes across the four domains specify what the business needs in order to achieve its objectives.
► Activities are the actions required to achieve measurable results. Activities have life cycles and include many discrete tasks.
(Note: the cube, the four domains and the 34 processes on this and the following slides are the COBIT 4.1 process model. COBIT 5 replaced it with a process reference model of 37 processes in five domains: Evaluate, Direct and Monitor (EDM); Align, Plan and Organise (APO); Build, Acquire and Implement (BAI); Deliver, Service and Support (DSS); and Monitor, Evaluate and Assess (MEA).)
(Diagram: the cube's dimensions: IT Processes (domains, processes, activities), IT Resources and Information Criteria.)

COBIT Cube: IT Domains
Plan and Organize (PO)
► Objectives
Formulating strategy and tactics
Identifying how IT can best contribute to achieving business objectives
Planning, communicating and managing the realization of the strategic vision
Implementing organizational and technological infrastructure
► Scope
Are IT and the business strategically aligned?
Is the enterprise achieving optimum use of its resources?
Does everyone in the organization understand the IT objectives?
Are IT risks understood and being managed?
Is the quality of IT systems appropriate for business needs?
(Diagram: IT and Business.)

COBIT Cube: IT Domains (cont'd)
Have a look at the COBIT process model: Plan and Organise
PO1 Define a strategic IT plan.
PO2 Define the information architecture.
PO3 Determine technological direction.
PO4 Define the IT processes, organisation and relationships.
PO5 Manage the IT investment.
PO6 Communicate management aims and direction.
PO7 Manage IT human resources.
PO8 Manage quality.
PO9 Assess and manage IT risks.
PO10 Manage projects.
(Diagram: the four domains on the IT Processes dimension of the cube, with Plan and Organise highlighted.)

COBIT Cube: IT Domains (cont'd)
Acquire and Implement (AI)
► Objectives:
Identifying, developing, acquiring, implementing and integrating IT solutions
Changes in and maintenance of existing systems
► Scope:
Are new projects likely to deliver solutions that meet business needs?
Are new projects likely to be delivered on time and within budget?
Will the new systems work properly when implemented?
Will changes be made without upsetting current business operations?
(Diagram: New Projects and Organization.)

COBIT Cube: IT Domains (cont'd)
Acquire and Implement
AI1 Identify automated solutions.
AI2 Acquire and maintain application software.
AI3 Acquire and maintain technology infrastructure.
AI4 Enable operation and use.
AI5 Procure IT resources.
AI6 Manage changes.
AI7 Install and accredit solutions and changes.
(Diagram: the four domains on the IT Processes dimension of the cube, with Acquire and Implement highlighted.)

COBIT Cube: IT Domains (cont'd)
Deliver and Support (DS)
►Objectives:
The actual delivery of required services, including service delivery; the management of security, continuity, data and operational facilities; and service support for users
►Scope:
Are IT services being delivered in line with business priorities?
Are IT costs optimized?
Is the workforce able to use IT systems productively and safely?
Are adequate confidentiality, integrity and availability in place?
(Diagram: IT Services and Business Priorities.)

COBIT Cube: IT Domains (cont'd)
Deliver and Support
DS1 Define and manage service levels.
DS2 Manage third-party services.
DS3 Manage performance and capacity.
DS4 Ensure continuous service.
DS5 Ensure systems security.
DS6 Identify and allocate costs.
DS7 Educate and train users.
DS8 Manage service desk and incidents.
DS9 Manage the configuration.
DS10 Manage problems.
DS11 Manage data.
DS12 Manage the physical environment.
DS13 Manage operations.
(Diagram: the four domains on the IT Processes dimension of the cube, with Deliver and Support highlighted.)

COBIT Cube: IT Domains (cont'd)
Monitor and Evaluate (ME)
►Objectives:
Performance management
Monitoring of internal control
Regulatory compliance
Governance
►Scope:
Is IT's performance measured to detect problems before it is too late?
Does management ensure that internal controls are effective and efficient?
Can IT performance be linked to business goals?
Are risk, control, compliance and performance measured and reported?
(Diagram: IT Performance.)

COBIT Cube: IT Domains (cont'd)
Monitor and Evaluate
ME1 Monitor and evaluate IT performance.
ME2 Monitor and evaluate internal control.
ME3 Ensure compliance with external requirements.
ME4 Provide IT governance.
(Diagram: the four domains on the IT Processes dimension of the cube, with Monitor and Evaluate highlighted.)

COBIT Cube: Information Criteria
►To satisfy business objectives, information needs to conform to specific control criteria, which COBIT refers to as business requirements for information.
►Broadly, the information criteria are based on three sets of requirements: quality, fiduciary and security.
(Diagram: the Information Criteria dimension of the cube, grouped into Quality, Security and Fiduciary requirements.)

COBIT Cube: Information Criteria (cont'd)
Effectiveness: deals with information being relevant and pertinent to the business process as well as being delivered in a timely, correct, consistent and usable manner.
Efficiency: concerns the provision of information through the optimal (most productive and economical) use of resources.
Confidentiality: concerns the protection of sensitive information from unauthorised disclosure.
Integrity: relates to the accuracy and completeness of information as well as to its validity in accordance with business values and expectations.
Availability: relates to information being available when required by the business process, now and in the future. It also concerns the safeguarding of necessary resources and associated capabilities.
Compliance: deals with complying with those laws, regulations and contractual arrangements to which the business process is subject, i.e., externally imposed business criteria as well as internal policies.
Reliability: relates to the provision of appropriate information for management to operate the entity and to exercise its fiduciary and governance responsibilities.
(Diagram: the Information Criteria dimension of the cube, grouped into Quality, Security and Fiduciary requirements.)

COBIT Cube: IT Resources
► IT processes manage IT resources to generate, deliver and store the information that the organization needs to achieve its objectives.
► The IT resources identified in COBIT are defined as:
Applications are the automated user systems and manual procedures that process information.
Information is the data that are input, processed and output by information systems, in whatever form is used by the business.
Infrastructure includes the technology and facilities, such as hardware, operating systems and networking, that enable the processing of applications.
People are the personnel required to plan, organize, acquire, implement, deliver, support, monitor and evaluate information systems and services. They may be internal, outsourced or contracted, as required.
(Diagram: the IT Resources dimension of the cube: Applications, Information, Infrastructure, People.)

COBIT Cube (summary)
IT resources are managed by IT processes to achieve IT goals that respond to the business requirements.

Interrelationships with COBIT Components

Governance and Management
Governance ensures that enterprise objectives are achieved by:
Evaluating stakeholder needs, conditions and options
Setting direction through prioritisation and decision making
Monitoring performance, compliance and progress against agreed-on direction and objectives (EDM)
Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives (PBRM).

In Short...
COBIT 5 brings together the five principles that allow the enterprise to build an effective governance and management framework, based on a holistic set of seven enablers that optimises information and technology investment and use for the benefit of stakeholders.

COBIT 5: Complete Business Framework
Evolution of scope:
COBIT 1 (1996): Audit
COBIT 2 (1998): Control
COBIT 3 (2000): Management
COBIT 4.0/4.1 (2005/7): IT Governance
COBIT 5 (2012): Governance of Enterprise IT, also incorporating Val IT 2.0 (2008) and Risk IT (2009)

Five COBIT 5 Principles
1. Meeting Stakeholder Needs
2. Covering the Enterprise End-to-end
3. Applying a Single Integrated Framework
4. Enabling a Holistic Approach
5. Separating Governance From Management

Meeting Stakeholder Needs
Enterprises exist to create value for their stakeholders.

Meeting Stakeholder Needs
Enterprises have many stakeholders, and 'creating value' means different, and sometimes conflicting, things to each of them.
Governance is about negotiating and deciding amongst different stakeholders' value interests.
The governance system should consider all stakeholders when making benefit, resource and risk assessment decisions.
For each decision, the following can and should be asked:
- Who receives the benefits?
- Who bears the risk?
- What resources are required?

Meeting Stakeholder Needs
Stakeholder needs have to be transformed into an enterprise's practical strategy.
The COBIT 5 goals cascade translates stakeholder needs into specific, practical and customised goals within the context of the enterprise, IT-related goals and enabler goals.

Meeting Stakeholder Needs (cont'd)
Benefits of the COBIT 5 goals cascade:
It allows the definition of priorities for implementation, improvement and assurance of enterprise governance of IT based on enterprise strategic objectives and related risk.
In practice, the goals cascade:
Defines relevant and tangible goals and objectives at various levels of responsibility
Filters the knowledge base of COBIT 5, based on enterprise goals, to extract relevant guidance for inclusion in specific implementation, improvement or assurance projects
Clearly identifies and communicates how (sometimes very operational) enablers are important to achieve enterprise goals

Covering the Enterprise End-to-end
COBIT 5 addresses the governance and management of information and related technology from an enterprise-wide, end-to-end perspective.
This means that COBIT 5:
Integrates governance of enterprise IT into enterprise governance, i.e., the governance system for enterprise IT proposed by COBIT 5 integrates seamlessly into any governance system because COBIT 5 aligns with the latest views on governance
Covers all functions and processes within the enterprise; COBIT 5 does not focus only on the 'IT function', but treats information and related technologies as assets that need to be dealt with just like any other asset by everyone in the enterprise

Applying a Single Integrated Framework
COBIT 5 aligns with the latest relevant standards and frameworks:
Enterprise: COSO, COSO ERM, ISO 9000, ISO 31000
IT-related: ISO/IEC 38500, ITIL, ISO/IEC 27000 series, TOGAF, PMBOK/PRINCE2, CMMI
Use it as the overarching governance and management framework integrator.
ISACA plans a capability to facilitate COBIT user mapping of practices and activities to third-party references.

Enabling a Holistic Approach
COBIT 5 enablers are:
Factors that, individually and collectively, influence whether something will work; in the case of COBIT, governance and management over enterprise IT
Driven by the goals cascade, i.e., higher-level IT-related goals define what the different enablers should achieve
Described by the COBIT 5 framework in seven categories

Enabling a Holistic Approach (cont'd)
1. Processes: describe an organised set of practices and activities to achieve certain objectives and produce a set of outputs in support of achieving overall IT-related goals
2. Organisational structures: are the key decision-making entities in an organisation
3. Culture, ethics and behaviour: of individuals and of the organisation; very often underestimated as a success factor in governance and management activities
4. Principles, policies and frameworks: are the vehicles to translate the desired behaviour into practical guidance for day-to-day management
5. Information: is pervasive throughout any organisation, i.e., deals with all information produced and used by the enterprise. Information is required for keeping the organisation running and well governed, but at the operational level, information is very often the key product of the enterprise itself.
6. Services, infrastructure and applications: include the infrastructure, technology and applications that provide the enterprise with information technology processing and services
7. People, skills and competencies: are linked to people and are required for successful completion of all activities and for making correct decisions and taking corrective actions

Enabling a Holistic Approach (cont'd)
Systemic governance and management through interconnected enablers: to achieve the main objectives of the enterprise, it must always consider an interconnected set of enablers, i.e., each enabler:
Needs the input of other enablers to be fully effective, e.g., processes need information, organisational structures need skills and behaviour
Delivers output to the benefit of other enablers, e.g., processes deliver information, skills and behaviour make processes efficient
This is a KEY principle emerging from the ISACA development work around the Business Model for Information Security (BMIS).

Separating Governance From Management
These two disciplines:
Encompass different types of activities
Require different organisational structures
Serve different purposes
Governance: in most enterprises, governance is the responsibility of the board of directors under the leadership of the chairperson.
Management: in most enterprises, management is the responsibility of the executive management under the leadership of the CEO.

Separating Governance From Management
• Governance ensures that stakeholders' needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritisation and decision making; and monitoring performance and compliance against agreed-on direction and objectives (EDM)
• Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives (PBRM)

Separating Governance From Management (cont'd)
The COBIT 5 framework describes seven categories of enablers (Principle #4).
An enterprise can organise its processes as it sees fit, as long as all necessary governance and management objectives are covered.
Smaller enterprises may have fewer processes, while larger and more complex enterprises may have many processes, all to cover the same objectives.
COBIT 5 includes a process reference model (PRM), which defines and describes in detail a number of governance and management processes.

The Need for IT Governance
(Diagram: the challenges of Keeping IT Running, Security, Value/Cost, Managing Complexity, Aligning IT with Business and Regulatory Compliance.)
Organizations require a structured approach for managing these and other challenges.
This will ensure that there are agreed objectives for IT, good management controls in place and effective monitoring of performance to keep on track and avoid unexpected outcomes.

The Need for IT Governance (cont'd)
Enterprise governance is a set of responsibilities and practices exercised by the board and executive management with the goal of:
• Providing strategic direction
• Ensuring that objectives are achieved
• Ascertaining that risks are managed appropriately
• Verifying that the enterprise's resources are used responsibly
(Source: www.itgi.org)

Enterprise Governance Drives IT Governance
Enterprise governance is about:
Conformance
• Adhering to legislation, internal policies, audit requirements, etc.
Performance
• Improving profitability, efficiency, effectiveness, growth, etc.
Enterprise governance and IT governance require a balance between conformance and performance goals directed by the board.

IT Governance Focus Areas
Strategic alignment: focuses on ensuring the linkage of business and IT plans; on defining, maintaining and validating the IT value proposition; and on aligning IT operations with enterprise operations.
Value delivery: is about executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimising costs and proving the intrinsic value of IT.
Resource management: is about the optimal investment in, and the proper management of, critical IT resources: applications, information, infrastructure and people. Key issues relate to the optimisation of knowledge and infrastructure.
Risk management: requires risk awareness by senior corporate officers, a clear understanding of the enterprise's appetite for risk, understanding of compliance requirements, transparency about the significant risks to the enterprise, and embedding of risk management responsibilities in the organisation.
Performance measurement: tracks and monitors strategy implementation, project completion, resource usage, process performance and service delivery, using, for example, balanced scorecards that translate strategy into action to achieve goals measurable beyond conventional accounting.
69. Making IT Governance Work
• Make IT governance a workable solution, able to deal with the challenges and pitfalls presented by IT.
• Focus as much on improving performance and enabling competitive advantage as on preventing problems.
• Make IT governance a shared responsibility between the business (customer) and the IT service provider, with the full commitment and direction of the board.
• Align IT governance within a wider enterprise governance scheme.
• Boards and executive management need to extend enterprise governance to include IT, provide the necessary leadership and organisational structures, and insist on well-managed and properly controlled processes.
70. IT Governance Stakeholders
• Board and Executive: set direction for IT, monitor results and insist on corrective measures.
• Business Management: defines business requirements for IT and ensures that value is delivered and risks are managed.
• IT Management: delivers and improves IT services as required by the business.
• IT Audit: provides independent assurance to demonstrate that IT delivers what is needed.
• Risk and Compliance: measures compliance with policies and focuses on alerts to new risks.
71. Framework for IT Governance
COBIT:
• Starts from business requirements
• Is process-oriented, organizing IT activities into a generally accepted process model
• Identifies the major IT resources to be leveraged
• Defines the management control objectives to be considered
• Incorporates major international standards
• Has become the de facto standard for overall control of IT
COBIT bridges the gaps between business risks, control needs and technical issues. It provides good practices across a domain and process framework and presents activities in a manageable and logical structure.
IT resources need to be managed by a set of naturally grouped processes. COBIT provides a framework that achieves this objective.
72. How COBIT Helps Implement Effective IT Governance
COBIT brings the following advantages to an IT governance implementation effort:
• Enables mapping of IT goals to business goals and vice versa
• Better alignment, based on a business focus
• A view of what IT does that is understandable to management
• Clear ownership and responsibilities based on process orientation
• General acceptability with third parties and regulators
• Shared understanding amongst all stakeholders, based on a common language
• Fulfilment of the COSO requirements for the IT control environment
73. COBIT and Other IT Management Frameworks
We will consider and use a variety of IT models, standards and best practices. These must be understood in order to consider how they can be used together, with COBIT acting as the consolidator (‘umbrella’).
The slide's diagram positions COBIT, COSO, ISO 9000, ISO 17799 and ITIL by scope of coverage along a WHAT (control objectives) versus HOW (implementation detail) axis: COBIT and COSO sit towards the WHAT end with broad scope, while ITIL and ISO 17799 give narrower but more detailed HOW guidance. (ISO 17799 has since been renumbered as ISO/IEC 27002.)
74. Where Does COBIT Fit?
The slide's diagram shows the layers, top to bottom:
• Drivers: performance (business goals) and conformance (Basel II, SOX, etc.)
• Enterprise Governance
• IT Governance: COBIT
• Best practice standards: COSO, ISO 9001:2000, ISO 17799, ISO 20000, ITIL, security principles, balanced scorecard
• Processes and procedures: QA procedures
75. Governance, Risk and Compliance
An increasingly used ‘umbrella term’ that covers these three areas of enterprise activities.
These areas of activity are progressively being more aligned and integrated to improve enterprise performance and delivery of stakeholder needs.
76. GRC Definitions
Governance: exercise of authority; control; government; arrangement.
Risk (management): hazard; danger; peril; exposure to loss, injury, or destruction (the act or art of managing; the manner of treating, directing, carrying on, or using, for a purpose; conduct; administration; guidance; control).
Compliance: the act of complying; a yielding, as to a desire, demand, or proposal; concession; submission.
Source: Webster’s Online Dictionary
77. Types of Governance
Different types of governance exist:
• Corporate governance
• Project governance
• Information technology governance
• Environmental governance
• Economic and financial governance
Each type has one or more sources of guidance, each with similar goals but often varying terms and techniques for their achievement.
78. Implementing Governance
Integrating GRC activities within an enterprise requires a systematic approach for reliably achieving the business goals of its stakeholders.
Such approaches are typically based on enablers of various types, i.e. principles, policies, frameworks and organizational structures.
79. A GRC Model Example
From OCEG Red Book GRC Capability Model version 2.1.
80. Corporate Governance of IT
ISO/IEC 38500:2008, Corporate governance of information technology (the 2008 edition; the standard has since been revised as ISO/IEC 38500:2015).
1.1 Scope
It provides guiding principles for directors of organizations (including owners, board members, directors, partners, senior executives, or similar) on the effective, efficient, and acceptable use of Information Technology (IT) within their organizations.
It applies to the governance of management processes (and decisions) relating to the information and communication services used by an organization.
These processes could be controlled by IT specialists within the organization or external service providers, or by business units within the organization.
81. Corporate Governance of IT (cont’d)
ISO/IEC 38500:2008, Corporate governance of information technology
2.1 Principles
2.1.1 Principle 1: Responsibility
2.1.2 Principle 2: Strategy
2.1.3 Principle 3: Acquisition
2.1.4 Principle 4: Performance
2.1.5 Principle 5: Conformance
2.1.6 Principle 6: Human Behavior
82. Corporate Governance of IT (cont’d)
ISO/IEC 38500:2008, Corporate governance of information technology
2.2 Model
Directors should govern IT through three main tasks:
a) Evaluate the current and future use of IT.
b) Direct preparation and implementation of plans and policies to ensure that use of IT meets business objectives.
c) Monitor conformance to policies, and performance against the plans.
84. Governance in COBIT 5
Governance ensures that enterprise objectives are achieved by evaluating stakeholder needs, conditions and options; setting direction through prioritisation and decision making; and monitoring performance, compliance and progress against agreed direction and objectives (EDM: evaluate, direct, monitor).
Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives (PBRM: plan, build, run, monitor).
85. Governance in COBIT 5 (cont’d)
• The COBIT 5 process reference model subdivides the IT-related practices and activities of the enterprise into two main areas, governance and management, with management further divided into domains of processes.
• The GOVERNANCE domain contains five governance processes; within each process, evaluate, direct and monitor (EDM) practices are defined:
• EDM01 Ensure governance framework setting and maintenance.
• EDM02 Ensure benefits delivery.
• EDM03 Ensure risk optimization.
• EDM04 Ensure resource optimization.
• EDM05 Ensure stakeholder transparency.
86. Governance in COBIT 5 (cont’d)
87. Risk Management in COBIT 5
• The GOVERNANCE domain contains five governance processes, one of which focuses on stakeholder risk-related objectives: EDM03 Ensure risk optimization.
• Process Description
Ensure that the enterprise’s risk appetite and tolerance are understood, articulated and communicated, and that risk to enterprise value related to the use of IT is identified and managed.
• Process Purpose Statement
Ensure that IT-related enterprise risk does not exceed risk appetite and risk tolerance, that the impact of IT risk on enterprise value is identified and managed, and that the potential for compliance failures is minimized.
88. Risk Management in COBIT 5 (cont’d)
• The MANAGEMENT Align, Plan and Organise domain contains a risk-related process: APO12 Manage risk.
• Process Description
Continually identify, assess and reduce IT-related risk within levels of tolerance set by enterprise executive management.
• Process Purpose Statement
Integrate the management of IT-related enterprise risk with overall ERM, and balance the costs and benefits of managing IT-related enterprise risk.
89. Risk Management in COBIT 5 (cont’d)
90. Risk Management in COBIT 5 (cont’d)
• All enterprise activities have associated risk exposures resulting from environmental threats that exploit enabler vulnerabilities.
• EDM03 Ensure risk optimization ensures that the enterprise stakeholders’ approach to risk is articulated, to direct how the risks facing the enterprise will be treated.
• APO12 Manage risk provides the ERM arrangements that ensure stakeholder direction is followed by the enterprise.
• All other processes include practices and activities that are designed to treat related risk (avoid, reduce/mitigate/control, share/transfer, accept).
91. Risk Management in COBIT 5 (cont’d)
COBIT 5 suggests accountabilities and responsibilities for enterprise roles and governance/management structures (RACI charts) for each process. These include risk-related roles.
92. Compliance in COBIT 5
• The MANAGEMENT Monitor, Evaluate and Assess domain contains a compliance-focused process: MEA03 Monitor, evaluate and assess compliance with external requirements.
• Process Description
Evaluate that IT processes and IT-supported business processes are compliant with laws, regulations and contractual requirements. Obtain assurance that the requirements have been identified and complied with, and integrate IT compliance with overall enterprise compliance.
• Process Purpose Statement
Ensure that the enterprise is compliant with all applicable external requirements.
94. Compliance in COBIT 5 (cont’d)
• Legal and regulatory compliance is a key part of the effective governance of an enterprise, hence its inclusion in the GRC term and in the COBIT 5 Enterprise Goals and supporting enabler process structure (MEA03).
• In addition to MEA03, all enterprise activities include control activities that are designed to ensure compliance not only with externally imposed legislative or regulatory requirements but also with enterprise governance-determined principles, policies and procedures.
95. Compliance in COBIT 5 (cont’d)
COBIT 5 suggests accountabilities and responsibilities for enterprise roles and governance/management structures (RACI charts) for each process. These include a compliance-related role.
96. Summary
• The COBIT 5 framework includes the necessary guidance to support enterprise GRC objectives and supporting activities:
• Governance activities related to GEIT (5 processes)
• Risk management process, and supporting guidance for risk management across the GEIT space
• Compliance: a specific focus on compliance activities within the framework and how they fit within the complete enterprise picture
• Inclusion of GRC arrangements within the business framework for GEIT helps enterprises to avoid the main issue with GRC arrangements: silos of activity!
98. COBIT 5 Implementation
• The improvement of GEIT is widely recognised by top management as an essential part of enterprise governance.
• Information and the pervasiveness of IT are increasingly part of every aspect of business and public life.
• The need to drive more value from IT investments and manage an increasing array of IT-related risk has never been greater.
• Increasing regulation and legislation over business use of information is also driving heightened awareness of the importance of a well-governed and managed IT environment.
99. COBIT 5 Implementation (cont’d)
• ISACA has developed the COBIT 5 framework to help enterprises implement sound governance enablers.
• Indeed, implementing good GEIT is almost impossible without engaging an effective governance framework. Best practices and standards are also available to underpin COBIT 5.
• Frameworks, best practices and standards are useful only if they are adopted and adapted effectively.
• There are challenges that need to be overcome and issues that need to be addressed if GEIT is to be implemented successfully.
100. COBIT 5 Implementation (cont’d)
The COBIT 5 Implementation guide covers the following subjects:
• Positioning GEIT within an enterprise
• Taking the first steps towards improving GEIT
• Implementation challenges and success factors
• Enabling GEIT-related organisational and behavioural change
• Implementing continual improvement that includes change enablement and programme management
• Using COBIT 5 and its components
101. COBIT 5 Implementation (cont’d)
102. COBIT 5 Future Supporting Products
104. COBIT 5 Future Supporting Products
• Professional Guides
• COBIT 5 for Information Security
• COBIT 5 for Assurance
• COBIT 5 for Risk
• Enabler Guides
• COBIT 5: Enabling Information
• COBIT Online Replacement
• COBIT Assessment Programme
• Process Assessment Model (PAM): Using COBIT 5
• Assessor Guide: Using COBIT 5
• Self-assessment Guide: Using COBIT 5
Note that several of these had already been published when this deck was presented: COBIT 5 for Information Security in 2012, and COBIT 5 for Assurance and COBIT 5 for Risk in 2013. The COBIT 5 product family as a whole has since been superseded by COBIT 2019.