March 2014: Governance and Management of Enterprise IT with COBIT 5
Governance and Management of
Enterprise IT with COBIT 5 Framework
Goutama Bachtiar
IT Advisor, Auditor and Consultant
v2.2 as of March 2014
Profile of Training Lead
• Advisor at six companies.
• ISACA International Chapter Subject Matter Expert.
• ISACA International Chapter Journal Reviewer.
• ISACA International Chapter Certification Exam and QAE Developer.
• Reviewer Panel at two international journals.
• Have audited and consulted 30+ companies.
• Have written 300+ manuscripts, articles and pieces in IT space.
Importance of Information
• Information is a key resource for all enterprises.
• Information is created, used, retained, disclosed and destroyed.
• Technology plays a key role in these actions.
• Technology is becoming pervasive in all aspects of business and personal life.
What benefits do information and technology bring to enterprises?
Why Does IT Need a Control Framework?
Any of these conditions sound familiar?
• Increasing pressure to leverage technology in business strategies
• Growing complexity of IT environments
• Fragmented IT infrastructures
• Communication gap between business and IT managers
• IT service levels that are disappointing from internal IT functions and from increasingly outsourced IT providers
• IT costs perceived to be out of control
• Marginal ROI/productivity gains on technology investments
• Impaired organizational flexibility and nimbleness to change
Why Does IT Need a Control Framework? (cont’d)
• Increasing dependence on information and on the systems delivering this information
• Increasing vulnerabilities and a wide spectrum of threats
• Scale and cost of current and future investments in information and information systems
• Need for complying with regulations
• Potential for technologies to dramatically change organizations and business practices, create new opportunities and reduce costs
• Recognition by many organizations of the potential benefits technology can yield
Successful organizations understand and manage the risks associated with implementing new technologies.
Why Does IT Need a Control Framework? (cont’d)
Management needs to get IT under control, to ensure that:
• IT provides value: cost, time and functionality are as expected
• IT does not provide surprises: risks are mitigated
• IT pushes the envelope: new opportunities and innovations for process, product and services
Who Needs a Control Framework?
• Board and Executive
  • To ensure management follows and implements the strategic direction for IT
• Management
  • To make IT investment decisions
  • To balance risk and control investment
  • To benchmark the existing and future IT environment
Who Needs a Control Framework? (cont’d)
• Users
  • To obtain assurance on security and control of products and services they acquire internally or externally
• Auditors
  • To substantiate opinions to management on internal controls
  • To advise on what minimum controls are necessary
Why and How Is COBIT Used?
• Increases acceptance and reduces time to implement IT governance
• A guide for formal audits and reviews
• Use the results of audits to plan improvements
• Achieving the primary goals for IT governance: transform organizational practices and pursue improved processes
• A credible source for management's decisions on controls
• Impresses and helps IT operations managers with its ability to assist in understanding what auditors want
• For the business to communicate requirements and concerns
• A reference to ensure identification of all major risk areas
• Improves communications and relations with IT management
Why and How Is COBIT Used? (cont’d)
• To improve audit approach/programmes
• To support audit work with detailed audit guidelines
• To provide guidance for IT governance
• As a valuable benchmark for IS/IT control
• To improve IS/IT controls
• To standardise audit approach/programmes
Enterprise Benefits
Enterprises and their executives strive to:
• Maintain quality information to support business decisions.
• Generate business value from IT-enabled investments, i.e., achieve strategic goals and realise business benefits through effective and innovative use of IT.
• Achieve operational excellence through reliable and efficient application of technology.
• Maintain IT-related risk at an acceptable level.
• Optimise the cost of IT services and technology.
How can these benefits be realized to create enterprise stakeholder value?
Stakeholder Value
Delivering enterprise stakeholder value requires good governance and management of information and technology (IT) assets.
Enterprise boards, executives and management have to embrace IT like any other significant part of the business.
External legal, regulatory and contractual compliance requirements related to enterprise use of information and technology are increasing, threatening value if breached.
COBIT 5 provides a comprehensive framework that assists enterprises to achieve their goals and deliver value through effective governance and management of enterprise IT.
COBIT: Value and Limitations
► Has internationally accepted good practices
► Is management-oriented and supported by tools and training
► Is freely downloadable and continually evolves
► Allows the knowledge of expert volunteers to be shared and leveraged
► Is maintained by a reputable not-for-profit organization
► Fully maps to COSO and all major, related standards
► Is a reference, not an ‘off-the-shelf’ cure
Enterprises still need to analyze control requirements and customize COBIT based on:
► Value drivers
► Risk profile
► IT infrastructure, organization and project portfolio
COBIT Components
An organization depends on reliable and timely data and information. COBIT components provide a comprehensive framework for delivering value while managing risk and control over data and information.
(Figure: COBIT components: Business Strategy, Information Criteria, IT Resources, IT Processes.)
COBIT Advantages
► Aligned with other standards and good practices and should be used together with them.
► COBIT’s framework and supporting best practices provide a well-managed and flexible IT environment in an organization.
► Provides a control environment that is responsive to business needs and serves management and audit functions in terms of their control responsibilities.
► Provides tools to manage IT activities.
COBIT and IT Governance
► Focuses on improving IT governance in organizations.
► Provides a framework to manage and control IT activities and supports five requirements for a control framework:
  • Has general acceptability amongst organizations
  • Helps meet regulatory requirements
  • Defines a common language
  • Provides sharper business focus
  • Ensures process orientation
COBIT and IT Governance (cont’d)
Business Focus
► Achieves sharper business focus by aligning IT with business objectives.
► Measurement of IT performance focuses on IT’s contribution to enabling and extending the business strategy.
► Ensures the primary focus is value delivery and not technical excellence as an end in itself.
COBIT and IT Governance (cont’d)
Process Orientation
► When organizations implement COBIT, their focus is more process-oriented.
► Incidents and problems no longer divert attention from processes.
► Exceptions can be clearly defined as part of standard processes.
► With process ownership defined, assigned and accepted, it is easier to maintain control through periods of rapid change or organizational crisis.
COBIT and IT Governance (cont’d)
General Acceptability
► A proven and globally accepted standard for increasing the contribution of IT to organizational success.
► It continues to improve and develop to keep pace with good practices.
► IT professionals from all over the world contribute their ideas and time to regular review meetings.
COBIT and IT Governance (cont’d)
Regulatory Requirements
► Recent corporate scandals have increased regulatory pressures on boards of directors to report their status and ensure that internal controls are appropriate.
► Organizations constantly need to improve IT performance and demonstrate adequate controls over their IT activities.
► COBIT is a de facto response to regulatory IT requirements.
COBIT and IT Governance (cont’d)
Common Language
► Puts everybody on the same page by defining critical terms and providing a glossary.
► Co-ordination within and across project teams and organizations can play a key role in the success of any project.
► A common language helps build confidence and trust.
COBIT: Premise
It is based on the premise that IT needs to deliver the information that an enterprise requires to achieve its objectives.
(Figure: IT resources and processes provide information to business processes for achieving business objectives.)
It helps align IT with the business by focusing on business information requirements and organizing IT resources. COBIT provides the framework and guidance to implement IT governance.
COBIT: Principle
Link management’s IT expectations with management’s IT responsibilities.
The objective is to facilitate IT governance to deliver IT value whilst managing IT risks.
(Figure: Business Strategy, Information Criteria, IT Resources, IT Processes.)
COBIT: Premise
As a control and governance framework for IT, it focuses on two key areas:
► Providing the information required to support business objectives and requirements
► Treating information as the result of the combined application of IT-related resources that need to be managed by IT processes
(Figure: the COBIT cube. IT Processes: Domains, Processes, Activities. Information Criteria: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability. IT Resources: Applications, Information, Infrastructure, People. Alongside, a table with the columns IT Process, Business Requirement, Control Approach and Consideration; its rows are elided on the slide.)
COBIT: Cube
It describes how IT processes deliver the information the business needs to achieve its objectives.
For controlling this delivery, COBIT provides three key components, each forming a dimension of the COBIT cube:
• Business Requirements for Information Criteria
• IT Resources
• IT Processes
COBIT Cube: IT Processes
► COBIT describes the IT life cycle with the help of four domains:
  • Plan and Organize
  • Acquire and Implement
  • Deliver and Support
  • Monitor and Evaluate
► Processes are series of activities with natural control breaks.
► 34 processes across the four domains specify what the business needs to achieve its objectives.
► Activities are actions that are required to achieve measurable results. Moreover, activities have life cycles and include many discrete tasks.
(Figure: the IT Processes dimension of the cube: Domains, Processes, Activities.)
COBIT Cube: IT Domains
Plan and Organize (PO)
► Objectives
  • Formulating strategy and tactics
  • Identifying how IT can best contribute to achieving business objectives
  • Planning, communicating and managing the realization of the strategic vision
  • Implementing organizational and technological infrastructure
► Scope
  • Are IT and the business strategically aligned?
  • Is the enterprise achieving optimum use of its resources?
  • Does everyone in the organization understand the IT objectives?
  • Are IT risks understood and being managed?
  • Is the quality of IT systems appropriate for business needs?
COBIT Cube: IT Domains (cont’d)
Have a look at the COBIT process model.
Plan and Organise
• PO1 Define a strategic IT plan.
• PO2 Define the information architecture.
• PO3 Determine technological direction.
• PO4 Define the IT processes, organisation and relationships.
• PO5 Manage the IT investment.
• PO6 Communicate management aims and direction.
• PO7 Manage IT human resources.
• PO8 Manage quality.
• PO9 Assess and manage IT risks.
• PO10 Manage projects.
(Figure: the IT Processes dimension divided into the four domains Plan and Organize, Acquire and Implement, Deliver and Support, Monitor and Evaluate.)
COBIT Cube: IT Domains (cont’d)
Acquire and Implement (AI)
► Objectives:
  • Identifying, developing, acquiring, implementing and integrating IT solutions
  • Changes in and maintenance of existing systems
► Scope:
  • Are new projects likely to deliver solutions that meet business needs?
  • Are new projects likely to be delivered on time and within budget?
  • Will the new systems work properly when implemented?
  • Will changes be made without upsetting current business operations?
COBIT Cube: IT Domains (cont’d)
Acquire and Implement
• AI1 Identify automated solutions.
• AI2 Acquire and maintain application software.
• AI3 Acquire and maintain technology infrastructure.
• AI4 Enable operation and use.
• AI5 Procure IT resources.
• AI6 Manage changes.
• AI7 Install and accredit solutions and changes.
COBIT Cube: IT Domains (cont’d)
Deliver and Support (DS)
► Objectives:
  • The actual delivery of required services, including service delivery
  • The management of security, continuity, data and operational facilities
  • Service support for users
► Scope:
  • Are IT services being delivered in line with business priorities?
  • Are IT costs optimized?
  • Is the workforce able to use IT systems productively and safely?
  • Are adequate confidentiality, integrity and availability in place?
COBIT Cube: IT Domains (cont’d)
Deliver and Support
• DS1 Define and manage service levels.
• DS2 Manage third-party services.
• DS3 Manage performance and capacity.
• DS4 Ensure continuous service.
• DS5 Ensure systems security.
• DS6 Identify and allocate costs.
• DS7 Educate and train users.
• DS8 Manage service desk and incidents.
• DS9 Manage the configuration.
• DS10 Manage problems.
• DS11 Manage data.
• DS12 Manage the physical environment.
• DS13 Manage operations.
COBIT Cube: IT Domains (cont’d)
Monitor and Evaluate (ME)
► Objectives:
  • Performance management
  • Monitoring of internal control
  • Regulatory compliance
  • Governance
► Scope:
  • Is IT’s performance measured to detect problems before it is too late?
  • Does management ensure internal controls are effective and efficient?
  • Can IT performance be linked to business goals?
  • Are risk, control, compliance and performance measured and reported?
COBIT Cube: IT Domains (cont’d)
Monitor and Evaluate
• ME1 Monitor and evaluate IT performance.
• ME2 Monitor and evaluate internal control.
• ME3 Ensure compliance with external requirements.
• ME4 Provide IT governance.
COBIT Cube: Information Criteria
► To satisfy business objectives, information needs to conform to specific control criteria, which COBIT refers to as business requirements for information.
► Broadly, information criteria are based on the following requirements:
  • Quality
  • Fiduciary
  • Security
(Figure: the Information Criteria face of the cube, labelled Quality Requirements, Security Requirements and Fiduciary Requirements.)
COBIT Cube: Information Criteria (cont’d)
• Effectiveness: Deals with information being relevant and pertinent to the business process as well as being delivered in a timely, correct, consistent and usable manner.
• Efficiency: Concerns the provision of information through the optimal (most productive and economical) use of resources.
• Confidentiality: Concerns the protection of sensitive information from unauthorised disclosure.
• Integrity: Relates to the accuracy and completeness of information as well as to its validity in accordance with business values and expectations.
• Availability: Relates to information being available when required by the business process now and in the future. It also concerns the safeguarding of necessary resources and associated capabilities.
• Compliance: Deals with complying with those laws, regulations and contractual arrangements to which the business process is subject, i.e., externally imposed business criteria as well as internal policies.
• Reliability: Relates to the provision of appropriate information for management to operate the entity and to exercise its fiduciary and governance responsibilities.
(Figure: the seven criteria on the Information Criteria face of the cube, grouped under Quality, Security and Fiduciary requirements.)
COBIT Cube: IT Resources
► IT processes manage IT resources to generate, deliver and store the information that the organization needs to achieve its objectives.
► The IT resources identified in COBIT are defined as:
  • Applications are automated user systems and manual procedures that process information.
  • Information is data that are input, processed and output by information systems, in whatever form used by the business.
  • Infrastructure includes the technology and facilities, such as hardware, operating systems and networking, that enable the processing of applications.
  • People are the personnel required to plan, organize, acquire, implement, deliver, support, monitor and evaluate information systems and services. They may be internal, outsourced or contracted, as required.
(Figure: the IT Resources face of the cube: Applications, Information, Infrastructure, People.)
COBIT 5 Cube
IT resources are managed by IT processes to achieve IT goals that respond to the business requirements.
Interrelationships with COBIT Components
COBIT 5 Principles
COBIT 5 Enablers
Governance and Management
Governance ensures that enterprise objectives are achieved by:
• Evaluating stakeholder needs, conditions and options
• Setting direction through prioritisation and decision making
• Monitoring performance, compliance and progress against agreed-on direction and objectives (EDM)
Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives (PBRM).
In Short…
It brings together the five principles that allow the enterprise to build an effective governance and management framework, based on a holistic set of seven enablers that optimises information and technology investment and use for the benefit of stakeholders.
Navigating COBIT 5
COBIT 5: Complete Business Framework
(Figure: evolution of scope from 1996 to 2012: COBIT 1, Audit (1996); COBIT 2, Control (1998); COBIT 3, Management (2000); COBIT 4.0/4.1, IT Governance (2005/7); COBIT 5, Governance of Enterprise IT (2012); alongside Val IT 2.0 (2008) and Risk IT (2009).)
COBIT 5 Product Family
Five COBIT 5 Principles
1. Meeting Stakeholder Needs
2. Covering the Enterprise End-to-end
3. Applying a Single Integrated Framework
4. Enabling a Holistic Approach
5. Separating Governance From Management
Meeting Stakeholder Needs
Enterprises exist to create value for their stakeholders.
Meeting Stakeholder Needs
Enterprises have many stakeholders, and ‘creating value’ means different—and sometimes conflicting—things to each of them.
Governance is about negotiating and deciding amongst different stakeholders’ value interests.
The governance system should consider all stakeholders when making benefit, resource and risk assessment decisions.
For each decision, the following can and should be asked:
- Who receives the benefits?
- Who bears the risk?
- What resources are required?
Meeting Stakeholder Needs
Stakeholder needs have to be transformed into an enterprise’s practical strategy.
The COBIT 5 goals cascade translates stakeholder needs into specific, practical and customised goals within the context of the enterprise, IT-related goals and enabler goals.
Meeting Stakeholder Needs (cont.)
Benefits of the COBIT 5 goals cascade:
• It allows the definition of priorities for implementation, improvement and assurance of enterprise governance of IT based on enterprise strategic objectives and related risk
• In practice, the goals cascade:
  • Defines relevant and tangible goals and objectives at various levels of responsibility
  • Filters the knowledge base of COBIT 5, based on enterprise goals, to extract relevant guidance for inclusion in specific implementation, improvement or assurance projects
  • Clearly identifies and communicates how (sometimes very operational) enablers are important to achieve enterprise goals
Covering the Enterprise End-to-end
• It addresses the governance and management of information and related technology from an enterprise-wide, end-to-end perspective
• It means:
  • Integrates governance of enterprise IT into enterprise governance, i.e., the governance system for enterprise IT proposed by COBIT 5 integrates seamlessly in any governance system because COBIT 5 aligns with the latest views on governance
  • Covers all functions and processes within the enterprise; COBIT 5 does not focus only on the ‘IT function’, but treats information and related technologies as assets that need to be dealt with just like any other asset by everyone in the enterprise
Covering the Enterprise End-to-end
Applying a Single Integrated Framework
• It aligns with the latest relevant other standards and frameworks:
  • Enterprise: COSO, COSO ERM, ISO/IEC 9000, ISO/IEC 31000
  • IT-related: ISO/IEC 38500, ITIL, ISO/IEC 27000 series, TOGAF, PMBOK/PRINCE2, CMMI
• Use it as the overarching governance and management framework integrator
• ISACA plans a capability to facilitate COBIT user mapping of practices and activities to third-party references
Enabling a Holistic Approach
COBIT 5 enablers are:
• Factors that, individually and collectively, influence whether something will work—in the case of COBIT, governance and management over enterprise IT
• Driven by the goals cascade, i.e., higher-level IT-related goals define what the different enablers should achieve
• Described by the COBIT 5 framework in seven categories
Enabling a Holistic Approach (cont’d)
Enabling a Holistic Approach (cont’d)
1. Processes—Describe an organised set of practices and activities to achieve certain objectives and produce a set of outputs in support of achieving overall IT-related goals
2. Organisational structures—Are the key decision-making entities in an organisation
3. Culture, ethics and behaviour—Of individuals and of the organisation; very often underestimated as a success factor in governance and management activities
4. Principles, policies and frameworks—Are the vehicles to translate the desired behaviour into practical guidance for day-to-day management
5. Information—Is pervasive throughout any organisation, i.e., deals with all information produced and used by the enterprise. Information is required for keeping the organisation running and well governed, but at the operational level, information is very often the key product of the enterprise itself.
6. Services, infrastructure and applications—Include the infrastructure, technology and applications that provide the enterprise with information technology processing and services
7. People, skills and competencies—Are linked to people and are required for successful completion of all activities and for making correct decisions and taking corrective actions
Enabling a Holistic Approach (cont’d)
• Systemic governance and management through interconnected enablers—To achieve the main objectives of the enterprise, it must always consider an interconnected set of enablers, i.e., each enabler:
  • Needs the input of other enablers to be fully effective, e.g., processes need information, organisational structures need skills and behaviour
  • Delivers output to the benefit of other enablers, e.g., processes deliver information, skills and behaviour make processes efficient
• This is a KEY principle emerging from the ISACA development work around the Business Model for Information Security (BMIS).
Enabling a Holistic Approach (cont’d)
• All enablers have a set of common dimensions, which:
  • Provides a common, simple and structured way to deal with enablers
  • Allows an entity to manage its complex interactions
  • Facilitates successful outcomes of the enablers
Source: COBIT® 5, figure 13. © 2012 ISACA®
Separating Governance From Management
• These two disciplines:
  • Encompass different types of activities
  • Require different organisational structures
  • Serve different purposes
• Governance—In most enterprises, governance is the responsibility of the board of directors under the leadership of the chairperson.
• Management—In most enterprises, management is the responsibility of the executive management under the leadership of the CEO.
Separating Governance From Management
• Governance ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritisation and decision making; and monitoring performance and compliance against agreed-on direction and objectives (EDM)
• Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives (PBRM)
Separating Governance From Management
COBIT 5 is not prescriptive, but it advocates that organisations implement governance and management processes such that the key areas are covered, as shown.
Source: COBIT® 5, figure 15. © 2012 ISACA®
Separating Governance From Management
• The COBIT 5 framework describes seven categories of enablers (Principle #4).
• An enterprise can organise its processes as it sees fit, as long as all necessary governance and management objectives are covered.
• Smaller enterprises may have fewer processes while larger and more complex enterprises may have many processes, all to cover the same objectives.
• COBIT 5 includes a process reference model (PRM), which defines and describes in detail a number of governance and management processes.
The Need for IT Governance
(Figure: the challenges: Keeping IT Running, Security, Value/Cost, Managing Complexity, Aligning IT with Business, Regulatory Compliance.)
Organizations require a structured approach for managing these and other challenges.
This will ensure that there are agreed objectives for IT, good management controls in place and effective monitoring of performance to keep on track and avoid unexpected outcomes.
The Need for IT Governance (cont’d)
Enterprise governance is a set of responsibilities and practices exercised by the board and executive management with the goal of:
• Providing strategic direction
• Ensuring that objectives are achieved
• Ascertaining that risks are managed appropriately
• Verifying that the enterprise’s resources are used responsibly
Source: www.itgi.org
Enterprise Governance Drives IT Governance
Enterprise governance is about:
• Conformance: adhering to legislation, internal policies, audit requirements, etc.
• Performance: improving profitability, efficiency, effectiveness, growth, etc.
Enterprise governance and IT governance require a balance between conformance and performance goals directed by the board.
March 2014Governance and Management of Enterprise IT with COBIT 5
IT Governance Focus Areas
Strategic alignment
Focuses on ensuring the linkage of business and IT plans; on defining, maintaining and validating the IT value proposition; and on aligning IT operations with enterprise operations.
Value delivery
Is about executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimising costs and proving the intrinsic value of IT.
Resource management
Is about the optimal investment in, and the proper management of, critical IT resources: applications, information, infrastructure and people. Key issues relate to the optimisation of knowledge and infrastructure.
Risk management
Requires risk awareness by senior corporate officers, a clear understanding of the enterprise's appetite for risk, understanding of compliance requirements, transparency about the significant risks to the enterprise, and embedding of risk management responsibilities in the organisation.
Performance measurement
Tracks and monitors strategy implementation, project completion, resource usage, process performance and service delivery, using, for example, balanced scorecards that translate strategy into action to achieve goals measurable beyond conventional accounting.
Making IT Governance Work
Make IT governance a workable solution—able to deal
with the challenges and pitfalls presented by IT.
Focus as much on improving performance and enabling
competitive advantage as preventing problems.
Make IT governance a shared responsibility between the
business (customer) and the IT service provider, with the
full commitment and direction of the board.
Align IT governance within a wider enterprise governance
scheme.
Boards and executive management need to extend
enterprise governance to include IT, provide the necessary
leadership and organisational structures, and insist on
well-managed and properly controlled processes.
IT Governance Stakeholders
Board and Executive
Set direction for IT, monitor results and insist on corrective measures.
Business Management
Defines business requirements for IT and ensures that value is delivered and risks are managed.
IT Management
Delivers and improves IT services as required by the business.
IT Audit
Provides independent assurance to demonstrate that IT delivers what is needed.
Risk and Compliance
Measures compliance with policies and focuses on alerts to new risks.
Framework for IT Governance
COBIT:
 Starts from business requirements
 Is process-oriented, organizing IT activities into a generally accepted process model
 Identifies the major IT resources to be leveraged
 Defines the management control objectives to be considered
 Incorporates major international standards
 Has become the de facto standard for overall control of IT
COBIT bridges the gaps between business risks, control needs and technical issues. It provides good practices across a domain and process framework and presents activities in a manageable and logical structure.
IT resources need to be managed by a set of naturally grouped processes. COBIT provides a framework that achieves this objective.
How COBIT Helps Implement Effective IT Governance
COBIT brings the following advantages to an IT governance implementation effort:
Enables mapping of IT goals to business goals and vice versa
Better alignment, based on a business focus
A view of what IT does that is understandable to management
Clear ownership and responsibilities based on process orientation
General acceptability with third parties and regulators
Shared understanding amongst all stakeholders, based on a common language
Fulfilment of the COSO requirements for the IT control environment
COBIT and Other IT Management Frameworks
We will consider and use a variety of IT models, standards and best practices. These must be understood in order to consider how they can be used together, with COBIT acting as the consolidator ('umbrella').
[Figure: COBIT, ISO 9000, ISO 17799, ITIL and COSO positioned by scope of coverage along a "what" versus "how" axis.]
Where Does COBIT Fit?
[Figure: layered view from drivers down to processes and procedures. Drivers: performance (business goals) and conformance (Basel II, SOX, etc.). Governance layers: enterprise governance and IT governance, with COSO and COBIT. Best practice standards: ISO 9001:2000, ISO 17799, ISO 20000, ITIL, security principles, balanced scorecard. Processes and procedures: QA procedures.]
Governance, Risk and Compliance
An increasingly used ‘umbrella term’
that covers these three areas of
enterprise activities.
These areas of activity are
progressively being more aligned and
integrated to improve enterprise
performance and delivery of
stakeholder needs.
GRC Definitions
Governance: Exercise of authority; control; government; arrangement.
Risk (management): Hazard; danger; peril; exposure to loss, injury, or destruction (the act or art of managing; the manner of treating, directing, carrying on, or using, for a purpose; conduct; administration; guidance; control).
Compliance: The act of complying; a yielding, as to a desire, demand, or proposal; concession; submission.
Source: Webster's Online Dictionary
Types of Governance
Different types of governance exist:
 Corporate governance
 Project governance
 Information technology governance
 Environmental governance
 Economic and financial governance
Each type has one or more sources of
guidance, each with similar goals but
often varying terms and techniques for
their achievement.
Implementing Governance
Integrating GRC activities within an enterprise requires a systemic approach for reliably achieving the business goals of its stakeholders.
Such approaches are typically based on enablers of various types, i.e. principles, policies, frameworks and organizational structures.
A GRC Model Example
From OCEG Red Book GRC Capability
Model version 2.1.
Corporate Governance of IT
ISO/IEC 38500:2008, Corporate governance of information technology
1.1 Scope
It provides guiding principles for directors of organizations (including owners, board members, directors, partners, senior executives, or similar) on the effective, efficient, and acceptable use of Information Technology (IT) within their organizations.
It applies to the governance of management processes (and decisions) relating to the information and communication services used by an organization.
These processes could be controlled by IT specialists within the organization or external service providers, or by business units within the organization.
Corporate Governance of IT (cont'd)
ISO/IEC 38500:2008, Corporate governance of information technology
2.1 Principles
2.1.1 Principle 1: Responsibility
2.1.2 Principle 2: Strategy
2.1.3 Principle 3: Acquisition
2.1.4 Principle 4: Performance
2.1.5 Principle 5: Conformance
2.1.6 Principle 6: Human Behavior
Corporate Governance of IT (cont'd)
ISO/IEC 38500:2008, Corporate governance of information technology
2.2 Model
Directors should govern IT through three main tasks:
a) Evaluate the current and future use of IT.
b) Direct preparation and implementation of plans and policies to ensure that use of IT meets business objectives.
c) Monitor conformance to policies, and performance against the plans.
GRC in COBIT 5
Governance in COBIT 5
Governance ensures that enterprise objectives are achieved by evaluating stakeholder needs, conditions and options; setting direction through prioritisation and decision making; and monitoring performance, compliance and progress against agreed direction and objectives (EDM).
Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives (PBRM).
Governance in COBIT 5 (cont'd)
• The COBIT 5 process reference model subdivides the IT-related practices and activities of the enterprise into two main areas, governance and management, with management further divided into domains of processes.
• The GOVERNANCE domain contains five governance processes; within each process, evaluate, direct and monitor (EDM) practices are defined:
  • EDM01 Ensure governance framework setting and maintenance.
  • EDM02 Ensure benefits delivery.
  • EDM03 Ensure risk optimization.
  • EDM04 Ensure resource optimization.
  • EDM05 Ensure stakeholder transparency.
Risk Management in COBIT 5
• The GOVERNANCE domain contains five governance processes, one of which focuses on stakeholder risk-related objectives: EDM03 Ensure risk optimization.
• Process Description
Ensure that the enterprise's risk appetite and tolerance are understood, articulated and communicated, and that risk to enterprise value related to the use of IT is identified and managed.
• Process Purpose Statement
Ensure that IT-related enterprise risk does not exceed risk appetite and risk tolerance, that the impact of IT risk to enterprise value is identified and managed, and that the potential for compliance failures is minimized.
Risk Management in COBIT 5 (cont'd)
• The MANAGEMENT Align, Plan and Organise domain contains a risk-related process: APO12 Manage risk.
• Process Description
Continually identify, assess and reduce IT-related risk within levels of tolerance set by enterprise executive management.
• Process Purpose Statement
Integrate the management of IT-related enterprise risk with overall ERM, and balance the costs and benefits of managing IT-related enterprise risk.
Risk Management in COBIT 5 (cont'd)
• All enterprise activities have associated risk exposures resulting from environmental threats that exploit enabler vulnerabilities.
• EDM03 Ensure risk optimization ensures that the enterprise stakeholders' approach to risk is articulated, to direct how risks facing the enterprise will be treated.
• APO12 Manage risk provides the ERM arrangements that ensure stakeholder direction is followed by the enterprise.
• All other processes include practices and activities that are designed to treat related risk (avoid, reduce/mitigate/control, share/transfer, accept).
Risk Management in COBIT 5 (cont'd)
COBIT 5 suggests accountabilities and responsibilities for enterprise roles and governance/management structures (RACI charts) for each process. These include risk-related roles.
Compliance in COBIT 5
• The MANAGEMENT Monitor, Evaluate and Assess domain contains a compliance-focused process: MEA03 Monitor, evaluate and assess compliance with external requirements.
• Process Description
Evaluate that IT processes and IT-supported business processes are compliant with laws, regulations and contractual requirements. Obtain assurance that the requirements have been identified and complied with, and integrate IT compliance with overall enterprise compliance.
• Process Purpose Statement
Ensure that the enterprise is compliant with all applicable external requirements.
Compliance in COBIT 5 (cont'd)
Source: COBIT® 5, figure 16. © 2012 ISACA® All rights reserved.
Compliance in COBIT 5 (cont’d)
• Legal and regulatory compliance is a key part of
the effective governance of an enterprise, hence
its inclusion in the GRC term and in the COBIT 5
Enterprise Goals and supporting enabler process
structure (MEA03).
• In addition to MEA03, all enterprise activities
include control activities that are designed to
ensure compliance not only with externally
imposed legislative or regulatory requirements
but also with enterprise governance-determined
principles, policies and procedures.
Compliance in COBIT 5 (cont'd)
COBIT 5 suggests accountabilities and responsibilities for enterprise roles and governance/management structures (RACI charts) for each process. These include a compliance-related role.
Summary
• The COBIT 5 framework includes the necessary guidance to support enterprise GRC objectives and supporting activities:
  • Governance activities related to GEIT (5 processes)
  • Risk management process, and supporting guidance for risk management across the GEIT space
  • Compliance, with a specific focus on compliance activities within the framework and how they fit within the complete enterprise picture
• Inclusion of GRC arrangements within the business framework for GEIT helps enterprises to avoid the main issue with GRC arrangements: silos of activity!
COBIT 5 Implementation
COBIT 5 Implementation
• The improvement of GEIT is widely recognised by top management as an essential part of enterprise governance.
• Information and the pervasiveness of IT are increasingly part of every aspect of business and public life.
• The need to drive more value from IT investments and manage an increasing array of IT-related risk has never been greater.
• Increasing regulation and legislation over business use of information is also driving heightened awareness of the importance of a well-governed and managed IT environment.
COBIT 5 Implementation (cont’d)
• ISACA has developed the COBIT 5 framework to
help enterprises implement sound governance
enablers.
• Indeed, implementing good GEIT is almost
impossible without engaging an effective
governance framework. Best practices and
standards are also available to underpin COBIT 5.
• Frameworks, best practices and standards are
useful only if they are adopted and adapted
effectively.
• There are challenges that need to be overcome and
issues that need to be addressed if GEIT is to be
implemented successfully.
COBIT 5 Implementation (cont'd)
The COBIT 5 Implementation guide covers the following subjects:
• Positioning GEIT within an enterprise
• Taking the first steps towards improving GEIT
• Implementation challenges and success factors
• Enabling GEIT-related organisational and behavioural change
• Implementing continual improvement that includes change enablement and programme management
• Using COBIT 5 and its components
COBIT 5 Future Supporting Products
COBIT 5 Product Family
COBIT 5 Future Supporting Products
• Professional Guides
  • COBIT 5 for Information Security
  • COBIT 5 for Assurance
  • COBIT 5 for Risk
• Enabler Guides
  • COBIT 5: Enabling Information
• COBIT Online Replacement
• COBIT Assessment Programme
  • Process Assessment Model (PAM): Using COBIT 5
  • Assessor Guide: Using COBIT 5
  • Self-assessment Guide: Using COBIT 5
Thank You!
Proposal of a Framework of Lean Governance and Management of Enterprise IT
 
IT Governance.ppt
IT Governance.pptIT Governance.ppt
IT Governance.ppt
 
Frameworks to drive value from your investment in Information Technology
Frameworks to drive value from your investment in Information TechnologyFrameworks to drive value from your investment in Information Technology
Frameworks to drive value from your investment in Information Technology
 
ICT Governance for Enterprise Control & Value Creation - Day1
ICT Governance for Enterprise Control & Value Creation - Day1ICT Governance for Enterprise Control & Value Creation - Day1
ICT Governance for Enterprise Control & Value Creation - Day1
 
Whitepaper Practical Information Technology Governance
Whitepaper   Practical Information Technology GovernanceWhitepaper   Practical Information Technology Governance
Whitepaper Practical Information Technology Governance
 

More from Goutama Bachtiar

Crypto Currency, Bitcoin and Blockchain
Crypto Currency, Bitcoin and BlockchainCrypto Currency, Bitcoin and Blockchain
Crypto Currency, Bitcoin and BlockchainGoutama Bachtiar
 
Information Security Management System with ISO/IEC 27000:2018
Information Security Management System with ISO/IEC 27000:2018Information Security Management System with ISO/IEC 27000:2018
Information Security Management System with ISO/IEC 27000:2018Goutama Bachtiar
 
Blockchain Essentials - Harnessing the Technology for Banking Industry
Blockchain Essentials - Harnessing the Technology for Banking IndustryBlockchain Essentials - Harnessing the Technology for Banking Industry
Blockchain Essentials - Harnessing the Technology for Banking IndustryGoutama Bachtiar
 
Leveraging Agile Project Management with Scrum
Leveraging Agile Project Management with ScrumLeveraging Agile Project Management with Scrum
Leveraging Agile Project Management with ScrumGoutama Bachtiar
 
Library of Information Technology Icons
Library of Information Technology IconsLibrary of Information Technology Icons
Library of Information Technology IconsGoutama Bachtiar
 
Dealing with Fraud in E-Banking Sphere
Dealing with Fraud in E-Banking SphereDealing with Fraud in E-Banking Sphere
Dealing with Fraud in E-Banking SphereGoutama Bachtiar
 
IS and IT Auditor Roles in Today's New Economy
IS and IT Auditor Roles in Today's New EconomyIS and IT Auditor Roles in Today's New Economy
IS and IT Auditor Roles in Today's New EconomyGoutama Bachtiar
 
Conducting Digital Forensics against Crime and Fraud
Conducting Digital Forensics against Crime and FraudConducting Digital Forensics against Crime and Fraud
Conducting Digital Forensics against Crime and FraudGoutama Bachtiar
 
Utilizing Internet for Fraud Examination and Investigation
Utilizing Internet for Fraud Examination and InvestigationUtilizing Internet for Fraud Examination and Investigation
Utilizing Internet for Fraud Examination and InvestigationGoutama Bachtiar
 
Managing IT Risks in Internet Banking
Managing IT Risks in Internet BankingManaging IT Risks in Internet Banking
Managing IT Risks in Internet BankingGoutama Bachtiar
 
Electronic Payment Fundamentals: When Tech Embracing Payment Industry
Electronic Payment Fundamentals: When Tech Embracing Payment IndustryElectronic Payment Fundamentals: When Tech Embracing Payment Industry
Electronic Payment Fundamentals: When Tech Embracing Payment IndustryGoutama Bachtiar
 
State of Cyber Crime in Banking Sector Today: Threats and Solutions
State of Cyber Crime in Banking Sector Today: Threats and SolutionsState of Cyber Crime in Banking Sector Today: Threats and Solutions
State of Cyber Crime in Banking Sector Today: Threats and SolutionsGoutama Bachtiar
 
The State of ERP in Indonesia: Trends, Opportunities and Challenges
The State of ERP in Indonesia: Trends, Opportunities and ChallengesThe State of ERP in Indonesia: Trends, Opportunities and Challenges
The State of ERP in Indonesia: Trends, Opportunities and ChallengesGoutama Bachtiar
 
Developing and Managing Business Continuity Plan (BCP)
Developing and Managing Business Continuity Plan (BCP)Developing and Managing Business Continuity Plan (BCP)
Developing and Managing Business Continuity Plan (BCP)Goutama Bachtiar
 
Implementing BPMN 2.0 with Microsoft Visio
Implementing BPMN 2.0 with Microsoft VisioImplementing BPMN 2.0 with Microsoft Visio
Implementing BPMN 2.0 with Microsoft VisioGoutama Bachtiar
 
Valuing Information Management and IT Architecture
Valuing Information Management and IT ArchitectureValuing Information Management and IT Architecture
Valuing Information Management and IT ArchitectureGoutama Bachtiar
 
Riding and Capitalizing the Next Wave of Information Technology
Riding and Capitalizing the Next Wave of Information TechnologyRiding and Capitalizing the Next Wave of Information Technology
Riding and Capitalizing the Next Wave of Information TechnologyGoutama Bachtiar
 
The Current and Future State of Internet of Things: Unveiling the Opportunities
The Current and Future State of Internet of Things: Unveiling the OpportunitiesThe Current and Future State of Internet of Things: Unveiling the Opportunities
The Current and Future State of Internet of Things: Unveiling the OpportunitiesGoutama Bachtiar
 

More from Goutama Bachtiar (20)

Crypto Currency, Bitcoin and Blockchain
Crypto Currency, Bitcoin and BlockchainCrypto Currency, Bitcoin and Blockchain
Crypto Currency, Bitcoin and Blockchain
 
Information Security Management System with ISO/IEC 27000:2018
Information Security Management System with ISO/IEC 27000:2018Information Security Management System with ISO/IEC 27000:2018
Information Security Management System with ISO/IEC 27000:2018
 
Blockchain Essentials - Harnessing the Technology for Banking Industry
Blockchain Essentials - Harnessing the Technology for Banking IndustryBlockchain Essentials - Harnessing the Technology for Banking Industry
Blockchain Essentials - Harnessing the Technology for Banking Industry
 
Delving into Fintech
Delving into FintechDelving into Fintech
Delving into Fintech
 
Leveraging Agile Project Management with Scrum
Leveraging Agile Project Management with ScrumLeveraging Agile Project Management with Scrum
Leveraging Agile Project Management with Scrum
 
Library of Information Technology Icons
Library of Information Technology IconsLibrary of Information Technology Icons
Library of Information Technology Icons
 
PMBOK 6th vs 5th Edition
PMBOK 6th vs 5th EditionPMBOK 6th vs 5th Edition
PMBOK 6th vs 5th Edition
 
Dealing with Fraud in E-Banking Sphere
Dealing with Fraud in E-Banking SphereDealing with Fraud in E-Banking Sphere
Dealing with Fraud in E-Banking Sphere
 
IS and IT Auditor Roles in Today's New Economy
IS and IT Auditor Roles in Today's New EconomyIS and IT Auditor Roles in Today's New Economy
IS and IT Auditor Roles in Today's New Economy
 
Conducting Digital Forensics against Crime and Fraud
Conducting Digital Forensics against Crime and FraudConducting Digital Forensics against Crime and Fraud
Conducting Digital Forensics against Crime and Fraud
 
Utilizing Internet for Fraud Examination and Investigation
Utilizing Internet for Fraud Examination and InvestigationUtilizing Internet for Fraud Examination and Investigation
Utilizing Internet for Fraud Examination and Investigation
 
Managing IT Risks in Internet Banking
Managing IT Risks in Internet BankingManaging IT Risks in Internet Banking
Managing IT Risks in Internet Banking
 
Electronic Payment Fundamentals: When Tech Embracing Payment Industry
Electronic Payment Fundamentals: When Tech Embracing Payment IndustryElectronic Payment Fundamentals: When Tech Embracing Payment Industry
Electronic Payment Fundamentals: When Tech Embracing Payment Industry
 
State of Cyber Crime in Banking Sector Today: Threats and Solutions
State of Cyber Crime in Banking Sector Today: Threats and SolutionsState of Cyber Crime in Banking Sector Today: Threats and Solutions
State of Cyber Crime in Banking Sector Today: Threats and Solutions
 
The State of ERP in Indonesia: Trends, Opportunities and Challenges
The State of ERP in Indonesia: Trends, Opportunities and ChallengesThe State of ERP in Indonesia: Trends, Opportunities and Challenges
The State of ERP in Indonesia: Trends, Opportunities and Challenges
 
Developing and Managing Business Continuity Plan (BCP)
Developing and Managing Business Continuity Plan (BCP)Developing and Managing Business Continuity Plan (BCP)
Developing and Managing Business Continuity Plan (BCP)
 
Implementing BPMN 2.0 with Microsoft Visio
Implementing BPMN 2.0 with Microsoft VisioImplementing BPMN 2.0 with Microsoft Visio
Implementing BPMN 2.0 with Microsoft Visio
 
Valuing Information Management and IT Architecture
Valuing Information Management and IT ArchitectureValuing Information Management and IT Architecture
Valuing Information Management and IT Architecture
 
Riding and Capitalizing the Next Wave of Information Technology
Riding and Capitalizing the Next Wave of Information TechnologyRiding and Capitalizing the Next Wave of Information Technology
Riding and Capitalizing the Next Wave of Information Technology
 
The Current and Future State of Internet of Things: Unveiling the Opportunities
The Current and Future State of Internet of Things: Unveiling the OpportunitiesThe Current and Future State of Internet of Things: Unveiling the Opportunities
The Current and Future State of Internet of Things: Unveiling the Opportunities
 

Recently uploaded

Management 11th Edition - Chapter 13 - Managing Teams
Management 11th Edition - Chapter 13 - Managing TeamsManagement 11th Edition - Chapter 13 - Managing Teams
Management 11th Edition - Chapter 13 - Managing Teamsshakkardaddy
 
The Final Activity in Project Management
The Final Activity in Project ManagementThe Final Activity in Project Management
The Final Activity in Project ManagementCIToolkit
 
HOTEL MANAGEMENT SYSTEM PPT PRESENTATION
HOTEL MANAGEMENT SYSTEM PPT PRESENTATIONHOTEL MANAGEMENT SYSTEM PPT PRESENTATION
HOTEL MANAGEMENT SYSTEM PPT PRESENTATIONsivani14565220
 
Better SAFe than sorry - Why scaled agile frameworks do not necessarily impro...
Better SAFe than sorry - Why scaled agile frameworks do not necessarily impro...Better SAFe than sorry - Why scaled agile frameworks do not necessarily impro...
Better SAFe than sorry - Why scaled agile frameworks do not necessarily impro...Conny Dethloff
 
Advancing Enterprise Risk Management Practices- A Strategic Framework by Naga...
Advancing Enterprise Risk Management Practices- A Strategic Framework by Naga...Advancing Enterprise Risk Management Practices- A Strategic Framework by Naga...
Advancing Enterprise Risk Management Practices- A Strategic Framework by Naga...Nagarjuna Reddy Aturi
 
BoSUSA23 | Chris Spiek & Justin Dickow | Autobooks Product & Engineering
BoSUSA23 | Chris Spiek & Justin Dickow | Autobooks Product & EngineeringBoSUSA23 | Chris Spiek & Justin Dickow | Autobooks Product & Engineering
BoSUSA23 | Chris Spiek & Justin Dickow | Autobooks Product & EngineeringBusiness of Software Conference
 
The Role of Histograms in Exploring Data Insights
The Role of Histograms in Exploring Data InsightsThe Role of Histograms in Exploring Data Insights
The Role of Histograms in Exploring Data InsightsCIToolkit
 
Shaping Organizational Culture Beyond Wishful Thinking
Shaping Organizational Culture Beyond Wishful ThinkingShaping Organizational Culture Beyond Wishful Thinking
Shaping Organizational Culture Beyond Wishful ThinkingGiuseppe De Simone
 
From Red to Green: Enhancing Decision-Making with Traffic Light Assessment
From Red to Green: Enhancing Decision-Making with Traffic Light AssessmentFrom Red to Green: Enhancing Decision-Making with Traffic Light Assessment
From Red to Green: Enhancing Decision-Making with Traffic Light AssessmentCIToolkit
 
How-How Diagram: A Practical Approach to Problem Resolution
How-How Diagram: A Practical Approach to Problem ResolutionHow-How Diagram: A Practical Approach to Problem Resolution
How-How Diagram: A Practical Approach to Problem ResolutionCIToolkit
 
From Goals to Actions: Uncovering the Key Components of Improvement Roadmaps
From Goals to Actions: Uncovering the Key Components of Improvement RoadmapsFrom Goals to Actions: Uncovering the Key Components of Improvement Roadmaps
From Goals to Actions: Uncovering the Key Components of Improvement RoadmapsCIToolkit
 
Paired Comparison Analysis: A Practical Tool for Evaluating Options and Prior...
Paired Comparison Analysis: A Practical Tool for Evaluating Options and Prior...Paired Comparison Analysis: A Practical Tool for Evaluating Options and Prior...
Paired Comparison Analysis: A Practical Tool for Evaluating Options and Prior...CIToolkit
 
Hajra Karrim: Transformative Leadership Driving Innovation and Efficiency in ...
Hajra Karrim: Transformative Leadership Driving Innovation and Efficiency in ...Hajra Karrim: Transformative Leadership Driving Innovation and Efficiency in ...
Hajra Karrim: Transformative Leadership Driving Innovation and Efficiency in ...dsnow9802
 
Exploring Variable Relationships with Scatter Diagram Analysis
Exploring Variable Relationships with Scatter Diagram AnalysisExploring Variable Relationships with Scatter Diagram Analysis
Exploring Variable Relationships with Scatter Diagram AnalysisCIToolkit
 
Operations Management -- Sustainability and Supply Chain Management.pdf
Operations Management -- Sustainability and Supply Chain Management.pdfOperations Management -- Sustainability and Supply Chain Management.pdf
Operations Management -- Sustainability and Supply Chain Management.pdfcoolsnoopy1
 
Choosing the best strategy qspm matrix.pptx
Choosing the best strategy qspm matrix.pptxChoosing the best strategy qspm matrix.pptx
Choosing the best strategy qspm matrix.pptxMadan Karki
 
Management 11th Edition - Chapter 11 - Adaptive Organizational Design
Management 11th Edition - Chapter 11 - Adaptive Organizational DesignManagement 11th Edition - Chapter 11 - Adaptive Organizational Design
Management 11th Edition - Chapter 11 - Adaptive Organizational Designshakkardaddy
 
Adapting to Change: Using PEST Analysis for Better Decision-Making
Adapting to Change: Using PEST Analysis for Better Decision-MakingAdapting to Change: Using PEST Analysis for Better Decision-Making
Adapting to Change: Using PEST Analysis for Better Decision-MakingCIToolkit
 
Effective learning in the Age of Hybrid Work - Agile Saturday Tallinn 2024
Effective learning in the Age of Hybrid Work - Agile Saturday Tallinn 2024Effective learning in the Age of Hybrid Work - Agile Saturday Tallinn 2024
Effective learning in the Age of Hybrid Work - Agile Saturday Tallinn 2024Giuseppe De Simone
 
Management 11th Edition - Chapter 9 - Strategic Management
Management 11th Edition - Chapter 9 - Strategic ManagementManagement 11th Edition - Chapter 9 - Strategic Management
Management 11th Edition - Chapter 9 - Strategic Managementshakkardaddy
 

Recently uploaded (20)

Management 11th Edition - Chapter 13 - Managing Teams
Management 11th Edition - Chapter 13 - Managing TeamsManagement 11th Edition - Chapter 13 - Managing Teams
Management 11th Edition - Chapter 13 - Managing Teams
 
The Final Activity in Project Management
The Final Activity in Project ManagementThe Final Activity in Project Management
The Final Activity in Project Management
 
HOTEL MANAGEMENT SYSTEM PPT PRESENTATION
HOTEL MANAGEMENT SYSTEM PPT PRESENTATIONHOTEL MANAGEMENT SYSTEM PPT PRESENTATION
HOTEL MANAGEMENT SYSTEM PPT PRESENTATION
 
Better SAFe than sorry - Why scaled agile frameworks do not necessarily impro...
Better SAFe than sorry - Why scaled agile frameworks do not necessarily impro...Better SAFe than sorry - Why scaled agile frameworks do not necessarily impro...
Better SAFe than sorry - Why scaled agile frameworks do not necessarily impro...
 
Advancing Enterprise Risk Management Practices- A Strategic Framework by Naga...
Advancing Enterprise Risk Management Practices- A Strategic Framework by Naga...Advancing Enterprise Risk Management Practices- A Strategic Framework by Naga...
Advancing Enterprise Risk Management Practices- A Strategic Framework by Naga...
 
BoSUSA23 | Chris Spiek & Justin Dickow | Autobooks Product & Engineering
BoSUSA23 | Chris Spiek & Justin Dickow | Autobooks Product & EngineeringBoSUSA23 | Chris Spiek & Justin Dickow | Autobooks Product & Engineering
BoSUSA23 | Chris Spiek & Justin Dickow | Autobooks Product & Engineering
 
The Role of Histograms in Exploring Data Insights
The Role of Histograms in Exploring Data InsightsThe Role of Histograms in Exploring Data Insights
The Role of Histograms in Exploring Data Insights
 
Shaping Organizational Culture Beyond Wishful Thinking
Shaping Organizational Culture Beyond Wishful ThinkingShaping Organizational Culture Beyond Wishful Thinking
Shaping Organizational Culture Beyond Wishful Thinking
 
From Red to Green: Enhancing Decision-Making with Traffic Light Assessment
From Red to Green: Enhancing Decision-Making with Traffic Light AssessmentFrom Red to Green: Enhancing Decision-Making with Traffic Light Assessment
From Red to Green: Enhancing Decision-Making with Traffic Light Assessment
 
How-How Diagram: A Practical Approach to Problem Resolution
How-How Diagram: A Practical Approach to Problem ResolutionHow-How Diagram: A Practical Approach to Problem Resolution
How-How Diagram: A Practical Approach to Problem Resolution
 
From Goals to Actions: Uncovering the Key Components of Improvement Roadmaps
From Goals to Actions: Uncovering the Key Components of Improvement RoadmapsFrom Goals to Actions: Uncovering the Key Components of Improvement Roadmaps
From Goals to Actions: Uncovering the Key Components of Improvement Roadmaps
 
Paired Comparison Analysis: A Practical Tool for Evaluating Options and Prior...
Paired Comparison Analysis: A Practical Tool for Evaluating Options and Prior...Paired Comparison Analysis: A Practical Tool for Evaluating Options and Prior...
Paired Comparison Analysis: A Practical Tool for Evaluating Options and Prior...
 
Hajra Karrim: Transformative Leadership Driving Innovation and Efficiency in ...
Hajra Karrim: Transformative Leadership Driving Innovation and Efficiency in ...Hajra Karrim: Transformative Leadership Driving Innovation and Efficiency in ...
Hajra Karrim: Transformative Leadership Driving Innovation and Efficiency in ...
 
Exploring Variable Relationships with Scatter Diagram Analysis
Exploring Variable Relationships with Scatter Diagram AnalysisExploring Variable Relationships with Scatter Diagram Analysis
Exploring Variable Relationships with Scatter Diagram Analysis
 
Operations Management -- Sustainability and Supply Chain Management.pdf
Operations Management -- Sustainability and Supply Chain Management.pdfOperations Management -- Sustainability and Supply Chain Management.pdf
Operations Management -- Sustainability and Supply Chain Management.pdf
 
Choosing the best strategy qspm matrix.pptx
Choosing the best strategy qspm matrix.pptxChoosing the best strategy qspm matrix.pptx
Choosing the best strategy qspm matrix.pptx
 
Management 11th Edition - Chapter 11 - Adaptive Organizational Design
Management 11th Edition - Chapter 11 - Adaptive Organizational DesignManagement 11th Edition - Chapter 11 - Adaptive Organizational Design
Management 11th Edition - Chapter 11 - Adaptive Organizational Design
 
Adapting to Change: Using PEST Analysis for Better Decision-Making
Adapting to Change: Using PEST Analysis for Better Decision-MakingAdapting to Change: Using PEST Analysis for Better Decision-Making
Adapting to Change: Using PEST Analysis for Better Decision-Making
 
Effective learning in the Age of Hybrid Work - Agile Saturday Tallinn 2024
Effective learning in the Age of Hybrid Work - Agile Saturday Tallinn 2024Effective learning in the Age of Hybrid Work - Agile Saturday Tallinn 2024
Effective learning in the Age of Hybrid Work - Agile Saturday Tallinn 2024
 
Management 11th Edition - Chapter 9 - Strategic Management
Management 11th Edition - Chapter 9 - Strategic ManagementManagement 11th Edition - Chapter 9 - Strategic Management
Management 11th Edition - Chapter 9 - Strategic Management
 

Governance and Management of Enterprise IT with COBIT 5 Framework

  • 1. March 2014Governance and Management of Enterprise IT with COBIT 5 Governance and Management of Enterprise IT with COBIT 5 Framework Goutama Bachtiar IT Advisor, Auditor and Consultant v2.2 as of March 2014
  • 2. March 2014Governance and Management of Enterprise IT with COBIT 5 Profile of Training Lead Advisor at six companies. ISACA International Chapter Subject Matter Expert. ISACA International Chapter Journal Reviewer. ISACA International Chapter Certification Exam and QAE Developer. Reviewer Panel at two international journals. Have audited and consulted 30+ companies. Have written 300+ manuscripts, articles and pieces in IT space. 2
  • 3. March 2014Governance and Management of Enterprise IT with COBIT 5 Importance of Information  Information is a key resource for all enterprises.  Information is created, used, retained, disclosed and destroyed.  Technology plays a key role in these actions.  Technology is becoming pervasive in all aspects of business and personal life. What benefits do information and technology bring to enterprises? 3
  • 4. March 2014Governance and Management of Enterprise IT with COBIT 5 WhyDoes IT Need a Control Framework? Any of these conditions sound familiar?  Increasing pressure to leverage technology in business strategies  Growing complexity of IT environments  Fragmented IT infrastructures  Communication gap between business and IT managers  IT service levels that are disappointing from internal IT functions and from increasingly outsourced IT providers  IT costs perceived to be out of control  Marginal ROI/productivity gains on technology investments  Impaired organizational flexibility and nimbleness to change 4
  • 5. March 2014Governance and Management of Enterprise IT with COBIT 5 Increasing dependence on information and systems delivering this information Increasing vulnerabilities and a wide spectrum of threats Scale and cost of current and future investments in information and information systems Need for complying with regulations Potential for technologies to dramatically change organizations and business practices, create new opportunities and reduce costs Recognition by many organizations of potential benefits technology can yield Successful organizations understand and manage risks associated with implementing new technologies WhyDoes IT Need a Control Framework? (cont’d) 5
  • 6. March 2014Governance and Management of Enterprise IT with COBIT 5 IT provides value Cost, time and functionality are as expected  IT does not provide surprises Risks are mitigated  IT pushes the envelope New opportunities and innovations for process, product and services To ensure that Management needs to get IT under control. WhyDoes IT Need a Control Framework? (cont’d) 6
  • 7. March 2014Governance and Management of Enterprise IT with COBIT 5  Board and Executive •To ensure management follows and implements the strategic direction for IT Management •To make IT investment decisions •To balance risk and control investment •To benchmark existing and future IT environment Who Needs a Control Framework? 7
  • 8. March 2014Governance and Management of Enterprise IT with COBIT 5 Users • To obtain assurance on security and control of products and services they acquire internally or externally  Auditors • To substantiate opinions to management on internal controls • To advise on what minimum controls are necessary Who Needs a Control Framework? (cont’d) 8
  • 9. March 2014Governance and Management of Enterprise IT with COBIT 5 Increase acceptance and reduce time to implement IT governance A guide for formal audits and reviews Use results of audits to plan improvements Achieving primary goals for IT governance: transform organizational practices and pursue improved processes A credible source for management's decision on controls Impresses and helps IT operations managers with its ability to assist in understanding what auditors want For business to communicate requirements and concerns Reference to ensure identification of all major risk areas Improves communications and relations with IT management Why and How COBIT is Used? 9
  • 10. March 2014Governance and Management of Enterprise IT with COBIT 5  To improve audit approach/programmes  To support audit work with detailed audit guidelines  To provide guidance for IT governance  As a valuable benchmark for IS/IT control  To improve IS/IT controls  To standardise audit approach/programmes Why and How COBIT is Used? (cont’d) 10
  • 11. March 2014Governance and Management of Enterprise IT with COBIT 5 Enterprise Benefits Enterprises and their executives strive to:  Maintain quality information to support business decisions.  Generate business value from IT-enabled investments, i.e., achieve strategic goals and realise business benefits through effective and innovative use of IT.  Achieve operational excellence through reliable and efficient application of technology.  Maintain IT-related risk at an acceptable level.  Optimise the cost of IT services and technology. How can these benefits be realized to create enterprise stakeholder value? 11
  • 12. March 2014Governance and Management of Enterprise IT with COBIT 5 Stakeholder Value Delivering enterprise stakeholder value requires good governance and management of information and technology (IT) assets. Enterprise boards, executives and management have to embrace IT like any other significant part of the business. External legal, regulatory and contractual compliance requirements related to enterprise use of information and technology are increasing, threatening value if breached. 12
  • 13. March 2014Governance and Management of Enterprise IT with COBIT 5 COBIT 5 provides a comprehensive framework that assists enterprises to achieve their goals and deliver value through effective governance and management of enterprise IT. 13
  • 14. March 2014Governance and Management of Enterprise IT with COBIT 5 ►Has internationally accepted good practices ►Is management-oriented and supported by tools and training ►Is freely downloadable and continually evolves ►Allows the knowledge of expert volunteers to be shared and leveraged ►Is maintained by a reputable not-for-profit organization ►Fully maps to COSO and all major, related standards ►Is a reference, not an ‘off-the-shelf’ cure Enterprises still need to analyze control requirements and customize COBIT based on: ►Value drivers ►Risk profile ►IT infrastructure, organization and project portfolio COBIT: Value and Limitations 14
  • 15. March 2014Governance and Management of Enterprise IT with COBIT 5 An organization depends on reliable and timely data and information. COBIT components provide a comprehensive framework for delivering value while managing risk and control over data and information. Business Strategy Information Criteria IT Resources IT Processes COBIT Components 15
  • 16. March 2014Governance and Management of Enterprise IT with COBIT 5 ►Aligned with other standards and good practices and should be used together with them. ►COBIT’s framework and supporting best practices provide a well-managed and flexible IT environment in an organization. ►Provides a control environment that is responsive to business needs and serves management and audit functions in terms of their control responsibilities. ►Provides tools to manage IT activities. COBIT Advantages 16
  • 17. March 2014Governance and Management of Enterprise IT with COBIT 5 ►Focuses on improving IT governance in organizations. ►Provides a framework to manage and control IT activities and supports five requirements for a control framework. Has general acceptability amongst organizations Helps meet regulatory requirements Control Framework Defines a common language Provides sharper business Ensures process orientation focus COBIT and IT Governance 17
  • 18. March 2014Governance and Management of Enterprise IT with COBIT 5 Business Focus ►Achieves sharper business focus by aligning IT with business objectives. ►Measurement of IT performance focus on IT’s contribution to enabling and extending the business strategy. ►Ensuring the primary focus is value delivery and not technical excellence as an end in itself. Has general acceptability amongst organizations Defines a common language Ensures process orientation Helps meet regulatory requirements Provides sharper business Control Framework focus COBIT and IT Governance (cont’d)18
  • 19. March 2014Governance and Management of Enterprise IT with COBIT 5 Process Orientation ►When organizations implement COBIT, their focus is more process- oriented. ►Incidents and problems no longer divert attention from processes. ►Exceptions can be clearly defined as part of standard processes. ►With process ownership defined, assigned and accepted, better to maintain control through periods of rapid change or organizationalcrisis. Has general acceptability amongst organizations Defines a common language Helps meet regulatory requirements Provides sharper business Ensures process orientation Control Framework focus COBIT and IT Governance (cont’d)19
  • 20. March 2014Governance and Management of Enterprise IT with COBIT 5 General Acceptability ►A proven and globally accepted standard for increasing contribution of IT to organizational success. ►It continues to improve and develop to keep pace with good practices. ►IT professionals from all over the world contribute their ideas and time to regular review meetings. Has general acceptability amongst organisations Defines a common language Helps meet regulatory requirements Provides sharper business Ensures process orientation Control Framework focus COBIT and IT Governance (cont’d)20
21. COBIT and IT Governance (cont’d): Regulatory Requirements
► Recent corporate scandals have increased regulatory pressure on boards of directors to report their status and ensure that internal controls are appropriate.
► Organizations constantly need to improve IT performance and demonstrate adequate controls over their IT activities.
► COBIT has become the de facto response to regulatory IT requirements.
22. COBIT and IT Governance (cont’d): Common Language
► Puts everybody on the same page by defining critical terms and providing a glossary.
► Coordination within and across project teams and organizations can play a key role in the success of any project.
► A common language helps build confidence and trust.
23. COBIT: Premise
► COBIT is based on the premise that IT needs to deliver the information that an enterprise requires to achieve its objectives.
► Diagram: IT resources and processes provide information to business processes for achieving business objectives.
► It helps align IT with the business by focusing on business information requirements and organizing IT resources.
► COBIT provides the framework and guidance to implement IT governance.
24. COBIT: Principle
► Links management’s IT expectations with management’s IT responsibilities.
► The objective is to facilitate IT governance to deliver IT value whilst managing IT risks.
► Diagram elements: Business Strategy, Information Criteria, IT Resources, IT Processes.
25. COBIT: Premise (cont’d)
As a control and governance framework for IT, COBIT focuses on two key areas:
► Providing the information required to support business objectives and requirements
► Treating information as the result of the combined application of IT-related resources that need to be managed by IT processes
Diagram elements:
- IT Processes: Domains, Processes, Activities
- Information Criteria: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability
- IT Resources: Applications, Information, Infrastructure, People
- Control objective template columns: IT Process, Business Requirement, Control Approach, Consideration (entries left blank on the slide)
26. COBIT: Cube
► COBIT describes how IT processes deliver the information the business needs to achieve its objectives.
► For controlling this delivery, COBIT provides three key components, each forming a dimension of the COBIT cube: Business Requirements (Information Criteria), IT Resources and IT Processes.
27. COBIT Cube: IT Processes
► COBIT describes the IT life cycle with the help of four domains:
- Plan and Organize
- Acquire and Implement
- Deliver and Support
- Monitor and Evaluate
► Processes are series of activities with natural control breaks.
► 34 processes across the four domains specify what the business needs to achieve its objectives.
► Activities are actions that are required to achieve measurable results. Activities have life cycles and include many discrete tasks.
► The four-domain, 34-process model on this and the following slides is the COBIT 4.1 process model; COBIT 5 replaces it with the process reference model (separate governance and management domains) covered later in the deck.
28. COBIT Cube: IT Domains: Plan and Organize (PO)
► Objectives
- Formulating strategy and tactics
- Identifying how IT can best contribute to achieving business objectives
- Planning, communicating and managing the realization of the strategic vision
- Implementing organizational and technological infrastructure
► Scope
- Are IT and the business strategically aligned?
- Is the enterprise achieving optimum use of its resources?
- Does everyone in the organization understand the IT objectives?
- Are IT risks understood and being managed?
- Is the quality of IT systems appropriate for business needs?
29. COBIT Cube: IT Domains (cont’d): Plan and Organize processes
PO1 Define a strategic IT plan.
PO2 Define the information architecture.
PO3 Determine technological direction.
PO4 Define the IT processes, organisation and relationships.
PO5 Manage the IT investment.
PO6 Communicate management aims and direction.
PO7 Manage IT human resources.
PO8 Manage quality.
PO9 Assess and manage IT risks.
PO10 Manage projects.
30. COBIT Cube: IT Domains (cont’d): Acquire and Implement (AI)
► Objectives
- Identifying, developing, acquiring, implementing and integrating IT solutions
- Changes in and maintenance of existing systems
► Scope
- Are new projects likely to deliver solutions that meet business needs?
- Are new projects likely to be delivered on time and within budget?
- Will the new systems work properly when implemented?
- Will changes be made without upsetting current business operations?
31. COBIT Cube: IT Domains (cont’d): Acquire and Implement processes
AI1 Identify automated solutions.
AI2 Acquire and maintain application software.
AI3 Acquire and maintain technology infrastructure.
AI4 Enable operation and use.
AI5 Procure IT resources.
AI6 Manage changes.
AI7 Install and accredit solutions and changes.
32. COBIT Cube: IT Domains (cont’d): Deliver and Support (DS)
► Objectives
- The actual delivery of required services
- The management of security, continuity, data and operational facilities
- Service support for users
► Scope
- Are IT services being delivered in line with business priorities?
- Are IT costs optimized?
- Is the workforce able to use IT systems productively and safely?
- Are adequate confidentiality, integrity and availability in place?
33. COBIT Cube: IT Domains (cont’d): Deliver and Support processes
DS1 Define and manage service levels.
DS2 Manage third-party services.
DS3 Manage performance and capacity.
DS4 Ensure continuous service.
DS5 Ensure systems security.
DS6 Identify and allocate costs.
DS7 Educate and train users.
DS8 Manage service desk and incidents.
DS9 Manage the configuration.
DS10 Manage problems.
DS11 Manage data.
DS12 Manage the physical environment.
DS13 Manage operations.
34. COBIT Cube: IT Domains (cont’d): Monitor and Evaluate (ME)
► Objectives
- Performance management
- Monitoring of internal control
- Regulatory compliance
- Governance
► Scope
- Is IT’s performance measured to detect problems before it is too late?
- Does management ensure that internal controls are effective and efficient?
- Can IT performance be linked back to business goals?
- Are risk, control, compliance and performance measured and reported?
35. COBIT Cube: IT Domains (cont’d): Monitor and Evaluate processes
ME1 Monitor and evaluate IT performance.
ME2 Monitor and evaluate internal control.
ME3 Ensure compliance with external requirements.
ME4 Provide IT governance.
36. COBIT Cube: Information Criteria
► To satisfy business objectives, information needs to conform to specific control criteria, which COBIT refers to as business requirements for information.
► Broadly, the information criteria are based on the following requirements:
- Quality
- Fiduciary
- Security
37. COBIT Cube: Information Criteria (cont’d)
► Effectiveness: information being relevant and pertinent to the business process, as well as being delivered in a timely, correct, consistent and usable manner.
► Efficiency: the provision of information through the optimal (most productive and economical) use of resources.
► Confidentiality: the protection of sensitive information from unauthorised disclosure.
► Integrity: the accuracy and completeness of information, as well as its validity in accordance with business values and expectations.
► Availability: information being available when required by the business process, now and in the future; also the safeguarding of necessary resources and associated capabilities.
► Compliance: complying with the laws, regulations and contractual arrangements to which the business process is subject, i.e., externally imposed business criteria as well as internal policies.
► Reliability: the provision of appropriate information for management to operate the entity and to exercise its fiduciary and governance responsibilities.
Confidentiality, integrity and availability are the security requirements of the previous slide; the other criteria serve the quality and fiduciary requirements.
38. COBIT Cube: IT Resources
► IT processes manage IT resources to generate, deliver and store the information that the organization needs to achieve its objectives.
► The IT resources identified in COBIT are defined as:
- Applications are automated user systems and manual procedures that process information.
- Information is data that are input, processed and output by information systems, in whatever form is used by the business.
- Infrastructure includes the technology and facilities, such as hardware, operating systems and networking, that enable the processing of applications.
- People are the personnel required to plan, organize, acquire, implement, deliver, support, monitor and evaluate information systems and services. They may be internal, outsourced or contracted, as required.
39. COBIT 5 Cube
IT resources are managed by IT processes to achieve IT goals that respond to the business requirements. (figure)
40. Interrelationships with COBIT Components (figure)
41. COBIT 5 Principles (figure)
42. COBIT 5 Enablers (figure)
43. Governance and Management
► Governance ensures that enterprise objectives are achieved by:
- Evaluating stakeholder needs, conditions and options
- Setting direction through prioritisation and decision making
- Monitoring performance, compliance and progress against agreed-on direction and objectives (EDM)
► Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives (PBRM).
44. In Short…
► COBIT 5 brings together the five principles that allow the enterprise to build an effective governance and management framework.
► It is based on a holistic set of seven enablers that optimises information and technology investment and use for the benefit of stakeholders.
45. Navigating COBIT 5
46. COBIT 5: Complete Business Framework
Evolution of scope:
- COBIT 1 (1996): Audit
- COBIT 2 (1998): Control
- COBIT 3 (2000): Management
- COBIT 4.0/4.1 (2005/2007): IT Governance
- COBIT 5 (2012): Governance of Enterprise IT
Val IT 2.0 (2008) and Risk IT (2009) feed into COBIT 5.
47. COBIT 5 Product Family (figure)
48. Five COBIT 5 Principles
1. Meeting Stakeholder Needs
2. Covering the Enterprise End-to-end
3. Applying a Single Integrated Framework
4. Enabling a Holistic Approach
5. Separating Governance From Management
49. Meeting Stakeholder Needs
Enterprises exist to create value for their stakeholders.
50. Meeting Stakeholder Needs (cont’d)
► Enterprises have many stakeholders, and ‘creating value’ means different, and sometimes conflicting, things to each of them.
► Governance is about negotiating and deciding amongst different stakeholders’ value interests.
► The governance system should consider all stakeholders when making benefit, resource and risk assessment decisions.
► For each decision, the following can and should be asked:
- Who receives the benefits?
- Who bears the risk?
- What resources are required?
51. Meeting Stakeholder Needs (cont’d)
► Stakeholder needs have to be transformed into an enterprise’s practical strategy.
► The COBIT 5 goals cascade translates stakeholder needs into specific, practical and customised goals within the context of the enterprise, IT-related goals and enabler goals.
52. Meeting Stakeholder Needs (cont’d)
Benefits of the COBIT 5 goals cascade:
► It allows the definition of priorities for implementation, improvement and assurance of enterprise governance of IT based on enterprise strategic objectives and related risk.
► In practice, the goals cascade:
- Defines relevant and tangible goals and objectives at various levels of responsibility
- Filters the knowledge base of COBIT 5, based on enterprise goals, to extract relevant guidance for inclusion in specific implementation, improvement or assurance projects
- Clearly identifies and communicates how (sometimes very operational) enablers are important to achieve enterprise goals
53. Covering the Enterprise End-to-end
► COBIT 5 addresses the governance and management of information and related technology from an enterprise-wide, end-to-end perspective.
► This means it:
- Integrates governance of enterprise IT into enterprise governance, i.e., the governance system for enterprise IT proposed by COBIT 5 integrates seamlessly in any governance system because COBIT 5 aligns with the latest views on governance
- Covers all functions and processes within the enterprise; COBIT 5 does not focus only on the ‘IT function’, but treats information and related technologies as assets that need to be dealt with just like any other asset by everyone in the enterprise
54. Covering the Enterprise End-to-end (figure)
55. Applying a Single Integrated Framework
► COBIT 5 aligns with the latest relevant standards and frameworks:
- Enterprise: COSO, COSO ERM, ISO 9000, ISO 31000
- IT-related: ISO/IEC 38500, ITIL, ISO/IEC 27000 series, TOGAF, PMBOK/PRINCE2, CMMI
► Use it as the overarching governance and management framework integrator.
► ISACA plans a capability to facilitate COBIT users’ mapping of practices and activities to third-party references.
56. Enabling a Holistic Approach
COBIT 5 enablers are:
► Factors that, individually and collectively, influence whether something will work; in the case of COBIT, governance and management over enterprise IT
► Driven by the goals cascade, i.e., higher-level IT-related goals define what the different enablers should achieve
► Described by the COBIT 5 framework in seven categories
57. Enabling a Holistic Approach (cont’d) (figure)
58. Enabling a Holistic Approach (cont’d)
1. Processes: describe an organised set of practices and activities to achieve certain objectives and produce a set of outputs in support of achieving overall IT-related goals.
2. Organisational structures: are the key decision-making entities in an organisation.
3. Culture, ethics and behaviour: of individuals and of the organisation; very often underestimated as a success factor in governance and management activities.
4. Principles, policies and frameworks: are the vehicles to translate the desired behaviour into practical guidance for day-to-day management.
5. Information: is pervasive throughout any organisation, i.e., deals with all information produced and used by the enterprise. Information is required for keeping the organisation running and well governed, but at the operational level, information is very often the key product of the enterprise itself.
6. Services, infrastructure and applications: include the infrastructure, technology and applications that provide the enterprise with information technology processing and services.
7. People, skills and competencies: are linked to people and are required for successful completion of all activities and for making correct decisions and taking corrective actions.
59. Enabling a Holistic Approach (cont’d)
► Systemic governance and management through interconnected enablers: to achieve the main objectives of the enterprise, it must always consider an interconnected set of enablers, i.e., each enabler:
- Needs the input of other enablers to be fully effective, e.g., processes need information, organisational structures need skills and behaviour
- Delivers output to the benefit of other enablers, e.g., processes deliver information, skills and behaviour make processes efficient
► This is a KEY principle emerging from the ISACA development work around the Business Model for Information Security (BMIS).
60. Enabling a Holistic Approach (cont’d)
► All enablers have a set of common dimensions, which:
- Provides a common, simple and structured way to deal with enablers
- Allows an entity to manage its complex interactions
- Facilitates successful outcomes of the enablers
(figure) Source: COBIT® 5, figure 13. © 2012 ISACA®
61. Separating Governance From Management
► These two disciplines:
- Encompass different types of activities
- Require different organisational structures
- Serve different purposes
► Governance: in most enterprises, governance is the responsibility of the board of directors under the leadership of the chairperson.
► Management: in most enterprises, management is the responsibility of the executive management under the leadership of the CEO.
62. Separating Governance From Management (cont’d)
► Governance ensures that stakeholders’ needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; sets direction through prioritisation and decision making; and monitors performance and compliance against agreed-on direction and objectives (EDM).
► Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives (PBRM).
63. Separating Governance From Management (cont’d)
COBIT 5 is not prescriptive, but it advocates that organisations implement governance and management processes such that the key areas are covered, as shown.
(figure) Source: COBIT® 5, figure 15. © 2012 ISACA®
64. Separating Governance From Management (cont’d)
► The COBIT 5 framework describes seven categories of enablers (Principle #4).
► An enterprise can organise its processes as it sees fit, as long as all necessary governance and management objectives are covered.
► Smaller enterprises may have fewer processes, while larger and more complex enterprises may have many processes, all to cover the same objectives.
► COBIT 5 includes a process reference model (PRM), which defines and describes in detail a number of governance and management processes.
65. The Need for IT Governance
Challenges: Keeping IT Running, Security, Value/Cost, Managing Complexity, Aligning IT with Business, Regulatory Compliance
► Organizations require a structured approach for managing these and other challenges.
► This will ensure that there are agreed objectives for IT, good management controls in place and effective monitoring of performance to keep on track and avoid unexpected outcomes.
66. The Need for IT Governance (cont’d)
Enterprise governance is a set of responsibilities and practices exercised by the board and executive management with the goal of:
► Providing strategic direction
► Ensuring that objectives are achieved
► Ascertaining that risks are managed appropriately
► Verifying that the enterprise’s resources are used responsibly
67. Enterprise Governance Drives IT Governance
Enterprise governance is about:
► Conformance: adhering to legislation, internal policies, audit requirements, etc.
► Performance: improving profitability, efficiency, effectiveness, growth, etc.
Enterprise governance and IT governance require a balance between conformance and performance goals directed by the board.
68. IT Governance Focus Areas
► Strategic alignment: focuses on ensuring the linkage of business and IT plans; on defining, maintaining and validating the IT value proposition; and on aligning IT operations with enterprise operations.
► Value delivery: is about executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimising costs and proving the intrinsic value of IT.
► Resource management: is about the optimal investment in, and the proper management of, critical IT resources: applications, information, infrastructure and people. Key issues relate to the optimisation of knowledge and infrastructure.
► Risk management: requires risk awareness by senior corporate officers, a clear understanding of the enterprise’s appetite for risk, understanding of compliance requirements, transparency about the significant risks to the enterprise, and embedding of risk management responsibilities in the organisation.
► Performance measurement: tracks and monitors strategy implementation, project completion, resource usage, process performance and service delivery, using, for example, balanced scorecards that translate strategy into action to achieve goals measurable beyond conventional accounting.
69. Making IT Governance Work
► Make IT governance a workable solution, able to deal with the challenges and pitfalls presented by IT.
► Focus as much on improving performance and enabling competitive advantage as on preventing problems.
► Make IT governance a shared responsibility between the business (customer) and the IT service provider, with the full commitment and direction of the board.
► Align IT governance within a wider enterprise governance scheme.
► Boards and executive management need to extend enterprise governance to include IT, provide the necessary leadership and organisational structures, and insist on well-managed and properly controlled processes.
70. IT Governance Stakeholders
► Board and Executive: set direction for IT, monitor results and insist on corrective measures.
► Business Management: defines business requirements for IT and ensures that value is delivered and risks are managed.
► IT Management: delivers and improves IT services as required by the business.
► IT Audit: provides independent assurance to demonstrate that IT delivers what is needed.
► Risk and Compliance: measures compliance with policies and focuses on alerts to new risks.
71. Framework for IT Governance
COBIT:
► Starts from business requirements
► Is process-oriented, organizing IT activities into a generally accepted process model
► Identifies the major IT resources to be leveraged
► Defines the management control objectives to be considered
► Incorporates major international standards
► Has become the de facto standard for overall control of IT
It bridges the gaps between business risks, control needs and technical issues. It provides good practices across a domain and process framework and presents activities in a manageable and logical structure. IT resources need to be managed by a set of naturally grouped processes; COBIT provides a framework that achieves this objective.
72. How COBIT Helps Implement Effective IT Governance
COBIT brings the following advantages to an IT governance implementation effort:
► Enables mapping of IT goals to business goals and vice versa
► Better alignment, based on a business focus
► A view of what IT does that is understandable to management
► Clear ownership and responsibilities based on process orientation
► General acceptability with third parties and regulators
► Shared understanding amongst all stakeholders, based on a common language
► Fulfilment of the COSO requirements for the IT control environment
73. COBIT and Other IT Management Frameworks
We will consider and use a variety of IT models, standards and best practices. These must be understood in order to consider how they can be used together, with COBIT acting as the consolidator (‘umbrella’).
Diagram: frameworks positioned on two axes, WHAT versus HOW and scope of coverage; shown are COBIT, ISO 9000, ISO 17799 (since renumbered ISO/IEC 27002), ITIL and COSO.
74. Where Does COBIT Fit?
Diagram elements:
- Drivers: Performance (business goals) and Conformance (Basel II, SOX, etc.)
- Enterprise Governance and IT Governance: COBIT, COSO, Balanced Scorecard
- Best practice standards: ISO 9001:2000, ISO 17799 (since renumbered ISO/IEC 27002), ISO 20000, ITIL, Security Principles
- Processes and procedures: QA procedures
75. Governance, Risk and Compliance
► An increasingly used ‘umbrella term’ that covers these three areas of enterprise activities.
► These areas of activity are progressively being more aligned and integrated to improve enterprise performance and delivery of stakeholder needs.
76. GRC Definitions
► Governance: exercise of authority; control; government; arrangement.
► Risk (management): hazard; danger; peril; exposure to loss, injury, or destruction (management: the act or art of managing; the manner of treating, directing, carrying on, or using, for a purpose; conduct; administration; guidance; control).
► Compliance: the act of complying; a yielding, as to a desire, demand, or proposal; concession; submission.
Source: Webster’s Online Dictionary
77. Types of Governance
Different types of governance exist:
► Corporate governance
► Project governance
► Information technology governance
► Environmental governance
► Economic and financial governance
Each type has one or more sources of guidance, each with similar goals but often varying terms and techniques for their achievement.
78. Implementing Governance
► Integrating the implementation of GRC activities within an enterprise requires a systemic approach for reliably achieving the business goals of its stakeholders.
► Such approaches are typically based on enablers of various types, i.e., principles, policies, frameworks and organizational structures.
79. A GRC Model Example
From the OCEG Red Book GRC Capability Model version 2.1. (figure)
80. Corporate Governance of IT
ISO/IEC 38500:2008, Corporate governance of information technology
1.1 Scope
► It provides guiding principles for directors of organizations (including owners, board members, directors, partners, senior executives, or similar) on the effective, efficient, and acceptable use of information technology (IT) within their organizations.
► It applies to the governance of management processes (and decisions) relating to the information and communication services used by an organization.
► These processes could be controlled by IT specialists within the organization or external service providers, or by business units within the organization.
81. Corporate Governance of IT (cont’d)
ISO/IEC 38500:2008, Corporate governance of information technology
2.1 Principles
2.1.1 Principle 1: Responsibility
2.1.2 Principle 2: Strategy
2.1.3 Principle 3: Acquisition
2.1.4 Principle 4: Performance
2.1.5 Principle 5: Conformance
2.1.6 Principle 6: Human Behaviour
82. Corporate Governance of IT (cont’d)
ISO/IEC 38500:2008, Corporate governance of information technology
2.2 Model
Directors should govern IT through three main tasks:
a) Evaluate the current and future use of IT.
b) Direct preparation and implementation of plans and policies to ensure that use of IT meets business objectives.
c) Monitor conformance to policies, and performance against the plans.
83. GRC in COBIT 5
84. Governance in COBIT 5
► Governance ensures that enterprise objectives are achieved by evaluating stakeholder needs, conditions and options; setting direction through prioritisation and decision making; and monitoring performance, compliance and progress against agreed direction and objectives (EDM).
► Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives (PBRM).
85. Governance in COBIT 5 (cont’d)
► The COBIT 5 process reference model subdivides the IT-related practices and activities of the enterprise into two main areas, governance and management, with management further divided into domains of processes.
► The GOVERNANCE domain contains five governance processes; within each process, evaluate, direct and monitor (EDM) practices are defined:
- EDM01 Ensure governance framework setting and maintenance.
- EDM02 Ensure benefits delivery.
- EDM03 Ensure risk optimization.
- EDM04 Ensure resource optimization.
- EDM05 Ensure stakeholder transparency.
  • 86. Governance in COBIT 5 (cont’d) [figure slide]
  • 87. Risk Management in COBIT 5
    • The GOVERNANCE domain contains five governance processes, one of which focuses on stakeholder risk-related objectives: EDM03 Ensure risk optimization.
    • Process Description: Ensure that the enterprise’s risk appetite and tolerance are understood, articulated and communicated, and that risk to enterprise value related to the use of IT is identified and managed.
    • Process Purpose Statement: Ensure that IT-related enterprise risk does not exceed risk appetite and risk tolerance, that the impact of IT risk on enterprise value is identified and managed, and that the potential for compliance failures is minimized.
  • 88. Risk Management in COBIT 5 (cont’d)
    • The MANAGEMENT Align, Plan and Organise domain contains a risk-related process: APO12 Manage risk.
    • Process Description: Continually identify, assess and reduce IT-related risk within the levels of tolerance set by enterprise executive management.
    • Process Purpose Statement: Integrate the management of IT-related enterprise risk with overall enterprise risk management (ERM), and balance the costs and benefits of managing IT-related enterprise risk.
  • 89. Risk Management in COBIT 5 (cont’d) [figure slide]
  • 90. Risk Management in COBIT 5 (cont’d)
    • All enterprise activities have associated risk exposures resulting from environmental threats that exploit enabler vulnerabilities.
    • EDM03 Ensure risk optimization ensures that the enterprise stakeholders’ approach to risk is articulated, directing how the risk facing the enterprise will be treated.
    • APO12 Manage risk provides the ERM arrangements that ensure stakeholder direction is followed by the enterprise.
    • All other processes include practices and activities designed to treat related risk (avoid, reduce/mitigate/control, share/transfer, or accept).
  • 91. Risk Management in COBIT 5 (cont’d)
    COBIT 5 suggests accountabilities and responsibilities for enterprise roles and governance/management structures (RACI charts) for each process. These include risk-related roles.
  • 92. Compliance in COBIT 5
    • The MANAGEMENT Monitor, Evaluate and Assess domain contains a compliance-focused process: MEA03 Monitor, evaluate and assess compliance with external requirements.
    • Process Description: Evaluate that IT processes and IT-supported business processes are compliant with laws, regulations and contractual requirements. Obtain assurance that the requirements have been identified and complied with, and integrate IT compliance with overall enterprise compliance.
    • Process Purpose Statement: Ensure that the enterprise is compliant with all applicable external requirements.
  • 93. Compliance in COBIT 5 (cont’d)
    [figure slide] Source: COBIT® 5, figure 16. © 2012 ISACA® All rights reserved.
  • 94. Compliance in COBIT 5 (cont’d)
    • Legal and regulatory compliance is a key part of the effective governance of an enterprise, hence its inclusion in the GRC term and in the COBIT 5 Enterprise Goals and supporting enabler process structure (MEA03).
    • In addition to MEA03, all enterprise activities include control activities that are designed to ensure compliance not only with externally imposed legislative or regulatory requirements but also with enterprise governance-determined principles, policies and procedures.
  • 95. Compliance in COBIT 5 (cont’d)
    COBIT 5 suggests accountabilities and responsibilities for enterprise roles and governance/management structures (RACI charts) for each process. These include a compliance-related role.
  • 96. Summary
    • The COBIT 5 framework includes the necessary guidance to support enterprise GRC objectives and supporting activities:
      • Governance activities related to GEIT (5 processes)
      • A risk management process, and supporting guidance for risk management across the GEIT space
      • Compliance: a specific focus on compliance activities within the framework and how they fit within the complete enterprise picture
    • Inclusion of GRC arrangements within the business framework for GEIT helps enterprises to avoid the main issue with GRC arrangements: silos of activity!
  • 97. COBIT 5 Implementation
  • 98. COBIT 5 Implementation
    • The improvement of GEIT is widely recognised by top management as an essential part of enterprise governance.
    • Information and the pervasiveness of IT are increasingly part of every aspect of business and public life.
    • The need to drive more value from IT investments and manage an increasing array of IT-related risk has never been greater.
    • Increasing regulation and legislation over business use of information is also driving heightened awareness of the importance of a well-governed and managed IT environment.
  • 99. COBIT 5 Implementation (cont’d)
    • ISACA has developed the COBIT 5 framework to help enterprises implement sound governance enablers.
    • Indeed, implementing good GEIT is almost impossible without engaging an effective governance framework. Best practices and standards are also available to underpin COBIT 5.
    • Frameworks, best practices and standards are useful only if they are adopted and adapted effectively.
    • There are challenges that need to be overcome and issues that need to be addressed if GEIT is to be implemented successfully.
  • 100. COBIT 5 Implementation (cont’d)
    The COBIT 5 Implementation guidance covers the following subjects:
    • Positioning GEIT within an enterprise
    • Taking the first steps towards improving GEIT
    • Implementation challenges and success factors
    • Enabling GEIT-related organisational and behavioural change
    • Implementing continual improvement that includes change enablement and programme management
    • Using COBIT 5 and its components
  • 101. COBIT 5 Implementation (cont’d) [figure slide]
  • 102. COBIT 5 Future Supporting Products
  • 103. COBIT 5 Product Family [figure slide]
  • 104. COBIT 5 Future Supporting Products
    • Professional Guides
      • COBIT 5 for Information Security
      • COBIT 5 for Assurance
      • COBIT 5 for Risk
    • Enabler Guides
      • COBIT 5: Enabling Information
    • COBIT Online Replacement
    • COBIT Assessment Programme
      • Process Assessment Model (PAM): Using COBIT 5
      • Assessor Guide: Using COBIT 5
      • Self-assessment Guide: Using COBIT 5
  • 105. Thank You!