COBIT 5 2013 . . . and Beyond - AIEA

Transcription

COBIT 5 – 2013 . . . and beyond
Study Session, 28 November 2013, Torino
Alberto Piamonte

Session topics
- COBIT 5: Principles and Enablers
- Process Assessment
- COBIT 4.1 - 5
- Examples
- Information Security
- Enabling Information
- Assurance
- Risk
- Q&A

COBIT 5 «UNIVERSAL»
Where to operate: Processes; Principles – Policies – Frameworks; Systems; People; Organisation; Available information; Culture / ethics.
How to operate: Base practices / activities, consolidated and universally accepted, with reference to the main standards; priorities set according to business objectives.
Areas: Organisation; IT / IS set-up; Definition of IT solutions; Control; Service delivery; Support; Measurement and control.
. . . . . In a structured and connected way . . . . .

Frameworks
NIST Cybersecurity Framework: "The Framework Core is not a checklist of activities to perform; it presents key cybersecurity outcomes that are aligned with activities known to manage cybersecurity risk. These activities are mapped to a subset of commonly used standards and guidelines."
BI: PRELIMINARY PROVISIONS AND GENERAL PRINCIPLES. 1. Introduction. The internal control system is a fundamental element of the overall governance system of banks; it ensures that business activity is in line with corporate strategies and policies. These rules represent the general framework of the corporate control system.
Compliance-driven approach: check-box mentality; tactical and reactive; achieves point-in-time compliance / certification.
Risk-based approach: proactive and holistic; continuous monitoring; proactive mentality.

Governance tools: COBIT 5 is studied, adapted and applied.
«UNIVERSAL» Framework: Info Security; Risk; Business context; Vendor Mgmt; EU Privacy.
Problem-specific framework based on COBIT 5: Principles; Enablers; Goals; Assessment Guide; Information Security; Assurance; Enabler Information; Risk; Implementation Guide.

COBIT 5 Principles

Principle 1 – Meeting Stakeholder Needs
1. Understand the needs
2. Translate them into Business goals
3. Translate these into IT goals
Goals cascade: Stakeholder Drivers (Environment, Technology Evolution, ...) -> Stakeholder Needs (Benefits Realisation, Risk Optimisation, Resource Optimisation) -> Enterprise Goals -> IT-related Goals -> Enabler Goals.
This is our area of intervention: at this level we must identify and manage IT goals / risks, translating them into concrete actions from a «business» perspective.

Balanced Scorecard: the «balanced» corporate «Vision»: start on the right foot.
"This simple test will give you insights into your strategy, and help you to avoid some of the many pitfalls of poor strategy design, management and implementation."
Goals cascade: Stakeholder Drivers (Environment, Technology Evolution, ...) -> Stakeholder Needs (Benefits Realisation, Risk Optimisation, Resource Optimisation) -> Enterprise Goals -> IT-related Goals -> Process and Enabler Goals.
Enterprise Goals by Balanced Scorecard dimension:
- Financial: Stakeholder value of business investments; Portfolio of competitive products and services; Managed business risks (safeguarding of assets); Compliance with external laws and regulations; Financial transparency
- Customer: Customer-oriented service culture; Business service continuity and availability; Agile responses to a changing business environment; Information-based strategic decision making; Optimisation of service delivery costs
- Internal: Optimisation of business process functionality; Optimisation of business process costs; Managed business change programmes; Operational and staff productivity; Compliance with internal policies
- Learning & Growth: Skilled and motivated people; Product and business innovation culture

Principle 2: Covering the Enterprise End-to-End
Governance model: Owners and Stakeholders -> (Delegate) -> Governing Body -> (Set Direction; Instruct and Align) -> Operations and Execution; the Governing Body monitors Operations and is accountable to Owners and Stakeholders.
Goals cascade: Stakeholder Drivers (Environment, Technology Evolution, ...) -> Stakeholder Needs (Benefits Realisation, Risk Optimisation, Resource Optimisation) -> Enterprise Goals -> IT-related Goals -> Enabler Goals.

Principle 3: A Single Integrated Framework
COBIT 5:
- Aligned with the other standards and frameworks available today
- Covers the whole enterprise
- Provides the basis for effectively integrating the other standards, frameworks and practices in use
- Integrates all previous ISACA products
- An architecture that gives structure to governance rules and produces a coherent set of practical tools
2012 ISACA. All Rights Reserved.

Principle 3: A Single Integrated Framework


COBIT 5 Product Family

COBIT 5 publications (28/11/2013)
- COBIT 5 Framework
- COBIT 5 Enabling Processes
- COBIT 5 Implementation tool kit
- COBIT 5 for Information Security
- COBIT 5 for Assurance
- COBIT 5 for Risk
- COBIT Assessment Programme
- COBIT Process Assessment Model (PAM): Using COBIT 5
- COBIT Assessor Guide: Using COBIT 5
- COBIT Self-Assessment Guide: Using COBIT 5 tool kit
- COBIT 5: Enabling Information
- COBIT Translations (?)
- COBIT 5 Online (Q4 2013 / 2014)
- Vendor Management Using COBIT 5
- Configuration Management Using COBIT 5
- Transforming Cybersecurity Using COBIT 5
- Securing Mobile Devices Using COBIT 5 for Information Security
- Security Considerations for Cloud Computing (Appendix C. Mapping Threats and Mitigating Actions to COBIT 5 for Information Security tool kit)
- Advanced Persistent Threats: How To Manage The Risk To Your Business
- Big Data White Paper
The slide tabulated, for each document, the number of pages and the price for AIEA (Milan) members and non-members, with a total of 1,405 pages; the individual values are not recoverable from the transcription.

Who recognises COBIT 5?
Regulatory and Legislative Recognition: USA, Canada, India, Japan, Brazil, Argentina, Australia, UAE - Dubai, Colombia, Costa Rica, Mexico, Paraguay, Uruguay, Venezuela, Greece, Lithuania, Romania. The EU recognises COBIT as a Framework. Turkey, South Africa. Russia? PRC?

Principle 4: Enabling a Holistic Approach
COBIT 5 defines a set of enablers for implementing a comprehensive governance and management system for enterprise IT.
COBIT 5 enablers are:
- Factors that, individually or collectively, influence whether something works
- Linked to the goals cascade
- Described in the COBIT 5 framework in seven categories

Principle 5 – Separating Governance from Management

Principle 5: Separating Governance from Management
Governance ensures that stakeholder needs, conditions and options are:
– Evaluated to determine balanced, agreed-on objectives to be achieved
– Set direction through prioritisation and decision making
– Monitored for performance and progress against the agreed objectives and priorities (EDM)
Management plans, builds, runs and monitors the activities aimed at achieving the objectives set by Governance in order to reach the enterprise goals (PBRM)

The COBIT 5 Enterprise Enablers

The dimensions of any COBIT 5 Enabler
- Who has an active role in determining what is expected of the enabler?
- How is an enabler managed?
- Has it delivered the expected results?
- Will it deliver the expected results?

Enabler: Principles, Policies and Frameworks
The purpose of this enabler is to communicate the direction and instructions of Corporate Management. They are tools for communicating rules and instructions in support of the governance objectives and corporate values.
Good practices

Enabler: Organisational Structures
The "Good Practices" for organisational structures can be grouped as:
- Operating principles – The practical arrangement of how the structure will operate
- Span of control – The boundaries within which decision-making authority is exercised
- Level of authority – The decisions the structure is authorised to take
- Delegation of responsibility – The structure may delegate a subset of decisions to structures reporting to it
- Escalation procedures – The paths to follow when problems arise in making decisions

Enabler: Processes
COBIT 5 Enabling Processes is the reference manual for the 37 COBIT 5 processes

Life Cycle: "generic" practices (GP), such as those contained in the COBIT 5 Process Assessment Model (based on the ISO/IEC 15504 standard), assist in defining, executing, monitoring and optimising a process.
Process Practices: COBIT 5 Enabling Processes describes the "internal process practices" in terms of practices, activities and detailed activities.
How is the process managed? Will it deliver the expected results?

COBIT 5 Process Reference Model
Processes: a holistic view. Govern; Plan and Organise; Manage; Build; Deliver.

Structure of a COBIT 5 process: Process description; Purpose; IT-related goals and related metrics; Process goals and related metrics; Detailed activities.

Connections between processes (Process A, Process B, Process C). For each process: Description; Purpose; IT-related goals and related metrics; Process goals and related metrics; RACI; Practices; Activities; Inputs (From) and Outputs (To).
A very detailed (and exhaustive) set of relationships comprising, for each G/M Practice (210): responsibilities (RACI) (25); work products (about 700); activities (1,112 detailed activities), usable operationally.

Purpose; IT-Related Goals (primary); Goals (outcomes)

RACI; Base Practices; Excel RACI

Base Practice; WP in / out; Activities


ISO/IEC 15504 (SPICE)
ISACA Milan Chapter

ISO/IEC 15504 SPICE Project
- 1993: need for tools to evaluate suppliers for the acquisition of systems (defence and telecommunications) with a high software content
- 2003: release of ISO/IEC 15504
Focus on:
- How to define a process so as to be able to predict its capability (capability vs. maturity) to produce the expected results (outcomes)
- How to perform the measurement

ISO/IEC 15504
ISO/IEC 15504-2:2003 identifies the measurement framework for process capability and the requirements for:
– performing an assessment;
– process reference models;
– process assessment models;
– verifying conformity of process assessment.
The requirements for process assessment defined in ISO/IEC 15504-2:2003 form a structure which:
– facilitates self-assessment;
– provides a basis for use in process improvement and capability determination;
– takes into account the context in which the assessed process is implemented;
– produces a process rating;
– addresses the ability of the process to achieve its purpose;
– is applicable across all application domains and sizes of organization; and may provide an objective benchmark between organizations.
ASSESSMENT: Objective, Impartial, Consistent, Repeatable, Representative, Comparable.
The minimum set of requirements defined in ISO/IEC 15504-2:2003 ensures that assessment results are objective, impartial, consistent, repeatable and representative of the assessed processes. Results of conformant process assessments may be compared when the scopes of the assessments are considered to be similar.

ISO/IEC 15504 – Process Assessment Model (PAM)

PAM: PRM & MF


ISACA's COBIT Assessment Programme

What is the new COBIT assessment process? The COBIT process assessment programme is described in COBIT Process Assessment Model (PAM): Using COBIT 5.
PAM brings together two proven 'heavyweights' in the IT arena, ISO and ISACA. ISACA decided to adopt ISO/IEC 15504-2:2003 Information technology—Process assessment—Part 2: Performing an assessment, which supports, among others, both the Committee of Sponsoring Organizations of the Treadway Commission's Internal Control—Integrated Framework and ITIL Version 3 assessments using the ISO approach.
The COBIT PAM uses the existing COBIT 5 content: an ISO 15504 compliant process assessment model.

Assessment Overview: Process Assessment Model; Assessment Process

Process purpose: the high-level measurable objectives of performing the process and the likely outcomes of effective implementation of the process.
Process outcome: an observable result of a process—an artefact, a significant change of state or the meeting of specified constraints.
Base practices: the activities that, when consistently performed, contribute to achieving the process purpose.
Work products: the artefacts associated with the execution of a process—defined in terms of process 'inputs' and process 'outputs'.

Same structure: Description; IT-related goals and related metrics; Process goals and related metrics; Inputs (From); Outputs (To); Activities.

Process Attributes and Capability Levels
This figure is reproduced from ISO 15504-5 2006 with the permission of ISO at www.iso.org. Copyright remains with ISO.

Levels 2-5
It should be noted that WPs for some processes provide higher capability requirements for other processes. This will result in a progressive implementation of processes.
The initial focus of any process assessment would be the core (sometimes called primary) processes, which are primarily part of the BAI and DSS domains. Processes in the APO and MEA domains will be required to support improvement in the capability of these core processes past level 1.
An example is APO01 Manage the IT management framework, which is required as part of establishing the IT process framework, to document the roles and responsibilities required by processes at capability level 2.

Performance and Capability

Setting Target (Cost vs. Benefit)
The «optimal» point also depends on the type and size of the enterprise, so the capability measure can be used to optimise ROI.
(Chart: cost against effectiveness of protection; the region beyond the optimal point is labelled "wasted money".)

Assessment Process Activities
1. Initiation
2. Planning the assessment
3. Briefing
4. Data collection
5. Data validation
6. Process attributes rating
7. Reporting the results

COBIT 4.1 ?

Where Have All the Control Objectives Gone?

Erik Guldentops, ISACA Journal 4/2011
COBIT 4.1 Control Objectives
– Very useful
– No clear distinction between objective and action
COBIT 5 (and CobiT 4.1 "PAM-med")
– They no longer exist: replaced by G&M Practices and Outcomes
CobiT 4.1
– The concept of "sequence of activities" is little developed
COBIT 5 (and CobiT 4.1 "PAM-med")
– WP in - G&M Practices - WP out

Let's see it all graphically
(Diagram comparing CobiT 4.1 (Maturity Model, Control Objectives, PC1) with CobiT 4.1 "PAM-med" and COBIT 5.0 (IT-related Goal, Inputs / WP in, Practices with RACI, Activities, Outcomes (Goals), Outputs / WP out, PAM).)

Mapping CobiT 4.1, Val IT, Risk IT to COBIT 5
- CobiT 4.1 Application Controls: 6 (mapped)
- CobiT 4.1 Control Objectives: 210 (207 mapped, 3 deleted)
- Val IT Key Management Practices: 43 (mapped)
- Risk IT Key Management Practices: 43 (mapped)
- COBIT 5 G/M Practices: 210 (177 from CobiT 4.1, 33 new)
See Annex.

CobiT 4.1 Control Objective - COBIT 5 BP I/O Activity
CobiT 4.1 Control Objective AI1.4 Requirements and Feasibility Decision and Approval
Verify that the process requires the business sponsor to approve and sign off on business functional and technical requirements and feasibility study reports at predetermined key stages. The business sponsor should make the final decision with respect to the choice of solution and acquisition approach.
COBIT 5

CobiT 4.1 Control Objective - COBIT 5 BP I/O Activity
CobiT 4.1 Control Objective DS4.6 IT Continuity Plan Training
Provide all concerned parties with regular training sessions regarding the procedures and their roles and responsibilities in case of an incident or disaster. Verify and enhance training according to the results of the contingency tests.
COBIT 5

Enabler: Culture, Ethics and Behaviour
The "Good practices" for creating, encouraging and maintaining the desired behaviours are:
- Communication of the desired behaviours and of the enterprise's values (codes of ethics)
- Awareness of which behaviours are desired
- Incentives
- Rules, norms and sanctions

Enabler: Information
. . . when Information is the main (enabling) factor . . . for example

Addressing Information Governance and Management Issues Using COBIT 5

Information Governance/Management Issue: Marketing Situational Awareness (Big Data Dimension 1: Variety of Information). Marketing Function Goal; Risk.
4.3.1 Issue Description and Business Context
- An enterprise marketing team wishes to increase its awareness of and capacity to respond to public perceptions of its company's offerings.
- Data sources include social media postings, such as micro and traditional blogs, social sites, and audio conversations between customers and service representatives.
- The enterprise wishes to correlate the sentiment detected in both online and call centre channels with sales trends in various segments and regions around the world.
- Speech-to-text conversion, web indexing and natural language text processing are required. In big data terms, this is a variety issue.
COBIT 5: no longer just the IT Function!

A new dimension for COBIT 5
Stakeholder Drivers (Environment, Technology Evolution, ...) -> Stakeholder Needs (Benefits Realisation, Risk Optimisation, Resource Optimisation) -> Enterprise Goals -> IT-Function Goals and Marketing and Sales Function Goals -> Enablers for the IT Function and Enablers for Marketing and Sales.

Enabler 6: Services, Infrastructure and Applications
"Good Practices" for the enabler. Architecture: general principles and rules that guide the implementation and use of IT resources. For example:
- Reuse – Common components to be reused
- Buy vs. build – Decision rules (e.g. solutions are to be bought unless there is a precise rationale for in-house development, etc.)
- Simplicity – The architecture is to be designed and maintained with the greatest simplicity compatible with the objectives
- Flexibility (Agility) – Respond to changing needs effectively and efficiently
- Openness – Use solutions based on Open Industry Standards as far as possible

Enabler 7: People, Skills and Competencies
"Good practices", in particular for:
- Describing the various competency levels for the various roles
- Defining the capacity for each role
- Mapping skill categories to the COBIT 5 process domains (APO, BAI etc.), see next slide; in particular for IT-related activities, e.g. business analysis, information management etc.
- Using external sources to define the "good practices", such as: The Skills Framework for the Information Age (SFIA)

COBIT 5 Implementation
Need for new or improved IT governance organization is usually recognized by pain points and/or trigger events

COBIT 5: Two examples of use

Example 1: European Data Protection Regulation, SECTION 3 RECTIFICATION AND ERASURE, Article 16 Right to rectification: "The data subject shall have the right to obtain from the controller the rectification of personal data relating to them which are inaccurate. The data subject shall have the right to obtain completion of incomplete personal data, including by way of supplementing a corrective statement."
It is a «Service request» that requires a «Service capability»: how?
Where to operate (Governance: Board; Benefits; Avoiding risks; Optimal management of resources): Processes; Principles – Policies – Frameworks; Organisation; Systems; People; Available information; Culture / ethics. How to operate: base practices / activities, consolidated and universally accepted, with reference to the main standards; priorities according to business objectives.
Area: Management - Domain: Deliver, Service and Support. DSS02 - Manage Service Requests and Incidents. Process Description: Provide timely and effective response to user requests and resolution of all types of incidents. Restore normal service; record and fulfil user requests; and record, investigate, diagnose, escalate and resolve incidents.
COBIT 5 added value.

DSS02 - Management Practices (with RACI)
- DSS02.01 - Define incident and service request classification schemes. Description: Define incident and service request classification schemes and models.
- DSS02.02 - Record, classify and prioritise requests and incidents. Description: Identify, record and classify service requests and incidents, and assign a priority according to business criticality and service agreements.
- DSS02.03 - Verify, approve and fulfil service requests. Description: Select the appropriate request procedures and verify that the service requests fulfil defined request criteria. Obtain approval, if required, and fulfil the requests.
- DSS02.04 - Investigate, diagnose and allocate incidents. Description: Identify and record incident symptoms, determine possible causes, and allocate for resolution.
- DSS02.05 - Resolve and recover from incidents. Description: Document, apply and test the identified solutions or workarounds and perform recovery actions to restore the IT-related service.
- DSS02.06 - Close service requests and incidents. Description: Verify satisfactory incident resolution and/or request fulfilment, and close.
- DSS02.07 - Track status and produce reports. Description: Regularly track, analyse and report incident and request fulfilment trends to provide information for continual improvement.

. . . activities
DSS02.01 - Define service request classification schemes (Output). To: Internal; Internal. Description: Incident and service request classification schemes and models; Rules for incident escalation.
DSS02.01 - Activities
1. Define incident and service request classification and prioritisation schemes and criteria for problem registration, to ensure consistent approaches for handling, informing users about and conducting trend analysis.
2. Define incident models for known errors to enable efficient and effective resolution.
3. Define service request models according to service request type to enable self-help and efficient service for standard requests.
4. Define incident escalation rules and procedures, especially for major incidents and security incidents.
5. Define incident and request knowledge sources and their use.
1. Define and communicate the nature and characteristics of potential security-related incidents so they can be easily recognised and their impact understood to enable a commensurate response.

Only for one article?
There are many «instances» for which the capability to deliver a service or to manage an incident (DSS02) is required.
Service Capabilities / Requests and the corresponding EU articles:
- Automatic deletion of expired data (Art. 17): Article 17 - Right to be forgotten and to erasure - 7
- Communicate rectification / erasure (Artt. 16 and 17): Article 13 - Rights in relation to recipients
- Deletion of data on request: Article 17 - Right to be forgotten and to erasure
- Communication on whether or not Art. 13, 15, 19 have been applied: Article 12 - Procedures and mechanisms for exercising the rights of the data subject - 2 and - 3
- Confirmation that data are (are not) processed: Article 15 - Right of access for the data subject
- Consent withdrawal: Article 7 - Conditions for consent - 3
- Data breach notification to the data subject: Article 32 - Communication of a personal data breach to the data subject
- Data breach notification to the Supervisory Authority: Article 31 - Notification of a personal data breach to the supervisory authority
- Inform third parties that personal data are to be erased: Article 17 - Right to be forgotten and to erasure
- Privacy awareness: Article 37 - Tasks of the data protection officer - 1 - (b)
- Restrict processing instead of erasure: Article 17 - Right to be forgotten and to erasure - 4
- Data rectification: Article 16 - Right to rectification
- Request for information by the data subject by electronic means (Art. 12): Article 12 - Procedures and mechanisms for exercising the rights of the data subject - 1
- Transmit a copy of the data undergoing processing: Article 18 - Right to data portability
. . .

For enterprises of any size?
- Small: ask the «accountant»
- Medium: COBIT 5 – DSS02
- Large: COBIT 5 – DSS02; ISO 15504 Capability Assessment


A scheme: the life cycle!
- Setup: Requirements; Call for tender; Evaluation; Shortlist; Negotiation
- Contract: Agreement; Deliverables; Service levels; Metrics; Costs; Legal
- Operations: Start-up; Operations management; Monitoring
- Transition-out: Operational phase-out; Transfer of knowledge and operational management to the new vendor
Vendor change; contract change / amendments.
The scheme can be used to:
- Assign responsibilities
- Identify threats and assess impacts, associating them with the related corrective actions
- Map the process onto the enterprise's reality
- Identify supporting tools / documents (Enabler Information!)

Assigning responsibilities

Identifying threats and weighing the resulting risks
"Recent research reveals that approximately one out of five enterprises (19 percent) does not invest sufficient effort to manage vendors and vendor-provided services effectively."
Threat | Resulting risk | Impact
- T1 Vendor selection | Financial, operational, reputational and legal/compliance | ?
- T2 Contract development | Financial, operational and legal/compliance | ?
- T3 Requirements | Financial, operational, reputational and legal/compliance | ?
- T4 Governance | Financial, operational and legal/compliance | ?
- T5 Strategy | Financial, operational and legal/compliance | ?

For each threat: one or more corrective actions; an indication of the enablers (1) involved.
1 - Enablers:
1. Principles, policies and frameworks
2. Processes
3. Organizational structures
4. Culture, ethics and behaviour
5. Information
6. Services, infrastructure and applications
7. People, skills and competencies

Identifying threats and assessing impacts, associating them with the related corrective actions (matrix of corrective actions against threats T1-T5; the individual marks are not recoverable from the transcription)
1. Diversify sourcing strategy to avoid overreliance or vendor lock-in
2. Establish policies and procedures for vendor management
3. Establish a vendor management governance model
4. Set up a vendor management organization within the enterprise
5. Foresee requirements regarding the skills and competencies of the vendor employees
6. Use standard documents and templates
7. Formulate clear requirements
8. Perform adequate vendor selection
9. Cover all relevant life-cycle events during contract drafting
10. Determine the adequate security and controls needed during the relationship
11. Set up SLAs
12. Set up operating level agreements (OLAs) and underpinning contracts
13. Set up appropriate vendor performance/service level monitoring and reporting
14. Establish a penalties and reward model with the vendor
15. Conduct adequate vendor relationship management during the life cycle
16. Review contracts and SLAs on a periodic basis
17. Conduct vendor risk management
18. Perform an evaluation of compliance with enterprise policies
19. Perform an evaluation of vendor internal controls
20. Plan and manage the end of the relationship
21. Use a vendor management system
22. Create data and hardware disposal stipulations


COBIT 5 «Vendor Management Framework»

Holistic!!! Risk-based approach? What is missing?

And the other enablers?
(Chart of corrective actions per enabler: Process; Principles, Policies and Frameworks; Information; Services, Infrastructure and Applications; Organisational Structures; Ethics, Culture and Behaviour; People, Skills and Competencies. The counts are not recoverable from the transcription.)

Enabler: Information
- Call for Tender
- Vendor Contract
- Service Level Agreements: SLAs Defined; How to Create Successful SLAs; SLA Common Pitfalls; Benefits of Effective Service Level Management; OLAs and Underpinning Contracts
- Managing a Cloud Service Provider: Excerpt From Security Considerations for Cloud Computing
- Appendix A. Vendor Selection Dashboard (weighted selection criteria)
- Appendix B. Call for Tender Template
- Appendix C. Call for Tender Checklist
- Appendix D. Drafting the Contract: High-level Legal Checklist for Nonlegal Stakeholders
- Appendix E. Example Contract Template
- Appendix F. SLA Template
- Appendix G. Service Level Agreement (SLA) Checklist
- Appendix H. Example SLA Template
- Appendix I. Example Generic SLA
- Appendix J. Example SLA Slim Version
- Appendix K. Example SLA for Back Office and Local Area Network (LAN) Services
- Appendix L. High-level Mapping of COBIT 5 and ITIL V3 for Vendor Management

COBIT 5 for Assurance

Scope of the Assurance Publication
In this publication, two perspectives on assurance are identified:
Assurance function perspective: describes what is needed in an enterprise to build and provide assurance function(s). COBIT 5 is an end-to-end framework, meaning that it considers the provisioning and use of assurance as part of the overall governance and management of enterprise IT.
Assessment perspective: describes the subject matter over which assurance needs to be provided. In this case, the subject matter is enterprise IT, which is described in ample detail in the COBIT 5 framework and COBIT 5: Enabling Processes and is therefore not covered in detail in the assurance guide itself.

Two Perspectives on Assurance Provided by COBIT 5
Both perspectives are built on the seven common governance and management enablers of the COBIT 5 framework.

Assurance Framework

Contents of COBIT 5 for Assurance: assurance using all the enablers; examples of assurance with COBIT 5:
1. Change management
2. Risk management
3. Bring your own device (BYOD)

Risk Framework (20/12/2013)

COBIT 5 for Information Security, June 2012 – 220 pages


COBIT 5 for Info Security: Structure
Principles, Policies and Frameworks: 1. Model; 2. Information Security Principles; 3. Information Security Policies; 4. Adapting Policies to the Enterprise's Environment; 5. Policy Life Cycle
Processes: 1. Process . . .
Organisational Structures: 1. Model; 2. Information Security Roles and Structures; 3. Accountability Over Information Security
Culture, Ethics and Behaviour: 1. Model; 2. Culture Life Cycle; 3. Leadership and Champions; 4. Desirable Behaviour
Information: 1. Model; 2. Information Types; 3. Information Stakeholders; 4. Information Life Cycle
Services, Infrastructure and Applications
