Strategy, COBIT And Vision: HOW DO THEY RELATE?

Transcription

Strategy, COBIT and Vision: HOW DO THEY RELATE?
Ken Vander Wal, CISA, CPA, Past President, ISACA
vandeke@gmail.com
11.16.2013

AGENDA
- IT's Changing Landscape
- ISACA's Response
- Vision and Mission
- COBIT 5
- Strategy 2022
- Questions and Discussion

PACE OF CHANGE OF DIGITAL INFRASTRUCTURE
Digital power:
- Computing: Moore's law, doubles every 18 months
- Communication: Fiber law, doubles every 9 months
- Storage: Disk law, doubles every 12 months
- Content: Community law, 2^n, where n is the number of people
Source: John Seely Brown

WORLDWIDE IT SPENDING FORECAST (billions of US dollars)

Category              2012 Spending  Growth  2013 Spending  Growth  2014 Spending  Growth
Data Center Systems   141            2.3%    147            4.5%    154            4.2%
Enterprise Software   278            3.3%    296            6.4%    316            6.8%
IT Services           881            1.8%    927            5.2%    974            5.1%
Telecom Services      1,661          -0.1%   1,701          2.4%    1,742          2.4%
Overall IT            3,588          1.2%    3,737          4.2%    3,881          3.8%

Source: Gartner (January 2013)

OTHER GARTNER PREDICTIONS
- Technology spend outside IT will become almost 90% by the end of the decade.
- 4.4M IT jobs globally will be created to support Big Data ($34B of IT spending in 2013).
- In 2016, 1.6B smart mobile devices will be purchased globally.
- Security investments will increase by 56% in five years. Driver: regulatory compliance.

WHAT DOES IT MEAN?
Information systems environments are continuing to increase in complexity and impact, bringing unprecedented value opportunities along with significant risk. This requires:
- Active governance and management of information
- Advanced auditing and security approaches

EXAMPLE
Securing and auditing the cloud requires a good understanding of:
- Technologies (web services, virtualization)
- Related control frameworks
- Business requirements (linking IT with the business)
- Legal requirements (data transfer, retention, protection)
- Contractual agreements (e.g., impeding factors from moving to other providers)
Source: ISACA Cloud Computing Management Audit/Assurance Program

ISACA THEN AND NOW

THEN
- EDPAA
- CISA and CISM
- IS Auditing Standards and IS Control Standards
- COBIT
- 7,504 members (y-e 1992)

NOW
- ISACA
- IT auditors and risk managers, privacy officers, compliance professionals, information security experts, IT control and IT governance professionals
- CGEIT and CRISC
- COBIT 5
- 110,388 members (y-e 2012)

KEY ACCOMPLISHMENTS IN 2013
- The association reached 100,000 full-year dues-paying members
- The 100,000th CISA was awarded
- We successfully opened our 200th chapter
- Achieved an 83% retention rate on a global basis
- Our CRISC certification won an award for the best professional certification from SC Magazine

VISION AND MISSION

VISION AND MISSION
ISACA's vision (to aspire to as an organization):
"Trust in, and value from, information systems"

ISACA's mission (to guide decision making and investments):
"For professionals and organizations be the leading global provider of knowledge, certifications, community, advocacy and education on information systems, assurance and security, enterprise governance of IT, and IT-related risk and compliance"

IT VALUE FACTORS (cycle diagram)
Business requirements drive the investment in IT resources, which are used by IT processes to deliver enterprise information, which in turn responds to business requirements.
Annotations on the cycle:
- Alignment: IT and business processes
- Integration: organization structure, organization strategy
- Enterprise architecture, business architecture, process design, organization design, performance metrics

VALUE DEFINED (VAL IT)
- IT is not an end in itself but a means of enabling business outcomes.
- IT is not about implementing technology. It is about unlocking value through IT-enabled organizational change.
- Value is the total life-cycle benefits net of related costs, adjusted for risk and (in the case of financial value) for the time value of money.
- The concept of value relies on the relationship between meeting the expectations of stakeholders and the resources used to do so.

TRUST DEFINED
- Definition 1: Trust is the ability to predict what a system will do in various situations.
- Definition 2: Trust is using an information system without having full knowledge about it.
- Definition 3: Trust is giving something now (credit card) with an expectation of some future return or benefit (online purchase).
- Definition 4: Trust is being vulnerable (entering private and sensitive information) while expecting that the vulnerabilities will not be exploited (identity theft).

Trust that:
- Private and sensitive information will remain confidential.
- Process integrity is maintained.
- Essential business processes are available or recoverable.

TRUST AND VALUE RELATIONSHIP (Trust, Value, Assurance)
- Trust creates the opportunity for Value.
- Value is based on an expectation of Trust.
- Assurance binds Trust and Value together.

Information systems are integral enablers that:
- Achieve an organization's strategy and business objectives
- Provide the confidentiality, integrity, availability and reliability of information assets
- Ensure compliance with applicable laws and regulations
Their criticality brings to the enterprise unprecedented potential for both value creation and risk (creating the need for trust).
Surrounding disciplines (diagram): Governance, Audit/Assurance, Risk Management, Information Security

COBIT 5

COBIT 5: GOVERNANCE OF ENTERPRISE IT
Evolution of scope:
- COBIT 1 (1996): Audit
- COBIT 2 (1998): Control
- COBIT 3 (2000): Management
- COBIT 4.0/4.1 (2005/7): IT Governance
- COBIT 5 (2012): Governance of Enterprise IT (GEIT)
Also incorporated: Val IT 2.0 (2008), Risk IT (2009)
© 2012 ISACA. Used by permission.

COBIT 5: PRODUCT FAMILY (figure)
© 2012 ISACA. Used by permission.

COBIT 5: OVERVIEW
COBIT 5 brings together the five principles that allow the enterprise to build an effective governance and management framework, based on a holistic set of seven enablers, that optimises the information and technology investment and use for the benefit of stakeholders.

COBIT 5: THE FRAMEWORK
In other words, it:
- Creates optimal value by balancing benefits, risk and resources
- Enables information and related technology to be governed and managed in a holistic manner
- Offers generic, useful principles and enablers

COBIT 5 PRINCIPLES (figure)
© 2012 ISACA. Used by permission.

COBIT 5 ENABLERS (figure)
© 2012 ISACA. Used by permission.

COBIT 5 ENABLING PROCESSES (figure)
© 2012 ISACA. Used by permission.

OTHER COBIT 5 RESOURCES
- Vendor Management Using COBIT 5
- COBIT 5: Enabling Information (just released)
- Configuration Management Using COBIT 5
- Risk Scenarios Using COBIT 5 for Risk (February 2014)
- Securing Mobile Devices Using COBIT 5
- Controls and Assurance in the Cloud Using COBIT 5 (April 2014)
- Transforming Cybersecurity Using COBIT 5
- IT Control Objectives for Sarbanes-Oxley (update, June 2014)
- COBIT Process Assessment Model: Using COBIT 5
- Advanced Persistent Threats: How to Manage Risk in Your Business

STRATEGY 2022

STRATEGIC ASPIRATION
By 2022, ISACA will be the foremost global organization on the topic of trust in and value from information and information systems, providing distinctive relevant knowledge and services to help stakeholders enhance the governance and management of information and information systems.

Timeline:
- Horizon 1: 2012-2014
- Horizon 2: 2015-2018
- Horizon 3: 2019-2022

20-PLUS INITIATIVES
1. Expanding products for current constituents
2. Creating new products for new constituents
3. Targeting industries and building enterprise relationships
4. Strengthening the operating mode

STAKEHOLDERS AND ENABLERS

Enterprise: both private and public sector entities, including commercial organizations, government entities, academic institutions, professional not-for-profits, etc.

Consumers (members, credential holders, non-member consumers): ISACA's individual stakeholders will be drawn from the population of those with professional focus in areas of information and practices related to IT/IS governance, management, security, assurance or risk [for expediency, ISACA terms these individuals information trust/value professionals]. Whether these individuals will be members, credential holders, non-member consumers or not interested in ISACA depends on their perception of ISACA's value proposition for them and the degree to which they find ISACA's areas of focus relevant.

Advocate: in this context refers to the internal enterprise influencer who represents the conduit for ISACA to reach the enterprise (e.g., the CIO who advocates adoption of COBIT for his/her organization).

ISACA'S LINES OF BUSINESS
- Credentialing and Career Management
- Knowledge
- Relations
For each line of business: stakeholders identified, needs outlined, contribution defined, proposed products listed.

STRATEGY MAP

By 2022, ISACA will be the foremost global organization on the topic of trust in and value from information and information systems, providing distinctive relevant knowledge and services to help stakeholders enhance the governance and management of information and information systems.

ENTERPRISE GOALS: Serve our stakeholders and be at the forefront of our professional space
- E-1 Be the preferred organization for information trust/value professionals and enterprises by continuously meeting their needs
- E-2 Enhance the global relevance, position and reputation of ISACA and its stakeholders through our thought leadership and advocacy

SUPPORTING GOALS (LOB: Credentialing & Career Management, Knowledge, Relations)

Credentialing & Career Management:
- C-1/2 Advocate for and increase professional value of credentials and credential holders
- C-3 Be the leading career resource
- C-4 Provide usable and relevant professional ethics, standards and guidelines, professional tools and techniques

Knowledge:
- K-1 Advance the professional knowledge and competencies of individuals by developing and providing highly valued knowledge products and services and engaging education
- K-2 Enhance ability of enterprises to address information trust/value needs and meet market demands by developing and providing frameworks and related knowledge and educational products
- K-3 Expand available knowledge resources by increasing knowledge contributions from individuals and enterprises

Relations:
- R-1 Be the preferred global membership organization and community
- R-2 Increase ISACA's global relevance and position
- R-3 Better enable ISACA chapters to serve members and new stakeholders and create awareness of ISACA products and services

ENABLE THE ORGANIZATION AND BE OPERATIONALLY EXCELLENT

E-3 Align enablers with ISACA's mission and vision to support realization of strategic goals and delivery of benefits (principles, policies, processes, structure, culture, ethics, behavior):
- E-3.1 Maintain a realistic, relevant, forward-pushing strategy
- E-3.2 Actively scan for drivers of future change and trends, and determine ISACA's response to them
- E-3.3 Encourage a stakeholder-focused, innovative culture and behaviors
- E-3.4 Inspire stakeholder loyalty and enhance our brand identity with appropriate product, marketing and communication strategies
- E-3.5 Maintain an appropriate organizational structure which enables execution of our strategy
- E-3.6 Ensure good corporate governance principles, policies & practices, and support an ethical culture and behaviors
- E-3.7 Embed effective enterprise risk management in execution of activities and our strategy

E-4 Optimize our resources and their use (resources and their use):
- E-4.1 Utilize effective and efficient processes which optimize use of our resources
- E-4.2 Ensure we have sufficient human resources with the competencies, skills and motivation to deliver on ISACA's strategy
- E-4.3 Ensure the financial resources to sustain core business and seize strategic opportunity
- E-4.4 Obtain the information necessary to enable strategic decision-making and execution
- E-4.5 Align and leverage IT to enable achievement of business objectives and our strategy

© 2012 ISACA. Used by permission.

"FIRST IN FOCUS"
Execution: What will ISACA provide to meet stakeholder needs? What are our first-in-focus S22 solutions?
- To address immediate market-driven stakeholder needs: offerings on cybersecurity and privacy
- To address emerging needs: approach for ISACA's response to megatrends
- For the future: strategy for COBIT. Maximize its value potential; undertake the process of positioning COBIT's relevancy in a broader business sense; continue the visionary approach to defining and pursuing COBIT-related knowledge development and business/IT integration

VOLUNTEER BODIES
- Emerging Business and Technology Committee
- Cybersecurity TF
- Privacy TF
- COBIT Growth Strategy TF
- M&A TF
- Assurance TF

QUESTIONS & DISCUSSION