7. COBIT - Tallinn University


7. COBIT: Control Objectives for Information and related Technology (2006)


Objectives of implementing COBIT: supporting IT governance. COBIT supports IT governance by providing a framework to ensure that:
– IT is aligned with the business
– IT enables the business and maximises benefits
– IT resources are used responsibly
– IT risks are managed appropriately

COBIT Framework History. The COBIT framework was defined in the first edition, copyrighted in April 1996 by the IT Governance Institute.
– COBIT 2nd Edition released in 1998
– COBIT 3rd Edition released in 2000
– COBIT 4.0 released in 2005

COBIT is Measurement-driven. COBIT provides:
– Maturity models to enable benchmarking and identification of necessary capability improvements
– Performance goals and metrics for the IT processes, demonstrating how processes meet business and IT goals; these are used for measuring internal process performance based on balanced scorecard principles
– Activity goals for enabling effective process performance

The core content. The core content is divided according to the 34 IT processes. Each process is covered in four sections of approximately one page each, which combine to give a complete picture of how to control, manage and measure the process.

The four sections for each process are:
1. The high-level control objective for the process
   (a) A process description summarising the process objectives
   (b) A high-level control objective represented in a waterfall summarising process goals, metrics and practices
   (c) The mapping of the process to the process domains, information criteria, IT resources and IT governance focus areas
2. The detailed control objectives for the process
3. Management guidelines: the process inputs and outputs, and the RACI (Responsible, Accountable, Consulted and/or Informed) chart
4. The maturity model for the process

How Is COBIT 4.0 Different From COBIT 3rd Edition? COBIT 4.0 is an enhancement of COBIT 3rd Edition and in no way invalidates any implementation or execution activities based on COBIT 3rd Edition. The introduction of COBIT 4.0 provides the opportunity to further improve IT governance and control arrangements.

Executive Overview

IT Governance Focus Areas

COBIT as the generally accepted internal control framework for IT. COBIT is focused on what is required to achieve adequate management and control of IT. COBIT has been aligned and harmonised with other, more detailed, IT standards and best practices.
– Example: COSO is generally accepted as the internal control framework for enterprises.
– COBIT is the generally accepted internal control framework for IT.
COBIT has become the integrator for IT best practices and the umbrella framework for IT governance that helps in understanding and managing the risks and benefits associated with IT.

COBIT Products

Framework: explains how COBIT organises IT governance objectives and best practices by IT domains and processes, and links them to business requirements.

Control objectives: provide generic best practice management objectives for all IT activities.

Control practices: provide guidance on why controls are worth implementing and how to implement them.

Interrelationships of COBIT Components

COBIT Framework

Basic COBIT Principle: Business-focused. Business orientation is the main theme of COBIT. The COBIT framework is based on the following principle: to provide the information that the enterprise requires to achieve its objectives, the enterprise needs to manage and control IT resources using a structured set of processes to deliver the required information services. The COBIT framework provides tools to help ensure alignment to business requirements.


COBIT's information criteria:
– Effectiveness deals with information being relevant and pertinent to the business process as well as being delivered in a timely, correct, consistent and usable manner.
– Efficiency concerns the provision of information through the optimal (most productive and economical) use of resources.
– Confidentiality concerns the protection of sensitive information from unauthorised disclosure.
– Integrity relates to the accuracy and completeness of information as well as to its validity in accordance with business values and expectations.
– Availability relates to information being available when required by the business process now and in the future. It also concerns the safeguarding of necessary resources and associated capabilities.
– Compliance deals with complying with those laws, regulations and contractual arrangements to which the business process is subject, i.e., externally imposed business criteria, as well as internal policies.
– Reliability relates to the provision of appropriate information for management to operate the entity and exercise its fiduciary and governance responsibilities.
Note that the classic security triad (confidentiality, integrity, availability) covers only three of the seven criteria: COBIT treats security as one contributor to information quality, not as the whole of it.

Defining IT Goals and Enterprise Architecture for IT. Business goals for IT should lead to a clear definition of IT's own objectives, the IT goals. The IT goals in turn define the IT resources and capabilities (the enterprise architecture for IT) required to successfully execute IT's part of the enterprise's strategy.

Business Goals for IT. Every enterprise uses IT to enable business initiatives, and these can be represented as business goals for IT.

Enterprise Architecture for IT

Managing IT Resources to Deliver IT Goals

The COBIT Cube

Business Goals and IT Goals

Linking Business Goals to IT Goals

IT Goals


Management guidelines

Performance Measurement. Goals and metrics are defined in COBIT at three levels:
– IT goals and metrics that define what the business expects from IT (what the business would use to measure IT)
– Process goals and metrics that define what the IT process must deliver to support IT's objectives (how the IT process owner would be measured)
– Process performance metrics, to measure how well the process is performing and to indicate whether the goals are likely to be met

CSF, KGI, KPI
– Critical Success Factors: for getting processes under control
– Key Goal Indicators: for monitoring achievement of IT process goals
– Key Performance Indicators: for monitoring performance within each IT process

Key goal indicators. Key goal indicators (KGIs) define measures that tell management, after the fact, whether an IT process has achieved its business requirements, usually expressed in terms of the information criteria:
– Availability of information needed to support the business needs
– Absence of integrity and confidentiality risks
– Cost-efficiency of processes and operations
– Confirmation of reliability, effectiveness and compliance

Key performance indicators. Key performance indicators (KPIs) define measures that determine how well the IT process is performing in enabling the goal to be reached. They are lead indicators of whether a goal will likely be reached or not, and are good indicators of capabilities, practices and skills. They measure the activity goals, which are the actions the process owner must take to achieve effective process performance. In short, a KGI is a lag indicator of outcome, while a KPI is a lead indicator of the activities that drive that outcome.

How Well the Enterprise Is Currently Performing. For effective IT governance to be implemented, enterprises need to assess how well they are currently performing and be able to identify where and how improvements can be made. This applies to both the IT governance process itself and all the processes that need to be managed within IT. The use of maturity models greatly simplifies this task and provides a pragmatic and structured approach for measuring how well developed an enterprise's processes are against a consistent and easy-to-understand scale.

Maturity Models. Maturity models are techniques enabling the enterprise to:
– Build a view of current practices by discussing them in workshops and comparing them to example models
– Set targets for future development by considering model descriptions higher up the scale and comparing them to best practices
– Plan projects to reach the targets by defining the specific changes required to improve management
– Prioritise project work by identifying where the greatest impact will be made and where it is easiest to implement

Maturity models. Maturity modelling for management and control over IT processes is based on a method of evaluating the organisation, so it can evaluate itself on a scale from non-existent (0) to optimised (5). Using the maturity models developed for each of COBIT's 34 IT processes, management can identify:
– The actual performance of the enterprise: where the enterprise is today
– The current status of the industry: the comparison
– The enterprise's target for improvement: where the enterprise wants to be


Generic Maturity Model. This approach is derived from the maturity model (the Capability Maturity Model) that the Software Engineering Institute defined for the maturity of software development capability.

The Three Dimensions of Maturity Performance

Critical Success Factors

Example: Relationship Among Process, Goals and Metrics (DS5 Ensure Systems Security)

Four Types of Activities. These control principles are needed at different levels: strategic, tactical and administrative. There are usually four types of activities at each level that logically follow each other:
– planning
– doing
– checking
– correcting
The feedback and control loop mechanisms between the levels should be considered.

Plan-Do-Check-Correct

Overall COBIT Framework


COBIT Framework and IT Governance Focus Areas

Plan and Organise

PO1 Define a Strategic IT Plan. IT strategic planning is required to manage and direct all IT resources in line with the business strategy and priorities. The IT function and business stakeholders are responsible for ensuring that optimal value is realised from project and service portfolios. The strategic plan should improve key stakeholders' understanding of IT opportunities and limitations, assess current performance and clarify the level of investment required. The business strategy and priorities are to be reflected in portfolios and executed by the IT tactical plan(s), which establish concise objectives, plans and tasks understood and accepted by both business and IT.


Detailed Control Objectives: PO1 Define a Strategic IT Plan

PO1.1 IT Value Management. Work with the business to ensure that the enterprise portfolio of IT-enabled investments contains programmes that have solid business cases. Recognise that there are mandatory, sustaining and discretionary investments that differ in complexity and degree of freedom in allocating funds. IT processes should provide effective and efficient delivery of the IT components of programmes and early warning of any deviations from plan, including cost, schedule or functionality, that might impact the expected outcomes of the programmes. IT services should be executed against equitable and enforceable service level agreements. Accountability for achieving the benefits and controlling the costs should be clearly assigned and monitored. Establish fair, transparent, repeatable and comparable evaluation of business cases, including financial worth, the risk of not delivering a capability and the risk of not realising the expected benefits.

PO1.2 Business-IT Alignment. Educate executives on current technology capabilities and future directions, the opportunities that IT provides, and what the business has to do to capitalise on those opportunities. Make sure the business direction to which IT is aligned is understood. The business and IT strategies should be integrated, clearly linking enterprise goals and IT goals and recognising opportunities as well as current capability limitations, and broadly communicated. Identify where the business (strategy) is critically dependent on IT and mediate between imperatives of the business and the technology, so agreed priorities can be established.

PO1.3 Assessment of Current Performance. Assess the performance of the existing plans and information systems in terms of contribution to business … strengths and weaknesses (the intermediate criteria are missing from the transcription).

PO1.4 IT Strategic Plan. Create a strategic plan that defines, in co-operation with the relevant stakeholders, how IT will contribute to the enterprise's strategic objectives (goals) and the related costs and risks. It includes how IT will support IT-enabled investment programmes and operational service delivery. It defines how the objectives will be met and measured, and will receive formal sign-off from the stakeholders. The IT strategic plan should cover investment/operational budget, funding sources, sourcing strategy, acquisition strategy, and legal and regulatory requirements. The strategic plan should be sufficiently detailed to allow the definition of tactical IT plans.

PO1.5 IT Tactical Plans. Create a portfolio of tactical IT plans that are derived from the IT strategic plan. These tactical plans describe:
– required IT initiatives,
– resource requirements, and
– how the use of resources and achievement of benefits will be monitored and managed.
The tactical plans should be sufficiently detailed to allow the definition of project plans. Actively manage the set of tactical IT plans and initiatives through analysis of project and service portfolios. This encompasses balancing requirements and resources on a regular basis, comparing them to achievement of strategic and tactical goals and the expected benefits, and taking appropriate action on deviations.

PO1.6 IT Portfolio Management. Actively manage with the business the portfolio of IT-enabled investment programmes required to achieve specific strategic business objectives by …ting, initiating, managing and controlling programmes (the start of this list is missing from the transcription). This includes:
– clarifying desired business outcomes,
– ensuring that programme objectives support achievement of the outcomes,
– understanding the full scope of effort required to achieve the outcomes,
– assigning clear accountability with supporting measures,
– defining projects within the programme,
– allocating resources and funding, delegating authority, and
– commissioning required projects at programme launch.

PO1 Define a Strategic IT Plan: Inputs and Outputs

PO1 Define a Strategic IT Plan: RACI Chart

PO1 Define a Strategic IT Plan: Goals and Metrics

PO1 Define a Strategic IT Plan: Maturity Model. Management of the process of Define a strategic IT plan that satisfies the business requirement for IT of sustaining or extending the business strategy and governance requirements while being transparent about benefits, costs and risks is either:
– 0 Non-existent
– 1 Initial/Ad Hoc
– 2 Repeatable but Intuitive
– 3 Defined Process
– 4 Managed and Measurable
– 5 Optimised

0 Non-existent when IT strategic planning is not performed. There is no management awareness that IT strategic planning is needed to support business goals.

1 Initial/Ad Hoc when the need for IT strategic planning is known by IT management. IT planning is performed on an as-needed basis in response to a specific business requirement. IT strategic planning is occasionally discussed at IT management meetings. The alignment of business requirements, applications and technology takes place reactively rather than by an organisation-wide strategy. The strategic risk position is identified informally on a project-by-project basis.

2 Repeatable but Intuitive when IT strategic planning is shared with business management on an as-needed basis. Updating of the IT plans occurs in response to requests by management. Strategic decisions are driven on a project-by-project basis, without consistency with an overall organisation strategy. The risks and user benefits of major strategic decisions are being recognised in an intuitive way.

3 Defined Process when a policy defines when and how to perform IT strategic planning. IT strategic planning follows a structured approach, which is documented and known to all staff. The IT planning process is reasonably sound and ensures that appropriate planning is likely to be performed. However, discretion is given to individual managers with respect to implementation of the process, and there are no procedures to examine the process. The overall IT strategy includes a consistent definition of risks that the organisation is willing to take as an innovator or follower. The IT financial, technical and human resources strategies increasingly influence the acquisition of new products and technologies. IT strategic planning is discussed at business management meetings.

4 Managed and Measurable when IT strategic planning is standard practice and exceptions would be noticed by management. IT strategic planning is a defined management function with senior-level responsibilities. Management is able to monitor the IT strategic planning process, make informed decisions based on it and measure its effectiveness. Both short-range and long-range IT planning occurs and is cascaded down into the organisation, with updates done as needed. The IT strategy and organisation-wide strategy are increasingly becoming more co-ordinated by addressing business processes and value-added capabilities and leveraging the use of applications and technologies through business process re-engineering. There is a well-defined process for determining the usage of internal and external resources required in system development and operations.

5 Optimised when IT strategic planning is a documented, living process, is continuously considered in business goal setting and results in discernible business value through investments in IT. Risk and value-added considerations are continuously updated in the IT strategic planning process. Realistic long-range IT plans are developed and constantly updated to reflect changing technology and business-related developments. Benchmarking against well-understood and reliable industry norms takes place and is integrated with the strategy formulation process. The strategic plan includes how new technology developments can drive the creation of new business capabilities and improve the competitive advantage of the organisation.

Monitor and Evaluate

ME4 Provide IT Governance. Establishing an effective governance framework includes defining organisational structures, processes, leadership, roles and responsibilities to ensure that enterprise IT investments are aligned and delivered in accordance with enterprise strategies and objectives.


Detailed Control Objectives: ME4 Provide IT Governance

ME4.1 Establishment of an IT Governance Framework. Work with the board to define and establish an IT governance framework including leadership, processes, roles and responsibilities, information requirements, and organisational structures to ensure that the enterprise's IT-enabled investment programmes are aligned with and deliver on the enterprise's strategies and objectives. The framework should provide clear linkage among:
– the enterprise strategy,
– the portfolio of IT-enabled investment programmes that execute the strategy,
– the individual investment programmes, and
– the business and IT projects that make up the programmes.
The framework should provide for unambiguous accountabilities and practices to avoid breakdown in internal control and oversight. The framework should be consistent with the overall enterprise control environment and generally accepted control principles, and be based on the IT process and control framework.

ME4.2 Strategic Alignment. Enable board and executive understanding of strategic IT issues such as the role of IT, technology insights and capabilities. Make sure there is a shared understanding between the business and IT of the potential contribution of IT to the business strategy. Make sure that there is a clear understanding that value is achieved from IT only when IT-enabled investments are managed as a portfolio of programmes that include the full scope of changes that the business has to make to optimise the value from IT capabilities in delivering on the strategy. Work with the board to define and implement governance bodies, such as an IT strategy committee, to provide strategic direction to management relative to IT, ensuring that the strategy and objectives are cascaded down into business units and IT functions, and that confidence and trust are developed between the business and IT. Enable the alignment of IT to the business in strategy and operations, encouraging co-responsibility between business and IT for making strategic decisions and obtaining benefits from IT-enabled investments.

ME4.3 Value Delivery. Manage IT-enabled investment programmes and other IT assets and services to ensure that they deliver the greatest possible value in supporting the enterprise's strategy and objectives. Ensure that the expected business outcomes of IT-enabled investments and the full scope of effort required to achieve those outcomes are understood, that comprehensive and consistent business cases are created and approved by stakeholders, that assets and investments are managed throughout their economic life cycle, and that there is active management of the realisation of benefits, such as contribution to new services, efficiency gains and improved responsiveness to customer demands. Enforce a disciplined approach to portfolio, programme and project management, insisting that the business takes ownership of all IT-enabled investments and that IT ensures optimisation of the costs of delivering IT capabilities and services. Ensure that technology investments are standardised to the greatest extent possible to avoid the increased cost and complexity of a proliferation of technical solutions.

ME4.4 Resource Management. Optimise the investment, use and allocation of IT assets through regular assessment, making sure that IT has sufficient, competent and capable resources to execute the current and future strategic objectives and keep up with business demands. Management should put clear, consistent and enforced human resources policies and procurement policies in place to ensure that resource requirements are fulfilled effectively and conform to architecture policies and standards. The IT infrastructure should be assessed on a periodic basis to ensure that it is standardised wherever possible and that interoperability exists where required.

ME4.5 Risk Management. Work with the board to define the enterprise's appetite for IT risk. Communicate the IT risk appetite into the enterprise and agree on an IT risk management plan. Embed risk management responsibilities into the organisation, ensuring that the business and IT regularly assess and report IT-related risks and their impact on the business. Make sure IT management follows up on risk exposures, paying special attention to IT control failures and weaknesses in internal control and oversight, and their actual and potential business impact. The enterprise's IT risk position should be transparent to all stakeholders.

ME4.6 Performance Measurement. Report relevant portfolio, programme and IT performance to the board and executives in a timely and accurate manner. Management reports should be provided for senior management's review of the enterprise's progress toward identified goals. Status reports should include the extent to which planned objectives have been achieved, deliverables obtained, performance targets met and risks mitigated. Integrate reporting with similar output from other business functions. The performance measures should be approved by key stakeholders. The board and executive should challenge these performance reports, and IT management should be given an opportunity to explain deviations and performance problems. Upon review, appropriate management action should be initiated and controlled.

ME4.7 Independent Assurance. Ensure that the organisation establishes and maintains a function that is competent and adequately staffed, and/or seeks external assurance services, to provide the board (most likely through an audit committee) with timely independent assurance about the compliance of IT with its policies, standards and procedures, as well as with generally accepted practices.

ME4 Provide IT Governance: Inputs and Outputs

ME4 Provide IT Governance: RACI Chart

ME4 Provide IT Governance: Goals and Metrics

ME4 Provide IT Governance: Maturity Model. Management of the process of Provide IT governance that satisfies the business requirement for IT of integrating IT governance with corporate governance objectives and complying with laws and regulations is either:
– 0 Non-existent
– 1 Initial/Ad Hoc
– 2 Repeatable but Intuitive
– 3 Defined Process
– 4 Managed and Measurable
– 5 Optimised

0 Non-existent when there is a complete lack of any recognisable IT governance process. The organisation has not even recognised that there is an issue to be addressed; hence, there is no communication about the issue.

1 Initial/Ad Hoc when there is recognition that IT governance issues exist and need to be addressed. There are ad hoc approaches applied on an individual or case-by-case basis. Management's approach is reactive, and there is only sporadic, inconsistent communication on issues and approaches to address them. Management has only an approximate indication of how IT contributes to business performance. Management only reactively responds to an incident that has caused some loss or embarrassment to the organisation.

2 Repeatable but Intuitive when there is awareness of IT governance issues. IT governance activities and performance indicators, which include IT planning, delivery and monitoring processes, are under development. Selected IT processes are identified for improvement based on individuals' decisions. Management has identified basic IT governance measurements and assessment methods and techniques; however, the process has not been adopted across the organisation. Communication on governance standards and responsibilities is left to the individual. Individuals drive the governance processes within various IT projects and processes. The processes, tools and metrics to measure IT governance are limited and may not be used to their full capacity due to a lack of expertise in their functionality.

3 Defined Process when the importance of and need for IT governance are understood by management and communicated to the organisation. A baseline set of IT governance indicators is developed where linkages between outcome measures and performance drivers are defined and documented. Procedures have been standardised and documented. Management has communicated standardised procedures and training is established. Tools have been identified to assist with overseeing IT governance. Processes may be monitored, but deviations, while mostly being acted upon by individual initiative, would be unlikely to be detected by management.

4 Managed and Measurable when there is full understanding of IT governance issues at all levels. There is a clear understanding of who the customer is, and responsibilities are defined and monitored through service level agreements. Responsibilities are clear and process ownership is established. IT processes and IT governance are aligned with and integrated into the business and the IT strategy. Improvement in IT processes is based primarily upon a quantitative understanding, and it is possible to monitor and measure compliance with procedures and process metrics.

4 Managed and Measurable (continued): All process stakeholders are aware of risks, the importance of IT and the opportunities it can offer. Management has defined tolerances under which processes must operate. There is limited, primarily tactical, use of technology, based on mature techniques and enforced standard tools. IT governance has been integrated into strategic and operational planning and monitoring processes. Performance indicators over all IT governance activities are being recorded and tracked, leading to enterprise-wide improvements. Overall accountability of key process performance is clear, and management is rewarded based on key performance measures.

5 Optimised when there is advanced and forward-looking understanding of IT governance issues and solutions. Training and communication are supported by leading-edge concepts and techniques. Processes have been refined to a level of industry best practice, based on results of continuous improvement and maturity modelling with other organisations. The implementation of IT policies has led to an organisation, people and processes that are quick to adapt and fully support IT governance requirements. All problems and deviations are root-cause analysed, and efficient action is expediently identified and initiated.

5 Optimised (continued): IT is used in an extensive, integrated and optimised manner to automate the workflow and provide tools to improve quality and effectiveness. The risks and returns of the IT processes are defined, balanced and communicated across the enterprise. External experts are leveraged and benchmarks are used for guidance. Monitoring, self-assessment and communication about governance expectations are pervasive within the organisation, and there is optimal use of technology to support measurement, analysis, communication and training. Enterprise governance and IT governance are strategically linked, leveraging technology and human and financial resources to increase the competitive advantage of the enterprise. IT governance activities are integrated with the enterprise governance process.

COBIT Related Standards


Regulations for the IT Department
