A Globally Accepted Business Framework For The Governance.


COBIT 5
A globally accepted business framework for the governance and management of enterprise IT
Denver ISACA AGM Chapter Meeting
April 25, 2013
Debbie Lew (debbie.lew@ey.com, 805-778-7049)

Agenda
- What is COBIT and background?
- Why COBIT – drivers?
- Review of the framework: key features
  - COBIT 5 Principles
  - COBIT Enablers
- COBIT 4.1 and COBIT 5 Differences
- Process Capability Model and Assessment
- Implementing COBIT – the basics
- COBIT Benefits

COBIT 5: The Business Framework for the governance and management of enterprise IT
[Figure: the evolution of COBIT from a best-practices repository for IT processes, to IT management processes, to IT governance processes. The only framework that covers the end-to-end IT life cycle.]
- Internationally accepted good practices
- Management-oriented
- Supported by tools and training
- Freely available
- Sharing knowledge and leveraging expert volunteers
- Continually evolving
- Maintained by reputable not-for-profit organization
- Maps strongly to all major related standards
- Is a reference, set of best practices, not an "off-the-shelf" cure

The Evolution of COBIT 5
[Figure: Governance of Enterprise IT evolution: Audit, Control, Management, IT Governance, Governance of Enterprise IT. Milestones shown: 2005/7, Val IT 2.0 (2008), Risk IT, BMIS (2010), COBIT 5 (2012).]
A business framework from ISACA, at www.isaca.org/cobit. 2012 ISACA. All Rights Reserved.

Why Develop COBIT 5?
- ISACA Board of Directors directive: "Tie together and reinforce all ISACA knowledge assets with COBIT."
- Provide a renewed and authoritative governance and management framework for enterprise information and related technology.
- Integrate all other major ISACA frameworks and guidance.
- Align with other major frameworks and standards.

Drivers for COBIT 5
Provide guidance in:
- Enterprise architecture
- Asset and service management
- Emerging sourcing and organization models
- Innovation and emerging technologies (including streamlining product development, manufacturing and supply chain processes to deliver products to market with increasing levels of efficiency, speed and quality)
- End-to-end business and IT responsibilities
- Controls for user-initiated and user-controlled IT solutions

Business Needs
Enterprises are under constant pressure to:
- Increase benefits realization through effective and innovative use of enterprise IT:
  - Generate business value from new enterprise investments with supporting IT investment
  - Achieve operational excellence through application of technology
- Maintain IT-related risk at an acceptable level
- Contain cost of IT services and technology
- Ensure business and IT collaboration, leading to business user satisfaction with IT engagement and services
- Comply with ever-increasing relevant laws, regulations and policies.

COBIT 5 Scope
Not simply IT: not only for big business!
- COBIT 5 is about governing and managing information
  - Whatever medium is used
  - End to end throughout the enterprise
- Information is equally important to:
  - Global, multinational business
  - National and local government
  - Charities and not-for-profit enterprise
  - Small to medium enterprises, and
  - Clubs and associations

COBIT 5 Format Simplified
- COBIT 5 is initially in 3 volumes:
  - The Framework – Free Download
  - The Process Reference Guide – Free to Members
  - Implementation Guide – Free to Members
- COBIT 5 directly addresses the needs of the viewer from different perspectives
- Development continues with specific practitioner guides (COBIT 5 for Security was issued June 2012)
- COBIT 5 is based on: 5 principles and 7 enablers

COBIT 5 Product Family
[Figure: the COBIT 5 product family]

Review of COBIT 5 Framework

COBIT 5 Principles
[Figure: the five COBIT 5 principles] Source: COBIT 5, figure 2. 2012 ISACA. All rights reserved.

Principle 1: Meeting Stakeholder Needs
- Enterprises exist to create value for their stakeholders
- Value creation: realizing benefits at an optimal resource cost while optimizing risk.

Principle 1: Meeting Stakeholder Needs
- Enterprises exist to create value for their stakeholders
- Stakeholder needs have to be transformed into an enterprise's actionable strategy.
- The COBIT 5 goals cascade allows the definition of priorities for:
  - Implementation
  - Improvement
  - Assurance of enterprise governance of IT.
[Figure: Governance Objective: Value Creation] Source: COBIT 5, figure 4. 2012 ISACA. All rights reserved.

Principle 1: Meeting Stakeholder Needs
- Enterprises have many stakeholders
- Governance is about:
  - Negotiating
  - Deciding amongst different stakeholders' value interests
  - Considering all stakeholders when making benefit, resource and risk assessment decisions
- For each decision, ask:
  - For whom are the benefits?
  - Who bears the risk?
  - What resources are required?

Principle 1: Meeting Stakeholder Needs
External stakeholders: business partners, suppliers, shareholders, regulators/government, external users, customers, standardisation organisations, external auditors, consultants, etc.
External stakeholder needs:
- How do I know my business partner's operations are secure and reliable?
- How do I know the organisation is compliant with applicable rules and regulations?
- How do I know the enterprise is maintaining an effective system of internal control?

Principle 1: Meeting Stakeholder Needs
Internal stakeholder concerns include:
- How do I get value from the use of IT?
- How do I manage performance of IT?
- How can I best exploit new technology for new strategic opportunities?
- How do I know whether I'm compliant with all applicable laws and regulations?
- Am I running an efficient and resilient IT operation?
- How do I control cost of IT?
- Is the information I am processing adequately and appropriately secured?
- How critical is IT to sustaining the enterprise?
- What do I do if IT is not available?

Enterprise Goals
[Figure: COBIT 5 enterprise goals] Source: COBIT 5. 2012 ISACA. All rights reserved.

IT-Related Goals
[Figure: COBIT 5 IT-related goals] Source: COBIT 5. 2012 ISACA. All rights reserved.

Principle 2: Covering the Enterprise End-to-End
- Governance roles, activities and relationships define:
  - Who is involved in governance
  - How they are involved
  - What they do, and
  - How they interact
- COBIT 5 defines the difference between governance and management activities in Principle 5

Principle 2: Covering the Enterprise End-to-End
[Figure: key components of a governance system] Source: COBIT 5, figure 9. 2012 ISACA. All rights reserved.

Principle 3: Applying a Single Integrated Framework
COBIT 5:
- Is complete in enterprise coverage
- Provides a basis to integrate effectively other frameworks, standards and practices used
- Aligns with the latest relevant standards and frameworks (COSO, ITIL, ISO, PMBOK, NIST, etc.)
- Integrates all knowledge previously dispersed over different ISACA frameworks (Risk IT, Val IT, BMIS)
Source: COBIT 5, figure 12. 2012 ISACA. All rights reserved.

Principle 3: Applying a Single Integrated Framework
Enablers provide structure to the COBIT 5 knowledge base.

Mapping of COBIT 5
[Figure: mapping of COBIT 5 to other frameworks and standards]

Principle 4: Enabling a Holistic Approach
- COBIT 5 defines a set of enablers to support the implementation of a comprehensive governance and management system for enterprise IT.
- COBIT 5 enablers are:
  - Factors that, individually and collectively, influence whether something will work
  - Driven by the goals cascade
  - Described by the COBIT 5 framework in seven categories

Principle 4: Enabling a Holistic Approach
[Figure: the seven COBIT 5 enablers] Source: COBIT 5, figure 12. 2012 ISACA. All rights reserved.

Principle 5: Separating Governance from Management
The COBIT 5 framework makes a clear distinction between governance and management. These two disciplines:
- Encompass different types of activities
- Require different organisational structures
- Serve different purposes
Governance ensures that stakeholders' needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritisation and decision making; and monitoring performance and compliance against agreed-on direction and objectives.
Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives.

Principle 5: Separating Governance from Management
COBIT 5 is not prescriptive, but it advocates that organizations implement governance and management processes such that the key areas are covered, as shown.
[Figure: COBIT 5 governance and management key areas] Source: COBIT 5, figure 15. 2012 ISACA. All rights reserved.

COBIT 5 Enabling Processes
COBIT 5 includes a process reference model (PRM), which defines and describes in detail a number of governance and management processes.

Process Reference Model
- Represents all the processes normally found in an enterprise relating to IT
- Provides a common reference model understandable to IT and business managers
- Provides a common language
- Provides a framework for measuring and monitoring IT performance, communicating with service providers, and integrating best management practices
- Subdivides into governance (1) and management (4) domains
- 36 processes
- Harmonized with other frameworks and standards

COBIT 5 Process Reference Model
[Figure: the COBIT 5 process reference model] Source: COBIT 5, figure 16. 2012 ISACA. All rights reserved.

Exercise – Enabling a holistic approach
Developing enablers for the APO12 process – Manage Risk
APO12 Manage Risk
Area: Management
Domain: Align, Plan and Organise
Process Description: Continually identify, assess and reduce IT-related risk within levels of tolerance set by enterprise executive management.
Process Purpose Statement: Integrate the management of IT-related risk with overall ERM, and balance the costs and benefits of managing IT-related enterprise risk.

Challenges to Success?

COBIT 4.1 and COBIT 5 Differences

COBIT 4.1 to COBIT 5 – The Differences
The major changes in COBIT 5 content and how they may impact GEIT* implementation/improvement are:
1. New GEIT principles
2. Increased focus on enablers
3. New and modified processes
4. Separated governance and management practices and activities
5. Revised and expanded goals and metrics
6. Defined inputs and outputs
7. More detailed RACI charts
8. Process Capability Assessment Model
(* Governance of Enterprise Information Technology)
Source: 2012 ISACA. All rights reserved.

COBIT 5 Principles
[Figure: the five COBIT 5 principles] Source: COBIT 5, figure 2. 2012 ISACA. All rights reserved.

The COBIT 5 Enterprise Enablers
[Figure: the seven COBIT 5 enterprise enablers]

New and Modified Processes
There are several new and modified processes that reflect current thinking, in particular:
- APO03 Manage enterprise architecture
- APO04 Manage innovation
- APO05 Manage portfolio
- APO06 Manage budget and costs
- APO08 Manage relationships
- APO13 Manage security
- BAI05 Manage organizational change enablement
- BAI08 Manage knowledge
- BAI09 Manage assets
- DSS05 Manage security services
- DSS06 Manage business process controls
Source: 2012 ISACA. All rights reserved.

COBIT 5 Process Reference Model
[Figure: the COBIT 5 process reference model]

Separating Governance from Management
- COBIT 5 introduces five new governance processes
- This guidance:
  - Helps enterprises to further refine and strengthen executive management-level GEIT practices and activities
  - Supports GEIT integration with existing enterprise governance practices and is aligned with ISO/IEC 38500

COBIT 5 and Legacy ISACA Frameworks
[Figure: COBIT 5 and legacy ISACA frameworks] Source: COBIT 5. 2012 ISACA. All rights reserved.

Mapping COBIT 4.1 to COBIT 5
[Figure: mapping of COBIT 4.1 to COBIT 5] Source: COBIT 5. 2012 ISACA. All rights reserved.

COBIT 5 Processes
- Cover end-to-end business and IT activities
- Provide a more holistic and complete coverage of practices
- Make the involvement, responsibilities and accountabilities of business stakeholders in the use of IT more explicit and transparent.
Source: 2012 ISACA. All rights reserved.

Practices and Activities
- The COBIT 5 governance and management practices can be related to:
  - COBIT 4.1 control objectives
  - Val IT and Risk IT processes
- The COBIT 5 activities are related to:
  - COBIT 4.1 control practices
  - Val IT and Risk IT management practices
Source: 2012 ISACA. All rights reserved.

Goals and Metrics; Inputs and Outputs
COBIT 5:
- Follows the same goal and metric concepts as COBIT 4.1, Val IT and Risk IT, renamed as:
  - Enterprise goals
  - IT-related goals
  - Process goals
- Provides a revised goals cascade
- Provides inputs and outputs for every management prac