Benefits of EGIT

Internal stakeholders:
• Boards
• Executive management
• Business managers
• IT managers
• Assurance providers
• Risk management

External stakeholders:
• Regulators
• Business partners
• IT vendors

Governance objectives (the value EGIT delivers):
• Benefits realization
• Risk optimization
• Resource optimization

Governance and Management Objectives (40 in total, grouped in 5 domains)

Governance objectives:
• (5) EDM – Evaluate (strategy), Direct (senior management), Monitor (achievements)

Management objectives:
• (14) APO – Align, Plan, Organize: overall organization, strategy and supporting activities for I&T
• (11) BAI – Build, Acquire, Implement: definition, acquisition, implementation and integration of I&T solutions
• (6) DSS – Deliver, Service, Support: operational delivery and support of I&T services, including security
• (4) MEA – Monitor, Evaluate, Assess: performance monitoring and conformance with targets, internal objectives and external requirements

Principles for a Governance System (6)
1. Satisfy stakeholder needs and generate value;
2. Work in a holistic way;
3. Dynamic governance system;
4. Clear distinction between governance and management;
5. Tailored to enterprise needs;
6. End-to-end governance system.

Principles for a Governance Framework (3)
1. Based on a conceptual model, maximizing consistency and enabling automation;
2. Open and flexible;
3. Aligned to major standards, frameworks and regulations.

Components of a Governance System
• Contribute to the good operation of the enterprise's governance system for I&T
• Can be generic, or variants tailored for a specific purpose or context within a focus area
• Interact with each other > holistic
• Seven types:
1. Processes > an organized set of practices and activities to achieve objectives and produce outputs that support the IT goals;
2. Organizational structures > the key decision-making entities;
3. Principles, policies and frameworks > translate desired behavior into practical guidance for day-to-day management;
4. Information > is pervasive; includes all information produced and used by the enterprise;
5. Culture, ethics and behavior > of individuals and of the enterprise; often underestimated as a success factor;
6. People, skills and competencies > required for good decisions, corrective actions and successful completion of activities;
7. Services, infrastructure and applications > the infrastructure, technology and applications that provide the enterprise with the governance system for I&T processing.

Focus Area
• A certain governance topic, domain or issue that can be addressed by a collection of GMOs and their components
• Examples: SME, cybersecurity, digital transformation, cloud, DevOps...
• The number of focus areas is unlimited

11 Design Factors (any combination of the following)
1. Enterprise Strategy: an organization has a primary strategy and a secondary strategy, chosen from
   - Growth/Acquisition
   - Innovation/Differentiation
   - Cost Leadership
   - Client Service/Stability
2. Enterprise Goals: support the strategy; the strategy is realized by achieving goals structured along the balanced scorecard (BSC) dimensions
   - 4 Financial BSC goals
   - 3 Customer BSC goals
   - 4 Internal BSC goals
   - 2 Growth BSC goals
3. Risk Profile: identifies the I&T-related risks the enterprise is exposed to and indicates the areas exceeding the risk appetite (19 I&T-related risk categories)
4. I&T-related Issues: I&T-related risks that have materialized (20 I&T-related issues)
5. Threat Landscape: Normal or High
6. Compliance Requirements: Low, Normal, High
7. Role of IT: Support, Factory, Turnaround, Strategic
8. Sourcing Model for IT: Outsourcing, Cloud, Insourced, Hybrid
9. IT Implementation Methods: Agile, DevOps, Traditional, Hybrid
10. Technology Adoption Strategy: First mover, Follower, Slow adopter
11. Enterprise Size: Large (more than 250 FTEs), SME (50 to 250 FTEs)

COBIT Performance Management (CPM) Principles
1. Simple to understand and use;
2. Consistent with, and supporting, the conceptual model;
3. Provide reliable, repeatable and relevant results;
4. Flexible;
5. Support different types of assessment (self-assessment, formal assessment or audits).

Rating of Process Activities
• Formal: Yes/No
• Informal: Fully (more than 85%), Largely (50% to 85%), Partially (15% to 50%), Not (less than 15%)

Capability Levels and Maturity Levels
• Capability levels are assigned to process activities
• A maturity level is achieved only if all required capability levels are achieved
• CPM applies to: process activities, components, focus areas

Information Quality Criteria
• Intrinsic
• Contextual
• Security / Privacy / Accessibility

Designing a Tailored Governance System
• GMO priority and target capability levels: design factors can influence the relative importance of GMOs and make some more important than others, sometimes to the extent that some governance and management objectives become negligible. Higher importance translates into setting higher target capability levels for the important GMOs.
• Components variation: components are required to achieve governance and management objectives. Some design factors can influence the importance of one or more components or can require specific variations of them.
• Need for specific focus areas: some design factors, such as threat landscape, specific risks, target development methods and infrastructure set-up, drive the need to vary the core COBIT model content for a specific context.