COBIT & IT Governance Control Objectives for Information and Related Technology Includes material subject to: Copyright © 2004 and 2005 IT Governance Institute. This presentation is intended solely for academic use. Agenda COBIT: Control Objectives for Information and Related Technology • The quest for effective systems and the rise of internal control regulation emphasize the need for IT governance • Exercise: How can you do on your own? • COBIT: – Where does it come from? – How does it view IT organizations? – What does it include? • Try again: Does COBIT help? • Other IT management frameworks • Key takeaways COBIT – Controlling and Auditing IS 2 Why? Reason 1: The Quest for Effective Systems • Systematically controlled IT functions “We’ll delete that old user ID later” aim to assure that IS: “We’ll write the – Provides documentation later” “Pick the best solution value, for our department” – Pushes the envelope, and “It will be plenty fast” “We won’t get – Mitigates risk hacked, we’re too small to be on a hacker’s radar” Business Management As Usual Scale Inattention and cost SOX Compliance “There’s no real need Threat vulnerability for a log file” Increased IT dependence IT’s role in organizational change COBIT – Controlling and Auditing IS 3 History Reason 2: The Rise of Internal Control Regulation • Bank scandals in the 80’s brought us the 1992 Committee of Sponsoring Organizations of the Treadway Commission (COSO) Integrated Internal Control Framework for certifying financial data systems. • WorldCom, Enron, etc.. brought us the Sarbanes-Oxley Act of 2002 (SOX). – Management is responsible for internal control and financial reporting procedures – Annual reports must asses internal controls – Officers submitting inaccurate certifications are subject to a fine up to $1m + 10 yrs, If purposeful, up to $5m + 20 years. COBIT – Controlling and Auditing IS 4 History SOX and IS • From an IS function perspective, this means, that for financial reporting systems at least, SEC companies need: – An evaluation framework for IS operations – Useful IS metrics – A systematic way to apply the framework • This perspective applies to non SEC organizations as well: – Lenders may require IS audits – Financial services companies have their own somewhat similar regulations COBIT – Controlling and Auditing IS 5 IT Governance Meeting the Challenge: IT Governance Defined • IT Governance: the leadership and organizational structures and processes that ensure that the organization’s IT sustains and extends the organization’s strategies and objectives *. Improve Performance; Reduce Risk Performance vs. Goals and Best Practices Reliability of Financial Data Regulatory Compliance * (IT Governance Institute 2003, Board Briefing on IT Governance, 2nd Ed, page 18 ) COBIT – Controlling and Auditing IS 6 The IT Governance Framework: An Governance Model BeIT a Part of the Process Provide Direction Set Objectives • IT is aligned with the business • IT enables the business and maximises benefits • IT resources are used responsibly Be • IT-related risks are Good! appropriately managed Compare IT Activities • Increase automation (make the business effective) • Decrease cost (make the enterprise efficient) • Manage risks (security, reliability and compliance) Measure Performance www.itgovernance.org - Board Briefing on IT Governance Hunton et al. Pg. 3 COBIT – Controlling and Auditing IS 7 Lets Try it Without A Framework • You are the CEO of NASDAQ. You discover that the embarrassing error reported in the article happened when a new version of a software application was put into production. You know you need a better process. – Who should be involved in making sure this kind of thing doesn’t happen again? – What controls should be put into place? – How will you tell later if the controls are working? – Will your plan convince the angry board of directors? COBIT – Controlling and Auditing IS 8 Agenda How Are We Doing? • The quest for effective systems and the rise of internal control regulation emphasize the need for IT governance • Exercise: How can you do on your own? • COBIT: – Where does it come from? – How does it view IT organizations? – What does it include? • Try again: Does COBIT help? • Other IT management frameworks • Key takeaways COBIT – Controlling and Auditing IS 9 COBIT COBIT: Control Objectives for Information and related Technology • COBIT is a process-oriented, business-goal focused, systematic framework for evaluating the IT operations within an organization. It is designed for: – Managers who need IT, – IT Providers (internal and external), and – “Auditors” concerned with risk, security, privacy, compliance, and assurance. • Stakeholders may not know how to evaluate their organizations, COBIT can help guide the process. COBIT – Controlling and Auditing IS 10 COBIT Where did COBIT come from? • The COBIT steering committee includes international representatives from industry, academia, government, and the security and control profession. • Based in the IT Governance Institute. • The COBIT group has done extensive work mapping to other standards. http://www.isaca.org/Content/NavigationMenu/Members_and_Leaders/COBIT6/Project1/COBIT_Project.htm COBIT – Controlling and Auditing IS 11 Process Oriented Infrastructure Information IT Resources Systems Assetsbrings Complexity used to achieve Organizational Goals People Information Applications special problems Because Information systems are much more complex than lunch boxes: Processes! Information systems’ acquisition, operation, and maintenance can be usefully understood as a set of IT processes. We figure out what to control in IT by looking at what we do in IT. COBIT – Controlling and Auditing IS 12 Which of These Are IT Processes In the IT Governance Sense? • • • • • NO! Just a decision Buying a new server IT Purchasing Procedures Hiring the Right People NO! Bunch of Decisions Screening Potential IT Employees Processing an invoice sent in by EDI NO! this is an IT-enabled process from a supplier • Change Management System Good Governance Creates Good Processes that LEAD TO Good Decisions and IT Systems COBIT – Controlling and Auditing IS 13 Good Processes COBIT – Controlling and Auditing IS 14 COBIT Business Goal Focused Generic Business Goals are Matched with IT Goals To offer competitive products and services, create IT agility Goals are Matched with 34 IT Processes – Define Success Achieve IT agility by adjusting HR, information architecture, and infrastructure Defined Control Objectives Support Assurance. Good data architecture keeps data to support decisions, organizes data for sharing, and verifies data reliability Process Measures Support Systematic Evaluation to Manage IT Processes Measure data architecture success in % of redundant data elements, % of applications in the plan, and frequency of validation activities. COBIT – Controlling and Auditing IS 15 COBIT’s Systematic Framework COBIT ME1 ME2 ME3 ME4 Monitor the processes Monitor and evaluate internal control Ensure Regulatory Compliance Provide IT Governance INFORMATION PO1 Define a strategic IT plan PO2 Define the information architecture PO3 Determine the technological direction PO4 Define the IT processes, organisation and relationships PO5 Manage the IT investment PO6 Communicate management aims and direction PO7 Manage human resources PO8 Manage quality PO9 Assess and manage IT risks PO10 Manage projects Does the organization • Effectiveness • Efficiency • Confidenciality plan and organize • Integrity • Availability the organization Compliance to ••Does meet MONITORadequately AND Reliability EVALUATE effectively Does theinformation organizationneeds? have and deliver and IT support IT services? PLAN AND use sound processes for RESOURCES ORGANISE acquiring and implementing IT? DELIVER AND • Data SUPPORT systems Does the organization •• Application Technology • Facilities • People monitor andservice evaluate DS1 Define and manage levels DS2 Manage third-party services DS3 Manage peformance and capacity its IT activites? ACQUIRE AND DS4 Ensure continuous service DS5 Ensure systems security DS6 Identify and attribute costs DS7 Educate and train users DS8 Manage service desk and incidents DS9 Manage the configuration DS10 Manage problems DS11 Manage data DS12 Manage the physical environment DS13 Manage operations IMPLEMENT AI1 AI2 AI3 AI4 AI5 AI6 AI7 Identify automated solutions Acquire and mantain application software Acquire and maintain technology infrastructure Enable operation and use Procure IT resources Manage Manage changes changes Install and accredit solutions and changes Page 1 AI6 – Acquire and Implement Manage Changes Control over the IT process of process name that satisfies the business requirement for IT of summary of most important IT goals is achieved by key controls and is measured by key metrics COBIT – Controlling and Auditing IS 17 Page 2 AI6 Page 2 Detailed Control Objectives Detailed Control Objectives AI6.1 Change Standards and Procedures Set up formal change management procedures to handle in a standardised manner all requests.. AI6.2 Impact Assessment, Prioritisation and Authorisation Ensure that all requests for change are assessed in a structured way for impacts on the operational system… AI6.3 Emergency Changes Establish a process for defining, raising, assessing and authorising emergency changes… AI6.4 Change Status Tracking and Reporting Establish a tracking and reporting system for keeping change requestors and relevant stakeholders up to date… AI6.5 Change Closure and Documentation Whenever system changes are implemented, update the associated system and user documentation… COBIT – Controlling and Auditing IS 18 Page 3 AI6 Management Guidelines Process Inputs and Outputs Layered Goals and Metrics RACI Chart COBIT – Controlling and Auditing IS 19 Page 4 Maturity Model Management of the process of Manage changes that satisfies the business requirement for IT of responding to business requirements in alignment with the business strategy, whilst reducing solution and service delivery defects and rework is: 0 Non-existent: No defined change management process… 1 Initial/Ad Hoc: It is recognised that changes should be managed… 2 Repeatable but Intuitive: Informal change management process… 3 Defined Process: Defined formal change management process… 4 Managed and Measurable: Change management well developed… 5 Optimised: Change management process is regularly reviewed… COBIT – Controlling and Auditing IS 20 Like Dagwood’s Boss, We Want Controls (employees?) that Work COBIT – Controlling and Auditing IS 21 COBIT Audit Guidelines An IT process is audited by: • Obtaining an understanding of business requirements-related risks, and relevant control measures • Evaluating the appropriateness of stated controls • Assessing compliance by testing whether the stated controls are working as prescribed, consistently and continuously • Substantiating the risk of the control objectives not being met by using analytical techniques and/or consulting alternative sources COBIT – Controlling and Auditing IS 22 COBIT Audit Guidelines AI6 Audit Guideline COBIT – Controlling and Auditing IS 23 COBIT Audit Guidelines AI6 Audit Guideline COBIT – Controlling and Auditing IS 24 COBIT Audit Guidelines AI6 Audit Guideline COBIT – Controlling and Auditing IS 25 Now that you have AI6… • You are the CEO of NASDAQ. You discover that the embarrassing error reported in the article happened when a new version of a software application was put into production. You know you need a better process. – Who should be involved in making sure this kind of thing doesn’t happen again? – What controls should be put into place? – How will you tell later if the controls are working? – Will your plan convince the angry board of directors? COBIT – Controlling and Auditing IS 26 Comparing Frameworks Different Frameworks: Different Emphasis • Control Objectives for Information & Related Technology (COBIT): Comprehensive checklists for IT, supports auditing, doesn’t directly address software development or give a roadmap for improvement • Capability Maturity Model Integration (CMMI): Geared for software development organizations • IT Infrastructure Library (ITIL): IT service delivery and management best practices • Six Sigma: Continuous improvement for repeatable activities (e.g., helpdesks) http://www.computerworld.com/managementtopics/management/story/0,10801,90797,00.html COBIT – Controlling and Auditing IS 27 Comparing Frameworks COBIT Asks All the Right Questions COBIT: 34 IT processes in 4 domains: COBIT defines issues, values, measurements, and responsibilities. It focuses on control over execution and strives to address all IT governance issues. COBIT – Controlling and Auditing IS 28 Comparing Frameworks CMM Helps Develop Mature Software Development Processes CMM (1993) and the later CMMI focus on improving the development, acquisition, and maintenance of systems. CMM addresses only some of the issues considered by COBIT. SEI CMM http://www.sei.cmu.edu/cmmi/general/general.html ITGI’s mapping of SEI’s CMM for Software with COBIT 4.0 COBIT – Controlling and Auditing IS 29 ITIL Presents Best Practices for IT Service Delivery ITIL, originally created by the British Government, “the only consistent and comprehensive best practice for IT service management.” ITIL provides more guidance on who should be responsible and how they should proceed. ITIL - Best practices COBIT – IT control ITGI’s mapping of ITIL With COBIT 4.0 COBIT – Controlling and Auditing IS 30 IT Governance Norms • • • • • Business Alignment A Risk/Control Perspective Accountability Continuous Improvement Systematic Measurement COBIT – Controlling and Auditing IS 31 Takeaways Key Takeaways • Forces are pushing organizations to adopt IT governance but its an uphill battle. • COBIT provides a systematic framework to evaluate IT operations. Plan, do, check, & correct. • A control perspective for IT processes is crucial to long term success. (It helps us talk nice to the CFO too!) • Thanks to the IT Governance Institute for material. COBIT – Controlling and Auditing IS 32 Back To AI6 Page 1 AI6 Manage Changes High-Level Control Objective • All changes, including emergency maintenance and patches, relating to infrastructure and applications within the production environment must be formally managed in a controlled manner. Changes (including procedures, processes, system and service parameters) must be logged, assessed and authorised prior to implementation and reviewed against planned outcomes following implementation. This assures mitigation of the risks of negatively impacting the stability or integrity of the production environment. COBIT – Controlling and Auditing IS 33 Back To AI6 Page 1 AI6 Waterfall Control over the IT process of Manage changes that satisfies the business requirement for IT of responding to business requirements in alignment with the business strategy, whilst reducing solution and service delivery defects and rework by focusing on controlling impact assessment, authorisation and implementation of all changes to the IT infrastructure, applications and technical solutions, minimising errors due to incomplete request specifications and halting implementation of unauthorised changes is achieved by • Defining and communicating change procedures, including emergency changes • Assessing, prioritising and authorising changes • Tracking status and reporting on changes and is measured by • Number of disruptions or data errors caused by inaccurate specifications or incomplete impact assessment • Application or infrastructure rework caused by inadequate change specifications • Percent of changes that follow formal change control processes COBIT – Controlling and Auditing IS 34