An Introduction to COBIT 4.1
The Control and Management Framework
By: Aqel M. Aqel, CISA, MBA
ISACA Riyadh Chapter – Saudi Arabia
08th of June 2009
In the name of God, the Most Gracious, the Most Merciful.
“Read in the name of your Lord who created (1), created man from a clot (2). Read, and your Lord is the Most Generous (3), who taught by the pen (4), taught man what he did not know (5).”
God Almighty has spoken the truth.
Seminar Outline
► Introduction about IT Governance
  • Information Technology evolutions
  • Roles between technical staff and other departments
► IT Risks
► The Need for IT Governance
  • Governance, Different Models Evolutions.
► COBIT Framework Domains & Criteria.
  • IT Planning and Organizing.
  • IT Acquisition and Implementation.
  • IT Delivery and Support.
  • IT Monitoring.
► A Glance at Implementation Road Map
1. Introduction about IT Governance
Introduction/ IT Governance Concepts
What is the Role of IT in the organization?
IT Impact on business:
• Increasing / total dependency on IT
• Value of IT investments, tangible & intangible
• Higher cost of downtime
• Customer trust / firm reputation
• E-Commerce B2B, B2C …etc. opportunities
• Information credibility
• ICT can control business processes
• Data capturing / performance measurement
Introduction/ IT Governance Concepts
Corporate Governance (diagram): the business is governed through its People (owners & workers), its Assets (tangible & intangible), Regulations (local & global) and its Business Processes.
OUTCOMES
• Realize Strategy
• Achieve Business Objectives
• Business Progress
• Customer Satisfaction
• National Prosperity
Introduction/ IT Governance Concepts
ICT as Business Enabler (diagram): Stakeholders receive Reports on Business Activities; the IT Governance Framework sits over Information, Business Logic & Controls, the IT Infrastructure (Hardware, Software, Human Resources) and the IT Process.
Source: Aqel M. Aqel
Introduction/ IT Governance Concepts
Conventional Governance Tools:
► Organization Structure
► Roles and responsibilities
► Policies & standards
► Controls
  • Preventive
  • Detective
  • Corrective
► Periodic Reporting
► Reviewing
► Independent Audit
Source: Aqel M. Aqel
Introduction/ IT Governance Concepts
Controlled (Governed) IT will:
1. Support business effectively to maximize profits & optimize costs
2. Business competitive advantage
3. New business opportunities
4. Protect IT investment
5. Successful IT projects
6. Manage IT risks
7. Business continuity
(Chart: Profits $ versus Time)
2. IT Risks
IT Risks
It is Serious.
Sample Threats
• Trojan Horses
• Rounding Down
• Viruses
• Worms
• Logic Bomb
• Trap Doors
• Wire Tapping
• Data Leakage
• Network Attacks (DOS)
• Abnormal Shutdown
• Natural Disasters
Source: 2002 CERT
Source: 2002 CSI/FBI Survey
Cost of Downtime (chart)
Source: Meta Group 2000
Internet and e-Mail Threats
► 77 % of Web sites with malicious code are legitimate sites that have been compromised.
► 70 % of the top 100 sites either hosted malicious content or contained a masked redirect to lure unsuspecting victims from legitimate sites to malicious sites.
► 84.5 % of email messages were spam.
► 90.4 % of all unwanted emails in circulation during this period contained links to spam sites or malicious Web sites.
► 39 % of malicious Web attacks included data-stealing code.
► 57 % of data-stealing attacks are conducted over the Web.
Source: recent research by Websense Security Labs™ 2009
IT Risks..well-known Incidents
Estonia
Pictured: Russians protest Tallinn's decision to move a Soviet memorial.
When Estonia's government announced it was relocating a Soviet memorial in the country's capital, Russian hackers expressed their displeasure with cyberwarfare. They launched a wave of "distributed denial-of-service" attacks against the country's government, banking and media Web sites, using thousands of personal computers hijacked with hidden software to overload the servers. Many sites were down for more than a week. Estonia originally blamed Russia's government for the cyber blitz, but no direct connection between the hackers and the country's government could be found.
Source: Worst Cyber security Meltdowns, by Andy Greenberg, Oct 2007 Forbes.com
IT Risks..well-known Incidents
TJX (Retailer) - Jan 2007
In January, retailer TJX, owner of TJ Maxx and Marshall's, revealed that hackers had gained access to more than 45 million users' credit card information, the largest single data theft of all time. According to an investigation by Canada's Privacy Commission, the hackers likely used a long-range antenna to tap the stores' wi-fi networks. Weaving within an outmoded wireless protocol, the electronic intruders spent more than a year and a half stealing reams of private financial data. By TJX's own accounting, the theft has cost more than $256 million.
Source: Worst Cyber security Meltdowns, by Andy Greenberg, Oct 2007 Forbes.com
IT Risks
It is Serious.
When an organization suffers a data breach, it costs approximately US $197 per lost record. That means if a company loses 100,000 records, it would cost close to US $20 million.
Source: COBIT Focus Vol. 3 2008
IT Failure Statistic
What are the Risks? (pie chart)
Categories: Power Outage (26%), Service Failure, Burst Water Pipe, Human Error, Network Outage, Other, Power Surge / Spike, Storm Damage, Flood, Hardware Error, Employee Sabotage, Software Error, Earthquake, Bombing, Fire, Hurricane
Source: Contingency Planning Research
IT Risks: Who is responsible?
Business owners / managers are responsible for sustaining business operations and any losses incurred because of ICT threats.
Managers Hot Issues and Key Concerns 1/4
► How far should we go in controlling IT, and is the cost justified by the benefit?
► What are the indicators of good performance?
► What are the key management practices to apply?
► What do others do?
► How do we measure and compare?
Managers Hot Issues and Key Concerns 2/4
► Poor understanding of the value contribution of IT
► Risks not recognized
► Lack of management direction or effective oversight committees
► Poor time-to-market results relative to software development
► Projects running over budget
► Frequent security incidents
► Applications lacking in functionality.
Managers Hot Issues and Key Concerns 3/4
Source: ITGI IT Governance Global Status Report 2006
Managers Hot Issues and Key Concerns 4/4
Source: Gartner Research
What IT Governance is all about?
► How does the enterprise get IT under control such that:
  • It delivers the information the enterprise needs?
  • It manages the risks and secures the IT resources on which it is so dependent?
  • It ensures that IT achieves its objectives and supports the business?
► Management needs control objectives that contain:
  • Policies,
  • Practices,
  • Procedures &
  • Organizational Structure
  designed to provide reasonable assurance that:
  • Business objectives are achieved
  • Undesired events are:
    • Prevented or
    • Detected and
    • Corrected
Drivers for IT Governance implementation
► Dissatisfied customers
► Changing market position
► Competition
► New product/service introduction
► High operating costs or other fiscal issues
► Inefficient or ineffective business processes
► Security or privacy breach
► Major business operational or IT outage
► Obsolescence of IT or information systems
► Merger or acquisition
► Shareholder demand for short-term results
► Regulatory or legislative changes
► New chief executive officer (CEO)
► Privatization/regulation
► Enterprise resource planning
► Outsourcing
► Best-of-breed IT systems
► Common IT architecture
► Shared services
► Cost reduction
► Quality of IT service provision
► Technology innovation
► IT enablers to assist enterprise business goals
► Transaction growth
► Realignment with available IT skills
Governance Environment varies according to:
► The community’s and enterprise’s ethics and culture
► Ruling laws, regulations and policies (internal and external)
► The mission, vision and values of the enterprise
► The enterprise’s models for roles and responsibilities
► The enterprise’s governance policies and practices
► Industry practices
► The enterprise’s business plan and strategic intentions
3. COBIT Framework Domains & Criteria
Introduction/ COBIT 4.1 2007
COBIT™ Control Objectives for IT & Related Technologies
► Contains 34 business-driven IT processes categorized into four groups.
► Associated with each process is a set of detailed control objectives based on international best practices (318 C.O. in the third edition, 215 in ver. 4.0, reduced to 210 in 4.1).
► Controls specify the purpose (objective) to be achieved by the control, with a set of KGI, KSF & audit guidelines.
► It includes management guidelines and maturity levels of five grades for each control.
IT Governance Definition:
“A structure of relationships and processes to direct and control the enterprise in order to achieve the enterprise’s goals by adding value while balancing risk versus return over IT and its processes.”
Source: www.austin.cc.tx.us/audit/Glossary/LetterI.htm
ITGI definition:
“It is an integral part of enterprise governance and consists of leadership, organizational structure and processes that ensure the organization’s IT sustains & extends the organization’s strategies and objectives.” Source: COBIT 3
Enterprise / Corporate Governance:
ITGI definition:
“It is a set of responsibilities and practices exercised by the BOD and executive management with the goal of providing strategic direction, ensuring that the risks are managed appropriately and verifying that the enterprise resources are used responsibly.”
Source: ITGI
“The system by which the current and future use of ICT is directed and controlled. It involves evaluating and directing the plans for the use of ICT to support the organization and monitoring this use to achieve plans. It includes the strategy and policies for using ICT within an organization.”
Source: AS 8015-2005
COBIT Governance Concepts
What do we want from Information Technology?
Information Quality Requirements:
• Correctness
• Completeness
• Accuracy
Fiduciary Requirements:
• Availability
• Reliability
• Compliancy
• Effectiveness
Security Requirements:
• Confidentiality
• Integrity
• Availability
Criteria
1. Effectiveness
2. Efficiency
3. Confidentiality
4. Integrity
5. Availability
6. Compliance
7. Reliability
COBIT Governance Concepts
IT Assets / Resources Categories
Simply, IT Governance is about Control & Protection… So what do we want to govern / protect?
1. Applications
2. Information
3. Infrastructure (Technology & Facilities in COBIT III)
4. People (Human Resources in COBIT III)
IT Governance Domains:
1. Planning and Organizing
2. Acquisition and Implementation
3. Delivery and Support
4. Monitoring & Evaluation
Source: COBIT 4
Control Objectives for IT & Related Technologies, COBIT™
1. Plan and Organize: PO1 – PO10
2. Acquire and Implement: AI1 – AI7
3. Deliver and Support: DS1 – DS13
4. Monitor and Evaluate: ME1 – ME4
Introduction/ Governance concepts
COBIT™, what we mean by “Control”?
Control: The policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented or detected and corrected.
Control Objectives: The statement of the desired result or purpose to be achieved by implementing control procedures in a particular IT activity.
Source: COBIT
Introduction/ Governance concepts
COBIT™ Control Objectives for IT & Related Technologies (diagram): the control of the IT Process, to satisfy Business Requirements, by focusing on Control Statements, considering Control Practices.
Source: COBIT
Plan and Organize
► PO1 Define a Strategic IT Plan
► PO2 Define the Information Architecture
► PO3 Determine Technological Direction
► PO4 Define the IT Processes, Organization and Relationships
► PO5 Manage the IT Investment
► PO6 Communicate Management Aims and Direction
► PO7 Manage IT Human Resources
► PO8 Manage Quality
► PO9 Assess and Manage IT Risks
► PO10 Manage Projects
Acquire and Implement
► AI1 Identify Automated Solutions
► AI2 Acquire and Maintain Application Software
► AI3 Acquire and Maintain Technology Infrastructure
► AI4 Enable Operation and Use
► AI5 Procure IT Resources
► AI6 Manage Changes
► AI7 Install and Accredit Solutions and Changes
Deliver and Support
► DS1 Define and Manage Service Levels
► DS2 Manage Third-party Services
► DS3 Manage Performance and Capacity
► DS4 Ensure Continuous Service
► DS5 Ensure Systems Security
► DS6 Identify and Allocate Costs
► DS7 Educate and Train Users
► DS8 Manage Service Desk and Incidents
► DS9 Manage the Configuration
► DS10 Manage Problems
► DS11 Manage Data
► DS12 Manage the Physical Environment
► DS13 Manage Operations
Monitor and Evaluate
► ME1 Monitor and Evaluate IT Performance
► ME2 Monitor and Evaluate Internal Control
► ME3 Ensure Regulatory Compliance
► ME4 Provide IT Governance
Control over the IT process of:
PO1 Define a Strategic Information Technology Plan
that satisfies the business requirement
Sustain or extend business strategy and governance requirements
By Focusing on
Translating business requirements into services
And achieved by
• Alignment of business current and future plans
• Understanding current capabilities
• Prioritization of business objectives
PO1 Define a Strategic Information Technology Plan
Detailed Control Objectives
1.1 IT Value Management
1.2 Business – IT Alignment
1.3 Assessment of Current Performance
1.4 IT Strategic Plan
1.5 IT Tactical Plans
1.6 IT Portfolio Management
Control over the IT process of:
PO2 Define the Information Architecture
that satisfies the business requirement
Respond to requirements, provide reliable and consistent information, integrate applications into business processes.
By Focusing on
Being agile in responding to requirements, providing reliable and consistent information and seamlessly integrating applications into business processes
And achieved by
• Assuring the accuracy of the information architecture and data model
• Assigning data ownership
• Classifying information using an agreed classification scheme
PO2 Define the Information Architecture
Detailed Control Objectives
2.1 Enterprise Information Architecture Model
2.2 Enterprise Data Dictionary and Data Syntax Rules
2.3 Data Classification Scheme
2.4 Integrity Management
Control over the IT process of:
AI1 Identify Automated Solutions
that satisfies the business requirement
Translating business functional and control requirements into an effective and efficient design of automated solutions
By Focusing on
Identifying technically feasible and cost-effective solutions
And achieved by
• Defining business and technical requirements
• Undertaking feasibility studies as defined in the development standards
• Approving (or rejecting) requirements and feasibility study results
AI1 Identify Automated Solutions
Detailed Control Objectives
1.1 Definition and Maintenance of Business Functional and Technical Requirements
1.2 Risk Analysis Report
1.3 Feasibility Study and Formulation of Alternative Courses of Action
1.4 Requirements and Feasibility Decision and Approval
What Else…?
Business Goals vs. IT Goals: 17 Business Goals, 28 IT Goals
Products Components
1. COBIT Framework
2. IT Assurance Guide Using COBIT
3. COBIT Control Practices: Guidance to Achieve Control Objectives for Successful IT Governance, 2nd Edition
4. COBIT Quick Start
5. COBIT Security Baseline
6. Board Briefing on IT Governance, 2nd Edition
4. Implementation !!!
IT Governance Life Cycle
Governance Objectives: Direct, Create, Protect, Execute, Monitor
IT Governance Focus Areas: Strategic Alignment, Value Delivery, Risk Management, Resources Management, Performance Management
COBIT / VAL IT Contribution
• Business – IT Goals
• Control Objectives
• Outcome indicators
• Management Practices and performance metrics
• Process and Maturity Models
• ICT Balanced Scorecard
• Assurance Guide
Source: COBIT Implementation Guide 2nd edition 2007
COBIT Implementation Road Map (diagram): implementation phases derived from stakeholders' objectives
Source: COBIT Implementation Guide 2nd edition 2007
Thank You
Introduction to IT Governance
Using COBIT IV Framework