COBIT Presentation - Office of the Vice

Control Objectives for Information
and related Technology
(COBIT)
Overview
January 31, 2008
Overview
• Background – trends in auditing affecting
IT
• Overview of the COBIT
• Linkages to other methodologies
• Practical application – in audit and IT
management
Auditing Trends
Audit Committees
– Increasing dependence on IT infrastructure to support
traditional assurance/auditing
– Increasing obligations regarding risk management
and control including IT
– Uses Internal Audit to give assurance – we adopted
COBIT with the ability to use other frameworks as
deemed appropriate
– Management has a role as well
Office of the Auditor General
– Comments to entities that have had a broad IT assessment include ensuring the following is in place:
• IT strategies (not just for centralized IT services)
• Integration of IT requirements into business planning
• Documented IT risk assessments
• Business continuity planning and emergency response planning
• Service level performance measures
• Processes to build awareness for IT internal controls and security
• An IT control framework (recommended to several organizations) – COBIT recommended and being adopted
COBIT Overview [1]
IT Governance Institute
Enterprise governance is a set of responsibilities and practices exercised by the board and executive management with the goal of:
• Providing strategic direction
• Ensuring that objectives are achieved
• Ascertaining that risks are managed appropriately
• Verifying that the enterprise's resources are used responsibly
www.itgi.org
[1] This information and that on the following slides is consolidated from information developed by the IT Governance Institute.
Major COBIT Elements
- IT Processes
- Business Requirements
- IT Resources
IT Processes
1. COBIT describes the IT life cycle with the help of four domains:
– Plan and Organise
– Acquire and Implement
– Deliver and Support
– Monitor and Evaluate
2. Each domain contains processes, which are series of activities. There are 34 processes in total, specifying what IT needs to deliver for the business to achieve its objectives.
3. Activities are the actions required to achieve measurable results within the processes.
Plan and Organise
PO1 Define a strategic IT plan.
PO2 Define the information architecture.
PO3 Determine technological direction.
PO4 Define the IT processes, organisation
and relationships.
PO5 Manage the IT investment.
PO6 Communicate management aims and
direction.
PO7 Manage IT human resources.
PO8 Manage quality.
PO9 Assess and manage IT risks.
PO10 Manage projects.
Acquire and Implement
AI1 Identify automated solutions.
AI2 Acquire and maintain application
software.
AI3 Acquire and maintain technology
infrastructure.
AI4 Enable operation and use.
AI5 Procure IT resources.
AI6 Manage changes.
AI7 Install and accredit solutions and
changes.
Deliver and Support
DS1 Define and manage service levels.
DS2 Manage third-party services.
DS3 Manage performance and capacity.
DS4 Ensure continuous service.
DS5 Ensure systems security.
DS6 Identify and allocate costs.
DS7 Educate and train users.
DS8 Manage service desk and incidents.
DS9 Manage the configuration.
DS10 Manage problems.
DS11 Manage data.
DS12 Manage the physical environment.
DS13 Manage operations.
Monitor and Evaluate
ME1 Monitor and evaluate IT performance.
ME2 Monitor and evaluate internal control.
ME3 Ensure compliance with external requirements.
ME4 Provide IT governance.
Business Requirements
Effectiveness – Deals with information being relevant and pertinent to the business process as well as being delivered in a timely, correct, consistent and usable manner
Efficiency – Concerns the provision of information through the optimal (most productive and economical) use of resources
Confidentiality – Concerns the protection of sensitive information from unauthorised disclosure
Integrity – Relates to the accuracy and completeness of information as well as to its validity in accordance with business values and expectations
Availability – Relates to information being available when required by the business process now and in the future. It also concerns the safeguarding of necessary resources and associated capabilities.
Compliance – Deals with complying with those laws, regulations and contractual arrangements to which the business process is subject, i.e., externally imposed business criteria as well as internal policies
Reliability – Relates to the provision of appropriate information for management to operate the entity and to exercise its fiduciary and governance responsibilities
IT Resources
 Applications
 Information
 Infrastructure
 People
Use of COBIT in Internal Audit
• Annual Risk Assessment (developed with Grant Thornton)
• Can audit in different ways:
– an application system (all processes)
– a process (e.g. IT investment management across a unit or the campus)
– a resource component (e.g. infrastructure) and/or a business requirement (e.g. security)
• Maps to other frameworks
• Flexible yet defensible
Use of COBIT in Management
• Seeing an increase in formal adoption of frameworks.
• Supporting documentation being developed for
management.
• Flexible adoption – one size does not fit all.
• Can be blended with other frameworks.
Organisations will consider and use a variety of IT models, standards and best practices.
[Diagram: frameworks positioned by what they cover (WHAT) against their scope of coverage: COSO, COBIT, ISO 17799, ISO 9000, ITIL]
IT Process Capability Maturity Scorecard—Example
Rows: the 34 IT processes. Columns: the maturity levels Initial, Repeatable, Defined, Managed and Optimised, against which each process is rated.
Plan and Organise
PO1 Define a strategic IT plan.
PO2 Define the information architecture.
PO3 Determine the technological direction.
PO4 Define the IT process, organisation and relationships.
PO5 Manage the IT investment.
PO6 Communicate management aims and direction.
PO7 Manage IT human resources.
PO8 Manage quality.
PO9 Assess and manage risks.
PO10 Manage projects.
Acquire and Implement
AI1 Identify automated solutions.
AI2 Acquire and maintain application software.
AI3 Acquire and maintain technology infrastructure.
AI4 Enable operation and use.
AI5 Procure IT resources.
AI6 Manage changes.
AI7 Install and accredit solutions and changes.
Deliver and Support
DS1 Define and manage service levels.
DS2 Manage third-party services.
DS3 Manage performance and capacity.
DS4 Ensure continuous service.
DS5 Ensure systems security.
DS6 Identify and allocate costs.
DS7 Educate and train users.
DS8 Manage service desk and incidents.
DS9 Manage the configuration.
DS10 Manage problems.
DS11 Manage data.
DS12 Manage the physical environment.
DS13 Manage operations.
Monitor and Evaluate
ME1 Monitor and evaluate IT performance.
ME2 Monitor and evaluate internal control.
ME3 Ensure compliance with external requirements.
ME4 Provide IT governance.
[Diagram: COBIT Framework. Business objectives and governance objectives drive the Information criteria (Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability), which are delivered using the IT Resources (Applications, Information, Infrastructure, People) through the four domains and their 34 processes: Plan and Organise (PO1–PO10), Acquire and Implement (AI1–AI7), Deliver and Support (DS1–DS13) and Monitor and Evaluate (ME1–ME4), as listed on the preceding slides.]
Questions
Contact:
Ian Simpson
Systems Auditor
492-2980