IBPM Group
My Background




Teacher's Name: Iman Baradari

        Master of Engineering, Project Management, University of Melbourne

        Project management professional certifications:
          •   Risk Management Professional (RMP)
          •   Project Management Professional (PMP)
          •   PRINCE2 (Foundation and Practitioner)
          •   Managing Successful Programmes (MSP)
          •   Management of Portfolios (MoP)

        ITSM professional certifications:
          •   ITIL V2 and V3.0 (Foundation)
          •   ITIL V2 Service Manager
          •   ISO 20000
          •   COBIT

Working Experience:

       • Project manager: E-SASAD programme

       • Designing an integrated ITSM solution based on ITIL

       • Vice President: Iran Fuel Smart Card National Project

       • Project planning and control manager: Iran Fuel Smart Card National
       Project

       • Project manager: Iran Railway Support System based on ITIL and
       ISO 20000




Attendance
Introduction




Please describe your:

          • Roles and responsibilities
          • Knowledge in IT service management
          • Knowledge in project management
          • Work experience in IT service management

        Clarify your needs and expectations from this course.




Introduction




IT Challenges

        • Aligning IT with business requirements
        • Value delivery
        • IT expenditure
        • Mastering complexity
        • Regulatory compliance
        • Security
        • IT risks



Enterprise Governance
             IT Governance




Corporate Governance vs. IT Governance

       Corporate governance is the set of processes, customs, policies, laws,
       management practices and institutions affecting the way an entity is
       controlled and managed. It incorporates all the relationships among the
       many stakeholders involved and aims to organize them to meet the
       goals of the organization in the most effective and efficient manner
       possible. An effective corporate governance strategy allows an
       organization to manage all aspects of its business in order to meet its
       objectives.

       IT Governance is a subset discipline of Corporate Governance focused
       on information technology (IT) systems and their performance and risk
       management.




Enterprise governance drives IT governance

     Enterprise governance is about:
     • Conformance
        • Adhering to legislation, internal policies, audit requirements, etc.
     • Performance
        • Improving profitability, efficiency, effectiveness, growth, etc.

     [Figure: a balance between Performance and Conformance]

              Enterprise governance and IT governance require a
             balance between conformance and performance goals
                            directed by the board.
                                                                    Source: ITGI
Corporate Governance
   The field of Corporate Governance is a multi-faceted subject that
   includes several fields of study. These fields include areas such as:

   1. Accountability and fiduciary duty. These advocate the
   implementation of guidelines and mechanisms to ensure management
   acts in good faith and that the public organization is protected from
   wrongdoing or fraud.

   2. Economic efficiency view. This involves how the corporate
   governance system intends to optimize results, and meet its objectives.

   3. Strategic efficiency view. This involves public policy objectives that
   are not directly measurable in economic terms such as alleviation of
   poverty, access to markets, income stabilization, health care and job
   creation. These are issues that are the main focus of most public
   sector institutions and are not readily measured in economic terms.

     4. Stakeholder view. This area of study focuses more attention and
     accountability on other stakeholders such as citizens, employees,
     businesses and other levels of government (i.e. provincial, municipal or
     local authorities).
IT Governance

     IT Governance focuses specifically on information technology systems,
     their performance and risk management.

     The primary goals of IT Governance are to assure that the investments
     in IT generate business value, and to mitigate the risks that are
     associated with IT. This can be done by implementing an
     organizational structure with well-defined roles for the responsibility of
     information, business processes, applications and infrastructure.

     IT governance should be viewed as how IT creates value that fits into
     the overall Corporate Governance Strategy of the organization, and
     never be seen as a discipline on its own. In taking this approach, all
     stakeholders would be required to participate in the decision making
     process. This creates a shared acceptance of responsibility for critical
     systems and ensures that IT related decisions are made and driven by
     the business and not vice versa.



Various definitions of IT Governance

        • The structure, oversight and management processes which
       ensure the delivery of the expected benefits of IT in a controlled
       way to help enhance the long term sustainable success of the
       enterprise.

        • IT governance is the responsibility of the board of directors and
       executive management. It is an integral part of enterprise
       governance and consists of the leadership and organizational
       structures and processes that ensure that the organization's IT
       sustains and extends the organization's strategies and objectives.

        • A structure of relationships and processes to direct and control
       the enterprise in order to achieve the enterprise's goals by adding
       value while balancing risk versus return over IT and its processes.




Various definitions of IT Governance

    • Specifying the decision rights and accountability framework to encourage
   desirable behaviors in the use of IT.

    • Governance is not about what decisions get made (that is management)
   but about who makes the decisions and how they are made.

    • IT governance is the term used to describe how those persons entrusted
   with governance of an entity will consider IT in their supervision,
   monitoring, control and direction of the entity. How IT is applied will have
   an immense impact on whether the entity will attain its vision, mission or
   strategic goals.




Various definitions of IT Governance

   ITGI definition:
         IT governance consists of the leadership and organizational structures and
          processes that ensure that the organization's IT sustains and extends the
          enterprise's strategies and objectives.

   At its core, IT has two responsibilities:
         1. IT must deliver value
         2. Enable the business




Purpose of IT Governance

      • Establish and clarify accountability and decision rights (clearly define
     roles and authority).

      • Manage risks, change and contingency proactively.

      • Improve IT organizational performance, compliance, maturity and
     staff development.

      • Improve customer service and overall responsiveness.

      • Align IT investments and priorities more closely with the business.

      • Manage, evaluate, prioritize, fund, measure and monitor requests for
     IT services and the resulting work and deliverables, in a more
     consistent and repeatable manner that optimizes returns to the
     business.

      • Manage the responsible utilization of resources and assets.

      • Ensure that IT delivers on its plans, budgets and commitments.
What does it mean?

       Governance is about deciding the "who, what, when, why, and how" of
       decision-making.

        • The decisions required by the organization (the "what")

        • The roles (the "who") in the organization that are accountable for
       which decisions

        • Policies that guide how the decisions should be made (the "why")

        • The measures that enable informed decision-making (the "how")

        • At what point in the governance process is the decision appropriately
       made? (the "when")




Benefits of IT Governance

        • Confidence of top management

        • Responsiveness of IT to the business

        • Formalizes IT oversight and accountability to ensure more effective
       and ethical management.

        • Improves planning, integration, communications and performance
       between the business units and IT groups and within IT groups

        • Improves ROI-based demand management (IT requests and Total
       Cost of Ownership) decisions to analyze, prioritize, fund, approve and
       manage major IT investments (capital and operating expenses).

        • Optimizes assets and human capital resources

        • Facilitates compliance and audits by documenting processes,
       controls and decision authority.

        • More transparency
IT Governance Responsibilities

       To meet the requirements listed in the previous section, a framework
       for IT governance and control should:

        • Provide a business focus to enable alignment between business and
       IT objectives

        • Establish a process orientation to define the scope and extent of
       coverage, with a defined structure enabling easy navigation of content

        • Be generally acceptable by being consistent with accepted IT good
       practices and standards and independent of specific technologies

        • Supply a common language with a set of terms and definitions that
       are generally understandable by all stakeholders

        • Help meet regulatory requirements by being consistent with generally
       accepted corporate governance standards (e.g., COSO) and IT
       controls expected by regulators and external auditors


IT Governance stakeholders

        A governance and control framework needs to serve a variety of
        internal and external stakeholders, each of whom has specific needs:

         • Stakeholders within the enterprise who have an interest in generating
        value from IT investments:
             • Those who make investment decisions
             • Those who decide about requirements
             • Those who use IT services

         • Internal and external stakeholders who provide IT services:
             • Those who manage the IT organization and processes
             • Those who develop capabilities
             • Those who operate the services

         • Internal and external stakeholders who have a control/risk
        responsibility:
             • Those with security, privacy and/or risk responsibilities
             • Those performing compliance functions
             • Those requiring or providing assurance services
IT Governance
             Focus areas




IT Governance Focus areas

     [Figure: the IT governance focus areas (domains), including Resource
     Management; each area is described on the following slides]



IT Governance Focus areas

     • Strategic alignment
    focuses on ensuring the linkage of business and IT plans; defining,
    maintaining and validating the IT value proposition; and aligning IT
    operations with enterprise operations.

     • Value delivery
    is about executing the value proposition throughout the delivery cycle,
    ensuring that IT delivers the promised benefits against the strategy,
    concentrating on optimizing costs and proving the intrinsic value of IT.

     • Resource management
    is about the optimal investment in, and the proper management of, critical
    IT resources: applications, information, infrastructure and people. Key
    issues relate to the optimisation of knowledge and infrastructure.
IT Governance Focus areas

     • Risk management
    requires risk awareness by senior corporate officers, a clear
    understanding of the enterprise's appetite for risk, understanding of
    compliance requirements, transparency about the significant risks to the
    enterprise and embedding of risk management responsibilities into the
    organization.

     • Performance measurement
    tracks and monitors strategy implementation, project completion, resource
    usage, process performance and service delivery, using, for example,
    balanced scorecards that translate strategy into action to achieve goals
    measurable beyond conventional accounting.



IT Governance Focus areas – Strategic Alignment

       • Strategic Alignment focuses on ensuring the linkage of business and IT
       plans

       • IT value proposition:
          • Defining
          • Maintaining
          • Validating

       • Aligning IT operations with enterprise operations




IT Governance Focus areas – Value Delivery

        • Value Delivery is about executing the value proposition throughout
       the delivery cycle, ensuring that IT delivers the promised benefits
       against the strategy, concentrating on optimizing costs and proving the
       intrinsic value of IT.

        • Governance is mostly qualitative and less quantitative, which does
       not lend itself to 'value delivery'.

        • Many new IT Governance initiatives have no mechanism in
       place to measure the success or benefits of their governance efforts.

        • When IT Governance performance measurement disciplines and
       practices are in use, they are mostly informal, subjective or based on
       qualitative measures only.




IT Governance Focus areas – Risk management

        • Risk awareness by senior corporate officers

        • A clear understanding of the enterprise's appetite for risk

        • Transparency about the significant risks to the enterprise

        • Embedding of risk management responsibilities into the organization




IT Governance Focus areas – Resource management

        Optimal investment in, and the proper management of, critical IT
       resources:
          • Processes
          • People
          • Applications
          • Infrastructure
          • Information




IT Governance Focus areas – Performance management

        Tracks and monitors:

        • Strategy implementation

        • Project completion

        • Resource usage

        • Process performance

        • Service delivery




COBIT Framework




       COBIT is a framework and supporting tool set that allows managers to
       bridge the gap with respect to control requirements, technical
       issues and business risks, and communicate that level of control to
       stakeholders. COBIT enables the development of clear policies
       and good practice for IT control throughout enterprises. COBIT is
       continuously kept up to date and harmonised with other standards
       and guidance. Hence, COBIT has become the integrator for IT good
       practices and the umbrella framework for IT governance that
       helps in understanding and managing the risks and benefits associated
       with IT. The process structure of COBIT and its high-level,
       business-oriented approach provide an end-to-end view of IT and the
       decisions to be made about IT.



COBIT Characteristics

        • Business focused

        • Process oriented

        • Control based

        • Measurement driven




COBIT is
             Business Focused




Basic COBIT Principle




COBIT is Business Focused

       Business orientation is the main theme of COBIT. It is designed not
       only to be employed by IT service providers, users and auditors, but
       also, and more importantly, to provide comprehensive guidance for
       management and business process owners.

       The COBIT framework is based on the following principle: to provide
       the information that the enterprise requires to achieve its objectives,
       the enterprise needs to invest in, manage and control IT resources
       using a structured set of processes to provide the services that deliver
       the required enterprise information.

       Managing and controlling information are at the heart of the COBIT
       framework and help ensure alignment to business requirements.




Business Goals and IT Goals




Business Goals and IT Goals

       Whilst information criteria provide a generic method for defining the
       business requirements, defining a set of generic business and IT goals
       provides a business-related and more refined basis for establishing
       business requirements and developing the metrics that allow
       measurement against these goals. Every enterprise uses IT to enable
       business initiatives, and these can be represented as business goals
       for IT.

       If IT is to successfully deliver services to support the enterprise’s
       strategy, there should be a clear ownership and direction of the
       requirements by the business (the customer) and a clear
       understanding of what needs to be delivered, and how, by IT (the
       provider).




COBIT
             Information criteria




COBIT's Information criteria

        • Effectiveness
       deals with information being relevant and pertinent to the business
       process as well as being delivered in a timely, correct, consistent and
       usable manner.

        • Efficiency
       concerns the provision of information through the optimal (most
       productive and economical) use of resources.

        • Confidentiality
       concerns the protection of sensitive information from unauthorized
       disclosure.

        • Integrity
       relates to the accuracy and completeness of information as well as to
       its validity in accordance with business values and expectations.
COBIT's Information criteria

        • Availability
       relates to information being available when required by the business
       process now and in the future. It also concerns the safeguarding of
       necessary resources and associated capabilities.

        • Compliance
       deals with complying with the laws, regulations and contractual
       arrangements to which the business process is subject, i.e., externally
       imposed business criteria as well as internal policies.

        • Reliability
       relates to the provision of appropriate information for management to
       operate the entity and exercise its fiduciary and governance
       responsibilities.



COBIT
             IT Resources




IT Resources

       The IT organization delivers against these goals by a clearly defined
       set of processes that use people skills and technology infrastructure to
       run automated business applications while leveraging business
       information. These resources, together with the processes, constitute
       an enterprise architecture for IT.




IT Resources
  The IT resources identified in COBIT can be defined as follows:

   • Applications
  are the automated user systems and manual procedures that process the
  information.

   • Information
  is the data, in all their forms, input, processed and output by the information
  systems in whatever form is used by the business.

   • Infrastructure
  is the technology and facilities (i.e., hardware, operating systems, database
  management systems, networking, multimedia, and the environment that houses
  and supports them) that enable the processing of the applications.

   • People
  are the personnel required to plan, organise, acquire, implement, deliver, support,
  monitor and evaluate the information systems and services. They may be internal,
  outsourced or contracted as required.
IT Resources
    The diagram below summarizes how the business goals for IT influence how
    the IT resources need to be managed by the IT processes to deliver IT's
    goals.




COBIT is
             Process oriented




COBIT is Process Oriented

       COBIT defines IT activities in a generic process model within four
       domains. These domains are Plan and Organize, Acquire and
       Implement, Deliver and Support, and Monitor and Evaluate. The domains
       map to IT’s traditional responsibility areas of plan, build, run and monitor.

       The COBIT framework provides a reference process model and common
       language for everyone in an enterprise to view and manage IT activities.
       Incorporating an operational model and a common language for all parts
       of the business involved in IT is one of the most important and initial
       steps toward good governance. It also provides a framework for
       measuring and monitoring IT performance, communicating with service
       providers and integrating best management practices.

       A process model encourages process ownership, enabling
       responsibilities and accountability to be defined.




The Four interrelated Domains of COBIT




The Four interrelated Domains of COBIT

   To govern IT effectively, it is important to appreciate the activities and
   risks within IT that need to be managed. They are usually ordered into
   the responsibility domains of plan, build, run and monitor. Within the
   COBIT framework, these domains, as shown in figure 8, are called:

    • Plan and Organize (PO): provides direction to solution delivery (AI)
   and service delivery (DS)

    • Acquire and Implement (AI): provides the solutions and passes
   them to be turned into services

    • Deliver and Support (DS): receives the solutions and makes them
   usable for end users

    • Monitor and Evaluate (ME): monitors all processes
   to ensure that the direction provided is followed


Plan and Organize (PO)

   This domain covers strategy and tactics, and concerns the
   identification of the way IT can best contribute to the achievement of
   the business objectives. The realization of the strategic vision needs to
   be planned, communicated and managed from different perspectives. A
   proper organization as well as technological infrastructure should be
   put in place. This domain typically addresses the following
   management questions:

    • Are IT and the business strategy aligned?

    • Is the enterprise achieving optimum use of its resources?

    • Does everyone in the organization understand the IT objectives?

    • Is the quality of IT systems appropriate for business needs?

    • Are IT risks understood and being managed?



Acquire and Implement (AI)

   To realize the IT strategy, IT solutions need to be identified, developed
   or acquired, as well as implemented and integrated into the
   business process. In addition, changes in and maintenance of existing
   systems are covered by this domain to make sure the solutions
   continue to meet business objectives. This domain typically addresses
   the following management questions:

    • Are new projects likely to deliver solutions that meet business needs?

    • Are new projects likely to be delivered on time and within budget?

    • Will the new systems work properly when implemented?

    • Will changes be made without upsetting current business operations?




Deliver and Support (DS)

   This domain is concerned with the actual delivery of required services,
   which includes service delivery, management of security and
   continuity, service support for users, and management of data and
   operational facilities. It typically addresses the following
   management questions:

    • Are IT services being delivered in line with business priorities?

    • Are IT costs optimized?

    • Is the workforce able to use the IT systems productively and safely?

    • Are adequate confidentiality, integrity and availability in place for
   information security?




Monitor and Evaluate (ME)

   All IT processes need to be regularly assessed over time for their
   quality and compliance with control requirements. This domain
   addresses performance management, monitoring of internal control,
   regulatory compliance and governance. It typically addresses the
   following management questions:

    • Is IT's performance measured to detect problems before it is too late?

    • Does management ensure that internal controls are effective and
   efficient?

    • Can IT performance be linked back to business goals?

    • Are adequate confidentiality, integrity and availability controls in place
   for information security?




The Four interrelated Domains of COBIT

   Across these four domains, COBIT has identified 34 IT processes that
   are generally used.

   While most enterprises have defined plan, build, run and monitor
   responsibilities for IT, and most have the same key processes, few
   will have the same process structure or apply all 34 COBIT processes.
   COBIT provides a complete list of processes that can be used
   to verify the completeness of activities and responsibilities; however,
   they need not all apply, and, even more, they can be combined as
   required by each enterprise.

   For each of these 34 processes, a link is made to the business and IT
   goals that are supported. Information on how the goals can be
   measured, what the key activities and major deliverables are, and who
   is responsible for them is also provided.



COBIT Cube




COBIT Framework

   [Figure: the COBIT cube, relating Business Objectives and Governance
   Objectives, the Information criteria (Effectiveness, Efficiency,
   Confidentiality, Integrity, Availability, Compliance, Reliability), the
   IT Resources (Applications, Information, Infrastructure, People) and the
   34 IT processes in the four domains listed below.]

   Plan and Organise (PO)
   PO1   Define a strategic IT plan.
   PO2   Define the information architecture.
   PO3   Determine technological direction.
   PO4   Define the IT processes, organisation and relationships.
   PO5   Manage the IT investment.
   PO6   Communicate management aims and direction.
   PO7   Manage IT human resources.
   PO8   Manage quality.
   PO9   Assess and manage IT risks.
   PO10  Manage projects.

   Acquire and Implement (AI)
   AI1   Identify automated solutions.
   AI2   Acquire and maintain application software.
   AI3   Acquire and maintain technology infrastructure.
   AI4   Enable operation and use.
   AI5   Procure IT resources.
   AI6   Manage changes.
   AI7   Install and accredit solutions and changes.

   Deliver and Support (DS)
   DS1   Define and manage service levels.
   DS2   Manage third-party services.
   DS3   Manage performance and capacity.
   DS4   Ensure continuous service.
   DS5   Ensure systems security.
   DS6   Identify and allocate costs.
   DS7   Educate and train users.
   DS8   Manage service desk and incidents.
   DS9   Manage the configuration.
   DS10  Manage problems.
   DS11  Manage data.
   DS12  Manage the physical environment.
   DS13  Manage operations.

   Monitor and Evaluate (ME)
   ME1   Monitor and evaluate IT performance.
   ME2   Monitor and evaluate internal control.
   ME3   Ensure compliance with external requirements.
   ME4   Provide IT governance.

                                                                    Source: ITGI
COBIT
             Controls




COBIT is Controls based

       COBIT defines control objectives for all 34 processes, as well as
       overarching process and application controls.

       Control is defined as the policies, procedures, practices and
       organizational structures designed to provide reasonable assurance that
       business objectives will be achieved and undesired events will be
       prevented or detected and corrected.

       IT control objectives provide a complete set of high-level requirements to
       be considered by management for effective control of each IT process.
       They:

       • Are statements of managerial actions to increase value or reduce risk

       • Consist of policies, procedures, practices and organizational structures

       • Are designed to provide reasonable assurance that business objectives
       will be achieved and undesired events will be prevented or detected and
       corrected
COBIT is Controls based

   The control objectives are identified by a two-character domain reference
   (PO, AI, DS and ME) plus a process number and a control objective
   number. In addition to the control objectives, each COBIT process has
   generic control requirements that are identified by PCn, for process
   control number. They should be considered together with the process
   control objectives to have a complete view of control requirements.




IT General Controls and Application Controls

       General controls are controls embedded in IT processes and services.
       Examples include:

        • Systems development

        • Change management

        • Security

        • Computer operations

       Controls embedded in business process applications are commonly
       referred to as application controls. Examples include:

       • Completeness

       • Accuracy

       • Validity

       • Authorization

Generic Control Requirements

   PC1 Process Goals and Objectives
   Define and communicate specific, measurable, actionable, realistic, results-
   oriented and timely (SMARRT) process goals and objectives for the effective
   execution of each IT process. Ensure that they are linked to the business goals
   and supported by suitable metrics.

   PC2 Process Ownership
   Assign an owner for each IT process, and clearly define the roles and
   responsibilities of the process owner. Include, for example, responsibility for
   process design, interaction with other processes, accountability for the end results,
   measurement of process performance and the identification of improvement
   opportunities.

   PC3 Process Repeatability
   Design and establish each key IT process such that it is repeatable and
   consistently produces the expected results. Provide for a logical but flexible and
   scalable sequence of activities that will lead to the desired results and is agile
   enough to deal with exceptions and emergencies. Use consistent processes,
   where possible, and tailor only when unavoidable.

   PC4 Roles and Responsibilities
   Define the key activities and end deliverables of the process. Assign and
   communicate unambiguous roles and responsibilities for effective and efficient
   execution of the key activities and their documentation as well as accountability for
   the process end deliverables.

   PC5 Policy, Plans and Procedures
   Define and communicate how all policies, plans and procedures that drive an IT
   process are documented, reviewed, maintained, approved, stored, communicated
   and used for training. Assign responsibilities for each of these activities and, at
   appropriate times, review whether they are executed correctly. Ensure that the
   policies, plans and procedures are accessible, correct, understood and up to date.

   PC6 Process Performance Improvement
   Identify a set of metrics that provides insight into the outcomes and performance of
   the process. Establish targets that reflect on the process goals and performance
   indicators that enable the achievement of process goals. Define how the data are
   to be obtained.


Application Control

  The following list provides a recommended set of application control objectives.
  They are identified by ACn, for application control number.

  AC1 Source Data Preparation and Authorization

  Ensure that source documents are prepared by authorised and qualified personnel
  following established procedures, taking into account adequate segregation of
  duties regarding the origination and approval of these documents. Errors and
  omissions can be minimised through good input form design. Detect errors and
  irregularities so they can be reported and corrected.

  AC2 Source Data Collection and Entry

  Establish that data input is performed in a timely manner by authorised and
  qualified staff. Correction and resubmission of data that were erroneously input
  should be performed without compromising original transaction authorisation
  levels. Where appropriate for reconstruction, retain original source documents for
  the appropriate amount of time.

   AC3 Accuracy, Completeness and Authenticity Checks

   Ensure that transactions are accurate, complete and valid. Validate data that were
   input, and edit or send back for correction as close to the point of origination as
   possible.

   AC4 Processing Integrity and Validity

   Maintain the integrity and validity of data throughout the processing cycle.
   Ensure that the detection of erroneous transactions does not disrupt the
   processing of valid transactions.

   AC5 Output Review, Reconciliation and Error Handling

   Establish procedures and associated responsibilities to ensure that output is
   handled in an authorised manner, delivered to the appropriate recipient, and
   protected during transmission; that verification, detection and correction of the
   accuracy of output occurs; and that information provided in the output is used.

   AC6 Transaction Authentication and Integrity

   Before passing transaction data between internal applications and
   business/operational functions (in or outside the enterprise), check it for proper
   addressing, authenticity of origin and integrity of content. Maintain authenticity and
   integrity during transmission or transport.
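
   The checks that AC3, AC4 and AC6 call for, as an added Python example (not code from COBIT or from this course): validation of each entry close to its point of origination with segregation of origination and approval, batch processing that quarantines erroneous entries without disrupting valid ones, and an HMAC-sealed envelope that the receiving application verifies for addressing, origin and integrity before using the content. The approver list, account format, application names and shared key are constructed for the example.

```python
import hashlib
import hmac
import json
from decimal import Decimal, InvalidOperation

# Constructed reference data (not from the page): who may approve entries,
# which currencies are accepted, and the shared secret for each sending and
# receiving application pair (in practice held in a secrets store, not in code).
APPROVERS = {"c.finance", "d.finance"}
CURRENCIES = {"EUR", "USD"}
REQUIRED_FIELDS = ("id", "account", "amount", "currency", "originator", "authorized_by")
SHARED_KEYS = {("billing", "ledger"): b"constructed-demo-key-not-for-production"}

def validate_transaction(txn):
    """AC3: return the defects found; an empty list means the entry is accurate,
    complete and valid and may be processed."""
    errors = []
    for name in REQUIRED_FIELDS:  # completeness: every required field present
        if not txn.get(name):
            errors.append(f"missing {name}")
    try:  # accuracy: a positive money value with at most two decimals
        amount = Decimal(str(txn.get("amount", "")))
        if amount <= 0 or amount != amount.quantize(Decimal("0.01")):
            errors.append("amount must be positive with at most 2 decimals")
    except InvalidOperation:
        errors.append("amount is not numeric")
    if txn.get("currency") not in CURRENCIES:  # validity: accepted currency
        errors.append("unsupported currency")
    account = str(txn.get("account", ""))  # validity: account format in use
    if not (account.startswith("ACC-") and account[4:].isdigit() and len(account) == 10):
        errors.append("account must look like ACC-nnnnnn")
    # Authorization with segregation of duties: a listed approver who is not
    # the person that originated the entry.
    if txn.get("authorized_by") not in APPROVERS:
        errors.append("approver not authorised")
    elif txn["authorized_by"] == txn.get("originator"):
        errors.append("originator may not approve own entry")
    return errors

def process_batch(batch):
    """AC4: post every valid entry and quarantine the erroneous ones with their
    defects, so one bad record never halts processing of the good ones."""
    posted, rejected = [], []
    for txn in batch:
        errors = validate_transaction(txn)
        if errors:
            rejected.append({"id": txn.get("id"), "errors": errors})
        else:
            posted.append(txn["id"])
    return posted, rejected

def _mac(key, sender, recipient, body):
    # Addressing and content are bound together under a single HMAC-SHA256 tag.
    return hmac.new(key, f"{sender}|{recipient}|{body}".encode(), hashlib.sha256).hexdigest()

def seal_transfer(transactions, sender, recipient):
    """AC6, sending side: wrap the posted entries with source, destination and
    an authentication tag before handing them to another application."""
    body = json.dumps(transactions, sort_keys=True, separators=(",", ":"))
    key = SHARED_KEYS[(sender, recipient)]
    return {"from": sender, "to": recipient, "body": body, "mac": _mac(key, sender, recipient, body)}

def open_transfer(envelope, me):
    """AC6, receiving side: check proper addressing, authenticity of origin and
    integrity of content; only then release the transactions for processing."""
    if envelope["to"] != me:
        raise ValueError("misaddressed transfer")
    key = SHARED_KEYS.get((envelope["from"], me), b"")  # unknown sender -> no key
    if not key or not hmac.compare_digest(_mac(key, envelope["from"], me, envelope["body"]), envelope["mac"]):
        raise ValueError("origin or content could not be authenticated")
    return json.loads(envelope["body"])

# Constructed sample batch: two good entries and three defective ones.
SAMPLE_BATCH = [
    {"id": "T1", "account": "ACC-000123", "amount": "250.00", "currency": "EUR",
     "originator": "a.clerk", "authorized_by": "c.finance"},
    {"id": "T2", "account": "ACC-000124", "amount": "19.99", "currency": "USD",
     "originator": "b.clerk", "authorized_by": "d.finance"},
    {"id": "T3", "account": "ACC-0001", "amount": "-5", "currency": "EUR",
     "originator": "a.clerk", "authorized_by": "c.finance"},  # bad account, negative
    {"id": "T4", "account": "ACC-000125", "amount": "10.005", "currency": "GBP",
     "originator": "c.finance", "authorized_by": "c.finance"},  # precision, currency, SoD
    {"id": "T5", "account": "ACC-000126", "amount": "", "currency": "EUR",
     "originator": "b.clerk"},  # incomplete: no amount, no approver
]

def demo():
    posted, rejected = process_batch(SAMPLE_BATCH)
    envelope = seal_transfer(posted, "billing", "ledger")
    received = open_transfer(envelope, "ledger")
    tampered = dict(envelope, body=envelope["body"].replace("T1", "T9"))
    try:
        open_transfer(tampered, "ledger")
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return posted, [r["id"] for r in rejected], received, tamper_detected
```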


Business and IT Controls

   The enterprise’s system of internal controls impacts IT at three levels:

   • At the executive management level, business objectives are set, policies are
   established and decisions are made on how to deploy and manage the resources of
   the enterprise to execute the enterprise strategy. The overall approach to
   governance and control is established by the board and communicated throughout
   the enterprise. The IT control environment is directed by this top-level set of
   objectives and policies.

   • At the business process level, controls are applied to specific business
   activities. Most business processes are automated and integrated with IT
   application systems, resulting in many of the controls at this level being
   automated as well. These controls are known as application controls. However,
   some controls within the business process remain manual procedures, such as
   authorization for transactions, separation of duties and manual reconciliations.

   • To support the business processes, IT provides IT services, usually as a shared
   service to many business processes, since many of the development and operational
   IT processes are provided to the whole enterprise, and much of the IT
   infrastructure is provided as a common service (e.g., networks, databases,
   operating systems and storage). The controls applied to all IT service activities
   are known as IT general controls. The reliable operation of these general controls
   is necessary for reliance to be placed on application controls.





Maturity Model

COBIT Maturity Model

       0 Non-existent

       Complete lack of any recognizable processes. The enterprise has not
       even recognized that there is an issue to be addressed.

       1 Initial/Ad Hoc

       There is evidence that the enterprise has recognized that the issues
       exist and need to be addressed. There are, however, no standardized
       processes; instead, there are ad hoc approaches that tend to be
       applied on an individual or case-by-case basis. The overall approach
       to management is disorganized.

       2 Repeatable but Intuitive

       Processes have developed to the stage where similar procedures are
       followed by different people undertaking the same task. There is no
       formal training or communication of standard procedures, and
       responsibility is left to the individual. There is a high degree of reliance
       on the knowledge of individuals and, therefore, errors are likely.

       3 Defined Process
       Procedures have been standardized and documented, and communicated
       through training. It is mandated that these processes should be followed;
       however, it is unlikely that deviations will be detected. The procedures
       themselves are not sophisticated but are the formalization of existing practices.

       4 Managed and Measurable
       Management monitors and measures compliance with procedures and takes
       action where processes appear not to be working effectively. Processes are
       under constant improvement and provide good practice. Automation and tools
       are used in a limited or fragmented way.

       5 Optimized
       Processes have been refined to a level of good practice, based on the results
       of continuous improvement and maturity modelling with other enterprises. IT is
       used in an integrated way to automate the workflow, providing tools to improve
       quality and effectiveness, making the enterprise quick to adapt.



The Three Dimensions of Maturity

Performance Measurement

Goals and metrics are defined in COBIT at three levels:

        • IT goals and metrics that define what the business expects from IT
        and how to measure it

        • Process goals and metrics that define what the IT process must
        deliver to support IT’s objectives and how to measure it

        • Activity goals and metrics that establish what needs to happen inside
        the process to achieve the required performance and how to measure
        it





Example of Goal Relationship

The terms KGI and KPI, used in previous versions of COBIT, have been replaced with two
types of metrics:
• Outcome measures, previously key goal indicators (KGIs), indicate whether the goals have
been met. These can be measured only after the fact and, therefore, are called ‘lag indicators’.

• Performance indicators, previously key performance indicators (KPIs), indicate whether goals
are likely to be met. They can be measured before the outcome is clear and, therefore, are
called ‘lead indicators’.





Interrelationships of COBIT Components

COBIT General Framework

COBIT Benefits

        • Better alignment, based on a business focus

        • A view, understandable to management, of what IT does

        • Clear ownership and responsibilities, based on process orientation

        • General acceptability with third parties and regulators

        • Shared understanding amongst all stakeholders, based on a
        common language





COBIT Framework Navigation

Process-level Navigation in COBIT

Which Domain?





Process Description

       All changes, including emergency maintenance and patches,
       relating to infrastructure and applications within the
       production environment are formally managed in a controlled
       manner. Changes (including those to procedures, processes,
       system and service parameters) are logged, assessed and
       authorized prior to implementation, and reviewed against
       planned outcomes following implementation. This assures
       mitigation of the risks of negatively impacting the stability or
       integrity of the production environment.





The Waterfall of Control

Information Criteria

IT Resources

IT Governance

Control Objectives

             AI6.5 Change Closure and Documentation
             Whenever changes are implemented, update the associated system and user
             documentation and procedures accordingly.
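
   The sequence the process description above requires (logged, assessed, authorized prior to implementation, reviewed against the planned outcome) together with the AI6.5 closure condition, as an added Python example that is not COBIT's or the course's own material. Change ids, user names and the event feed are constructed; the detective check at the end flags implementations that appear in a change log without a preceding authorization.

```python
from datetime import datetime, timezone

# The sequence the control requires: a change is logged, assessed and authorised
# before it is implemented, then reviewed against its planned outcome, then closed.
ORDER = ["logged", "assessed", "authorized", "implemented", "reviewed", "closed"]

class ChangeControlError(Exception):
    """A step was attempted out of the order the control objective requires."""

class ChangeRecord:
    """One production change with an audit trail of every transition. Emergency
    changes and patches follow the same sequence; they are not exempt."""

    def __init__(self, change_id, requester, description, planned_outcome, emergency=False):
        self.change_id = change_id
        self.requester = requester
        self.planned_outcome = planned_outcome
        self.emergency = emergency
        self.state = "logged"
        self.docs_updated = []
        self.trail = []
        self._record("logged", requester, description)

    def _record(self, event, who, detail=""):
        self.trail.append((datetime.now(timezone.utc).isoformat(), event, who, detail))

    def _advance(self, to_state, who, detail=""):
        # Each transition is valid only from the immediately preceding state.
        if ORDER.index(to_state) != ORDER.index(self.state) + 1:
            raise ChangeControlError(f"{self.change_id}: cannot move from {self.state} to {to_state}")
        self.state = to_state
        self._record(to_state, who, detail)

    def assess(self, assessor, impact):
        self._advance("assessed", assessor, impact)

    def authorize(self, approver):
        # Segregation of duties: the requester may not approve their own change.
        if approver == self.requester:
            raise ChangeControlError(f"{self.change_id}: requester cannot self-authorise")
        self._advance("authorized", approver)

    def implement(self, implementer):
        self._advance("implemented", implementer)

    def review(self, reviewer, actual_outcome):
        """Post-implementation review: compare what happened with what was planned."""
        matched = actual_outcome.strip().lower() == self.planned_outcome.strip().lower()
        self._advance("reviewed", reviewer, "as planned" if matched else f"deviation: {actual_outcome}")
        return matched

    def close(self, closer, updated_documents):
        """AI6.5: closure requires the affected system and user documentation to be updated."""
        if not updated_documents:
            raise ChangeControlError(f"{self.change_id}: cannot close without documentation updates")
        self.docs_updated = list(updated_documents)
        self._advance("closed", closer, ", ".join(updated_documents))

def find_unauthorized_implementations(events):
    """Detective check over a flat event feed (e.g. exported from a ticketing tool):
    return change ids with an 'implemented' event but no earlier 'authorized' event.
    events are (change_id, event) tuples in time order."""
    authorized, flagged = set(), []
    for change_id, event in events:
        if event == "authorized":
            authorized.add(change_id)
        elif event == "implemented" and change_id not in authorized:
            flagged.append(change_id)
    return flagged

def demo():
    # Constructed walk-through: one compliant emergency patch, one attempted shortcut,
    # and a constructed event feed in which CHG-0003 was implemented before approval.
    chg = ChangeRecord("CHG-0001", "ops.alice", "Apply vendor patch to app server",
                       "patch level n+1, service restarted", emergency=True)
    chg.assess("ops.bob", "low impact, 10 minute restart")
    chg.authorize("mgr.carol")
    chg.implement("ops.alice")
    as_planned = chg.review("ops.bob", "Patch level n+1, service restarted")
    chg.close("ops.alice", ["runbook v12", "patch register"])

    shortcut = ChangeRecord("CHG-0002", "ops.dave", "Hotfix config", "timeout raised to 30s")
    try:
        shortcut.implement("ops.dave")  # neither assessed nor authorised yet
        blocked = False
    except ChangeControlError:
        blocked = True

    feed = [("CHG-0001", "logged"), ("CHG-0001", "authorized"), ("CHG-0001", "implemented"),
            ("CHG-0003", "logged"), ("CHG-0003", "implemented"), ("CHG-0003", "authorized")]
    return chg.state, as_planned, blocked, find_unauthorized_implementations(feed)
```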





Management Guidelines

Input-output Matrix

   (Figure: the input-output matrix lists, for each process, the inputs coming
   from other processes and the outputs going to other processes.)

Managing the Life Cycle

   Whilst COBIT represents the life cycle of IT investments, it must also manage
   inter-process interdependencies.

   (Figure: the life cycle flows across the PO, AI and DS domains.)

RACI Charts





   (Figure: a RACI chart maps the typical process activities against a standard
   organization chart, showing who is Responsible, Accountable, Consulted and
   Informed.)

Goals and Metrics

Maturity Model

More Related Content

Cobit Training course

  • 2. My Background IBPM Group
  • 3. Teachers Name: Iman Baradari  Master of Engineering project management, University of Melbourne  Project management professional certifications: • Risk Management Professional(RMP) • Project Management Professional(PMP) • PRINCE2 (Foundation and Practitioner) • Managing successful Programmes (MSP) • Management of Portfolio(MOP)  ITSM professional certifications: • ITIL V2 and V3.0 (Foundation) • ITIL V2 Service manager • ISO 20000 IBPM Group• COBIT
  • 4. Working Experiences: • Project manager: E-SASAD programme • Designing an integrated ITSM solution based on ITIL • Vice President: Iran Fuel Smart Card National Project • Project planning and control manager: Iran Fuel Smart Card National Project • Project manager: Iran rail way Support System based on ITIL and ISO 20000 IBPM Group
  • 5. Attendance Introduction IBPM Group
  • 6.  Please describe your  Roles and Responsibility  Knowledge in IT service management  Knowledge in Project management  Work experiences in IT service management  Clarify your needs and expectations from this course IBPM Group
  • 8. IT Challenges  Aligning IT with business requirement  Value delivery  IT expenditure  Mastering complexity  Regulatory compliance  Security  IT risks IBPM Group
  • 9. Enterprise Governance IT Governance IBPM Group
  • 10. Corporate Governance vs. IT Governance Corporate governance is the set of processes, customs, policies, laws, management practices and institutions affecting the way an entity is controlled and managed. It incorporates all the relationships among the many stakeholders involved and aims to organize them to meet the goals of the organization in the most effective and efficient manner possible. An effective corporate governance strategy allows an organization to manage all aspects of its business in order to meet its objectives. IT Governance is a subset discipline of Corporate Governance focused on information technology (IT) systems and their performance and risk management. IBPM Group
  • 11. Enterprise governance drives IT governance Enterprise governance is about: • Conformance • Adhering to legislation, internal policies, audit requirements, etc. Performance • Performance • Improving profitability, efficiency, Conformance effectiveness, growth, etc. Enterprise governance and IT governance require a balance between conformance and performance goals directed by the board. Source: ITGI IBPM Group
  • 12. Corporate Governance The field of Corporate Governance is a multi-faceted subject that includes several fields of study. These fields include areas such as: 1. Accountability and fiduciary duty. These advocate the implementation of guidelines and mechanisms to ensure management acts in good faith and that the public organization is protected from wrongdoing or fraud. 2. Economic efficiency view. This involves how the corporate governance system intends to optimize results, and meet its objectives. 3. Strategic efficiency view. This involves public policy objectives that are not directly measurable in economic terms such as alleviation of poverty, access to markets, income stabilization, health care and job creation. These are issues that are the main focus of most public sector institutions and are not readily measured in economic terms. 4. Stakeholder view. This area of study focuses more attention and accountability on other stakeholders such as citizens, employees, businesses and other levels of government (i.e. provincial, municipal or local authorities). IBPM Group
  • 13. IT Governance IT Governance focuses specifically on information technology systems, their performance and risk management. The primary goals of IT Governance are to assure that the investments in IT generate business value, and to mitigate the risks that are associated with IT. This can be done by implementing an organizational structure with well-defined roles for the responsibility of information, business processes, applications and infrastructure. IT governance should be viewed as how IT creates value that fits into the overall Corporate Governance Strategy of the organization, and never be seen as a discipline on its own. In taking this approach, all stakeholders would be required to participate in the decision making process. This creates a shared acceptance of responsibility for critical systems and ensures that IT related decisions are made and driven by the business and not vice versa. IBPM Group
  • 14. Various definitions of IT Governance  The structure, oversight and management processes which ensure the delivery of the expected benefits of IT in a controlled way to help enhance the long term sustainable success of the enterprise.  IT governance is the responsibility of the board of directors and executive management. It is an integral part of enterprise governance and consists of the leadership and organizational structures and processes that ensure that the organization's IT sustains and extends the organization's strategies and objectives.  A structure of relationships and processes to direct and control the enterprise in order to achieve the enterprise’s goals by adding value while balancing risk versus return over IT and its processes. IBPM Group
  • 15. Various definitions of IT Governance  Specifying the decision rights and accountability framework to encourage desirable behaviors in the use of IT.  Governance is not about what decisions get made – that is management – but it is about who makes the decisions and how they are made.  IT governance is the term used to describe how those persons entrusted with governance of an entity will consider IT in their supervision, monitoring, control and direction of the entity. How IT is applied will have an immense impact on whether the entity will attain its vision, mission or strategic goals. IBPM Group
  • 16. Various definitions of IT Governance ITGI definition: IT governance consists of the leadership and organizational structures and processes that ensure that the organization’s IT sustains and extends the enterprise’s strategies and objectives. At its core, IT has 2 responsibilities: 1.IT must deliver value 2.Enable the business IBPM Group
  • 17. Purpose of IT Governance  Establish and clarify accountability and decision rights (clearly define roles and authority).  Manage risks, change and contingency proactively.  Improve IT organizational performance, compliance, maturity and staff development.  Improve customer service and overall responsiveness.  Align IT investments and priorities more closely with the business.  Manage, evaluate, prioritize, fund, measure and monitor requests for IT services and the resulting work and deliverables, in a more consistent and repeatable manner that optimizes returns to the business.  Manage the responsible utilization of resources and assets.  Ensure that IT delivers on its plans, budgets and commitments. IBPM Group
  • 18. What does it mean? Governance is about deciding the "who, what, when, why, and how" of decision-making.  The decisions required by the organization (the "what")  The roles (the "who") in the organization that are accountable for which decisions  Policies that guide how the decisions should be made (the "why")  The measures that enable informed decision-making (the "how")  At what point in the governance process is the decision appropriately made? (the "when") IBPM Group
  • 19. Benefits of IT Governance  Confidence of Top management  Responsiveness of IT to Business Formalizes IT oversight and accountability to ensure more effective and ethical management.  Improves planning, integration, communications and performance between the Business Units and IT Groups and within IT Groups  Improves ROI based demand management (IT requests and Total Cost of Ownership) decisions to analyze, prioritize, fund, approve and manage major IT investments (capital and operating expenses).  Optimize assets and human capital resources  Facilitates compliance and audits by documenting processes, controls and decision authority.  More Trancparency IBPM Group
  • 20. IT Governance Responsibilities To meet the requirements listed in the previous section, a framework for IT governance and control should:  Provide a business focus to enable alignment between business and IT objectives  Establish a process orientation to define the scope and extent of coverage, with a defined structure enabling easy navigation of content  Be generally acceptable by being consistent with accepted IT good practices and standards and independent of specific technologies  Supply a common language with a set of terms and definitions that are generally understandable by all stakeholders  Help meet regulatory requirements by being consistent with generally accepted corporate governance standards (e.g., COSO) and IT controls expected by regulators and external auditors IBPM Group
  • 21. IT Governance stakeholders A governance and control framework needs to serve a variety of internal and external stakeholders, each of whom has specific needs:  Stakeholders within the enterprise who have an interest in generating value from IT investments: • Those who make investment decisions • Those who decide about requirements • Those who use IT services  Internal and external stakeholders who provide IT services: • Those who manage the IT organization and processes • Those who develop capabilities • Those who operate the services  Internal and external stakeholders who have a control/risk responsibility: • Those with security, privacy and/or risk responsibilities • Those performing compliance functions • Those requiring or providing assurance services IBPM Group
  • 22. IT Governance Focus areas IBPM Group
  • 23. IT Governance Focus areas IT IT Governance Governance Focus Areas Domains Resource Management IBPM Group
  • 24. IT Governance Focus areas  Strategic alignment focuses on ensuring the linkage of business and IT plans; defining, maintaining and validating the IT value proposition; and aligning IT operations with enterprise operations. Value delivery is about executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimizing costs and proving the intrinsic value of IT. Resource management is about the optimal investment in, and the proper management of, critical IT resources: applications, information, infrastructure and people. Key issues relate to the optimisation of knowledge and infrastructure. . IBPM Group
  • 25. IT Governance Focus areas  Risk management requires risk awareness by senior corporate officers, a clear understanding of the enterprise’s appetite for risk, understanding of compliance requirements, transparency about the significant risks to the enterprise and embedding of risk management responsibilities into the organization.  Performance measurement tracks and monitors strategy implementation, project completion, resource usage, process performance and service delivery, using, for example, balanced scorecards that translate strategy into action to achieve goals measurable beyond conventional accounting. . IBPM Group
  • 26. IT Governance Focus areas – Strategic Alignment Strategic Alignment focuses on ensuring the linkage of business and IT plans IT value proposition  Defining,  Maintaining  Validating Aligning IT operations with enterprise operations IBPM Group
  • 27. IT Governance Focus areas – Value Delivery  Value Delivery is about executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimizing costs and proving the intrinsic value of IT.  Governance are mostly qualitative and less quantitative which does not lend itself to ‘value delivery’.  Many new IT Governance initiatives often have no mechanism in place to measure the success or benefits of their governance efforts.  When IT Governance performance measurement disciplines and practices are in use, they are mostly informal, subjective or based on qualitative measures only. IBPM Group
  • 28. IT Governance Focus areas – Risk management  Risk awareness by senior corporate officer  A clear understanding of the enterprise’s appetite for risk  Transparency about the significant risks to the enterprise  Embedding of risk management responsibilities into the organization IBPM Group
  • 29. IT Governance Focus areas – Resource management Optimal investment in, and the proper management of, critical IT resources:  Processes  People  Applications  Infrastructure  Information IBPM Group
  • 30. IT Governance Focus areas – Performance management  Tracks and monitors strategy implementation  Project completion  Resource usage  Process performance  Service delivery IBPM Group
  • 33. COBIT is a framework and supporting tool set that allow managers to bridge the gap with respect to control requirements, technical issues and business risks, and communicate that level of control to stakeholders. COBIT enables the development of clear policies and good practice for IT control throughout enterprises. COBIT is continuously kept up to date and harmonised with other standards and guidance. Hence, COBIT has become the integrator for IT good practices and the umbrella framework for IT governance that helps in understanding and managing the risks and benefits associated with IT. The process structure of COBIT and its high-level, business-oriented approach provide an end-to-end view of IT and the decisions to be made about IT. IBPM Group
  • 34. COBIT Characteristics  Business Focused  Process Oriented  Control Based  Measurement driven IBPM Group
  • 35. COBIT is Business Focused IBPM Group
  • 37. COBIT is Business Focused Business orientation is the main theme of COBIT. It is designed not only to be employed by IT service providers, users and auditors, but also, and more important, to provide comprehensive guidance for management and business process owners. The COBIT framework is based on the following principle To provide the information that the enterprise requires to achieve its objectives, the enterprise needs to invest in and manage and control IT resources using a structured set of processes to provide the services that deliver the required enterprise information. Managing and controlling information are at the heart of the COBIT framework and help ensure alignment to business requirements IBPM Group
  • 39. Business Goals and IT Goals IBPM Group
  • 43. Business Goals and IT Goals Whilst information criteria provide a generic method for defining the business requirements, defining a set of generic business and IT goals provides a business-related and more refined basis for establishing business requirements and developing the metrics that allow measurement against these goals. Every enterprise uses IT to enable business initiatives, and these can be represented as business goals for IT. If IT is to successfully deliver services to support the enterprise’s strategy, there should be a clear ownership and direction of the requirements by the business (the customer) and a clear understanding of what needs to be delivered, and how, by IT (the provider). IBPM Group
  • 44. COBIT Information criteria IBPM Group
  • 45. COBIT’s Information criteria  Effectiveness deals with information being relevant and pertinent to the business process as well as being delivered in a timely, correct, consistent and usable manner.  Efficiency concerns the provision of information through the optimal (most productive and economical) use of resources.  Confidentiality concerns the protection of sensitive information from unauthorized disclosure. Integrity relates to the accuracy and completeness of information as well as to its validity in accordance with business values and expectations. IBPM Group
  • 46. COBIT’s Information criteria  Availability relates to information being available when required by the business process now and in the future. It also concerns the safeguarding of necessary resources and associated capabilities.  Compliance deals with complying with the laws, regulations and contractual arrangements to which the business process is subject, i.e., externally imposed business criteria as well as internal policies.  Reliability relates to the provision of appropriate information for management to operate the entity and exercise its fiduciary and governance responsibilities. IBPM Group
  • 47. COBIT IT Resources IBPM Group
  • 48. IT Resources The IT organization delivers against these goals by a clearly defined set of processes that use people skills and technology infrastructure to run automated business applications while leveraging business information. These resources, together with the processes, constitute an enterprise architecture for IT. IBPM Group
  • 49. IT Resources The IT resources identified in COBIT can be defined as follows:  Applications are the automated user systems and manual procedures that process the information.  Information is the data, in all their forms, input, processed and output by the information systems in whatever form is used by the business.  Infrastructure is the technology and facilities (i.e., hardware, operating systems, database management systems, networking, multimedia, and the environment that houses and supports them) that enable the processing of the applications.  People are the personnel required to plan, organise, acquire, implement, deliver, support, monitor and evaluate the information systems and services. They may be internal, outsourced or contracted as required. IBPM Group
  • 50. IT Resources Below diagram summarizes how the business goals for IT influence how the IT resources need to be managed by the IT processes to deliver IT’s goals. IBPM Group
  • 51. COBIT is Process oriented IBPM Group
  • 52. COBIT is Process Oriented COBIT defines IT activities in a generic process model within four domains. These domains are Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate. The domains map to IT’s traditional responsibility areas of plan, build, run and monitor. The COBIT framework provides a reference process model and common language for everyone in an enterprise to view and manage IT activities. Incorporating an operational model and a common language for all parts of the business involved in IT is one of the most important and initial steps toward good governance. It also provides a framework for measuring and monitoring IT performance, communicating with service providers and integrating best management practices. A process model encourages process ownership, enabling responsibilities and accountability to be defined. IBPM Group
  • 53. The Four interrelated Domains of COBIT IBPM Group
  • 54. The Four interrelated Domains of COBIT To govern IT effectively, it is important to appreciate the activities and risks within IT that need to be managed. They are usually ordered into the responsibility domains of plan, build, run and monitor. Within the COBIT framework, these domains, as shown in figure 8, are called:  Plan and Organize (PO) Provides direction to solution delivery (AI) and service delivery (DS)  Acquire and Implement (AI) Provides the solutions and passes them to be turned into services  Deliver and Support (DS) Receives the solutions and makes them usable for end users  Monitor and Evaluate (ME) Monitors all processes to ensure that the direction provided is followed IBPM Group
• 55. Plan and Organize (PO)
  This domain covers strategy and tactics, and concerns the identification of the way IT can best contribute to the achievement of the business objectives. The realization of the strategic vision needs to be planned, communicated and managed from different perspectives. A proper organization as well as technological infrastructure should be put in place. This domain typically addresses the following management questions:
  • Are IT and the business strategy aligned?
  • Is the enterprise achieving optimum use of its resources?
  • Does everyone in the organization understand the IT objectives?
  • Is the quality of IT systems appropriate for business needs?
  • Are IT risks understood and being managed?
• 56. Acquire and Implement (AI)
  To realize the IT strategy, IT solutions need to be identified, developed or acquired, as well as implemented and integrated into the business process. In addition, changes in and maintenance of existing systems are covered by this domain to make sure the solutions continue to meet business objectives. This domain typically addresses the following management questions:
  • Are new projects likely to deliver solutions that meet business needs?
  • Are new projects likely to be delivered on time and within budget?
  • Will the new systems work properly when implemented?
  • Will changes be made without upsetting current business operations?
• 57. Deliver and Support (DS)
  This domain is concerned with the actual delivery of required services, which includes service delivery, management of security and continuity, service support for users, and management of data and operational facilities. It typically addresses the following management questions:
  • Are IT services being delivered in line with business priorities?
  • Are IT costs optimized?
  • Is the workforce able to use the IT systems productively and safely?
  • Are adequate confidentiality, integrity and availability in place for information security?
• 58. Monitor and Evaluate (ME)
  All IT processes need to be regularly assessed over time for their quality and compliance with control requirements. This domain addresses performance management, monitoring of internal control, regulatory compliance and governance. It typically addresses the following management questions:
  • Is IT's performance measured to detect problems before it is too late?
  • Does management ensure that internal controls are effective and efficient?
  • Can IT performance be linked back to business goals?
  • Are adequate confidentiality, integrity and availability controls in place for information security?
• 59. The Four Interrelated Domains of COBIT
  Across these four domains, COBIT has identified 34 IT processes that are generally used. While most enterprises have defined plan, build, run and monitor responsibilities for IT, and most have the same key processes, few will have the same process structure or apply all 34 COBIT processes. COBIT provides a complete list of processes that can be used to verify the completeness of activities and responsibilities; however, they need not all apply, and, even more, they can be combined as required by each enterprise. For each of these 34 processes, a link is made to the business and IT goals that are supported. Information on how the goals can be measured, what the key activities and major deliverables are, and who is responsible for them is also provided.
• 61. COBIT Framework
  (Diagram: business objectives and governance objectives drive the four domains, which work on the IT resources to deliver information meeting the information criteria. Source: ITGI.)
  Information criteria: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability
  IT resources: Applications, Information, Infrastructure, People
  Plan and Organise:
  • PO1 Define a strategic IT plan.
  • PO2 Define the information architecture.
  • PO3 Determine technological direction.
  • PO4 Define the IT processes, organisation and relationships.
  • PO5 Manage the IT investment.
  • PO6 Communicate management aims and direction.
  • PO7 Manage IT human resources.
  • PO8 Manage quality.
  • PO9 Assess and manage IT risks.
  • PO10 Manage projects.
  Acquire and Implement:
  • AI1 Identify automated solutions.
  • AI2 Acquire and maintain application software.
  • AI3 Acquire and maintain technology infrastructure.
  • AI4 Enable operation and use.
  • AI5 Procure IT resources.
  • AI6 Manage changes.
  • AI7 Install and accredit solutions and changes.
  Deliver and Support:
  • DS1 Define and manage service levels.
  • DS2 Manage third-party services.
  • DS3 Manage performance and capacity.
  • DS4 Ensure continuous service.
  • DS5 Ensure systems security.
  • DS6 Identify and allocate costs.
  • DS7 Educate and train users.
  • DS8 Manage service desk and incidents.
  • DS9 Manage the configuration.
  • DS10 Manage problems.
  • DS11 Manage data.
  • DS12 Manage the physical environment.
  • DS13 Manage operations.
  Monitor and Evaluate:
  • ME1 Monitor and evaluate IT performance.
  • ME2 Monitor and evaluate internal control.
  • ME3 Ensure compliance with external requirements.
  • ME4 Provide IT governance.
• 62. COBIT Controls
• 63. COBIT is Controls Based
  COBIT defines control objectives for all 34 processes, as well as overarching process and application controls. Control is defined as the policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented or detected and corrected.
  IT control objectives provide a complete set of high-level requirements to be considered by management for effective control of each IT process. They:
  • Are statements of managerial actions to increase value or reduce risk
  • Consist of policies, procedures, practices and organizational structures
  • Are designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented or detected and corrected
• 64. COBIT is Controls Based
  The control objectives are identified by a two-character domain reference (PO, AI, DS and ME) plus a process number and a control objective number. In addition to the control objectives, each COBIT process has generic control requirements that are identified by PCn, for process control number. They should be considered together with the process control objectives to have a complete view of control requirements.
• 65. IT General Controls and Application Controls
  General controls are controls embedded in IT processes and services. Examples include:
  • Systems development
  • Change management
  • Security
  • Computer operations
  Controls embedded in business process applications are commonly referred to as application controls. Examples include:
  • Completeness
  • Accuracy
  • Validity
  • Authorization
• 66. Generic Control Requirements
  • PC1 Process Goals and Objectives: Define and communicate specific, measurable, actionable, realistic, results-oriented and timely (SMARRT) process goals and objectives for the effective execution of each IT process. Ensure that they are linked to the business goals and supported by suitable metrics.
  • PC2 Process Ownership: Assign an owner for each IT process, and clearly define the roles and responsibilities of the process owner. Include, for example, responsibility for process design, interaction with other processes, accountability for the end results, measurement of process performance and the identification of improvement opportunities.
  • PC3 Process Repeatability: Design and establish each key IT process such that it is repeatable and consistently produces the expected results. Provide for a logical but flexible and scalable sequence of activities that will lead to the desired results and is agile enough to deal with exceptions and emergencies. Use consistent processes, where possible, and tailor only when unavoidable.
• 67. Generic Control Requirements
  • PC4 Roles and Responsibilities: Define the key activities and end deliverables of the process. Assign and communicate unambiguous roles and responsibilities for effective and efficient execution of the key activities and their documentation as well as accountability for the process end deliverables.
  • PC5 Policy, Plans and Procedures: Define and communicate how all policies, plans and procedures that drive an IT process are documented, reviewed, maintained, approved, stored, communicated and used for training. Assign responsibilities for each of these activities and, at appropriate times, review whether they are executed correctly. Ensure that the policies, plans and procedures are accessible, correct, understood and up to date.
  • PC6 Process Performance Improvement: Identify a set of metrics that provides insight into the outcomes and performance of the process. Establish targets that reflect on the process goals and performance indicators that enable the achievement of process goals. Define how the data are to be obtained.
• 68. Application Control
  The following list provides a recommended set of application control objectives. They are identified by ACn, for application control number.
  • AC1 Source Data Preparation and Authorization: Ensure that source documents are prepared by authorised and qualified personnel following established procedures, taking into account adequate segregation of duties regarding the origination and approval of these documents. Errors and omissions can be minimised through good input form design. Detect errors and irregularities so they can be reported and corrected.
  • AC2 Source Data Collection and Entry: Establish that data input is performed in a timely manner by authorised and qualified staff. Correction and resubmission of data that were erroneously input should be performed without compromising original transaction authorisation levels. Where appropriate for reconstruction, retain original source documents for the appropriate amount of time.
  • AC3 Accuracy, Completeness and Authenticity Checks: Ensure that transactions are accurate, complete and valid. Validate data that were input, and edit or send back for correction as close to the point of origination as possible.
• 69. Application Control
  • AC4 Processing Integrity and Validity: Maintain the integrity and validity of data throughout the processing cycle. Detection of erroneous transactions does not disrupt the processing of valid transactions.
  • AC5 Output Review, Reconciliation and Error Handling: Establish procedures and associated responsibilities to ensure that output is handled in an authorised manner, delivered to the appropriate recipient, and protected during transmission; that verification, detection and correction of the accuracy of output occurs; and that information provided in the output is used.
  • AC6 Transaction Authentication and Integrity: Before passing transaction data between internal applications and business/operational functions (in or outside the enterprise), check it for proper addressing, authenticity of origin and integrity of content. Maintain authenticity and integrity during transmission or transport.
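As an added example (not from the deck and not COBIT/ITGI material), the following Python sketch shows how application controls AC3, AC4 and AC6 can be enforced in code for a batch of transactions: field validation close to the point of entry, rejection of erroneous records without halting the valid ones, and an HMAC that binds origin, recipient and content so tampering or misaddressing is detected before the data is accepted. The shared key, recipient list, currencies and transactions are constructed sample values.

```python
import hashlib
import hmac
import json

# Constructed sample values for the example; a real deployment would take the
# key from a key store and the recipient list from configuration.
SHARED_KEY = b"example-shared-key-not-for-production"
ALLOWED_RECIPIENTS = {"payables", "payroll"}
ALLOWED_CURRENCIES = {"USD", "EUR"}
REQUIRED_FIELDS = ("id", "origin", "recipient", "amount", "currency")


def _canonical(txn: dict) -> bytes:
    # Fixed serialisation so sender and receiver authenticate the same bytes.
    return json.dumps(txn, sort_keys=True, separators=(",", ":")).encode()


def seal_transaction(txn: dict, key: bytes = SHARED_KEY) -> dict:
    """AC6: bind origin, addressing and content with an HMAC before transfer."""
    mac = hmac.new(key, _canonical(txn), hashlib.sha256).hexdigest()
    return {"txn": txn, "mac": mac}


def validate_fields(txn: dict) -> list:
    """AC3: accuracy, completeness and validity checks on one record."""
    errors = [f"missing {f}" for f in REQUIRED_FIELDS if f not in txn]
    if errors:
        return errors
    if not isinstance(txn["amount"], (int, float)) or txn["amount"] <= 0:
        errors.append("amount must be a positive number")
    if txn["currency"] not in ALLOWED_CURRENCIES:
        errors.append("unknown currency")
    if txn["recipient"] not in ALLOWED_RECIPIENTS:
        errors.append("improper addressing")
    return errors


def process_batch(envelopes: list, key: bytes = SHARED_KEY) -> dict:
    """AC4: bad records are rejected and reported; valid ones keep flowing."""
    accepted, rejected = [], []
    for env in envelopes:
        txn = env.get("txn", {})
        expected = hmac.new(key, _canonical(txn), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, env.get("mac", "")):
            rejected.append((txn.get("id"), ["integrity/authenticity check failed"]))
            continue  # do not let one bad record stop the batch
        errors = validate_fields(txn)
        if errors:
            rejected.append((txn.get("id"), errors))
        else:
            accepted.append(txn["id"])
    return {"accepted": accepted, "rejected": rejected}


def demo() -> dict:
    base = {"origin": "sales", "recipient": "payables", "currency": "EUR"}
    good = seal_transaction({**base, "id": "T1", "amount": 120.5})
    bad_fields = seal_transaction({**base, "id": "T2", "amount": -5, "currency": "XYZ"})
    tampered = seal_transaction({**base, "id": "T3", "amount": 10})
    tampered["txn"]["amount"] = 10000  # content altered after sealing
    misaddressed = seal_transaction({**base, "id": "T4", "amount": 10, "recipient": "unknown"})
    return process_batch([good, bad_fields, tampered, misaddressed])
```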
• 70. Business and IT Controls
  The enterprise's system of internal controls impacts IT at three levels:
  • At the executive management level, business objectives are set, policies are established and decisions are made on how to deploy and manage the resources of the enterprise to execute the enterprise strategy. The overall approach to governance and control is established by the board and communicated throughout the enterprise. The IT control environment is directed by this top-level set of objectives and policies.
  • At the business process level, controls are applied to specific business activities. Most business processes are automated and integrated with IT application systems, resulting in many of the controls at this level being automated as well. These controls are known as application controls. However, some controls within the business process remain as manual procedures, such as authorization for transactions, separation of duties and manual reconciliations.
• 71. Business and IT Controls
  • To support the business processes, IT provides IT services, usually as a shared service to many business processes, as many of the development and operational IT processes are provided to the whole enterprise, and much of the IT infrastructure is provided as a common service (e.g., networks, databases, operating systems and storage). The controls applied to all IT service activities are known as IT general controls. The reliable operation of these general controls is necessary for reliance to be placed on application controls.
• 72. Maturity Model
• 74. COBIT Maturity Model
  • 0 Non-existent: Complete lack of any recognizable processes. The enterprise has not even recognized that there is an issue to be addressed.
  • 1 Initial/Ad Hoc: There is evidence that the enterprise has recognized that the issues exist and need to be addressed. There are, however, no standardized processes; instead, there are ad hoc approaches that tend to be applied on an individual or case-by-case basis. The overall approach to management is disorganized.
  • 2 Repeatable but Intuitive: Processes have developed to the stage where similar procedures are followed by different people undertaking the same task. There is no formal training or communication of standard procedures, and responsibility is left to the individual. There is a high degree of reliance on the knowledge of individuals and, therefore, errors are likely.
• 75. COBIT Maturity Model
  • 3 Defined Process: Procedures have been standardized and documented, and communicated through training. It is mandated that these processes should be followed; however, it is unlikely that deviations will be detected. The procedures themselves are not sophisticated but are the formalization of existing practices.
  • 4 Managed and Measurable: Management monitors and measures compliance with procedures and takes action where processes appear not to be working effectively. Processes are under constant improvement and provide good practice. Automation and tools are used in a limited or fragmented way.
  • 5 Optimized: Processes have been refined to a level of good practice, based on the results of continuous improvement and maturity modelling with other enterprises. IT is used in an integrated way to automate the workflow, providing tools to improve quality and effectiveness, making the enterprise quick to adapt.
• 76. The Three Dimensions of Maturity
• 77. Performance Measurement
• 78. Goals and metrics are defined in COBIT at three levels:
  • IT goals and metrics that define what the business expects from IT and how to measure it
  • Process goals and metrics that define what the IT process must deliver to support IT's objectives and how to measure it
  • Activity goals and metrics that establish what needs to happen inside the process to achieve the required performance and how to measure it
• 79. Example of Goal Relationship
• 80. Example of Goal Relationship
  The terms KGI and KPI, used in previous versions of COBIT, have been replaced with two types of metrics:
  • Outcome measures, previously key goal indicators (KGIs), indicate whether the goals have been met. These can be measured only after the fact and, therefore, are called 'lag indicators'.
  • Performance indicators, previously key performance indicators (KPIs), indicate whether goals are likely to be met. They can be measured before the outcome is clear and, therefore, are called 'lead indicators'.
• 84. Interrelationships of COBIT Components
• 86. COBIT Benefits
  • Better alignment, based on a business focus
  • A view, understandable to management, of what IT does
  • Clear ownership and responsibilities, based on process orientation
  • General acceptability with third parties and regulators
  • Shared understanding amongst all stakeholders, based on a common language
• 87. COBIT Framework Navigation
• 89. Process-level Navigating in COBIT
• 91. Process Description
  All changes, including emergency maintenance and patches, relating to infrastructure and applications within the production environment are formally managed in a controlled manner. Changes (including those to procedures, processes, system and service parameters) are logged, assessed and authorized prior to implementation, and reviewed against planned outcomes following implementation. This assures mitigation of the risks of negatively impacting the stability or integrity of the production environment.
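As an added example (not from the deck and not COBIT material), here is a Python audit over a constructed change log that checks the sequence the process description requires: every change logged, assessed and authorized before implementation and reviewed afterwards, with emergency changes permitted to implement first but still required to be assessed, authorized and reviewed. The event names, change IDs, timestamps and the emergency rule are assumptions made for the example.

```python
from datetime import datetime

# Constructed sample change log: (change_id, event, ISO timestamp). In practice
# this would be exported from the change management tool.
CHANGE_LOG = [
    ("CHG-1", "logged", "2024-03-01T09:00"),
    ("CHG-1", "assessed", "2024-03-01T10:00"),
    ("CHG-1", "authorized", "2024-03-01T11:00"),
    ("CHG-1", "implemented", "2024-03-02T02:00"),
    ("CHG-1", "reviewed", "2024-03-03T09:00"),
    # CHG-2: implemented before authorization, never assessed or reviewed
    ("CHG-2", "logged", "2024-03-04T09:00"),
    ("CHG-2", "implemented", "2024-03-04T09:30"),
    ("CHG-2", "authorized", "2024-03-04T12:00"),
    # CHG-3: emergency patch, implemented first but fully recorded afterwards
    ("CHG-3", "logged", "2024-03-05T01:00"),
    ("CHG-3", "implemented", "2024-03-05T01:10"),
    ("CHG-3", "assessed", "2024-03-05T09:00"),
    ("CHG-3", "authorized", "2024-03-05T09:30"),
    ("CHG-3", "reviewed", "2024-03-06T09:00"),
    # CHG-4: change seen in production with no other record at all
    ("CHG-4", "implemented", "2024-03-07T03:00"),
]
EMERGENCY_CHANGES = {"CHG-3"}  # assumed flag from the change tool
REQUIRED_EVENTS = ["logged", "assessed", "authorized", "implemented", "reviewed"]


def audit_changes(log: list, emergency: set = EMERGENCY_CHANGES) -> dict:
    """Return {change_id: [findings]} for records that break the AI6 sequence.

    Standard changes must be assessed and authorized before implementation;
    emergency changes may implement first but must still have every event.
    Review must always follow implementation."""
    events = {}
    for cid, ev, ts in log:
        events.setdefault(cid, {})[ev] = datetime.fromisoformat(ts)
    findings = {}
    for cid, evs in events.items():
        issues = [f"no '{step}' event recorded" for step in REQUIRED_EVENTS if step not in evs]
        impl = evs.get("implemented")
        if impl is not None and cid not in emergency:
            for gate in ("assessed", "authorized"):
                if gate in evs and evs[gate] > impl:
                    issues.append(f"'{gate}' happened after implementation")
        if impl is not None and "reviewed" in evs and evs["reviewed"] < impl:
            issues.append("review recorded before implementation")
        if issues:
            findings[cid] = issues
    return findings
```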
• 92. The Waterfall of Control
• 96. Control Objectives
  AI6.5 Change Closure and Documentation: Whenever changes are implemented, update the associated system and user documentation and procedures accordingly.
• 97. Management Guidelines
• 99. Input-output Matrix
  (Diagram: managing the life cycle; inputs coming from other processes and outputs going to other processes.)
• 100. Managing the Life Cycle
  Whilst COBIT represents the life cycle of IT investments, it must also manage inter-process interdependencies. (Diagram: PO, AI, DS.)
• 102. RACI Chart
  (Diagram: standard organization chart against typical process activities; who is Responsible, Accountable, Consulted and Informed?)