IT GOVERNANCE
COBIT PERSPECTIVE
Sayyed Zakir Ali Rizwe
MS[CE], BS[CE]
CISSP, CISA and CISM
WHY IT GOVERNANCE
• Promotes Diligence.
• IT is Critical & Strategic to the Business.
• Expectations vs. Reality.
• IT Involves Huge Investments and High Risks.
• Balance between Performance & Conformance.
(Figure: a balance with Performance on one side and Conformance on the other.)
ITGOVERNANCE–COBITPERSPECTIVE
NEED FOR IT GOVERNANCE
(Figure: the challenges IT governance must address: Value / Cost, Aligning IT with Business, Security, Keeping IT Running, Managing Complexity, Regulation.)
• A Structured Approach is Required by Organizations to Manage these Challenges.
• Governance ensures that there are:
  • Agreed Objectives for IT
  • Adequate Controls in place
  • Effective Performance Monitoring
WITHOUT GOVERNANCE
(Figure: a chain from Situation, through what it Leads To, to the Result.)
SITUATION: Reluctance to Say “No” to Projects; “Lack” of Strategic Focus; “No” Strong View for Projects; “Over Emphasis” on Financial ROI; “No” Clear Strategic Criteria.
LEADS TO: “Too Many” Projects; “Quality” of Execution; “Can't Kill” Projects; “Under-Estimation” of Risks & Costs; “Not” Aligned to Strategy.
RESULT: “Over” Budgeting; Proceedings “Late”; Business Needs “Not Met”; Benefits “Not” Received; “Lack” of Confidence in IT.
IT GOVERNANCE - DEFINED
(Figure: IT Governance at the centre of its five focus areas: Strategic Alignment, Value Delivery, Performance Measurement, Resource Management, Risk Management.)
Information Technology Governance controls the present and future use of ICT in a manner aligned to Business Requirements. It involves maintaining, evaluating and directing support to the Organization for Effective Monitoring, Strategy and Policy development, and for Enabling ICT use.
Governance Goals
• Providing Strategic Direction.
• Ensuring Objectives are Achieved and Yield the Expected Value.
• Ensuring Performance is Maintained.
• Ensuring Risks are Identified & Managed.
• Verifying that the Enterprise’s Resources are Used Responsibly.
IT GOVERNANCE
IT DISCIPLINES, DRIVERS & ISSUES
IT DISCIPLINES
• Business Service Management
• Business Technology Optimization
• Enterprise Technology Architecture
• Asset Management
• Portfolio Management
• Security Assessment
• Service Management
• Project Governance
• Project Management
DRIVERS
• IT is Central to Business Success.
• Optimize Returns on IT-Related Business Investments.
• Maintaining Transparency.
• Legal & Regulatory Compliance.
• Assuring that all of the above is Achieved.
ISSUES
• Understanding & Managing all IT-Related Risks.
• Delivering Value from IT Expenditure.
• Assuring that the Business Maximizes its Opportunities for the use of IT, including new technologies.
• Enhancing Understanding between the IT Function & the Business.
• Ensuring and Maintaining Appropriate IT Capabilities.
IT GOVERNANCE
MAKING IT WORK – CONTINUED
BOARD OF DIRECTORS: Sets Direction for IT, Monitors Results and Insists on Corrective Measures.
BUSINESS MANAGEMENT: Defines Business Requirements for IT and Ensures that Value is Delivered and Risks are Managed.
IT MANAGEMENT: Delivers and Improves IT Services as Required by the Business.
IT AUDIT: Provides Independent Assurance to Demonstrate that IT Delivers what is Needed.
COMPLIANCE: Measures Compliance with Policies and Focuses on Alerts to Emerging Risks.
Position Available – Role Definition Required.
COBIT
CONTROL OBJECTIVES FOR INFORMATION & RELATED TECHNOLOGY
Control Objectives for Information and Related Technology (COBIT) is a Set of Best Practices for IT Management developed by the Information Systems Audit & Control Association (ISACA) and the IT Governance Institute (ITGI) in 1992.
COBIT provides Managers, IT Resources & Auditors with a set of Generally Accepted Measures, Indicators, Processes and Best Practices, assisting them in Maximizing the Benefits of IT while establishing appropriate Governance and Control.
It comprises 34 High-Level Processes covering 210 Control Objectives, categorized in Four Domains:
• Planning & Organization
• Acquisition & Implementation
• Delivery & Support
• Monitoring & Evaluation
EVOLUTION
• COBIT 1 (1996): Audit
• COBIT 2 (1998): Control
• COBIT 3 (2000): Management
• COBIT 4 (2005): Governance
COBIT
PRODUCT & CONTENT
COBIT products are organized into three levels, designed to support:
• Executive Management & Board
• Business & IT Management
• Governance, Assurance, Control and Security Professionals.
(Figure: the questions each level asks, and the COBIT products that address them.)
Executives & Board: How Does the Board Exercise its Responsibilities?
Business & Technology Management: How do we Measure Performance? How do we Compare to Others? How do we Improve over Time?
Governance, Assurance, Control & Security Professionals: What is the IT Governance Framework? How is it Implemented in the Enterprise? How is the IT Governance Framework Assessed?
Products: Board Briefing on IT Governance; Management Guidelines; COBIT & Val IT Framework; Control Objectives; Key Management Practices; IT Governance Implementation Guide; COBIT Control Practices; IT Assurance Guide.
COBIT – PRINCIPLES
• Starts from Business Requirements.
• Process-Oriented: Organizes IT activities into a generally accepted Process Model.
• Identifies the Major IT Resources to be leveraged.
• Defines the Management Control Objectives to be Considered.
• Incorporates International IS Service Standards.
• Regarded as the de-facto standard for IT Governance & Control.
COBIT allows Managers to Bridge the Gap between Control Requirements, Technical Issues and Business Risks, thus enabling Clear Policy Development, Aligned Implementation and Practiced IT Controls throughout the Enterprise, ensuring Assured & Improved Value from IT Investments.
COBIT COMPONENTS
(Figure: the cycle linking COBIT’s components.) Business Strategy Drives Investments in IT Resources, which are Used by IT Processes To Deliver against the Information Criteria, which in turn Respond to the Business Strategy.
It is Imperative that Stakeholders take Process Ownership (What Needs to be Delivered) and Specify Direction (and How it is to be Delivered by IT).
COBIT
BUSINESS GOALS & IT GOALS
(Figure: the goal cascade, in order: Enterprise Strategy, Business Goals for IT, IT Goals, Enterprise Architecture for IT, IT Scorecard.)
BUSINESS GOALS FOR IT: Business Requirements Require, and Governance Requirements Influence, the Information Services, which Imply the Information Criteria.
ENTERPRISE ARCHITECTURE - IT: IT Processes Deliver Information, and Need Applications, Infrastructure & People in order to Run.
COBIT – FRAMEWORK DEFINED
CONTROL FRAMEWORK
Business Focus
1. Aligning IT with business objectives.
2. Measures IT performance on its contribution to enabling & extending business strategy.
3. Supported by business-focused metrics, it assures value delivery as the primary focus, not technical excellence as an end in itself.
Common Language
1. Commonality puts everybody on the same page by defining major terms and a glossary.
2. Co-ordination within and across project teams and organizations plays a key role in project success.
3. Builds confidence & trust.
Process Orientation
1. Implementation is process-oriented.
2. Incidents & problems no longer divert attention from processes.
3. Exceptions are clearly defined as part of standard processes.
4. With ownership defined, assigned and accepted, better controls are exercised.
General Acceptability
1. Proven, globally accepted standards for increasing the contribution of IT to the company’s success.
2. The framework continues to improve & develop good practices.
3. IT professionals from all over contribute their ideas and time to regular review meetings.
Regulatory Requirements
1. Organizations constantly need to improve IT performance and demonstrate adequate controls.
2. IT Managers, Advisors and Auditors are turning to COBIT as the de-facto Regulatory Plane.
In summary, the framework is Business Driven, Process Oriented, Control Driven and Measured.
COBIT – CUBE
Focused Key Areas:
• Provide Information to Support Business Objectives & Requirements.
• Treat the Resulting Information as a resource to be managed by IT processes.
(Figure: the COBIT Cube, relating IT Processes, Business Requirements and the Control Approach under Consideration along three dimensions.)
Information Criteria: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability.
IT Resources: Applications, Information, Infrastructure, People.
IT Processes: Domains, Processes, Activities.
COBIT – OBJECTIVES ILLUSTRATED
(Figure: the 34 COBIT processes arranged in their four domains around Information and IT Resources, driven by Business & Governance Objectives.)
Information Criteria: Efficiency, Effectiveness, Compliance, Reliability, Integrity, Availability, Confidentiality.
IT Resources: Applications, Information, Infrastructure, People.
PLAN & ORGANIZE
PO1 Define Strategic Plan.
PO2 Define Information Architecture.
PO3 Define Technological Direction.
PO4 Define IT Processes, Organization & Relationships.
PO5 Manage IT Investment.
PO6 Communicate Management Aims & Direction.
PO7 Manage IT Human Resources.
PO8 Manage Quality.
PO9 Assess & Manage IT Risks.
PO10 Manage Projects.
ACQUIRE & IMPLEMENT
AI1 Identify Automated Solutions.
AI2 Acquire & Maintain Application Software.
AI3 Acquire & Maintain Technology Architecture.
AI4 Enable Operation & Use.
AI5 Procure IT Resources.
AI6 Manage Changes.
AI7 Install & Accredit Solutions & Changes.
DELIVER & SUPPORT
DS1 Define & Manage Service Levels.
DS2 Manage Third-Party Services.
DS3 Manage Performance & Capacity.
DS4 Ensure Continuous Service.
DS5 Ensure Systems Security.
DS6 Identify & Allocate Costs.
DS7 Educate & Train Users.
DS8 Manage Service Desk & Incidents.
DS9 Manage Configuration.
DS10 Manage Problems.
DS11 Manage Data.
DS12 Manage Physical Environment.
DS13 Manage Operations.
MONITOR & EVALUATE
ME1 Monitor & Evaluate IT Performance.
ME2 Monitor & Evaluate Internal Controls.
ME3 Ensure Compliance with External Requirements.
ME4 Provide IT Governance.
COBIT
FUNCTIONAL BOUNDARIES – BUSINESS & IT
Responsibility is jointly served by and between Stakeholders and IT.
• Business is Responsible to:
  • Define Functional & Control Requirements
  • Use & Promote Automated Services
• IT is Responsible to:
  • Automate & Implement Business Functional & Control Requirements
  • Establish Controls to Maintain Information | Data Integrity.
(Figure: Business Responsibility (Business Controls) on either side of IT Responsibility (IT General Controls across Plan & Organize, Acquire & Implement, Deliver & Support, Monitor & Evaluate); Functional Requirements and Control Requirements flow from Business to IT, Automated Services flow back to Business, and Application Controls span the boundary.)
COBIT PLACEMENT
(Figure: where COBIT sits between enterprise governance and operational practice, with Coverage running from the WHAT at the top to the HOW at the bottom.)
DRIVERS: Business Goals, balancing Performance (Balanced Scorecard) and Conformance (COSO).
ENTERPRISE GOVERNANCE / IT GOVERNANCE: COBIT.
BEST PRACTICES | STANDARDS: ISO 17799, ISO 20000, ITSM, Security Principles, QA Procedures.
PROCESSES & PROCEDURES.