
IT Management Frameworks: A Valued Approach to Strengthening IT Management. John Beveridge, Office of the State Auditor. ©2009 ISACA/ITGI. All rights reserved.


2 IT Management Frameworks: A Valued Approach to Strengthening IT Management
John Beveridge, Office of the State Auditor
Massachusetts Digital Government Summit, Boston, Massachusetts, October 19, 2009

3 John Beveridge, CISA, CISM, CGFM, CFE, CGEIT, CQA
Deputy Auditor, Office of the State Auditor
Room 1819, One Ashburton Place, Boston, MA 02108
Co-Chair of the Commonwealth's Enterprise Security Board
Adjunct faculty member
617.727.6200, e-mail: john.beveridge@sao.state.ma.us

4 In This Presentation...
Driving forces for IT governance and Control Objectives for Information and related Technology (COBIT®)
An introduction to:
–The COBIT framework
–COBIT supporting materials
Where COBIT fits with other frameworks and standards

5 The Governance Environment

6 Forces Driving IT Governance
Compliance
Security
Business/IT Alignment
ROI
Project Execution

7 Need for IT Governance
Increasing pressure to leverage technology in business strategies
Growing complexity of IT environments
Fragmented IT infrastructure; fragmented security infrastructures
Communication gaps between business and IT managers
IT service levels from internal IT functions that appear disappointing
Do these conditions sound familiar?

8 Need for IT Governance
Lack of assurance of adequate security by outsourced IT providers
IT costs perceived to be out of control, yet IT security under-funded
Marginal or unknown ROI/productivity gains on IT investments
Impaired organizational flexibility and nimbleness to change
User frustration leading to ad hoc solutions
Do these conditions sound familiar?

9 IT Governance Needs a Management Framework
(Diagram: the driving forces map onto the five IT governance focus areas.)
Strategic Alignment
Value Delivery
Risk Management
Resource Management
Performance Measurement

10 IT Governance Objectives
IT is aligned with the business, enabling the business to maximize benefit
IT resources are safeguarded and used in a responsible and ethical manner
IT-related risks are addressed through appropriate controls and managed to minimize risk and exposure
IT performance is measured and evaluated for ROI

11 To Manage and Control IT, the Organization Needs to:
Employ the fundamentals of IT governance
Have a clear understanding of the strategic value of technology
Have appropriate frameworks of control
Build and exercise mechanisms to provide adequate assurance that IT governance objectives are addressed

12 How Does COBIT Link to IT Governance?
(Diagram linking business goals and requirements to IT governance responsibilities and control objectives.)
Information the business needs to achieve its objectives
Information executives and the board need to exercise their responsibilities
Direction and resourcing

13 IT Governance Institute References
Board Briefing on IT Governance
Information Security Governance
COBIT 4.1
Val IT
IT Governance Implementation Guide
COBIT Control Practices
IT Assurance Guide
(Arranged in the diagram by layer: Governance; Security and Assurance Management; Business and Technology Management.)

14 An Overview of COBIT

15 COBIT
COBIT is a valuable IT governance tool that helps in the understanding and management of the risks and benefits associated with information integrity, security and availability, and the management of related technology.

16 How it Appears to the Instructor

17 An authoritative, up-to-date, international set of generally accepted IT control objectives and control practices for day-to-day use by business managers and auditors
Structured and organized to provide a powerful control model

18 The right information, to only the right party, in the right format, at the right time, at the right cost.
Information that is relevant, reliable, secure and available.
Information provided by systems that have integrity by means of a well-managed and properly controlled IT environment.

19 COBIT 4.1: The IT Governance Framework
Internationally accepted good practices
Management-oriented
Supported by tools and training
Freely available
Sharing knowledge and leveraging expert volunteers
Continually evolving
Maintained by a reputable not-for-profit organisation
Maps 100 percent to COSO
Maps strongly to all major related standards
The only IT management and control framework that covers the end-to-end IT life cycle
(Diagram: COBIT as a good practices repository for IT processes, IT management processes and IT governance processes.)

20 COBIT 4.1: The IT Governance Framework
COBIT is a reference, a set of good practices, not an off-the-shelf cure.
Enterprises still need to analyse their control requirements and customise based on:
Value drivers
Risk profile
IT infrastructure, organisation and project portfolio

21 COBIT Sources
Professional standards for internal control and auditing (COSO, IFAC, AICPA, IIA, etc.)
Technical standards (ISO, EDIFACT, etc.)
Codes of conduct
Qualification criteria for IT systems and processes (ISO 9000, ITSEC, TCSEC, etc.)
Industry practices and requirements from industry forums (ESF, I4)
Emerging industry-specific requirements from banking, e-commerce and IT manufacturing

22 COBIT Framework

23 COBIT Framework
Documents relationships among information criteria, IT resources and IT processes
Links control objectives and control practices to business processes and business objectives
Assists in confirming that appropriate IT processes (and practices) are in place
Facilitates evaluation and assurance methods

24 IT Resource Management
COBIT underscores and demonstrates that IT resources need to be managed in order to provide organizations with the type and quality of information required to achieve organizational objectives.

25 The Framework's Three Components
Business Requirements for Information
IT Resources
IT Processes

26 Information Criteria: The 1st Component
Effectiveness
Efficiency
Confidentiality
Integrity
Availability
Compliance
Reliability of Information

27 IT Resources: The 2nd Component
Application Systems
Information
Infrastructure
Facilities
People

28 Process Orientation
Domains: a natural grouping of processes, often matching an organisational domain of responsibility
Processes: a series of joined activities with natural control breaks
Activities or tasks: actions needed to achieve a measurable result; activities have a life cycle, whereas tasks are discrete

29 Key Driving Forces for COBIT
(Diagram of the three components and their contents.)
Business Requirements: what the stakeholders expect from IT (effectiveness, efficiency, confidentiality, integrity, availability, compliance, information reliability)
IT Resources: the resources made available to and built up by IT (data, application systems, technology, facilities, people)
IT Processes: how IT is organised to respond to the requirements (Plan and Organise, Acquire and Implement, Deliver and Support, Monitor and Evaluate)

30 Process Orientation
IT Domains: Plan and Organise, Acquire and Implement, Deliver and Support, Monitor and Evaluate. A natural grouping of processes, often matching an organisational domain of responsibility.
IT Processes (examples): IT strategy, computer operations, incident handling, acceptance testing, change management, contingency planning, problem management. A series of joined activities with natural (control) breaks.
Activities (examples): record new problem, analyse, propose solution, monitor solution, record known problem, etc. Actions needed to achieve a measurable result; activities have a life cycle, whereas tasks are discrete.

31 COBIT Domains: Feedback
(Diagram of the four domains as a loop: Plan and Organize, Acquire and Implement, Deliver and Support, Monitor and Evaluate.)

32 COBIT Processes: Plan and Organise, Acquire and Implement
PO1 Define an IT Strategic Plan
PO2 Define the Information Architecture
PO3 Determine Technological Direction
PO4 Define the IT Processes, Organisation and Relationships
PO5 Manage the IT Investment
PO6 Communicate Management Aims and Direction
PO7 Manage IT Human Resources
PO8 Manage Quality
PO9 Assess and Manage IT Risks
PO10 Manage Projects

33 COBIT Processes: Deliver and Support, Monitor and Evaluate
ME1 Monitor and Evaluate IT Performance
ME2 Monitor and Evaluate Internal Control
ME3 Ensure Compliance With External Requirements
ME4 Provide IT Governance

34 Process Orientation: Domains
Plan and Organise
Description
–This domain covers strategy and tactics, and concerns the identification of the way IT can best contribute to the achievement of the business objectives. Furthermore, the realisation of the strategic vision needs to be planned, communicated and managed from different perspectives. Finally, a proper organisation as well as technological infrastructure must be put in place.
Topics
–Strategy and tactics
–Vision planned
–Organisation and infrastructure
Questions
–Are IT and the business strategy aligned?
–Is the enterprise achieving optimum use of its resources?
–Does everyone in the organisation understand the IT objectives?
–Are IT risks understood and being managed?
–Is the quality of IT systems appropriate for business needs?

35 Digging Into COBIT

36 COBIT Framework
The COBIT framework provides guidance on IT governance and the role of IT control.
Generic controls:
–Controls that relate to IT processes and control objectives

37 Navigating in COBIT: Process Level

38 The Waterfall Navigation Aid: High-Level Control Objectives for Each Process
(Diagram: the control of IT processes, which satisfy business requirements, is focusing on the high-level control objective, is achieved by control statements and control practices, and is measured by user satisfaction.)

39 Which Domain?

40 Process Description
All changes, including emergency maintenance and patches, relating to infrastructure and applications within the production environment are formally managed in a controlled manner. Changes (including those to procedures, processes, system and service parameters) are logged, assessed and authorized prior to implementation, and reviewed against planned outcomes following implementation. This mitigates the risk of negatively impacting the stability or integrity of the production environment.

41 The Waterfall of Control

42 Information Criteria

43 IT Resources

44 IT Governance

45 Control Objectives
AI6.5 Change Closure and Documentation
Whenever changes are implemented, update the associated system and user documentation and procedures accordingly.
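The change-management process description (slide 40) and control objective AI6.5 (slide 45) state what the control must achieve: every production change is logged, authorized before implementation, reviewed against planned outcomes afterwards, and followed by a documentation update. An auditor or detection engineer tests such a control by reconciling independent records against each other. The following Python is an added example, not code from the presentation, ISACA or COBIT; the record layout, the finding codes, and the sample change tickets, approvals and deployment entries are all constructed for illustration. It flags changes that were never approved, approved only after they went in, never reviewed, or closed without updating documentation, and deployments observed in production that reference no change ticket at all.

```python
"""Reconcile a production change log against approvals, post-implementation
reviews, documentation updates and observed deployments.

Added example; field names, finding codes and sample data are constructed
and are not taken from COBIT or the slides.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Change:
    change_id: str
    target: str               # production system or application touched
    emergency: bool           # emergency maintenance / patch
    implemented_at: datetime
    docs_updated: bool        # AI6.5: system and user documentation refreshed


@dataclass
class Approval:
    change_id: str
    approver: str
    approved_at: datetime


def audit_changes(changes: List[Change], approvals: List[Approval],
                  reviewed: Set[str]) -> Dict[str, List[str]]:
    """Return {change_id: [finding, ...]} for every change failing a check.

    Finding codes (constructed for this example):
      UNAUTHORIZED      no approval record exists for the change
      LATE_APPROVAL     normal change approved only after implementation
      EMERGENCY_RETRO   emergency change approved after implementation; the
                        emergency procedure must explicitly allow this
      NO_POST_REVIEW    not reviewed against planned outcomes afterwards
      DOCS_NOT_UPDATED  AI6.5: documentation not updated with the change
    """
    earliest: Dict[str, Approval] = {}
    for a in approvals:
        # keep the earliest approval per change: a later re-approval does not
        # make a change that went in unapproved any better
        if a.change_id not in earliest or a.approved_at < earliest[a.change_id].approved_at:
            earliest[a.change_id] = a

    findings: Dict[str, List[str]] = {}
    for c in changes:
        issues: List[str] = []
        approval = earliest.get(c.change_id)
        if approval is None:
            issues.append("UNAUTHORIZED")
        elif approval.approved_at > c.implemented_at:
            issues.append("EMERGENCY_RETRO" if c.emergency else "LATE_APPROVAL")
        if c.change_id not in reviewed:
            issues.append("NO_POST_REVIEW")
        if not c.docs_updated:
            issues.append("DOCS_NOT_UPDATED")
        if issues:
            findings[c.change_id] = issues
    return findings


def changes_without_record(observed: List[Tuple[str, Optional[str]]],
                           changes: List[Change]) -> List[str]:
    """Targets deployed to (e.g. per a deployment tool's log) whose entry
    references no change ticket, or a ticket absent from the change log.
    These are the changes the control says must not exist: unlogged ones."""
    known = {c.change_id for c in changes}
    return [target for target, ticket in observed
            if ticket is None or ticket not in known]


T = datetime.fromisoformat

# Constructed sample data (not real records).
SAMPLE_CHANGES = [
    Change("CHG-1001", "payroll-app", False, T("2009-10-12T02:00"), True),
    Change("CHG-1002", "payroll-db", False, T("2009-10-13T01:30"), False),
    Change("CHG-1003", "web-frontend", True, T("2009-10-14T22:10"), True),
    Change("CHG-1004", "ldap-server", False, T("2009-10-15T03:00"), True),
]
SAMPLE_APPROVALS = [
    Approval("CHG-1001", "cab", T("2009-10-09T15:00")),
    Approval("CHG-1002", "cab", T("2009-10-13T09:00")),           # after go-live
    Approval("CHG-1003", "duty-manager", T("2009-10-15T08:00")),  # retroactive
]
SAMPLE_REVIEWED = {"CHG-1001", "CHG-1003"}
# (target, ticket referenced in the deployment entry); constructed.
SAMPLE_OBSERVED = [
    ("payroll-app", "CHG-1001"),
    ("payroll-db", "CHG-1002"),
    ("web-frontend", "CHG-1003"),
    ("ldap-server", "CHG-1004"),
    ("mail-relay", None),  # deployed with no change ticket at all
]

if __name__ == "__main__":
    for cid, issues in audit_changes(SAMPLE_CHANGES, SAMPLE_APPROVALS, SAMPLE_REVIEWED).items():
        print(cid, ", ".join(issues))
    print("unlogged deployments:", changes_without_record(SAMPLE_OBSERVED, SAMPLE_CHANGES))
```

The two functions test the control from opposite directions: audit_changes starts from the change log and asks whether each logged change met the authorization, review and documentation requirements, while changes_without_record starts from what was actually observed in production and asks whether each deployment is in the log at all. Only the second direction catches the case that matters most for integrity of the production environment, a change nobody recorded.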

46 Management Guidelines

48 Input-Output Matrix: Managing the Life Cycle
Inputs coming from other processes
Outputs going to other processes

49 Primary Inputs and Outputs
COBIT identifies, for each process, where its primary inputs are obtained from
The inputs are identified, along with the processes they come from
COBIT also identifies which IT processes the process provides output to
The outputs (from the process) are identified, along with where they are directed

50 Managing the Life Cycle
Whilst COBIT represents the life cycle of IT investments, it must also manage inter-process interdependencies.

51 RACI Charts

52 RACI Chart
Identifies who is Responsible, Accountable, Consulted and/or Informed
Addresses considerations for points of accountability
Addresses issues of communication and desired input (who would be consulted)
Rather than titles, think of positions in terms of roles
Depending on the size of the organization or the IT function, several roles may be combined

53 RACI Chart
(Diagram: typical process activities against a standard organisation chart. Who is Responsible, Accountable, Consulted and Informed?)

54 Goals and Metrics

55 Metrics
Activity goals tell us how well the process is performing
–Measured by key performance indicators (KPIs)
Process goals tell us what IT must deliver
–Measured by key goal indicators (KGIs)
IT goals tell us what we expect from IT
–Measured by key goal indicators (KGIs)

56 Maturity Model

57 Use of Maturity Models
The assessment of process capability based on the COBIT maturity models is a key part of IT governance implementation.
It enables gaps in capability to be identified and demonstrated to management.
Action plans can then be developed.

58 Maturity Levels in COBIT
0 Non-existent: management processes are not applied at all.
1 Initial: processes are ad hoc and disorganised.
2 Repeatable: processes follow a regular pattern.
3 Defined: processes are documented and communicated.
4 Managed: processes are monitored and measured.
5 Optimised: best practices are followed and automated.

59 Dimensions of Process Maturity in COBIT
Capture process maturity data on each of six dimensions:
Awareness and communication
Policies, standards and procedures
Tools and automation
Skills and expertise
Responsibility and accountability
Goal setting and measurement

60 Collecting Maturity Model Data
(Diagram: each of the six dimensions, Awareness and Communication; Policies, Standards and Procedures; Tools and Automation; Skills and Expertise; Responsibility and Accountability; Goal Setting and Measurement, is scored on the 0 to 5 maturity scale.)

61 How Do Governance and the Business Drive IT?
(Diagram. Elements: Business Goals, IT Goals, IT Processes; Business Requirements, Governance Requirements, Information Services, Information Criteria; Applications, Infrastructure and People, Information. Relationship labels on the arrows: need, deliver, run, require, imply, influence.)

62 COBIT and Other Frameworks and Standards

63 The Need for IT Governance Control Frameworks
Many organizations recognize the potential benefits that technology can yield
Successful organizations understand and manage what needs to be achieved and the risks associated with implementing new technologies
This understanding is key to control and IT governance
Control frameworks and generally accepted practices

64 Impact of Technology on Control
Operational and control objectives do not change, or change only a little
–Some technology-specific control objectives change
There is a significant impact on the mix of controls used to address the control objectives
–Technology can facilitate achieving control objectives

65 Control Models
Structured or organized to present a control framework relative to control objectives and the respective internal controls or control practices
Provide statements of responsibilities for control
Provide guidance regarding mechanisms to assess the need for control, and to design, develop, implement and exercise control
Require that controls be monitored and evaluated

66 Where COBIT Typically Sits
(Diagram of three layers: Governance Layer, IT Governance Layer, IT Management Layer. COBIT is placed in the IT Governance Layer; the other frameworks shown are COSO, King, ITIL, 17799, CMM and TickIT.)

67 How COBIT Relates to Frameworks and Standards
Integrator of technical standards
Interface to business standards

68 How COBIT Relates to Frameworks and Standards
(Diagram of four layers, Strategic, Process Control, Process Execution and Work Instruction, showing where COBIT, ITIL, CMM and 17799 apply, down to individual numbered work instructions.)

70 How COBIT Relates to Frameworks and Standards
(Charts: "Plugging 27001 into COBIT Processes", the share of 27001 controls mapped to each COBIT process from PO1 through ME4, including AI7, on a 0% to 30% scale; and "27001 Reach", the number of COBIT elements, IT processes and control objectives, covered by 27001. Caption: 27001 maps 100% onto COBIT.)

71 How COBIT Relates to Frameworks and Standards
Gartner Advisory on COBIT and ITIL

72 Control (as defined by COBIT)
The policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected.

73 Control (as defined by COBIT)
(Diagram: controls serve to achieve business objectives and to avoid risks, threats and exposures.)
Source: COBIT Control Objectives, p. 12.

74 IT Control Objective
A statement of the desired result or purpose to be achieved by implementing control procedures in a particular IT activity.

75 To understand internal control and what we mean by reasonable assurance, one needs to understand risk.
What is reasonable assurance?
What is the relationship of reasonable assurance to residual risk?

76 (Diagram: assurance level plotted against residual risk, with 100% assurance corresponding to 0% residual risk; reasonable assurance is marked short of that point.)

77 Control Responsibilities
Management: primary responsibility for ensuring that controls are in place and in effect to provide reasonable assurance that operational and control objectives will be met.
Users: exercise controls.
Audit: evaluates, advises and provides statements of assurance regarding the adequacy of controls.

78 COBIT®
COBIT® 4.1 emphasizes regulatory compliance, helps organizations increase the value attained from IT, enables alignment and simplifies implementation of the COBIT framework.
The COBIT family of products includes:
COBIT Advisor, 3rd Edition
IT Governance Implementation Guide: Using COBIT and Val IT, 2nd Edition
IT Governance Based on COBIT 4.1
COBIT Online
COBIT Quickstart, 2nd Edition
COBIT Security Baseline, 2nd Edition
Mappings of COBIT to other international frameworks and standards
www.isaca.org/cobit
