Presentation on theme: "COBIT 5: Using or Abusing It Dr. Derek J. Oliver Ravenswood Consultants Ltd."— Presentation transcript:
COBIT 5: Using or Abusing It Dr. Derek J. Oliver Ravenswood Consultants Ltd.
Why me? Derek J. Oliver –Certified Information Systems Auditor –Certified Information Security Manager –Certified in Risk & Information Systems Control –Chartered IT Professional –Fellow of the British Computer Society –Fellow of the Institute of IT Service Management –Member of the Institute of Information Security Professionals –35+ years in the Profession [..... with a PhD and DBA to follow an MSc] –Past President, ISACA London Chapter –Past Member, CISA Certification Board –Past Member, CISA Test Enhancement Committee –Founding Chair, CISM Test Enhancement Committee –Chair, BMIS Development Committee –Co-Chair, COBIT 5 Task Force –Former Member, ISACA Framework Committee
This evening’s content... Where we’re at: COBIT 5 in 2014 What has COBIT 5 given to the Enterprise? What is still missing! How has COBIT 5 Helped? Why COBIT 5 is important: –To Governance –To Management
ISACA Board of Directors: –“ Tie together and reinforce all ISACA knowledge assets with COBIT.” –Provide a renewed and authoritative governance and management framework for enterprise information and related technology, linking together and reinforcing all other major ISACA frameworks and guidance including: Val ITRisk IT BMISITAF Board BriefingTaking Governance Forward –Connect to other major frameworks and standards in the marketplace (ITIL, ISO standards, etc.) A reminder of the COBIT 5 Objectives
Governance of Enterprise IT COBIT 5 IT Governance C OBI T4.0/4.1 Management C OBI T3 Control C OBI T2 Audit C OBI T1 The Evolution of COBIT 2005/ Evolution Val IT 2.0 (2008) Risk IT (2009) BMIS (2010) 5
COBIT 5 PAM COBIT 5 PAM The Lens Concept 6 The Eye of the Beholder: what are you looking for? COBIT 5 For Infosec COBIT 5 For Assurance COBIT 5 For ? COBIT 5 For ? Links to other Standards, Frameworks, Guidelines etc e.g. ISO, ITIL, National Standards. Links to other Standards, Frameworks, Guidelines etc e.g. ISO, ITIL, National Standards. COBIT 5 Framework COBIT 5 For Risk COBIT 5 Enabling Processes Practitioner Guides Practitioner Guides Implementation Guide Implementation Guide COBIT 5 Enabling Information COBIT 5 Toolkit COBIT 5 Toolkit
The COBIT 5 Principles COBIT 5 is used to address specific needs COBIT 5 integrates governance of enterprise IT into enterprise governance COBIT 5 integrates all existing frameworks, standards etc COBIT 5 supports a comprehensive governance and management system for enterprise IT and Information The COBIT 5 framework makes a clear distinction between governance and management
COBIT 5 Enablers
COBIT 5 was initially in 3 volumes in April, 2012: 1.Framework – Free Download 2.Enabling Processes– Free to Members 3.Implementation Guide - Free to Members COBIT 5 Process Assessment Model - Free to Members COBIT 5 for Information Security COBIT 5 for Assurance COBIT 5 for Risk COBIT 5 Enabling Information COBIT 5 Online COBIT 5 in 2014
Enterprise Benefits of the Principles The Stakeholder Concept Helps everyone involved to focus on the job in hand The end to end Concept Helps to look at an issue across the Enterprise The single, integrated framework Simplifies the approach to governance & management The holistic approach Enables the Enterprise (and its problems) to be viewed as a whole Separating Governance & Management Directs responsibility within the Enterprise
Enterprise Benefits of the Enablers Principles, Policies & Frameworks Focus on the basic infrastructure of both Governance & Management Processes Gives a structure to any view of the Enterprise Organisational Structures Supports enterprise growth & development Culture, Ethics & Behaviors Reminds the Enterprise of the impact of “People”! Information Helps everyone to understand the real meaning of the word! Services, Infrastructure & Applications Puts these aspects in their place in supporting Stakeholder needs People, Skills and Competencies Directs the Enterprise again at the importance of its People
What’s Missing?... MY OPINION Enabling: Culture, Ethics & Behavior Greater insight into the impact on the Enterprise of failing to pay attention to these important factors Currently covered by the BMIS “Implementing a Culture of Security” publication Enabling: Principles, Policies & Frameworks OK, not easy to write as a “Global” publication More detail on what constitutes a “good” Policy etc. Minimum requirements & expectations Distribution, Training & Maintenance
COBIT 5 for Information Security Provides guidance to help IT and security professionals understand, utilize, implement and direct important information security-related activities, and make more informed decisions while maintaining awareness about emerging technologies and the accompanying threats and: –Reduce complexity and increase cost-effectiveness –Increase user satisfaction with information security arrangements and outcomes –Improve integration of information security –Inform risk decisions and risk awareness –Reduce information security incidents –Enhance support for innovation and competitiveness Leverages the COBIT 5 framework through a security lens. It is the only security framework that integrates other major frameworks and standards.
Has it helped? As a derivative from BMIS, it has expressed the concepts of the holistic approach to security and the need to avoid “Silo Thinking” Provides greater, more detailed explanations of the security needs of Stakeholders and of each Enabler’s relationship to Information Security Gives good advice, illustrated by models, on how to implement and maintain a good security infrastructure Focuses on Business Information not simply IT and covers: Business Model for Information Security (BMIS)–ISACA Standard of Good Practice for Information Security (ISF) ISO/IEC Series NIST SP a PCI-DSS
Lets assurance professionals leverage COBIT 5 when planning and performing assurance reviews, which unifies an organization’s business, IT and assurance professionals around a common framework, objectives and vocabulary making it easier to reach consensus on any needed control improvements. Provides a roadmap built from well-accepted assurance approaches that enable assurance professionals to effectively plan, scope and execute IT assurance initiatives, navigate increasing technology complexity, and demonstrate strategic value to IT and business stakeholders 15 COBIT 5 for Assurance
Has it helped? Provides guidance on how to use the COBIT 5 framework to establish and sustain assurance provisioning and an assurance function for the enterprise Provides a structured approach on how to provide assurance over enablers (all of COBIT 5’s defined enablers, e.g., processes, information, organisational structures) Illustrates the structured approach with a number of concrete examples of assurance programmes Assurance providers can rely on the consistency, structure, context and vocabulary of the COBIT 5 framework and its related products Helps the Enterprise Assurance Professionals to express observations, findings, conclusions and recommendations in a structured language Gives advice on setting up and managing the Assurance function as well as approaching assurance projects Like Information Security, it was written by Assurance Professionals under the management of a Task Force
Defines IT risk as the business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise. Provides: –Stakeholders with a better understanding of the current state and risk impact throughout the enterprise –Guidance on how to manage the risk to levels, including an extensive set of measures –Guidance on how to set up the appropriate risk culture for the enterprise –Guidance on risk assessments that enable stakeholders to consider the cost of mitigation and the required resources against the loss exposure –Opportunities to integrate IT risk management with enterprise risk –Improved communication and understanding amongst all internal and external stakeholders 17 COBIT 5 for Risk
Has it helped? Guidance on how to use the COBIT 5 framework to establish the risk governance and management function(s) for the enterprise Guidance and a structured approach on how to use the COBIT 5 principles to govern and manage IT risk A clear understanding of the alignment of COBIT 5 for Risk with other relevant standards End-to-end guidance on how to manage risk A common and sustainable approach for assessment and response Like the other Practitioner Guides, it was managed by a Task Force.... but: The Task Force only met TWICE as a group No interim documents were provided for comment The concept of Inherent Risk was ignored and (on my protest) was covered by the statement” COBIT 5 for Risk does not use this concept.”
A reference guide that provides a structured way of thinking about information governance and management issues in any type of organization. This structure can be applied throughout the life cycle of information, from conception and design, through building information systems, securing information, using and providing assurance over information, and to the disposal of information. 19 COBIT 5: Enabling Information
Has it helped? Provides Enterprises with: –A comprehensive information model that comprises all aspects of information including: Stakeholders, goals (quality) Life cycle stages Good practices (information attributes) –Guidance on how to use an established governance and management framework (COBIT 5) to address common information governance and management issues such as: Big data Master data management Information disintermediation Privacy –An understanding of the reasons and criticality that information needs to be managed and governed in an appropriate way
COBIT 5 Online A multi-phase initiative by ISACA to address a wide variety of member needs for accessing, understanding and applying the COBIT 5 framework. The primary objective of this inaugural version was to provide access to the latest news and insights and easy access to online versions of COBIT 5 publications. A consolidated, comprehensive resource center for governance and management of enterprise IT. Unlike a printed book or pdf, the platform offers dynamic content and helps to increase the utility of COBIT and family of products
Has it helped? Too early to say, but CobiT 4.1 Online was popular and well used so....
Process Assessment Model Provides a basis for assessing an enterprise’s processes against COBIT 5. Evidence-based to enable a reliable, consistent and repeatable way to assess IT process capabilities Helps IT leaders gain C-level and board member buy-in for change and improvement initiatives Follows standard audit/assurance approaches but provides considerably more “granularity” than Capability Maturity Models Comes as a Model; a Programme and self-Assessment and Assessor Guides (4 publications)
Has it helped? Excellent guide for Auditors & other Assurance Professionals Explains how to assess compliance with the COBIT 5 Processes Provides a clear compliance statement that highlights failures and attracts the attention of the “Governance Body” as well as senior management Very useful publication!
COBIT 5 Related Pub’s COBIT 5-Related Guides: COBIT 5 Principles: Where Did They Come From? (white paper) COBIT 5 Principles: Where Did They Come From? Controls and Assurance in the Cloud: Using COBIT 5 (book) Controls and Assurance in the Cloud: Using COBIT 5 Relating the COSO Internal Control—Integrated Framework and COBIT (white paper) Relating the COSO Internal Control—Integrated Framework and COBIT Vendor Management: Using COBIT 5 (book) Vendor Management: Using COBIT 5 Securing Mobile Devices Using COBIT 5 for Information Security (book) Securing Mobile Devices Using COBIT 5 for Information Security Transforming Cybersecurity: Using COBIT 5 (book) Transforming Cybersecurity: Using COBIT 5 Configuration Management Using COBIT 5 (book) Configuration Management Using COBIT 5 RBI Guidelines Mapping With COBIT 5 (India WP) RBI Guidelines Mapping With COBIT 5 Securing Sensitive Personal Data or Information Under India’s IT Act Using COBIT 5 (India WP) Securing Sensitive Personal Data or Information Under India’s IT Act Using COBIT 5