2 IT Governance Is the Key Issue

Enterprises are giving away money, productivity and competitive advantage by not implementing effective IT governance. IT governance offers a better way to:
• Direct IT for optimal advantage
• Measure the value provided by IT
• Manage IT-related risks

IT governance goes a long way towards bridging the gap between corporate expectations and perceptions of the IT function. The need for top management direction and oversight regarding the value of IT and the management of IT-related risks is now understood as a key element of governance. Value, risk and control constitute the core of IT governance.

IT governance consists of the leadership, organisational structures and processes that ensure that the enterprise’s IT sustains and extends the enterprise’s strategies and objectives.

Governance is not the sole responsibility of the CIO; it is the responsibility of an enterprise’s top executives and board of directors. Successful enterprises understand the risks and exploit the benefits of IT, and find ways to deal with:
• Aligning IT strategy with the business strategy
• Assuring investors and stakeholders that a ‘standard of due care’ around mitigating IT risks is being met by the enterprise
• Providing organisational structures that facilitate the implementation of strategy and goals
• Measuring IT’s performance

These are the benefits of sound IT governance.
3 IT Governance

The purpose of IT governance is to direct IT endeavours, to ensure that IT’s performance meets the following objectives:
• Alignment of IT with the enterprise and realisation of the promised benefits
• Use of IT to enable the enterprise by exploiting opportunities and maximising benefits
• Responsible use of IT resources
• Appropriate management of IT-related risks
5 Why do we need a Framework?

• Increasing dependence on information and on the systems that deliver this information
• Increasing vulnerabilities and a wide spectrum of threats, such as cyberthreats and information warfare
• Scale and cost of the current and future investments in information and information systems
• The need to comply with regulations
• The potential for technologies to dramatically change organisations and business practices, create new opportunities and reduce costs
• Recognition by many organisations of the potential benefits that technology can yield
6 Who Needs a Framework?

Board and executive
• To ensure management follows and implements the strategic direction for IT

Management
• To make IT investment decisions
• To balance risk and control investment
• To benchmark the existing and future IT environment

Users
• To obtain assurance on the security and control of products and services they acquire internally or externally

Auditors
• To substantiate opinions to management on internal controls
• To advise on what minimum controls are necessary
7 COBIT

Control Objectives for Information and related Technology (COBIT) is a set of best practices (a framework) for IT management created by the Information Systems Audit and Control Association (ISACA). COBIT:
• Incorporates major international standards
• Has become the de facto standard for overall control over IT
• Starts from business requirements
• Is process-oriented
8 COBIT: Basics

COBIT:
• Starts from the premise that IT needs to deliver the information that the enterprise needs to achieve its objectives
• Promotes process focus and process ownership
• Divides IT into 34 processes belonging to four domains and provides a high-level control objective for each
• Considers the fiduciary, quality and security needs of enterprises, providing seven information criteria that can be used to generically define what the business requires from IT
• Is supported by a set of over 300 detailed control objectives (this figure is from the 3rd edition; COBIT 4.1 consolidates them into 210)

The four domains: Plan and Organise; Acquire and Implement; Deliver and Support; Monitor and Evaluate.

The seven information criteria: effectiveness, efficiency, confidentiality, integrity, availability, compliance and reliability.
9 Overview of CobiT

Then what is CobiT? It is the Control Objectives for Information and related Technology:
• A methodology consisting of standards and controls created to assist IT professionals in the implementation, review, administration and monitoring of an IT environment.
• The CobiT Executive Summary and Framework were released in December 1995, the Control Objectives in April 1996, and the Audit Guidelines followed in September 1996.
• A tool for IT professionals that links information technology and control practices.
• CobiT consolidates and harmonises standards from prominent global sources into a critical resource for management, control professionals and auditors.
10 Overview of CobiT

CobiT represents:
• a control framework,
• a set of generally accepted control objectives, and
• the CobiT Audit Guidelines.

CobiT is based on the philosophy that IT resources need to be managed by a set of naturally grouped processes in order to provide the pertinent and reliable information an organisation needs to achieve its objectives.

Because CobiT is business-process oriented, it provides business process owners with a framework that should enable them to control all the different activities underlying IT deployment.
11 Overview of CobiT

What is the purpose of CobiT?
• To provide management and business process owners with an Information Technology (IT) governance model that helps in understanding and managing the risks associated with IT.
• CobiT helps bridge the gaps between business risks, control needs and technical issues by presenting the controls through one vehicle.
• It is a control model to meet the needs of IT governance and ensure the integrity of information and information systems.
13 Components of CobiT: the 4 Domains of CobiT

• Planning & Organization (PO)
• Acquisition & Implementation (AI)
• Delivery & Support (DS)
• Monitoring (MO)

This slide and the three that follow use the domain names and process numbering of an earlier COBIT edition; slide 21 below uses the COBIT 4.1 names, in which the fourth domain is Monitor and Evaluate (ME).
14 Components of CobiT: Monitoring (MO)

All IT processes need to be regularly assessed over time for their quality and compliance with control and regulatory requirements. Auditors need to perform procedures to ensure that the IT environment meets predefined standards with respect to controls.
• M1 - Monitor the process
• M2 - Obtain independent assurance
15 Components of CobiT: Planning & Organization (PO)

Addresses strategy and tactics, and concerns the identification of the way information technology can best contribute to the achievement of business objectives.
Is the IT strategy effectively controlled, and will it contribute to the business objectives?
• PO1 - Define a strategic IT plan
• PO2 - Define the information architecture
• PO3 - Determine technical direction
• PO4 - Define the IT organisation and relationships
• PO5 - Manage the investment in IT
• PO6 - Communicate management aims and direction
• PO7 - Manage human resources
• PO8 - Ensure compliance with external requirements
• PO9 - Assess risks
• PO10 - Manage projects
• PO11 - Manage quality
16 Components of CobiT: Acquisition & Implementation (AI)

To realise the IT strategy, IT solutions need to be identified, developed and/or acquired, as well as implemented and integrated into the business process.
Is the process to choose and implement IT solutions a controlled process? Does this process meet control standards?
• AI1 - Identify solutions
• AI2 - Acquire and maintain application software
• AI3 - Acquire and maintain technology architecture
• AI4 - Develop and maintain IT procedures
• AI5 - Install and accredit systems
• AI6 - Manage changes
17 Components of CobiT: Delivery & Support (DS)

Addresses the actual delivery of required information services.
Are information-related services delivered in a controlled manner?
• DS1 - Define service levels
• DS2 - Manage third-party services
• DS3 - Manage performance and capacity
• DS4 - Ensure continuous service
• DS5 - Ensure systems security
• DS6 - Identify and allocate costs
• DS7 - Educate and train users
• DS8 - Assist and advise IT customers
• DS9 - Manage the configuration of IT systems
• DS10 - Manage problems and incidents
• DS11 - Manage data
• DS12 - Manage facilities
• DS13 - Manage operations
18 COBIT is a Road Map for IT Governance

• Accepted globally as a set of tools that ensures IT is working effectively
• Functions as an overarching framework
• Provides a common language to communicate goals, objectives and expected results to all stakeholders
• Based on, and integrates, industry standards and good practices in:
  - Strategic alignment of IT with business goals
  - Value delivery of services and new projects
  - Risk management
  - Resource management
  - Performance measurement

The COBIT mission is to research, continually update, publicise and promote an authoritative, internationally accepted IT governance control framework for adoption by enterprises and day-to-day use by business managers, IT professionals and assurance professionals. Now in its 4.1 release, the framework has been used successfully by IT organisations and business executives in many industries and of many sizes. COBIT provides a common language to communicate goals, objectives and expected results, which benefits all levels of IT, including management and stakeholders.
19 Business Benefits

COBIT® provides guidance for executive management to govern IT within the enterprise:
• More effective tools for IT to support business goals
• More transparent and predictable full life-cycle IT costs
• More timely and reliable information from IT
• Higher quality IT services and more successful projects
• More effective management of IT-related risks

COBIT delivers significant benefits in areas that are fundamental to every enterprise: value, risk and control. Implementing COBIT also provides:
• Clearer security and privacy requirements, and more easily monitored implementation
• More efficient and successful audits
• IT compliance with regulatory requirements becoming a normal management practice
20 Harmonizing the Elements of IT Governance

The five focus areas: strategic alignment, value delivery, risk management, resource management and performance measurement.

COBIT is based on the analysis and harmonisation of existing IT standards and good practices and conforms to generally accepted governance principles. It is positioned at a high level, driven by business requirements, covers the full range of IT activities, and concentrates on what should be achieved rather than how to achieve effective governance, management and control. Therefore, it appeals to executive management; business and IT management; governance, assurance and security professionals; and IT audit and control professionals.
• Strategic alignment focuses on ensuring the linkage of business and IT plans; defining, maintaining and validating the IT value proposition; and aligning IT operations with enterprise operations.
• Value delivery is about executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimising costs and proving the intrinsic value of IT.
• Risk management requires risk awareness by senior corporate officers, a clear understanding of the enterprise’s appetite for risk, understanding of compliance requirements, transparency about the significant risks to the enterprise and embedding of risk management responsibilities into the enterprise.
• Resource management is about the optimal investment in, and the proper management of, critical IT resources: applications, information, infrastructure and people. Key issues relate to the optimisation of knowledge and infrastructure.
• Performance measurement tracks and monitors strategy implementation, project completion, resource usage, process performance and service delivery, using, for example, balanced scorecards that translate strategy into action to achieve goals measurable beyond conventional accounting.
21 The COBIT® Framework

Let’s take a closer look at the COBIT framework. COBIT defines IT activities in a generic process model within four domains along with a set of information criteria. The four domains are: Plan and Organise, Acquire and Implement, Deliver and Support, and Monitor and Evaluate. The domains map to IT’s traditional responsibility areas of plan, build, run and monitor. The COBIT framework provides a reference process model and common language for everyone in an enterprise to view and manage IT activities. Incorporating an operational model and a common language for all parts of the business involved in IT is one of the most important and initial steps towards good governance. It also provides a framework for measuring and monitoring IT performance, communicating with service providers and integrating best management practices. A process model encourages process ownership, enabling responsibilities and accountability to be defined.
• Plan and Organise (PO): provides direction to solution delivery (AI) and service delivery (DS) (example controls: Define a Strategic IT Plan, Manage Quality)
• Acquire and Implement (AI): provides the solutions and passes them on to be turned into services (example controls: Identify Automated Solutions, Manage Changes)
• Deliver and Support (DS): receives the solutions and makes them usable for end users (example controls: Define and Manage Service Levels, Identify and Allocate Costs)
• Monitor and Evaluate (ME): monitors all processes to ensure that the direction provided is followed (example controls: Ensure Regulatory Compliance, Monitor and Evaluate IT Performance)
22 [Figure: the high-level approach diagram of information system audits]

23 [Figure: operationalising CMMI, integrating the CMMI and CobiT perspectives]

24 [Figure: the COBIT model groups all information and IT activities into four domains, which are articulated into 34 processes]
26 COBIT® Defines Processes, Goals and Metrics: Relationship Amongst Process, Goals and Metrics (DS5)

The chart illustrates the relationship between the business, IT, process and activity goals, and the different metrics. From top left to top right, the goals cascade is illustrated. Below each goal is the outcome measure for the goal. The small arrow indicates that the same metric is a performance indicator for the higher-level goal.

The example provided is from DS5 Ensure systems security. COBIT provides metrics only up to the IT goals outcome, as delineated by the dotted line. While they are also performance indicators for the business goals for IT, COBIT does not provide business goal outcome measures.

The metrics have been developed with the following characteristics in mind:
• A high insight-to-effort ratio (i.e., insight into performance and the achievement of goals as compared to the effort to capture them)
• Comparable internally (e.g., percent against a base, or numbers over time)
• Comparable externally, irrespective of enterprise size or industry
• Better to have a few good metrics (maybe even one very good one that could be influenced by different means) than a longer list of lower-quality metrics
• Easy to measure, and not to be confused with targets
27 Defined Responsibilities for Each Process: RACI Chart

A RACI chart identifies who is Responsible, Accountable, Consulted and/or Informed. The chart lists functions across the top and activities down the side; the activities shown in the example are those of PO1 Define a strategic IT plan:
• Link business goals to IT goals.
• Identify critical dependencies and current performance.
• Build an IT strategic plan.
• Build IT tactical plans.
• Analyse programme portfolios and manage project and service portfolios.

COBIT also provides information on what processes should be delegated and to whom they should be delegated. This helps to ensure that IT processes are being managed at the appropriate level within an enterprise. The RACI chart is defined for each process and indicates who is responsible, accountable, consulted or should be informed about specific tasks within a given process.

The roles in the RACI chart are categorised for all processes as:
• Chief executive officer (CEO)
• Chief financial officer (CFO)
• Business executives
• Chief information officer (CIO)
• Business process owner
• Head operations
• Chief architect
• Head development
• Head IT administration (for large enterprises, the head of functions such as human resources, budgeting and internal control)
• The project management officer (PMO) or function
• Compliance, audit, risk and security (groups with control responsibilities but not operational IT responsibilities)
28 COBIT® Products and Their Primary Audience

COBIT products have been organised into three levels designed to support:
• Executive management and boards
• Business and IT management
• Governance, assurance, control and security professionals

This COBIT-based product diagram presents the generally applicable products and their primary audience. There are also derived products for specific purposes (IT Control Objectives for Sarbanes-Oxley, 2nd Edition), for domains such as security (COBIT® Security Baseline and Information Security Governance: Guidance for Boards of Directors and Executive Management), or for specific enterprises (COBIT® Quickstart for small and medium-sized enterprises or for large enterprises wishing to ramp up to a more extensive IT governance implementation).

Products shown in the diagram: the COBIT, Risk IT and Val IT frameworks; Implementing and Continually Improving IT Governance; COBIT User Guide for Service Managers; COBIT and Application Controls.
30 IT Governance Focus Areas

Strategic alignment, value delivery, resource management, risk management and performance measurement, each as described under slide 20 above.
31 Management statement on IT Governance

“IT governance is the responsibility of Telco’s executives to install a system of management control that ensures that Telco’s business objectives are achieved through end-to-end processes, quality of information and the supportive IT. This consists in our opinion of directing Telco’s IT resources towards optimal performance aiming for:
- IT to be aligned with the business and the business processes;
- IT resources to be used in a controlled structure;
- IT risks to be assessed and to be managed appropriately.”

“Further formalisation of goal setting and performance monitoring of the overall IT program could be enforced by regular internal audits.”
32 Forces influencing IT Governance (IT Governance Institute, Erik Guldentops)

Four forces push enterprises towards IT governance:
• Value (Brookings Institute): 85% of the market value of enterprises is intangible (knowledge, information, capability, ...)
• Trust (McKinsey): institutional investors are willing to pay up to a 20% premium for shares of enterprises that have a governance framework
• Assurance (Turnbull): regulations establishing the responsibility of enterprise officers for internal control and risk transparency
• Survival (Alan Greenspan): “Trust can vanish overnight. A factory cannot.”
33 IT Governance Lifecycle (IT Governance Institute approach)

IT governance, like other governance subjects, is the responsibility of executives and shareholders (represented by the board of directors). It consists of the leadership and organisational structures and processes that ensure that the organisation’s IT sustains and extends the organisation’s strategies and objectives.

The lifecycle figure is a loop: set objectives → provide direction → IT activities → measure performance → compare against the objectives, and repeat.

Objectives:
• IT is aligned with the business, enables the business and maximises benefits
• IT resources are used responsibly
• IT-related risks are managed appropriately

IT activities:
• Increase automation (make the business effective)
• Decrease cost (make the enterprise efficient)
• Manage risks (security, reliability and compliance)

Environment in which the lifecycle operates: ethics and culture, laws and regulations, mission and vision, role models, industry practices, ...

Framework stages around the lifecycle: alignment, value delivery, management of risk, monitoring and reporting, evaluation.
34 Example organisation: Telco

[Figure: organisation chart. Board of Directors (RvB) with corporate staff; Division Fixed and Division Mobile; IT operators and IT partners.]
35 IT Governance framework

[Figure: a grid with columns Business (product, process, organisation), Information Systems (use of information and transport) and Information Technology (IT products, security, IT management), and rows Strategy, Structure and Implementation. The slide marks a DIO focus and a CIO focus across these columns, with business alignment and demand management as the concerns linking them.]
36 Expertise in IT Governance

[Figure: the same Business / Information Systems / Information Technology by Strategy / Structure / Implementation grid, populated with the expertise areas required: compliance management, sourcing, information economics, strategy, third-party assurance, information architecture, management of change, structure, user/application controls, security/operations, IT service management and implementation. Business alignment and demand management again link the columns.]
37 IT Governance is ...... IT management

[Figure: IT governance versus IT management plotted on two axes: business orientation (internal to external) and time dimension (present to future). IT management sits at the internal/present end and IT governance at the external/future end; the figure also places IT control on these axes. Adapted from “IT Governance mechanismen”, Wim van Grembergen and Steven de Haes, Kluwer 2004.]
38 Getting Started

Visit www.isaca.org/cobit to download the COBIT® framework. If you would like to learn more, or are interested in taking the first steps, you will find that our web site has a wealth of material. The site offers not only a PDF version of COBIT you can download free of charge, it also offers archived webcasts, case studies, access to the online discussion forum, and information on COBIT training.
39 TOM detail: Spider Diagrams

[Figure: Telecom Operations Map spider diagram for the trouble-handling flow. Process boxes shown: Customer, Customer Interface Management, Order Handling, Problem Handling, Sales, Service Configuration, Service Problem Resolution, Customer QoS Management, Service Quality Management, Rating & Discounting, Other Provider(s). Flows shown: trouble reports, trouble cleared, notifications and status reports, SLA/QoS violations, requests to re-configure, completion notifications, planned maintenance scheduling and notification. Problem Handling steps: receive trouble notification; determine cause and resolve; track progress of resolution; initiate action to reconfigure; generate trouble tickets to suppliers; confirm trouble cleared; notify customer that trouble is cleared; schedule with and notify customer of planned work.]
40 Governance architecture

1. Domains: each of the three units (fixed, mobile, corporate) has the same process domains: Sales, Fulfillment, Billing, Enterprise management, Service backbone, Marketing, Operations, Purchasing.
2. Governance structure:
   • Company-wide steering committee, chaired by an RvB member
   • Board responsibilities likewise (Fixed, Mobile, CFO)
   • Clear domain accountability (domain manager)
   • Linkage to the business via a sponsor; steering by domain management
3. Roles/responsibilities in conformance with the baseline document:
   • Domain manager (reporting to the DIO), DIO and CIO
   • Program office per division, chaired by the DIO
   • Architectural board chaired by the CIO (with participation of the divisions)

Working mode: business sponsor (MT member) → domain manager → operational management.
41 Different Levels of IT Control

[Figure: three levels of IT control, strategic, tactical and operational, with regions marked as core and as possible outsourcing.]
44 Business alignment: demand and supply. Example: Telco adoption of the CobiT Framework

In order to provide the information that the organisation needs to achieve its objectives, IT resources need to be managed by a set of naturally grouped processes. The figure labels the business side as demand and the IT side as supply:
• Demand: business processes, which require information meeting the COBIT criteria of effectiveness, efficiency, confidentiality, integrity, availability, compliance and reliability.
• Supply: IT resources (data, application systems, technology, facilities, people), managed through the four domains Planning and Organisation, Acquisition and Implementation, Delivery and Support, and Monitoring.
45 Gartner Advisory on CobiT and ITIL

[Figure: CobiT covers control (the WHAT), ITIL covers activities (the HOW), and BS7799 covers security. Ref: itgi.org]
46 Example IT Control Framework

[Figure: CobiT spans the demand and supply sides; the ITIL processes, plus additions, cover the supply side.] Key control objectives:
• Manage changes
• Manage IT configurations
• Manage IT incidents and problems
• Manage security
• Manage service levels
• Manage business continuity
• Manage IT costs
• Manage business information planning
• Manage releases (project management)
• Manage IT sourcing