1 Transforming Enterprise IT Ref: www.isaca.org/cobit
IT Governance Is the Key Issue
Enterprises are giving away money, productivity and competitive advantage by not implementing effective IT governance. A better way to:
- Direct IT for optimal advantage
- Measure the value provided by IT
- Manage IT-related risks
IT Governance
The purpose of IT governance is to direct IT endeavours, to ensure that IT’s performance meets the following objectives:
- Alignment of IT with the enterprise and realisation of the promised benefits
- Use of IT to enable the enterprise by exploiting opportunities and maximising benefits
- Responsible use of IT resources
- Appropriate management of IT-related risks
Focus Areas of IT Governance
Why do we need a Framework?
- Increasing dependence on information and the systems that deliver this information
- Increasing vulnerabilities and a wide spectrum of threats, such as cyberthreats and information warfare
- Scale and cost of the current and future investments in information and information systems
- The need to comply with regulations
- The potential for technologies to dramatically change organisations and business practices, create new opportunities and reduce costs
- Recognition by many organisations of the potential benefits that technology can yield
Who Needs a Framework?
- Board and Executive: to ensure management follows and implements the strategic direction for IT
- Management: to make IT investment decisions; to balance risk and control investment; to benchmark the existing and future IT environment
- Users: to obtain assurance on security and control of products and services they acquire internally or externally
- Auditors: to substantiate opinions to management on internal controls; to advise on what minimum controls are necessary
COBIT
Control Objectives for Information and related Technology (COBIT) is a set of best practices (a framework) for IT management created by the Information Systems Audit and Control Association (ISACA). COBIT:
1. Incorporates major international standards
2. Has become the de facto standard for overall control over IT
3. Starts from business requirements
4. Is process-oriented
COBIT: Basics
- Starts from the premise that IT needs to deliver the information that the enterprise needs to achieve its objectives
- Promotes process focus and process ownership
- Divides IT into 34 processes belonging to four domains and provides a high-level control objective for each
- Considers fiduciary, quality and security needs of enterprises, providing seven information criteria that can be used to generically define what the business requires from IT
- Is supported by a set of over 300 detailed control objectives
Information criteria: Effectiveness, Efficiency, Availability, Integrity, Confidentiality, Reliability, Compliance
Domains: Plan and Organise; Acquire and Implement; Deliver and Support; Monitor and Evaluate
Overview of CobiT: Then what is CobiT?
It is the Control Objectives for Information and related Technology: a methodology consisting of standards and controls created to assist IT professionals in the implementation, review, administration and monitoring of an IT environment. The CobiT Executive Summary and Framework were released in December 1995, Control Objectives in April 1996, and Audit Guidelines followed in September. It is a tool for IT professionals that links information technology and control practices. CobiT consolidates and harmonizes standards from prominent global sources into a critical resource for management, control professionals and auditors.
CobiT represents a control framework, a set of generally accepted control objectives, and the CobiT Audit Guidelines. CobiT is based on the philosophy that IT resources need to be managed by a set of naturally grouped processes in order to provide the pertinent and reliable information an organization needs to achieve its objectives. CobiT is business process oriented and provides the business process owners with a framework which should enable them to control all the different activities underlying IT deployment.
Overview of CobiT What is the purpose of CobiT? To provide management and business process owners with an Information Technology (IT) governance model that helps in understanding and managing the risks associated with IT. CobiT helps bridge the gaps between business risks, control needs and technical issues by presenting the controls through one vehicle. It is a control model to meet the needs of IT governance and ensure the integrity of information and information systems.
Components of CobiT
The 4 Domains of CobiT
- PLANNING & ORGANIZATION (PO)
- ACQUISITION & IMPLEMENTATION (AI)
- DELIVERY & SUPPORT (DS)
- MONITORING (MO)
Components of CobiT: MONITORING (MO)
M1- Monitor the process
M2- Obtain independent assurance
All IT processes need to be regularly assessed over time for their quality and compliance with control and regulatory requirements. Auditors need to perform procedures to ensure that the IT environment meets predefined standards with respect to controls.
Components of CobiT: PLANNING & ORGANIZATION (PO)
PO1- Define a strategic IT plan
PO2- Define the information architecture
PO3- Determine technical direction
PO4- Define IT organization and relationships
PO5- Manage the investment in IT
PO6- Communicate management aims and directions
PO7- Manage human resources
PO8- Ensure compliance with external requirements
PO9- Assess risks
PO10- Manage projects
PO11- Manage quality
Addresses strategy and tactics, and concerns the identification of the way information technology can best contribute to the achievement of business objectives. Is the IT strategy effectively controlled, and will it contribute to the business objectives?
Components of CobiT: ACQUISITION & IMPLEMENTATION (AI)
AI1- Identify solutions
AI2- Acquire and maintain application software
AI3- Acquire and maintain technology architecture
AI4- Develop and maintain IT procedures
AI5- Install and accredit systems
AI6- Manage changes
To realize the IT strategy, IT solutions need to be identified, developed and/or acquired, as well as implemented and integrated into the business process. Is the process to choose and implement IT solutions a controlled process? Does this process meet control standards?
Components of CobiT: DELIVERY & SUPPORT (DS)
DS1- Define service levels
DS2- Manage third-party services
DS3- Manage performance and capacity
DS4- Ensure continuous service
DS5- Ensure systems security
DS6- Identify and allocate costs
DS7- Educate and train users
DS8- Assist and advise IT customers
DS9- Manage the configuration of IT systems
DS10- Manage problems and incidents
DS11- Manage data
DS12- Manage facilities
DS13- Manage operations
Addresses the actual delivery of required information services. Are information-related services delivered in a controlled manner?
2009 ISACA All Rights reserved. 18
COBIT is a Road Map for easy IT Governance
- Accepted globally as a set of tools that ensures IT is working effectively
- Functions as an overarching framework
- Provides a common language to communicate goals, objectives and expected results to all stakeholders
- Based on, and integrates, industry standards and good practices in:
  – Strategic alignment of IT with business goals
  – Value delivery of services and new projects
  – Risk management
  – Resource management
  – Performance measurement
Business Benefits
COBIT® provides guidance for executive management to govern IT within the enterprise:
- More effective tools for IT to support business goals
- More transparent and predictable full life-cycle IT costs
- More timely and reliable information from IT
- Higher quality IT services and more successful projects
- More effective management of IT-related risks
Harmonizing the Elements of IT Governance
[Diagram: IT Governance at the centre, surrounded by Strategic Alignment, Value Delivery, Resource Management, Risk Management and Performance Measurement]
The COBIT® Framework
The high-level approach diagram of information system audits. Ref-
Ref- Operationalising CMMI: integrating CMMI and CoBIT perspective
The COBIT model groups all information and IT activities into four domains, which are articulated into 34 processes. Ref: A-New-Way-to-Enhance-IT-and-Business-Governance-Collaboration.aspx
COBIT® Defines Processes, Goals and Metrics
[Diagram: Relationship Amongst Process, Goals and Metrics (DS5)]
Defined Responsibilities for Each Process
A RACI chart identifies who is Responsible, Accountable, Consulted and/or Informed.
[RACI chart: the activities below (rows) against functions (columns); the per-function R/A/C/I assignments are not recoverable from the transcript]
Activities:
- Link business goals to IT goals.
- Identify critical dependencies and current performance.
- Build an IT strategic plan.
- Build IT tactical plans.
- Analyse programme portfolios and manage project and service portfolios.
COBIT® Products and Their Primary Audience
- COBIT, Risk IT and Val IT frameworks
- Implementing and Continually Improving IT Governance
- COBIT User Guide for Service Managers
- COBIT and Application Controls
IT Governance Focus Areas Ref:
IT Governance Focus Areas
- Strategic alignment focuses on ensuring the linkage of business and IT plans; defining, maintaining and validating the IT value proposition; and aligning IT operations with enterprise operations.
- Value delivery is about executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimising costs and proving the intrinsic value of IT.
- Resource management is about the optimal investment in, and the proper management of, critical IT resources: applications, information, infrastructure and people. Key issues relate to the optimisation of knowledge and infrastructure.
- Risk management requires risk awareness by senior corporate officers, a clear understanding of the enterprise’s appetite for risk, understanding of compliance requirements, transparency about the significant risks to the enterprise and embedding of risk management responsibilities into the organisation.
- Performance measurement tracks and monitors strategy implementation, project completion, resource usage, process performance and service delivery, using, for example, balanced scorecards that translate strategy into action to achieve goals measurable beyond conventional accounting.
Management statement on IT Governance
“IT governance is the responsibility of Telco’s executives to install a system of management control that ensures that Telco’s business objectives are achieved through end-to-end processes, quality of information and the supportive IT. This consists in our opinion of directing Telco’s IT resources towards optimal performance aiming for:
- IT to be aligned with the business and the business processes;
- IT resources to be used in a controlled structure;
- IT risks to be assessed and to be managed appropriately.”
“Further formalisation of goal setting and performance monitoring of the overall IT program could be enforced by regular internal audits.”
IT Governance: Forces influencing IT Governance (IT Governance Institute, Erik Guldentops)
Drivers: Trust (McKinsey); Value (Brookings Institute); Survival (Alan Greenspan); Assurance (Turnbull)
- Regulations establishing responsibility of enterprise officers for internal control and risk transparency.
- Institutional investors willing to pay up to 20% premium for shares of enterprises that have a governance framework.
- Trust can vanish overnight. A factory cannot.
- 85% of market value of enterprises is intangible (knowledge, information, capability…).
IT Governance Institute approach
Definition: IT governance, like other governance subjects, is the responsibility of executives and shareholders (represented by the board of directors). It consists of the leadership and organisational structures and processes that ensure that the organisation’s IT sustains and extends the organisation’s strategies and objectives.
Framework [diagram]:
- Environment: Ethics & Culture; Laws & Regulations; Mission & Vision; Role Models; Industry Practices; …
- Lifecycle: Set Objectives; Provide Direction; IT Activities; Measure Performance; Compare; Evaluation (Alignment, Value Delivery, Management of Risk, Monitoring & Reporting)
- IT Activities: Increase automation (make the business effective); Decrease cost (make the enterprise efficient); Manage risks (security, reliability and compliance)
- Objectives: IT is aligned with the business, enables the business and maximises benefits; IT resources are used responsibly; IT-related risks are managed appropriately
Example organisation: Telco
[Organisation chart: RvB (Executive Board); Corporate staff; Division Mobile; Division Fixed; IT partners; IT Operators]
Implementation
[Diagram: rows Strategy, Structure, Implementation against columns Business, Information Systems, Information Technology. Elements: Business Alignment; Demand Management; IT Governance framework (product, process, organisation); IT products, security; IT management; use of information and transport. DIO focus versus CIO focus.]
Expertise in IT Governance
[Same Strategy / Structure / Implementation against Business / Information Systems / Information Technology grid]
Areas of expertise: Business Alignment; Demand Management; IT Service Management; Information architecture; User/Application controls; Security/Operations; Sourcing; Information Economics; Compliance management; Third Party Assurance; Management of change
IT Governance is IT management
[Diagram: IT Governance versus IT Management, with IT Control. Business orientation: internal versus external. Time dimension: future versus present.]
Adapted from IT Governance mechanisms: Wim van Grembergen and Steven de Haes, Kluwer 2004
Getting Started: Visit www.isaca.org/cobit to download the COBIT® framework
TOM detail: Spider Diagrams (Problem Handling)
Activities:
- Receive trouble notification
- Determine cause & resolve
- Track progress of resolution
- Initiate action to reconfigure
- Generate TT to suppliers
- Confirm trouble cleared
- Notify customer trouble cleared
- Schedule with and notify customer of planned work
INPUTS: Notifications; Trouble reports, Status reports; QoS & SLA terms, Profiles; Trouble reports; Completion notification; SLA violations; Planned maintenance scheduling and notification; Problem reports; SLA/QoS violations, Trouble reports
OUTPUTS: Request to re-configure; Trouble report, Trouble cleared; Trouble report*; Trouble report; QoS Violations; Major Trouble Reports
Connected processes: Customer Interface Management; Order Handling; Service Configuration; Other Provider(s); Service Problem Resolution; Customer QoS Management; Service Quality Management; Sales; Rating & Discounting
Governance architecture
1. Domains: Service Backbone; Sales; Fulfillment; Billing; Operations; Purchasing; Enterprise mgmt.; Marketing (the same domain set for fixed, mobile and corporate)
2. Governance structure: Company-wide steering committee, chaired by an RvB member; board responsibilities likewise (Fixed, Mobile, CFO); clear domain accountability (domain manager); linkage to business via sponsor, steered by domain management
3. Roles/responsibilities in conformance with baseline document: Domain manager (reporting to DIO), DIO & CIO; Program office per division chaired by DIO; Architectural board chaired by CIO (with participation of division)
Working mode: business sponsor (MT member); operational management; domain manager
Different Levels of IT Control
[Diagram: Strategic, Tactical and Operational levels; Core versus Possible Outsourcing]
Clear governance relationships
[Diagram: Business view (Business and IT Demand, CIO/DIO) against Technology view (IT Supply, IT Service organizations), across the layers Domains/services, Processes, Technology, Applications]
- Business view: Strategic aspiration; Business plan; Value proposition; Going-to-market model; Business strategy; Business processes; Business rules; Domain structure; Domain services; Governance model
- Technology view: Functional architecture; Data architecture; Application programs and modules; Databases; Connectivity; Hardware, operating systems, networks; Middleware, database management systems
Example: Telco adoption of CobiT Framework
In order to provide the information that the organization needs to achieve its objectives, IT resources need to be managed by a set of naturally grouped processes.
[COBIT cube diagram: BUSINESS PROCESSES (demand, business alignment), INFORMATION and IT RESOURCES (supply)]
- Information criteria: effectiveness, efficiency, confidentiality, integrity, availability, compliance, reliability
- IT resources: data, application systems, technology, facilities, people
- COBIT domains: PLANNING AND ORGANISATION; ACQUISITION AND IMPLEMENTATION; DELIVERY AND SUPPORT; MONITORING
Gartner Advisory on CobiT and ITIL
[Diagram: CobiT covers Control (the WHAT); ITIL covers Activities (the HOW); BS7799 covers Security]
Ref: itgi.org
Example IT Control Framework
1. Manage Changes
2. Manage IT Configurations
3. Manage IT Incidents and Problems
4. Manage Security
5. Manage Service Levels
6. Manage Business Continuity
7. Manage IT Costs
8. Manage Business Information Planning
9. Manage Releases (Project Management)
10. Manage IT Sourcing