© ITGI, ISACA - not for commercial use. A High-level Overview of the C OBI T Principles, Structure, and Framework John R. Robles ISACA PR - 5 th Symposium C OBI T Framework “This information is copyrighted by the IT Governance Institute and Information Systems Audit and Control Association. Any commercial use is strictly forbidden. It may, however, be used for educational or promotional purposes by ISACA members and chapters on a not- for-profit basis.”

© ITGI, ISACA - not for commercial use. Why does IT need a control and governance framework? Do any of these conditions sound familiar? Increasing pressure to leverage technology in business strategies Growing complexity of IT environments Fragmented IT infrastructures Demand for technologists outstripping supply Communication gap between business and IT managers IT service levels that are disappointing IT costs perceived to be out of control Marginal ROI/productivity gains on technology investments Impaired organisational flexibility and nimbleness to change User frustration leading to ad hoc solutions IT managers operating like firefighters

© ITGI, ISACA - not for commercial use. PO AI DS MO IT Governance Model IT governance helps ascertain how automated systems: --Simplify operations --Cut costs --Increase revenue Needs an IT Control Framework

© ITGI, ISACA - not for commercial use. Generally applicable and accepted international standard for good practice for IT controls For application to enterprisewide information systems Technology-independent Starting from business requirements for information Management- and business process owner-oriented Based on ISACA's Control Objectives yAligned with de jure and de facto standards and regulations yBased on critical review of tasks and activities or process focus Includes existing standards and regulations yISO, EDIFACT and others yCodes of Conduct issued by Council of Europe yProfessional standards in auditing: COSO, IFAC, IIA, ISACA, AICPA, etc. First published in April 1996, second edition in 1998, third in July 2000 Has become the de facto standard for control over IT Fundamental in achieving IT governance Generally applicable and accepted international standard for good practice for IT controls For application to enterprisewide information systems Technology-independent Starting from business requirements for information Management- and business process owner-oriented Based on ISACA's Control Objectives yAligned with de jure and de facto standards and regulations yBased on critical review of tasks and activities or process focus Includes existing standards and regulations yISO, EDIFACT and others yCodes of Conduct issued by Council of Europe yProfessional standards in auditing: COSO, IFAC, IIA, ISACA, AICPA, etc. First published in April 1996, second edition in 1998, third in July 2000 Has become the de facto standard for control over IT Fundamental in achieving IT governance C OBI T: An IT Control Framework Principles

© ITGI, ISACA - not for commercial use. u Starts from the premise that IT needs to deliver the information that the enterprise needs to achieve its objectives u Promotes process focus and process ownership u Divides IT into 34 processes belonging to four domains and provides a high-level control objective for each u Looks at fiduciary, quality and security needs of enterprises, providing seven information criteria that can be used to generically define what the business requires from IT u Is supported by a set of over 300 detailed control objectives u Effectiveness u Efficiency u Availability u Integrity u Confidentiality u Reliability u Compliance u Plan and Organise u Acquire and Implement u Deliver and Support u Monitor and Evaluate C OBI T: An IT Control Framework Concepts

© ITGI, ISACA - not for commercial use.ITDomains Processes IT Control Objectives  Critical Success Factors  Outcome Measures  Key Performance Indicators  Maturity Model IT Control Practices IT is an important element of corporate governance and management accountability. Ensure business-oriented solutions. Framework for risk assessment As a means to communicate with all stakeholders Authoritative basis (internationally accepted, exhaustive, evolving) Why should an organisation adopt C OBI T? C OBI T: An IT Control Framework

© ITGI, ISACA - not for commercial use. “To provide the information the organisation needs to achieve its objectives, IT resources need to be managed by a set of naturally grouped processes.” zRelates to business requirements zLinks to business processes zEmpowers business owners zDecomposed IT into four domains and 34 processes zDomains: (plan-build-run) + monitor zControl, audit, implementation and performance management knowledge structured by process Business Process C OBI T: An IT Control Framework

© ITGI, ISACA - not for commercial use. Framework C OBI T: An IT Control Framework BUSINESS REQUIREMENTS IT PROCESSES IT IT RESOURCES

© ITGI, ISACA - not for commercial use.  Data  Information Systems  Technology  Facilities  Human Resources  Plan and Organise  Acquire and Implement  Deliver and Support  Monitor and Evaluate  Effectiveness  Efficiency  Confidentiality  Integrity  Availability  Compliance  Information Reliability C OBI T Framework How do they relate? IT Processes Business Requirements IT Resources

© ITGI, ISACA - not for commercial use. IT Processes IT Resources IT Resources Business Requirements  Data  Information Systems  Technology  Facilities  Human Resources  Planning and organisation  Acquisition and implementation  Delivery and Support  Monitoring  Effectiveness  Efficiency  Confidentiality  Integrity  Availability  Compliance  Information Reliability C OBI T Framework How do they relate? How IT is organised to respond to the requirements What the stakeholders expect from IT The resources made available to— and built up by—IT

© ITGI, ISACA - not for commercial use. Processes A series of joined activities with natural control breaks Activities or tasks Actions needed to achieve a measurable result. Activities have a life cycle whereas tasks are discrete. Domains Natural grouping of processes, often matching an organisational domain of responsibility C OBI T Framework IT Processes

© ITGI, ISACA - not for commercial use. Data : Data objects in their widest sense, i.e., external and internal, structured and unstructured, graphics, sound, etc. Application Systems : Understood to be the sum of manual and programmed procedures Technology : Covers hardware, operating systems, database management systems, networking, multimedia, etc. Facilities : Resources to house and support information systems People : Staff skills, awareness and productivity to plan, organise, acquire, deliver, support and monitor information systems and services C OBI T Framework IT Resources

© ITGI, ISACA - not for commercial use. IT Domains Plan and Organise Acquire and Implement Deliver and Support Monitor and Evaluate IT Processes IT Strategy Policy and Procedures Feasibility Study Acceptance Testing Change Management Contingency Planning Problem Management Activities Record New Problem Analyse Propose Solution Monitor Solution Record Known Problem Etc. Natural grouping of processes, often matching an organisational domain of responsibility A series of joined activities with natural (control) breaks Actions needed to achieve a measurable result. Activities have a life cycle whereas tasks are discrete. C OBI T Framework

© ITGI, ISACA - not for commercial use. Topics zStrategy and tactics zVision planned zOrganisation and infrastructure Questions zAre IT and the business strategy aligned? zIs the enterprise achieving optimum use of its resources? zDoes everyone in the organisation understand the IT objectives? zAre IT risks understood and being managed? zIs the quality of IT systems appropriate for business needs? Domain: Plan and Organise (PO) C OBI T D omains

© ITGI, ISACA - not for commercial use. zPO1—Define a strategic IT plan zPO2—Define the information architecture zPO3—Determine the technological direction zPO4—Define the IT processes, organization and relationships zPO5—Manage the IT investment zPO6—Communicate management aims and direction zPO7—Manage IT human resources zPO8—Manage quality zPO9—Assess and manage IT risks zPO10—Manage projects. Plan and Organise

© ITGI, ISACA - not for commercial use. Topics zIT solutions zChanges and maintenance Questions zAre new projects likely to deliver solutions that meet business needs? zAre new projects likely to deliver on time and within budget? zWill the new systems work properly when implemented? zWill changes be made without upsetting current business operations? Domain: Acquire and Implement (AI) C OBI T D omains

© ITGI, ISACA - not for commercial use. zAI1—Identify automated solutions zAI2—Acquire and maintain application software zAI3—Acquire and maintain technology infrastructure zAI4—Enable operation and use zAI5—Procure IT resources zAI6—Manage changes zAI7—Install and accredit solutions and changes Acquire and Implement

© ITGI, ISACA - not for commercial use. Topics zDelivery of required services zSetup of support processes zProcessing by application systems Questions zAre IT services being delivered in line with business priorities? zAre IT costs optimised? zIs the workforce able to use the IT systems productively and safely? zAre adequate security, integrity and availability in place? Domain: Deliver and Support (DS) C OBI T Domains

© ITGI, ISACA - not for commercial use. zDS1—Define and manage service levels zDS2—Manage third-party services zDS3—Manage performance and capacity zDS4—Ensure continuous service zDS5—Ensure systems security zDS6—Identify and allocate costs zDS7—Educate and train users zDS8—Manage service desk and incidents zDS9—Manage the configuration zDS10—Manage problems zDS11—Manage data zDS12—Manage the physical environment zDS13—Manage operations Deliver and Support

© ITGI, ISACA - not for commercial use. Topics zAssessment over time, delivering assurance zManagement’s oversight of the control system zPerformance measurement Questions zCan IT’s performance be measured and can problems be detected before it is too late? zIs independent assurance needed to ensure that critical areas are operating as intended? Domain: Monitor and Evaluate (ME) C OBI T Domains

© ITGI, ISACA - not for commercial use. zME1—Monitor and evaluate IT performance zME2—Monitor and evaluate internal control zME3—Ensure regulatory compliance zME4—Provide IT governance Monitor and Evaluate

© ITGI, ISACA - not for commercial use. The control of IT Processes which satisfy is enabled by Control Statements considering Control Practices C OBI T Framework Waterfall Model 4 Domains - 34 Processes Control Objectives Business Requirements

© ITGI, ISACA - not for commercial use. PO1—Define a strategic IT plan PO2—Define the information architecture PO3—Determine the technological direction PO4—Define the IT processes, organization and relationships PO5—Manage the IT investment PO6—Communicate management aims and direction PO7—Manage IT human resources PO8—Manage quality PO9—Assess and manage IT risks PO10—Manage projects AI1—Identify automated solutions AI2—Acquire and maintain application software AI3—Acquire and maintain technology infrastructure AI4—Enable operation and use AI5—Procure IT resources AI6—Manage changes AI7—Install and accredit solutions and changes ME1—Monitor and evaluate IT performance ME2—Monitor and evaluate internal control ME3—Ensure regulatory compliance ME4—Provide IT governance DS1—Define and manage service levels DS2—Manage third-party services DS3—Manage performance and capacity DS4—Ensure continuous service DS5—Ensure systems security DS6—Identify and allocate costs DS7—Educate and train users DS8—Manage service desk and incidents DS9—Manage the configuration DS10—Manage problems DS11—Manage data DS12—Manage the physical environment DS13—Manage operations MONITOR AND EVALUATE MONITOR AND EVALUATE Business Objectives IT RESOURCES IT RESOURCES Data Application systems Technology Facilities People Data Application systems Technology Facilities People PLAN AND ORGANISE PLAN AND ORGANISE ACQUIRE AND IMPLEMENT ACQUIRE AND IMPLEMENT DELIVER AND SUPPORT Effectiveness Efficiency Confidentiality Integrity Availability Compliance Reliability Effectiveness Efficiency Confidentiality Integrity Availability Compliance Reliability Criteria C OBI T Framework

© ITGI, ISACA - not for commercial use. PO1 Define a strategic IT plan PO3 Determine the technological direction PO5 Manage the IT investment PO9 Assess and manage IT risks PO10 Manage projects AI1Identify automated solutions AI2 Acquire and maintain application s/w AI5 Procure IT resources AI6 Manage changes DS1 Define and manage service levels DS4 Ensure continuous service DS5 Ensure systems security DS10 Manage problems DS11 Manage data ME1 Monitor and evaluate IT performance The Most Important IT Processes Survey

© ITGI, ISACA - not for commercial use.  High-level Control Objective å One per process  Detailed Control Objectives å Three to 30 per process  Control Practices å Five to seven per control objective C OBI T—Content

© ITGI, ISACA - not for commercial use.  Based on the 41 primary references  Developed following a rigorous research process  Three to 30 detailed control objectives for each of the 34 processes  Directed to IT management, IT staff, control and audit functions and business process owners  For each process, detailed control objectives are identified as « good practice » that need to be in place, and that will be assessed for sufficiency by the controls professional.  Control objectives provide a working document, a place to start, from which selections need to be made based on the enterprise value and risk drivers. C OBI T Control Objectives

© ITGI, ISACA - not for commercial use. AI6 MANAGE CHANGES 6.1 Change Request Initiation and Control IT management should ensure that all requests for changes, system maintenance and supplier maintenance are standardised and are subject to formal change management procedures. Changes should be categorised and prioritised and specific procedures should be in place to handle urgent matters. Change requesters should be kept informed about the status of their request. 6.2 Impact Assessment A procedure should be in place to ensure that all requests for change are assessed in a structured way for all possible impacts on the operational system and its functionality. 6.3 Control of Changes IT management should ensure that change management and software control and distribution are properly integrated with a comprehensive configuration management system. The system used to monitor changes to application systems should be automated to support the recording and tracking of changes made to large, complex information systems. 6.4 Emergency Changes IT management should establish parameters defining emergency changes and procedures to control these changes when they circumvent the normal process of technical, operational and management assessment prior to implementation. The emergency changes should be recorded and authorised by IT management prior to implementation. C OBI T Control Objectives

© ITGI, ISACA - not for commercial use. zIT control practices are key control mechanisms that support: yThe achievement of control objectives yThe prevention, detection and correction of undesired events zIT control practices achieve that through: yResponsible use of resources yAppropriate management of risk yAlignment of IT with business Translate C OBI T ’s control objectives into detailed, implementable practices and provide the business argumentation for implementation, from a value and a risk perspective C OBI T IT Control Practices

© ITGI, ISACA - not for commercial use. C OBI T IT Control Practices

© ITGI, ISACA - not for commercial use. 1.Management has defined parameters, characteristics and procedures that allow it to identify and declare emergencies. 2.All emergency changes are documented, if not before, then after implementation. 3.All emergency changes are tested, if not before, then after implementation. 4.All emergency changes are formally authorised by the system owner and management, before implementation. 5.Before and after images as well as intervention logs are retained for subsequent review. Controlling emergency changes by implementing the control practices will :  Ensure emergency procedures are used in declared emergencies only  Ensure urgent changes can be implemented without compromising confidentiality, integrity, availability, reliability and accuracy AI6 Manage Change AI6.4 Emergency Changes IT management should establish parameters defining emergency changes and procedures to control these changes when they circumvent the normal process of technical, operational and management assessment prior to implementation. The emergency changes should be recorded and authorised by IT management prior to implementation. IT Control PracticesWhy do it? C OBI T—Example Process

© ITGI, ISACA - not for commercial use.  To improve audit approach/programs y To support audit work with detailed audit guidelines y To provide guidance for IT governance y As a valuable benchmark for IS/IT control y To improve IS/IT controls y To standardise audit approach/programs How Is C OBI T Used? (Results from Surveys) The C OBI T Framework

© ITGI, ISACA - not for commercial use. C OBI T—Benefits What Comfort about: Dependence on IT IT risks are mitigated IT delivers value Assurance of: Cost down and revenue up Business operations improved Service levels maintained Who Executive Business manager IT manager Project manager Developer Operations staff User Security officer Auditor

© ITGI, ISACA - not for commercial use. y Helps substantially increase acceptance and reduce time needed to implement IT governance program y Provides a guide for formal audits/reviews y Helps use results of audits as an opportunity to plan improvements y Strong factor in achieving primary goals for IT governance—transform organisational practices and pursue improved processes y Provides economical continuous improvement framework y Management's decision on controls needed was based on a credible source (C OBI T) y IT operations manager impressed with C OBI T's ability to help him understand what auditors want y Ideal for business management y Reliable source reference that ensures identification of all major risk areas y Improves communications and relations with IT management Why Is C OBI T Used? (Testimonials from Case Studies) The C OBI T Framework

© ITGI, ISACA - not for commercial use. C OBI T Products Management Guidelines  Provide management direction for: Getting the enterprise's information and related processes under control Monitoring achievement of organisational goals Monitoring and improving performance within each IT process Benchmarking organisational achievement  Action-oriented and generic  Provide answers to typical management questions: How far should we go in controlling IT, and is the cost justified by the benefit? What are the indicators of good performance? What are the critical success factors? What are the risks of not achieving our objectives? What do others do? How do we measure and compare?

© ITGI, ISACA - not for commercial use. Biggest Challenge = Sustainable Solutions l Establish policy, objectives and targets l Implement policy, responsibilities, processes and procedures l Measure performance against policy and external best practice l Take corrective and preventive action and continuously improve l Measure success of the change projects l Provide feedback into other improvement projects Identify needs Envision the solution Plan the solution Implement the solution Road MapApproach l Business value and risk analysis l As-is and to-be positions l Gap analysis l Project identification and initiation IT Governance Implementation Guide

© ITGI, ISACA - not for commercial use. Raise awareness & make decision Analyse values and risks Select processes Identify needs Define projects Develop & implement change plan Plan the solution Integrate into day-to- day practices Integrate measures into ITBSC Implement the solution Define where you are Define where you want to be Analyse gaps Envision the solution Implementation Road Map Post- implement. review Feedback IT Governance Implementation Guide

© ITGI, ISACA - not for commercial use. ImplementationManual IT Governance Implementation Guide

© ITGI, ISACA - not for commercial use. Conclusion —C OBI T Values Sharing knowledge and leveraging expert volunteers Internationally accepted good practices Continually evolves Maintained by reputable not-for-profit organisation Maps strongly onto all major related standards Is management-oriented Is supported by tools and training Maps completely to ISO17799 and COSO Provide action-oriented solutions FUTURE PRESENT

© ITGI, ISACA - not for commercial use. Summary of CobiT 4.0 Domains and Processes zPLAN AND ORGANISE zPO1—Define a strategic IT plan zPO2—Define the information architecture zPO3—Determine the technological direction zPO4—Define the IT processes, organization and relationships zPO5—Manage the IT investment zPO6—Communicate management aims and direction zPO7—Manage IT human resources zPO8—Manage quality zPO9—Assess and manage IT risks zPO10—Manage projects zACQUIRE AND IMPLEMENT zAI1—Identify automated solutions zAI2—Acquire and maintain application software zAI3—Acquire and maintain technology infrastructure zAI4—Enable operation and use zAI5—Procure IT resources zAI6—Manage changes zAI7—Install and accredit solutions and changes zDELIVER AND SUPPORT zDS1—Define and manage service levels zDS2—Manage third-party services zDS3—Manage performance and capacity zDS4—Ensure continuous service zDS5—Ensure systems security zDS6—Identify and allocate costs zDS7—Educate and train users zDS8—Manage service desk and incidents zDS9—Manage the configuration zDS10—Manage problems zDS11—Manage data zDS12—Manage the physical environment zDS13—Manage operations zMONITOR AND EVALUATE zME1—Monitor and evaluate IT performance zME2—Monitor and evaluate internal control zME3—Ensure regulatory compliance zME4—Provide IT governance

© ITGI, ISACA - not for commercial use. IT Governance Institute 3701 Algonquin Road, Suite 1010 Rolling Meadows, IL USA John R. Robles and Associates The C OBI T Framework