COBIT & IT Governance Control Objectives for Information and Related Technology Includes material subject to: Copyright © 2004 and 2005 IT Governance Institute.

Title slide: COBIT & IT Governance (Control Objectives for Information and Related Technology). Includes material subject to Copyright © 2004 and 2005 IT Governance Institute. This presentation is intended solely for academic use.

Agenda
• The quest for effective systems and the rise of internal control regulation emphasize the need for IT governance
• Exercise: How well can you do on your own?
• COBIT: Where does it come from? How does it view IT organizations? What does it include?
• Try again: Does COBIT help?
• Other IT management frameworks
• Key takeaways

Reason 1: The Quest for Effective Systems
Systematically controlled IT functions aim to assure that IS:
• Provides value,
• Pushes the envelope, and
• Mitigates risk.
Forces at work: scale and cost; SOX compliance; threats and vulnerabilities; increased IT dependence; IT's role in organizational change.
What gets in the way (“business as usual” and management inattention):
• “We'll delete that old user ID later”
• “We'll write the documentation later”
• “Pick the best solution for our department”
• “It will be plenty fast”
• “We won't get hacked, we're too small to be on a hacker's radar”
• “There's no real need for a log file”

Reason 2: The Rise of Internal Control Regulation
• Bank scandals in the 1980s brought us the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and its 1992 Integrated Internal Control Framework, used for certifying financial reporting systems.
• WorldCom, Enron, etc. brought us the Sarbanes-Oxley Act of 2002 (SOX):
  - Management is responsible for internal control over financial reporting.
  - Annual reports must assess internal controls.
  - Officers submitting inaccurate certifications are subject to a fine of up to $1M plus 10 years; if wilful, up to $5M plus 20 years.

SOX and IS
From an IS function perspective this means that, for financial reporting systems at least, SEC-registered companies need:
• An evaluation framework for IS operations
• Useful IS metrics
• A systematic way to apply the framework
This perspective applies to non-SEC organizations as well:
• Lenders may require IS audits
• Financial services companies have their own, somewhat similar, regulations

Meeting the Challenge: IT Governance Defined
IT Governance: the leadership and organizational structures and processes that ensure that the organization's IT sustains and extends the organization's strategies and objectives.*
Aims: improve performance; reduce risk.
• Performance vs. goals and best practices
• Reliability of financial data
• Regulatory compliance
* IT Governance Institute 2003, Board Briefing on IT Governance, 2nd Ed., page 18

An IT Governance Model: Be a Part of the Process
The governance cycle: set objectives, provide direction, carry out IT activities, measure performance, and compare results against the objectives.
Set objectives:
• IT is aligned with the business
• IT enables the business and maximises benefits
• IT resources are used responsibly
• IT-related risks are managed appropriately
IT activities:
• Increase automation (make the business effective)
• Decrease cost (make the enterprise efficient)
• Manage risks (security, reliability and compliance)
Sources: www.itgovernance.org, Board Briefing on IT Governance; Hunton et al., p. 3

Let's Try It Without a Framework
You are the CEO of NASDAQ. You discover that the embarrassing error reported in the article happened when a new version of a software application was put into production. You know you need a better process.
• Who should be involved in making sure this kind of thing doesn't happen again?
• What controls should be put into place?
• How will you tell later if the controls are working?
• Will your plan convince the angry board of directors?

Agenda: How Are We Doing? (Agenda as above; the next section covers COBIT: where it comes from, how it views IT organizations, and what it includes.)

COBIT: Control Objectives for Information and related Technology
COBIT is a process-oriented, business-goal-focused, systematic framework for evaluating the IT operations within an organization. It is designed for:
• Managers who need IT,
• IT providers (internal and external), and
• “Auditors” concerned with risk, security, privacy, compliance and assurance.
Stakeholders may not know how to evaluate their organizations; COBIT can help guide the process.

Where did COBIT come from?
COBIT is published by the IT Governance Institute (ITGI), the research affiliate of ISACA. The COBIT steering committee includes international representatives from industry, academia, government, and the security and control profession. The COBIT group has done extensive work mapping COBIT to other standards.
http://www.isaca.org/Content/NavigationMenu/Members_and_Leaders/COBIT6/Project1/COBIT_Project.htm

Process Oriented: Complexity Brings Special Problems
IT resources (assets) are used to achieve organizational goals through information systems: applications, information, infrastructure and people.
Because information systems are much more complex than lunch boxes: processes! Information systems' acquisition, operation and maintenance can be usefully understood as a set of IT processes. We figure out what to control in IT by looking at what we do in IT.

Which of These Are IT Processes in the IT Governance Sense?
• Buying a new server: NO! Just a decision.
• IT purchasing procedures: YES.
• Hiring the right people: NO! A bunch of decisions.
• Screening potential IT employees: YES.
• Processing an invoice sent in by EDI from a supplier: NO! This is an IT-enabled business process.
• Change management system: YES.
Good governance creates good processes that lead to good decisions and IT systems.

Good Processes

Business Goal Focused
• Generic business goals are matched with IT goals. Example: to offer competitive products and services, create IT agility.
• IT goals are matched with the 34 IT processes, which define success. Example: achieve IT agility by adjusting HR, information architecture and infrastructure.
• Defined control objectives support assurance. Example: good data architecture keeps data to support decisions, organizes data for sharing, and verifies data reliability.
• Process measures support systematic evaluation to manage IT processes. Example: measure data architecture success in % of redundant data elements, % of applications in the plan, and frequency of validation activities.

COBIT's Systematic Framework
Business objectives drive governance objectives; the COBIT processes act on IT resources to produce information that meets the business's criteria.
Information criteria: effectiveness, efficiency, confidentiality, integrity, availability, compliance, reliability.
IT resources: data, application systems, technology, facilities, people.

PLAN AND ORGANISE (Does the organization plan and organize adequately to meet information needs?)
PO1 Define a strategic IT plan
PO2 Define the information architecture
PO3 Determine the technological direction
PO4 Define the IT processes, organisation and relationships
PO5 Manage the IT investment
PO6 Communicate management aims and direction
PO7 Manage human resources
PO8 Manage quality
PO9 Assess and manage IT risks
PO10 Manage projects

ACQUIRE AND IMPLEMENT (Does the organization have and use sound processes for acquiring and implementing IT?)
AI1 Identify automated solutions
AI2 Acquire and maintain application software
AI3 Acquire and maintain technology infrastructure
AI4 Enable operation and use
AI5 Procure IT resources
AI6 Manage changes
AI7 Install and accredit solutions and changes

DELIVER AND SUPPORT (Does the organization effectively deliver and support IT services?)
DS1 Define and manage service levels
DS2 Manage third-party services
DS3 Manage performance and capacity
DS4 Ensure continuous service
DS5 Ensure systems security
DS6 Identify and attribute costs
DS7 Educate and train users
DS8 Manage service desk and incidents
DS9 Manage the configuration
DS10 Manage problems
DS11 Manage data
DS12 Manage the physical environment
DS13 Manage operations

MONITOR AND EVALUATE (Does the organization monitor and evaluate its IT activities?)
ME1 Monitor the processes
ME2 Monitor and evaluate internal control
ME3 Ensure regulatory compliance
ME4 Provide IT governance

The process followed through the next slides as the worked example: AI6 Manage changes.

AI6 (Acquire and Implement): Manage Changes, Page 1
Every COBIT process page 1 follows the same template: Control over the IT process of [process name] that satisfies the business requirement for IT of [summary of the most important IT goals] is achieved by [key controls] and is measured by [key metrics]. The filled-in AI6 version is the “AI6 Waterfall” slide at the end of this deck.

AI6 Page 2: Detailed Control Objectives
• AI6.1 Change Standards and Procedures: Set up formal change management procedures to handle in a standardised manner all requests…
• AI6.2 Impact Assessment, Prioritisation and Authorisation: Ensure that all requests for change are assessed in a structured way for impacts on the operational system…
• AI6.3 Emergency Changes: Establish a process for defining, raising, assessing and authorising emergency changes…
• AI6.4 Change Status Tracking and Reporting: Establish a tracking and reporting system for keeping change requestors and relevant stakeholders up to date…
• AI6.5 Change Closure and Documentation: Whenever system changes are implemented, update the associated system and user documentation…

AI6 Page 3: Management Guidelines
• Process inputs and outputs
• Layered goals and metrics
• RACI chart

AI6 Page 4: Maturity Model
Management of the process of Manage changes that satisfies the business requirement for IT of responding to business requirements in alignment with the business strategy, whilst reducing solution and service delivery defects and rework, is:
• 0 Non-existent: No defined change management process…
• 1 Initial/Ad Hoc: It is recognised that changes should be managed…
• 2 Repeatable but Intuitive: Informal change management process…
• 3 Defined Process: Defined formal change management process…
• 4 Managed and Measurable: Change management well developed…
• 5 Optimised: Change management process is regularly reviewed…

Like Dagwood’s Boss, We Want Controls (employees?) that Work

COBIT Audit Guidelines
An IT process is audited by:
• Obtaining an understanding of business requirements, related risks, and relevant control measures
• Evaluating the appropriateness of stated controls
• Assessing compliance by testing whether the stated controls are working as prescribed, consistently and continuously
• Substantiating the risk of the control objectives not being met by using analytical techniques and/or consulting alternative sources

COBIT Audit Guidelines: AI6 Audit Guideline (three slides reproducing the guideline pages as images)

Now That You Have AI6…
You are the CEO of NASDAQ. You discover that the embarrassing error reported in the article happened when a new version of a software application was put into production. You know you need a better process.
• Who should be involved in making sure this kind of thing doesn't happen again?
• What controls should be put into place?
• How will you tell later if the controls are working?
• Will your plan convince the angry board of directors?

Comparing Frameworks: Different Frameworks, Different Emphasis
• Control Objectives for Information & Related Technology (COBIT): comprehensive checklists for IT, supports auditing; doesn't directly address software development or give a roadmap for improvement
• Capability Maturity Model Integration (CMMI): geared for software development organizations
• IT Infrastructure Library (ITIL): IT service delivery and management best practices
• Six Sigma: continuous improvement for repeatable activities (e.g., helpdesks)
http://www.computerworld.com/managementtopics/management/story/0,10801,90797,00.html

Comparing Frameworks: COBIT Asks All the Right Questions
COBIT: 34 IT processes in 4 domains. COBIT defines issues, values, measurements, and responsibilities. It focuses on control over execution and strives to address all IT governance issues.

Comparing Frameworks: CMM Helps Develop Mature Software Development Processes
CMM (1993) and the later CMMI focus on improving the development, acquisition, and maintenance of systems. CMM addresses only some of the issues considered by COBIT.
SEI CMM: http://www.sei.cmu.edu/cmmi/general/general.html
See ITGI's mapping of SEI's CMM for Software with COBIT 4.0.

Comparing Frameworks: ITIL Presents Best Practices for IT Service Delivery
ITIL, originally created by the British Government, describes itself as “the only consistent and comprehensive best practice for IT service management.” ITIL provides more guidance than COBIT on who should be responsible and how they should proceed.
• ITIL: best practices
• COBIT: IT control
See ITGI's mapping of ITIL with COBIT 4.0.

IT Governance Norms
• Business alignment
• A risk/control perspective
• Accountability
• Continuous improvement
• Systematic measurement

Key Takeaways
• Forces are pushing organizations to adopt IT governance, but it's an uphill battle.
• COBIT provides a systematic framework to evaluate IT operations: plan, do, check, and correct.
• A control perspective for IT processes is crucial to long-term success. (It helps us talk nicely to the CFO too!)
Thanks to the IT Governance Institute for material.

AI6 Manage Changes: High-Level Control Objective
All changes, including emergency maintenance and patches, relating to infrastructure and applications within the production environment must be formally managed in a controlled manner. Changes (including procedures, processes, system and service parameters) must be logged, assessed and authorised prior to implementation and reviewed against planned outcomes following implementation. This assures mitigation of the risks of negatively impacting the stability or integrity of the production environment.

AI6 Waterfall
Control over the IT process of Manage changes that satisfies the business requirement for IT of responding to business requirements in alignment with the business strategy, whilst reducing solution and service delivery defects and rework, by focusing on controlling impact assessment, authorisation and implementation of all changes to the IT infrastructure, applications and technical solutions, minimising errors due to incomplete request specifications and halting implementation of unauthorised changes,
is achieved by:
• Defining and communicating change procedures, including emergency changes
• Assessing, prioritising and authorising changes
• Tracking status and reporting on changes
and is measured by:
• Number of disruptions or data errors caused by inaccurate specifications or incomplete impact assessment
• Application or infrastructure rework caused by inadequate change specifications
• Percent of changes that follow formal change control processes
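The audit step “assessing compliance by testing whether the stated controls are working as prescribed” and the AI6 metric “percent of changes that follow formal change control processes” can both be exercised directly against evidence. The following is an added example, not part of the ITGI slides or of COBIT itself: it reconciles a production deployment log against the change-ticket records and reports every deployment that lacks a ticket, references a ticket that was not approved, or went live before authorisation (the AI6 high-level objective: logged, assessed and authorised prior to implementation). The ticket format, deployment log format, field names and every record are constructed for this example.

```python
"""Added example: evidence-based test of the AI6 control 'changes are logged,
assessed and authorised prior to implementation', plus the AI6 metric
'percent of changes that follow formal change control'.

Formats and records below are constructed for illustration; they are not
COBIT/ITGI artefacts and not the output of any real change or deployment tool.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List

# Constructed change-ticket export: id, status, decision time, change type.
CHANGE_TICKETS = """\
CHG-1001,approved,2012-05-14T09:00:00,normal
CHG-1002,approved,2012-05-14T21:30:00,emergency
CHG-1003,rejected,2012-05-15T10:00:00,normal
CHG-1004,approved,2012-05-16T12:00:00,normal
"""

# Constructed production deployment log: one event per line, key=value fields.
DEPLOY_LOG = """\
2012-05-14T10:15:00 host=trade-app-01 app=matching version=4.2.1 change=CHG-1001
2012-05-14T22:05:00 host=trade-app-02 app=matching version=4.2.2 change=CHG-1002
2012-05-15T11:40:00 host=trade-app-01 app=matching version=4.2.3 change=CHG-1003
2012-05-15T14:00:00 host=quote-svc-03 app=quotes version=7.0.0 change=
2012-05-16T11:00:00 host=trade-app-01 app=matching version=4.2.4 change=CHG-1004
"""


@dataclass
class Ticket:
    ticket_id: str
    status: str            # approved / rejected / ...
    decided_at: datetime   # time the approval decision was recorded
    change_type: str       # normal / emergency


@dataclass
class Finding:
    deployed_at: datetime
    host: str
    change_id: str
    issue: str


def parse_tickets(text: str) -> Dict[str, Ticket]:
    """Parse the CSV ticket export into a lookup by ticket id."""
    tickets: Dict[str, Ticket] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        tid, status, decided, ctype = line.split(",")
        tickets[tid] = Ticket(tid, status, datetime.fromisoformat(decided), ctype)
    return tickets


def parse_deploys(text: str) -> List[dict]:
    """Parse 'timestamp k=v k=v ...' deployment events; missing values stay ''."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        rec = {"deployed_at": datetime.fromisoformat(ts)}
        for field in fields:
            key, _, value = field.partition("=")
            rec[key] = value
        events.append(rec)
    return events


def assess(tickets: Dict[str, Ticket], events: List[dict]) -> dict:
    """Test each deployment against the control and compute the AI6 metric."""
    findings: List[Finding] = []
    compliant = emergency = 0
    for ev in events:
        cid = ev.get("change", "")
        if not cid:                                   # not logged as a change
            findings.append(Finding(ev["deployed_at"], ev["host"], cid, "no change reference"))
        elif cid not in tickets:                      # reference to nothing
            findings.append(Finding(ev["deployed_at"], ev["host"], cid, "ticket not found"))
        elif tickets[cid].status != "approved":       # not authorised
            findings.append(Finding(ev["deployed_at"], ev["host"], cid, "ticket not approved"))
        elif ev["deployed_at"] < tickets[cid].decided_at:  # authorised after the fact
            findings.append(Finding(ev["deployed_at"], ev["host"], cid, "deployed before authorisation"))
        else:
            compliant += 1
            if tickets[cid].change_type == "emergency":
                emergency += 1
    total = len(events)
    return {
        "total_changes": total,
        "compliant_changes": compliant,
        "emergency_changes": emergency,
        "percent_formal": round(100.0 * compliant / total, 1) if total else 0.0,
        "findings": findings,
    }


def run_example() -> dict:
    return assess(parse_tickets(CHANGE_TICKETS), parse_deploys(DEPLOY_LOG))


if __name__ == "__main__":
    result = run_example()
    print(f"{result['percent_formal']}% of {result['total_changes']} changes followed "
          f"formal change control; {result['emergency_changes']} emergency change(s)")
    for f in result["findings"]:
        print(f"  {f.deployed_at.isoformat()} {f.host} change={f.change_id or '-'}: {f.issue}")
```

Run as a script it lists three exceptions (a rejected ticket deployed anyway, a deployment with no change reference, and a deployment that went live an hour before its ticket was approved) and a 40% “formal change control” figure, which is the kind of number the AI6 maturity level 4 (“Managed and Measurable”) expects management to be tracking. The same reconciliation, run continuously rather than at audit time, is what turns the control objective into a detection: an unmatched production deployment is either a process failure or an unauthorised change.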