Basic principles of IT Governance Lukáš Neduchal FCCA, CISA, CRISC - člen Správnej rady ISACA Slovensko - Riaditeľ | Poradenské služby | Ernst & Young, k.s.

Content IT Governance – expected knowledge? Used practices (COBIT5), Goals, Domains, Basic principles, IT alignment – what does it mean? IT Security within IT Governance ? Suggested activities for board members

ISACA & ITGI

ISACA History and Mission Activities ISACA was incorporated in 1969 by a small group of individuals who recognized a need for a centralized source of information and guidance in the growing field of auditing controls for computer systems. Today, ISACA has more than 110,000 constituents worldwide. As an independent, nonprofit, global association, ISACA engages in the development, adoption and use of globally accepted, industry-leading knowledge and practices for information systems. Previously known as the Information Systems Audit and Control Association, ISACA now goes by its acronym only, to reflect the broad range of IT governance professionals it serves. Activities ISACA provides practical guidance, benchmarks and other effective tools for all enterprises that use information systems. Through its comprehensive guidance and services, ISACA defines the roles of information systems governance, security, audit and assurance professionals worldwide. The COBIT 5, Val IT and Risk IT governance frameworks and the CISA, CISM, CGEIT and CRISC certifications are ISACA brands respected and used by these professionals for the benefit of their enterprises. ISACA.org © ISACA. Used with permission

ISACA Certifications The certification is world-renowned as the standard of achievement for those who audit, control, monitor and assess an organization’s information technology and business systems. The management-focused is the globally accepted standard for individuals who design, build and manage enterprise information security programs. CISM is the leading credential for information security managers. recognizes a range of professionals for their knowledge and application of enterprise IT governance principles and practices. CGEIT provides you the credibility to discuss critical issues around governance and strategic alignment based on your recognized skills, knowledge and business experience. (pronounced “see-risk”) is the only certification that positions IT professionals for future career growth by linking IT risk management to enterprise risk management, and positioning them to become strategic partners to the business. ISACA.org © ISACA. Used with permission

ITGI (The IT Governance Institute ) ISACA formed the ITGI to focus on original research, publications, resources and symposia on IT governance and related topics. History and Mission The IT Governance Institute (ITGI) was established in 1998 to advance international thinking and standards in directing and controlling an enterprise’s information technology. ITGI offers original research on global practices and perceptions relative to governance and management of IT. Activities Conducts original research on governance of enterprise IT and offers several publications as complimentary downloads on the ITGI web site Offers a web site (www.itgi.org) with extensive resources and links ITGI paper: Board Briefing on IT Governance

Governance of Enterprise IT and COBIT 5

The Importance of IT Boards usually expect management to: Deliver IT solutions of the right quality, on time and on budget Harness and exploit IT to return business value Leverage IT to increase efficiency and productivity while managing IT risks The ultimate reason why IT governance is important is that expectations and reality often do not match  Source: Board Briefing on IT Governance 2nd. edition © ISACA p.13. Used with permission

Signs of ineffective IT governance? Business losses, damaged reputations or weakened competitive positions Deadlines not met, costs higher than expected and quality lower than anticipated Enterprise efficiency and core processes negatively impacted by poor quality of IT deliverables Failures of IT initiatives to bring innovation or deliver the promised benefits or even to be delivered at all

The Purpose and Objectives of IT governance IT governance practices aim at ensuring that expectations for IT are met, IT's performance is measured, its resources are managed and its risks are mitigated. to understand the issues and the strategic importance of IT to ensure that the enterprise can sustain its operations to ascertain that it can implement the strategies required to extend its activities into the future Source: Board Briefing on IT Governance 2nd. edition © ISACA p.7. Used with permission

Enterprise governance and IT governance Enterprise governance is a set of responsibilities and practices exercised by the board and executive management with the goal of: providing strategic direction ensuring that objectives are achieved ascertaining that risks are managed appropriately and verifying that the enterprise’s resources are used responsibly. Aligning IT strategy with the business strategy  Cascading strategy and goals down into the enterprise  Providing organizational structures that facilitate the implementation of strategy and goals  Insisting that an IT control framework be adopted and implemented  Measuring IT's performance Source: Board Briefing on IT Governance 2nd. edition © ISACA p.7. Used with permission

Source: COBIT® 5, © 2013 ISACA® Used with permission. COBIT 5 In Summary … COBIT 5 brings together the five principles that allow the enterprise to build an effective governance and management framework based on a holistic set of seven enablers that optimises information and technology investment and use for the benefit of stakeholders. Source:  COBIT® 5, © 2013 ISACA® Used with permission. 12

Source: COBIT® 5, figure 11. © 2013 ISACA® Used with permission. COBIT 5 Product Family Source:  COBIT® 5, figure 11. © 2013 ISACA® Used with permission. 13

Governance of Enterprise IT COBIT 5: Now One Complete Business Framework for 2005/7 2000 1998 Evolution of scope 1996 Governance of Enterprise IT COBIT 5 IT Governance COBIT4.0/4.1 Management COBIT3 Val IT 2.0 (2008) Control COBIT2 Risk IT (2009) Audit COBIT1 2012 A business framework from ISACA, at www.isaca.org/cobit COBIT5-Introduction-1.pptx © ISACA. SL 13 Used with permission 14

ISO/IEC 38500: 2008 (Corporate governance of information technology) 1.1 Scope … This standard applies to the governance of management processes (and decisions) relating to the information and communication services used by an organization… 2.2 Model Directors should govern IT through three main tasks: a) Evaluate the current and future use of IT. b) Direct preparation and implementation of plans and policies to ensure that use of IT meets business objectives. c) Monitor conformance to policies, and performance against the plans. Source: COBIT5-Introduction-1.pptx © ISACA. Used with permission 15

Governance and Management in COBIT 5 Governance ensures that enterprise objectives are achieved by evaluating stakeholder needs, conditions and options; setting direction through prioritisation and decision making; and monitoring performance, compliance and progress against agreed direction and objectives (EDM). Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives (PBRM). Exercising governance and management effectively in practice requires appropriately using all enablers. The COBIT process reference model allows us to focus easily on the relevant enterprise activities. 01 Ensure governance framework setting and maintenance. 02 Ensure benefits delivery. 03 Ensure risk optimization. 04 Ensure resource optimization. 05 Ensure stakeholder transparency. Source: COBIT5-and-GRC.pptx © ISACA. SL20.Used with permission 16

Source: COBIT® 5, figure 16. © 2012 ISACA® Used with permission. five governance processes and management domains of processes EDM GRC P M B R Source:  COBIT® 5, figure 16. © 2012 ISACA® Used with permission. 17

Source: COBIT 5-Framework-English Source:  COBIT 5-Framework-English.pdf, figure 25 © 2012 ISACA® Used with permission.

Source: COBIT® 5, © ISACA® Used with permission. Example Source:  COBIT® 5, © ISACA® Used with permission.

Source: COBIT® 5, © ISACA® Used with permission. EDM01 Activities Example Source:  COBIT® 5, © ISACA® Used with permission.

Source: COBIT® 5, © ISACA® Used with permission. EDM01 RACI Chart Example In addition to activities, COBIT 5 suggests accountabilities, and responsibilities for enterprise roles and governance/management structures (RACI charts) for each process. These include a compliance-related role. Source:  COBIT® 5, © ISACA® Used with permission.

COBIT 5…IT Governance Fundamentally, IT governance is concerned about two things: IT’s delivery of value to the business driven by strategic alignment of IT with the business. mitigation of IT risks. driven by embedding accountability into the enterprise. Both need to be supported by adequate resources and measured to ensure that the results are obtained. Source: COBIT5-Introduction-1.pptx © ISACA. Used with permission

5 Focus Areas of IT Governance This leads to the five main focus areas for IT governance, all driven by stakeholder value. Two of them are outcomes: value delivery and risk management. Three of them are drivers: strategic alignment, resource management (which overlays them all) and performance measurement D O D O D Source: Board Briefing on IT Governance 2nd. edition © ISACA p.19-p.20. Used with permission

Understanding IT Governance as a process for IT IT governance is also a process in which the IT strategy drives the IT processes, which obtain resources necessary to execute their responsibilities. The IT processes report against these responsibilities on process outcome, performance, risks mitigated and accepted, and resources consumed. These reports should either confirm that the strategy is properly executed or provide indications that strategic redirection is required. Source: Board Briefing on IT Governance 2nd. edition © ISACA p.19-p.20. Used with permission

The board should drive enterprise alignment by: Ascertaining that IT strategy is aligned with enterprise strategy. Ascertaining that IT delivers against the strategy through clear expectations and measurement. Directing IT strategy by addressing the level and allocation of investments, balancing the investments between supporting and growing the enterprise and by making considered decisions about where IT resources should be focused. Ensuring a culture of openness and collaboration among the business, geographical and functional units of the enterprise. Source: Board Briefing on IT Governance 2nd. edition © ISACA p.17. Used with permission

IT Strategic Alignment But who should be responsible for strategic alignment between IT and the business? Should it be the chief information officer (CIO) and the IT function or should it be the CEO and the business executives or equally shared between both? To help enable this: Board members should take an active role in IT strategy or similar committees. CEOs should provide organizational structures to support the implementation of IT strategy. CIOs must be business-oriented and provide a bridge between IT and the business. All executives should become involved in IT steering or similar committees. Cascading Source: Board Briefing on IT Governance 2nd. edition © ISACA p.15. Used with permission

The board should direct management to deliver measurable value through IT by: Delivering solutions and services with the appropriate quality, on time and on budget. Enhancing reputation, product leadership and cost- efficiency. Providing customer trust and competitive time-to- market. Source: Board Briefing on IT Governance 2nd. edition © ISACA p.17. Used with permission

The board should manage enterprise risk by: Ascertaining that there is transparency about the significant risks to the enterprise and being aware that the final responsibility for risk management rests with the board. Being conscious that risk mitigation can generate cost- efficiencies. Considering that a proactive risk management approach can create competitive advantage. Insisting that risk management be embedded in the operation of the enterprise. Ascertaining that management has put processes, technology and assurance in place for information security to ensure that: Business transactions can be trusted IT services are usable, can appropriately resist attacks and recover from failures Critical information is withheld from those who should not have access to it (Act No. 122/2013) Source: Board Briefing on IT Governance 2nd. edition © ISACA p.17. Used with permission

The board should support learning and growth and manage resources by: Maintaining awareness of new IT developments and opportunities. Ensuring that IT resources are able to support current and expected business requirements. Committing to improving the efficiency and effectiveness of the IT infrastructure. Sustaining an adequate investment in staff education, development and training for IT operations and developments. Source: Board Briefing on IT Governance 2nd. edition © ISACA p.17. Used with permission

The board should also measure performance by: Defining and monitoring measures together with management to verify that objectives are achieved and measure performance to eliminate surprises. Leveraging a system of balanced business scorecards maintained by management. Note: “Pragmatic practices in support of the board’s governance requirements are listed in appendix B, Board IT Governance Tool Kit”. Source: Board Briefing on IT Governance 2nd. edition © ISACA p.17. Used with permission

How Should Executive Management Address the Expectations? Cascade strategy, policies and goals down into the enterprise and align the IT organization with the enterprise goals. Provide organizational structures to support the implementation of IT strategies and an IT infrastructure to facilitate the creation and sharing of business information. Embed clear accountabilities for risk management and control over IT into the organization, based on a clear risk policy and comprehensive control framework. Measure performance by having outcome measures for business value and competitive advantage that IT delivers and performance drivers to show how well IT performs. Use few but precise performance measures, directly and demonstrably linked to strategy. Source: Board Briefing on IT Governance 2nd. edition © ISACA p.18. Used with permission

How Should Executive Management Address the Expectations? continued Focus on core business competencies IT must support, which are those business processes that add customer value, differentiate the enterprise’s products and services in the marketplace, and add value across multiple products and services over time Focus on important IT processes that improve business value, such as change applications and problem management. Management must become aggressive in defining these processes and their associated responsibilities. Focus on core IT competencies that usually relate to planning and overseeing the management of IT assets, risks, projects, customers and vendors (also supported by an IT steering committee) Create a flexible and adaptive enterprise that leverages information and knowledge. This is an enterprise that senses what is happening in the market; uses knowledge assets to learn from that and innovates new products, services, channels and processes; then mutates rapidly to bring innovation to market or to repel challenges; and finally measures results and performance. At the heart of this emerging model is knowledge. IT is the enabling factor to collect, build and distribute knowledge. Source: Board Briefing on IT Governance 2nd. edition © ISACA p.18. Used with permission

Thank You