IT Governance: COBIT, ISO17799 & ITIL
Agenda: Introduction, COBIT, ITIL, ISO17799, Others

Introduction (diagram): IT Governance – Effectiveness, Efficiency – External Stakeholders, Internal Stakeholders

Introduction – IT governance is effective when IT:
- Meets management's requirements
- Has its risks managed
- Is controlled
- Provides value for money

Introduction – "We are fast approaching the stage of IT evolution at which innovation must translate into overall process improvements, as it did in the mainframe world of 20 years ago." Source: Forrester

COBIT: Control Objectives for Information and related Technology, by ISACA / ITGI

COBIT has four domains:
- Plan and Organize (PO)
- Acquire and Implement (AI)
- Deliver and Support (DS)
- Monitor and Evaluate (ME)

COBIT – Plan and Organize:
- PO1 Define strategic IT plan
- PO2 Define information architecture
- PO3 Determine technological direction
- PO4 Define IT processes, organization and relationships
- PO5 Manage IT investment
- PO6 Communicate management aims and direction
- PO7 Manage IT human resources
- PO8 Manage quality
- PO9 Assess and manage IT risks
- PO10 Manage projects

COBIT – Acquire and Implement:
- AI1 Identify automated solutions
- AI2 Acquire and maintain application software
- AI3 Acquire and maintain technology infrastructure
- AI4 Enable operation and use
- AI5 Procure IT resources
- AI6 Manage changes
- AI7 Install and accredit solutions and changes

COBIT – Deliver and Support:
- DS1 Define and manage service levels
- DS2 Manage third-party services
- DS3 Manage performance and capacity
- DS4 Ensure continuous service
- DS5 Ensure systems security
- DS6 Identify and allocate costs
- DS7 Educate and train users
- DS8 Manage service desk and incidents
- DS9 Manage configuration
- DS10 Manage problems
- DS11 Manage data
- DS12 Manage physical environment
- DS13 Manage operations

COBIT – Monitor and Evaluate:
- ME1 Monitor and evaluate IT performance
- ME2 Monitor and evaluate internal control
- ME3 Ensure regulatory compliance
- ME4 Provide IT governance

ISO17799: Information Technology / Security Techniques – Code of Practice for Information Security Management, by the International Standards Organization (ISO)

ISO17799 control clauses:
- Security policy
- Organizing information security
- Asset management
- Human resources security
- Physical and environmental security
- Communications and operations management
- Access control
- Information system acquisition, development and maintenance
- Information security incident management
- Business continuity management
- Compliance

ITIL: Information Technology Infrastructure Library, by the UK government / Office of Government Commerce

ITIL has two core areas: Service Support and Service Delivery.

ITIL – Service Support:
- Incident management
- Configuration management
- Problem management
- Change management
- Release management

ITIL – Service Delivery:
- Service level management
- Capacity management
- Availability management
- Security management
- Continuity management
- Financial management

Mapping COBIT, ISO17799 & ITIL

Each COBIT process is mapped to the ISO17799 clauses and ITIL processes that cover it (a dash means no counterpart was identified). Key (colour-coded on the original slides): Strong relationship, Weak relationship, No relationship.

| COBIT process | ISO17799 | ITIL |
|---|---|---|
| PO1 – Define strategic IT plan | - | - |
| PO2 – Define information architecture | Asset management (classification) | - |
| PO3 – Determine technological direction | - | - |
| PO4 – Define IT processes, organization and relationships | Organizing information security (internal); Asset management (responsibility); Access control (users) | - |
| PO5 – Manage IT investment | - | Financial management for IT services (budgeting) |
| PO6 – Communicate management aims and direction | - | - |
| PO7 – Manage IT human resources | Human resources security | - |
| PO8 – Manage quality | - | - |
| PO9 – Assess and manage IT risks | - | - |
| PO10 – Manage projects | - | - |
| AI1 – Identify automated solutions | - | - |
| AI2 – Acquire and maintain application software | Access control (development); Information system acquisition, development and maintenance (development – software) | - |
| AI3 – Acquire and maintain technology infrastructure | Information system acquisition, development and maintenance (development – infrastructure) | - |
| AI4 – Enable operation and use | - | - |
| AI5 – Procure IT resources | - | - |
| AI6 – Manage changes | Access control (maintenance); Information system acquisition, development and maintenance (maintenance) | Change management |
| AI7 – Install and accredit solutions and changes | Information system acquisition, development and maintenance (maintenance) | Release management |
| DS1 – Define and manage service levels | - | Service level management |
| DS2 – Manage third-party services | Organizing information security (external) | - |
| DS3 – Manage performance and capacity | Communications and operations management | Capacity management |
| DS4 – Ensure continuous service | Business continuity management | IT service continuity management |
| DS5 – Ensure systems security | Security policy; Communications and operations management (security); Access control (security); Information system acquisition, development and maintenance (security) | Security management |
| DS6 – Identify and allocate costs | - | Financial management of IT services (costing) |
| DS7 – Educate and train users | - | - |
| DS8 – Manage service desk and incidents | Information security incident management | Incident management |
| DS9 – Manage configuration | - | Configuration management |
| DS10 – Manage problems | - | Problem management |
| DS11 – Manage data | Communications and operations management (backups) | Availability management |
| DS12 – Manage physical environment | Physical and environmental security | - |
| DS13 – Manage operations | Communications and operations management (operations) | - |
| ME1 – Monitor and evaluate IT performance | - | - |
| ME2 – Monitor and evaluate internal control | Compliance (audit) | - |
| ME3 – Ensure regulatory compliance | Compliance (standards) | - |
| ME4 – Provide IT governance | - | - |

Case Study – maturity scale

Key (colour-coded on the original slides): Maturity level ≥ 3; Maturity level 2 – 2.9; Maturity level ≤ 1.9

- 0 Non-Existent: No processes
- 1 Initial: Processes are ad hoc
- 2 Repeatable: Processes are regular
- 3 Defined: Processes are repeatable, as well as documented and communicated
- 4 Managed: Processes are defined, as well as measured and monitored
- 5 Optimized: Processes are managed, and best practices are followed and automated

Case Study (chart): maturity level of each COBIT process, grouped by domain (Plan & Organize, Acquire & Implement, Deliver & Support, Monitor & Evaluate) and colour-coded per the maturity key; the colours are not preserved in this transcript.

Conclusion
- Organizations are more dependent upon the information systems that support their business-critical functions
- They face the challenge of ensuring the confidentiality, integrity and availability of these information systems, as well as protecting the related technology infrastructure
- Due to increasingly complex environments and the demanding expectations of management, organizations are using a number of international standards to achieve international best practice in IT governance

Conclusion – Roadmap: Assess, Design, Implement (Present → Future)