1 An Introduction to CobiT 4.1 & Mapping CobiT to other Frameworks and Standards Jimmy Heschl [Senior Manager, KPMG Austria]

2 Some Personal Information
KPMG Austria
– Senior Manager
– IRM - Information Risk Management
– IT Advisory
– Implementation of IT processes, based on COSO, CobiT, ITIL, …
Board member of ISACA Austria
Member of the CobiT Steering Committee
Book: IT Governance
Involved in creation of CobiT 4.0 & 4.1
Responsible for CobiT Mapping Project(s)
Author of
– CobiT Mapping – Overview of International IT Guidance, 2nd Edition
– CobiT Mapping – Mapping of ISO/IEC 17799:2000 with CobiT
– CobiT Mapping – Mapping of ITIL with CobiT
Translation of CobiT into German Language
CISA, CISM, ITIL Foundation, ITIL Service Management, ...

3 Agenda
IT Governance
CobiT
– Content
– Updates
Integration of Standards
– ITIL
– ISO17799
– others

4 What is IT Governance?
Terminology
– kybernân – "to guide / steer a boat"
Corporate Governance
– is the system by which companies are directed and controlled. (Cadbury Report)
IT Governance
– is the responsibility of the board of directors and executive management. It is an integral part of enterprise governance and consists of the leadership and organisational structures and processes that ensure that the organisation's IT sustains and extends the organisation's strategies and objectives. (IT Governance Institute)

5 What is IT Governance?
(Diagram: governance cycle – Set Objectives, IT Activities, Measure Performance, Compare, Provide Direction)
IT Activities:
– Increase automation (make the business effective)
– Decrease cost (make the enterprise efficient)
– Manage risks (security, reliability & compliance)
Set Objectives:
– IT is aligned with the business
– IT enables the business & maximises benefits
– IT resources are used responsibly
– IT-related risks are managed appropriately

6 Other IT management practices
In theory
– IT Management
– IT Service Management
– IT Project Management
– IT/Information Security Management
– IT Audit

7 Other disciplines
IT Management
IT Service Management
IT Project Management
IT Security Management
IT Audit
…

8 Organisational view
(Diagram: Stakeholder, IT Governance and IT xyz Management, with CEO, CFO, CIO, CMO, CxO and the units OPs, AD, SD)

9 IT Governance Standards
Demanding
– Legislation concerning Internal Control Over Financial Reporting
– Risk management
– Special legislation
– Your customers

10 IT Governance Standards
Demanding
– Legislation concerning Internal Control Over Financial Reporting
– Risk management
– Special legislation
– Your customers
Supporting
– CobiT
– ITIL
– ISO17799 / 2700x
– CMMI
– PMBOK
– PRINCE2
– … and many more

11 CobiT
COBIT® = Control OBjectives for Information and Related Technology
Process-oriented framework for IT Governance
Focused on business goals and how IT supports their achievement
A tool for
– Business management
– IT management
– IT process managers
First developed in 1992
Issued by IT Governance Institute
Accepted globally as the de facto standard for an IT control framework
Documents can be downloaded from www.isaca.org

12 How is CobiT Developed and Maintained?
ITGI's independent status and desire to promote openly available guidance is a key influencing factor
CobiT Steering Committee of volunteers and a management team drive the CobiT strategy and developments
Over 100 experts from around the world (members, industry players) and eight volunteer teams form a unique support team (BE, UK, DK, AU, ZA plus Chicago, San Francisco and DC in the US)
Development teams create new content with no commercial pressures
ISACA/ITGI International HQ provide support services to produce and distribute the finished products
CobiT 4.0 has been a two-year effort with many interconnected projects

13 CobiT History
CobiT has evolved from an auditor's tool to an IT governance framework, used increasingly by IT management
(Timeline: CobiT 1 – 1996, CobiT 2 – 1998, CobiT 3 – 2000, CobiT 4 – 2005; scope widening from Audit via Control and Management to Governance)

14 Where has CobiT 4.0 Focused?
– IT Governance – Better coverage with governance practices in key processes to enable executives and the business to take their responsibility
– Business Requirements – Better business to IT linkages with cascading goals and supporting metrics
– Harmonisation – Improved integration with other key practices
– Value Creation – Extended focus on risk-adjusted IT investments
– Enterprise Architecture – Process structure and resources
– Process Definitions and Process Flows – Improved process descriptions, activities, inputs and outputs
– Language and Presentation – More concise, action-oriented and consolidated into one book
– Feedback – Responded to user comments

15 Top-down approach

16 CobiT 4.0 Focus
(Diagram; node labels: Business requirements, Governance requirements, Business Goals for IT, IT Goals, IT Processes (with responsibilities), Business Architecture for IT – Information, Applications, Infrastructure and staff – Information Services, Information Criteria; arrow labels: influence, require, deliver, run)

17 Linking Business Goals to IT Goals

18 Linking IT Goals to IT Processes

19 CobiT Components
(Diagram: Business requirements drive information; IT Processes are controlled by Control Objectives, which are translated to Control Practices for implementation, audited by Audit Guidelines and made effective and efficient with Activity Goals; processes are measured by Key Performance Indicators (for performance), Key Goal Indicators (for outcome) and Maturity Models (for maturity))
20 CobiT Components
(Same diagram as slide 19, with a Management focus and an Audit focus marked on it)

21 CobiT IT Processes
(Diagram: the four domains arranged around Information)
Plan and Organise
– PO1 Define a strategic IT plan.
– PO2 Define the information architecture.
– PO3 Determine technological direction.
– PO4 Define the IT processes, organisation and relationships.
– PO5 Manage the IT investment.
– PO6 Communicate management aims and direction.
– PO7 Manage IT human resources.
– PO8 Manage quality.
– PO9 Assess and manage IT risks.
– PO10 Manage projects.
Acquire and Implement
– AI1 Identify automated solutions.
– AI2 Acquire and maintain application software.
– AI3 Acquire and maintain technology infrastructure.
– AI4 Enable operation and use.
– AI5 Procure IT resources.
– AI6 Manage changes.
– AI7 Install and accredit solutions and changes.
Deliver and Support
– DS1 Define and manage service levels.
– DS2 Manage third-party services.
– DS3 Manage performance and capacity.
– DS4 Ensure continuous service.
– DS5 Ensure systems security.
– DS6 Identify and allocate costs.
– DS7 Educate and train users.
– DS8 Manage service desk and incidents.
– DS9 Manage the configuration.
– DS10 Manage problems.
– DS11 Manage data.
– DS12 Manage the physical environment.
– DS13 Manage operations.
Monitor and Evaluate
– ME1 Monitor and evaluate IT performance.
– ME2 Monitor and evaluate internal control.
– ME3 Ensure regulatory compliance.
– ME4 Provide IT governance.

22 CobiT Core Content
Framework
34 CobiT IT Processes
– Process overview
– Control Objectives
– Management Guidelines
  RACI-Chart
  Inputs & Outputs
  Goals & Metrics
– Specific Maturity Model
(Diagram: stacked volumes – Framework, Control Objectives, Management Guidelines, Maturity Models)

23 For 34 IT processes you have …
Process Overview
– Process description
– IT domain & Information indicators
– IT goals
– Process goals
– Key practices
– Key metrics
– IT Governance & IT Resource indicators

24 For 34 IT processes you have …
RACI chart

25 For 34 IT processes you have …
Inputs
Outputs

26 For 34 IT processes you have …
IT Goals
Metrics

27 For 34 IT processes you have …
Process Goals
Metrics

28 For 34 IT processes you have …
Activity Goals
Metrics

29 For 34 IT processes you have …
A complete measurement system

30 For 34 IT processes you have …
Control Objectives

31 For 34 IT processes you have …
Specific Maturity model
– From
– Via
– to

32 Generic Maturity Model
(Diagram: Maturity Attributes rated on levels 1 to 5, showing the as-is position, the to-be target and the improvement measures between them, summarised as Overall Process Maturity)
Maturity Attributes
– Awareness and Communication
– Policies, Standards and Procedures
– Tools and Automation
– Skills and Expertise
– Responsibility and Accountability
– Goal Setting and Measurement

33 CobiT Core Content
(Diagram: the WHAT – Framework, Control Objectives, Management Guidelines, Maturity Models)
34 CobiT More Content
(Diagram: the WHAT, extended per Control Objective with Control Practices, Assurance Approach / Assurance Steps, Value and Risk)
35 Implementation
(Diagram: the WHAT plus the HOW – Board Briefing, CIO Baseline for IT Governance, Executive Baseline for IT Governance, Implementation Guide using CobiT)
36 Assurance
(Diagram: the HOW extended with Audit Director Baseline for IT Governance and IT Assurance Guide using CobiT)

37 CobiT 4.0 and 4.1
Changes in the Core Content
– No fundamental update to the framework but fine-tuning
– Executive Overview enhanced
– Better explanation of Performance Measurement
– Control Objectives
  Control Practices
  ValIT development
  Grouped / reworded control objectives
– Application Controls
– List of Business and IT Goals (appendix I)

38 Future developments
No radical changes of CobiT in the next years
Ongoing update and improvement
Alignment of CobiT-Products
– CobiT Online
– Quick Start
– Mapping
– Slicing & Dicing
– ValIT & RiskIT
CobiT has a BIG impact
– Relationship Governance, Business and IT
– Control Objectives for Business and IT

39 CobiT Mapping Project
Started in 2003
– Integration of Standards
– Update of CobiT
(Slides 40 to 46 repeat this slide with progressively built-up graphics)

47 CobiT Mapping Project
Started in 2003
– Integration of Standards
– Update of CobiT
Further mappings
– In progress
  TOGAF (Architecture)
  COSO ERM
  GBPM
– On our radar
  ITIL v3
  FFIEC (US banking)
  NAIC (Insurance)
  NIST SP800-53
  FISMA
  IAIS Framework (Solvency II)
  HIPAA (Health Insurance)
  GLBA (Privacy)
  ISO19770-1 (SW Asset Mgmt)
  ISO 20000 (Service Mgmt)
  ISO 27005 (Risk Mgmt)
  ISO 27002 (ISO17799)

48 ITIL
IT Infrastructure Library
Issued by OGC
Best practice for IT service management
Certification
– Personnel
– Organisations
  BS15000
  ISO20000
ITIL v3

49 ITIL Overview

50 CobiT & ITIL
(Mapping diagrams only; slides 51 to 60 carry the same title and further diagrams)

61 ISO/IEC 17799:2005
Issued by ISO
Best Practice for Information Security
Defines
– Security Categories
– Control Objectives
– Illustrative Controls
History
– CoP for Security Management
– BS7799 Part 1
– ISO/IEC 17799:2000
Future
– ISO/IEC 27002
Certification for organisations available
– ISO/IEC 27001:2005
– BS7799 Part 2

62 ISO/IEC 17799:2005
Security Categories
– Security policy
– Organisation of information security
– Asset management
– Human resources security
– Physical and environmental security
– Communications and operations management
– Access control
– Information systems acquisition, development and maintenance
– Information security incident management
– Business continuity management
– Compliance

63 CobiT & ISO/IEC 17799:2005

64 CobiT and many others …

65 Qualitative comparison
66 Qualitative comparison
(Diagram, built up step by step over slides 66 to 74: frameworks placed on a Plan / Build / Run axis against Governance and Operative Management – COSO, TOGAF, ITIL, ISO17799, CMMI, CobiT 4.1 Core Content and CobiT 4.1 additions)

75 Gartner's Advice
Combine Cobit and ITIL for Powerful IT Governance
Strong framework tools are essential for ensuring IT resources are aligned with an enterprise's business objectives, and that services and information meet quality, fiduciary and security needs.
Bottom Line: CobiT and ITIL are not mutually exclusive and can be combined to provide a powerful IT governance, control and best-practice framework in IT service management. Enterprises that want to put their ITIL program into the context of a wider control and governance framework should use CobiT.
Source: Technical Guidelines, TG-16-1849, S. Mingay, S. Bittinger

76 Forrester's Advice
Establish frameworks to ease Governance Implementation
– First CobiT for overall governance
– Then ITIL for service delivery and management
– Then ISO 17799 for information security
– Balanced Scorecard for measurement and communication
Source: Helping Business Thrive On Technology Change, A Road Map To Comprehensive IT Governance, Craig Symons

77 Conclusion
An overall control framework should be applied for IT governance and management
A wide range of Good & Best Practices is available
CobiT is an excellent Framework
IT should not re-invent the wheel
Good & Best Practices can be integrated into CobiT
– It is possible
– It can be done
External, independent support is beneficial

78 For More Information:
Jimmy Heschl, CISA, CISM
Senior Manager
KPMG Austria
jheschl@kpmg.at
Get your IT under control! If you don't, IT will control you!

79 Questions?
Click on the questions tab on your screen, type in your question (and name if you wish) and hit send.
