
Introduction to COBIT 2019 and IT management

11 Apr 2019

  1. COBIT 2019 and IT Management – Introduction
     Christian F. Nissen, CFN Consult
     RESILIA™, ITIL®, PRINCE2®, MSP®, MoP® and MoV® are registered trade marks of AXELOS in the United Kingdom and other countries. COBIT® is a registered trademark of the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI). TOGAF™ and IT4IT™ are trademarks of The Open Group. SIAM® is a registered trademark of EXIN.
     © 2019 CFN Consult unless otherwise stated
  2. Agenda
     1. Governance of IT
     2. COBIT background
     3. COBIT and other frameworks
     4. COBIT principles
     5. COBIT goals
     6. COBIT objectives
     7. COBIT components
     8. COBIT design factors
     9. COBIT focus areas
     10. COBIT performance management
     11. Designing and implementing a governance system
  3. Assignment (Governance of IT)
     - What is the difference between "IT governance" and "IT management"?
     - What are the differences and similarities between corporate governance, IT governance, project governance, process governance, service governance, information governance and application governance?
     Time: 10 minutes
  4. Governance – an introduction: definition and object
     Definition: governance is the management of management.
     Object: an asset, seen as a system (the architecture and configuration of resources), together with its value and its lifecycle.
  5. Governance – an introduction: who and why
     Who: the owner delegates to an accountable governance body. The governance body evaluates and directs management and monitors it; management plans, does, checks and acts (operation and execution) on the asset and reports back to the governance body.
     Why: to optimize resources, maximize return on investment, optimize risk and meet stakeholder preferences.
  6. Governance – an introduction: how and what
     How: evaluate, direct, monitor.
     What is governed:
     - Principles, policies and plans (boundaries, principles, policies, decision models, strategies, plans, etc.)
     - Goals (performance and outcome goals)
     - Controls (control objectives, requirements, agreements, etc.)
     - Maturity (capability maturity, benchmarks, etc.)
     - Resources (money, etc.)
  7. Governance – an introduction: when
     The need for governance grows with the value of the asset and with the complexity of the asset (its system and lifecycle).
  8. IT governance balances conformance and performance
     Conformance: adhering to legislation, internal policies, audit requirements, etc.
     Performance: improving profitability, efficiency, effectiveness, growth, etc.
     Keeping the two in balance is a delicate exercise.
  9. Agenda – section 2: COBIT background
  10. COBIT
     - Originally "Control Objectives for Information and related Technology" (COBIT).
     - COBIT consists of generic goals, practices (controls), processes, organizational structures, information flows and other components for the governance and management of enterprise IT.
     - It is a reference and a set of good practices, not an off-the-shelf cure: descriptive, not prescriptive.
     - COBIT is produced and owned by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI): www.isaca.org/cobit
  11. Why COBIT 2019?
     Enterprise governance of IT enables business/IT alignment, and alignment enables value creation:
     - Benefits realization
     - Risk optimization
     - Resource optimization
  12. COBIT 2019 – Governance framework principles
     1. Based on a conceptual model
     2. Open and flexible
     3. Aligned to major standards
  13. COBIT history
     The focus of COBIT has broadened with each release: audit, control, practices, management, governance and, now, capabilities. For the latest updates on COBIT, visit www.isaca.org/cobit.
  14. COBIT 2019 – Scope
     Governance ensures that:
     - stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives;
     - direction is set through prioritization and decision making;
     - performance and compliance are monitored against agreed-on direction and objectives.
     Management plans, builds, runs and monitors activities, in alignment with the direction set by the governance body, to achieve the enterprise objectives.
  15. COBIT 2019 – Scope (figure)
  16. COBIT 2019 – Scope
     - COBIT defines the components needed to build and sustain a governance system: processes, organizational structures, policies and procedures, information flows, culture and behaviors, skills, and infrastructure.
     - COBIT addresses governance issues by grouping the relevant governance components into governance and management objectives that can be managed to the required capability levels.
     - COBIT defines the design factors an enterprise should consider to build a best-fit governance system.
  17. COBIT 2019 – Target audience: who benefits and how
     Internal stakeholders
     - Boards: insight into how to get value from the use of IT and what the board's own responsibilities are
     - Executive management: how to obtain the IT solutions the enterprise requires and how best to exploit new technology for new strategic opportunities
     - Business managers: how to organize and monitor the performance of IT across the enterprise
     - IT managers: how best to build and structure the IT department, manage the performance of IT, run an efficient and effective IT operation, control IT costs and align IT strategy to business priorities
     - Assurance providers: managing dependency on external service providers, obtaining assurance over IT and ensuring an effective and efficient system of internal controls exists
     - Risk management: ensuring all IT-related risk is identified and managed
     External stakeholders
     - Regulators: ensuring the enterprise complies with applicable rules and regulations and has the right governance system in place to manage and sustain compliance
     - Business partners: ensuring that a business partner's operations are secure, reliable and compliant with applicable rules and regulations
     - IT vendors: ensuring that an IT vendor's operations are secure, reliable and compliant with applicable rules and regulations
  18. COBIT 2019 – Overview (figure)
  19. COBIT 2019 – Product family
     - COBIT 2019 Framework: Introduction and Methodology
     - COBIT 2019 Framework: Governance and Management Objectives
     - COBIT 2019 Design Guide
     - COBIT 2019 Implementation Guide
  20. Agenda – section 3: COBIT and other frameworks
  21. Some relevant best practices, standards and regulations
     - Corporate governance: God Selskabsledelse (the Danish corporate governance recommendations), COSO; regulation: Sarbanes-Oxley (SOX)
     - IT governance: COBIT, MoV, MoP; standard: ISO/IEC 38500
     - IT management: COBIT, MoR
     - Enterprise architecture: TOGAF; standard: ISO/IEC/IEEE 42010
     - IT service management: ITIL, eTOM, VeriSM, SAFe; standards: ISO/IEC 20000, IT4IT
     - Information security and privacy: ISF Standard of Good Practice; standards: ISO/IEC 27000 series; regulations: data protection acts, GDPR
     - Quality management: Lean, EFQM, Six Sigma, testing; standard: ISO 9000
     - Process maturity: CMMI, TIPA; standard: ISO/IEC 33000
     - Project and program management: PRINCE2, MSP, PMBOK
     - Industry specific: GAMP, Basel II, Solvency II; regulations: FDA requirements
  22. COBIT and related frameworks (figure; see COBIT 5, Appendix E)
  23. Governance-related best practices and standards
     - IT Governance Institute (ISACA): Board Briefing on IT Governance; COBIT
     - Peter Weill and Jeanne W. Ross: IT Governance
     - Cabinet Office (now AXELOS): ITIL, PRINCE2, MoR, MSP, MoV, MoP, P3O, P3M3
     - ISO/IEC: ISO/IEC 38500, Corporate governance of IT
  24. ISO/IEC 38500
     - The formal international standard for IT governance
     - Published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC): www.iso.org
     - Covers six principles for IT governance: responsibility, strategy, acquisition, performance, conformance and human behavior
  25. ISO/IEC 38500 – History and ownership
     - Originally developed by Standards Australia and published as AS 8015:2005.
     - Fast-tracked through ISO/IEC and published as ISO/IEC 38500:2008 in 2008.
     - Revised as ISO/IEC 38500:2015 (second edition).
  26. ISO/IEC 38500 – The six principles (1 to 3)
     Principle 1, Responsibility: individuals and groups within the organization understand and accept their responsibilities in respect of both supply of, and demand for, IT. Those with responsibility for actions also have the authority to perform those actions.
     Principle 2, Strategy: the organization's business strategy takes into account the current and future capabilities of IT; the strategic plans for IT satisfy the current and ongoing needs of the organization's business strategy.
     Principle 3, Acquisition: IT acquisitions are made for valid reasons, on the basis of appropriate and ongoing analysis, with clear and transparent decision making. There is an appropriate balance between benefits, opportunities, costs and risks, in both the short term and the long term.
  27. ISO/IEC 38500 – The six principles (4 to 6)
     Principle 4, Performance: IT is fit for purpose in supporting the organization, providing the services, levels of service and service quality required to meet current and future business requirements.
     Principle 5, Conformance: the use of IT complies with all mandatory legislation and regulations. Policies and practices are clearly defined, implemented and enforced.
     Principle 6, Human behavior: IT policies, practices and decisions demonstrate respect for human behavior, including the current and evolving needs of all the "people in the process".
  28. Governance activities according to ISO/IEC 38500
     - Evaluate: the current and future use of IT
     - Direct: the preparation and implementation of plans and policies
     - Monitor: conformance to policies and performance against plans
  29. Agenda – section 4: COBIT principles
  30. COBIT 2019 – Six governance system principles
     1. Provide stakeholder value
     2. Holistic approach
     3. Dynamic governance system
     4. Governance distinct from management
     5. Tailored to enterprise needs
     6. End-to-end governance system
  31. Agenda – section 5: COBIT goals
  32. COBIT 2019 – Goals cascade
     Stakeholder drivers and needs cascade to enterprise goals, which cascade to alignment goals, which cascade to governance and management objectives.
  33. COBIT 2019 – Enterprise goals (by balanced scorecard dimension)
     Financial
     - EG01 Portfolio of competitive products and services
     - EG02 Managed business risk
     - EG03 Compliance with external laws and regulations
     - EG04 Quality of financial information
     Customer
     - EG05 Customer-oriented service culture
     - EG06 Business-service continuity and availability
     - EG07 Quality of management information
     Internal
     - EG08 Optimization of internal business process functionality
     - EG09 Optimization of business process costs
     - EG10 Staff skills, motivation and productivity
     - EG11 Compliance with internal policies
     Learning and growth
     - EG12 Managed digital transformation programs
     - EG13 Product and business innovation
  34. COBIT 2019 – Alignment goals (by balanced scorecard dimension)
     Financial
     - AG01 IT compliance and support for business compliance with external laws and regulations
     - AG02 Managed IT-related risk
     - AG03 Realized benefits from IT-enabled investments and services portfolio
     - AG04 Quality of technology-related financial information
     Customer
     - AG05 Delivery of I&T services in line with business requirements
     - AG06 Agility to turn business requirements into operational solutions
     Internal
     - AG07 Security of information, processing infrastructure and applications, and privacy
     - AG08 Enabling and supporting business processes by integrating applications and technology
     - AG09 Delivery of programs on time, on budget and meeting requirements and quality standards
     - AG10 Quality of IT management information
     - AG11 IT compliance with internal policies
     Learning and growth
     - AG12 Competent and motivated staff with mutual understanding of technology and business
     - AG13 Knowledge, expertise and initiatives for business innovation
  35. COBIT 2019 – Mapping enterprise goals to alignment goals (figure)
  36. COBIT 2019 – Mapping alignment goals to governance and management objectives (figure)
  37. Agenda – section 6: COBIT objectives
  38. COBIT 2019 – Objectives
     - For information and technology to contribute to enterprise goals, a number of governance and management objectives (i.e. capabilities) must be achieved.
     - A governance or management objective always relates to one process and to a series of related components of other types that help achieve the objective.
  39. COBIT 2019 – Objectives
     COBIT 2019 defines 5 governance objectives and 35 management objectives, covering 231 governance and management practices (controls), in five domains:
     - Evaluate, Direct and Monitor (EDM): governance
     - Align, Plan and Organize (APO): management
     - Build, Acquire and Implement (BAI): management
     - Deliver, Service and Support (DSS): management
     - Monitor, Evaluate and Assess (MEA): management
  40. COBIT 2019 – Core model: 40 objectives (figure)
  41. COBIT 2019 – Core model: EDM and APO
     EDM01 Ensured Governance Framework Setting and Maintenance
     EDM02 Ensured Benefits Delivery
     EDM03 Ensured Risk Optimization
     EDM04 Ensured Resource Optimization
     EDM05 Ensured Stakeholder Engagement
     APO01 Managed I&T Management Framework
     APO02 Managed Strategy
     APO03 Managed Enterprise Architecture
     APO04 Managed Innovation
     APO05 Managed Portfolio
     APO06 Managed Budget and Costs
     APO07 Managed Human Resources
     APO08 Managed Relationships
     APO09 Managed Service Agreements
     APO10 Managed Vendors
     APO11 Managed Quality
     APO12 Managed Risk
     APO13 Managed Security
     APO14 Managed Data
  42. COBIT 2019 – Core model: BAI, DSS and MEA
     BAI01 Managed Programs
     BAI02 Managed Requirements Definition
     BAI03 Managed Solutions Identification and Build
     BAI04 Managed Availability and Capacity
     BAI05 Managed Organizational Change
     BAI06 Managed IT Changes
     BAI07 Managed IT Change Acceptance and Transitioning
     BAI08 Managed Knowledge
     BAI09 Managed Assets
     BAI10 Managed Configuration
     BAI11 Managed Projects
     DSS01 Managed Operations
     DSS02 Managed Service Requests and Incidents
     DSS03 Managed Problems
     DSS04 Managed Continuity
     DSS05 Managed Security Services
     DSS06 Managed Business Process Controls
     MEA01 Managed Performance and Conformance Monitoring
     MEA02 Managed System of Internal Control
     MEA03 Managed Compliance with External Requirements
     MEA04 Managed Assurance
  43. COBIT 2019 – Objective – Example (figure)
  44. Agenda – section 7: COBIT components
  45. COBIT 2019 – Components
     To satisfy the objectives, each enterprise needs to establish, tailor and sustain a governance system built from a number of components.
     - Components are factors that, individually and collectively, contribute to the good operation of the enterprise's governance system over IT.
     - Components interact with each other, resulting in a holistic governance system for IT.
     - Components can be of different types.
  46. COBIT 2019 – Component types of the governance system
     - Processes
     - Organizational structures
     - Information
     - People, skills and competences
     - Principles, policies, procedures
     - Culture, ethics and behavior
     - Services, infrastructure and applications
  47. COBIT 2019 – Processes – Example (figure)
  48. COBIT 2019 – Processes – Controls
     - Controls are statements of managerial actions taken to increase value or reduce risk.
     - They are designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented, or detected and corrected.
     - In COBIT they are called governance practices and management practices.
  49. COBIT 2019 – Processes – Control types
     - Directive controls
     - Preventive controls
     - Compensating controls
     - Detective controls
     - Corrective controls
  50. COBIT 2019 – Processes – Process-specific controls
     Example: BAI06 Managed IT Changes
     BAI06.01 Evaluate, prioritize and authorize change requests. Evaluate all requests for change to determine the impact on business processes and IT services, and to assess whether the change will adversely affect the operational environment or introduce unacceptable risk. Ensure that changes are logged, prioritized, categorized, assessed, authorized, planned and scheduled.
     BAI06.02 Manage emergency changes. Carefully manage emergency changes to minimize further incidents. Ensure the emergency change is controlled and takes place securely. Verify that emergency changes are appropriately assessed and authorized after the change.
     BAI06.03 Track and report change status. Maintain a tracking and reporting system to document rejected changes and to communicate the status of approved, in-process and completed changes. Make certain that approved changes are implemented as planned.
     BAI06.04 Close and document the changes. Whenever changes are implemented, update the solution, user documentation and procedures affected by the change.
  51. ISO/IEC 20000-1:2011 – Requirements, 9.2 Change management (the same topic as BAI06, stated as a certifiable requirement; the clause numbering is that of the 2011 edition, which has since been superseded by ISO/IEC 20000-1:2018)
     A change management policy shall be established that defines:
     a) CIs which are under the control of change management;
     b) criteria to determine changes with potential to have a major impact on services or the customer.
     Removal of a service shall be classified as a change to a service with the potential to have a major impact. Transfer of a service from the service provider to the customer or a different party shall be classified as a change with potential to have a major impact.
     There shall be a documented procedure to record, classify, assess and approve requests for change.
     The service provider shall document and agree with the customer the definition of an emergency change. There shall be a documented procedure for managing emergency changes.
     All changes to a service or service component shall be raised using a request for change. Requests for change shall have a defined scope.
     . . .
  52. ISO/IEC 27002:2013 – Requirements, 12.1.2 Change management (in ISO/IEC 27002:2022 this control was renumbered 8.32)
     Control: changes to the organization, business processes, information processing facilities and systems that affect information security should be controlled.
     Implementation guidance. In particular, the following items should be considered:
     a) identification and recording of significant changes;
     b) planning and testing of changes;
     c) assessment of the potential impacts, including information security impacts, of such changes;
     d) formal approval procedure for proposed changes;
     e) verification that information security requirements have been met;
     f) communication of change details to all relevant persons;
     g) fall-back procedures, including procedures and responsibilities for aborting and recovering from unsuccessful changes and unforeseen events;
     h) provision of an emergency change process to enable quick and controlled implementation of changes needed to resolve an incident.
     Formal management responsibilities and procedures should be in place to ensure satisfactory control of all changes. When changes are made, an audit log containing all relevant information should be retained.
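The practices quoted on the last three slides (BAI06.01 to BAI06.04, ISO/IEC 20000-1 clause 9.2 and ISO/IEC 27002 control 12.1.2) are control statements; the audit log that 12.1.2 asks for is what an auditor or a detection engineer checks them against. The Python below is an added example, not code from this deck, from ISACA or from ISO: it audits a constructed change log for deviations from the quoted requirements (unassessed or unauthorized changes, requester approving their own change, emergency changes never authorized after the fact, rejected changes that reached production, missing fall-back plans, closed changes without documentation updates). The record schema, the 24-hour window for retrospective authorization of emergency changes and the sample records are assumptions made for the example.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumption: the window within which an emergency change must be authorized
# after the fact (BAI06.02). COBIT gives no figure; this is a policy choice.
EMERGENCY_AUTHORIZATION_WINDOW = timedelta(hours=24)

CATEGORIES = {"standard", "normal", "emergency"}
LIVE_STATES = {"approved", "implemented", "closed"}   # change has passed approval


@dataclass
class ChangeRecord:
    """One row of a change log (assumed schema for this example, not COBIT's)."""
    change_id: str
    requester: str
    category: str                       # standard / normal / emergency
    status: str                         # open / approved / rejected / implemented / closed
    impact_assessed: bool               # BAI06.01: impact and risk assessment done
    priority: Optional[str]             # BAI06.01: prioritized
    fallback_plan: bool                 # ISO/IEC 27002:2013 12.1.2 g)
    approver: Optional[str] = None
    approved_at: Optional[datetime] = None
    implemented_at: Optional[datetime] = None
    docs_updated: bool = False          # BAI06.04


def audit_change(c: ChangeRecord) -> list[str]:
    """Return the control deviations found in one change record (empty = clean)."""
    findings: list[str] = []

    # BAI06.01: every change is categorized, prioritized, assessed and authorized.
    if c.category not in CATEGORIES:
        findings.append("BAI06.01: change not categorized")
    if c.priority is None:
        findings.append("BAI06.01: change not prioritized")
    if not c.impact_assessed and c.status != "open":
        findings.append("BAI06.01: impact and risk assessment missing")
    if c.status in LIVE_STATES and c.approver is None and c.category != "emergency":
        findings.append("BAI06.01: change progressed without authorization")
    if c.approver is not None and c.approver == c.requester:
        findings.append("BAI06.01: requester authorized own change (no segregation of duties)")

    if c.implemented_at is not None:
        if c.category == "emergency":
            # BAI06.02: emergency changes are authorized after the change, within the window.
            if c.approved_at is None:
                findings.append("BAI06.02: emergency change never authorized after the fact")
            elif c.approved_at - c.implemented_at > EMERGENCY_AUTHORIZATION_WINDOW:
                findings.append("BAI06.02: emergency change authorized outside the agreed window")
        elif c.approved_at is not None and c.approved_at > c.implemented_at:
            # Non-emergency changes are authorized before implementation.
            findings.append("BAI06.01: change implemented before authorization")

    # BAI06.03: rejected changes are tracked and must not reach production.
    if c.status == "rejected" and c.implemented_at is not None:
        findings.append("BAI06.03: rejected change was implemented")

    # ISO/IEC 27002:2013 12.1.2 g): a fall-back procedure exists for unsuccessful changes.
    if c.status in LIVE_STATES and not c.fallback_plan:
        findings.append("ISO/IEC 27002 12.1.2 g): no fall-back procedure recorded")

    # BAI06.04: closing a change includes updating the affected documentation.
    if c.status == "closed" and not c.docs_updated:
        findings.append("BAI06.04: change closed without updating affected documentation")

    return findings


def audit_log(records: list[ChangeRecord]) -> dict[str, list[str]]:
    """Audit a whole change log; returns only the records that have findings."""
    result: dict[str, list[str]] = {}
    for rec in records:
        deviations = audit_change(rec)
        if deviations:
            result[rec.change_id] = deviations
    return result


# Constructed sample change log for the example (not real data).
T0 = datetime(2019, 4, 11, 9, 0)
SAMPLE_CHANGES = [
    ChangeRecord("CHG-1001", "alice", "normal", "closed", True, "medium", True,
                 approver="bob", approved_at=T0, implemented_at=T0 + timedelta(days=1),
                 docs_updated=True),
    ChangeRecord("CHG-1002", "carol", "emergency", "implemented", True, "high", True,
                 approver="bob", approved_at=T0 + timedelta(hours=3), implemented_at=T0),
    ChangeRecord("CHG-1003", "dave", "normal", "implemented", True, "low", True,
                 approver="dave", approved_at=T0 + timedelta(hours=2), implemented_at=T0),
    ChangeRecord("CHG-1004", "erin", "emergency", "closed", False, None, False,
                 implemented_at=T0),
    ChangeRecord("CHG-1005", "frank", "normal", "rejected", True, "medium", False,
                 implemented_at=T0),
    ChangeRecord("CHG-1006", "gina", "emergency", "implemented", True, "high", True,
                 approver="bob", approved_at=T0 + timedelta(hours=48), implemented_at=T0),
]

if __name__ == "__main__":
    for change_id, deviations in audit_log(SAMPLE_CHANGES).items():
        print(change_id)
        for d in deviations:
            print("  -", d)
```

Each finding is tagged with the practice or clause it relates to, so the output maps directly back to the control statements on the slides and can be used as evidence in a MEA02 (system of internal control) review. In practice the records would be pulled from the change-management tool rather than constructed inline.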
  53. Compliance requirements
     - Security standards
     - Privacy legislation
     - Spam legislation
     - Trade practices legislation
     - Intellectual property rights, including software licensing agreements
     - Record-keeping requirements
     - Environmental legislation and regulations
     - Health and safety legislation
     - Accessibility legislation
     - Social responsibility standards
     - . . .
  54. Mapping compliance requirements
     Requirements from different external sources are mapped into one internal control hierarchy, held in a control objective database: control objective, policy, process, procedure, work instructions and roles. Example of three requirements on the same topic (assets and configuration items):
     - ISO/IEC 27000 series, 7.1 (numbering of the 2005 edition): owners should be identified for all assets and the responsibility for the maintenance of appropriate controls should be assigned . . .
     - ISO/IEC 20000-1, 9.1: configuration management shall provide information to the change management process on the impact of a requested change on the service and infrastructure configurations . . .
     - COBIT BAI10.03: maintain an up-to-date repository of configuration items (CIs) by populating any configuration changes . . .
  55. COBIT 2019 – Organizational structures – Example (figure)
  56. COBIT 2019 – Information – Example (figure)
  57. COBIT 2019 – People, skills and competences – Example
     The people, skills and competencies component identifies the human resources and skills required to achieve the governance or management objective. COBIT 2019 bases this guidance on the Skills Framework for the Information Age (SFIA®), version 6. All listed skills are described in detail in the SFIA framework; the detailed reference provides a unique code that correlates to the SFIA guidance on the skill.
  58. COBIT 2019 – Policies and procedures – Example (figure)
  59. COBIT 2019 – Culture, ethics and behavior – Example (figure)
  60. COBIT 2019 – Services, infrastructure and applications – Example (figure)
  61. Agenda – section 8: COBIT design factors
  62. COBIT 2019 – Design factors
     Design factors are factors that can influence the design of an enterprise's governance system and position it for success in the use of IT. They include any combination of the following:
     1. Enterprise strategy
     2. Enterprise goals
     3. Risk profile
     4. IT-related issues
     5. Threat landscape
     6. Compliance requirements
     7. Role of IT
     8. Sourcing model for IT
     9. IT implementation methods
     10. Technology adoption strategy
     11. Enterprise size
  63. COBIT 2019 – Design factor 1: Enterprise strategy
     Organizations typically have a primary strategy and, at most, one secondary strategy. Strategies can be expressed as one or more of the following archetypes:
     - Growth/Acquisition: the enterprise has a focus on growing (revenues)
     - Innovation/Differentiation: the enterprise has a focus on offering different and/or innovative products and services to its clients
     - Cost leadership: the enterprise has a focus on short-term cost minimization
     - Client service/Stability: the enterprise has a focus on providing stable and client-oriented service
  64. COBIT 2019 – Design factor 2: Enterprise goals supporting the enterprise strategy
     Financial
     - EG01 Portfolio of competitive products and services
     - EG02 Managed business risk
     - EG03 Compliance with external laws and regulations
     - EG04 Quality of financial information
     Customer
     - EG05 Customer-oriented service culture
     - EG06 Business-service continuity and availability
     - EG07 Quality of management information
     Internal
     - EG08 Optimization of internal business process functionality
     - EG09 Optimization of business process costs
     - EG10 Staff skills, motivation and productivity
     - EG11 Compliance with internal policies
     Learning and growth
     - EG12 Managed digital transformation programs
     - EG13 Product and business innovation
  65. COBIT 2019 – Design factor 3: Risk profile of the enterprise
     The risk profile is assessed across these IT risk scenario categories:
     1. IT investment decision making, portfolio definition and maintenance
     2. Program and project life cycle management
     3. IT cost and oversight
     4. IT expertise, skills and behavior
     5. Enterprise/IT architecture
     6. IT operational infrastructure incidents
     7. Unauthorized actions
     8. Software adoption/usage problems
     9. Hardware incidents
     10. Software failures
     11. Logical attacks (hacking, malware, etc.)
     12. Third-party/supplier incidents
     13. Noncompliance
     14. Geopolitical issues
     15. Industrial action
     16. Acts of nature
     17. Technology-based innovation
     18. Environmental
     19. Data and information management
  66. COBIT 2019 – Design factor 4: IT-related issues (most common issues, A to M)
     A. Frustration between different IT entities across the organization because of a perception of low contribution to business value
     B. Frustration between business departments (i.e. the IT customer) and the IT department because of failed initiatives or a perception of low contribution to business value
     C. Significant I&T-related incidents, such as data loss, security breaches, project failure and application errors, linked to IT
     D. Service delivery problems by the IT outsourcer(s)
     E. Failures to meet IT-related regulatory or contractual requirements
     F. Regular audit findings or other assessment reports about poor IT performance or reported IT quality or service problems
     G. Substantial hidden and rogue IT spending, that is, I&T spending by user departments outside the control of the normal I&T investment decision mechanisms and approved budgets
     H. Duplications or overlaps between various initiatives, or other forms of wasted resources
     I. Insufficient IT resources, staff with inadequate skills, or staff burnout/dissatisfaction
     J. IT-enabled changes or projects frequently failing to meet business needs and delivered late or over budget
     K. Reluctance by board members, executives or senior management to engage with IT, or a lack of committed business sponsorship for IT
     L. Complex IT operating model and/or unclear decision mechanisms for IT-related decisions
     M. Excessively high cost of IT
  67. COBIT 2019 – Design factor 4: IT-related issues (continued, N to T)
     N. Obstructed or failed implementation of new initiatives or innovations caused by the current IT architecture and systems
     O. Gap between business and technical knowledge, which leads to business users and information and/or technology specialists speaking different languages
     P. Regular issues with data quality and integration of data across various sources
     Q. High level of end-user computing, creating (among other problems) a lack of oversight and quality control over the applications that are being developed and put in operation
     R. Business departments implementing their own information solutions with little or no involvement of the enterprise IT department (related to end-user computing, which often stems from dissatisfaction with IT solutions and services)
     S. Ignorance of and/or noncompliance with privacy regulations
     T. Inability to exploit new technologies or innovate using I&T
  68. COBIT 2019 – Design factor 5: Threat landscape under which the enterprise operates
     - Normal: the enterprise is operating under what are considered normal threat levels.
     - High: due to its geopolitical situation, industry sector or particular profile, the enterprise is operating in a high-threat environment.
  69. COBIT 2019 – Design factor 6: Compliance requirements to which the enterprise is subject
     - Low compliance requirements: the enterprise is subject to a minimal set of regular compliance requirements, lower than average.
     - Normal compliance requirements: the enterprise is subject to a set of regular compliance requirements that are common across different industries.
     - High compliance requirements: the enterprise is subject to higher-than-average compliance requirements, most often related to its industry sector or geopolitical conditions.
  70. COBIT 2019 – Design factor 7: Role of IT for the enterprise
     - Support: IT is not crucial for the running and continuity of the business processes and services, nor for their innovation.
     - Factory: when IT fails, there is an immediate impact on the running and continuity of the business processes and services; IT is, however, not seen as a driver for innovating business processes and services.
     - Turnaround: IT is seen as a driver for innovating business processes and services; at this moment, however, there is no critical dependency on IT for the current running and continuity of the business processes and services.
     - Strategic: IT is critical for both running and innovating the organization's business processes and services.
  71. COBIT 2019 – Design factor 8: Sourcing model for IT that the enterprise adopts
     - Outsourcing: the enterprise calls upon the services of a third party to provide IT services.
     - Cloud: the enterprise maximizes the use of the cloud for providing IT services to its users.
     - Insourced: the enterprise provides its own IT staff and services.
     - Hybrid: a mixed model is applied, combining the other three models in varying degrees.
  72. COBIT 2019 – Design factor 9: IT implementation methods that the enterprise adopts
     - Agile: the enterprise uses Agile development working methods for its software development.
     - DevOps: the enterprise uses DevOps working methods for software building, deployment and operations.
     - Traditional: the enterprise uses a more classic approach to software development (waterfall) and separates software development from operations.
     - Hybrid: the enterprise uses a mix of traditional and modern IT implementation, often referred to as "bimodal IT".
  73. COBIT 2019 – Design factor 10: Technology adoption strategy
     - First mover: the enterprise generally adopts new technologies as early as possible and tries to gain first-mover advantage.
     - Follower: the enterprise typically waits for new technologies to become mainstream and proven before adopting them.
     - Slow adopter: the enterprise is very late with the adoption of new technologies.
  74. COBIT 2019 – Design factor 11: Enterprise size
     - Large enterprise (default): more than 250 full-time employees (FTEs)
     - Small and medium enterprise: 50 to 250 FTEs
  75. COBIT 2019 – Design factors: COBIT 2019 Governance System Design Workbook canvas (figure)
  76. Agenda – section 9: COBIT focus areas
77. COBIT 2019 – Focus areas. A focus area describes a certain governance topic, domain or issue that can be addressed by a collection of governance and management objectives and their components.
• Examples of focus areas include: small and medium enterprises, cybersecurity, digital transformation, cloud computing, privacy, and DevOps.
• Focus areas may contain a combination of generic governance components and variants.
• The number of focus areas is virtually unlimited. That is what makes COBIT open-ended.
78. Agenda (next: 10. COBIT Performance management)
79. COBIT 2019 – Performance management. The COBIT Performance Management (CPM) model largely aligns to the CMMI® Development concepts:
• Process activities are associated with capability levels included in the Governance and Management Objectives guide.
• Other governance and management component types (e.g., organizational structures, information) may also have capability levels defined for them in future guidance.
• Maturity levels are associated with focus areas (i.e., a collection of governance and management objectives and underlying components) and will be achieved if all required capability levels are achieved.
80. COBIT 2019 – Performance management. Capability and maturity levels (figure: Maturity; Capability of processes; Capability of other types of governance and management components).
81. COBIT 2019 – Performance management. Capability levels for processes:
• Level 0 – Lack of any basic capability; incomplete approach to address the governance and management purpose; may or may not be meeting the intent of any process practices.
• Level 1 – The process more or less achieves its purpose through the application of an incomplete set of activities that can be characterized as initial or intuitive—not very organized.
• Level 2 – The process achieves its purpose through the application of a basic, yet complete, set of activities that can be characterized as performed.
• Level 3 – The process achieves its purpose in a much more organized way using organizational assets. Processes typically are well defined.
• Level 4 – The process achieves its purpose, is well defined, and its performance is (quantitatively) measured.
• Level 5 – The process achieves its purpose, is well defined, its performance is measured to improve performance, and continuous improvement is pursued.
82. COBIT 2019 – Performance management. The COBIT core model assigns capability levels to all process activities, enabling clear definition of the processes and required activities for achieving the different capability levels.
83. COBIT 2019 – Performance management. COBIT also provides guidance for how to assign capability levels for the other governance and management component types, such as:
• Organizational structures,
• Information, and
• Culture and behavior.
84. COBIT 2019 – Performance management. Maturity levels for focus areas:
• Level 0 – Incomplete: Work may or may not be completed toward achieving the purpose of governance and management objectives in the focus area.
• Level 1 – Initial: Work is completed, but the full goal and intent of the focus area are not yet achieved.
• Level 2 – Managed: Planning and performance measurement take place, although not yet in a standardized way.
• Level 3 – Defined: Enterprise-wide standards provide guidance across the enterprise.
• Level 4 – Quantitative: The enterprise is data driven, with quantitative performance improvement.
• Level 5 – Optimizing: The enterprise is focused on continuous improvement.
85. Agenda (next: 11. Designing and implementing a governance system)
86. COBIT 2019 – Governance System Design Workflow (figure).
87. COBIT 2019 – Implementation Road Map. There are seven phases that comprise the COBIT implementation approach:
1. What are the drivers?
2. Where are we now?
3. Where do we want to be?
4. What needs to be done?
5. How do we get there?
6. Did we get there?
7. How do we keep the momentum going?
88. COBIT 2019 – Design vs. Implementation. Connection points between the COBIT Design Guide and the COBIT Implementation Guide:
COBIT Implementation Guide – COBIT Design Guide
• Phase 1—What are the drivers? (Continuous improvement [CI] tasks) – Step 1—Understand the enterprise context and strategy.
• Phase 2—Where are we now? (CI tasks) – Step 2—Determine the initial scope of the governance system; Step 3—Refine the scope of the governance system; Step 4—Conclude the governance system design.
• Phase 3—Where do we want to be? (CI tasks) – Step 4—Conclude the governance system design.
89. COBIT 2019 – Overview (figure). Conclusion.
90. Questions and comments. Conclusion.
91. Contact: Christian F. Nissen, cfn@cfnconsult.dk, +45 40 19 41 45. CFN Consult ApS, Nysoevang 15A, DK-2750 Ballerup. CVR: 39 36 47 86.