Cobit presentation
- 1. The explanation of the COBIT®
framework in this PowerPoint
presentation is designed for use by
professors whose classes cover
topics such as:
•Information systems management
•Information security management
•Auditing
•Information systems auditing
•Accounting information systems
IT Governance Using COBIT® and Val IT™: Presentation, 2nd Edition
© 2007 IT Governance Institute. All rights reserved. www.itgi.org 1
- 2. Disclaimer
The IT Governance Institute™ (ITGI™) and the author of IT Governance
Using COBIT® and Val IT™: Presentation, 2nd Edition, have designed
the publication primarily as an educational resource for educators.
ITGI, ISACA® and the authors make no claim that use of this product
will assure a successful outcome. The publication should not be
considered inclusive of all proper procedures and tests or exclusive
of other procedures and tests that are reasonably directed to
obtaining the same results. In determining the propriety of any
specific procedure or test, controls professionals should apply their
own professional judgement to the specific control circumstances
presented by the particular systems or IT environment. Note this
publication is an update of COBIT in Academia: COBIT Presentation
Package.
- 3. Disclosure
© 2007 IT Governance Institute. All rights reserved. This
publication is intended solely for academic use and shall not be
used in any other manner (including for any commercial purpose).
Reproductions of selections of this publication are permitted
solely for the use described above and must include the following
copyright notice and acknowledgement: ‘Copyright © 2007 IT
Governance Institute. All rights reserved. Reprinted by
permission.’ IT Governance Using COBIT® and Val IT™:
Presentation, 2nd Edition, may not otherwise be used, copied or
reproduced, in any form by any means (electronic, mechanical,
photocopying, recording or otherwise), without the prior written
permission of ITGI. Any modification, distribution, performance,
display, transmission or storage, in any form by any means
(electronic, mechanical, photocopying, recording or otherwise) of
IT Governance Using COBIT® and Val IT™: Presentation, 2nd Edition,
is strictly prohibited. No other right or permission is granted with
respect to this work.
IT Governance Using COBIT® and Val IT™: Presentation, 2nd Edition
ISBN 978-1-60420-029-4
- 4. Acknowledgements
Researcher
– Ed O’Donnell, University of Kansas, USA
Contributors
– Roger Stephen Debreceny, Ph.D., FCPA, University of Hawaii, USA
– Steven DeHaes, University of Antwerp Management School, Belgium
– Erik Guldentops, CISA, CISM, University of Antwerp Management
School, Belgium
– Robert Parker, CISA, CA, CMC, FCA, Canada
– V. Sambamurthy, Ph.D., Michigan State University, USA
– Scott Lee Summers, Ph.D., Brigham Young University, USA
– John Thorp, The Thorp Network, Canada
– Wim Van Grembergen, Ph.D., University of Antwerp Management
School, Belgium
– Ramesh Venkataraman, Ph.D., Indiana University, USA
- 5. This presentation
includes...
Driving forces for IT governance and
Control Objectives for Information and
related Technology (COBIT®)
An introduction to:
• The COBIT framework
• COBIT supporting materials
An explanation of where COBIT fits with
other frameworks and standards
- 7. Forces Driving IT Governance
• Business/IT alignment
• Compliance
• ROI
• Project execution
• Security
- 8. IT Governance Needs a Management Framework
Driving forces map onto the IT governance domains:
• Strategic alignment
• Value delivery
• Risk management
• Resource management
• Performance measurement
- 9. COBIT 4.1—The IT Governance Framework
COBIT: a best practices repository for IT processes, IT management processes and IT governance processes. The only IT management and control framework that covers the end-to-end IT life cycle.
• Internationally accepted good practices
• Management-oriented
• Supported by tools and training
• Freely available at www.itgi.org
• Sharing knowledge and leveraging expert volunteers
• Continually evolving
• Maintained by a reputable not-for-profit organisation
• Maps 100 percent to COSO
• Maps strongly to all major related standards
- 10. COBIT 4.1—The IT Governance Framework
COBIT is a reference and a set of best practices, not an ‘off-the-shelf’ cure.
Enterprises still need to analyse their control requirements and customise based on:
• Value drivers
• Risk profile
• IT infrastructure, organisation and project portfolio
(COBIT: a best practices repository for IT processes, IT management processes and IT governance processes.)
- 11. Key Driving Forces for COBIT
IT Resources (the resources made available to, and built up by, IT):
• Data
• Application systems
• Technology
• Facilities
• People
IT Processes (how IT is organised to respond to the requirements):
• Plan and Organise
• Acquire and Implement
• Deliver and Support
• Monitor and Evaluate
Business Requirements (what the stakeholders expect from IT):
• Effectiveness
• Efficiency
• Confidentiality
• Integrity
• Availability
• Compliance
• Information reliability
- 12. How Does COBIT Link to IT Governance?
Business Requirements (the information the business needs to achieve its objectives) are linked to IT Governance (the information the executives and board need to exercise their responsibilities) through:
• Direction and requirements
• Resourcing
• Control objectives
• Goals
• Responsibilities
- 13. An Overview of COBIT
- 14. Process Orientation
Business Requirements, IT Processes, IT Resources
• Domains: natural grouping of processes, often matching an organisational domain of responsibility
• Processes: a series of joined activities with natural control breaks
• Activities or Tasks: actions needed to achieve a measurable result—activities have a life cycle, whereas tasks are discrete
- 15. Process Orientation
Business Requirements, IT Processes, IT Resources
IT Domains (natural grouping of processes, often matching an organisational domain of responsibility):
• Plan and Organise
• Acquire and Implement
• Deliver and Support
• Monitor and Evaluate
IT Processes (a series of joined activities with natural (control) breaks):
• IT strategy
• Computer operations
• Incident handling
• Acceptance testing
• Change management
• Contingency planning
• Problem management
Activities (actions needed to achieve a measurable result—activities have a life cycle, whereas tasks are discrete):
• Record new problem.
• Analyse.
• Propose solution.
• Monitor solution.
• Record known problem.
• Etc. …
- 16. Process Orientation
Plan and Organise
Description
This domain covers strategy and tactics, and concerns the identification of the way IT can best contribute to the achievement of the business objectives. The realisation of the strategic vision needs to be planned, communicated and managed for different perspectives. Proper organisation and technological infrastructure must be put in place.
Topics
• Strategy and tactics
• Vision planned
• Organisation and infrastructure
Questions
• Are IT and the business strategy aligned?
• Is the enterprise achieving optimum use of its resources?
• Does everyone in the organisation understand the IT objectives?
• Are IT risks understood and being managed?
• Is the quality of IT systems appropriate for business needs?
- 17. Waterfall Model
The control of IT Processes that satisfy Business Requirements is enabled by Control Statements considering Control Practices.
4 Domains - 34 Processes - 210 Control Objectives
- 18. COBIT Framework
Business Objectives / Criteria
• Effectiveness
• Efficiency
• Confidentiality
• Integrity
• Availability
• Compliance
• Reliability
IT Resources
• Data
• Application systems
• Technology
• Facilities
• People
IT Life Cycle
• Plan and Organise
• Acquire and Implement
• Deliver and Support
• Monitor and Evaluate
- 19. COBIT Processes
Plan and Organise
PO1 Define an IT strategic plan.
PO2 Define the information architecture.
PO3 Determine technological direction.
PO4 Define the IT processes, organisation and relationships.
PO5 Manage the IT investment.
PO6 Communicate management aims and direction.
PO7 Manage IT human resources.
PO8 Manage quality.
PO9 Assess and manage IT risks.
PO10 Manage projects.
Acquire and Implement
AI1 Identify automated solutions.
AI2 Acquire and maintain application software.
AI3 Acquire and maintain technology infrastructure.
AI4 Enable operation and use.
AI5 Procure IT resources.
AI6 Manage changes.
AI7 Install and accredit solutions and changes.
- 20. COBIT Processes
Deliver and Support
DS1 Define and manage service levels.
DS2 Manage third-party services.
DS3 Manage performance and capacity.
DS4 Ensure continuous service.
DS5 Ensure systems security.
DS6 Identify and allocate costs.
DS7 Educate and train users.
DS8 Manage service desk and incidents.
DS9 Manage the configuration.
DS10 Manage problems.
DS11 Manage data.
DS12 Manage the physical environment.
DS13 Manage operations.
Monitor and Evaluate
ME1 Monitor and evaluate IT performance.
ME2 Monitor and evaluate internal control.
ME3 Ensure compliance with external requirements.
ME4 Provide IT governance.
- 21. Processes in the
Student Book
The following processes are included in the
Student Book, 2nd Edition:
DS2 Manage third-party services.
PO9 Assess and manage IT risks.
AI2 Acquire and maintain application software.
DS5 Ensure systems security.
ME2 Monitor and evaluate internal control.
DS2 is used as an example in the Student Book,
2nd Edition, and the following slides use DS2 to
illustrate the related COBIT information for a
process.
- 22. Navigating in COBIT
DS2 Process Level: Information Criteria, Waterfall, IT Governance, IT Resources
- 26. DS2 Maturity Model
DS2 Manage Third-party Services
Management of the process Manage third-party services that satisfies the business requirement for IT of providing
satisfactory third-party services whilst being transparent about benefits, costs and risks is:
0 Non-existent when
Responsibilities and accountabilities are not defined. There are no formal policies and procedures regarding
contracting with third parties. Third-party services are neither approved nor reviewed by management. There are
no measurement activities and no reporting by third parties. In the absence of a contractual obligation for
reporting, senior management is not aware of the quality of the service delivered.
1 Initial/Ad Hoc when
Management is aware of the need to have documented policies and procedures for third-party management,
including signed contracts. There are no standard terms of agreement with service providers. Measurement of the
services provided is informal and reactive. Practices are dependent on the experience (e.g., on demand) of the
individual and the supplier.
2 Repeatable but Intuitive when
The process for overseeing third-party service providers, associated risks and the delivery of services is informal. A
signed, pro forma contract is used with standard vendor terms and conditions (e.g., the description of services to be
provided). Reports on the services provided are available, but do not support business objectives.
- 27. DS2 Maturity Model
cont.
3 Defined when
Well-documented procedures are in place to govern third-party services, with clear processes for vetting and
negotiating with vendors. When an agreement for the provision of services is made, the relationship with the third
party is purely a contractual one. The nature of the services to be provided is detailed in the contract and includes
legal, operational and control requirements. The responsibility for oversight of third-party services is assigned.
Contractual terms are based on standardised templates. The business risk associated with the third-party services is
assessed and reported.
4 Managed and Measurable when
Formal and standardised criteria are established for defining the terms of engagement, including scope of work,
services/deliverables to be provided, assumptions, schedule, costs, billing arrangements and responsibilities.
Responsibilities for contract and vendor management are assigned. Vendor qualifications, risks and capabilities are
verified on a continual basis. Service requirements are defined and linked to business objectives. A process exists to
review service performance against contractual terms, providing input to assess current and future third-party
services. Transfer pricing models are used in the procurement process. All parties involved are aware of service, cost
and milestone expectations. Agreed-upon goals and metrics for the oversight of service providers exist.
5 Optimised when
Contracts signed with third parties are reviewed periodically at predefined intervals. The responsibility for managing
suppliers and the quality of the services provided is assigned. Evidence of contract compliance to operational, legal
and control provisions is monitored, and corrective action is enforced. The third party is subject to independent
periodic review, and feedback on performance is provided and used to improve service delivery. Measurements vary in
response to changing business conditions. Measures support early detection of potential problems with third-party
services. Comprehensive, defined reporting of service level achievement is linked to the third-party compensation.
Management adjusts the process of third-party service acquisition and monitoring based on the measures.
- 28. Control Practices
COBIT Control Practices, 2nd Edition
Detailed guidance on each of the control
objectives
Management-oriented
From three to 12 control practices per
control objective
- 31. IT Assurance Guide
IT Assurance Guide: Using COBIT
Detailed guidance to support assurance
practitioners in:
• Financial statement audit
• Internal audit
• Value for money
• Operational improvement
Guidance on:
• How to leverage COBIT for assurance
• Detailed assurance testing steps
- 33. DS2 Assurance Steps cont.
- 34. Implementation Guide, 2nd Edition
IT Governance Implementation Guide,
2nd Edition
Detailed, structured guidance to the
implementation of IT governance
Generic IT governance implementation
guidance, not just COBIT
- 35. Where COBIT Typically Sits
• Governance layer: COSO, King
• Management layer: COBIT
• IT layer: ITIL, 17799, CMM, TickIT
Editor's notes
- Return on Investment (ROI)