SlideShare utilise les cookies pour améliorer les fonctionnalités et les performances, et également pour vous montrer des publicités pertinentes. Si vous continuez à naviguer sur ce site, vous acceptez l’utilisation de cookies. Consultez nos Conditions d’utilisation et notre Politique de confidentialité.
SlideShare utilise les cookies pour améliorer les fonctionnalités et les performances, et également pour vous montrer des publicités pertinentes. Si vous continuez à naviguer sur ce site, vous acceptez l’utilisation de cookies. Consultez notre Politique de confidentialité et nos Conditions d’utilisation pour en savoir plus.
Process Capability Assessment replaces Capabilities Maturity Model PCA is an all or nothing process, that then grades success AFTER implementation success. UNTIL implementation success the process is not achieved, partially achieved, largely achieved and finally Fully achieved.
Finally! An excellent definition of Governance
Governance ensures that stakeholder needs, conditions and options are evaluated to determine balanced,agreed-on enterprise objectives to be achieved; setting direction through prioritisation and decision making;and monitoring performance and compliance against agreed-on direction and objectives. – COBIT 5 definition
Relationships with other enablers—Links between processes and the other enabler categories exist through the following relationships: IT steering committee, enterprise risk committee, board, audit, chief information officer (CIO), chief executive etc.. Culter etc…
The Business model for information security
The process reference model is required for evaluation. In short the process must be documented to count as performed. not achieved, partially achieved, largely achieved and finally Fully achieved. figure 20. In the COBIT 4.1 maturity model, a process could achieve a level 1 or 2 without fully achieving all the process’s objectives; in the COBIT 5 process capability level, this will result in a lower score of 0 or 1. The COBIT 4.1 and COBIT 5 capability scales can be considered to ‘map’ approximately as shown in figure 20. because the ISO/IEC 15504 process capability assessment approach does not require this and even prohibits this approach. Instead, the approach defines the information required in the ‘process reference model’ (the process model to be used for the assessment): – Process description, with the purpose statements – Base practices, which are the equivalent of process governance or management practices in COBIT 5 terms – Work products, which are the equivalent of the inputs and outputs in COBIT 5 terms identify in which dimensions or for which attributes there were specific weaknesses that needed improvement. This approach was used by enterprises when there was an improvement focus rather than a need to obtain one maturity number for reporting purposes. In COBIT 5 the assessment model provides a measurement scale for each capability attribute and guidance on how to apply it, so for each process an assessment can be made for each of the nine capability attributes.
Cobit 5 used in an information security review
COBIT 5 Used in a Security Review
John Kenneth Barchie
CISM, CRISC, CISSP
COBIT 5 Tools of the Framework
COSO for SOX
COBIT 5 Goodbye CMM
Process Optimization and
Process Control and
Work Product Management
Process Performance –
Be Careful with Ad Hoc
COBIT 5 Other tools not used in this
Mapping of Goals to Processes
Mapping of Stakeholder needs
Set up a table to show activities
COBIT 5 Reference
PCI DSS Reference
COBIT 5 recommended activity
Determine the significance of IT and its role with respect to the business.
Consider external regulations, laws and contractual obligations and determine how they
should be applied within the governance of enterprise IT.
Proactively evaluate IT risk factors in advance of pending strategic enterprise decisions
and ensure that risk-aware enterprise decisions are made.
Determine that IT use is subject to appropriate risk assessment and evaluation, as
described in relevant international and national standards
Direct the integration of the IT risk strategy and operations with the enterprise strategic
risk decisions and operations.
COBIT 5 Report Tools Used
Setting the Scope
COBIT 5 Providing the Process
COBIT 5 Documenting the Enablers
COBIT 5 Stakeholder Needs
Understand the cost of doing business
Direct and Monitor Management
COBIT 5 Advantages Page 17
The starting point of governance and management
activities are the stakeholder needs related to enterprise IT.
• Creates a more holistic, integrated and complete view
of enterprise governance and management of IT that:
- Is consistent
- Provides an end‐to‐end view on all IT‐related matters
- Provides a systemic view
• Creates a common language between IT and business for the
enterprise governance and management of IT
Thank you for your time, Questions?
John Kenneth Barchie, CISM, CRISC etc…
Sr. Security Consultant for IPI International
President of Barchie Consulting
President of (ISC)2 Silicon Valley Chapter