Presentation on IT Governance delivered for the ISACA Toronto Chapter

1. IT Governance
November, 2013

2. @CarlosChalicoT
#ISACA_ITG
2
IT Governance

3. @CarlosChalicoT
#ISACA_ITG
3
IT Governance

4. @CarlosChalicoT
#ISACA_ITG
4
IT Governance

5. @CarlosChalicoT
#ISACA_ITG
5
IT Governance

6. @CarlosChalicoT
#ISACA_ITG
6
Quote
Robert Frost
“The brain is a wonderful organ; it
starts working the moment you get up
in the morning and does not stop until
you get into the office”

7. @CarlosChalicoT
#ISACA_ITG
Carlos Chalico
CISA, CISSP, CISM, CGEIT, CRISC, ISO27000 LA,
PbD Ambassador
Ouest Business Solutions Inc.
Director Eastern Region
7
IT Governance

8. @CarlosChalicoT
#ISACA_ITG
What´s in this for you?
By the end of this session you will:
!
• Understand the concept of governance, IT
governance and its difference against IT management
• Know the advantages of defining an effective IT
Governance model
• Know some frameworks available to define IT
Governance (COBIT, ISO 38500)
8

9. @CarlosChalicoT
#ISACA_ITG
First things first
9
Title:
Elephant In The Room
Artist:
Leah Saulnier The Painting Maniac
Medium:
Painting - Oil

10. @CarlosChalicoT
#ISACA_ITG
10
Quote
“Management must manage”
Harold S. Geneen

11. @CarlosChalicoT
#ISACA_ITG
So, what does this mean?
Governance
11

12. @CarlosChalicoT
#ISACA_ITG
FromWikipedia
Governance is the act of governing. It relates to
decisions that define expectations, grant power, or
verify performance. It consists of either a separate
process or part of decision-making or leadership
processes. In modern nation-states, these processes
and systems are typically administered by a
government.
12

13. @CarlosChalicoT
#ISACA_ITG
FromWikipedia
Governance is the act of governing. It relates to
decisions that define expectations, grant power, or
verify performance. It consists of either a separate
process or part of decision-making or leadership
processes. In modern nation-states, these processes
and systems are typically administered by a
government.
13

14. @CarlosChalicoT
#ISACA_ITG
From OECD
14
Corporate governance is one key element
in improving economic efficiency and
growth as well as enhancing investor
confidence. Corporate governance involves
a set of relationships between a company’s
management, its board, its shareholders and
other stakeholders. Corporate governance
also provides the structure through which
the objectives of the company are se, and
the means of attaining those objectives and
monitoring performance are determined.
http://www.oecd.org/corporate/ca/corporategovernanceprinciples/31557724.pdf

15. @CarlosChalicoT
#ISACA_ITG
From OECD
15
Corporate governance is one key element
in improving economic efficiency and
growth as well as enhancing investor
confidence. Corporate governance involves
a set of relationships between a company’s
management, its board, its shareholders and
other stakeholders. Corporate governance
also provides the structure through which
the objectives of the company are set, and
the means of attaining those objectives and
monitoring performance are determined.
http://www.oecd.org/corporate/ca/corporategovernanceprinciples/31557724.pdf

16. @CarlosChalicoT
#ISACA_ITG
Other Sources
16

17. @CarlosChalicoT
#ISACA_ITG
Key Points
17
!
•Relationships
!
•Management
•Board
•Shareholders
•Stakeholders
!
•Structure
!
•Objectives of the organization
!
•Monitoring performance
!
•Economic efficiency and growth
!
•Confidence

18. @CarlosChalicoT
#ISACA_ITG
18
Quote
Alison Holt
“Organizations with good governance
practices in place can be shown to be more
successful than organizations without”

19. @CarlosChalicoT
#ISACA_ITG
Turning Risk Into Results
19

20. @CarlosChalicoT
#ISACA_ITG
Turning Risk Into Results
20

21. @CarlosChalicoT
#ISACA_ITG
21
Quote
“Corporate governance is the system by which
companies are directed and controlled”
Adrian Cadbury

22. @CarlosChalicoT
#ISACA_ITG
22
So, what does this mean?
IT Governance

23. @CarlosChalicoT
#ISACA_ITG
23
So, what does this mean?

24. @CarlosChalicoT
#ISACA_ITG
24
So, what does this mean?
HBRHarvard Business Review
http://blogs.hbr.org/2013/08/todays-cto-needs-to-become/
http://blogs.hbr.org/cs/2013/07/todays_cio_needs_to_be_the_chi.html
CIO CTO

25. @CarlosChalicoT
#ISACA_ITG
So, what does this mean?
CIO Information
Innovation

26. @CarlosChalicoT
#ISACA_ITG
So, what does this mean?
CTO Technology
Transformation

27. @CarlosChalicoT
#ISACA_ITG
27
So, what does this mean?
Innovate Transform
Value

28. @CarlosChalicoT
#ISACA_ITG
28
So, what does this mean?
Know
Control
Measure
Rely
IT
Processes
Infrastructure
Elements

29. @CarlosChalicoT
#ISACA_ITG
29
So, what does this mean?
In essence, the governance of IT is the
theory that enables an organisation’s
principal decision makers to make better
decisions around IT and, at the same
time, provides guidance for IT managers
who are tasked with IT operations and
the design, development and
implementation of IT solutions.

30. @CarlosChalicoT
#ISACA_ITG
30
So, what does this mean?
• Governance ensures that enterprise objectives are
achieved by evaluating stakeholder needs, conditions
and options; setting direction through prioritisation
and decision making; and monitoring performance,
compliance and progress against agreed-on direction
and objectives.
• Management plans, builds, runs and monitors activities
in alignment with the direction set by the governance
body to achieve the enterprise objectives.

31. @CarlosChalicoT
#ISACA_ITG
31
So, what does this mean?
The action of the board
or governing body to
direct IT activities and to
build a decision-making
model, combined with
the action of the IT
management teams to
develop supporting
systems, processes and
procedures, result in the
development of an IT
governance framework.
What to do
How to do it

32. @CarlosChalicoT
#ISACA_ITG
32
Why IT Governance?
• “Due diligence”
• IT is critical to the business (and pervasive)
• IT is strategic to the business
• Expectations and reality don’t match
• IT hasn’t gotten the attention it deserves (yet)
• IT may involve huge investments and large risks

33. @CarlosChalicoT
#ISACA_ITG
33
Why IT Governance?
IT Governance
FrameworkCulture
Goals
Characteristics
Organization

34. @CarlosChalicoT
#ISACA_ITG
34
Why IT Governance?

35. @CarlosChalicoT
#ISACA_ITG
35
Why IT Governance?
834

36. @CarlosChalicoT
#ISACA_ITG
36
Why IT Governance?

37. @CarlosChalicoT
#ISACA_ITG
37
Why IT Governance?

38. @CarlosChalicoT
#ISACA_ITG
38
Why IT Governance?

39. @CarlosChalicoT
#ISACA_ITG
39
Why IT Governance?

40. @CarlosChalicoT
#ISACA_ITG
40
Why IT Governance?

41. @CarlosChalicoT
#ISACA_ITG
41
Why IT Governance?

42. @CarlosChalicoT
#ISACA_ITG
42
Why IT Governance?

43. @CarlosChalicoT
#ISACA_ITG
43
Why IT Governance?
GEIT
IT value delivery
Mitigation of
• Strategic alignment
• Resources availability & Mgt
• Monitoring
Objectives
IT-related risks
to the business

44. @CarlosChalicoT
#ISACA_ITG
44
Why IT Governance?
ITGI identifies five focus areas of GEIT:
• Strategic alignment
• Value delivery
• Risk management
• Resource management
• Performance measurement

45. @CarlosChalicoT
#ISACA_ITG
45
Why IT Governance?

46. @CarlosChalicoT
#ISACA_ITG
46
Why IT Governance?

47. @CarlosChalicoT
#ISACA_ITG
Available Frameworks
47
ISO 38500
COBIT 5

48. @CarlosChalicoT
#ISACA_ITG
48
Quote
Alison Holt
“A tool is only a tool if it helps you
and your business”

49. IT Governance
November, 2013
Break!

50. @CarlosChalicoT
#ISACA_ITG
Why IT Governance?
50

51. @CarlosChalicoT
#ISACA_ITG
51
Quote
Alison Holt
“Where there is poor organisational governance
practice in place, it will be difficult to implement
good IT and information practice that delivers
consistent quality deliverables”

52. @CarlosChalicoT
#ISACA_ITG
What is ISO?
52
• International Organization for Standardization
• World’s largest developer of voluntary standards
• Founded in 1947
• 19,500 standards released
• Members from 164 countries
• Headquartered in Geneva, Switzerland
The Boys. 65 delegates from 25 countries. London, 1946.
http://www.iso.org

53. @CarlosChalicoT
#ISACA_ITG
What is a Standard?
53
“A document that provides
requirements, specifications,
guidelines or characteristics that
can be used consistently to ensure
that materials, products, processes
and services are fit for their
purpose.
ISO standards can be purchased
from the ISO store or from our
members”
Office in La Voie Creuse, Geneva, Switzerland, 2007.
http://www.iso.org

54. @CarlosChalicoT
#ISACA_ITG
What are the benefits?
54
“ISO International Standards ensure that products
and services are safe, reliable and of good quality.
For business, they are strategic tools that reduce
costs by minimizing waste and errors, and
increasing productivity.They help companies to
access new markets, level the playing field for
developing countries and facilitate free and fair
global trade”
http://www.iso.org

55. @CarlosChalicoT
#ISACA_ITG
ISO/IEC 38500:2008
55
• Provides guiding principles for directors of organizations
(owners, board members, partners, senior executives) on the
effective, efficient, and acceptable use of IT within their
organizations
• Applies to the governance of management processes (and
decisions) relating to the information and communication
services used by an organization.These processes could be
controlled by IT specialists within the organization, external
service providers, or business units within the organization.
• It also provides guidance to those advising, informing, or
assisting directors (this includes IT auditors)
http://www.iso.org

56. @CarlosChalicoT
#ISACA_ITG
ISO/IEC 38500:2008
56
• Based on Australian Standard AS 8015-2005
• Submitted for Fast Track ISO adoption
• Alison Holt
• New Zealand
• Longitude 174
• Co-chaired ISO’s working group for IT Governance
Framework standards
http://www.ramin.com.au/itgovernance/as8015.html

57. @CarlosChalicoT
#ISACA_ITG
57
Quote
Alison Holt
“Implementing IT governance is not
necessarily a quick process, but it is
effective”

58. @CarlosChalicoT
#ISACA_ITG
58
ISO/IEC 38500:2008

59. @CarlosChalicoT
#ISACA_ITG
59
Process
1
Process
2
Process
3
Process
n
Information Technology Processes
Pervasiveness
ISO/IEC 38500:2008
Goal
ISO 38500
Guidelines
Directors
Senior Executives
Effective
Efficient
Acceptable
ICTUse

60. @CarlosChalicoT
#ISACA_ITG
60
Quote
“May the Force be with you”
Obi Wan Kenobi

61. @CarlosChalicoT
#ISACA_ITG
IT potential problems
61
• Different areas of the organisation have different relationships
with different IT vendors
• IT systems evolve independently with no united direction or
strategy
• IT systems under/over-perform
• IT managers don’t understand the operation
• Operational managers don’t understand IT
• No sense of ownership on data, infrastructure and processes
• Users frustrated for, apparently, not having enough resources
• Nobody thinks or wants the CIO, except when there is a
problem.

62. @CarlosChalicoT
#ISACA_ITG
62
ISO/IEC 38500:2008
ISO
38500
Scope, Application,
Objectives
Framework
Guidance

63. @CarlosChalicoT
#ISACA_ITG
Scope,Application, Objectives
63
Goal
ISO 38500
Guidelines
Directors
Senior Executives
Effective
Efficient
Acceptable
ICTUse
Confidence
Stakeholders

64. @CarlosChalicoT
#ISACA_ITG
64
ISO/IEC 38500:2008
ISO
38500
Scope, Application,
Objectives
Framework
Guidance

65. @CarlosChalicoT
#ISACA_ITG
Framework
65
ISO
38500
Six Principles
Model
IT Governance IT Management
1. Responsibility
2. Strategy
3. Acquisition
4. Performance
5. Conformance
6. Human Behaviour

66. @CarlosChalicoT
#ISACA_ITG
Responsibility
66
• Everyone understands and accepts his or her
responsibility
!
• This includes supply of and demand for IT
!
• Those with responsibility for actions also have the
authority to perform those actions

67. @CarlosChalicoT
#ISACA_ITG
Responsibility
67

68. @CarlosChalicoT
#ISACA_ITG
Responsibility
68
• The CIO that was not respected, even with an ISSP
communicated and authorized
• The “Perfect” Operational Director
• The “jumping” requirements
• The eternal “Yes” CIO
• The 24x7x52xFOREVER HR requirement

69. @CarlosChalicoT
#ISACA_ITG
Strategy
69
• Organisation’s business strategy considers current
and future capabilities of IT
!
• Strategic plans for IT satisfy the current and ongoing
needs of the organisation

70. @CarlosChalicoT
#ISACA_ITG
Strategy
70
• “With that money I can setup a new branch”
• “Hey, that IT strategy made me think that the
operational strategy needs to be re-visited”

71. @CarlosChalicoT
#ISACA_ITG
71
Strategy
?

72. @CarlosChalicoT
#ISACA_ITG
Acquisition
72
• IT acquisitions are made for valid reasons
!
• Appropriate analysis is made to support purchasing
decisions
!
• There is a balance among benefits, opportunities,
costs and risks in the short and long term

73. @CarlosChalicoT
#ISACA_ITG
Acquisition
73
• Some suggestions:
• Understand required benefits
• Informal chats with vendors
• Define a formal purchasing process
• Visit other organisations that are doing what you
want to do
• Understand the “do nothing” option
• Check out references

74. @CarlosChalicoT
#ISACA_ITG
Acquisition
74
Time and budget are important, but…
!
…having the organisation understanding the motives
is critical

75. @CarlosChalicoT
#ISACA_ITG
Performance
75
• IT fits the requirements to support the organisation
!
• IT provides services, levels of service and service
quality required to meet the organisation’s current
and future requirements

76. @CarlosChalicoT
#ISACA_ITG
Performance
76
• Under-PerformanceVs. Over-Performance
• We often over-procure for reasons of convenience
• How would you react if your main server starts
running out of space?

77. @CarlosChalicoT
#ISACA_ITG
Conformance
77
• IT complies and supports compliance
!
• Policies and practices are clearly defined,
implemented and enforced

78. @CarlosChalicoT
#ISACA_ITG
Conformance
78
• How easy has been for your company to configure
the systems to comply with laws and regulations?
Compliance on
IT Systems Process
Process
2
Process
Process
Change
Change

79. @CarlosChalicoT
#ISACA_ITG
Human Behaviour
79
• IT policies, practices and decisions show respect for
human behaviour
!
• This includes current and evolving needs of all of the
people in the processes

80. @CarlosChalicoT
#ISACA_ITG
Human Behaviour
80
• Have you defined policies to make clear how you
want your IT systems to be used?
• How are you balancing personalVs. professional use
of the corporate IT resources?
• Is your management team setting the tone?
• How are you connecting
with customers, providers,
authority?

81. @CarlosChalicoT
#ISACA_ITG
81
ISO/IEC 38500:2008
ISO
38500
Scope, Application,
Objectives
Framework
Guidance

82. @CarlosChalicoT
#ISACA_ITG
Guidance
82
• Provides examples for the application of each one of
the six principles

83. @CarlosChalicoT
#ISACA_ITG
Guidance
83
• Additional documents:
• Cloud computing
• IT Audit
• Digital forensics
• Interoperability
• Business frameworks

84. @CarlosChalicoT
#ISACA_ITG
84
Quote
“Nothing will work unless you do”
Maya Angelou

85. @CarlosChalicoT
#ISACA_ITG
Implementing ISO 38500
85
Implementation
Design and
Definition
Communication
and awareness
IT controls
Policies and procedures
Plan development
Business
processes
improvements
Current State
Assessment
Continuous
Improvement
Auditing
Operation
Monitoring
Third parties
considerations
Extended IT governance
IT processes
improvements
Problems
identification
Training and testing
Adjustments
Monitoring
controls
Reporting
Audit guidelines
Responsibility
assignment

86. IT Governance
November, 2013
Break!

87. @CarlosChalicoT
#ISACA_ITG
How has COBIT dealt with IT Governance?
87
Source: COBIT® 5, figure 2. © 2012 ISACA® All rights reserved.

88. @CarlosChalicoT
#ISACA_ITG
How has COBIT dealt with IT Governance?
88
• Governance ensures that enterprise objectives are
achieved by evaluating stakeholder needs, conditions
and options; setting direction through prioritisation
and decision making; and monitoring performance,
compliance and progress against agreed-on direction
and objectives (EDM)
• Management plans, builds, runs and monitors activities
in alignment with the direction set by the governance
body to achieve the enterprise objectives (PBRM)

89. @CarlosChalicoT
#ISACA_ITG
How has COBIT dealt with IT Governance?
89
COBIT 5 brings together the five principles that
allow the enterprise to build an effective governance
and management framework based on a holistic set
of seven enablers that optimises information and
technology investment and use for the benefit of
stakeholders.

90. @CarlosChalicoT
#ISACA_ITG
How has COBIT dealt with IT Governance?
90
IT Governance
COBIT4.0/4.1
Management
COBIT3
Control
COBIT2
A business framework from ISACA, at www.isaca.org/cobit
Audit
COBIT1
2005/720001998
Evolutionofscope
1996 2012
Val IT 2.0
(2008)
Risk IT
(2009)
© 2012 ISACA® All rights reserved.

91. @CarlosChalicoT
#ISACA_ITG
COBIT Principles
91
• Meeting stakeholder needs
• Covering the enterprise end-to-end
• Applying a single integrated framework
• Enabling a holistic approach
• Separating governance from management

92. @CarlosChalicoT
#ISACA_ITG
Meeting Stakeholder Needs
92
Enterprises exist to create value for their stakeholders.

93. @CarlosChalicoT
#ISACA_ITG
9393
• Enterprises have many stakeholders, and ‘creating value’ means
different—and sometimes conflicting—things to each of them.
• Governance is about negotiating and deciding amongst different
stakeholders’ value interests.
• The governance system should consider all stakeholders when
making benefit, resource and risk assessment decisions.
• For each decision, the following can and should be asked:
• Who receives the benefits?
• Who bears the risk?
• What resources are required?
Meeting Stakeholder Needs

94. @CarlosChalicoT
#ISACA_ITG
9494
Meeting Stakeholder Needs
• Stakeholder needs have to be
transformed into an enterprise’s
actionable strategy.
• The COBIT 5 goals cascade
translates stakeholder needs into
specific, actionable and
customised goals within the
context of the enterprise, IT-
related goals and enabler goals.
Source: COBIT® 5, figure 4. © 2012 ISACA® All rights reserved.

95. @CarlosChalicoT
#ISACA_ITG
9595
Meeting Stakeholder Needs
• Benefits of the COBIT 5 goals cascade:
• It allows the definition of priorities for
implementation, improvement and assurance of
enterprise governance of IT based on (strategic)
objectives of the enterprise and the related risk.
• In practice, the goals cascade:
• Defines relevant and tangible goals and objectives at various levels of
responsibility.
• Filters the knowledge base of COBIT 5, based on enterprise goals to
extract relevant guidance for inclusion in specific implementation,
improvement or assurance projects.
• Clearly identifies and communicates how (sometimes very operational)
enablers are important to achieve enterprise goals.

96. @CarlosChalicoT
#ISACA_ITG
9696
Covering the enterprise ent-to-end
• COBIT 5 addresses the governance and management of
information and related technology from an enterprisewide,
end-to-end perspective.
• This means that COBIT 5:
• Integrates governance of enterprise IT into enterprise governance, i.e.,
the governance system for enterprise IT proposed by COBIT 5
integrates seamlessly in any governance system because COBIT 5 aligns
with the latest views on governance.
• Covers all functions and processes within the enterprise; COBIT 5
does not focus only on the ‘IT function’, but treats information and
related technologies as assets that need to be dealt with just like any
other asset by everyone in the enterprise.

97. @CarlosChalicoT
#ISACA_ITG
9797
Covering the enterprise ent-to-end
Key Components of
a governance
system
Source: COBIT® 5, figure 9. © 2012 ISACA® All rights reserved.
Source: COBIT® 5, figure 8. © 2012 ISACA® All rights reserved.

98. @CarlosChalicoT
#ISACA_ITG
98
Applying a single integrated framework
• COBIT 5 aligns with the latest relevant other standards and
frameworks used by enterprises:
• Enterprise: COSO, COSO ERM, ISO/IEC 9000, ISO/IEC 31000
• IT-related: ISO/IEC 38500, ITIL, ISO/IEC 27000 series,TOGAF,
PMBOK/PRINCE2, CMMI
• This allows the enterprise to use COBIT 5 as the overarching
governance and management framework integrator.
• ISACA plans a capability to facilitate COBIT user mapping of
practices and activities to third-party references.

99. @CarlosChalicoT
#ISACA_ITG
99
Enabling a holistic approach
• COBIT 5 enablers are:
• Factors that, individually and collectively, influence whether something will
work—in the case of COBIT, governance and management over
enterprise IT
• Driven by the goals cascade, i.e., higher-level IT-related goals define what
the different enablers should achieve
• Described by the COBIT 5 framework in seven categories

100. @CarlosChalicoT
#ISACA_ITG
100
Source: COBIT® 5, figure 12. © 2012 ISACA® All rights reserved.
Enabling a holistic approach

101. @CarlosChalicoT
#ISACA_ITG
101
Enabling a holistic approach
• Processes—Describe an organised set of practices and
activities to achieve certain objectives and produce a set
of outputs in support of achieving overall IT-related
goals
• Organizational structures—Are the key decision-
making entities in an organization
• Culture, ethics and behavior—Of individuals and of
the organization; very often underestimated as a success
factor in governance and management activities

102. @CarlosChalicoT
#ISACA_ITG
102
Enabling a holistic approach
• Principles, policies and frameworks—Are the vehicles
to translate the desired behaviour into practical
guidance for day-to-day management
• Information—Is pervasive throughout any organisation,
i.e., deals with all information produced and used by the
enterprise. Information is required for keeping the
organisation running and well governed, but at the
operational level, information is very often the key
product of the enterprise itself.

103. @CarlosChalicoT
#ISACA_ITG
103
Enabling a holistic approach
• Services, infrastructure and applications—Include the
infrastructure, technology and applications that provide
the enterprise with information technology processing
and services
• People, skills and competencies—Are linked to
people and are required for successful completion of all
activities and for making correct decisions and taking
corrective actions

104. @CarlosChalicoT
#ISACA_ITG
104
Enabling a holistic approach
• Systemic governance and management through
interconnected enablers—To achieve the main objectives of the
enterprise, it must always consider an interconnected set of
enablers, i.e., each enabler:
• Needs the input of other enablers to be fully effective, e.g.,
processes need information, organisational structures need skills
and behaviour
• Delivers output to the benefit of other enablers, e.g., processes
deliver information, skills and behaviour make processes efficient
• This is a KEY principle emerging from the ISACA development
work around the Business Model for Information Security (BMIS).

105. @CarlosChalicoT
#ISACA_ITG
105
Enabling a holistic approach
COBIT 5 Enabler Dimensions:
• All enablers have a set of common dimensions.This set of common
dimensions:
• Provides a common, simple and structured way to deal with enablers
• Allows an entity to manage its complex interactions
• Facilitates successful outcomes of the enablers
Source: COBIT® 5, figure 13. © 2012 ISACA® All rights reserved.

106. @CarlosChalicoT
#ISACA_ITG
Separating Government from Management
106
• The COBIT 5 framework makes a clear distinction between
governance and management.
• These two disciplines:
• Encompass different types of activities
• Require different organisational structures
• Serve different purposes
• Governance—In most enterprises, governance is the
responsibility of the board of directors under the leadership of
the chairperson.
• Management—In most enterprises, management is the
responsibility of the executive management under the leadership
of the CEO.

107. @CarlosChalicoT
#ISACA_ITG
Separating Government from Management
107
• Governance ensures that stakeholders needs, conditions and
options are evaluated to determine balanced, agreed-on
enterprise objectives to be achieved; setting direction
through prioritisation and decision making; and monitoring
performance and compliance against agreed-on direction and
objectives (EDM).
• Management plans, builds, runs and monitors activities in
alignment with the direction set by the governance body to
achieve the enterprise objectives (PBRM).

108. @CarlosChalicoT
#ISACA_ITG
Separating Government from Management
108
COBIT 5 is not prescriptive, but it advocates that organisations
implement governance and management processes such that the key
areas are covered, as shown.
Source: COBIT® 5, figure 15. © 2012 ISACA® All rights reserved.

109. @CarlosChalicoT
#ISACA_ITG
Separating Government from Management
109
• The COBIT 5 framework describes seven categories of enablers
(Principle 4). Processes are one category.
• An enterprise can organise its processes as it sees fit, as long as
all necessary governance and management objectives are covered.
Smaller enterprises may have fewer processes; larger and more
complex enterprises may have many processes, all to cover the
same objectives.
• COBIT 5 includes a process reference model (PRM), which
defines and describes in detail a number of governance and
management processes.The details of this specific enabler model
can be found in the COBIT 5: Enabling Processes volume.

110. @CarlosChalicoT
#ISACA_ITG
110
Quote
“It’s a trap!”
Admiral Ackbar

111. @CarlosChalicoT
#ISACA_ITG
Implementing GEIT with COBIT
111

112. @CarlosChalicoT
#ISACA_ITG
112
Implementing GEIT with COBIT
Source: COBIT® 5, © 2012 ISACA® All rights reserved.

113. @CarlosChalicoT
#ISACA_ITG
113
Implementing GEIT with COBIT

114. @CarlosChalicoT
#ISACA_ITG
114
• The improvement of the governance of enterprise IT (GEIT)
is widely recognized by top management as an essential part
of enterprise governance
• Information and the pervasiveness of IT are increasingly part
of every aspect of business and public life
• The need to drive more value from IT investments and
manage an increasing array of IT-related risk has never been
greater
• Increasing regulation and legislation over business use of
information is also driving heightened awareness of the
importance of a well-governed and managed IT environment
Implementing GEIT with COBIT

115. @CarlosChalicoT
#ISACA_ITG
115
Implementing GEIT with COBIT
• ISACA has developed the COBIT 5 framework to help
enterprises implement sound governance enablers. Indeed,
implementing good GEIT is almost impossible without
engaging an effective governance framework. Best practices
and standards are also available to underpin COBIT 5
• Frameworks, best practices and standards are useful only if
they are adopted and adapted effectively.There are
challenges that need to be overcome and issues that need
to be addressed if GEIT is to be implemented successfully.
• COBIT 5: Implementation provides guidance on how to do
this

116. @CarlosChalicoT
#ISACA_ITG
116
Implementing GEIT with COBIT
• COBIT 5: Implementation covers the following subjects:
• Positioning GEIT within an enterprise
• Taking the first steps towards improving GEIT
• Implementation challenges and success factors
• Enabling GEIT-related organisational and behavioural
change
• Implementing continual improvement that includes change
enablement and programme management
• Using COBIT 5 and its components

117. @CarlosChalicoT
#ISACA_ITG
117
Value of GEIT

118. @CarlosChalicoT
#ISACA_ITG
TheValue of CGEIT
118
CGEIT recognizes a wide range of professionals for their
knowledge and application of enterprise IT governance
principles and practices.As a CGEIT certified professional,
you demonstrate that you are capable of bringing IT
governance into an organization—that you grasp the
complex subject holistically, and therefore, enhance value to
the enterprise.
http://www.isaca.org/Certification/CGEIT-Certified-in-the-Governance-of-enterprise-it/Pages/default.aspx

119. @CarlosChalicoT
#ISACA_ITG
TheValue of CGEIT
119

120. @CarlosChalicoT
#ISACA_ITG
GRC
120

121. @CarlosChalicoT
#ISACA_ITG
GRC Magic Quadrant
121

122. @CarlosChalicoT
#ISACA_ITG
Top 10 GRC challenges
122
1. Management complexity of risk and compliance programs
2. Organisational alignment of risk and compliance metrics and control
across functional domains
3. Managing regulatory complexity to reduce the cost of compliance
4. Privacy and intelectual property protection
5. Cybersecurity risks
6. BYOD and mobile strategy
7. Supplyvalue chain risk
8. Building out infrastructure to enable situational awareness and
predictive analytics
9. Aligning operational security with risk and compliance programs
10. Aligning business continuity and availability with risk management

123. @CarlosChalicoT
#ISACA_ITG
123
Quote
“The only place success comes
before work is in the dictionary”
Vince Lombardi

124. @CarlosChalicoT
#ISACA_ITG
124
Case Study
Please follow instructions to review
the Case Study.

125. @CarlosChalicoT
#ISACA_ITG
Conclusions
125
• The world is changing and the IT departments need to
get adapted to that
• Governance of Enterprise IT is mandatory, complexity
in compliance, value requirements, innovation and
transformation needs, support its implementation
• Effective governance requires a committed
organisation
• ISO 38500 and COBIT 5 can be the frameworks for
implementing this

126. @CarlosChalicoT
#ISACA_ITG
FinalThoughts
126
http://www.slideshare.net/sap/99-facts-on-the-future-of-business

127. @CarlosChalicoT
#ISACA_ITG
FinalThoughts
127

128. @CarlosChalicoT
#ISACA_ITG
FinalThoughts
128

129. @CarlosChalicoT
#ISACA_ITG
FinalThoughts
129

130. @CarlosChalicoT
#ISACA_ITG
FinalThoughts
130

131. @CarlosChalicoT
#ISACA_ITG
FinalThoughts
131
SAP & Vuzix Augmented Reality

132. @CarlosChalicoT
#ISACA_ITG
FinalThoughts
132

133. @CarlosChalicoT
#ISACA_ITG
FinalThoughts
133

134. @CarlosChalicoT
#ISACA_ITG
FinalThoughts
134

135. @CarlosChalicoT
#ISACA_ITG
Questions and Answers
135
Carlos Chalico
CISA, CISSP, CISM, CGEIT, CRISC, ISO27000 LA,
PbD Ambassador
Ouest Business Solutions Inc.
carlos.chalico@ouestsolutions.com
(647)6388062
twitter: @CarlosChalicoT
LinkedIn: ca.linkedin.com/in/carloschalico/

136. IT Governance
November, 2013
Thank You!