An Introduction to COBIT 4.1 - ISACA Riyadh
TRANSCRIPT
An Introduction to COBIT 4.1: The Control and Management Framework
By: Aqel M. Aqel, CISA, MBA
ISACA Riyadh Chapter – Saudi Arabia, 08th of June 2009
In the name of Allah, the Most Gracious, the Most Merciful.
"Read in the name of your Lord who created, (1) created man from a clinging clot, (2) read, and your Lord is the Most Generous, (3) who taught by the pen, (4) taught man that which he knew not." (5)
Allah the Almighty has spoken the truth.
Seminar Outline
► Introduction about IT Governance: Information Technology evolutions; roles between technical staff and other departments
► IT Risks: the need for IT Governance, different models' evolutions.
► COBIT Framework Domains & Criteria: IT Planning and Organizing; IT Acquisition and Implementation; IT Delivery and Support; IT Monitoring.
► A Glance at the Implementation Road Map
1. Introduction about IT Governance
Introduction / IT Governance Concepts
What is the role of IT in an organization? IT impact on business:
• Increasing / total dependency on IT
• Value of IT investments, tangible & intangible
• Higher cost of downtime
• Customer trust / firm reputation
• E-Commerce (B2B, B2C, etc.) opportunities
• Information credibility
• ICT can control business processes
• Data capturing / performance measurement
Introduction / IT Governance Concepts
Corporate Governance:
[Diagram: corporate governance inputs and outcomes]
Inputs: People (owners & workers); Assets (tangible & intangible); Regulations (local & global); Business Process.
Outcomes: realize strategy; achieve business objectives; progress; customer satisfaction; national prosperity.
Introduction / IT Governance Concepts
ICT as Business Enabler
[Diagram: stakeholders and business activities; reports; IT Governance Framework; activities; information; business logic & controls; IT infrastructure: hardware, software, human resources, IT process]
Source: Aqel M. Aqel
Introduction / IT Governance Concepts
Conventional Governance Tools:
► Organization structure
► Roles and responsibilities
► Policies & standards
► Controls: preventive, detective, corrective
► Periodic reporting
► Reviewing
► Independent audit
Source: Aqel M. Aqel
Introduction / IT Governance Concepts
Controlled (governed) IT will:
1. Support business effectively to maximize profits & optimize costs
2. Business competitive advantage
3. New business opportunities
4. Protect IT investment
5. Successful IT projects
6. Manage IT risks
7. Business continuity
[Chart: profit versus time]
2. IT Risks
IT Risks
It is serious.
Sample threats: Trojan horses, rounding down, viruses, worms, logic bombs, trap doors, wire tapping, data leakage, network attacks (DoS), abnormal shutdown, natural disasters.
Source: 2002 CERT; 2002 CSI/FBI Survey
Cost of Downtime
[Chart: cost of downtime]
Source: Meta Group 2000
Internet and e-Mail Threats
77% of Web sites with malicious code are legitimate sites that have been compromised.
70% of the top 100 sites either hosted malicious content or contained a masked redirect to lure unsuspecting victims from legitimate sites to malicious sites.
84.5% of email messages were spam.
90.4% of all unwanted emails in circulation during this period contained links to spam sites or malicious Web sites.
39% of malicious Web attacks included data-stealing code.
57% of data-stealing attacks are conducted over the Web.
Source: recent research by Websense Security Labs™, 2009
IT Risks..well-known Incidents
Estonia
When Estonia's government announced it was relocating a Soviet memorial in the country's capital, Russian hackers expressed their displeasure with cyber-warfare. They launched a wave of "distributed denial-of-service" attacks against the country's government, banking and media Web sites, using thousands of personal computers hijacked with hidden software to overload the servers. Many sites were down for more than a week. Estonia originally blamed Russia's government for the cyber blitz, but no direct connection between the hackers and the country's government could be found.
Pictured: Russians protest Tallinn's decision to move a Soviet memorial.
Source: Worst Cyber security Meltdowns, by Andy Greenberg, Oct 2007, Forbes.com
IT Risks..well-known Incidents
TJX (Retailer) - Jan 2007
In January, retailer TJX, owner of TJ Maxx and Marshall's, revealed that hackers had gained access to more than 45 million users' credit card information--the largest single data theft of all time. According to an investigation by Canada's Privacy Commission, the hackers likely used a long-range antenna to tap the stores' wi-fi networks. Weaving within outmoded wireless protocol, the electronic intruders spent more than a year and a half stealing reams of private financial data. By TJX's own accounting, the theft has cost more than $256 million.
(Photo © eva serrabassa/iStockPhoto)
Source: Worst Cyber security Meltdowns, by Andy Greenberg, Oct 2007, Forbes.com
IT Risks
It is serious. When an organization suffers a data breach, it costs approximately US $197 per lost record.
That means if a company loses 100,000 records, it would cost close to US $20 million.
Source: COBIT Focus Vol. 3 2008
IT Failure Statistic
What are the Risks?
[Pie chart: share of IT failures by cause. Categories: storm damage, power outage, service failure, flood, burst water pipe, human error, network outage, hardware error, power surge / spike, bombing, hurricane, employee sabotage, software error, earthquake, fire, other]
Source: Contingency Planning Research
IT Risks: Who is responsible?
Business owners / managers are responsible for sustaining business operations and any losses incurred because of ICT threats.
Managers' Hot Issues and Key Concerns 1/4
► How far should we go in controlling IT, and is the cost justified by the benefit?
► What are the indicators of good performance?
► What are the key management practices to apply?
► What do others do?
► How do we measure and compare?
Managers' Hot Issues and Key Concerns 2/4
► Poor understanding of the value contribution of IT
► Risks not recognized
► Lack of management direction or effective oversight committees
► Poor time-to-market results relative to software development
► Projects running over budget
► Frequent security incidents and
► Applications lacking in functionality.
Managers' Hot Issues and Key Concerns 3/4
[Chart]
Source: ITGI IT Governance Global Status Report 2006
Managers' Hot Issues and Key Concerns 4/4
[Chart]
Source: Gartner Research
What is IT Governance all about?
► How does the enterprise get IT under control such that it delivers the information the enterprise needs? How does it manage the risks and secure the IT resources on which it is so dependent? How does the enterprise ensure that IT achieves its objectives and supports the business?
► Management needs control objectives that contain: policies, practices, procedures & organizational structure, designed to provide reasonable assurance that:
  Business objectives are achieved
  Undesired events are: prevented, or detected and corrected
Drivers for IT Governance implementation
► Dissatisfied customers
► Changing market position
► Competition
► Regulatory or legislative changes
► New chief executive officer (CEO)
► Privatization/regulation
► New product/service introduction
► High operating costs or other fiscal issues
► Enterprise resource planning
► Outsourcing
► Best-of-breed IT systems
► Inefficient or ineffective business processes
► Security or privacy breach
► Common IT architecture
► Shared services
► Major business operational or IT outage
► Obsolescence of IT or information systems
► Cost reduction
► Quality of IT service provision
► Technology innovation
► Merger or acquisition
► Shareholder demand for short-term results
► IT enablers to assist enterprise business goals
► Transaction growth
► Realignment with available IT skills
Governance Environment varies according to:
► The community's and enterprise's ethics and culture
► Ruling laws, regulations and policies (internal and external)
► The mission, vision and values of the enterprise
► The enterprise's models for roles and responsibilities
► The enterprise's governance policies and practices
► Industry practices
► The enterprise's business plan and strategic intentions
3. COBIT Framework Domains & Criteria.
Introduction / COBIT 4.1 2007
COBIT™ Control Objectives for IT & Related Technologies
► Contains 34 business-driven IT processes categorized into four groups.
► Associated with each process is a set of detailed control objectives based on international best practices (318 C.O. in the third edition, 215 in ver. 4.0, reduced to 210 in 4.1).
► Controls specify the purpose (objective) to be achieved by the control, with a set of KGI, KSF, & audit guidelines.
► It includes management guidelines and maturity levels of five grades for each control.
IT Governance Definition:
"A structure of relationships and processes to direct and control the enterprise in order to achieve the enterprise's goals by adding value while balancing risk versus return over IT and its processes." Source: www.austin.cc.tx.us/audit/Glossary/LetterI.htm
ITGI definition:
"It is an integral part of enterprise governance and consists of leadership, organizational structure and processes that ensure the organization's IT sustains & extends the organization's strategies and objectives." Source: COBIT 3
Enterprise / Corporate Governance, ITGI definition:
"It is a set of responsibilities and practices exercised by the BOD and executive management with the goal of providing strategic direction, ensuring that the risks are managed appropriately and verifying that the enterprise resources are used responsibly." Source: ITGI
"The system by which the current and future use of ICT is directed and controlled. It involves evaluating and directing the plans for the use of ICT to support the organization and monitoring this use to achieve plans. It includes the strategy and policies for using ICT within an organization." Source: AS 8015-2005
COBIT Governance Concepts
What do we want from Information Technology?
1. Information quality requirements: correctness, completeness, accuracy, availability
2. Fiduciary requirements: reliability, compliancy, effectiveness
3. Security requirements: confidentiality, integrity, availability
Criteria:
1. Effectiveness
2. Efficiency
3. Confidentiality
4. Integrity
5. Availability
6. Compliance
7. Reliability
COBIT Governance Concepts
Simply, IT Governance is about control & protection,… so what do we want to govern / protect?
IT Assets / Resources Categories
1. Applications
2. Information
3. Infrastructures (Technology & Facilities in COBIT III)
4. People (Human Resources in COBIT III)
IT Governance Domains:
1. Planning and Organizing
2. Acquisition and Implementation
3. Delivery and Support
4. Monitoring & Evaluation
Source: COBIT 4
Control Objectives for IT & Related Technologies, COBIT™.
[Diagram: the four COBIT domains and their processes]
1. Plan and Organize: PO1 – PO10
2. Acquire and Implement: AI1 – AI7
3. Deliver and Support: DS1 – DS13
4. Monitor and Evaluate: ME1 – ME4
Introduction / Governance concepts
COBIT™, what do we mean by "Control"?
Control: The policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented or detected and corrected.
Control Objectives: The statement of the desired result or purpose to be achieved by implementing control procedures in a particular IT activity.
Source: COBIT
Introduction / Governance concepts
COBIT™ Control Objectives for IT & Related Technologies
[Diagram: structure of a COBIT control objective]
The control of: IT Process
To satisfy: Business Requirements
By focusing on: Control Statements
Considering: Control Practices
Source: COBIT
Plan and Organize
► PO1 Define a Strategic IT Plan
► PO2 Define the Information Architecture
► PO3 Determine Technological Direction
► PO4 Define the IT Processes, Organization and Relationships
► PO5 Manage the IT Investment
► PO6 Communicate Management Aims and Direction
► PO7 Manage IT Human Resources
► PO8 Manage Quality
► PO9 Assess and Manage IT Risks
► PO10 Manage Projects
Acquire and Implement
► AI1 Identify Automated Solutions
► AI2 Acquire and Maintain Application Software
► AI3 Acquire and Maintain Technology Infrastructure
► AI4 Enable Operation and Use
► AI5 Procure IT Resources
► AI6 Manage Changes
► AI7 Install and Accredit Solutions and Changes
Deliver and Support
► DS1 Define and Manage Service Levels
► DS2 Manage Third-party Services
► DS3 Manage Performance and Capacity
► DS4 Ensure Continuous Service
► DS5 Ensure Systems Security
► DS6 Identify and Allocate Costs
► DS7 Educate and Train Users
► DS8 Manage Service Desk and Incidents
► DS9 Manage the Configuration
► DS10 Manage Problems
► DS11 Manage Data
► DS12 Manage the Physical Environment
► DS13 Manage Operations
Monitor and Evaluate
► ME1 Monitor and Evaluate IT Performance
► ME2 Monitor and Evaluate Internal Control
► ME3 Ensure Regulatory Compliance
► ME4 Provide IT Governance
PO1 Define a Strategic Information Technology Plan
Control over the IT process of: Define a Strategic Information Technology Plan
that satisfies the business requirement: sustain or extend business strategy and governance requirements
By focusing on: translating business requirements into services; alignment of business current and future plans
And achieved by: alignment of business current and future plans; understanding current capabilities; prioritization of business objectives
PO1 Define a Strategic Information Technology Plan
Detailed Control Objectives
1.1 IT Value Management
1.2 Business – IT Alignment
1.3 Assessment of Current Performance
1.4 IT Strategic Plan
1.5 IT Tactical Plans
1.6 IT Portfolio Management
PO2 Define the Information Architecture
Control over the IT process of: Define the Information Architecture
that satisfies the business requirement: respond to requirements, provide reliable and consistent information, integrate applications to business processes.
By focusing on: being agile in responding to requirements, providing reliable and consistent information, and seamlessly integrating applications into business processes
And achieved by: assuring the accuracy of the information architecture and data model; assigning data ownership; classifying information using an agreed classification scheme
PO2 Define the Information Architecture
Detailed Control Objectives
2.1 Enterprise Information Architecture Model
2.2 Enterprise Data Dictionary and Data Syntax Rules
2.3 Data Classification Scheme
2.4 Integrity Management
AI1 Identify Automated Solutions
Control over the IT process of: Identify Automated Solutions
that satisfies the business requirement: translating business functional and control requirements into an effective and efficient design of automated solutions
By focusing on: identifying technically feasible and cost-effective solutions
And achieved by: defining business and technical requirements; undertaking feasibility studies as defined in the development standards; approving (or rejecting) requirements and feasibility study results
AI1 Identify Automated Solutions
Detailed Control Objectives
1.1 Definition and Maintenance of Business Functional and Technical Requirements
1.2 Risk Analysis Report
1.3 Feasibility Study and Formulation of Alternative Courses of Action
1.4 Requirements and Feasibility Decision and Approval
What Else…?
Business Goals vs. IT Goals: 17 Business Goals, 28 IT Goals
Products Components
1. COBIT Framework
2. IT Assurance Guide Using COBIT
3. COBIT Control Practices: Guidance to Achieve Control Objectives for Successful IT Governance, 2nd Edition
4. COBIT Quick Start
5. COBIT Security Baseline
6. Board Briefing on IT Governance, 2nd Edition
4. Implementation !!!
IT Governance Life Cycle
[Diagram: governance objectives (direct, create, protect, execute, monitor) mapped to the IT governance focus areas: strategic alignment, value delivery, risk management, resource management, performance management]
COBIT / VAL IT components: ICT Balanced Scorecard; control objectives; process and maturity models; business – IT goals; Assurance Guide; management practices and performance metrics; outcome indicators; contribution.
Source: COBIT Implementation Guide 2nd edition 2007
COBIT Implementation Road Map
[Diagram: stakeholders' objectives and the implementation phases derived from them]
Source: COBIT Implementation Guide 2nd edition 2007
Thank You
Introduction to IT Governance Using COBIT IV Framework