Introducing COBIT 5 (ISACA, Robert Stroud)
TRANSCRIPT
When title is not a question, no 'We Can'
Introducing COBIT 5
COBIT® 5 initiative
— The initiative charge from the Board of Directors: "tie together and reinforce all ISACA knowledge assets with COBIT."
— The COBIT 5 Task Force: experts from ISACA constituency groups
− Oversight provided by the Framework Committee and Knowledge Board
− Leveraging industry SMEs
drivers for COBIT® 5
— Increased focus on enterprise governance
— Link and reinforce all of ISACA's guidance
− Primary: Val IT, Risk IT
− Also considering BMIS, ITAF, TGF, Board Briefing
— Need to connect to other frameworks and standards (such as ITIL, PMBOK, PRINCE2, TOGAF, ISO)
— Further guidance in high-interest areas
— Improve ease of use and consistency in concepts, terminology and level of detail
— Scope covers full end-to-end business and IT functional responsibilities
increased focus on enterprise governance concepts and objectives
— Enterprises exist to deliver value to stakeholders
— Value is achieved within value and risk parameters, using resources responsibly
— The governance system "steers" via means and mechanisms within an effective structure
— The need is incident-driven and legislation-driven
— Governance is at the top of the agenda for most enterprises
information is critical to the new normal!
— Information is a key resource for all enterprises
— Information is created, used and destroyed
— Technology plays a key role in these actions
— Technology is becoming pervasive in all aspects of business and personal life
— Processes are needed to ensure trust in, and value from, information
What benefits do information and technology bring to enterprises?
enterprise benefits: top management must strive to
— Obtain quality information to support business decisions
— Generate business value from IT-enabled investments, i.e. achieve strategic goals and realise business benefits through effective and innovative use of IT
— Achieve operational excellence through reliable and efficient application of technology.
— Maintain IT-related risk at an acceptable level
— Optimise the cost of IT services and technology
Benefits must be realized to drive stakeholder value
governance
— A governance system refers to all the means and mechanisms that enable multiple stakeholders in an enterprise to have an organised say in evaluating conditions and options; setting direction through prioritisation and decision making; and monitoring compliance, performance and progress against plans, to satisfy specific enterprise objectives.
— Means and mechanisms include frameworks, principles, policies, sponsorship, structures and decision mechanisms, roles and responsibilities, processes and practices.
In most enterprises, this is the responsibility of the board of directors under the leadership of the chairman.
management
— Management entails the judicious use of means (resources, people, processes, practices et al.) to achieve an identified end. It is a means or instrument by which the governance body achieves a result or objective. Management is responsible for execution within the direction set by the governance body.
— Management is about planning, building, organising and controlling operational activities to align with the direction set by the governance body, and reporting back on these activities.
stakeholder value!
— Delivering enterprise stakeholder value requires good governance and management of information and technology (IT) assets
— Enterprise boards, executives and management have to embrace IT like any other significant part of doing business
— External legal and regulatory compliance requirements related to enterprise use of information and technology are increasing, threatening value if breached
— COBIT 5 provides a comprehensive framework that assists enterprises to achieve their goals and deliver value through effective governance and management of enterprise IT
COBIT® 5 framework deliverables
— An enterprise-wide, "end-to-end" framework addressing governance and management of information and related technology
— The framework structure will include familiar components such as a domain/process model and other components such as governance/management practices, RACI charts and inputs/outputs.
— An initial publication introduces, defines and describes the components that make up the COBIT® 5 Framework:
− Principles
− Architecture
− Enablers
− Introduction to implementation guidance and the COBIT process assessment approach
COBIT® 5 framework
— COBIT 5 enables enterprises to create optimal value from information technology by maintaining a balance between realising benefits and optimising risk levels and resource use.
— COBIT 5 enables IT to be governed and managed in a holistic manner for the whole enterprise, taking in the full end-to-end business and IT functional areas of responsibility, considering the IT-related interests of internal and external stakeholders.
— The COBIT 5 principles and enablers are generic and useful for enterprises of all sizes, whether commercial, not-for-profit or in the public sector.
(Figures: COBIT 5 principles; COBIT 5 enablers; governance objective)
features in COBIT® 5
— Practical guidance that considers all unique stakeholders
— Non-technical overarching framework
— Clear distinction between governance and management
— Scope addressing management and governance of information
— Clear migration guidance from prior versions
— Process model updates addressing innovation and emerging technologies
— Addressing governance enablers such as behaviour, skills and decision making
COBIT® 5 governance enablers (figure)
− Principles & Policies
− Processes
− Organisational Structures
− Culture, Ethics, Behaviour
− Information
− Service Capabilities
− Skills & Competencies
process reference model
— Represents all the processes normally found in an enterprise relating to IT
— Provides a common reference model understandable to IT and business managers
— Provides a common language
— Provides a framework for measuring and monitoring IT performance, communicating with service providers, and integrating best management practices
— Subdivided into governance (1) and management (4) domains
— 36 processes (in this draft)
— Val IT and Risk IT integrated
process reference model (draft figure)
process changes
— 4 domains to 5 domains (1 governance and 4 management)
— Domains have 3-character acronyms instead of 2-character acronyms:
− EDM (Evaluate, Direct & Monitor)
− APO (Align, Plan & Organise)
− BAI (Build, Acquire & Implement)
− DSS (Deliver, Service & Support)
− MEA (Monitor, Evaluate & Assess)
new and modified processes (draft numbering)
− APO3 – Manage Enterprise Architecture (combination of PO2 and PO3)
− APO4 – Manage Innovation (new)
− APO5 – Manage Portfolio (previously PO5 Manage IT Investments)
− APO6 – Manage Budget and Costs (previously part of PO5 Manage IT Investments)
− APO8 – Manage Relationships (new)
− BAI5 – Enable Organisational Change (new)
− BAI8 – Manage Knowledge (new)
− DSS2 – Manage Assets (new)
− DSS8 – Manage Business Process Controls (new)
process enabler model (figure)
process reference guide: a separate publication that expands the process-enabler model
— Contains full details of the COBIT processes in a similar way to the process documentation in COBIT 4.1:
− Process description and purpose
− Goals cascade (enterprise and IT)
− Process goals and metrics
− Process practices, activities and inputs/outputs at practice level
− RACI chart
— Integrates the contents of COBIT 4.1, Val IT and Risk IT
— Mapping between COBIT 5 and legacy ISACA frameworks
differences between COBIT® 5 and previous releases
— Architecture changes emphasising the systemic nature of a governance and management system
— Process model changes
— Integration of COBIT, Val IT and Risk IT with explicit structural differentiation between governance and management processes
— Framework components reviewed and simplified
architecture change principles
— Alignment with the most up-to-date views on governance as expressed in the Taking Governance Forward initiative and ISO/IEC 38500, resulting in an overarching architecture with:
− Stakeholder-driven governance and management of enterprise IT
− Governance objectives defined in terms of value, risk and resource-use optimisation
— Systemic nature of enterprise governance, demonstrated by:
− A set of interconnected and interrelated enablers to support governance of enterprise IT and ensure objectives are achieved
Note: ISO/IEC 38500, the corporate governance of information technology standard, provides a framework for effective governance of IT to assist those at the highest level of organisations to understand and fulfil their legal, regulatory and ethical obligations in respect of their organisations' use of IT.
COBIT® 5 architecture (figure)
− Stakeholder Needs drive the Governance Objectives: Value (Benefits, Risk, Resource)
− COBIT 5 Enablers: Principles and Policies; Processes; Organisational Structures; Culture, Ethics, Behaviour; Information; Service Capabilities; Skills and Competencies
− COBIT 5 Knowledge Base: current guidance and contents, plus a structure for future contents; fed by Existing ISACA Guidance (COBIT, Val IT, Risk IT, BMIS, …) and Other Standards and Frameworks
− Content Filter between the Knowledge Base and the Product Family
− COBIT 5 Product Family: COBIT 5: The Framework; COBIT 5 Enabler Guides (COBIT 5: Process Reference Guide, Other Enabler Guidance); COBIT 5 Practice Guides (COBIT 5: Framework Implementation Guide, COBIT 5 for Security, Other Practice Guides); COBIT 5 Online Collaborative Environment
framework component changes
— The names have been changed from Business Goals to Enterprise Goals, and from IT Goals to IT-Related Goals, to better reflect that COBIT® 5 is intended for all sorts of enterprises, not only commercial environments, and that COBIT® 5 is not only about making sure the IT function is performing, but also that the business functions assume their responsibility in providing the right direction, making good use of IT, and following up on IT investments and use.
— There are now 17 Enterprise Goals and also 17 IT-Related Goals. The goals are now also written more as outcome statements.
— The stakeholders for IT are now explicitly named, and some illustrative stakeholder issues are included in the guidance to show how the framework addresses them.
(Figures: enterprise goals; IT-related goals; internal stakeholders)
COBIT® 5 process capability model
— Based on ISO/IEC 15504, Software Engineering: Process Assessment
— Different from the COBIT® 4.1 Maturity Model in design and use
— Focus on capability
process capability model characteristics
— Six levels of capability (0 to 5), including level 0, "incomplete"
— Each level can be achieved only when the level below it is fully achieved
— A level (level 1, for example) counts as achieved once its attributes are at least "largely achieved"; the organisation then realises that level's benefits
— Higher capability levels add different attributes and benefits
differences - COBIT® 5 PCM and COBIT® 4.1 maturity model
— Naming and meaning of levels are different
— A process is described in terms of its purpose and outcomes
— Maturity levels in COBIT® 4.1 and capability levels in COBIT® 5 are not directly comparable and cannot be used interchangeably or mixed
— Scores in COBIT® 5 will generally be lower, because every attribute of the lower levels must be fully achieved before a higher level can be claimed
— Nine process capability attributes (v5) vs. six maturity attributes (v4.1)
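The level-determination rule behind the two slides above, as an added example that is not part of the original presentation or of ISACA's published material. It assumes the ISO/IEC 15504-2 rating scale (N, P, L, F with the 15/50/85 percent thresholds) and the nine process attributes PA 1.1 to PA 5.2, neither of which the slides spell out; the sample ratings are constructed.

```python
"""Derive an ISO/IEC 15504-style process capability level from attribute ratings.

Added example, not from the COBIT 5 slides. Assumptions (ISO/IEC 15504-2):
  - rating scale N (0-15%), P (>15-50%), L (>50-85%), F (>85-100%)
  - nine process attributes PA1.1 .. PA5.2, grouped by capability level
  - a level is achieved when its own attributes are at least L and every
    attribute of every lower level is F; level 0 ("incomplete") otherwise
"""
from typing import Dict

# Process attributes per capability level (level 0 has none).
LEVEL_ATTRIBUTES = {
    1: ["PA1.1"],            # process performance
    2: ["PA2.1", "PA2.2"],   # performance management, work product management
    3: ["PA3.1", "PA3.2"],   # process definition, process deployment
    4: ["PA4.1", "PA4.2"],   # process measurement, process control
    5: ["PA5.1", "PA5.2"],   # process innovation, process optimisation
}


def rate(percent: float) -> str:
    """Map an attribute's achievement percentage to the N/P/L/F scale."""
    if not 0 <= percent <= 100:
        raise ValueError(f"percentage out of range: {percent}")
    if percent <= 15:
        return "N"
    if percent <= 50:
        return "P"
    if percent <= 85:
        return "L"
    return "F"


def capability_level(ratings: Dict[str, str]) -> int:
    """Return the highest level whose attributes are all L or F while every
    attribute of every lower level is F. Unrated attributes count as N."""
    achieved = 0
    for level in sorted(LEVEL_ATTRIBUTES):
        lower_fully = all(
            ratings.get(attr, "N") == "F"
            for lower in range(1, level)
            for attr in LEVEL_ATTRIBUTES[lower]
        )
        own_largely = all(
            ratings.get(attr, "N") in ("L", "F")
            for attr in LEVEL_ATTRIBUTES[level]
        )
        if lower_fully and own_largely:
            achieved = level
        else:
            break  # a gap at this level blocks everything above it
    return achieved


def capability_from_scores(scores: Dict[str, float]) -> int:
    """Convenience wrapper: percentages per attribute -> capability level."""
    return capability_level({attr: rate(pct) for attr, pct in scores.items()})


if __name__ == "__main__":
    # Constructed sample: level-3 attributes look good, but PA2.1 is only
    # "largely" achieved, so the process stays at level 2.
    sample = {"PA1.1": 95, "PA2.1": 70, "PA2.2": 90, "PA3.1": 80, "PA3.2": 88}
    print("capability level:", capability_from_scores(sample))  # 2
```

The `break` is what makes COBIT 5 capability scores lower than COBIT 4.1 maturity scores for the same process: a single lower-level attribute that is only largely achieved caps the result, regardless of how well the higher-level attributes are rated.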
COBIT® 5 summary
— COBIT® 5 major changes:
− Consolidation of frameworks
− Adjustment of domains and processes
− 4 to 5 domains
— Assessment process changed to focus on capability using ISO/IEC 15504
COBIT® 5 news updates
— www.isaca.org/COBIT5
— COBIT Focus newsletter
— community.ca.com/blogs/ppm
— community.ca.com/blogs/itil
— @ISACA
COBIT® 5 brings together the five principles that allow the enterprise to build an effective governance and management framework based on a holistic set of seven enablers that optimises information and technology investment and use for the benefit of stakeholders.
thank you
Robert E Stroud CGEIT CRISC
Twitter @robertestroud
Blog http://community.ca.com/blogs/ITIL