Transforming Enterprise IT

Ref: www.isaca.org/cobit

IT Governance Is the Key Issue

• Enterprises are giving away money, productivity and competitive advantage by not implementing effective IT governance

• A better way to:
  – Direct IT for optimal advantage
  – Measure the value provided by IT
  – Manage IT-related risks

IT Governance

The purpose of IT governance is to direct IT endeavors, to ensure that IT’s performance meets the following objectives:

• Alignment of IT with the enterprise and realisation of the promised benefits

• Use of IT to enable the enterprise by exploiting opportunities and maximising benefits

• Responsible use of IT resources

• Appropriate management of IT-related risks

Focus Areas of IT Governance

Why do we need a Framework?

• Increasing dependence on information and the systems that deliver this information

• Increasing vulnerabilities and a wide spectrum of threats, such as cyberthreats and information warfare

• Scale and cost of the current and future investments in information and information systems

• The need to comply with regulations

• The potential for technologies to dramatically change organisations and business practices, create new opportunities and reduce costs

• Recognition by many organisations of the potential benefits that technology can yield

Who Needs a Framework?

Board and Executive

• To ensure management follows and implements the strategic direction for IT

Management

• To make IT investment decisions
• To balance risk and control investment
• To benchmark existing and future IT environment

Users

• To obtain assurance on security and control of products and services they acquire internally or externally

Auditors

• To substantiate opinions to management on internal controls
• To advise on what minimum controls are necessary

COBIT

Control Objectives for Information and related Technology (COBIT) is a set of best practices (framework) for IT management created by the Information Systems Audit and Control Association (ISACA). COBIT:

1. Incorporates major international standards
2. Has become the de facto standard for overall control over IT
3. Starts from business requirements
4. Is process-oriented

Starts from the premise that IT needs to deliver the information that the enterprise needs to achieve its objectives

Promotes process focus and process ownership

Divides IT into 34 processes belonging to four domains and provides a high-level control objective for each

Considers fiduciary, quality and security needs of enterprises, providing seven information criteria that can be used to generically define what the business requires from IT

Is supported by a set of over 300 detailed control objectives

Information criteria: Effectiveness, Efficiency, Availability, Integrity, Confidentiality, Reliability, Compliance

Domains: Plan and Organise, Acquire and Implement, Deliver and Support, Monitor and Evaluate

COBIT: Basics?

Then what is CobiT?

It is the Control Objectives for Information and related Technology

A methodology consisting of standards and controls created to assist IT professionals in the implementation, review, administration and monitoring of an IT environment.

The CobiT Executive Summary and Framework were released in December 1995, Control Objectives in April 1996, and Audit Guidelines followed in September 1996.

A tool for IT professionals that links information technology and control practices

CobiT consolidates and harmonizes standards from prominent global sources into a critical resource for management, control professionals and auditors.

Overview of CobiT

CobiT represents:
• A control framework,
• a set of generally accepted control objectives, and
• the CobiT Audit Guidelines.

CobiT is based on the philosophy that IT resources need to be managed by a set of naturally grouped processes in order to provide the pertinent and reliable information an organization needs to achieve its objectives.

CobiT is business process oriented and provides the business process owners with a framework which should enable them to control all the different activities underlying IT deployment.

Overview of CobiT

What is the purpose of CobiT?

To provide management and business process owners with an Information Technology (IT) governance model that helps in understanding and managing the risks associated with IT.

CobiT helps bridge the gaps between business risks, control needs and technical issues by presenting the controls through one vehicle.

It is a control model to meet the needs of IT governance and ensure the integrity of information and information systems.

Components of CobiT

The 4 Domains of CobiT

MONITORING (MO)

PLANNING & ORGANIZATION (PO)

ACQUISITION & IMPLEMENTATION (AI)

DELIVERY & SUPPORT (DS)

Components of CobiT

MONITORING (MO)

All IT processes need to be regularly assessed over time for their quality and compliance with control and regulatory requirements.

M1- Monitor the process
M2- Obtain independent assurance

Auditors need to perform procedures to ensure that the IT environment meets predefined standards with respect to controls.

Components of CobiT

PLANNING & ORGANIZATION (PO)

Addresses strategy and tactics, and concerns the identification of the way information technology can best contribute to the achievement of business objectives.

Is the IT strategy effectively controlled, and will it contribute to the business objectives?

PO1- Define a strategic IT plan
PO2- Define the information architecture
PO3- Determine technical direction
PO4- Define IT organization and relationships
PO5- Manage the investment in IT
PO6- Communicate management aims and directions
PO7- Manage human resources
PO8- Ensure compliance with external requirements
PO9- Assess risks
PO10- Manage projects
PO11- Manage quality

Components of CobiT

ACQUISITION & IMPLEMENTATION (AI)

To realize the IT strategy, IT solutions need to be identified, developed and/or acquired as well as implemented and integrated into the business process. Is the process to choose and implement IT solutions a controlled process? Does this process meet control standards?

AI1- Identify solutions
AI2- Acquire and maintain application software
AI3- Acquire and maintain technology architecture
AI4- Develop and maintain IT procedures
AI5- Install and accredit systems
AI6- Manage changes

Components of CobiT

DELIVERY & SUPPORT (DS)

Addresses the actual delivery of required information services.

DS1- Define service levels
DS2- Manage third party services
DS3- Manage performance and capacity
DS4- Ensure continuous service
DS5- Ensure systems security
DS6- Identify and allocate costs
DS7- Educate and train users
DS8- Assist and advise IT customers
DS9- Manage the configuration of IT systems
DS10- Manage problems and incidents
DS11- Manage data
DS12- Manage facilities
DS13- Manage operations

Are information related services delivered in a controlled manner?

2009 ISACA All Rights reserved. 18

COBIT is a Road Map for an easy IT Governance

• Accepted globally as a set of tools that ensures IT is working effectively

• Functions as an overarching framework

• Provides common language to communicate goals, objectives and expected results to all stakeholders

• Based on, and integrates, industry standards and good practices in:
  – Strategic alignment of IT with business goals
  – Value delivery of services and new projects
  – Risk management
  – Resource management
  – Performance measurement


Business Benefits

COBIT® provides guidance for executive management to govern IT within the enterprise

• More effective tools for IT to support business goals

• More transparent and predictable full life-cycle IT costs

• More timely and reliable information from IT

• Higher quality IT services and more successful projects

• More effective management of IT-related risks


Harmonizing the Elements of IT Governance

[Diagram: IT Governance at the centre, surrounded by its five focus areas: Strategic Alignment, Value Delivery, Resource Management, Risk Management, Performance Measurement]


The COBIT® Framework

Approach: the high-level approach diagram of information system audits

Ref- http://www.isaca.org/Knowledge-Center/cobit/Pages/Government-of-Dubai.aspx

Ref- http://www.emeraldinsight.com/journals.htm?articleid=1954554&show=html

Operationalising CMMI: integrating CMMI and CoBIT perspective

The COBIT model groups all information and IT activities into four domains, which are articulated into 34 processes

Ref: http://www.isaca.org/Journal/Past-Issues/2008/Volume-4/Pages/Case-Study-Better-to-Prevent-Than-Cure-A-New-Way-to-Enhance-IT-and-Business-Governance-Collaboration.aspx

Ref: http://educore.info/tag/cobit/


COBIT® Defines Processes, Goals and Metrics

Relationship Amongst Process, Goals and Metrics (DS5)


Defined Responsibilities for Each Process

RACI Chart (Activities × Functions)

A RACI chart identifies who is Responsible, Accountable, Consulted and/or Informed.

[Chart: R/A/C/I assignments per function for the activities: Link business goals to IT goals; Identify critical dependencies and current performance; Build an IT strategic plan; Build IT tactical plans; Analyse programme portfolios and manage project and service portfolios]


COBIT® Products and Their Primary Audience

• COBIT, Risk IT and Val IT frameworks

• Implementing and Continually Improving IT Governance

• COBIT User Guide for Service Managers

• COBIT and Application Controls

IT Governance Focus Areas

Ref: http://www.isaca.org/Knowledge-Center/cobit/Documents/COBIT4.pdf

... IT Governance Focus Areas

• Strategic alignment focuses on ensuring the linkage of business and IT plans; defining, maintaining and validating the IT value proposition; and aligning IT operations with enterprise operations.

• Value delivery is about executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimising costs and proving the intrinsic value of IT.

• Resource management is about the optimal investment in, and the proper management of, critical IT resources: applications, information, infrastructure and people. Key issues relate to the optimisation of knowledge and infrastructure.

• Risk management requires risk awareness by senior corporate officers, a clear understanding of the enterprise’s appetite for risk, understanding of compliance requirements, transparency about the significant risks to the enterprise and embedding of risk management responsibilities into the organisation.

• Performance measurement tracks and monitors strategy implementation, project completion, resource usage, process performance and service delivery, using, for example, balanced scorecards that translate strategy into action to achieve goals measurable beyond conventional accounting.

Management statement on IT Governance

“IT governance is the responsibility of Telco’s executives to install a system of management control that ensures that Telco’s business objectives are achieved through end-to-end processes, quality of information and the supportive IT. This consists in our opinion of directing Telco’s IT resources towards optimal performance aiming for:

- IT to be aligned with the business and the business processes;

- IT resources to be used in a controlled structure;

- IT risks to be assessed and to be managed appropriately.”

“Further formalisation of goal setting and performance monitoring of the overall IT program could be enforced by regular internal audits.”

IT Governance

Forces influencing IT Governance (IT Governance Institute, Erik Guldentops)

• Trust (McKinsey): Institutional investors willing to pay up to 20% premium for shares of enterprises that have governance framework

• Value (Brookings Institute): 85% of market value of enterprises is intangible (knowledge, information, capability…)

• Survival (Alan Greenspan): Trust can vanish overnight. A factory cannot.

• Assurance (Turnbull): Regulations establishing responsibility of enterprise officers for internal control and risk transparency.

www.itgi.org

IT Governance Institute approach

IT governance, like other governance subjects, is the responsibility of executives and shareholders (represented by the board of directors). It consists of the leadership and organisational structures and processes that ensure that the organisation’s IT sustains and extends the organisation’s strategies and objectives.

Definition

[Diagram: IT governance lifecycle. Environment: Ethics & Culture, Laws & Regulations, Mission & Vision, Role Models, Industry Practices… Focus areas: Alignment, Value Delivery, Management of Risk, Monitoring & Reporting, Evaluation. Lifecycle: Set Objectives → Provide Direction → IT Activities → Measure Performance → Compare.]

IT Activities:
• Increase automation (make the business effective)
• Decrease cost (make the enterprise efficient)
• Manage risks (security, reliability and compliance)

Objectives:
• IT is aligned with the business, enables the business and maximises benefits
• IT resources are used responsibly
• IT related risks are managed appropriately

Framework

[Diagram: example organisation Telco (Division Mobile, Division Fixed, IT partners, IT Operators, RvB, Corporate staff). IT Governance framework laid out as Strategy / Structure / Implementation against Business / Information Systems / Information Technology, with Business Alignment and Demand Management as the linking layers. Labels: product, process, organisation; IT products, security; IT management; use of information and transport; DIO focus vs. CIO focus.]

Expertise in IT Governance

[Diagram: areas of expertise mapped onto Strategy / Structure / Implementation against Business / Information Systems / Information Technology]

• Business Alignment
• Demand Management
• IT Service Management
• Information architecture
• User/Application controls
• Security/Operations
• Sourcing
• Information Economics
• Compliance management
• Third Party Assurance
• Management of change

IT Governance is ... IT management

[Diagram: IT Governance versus IT Management plotted on two axes: Business orientation (Internal / External) and Time dimension (Present / Future)]

Adapted from IT Governance mechanisms: Wim van Grembergen and Steven de Haes, Kluwer 2004

IT Control


Getting Started

Visit www.isaca.org/cobit to download the COBIT® framework

[Diagram: TOM Problem Handling process]

INPUTS: Trouble reports; SLA violations, planned maintenance scheduling and notification; Problem reports; SLA/QoS violations, Trouble reports; QoS & SLA terms, Profiles

Problem Handling activities:
- Receive trouble notification
- Determine cause & resolve
- Track progress of resolution
- Initiate action to reconfigure
- Generate TT to suppliers
- Confirm trouble cleared
- Notify customer trouble cleared
- Schedule with and notify customer of planned work

OUTPUTS: Notifications, Trouble Reports, Status reports; Completion notification; Request to re-configure; Trouble report, Trouble cleared; QoS Violations; Major Trouble Reports

Interfacing processes: Customer; Customer Interface Management; Order Handling; Sales; Service Configuration; Other Provider(s); Service Problem Resolution; Customer QoS Management; Service Quality Management; Rating & Discounting

TOM detail: Spider Diagrams

Governance - architecture

1. Domains:

2. Governance structure:
• Company wide steering committee; chair RvB member
• Board responsibilities likewise (Fixed, Mobile, CFO)
• Clear domain accountability (domain manager)
• Linkage to business via sponsor, steer by domain management

3. Roles/responsibilities in conformance with baseline document:
• Domain manager (reporting to DIO), DIO & CIO
• Program office per division chaired by DIO
• Architectural board chaired by CIO (with participation of division)

[Diagram: domain map repeated for the fixed, mobile and corporate divisions, each with the domains Service Backbone, Sales, Fulfillment, Billing, Operations, Purchasing, Enterprise mgmt. and Marketing. Roles per domain: business sponsor (MT member), operational mngt, domain mngr; working mode.]

Different Levels of IT Control

• Strategic
• Tactical
• Operational (possible outsourcing)

Core

Clear governance relationships

[Diagram: business view versus technology view across the layers Processes, Domains/services, Applications and Technology]

Business view:
• Business processes
• Business rules
• Domain structure
• Functional architecture
• Data architecture
• Domain services
• Governance model

Technology view:
• Application programs and modules
• Databases
• Connectivity
• Hardware, operating systems, networks
• Middleware, database management systems

Strategic aspiration

Business plan

Value proposition

Going-to-market model

Business strategy

Demand Management

Business IT Demand (CIO/DIO) ↔ IT Supply (IT Service organizations)

Demand Mngt ("Broker"):
- Functional characteristics
- Quality Assurance
- Maintenance documentation

Business:
- Functional requirements
- Usage
- Money

Supply:
- Operations
- Software maintenance/supply
- Infrastructure

IT:
- Axioms
- Portfolio
- Target architecture

Purchasing:
- Contract standards
- Preferred Suppliers
- Legal guidelines

Selection functionality; Implementation/Control; SLA; Organization

[Diagram: the COBIT cube]

BUSINESS PROCESSES

INFORMATION criteria:
• effectiveness
• efficiency
• confidentiality
• integrity
• availability
• compliance
• reliability

IT RESOURCES:
• data
• application systems
• technology
• facilities
• people

COBIT domains: PLANNING AND ORGANISATION; ACQUISITION AND IMPLEMENTATION; DELIVERY AND SUPPORT; MONITORING

Example: Telco adoption of CobiT Framework

In order to provide the information that the organization needs to achieve its objectives, IT resources need to be managed by a set of naturally grouped processes.

[Diagram: supply, business alignment, demand]

Gartner Advisory on CobiT and ITIL

[Diagram: CobiT – Control (WHAT); ITIL – Activities and BS7799 – Security (HOW)]

Ref: itgi.org

Ex-IT Control Framework

1. Manage Changes

2. Manage IT-configurations

3. Manage IT incidents and problems

4. Manage Security

5. Manage Service levels

6. Manage Business Continuity

7. Manage IT Costs

8. Manage Business Information Planning

9. Manage Releases (Project Management)

10. Manage IT Sourcing