Lukáš Neduchal FCCA, CISA, CRISC - member of the Board of ISACA Slovensko - Director | Advisory Services | Ernst & Young, k.s.: Basic principles of IT Governance

Transcript, 33 slides.

Page 1:

Basic principles of IT Governance

Lukáš Neduchal FCCA, CISA, CRISC - member of the Board of ISACA Slovensko - Director | Advisory Services | Ernst & Young, k.s.

Page 2:

Content

IT Governance – expected knowledge?

Used practices (COBIT 5), goals, domains, basic principles

IT alignment – what does it mean?

IT security within IT governance?

Suggested activities for board members

Page 3:

ISACA & ITGI

Page 4:

ISACA

History and Mission

ISACA was incorporated in 1969 by a small group of individuals who recognized a need for a centralized source of information and guidance in the growing field of auditing controls for computer systems. Today, ISACA has more than 110,000 constituents worldwide.

As an independent, nonprofit, global association, ISACA engages in the development, adoption and use of globally accepted, industry-leading knowledge and practices for information systems. Previously known as the Information Systems Audit and Control Association, ISACA now goes by its acronym only, to reflect the broad range of IT governance professionals it serves.

Activities

ISACA provides practical guidance, benchmarks and other effective tools for all enterprises that use information systems. Through its comprehensive guidance and services, ISACA defines the roles of information systems governance, security, audit and assurance professionals worldwide. The COBIT 5, Val IT and Risk IT governance frameworks and the CISA, CISM, CGEIT and CRISC certifications are ISACA brands respected and used by these professionals for the benefit of their enterprises.

ISACA.org © ISACA. Used with permission

Page 5:

ISACA Certifications

The CISA certification is world-renowned as the standard of achievement for those who audit, control, monitor and assess an organization’s information technology and business systems.

The management-focused CISM is the globally accepted standard for individuals who design, build and manage enterprise information security programs. CISM is the leading credential for information security managers.

CGEIT recognizes a range of professionals for their knowledge and application of enterprise IT governance principles and practices. CGEIT provides you the credibility to discuss critical issues around governance and strategic alignment based on your recognized skills, knowledge and business experience.

CRISC (pronounced “see-risk”) is the only certification that positions IT professionals for future career growth by linking IT risk management to enterprise risk management, and positioning them to become strategic partners to the business.

ISACA.org © ISACA. Used with permission

Page 6:

ITGI (The IT Governance Institute)

ISACA formed the ITGI to focus on original research, publications, resources and symposia on IT governance and related topics.

History and Mission

The IT Governance Institute (ITGI) was established in 1998 to advance international thinking and standards in directing and controlling an enterprise’s information technology. ITGI offers original research on global practices and perceptions relative to governance and management of IT.

Activities

Conducts original research on governance of enterprise IT and offers several publications as complimentary downloads on the ITGI web site

Offers a web site (www.itgi.org) with extensive resources and links

ITGI paper: Board Briefing on IT Governance

Page 7:

Governance of Enterprise IT and COBIT 5

Page 8:

The Importance of IT

Boards usually expect management to:

Deliver IT solutions of the right quality, on time and on budget

Harness and exploit IT to return business value

Leverage IT to increase efficiency and productivity while managing IT risks

Source: Board Briefing on IT Governance 2nd. edition © ISACA p.13. Used with permission

The ultimate reason why IT governance is important is that expectations and reality often do not match.

Page 9:

Signs of ineffective IT governance?

Business losses, damaged reputations or weakened competitive positions

Deadlines not met, costs higher than expected and quality lower than anticipated

Enterprise efficiency and core processes negatively impacted by poor quality of IT deliverables

Failures of IT initiatives to bring innovation or deliver the promised benefits or even to be delivered at all

Page 10:

The Purpose and Objectives of IT governance

to understand the issues and the strategic importance of IT

to ensure that the enterprise can sustain its operations

to ascertain that it can implement the strategies required to extend its activities into the future

Source: Board Briefing on IT Governance 2nd. edition © ISACA p.7. Used with permission

IT governance practices aim at ensuring that expectations for IT are met, IT's performance is measured, its resources are managed and its risks are mitigated.

Page 11:

Enterprise governance and IT governance

Aligning IT strategy with the business strategy 

Cascading strategy and goals down into the enterprise 

Providing organizational structures that facilitate the implementation of strategy and goals 

Insisting that an IT control framework be adopted and implemented 

Measuring IT's performance

Source: Board Briefing on IT Governance 2nd. edition © ISACA p.7. Used with permission

Enterprise governance is a set of responsibilities and practices exercised by the board and executive management with the goal of:

providing strategic direction

ensuring that objectives are achieved

ascertaining that risks are managed appropriately and

verifying that the enterprise’s resources are used responsibly.

Page 12:

COBIT 5 In Summary …

COBIT 5 brings together the five principles that allow the enterprise to build an effective governance and management framework based on a holistic set of seven enablers that optimises information and technology investment and use for the benefit of stakeholders.

Source:  COBIT® 5, © 2013 ISACA® Used with permission.

Page 13:

COBIT 5 Product Family

Source:  COBIT® 5, figure 11. © 2013 ISACA® Used with permission.

Page 14:

COBIT 5: Now One Complete Business Framework for Governance of Enterprise IT

A business framework from ISACA, at www.isaca.org/cobit

Figure: Evolution of scope, 1996 to 2012. COBIT1 (Audit, 1996), COBIT2 (Control, 1998), COBIT3 (Management, 2000), COBIT4.0/4.1 (IT Governance, 2005/7), COBIT 5 (Governance of Enterprise IT, 2012); Val IT 2.0 (2008) and Risk IT (2009) are integrated into COBIT 5.

COBIT5-Introduction-1.pptx © ISACA. SL 13 Used with permission

Page 15:

ISO/IEC 38500:2008 (Corporate governance of information technology)

1.1 Scope

… This standard applies to the governance of management processes (and decisions) relating to the information and communication services used by an organization …

2.2 Model

Directors should govern IT through three main tasks:

a) Evaluate the current and future use of IT.

b) Direct preparation and implementation of plans and policies to ensure that use of IT meets business objectives.

c) Monitor conformance to policies, and performance against the plans.

Source: COBIT5-Introduction-1.pptx © ISACA. Used with permission

Page 16:

Governance and Management in COBIT 5

Governance ensures that enterprise objectives are achieved by evaluating stakeholder needs, conditions and options; setting direction through prioritisation and decision making; and monitoring performance, compliance and progress against agreed direction and objectives (EDM).

Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives (PBRM).

Exercising governance and management effectively in practice requires appropriately using all enablers. The COBIT process reference model allows us to focus easily on the relevant enterprise activities.

Source: COBIT5-and-GRC.pptx © ISACA. SL20.Used with permission

• EDM01 Ensure governance framework setting and maintenance.

• EDM02 Ensure benefits delivery.

• EDM03 Ensure risk optimisation.

• EDM04 Ensure resource optimisation.

• EDM05 Ensure stakeholder transparency.

Page 17:

Source:  COBIT® 5, figure 16. © 2012 ISACA® Used with permission.

Figure 16 (COBIT 5 process reference model): the governance domain EDM, with its five governance processes, and the management domains of processes: Plan (P), Build (B), Run (R) and Monitor (M).

Page 18:

Source:  COBIT 5-Framework-English.pdf, figure 25 © 2012 ISACA® Used with permission.

Page 19:

Example

Source:  COBIT® 5, © ISACA® Used with permission.

Page 20:

EDM01 Activities

Source:  COBIT® 5, © ISACA® Used with permission.

Example

Page 21:

EDM01 RACI Chart

In addition to activities, COBIT 5 suggests accountabilities and responsibilities for enterprise roles and governance/management structures (RACI charts) for each process. These include a compliance-related role.

Source:  COBIT® 5, © ISACA® Used with permission.

Example

Page 22:

COBIT 5 … IT Governance

Fundamentally, IT governance is concerned about two things:

IT’s delivery of value to the business, driven by strategic alignment of IT with the business.

Mitigation of IT risks, driven by embedding accountability into the enterprise.

Both need to be supported by adequate resources and measured to ensure that the results are obtained.

Source: COBIT5-Introduction-1.pptx © ISACA. Used with permission

Page 23:

5 Focus Areas of IT Governance

This leads to the five main focus areas for IT governance, all driven by stakeholder value.

Two of them are outcomes: value delivery and risk management.

Three of them are drivers: strategic alignment, resource management (which overlays them all) and performance measurement

Source: Board Briefing on IT Governance 2nd. edition © ISACA p.19-p.20. Used with permission


Page 24:

Understanding IT Governance as a process for IT

IT governance is also a process in which the IT strategy drives the IT processes, which obtain resources necessary to execute their responsibilities.

The IT processes report against these responsibilities on process outcome, performance, risks mitigated and accepted, and resources consumed.

These reports should either confirm that the strategy is properly executed or provide indications that strategic redirection is required.

Source: Board Briefing on IT Governance 2nd. edition © ISACA p.19-p.20. Used with permission

Page 25:

The board should drive enterprise alignment by:

Ascertaining that IT strategy is aligned with enterprise strategy.

Ascertaining that IT delivers against the strategy through clear expectations and measurement.

Directing IT strategy by addressing the level and allocation of investments, balancing the investments between supporting and growing the enterprise and by making considered decisions about where IT resources should be focused.

Ensuring a culture of openness and collaboration among the business, geographical and functional units of the enterprise.

Source: Board Briefing on IT Governance 2nd. edition © ISACA p.17. Used with permission

Page 26:

IT Strategic Alignment

But who should be responsible for strategic alignment between IT and the business? Should it be the chief information officer (CIO) and the IT function or should it be the CEO and the business executives or equally shared between both?

To help enable this:

Board members should take an active role in IT strategy or similar committees.

CEOs should provide organizational structures to support the implementation of IT strategy.

CIOs must be business-oriented and provide a bridge between IT and the business.

All executives should become involved in IT steering or similar committees.

Source: Board Briefing on IT Governance 2nd. edition © ISACA p.15. Used with permission

Cascading

Page 27:

The board should direct management to deliver measurable value through IT by:

Delivering solutions and services with the appropriate quality, on time and on budget.

Enhancing reputation, product leadership and cost-efficiency.

Providing customer trust and competitive time-to-market.

Source: Board Briefing on IT Governance 2nd. edition © ISACA p.17. Used with permission

Page 28:

The board should manage enterprise risk by:

Ascertaining that there is transparency about the significant risks to the enterprise and being aware that the final responsibility for risk management rests with the board.

Being conscious that risk mitigation can generate cost-efficiencies.

Considering that a proactive risk management approach can create competitive advantage.

Insisting that risk management be embedded in the operation of the enterprise.

Ascertaining that management has put processes, technology and assurance in place for information security to ensure that:

Business transactions can be trusted

IT services are usable, can appropriately resist attacks and recover from failures

Critical information is withheld from those who should not have access to it (Act No. 122/2013)

Source: Board Briefing on IT Governance 2nd. edition © ISACA p.17. Used with permission

Page 29:

The board should support learning and growth and manage resources by:

Maintaining awareness of new IT developments and opportunities.

Ensuring that IT resources are able to support current and expected business requirements.

Committing to improving the efficiency and effectiveness of the IT infrastructure.

Sustaining an adequate investment in staff education, development and training for IT operations and developments.

Source: Board Briefing on IT Governance 2nd. edition © ISACA p.17. Used with permission

Page 30:

The board should also measure performance by:

Defining and monitoring measures together with management to verify that objectives are achieved and measure performance to eliminate surprises.

Leveraging a system of balanced business scorecards maintained by management.

Note: “Pragmatic practices in support of the board’s governance requirements are listed in appendix B, Board IT Governance Tool Kit”.

Source: Board Briefing on IT Governance 2nd. edition © ISACA p.17. Used with permission

Page 31:

How Should Executive Management Address the Expectations?

Cascade strategy, policies and goals down into the enterprise and align the IT organization with the enterprise goals.

Provide organizational structures to support the implementation of IT strategies and an IT infrastructure to facilitate the creation and sharing of business information.

Embed clear accountabilities for risk management and control over IT into the organization, based on a clear risk policy and comprehensive control framework.

Measure performance by having outcome measures for business value and competitive advantage that IT delivers and performance drivers to show how well IT performs. Use few but precise performance measures, directly and demonstrably linked to strategy.

Source: Board Briefing on IT Governance 2nd. edition © ISACA p.18. Used with permission

Page 32:

How Should Executive Management Address the Expectations? continued

Focus on core business competencies IT must support, which are those business processes that add customer value, differentiate the enterprise’s products and services in the marketplace, and add value across multiple products and services over time

Focus on important IT processes that improve business value, such as change, application and problem management. Management must become aggressive in defining these processes and their associated responsibilities.

Focus on core IT competencies that usually relate to planning and overseeing the management of IT assets, risks, projects, customers and vendors (also supported by an IT steering committee)

Create a flexible and adaptive enterprise that leverages information and knowledge. This is an enterprise that senses what is happening in the market; uses knowledge assets to learn from that and innovates new products, services, channels and processes; then mutates rapidly to bring innovation to market or to repel challenges; and finally measures results and performance. At the heart of this emerging model is knowledge. IT is the enabling factor to collect, build and distribute knowledge.

Source: Board Briefing on IT Governance 2nd. edition © ISACA p.18. Used with permission

Page 33:

Thank You