September 17, 2012 Pittsburgh ISACA Chapter
What is COBIT?
• Control Objectives for Information and related Technologies – ISACA's guidance on the enterprise governance and management of IT.
– Builds on more than 15 years of practical usage and application of COBIT by many enterprises and users from business, IT, risk, security and assurance communities.
• Connects to, and, where relevant, aligns with, other major frameworks and standards in the marketplace, such as:
– Information Technology Infrastructure Library (ITIL®)
– The Open Group Architecture Forum (TOGAF®)
– Project Management Body of Knowledge (PMBOK®)
– PRojects IN Controlled Environments 2 (PRINCE2®)
– Committee of Sponsoring Organizations of the Treadway Commission (COSO)
– International Organization for Standardization (ISO) standards.
What is COBIT?
• COBIT 5 brings together five principles that allow organizations to build an effective governance and management framework based on a holistic set of seven enablers, optimizing information and technology investment and use for the benefit of stakeholders.
What you need to remember…
• "All models are wrong, some models are useful" – George Box or W. Edwards Deming
• Thus, when adopting COBIT, a certain degree of adaptation also needs to occur in order for it to be of value.
• Incorporate an operation model and a common language for all parts of the enterprise involved in IT activities
• Leverage the Appendices for Model navigation
• Adapt to each unique organization
Why Version 5?
• Provide more stakeholders a say…
• Address the increasing dependency on external business and IT parties…
• Deal with the amount of information, which has increased significantly…
• Deal with much more pervasive IT…
• Provide further guidance in the area of innovation and emerging technologies…
• Less about audit and more about governance…
Why Version 5?
• All previous content from these 3 models is integrated and updated in COBIT 5
COBIT begins with Information
• Information is a key resource.
• Information is created, used, modified, retained, disclosed and destroyed.
• Technology plays a key role in these actions.
• Technology is pervasive in all aspects of business.
What benefits do information and technology bring to organizations?
Enterprise Benefits
• Organizations and their leaders strive to:
– Maintain quality information to support business decisions.
– Generate business value from IT-enabled investments, i.e., achieve strategic goals and realize business benefits through effective and innovative use of IT.
– Achieve operational excellence through reliable and efficient application of technology.
– Maintain IT-related risk at an acceptable level.
– Optimize the cost of IT services and technology.
How can these benefits be realized to create enterprise stakeholder value?
Stakeholder Value
• Delivering organizational stakeholder value requires good governance and management of information and technology (IT) assets.
• Corporate boards, executives and management have to embrace IT like any other significant part of the business.
• External legal, regulatory and contractual compliance requirements related to enterprise use of information and technology are increasing, threatening value if breached.
• COBIT 5 provides a comprehensive framework that assists enterprises to achieve their goals and deliver value through effective governance and management of enterprise IT.
The COBIT 5 Framework
• COBIT 5 helps organizations create optimal value from IT by maintaining a balance between realizing benefits and optimizing risk levels and resource use.
• COBIT 5 enables information and related technology to be governed and managed in a holistic manner for the entire organization, taking in the full end-to-end business and functional areas of responsibility, considering the IT-related interests of internal and external stakeholders.
• The COBIT 5 principles and enablers are generic and useful for organizations of all sizes, whether commercial, not-for-profit or in the public sector.
COBIT Structure
• COBIT provides cascading guidance to align the complex relationship between business and IT goals by depicting a cascading relationship between the sets of goals and "enablers".
• COBIT provides the 'What' for defining best practices and their subsequent measures.
![Page 12: September 17, 2012 Pittsburgh ISACA Chapter](https://reader036.fdocuments.us/reader036/viewer/2022081605/587892361a28ab53078b7a4e/html5/thumbnails/12.jpg)
COBIT 5 Principles
Source: COBIT® 5, © 2012 ISACA®
Goals Cascade
The COBIT 5 Goals Cascade is the mechanism to translate stakeholder needs into specific, actionable and customized enterprise goals, IT-related goals and enabler goals.
COBIT Stakeholder Drivers & Needs
• A governance system should consider all stakeholders when making benefit, risk and resource assessment decisions.
• For each decision, the following questions can and should be asked:
– For whom are the benefits?
– Who bears the risk?
– What resources are required?
Stakeholder Needs
• These questions point us towards an Enterprise Goal focus
COBIT Enterprise Goals
• COBIT provides 17 general enterprise goals
• These goals are categorized into four domains:
– Financial
– Customer
– Internal
– Learning and Growth
COBIT Enterprise Goals
(Figure: Primary & Secondary relationships)
COBIT 5 Model
• 'P' stands for primary: there is an important relationship and it is the primary support for the achievement of a COBIT object (e.g., a goal).
• 'S' stands for secondary: there is still a strong, but less important, relationship.
COBIT Enterprise Goals - Metrics
COBIT IT Goals
• COBIT provides 17 Generic IT Goals
• Enterprise Goals translate into these IT Goals
• The IT Goals require the successful application and use of a number of enablers.
(Figure: Enterprise Goals to IT Goals traceability)
COBIT IT Goals
COBIT IT Goals - Metrics
Mapping of Goals
• Understanding the alignment of Enterprise Goals with IT Goals is critical to leveraging COBIT 5.
COBIT 5 Enablers
COBIT Enablers
• Enablers are factors that, individually and collectively, influence whether something will work—in this case, governance and management over enterprise IT.
• Enablers are driven by the goals cascade, i.e., higher-level IT-related goals define what the different enablers should achieve.
COBIT Enablers
1. Principles, policies and frameworks are the vehicle to translate the desired behavior into practical guidance for day-to-day management.
2. Processes describe an organized set of practices and activities to achieve certain objectives and produce a set of outputs in support of achieving overall IT-related goals.
3. Organizational structures are the key decision-making entities in an enterprise.
4. Culture, ethics and behavior of individuals and of the enterprise are very often underestimated as a success factor in governance and management activities.
5. Information is pervasive throughout any organization and includes all information produced and used by the enterprise. Information is required for keeping the organization running and well governed, but at the operational level, information is very often the key product of the enterprise itself.
6. Services, infrastructure and applications include the infrastructure, technology and applications that provide the enterprise with information technology processing and services.
7. People, skills and competencies are linked to people and are required for successful completion of all activities and for making correct decisions and taking corrective actions.
COBIT Enablers
• Some of the enablers defined previously are also enterprise resources that need to be managed and governed as well.
• This applies to:
– Information, which needs to be managed as a resource. Some information, such as management reports and business intelligence information, is an important enabler for the governance and management of the enterprise.
– Service, infrastructure and applications
– People, skills and competencies
COBIT Enablers Interconnected
• Each enabler needs the input of other enablers to be fully effective.
– For example:
• processes need information
• organizational structures need skills and behavior
• Each enabler also delivers output to the benefit of other enablers.
– For example:
• processes deliver information
• skills and behavior make processes efficient
• This means that to deal with any stakeholder need, all interrelated enablers have to be analyzed for relevance and addressed if required.
COBIT 5 Enablers
COBIT Enablers
• All enablers have a set of common dimensions. This set of common dimensions:
– Provides a common, simple and structured way to deal with enablers
– Allows an entity to manage its complex interactions
– Facilitates successful outcomes of the enablers
COBIT Enabler Dimensions
COBIT Information Criteria
The COBIT 5 information model allows the definition of an additional set of criteria, adding value to the COBIT 4.1 criteria.
COBIT: Enabling Processes
COBIT: Enabling Processes
• A process is defined as 'a collection of practices influenced by the enterprise's policies and procedures that takes inputs from a number of sources (including other processes), manipulates the inputs and produces outputs (e.g., products, services)'.
COBIT: Enabling Processes
The processes model shows:
• Stakeholders - Processes have internal and external stakeholders, with their own roles; stakeholders and their responsibility levels are documented in RACI charts. External stakeholders include customers, business partners, shareholders and regulators. Internal stakeholders include the board, management, staff and volunteers.
• Goals - Process goals are defined as 'a statement describing the desired outcome of a process. An outcome can be an artifact, a significant change of a state or a significant capability improvement of other processes'. They are part of the goals cascade, i.e., process goals support IT-related goals, which in turn support enterprise goals.
![Page 40: September 17, 2012 Pittsburgh ISACA Chapter](https://reader036.fdocuments.us/reader036/viewer/2022081605/587892361a28ab53078b7a4e/html5/thumbnails/40.jpg)
Process Goals
Process goals can be categorized as:
• Intrinsic goals—Does the process have intrinsic quality? Is it accurate and in line with good practice? Is it compliant with internal and external rules?
• Contextual goals—Is the process customized and adapted to the enterprise's specific situation? Is the process relevant, understandable, easy to apply?
• Accessibility and security goals—The process remains confidential, when required, and is known and accessible to those who need it.
![Page 41: September 17, 2012 Pittsburgh ISACA Chapter](https://reader036.fdocuments.us/reader036/viewer/2022081605/587892361a28ab53078b7a4e/html5/thumbnails/41.jpg)
Process Goal Metrics
• At each level of the goals cascade, metrics are defined to measure the extent to which goals are achieved.
• Metrics can be defined as 'a quantifiable entity that allows the measurement of the achievement of a process goal. Metrics should be SMART—specific, measurable, actionable, relevant and timely'.
• To manage the enabler effectively and efficiently, metrics need to be defined to measure the extent to which the expected outcomes are achieved.
![Page 42: September 17, 2012 Pittsburgh ISACA Chapter](https://reader036.fdocuments.us/reader036/viewer/2022081605/587892361a28ab53078b7a4e/html5/thumbnails/42.jpg)
Process Life cycle
• Life cycle—Each process has a life cycle. It is defined, created, operated, monitored, and adjusted/updated or retired.
• Generic process practices such as those defined in the COBIT process assessment model based on ISO/IEC 15504 can assist with defining, running, monitoring and optimizing processes.
![Page 43: September 17, 2012 Pittsburgh ISACA Chapter](https://reader036.fdocuments.us/reader036/viewer/2022081605/587892361a28ab53078b7a4e/html5/thumbnails/43.jpg)
Good Practices
• Good practices—COBIT 5: Enabling Processes contains a process reference model, in which process internal good practices are described in growing levels of detail: practices, activities and detailed activities.
![Page 44: September 17, 2012 Pittsburgh ISACA Chapter](https://reader036.fdocuments.us/reader036/viewer/2022081605/587892361a28ab53078b7a4e/html5/thumbnails/44.jpg)
COBIT Enabling Processes
• COBIT provides 37 IT Processes segmented into 5 domains
– Evaluate, Direct and Monitor (EDM)
– Align, Plan and Organize (APO)
– Build, Acquire and Implement (BAI)
– Deliver, Service and Support (DSS)
– Monitor, Evaluate and Assess (MEA)
![Page 45: September 17, 2012 Pittsburgh ISACA Chapter](https://reader036.fdocuments.us/reader036/viewer/2022081605/587892361a28ab53078b7a4e/html5/thumbnails/45.jpg)
COBIT Enabling Processes
• Although, as described previously, most of the processes require 'planning', 'implementation', 'execution' and 'monitoring' activities within the process or within the specific issue being addressed (e.g., quality, security), they are placed in domains in line with what is generally the most relevant area of activity when regarding IT at the enterprise level.
• In COBIT 5, the processes also cover the full scope of business and IT activities related to the governance and management of enterprise IT, thus making the process model truly enterprise-wide.
![Page 46: September 17, 2012 Pittsburgh ISACA Chapter](https://reader036.fdocuments.us/reader036/viewer/2022081605/587892361a28ab53078b7a4e/html5/thumbnails/46.jpg)
Governance and Management
• Governance ensures that organizational objectives are achieved by evaluating stakeholder needs, conditions and options; setting direction through prioritization and decision making; and monitoring performance, compliance and progress against agreed-upon direction and objectives.
• Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the organizational objectives.
Evaluate, Direct and Monitor (EDM)
• Governance ensures that enterprise objectives are achieved by evaluating stakeholder needs, conditions and options; setting direction through prioritization and decision making; and monitoring performance, compliance and progress against agreed-on direction and objectives (EDM).
![Page 49: September 17, 2012 Pittsburgh ISACA Chapter](https://reader036.fdocuments.us/reader036/viewer/2022081605/587892361a28ab53078b7a4e/html5/thumbnails/49.jpg)
Evaluate, Direct and Monitor (EDM)
EDM01 Ensure Governance Framework Setting and Maintenance
EDM02 Ensure Benefits Delivery
EDM03 Ensure Risk Optimization
EDM04 Ensure Resource Optimization
EDM05 Ensure Stakeholder Transparency
![Page 50: September 17, 2012 Pittsburgh ISACA Chapter](https://reader036.fdocuments.us/reader036/viewer/2022081605/587892361a28ab53078b7a4e/html5/thumbnails/50.jpg)
Align, Plan and Organize (APO)
• The Align, Planning and Organization domain covers the use of information & technology and how best it can be used in a company to help achieve the company's goals and objectives. It also highlights the organizational and infrastructural form IT is to take in order to achieve the optimal results and to generate the most benefits from the use of IT.
![Page 51: September 17, 2012 Pittsburgh ISACA Chapter](https://reader036.fdocuments.us/reader036/viewer/2022081605/587892361a28ab53078b7a4e/html5/thumbnails/51.jpg)
Align, Plan and Organize (APO)
APO01 Manage the IT Management Framework
APO02 Manage Strategy
APO03 Manage Enterprise Architecture
APO04 Manage Innovation
APO05 Manage Portfolio
APO06 Manage Budget and Costs
APO07 Manage Human Relations
APO08 Manage Relationships
APO09 Manage Service Agreements
APO10 Manage Suppliers
APO11 Manage Quality
APO12 Manage Risk
APO13 Manage Security
![Page 52: September 17, 2012 Pittsburgh ISACA Chapter](https://reader036.fdocuments.us/reader036/viewer/2022081605/587892361a28ab53078b7a4e/html5/thumbnails/52.jpg)
Build, Acquire and Implement (BAI)
• The Build, Acquire and Implement domain covers identifying IT requirements, acquiring the technology, and implementing it within the company's current business processes.
![Page 53: September 17, 2012 Pittsburgh ISACA Chapter](https://reader036.fdocuments.us/reader036/viewer/2022081605/587892361a28ab53078b7a4e/html5/thumbnails/53.jpg)
Build, Acquire and Implement (BAI)
BAI01 Manage Programs and Projects
BAI02 Manage Requirements Definition
BAI03 Manage Solutions Identification and Build
BAI04 Manage Availability and Capacity
BAI05 Manage Organizational Change Enablement
BAI06 Manage Changes
BAI07 Manage Changes Acceptance and Transitioning
BAI08 Manage Knowledge
BAI09 Manage Assets
BAI10 Manage Configuration
![Page 54: September 17, 2012 Pittsburgh ISACA Chapter](https://reader036.fdocuments.us/reader036/viewer/2022081605/587892361a28ab53078b7a4e/html5/thumbnails/54.jpg)
Deliver, Service and Support (DSS)
• The Deliver, Service and Support domain focuses on the delivery aspects of the information technology. It covers areas such as the execution of the applications within the IT system and its results, as well as the support processes that enable the effective and efficient execution of these IT systems.
![Page 55: September 17, 2012 Pittsburgh ISACA Chapter](https://reader036.fdocuments.us/reader036/viewer/2022081605/587892361a28ab53078b7a4e/html5/thumbnails/55.jpg)
Deliver, Service and Support (DSS)
DSS01 Manage Operations
DSS02 Manage Service Requests and Incidents
DSS03 Manage Problems
DSS04 Manage Continuity
DSS05 Manage Security Services
DSS06 Manage Business Process Controls
![Page 56: September 17, 2012 Pittsburgh ISACA Chapter](https://reader036.fdocuments.us/reader036/viewer/2022081605/587892361a28ab53078b7a4e/html5/thumbnails/56.jpg)
Monitor, Evaluate and Assess (MEA)
• The Monitor, Evaluate and Assess domain deals with a company's strategy in assessing the needs of the company and whether or not the current IT system still meets the objectives for which it was designed and the controls necessary to comply with regulatory requirements. Monitoring also covers the issue of an independent assessment of the effectiveness of the IT system in its ability to meet business objectives and the company's control processes by internal and external auditors.
![Page 57: September 17, 2012 Pittsburgh ISACA Chapter](https://reader036.fdocuments.us/reader036/viewer/2022081605/587892361a28ab53078b7a4e/html5/thumbnails/57.jpg)
Monitor, Evaluate and Assess (MEA)
MEA01 Monitor, Evaluate and Assess Performance and Conformance
MEA02 Monitor, Evaluate and Assess the System of Internal Control
MEA03 Evaluate and Assess Compliance with External Requirements
![Page 58: September 17, 2012 Pittsburgh ISACA Chapter](https://reader036.fdocuments.us/reader036/viewer/2022081605/587892361a28ab53078b7a4e/html5/thumbnails/58.jpg)
Governance & Management
IT Process to IT Goal Mapping
COBIT Enabling Process
• Example Walkthrough:
– APO 02 Manage Strategy
• Process Label – Domain Prefix and Number
• Process Name
• Area of the Process – Governance or Management
![Page 62: September 17, 2012 Pittsburgh ISACA Chapter](https://reader036.fdocuments.us/reader036/viewer/2022081605/587892361a28ab53078b7a4e/html5/thumbnails/62.jpg)
APO 02 Manage Strategy
• Description – What it does and accomplishes
• Purpose Statement – Overall purpose description
APO 02 Manage Strategy
• Goal Cascade – Related IT Goals
• Generic Metrics – Measure achievement of IT Goals
APO 02 Manage Strategy
• Process Goals
• Process Metrics
APO 02 Manage Strategy
RACI Chart
• Responsible – Who is getting the task done?
• Accountable – Who accounts for the success of the task?
• Consulted – Who is providing input?
• Informed – Who is receiving information?
![Page 67: September 17, 2012 Pittsburgh ISACA Chapter](https://reader036.fdocuments.us/reader036/viewer/2022081605/587892361a28ab53078b7a4e/html5/thumbnails/67.jpg)
APO 02 Manage Strategy
• Detailed description
• Activities
APO 02 Manage Strategy
• Related guidance from external sources
Generic Guidance for Processes
New & Modified Processes
• 5 new Governance Processes
– EDM 01 Ensure Governance Framework Setting and Maintenance
– EDM 02 Ensure Benefits Delivery
– EDM 03 Ensure Risk Optimization
– EDM 04 Ensure Resource Optimization
– EDM 05 Ensure Stakeholder Transparency
![Page 78: September 17, 2012 Pittsburgh ISACA Chapter](https://reader036.fdocuments.us/reader036/viewer/2022081605/587892361a28ab53078b7a4e/html5/thumbnails/78.jpg)
New & Modified Processes
Summary of changes between COBIT 4.1 and COBIT 5
• Processes in CobiT® 4.1 that are merged in CobiT® 5
– DS7 is merged with PO7 (Education and Human Resources)
– PO6 is merged with PO1 (Management Communications and Management)
– PO2 is merged with PO3 (Information and Technical Architectures)
– AI2 is merged with AI3 (Application Software and Infrastructure Components)
– DS12 is merged with DS5 (Physical Environment and Information Security)
![Page 79: September 17, 2012 Pittsburgh ISACA Chapter](https://reader036.fdocuments.us/reader036/viewer/2022081605/587892361a28ab53078b7a4e/html5/thumbnails/79.jpg)
New & Modified Processes
Entirely new processes in COBIT
• EDM1 Set and Maintain Governance Framework
• APO1 Define the Management Framework
• APO4 Manage Innovation (partly PO3)
• APO8 Manage Relationships
• BAI8 Knowledge Management
• DSS2 Manage Assets (partly DS9)
• DSS8 Manage Business Process Controls.
![Page 80: September 17, 2012 Pittsburgh ISACA Chapter](https://reader036.fdocuments.us/reader036/viewer/2022081605/587892361a28ab53078b7a4e/html5/thumbnails/80.jpg)
New & Modified Processes
Processes in COBIT 4.1 that are reassigned in COBIT 5
• ME4 to EDM1, 2, 3, 4, 5 (Governance)
Processes in COBIT 4.1 that are relocated in COBIT 5
• PO1 to APO2 (Strategic Planning)
• PO4 to APO1 (Organization, Relationships and Processes)
![Page 81: September 17, 2012 Pittsburgh ISACA Chapter](https://reader036.fdocuments.us/reader036/viewer/2022081605/587892361a28ab53078b7a4e/html5/thumbnails/81.jpg)
Putting this all together
(Diagram; labels as extracted: Enabler Goals, IT Goals, Enterprise Goals, Processes, Activities)
![Page 82: September 17, 2012 Pittsburgh ISACA Chapter](https://reader036.fdocuments.us/reader036/viewer/2022081605/587892361a28ab53078b7a4e/html5/thumbnails/82.jpg)
COBIT Capability
![Page 83: September 17, 2012 Pittsburgh ISACA Chapter](https://reader036.fdocuments.us/reader036/viewer/2022081605/587892361a28ab53078b7a4e/html5/thumbnails/83.jpg)
COBIT Process Capability Model
Source: COBIT® 5. © 2012 ISACA®
![Page 84: September 17, 2012 Pittsburgh ISACA Chapter](https://reader036.fdocuments.us/reader036/viewer/2022081605/587892361a28ab53078b7a4e/html5/thumbnails/84.jpg)
COBIT Process Capability Model
Source: COBIT® 5. © 2012 ISACA®
![Page 85: September 17, 2012 Pittsburgh ISACA Chapter](https://reader036.fdocuments.us/reader036/viewer/2022081605/587892361a28ab53078b7a4e/html5/thumbnails/85.jpg)
COBIT Process Capability Model
There are six levels of capability that a process can achieve, including an 'incomplete process' designation if the practices in it do not achieve the intended purpose of the process:
• 0 Incomplete process—The process is not implemented or fails to achieve its
process purpose. At this level, there is little or no evidence of any systematic
achievement of the process purpose.
• 1 Performed process (one attribute)—The implemented process achieves its
process purpose.
• 2 Managed process (two attributes)—The previously described performed process is
now implemented in a managed fashion (planned, monitored and adjusted) and its
work products are appropriately established, controlled and maintained.
• 3 Established process (two attributes)—The previously described managed process
is now implemented using a defined process that is capable of achieving its process
outcomes.
• 4 Predictable process (two attributes)—The previously described established
process now operates within defined limits to achieve its process outcomes.
• 5 Optimizing process (two attributes)—The previously described predictable
process is continuously improved to meet relevant current and projected business
goals.
![Page 86: September 17, 2012 Pittsburgh ISACA Chapter](https://reader036.fdocuments.us/reader036/viewer/2022081605/587892361a28ab53078b7a4e/html5/thumbnails/86.jpg)
COBIT Process Capability Model
Assessing whether the process achieves its goals—or, in other words, achieves capability level 1—can be done by:
1. Reviewing the process outcomes as they are described for each process in the detailed
process descriptions, and using the ISO/IEC 15504 rating scale to assign a rating to what
degree each objective is achieved. This scale consists of the following ratings:
• N (Not achieved)—There is little or no evidence of achievement of the defined attribute in
the assessed process. (0 to 15 percent achievement)
• P (Partially achieved)—There is some evidence of an approach to, and some achievement
of, the defined attribute in the assessed process. Some aspects of achievement of the attribute
may be unpredictable. (15 to 50 percent achievement)
• L (Largely achieved)—There is evidence of a systematic approach to, and significant
achievement of, the defined attribute in the assessed process. Some weakness related to this
attribute may exist in the assessed process. (50 to 85 percent achievement)
• F (Fully achieved)—There is evidence of a complete and systematic approach to, and full
achievement of, the defined attribute in the assessed process. No significant weaknesses
related to this attribute exist in the assessed process. (85 to 100 percent achievement)
2. In addition, the process (governance or management) practices can be assessed using the
same rating scale, expressing the extent to which the base practices are applied.
3. To further refine the assessment, the work products also may be taken into consideration to
determine the extent to which a specific assessment attribute has been achieved.
![Page 87: September 17, 2012 Pittsburgh ISACA Chapter](https://reader036.fdocuments.us/reader036/viewer/2022081605/587892361a28ab53078b7a4e/html5/thumbnails/87.jpg)
Auditor Tips
• Evidence of activities (as well as inputs/outputs) is critical in assessing the existence of controls
• Information and metrics/measurements are key to any critical IT process.
![Page 88: September 17, 2012 Pittsburgh ISACA Chapter](https://reader036.fdocuments.us/reader036/viewer/2022081605/587892361a28ab53078b7a4e/html5/thumbnails/88.jpg)
Remaining Thoughts
• COBIT has evolved to provide the overarching framework for organizations to achieve IT governance while leveraging other industry best practices, frameworks, and models to provide prescriptive actions.
• COBIT promotes tight alignment between IT processes and enterprise goals.
• COBIT is a useful tool beyond just the standard audit guidance.
![Page 89: September 17, 2012 Pittsburgh ISACA Chapter](https://reader036.fdocuments.us/reader036/viewer/2022081605/587892361a28ab53078b7a4e/html5/thumbnails/89.jpg)
Questions?
Thank you