IT Governance with COBIT and Risk Management
by Michael Curry
Outline
• Review: need for IT Controls & COBIT
• The COBIT Framework
• How COBIT is Used
• Making a Case for BIS Acquisition
• Calculating ROI (CBRA)
  – Cost
  – Benefit
  – Risk
  – Analysis and Recommendations
Review: The Need for IT Controls
• Organizations heavily depend on IT systems
  – They are complex and difficult to manage
  – Increasing disconnects between business goals and IT (cost, reliability, security, accuracy, availability, performance, complexity, etc.)
• Controls are needed to better connect IT with business goals and objectives
• COBIT is one such framework that is unique because:
  – It is suggestive, not prescriptive
  – It takes into account different points of view (management, IT teams and auditors)
Digging Deeper: How COBIT works
• Business goals should be closely linked to IT goals
• This link is complex, involving:
  – Applications
  – Information
  – Infrastructure
  – People
  – IT processes
Digging Deeper: How COBIT works
COBIT separates business and IT processes into 4 distinct areas:
• IT: implements the requirements and provides control indicators of service quality
• Business: defines requirements and uses IT services
and assigns responsibility for those processes.
How to Approach an Issue Using COBIT
1. Start by looking over the 34 Processes to see if one seems like a logical fit for the issue
2. Review Description and Control Objectives to validate this is the right Process for the issue
3. Consult the inputs/outputs to see what other processes are related to this issue
4. Review the RACI chart to begin organizing team members around resolution activities
5. Consult the Goals & Objectives and Maturity Model to identify current capability and steps needed to reach desired level
• Control Objectives for PO9
  – PO9.1 IT Risk Management Framework
  – PO9.2 Establishment of Risk Context
  – PO9.3 Event Identification
  – PO9.4 Risk Assessment
  – PO9.5 Risk Response
  – PO9.6 Maintenance and Monitoring of a Risk Action Plan
• Which objectives should we be focused on?
• PO9.3 Event Identification
  – Identify threats with potential negative impact on the enterprise, including business, regulatory, legal, technology, trading partner, human resources and operational aspects
• PO9.4 Risk Assessment
  – Assess the likelihood and impact of risks, using qualitative and quantitative methods
• PO9.5 Risk Response
  – Develop a response designed to mitigate exposure to each risk
  – Identify risk strategies such as avoidance, reduction, acceptance
  – Determine associated responsibilities and consider risk tolerance levels
Risk Management: Why Bother?
• Protect the company’s reputation
• Meet increasing expectations of customers, legislators, regulators, investors, etc.
• Manage real crisis situations to the best outcome
• Create a culture that anticipates and resolves risks before they happen
• A responsible measure for business to take
“fail to plan is a plan to fail”
Sources of Risk
• Processes: events related to business operations
• People: events caused by employee errors or misdeeds
• Systems: disruption due to technology failure
• External events: outside factors threatening operations
• -OR- a combination of one or more of the above!
Examples:
• A programming error causes miscalculation in prices: Systems (program) → Processes (pricing)
• A fire occurs destroying the IT system and causing disruption to the business: External event (fire) → Systems (unavailable) → Processes (disrupted)
COBIT Maturity
• Maturity is a measure of management practices
• It primarily depends on IT controls and the underlying business needs they support
• Each process is rated on a scale of 0 to 5:
  0: Management processes are not applied at all
  1: Processes are ad hoc and disorganized
  2: Processes follow a regular pattern
  3: Processes are documented and communicated
  4: Processes are monitored and measured
  5: Good practices are followed and automated
• Not all processes need the same maturity goals across the entire IT environment (that would be a poor use of resources)
Take Away
• Understand how COBIT’s 34 processes help unify business goals with IT goals and why that is a desirable result
• Given a business and IT issue, use COBIT to identify the steps to resolve it
• Complete a risk assessment as recommended by PO9 (risks, KRI & mitigation)
• Understand how the Maturity Model is used to measure management and IT capabilities