Post on 30-Jan-2018
transcript
Preview of COBIT® 5
(Differences between v4.0/4.1 and v5) December 8, 2011
Preview of COBIT5 Page 2
AGENDA
► Introductions
► Quick COBIT® Overview
► Drivers of COBIT®5 – Increased focus on Enterprise Governance
► Benefits of COBIT®5
► Updated Process Model
► Details of the Change
► New - COBIT® 5 Process Capability Model
► Wrap Up
COBIT® - An Overview
Preview of COBIT5 Page 4
COBIT® 4.1 – The IT governance framework
• Internationally accepted good practices
• Management-oriented
• Supported by tools and training
• Freely available
• Sharing knowledge and leveraging expert volunteers
• Continually evolving
• Maintained by reputable not-for-profit organization
• Maps strongly to all major related standards
• Is a reference, set of best practices, not an “off-the-shelf” cure
The only IT management and control framework that covers the end-to-end IT life cycle
COBIT best practices repository for: IT Processes, IT Management Processes, IT Governance Processes
Preview of COBIT5 Page 5
COBIT® history
COBIT® has evolved from an auditor's tool to an IT governance framework, used increasingly by IT management.
Scope progression (figure): Audit, Control, Management, Governance
Timeline: COBIT 1 (1996), COBIT 2 (1998), COBIT 3 (2000), COBIT 4 (2005)
Preview of COBIT5 Page 6
Introduction to COBIT®
Preview of COBIT5 Page 7
Waterfall model (figure): The control of IT Processes that satisfy Business Requirements is enabled by Control Statements, considering Control Practices.
4 Domains - 34 Processes - 210 Control Objectives
Preview of COBIT5 Page 8
Process orientation
Domains: Natural grouping of processes, often matching an organizational domain of responsibility
Processes: A series of joined activities with natural control breaks
Activities or tasks: Actions needed to achieve a measurable result; activities have a life cycle whereas tasks are discrete
Preview of COBIT5 Page 9
Process Orientation
IT Domains (natural grouping of processes, often matching an organisational domain of responsibility):
• Plan and Organize
• Acquire and Implement
• Deliver and Support
• Monitor and Evaluate
IT Processes (a series of joined activities with natural control breaks), for example:
• IT strategy
• Computer operations
• Incident handling
• Acceptance testing
• Change management
• Contingency planning
• Problem management
Activities (actions needed to achieve a measurable result; activities have a life cycle whereas tasks are discrete), for example in problem management:
• Record new problem.
• Analyse.
• Propose solution.
• Monitor solution.
• Record known problem.
Preview of COBIT5 Page 10
COBIT® processes
Planning and Organizing
Acquire and Implement
PO1 Define an IT Strategic Plan
PO2 Define the Information Architecture
PO3 Determine Technological Direction
PO4 Define the IT Processes, Organisation and Relationships
PO5 Manage the IT Investment
PO6 Communicate Management Aims and Direction
PO7 Manage IT Human Resources
PO8 Manage Quality
PO9 Assess and Manage IT Risks
PO10 Manage Projects
AI1 Identify Automated Solutions
AI2 Acquire and Maintain Application Software
AI3 Acquire and Maintain Technology Infrastructure
AI4 Enable Operation and Use
AI5 Procure IT Resources
AI6 Manage Changes
AI7 Install and Accredit Solutions and Changes
Preview of COBIT5 Page 11
COBIT® processes
Deliver and Support
Monitor and Evaluate
DS1 Define and Manage Service Levels
DS2 Manage Third-party Services
DS3 Manage Performance and Capacity
DS4 Ensure Continuous Service
DS5 Ensure Systems Security
DS6 Identify and Allocate Costs
DS7 Educate and Train Users
DS8 Manage Service Desk and Incidents
DS9 Manage the Configuration
DS10 Manage Problems
DS11 Manage Data
DS12 Manage the Physical Environment
DS13 Manage Operations
ME1 Monitor and Evaluate IT Performance
ME2 Monitor and Evaluate Internal Control
ME3 Ensure Regulatory Compliance
ME4 Provide IT Governance
Preview of COBIT5 Page 12
COBIT® framework (cube figure)
Business Objectives
Information Criteria:
• Effectiveness
• Efficiency
• Confidentiality
• Integrity
• Availability
• Compliance
• Reliability
IT Resources:
• Data
• Application Systems
• Technology
• Facilities
• People
IT Processes by domain: Plan and Organise, Acquire and Implement, Deliver and Support, Monitor and Evaluate
Preview of COBIT5 Page 13
COBIT® IT processes (figure): Information flows through the four domains Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate
PO1 Define a strategic IT plan.
PO2 Define the information architecture.
PO3 Determine technological direction.
PO4 Define the IT processes,
organisation and relationships.
PO5 Manage the IT investment.
PO6 Communicate management aims
and direction.
PO7 Manage IT human resources.
PO8 Manage quality.
PO9 Assess and manage IT risks.
PO10 Manage projects.
AI1 Identify automated solutions.
AI2 Acquire and maintain application software.
AI3 Acquire and maintain technology
infrastructure.
AI4 Enable operation and use.
AI5 Procure IT resources.
AI6 Manage changes.
AI7 Install and accredit solutions and changes.
DS1 Define and manage service levels.
DS2 Manage third-party services.
DS3 Manage performance and capacity.
DS4 Ensure continuous service.
DS5 Ensure systems security.
DS6 Identify and allocate costs.
DS7 Educate and train users.
DS8 Manage service desk and incidents.
DS9 Manage the configuration.
DS10 Manage problems.
DS11 Manage data.
DS12 Manage the physical environment.
DS13 Manage operations.
ME1 Monitor and evaluate IT performance.
ME2 Monitor and evaluate internal control.
ME3 Ensure regulatory compliance.
ME4 Provide IT governance.
Preview of COBIT5 Page 14
Linking business goals to IT goals
Preview of COBIT5 Page 15
Linking IT goals to IT processes
Preview of COBIT5 Page 16
For 34 IT processes you have …
• Process description
• IT domain & Information indicators
• IT goals
• Process goals
• Key practices
• Key metrics
• IT governance & IT resource
Preview of COBIT5 Page 17
Five focus areas of IT governance
IT Governance Domains (figure): Strategic Alignment, Value Delivery, Risk Management, Resource Management, Performance Measurement
1. Strategic Alignment: aligning with the business and providing collaborative solutions
2. Value Delivery: focus on IT costs and proof of value
3. Risk Management: safeguarding assets, business continuity and compliance
4. Resource Management: IT assets, knowledge, infrastructure and partners
5. Performance Measurement: metrics, IT Scorecards and dashboards
FOCUS AREAS
Are we doing the right things?
Are we getting the benefits?
Are we getting them done well?
Are we doing them the right way?
Preview of COBIT5 Page 18
Governance lifecycle
COBIT®5 Update
Preview of COBIT5 Page 20
► The initiative charge from the Board of Directors:
► “tie together and reinforce all ISACA knowledge assets with COBIT.”
► The COBIT 5 Task Force:
► experts from ISACA constituency groups
► reports to the Framework Committee and then the Knowledge Board
COBIT ®5 initiative
Preview of COBIT5 Page 21
► Increased Focus on Enterprise Governance
► Link and reinforce all ISACA's Guidance
► Primary - VAL IT, Risk IT
► Considering BMIS, ITAF, TGF, Board Briefing
► Need to connect to other frameworks and standards (such as, ITIL, PMBOK, Prince2, TOGAF, ISO)
► Further guidance in high interest areas
► Improve ease of use, consistency in concepts, terminology, & level of detail
► Scope covers full end-to-end business and IT functional responsibilities
News Major Drivers for COBIT® 5
Preview of COBIT5 Page 22
► Concepts and Objectives
► Enterprises exist to deliver value to their Stakeholders
► Achieved within value and risk parameters and use of resources responsibly
► Governance system “steers” via means and mechanisms within an effective structure
► Incident-caused and legislation-driven need
► Governance at the top of the agenda for most enterprises
News Increased Focus on Enterprise Governance
Preview of COBIT5 Page 23
Governance Objective
Preview of COBIT5 Page 24
► Practical guidance with consideration of all, unique
stakeholders
► Non-technical overarching framework
► Clear distinction between governance and management
► Scope addressing management and governance of information
► Clear migration guidance from prior versions
► Process model updates addressing innovation and emerging technologies
► Addressing governance enablers such as behavior, skills and decision making
News Responding Features from COBIT®5
Preview of COBIT5 Page 25
Distinction between Governance and Management Processes
Preview of COBIT5 Page 26
COBIT ®5 Governance Enablers
• Processes
• Organisational Structures
• Culture, Ethics, Behaviour
• Information
• Principles & Policies
• Skills & Competencies
• Service Capabilities
Preview of COBIT5 Page 27
► Enterprise wide benefits:
► Increased value creation through effective governance and management of enterprise information and technology assets
► Increased business user satisfaction with IT engagement and services; IT seen as a key enabler
► Increased compliance with relevant laws, regulations and policies
► IT function becomes more business focused
► Increases the COBIT® 5 users' contribution to the enterprise
Benefits of Using COBIT® 5
Preview of COBIT5 Page 28
► Represents all the processes normally found in an enterprise relating to IT
► Provides a common reference model understandable to IT and business managers
► Provides a common language
► Provides a framework for measuring and monitoring IT performance, communicating with service providers, and integrating best management practices
► Subdivides governance (1) and management (4) domains.
► 36 Processes
► VAL IT and Risk IT integrated
News Process Reference Model
Preview of COBIT5 Page 29
Process Reference Model
Preview of COBIT5 Page 30
► 4 Domains to 5 Domains (1 Governance & 4 Management)
► Domains have 3-character acronyms vs. 2-character acronyms:
► EDM (Evaluate, Direct & Monitor)
► APO (Align, Plan & Organise)
► BAI (Build, Acquire & Implement)
► DSS (Deliver, Service & Support)
► MEA (Monitor, Evaluate & Assess)
► 34 COBIT 4.1 processes to 5 Governance processes and 31 Management processes in COBIT 5 = 36 processes
News Review of Process Changes
Preview of COBIT5 Page 31
► New and modified processes
► APO3 – Manage Enterprise Architecture (combo of PO2 and PO3)
► APO4 – Manage Innovation (new)
► APO5 – Manage Portfolio (previous PO5 Manage IT Investments)
► APO6 – Manage Budget and Costs (previous PO5 IT Investments)
► APO8 – Manage Relationships (new)
► BAI5 – Enable Organizational Change (new)
► BAI8 – Knowledge Management (new)
► DSS2 – Manage Assets (new)
► DSS8 – Manage Business Process Controls (new)
News Review of Process Changes
Preview of COBIT5 Page 32
Process Enabler Model
Preview of COBIT5 Page 33
► A separate publication that expands on the process-enabler model
► Contains full details of the COBIT processes in a similar way to the process documentation in COBIT 4.1
► Process description and purpose
► Goals cascade (enterprise and IT)
► Process goals and metrics
► Process practices, activities and inputs/Outputs at practice level
► RACI Chart
► Integrates contents of 4.1, VAL IT and RISK IT
► Mapping between COBIT 5 and Legacy ISACA Frameworks
News Process Reference Guide
Preview of COBIT5 Page 34
► Architecture changes emphasizing systemic nature of a governance and management system
► Process Model changes
► Integration of COBIT, VAL IT, Risk IT with explicit structural differentiation between governance and management processes
► Framework components reviewed and simplified
News Most important differences between COBIT ®5 and earlier versions.
Preview of COBIT5 Page 35
► Alignment with the most up-to-date views on Governance as expressed in the Taking Governance Forward initiative and ISO/IEC 38500, resulting in an overarching architecture with
  o Stakeholder driven governance and management of enterprise IT.
  o Governance Objectives being defined in terms of Value, Risk and Resource Use optimization.
► Systemic nature of enterprise governance, demonstrated by
  o A set of interconnected and interrelated enablers to support governance of enterprise IT and ensure objectives are achieved
  o Note: ISO/IEC 38500, the Corporate governance of information technology standard, provides a framework for effective governance of IT to assist those at the highest level of organizations to understand and fulfill their legal, regulatory, and ethical obligations in respect of their organizations' use of IT.
News Architecture Change Principles
Preview of COBIT5 Page 36
News COBIT ®5 Architecture
Architecture figure:
Stakeholder Needs drive Governance Objectives: Value (Benefits, Risk, Resource)
COBIT 5 Enablers: Processes; Organisational Structures; Culture, Ethics, Behaviour; Information; Principles and Policies; Skills and Competencies; Service Capabilities
COBIT 5 Knowledge Base: current guidance and contents; structure for future contents; fed by existing ISACA guidance (COBIT, Val IT, Risk IT, BMIS, …) and other standards and frameworks; accessed through a Content Filter
COBIT 5 Product Family:
• COBIT 5: The Framework
• COBIT 5 Enabler Guides: Process Reference Guide; Other Enabler Guidance
• COBIT 5 Practice Guides: Framework Implementation Guide; COBIT 5 for Security; Other Practice Guides
• COBIT 5 Online Collaborative Environment
Preview of COBIT5 Page 37
► Addition of a separate 'Governance' domain, which contains five separate governance processes for enterprise IT (5 Domains)
► Continuation of the 'Management' domains concept, where 31 processes are included, spread over four domains. Domains now have 3-character acronyms compared to 2-character acronyms in COBIT 4.1 (PO, AI, DS, ME to EDM, APO, BAI, DSS, MEA).
► Some of the processes are very similar to their predecessors, some are a consolidation of processes in earlier frameworks, and some new processes have been added.
News Process Model Change Principles
Preview of COBIT5 Page 38
► The names have been changed from Business Goals to Enterprise Goals, and from IT Goals to IT Related Goals, in order to better reflect that COBIT® 5 is intended for all sorts of enterprises, not only commercial environments, and the fact that COBIT® 5 is not only about making sure the IT function is performing, but also that the business functions assume their responsibility in providing the right direction, making good use of IT, and following up on IT investments and use.
► There are now 17 Enterprise Goals and also 17 IT Related goals. The goals are now also written more as outcome statements.
► The stakeholders for IT are now explicitly named, and there are also some illustrative stakeholder issues included in the guidance to show how the framework addresses them.
News Framework Component Changes
Preview of COBIT5 Page 39
News Enterprise Goals
Preview of COBIT5 Page 40
News IT Related Goals
Preview of COBIT5 Page 41
News Internal Stakeholder Needs
Preview of COBIT5 Page 42
News External Stakeholder Needs
Preview of COBIT5 Page 43
► Process Capability Model
► Based on ISO/IEC 15504 “Software Engineering – Process Assessment Std.”
► Different from the COBIT® 4.1 Maturity Model in design and use.
► Focus on capability
News The NEW COBIT ® 5 Process Capability Model
Preview of COBIT5 Page 44
► Six levels of capability including “incomplete”
► Each level can only be achieved when the level below is fully achieved
► Level 1 is “largely achieved” and benefits realized by the organization
► Higher capabilities add differing attributes and benefits
News Process Capability Model Characteristics
Preview of COBIT5 Page 45
► Naming and meaning of levels are different
► Process is described in terms of its purpose and outcomes
► Maturity level in COBIT ®4 and capability level in COBIT ®5 are not directly comparable and cannot be used interchangeably or mixed.
► Scores in COBIT®5 will be lower because all process capabilities must be completed at the lower level first
► Nine Process Capability Attributes (v5) vs. six maturity Attributes (v4)
News Differences - COBIT ®5 PCM and COBIT ®4.1 MM
Preview of COBIT5 Page 46
COBIT 4.1 Maturity Model Comparison to
COBIT 5 Process Capability Levels
Preview of COBIT5 Page 47
Comparison of v4 Maturity Attributes vs.
V5 Process Capability Attributes
Preview of COBIT5 Page 48
► COBIT ®5 Major changes
► Consolidation of frameworks
► Adjustment of domains and processes
► 4 to 5 domains
► 34 to 36 IT Processes
► Assessment process changed to focus on Capability using ISO 15504
News COBIT ®5 Preview Summary
Preview of COBIT5 Page 49
► An enterprise wide, “end-to-end” framework addressing governance and management of information and related technology
► The framework structure will include familiar components such as a domain/process model and other components such as governance/management practices, RACI charts and inputs/outputs.
► An initial publication introduces, defines and describes the components that make up the COBIT®5 Framework
► Principles
► Architecture
► Enablers
► Introduction to implementation guidance and the COBIT process assessment approach
The COBIT® 5 Framework – What will be delivered?
Preview of COBIT5 Page 50
• As the initiative progresses throughout 2011 and 2012 there will be periodic updates provided:
On the ISACA web site, www.isaca.org/COBIT5
In the COBIT Focus newsletter
In other ISACA membership communications, events, marketing materials and PR activities
• Watch these spaces for more news!
COBIT® 5 news
Preview of COBIT5 Page 51
Thank you
Contact details:
Ernst & Young’s
IT Risk Management Center of Excellence
Josh Turcotte, CISA
Email: Josh.Turcotte@ey.com
Phone: (214) 969 0678 (Dallas)
Stacey Hamaker, CISA CIA
Email: Stacey.Hamaker@ey.com
Phone: (214) 969 8832 (Dallas)
This presentation contains materials that are property of ISACA and Ernst & Young. All rights reserved.