1 The COBIT 5 First Aid Kit - ITpreneurs Online Campus:...

The COBIT 5® First Aid KitEssential information for professionals and enterprises using COBIT 5®

1

2

The COBIT 5® First Aid KitThe COBIT 5® First Aid Kit is an essential toolkit for the effective utilization of COBIT 5® in any enterprise. The kit provides essential COBIT 5® components to support you when you need them the most. In any IT governance emergency, think of this kit before looking elsewhere.

COBIT is a registered trademark of ISACA and the IT Governance Institute. © 2012 ISACA. All rights reserved.

I T G o v e r n a n c e

FaK_coB_060309_en

3

Typical IT Challenges

Aligning IT with Business

Enforcing Security

Keeping IT Up and Running

Managing Complexity

Achieving Regulatory Compliance

Balancing Value and Cost

Enterprises require a structured approach to

manage these and other challenges.

IT Governance ensures that there are agreed objectives for IT, good management controls are in place, and performance is monitored to avoid unexpected outcomes.

44

5IT Governance?Governance ensures that stakeholder needs, conditions, and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritization and decision making; and monitoring performance and compliance against agreed-on direction and objectives. While management executes the direction set by the board by planning, building, delivering, and monitoring operational activities to achieve enterprise objectives.

Optimizing risks

Realizing benefits

Optimizing resources

IT governance is an integral part of enterprise governance.

6Enterprise Governance

PERFORMANCE

Improving profitability,

efficiency, effectiveness,

growth, and so on.

CONFORMANCE

Adhering to legislation,

internal policies, audit

requirements, and so on. PERFORMANCE

CONFORMANCE

7Internal Stakeholders of IT Governancei n t e r n a l S ta k e h o l d e r S i n t e r e S t S

IT Manager How do I manage IT performance?

Board and Executives How do I get value from IT?

IT Auditor How do I provide independent assurance?

Business Executive and Process Owner How do I exploit IT for strategic advantages?

Risk and Compliance Manager How do I ensure compliance with policies, regulations, and laws?

8e X t e r n a l S ta k e h o l d e r S i n t e r e S t S

Regulators Do you comply with regulations?

Suppliers Is my business partner secure and reliable?

External Auditor Are there adequate financial controls?

Customers Is my personal information secure and private?

External Stakeholders of IT Governance

COBIT 5® Principles

COBIT 5® Principles

Meeting Stakeholder

needs

Separating Governance from

Management

Enabling a holistic

Approach

Applying a Single Integrated

Framework

Covering the Enterprise End to End

9

COBIT Provides a Framework for IT Governance Effective governance and management can only be achieved by adopting and implementing a suitable

framework that:

Considers all stakeholders.

Addresses all the necessary enablers.

Is based on best practices and standards.

Controls the use of information and IT enterprise -wide.

Clarifies the scope of governance and management.

10

Benefits of IT Governance

Increased efficiencies and optimized costs

Better returns on IT-related investments

Confidence and trust of senior management

Transparent and meaningful management information about IT performance

Solutions and services that are reliable, secure, and aligned with business needs and priorities

Nimble enterprise that can respond quickly to changing IT-related requirements

risks

Costs Failures

Incidents

Benefits

Trust rOI

Transparency

11

Implementation of Effective IT Governance using COBIT 5® 12Enables the mapping of enterprise goals to IT-related goals and of IT-related goals to process goals.

Allows for better alignment based on a business focus.

Provides a management view of IT performance that is understandable.

Defines clear ownership and responsibilities based on process orientation.

Establishes general acceptability with third parties and regulators.

Creates shared understanding among all stakeholders based on a common language.

11

COBIT 5®:

COBIT 5® addresses the governance and management of information and related technology from an enterprise-wide, end-to-end perspective. This means:

•COBIT 5® integrates governance of enterprise IT into

enterprise governance.

•COBIT 5® covers all functions and processes within the

enterprise.

COBIT 5® is a single and integrated framework because it:

Aligns with the latest relevant standards and frameworks.

Is complete in enterprise coverage.

Provides a simple architecture.

Also integrates all knowledge.

c o B I T 5 ® o v e r v I e w

13Covering the Enterprise End-to-End

COBIT 5® focuses on the following IT governance enablers:

Processes

Information

Organizational structures

Culture, ethics, and behavior

People, skills, and competencies

Services, infrastructure, and applications

Frameworks, principles, and policies

14COBIT 5® Enablers

CONFORMANCELegal and Contractual Requirements

BALANCEDSCORECARD COSO/OECD/KING III

ISO/IEC 9001:2008

ISO/IEC 27000:2009

ITIL 2011 & ISO/IEC 20000:2008

QAPROCEDURES

SECURITYPRINCIPLES

IT SERVICE MANAGEMENT PRINCIPLES

DRIVERS

ENTERPRISE GOVERNANCE

IT GOVERNANCE

BEST PRACTICE STANDARDS

PROCESS AND PROCEDURES

COBIT 5

PERFORMANCEEnterprise Goals

®

COBIT and Other Frameworks 15

16Processes for Governance of Enterprise IT

Evaluate, Direct, and Monitor

17

18The COBIT 5® Process Components: Practices

Each COBIT 5® process has Activities and Practices.

For each COBIT 5® process, the governance and management practices provide a complete set of high-level requirements for effective and practical governance and management of enterprise IT.

19The COBIT 5® Process Components: ActivitiesActivities provide guidance to achieve key practices and provide the how, why, and what to implement and improve IT performance and address risks.

how what

why

Improving IT perform

ance

Implem

enting

COBIT 5® Activities Governance or management practice

20Inputs and OutputsEach COBIT 5® process also has inputs and outputs that are defined for each management practice. Process linkages are shown for each input and output. Some outputs are only internal to the process.

Inputs and Outputs for a process

21Process Goals and Metrics

Goals and metrics describe how processes should be measured. These are defined at three levels:

Enterprise goals and metrics: Define the strategic objectives of the enterprise and how these goals will be measured by execu-

tive management.

IT-related goals and metrics: Define what the enterprise expects from its use of IT, and what the business will use to measure

use of IT.

Process goals and metrics: Define what the governance and management of IT processes must deliver to support the IT-relat-

ed goals, that is, how the IT process owner will be measured.

RACI charts indicate roles and responsibilities in relation to processes and activities.

For a variety oF roles, For example:

22COBIT and Process Roles and Ownership

•Chief executive officer (Ceo)

•Chief financial officer (CFo)

•Business executives

•Chief information officer (Cio)

•Business process owner

•Head operations

•Chief architect

•Head development

•Head it administration

•the project management office (pmo) or function

•Compliance, audit, risk, and security

rRESPONSIBLE

aACCOUNTABLE

CCONSULTED

iINFORMED

W h o i s :

c o B I T aT a G l a n c e

23The New ISO/IEC 15504 Process Capability Assessment Approach

The COBIT 5® product set includes a new process assessment model, based on the internationally recognized

ISO/IEC 15504 Software Engineering—Process Assessment standard.

Process Assessment Model

Level 5 Optimizing Process (2 attributes) Level 4 Predictable Process (2 attributes) Level 3 Established Process (2 attributes) Level 2 Managed Process (2 attributes) Level 1 Performed Process (1 attribute) Level 0 Incomplete Process

Based on ISO/IEC 15504-2

Capability Dimension

Process Dimension EDM Evaluate, direct and Monitor

APO Align, Plan and Organise

BAI Build, Acquire and Implement DSS

Deliver, Service and Support MEA

Monitor, Evaluate and Assess

reviewing the process outcomes.

Assessing the process (governance or management) practices.

Considering the work products.

24Process Assessment

The assessment distinguishes between assessing capability level 1 and the higher levels. Capability level 1 can be

assessed by:

25Higher Process Capability Levels

For higher process capability levels, the standard generic practices and work products taken from ISO/IEC

15504:2 are used. An example for PA 2.1, Performance Management, is:

Result of Full Achievement of the Attribute

Generic Practices (GPs) Generic Work Products (GWPs)

a. Objectives for the

performance of the process

are identified.

GP 2.1.1 Identify the objectives for

the performance of the process. The

performance objectives, scoped together with

assumptions and constraints, are defined and

communicated.

GWP 1.0 Process documentation should outline the process

scope.

GWP 2.0 Process plan should provide details of the process

performance outcomes.

b. Performance of the process

is planned and monitored.

GP 2.1.2 Plan and monitor the performance of the process to fulfill the identified objectives.

Basic measures of process performance

linked to business objectives are established

and monitored. They include key milestones,

required activities, estimates and schedules.

GWP 2.0 Process plan should provide details of the process

performance outcomes.

GWP 9.0 Process performance records should provide

details of the outcomes.

Note: At this level, the record of process performance may be

in the form of reports, issues registers and informal records.

26Application of the COBIT 4 Maturity Model Approach with COBIT 5®

The most important differences between an ISO/IEC 15504–based process capability assessment and the current

COBIT 4.1 maturity model are:

The naming style and meaning of the capability levels.

different types of attributes. requirement for an

ISO/IEC 15504:2 compliant process reference model.

27Maturity Profile of an Enterprise

The difference between the COBIT 4.1 maturity model and COBIT 5® assessment model is:

In COBIT 4.1, the maturity model produced a maturity profile of an enterprise primarily for benchmarking purposes, not for formal assessments.

In COBIT 5®, the assessment model provides a measurement scale for each capability attribute; each level must be achieved completely before reaching the next level.

TOOLS AND AUTOMATION

SKILLS AND EXPERTISE

RESPONSIBILITY AND ACCOUNTABILITY

GOAL SETTING AND MEASUREMENT

AWARENESS AND COMMUNICATION

POLICIES, STANDARDS AND

PROCEDURES

28Using the COBIT 4.1 CMM Method for COBIT 5®

recognition of the need for the process is emerging. There is

sporadic communication about issues.

There is an awareness of the need to act. The management

communicates the overall issues.

There is an understanding of the need to act. The

management is more formal and structured in its communication.

There is an understanding of the total requirements.

Mature communication techniques are applied and standard communication tools are in use.

There is an advanced, forward-looking understanding of

requirements. There is proactive communication of issues based on trends, mature communication techniques are applied, and integrated communication tools are in use.

51 2 3 4



PROCEDURES






There are ad-hoc approaches to processes and

practices and the processes and policies are undefined.

Similar and common processes emerge but are largely intuitive

because of individual expertise. Some aspects of the process are repeatable because of individual expertise and the existence of some documentation and an informal understanding of policy and procedures.

Usage of good practices emerges. Processes, policies,

and procedures are defined and documented for all key activities.

The process is sound and complete and internal best

practices are applied. All aspects of the process are documented and repeatable. Policies have been approved and signed off by the management. Standards for developing and maintaining the processes and procedures are adopted and followed.

External best practices and standards are applied.

Process documentation has evolved to automated workflows. Processes, policies, and procedures are standardized and integrated to enable end-to-end management and improvement.

51 2 3 4






PROCEDURES



Some tools may exist and usage is based on standard desktop

tools. There is no planned approach to tool usage.

Common approaches to the use of tools exist but are based

on solutions developed by key individuals. Vendor tools may have been acquired but are probably not applied correctly and may even be shelf ware.

A plan has been defined for the use and standardization

of tools to automate the process. Tools are being used for their basic purposes but may not all be in accordance with the agreed plan and may not be integrated with one another.

Tools are implemented according to

a standardized plan and some have been integrated with other related tools. Tools are being used in main areas to automate the management of the process and monitor critical activities and controls.

Standardized toolsets are used across the enterprise. Tools are

fully integrated with other related tools to enable end-to-end support for the processes. Tools are being used to support the improvement of the process and automatically detect control exceptions.

51 2 3 4





PROCEDURES




Skills required for the process are not identified. A training

plan does not exist and no formal training takes place.

Minimum skill requirements are identified for critical

areas. Training is provided in response to needs, rather than based on an agreed plan, and informal on-the-job training occurs.

Skill requirements are defined and documented for all

areas. A formal training plan has been developed, but formal training is still based on individual initiatives.

Skill requirements and proficiency are updated and

ensured for all areas. Mature training techniques are applied according to the training plan and knowledge sharing is encouraged. All internal domain experts are involved and the effectiveness of the training plan is assessed.

The organization encourages continuous

improvement of skills based on defined personal and organizational goals. Training and education support external best practices, the use of leading-edge concepts and techniques, deployment of knowledge-based systems, and the advice of experts and leaders.

51 2 3 4







PROCEDURES


There is no definition of accountability and responsibility.

People take ownership of issues based on their own initiative and on a reactive basis.

An individual assumes responsibility and is usually held

accountable, even if this is not formally agreed. There is confusion about responsibility when problems occur and a tendency toward a culture of blame.

Process responsibility and accountability are defined and

process owners have been identified. The process owner is unlikely to have full authority to exercise the responsibilities.

Process responsibility and accountability are

accepted and working in a way that enables a process owner to fully discharge responsibilities. A reward culture that motivates positive action in place.

Process owners are empowered to make decisions and

take action. Acceptance of responsibility has been cascaded down throughout the organization in a consistent fashion.

51 2 3 4







PROCEDURES


Goals are not clear and no measurement takes place.

Some goal setting occurs and a few financial measures

are established but are known only by senior management. There is inconsistent monitoring in isolated areas.

Some effectiveness, goals and measures are set but not

communicated, and there is a clear link to business goals. Measurement processes emerge but are not consistently applied. IT balanced-scorecard concepts are being adopted, as is occasional intuitive application of root cause analysis.

Efficiency and effectiveness are measured,

communicated, and linked to business goals and the IT strategic plan. The IT balanced scorecard is implemented in some areas with some exceptions and root cause analysis is being standardized. Continuous improvement is emerging.

There is an integrated performance measurement system

linking IT performance to business goals by the global application of the IT balanced scorecard. Exceptions are globally and consistently noted by the management and a root cause analysis is applied.

51 2 3 4

Training solutions that help

professionals and organizations

understand and implement COBIT in

a better manner.

“A best practice is only as good as the person using it.”

34COBIT Education

c o B I T e d u c aT I o n

35Mastering COBIT Using Effective Learning Solutions Enterprises using or planning to use COBIT to improve IT governance and management

Suitable for business, IT and assurance professionals

From awareness level understanding to be expert practitioner or advisor

Please go to www.itpreneurs.com/cobit to learn more about the ITpreneurs COBIT 5® course offerings.

We would like to hear from you if you have

any suggestions or ideas or if you have been

involved in an IT governance crisis for which

you did not find an answer in the kit.

Forward your comments and suggestions to

[email protected].

36Your Opinion Counts!

ITIL® COBIT® TOGAF® TIPA® XBRL®

Cloud Computing® PRINCE2®

Kepner-Tregoe® PMBOK® ISO/IEC 27001®

37ITpreneurs’ IT Best Practice Domains

ITpreneurs is a global provider of training solutions in the IT management and IT governance best practice domains.

For more information visit www.ITpreneurs.com

www.ITpreneurs.com

38

Date post:	12-May-2018
Category:	Documents
Upload:	hoangdang
View:	219 times
Download:	1 times

1 The COBIT 5 First Aid Kit - ITpreneurs Online Campus:...

Documents