
Introduction to COBIT

Date post: 14-Dec-2014
Upload: cukup-nie-sajah
Page 1: Introduction to COBIT

Introduction to COBIT for IT Auditor

Armanto Witjaksono


Authoritative, up-to-date, international set of generally accepted IT control objectives and control practices for day-to-day use by business managers and auditors.

Structured and organized to provide a powerful control model and evaluative tool


Overview

COBIT – Control Objectives for Information and related Technology

Currently at version 4.1

A model designed for control of the IT function

Supports IT governance by providing a comprehensive description of the control objectives for IT processes



Overview of CobiT

What CobiT is not!!

o Audit software
o An IT audit plan
o An IT Internal Audit workprogram
o An IT audit testing plan
o Guide on “How to Audit” IT

Overview of CobiT

Then what is CobiT?

o It is the Control Objectives for Information and related Technology

o A methodology consisting of standards and controls created to assist IT professionals in the implementation, review, administration and monitoring of an IT environment.

o The CobiT Executive Summary and Framework were released in December 1995, Control Objectives in April 1996, and Audit Guidelines followed in September 1996.

o A tool for IT professionals that links information technology and control practices

o CobiT consolidates and harmonizes standards from prominent global sources into a critical resource for management, control professionals and auditors.


Overview of CobiT

o CobiT represents

1. A control framework,

2. a set of generally accepted control objectives, and

3. the CobiT Audit Guidelines.

o CobiT is based on the philosophy that IT resources need to be managed by a set of naturally grouped processes in order to provide the pertinent and reliable information an organization needs to achieve its objectives.

o CobiT is business process oriented and provides business process owners with a framework that should enable them to control all the different activities underlying IT deployment.


Overview of CobiT

What is the purpose of CobiT?

o To provide management and business process owners with an Information Technology (IT) governance model that helps in understanding and managing the risks associated with IT.

o CobiT helps bridge the gaps between business risks, control needs and technical issues by presenting the controls through one vehicle.

o It is a control model to meet the needs of IT governance and ensure the integrity of information and information systems.

Overview of CobiT

Promotes an improved focus on business information requirements

Helps ensure that IT processes are defined and that responsibilities are assigned

Supports management’s efforts to demonstrate due diligence

Serves as excellent criteria for evaluation

Strengthens the understanding, design, implementation, exercise, and evaluation of internal control

Focuses on information having integrity, being secure, and available.

Management-oriented

Supports corporate and IT governance

Process-oriented

Controls-based

Measurement-driven

Based on a Strong Foundation and Sound Principles of Internal Control

IT Resource Management

CobiT underscores and demonstrates that IT resources need to be managed by naturally grouped processes to provide organizations with the type and quality of information required to achieve organizational objectives.


COBIT

COBIT is a valuable IT governance tool that helps in the understanding and management of risks and benefits associated with information integrity, security, and availability, and the management of related technology.


Addresses key attributes of information produced by IT.

Links recommended control practices for IT to business and control objectives.

Provides guidance in implementing and evaluating the appropriateness of IT-related management control practices.

Focus on Information and IT Management

“Right” information, to only the “right” party, in the “right” format, at the “right” time, at the “right” cost.

Information that is relevant, reliable, secure, and available.

Information provided by systems that have integrity by means of a well-managed and properly controlled IT environment.

COBIT Target Groups

COBIT is primarily intended for management, business users of IT and auditors

Main target groups

o Managers – holding executive responsibility for operation of the enterprise
o End users – provide assurance of security and controls
o Auditors – independent assurance of quality and controls
o Business and IT consultants – bring knowledge and advice
o IT Service Management Professionals – provides a framework covering complete lifecycle of IT systems and services

Who is COBIT aimed at?

To Those Individuals Who are Interested in and Responsible for the Management and Evaluation of Information Technology

o Management
o IT & Business Users
o Auditors / Advisors
o Academics & Students of Management and IT
o Legislators, Regulators, Oversight Bodies
o Vendors

COBIT Structure

IT Governance Cube with 3 interrelated viewpoints (Quality Criteria, IT Processes, and IT Resources)


4 COBIT Domains

Plan & Organize – concerned with identification of the way IT can best contribute to the achievement of business objectives

Acquire and Implement – acquiring, implementing or development of IT Solutions to be integrated into business process

Deliver & Support – delivery of required services including traditional operations, security, and training

Monitor & Evaluate – regular assessment over time for quality and compliance with control requirements


COBIT mapped onto Management Cycle


Components of CobiT

The 4 Domains of CobiT

MONITORING (MO)

PLANNING & ORGANIZATION (PO)

ACQUISITION & IMPLEMENTATION (AI)

DELIVERY & SUPPORT (DS)

MONITORING (MO)

All IT processes need to be regularly assessed over time for their quality and compliance with control and regulatory requirements.

M1- Monitor the process
M2- Obtain independent assurance

Auditors need to perform procedures to ensure that the IT environment meets predefined standards with respect to controls.

PLANNING & ORGANIZATION (PO)

Addresses strategy and tactics, and concerns the identification of the way information technology can best contribute to the achievement of business objectives.

Is the IT strategy effectively controlled and will it contribute to the business objectives?

PO1- Define a strategic IT plan
PO2- Define the Information architecture
PO3- Determine technical direction
PO4- Define IT Organization and relationships
PO5- Manage the investment in IT
PO6- Communicate management aims and directions
PO7- Manage Human Resources
PO8- Ensure compliance with external requirements
PO9- Assess risks
PO10- Manage projects
PO11- Manage quality

ACQUISITION & IMPLEMENTATION (AI)

To realize the IT strategy, IT solutions need to be identified, developed and/or acquired as well as implemented and integrated into the business process.

Is the process to choose and implement IT solutions a controlled process? Does this process meet control standards?

AI1- Identify solutions
AI2- Acquire and maintain application software
AI3- Acquire and maintain technology architecture
AI4- Develop and maintain IT procedures
AI5- Install and accredit systems
AI6- Manage changes

DELIVERY & SUPPORT (DS)

Addresses the actual delivery of required information services.

Are information related services delivered in a controlled manner?

DS1- Define service levels
DS2- Manage Third Party services
DS3- Manage performance capacity
DS4- Ensure continuous service
DS5- Ensure systems security
DS6- Identify and allocate costs
DS7- Educate and train users
DS8- Assist and advise IT customers
DS9- Manage the configuration of IT systems
DS10- Manage problems and incidents
DS11- Manage data
DS12- Manage facilities
DS13- Manage operations

Overview of Internal Audit

Internal Audit

o "Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes." (Definition of Internal Auditing by the Institute of Internal Auditors, Inc.)

The mission of Internal Audit is to evaluate the efficiency and effectiveness of the entity’s procedures and related internal controls.

As Internal Auditors, we also provide control recommendations and controls advisory.


VIDEO

http://www.youtube.com/watch?v=bg_GEN8AZA0


CobiT For Internal Auditors

Who uses CobiT in the Internal Audit world?

o Typically, the IT Auditor

o Business Process Auditor

o The IT Inspection Team, or

o The IT Control Team

How is CobiT used by Internal Audit?

o Establishing control baselines and standards

o Facilitating and creating performance metrics for Risk Assessments

o Developing the audit plan

o Facilitating the audit

o Managing residual risk

o Issuing control advisory and recommendations to the IT groups

Audits that can be performed with the use of CobiT

1. Reviews of Baselines and Standards for IT

2. Information System Implementations
– Pre-Implementation Review
– Implementation of Controls
– Certification Reviews
– Post Implementation Review

3. Code Development / Source Code Management Reviews

4. General Controls Reviews

5. Data Center reviews

6. Audits of the Business Continuity Program

7. Audits of Security Configuration

8. Reviews of Security Administration

9. Reviews of IT Purchasing and Procurement

10. Application Review / Audits

11. Audits of Business Processes

BE CREATIVE! How can you fit CobiT into your audit plan?

Applications of the 4 CobiT Domains

All of the discussed types of reviews can employ the 4 CobiT domains:

– MONITORING
– PLANNING & ORGANIZATION
– ACQUISITION & IMPLEMENTATION
– DELIVERY & SUPPORT

CobiT Trends

In general, each of the 4 domains can be applied to each review with careful planning.

All IT Audit reviews should have a component that includes:

o Management controls of the information
o Review of controls over the way that information is delivered / facilitated
o How the IT control review process works, and is it working effectively

With the right planning, all reviews can be performed with the use of the 4 domains as a reference, standard, and “Best Practice” template.

Top Ten Strengths of CobiT in Internal Audit

10. Control evaluation processes are standardized across the IT environment

9. Benchmarks and standards are portable throughout the IT environment

8. System management processes across different systems can be compared

7. Post-audit benchmarking is easily achieved through existing CobiT Control Objectives

6. A common language between auditee, auditor, user management and data owners is provided

5. CobiT is globally recognized as a tool that provides guidance on IT audits and sets IT control “Best Practices”

4. International IT Audit groups can knowledge share (i.e. workprograms, test plans)

3. Audit groups can recruit based on experience with an internationally recognized audit tool

2. CobiT can easily be mapped to relevant regulatory examination criteria (FFIEC, HIPAA)

1. It's just plain old fun!

Problems Inherent to the Implementation and Use of CobiT

CobiT is a control framework with Audit Guidelines. Therefore,

o It is NOT an audit plan
o It is NOT a workprogram
o It does NOT provide for audit steps / techniques / procedures
o It does NOT define standards
o It does NOT define acceptable levels for IT processes

The use of CobiT requires a sufficient amount of experience with IT controls because it does not detail actual controls verification and testing steps.

CobiT is time & resource intensive to implement

o Steep learning curve
o New audit plans and workprograms
o New documentation methods needed

Although CobiT is process focused, CobiT based reviews tend to be more system-focused.

o Few, if any processes, are composed of one system.
o All data flows between systems, so how are data flows evaluated?
o How can major information flow processes be evaluated within reasonable time constraints?

Opportunities to Implement CobiT

Ideal Times to Implement the CobiT Framework

o Beginning of an audit year

o During a reorganization of the audit department

o During a change of strategy for the IT Audit group

o Upon implementation of Business Process focused audits

Threats to CobiT in the Internal Audit World

o Initial audits are time intensive and difficult because auditors are unfamiliar with CobiT terminology

o Auditees can be unreceptive to controls based recommendations as opposed to traditional IT recommendations

o If the audit staff does not have a sufficient amount of experience with IT controls, difficulties can arise in creating procedures to test for the existence of CobiT prescribed controls


Framework for Managing Operational Risk

Need for better operational controls

Importance of technology

Risks associated with an ever changing technology environment

Demand for recognizable value

Need to hold senior management accountable and strengthen governance


• Achieving sufficient value from IT to support the entity’s mission within a complex, vulnerable and ever changing environment

• Adequately managing risk with increasing IT dependence

• Effectively dealing with the scale and cost of current and future IT investments

• Protecting operations and IT resources against increasing vulnerabilities and a wide spectrum of threats


• Being able to adequately track and measure IT performance in support of business objectives

• Obtaining adequate assurance for the integrity, security and availability of IT systems

• Being able to demonstrate due diligence in meeting IT governance objectives


• Today, we are no longer just automating an established business process.

• Instead, we are using technology to expand business process capabilities and management decision making -- It is about IT-enabled change.

• Poorly-managed IT places the integrity, security, and availability of data and systems at risk and increases the likelihood of unrealized benefit.


Management Issues

Difficulty of obtaining adequate assurance that operational and control objectives are being addressed and will be met

Not being sufficiently aware of the impact of technology on control assessment

Not knowing who is really responsible for system integrity, security, and availability

Having cluttered or diffused points of accountability for IT processes across the organization


Not recognizing that we often manage IT as if it were separate from the enterprise when in fact it is highly integrated with business operations

Uncoordinated strategic planning between business and IT operations

Outsourcing without adequate monitoring and evaluation

• There are a whole host of folks who pose a real danger to IT systems

Meeting privacy requirements

Failing to meet regulatory or legal requirements

Having a false sense of security

Achieving adequate value to support the entity’s mission

Management Questions

Is IT well managed?

o Are we doing the right things?
o Are we doing them the best way?
o Are they being done well?
o Are we achieving desired benefits?

Is IT properly controlled?

Do we exercise and can we demonstrate due diligence?

Are the information technology drivers in sync with the agency’s mandates and business goals?


How do responsible managers keep the ship on course? …… keep it afloat?

How do we achieve satisfactory results for our citizens and stake-holders?

How do we adapt in a timely manner to “best practices” for our organization’s environment?

To establish and maintain course . . . and afloat
– Strategic and tactical planning, monitoring and evaluation – dashboards with indicators
– Disaster recovery and BCP to keep it afloat

To achieve satisfactory results for our customers and stake-holders
– Measurement processes, balanced scorecard, etc.

To adapt in a timely manner to “best practices” for our organization’s environment
– Benchmarking, CMM comparisons


IT Value

How do we manage to achieve acceptable IT value?

What policies, practices and assurance mechanisms do we apply to the “right” resources to achieve value?

What guidance is there to assist management in understanding IT processes and how to achieve IT process results?

What standards should be applied to our IT environment?

How do we address governance?


COBIT as an IT Governance Framework

COBIT provides a framework to control IT and supports the following 5 requirements for an IT control framework:

o Providing a sharper business focus
o Ensuring a process orientation
o Having a general acceptability among organizations
o Defining a common language
o Helping to meet regulatory requirements


IT Governance Focus Areas

Strategic Alignment – focus on ensuring the linkage of business and IT plans

Value Delivery – executing the value proposition throughout the delivery cycle

Risk Management – requires risk awareness by senior corporate officers, compliance requirements, transparency

Resource Management – optimal investment in and management of critical resources: people, applications, information and infrastructure

Performance Measurement – tracks and monitors strategy implementation


The Need for IT Governance

Enterprise governance is a set of responsibilities and practices exercised by the board and executive management with the goal of:

• Providing strategic direction

• Ensuring that objectives are achieved

• Ascertaining that risks are managed appropriately

• Verifying that the enterprise’s resources are used responsibly

[Figure: IT governance focus areas – Strategic Alignment, Value Delivery, Risk Management, Resource Management, Performance Measurement (www.itgi.org)]

IT Governance, as Defined by ITGI

IT governance is:

• The responsibility of the board of directors and executive management

• An integral part of enterprise governance, consisting of the leadership, organisational structures and processes that ensure that the enterprise’s IT sustains and extends the organisation’s strategies and objectives

[Figure: IT governance focus areas – Strategic Alignment, Value Delivery, Risk Management, Resource Management, Performance Measurement (www.itgi.org)]

[Chart: survey results for 2003 and 2005, labelled “Doing something about it” and “Not doing something about it”, with values 64%, 42%, 36% and 58%. Source: Surveys by PwC for the IT Governance Institute Sep-Oct 2003 and Sep-Oct 2005]

Enterprise Governance Drives IT Governance

Enterprise governance is about:

Conformance
• Adhering to legislation, internal policies, audit requirements, etc.

Performance
• Improving profitability, efficiency, effectiveness, growth, etc.

Enterprise governance and IT governance require a balance between conformance and performance goals directed by the board.

IT Governance Focus Areas

Strategic alignment – Focuses on ensuring the linkage of business and IT plans; on defining, maintaining and validating the IT value proposition; and on aligning IT operations with enterprise operations

Value delivery – Is about executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimising costs and proving the intrinsic value of IT

Resource management – Is about the optimal investment in, and the proper management of, critical IT resources: applications, information, infrastructure and people. Key issues relate to the optimisation of knowledge and infrastructure.

Risk management – Requires risk awareness by senior corporate officers, a clear understanding of the enterprise’s appetite for risk, understanding of compliance requirements, transparency about the significant risks to the enterprise, and embedding of risk management responsibilities in the organisation

Performance measurement – Tracks and monitors strategy implementation, project completion, resource usage, process performance and service delivery, using, for example, balanced scorecards that translate strategy into action to achieve goals measurable beyond conventional accounting

Making IT Governance Work

To make an IT governance implementation project successful:

• Make IT governance a workable solution—able to deal with the challenges and pitfalls presented by IT.

• Focus as much on improving performance and enabling competitive advantage as preventing problems.

• Make IT governance a shared responsibility between the business (customer) and the IT service provider, with the full commitment and direction of the board.

• Align IT governance within a wider enterprise governance scheme.

• Boards and executive management need to extend enterprise governance to include IT, provide the necessary leadership and organisational structures, and insist on well-managed and properly controlled processes.

IT Governance Stakeholders

Board and executive – Set direction for IT, monitor results and insist on corrective measures

Business management – Defines business requirements for IT and ensures that value is delivered and risks are managed

IT management – Delivers and improves IT services as required by the business

IT audit – Provides independent assurance to demonstrate that IT delivers what is needed

Risk and compliance – Measures compliance with policies and focuses on alerts to new risks

Need for IT Governance Control Framework

Many organizations recognize the potential benefits of technology

The successful organizations:

– Understand that IT is more than an enabler
– Understand and manage the risks associated with implementing new technologies
– Keep a keen eye on the mission and goals, and
– Know where they are through measured progress and monitoring and evaluation

The Need for IT Governance

Organizations require a structured approach for managing these and other challenges.

Need to ensure that IT objectives are agreed to, good management controls are in place, and there is effective monitoring of performance to keep on track and avoid unexpected outcomes.

[Figure: challenges for IT governance – Keeping IT Running, Security, Value/Cost, Managing Complexity, Aligning IT with Business, Regulatory Compliance]

Need for IT Governance Control Framework

CobiT underscores the importance of recognizing:

Optimizing value, safeguarding, and ensuring the availability of technology is an entity or senior management issue, not just an IT management issue

Business and IT goals depend on our understanding of how to dynamically apply IT, measure results, and engage IT and business process management

Requires understanding of what we want the technology to do, and how we are going to measure success

COBIT Provides a Framework for IT Governance

COBIT:

– Starts from business requirements
– Is process-oriented, organizing IT activities into a generally accepted process model
– Identifies the major IT resources to be leveraged
– Defines the management control objectives to be considered
– Incorporates major international standards
– Has become the de facto standard for overall control of IT

COBIT helps bridge the gaps between business risks, control needs and technical issues. It provides good practices across a domain and process framework and presents activities in a manageable and logical structure.

IT resources need to be managed by a set of naturally grouped processes. COBIT provides a framework that achieves this objective.


How Does COBIT View IT Governance?

Consists of leadership, organizational structures, and processes that ensure that IT sustains and extends the enterprise’s strategies and objectives

IT governance is the responsibility of executives and the board of directors


IT Governance Objectives

IT is aligned with the business and enables the business to maximize benefit

IT resources are safeguarded and used in a responsible and ethical manner

IT-related risks are addressed through appropriate controls and managed to minimize risk and exposure

IT Governance

Integrates and institutionalizes good practices to ensure that IT supports the business objectives.

Enables the enterprise to take advantage of its information and IT resources to maximize benefit and capitalize on opportunities.

COBIT IT Governance

IT is aligned with the business

IT enables the business and maximizes benefits

IT resources are used responsibly

IT risks are managed appropriately

IT Governance Focus Areas

Strategic alignment

Value delivery

Resource management

Risk management

Performance measurement


IT Governance Focus Areas

Strategic Alignment focuses on ensuring the linkage of business and IT plans; defining, maintaining and validating the IT value proposition; and aligning IT operations with enterprise operations.

Value Delivery is about executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimizing costs and proving the intrinsic value of IT.

Resource Management is about the optimal investment in, and the proper management of, critical IT resources: applications, information, infrastructure and people. Key issues relate to the optimization of knowledge and infrastructure.

Risk Management requires risk awareness by senior corporate officers, a clear understanding of the enterprise’s appetite for risk, understanding of compliance requirements, transparency about the significant risks to the enterprise and embedding of risk management responsibilities into the organization.


Performance Measurement tracks and monitors strategy implementation, project completion, resource usage, process performance and service delivery, using, for example, balanced scorecards that translate strategy into action to achieve goals measurable beyond conventional accounting.

What Should Management Do?

Inquire: Ask the right questions

Focus on IT’s
– Alignment with the agency objectives
– Value delivery
– Risk management

Adopt an IT governance framework

Focus on important IT processes and core IT competencies

Embed responsibilities for IT security and management in the organization

Measure performance and results

To Manage and Control IT, COBIT Recommends:

Employing fundamentals of IT governance

Understanding strategic value of IT

Understanding and managing associated risks

Exercising appropriate frameworks of control

Having mechanisms to provide adequate assurance that IT governance objectives are addressed

Agencies Need Assurance

That information and systems can be relied upon

That operations are adequately controlled

That information has integrity, is protected, and will be available

That due diligence and compliance with good business practices can be demonstrated.

CobiT provides the control criteria and evaluation methodology

CobiT is an Authoritative Source

Built on a sound framework of control and IT-related control practices.

Aligned with de jure and de facto standards and regulations.

Subject to extensive review and exposure.

Aligned with control models, standards and best practices for IT management.


COBIT’s View of the Definition of Control

Why Control Information Systems?

The answer lies in the realm of what the business wants: to accomplish and avoid

It therefore falls to the spectrum of: objectives and risks

The Objectives and Risks become Value Drivers and Risk Drivers in COBIT.

Control (as defined by COBIT)

The policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected.

Source: COBIT Control Objectives. P. 12.

[Figure: control serves two ends – To Achieve Business Objectives, and To Avoid Risks, Threats and Exposures]

CobiT promotes a healthy understanding about “reasonable assurance” and “residual risk”.

Knowing the acceptable levels for reasonable assurance and residual risk is a critical success factor for designing and managing an adequate framework of control.

[Figure: Reasonable Assurance, shown against an Assurance Level axis (up to 100%) and a Residual Risk axis (down to 0%)]


Relation to Other Control Models

CobiT is in alignment with other control models:

o COSO

o COCO

o Cadbury

o King


COBIT and Other IT Management Frameworks

Organizations will consider and use a variety of IT models, standards and best practices. They must be understood to consider how they can be used together, with COBIT acting as the consolidator (‘umbrella’).

(Figure: scope of coverage, from WHAT to HOW, of COBIT, COSO, ISO 9000, ISO 17799 and ITIL.)

Where Does COBIT Fit?

(Figure: enterprise governance is driven by performance (business goals, Balanced Scorecard) and conformance (Basel II, Sarbanes-Oxley Act, etc.); COBIT and COSO sit at the IT governance level; ITIL, ISO 9001:2000, ISO 17799, ISO 20000 and security principles are the best practice standards; QA procedures sit at the processes and procedures level.)

COBIT Framework

► The COBIT framework was created with four main characteristics:

Business-focused

Process-oriented

Controls-based

Measurement-driven

COBIT Framework Characteristics


COBIT: An IT Control Framework

Evolution:

COBIT 1 (1996): Audit

COBIT 2 (1998): Control

COBIT 3 (2000): Management

COBIT 4 (2005): Governance

For latest updates on COBIT, log on to www.isaca.org/cobit.

COBIT:

► Has internationally accepted good practices

► Is management-oriented

► Is supported by tools and training

► Is freely downloadable

► Allows the knowledge of expert volunteers to be shared and leveraged

► Continually evolves

► Is maintained by a reputable not-for-profit organisation

► Maps 100 percent to COSO

► Maps strongly to all major, related standards

► Is a reference, not an ‘off-the-shelf’ cure

Enterprises still need to analyse control requirements and customise COBIT based on their:

► Value drivers

► Risk profile

► IT infrastructure, organisation and project portfolio

COBIT: Value and Limitations


COBIT Components

An organisation depends on reliable and timely data and information. COBIT components provide a comprehensive framework for delivering value while managing risk and control over data and information.

(Figure: the COBIT components: Business Strategy, Information Criteria, IT Resources and IT Processes.)

COBIT: Advantages

Some of the advantages of adopting COBIT are:

► COBIT is aligned with other standards and good practices and should be used together with them.

► COBIT’s framework and supporting best practices provide a well-managed and flexible IT environment in an organisation.

► COBIT provides a control environment that is responsive to business needs and serves management and audit functions in terms of their control responsibilities.

► COBIT provides tools to help manage IT activities.


COBIT and IT Governance

► COBIT focuses on improving IT governance in organisations.

► COBIT provides a framework to manage and control IT activities and supports five requirements for a control framework:

Has general acceptability amongst organisations

Helps meet regulatory requirements

Defines a common language

Provides sharper business focus

Ensures process orientation

COBIT and IT Governance (Cont.)

Business Focus

► COBIT achieves sharper business focus by aligning IT with business objectives.

► The measurement of IT performance should focus on IT’s contribution to enabling and extending the business strategy.

► COBIT, supported by appropriate business-focused metrics, can ensure that the primary focus is value delivery and not technical excellence as an end in itself.


COBIT and IT Governance (Cont.)

Process Orientation

► When organisations implement COBIT, their focus is more process-oriented.

► Incidents and problems no longer divert attention from processes.

► Exceptions can be clearly defined as part of standard processes.

► With process ownership defined, assigned and accepted, the organisation is better able to maintain control through periods of rapid change or organisational crisis.


COBIT and IT Governance (Cont.)

General Acceptability

► COBIT is a proven and globally accepted standard for increasing the contribution of IT to organisational success.

► The framework continues to improve and develop to keep pace with good practices.

► IT professionals from all over the world contribute their ideas and time to regular review meetings.

COBIT and IT Governance (Cont.)

Regulatory Requirements

► Recent corporate scandals have increased regulatory pressures on boards of directors to report their status and ensure that internal controls are appropriate. This pressure covers IT controls as well.

► Organisations constantly need to improve IT performance and demonstrate adequate controls over their IT activities.

► Many IT managers, advisors and auditors are turning to COBIT as the de facto response to regulatory IT requirements.


COBIT and IT Governance (Cont.)

Common Language

► A framework helps get everybody on the same page by defining critical terms and providing a glossary.

► Co-ordination within and across project teams and organisations can play a key role in the success of any project.

► Common language helps build confidence and trust.


COBIT: Premise

► The COBIT framework is based on the premise that IT needs to deliver the information that an enterprise requires to achieve its objectives.

(Figure: IT resources and processes provide information to business processes, for achieving business objectives.)

► The COBIT framework helps align IT with the business by focusing on business information requirements and organising IT resources. COBIT provides the framework and guidance to implement IT governance.

COBIT: Principle

The principle of the COBIT framework is to link management’s IT expectations with management’s IT responsibilities. The objective is to facilitate IT governance to deliver IT value whilst managing IT risks.

(Figure: Business Strategy, Information Criteria, IT Resources and IT Processes.)

COBIT Framework

As a control and governance framework for IT, COBIT focuses on two key areas:

► Providing the information required to support business objectives and requirements

► Treating information as the result of the combined application of IT-related resources that need to be managed by IT processes

(Figure: IT Processes, structured as Domains, Processes and Activities; Information Criteria of Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance and Reliability; IT Resources of Applications, Information, Infrastructure and People. Each process is presented with its IT Process, Business Requirement, Control Approach and Considerations.)

COBIT Cube

The COBIT framework describes how IT processes deliver the information that the business needs to achieve its objectives.

For controlling this delivery, COBIT provides three key components, each forming a dimension of the COBIT cube.

Business Requirements for Information Criteria

IT Resources

IT Processes


COBIT Cube: IT Processes

► COBIT describes the IT life cycle with the help of four domains:

Plan and Organise

Acquire and Implement

Deliver and Support

Monitor and Evaluate

► Processes are series of activities with natural control breaks. There are 34 processes across the four domains; they specify what the business needs to achieve its objectives, and the delivery of information is controlled through them.

► Activities are actions that are required to achieve measurable results. Activities have life cycles and include many discrete tasks.

COBIT Cube: IT Domains

Plan and Organise (PO)

► Objectives:

Formulating strategy and tactics

Identifying how IT can best contribute to achieving business objectives

Planning, communicating and managing the realisation of the strategic vision

Implementing organisational and technological infrastructure

► Scope:

Are IT and the business strategically aligned?

Is the enterprise achieving optimum use of its resources?

Does everyone in the organisation understand the IT objectives?

Are IT risks understood and being managed?

Is the quality of IT systems appropriate for business needs?

COBIT Cube: IT Domains (Cont.)

Let’s look at the COBIT process model, which consists of 34 IT processes defined within the four IT domains.

Plan and Organise

PO1 Define a strategic IT plan.

PO2 Define the information architecture.

PO3 Determine technological direction.

PO4 Define the IT processes, organisation and relationships.

PO5 Manage the IT investment.

PO6 Communicate management aims and direction.

PO7 Manage IT human resources.

PO8 Manage quality.

PO9 Assess and manage IT risks.

PO10 Manage projects.

COBIT Cube: IT Domains (Cont.)

Acquire and Implement (AI)

► Objectives:

Identifying, developing or acquiring, implementing, and integrating IT solutions

Changes in and maintenance of existing systems

► Scope:

Are new projects likely to deliver solutions that meet business needs?

Are new projects likely to be delivered on time and within budget?

Will the new systems work properly when implemented?

Will changes be made without upsetting current business operations?


COBIT Cube: IT Domains (Cont.)

Acquire and Implement

AI1 Identify automated solutions.

AI2 Acquire and maintain application software.

AI3 Acquire and maintain technology infrastructure.

AI4 Enable operation and use.

AI5 Procure IT resources.

AI6 Manage changes.

AI7 Install and accredit solutions and changes.

COBIT Cube: IT Domains (Cont.)

Deliver and Support (DS)

► Objectives:

The actual delivery of required services, including service delivery

The management of security, continuity, data and operational facilities

Service support for users

► Scope:

Are IT services being delivered in line with business priorities?

Are IT costs optimised?

Is the workforce able to use IT systems productively and safely?

Are adequate confidentiality, integrity and availability in place?


COBIT Cube: IT Domains (Cont.)

Deliver and Support

DS1 Define and manage service levels.

DS2 Manage third-party services.

DS3 Manage performance and capacity.

DS4 Ensure continuous service.

DS5 Ensure systems security.

DS6 Identify and allocate costs.

DS7 Educate and train users.

DS8 Manage service desk and incidents.

DS9 Manage the configuration.

DS10 Manage problems.

DS11 Manage data.

DS12 Manage the physical environment.

DS13 Manage operations.

COBIT Cube: IT Domains (Cont.)

Monitor and Evaluate (ME)

► Objectives:

Performance management

Monitoring of internal control

Regulatory compliance

Governance

► Scope:

Is IT’s performance measured to detect problems before it is too late?

Does management ensure that internal controls are effective and efficient?

Can IT performance be linked to business goals?

Are risk, control, compliance and performance measured and reported?


COBIT Cube: IT Domains (Cont.)

Monitor and Evaluate

ME1 Monitor and evaluate IT performance.

ME2 Monitor and evaluate internal control.

ME3 Ensure compliance with external requirements.

ME4 Provide IT governance.

COBIT Cube: Information Criteria

► To satisfy business objectives, information needs to conform to specific control criteria, which COBIT refers to as business requirements for information.

► Broadly, information criteria are based on the following requirements:

Quality

Fiduciary

Security


COBIT Cube: Information Criteria (Cont.)

Effectiveness: deals with information being relevant and pertinent to the business process as well as being delivered in a timely, correct, consistent and usable manner.

Efficiency: concerns the provision of information through the optimal (most productive and economical) use of resources.

Confidentiality: concerns the protection of sensitive information from unauthorised disclosure.

Integrity: relates to the accuracy and completeness of information as well as to its validity in accordance with business values and expectations.

Availability: relates to information being available when required by the business process now and in the future. It also concerns the safeguarding of necessary resources and associated capabilities.

Compliance: deals with complying with those laws, regulations and contractual arrangements to which the business process is subject, i.e., externally imposed business criteria as well as internal policies.

Reliability: relates to the provision of appropriate information for management to operate the entity and to exercise its fiduciary and governance responsibilities.

COBIT Cube: IT Resources

► IT processes manage IT resources to generate, deliver and store the information that the organisation needs to achieve its objectives.

► The IT resources identified in COBIT are defined as:

Applications are automated user systems and manual procedures that process information.

Information is data that are input, processed and output by information systems, in whatever form used by the business.

Infrastructure includes the technology and facilities, such as hardware, operating systems and networking, that enable the processing of applications.

People are the personnel required to plan, organise, acquire, implement, deliver, support, monitor and evaluate information systems and services. They may be internal, outsourced or contracted, as required.


COBIT Framework

(Figure: the COBIT Framework. Business objectives and governance objectives drive the information criteria Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance and Reliability. Information is produced from the IT resources Applications, Information, Infrastructure and People through the four domains Plan and Organise (PO1 to PO10), Acquire and Implement (AI1 to AI7), Deliver and Support (DS1 to DS13) and Monitor and Evaluate (ME1 to ME4), whose processes are listed above.)

COBIT Cube

IT resources are managed by IT processes to achieve IT goals that respond to the business requirements. This is the basic principle of the COBIT framework, as illustrated by the COBIT cube.


Interrelationship of the COBIT Components


COBIT Processes within Domains

Each of the four domains is composed of processes (34 in total).

Domains and processes

A domain groups its processes and shows how the individual processes relate to each other. For example: Plan and Organize.

COBIT Domains with Processes

COBIT Process Descriptions

COBIT offers detailed descriptions for all 34 processes.

The Process Descriptions:

o contain the inputs, outputs, responsibilities, metrics and goals

o provide a basis of expert knowledge from which the enterprise may decide what is relevant to its organization

o include diagrams that illustrate the relationships to other processes

Where is COBIT Today?

How is CobiT Focused?

IT Governance – better coverage with governance practices

Business requirements – better business to IT linkages with cascading goals and supporting metrics

Harmonization – improved integration with key practices

Value Creation – extended focus on IT investment

Enterprise architecture – process structure and resources

Process definitions and process flows – improved descriptions, activities, inputs and outputs

Language and presentation – more concise in presentation, action-oriented; control model and management guidelines are consolidated into one document

What are the key COBIT Documents?

Control Objectives define what needs to be done to implement an effective control structure to improve IT performance and address IT solutions and service delivery risks.

Control Practices provides guidance on the risks to be avoided and value to be gained from implementing a control objective, and instruction on how to implement the objective.

IT Assurance Guide provides guidance for the assurance team with a structured assurance approach linked to the COBIT framework that is understandable for business and IT professionals.

COBIT and Related Products

COBIT 4.1: COBIT is an IT governance framework and supporting tool set that allows managers to bridge the gap between control requirements, technical issues and business risks.

Board Briefing on IT Governance: To help executives understand why IT governance is important, what its issues are and what their responsibility is for managing it.

Information Security Governance: To help overcome these barriers by explaining information security in business terms. It comes complete with tools and techniques to help managers uncover security-related problems.

IT Governance Implementation Guide: Provides a generic road map for implementing IT governance using the COBIT and Val IT resources.

Control Practices: Provide guidance on why the control objectives are worth implementing and how to implement them.

IT Assurance Guide: Provides guidance on how COBIT can be used to support a variety of assurance activities together with suggested testing steps for all the IT processes and control objectives.

COBIT and Related Products (Cont.)

COBIT Quickstart: A summarized version of the COBIT resources, focusing on the most crucial IT processes, control objectives and metrics, all presented in an easy-to-follow format to help users gain the benefits of COBIT quickly.

COBIT Security Baseline (available 3rd quarter 2007): Focuses on IT security risk in a way that is simple to follow and implement for everyone, from the home user or small- to medium-sized enterprise to executives and board members of larger organizations.

Val IT: Provides guidance for managing an organization’s portfolio of IT-enabled business investments and for maximizing the quality of business cases for IT-enabled business investments.

IT Control Objectives for Sarbanes-Oxley: Provides guidance on how to ensure compliance for the IT environment based on the COBIT control objectives related to financial reporting.

Aligning COBIT, ITIL and ISO 17799: Explains to business users and senior management the value of IT best practices and how harmonization, implementation and integration of best practices (COBIT, ITIL and ISO/IEC 17799) may be made easier.

COBIT Mapping Series: An overview and various mappings of COBIT to other international guidance, such as CMM and ISO 17799, published by ITGI.

Control Objectives

(Figure: the COBIT content: Framework, Control Objectives, Management Guidelines and Maturity Models.)

Focus on IT Alignment by linking Information Criteria, IT Resources and IT Goals to Business Goals

Focus on Value Delivery by using value-oriented IT goals to focus on the IT processes that are critical to deliver effectively

Focus on Risk Management by using risk-oriented IT goals to focus on the IT processes that are needed to manage risk

Focus on Resource Management by using Maturity Models to ensure there is a capability to deliver

Focus on Performance Management by using metrics and scorecards to ensure plans are on track and deviations are identified and corrected

COBIT Objectives - IT Governance Topics


Concise Control Objectives

PO1.2 Business-IT Alignment (CobiT 4.1)

Establish processes of bi-directional education and reciprocal involvement in strategic planning to achieve business and IT alignment and integration. Mediate between business and IT imperatives so priorities can be mutually agreed.

PO1.2 Business-IT Alignment (CobiT 4.0)

Educate executives on current technology capabilities and future directions, the opportunities that IT provides, and what the business has to do to capitalize on those opportunities. Make sure the business direction to which IT is aligned is understood. The business and IT strategies should be integrated, clearly linking enterprise goals and IT goals and recognizing opportunities as well as current capability limitations, and broadly communicated. Identify where the business (strategy) is critically dependent on IT and mediate between imperatives of the business and the technology, so agreed priorities can be established.

PO5.1 Financial Management Framework (CobiT 4.1)

Establish and maintain a financial framework to manage the investment and cost of IT assets and services through portfolios of IT-enabled investments, business cases and IT budgets.

PO5.1 Financial Management Framework (CobiT 4.0)

Establish a financial framework for IT that drives budgeting and cost/benefit analysis, based on investment, service and asset portfolios. Maintain the portfolios of IT-enabled investment programmes, IT services and IT assets, which form the basis for the current IT budget. Provide input to business cases for new investments, taking into account current IT asset and service portfolios. New investments and maintenance to service and asset portfolios will influence the future IT budget. Communicate the cost and benefit aspects of these portfolios to the budget prioritization, cost management and benefit management processes.

Framework Update


COBIT Framework

Documents relationships among information criteria, IT resources, and IT processes

Links control objectives and control practices to business processes and business objectives

Assists in confirming that appropriate IT processes (and practices) are in place

Facilitates evaluation and assurance methods


Information Criteria -- The 1st Component

Effectiveness

Efficiency

Confidentiality

Integrity

Availability

Compliance

Reliability


IT Resources -- The 2nd Component

Application Systems

Information

Infrastructure

People


IT Process Domains -- The 3rd Component

Plan and Organize

Acquire and Implement

Deliver and Support

Monitor and Evaluate


COBIT Process Model

Subdivides IT into four domains

34 processes in line with the domains

Responsibility areas of plan, build, run and monitor, providing an end-to-end view of IT

Enterprise architecture concepts help identify the resources essential for process success

What Are the Main Changes?


COBIT Domains: Information Processes (3rd Component)

(Figure: Plan and Organize, Acquire and Implement, Deliver and Support and Monitor and Evaluate, linked in sequence with feedback loops between them.)

COBIT Framework

To provide the information that the enterprise requires to achieve its objectives, the enterprise needs to invest in and manage and control IT resources using a structured set of processes in order to provide the services that deliver the required enterprise information.

Basic COBIT Principle


CobiT Framework

Helps one understand the:

relationship of controls to control objectives,

importance of focusing on control objectives and their relationship to the business organization and its business processes, and

value of managed processes and resources to attain data integrity, security and availability.

CobiT is Business-focused

Business orientation is the main theme of COBIT.

Designed to be used by IT service providers, users and auditors, and to also provide comprehensive guidance for management and business process owners.


Business Orientation of COBIT

Links business goals to IT goals

Provides metrics and maturity models to measure their achievement

Identifies the associated responsibilities of business and IT process owners

Business Goals

Financial Perspective

Expand market share

Increase revenue

Return on investment

Optimize asset utilization

Manage business risks

Customer Perspective

Improve customer orientation and service

Offer competitive products and services

Service availability

Agility in responding to changing business requirements

Cost optimization of service delivery

Internal Perspective

Automate and integrate the business value chain

Improve and maintain business process functionality

Lower process costs

Compliance with external laws and regulations

Transparency

Compliance with internal policies

Improve and maintain operational and staff productivity

Learning and Growth Perspective

Product and business innovation

Obtain reliable and useful information for strategic decision making

Acquire and maintain skilled and motivated personnel

IT Goals

1. Respond to business requirements in alignment with business strategy

2. Respond to governance requirements in line with board direction

3. Ensure the satisfaction of end users with service offerings and service levels

4. Optimize the use of information

5. Create IT agility

6. Define how business function and control requirements are translated in effective and efficient automated solutions

7. Acquire and maintain integrated and standardized application systems

8. Acquire and maintain an integrated and standardized infrastructure

9. Acquire and maintain IT skills that respond to the IT strategy

10. Ensure mutual satisfaction of third-party relationships

11. Seamlessly integrate applications and technology solutions into business processes

12. Ensure transparency and understanding of IT cost, benefits, strategy, policies and service levels

13. Ensure proper use and performance of the applications and technology solutions

14. Account for and protect all IT assets

15. Optimize the IT infrastructure, resources and capabilities

16. Reduce solution and service delivery defects and rework

17. Protect the achievement of IT objectives

18. Establish clarity of business impact of risks to IT objectives and resources

19. Ensure critical and confidential information is withheld from those who should not have access to it

20. Ensure automated business transactions and information exchanges can be trusted

21. Ensure IT services and infrastructure can properly resist and recover from failures due to error, deliberate attack or disaster

22. Ensure minimum business impact in the event of an IT service disruption or change

23. Make sure that IT services are available as required

24. Improve IT’s cost-efficiency and its contribution to business profitability

25. Deliver projects on time and on budget meeting quality standards

26. Maintain the integrity of information and processing infrastructure

27. Ensure IT compliance with laws and regulations

28. Ensure that IT demonstrates cost-efficient service quality, continuous improvement and readiness for future change

Linking Business Goals to IT Goals

An Example:

• The business goal of increasing revenue is linked to IT goals numbers 25 and 28, which are:

• “Deliver projects on time and on budget meeting quality standards” and

• “Ensure that IT demonstrates cost-efficient service quality, continuous improvement and readiness for future change”

Page 157: Introduction to COBIT

157

Page 158: Introduction to COBIT

158

Linking IT Goals to IT Processes

Example of linking IT goals to IT processes:

• The IT goal of optimizing the use of information is linked to IT processes PO2 and DS11 (information architecture and managing data)

Page 159: Introduction to COBIT

159

Page 160: Introduction to COBIT

160

The WATERFALL Navigation Aid: High-Level Control Objectives for Each Process

Figure (waterfall diagram): High-Level Control Objective

The control of IT Processes, which satisfy Business Requirements, is focusing on Control Statements, is achieved by Control Practices, and is measured by users satisfaction.

Page 161: Introduction to COBIT

161

Page 162: Introduction to COBIT

162

“RACI” Chart

Identifies who is Responsible, Accountable, Consulted and/or Informed

Addresses considerations for points of accountability

Addresses issues of communication and desired input (who would be consulted)

Rather than titles, think of positions in terms of roles

Depending on the size of the organization or the IT function, several roles may be combined

Page 163: Introduction to COBIT

163

Primary Inputs and Outputs

CobiT identifies for each process where its primary inputs are obtained from

The inputs are identified, together with the process they come from

CobiT also identifies to which IT processes the process provides output

The outputs (from the process) are identified, together with where they would be directed

Page 164: Introduction to COBIT

164

Page 165: Introduction to COBIT

165

Metrics

Performance measurement is essential for IT governance.

Requires setting and monitoring measurable objectives of what the IT processes need to deliver (process outcome) and how they deliver it (process capability and performance).

Page 166: Introduction to COBIT

166

Metrics

Activity Goals tell us how well the process is performing
o Measured by Key Performance Indicators (KPIs)

Process Goals tell us what IT must deliver
o Measured by Key Goal Indicators (KGIs)

IT Goals tell us what we expect from IT
o Measured by Key Goal Indicators (KGIs)

Page 167: Introduction to COBIT

167

Page 168: Introduction to COBIT

168

Page 169: Introduction to COBIT

169

Page 170: Introduction to COBIT

170

Use of Maturity Models

The assessment of process capability based on the COBIT maturity models is a key part of IT governance implementation.

Enables gaps in capability to be identified and demonstrated to management.

Action plans can then be developed

Page 171: Introduction to COBIT

171

Page 172: Introduction to COBIT

172

Control Practices

Control Practices

Control Objectives

Value Drivers

Risk Drivers

Page 173: Introduction to COBIT

173

Control Design

Necessary and sufficient steps

Roles & responsibilities

Characteristics

Generic and specific practices

Active and passive

Inputs, outputs, activities

Page 174: Introduction to COBIT

174

IT Control Practices

Provides guidance on risks to be avoided and value to be gained

Provides detailed guidance on specific controls needed to address high-level and detailed control objectives

Provides guidance on how, why and what to implement to improve IT performance

Includes key elements of value and risk statements and control practices

Page 175: Introduction to COBIT

175

IT Control Practices

Describe the different necessary and sufficient steps to achieve a control objective

Action-oriented and measurable, enabling timely execution

Relevant to the purpose of the control objective

Support clear roles and responsibility, including segregation

Page 176: Introduction to COBIT

176

Control Practices Characteristics:

The benefits listed under ‘why do it’ are tangible and motivate the implementation of controls

The set of control practices is complete (e.g. key controls) and implementation satisfies the control objective

Control practices listed are generally accepted as good business practice

Control practices suggest sustainable solutions

The control practices are effective in addressing the risk linked to not achieving the detailed control objective

The control practices suggest efficient solutions

The wording of the control practices is concise while providing clear and unambiguous guidance on what is expected for implementation

The control practices are realistic

Page 177: Introduction to COBIT

177

IT Assurance Guide

Need for IT Governance and Assurance

The CobiT Framework

IT Assurance Approaches

How CobiT Supports IT Assurance Activities

Page 178: Introduction to COBIT

178

Approach

Testing of a control approach covering 4 assurance objectives:

1. Existence

2. Design effectiveness

3. Operating effectiveness (implemented, consistent application and proper use)

4. Design and operating efficiency (cost/benefit and possible use of automation)

Providing 3 types of assurance guidance:

Testing the suggested control design

Testing control objective achievement

Documenting impact of control weaknesses

IT Assurance Steps

Page 179: Introduction to COBIT

179

Approach

Tests based on a documented taxonomy of relevant assurance methods:

Enquire and confirm (via different sources)

Inspect (walk-through, search, compare, review)

Observe (confirmation is inherent)

Re-perform or re-calculate and analyze (often based on a sample)

Automated evidence collection (sample, trace, extract) and analyze

IT Assurance Steps

Page 180: Introduction to COBIT

180

Page 181: Introduction to COBIT

181

Page 182: Introduction to COBIT

182

Page 183: Introduction to COBIT

183

Using CobiT

Page 184: Introduction to COBIT

184

Figure (IT governance cycle): Set Objectives, Provide Direction, Measure Performance, Compare

IT Activities:

Increase automation (make the business effective)

Decrease cost (make the enterprise efficient)

Manage risks (security, reliability and compliance)

Set Objectives:

IT is aligned with the business

IT enables the business and maximizes benefits

IT resources are used responsibly

IT-related risks are managed appropriately

CobiT provides the basis for IT Governance

CobiT links business goals to IT goals

CobiT Framework provides a common understanding of IT’s role

CobiT IT Processes and Maturity Models focus on IT capability

CobiT KGIs and KPIs enable measurement

Page 185: Introduction to COBIT

185

Using CobiT

From an organizational perspective, entities should use control models such as COSO and CobiT along with generally accepted control practices to build and exercise appropriate controls to help manage their entities.

Page 186: Introduction to COBIT

186

Strong Basis for Policy Development

Use CobiT as a basis to develop or strengthen policies and control practices

Compare existing policies and standard procedures against CobiT

Conduct high-level and detailed policy reviews

Page 187: Introduction to COBIT

187

Using CobiT Matrices to Focus on:

IT Functions
o Their importance?
o Level of performance?
o Control documentation?

Responsible Parties of IT
o Performed by?
o Contracted services?
o Primary responsible party?

Risk Assessment
o Importance, level of risk, control documentation?

Page 188: Introduction to COBIT

188

CobiT’s Evaluation Focus

What is most critical to the business?

What are the CSFs?

What are the risks and threats?

How robust and appropriate does the internal control structure appear?

What are management’s concerns?

Page 189: Introduction to COBIT

189

Risks to the Entity?

Unaware of the risks

Poor understanding of CSFs

Absence of KPIs

No “scorecard” or basis of measurement

Absence of monitoring and evaluation

Weak IT control environment

Unknown loss of data or system integrity

Page 190: Introduction to COBIT

190

COBIT Focuses on Risk-Based Approach

Focuses on the entity from a management perspective

Emphasis on knowledge of the business and the technology

Focus on assessing the effectiveness of a “combination” of controls

Linkage between risk assessment and testing focusing on control objectives

Page 191: Introduction to COBIT

191

To Address Outsourced Services

Determine whether desired processes are in place and establish accountability

Agree on levels of control, measurement and evaluation

Use CobiT to help design service contracts by identifying deliverables and responsibilities

Use CobiT for ongoing monitoring and evaluation of providers and partners

Page 192: Introduction to COBIT

192

Recap: CobiT Recognizes

IT is an integral part of the organization

IT governance is an integral part of corporate governance

Focus on control objectives can strengthen appropriateness and use of internal controls

Measurement is crucial to internal control

Monitoring and evaluation are integral to a system of internal control

Page 193: Introduction to COBIT

193

Page 194: Introduction to COBIT

194

Interrelationships of CobiT Components

Page 195: Introduction to COBIT

195

COBIT Content Diagram

CobiT and Val IT frameworks

Control Objectives

Key Management Practices

IT Governance Implementation Guide,

2nd Edition

CobiT Control Practices 2nd Edition

IT Assurance Guide

Page 196: Introduction to COBIT

196

IT Risk Analysis—A Generally Accepted Framework

Figure (process flow): Asset Identification and Valuation → Vulnerability Assessment → Threat Assessment → Risk Assessment → Countermeasures → Control Evaluation → Residual Risk → Action Plan

Page 197: Introduction to COBIT

197

IT Risk Analysis—A Generally Accepted Framework

Figure (process flow): Asset Identification and Valuation → Vulnerability Assessment → Threat Assessment → Risk Assessment → Countermeasures → Control Evaluation → Residual Risk → Action Plan

Annotation: two Alternative Entry Points are marked on the flow

Page 198: Introduction to COBIT

198

IT Risk Analysis—A Generally Accepted Framework

Figure (process flow): Asset Identification and Valuation → Vulnerability Assessment → Threat Assessment → Risk Assessment → Countermeasures → Control Evaluation → Residual Risk → Action Plan

Annotation at Countermeasures: Three Approaches:
1. Ignore.
2. Only prevent.
3. Prevent and detect.

Annotation at Risk Assessment: Translate into business consequences and into financial risks.
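The risk analysis flow on the three preceding slides, carried through in Python as an added example (not code from the deck or from ISACA). It walks asset valuation, vulnerability and threat assessment, risk assessment expressed as a money figure, countermeasures under the three approaches named on the slide (ignore, only prevent, prevent and detect), control evaluation, residual risk and an action plan. The scoring model (expected loss = asset value × likelihood × exposure, reduced multiplicatively by the tested effectiveness of each allowed control) and every asset, threat, control value and risk appetite are assumptions made for illustration; COBIT prescribes no such formula.

```python
"""Constructed walk-through of the eight-stage risk analysis flow. The scoring
model and all register values are assumptions for illustration (not COBIT figures)."""

from dataclasses import dataclass


@dataclass
class Asset:                 # stage 1: asset identification and valuation
    name: str
    value: float             # business value at stake, constructed money units


@dataclass
class Threat:                # stages 2 and 3: vulnerability and threat assessment
    asset: str
    name: str
    likelihood: float        # assumed annual probability the threat materialises (0..1)
    exposure: float          # assumed fraction of asset value lost if it does (0..1)


@dataclass
class Control:               # stage 5: countermeasure
    threat: str
    kind: str                # "prevent" or "detect"
    claimed: float           # reduction claimed by the control design (0..1)
    tested: float            # reduction confirmed by control evaluation, stage 6 (0..1)


def inherent_risk(asset, threat):
    """Stage 4: risk assessment translated into an expected annual loss (business consequence)."""
    return asset.value * threat.likelihood * threat.exposure


def residual_risk(asset, threat, controls, approach):
    """Stage 7: residual risk under one of the three approaches. Only the *tested*
    effectiveness counts; a control whose evaluation failed reduces nothing."""
    allowed = {"ignore": set(), "prevent": {"prevent"}, "prevent+detect": {"prevent", "detect"}}[approach]
    remaining = 1.0
    for c in controls:
        if c.threat == threat.name and c.kind in allowed:
            remaining *= 1.0 - c.tested
    return inherent_risk(asset, threat) * remaining


def action_plan(assets, threats, controls, appetite):
    """Stage 8: per threat, choose the least intrusive approach whose residual risk is within
    the (assumed) financial risk appetite; flag threats that stay above it even with both controls."""
    by_name = {a.name: a for a in assets}
    plan = {}
    for t in threats:
        a = by_name[t.asset]
        options = [(ap, residual_risk(a, t, controls, ap)) for ap in ("ignore", "prevent", "prevent+detect")]
        within = [(ap, r) for ap, r in options if r <= appetite]
        ap, r = within[0] if within else options[-1]
        plan[t.name] = {"approach": ap, "residual": round(r, 2), "within_appetite": bool(within)}
    return plan


# Constructed sample register (assumption: values are illustrative only)
ASSETS = [Asset("Customer database", 1_000_000), Asset("Build server", 200_000)]
THREATS = [
    Threat("Customer database", "Data theft via unpatched web app", likelihood=0.3, exposure=0.5),
    Threat("Build server", "Ransomware on build server", likelihood=0.2, exposure=0.8),
]
CONTROLS = [
    # claimed 90% reduction, but control evaluation only confirmed 60%
    Control("Data theft via unpatched web app", "prevent", claimed=0.9, tested=0.6),
    Control("Data theft via unpatched web app", "detect", claimed=0.7, tested=0.5),
    Control("Ransomware on build server", "prevent", claimed=0.8, tested=0.8),
]

if __name__ == "__main__":
    for t in THREATS:
        a = next(x for x in ASSETS if x.name == t.asset)
        print(t.name, "inherent:", inherent_risk(a, t))
    print(action_plan(ASSETS, THREATS, CONTROLS, appetite=20_000))
```

With the constructed values, the web-app threat starts at 150,000 of expected loss, drops to 60,000 with the preventive control alone and to 30,000 with prevention and detection, which is still above a 20,000 appetite, so the plan flags it for management rather than quietly accepting it; the ransomware threat is brought within appetite by prevention alone. The gap between claimed and tested effectiveness is the point of the control evaluation stage.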

Page 199: Introduction to COBIT

199

Summary


Recommended