
www.isaca-malta.org

Roger Southgate

Past President of ISACA London Chapter
Member of the BSI Committees for Service Management and IT Governance

Leader of the COBIT Development Group in London

Obtaining Assurance from IT through governance frameworks


Delegate Update

The next five slides were added to my presentation to provide some more detail on the COBIT Security Baseline, which was introduced by Eric in the session immediately before lunch.

COBIT Security Baseline Structure

48 pages (see pages 16 - 22)

The COBIT Security Baseline – 44 Steps

Plan and Organise (10 steps)
• Define the security strategy and the information architecture
• Define the IT organisation and relationships
• Communicate management aims and direction
• Manage IT human resources
• Assess and manage IT risks

Acquire and Implement (10 steps)
• Identify automated solutions
• Acquire and maintain application technology infrastructure
• Enable operation and use
• Manage changes
• Install and accredit solutions and changes

Deliver and Support (21 steps)
• Define and manage service levels
• Manage third-party services
• Ensure continuous service
• Manage the configuration
• Manage data
• Manage the physical environment

Monitor and Evaluate (3 steps)
• Monitor and evaluate IT performance – assess internal control adequacy
• Obtain independent assurance
• Ensure regulatory compliance

Assess and Manage IT Risks

Step 8: Regularly discuss with key staff (from business and IT management) where and when security problems can adversely impact business objectives and how to protect against them.
  ISO/IEC 27002:2005: 4.1
  COBIT 4.1: PO2: 2.3; PO9: 9.1, 9.2, 9.3, 9.4

Step 9: Prepare a risk management action plan to address all risks according to business risk.
  ISO/IEC 27002:2005: 4.2
  COBIT 4.1: PO9: 9.5, 9.6

Step 10: Establish staff understanding of the need for responsiveness and consider cost-effective means to manage the identified security risks through security controls (e.g., backup, access control, virus protection, firewalls) and insurance coverage.
  ISO/IEC 27002:2005: 4.1, 4.2, 6.1, 8.2
  COBIT 4.1: PO7: 7.4; AI1: 1.1, 1.2; PO9: 9.5

Six Information Security Survival Kits

Audiences: Boards of Directors / Trustees; Senior Executives; Executives; Managers; Professional Users; Home Users

• Executives: 13 Questions to Ask + 17 Items to Action
• Managers: 38 Conditions to Check
• Professional Users: 10 “Dos” and 10 “Don’ts”
• Home Users: 15 Non-Technical Precautions + 7 Technical
• Boards of Directors / Trustees and Senior Executives: 13 Questions to Ask + 7 Items to Action; 9 Questions to Ask + 7 Items to Action

Specific Information Security Risks (per kit): 6, 6, 7, 5, 6, 6

Session Plan

• How I got started
• The challenges we face
• A word of caution
• How can I get started?
• What help is available?

How I got started


Session Plan

• How I got started
• The challenges we face
• A word of caution
• How can I get started?
• What help is available?

Enterprise Governance in Practice

Enterprise Governance

Conformance – Corporate Governance processes (Accountability, Assurance)
• Chairman / CEO
• Non-Executive Directors
• Audit Committee
• Resource and Remuneration Committee
• Strategic Risk Management for compliance
• Controls Assurance

Performance – Business Governance processes (Value Creation, Resource Utilisation)
• Strategic Planning and Alignment
• Strategic Decision Making
• Dashboards / Scorecards
• Strategic Enterprise Systems
• Continuous Improvement
• Strategic Risk Management

The Challenges We Face

Are we doing the right things?

Are we doing them the right way?

Are we getting them done well?

Are we getting the benefits?

The Roots

• Assurance – v1, 1996
• IT Control – v2, 1998
• Management of IT Performance – v3, 2000
• Governance - IT Focus – v4.1, 2005/2007

Business Goals → IT Goals → IT Processes → IT Activities

The journey continues

2001-3

COBIT Components and inter-relationships

Business Goals → IT Goals → IT Processes (requirements / information)

• Business Goals and IT Goals are derived from / based on Value Drivers and Risk Drivers (why)
• IT Processes are measured by Outcome Measures (for outcome), Performance Indicators (for performance) and Maturity Models (for maturity)
• IT Processes are broken down into Key Activities, performed by the roles in the RACI Chart
• IT Processes are controlled by Control Objectives, which are implemented with Control Practices
• Control Objectives are audited with Control Design Tests and Control Outcome Tests

Frameworks, Standards and Codes of Practice

COSO; International / National Legal Framework; ISO 38500; ISO 9000; CMMI; ISO 27000; ITIL; ISO 20000

Five focus areas: Performance Measurement, Resource Management, Risk Management, Value Delivery, Strategic Alignment

www.itgi.org

“COBIT the integrator“

ITGI Enables ISO/IEC 38500

Sets out six principles for good corporate governance of IT:
1: Responsibility
2: Strategy
3: Acquisition
4: Performance
5: Conformance
6: Human Behaviour

Directors should govern IT through three main tasks:
a) Evaluate the current and future use of IT.
b) Direct preparation and implementation of plans and policies to ensure that use of IT meets business objectives.
c) Monitor conformance to policies, and performance against the plans.

© ISO/IEC 2008 – All rights reserved

Implementing and Continually Improving IT Governance


Session Plan

• How I got started
• The challenges we face
• A word of caution
• How can I get started?
• What help is available?

How we look at things ... really does make a difference

What can you see?

We are ALL human after all

What we plan to do

What we think we do

What we say we do

What we actually do

From the neck up there is no limitation on what a person can accomplish

From the shoulders down, we are all severely limited in what we can accomplish by ourselves

We are all fallible, frail and forgetful

Thought + Action = Result + Consequences

“Mind the gap!”


Complexity, Detail and Time

Models, frameworks and good practices help us make sense of the context and the challenges we face; they provide roadmaps.

Route maps or plans reflect the choices we make to guide our organisations to our defined destination.

Session Plan

• How I got started
• The challenges we face
• A word of caution
• How can I get started?
• What help is available?

Where are we right now?

How are we going to get there?

Where do we need to get to?

Are we on the same page?


Getting Started with Value Management

Diagram from page 20


Where are we right now?


Where are we right now?


Session Plan

• How I got started
• The challenges we face
• A word of caution
• How can I get started?
• What help is available?

The Opportunity Clock is always ticking…

The demands of Today

The needs of Tomorrow

Maturity Model Attributes:
A&C Awareness and Communication
PSP Policies, Standards and Procedures
T&A Tools and Automation
S&E Skills and Expertise
R&A Responsibility and Accountability
GSM Goal Setting and Measurement

Requirements for Information:

Effectiveness

Efficiency

Confidentiality

Integrity

Availability

Compliance

Information Reliability

The Five Focus Areas of IT Governance

Define strategy – What? / How?

• Strategic Alignment
• Value Delivery – Create value (good things to happen)
• Risk Management – Preserve value (bad things not happening)
• IT Resource Management
• Performance Measurement – Measure results, resolve problems, continuous improvement

Are we doing the right things?

Are we doing them the right way?

Are we getting them done well?

Are we getting the benefits?

Information Services Resource and Control View

Business Process/es – Business Controls

IT Processes – Application Controls

Generic Process Controls

General IT Controls:
• Systems development
• Change management
• Security
• Computer operations

IT Resource Stack: Data, Desktops

COBIT Fundamentals

The Business Requirements for Information: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Information Reliability

IT Processes: Plan and Organise; Acquire and Implement; Deliver and Support; Monitor and Evaluate

IT Resources: Applications, Information, Infrastructure, People

“To provide the information that the organisation needs to achieve its objectives, IT resources need to be managed by a set of naturally grouped processes.”

Maturity Model Attributes:
A&C Awareness and Communication
PSP Policies, Standards and Procedures
T&A Tools and Automation
S&E Skills and Expertise
R&A Responsibility and Accountability
GSM Goal Setting and Measurement

Are we doing the right things?

Are we doing them the right way?

Are we getting them done well?

Are we getting the benefits?

Realism? Relevance? Results?

Look – Act – Speak – Think

The Way Forward: our journey continues...

Thank you

[email protected]
+44(0)2392 259720

Mob: +44(0)7714 769617

All ISACA publications are available from www.isaca.org
