Comprehending Information
Technology Governance
Delivered in February 2013

Goutama Bachtiar
Technology Advisor, Consultant and Auditor
www.linkedin.com/in/goutama
T: @goudotmobi
Allow Me to Introduce Myself

February 2013

Developed by @goudotmobi

2
Trainer Profile
• 15 years of working experience with exposure in advisory, consulting, audit, training and education, software development, project management and network administration
• VP - Head of Information Technology at Roligio Group
• Advisor at Global Innovations and Technology Platform
• Subject Matter Expert, Editorial Journal Reviewer and Exam Developer at ISACA
• Program Evaluator at Project Management Institute
• Microsoft Faculty Fellow
• Columnist and contributor at ZDNet Asia, e27.co, Forbes Indonesia, DetikINET and InfoKomputer among others
Background and Objectives
BACKGROUND
• IT Governance is to a country’s constitution what management is to the
country’s laws
• Corporate Governance, IT Governance, and IT Security Governance are
responsibilities of Board or Senior Management
• The significance of IT governance can be judged from the fact that ISACA
has introduced a new certification, Certified in the Governance of
Enterprise IT (CGEIT), effective since December, 2008, just on the
respective subject
• Topics covered will map directly to ISACA’s job practice areas (domains)
OBJECTIVES
• The training will address key knowledge areas related to IT Governance
domains: IT Governance Framework, IT/Business Strategy Alignment, IT
Value Delivery, Risk Management, Resource Management and
Performance Measurement
• Differentiate between IT Governance and IT Management, and help set up
IT Governance Framework including IT alignment, Value delivery, Risk
Management, Performance Management, and Resource Utilization
Targeted Participants
• Corporate and IT management interested in learning
the “what” and “how to” on IT Governance
• IT auditors and Management Consultants who’d like to
learn how to audit IT Governance, and provide
governance-related services to Senior Client
Management
• Senior IT management responsible for understanding
theory and implementation of IT Governance, Value
Delivery, IT Risk Management, Information Security,
and Balanced Score Card (BSC) Implementation

Training Agenda
• Governance vs Management
• IT Governance Framework
• IT Alignment with Business Requirements
• IT Value Delivery
• IT Risk Management
• IT Performance Measurement
• IT Balanced Score Card

Training Agenda (cont’d)
• IT Resource Management
• Board’s Oversight Committees
• IT Strategy Committee
• IT Steering Committee
• Board’s Business Continuity Oversight
• Auditing IT Governance
• Maturity of IT Governance With CMM Scale

ISACA Certification
CGEIT constitutes:
1. IT Governance Framework (25%)
2. Strategic Alignment (15%)
3. Value Delivery (15%)
4. Risk Management (20%)
5. Resource Management (13%)
6. Performance Measurement (12%)
IT GOVERNANCE IN A BRIEF
Common Issues
• Disconnect between IT & everyone else
• IT is overwhelmed
• Projects are delayed; not as successful
• Customer dissatisfaction & “I’ll do it myself” mentality
• Multiple systems exist for similar needs
• IT lacks direction

Common Issues (cont’d)
• No one person is accountable for IT
• Technology does not make things better
• Security concerns
• Data in multiple places/hard to pull together
• Projects not delivered or not done well

Solution
• Well-defined decision making process
• Forward thinking IT leadership
• High-performing IT management team
• Easily understood Architecture & Standards
• Project Evaluation & Prioritization
• Best Practice Project Management approach

Understanding IT Governance
• Comprises the body of issues addressed in
considering how IT is applied within the
enterprise.
• Effective enterprise governance focuses on:
– Individual and group expertise
– Experience in specific areas

• Key element: alignment of business and IT

What is IT Governance?
• Structure to help align IT strategy with
business strategy
• According to ITGI, there are 5 areas of focus:
– Strategic alignment
– Value delivery
– Resource management
– Risk management
– Performance measures

IT Governance Definition
“The responsibility of executives and the board
of directors, and consists of the leadership,
organizational structures and processes that
ensure that the enterprise’s IT sustains and
extends the organization’s strategies and
objectives”

Three Pillars of IT Governance
Diagram: IT Governance supported by three pillars - Infrastructure Management, IT Use/Demand Management and IT Project Management. Caption: Managing Ever-Increasing Complexity

IT Governance Institute
• IT Governance Institute (www.itgi.org) is a non-profit, independent research entity that provides guidance for the global business community on issues related to governance of IT assets
• Established by ISACA in 1998 to help executives and IT professionals ensure that IT delivers value and its risks are mitigated through alignment with enterprise objectives, IT resources are properly allocated, and IT performance is measured
• ITGI developed Control Objectives for Information and related Technology (COBIT®) and Val IT™, and offers original research and case studies to help enterprise leaders and boards of directors fulfill their IT governance responsibilities and help IT professionals deliver value-adding services
Why is IT Governance important?
• Compliance with regulations
• Competitive advantage
• Support of enterprise goals
• Growth and innovation
• Increase in intangible assets
• Reduction of risk

Why is IT Governance important? (cont’d)

Who is involved?
• Team leaders
• Managers
• Executives
• Board of Directors
• Stakeholders

Governance and Management
• Governance ensures that enterprise objectives
are achieved by evaluating stakeholder needs,
conditions and options; setting direction through
prioritisation and decision making; and
monitoring performance, compliance and
progress against agreed-on direction and
objectives (EDM)
• Management plans, builds, runs and monitors
activities in alignment with the direction set by
the governance body to achieve the enterprise
objectives (PBRM)
Corporate Governance of IT
ISO/IEC 38500:2008 Corporate governance of IT
Scope

• Provides guiding principles for directors of organizations
(including owners, board members, directors, partners,
senior executives, or similar) on the effective, efficient,
and acceptable use of IT within their organizations
• Applies to the governance of management processes (and
decisions) relating to the ICT services used by an
organization. These processes could be controlled by IT
specialists within the organization or external service
providers, or by business units within the organization
Corporate Governance of IT (cont.)
ISO/IEC 38500:2008 Corporate Governance of IT
2.1 Principles
Principle 1: Responsibility
Principle 2: Strategy
Principle 3: Acquisition
Principle 4: Performance
Principle 5: Conformance
Principle 6: Human Behavior

IT Governance Landscape

Approaches Currently In Use
• Business As Usual - “Firefighting”

• Legislation - “Forced”

• Best Practice Focused
Commencing Best Practices
Quality & Control Models
• ISO 900x
• COBIT®
• TQM
• EFQM
• Six Sigma
• COSO
• Deming
• etc..

Process Frameworks
• ITIL®
• Application Service Library
• Gartner CSD
• IBM Processes
• EDS Digital Workflow
• Microsoft MOF
• Telecom Ops Map
• etc..

• What is not defined cannot be controlled
• What is not controlled cannot be measured
• What is not measured cannot be improved
ITIL® v2 to v3
Introduction to ITIL
Diagram of the ITIL v2 library, spanning The Business on one side to Technology on the other:
• Planning To Implement Service Management
• Service Management: Service Support and Service Delivery
• The Business Perspective
• Small-Scale Implementation
• Application Management
• ICT Infrastructure Management
• Security Management
• Software Asset Management
ITIL® v2 Service Support Model
Diagram of the Service Support processes and their outputs, with the business, customers or users at the top and the CMDB underneath:
• The Business, Customers or Users: communications, updates and work-arounds flow out to them; difficulties, queries, enquiries, incidents and changes flow in; customer survey reports
• Service Desk: receives incidents (also raised by monitoring tools); customer survey reports
• Incident Management: service reports, incident statistics, audit reports
• Problem Management: problem statistics, problem reports, problem reviews, diagnostic aids, audit reports
• Change Management: change schedule, CAB minutes, change statistics, change reviews, audit reports
• Release Management: release schedule, release statistics, release reviews, secure library, testing standards, audit reports
• Configuration Management: CMDB reports, CMDB statistics, policy standards, audit reports
• Flows between processes: incidents → problems and known errors → changes → releases; CIs and their relationships are recorded in the CMDB
ITIL® V2 Service Delivery Model
Diagram of the Service Delivery processes and their outputs, with the business, customers and users at the top:
• Business, Customers and Users: communications, updates and reports flow out to them; queries and enquiries flow in; requirements, targets and achievements are exchanged with Service Level Management
• Service Level Management: SLAs, SLRs, OLAs, service reports, service catalogue, SIP, exception reports, audit reports
• Availability Management: availability plan, AMDB, design criteria, targets/thresholds, reports, audit reports
• Capacity Management: capacity plan, CDB, targets/thresholds, capacity reports, schedules, audit reports
• Financial Management for IT Services: financial plan, types and models, costs and charges, reports, budgets and forecasts, audit reports
• IT Service Continuity Management: IT continuity plans, BIA and risk analysis, requirements defined, control centres, DR contracts, reports, audit reports
• Inputs from operations: management tools, alerts and exceptions, changes
IT Governance and ITIL®version 3

IT Governance and COBIT

Why Get Into Governance?
• Due diligence
• IT is critical to the business
• IT is strategic to the business
• Expectations and reality don’t match
• IT hasn’t gotten the attention it deserves
• IT involves huge investments and large risks
IT Governance and COBIT
“Due diligence”
• Infrastructure and productive functions
• Skills, culture, operating environment
• Capabilities, risks, process knowledge and
customer information
• Service levels

Enterprises should be equally inquisitive
about themselves.
IT Governance and COBIT
IT Is Critical to Most Businesses

This criticality arises from:
• The increasing dependence on information and the
systems and communications that deliver it
• The dependence on entities beyond the direct control of
the enterprise
• IT failures increasingly impacting reputation and enterprise
value
• The potential for technologies to dramatically change
organisations and business practices, create new
opportunities and reduce costs
• The risks of doing business in an interconnected world
• The need to build and maintain knowledge essential to
sustain and grow the business
IT Governance and COBIT
Why Has IT Not Gotten the Attention It Merits?
• IT requires more technical insight than do other disciplines to understand how IT
– Enables the enterprise
– Creates risks
– Gives rise to opportunities
• IT has traditionally been treated as an entity separate to the business
• IT is complex, and even more so in the extended enterprise operating in a networked economy
IT Governance and COBIT

October 1992: A new command and control system developed by the London ambulance service failed on the first day of operation.

1997: Barings Bank collapsed as a result of unauthorized trading, in part enabled by the willful manipulation of management information.

August 1997: UK investment managers Save & Prosper abandoned a major new IT system, having spent 2 million pounds on its design and implementation.

October 1998: UK Internet bank Egg launched a new online-only credit card, only to find its technical infrastructure was unable to cope with the demand.
IT Governance and COBIT

What Should Boards Do About It?
• Be driven by stakeholder value
• Adopt an IT governance framework
• Ask the right questions
• Focus on IT’s
– Alignment with the business
– Value delivery
– Risk management
– Measure result
Diagram: Stakeholder Value Drivers at the centre, surrounded by IT Strategic Alignment, IT Value Delivery, Risk Management and Performance Measurement.

IT Governance and COBIT
What Should Management Do About It?
• Align IT strategy with business goals
• Cascade strategy and goals down into the organisation
• Set up organisational structures that facilitate strategy implementation
• Adopt a control and governance framework
• Provide IT infrastructures that facilitate creation and sharing of business information
• Embed responsibilities for risk management in the organisation
• Focus on important IT processes and core IT competencies
• Measure performance (balanced business scorecard)

IT Governance and COBIT
COBIT: An IT Control Framework
• Starts from the premise that IT needs to deliver the information that the enterprise needs to achieve its objectives
• Promotes process focus and process ownership
• Divides IT into 34 processes belonging to four domains and provides a high level control objective for each
• Looks at fiduciary, quality and security needs of enterprises, providing seven information criteria that can be used to generically define what the business requires from IT
• Is supported by a set of over 300 detailed control objectives

Four domains:
• Planning
• Acquiring & Implementing
• Delivery & Support
• Monitoring

Seven information criteria:
• Effectiveness
• Efficiency
• Availability
• Integrity
• Confidentiality
• Reliability
• Compliance
IT Governance and COBIT

IT Governance Defined (1)
Several definitions with common elements:
• Responsibility of the board of directors
• Protects shareholder value
• Ensures risk transparency
• Directs and controls IT investment, opportunity, benefits and risks
• Aligns IT with the business while accepting IT is a critical input to and component of the strategic plan, influencing strategic opportunities
• Sustains the current operation and prepares for the future
• Is an integral part of a global governance structure

IT Governance and COBIT

IT Governance Defined (2)
IT governance, like other governance subjects, is
the responsibility of executives and shareholders
(represented by the board of directors). It
consists of the leadership and organisational
structures and processes that ensure that the
organisation’s IT sustains and extends the
organisation’s strategies and objectives.

IT Governance and COBIT
IT Governance Framework
Diagram of the governance cycle: Set measurable goals → Deliver results → Measure performance → Compare against the goals → Act if not aligned (and back to setting goals).
IT Governance and COBIT

IT Governance Framework
Diagram: a loop of Set Objectives → Provide Direction → IT Activities → Measure Performance → Compare (against the objectives).
Set Objectives:
• IT is aligned with the business
• IT enables the business and maximises benefits
• IT resources are used responsibly
• IT-related risks are managed appropriately
IT Activities:
• Increase automation (make the business effective)
• Decrease cost (make the enterprise efficient)
• Manage risks (security, reliability and compliance)

Enterprise Governance
• Responsibilities and practices exercised by the
board and executive management with goals
of:
• Provide strategic direction
• Ensure achieved objectives
• Appropriately managed risk
• Responsible resource use

Enterprise Governance Objective
A Balance of
• Performance
By improving profit, efficiency, effectiveness, growth, etc.
• Conformance
By adhering to legislation, internal policies, audit requirements, etc.
Both enterprise governance and IT governance require a balance between performance and conformance goals as directed by the board
Enterprise vs IT Governance
• Enterprise
Responsibilities and practices exercised by the board and exec management with goals of:
– Provide strategic direction
– Ensure achieved objectives
– Appropriately managed risk
– Responsible resource use

• IT
Part of enterprise governance
Consisting of leadership, organizational structures and processes that ensure that the enterprise’s IT sustains and furthers the enterprise strategies and objectives
Governance as Control Views

Governance Stakeholder
Responsibilities

Governance, Stakeholders, Interests
• IT Governance is part of Enterprise Governance
• Governance Focus Areas
– Strategic Alignment
– Value Delivery
– Risk Management
– Resource Management
– Performance Measurement
• Governance objective is balance of
– Performance – Value Delivery
– Conformance – Risk Management
Governance, Stakeholders, Interests (cont’d)
Governance Stakeholders include
– Board & Executives
– Business & IT Management
– Risk and Compliance & IT Audit
Stakeholders
– Have Governance Role & Responsibilities
– Expect Inputs and Deliver Outputs to
Governance Process
IT Governance Framework (ITGI)
Diagram: a loop of Set Objectives → Provide Direction → IT Activities → Measure Performance → Compare.
Set Objectives:
• IT is aligned with the business
• IT enables the business and maximizes benefits
• IT resources are used responsibly
• IT-related risks managed appropriately
IT Activities:
• Increase automation (make the business effective)
• Decrease cost (make enterprise efficient)
• Manage risks (security, reliability and compliance)

Governance Support with COBIT

Control Objectives for IT (COBIT)

COBIT Processes

COBIT Processes (cont’d)

Content Overview
• For Framework
– Process Controls
– Application Controls
– Maturity Attributes

• For each Process
– Description, linkage to business goal, …
– Detailed Control Objectives
– Management Guidelines
– Process Inputs and Outputs
– Process Activities and RACI
– Measurements
– Maturity Model

Val IT V.2.0 – Value Management

Val IT
• Val IT supports the enterprise goal of creating optimal value from IT-enabled investments at an affordable cost, with an acceptable level of risk
• It is guided by a set of principles applied in value management processes
• Those processes are enabled by key management practices
• They are measured by performance against goals and metrics
Val IT Key Definitions
• Project—A structured set of activities concerned with delivering a defined
capability (that is necessary but not sufficient to achieve a required
business outcome) to the enterprise based on an agreed upon schedule
and budget
• Program —A structured grouping of inter-dependent projects that are
both necessary and sufficient to achieve a desired business outcome and
create value. These projects could involve, but are not limited to, changes
in the nature of the business, business processes, the work performed by
people, as well as the competencies required to carry out the work,
enabling technology and organizational structure. The investment program
is the primary unit of investment within Val IT
• Portfolio—Groupings of ‘objects of interest’ (investment program, IT
services, IT projects, other IT assets or resources) managed and monitored
to optimize business value. The investment portfolio is of primary interest
to Val IT
• IT service, project, asset or other resource portfolios are of primary
interest to COBIT

Val IT Framework

Value Governance
The goal of VG is to ensure that value management practices are embedded in the enterprise, enabling it to secure optimal value from its IT-enabled investments throughout the full economic life cycle.
An executive commitment to value governance helps
enterprises:
– Establish the governance framework for value management in a
manner that is fully integrated with overall enterprise governance
– Provide strategic direction for the investment decisions
– Define the characteristics of portfolios required to support new
investments and resulting IT services, assets and other resources
– Improve value management on a continual basis, based on lessons
learned

Value Governance Process
• VG1: Establish informed and committed
leadership
• VG2: Define and implement processes
• VG3: Define portfolio characteristics
• VG4: Align and integrate value management with
enterprise financial planning
• VG5: Establish effective governance monitoring
• VG6: Continuously improve value management
practices
Portfolio Management
• The goal of portfolio management (PM) is to
ensure that an enterprise secures optimal value
across its portfolio of IT‐enabled investments
• An executive commitment to portfolio
management helps enterprises:
– Establish and manage resource profiles
– Define investment thresholds
– Evaluate, prioritize, and select, defer, or reject new
investments
– Manage and optimize the overall investment portfolio
– Monitor and report on portfolio performance
Portfolio Management Process
• PM1 Establish strategic direction and target
investment mix
• PM2 Determine the availability and sources of
funds
• PM3 Manage the availability of human resources
• PM4 Evaluate and select program to fund
• PM5 Monitor and report on investment portfolio
performance
• PM6 Optimize investment portfolio performance
Investment Management
The goal of investment management (IM) is to ensure that the
enterprise’s individual IT-enabled investments contribute to optimal
value. When organizational leaders commit to investment
management they improve their ability to:
– Identify business requirements
– Develop a clear understanding of candidate investment program
– Analyze alternative approaches to implementing the program
– Define each program and document, and maintain a detailed business case for it, including benefits’ details, throughout full economic life cycle of investment
– Assign clear accountability and ownership (for benefits realization)
– Manage each program through its full economic life cycle, including retirement
– Monitor and report on each program’s

Investment Management Process
• IM1 Develop and evaluate the initial program concept
business case
• IM2 Understand the candidate program and
implementation options
• IM3 Develop the program plan
• IM4 Develop full life‐cycle costs and benefits
• IM5 Develop the detailed candidate program business case
• IM6 Launch and manage the program
• IM7 Update operational IT portfolios
• IM8 Update the business case
• IM9 Monitor and report on the program
• IM10 Retire the program
Risk IT

Types of Risk

Risk IT Principles
• The Risk IT framework principles are
• Effective enterprise governance of IT risk:
– Always connects to business objectives
– Aligns the management of IT-related business risk with overall enterprise risk management
– Balances the costs and benefits of managing risk
• Effective management of IT risk:
– Promotes fair and open communication of IT risk
– Establishes the right tone from the top while defining and enforcing personal accountability for operating within acceptable and well-defined tolerance levels
– Is a continuous process and part of daily activities
Risk IT Building Blocks
Key building blocks of good IT risk management:
• Set responsibility for IT risk management
• Set objectives and define risk appetite and
tolerance
• Identify, analyze and describe risk
• Monitor risk exposure
• Treat IT risk
• Link with existing guidance to manage risk
Risk Assessment

IT Risk Assessment Frameworks:
• ISACA Risk IT
• Information Security Risk Management for ISO 27001
• CRAMM Information Security Toolkit
• OCTAVE (Operationally Critical Threat, Asset, Vulnerability Evaluation)
IT Risk ASSESSMENT
• Definition of risk assessment

The potential that a given threat will exploit vulnerabilities of
an asset or group of assets to cause loss or damage to the
assets. The impact or relative severity of the risk is
proportional to the business value of the loss/damage and to
the estimated frequency of the threat.

IT Risk ASSESSMENT
Components of risk assessment
• Threats to, and vulnerabilities of,
processes and/or assets (including both
physical and information assets)
• Impact on assets based on threats and
vulnerabilities
• Probabilities of threats (combination of
the likelihood and frequency of
occurrence)

ISACA Risk IT
Risk IT: A Balance is Essential
• Risk and value are two sides of the same coin.
• Risk is inherent to all enterprises.
BUT
Enterprises need to ensure that opportunities for
value creation are not missed by trying to
eliminate all risk.

Risk IT Extends Val IT and COBIT
Risk IT complements and
extends COBIT and Val IT
to make a more complete
IT governance guidance
resource.

IT-related Risk Management
Risk IT is not limited to information security. It covers all IT-related risks, including:
• Late project delivery
• Not achieving enough value from IT
• Compliance
• Misalignment
• Obsolete or inflexible IT architecture
• IT service delivery problems
Guiding Principles of Risk IT
• Always connect to enterprise objectives.
• Align the management of IT-related business risk with overall enterprise risk management.
• Balance the costs and benefits of managing risk.
• Promote fair and open communication of IT risk.

Guiding Principles of Risk IT
• Establish the right tone from the top while defining and enforcing personal accountability for operating within acceptable and well-defined tolerance levels.
• Understand that this is a continuous process and an important part of daily activities.

Key Risk IT Content: The “What”
• Key content of the Risk IT framework includes:
• Risk management essentials
– In Risk Governance: Risk appetite and tolerance, responsibilities and accountability for IT risk management, awareness and communication, and risk culture
– In Risk Evaluation: Describing business impact and risk scenarios
– In Risk Response: Key risk indicators (KRI) and risk response definition and prioritisation
• Section on how Risk IT extends and enhances COBIT and Val IT (Note: Risk IT does not require the use of COBIT or Val IT.)

Key Risk IT Content: The “What”
• Process model sections that contain:
– Descriptions
– Input-output tables
– RACI (Responsible, Accountable, Consulted, Informed) table
– Goals and Metrics table
– Maturity model is provided for each domain
• Appendices
– Reference materials
– High-level comparison of Risk IT to other risk management frameworks and standards
– Glossary
Risk IT Three Domains

Risk IT: The “How”
• Key contents of The Risk IT Practitioner Guide:
– Review of the Risk IT process model
– Risk IT to COBIT and Val IT
– How to use it:
1. Define a risk universe and scoping risk management
2. Risk appetite and risk tolerance
3. Risk awareness, communication and reporting: includes key risk indicators, risk profiles, risk aggregation and risk culture
4. Express and describe risk: guidance on business context, frequency, impact, COBIT business goals, risk maps, risk registers
5. Risk scenarios: includes capability risk factors and environmental risk factors
6. Risk response and prioritisation
7. A risk analysis workflow: “swim lane” flow chart, including role context
8. Mitigation of IT risk using COBIT and Val IT
– Mappings: Risk IT to other risk management standards and frameworks
– Glossary

Risk/Response Definition
The purpose of defining a risk
response is to bring risk in line
with the defined risk tolerance
for the enterprise after due risk
analysis.
In other words, a response needs
to be defined such that future
residual risk (=current risk with
the risk response defined and
implemented) is as much as
possible (usually depending on
budgets available) within risk
tolerance limits.
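The deck's two definitions, risk as impact proportional to the business value of the loss and to the estimated frequency of the threat, and a response chosen so that residual risk sits within tolerance as far as the budget allows, can be made concrete with a small risk register. The Python below is an added worked example written for this page; it is not from the deck, ISACA's Risk IT or any other framework named here. The scoring formula (asset value x share lost per occurrence x annual frequency), the frequency/loss multipliers used to model a response, the selection rule and every figure are constructed assumptions.

```python
"""Worked risk register (added example, not part of the original deck).

Constructed assumptions: risk is scored as an annualised expected loss,
i.e. business value of the asset x share of that value lost per occurrence
x estimated annual frequency of the threat; a response scales frequency
and/or loss; the preferred response is the cheapest affordable one whose
residual risk falls within the enterprise's tolerance. All figures are
constructed sample values."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Threat:
    name: str
    frequency: float      # estimated occurrences per year
    loss_fraction: float  # share of the asset's value lost per occurrence (0..1)


@dataclass
class Response:
    name: str
    cost: float                    # annual cost of the response
    frequency_factor: float = 1.0  # multiplier applied to threat frequency
    loss_factor: float = 1.0       # multiplier applied to loss per occurrence


@dataclass
class Risk:
    asset: str
    asset_value: float  # business value of the asset, in currency units
    threat: Threat
    responses: List[Response] = field(default_factory=list)

    def current_risk(self) -> float:
        """Expected annual loss before any response is applied."""
        return self.asset_value * self.threat.loss_fraction * self.threat.frequency

    def residual_risk(self, response: Response) -> float:
        """Expected annual loss once the response is defined and implemented."""
        return (self.asset_value * self.threat.loss_fraction * response.loss_factor
                * self.threat.frequency * response.frequency_factor)


def select_response(risk: Risk, tolerance: float, budget: float) -> Optional[Response]:
    """Cheapest affordable response whose residual risk is within tolerance.

    When no affordable response reaches tolerance, return the affordable one
    that gets closest (lowest residual risk); None if nothing is affordable."""
    affordable = [r for r in risk.responses if r.cost <= budget]
    if not affordable:
        return None
    within = [r for r in affordable if risk.residual_risk(r) <= tolerance]
    if within:
        return min(within, key=lambda r: r.cost)
    return min(affordable, key=lambda r: risk.residual_risk(r))


def sample_register() -> Risk:
    """Constructed register entry: one asset, one threat, three candidate responses."""
    return Risk(
        asset="customer database",
        asset_value=2_000_000.0,
        threat=Threat("ransomware", frequency=0.2, loss_fraction=0.5),
        responses=[
            Response("Accept the risk", cost=0.0),
            Response("Offline backups with tested restore", cost=30_000.0, loss_factor=0.1),
            Response("Endpoint hardening and awareness", cost=50_000.0, frequency_factor=0.25),
        ],
    )


def assess(risk: Risk, tolerance: float, budget: float) -> Dict[str, object]:
    """Summarise current risk, the chosen response and whether tolerance is met."""
    chosen = select_response(risk, tolerance, budget)
    residual = risk.residual_risk(chosen) if chosen else risk.current_risk()
    return {
        "asset": risk.asset,
        "current_risk": risk.current_risk(),
        "response": chosen.name if chosen else None,
        "residual_risk": residual,
        "within_tolerance": residual <= tolerance,
    }


if __name__ == "__main__":
    register = sample_register()
    for tol, bud in [(25_000.0, 60_000.0), (25_000.0, 10_000.0), (10_000.0, 60_000.0)]:
        print(f"tolerance={tol:,.0f} budget={bud:,.0f} -> {assess(register, tol, bud)}")
```

Making tolerance and budget explicit inputs is what turns the slide's "as much as possible within risk tolerance limits" into something an auditor can check: when `within_tolerance` comes back false, the register shows that the enterprise is carrying risk above its stated tolerance and that the constraint was budget rather than a missing analysis, which is exactly the gap a governance body should be asked to accept or fund.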

Risk IT Benefits and Outcomes
• Accurate view on current and near-future IT-related events
• End-to-end guidance on how to manage IT-related risks
• Understanding of how to capitalise on the investment made in an IT internal control system already in place
• Integration with the overall risk and compliance structures within the enterprise
• Common language to help manage the relationships
• Promotion of risk ownership throughout the organisation
• Complete risk profile to better understand risk

Information Security Risk Management for ISO/IEC 27001/ISO 27005
ISO/IEC 27000 Family of Standards
• ISO/IEC 27001 based on BS7799 by British Standards Institution
• Adopts “plan-do-check-act” process model
• Information Security Management System (ISMS) standard (ISO/IEC 27001)
• Formal specification: mandates specific requirements
• Adoption of ISO/IEC 27001 allows for formal audit and certification to explicit standard
• Risk management based on ISO/IEC 27000 standards
Information Security Risk Management for ISO/IEC 27001/ISO 27005
ISO/IEC 27005
• Information security risk management standard
• Does not specify, recommend or name any specific risk analysis method
• Does specify a structured, systematic and rigorous process from analysing risks to creating the risk treatment plan
CRAMM Information security risk
toolkit
• Provides a staged and disciplined approach towards IT
risk assessment

Source: http://www.cramm.com/overview/howitworks.htm

CRAMM Information security risk
toolkit
Asset identification and valuation
• Physical
• Software
• Data
• Location
Threat and vulnerability assessment
• Hacking
• Viruses
• Failures of equipment or software
• Wilful damage or terrorism
• Errors by people
Countermeasure selection and recommendation
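The risk response definition above (bring residual risk within tolerance, subject to the budget available), the ISO/IEC 27005 path from risk analysis to a risk treatment plan, and CRAMM's three stages (asset valuation, threat/vulnerability assessment, countermeasure selection) can be made concrete with a small risk register. The Python below is an added example and is not code from the slides, from CRAMM or from ISACA; the 1-5 scoring scale, the tolerance and budget values, and every asset, threat, countermeasure and cost in it are constructed.

```python
"""Risk register -> risk treatment plan (added example; constructed data).

Scale assumed here: likelihood and impact are scored 1-5, the risk score is
likelihood x impact, and the enterprise sets a tolerance (maximum acceptable
residual score) plus a treatment budget. None of the numbers or asset names
come from the slides; they are constructed to make the selection logic visible.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Response:
    name: str
    option: str          # treatment option: avoid, reduce, share or accept
    cost: int            # constructed cost units
    likelihood_after: int
    impact_after: int


@dataclass
class Risk:
    risk_id: str
    asset: str           # CRAMM stage 1: the asset and its value (impact)
    threat: str          # CRAMM stage 2: threat/vulnerability pair
    likelihood: int
    impact: int
    candidates: list[Response] = field(default_factory=list)  # CRAMM stage 3

    @property
    def inherent(self) -> int:
        return self.likelihood * self.impact


def residual(response: Response) -> int:
    """Residual risk = the risk that remains once the response is implemented."""
    return response.likelihood_after * response.impact_after


def accept_as_is(risk: Risk, name: str) -> Response:
    return Response(name, "accept", 0, risk.likelihood, risk.impact)


def choose_response(risk: Risk, tolerance: int) -> Response:
    """Cheapest candidate whose residual risk is within tolerance.

    Risks already within tolerance are accepted. If no candidate reaches
    tolerance, return the one with the lowest residual; the plan flags it.
    """
    if risk.inherent <= tolerance:
        return accept_as_is(risk, "accept (within tolerance)")
    if not risk.candidates:
        return accept_as_is(risk, "no candidate - escalate")
    within = [r for r in risk.candidates if residual(r) <= tolerance]
    if within:
        return min(within, key=lambda r: r.cost)
    return min(risk.candidates, key=lambda r: (residual(r), r.cost))


def treatment_plan(register: list[Risk], tolerance: int, budget: int):
    """Treat the highest inherent risks first so budget goes where exposure is largest."""
    plan, spent = [], 0
    for risk in sorted(register, key=lambda r: r.inherent, reverse=True):
        chosen = choose_response(risk, tolerance)
        if spent + chosen.cost > budget:
            # Budget exhausted: the risk stays as it is and must be escalated,
            # because silently 'accepting' it would breach the tolerance.
            chosen = accept_as_is(risk, "no budget - escalate")
        spent += chosen.cost
        res = residual(chosen)
        plan.append({
            "risk_id": risk.risk_id, "inherent": risk.inherent,
            "response": chosen.name, "option": chosen.option,
            "cost": chosen.cost, "residual": res,
            "within_tolerance": res <= tolerance,
        })
    return plan, spent


# Constructed register (hypothetical assets, threats and numbers)
REGISTER = [
    Risk("R1", "customer database", "SQL injection leading to data breach", 4, 5, [
        Response("parameterised queries + WAF", "reduce", 30, 1, 5),
        Response("cyber insurance", "share", 15, 4, 2),
    ]),
    Risk("R2", "payroll server", "hardware failure", 3, 3, [
        Response("clustered failover", "reduce", 25, 1, 3),
        Response("spare parts contract", "reduce", 8, 3, 2),
    ]),
    Risk("R3", "public website", "defacement", 2, 2, []),
    Risk("R4", "legacy FTP server", "credential sniffing", 5, 3, [
        Response("decommission FTP, move to SFTP", "avoid", 10, 0, 0),
    ]),
]

if __name__ == "__main__":
    plan, spent = treatment_plan(REGISTER, tolerance=6, budget=50)
    for row in plan:
        print(row)
    print("spent:", spent)
```

With tolerance 6 and budget 50 every risk ends within tolerance; with budget 35 the plan runs out of money after the first risk and marks the remaining over-tolerance risks for escalation rather than quietly accepting them, which is the point of the "within risk tolerance limits" wording above: a budget shortfall is a governance decision to surface, not a residual risk to hide.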

CERT OCTAVE
Operationally Critical Threat, Asset, and
Vulnerability Evaluation framework by the
Software Engineering Institute (1999)
• Components of information security risk evaluation
• Processes with required inputs, activities, outputs
• Phase 1: Build asset-based threat profiles
• Phase 2: Identify infrastructure vulnerabilities
• Phase 3: Develop security strategy and plans
• Self-directed information security risk
evaluation
• Analysis team includes people from business
units and the IT department

Regulatory requirements
Steps to determine compliance with external requirements:
• Identify external requirements
  – Establishment and organization
  – Responsibilities
  – Correlation to financial, operational and IT audit functions
• Document pertinent laws and regulations
  – Banking Act
  – Insurance Act
  – Circulars by Regulator
  – Government Instruction Manual or Circular
  – Statutory Act

Val IT Principles
• IT enabled investments will:
– Be managed as a portfolio of investments
– Include the full scope of activities required to achieve business value
– Be managed through their full economic life cycle
• Value delivery practices will:
– Recognize that there are different categories of investments that will be
evaluated and managed differently
– Define and monitor key metrics and will respond quickly to any changes
or deviations
– Engage all stakeholders and assign appropriate accountability to the
delivery of capabilities and the realization of business benefits
– Be continually monitored, evaluated and improved

The COBIT 5 Framework
• Simply stated, COBIT 5 helps enterprises create
optimal value from IT by maintaining a balance
between realising benefits and optimising risk levels
and resource use.
• COBIT 5 enables information and related technology
to be governed and managed in a holistic manner for
the entire enterprise, taking in the full end-to-end
business and functional areas of responsibility,
considering the IT-related interests of internal and
external stakeholders.
• The COBIT 5 principles and enablers are generic
and useful for enterprises of all sizes, whether
commercial, not-for-profit or in the public sector.
COBIT 5 Principles

Source: COBIT® 5, figure 2. © 2012 ISACA® All rights reserved.

COBIT 5 Enablers

Source: COBIT® 5, figure 12. © 2012 ISACA® All rights reserved.

COBIT 5: Now One Complete
Business Framework for
Governance of Enterprise IT
Evolution of scope (figure): each COBIT release widened the scope, from Audit
(COBIT 1, 1996) to Control (COBIT 2, 1998), Management (COBIT 3, 2000),
IT Governance (COBIT 4.0/4.1, 2005/7) and Governance of Enterprise IT
(COBIT 5, 2012), with Val IT 2.0 (2008) and Risk IT (2009) integrated into COBIT 5.

A business framework from ISACA, at www.isaca.org/cobit
© 2012 ISACA® All rights reserved.

COBIT 5 Framework
 The main, overarching COBIT 5 product
 Contains the executive summary and the full
description of all of the COBIT 5 framework
components:
 The five COBIT 5 principles
 The seven COBIT 5 enablers plus
 An introduction to the implementation guidance provided by
ISACA (COBIT 5 Implementation)
 An introduction to the COBIT Assessment Programme (not
specific to COBIT 5) and the process capability approach
being adopted by ISACA for COBIT
COBIT 5 Product Family

Source: COBIT® 5, figure 11. © 2012 ISACA® All rights reserved.

Five COBIT 5 Principles
The five COBIT 5 principles:
1. Meeting Stakeholder Needs
2. Covering the Enterprise End-to-end
3. Applying a Single Integrated Framework
4. Enabling a Holistic Approach
5. Separating Governance From Management

Meeting Stakeholder Needs
Principle 1. Meeting Stakeholder Needs
 Enterprises exist to create value for their stakeholders.

Source: COBIT® 5, figure 3. © 2012 ISACA® All rights reserved.
Meeting Stakeholder Needs (cont.)
Principle 1. Meeting Stakeholder Needs:
 Enterprises have many stakeholders, and ‘creating value’
means different—and sometimes conflicting—things to
each of them.
 Governance is about negotiating and deciding amongst
different stakeholders’ value interests.
 The governance system should consider all stakeholders
when making benefit, resource and risk assessment
decisions.
 For each decision, the following can and should be asked:
- Who receives the benefits?
- Who bears the risk?
- What resources are required?
Meeting Stakeholder Needs (cont.)
Principle 1. Meeting Stakeholder Needs:
 Stakeholder needs have to be transformed into an
enterprise's practical strategy.
 The COBIT 5 goals cascade translates stakeholder needs
into specific, practical and customised goals within the
context of the enterprise, IT-related goals and enabler
goals.
Source: COBIT® 5, figure 4. © 2012 ISACA® All rights reserved.
Meeting Stakeholder Needs (cont.)
Principle 1. Meeting Stakeholder Needs:
Benefits of the COBIT 5 goals cascade:
 It allows the definition of priorities for implementation,
improvement and assurance of enterprise governance of IT
based on (strategic) objectives of the enterprise and the
related risk.
 In practice, the goals cascade:
 Defines relevant and tangible goals and objectives at
various levels of responsibility.
 Filters the knowledge base of COBIT 5, based on
enterprise goals to extract relevant guidance for inclusion
in specific implementation, improvement or assurance
projects.
 Clearly identifies and communicates how (sometimes very
operational) enablers are important to achieve enterprise
goals.
Covering the Enterprise End-to-end
Principle 2. Covering the Enterprise End-to-end:
 COBIT 5 addresses the governance and management of
information and related technology from an enterprisewide,
end-to-end perspective.
 This means that COBIT 5:
 Integrates governance of enterprise IT into enterprise
governance, i.e., the governance system for enterprise IT
proposed by COBIT 5 integrates seamlessly in any
governance system because COBIT 5 aligns with the
latest views on governance.
 Covers all functions and processes within the enterprise;
COBIT 5 does not focus only on the ‘IT function’, but
treats information and related technologies as assets that
need to be dealt with just like any other asset by everyone
in the enterprise.
Covering the Enterprise End-to-end (cont.)
Principle 2. Covering the Enterprise End-to-end

Key components of a
governance system

Source: COBIT® 5, figure 8. © 2012 ISACA® All rights reserved.

Source: COBIT® 5, figure 9. © 2012 ISACA® All rights reserved.

Applying a Single Integrated Framework
Principle 3. Applying a Single Integrated Framework:
 COBIT 5 aligns with the latest relevant other standards and
frameworks used by enterprises:
 Enterprise: COSO, COSO ERM, ISO 9000,
ISO 31000
 IT-related: ISO/IEC 38500, ITIL, ISO/IEC 27000 series,
TOGAF, PMBOK/PRINCE2, CMMI
 This allows the enterprise to use COBIT 5 as the
overarching governance and management framework
integrator.
 ISACA plans a capability to facilitate COBIT user mapping
of practices and activities to third-party references.
Enabling a Holistic Approach
Principle 4. Enabling a Holistic Approach
COBIT 5 enablers are:
• Factors that, individually and collectively,
influence whether something will work—in the
case of COBIT, governance and management
over enterprise IT
• Driven by the goals cascade, i.e., higher-level
IT-related goals define what the different
enablers should achieve
• Described by the COBIT 5 framework in seven
categories
Enabling a Holistic Approach (cont.)
Principle 4. Enabling a Holistic Approach

Source: COBIT® 5, figure 12. © 2012 ISACA® All rights reserved.

Enabling a Holistic Approach (cont.)
Principle 4. Enabling a Holistic Approach:
1. Processes—Describe an organised set of practices and activities to achieve
certain objectives and produce a set of outputs in support of achieving overall
IT-related goals
2. Organisational structures—Are the key decision-making entities in an
organisation
3. Culture, ethics and behaviour—Of individuals and of the organisation; very
often underestimated as a success factor in governance and management
activities
4. Principles, policies and frameworks—Are the vehicles to translate the desired
behaviour into practical guidance for day-to-day management
5. Information—Is pervasive throughout any organisation, i.e., deals with all
information produced and used by the enterprise. Information is required for
keeping the organisation running and well governed, but at the operational level,
information is very often the key product of the enterprise itself.
6. Services, infrastructure and applications—Include the infrastructure,
technology and applications that provide the enterprise with information
technology processing and services
7. People, skills and competencies—Are linked to people and are required for
successful completion of all activities and for making correct decisions and
taking corrective actions
Enabling a Holistic Approach (cont.)
Principle 4. Enabling a Holistic Approach:
 Systemic governance and management through
interconnected enablers—To achieve the main objectives
of the enterprise, it must always consider an
interconnected set of enablers, i.e., each enabler:
 Needs the input of other enablers to be fully effective, e.g., processes
need information, organisational structures need skills and behaviour
 Delivers output to the benefit of other enablers, e.g., processes deliver
information, skills and behaviour make processes efficient

 This is a KEY principle emerging from the ISACA
development work around the Business Model for
Information Security (BMIS).

Enabling a Holistic Approach (cont.)
Principle 4. Enabling a Holistic Approach
COBIT 5 Enabler Dimensions:
• All enablers have a set of common dimensions. This set of common
dimensions:
– Provides a common, simple and structured way to deal with enablers
– Allows an entity to manage its complex interactions
– Facilitates successful outcomes of the enablers

Source: COBIT® 5, figure 13. © 2012 ISACA® All rights reserved.

Separating Governance From Management
Principle 5. Separating Governance From Management:
 The COBIT 5 framework makes a clear distinction
between governance and management.
 These two disciplines:
 Encompass different types of activities
 Require different organisational structures
 Serve different purposes
 Governance—In most enterprises, governance is the
responsibility of the board of directors under the
leadership of the chairperson.
 Management—In most enterprises, management is the
responsibility of the executive management under the
leadership of the CEO.
Separating Governance From Management (cont.)
Principle 5. Separating Governance From
Management:
• Governance ensures that stakeholder needs, conditions
and options are evaluated to determine balanced,
agreed-on enterprise objectives to be achieved; setting
direction through prioritisation and decision making;
and monitoring performance and compliance against
agreed-on direction and objectives (EDM).
• Management plans, builds, runs and monitors
activities in alignment with the direction set by the
governance body to achieve the enterprise objectives
(PBRM).
Separating Governance From Management (cont.)
Principle 5. Separating Governance From Management:
COBIT 5 is not prescriptive, but it advocates that organisations
implement governance and management processes such that the
key areas are covered, as shown.

Source: COBIT® 5, figure 15. © 2012 ISACA® All rights reserved.

Separating Governance From Management (cont.)
Principle 5. Separating Governance from
Management:
 The COBIT 5 framework describes seven categories of
enablers (Principle 4). Processes are one category.
 An enterprise can organise its processes as it sees fit,
as long as all necessary governance and management
objectives are covered. Smaller enterprises may have
fewer processes; larger and more complex enterprises
may have many processes, all to cover the same
objectives.
 COBIT 5 includes a process reference model (PRM),
which defines and describes in detail a number of
governance and management processes. The details of
this specific enabler model can be found in the COBIT
5: Enabling Processes volume.
COBIT 5: Enabling Processes
 COBIT 5: Enabling Processes complements
COBIT 5 and contains a detailed reference guide
to the processes that are defined in the COBIT 5
process reference model:
 In Chapter 2, the COBIT 5 goals cascade is recapitulated
and complemented with a set of example metrics for the
enterprise goals and the IT-related goals.
 In Chapter 3, the COBIT 5 process model is explained and
its components defined.
 Chapter 4 shows the diagram of this process reference
model.
 Chapter 5 contains the detailed process information for all
37 COBIT 5 processes in the process reference model.
COBIT 5: Enabling Processes (cont.)

Source: COBIT® 5, figure 29. © 2012 ISACA® All rights reserved.

COBIT 5: Enabling Processes (cont.)

Source: COBIT® 5, figure 16. © 2012 ISACA® All rights reserved.
COBIT 5: Enabling Processes (Cont.)
COBIT 5: Enabling Processes:
• The COBIT 5 process reference model subdivides the IT-related practices and activities of the enterprise into two
main areas—governance and management—with
management further divided into domains of processes:
• The GOVERNANCE domain contains five
governance processes; within each process, evaluate,
direct and monitor (EDM) practices are defined.
• The four MANAGEMENT domains are in line with
the responsibility areas of plan, build, run and monitor
(PBRM).
COBIT 5 Implementation
• The improvement of the governance of enterprise IT
(GEIT) is widely recognised by top management as an
essential part of enterprise governance.
• Information and the pervasiveness of information
technology are increasingly part of every aspect of
business and public life.
• The need to drive more value from IT investments and
manage an increasing array of IT-related risk has never
been greater.
• Increasing regulation and legislation over business use of
information is also driving heightened awareness of the
importance of a well-governed and managed IT
environment.
COBIT 5 Implementation (cont.)
• ISACA has developed the COBIT 5 framework to help
enterprises implement sound governance enablers
• Indeed, implementing good GEIT is almost impossible
without engaging an effective governance framework
• Best practices and standards are also available to underpin
COBIT 5
• Frameworks, best practices and standards are useful only
if they are adopted and adapted effectively
• There are challenges that need to be overcome and issues
that need to be addressed if GEIT is to be implemented
successfully
COBIT 5 Implementation (cont.)
• COBIT 5: Implementation covers the following subjects:
• Positioning GEIT within an enterprise
• Taking the first steps towards improving GEIT
• Implementation challenges and success factors
• Enabling GEIT-related organisational and behavioural
change
• Implementing continual improvement that includes
change enablement and programme management
• Using COBIT 5 and its components

COBIT 5 Implementation (cont.)

Source: COBIT® 5, figure 17. © 2012 ISACA® All rights reserved.
COBIT 5
Future Supporting Products
COBIT 5 Product Family

Source: COBIT® 5, figure 11. © 2012 ISACA® All rights reserved.

COBIT 5 Future Supporting Products
Future supporting products:
• Professional Guides:
• COBIT 5 for Information Security
• COBIT 5 for Assurance
• COBIT 5 for Risk
• Enabler Guides:
• COBIT 5: Enabling Information
• COBIT Online Replacement
• COBIT Assessment Programme:
• Process Assessment Model (PAM): Using COBIT 5
• Assessor Guide: Using COBIT 5
• Self-assessment Guide: Using COBIT 5
Governance (and Management) in COBIT 5
• Governance ensures that enterprise objectives are
achieved by evaluating stakeholder needs, conditions and
options; setting direction through prioritisation and
decision making; and monitoring performance, compliance
and progress against agreed direction and objectives
(EDM).
• Management plans, builds, runs and monitors activities in
alignment with the direction set by the governance body to
achieve the enterprise objectives (PBRM).
• Exercising governance and management effectively in
practice requires appropriately using all enablers. The
COBIT process reference model allows us to focus easily on
the relevant enterprise activities.
Governance in COBIT 5
• The COBIT 5 process reference model subdivides the IT-related practices and activities of the enterprise into two main
areas—governance and management—with management
further divided into domains of processes
• The GOVERNANCE domain contains five governance
processes; within each process, evaluate, direct and monitor
(EDM) practices are defined.
  – EDM01 Ensure governance framework setting and maintenance.
  – EDM02 Ensure benefits delivery.
  – EDM03 Ensure risk optimisation.
  – EDM04 Ensure resource optimisation.
  – EDM05 Ensure stakeholder transparency.

• The four MANAGEMENT domains are in line with the
responsibility areas of plan, build, run and monitor (PBRM).
February 2013

Developed by @goudotmobi

130
Governance in COBIT 5 (cont.)

Source: COBIT® 5, figure 16. © 2012 ISACA® All rights reserved.
Risk Management in COBIT 5
• The GOVERNANCE domain contains five governance
processes, one of which focuses on stakeholder risk-related
objectives: EDM03 Ensure risk optimisation.
• Process Description
• Ensure that the enterprise’s risk appetite and tolerance
are understood, articulated and communicated, and
that risk to enterprise value related to the use of IT is
identified and managed.
• Process Purpose Statement
• Ensure that IT-related enterprise risk does not exceed
risk appetite and risk tolerance, the impact of IT risk to
enterprise value is identified and managed, and the
potential for compliance failures is minimised.
Risk Management in COBIT 5 (cont.)
• The MANAGEMENT Align, Plan and Organise domain
contains a risk-related process: APO12 Manage risk.
• Process Description
• Continually identify, assess and reduce IT-related risk
within levels of tolerance set by enterprise executive
management.
• Process Purpose Statement
• Integrate the management of IT-related enterprise
risk with overall ERM, and balance the costs and
benefits of managing IT-related enterprise risk.
Risk Management in COBIT 5 (cont.)

Source: COBIT® 5, figure 16. © 2012 ISACA® All rights reserved.
Risk Management in COBIT 5 (cont.)
• All enterprise activities have associated risk exposures
resulting from environmental threats that exploit enabler
vulnerabilities.
• EDM03 Ensure risk optimisation ensures that the enterprise
stakeholders' approach to risk is articulated, to direct how
risks facing the enterprise will be treated.
• APO12 Manage risk provides the enterprise risk
management (ERM) arrangements that ensure that the
stakeholder direction is followed by the enterprise.
• All other processes include practices and activities that
are designed to treat related risk (avoid,
reduce/mitigate/control, share/transfer, or accept).
Risk Management in COBIT 5 (cont.)
• In addition to activities, COBIT 5 suggests accountabilities,
and responsibilities for enterprise roles and
governance/management structures (RACI charts) for each
process. These include risk-related roles.

Source: COBIT® 5: Enabling Processes, page 108. © 2012 ISACA® All rights reserved.
Compliance in COBIT 5
• The MANAGEMENT Monitor, Evaluate and Assess domain
contains a compliance focused process: MEA03 Monitor,
evaluate and assess compliance with external
requirements.
• Process Description
• Evaluate that IT processes and IT-supported business
processes are compliant with laws, regulations and
contractual requirements. Obtain assurance that the
requirements have been identified and complied with, and
integrate IT compliance with overall enterprise compliance.
• Process Purpose Statement
• Ensure that the enterprise is compliant with all applicable
external requirements.
Compliance in COBIT 5 (cont.)

Source: COBIT® 5, figure 16. © 2012 ISACA® All rights reserved.
Compliance in COBIT 5 (cont.)
• Legal and regulatory compliance is a key part of the
effective governance of an enterprise, hence its inclusion
in the GRC term and in the COBIT 5 Enterprise Goals and
supporting enabler process structure (MEA03).
• In addition to MEA03, all enterprise activities include
control activities that are designed to ensure compliance
not only with externally imposed legislative or regulatory
requirements but also with enterprise governance-determined principles, policies and procedures.

Compliance in COBIT 5 (cont.)
• In addition to activities, COBIT 5 suggests accountabilities,
and responsibilities for enterprise roles and
governance/management structures (RACI charts) for each
process. These include a compliance-related role.

Source: COBIT® 5: Enabling Processes, page 213. © 2012 ISACA® All rights reserved.
CHALLENGES AND CONCERNS
RELATED TO IT GOVERNANCE

Aligning IT and Business Strategy
• Corporate Mission – Business Goals – IT
Strategy
• Requires involvement from many levels and
activities within the enterprise.
• Lack of alignment leads to adverse business
issues.
• Strong IT Governance contributes toward
proper alignment.
IT Service Delivery

Ensuring Value and Effectiveness
• IT issues are the least understood, despite
increasing reliance placed on IT.
• Initiate IT governance structures with the right
level of executive involvement.
• Boards of directors require essential IT-related
skills

Information Systems Governance
• Consists of leadership, organizational
structures and processes that safeguard
information.
• Security over information assets.
• Benefits of IS Governance.
• IS governance is a top-down process.

Measuring IT Governance
Performance
• Measuring IT performance is a key concern as it
demonstrates the effectiveness and added
business value of IT.
• Commonly seen as the IT “Black Hole” – costs
continually rise without clear evidence of value
derived from the IT function.
• Traditional performance measurement methods
require monetary values which are hard to apply
to IT systems.
IT Governance Performance
Management Approaches

IT Balanced Scorecard
• One of the most effective means to aid an
organization in achieving IT and business alignment.
• Provides a systematic translation of the IT strategy
into tangible success factors and metrics.
• Gives a balanced view of the value added by IT to the
business.
• Calculating the value of IT investments is a business
issue for which business managers are ultimately
responsible.
ISACA Global Status Report 2008 (cont'd)
Research purposes
 Reach members of the C-Suite to determine their sense of priority
and actions taken relative to IT governance
 Understand their need for tools and services to help ensure effective
IT governance
Detailed objectives
 Survey and analyze the degree to which the concept of IT
governance is recognized, established and accepted within
boardrooms and especially by chief information officers (CIOs)
 Determine what level of IT governance expertise exists and which
frameworks are known and are (or will be) adopted
 Measure the extent to which ITGI’s own framework, Control
Objectives for Information and related Technology (COBIT), is
selected and how it is perceived
ISACA Global Status Report 2008 (cont'd)
Revealed Results
 Insufficient IT staff availability, service delivery issues and difficulty
proving the value of information technology continue to concern
executives at organizations around the world
 58% noted an insufficient number of staff, compared to 35%
in 2005
 48% said that IT service delivery problems remain the second most
common problem
 38% point to problems relating to staff with inadequate skills
 30% reported problems anticipating the return on investment (ROI)
for IT expenditures
 The study is a follow-up to ITGI’s 2003 and 2005 surveys and tracks
IT governance trends over the past four years

ISACA Global Status Report 2008 (cont'd)
• Survey Sample
Researchers contacted CIOs and chief executive officers
(CEOs). The total number of interviews conducted was
749, of which 652 were from a random sample of
organizations
71 were known as COBIT users and 26 were
experienced COBIT users
• Global Reach
The interviews were conducted worldwide (in 23
countries), and all continents/regions were
represented.
New Ways of Implementing IT Governance
Lifecycle approach combining COBIT, Val IT and Risk IT

Implementing IT Governance Life Cycle

Lifecycle Phase Walkthrough
Phases:
• What are the drivers?
• Where are we now?
• Where do we want to be?
• What needs to be done?
• How do we get there?
• Did we get there?
• How do we keep the momentum going?
What Are The Drivers?
• Goal of Phase:
– Outline the business case
– Identify stakeholders, roles & responsibilities
– IT Governance program “wake-up call” and
communication kick-off
• Need for new or improved IT Governance Organization
recognized in Pain Points and/or Trigger events
• Pain Points analyzed for root cause and opportunities
looked for during Trigger events
• Root causes and opportunities provide business case
for improved or new IT Governance initiatives
Trigger Events
• Merger, acquisition or divestiture
• An enterprise-wide governance focus or project
• Shift in the market, economy or competitive position
• Change in business operating model or sourcing
arrangements
• A new CIO, CFO, COO or CEO
• External audit or consultant assessments
• A new business strategy
• New regulatory or compliance requirements
• Significant technology change or paradigm shift

Common Pain Points
• Failed IT initiatives
• Rising costs
• Resource waste through duplication or overlap in IT
• Perception of low business value from IT investments
• Significant incidents related to IT risk (e.g. data loss)
• Service delivery problems
• Failure to meet regulatory or contractual requirements
• Audit findings for poor IT performance or low service levels
• Insufficient IT resources
• IT staff burnout/dissatisfaction
• IT-enabled changes frequently failing to meet business needs (late
deliveries or budget overruns)
• Hidden and/or rogue IT spending
• Multiple and complex IT assurance efforts
• Board members or senior managers that are reluctant to engage with IT
Where are we now?
• Define the Problems and Opportunities
– See pain point causes and trigger event opportunities
• Form Powerful Guiding Team
– Knowledgeable about the business environment
– Have insight into influencing factors
• Assess the Current State
– Identify IT goals and their alignment with enterprise goals
– Identify the most important processes
– Understand management’s risk appetite
– Understand the maturity of existing governance and
related processes
Where do we want to be?
• Define the Roadmap
– Describe the high level change enablement plan and
objectives
• Communicate Desired Vision
– Develop a communication strategy
– Communicate the vision
– Articulate the rationale and benefits of the change
– Set the “tone at the top”
• Define Target State and Perform Gap Analysis
– Define the target for improvement
– Analyze the gaps
– Identify potential improvements
What Needs to be done?
• Develop Program Plan
– Prioritize potential initiatives
– Develop formal and justifiable projects
– Use plans that include contribution and program objectives
• Empower Role Players and Identify Quick Wins
– High Benefit, easy implementation should come first
– Obtain buy-in by key stakeholders affected by the change
– Identify strengths in existing processes and leverage accordingly
• Design and Build Improvements
– Plot improvements onto a grid to assist with prioritization
– Consider approach, deliverables, resources needed, costs,
estimated time scales, project dependencies and risks

How Do We Get There?
• Execute the Plan
– Execute projects according to an integrated program plan
– Provide regular update reports to stakeholders
– Document and Monitor the contribution of projects while
managing risks identified
• Enable Operation and Use
– Build on the momentum and credibility of quick wins
– Plan cultural and behavioral aspects of the broader transition
– Define Measures of Success
• Implement Improvements
– Adopt and Adapt best practices to suit the organization’s
approach to policies and process changes
Did We Get There?
• Realize Benefits
– Monitor the overall performance of the program against business case objectives
– Monitor and measure the investment performance
• Embed New Approaches
– Provide transition from project mode to “business as usual”
– Monitor whether new roles and responsibilities have been taken on
– Track and assess objectives of the change response plans
– Maintain communication and ensure communication between appropriate stakeholders continues
• Operate and Measure
– Set targets for each metric
– Measure metrics against targets
– Communicate results and adjust targets as necessary

How Do We Keep Momentum Going?
• Continual Improvements: keeping the momentum is critical to sustainment of the lifecycle
• Review the Program Benefits
– Review program effectiveness through the program review gate
• Sustain
– Conscious reinforcement (reward achievers)
– Ongoing communication campaign (feedback on performance)
– Continuous top management commitment
• Monitor and Evaluate
– Identify new governance objectives based on program experience
– Communicate lessons learned and further improvement requirements for the next iteration of the cycle

Identifying Challenges

Change Enablement
• Guidance provided at each lifecycle phase
• Based on the Kotter model
– Establish a sense of urgency
– Form a powerful guiding coalition
– Create and communicate a clear vision, expressed simply
– Empower others to act on the vision, identifying and implementing quick wins
– Enable use and implement improvements/produce more change
– Institutionalize new approaches
– Sustain

Program Management Guidance
• Guidance provided at each lifecycle phase
– Initiate program
– Define problems and opportunities
– Define roadmap
– Develop program plan
– Execute plan
– Realize benefits
– Review program effectiveness
• Detailed guidance provided by Val IT

RESOURCE MANAGEMENT

Considerations in a Sourced Environment
• Sourcing Strategy
• Contract Management
• Finance Management
• Relationship Management
• Performance Management

Sourcing Strategy
• Part of the IT Strategic Plan
• Inventory of critical supplier relationships
• Update based on changes to business, IT or supplier strategies
• May contain intervention plans

Contract Management
• Initial negotiation and in-life change management
• Defines services/quality
• Defines ownership of intellectual property
• Compliance with law and policy
• Audit rights

Contract Change Management
• Required either by changing business needs or to address ambiguity
• Should be viewed as a negotiation
• Each party will attempt to get concessions not previously obtained, so value is at risk
• Depend on Relationship Management for smaller changes to avoid this risk

Intellectual Property
• Supplier IP may be used to deliver efficiencies ($)
• However, use of supplier IP may limit sourcing flexibility
• Who owns process ‘know-how’, and does this change over time?
• What risk does this represent?

Intellectual Property Mitigations
• Inventory, inventory, inventory
– IT processes supporting the business
– Materials (documents, rights, etc.)
• Risk management discussion with the business
• Seek legal help
• Follow up!

Audit Rights
• Business requirements drive specifics
• Must be in the initial contract
• For supplier shared services, SAS 70 Type II
• Audit rights should be unlimited and at no cost

Finance Management
• Deal financials reporting
• Invoice verification
– Service receipt
– Credits
– Incentives
• Internal cost recovery

Finance Management (cont’d)
• This is THE PLACE to receive an independent confirmation of IT value delivery
• Budgets are a very unforgiving reality check!

Relationship Management
• Overall supplier management
• Monitor business needs
• Communication forums
• Issue management
• Risk management
• Project management

Risk Management
• IT Governance process to evaluate supplier financial, service delivery, relationship and information security risks in total
• As before, there may be a translation here from technical risk to business risk
• Can use Probability x Business Impact as the metric; the business should supply the impact
• This can be a powerful tool to use with suppliers, since they speak the lingua franca as well

Project Management
• Good project management helps assure value delivery
• Define ‘project’ vs. ‘daily work’ in the contract
• Has linkages to Finance Management (paying project costs) and Service Delivery (assuring project deliverables)

Performance Management
• Aligning service delivery requirements
• Managing and reporting against SLAs
• Management of individual projects
• Work prioritization

Best Practices for IT Governance
IT governance has become significant due to:
• Demands for better return from IT investments
• Increases in IT expenditures
• Regulatory requirements for IT controls
• Selection of service providers and outsourcing
• Complexity of network security
• Adoption of control frameworks
• Benchmarking

Best Practices for IT Governance (cont’d)
Audit role in IT governance
• Audit plays a significant role in the successful implementation of IT governance within an organization
• Reporting on IT governance involves auditing at the highest level in the organization and may cross division, functional or departmental boundaries

Best Practices for IT Governance (cont’d)
• In accordance with the defined role of the IS auditor, the following aspects related to IT governance need to be assessed:
– Alignment of the IS function with the organization’s mission, vision, values, objectives and strategies
– Achievement of performance objectives established by the business (e.g., effectiveness and efficiency) by the IS function
– Legal, environmental, information quality, fiduciary, security, and privacy requirements
– The control environment of the organization
– The inherent risks within the IS environment
– IT investment/expenditure

Auditing IT Governance
Indicators of potential problems include:
• Unfavorable end-user attitudes
• Excessive costs
• Budget overruns
• Late projects
• High staff turnover
• Inexperienced staff
• Frequent hardware/software errors

IT Governance Audit Planning
• Audit team composition
• Audit criteria
• Learning from the Balanced Scorecard approach

Audit Team Composition
• Leadership: business or IT?
– Audit supervision and Auditor in Charge independence is a must
• Beware setting up an audit team that may reflect corporate IT Governance issues
• Consider sourcing knowledgeable auditors

IT Governance Audit Criteria/Standards
• IIA Governance Auditing Standards
• ISACA / ITGI IT Governance Auditing Guidelines
• ITGI Risk IT Framework
• ITGI Val IT Framework
• << Insert your Company business policies here >>

Learnings from the Balanced Scorecard
• Consider IT Governance from various business points of view (1)
– Corporate
– Customer
– Operational Excellence
– Future / Sustainability
1. “Measuring and Improving IT Governance Through the Balanced Scorecard”, Information Systems Control Journal, Volume 2, 2005

Balanced Scorecard: Corporate View
Objective: Example Metrics
• Business/IT Alignment: Operational budget approval
• Value Delivery: Business Unit Performance
• Cost Management: Attainment of expense and recovery targets
• Risk Management: Results of Internal Audits
• Intercompany Synergy: Single System Solutions

Balanced Scorecard: Customer View
Objective: Example Metrics
• Customer Satisfaction: Business Unit Survey ratings
• Competitive Costs: Attainment of unit cost targets
• Development Performance: Major Project Scores
• Operational Performance: Attainment of targeted levels

Balanced Scorecard: Operational View
Objective: Example Metrics
• Development Process: Function Point Measures
• Operational Process: Change Management effectiveness
• Process Maturity: Level of IT Processes
• Enterprise Architecture: State of the infrastructure assessment

Balanced Scorecard: Future View
Objective: Example Metrics
• Human Resource Management: Staff Turnover
• Employee Satisfaction: Satisfaction survey scores
• Knowledge Management: Implementation of learned lessons

Reviewing Documentation
The following documents should be reviewed:
• IT strategies, plans and budgets
• Security policy documentation
• Organization/functional charts
• Job descriptions
• System development and program change procedures
• Operations procedures
• Human resource manuals
• Quality assurance procedures

Leveraging Agile Project Management with Scrum
 
Library of Information Technology Icons
Library of Information Technology IconsLibrary of Information Technology Icons
Library of Information Technology Icons
 
PMBOK 6th vs 5th Edition
PMBOK 6th vs 5th EditionPMBOK 6th vs 5th Edition
PMBOK 6th vs 5th Edition
 
Dealing with Fraud in E-Banking Sphere
Dealing with Fraud in E-Banking SphereDealing with Fraud in E-Banking Sphere
Dealing with Fraud in E-Banking Sphere
 
IS and IT Auditor Roles in Today's New Economy
IS and IT Auditor Roles in Today's New EconomyIS and IT Auditor Roles in Today's New Economy
IS and IT Auditor Roles in Today's New Economy
 
Conducting Digital Forensics against Crime and Fraud
Conducting Digital Forensics against Crime and FraudConducting Digital Forensics against Crime and Fraud
Conducting Digital Forensics against Crime and Fraud
 
Utilizing Internet for Fraud Examination and Investigation
Utilizing Internet for Fraud Examination and InvestigationUtilizing Internet for Fraud Examination and Investigation
Utilizing Internet for Fraud Examination and Investigation
 
Managing IT Risks in Internet Banking
Managing IT Risks in Internet BankingManaging IT Risks in Internet Banking
Managing IT Risks in Internet Banking
 
Electronic Payment Fundamentals: When Tech Embracing Payment Industry
Electronic Payment Fundamentals: When Tech Embracing Payment IndustryElectronic Payment Fundamentals: When Tech Embracing Payment Industry
Electronic Payment Fundamentals: When Tech Embracing Payment Industry
 
State of Cyber Crime in Banking Sector Today: Threats and Solutions
State of Cyber Crime in Banking Sector Today: Threats and SolutionsState of Cyber Crime in Banking Sector Today: Threats and Solutions
State of Cyber Crime in Banking Sector Today: Threats and Solutions
 
The State of ERP in Indonesia: Trends, Opportunities and Challenges
The State of ERP in Indonesia: Trends, Opportunities and ChallengesThe State of ERP in Indonesia: Trends, Opportunities and Challenges
The State of ERP in Indonesia: Trends, Opportunities and Challenges
 
Developing and Managing Business Continuity Plan (BCP)
Developing and Managing Business Continuity Plan (BCP)Developing and Managing Business Continuity Plan (BCP)
Developing and Managing Business Continuity Plan (BCP)
 
Implementing BPMN 2.0 with Microsoft Visio
Implementing BPMN 2.0 with Microsoft VisioImplementing BPMN 2.0 with Microsoft Visio
Implementing BPMN 2.0 with Microsoft Visio
 
Understanding IT Strategy, Sourcing and Vendor Relationships
Understanding IT Strategy, Sourcing and Vendor RelationshipsUnderstanding IT Strategy, Sourcing and Vendor Relationships
Understanding IT Strategy, Sourcing and Vendor Relationships
 
Valuing Information Management and IT Architecture
Valuing Information Management and IT ArchitectureValuing Information Management and IT Architecture
Valuing Information Management and IT Architecture
 
Riding and Capitalizing the Next Wave of Information Technology
Riding and Capitalizing the Next Wave of Information TechnologyRiding and Capitalizing the Next Wave of Information Technology
Riding and Capitalizing the Next Wave of Information Technology
 

Dernier

Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAshyamraj55
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfAijun Zhang
 
20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf
20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf
20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdfJamie (Taka) Wang
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfDaniel Santiago Silva Capera
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8DianaGray10
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesMd Hossain Ali
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfDianaGray10
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdfPedro Manuel
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.YounusS2
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding TeamAdam Moalla
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationIES VE
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Will Schroeder
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesDavid Newbury
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPathCommunity
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostMatt Ray
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IES VE
 
Spring24-Release Overview - Wellingtion User Group-1.pdf
Spring24-Release Overview - Wellingtion User Group-1.pdfSpring24-Release Overview - Wellingtion User Group-1.pdf
Spring24-Release Overview - Wellingtion User Group-1.pdfAnna Loughnan Colquhoun
 
Babel Compiler - Transforming JavaScript for All Browsers.pptx
Babel Compiler - Transforming JavaScript for All Browsers.pptxBabel Compiler - Transforming JavaScript for All Browsers.pptx
Babel Compiler - Transforming JavaScript for All Browsers.pptxYounusS2
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024D Cloud Solutions
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UbiTrack UK
 

Dernier (20)

Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdf
 
20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf
20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf
20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdf
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond Ontologies
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation Developers
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
 
Spring24-Release Overview - Wellingtion User Group-1.pdf
Spring24-Release Overview - Wellingtion User Group-1.pdfSpring24-Release Overview - Wellingtion User Group-1.pdf
Spring24-Release Overview - Wellingtion User Group-1.pdf
 
Babel Compiler - Transforming JavaScript for All Browsers.pptx
Babel Compiler - Transforming JavaScript for All Browsers.pptxBabel Compiler - Transforming JavaScript for All Browsers.pptx
Babel Compiler - Transforming JavaScript for All Browsers.pptx
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
 

Comprehending Information Technology Governance

  • 1. Comprehending Information Technology Governance. Delivered on February 2013. Goutama Bachtiar, Technology Advisor, Consultant and Auditor. www.linkedin.com/in/goutama, T: @goudotmobi
  • 2. Allow Me to Introduce Myself (February 2013, Developed by @goudotmobi, slide 2)
  • 3. Trainer Profile
    – 15 years of working experience with exposure in advisory, consulting, audit, training and education, software development, project management and network administration
    – VP - Head of Information Technology at Roligio Group
    – Advisor at Global Innovations and Technology Platform
    – Subject Matter Expert, Editorial Journal Reviewer and Exam Developer at ISACA
    – Program Evaluator at Project Management Institute
    – Microsoft Faculty Fellow
    – Columnist and contributor at ZDNet Asia, e27.co, Forbes Indonesia, DetikINET and InfoKomputer among others
  • 5. Background and Objectives
    BACKGROUND
    – IT Governance is to a country’s constitution what management is to the country’s laws
    – Corporate Governance, IT Governance and IT Security Governance are responsibilities of the Board or Senior Management
    – The significance of IT governance can be judged from the fact that ISACA introduced a new certification, Certified in the Governance of Enterprise IT (CGEIT), effective December 2008, dedicated to this subject
    – Topics covered map directly to ISACA’s job practice areas (domains)
    OBJECTIVES
    – The training addresses the key knowledge areas of the IT Governance domains: IT Governance Framework, IT/Business Strategy Alignment, IT Value Delivery, Risk Management, Resource Management and Performance Measurement
    – Differentiate between IT Governance and IT Management, and help set up an IT Governance Framework covering IT alignment, value delivery, risk management, performance management and resource utilization
  • 6. Targeted Participants
    – Corporate and IT management interested in learning the “what” and “how to” of IT Governance
    – IT auditors and management consultants who would like to learn how to audit IT Governance and provide governance-related services to senior client management
    – Senior IT management responsible for understanding the theory and implementation of IT Governance, Value Delivery, IT Risk Management, Information Security and Balanced Scorecard (BSC) implementation
  • 7. Training Agenda
    – Governance vs Management
    – IT Governance Framework
    – IT Alignment with Business Requirements
    – IT Value Delivery
    – IT Risk Management
    – IT Performance Measurement
    – IT Balanced Scorecard
  • 8. Training Agenda (cont’d)
    – IT Resource Management
    – Board’s Oversight Committees
    – IT Strategy Committee
    – IT Steering Committee
    – Board’s Business Continuity Oversight
    – Auditing IT Governance
    – Maturity of IT Governance with the CMM Scale
  • 9. ISACA Certification
    The CGEIT job practice consists of six domains:
    1. IT Governance Framework (25%)
    2. Strategic Alignment (15%)
    3. Value Delivery (15%)
    4. Risk Management (20%)
    5. Resource Management (13%)
    6. Performance Measurement (12%)
  • 10. IT GOVERNANCE IN BRIEF
  • 11. Common Issues
    – Disconnect between IT and everyone else
    – IT is overwhelmed
    – Projects are delayed and less successful than planned
    – Customer dissatisfaction and an “I’ll do it myself” mentality
    – Multiple systems exist for similar needs
    – IT lacks direction
  • 12. Common Issues (cont’d)
    – No one person is accountable for IT
    – Technology does not make things better
    – Security concerns
    – Data in multiple places, hard to pull together
    – Projects not delivered or not done well
  • 13. Solution
    – Well-defined decision-making process
    – Forward-thinking IT leadership
    – High-performing IT management team
    – Easily understood architecture and standards
    – Project evaluation and prioritization
    – Best-practice project management approach
  • 14. Understanding IT Governance
    – Comprises the body of issues addressed in considering how IT is applied within the enterprise
    – Effective enterprise governance focuses on individual and group expertise, and on experience in specific areas
    – Key element: alignment of business and IT
  • 15. What is IT Governance?
    – A structure to help align IT strategy with business strategy
    – According to ITGI, there are five areas of focus: strategic alignment, value delivery, resource management, risk management and performance measurement
  • 16. IT Governance Definition
    “The responsibility of executives and the board of directors, and consists of the leadership, organizational structures and processes that ensure that the enterprise’s IT sustains and extends the organization’s strategies and objectives”
  • 17. Three Pillars of IT Governance (diagram): IT Infrastructure Management, IT Use/Demand Management, IT Project Management
  • 18. Managing Ever-Increasing Complexity (diagram)
  • 19. IT Governance Institute
    – The IT Governance Institute (www.itgi.org) is a non-profit, independent research entity that provides guidance to the global business community on issues related to the governance of IT assets
    – Established by ISACA in 1998 to help executives and IT professionals ensure that IT delivers value and that its risks are mitigated through alignment with enterprise objectives, that IT resources are properly allocated, and that IT performance is measured
    – ITGI developed Control Objectives for Information and related Technology (COBIT®) and Val IT™, and offers original research and case studies to help enterprise leaders and boards of directors fulfil their IT governance responsibilities and help IT professionals deliver value-adding services
  • 20. Why is IT Governance important?
    – Compliance with regulations
    – Competitive advantage
    – Support of enterprise goals
    – Growth and innovation
    – Increase in intangible assets
    – Reduction of risk
  • 21. Why is IT Governance important? (cont’d) (diagram)
  • 22. Who is involved?
    – Team leaders
    – Managers
    – Executives
    – Board of Directors
    – Stakeholders
  • 23. Governance and Management
    – Governance ensures that enterprise objectives are achieved by evaluating stakeholder needs, conditions and options; setting direction through prioritisation and decision making; and monitoring performance, compliance and progress against the agreed-on direction and objectives (EDM: Evaluate, Direct, Monitor)
    – Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives (PBRM: Plan, Build, Run, Monitor)
  • 24. Corporate Governance of IT: ISO/IEC 38500:2008 Corporate governance of IT
    Scope
    – Provides guiding principles for directors of organizations (including owners, board members, directors, partners, senior executives or similar) on the effective, efficient and acceptable use of IT within their organizations
    – Applies to the governance of management processes (and decisions) relating to the ICT services used by an organization. These processes may be controlled by IT specialists within the organization, by external service providers, or by business units within the organization
  • 25. Corporate Governance of IT (cont’d): ISO/IEC 38500:2008, clause 2.1 Principles
    – Principle 1: Responsibility
    – Principle 2: Strategy
    – Principle 3: Acquisition
    – Principle 4: Performance
    – Principle 5: Conformance
    – Principle 6: Human Behaviour
  • 26. IT Governance Landscape (diagram)
  • 27. Approaches Currently In Use
    – Business as usual: “firefighting”
    – Legislation: “forced”
    – Best-practice focused
  • 28. Commencing Best Practices
    Quality & Control Models: ISO 900x, COBIT®, TQM, EFQM, Six Sigma, COSO, Deming, etc.
    Process Frameworks: ITIL®, Application Service Library, Gartner CSD, IBM Processes, EDS Digital Workflow, Microsoft MOF, Telecom Ops Map, etc.
    – What is not defined cannot be controlled
    – What is not controlled cannot be measured
    – What is not measured cannot be improved
  • 29. ITIL® v2 to v3 (diagram of the ITIL v2 library, spanning The Business to The Technology): Introduction to ITIL; Planning to Implement Service Management; The Business Perspective; Service Management (Service Delivery and Service Support); ICT Infrastructure Management; Application Management; Security Management; Small-Scale Implementation; Software Asset Management
  • 30. ITIL® v2 Service Support Model (diagram: The Business, Customers or Users interact with the Service Desk and the five processes through incidents, queries, enquiries, communications, updates and work-arounds; Monitoring Tools feed incidents; the CMDB underpins all processes)
    – Service Desk: customer survey reports
    – Incident Management: incident statistics, audit reports
    – Problem Management: problem statistics, problem reports, problem reviews, diagnostic aids, audit reports (problems, known errors)
    – Change Management: change schedule, CAB minutes, change statistics, change reviews, audit reports (changes)
    – Release Management: release schedule, release statistics, release reviews, secure library, testing standards, audit reports (releases)
    – Configuration Management: CMDB reports, CMDB statistics, policy standards, audit reports (CIs, relationships)
  • 31. ITIL® v2 Service Delivery Model (diagram: Business, Customers and Users exchange requirements, targets, achievements, queries, enquiries, communications, updates and reports with the five processes; Management Tools supply alerts and exceptions, and changes flow in from Service Support)
    – Service Level Management: SLAs, SLRs, OLAs, service reports, service catalogue, SIP, exception reports, audit reports
    – Availability Management: availability plan, AMDB, design criteria, targets/thresholds, reports, audit reports
    – Capacity Management: capacity plan, CDB, targets/thresholds, capacity reports, schedules, audit reports
    – Financial Management for IT Services: financial plan, types and models, costs and charges, reports, budgets and forecasts, audit reports
    – IT Service Continuity Management: IT continuity plans, BIA and risk analysis, requirements defined, control centres, DR contracts, reports, audit reports
  • 32. IT Governance and ITIL® version 3 (diagram)
  • 33. IT Governance and COBIT: Why Get Into Governance?
    – “Due diligence”
    – IT is critical to the business
    – IT is strategic to the business
    – Expectations and reality don’t match
    – IT hasn’t gotten the attention it deserves
    – IT involves huge investments and large risks
  • 34. IT Governance and COBIT: “Due diligence”
    – Infrastructure and productive functions
    – Skills, culture, operating environment
    – Capabilities, risks, process knowledge and customer information
    – Service levels
    Enterprises should be equally inquisitive about themselves.
  • 35. IT Governance and COBIT: IT Is Critical to Most Businesses
    This criticality arises from:
    – The increasing dependence on information and on the systems and communications that deliver it
    – The dependence on entities beyond the direct control of the enterprise
    – IT failures increasingly impacting reputation and enterprise value
    – The potential for technologies to dramatically change organisations and business practices, create new opportunities and reduce costs
    – The risks of doing business in an interconnected world
    – The need to build and maintain the knowledge essential to sustain and grow the business
  • 36. IT Governance and COBIT: Why Has IT Not Gotten the Attention It Merits?
    – IT requires more technical insight than other disciplines to understand how IT enables the enterprise, creates risks and gives rise to opportunities
    – IT has traditionally been treated as an entity separate from the business
    – IT is complex, and even more so in the extended enterprise operating in a networked economy
  • 37. IT Governance and COBIT: examples of IT failures
    – October 1992: A new command and control system developed by the London Ambulance Service failed on its first day of operation
    – February 1995: Barings Bank collapsed as a result of unauthorized trading, in part enabled by the wilful manipulation of management information
    – August 1997: UK investment managers Save & Prosper abandoned a major new IT system, having spent 2 million pounds on its design and implementation
    – October 1998: UK Internet bank Egg launched a new online-only credit card, only to find its technical infrastructure was unable to cope with the demand
  • 38. IT Governance and COBIT: What Should Boards Do About It?
    – Be driven by stakeholder value
    – Adopt an IT governance framework
    – Ask the right questions
    – Focus on IT’s alignment with the business, value delivery and risk management
    – Measure results
    (diagram: Stakeholder Value Drivers at the centre, surrounded by IT Strategic Alignment, IT Value Delivery, Risk Management and Performance Measurement)
  • 39. IT Governance and COBIT: What Should Management Do About It?
    – Align IT strategy with business goals
    – Cascade strategy and goals down into the organisation
    – Set up organisational structures that facilitate strategy implementation
    – Adopt a control and governance framework
    – Provide IT infrastructures that facilitate the creation and sharing of business information
    – Embed responsibilities for risk management in the organisation
    – Focus on important IT processes and core IT competencies
    – Measure performance (balanced business scorecard)
  • 40. IT Governance and COBIT: COBIT, an IT Control Framework
    – Starts from the premise that IT needs to deliver the information that the enterprise needs to achieve its objectives
    – Promotes process focus and process ownership
    – Divides IT into 34 processes belonging to four domains (Planning; Acquiring & Implementing; Delivery & Support; Monitoring) and provides a high-level control objective for each
    – Looks at the fiduciary, quality and security needs of enterprises, providing seven information criteria (Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability) that can be used to generically define what the business requires from IT
    – Is supported by a set of over 300 detailed control objectives
  • 41. IT Governance and COBIT: IT Governance Defined (1)
    Several definitions with common elements:
    – Responsibility of the board of directors
    – Protects shareholder value
    – Ensures risk transparency
    – Directs and controls IT investment, opportunity, benefits and risks
    – Aligns IT with the business while accepting that IT is a critical input to and component of the strategic plan, influencing strategic opportunities
    – Sustains the current operation and prepares for the future
    – Is an integral part of a global governance structure
  • 42. IT Governance and COBIT: IT Governance Defined (2)
    IT governance, like other governance subjects, is the responsibility of executives and shareholders (represented by the board of directors). It consists of the leadership and organisational structures and processes that ensure that the organisation’s IT sustains and extends the organisation’s strategies and objectives.
  • 43. IT Governance and COBIT: IT Governance Framework (cycle): Set measurable goals → Deliver results → Measure performance → Compare against the goals → Act if not aligned
  • 44. IT Governance and COBIT: IT Governance Framework
    Set Objectives
    – IT is aligned with the business
    – IT enables the business and maximises benefits
    – IT resources are used responsibly
    – IT-related risks are managed appropriately
    Provide Direction → IT Activities
    – Increase automation (make the business effective)
    – Decrease cost (make the enterprise efficient)
    – Manage risks (security, reliability and compliance)
    Measure Performance → Compare against objectives
• 45. Enterprise Governance. Responsibilities and practices exercised by the board and executive management with the goals of:
  – Providing strategic direction
  – Ensuring objectives are achieved
  – Managing risk appropriately
  – Using resources responsibly
• 46. Enterprise Governance Objective: a balance of
  – Performance: improving profit, efficiency, effectiveness, growth, etc.
  – Conformance: adhering to legislation, internal policies, audit requirements, etc.
  Both enterprise governance and IT governance require a balance between performance and conformance goals, as directed by the board.
• 47. Enterprise vs IT Governance
  – Enterprise governance: responsibilities and practices exercised by the board and executive management with the goals of providing strategic direction, ensuring objectives are achieved, managing risk appropriately and using resources responsibly
  – IT governance: part of enterprise governance, consisting of the leadership, organizational structures and processes that ensure that the enterprise’s IT sustains and furthers the enterprise strategies and objectives
• 48. Governance as Control Views
• 50. Governance, Stakeholders, Interests
  – IT Governance is part of Enterprise Governance
  – Governance focus areas: Strategic Alignment; Value Delivery; Risk Management; Resource Management; Performance Measurement
  – The governance objective is a balance of Performance and Value Delivery on one side and Conformance and Risk Management on the other
• 51. Governance, Stakeholders, Interests (cont’d)
  – Governance stakeholders include the Board & Executives, Business & IT Management, and Risk and Compliance & IT Audit
  – Stakeholders have governance roles & responsibilities, and expect inputs from and deliver outputs to the governance process
• 52. IT Governance Framework (ITGI). The cycle Set Objectives → Provide Direction → IT Activities → Measure Performance → Compare:
  – Set Objectives: IT is aligned with the business; IT enables the business and maximizes benefits; IT resources are used responsibly; IT-related risks are managed appropriately
  – IT Activities: Increase automation (make the business effective); Decrease cost (make the enterprise efficient); Manage risks (security, reliability and compliance)
• 53. Governance Support with COBIT
• 54. Control Objectives for IT (COBIT)
• 56. COBIT Processes (cont’d)
• 57. Content Overview
  – For the Framework: Process Controls; Application Controls; Maturity Attributes
  – For each Process:
    – Description, linkage to business goal, …
    – Detailed Control Objectives
    – Management Guidelines: Process Inputs and Outputs; Process Activities and RACI; Measurements; Maturity Model
• 58. Val IT V.2.0 – Value Management
• 59. Val IT. Val IT supports the enterprise goal of creating optimal value from IT-enabled investments at an affordable cost, with an acceptable level of risk. It is guided by a set of principles applied in value management processes, which are enabled by key management practices and are measured by performance against goals and metrics.
• 60. Val IT Key Definitions
  – Project: a structured set of activities concerned with delivering a defined capability (one that is necessary but not sufficient to achieve a required business outcome) to the enterprise, based on an agreed-upon schedule and budget
  – Program: a structured grouping of interdependent projects that are both necessary and sufficient to achieve a desired business outcome and create value. These projects could involve, but are not limited to, changes in the nature of the business, business processes, the work performed by people, the competencies required to carry out the work, enabling technology and organizational structure. The investment program is the primary unit of investment within Val IT
  – Portfolio: groupings of ‘objects of interest’ (investment programs, IT services, IT projects, other IT assets or resources) managed and monitored to optimize business value. The investment portfolio is of primary interest to Val IT; IT service, project, asset or other resource portfolios are of primary interest to COBIT
• 61. Val IT Framework
• 62. Value Governance. The goal of value governance (VG) is to ensure that value management practices are embedded in the enterprise, enabling it to secure optimal value from its IT-enabled investments throughout the full economic life cycle. An executive commitment to value governance helps enterprises:
  – Establish the governance framework for value management in a manner that is fully integrated with overall enterprise governance
  – Provide strategic direction for investment decisions
  – Define the characteristics of the portfolios required to support new investments and the resulting IT services, assets and other resources
  – Improve value management on a continual basis, based on lessons learned
• 63. Value Governance Process
  – VG1: Establish informed and committed leadership
  – VG2: Define and implement processes
  – VG3: Define portfolio characteristics
  – VG4: Align and integrate value management with enterprise financial planning
  – VG5: Establish effective governance monitoring
  – VG6: Continuously improve value management practices
• 64. Portfolio Management. The goal of portfolio management (PM) is to ensure that an enterprise secures optimal value across its portfolio of IT-enabled investments. An executive commitment to portfolio management helps enterprises:
  – Establish and manage resource profiles
  – Define investment thresholds
  – Evaluate, prioritize and select, defer or reject new investments
  – Manage and optimize the overall investment portfolio
  – Monitor and report on portfolio performance
• 65. Portfolio Management Process
  – PM1: Establish strategic direction and target investment mix
  – PM2: Determine the availability and sources of funds
  – PM3: Manage the availability of human resources
  – PM4: Evaluate and select programs to fund
  – PM5: Monitor and report on investment portfolio performance
  – PM6: Optimize investment portfolio performance
• 66. Investment Management. The goal of investment management (IM) is to ensure that the enterprise’s individual IT-enabled investments contribute to optimal value. When organizational leaders commit to investment management they improve their ability to:
  – Identify business requirements
  – Develop a clear understanding of candidate investment programs
  – Analyze alternative approaches to implementing the program
  – Define each program, and document and maintain a detailed business case for it, including details of benefits, throughout the full economic life cycle of the investment
  – Assign clear accountability and ownership (for benefits realization)
  – Manage each program through its full economic life cycle, including retirement
  – Monitor and report on each program’s
• 67. Investment Management Process
  – IM1: Develop and evaluate the initial program concept business case
  – IM2: Understand the candidate program and implementation options
  – IM3: Develop the program plan
  – IM4: Develop full life-cycle costs and benefits
  – IM5: Develop the detailed candidate program business case
  – IM6: Launch and manage the program
  – IM7: Update operational IT portfolios
  – IM8: Update the business case
  – IM9: Monitor and report on the program
  – IM10: Retire the program
• 68. Risk IT
• 69. Types of Risk
• 70. Risk IT Principles. The Risk IT framework principles are:
  – Effective enterprise governance of IT risk:
    – Always connects to business objectives
    – Aligns the management of IT-related business risk with overall enterprise risk management
    – Balances the costs and benefits of managing risk
  – Effective management of IT risk:
    – Promotes fair and open communication of IT risk
    – Establishes the right tone from the top while defining and enforcing personal accountability for operating within acceptable and well-defined tolerance levels
    – Is a continuous process and part of daily activities
• 71. Risk IT Building Blocks. Key building blocks of good IT risk management:
  – Set responsibility for IT risk management
  – Set objectives and define risk appetite and tolerance
  – Identify, analyze and describe risk
  – Monitor risk exposure
  – Treat IT risk
  – Link with existing guidance to manage risk
• 72. Risk Assessment. IT risk assessment frameworks covered:
  – ISACA Risk IT
  – Information Security Risk Management for ISO 27001
  – CRAMM Information Security Toolkit
  – OCTAVE (Operationally Critical Threat, Asset, Vulnerability Evaluation)
• 73. IT Risk Assessment. Definition of risk assessment: the potential that a given threat will exploit vulnerabilities of an asset or group of assets to cause loss or damage to the assets. The impact or relative severity of the risk is proportional to the business value of the loss/damage and to the estimated frequency of the threat.
• 74. IT Risk Assessment. Components of risk assessment:
  – Threats to, and vulnerabilities of, processes and/or assets (including both physical and information assets)
  – Impact on assets based on threats and vulnerabilities
  – Probabilities of threats (a combination of the likelihood and frequency of occurrence)
• 75. ISACA Risk IT – Risk IT: A Balance is Essential
  – Risk and value are two sides of the same coin.
  – Risk is inherent to all enterprises.
  BUT enterprises need to ensure that opportunities for value creation are not missed by trying to eliminate all risk.
• 76. Risk IT Extends Val IT and COBIT. Risk IT complements and extends COBIT and Val IT to make a more complete IT governance guidance resource.
• 77. IT-related Risk Management. Risk IT is not limited to information security. It covers all IT-related risks, including:
  – Late project delivery
  – Not achieving enough value from IT
  – Compliance
  – Misalignment
  – Obsolete or inflexible IT architecture
  – IT service delivery problems
• 78. Guiding Principles of Risk IT
  – Always connect to enterprise objectives.
  – Align the management of IT-related business risk with overall enterprise risk management.
  – Balance the costs and benefits of managing risk.
  – Promote fair and open communication of IT risk.
• 79. Guiding Principles of Risk IT (cont’d)
  – Establish the right tone from the top while defining and enforcing personal accountability for operating within acceptable and well-defined tolerance levels.
  – Understand that this is a continuous process and an important part of daily activities.
• 80. Key Risk IT Content: The “What”. Key content of the Risk IT framework includes:
  – Risk management essentials
  – In Risk Governance: risk appetite and tolerance, responsibilities and accountability for IT risk management, awareness and communication, and risk culture
  – In Risk Evaluation: describing business impact and risk scenarios
  – In Risk Response: key risk indicators (KRI) and risk response definition and prioritisation
  – A section on how Risk IT extends and enhances COBIT and Val IT (Note: Risk IT does not require the use of COBIT or Val IT.)
• 81. Key Risk IT Content: The “What” (cont’d)
  – Process model sections that contain: descriptions; input-output tables; a RACI (Responsible, Accountable, Consulted, Informed) table; a goals and metrics table
  – A maturity model is provided for each domain
  – Appendices: reference materials; a high-level comparison of Risk IT to other risk management frameworks and standards; glossary
• 82. Risk IT Three Domains
• 83. Risk IT: The “How”. Key contents of The Risk IT Practitioner Guide:
  – Review of the Risk IT process model
  – Risk IT to COBIT and Val IT
  – How to use it:
    1. Define a risk universe and scope risk management
    2. Risk appetite and risk tolerance
    3. Risk awareness, communication and reporting: includes key risk indicators, risk profiles, risk aggregation and risk culture
    4. Express and describe risk: guidance on business context, frequency, impact, COBIT business goals, risk maps, risk registers
    5. Risk scenarios: includes capability risk factors and environmental risk factors
    6. Risk response and prioritisation
    7. A risk analysis workflow: “swim lane” flow chart, including role context
    8. Mitigation of IT risk using COBIT and Val IT
  – Mappings: Risk IT to other risk management standards and frameworks
  – Glossary
• 84. Risk/Response Definition. The purpose of defining a risk response is to bring risk in line with the defined risk tolerance for the enterprise after due risk analysis. In other words, a response needs to be defined such that the future residual risk (= the current risk with the risk response defined and implemented) is as far as possible (usually depending on the budgets available) within the risk tolerance limits.
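The risk definition on slides 73 and 74 (severity proportional to the business value of the loss and the estimated threat frequency) and the response rule on slide 84 (residual risk must fall within tolerance) worked through as an added Python example. It is not from the training deck; every asset, loss value, frequency, response factor and tolerance in it is constructed sample data, and the four response kinds follow the Risk IT options (avoid, mitigate, transfer, accept).

```python
"""Added example: score risk scenarios, apply responses and check residual
risk against tolerance. Constructed data, not the deck's own material."""
from dataclasses import dataclass
from math import inf


@dataclass(frozen=True)
class RiskScenario:
    """A threat exploiting a vulnerability of an asset (slide 74 components)."""
    asset: str
    threat: str
    vulnerability: str
    loss_value: float        # business value of the loss/damage per occurrence
    annual_frequency: float  # estimated occurrences of the threat per year

    def exposure(self) -> float:
        """Annualised exposure: loss per occurrence x estimated frequency (slide 73)."""
        return self.loss_value * self.annual_frequency


@dataclass(frozen=True)
class RiskResponse:
    """A response expressed by how much of the frequency and loss it leaves.
    kind is one of the Risk IT options: avoid, mitigate, transfer, accept."""
    kind: str
    frequency_factor: float = 1.0  # fraction of the original frequency remaining
    loss_factor: float = 1.0       # fraction of the original loss remaining
    annual_cost: float = 0.0       # yearly cost of operating the response

    def residual_exposure(self, scenario: RiskScenario) -> float:
        """Residual risk = current risk with the response implemented (slide 84)."""
        if self.kind == "avoid":
            return 0.0  # the activity carrying the risk is discontinued
        return (scenario.loss_value * self.loss_factor
                * scenario.annual_frequency * self.frequency_factor)


def evaluate_responses(pairs, tolerance):
    """One row per (scenario, response): residual exposure, tolerance check
    and a benefit/cost ratio used for prioritisation."""
    rows = []
    for scenario, response in pairs:
        current = scenario.exposure()
        residual = response.residual_exposure(scenario)
        reduction = current - residual
        if response.annual_cost > 0:
            ratio = reduction / response.annual_cost
        else:
            ratio = inf if reduction > 0 else 0.0  # free reduction, or accept
        rows.append({
            "asset": scenario.asset,
            "threat": scenario.threat,
            "response": response.kind,
            "current_exposure": current,
            "residual_exposure": residual,
            "within_tolerance": residual <= tolerance,
            "benefit_cost_ratio": ratio,
        })
    return rows


def prioritise(rows):
    """Order responses by exposure reduction per unit of cost, highest first."""
    return sorted(rows, key=lambda r: r["benefit_cost_ratio"], reverse=True)


def outside_tolerance(rows):
    """Assets whose residual exposure still exceeds the tolerance: these need
    a further or different response before the register is signed off."""
    return [r["asset"] for r in rows if not r["within_tolerance"]]


# Constructed sample register: values are illustrative currency units per year.
RISK_TOLERANCE = 25_000.0
SAMPLE_PAIRS = [
    (RiskScenario("Customer database", "external intrusion", "unpatched web server",
                  loss_value=500_000, annual_frequency=0.2),
     RiskResponse("mitigate", frequency_factor=0.1, annual_cost=30_000)),
    (RiskScenario("Email service", "equipment failure", "single server, no spare",
                  loss_value=20_000, annual_frequency=2.0),
     RiskResponse("transfer", loss_factor=0.25, annual_cost=8_000)),
    (RiskScenario("Sales laptops", "theft", "devices left in vehicles",
                  loss_value=5_000, annual_frequency=4.0),
     RiskResponse("accept")),
    (RiskScenario("Legacy billing application", "software failure", "unsupported platform",
                  loss_value=60_000, annual_frequency=1.0),
     RiskResponse("mitigate", frequency_factor=0.6, annual_cost=5_000)),
]

if __name__ == "__main__":
    register = evaluate_responses(SAMPLE_PAIRS, RISK_TOLERANCE)
    for row in prioritise(register):
        print(f"{row['asset']:<28} {row['response']:<9} "
              f"residual={row['residual_exposure']:>10,.0f} "
              f"within tolerance={row['within_tolerance']}")
    print("still outside tolerance:", outside_tolerance(register))
```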
• 85. Risk IT Benefits and Outcomes
  – Accurate view of current and near-future IT-related events
  – End-to-end guidance on how to manage IT-related risks
  – Understanding of how to capitalise on the investment made in an IT internal control system already in place
  – Integration with the overall risk and compliance structures within the enterprise
  – Common language to help manage the relationships
  – Promotion of risk ownership throughout the organisation
  – Complete risk profile to better understand risk
• 86. Information Security Risk Management for ISO/IEC 27001/ISO 27005 – ISO/IEC 27000 Family of Standards
  – ISO/IEC 27001 is based on BS7799 by the British Standards Institution
  – Adopts the “plan-do-check-act” process model
  – Information Security Management System (ISMS) standard (ISO/IEC 27001)
  – Formal specification: mandates specific requirements
  – Adoption of ISO/IEC 27001 allows for formal audit and certification against an explicit standard
  – Risk management based on the ISO/IEC 27000 standards
• 87. Information Security Risk Management for ISO/IEC 27001/ISO 27005 – ISO/IEC 27005
  – Information security risk management standard
  – Does not specify, recommend or name any specific risk analysis method
  – Does specify a structured, systematic and rigorous process, from analysing risks to creating the risk treatment plan
• 88. CRAMM Information Security Risk Toolkit
  – Provides a staged and disciplined approach towards IT risk assessment
  Source: http://www.cramm.com/overview/howitworks.htm
• 89. CRAMM Information Security Risk Toolkit. Stages:
  – Asset identification and valuation: Physical; Software; Data; Location
  – Threat and vulnerability assessment: Hacking; Viruses; Failures of equipment or software; Wilful damage or terrorism; Errors by people
  – Countermeasure selection and recommendation
• 90. CERT OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation). Framework by the Software Engineering Institute (1999)
  – Components of information security risk evaluation: processes with required inputs, activities and outputs
    – Phase 1: Build asset-based threat profiles
    – Phase 2: Identify infrastructure vulnerabilities
    – Phase 3: Develop security strategy and plans
  – Self-directed information security risk evaluation
  – The analysis team includes people from business units and the IT department
• 93. Regulatory Requirements. Steps to determine compliance with external requirements:
  – Identify external requirements
    – Establishment and organization
    – Responsibilities
    – Correlation to financial, operational and IT audit functions
  – Document pertinent laws and regulations
    – Banking Act
    – Insurance Act
    – Circulars by the Regulator
    – Government Instruction Manual or Circular
    – Statutory Act
• 94. Val IT Principles
  – IT-enabled investments will:
    – Be managed as a portfolio of investments
    – Include the full scope of activities required to achieve business value
    – Be managed through their full economic life cycle
  – Value delivery practices will:
    – Recognize that there are different categories of investments that will be evaluated and managed differently
    – Define and monitor key metrics and respond quickly to any changes or deviations
    – Engage all stakeholders and assign appropriate accountability for the delivery of capabilities and the realization of business benefits
    – Be continually monitored, evaluated and improved
• 95. The COBIT 5 Framework
  – Simply stated, COBIT 5 helps enterprises create optimal value from IT by maintaining a balance between realising benefits and optimising risk levels and resource use.
  – COBIT 5 enables information and related technology to be governed and managed in a holistic manner for the entire enterprise, taking in the full end-to-end business and functional areas of responsibility and considering the IT-related interests of internal and external stakeholders.
  – The COBIT 5 principles and enablers are generic and useful for enterprises of all sizes, whether commercial, not-for-profit or in the public sector.
• 96. COBIT 5 Principles. Source: COBIT® 5, figure 2. © 2012 ISACA® All rights reserved.
• 97. COBIT 5 Enablers. Source: COBIT® 5, figure 12. © 2012 ISACA® All rights reserved.
• 98. COBIT 5: Now One Complete Business Framework for Governance of Enterprise IT. Evolution of scope:
  – Audit: COBIT1 (1996)
  – Control: COBIT2 (1998)
  – Management: COBIT3 (2000)
  – IT Governance: COBIT4.0/4.1 (2005/7)
  – Governance of Enterprise IT: COBIT 5 (2012), which brings together Val IT 2.0 (2008) and Risk IT (2009)
  A business framework from ISACA, at www.isaca.org/cobit. © 2012 ISACA® All rights reserved.
• 99. COBIT 5 Framework
  – The main, overarching COBIT 5 product
  – Contains the executive summary and the full description of all of the COBIT 5 framework components: the five COBIT 5 principles and the seven COBIT 5 enablers, plus an introduction to the implementation guidance provided by ISACA (COBIT 5 Implementation) and an introduction to the COBIT Assessment Programme (not specific to COBIT 5) and the process capability approach being adopted by ISACA for COBIT
• 100. COBIT 5 Product Family. Source: COBIT® 5, figure 11. © 2012 ISACA® All rights reserved.
• 101. Five COBIT 5 Principles. The five COBIT 5 principles:
  1. Meeting Stakeholder Needs
  2. Covering the Enterprise End-to-end
  3. Applying a Single Integrated Framework
  4. Enabling a Holistic Approach
  5. Separating Governance From Management
• 102. Meeting Stakeholder Needs. Principle 1. Meeting Stakeholder Needs: Enterprises exist to create value for their stakeholders. Source: COBIT® 5, figure 3. © 2012 ISACA® All rights reserved.
• 103. Meeting Stakeholder Needs (cont.). Principle 1. Meeting Stakeholder Needs:
  – Enterprises have many stakeholders, and ‘creating value’ means different, and sometimes conflicting, things to each of them.
  – Governance is about negotiating and deciding amongst different stakeholders’ value interests.
  – The governance system should consider all stakeholders when making benefit, resource and risk assessment decisions.
  – For each decision, the following can and should be asked: Who receives the benefits? Who bears the risk? What resources are required?
• 104. Meeting Stakeholder Needs (cont.). Principle 1. Meeting Stakeholder Needs:
  – Stakeholder needs have to be transformed into an enterprise’s practical strategy.
  – The COBIT 5 goals cascade translates stakeholder needs into specific, practical and customised goals within the context of the enterprise, IT-related goals and enabler goals.
  Source: COBIT® 5, figure 4. © 2012 ISACA® All rights reserved.
• 105. Meeting Stakeholder Needs (cont.). Principle 1. Meeting Stakeholder Needs: Benefits of the COBIT 5 goals cascade:
  – It allows the definition of priorities for implementation, improvement and assurance of enterprise governance of IT based on the (strategic) objectives of the enterprise and the related risk.
  – In practice, the goals cascade:
    – Defines relevant and tangible goals and objectives at various levels of responsibility.
    – Filters the knowledge base of COBIT 5, based on enterprise goals, to extract relevant guidance for inclusion in specific implementation, improvement or assurance projects.
    – Clearly identifies and communicates how (sometimes very operational) enablers are important to achieve enterprise goals.
• 106. Covering the Enterprise End-to-end. Principle 2. Covering the Enterprise End-to-end:
  – COBIT 5 addresses the governance and management of information and related technology from an enterprise-wide, end-to-end perspective.
  – This means that COBIT 5:
    – Integrates governance of enterprise IT into enterprise governance, i.e., the governance system for enterprise IT proposed by COBIT 5 integrates seamlessly in any governance system because COBIT 5 aligns with the latest views on governance.
    – Covers all functions and processes within the enterprise; COBIT 5 does not focus only on the ‘IT function’, but treats information and related technologies as assets that need to be dealt with just like any other asset by everyone in the enterprise.
• 107. Covering the Enterprise End-to-end (cont.). Principle 2. Covering the Enterprise End-to-end: Key components of a governance system. Source: COBIT® 5, figure 8 and figure 9. © 2012 ISACA® All rights reserved.
• 108. Applying a Single Integrated Framework. Principle 3. Applying a Single Integrated Framework:
  – COBIT 5 aligns with the latest relevant other standards and frameworks used by enterprises:
    – Enterprise: COSO, COSO ERM, ISO/IEC 9000, ISO/IEC 31000
    – IT-related: ISO/IEC 38500, ITIL, ISO/IEC 27000 series, TOGAF, PMBOK/PRINCE2, CMMI
  – This allows the enterprise to use COBIT 5 as the overarching governance and management framework integrator.
  – ISACA plans a capability to facilitate COBIT users’ mapping of practices and activities to third-party references.
• 109. Enabling a Holistic Approach. Principle 4. Enabling a Holistic Approach: COBIT 5 enablers are:
  – Factors that, individually and collectively, influence whether something will work; in the case of COBIT, governance and management over enterprise IT
  – Driven by the goals cascade, i.e., higher-level IT-related goals define what the different enablers should achieve
  – Described by the COBIT 5 framework in seven categories
• 110. Enabling a Holistic Approach (cont.). Principle 4. Enabling a Holistic Approach. Source: COBIT® 5, figure 12. © 2012 ISACA® All rights reserved.
• 111. Enabling a Holistic Approach (cont.). Principle 4. Enabling a Holistic Approach:
  1. Processes: describe an organised set of practices and activities to achieve certain objectives and produce a set of outputs in support of achieving overall IT-related goals
  2. Organisational structures: the key decision-making entities in an organisation
  3. Culture, ethics and behaviour: of individuals and of the organisation; very often underestimated as a success factor in governance and management activities
  4. Principles, policies and frameworks: the vehicles to translate the desired behaviour into practical guidance for day-to-day management
  5. Information: pervasive throughout any organisation, i.e., deals with all information produced and used by the enterprise. Information is required for keeping the organisation running and well governed, but at the operational level, information is very often the key product of the enterprise itself.
  6. Services, infrastructure and applications: include the infrastructure, technology and applications that provide the enterprise with information technology processing and services
  7. People, skills and competencies: linked to people and required for successful completion of all activities and for making correct decisions and taking corrective actions
• 112. Enabling a Holistic Approach (cont.). Principle 4. Enabling a Holistic Approach:
  – Systemic governance and management through interconnected enablers: to achieve the main objectives of the enterprise, it must always consider an interconnected set of enablers, i.e., each enabler:
    – Needs the input of other enablers to be fully effective, e.g., processes need information, organisational structures need skills and behaviour
    – Delivers output to the benefit of other enablers, e.g., processes deliver information, skills and behaviour make processes efficient
  – This is a KEY principle emerging from the ISACA development work around the Business Model for Information Security (BMIS).
• 113. Enabling a Holistic Approach (cont.). Principle 4. Enabling a Holistic Approach: COBIT 5 Enabler Dimensions. All enablers have a set of common dimensions. This set of common dimensions:
  – Provides a common, simple and structured way to deal with enablers
  – Allows an entity to manage its complex interactions
  – Facilitates successful outcomes of the enablers
  Source: COBIT® 5, figure 13. © 2012 ISACA® All rights reserved.
• 114. Separating Governance From Management. Principle 5. Separating Governance From Management:
  – The COBIT 5 framework makes a clear distinction between governance and management.
  – These two disciplines encompass different types of activities, require different organisational structures and serve different purposes.
  – Governance: in most enterprises, governance is the responsibility of the board of directors under the leadership of the chairperson.
  – Management: in most enterprises, management is the responsibility of the executive management under the leadership of the CEO.
• 115. Separating Governance From Management (cont.). Principle 5. Separating Governance From Management:
  – Governance ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; sets direction through prioritisation and decision making; and monitors performance and compliance against agreed-on direction and objectives (EDM).
  – Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives (PBRM).
• 116. Separating Governance From Management (cont.). Principle 5. Separating Governance From Management: COBIT 5 is not prescriptive, but it advocates that organisations implement governance and management processes such that the key areas are covered, as shown. Source: COBIT® 5, figure 15. © 2012 ISACA® All rights reserved.
• 117. Separating Governance From Management (cont.). Principle 5. Separating Governance from Management:
  – The COBIT 5 framework describes seven categories of enablers (Principle 4). Processes are one category.
  – An enterprise can organise its processes as it sees fit, as long as all necessary governance and management objectives are covered. Smaller enterprises may have fewer processes; larger and more complex enterprises may have many processes, all to cover the same objectives.
  – COBIT 5 includes a process reference model (PRM), which defines and describes in detail a number of governance and management processes. The details of this specific enabler model can be found in the COBIT 5: Enabling Processes volume.
  • 118. COBIT 5: Enabling Processes  COBIT 5: Enabling Processes complements COBIT 5 and contains a detailed reference guide to the processes that are defined in the COBIT 5 process reference model:  In Chapter 2, the COBIT 5 goals cascade is recapitulated and complemented with a set of example metrics for the enterprise goals and the IT-related goals.  In Chapter 3, the COBIT 5 process model is explained and its components defined.  Chapter 4 shows the diagram of this process reference model.  Chapter 5 contains the detailed process information for all 37 COBIT 5 processes in the process reference model. February 2013 Developed by @goudotmobi 118
  • 119. COBIT 5: Enabling Processes (cont.) Source: COBIT® 5, figure 29. © 2012 ISACA® All rights reserved. February 2013 Developed by @goudotmobi 119
  • 120. COBIT 5: Enabling Processes (cont.) February 2013 Developed by @goudotmobi Source: COBIT® 5, figure 16. © 2012 ISACA® All rights reserved. 120
  • 121. COBIT 5: Enabling Processes (Cont.)
    COBIT 5: Enabling Processes:
    • The COBIT 5 process reference model subdivides the IT-related practices and activities of the enterprise into two main areas—governance and management—with management further divided into domains of processes:
    • The GOVERNANCE domain contains five governance processes; within each process, evaluate, direct and monitor (EDM) practices are defined.
    • The four MANAGEMENT domains are in line with the responsibility areas of plan, build, run and monitor (PBRM).
  • 122. COBIT 5 Implementation
    • The improvement of the governance of enterprise IT (GEIT) is widely recognised by top management as an essential part of enterprise governance.
    • Information and the pervasiveness of information technology are increasingly part of every aspect of business and public life.
    • The need to drive more value from IT investments and manage an increasing array of IT-related risk has never been greater.
    • Increasing regulation and legislation over business use of information is also driving heightened awareness of the importance of a well-governed and managed IT environment.
  • 123. COBIT 5 Implementation (cont.)
    • ISACA has developed the COBIT 5 framework to help enterprises implement sound governance enablers
    • Indeed, implementing good GEIT is almost impossible without engaging an effective governance framework
    • Best practices and standards are also available to underpin COBIT 5
    • Frameworks, best practices and standards are useful only if they are adopted and adapted effectively
    • There are challenges that need to be overcome and issues that need to be addressed if GEIT is to be implemented successfully
  • 124. COBIT 5 Implementation (cont.)
    • COBIT 5: Implementation covers the following subjects:
      – Positioning GEIT within an enterprise
      – Taking the first steps towards improving GEIT
      – Implementation challenges and success factors
      – Enabling GEIT-related organisational and behavioural change
      – Implementing continual improvement that includes change enablement and programme management
      – Using COBIT 5 and its components
  • 125. COBIT 5 Implementation (cont.)
    Source: COBIT® 5, figure 17. © 2012 ISACA® All rights reserved.
  • 127. COBIT 5 Product Family
    Source: COBIT® 5, figure 11. © 2012 ISACA® All rights reserved.
  • 128. COBIT 5 Future Supporting Products
    Future supporting products:
    • Professional Guides:
      – COBIT 5 for Information Security
      – COBIT 5 for Assurance
      – COBIT 5 for Risk
    • Enabler Guides:
      – COBIT 5: Enabling Information
      – COBIT Online Replacement
    • COBIT Assessment Programme:
      – Process Assessment Model (PAM): Using COBIT 5
      – Assessor Guide: Using COBIT 5
      – Self-assessment Guide: Using COBIT 5
  • 129. Governance (and Management) in COBIT 5
    • Governance ensures that enterprise objectives are achieved by evaluating stakeholder needs, conditions and options; setting direction through prioritisation and decision making; and monitoring performance, compliance and progress against agreed direction and objectives (EDM).
    • Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives (PBRM).
    • Exercising governance and management effectively in practice requires appropriately using all enablers. The COBIT process reference model allows us to focus easily on the relevant enterprise activities.
  • 130. Governance in COBIT 5
    • The COBIT 5 process reference model subdivides the IT-related practices and activities of the enterprise into two main areas—governance and management—with management further divided into domains of processes
    • The GOVERNANCE domain contains five governance processes; within each process, evaluate, direct and monitor (EDM) practices are defined.
      – EDM01 Ensure governance framework setting and maintenance.
      – EDM02 Ensure benefits delivery.
      – EDM03 Ensure risk optimisation.
      – EDM04 Ensure resource optimisation.
      – EDM05 Ensure stakeholder transparency.
    • The four MANAGEMENT domains are in line with the responsibility areas of plan, build, run and monitor (PBRM).
  • 131. Governance in COBIT 5 (cont.)
    Source: COBIT® 5, figure 16. © 2012 ISACA® All rights reserved.
  • 132. Risk Management in COBIT 5
    • The GOVERNANCE domain contains five governance processes, one of which focuses on stakeholder risk-related objectives: EDM03 Ensure risk optimisation.
    • Process Description
      – Ensure that the enterprise’s risk appetite and tolerance are understood, articulated and communicated, and that risk to enterprise value related to the use of IT is identified and managed.
    • Process Purpose Statement
      – Ensure that IT-related enterprise risk does not exceed risk appetite and risk tolerance, the impact of IT risk to enterprise value is identified and managed, and the potential for compliance failures is minimised.
  • 133. Risk Management in COBIT 5 (cont.)
    • The MANAGEMENT Align, Plan and Organise domain contains a risk-related process: APO12 Manage risk.
    • Process Description
      – Continually identify, assess and reduce IT-related risk within levels of tolerance set by enterprise executive management.
    • Process Purpose Statement
      – Integrate the management of IT-related enterprise risk with overall ERM, and balance the costs and benefits of managing IT-related enterprise risk.
  • 134. Risk Management in COBIT 5 (cont.)
    Source: COBIT® 5, figure 16. © 2012 ISACA® All rights reserved.
  • 135. Risk Management in COBIT 5 (cont.)
    • All enterprise activities have associated risk exposures resulting from environmental threats that exploit enabler vulnerabilities
    • EDM03 Ensure risk optimisation ensures that the enterprise stakeholders’ approach to risk is articulated to direct how risks facing the enterprise will be treated.
    • APO12 Manage risk provides the enterprise risk management (ERM) arrangements that ensure that the stakeholder direction is followed by the enterprise.
    • All other processes include practices and activities that are designed to treat related risk (avoid, reduce/mitigate/control, share/transfer/accept).
  • 136. Risk Management in COBIT 5 (cont.)
    • In addition to activities, COBIT 5 suggests accountabilities and responsibilities for enterprise roles and governance/management structures (RACI charts) for each process. These include risk-related roles.
    Source: COBIT® 5: Enabling Processes, page 108. © 2012 ISACA® All rights reserved.
  • 137. Compliance in COBIT 5
    • The MANAGEMENT Monitor, Evaluate and Assess domain contains a compliance-focused process: MEA03 Monitor, evaluate and assess compliance with external requirements.
    • Process Description
      – Evaluate that IT processes and IT-supported business processes are compliant with laws, regulations and contractual requirements. Obtain assurance that the requirements have been identified and complied with, and integrate IT compliance with overall enterprise compliance.
    • Process Purpose Statement
      – Ensure that the enterprise is compliant with all applicable external requirements.
  • 138. Compliance in COBIT 5 (cont.)
    Source: COBIT® 5, figure 16. © 2012 ISACA® All rights reserved.
  • 139. Compliance in COBIT 5 (cont.)
    • Legal and regulatory compliance is a key part of the effective governance of an enterprise, hence its inclusion in the GRC term and in the COBIT 5 Enterprise Goals and supporting enabler process structure (MEA03).
    • In addition to MEA03, all enterprise activities include control activities that are designed to ensure compliance not only with externally imposed legislative or regulatory requirements but also with enterprise governance-determined principles, policies and procedures.
  • 140. Compliance in COBIT 5 (cont.)
    • In addition to activities, COBIT 5 suggests accountabilities and responsibilities for enterprise roles and governance/management structures (RACI charts) for each process. These include a compliance-related role.
    Source: COBIT® 5: Enabling Processes, page 213. © 2012 ISACA® All rights reserved.
  • 141. CHALLENGES AND CONCERNS RELATED TO IT GOVERNANCE
  • 142. Aligning IT and Business Strategy
    • Corporate Mission – Business Goals – IT Strategy
    • Requires involvement from many levels and activities within the enterprise.
    • Lack of alignment leads to adverse business issues.
    • Strong IT Governance contributes toward proper alignment.
  • 143. IT Service Delivery
  • 144. Ensuring Value and Effectiveness
    • IT issues are the least understood, despite the increasing reliance placed on IT.
    • Initiate IT governance structures with the right level of executive involvement.
    • Boards of Directors require essential IT-related skills.
  • 145. Information Systems Governance
    • Consists of leadership, organizational structures and processes that safeguard information.
    • Security over information assets.
    • Benefits of IS Governance.
    • IS governance is a top-down process.
  • 146. Measuring IT Governance Performance
    • Measuring IT performance is a key concern as it demonstrates the effectiveness and added business value of IT.
    • Commonly seen as the IT “Black Hole” – costs continually rise without clear evidence of value derived from the IT function.
    • Traditional performance measurement methods require monetary values, which are hard to apply to IT systems.
  • 147. IT Governance Performance Management Approaches
  • 148. IT Balanced Scorecard
    • One of the most effective means to aid an organization in achieving IT and business alignment.
    • Provides a systematic translation of the IT strategy into tangible success factors and metrics.
    • Gives a balanced view of the value added by IT to the business.
    • Calculating the value of IT investments is a business issue for which business managers are ultimately responsible.
  • 149. ISACA Global Status Report 2K8 (cont’d)
    Research purposes
    • Reach members of the C-Suite to determine their sense of priority and actions taken relative to IT governance
    • Understand their need for tools and services to help ensure effective IT governance
    Detailed objectives
    • Survey and analyze the degree to which the concept of IT governance is recognized, established and accepted within boardrooms and especially by chief information officers (CIOs)
    • Determine what level of IT governance expertise exists and which frameworks are known and are (or will be) adopted
    • Measure the extent to which ITGI’s own framework, Control Objectives for Information and related Technology (COBIT), is selected and how it is perceived
  • 150. ISACA Global Status Report 2K8 (cont’d)
    Revealed Results
    • Insufficient IT staff availability, service delivery issues and difficulty proving the value of information technology continue to concern executives at organizations around the world
    • 58% noted an insufficient number of staff, compared to 35 percent in 2005
    • 48% said that IT service delivery problems remain the second most common problem
    • 38% point to problems relating to staff with inadequate skills
    • 30% reported problems anticipating the return on investment (ROI) for IT expenditures
    • The study is a follow-up to ITGI’s 2003 and 2005 surveys and tracks IT governance trends over the past four years
  • 151. ISACA Global Status Report 2K8 (cont’d)
    • Survey Sample
      Researchers contacted CIOs and chief executive officers (CEOs). The total number of interviews conducted was 749, of which 652 were from a random sample of organizations, 71 were known COBIT users and 26 were experienced COBIT users.
    • Global Reach
      The interviews were conducted worldwide (in 23 countries), and all continents/regions were represented.
  • 152. New Ways of Implementing IT Governance
    A lifecycle approach that synergizes COBIT, Val IT and Risk IT
  • 153. Implementing IT Governance Life Cycle
  • 154. Lifecycle Phase Walkthrough
    Phases:
    • What are the drivers?
    • Where are we now?
    • Where do we want to be?
    • What needs to be done?
    • How do we get there?
    • Did we get there?
    • How do we keep the momentum going?
  • 155. What Are The Drivers?
    • Goal of Phase:
      – Outline the business case
      – Identify stakeholders, roles & responsibilities
      – IT Governance program “wake-up call” and communication kick-off
    • Need for a new or improved IT Governance Organization recognized in Pain Points and/or Trigger events
    • Pain Points analyzed for root cause, and opportunities looked for during Trigger events
    • Root causes and opportunities provide the business case for improved or new IT Governance initiatives
  • 156. Trigger Events
    • Merger, acquisition or divestiture
    • An enterprise-wide governance focus or
    • Shift in the market, economy or competitive position
    • Change in business operating model or sourcing arrangements
    • A new CIO, CFO, COO or CEO
    • External audit or consultant assessments
    • A new business strategy
    • New regulatory or compliance requirements
    • Significant technology change or paradigm shift
  • 157. Common Pain Points
    • Failed IT initiatives
    • Rising Costs
    • Resource waste through duplication or overlap in IT
    • Perception of low business value for IT investments
    • Significant incidents related to IT risk (e.g. data loss)
    • Service Delivery Problems
    • Failure to meet regulatory or contractual requirements
    • Audit findings for poor IT performance or low service levels
    • Insufficient IT resources
    • IT Staff burnout/dissatisfaction
    • IT-enabled changes frequently failing to meet business needs (late deliveries or budget overruns)
    • Hidden and/or rogue IT spending
    • Multiple and complex IT assurance efforts
    • Board members or senior managers that are reluctant to engage with IT
  • 158. Where are we now?
    • Define the Problems and Opportunities
      – See pain point causes and trigger event opportunities
    • Form a Powerful Guiding Team
      – Knowledgeable about the business environment
      – Have insight into influencing factors
    • Assess the Current State
      – Identify IT goals and their alignment with enterprise goals
      – Identify the most important processes
      – Understand management’s risk appetite
      – Understand the maturity of existing governance and related processes
  • 159. Where do we want to be?
    • Define the Roadmap
      – Describe the high-level change enablement plan and objectives
    • Communicate Desired Vision
      – Develop a communication strategy
      – Communicate the vision
      – Articulate the rationale and benefits of the change
      – Set the “tone at the top”
    • Define Target State and Perform Gap Analysis
      – Define the target for improvement
      – Analyze the gaps
      – Identify potential improvements
  • 160. What Needs to be done?
    • Develop Program Plan
      – Prioritize potential initiatives
      – Develop formal and justifiable projects
      – Use plans that include contribution and program objectives
    • Empower Role Players and Identify Quick Wins
      – High benefit, easy implementation should come first
      – Obtain buy-in by key stakeholders affected by the change
      – Identify strengths in existing processes and leverage accordingly
    • Design and Build Improvements
      – Plot improvements onto a grid to assist with prioritization
      – Consider approach, deliverables, resources needed, costs, estimated time scales, project dependencies and risks
  • 161. How Do We Get There?
    • Execute the Plan
      – Execute projects according to an integrated program plan
      – Provide regular update reports to stakeholders
      – Document and monitor the contribution of projects while managing risks identified
    • Enable Operation and Use
      – Build on the momentum and credibility of quick wins
      – Plan cultural and behavioral aspects of the broader transition
      – Define measures of success
    • Implement Improvements
      – Adopt and adapt best practices to suit the organization’s approach to policies and process changes
  • 162. Did We Get There?
    • Realize Benefits
      – Monitor the overall performance of the program against business case objectives
      – Monitor and measure the investment performance
    • Embed New Approaches
      – Provide transition from project mode to “business as usual”
      – Monitor whether new roles and responsibilities have been taken on
      – Track and assess objectives of the change response plans
      – Maintain communication and ensure communication between appropriate stakeholders continues
    • Operate and Measure
      – Set targets for each metric
      – Measure metrics against targets
      – Communicate results and adjust targets as necessary
  • 163. How Do We Keep Momentum Going?
    • Continual Improvements
      – Keeping the momentum is critical to sustainment of the lifecycle
    • Review the Program Benefits
      – Review program effectiveness through a program review gate
    • Sustain
      – Conscious reinforcement (reward achievers)
      – Ongoing communication campaign (feedback on performance)
      – Continuous top management commitment
    • Monitor and Evaluate
      – Identify new governance objectives based on program experience
      – Communicate lessons learned and further improvement requirements for the next iteration of the cycle
  • 165. Change Enablement
    • Guidance provided at each lifecycle phase
    • Based on the Kotter model
      – Establish a sense of urgency
      – Form a powerful guiding coalition
      – Create and communicate a clear vision, expressed simply
      – Empower others to act on the vision, identifying and implementing quick wins
      – Enable use and implement improvements/produce more change
      – Institutionalize new approaches
      – Sustain
  • 166. Program Management Guidance
    • Guidance provided at each lifecycle phase
      – Initiate program
      – Define problems and opportunities
      – Define roadmap
      – Develop program plan
      – Execute plan
      – Realize benefits
      – Review program effectiveness
    • Detailed guidance provided by Val IT
  • 168. Considerations in a Sourced Environment
    • Sourcing Strategy
    • Contract Management
    • Finance Management
    • Relationship Management
    • Performance Management
  • 169. Sourcing Strategy
    • Part of the IT Strategic Plan
    • Inventory of critical Supplier relationships
    • Updated based on changes to Business, IT or Supplier Strategies
    • May contain intervention plans
  • 170. Contract Management
    • Initial negotiation and in-life change management
    • Defines Services/Quality
    • Defines ownership of Intellectual Property
    • Compliance with Law and Policy
    • Audit Rights
  • 171. Contract Change Management
    • Required either by changing business needs or to address ambiguity.
    • Should be viewed as a negotiation.
    • Each party will attempt to get concessions not previously obtained - value is at risk
    • Depend on Relationship Management for smaller changes to avoid this risk
  • 172. Intellectual Property
    • Supplier IP may be used to deliver efficiencies ($)
    • However, use of Supplier IP may limit sourcing flexibility.
    • Who owns process ‘know-how’, and does this change over time?
    • What risk does this represent?
    NPS
  • 173. Intellectual Property Mitigations
    • Inventory, inventory, inventory
      – IT processes supporting the business
      – Materials (documents, rights, etc.)
    • Risk Management discussion with the business
    • Seek legal help
    • Follow up!
  • 174. Audit Rights
    • Business requirements drive specifics.
    • Must be in the initial contract
    • For supplier shared services, SAS70 Type II
    • Audit rights should be unlimited and at no cost.
  • 175. Finance Management
    • Deal financials reporting
    • Invoice Verification
      – Service receipt
      – Credits
      – Incentives
    • Internal cost recovery
  • 176. Finance Management
    • This is THE PLACE to receive an independent confirmation of IT value delivery.
    • Budgets are a very unforgiving reality check!
  • 177. Relationship Management
    • Overall Supplier management
    • Monitor business needs
    • Communication Forums
    • Issue Management
    • Risk Management
    • Project Management
  • 178. Risk Management
    • IT Governance process to evaluate Supplier Financial, Service Delivery, Relationship and Information Security risks in total.
    • As before, there may be a translation here from technical risk to business risk.
    • Can use Probability x Business Impact as the metric. The business should supply the Impact.
    • This can be a powerful tool to use with Suppliers. They speak the lingua franca as well.
  • 179. Project Management
    • Good Project Management helps assure value delivery
    • Define ‘project’ vs. ‘daily work’ in the contract.
    • Has linkages to Finance Management (paying Project costs) and Service Delivery (assuring Project deliverables)
  • 180. Performance Management
    • Aligning Service Delivery Requirements
    • Managing and Reporting against SLAs
    • Management of individual projects
    • Work prioritization
  • 181. Best Practices for IT Governance
    IT governance has become significant due to:
    • Demands for better return from IT investments
    • Increases in IT expenditures
    • Regulatory requirements for IT controls
    • Selection of service providers and outsourcing
    • Complexity of network security
    • Adoption of control frameworks
    • Benchmarking
  • 182. Best Practices for IT Governance (cont’d)
    Audit role in IT governance
    • Audit plays a significant role in the successful implementation of IT governance within an organization
    • Reporting on IT governance involves auditing at the highest level in the organization and may cross division, functional or departmental boundaries
  • 183. Best Practices for IT Governance (cont’d)
    • In accordance with the defined role of the IS auditor, the following aspects related to IT governance need to be assessed:
      – Alignment of the IS function with the organization’s mission, vision, values, objectives and strategies
      – Achievement of performance objectives established by the business (e.g., effectiveness and efficiency) by the IS function
      – Legal, environmental, information quality, fiduciary, security, and privacy requirements
      – The control environment of the organization
      – The inherent risks within the IS environment
      – IT investment/expenditure
  • 184. Auditing IT Governance
    Indicators of potential problems include:
    • Unfavorable end-user attitudes
    • Excessive costs
    • Budget overruns
    • Late projects
    • High staff turnover
    • Inexperienced staff
    • Frequent hardware/software errors
  • 185. IT Governance Audit Planning
    • Audit Team Composition
    • Audit Criteria
    • Learning from the Balanced Scorecard Approach
  • 186. Audit Team Composition
    • Leadership - Business or IT?
      – Audit Supervision and Auditor in Charge
    • Independence is a must
    • Beware of setting up an audit team that may reflect corporate IT Governance issues
    • Consider sourcing knowledgeable auditors
  • 187. IT Governance Audit Criteria/Standards
    • IIA Governance Auditing Standards
    • ISACA / ITGI IT Governance Auditing Guidelines
    • ITGI Risk IT Framework
    • ITGI Val IT Framework
    • << Insert your Company business policies here >>
  • 188. Learnings from the Balanced Scorecard
    • Consider IT Governance from various business points of view (1)
      – Corporate
      – Customer
      – Operational Excellence
      – Future / Sustainability
    1. “Measuring and Improving IT Governance Through the Balanced Scorecard”, Information Systems Control Journal, Volume 2, 2005
  • 189. Balanced Scorecard: Corporate View
    Objective                  Example Metrics
    Business/IT Alignment      Operational budget approval
    Value Delivery             Business Unit Performance
    Cost Management            Attainment of expense and recovery targets
    Risk Management            Results of Internal Audits
    Intercompany Synergy       Single System Solutions
  • 190. Balanced Scorecard: Customer View
    Objective                  Example Metrics
    Customer Satisfaction      Business Unit Survey ratings
    Competitive Costs          Attainment of unit cost targets
    Development Performance    Major Project Scores
    Operational Performance    Attainment of targeted levels
  • 191. Balanced Scorecard: Operational View
    Objective                  Example Metrics
    Development Process        Function Point Measures
    Operational Process        Change Management effectiveness
    Process Maturity           Level of IT Processes
    Enterprise Architecture    State of the infrastructure assessment
  • 192. Balanced Scorecard: Future View
    Objective                  Example Metrics
    Human Resource Management  Staff Turnover
    Employee Satisfaction      Satisfaction survey scores
    Knowledge Management       Implementation of learned lessons
  • 193. Reviewing Documentation
    The following documents should be reviewed:
    • IT strategies, plans and budgets
    • Security policy documentation
    • Organization/functional charts
    • Job descriptions
    • System development and program change procedures
    • Operations procedures
    • Human resource manuals
    • Quality assurance procedures

Editor's notes

  1. Trainer presentation slides for Information Technology Governance training. Image credit: Europeanfinancialreview.com
  2. Image credit: blogs.adobe.com
  3. Picture credit: Convergemerge and ISACA SF Chapter
  4. Picture credit: Convergemerge and ISACA SF Chapter
  5. Picture credit: Convergemerge and ISACA SF Chapter
  6. Key findings of the survey: see IT-Governance-Global-Status-Report-April-2008.pdf
  7. Review Manual Reference Pages: p. 88 - 90
  8. The IS auditor should confirm that the terms of reference state the:
     • Scope of the work
     • Reporting line to be used
     • IS auditor’s right of access to information
  9. Content to Emphasize: The organizational status and skill sets of the IS auditor should be considered for appropriateness with regard to the nature of the planned audit. Review Manual Reference Pages: p. 90