COBIT and slides © 2007 IT Governance Institute. Used with permission. An Overview of COBIT ®


Page 1

An Overview of COBIT®

Page 2

In This Presentation...

• Driving forces for IT governance and Control Objectives for Information and related Technology (COBIT®)
• An introduction to:
  • The COBIT framework
  • COBIT supporting materials
• Where COBIT fits with other frameworks and standards

Page 3

The Governance Environment

Page 4

Forces Driving IT Governance

• Compliance
• Security
• Business/IT Alignment
• ROI
• Project Execution

Page 5

IT Governance Needs a Management Framework

The driving forces map onto the IT governance focus areas:

• Strategic Alignment
• Value Delivery
• Risk Management
• Resource Management
• Performance Measurement

Page 6

COBIT 4.1—The IT Governance Framework

• Internationally accepted good practices
• Management-oriented
• Supported by tools and training
• Freely available
• Sharing knowledge and leveraging expert volunteers
• Continually evolving
• Maintained by reputable not-for-profit organization
• Maps 100 percent to COSO
• Maps strongly to all major related standards

The only IT management and control framework that covers the end-to-end IT life cycle.

[Figure: COBIT good practices repository for IT processes, IT management processes and IT governance processes]

Page 7

COBIT 4.1—The IT Governance Framework

COBIT is a reference set of best practices, not an ‘off-the-shelf’ cure. Enterprises still need to analyze their control requirements and customize based on:

• Value drivers
• Risk profile
• IT infrastructure, organization and project portfolio

Page 8

Key Driving Forces for COBIT

• Business Requirements: what the stakeholders expect from IT
  Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Information reliability
• IT Resources: the resources made available to—and built up by—IT
  Data, Application systems, Technology, Facilities, People
• IT Processes: how IT is organized to respond to the requirements
  Plan and Organize, Acquire and Implement, Deliver and Support, Monitor and Evaluate

Page 9

How Does COBIT Link to IT Governance?

[Figure: Business, IT and IT Governance linked through goals, responsibilities, control objectives and requirements]

• Information the business needs to achieve its objectives
• Information executives and board need to exercise their responsibilities
• Direction and resourcing

Page 10

COBIT Is Brought to You by …

Page 11

IT Governance Institute

IT Governance Institute is a non-profit research think tank associated with ISACA®.

Page 12

IT Governance Institute Product Suite

• Board Briefing on IT Governance
• Information Security Governance
• COBIT 4.1
• Val IT
• IT Governance Implementation Guide
• COBIT Control Practices
• IT Assurance Guide

[Figure: products arranged by audience, from Governance through Business and Technology Management to Governance, Security and Assurance Management]

Page 13

COBIT—Global Status

Some findings of the ITGI survey of 600 executives:

• COBIT is the preferred way to implement effective IT governance.
• Executive awareness is up: executive awareness of COBIT was 18% in 2003 and 26% in 2005.
• Perception that it is difficult to implement.
• More than half of those who know it, know its contents.
• More than one-third of those who know the content, know it very well.

Page 14

An Overview of COBIT

Page 15

Process Orientation

Domains: Natural grouping of processes, often matching an organizational domain of responsibility

Processes: A series of joined activities with natural control breaks

Activities or Tasks: Actions needed to achieve a measurable result—activities have a life cycle, whereas tasks are discrete

Page 16

Process Orientation

IT Domains (natural grouping of processes, often matching an organizational domain of responsibility):
• Plan and Organize
• Acquire and Implement
• Deliver and Support
• Monitor and Evaluate

IT Processes (a series of joined activities with natural control breaks):
• IT strategy
• Computer operations
• Incident handling
• Acceptance testing
• Change management
• Contingency planning
• Problem management

Activities (actions needed to achieve a measurable result—activities have a life cycle whereas tasks are discrete):
• Record new problem.
• Analyze.
• Propose solution.
• Monitor solution.
• Record known problem.
• Etc.

Page 17

Process Orientation: Plan and Organize

Description: This domain covers strategy and tactics, and concerns the identification of the way IT can best contribute to the achievement of the business objectives. Furthermore, the realization of the strategic vision needs to be planned, communicated and managed for different perspectives. Finally, a proper organization as well as technological infrastructure must be put in place.

Topics:
• Strategy and tactics
• Vision planned
• Organization and infrastructure

Questions:
• Are IT and the business strategy aligned?
• Is the enterprise achieving optimum use of its resources?
• Does everyone in the organization understand the IT objectives?
• Are IT risks understood and being managed?
• Is the quality of IT systems appropriate for business needs?

Page 18

Waterfall Model

The control of IT Processes, that satisfy Business Requirements, is enabled by Control Statements, considering Control Practices.

4 Domains - 34 Processes - 210 Control Objectives

Page 19

COBIT Framework: IT Life Cycle

Business Objectives

Criteria:
• Effectiveness
• Efficiency
• Confidentiality
• Integrity
• Availability
• Compliance
• Reliability

IT Resources:
• Applications
• Information
• Infrastructure
• People

Domains (the IT life cycle):
• Plan and Organize
• Acquire and Implement
• Deliver and Support
• Monitor and Evaluate

Page 20

COBIT Processes

Plan and Organize:
• PO1 Define an IT Strategic Plan
• PO2 Define the Information Architecture
• PO3 Determine Technological Direction
• PO4 Define the IT Processes, Organization and Relationships
• PO5 Manage the IT Investment
• PO6 Communicate Management Aims and Direction
• PO7 Manage IT Human Resources
• PO8 Manage Quality
• PO9 Assess and Manage IT Risks
• PO10 Manage Projects

Acquire and Implement:
• AI1 Identify Automated Solutions
• AI2 Acquire and Maintain Application Software
• AI3 Acquire and Maintain Technology Infrastructure
• AI4 Enable Operation and Use
• AI5 Procure IT Resources
• AI6 Manage Changes
• AI7 Install and Accredit Solutions and Changes

Page 21

COBIT Processes

Deliver and Support:
• DS1 Define and Manage Service Levels
• DS2 Manage Third-party Services
• DS3 Manage Performance and Capacity
• DS4 Ensure Continuous Service
• DS5 Ensure Systems Security
• DS6 Identify and Allocate Costs
• DS7 Educate and Train Users
• DS8 Manage Service Desk and Incidents
• DS9 Manage the Configuration
• DS10 Manage Problems
• DS11 Manage Data
• DS12 Manage the Physical Environment
• DS13 Manage Operations

Monitor and Evaluate:
• ME1 Monitor and Evaluate IT Performance
• ME2 Monitor and Evaluate Internal Control
• ME3 Ensure Compliance With External Requirements
• ME4 Provide IT Governance

Page 22

Digging Into COBIT

Page 23

Digging Into COBIT: Working with the COBIT product suite

• Introduce the key elements of COBIT.
• Show how they interrelate.
• Introduce supporting materials.

Page 24

COBIT Framework

The COBIT framework provides guidance on IT governance and the role of IT control.

• Generic controls: controls that relate to all processes
• Application controls

Page 25

Navigating in COBIT: Process-level

Page 26

Which Domain?

Page 27

Process Description

All changes, including emergency maintenance and patches, relating to infrastructure and applications within the production environment are formally managed in a controlled manner. Changes (including those to procedures, processes, system and service parameters) are logged, assessed and authorized prior to implementation, and reviewed against planned outcomes following implementation. This assures mitigation of the risks of negatively impacting the stability or integrity of the production environment.

Page 28

The Waterfall of Control


Page 29

Information Criteria

Page 30

IT Resources

Page 31

IT Governance

Page 32

Control Objectives

AI6.5 Change Closure and Documentation: Whenever changes are implemented, update the associated system and user documentation and procedures accordingly.

Page 33

Management Guidelines

Page 34

Management Guidelines

Page 35

Managing the Life Cycle: Input-output Matrix

• Inputs coming from other processes
• Outputs going to other processes

Page 36

Managing the Life Cycle

[Figure: the PO, AI and DS domains shown as a life cycle]

Whilst COBIT represents the life cycle of IT investments, it must also manage inter-process interdependencies.

Page 37

RACI Charts

Page 38

RACI chart

[Figure: typical process activities (rows) against a standard organization chart (columns)]

Who is Responsible, Accountable, Consulted and Informed?

Page 39

Goals and Metrics

Page 40

Maturity Model

Page 41

Maturity Levels in COBIT

0 - Non-existent: Management processes are not applied at all.
1 - Initial: Processes are ad hoc and disorganised.
2 - Repeatable: Processes follow a regular pattern.
3 - Defined: Processes are documented and communicated.
4 - Managed: Processes are monitored and measured.
5 - Optimised: Best practices are followed and automated.

Page 42

Dimensions of Process Maturity in COBIT

We capture process maturity data on each of six dimensions:

• Awareness and communication
• Policies, standards and procedures
• Tools and automation
• Skills and expertise
• Responsibility and accountability
• Goal setting and measurement

Page 43

Collecting Maturity Model Data

Each dimension is rated on the 0 to 5 maturity scale:

• Awareness and Communication
• Policies, Standards and Procedures
• Tools and Automation
• Skills and Expertise
• Responsibility and Accountability
• Goal Setting and Measurement

Page 44

How to Get Started With COBIT

Page 45

How Do Governance and the Business Drive IT?

[Figure: Governance Drivers and Business Goals, IT Goals, IT Processes (with the IT resources Applications, Information, Infrastructure and People) and Business Outcomes]

Page 46

How Do Governance and the Business Drive IT?

[Figure: Business Goals drive IT Goals, which drive IT Processes. IT Processes need Infrastructure and People, run Applications and deliver Information. Governance Requirements influence Business Requirements; Business Requirements require Information Services; Information Services imply Information Criteria.]

Page 47

Performance Measurement: Goal Relationships

Page 48

Leverage Supporting Materials

Page 49

Implementation Guide

Page 50

Implementation Guide

IT Governance Implementation Guide: Using COBIT and Val IT, 2nd Edition

• Detailed, structured guidance to the implementation of IT governance
• Generic IT governance implementation guidance, not just COBIT

Page 51

Control Practices

Page 52

Control Practices

COBIT Control Practices, 2nd Edition

• Detailed guidance on each of the control objectives
• Management-oriented
• From three to 12 control practices per control objective

Page 53

COBIT Online

Page 54

COBIT Online

An online view of COBIT allows users to customise and integrate COBIT, coupled with process benchmarking.

Page 55

Assurance Guide

Page 56

Assurance Guide

IT Assurance Guide: Using COBIT

Detailed guidance to support assurance practitioners in:
• Financial statement audit
• Internal audit
• Value for money
• Operational improvement

Guidance on:
• How to leverage COBIT for assurance
• Detailed assurance testing steps

Page 57

COBIT and Other Frameworks and Standards

Page 58

Where COBIT Typically Sits

[Figure: three layers. Governance layer: COSO. IT governance layer: COBIT. IT management layer: ITIL, 17799, CMM, TickIT.]

Page 59

How COBIT Relates to Frameworks and Standards

• Integrator of technical standards
• Interface to business standards

Page 60

How COBIT Relates to Frameworks and Standards

[Figure: layers from Strategic (COBIT) through Process Control and Process Execution (ITIL, CMM, 17799) down to Work Instruction, where each process breaks down into work instructions 1, 2, 3, 4, 5, 6…]

Page 61

How COBIT Relates to Frameworks and Standards

[Figure: the same layered diagram as on the previous slide, from Strategic (COBIT) through Process Control and Process Execution (ITIL, CMM, 17799) down to Work Instruction]

Page 62

Summary

• Quality IT services
• Successful IT projects
• Improved efficiency
• Optimized costs
• Easier compliance
• Reduced operational risk
• Improved management, confidence and trust

Page 63

An Overview of COBIT®