Introduction to COBIT 2019 and IT management
- Introduction
RESILIATM, ITIL®, PRINCE2® MSP®, MoP® and MoV® are Registered Trade Marks of AXELOS in the United Kingdom and other countries
COBIT® is a registered trademark of the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI)
TOGAFTM and IT4ITTM are trademarks of The Open Group
SIAM® is a registered trademark of EXIN
Agenda
1. Governance of IT
2. COBIT Background
3. COBIT Other frameworks
4. COBIT Principles
5. COBIT Goals
6. COBIT Objectives
7. COBIT Components
8. COBIT Design factors
9. COBIT Focus areas
10. COBIT Performance management
11. Designing and implementing a governance system
2 © 2019
Assignment
Time: 10 minutes
Governance – an introduction
Object? (Diagram: Asset, Value, System lifecycle (architecture/configuration of resources))
Governance – an introduction
Who? (Diagram: Governance, Asset; Evaluate & Plan-do-…)
Why? Maximize return on investment; optimize resources; optimize risk; meet preference.
Governance – an introduction
How? Governance: Evaluate, Direct, Monitor.
What?
❍ Principles, policies and plans (Boundaries, principles, policies, decision models, strategies, plans, etc.)
❍ Goals (Performance and outcome goals)
❍ Controls (Control objectives, requirements, agreements, etc.)
❍ Maturity (Capability maturity, benchmarks, etc.)
❍ Resources (Money, etc. etc.)
Governance – an introduction
When? (Diagram axes: asset value; complexity of asset (system/lifecycle); need for governance)
A delicate balance
IT governance balances:
Conformance: adhering to legislation, internal policies, audit requirements, etc.
Performance: improving profitability, efficiency, effectiveness, growth, etc.
COBIT
www.isaca.org/cobit
Why COBIT 2019?
Value creation: benefits realization, risk optimization, resource optimization.
(Diagram: Enterprise governance of IT; business/IT alignment; value creation)
COBIT 2019 – Governance framework principles
1. Based on a conceptual model
2. Open and flexible
3. Aligned to major standards
COBIT History
COBIT 2019 – Scope
COBIT 2019 – Target audience
Stakeholder: benefit of COBIT
Internal stakeholders
Boards: Provides insights on how to get value from the use of IT and explains relevant board responsibilities
Executive Management: Helps to understand how to obtain the IT solutions enterprises require and how best to exploit new technology for new strategic opportunities
Business Managers: Provides guidance on how to organize and monitor performance of IT across the enterprise
IT Managers: Provides guidance on how best to build and structure the IT department, manage performance of IT, run an efficient and effective IT operation, control IT costs, align IT strategy to business priorities, etc.
Assurance Providers: Helps to manage dependency on external service providers, get assurance over IT, and ensure the existence of an effective and efficient system of internal controls
Risk Management: Helps to ensure the identification and management of all IT-related risk
External stakeholders
Regulators: Helps to ensure the enterprise is compliant with applicable rules and regulations and has the right governance system in place to manage and sustain compliance
Business Partners: Helps to ensure that a business partner’s operations are secure, reliable and compliant with applicable rules and regulations
IT Vendors: Helps to ensure that an IT vendor’s operations are secure, reliable and compliant with applicable rules and regulations
COBIT 2019 – Overview
COBIT 2019 – Product family
COBIT and related frameworks
Some relevant best practices and standards (per area: best practices; standards; regulations)
Corporate Governance: best practices God Selskabsledelse, COSO; regulations Sarbanes-Oxley (SoX)
IT Governance: best practices COBIT, MoV, MoP; standards ISO/IEC 38500
IT Management: best practices COBIT / MoR
Enterprise Architecture: best practices TOGAF; standards ISO/IEC 42016
IT Service Management: best practices ITIL, eTOM, VeriSM, SAFe; standards ISO/IEC 20000, IT4IT
Information Security: best practices ISF; standards ISO/IEC 27000; regulations Data protection & privacy acts, GDPR
Quality Management: best practices LEAN, EFQM, Six Sigma, Test; standards ISO 9000
Process Maturity: best practices CMMi, TIPA; standards ISO/IEC 33000
Project & Program Management: best practices PRINCE2, MSP, PMBOK
Industry specific: GAMP, Basel II, Solvency II, FDA requirements
COBIT and related frameworks (COBIT 5, Appendix E)
COBIT and related frameworks – Governance related best practices and standards
COBIT and related frameworks – ISO/IEC 38500: The six principles
Principle 1: Responsibility
Individuals and groups within the organization understand and accept their responsibilities in respect of both supply of, and demand for, IT. Those with responsibility for actions also have the authority to perform those actions.
Principle 2: Strategy
The organization’s business strategy takes into account the current and future capabilities of IT; the strategic plans for IT satisfy the current and ongoing needs of the organization’s business strategy.
Principle 3: Acquisition
IT acquisitions are made for valid reasons, on the basis of appropriate and ongoing analysis, with clear and transparent decision making. There is appropriate balance between benefits, opportunities, costs, and risks, in both the short term and the long term.
Principle 4: Performance
IT is fit for purpose in supporting the organization, providing the services, levels of service and service quality required to meet current and future business requirements.
Principle 5: Conformance
The use of IT complies with all mandatory legislation and regulations. Policies and practices are clearly defined, implemented and enforced.
Principle 6: Human Behavior
IT policies, practices and decisions demonstrate respect for human behavior, including the current and evolving needs of all the ‘people in the process’.
Governance activities according to ISO/IEC 38500
COBIT 2019 – Six governance system principles
1. Provide stakeholder value
2. Holistic approach
3. Dynamic governance system
4. Governance distinct from management
5. Tailored to enterprise needs
6. End-to-end governance system
COBIT 2019 – Goals cascade
(Diagram: … cascade to Enterprise Goals; cascade to Alignment Goals; cascade to …)
COBIT 2019 – Enterprise Goals (BSC dimension: Ref. Enterprise Goal)
Financial: EG01 Portfolio of competitive products and services; EG02 Managed business risk
COBIT 2019 – Alignment Goals (BSC dimension: Ref. Alignment Goal)
Financial: AG01 IT compliance and support for business compliance with external laws and regulations
COBIT 2019 – Mapping Alignment Goals and Objectives
COBIT 2019 – Objectives
COBIT 2019 – Core model (40 objectives)
COBIT 2019 – Objective – Example
COBIT 2019 – Components
(Diagram of the governance system components: Processes; Organizational Structures; Information; Culture, Ethics and Behavior; Services, Infrastructure and Applications)
COBIT 2019 – Processes – Example
COBIT 2019 – Processes – Controls
COBIT 2019 – Processes – Control types
Directive controls
Preventive controls
Compensating controls
Detective controls
Corrective controls
COBIT 2019 – Processes – Process specific controls
ISO/IEC 20000-1:2011 – Requirements
Implementation guidance
In particular, the following items should be considered:
a) identification and recording of significant changes;
b) planning and testing of changes;
c) assessment of the potential impacts, including information security impacts, of such changes;
d) formal approval procedure for proposed changes;
e) verification that information security requirements have been met;
f) communication of change details to all relevant persons;
g) fall-back procedures, including procedures and responsibilities for aborting and recovering from unsuccessful changes and unforeseen events;
h) provision of an emergency change process to enable quick and controlled implementation of changes needed to resolve an incident.
Security standards
Privacy legislation
Spam legislation
Trade practices legislation
Intellectual property rights, including software licensing agreements
Record keeping requirements
Environmental legislation and regulations
Health and safety legislation
Accessibility legislation
Social responsibility standards
...
Mapping compliance requirements
COBIT 2019 – Organizational Structures – Example
COBIT 2019 – Information – Example
COBIT 2019 – People, Skills, Competences – Example
COBIT 2019 – Policies, Procedures – Example
COBIT 2019 – Culture, Ethics, Behavior – Example
COBIT 2019 – Services, Infrastructure, Applications – Example
COBIT 2019 – Design factors
(Diagram, partially recovered: 6. Compliance Requirements; 7. Role of IT; 8. Sourcing Model for IT; 9. IT Implementation Methods; 10. Technology Adoption Strategy; 11. Enterprise Size)
Enterprise size:
Large enterprise (default): enterprise with more than 250 full-time employees (FTEs)
Small and medium enterprise: enterprise with 50 to 250 FTEs
COBIT 2019 – Focus areas
COBIT 2019 – Performance management
(Diagram: Processes; Capability; Maturity)
Process capability levels (partially recovered):
2: The process achieves its purpose through the application of a basic, yet complete, set of activities that can be characterized as performed.
1: The process more or less achieves its purpose through the application of an incomplete set of activities that can be characterized as initial or intuitive—not very organized.
0: • Lack of any basic capability • Incomplete approach to address governance and management purpose • May or may not be meeting the intent of any process practices
Focus area maturity levels (partially recovered):
1: Initial—Work is completed, but the full goal and intent of the focus area are not yet achieved.
Design and implement governance
COBIT 2019 – Governance System Design Workflow
COBIT 2019 – Implementation Road Map
COBIT 2019 – Design vs. Implementation
Conclusion
COBIT 2019 – Overview
Questions and comments
Contact
Christian F. Nissen
cfn@cfnconsult.dk
+45 40 19 41 45