340 likes | 762 Views
COBIT Introductory Workshop. Excerpts from University of Calgary IT Session entitled “Introduction to COBIT, its Role in IT Governance and How to Apply it In UCIT” From June 5, 2009. Workshop Agenda. General Overview and Background of COBIT Rationale for Using COBIT at the UofC
E N D
COBIT Introductory Workshop Excerpts from University of Calgary IT Session entitled “Introduction to COBIT, its Role in IT Governance and How to Apply it In UCIT” From June 5, 2009
Workshop Agenda • General Overview and Background of COBIT • Rationale for Using COBIT at the UofC • COBIT Foundations • COBIT vs. Other Frameworks • Practical Application of COBIT at the UofC • This excerpt covers the 1st two points 2
General Overview and Background of COBIT
First: A Little Bit on Governance
Enterprise Governance • Enterprise governance is a set of responsibilities and practices exercised by the board and executive management with the goals of: • Providing strategic direction • Ensuring that defined objectives are achieved • Ensuring that risks are managed appropriately • Applying enterprise’s resources responsibly • Effective and efficient ©2007 IT Governance Institute
Organizational Challenges Relating to IT Security Keeping IT Running Aligning IT with Business Managing Complexity Regulatory Compliance Value/Cost Organisations require a structured approach for managing these and other challenges. This will ensure that there are agreed objectives for IT, good management controls in place and effective monitoring of performance to keep on track and avoid unexpected outcomes.
What is IT Governance? • Ensuring IT is aligned to and leveraged to help address enterprise needs • Decision making that leads to better alignment of IT and the business • IT delivering more business value • IT resources are used responsibly • IT risks are managed appropriately
Governance is About Balance • Enterprise governance is about: • Conformance • Adhering to legislation, internal policies, audit requirements, etc. • Performance • Improving profitability, efficiency, effectiveness, growth, etc. Performance Conformance Both Enterprise governance and IT governance require a balance between conformance and performance goals directed by the board. ©2007 IT Governance Institute
STRATEGIC VALUE ALIGNMENT DELIVERY RISK PERFORMANCE MANAGEMENT MEASUREMENT www.itgi.org www.itgi.org RESOURCE MANAGEMENT • IT Governance, as Defined by IT Governance Institute (ITGI) • IT governance is: • The responsibility of the board of directors and executive management • An integral part of enterprise governance, consisting of the leadership, organizational structures and processes that ensure that the enterprise’s IT sustains and extends the organization’s strategies and objectives
IT Governance Domains Focuses on ensuring the linkage of business and IT plans and on aligning IT operationswith enterprise operations Strategic alignment Value delivery IT delivers the promised benefits against the strategy, concentrating on optimizing costs and proving the intrinsic value of IT Is about the optimal investment in, and the proper management of, critical IT resources: applications, information, infrastructure and people Resource management Risk management Senior management’s appetite for risk, compliance requirements, transparency about the significant risks to the organisation Performance measurement Tracks and monitors strategy implementation, project completion, resource usage, process performance and service delivery to achieve goals measurable beyond conventional accounting ©2007 IT Governance Institute
IT Governance Stakeholders Board and executive Set direction for IT, monitor key results and insist on corrective measures Defines business requirements for IT and ensures that value is delivered and risks are managed Business management Delivers and improves IT services as required by the business IT management Provides independent assurance to demonstrate that IT delivers what is needed IT audit Risk and compliance Measures compliance with related policies and focuses on identification/mitigation of new risks ©2007 IT Governance Institute
So what is COBIT? • COBIT is a controls framework that supports IT Governance • COBIT stands for Control Objectives for Information and Related Technology. • It was created by ISACA (Information Systems Audit and Control Association) in 1996 • Initially created to define control objectives for business applications • It has evolved in Version 4.1 into a governance framework • Now owned by the IT Governance Institute (ITGI) • The COBIT framework was created with the main characteristics: • Business-focused • Process-oriented • Controls-based • Measurement-driven
Key Characteristics of COBIT • Is freely downloadable • Has internationally accepted good practices • Is management-oriented • Is supported by tools and training • Allows the knowledge of expert volunteers to be shared and leveraged • Continually evolves and is maintained by a reputable not-for-profit organisation • Maps strongly to all major, related standards and audit practices • However: • Is a reference, not an ‘off-the-shelf’ cure • Enterprises still need to analyse control requirements and customise COBIT based on their: • Value drivers • Risk profile • IT infrastructure, organisation and project portfolio
Governance Management Evolution Control Audit COBIT 1 COBIT 2 COBIT 3 COBIT 4 1996 1998 2000 2005 • History of COBIT Page 14
Business Strategy IT Processes IT Resources Information Criteria • Links to Business Strategy An organisation depends on reliable and timely data and information. COBIT components provide a comprehensive framework for delivering value while managing risk and control over data and information.
COBIT Framework • The “COBIT Cube” Information Criteria IT Processes IT Resources
for achieving Business Objectives i Business Processes to Information provide IT Resources and Processes • Basic Concepts • The COBIT framework is based on the premise that IT needs to deliver the information that an enterprise requires to achieve its objectives. • The COBIT framework helps align IT with the business by focusing on business information requirements and organising IT resources. COBIT provides the framework and guidance to implement IT governance.
What Does it do? COBIT helps bridge the gaps between business risks, control needs and technical issues. It provides good practices across a domain and process framework and presents activities in a manageable and logical structure. • COBIT: • It provides tools that both support effectiveness and enable audit • Starts from business requirements • Is process-oriented, organising IT activities into a generally accepted process model • Identifies the major IT resources to be leveraged • Defines the management control objectives to be considered • Maps all the way to measurements – performance, audit, maturity • Incorporates major standards and has become the de facto standard for overall control of IT IT resources need to be managed by a set of naturally grouped processes. COBIT provides a framework that achieves this objective.
COBIT vs Other Frameworks Organisations will consider and use a variety of IT models, standards and best practices. These must be understood in order to consider how they can be used together, with COBIT acting as the consolidator (‘umbrella’). COSO COBIT ISO 27001/002 ISO 9000 ITIL HOW WHAT Others SCOPE OF COVERAGE COSO – Committee of Sponsoring Agencies of the Treadway Commission – Internal Control Integrated Framework – focused on business controls ISO 27001/002 – Information Security Policy ISO 9000 – Family of standards for Quality Management
Another View CONFORMANCE Basel II, Sarbanes- Oxley Act, etc. PERFORMANCE: Business Goals Drivers Balanced Scorecard Enterprise Governance COSO COBIT IT Governance ISO 9001:2000 ISO 27001/002 ISO 20000 PMBOK Others Best Practice Standards Lean Six Sigma Security Principles Processes and Procedures ITSM ITDDM TOGAF, others ITDDM stands for IT Definition and Delivery Method – used at the UofC as a standard methodology for project initiatives
Rationale for Using COBIT at the UofC
We’re Not Alone How do most research universities govern the large and rapidly evolving set of information technology initiatives that take place on their campuses? ANSWER: Inefficiently, ineffectively and not as well as they should. ~ Source: Educause – IT Governance in Higher Education 2006 ~
Why COBIT? Some of the advantages of adopting COBIT are: • COBIT is aligned with and can be used with other standards and good practices • COBIT’s framework and supporting best practices provide a well-managed and flexible IT environment in an organisation. • COBIT provides a control environment that is responsive to business needs and serves management and audit functions in terms of their control responsibilities. • COBIT provides tools to help manage and measure IT activities. • COBIT is used by the Provincial Auditors in their annual audit review • COBIT has been selected by Alberta Advanced Education & Technology as a target control framework for Post Secondary Institutions • Target maturity level defined as 3 within 3 years
How it Supports IT Governance? COBIT brings the following advantages to an IT governance implementation effort: • Enables mapping of IT goals to business goals and vice versa • Better alignment, based on a business focus • A view of what IT does that is understandable to management • Clear ownership and responsibilities based on process orientation • General acceptability with third parties and regulators • Shared understanding amongst all stakeholders, based on a common language • Fulfilment of the COSO requirements for the IT control environment Performance Conformance
Defines a common language Ensures process orientation Helps meet regulatory requirements Control Framework Has general acceptability amongst organisations • Exploring the Key Benefits • COBIT focuses on improving IT governance in organisations. • COBIT provides a framework to manage and control IT activities and supports five requirements for a control framework. Provides sharper business focus
Defines a common language Ensures process orientation Helps meet regulatory requirements Control Framework Has general acceptability amongst organisations • Sharper Business Focus • COBIT achieves sharper business focus by aligning IT with business objectives. • The measurement of IT performance should focus on IT’s contribution to enabling and extending the business strategy. • COBIT, supported by appropriate business-focused metrics, can ensure that the primary focus is value delivery and not technical excellence as an end in itself. Provides sharper business focus
Defines a common language Ensures process orientation Helps meet regulatory requirements Control Framework Has general acceptability amongst organisations • Process Orientation • When organisations implement COBIT, their focus is more process-oriented. • Incidents and problems no longer divert attention from processes. • Exceptions can be clearly defined as part of standard processes. • With process ownership defined, assigned and accepted, the organisation is better able to maintain control through periods of rapid change or organisationalcrisis. Provides sharper business focus
Provides sharper business Defines a common language Ensures process orientation Helps meet regulatory requirements Control Framework Has general acceptability amongst organisations • General Acceptability • COBIT is a proven and globally accepted standard for increasing the contribution of IT to organisational success. • Coming soon to a campus near us • The framework continues to improve and develop to keep pace with good practices. • IT professionals from all over the world contribute their ideas and time to regular review meetings. focus
Provides sharper business Defines a common language Ensures process orientation Helps meet regulatory requirements Control Framework Has general acceptability amongst organisations • Regulatory Requirements • Recent corporate scandals have increased regulatory pressures on boards of directors to report their status and ensure that internal controls are appropriate. This pressure covers IT controls as well. • Organisations constantly need to improve IT performance and demonstrate adequate controls over their IT activities. • Many IT managers, advisors and auditors are turning to COBIT as the de facto response to regulatory IT requirements. focus
Regulatory Requirements (cont.) • In the Auditor General's April 2008 public report, he recommended: • "...that the Department of Advanced Education and Technology give guidance to public post-secondary Institutions on using an IT control framework to develop control processes that are well-designed, efficient, and effective" • The following excerpt was taken from the OAG’s audit plan for AET: • 8.3 IT Controls framework for post-secondary institutions • We understand the Department is working, through the Alberta Associations of Higher Education Information Technology, with Institutions to develop an IT Control Framework for Institutions. We support this initiative and will work with the Department to determine the progress made. This will also allow us to determine the extent and timing of work to perform at individual Institutions. • Working with PSIs, the Provincial PSI ITM Control Framework will provide a holistic functional perspective built on guidance and requirements of: • CoBIT 4.1 as published by the IT Governance Institute (Level 3 maturity targeted) • General Computer Controls Review (GCCR) as published by the OAG • Legislation / Regulation (FOIP, etc.) • Other International Standards (ITIL, ISO27002, etc.) • Specific institutional needs and interdependencies • Existing principles and governance
Provides sharper business Defines a common language Ensures process orientation Helps meet regulatory requirements Control Framework Has general acceptability amongst organisations • Common Language • A framework helps get everybody on the same page by defining critical terms and providing a glossary. • Co-ordination within and across project teams and organisations can play a key role in the success of any project. • Common language helps build confidence and trust. focus
References/Sources IT Governance Institute - http://www.itgi.org/ ISACA - http://www.isaca.org/