Emilio Gratton Isaca And It Governance

Post on 08-May-2015

Category:

Business

DESCRIPTION

This presentation is extracted from one given recently to explain how I could help a university align its teaching objectives to a required complete IT renovation. Feel free to download it, but please also send me a message and stay connected. Maybe we have the same interests and we could share experiences.

Transcript

IT Governance - the ISACA solution -

October 2010

Emilio Gratton

ISACA MEMBER 630629

OUTLINE

1. NEED AND MEANING

2. MANAGEMENT SELECTION

3. COBIT FOCUS AREAS

4. COBIT FRAMEWORK

5. VALIT AT A GLANCE

6. RISKIT AT A GLANCE

7. COBIT PROCESS EXAMPLE

8. CONCLUSIONS

1. HOW TO EXPLOIT THE BENEFIT OF IT (IT VALUE) IN FAVOUR OF AN ENTERPRISE

2. HOW TO MANAGE IT ASSOCIATED RISKS (NON COMPLIANCE / CRITICAL DEPENDENCIES)

3. HOW TO MAINTAIN THE CONTROL OVER VALUE AND RISK

IT Governance

IT Value

IT Risks

IT Controls

NEED AND MEANING

NEED AND MEANING

IT Governance

RESPONSIBILITY OF THE EXECUTIVES AND BOARD OF DIRECTORS

CONSISTS OF:

• LEADERSHIP

• ORGANISATIONAL STRUCTURES

• PROCESSES

ENTERPRISE’S IT MANAGEMENT SUSTAINS AND EXTENDS THE ORGANIZATION’S STRATEGIES & OBJECTIVES

MANAGEMENT SELECTION

What IT management?

ISACA: Professional association with 95,000 constituents. Worldwide (160) leader in IT governance, control, security and assurance. Offers the CISA, CISM, CRISC and CGEIT certifications.

COBIT: Control OBjectives for Information and related Technologies

MANAGEMENT SELECTION

IT Governance

ISACA

INTEGRATES / INSTITUTIONALISES

GOOD PRACTICES

ENTERPRISE’S IT SUPPORTS THE BUSINESS OBJECTIVES

COBIT

• Linking to the business requirements

• Organising IT activities into a process model

• Identifying the major IT resources to be leveraged

• Defining the management control objectives

COBIT FOCUS AREAS

[Figure: IT Governance focus areas (Strategic Alignment, Value Delivery, Risk Management, Resource Management, Performance Measurement); label: COBIT]

COBIT FOCUS AREAS

• STRATEGIC ALIGNMENT: linkage of business and IT plans; defining, maintaining and validating the IT value proposition; aligning IT operations with enterprise operations.

• VALUE DELIVERY: executing the value throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, optimising costs and proving the intrinsic value of IT.

• RESOURCE MANAGEMENT: investment in, and management of, critical IT resources: applications, information, infrastructure and people. Key issues: optimisation of knowledge and infrastructure.

• RISK MANAGEMENT: requires risk awareness by senior corporate officers, understanding of the enterprise’s appetite for risk, understanding of compliance requirements, transparency about the significant risks to the enterprise and embedding of risk management responsibilities into the organisation.

• PERFORMANCE MEASUREMENT: tracks and monitors strategy implementation, project completion, resource usage, process performance and service delivery, using, for example, balanced scorecards that translate strategy into action to achieve goals measurable beyond conventional accounting.

COBIT FRAMEWORK

BUSINESS-FOCUSED

• BASIC PRINCIPLE

• INFORMATION CRITERIA

• ALIGN BUSINESS GOALS TO IT GOALS

• ALIGN RESOURCE AND IT ARCHITECTURE

PROCESS-ORIENTED

• 4 DOMAINS

• 34 IT PROCESSES

CONTROL-BASED

• 6 PROCESS CONTROLS

• 6 APPLICATION CONTROLS

MEASUREMENT-DRIVEN

• MATURITY SCALE

• MATURITY LEVELS

• MATURITY MODELS

COBIT FRAMEWORK – THE BUSINESS: BASIC COBIT PRINCIPLE

COBIT FRAMEWORK – THE BUSINESS: INFORMATION CRITERIA

BUSINESS REQUIREMENT FOR INFORMATION

1. Effectiveness : information being relevant and pertinent to the business process as well as delivery in a timely, correct, consistent and usable manner.

2. Efficiency : provision of information through the optimal (most productive and economical) use of resources.

3. Confidentiality : protection of sensitive information from unauthorised disclosure.

4. Integrity : accuracy and completeness of information as well as validity in accordance with business values and expectations.

5. Availability : information being available when required by the business process now and in the future, safeguarding of necessary resources and associated capabilities.

6. Compliance : complying with the laws, regulations and contractual arrangements to which the business process is subject.

7. Reliability : provision of appropriate information for management to operate the entity and exercise its fiduciary and governance responsibilities.

COBIT FRAMEWORK – THE GOALS: DEFINING IT GOALS AND ENTERPRISE ARCHITECTURE FOR IT

COBIT FRAMEWORK – THE RESOURCES: IT RESOURCES CLASSIFICATION

P01 PROCESS “PLAN AND ORGANISE - DEFINE A STRATEGIC IT PLAN”: SCREENSHOTS

COBIT FRAMEWORK – THE PROCESSES: 4 DOMAINS – 34 PROCESSES

PLAN AND ORGANISE

ACQUIRE AND IMPLEMENT

DELIVERY AND SUPPORT

MONITOR AND EVALUATE

COBIT FRAMEWORK – THE CONTROLS: CONTROL MODEL

COBIT FRAMEWORK – THE CONTROLS: BOUNDARIES BETWEEN CONTROLS

COBIT FRAMEWORK - MEASUREMENTS: GRAPHIC REPRESENTATION OF A MATURITY MODEL

COBIT FRAMEWORK - MEASUREMENTS: MATURITY LEVELS OF AN IT PROCESS

COBIT FRAMEWORK - MEASUREMENTS: THE THREE DIMENSIONS OF MATURITY

COBIT FRAMEWORK – THE COBIT CUBE: THE THREE DIMENSIONS OF IT CONTROLLED MANAGEMENT

COBIT FRAMEWORK – THE GOVERNANCE MAPPING

HOW THE COBIT FRAMEWORK MAPS IT GOVERNANCE FOCUS AREAS

IT GOVERNANCE FOCUS AREAS

[Figure: IT Governance focus areas (Strategic Alignment, Value Delivery, Risk Management, Resource Management, Performance Measurement); labels: COBIT, ValIT (BASED ON COBIT)]

• Many enterprises practice elements of Val IT™ already

• Val IT™ provides a consistent, repeatable and comprehensive approach

• IT and business become equal shareholders because Val IT™ helps management to answer these key questions:*

The strategic question

The architecture question

The value question

The delivery question

* Based on the Four ‘Ares’ as described by John Thorp in his book The Information Paradox, written jointly with Fujitsu, first published in 1998 and revised in 2003

VALIT AT A GLANCE 1: A COMPREHENSIVE APPROACH

VALIT AT A GLANCE 2: DOMAINS AND PROCESSES

VALIT AT A GLANCE 3: CONTRIBUTION TO IT GOVERNANCE

IT GOVERNANCE FOCUS AREAS

[Figure: IT Governance focus areas (Strategic Alignment, Value Delivery, Risk Management, Resource Management, Performance Measurement); labels: COBIT, ValIT (BASED ON COBIT), RiskIT (BASED ON COBIT)]

RISKIT AT A GLANCE 1: RISK AND OPPORTUNITY MANAGEMENT

RISKIT AT A GLANCE 2: BUSINESS OBJECTIVE

RISKIT AT A GLANCE 3: RISK IT’S THREE DOMAINS

RISKIT AT A GLANCE 4: RISK RESPONSE APPROACH

RISKIT AT A GLANCE 5: CONTRIBUTION TO IT GOVERNANCE

COBIT PROCESS EXAMPLE 1

COBIT PROCESS EXAMPLE 2

COBIT PROCESS EXAMPLE 3

COBIT PROCESS EXAMPLE 4

COBIT PROCESS EXAMPLE 5

COBIT PROCESS EXAMPLE 6

COBIT PROCESS EXAMPLE 7

COBIT PROCESS EXAMPLE 8

CONCLUSIONS

1. UNIQUE SET OF TOOLS AND STANDARDIZED DOCUMENTATION

2. VAST PARTICIPATION OF PROFESSIONALS

3. EXPANDABILITY OF SCOPES

4. CONTINUOUS UPDATE

5. LARGE SET OF CERTIFICATIONS

SOLUTION STRENGTH

CONCLUSIONS

1. CLEAR GUIDANCE AND THOROUGH EXPLANATIONS

2. PROCESSES ADAPTABILITY TO MANY MANAGEMENT SOFTWARE

3. FACILITATE MIGRATION FROM OTHER MANAGEMENT WORLDS

4. CONSISTENCY AMONG ISACA DOCUMENTATION

SOLUTION EASINESS

PERMISSIONS

COBIT 4.1 including select text and figures featured within this presentation are the property of ISACA/ITGI. Copyright © 1996-2007 ITGI. All rights reserved. ISACA, ITGI and COBIT are registered trademarks of ISACA.
