COBIT 5. Jimmy Heschl. Process Analytics and Control. Wien, April 12



2 COBIT 5 Process Analytics and Control, Wien, April 12
Note: All information and figures in this presentation are subject to copyright and usage rights and other provisions. Any reproduction, in particular for commercial use, requires the author's express permission.

3 About the speaker
bwin.party, COBIT & Justiz, Stiegl, Wirtschaftsinformatik, KPMG, Ernst & Young
Pragmatic governance based on standards such as COBIT ensures reliability.
(The letters highlighted on the slide spell "Jimmy Heschl".)


5 The ambition
- Provide a renewed and authoritative governance and management framework for enterprise information and related technology (GEIT & MEIT).
- Link together and reinforce all other major ISACA frameworks and guidance, such as COBIT, Val IT, Risk IT, BMIS, ITAF, Board Briefing, TGF.
- Connect to other major frameworks and standards in the marketplace (COSO, ITIL, ISO standards, etc.).

6 COBIT 5 - Development
Groups:
- Task Force Future Framework ( )
- COBIT 5 Task Force
- Core Development Team
- Professional Support Team (PwC)
- Researcher
Approach:
- Design by the Task Force
- Elaboration by the Development Team
- Development Workshops
- Public Exposure Drafts
- Stress Tests
- SME Reviews

7 What's new?
- Focus: Enterprise Governance over IT
- Scope: Business & IT
- Method: Enablers
- Product: Knowledge Base & Views
- and more.

8 Publications
At release (10 April 2012):
- COBIT Framework
- Enabling Processes
- Implementation Guide
In development:
- COBIT 5 for Security
- COBIT 5 for Risk
- COBIT 5 for Assurance
- COBIT Online Replacement
- COBIT 5 Assessment Programme
In planning:
- COBIT 5 for Performance
- COBIT 5: Enabling Information (Enabler Guide)
- More to come
COBIT trainings: first courses from May.

9 Evolution of Scope (timeline graphic)
Versions on the timeline: COBIT1, COBIT2, COBIT3, COBIT4.0, COBIT4.1, COBIT 5; alongside Val IT 2.0 (2008) and Risk IT (2009).
Scope axis labels: Governance of Enterprise IT, IT Governance, Management, Control, Audit.

10 COBIT 5 - Principles
- Meeting Stakeholder Needs
- Covering the Enterprise End-to-End
- Applying a Single Integrated Framework
- Enabling a Holistic Approach
- Separating Governance from Management

11 Meeting Stakeholder Needs (graphic: Jimmy Heschl)
Stakeholder Drivers (Environment, Technology, Evolution, ...) drive the Governance Objective: Value Creation, consisting of
- Benefits Realisation
- Resource Optimisation
- Risk Optimisation

12 Meeting Stakeholders' Needs

13 Internal Stakeholders
- IT Manager: How do we deliver IT services, as required by the business and directed by the board?
- Board, Executive, and Business Manager: How do we define business direction for IT, deliver value, and manage risks?
- Risk and Compliance Manager: How do we ensure that policies, regulations, and laws are complied with and new risks identified?
- IT Auditor: How do we provide independent assurance of IT value delivery and risk mitigation?

14 External Stakeholders
- External Auditor: I need to know whether the figures reported are correct and the control system is reliable.
- Customers: I need you to keep my private information secure on your computer system.
- Regulator: How can we be assured that the organization has a business continuity plan? Remains in the country? Pays taxes? Keeps an employer of choice? Protects data and knowledge? (mycompany?)
- Anonymous: How can I get access to the data?
- Suppliers: Do we have assurance that confidential information about our company is not sent to our competitors?

15 Meeting Stakeholder Needs: the goals cascade (graphic: Jimmy Heschl)
Stakeholder Drivers (Environment, Technology Evolution, ...)
-> Stakeholder Needs: Benefits Realisation, Resource Optimisation, Risk Optimisation
-> Cascade to Enterprise Goals
-> Cascade to IT Related Goals
-> Cascade to Enabler Goals

16 Covering the Enterprise End-to-End
- Governance Objective: Value Creation (Benefits Realisation, Resource Optimisation, Risk Optimisation)
- Governance Enablers
- Governance Scope
- Governance Roles, Activities and Relationships

17 Governance Roles, Activities and Relationships (graphic: Jimmy Heschl)
- Owners and Stakeholders delegate to the Governing Body; the Governing Body is accountable to the Owners and Stakeholders.
- The Governing Body sets direction for Management and monitors it.
- Management instructs and aligns Operations & Execution; Operations & Execution report back to Management.

18 Separating Governance from Management (graphic: Jimmy Heschl)
- Governance: Evaluate, Direct, Monitor
- Management: Plan, Build, Run, Monitor

19 Updated definitions (graphic: Jimmy Heschl)
Governance: Governance ensures that enterprise objectives are achieved by evaluating stakeholder needs, conditions and options; setting direction through prioritisation and decision making; and monitoring performance, compliance and progress against plans.
Management: Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives.

20 GRC - Three Different Areas (often mixed up)
Governance
- Scope: Evaluate, direct and monitor risk, value and resources.
- Question: Are we getting the benefits?
- Stakeholders: Owners, Management
- Reaction: Get the most out of it.
Risk
- Scope: Probability of uncertain future events.
- Question: Are things going wrong?
- Stakeholders: Owners, Management
- Reaction: Avoid it.
Compliance
- Scope: Conforming to a rule.
- Question: Are we doing things in accordance with requirements? (And: Can we prove it, or shall we hide it?)
- Stakeholders: Law enforcement, Auditors, Management
- Reaction: Document it (CMA).

21 Applying a Single Integrated Framework (graphic: Jimmy Heschl)
Sources: Existing ISACA Guidance, New ISACA Guidance Materials, Other Standards and Frameworks
-> COBIT 5 Knowledge Base (COBIT 5 Enablers)
-> COBIT 5 Products: COBIT 5 Framework, COBIT 5 Enabler Guides, COBIT 5 Practice Guides, COBIT 5 Online

22 Enabling a Holistic Approach: COBIT 5 Enablers (graphic: Jimmy Heschl)
- Processes
- Organisational Structures
- Culture, Ethics & Behaviour
- Frameworks, Policies and Procedures
- Information
- Services, Infrastructure, Applications
- People, Skills & Competences
(Information, Services/Infrastructure/Applications and People/Skills/Competences are grouped as Resources.)

23 Enabler Structure and Enabler Performance Management (graphic: Jimmy Heschl)
Enabler dimensions:
- Stakeholders: Internal Stakeholders, External Stakeholders
- Goals: Intrinsic Quality; Contextual Quality (Relevance, Effectiveness); Accessibility and Security
- Life Cycle: Plan, Design, Build/Acquire/Create/Implement, Use/Operate, Evaluate/Monitor, Update/Dispose
- Good Practices: Practices, Activities, Detailed Activities; Work Products (Inputs/Outputs)
Enabler performance management asks:
- Are Stakeholder Needs Addressed?
- Are Enabler Goals Achieved?
- Is the Life Cycle Managed?
- Are Good Practices Applied?
Metrics for Achievement of Goals are lag indicators; Metrics for Application of Practice are lead indicators.

24 Key Enabler: Processes
- Governance of Enterprise IT: Evaluate, Direct, Monitor
- Management of Enterprise IT: Plan (APO), Build (BAI), Run (DSS), Monitor (MEA)

25 Processes for Governance of Enterprise IT (graphic: Jimmy Heschl)
Evaluate, Direct & Monitor
- EDM1 Set and Maintain the Governance Framework
- EDM2 Ensure Benefits Delivery
- EDM3 Ensure Risk Optimisation
- EDM4 Ensure Resource Optimisation
- EDM5 Ensure Stakeholder Transparency
Processes for Management of Enterprise IT
Align, Plan & Organise
- APO1 Define the Management Framework for IT
- APO2 Manage Strategy
- APO3 Manage Enterprise Architecture
- APO4 Manage Innovation
- APO5 Manage Portfolio
- APO6 Manage Budget & Costs
- APO7 Manage Human Resources
- APO8 Manage Relationships
- APO9 Manage Service Agreements
- APO10 Manage Suppliers
- APO11 Manage Quality
- APO12 Manage Risks
- APO13 Manage Security
Build, Acquire & Implement
- BAI1 Manage Programmes and Projects
- BAI2 Define Requirements
- BAI3 Identify & Build Solutions
- BAI4 Manage Availability & Capacity
- BAI5 Enable Organisational Change
- BAI6 Manage Changes
- BAI7 Accept & Transition Changes
- BAI8 Manage Knowledge
- BAI9 Manage Assets
- BAI10 Manage Configuration
Deliver, Service & Support
- DSS1 Manage Operations
- DSS2 Manage Service Requests & Incidents
- DSS3 Manage Problems
- DSS4 Manage Continuity
- DSS5 Manage Security Administration
- DSS6 Manage Business Process Controls
Monitor, Evaluate & Assess
- MEA1 Monitor & Evaluate Performance and Conformance
- MEA2 Monitor System of Internal Control
- MEA3 Monitor and Assess Compliance with External Requirements

26-30 Processes for Governance and Management of Enterprise IT (graphic: Jimmy Heschl)
The same process map as slide 25, built up step by step across five slides with abbreviated process names: Evaluate, Direct & Monitor (EDM); Align, Plan & Organise (APO); Build, Acquire & Implement (BAI); Deliver, Service & Support (DSS); Monitor, Evaluate & Assess (MEA).


31 Processes for the bosses (the slide's captions are Viennese dialect, rendered here in English)
Assert, decide, grumble (Evaluate, Direct & Monitor)
- Where to, says I. (EDM1 - Set and Maintain the Governance Framework)
- What's it good for? (EDM2 - Ensure Benefits Delivery)
- Watch out! (EDM3 - Ensure Risk Optimisation)
- That can be done with less! (EDM4 - Ensure Resource Optimisation)
- Got it? (EDM5 - Ensure Stakeholder Transparency)
Processes for the workers (graphic: Jimmy Heschl)
Bend it into shape, whine, and have a look (Align, Plan & Organise)
- How, says I. (APO1 - Define the Management Framework for IT)
- Listen up. (APO2 - Manage Strategy)
- What, all of that? (APO3 - Manage Enterprise Architecture)
- Something new. (APO4 - Manage Innovation)
- So much work! (APO5 - Manage Portfolio)
- Far too expensive! (APO6 - Manage Budget & Costs)
- Rascals. (APO7 - Manage Human Resources)
- Them again! (APO8 - Manage Relationships)
- This far and no further. (APO9 - Manage Service Agreements)
- More rascals. (APO10 - Manage Suppliers)
- Blah blah. (APO11 - Manage Quality)
- Coward! (APO12 - Manage Risks)
- Hands off! (APO13 - Manage Security)
Try it, wangle it, put it up (Build, Acquire & Implement)
- Where do we start? (BAI1 - Manage Programmes and Projects)
- What do you want? (BAI2 - Define Requirements)
- Let's have a look! (BAI3 - Identify & Build Solutions)
- How many more? (BAI4 - Manage Availability & Capacity)
- You lot do something for once! (BAI5 - Enable Organisational Change)
- Don't get us started! (BAI6 - Manage Changes)
- Catch! (BAI7 - Accept & Transition Changes)
- I'm not telling you! (BAI8 - Manage Knowledge)
- Mine! (BAI9 - Manage Assets)
- Also mine! (BAI10 - Manage Configuration)
Just do it yourself, help out, and muddle through (Deliver, Service & Support)
- Off we go. (DSS1 - Manage Operations)
- Your humble servant. (DSS2 - Manage Service Requests & Incidents)
- Not again. (DSS3 - Manage Problems)
- Whoa! (DSS4 - Manage Continuity)
- Hands off, really! (DSS5 - Manage Security Administration)
- The nitty-gritty. (DSS6 - Manage Business Process Controls)
Grumble, whine, talk clever (Monitor, Evaluate & Assess)
- Fine by me. (MEA1 - Monitor & Evaluate Performance and Conformance)
- Oh come on! (MEA2 - Monitor System of Internal Control)
- Yeah, sure! (MEA3 - Monitor and Assess Compliance with External Requirements)

32 Process Model (overview slide)
The overlapping text boxes on this slide repeat the content of slides 33 to 39: the process model structure, process description and purpose statement, IT related goals and metrics, process goals and metrics, the RACI chart for APO13, management practice APO13.01 with its activities, and the inputs and outputs of BAI06.01.
Related Guidance (Related Standard / Detailed Reference), as far as the transcription captured it:
- ISO/IEC: 0.1 Release management process
- ITIL V: 12. Transition Planning and Support; 15. Release and Deployment; 16. Service Validation and Testing; 17. Evaluation
- PMBOK: quality assurance and acceptance of all products
- PRINCE2: product-based planning

33 Process Model
Descriptive:
- Domain, Number, Name
- Process Description
- Process Purpose Statement
Process Management:
- IT Related Goals & Metrics
- Process Goals & Metrics
- Roles & Responsibilities
Process Design & Operation:
- Management Practices
- Activities
- Inputs & Outputs
- Related Guidance
Audience labels on the slide: IT Stakeholder, IT Professionals.

34 Process Description & Process Purpose Statement
Process Description: Maintain an awareness of information technology and related service trends, identify innovation opportunities, and plan how to benefit from innovation in relation to business needs. Analyse what opportunities for business innovation or improvement can be created by emerging technologies, services or IT-enabled business innovation, as well as through existing established technologies and by business and IT process innovation. Influence strategic planning and enterprise architecture decisions.
Process Purpose Statement: Achieve competitive advantage, business innovation, and improved operational effectiveness and efficiency by exploiting information technology developments.

35 IT Related Goals and Metrics
IT Related Goal: Alignment of IT and business strategy
Related Metrics:
- Percent of enterprise strategic goals and requirements supported by IT strategic goals.
- Stakeholder satisfaction with the scope of the planned portfolio of programmes and services.
- Percent of IT value drivers mapped to business value drivers.
IT Related Goal: Realised benefits from IT-enabled investments and services portfolio
Related Metrics:
- Percent of IT-enabled investments where benefit realisation is monitored through the full economic life cycle.
- Percent of IT services where expected benefits are realised.
- Percent of IT-enabled investments where claimed benefits are met or exceeded.
...

36 Process Goals and Metrics
Process Goal: Relevant stakeholders are engaged in the programmes and projects.
Related Metrics:
- Percent of stakeholders effectively engaged.
- Level of stakeholder satisfaction with involvement.
Process Goal: The programme and project activities are executed according to the plans.
Related Metrics:
- Percent of deviations from plan addressed.
- Percent of stakeholder sign-offs for stage-gate reviews of active programmes.
- Frequency of status reviews.
...

37 Function RACI Chart
Roles (columns): Board, Chief Executive Officer, Chief Financial Officer, Chief Operating Officer, Business Executives, Business Process Owners, Strategy Executive Committee, Steering Committee, Project Management Office, Value Management Office, Chief Risk Officer, Chief Information Security Officer, Architecture Board, Enterprise Risk Committee, Head Human Resources, Compliance, Audit, Chief Information Officer, Head Architect, Head Development, Head IT Operations, Head IT Administration, Service Manager, Information Security Manager, Business Continuity Manager, Privacy Officer
Key Management Practices (rows) and the assignment letters as captured (blank cells were lost in the transcription, so the letters can no longer be mapped to individual roles reliably):
- APO13.01 Establish and maintain an Information Security Management System (ISMS): C C C I C I I C A C C C C R I I I R I R C C
- APO13.02 Define and manage an information security treatment plan: C C C C C I I C A C C C C R C C C R C R C C
- APO13.03 Monitor and review the ISMS: C R C R A C C R R R R R R R R R
RACI: who is Responsible (Zuständig), Accountable (Verantwortlich), Consulted (Befragt), Informed (Informiert).
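The RACI key on the slide implies a rule every row of such a chart has to satisfy before it is signed off: one role is Accountable for each practice, at least one role is Responsible, and nothing but R/A/C/I appears. The following Python script is an added example and not part of the presentation: it encodes a chart for the three APO13 practices and checks those rules. The role names and practice identifiers are taken from the slide; the letter assignments are constructed for illustration (the transcription lost the blank cells) and do not claim to reproduce COBIT's published chart.

```python
"""Consistency checks for a RACI chart (added example; assignments constructed)."""
from collections import Counter

VALID_LETTERS = {"R", "A", "C", "I"}

# Roles in the order the slide lists them.
ROLES = [
    "Board", "Chief Executive Officer", "Chief Financial Officer",
    "Chief Operating Officer", "Business Executives", "Business Process Owners",
    "Strategy Executive Committee", "Steering Committee",
    "Project Management Office", "Value Management Office",
    "Chief Risk Officer", "Chief Information Security Officer",
    "Architecture Board", "Enterprise Risk Committee", "Head Human Resources",
    "Compliance", "Audit", "Chief Information Officer", "Head Architect",
    "Head Development", "Head IT Operations", "Head IT Administration",
    "Service Manager", "Information Security Manager",
    "Business Continuity Manager", "Privacy Officer",
]

# CONSTRUCTED chart: practice -> {role: letter}; roles not listed are blank.
RACI_APO13 = {
    "APO13.01 Establish and maintain an ISMS": {
        "Chief Executive Officer": "I",
        "Chief Risk Officer": "C",
        "Chief Information Security Officer": "A",
        "Chief Information Officer": "R",
        "Head IT Operations": "C",
        "Information Security Manager": "R",
        "Business Continuity Manager": "C",
        "Privacy Officer": "C",
    },
    "APO13.02 Define and manage an information security treatment plan": {
        "Chief Risk Officer": "C",
        "Chief Information Security Officer": "A",
        "Enterprise Risk Committee": "C",
        "Chief Information Officer": "C",
        "Head Development": "C",
        "Head IT Operations": "R",
        "Information Security Manager": "R",
        "Privacy Officer": "C",
    },
    "APO13.03 Monitor and review the ISMS": {
        "Chief Information Security Officer": "A",
        "Compliance": "C",
        "Audit": "C",
        "Chief Information Officer": "R",
        "Head IT Operations": "R",
        "Head IT Administration": "R",
        "Service Manager": "R",
        "Information Security Manager": "R",
        "Privacy Officer": "R",
    },
}


def check_practice(assignments):
    """Return the rule violations for one practice row (empty list = OK).

    Rules: only R/A/C/I letters; exactly one Accountable; at least one Responsible.
    """
    problems = []
    letters = Counter(assignments.values())
    unknown = sorted(set(assignments.values()) - VALID_LETTERS)
    if unknown:
        problems.append(f"unknown letters: {unknown}")
    if letters["A"] == 0:
        problems.append("no Accountable role")
    elif letters["A"] > 1:
        problems.append(f"{letters['A']} Accountable roles, expected exactly one")
    if letters["R"] == 0:
        problems.append("no Responsible role")
    return problems


def check_chart(chart):
    """Map every practice to its list of violations."""
    return {practice: check_practice(row) for practice, row in chart.items()}


def accountable_role(chart, practice):
    """The single Accountable role for a practice, or None if absent or ambiguous."""
    holders = [role for role, letter in chart[practice].items() if letter == "A"]
    return holders[0] if len(holders) == 1 else None


def unassigned_roles(chart, roles=ROLES):
    """Roles that appear in no practice row: worth a second look before sign-off."""
    used = set()
    for row in chart.values():
        used.update(row)
    return [role for role in roles if role not in used]


if __name__ == "__main__":
    for practice, problems in check_chart(RACI_APO13).items():
        print(practice, "->", "OK" if not problems else "; ".join(problems))
    print("Accountable for APO13.01:",
          accountable_role(RACI_APO13, "APO13.01 Establish and maintain an ISMS"))
    print("Roles with no assignment:", unassigned_roles(RACI_APO13))
```

A row with two Accountable roles or none at all is the failure mode this catches; the same check applies unchanged to a chart exported from a GRC tool once it is loaded into the same practice-to-roles mapping.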

38 Management Practice & Activities
Management Practice APO13.01: Establish and maintain an Information Security Management System (ISMS)
Establish and maintain an information security management system (ISMS) that provides a standard, formal and continuous approach to security management for information, enabling secure technology and business processes that are aligned with business requirements and enterprise security management.
Activities:
- Define the scope and boundaries of the ISMS in terms of the characteristics of the enterprise, the organisation, its location, assets and technology, including details of and justification for any exclusions from the scope.
- Define an ISMS in accordance with enterprise policy and aligned with the enterprise, the organisation, its location, assets and technology.
- Align the ISMS with the overall enterprise approach to the management of security.
- Obtain management authorisation to implement and operate or change the ISMS.
- Prepare and maintain a Statement of Applicability that describes the scope of the ISMS.
- Define and communicate information security management roles and responsibilities.
- Communicate the ISMS approach.

39 Inputs & Outputs
Management Practice BAI06.01: Evaluate, prioritise and authorise change requests
Evaluate all requests for change to determine the impact on business processes and IT services, and assess whether a change will adversely affect the operational environment or introduce unacceptable risks. Ensure that changes are logged, prioritised, categorised, assessed, authorised, planned and scheduled.
Inputs (From: Description):
- BAI03.05: Integrated and configured solution components
- DSS02.03: Approved service requests
- DSS03.03: Proposed solutions to known errors
- DSS03.03: Identified sustainable solutions
- DSS04.08: Approved changes to the plans
- DSS06.01: Root cause analyses and recommendations
Outputs (Description: Destination):
- Root cause analyses and recommendations: Internal
- Approved requests for change: BAI07.01
- Change plan and schedule: BAI07.01

40 Related Guidance
Related Standard: Detailed Reference
- ISO/IEC: 0.1 Release management process
- ITIL V: 12. Transition Planning and Support; 15. Release and Deployment; 16. Service Validation and Testing; 17. Evaluation
- PMBOK: PMBOK quality assurance and acceptance of all products.
- PRINCE2: PRINCE2 product-based planning

41 COBIT 5 Implementation Guide
- Positioning GEIT within an enterprise
- Taking the first steps towards improving GEIT
- Implementation challenges and success factors
- Enabling GEIT-related organisational and behavioural change
- Implementing continual improvement that includes change enablement and programme management
- Using COBIT 5 and its components

42 COBIT 5 - Thoughts
Migration / Implementation
- Management and governance of IT.
- A clear stakeholder focus as the driver.
- Governance is not compliance.
- Governance is not an extension of IT's homework.
- Renumbering is not the point of the exercise.
- Strategy, planning and sustainability instead of an ad hoc approach.
- Professional support makes sense; outsourcing is not an option.
General
- The enabler concept will still need time.
- Expectations will rise.
- As before: the Bible is a different book.

43 Summary
- COBIT 5 is here
- Significant innovations and additions
- Integration of the frameworks
- Easier to apply than previous versions
- More compact, clearer, more complete

44 Contact: LinkedIn, Xing


More information

KING III IT GOVERNANCE ALIGNED TO. Simon Liell-Cock Julio Graham Peter Hill CISA CISM CGEIT

KING III IT GOVERNANCE ALIGNED TO. Simon Liell-Cock Julio Graham Peter Hill CISA CISM CGEIT IT GOVERNANCE ALIGNED TO KING III Simon Liell-Cock Julio Graham Peter Hill CISA CISM CGEIT IT Governance Network South Africa USA UK Switzerland www.itgovernance.co.za info@itgovernance.com 0825588732

More information

ITIL: Service Offerings & Agreements Course 02 Service Offerings & Agreements

ITIL: Service Offerings & Agreements Course 02 Service Offerings & Agreements ITIL: Service Offerings & Agreements Course 02 Service Offerings & Agreements Slide 1 Course Service Offerings & Agreements Topics Covered Learning Objectives Terms-to-Know Introduction Principles Context

More information

ISACA. The recognized global leader in IT governance, control, security and assurance

ISACA. The recognized global leader in IT governance, control, security and assurance ISACA The recognized global leader in IT governance, control, security and assurance High-level session overview 1. CRISC background information 2. Part I The Big Picture CRISC Background information About

More information

CGMA Competency Framework

CGMA Competency Framework CGMA Competency Framework Technical skills CGMA Competency Framework 1 Technical skills : This requires a basic understanding of the business structures, operations and financial performance, and includes

More information

ISO 9001:2015. Quality Manual Template.

ISO 9001:2015. Quality Manual Template. www.iso-9001-checklist.co.uk Insert your company s name or logo, and address. This quality manual is the property of Your Company. It must not be reproduced in whole or in part or otherwise disclosed without

More information

Risk Advisory Services Developing your organisation s governance for competitive advantage

Risk Advisory Services Developing your organisation s governance for competitive advantage Advisory Services Developing your organisation s governance for competitive advantage The Deloitte Advisory Platform of Services can help you to govern your strategic plan to guide your operations measure

More information

Module 6: Business Application Software Audit. Chapter 1: Business Application Software Audit

Module 6: Business Application Software Audit. Chapter 1: Business Application Software Audit Module 6: Business Application Software Audit Chapter 1: Business Application Software Audit 1 Basic Learning Objectives Task Statement Knowledge Statement 2 Learning Objectives Business application software

More information

GOVERNANCE OF INFORMATION TECHNOLOGY (IT)

GOVERNANCE OF INFORMATION TECHNOLOGY (IT) GOVERNANCE OF INFORMATION TECHNOLOGY (IT) Preface "Доверяй, но проверяй. Доверяй, но проверяй Trust, but verify GOVERNANCE OF INFORMATION TECHNOLOGY (IT) Chapter 1 "For there are very few so foolish that

More information

CORESafety Safety and Health Principles

CORESafety Safety and Health Principles CORESafety Safety and Health Principles Principle 1 Leadership Development Identifying and developing employees in leadership positions who can: Influence safety and health performance improvement. Positively

More information

Certificate in Internal Audit 3. Advanced Audit Techniques

Certificate in Internal Audit 3. Advanced Audit Techniques Certificate in Internal Audit 3 Advanced Audit Techniques Who should attend? Senior Auditors Audit Managers and those about to be appointed to that role Auditors that need to audit projects, contracts

More information

Information and Communication Technology

Information and Communication Technology ISSA Guidelines Information and Communication Technology Extended edition 2016 Open access version The ISSA Guidelines for Social Security Administration consist of internationally-recognized professional

More information

TABLE OF CONTENTS 2. INFORMATION TECHNOLOGY IN A BUSINESS ENVIRONMENT 15

TABLE OF CONTENTS 2. INFORMATION TECHNOLOGY IN A BUSINESS ENVIRONMENT 15 . INTRODUCTION. INFORMATION TECHNOLOGY IN A BUSINESS ENVIRONMENT.. THE ORGANIZATION AS A SYSTEM...... Business processes...................................................... The value chain...... Value

More information

1. You should attempt all 40 questions. Each question is worth one mark. 3. The pass mark for this exam is 26 out of 40 (65%).

1. You should attempt all 40 questions. Each question is worth one mark. 3. The pass mark for this exam is 26 out of 40 (65%). The ITIL Foundation Examination Sample Paper D Question Booklet Multiple Choice Examination Duration: 60 minutes Instructions 1. You should attempt all 40 questions. Each question is worth one mark. 2.

More information

Digital Talent. Dr. Elisabeth Denison

Digital Talent. Dr. Elisabeth Denison Digital Dr. Elisabeth Denison WomenPower, April 28, 2017 The Leading Professional Services Firm 2 It s a VUCA* World Die größte Gefahr für unser Geschäft ist, dass ein Tüftler irgendetwas erfindet, was

More information

CGEIT QAE ITEM DEVELOPMENT GUIDE

CGEIT QAE ITEM DEVELOPMENT GUIDE CGEIT QAE ITEM DEVELOPMENT GUIDE TABLE OF CONTENTS PURPOSE OF THE CGEIT ITEM DEVELOPMENT GUIDE 3 PURPOSE OF THE CGEIT QAE... 3 CGEIT EXAM STRUCTURE... 3 WRITING QUALITY ITEMS... 3 MULTIPLE-CHOICE ITEMS...

More information

Contents. viii. List of figures. List of tables. OGC s foreword. 6 Organizing for Service Transition 177. Chief Architect s foreword.

Contents. viii. List of figures. List of tables. OGC s foreword. 6 Organizing for Service Transition 177. Chief Architect s foreword. iii Contents List of figures List of tables OGC s foreword Chief Architect s foreword Preface Acknowledgements v vii viii 1 Introduction 1 ix xi xii 1.1 Overview 3 1.2 Context 3 1.3 Goal and scope of Transition

More information

ITIL Foundation Instructor-led Live Online Training Program

ITIL Foundation Instructor-led Live Online Training Program Course Outline Service management as a practice Describe the concept of best practices in the public domain Describe and explain why ITIL is successful Define and explain the concept of a service Define

More information