ISACA All Rights Reserved.

Transcription

1

2 Tichaona Zororo CIA, CISA, CISM, CRISC, CRMA, CGEIT, COBIT 5 Certified Assessor B.Sc. Honours Information Systems, PGD Computer Auditing Accredited COBIT 5 Trainer ISACA 2016.

3

4

5

6

7

8

9

10

11 Business Value

12

13

14

15

16 Value Creation Governance Objectives Benefits Realisation EDM02 Risk Optimization EDM03 Resource Optimization EDM04 ISACA 2016.

17

18 1 Meeting Stakeholder Needs COBIT 5 2 Covering the Enterprise End-to-End Principles ISACA Enabling a Hollistic Approach 3 Applying a single integrated Framework

19

20 Meeting Stakeholder Needs: Enterprises exist to create value for their stakeholders by maintaining a balance between the realisation of benefits and the optimisation of risk and use of resources. COBIT 5 provides all of the required processes and other enablers to support business value creation through the use of IT. An enterprise can customise COBIT 5 to suit its own context through the goals cascade, translating high-level enterprise goals into manageable, specific, IT-related goals and mapping these to specific processes and practices. ISACA 2016.

21

22 Covering the Enterprise End to end: COBIT 5 integrates governance of enterprise IT into enterprise governance: It covers all functions and processes within the enterprise; COBIT 5 does not focus only on the IT function, but treats information and related technologies as assets that need to be dealt with just like any other asset by everyone in the enterprise. It considers all IT-related governance and management enablers to be enterprise-wide and end-to-end, i.e., inclusive of everything and everyone internal and external that is relevant to governance and management of enterprise information and related IT. ISACA 2016.

23

24 Applying a Single Integrated Framework : There are many IT-related standards and best practices, each providing guidance on a subset of IT activities. COBIT 5 aligns with other relevant standards and frameworks at a high level, and thus can serve as the overarching framework for governance and management of enterprise IT. ISACA 2016.

25

26 Enabling a Holistic Approach: Efficient and effective governance and management of enterprise IT require a holistic approach, taking into account several interacting components. COBIT 5 defines a set of enablers to support the implementation of a comprehensive governance and management system for enterprise IT. Enablers are broadly defined as anything that can help to achieve the objectives of the enterprise. ISACA 2016.

27

28 Resources ISACA 2016.

29 Metrics for Achievement of Goal (Lag Indicators) The 7 Enabler Dimensions Enabler Dimensions Enabler Performance Management Metrics for Application of Practice (Lead Indicators) ISACA 2016.

30 People, Skills & Competencies Principles, Processes Framework Processes Metrics for Achievement of Goals (Lag Indicators) SIA Information Culture Ethics & Behaviour Organisational Structures Metrics for Application of Practice (Lead Indicators) ISACA 2016.

31

32 Separating Governance from Management: The COBIT 5 framework makes a clear distinction between governance and management. These two disciplines encompass different types of activities, require different organisational structures and serve different purposes. ISACA 2016.

33

34 Processes for Governance of Enterprise IT Evaluate, Direct and Monitor EDM01 Ensure Governance Framework Setting & Maintenance EDM02 Ensure Benefits Delivery EDM03 Ensure Risk Optimization EDM04 Ensure Resource Optimization EDM05 Stakeholder Transparency Processes for Management of Enterprise IT Align, Plan and Organise APO01 Manage the IT Management Framework APO02 Manage Strategy APO03 Manage Enterprise Architecture APO04 Manage Innovation APO05 Manage Portfolio APO06 Manage Budget and Costs APO07 Manage Human Resources Build, Acquire and Implement BAI01 Manage Programmes and Projects BAI02 Manage Requirements Definition BAI03 Manage Solutions Identification and Build BAI04 Manage Availability and Capacity BAI05 Manage Organisational Change Enablement BAI06 Manage Changes Deliver, Service and Support DSS01 Manage Operations DSS02 Manage Service Requests and Incidents DSS03 Manage Problems Controls APO08 Manage Relationships APO09 Manage Service Agreements APO10 Manage Suppliers APO11 Manage Quality APO12 Manage Risk APO13 Manage Security BAI07 Manage Change Acceptance and Transitioning BAI08 Manage Knowledge BAI09 Manage Assets BAI010 Manage Configuration DSS04 Manage Continuity DSS05 Manage Security Services DSS06 Manage Business Process Monitor Evaluate & Assess MEA01 Monitor, Evaluate and Assess Performance and Conformance MEA02 Monitor, Evaluate and Assess the System of Internal Control MEA03 Monitor, Evaluate and Assess Compliance With External Requirements ISACA 2016.

35

36 Grab the Low Hanging Fruit Focusing on quick wins and the prioritisation of the most beneficial improvements that are easiest to implement to demonstrate benefit and build confidence for further improvements Unlocking Your World to a Sea Opportunities ISACA 2016.

37 The 7 phases of the implementation life cycle Creating the Appropriate Environment Programme management Change enablement Continual Improvement Life Cycle What are the drivers? Initiate programme Establish desire to change Recognise need to act Where are we now? Define problems and opportunities Form implementation team Assess current state Where do we want to be? Define road map Communicate outcome Define target state What needs to be done? Plan programme Identify role players Build improvements How do we get there? Execute Operate and use Implement improvements Did we get there? Realise benefits Embedded new approaches Operate & Measure How do we keep the momentum going? Review effectiveness Sustain Monitor & Evaluate ISACA 2016.

38 GEIT Ideation Phase? Unlocking Your World to a Sea Opportunities ISACA 2016.

39 Phase 1 What Are The Drivers? Unlocking Your World to a Sea Opportunities ISACA 2016.

40 Phase 1 The Business Case for GEIT Unlocking Your World to a Sea Opportunities ISACA 2016.

41 Phase 1 Pain Points Unlocking Your World to a Sea Opportunities ISACA 2016.

42

43 Phase 1 Trigger Events Unlocking Your World to a Sea Opportunities ISACA 2016.

44

45 The 7 phases of the implementation life cycle Programme management Change enablement Continual Improvement Life Cycle Initiate the Programme What are the drivers? Initiate programme Establish desire to change Recognise need to act ISACA 2016.

46 Phase 1

47

48 Process Assessment Phases? Unlocking Your World to a Sea Opportunities ISACA 2016.

49 Phase 2 Where Are We Now? Unlocking Your World to a Sea Opportunities ISACA 2016.

50 The 7 phases of the implementation life cycle Programme management Change enablement Continual Improvement Life Cycle Define problems & opportunities Where are we now? Define problems and opportunities Form implementation team Assess current state Understand the pain points that have been identified as governance problems Take advantage of trigger events that provide opportunity for improvement Knowledge of the business environment Insight into influencing factors Identify the IT goals in respect to enterprise goals Identify the most important processes Understand management risk appetite Understand the maturity of existing governance Related processes ISACA 2016.

51 Phase 2

52

53 Phase 3 Where Do We Want to Be? Unlocking Your World to a Sea Opportunities ISACA 2016.

54 The 7 phases of the implementation life cycle Programme management Change enablement Continual Improvement Life Cycle Define road map Where do we want to be? Define road map Communicate outcome Define target state Describe the high level change enablement plan and objectives Develop a communication strategy Communicate the vision Articulate the rationale and benefits of the change Set the tone at the top Define the target for improvement Analyze the gaps Identify potential improvements ISACA 2016.

55 Phase 3

56

57 GEIT Solution Design Phase? Unlocking Your World to a Sea Opportunities ISACA 2016.

58 Phase 4 What Needs to Be Done? Unlocking Your World to a Sea Opportunities ISACA 2016.

59 The 7 phases of the implementation life cycle Programme management Change enablement Continual Improvement Life Cycle Plan the Programme What needs to be done? Plan programme Identify role players Build improvements Prioritize potential initiatives Develop formal and justifiable projects Use plans that include contribution and program objectives Empower role players and identify quick wins [Low Hanging Fruit visible issues that can be addressed relatively quickly and help establish the credibility of the overall initiative by demonstrating benefits ] High benefit, easy implementations should come first Obtain buy-in by key stakeholders affected by the change Identify strengths in existing processes and leverage accordingly Plot improvements onto a grid to assist with prioritization Consider approach, deliverables, resources needed, costs, estimated time scales, project dependencies and risks ISACA 2016.

60 Phase 4

61

62 GEIT Solution Implementation Phase? Unlocking Your World to a Sea Opportunities ISACA 2016.

63 Phase 5 How Do We Get There? Unlocking Your World to a Sea Opportunities ISACA 2016.

64 The 7 phases of the implementation life cycle Programme management Change enablement Continual Improvement Life Cycle Execute the Programme How do we get there? Execute Operate and use Implement improvements Execute projects according to an integrated program plan Provide regular update reports to stakeholders Document and monitor the contribution of projects while managing risks identified Build on the momentum and credibility of quick wins Plan cultural and behavioral aspects of the broader transition Define measures of success Adopt and adapt best practices to suit the enterprise s approach to policies and process changes ISACA 2016.

65 Phase 5

66

67 Post Implementation Phases? Unlocking Your World to a Sea Opportunities ISACA 2016.

68 Phase 6 Did We Get There? Unlocking Your World to a Sea Opportunities ISACA 2016.

69 The 7 phases of GEIT implementation life cycle Programme management Change enablement Continual Improvement Life Cycle Realise Benefits Did we get there? Realise benefits Embedded new approaches Operate & Measure Monitor the overall performance of the program against business case objectives Monitor and measure the investment performance Provide transition from project mode to business as usual mode Monitor whether new roles and responsibilities have been taken on Track and assess objectives of the change response plans Maintain communication and ensure communication between appropriate stakeholders continues Set targets for each metric Measure metrics against targets Communicate results and adjust targets as necessary ISACA 2016.

70 Phase 6

71

72 Phase 7 How Do We Keep the Momentum Going? Unlocking Your World to a Sea Opportunities ISACA 2016.

73 The 7 phases of the implementation life cycle Programme management Change enablement Continual Improvement Life Cycle Review Effectiveness How do we keep the momentum going? Review effectiveness Sustain Monitor & Evaluate keeping the momentum is critical to sustainment of the lifecycle. Review program effectiveness through a program review gate Review the program benefits Conscious reinforcement (reward achievers) Ongoing communication campaign (feedback on performance) Continuous top management commitment Identify new governance objectives based on program experience Communicate lessons learned and further improvement requirements for the next iteration of the cycle ISACA 2016.

74 Phase 7

75

76

77

78 Is a standard based approach to process assessment that produces results that support process improvement criteria and planning. Improved reliability and repeatability reducing debates and disagreements between stakeholders on assessment results. Provides enterprises with a repeatable, reliable and robust methodology for assessing the capability of IT processes. ISO compliance. Provides a means to measure the performance of any of the 5 Governance (EDM-based) or 32 Management (PBRMbased) processes thereby allowing areas for improvement to be identified. Simplified content through elimination of duplication.

79

80 ISO Process Attribute Rating Scale ISO Concepts and Vocabulary Process Assessment Terminology ISO Measurement Framework ISO Guidance on Performing an Assessment Process Assessment Process Process Capability Levels & Attributes ISO Assessment Process Assessment Indicators Process Capability Level Ratings ISO An Exemplar Process Assessment Model Generic Work Products & Generic Practices ISACA 2016.

81 37 Processes Process Description Process Purpose Statement IT Related Goals & Metrics Enabling Processes 2 Areas 5 Domains Process Related Goals & Metrics 210 Practices Practice Description 30 Outputs 1111 Activities ISACA 2016.

82

83

84

85 Provide Gap Analysis and improvement planning information to support definition of justifiable improvement projects Assessing Capability of IT Processes Report internally to an enterprise s executive management or board of directors on the capability of IT processes and establish a target for improvement based on business requirements ISACA Provide the governance body and management with process assessment ratings to measure and monitor current IT processes capabilities Enable those in governance & management to benchmark process capabilities & support investment decision making with regard to process improvement

86 Process Assessment Can invlove Process Improvement Leads to Process Capability Determination ISACA 2016.

87

88 GEIT Implementation Phase Creating the Appropriate Environment Programme management Change enablement Continual Improvement Life Cycle Phase 2 Where are we now? Define problems and opportunities Form implementati on team Assess current state Phase 3 Where do we want to be? Define road map Communicat e outcome Define target state ISACA 2016.

89

90 Assessor Guide: Using COBIT 5 Provides details on how to undertake a full ISO compliant assessment (Guidance on how to perform an assessment) Principles, Policies & Frameworks Process Assessment Model: Using COBIT 5 Principles, Policies & Frameworks Forms the basis for the assessment of an enterprise's IT processes Self Assessment Guide: Using COBIT 5 Provides guidance on how to perform a basic/less rigorous selfassessment of an organisation s current IT process capability levels against COBIT processes Assessment Programme Tool Kit: Using COBIT 5 Support assessment activities, including scoping templates and mapping to business and IT goals Principles, Policies & Frameworks ISACA 2016.

91

92 COBIT 4.1 Process Maturity Level ISO/IEC Process Capability Level Attribute 5 Optimised 4 Managed and measurable 3 Defined 2 Repeatable but intuitive 1 Initial/ad hoc 0 Non-existent 5 Optimizing 4 Predictable 3 Established 2 Managed 1 Performed 0 Incomplete PA 5.1 Process innovation PA 5.2 Process optimization PA 4.1 Process measurement PA 4.2 Process control PA 3.1 Process definition PA 3.2 Process deployment PA 2.1 Performance management PA 2.2 Work product management PA 1.1 Process performance ISACA 2016.

93

94 Class 1: Used for Comparison with other enterprises Assessor Independent of the unit being Assessed A minimum of 4 process instances for each process assessed Class 2: Used to provide a basis for an initial assessment at the commencement of a process improvement programme To enable assessment conclusion to be drawn about the opportunities for improvement Can be performed internally or by an independent assessor A minimum of 2 process instances for each process assessed Class 3: Used for testing and understanding the IT process and potential benefits from improvement. Suitable for monitoring the ongoing progress of an improvement programme or to identify key issues for a later class 1 or 2 Can be performed internally or by an independent assessor No minimum number of process instances required for each process assessed ISACA 2016.

95

96 Optimizing The process is continuously improved to meet relevant current and projected business goals Level 5 Optimizing process PA.5.1 Process Innovation attribute PA.5.2 Process Optimization attribute Predictable The process is enacted consistently within defined limits Level 4 Predictable Process PA.4.1 Process Measurement attribute PA.4.2 Process Control attribute Established A defined process is used based on a standard process. Level 3 Established Process PA.3.1 Process Definition attribute PA.3.2 Process Deployment attribute 9 Process Attributes 6 Process Capability Levels Level 2 Managed Process PA.2.1 Performance Management attribute PA.2.2 Work Product Management attribute Managed The process is managed and work products are established, controlled and maintained. Level 1 Performed process PA.1.1 Process Performance attribute Performed The process is implemented and achieves its process purpose Level 0 Incomplete process Incomplete The process is not implemented or fails to achieve its purpose. No process Attribute ISACA 2016.

97

98 N Not achieved > 0 to 15 % achievement There is little or no evidence of achievement of the defined attribute in the assessed process 4 Rating Scales NP Partially achieved > 15 % to 50 % achievement 00% 15% Not Achieved N There is some evidence of an approach to, and some achievement of, the defined attribute in the assessed process. Some aspects of achievement of the attribute may be unpredictable L Largely achieved > 50 % to 85% achievement 16% - 50% Partially Achieved NP 51% - 85% Largely Achieved L 86% - 100% Fully Achieved F There is evidence of a systematic approach to, and significant achievement of, the defined attribute in the assessed process. Some weakness related to this attribute may exist in the assessed process F Fully achieved > 85 % to 100 % achievement There is evidence of a complete and systematic approach to, and full achievement of, the defined attribute in the assessed process. No significant weaknesses related to this attribute exist in the assessed process ISACA 2016.

99

100 Level 5 - Optimised PA.5.1 PA.5.2 Process Innovation Process Optimization L / F Level 4 - Predictable PA.4.1 PA.4.2 Process Measurement Process Control L / F F Level 3 - Established PA.3.1 PA.3.2 Process Definition Process Deployment L / F F F Level 2 - Managed PA.2.1 Performance Management PA.2.2 Work Product Management L / F F F F Level 1 - Performed PA.1.1 Process Performance L / F F F F F Level 0 - Incomplete Incomplete process ISACA 2016.

101

102

103

104 / Capability Dimension Level 5 Level 4 Level 3 Level 2 Level 1 Level 0 PA5.2 Continuous optimisation PA5.1 Process innovation PA4.2 Process control PA4.1 Process measurement PA3.2 Process deployment PA3.1 Process definition PA2.2 Performance management PA2.1 Work product management PA1.1 Process performance Based on (Level 1 to 5) Process Attribute Indicators (PAI): GP : Generic Practice GWP : Generic Work Product Additional performance indicators Level 1 based on : BP : Base practices WP : Work products EDM 5 Processes APO 13 Processes BAI 10 Processes DSS 6 Processes MEA 3 Processes ISACA 2016.

105

106 ISO Generic Practices Measurement Framework Capability Levels Process Attributes Rating Scale 9 Generic Work Products ISACA 2016.

107

108 40 Generic Practices Level 5 Optimizing process PA.5.1 Process Innovation attribute PA.5.2 Process Optimization attribute 8 Generic Practices Level 4 Predictable Process PA.4.1 Process Measurement attribute PA.4.2 Process Control attribute 11 Generic Practices Level 3 Established Process PA.3.1 Process Definition attribute PA.3.2 Process Deployment attribute 11 Generic Practices Level 2 Managed Process PA.2.1 Performance Management attribute PA.2.2 Work Product Management attribute 10 Generic Practices Level 1 Performed process PA.1.1 Process Performance attribute 210 Base Practices Level 0 Incomplete process ISACA 2016.

109 PA 1.1 Process Performance BP Achieve the process outcomes PA 2.1 Performance Management GP GP GP GP GP GP Identify the objectives Plan & monitor the performance Adjust the performance Define responsibilities and authorities Identify and make available Manage the interfaces PA 2.2 Work Product Management GP GP GP GP Define the requirements for the work products Define the requirements for documentation and control Identify document and control Review and adjust work products ISACA 2016.

110 PA 3.1 Process Definition GP GP GP GP GP Define the standard Determine the sequence and interaction between processes Identify the roles and competencies Identify the required infrastructure and work environment Determine suitable methods PA 3.2 Process Deployment GP GP GP GP GP GP Deploy a defined process Assign and communicate roles and responsibilities and authorities Ensure necessary competencies Provide resources and information Provide adequate processes infrastructure Collect and analyse data ISACA 2016.

111 PA 4.1 Process Measurement GP GP GP GP GP GP PA 4.2 Process Control GP GP GP GP GP Identify process information needs Define process measurement objectives Establish quantitative objectives Identify product and process Collect product and process measurement results Use results of the defined measurement Determine analysis Define parameters Analyse process and product measurement results Identify and implement corrective actions Re-establish control ISACA 2016.

112 PA 5.1 Process Innovation GP GP GP GP Define the process improvement objective for the process Analyse measurement data of the process Identify improvement opportunities of the process Derive improvement opportunities of the process from new technologies and process concepts GP Define an implementation strategy PA 5.2 Process Optimisation GP GP GP Assess the impact of each proposed change Manage the implementation of agreed changes Based on actual performance, evaluate the effectiveness of process change ISACA 2016.

113

114 GWP ID GWP 1.0 Process Documentation 2.0 Process Plan 3.0 Quality Plan 4.0 Quality Records 5.0 Policies and Standards 6.0 Performance Improvement Plan 7.0 Process Measurement Plan 8.0 Process Control Plan 9.0 Process Performance Records ISACA 2016.

115

116

117 Processes for Governance of Enterprise IT Evaluate, Direct and Monitor EDM01 Ensure Governance Framework Setting & Maintenance EDM03 Ensure Risk Optimization EDM05 Stakeholder Transparency EDM02 Ensure Benefits Delivery EDM04 Ensure Resource Optimization Processes for Management of Enterprise IT Align, Plan and Organise APO01 Manage the IT Management Framework APO02 Manage Strategy APO03 Manage Enterprise Architecture APO04 Manage Innovation APO05 Manage Portfolio APO06 Manage Budget and Costs APO07 Manage Human Resources Build, Acquire and Implement BAI01 Manage Programmes and Projects BAI02 Manage Requirements Definition BAI03 Manage Solutions Identification and Build BAI04 Manage Availability and Capacity BAI05 Manage Organisational Change Enablement BAI06 Manage Changes Deliver, Service and Support DSS01 Manage Operations DSS02 Manage Service Requests and Incidents DSS03 Manage Problems APO08 Manage Relationships APO09 Manage Service Agreements APO10 Manage Suppliers APO11 Manage Quality APO12 Manage Risk APO13 Manage Security BAI07 Manage Change Acceptance and Transitioning BAI08 Manage Knowledge BAI09 Manage Assets BAI010 Manage Configuration DSS04 Manage Continuity DSS05 Manage Security Services DSS06 Manage Business Process Controls Monitor Evaluate & Assess MEA01 Monitor, Evaluate and Assess Performance and Conformance MEA02 Monitor, Evaluate and Assess the System of Internal Control MEA03 Monitor, Evaluate and Assess Compliance With External Requirements ISACA 2016.

118 EDM 5 - Process APO -13 Processes BAI - 10 Processes DSS - 6 Processes MEA - 3 Processes ISACA 2016.

119 COBIT 5 Enablers Enabling Processes 230 pages 210 Practices 30 Outputs 210 Base Practices 434 Base Work Products EDM 15 Practices APO 72 Practices BAI 68 Practices DSS 38 Practices MEA 17 Practices ISACA 2016.

120

121 +27 (0) tichaona.zororo Tichaona Zororo tichaonazororo Tichaona Tichaona Zororo +27 (0) EGIT Enterprise Governance of IT (Pty) Ltd

122