September 17, 2012 Pittsburgh ISACA Chapter
What is COBIT?
Control Objectives for Information and related Technologies: ISACA's guidance on the enterprise governance and management of IT.
- Builds on more than 15 years of practical usage and application of COBIT by many enterprises and users from the business, IT, risk, security and assurance communities.
- Connects to, and, where relevant, aligns with, other major frameworks and standards in the marketplace, such as:
  - Information Technology Infrastructure Library (ITIL)
  - The Open Group Architecture Forum (TOGAF)
  - Project Management Body of Knowledge (PMBOK)
  - PRojects IN Controlled Environments 2 (PRINCE2)
  - Committee of Sponsoring Organizations of the Treadway Commission (COSO)
  - International Organization for Standardization (ISO) standards
What is COBIT?
COBIT 5 brings together five principles that allow organizations to build an effective governance and management framework based on a holistic set of seven enablers, optimizing information and technology investment and use for the benefit of stakeholders.
What you need to remember
"All models are wrong, some models are useful." (George Box or W. Edwards Deming)
Thus, when adopting COBIT, a certain degree of adaptation also needs to occur in order for it to be of value.
- Incorporate an operating model and a common language for all parts of the enterprise involved in IT activities
- Leverage the Appendices for model navigation
- Adapt to each unique organization
Why Version 5?
- Provide more stakeholders a say
- Address the increasing dependency on external business and IT parties
- Deal with the amount of information, which has increased significantly
- Deal with much more pervasive IT
- Provide further guidance in the area of innovation and emerging technologies
- Less about audit and more about governance
Why Version 5?
All previous content from these three models is integrated and updated into COBIT 5.
COBIT begins with Information Information is a key resource. Information is created, used, modified, retained, disclosed and destroyed. Technology plays a key role in these actions. Technology is pervasive in all aspects of business. What benefits do information and technology bring to organizations?
Enterprise Benefits
Organizations and their leaders strive to:
- Maintain quality information to support business decisions.
- Generate business value from IT-enabled investments, i.e., achieve strategic goals and realize business benefits through effective and innovative use of IT.
- Achieve operational excellence through reliable and efficient application of technology.
- Maintain IT-related risk at an acceptable level.
- Optimize the cost of IT services and technology.
How can these benefits be realized to create enterprise stakeholder value?
Stakeholder Value Delivering organizational stakeholder value requires good governance and management of information and technology (IT) assets. Corporate boards, executives and management have to embrace IT like any other significant part of the business. External legal, regulatory and contractual compliance requirements related to enterprise use of information and technology are increasing, threatening value if breached. COBIT 5 provides a comprehensive framework that assists enterprises to achieve their goals and deliver value through effective governance and management of enterprise IT.
The COBIT 5 Framework COBIT 5 helps organizations create optimal value from IT by maintaining a balance between realizing benefits and optimizing risk levels and resource use. COBIT 5 enables information and related technology to be governed and managed in a holistic manner for the entire organization, taking in the full end-to-end business and functional areas of responsibility, considering the IT-related interests of internal and external stakeholders. The COBIT 5 principles and enablers are generic and useful for organizations of all sizes, whether commercial, not-for-profit or in the public sector.
COBIT Structure
COBIT provides cascading guidance to align the complex relationship between business and IT goals by depicting a cascading relationship between the sets of goals and enablers. COBIT provides the "what" for defining best practices and their subsequent measures.
COBIT 5 Principles Source: COBIT 5, 2012 ISACA
Goals Cascade The COBIT 5 Goals Cascade is the mechanism to translate stakeholder needs into specific, actionable and customized enterprise goals, IT-related goals and enabler goals. Source: COBIT 5. 2012 ISACA
COBIT Stakeholder Drivers & Needs
A governance system should consider all stakeholders when making benefit, risk and resource assessment decisions. For each decision, the following questions can and should be asked:
- For whom are the benefits?
- Who bears the risk?
- What resources are required?
Stakeholder Needs These questions point us towards Enterprise Goal focus Source: COBIT 5. 2012 ISACA
COBIT Enterprise Goals
COBIT provides 17 general enterprise goals. These goals are categorized into four domains:
- Financial
- Customer
- Internal
- Learning and Growth
COBIT Enterprise Goals Source: COBIT 5. 2012 ISACA Primary & Secondary
COBIT 5 Model
P stands for primary: there is an important relationship, and the item is the primary support for the achievement of a COBIT object (e.g., a goal). S stands for secondary: there is still a strong, but less important, relationship.
COBIT Enterprise Goals - Metrics Source: COBIT 5. 2012 ISACA
COBIT IT Goals
COBIT provides 17 generic IT goals. Enterprise Goals translate into these IT Goals, giving traceability from Enterprise Goals to IT Goals. The IT Goals require the successful application and use of a number of enablers.
COBIT IT Goals Source: COBIT 5. 2012 ISACA
COBIT IT Goals - Metrics Source: COBIT 5. 2012 ISACA
Mapping of Goals Understanding the alignment of Enterprise Goals with IT Goals is critical to leveraging COBIT 5. Source: COBIT 5. 2012 ISACA All rights reserved.
COBIT 5 Enablers Source: COBIT 5. 2012 ISACA
COBIT Enablers
Enablers are factors that, individually and collectively, influence whether something will work, in this case governance and management over enterprise IT. Enablers are driven by the goals cascade, i.e., higher-level IT-related goals define what the different enablers should achieve.
COBIT Enablers
1. Principles, policies and frameworks are the vehicle to translate the desired behavior into practical guidance for day-to-day management.
2. Processes describe an organized set of practices and activities to achieve certain objectives and produce a set of outputs in support of achieving overall IT-related goals.
3. Organizational structures are the key decision-making entities in an enterprise.
4. Culture, ethics and behavior of individuals and of the enterprise are very often underestimated as a success factor in governance and management activities.
5. Information is pervasive throughout any organization and includes all information produced and used by the enterprise. Information is required for keeping the organization running and well governed, but at the operational level, information is very often the key product of the enterprise itself.
6. Services, infrastructure and applications include the infrastructure, technology and applications that provide the enterprise with information technology processing and services.
7. People, skills and competencies are linked to people and are required for successful completion of all activities and for making correct decisions and taking corrective actions.
COBIT Enablers
Some of the enablers defined previously are also enterprise resources that need to be managed and governed as well. This applies to:
- Information, which needs to be managed as a resource. Some information, such as management reports and business intelligence information, is an important enabler for the governance and management of the enterprise.
- Services, infrastructure and applications
- People, skills and competencies
COBIT Enablers Interconnected
Each enabler needs the input of other enablers to be fully effective. For example:
- processes need information
- organizational structures need skills and behavior
Each enabler also delivers output to the benefit of other enablers. For example:
- processes deliver information
- skills and behavior make processes efficient
This means that to deal with any stakeholder need, all interrelated enablers have to be analyzed for relevance and addressed if required.
COBIT 5 Enablers Source: COBIT 5. 2012 ISACA
COBIT Enablers
All enablers have a set of common dimensions. This set of common dimensions:
- Provides a common, simple and structured way to deal with enablers
- Allows an entity to manage its complex interactions
- Facilitates successful outcomes of the enablers
COBIT Enabler Dimensions Source: COBIT 5. 2012 ISACA
COBIT Information Criteria
The COBIT 5 information model allows definition of an additional set of criteria, hence adding value to the COBIT 4.1 criteria.
COBIT: Enabling Processes
COBIT: Enabling Processes
A process is defined as a collection of practices influenced by the enterprise's policies and procedures that takes inputs from a number of sources (including other processes), manipulates the inputs and produces outputs (e.g., products, services).
COBIT: Enabling Processes
The process model shows:
- Stakeholders: processes have internal and external stakeholders, with their own roles; stakeholders and their responsibility levels are documented in RACI charts. External stakeholders include customers, business partners, shareholders and regulators. Internal stakeholders include the board, management, staff and volunteers.
- Goals: process goals are defined as a statement describing the desired outcome of a process. An outcome can be an artifact, a significant change of a state or a significant capability improvement of other processes. They are part of the goals cascade, i.e., process goals support IT-related goals, which in turn support enterprise goals.
Process Goals
Process goals can be categorized as:
- Intrinsic goals: Does the process have intrinsic quality? Is it accurate and in line with good practice? Is it compliant with internal and external rules?
- Contextual goals: Is the process customized and adapted to the enterprise's specific situation? Is the process relevant, understandable, easy to apply?
- Accessibility and security goals: The process remains confidential, when required, and is known and accessible to those who need it.
Process Goal Metrics
At each level of the goals cascade, metrics are defined to measure the extent to which goals are achieved. A metric can be defined as a quantifiable entity that allows the measurement of the achievement of a process goal. Metrics should be SMART: specific, measurable, actionable, relevant and timely. To manage the enabler effectively and efficiently, metrics need to be defined to measure the extent to which the expected outcomes are achieved.
Process Life Cycle
Each process has a life cycle. It is defined, created, operated, monitored, and adjusted/updated or retired. Generic process practices, such as those defined in the COBIT process assessment model based on ISO/IEC 15504, can assist with defining, running, monitoring and optimizing processes.
Good Practices
COBIT 5: Enabling Processes contains a process reference model in which process-internal good practices are described in growing levels of detail: practices, activities and detailed activities.
COBIT Enabling Processes
COBIT provides 37 IT processes segmented into 5 domains:
- Evaluate, Direct and Monitor (EDM)
- Align, Plan and Organize (APO)
- Build, Acquire and Implement (BAI)
- Deliver, Service and Support (DSS)
- Monitor, Evaluate and Assess (MEA)
COBIT Enabling Processes Although, as described previously, most of the processes require planning, implementation, execution and monitoring activities within the process or within the specific issue being addressed (e.g., quality, security), they are placed in domains in line with what is generally the most relevant area of activity when regarding IT at the enterprise level. In COBIT 5, the processes also cover the full scope of business and IT activities related to the governance and management of enterprise IT, thus making the process model truly enterprise-wide.
Governance and Management
Governance ensures that organizational objectives are achieved by evaluating stakeholder needs, conditions and options; setting direction through prioritization and decision making; and monitoring performance, compliance and progress against agreed-upon direction and objectives.
Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the organizational objectives.
Source: COBIT 5. 2012 ISACA
Evaluate, Direct and Monitor (EDM)
Governance ensures that enterprise objectives are achieved by evaluating stakeholder needs, conditions and options; setting direction through prioritization and decision making; and monitoring performance, compliance and progress against agreed-on direction and objectives. These three activities give the domain its name: Evaluate, Direct and Monitor.
Evaluate, Direct and Monitor (EDM)
EDM01 Ensure Governance Framework Setting and Maintenance
EDM02 Ensure Benefits Delivery
EDM03 Ensure Risk Optimization
EDM04 Ensure Resource Optimization
EDM05 Ensure Stakeholder Transparency
Align, Plan and Organize (APO)
The Align, Plan and Organize domain covers the use of information and technology and how best it can be used in a company to help achieve the company's goals and objectives. It also highlights the organizational and infrastructural form IT is to take in order to achieve the optimal results and to generate the most benefits from the use of IT.
Align, Plan and Organize (APO)
APO01 Manage the IT Management Framework
APO02 Manage Strategy
APO03 Manage Enterprise Architecture
APO04 Manage Innovation
APO05 Manage Portfolio
APO06 Manage Budget and Costs
APO07 Manage Human Relations
APO08 Manage Relationships
APO09 Manage Service Agreements
APO10 Manage Suppliers
APO11 Manage Quality
APO12 Manage Risk
APO13 Manage Security
Build, Acquire and Implement (BAI)
The Build, Acquire and Implement domain covers identifying IT requirements, acquiring the technology, and implementing it within the company's current business processes.
Build, Acquire and Implement (BAI)
BAI01 Manage Programs and Projects
BAI02 Manage Requirements Definition
BAI03 Manage Solutions Identification and Build
BAI04 Manage Availability and Capacity
BAI05 Manage Organizational Change Enablement
BAI06 Manage Changes
BAI07 Manage Change Acceptance and Transitioning
BAI08 Manage Knowledge
BAI09 Manage Assets
BAI10 Manage Configuration
Deliver, Service and Support (DSS)
The Deliver, Service and Support domain focuses on the delivery aspects of information technology. It covers areas such as the execution of the applications within the IT system and its results, as well as the support processes that enable the effective and efficient execution of these IT systems.
Deliver, Service and Support (DSS)
DSS01 Manage Operations
DSS02 Manage Service Requests and Incidents
DSS03 Manage Problems
DSS04 Manage Continuity
DSS05 Manage Security Services
DSS06 Manage Business Process Controls
Monitor, Evaluate and Assess (MEA)
The Monitor, Evaluate and Assess domain deals with a company's strategy for assessing the needs of the company and whether or not the current IT system still meets the objectives for which it was designed and the controls necessary to comply with regulatory requirements. Monitoring also covers the independent assessment, by internal and external auditors, of the effectiveness of the IT system in its ability to meet business objectives and of the company's control processes.
Monitor, Evaluate and Assess (MEA)
MEA01 Monitor, Evaluate and Assess Performance and Conformance
MEA02 Monitor, Evaluate and Assess the System of Internal Control
MEA03 Evaluate and Assess Compliance with External Requirements
Governance & Management Source: COBIT 5. 2012 ISACA
IT Process to IT Goal Mapping Source: COBIT 5. 2012 ISACA
COBIT Enabling Process Example
Walkthrough: APO02 Manage Strategy
- Process label: domain prefix and number
- Process name
- Area of the process: governance or management
APO 02 Manage Strategy
- Description: what it does and accomplishes
- Purpose statement: overall purpose description
Source: COBIT 5. 2012 ISACA
APO 02 Manage Strategy
- Goals cascade: related IT Goals
- Generic metrics: measure achievement of IT Goals
Source: COBIT 5. 2012 ISACA
APO 02 Manage Strategy
- Process goals
- Process metrics
Source: COBIT 5. 2012 ISACA
APO 02 Manage Strategy Source: COBIT 5. 2012 ISACA
APO 02 Manage Strategy RACI Chart
- Responsible: Who is getting the task done?
- Accountable: Who accounts for the success of the task?
- Consulted: Who is providing input?
- Informed: Who is receiving information?
APO 02 Manage Strategy
- Detailed description
- Activities
Source: COBIT 5. 2012 ISACA
APO 02 Manage Strategy Source: COBIT 5. 2012 ISACA
APO 02 Manage Strategy Related guidance from external sources Source: COBIT 5. 2012 ISACA
Generic Guidance for Processes Source: COBIT 5. 2012 ISACA
New & Modified Processes
5 new Governance Processes:
EDM01 Ensure Governance Framework Setting and Maintenance
EDM02 Ensure Benefits Delivery
EDM03 Ensure Risk Optimization
EDM04 Ensure Resource Optimization
EDM05 Ensure Stakeholder Transparency
New & Modified Processes
Summary of changes between COBIT 4.1 and COBIT 5. Processes in COBIT 4.1 that are merged in COBIT 5:
- DS7 is merged with PO7 (Education and Human Resources)
- PO6 is merged with PO1 (Management Communications and Management)
- PO2 is merged with PO3 (Information and Technical Architectures)
- AI2 is merged with AI3 (Application Software and Infrastructure Components)
- DS12 is merged with DS5 (Physical Environment and Information Security)
New & Modified Processes
Entirely new processes in COBIT 5:
- EDM1 Set and Maintain Governance Framework
- APO1 Define the Management Framework
- APO4 Manage Innovation (partly PO3)
- APO8 Manage Relationships
- BAI8 Knowledge Management
- DSS2 Manage Assets (partly DS9)
- DSS8 Manage Business Process Controls
New & Modified Processes
Processes in COBIT 4.1 that are reassigned in COBIT 5:
- ME4 to EDM1, 2, 3, 4, 5 (Governance)
Processes in COBIT 4.1 that are relocated in COBIT 5:
- PO1 to APO2 (Strategic Planning)
- PO4 to APO1 (Organization, Relationships and Processes)
Putting this all together
Enterprise Goals -> IT Goals -> Enabler Goals -> Processes -> Activities
COBIT Capability
COBIT Process Capability Model Source: COBIT 5. 2012 ISACA
COBIT Process Capability Model Source: COBIT 5. 2012 ISACA
COBIT Process Capability Model
There are six levels of capability that a process can achieve, including an incomplete process designation if the practices in it do not achieve the intended purpose of the process:
0 Incomplete process: The process is not implemented or fails to achieve its process purpose. At this level, there is little or no evidence of any systematic achievement of the process purpose.
1 Performed process (one attribute): The implemented process achieves its process purpose.
2 Managed process (two attributes): The previously described performed process is now implemented in a managed fashion (planned, monitored and adjusted) and its work products are appropriately established, controlled and maintained.
3 Established process (two attributes): The previously described managed process is now implemented using a defined process that is capable of achieving its process outcomes.
4 Predictable process (two attributes): The previously described established process now operates within defined limits to achieve its process outcomes.
5 Optimizing process (two attributes): The previously described predictable process is continuously improved to meet relevant current and projected business goals.
COBIT Process Capability Model
Assessing whether the process achieves its goals or, in other words, achieves capability level 1 can be done by:
1. Reviewing the process outcomes as they are described for each process in the detailed process descriptions, and using the ISO/IEC 15504 rating scale to assign a rating to what degree each objective is achieved. This scale consists of the following ratings:
   N (Not achieved): There is little or no evidence of achievement of the defined attribute in the assessed process. (0 to 15 percent achievement)
   P (Partially achieved): There is some evidence of an approach to, and some achievement of, the defined attribute in the assessed process. Some aspects of achievement of the attribute may be unpredictable. (15 to 50 percent achievement)
   L (Largely achieved): There is evidence of a systematic approach to, and significant achievement of, the defined attribute in the assessed process. Some weakness related to this attribute may exist in the assessed process. (50 to 85 percent achievement)
   F (Fully achieved): There is evidence of a complete and systematic approach to, and full achievement of, the defined attribute in the assessed process. No significant weaknesses related to this attribute exist in the assessed process. (85 to 100 percent achievement)
2. In addition, the process (governance or management) practices can be assessed using the same rating scale, expressing the extent to which the base practices are applied.
3. To further refine the assessment, the work products also may be taken into consideration to determine the extent to which a specific assessment attribute has been achieved.
Auditor Tips
- Evidence of activities (as well as inputs/outputs) is critical in assessing the existence of controls.
- Information and metrics/measurements are key to any critical IT process.
Remaining Thoughts
- COBIT has evolved to provide the overarching framework for organizations to achieve IT governance while leveraging other industry best practices, frameworks and models to provide prescriptive actions.
- COBIT promotes tight alignment between IT processes and enterprise goals.
- COBIT is a useful tool beyond just the standard audit guidance.
Questions? Thank you