C T & IT Governance OBI

COBIT & IT Governance
Control Objectives for Information and
Related Technology
Includes material subject to: Copyright
© 2004 and 2005 IT Governance
Institute. This presentation is intended
solely for academic use.
Agenda
COBIT: Control Objectives for
Information and Related Technology
• The quest for effective systems and the rise
of internal control regulation emphasize the
need for IT governance
• Exercise: How can you do on your own?
• COBIT:
– Where does it come from?
– How does it view IT organizations?
– What does it include?
• Try again: Does COBIT help?
• Other IT management frameworks
• Key takeaways
COBIT – Controlling and Auditing IS
2
Why?
Reason 1: The Quest for Effective
Systems
• Systematically controlled IT functions
“We’ll delete that old
user ID later”
aim to assure that IS:
“We’ll write the
– Provides
documentation
later”
“Pick the best solution
value,
for our department”
– Pushes the envelope, and
“It will be plenty fast”
“We won’t get
– Mitigates risk
hacked, we’re
too small to be
on a hacker’s
radar”
Business
Management
As Usual Scale
Inattention
and cost
SOX Compliance
“There’s no real need
Threat vulnerability
for a log file”
Increased IT dependence
IT’s role in organizational change
COBIT – Controlling and Auditing IS
3
History
Reason 2: The Rise of Internal
Control Regulation
• Bank scandals in the 80’s brought us the
1992 Committee of Sponsoring
Organizations of the Treadway Commission
(COSO) Integrated Internal Control
Framework for certifying financial data
systems.
• WorldCom, Enron, etc.. brought us the
Sarbanes-Oxley Act of 2002 (SOX).
– Management is responsible for internal control
and financial reporting procedures
– Annual reports must asses internal controls
– Officers submitting inaccurate certifications are
subject to a fine up to $1m + 10 yrs, If
purposeful, up to $5m + 20 years.
COBIT – Controlling and Auditing IS
4
History
SOX and IS
• From an IS function perspective, this
means, that for financial reporting systems
at least, SEC companies need:
– An evaluation framework for IS operations
– Useful IS metrics
– A systematic way to apply the framework
• This perspective applies to non SEC
organizations as well:
– Lenders may require IS audits
– Financial services companies have their own
somewhat similar regulations
COBIT – Controlling and Auditing IS
5
IT
Governance
Meeting the Challenge:
IT Governance Defined
• IT Governance: the leadership
and organizational structures
and processes that ensure that
the organization’s IT sustains
and extends the organization’s
strategies and objectives *.
Improve Performance;
Reduce Risk
Performance vs. Goals and Best
Practices
Reliability of Financial
Data
Regulatory Compliance
* (IT Governance Institute 2003, Board Briefing on IT Governance, 2nd Ed, page 18 )
COBIT – Controlling and Auditing IS
6
The IT Governance Framework:
An
Governance
Model
BeIT
a Part
of the Process
Provide
Direction
Set Objectives
• IT is aligned with the
business
• IT enables the
business and
maximises benefits
• IT resources are used
responsibly
Be
• IT-related risks are
Good! appropriately
managed
Compare
IT Activities
• Increase automation
(make the business
effective)
• Decrease cost (make the
enterprise efficient)
• Manage risks (security,
reliability and
compliance)
Measure
Performance
www.itgovernance.org - Board Briefing
on IT Governance Hunton et al. Pg. 3
COBIT – Controlling and Auditing IS
7
Lets Try it Without A Framework
• You are the CEO of NASDAQ. You discover
that the embarrassing error reported in the
article happened when a new version of a
software application was put into production.
You know you need a better process.
– Who should be involved in making sure this kind
of thing doesn’t happen again?
– What controls should be put into place?
– How will you tell later if the controls are working?
– Will your plan convince the angry board of
directors?
COBIT – Controlling and Auditing IS
8
Agenda
How Are We Doing?
• The quest for effective systems and the rise
of internal control regulation emphasize the
need for IT governance
• Exercise: How can you do on your own?
• COBIT:
– Where does it come from?
– How does it view IT organizations?
– What does it include?
• Try again: Does COBIT help?
• Other IT management frameworks
• Key takeaways
COBIT – Controlling and Auditing IS
9
COBIT
COBIT: Control Objectives for
Information and related Technology
• COBIT is a process-oriented, business-goal
focused, systematic framework for
evaluating the IT operations within an
organization. It is designed for:
– Managers who need IT,
– IT Providers (internal and external), and
– “Auditors” concerned with risk, security, privacy,
compliance, and assurance.
• Stakeholders may not know how to evaluate
their organizations, COBIT can help guide
the process.
COBIT – Controlling and Auditing IS
10
COBIT
Where did COBIT come from?
• The COBIT steering committee
includes international representatives
from industry, academia, government,
and the security and control
profession.
• Based in the IT Governance Institute.
• The COBIT group has done extensive
work mapping to other standards.
http://www.isaca.org/Content/NavigationMenu/Members_and_Leaders/COBIT6/Project1/COBIT_Project.htm
COBIT – Controlling and Auditing IS
11
Process Oriented
Infrastructure
Information
IT Resources
Systems
Assetsbrings
Complexity
used to achieve
Organizational
Goals
People
Information
Applications
special problems
Because Information
systems are much more
complex than lunch
boxes: Processes!
Information systems’ acquisition, operation, and maintenance
can be usefully understood as a set of IT processes. We
figure out what to control in IT by looking at what we do in IT.
COBIT – Controlling and Auditing IS
12
Which of These Are IT Processes In
the IT Governance Sense?
•
•
•
•
•
NO! Just a decision
Buying a new server
IT Purchasing Procedures
Hiring the Right People NO! Bunch of Decisions
Screening Potential IT Employees
Processing an invoice sent in by EDI
NO! this is an IT-enabled process
from a supplier
• Change Management System
Good Governance Creates Good Processes that
LEAD TO Good Decisions and IT Systems
COBIT – Controlling and Auditing IS
13
Good Processes
COBIT – Controlling and Auditing IS
14
COBIT
Business Goal Focused
Generic Business
Goals are Matched
with IT Goals
To offer competitive products and services,
create IT agility
Goals are Matched
with 34 IT Processes
– Define Success
Achieve IT agility by adjusting HR, information
architecture, and infrastructure
Defined Control
Objectives Support
Assurance.
Good data architecture keeps data to support
decisions, organizes data for sharing, and
verifies data reliability
Process Measures
Support Systematic
Evaluation to Manage
IT Processes
Measure data architecture success in % of
redundant data elements, % of applications in
the plan, and frequency of validation activities.
COBIT – Controlling and Auditing IS
15
COBIT’s Systematic
Framework
COBIT
ME1
ME2
ME3
ME4
Monitor the processes
Monitor and evaluate internal control
Ensure Regulatory Compliance
Provide IT Governance
INFORMATION
PO1 Define a strategic IT plan
PO2 Define the information architecture
PO3 Determine the technological direction
PO4 Define the IT processes, organisation and relationships
PO5 Manage the IT investment
PO6 Communicate management aims and direction
PO7 Manage human resources
PO8 Manage quality
PO9 Assess and manage IT risks
PO10 Manage projects
Does the organization
• Effectiveness
• Efficiency
• Confidenciality
plan and organize
• Integrity
• Availability the organization
Compliance
to ••Does
meet
MONITORadequately
AND
Reliability
EVALUATE
effectively
Does theinformation
organizationneeds?
have and deliver and
IT
support
IT services?
PLAN AND
use sound processes for
RESOURCES
ORGANISE
acquiring
and implementing
IT?
DELIVER
AND
• Data
SUPPORT
systems
Does the organization •• Application
Technology
• Facilities
• People
monitor
andservice
evaluate
DS1 Define and manage
levels
DS2 Manage third-party services
DS3 Manage
peformance and capacity
its
IT activites?
ACQUIRE AND
DS4 Ensure continuous service
DS5 Ensure systems security
DS6 Identify and attribute costs
DS7 Educate and train users
DS8 Manage service desk and incidents
DS9 Manage the configuration
DS10 Manage problems
DS11 Manage data
DS12 Manage the physical environment
DS13 Manage operations
IMPLEMENT
AI1
AI2
AI3
AI4
AI5
AI6
AI7
Identify automated solutions
Acquire and mantain application software
Acquire and maintain technology infrastructure
Enable operation and use
Procure IT resources
Manage
Manage changes
changes
Install and accredit solutions and changes
Page 1
AI6 – Acquire and Implement
Manage Changes
Control over the IT process of
process name
that satisfies the business requirement for IT of
summary of most important IT goals
is achieved by
key controls
and is measured by
key metrics
COBIT – Controlling and Auditing IS
17
Page 2
AI6 Page 2
Detailed Control Objectives
Detailed Control Objectives
AI6.1 Change Standards and Procedures
Set up formal change management procedures to handle in a
standardised manner all requests..
AI6.2 Impact Assessment, Prioritisation and Authorisation
Ensure that all requests for change are assessed in a structured way for
impacts on the operational system…
AI6.3 Emergency Changes
Establish a process for defining, raising, assessing and authorising
emergency changes…
AI6.4 Change Status Tracking and Reporting
Establish a tracking and reporting system for keeping change
requestors and relevant stakeholders up to date…
AI6.5 Change Closure and Documentation
Whenever system changes are implemented, update the associated
system and user documentation…
COBIT – Controlling and Auditing IS
18
Page 3
AI6 Management Guidelines
Process
Inputs
and
Outputs
Layered Goals and Metrics
RACI Chart
COBIT – Controlling and Auditing IS
19
Page 4
Maturity Model
Management of the process of Manage changes that satisfies the
business requirement for IT of responding to business
requirements in alignment with the business strategy, whilst
reducing solution and service delivery defects and rework is:
0 Non-existent: No defined change management process…
1 Initial/Ad Hoc: It is recognised that changes should be managed…
2 Repeatable but Intuitive: Informal change management process…
3 Defined Process: Defined formal change management process…
4 Managed and Measurable: Change management well developed…
5 Optimised: Change management process is regularly reviewed…
COBIT – Controlling and Auditing IS
20
Like Dagwood’s Boss, We Want
Controls (employees?) that Work
COBIT – Controlling and Auditing IS
21
COBIT
Audit
Guidelines
An IT process is audited by:
• Obtaining an understanding of business requirements-related
risks, and relevant control measures
• Evaluating the appropriateness of stated controls
• Assessing compliance by testing whether the
stated controls are working as prescribed,
consistently and continuously
• Substantiating the risk of the control
objectives not being met by using analytical
techniques and/or consulting alternative sources
COBIT – Controlling and Auditing IS
22
COBIT
Audit
Guidelines
AI6
Audit
Guideline
COBIT – Controlling and Auditing IS
23
COBIT
Audit
Guidelines
AI6
Audit
Guideline
COBIT – Controlling and Auditing IS
24
COBIT
Audit
Guidelines
AI6
Audit
Guideline
COBIT – Controlling and Auditing IS
25
Now that you have AI6…
• You are the CEO of NASDAQ. You discover
that the embarrassing error reported in the
article happened when a new version of a
software application was put into production.
You know you need a better process.
– Who should be involved in making sure this kind
of thing doesn’t happen again?
– What controls should be put into place?
– How will you tell later if the controls are working?
– Will your plan convince the angry board of
directors?
COBIT – Controlling and Auditing IS
26
Comparing
Frameworks
Different Frameworks:
Different Emphasis
• Control Objectives for Information & Related
Technology (COBIT): Comprehensive
checklists for IT, supports auditing, doesn’t
directly address software development or
give a roadmap for improvement
• Capability Maturity Model Integration
(CMMI): Geared for software development
organizations
• IT Infrastructure Library (ITIL): IT service
delivery and management best practices
• Six Sigma: Continuous improvement for
repeatable activities (e.g., helpdesks)
http://www.computerworld.com/managementtopics/management/story/0,10801,90797,00.html
COBIT – Controlling and Auditing IS
27
Comparing
Frameworks
COBIT Asks All the Right Questions
COBIT: 34 IT processes in 4 domains:
COBIT defines
issues, values,
measurements, and
responsibilities. It
focuses on control
over execution and
strives to address all
IT governance
issues.
COBIT – Controlling and Auditing IS
28
Comparing
Frameworks
CMM Helps Develop Mature Software
Development Processes
CMM (1993) and the later CMMI focus on improving the
development, acquisition, and maintenance of systems.
CMM addresses
only some of the
issues considered
by COBIT.
SEI CMM
http://www.sei.cmu.edu/cmmi/general/general.html
ITGI’s mapping of SEI’s CMM for Software with COBIT 4.0
COBIT – Controlling and Auditing IS
29
ITIL Presents Best Practices for IT
Service Delivery
ITIL, originally created by the British Government, “the only consistent
and comprehensive best practice for IT service management.”
ITIL provides more
guidance on who
should be
responsible and how
they should proceed.
ITIL - Best practices
COBIT – IT control
ITGI’s mapping of ITIL With COBIT 4.0
COBIT – Controlling and Auditing IS
30
IT Governance Norms
•
•
•
•
•
Business Alignment
A Risk/Control Perspective
Accountability
Continuous Improvement
Systematic Measurement
COBIT – Controlling and Auditing IS
31
Takeaways
Key Takeaways
• Forces are pushing organizations to adopt
IT governance but its an uphill battle.
• COBIT provides a systematic framework to
evaluate IT operations. Plan, do, check, &
correct.
• A control perspective for IT processes is
crucial to long term success. (It helps us talk
nice to the CFO too!)
• Thanks to the IT Governance Institute for
material.
COBIT – Controlling and Auditing IS
32
Back To AI6
Page 1
AI6 Manage Changes
High-Level Control Objective
• All changes, including emergency
maintenance and patches, relating to
infrastructure and applications within the
production environment must be formally
managed in a controlled manner. Changes
(including procedures, processes, system
and service parameters) must be logged,
assessed and authorised prior to
implementation and reviewed against
planned outcomes following implementation.
This assures mitigation of the risks of
negatively impacting the stability or integrity
of the production environment.
COBIT – Controlling and Auditing IS
33
Back To AI6
Page 1
AI6 Waterfall
Control over the IT process of
Manage changes
that satisfies the business requirement for IT of
responding to business requirements in alignment with the business strategy, whilst reducing
solution and service delivery defects and rework
by focusing on
controlling impact assessment, authorisation and implementation of all changes to the IT
infrastructure, applications and technical solutions, minimising errors due to incomplete
request specifications and halting implementation of unauthorised changes
is achieved by
• Defining and communicating change procedures, including emergency changes
• Assessing, prioritising and authorising changes
• Tracking status and reporting on changes
and is measured by
• Number of disruptions or data errors caused by inaccurate
specifications or incomplete impact assessment
• Application or infrastructure rework caused by inadequate change
specifications
• Percent of changes that follow formal change control processes
COBIT – Controlling and Auditing IS
34