CobiT™
Overview
Training
Materials used to train for the CobiT Foundation™ are only available through our accredited ITPreneurs partner purchase program, which is licensed for distribution as an ISACA® certification course. This presentation is heavily adapted by EnterpriseGRC Solutions, represents a summary of the main points, and is not available for sale or distribution. Individuals or organizations may contact us to purchase the entire set of materials. For additional information please visit http://www.itsmcampus.com/docs/cobit_update.pdf or email Arjan Woertman (arjan.woertman@itpreneurs.com)
http://www.enterprisegrc.com
© EnterpriseGRC Solutions, Inc. ISACA® and ITPreneurs ™All Rights Reserved - You could be earning credit right now! To learn more about accredited on line and live training 800 847-6821 2
Session Agenda
COBIT Foundation Course ™
Published for distribution by ITPreneurs on behalf of ISACA, the materials for the CobiT course are the product of many years of committee contribution. Formal training requires purchase of the complete training materials.
This session is an overview to prepare students for the full 8 to 20 hour course. CobiT Foundation™ is a program of study that results in the capacity both to pass an external examination and to successfully implement CobiT in a work environment. Live training involves interactive exercises.
EnterpriseGRC Solutions, Inc. is authorized to provide CobiT training. By the end of today's half day, you will have a newfound appreciation for the value of extended study and application of the CobiT Framework, as well as of other ITGI authorized courses ranging from introductory to advanced governance topics.
Course Introduction
COBIT was developed by the IT Governance Institute (ITGI™).
Our objective today is to achieve a basic understanding of COBIT and how you might apply it in practice.
This training consists of the following sections
COBIT: Resources
About ISACA and ITGI
ISACA - With more than 70,000 members in more than 140 countries, ISACA (www.isaca.org) is a recognized, worldwide leader in IT governance, control, security, and assurance. Founded in 1969, ISACA:
Sponsors international conferences.
Publishes the Information Systems Control Journal.
Develops international information systems auditing and control standards.
Administers the globally respected Certified Information Systems Auditor (CISA) and Certified Information Security Manager (CISM) designations.
ITGI - The IT Governance Institute (ITGI) (www.itgi.org) was established by ISACA in 1998 to advance international thinking and standards in directing and controlling an enterprise's information technology. ITGI:
Developed COBIT, now in its fifth edition.
Offers original research and case studies to assist enterprise leaders and boards of directors in their IT governance responsibilities.
Topics of This Session
Main points in our session will cover:
IT management issues that affect organizations.
Principles of IT governance.
The COBIT Framework
COBIT’s main characteristics are:
COBIT: An IT Control Framework
For latest updates on COBIT, log on to
Evolution
Governance
Management
Control
Audit
The COBIT Cube: IT Processes
COBIT describes the IT life cycle with the help of four domains:
Plan and Organize
Acquire and Implement
Deliver and Support
Monitor and Evaluate
Processes are series of activities with natural control breaks. The 34 processes across the four domains specify what the business needs to achieve its objectives. The delivery of information is controlled through 34 high-level control objectives, one for each process.
Activities are actions that achieve measurable results, have life cycles and include many discrete tasks.
Information Criteria
IT Resources
Key Objectives of Foundation Knowledge
The principles of IT governance.
Who is responsible for IT governance.
How IT governance resolves management issues.
The scope of IT governance.
The need for a control framework driven by IT governance.
IT Challenges
Keeping IT Running
Value
Costs
IT Resources and Expenses
Mastering Complexity
Regulatory Compliance
Security
IT Challenges – Keep The Enterprise Running
As a result, organizations need to guarantee the continuity of IT services for business-critical services.
IT Challenges – Provide Strategic Value
Value
As a result, organizations need to identify the right IT projects and execute them within time and
budget to deliver the expected value.
IT Challenges – Manage Costs
Costs
As a result, organizations need to manage IT costs as carefully as they do other significant costs of business. This requires efficient and effective processes and allocation of resources such as people and technology. In addition, it requires effective vendor relationships.
IT Challenges – Master Complexity
Mastering Complexity
Handling External Relationships
IT Challenges – Alignment with the Business
Aligning IT With Business
As a result, organizations need to ensure that IT partners with the business to deliver value.
IT Challenges – Regulatory Compliance
Regulatory Compliance
Therefore, organizations need to ensure compliance with the legal and contractual requirements they have with service providers and trading partners.
IT Challenges - Security
Security
What Is Enterprise Governance?
Enterprise governance is a set of responsibilities and practices exercised by the board and executive management with the goals of:
Providing strategic direction.
Governance Is About Balance
Governance is about Performance and Conformance
Performance: improving profitability, efficiency, effectiveness, and growth.
Conformance: adhering to legislation, internal policies, and audit requirements.
Governance requires a balance between the conformance and performance goals, as directed by the board.
IT governance is part of enterprise governance. It is defined as a structure of relationships and processes to direct and control the enterprise toward achieving its goals by adding value while balancing risk versus return over IT and its processes.
Principles of IT Governance
The board of directors and executive management are responsible for IT governance, which involves structures and processes that direct the organization toward achieving its objectives.
Direct and Control
Responsibility
Accountability
Activities
Principles of IT Governance – Direct and Control
Direct and Control
Direct: Management provides direction to implement a change. To provide effective direction, management needs to understand the intended change. In addition, management directs another person to bring about the change.
Control: Control ensures that the objective is achieved and no undesired incidents occur.
(Figure: the direct-and-control loop. The Board sets direction, sets objectives and measures, and compares the results reported to it; the IT Organization performs activities, measures them, and reports back.)
Principles of IT Governance – Direct and Control
Direct and Control can be related to the functioning of a thermostat. A thermostat regulates room temperature without producing any heating or cooling effect itself. It only compares the room temperature with its own set point and switches the heater or cooler on or off.
(Figure: a thermostat dial marked from 60 to 80 and reading 72 directs the heater and cooler, which control the room temperature.)
The thermostat directs the heating/cooling system based on the temperature setting.
The heating/cooling system controls the room temperature by providing the right amount of additional heating or cooling, based on instructions from the thermostat.
Principles of IT Governance - Responsibility
Responsibility
The CEO is ultimately responsible for overall internal control. Senior managers assign responsibility for the establishment of specific internal control policies and procedures to the personnel performing a unit's functions. Internal control is the responsibility of everyone in an organization and should be an explicit or implicit part of job descriptions.
Principles of IT Governance - Accountability
Accountability
Accountability is related to responsibility but specifically focuses on having the authority to make decisions and give approval. For the final outcome of a set of activities, the responsibility cannot be passed to anyone else. For example, responsibility for the process of defining the IT strategy will be shared by several people, each responsible for certain tasks and activities. Ultimately, it may be the CEO who decides on key issues and approves the final version. He is then accountable for the IT strategy.
Principles of IT Governance – Activities - Actions
IT Function in an Organization
Activities
IT Governance Stakeholders - Internal
Internal Stakeholders and Their Concerns
IT Manager: How do we deliver IT services, as required by the business and directed by the board?
Board, Executive, and Business Manager: How do we define business direction for IT, deliver value, and manage risks?
IT Governance Stakeholders - External
External Stakeholders and Their Concerns
External Auditor: I need to know whether or not the automated banking reconciliation system works in order to clear the audit.
Customers: I need you to keep my banking details secure on your computer system.
Regulators: How can we be assured that the organization has a business continuity plan? If it does not, regulators may retract the banking license.
Suppliers: Do we have assurance that confidential information about our company is not sent to our competitors?
IT Governance: Focus Areas
Strategic Alignment
Value Delivery
Risk Management
Resource Management
Performance Measurement
IT Governance: Strategic Alignment
Strategic Alignment
IT Governance: Value Delivery
Value Delivery
Business Value
IT Governance: Risk Management
Risk Management
IT Governance: Resource Management
Resource Management
IT Governance: Performance Management
Performance Measurement
If you cannot measure it, you cannot manage it.
Performance Management
Benefits of IT Governance
IT Governance Benefits
More transparency
Responsiveness of IT to business
Confidence of the top management
Higher
Need for a Control Framework for IT Governance
Summary IT Governance
Organizations typically face the following IT challenges that drive the need for IT governance:
Keeping IT running
Delivering value to customers
Managing IT costs
Mastering complexity
Aligning IT with business
Ensuring regulatory compliance
Managing security
IT governance is a structure of relationships and processes that helps direct and control the achievement of enterprise goals. IT governance is an integral part of enterprise governance.
The focus areas of IT governance are:
Strategic alignment
Value delivery
Risk management
Resource management
Performance measurement
Governance and control frameworks are becoming part of IT management best practices and are enablers for establishing IT governance and complying with continually increasing regulatory requirements.
Can You Name The Players in this Slide?
Objectives
Identify
Understand
Explain
Demonstrate
Apply
Topics for the CobiT Control Framework
Characteristics of a Control Framework
Introduction to Val IT
What do We Get from A Compliance Framework?
(Figure: a define, execute, measure cycle spanning Compliance, Resources, Services and Risk.)
5 Characteristics of a Control Framework
Provides Sharper Business Focus
Defines a Common Language
Ensures Process Orientation
Helps Meet Regulatory Requirements
Has General Acceptability Among Organizations
Characteristics – Business Focus
Business Focus
COBIT achieves sharper business focus by aligning IT with business objectives.
The measurement of IT performance should focus on IT's contribution to enabling and extending the business strategy.
COBIT, supported by appropriate business-focused metrics, can ensure that the primary focus is value delivery and not technical excellence as an end in itself.
Characteristics – Process Orientation
Process Orientation
When organizations implement COBIT, their focus is more process-oriented.
Incidents and problems no longer divert attention from processes.
Exceptions can be clearly defined as part of standard processes.
change or organizational
Characteristics – General Acceptability
General Acceptability
COBIT is a proven and globally accepted standard for increasing the contribution of IT to organizational success.
The framework continues to improve and develop to keep pace with best practices.
IT professionals from all over the world contribute their ideas and time to regular review meetings.
Characteristics – Regulatory Requirements
Regulatory Requirements
Recent corporate scandals have increased regulatory pressures on boards of directors to report their status and ensure that internal controls are appropriate. This covers IT controls as well.
Organizations constantly need to improve IT performance and demonstrate adequate controls over their IT activities.
Many IT managers, advisors, and auditors are turning to COBIT as the de facto response to regulatory IT requirements.
Characteristics – Common Language
Common Language
A framework helps get everybody on the same page by defining critical terms and providing a glossary.
Coordination within and across project teams and organizations can play a key role in the success of any project.
A common language builds confidence and trust.
What are Compliance Components? (Object Model)
Company Name / Department / Accounting Oversight Board / Audit: the highest level of ownership. The process profile owner, department owner and audit owner sit here; domain/process champions and the sponsoring department assign control object owners.
Domains: there are four domains. Four records, 1 of a possible 4, are assigned to all objects.
Management Functions: the business has unlimited management functions, but they are typically limited to fewer than 10. Each is a parent process and inherits its domain.
High-level Control Objectives: there are thirty-four control objectives, 1 of 34 associated to all objects. A process inherits its domain, control object, KGI, CSF and KPI.
Critical Success Factors (CSF), Key Goal Indicators (KGI), Key Performance Indicators (KPI): each control objective has N number of items in its CSF list, KGI list and KPI list.
Detail Control: the list is a single object that inherits domain and control object. Items inherit domain, control object and evidence of process.
Component Process: items inherit their domain, control object and evidence of process. The business has unlimited component-level processes; subprocesses are typically fewer than 10.
Maturity Level: 34 sets of five-item rows make up the maturity profile, fed by audit results.
Architecture: diagrams, inventories, systems. Policy: handbooks, legal contracts.
Work Instruction: associated to a process. Operation Process Book: actual step-by-step procedures, corporate communications, portals, training materials.
Detail Control Objectives: 34 sets of 3 to 24 detailed objectives defining control object tasks and proficiencies.
Audit Results: 34 control objects; 352+ detail objectives; 34 maturity ratings supported by performance reports; process profiles; a detailed summary of deficiencies and risk; stated corporate critical success factors; ongoing process optimization; support substantiated by the maturity rating and evidence of process.
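The hierarchy this slide sketches, as an added example that is not part of the original slides or of any EnterpriseGRC or ISACA tooling: a small Python model in which detail objectives inherit domain and control object from their parent process, the audit's deficiency list is derived from missing evidence of process, and per-process maturity ratings roll up to a per-domain figure. The process ids, names, objective statements, 0 to 5 maturity scale and audit results are constructed for illustration.

```python
from dataclasses import dataclass, field
from statistics import mean

# The four COBIT domains named on the slide.
DOMAINS = (
    "Plan and Organize",
    "Acquire and Implement",
    "Deliver and Support",
    "Monitor and Evaluate",
)


@dataclass
class DetailObjective:
    """One of the 3 to 24 detailed objectives under a high-level control objective."""
    oid: str
    statement: str
    evidence: list = field(default_factory=list)  # policy, work instruction, report ...


@dataclass
class Process:
    """A process with its high-level control objective (one of the 34)."""
    pid: str
    domain: str
    name: str
    details: list
    csf: list = field(default_factory=list)  # critical success factors
    kgi: list = field(default_factory=list)  # key goal indicators
    kpi: list = field(default_factory=list)  # key performance indicators
    maturity: int = 0                        # audited rating on an assumed 0 to 5 scale

    def __post_init__(self):
        # Every object carries exactly one of the four domains.
        if self.domain not in DOMAINS:
            raise ValueError(f"{self.pid}: unknown domain {self.domain!r}")
        # The slide gives 3 to 24 detailed objectives per control objective.
        if not 3 <= len(self.details) <= 24:
            raise ValueError(f"{self.pid}: expected 3 to 24 detail objectives")
        if not 0 <= self.maturity <= 5:
            raise ValueError(f"{self.pid}: maturity must be between 0 and 5")


def inherited_attrs(process, detail):
    """A detail objective has no domain of its own; it inherits domain and
    control object from its parent process."""
    return {"domain": process.domain, "control_object": process.pid, "detail": detail.oid}


def deficiencies(processes):
    """Detail objectives with no evidence of process: the audit's deficiency list."""
    return [inherited_attrs(p, d) for p in processes for d in p.details if not d.evidence]


def maturity_by_domain(processes):
    """Roll per-process maturity ratings up to an average per domain."""
    ratings = {}
    for p in processes:
        ratings.setdefault(p.domain, []).append(p.maturity)
    return {dom: round(mean(r), 2) for dom, r in ratings.items()}


# Constructed sample inventory: two hypothetical processes, not the full 34.
SAMPLE = [
    Process(
        pid="P-01", domain="Plan and Organize", name="Define the IT plan (hypothetical)",
        details=[
            DetailObjective("P-01.1", "IT value management", ["policy handbook"]),
            DetailObjective("P-01.2", "Business and IT alignment", ["steering minutes"]),
            DetailObjective("P-01.3", "Strategic plan maintained", []),  # no evidence yet
        ],
        kgi=["percent of IT objectives mapped to business goals"],
        maturity=3,
    ),
    Process(
        pid="P-02", domain="Deliver and Support", name="Ensure systems security (hypothetical)",
        details=[
            DetailObjective("P-02.1", "Security policy in force", ["security policy"]),
            DetailObjective("P-02.2", "Access rights reviewed", ["access review report"]),
            DetailObjective("P-02.3", "Security events monitored", ["monitoring report"]),
            DetailObjective("P-02.4", "Malware protection maintained", []),  # no evidence yet
        ],
        kpi=["number of open audit findings"],
        maturity=2,
    ),
]

if __name__ == "__main__":
    print(maturity_by_domain(SAMPLE))
    for gap in deficiencies(SAMPLE):
        print("deficiency:", gap)
```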
COBIT Provides a Framework for IT Governance
COBIT - Bridging Gaps
COBIT helps bridge the gaps among business risks, control needs, and technical issues. It provides good practices across a domain and a process framework and presents activities in a manageable and logical structure. COBIT:
Starts from business requirements.
Is process-oriented, organizing IT activities into a generally accepted process model.
Identifies the major IT resources to be leveraged.
Defines the management control objectives to be considered.
Incorporates major international standards.
Has become the de facto framework for overall control over IT.
COBIT: Product for Many Audiences
COBIT – Designed for Management, Auditors, and IT
The COBIT framework helps not only technical users but also those who are responsible for the effective use of IT, such as management or auditors. The COBIT framework helps these users by ensuring that:
Their requirements are properly understood and defined.
Everyone is "on the same page," using a commonly understood reference model.
Management
Audit
Information
Technology
COBIT: Premise
The COBIT framework is based on the premise that IT needs to deliver the information that an enterprise requires to achieve its objectives.
(Figure: IT provides information to business processes, for achieving business objectives.)
COBIT Components
An organization depends on reliable and timely data and information. COBIT components provide a comprehensive framework for delivering value while managing risk and control over data and information.
(Figure: Business Requirements drive the investment in IT Resources, which are used by IT Processes to deliver Enterprise Information, which in turn responds to the Business Requirements; COBIT spans the whole cycle.)
As a control and governance framework for IT, COBIT focuses on two key areas:
1. Providing the information required to support business objectives and requirements
2. Treating information as the result of the combined application of IT-related resources that need to be managed by IT processes
The COBIT Cube
The COBIT framework describes how IT processes deliver the information that the business needs to achieve its objectives.
IT Processes
The COBIT Cube: IT Processes
COBIT describes the IT life cycle with the help of four domains:
1. Plan and Organize
2. Acquire and Implement
3. Deliver and Support
4. Monitor and Evaluate
(Figure: the COBIT cube, with axes Information Criteria, IT Resources and IT Processes; the IT Processes axis breaks down into Domains, Processes and Activities.)
Processes are series of activities with natural control breaks. There are 34 processes across the four domains. These processes specify what the business needs to achieve its objectives. The delivery of information is controlled through 34 high-level control objectives, one for each process.
Activities are actions that are required to achieve measurable results. Moreover, activities have life cycles and include many discrete tasks.
The COBIT Cube: IT Domains
PLAN AND ORGANIZE (PO)
Objectives:
Formulating strategy and tactics
Identifying how IT can best contribute to achieving business objectives
Planning, communicating, and managing the realization of the strategic vision
Implementing organizational and technological infrastructure
Scope:
Are IT and the business strategically aligned?
Is the enterprise achieving optimum use of its resources?
Does everyone in the organization understand the IT objectives?
Are IT risks understood and being managed?
Is the quality of IT systems appropriate for business needs?
IT and Business
COBIT Cube Domains – Plan and Organize
Let's look at the COBIT process model, which consists of 34 IT processes defined within the
four IT domains.
The COBIT Cube: IT Domains (Contd.)
ACQUIRE AND IMPLEMENT (AI)
Objectives:
Identifying, developing or acquiring, implementing, and integrating IT
solutions
Changing and maintaining existing systems
Scope:
Are new projects likely to deliver solutions that meet business needs?
Are new projects likely to be delivered on time and within budget?
COBIT Cube Domains – Acquire and Implement
COBIT Cube Domains – Deliver and Support
DELIVER AND SUPPORT (DS)
Objectives:
The actual delivery of required services, including service delivery
The management of security, continuity, data, and operational facilities
Scope:
Are IT services being delivered in line with business priorities?
Are IT costs optimized?
COBIT Cube Domains – Deliver and Support
COBIT Cube Domains – Monitor and Evaluate
MONITOR AND EVALUATE (ME)
Objectives:
Performance management
Monitoring of internal control
Regulatory compliance
Governance
Scope:
Is performance of IT measured to detect problems before it is too late?
Does management ensure that internal controls are effective and efficient?
Can IT performance be linked to business goals?
Are risk, control, compliance, and performance measured and reported?
COBIT Cube Domains – Monitor and Evaluate
The COBIT Cube: Business Requirements
To satisfy business objectives, information needs to conform to certain control
criteria, which COBIT refers to as business requirements for information.
Based on broader quality, fiduciary, and security requirements, seven distinct
information criteria are defined.
Information Criteria are:
Effectiveness
Efficiency
Confidentiality
Integrity
Availability
Compliance
Reliability
(Cube figure labels: Business Requirements; IT Processes; IT Resources)
The COBIT Cube: Business Requirements
Effectiveness: Deals with information being relevant and pertinent to the business process as well as being delivered in a timely, correct, consistent, and usable manner.
Availability: Relates to information being available when required by the business process, at present and in the future. It also concerns the safeguarding of necessary resources and associated capabilities.
Compliance: Deals with complying with those laws, regulations, and contractual arrangements to which the business process is subject, that is, externally imposed business criteria as well as internal policies.
Reliability: Relates to the provision of appropriate information for management to operate the entity and to exercise its fiduciary and governance responsibilities.
The COBIT Cube – IT Resources
IT processes manage IT resources to generate, deliver, and store
the information that the organization needs to achieve its
objectives. The IT resources identified in COBIT can be defined as:
COBIT Framework
BUSINESS OBJECTIVES AND GOVERNANCE OBJECTIVES
INFORMATION (criteria): Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability
IT RESOURCES: Applications, Information, Infrastructure, People
PLAN AND ORGANIZE
PO1 Define a strategic IT plan.
PO2 Define the information architecture.
PO3 Determine technological direction.
PO4 Define the IT processes, organization, and relationships.
PO5 Manage the IT investment.
PO6 Communicate management aims and direction.
PO7 Manage IT human resources.
PO8 Manage quality.
PO9 Assess and manage IT risks.
PO10 Manage projects.
ACQUIRE AND IMPLEMENT
AI1 Identify automated solutions.
AI2 Acquire and maintain application software.
AI3 Acquire and maintain technology infrastructure.
AI4 Enable operation and use.
AI5 Procure IT resources.
AI6 Manage changes.
AI7 Install and accredit solutions and change.
DELIVER AND SUPPORT
DS1 Define and manage service levels.
DS2 Manage third-party services.
DS3 Manage performance and capacity.
DS4 Ensure continuous service.
DS5 Ensure systems security.
DS6 Identify and allocate costs.
DS7 Educate and train users.
DS8 Manage the service desk and incidents.
DS9 Manage the configuration.
DS10 Manage problems.
DS11 Manage data.
DS12 Manage the physical environment.
DS13 Manage operations.
MONITOR AND EVALUATE
ME1 Monitor and evaluate IT performance.
ME2 Monitor and evaluate internal control.
ME3 Ensure compliance with external requirements.
ME4 Provide IT governance.
COBIT — Value and Limitations
COBIT:
Has internationally accepted good practices.
Is management-oriented.
Continually evolves.
Enterprises still need to analyze the control requirements and customize COBIT based on
the enterprise’s:
Value drivers.
Risk profile.
COBIT: Advantages
Some of the advantages of adopting COBIT are:
COBIT is aligned with other standards and best practices and should be used
together with them.
COBIT’s framework and supporting best practices provide a well-managed and
flexible IT environment in an organization.
COBIT provides a control environment that is responsive to business needs
and serves management and audit functions in terms of their control
responsibilities.
COBIT provides tools to help manage IT activities.
Val IT
Introducing Val IT
Val IT is based on COBIT and extends and complements it, focusing on the value
delivery dimension. Specifically, Val IT focuses on the:
Re-investment decision (are we doing the right things?)
The goal of the Val IT initiative is to help management ensure that organizations
realize optimal value from IT-enabled business investments at an affordable
cost, with a known and acceptable level of risk.
Val IT – Principles
The principles of Val IT are outlined below:
IT-enabled investments will be managed as a portfolio of investments.
IT-enabled investments will include the full scope of activities that are required to achieve business value.
IT-enabled investments will be managed through their full economic life cycle.
Value delivery practices will recognize that there are different categories of investments that will be evaluated and managed differently.
Value delivery practices will define and monitor key metrics and will respond quickly to any changes or deviations.
Value delivery practices will engage all stakeholders and assign appropriate accountability for the delivery of capabilities and the realization of business benefits.
Value delivery practices will be continually monitored, evaluated, and improved.
Val IT – Areas
Val IT is based on the “Four Rs” highlighted below.
Some fundamental questions about the value delivered by IT.
Val IT Value Governance
Figure 8-Key Management Practices Supporting the Three Val IT Processes
Val IT – Investment Management
Figure 8 – Key Management Practices Supporting the Three Val IT Processes
(Figure: Value Governance (VG); Investment Management (IM); Portfolio Management (PM))
Investment Management
IM1 Develop a high-level definition of investment opportunity.
IM2 Develop an initial program concept business case.
IM3 Develop a clear understanding of candidate programs.
IM4 Perform an alternative analysis.
IM5 Develop a program plan.
IM6 Develop a benefits realization plan.
IM7 Identify full lifecycle costs and benefits.
IM8 Develop a detailed program business case.
IM9 Assign clear accountability and ownership.
IM10 Initiate, plan, and launch the program.
IM11 Manage the program.
IM12 Manage and track benefits.
IM13 Update the business case.
IM14 Monitor and report on program performance.
IM15 Retire the program.
Val IT – Portfolio Management
Figure 8 – Key Management Practices Supporting the Three Val IT Processes
Portfolio Management
PM1 Maintain a human resource inventory.
Val IT – Processes
Investment management
COBIT Management Guidelines
Goals and metrics show how processes should be measured. These are defined at three levels:
IT goals and metrics: Define what the
(Figure labels: Process Input and Output; Key Activities and RACI Charts)
Key Activities and RACI Charts
A RACI chart identifies who is Responsible, Accountable, Consulted, and Informed.
RACI Chart for PO10 (Functions across the top, Activities down the side)
Functions: CEO; CFO; Business Exec; Bus Process Owner; Head Operations; Chief Architect; Head Development; Head IT Administration; PMO; Compliance, Audit, Risk, and Security
Process Input and Output
Each process is linked to other processes.
Inputs are the deliverables that a process
requires from other processes.
Outputs are the deliverables that a process
provides to others.
In some cases, the input and output are outside
the scope of the COBIT framework.
Example: PO10: Manage Projects
Input (from PO8): Development standards
Output: Detailed project plans (to PO8, AI1, AI7, DS6)
Components of Management Guidelines:
Outcome Measures
Outcome Measures (Key Goal Indicators in COBIT 4.0):
Define measures that inform the management — after the
fact — whether an IT function, process, or activity has
achieved its goals. Outcome measures of the IT functions are
often expressed in terms of information criteria, such as:
Availability of the information needed to support the business
needs
Absence of integrity and confidentiality risks
Cost-efficiency of processes and operations
Confirmation of reliability, effectiveness, and compliance
Components of Management Guidelines:
Performance Indicators
Performance indicators (Key Performance Indicators in COBIT
4.0): Performance indicators define measures that determine
how well the business, IT function, or IT process is performing in
enabling the reaching of goals. They are lead indicators of
whether goals will be reached, driving the higher-level goals.
They often measure the availability of appropriate capabilities,
practices, and skills, and the outcome of underlying activities.
Note: The outcome measures of the lower level become the
performance indicators of the higher level.
Process and Activity Goals Example: PO10
(Figure: Goals and Metrics cascade for IT, Process, and Activities; goals at each level drive the next, and each level has its own measures)
Metrics recoverable from the figure: Percent of projects following project management standards and practices; Percent of projects meeting; Percent of projects on time and; Percent of certified or trained
Key Goal Indicators – PO10
COBIT defines two levels of outcome measures: one for the IT department (IT outcome measure) and one for the IT process (process outcome measure).
IT Outcome Measure:
Percentage of projects meeting stakeholder expectations — on
time, within budget, and meeting requirements
— weighed by importance
Process Outcome Measure:
Percentage of projects on time and within budget
Percentage of projects meeting stakeholder expectations
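The two levels of PO10 outcome measures above, computed over a constructed project portfolio. This is an added example, not course material or ISACA code; the project records are made up, and two modelling choices are my assumptions: "meeting stakeholder expectations" is taken as on time, within budget, and meeting requirements together, and "weighed by importance" is taken as an importance-weighted percentage.

```python
"""Added example: PO10 outcome measures over a constructed project list.

Assumptions (mine, not COBIT's):
- "meeting stakeholder expectations" = on time AND within budget AND
  meeting requirements, as the IT outcome measure text spells out;
- "weighed by importance" = an importance-weighted percentage, where each
  project's importance is a positive weight.
"""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Project:
    name: str
    on_time: bool
    within_budget: bool
    meets_requirements: bool
    importance: float = 1.0  # assumed weight used by the IT outcome measure

    def meets_expectations(self) -> bool:
        return self.on_time and self.within_budget and self.meets_requirements


def _pct(numerator: float, denominator: float) -> float:
    # An empty portfolio reports 0.0 rather than raising ZeroDivisionError.
    return 0.0 if denominator == 0 else round(100.0 * numerator / denominator, 1)


def pct_on_time_and_within_budget(projects: Iterable[Project]) -> float:
    """Process outcome measure: percentage of projects on time and within budget."""
    items = list(projects)
    hits = sum(1 for p in items if p.on_time and p.within_budget)
    return _pct(hits, len(items))


def pct_meeting_expectations(projects: Iterable[Project]) -> float:
    """Process outcome measure: percentage of projects meeting stakeholder expectations."""
    items = list(projects)
    hits = sum(1 for p in items if p.meets_expectations())
    return _pct(hits, len(items))


def weighted_pct_meeting_expectations(projects: Iterable[Project]) -> float:
    """IT outcome measure: the same measure, weighed by importance (assumed weighting)."""
    items = list(projects)
    if any(p.importance <= 0 for p in items):
        raise ValueError("importance weights must be positive")
    total = sum(p.importance for p in items)
    hits = sum(p.importance for p in items if p.meets_expectations())
    return _pct(hits, total)


# Constructed sample portfolio (not real data).
SAMPLE_PROJECTS: List[Project] = [
    Project("ERP upgrade", True, True, True, importance=5.0),
    Project("Identity provider migration", True, False, True, importance=4.0),
    Project("Service desk tooling", True, True, False, importance=1.0),
    Project("Data centre cabling", False, True, True, importance=2.0),
    Project("Intranet refresh", True, True, True, importance=1.0),
]


def po10_outcome_measures(projects: Iterable[Project] = SAMPLE_PROJECTS) -> dict:
    """Both process outcome measures plus the importance-weighted IT outcome measure."""
    items = list(projects)
    return {
        "process_on_time_within_budget_pct": pct_on_time_and_within_budget(items),
        "process_meeting_expectations_pct": pct_meeting_expectations(items),
        "it_meeting_expectations_weighted_pct": weighted_pct_meeting_expectations(items),
    }


if __name__ == "__main__":
    for name, value in po10_outcome_measures().items():
        print(f"{name}: {value}%")
```

On the sample data the unweighted process measure is 40.0% while the importance-weighted IT measure is 46.2%, which is the point of weighting: the one high-importance project that met expectations counts for more than the small ones that did not.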
Performance Indicators – PO10
Benchmarking
Maturity models provide a scale to benchmark company practices against industry
standards and guidelines. A maturity model is a measure that enables an organization to
grade its maturity for a specific process from nonexistent (0) to optimized (5).
The above scale shows the status of the current and the
proposed position of the organization in relation to industry
best practices, standards, and guidelines.
The COBIT Maturity Model
Attributes: Awareness and communication; Skills and expertise
Rankings:
0 – Nonexistent: Management processes are not applied at all.
3 – Defined: Processes are documented and communicated.
Maturity Model for PO10 – Nonexistent
(Maturity scale: 0 – Nonexistent, 1 – Initial, 2 – Repeatable, 3 – Defined, 4 – Managed, 5 – Optimized)
Maturity Model for PO10 – Initial
The use of project management techniques and approaches within IT is a decision left to individual IT managers. There is a lack of management commitment to project ownership and project management. Critical decisions on project management are made without user management or customer input. There is little or no customer and user involvement in defining IT projects. There is no clear organization within IT for the management of projects. Roles and responsibilities for the management of projects are not defined. Projects, schedules, and milestones are poorly defined, if at all. Project staff time and expenses are not tracked and compared to budgets.
Maturity Model for PO10 – Repeatable
Maturity Model for PO10 – Defined
The IT project management process and methodology have been established and communicated. IT projects are defined, with appropriate business and technical objectives. Senior IT and business management are beginning to be committed to and involved in the management of IT projects. A project management office is established within IT, with initial roles and responsibilities defined. IT projects are monitored, with defined and updated milestones, schedules, and budget and performance measurements. Project management training is available and is primarily a result of individual staff initiatives. Quality assurance procedures and post-system-implementation activities have been defined but are not broadly applied by IT managers. Projects are beginning to be managed as portfolios.
Maturity Model for PO10 – Managed
The management requires formal and standardized project metrics and the review of lessons learned at project completion. Project management is measured and evaluated throughout the organization and not just within IT. Enhancements to the project management process are formalized and communicated, with project team members trained on enhancements. IT management has implemented a project organization structure with documented roles, responsibilities, and staff performance criteria. Criteria for evaluating success at each milestone have been established. Value and risk are measured and managed before, during, and after the completion of projects. Projects increasingly address organization goals, rather than only IT-specific ones. There is strong and active project support from senior management sponsors as well as stakeholders. Relevant project management training is planned for employees in the project management office and across the IT function.
Maturity Model for PO10 – Optimized
IT Assurance Guide
The objective of the IT Assurance Guide is to:
Demonstrate how to use COBIT to support a variety of IT assurance
activities.
Enable the users to leverage COBIT when planning and performing
assurance reviews, so that the business, IT, and assurance professionals
are all aligned around a common framework and objectives.
Guide planning, scoping, and executing assurance reviews using a
roadmap based on well-accepted assurance approaches, supported by
detailed tests that are based on COBIT’s processes and control
objectives.
Assurance Guide Roadmap
The Assurance Guide roadmap consists of the following three stages:
The Execution Roadmap consists of the following six stages:
Thank You For Your Time and Interest