Slide 1: Control Objectives for Information and Related Technologies (COBIT)
MBAD 7090, Fall 2008
IS Security, Audit, and Control (Dr. Zhao)

Slide 2: Objectives
- History
- Overview
- Maturity Model
- An Example: Manage Third-Party Services
- Auditing IT Controls
- Benefits and Current Adoption

Slide 3: Background
- ISACA published the first edition of COBIT in 1996
  - A set of control objectives for business applications
- ISACA
  - More than 75,000 members worldwide
  - Over 60,000 CISA and 7,000 CISM
- Second version was published in 1998
  - The implementation tool set and high-level and detailed control objectives
- Released the third version in 2000
  - Management guidelines
- Prime publisher: Information Technology Governance Institute
- Newest version: 4.1

Slide 4: Development
- Industry-wide voluntary contributions: ISACA members, COBIT users, expert advisors
- Academic research projects
  - E.g., UAMS Belgium, the University of Hawaii
- An incremental update process

Slide 5: Audiences
- Board
- Management
- Users
- Auditors
  - The BOD wants to ensure that management implements IT aligned to the business
  - Management wants to ensure that investments are properly made, risks reduced, capacity for expansion, etc.
  - Users want assurance on the security and quality of products and services
  - Auditors need to ensure the effectiveness of control mechanisms

Slide 6: IT Governance
[Diagram: IT Governance Domains: Strategic Alignment, Value Delivery, Risk Management, Resource Management, Performance Measurement]
- Strategic Alignment
  - Business objectives, competitive environment, current and future technologies
- Value Delivery
  - Appropriate quality
  - On-time and within-budget delivery
- Risk Management
  - Varieties
  - Determine the enterprise's appetite for risk
- Performance Measurement
  - Financial means
  - Intangible assets: customer focus, process efficiency, ability to learn and grow
- Resource Management
  - Data, application, technology, facilities, and people

Slide 7: IT Governance and COBIT
[Diagram: Business and IT Governance, with labels Goals, Responsibilities, Control Objectives, Requirements. Captions: "Information the business needs to achieve its objectives"; "Information executives and board need to exercise their responsibilities"; "Direction and Resourcing".]

Slide 8: Framework
- Resources
  - Data
  - Application systems
  - Technologies
  - Facilities
  - People
- Processes: 4 Major Domains
  - Plan & Organize
  - Acquisition & Implementation
  - Delivery & Support
  - Monitoring
- Business Requirements
  - Effectiveness
  - Efficiency
  - Confidentiality
  - Integrity
  - Availability
  - Compliance
  - Reliability

Slide 9: Process Orientation
- Processes: a series of joined activities with natural control breaks (34)
- Activities or Tasks: actions needed to achieve a measurable result; activities have a life cycle, whereas tasks are discrete
- Domains: natural grouping of processes, often matching an organisational domain of responsibility (4)
[Diagram: IT Processes, Business Requirements, IT Resources]

Slide 10: Domain 1: Plan and Organize (PO)
Emphasis on vision, strategy, tactics, organization, and infrastructure
Processes (11):
- PO1: Define strategic IT plan
- PO2: Define IT architecture
- PO3: Determine technology direction
- PO4: Define IT organization and relationships
- PO5: Manage investment in IT
- Etc.

Slide 11: Domain 2: Acquire & Implement (AI)
Emphasis on solutions, changes, and maintenance
Processes (6):
- AI1: Identify automated solutions
- AI2: Acquire and maintain application software
- AI3: Acquire and maintain technology infrastructure
- AI4: Develop and maintain IT procedures
- AI5: Install and accredit systems
- AI6: Manage changes

Slide 12: Domain 3: Deliver & Support (DS)
Emphasis on delivery of required services, set-up of support processes, and processing by application systems
Processes (13):
- DS1: Define and manage service levels
- DS2: Manage third-party services
- DS3: Manage performance & capacity
- DS4: Ensure continuous services
- DS5: Ensure system security
- Etc.

Slide 13: Domain 4: Monitoring (M)
Emphasis on assessment over time, delivering assurance, management review of control systems, and performance measurement
Processes (4):
- M1: Monitor the process
- M2: Assess internal control adequacy
- M3: Obtain independent assurance
- M4: Provide for independent audit

Slide 14: Support Framework
Management guidelines:
- Input and output processes
- RACI chart
- Control objectives and practices (how)
- Performance metrics
  - Lag indicator: key goal indicators (KGI)
  - Lead indicator: key performance indicators (KPI)
- Maturity model

Slide 15: Maturity Model
Purpose:
- The actual performance of the enterprise: where the enterprise is today
- The current status of the industry: the comparison
- The enterprise's target for improvement: where the enterprise wants to be
Five stages:
- 0 – Non-existent: management processes are not applied at all
- 1 – Initial: processes are ad hoc and disorganized
- 2 – Repeatable: processes follow a regular pattern
- 3 – Defined: processes are documented and communicated
- 4 – Managed: processes are monitored and measured
- 5 – Optimized: good practices are followed and automated

Slide 16: An Example: DS2 Manage Third-Party Services