UNCC MBAD 7090 - Control Objective for Information and Related Technologies


Slide 1: Control Objectives for Information and Related Technologies (COBIT)
MBAD 7090, Fall 2008
IS Security, Audit, and Control (Dr. Zhao)

Slide 2: Objectives
- History
- Overview
- Maturity Model
- An Example: Manage Third-Party Services
- Auditing IT Controls
- Benefits and Current Adoption

Slide 3: Background
- ISACA published the first edition of COBIT in 1996: a set of control objectives for business applications.
- ISACA: more than 75,000 members worldwide; over 60,000 CISA and 7,000 CISM holders.
- The second version was published in 1998: the implementation tool set and high-level and detailed control objectives.
- The third version was released in 2000: management guidelines.
- Prime publisher: Information Technology Governance Institute.
- Newest version: 4.1.

Slide 4: Development
- Industry-wide voluntary contributions: ISACA members, COBIT users, expert advisors.
- Academic research projects, e.g., UAMS Belgium, the University of Hawaii.
- An incremental update process.

Slide 5: Audiences
- Board: the BOD wants to ensure that management implements IT aligned to the business.
- Management: wants to ensure that investments are properly made, risks are reduced, capacity for expansion exists, etc.
- Users: want assurance on the security and quality of products and services.
- Auditors: need to ensure the effectiveness of control mechanisms.

Slide 6: IT Governance
[Figure: IT Governance Domains: Strategic Alignment, Value Delivery, Risk Management, Resource Management, Performance Measurement]
- Strategic Alignment: business objectives, competitive environment, current and future technologies.
- Value Delivery: appropriate quality; on-time and within-budget delivery.
- Risk Management: varieties of risk; determine the enterprise's appetite for risk.
- Performance Measurement: financial means; intangible assets such as customer focus, process efficiency, and the ability to learn and grow.
- Resource Management: data, applications, technology, facilities, and people.

Slide 7: IT Governance and COBIT
[Figure: Business (goals, responsibilities) and IT Governance (requirements, control objectives)]
- Information the business needs to achieve its objectives.
- Information executives and the board need to exercise their responsibilities.
- Direction and resourcing: IT governance.

Slide 8: Framework
- Resources: data, application systems, technologies, facilities, people.
- Processes, 4 major domains: Plan & Organize; Acquisition & Implementation; Delivery & Support; Monitoring.
- Business requirements: effectiveness, efficiency, confidentiality, integrity, availability, compliance, reliability.

Slide 9: Process Orientation
- Processes: a series of joined activities with natural control breaks (34).
- Activities or tasks: actions needed to achieve a measurable result; activities have a life cycle, whereas tasks are discrete.
- Domains: natural grouping of processes, often matching an organisational domain of responsibility (4).
[Figure: IT Processes, Business Requirements, IT Resources]

Slide 10: Domain 1: Plan and Organize (PO)
- Emphasis on vision, strategy, tactics, organization, and infrastructure.
- Processes (11):
  PO1: Define strategic IT plan
  PO2: Define IT architecture
  PO3: Determine technology direction
  PO4: Define IT organization and relationships
  PO5: Manage investment in IT
  etc.

Slide 11: Domain 2: Acquire & Implement (AI)
- Emphasis on solutions, changes, and maintenance.
- Processes (6):
  AI1: Identify automated solutions
  AI2: Acquire and maintain application software
  AI3: Acquire and maintain technology infrastructure
  AI4: Develop and maintain IT procedures
  AI5: Install and accredit systems
  AI6: Manage changes

Slide 12: Domain 3: Deliver & Support (DS)
- Emphasis on delivery of required services, set-up of support processes, and processing by application systems.
- Processes (13):
  DS1: Define and manage service levels
  DS2: Manage third-party services
  DS3: Manage performance & capacity
  DS4: Ensure continuous services
  DS5: Ensure system security
  etc.

Slide 13: Domain 4: Monitoring (M)
- Emphasis on assessment over time, delivering assurance, management review of control systems, and performance measurement.
- Processes (4):
  M1: Monitor the process
  M2: Assess internal control adequacy
  M3: Obtain independent assurance
  M4: Provide for independent audit

Slide 14: Support Framework
- Management guidelines:
  - Input and output processes
  - RACI chart
  - Control objectives and practices (how)
  - Performance metrics: lag indicator, key goal indicators (KGI); lead indicator, key performance indicators (KPI)
- Maturity model

Slide 15: Maturity Model
- Purpose:
  - The actual performance of the enterprise: where the enterprise is today.
  - The current status of the industry: the comparison.
  - The enterprise's target for improvement: where the enterprise wants to be.
- Five stages:
  0 - Non-existent: management processes are not applied at all.
  1 - Initial: processes are ad hoc and disorganized.
  2 - Repeatable: processes follow a regular pattern.
  3 - Defined: processes are documented and communicated.
  4 - Managed: processes are monitored and measured.
  5 - Optimized: good practices are followed and automated.

An Example: DS2 Manage