COBIT Introductory Workshop: Excerpts from University of Calgary IT Session entitled “Introduction to COBIT, its Role in IT Governance and How to Apply it In UCIT”, from June 5, 2009

Upload: chaim-seaberg

Post on 31-Mar-2015


COBIT Introductory Workshop

Excerpts from University of Calgary IT Session entitled “Introduction to COBIT, its Role in IT Governance and How to Apply it In UCIT”

From June 5, 2009

Workshop Agenda

• General Overview and Background of COBIT

• Rationale for Using COBIT at the UofC

• COBIT Foundations

• COBIT vs. Other Frameworks

• Practical Application of COBIT at the UofC

This excerpt covers the first two points.

COBIT Introductory Workshop Page 1

General Overview and Background of COBIT

First: A Little Bit on Governance

Enterprise Governance

Enterprise governance is a set of responsibilities and practices exercised by the board and executive management with the goals of:

• Providing strategic direction

• Ensuring that defined objectives are achieved

• Ensuring that risks are managed appropriately

• Applying the enterprise’s resources responsibly

  • Effective and efficient

©2007 IT Governance Institute

Organizational Challenges Relating to IT

• Keeping IT Running

• Security

• Value/Cost

• Managing Complexity

• Aligning IT with Business

• Regulatory Compliance

Organisations require a structured approach for managing these and other challenges.

This will ensure that there are agreed objectives for IT, good management controls in place and effective monitoring of performance to keep on track and avoid unexpected outcomes.

What is IT Governance?

Ensuring IT is aligned to and leveraged to help address enterprise needs:

• Decision making that leads to better alignment of IT and the business

• IT delivering more business value

• IT resources are used responsibly

• IT risks are managed appropriately

Governance is About Balance

Enterprise governance is about:

• Conformance: Adhering to legislation, internal policies, audit requirements, etc.

• Performance: Improving profitability, efficiency, effectiveness, growth, etc.

Both enterprise governance and IT governance require a balance between conformance and performance goals directed by the board.

[Figure: balance between Performance and Conformance]

©2007 IT Governance Institute

IT Governance, as Defined by IT Governance Institute (ITGI)

IT governance is:

• The responsibility of the board of directors and executive management

• An integral part of enterprise governance, consisting of the leadership, organizational structures and processes that ensure that the enterprise’s IT sustains and extends the organization’s strategies and objectives

[Figure: ITGI IT governance focus areas: Strategic Alignment, Value Delivery, Risk Management, Resource Management, Performance Measurement (www.itgi.org)]

IT Governance Domains

• Strategic alignment: Focuses on ensuring the linkage of business and IT plans and on aligning IT operations with enterprise operations

• Value delivery: IT delivers the promised benefits against the strategy, concentrating on optimizing costs and proving the intrinsic value of IT

• Resource management: Is about the optimal investment in, and the proper management of, critical IT resources: applications, information, infrastructure and people

• Risk management: Senior management’s appetite for risk, compliance requirements, transparency about the significant risks to the organisation

• Performance measurement: Tracks and monitors strategy implementation, project completion, resource usage, process performance and service delivery to achieve goals measurable beyond conventional accounting

©2007 IT Governance Institute

IT Governance Stakeholders

• Board and executive: Set direction for IT, monitor key results and insist on corrective measures

• Business management: Defines business requirements for IT and ensures that value is delivered and risks are managed

• IT management: Delivers and improves IT services as required by the business

• IT audit: Provides independent assurance to demonstrate that IT delivers what is needed

• Risk and compliance: Measures compliance with related policies and focuses on identification/mitigation of new risks

©2007 IT Governance Institute

So what is COBIT?

► COBIT is a controls framework that supports IT Governance

► COBIT stands for Control Objectives for Information and Related Technology

► It was created by ISACA (Information Systems Audit and Control Association) in 1996

► Initially created to define control objectives for business applications

► It has evolved in Version 4.1 into a governance framework

► Now owned by the IT Governance Institute (ITGI)

► The COBIT framework was created with these main characteristics:

  • Business-focused

  • Process-oriented

  • Controls-based

  • Measurement-driven

Key Characteristics of COBIT

COBIT:

► Is freely downloadable

► Has internationally accepted good practices

► Is management-oriented

► Is supported by tools and training

► Allows the knowledge of expert volunteers to be shared and leveraged

► Continually evolves and is maintained by a reputable not-for-profit organisation

► Maps strongly to all major, related standards and audit practices

However, COBIT:

► Is a reference, not an ‘off-the-shelf’ cure

► Enterprises still need to analyse control requirements and customise COBIT based on their:

  • Value drivers

  • Risk profile

  • IT infrastructure, organisation and project portfolio

History of COBIT

Evolution:

• COBIT 1 (1996): Audit

• COBIT 2 (1998): Control

• COBIT 3 (2000): Management

• COBIT 4 (2005): Governance

Links to Business Strategy

An organisation depends on reliable and timely data and information. COBIT components provide a comprehensive framework for delivering value while managing risk and control over data and information.

[Figure: links between Business Strategy, Information Criteria, IT Resources and IT Processes]

COBIT Framework: The “COBIT Cube”

[Figure: the three dimensions of the COBIT Cube: Information Criteria, IT Resources, IT Processes]

Basic Concepts

► The COBIT framework is based on the premise that IT needs to deliver the information that an enterprise requires to achieve its objectives.

[Figure: IT Resources and Processes provide Information to Business Processes for achieving Business Objectives]

► The COBIT framework helps align IT with the business by focusing on business information requirements and organising IT resources. COBIT provides the framework and guidance to implement IT governance.

What Does it do?

COBIT:

• Starts from business requirements

• Is process-oriented, organising IT activities into a generally accepted process model

• Identifies the major IT resources to be leveraged

• Defines the management control objectives to be considered

• Maps all the way to measurements – performance, audit, maturity

• Incorporates major standards and has become the de facto standard for overall control of IT

• Provides tools that both support effectiveness and enable audit

COBIT helps bridge the gaps between business risks, control needs and technical issues. It provides good practices across a domain and process framework and presents activities in a manageable and logical structure.

IT resources need to be managed by a set of naturally grouped processes. COBIT provides a framework that achieves this objective.

COBIT vs Other Frameworks

Organisations will consider and use a variety of IT models, standards and best practices. These must be understood in order to consider how they can be used together, with COBIT acting as the consolidator (‘umbrella’).

[Figure: COBIT as the umbrella over ISO 9000, ISO 27001/002, ITIL, COSO and others, plotted by WHAT vs. HOW against SCOPE OF COVERAGE]

COSO – Committee of Sponsoring Agencies of the Treadway Commission – Internal Control Integrated Framework – focused on business controls

ISO 27001/002 – Information Security Policy

ISO 9000 – Family of standards for Quality Management

Another View

[Figure: layered view of drivers, governance and standards. Drivers: PERFORMANCE (Business Goals) and CONFORMANCE (Basel II, Sarbanes-Oxley Act, etc.). Layers: Enterprise Governance, IT Governance, Best Practice Standards, Processes and Procedures. Frameworks shown: COSO, COBIT, ISO 9001:2000, ISO 27001/002, ISO 20000, Security Principles, ITSM, Balanced Scorecard, Lean Six Sigma, ITDDM, PMBOK, TOGAF, others]

ITDDM stands for IT Definition and Delivery Method – used at the UofC as a standard methodology for project initiatives

Rationale for Using COBIT at the UofC

We’re Not Alone

How do most research universities govern the large and rapidly evolving set of information technology initiatives that take place on their campuses?

ANSWER: Inefficiently, ineffectively and not as well as they should.

~ Source: Educause – IT Governance in Higher Education 2006 ~

Why COBIT?

Some of the advantages of adopting COBIT are:

► COBIT is aligned with and can be used with other standards and good practices

► COBIT’s framework and supporting best practices provide a well-managed and flexible IT environment in an organisation

► COBIT provides a control environment that is responsive to business needs and serves management and audit functions in terms of their control responsibilities

► COBIT provides tools to help manage and measure IT activities

► COBIT is used by the Provincial Auditors in their annual audit review

► COBIT has been selected by Alberta Advanced Education & Technology as a target control framework for Post Secondary Institutions

  • Target maturity level defined as 3 within 3 years

How it Supports IT Governance

COBIT brings the following advantages to an IT governance implementation effort:

• Enables mapping of IT goals to business goals and vice versa

• Better alignment, based on a business focus

• A view of what IT does that is understandable to management

• Clear ownership and responsibilities based on process orientation

• General acceptability with third parties and regulators

• Shared understanding amongst all stakeholders, based on a common language

• Fulfilment of the COSO requirements for the IT control environment

[Figure: balance between Performance and Conformance]

Exploring the Key Benefits

► COBIT focuses on improving IT governance in organisations.

► COBIT provides a framework to manage and control IT activities and supports five requirements for a control framework:

  • Provides sharper business focus

  • Ensures process orientation

  • Has general acceptability amongst organisations

  • Helps meet regulatory requirements

  • Defines a common language

Sharper Business Focus

► COBIT achieves sharper business focus by aligning IT with business objectives.

► The measurement of IT performance should focus on IT’s contribution to enabling and extending the business strategy.

► COBIT, supported by appropriate business-focused metrics, can ensure that the primary focus is value delivery and not technical excellence as an end in itself.

Process Orientation

► When organisations implement COBIT, their focus is more process-oriented.

► Incidents and problems no longer divert attention from processes.

► Exceptions can be clearly defined as part of standard processes.

► With process ownership defined, assigned and accepted, the organisation is better able to maintain control through periods of rapid change or organisational crisis.

General Acceptability

► COBIT is a proven and globally accepted standard for increasing the contribution of IT to organisational success.

► Coming soon to a campus near us

► The framework continues to improve and develop to keep pace with good practices.

► IT professionals from all over the world contribute their ideas and time to regular review meetings.

Regulatory Requirements

► Recent corporate scandals have increased regulatory pressures on boards of directors to report their status and ensure that internal controls are appropriate. This pressure covers IT controls as well.

► Organisations constantly need to improve IT performance and demonstrate adequate controls over their IT activities.

► Many IT managers, advisors and auditors are turning to COBIT as the de facto response to regulatory IT requirements.

Regulatory Requirements (cont.)

► In the Auditor General's April 2008 public report, he recommended:

"...that the Department of Advanced Education and Technology give guidance to public post-secondary Institutions on using an IT control framework to develop control processes that are well-designed, efficient, and effective"

► The following excerpt was taken from the OAG’s audit plan for AET:

8.3 IT Controls framework for post-secondary institutions

We understand the Department is working, through the Alberta Associations of Higher Education Information Technology, with Institutions to develop an IT Control Framework for Institutions. We support this initiative and will work with the Department to determine the progress made. This will also allow us to determine the extent and timing of work to perform at individual Institutions.

► Working with PSIs, the Provincial PSI ITM Control Framework will provide a holistic functional perspective built on guidance and requirements of:

  • COBIT 4.1 as published by the IT Governance Institute (Level 3 maturity targeted)

  • General Computer Controls Review (GCCR) as published by the OAG

  • Legislation / Regulation (FOIP, etc.)

  • Other International Standards (ITIL, ISO27002, etc.)

  • Specific institutional needs and interdependencies

  • Existing principles and governance

Common Language

► A framework helps get everybody on the same page by defining critical terms and providing a glossary.

► Co-ordination within and across project teams and organisations can play a key role in the success of any project.

► Common language helps build confidence and trust.

References/Sources

IT Governance Institute - http://www.itgi.org/

ISACA - http://www.isaca.org/