Overview of COBIT standards


Published on October 9, 2009

Author: swapnilsaurav

Source: slideshare.net

Description

Control Objectives for Information and Related Technology - Overview of standards


IT Audit and Risk Management Presentation

Group 2: PGPM508_12 Gunvel Sivaram, PGPM508_52 On Ali Abbasi, PGPM508_41 Saurav Swapnil, PGPM508_33 Prasath L Krishna, PGPM508_59 Malviya Prashant

Will it work? It may actually work, thanks to experience, luck and a culture of "quick and dirty". But what happens when we need to document the system, improve it, find and fix an error, or transfer responsibility? Then we need governance.

IT governance focus areas:
- Strategic alignment: linkage of business and IT plans
- Value delivery: the value proposition, i.e. the promised benefit delivered against the strategy
- Resource management: optimal investment in, and proper management of, IT resources
- Risk management: a clear understanding of the enterprise's risk appetite and of its compliance requirements
- Performance measurement: tracking and monitoring of strategy implementation

COBIT (Control Objectives for Information and Related Technology) is a set of best practices (a framework) for information technology (IT) management created by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI).

Mission: "to research, develop, publicize and promote an authoritative, up-to-date, international set of generally accepted information technology control objectives for day-to-day use by business managers and auditors."

Managers, auditors and users benefit from COBIT because it helps them understand their IT systems and decide the level of security and control that is necessary to protect their companies' assets, through the development of an IT governance model.

History:
- 1996: COBIT 1, audit focus
- 1998: COBIT 2, control focus
- 2000: COBIT 3, management focus; 2003: online version
- 2005: COBIT 4, governance focus; 2007: COBIT 4.1

Basic COBIT Principles: Where COBIT fits in

COBIT is business focused. Business requirements drive the investments in IT resources, which are used by IT processes to deliver enterprise information, which in turn responds to the business requirements.

The COBIT cube: IT resources are managed by IT processes to achieve IT goals that respond to the business requirements.


COBIT is controls based. Control objectives are statements of managerial actions to increase value or reduce risk. Controls consist of the policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented, or detected and corrected. The control loop: a process produces information, that information is compared against norms (standards and objectives), and deviations trigger corrective action on the process.


COBIT is measurement driven:
- Maturity models to enable benchmarking and identification of necessary capability improvements
- Performance goals and metrics for the IT processes, demonstrating how processes meet business and IT goals; they are used to measure internal process performance based on balanced scorecard principles
- Activity goals for enabling effective process performance

COBIT 4.1 is process oriented. Its 34 IT processes are grouped into four domains: Plan & Organize (PO) provides direction to solution delivery (Acquire & Implement, AI) and service delivery (Deliver & Support, DS); Monitor & Evaluate (ME) monitors all processes to ensure that the direction is followed.

COBIT Structure: Plan & Organize IT processes

The PO domain covers the use of information and technology and how best it can be used in a company to help achieve the company's goals and objectives. It also highlights the organizational and infrastructural form IT needs to take in order to achieve the optimal results and to generate the most benefits from the use of IT.

- PO1 Define a Strategic IT Plan and Direction (-)
- PO2 Define the Information Architecture (+)
- PO3 Determine Technological Direction (-)
- PO4 Define the IT Processes, Organization and Relationships (-)
- PO5 Manage the IT Investment (+)
- PO6 Communicate Management Aims and Direction (+)
- PO7 Manage IT Human Resources (+)
- PO8 Manage Quality (+)
- PO9 Assess and Manage IT Risks (-)
- PO10 Manage Projects (-)

The annotations show the mapping of ISO/IEC 27002:2005 control objectives (ISO/IEC 17799:2005, renumbered in 2007) to each COBIT process: "+" = good match (more than two objectives map to the process), "-" = no or minor match.

COBIT Structure: Plan & Organize summary. Inputs = requirements; outputs = DS and AI; core activities = the iterative strategic definition stage; sub-core activities = managing the purse strings, people and communication; other activities = managing quality, IT risks and projects, and many monitoring and evaluation techniques.

COBIT Structure: Acquire & Implement IT processes

The AI domain covers identifying IT requirements, acquiring the technology, and implementing it within the company's current business processes. This domain also addresses the development of a maintenance plan that a company should adopt in order to prolong the life of an IT system and its components.

COBIT Structure: Acquire & Implement summary. Inputs = requirements and PO activities; outputs = DS and PO; core activities = identifying the solution, maintaining software and infrastructure, change and configuration management, enabling its use, and implementing the result into the operational environment; other activities = managing quality, IT risks and projects, many monitoring and evaluation techniques, and finally procuring the IT resources.

COBIT Structure: Deliver & Support IT processes

- DS1 Define and Manage Service Levels
- DS2 Manage Third-party Services
- DS3 Manage Performance and Capacity
- DS4 Ensure Continuous Service
- DS5 Ensure Systems Security
- DS6 Identify and Allocate Costs
- DS7 Educate and Train Users
- DS8 Manage Service Desk and Incidents
- DS9 Manage the Configuration
- DS10 Manage Problems
- DS11 Manage Data
- DS12 Manage the Physical Environment
- DS13 Manage Operations

The DS domain is concerned with the actual delivery of required services: service delivery, management of security and continuity, service support for users, management of data, and operational facilities. It typically addresses the following management questions:
- Are IT services being delivered in line with business priorities?
- Are IT costs optimized?
- Is the workforce able to use the IT systems productively and safely?
- Are adequate confidentiality, integrity and availability in place?

Deliver & Support example: DS1 Define and Manage Service Levels

Effective communication between IT management and business customers regarding the services required is enabled by a documented definition and agreement of IT services and service levels. This process also includes monitoring and timely reporting to stakeholders on the accomplishment of service levels. It enables alignment between IT services and the related business requirements.

Control objectives of DS1:
- DS1.1 Service Level Management Framework
- DS1.2 Definition of Services
- DS1.3 Service Level Agreements
- DS1.4 Operating Level Agreements
- DS1.5 Monitoring and Reporting of Service Level Achievements
- DS1.6 Review of Service Level Agreements and Contracts

COBIT Structure: Monitor & Evaluate IT processes
- ME1 Monitor and Evaluate IT Performance
- ME2 Monitor and Evaluate Internal Control
- ME3 Ensure Regulatory Compliance
- ME4 Provide IT Governance

ME1 Monitor and Evaluate IT Performance:
- Monitoring approach: establish a general monitoring framework and approach that defines the scope, methodology and process to be followed for monitoring IT's contribution
- Definition and collection of monitoring data: define a balanced set of performance objectives, measures, targets and benchmarks, and have them signed off by stakeholders
- Monitoring method: deploy a method that provides a succinct, all-round view of IT performance and fits within the enterprise monitoring system
- Performance assessment: periodically review performance against targets and take remedial action on initial deviations
- Board and executive reporting: management reports containing progress against set targets
- Remedial actions: identify and initiate remedial actions based on performance monitoring, assessment and reporting

ME2 Monitor and Evaluate Internal Control:
- Monitoring of the internal control framework: continuous assessment against industry best practices and benchmarks to improve the IT control environment
- Supervisory review: compliance with policies and standards, information security, change controls
- Control exceptions: record information on exceptions and ensure proper analysis of the underlying issues
- Control self-assessment: evaluate the completeness and effectiveness of management's internal controls through a continuing program of self-assessment
- Assurance of internal control: third-party review
- Remedial actions: identify and initiate remedial actions based on control assessment and reporting; review, negotiate and agree management responses

ME3 Ensure Regulatory Compliance:
- Identification of laws and regulations having potential impact on IT: define and implement a process to ensure timely identification of local and international regulatory requirements and policies related to information and information service delivery
- Optimization of the response to regulatory requirements: review and optimize IT policies, standards and procedures to ensure legal requirements are covered
- Evaluation of compliance with regulatory requirements
- Positive assurance of compliance: regular reporting of the corrective actions being taken by process owners
- Integrated reporting: integrate IT reporting on regulatory requirements with similar output from other business functions

ME4 Provide IT Governance:
- Establishment of an IT governance framework: define the framework, including leadership, processes, roles and responsibilities, information requirements and organizational structure
- Strategic alignment: develop a shared understanding of business and IT
- Resource management: optimize the investment in, use and allocation of IT assets through regular assessments
- Performance measurement: report performance to the board in a timely fashion
- Independent assurance

Summary

How do you align an IT risk assessment with COBIT controls?

COBIT vs COSO:
- COSO targets management controls; it is useful for management at large; it says what to do.
- COBIT targets IT controls specifically; it is useful for IT management, users and auditors; it says how to do it.

The five COSO components (control environment, risk assessment, control activities, information and communication, monitoring) map onto the four COBIT domains (Plan & Organize, Acquire & Implement, Deliver & Support, Monitor & Evaluate) for the supporting applications and related infrastructure.

Your security check: log out when you are finished. Who knows your password?

Thank you

References
- COBIT version 4.1: http://www.isaca.org/cobit
- How do you align an IT risk assessment with COBIT controls? http://itknowledgeexchange.techtarget.com/it-compliance/how-do-you-align-an-it-risk-assessment-with-cobit-controls/
- http://www.mahindrasatyam.net/services/business_value_enhancement/enterprise_risk_complaince_mngt.asp
- Ben Kalland, ITIL Expert and COBIT Foundation certified consultant, [email_address]
