COBIT Quickstart, 2nd Edition. Framework. Baseline
quickstart \kwik-stärt\ adj [ME quik, fr. OE cwic] + vb [ME sterten]: That which is essential, light and easy to use; a baseline if you are a beginner and a jumpstart when you have bigger aspirations.

© 2007 IT Governance Institute. All rights reserved.
IT Governance Institute
The IT Governance Institute (ITGI) was established in 1998 to advance international thinking and standards in directing and controlling an enterprise's information technology. Effective IT governance helps ensure that IT supports business goals, optimises business investment in IT, and appropriately manages IT-related risks and opportunities. ITGI offers electronic resources, original research and case studies to assist enterprise leaders and boards of directors in their IT governance responsibilities.

Disclaimer
ITGI (the "Owner") and the author have designed and created this publication, titled COBIT Quickstart, 2nd Edition (the "Work"), primarily as an educational resource for control professionals. The Owner makes no claim that use of any of the Work will assure a successful outcome. The Work should not be considered inclusive of any proper information procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, control professionals should apply their own professional judgement to the specific control circumstances presented by the particular systems or information technology environment.

Disclosure
© 2007 IT Governance Institute. All rights reserved. No part of this publication may be used, copied, reproduced, modified, distributed, displayed, stored in a retrieval system or transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise) without the prior written authorisation of ITGI. Reproduction of selections of this publication for internal and noncommercial or academic use only is permitted and must include full attribution of the material's source. No other right or permission is granted with respect to this work.
IT Governance Institute
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL USA
Phone: Fax: info@itgi.org Web site: ISBN
COBIT Quickstart, 2nd Edition
Printed in the United States of America
ACKNOWLEDGEMENTS
The IT Governance Institute wishes to recognise:

Project and Thought Leaders
Steven De Haes, University of Antwerp Management School, Belgium
Bart Peeters, PricewaterhouseCoopers, Belgium
Dirk Steuperaert, CISA, PricewaterhouseCoopers, Belgium
Francois Van Hees, PricewaterhouseCoopers, Belgium

Workshop Participants and Expert Reviewers
Roger Stephen Debreceny, Ph.D., FCPA, University of Hawaii, USA
Jan Devos, Associatie Universiteit Gent, Belgium
Rafael Eduardo Fabius, CISA, Republica AFAP, S.A., Uruguay
Gary Hardy, IT Winners Ltd., South Africa
Jimmy Heschl, CISA, CISM, KPMG, Austria
John W. Lainhart IV, CISA, CISM, IBM, USA
Robert E. Stroud, CA Inc., USA
Greet Volders, Voquals NV, Belgium

ITGI Board of Trustees
Lynn Lawton, CISA, FCA, FIIA, PIIA, KPMG LLP, UK, International President
Georges Ataya, CISA, CISM, CISSP, ICT Control sa-nv, Belgium, Vice President
Avinash Kadam, CISA, CISM, CBCP, CISSP, Miel e-security Pvt. Ltd., India, Vice President
Howard Nicholson, CISA, City of Salisbury, Australia, Vice President
Jose Angel Pena Ibarra, Consultoria en Comunicaciones e Info., SA & CV, Mexico, Vice President
Robert E. Stroud, CA Inc., USA, Vice President
Kenneth L. Vander Wal, CISA, CPA, Ernst & Young LLP, USA, Vice President
Frank Yam, CISA, FHKCS, FHKIoD, CIA, CCP, CFE, CFSA, FFA, Focus Strategic Group, Hong Kong, Vice President
Marios Damianides, CISA, CISM, CA, CPA, Ernst & Young LLP, USA, Past International President
Everett C. Johnson, CPA, Deloitte & Touche LLP (retired), USA, Past International President
Ronald Saull, CSP, Great-West Life Assurance and IGM Financial, Canada, Trustee
Tony Hayes, FCPA, Queensland Government, Australia, Trustee

IT Governance Committee
Tony Hayes, FCPA, Queensland Government, Australia, Chair
Max Blecher, Virtual Alliance, South Africa
Sushil Chatterji, Edutech, Singapore
Anil Jogani, CISA, FCA, Avon Consulting Ltd., UK
John W. Lainhart IV, CISA, CISM, IBM, USA
Lucio Molina Focazzio, CISA, Colombia
Ronald Saull, CSP, Great-West Life Assurance and IGM Financial, Canada
Michael Schirmbrand, Ph.D., CISA, CISM, CPA, KPMG, Austria
Robert E. Stroud, CA Inc., USA
John Thorp, The Thorp Network Inc., Canada
Wim Van Grembergen, Ph.D., University of Antwerp, University of Antwerp Management School, and IT Alignment and Governance Research Institute (ITAG), Belgium
COBIT Steering Committee
Robert E. Stroud, CA Inc., USA, Chair
Gary S. Baker, CA, Deloitte & Touche, Canada
Rafael Eduardo Fabius, CISA, Republica AFAP SA, Uruguay
Urs Fischer, CISA, CIA, CPA (Swiss), Swiss Life, Switzerland
Erik Guldentops, CISA, CISM, University of Antwerp Management School, Belgium
Jimmy Heschl, CISM, CISA, KPMG, Austria
Debbie A. Lew, CISA, Ernst & Young LLP, USA
Maxwell J. Shanahan, CISA, FCPA, Max Shanahan & Associates, Australia
Dirk E. Steuperaert, CISA, PricewaterhouseCoopers, Belgium

ITGI Affiliates and Sponsors
ISACA chapters
American Institute of Certified Public Accountants
ASIS International
The Center for Internet Security
Commonwealth Association of Corporate Governance Inc.
FIDA Inform
Information Security Forum
Information Systems Security Association
Institut de la Gouvernance des Systèmes d'Information
Institute of Management Accountants
ISACA
ITGI Japan
Solvay Business School
University of Antwerp Management School
Aldion Consulting Pte. Ltd.
Analytix Holdings Pty. Ltd.
CA
Hewlett-Packard
IBM
LogLogic Inc.
Phoenix and Systems Inc.
Symantec Corporation
Wolcott Group LLC
World Pass IT Solutions
TABLE OF CONTENTS
Executive Summary
Introduction to the COBIT Framework
COBIT Quickstart Framework
  Why Do We Need Quickstart?
  What Does Quickstart Provide?
  What Is the Quickstart Approach?
  Who Can Use Quickstart?
  How Do I Know Whether Quickstart Is Suitable for My Organisation?
  How Is It Presented?
  How Is It Implemented?
  Migration Strategies to Move From Quickstart to Full COBIT
COBIT Quickstart Baseline
COBIT and Related Products
EXECUTIVE SUMMARY
A baseline for many small and medium enterprises (SMEs) and other entities where IT is less strategic or not absolutely critical for survival, and a starting point for larger enterprises in their first moves towards an appropriate level of control and governance of IT.

Control Objectives for Information and related Technology (COBIT) is a comprehensive set of resources that contains all the information that organisations need to adopt an IT governance and control framework. Implementation is based on a number of factors, including the size of the organisation. COBIT Quickstart provides a selection from the components of the complete COBIT framework. Quickstart can be used as a baseline and a set of smart things to do for many SMEs and other entities where IT is not strategic or absolutely critical for survival. Quickstart can also be a starting point for larger enterprises in their first move towards an appropriate level of control and governance of IT.

This selection was made using the top-down philosophy from the IT Governance Implementation Guide: Using COBIT and Val IT™, 2nd Edition (IT Governance Institute, 2007). This scoping method performs a top-down value and risk analysis, starting with business goals, then identifying the supporting IT goals, defining the IT processes that need improvement, and ending with the control practices that need to be implemented or enhanced.

COBIT Quickstart provides tools to help the organisation carry out a self-assessment to determine whether Quickstart is appropriate for its use. However, it is always important to keep in mind that Quickstart is generic, and if specific areas or processes are considered more important, then extra guidance should be obtained from the full COBIT material. Moreover, in certain circumstances, such as when the organisation operates and manages open (as opposed to closed) systems, i.e., interconnects with customers and suppliers, the need to go beyond COBIT Quickstart should at least be reviewed as a risk management measure. In support of this, pragmatic migration strategies to move from Quickstart to a broader COBIT implementation are provided in this publication.

Quickstart is useful for all types of COBIT users in appropriate organisations: auditors, managers and implementers of IT governance who are likely to be dealing with IT governance and COBIT for the first time and who wish for a light and easy-to-use approach to get started. Care needs to be taken when using Quickstart to ensure that it is applied intelligently, given the specific needs and conditions of the enterprise. In addition, while Quickstart is powerful as a starting point, providing the smart things to do, additional controls will be required in many cases to provide an ongoing basis for effective IT governance of all IT processes.
INTRODUCTION TO THE COBIT FRAMEWORK
For many enterprises, information and the technology that supports it represent their most valuable, but often least understood, assets. Successful enterprises recognise the contribution and benefits of information technology (IT) and use IT to drive their stakeholders' value. These enterprises also understand and manage the associated risks, such as increasing regulatory compliance and the critical dependence of many business processes on IT.

The need for assurance about the value of IT, the management of IT-related risks and increased requirements for control over information are now understood as key elements of enterprise governance. Value, risk and control constitute the core of IT governance.

IT governance is the responsibility of executives and the board of directors, and consists of the leadership, organisational structures and processes that ensure that the enterprise's IT sustains and extends the organisation's strategies and objectives. Furthermore, IT governance integrates and institutionalises good practices to ensure that the enterprise's IT supports the business objectives. IT governance enables the enterprise to take full advantage of its information, thereby maximising benefits, capitalising on opportunities and gaining competitive advantage. These outcomes require a framework for control over IT that fits with and supports the Committee of Sponsoring Organisations of the Treadway Commission's (COSO's) Internal Control-Integrated Framework, the widely accepted control framework for enterprise governance and risk management, and similar compliant frameworks.

Organisations should satisfy the quality, fiduciary and security requirements for their information, as for all assets. Management should also optimise the use of available IT resources, including applications, information, infrastructure and people. To discharge these responsibilities, as well as to achieve its objectives, management should understand the status of its enterprise architecture for IT and decide what governance and control it should provide.

COBIT provides good practices across a domain and process framework and presents activities in a manageable and logical structure. COBIT's good practices represent the consensus of experts. They are strongly focused on control and less on execution. These practices will help optimise IT-enabled investments, ensure service delivery and provide a measure to judge against when things do go wrong.

For IT to be successful in delivering against business requirements, management should put an internal control system or framework in place. The COBIT control framework contributes to these needs by:
- Making a link to the business requirements
- Organising IT activities into a generally accepted process model
- Identifying the major IT resources to be leveraged
- Defining the management control objectives to be considered

The business orientation of COBIT consists of linking business goals to IT goals, providing metrics and maturity models to measure their achievement, and identifying the associated responsibilities of business and IT process owners. The process focus of COBIT is illustrated by a process model that subdivides IT into four domains and 34 processes in line with the responsibility areas of plan, build, run and monitor, providing an end-to-end view of IT. Enterprise architecture concepts help to identify the resources essential for process success, i.e., applications, information, infrastructure and people.
In summary, to provide the information that the enterprise needs to achieve its objectives, IT resources need to be managed by a set of naturally grouped processes. Management needs to ensure that an internal control system or framework is in place such that IT supports the business processes. This implies that information, from the business's perspective, is:
- Effective
- Efficient
- Confidential
- Accurate, useful and timely
- Available
- Compliant
- Reliable

The IT resources are:
- Applications
- Information
- Infrastructure
- People

The IT resources should be available and properly used in the IT processes of the different domains, which COBIT defines as:
- Plan and Organise (Plan)
- Acquire and Implement (Build)
- Deliver and Support (Run)
- Monitor and Evaluate (Monitor)

To this end, COBIT 4.1 provides 34 IT processes (shown in figure 1) and 210 control objectives that contain policies, procedures, practices and organisational responsibilities. In addition, the COBIT management guidelines provide a link between control and IT governance. They are action-oriented and generic, and provide management direction for getting the enterprise's information and related processes under control by providing inputs and outputs amongst processes, roles and responsibilities for key activities within processes, and goals and metrics for IT, IT processes and process activities. COBIT also provides maturity models to allow for benchmarking and continuous improvement. All these elements help provide answers to typical management questions:
- How far should the enterprise go in controlling IT, and is the cost justified by the benefit?
- What are the indicators of good performance?
- Who is responsible and accountable for specific IT processes?
- What are the risks of not achieving our objectives?
- What do others do? How does our enterprise measure and compare?

A new element introduced in COBIT 4.0 is the cascade of business goals to IT goals to IT processes. COBIT 4.1 provides a list of 17 generic business goals and 28 generic IT goals. The 17 generic business goals are organised according to the four perspectives of the business balanced scorecard:
- Financial
- Customer
- Internal
- Learning and growth
Figure 1 Overall COBIT Framework

BUSINESS OBJECTIVES and GOVERNANCE OBJECTIVES drive the framework.
INFORMATION CRITERIA: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability
IT RESOURCES: Applications, Information, Infrastructure, People

PLAN AND ORGANISE
PO1 Define a strategic IT plan.
PO2 Define the information architecture.
PO3 Determine technological direction.
PO4 Define the IT processes, organisation and relationships.
PO5 Manage the IT investment.
PO6 Communicate management aims and direction.
PO7 Manage IT human resources.
PO8 Manage quality.
PO9 Assess and manage IT risks.
PO10 Manage projects.

ACQUIRE AND IMPLEMENT
AI1 Identify automated solutions.
AI2 Acquire and maintain application software.
AI3 Acquire and maintain technology infrastructure.
AI4 Enable operation and use.
AI5 Procure IT resources.
AI6 Manage changes.
AI7 Install and accredit solutions and changes.

DELIVER AND SUPPORT
DS1 Define and manage service levels.
DS2 Manage third-party services.
DS3 Manage performance and capacity.
DS4 Ensure continuous service.
DS5 Ensure systems security.
DS6 Identify and allocate costs.
DS7 Educate and train users.
DS8 Manage service desk and incidents.
DS9 Manage the configuration.
DS10 Manage problems.
DS11 Manage data.
DS12 Manage the physical environment.
DS13 Manage operations.

MONITOR AND EVALUATE
ME1 Monitor and evaluate IT performance.
ME2 Monitor and evaluate internal control.
ME3 Ensure compliance with external requirements.
ME4 Provide IT governance.
Each business goal is linked to one or more IT goals which, in turn, are linked to one or more IT processes. In this way, a full cascade is built up showing how IT processes enable the achievement of IT goals which, in turn, enable the achievement of business goals.

All the components of COBIT are accessible via COBIT Online, a web-based, interactive knowledge base. Furthermore, the IT Governance Implementation Guide provides users with a method for implementing IT governance using COBIT. The IT Assurance Guide: Using COBIT provides assurance professionals with detailed guidance and testing steps to plan, scope and execute their assurance activities based on the COBIT framework.

The complete COBIT family of products is shown in figure 2. The top part provides practices at the board and executive levels. The middle portion focuses on management and its typical needs for measurement and benchmarking. The bottom section provides the detailed support for implementing and assuring adequate control and governance over IT. (For more information about COBIT, see the section in this publication on COBIT and Related Products.)

Figure 2 COBIT Family of Products

Executives and Boards: How does the board exercise its responsibilities?
- Board Briefing on IT Governance, 2nd Edition

Business and Technology Management: How do we measure performance? How do we compare to others? And how do we improve over time?
- Management guidelines
- Maturity models

Governance, Assurance, Control and Security Professionals: What is the IT governance framework? How do we implement it in the enterprise? How do we assess the IT governance framework?
- COBIT and Val IT frameworks
- Control objectives
- Key management practices
- IT Governance Implementation Guide, 2nd Edition
- COBIT Control Practices, 2nd Edition
- IT Assurance Guide

This COBIT-based product diagram presents the generally applicable products and their primary audience. There are also derived products for specific purposes (IT Control Objectives for Sarbanes-Oxley, 2nd Edition), for domains such as security (COBIT Security Baseline, 2nd Edition, and Information Security Governance: Guidance for Boards of Directors and Executive Management), or for specific enterprises (COBIT Quickstart, 2nd Edition, for small and medium-sized enterprises or for large enterprises wishing to ramp up to a more extensive IT governance implementation).
COBIT QUICKSTART FRAMEWORK
WHY DO WE NEED QUICKSTART?
COBIT is a comprehensive set of resources that contains the information that organisations require to adopt an IT governance and control framework. However, the breadth and depth of the guidance provided by all of COBIT's resources may be too detailed and overwhelming for smaller organisations. Or, for some larger organisations, COBIT may require too much time to analyse and focus on when taking the first steps towards IT governance.

The driver behind COBIT Quickstart is the need of managers of smaller organisations for a simple-to-use tool that will speed up the implementation of key control objectives. Equally, managers of larger organisations can leverage the tool to quickstart the initial phases of a broader IT governance implementation. In these circumstances, COBIT users need out-of-the-box, customised and simplified materials that are consistent with the full COBIT resources, but are immediately usable as is. COBIT Quickstart was not designed as an audit tool; however, it provides a reference for audit and assurance purposes.

WHAT DOES QUICKSTART PROVIDE?
Quickstart is based on a selection of the processes and control objectives of COBIT 4.1. The result is a simplified version including a limited set of processes and management practices (see figure 3). Quickstart also provides simplified versions of Responsible, Accountable, Consulted and Informed (RACI) charts for each of the retained processes and captures key outcome metrics at the level of the individual control objectives and the processes as a whole. All these elements represent a baseline and the smart things to do. Enterprises can use the baseline as is, without modification, or use it as a starting point to build more detailed management practices and measurement techniques.

Figure 3 COBIT Quickstart as Compared to COBIT (domains, processes, control objectives)

This selection from the COBIT material was made using the same philosophy as that presented in the IT Governance Implementation Guide: a top-down value and risk analysis starting with business goals, then moving to supporting IT goals, then to IT processes that need improvement, and finally arriving at control objectives that need to be implemented or enhanced.
The selection was also driven by the following assumptions:
- The IT infrastructure is not complex.
- More complex tasks are outsourced.
- The goal is less build, more buy.
- Limited in-house IT skills exist.
- Risk tolerance is relatively high.
- The enterprise is very cost-conscious.
- A simple command structure is in place.
- A short span of control exists.

These assumptions are representative of the control culture and environment of most SMEs and possibly also of some small subsidiary or autonomous entities of larger organisations. This implies that the resulting set of processes and control objectives is likely to be suitable for an SME environment. It also implies that it can be a starting point for larger organisations wanting to use Quickstart to launch an IT governance programme. These organisations need to extend their governance framework depending on their specific business and governance requirements. A road map to plan this implementation is provided later in this document. In addition, when implementing the entire COBIT framework, the IT Governance Implementation Guide can be used for guidance.

The above assumptions were kept in mind when developing COBIT Quickstart and should be considered by any enterprise using Quickstart to develop its IT governance and control framework. Why? Because the control culture associated with these assumptions implies that certain controls, formally defined in COBIT, are exercised informally but effectively. For example, the control and direction that are enabled by close supervision, typical for these types of organisations, are not retained in Quickstart.

Consistent with the full COBIT 4.1 publication, overarching process controls and application controls are not addressed in the detailed COBIT Quickstart contents. However, it is critical that these controls be considered while implementing Quickstart, as they are needed by management to have a complete view of all the business control requirements of the enterprise. Figure 4 provides a short summary of these controls; a full list is provided at the end of the Quickstart baseline.

Figure 4 Overarching Process Controls and Application Controls

Generic Process Controls
In addition to the control objectives, each COBIT process has generic control requirements that are identified by generic process controls (PCn). They should be considered together with the process control objectives to have a complete view of control requirements. The generic process controls are:
PC1 Process Goals and Objectives
PC2 Process Ownership
PC3 Process Repeatability
PC4 Roles and Responsibilities
PC5 Policy, Plans and Procedures
PC6 Process Performance Improvement

Application Controls
COBIT also addresses the controls embedded in business process applications, commonly referred to as application controls, to achieve accurate, complete and reliable information for management decision making and reporting. COBIT assumes the design and implementation of automated application controls to be the responsibility of IT, covered in the Acquire and Implement domain. The operational management and control responsibility for application controls is not with IT, but with the business process owner. Hence, the responsibility for application controls is an end-to-end joint responsibility between business and IT. The recommended application control objectives are:
AC1 Source Data Preparation and Authorisation
AC2 Source Data Collection and Entry
AC3 Accuracy, Completeness and Authenticity Checks
AC4 Processing Integrity and Validity
AC5 Output Review, Reconciliation and Error Handling
AC6 Transaction Authentication and Integrity
WHAT IS THE QUICKSTART APPROACH?
COBIT Quickstart provides a baseline for control over IT in SMEs and other entities where IT is less strategic and not as critical for survival. Quickstart also provides a starting point to quickstart a broader IT governance implementation in a larger environment. The baseline consists of 32 pages of material providing processes, control objectives, RACI charts and key metrics, presented in easy-to-read, tabular fashion and in nontechnical language, to encourage rapid adoption and reduce debate and discussion. Because it is a baseline, Quickstart is viewed generally as common sense and acts as a powerful reminder and checklist of those things that ought to be directed and controlled in IT, as a minimum. From a top management perspective, it helps organisations focus scarce resources on the basics, the potentially easier-to-tackle areas, thus providing an efficient tool for initiating IT governance without committing large amounts of resource or significant investment.

The first reflection when considering Quickstart is to decide whether it is suitable for the specific organisation. Quickstart helps the enterprise to make this decision by including tools that enable the organisation to carry out a self-assessment of factors dealing with IT management and IT complexity. For larger organisations, it should be acknowledged that Quickstart can only be a starting point to move towards a broader IT governance framework.

WHO CAN USE QUICKSTART?
Quickstart is aimed at small and medium-sized organisations. However, it also is suitable for any organisation with an appropriate control environment, which is considered to be one that has:
- A simple command structure
- A short communications path
- A limited span of control
- Not much segregation of responsibilities

In addition, it is suitable for organisations in which:
- The IT environment is not particularly complex
- The IT expenditure is not very significant
- IT is not that strategically important
- The use of IT is not leading-edge

Quickstart can be used in larger organisations, but as a first step towards implementing IT governance using COBIT. Quickstart is useful for all kinds of users in its targeted types of organisations: auditors, managers and implementers of IT governance who are likely to be dealing with IT governance and COBIT for the first time and who wish for a light and easy-to-use approach to get started.

HOW DO I KNOW IF QUICKSTART IS SUITABLE FOR MY ORGANISATION?
COBIT Quickstart provides two tests to assess an enterprise's suitability for implementing control over IT based on the Quickstart set of controls. They are provided with this publication in the form of an electronic tool.
Test 1: Stay in the Blue Zone
The first test (Stay in the Blue Zone), as shown in figure 5, helps the organisation determine whether it is appropriate for it to implement Quickstart to manage its IT risks or whether it should consider using the full COBIT guidance. If the results from the assessment are mainly contained in the blue zone, the organisation most likely is suited for using COBIT Quickstart. If the results are not in the blue zone, it nevertheless remains management's decision to use the Quickstart approach anyway. However, management should remain conscious of the control assumptions described previously, as certain controls are not retained in Quickstart.

Figure 5 Suitability Assessment (1): Stay in the Blue Zone
(Each of the seven dimensions below is rated from 1 to 4; the ratings are plotted on a radar chart with axes SCS, SCP, SOC, SEG, S, I and E.)

Simple Command Structure (SCS)
1. The command structure (CS) is informal and verbal, only short-term and tactical.
2. CS is primarily informal and verbal, somewhat short-term but largely medium-term-oriented, and still primarily tactical.
3. CS is primarily formal and documented, begins looking at the long term but is more medium-term-oriented, somewhat tactical with strategic views emerging.
4. CS is strictly formal and documented, covers short-, medium- and long-term and is strategy-oriented.

Segregation (SEG)
1. Those who monitor have at least two other functions (build, operate or influence).
2. Those who monitor have at most building or operating as other functions. Those who influence also can have building and operating functions.
3. Monitoring is totally segregated, but building and operating can be executed by the same person. Those who influence have at most operating or building as other functions.
4. At most, influencing and monitoring are executed by one person.

Short Communications Path (SCP)
1. The head of the entity (HE) knows everyone's IT-related responsibilities.
2. HE knows most people's IT-related responsibilities.
3. HE knows IT-related responsibilities only for key personnel.
4. HE does not know all IT-related responsibilities of key personnel.

Span of Control (SOC)
1. HE directs and monitors everyone's IT-related responsibilities.
2. HE directs and monitors most people's IT-related responsibilities.
3. HE directs and monitors only key personnel's IT-related responsibilities.
4. HE does not direct and monitor all IT-related responsibilities of key personnel.

IT Expenditure (E)
1. IT expenditure is not more than profits and not much different from peers.
2. IT expenditure is different from peers and only marginally increasing every year.
3. IT expenditure is more than profits or significantly different from peers and is showing an annual increasing trend.
4. IT expenditure is significantly more than the entity's profits.

IT Strategic Importance (I)
1. Reliable IT is not critical to the functioning of the enterprise and is not likely to become strategically important.
2. Reliable IT support is critical to the enterprise's current operation, but the application development portfolio is not fundamental to the enterprise's ability to compete.
3. Uninterrupted functioning of IT is not absolutely critical to achieving current objectives, but applications and technology under development will be critical to future competitive success.
4. Reliable IT support is critical to the enterprise's current operation, and applications and technology under development are critical to future competitive success.

IT Sophistication (S)
1. Laggard: well behind in technology adoption, with a simple infrastructure.
2. Follower: adopting technology after peers, using more, but still standard, components.
3. Leader: adopting technology before peers, customising and integrating solutions.
4. Pioneer: early adopter of new emerging technology, well ahead of the industry, highly complex environment.

The different dimensions of this suitability test are as follows:

Simple command structure
This dimension measures the degree to which authority, rules and control are institutionalised in the organisation.
This command structure varies from very informal and verbal to strictly formal and documented. Moreover, long-term/short-term orientation and the strategic/tactical direction imposed by the command structure are evaluated. The presence of more formal and documented structures and longer-term strategic views suggests that higher levels of control are needed. Short communication path The communication path component indicates how many layers are situated between the head of the entity (HE) and the staff. This illustrates how directly, quickly and efficiently the HE can communicate with the staff, and is measured by determining how well the HE knows the staff s -related responsibilities. This assumes that the more direct the communication path, the better the -related responsibilities are known. The organisation may need to look for control requirements beyond if the HE does not know most people s responsibilities GOVERNANCE I NSTUTE. ALL RIGHTS RESERVED. 17
19 COB QUICKSTART,2 ND EDION Span of control Whilst the previous step assessed the degree to which the HE knows everyone s -related responsibilities, this dimension measures the influence the HE has on those responsibilities. This influence is rated by indicating which related responsibilities the HE effectively directs and monitors, varying from directing and monitoring no -related responsibilities at all, to directing and monitoring every -related responsibility. Not knowing responsibilities of at least key personnel is an indicator that a larger control framework is required. sophistication The sophistication component refers to the profile of the organisation with regard to the adoption of new technologies and the complexity of the environment relative to industry and peers. This profile ranges from being a pioneer, adopting new technologies well before industry in a complex environment, to being a laggard, adopting new technologies well behind peers and industry while keeping the infrastructure simple. Taking a technology leadership position and working in a complex environment evoke the possibility of larger risks and wider control requirements. strategic importance This dimension evaluates how dependent the organisation is on to operate and function, and to achieve competitive advantage and success. This dimension is the equivalent of the traditional McFarlan quadrant 1, which positions organisations based on current and future dependency on. From the moment is critical to support current operations, additional controls may be needed to manage that criticality. expenditure The expenditure component is closely linked to the sophistication and strategic importance dimensions, and ranks the organisation based on its expenditure relative to profit and compared to peers. Furthermore, the increasing trend of the total expenditure is taken into account. 
If expenditure increases yearly, surpasses profits or differs significantly from industry peers, it is prudent to consider stronger controls. Not-for-profit enterprises usually can avoid referring to profits and, instead, judge expenditure based on peer expenditures and their own expenditure trends. Segregation The segregation dimension checks whether the responsibilities for building, operating and influencing solutions and monitoring same are overly concentrated in one person or, instead, are distributed properly over more people. There is insufficient segregation when a single person executes too many of these functions. The fact that management has implemented a certain degree of segregation indicates a level of concern and risk that is more consistent with a larger control framework. If the results from the assessment are contained mainly in the blue zone, the organisation most likely is suited for using COB. However, there may still be specific circumstances that create the need to go beyond (i.e., to use the full COB or to obtain specific extra material from the full COB). 
This is the case in environments characterised by: Open, as opposed to closed, systems (extended enterprise), i.e., connecting with customers and suppliers The presence of -related regulations, contractual requirements or need to provide outside assurance about Management awareness of issues and questioning whether a minimum baseline is right for the enterprise Management belief that a need exists to improve skills and capabilities A need to define, standardise and document processes in a sustainable manner Management awareness that technology needs to be used to automate some processes to make them more effective and efficient A significant degree of integration within business processes These specific situations imply that, even though the organisation may appear to be suited for COB based on the first suitability test, it should consider looking at the complete set of control objectives from COB to address its governance and control needs beyond. The opposite argumentation can also be made: if an organisation appears to be not suitable for COB, it can still decide to use the model as a way to launch a governance initiative in the organisation GOVERNANCE I NSTUTE. ALL RIGHTS RESERVED.
Test 2: Watch the Heat

The second test of the suitability tool (Watch the Heat), as shown in figure 6 and also supplied with this publication, can help assess the exception situations described previously. The more the enterprise is in the red zone, the more it needs to consider going beyond COBIT Quickstart.

Figure 6: Suitability Assessment (2), "Watch the Heat"
Each statement is rated on a five-point scale: Definitely disagree / Somewhat disagree / Neither agree nor disagree / Somewhat agree / Fully agree.
- The IT infrastructure is an open, as opposed to closed, system (interconnections with customers, suppliers, etc.).
- There are IT-related regulations or contractual requirements applying to the enterprise.
- There is a need to provide outside assurance about IT.
- Enterprise management is aware of IT issues and wonders whether a minimum baseline is sufficient.
- Enterprise management has identified the need for significant formal training relative to IT.
- Some IT practices and procedures have been defined, standardised and documented in a sustainable manner.
- Enterprise management knows that common IT tools would make some IT processes more effective and efficient.
- The IT expert(s) of the enterprise are needed for developing/improving business processes.

HOW IS COBIT QUICKSTART PRESENTED?

The following pages provide a baseline for management and control over IT in SMEs and other entities where IT is less strategic and not as critical for survival. This baseline can also be used by larger organisations as a first step towards implementing IT governance using COBIT. It is presented in easy-to-read, tabular fashion, addressing 32 processes grouped in the four COBIT domains. For each process, there is at least one concrete control objective. For each control objective, information is provided on the RACI chart. Moreover, metrics are defined to measure the outcome of the control objective and the outcome of the process as a whole.

Each control objective also contains a reference to the original detailed control objectives of the full COBIT 4.1 from which they are derived. This can help the user access the full COBIT material when extending and customising the COBIT Quickstart framework for a specific organisation. The charts also provide an implementation status scale from 0 to 7 for each control objective. On this scale, the user can indicate where the enterprise is for a certain control objective (as-is position) and where it would like to be (to-be position). After analysing the gaps between these two positions, projects can be defined and initiated to close the gaps. An example is provided in the following figure.
Figure 7: COBIT Quickstart Layout (sample chart for AI6 Manage changes, showing the good practices, COBIT reference, RACI and metrics columns)

The COBIT Quickstart baseline, with its control objectives provided on the following pages, is presented in the tabular form illustrated in figure 7 and contains:
- High-level description of the process
- COBIT Quickstart management practices applicable after the suitability tests, organised by domain (PO, AI, DS and ME) and processes
- Reference to the full COBIT objectives used to construct the objective and the number of COBIT objectives in that process
- Potential self-assessment approach. Another option is to use traditional maturity levels: 0 Ad Hoc, 1 Initial, 2 Repeatable, 3 Defined, 4 Managed and 5 Optimised.
- RACI chart for each of the management practices. For some typical roles in the organisation (executive committee, head of IT, head IT operations, head IT development and business managers), it is defined whether that role should be responsible, accountable, consulted or informed in the context of that specific control objective. The predefined roles should not be seen as full-time equivalents. Some of these roles can be combined in reality and fulfilled by the same person.
- Most important applicable metrics. These metrics are defined at two levels. For each individual management practice, some key outcome metrics are defined to measure the outcome of that objective (as defined in the column COBIT Quickstart). Next, outcome metrics are defined at the level of a complete process (corresponding to the high-level description of the process indicated in the column COBIT).

HOW IS COBIT QUICKSTART IMPLEMENTED?

Although COBIT Quickstart can be used in a variety of ways, dependent upon the issues to be addressed, the structured process in figure 8 addresses the needs of a full implementation of an IT governance improvement programme.
Figure 8: COBIT Quickstart Implementation

Step 1. Assess suitability.
Description: Apply the suitability assessment tool provided in COBIT Quickstart to determine if the organisation is a suitable candidate for the use of the approach. The outcome will indicate whether the programme can be used as is or as supplemented with some of the more detailed components of the full COBIT, or whether the full COBIT should be applied from the outset.
Deliverable: Decision on use of COBIT Quickstart

Step 2. Evaluate current state.
Description: Use the baseline charts to define the organisation's as-is position. Typical activities in this step involve basic data gathering, interviewing of key staff responsible for these processes, and review of performance results or audit reports. Alternatively, a working team of knowledgeable staff can be assembled to work with a facilitator to fast-track the process.
Deliverable: As-is process positions

Step 3. Determine target state.
Description: Consider the organisation's operating environment and plot its to-be position on the process tables. Typical considerations include: nature of the industry; legal and regulatory requirements; sensitivity of information handled; technology dependency and goals. It is important that this positioning be developed by the organisation's management and owners, if possible, but at least approved by them.
Deliverable: To-be process positions

Step 4. Analyse gaps.
Description: Examine the control practices associated with each process gap (difference between the as-is and to-be positions) to determine the nature and magnitude of improvements required.
Deliverable: Change definitions

Step 5. Define improvement projects.
Description: Group the individual process change requirements logically into improvement projects that enable the organisation to make effective progress in manageable stages.
Deliverable: Improvement projects

Step 6. Develop an integrated IT governance implementation programme.
Description: Organise, prioritise and sequence the improvement projects into an integrated programme plan, taking into account the organisation's immediate needs, project interdependencies and resource availability.
Deliverable: Integrated programme plan

MIGRATION STRATEGIES TO MOVE FROM QUICKSTART TO FULL COBIT

COBIT Quickstart provides a baseline for control over IT and/or a starting point to a broader IT governance implementation. Any organisation applying COBIT Quickstart can start building on this baseline but should also always analyse how organisation-specific business goals drive IT goals which, in turn, drive IT process goals. This analysis is required to identify potential extensions to the baseline as required by the organisation's business and governance objectives.

Two approaches are suggested to move towards a more extended implementation of COBIT once COBIT Quickstart has been implemented:

1. Leverage the cross-references. COBIT Quickstart provides a complete overview of cross-references to the full COBIT. If weaknesses are defined in specific areas, these cross-references can provide guidance to a more extended list of control objectives in specific domains. Based on the organisation's risk and value drivers, extra control objectives can be selected for which as-is and to-be situations can be analysed and translated into improvement programmes.

2. Plan a full IT governance implementation. Follow the guidance provided in the IT Governance Implementation Guide: Using COBIT and Val IT, 2nd Edition to initiate and plan an IT governance implementation programme. A road map with suggested activities and tasks is provided.
COBIT QUICKSTART BASELINE
PO1 Define a strategic IT plan.

COBIT control objective: Ensure that IT strategy is aligned with and supports the overall business strategy.

COBIT Quickstart good practices:
1. Define the necessary IT contribution to the achievement of the enterprise's strategic objectives, related cost and performance objectives, and assess how IT can create business opportunities in a strategic IT plan.
2. Translate the strategic IT plan into short-term operations, projects and objectives. Assess the tactical performance objectives in terms of availability, functionality, current total cost of ownership and return on investment.

COBIT 4.1 references: PO1.4; PO1.2, PO1.3, PO1.5, PO1.6

Metrics:
- IT-related cost and performance objectives in the IT strategic plan that support the strategic business plan
- Existence of an approved IT strategic plan
- Percent of strategic/tactical IT plan meetings where business representatives have actively participated
- Delay between updates of the IT strategic plan and updates of the IT tactical plans
PO2 Define the information architecture.

COBIT control objective: Establish an enterprise data model that incorporates a data classification scheme to ensure the integrity and consistency of all data.

COBIT Quickstart good practices:
3. Create and maintain one list; identify and describe the major data elements for the enterprise and their syntax rules, and consider who can access and modify them.
4. Define and implement measures to ensure the integrity and consistency of all data stored in electronic form, such as databases, data warehouses and data archives.

COBIT 4.1 references: PO2.2, PO2.3, PO2.4

Metrics:
- Frequency of updates to the enterprise data model
- Percent of data elements that do not have an owner
- The existence of an approved data model
- Percent of redundant/duplicate data elements
- Percent of non-compliance with the data classification scheme
PO3 Determine technological direction.

COBIT control objective: Verify that the technology plans are adequate to accommodate likely changes in technology and business direction.

COBIT Quickstart good practices:
5. Be aware of continuing support for current systems for their expected life span. Compare actual value for money against potential value for money of more recent but proven technology.

COBIT 4.1 references: PO3.1, PO3.3

Metrics:
- Frequency of the technology infrastructure plan review/update
- The existence of an approved and updated technology infrastructure plan
PO4 Define the IT processes, organisation and relationships.

COBIT control objective: Establish transparent, flexible and responsive IT organisational structures, and define and implement IT processes with owners, roles and responsibilities integrated into business processes.

COBIT Quickstart good practices:
6. Assign IT-related roles and responsibilities clearly, with proper authority and reasonable expectations, and communicate them to all; pay attention to responsibilities in the area of security and quality.
7. Regularly review that IT-related roles and responsibilities are understood and exercised properly. Assess that people have the resources to exercise these responsibilities, and be aware that concentrated roles and responsibilities can be misused.
8. Define where outside contracting and/or outsourcing can be applied and how they are to be controlled.

COBIT 4.1 references: PO4.6, PO4.7, PO4.8, PO4.10, PO4.11, PO4.14, PO4.15

Metrics:
- Percent of roles with documented position and authority descriptions
- Conflicting responsibilities in the view of segregation of duties
- Delayed business initiatives due to organisational inertia or unavailability of necessary capabilities
- Percent of stakeholders satisfied with IT responsiveness
- Escalations or unresolved issues leading to the outsourcing of IT activities
PO5 Manage the IT investment.

COBIT control objective: Make effective and efficient IT investment and portfolio decisions, and set and track IT budgets in line with IT strategy and investment decisions.

COBIT Quickstart good practices:
9. Plan and manage IT expenditures within an annual IT budget, reflecting the enterprise's priorities, and track expenditures against expected benefits.

COBIT 4.1 references: PO5.3, PO5.4, DS6.3

Metrics:
- Percent of IT projects with the benefit defined up front
- Percent of IT projects with a post-project review
- Percent of IT investments exceeding or meeting the predefined business benefit
PO6 Communicate management aims and direction.

COBIT control objective: Appropriately define and promulgate management aims and directions with respect to IT.

COBIT Quickstart good practices:
10. Make decisions, communicate consistently and discuss regularly the basic rules of IT use, acceptable and reasonable behaviour, and operating principles of IT.
11. Encourage responsiveness in staff relative to applicable external requirements, IT risks, the protection of IT resources, the integrity of systems, and intellectual property rights of own software and enterprise data. Establish some simple dos and don'ts.

COBIT 4.1 references: PO6.3, PO6.4, PO6.5; PO6.2, PO6.3, PO6.4, PO6.5

Metrics:
- Percentage of stakeholders who understand the IT control framework
- Percentage of stakeholders who are non-compliant with the policy
- Timeliness and frequency of communication to stakeholders
- Level of understanding of IT costs, benefits, strategy, policies and service levels
More informationProcurement Programmes & Projects P3M3 v2.1 Self-Assessment Instructions and Questionnaire. P3M3 Project Management Self-Assessment
Procurement Programmes & Projects P3M3 v2.1 Self-Assessment Instructions and Questionnaire P3M3 Project Management Self-Assessment Contents Introduction 3 User Guidance 4 P3M3 Self-Assessment Questionnaire
More informationEnabling Information PREVIEW VERSION
Enabling Information These following pages provide a preview of the information contained in COBIT 5: Enabling Information. The main benefit of this publication is that it provides COBIT 5 users with a
More informationD-G4-L4-231 Data Governance Assessment Design and Implementation Deloitte LLP Service for G- Cloud IV
D-G4-L4-231 Data Governance Assessment Design and Implementation Deloitte LLP Service for G- Cloud IV September 2013 Contents 1 Service Overview 1 2 Detailed Service Description 4 3 Commercials 8 4 Our
More informationCRISC is a trademark/service mark of ISACA. The mark has been applied for or registered in countries throughout the world.
COBIT 5 Design Paper Exposure Draft ISACA With more than 86,000 constituents in more than 160 countries, ISACA (www.isaca.org) is a leading global provider of knowledge, certifications, community, advocacy
More informationWhat are the critical factors that measure the success of capital projects?
November 2002 Software Project Risk Management, Success and Training An interview with Max Wideman, first published in Projects & Profits, November 2002 issue (p59). Projects & Profits is a Monthly Digest
More informationTHE IMPORTANCE OF IT IN THE DESIGN, IMPLEMENTATION AND SUSTAINABILITY OF INTERNAL CONTROL OVER DISCLOSURE AND FINANCIAL REPORTING
IT CONTROL OBJECTIVES FOR SARBANES-OXLEY THE IMPORTANCE OF IT IN THE DESIGN, IMPLEMENTATION AND SUSTAINABILITY OF INTERNAL CONTROL OVER DISCLOSURE AND FINANCIAL REPORTING IT CONTROL OBJECTIVES FOR SARBANES-OXLEY
More informationEnterprise Security Architecture
Enterprise Architecture -driven security April 2012 Agenda Facilities and safety information Introduction Overview of the problem Introducing security architecture The SABSA approach A worked example architecture
More informationFinance Effectiveness Efficiency
Business Unit Finance Effectiveness Efficiency An overview Agenda Page 1 Efficiency - An overview 1 2 Our services 7 3 Case study 14 Section 1 Efficiency - An overview 1 Section 1 Efficiency - An overview
More informationMandatory Provident Fund Schemes Authority COMPLIANCE STANDARDS FOR MPF APPROVED TRUSTEES. First Edition July 2005. Hong Kong
Mandatory Provident Fund Schemes Authority COMPLIANCE STANDARDS FOR MPF APPROVED TRUSTEES First Edition July 2005 Hong Kong Contents Glossary...2 Introduction to Standards...4 Interpretation Section...6
More informationPractical perspectives in advancing data governance to create improved data quality frameworks
Practical perspectives in advancing data governance to create improved data quality frameworks Presented by: Micheal Axelsen Director Applied Insight Pty Ltd INTRODUCTION About this presentation Purpose
More informationCloud Readiness Workshop
Globalisation and economic pressures are changing the business landscape, increasing the pressure to expedite time-to-market with new products and services, while keeping costs down. In addition, for many
More informationMeasuring IT Governance Maturity Evidences from using regulation framework in the Republic Croatia
Measuring IT Governance Maturity Evidences from using regulation framework in the Republic Croatia MARIO SPREMIĆ, Ph.D., CGEIT, Full Professor Faculty of Economics and Business Zagreb, University of Zagreb
More informationwww.hcltech.com ANALYTICS STRATEGIES FOR INSURANCE
www.hcltech.com ANALYTICS STRATEGIES FOR INSURANCE WHITEPAPER July 2015 ABOUT THE AUTHOR Peter Melville Insurance Domain Lead Europe, HCL He has twenty five years of experience in the insurance industry
More informationUoD IT Job Description
UoD IT Job Description Role: Projects Portfolio Manager HERA Grade: 8 Responsible to: Director of IT Accountable for: Day to day leadership of team members and assigned workload Key Relationships: Management
More informationInformation Security Management System for Microsoft s Cloud Infrastructure
Information Security Management System for Microsoft s Cloud Infrastructure Online Services Security and Compliance Executive summary Contents Executive summary 1 Information Security Management System
More informationDocument management concerns the whole board. Implementing document management - recommended practices and lessons learned
Document management concerns the whole board Implementing document management - recommended practices and lessons learned Contents Introduction 03 Introducing a document management solution 04 where one
More informationInformation Management
G i Information Management Information Management Planning March 2005 Produced by Information Management Branch Open Government Service Alberta 3 rd Floor, Commerce Place 10155 102 Street Edmonton, Alberta,
More informationEXPLORING THE CAVERN OF DATA GOVERNANCE
EXPLORING THE CAVERN OF DATA GOVERNANCE AUGUST 2013 Darren Dadley Business Intelligence, Program Director Planning and Information Office SIBI Overview SIBI Program Methodology 2 Definitions: & Governance
More informationP3M3 Portfolio Management Self-Assessment
Procurement Programmes & Projects P3M3 v2.1 Self-Assessment Instructions and Questionnaire P3M3 Portfolio Management Self-Assessment P3M3 is a registered trade mark of AXELOS Limited Contents Introduction
More informationCOBIT 5 Introduction. 28 February 2012
COBIT 5 Introduction 28 February 2012 COBIT 5 Executive Summary 2012 ISACA. All rights reserved. 2 Information! Information is a key resource for all enterprises. Information is created, used, retained,
More informationEssentials to Building a Winning Business Case for Tax Technology
Essentials to Building a Winning Business Case for Tax Technology The complexity of the tax function continues to evolve beyond manual and time-consuming processes. Technology has been essential in managing
More informationITAG RESEARCH INSTITUTE
ITAG RESEARCH INSTITUTE Using CobiT and the Balanced Scorecard as Instruments for Service Level Management Wim Van Grembergen, University of Antwerp (UA), University of Antwerp Management School (UAMS)
More informationCloud Readiness Consulting Services
Cloud Readiness Consulting Services Globalisation and economic pressures are changing the business landscape, increasing the pressure to expedite time-to-market with new products and services, while keeping
More informationIT Governance and Control: An Analysis of CobIT 4.1. Prepared by: Mark Longo
IT Governance and Control: An Analysis of CobIT 4.1 Prepared by: Mark Longo December 15, 2008 Table of Contents Introduction Page 3 Project Scope Page 3 IT Governance.Page 3 CobIT Framework..Page 4 General
More informationPROCESSING & MANAGEMENT OF INBOUND TRANSACTIONAL CONTENT
PROCESSING & MANAGEMENT OF INBOUND TRANSACTIONAL CONTENT IN THE GLOBAL ENTERPRISE A BancTec White Paper SUMMARY Reducing the cost of processing transactions, while meeting clients expectations, protecting
More informationTransforming risk management into a competitive advantage kpmg.com
INSURANCE RISK MANAGEMENT ADVISORY SOLUTIONS Transforming risk management into a competitive advantage kpmg.com 2 Transforming risk management into a competitive advantage Assessing risk. Building value.
More informationAN OVERVIEW OF INFORMATION SECURITY STANDARDS
AN OVERVIEW OF INFORMATION SECURITY STANDARDS February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced
More informationITIL AND COBIT EXPLAINED
ITIL AND COBIT EXPLAINED 1 AGENDA Overview of Frameworks Similarities and Differences Details on COBIT Framework (based on version 4.1) Details on ITIL Framework, focused mainly on version.2. Comparison
More informationCLOUD GOVERNANCE: Questions Boards of Directors Need to Ask AN ISACA CLOUD VISION SERIES WHITE PAPER
AN ISACA CLOUD VISION SERIES WHITE PAPER CLOUD GOVERNANCE: Questions Boards of Directors Need to Ask Cloud computing is gaining momentum. As cloud offerings gain maturity, cloud service providers are becoming
More informationUsing QUalysgUard to Meet sox CoMplianCe & it Control objectives
WHITE PAPER Using QualysGuard to Meet SOX Compliance & IT Objectives Using QualysGuard To Meet SOX Compliance and IT Objectives page 2 CobIT 4.0 is a significant improvement on the third release, making
More informationTHE SOUTH AFRICAN HERITAGE RESOURCES AGENCY ENTERPRISE RISK MANAGEMENT FRAMEWORK
THE SOUTH AFRICAN HERITAGE RESOURCES AGENCY ENTERPRISE RISK MANAGEMENT FRAMEWORK ACCOUNTABLE SIGNATURE AUTHORISED for implementation SIGNATURE On behalf of Chief Executive Officer SAHRA Council Date Date
More informationThis article describes how these seven enablers have contributed towards better information security management at HDFC Bank.
Information Security Management at HDFC Bank: Contribution of Seven Enablers By Vishal Salvi, CISM, and Avinash W. Kadam, CISA, CISM, CGEIT, CRISC, CBCP, CISSP, CSSLP HDFC Bank was incorporated in August
More informationThe PMO as a Project Management Integrator, Innovator and Interventionist
Article by Peter Mihailidis, Rad Miletich and Adel Khreich: Peter Mihailidis is an Associate Director with bluevisions, a project and program management consultancy based in Milsons Point in Sydney. Peter
More informationThe Asset Management Landscape
The Asset Management Landscape ISBN 978-0-9871799-1-3 Issued November 2011 www.gfmam.org The Asset Management Landscape www.gfmam.org ISBN 978-0-9871799-1-3 Published November 2011 This version replaces
More informationContents. 2. Why use a Project Management methodology?
Case Study Ericsson Services Ireland The APM Group Limited 7-8 Queen Square High Wycombe Buckinghamshire HP11 2BP Tel: + 44 (0) 1494 452450 Fax + 44 (0) 1494 459559 http://www.apmgroup.co.uk/ Q:\Users\Marie
More informationRequest for Proposal. Supporting Document 3 of 4. Contract and Relationship Management for the Education Service Payroll
Request for Proposal Supporting Document 3 of 4 Contract and Relationship December 2007 Table of Contents 1 Introduction 3 2 Governance 4 2.1 Education Governance Board 4 2.2 Education Capability Board
More informationIT Governance Charter
Version : 1.01 Date : 16 September 2009 IT Governance Network South Africa USA UK Switzerland www.itgovernance.co.za info@itgovernance.co.za 0825588732 IT Governance Network, Copyright 2009 Page 1 1 Terms
More informationGeoff Harmer PhD, CEng, FBCS, CITP, CGEIT Maat Consulting Reading, UK www.maatconsulting.com
COBIT 5 All together now! Geoff Harmer PhD, CEng, FBCS, CITP, CGEIT Maat Consulting Reading, UK www.maatconsulting.com 1 Copyright Notice COBIT is 1996, 1998, 2000, 2005 2012 ISACA and IT Governance Institute.
More informationINFORMATION TECHNOLOGY FLASH REPORT
INFORMATION TECHNOLOGY FLASH REPORT ISACA Releases COBIT 5: Updated Framework for the Governance and Management of IT May 18, 2012 In April, ISACA released COBIT 5 as a replacement for its current globally
More informationIS AUDITING PROCEDURE CONTROL RISK SELF-ASSESSMENT (CRSA) DOCUMENT P5
IS AUDITING PROCEDURE CONTROL RISK SELF-ASSESSMENT (CRSA) DOCUMENT P5 Introduction The specialised nature of information systems (IS) auditing and the skills necessary to perform such audits require standards
More informationBenefits of conducting a Project Management Maturity Assessment with PM Academy:
PROJECT MANAGEMENT MATURITY ASSESSMENT At PM Academy we believe that assessing the maturity of your project is the first step in improving the infrastructure surrounding project management in your organisation.
More informationSytorus Information Security Assessment Overview
Sytorus Information Assessment Overview Contents Contents 2 Section 1: Our Understanding of the challenge 3 1 The Challenge 4 Section 2: IT-CMF 5 2 The IT-CMF 6 Section 3: Information Management (ISM)
More informationDigital Continuity Plan
Digital Continuity Plan Ensuring that your business information remains accessible and usable for as long as it is needed Accessible and usable information Digital continuity Digital continuity is an approach
More informationITIL 2011 Lifecycle Roles and Responsibilities UXC Consulting
ITIL 2011 Lifecycle Roles and Responsibilities UXC Consulting Date November 2011 Company UXC Consulting Version Version 1.5 Contact info@uxcconsulting.com.au http://www.uxcconsulting.com.au This summary
More information