Practical Cobit Implemetation Approaches: Implementing Cobit 5 In A Week

Transcription

1 Practical Cobit Implemetation Approaches: Implementing Cobit 5 In A Week Kaya Kazmirci CISA, CISM, CISSP, Cobit 5 Foundations Kazmirci Associates kaya@kayakazmirci.com Kaya Kazmirci Founder ISACA Istanbul Chapter Education Committee Chair and Past Chapter President Chair Cobit 5/CISA Translation Committees Cobit Evangelist (Regulatory Consultant & Trainer) IT Governance and Cyber Security Expert Kazmirci Associates MD Mountain Biker & Sailor Kaya.kazmirci@isaca-istanbul.org Kaya@kayakazmirci.com

2 Project Plan: Short and Sweet Cobit 5 Implementations must build on existing knowledge Training and practical group work Previously completed certifications and documentation (e.g. Cobit 4.1) Motivated team (regulatory/financial pressure and/or visionary leadership) Divide and create value (one process/capability improvement/metric at a time) C5 Training (2 Exercises Days) (1 Day) As-Is To-Be Reporting (2 Days) Kickoff! How do you eat an elephant? Critical Cobit 5 Content

3 Critical Cobit 5 Content: One bite at a time COBIT 5 is based on: 5 principles 7 enablers Goals Cascade 37 Processes in 5 Domains Implementation Approach Capability Model (Formerly Maturity Model) COBIT 5 Principles: Start with the tastiest bits 2012 ISACA All rights reserved. 6

4 Principle 1: Meeting Stakeholder Needs Enterprises have many stakeholders Governance is about Negotiating Deciding amongst different stakeholders value interests Considering all stakeholders when making benefit, resource and risk assessment decisions For each decision, ask: For whom are the benefits? Who bears the risk? What resources are required? How Do You Use The BSC? Does it predict the future? Does it correlate with future customer orders? How to measure it (surveys, consultants, standards, frameworks, metrics, maturity/capability)? Can BSC s be trusted? It costs resources to implement, does it generate ROI? Base employee bonuses on it? Complexity?

5 Principal 1 Cascade Steps (Figure 5) What is the primary Enterprise Goal? Principal 1 Cascade Steps (Figure 6) Enterprise Goals To IT Related Goals

6 Mapping IT Related Goals to C5 Processes: Less is More ITRG s map to C5 Processes Primary/Secondary Support Adopt it to your organization Keep scope narrow Focus on problem areas Principle 4: Enabling a Holistic Approach

7 Enabler 2: Processes ISACA. All rights reserved. 13 Lead and Lag Metrics: Explicit In C4.1 Process Goals (formerly KPI): How the process delivers value to IT Fire Wall Breaches Discovered Credit Card #s Lost Cost of noncompliance (fines, settlements) IT Related Goal (formerly KGI): A measure of how IT is supporting the enterprise rise

8 Process Format/Content Process: Name/Description/Purpose Management/Governance Practices (Critical) Outcomes (Combine/ Reformat) Process Format/Content Work Product Inputs (Nice to Have) Outputs (Combine/ Reformat) Supports (Nice to Have)

9 RACI Charts There Is A Lot (Too Much?) Use what you need and nothing else! 2012ISACA. All rights reserved. Cobit 5 Process Reference Model Choose Carefully! Outsourcing: APO09, 10 Security: APO13, DSS05 HR (Security): APO07, APO08 PM: APO05, 6, BAI01 SW/HW Development: BAI02, 3, 6, 7, 10 Data Center: DSS01 Help Desk: DSS02, 03 Engine Room: BAI04, DSS04

10 New and Modified Processes: APO03 Manage enterprise architecture. (TOGAF) APO04 Manage innovation. (Nice to Have) APO05 Manage portfolio. (PMBOK, Prince2) APO06 Manage budget and costs. (Activity Based Costing/Accounting) APO08 Manage relationships. (Security Impact) APO13 Manage security. (Critical) BAI05 Manage organisational change enablement. (Nice to Have) BAI08 Manage knowledge. (DS10 Manage Data in v3 more useful) BAI09 Manage assets. (Nice to Have) DSS05 Manage security service. (Critical) DSS06 Manage business process controls. (Controversial) 2012ISACA. All rights reserved. What s Missing (Next)? We Want a Camel Now Cobit Framework Suggestions

11 Framework Committee, We have a problem How do we implement Agile/Scrum in C5? Documentation requirements? Which C5 Processes to include? How do we integrate simultaneous multiple processes so they operate smoothly? Capability scores (C5) seem lower than maturity scores (C4.1 and earlier) Clients have spent LOTS improving C4.1 maturity (C5 conversion is a hard sell) Regulators can penalize for low (<3) maturity, where do we set the bar? Capability is not as clear as Maturity (nor as easy to implement) C5 capability is not prescriptive (let s create guidance) What is the value for improved Capability? DSS06 Manage Business Process Controls? What does it mean and how do we implement it in a practical sense ETOM for Telecom, Other sector based guidance would be helpful Cobit 5 Capability Less is more

12 Satisfying Cobit 5 Attributes Improves Capability How Do We Measure Capability? Level 5 Optimizing process PA.5.1 Process Innovation attribute PA.5.2 Process Optimization attribute Level 4 Predictable Process PA.4.1 Process Measurement attribute PA.4.2 Process Control attribute Level 3 Established Process PA.3.1 Process Definition attribute PA.3.2 Process Deployment attribute Level 2 Managed Process PA.2.1 Performance Management attribute PA.2.2 Work Product Management attribute Level 1 Performed process PA.1.1 Process Performance attribute Level 0 Incomplete process 2012 ISACA All rights reserved. 24

13 Process Attribute Rating Scale Cobit Capability scores 3 at a 2.5! N Not achieved 0 to 15 % achievement There is little or no evidence of achievement of the defined attribute in the assessed process P Partially achieved > 15 % to 50 % achievement There is some evidence of an approach to, and some achievement of, the defined attribute in the assessed process. Some aspects of achievement of the attribute may be unpredictable L Largely achieved > 50 % to 85% achievement There is evidence of a systematic approach to, and significant achievement of, the defined attribute in the assessed process. Some weakness related to this attribute may exist in the assessed process F Fully achieved > 85 % to 100 % achievement There is evidence of a complete and systematic approach to, and full achievement of, the defined attribute in the assessed process. No significant weaknesses related to this attribute exist in the assessed process 25 What Does That Mean? (Practical Guidance) Level 1 Some Management/Governance (M/G) Practices, Some Work Products Level 2 All M/G Practices, Work Product, Process Goals & Targets defined, RACI Level 3 Process commonly implemented, Inputs/Outputs (Training/Sourcing needs) defined, IT Related Goals defined/collected/analyzed Level 4 Process Metrics reported consistently, Goals set, Low performance reviewed Level 5 Improvement Goals set, Improvement Opportunities: Identified, Planned, Tested, Implemented & Post Implemented

14 Still Confused? More Practical Guidance CMMI Maturity seems to map well as it is based on Level 2 All of the Practices Implemented Level 3 All Activities implemented ISO > APO13 Mange Security, DSS05 Manage Security Services ISO > DSS04 Manage Continuity ISO > APO11 Manage Quality ISO > DSS01 Manage Operations, DSS02 Manage Service Requests & Incidents, DSS03 Manage Problems ISO > DSS02 (Customer Complaints) ISO > APO11 Manage Quality ISO > APO12 Manage Risk Independent Audit Financial Reporting Effective Control -> BAI06, 07 Level 4 Common enterprise wide Process Performance and Output metrics Level 5 Consistent Metric based Goals and Improvement Implementation Capability and Gap Analysis: Logistics Provider

15 Capability and Gap Analysis: NPL Collector Traditional COBIT 5 Implementation Program Management Day to day PM Enablement of change Addressing the behavioural and cultural aspects Core Continual improvement this is not a one-off project 2012 ISACA. All Rights Reserved.

16 Use The Goals Cascade to Scope Which Processes To Focus On Appendix 1

17 Start with BSC category step 1 Balanced Scorecard Financial Customer Internal Learning Enterprise Goals IT Related Goal (ITRG) COBIT Process Customer 6. Customer-oriented service culture 7. Business service continuity and availability 8. Agile responses to a changing business environment 9. Information-based strategic decision making 10. Optimisation of service delivery costs 2012 ISACA. All rights reserved. 33 Step 2 Select Enterprise Goal, IT related Goal, and Processes Customer 6. Customer-oriented service culture 7. Business service continuity and availability ITRG 07 Delivery of IT services in line with business requirements ITRG 08 Adequate use of applications, information and technology solutions ITRG 01 Alignment of IT and business strategy ITRG 04 Managed IT-related business risk ITRG 10 Security of information, processing infrastructure and applications ITRG 14 Availability of reliable and useful information for decision making PROCESSES APO09 Manage Service Agreements APO13 Manage Security BAI04 Manage Availability and Capacity BAI08 Manage Knowledge BAI10 Manage Configuration DSS03 Manage Problems DSS04 Manage Continuity PRIMARY IMPORTANCE OR IMPACT P P P P P P P 2012 ISACA. All rights reserved. 34

18 Step.3 Example APO09 Examine Metrics RELATED METRICS The number of business processes with unidentified service agreements % of live IT services covered by service Agreements % of Customers satisfied that service delivery meets agreed-on levels Number & severity of service breaches % of services being monitored to service levels % of service targets being met 2012 ISACA. All rights reserved. 35 Case Studies To Support Training and Group Work Appendix 2

19 Case Study I Case Study I Identification of IT Governance Issues 40 minutes preparation, 20 minutes discussion The objective of this exercise is to become familiar with IT governance issues and be able to explain them to executive management. Imagine that you are the newly hired CIO/IT director of the Company, and you realise that much needs to be done to improve the way IT is managed, if all the IT requirements are to be successfully delivered. You know that you were hired to sort these matters out but you feel that the board should focus on IT and they do not really know much about why it is important, what problems exist and what their responsibilities should be. You are worried that you might not be able to succeed without their full appreciation of the current issues and their support to improve the way IT is managed. You recently heard about COBIT and then discovered ITGI and ISACA on the Internet, and downloaded the Cobit 5 Enabling Processes. You have decided to use this standard to help raise awareness with the board and get them on your side working with you to fix the IT problems. Review the present situation at the Company with your group using the Goals Cascade documents as a guideline. Select Enterprise Goals and IT-Related Goals that your group feels are important to the Company. Pay particular attention to areas that you feel may be presently underserviced. Use the results of your discussion and the IT-Related Goals to Cobit 5 processes map to select 6 Cobit 5 processes which, if improved, would add significant enterprise value to the Company Your task is to work together with the rest of the IT management team (the rest of your course group) to prepare items to go into a presentation which conveys: What the processes are, why you choose them and what value their implementation will add to the Company. Select a spokesperson to present your group work. Gary Hardy Case Study II Case Study II Process Assessment 40 minutes preparation, 20 minutes presentation and discussion the Company has recognised enterprise governance implementation is a priority to enable effective corporate and IT management. After reviewing your previous presentation, the BoD has decided to implement Cobit 5 one process at a time and has asked you to complete an assessment regarding how the most critical process that you presented operates at the Company. In this exercise, you will first select a process (from those examined in Case Study I) and then assess how it operates at the Company. 1. Using what you and your teammates know and referring to the COBIT 5 Enabling Processes, consider the process and assess whether it presently fulfils the defined management/governance practices and related activities as well as delivers the defined outputs. Document any missing outputs. 2. Decide which missing practices would add value if implemented, then list and prioritize the most important 5 of them. 3. Discuss the related Cobit 5 process/it related metrics and assess whether the presently used metrics are adequate. Feel free to suggest 3 metrics that you feel would better meet the Company's needs but be aware that implementing new metrics requires resources so focus on cost effective suggestions. Gary Hardy

20 Case Study III Case Study III Capability Assessment 40 minutes preparation, 20 minutes presentation The objective of this exercise is to understand how to use the capability models in COBIT 5 to perform a capability assessment of a critical process. Use the process from Case Study II and assess its present capability at the Company. Based on its present capability, list what additional attributes need development in order for it to mature to the next level of capability. Hint: Go easy on yourselves as far as documentation requirements go. Partially (P) fullfiled attributes are ok. Work in the same group, and have a workshop as if you are the management team. One person should act as the facilitator gaining consensus as a group on what the critical attributes are and, using the COBIT capability models, considering the current level. Prepare to report the present capability as well what needs to be done to go to the next level. Prepare a short presentation to explain your results. Gary Hardy Goals Cascade Appendix 3

21 Figure 24 Mapping COBIT 5 Enterprise Goals to Governance and Management Questions Figure 24 Mapping COBIT 5 Enterprise Goals to Governance and Management Questions (cont.)

22 Figure 22 Mapping COBIT 5 Enterprise Goals to IT-related Goals Figure 23 Mapping COBIT 5 IT-related Goals to Processes

23 Figure 23 Mapping COBIT 5 IT-related Goals to Processes (cont.)