COBIT for IT Governance

Transcription

1 COBIT for IT Governance -Sanjiv Agarwala, CISSP,CISA,CISM,CGEIT,ITIL,MBCI Director, Trainer and Principal Consultant Oxygen Consulting Services Pvt. Ltd.

2 IT Governance issue in Banking environment: Major IT development projects need to be aligned with business strategy IT-enabled investment programmes and other IT assets and services to ascertain that they deliver the greatest possible value in supporting the bank's strategy and objectives IT function supports robust and comprehensive Management Information System in respect of various business functions as per the needs of the business that facilitate decision making by management Tools such as IT balanced scorecard may be considered for implementation, with approval from key stakeholders

3 Project management and quality assurance steps should be implemented to ensure systems are delivered on time, to cost and with the necessary level of functionality Periodical review of all non-performing or irrelevant IT projects in the bank, if any, and taking suitable actions IT management needs to assess IT risks and suitably mitigate them. Bank s risk management processes for its e-banking activities are integrated into its overall risk management approach. Note: RBI has made a reference to COBIT as a framework that can be considered for IT Governance (page 6 of the RBI guidelines on Information security, Electronic Banking, Technology risk management and cyber frauds)

4 COBIT: Governance of Enterprise IT (GEIT) Evolution of scope IT Governance Management Control Audit Val IT 2.0 (2008) Risk IT (2009) COBIT1 COBIT2 COBIT3 COBIT4.0/ / A business framework from ISACA, at Source: COBIT 5 Introduction Presentation 2012 ISACA All rights reserved.

5 COBIT5 Framework and Overview COBIT stands for Control OBjectives for IT and related standards COBIT 5 enables information and related technology to be governed and managed in a holistic manner for the entire enterprise, taking in the full end-toend business and functional areas of responsibility, considering the IT-related interests of internal and external stakeholders. The COBIT 5 principles and enablers are generic and useful for enterprises of all sizes, whether commercial, not-for-profit or in the public sector. Simply stated, COBIT 5 helps enterprises create optimal value from IT by maintaining a balance between realising benefits and optimising risk levels and resource use. COBIT 5 brings together the five principles that allow the enterprise to build an effective governance and management framework based on a holistic set of seven enablers that optimises information and technology investment and use for the benefit of stakeholders.

6 COBIT5 Principles Source: COBIT 5, figure ISACA All rights reserved.

7 Principle 1. Meeting Stakeholder Needs Enterprises exist to create value for their stakeholders. Source: COBIT 5, figure ISACA All rights reserved. 7

8 1. Meeting Stakeholder Needs (cont.) Principle 1. Meeting Stakeholder Needs: Stakeholder needs have to be transformed into an enterprise s practical strategy. The COBIT 5 goals cascade translates stakeholder needs into specific, practical and customised goals within the context of the enterprise, IT-related goals and enabler goals. Source: COBIT 5, figure ISACA All rights reserved. 8

9 Principle 2. Covering the Enterprise End-to-end: COBIT 5 addresses the governance and management of information and related technology from an enterprisewide, end-to-end perspective. This means that COBIT 5: Integrates governance of enterprise IT into enterprise governance, i.e., the governance system for enterprise IT proposed by COBIT 5 integrates seamlessly in any governance system because COBIT 5 aligns with the latest views on governance. Covers all functions and processes within the enterprise; COBIT 5 does not focus only on the IT function, but treats information and related technologies as assets that need to be dealt with just like any other asset by everyone in the enterprise. Source: COBIT 5 Introduction Presentation 2012 ISACA All rights reserved. 9

10 Principle 3. Applying a Single Integrated Framework: COBIT 5 aligns with the latest relevant other standards and frameworks used by enterprises: Enterprise: COSO, COSO ERM, ISO/IEC 9000, ISO/IEC IT-related: ISO/IEC 38500, ITIL, ISO/IEC series, TOGAF, PMBOK/PRINCE2, CMMI This allows the enterprise to use COBIT 5 as the overarching governance and management framework integrator. ISACA plans a capability to facilitate COBIT user mapping of practices and activities to third-party references. Source: COBIT 5 Introduction Presentation 2012 ISACA All rights reserved. 10

11 Principle 4. Enabling a Holistic Approach COBIT 5 enablers are: Factors that, individually and collectively, influence whether something will work in the case of COBIT, governance and management over enterprise IT Driven by the goals cascade, i.e., higher-level IT-related goals define what the different enablers should achieve Described by the COBIT 5 framework in seven categories Source: COBIT 5 Introduction Presentation 2012 ISACA All rights reserved. 11

12 Principle 4. Enabling a Holistic Approach Source: COBIT 5, figure ISACA All rights reserved. 12

13 Principle 5. Separating Governance From Management: The COBIT 5 framework makes a clear distinction between governance and management. These two disciplines: Encompass different types of activities Require different organisational structures Serve different purposes Governance In most enterprises, governance is the responsibility of the board of directors under the leadership of the chairperson. Management In most enterprises, management is the responsibility of the executive management under the leadership of the CEO. Source: COBIT 5 Introduction Presentation 2012 ISACA All rights reserved. 13

14 COBIT5 Difference between Governance and Management Governance ensures that enterprise objectives are achieved by evaluating stakeholder needs, conditions and options; setting direction through prioritisation and decision making; and monitoring performance, compliance and progress against agreed-on direction and objectives (EDM). Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives (PBRM). Source: COBIT 5 Introduction Presentation 2012 ISACA All rights reserved.

15 COBIT 5: Enabling Processes COBIT 5: Enabling Processes complements COBIT 5 and contains a detailed reference guide to the processes that are defined in the COBIT 5 process reference model: In Chapter 2, the COBIT 5 goals cascade is recapitulated and complemented with a set of example metrics for the enterprise goals and the IT-related goals. In Chapter 3, the COBIT 5 process model is explained and its components defined. Chapter 4 shows the diagram of this process reference model. Chapter 5 contains the detailed process information for all 37 COBIT 5 processes in the process reference model. Source: COBIT 5 Introduction Presentation 2012 ISACA All rights reserved. 15

16 COBIT 5: Enabling Processes (cont.) Source: COBIT 5, figure ISACA All rights reserved. 16

17 Governance in COBIT 5 The COBIT 5 process reference model subdivides the ITrelated practices and activities of the enterprise into two main areas governance and management with management further divided into domains of processes The GOVERNANCE domain contains five governance processes; within each process, evaluate, direct and monitor (EDM) practices are defined. 01 Ensure governance framework setting and maintenance. 02 Ensure benefits delivery. 03 Ensure risk optimisation. 04 Ensure resource optimisation. 05 Ensure stakeholder transparency. The four MANAGEMENT domains are in line with the responsibility areas of plan, build, run and monitor (PBRM).

18 References: 1. Guidelines on Information security, Electronic Banking, Technology risk management and cyber frauds (RBI) 2. COBIT:

19 COBIT for IT Governance -Sanjiv Agarwala, CISSP,CISA,CISM,CGEIT,ITIL,MBCI Director, Trainer and Principal Consultant Oxygen Consulting Services Pvt. Ltd.