Moving Forward with IT Governance and COBIT

Transcription

1 Moving Forward with IT Governance and COBIT Los Angeles ISACA COBIT User Group Tuesday 27, March 2007

2 IT GRC Questions from the CIO Today s discussion focuses on the typical challenges facing the CIO around IT Governanance, Risk and Compliance Management and provides practical solutions to address them. Questions How can I reduce compliance costs? How do I move to a risk-based approach to compliance? How can I better manage the thousands of risks we are assessing and provide management a roll-up view? How can I take credit for progress made today yet still show management there is more to be done? How can I improve consistency while allowing freedom in the field? Are we making good decisions? -1-

3 Our Perspective - Cost Reduction Question Driver Deloitte s Perspective How can I reduce compliance costs? Audit, SOX team, Compliance Dept., Information Security, Business Continuity all asking similar questions of the same groups. Compliance costs continue to spiral upward. Assess Once, Test Once Integrated Assessment Programs COBIT Aligned Risk Catalog Common Information Repository Illustrative Testing Screen Case Study Solution Highlights Take credit for all the testing you are already doing; centralized planning w/ 365 Day Compliance Calendar Provides a single view of risk and compliance requirements Internal Audit, External Audit and Self Assess using the same test procedures and understanding of risk and compliance requirements Optimized sampling reduces the overload of testing Risk-based Auditor reliance on self assessments -2-

4 Case Study Highlights Source Source Text Mapped to an Integrated Requirement that is COBIT Aligned -3-

5 Case Study Highlights Integrated Requirement COBIT Aligned Control Objective Individual requirement sources used to develop the integrated requirement Cost Reduction Strategy Because Multiple requirements are mapped to a single integrated requirement you can test once and satisfy many. -4-

6 Our Perspective Risk-Based Approach Question Driver Deloitte s Perspective How do I move to a risk-based approach to compliance? Regulatory and audit demands. Just ticking boxes, not understanding true business risk. Risk-Based Framework Risk-based approach to compliance Control Baseline Common Risk Language Illustrative Risk Assessment Screen Case Study Solution Highlights Standards based risk methodology (ISO 13335, AS/NZ 4360) Tangible and measurable risk rating scale used by multiple parties (ERM, Audit, Self) Qualitative and Quantitative Measurements Compliance criteria determined after controls are selected based on risk assessment results Consider impact and likelihood across multiple dimensions (Financial, Reputation, Contracts, Regulatory, Operations, People) Information & Technology Risks managed in functional risk areas (18 Areas) -5-

7 Our Perspective Top Down and Bottoms Up Question Driver Deloitte s Perspective How can I better manage the thousands of risks we are assessing and provide management a roll-up view? Important risk grows by volumes as you move down the organization (from board to line). Demand for alignment of business goals with self assessment process. Need both Top Down & Bottoms Up Key Risk and KRI for Top Down (Board and Sr. Mgmt) Self assessment using both workshops and questionnaires for Bottoms Up (Line Mgmt) Actual dashboard display will be driven by the choice of solution. -6- Case Study Solution Highlights A business view of what is most important to monitor from a risk perspective Manages to expected losses not unexpected losses Monthly reports with drill down capabilities. Ability to turn detailed disparate data into actionable management information. Custom reports on management hot spots. Trending, analytics and data aggregation. Insight into effectiveness of control spend and where more or less spend may be needed. Integration with golden source feeds for automation

8 Case Study Highlights Key Risks Malicious Code & Virus -7-

9 Case Study Highlights Month over Month Trending Reason for improvement (better process) noted -8-

10 Our Perspective CoBIT based Diagnostics Question Driver Deloitte s Perspective How can I take credit for progress made today yet still show management there is more to be done? CEO and Board want to know where we stand from a GRC perspective. Management spend on GRC needs to be defended. CoBIT based Diagnostics CMMI Continuous Improvement Rating Scale Risk and Compliance Operating Framework with sourced Diagnostics Case Study Solution Highlights Operating Framework Template for Information & Technology Governance, Risk and Compliance (GRC) GRC Organizational Model Template CoBIT Aligned RACI Model for GRC roles CoBIT Aligned CMMI diagnostics for each GRC area to show current and target state CMMI CoBIT Based Diagnostic Template -9-

11 Case Study Highlights We start with the COBIT 4.0 organizational model to establish roles, responsibilities and interactions for each core activity and process Example Risk Management Domain with RACI Model RISK MANAGEMENT ACTIVITIES Determine risk management alignment (e.g., assess risk). CEO CFO Business Executive CIO Head Operations Business Senior Management Chief Architect Head Development Head IT Administration PMO A R/A C C R/A I I Compliance, Audit, Risk, and Security Understand relevant strategic business objectives. Understand relevant business process objectives. Determine Identify risk internal management IT objectives alignment and establish (e.g., assess risk context. risk). Identify events associated with objectives Assess risk associated with events. Evaluate risk responses. Prioritize and plan control activities. Approve and ensure funding for risk action plans. C C R/A C C I C C R/A I A/C A/C A/C A/C A/C R/A A/C A/C C A/C C A/C C A/C A/C I I A/C A R R R R C A/C A R R R R C I I A A/C A R R R R C C C A A R R C C C C A A R I I I I I Maintain and monitor a risk action plan. Legend (A)ccountable - the person who provides direction and authorizes an activity. (R)esponsibility - the person who gets the task done. A C I R R C C C C C R (C)onsulted involved in the process. (I)nformed - knowledgeable and supports the process. -10-

12 Case Study Highlights Risk Management Non Existent (0) Initial/Ad Hoc (1) Repeatable (2) Defined Process (3) Managed (4) Optimized (5) Determine risk management alignment (e.g., assess risk). Understand relevant strategic business objectives. Understand relevant business process objectives. Identify internal IT objectives and establish risk context. Identify events associated with objectives. Assess risk associated with events. Evaluate risk responses. Prioritize and plan control activities. Approve and ensure funding for risk action plans. Maintain and monitor a risk action plan. Establish and execute a process to identify, quantify, and prioritize IT risks (i.e. a risk assessment process). Determine guidelines and procedures for mitigating and treating risks. Establish risk acceptance criteria. Develop appropriate controls to reduce and/or transfer risks Current State 2008 Target State -11-

13 Our Perspective Common Framework Question Driver Deloitte s Perspective How can I improve consistency while allowing freedom in the field? Regulatory and audit demands. Conflicting results reported at Board level. Demand for risk and control decision making autonomy in the field. Single Framework Prescriptive minimum baseline Global, Regional and Local roles Reference Architectures (i.e., Configuration Items in ITIL) Self Assessment Process Template Case Study Solution Highlights End-to-end self assessment process Templates for roles and workflow Technology enabled Provides common repository of risk requirements and risk responses Leverages Reference Architectures for baseline control decisions and allows for documented deviation Allows for independent and automated QA Tracks progress and automates escalation System supported sign-off of results -12-

14 Our Perspective Decision Support Question Driver Deloitte s Perspective Are we making good decisions? Business demands a transparent method to reward risk mitigation. Backlash against best practice standards that aren t operationally sustainable. Analytic Decision Support Business Unit discretion on control selection Risk analytics provide costbenefit business case for decisions Case Study Solution Highlights Aggregate loss model that ties likelihood and impact of risk materializing together Business-unit level risk distributions can be developed Transparent cost-benefit of mitigation strategies Business decides the right risk-reward balance COBIT 4 aligned control objectives Illustrative Risk Response Screen -13-

15 Conclusion COBIT is one of the major ingredients companies use to achieve these objectives. A single view of business requirements. A common risk language (e.g. inherent, target and residual risk) and definition of high, medium, low risk. A process for aligning multiple stakeholder agendas. An IT Risk and Compliance Program integrated with ERM. IT Risk and Compliance Office established with supporting roles and responsibilities defined. A consistent way to define, engineer and assess the environment through reference architectures. A repository of collaborative risk decisions. Ability to test and report consistently across a global enterprise. Ability to validate control design and effectiveness of outsourcers and third parties. Business aligned control decisions. Risk based approach to compliance. Issue and corrective plan tracking. Ad-hoc and audience specific reporting. A 365 day risk and compliance calendar to keep stakeholders aware of activities. -14-

16 7:15 7:30 Q&A Session

17 About Deloitte Deloitte refers to one or more of Deloitte Touche Tohmatsu, a Swiss Verein, its member firms, and their respective subsidiaries and affiliates. Deloitte Touche Tohmatsu is an organization of member firms around the world devoted to excellence in providing professional services and advice, focused on client service through a global strategy executed locally in nearly 150 countries. With access to the deep intellectual capital of approximately 135,000 people worldwide, Deloitte delivers services in four professional areas audit, tax, consulting and financial advisory services and serves more than one-half of the world s largest companies, as well as large national enterprises, public institutions, locally important clients, and successful, fast-growing global growth companies. Services are not provided by the Deloitte Touche Tohmatsu Verein, and, for regulatory and other reasons, certain member firms do not provide services in all four professional areas. As a Swiss Verein (association), neither Deloitte Touche Tohmatsu nor any of its member firms has any liability for each other s acts or omissions. Each of the member firms is a separate and independent legal entity operating under the names Deloitte, Deloitte & Touche, Deloitte Touche Tohmatsu, or other related names. In the US, Deloitte & Touche USA LLP is the US member firm of Deloitte Touche Tohmatsu and services are provided by the subsidiaries of Deloitte & Touche USA LLP (Deloitte & Touche LLP, Deloitte Consulting LLP, Deloitte Financial Advisory Services LLP, Deloitte Tax LLP and their subsidiaries), and not by Deloitte & Touche USA LLP. The subsidiaries of the US member firm are among the nation's leading professional services firms, providing audit, tax, consulting and financial advisory services through nearly 30,000 people in more than 80 cities. Known as employers of choice for innovative human resources programs, they are dedicated to helping their clients and their people excel. For more information, please visit the US member firm s web site at