Chayuth Singtongthumrongkul





IT is complicated. IT Governance doesn't have to be.
Chayuth Singtongthumrongkul, CISSP, CISA, ITIL Intermediate, PMP, IRCA ISMS (ISO/IEC 27001)
Director of International Academic Alliance, ACIS Professional Center Co., Ltd.

COBIT 5 is the latest edition of ISACA's globally accepted IT governance framework, officially released by ISACA on April 12, 2012. COBIT is a registered trademark of ISACA. All other trademarks and company names mentioned are the property of their respective owners. ISACA 2012. All rights reserved. www.isaca.org
Reference: This presentation is excerpted and modified from ISACA's COBIT and all related documents. Source: ACIS Research; all material has been modified from ISACA's COBIT 5 and related documents.
Copyright, ACIS Professional Center Company Limited, All rights reserved 2

COBIT 5 is a major strategic improvement that provides the next generation of ISACA guidance on the governance and management of enterprise information and technology (IT) assets. Building on more than 15 years of practical application, ISACA designed COBIT 5 to meet the needs of stakeholders and to align with current thinking on enterprise governance and management techniques as they relate to information and related technology. COBIT 5 integrates all existing related ISACA guidance (COBIT 4.1, Val IT, Risk IT, BMIS) and aligns with the latest relevant standards and frameworks, and thus provides a unique overarching framework.

COBIT 5 provides an end-to-end business view of the governance of enterprise IT (GEIT), reflecting the central role of both information and technology in creating value for the business. The principles, practices, analytical tools and models found in COBIT 5 embody thought leadership and guidance from global business and IT leaders and governance experts. Business analysts should become familiar with this framework if they are not already, as it embodies the same key principle as business analysis: delivering value to the business.


Evolution of scope: 360° IT Management, COBIT 5 and IT Governance Trends
COBIT 5: now one complete business framework for governance of enterprise IT.
Scope axis of the figure: Audit, Control, Management, IT Governance.
Timeline: COBIT 1 (1996), COBIT 2 (1998), COBIT 3 (2000), COBIT 4.0/4.1 (2005/7), COBIT 5 (2012); Val IT 2.0 (2008) and Risk IT (2009) are folded in along the way.
A business framework from ISACA, at www.isaca.org/cobit.

COBIT 5 Product Family (includes implementation guidance). Source: COBIT 5 Implementation, figure 1.

COBIT 5 Product Family (includes implementation guidance). Documents officially released by April 2012: COBIT 5 Framework, COBIT 5 Enabling Processes, COBIT 5 Implementation.

COBIT 5 Product Family: a set of resources to help you implement COBIT 5 effectively in your enterprise.
COBIT 5 toolkit and materials, and documents under development:
- COBIT 5 for Information Security
- COBIT 5 for GRC
- COBIT 5 for Risk
- COBIT 5 for Assurance
- COBIT Translations
- COBIT 5 Online
- COBIT Assessment Programme
- Other Professional Guides

COBIT 4.1 and COBIT 5

IT GOVERNANCE AND GRC (Governance, Risk Management, Compliance) IN COBIT 5

A GRC Model Example

Integrated GRC Framework Strategy

ISO/IEC 38500:2008 Corporate Governance of Information Technology
ITG Framework Principles:
- Principle 1: Responsibility
- Principle 2: Strategy
- Principle 3: Acquisition
- Principle 4: Performance
- Principle 5: Conformance
- Principle 6: Human Behavior
ITG Model: a) Evaluate, b) Direct, c) Monitor

Implementing Governance: integrating the implementation of GRC activities within an enterprise requires a systemic approach for reliably achieving the business goals of its stakeholders. Such approaches are typically based on enablers of various types (e.g., principles, policies, models, frameworks, organisational structures).

IT Governance Defined: Integration of Governance and Management
- The distinction between governance and management is often misunderstood.
- Effective integration of these two elements is critical for successful IT governance in any enterprise or organization.
- IT governance is NOT responsible for rendering IT infrastructure.
- IT governance IS responsible for oversight of the management processes that render IT infrastructure.

The Relationship
- Board of Directors: IT Oversight (IT Governance)
- Business Management: Business/IT Requirements
- IT Management: IT Processes and IT Resources (COBIT, ITIL, CMMI, ISO 27001/ISO 27002, etc.), IT Assets Management


Governance and Management Processes

Process Reference Model: Separating Governance and Management
The model divides governance and management processes into two primary domains:
- Governance (1 domain, 5 processes): within each process, evaluate, direct and monitor practices are defined.
- Management (4 domains, 32 processes): in line with the responsibility areas of plan, build, run and monitor, these provide end-to-end coverage of IT management.
The processes cover the full spectrum of business and IT activities related to governance and management of enterprise IT, thus making the process model truly enterprise-wide.

New GEIT Principles in COBIT 5: COBIT 5 Principles. Source: COBIT 5, figure 2.

Governance (and Management) in COBIT 5 Governance ensures that enterprise objectives are achieved by evaluating stakeholder needs, conditions and options; setting direction through prioritisation and decision making; and monitoring performance, compliance and progress against agreed direction and objectives (EDM). Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives (PBRM). Exercising governance and management effectively in practice requires appropriately using all enablers. The COBIT process reference model allows us to focus easily on the relevant enterprise activities.

Governance in COBIT 5 (cont.) Source: COBIT 5, figure 16.

Risk Management in COBIT 5
The GOVERNANCE domain contains five governance processes, one of which focuses on stakeholder risk-related objectives: EDM03 Ensure risk optimisation.
Process Description: Ensure that the enterprise's risk appetite and tolerance are understood, articulated and communicated, and that risk to enterprise value related to the use of IT is identified and managed.
Process Purpose Statement: Ensure that IT-related enterprise risk does not exceed risk appetite and risk tolerance, the impact of IT risk to enterprise value is identified and managed, and the potential for compliance failures is minimised.

Risk Management in COBIT 5 (cont.)
The MANAGEMENT Align, Plan and Organise domain contains a risk-related process: APO12 Manage risk.
Process Description: Continually identify, assess and reduce IT-related risk within levels of tolerance set by enterprise executive management.
Process Purpose Statement: Integrate the management of IT-related enterprise risk with overall ERM, and balance the costs and benefits of managing IT-related enterprise risk.

Risk Management in COBIT 5 (cont.) Source: COBIT 5, figure 16.

Risk Management in COBIT 5 (cont.) In addition to activities, COBIT 5 suggests accountabilities and responsibilities for enterprise roles and governance/management structures (RACI charts) for each process. These include risk-related roles. Source: COBIT 5: Enabling Processes, page 108.

Compliance in COBIT 5
The MANAGEMENT Monitor, Evaluate and Assess domain contains a compliance-focused process: MEA03 Monitor, evaluate and assess compliance with external requirements.
Process Description: Evaluate that IT processes and IT-supported business processes are compliant with laws, regulations and contractual requirements. Obtain assurance that the requirements have been identified and complied with, and integrate IT compliance with overall enterprise compliance.
Process Purpose Statement: Ensure that the enterprise is compliant with all applicable external requirements.

Compliance in COBIT 5 (cont.) Source: COBIT 5, figure 16.

Compliance in COBIT 5 (cont.) Legal and regulatory compliance is a key part of the effective governance of an enterprise, hence its inclusion in the GRC term and in the COBIT 5 enterprise goals and supporting enabler process structure (MEA03). In addition to MEA03, all enterprise activities include control activities that are designed to ensure compliance not only with externally imposed legislative or regulatory requirements but also with governance-determined principles, policies and procedures of the enterprise.

Compliance in COBIT 5 (cont.) In addition to activities, COBIT 5 suggests accountabilities and responsibilities for enterprise roles and governance/management structures (RACI charts) for each process. These include a compliance-related role. Source: COBIT 5: Enabling Processes, page 213.

Summary: GRC in COBIT 5
The COBIT 5 framework includes the necessary guidance to support enterprise GRC objectives and supporting activities:
- Governance: activities related to GEIT (5 processes)
- Risk management: process and supporting guidance for risk management across the GEIT space
- Compliance: a specific focus on compliance activities within the framework and how they fit within the complete enterprise picture
Inclusion of GRC arrangements within the business framework for GEIT helps enterprises to avoid the main issue with GRC arrangements: silos of activity!

INFORMATION SECURITY IN COBIT 5

COBIT 5: Value Creation. Delivering enterprise stakeholder value requires good governance and management of IT assets, including information security arrangements. External legal, regulatory and contractual compliance requirements (sometimes covering information security requirements) related to enterprise use of information and technology are increasing, threatening value if breached. COBIT 5 provides a comprehensive framework that assists enterprises to achieve their goals and deliver value through effective governance and management of enterprise IT, providing a sound basis for information security arrangements.

COBIT 5 Integrates BMIS Components. COBIT 5 has also taken the valuable holistic, interrelated component model approach from the Business Model for Information Security (BMIS) work and incorporated it into the framework components.

COBIT 5 Integrates BMIS Components. Several of the BMIS components are now integrated within COBIT 5 as interacting enablers that support the enterprise in achieving its business goals and creating stakeholder value:
- Organisation
- Process
- People
- Human Factors
- Technology
- Culture

COBIT 5 Product Family Includes an Information Security Member

ITG IMPLEMENTATION APPROACH IN COBIT 5

Concepts for the New ITG Framework Implementation Life Cycle. Implementing and continually implementing IT governance consists of:
- Create the right environment
- Programme management / project management
- Change enablement
- Continual improvement life cycle

COBIT 5 Product Family Includes Implementation Guidance

COBIT 5 Goals Cascade Overview

Stakeholder Needs
Internal stakeholders: Board, CEO, chief financial officer (CFO), chief information officer (CIO), business executives, business process owners, business managers, risk managers, security managers, service managers, HR managers, internal audit, privacy officers, IT users, IT managers, etc.
External stakeholders: Business partners, suppliers, shareholders, regulators/government, external users, customers, standardisation organisations, external auditors, consultants, etc.

Stakeholder Needs: Internal Stakeholder Needs
- How do I get value from IT?
- How do I manage performance of IT?
- How can I best exploit new technology for new strategic opportunities?
- How do I know whether I'm compliant with all applicable regulations?
- How do I best build and structure my IT department?
- What are the (control) requirements for information?
- Did I address all IT-related risks?
- Am I running an efficient and resilient IT operation?
- How do I control the cost of IT?

Stakeholder Needs: Internal Stakeholder Needs (cont.)
- How do I use IT resources in the most effective and efficient manner?
- What are the most effective and efficient sourcing options?
- Do I have enough people for IT? How do I develop and maintain their skills, and how do I manage their performance?
- How do I get assurance over IT?
- Is the information I am processing well secured?
- How do I improve business agility through a more flexible IT environment?
- Is it clear what IT is doing?
- How often do IT projects fail to deliver what they promised?
- How critical is IT to sustaining the enterprise?

Stakeholder Needs: External Stakeholder Needs
- How do I know my business partner's operations are secure and reliable?
- How do I know the organisation is compliant with applicable rules and regulations?
- How do I know the enterprise is maintaining an effective system of internal control?

Enterprise Goals Mapped to Governance Objectives

IT Related Goals

Mapping COBIT 5 Enterprise Goals to IT Related Goals

Mapping COBIT 5 IT Related Goals to COBIT 5 Processes


Mapping COBIT 5 Enterprise Goals to Stakeholders' Needs


Thank You

www.snsconference.com: Social Networking Security and Mobile Computing Security Conference
www.cdicconference.com: Cyber Defense Initiative Conference 2012 (CDIC 2012)

www.tisa.or.th: Thailand Information Security Association
www.acisonline.net: ACIS Professional Center Co., Ltd.
Email: prinya@acisonline.net
Facebook: www.facebook.com/prinyah
Twitter: www.twitter.com/prinyaacis