COBIT Helps Organizations Meet Performance and Compliance Requirements



By Sreechith Radhakrishnan, COBIT Certified Assessor, ISO/IEC 20000 LA, ISO/IEC 27001 LA, ISO 22301 LA, ITIL Expert, PMP
COBIT Focus, 6 April 2015

Many organizations need help meeting performance and compliance requirements. A consulting company in the United Arab Emirates worked with three different organizations to help each of them meet its governance, risk and compliance (GRC) requirements. The organizations were a government organization (5,000-plus employees with 170-plus IT staff members), a large financial institution (8,000-plus employees, operating in 3 countries, with 250-plus IT staff members) and a large conglomerate (25,000-plus employees, operating in 10 countries, with 200-plus IT staff members). The consultancy determined that the best way to help these clients move from where they were to meeting their GRC requirements was to use COBIT 5. Figure 1 lists the requirements from the clients and why COBIT 5 was determined to be the best framework to employ.

Figure 1 Why Use COBIT 5?

Requirement from client: Clients were using multiple frameworks and standards, including ITIL, ISO/IEC 20000, ISO/IEC 27001, Capability Maturity Model Integration (CMMI), enterprise architecture and Project Management Institute (PMI) methodology, to manage their IT.
Why COBIT? COBIT 5 is aligned with all of these frameworks and standards.

Requirement from client: Individual functions within IT operated in silos and focused on their own framework or standard.
Why COBIT? By using the COBIT 5 framework, the organization gains overall visibility of performance, and the dependencies between functions are clearly visible when COBIT 5 is used as an integrated model.

Requirement from client: There were regulatory compliance requirements from local government and authorities.
Why COBIT? COBIT 5 supports compliance requirements, including information security and risk management.

Requirement from client: There were audit findings from regulators on internal controls.
Why COBIT? COBIT 5 also helps to describe an organization's internal controls (as COBIT 5 practices).

Source: Global Success System FZ LLC. IT Domain mapped to COBIT Processes. Reprinted with permission.

Each organization had priorities that needed to be addressed. Some of the more critical issues common to all three organizations were:

- Meeting regulatory compliance requirements
- Performing end-to-end IT process capability assessments to identify strengths, weaknesses and areas in need of improvement
- Developing IT risk management frameworks
- Most important, the need to bring all the individual functions within IT into a common, integrated model

One of the organizations had been using COBIT 4.1 for three years, and migrating to COBIT 5 was also part of its requirement. COBIT 5's process guidance and process capability assessment model, along with COBIT 4.1 and Risk IT, were used to meet the clients' needs.

Getting Support From Management

Stakeholders know that implementing critical changes in any organization requires the understanding and support of senior management. In these cases, that support was crucial. Support from senior management was obtained by identifying the business pain areas and mapping them to COBIT to explain the need for control-driven IT. The organizations also used the COBIT 5 goals cascade to explain how these projects would better align IT with business objectives. The organizations demonstrated the importance of a holistic approach, one of the COBIT 5 principles (figure 2), to improving the performance of IT.

Figure 2 COBIT 5 Principles
Source: ISACA, COBIT 5, USA, 2012

Each organization had similar goals. Each needed to establish a common vocabulary among all IT functions in order to meet the performance needs of the business and to satisfy regulatory compliance and audit requirements. COBIT was identified as the framework to meet the goals of the organizations, and its goals cascade was used to identify the right processes.

Achieving the Goals

In each case, the organizations used the same approach to achieve their stated goals. First, they performed an initial process capability assessment to identify their strengths, weaknesses and risk. From there, the most important processes and controls (practices) on which to focus and improve were selected, with priority given to compliance and audit requirements. A road map was then developed to improve the processes through short-term and long-term projects.

For each organization, the improvement journey started with developing Responsible, Accountable, Consulted and Informed (RACI) charts to assign roles and responsibilities, and with documenting policies and procedures. Particular attention was given to organizational change management through awareness sessions, train-the-trainer sessions for key personnel and frequent progress reviews.

Figure 3 shows an example of how a specific process or issue was addressed and improved: the program and project management and systems development life cycle (SDLC) improvements were mapped to COBIT 5 processes and control objectives.

Figure 3 Mapping Program and Project Management to COBIT Processes and Control Objectives

Domain: Program and Project Management

Process ID   Process Description
APO06        Manage budget and costs
APO07        Manage human resources
APO08        Manage relationships
APO10        Manage suppliers
BAI01        Manage programs and projects
BAI02        Manage requirements definition
BAI03        Manage solutions identification and build
BAI06        Manage changes
BAI07        Manage change acceptance and transitioning
DSS01        Manage operations
MEA01        Monitor, evaluate and assess performance and conformance

Source: Global Success System FZ LLC. IT Domain mapped to COBIT Processes. Reprinted with permission.

Regulatory compliance requirements were also mapped to COBIT processes and controls (figure 4).

Figure 4 Mapping Regulatory Compliance Requirements to COBIT Processes and Control Objectives

Domain: Information Security Regulations

Process ID   Process Description
APO13        Manage security
BAI09        Manage assets
APO12        Manage risk
DSS02        Manage service requests and incidents
DSS03        Manage problems
DSS05        Manage security services
DSS01        Manage operations
APO01        Manage the IT management framework
DSS04        Manage continuity
BAI01        Manage programs and projects
BAI02        Manage requirements definition
BAI03        Manage solutions identification and build
BAI07        Manage change acceptance and transitioning
DSS05        Manage security services
(no process ID given)   Process RACI charts, organization structure
MEA01        Monitor, evaluate and assess performance and conformance
MEA02        Monitor, evaluate and assess the system of internal control

Source: Global Success System FZ LLC. Regulatory Compliance Requirements mapped to COBIT Processes. Reprinted with permission.

As a result, a model (figure 5) was produced from which COBIT can be used to meet the IT performance and compliance requirements of the clients. This single integrated model helps the organizations prioritize their goals and choose the right processes and practices to meet their IT performance and regulatory compliance requirements.

Figure 5 Meeting IT Performance, Audit and Compliance Requirements Model
Source: Global Success System FZ LLC. Integrated IT Performance and Compliance Model. Reprinted with permission.

Conclusion

COBIT can be used by any organization to improve IT performance. It is not a one-size-fits-all model, so understanding the stakeholder needs and business challenges and then applying the goals cascade (enterprise goals > IT goals > enabler goals) is not only important but extremely helpful and productive. It is always critical to gain senior management buy-in by showing the business benefit of using the COBIT framework. One of the keys to successful implementation is choosing the required controls (key practices) rather than blindly following the framework and implementing every process. Ensuring that roles and responsibilities within an organization are clearly defined and shared with the team (using RACI charts) is also critical. Dividing the improvement project into small phases helps keep the project going as the organization continues to reap the benefits, and ISACA's COBIT 5 Implementation guide can be used to assist with this. The process of adopting the COBIT framework is well supported by a number of guides available from ISACA, but one should not hesitate to seek help from experts. And remember to focus more on people than on documentation. Documentation is not the implementation; implementation is about people and educating them to behave in a new way.

Sreechith Radhakrishnan, COBIT Certified Assessor, ISO/IEC 20000 LA, ISO/IEC 27001 LA, ISO 22301 LA, ITIL Expert, PMP, is lead trainer and principal consultant with Global Success Systems FZ LLC, United Arab Emirates, where he and his team help organizations improve their IT performance and reap maximum benefit from their IT investments. He is the world's first COBIT 5 Certified Assessor and an accredited trainer for multiple disciplines, including COBIT, ITIL, PMP and IT security. He has more than 19 years of IT management experience, including network infrastructure management, project management, IT operations management and service management.