COBIT 5 Process Assessment Method (PAM) Debra Mallette, CGEIT, CISA, CSSBB Governance Risk and Compliance -G22



Similar documents
Understanding COBIT 5. based on ISACA Materials Prepared by: Deb Mallette, CGEIT, CISA, CSSBB, IMG BSMS EPDM, Process Consultant

Revised October 2013

Auditors Need to Know June 13th, ISACA COBIT 5 for Assurance

CLOUD SECURITY THROUGH COBIT, ISO ISMS CONTROLS, ASSURANCE AND COMPLIANCE

Geoff Harmer PhD, CEng, FBCS, CITP, CGEIT Maat Consulting Reading, UK

Presented by. Denis Darveau CISM, CISA, CRISC, CISSP

Roles, Activities and Relationships

itsmf USA Problem Management Community of Interest

COBIT Helps Organizations Meet Performance and Compliance Requirements

Increasing IT Value and Reducing Risk. More for Less with COBIT5. IT Governance and Strategy

TIPA : services based on standards

COBIT 5 Introduction. 28 February 2012

BCS Specialist Certificate in Business Relationship Management Syllabus. Version 1.9 March 2015

Sound Transit Internal Audit Report - No

Criticism of Implementation of ITSM & ISO20000 in IT Banking Industry. Presented by: Agus Sutiawan, MIT, CISA, CISM, ITIL, BSMR3

S11 - Implementing IT Governance An Introduction Debra Mallette

COPYRIGHTED MATERIAL. Contents. Acknowledgments Introduction

Mapping COBIT 5 with IT Governance, Risk and Compliance at Ecopetrol S.A. By Alberto León Lozano, CISA, CGEIT, CIA, CRMA

COBIT 5 and the Process Capability Model. Improvements Provided for IT Governance Process

Terms of Reference for an IT Audit of

Introduction to ITIL for Project Managers

IT Governance Implementation Workshop

Implementing COBIT based Process Assessment Model for Evaluating IT Controls

An Implementation Roadmap

Sound Transit Internal Audit Report - No

COBIT 5 For Cyber Security Governance and Management. Nasser El-Hout Managing Director Service Management Centre of Excellence (SMCE)

ISO/IEC Part 2 provides the following copyright release:

Integrating the Project Portfolio Management and Service Portfolio Management: The Governance of Enterprise IT Perspective

COBIT 5: A New Governance Framework for Managing & Auditing the Technology Environment CS 6-7: Tuesday, July 7 3:30-4:30

Governance SPICE. ISO/IEC for Internal Financial Controls and IT Management. By János Ivanyos, Memolux Ltd. (H)

ITIL. Lifecycle. ITIL Intermediate: Continual Service Improvement. Service Strategy. Service Design. Service Transition

ITIL's IT Service Lifecycle - The Five New Silos of IT

Effectively Using CobiT in IT Service Management

Chayuth Singtongthumrongkul

Advanced Topics for TOGAF Integrated Management Framework

BCS Specialist Certificate in Change Management Syllabus

Applying Integrated Risk Management Scenarios for Improving Enterprise Governance

Tutorial: Towards better managed Grids. IT Service Management best practices based on ITIL

Certified Information Security Manager (CISM)

Citation for published version (APA): Berthing, H. H. (2014). Vision for IT Audit Abstract from Nordic ISACA Conference 2014, Oslo, Norway.

Information Technology Auditing for Non-IT Specialist

ITSM Reporting Services. Enterprise Service Management. Monthly Metric Report

ESKITP Manage IT service delivery performance metrics

ISO20000: What it is and how it relates to ITIL v3

Measuring IT Governance Maturity Evidences from using regulation framework in the Republic Croatia

Internal Audit Report ITS CHANGE MANAGEMENT PROCESS. Report No. SC-11-11

IT Professional Standards. Information Security Discipline. Sub-discipline 605 Information Security Testing and Information Assurance Methodologies

Preliminary Reference Guide for Software as a Service (SaaS)

COBIT 5 for Risk. CS 3-7: Monday, July 6 4:00-5:00. Presented by: Nelson Gibbs CIA, CRMA, CISA, CISM, CGEIT, CRISC, CISSP ngibbs@pacbell.

Dallas IIA Chapter / ISACA N. Texas Chapter. January 7, 2010

iso20000templates.com

Using COSO Small Business Guidance for Assessing Internal Financial Controls

ITIL AND COBIT EXPLAINED

BADM 590 IT Governance, Information Trust, and Risk Management

Preparation Guide. EXIN IT Service Management Associate Bridge based on ISO/IEC 20000

PwC Luxembourg. Models for the governance of your investments with Portfolio Management September 2009

IT Governance. Infocom India Presentation. Pathfinder Technology Solutions. December 6, 2006

Systems and software engineering Lifecycle profiles for Very Small Entities (VSEs) Part 5-6-2:

IT Audit in the Cloud

This article describes how these seven enablers have contributed towards better information security management at HDFC Bank.

BCS Specialist Certificate in Service Desk & Incident Management Syllabus

Security Engineering Best Practices. Arca Systems, Inc Boone Blvd., Suite 750 Vienna, VA

Cybersecurity Audit Why are we still Vulnerable? November 30, 2015

Was muss ein Unternehmen im Griff haben, wenn es IT einsetzt? Jimmy Heschl

INFORMATION TECHNOLOGY FLASH REPORT

Foundation Bridge in IT Service Management (ITSM) according to ISO/IEC Specification Sheet. ISO/IEC Foundation Bridge TÜV SÜD Akademie

Setting goals and measuring the value of Enterprise IT Architecture using COBIT 5 framework

IT GOVERNANCE PANEL BRING VALUE BY AUDITING IT GOVERNANCE GET THE

ISO 21500: Did we need it? A Consultant's Point of View after a first experience. Session EM13TLD04

Beyond Mandates: Getting to Sustainable IT Governance Best Practices. Steve Romero PMP, CISSP, CPM IT Governance Evangelist

Achieving Business Imperatives through IT Governance and Risk

ITIL Introduction and Overview & ITIL Process Map

2009 Solvay Brussels School and IT Governance institute

Life Cycle Models, CMMI, Lean, Six Sigma Why use them?

The Self-Assessment Methodology - Guidance

COBIT 5 Foundation Workshop. COBIT is a trademark of the Information Systems Audit and Control Association and the IT Governance Institute

HIPAA and HITRUST - FAQ

Cloud Security Benchmark: Top 10 Cloud Service Providers Appendix A E January 5, 2015

A FRAMEWORK FOR INTEGRATING SARBANES-OXLEY COMPLIANCE INTO THE SOFTWARE DEVELOPMENT PROCESS

Blackhawk Technical College. Information Technology Services. Process Improvement Visioning Document

Preparation Guide. EXIN IT Service Management Associate based on ISO/IEC 20000

White Paper. COBIT 5 & BiSL

Health Informatics Service Accreditation Manual. Assessment Process. May 2013, Version 1

How to Design and Manage ITIL

AN OVERVIEW OF INFORMATION SECURITY STANDARDS

PCI Policy Compliance Using Information Security Policies Made Easy. PCI Policy Compliance Information Shield Page 1

How small and medium-sized enterprises can formulate an information security management system

Sample Exam. IT Service Management Foundation based on ISO/IEC 20000

Governance and Management of Information Security

How To Implement An Oiso Medical Device Quality Management System

Recent Advances in Automatic Control, Information and Communications

EXIN IT Service Management Foundation based on ISO/IEC 20000

Gobierno de TI Enfrentando al Reto. IT Governance Facing the Challenge. Everett C. Johnson, CPA International President ISACA and ITGI

Transcription:

COBIT 5 Process Assessment Method (PAM) Debra Mallette, CGEIT, CISA, CSSBB Governance Risk and Compliance -G22

Session Objectives Why Assess Process Capability COBIT 5 Process Assessment Model Relationship to ISO/IEC 15504 An assessment walk through of: Define and manage service levels 2

Why Assess Process Capability? Informs executive management, board of directors and management stakeholders of: the capability of its IT processes targets for improvement based on business requirements Enables fact-based decisions of where and how to apply resources in order to mitigate risks or assure value is delivered 3

When? 2. Where are we now? Define the Problems and Opportunities Form Powerful Guiding Team Assess the Current State 4

COBIT Process Assessment Model 1 st Described in COBIT Process Assessment Model (PAM): Using COBIT 4.1. PAM brings together ISO and ISACA. COBIT 4.1 was adapted into ISO 15504 compliant Process Reference Model for COBIT 4.1 PAM COBIT 5 Enabling Processes designed for ISO 15504 compliance Copyright ISACA 2011. All rights reserved Slide 5 5

What s different? But don t we already have maturity models for COBIT 4.1 processes? The new COBIT assessment programme is: A robust assessment process based on ISO 15504 An alignment of COBIT s maturity model scale with the international standard A capability-based assessment model More rigor results in a more robust, objective and repeatable assessment Caution: Assessment results will likely vary from existing COBIT maturity models (or any other capability and/or maturity model!) Copyright ISACA 2011. All rights reserved Slide 6 6

ISO 15504 Assessment Overview INITIAL INPUT PROCESS PROCESS MEASUREMENT FRAMEWORK ASSESSMENT MODEL REFERENCE MODEL Purpose Capability Levels Scope Process Scope Assessment Model Domain and ASSESSMENT Scope Process Attributes Indicators PROCESS Constraints Process Purpose Rating Scale Mapping Planning OUTPUT Identities Process Outcomes Approach Translation Data Collection Date ROLES AND Data RESPONSIBILITIES Validation Assessment Input Assessor Assessment Process Process Attribute Identification Rating of Evidence competence Sponsor criteria Reporting Assessment Process Used Additional Competent Process Assessor Profiles Information Assessors Additional Information This figure is reproduced from ISO 15504-2:2003 with the permission of ISO at www.iso.org. Copyright remains with ISO. 7

Assessment Model: Process Reference Model PROCESS REFERENCE MODEL Domain and Scope Process Purpose Process Outcomes Process Assessment Model Assessment Process This figure is reproduced from ISO 15504-2:2003 with the permission of ISO at www.iso.org. Copyright remains with ISO. 8

COBIT as Process Reference Model PROCESS REFERENCE MODEL Domain and Scope Process Purpose Process Outcomes 4.1 or 5.0? Purpose Outcomes Base Practices Work Products 9

COBIT 5 Process Reference Model in PAM (excerpt from Draft) Purpose Outcomes Base Practices Work Products 10

Process ID: Name Process Description Process Purpose Statement COBIT 5 Process Reference Model APO09 Manage Service Agreements Align IT-enabled services and service levels with enterprise needs and expectations, including identification, specification, design, publishing, agreement, and monitoring of IT services, service levels and performance indicators Ensure that IT services and service levels meet current and future enterprise requirements. in PAM (excerpt from Draft) Purpose: high-level measurable objectives of performing the process and the likely outcomes of effective implementation of the process 11

COBIT 5 Process Reference Model in PAM (excerpt from Draft) Outcomes (O) Number Description APO09-O1 The enterprise can effectively utilize IT services as defined in a catalogue. APO09-O2 Service Agreements reflect enterprise needs and the capabilities of IT. APO09-O3 IT Services perform as stipulated in service agreements. Outcomes: observable results of a process an artefact, a significant change of state or the meeting of specified constraints 12

COBIT 5 Process Reference Model Base Practices (BPs) Number Description Supports APO09- BP1 APO09- BP2 APO09- BP3 APO09- BP4 in PAM (excerpt from Draft) Identify IT services. Catalogue IT-enabled services. Define and prepare service agreements. Monitor and report service levels. APO09-O1 APO09-O1 APO09- O1/O2 APO09-O3 APO09- Review service APO09-O3 BP5 agreements and contracts. Base Practices: activities that, when consistently 13 performed, contribute to achieving the process purpose

COBIT 5 Process Reference Model Work Products (WPs) Inputs in PAM (excerpt from Draft) Number Description Supports EDMO4- WP1 APO02- WP8 APO02- WP9 APO06- WP4 Guiding principles for allocation of resources and capabilities Gaps and changes required to realize target capability Value Benefit statement for target environment IT Budget and plan Work Products: artefacts associated with the execution of a process inputs and outputs APO09-BP2 APO09-O1 14

COBIT 5 Process Reference Model in PAM (excerpt from Draft) Purpose Outcomes Base Practices Work Products 15

COBIT 5 Enabling Processes as Process Reference Model You don t need the COBIT 5 PAM to get started. COBIT 5 Enabling Processes already documented as a ISO 15504 PRM Purpose Outcomes Base Practices Work Products 16

COBIT 5 Enabling Processes Purpose Outcomes Base Practices Work Products APO09 Manage Service Agreements Purpose: Process Purpose Statement is the Purpose. Outcomes: Under Process Goals and Metrics, the Process Goals are the observable outcomes. 17

COBIT 5 Enabling Processes APO09 Manage Service Agreements Base Practices: The Management Practices are the Base Practices. Purpose Outcomes Base Practices Work Products Work Products: The Inputs and Outputs are the Work Products and/or Evidence. 18

Assessment Model: Measurement Framework MEASUREMENT FRAMEWORK Capability Levels Process Attributes Rating Scale 19

Process Capability Levels & Attributes Optimizing The process is continuously improved to meet relevant current and projected business goals. Level 5 PA 5.1 PA 5.2 Optimizing process Process innovation attribute Process optimization attribute Predictable The process is enacted consistently within defined limits. Level 4 PA 4.1 PA 4.2 Predictable process Process measurement attribute Process control attribute Established A defined process is used based on a standard process. Level 3 PA 3.1 PA 3.2 Established process Process definition attribute Process deployment attribute Level 1 PA 1.1 Level 2 PA 2.1 PA 2.2 Performed process Managed process Process performance attribute Performance management attribute Work product management attribute Performed The process is implemented and achieves its process purpose. Managed The process is managed and work products are established, controlled and maintained. Level 0 Incomplete process Incomplete The process is not implemented or fails to achieve its purpose. 20

Process Capability Levels & Attributes Level 0 Incomplete process Incomplete The process is not implemented or fails to achieve its purpose. 21

Process Capability Levels & Attributes Level 1 Performed process PA 1.1 Process performance attribute Performed The process is implemented and achieves its process purpose. Level 0 Incomplete process Incomplete The process is not implemented or fails to achieve its purpose. 22

Process Capability Levels & Attributes Level 2 Managed process PA 2.1 Performance management attribute PA 2.2 Work product management attribute Managed The process is managed and work products are established, controlled and maintained. Level 1 PA 1.1 Performed process Process performance attribute Performed The process is implemented and achieves its process purpose. Level 0 Incomplete process Incomplete The process is not implemented or fails to achieve its purpose. 23

Process Capability Level & Attributes Established A defined process is used based on a standard process. Level 1 PA 1.1 Level 2 PA 2.1 PA 2.2 Performed process Managed process Process performance attribute Level 3 Established process PA 3.1 Process definition attribute PA 3.2 Process deployment attribute Performance management attribute Work product management attribute Performed The process is implemented and achieves its process purpose. Managed The process is managed and work products are established, controlled and maintained. Level 0 Incomplete process Incomplete The process is not implemented or fails to achieve its purpose. 24

Process Capability Levels & Attributes Predictable The process is enacted consistently within defined Established A defined process is used based on a standard process. limits. Level 1 PA 1.1 Level 2 PA 2.1 PA 2.2 Level 3 PA 3.1 PA 3.2 Performed process Managed process Process performance attribute Level 4 Established process Process definition attribute Process deployment attribute Performance management attribute Work product management attribute Predictable process PA 4.1 Process measurement attribute PA 4.2 Process control attribute Performed The process is implemented and achieves its process purpose. Managed The process is managed and work products are established, controlled and maintained. Level 0 Incomplete process Incomplete The process is not implemented or fails to achieve its purpose. 25

Process Capability Levels & Attributes Optimizing The process is continuously Predictable The process is enacted consistently within defined limits. improved to meet relevant current and projected business Level 2 goals. Established A defined process is used based on a standard process. Level 1 PA 1.1 PA 2.1 PA 2.2 Level 3 PA 3.1 PA 3.2 Performed process Managed process Process performance attribute Level 4 PA 4.1 PA 4.2 Level 5 Established process Process definition attribute Process deployment attribute Performance management attribute Work product management attribute Optimizing Predictable process process Process measurement attribute Process control attribute PA 5.1 Process innovation attribute PA 5.2 Process optimization attribute Performed The process is implemented and achieves its process purpose. Managed The process is managed and work products are established, controlled and maintained. Level 0 Incomplete process Incomplete The process is not implemented or fails to achieve its purpose. 26

Process Capability Levels & Attributes Optimizing The process is continuously improved to meet relevant current and projected business goals. Level 5 PA 5.1 PA 5.2 Optimizing process Process innovation attribute Process optimization attribute Predictable The process is enacted consistently within defined limits. Level 4 PA 4.1 PA 4.2 Predictable process Process measurement attribute Process control attribute Established A defined process is used based on a standard process. Level 3 PA 3.1 PA 3.2 Established process Process definition attribute Process deployment attribute Level 1 PA 1.1 Level 2 PA 2.1 PA 2.2 Performed process Managed process Process performance attribute Performance management attribute Work product management attribute Performed The process is implemented and achieves its process purpose. Managed The process is managed and work products are established, controlled and maintained. Level 0 Incomplete process Incomplete The process is not implemented or fails to achieve its purpose. 27

Process Attributes Each of the 9 Process Attributes are specified as: Result of Full Achievement of Attribute Generic Practices (GPs) Generic Work Products (GWPs) 28

Capability Level 1: Performed PA1.1 Process Performance Result of Full Achievement of the Attribute The process achieves its defined outcomes. PA1.1-Process Performance Generic Practices (GPs) GP1.1.1 Achieve the process outcomes. There is evidence that the intent of base practice is being performed. Generic Work Products (GWPs) Work products are produced that provide evidence of process outcomes. 29

Capability Level 1: Performed PA1.1 Process Performance Capability Level 1 Performed? PA1.1 Process Performance? Does the process achieve its defined outcomes? As evidenced by: - Production of an object - A significant change of state - Meeting of specified constraints -e.g., requirements, goals 30

Process Attribute Rating Scale COBIT assessment process measures the extent to which a given process achieves the process attributes as: Result of Full Achievement of Attribute Generic Practices (GPs) Generic Work Products (GWPs) 31

Process Attribute Rating Scale N Not COBIT achieved >0 assessment to process 15% achievement measures the extent Little to which or no a given evidence process of achievement achieves the process P Partially attributes. achieved > 15% to 50% achievement Some evidence of approach Some achievement with aspects unpredictable L Largely achieved > 50% to 85% achievement Evidence of systematic approach Significant achievement with some weakness F Fully achieved > 85% to 100% achievement Evidence of a complete & systematic approach Full achievement, no significant weaknesses 32

Process Attribute Rating Heat Map Process Attribute Achievement 85% 85%-100% Fully achieved 50% 50%-85% Largely achieved 15% 15%-50% Partially achieved 0% 0-15% Not achieved 33

Capability Level & Process Attributes Capability Level Process Attribute 1 2 3 4 5 Level 5: Optimizing PA5.1&5.2 L/F Level 4: Predictable PA4.1&4.2 L/F F Level 3: Established PA3.1&3.2 L/F F F Level 2: Managed PA2.1&2.2 L/F F F F Level 1: Performed PA1.1 L/F F F F F Level 0: Incomplete L/F = Largely or Fully Achieved F = Fully Achieved 34

COBIT Assessment Model Overview PROCESS ASSESSMENT MODEL Scope Indicators Mapping Translation 35

COBIT 4.1 PAM: COBIT 4.1 Capability + Attributes & PRM Optimizing Predictable Established Managed Performed Incomplete Capability PRM Measurement Purpose System Outcomes Base Practices Work Products This figure is reproduced from ISO 15504-5 2006 with the permission of ISO at www.iso.org. Copyright remains with ISO. 36

COBIT 5 PAM => COBIT 5 Capability + Attributes & PRM Optimizing Predictable Established Managed Performed Incomplete Capability Measurement System PRM Purpose Outcomes Base Practices Work Products 37

Primary and Supporting Processes in PRM 38

Assess Process Capability with PAM: COBIT 5 PAM Example: APO09 Manage Service Agreements 39

APO09 Manage Service Agreements Capability Level 1 Performed? PA1.1 Process Performance? Does the process achieve its defined outcomes? As evidenced by: - Production of an object - A significant change of state - Meeting of specified constraints -e.g., requirements, goals 40

APO09 Manage Service Agreements Capability Level 1 Performed? PA1.1 Process Performance? Does Process the process Attribute achieve Achievement its defined outcomes? 85% As evidenced 85%-100% by: Fully achieved - Production of an object 50% 50%-85% Largely achieved - A significant change of state 15% 15%-50% Partially achieved - Meeting of specified constraints -e.g., requirements, goals 0% 0-15% Not achieved 41

(Draft) COBIT 5 PAM: APO09 Manage Service Agreements Purpose Outcomes Base Practices Work Products 42

Capability Level 2 Managed PA 2.1 Performance Management a.objectives for process performance identified? b.performance of process planned and monitored? c. Performance of process adjusted to meet plans? d.responsibilities and authorities for performing the process defined, assigned and communicated? e.resources and information necessary for performing the process identified, made available, allocated and used? f. Interfaces between involved parties managed to ensure effective communication and clear assignment of responsibility? 43

Capability Level 2: Managed PA2.2 Work Product Management a.have requirements for the work products of the process been defined? b.have requirements for documentation and control of the work products been defined? c. Are work products appropriately identified, documented and controlled? d.are work products reviewed in accordance with planned arrangements and adjusted as necessary to meet requirements? 44

Assessed Process Capability Level Process Assessed Capability Level 0: Incomplete Capability Level 1: Performed Capability Level 2: Managed False if Capability Level =/> 1 PA 1.1 PA2.1 PA2.2 APO09 Manage Service Agreements FALSE 45% 0% 0% Copyright ISACA 2011. All rights reserved Slide 45 45

Assessment Process: Initial Input INITIAL INPUT Purpose Scope Constraints Identities Approach Assessor competence criteria Additional Information 46

Assessment Process: Roles ROLES AND RESPONSIBILITIES Sponsor Competent Assessor Assessors 47

Assessor Roles: COBIT process assessment roles: Lead assessor competent assessor responsible for overseeing the assessment activities Assessor developing assessor competencies; performs assessment activities Competencies-Knowledge, skills and experience: PRM, PAM, Methods & Tools, Rating Processes Processes/Domains being assessed Personal attributes for effective performance ISACA s COBIT Assessor training and certification scheme under development 48

Assessment Process ASSESSMENT PROCESS Planning Data Collection Data Validation Process Attribute Rating Reporting 49

Assessment Process - Planning 1. Initiation 2. Planning the assessment 3. Briefing 4. Data collection 5. Data validation 6. Process attributes rating 7. Reporting the results Copyright ISACA 2011. All rights reserved Slide 50 50 50

Assessment Process - Assessing 1. Initiation 2. Planning the assessment 3. Briefing 4. Data collection 5. Data validation 6. Process attributes rating 7. Reporting the results 51 51

Assessment Process - Reporting 1. Initiation 2. Planning the assessment 3. Briefing 4. Data collection 5. Data validation 6. Process attributes rating 7. Reporting the results Copyright ISACA 2011. All rights reserved Slide 52 52 52

Assessment Process: Output OUTPUT Date Assessment Input Identification of Evidence Assessment Process Used Process Profiles Additional Information 53

A Process Capability Profile Process Capability Level (based on attributes) => Processes Assessed Capability Level 0: Incomplete False if Process Capability is Level 1 or Better Capability Level 1: Performed Process Performance (PA 1.1) Capability Level 2: Managed Performance management (PA2.1) Work Product Management (PA2.2) Definition (PA3.1) Capability Level 3: Established Deployment (PA3.2) Capability Level 4: Predictable Measurement (PA4.1) Control (PA4.2) Innovation (PA5.1) Capability Level 5: Optimizing DS1: Define and Manage Service Levels FALSE 45% 0% 0% 0% 0% N/A N/A N/A N/A DS2: Manage Third Party Services FALSE 30% 0% 0% 0% 0% N/A N/A N/A N/A DS4: Ensure Continuous Service FALSE 35% 0% 0% 0% 0% N/A N/A N/A N/A DS6: Ensure Systems Security FALSE 90% 60% 75% 10% 0% N/A N/A N/A N/A DS8: Manage Service Desk and Incidents FALSE 90% 75% 45% 0% 0% N/A N/A N/A N/A DS9: Manage the Configuration FALSE 60% 0% 0% 0% 0% N/A N/A N/A N/A DS11: Manage Data FALSE 75% 0% 0% 0% 0% N/A N/A N/A N/A ME2: Monitor and Evaluate Internal Control FALSE 90% 25% 20% 0 0% N/A N/A N/A N/A ME3: Ensure Compliance with External Requirements FALSE 90% 60% 70% 45% 0% N/A N/A N/A N/A Optimization (PA5.2) 54

Consequence of Capability Gaps Figure A.3 Consequence of Gaps at Various Capability Levels This figure is reproduced from ISO 15504-4 2006 with the permission of ISO at www.iso.org. Copyright remains with ISO. 55

Risk from Capability Gaps Figure A.4 Risk Associated With Each Capability Level This figure is reproduced from ISO 15504-4 2006 with the permission of ISO at www.iso.org. Copyright remains with ISO. 56

Summary Process Assessment Model Assessment Process Process Capability Level Capability (based on attributes) => Level 0: Incomplete Capability Level 1: Performed Capability Level 2: Managed Capability Level 3: Established Capability Level 4: Predictable Capability Level 5: Optimizing False if Process Work Capability is Process Performance Product Definition Level 1 or Performance management Management Deployment Measurement Control Innovation Optimization Processes Assessed Better (PA 1.1) (PA2.1) (PA2.2) (PA3.1) (PA3.2) (PA4.1) (PA4.2) (PA5.1) (PA5.2) DS1: Define and Manage Service Levels FALSE 45% 0% 0% 0% 0% N/A N/A N/A N/A DS2: Manage Third Party Services FALSE 30% 0% 0% 0% 0% N/A N/A N/A N/A DS4: Ensure Continuous Service FALSE 35% 0% 0% 0% 0% N/A N/A N/A N/A DS6: Ensure Systems Security FALSE 90% 60% 75% 10% 0% N/A N/A N/A N/A DS8: Manage Service Desk and Incidents FALSE 90% 75% 45% 0% 0% N/A N/A N/A N/A DS9: Manage the Configuration FALSE 60% 0% 0% 0% 0% N/A N/A N/A N/A DS11: Manage Data FALSE 75% 0% 0% 0% 0% N/A N/A N/A N/A ME2: Monitor and Evaluate Internal Control FALSE 90% 25% 20% 0 0% N/A N/A N/A N/A ME3: Ensure Compliance with External Requirements FALSE 90% 60% 70% 45% 0% N/A N/A N/A N/A 57

Contact Information: Debra Mallette, CGEIT, CISA, CSSBB PastPresident@sfisaca.org Copyright ISACA 2011. All rights reserved Slide 58 58