Practical Cobit Implementation Approaches: Implementing Cobit 5 In A Week


Kaya Kazmirci, CISA, CISM, CISSP, Cobit 5 Foundations
Kazmirci Associates
kaya@kayakazmirci.com, +90 532 487 7756

Kaya Kazmirci
- Founder, ISACA Istanbul Chapter
- Education Committee Chair and Past Chapter President
- Chair, Cobit 5/CISA Translation Committees
- Cobit Evangelist (Regulatory Consultant & Trainer)
- IT Governance and Cyber Security Expert
- Kazmirci Associates MD
- Mountain Biker & Sailor
Kaya.kazmirci@isaca-istanbul.org, Kaya@kayakazmirci.com, +90-532 487 7756

Project Plan: Short and Sweet
- Cobit 5 implementations must build on existing knowledge
- Training and practical group work
- Previously completed certifications and documentation (e.g. Cobit 4.1)
- Motivated team (regulatory/financial pressure and/or visionary leadership)
- Divide and create value (one process/capability improvement/metric at a time)
- Kickoff! -> C5 Training (2 Days) -> Exercises (1 Day) -> As-Is/To-Be Reporting (2 Days)

How do you eat an elephant?

Critical Cobit 5 Content: One bite at a time
COBIT 5 is based on:
- 5 principles
- 7 enablers
- Goals Cascade
- 37 Processes in 5 Domains
- Implementation Approach
- Capability Model (formerly Maturity Model)

COBIT 5 Principles: Start with the tastiest bits
© 2012 ISACA. All rights reserved.

Principle 1: Meeting Stakeholder Needs
- Enterprises have many stakeholders
- Governance is about:
  - Negotiating
  - Deciding amongst different stakeholders' value interests
  - Considering all stakeholders when making benefit, resource and risk assessment decisions
- For each decision, ask: For whom are the benefits? Who bears the risk? What resources are required?

How Do You Use The BSC?
- Does it predict the future? Does it correlate with future customer orders?
- How to measure it (surveys, consultants, standards, frameworks, metrics, maturity/capability)?
- Can BSCs be trusted?
- It costs resources to implement; does it generate ROI?
- Base employee bonuses on it?
- Complexity?

Principle 1 Cascade Steps (Figure 5): What is the primary Enterprise Goal?

Principle 1 Cascade Steps (Figure 6): Enterprise Goals to IT Related Goals

Mapping IT Related Goals to C5 Processes: Less is More
- ITRGs map to C5 Processes (Primary/Secondary Support)
- Adapt it to your organization
- Keep scope narrow
- Focus on problem areas

Principle 4: Enabling a Holistic Approach

Enabler 2: Processes

Lead and Lag Metrics: Explicit In C4.1
- Process Goals (formerly KPI): How the process delivers value to IT
- Firewall breaches discovered
- Credit card #s lost
- Cost of noncompliance (fines, settlements)
- IT Related Goal (formerly KGI): A measure of how IT is supporting the enterprise

Process Format/Content
- Process: Name/Description/Purpose
- Management/Governance Practices (Critical)
- Outcomes (Combine/Reformat)
- Work Product: Inputs (Nice to Have), Outputs (Combine/Reformat), Supports (Nice to Have)

RACI Charts: There Is A Lot (Too Much?)
Use what you need and nothing else!

Cobit 5 Process Reference Model: Choose Carefully!
- Outsourcing: APO09, APO10
- Security: APO13, DSS05
- HR (Security): APO07, APO08
- PM: APO05, APO06, BAI01
- SW/HW Development: BAI02, BAI03, BAI06, BAI07, BAI10
- Data Center: DSS01
- Help Desk: DSS02, DSS03
- Engine Room: BAI04, DSS04

New and Modified Processes:
- APO03 Manage enterprise architecture (TOGAF)
- APO04 Manage innovation (Nice to Have)
- APO05 Manage portfolio (PMBOK, Prince2)
- APO06 Manage budget and costs (Activity Based Costing/Accounting)
- APO08 Manage relationships (Security Impact)
- APO13 Manage security (Critical)
- BAI05 Manage organisational change enablement (Nice to Have)
- BAI08 Manage knowledge (DS10 Manage Data in v3 more useful)
- BAI09 Manage assets (Nice to Have)
- DSS05 Manage security service (Critical)
- DSS06 Manage business process controls (Controversial)

What's Missing (Next)? We Want a Camel Now

Cobit Framework Suggestions

Framework Committee, We Have a Problem
- How do we implement Agile/Scrum in C5? Documentation requirements? Which C5 processes to include?
- How do we integrate simultaneous multiple processes so they operate smoothly?
- Capability scores (C5) seem lower than maturity scores (C4.1 and earlier)
- Clients have spent LOTS improving C4.1 maturity (C5 conversion is a hard sell)
- Regulators can penalize for low (<3) maturity; where do we set the bar?
- Capability is not as clear as Maturity (nor as easy to implement)
- C5 capability is not prescriptive (let's create guidance)
- What is the value for improved Capability?
- DSS06 Manage Business Process Controls? What does it mean and how do we implement it in a practical sense?
- eTOM for Telecom; other sector-based guidance would be helpful

Cobit 5 Capability: Less is more

Satisfying Cobit 5 Attributes Improves Capability

How Do We Measure Capability?
- Level 5 Optimizing process: PA.5.1 Process Innovation attribute; PA.5.2 Process Optimization attribute
- Level 4 Predictable process: PA.4.1 Process Measurement attribute; PA.4.2 Process Control attribute
- Level 3 Established process: PA.3.1 Process Definition attribute; PA.3.2 Process Deployment attribute
- Level 2 Managed process: PA.2.1 Performance Management attribute; PA.2.2 Work Product Management attribute
- Level 1 Performed process: PA.1.1 Process Performance attribute
- Level 0 Incomplete process

Process Attribute Rating Scale (Cobit Capability scores 3 at a 2.5!)
- N  Not achieved (0 to 15% achievement): There is little or no evidence of achievement of the defined attribute in the assessed process.
- P  Partially achieved (>15% to 50% achievement): There is some evidence of an approach to, and some achievement of, the defined attribute in the assessed process. Some aspects of achievement of the attribute may be unpredictable.
- L  Largely achieved (>50% to 85% achievement): There is evidence of a systematic approach to, and significant achievement of, the defined attribute in the assessed process. Some weakness related to this attribute may exist in the assessed process.
- F  Fully achieved (>85% to 100% achievement): There is evidence of a complete and systematic approach to, and full achievement of, the defined attribute in the assessed process. No significant weaknesses related to this attribute exist in the assessed process.

What Does That Mean? (Practical Guidance)
- Level 1: Some Management/Governance (M/G) Practices, some Work Products
- Level 2: All M/G Practices, Work Products, Process Goals & Targets defined, RACI
- Level 3: Process commonly implemented, Inputs/Outputs (Training/Sourcing needs) defined, IT Related Goals defined/collected/analyzed
- Level 4: Process Metrics reported consistently, Goals set, low performance reviewed
- Level 5: Improvement Goals set; Improvement Opportunities identified, planned, tested, implemented & post-implemented

Still Confused? More Practical Guidance
CMMI Maturity seems to map well, as it is based on ISO/IEC 15504.
- Level 2: All of the Practices implemented
- Level 3: All Activities implemented
  - ISO 27001 -> APO13 Manage Security, DSS05 Manage Security Services
  - ISO 22301 -> DSS04 Manage Continuity
  - ISO 9001 -> APO11 Manage Quality
  - ISO 20000 -> DSS01 Manage Operations, DSS02 Manage Service Requests & Incidents, DSS03 Manage Problems
  - ISO 10002 -> DSS02 (Customer Complaints)
  - ISO 13485 -> APO11 Manage Quality
  - ISO 31000 -> APO12 Manage Risk
  - Independent Audit / Financial Reporting Effective Control -> BAI06, BAI07
- Level 4: Common enterprise-wide Process Performance and Output metrics
- Level 5: Consistent metric-based Goals and Improvement Implementation

Capability and Gap Analysis: Logistics Provider

Capability and Gap Analysis: NPL Collector

Traditional COBIT 5 Implementation
- Program Management: day-to-day PM
- Enablement of change: addressing the behavioural and cultural aspects
- Core: Continual improvement; this is not a one-off project

Appendix 1: Use The Goals Cascade to Scope Which Processes To Focus On

Step 1: Start with BSC category
Balanced Scorecard (Financial, Customer, Internal, Learning) -> Enterprise Goals -> IT Related Goal (ITRG) -> COBIT Process
Customer:
- 6. Customer-oriented service culture
- 7. Business service continuity and availability
- 8. Agile responses to a changing business environment
- 9. Information-based strategic decision making
- 10. Optimisation of service delivery costs

Step 2: Select Enterprise Goal, IT related Goal, and Processes
Customer (Enterprise Goals):
- 6. Customer-oriented service culture
- 7. Business service continuity and availability
IT Related Goals:
- ITRG 07 Delivery of IT services in line with business requirements
- ITRG 08 Adequate use of applications, information and technology solutions
- ITRG 01 Alignment of IT and business strategy
- ITRG 04 Managed IT-related business risk
- ITRG 10 Security of information, processing infrastructure and applications
- ITRG 14 Availability of reliable and useful information for decision making
Processes (P = primary importance or impact):
- APO09 Manage Service Agreements (P)
- APO13 Manage Security (P)
- BAI04 Manage Availability and Capacity (P)
- BAI08 Manage Knowledge (P)
- BAI10 Manage Configuration (P)
- DSS03 Manage Problems (P)
- DSS04 Manage Continuity (P)

Step 3: Example APO09, Examine Metrics
Related metrics:
- The number of business processes with unidentified service agreements
- % of live IT services covered by service agreements
- % of customers satisfied that service delivery meets agreed-on levels
- Number & severity of service breaches
- % of services being monitored to service levels
- % of service targets being met

Appendix 2: Case Studies To Support Training and Group Work

Case Study I: Identification of IT Governance Issues
40 minutes preparation, 20 minutes discussion

The objective of this exercise is to become familiar with IT governance issues and be able to explain them to executive management.

Imagine that you are the newly hired CIO/IT director of the Company, and you realise that much needs to be done to improve the way IT is managed if all the IT requirements are to be successfully delivered. You know that you were hired to sort these matters out, but you feel that the board should focus on IT, and they do not really know much about why it is important, what problems exist and what their responsibilities should be. You are worried that you might not be able to succeed without their full appreciation of the current issues and their support to improve the way IT is managed. You recently heard about COBIT, then discovered ITGI and ISACA on the Internet, and downloaded the Cobit 5 Enabling Processes. You have decided to use this standard to help raise awareness with the board and get them on your side, working with you to fix the IT problems.

Review the present situation at the Company with your group, using the Goals Cascade documents as a guideline. Select Enterprise Goals and IT-Related Goals that your group feels are important to the Company. Pay particular attention to areas that you feel may be presently underserviced. Use the results of your discussion and the IT-Related Goals to Cobit 5 processes map to select 6 Cobit 5 processes which, if improved, would add significant enterprise value to the Company.

Your task is to work together with the rest of the IT management team (the rest of your course group) to prepare items to go into a presentation which conveys what the processes are, why you chose them and what value their implementation will add to the Company. Select a spokesperson to present your group work.

Gary Hardy

Case Study II: Process Assessment
40 minutes preparation, 20 minutes presentation and discussion

The Company has recognised that enterprise governance implementation is a priority to enable effective corporate and IT management. After reviewing your previous presentation, the BoD has decided to implement Cobit 5 one process at a time and has asked you to complete an assessment regarding how the most critical process that you presented operates at the Company. In this exercise, you will first select a process (from those examined in Case Study I) and then assess how it operates at the Company.

1. Using what you and your teammates know and referring to the COBIT 5 Enabling Processes, consider the process and assess whether it presently fulfils the defined management/governance practices and related activities, as well as delivering the defined outputs. Document any missing outputs.
2. Decide which missing practices would add value if implemented, then list and prioritize the most important 5 of them.
3. Discuss the related Cobit 5 process/IT-related metrics and assess whether the presently used metrics are adequate. Feel free to suggest 3 metrics that you feel would better meet the Company's needs, but be aware that implementing new metrics requires resources, so focus on cost-effective suggestions.

Gary Hardy

Case Study III: Capability Assessment
40 minutes preparation, 20 minutes presentation

The objective of this exercise is to understand how to use the capability models in COBIT 5 to perform a capability assessment of a critical process. Use the process from Case Study II and assess its present capability at the Company. Based on its present capability, list what additional attributes need development in order for it to mature to the next level of capability. Hint: go easy on yourselves as far as documentation requirements go; Partially (P) fulfilled attributes are ok.

Work in the same group, and hold a workshop as if you are the management team. One person should act as the facilitator, gaining consensus as a group on what the critical attributes are and, using the COBIT capability models, considering the current level. Prepare to report the present capability as well as what needs to be done to go to the next level. Prepare a short presentation to explain your results.

Gary Hardy

Appendix 3: Goals Cascade

Figure 24 Mapping COBIT 5 Enterprise Goals to Governance and Management Questions
Figure 24 Mapping COBIT 5 Enterprise Goals to Governance and Management Questions (cont.)
Figure 22 Mapping COBIT 5 Enterprise Goals to IT-related Goals
Figure 23 Mapping COBIT 5 IT-related Goals to Processes
Figure 23 Mapping COBIT 5 IT-related Goals to Processes (cont.)