COBIT 5: A New Governance Framework for Managing & Auditing the Technology Environment
CS 6-7: Tuesday, July 7, 3:30-4:30
Presented by: Nelson Gibbs, CIA, CRMA, CISA, CISM, CGEIT, CRISC, CISSP
ngibbs@pacbell.net

Disclaimer of Use and Association

Note: It is understood that the material in this presentation is intended for general information only and should not be used in relation to any specific application without independent examination and verification of its applicability and suitability by professionally qualified personnel. Those making use thereof or relying thereon assume all risk and liability arising from such use or reliance. Whilst I took reasonable care in creating the information in this presentation, this presentation and its contents may contain errors, faults and inaccuracies, and may not be complete or current. If so, I apologize.

Any copyrighted material to which this presentation refers remains the sole and complete property of the copyright holder, and its inclusion herein is for educational and other fair use purposes only. I claim no originality or ownership of any of these materials; all included commentary has its roots in pre-existing prior work(s). If you own the rights to any of the material and wish it removed, please let me know; I'm happy to work with you (and thank you for developing whatever it is I thought was valuable enough to share with others).

The views I am about to express are my own and do not necessarily represent the views of my employer, The IIA, or any other association or entity with which I might be, or reasonably be assumed to be, affiliated. This presentation is not sponsored, endorsed, supported, or otherwise condoned by any entity, person, organization, sect, creed, or interested party other than myself.

Warning: Attendance at this presentation could cause you to experience fatigue, sensory overload, dry mouth, nausea, or outrage, but hopefully not vomiting.

Welcome!
- 20+ years in IT
  - Network/SysAdmin
  - Director, Information Technology & Services
  - Senior Manager, Deloitte AERS
  - Information Security & Risk Management Advisors, LLC
    - Design & implementation of an Information Security Governance program in conjunction with a transition to COBIT 5
    - Leveraging COBIT 5 for Information Security for a healthcare provider
  - Union Bank - Director, Sr. Audit Manager, IT Risk & Gov.
- Increased organizational value through alignment and efficiency
- Optimal reliability through consistency and predictability
- Continuous improvement and shared learning

The Evolution of COBIT 5
(Timeline figure: Governance of Enterprise IT Evolution. The scope axis runs from Audit to Control to Management to IT Governance to Governance of Enterprise IT.)
- COBIT 1 (1996)
- COBIT 2 (1998)
- COBIT 3 (2000)
- COBIT 4.0/4.1 (2005/7)
- COBIT 5 (2012)
- Also shown alongside: Val IT 2.0 (2008), Risk IT (2009), BMIS (2010)

Drivers for COBIT 5
A need for the enterprise to:
- Achieve increased value creation
- Obtain business user satisfaction
- Achieve compliance with relevant laws, regulations and policies
- Improve the relation between business and IT
- Increase the return of governance over enterprise IT
- Connect and align with other major frameworks and standards

COBIT 5...
- Defines the starting point of governance and management activities with the stakeholder needs related to enterprise IT
- Creates a more holistic, integrated and complete view of enterprise governance and management of IT that is consistent and provides an end-to-end view on all IT-related matters
- Creates a common language between IT and business for the enterprise governance and management of IT
- Is consistent with generally accepted corporate governance standards, and thus helps to meet regulatory requirements

Business Needs
Enterprises are under constant pressure to:
- Increase benefits realization through effective and innovative use of enterprise IT
- Generate business value from new enterprise investments with a supporting IT investment
- Achieve operational excellence through application of technology
- Maintain IT-related risk at an acceptable level
- Contain cost of IT services and technology
- Ensure business and IT collaboration, leading to business user satisfaction with IT engagement and services
- Comply with ever-increasing relevant laws, regulations and policies

COBIT 5 Scope
Not simply IT; not only for big business!
- COBIT 5 is about governing and managing information
  - Whatever medium is used
  - End to end throughout the enterprise
- Information is equally important to:
  - Global, multinational business
  - National and local government
  - Charities and not-for-profit enterprises
  - Small to medium enterprises, and
  - Clubs and associations

The COBIT 5 Format: Simplified
- COBIT 5 directly addresses the needs of the viewer from different perspectives
- Development continues with specific practitioner guides
- COBIT 5 is initially in 3 volumes:
  1. The Framework - Free download
  2. Process Reference Guide - Free to members
  3. Implementation Guide - Free to members
- COBIT 5 is based on 5 principles and 7 enablers (if you understand these you can use any process model, any control set, any management framework)

COBIT 5 Product Family
(Product family diagram; legible labels: Config. Mgmt.; Process Assessment Program)

The COBIT 5 Enterprise Enablers
(figure)

New Process Reference Model
The COBIT 5 process reference model:
- Introduces a governance domain
- Has several new and modified processes
- Incorporates the principles of other, non-ISACA frameworks
- Can be used as a guide for adjusting the enterprise's own process model (just like COBIT 4.1)
- COBIT 5 is still a generic framework

(37 / 210 / 1,111)

COBIT 5 Processes
- Cover end-to-end business and IT activities
- Provide a more holistic and complete coverage of practices
- Make the involvement, responsibilities and accountabilities of business stakeholders in the use of IT more explicit and transparent

Goals & Metrics / Inputs & Outputs
COBIT 5:
- Follows the same goal and metric concepts as COBIT 4.1, Val IT and Risk IT, renamed as:
  - Enterprise goals
  - IT-related goals
  - Process goals
- Provides a revised goals cascade
- Provides inputs and outputs for every management practice (COBIT 4.1 only provided these at the process level)

RACI Charts
COBIT 5:
- Provides RACI* charts describing roles and responsibilities (*Responsible, Accountable, Consulted, Informed)
- Provides a more complete, detailed and clearer range of generic business and IT role players and charts
For example...

COBIT 5 Principles

Principle 1: Meeting Stakeholder Needs
- Enterprises exist to create value for their stakeholders
- Value creation: realizing benefits at an optimal resource cost while optimizing risk

Principle 1: Meeting Stakeholder Needs
- Stakeholder needs have to be transformed into an enterprise's actionable strategy
- The COBIT 5 goals cascade translates stakeholder needs into specific, practical and customized goals

Example
- Stakeholder Driver: Marketplace competition
- Stakeholder Need: Retain and grow customer base
- Enterprise Goal: Value our customers
- IT Goal: Protect the confidentiality of information
- [Enabler Goals are defined in the COBIT framework, e.g. Accessibility and Security]
- Activities:
  - Deploy and monitor current anti-virus tools using an automated, centralized solution (DSS05.01.2&3)
  - Provide security awareness training to all employees (DSS05.01.6)

Principle 1: Meeting Stakeholder Needs
The COBIT 5 goals cascade allows the definition of priorities for:
- Implementation
- Improvement
- Assurance of enterprise governance of IT
In practice, the goals cascade:
- Defines relevant and tangible goals and objectives at various levels of responsibility
- Filters the knowledge base of COBIT 5, based on enterprise goals, to extract relevant guidance for inclusion in specific implementation, improvement or assurance projects
- Clearly identifies and communicates how enablers are used to achieve enterprise goals

Principle 2: Covering the Enterprise End to End

Principle 2: Covering the Enterprise End to End
Main elements of the governance approach:
- Governance Enablers, comprising:
  - The organizational resources for governance (e.g. frameworks, structures, processes)
  - The enterprise's resources (e.g. information, people)
  - A lack of resources or enablers may affect the ability of the enterprise to create value
- Governance Scope, comprising:
  - The whole enterprise
  - An entity, a tangible or intangible asset, etc.

Principle 3: Applying a Single Integrated Framework
COBIT 5:
- Aligns with the latest relevant standards and frameworks
- Is complete in enterprise coverage
- Provides a basis to integrate effectively other frameworks, standards and practices used
- Integrates all knowledge previously dispersed over different ISACA frameworks
- Provides a simple architecture for structuring guidance materials and producing a consistent product set

Principle 3: Applying a Single Integrated Framework
The COBIT 5 product family is the connection:
- COBIT 5: A Business Framework for the Governance and Management of Enterprise IT - Released April 10, 2012
- COBIT 5: Enabling Processes - Released April 10, 2012
- COBIT 5 Implementation Guide - Released April 10, 2012
- COBIT 5 for Information Security - Released June 25, 2012
- COBIT 5 for Assurance - Released May 29, 2013
- COBIT 5 for Risk - Released October 2, 2013
- COBIT 5 Enabling Information - Released November 13, 2013
- COBIT 5 Online - Currently available, with enhancements in development
- A series of other products is planned for specific audiences or topics
- The perspective concept links the above to external sources for standards

Principle 3: Applying a Single Integrated Framework
Enablers provide structure to the COBIT 5 knowledge base

Principle 4: Enabling a Holistic Approach
COBIT 5 defines a set of enablers to support the implementation of a comprehensive governance and management system for enterprise IT.
COBIT 5 enablers are:
- Factors that, individually and collectively, influence whether something will work
- Driven by the goals cascade
- Described by the COBIT 5 framework in seven categories

Principle 4: Enabling a Holistic Approach
(figure)

Enterprise Goals
(figure)

IT Goals
(figure)

Appendix B
(figure)

Principle 4: Enabling a Holistic Approach
(figure)

Principle 4: Enabling a Holistic Approach
COBIT 5 enabler dimensions: all enablers have a set of common dimensions that:
- Provide a common, simple and structured way to deal with enablers
- Allow an entity to manage its complex interactions
- Facilitate successful outcomes of the enablers

Principle 5: Separating Governance from Management
- The COBIT 5 framework makes a clear distinction between governance and management
- Governance and management:
  - Encompass different types of activities
  - Require different organizational structures
  - Serve different purposes
- COBIT 5: Enabling Processes differentiates the activities associated with each

COBIT 5 Process Reference Model
(figure)

Principle 5: Separating Governance from Management
COBIT 5 Governance and Management Key Areas
(figure)

COBIT 5 Enabling Processes: APO12 (1 of 5)
(figure)

COBIT 5 Enabling Processes: APO12 (2 of 5)
(figure)

COBIT 5 Enabling Processes: APO12 (3 of 5)
(figure)

COBIT 5 Enabling Processes: APO12 (4 of 5)
(figure)

COBIT 5 Enabling Processes: APO12 (5 of 5)
(figure)

COBIT 5 for Information Security: APO12 (1 of 2)
(figure)

COBIT 5 for Information Security: APO12 (2 of 2)
(figure)

Thank You for Attending!
Presented by: Nelson Gibbs, CIA, CRMA, CISA, CISM, CGEIT, CRISC, CISSP
ngibbs@pacbell.net
Questions???