COBIT 4.1 Framework

Primary source: COBIT 4.1

Uploaded by: yulias-sihombing-ak-mak-cia

Posted on 10-Jun-2015

Category: Business

Page 1: Cobit 41 framework

COBIT 4.1 Framework

Primary source: COBIT 4.1

Page 2: Cobit 41 framework
Page 3: Cobit 41 framework

IT governance:

IT governance is the responsibility of executives and the board of directors. It consists of the leadership, organisational structures and processes that ensure the enterprise's IT sustains and extends the organisation's objectives and strategies.

COBIT supports IT governance by providing a framework to ensure that:

IT is aligned with the business

IT enables the business and maximises benefits

IT resources are used responsibly

IT risks are managed appropriately

IT transparency is achieved through performance measurement.

Executive Overview

Page 4: Cobit 41 framework

Executive Overview

Strategic alignment: ensuring the linkage of business and IT plans; defining, maintaining and validating the IT value proposition; and aligning IT operations with enterprise operations.

Value delivery: executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimising costs and proving the intrinsic value of IT.

Resource management: optimal investment in, and proper management of, the critical IT resources: applications, information, infrastructure and people. Key issues relate to the optimisation of knowledge and infrastructure.

Risk management: risk awareness by senior officers, a clear understanding of the appetite for risk, understanding of compliance requirements, transparency about the significant risks to the enterprise and embedding of risk management responsibilities into the organisation.

Performance measurement: tracking and monitoring strategy implementation, project completion, resource usage, process performance and service delivery, using, for example, balanced scorecards that translate strategy into action to achieve goals measurable beyond conventional accounting.

Page 5: Cobit 41 framework

Cobit Content Diagram

Page 6: Cobit 41 framework

All COBIT components are interrelated, providing support for the governance, management, control and assurance needs of different audiences.

[COBIT content diagram: figure residue; only its labels are recoverable. Elements: Business goals; IT goals; IT processes; Key activities; Information requirements; Control objectives; Responsibilities and accountabilities chart; Performance indicators; Outcome measures; Maturity models; Control practices; Control design tests; Control outcome tests. Relationship labels on the arrows: derived from; broken down into; controlled by; performed by; measured by (for performance, for maturity, for outcome); implemented with; audited with; based on.]

Page 7: Cobit 41 framework

COBIT Framework

Page 8: Cobit 41 framework

A control framework for IT governance defines the reasons IT governance is needed, the stakeholders and what it needs to accomplish.

Why

In particular, management needs to know if information is being managed so that it is: likely to achieve its objectives; resilient enough to learn and adapt; judiciously managing the risks it faces; and appropriately recognising opportunities and acting upon them.

An enterprise cannot deliver effectively against business and governance requirements without adopting and implementing a governance and control framework for IT, in order to: make a link to the business requirements; make performance against these requirements transparent; organise its activities into a generally accepted process model; identify the major resources to be leveraged; and define the management control objectives to be considered.

The Need for A Control Framework for IT Governance

Page 9: Cobit 41 framework

Who

A governance and control framework needs to serve a variety of internal and external stakeholders, each of whom has specific needs: stakeholders within the enterprise who have an interest in generating value from IT investments; internal and external stakeholders who provide IT services; and internal and external stakeholders who have a control/risk responsibility.

What

To meet the requirements listed in the previous section, a framework for IT governance and control should: provide a business focus to enable alignment between business and IT objectives; establish a process orientation to define the scope and extent of coverage, with a defined structure enabling easy navigation of content; be generally acceptable by being consistent with accepted IT good practices and standards and independent of specific technologies; supply a common language with a set of terms and definitions that are generally understandable by all stakeholders; and help meet regulatory requirements by being consistent with generally accepted corporate governance standards (e.g., COSO) and the IT controls expected by regulators and external auditors.

The Need for A Control Framework for IT Governance

Page 10: Cobit 41 framework

In response to these needs, the COBIT framework was created with the main characteristics of being:

business-focused,

process-oriented,

controls-based, and

measurement-driven.

How COBIT Meets The Need

Source: IT Governance Institute, COBIT 4.1, 2007

Page 11: Cobit 41 framework

Business orientation is the main theme of COBIT. It is designed (1) to be employed by IT service providers, users and auditors, and (2) to provide comprehensive guidance for management and business process owners.

COBIT'S INFORMATION CRITERIA

To satisfy business objectives, information needs to conform to certain control criteria, which COBIT refers to as the business requirements for information. The information criteria are defined as follows:

1. Effectiveness: information being relevant and pertinent to the business process as well as being delivered in a timely, correct, consistent and usable manner.

2. Efficiency: the provision of information through the optimal (most productive and economical) use of resources.

3. Confidentiality: the protection of sensitive information from unauthorised disclosure.

4. Integrity: the accuracy and completeness of information as well as its validity.

5. Availability: information being available when required by the business process, now and in the future.

6. Compliance: complying with the laws, regulations and contractual arrangements to which the business process is subject.

7. Reliability: the provision of appropriate information for management to operate the entity and exercise its fiduciary and governance responsibilities.

Business - Focused

Page 12: Cobit 41 framework

BUSINESS GOALS AND IT GOALS

Defining a set of business goals and IT goals provides a business-related and refined basis for establishing business requirements and developing measurements. See Appendix I.

Defining IT Goals and Enterprise Architecture for IT

Business - Focused

Page 13: Cobit 41 framework

IT RESOURCES

IT resources (people, infrastructure, applications and information), together with the processes, constitute an enterprise architecture for IT.

Business - Focused

The enterprise needs to invest in resources to create a technical capability (e.g., an ERP system) to support a business capability (e.g., implementing a supply chain), resulting in the desired outcome (increased sales and financial benefits).

The IT resources:

Applications: the automated systems and manual procedures that process information.

Information: the data, input, processed and output by the information systems, used by the business.

Infrastructure: the technology and facilities (hardware, operating systems, database management systems, networking, multimedia).

People: the personnel required to plan, organise, acquire, implement, deliver, support, monitor and evaluate the information systems and services.

Page 14: Cobit 41 framework

An operational model is the initial step toward good governance; it also provides a framework for measuring and monitoring IT performance, communicating with service providers and integrating best management practices.

Within the COBIT framework, the generic process model falls within four domains:

Plan and Organise (PO): provides direction to solution delivery (AI) and service delivery (DS).

Acquire and Implement (AI): provides the solutions and passes them to be turned into services.

Deliver and Support (DS): receives the solutions and makes them usable for end users.

Monitor and Evaluate (ME): monitors all processes to ensure that the direction provided is followed.

Process – Oriented

Page 15: Cobit 41 framework

PLAN AND ORGANISE (PO)

PO covers strategy and tactics, and concerns the identification of the way IT can best contribute to the achievement of the business objectives. This domain addresses the following management questions:

Are IT and the business strategy aligned?

Is the enterprise achieving optimum use of its resources?

Does everyone in the organisation understand the IT objectives?

Are IT risks understood and being managed?

Is the quality of IT systems appropriate for business needs?

ACQUIRE AND IMPLEMENT (AI)

IT solutions need to be identified, developed or acquired, implemented and integrated into the business process. In addition, changes in and maintenance of existing systems are covered. This domain typically addresses the following management questions:

Are new projects likely to deliver solutions that meet business needs?

Are new projects likely to be delivered on time and within budget?

Will the new systems work properly when implemented?

Will changes be made without upsetting current business operations?

Process – Oriented

Page 16: Cobit 41 framework

DELIVER AND SUPPORT (DS)

DS is concerned with the actual delivery of services, including the management of security and continuity, service support, and the management of data and facilities. It addresses the following management questions:

Are IT services being delivered in line with business priorities?

Are IT costs optimised?

Is the workforce able to use the IT systems productively and safely?

Are adequate confidentiality, integrity and availability in place for inf security?

MONITOR AND EVALUATE (ME)

ME addresses performance management, monitoring of internal control, regulatory compliance and governance. It addresses the following management questions:

Is IT's performance measured to detect problems before it is too late?

Does management ensure that internal controls are effective and efficient?

Can IT performance be linked back to business goals?

Are adequate confidentiality, integrity and availability control in place for inf security?

Across these four domains, COBIT has identified 34 IT processes that are generally used (refer to figure 22 for the complete list).

Process – Oriented

Page 17: Cobit 41 framework

PROCESSES NEED CONTROLS

IT control objectives provide a complete set of high-level requirements to be considered by management for effective control of each IT process. They: are statements of managerial actions to increase value or reduce risk; consist of policies, procedures, practices and organisational structures; and provide reasonable assurance that business objectives will be achieved.

Management needs to make choices relative to these control objectives by: selecting those that are applicable; deciding upon those that will be implemented; choosing how to implement them (frequency, span, automation, etc.); and accepting the risk of not implementing them.

Controls – Based

A standard control has an analogy in a heating system: when the room temperature (standard) for the heating system (process) is set, the system checks (compares) the ambient room temperature (control information) and signals (acts on) the heating system to provide more or less heat.

Page 18: Cobit 41 framework

PROCESSES NEED CONTROLS

To achieve effective gov, controls need to be implemented by operational managers within a defined control FW for all IT processes.

The control objectives are identified by a two-character domain reference (PO, AI, DS and ME) plus a process number and a control objective number. In addition to the control objectives, each process has generic control requirements that are identified by PCn (process control number).

PC1 Process Goals and Objectives

Define and communicate specific, measurable, actionable, realistic, results-oriented and timely (SMARRT) process goals and objectives. Ensure that they are linked to the business goals and supported by suitable metrics.

PC2 Process Ownership

Assign an owner for each IT process, and clearly define the roles and responsibilities of the process owner. Include, for example, responsibility for process design, interaction, accountability, measurement and the identification of improvements.

Controls – Based

Page 19: Cobit 41 framework

PROCESSES NEED CONTROLS

PC3 Process Repeatability

Design and establish each key IT process such that it is repeatable and consistently produces the expected results.

PC4 Roles and Responsibilities

Define the key activities and end deliverables of the process. Assign and communicate unambiguous roles and responsibilities for effective and efficient execution of key activities and their documentation as well as accountability.

PC5 Policy, Plans and Procedures

Define and communicate how all policies, plans and procedures that drive an IT process are documented, reviewed, maintained, approved, stored, communicated and used for training.

PC6 Process Performance Improvement

Identify a set of metrics that provides insight into outcomes and performance of the process. Establish targets that reflect on the process goals and performance indicators that enable the achievement of process goals.

Controls – Based

Page 20: Cobit 41 framework

BUSINESS AND IT CONTROLS

The enterprise's system of internal control impacts IT at three levels:

1. At the executive management level:

The overall approach to governance and control is established by the board and communicated throughout the enterprise. The IT control environment is directed by this top-level set of objectives and policies.

2. At the business process level:

Most business processes are automated and integrated with IT application systems, resulting in many of the controls at this level being automated. These are known as application controls. However, some controls within the business process remain as manual procedures, such as authorisation for transactions and separation of duties.

3. To support the business processes:

IT provides IT services, usually in a shared service to many business processes, and much of the IT infrastructure is provided as a common service (e.g., networks, databases, operating systems and storage). The controls applied to all IT service activities are known as IT general controls. For example, poor change management could jeopardise the reliability of automated integrity checks.

Controls – Based

Page 21: Cobit 41 framework

IT GENERAL CONTROLS AND APPLICATION CONTROLS

General controls: controls embedded in IT processes and services; they include systems development, change management, security and computer operations.

Application controls: controls embedded in business process applications; they include completeness, accuracy, validity, authorisation and segregation of duties.

The design and implementation of automated application controls is the responsibility of IT, covered in the AI domain, based on COBIT's information criteria, as shown in figure 10. The operational management and control responsibility for application controls is not with IT, but with the business process owner.

Hence, the responsibility for application controls is an end-to-end joint responsibility between business and IT, but the nature of the responsibilities changes as follows:

The business is responsible to properly:

– Define functional and control requirements

– Use automated services

IT is responsible to:

– Automate and implement business functional and control requirements

– Establish controls to maintain the integrity of application controls.

Controls – Based

Page 22: Cobit 41 framework
Page 23: Cobit 41 framework

The following list provides a recommended set of application control objectives:

AC1 Source Data Preparation and Authorisation

Ensure that source documents are prepared by authorised and qualified personnel following established procedures, taking into account adequate segregation of duties.

AC2 Source Data Collection and Entry

Establish that data input is performed in a timely manner by authorised and qualified staff.

AC3 Accuracy, Completeness and Authenticity Checks

Ensure that transactions are accurate, complete and valid.

AC4 Processing Integrity and Validity

Maintain the integrity and validity of data throughout the processing cycle. Detection of erroneous transactions does not disrupt the processing of valid transactions.

AC5 Output Review, Reconciliation and Error Handling

Establish procedures and responsibilities to ensure that output is delivered to the appropriate recipient and protected during transmission, and that verification, detection and correction of the accuracy of output take place.

AC6 Transaction Authentication and Integrity

Before passing transaction data between internal applications and business/operational functions, check it for proper addressing, authenticity of origin and integrity of content.

Controls – Based
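As an added illustration of AC4 and AC6 (this code is not from COBIT or the presentation), the following Python sketches an interface that receives transaction records from another internal application: each record's addressing, origin authenticity and content integrity are checked with an HMAC (AC6), basic accuracy and completeness checks are applied (AC3), and erroneous records are set aside without stopping the processing of valid ones (AC4). The application names, the shared interface key and the sample batch are constructed for this example.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import Optional

# Constructed values for this illustration: a key shared by the two internal
# applications and the set of origins this application accepts data from.
INTERFACE_KEY = b"constructed-example-key-do-not-reuse"
THIS_APP = "general-ledger"
TRUSTED_ORIGINS = {"order-entry", "billing"}


def canonical_bytes(envelope: dict) -> bytes:
    """Serialise the envelope (minus its MAC) in a fixed form so that sender
    and receiver compute the MAC over identical bytes."""
    body = {k: v for k, v in envelope.items() if k != "mac"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def seal(envelope: dict, key: bytes = INTERFACE_KEY) -> dict:
    """Sending side: attach an HMAC covering origin, destination and record,
    so addressing and content are both protected (AC6)."""
    sealed = dict(envelope)
    sealed["mac"] = hmac.new(key, canonical_bytes(envelope), hashlib.sha256).hexdigest()
    return sealed


def check_envelope(envelope: dict, key: bytes = INTERFACE_KEY) -> Optional[str]:
    """AC6: proper addressing, authenticity of origin, integrity of content.
    Returns None when the envelope is acceptable, otherwise the reason."""
    if envelope.get("dest") != THIS_APP:
        return "misaddressed"
    if envelope.get("origin") not in TRUSTED_ORIGINS:
        return "untrusted origin"
    expected = hmac.new(key, canonical_bytes(envelope), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(envelope.get("mac", ""))):
        return "integrity/authenticity check failed"
    return None


def check_record(record) -> Optional[str]:
    """AC3-style accuracy, completeness and validity checks on the payload."""
    if not isinstance(record, dict):
        return "malformed record"
    missing = [f for f in ("txn_id", "account", "amount") if f not in record]
    if missing:
        return "incomplete: missing " + ", ".join(missing)
    if not isinstance(record["amount"], int) or record["amount"] <= 0:
        return "invalid amount"
    return None


@dataclass
class BatchResult:
    posted: list = field(default_factory=list)    # txn_ids accepted for posting
    rejected: list = field(default_factory=list)  # (batch position, reason)


def process_batch(envelopes: list, key: bytes = INTERFACE_KEY) -> BatchResult:
    """AC4: erroneous items are recorded and set aside; valid items still post."""
    result = BatchResult()
    for pos, env in enumerate(envelopes):
        reason = check_envelope(env, key) or check_record(env.get("record"))
        if reason:
            result.rejected.append((pos, reason))
            continue
        result.posted.append(env["record"]["txn_id"])
    return result


def demo_batch() -> BatchResult:
    """Constructed sample batch: one good record and three control failures."""
    good = seal({"origin": "billing", "dest": THIS_APP,
                 "record": {"txn_id": "T1", "account": "4010", "amount": 250}})
    tampered = seal({"origin": "billing", "dest": THIS_APP,
                     "record": {"txn_id": "T2", "account": "4010", "amount": 250}})
    tampered["record"]["amount"] = 250000  # content altered after sealing
    misaddressed = seal({"origin": "billing", "dest": "payroll",
                         "record": {"txn_id": "T3", "account": "4010", "amount": 10}})
    incomplete = seal({"origin": "order-entry", "dest": THIS_APP,
                       "record": {"txn_id": "T4", "amount": 10}})
    return process_batch([good, tampered, misaddressed, incomplete])


if __name__ == "__main__":
    outcome = demo_batch()
    print("posted:", outcome.posted)
    print("rejected:", outcome.rejected)
```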

Page 24: Cobit 41 framework

Enterprises need to measure where they are and where improvement is required, and implement a management tool kit to monitor this improvement.

COBIT deals with these issues by providing:

Maturity models to enable benchmarking and the identification of necessary capability improvements.

Performance goals and metrics for the IT processes, demonstrating how processes meet business and IT goals, and used for measuring internal process performance based on balanced scorecard principles.

Activity goals for enabling effective process performance.

MATURITY MODELS

IT management is constantly on the lookout for benchmarking and self-assessment tools in response to the need to know what to do in an efficient manner. This responds to three needs:

1. A relative measure of where the enterprise is

2. A manner to efficiently decide where to go

3. A tool for measuring progress against the goal.

The maturity model for management and control over IT processes is based on a method of evaluating the organisation, so it can be rated from a maturity level of non-existent (0) to optimised (5).

Measurement – Driven

Page 25: Cobit 41 framework

MATURITY MODELS

The purpose is to identify where issues are and how to set priorities for improvements, not to assess the level of adherence to the control objectives.

They are not designed for use as a threshold model, where one cannot move to the next higher level without having fulfilled all conditions of the lower level.

Measurement – Driven

Page 26: Cobit 41 framework

Using the maturity models developed for each of COBIT's 34 IT processes, management can identify:

The actual performance of the enterprise—Where the enterprise is today

The current status of the industry—The comparison

The enterprise’s target for improvement—Where the enterprise wants to be

The required growth path between ‘as-is’ and ‘to-be’.

Measurement – Driven

Page 27: Cobit 41 framework

Capability, coverage and control are all dimensions of process maturity:

Measurement – Driven

Coverage, depth of control, and how the capability is used and deployed are cost-benefit decisions. For example, a high level of security management may have to be focused only on the most critical enterprise systems. Another example would be the choice between a weekly manual review and a continuous automated control.

Page 28: Cobit 41 framework

Maturity Attribute Table (levels 1 to 3; the attributes are Awareness and Communication; Policies, Plans and Procedures; Tools and Automation; Skills and Expertise; Responsibility and Accountability; Goal Setting and Measurement)

Level 1

Awareness and Communication: Recognition of the need for the process is emerging. There is sporadic communication of the issues.

Policies, Plans and Procedures: There is recognition of the need for processes and practices. The process and policies are undefined.

Tools and Automation: Some tools may exist; usage is based on standard desktop tools. There is no planned approach to tool usage.

Skills and Expertise: Skills required for the process are not identified. A training plan does not exist and no formal training occurs.

Responsibility and Accountability: There is no definition of accountability and responsibility. People take ownership of issues based on their own initiative on a reactive basis.

Goal Setting and Measurement: Goals are not clear and no measurement takes place.

Level 2

Awareness and Communication: There is awareness of the need to act. Management communicates the overall issues.

Policies, Plans and Procedures: Similar and common processes emerge, but are largely intuitive because of individual expertise. Some aspects of the processes are repeatable because of individual expertise, and some documentation and informal understanding of policies and procedures exist.

Tools and Automation: Common approaches to the use of tools exist but are based on solutions developed by key individuals. Vendor tools may have been acquired, but are probably not applied correctly, and may even be shelfware.

Skills and Expertise: Minimum skill requirements are identified for critical areas. Training is provided in response to needs, rather than on the basis of an agreed plan, and informal training on the job occurs.

Responsibility and Accountability: An individual assumes his/her responsibility and is usually held accountable, even if this is not formally agreed. There is confusion about responsibilities when problems occur, and a culture of blame tends to exist.

Goal Setting and Measurement: Some goal setting occurs; some financial measures are established, but are known only by senior management. There is inconsistent monitoring in isolated areas.

Level 3 (first part; continued on the next page)

Awareness and Communication: There is understanding of the need to act.

Policies, Plans and Procedures: Usage of good practices emerges.

Tools and Automation: A plan has been defined for the use and standardisation of tools to automate the process.

Skills and Expertise: Skill requirements are defined and documented for all areas.

Responsibility and Accountability: Process responsibility and accountability are defined and process owners have been identified.

Goal Setting and Measurement: Some effectiveness goals and measures are set, but are not communicated, and there is a clear link to business goals.

Page 29: Cobit 41 framework

Maturity Attribute Table (level 3 continued, and level 4; same six attributes as on the previous page)

Level 3 (continued)

Awareness and Communication: Management is more formal and structured in its communication.

Policies, Plans and Procedures: The process, policies and procedures are defined and documented for all key activities.

Tools and Automation: Tools are being used for their purposes, but may not all be in accordance with the agreed plan, and may not be integrated with one another.

Skills and Expertise: A formal training plan has been developed, but formal training is still based on individual initiatives.

Responsibility and Accountability: The process owner is unlikely to have the full authority to exercise the responsibilities.

Goal Setting and Measurement: Measurement processes emerge, but are not consistently applied. IT balanced scorecard ideas are being adopted, as is intuitive application of root cause analysis.

Level 4

Awareness and Communication: There is understanding of the full requirements. Mature communication techniques are applied and standard communication tools are in use.

Policies, Plans and Procedures: The process is sound and complete; internal best practices are applied. All aspects of the process are documented and repeatable. Policies have been approved and signed off on by management. Standards for developing and maintaining the processes and procedures are adopted and followed.

Tools and Automation: Tools are implemented according to a standardised plan, and some have been integrated with other related tools. Tools are being used in main areas to automate management of the process and to monitor critical activities and controls.

Skills and Expertise: Skill requirements are routinely updated for all areas, proficiency is ensured for all critical areas, and certification is encouraged. Mature training techniques are applied according to the training plan and knowledge sharing is encouraged. Internal domain experts are involved and the effectiveness of the training plan is assessed.

Responsibility and Accountability: Process responsibility and accountability are accepted and working in a way that enables a process owner to discharge his/her responsibilities. A reward culture is in place that motivates positive action.

Goal Setting and Measurement: Efficiency and effectiveness are measured and communicated, and linked to business goals and the IT strategic plan. The IT balanced scorecard is implemented in some areas, with exceptions noted by management, and root cause analysis is being standardised. Continuous improvement is emerging.

Page 30: Cobit 41 framework

Maturity Attribute Table (level 5; same six attributes as on the previous pages)

Level 5

Awareness and Communication: There is advanced, forward-looking understanding of requirements. Proactive communication of issues based on trends exists, mature communication techniques are applied, and integrated communication tools are used.

Policies, Plans and Procedures: External best practices and standards are applied. Process documentation has evolved into automated workflows. Processes, policies and procedures are standardised and integrated to enable end-to-end management and improvement.

Tools and Automation: Standardised tool sets are used across the enterprise. Tools are fully integrated with other related tools to enable end-to-end support of the processes. Tools are being used to support improvement of the process and to automatically detect control exceptions.

Skills and Expertise: The organisation formally encourages continuous improvement of skills, based on clearly defined personal and organisational goals. Training and education support external best practices and the use of leading-edge concepts and techniques. Knowledge sharing is an enterprise culture, and knowledge-based systems are being deployed. External experts and industry leaders are used for guidance.

Responsibility and Accountability: Process owners are empowered to make decisions and take action. The acceptance of responsibility has been cascaded down throughout the organisation in a consistent fashion.

Goal Setting and Measurement: There is an integrated performance measurement system linking IT performance to business goals by the global application of the IT balanced scorecard. Exceptions are globally and consistently noted by management and root cause analysis is applied. Continuous improvement is a way of life.

Page 31: Cobit 41 framework

PERFORMANCE MEASUREMENT

Goals and metrics are defined in COBIT at 3 levels:

1. IT goals and metrics: define what business expects from IT and how to measure it.

2. Process goals and metrics: define what the IT process must deliver to support IT’s objectives and how to measure it.

3. Activity goals and metrics: establish what needs to happen inside the process to achieve the required performance and how to measure it.

Measurement – Driven

Page 32: Cobit 41 framework

PERFORMANCE MEASUREMENT

Two types of metrics:

Outcome measure: indicate whether the goals have been met. These can be measured only after the fact and, therefore, are called ‘lag indicators’.

Performance indicators: indicate whether goals are likely to be met. They can be measured before the outcome is clear and, therefore, are called ‘lead indicators’.

Outcome measures of the lower level become performance indicators for the higher level. Outcome measures of the IT function are often expressed in terms of the information criteria:

Availability of information needed to support the business needs

Absence of integrity and confidentiality risks

Cost-efficiency of processes and operations

Confirmation of reliability, effectiveness and compliance

Performance indicators (or performance drivers) define measures that determine how well the business, the IT function or an IT process is performing in enabling the goals to be reached. They often measure the availability of appropriate capabilities, practices and skills, and the outcome of underlying activities.

Measurement – Driven

Page 33: Cobit 41 framework

Relationship among Process, Goals, and Metrics (DS 5)

[Figure residue; the recoverable content of the DS5 goals-and-metrics diagram is listed below.]

Each goal "is measured by" the metric that follows it:

Business goal: Maintain enterprise reputation and leadership. Outcome measure (business metric): Number of incidents causing public embarrassment.

IT goal: Ensure that IT services can resist and recover from attacks. Outcome measure (IT metric): Number of actual IT incidents with business impact.

Process goal: Detect and resolve unauthorised access to information, applications and infrastructure. Outcome measure (process metric): Number of actual incidents because of unauthorised access.

Activity goal: Understand security requirements, vulnerabilities and threats. Performance indicator: Frequency of review of the type of security events to be monitored.

Arrow labels in the figure: Define goals; Measure achievement; Indicate performance; Improve and realign. At each level (business metrics, IT metrics, process metrics) the outcome measures of the lower level serve as performance indicators for the level above.

Page 34: Cobit 41 framework

Overall COBIT Framework

[Figure residue; the labels of the overall COBIT framework diagram are listed below.]

Business objectives and governance objectives

Information criteria: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability

IT resources: Applications, Information, Infrastructure, People

Plan and Organise:

PO1 Define a strategic IT plan.
PO2 Define the information architecture.
PO3 Determine technological direction.
PO4 Define the IT processes, organisation and relationships.
PO5 Manage the IT investment.
PO6 Communicate management aims and direction.
PO7 Manage IT human resources.
PO8 Manage quality.
PO9 Assess and manage IT risks.
PO10 Manage projects.

Acquire and Implement:

AI1 Identify automated solutions.
AI2 Acquire and maintain application software.
AI3 Acquire and maintain technology infrastructure.
AI4 Enable operation and use.
AI5 Procure IT resources.
AI6 Manage changes.
AI7 Install and accredit solutions and changes.

Deliver and Support:

DS1 Define and manage service levels.
DS2 Manage third-party services.
DS3 Manage performance and capacity.
DS4 Ensure continuous service.
DS5 Ensure systems security.
DS6 Identify and allocate costs.
DS7 Educate and train users.
DS8 Manage service desk and incidents.
DS9 Manage the configuration.
DS10 Manage problems.
DS11 Manage data.
DS12 Manage the physical environment.
DS13 Manage operations.

Monitor and Evaluate:

ME1 Monitor and evaluate IT performance.
ME2 Monitor and evaluate internal control.
ME3 Ensure compliance with external requirements.
ME4 Provide IT governance.

Page 35: Cobit 41 framework
Page 36: Cobit 41 framework

For further information, contact:

Yulias Caesar Sihombing/BPKP

[email protected]

http://facebook.com/Si.Om.Bing

id.linkedin.com/yulias-sihombing-ak-mak-cia