COBIT
DESCRIPTION
Explaining IT Governance using COBIT, course material at IMTelkom (http://www.imtelkom.ac.id)
TRANSCRIPT
COBIT
Control Objectives for Information and related Technology
Management of I and T
• Increasing dependence of the enterprise on information and on the systems that provide it
• Increasing vulnerability to threats
• Increasing scope and cost of investment in the field of I and T
• Increasing capability of technology to transform organizations and business practices, while at the same time creating new opportunities and reducing costs
IT Awareness Phases
1. Centralized Information and Technology: an institution in which everything related to IT is assigned to one unit
2. Distributed Information and Technology: an institution in which IT-related matters are assigned to the unit concerned
3. Distributed Role: an institution in which every unit is aware of its own authority within the business process
[Diagram: information system (sisfo) linking several sales units and management; Business Process Owner]
3 Actors in a business process:
1. Submitter
2. Approval
3. Execution
3 Roles in a business process:
1. Data Owner
2. Application Owner
3. Business Process Owner
Management's Questions
• How far should we go in IT?
• Is the cost justified by the benefit?
• What are the indicators of good performance?
• What are the critical success factors?
• What are the risks of not achieving our objectives?
• What do others do?
• How do we measure and compare?
Support vs. Enabler
• IT as Support: the enterprise puts operations first and treats them as its backbone; IT functions as a supporter of operations
• IT as Enabler: the enterprise puts IT first as the backbone that drives operations; operations exist only once IT is in place
IT Management Guideline
1. Key Goal Indicators
2. Key Performance Indicators
3. Critical Success Factors
4. Maturity Models
Control
• Definition: policies, procedures, practices, and organizational structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected
IT Control Objective
• Definition: statement of the desired result or purpose to be achieved by implementing control procedures in a particular IT activity
IT Governance
• Definition: a structure of relationships and processes to direct and control the enterprise in order to achieve the enterprise's goals by adding value while balancing risk versus return over IT and its processes
1. Enterprise's Goal
2. Business Process
3. Risk
4. Control
IT Governance
1. IT is aligned with the business, enables the business and maximizes benefits
2. IT resources are used responsibly
3. IT related risks are managed appropriately
Direct
Report
1. Manage risks:
 1. Security
 2. Reliability
 3. Compliance
2. Realize benefits:
 1. Increase automation
 2. Decrease cost
Control vs. Risk
• Management must decide on an investment large enough to guarantee security and control in the field of IT
• Management must be able to balance Risk against Control, even in an environment as unpredictable as IT
• Security and Control only manage Risk; they cannot eliminate it
• The level of Risk cannot be known or measured with certainty
• Management must decide the level of Risk that remains acceptable to the enterprise
Control Objective Level
1. Primary: the degree to which the defined control objective directly impacts the information criterion concerned
2. Secondary: the degree to which the defined control objective satisfies only to a lesser extent or indirectly the information criterion concerned
3. Blank: could be applicable; however, requirements are more appropriately satisfied by another criterion in this process and/or by another process
Sales Data
Sales Order information:
1. Product name: Speedy
2. Bandwidth: 1 Mbps
3. Selling price: Rp 800.000,-
4. Customer name: PT. Air Muncul
5. Address: Jl. Telekomunikasi 1x
6. Customer type: ISP
7. Owner name: Mr. Bambang
8. Owner phone number: 022-70707070
Control Objective Principle
[Diagram: "the control of ... which satisfy ... is enabled by ... considering ..."; labelled elements: Process, Control, COBIT IT Process, IT Resources]
• 7 Information criteria
• 5 IT Resources
• 4 Domains
• 34 Control Objectives
• 318 Measurements
Information
1. Effectiveness
2. Efficiency
3. Confidentiality
4. Integrity
5. Availability
6. Compliance
7. Reliability
Information
1. Effectiveness: how relevant and pertinent information is to the business process, as well as its being delivered in a timely, correct, consistent, and usable manner
2. Efficiency: concerns the provision of information through optimal use of resources
3. Confidentiality: concerns the protection of sensitive information from unauthorized disclosure
4. Integrity: relates to the accuracy and completeness of information as well as to its validity
5. Availability: relates to information being available when required by the business process, now and in the future
6. Compliance: deals with complying with those laws, regulations, and contractual arrangements to which the business process is subject
7. Reliability: relates to the provision of appropriate information for management to operate the entity and to exercise its financial and compliance reporting responsibilities
IT Resources
1. People
2. Application system
3. Technology
4. Facilities
5. Data
IT Resources
1. People: including staff skills, awareness, and productivity to plan, organize, acquire, deliver, support, and monitor information systems and services
2. Application system: the sum of manual and programmed procedures
3. Technology: covers hardware, OS, DBMS, network, multimedia, etc.
4. Facilities: all resources to house and support information systems
5. Data: objects in their widest sense (external and internal), structured and unstructured, graphics, sound, etc.
Planning & Organization
PO1: define a strategic IT plan
PO2: define the information architecture
PO3: determine the technological direction
PO4: define the IT organization and relationships
PO5: manage the IT investment
PO6: communicate management aims and direction
PO7: manage human resources
PO8: ensure compliance with external requirements
PO9: assess risks
PO10: manage projects
PO11: manage quality
Acquisition & Implementation
AI1: identify automated solutions
AI2: acquire and maintain application software
AI3: acquire and maintain technology infrastructure
AI4: develop and maintain procedures
AI5: install and accredit systems
AI6: manage changes
Delivery & Support
DS1: define and manage service levels
DS2: manage third-party services
DS3: manage performance and capacity
DS4: ensure continuous service
DS5: ensure systems security
DS6: identify and allocate costs
DS7: educate and train users
DS8: assist and advise customers
DS9: manage the configuration
DS10: manage problems and incidents
DS11: manage data
DS12: manage facilities
DS13: manage operations
Monitoring
M1: monitor the process
M2: assess internal control adequacy
M3: obtain independent assurance
M4: provide for independent audit