CobiT 5
Transcription
CobiT 5
Preview of COBIT® 5 (Differences between v4.0/4.1 and v5) December 8, 2011 AGENDA ► ► ► ► ► ► ► ► Introductions Quick COBIT® Overview Drivers of COBIT®5 – Increased focus on Enterprise Governance Benefits of COBIT®5 Updated Process Model Details of the Change New - COBIT® 5 Process Capability Model Wrap Up Page 2 Preview of COBIT5 COBIT® - An Overview COBIT® 4.1 – The IT governance framework CCobiT OBIT best practices repository for • • • • • IT Processes IT Management Processes IT Governance Processes • • The only IT management • and control framework • that covers the end-to-end IT life cycle Page 4 Preview of COBIT5 Internationally accepted good practices Management-oriented Supported by tools and training Freely available Sharing knowledge and leveraging expert volunteers Continually evolving Maintained by reputable notfor-profit organization Maps strongly to all major related standards Is a reference, set of best practices, not an “off-theshelf” cure COBIT® history COBIT® has evolved from an auditor„s tool to an IT governance framework, used increasingly by IT management Governance Management Control Audit COBIT 1 1996 Page 5 COBIT 2 COBIT 3 COBIT 4 1998 2000 2005 Preview of COBIT5 Introduction to COBIT® Page 6 Preview of COBIT5 Waterfall model The control of IT Processes that satisfy Business Requirements is enabled by Control Statements considering Control Practices 4 Domains - 34 Processes - 210 Control Objectives Page 7 Preview of COBIT5 Process orientation Domains Natural grouping of processes, often matching an organizational domain of responsibility A series of joined activities with natural control breaks Processes Activities or tasks Page 8 Actions needed to achieve a measurable result—activities have a life cycle whereas tasks are discrete Preview of COBIT5 Process Orientation IT Domains • Plan and Organize • Acquire and Implement • Deliver and Support • Monitor and Evaluate Natural grouping of processes, often matching an organisational domain of responsibility Page 9 IT Processes • • • • • • • IT strategy Computer operations Incident handling Acceptance testing Change management Contingency planning Problem management A series of joined activities with natural (control) breaks Preview of COBIT5 Activities • • • • • Record new problem. Analyse. Propose solution. Monitor solution. Record known problem. Actions needed to achieve a measurable result— activities have a life cycle whereas tasks are discrete COBIT® processes Planning and Organizing Acquire and Implement Page 10 PO1 PO2 PO3 PO4 PO5 PO6 PO7 PO8 PO9 PO10 Define and IT Strategic Plan Define the Information Architecture Determine Technological Direction Define the IT Processes, Organisation and Relationships Manage the IT Investment Communicate Management Aims and Direction Manage IT Human Resources Manage Quality Assess and Manage IT Risks Manage Projects AI1 AI2 AI3 AI4 AI5 AI6 AI7 Identify Automated Solutions Acquire and Maintain Application Software Acquire and Maintain Technology Infrastructure Enable Operation and Use Procure IT Resources Manage Changes Install and Accredit Solutions and Changes Preview of COBIT5 COBIT® processes Deliver and Support Monitor and Evaluate Page 11 DS1 DS2 DS3 DS4 DS5 DS6 DS7 DS8 DS9 DS10 DS11 DS12 DS13 Define and Manage Service Levels Manage Third-party Services Manage Performance and Capacity Ensure Continuous Service Ensure Systems Security Identify and Allocate Costs Educate and Train Users Manage Service Desk and Incidents Manage the Configuration Manage Problems Manage Data Manage the Physical Environment Manage Operations ME1 ME2 ME3 ME4 Monitor and Evaluate IT Performance Monitor and Evaluate Internal Control Ensure Regulatory Compliance Provide IT Governance Preview of COBIT5 COBIT® framework Criteria Business Objectives IT Resources Monitor and Evaluate • • • • • Effectiveness Efficiency Confidentiality Integrity Availability Compliance Reliability Data Application Systems Technology Facilities People Plan and Organise Deliver and Support Page 12 • • • • • • • Acquire and Implement Preview of COBIT5 COBIT® IT processes PO1 PO2 PO3 PO4 ME1 ME2 ME3 ME4 Monitor and evaluate IT performance. Monitor and evaluate internal control. Ensure regulatory compliance. Provide IT governance. PO7 PO8 PO9 PO10 Monitor and Evaluate DS1 DS2 DS3 DS4 DS5 DS6 DS7 DS8 DS9 DS10 DS11 DS12 DS13 Page 13 Define and manage service levels. Manage third-party services. Manage performance and capacity. Ensure continuous service. Ensure systems security. Identify and allocate costs. Educate and train users. Manage service desk and incidents. Manage the configuration. Manage problems. Manage data. Manage the physical environment. Manage operations. PO5 PO6 Information Deliver and Support Preview of COBIT5 Define a strategic IT plan. Define the information architecture. Determine technological direction. Define the IT processes, organisation and relationships. Manage the IT investment. Communicate management aims and direction. Manage IT human resources. Manage quality. Assess and manage IT risks. Manage projects. Plan and Organize Acquire and Implement AI1 Identify automated solutions. AI2 Acquire and maintain application software. AI3 Acquire and maintain technology infrastructure. AI4 Enable operation and use. AI5 Procure IT resources. AI6 Manage changes. AI7 Install and accredit solutions and changes. Linking business goals to IT goals Page 14 Preview of COBIT5 Linking IT goals to IT processes Page 15 Preview of COBIT5 For 34 IT processes you have … Process description IT domain & Information indicators IT goals Process goals Key practices Key metrics IT governance & IT resource Page 16 Preview of COBIT5 Five focus areas of IT governance aligning with the business and providing collaborative solutions 2. Value Delivery focus on IT costs and proof of value safeguarding assets, business continuity and compliance 4. Resource Management IT assets, knowledge, infrastructure and partners. 5. Performance Measurement metrics, IT Scorecards and dashboards Page 17 Preview of COBIT5 Are we getting the benefits? V ic t D alu g eli e te n ve ra me t ry S ign l A IT ance t orm n Perf sureme Mea 3. Risk Management Are we doing the right things? Are we doing them the right way? Governance Domains Resource Management R Man isk agem ent FOCUS AREAS 1. Strategic Alignment Are we getting them done well? Governance lifecycle Page 18 Preview of COBIT5 COBIT®5 Update COBIT ®5 initiative ► The initiative charge from the Board of Directors: ► ► “tie together and reinforce all ISACA knowledge assets with COBIT.” The COBIT 5 Task Force: ► ► Page 20 experts from ISACA constituency groups reports to the Framework Committee and then the Knowledge Board Preview of COBIT5 Major Drivers for COBIT® 5 News ► ► Increased Focus on Enterprise Governance Link and reinforce all ISACA‟s Guidance ► ► ► ► ► ► Primary - VAL IT, Risk IT Considering BMIS, ITAF, TGF, Board Briefing Need to connect to other frameworks and standards (such as, ITIL, PMBOK, Prince2, TOGAF, ISO) Further guidance in high interest areas Improve ease of use, consistency in concepts, terminology, & level of detail Scope covers full end-to-end business and IT functional responsibilities Page 21 Preview of COBIT5 News Focus on Enterprise Governance Increased ► Concepts ► ► ► ► ► Page 22 and Objectives Enterprises exist to deliver value to their Stakeholders Achieved within value and risk parameters and use of resources responsibly Governance system “steers” via means and mechanisms within an effective structure Incident caused and legislative driven need Governance at the top of the agenda for most enterprises Preview of COBIT5 Governance Objective Page 23 Preview of COBIT5 Responding Features from COBIT®5 News ► ► ► ► ► ► ► Practical guidance with consideration of all, unique stakeholders Non-technical overarching framework Clear distinction between governance and management Scope addressing management and governance of information Clear migration guidance from prior versions Process model updates addressing innovation and emerging technologies Addressing governance enablers such as behavior, skills and decision making Page 24 Preview of COBIT5 Distinction between Governance and Management Processes Page 25 Preview of COBIT5 COBIT ®5 Governance Enablers Processes Service Capabilities Culture, Ethics, Behaviour Skills & Competencies Principles & Policies Page 26 Preview of COBIT5 Organisational Structures Information Benefits of Using COBIT® 5 ► ► ► Enterprise wide benefits: ► Increased value creation through effective governance and management of enterprise information and technology assets ► Increased business user satisfaction with IT engagement and services–IT seen as a key enabler. ► Increased compliance with relevant laws, regulations and policies IT function becomes more business focused Increases the COBIT ® 5 users‟ contribution to the enterprise Page 27 Preview of COBIT5 Process News Reference Model ► ► ► ► ► ► ► Represents all the processes normally found in an enterprise relating to IT Provides a common reference model understandable to IT and business managers. Provides a common language Provides a framework for measuring, monitoring IT performance, communicating with service providers, and integrating best mgmt. practices Subdivides governance (1) and management (4) domains. 36 Processes VAL IT and Risk IT integrated Page 28 Preview of COBIT5 Process Reference Model Page 29 Preview of COBIT5 Review Newsof Process Changes ► ► 4 Domains to 5 Domains (1 Governance & 4 Management) Domains have 3-character acronyms vs. 2-character acronyms: ► ► ► ► ► ► EDM (Evaluate, Direct & Monitor) APO (Align, Plan & Organization) BAI (Build, Acquire & Implement) DSS (Deliver, Service & Support) MEA (Monitor, Evaluate & Assess) 34 COBIT4.1 processes to 5 Governance processes and 31 Management processes in COBIT 5 = 36 processes Page 30 Preview of COBIT5 Review Newsof Process Changes ► New and modified processes ► ► ► ► ► ► ► ► ► Page 31 APO3 – Manage Enterprise Architecture (combo of PO2 and PO3) APO4 – Management Innovation (new) APO5 – Manage Portfolio (previous PO5 Manage IT Investments) APO6 – Manage Budget and Costs (previous PO5 IT Investments) APO8 – Manage Relationships (new) BAI5 – Enable Organizational Change (new) BAI8 – Knowledge Management (new) DSS2 – Manage Assets (new) DSS8 – Manage Business Process Controls (new) Preview of COBIT5 Process Enabler Model Page 32 Preview of COBIT5 Process News Reference Guide ► ► A separate publication that expands on the process-enabler model Contains full details of the COBIT processes in a similar way to the process documentation in COBIT 4.1 ► Process description and purpose ► Goals cascade (enterprise and IT) ► Process goals and metrics ► Process practices, activities and inputs/Outputs at practice level ► RACI Chart ► Integrates contents of 4.1, VAL IT and RISK IT ► Mapping between COBIT 5 and Legacy ISACA Frameworks Page 33 Preview of COBIT5 ®5 Most important differences between COBIT News and earlier versions. ► ► ► ► Architecture changes emphasizing systemic nature of a governance and management system Process Model changes Integration of COBIT, VAL IT, Risk IT with explicit structural differentiation between governance and management processes Framework components reviewed and simplified Page 34 Preview of COBIT5 Architecture Change Principles News ► Alignment with the most up-to-date views on Governance as expressed in the Taking Governance Forward initiative and ISO/IEC 38500, resulting in an overarching architecture with o o ► Systemic nature of enterprise governance, demonstrated by o o Stakeholder driven governance and management of enterprise IT. Governance Objectives being defined in terms of Value, Risk and Resource Use optimization. A set of interconnected and interrelated enablers to support governance of enterprise IT and ensure objectives are achieved Note: ISO/IEC 38500 Corporate governance of information technology standard, provides a framework for effective governance of IT to assist those at the highest level of organizations to understand and fulfill their legal, regulatory, and ethical obligations in respect of their organizations‟ use of IT. Page 35 Preview of COBIT5 COBIT News®5 Architecture Stakeholder Needs Governance Objectives: Value Existing ISACA Guidance (Benefits, Risk, Resource) Risk IT, BMIS, …) (COBIT, Val IT, Other Standards and Frameworks COBIT 5 Enablers Processes Culture, Ethics, Behaviour Service Capabilities Skills and Competencies Principles and Policies Organisational Structures Information COBIT 5 Knowledge Base Current guidance and contents Structure for future contents Knowledge Base Content Filter COBIT 5 Product Family COBIT 5: The Framework COBIT 5 Enabler Guides COBIT 5 : Process Reference Guide Other Enabler Guidance COBIT 5 Practice Guides COBIT 5 : Framework Implementation Guide Other Practice Guides COBIT 5 for Security COBIT 5 Online Collaborative Environment Page 36 Preview of COBIT5 Process News Model Change Principles ► Addition of a separate „Governance‟ domain, which contains five separate governance processes for enterprise IT (5 Domains) ► Continuation of the „Management‟ domains concept, where 31 processes are included, spread over four domains. Domains, although they have now 3- character acronyms compared to 2-character acronyms in COBIT 4.1. (PO, AI, DS, ME to EDM, APO, BAI, DSS, MEA) ► Some of the processes are very similar to their predecessors, some are a consolidation of processes in earlier frameworks, and some new processes have been added. Page 37 Preview of COBIT5 Framework News Component Changes ► The names have been changed from Business Goals to Enterprise Goals, and from IT Goals to IT Related Goals in order to better reflect that COBIT ® 5 is intended for all sorts of enterprises, not only commercial environments, and the fact that COBIT ® 5 is not only about making sure the IT function is performing, but also that the business functions assume their responsibility in providing the right direction, making good use of IT, and following up on IT investments and use. ► There are now 17 Enterprise Goals and also 17 IT Related goals. The goals are now also written more as outcome statements. ► The stakeholders for IT are now explicitly named, and there are also some illustrative stakeholder issues included in the guidance to show how the framework addresses them. Page 38 Preview of COBIT5 News Goals Enterprise Page 39 Preview of COBIT5 ITNews Related Goals Page 40 Preview of COBIT5 NewsStakeholder Needs Internal Page 41 Preview of COBIT5 News Stakeholder Needs External Page 42 Preview of COBIT5 The NEW COBIT ® 5 News Process Capability Model ► Process Capability Model ► Based on ISO/IEC 15504 “Software Engineering – Process Assessment Std.” ► Different from the COBIT ® 4.1 Maturity Model in design and use. ► Focus on capability Page 43 Preview of COBIT5 Process News Capability Model Characteristics Six levels of capability including “incomplete” ► Each level can only be achieved only when the level below is fully achieved ► Level 1 is “largely achieved” and benefits realized by the organization ► Higher capabilities add differing attributes and benefits ► Page 44 Preview of COBIT5 News - COBIT ®5 PCM and COBIT ®4.1 MM Differences ► ► ► ► ► Page 45 Naming and meaning of levels are different Process is described in terms of its purpose and outcomes Maturity level in COBIT ®4 and capability level in COBIT ®5 are not directly comparable and cannot be used interchangeably or mixed. Scores in COBIT ®5 will be lower due to completion of all process capabilities at lower level Nine Process Capability Attributes (v5) vs. six maturity Attributes (v4) Preview of COBIT5 COBIT 4.1 Maturity Model Comparison to COBIT 5 Process Capability Levels Page 46 Preview of COBIT5 Comparison of v4 Maturity Attributes vs. V5 Process Capability Attributes Page 47 Preview of COBIT5 News®5 Preview Summary COBIT ► COBIT ®5 Major changes Consolidation of frameworks ► Adjustment of domains and processes ► ► ► ► Page 48 4 to 5 domains 34 to 36 IT Processes Assessment process changed to focus on Capability using ISO 15504 Preview of COBIT5 The COBIT® 5 Framework – What will be delivered? ► An enterprise wide, “end-to-end” framework addressing governance and management of information and related technology ► The framework structure will include familiar components such as a domain/process model and other components such as governance/management practices, RACI charts and inputs/outputs. ► An initial publication introduces, defines and describes the components that make up the COBIT®5 Framework ► Principles ► Architecture ► Enablers ► Introduction to implementation guidance and the COBIT process assessment approach Page 49 Preview of COBIT5 COBIT® 5 news • As the initiative progresses throughout 2011 and 2012 there will be periodic updates provided: On the ISACA web site, www.isaca.org/COBIT5 In the COBIT Focus newsletter In other ISACA membership communications, events, marketing materials and PR activities • Watch these spaces for more news! Page 50 Preview of COBIT5 Thank you Contact details: Ernst & Young’s IT Risk Management Center of Excellence Josh Turcotte, CISA Email: [email protected] Phone: (214) 969 0678 (Dallas) Stacey Hamaker, CISA CIA Email: [email protected] Phone: (214) 969 8832 (Dallas) This presentation contains materials that are property of ISACA and Ernst & Young. All rights reserved. Page 51 Preview of COBIT5
Similar documents
Comparing COBIT 4.1 and COBIT 5
main areas—governance and management—with management further divided into domains of processes: • The GOVERNANCE domain contains five governance processes; within each process, evaluate, direct and...
More information