
INFORMATION TECHNOLOGY GOVERNANCE

COBIT
Group members: Naeem, Jonathan, Rohani, Kazeem

PRESENTATION OUTLINE
- Governance and the Top management
- Effective ITG & COBIT
- ITG Focus Areas
- COBIT
- COBIT & ITG
- COBIT products, Framework, Components, History of COBIT
- COBIT structure
- COBIT & INDUSTRIES
- COBIT Mapping
- COBIT 4.1
- COBIT & UIA
- CONCLUSION

GOVERNANCE
Boards and executive management have long known the need for enterprise and corporate governance. However, most are only beginning to realize that governance must be extended to information technology as well, providing the leadership, organisational structures and processes that ensure that the enterprise's IT sustains and extends the enterprise's strategies and objectives.

THE BOARD'S EXPECTATIONS
- Deliver quality IT solutions
  - On time
  - On budget
- Harness and exploit IT to return business value
- Leverage IT to increase efficiency and productivity
- Manage IT risks

WHAT THE BOARD SEES
- Business losses
- Damaged reputations or weakened competitive positions
- Unmet deadlines
- Higher-than-expected costs
- Lower-than-expected quality
- Failure of IT initiatives to deliver promised benefits

SOLUTION
An effective ITG:
- Protects shareholder value
- Makes clear that IT risks are qualified and understood
- Directs and controls IT investment, opportunity, benefits and risks
- Aligns IT with the business while accepting IT as a critical input to and component of the strategic plan, influencing strategic opportunities
- Sustains current operations and prepares for the future
- Is an integral part of the global governance structure

HOW COBIT LOOKS AT EFFECTIVE ITG
An answer to these requirements of determining and monitoring the appropriate IT control and performance level is COBIT's definition of:
- Benchmarking of IT process performance and capability, expressed as maturity models, derived from the Software Engineering Institute's Capability Maturity Model (CMM)
- Goals and metrics of the IT processes to define and measure their outcome and performance, based on the principles of Robert Kaplan and David Norton's balanced business scorecard
- Activity goals for getting these processes under control, based on COBIT's control objectives

ITG Focus Areas
- Strategic alignment focuses on ensuring the linkage of business and IT plans; defining, maintaining and validating the IT value proposition; and aligning IT operations with enterprise operations.
- Value delivery is about executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimising costs and proving the intrinsic value of IT.
- Resource management is about the optimal investment in, and the proper management of, critical IT resources: applications, information, infrastructure and people. Key issues relate to the optimisation of knowledge and infrastructure.
- Risk management requires risk awareness by senior corporate officers, a clear understanding of the enterprise's appetite for risk, understanding of compliance requirements, transparency about the significant risks to the enterprise and embedding of risk management responsibilities into the organisation.
- Performance measurement tracks and monitors strategy implementation, project completion, resource usage, process performance and service delivery, using, for example, balanced scorecards that translate strategy into action to achieve goals measurable beyond conventional accounting.

What is COBIT
The Control Objectives for Information and related Technology (COBIT) is a set of best practices (framework) for information technology (IT) management created by the Information Systems Audit and Control Association (ISACA), and the IT Governance Institute (ITGI) in 1992. COBIT provides managers, auditors, and IT users with a set of generally accepted measures, indicators, processes and best practices to assist them in maximizing the benefits derived through the use of information technology and developing appropriate IT governance and control in a company.

COBIT & ITG
COBIT supports IT governance by providing a framework to ensure that:
- IT is aligned with the business
- IT enables the business and maximises benefits
- IT resources are used responsibly
- IT risks are managed appropriately

COBIT & ITG


These IT governance focus areas describe the topics that executive management needs to address to govern IT within their enterprises. Operational management uses processes to organise and manage ongoing IT activities. COBIT provides a generic process model that represents all the processes normally found in IT functions, providing a common reference model understandable to operational IT and business managers. The COBIT process model has been mapped to the IT governance focus areas, providing a bridge between what operational managers need to execute and what executives wish to govern. To achieve effective governance, executives require that controls be implemented by operational managers within a defined control framework for all IT processes. COBIT's IT control objectives are organised by IT process; therefore, the framework provides a clear link among IT governance requirements, IT processes and IT controls.

COBIT PRODUCTS
The COBIT products have been organised into three levels designed to support:
- Executive management and boards
- Business and IT management
- Governance, assurance, control and security professionals

COBIT Content diagram

The COBIT framework


COBIT is a framework and supporting tool set that allow managers to bridge the gap with respect to control requirements, technical issues and business risks, and communicate that level of control to stakeholders. COBIT enables the development of clear policies and good practice for IT control throughout enterprises. COBIT is continuously kept up to date and harmonised with other standards and guidance. Hence, COBIT has become the integrator for IT good practices and the umbrella framework for IT governance that helps in understanding and managing the risks and benefits associated with IT. The process structure of COBIT and its high-level, business-oriented approach provide an end-to-end view of IT and the decisions to be made about IT.

Interrelationships of COBIT components

Benefits of COBIT as a governance framework
- Better alignment, based on a business focus
- A view, understandable to management, of what IT does
- Clear ownership and responsibilities, based on process orientation
- General acceptability with third parties and regulators
- Shared understanding amongst all stakeholders, based on a common language
- Fulfilment of the COSO requirements for the IT control environment

History of COBIT
COBIT has had four major releases:
- In 1996, the first edition of COBIT was released.
- In 1998, the second edition added "Management Guidelines".
- In 2000, the third edition was released.
- In 2003, an on-line version became available.
- In December 2005, the fourth edition was initially released.
- In May 2007, the current 4.1 revision was released.

COBIT Contd
COBIT 4.1 has 34 high-level processes that cover 210 control objectives categorized in four domains: Planning and Organization, Acquisition and Implementation, Delivery and Support, and Monitoring and Evaluation. COBIT provides benefits to managers, IT users, and auditors. Managers benefit from COBIT because it provides them with a foundation upon which IT-related decisions and investments can be based. Decision making is more effective because COBIT aids management in defining a strategic IT plan, defining the information architecture, acquiring the necessary IT hardware and software to execute an IT strategy, ensuring continuous service, and monitoring the performance of the IT system. IT users benefit from COBIT because of the assurance provided to them by COBIT's defined controls, security, and process governance. COBIT benefits auditors because it helps them identify IT control issues within a company's IT infrastructure. It also helps them corroborate their audit findings.

COBIT Structure
COBIT covers four domains:
- Plan and Organize
- Acquire and Implement
- Deliver and Support
- Monitor and Evaluate

Plan and Organize


This domain covers strategy and tactics and concerns the identification of the way IT can best contribute to the achievement of the business objectives. Furthermore, the realization of the strategic vision needs to be planned, communicated and managed from different perspectives. Finally, a proper organization as well as a technological infrastructure must be put in place.

IT processes for P&O
PO1 Define a Strategic IT Plan and Direction
PO2 Define the Information Architecture
PO3 Determine Technological Direction
PO4 Define the IT Processes, Organization and Relationships
PO5 Manage the IT Investment
PO6 Communicate Management Aims and Direction
PO7 Manage IT Human Resources
PO8 Manage Quality
PO9 Assess and Manage IT Risks
PO10 Manage Projects

Acquisition and Implementation


To realize the IT strategy, IT solutions need to be identified, developed or acquired, as well as implemented and integrated into the business process. In addition, changes in and maintenance of existing systems are covered by this domain, to make sure that the life cycle is continued for these systems.

IT processes for A&I
AI1 Identify Automated Solutions
AI2 Acquire and Maintain Application Software
AI3 Acquire and Maintain Technology Infrastructure
AI4 Enable Operation and Use
AI5 Procure IT Resources
AI6 Manage Changes
AI7 Install and Accredit Solutions and Changes

Delivery and support


This domain is concerned with the actual delivery of required services, which ranges from traditional operations, through security and continuity aspects, to training. In order to deliver services, the necessary support processes must be set up. This domain includes the actual processing of data by application systems, often classified under application controls.

IT processes for D&S


DS1 Define and Manage Service Levels
DS2 Manage Third-party Services
DS3 Manage Performance and Capacity
DS4 Ensure Continuous Service
DS5 Ensure Systems Security
DS6 Identify and Allocate Costs
DS7 Educate and Train Users
DS8 Manage Service Desk and Incidents
DS9 Manage the Configuration
DS10 Manage Problems
DS11 Manage Data
DS12 Manage the Physical Environment
DS13 Manage Operations

Monitoring
All IT processes need to be regularly assessed over time for their quality and compliance with control requirements. This domain thus addresses management's oversight of the organization's control process and the independent assurance provided by internal and external audit or obtained from alternative sources.

IT processes for Monitoring


ME1 Monitor and Evaluate IT Processes
ME2 Monitor and Evaluate Internal Control
ME3 Ensure Regulatory Compliance
ME4 Provide IT Governance

COBIT & INDUSTRIES
How Organizations Around the World Are Customizing COBIT to Their Benefit
- Consulting/IT
- Government
- Education
- Manufacturing/Transportation
- Financial Services/Insurance

COBIT Mapping
- Val IT
- COSO
- ISO/IEC 17799
- ITIL
- PMBOK

VAL IT
Val IT is a suite of documents that provide a framework for the governance of IT investments, produced by the IT Governance Institute (ITGI). It is a formal statement of principles and processes for IT portfolio management. Val IT allows business managers to get business value from IT investments by providing a governance framework that consists of a set of guiding principles, and a number of processes conforming to those principles that are further defined as a set of key management practices. The major processes are:
- Value Governance (VG prefix)
- Portfolio Management (PM prefix)
- Investment Management (IM prefix)

Relationship to COBIT
Val IT is tightly integrated with COBIT Version 4, also from the Information Systems Audit and Control Association (a.k.a. ISACA). The Framework document explains the difference between COBIT and Val IT as follows: Val IT extends and complements COBIT, which provides a comprehensive control framework for IT governance. Specifically, Val IT focuses on the investment decision (are we doing the right things?) and the realisation of benefits (are we getting the benefits?), while COBIT focuses on the execution (are we doing them the right way, and are we getting them done well?)

COBIT 4.1
COBIT 4.1 is an incremental update to COBIT 4.0. It includes streamlined control objectives and application controls, improved process controls and an enhanced explanation of performance measurement. COBIT 4.1 consists of four sections:
- The executive overview
- The framework
- The core content (control objectives, management guidelines and maturity models)
- Appendices (mappings and cross references, additional maturity model information, reference material, a project description and a glossary)

COBIT appeals to different users


- Executive management: to obtain value from IT investments and balance risk and control investment in an often unpredictable IT environment
- Business management: to obtain assurance on the management and control of IT services provided by internal or third parties
- IT management: to provide the IT services that the business requires to support the business strategy in a controlled and managed way
- Auditors: to substantiate their opinions and/or provide advice to management on internal controls

COBIT & UIA
http://www.iiu.edu.my/itd/ictgov/index.php/ict-best-practices/cobit.html

CONCLUSION
Successful organizations understand the benefits of information technology (IT) and use this knowledge to drive their shareholders' value. They recognize the critical dependence of many business processes on IT, the importance of delivering the value promised by IT, the need to comply with increasing regulatory compliance demands and the benefits of managing risk effectively. To aid organizations in successfully linking business and IT goals to meet today's business challenges, the COBIT framework has clearly considered the needs of every stakeholder, right from the Board to the users. COBIT is oriented toward the objectives and scope of IT governance, ensuring that its control framework is comprehensive, in alignment with enterprise governance principles and, therefore, acceptable to boards, executive management, auditors and regulators.
