Business & IT
ITG using COBIT

Successful organisations require an appreciation for and a basic understanding of the risks and constraints of IT at all levels within the enterprise in order to achieve effective direction and adequate controls. COBIT provides such a control and security framework for IT.

erwin.sutomo
http://blog.stikom.edu/erwin

Forces Driving IT Governance
• Compliance
• Business/IT Alignment
• ROI
• Project Execution
• Security
IT Governance Needs a Management Framework

IT Governance Domains
• Strategic Alignment
• Value Delivery
• Risk Management
• Resource Management
• Performance Measurement
Driving Forces Map Onto the IT Governance Domains

COBIT 4.1—The IT Governance Framework
COBIT: a best-practices repository for IT Processes, IT Management Processes and IT Governance Processes
• The only IT management and control framework that covers the end-to-end IT life cycle
• Internationally accepted good practices
• Management-oriented
• Supported by tools and training
• Freely available at www.itgi.org
• Sharing knowledge and leveraging expert volunteers
• Continually evolving
• Maintained by a reputable not-for-profit organisation
• Maps strongly to all major related standards
• Is a reference, a set of best practices, not an ‘off-the-shelf’ cure
• Enterprises still need to analyse their control requirements and customise based on:
  • Value drivers
  • Risk profile
  • IT infrastructure, organisation and project portfolio

Where COBIT Typically Sits
• Governance Layer: COSO
• IT Governance Layer: COBIT
• IT Management Layer: ITIL, CMM, ISO 27001, ISO 17799

Concepts That Underpin COBIT
COBIT framework specifics
• “Control” is defined as the policies, procedures, practices and organisational structures designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented or detected and corrected.
• “IT control objective” is defined as a statement of the desired result or purpose to be achieved by implementing control procedures in a particular IT activity.

COBIT Cube: Processes, Resources and Information Criteria
Key driving forces for COBIT:
• Business Requirements (what the stakeholders expect from IT): Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Information reliability
• IT Resources (the resources made available to—and built up by—IT): Data, Application systems, Technology, Facilities, People
• IT Processes (how IT is organised to respond to the requirements): Plan and Organise, Acquire and Implement, Deliver and Support, Monitor and Evaluate

How Does COBIT Link to ITG?
Business Goals → Governance Requirements → IT Control Objectives
• Flowing downwards: direction and resourcing; responsibilities
• Flowing upwards: the information the business needs to achieve its objectives; the information executives and the board need to exercise their responsibilities

IT Governance Process Orientation
• Domains: a natural grouping of processes, often matching an organisational domain of responsibility
• Processes: a series of joined activities with natural control breaks
• Activities or Tasks: actions needed to achieve a measurable result—activities have a life cycle, whereas tasks are discrete

Process Orientation (examples)
IT Domains:
• Plan and Organise
• Acquire and Implement
• Deliver and Support
• Monitor and Evaluate
IT Processes:
• IT strategy
• Computer operations
• Incident handling
• Acceptance testing
• Change management
• Contingency planning
• Problem management
Activities:
• Record new problem.
• Analyse.
• Propose solution.
• Monitor solution.
• Record known problem.
• Etc.

Process Orientation: Domains (Plan and Organise)
Description
• This domain covers strategy and tactics, and concerns the identification of the way IT can best contribute to the achievement of the business objectives. The realisation of the strategic vision needs to be planned, communicated and managed from different perspectives. Proper organisation and technological infrastructure must be put in place.
Topics
• Strategy and tactics
• Vision planned
• Organisation and infrastructure
Questions
• Are IT and the business strategy aligned?
• Is the enterprise achieving optimum use of its resources?
• Does everyone in the organisation understand the IT objectives?
• Are IT risks understood and being managed?
• Is the quality of IT systems appropriate for business needs?

Waterfall Model
The control of IT Processes, which satisfy Business Requirements, is enabled by Control Statements, considering Control Practices.
COBIT 4.1: 4 Domains - 34 Processes - 210 Control Objectives

COBIT Processes
Plan and Organise
• PO1 Define an IT strategic plan.
• PO2 Define the information architecture.
• PO3 Determine technological direction.
• PO4 Define the IT processes, organisation and relationships.
• PO5 Manage the IT investment.
• PO6 Communicate management aims and direction.
• PO7 Manage IT human resources.
• PO8 Manage quality.
• PO9 Assess and manage IT risks.
• PO10 Manage projects.
Acquire and Implement
• AI1 Identify automated solutions.
• AI2 Acquire and maintain application software.
• AI3 Acquire and maintain technology infrastructure.
• AI4 Enable operation and use.
• AI5 Procure IT resources.
• AI6 Manage changes.
• AI7 Install and accredit solutions and changes.
Deliver and Support
• DS1 Define and manage service levels.
• DS2 Manage third-party services.
• DS3 Manage performance and capacity.
• DS4 Ensure continuous service.
• DS5 Ensure systems security.
• DS6 Identify and allocate costs.
• DS7 Educate and train users.
• DS8 Manage service desk and incidents.
• DS9 Manage the configuration.
• DS10 Manage problems.
• DS11 Manage data.
• DS12 Manage the physical environment.
• DS13 Manage operations.
Monitor and Evaluate
• ME1 Monitor and evaluate IT performance.
• ME2 Monitor and evaluate internal control.
• ME3 Ensure compliance with external requirements.
• ME4 Provide IT governance.

COBIT 5

ITG Framework
• COBIT: IT control objectives
• ITIL: IT infrastructure, service and operation management
• ISO 27001: Information security management
• PMBoK: Program and project management