Getting to Grips with CobiT
– Enterprise Architecture, a conceptual approach to IT Governance, or how to understand the difference between IT Governance and IT Management
Who am I?
Jan Bjørnsen: Working with this for nearly 20 years. In-depth skills and knowledge in IT Governance, Information Security, counselling and negotiation/contracting.
Author of «Slik får du IT-styring og kontroll», Universitetsforlaget
1: IT Governance and IT Management
The Straw Model
• You need a “Modus Operandi” that will focus on IT Governance and IT Management, and I will give a brief presentation of the Straw Model to put everything into perspective.
– We will look at Administrative, non-technical issues vs. Operational, technical activities
– And the balance between Governing Documents vs. Dynamic documents like guidelines, procedures etc.
• Some different sketches....
Frameworks and standards – an overview
(Diagram: ISO 38500, COSO, COBIT, ITIL v2.5, ITIL v3, ISO 20001, ISO 2700x, ISO 900x, Common Criteria)
What do we want…
(Diagram axes: Dynamic vs. Static; Administrative, Non-technical vs. Operative, Technical)
Straw Model of Architecture
(Diagram layers: Vision; Policy; Governance Architecture Principles; Strategy; Valued Deliveries; IT/IS Implementation; ITIL/ISO functions; Guidelines; Risk Management; Internal ”self-control”; Continuity/Cobit processes; Assessments etc.; Plans; Monitor, Responsibility, Roles, Report; Cobit Processes; Procedures; Plan; Detailed ”workbook”)
Straw Model for Security Architecture
(Diagram layers: Vision; Policy; Principles; Strategy; Guidelines; Security Architecture; Information security Implementation; IT/IS Security Functions; Data Recovery Guidelines; IT Operations; Contingency/Continuity Plans; Terror Guidelines; Physical Security; Perimeter security Guidelines; Fraud, Internal/External Guidelines; Personnel Security; HSE/Staff Guidelines; Internal control; Cobit processes; Monitor, Responsibility, Roles, Processes, Report; Procedures; Workbook; Instructions)
IT Governance
(Diagram: IT Governance; IT Services Governance; Resource Management)
Governance vs. Management
• IT strategy
• Organisational potential
• Architecture building
• Process management
• Process Implementation
• Operative IT security
• Manage Infrastructure
• Manage Networks
• Incident/Problem handling
• ITIL
IT Services Governance
• Action-based monitoring
• Incident/Problem handling
• Implement Self Control
Resource Management
• Personnel Management
• Infrastructure
• Applications
• Systems
• BIA, Criticality Assessments
• Risk Analysis
• Contingency Plans
• Security Standards ISO 2700x
IT Governance vs. IT Management
IT Governance:
• Inhouse expertise
• Accountability
• „Provide“ responsibility
• „Supervise“ responsibility
IT Management:
• Outsourced expertise
• Responsibility
• „Execute/maintenance“ responsibility
”The Triangle of Responsibility”
• ”Provide”-responsibility: «Accountable» in RACI; Governance/Inhouse Responsibility
• ”Supervise”-responsibility: «Consulted/Informed» in RACI; Evaluates Control Design
• ”Execute”-responsibility: «Responsible» in RACI; Management/Outsourced Responsibility; Self Assurance; Internal Control
Cobit – a de facto standard
(for IT governance, security, assurance, audit etc.)
• Cobit as a tool has matured since its introduction in 1996 and is today well adapted for understanding, controlling and measuring IT. It covers many facets today:
– It is a tool for the CIO for governance and control
– It is a tool for the IT Auditor for assurance
– It is a tool to build a good Control Design
– It is a tool for measuring compliance and maturity
– It is a tool for Security officers.
Cobit – Different views
Cobit and ITIL
Practical use of CobiT
Security Architecture and The Straw Model
• Information security and other security functions can use the Straw Model to put everything into perspective.
• How to create governing documents
• How to present a strategy for implementation
• Creating Dynamic documents like security guidelines, implementing security in procedures etc.
• Different samples.....
Straw Model of Architecture by Cobit
(Diagram: Straw Model for Security; Straw Model of Architecture by Architecture organisation; the layers repeat those of the Straw Model for Security Architecture, from Vision and Policy down to Procedures, Workbook and Instructions)
Sample of documents
• Principles of Information Security
• Security Guidelines
• Control activity defined in processes
As an example of the 5 IT Governance areas, I have chosen Risk Management for presentation purposes.
Do Risk Assessment and a Maturity Mapping
• Based on requirements in your SLA you need to know the Criticality of each system to ensure your Continuity plan covers the right systems (Example: SmartRisk Access database)
• You also need to know how mature your organisation is related to Cobit (Example: process DS 4 Ensure Continuous Services, RACI chart Excel)
Risk – the CISM manual has a good description of operational risk
• Facilities and operational environment risk
• HSE risk
• Information Security risk
• Control Framework risk
• Legal and regulatory Compliance risk
• Corporate Governance risk
• Technology risk
• Project management risk
• Crime and fraud risk
• Personnel risk
• Supplier risk
• Information management risk
• Reputation risk
• Strategic risk
• Process and attitude risk
• Ethical risk
• Geopolitical risk
• Cultural risk
• Climate and weather risk
Contingency
– on its own or as a part of the security architecture
What are your goal(s)?
• Contingency/Continuity
How to incorporate IT Continuity and IT Disaster Recovery plans into the architecture “Straw Model”, with a sample layout and a detailed description of time slot activities, Incident Response Teams, Disaster Recovery Teams, Instructions and decision Gates to move through all phases of a critical situation.
• You need to understand the different levels of Continuity.
– Backup/Restore
– Continuity plans
– IT Disaster Recovery Plans
– Business Continuity Plans
• You also need to know how mature your organisation is related to Cobit process DS 4 Ensure Continuous Services
Our Framework
Methodology
• Contingency plan
• BCP – Business Continuity Plan
– (Using ISACA’s principles)
• DRP – Disaster Recovery Plan
– (Using CobiT’s Continuity process)
The first critical phases can be solved by using an Incident Response Team.
• Example (must be based on your SLA and Criticality Assessments):
– T1: Critical Timeslot for FIRST DECISION POINT is 40 minutes
– T2: Timeslot for SECOND DECISION POINT is 60 minutes (1 hour)
– T3: Timeslot for THIRD DECISION POINT is 120 minutes (2 hours)
Contingency
If your Continuity plan does not solve the problem you must escalate. The IT Disaster Recovery Plan and BCP have 8 phases:
• 1 The Notification phase
– First (1) point of decision (further notification of IRT, or “all clear/no danger”, or move to second decision point directly)
• 2 The Overview phase
– Second (2) point of decision (establish Disaster Management Team or decide “all clear/no danger”)
• 3 The Response phase
• 4 The Activity phase
• 5 The Establishing phase
– Third (3) point of decision (establish operation/production or further escalation)
• 6 The Operation phase
– Fourth (4) point of decision (transition to standard operation or keep the alternate operation)
• 7 Return to Normal Operation phase
• 8 The Termination phase
– Fifth (5) point of decision (wind up the Disaster Management Team and re-establish normal operation)
Sample of documents
• Contingency Principles
• Incident Response Team Authorisation Letter
• Continuity plan
• IT Disaster Recovery Plan
• Business Continuity Plan
Questions
Contact Information
Jan Bjørnsen
Scandinavian Business Security Ltd.
Mob: +47 90 18 18 64
E-mail: [email protected]
Web: www.sbsec.com