What Does COBIT Stand For? - PowerPoint PPT Presentation

Title: What Does COBIT Stand For?
Author: S.W.I.F.T.
Last modified by: Vernon Poole
Created Date: 9/27/1998 5:51:56 PM
Document presentation format: PowerPoint PPT presentation
Transcript and Presenter's Notes
1
Information Governance & the IT Auditor
Vernon Poole
ISACA London Chapter, 26 September 2002
2
Information Governance - Presentation Objective
This session will show how the Information Governance framework has developed, how the IT Governance Institute is now working on ways to best convince organisations to adopt best practice, and the role IT auditors need to play.
3
Information Governance
Agenda
  • THE CURRENT IT DILEMMA
  • IT'S RECORD OF ACHIEVEMENT
  • INFORMATION GOVERNANCE BENEFITS
  • GOVERNANCE FOCUS BY -
    • BOARD
    • MANAGEMENT
    • IT AUDITOR
  • CONCLUSIONS

4
1. CURRENT IT DILEMMA
6
2. IT'S RECORD OF ACHIEVEMENT?
[Chart panels: (A) Market Value; Projects; (C) Project Management; (D) Performance Measurement]
From 2001 surveys by Brookings Institute, Standish Group and Acadys
7
2. IT'S RECORD OF ACHIEVEMENT (CONTD)
[Diagram labels: Personal visual contact; Uncertainty, Complexity & Growth]
"IT has been the longest running disappointment in business in the last 30 Years!" - Jack Welch, Chairman, General Electric, World Economic Forum, Davos, 1997
9
3. INFORMATION GOVERNANCE BENEFITS
RELIABLE INFORMATION & TRUSTED SYSTEMS
  • Guarantee of Quality
  • Trading Partner Assurance
  • Customer Loyalty
  • Security Assurance
  • Reputation Enhancement
  • Sustainable Growth

10
3. INFORMATION GOVERNANCE BENEFITS
Information Governance
  • GOVERNANCE/CONTROL
  • TAKE STAKEHOLDER VALUE INTO ACCOUNT
  • GIVE DIRECTION TO THE PROCESSES
  • ENSURE THEY PROVIDE RESULTS
  • ENSURE THEY ACT ON THE RESULTS
  • GET RESULTS AND CHALLENGE THEM

12
4. INFORMATION GOVERNANCE FOCUS
WHAT SHOULD BOARDS DO ABOUT IT?
  • Be driven by stakeholder value
  • Adopt an information governance framework
  • Ask the right questions
  • Focus on its
    • Strategic alignment
    • Value delivery
    • IT asset management
    • Risk management
  • Measure results

13
MARKET ANALYSTS' VIEW OF IT PRIORITIES 2002
1. Strategic Alignment
ALIGNING WITH THE BUSINESS AND COLLABORATIVE SOLUTIONS
  • Aligning IT with the business and its goals
  • Providing a flexible, integrated information infrastructure to support the business strategy
  • Instituting cross-functional collaborative information systems
  • Being an agent of change, enabling business transformation
  • Educating and connecting with the Boardroom
  • Effectively communicating with IS users.

14
MARKET ANALYSTS' VIEW OF IT PRIORITIES 2002
2. Value Delivery
FOCUS ON COSTS, BENEFITS AND PROOF OF VALUE
  • Cost-optimisation
  • ROI for IT and its bottom-line impact
  • Total cost of ownership (TCO) of IT services
  • Quality and effectiveness of enterprise-wide service delivery
  • Keeping users and managers satisfied
  • Proving the value of IT.

15
MARKET ANALYSTS' VIEW OF IT PRIORITIES 2002
3. IT Asset Management
KNOWLEDGE, INFRASTRUCTURE AND PARTNERS
  • Selective outsourcing of non-core processes to trusted suppliers
  • Leveraging knowledge and skills
  • Providing an integrated, economical IT infrastructure where new technology is judiciously introduced and obsolete systems updated or replaced
  • Availability, training, retention and competence of key IT personnel

16
MARKET ANALYSTS' VIEW OF IT PRIORITIES 2002
4. Risk Management
SAFEGUARDING ASSETS AND DISASTER RECOVERY
  • Establishing IT security to safeguard assets and enabling business recovery from IT failures
  • Providing privacy and resilience
  • Establishing trust in services and partners
  • Managing internal threats of misuse and errors and external threats from deliberate attacks, as well as from market volatility and the pace of change.

17
OUR VIEW OF IT PRIORITY NO. 5
NONE OF THESE DOMAINS
  • Strategic Alignment
  • Value Delivery
  • IT Asset Management
  • Risk Management
CAN BE PROPERLY MANAGED WITHOUT
5. Performance Measurement
18
IT GOVERNANCE INSTITUTE OFFERINGS
1. Board Briefing 2001 (35,000 downloads in 7 months)
2. CEO Guide 2002
3. IT Strategy Committee Guide 2002
19
4. INFORMATION GOVERNANCE FOCUS
WHAT SHOULD MANAGEMENT DO ABOUT IT?
  • Align IT strategy with business goals
  • Cascade strategy and goals down into the organization
  • Set up organizational structures that facilitate strategy implementation
  • Adopt a control and security governance framework
  • Provide IT infrastructures that facilitate creation and sharing of business information
  • Embed responsibilities for risk management in the organization
  • Focus on important IT processes and core IT competencies
  • Measure performance (balanced business scorecard)

20
WHAT SHOULD MANAGEMENT DO ABOUT IT? ADOPT GLOBAL BEST PRACTICE
1. CobiT3 & CobiT4 - An IT Control Framework
21
CobiT - An IT control framework
  • Starts from the premise that IT needs to deliver the information that organisations need to achieve their objectives.
  • Promotes process focus and process ownership
  • Divides IT into 34 processes belonging to 4 domains and provides a high level control objective for each domain:
    • Planning
    • Acquiring & Implementing
    • Delivery & Support
    • Monitoring
  • Looks at fiduciary, quality and security needs, and provides 7 information criteria that can be used to define what the organisation requires from IT:
    • Effectiveness
    • Efficiency
    • Availability
    • Integrity
    • Confidentiality
    • Reliability
    • Compliance
  • Supported by 300 detailed control objectives

22
CobiT3 Achievements - added a governance layer
Key Goal Indicators
  • a measure of the outcome of the process
  • a measure of "what"
  • indicator of business contribution
Key Performance Indicators
  • a measure of "how well" the process is performing
  • must help in improving the process
Critical Success Factors
  • the most important things to do
  • observable and measurable
  • leverage capability, skills and behaviour
23
CobiT4 Strategy
24
CobiT4 - Product Structure
Practices & Responsibilities
Executives & Boards
  • Performance measures
  • Critical success factors
  • Maturity models

Business and Technology Management
Audit, control and security professionals
25
The Maturity Levels
  • Most senior officers (in ISACA's database), from 800 Fortune 500 and significant government entities
  • 146 responses for 205 entities 17.5

26
CobiT4 - Maturity Benchmark
27
Average IT Governance Maturity Levels
28
CobiT4 - Implementation Guide
MATURITY PROFILE
IT CONTROL DIAGNOSTIC
GAP ANALYSIS
ROADMAP
29
CobiT4 - CobiTOnline
30
CobiT4 - CobiTOnline
31
CobiT4 - CobiTlite
Early stages
  • difference in control environment
  • preselection of processes & objectives
  • 15 most important processes
  • 318 COs down to 90 plus 15 simplified
  • simple presentation form
  • brainstorm approach

The 15 processes:
  • PO1 define strategic IT plan
  • PO3 determine technological direction
  • PO5 manage the IT investment
  • PO9 assess risks
  • PO10 manage projects
  • AI1 identify solutions
  • AI2 acquire & maintain applications s/w
  • AI5 install and accredit systems
  • AI6 manage changes
  • DS1 define service levels
  • DS4 ensure continuous service
  • DS5 ensure system security
  • DS10 manage problems and incidents
  • DS11 manage data
  • M1 monitor the processes

Control environment differences:
  • short communications path
  • effective span of control
  • simple command structure
  • less build, more buy
  • less complex IT infrastructure
  • less savvy about IT
  • take more risk
  • strong profit orientation
  • less segregation
  • less IT capabilities
32
CobiT4 - IT Control Practices
Deliverable: Integration with CobiTlite and Implementation Guide
33
CobiT4 - CobiTlite
Early stages
34
WHAT SHOULD MANAGEMENT DO ABOUT IT? ADOPT GLOBAL BEST PRACTICE
2. ISO 17799 - An Information Security Framework
35
ISO 17799 - IS Best Practice
1. Became an ISO Standard in December 2000
2. Adopted by IT Governance Institute in its Information Security Governance booklet - 2001
3. It is the second best selling ISO Standard - gaining global appeal
4. The standard is becoming a contractual obligation - included in service level agreements
Therefore it is essential to doing business
36
ISO 17799 - IS Best Practice
Standard consists of two parts -
1. Part 1 Code of Practice - referred to as ISO 17799 - consists of 10 Guiding Principles covering strategic, operational & human issues
2. Part 2 Information Security Management System (ISMS) - BS7799-2 requires organisations to select which of the 127 controls are appropriate to them based on risk assessment (currently being revised)
37
ISO 17799 - IS Best Practice
1. Information Security Policy
2. Security Organisation
3. Asset Classification/Control
4. Personnel Security
5. Physical/Environmental Security
6. Communications & Operations Management
7. System Access Control
8. Systems Development/Maintenance
9. Business Continuity Management
10. Compliance
38
ISO 17799 - IS Best Practice
It is therefore imperative that organisations benchmark themselves against best practice and assess any gaps in their Information Security to protect against either internal or external threats that could jeopardise the reliability of information. The standard also ensures that detailed policies and procedures are established & creates an Information Security culture.
39
ISO 17799 - IS Best Practice
Current studies show that organisations who obtain 7799 certification are being respected as reputable & trusted. Future transactions can be conducted in the knowledge that information security risks are being effectively managed. Information Security is therefore an essential ingredient to sustainable growth & acts as a market differentiator.
40
4. INFORMATION GOVERNANCE FOCUS
WHAT SHOULD IT AUDITORS CONSIDER?
  • Obtain an understanding about IT Governance
  • Get the Board and Management to focus on the issues and their responsibilities
  • Recommend the adoption of an IT control and governance framework, such as CobiT & ISO 17799
  • Set up organizational structures that facilitate a strategic implementation of such a framework
  • Measure your own performance (Balanced Business Scorecard)

41
WHY SHOULD IT AUDITORS CARE?
  • IT is integral and critical to the business
  • Shareholders are holding Boards accountable
  • Boards are holding management responsible
  • An immense shift from tangible to intangible
    assets, the majority of the latter being
    information
  • Boards and management will look for support to
    obtain assurance about the cost, return and risk
    of IT to the business

42
IT Governance
Agenda
  • THE CURRENT IT DILEMMA
  • IT'S RECORD OF ACHIEVEMENT
  • INFORMATION GOVERNANCE BENEFITS
  • IT GOVERNANCE FOCUS BY -
    • BOARD
    • MANAGEMENT
    • IT AUDITOR
  • CONCLUSIONS

43
Why get into Information Governance?
  • Due diligence
  • IT involves huge investments and large risk
  • Expectations and reality don't match
  • IT is critical & strategic to the business
  • IT does not get the attention it deserves
  • Information Governance driven by IT will give you Competitive Advantage

44
IT is strategic to most organisations
  • If so, don't you want to know if your IT Department is
    • Likely to achieve its objectives?
    • Resilient enough to learn and adapt?
    • Judiciously managing the risks it faces?
    • Appropriately recognising opportunities and acting upon them?
  • Why has IT not been addressed?
    • requires more technical insight
    • treated as separate entity
    • IT is complex

45
IT Balanced Scorecard
46
IT Balanced Scorecard
  • Objectives
    • Demonstrate the value added by the IT Organization
    • Determine the effectiveness of the IT Organization
    • Set guidelines for the IT Strategic plan
    • Communicate and motivate about IT performance
    • Establish IT Management reporting
  • Key result
    • The most effective means to achieve IT and Business alignment
  • Critical success factor
    • Approval of the IT Scorecard by key stakeholders

47
Information Governance Framework
48
Information Governance Toolkit
49
Information Governance Lifecycle
  • Reputation for trust & reliability
  • Increased market share
  • Increased revenues & reduced costs
  • Competitive advantage
  • Improved service delivery
  • Legal & Regulatory Compliance
50
Information Governance
Thank you! Any Questions?
Vernon Poole
IT Governance Institute, 3701 Algonquin Road, Suite 1010, Rolling Meadows, IL 60008, USA
Tel: 1.847.253.1545
info@isaca.org
www.isaca.org
www.ITgovernance.org