COBIT 4.0.


Description
COBIT 4.0 - 2005. 4.0 is a redesign of third version better mapping to business objectives, ... November/2006 COBIT FMI Seminar Slide 12. Business Requirements = Information Criteria ...
Transcripts
Slide 1

COBIT 4.0 WHAT YOU NEED TO KNOW Howard DuBois, CISA howard@hallux.ca

Slide 2

Objectives
* Review the structure and substance of COBIT
* Assess the challenges for IT management
* Explore the impact of a successful implementation of COBIT on application owners

Slide 3

What is COBIT? COBIT is a highly respected IT Governance framework produced and supported by the IT Governance Institute (ITGI). COBIT 4.0 is the latest release of this model.

Slide 4

What Does COBIT Stand For? Control OBjectives for Information and related Technology

Slide 5

Why is COBIT Important? Some interesting questions:
* Why are "control objectives" important to application owners and users?
* What is the history behind COBIT?
* Where does IT Governance fit in?

Slide 6

COBIT's History
* COBIT started as a control model for IT auditors, hence control objectives for IT organizations and operations.
* At some point, somebody realized that if the model was good enough for the auditor to measure IT control and effectiveness, it was good enough for management.
* This became a "management framework" when it was realized that good control required the implementation of best practices.

Slide 7

COBIT's History
* Control Objectives produced as an audit product by EDPAF in the early 1990's
* COBIT 1st edition - 1996
* COBIT 2nd edition - 1998: first reference to management, and to COBIT as a set of best practices for IT management
* COBIT 3rd edition - 2000: first reference to ITGI; first reference to management guidelines

Slide 8

COBIT's History
* COBIT 4.0 - 2005: 4.0 is a redesign of the 3rd edition, with better mapping to business objectives and further development of the maturity models
* COBIT On-Line introduced
* During the process, other products were issued: Control Practices - 2004 - a more detailed analysis of individual practices considered to be best practices

Slide 9

Purpose of COBIT
* Provide generally applicable and accepted Standards for Good Practices for Information and Information Technology (IT) Control
* Based on a management-oriented Framework for Control in IT
* Aligned with De Jure and De Facto Standards and Regulations
* Create a clear and consistent structure

Slide 10

The Pieces of COBIT
* Exec Summary - Senior Executives (CEO, CIO) - 16 pages
* Framework - Senior Operational Management (Directors of IT and IS Audit/Controls) - 68 pages
* Control Objectives - Middle Management (IT Management and IS Audit/Controls Managers/Seniors) - 148 pages
* Audit Guidelines - Line Management and Controls Practitioner (Applications or Operations Manager and Auditor) - 226 pages
* Management Guidelines - Senior Operational Management, Director of IS, Mid-Level IT Management and IT Audit/Control Managers - 122 pages
* Implementation Tool Set - Director of IS and Audit/Control, Mid-Level IS Management and IS Audit/Control Managers - 86 pages

Slide 11

The Framework's Principles: Business Requirements, IT Processes, IT Resources

Slide 12

Business Requirements = Information Criteria
* Quality Requirements: Quality, Cost, Delivery
* Fiduciary Requirements (COSO Report): Effectiveness and Efficiency of Operations; Reliability of Financial Reporting; Compliance with Laws and Regulations
* Security Requirements: Confidentiality, Integrity, Availability

Slide 13

Information Technology Resources
* Data: objects in their widest sense, i.e., external and internal, structured and non-structured, graphics, sound, etc.
* Application Systems: application systems are understood to be the sum of manual and programmed procedures.
* Technology: technology covers hardware, operating systems, database management systems, networking, multimedia, etc.
* Facilities: resources to house and support information systems.
* People: staff skills, awareness and productivity to plan, organize, acquire, deliver, support and monitor information systems and services.

Slide 14

The Framework's Principles

Slide 15

IT Domains & Processes
* Domains: a natural grouping of processes, often matching an organizational domain of responsibility.
* Processes: a series of joined activities with natural (control) breaks.
* Activities: actions needed to achieve a measurable result. Activities have a life cycle, whereas tasks are discrete.

Slide 16

CONTROL OBJECTIVES: The DOMAINS
* Planning & Organization
* Acquisition & Implementation
* Delivery & Support
* Monitoring

Slide 17

Planning and Organization
* Define a Strategic IT Plan
* Define the Information Architecture
* Determine Technological Direction
* Define the IT Organization and Relationships
* Manage the IT Investment
* Communicate Management Aims and Direction
* Manage Human Resources
* Ensure Compliance with External Requirements
* Assess Risks
* Manage Projects
* Manage Quality

Slide 18

Acquisition and Implementation
* Identify Automated Solutions
* Acquire and Maintain Application Software
* Acquire and Maintain Technology Infrastructure
* Develop and Maintain Procedures
* Install and Accredit Systems
* Manage Changes

Slide 19

Delivery and Support
* Define and Manage Service Levels
* Manage Third-Party Services
* Manage Performance and Capacity
* Ensure Continuous Service
* Ensure Systems Security
* Identify and Allocate Costs
* Educate and Train Users
* Assist and Advise Customers
* Manage the Configuration
* Manage Problems and Incidents
* Manage Data
* Manage Facilities
* Manage Operations

Slide 20

Monitoring
* Monitor the Processes
* Assess Internal Control Adequacy
* Obtain Independent Assurance
* Provide for Independent Audit

Slide 21

IT Process Overview: 1.0 Define a Strategic IT Plan. The IT function should ensure that there are IT long- and short-range plans for managing and directing all IT resources of the organization. These plans should be updated in a timely and accurate manner to suit changes in IT conditions. Assessments of existing systems should be performed before developing or changing the strategic IT plan. Furthermore, IT management should ensure that the strategic IT plan is consistent with the business objectives and the long- and short-range plans of the organization.

Slide 22

Linking to Control Objectives. Control over the IT process of DEFINING A STRATEGIC IT PLAN (PO-1) that satisfies the business requirement to strike an optimum balance of information technology opportunities and IT business requirements, as well as ensuring its further accomplishment, is enabled by a strategic planning process undertaken at regular intervals giving rise to long-term plans; the long-term plans should periodically be translated into operational plans setting clear and concrete short-term goals, and takes into consideration:
* enterprise business strategy
* definition of how IT supports the business objectives
* inventory of technological solutions and current infrastructure
* monitoring the technology watch markets
* timely feasibility studies and reality checks
* existing systems assessments
* enterprise position on risk, time-to-market, quality
* need for senior management buy-in, support and critical review

Slide 23

SUMMARY OF COBIT TO THIS POINT
* The Framework defines a construct for analyzing and managing IT.
* Four domains are identified.
* Within each domain there are processes - 34 in total.
* Within each process there are high-level IT control objectives defining the controls that should be in place.
* For each of the 34 processes, there are from 3 to 30 detailed IT control objectives.
* There are navigational tools, including a "waterfall" approach.
* A systematic and logical method for defining and communicating IT control objectives.

Slide 24

AUDIT GUIDELINES. The objectives of auditing are to:
* provide management reasonable assurance that control objectives are being met
* where there are significant control weaknesses, substantiate the resulting risks
* advise management on corrective actions

Slide 25

AUDIT GUIDELINES. The process is audited by:
* Obtaining an understanding of business requirements, related risks, and relevant control measures
* Evaluating the appropriateness of the stated controls
* Assessing compliance by testing whether the stated controls are working as prescribed, consistently and continuously
* Substantiating the risk of the control objectives not being met by using analytical techniques and/or consulting alternative sources

Slide 26

Audit Guidelines: 1 Generic Guideline, 34 Process-Oriented Guidelines. The generic guideline identifies the various tasks to be performed in auditing ANY control objective within a process. The others are specific, process-oriented task recommendations to give management assurance that a control is in place and working.

Slide 27

GENERIC AUDIT GUIDELINE: OBTAINING AN UNDERSTANDING. The audit steps to be performed to document the activities underlying the control objectives, as well as to identify the stated control measures/procedures in place.
* Interview appropriate management and staff to gain an understanding of: business requirements and related risks; organization structure; roles and responsibilities; policies and procedures; laws and regulations; control measures in place; management reporting (status, performance, action items)
* Document the process-related IT resources particularly affected by the process under review
* Confirm the understanding of the process under review, the Key Performance Indicators (KPI) of the process, and the control implications (e.g., by a process walk-through)

Slide 28

GENERIC AUDIT GUIDELINE: EVALUATING THE CONTROLS. The audit steps to be performed in assessing the effectiveness of the control measures in place, or the extent to which
