COBIT 5: Using or Abusing It
Dr. Derek J. Oliver, Ravenswood Consultants Ltd.
(PowerPoint presentation)
Uploaded On 2019-11-03
Presentation Transcript

COBIT 5: Using or Abusing It
Dr. Derek J. Oliver, Ravenswood Consultants Ltd.

Why me?
Derek J. Oliver
- Certified Information Systems Auditor
- Certified Information Security Manager
- Certified in Risk & Information Systems Control
- Chartered IT Professional
- Fellow of the British Computer Society
- Fellow of the Institute of IT Service Management
- Member of the Institute of Information Security Professionals
- 35+ years in the Profession [. . . with a PhD and DBA to follow an MSc]
- Past President, ISACA London Chapter
- Past Member, CISA Certification Board
- Past Member, CISA Test Enhancement Committee
- Founding Chair, CISM Test Enhancement Committee
- Chair, BMIS Development Committee
- Co-Chair, COBIT 5 Task Force
- Former Member, ISACA Framework Committee

This evening's content . . .
- Where we're at: COBIT 5 in 2014
- What has COBIT 5 given to the Enterprise?
- What is still missing!
- How has COBIT 5 helped?
- Why COBIT 5 is important: to Governance, to Management

A reminder of the COBIT 5 Objectives
ISACA Board of Directors: "Tie together and reinforce all ISACA knowledge assets with COBIT."
- Provide a renewed and authoritative governance and management framework for enterprise information and related technology, linking together and reinforcing all other major ISACA frameworks and guidance including: Val IT, Risk IT, BMIS, ITAF, Board Briefing, Taking Governance Forward
- Connect to other major frameworks and standards in the marketplace (ITIL, ISO standards, etc.)

The Evolution of COBIT
- 1996: COBIT 1 - Audit
- 1998: COBIT 2 - Control
- 2000: COBIT 3 - Management
- 2005/7: COBIT 4.0/4.1 - IT Governance
- 2012: COBIT 5 - Governance of Enterprise IT
Alongside: Val IT 2.0 (2008), Risk IT (2009), BMIS (2010)

The Lens Concept
The Eye of the Beholder: what are you looking for?
- COBIT 5 Framework
- COBIT 5 Enabling Processes
- COBIT 5 Enabling Information
- Implementation Guide
- COBIT 5 PAM
- Practitioner Guides: COBIT 5 for Infosec, COBIT 5 for Assurance, COBIT 5 for Risk, COBIT 5 for ?, COBIT 5 for ?
- COBIT 5 Toolkit
- Links to other Standards, Frameworks, Guidelines etc., e.g. ISO, ITIL, National Standards

The COBIT 5 Principles
- COBIT 5 is used to address specific needs
- COBIT 5 integrates governance of enterprise IT into enterprise governance
- COBIT 5 integrates all existing frameworks, standards etc.
- COBIT 5 supports a comprehensive governance and management system for enterprise IT and Information
- The COBIT 5 framework makes a clear distinction between governance and management

COBIT 5 Enablers

COBIT 5 in 2014
COBIT 5 was initially in 3 volumes in April, 2012:
- Framework - Free Download
- Enabling Processes - Free to Members
- Implementation Guide - Free to Members
Later additions:
- COBIT 5 Process Assessment Model - Free to Members
- COBIT 5 for Information Security
- COBIT 5 for Assurance
- COBIT 5 for Risk
- COBIT 5 Enabling Information
- COBIT 5 Online

Enterprise Benefits of the Principles
- The Stakeholder Concept: helps everyone involved to focus on the job in hand
- The end-to-end Concept: helps to look at an issue across the Enterprise
- The single, integrated framework: simplifies the approach to governance & management
- The holistic approach: enables the Enterprise (and its problems) to be viewed as a whole
- Separating Governance & Management: directs responsibility within the Enterprise

Enterprise Benefits of the Enablers
- Principles, Policies & Frameworks: focus on the basic infrastructure of both Governance & Management
- Processes: gives a structure to any view of the Enterprise
- Organisational Structures: supports enterprise growth & development
- Culture, Ethics & Behaviors: reminds the Enterprise of the impact of "People"!
- Information: helps everyone to understand the real meaning of the word!
- Services, Infrastructure & Applications: puts these aspects in their place in supporting Stakeholder needs
- People, Skills and Competencies: directs the Enterprise again at the importance of its People

What's Missing? . . . MY OPINION
Enabling: Culture, Ethics & Behavior
- Greater insight into the impact on the Enterprise of failing to pay attention to these important factors
- Currently covered by the BMIS "Implementing a Culture of Security" publication
Enabling: Principles, Policies & Frameworks
- OK, not easy to write as a "Global" publication
- More detail on what constitutes a "good" Policy etc.
- Minimum requirements & expectations
- Distribution, Training & Maintenance

COBIT 5 for Information Security
Provides guidance to help IT and security professionals understand, utilize, implement and direct important information security-related activities, and make more informed decisions while maintaining awareness about emerging technologies and the accompanying threats, and:
- Reduce complexity and increase cost-effectiveness
- Increase user satisfaction with information security arrangements and outcomes
- Improve integration of information security
- Inform risk decisions and risk awareness
- Reduce information security incidents
- Enhance support for innovation and competitiveness
Leverages the COBIT 5 framework through a security lens. It is the only security framework that integrates other major frameworks and standards.

Has it helped?
- As a derivative from BMIS, it has expressed the concepts of the holistic approach to security and the need to avoid "Silo Thinking"
- Provides greater, more detailed explanations of the security needs of Stakeholders and of each Enabler's relationship to Information Security
- Gives good advice, illustrated by models, on how to implement and maintain a good security infrastructure
- Focuses on Business Information, not simply IT, and covers:
  - Business Model for Information Security (BMIS) - ISACA
  - Standard of Good Practice for Information Security (ISF)
  - ISO/IEC 27000 Series
  - NIST SP 800-53a
  - PCI-DSS

COBIT 5 for Assurance
- Lets assurance professionals leverage COBIT 5 when planning and performing assurance reviews, which unifies an organization's business, IT and assurance professionals around a common framework, objectives and vocabulary, making it easier to reach consensus on any needed control improvements.
- Provides a roadmap built from well-accepted assurance approaches that enable assurance professionals to effectively plan, scope and execute IT assurance initiatives, navigate increasing technology complexity, and demonstrate strategic value to IT and business stakeholders

Has it helped?
- Provides guidance on how to use the COBIT 5 framework to establish and sustain assurance provisioning and an assurance function for the enterprise
- Provides a structured approach on how to provide assurance over enablers (all of COBIT 5's defined enablers, e.g., processes, information, organisational structures)
- Illustrates the structured approach with a number of concrete examples of assurance programmes
- Assurance providers can rely on the consistency, structure, context and vocabulary of the COBIT 5 framework and its related products
- Helps the Enterprise Assurance Professionals to express observations, findings, conclusions and recommendations in a structured language
- Gives advice on setting up and managing the Assurance function as well as approaching assurance projects
- Like Information Security, it was written by Assurance Professionals under the management of a Task Force

COBIT 5 for Risk
Defines IT risk as the business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise.
Provides:
- Stakeholders with a better understanding of the current state and risk impact throughout the enterprise
- Guidance on how to manage the risk to levels, including an extensive set of measures
- Guidance on how to set up the appropriate risk culture for the enterprise
- Guidance on risk assessments that enable stakeholders to consider the cost of mitigation and the required resources against the loss exposure
- Opportunities to integrate IT risk management with enterprise risk
- Improved communication and understanding amongst all internal and external stakeholders

Has it helped?
- Guidance on how to use the COBIT 5 framework to establish the risk governance and management function(s) for the enterprise
- Guidance and a structured approach on how to use the COBIT 5 principles to govern and manage IT risk
- A clear understanding of the alignment of COBIT 5 for Risk with other relevant standards
- End-to-end guidance on how to manage risk
- A common and sustainable approach for assessment and response
- Like the other Practitioner Guides, it was managed by a Task Force . . . . but:
  - The Task Force only met TWICE as a group
  - No interim documents were provided for comment
  - The concept of Inherent Risk was ignored and (on my protest) was covered by the statement "COBIT 5 for Risk does not use this concept."

COBIT 5: Enabling Information
A reference guide that provides a structured way of thinking about information governance and management issues in any type of organization. This structure can be applied throughout the life cycle of information, from conception and design, through building information systems, securing information, using and providing assurance over information, and to the disposal of information.

Has it helped?
Provides Enterprises with:
- A comprehensive information model that comprises all aspects of information including:
  - Stakeholders, goals (quality)
  - Life cycle stages
  - Good practices (information attributes)
- Guidance on how to use an established governance and management framework (COBIT 5) to address common information governance and management issues such as:
  - Big data
  - Master data management
  - Information disintermediation
  - Privacy
- An understanding of the reasons and criticality that information needs to be managed and governed in an appropriate way

COBIT 5 Online
- A multi-phase initiative by ISACA to address a wide variety of member needs for accessing, understanding and applying the COBIT 5 framework.
- The primary objective of this inaugural version was to provide access to the latest news and insights and easy access to online versions of COBIT 5 publications.
- A consolidated, comprehensive resource center for governance and management of enterprise IT.
- Unlike a printed book or PDF, the platform offers dynamic content and helps to increase the utility of COBIT and its family of products.

Has it helped?
Too early to say, but CobiT 4.1 Online was popular and well used so . . . .

Process Assessment Model
- Provides a basis for assessing an enterprise's processes against COBIT 5.
- Evidence-based, to enable a reliable, consistent and repeatable way to assess IT process capabilities
- Helps IT leaders gain C-level and board member buy-in for change and improvement initiatives
- Follows standard audit/assurance approaches but provides considerably more "granularity" than Capability Maturity Models
- Comes as a Model, a Programme, and Self-Assessment and Assessor Guides (4 publications)

Has it helped?
- Excellent guide for Auditors & other Assurance Professionals
- Explains how to assess compliance with the COBIT 5 Processes
- Provides a clear compliance statement that highlights failures and attracts the attention of the "Governance Body" as well as senior management
- Very useful publication!

COBIT 5 Related Pub's
COBIT 5-Related Guides:
- COBIT 5 Principles: Where Did They Come From? (white paper)
- Controls and Assurance in the Cloud: Using COBIT 5 (book)
- Relating the COSO Internal Control—Integrated Framework and COBIT (white paper)
- Vendor Management: Using COBIT 5 (book)
- Securing Mobile Devices Using COBIT 5 for Information Security (book)
- Transforming Cybersecurity: Using COBIT 5 (book)
- Configuration Management Using COBIT 5 (book)
- RBI Guidelines Mapping With COBIT 5 (India WP)
- Securing Sensitive Personal Data or Information Under India's IT Act Using COBIT 5 (India WP)