Dr. Derek J. Oliver Ravenswood Consultants Ltd. COBIT 5:Using or Abusing It
Why me? • Derek J. Oliver • Certified Information Systems Auditor • Certified Information Security Manager • Certified in Risk & Information Systems Control • Chartered IT Professional • Fellow of the British Computer Society • Fellow of the Institute of IT Service Management • Member of the Institute of Information Security Professionals • 35+ years in the Profession [ . . . . . with a PhD and DBA to follow an MSc] • Past President, ISACA London Chapter • Past Member, CISA Certification Board • Past Member, CISA Test Enhancement Committee • Founding Chair, CISM Test Enhancement Committee • Chair, BMIS Development Committee • Co-Chair, COBIT 5 Task Force • Former Member, ISACA Framework Committee
This evening’s content . . . • Where we’re at: COBIT 5 in 2014 • What has COBIT 5 given to the Enterprise? • What is still missing! • How has COBIT 5 Helped? • Why COBIT 5 is important: • To Governance • To Management
A reminder of theCOBIT 5 Objectives • ISACA Board of Directors: • “Tie together and reinforce all ISACA knowledge assets with COBIT.” • Provide a renewed and authoritative governance and management framework for enterprise information and related technology, linking together and reinforcing all other major ISACA frameworks and guidance including: Val IT Risk IT BMIS ITAF Board Briefing Taking Governance Forward • Connect to other major frameworks and standards in the marketplace (ITIL, ISO standards, etc.)
Governance of Enterprise IT IT Governance Evolution Management Control Audit COBIT1 COBIT2 COBIT3 COBIT4.0/4.1 COBIT 5 1996 1998 2000 2005/7 The Evolution of COBIT BMIS (2010) Val IT 2.0 (2008) Risk IT (2009) 2012
The Lens Concept The Eye of the Beholder: what are you looking for? COBIT 5 Toolkit Implementation Guide COBIT 5 Framework COBIT 5 Enabling Processes COBIT 5 Enabling Information COBIT 5 For Infosec COBIT 5 For Risk COBIT 5 For Assurance COBIT 5 For ? COBIT 5 For ? Practitioner Guides Links to other Standards, Frameworks, Guidelines etc e.g. ISO, ITIL, National Standards. COBIT 5 PAM
The COBIT 5 Principles COBIT 5 is used to address specific needs The COBIT 5 framework makes a clear distinction between governance and management COBIT 5 integrates governance of enterprise IT into enterprise governance COBIT 5 supports a comprehensive governance and management system for enterprise IT and Information COBIT 5 integrates all existing frameworks, standards etc
COBIT 5 in 2014 • COBIT 5 was initially in 3 volumes in April, 2012: • Framework – Free Download • Enabling Processes– Free to Members • Implementation Guide - Free to Members • COBIT 5 Process Assessment Model - Free to Members • COBIT5 for Information Security • COBIT 5 for Assurance • COBIT 5 for Risk • COBIT 5 Enabling Information • COBIT 5 Online
Enterprise Benefits of the Principles • The Stakeholder Concept • Helps everyone involved to focus on the job in hand • The end to end Concept • Helps to look at an issue across the Enterprise • The single, integrated framework • Simplifies the approach to governance & management • The holistic approach • Enables the Enterprise (and its problems) to be viewed as a whole • Separating Governance & Management • Directs responsibility within the Enterprise
Enterprise Benefits of the Enablers • Principles, Policies & Frameworks • Focus on the basic infrastructure of both Governance & Management • Processes • Gives a structure to any view of the Enterprise • Organisational Structures • Supports enterprise growth & development • Culture, Ethics & Behaviors • Reminds the Enterprise of the impact of “People”! • Information • Helps everyone to understand the real meaning of the word! • Services, Infrastructure & Applications • Puts these aspects in their place in supporting Stakeholder needs • People, Skills and Competencies • Directs the Enterprise again at the importance of its People
What’s Missing? . . . MY OPINION • Enabling: Culture, Ethics & Behavior • Greater insight into the impact on the Enterprise of failing to pay attention to these important factors • Currently covered by the BMIS “Implementing a Culture of Security” publication • Enabling: Principles, Policies & Frameworks • OK, not easy to write as a “Global” publication • More detail on what constitutes a “good” Policy etc. • Minimum requirements & expectations • Distribution, Training & Maintenance
COBIT 5 for Information Security • Provides guidance to help IT and security professionals understand, utilize, implement and direct important information security-related activities, and make more informed decisions while maintaining awareness about emerging technologies and the accompanying threats and: • Reduce complexity and increase cost-effectiveness • Increase user satisfaction with information security arrangements and outcomes • Improve integration of information security • Inform risk decisions and risk awareness • Reduce information security incidents • Enhance support for innovation and competitiveness • Leverages the COBIT 5 framework through a security lens. It is the only security framework that integrates other major frameworks and standards.
Has it helped? • As a derivative from BMIS, it has expressed the concepts of the holistic approach to security and the need to avoid “Silo Thinking” • Provides greater, more detailed explanations of the security needs of Stakeholders and of each Enabler’s relationship to Information Security • Gives good advice, illustrated by models, on how to implement and maintain a good security infrastructure • Focuses on Business Information not simply IT and covers: • Business Model for Information Security (BMIS)–ISACA • Standard of Good Practice for Information Security (ISF) • ISO/IEC 27000 Series • NIST SP 800-53a • PCI-DSS
COBIT 5 for Assurance Lets assurance professionals leverage COBIT 5 when planning and performing assurance reviews, which unifies an organization’s business, IT and assurance professionals around a common framework, objectives and vocabulary making it easier to reach consensus on any needed control improvements. Provides a roadmap built from well-accepted assurance approaches that enable assurance professionals to effectively plan, scope and execute IT assurance initiatives, navigate increasing technology complexity, and demonstrate strategic value to IT and business stakeholders
Has it helped? • Provides guidance on how to use the COBIT 5 framework to establish and sustain assurance provisioning and an assurance function for the enterprise • Provides a structured approach on how to provide assurance over enablers (all of COBIT 5’s defined enablers, e.g., processes, information, organisational structures) • Illustrates the structured approach with a number of concrete examples of assurance programmes • Assurance providers can rely on the consistency, structure, context and vocabulary of the COBIT 5 framework and its related products • Helps the Enterprise Assurance Professionals to express observations, findings, conclusions and recommendations in a structured language • Gives advice on setting up and managing the Assurance function as well as approaching assurance projects • Like Information Security, it was written by Assurance Professionals under the management of a Task Force
COBIT 5 for Risk • Defines IT risk as the business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise. • Provides: • Stakeholders with a better understanding of the current state and risk impact throughout the enterprise • Guidance on how to manage the risk to levels, including an extensive set of measures • Guidance on how to set up the appropriate risk culture for the enterprise • Guidance on risk assessments that enable stakeholders to consider the cost of mitigation and the required resources against the loss exposure • Opportunities to integrate IT risk management with enterprise risk • Improved communication and understanding amongst all internal and external stakeholders
Has it helped? • Guidance on how to use the COBIT 5 framework to establish the risk governance and management function(s) for the enterprise • Guidance and a structured approach on how to use the COBIT 5 principles to govern and manage IT risk • A clear understanding of the alignment of COBIT 5 for Risk with other relevant standards • End-to-end guidance on how to manage risk • A common and sustainable approach for assessment and response • Like the other Practitioner Guides, it was managed by a Task Force . . . . but: • The Task Force only met TWICE as a group • No interim documents were provided for comment • The concept of Inherent Risk was ignored and (on my protest) was covered by the statement” COBIT 5 for Risk does not use this concept.”
COBIT 5: Enabling Information A reference guide that provides a structured way of thinking about information governance and management issues in any type of organization. This structure can be applied throughout the life cycle of information, from conception and design, through building information systems, securing information, using and providing assurance over information, and to the disposal of information.
Has it helped? • Provides Enterprises with: • A comprehensive information model that comprises all aspects of information including: • Stakeholders, goals (quality) • Life cycle stages • Good practices (information attributes) • Guidance on how to use an established governance and management framework (COBIT 5) to address common information governance and management issues such as: • Big data • Master data management • Information disintermediation • Privacy • An understanding of the reasons and criticality that information needs to be managed and governed in an appropriate way
COBIT 5 Online A multi-phase initiative by ISACA to address a wide variety of member needs for accessing, understanding and applying the COBIT 5 framework. The primary objective of this inaugural version was to provide access to the latest news and insights and easy access to online versions of COBIT 5 publications. A consolidated, comprehensive resource center for governance and management of enterprise IT. Unlike a printed book or pdf, the platform offers dynamic content and helps to increase the utility of COBIT and family of products
Has it helped? Too early to say, but CobiT 4.1 Online was popular and well used so . . . .
Process Assessment Model Provides a basis for assessing an enterprise’s processes against COBIT 5. Evidence-based to enable a reliable, consistent and repeatable way to assess IT process capabilities Helps IT leaders gain C-level and board member buy-in for change and improvement initiatives Follows standard audit/assurance approaches but provides considerably more “granularity” than Capability Maturity Models Comes as a Model; a Programme and self-Assessment and Assessor Guides (4 publications)
Has it helped? Excellent guide for Auditors & other Assurance Professionals Explains how to assess compliance with the COBIT 5 Processes Provides a clear compliance statement that highlights failures and attracts the attention of the “Governance Body” as well as senior management Very useful publication!
COBIT 5 Related Pub’s COBIT 5-Related Guides: COBIT 5 Principles: Where Did They Come From? (white paper) Controls and Assurance in the Cloud: Using COBIT 5 (book) Relating the COSO Internal Control—Integrated Framework and COBIT (white paper) Vendor Management: Using COBIT 5 (book) Securing Mobile Devices Using COBIT 5 for Information Security (book) Transforming Cybersecurity: Using COBIT 5 (book) Configuration Management Using COBIT 5 (book) RBI Guidelines Mapping With COBIT 5 (India WP) Securing Sensitive Personal Data or Information Under India’s IT Act Using COBIT 5(India WP)