COBIT - II

1
COBIT - II
2
(No Transcript)
3
Process Orientation
4
Domains

• COBIT defines IT activities in a generic process
  model within four domains.
• Plan and Organize
• Acquire and Implement
• Deliver and Support
• Monitor and Evaluate

5
Plan and Organise

• Description
• This domain covers strategy and tactics, and
  concerns the identification of how IT can best
  contribute to the achievement of the business
  objectives. Furthermore, the realisation of the
  strategic vision needs to be planned,
  communicated and managed for different
  perspectives. Finally, a proper organisation as
  well as technological infrastructure must be put
  in place.
• Topics
• Strategy and tactics
• Vision planned
• Organisation and infrastructure
• Questions
• Are IT and the business strategy aligned?
• Is the enterprise achieving optimum use of its
  resources?
• Does everyone in the organisation understand the
  IT objectives?
• Are IT risks understood and being managed?
• Is the quality of IT systems appropriate for
  business needs?

6
Plan and Organise

• PO1 Define a strategic information
  technology plan
• PO2 Define the information architecture
• PO3 Determine the technological direction
• PO4 Define the IT organisation and
  relationships
• PO5 Manage the investment in information
  technology
• PO6 Communicate management aims and direction
• PO7 Manage human resources
• PO8 Ensure compliance with external
  requirements
• PO9 Assess risks
• PO10 Manage projects
• PO11 Manage quality

.
7
Acquire and Implement

• Description
• To realise the IT strategy, IT solutions need to
  be identified, developed or acquired, as well as
  implemented and integrated into the business
  process. In addition, changes in and maintenance
  of existing systems are covered by this domain to
  make sure that the life cycle is continued for
  these systems.
• Topics
• IT solutions
• Changes and maintenance
• Questions
• Are new projects likely to deliver solutions that
  meet business needs?
• Are new projects likely to deliver on time and
  within budget?
• Will the new systems work properly when
  implemented?
• Will changes be made without upsetting current
  business operations?

8
Acquire and Implement

• AI1 Identify automated solutions
• AI2 Acquire and maintain application software
• AI3 Acquire and maintain technology
  infrastructure
• AI4 Develop and maintain IT procedures
• AI5 Install and accredit systems
• AI6 Manage changes

9
Deliver and Support

• Description
• This domain is concerned with the actual delivery
  of required services, which range from
  traditional operations over security and
  continuity aspects to training. To deliver
  services, the necessary support processes must be
  set up. This domain includes the actual
  processing of data by application systems, often
  classified under application controls.
• Topics
• Delivery of required services
• Setup of support processes
• Processing by application systems
• Questions
• Are IT services being delivered in line with
  business priorities?
• Are IT costs optimised?
• Is the work force able to use the IT systems
  productively and safely?
• Are adequate security, integrity and availability
  in place?

10
Deliver and Support

• DS1 Define and manage service levels
• DS2 Manage third-party services
• DS3 Manage performance and capacity
• DS4 Ensure continuous service
• DS5 Ensure systems security
• DS6 Identify and allocate costs
• DS7 Educate and train users
• DS8 Assist and advise customers
• DS9 Manage the configuration
• DS10 Manage problems and incidents
• DS11 Manage data
• DS12 Manage facilities
• DS13 Manage operations

11
Monitor and Evaluate

• Description
• All IT processes need to be regularly assessed
  over time for their quality and compliance with
  control requirements. This domain thus addresses
  managements oversight of the organisations
  control process and independent assurance
  provided by internal and external audit or
  obtained from alternative sources.
• Topics
• Assessment over time, delivering assurance
• Managements oversight of the control system
• Performance measurement
• Questions
• Can ITs performance be measured and can problems
  be detected before it is too late?
• Is independent assurance needed to ensure
  critical areas are operating as intended?

12
Monitor and Evaluate

• M1 Monitor the process
• M2 Assess internal control adequacy
• M3 Obtain independent assurance
• M4 Provide for independent audit

13
Business Requirements

• Quality Requirements
• Quality
• Delivery
• Cost
• Security Requirements
• Confidentiality
• Integrity
• Availability
• Fiduciary Requirements
• Effectiveness and efficiency of operations
• Compliance with laws and regulations
• Reliability of financial reporting

• Effectiveness
• Efficiency
• Confidentiality
• Integrity
• Availability
• Compliance
• Reliability of information

Treadway Commission reqs that management must
attest to its organisations effectiveness and
efficiency of operations, reliability of
financial reporting (not financial reports), and
compliance with laws and regulations.
14
What the stakeholders expect from IT
The resources made available toand built up byIT
Business Requirements
IT Resources
IT Processes

• Data
• Application systems
• Technology
• Facilities
• People

• Plan and Organise
• Aquire and Implement
• Deliver and Support
• Monitor and Evaluate

• Effectiveness
• Efficiency
• Confidentiality
• Integrity
• Availability
• Compliance
• Information reliability

15
DS2 Example - Manage third-party services
Drilling Down the COBIT model