CobiT Strategy and Long Term Vision
Urs Fischer
VP Head IT Risk Mgmt, Security & ICS
March 2007 ISACA After Hours Seminar - CobiT Strategy and Long Term Vision - Mr. Urs Fischer
Session Objective
Provide those interested stakeholders with a
clear and single consensus view of CobiT
goals, products and activities
COBIT - Global Status
Some findings of the ITGI survey of over 500 executives
[Chart: Executive awareness of COBIT, 2003 and 2005; values shown: 18% and 27%]
COBIT is the preferred way to implement effective IT governance
Executive awareness is up
Perception that it is difficult to implement
More than half of those who know it, know its contents
More than 1/3rd of those who know the
• The COBIT strategy depends on the organisational structure, processes and
reporting mechanisms established by ISACA and ITGI to support the goals of
COBIT through:
– Attracting thought leaders,
– Resourcing projects, product support and volunteer development groups,
– Marketing and selling the products, and
– Providing effective oversight and governance
COBIT - the organisation
[Organisation chart: ITG Committee; CobiT Steering Committee; Core Team (Strategy, Execution); Ad Hoc; Regional Teams; Development Labs. Locations shown: Brussels, London, Chicago, DC, Cape Town, Canberra, Copenhagen, San Francisco, Los Angeles]
CobiT: An IT control framework
An open standard at www.isaca.org
Evolution
Audit - 1996 - COBIT1
Control - 1998 - COBIT2
Management - 2000 - COBIT3
Governance - 2005 - COBIT4
Is internationally accepted
Maps to all major related frameworks and standards and is recognised as an integrator for such frameworks, standards and best practices
Supports the IT-related component of existing and emerging regulations, particularly those related to corporate governance and compliance
Is a complete family of products that evolves continuously
Is supported by tools and training
Is maintained by a reputable not-for-profit organisation
Is technology / platform neutral and independent
Is based on expert volunteer input
Is both management and assurance oriented
Appeals to a broad IT community
COBIT - Value and Limitations
CobiT Mission Statements
• CobiT to remain the de-facto standard of IT governance
• ITGI to be the recognized global leader in IT Governance,
control and assurance, and to provide the organisational
support and thought leadership for sustaining COBIT
developments
• ISACA to enhance the reputation, independence and
professionalism of ISACA and provide member benefits,
while leveraging the knowledge of the membership,
volunteers, subject matter experts (SME) and other
advisors as appropriate
CobiT Mission Statements
• Focus on the target group as identified by the ‘IT Governance
global Status Report – 2006’, that is aware of the IT governance
concept, knows IT governance solution providers, prefers CobiT
for it but has not implemented it.
CobiT Strategic Goals
• CONTENT: Ensure currency and quality of the CobiT knowledge base
• SUPPORT: Enable individual and enterprise users to get value out of the CobiT products
• ADOPTION: Achieve wide global adoption amongst all audiences: Board and Executive, IT management and professionals, in the domains of IT Governance, Assurance and Security
• REVENUE: Operate a business model that makes access to CobiT products and services non-prohibitive while being financially prudent and able to sustain.
Support ISACA/ITGI Strategy
COBIT - product portfolio
COBIT - product hierarchy
An open standard at
www.isaca.org
Research and Development
• Resourcing the development of CobiT is an immense challenge
• CobiT 4.0 has been a 2 year effort with many interconnected projects
• Empirical Analysis to prove return on IT governance practices
• Mapping to other standards
• Support for regulatory compliance
• Workbench
[Diagram: IT Management Processes and IT Governance Processes, shown for Current Development and Future Research]
CobiT Certification
[Diagram: Strategic Direction (YES / NO) for the certification options: Trainer accreditation; CobiT Implementer Certification; Education Certificates; Enterprise compliance; Product certification; People capability and experience]
CobiT Education
Internet based training for CobiT “Foundation” level
– 3rd party development, volunteer design, ISACA’s IP
– Rolled out July 2005
– Course delivered via network of Distributors; ISACA site
advertises and provides click-through
– Business model is based on royalty to ISACA and a
discount to its members (350$ for 3 months)
– Individuals: 500 sold, 100 exams and 500 prospects
– Corporates: 8 sold and 100+ prospects
Education Strategy
Foundation – rolled out
Implementation – being aligned to CobiT4.0
Assurance – design done, under development
[Graphic: COBIT FOUNDATION]
Current Development Activity
• CobiT Online now has CobiT 4.0 content
included; 3.2 still available to support transition
• Updated Implementation Guide, Control
Practices, and Assurance Guide (replaces Audit
Guidelines) will be published 19.4.2007
• Updating Quickstart, Security Baseline and
others to reflect new CobiT Framework
• Updating/expanding CobiT Mapping research
papers, which will include maps to CMM, PMBOK,
Prince 2, NIST FISMA standards, and others
• Improving alignment of CobiT to Val IT content
Urs Fischer
CobiT Steering Committee
Conclusion
ISACA is our name.
IT Governance is our brand.
CobiT is our product.
Outlook to the Future
• The IT Governance Framework dates back to 1998 and
is only very high level and IT Governance guidance is
not completely covered (yet).
• The current frameworks, CobiT and ValIT, being owned
and having grown organically through different
committees contain a mix of Management and
Governance guidance.
• The tendency of each new initiative to develop its own
framework can be an obstacle for alignment.
• There is the perception that the target audience for the
current frameworks is not well defined or too broad in
some instances or only audit and control focused.
Our Need is for …
• A simple and complete framework for IT Governance that
– enhances our ability to communicate about the IT Governance BOK
– enables adoption by
• Boards
• enterprise management
• IT management
We should be providing a Governance Framework or a clear generic model of the processes required so that enterprises can develop and implement a governance architecture suitable for their requirements .. But which is aligned to needs of IT
Boundaries
• We need to draw loose boundaries between
– Enterprise (corporate) governance
– IT governance
– IT management
• .. in order to subsequently define the structure of the ITGF
[Diagram, layers Enterprise Governance / IT Governance / IT Management: Enterprise Governance & Strategy; Value Governance; Risk Governance; Portfolio Management; Value Management (investments & benefits); Risk Management (operational & compliance); Performance Measurement; Enterprise Architecture; Plan, Deliver, Operate. Arrow labels: set, direct, drive, report]
Enterprise governance framework drives overall value and risk governance in IT
IT Governance drives Value and Risk Management
Value and Risk Management drives IT service delivery
Systematic Performance Measurement tools as essential feedback
Governance and Management
IT GOVERNANCE
IT MANAGEMENT
Translate strategy into action
• Make the business more effective and efficient
• Make IT more effective and efficient
• Manage risks (security, reliability & compliance)
• Manage service delivery consistency
Set Objectives
• Align business and IT
• Enable the business and maximise benefits
• Ensure effective and efficient use of resources
• Manage IT risk as part of ERM
• Fulfil compliance requirements
Translate direction into strategy
Measure and report performance
Provide direction
Evaluate performance
ENTERPRISE GOVERNANCE
Set Objectives
• Set enterprise objectives and directions
• Build control environment
• Establish decision rights and responsibilities
• Manage Enterprise Risk
• Fulfil compliance requirements
Provide direction
Evaluate performance
An IT Governance Framework is a defined conceptual structure to support governance expectations by organising IT tasks and activities into discrete processes while providing a business focus. It supplies a common language for IT activities and key management practices involved and is consistent with generally accepted IT good practices and corporate governance standards.
Where we are now …
• ITGI has developed
– Guidance
• Board Briefings
– Frameworks
• CobiT
• Val IT
– and more to come?
• Both frameworks contain components at the Governance layer and the Management layer
• Frameworks overlap to a certain degree
[Diagram: View 1 – Board Briefing; layers: IT Governance, IT Management]
[Diagram: View 2 - CobiT; layers: IT Governance, IT Management; domains: PO Plan and Organise, AI Acquire and Implement, DS Deliver and Support, ME Monitor and Evaluate]
[Diagram: View 3a – Val IT; layer: IT Governance]
[Diagram: View 3b – Val IT; layers: IT Governance, IT Management]
[Diagram: View 4 – Board Briefing, CobiT & ValIT; layers: IT Governance, IT Management; Board Briefing; CobiT domains: PO Plan and Organise, AI Acquire and Implement, DS Deliver and Support, ME Monitor and Evaluate; Val IT domains: VG Value Governance, PM Portfolio Management, IM Investment Management]
Alternative 1 – “As Is”
Maintain and develop all frameworks in a ‘loosely’ coupled way
IT GOVERNANCE
IT MANAGEMENT
Translate strategy into action
• Make the business effective
• Make the business efficient
• Manage risks (security, reliability & compliance)
• Manage service delivery consistency
Set Objectives
• Align business and IT
• Enable the business and maximise benefits
• Ensure effective and efficient use of resources
• Manage IT risk as part of ERM
• Fulfil compliance requirements
Translate direction into strategy
Measure and report performance
Provide direction
Evaluate performance
[Diagram labels: ValIT, RiskIT, CobiT]
Alternative 2 – Integrated Framework
Integrate existing frameworks into a new ITGF
IT GOVERNANCE
Translate strategy into action
• Make the business effective
• Make the business efficient
• Manage risks (security, reliability & compliance)
Set Objectives
• Align business and IT
• Enable the business and maximise benefits
• Ensure effective and efficient use of resources
• Manage IT risk as part of ERM
• Fulfil compliance requirements
Translate direction into strategy
Measure and report performance
Provide direction
Evaluate performance
[Diagram label: IT Governance Framework]