Transcript Document

Welcome ISACA Baton Rouge
Chapter
Moving from COBIT 4.1 to COBIT 5
May 24, 2012
Agenda
• Differences between COBIT 4.1 and COBIT 5
• Review of COBIT 5 Framework and Enabling
Processes
• Incorporation of Application Level Controls
• LA Legislative Auditor’s Office Implementation
of COBIT 5
COBIT 4.1 and COBIT 5
Compare and Contrast
COBIT 5
• Created by the IT Governance Institute
• How is COBIT different and why do we use it?
o
o
o
Contains IT best practices that can be used by
auditors and IT management
Generally acceptable with third parties and
regulators
Fulfills the COSO requirements for the IT control
environment
COBIT 5 Principles
1: Meeting Stakeholder Needs
• “The COBIT 5 Goals
Cascade translates
stakeholder needs
into specific,
actionable, and
customized goals
within the context
of the enterprise, ITrelated goals, and
enabler goals.”
2: Covering the Enterprise
End-to-End
COBIT 5:
• Integrates governance of
enterprise IT into
enterprise governance.
• Covers all functions and
processes required to
govern and manage
enterprise information
and related technologies
wherever that information
may be processed.
3: Applying a Single
Integrated Framework
4: Enabling a Holistic Approach
• Enablers are factors that, individually and collectively,
influence whether something will work.
• COBIT 4.1 contained enablers, but more emphasis
has been placed on enablers in COBIT 5.
5: Separating Governance from
Management
• Governance: ensures that stakeholder needs, conditions,
and options are evaluated to determine balanced,
agreed-on enterprise objectives to be achieved; setting
direction through prioritization and decision making; and
monitoring performance and compliance against agreedon direction and objectives.
• Management: plans, builds, runs and monitors activities
in alignment with the direction set by the governance
body to achieve the enterprise objectives.
5: Separating Governance from
Management
• These two disciplines encompass different types of
activities, require different organizational structures,
and serve different purposes.
COBIT 5 Framework and
Enabling Processes
Notable Process Mapping
COBIT 4.1
COBIT 5
Topic Covered
ME4
EDM1, 2, 3, 4, 5
IT Governance
AC 1, 2, 3, 4, 5, 6
BAI3 & DSS6
Manage Business Process Controls
PO1
APO2
Strategic Planning
PO4
APO1
Organization, Processes, and Relationships
PO8
APO11
Manage Quality
PO9
APO12
Manage Risk
PO10
BAI1
Manage Programs and Projects
AI4
BAI8
Manage Knowledge
AI5 & DS2
APO10
Manage Suppliers
DS1
APO9
Manage Service Agreements
DS3
BAI4
Manage Availability and Capacity
DS5 & DS12
DSS5
Manage Security Services
DS5
APO13
Manage Security
Practices and Activities
• COBIT 5 Practices and Activities are equivalent
to COBIT 4.1 Control Objectives and Val IT and
Risk IT processes.
RACI Charts
Application Level Controls
Holistic Approach
• The terms “general controls” and “application
controls” are still commonly used, COBIT 5 does
not distinguish between the two as did COBIT 4.1.
• The holistic approach maps common enterprise
goals and objectives to IT goals as “primary” or
“secondary.”
• IT goals are mapped to processes and attributes
as “primary” or “secondary” that enable an
enterprise to achieve the IT goals.
Louisiana Legislative Auditor’s Office
Implementation of COBIT 5 into
Standard Auditing Procedures
LA Legislative Auditor
• Oversee 3500 audits of state and local
governments, and conducts independent
financial and performance audits of State
agencies, colleges, and universities.
Our Approach
Control Matrix for Information Technology
(CoMIT) Tool
We needed a tool based on CoBIT Criteria
• Use of IT has grown and we are resource
challenged
• Standardize our procedures and have a
common measuring tool
21
Confidentiality?!
Control Matrix for Information Technology
(CoMIT)
• Governance Enterprise Management Matrix
o
o
“Primary Controls”
Organized according to the five domains
• Transaction and Application Level Matrix
o
o
Evaluates key controls at a more granular level
Organized in accordance with the Confidentiality,
Integrity, and Availability (CIA) Triad
Transaction and Application Level
COBIT 5 Family
You Might Be An IT Auditor If…
• You have more letters behind your name than a can of
alphabet soup
• You have a gadget on your desk that you have fondly
given a name
• Bean counter references make you mad
• Balancing your checkbook is fun
• When you have your computer repaired, you ask for all
the parts back, labeled, and itemized
• Your idea of vacation is field work
• You and your coworkers represent more nationalities
than anywhere else in the office