IT Governance: COBIT, ISO17799 & ITIL
Contents: Introduction, COBIT, ISO17799, Others, ITIL
Introduction (diagram): IT Governance, with Effectiveness and Efficiency on one axis and Internal Stakeholders and External Stakeholders on the other.
Introduction
IT governance:
• Effective
• Meets management’s requirements
• Risks managed
• Controlled
• Provides value for money
Introduction
“We are fast approaching the stage of IT evolution at which
innovation must translate into overall process improvements, as
it did in the mainframe world of 20 years ago.”
Source: Forrester
COBIT: Control Objectives for Information and related Technology (by ISACA / ITGI)
COBIT
Plan and organize
Acquire and implement
Deliver and support
Monitor and evaluate
COBIT - Plan and Organize
Define strategic IT plan
Define information architecture
Determine technological direction
Define IT processes, organization and relationships
Manage IT investment
Communicate management aims and direction
Manage IT human resources
Manage quality
Assess and manage IT risks
Manage projects
COBIT - Acquire and Implement
Identify automated solutions
Acquire and maintain application software
Acquire and maintain technology infrastructure
Enable operation and use
Procure IT resources
Manage changes
Install and accredit solutions and changes
COBIT - Deliver and Support
Define and manage service levels
Manage third-party services
Manage performance and capacity
Ensure continuous service
Ensure systems security
Identify and allocate costs
Educate and train users
Manage service desk and incidents
Manage configuration
Manage problems
COBIT - Deliver and Support (cont.)
Manage data
Manage physical environment
Manage operations
COBIT - Monitor and Evaluate
Monitor and evaluate IT performance
Monitor and evaluate internal control
Ensure regulatory compliance
Provide IT governance
ISO17799: Information Technology / Security Techniques - Code of Practice for Information Security Management (by International Standards Organization (ISO))
ISO17799
Security policy
Organizing information security
Asset management
Human resources security
Physical and environmental security
Communications and operations management
Access control
Information system acquisition, development and maintenance
Information security incident management
Business continuity management
Compliance
ITIL: Information Technology Infrastructure Library (by UK government / Office of Government Commerce)
ITIL
Service support
Service delivery
ITIL - Service Support
Incident management
Configuration management
Problem management
Change management
Release management
ITIL - Service Delivery
Service level management
Capacity management
Availability management
Security management
Continuity management
Financial management
Mapping COBIT, ISO17799 & ITIL

Each COBIT process is mapped to the related ISO17799 sections and ITIL processes; "-" means no related section or process was identified.

COBIT process | ISO17799 | ITIL
PO1 – Define strategic IT plan | - | -
PO2 – Define information architecture | Asset management (classification) | -
PO3 – Determine technological direction | - | -
PO4 – Define IT processes, organization and relationships | Organizing information security (internal); Asset management (responsibility); Access control (users) | -
PO5 – Manage IT investment | - | Financial management for IT services (budgeting)
PO6 – Communicate management aims and direction | - | -
PO7 – Manage IT human resources | Human resources security | -
PO8 – Manage quality | - | -
PO9 – Assess and manage IT risks | - | -
PO10 – Manage projects | - | -
AI1 – Identify automated solutions | - | -
AI2 – Acquire and maintain application software | Access control (development); Information system acquisition, development and maintenance (development – software) | (blank in the original)
AI3 – Acquire and maintain technology infrastructure | Information system acquisition, development and maintenance (development – infrastructure) | -
AI4 – Enable operation and use | - | -
AI5 – Procure IT resources | - | -
AI6 – Manage changes | Access control (maintenance); Information system acquisition, development and maintenance (maintenance) | Change management
AI7 – Install and accredit solutions and changes | Information system acquisition, development and maintenance (maintenance) | Release management
DS1 – Define and manage service levels | - | Service level management
DS2 – Manage third-party services | Organizing information security (external) | -
DS3 – Manage performance and capacity | Communications and operations management | Capacity management
DS4 – Ensure continuous service | Business continuity management | IT service continuity management
DS5 – Ensure system security | Security policy; Communications and operations management (security); Access control (security); Information system acquisition, development and maintenance (security) | Security management
DS6 – Identify and allocate costs | - | Financial management of IT services (costing)
DS7 – Educate and train users | - | -
DS8 – Manage service desk and incidents | Information security incident management | Incident management
DS9 – Manage configuration | - | Configuration management
DS10 – Manage problems | - | Problem management
DS11 – Manage data | Communications and operations management (backups) | Availability management
DS12 – Manage physical environment | Physical and environmental security | -
DS13 – Manage operations | Communications and operations management (operations) | -
ME1 – Monitor and evaluate IT performance | - | -
ME2 – Monitor and evaluate internal control | Compliance (audit) | -
ME3 – Ensure regulatory compliance | Compliance (standards) | -
ME4 – Provide IT governance | - | -

Key (shown graphically on the original slides; the marking is not preserved in this transcript): Strong relationship, Weak relationship, No relationship
Case Study

Maturity levels:
0 – Non-Existent: No processes
1 – Initial: Processes are ad hoc
2 – Repeatable: Processes are regular
3 – Defined: Processes are repeatable, as well as documented and communicated
4 – Managed: Processes are defined, as well as measured and monitored
5 – Optimized: Processes are managed, and best practices are followed and automated

Key (shown graphically on the original slides): Maturity level ≥ 3; Maturity level 2 – 2.9; Maturity level ≤ 1.9
Case Study (heat map): the COBIT processes listed above, laid out under their four domains (Plan & Organize, Acquire & Implement, Deliver & Support, Monitor & Evaluate), each shaded by the maturity level key above. The shading is not preserved in this transcript.
Case Study
Conclusion
• Organizations are more dependent upon the information systems that support their business-critical functions
• They face the challenge of ensuring the confidentiality, integrity and availability of these information systems, as well as protecting the related technology infrastructure
• Due to increasingly complex environments and the demanding expectations of management, organizations are using a number of international standards to achieve international best practice related to IT governance
Conclusion (roadmap): Assess, Design, Present, Implement, Future Roadmap