Milan Chapter. COBIT 5: the evolution from CobiT 4.1. Manno, 25 January 2012. Presented by: Alberto Piamonte [email protected]


COBIT 5

Published in 2011:

• COBIT 5 Framework (85 pp)
– Principles
– Architecture
– Enablers

• COBIT 5 Process Reference Guide (218 pp)

• COBIT Assessment Program (for CobiT 4.1 but also used by COBIT 5)
– COBIT Assessment Model (PAM) 73pp
– COBIT Assessor Guide 47pp
– COBIT Self-assessment Guide 31pp

Following the first experiences of use, a few notes . . .


Once upon a time there was the CUBE . . .


CobiT 4.1

[Figure labels: Information Criteria, IT Resources, IT Processes, Business Strategy]


CobiT 4.1

[Figure labels: Information Criteria, IT Resources, IT Processes, Business Strategy]

• Effectiveness
• Efficiency
• Confidentiality
• Integrity
• Availability
• Compliance
• Reliability


Information Criteria

• Effectiveness
• Efficiency
• Confidentiality
• Integrity
• Availability
• Compliance
• Reliability

Balanced Score Cards (BSC)

Financial
1 Provide a good return on investment of IT-enabled business investments.
2 Manage IT-related business risk.
3 Improve corporate governance and transparency.

Customer
4 Improve customer orientation and service.
5 Offer competitive products and services.
6 Establish service continuity and availability.
7 Create agility in responding to changing business requirements (time to market).
8 Achieve cost optimisation of service delivery.
9 Obtain reliable and useful information for strategic decision making.

Internal
10 Improve and maintain business process functionality.
11 Lower process costs.
12 Provide compliance with external laws, regulations and contracts.
13 Provide compliance with internal policies.
14 Manage business change.
15 Improve and maintain operational and staff productivity.

Learning
16 Manage product and business innovation.
17 Acquire and maintain skilled and motivated people.


COBIT 5: architecture

[Figure labels: BSC Criteria, Business Goals, IT Resources, IT Processes, Business Strategy, Relative importance]

COBIT 5 Enablers: Service Capabilities; Processes; Culture, Ethics, Behaviour; Organisational Structures; Information; Principles & Policies; Skills & Competencies


COBIT 5 Principles


1 - Integrator framework

• Starting from the current COBIT framework, bringing together the current ISACA frameworks and guidance, such as:
– Val IT
– Risk IT
– BMIS
– ITAF
– Board Briefing
– Taking Governance Forward

• Maintaining the link with the main frameworks and standards on the market (ITIL, ISO, etc.)

• Not only from an IT perspective, but extendable to other business aspects

© 2010 ISACA. All rights reserved.


2/3 - Stakeholder Value driven and Business focussed

Enterprise Goals and Governance Objectives (Benefits realisation, Risk optimization, Resource optimization)

Financial
• Compliance with external laws and regulations p
• Managed business risks (safeguarding of assets) p s
• Portfolio of competitive products and services p s
• Stakeholder value of business investments p
• Financial transparency p s s

Customer
• Customer‐oriented service culture p s
• Business service continuity and availability p
• Agile responses to a changing business environment p s
• Information‐based strategic decision making p p p
• Optimisation of service delivery costs p s

Internal
• Optimisation of business process functionality p p
• Optimisation of business process costs p p
• Managed business change programmes p p s
• Operational and staff productivity p p
• Compliance with internal policies p

Learning & Growth
• Skilled and motivated people s s p
• Product and business innovation culture p

Relative importance (P/S) of the COBIT Processes and of the other Enablers!


4 – Enablers based

• To achieve business goals, a set of interconnected Enablers must be considered:

1. Processes
2. Culture, ethics and behaviour
3. Organisational structures
4. Information
5. Principles and procedures
6. Skills and competencies
7. Service delivery capabilities

[Figure: COBIT 5 Enablers (Service Capabilities; Processes; Culture, Ethics, Behaviour; Organisational Structures; Information; Principles & Policies; Skills & Competencies). Labels: Systemic Governance, Stakeholder needs]


• A common model for all Enablers

Measurable (ISO)


Process Enabler Model

Relationships:

• Information as input or output
• Organisational structures
• Services
• They produce or require policies and procedures
• Environmental and/or cultural aspects influence how the process is executed


Process Reference Model

How many processes now? 36!


Process Reference Guide

• A separate publication that expands on the process-enabler model

• Contains full details of the COBIT processes in a similar way to the process documentation in COBIT 4.1


Information Model

An evolution of the CobiT 4.1 Information Criteria …..


Organisational Structures Model


Skills and Competencies Model


Applications and Infrastructure too!


5 - Governance and Management

Governance: definition and control of strategies

Management: execution and management of resources

The COBIT 5 Process Model makes a clear distinction between the two disciplines


Comments …..

• A gradual, progressive transition from 4.1 to 5 is possible

• COBIT 5 can be used in “CobiT 4.1 mode”, adopting the new features that are needed later on

• …


ISACA’s COBIT Assessment Programme


What is the new COBIT assessment process?

The COBIT process programme is described in COBIT® Process Assessment Model (PAM): Using COBIT® 4.1.

PAM brings together two proven ‘heavyweights’ in the IT arena, ISO and ISACA.

The COBIT PAM adapts the existing COBIT 4.1 content into an ISO 15504 compliant process assessment model.

Copyright ISACA 2011. All rights reserved Slide 25


Assessment Overview

This figure is reproduced from ISO 15504-2:2003 with the permission of ISO at www.iso.org. Copyright remains with ISO.

Process Assessment Model

Assessment Process


Process Reference Model

• The high-level measurable objectives of performing the process and the likely outcomes of effective implementation of the process

• The activities that, when consistently performed, contribute to achieving the process purpose

• The artefacts associated with the execution of a process, defined in terms of process ‘inputs’ and process ‘outputs’

• An observable result of a process: an artefact, a significant change of state or the meeting of specified constraints


PRM Based on COBIT 4.1

Process ID: DS1

Process Name: Define and Manage Service Levels

Purpose: Satisfy the business requirement of ensuring the alignment of key IT services with the business needs.

Outcomes (Os)

Number | Description
DS1-O1 | A service management framework is in place to define the organisational structure for service level management, covering the base definitions of services, roles, tasks and responsibilities of internal and external service providers and customers.
DS1-O2 | Internal and external SLAs are formalised in line with customer requirements and delivery capabilities.
DS1-O3 | Operating level agreements (OLAs) are developed to specify the technical processes required to support SLAs.
DS1-O4 | Processes are in place to monitor (and periodically review) SLAs and achievements.

Base Practices (BPs)

Number | Description | Supports
DS1-BP1 | Create a framework for defining IT services. | DS1-O1
DS1-BP2 | Build an IT service catalogue. | DS1-O1, O2
DS1-BP3 | Define SLAs for critical IT services. | DS1-O2
DS1-BP4 | Define OLAs for meeting SLAs. | DS1-O3
DS1-BP5 | Monitor and report end-to-end service level performance. | DS1-O4
DS1-BP6 | Review SLAs and underpinning contracts. | DS1-O4
DS1-BP7 | Review and update the IT service catalogue. | DS1-O1
DS1-BP8 | Create a service improvement plan. | DS1-O1

Work Products (WPs): Inputs

Number | Description | Supports
PO1-WP1 | Strategic IT plan | DS1-O1, O2, O3, O4
PO1-WP4 | IT service portfolio | DS1-O1, O2, O3, O4
PO2-WP5 | Assigned data classifications | DS1-O1
PO5-WP3 | Updated IT service portfolio | DS1-O4
AI2-WP4 | Initial planned SLAs | DS1-O3
AI3-WP7 | Initial planned OLAs | DS1-O3
DS4-WP5 | Disaster service requirements, including roles and responsibilities | DS1-O1
ME1-WP1 | Performance input to IT planning | DS1-O1, O2

Work Products (WPs): Outputs

Number | Description | Input To | Supports
DS1-WP1 | Contract review report | DS2 | DS1-O1, O4
DS1-WP2 | Process performance reports | ME1 | DS1-O4
DS1-WP3 | New/updated service requirements | PO1 | DS1-O2, O3
DS1-WP4 | SLAs | AI1, DS2, DS3, DS4, DS6, DS8, DS13 | DS1-O2
DS1-WP5 | OLAs | DS4 to DS8, DS11, DS13 | DS1-O3
DS1-WP6 | Updated IT service portfolio | PO1 | DS1-O1, O4


Assessment Overview

This figure is reproduced from ISO 15504-2:2003 with the permission of ISO at www.iso.org. Copyright remains with ISO.


Measurement Framework

The COBIT assessment process measures the extent to which a given process achieves specific attributes relative to that process: the ‘process attributes’.

The COBIT assessment process defines 9 process attributes (based on ISO/IEC 15504-2):

• PA 1.1 Process performance

• PA 2.1 Performance management

• PA 2.2 Work product management

• PA 3.1 Process definition

• PA 3.2 Process deployment

• PA 4.1 Process measurement

• PA 4.2 Process control

• PA 5.1 Process innovation

• PA 5.2 Continuous optimization


Process Capability

Base Practice and Work Products

Generic Practice and Generic Work Products

Instance view / individual knowledge

Enterprise view / corporate knowledge


Process Attributes (example)

PA 1.1 Process performance

• The process performance attribute is a measure of the extent to which the process purpose is achieved.

• As a result of full achievement of this attribute, the process achieves its defined outcomes.


Process Attributes (example)

PA 2.1 Performance management

• A measure of the extent to which the performance of the process is managed. As a result of full achievement of this attribute:

a. Objectives for the performance of the process are identified.

b. Performance of the process is planned and monitored.

c. Performance of the process is adjusted to meet plans.

d. Responsibilities and authorities for performing the process are defined, assigned and communicated.

e. Resources and information necessary for performing the process are identified, made available, allocated and used.

f. Interfaces between the involved parties are managed to ensure effective communication and clear assignment of responsibility.

PA 2.2 Work product management

• A measure of the extent to which the work products produced by the process are appropriately managed. As a result of full achievement of this attribute:

a. Requirements for the work products of the process are defined.

b. Requirements for documentation and control of the work products are defined.

c. Work products are appropriately identified, documented and controlled.

d. Work products are reviewed in accordance with planned arrangements and adjusted as necessary to meet requirements.


Process Attribute Rating Scale

N Not achieved: 0 to 15% achievement
There is little or no evidence of achievement of the defined attribute in the assessed process.

P Partially achieved: > 15% to 50% achievement
There is some evidence of an approach to, and some achievement of, the defined attribute in the assessed process. Some aspects of achievement of the attribute may be unpredictable.

L Largely achieved: > 50% to 85% achievement
There is evidence of a systematic approach to, and significant achievement of, the defined attribute in the assessed process. Some weakness related to this attribute may exist in the assessed process.

F Fully achieved: > 85% to 100% achievement
There is evidence of a complete and systematic approach to, and full achievement of, the defined attribute in the assessed process. No significant weaknesses related to this attribute exist in the assessed process.


Process Capability Levels

Level 0 Incomplete process
Incomplete: The process is not implemented or fails to achieve its purpose.

Level 1 Performed process
PA 1.1 Process performance attribute
Performed: The process is implemented and achieves its process purpose.

Level 2 Managed process
PA 2.1 Performance management attribute
PA 2.2 Work product management attribute
Managed: The process is managed and work products are established, controlled and maintained.

Level 3 Established process
PA 3.1 Process definition attribute
PA 3.2 Process deployment attribute
Established: A defined process is used based on a standard process.

Level 4 Predictable process
PA 4.1 Process measurement attribute
PA 4.2 Process control attribute
Predictable: The process is enacted consistently within defined limits.

Level 5 Optimizing process
PA 5.1 Process innovation attribute
PA 5.2 Process optimization attribute
Optimizing: The process is continuously improved to meet relevant current and projected business goals.


COBIT Assessment Process Overview

This figure is reproduced from ISO 15504-2:2003 with the permission of ISO at www.iso.org. Copyright remains with ISO.


Process Attributes and Capability Levels

This figure is reproduced from ISO 15504-5 2006 with the permission of ISO at www.iso.org. Copyright remains with ISO.

[Figure labels: capability levels Incomplete, Performed, Managed, Established, Predictable, Optimizing; 9 Process Attributes; Process Attribute Indicators (PAI)]


Process Attribute Rating

Assessment indicators in the PAM are used to support the assessors’ judgement in rating process attributes:

• Provide the basis for repeatability across assessments

A rating is assigned based on objective, validated evidence for each process attribute.

Traceability needs to be maintained between an attribute rating and the objective evidence used in determining that rating.


An example: AI7 Install and Accredit Solutions and Changes

Satisfy the business requirement of implementing new or changed systems that function without major problems after installation.

WP in

• PO3 Technology standards
• PO4 Documented system owners
• PO8 Development standards
• PO10 Project management guidelines
• PO10 Detailed project plans
• AI3 Configured system to be tested/installed
• AI4 User, operational, support, technical and administration manuals
• AI5 Procured items
• AI6 Change authorisation

WP out

• Released configuration items (DS8, DS9)
• Known and accepted errors (AI4)
• Promotion to production (DS13)
• Software release and distribution plan (DS13)
• Post-implementation review (PO2, PO5, PO10)
• Internal control monitoring (ME2)

Process Outcomes

• A test strategy/plan based on organisational standards for testing of the system and data conversion is prepared and followed.
• Release planning, including planned approval and fallback mechanisms, is undertaken.
• An appropriate environment for testing, including training, is established.
• Test results are evaluated and approved by business management prior to approval of release to production.

Base Practice

• Build and review implementation plans.
• Define and review a test strategy (entry and exit criteria) and an operational test plan methodology.
• Build and maintain a business and technical requirements repository and test cases for accredited systems.
• Perform system conversion and integration tests on the test environment.
• Deploy the test environment and conduct final acceptance tests.
• Recommend promotion to production based on agreed-upon accreditation criteria.

Generic Practice

ISO/IEC 15504 Attribute Rating Scale (N,P,L,F)


Assessor Certification

COBIT process assessment roles:

• Lead assessor—a ‘competent’ assessor responsible for overseeing the assessment activities

• Assessor—an individual, developing assessor competencies, who performs the assessment activities

Assessor competencies:

• Knowledge, skills and experience:

• With the process reference model; process assessment model, methods and tools; and rating processes

• With the processes/domains being assessed

• Personal attributes that contribute to effective performance

A training and certification scheme is being developed for COBIT 4.1 and will also be established for COBIT 5, following publication in January 2012.


COBIT Mapping and Assessment Class

ISACA (and AIEA Milano) have published a series of COBIT “Mappings”. These mappings refer to the processes and in particular to the Control Objectives, which correspond to the Outcomes of the PAM!

Some available mappings:

• Business Goals
• Governance Focus Areas and COSO
• Sarbanes-Oxley Act
• Basel II
• Cloud Computing
– Public
– Private
– Hybrid
• Internal Control System under Law 262/2005
• Other standards (ISO 27001, ITIL, etc.)

Three assessment classes are defined and formalised, with different objectives and precision.

Rigour, and consequently cost, increase from level 1 to level 3:

1. Comparison with other organisations
2. Formal and reliable internal reporting to be used, for example, as the basis for an improvement plan
3. Testing and understanding of the process under examination, and a basis for class 2 or 3 assessments


New COBIT Capability Model

• The COBIT 4.1 maturity model (and therefore that of COBIT 5 as well) is replaced by the Capability Model based on ISO/IEC 15504, under the new ISACA initiative: COBIT Assessment Program (CAP).

• Advantages:

– Keeps the focus on the process

– Simplifies, avoiding duplication (MM, Control Objectives, Proc. Controls).

– Better reliability and repeatability of assessments by eliminating ambiguity of interpretation. A rigorous and formal method, usable internally but also externally.

– Conforms to an established standard (SPICE), also applicable to other contexts: COSO, ITIL, Basel II, …

– Dedicated training and certification is planned for the “assessors”


… not only COBIT

Improving Operational Risk Management Systems by Formalizing the Basel II Regulation with Goal Models and the ISO/IEC 15504 Approach


Internal Financial Control Assessment
