CobiT Experiences at SwissLife: Benefits and Lessons Learned

1
CobiT® Experiences at SwissLife: Benefits and Lessons Learned
  • Urs Fischer, 12. September 2006

2
Implementing IT Governance & Ensure Compliance by Using the CobiT®
3
Agenda - Overview
  • 1. IT Governance
  • 2. IT Compliance
  • 3. Six Steps to Compliance
  • 4. Proper Controls: CobiT®
  • 5. CobiT® Maturity Model
  • 6. SwissLife Roadmap
  • 7. Summary

4
IT Governance Domains
  • Strategic Alignment
  • Value Delivery
  • Resource Management
  • Risk Management
  • Performance Measurement

5
Basis
  • Solvency II (EU)
  • Schweizerisches Versicherungsaufsichtsgesetz
    (VAG)
  • Swiss Solvency Test (SST)

6
Emphasis: Risk Based
It is accepted that certain risks (operational risks such as IT risks) cannot
be assessed in a quantitative manner and therefore do not need to be secured
through capital. These risks can be assessed in a qualitative manner, e.g.
with an adequate control environment.
7
The Way of Swiss Life IT
Qualitative Assessment of IT Risks
With an adequate control environment
Control Framework is COBIT®
9
Requirements
  • Customer Privacy
  • Data Security
  • Information Integrity
  • Enhancing Financial Controls

11
Six Steps to Compliance: Step 1
  • Lead by Example
  • Compliance starts at the top. Management must be
    serious and accountable for compliance.

12
Six Steps to Compliance: Step 2
  • Implement proper controls
  • Embrace proper processes and procedures to
    safeguard business operations from accidental or
    premeditated harm.

13
Six Steps to Compliance: Step 3
  • Audit regularly
  • Revisit your controls on a regular basis, and
    strengthen weak controls as soon as possible.

14
Six Steps to Compliance: Step 4
  • Train and communicate regularly
  • Tell all employees what's expected of them in
    regular written and electronic communications,
    and follow up with verbal discussions.

15
Six Steps to Compliance: Step 5
  • Listen to Critics
  • Have a process in place that allows employees to
    raise concerns without fear of retribution. This
    can include an anonymous tip hotline.

16
Six Steps to Compliance: Step 6
  • Act Fast and Appropriately
  • When compliance issues or problems arise, perform
    an investigation/audit and take disciplinary or
    corrective action wherever warranted.

18
IT Control System
CobiT®: The IT Risk Management Control Framework for Swiss Life
19
CobiT® - Products
20
Interrelationships of CobiT® Components
22
CobiT® Maturity Model
The maturity model provided by CobiT® for all of
the 34 IT processes is becoming an increasingly
popular tool to manage the timeless issue of
balancing risk and control in a cost-effective
manner.
23
CobiT® Maturity Model
  • The CobiT® Maturity Model is an IT governance
    tool used to measure how well developed the
    management processes are with respect to internal
    controls.
  • The maturity model allows an organisation to
    grade itself from non-existent (0) to optimised
    (5).
  • A fundamental feature of the maturity model is
    that it allows an organisation to measure as-is
    maturity levels, and define to-be maturity levels
    as well as gaps to fill. As a result, an
    organisation can discover practical improvements
    to the system of internal controls of IT.

24
CobiT Maturity Model
  • However, maturity levels are not a goal, but
    rather they are a means to evaluate the adequacy
    of the internal controls with respect to company
    business objectives. IT should support, for
    example
  • Raising awareness
  • Identifying weaknesses
  • Identifying priority improvements

25
Maturity Model Example
26
Generic Maturity Model
27
CobiT® Maturity Level Objective
28
Benchmark Approach (1)
  • The most common approach to measuring maturity is
    a multidisciplinary group of people who, in a
    facilitated workshop style, debate and come to a
    consensus as to the enterprise's current level of
    maturity.
  • The principle of not assigning a higher level
    when not all elements of the lower level are
    being applied (threshold approach) should be
    followed wherever possible but one should not be
    too stringent about it.

29
Benchmark Approach (2)
  • Another very pragmatic approach adopted by some
    is to decompose the maturity descriptions into a
    number of statements to which management can
    provide their level of agreement (e.g., "a lot,"
    "largely," "somewhat," "marginally" or "not at
    all").
  • → Our Approach

30
The Method
31
The Questionnaire
32
Compliance Value
33
Maturity Level per Process
35
2004
  • Process and Method agreed with IT-Management
  • Process and Method agreed with Operational Risk
    Management
  • Describe approach to Audit and get agreement in
    principle on responsibilities for assessments -
    who does assessments
  • Complete questionnaires for 12 selected processes
    (Pilot)
  • Set up assessment workshops
  • Perform workshops for the 12 selected processes

36
2005
  • Develop questionnaires for remaining 22 processes
  • Perform workshops for remaining 22 processes
  • Analysis of Results
  • Measurements / Prioritisation
  • Implementation of Measures (possibly within projects)

37
2006 / 2007
  • Analysis of Results
  • Measurements / Prioritisation
  • Implementation of Measures (possibly within projects)

38
Rising Star Chart: Documenting as-is and to-be
39
Implementation of Measures: Closing of Gaps
40
Define Where You Are
41
Define Where You Want to Be
42
Analyse Gaps
43
Define Projects
44
Opportunity Grid
45
Improvement Plan
47
  • As long as companies are succeeding, controls are
    the last thing on their mind. Once their success
    starts flattening out, cost management and
    controls start taking a more important role in
    their activities.
  • However, often it is too late for a change.

48
Thank You
Swiss Life
Urs Fischer, Head of IT Risk Management Security
General-Guisan-Quai 40, Postfach, 8022 Zürich
T 41 43 284 58 86, F 41 43 338 58 86
urs.fischer_at_swisslife.ch, www.swisslife.ch
49
Back-Up: Standards
50
CobiT - an IT Control Framework
  • Integrator of technical standards
  • Interface to business standards

51
CobiT - an IT Control Framework
  • Governance
  • Strategy
  • Planning
  • Value delivery
  • Performance measurement
  • Risk management
  • Control and assessment
  • ITIL for service delivery
  • CMM for software development
  • Prince2 for project management
  • ..

[Diagram: layers labelled Strategic, Process Control, Process Execution and Work Instruction; frameworks shown: COBIT, ISO17799, CMM, ITIL, XY]

53
Acquire & Implement (AI Process Domain)
Plan & Organise (PO Process Domain)
Deliver & Support (DS Process Domain)
Monitor (M Process Domain)
54
Plan & Organise
  • Define Strategic IT Plan
  • Define Information Architecture
  • Determine Technological Direction
  • Define IT Organization & Relationships
  • Manage IT Investment
  • Communicate Aims & Direction
  • Manage Human Resource
  • Ensure Compliance With External Standards
  • Assess Risks
  • Manage Projects
  • Manage Quality

Acquire & Implement
  • Identify Automated Solutions
  • Acquire & Maintain Application Software
  • Acquire & Maintain Technology Infrastructure
  • Develop & Maintain IT Procedures
  • Install & Accredit Systems
  • Manage Change

Deliver & Support
  • Define & Manage Service Levels
  • Manage Third-Party Services
  • Manage Performance & Capacity
  • Ensure Continuous Service
  • Ensure System Security
  • Identify & Allocate Costs
  • Educate & Train Users
  • Assist & Advise IT Customers
  • Manage Configuration
  • Manage Problems & Incidents
  • Manage Data
  • Manage Facilities
  • Manage Operations

Monitor
  • Monitor The Process
  • Assess Internal Control Adequacy
  • Obtain Independent Assurance
  • Provide Independent Audit

66
Plan & Organise, Acquire & Implement, Deliver & Support, Monitor
(the CobiT processes as listed on slide 54), overlaid with:
  • ITIL
  • Service Delivery: Service Level Management, Availability Management,
    Capacity Management, Financial Management, Continuity Management
  • Service Support: Service Desk, Incident Management, Problem Management,
    Change Management, Release Management, Configuration Management
  • plus PRINCE2 Project Management
  • plus ISO 9001 Quality Management
  • plus Application Services Library (ASL)
  • plus Investors In People (IIP)
  • plus ISO 17799 Information Security
  • plus Gartner's 21 Best Practices
  • plus EFQM
  • plus Six Sigma

67
CobiT - an IT Control Framework
How is it being used?
  • IT Governance
  • Audit Methodology
  • Security
  • Sarbanes-Oxley
  • CobiT Framework
  • Outsourcing
  • Process Standards
  • Policy