IT Governance: - PowerPoint PPT Presentation

About This Presentation
Title:

IT Governance:

Description:

COBIT, ISO17799 & ITIL; Mapping COBIT, ... – PowerPoint PPT presentation

Slides: 60
Provided by: bestitdoc
Tags: cobit | governance

Transcript and Presenter's Notes

Title: IT Governance:


1
IT Governance
  • COBIT, ISO17799
  • ITIL

2
Introduction
COBIT
ISO17799
Others
ITIL
3
Introduction
Effectiveness
External Stakeholders
Internal Stakeholders
IT Governance
Efficiency
4
Introduction
  • IT governance
  • Effective
  • Meets management's requirements
  • Risks managed
  • Controlled
  • Provides value for money

5
Introduction
We are fast approaching the stage of IT
evolution at which innovation must translate into
overall process improvements, as it did in the
mainframe world of 20 years ago.
Source: Forrester
6
COBIT
Control Objectives for Information and related
Technology by ISACA / ITGI
7
COBIT
  • Plan and organize
  • Acquire and implement
  • Deliver and support
  • Monitor and evaluate
8
COBIT - Plan and Organize
  • Define strategic IT plan
  • Define information architecture
  • Determine technological direction
  • Define IT processes, organization and relationships
  • Manage IT investment
  • Communicate management aims and direction
  • Manage IT human resources
  • Manage quality
  • Assess and manage IT risks
  • Manage projects
9
COBIT - Acquire and Implement
  • Identify automated solutions
  • Acquire and maintain application software
  • Acquire and maintain technology infrastructure
  • Enable operation and use
  • Procure IT resources
  • Manage changes
  • Install and accredit solutions and changes
10
COBIT - Deliver and Support
  • Define and manage service levels
  • Manage third-party services
  • Manage performance and capacity
  • Ensure continuous service
  • Ensure systems security
  • Identify and allocate costs
  • Educate and train users
  • Manage service desk and incidents
  • Manage configuration
  • Manage problems
11
COBIT - Deliver and Support (cont.)
  • Manage data
  • Manage physical environment
  • Manage operations
12
COBIT - Monitor and Evaluate
  • Monitor and evaluate IT performance
  • Monitor and evaluate internal control
  • Ensure regulatory compliance
  • Provide IT governance
13
ISO17799
Information Technology / Security Techniques -
Code of Practice for Information Security
Management by International Standards
Organization (ISO)
14
ISO17799
  • Security policy
  • Organizing information security
  • Asset management
  • Human resources security
  • Physical and environmental security
  • Communications and operations management
  • Access control
  • Information system acquisition, development and maintenance
  • Information security incident management
  • Business continuity management
  • Compliance
15
ITIL
Information Technology Infrastructure Library by
UK government / Office of Government Commerce
16
ITIL
  • Service support
  • Service delivery
17
ITIL - Service Support
  • Incident management
  • Configuration management
  • Problem management
  • Change management
  • Release management
18
ITIL - Service Delivery
  • Service level management
  • Capacity management
  • Availability management
  • Security management
  • Continuity management
  • Financial management
19
Mapping COBIT, ISO17799 ITIL
  • COBIT
  • PO1 Define strategic IT plan
  • ISO17799
  • -
  • ITIL
  • -

Key: Strong relationship | Weak relationship | No relationship
20
Mapping COBIT, ISO17799 ITIL
  • COBIT
  • PO2 Define information architecture
  • ISO17799
  • Asset management (classification)
  • ITIL
  • -

21
Mapping COBIT, ISO17799 ITIL
  • COBIT
  • PO3 Determine technological direction
  • ISO17799
  • -
  • ITIL
  • -

22
Mapping COBIT, ISO17799 ITIL
  • COBIT
  • PO4 Define IT processes, organization and
    relationships
  • ISO17799
  • Organizing information security (internal)
  • Asset management (responsibility)
  • Access control (users)
  • ITIL
  • -

23
Mapping COBIT, ISO17799 ITIL
  • COBIT
  • PO5 Manage IT investment
  • ISO17799
  • -
  • ITIL
  • Financial management for IT services (budgeting)

24
Mapping COBIT, ISO17799 ITIL
  • COBIT
  • PO6 Communicate management aims and direction
  • ISO17799
  • -
  • ITIL
  • -

25
Mapping COBIT, ISO17799 ITIL
  • COBIT
  • PO7 Manage IT human resources
  • ISO17799
  • Human resources security
  • ITIL
  • -

26
Mapping COBIT, ISO17799 ITIL
  • COBIT
  • PO8 Manage quality
  • ISO17799
  • -
  • ITIL
  • -

27
Mapping COBIT, ISO17799 ITIL
  • COBIT
  • PO9 Assess and manage IT risks
  • ISO17799
  • -
  • ITIL
  • -

28
Mapping COBIT, ISO17799 ITIL
  • COBIT
  • PO10 Manage projects
  • ISO17799
  • -
  • ITIL
  • -

29
Mapping COBIT, ISO17799 ITIL
  • COBIT
  • AI1 Identify automated solutions
  • ISO17799
  • -
  • ITIL
  • -

30
Mapping COBIT, ISO17799 ITIL
  • COBIT
  • AI2 Acquire and maintain application software
  • ISO17799
  • Access control (development)
  • Information system acquisition, development and
    maintenance (development software)
  • ITIL
  • -

31
Mapping COBIT, ISO17799 ITIL
  • COBIT
  • AI3 Acquire and maintain technology
    infrastructure
  • ISO17799
  • Information system acquisition, development and
    maintenance (development infrastructure)
  • ITIL
  • -

32
Mapping COBIT, ISO17799 ITIL
  • COBIT
  • AI4 Enable operation and use
  • ISO17799
  • -
  • ITIL
  • -

33
Mapping COBIT, ISO17799 ITIL
  • COBIT
  • AI5 Procure IT resources
  • ISO17799
  • -
  • ITIL
  • -

34
Mapping COBIT, ISO17799 ITIL
  • COBIT
  • AI6 Manage changes
  • ISO17799
  • Access control (maintenance)
  • Information system acquisition, development and
    maintenance (maintenance)
  • ITIL
  • Change management

35
Mapping COBIT, ISO17799 ITIL
  • COBIT
  • AI7 Install and accredit solutions and changes
  • ISO17799
  • Information system acquisition, development and
    maintenance (maintenance)
  • ITIL
  • Release management

36
Mapping COBIT, ISO17799 ITIL
  • COBIT
  • DS1 Define and manage service levels
  • ISO17799
  • -
  • ITIL
  • Service level management

37
Mapping COBIT, ISO17799 ITIL
  • COBIT
  • DS2 Manage third-party services
  • ISO17799
  • Organizing information security (external)
  • ITIL
  • -

38
Mapping COBIT, ISO17799 ITIL
  • COBIT
  • DS3 Manage performance and capacity
  • ISO17799
  • Communications and operations management
  • ITIL
  • Capacity management

39
Mapping COBIT, ISO17799 ITIL
  • COBIT
  • DS4 Ensure continuous service
  • ISO17799
  • Business continuity management
  • ITIL
  • IT service continuity management

40
Mapping COBIT, ISO17799 ITIL
  • COBIT
  • DS5 Ensure system security
  • ISO17799
  • Security policy
  • Communications and operations management
    (security)
  • Access control (security)
  • Information system acquisition, development and
    maintenance (security)

41
Mapping COBIT, ISO17799 ITIL
  • ITIL
  • Security management

42
Mapping COBIT, ISO17799 ITIL
  • COBIT
  • DS6 Identify and allocate costs
  • ISO17799
  • -
  • ITIL
  • Financial management of IT services (costing)

43
Mapping COBIT, ISO17799 ITIL
  • COBIT
  • DS7 Educate and train users
  • ISO17799
  • -
  • ITIL
  • -

44
Mapping COBIT, ISO17799 ITIL
  • COBIT
  • DS8 Manage service desk and incidents
  • ISO17799
  • Information security incident management
  • ITIL
  • Incident management

45
Mapping COBIT, ISO17799 ITIL
  • COBIT
  • DS9 Manage configuration
  • ISO17799
  • -
  • ITIL
  • Configuration management

46
Mapping COBIT, ISO17799 ITIL
  • COBIT
  • DS10 Manage problems
  • ISO17799
  • -
  • ITIL
  • Problem management

47
Mapping COBIT, ISO17799 ITIL
  • COBIT
  • DS11 Manage data
  • ISO17799
  • Communications and operations management
    (backups)
  • ITIL
  • Availability management

48
Mapping COBIT, ISO17799 ITIL
  • COBIT
  • DS12 Manage physical environment
  • ISO17799
  • Physical and environmental security
  • ITIL
  • -

49
Mapping COBIT, ISO17799 ITIL
  • COBIT
  • DS13 Manage operations
  • ISO17799
  • Communications and operations management
    (operations)
  • ITIL
  • -

50
Mapping COBIT, ISO17799 ITIL
  • COBIT
  • ME1 Monitor and evaluate IT performance
  • ISO17799
  • -
  • ITIL
  • -

51
Mapping COBIT, ISO17799 ITIL
  • COBIT
  • ME2 Monitor and evaluate internal control
  • ISO17799
  • Compliance (audit)
  • ITIL
  • -

52
Mapping COBIT, ISO17799 ITIL
  • COBIT
  • ME3 Ensure regulatory compliance
  • ISO17799
  • Compliance (standards)
  • ITIL
  • -

53
Mapping COBIT, ISO17799 ITIL
  • COBIT
  • ME4 Provide IT governance
  • ISO17799
  • -
  • ITIL
  • -

54
Case Study
  • 0 Non-Existent: No processes
  • 1 Initial: Processes are ad hoc
  • 2 Repeatable: Processes are regular
  • 3 Defined: Processes are repeatable, as well as documented and communicated
  • 4 Managed: Processes are defined, as well as measured and monitored
  • 5 Optimized: Processes are managed, and best practices are followed and automated

Key: Maturity level 3 | Maturity level 2 2.9 | Maturity level 1.9
55
Case Study
[Diagram: the 34 COBIT processes shown as boxes under the four domains: Plan and Organize, Acquire and Implement, Deliver and Support, Monitor and Evaluate]
56
Case Study
[Diagram: the 34 COBIT processes shown as boxes under the four domains: Plan and Organize, Acquire and Implement, Deliver and Support, Monitor and Evaluate]
57
Case Study
58
Conclusion
  • More dependent upon information systems that support their business-critical functions
  • Challenge of ensuring confidentiality, integrity and availability of these information systems, as well as protecting related technology infrastructure
  • Due to increasingly more complex environments and demanding expectations of management, organizations are using a number of international standards to achieve international best practice related to IT governance
59
Conclusion
Assess
Design
Implement
Present
Future
Roadmap