1COBITPart1ITGovernance---IT治理框架

1、COBIT Part 1 IT Governance2009 年 3 月1SITC: Service &Security开场时间请简单介绍您自己名字公司/产业别工作性质贵公司推行IT治理的程度在这堂课中,想了解的事情任何愿意和大家分享的事?2SITC: Service &Security前沿小站3SITC: Service &SecurityIT management to IT GovernanceISO31000ISO38500BS25999Prince2PMBOKCOBITITIL V3ISO27001ISPLSCAMPITOGAFSecurity & Availability MgtI

2、SO17799ISO13335ISO9001SW-CMMIQuality Management SystemIT Governance & Service MgtGovernance & Risk MgtISO15408Project Mgt (New service)ITIL v2IT ManagementITSCMChange&Release MgtTicketITNIST800SLM /BR/Configuration MgtITSMSupplier MgtMgt system & OrgFinance & CapacityMgtISO15504Appraisal & audit Mgt

3、MOF&MSFISO200004SITC: Service &SecurityCOBIT foundation examThe exam consists of 40 multiple-choice questions. To pass the exam, an individual must correctly answer 28 or more questions or attain a score of 70% or higher.PrerequisitesNone.Learning OutcomesHow IT management issues are affecting organ

4、izationsThe need for a control framework driven by the need for IT governanceHow COBIT meets the requirement for an IT governance frameworkHow COBIT is used with other standards and best practicesThe COBIT framework and all the components of COBITHow to apply COBIT in a practical situationHow the us

5、e of COBIT is supported by ITGICOBIT is a registered trademark of ISACA5SITC: Service &SecurityCertifications overviewISO38500ISO20000ISO27001COBIT foundation examITIL Foundation examService ManagerExpertCISA/CISMCISSPBUSINESSINDIVIDUAL6SITC: Service &Security学习目标了解何為IT治理及為何需要IT治理7SITC: Service &Sec

6、urityAgendaGovernance to why we need IT GovernanceWhat is IT GovernanceIT Governance FrameworkIT AlignmentValue DeliveryRisk ManagementResource ManagementPerformance ManagementISO38500:2008 VS CGEITConclusions8SITC: Service &SecurityWorld-class IT?Aligned with the business and providing transparent

7、valueTop management attention through appropriate IT Governance mechanismsEngaged in performance measurementCommitted to continuous improvement9SITC: Service &SecurityEnterprise governance is a set of responsibilities and practices exercised by the board and executive management with the goal of:Pro

8、viding strategic directionEnsuring that objectives are achievedAscertaining that risks are managed appropriately Verifying that the enterprises resources are used responsiblyEnterprise GovernancePERFORMANCEMEASUREMENTRESOURCEMANAGEMENTRISKMANAGEMENTVALUEDELIVERYSTRATEGICALIGNMENT10SITC: Service &Sec

9、urityEnterprise governance is about: ConformanceAdhering to legislation, internal policies, audit requirements, etc.PerformanceImproving profitability, efficiency, effectiveness, growth, etc.Enterprise Governance Drives IT GovernanceEnterprise governance and IT governance require a balance between c

10、onformance and performance goals directed by the board.PerformanceConformance11SITC: Service &SecurityScenario IT-GovernanceIT is an intensively discussed topic in Organisations and Enterprises. Discussion ranges from cost factor to business enabler.A close link between the Enterprise-Strategy and I

11、T-strategy is key, but it seems the distance between Enterprise-Management and IT is growing.Top Managers come very often from the classical“ disciplines.CIOs are not very often members of the Board.For many Enterprises are Consolidation“, Concentration on core business“ and Operational Excellence“

12、additional priorities of today. 12SITC: Service &SecurityOrganizations require a structured approach for managing these and other challenges.This will ensure that there are agreed objectives for IT, good management controls in place and effective monitoring of performance to keep on track and avoid

13、unexpected outcomes.The Need for IT GovernanceKeeping IT RunningSecurityValue/CostManaging ComplexityAligningIT with BusinessRegulatory Compliance13SITC: Service &Security 2007 IT Governance Institute. All rights reserved. Forces Driving IT GovernanceComplianceSecurityBusiness/ITAlignment ROIProject

14、Execution14SITC: Service &SecurityRole of ITSource of differentiation and advantageSupport core businessprocessesSupportback officeCopyright The Boston Consulting Group1960s1970s1980s1990s2000sAirlinesRetailingAutomotiveHealth CareFinancial Services2010sIT evolution over timeITroleIT needs to be lin

15、ked with business strategy to generate value for the businessCopyright The Boston Consulting GroupDevelopment Exhausted Or New Future Push To Be Expected?(1) IT evolving from Support Tool into Source of Competitive Advantage.15SITC: Service &SecurityWhy get into IT Governance?“Due diligenceIT is cri

16、tical to the businessExpectations and reality dont matchIT hasnt gotten the attention it deservesIT involves huge investments and large risks16SITC: Service &SecuritySarbanes-Oxley(cont.)17SITC: Service &SecuritySarbanes-Oxley (cont.)Effects of Sarbanes-OxleyCreated the Public Company Accounting Ove

17、rsight Board(PCAOB)Reinforces Auditor IndependenceStrengthen Internal Control Structure with organizationsUpgrade financial DisclosuresCreated Accountability at the Executive LevelProtect Investors18SITC: Service &Security“中国萨班斯企业内部控制根本标准 2008/6/28 由财政部、证监会、审计署、银监会、保监会联合公布。2009/7/1起首先在上市公司范围内施行参照美国于

18、2002/7/30公布的2002年萨班斯-奥克斯利法案而制定萨班斯法案对公司治理、会计师行业监管、证券市场监管等方面提出了许多新的严格要求，并设定了内控风险管理的问责机制和相应的惩罚措施。自此，全球也掀起了加强企业内部控制和风险管理的飓风迎接内控时代到来19SITC: Service &Security規範的要求及突破针对国内财务及会计监控体制的开展趋势，以及企业内部的委托-代理关系等各个方面的需求，要求上市公司应当对公司内部控制的有效性进行自我评价，披露年度自我评价报告，在企业内确定内部控制要素，建立内部控制机制突破界定了内部控制的内涵，强调内部控制是由企业董事会、监事会、经理层和全体员工实

19、施的、在实现控制目标的过程，有利于树立全面、全员、全过程控制的理念。20SITC: Service &Security內控框架五大目標 五大要素五大目標(合理保证)企业战略企业经营管理合法合规财务报告及相关信息真实完整提高经营效率和效果，促进企业实现开展战略资产平安五大要素(相互联系、相互促进)构建以内部环境为重要基础以风险评估为重要环节以控制活动为重要手段以信息与沟通为重要条件以内部监督为重要保证以企业为主体、以政府监管为促进、以中介机构审计为重要组成局部的内部控制实施机制。21SITC: Service &SecurityBasel II: Risk ClassificationTotal

20、 RiskCredit RiskMarket RiskOther RisksConsideredNot considered22SITC: Service &SecuritySample QuestionsWhich one of the following is currently driving the interest in IT best practices?Convergence in many technologiesIndustry standardisationIncreasingly complex IT-related risks.Lower cost of technol

21、ogy23SITC: Service &SecuritySample QuestionsGovernance and control frameworks provide IT management with best practice for which one of the following?performing computer operationsresolving disputes with IT vendorsremunerating IT staffcomplying with regulatory requirements24SITC: Service &SecuritySa

22、mple QuestionsWhich of the following is a common reason why IT projects exceed budget expectations or deadlines?Cost of IT specialistUnavailability of the latest technologyUnderestimation of the effort requiredLack of automation of development tools25SITC: Service &SecuritySample QuestionsWhich of t

23、he following is the most likely reason why IT projects exceed budget expectations or deadlines?Technical problemsShortage of skilled resourcesPoor development methodologiesHigh cost of IT experts26SITC: Service &SecurityAgendaGovernance to why we need IT GovernanceWhat is IT GovernanceIT Governance

24、FrameworkIT AlignmentValue DeliveryRisk ManagementResource ManagementPerformance ManagementISO38500:2008 VS CGEITConclusions27SITC: Service &SecurityGovernanceInherent Risk - Control = Residual Risk Local Management are Concerned with these Senior Management are concerned with thisWho makes decision

25、s, why, and how28The COSO Internal Control FrameworkThe Committee On Sponsoring Organizations (COSO)Internal Control-Integrated FrameworkPublished in 1992Reissued in 1994For Sarbanes-Oxley, Section 404,management must select framework as their basis for control review.COSO is the most widely recogni

26、zed internal control frameworkSponsored by AICPA,AAA,IIA,IMA,FEI29SITC: Service &SecurityNew frameworkInternal ControlToEnterprise Risk ManagementObjectivescomponentsEntity Structure30SITC: Service &SecurityThe COSO ERM frameworkEnterprise Risk Management FrameworkFramework for evaluating controls a

27、nd riskIncreased focus on risk managementFramework to effectively identify, assess, and manage riskPublished in 2004Expands on the Integrated Framework31SITC: Service &Security“IT governance is the responsibility of the board of directors and executive management. It is an integral part of enterpris

28、e governance and consists of the leadership and organizational structures and processes that ensure that the organizations IT sustains and extends the organizations strategies and objectives.I.T. GovernanceITGI, Board Briefing on IT Governance32SITC: Service &SecurityWhat is IT GovernanceIT provides

29、 valueIT does not provide surprisesIT pushes the envelopeA decision rights and accountability framework to encourage desirable behavior in the use of ITExpectationNeedDefinition“IT governance is the responsibility of the board of directors and executive management. It is an integral part of enterpri

30、se governance and consists of the leadership and organizational structures and processes that ensure that the organizations IT sustains and extends the organizations strategies and objectives.33SITC: Service &SecurityIT Governance Focus AreasStrategic alignmentValue deliveryResource managementRisk m

31、anagementPerformance measurement PERFORMANCEMEASUREMENTRESOURCEMANAGEMENTRISKMANAGEMENTVALUEDELIVERYSTRATEGICALIGNMENT34SITC: Service &SecurityCOSO / COBIT CubeCourtesy of the IT Governance Institutes document : “IT Control Objectives for Sarbanes-Oxley35SITC: Service &SecurityIT Governance Principl

32、esDirect and controlResponsibilityAccountabilityActivitySet directionsCompareSet objectives and MeasuresReportsMeasuresMeasuresReportsPerformActivitiesDirectControlResponsibilityAccountabilityActivitiesBoardITOrganizations36SITC: Service &Security2007 IT Governance InstituteIT Governance Stakeholder

33、sBusiness managementSet direction for IT, monitor results and insist on corrective measuresDefines business requirements for IT and ensures that value is delivered and risks are managedDelivers and improves IT services as required by the businessProvides independent assurance to demonstrate that IT

34、delivers what is neededMeasures compliance with policies and focuses on alerts to new risksRisk and compliance IT auditIT managementBoard and executive37SITC: Service &SecurityIT Governance in ContextIT governance and associated governance mechanisms provide the linkage between responsible corporate

35、 governance and effective IT managementCorporate GovernanceIT GovernanceIT managementCorporate GovernanceIT GovernanceIT managementOverall decision making and accountability structureEstablish goals, measures, policiesEnsures shareholders interests are respectedOverall IT decision making and account

36、abilityEnsures value is delivered to shareholders through IT investments and actionsCreates business value through IT manages IT budgets, resources, projects, operations, vendorsRuns IT as a business38SITC: Service &SecurityQuality SystemIT PlanningProject MgmtIT SecurityAP. Dev. (SDLC)Service Mgmt.

37、IT OperationsIT Governance ModelCOSOCOBITSOXISOSIXSigmaCMMIISO17799PMITSO ISStrategyISO20000Quality Systems& Mgmet. FrameworksISO3850039SITC: Service &SecurityCompliance frameworkThere are four compatible frameworks, operating at different level of detail and scope, that provide a set of controls an

38、d governance for ITLevel1: COSOOrganization wide controlsLevel2:COBITCan satisfy and extend COSO controls relating to ITLevel3:ITILCan satisfy and extend COBIT controls relating to ITLevel4:ISO27002/17799IT Security controls to meet and extend COBIT security40SITC: Service &SecurityKey Findings of t

39、he SurveyIT Governance Global Status Report2008.Although championship for IT governance within the enterprise comes from the C-level, in daily practiceIT governance is still very much a CIO/IT director issue. The few non-IT people in the sample have a muchmore positive view of IT than do the IT prof

40、essionals themselves.The importance of IT continues to increase.Self-assessment regarding IT governance has increased and is quite positive.Communication between IT and users is improving, but slowly.There is still substantial room for improvement in alignment between IT governance and corporate gov

41、ernanceas well as for IT strategy and business strategy.IT-related problems persist. While security/compliance is an issue, people are the most critical problem.Good IT governance practices are known and applied, but not universally.Organisations know who can help them implement IT governance, but a

42、ppreciation for the available expertise and delivery capability is only average.Action is being taken or plans are underway to implement IT governance activities. A large increase is evident when compared to the 2006 report.Organisations use the well-known frameworks and solutions.COBIT awareness ha

43、s exceeded 50 percent, and adoption and use remain around 30 percent.a. Twenty-five to 35 percent of respondents apply COBIT to the letter or are very strict.b. Fifty percent of respondents indicate that COBIT is one of the reference sources.c. In general, there is high appreciation of COBIT, as has

44、 been seen in prior reports.More than half of the respondents apply or plan to apply Val IT principles, but are not familiar with theVal IT brand itself.Major obstacles to adoption and use of Val IT principles include uncertainty regarding the return on investment (ROI) and lack of knowledge/experti

45、se.41SITC: Service &SecuritySelected IT Governance Frameworks42SITC: Service &SecurityBenefits of IT GovernanceConfidence of top managementResponsiveness of IT to businessHigher return on investment (ROI)More reliable servicesMore transparency43SITC: Service &SecurityIT GovernanceIT governance is an

46、 integral part of corporate governance and analogously combines leadership, organizational structures, and processes that ensure that IT sustains and extends the organizations strategies and objectivesIT governance provides guidelines, establishes criteria and standards for decision making, monitori

47、ng, measuring, and improving the performance of ITIT governance is the responsibility of the executive board and the executive management (incl. IT) and supports the interaction of all the organizations parties involved with ITWhat?How?Who?Though guided by it, daily operations or operative project m

48、anagement, are not core part of IT governance nor can IT governance substitute for a sound business strategyWhat not?Our Definition of IT Governance emphasizes the close Link of IT to the Organization as a whole .44SITC: Service &SecurityWhat is IT Governance? Its about organization leadership Decis

49、ion making that leads to better alignment of IT and the business IT delivering more business value IT resources are used responsibly IT risks are managed appropriately45SITC: Service &SecuritySample QuestionsWhich of the following is a key benefit of IT governance?Improved business processesGreater

50、awareness of available technical solutionsResponsiveness of ITGreater use of technologyIncreased budget for IT projects46SITC: Service &SecuritySample QuestionsThe COSO framework is a framework to help organizations establish and determine:Accounting standardsAuditing standardsInvestment decisionsTh

51、e effectiveness of their internal controls47SITC: Service &SecuritySample QuestionsWhich statement below best describes the Committee of Sponsoring Organisations of the Treadway Commission (COSO)s Internal ControlIntegrated Framework?A framework for internal auditing.A framework for systems manageme

52、nt.A framework for risk management.A framework for information systems48SITC: Service &SecuritySample QuestionsWhich of the following is an IT Governance concern of a trading partner?Confidential company information is not given to competitorsThe IT systems are based on the latest technologySystem c

53、hanges are not made without the partners approvalThe IT operation is cost effective and efficient49SITC: Service &SecuritySample QuestionsWhich of the following is a principle of IT governance?AccountabilityReliabilityAvailabilityProbability 50SITC: Service &SecurityAgendaGovernance to why we need I

54、T GovernanceWhat is IT GovernanceIT Governance FrameworkIT AlignmentValue DeliveryRisk ManagementResource ManagementPerformance ManagementISO38500:2008 VS CGEITConclusions51SITC: Service &SecurityIT Governance FrameworkSet ObjectivesIT is aligned with the businessIT enables the business and maximize

55、s benefitsIT resources are used responsiblyIT-related risks are managed appropriatelyCompareProvideDirectionMeasurePerformanceIT ActivitiesIncrease automation (make the business effective) Decrease cost (make the enterprise efficient)Manage risks (security, reliability and compliance)52SITC: Service

56、 &SecurityBe driven by stakeholder valueAsk the right questionsFocus on ITs:Alignment with the businessValue deliveryRisk managementMeasure resultsAdopt an IT governance frameworkIT Value DeliveryStakeholder Value DriversPerformance MeasurementRisk ManagementITStrategicAlignmentWhat should Boards do

57、 about it?53SITC: Service &SecurityIT Value DeliveryStakeholder Value DriversPerformance MeasurementRisk ManagementITStrategicAlignmentI.T. Governance FocusWhat does it cover?54SITC: Service &SecurityWhat should Management do about it?Align IT strategy with business goalsCascade strategy and goals d

58、own into the organizationSetup organizational structures that facilitate strategy implementationAdopt and IT control and governance frameworkProvide IT infrastructures that facilitate creation and sharing of business informationEmbed responsibilities for risk management in the organizationFocus on i

59、mportant IT process and core IT competenciesMeasure performance (Balanced Business Scorecard)55SITC: Service &SecurityWhat should Auditors do about it?Obtain an understanding about IT GovernanceGet the Board and Management to focus on the issues in the previous two slidesRecommend the adoption of an

60、 IT control and governance framework, such as COBITSet up organizational structures in your areas that facilitate a strategic implementation of such a frameworkMeasure your own performance (Balance Business Scorecard)56SITC: Service &SecurityIT Governance Focus AreasValue deliveryFocuses on ensuring