#3b-IT Governance COBIT
Agenda: IT Governance
• IT Governance Principles (Weil & Ross)
• CobiT
• COSO, ISO 27000, ...
• IT Compliance
– SOX, Euro-SOX, ....
IT Governance Archetypes: Styles
Style: who has decision or input rights?
§ Business Monarchy: a group of business executives or individual executives (CxOs); includes committees of senior business executives (may include the CIO)
§ IT Monarchy: individuals or groups of IT executives
§ Feudal: business unit leaders, key process owners or their delegates
§ IT Duopoly: IT executives and one other group (e.g. CxOs, or business unit or process leaders)
Source: Weill, Peter; Ross, Jeanne W.: IT Governance. Harvard Business School Press, 2004.
Bicycle Wheel and T-Shaped IT Duopolies
[Figure: two duopoly layouts, built from an executive committee, an IT committee, business units (BU), business managers (X), IT managers (Y) and business/IT relationship managers (RM)]
X = Business manager
Y = IT manager
RM = Business/IT Relationship Manager
BU = Business unit
Source: Weill, Peter; Ross, Jeanne W.: IT Governance. Harvard Business School Press, 2004, p. 62.
IT Governance Archetypes: Key Players
Key players: (a) C-level executives; (b) corporate IT and/or business unit IT; (c) business unit leaders or key business process owners.
Business Monarchy: (a)
IT Monarchy: (b)
Feudal: (c)
Federal: (a), (b) and (c); or (a) and (c)
IT Duopoly: (b) together with (a); or (b) together with (c)
Anarchy: none of the three groups
Source: Weill, Peter; Ross, Jeanne W.: IT Governance. Harvard Business School Press, 2004, p. 60.
(Five) Key IT Governance Decisions
[Figure: IT governance decision areas: IT principles, IT architecture, IT infrastructure strategies, business application needs, IT investment]
IT Principles decisions: high-level statements about how IT is used in the business.
Source: Weill, Peter; Ross, Jeanne W.: IT Governance. Harvard Business School Press, 2004.
Typical Enterprise IT Governance
[Matrix: rows = governance archetypes (Business Monarchy, IT Monarchy, Feudal, Federal, Duopoly, Anarchy, No data or don't know); columns = the five decision areas (IT Principles, IT Architecture, IT Infrastructure Strategies, Business Application Needs, IT Investment), each split into Input and Decision]
(i) Which archetypes are responsible for providing key input to IT governance decisions?
(ii) Which archetypes are responsible for making which decisions?
Source: Weill, Peter; Ross, Jeanne W.: IT Governance. Harvard Business School Press, 2004, p. 64.
Enterprise IT Governance – Case Study
Percentage of enterprises in which each archetype holds the input (I) and decision (D) rights for each decision area (research conducted at 256 enterprises in 23 countries):

Archetype             | IT Principles I / D | IT Architecture I / D | IT Infrastructure Strategies I / D | Business Application Needs I / D | IT Investment I / D
Business Monarchy     | 0 / 27              | 0 / 6                 | 0 / 7                              | 1 / 12                           | 1 / 30
IT Monarchy           | 1 / 18              | 20 / 73               | 10 / 59                            | 0 / 8                            | 0 / 9
Feudal                | 0 / 3               | 0 / 0                 | 1 / 2                              | 1 / 18                           | 0 / 3
Federal               | 83 / 14             | 46 / 4                | 59 / 6                             | 81 / 30                          | 93 / 27
Duopoly               | 15 / 36             | 34 / 15               | 30 / 23                            | 17 / 27                          | 6 / 30
Anarchy               | 0 / 0               | 0 / 1                 | 0 / 1                              | 0 / 3                            | 0 / 1
No data or don't know | 1 / 2               | 0 / 1                 | 0 / 2                              | 0 / 2                            | 0 / 0

Source: Weill, Peter; Ross, Jeanne W.: IT Governance. Harvard Business School Press, 2004, p. 64.
Common Governance Mechanisms
[Figure: bar chart of governance mechanisms, grouped into decision-making structures, alignment processes and communication approaches. Horizontal axis: percent of participants using the mechanism (0 to 100). Each bar is annotated with the CIO-ranked IT governance effectiveness on a scale from 1 (ineffective) to 5 (highly effective).]
Decision-making structures: executive or senior management committee; IT leadership committee comprising IT executives; process teams with IT members; business/IT relationship managers; IT council comprising business and IT executives; architecture committee; capital approval committee.
Alignment processes: tracking of IT projects and resources consumed; service-level agreements; formally tracking business value of IT; chargeback arrangements.
Communication approaches: work with managers who don't follow the rules; senior management announcements; office of CIO or office of IT governance; web-based portals and intranets for IT.
Effectiveness ratings in the figure range from 2.8 to 3.9.
Research conducted at 256 enterprises in 23 countries.
Source: Weill, Peter; Ross, Jeanne W.: IT Governance. Harvard Business School Press, 2004, p. 87.
Enterprise IT Governance – Case Study
State Street (Financial Services Industry)
[Matrix: archetypes (IT Monarchy, Feudal, Duopoly, Anarchy, No data or don't know) against the five decision areas (IT Principles, IT Architecture, IT Infrastructure Strategies, Business Application Needs, IT Investment), each split into Input and Decision. Players named in the IT Monarchy row: CIO, Architecture Office, IT Leaders. Players named in the Duopoly row: Business Leaders, IT Organisation, IT Leaders.]
[Figure: governance performance by type of decision and decision maker. Rows: business-type decisions (IT principles, business application needs, IT investment) and IT-type decisions (IT architecture, infrastructure). Columns: decided by Business, by IT, or jointly. Legend: + = top performers, = = no difference, - = poor performers; * = statistically significant relationship with governance performance. Data measured using: business flexibility, money; IT intensity; exceptions (percent of projects). Figure values: business-type decisions 29 / 7 / 24; IT-type decisions 5 / 27 / 8.]
Source: Weill, Peter; Ross, Jeanne W.: IT Governance. Harvard Business School Press, 2004, p. 135.
Enterprise IT Governance – Case Study
IT Governance Arrangements of Best & Worst Performers
[Matrix: archetypes (Business Monarchy, IT Monarchy, Feudal, Federal, IT Duopoly, Anarchy) against the five decision areas (IT Principles, IT Architecture, IT Infrastructure Strategies, Business Application Needs, IT Investment), each split into Input and Decision. Upper matrix: + and – mark the arrangements that distinguish best and worst performers (Feudal: –; Federal: + – – – + –; IT Duopoly: – + – +). Lower matrix: 1, 2, 3 mark the top three governance performers per cell (Business Monarchy: 3 3 3 2 3; IT Monarchy: 1 1 and 2 2; Federal: 1 3; IT Duopoly: 1 2 2 1).]
1, 2, 3 = top three governance performers (achieving four performance objectives, weighted by importance); performance objectives are, for example, cost, growth and flexibility.
Source: MIT Sloan School Center for Information Systems Research
IT Governance for SMEs -Recommendations
• R1: Senior Management should be involved through
joint formal & informal IT Governance interactions.
• R2: Corporate executives should be involved in IT
Governance Process
• R3: Operational executives should be involved in IT
Governance Process
• R4: IT Governance policies, guidelines and processes
should be communicated through a number of
channels
• R5: IT Governance policies, guidelines and processes
should be communicated through accessible channels
Rui Huang, Robert W. Zmud, and R. Leon Price: "IT Governance Practices in Small & Medium Sized Enterprises". In: G. Dhillon, B. C. Stahl, and R. Baskerville (Eds.): CreativeSME 2009, IFIP AICT 301, pp. 158–179, 2009.
IV (Informationsverarbeitung, information processing) Management – Maturity Level #1
"Stages of Growth Model" (Nolan)
Nolan's 4 theses regarding IT development:
1. IT develops in distinct stages.
2. A new stage can only be "started" when the previous stage has been completed.
3. An organisation "can't buy" skipping a developmental stage.
4. There must be a balance between the areas of IT costs, IT resources, IT management, IT users / IT customers and IT application domains.
Richard L. Nolan: Managing the computer resource: a stage hypothesis. Commun. ACM 16, 7 (Jul. 1973), pp. 399–405.
King, John Leslie; Kraemer, Kenneth L. (1984): "Evolution and organizational information systems: an assessment of Nolan's stage model". Communications of the ACM 27 (5): 466–475.
IV Management – Maturity Model #1
[Figure: Nolan's "Stages of Growth Model"]
IV Management – Maturity Level #2
[Figure: CMMI]
CobiT cube
[Figure: the CobiT cube. Idea: representation of the different CobiT dimensions in one model: Business Requirements, IT Resources, Control Domains, IT Processes and Activities; with Value Delivery and Performance Measurement]
CobiT Control Domains
[Figure]
CobiT Domain: Plan and Organise
[Figure]
CobiT Domain: Plan and Organise
PO1 Define a Strategic IT Plan
PO1.1 IT Value Management
PO1.2 Business-IT Alignment
PO1.3 Assessment of Current Capability and
Performance
PO1.4 IT Strategic Plan
PO1.5 IT Tactical Plans
PO1.6 IT Portfolio Management
CobiT Domain: Plan and Organise
PO1 Define a Strategic IT Plan
PO1.4 IT Strategic Plan: Create a strategic plan that defines, in co-operation with relevant stakeholders, how IT goals will contribute to the enterprise's strategic objectives and related costs and risks. It should include how IT will support IT-enabled investment programmes, IT services and IT assets. IT should define how the objectives will be met, the measurements to be used and the procedures to obtain formal sign-off from the stakeholders. The IT strategic plan should cover investment/operational budget, funding sources, sourcing strategy, acquisition strategy, and legal and regulatory requirements. The strategic plan should be sufficiently detailed to allow for the definition of tactical IT plans.
CobiT Domain: Plan and Organise (PO, Plan & Organize) & IT Governance Domains
IT governance focus areas, in column order: Strategic Alignment, Value Delivery, Resource Management, Risk Management, Performance Measurement. P = primary relationship, S = secondary relationship; Priority H = high, L = low.
PO1 Define a Strategic IT Plan: priority H; P S S
PO2 Define the Information Architecture: priority L; P S P S
…
PO9 Assess and Manage IT Risks: priority H; P P
PO10 Manage Projects: priority H; P S S S S (Strategic Alignment primary, all other focus areas secondary)
Mapping: Control Domains to Resources & Business Requirements
Control Domain: PO, Plan and Organize.
Resources (X = resource used): Staff, Information, Applications, Infrastructure.
Information criteria / business requirements, in column order: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability (P = primary, S = secondary).
PO1 Define a Strategic IT Plan: resources X X X X; criteria P S
PO2 Define the Information Architecture: resources X X; criteria S P S P
…
PO9 Assess and Manage IT Risks: resources X X X X; criteria S S P P P S S (Effectiveness S, Efficiency S, Confidentiality P, Integrity P, Availability P, Compliance S, Reliability S)
PO10 Manage Projects: resources X X X; criteria P P
[Figures: CobiT 4 overview, three slides]
Source: www.isaca.org/Knowledge-Center/cobit/Documents/COBIT4.pdf, 24 May 2011
Mapping: IT Goals to Business Goals
Note: 28 predefined IT goals
[Figure]
Mapping: IT-Processes to IT Goals
[Figure]
CobiT Domain: Plan and Organise
Enterprise Architecture / IT Architecture
• Denotes all static and dynamic aspects of IT in an organisation, e.g.
– Infrastructure (hardware, locations, networks, software (applications), data)
– Associated management (configuration and capacity planning, load balancing, backup, availability, fault tolerance, disaster recovery planning, etc.)
– Functional aspects such as the interfaces required for IT support of the business processes
• 2 levels: basic structures & definition of rules for coordinating the interplay of all components
• Analogy: compare IT architecture with a zoning plan in urban planning: the central guideline for everyone involved in IT planning and in operating IT systems and IT infrastructure.
Zachman Framework
[Figure]
TOGAF – The Open Group Architecture Framework
[Figure]
TOGAF Model / TOGAF ADM
Source: http://www.opengroup.org/togaf/cert/showcase/participants/detecon/index.html
Enterprise Architectures
[Figure]
CobiT: Mapping Processes & Goals
[Figure]
RACI Table
[Figure: RACI chart for DS1]
Source: http://www.continentalsoftware.com/itil-figures/cobit/ds01_raci-chart.gif, last accessed 21 August 2013
Additional CobiT Elements
• Controls
– Business Controls (low Priority)
– Application Controls
– IT General Controls (IT Infrastructure)
• ITGI CobiT Implementation Guide, CobiT Quickstart (Small &
Medium Enterprises): concrete Step-by-step guidance for
implementation
• CobiT Maturity Model
– Derived from CMMI
– Facilitates systematic Evaluation of 34 CobiT Processes
Cobit Maturity Model
[Figure]
CMMI
[Figure: Wikipedia]
DS2 Maturity Model
DS2 Manage Third-party Services
Management of the process Manage third-party services that satisfies the business requirement for IT of providing satisfactory
third-party services whilst being transparent about benefits, costs and risks is:
0 Non-existent when
Responsibilities and accountabilities are not defined. There are no formal policies and procedures regarding contracting with third
parties. Third-party services are neither approved nor reviewed by management. There are no measurement activities and no
reporting by third parties. In the absence of a contractual obligation for reporting, senior management is not aware of the quality
of the service delivered.
© 2007 IT Governance Institute. All rights reserved. www.itgi.org
DS2 Maturity Model cont.
3 Defined when
Well-documented procedures are in place to govern third-party services, with clear processes for vetting and negotiating with
vendors. When an agreement for the provision of services is made, the relationship with the third party is purely a contractual one.
The nature of the services to be provided is detailed in the contract and includes legal, operational and control requirements. The
responsibility for oversight of third-party services is assigned. Contractual terms are based on standardised templates. The business
risk associated with the third-party services is assessed and reported.
5 Optimised when
Contracts signed with third parties are reviewed periodically at predefined intervals. The responsibility for managing suppliers and
the quality of the services provided is assigned. Evidence of contract compliance to operational, legal and control provisions is
monitored, and corrective action is enforced. The third party is subject to independent periodic review, and feedback on
performance is provided and used to improve service delivery. Measurements vary in response to changing business conditions.
Measures support early detection of potential problems with third-party services. Comprehensive, defined reporting of service level
achievement is linked to the third-party compensation. Management adjusts the process of third-party service acquisition and
monitoring based on the measures.
COBIT: A High Level Control Objective
• Control over the IT process of managing changes
– that satisfies the business requirement to minimize the likelihood of
disruption, unauthorized alterations and errors
– is enabled by a management system which provides for the analysis,
implementation and follow-up of all changes requested and made to the
existing IT infrastructure
• Consideration areas
– identification of changes
– categorization, prioritization and emergency procedures
– impact assessment
– change authorization
– release management
– software distribution
– configuration management
– business process re-design
Associated Detailed Control Objective
6.1 Change Request Initiation and Control
CONTROL OBJECTIVE
IT management should ensure that all requests for
changes, system maintenance and supplier
maintenance are standardized and are subject to
formal change management procedures. Changes
should be categorized and prioritized and specific
procedures should be in place to handle urgent
matters. Change requestors should be kept informed
about the status of their request.
Another Detailed Control Objective
6.3 Control of Changes
CONTROL OBJECTIVE
IT management should ensure that change
management and software control and distribution
are properly integrated with a comprehensive
configuration management system. The system
used to monitor changes to application systems
should be automated to support the recording and
tracking of changes made to large, complex
information systems.
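Control objectives 6.1 and 6.3 above require that every change is recorded, categorised, authorised under formal procedures (with a separate path for urgent matters), tracked by an automated system, and that requestors can be told the status of their request. The following Python script is an added example, not COBIT text and not any vendor's tool: it reconciles a deployment log against a change register and flags what an auditor checks for, namely changes with no or an unknown change record, changes deployed before approval, and emergency changes without timely retrospective approval. The register, the deployment log, the field names and the 24-hour retrospective-approval window are constructed assumptions.

```python
"""Reconcile a deployment log against the change register.

Added example, not COBIT text or a vendor tool. The sample data, the
field names and the 24 h retrospective-approval window are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ChangeRequest:
    cr_id: str
    category: str                 # "standard", "normal" or "emergency"
    status: str                   # "pending", "approved" or "rejected"
    approved_at: Optional[datetime]
    requestor: str


@dataclass(frozen=True)
class Deployment:
    target: str                   # configuration item that was changed
    version: str                  # version or commit identifier that went live
    deployed_at: datetime
    cr_id: Optional[str]          # change record cited by the deployer, if any


# Assumed policy: an emergency change may go live before formal approval,
# but retrospective approval must be recorded within this window.
EMERGENCY_APPROVAL_WINDOW = timedelta(hours=24)

Finding = Tuple[str, str, str]    # (target, finding code, detail)


def audit_changes(register: List[ChangeRequest],
                  deployments: List[Deployment]) -> List[Finding]:
    """Return one finding per deployment that violates change control."""
    by_id = {cr.cr_id: cr for cr in register}
    findings: List[Finding] = []
    for d in deployments:
        if d.cr_id is None:
            findings.append((d.target, "NO_RECORD", "deployed without a change record"))
            continue
        cr = by_id.get(d.cr_id)
        if cr is None:
            findings.append((d.target, "UNKNOWN_RECORD", f"{d.cr_id} is not in the register"))
        elif cr.status == "rejected":
            findings.append((d.target, "REJECTED", f"{cr.cr_id} was rejected"))
        elif cr.category == "emergency":
            # Emergency path: go-live before approval is allowed, late or
            # missing retrospective approval is not.
            if cr.approved_at is None:
                findings.append((d.target, "EMERGENCY_UNAPPROVED",
                                 f"{cr.cr_id} has no retrospective approval"))
            elif cr.approved_at - d.deployed_at > EMERGENCY_APPROVAL_WINDOW:
                findings.append((d.target, "EMERGENCY_LATE",
                                 f"{cr.cr_id} approved after the window"))
        elif cr.status != "approved" or cr.approved_at is None:
            findings.append((d.target, "NOT_APPROVED", f"{cr.cr_id} is {cr.status}"))
        elif cr.approved_at > d.deployed_at:
            findings.append((d.target, "APPROVED_AFTER_DEPLOY",
                             f"{cr.cr_id} approved after it went live"))
    return findings


def request_status(register: List[ChangeRequest],
                   deployments: List[Deployment]) -> Dict[str, str]:
    """Status per change request, so requestors can be told where it stands."""
    live = {d.cr_id for d in deployments if d.cr_id}
    return {cr.cr_id: ("implemented" if cr.cr_id in live and cr.status == "approved"
                       else cr.status)
            for cr in register}


# Constructed sample data (assumed; not taken from any real register).
T0 = datetime(2024, 3, 1, 9, 0)
REGISTER = [
    ChangeRequest("CR-101", "normal", "approved", T0, "alice"),
    ChangeRequest("CR-102", "emergency", "approved", T0 + timedelta(hours=30), "bob"),
    ChangeRequest("CR-103", "normal", "pending", None, "carol"),
    ChangeRequest("CR-104", "standard", "approved", T0 + timedelta(hours=5), "dave"),
    ChangeRequest("CR-105", "emergency", "pending", None, "erin"),
    ChangeRequest("CR-106", "normal", "rejected", None, "frank"),
]
DEPLOYMENTS = [
    Deployment("web-frontend", "a1b2c3", T0 + timedelta(hours=2), "CR-101"),  # compliant
    Deployment("core-db", "d4e5f6", T0 + timedelta(hours=1), "CR-102"),       # approved 29 h later
    Deployment("payments", "0f9e8d", T0 + timedelta(hours=3), "CR-103"),      # still pending
    Deployment("dns", "7a7b7c", T0 + timedelta(hours=4), "CR-104"),           # approved 1 h after go-live
    Deployment("ldap", "beef01", T0 + timedelta(hours=6), None),              # no record cited
    Deployment("vpn", "cafe02", T0 + timedelta(hours=7), "CR-999"),           # record does not exist
    Deployment("firewall", "f00d03", T0 + timedelta(hours=8), "CR-105"),      # emergency, never approved
]


def sample_audit() -> List[Finding]:
    return audit_changes(REGISTER, DEPLOYMENTS)


if __name__ == "__main__":
    for target, code, detail in sample_audit():
        print(f"{target:<13} {code:<22} {detail}")
    print(request_status(REGISTER, DEPLOYMENTS))
```

In a real environment the deployment log would come from the CI/CD system or from configuration-management drift detection, and the register from the ticketing tool; the reconciliation itself is the control, because a change that the monitoring system cannot tie to an approved record is, by definition, an unauthorised alteration.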
CobiT – Component Relationships
[Figure: Business, Information, IT Processes and Control Objectives, connected by the relationships "made effective & efficient by", "controlled by", "translated into", "implemented with", "measured by" and "audited by"]
Source: (Moeller, 2008: 122)
CobiT – Critical Aspects
• COBIT is formulated in rather general terms; it does not cover concrete technologies
– Adoption / implementation of CobiT requires additional information and documents
– COBIT does not define how control objectives shall be implemented (COBIT only checks whether the IT processes exist)
– Additional methods / reference models are needed to establish the required steps
Conceptual Metamodelling of CobiT
[Figure]
Goeken, M., Alter, S.: IT Governance Frameworks as Methods. Proceedings of the 10th International Conference on Enterprise Information Systems. Barcelona/Spain (2008).
Meta Modeling
• "Metamodeling" is the construction of a collection of "concepts" (things, terms, etc.) within
a certain domain. A model is an abstraction of phenomena in the real world; a metamodel is
yet another abstraction, highlighting properties of the model itself. A model conforms to its
metamodel in the way that a computer program conforms to the grammar of the
programming language in which it is written.
• Common uses for metamodels are:
– As a schema for semantic data that needs to be exchanged or stored
– As a language that supports a particular method
– As a language to express additional semantics of existing information
• Because of the "meta" character of metamodeling, both the praxis and theory of
metamodels are of relevance to metascience, metaphilosophy, metatheories and systemics,
and meta-consciousness. The concept can be useful in mathematics, and has practical
applications in computer science and computer engineering/software engineering.
http://en.wikipedia.org/wiki/Metamodeling
Conceptual Metamodelling of CobiT
Up to now, there has been little academic support for the challenges of IT governance/IT management. As a reaction, various best practice frameworks, like COBIT or CMMI, were developed. Due to their origin, these frameworks lack a sound basis or scientific foundation. To undertake a step in this direction, we propose the use of modeling notation and techniques to represent frameworks as conceptual metamodels. Accordingly, we present the well-known framework COBIT metamodeled in a conceptual way and, thereby, represent the underlying logically and semantically rich structures. We furthermore discuss the benefits of using conceptual metamodeling to analyze frameworks coming from practice. Using the metamodel, we are also able to demonstrate ways to improve the frameworks and configure them according to the specific needs of an enterprise or an industry. To have a sound basis for any improvement we discuss the process of metamodeling and derive some requirements for "good" metamodeling.
Goeken, M., Alter, S.: Towards Conceptual Metamodelling of IT Governance Frameworks. Approach - Use - Benefits. In: Proceedings of the 42nd Annual Hawaii International Conference on System Sciences. Waikoloa, Big Island, Hawaii, January 2009.
Goeken, M., Alter, S.: IT Governance Frameworks as Methods. Proceedings of the 10th International Conference on Enterprise Information Systems. Barcelona/Spain (2008).
Conceptual Metamodelling of CobiT
[Figure]
Goeken, M., Alter, S.: Towards Conceptual Metamodelling of IT Governance Frameworks. Approach - Use - Benefits. In: Proceedings of the 42nd Annual Hawaii International Conference on System Sciences. Waikoloa, Big Island, Hawaii, January 2009.