apmg-international.com

[Webinar] A case study: Implementing COBIT 5®
Presenter: Mark Thomas, Escoute
September 2018
apmg-international.com 1
© The APMG Group Ltd. 2018. All rights reserved.
Before We Get Started…

This session is being recorded. The recording and slides will be sent to you after the webinar.

Your feedback will help us to improve future webinars. Please send any comments and suggestions to: mark.constable@apmg-international.com.
Your Presenters
Mark Thomas (CRISC, CGEIT)
President, Escoute Consulting

Mark Thomas (CRISC, CGEIT) is a well-known ITIL and COBIT expert with more than 22 years of professional experience, with leadership roles from CIO to IT Governance Consulting.

Mark has led large teams in outsourced IT arrangements, conducted PMO, Service Management and governance activities for major project teams, managed enterprise applications implementations, and implemented governance processes across multiple industries.

Mark's industry experience with ‘Big Five’ type consulting spans the health care, finance/banking, manufacturing/distribution, services, high technology, and government verticals.

Additionally, Mark has forged a reputable competency as a consultative trainer and speaker in several disciplines, receiving exemplary evaluations.
Your Presenters
Dr. Ramzi Sunna
President, Scanwave C.T.S.
PhD in Cyber Security
COBIT 5 Lead Assessor, PCI DSS QSA, ISO Lead Auditor and implementor, GDPR, InfoSec and Cyber Security Expert, CEH, ECSA, LPT, ....

The Middle East region has recently witnessed an increasing number of successful hacking attempts against the databases and critical web application portals of governmental and private financial institutions. Dr. Ramzi has been in the IT security field for 15 years, leading several enterprise and international security projects. He is an InfoSec advisor and world-class security expert with a proven security track record in ethical hacking, web application assessment, wireless assessment, infrastructure and configuration security reviews, policies and procedures, and project management; deep knowledge of Common Vulnerabilities and Exposures research; cyber nation protection in Jordan; and the establishment of advanced cyber security operations centers.
Background
• Balancing performance and conformance in an enterprise can be a daunting task.

• Adding up the various regulatory, compliance and conformance needs of any organization can have a major effect on enterprise performance if not governed and managed effectively.

• In the country of Jordan, the Central Bank has mandated that all banks become “COBIT Compliant,” which has caused a flurry of activity amongst boards and executive management across the banks throughout the country.

• We will explore the emerging importance of a solid Governance of Enterprise IT (GEIT) program and how leveraging the COBIT5 framework products can greatly enhance not only compliance but can also be a positive move towards enhancing the overall governance posture.
Learning Objectives
• Gain an understanding of the importance of balancing
performance and conformance with a GEIT program.
• Appreciate the value of the various COBIT and training
products (Foundation, Implementation and Assessment)
in the Jordanian Banking system mandate.
• Learn about the positive aspects and lessons learned of
the COBIT5 process capability assessments.

Agenda
The emergence of governing enterprise IT

Spotlight on the Jordanian banking system

Getting to 5, the challenges and the plan

Results to date

Looking forward

Lessons learned

Closing and questions

Creating Value

Stakeholder Needs drive the Governance Objective: Value Creation, which consists of:
• Benefits Realization
• Risk Optimization
• Resource Optimization
Standards and Frameworks

Central Bank of Jordan (CBJ)
The law establishing the CBJ stipulates that "the objectives of the Central Bank shall be to maintain monetary stability in the Kingdom, to ensure the convertibility of the Jordanian Dinar, and to promote the sustained growth of the Kingdom's economy in accordance with the general economic policy of the government."

• CBJ is always aware of the international standards and frameworks that can benefit the financial sector in Jordan, and always encourages the Jordanian banks to be on top of every new opportunity to create competitive advantage in the region.
• CBJ has issued many regulations in the past years for the financial sector in Jordan to comply with the PCI standard, the COBIT Framework and the Cyber Security Framework, and has recently asked the Jordanian banks for a plan to comply with GDPR.
• This makes the CBJ one of the pioneers and unique regulatory bodies in the region, playing a significant role in enhancing the financial sector.
Information from the Central Bank of Jordan Website.
Central Bank Requirements
• Use the 17 Enterprise Goals as per the COBIT 5 Framework.
• Use the 17 IT-related Goals as per the COBIT 5 Framework.
• Implement the 37 Processes of the COBIT 5 framework, targeting the following capability levels (all fully achieved according to the Process Assessment Model (PAM) using COBIT 5):
o Achieve capability level 3, Established Process, after a maximum of eighteen months from the date of publishing the regulation.
o Achieve capability level 5, Optimized Process, three years from the date of publishing the regulation.
(Capability scale: 0 1 2 3 4 5)
Central Bank Requirements
• Have a minimum set of policies for the governance framework.
• Have a minimum set of reports for the governance framework.
• Establish and maintain the infrastructure that supports the governance framework.
• Adopt the necessary matrices of competencies and policies of human resources management to achieve the requirements of GEIT, and to ensure that the appropriate human resources are in place.
• Adopt a code of conduct that reflects professional behavior related to the management of information and its related technology and that clearly defines the desired behavioral rules and consequences.
Central Bank Requirements
Establishing two committees for the governance and management of information and related technologies:

• Committee of Governance of Information Technology
• Directive/Steering Committee of IT
Central Bank Requirements
Committee of Governance of Information Technology

• The Board shall form a committee of governance of information technology from its
members, and this committee shall be formed from three members at least, and
preferably include people with experience or strategic knowledge in information
technology.
• The committee may hire, when necessary, and at the expense of the bank and
coordination with the chairman of the Board, external experts in the field. The
committee may invite any of the bank’s management members to attend meetings for
consultation purposes.
• The Board determines its objectives and delegates their powers, according to a charter
that illustrates this, taking into consideration that the board will remain the ultimate
accountable party.
• The committee shall meet on a quarterly basis at least and maintain documented
records of their meetings.

Central Bank Requirements
Directive/Steering Committee of IT

• The senior executive management shall form the necessary directive committees to ensure a strategic alignment of information technology to achieve the strategic objectives of the bank, and that shall be in a sustainable manner.
• Therefore, a committee named the Directive Committee of IT shall be formed and headed by the general manager and with the membership of senior executive management managers, including the head of information technology, head of risk management and head of information security.
• One of its members shall be elected to be an observer member in this committee as well as the head of internal audit, and the committee can invite third parties to attend the meetings, when needed.
Challenges
• Aggressive timeline and capability requirements: 18 months to achieve capability level three and then another 18 months to reach capability level five, all fully achieved for the 37 COBIT 5 processes.

• The Central Bank mandated COBIT as a standard, not a framework.

• Assuming all organizations have the same environment, resources and complexity to apply all the 37 processes within the same timeframe.

• Multiple mandatory standards: Following the COBIT 5 regulations, the central bank has issued many other regulations, such as Cloud, Cyber Security and GDPR. Note that all these requirements can be aligned in one program to avoid redundancy in implementation.

• Lack of training capabilities and expertise in Jordan, which led ScanWave to seek ISACA’s direct involvement.
Challenges
• Lack of flexibility in choosing the goals and processes, ignoring the goals cascade mechanism in COBIT 5.

• The banks didn’t have the option to select the most important processes – no prioritization.

• Limited time frame: 18 months for 37 processes; this means implementing two processes a month, up to capability level three – fully achieved!

• The governance and COBIT concepts and awareness in the MENA region are not mature; there is a lack of awareness and experts.

• The project target is beyond the banks’ budgets and capabilities.

• Level 4 and level 5 implementation require high resource capabilities.
The Plan
• Provide assessments
• Provide roadmaps to meet the standard
• Provide assistance
• Build and publish a governance framework
• Conduct frequent proper reflections
• Report compliance towards each milestone
Results to Date
• Using COBIT as a standard has been successful.
• General findings:
o IT Policies
o Enterprise Architecture
o IT Risk Management
o IT Security: Device and information security
o Business Continuity Plan
• Banks are showing progress reaching their target capability levels.
Sample results as of 2017
(Charts for Bank A and Bank B; the chart content is not recoverable in text.)

Sample results as of 2018
(Three slides of charts; the chart content is not recoverable in text.)
Looking Forward
• Maintain existing capability levels
• Get to the appropriate capability
levels
• Continue to measure performance
• Continually improve the levels
required
• Integrate with the latest
regulations and requirements
(GDPR, Cyber, etc.)

Lessons Learned
• Training is crucial, but should be conducted
earlier
o COBIT5 Foundation
o COBIT5 Implementation
o COBIT5 Capability Assessment
• Information sharing between banks and the
regulatory body
o Successes
o Pain points
• Implementing COBIT requires time, qualifications,
resources and management support
• COBIT is not just about documentation

Roles

• ISACA: Independent not-for-profit, global association for information systems. Owners of COBIT® 5.
• APMG: Global exam and accreditation institute. Appointed by ISACA to accredit COBIT® 5 Training Providers, assuring the quality of training and certification offered.
• Scanwave: Premium provider of security solutions for business acceleration in Jordan. Worked with Mark Thomas/Escoute to provide COBIT® 5 training and implementation services.
In summary:
• Requiring COBIT5 has been a
positive journey
• Improved confidence and skills
through approved training
• Adoption vs. Continuous
implementation
• External assistance and
consultancy

Get in touch…

www.apmg-international.com | www.isaca.org | www.scanwave.org | www.escoute.com

@APMG_Inter | @ISACANews | [email protected] | @ESCOUTE1

Mark Thomas: https://www.linkedin.com/in/markthomas8/

Dr. Ramzi Sunna: https://www.linkedin.com/in/dr-ramzi-s-1b0062146/

TRAINING & CERTIFICATION

www.apmg-international.com/cobit5

If you have any questions or feedback, please do not hesitate to contact me:
[email protected] / +44 (0)1494 836131