COBIT
Para quem quer dominar completamente COBIT - fica a dica do site http://www.isaca.org/ manual, sumário executivo e outros documentos...
The IT Governance Institute®
The IT Governance Institute (ITGITM) (www.itgi.org) was established in 1998 to advance international thinking and standards in directing and controlling an enterprise’s information technology. Effective IT governance helps ensure that IT supports business goals, optimises business investment in IT, and appropriately manages IT-related risks and opportunities. ITGI offers original research, electronic resources and case studies to assist enterprise leaders and boards of directors in their IT governance responsibilities.
For many enterprises, information and the technology that supports it represent their most valuable, but often least understood, assets. Successful enterprises recognise the benefits of information technology and use it to drive their stakeholders’ value. These enterprises also understand and manage the associated risks, such as increasing regulatory compliance and critical dependence of many business processes on information technology (IT). The need for assurance about the value of IT, the management of IT-related risks and increased requirements for control over information are now understood as key elements of enterprise governance. Value, risk and control constitute the core of IT governance. IT governance is the responsibility of executives and the board of directors, and consists of the leadership, organisational structures and processes that ensure that the enterprise’s IT sustains and extends the organisation’s strategies and objectives.
Furthermore, IT governance integrates and institutionalises good practices to ensure that the enterprise’s IT supports the business objectives. IT governance enables the enterprise to take full advantage of its information, thereby maximising benefits, capitalising on opportunities and gaining competitive advantage. These outcomes require a framework for control over IT that fits with and supports the Committee of Sponsoring Organisations of the Treadway Commission’s (COSO’s) Internal Control—Integrated Framework, the widely accepted control framework for enterprise governance and risk management, and similar compliant frameworks. Organisations should satisfy the quality, fiduciary and security requirements for their information, as for all assets. Management should also optimise the use of available IT resources, including applications, information, infrastructure and people. To discharge these responsibilities, as well as to achieve its objectives, management should understand the status of its enterprise architecture for IT and decide what governance and control it should provide.
Control Objectives for Information and related Technology (COBIT®) provides good practices across a domain and process framework and presents activities in a manageable and logical structure. COBIT’s good practices represent the consensus of experts. They are strongly focused more on control, less on execution. These practices will help optimise IT-enabled investments, ensure service delivery and provide a measure against which to judge when things do go wrong.
For IT to be successful in delivering against business requirements, management should put an internal control system or framework in place. The COBIT control framework contributes to these needs by:
• Making a link to the business requirements
• Organising IT activities into a generally accepted process model
• Identifying the major IT resources to be leveraged
• Defining the management control objectives to be considered
The business orientation of COBIT consists of linking business goals to IT goals, providing metrics and maturity models to measure their achievement, and identifying the associated responsibilities of business and IT process owners. The process focus of COBIT is illustrated by a process model that subdivides IT into four domains and 34 processes in line with the responsibility areas of plan, build, run and monitor, providing an end-to-end view of IT. Enterprise architecture concepts help identify the resources essential for process success, i.e., applications, information, infrastructure and people.
In summary, to provide the information that the enterprise needs to achieve its objectives, IT resources need to be managed by a set of naturally grouped processes.
But how does the enterprise get IT under control such that it delivers the information the enterprise needs? How does it manage the risks and secure the IT resources on which it is so dependent? How does the enterprise ensure that IT achieves its objectives and supports the business?
First, management needs control objectives that define the ultimate goal of implementing policies, plans and procedures, and organisational structures designed to provide reasonable assurance that:
• Business objectives are achieved
• Undesired events are prevented or detected and corrected
Second, in today’s complex environments, management is continuously searching for condensed and timely information to make difficult decisions on value, risk and control quickly and successfully. What should be measured, and how? Enterprises need an objective measure of where they are and where improvement is required, and they need to implement a management tool kit to monitor this improvement.
Management Information
How do responsible managers keep the ship on course? => DASHBOARD=> Indicators?
How can the enterprise achieve results that are satisfactory for the largest possible segment of stakeholders? => SCORECARDS => Measures?
How can the enterprise be adapted in a timely manner to trends and developments in its environment? => BENCHMARKING => Scales?
An answer to these requirements of determining and monitoring the appropriate IT control and performance level is COBIT’s definition of:
• Benchmarking of IT process performance and capability, expressed as maturity
models, derived from the Software Engineering Institute’s Capability Maturity Model (CMM)
• Goals and metrics of the IT processes to define and measure their outcome and performance based on the principles of Robert Kaplan and David Norton’s balanced business scorecard (BSC-TI)
• Activity goals for getting these processes under control, based on COBIT’s control objectives The assessment of process capability based on the COBIT maturity models is a key part of IT governance implementation. After identifying critical IT processes and controls, maturity modelling enables gaps in capability to be identified and demonstrated to management. Action plans can then be developed to bring these processes up to the desired capability target level. Thus, COBIT supports IT governance by providing a framework to ensure that:
• IT is aligned with the business
• IT enables the business and maximises benefits
• IT resources are used responsibly
• IT risks are managed appropriately
IT Governance Focus Areas:
• Strategic alignment focuses on ensuring the linkage of business and IT plans; defining, maintaining and validating the IT value proposition; and aligning IT operations with enterprise operations.
• Value delivery is about executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimising costs and proving the intrinsic value of IT.
• Resource management is about the optimal investment in, and the proper management of, critical IT resources: applications, information, infrastructure and people. Key issues relate to the optimisation of knowledge and infrastructure.
• Risk management requires risk awareness by senior corporate officers, a clear understanding of the enterprise’s appetite for risk, understanding of compliance requirements, transparency about the significant risks to the enterprise and embedding of risk management responsibilities into the organisation.
• Performance measurement tracks and monitors strategy implementation, project completion, resource usage, process performance and service delivery, using, for example, balanced scorecards that translate strategy into action to achieve goals measurable beyond conventional accounting.
Performance measurement is essential for IT governance. It is supported by COBIT and includes setting and monitoring measurable objectives of what the IT processes need to deliver (process outcome) and how to deliver it (process capability and performance). Many surveys have identified that the lack of transparency of IT’s cost, value and risks is one of the most important drivers for IT governance. While the other focus areas contribute, transparency is primarily achieved through performance measurement.
These IT governance focus areas describe the topics that executive management needs to address to govern IT within their enterprises. Operational management uses processes to organise and manage ongoing IT activities. COBIT provides a generic
process model that represents all the processes normally found in IT functions, providing a common reference model understandable to operational IT and business managers. The COBIT process model has been mapped to the IT governance focus areas
(see appendix II, Mapping IT Processes to IT Governance Focus Areas, COSO, COBIT IT Resources and COBIT Information Criteria), providing a bridge between what operational managers need to execute and what executives wish to govern.
To achieve effective governance, executives require that controls be implemented by operational managers within a defined control framework for all IT processes. COBIT’s IT control objectives are organised by IT process; therefore, the framework provides a clear link among IT governance requirements, IT processes and IT controls.
COBIT is focused on what is required to achieve adequate management and control of IT, and is positioned at a high level. COBIT has been aligned and harmonised with other, more detailed, IT standards and good practices (see appendix IV, COBIT 4.1 Primary Reference Material). COBIT acts as an integrator of these different guidance materials, summarising key objectives under one umbrella framework that also links to governance and business requirements.
COSO (and similar compliant frameworks) is generally accepted as the internal control framework for enterprises. COBIT is the generally accepted internal control framework for IT.
The COBIT products have been organised into three levels (figure 3) designed to support:
• Executive management and boards
• Business and IT management
• Governance, assurance, control and security professionals
Briefly, the COBIT products include:
• Board Briefing on IT Governance, 2nd Edition— Helps executives understand why
IT governance is important, what its issues are and what their responsibility is for managing it
• Management guidelines/maturity models— Help assign responsibility, measure
performance, and benchmark and address gaps in capability
• Frameworks—Organise IT governance objectives and good practices by IT domains
and processes, and link them to business requirements
• Control objectives—Provide a complete set of high-level requirements to be considered by management for effective control of each IT process
• IT Governance Implementation Guide: Using COBIT ® and Val IT TM, 2nd Edition—Provides a generic road map for implementing IT governance using the COBIT and Val ITTM resources
• COBIT® Control Practices: Guidance to Achieve Control Objectives for Successful IT
Governance, 2nd Edition—Provides guidance on why controls are worth implementing and how to implement them
• IT Assurance Guide: Using COBIT ®—Provides guidance on how COBIT can be used to support a variety of assurance activities together with suggested testing steps for all the IT processes and control objectives
The COBIT content diagram depicted in figure 3 presents the primary audiences, their questions on IT governance and the generally applicable products that provide responses. There are also derived products for specific purposes, for domains such as security or for specific enterprises.
All of these COBIT components interrelate, providing support for the governance, management, control and assurance needs of the different audiences.
COBIT is a framework and supporting tool set that allow managers to bridge the gap with respect to control requirements, technical issues and business risks, and communicate that level of control to stakeholders. COBIT enables the development of clear policies and good practice for IT control throughout enterprises. COBIT is continuously kept up to date and harmonised with other standards and guidance. Hence, COBIT has become the integrator for IT good practices and the umbrella framework for IT governance that helps in understanding and managing the risks and benefits associated with IT. The process structure of COBIT and its high-level,
business-oriented approach provide an end-to-end view of IT and the decisions to be made about IT.
The benefits of implementing COBIT as a governance framework over IT include:
• Better alignment, based on a business focus
• A view, understandable to management, of what IT does
• Clear ownership and responsibilities, based on process orientation
• General acceptability with third parties and regulators
• Shared understanding amongst all stakeholders, based on a common language
• Fulfilment of the COSO requirements for the IT control environment
The most complete and up-to-date information on COBIT and related products, including online tools, implementation guides, case studies, newsletters and educational materials can be found at www.isaca.org/cobit.
The IT Governance Institute®
The IT Governance Institute (ITGITM) (www.itgi.org) was established in 1998 to advance international thinking and standards in directing and controlling an enterprise’s information technology. Effective IT governance helps ensure that IT supports business goals, optimises business investment in IT, and appropriately manages IT-related risks and opportunities. ITGI offers original research, electronic resources and case studies to assist enterprise leaders and boards of directors in their IT governance responsibilities.
For many enterprises, information and the technology that supports it represent their most valuable, but often least understood, assets. Successful enterprises recognise the benefits of information technology and use it to drive their stakeholders’ value. These enterprises also understand and manage the associated risks, such as increasing regulatory compliance and critical dependence of many business processes on information technology (IT). The need for assurance about the value of IT, the management of IT-related risks and increased requirements for control over information are now understood as key elements of enterprise governance. Value, risk and control constitute the core of IT governance. IT governance is the responsibility of executives and the board of directors, and consists of the leadership, organisational structures and processes that ensure that the enterprise’s IT sustains and extends the organisation’s strategies and objectives.
Furthermore, IT governance integrates and institutionalises good practices to ensure that the enterprise’s IT supports the business objectives. IT governance enables the enterprise to take full advantage of its information, thereby maximising benefits, capitalising on opportunities and gaining competitive advantage. These outcomes require a framework for control over IT that fits with and supports the Committee of Sponsoring Organisations of the Treadway Commission’s (COSO’s) Internal Control—Integrated Framework, the widely accepted control framework for enterprise governance and risk management, and similar compliant frameworks. Organisations should satisfy the quality, fiduciary and security requirements for their information, as for all assets. Management should also optimise the use of available IT resources, including applications, information, infrastructure and people. To discharge these responsibilities, as well as to achieve its objectives, management should understand the status of its enterprise architecture for IT and decide what governance and control it should provide.
Control Objectives for Information and related Technology (COBIT®) provides good practices across a domain and process framework and presents activities in a manageable and logical structure. COBIT’s good practices represent the consensus of experts. They are strongly focused more on control, less on execution. These practices will help optimise IT-enabled investments, ensure service delivery and provide a measure against which to judge when things do go wrong.
For IT to be successful in delivering against business requirements, management should put an internal control system or framework in place. The COBIT control framework contributes to these needs by:
• Making a link to the business requirements
• Organising IT activities into a generally accepted process model
• Identifying the major IT resources to be leveraged
• Defining the management control objectives to be considered
The business orientation of COBIT consists of linking business goals to IT goals, providing metrics and maturity models to measure their achievement, and identifying the associated responsibilities of business and IT process owners. The process focus of COBIT is illustrated by a process model that subdivides IT into four domains and 34 processes in line with the responsibility areas of plan, build, run and monitor, providing an end-to-end view of IT. Enterprise architecture concepts help identify the resources essential for process success, i.e., applications, information, infrastructure and people.
In summary, to provide the information that the enterprise needs to achieve its objectives, IT resources need to be managed by a set of naturally grouped processes.
But how does the enterprise get IT under control such that it delivers the information the enterprise needs? How does it manage the risks and secure the IT resources on which it is so dependent? How does the enterprise ensure that IT achieves its objectives and supports the business?
First, management needs control objectives that define the ultimate goal of implementing policies, plans and procedures, and organisational structures designed to provide reasonable assurance that:
• Business objectives are achieved
• Undesired events are prevented or detected and corrected
Second, in today’s complex environments, management is continuously searching for condensed and timely information to make difficult decisions on value, risk and control quickly and successfully. What should be measured, and how? Enterprises need an objective measure of where they are and where improvement is required, and they need to implement a management tool kit to monitor this improvement.
Management Information
How do responsible managers keep the ship on course? => DASHBOARD=> Indicators?
How can the enterprise achieve results that are satisfactory for the largest possible segment of stakeholders? => SCORECARDS => Measures?
How can the enterprise be adapted in a timely manner to trends and developments in its environment? => BENCHMARKING => Scales?
An answer to these requirements of determining and monitoring the appropriate IT control and performance level is COBIT’s definition of:
• Benchmarking of IT process performance and capability, expressed as maturity
models, derived from the Software Engineering Institute’s Capability Maturity Model (CMM)
• Goals and metrics of the IT processes to define and measure their outcome and performance based on the principles of Robert Kaplan and David Norton’s balanced business scorecard (BSC-TI)
• Activity goals for getting these processes under control, based on COBIT’s control objectives The assessment of process capability based on the COBIT maturity models is a key part of IT governance implementation. After identifying critical IT processes and controls, maturity modelling enables gaps in capability to be identified and demonstrated to management. Action plans can then be developed to bring these processes up to the desired capability target level. Thus, COBIT supports IT governance by providing a framework to ensure that:
• IT is aligned with the business
• IT enables the business and maximises benefits
• IT resources are used responsibly
• IT risks are managed appropriately
IT Governance Focus Areas:
• Strategic alignment focuses on ensuring the linkage of business and IT plans; defining, maintaining and validating the IT value proposition; and aligning IT operations with enterprise operations.
• Value delivery is about executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimising costs and proving the intrinsic value of IT.
• Resource management is about the optimal investment in, and the proper management of, critical IT resources: applications, information, infrastructure and people. Key issues relate to the optimisation of knowledge and infrastructure.
• Risk management requires risk awareness by senior corporate officers, a clear understanding of the enterprise’s appetite for risk, understanding of compliance requirements, transparency about the significant risks to the enterprise and embedding of risk management responsibilities into the organisation.
• Performance measurement tracks and monitors strategy implementation, project completion, resource usage, process performance and service delivery, using, for example, balanced scorecards that translate strategy into action to achieve goals measurable beyond conventional accounting.
Performance measurement is essential for IT governance. It is supported by COBIT and includes setting and monitoring measurable objectives of what the IT processes need to deliver (process outcome) and how to deliver it (process capability and performance). Many surveys have identified that the lack of transparency of IT’s cost, value and risks is one of the most important drivers for IT governance. While the other focus areas contribute, transparency is primarily achieved through performance measurement.
These IT governance focus areas describe the topics that executive management needs to address to govern IT within their enterprises. Operational management uses processes to organise and manage ongoing IT activities. COBIT provides a generic
process model that represents all the processes normally found in IT functions, providing a common reference model understandable to operational IT and business managers. The COBIT process model has been mapped to the IT governance focus areas
(see appendix II, Mapping IT Processes to IT Governance Focus Areas, COSO, COBIT IT Resources and COBIT Information Criteria), providing a bridge between what operational managers need to execute and what executives wish to govern.
To achieve effective governance, executives require that controls be implemented by operational managers within a defined control framework for all IT processes. COBIT’s IT control objectives are organised by IT process; therefore, the framework provides a clear link among IT governance requirements, IT processes and IT controls.
COBIT is focused on what is required to achieve adequate management and control of IT, and is positioned at a high level. COBIT has been aligned and harmonised with other, more detailed, IT standards and good practices (see appendix IV, COBIT 4.1 Primary Reference Material). COBIT acts as an integrator of these different guidance materials, summarising key objectives under one umbrella framework that also links to governance and business requirements.
COSO (and similar compliant frameworks) is generally accepted as the internal control framework for enterprises. COBIT is the generally accepted internal control framework for IT.
The COBIT products have been organised into three levels (figure 3) designed to support:
• Executive management and boards
• Business and IT management
• Governance, assurance, control and security professionals
Briefly, the COBIT products include:
• Board Briefing on IT Governance, 2nd Edition— Helps executives understand why
IT governance is important, what its issues are and what their responsibility is for managing it
• Management guidelines/maturity models— Help assign responsibility, measure
performance, and benchmark and address gaps in capability
• Frameworks—Organise IT governance objectives and good practices by IT domains
and processes, and link them to business requirements
• Control objectives—Provide a complete set of high-level requirements to be considered by management for effective control of each IT process
• IT Governance Implementation Guide: Using COBIT ® and Val IT TM, 2nd Edition—Provides a generic road map for implementing IT governance using the COBIT and Val ITTM resources
• COBIT® Control Practices: Guidance to Achieve Control Objectives for Successful IT
Governance, 2nd Edition—Provides guidance on why controls are worth implementing and how to implement them
• IT Assurance Guide: Using COBIT ®—Provides guidance on how COBIT can be used to support a variety of assurance activities together with suggested testing steps for all the IT processes and control objectives
The COBIT content diagram depicted in figure 3 presents the primary audiences, their questions on IT governance and the generally applicable products that provide responses. There are also derived products for specific purposes, for domains such as security or for specific enterprises.
All of these COBIT components interrelate, providing support for the governance, management, control and assurance needs of the different audiences.
COBIT is a framework and supporting tool set that allow managers to bridge the gap with respect to control requirements, technical issues and business risks, and communicate that level of control to stakeholders. COBIT enables the development of clear policies and good practice for IT control throughout enterprises. COBIT is continuously kept up to date and harmonised with other standards and guidance. Hence, COBIT has become the integrator for IT good practices and the umbrella framework for IT governance that helps in understanding and managing the risks and benefits associated with IT. The process structure of COBIT and its high-level,
business-oriented approach provide an end-to-end view of IT and the decisions to be made about IT.
The benefits of implementing COBIT as a governance framework over IT include:
• Better alignment, based on a business focus
• A view, understandable to management, of what IT does
• Clear ownership and responsibilities, based on process orientation
• General acceptability with third parties and regulators
• Shared understanding amongst all stakeholders, based on a common language
• Fulfilment of the COSO requirements for the IT control environment
The most complete and up-to-date information on COBIT and related products, including online tools, implementation guides, case studies, newsletters and educational materials can be found at www.isaca.org/cobit.
Comentários