COBIT® v5
Information Management VIKMA07
Mgr. Jan Matula, PhD., jan.matula@fpf.slu.cz
Block V

COBIT
• COBIT is a framework created by the international association ISACA for the governance and management of enterprise IT (IT governance).
• It is a set of practices intended to enable an organisation to reach its strategic objectives through the efficient use of available resources and the minimisation of IT risk.
• In practice it is therefore aimed mainly at top management, for assessing how ICT functions, and at the auditor, for auditing the ICT management system. This is in contrast to ITIL, which is aimed more at the IT manager (CIO).

COBIT 5 - Document structure
• COBIT 5 Framework: describes the basic framework (principles, enablers, relationships to other frameworks).
• COBIT 5 Enabler Guides: documents giving general guidance on building the enablers needed for effective IT governance; of these, COBIT 5: Enabling Processes had been released as of August 2012.
• COBIT 5 Professional Guides: documents intended for individual specialists, such as auditors, information security specialists and risk management specialists; of these, COBIT 5 Implementation had been released as of August 2012.
• Collaborative online documents, through which COBIT 5 users will share the knowledge gained from applying the previous documents.
COBIT 5 - Model

Processes in COBIT
COBIT 5 describes 37 processes, each using the same description structure:
• process identification: governance/management area and domain,
• Process Description,
• Process Purpose Statement,
• a table of the IT-related goals to which the process has a primary link, with metrics for those goals,
• a table of process goals and the metrics for those goals,
• a table showing the links between the key process practices and typical roles at all management levels, with the type of responsibility (RACI chart),
• a table describing the inputs and outputs of each process practice and the activities associated with each practice (Process Practices, Inputs/Outputs and Activities),
• a table of the process's links to other standards (Related Guidance).

COBIT Principles
Principle 1: Meeting Stakeholder Needs
• Enterprises exist to create value for their stakeholders. Consequently, any enterprise, commercial or not, will have value creation as a governance objective. Value creation means realising benefits at an optimal resource cost while optimising risk. Benefits can take many forms, e.g. financial for commercial enterprises or public service for government entities.

Benefits of the COBIT 5 Goals Cascade
The goals cascade is important because it allows the definition of priorities for implementation, improvement and assurance of governance of enterprise IT based on the (strategic) objectives of the enterprise and the related risk.
In practice, the goals cascade:
• defines relevant and tangible goals and objectives at various levels of responsibility,
• filters the knowledge base of COBIT 5, based on enterprise goals, to extract relevant guidance for inclusion in specific implementation, improvement or assurance projects,
• clearly identifies and communicates how (sometimes very operational) enablers are important to achieve enterprise goals.

COBIT 5 Goals Cascade
• Every enterprise operates in a different context; this context is determined by external factors (the market, the industry, geopolitics, etc.) and internal factors (the culture, organisation, risk appetite, etc.), and requires a customised governance and management system.
• Stakeholder needs have to be transformed into an enterprise's actionable strategy.
• The COBIT 5 goals cascade is the mechanism to translate stakeholder needs into specific, actionable and customised enterprise goals, IT-related goals and enabler goals. This translation allows setting specific goals at every level and in every area of the enterprise in support of the overall goals and stakeholder requirements, and thus effectively supports alignment between enterprise needs and IT solutions and services.

COBIT 5 Goals Cascade
Step 1. Stakeholder Drivers Influence Stakeholder Needs
• Stakeholder needs are influenced by a number of drivers, e.g. strategy changes, a changing business and regulatory environment, and new technologies.

Step 2. Stakeholder Needs Cascade to Enterprise Goals
• Stakeholder needs can be related to a set of generic enterprise goals. These enterprise goals have been developed using the balanced scorecard (BSC) dimensions, and they represent a list of commonly used goals that an enterprise may define for itself. Although this list is not exhaustive, most enterprise-specific goals can be mapped easily onto one or more of the generic enterprise goals.
• A table of stakeholder needs and enterprise goals is presented in appendix D (of the COBIT 5 framework publication).
• COBIT 5 defines 17 generic enterprise goals.

Step 3. Enterprise Goals Cascade to IT-related Goals
• Achievement of enterprise goals requires a number of IT-related outcomes, which are represented by the IT-related goals. IT-related stands for information and related technology, and the IT-related goals are structured along the dimensions of the IT balanced scorecard (IT BSC).
• COBIT 5 defines 17 IT-related goals.

Step 4. IT-related Goals Cascade to Enabler Goals
• Achieving IT-related goals requires the successful application and use of a number of enablers. The enabler concept is explained in detail in chapter 5 (of the COBIT 5 framework publication). Enablers include processes, organisational structures and information, and for each enabler a set of specific relevant goals can be defined in support of the IT-related goals.

Principle 2: Covering the Enterprise End-to-end
• Integrates governance of enterprise IT into enterprise governance. That is, the governance system for enterprise IT proposed by COBIT 5 integrates seamlessly into any governance system. COBIT 5 aligns with the latest views on governance.
• Covers all functions and processes required to govern and manage enterprise information and related technologies wherever that information may be processed. Given this extended enterprise scope, COBIT 5 addresses all the relevant internal and external IT services, as well as internal and external business processes.

Principle 2: Covering the Enterprise End-to-end
Governance Enablers
• Governance enablers are the organisational resources for governance, such as frameworks, principles, structures, processes and practices, through or towards which action is directed and objectives can be attained. Enablers also include the enterprise's resources, e.g. service capabilities (IT infrastructure, applications, etc.), people and information.
• A lack of resources or enablers may affect the ability of the enterprise to create value.

Governance Scope
• Governance can be applied to the entire enterprise, an entity, a tangible or intangible asset, etc. That is, it is possible to define different views of the enterprise to which governance is applied, and it is essential to define this scope of the governance system well.
• The scope of COBIT 5 is the enterprise, but in essence COBIT 5 can deal with any of the different views.

Roles, Activities and Relationships
• A last element is governance roles, activities and relationships. It defines who is involved in governance, how they are involved, what they do and how they interact, within the scope of any governance system.
• In COBIT 5, a clear differentiation is made between governance and management activities in the governance and management domains, as well as the interfacing between them and the role players that are involved.

Principle 3: Applying a Single Integrated Framework
• It aligns with other relevant up-to-date standards and frameworks, and thus allows the enterprise to use COBIT 5 as the overarching governance and management framework integrator.
• It is complete in enterprise coverage, providing a basis to integrate effectively other frameworks, standards and practices used. A single overarching framework serves as a consistent and integrated source of guidance in a non-technical, technology-agnostic common language.
• It provides a simple architecture for structuring guidance materials and producing a consistent product set.

Principle 4: Enabling a Holistic Approach
COBIT 5 Enablers
Enablers are factors that, individually and collectively, influence whether something will work, in this case governance and management over enterprise IT. Enablers are driven by the goals cascade, i.e. higher-level IT-related goals define what the different enablers should achieve.

7 Enablers (prerequisites for achieving the goals)
1. Principles, policies and frameworks;
2. Processes;
3. Organisational structures;
4. Culture, ethics and behaviour;
5. Information;
6. Services, infrastructure and applications;
7. People, skills and competencies.

COBIT 5 Enablers
• Principles, policies and frameworks are the vehicle to translate the desired behaviour into practical guidance for day-to-day management.
• Processes describe an organised set of practices and activities to achieve certain objectives and produce a set of outputs in support of achieving overall IT-related goals.
• Organisational structures are the key decision-making entities in an enterprise.
• Culture, ethics and behaviour of individuals and of the enterprise are very often underestimated as a success factor in governance and management activities.
• Information is pervasive throughout any organisation and includes all information produced and used by the enterprise. Information is required for keeping the organisation running and well governed, but at the operational level, information is very often the key product of the enterprise itself.
• Services, infrastructure and applications include the infrastructure, technology and applications that provide the enterprise with information technology processing and services.
• People, skills and competencies are linked to people and are required for successful completion of all activities and for making correct decisions and taking corrective actions.

COBIT 5 Enabler Dimensions

Principle 5: Separating Governance From Management
• The COBIT 5 framework makes a clear distinction between governance and management. These two disciplines encompass different types of activities, require different organisational structures and serve different purposes.
• Governance ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; sets direction through prioritisation and decision making; and monitors performance and compliance against agreed-on direction and objectives.
• Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives.

Separating Governance From Management
• Governance contains five governance processes; within each process, evaluate, direct and monitor (EDM) practices are defined.
• Management contains four domains, in line with the responsibility areas of plan, build, run and monitor (PBRM), and provides end-to-end coverage of IT:
  – Align, Plan and Organise (APO)
  – Build, Acquire and Implement (BAI)
  – Deliver, Service and Support (DSS)
  – Monitor, Evaluate and Assess (MEA)