COBITFramework_ManagementGuidelines---IT治理框

SITC:Service&Security1COBITPart2–Framework&ManagementGuidelines2009年3月SITC:Service&Security2学习目标•COBIT是甚么•COBIT的框架•COBIT的組成•COBIT的瀏覽SITC:Service&Security3AgendaCOBITOverviewCOBITFrameworkBusiness-focusedProcess-orientedControls-basedMeasurement-drivenConclusionsSITC:Service&Security4COBITCOBIT®=ControlOBjectivesforInformationandRelatedTechnologyProcess-orientedframeworkforITGovernanceFocusedonbusinessgoalsandhowITsupportstheirachievementAtoolfor•Businessmanagement•ITmanagement•ITprocessmanagersFirstdevelopedin1992IssuedbyITGovernanceInstituteContentismanagedbytheCOBITSteeringCommitteeAcceptedgloballyasthedefactocontrolframeworkforITGovernanceDocumentscanbedownloadedfromwww.isaca.orgSITC:Service&Security5COBIT’sMissionToresearch,develop,publicizeandpromoteanauthoritative,up-to-date,internationallyacceptedITgovernancecontrolframeworkforadoptionbyenterprisesandday-to-dayusebybusinessmanagers,ITprofessionalsandassuranceprofessionalsCOBIT’sVisonTobethemodelforITgovernance!SITC:Service&Security6InformationSystemsAuditandControlAssociationTherecognizedgloballeadersinITgovernance,controlandassurance.Foundedin1969astheEDPAuditorsAssociationMorethan50,000membersinover140countriesMorethan170chaptersinover70countriesworldwideProvidesServiceandProgramsDesignedtoPromoteandEstablishExcellenceonITGovernanceandAuditResearchconductedthroughFoundationProjectsareselectedtohelpMembersandtheProfessionkeeppacewithever-changingITandbusinessenvironmentSITC:Service&Security7CISAintheWorkplaceMorethan1,100arenowemployedinorganizationsastheCEO,CFOorequivalentexecutivepositionMorethan2,300serveaschiefauditexecutives,auditpartnersorauditheadsMorethan2,800serveasCIOs,CISOs,securitydirectors,securitymanagersorconsultantsMorethan4,200serveasauditdirectors,managersorconsultantsNearly8,300areemployedinmanagerialorconsultingpositionsinIToperationsorcomplianceSITC:Service&Security8ITGovernanceInstitute(ITGI)FoundedbyISACAin1998.TheITGovernanceInstitute(ITGI)existstoassistenterpriseleadersintheirresponsibilitytoensurethatITgoalsalignwiththoseofthebusiness,itdeliversvalue,itsperformanceismeasured,itsresourcesproperlyallocatedanditsrisksmitigated.Throughoriginalresearch,symposiaandelectronicresources,theITGIhelpsensurethatboardsandexecutivemanagementhavethetoolsandinformationtheyneedforITtodeliveragainstexpectations.SITC:Service&Security9CobithistoryCOBIThasevolvedfromanauditor‘stooltoanITgovernanceframework,usedincreasinglybyITmanagementGovernanceCOBIT42005COBIT3Management2000COBIT2Control1998COBIT1Audit1996EvolutionSITC:Service&Security10HowCOBIT4.1ChangedFrom4.0EnhancedexecutiveoverviewExplanationofgoalsandmetricsintheframeworksectionBetterdefinitionsofthecoreconcepts.Itisimportanttomentionthatthedefinitionofacontrolobjectivechanged,shiftingmoretowardamanagementpracticestatement.ImprovedcontrolobjectivesresultingfromupdatedcontrolpracticesandValITdevelopmentactivity.Somecontrolobjectivesweregroupedand/orrewordedtoavoidoverlapsandmakethelistofcontrolobjectiveswithinaprocessmoreconsistent.Thesechangesresultedintherenumberingoftheremainingcontrolobjectives.Someothercontrolobjectiveswererewordedtomakethemmoreaction-orientedandconsistentinwording.Specificrevisionsinclude:-AI5.5andAI5.6werecombinedwithAI5.4-AI7.9,AI7.10andAI7.11werecombinedwithAI7.8-ME3wasrevisedtoincludecompliancewithcontractualrequirementsinadditiontolegalandregulatoryrequirementsApplicationcontrolshavebeenreworkedtobemoreeffective,basedonworktosupportcontrolseffectivenessassessmentandreporting.Thisresultedinalistofsixapplicationcontrolsreplacingthe18applicationcontrolsinCOBIT4.0,withfurtherdetailprovidedinCOBITControlPractices,2ndEdition.ThelistofbusinessgoalsandITgoalsinappendixIwasimproved,basedonnewinsightsobtainedduringvalidationresearchexecutedbytheUniversityofAntwerpManagementSchool(Belgium).Thepull-outhasbeenexpandedtoprovideaquickreferencelistoftheCOBITprocesses,andtheoverviewdiagramdepictingthedomainshasbeenrevisedtoincludereferencetotheprocessandapplicationcontrolelementsoftheCOBITframework.ImprovementsidentifiedbyCOBITusers(COBIT4.0andCOBITOnline)havebeenreviewedandincorporatedasappropriate.SITC:Service&Security11ITGovernanceModelITGovernancehelpsascertainhowautomatedsystems:•Simplifyoperations•CutcostsNeedanITControlframework•IncreaserevenueSITC:Service&Security12WhydoesITneedacontrolframework?ManagementneedstogetITundercontrolProvidevalue/Nosurprises/PushtheenvelopeSITC:Service&Security13Whoneedsacontrolframework?BoardandExecutiveToensuremanagementfollowsandimplementsthestrategicdirectionforITManagementTomakeITinvestmentdecisionsTobalanceriskandcontrolinvestmentTobenchmarkexistingandfutureITenvironmentUsersToObtainassuranceonsecurityandcontrolofproductsandservicesacquireinternallyorexternallyAuditorsTosubstantiateopinionstomanagementoninternalcontrolsToadviseonwhatminimumcontrolsarenecessarySITC:Service&Security14ThefivecharacteristicsofcontrolframeworkBusinessfocusProcessorientationGeneralacceptabilityCommonlang