COBIT5-and-GRC

DateGRCGRC:Governance,riskmanagementandcomplianceAnincreasinglyused‘umbrellaterm’thatcoversthesethreeareasofenterpriseactivitiesTheseareasofactivityareprogressivelybeingmorealignedandintegratedtoimproveenterpriseperformanceanddeliveryofstakeholderneeds.GRCDefinitionsGRC:Governance—Exerciseofauthority;control;government;arrangement.Risk(management)—Hazard;danger;peril;exposuretoloss,injury,ordestruction(Theactorartofmanaging;themanneroftreating,directing,carryingon,orusing,forapurpose;conduct;administration;guidance;control)Compliance—Theactofcomplying;ayielding;astoadesire,demand,orproposal;concession;submissionWebster’sOnlineDictionaryTypesofGovernanceDifferenttypesofgovernanceexist:CorporategovernanceProjectgovernanceInformationtechnologygovernanceEnvironmentalgovernanceEconomicandfinancialgovernanceEachtypehasoneormoresourcesofguidance,eachwithsimilargoalsbutoftenvaryingtermsandtechniquesfortheirachievement.ImplementingGovernanceTheintegrationoftheimplementationoftheGRCactivitieswithinanenterpriserequiresasystemicapproachforreliablyachievingthebusinessgoalsofitsstakeholders.Suchapproachesaretypicallybasedonenablersofvarioustypes(e.g.,principles,policies,models,frameworks,organisationalstructures).AGRCModelExampleFromtheOCEGRedBookGRCCapabilityModelversion2.1CorporateGovernanceofITISO/IEC38500:2008Corporategovernanceofinformationtechnology1.1ScopeThisstandardprovidesguidingprinciplesfordirectorsoforganizations(includingowners,boardmembers,directors,partners,seniorexecutives,orsimilar)ontheeffective,efficient,andacceptableuseofInformationTechnology(IT)withintheirorganizations.Thisstandardappliestothegovernanceofmanagementprocesses(anddecisions)relatingtotheinformationandcommunicationservicesusedbyanorganization.TheseprocessescouldbecontrolledbyITspecialistswithintheorganizationorexternalserviceproviders,orbybusinessunitswithintheorganization.CorporateGovernanceofIT(cont.)ISO/IEC38500:2008Corporategovernanceofinformationtechnology2.1Principles2.1.1Principle1:Responsibility2.1.2Principle2:Strategy2.1.3Principle3:Acquisition2.1.4Principle4:Performance2.1.5Principle5:Conformance2.1.6Principle6:HumanBehaviourCorporateGovernanceofIT(cont.)ISO/IEC38500:2008Corporategovernanceofinformationtechnology2.2ModelDirectorsshouldgovernITthroughthreemaintasks:a)EvaluatethecurrentandfutureuseofIT.b)DirectpreparationandimplementationofplansandpoliciestoensurethatuseofITmeetsbusinessobjectives.c)Monitorconformancetopolicies,andperformanceagainsttheplans.ISACAandCOBITISACAactivelypromotesresearchthatresultsinthedevelopmentofproductsbothrelevantandusefultoITgovernance,risk,control,assuranceandsecurityprofessionals.ISACAdevelopedandmaintainstheinternationallyrecognisedCOBITframework,helpingITprofessionalsandenterpriseleadersfulfiltheirITgovernanceresponsibilitieswhiledeliveringvaluetothebusiness.GovernanceofEnterpriseITCOBIT5ITGovernanceCOBIT4.0/4.1ManagementCOBIT3ControlCOBIT2AbusinessframeworkfromISACA,at:GovernanceofEnterpriseIT(GEIT)2005/720001998Evolutionofscope19962012ValIT2.0(2008)RiskIT(2009)Source:COBIT®5IntroductionPresentation©2012ISACA®Allrightsreserved.COBIT5inOverviewCOBIT5bringstogetherthefiveprinciplesthatallowtheenterprisetobuildaneffectivegovernanceandmanagementframeworkbasedonaholisticsetofsevenenablersthatoptimisesinformationandtechnologyinvestmentanduseforthebenefitofstakeholders.TheCOBIT5FrameworkSimplystated,COBIT5helpsenterprisestocreateoptimalvaluefromITbymaintainingabalancebetweenrealisingbenefitsandoptimisingrisklevelsandresourceuse.COBIT5enablesinformationandrelatedtechnologytobegovernedandmanagedinaholisticmannerforthewholeenterprise,takinginthefullend-to-endbusinessandfunctionalareasofresponsibility,consideringtheIT-relatedinterestsofinternalandexternalstakeholders.TheCOBIT5principlesandenablersaregenericandusefulforenterprisesofallsizes,whethercommercial,not-for-profitorinthepublicsector.COBIT5PrinciplesSource:COBIT®5,figure2.©2012ISACA®Allrightsreserved.COBIT5EnterpriseEnablersSource:COBIT®5,figure12.©2012ISACA®Allrightsreserved.Governance(andManagement)inCOBIT5Governanceensuresthatenterpriseobjectivesareachievedbyevaluatingstakeholderneeds,conditionsandoptions;settingdirectionthroughprioritisationanddecisionmaking;andmonitoringperformance,complianceandprogressagainstagreeddirectionandobjectives(EDM).Managementplans,builds,runsandmonitorsactivitiesinalignmentwiththedirectionsetbythegovernancebodytoachievetheenterpriseobjectives(PBRM).Exercisinggovernanceandmanagementeffectivelyinpracticerequiresappropriatelyusingallenablers.TheCOBITprocessreferencemodelallowsustofocuseasilyontherelevantenterpriseactivities.GovernanceinCOBIT5•TheCOBIT5processreferencemodelsubdividestheIT-relatedpracticesandactivitiesoftheenterpriseintotwomainareas—governanceandmanagement—withmanagementfurtherdividedintodomainsofprocesses•TheGOVERNANCEdomaincontainsfivegovernanceprocesses;withineachprocess,evaluate,directandmonitor(EDM)practicesaredefined.•01Ensuregove