SlideShare ist ein Scribd-Unternehmen logo

Cobit5 and-grc

Als PPT, PDF herunterladen
Tatto Sugiopranoto
Tatto Sugiopranoto
TechnologieBusiness
1 von 31
Date
GRC GRC:  Governance, risk management and compliance  An increasingly used ‘umbrella term’ that covers these three areas of enterprise activities  These areas of activity are progressively being more aligned and integrated to improve enterprise performance and delivery of stakeholder needs.
GRC Definitions GRC:  Governance—Exercise of authority; control; government; arrangement.  Risk (management )—Hazard; danger; peril; exposure to loss, injury, or destruction (The act or art of managing; the manner of treating, directing, carrying on, or using, for a purpose; conduct; administration; guidance; control)  Compliance—The act of complying; a yielding; as to a desire, demand, or proposal; concession; submission  Webster’s Online Dictionary
Types of Governance  Different types of governance exist:  Corporate governance  Project governance  Information technology governance  Environmental governance  Economic and financial governance  Each type has one or more sources of guidance, each with similar goals but often varying terms and techniques for their achievement.
Implementing Governance  The integration of the implementation of the GRC activities within an enterprise requires a systemic approach for reliably achieving the business goals of its stakeholders.  Such approaches are typically based on enablers of various types (e.g., principles, policies, models, frameworks, organisational structures).
A GRC Model Example  From the OCEG Red Book GRC Capability Model version 2.1
Corporate Governance of IT  ISO/IEC 38500: 2008  Corporate governance of information technology  1.1 Scope  This standard provides guiding principles for directors of organizations (including owners, board members, directors, partners, senior executives, or similar) on the effective, efficient, and acceptable use of Information Technology (IT) within their organizations.  This standard applies to the governance of management processes (and decisions) relating to the information and communication services used by an organization. These processes could be controlled by IT specialists within the organization or external service providers, or by business units within the organization.
Corporate Governance of IT (cont.) ISO/IEC 38500: 2008 Corporate governance of information technology 2.1 Principles 2.1.1 Principle 1: Responsibility 2.1.2 Principle 2: Strategy 2.1.3 Principle 3: Acquisition 2.1.4 Principle 4: Performance 2.1.5 Principle 5: Conformance 2.1.6 Principle 6: Human Behaviour
Corporate Governance of IT (cont.) ISO/IEC 38500: 2008 Corporate governance of information technology 2.2 Model Directors should govern IT through three main tasks: a) Evaluate the current and future use of IT. b) Direct preparation and implementation of plans and policies to ensure that use of IT meets business objectives. c) Monitor conformance to policies, and performance against the plans.
ISACA and COBIT  ISACA actively promotes research that results in the development of products both relevant and useful to IT governance, risk, control, assurance and security professionals.  ISACA developed and maintains the internationally recognised COBIT framework, helping IT professionals and enterprise leaders fulfil their IT governance responsibilities while delivering value to the business.
COBIT: Governance of Enterprise IT (GEIT) Evolution of scope IT Governance Val IT 2.0 Management (2008) Control Risk IT (2009) Audit COBIT1 COBIT2 COBIT3 COBIT4.0/4.1 1996 1998 2000 2005/7 2012 A business framework from ISACA, at www.isaca.org/cobit Source: COBIT® 5 Introduction Presentation © 2012 ISACA® All rights reserved.
COBIT 5 in Overview COBIT 5 brings together the five principles that allow the enterprise to build an effective governance and management framework based on a holistic set of seven enablers that optimises information and technology investment and use for the benefit of stakeholders.
The COBIT 5 Framework  Simply stated, COBIT 5 helps enterprises to create optimal value from IT by maintaining a balance between realising benefits and optimising risk levels and resource use.  COBIT 5 enables information and related technology to be governed and managed in a holistic manner for the whole enterprise, taking in the full end-to-end business and functional areas of responsibility, considering the IT-related interests of internal and external stakeholders.  The COBIT 5 principles and enablers are generic and useful for enterprises of all sizes, whether commercial, not-for -profit or in the public sector.
COBIT 5 Principles Source: COBIT® 5, figure 2. © 2012 ISACA® All rights reserved.
COBIT 5 Enterprise Enablers Source: COBIT® 5, figure 12. © 2012 ISACA® All rights reserved.
Governance (and Management) in COBIT 5  Governance ensures that enterprise objectives are achieved by evaluating stakeholder needs, conditions and options; setting direction through prioritisation and decision making; and monitoring performance, compliance and progress against agreed direction and objectives (EDM).  Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives (PBRM).  Exercising governance and management effectively in practice requires appropriately using all enablers. The COBIT process reference model allows us to focus easily on the relevant enterprise activities.
Governance in COBIT 5 • The COBIT 5 process reference model subdivides the IT- related practices and activities of the enterprise into two main areas—governance and management—with management further divided into domains of processes • The GOVERNANCE domain contains five governance processes; within each process, evaluate, direct and monitor (EDM) practices are defined. •01 Ensure governance framework setting and maintenance. •02 Ensure benefits delivery. •03 Ensure risk optimisation. •04 Ensure resource optimisation. •05 Ensure stakeholder transparency. • The four MANAGEMENT domains are in line with the responsibility areas of plan, build, run and monitor (PBRM).
Governance in COBIT 5 (cont.) Source: COBIT® 5, figure 16. © 2012 ISACA® All rights reserved.
Risk Management in COBIT 5 • The GOVERNANCE domain contains five governance processes, one of which focuses on stakeholder risk-related objectives: EDM03 Ensure risk optimisation. • Process Description • Ensure that the enterprise’s risk appetite and tolerance are understood, articulated and communicated, and that risk to enterprise value related to the use of IT is identified and managed. • Process Purpose Statement • Ensure that IT-related enterprise risk does not exceed risk appetite and risk tolerance, the impact of IT risk to enterprise value is identified and managed, and the potential for compliance failures is minimised.
Risk Management in COBIT 5 (cont.) • The MANAGEMENT Align, Plan and Organise domain contains a risk-related process: APO12 Manage risk. • Process Description • Continually identify, assess and reduce IT-related risk within levels of tolerance set by enterprise executive management. • Process Purpose Statement • Integrate the management of IT-related enterprise risk with overall ERM, and balance the costs and benefits of managing IT-related enterprise risk.
Risk Management in COBIT 5 (cont.) Source: COBIT® 5, figure 16. © 2012 ISACA® All rights reserved.
Risk Management in COBIT 5 (cont.) • All enterprise activities have associated risk exposures resulting from environmental threats that exploit enabler vulnerabilities • EDM03 Ensure risk optimisation ensures that the enterprise stakeholders approach to risk is articulated to direct how risks facing the enterprise will be treated. • APO12 Manage risk provides the enterprise risk management (ERM) arrangements that ensure that the stakeholder direction is followed by the enterprise. • All other processes include practices and activities that are designed to treat related risk (avoid, reduce/ mitigate/control, share/transfer/accept).
Risk Management in COBIT 5 (cont.) • In addition to activities, COBIT 5 suggests accountabilities, and responsibilities for enterprise roles and governance/management structures (RACI charts) for each process. These include risk-related roles. Source: COBIT® 5: Enabling Processes, page 108. © 2012 ISACA® All rights reserved.
Compliance in COBIT 5 • The MANAGEMENT Monitor, Evaluate and Assess domain contains a compliance focused process: MEA03 Monitor, evaluate and assess compliance with external requirements. • Process Description • Evaluate that IT processes and IT-supported business processes are compliant with laws, regulations and contractual requirements. Obtain assurance that the requirements have been identified and complied with, and integrate IT compliance with overall enterprise compliance. • Process Purpose Statement • Ensure that the enterprise is compliant with all applicable external requirements.
Compliance in COBIT 5 (cont.) Source: COBIT® 5, figure 16. © 2012 ISACA® All rights reserved.
Compliance in COBIT 5 (cont.) • Legal and regulatory compliance is a key part of the effective governance of an enterprise, hence its inclusion in the GRC term and in the COBIT 5 Enterprise Goals and supporting enabler process structure (MEA03). • In addition to MEA03, all enterprise activities include control activities that are designed to ensure compliance not only with externally imposed legislative or regulatory requirements but also with enterprise governance-determined principles, policies and procedures.
Compliance in COBIT 5 (cont.) • In addition to activities, COBIT 5 suggests accountabilities, and responsibilities for enterprise roles and governance/management structures (RACI charts) for each process. These include a compliance-related role. Source: COBIT® 5: Enabling Processes, page 213. © 2012 ISACA® All rights reserved.
Summary • The COBIT 5 framework includes the necessary guidance to support enterprise GRC objectives and supporting activities: • Governance activities related to GEIT (5 processes) • Risk management process—and supporting guidance for risk management across the GEIT space • Compliance—a specific focus on compliance activities within the framework and how they fit within the complete enterprise picture • Inclusion of GRC arrangements within the business framework for GEIT helps enterprises to avoid the main issue with GRC arrangements—silos of activity!

Empfohlen

COBIT 2019 Overview_v1.1.pdf
COBIT 2019 Overview_v1.1.pdfCOBIT 2019 Overview_v1.1.pdf
COBIT 2019 Overview_v1.1.pdf
MartinPatrici
 
IT Governance Framework
IT Governance FrameworkIT Governance Framework
IT Governance Framework
Sherri Booher
 
COBIT 2019 webinar Use Cases: Tailoring Governance of Your Enterprise IT
COBIT 2019 webinar Use Cases: Tailoring Governance of Your Enterprise ITCOBIT 2019 webinar Use Cases: Tailoring Governance of Your Enterprise IT
COBIT 2019 webinar Use Cases: Tailoring Governance of Your Enterprise IT
Mark Constable
 
IT Governance
IT GovernanceIT Governance
IT Governance
Carlos Chalico
 
Governance and Management of Enterprise IT with COBIT 5 Framework
Governance and Management of Enterprise IT with COBIT 5 FrameworkGovernance and Management of Enterprise IT with COBIT 5 Framework
Governance and Management of Enterprise IT with COBIT 5 Framework
Goutama Bachtiar
 
cobit 2019 presentation.pdf
cobit 2019 presentation.pdfcobit 2019 presentation.pdf
cobit 2019 presentation.pdf
mohammed539963
 
An Introduction to IT Management with COBIT 2019
An Introduction to IT Management with COBIT 2019An Introduction to IT Management with COBIT 2019
An Introduction to IT Management with COBIT 2019
Gregor Polančič
 
Introduction to COBIT 5 and IT management
Introduction to COBIT 5 and IT managementIntroduction to COBIT 5 and IT management
Introduction to COBIT 5 and IT management
Christian F. Nissen
 

Empfohlen

COBIT 2019 Overview_v1.1.pdf
COBIT 2019 Overview_v1.1.pdfCOBIT 2019 Overview_v1.1.pdf
COBIT 2019 Overview_v1.1.pdf
MartinPatrici
 
IT Governance Framework
IT Governance FrameworkIT Governance Framework
IT Governance Framework
Sherri Booher
 
COBIT 2019 webinar Use Cases: Tailoring Governance of Your Enterprise IT
COBIT 2019 webinar Use Cases: Tailoring Governance of Your Enterprise ITCOBIT 2019 webinar Use Cases: Tailoring Governance of Your Enterprise IT
COBIT 2019 webinar Use Cases: Tailoring Governance of Your Enterprise IT
Mark Constable
 
IT Governance
IT GovernanceIT Governance
IT Governance
Carlos Chalico
 
Governance and Management of Enterprise IT with COBIT 5 Framework
Governance and Management of Enterprise IT with COBIT 5 FrameworkGovernance and Management of Enterprise IT with COBIT 5 Framework
Governance and Management of Enterprise IT with COBIT 5 Framework
Goutama Bachtiar
 
cobit 2019 presentation.pdf
cobit 2019 presentation.pdfcobit 2019 presentation.pdf
cobit 2019 presentation.pdf
mohammed539963
 
An Introduction to IT Management with COBIT 2019
An Introduction to IT Management with COBIT 2019An Introduction to IT Management with COBIT 2019
An Introduction to IT Management with COBIT 2019
Gregor Polančič
 
Introduction to COBIT 5 and IT management
Introduction to COBIT 5 and IT managementIntroduction to COBIT 5 and IT management
Introduction to COBIT 5 and IT management
Christian F. Nissen
 
Basics in IT Audit and Application Control Testing
Basics in IT Audit and Application Control Testing Basics in IT Audit and Application Control Testing
Basics in IT Audit and Application Control Testing
Dinesh O Bareja
 
IT General Controls Presentation at IIA Vadodara Audit Club
IT General Controls Presentation at IIA Vadodara Audit ClubIT General Controls Presentation at IIA Vadodara Audit Club
IT General Controls Presentation at IIA Vadodara Audit Club
Kaushal Trivedi
 
COBIT5 Introduction
COBIT5 IntroductionCOBIT5 Introduction
COBIT5 Introduction
Mohammad Reda Katby
 
Introduction to COBIT 2019 and IT management
Introduction to COBIT 2019 and IT managementIntroduction to COBIT 2019 and IT management
Introduction to COBIT 2019 and IT management
Christian F. Nissen
 
Information security management system (isms) overview
Information security management system (isms) overviewInformation security management system (isms) overview
Information security management system (isms) overview
Julia Urbina-Pineda
 
Cobit 2019 framework by ISACA
Cobit 2019 framework by ISACACobit 2019 framework by ISACA
Cobit 2019 framework by ISACA
MDFazlaRabbiAbir
 
COBIT® Presentation Package.ppt
COBIT® Presentation Package.pptCOBIT® Presentation Package.ppt
COBIT® Presentation Package.ppt
Emmacuet
 
Itil,cobit and ıso27001
Itil,cobit and ıso27001Itil,cobit and ıso27001
Itil,cobit and ıso27001
Burcu Pelin TELLİ
 
IT Governance - COBIT 5 Capability Assessment
IT Governance - COBIT 5 Capability AssessmentIT Governance - COBIT 5 Capability Assessment
IT Governance - COBIT 5 Capability Assessment
Eryk Budi Pratama
 
What is the Value of Mature Enterprise Architecture TOGAF
What is the Value of Mature Enterprise Architecture TOGAFWhat is the Value of Mature Enterprise Architecture TOGAF
What is the Value of Mature Enterprise Architecture TOGAF
xavblai
 
Governance and Management of Enterprise IT with COBIT 5 Framework
Governance and Management of Enterprise IT with COBIT 5 FrameworkGovernance and Management of Enterprise IT with COBIT 5 Framework
Governance and Management of Enterprise IT with COBIT 5 Framework
Goutama Bachtiar
 
Understanding IT Governance and Risk Management
Understanding IT Governance and Risk ManagementUnderstanding IT Governance and Risk Management
Understanding IT Governance and Risk Management
jiricejka
 
IT Governance - Capability Assessment using COBIT 5
IT Governance - Capability Assessment using COBIT 5IT Governance - Capability Assessment using COBIT 5
IT Governance - Capability Assessment using COBIT 5
Eryk Budi Pratama
 
Using ITIL 4 and IT4IT together
Using ITIL 4 and IT4IT togetherUsing ITIL 4 and IT4IT together
Using ITIL 4 and IT4IT together
Rob Akershoek
 
Integrating Risk into your Balanced Scorecard
Integrating Risk into your Balanced Scorecard Integrating Risk into your Balanced Scorecard
Integrating Risk into your Balanced Scorecard
Andrew Smart
 
Introduction to it auditing
Introduction to it auditingIntroduction to it auditing
Introduction to it auditing
Damilola Mosaku
 
It governance
It governanceIt governance
It governance
Mahetab Khan
 
Governance risk and compliance
Governance risk and complianceGovernance risk and compliance
Governance risk and compliance
Magdalena Matell
 
Infosec Audit Lecture_4
Infosec Audit Lecture_4Infosec Audit Lecture_4
Infosec Audit Lecture_4
Obrina Candra, CISA, ISMS-LA
 
IT4IT™ - Managing the Business of IT
IT4IT™ - Managing the Business of ITIT4IT™ - Managing the Business of IT
IT4IT™ - Managing the Business of IT
Real IRM
 
Cobit5 introduction
Cobit5 introductionCobit5 introduction
Cobit5 introduction
Tatto Sugiopranoto
 
Cobit5 introduction
Cobit5 introductionCobit5 introduction
Cobit5 introduction
suhaskokate
 

Weitere ähnliche Inhalte

Was ist angesagt?

COBIT® Presentation Package.ppt
COBIT® Presentation Package.pptCOBIT® Presentation Package.ppt
COBIT® Presentation Package.ppt
Emmacuet
 

Was ist angesagt? (20)

Basics in IT Audit and Application Control Testing
Basics in IT Audit and Application Control Testing Basics in IT Audit and Application Control Testing
Basics in IT Audit and Application Control Testing
 
IT General Controls Presentation at IIA Vadodara Audit Club
IT General Controls Presentation at IIA Vadodara Audit ClubIT General Controls Presentation at IIA Vadodara Audit Club
IT General Controls Presentation at IIA Vadodara Audit Club
 
COBIT5 Introduction
COBIT5 IntroductionCOBIT5 Introduction
COBIT5 Introduction
 
Introduction to COBIT 2019 and IT management
Introduction to COBIT 2019 and IT managementIntroduction to COBIT 2019 and IT management
Introduction to COBIT 2019 and IT management
 
Information security management system (isms) overview
Information security management system (isms) overviewInformation security management system (isms) overview
Information security management system (isms) overview
 
Cobit 2019 framework by ISACA
Cobit 2019 framework by ISACACobit 2019 framework by ISACA
Cobit 2019 framework by ISACA
 
COBIT® Presentation Package.ppt
COBIT® Presentation Package.pptCOBIT® Presentation Package.ppt
COBIT® Presentation Package.ppt
 
Itil,cobit and ıso27001
Itil,cobit and ıso27001Itil,cobit and ıso27001
Itil,cobit and ıso27001
 
IT Governance - COBIT 5 Capability Assessment
IT Governance - COBIT 5 Capability AssessmentIT Governance - COBIT 5 Capability Assessment
IT Governance - COBIT 5 Capability Assessment
 
What is the Value of Mature Enterprise Architecture TOGAF
What is the Value of Mature Enterprise Architecture TOGAFWhat is the Value of Mature Enterprise Architecture TOGAF
What is the Value of Mature Enterprise Architecture TOGAF
 
Governance and Management of Enterprise IT with COBIT 5 Framework
Governance and Management of Enterprise IT with COBIT 5 FrameworkGovernance and Management of Enterprise IT with COBIT 5 Framework
Governance and Management of Enterprise IT with COBIT 5 Framework
 
Understanding IT Governance and Risk Management
Understanding IT Governance and Risk ManagementUnderstanding IT Governance and Risk Management
Understanding IT Governance and Risk Management
 
IT Governance - Capability Assessment using COBIT 5
IT Governance - Capability Assessment using COBIT 5IT Governance - Capability Assessment using COBIT 5
IT Governance - Capability Assessment using COBIT 5
 
Using ITIL 4 and IT4IT together
Using ITIL 4 and IT4IT togetherUsing ITIL 4 and IT4IT together
Using ITIL 4 and IT4IT together
 
Integrating Risk into your Balanced Scorecard
Integrating Risk into your Balanced Scorecard Integrating Risk into your Balanced Scorecard
Integrating Risk into your Balanced Scorecard
 
Introduction to it auditing
Introduction to it auditingIntroduction to it auditing
Introduction to it auditing
 
It governance
It governanceIt governance
It governance
 
Governance risk and compliance
Governance risk and complianceGovernance risk and compliance
Governance risk and compliance
 
Infosec Audit Lecture_4
Infosec Audit Lecture_4Infosec Audit Lecture_4
Infosec Audit Lecture_4
 
IT4IT™ - Managing the Business of IT
IT4IT™ - Managing the Business of ITIT4IT™ - Managing the Business of IT
IT4IT™ - Managing the Business of IT
 

Ähnlich wie Cobit5 and-grc

Implementation of a Decision System for a Suitable IT Governance Framework
Implementation of a Decision System for a Suitable IT Governance FrameworkImplementation of a Decision System for a Suitable IT Governance Framework
Implementation of a Decision System for a Suitable IT Governance Framework
IJCSIS Research Publications
 
IT Governance Presentation by omaha 2008
IT Governance Presentation by omaha 2008IT Governance Presentation by omaha 2008
IT Governance Presentation by omaha 2008
ssusera19f45
 

Ähnlich wie Cobit5 and-grc (20)

Cobit5 introduction
Cobit5 introductionCobit5 introduction
Cobit5 introduction
 
Cobit5 introduction
Cobit5 introductionCobit5 introduction
Cobit5 introduction
 
COBIT5-IntroductionS
COBIT5-IntroductionSCOBIT5-IntroductionS
COBIT5-IntroductionS
 
Cobit 5 introduction plgr
Cobit 5 introduction plgrCobit 5 introduction plgr
Cobit 5 introduction plgr
 
Cobit5 introduction
Cobit5 introductionCobit5 introduction
Cobit5 introduction
 
02-cobit5-introduction.ppt
02-cobit5-introduction.ppt02-cobit5-introduction.ppt
02-cobit5-introduction.ppt
 
Cobit
CobitCobit
Cobit
 
Diskusi buku: Securing an IT Organization through Governance, Risk Management...
Diskusi buku: Securing an IT Organization through Governance, Risk Management...Diskusi buku: Securing an IT Organization through Governance, Risk Management...
Diskusi buku: Securing an IT Organization through Governance, Risk Management...
 
Cobit 5 for information security
Cobit 5 for information securityCobit 5 for information security
Cobit 5 for information security
 
PPT-UEU-Topik-dalam-IT-Resources-Management-13.pptx
PPT-UEU-Topik-dalam-IT-Resources-Management-13.pptxPPT-UEU-Topik-dalam-IT-Resources-Management-13.pptx
PPT-UEU-Topik-dalam-IT-Resources-Management-13.pptx
 
Cobit_5_Checklist.pdf
Cobit_5_Checklist.pdfCobit_5_Checklist.pdf
Cobit_5_Checklist.pdf
 
Audit rizkie hafizzah
Audit rizkie hafizzahAudit rizkie hafizzah
Audit rizkie hafizzah
 
Cobit 5 Business Framework -Governance and Management of Enterprise IT
Cobit 5 Business Framework -Governance and Management of Enterprise ITCobit 5 Business Framework -Governance and Management of Enterprise IT
Cobit 5 Business Framework -Governance and Management of Enterprise IT
 
Co5bit
Co5bitCo5bit
Co5bit
 
COBIT 5 FAQ
COBIT 5 FAQCOBIT 5 FAQ
COBIT 5 FAQ
 
Implementation of a Decision System for a Suitable IT Governance Framework
Implementation of a Decision System for a Suitable IT Governance FrameworkImplementation of a Decision System for a Suitable IT Governance Framework
Implementation of a Decision System for a Suitable IT Governance Framework
 
COBIT 2019 - DIGITAL TRUST FRAMEWORK
COBIT 2019 - DIGITAL TRUST FRAMEWORKCOBIT 2019 - DIGITAL TRUST FRAMEWORK
COBIT 2019 - DIGITAL TRUST FRAMEWORK
 
IT Governance Presentation by omaha 2008
IT Governance Presentation by omaha 2008IT Governance Presentation by omaha 2008
IT Governance Presentation by omaha 2008
 
It governance & cobit 5
It governance & cobit 5It governance & cobit 5
It governance & cobit 5
 
01 intro-cobit
01 intro-cobit01 intro-cobit
01 intro-cobit
 

Kürzlich hochgeladen

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Victor Rentea
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 

Kürzlich hochgeladen (20)

Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 

Cobit5 and-grc

  • 2.
  • 3. GRC GRC:  Governance, risk management and compliance  An increasingly used ‘umbrella term’ that covers these three areas of enterprise activities  These areas of activity are progressively being more aligned and integrated to improve enterprise performance and delivery of stakeholder needs.
  • 4. GRC Definitions GRC:  Governance—Exercise of authority; control; government; arrangement.  Risk (management )—Hazard; danger; peril; exposure to loss, injury, or destruction (The act or art of managing; the manner of treating, directing, carrying on, or using, for a purpose; conduct; administration; guidance; control)  Compliance—The act of complying; a yielding; as to a desire, demand, or proposal; concession; submission  Webster’s Online Dictionary
  • 5. Types of Governance  Different types of governance exist:  Corporate governance  Project governance  Information technology governance  Environmental governance  Economic and financial governance  Each type has one or more sources of guidance, each with similar goals but often varying terms and techniques for their achievement.
  • 6. Implementing Governance  The integration of the implementation of the GRC activities within an enterprise requires a systemic approach for reliably achieving the business goals of its stakeholders.  Such approaches are typically based on enablers of various types (e.g., principles, policies, models, frameworks, organisational structures).
  • 7. A GRC Model Example  From the OCEG Red Book GRC Capability Model version 2.1
  • 8. Corporate Governance of IT  ISO/IEC 38500: 2008  Corporate governance of information technology  1.1 Scope  This standard provides guiding principles for directors of organizations (including owners, board members, directors, partners, senior executives, or similar) on the effective, efficient, and acceptable use of Information Technology (IT) within their organizations.  This standard applies to the governance of management processes (and decisions) relating to the information and communication services used by an organization. These processes could be controlled by IT specialists within the organization or external service providers, or by business units within the organization.
  • 9. Corporate Governance of IT (cont.) ISO/IEC 38500: 2008 Corporate governance of information technology 2.1 Principles 2.1.1 Principle 1: Responsibility 2.1.2 Principle 2: Strategy 2.1.3 Principle 3: Acquisition 2.1.4 Principle 4: Performance 2.1.5 Principle 5: Conformance 2.1.6 Principle 6: Human Behaviour
  • 10. Corporate Governance of IT (cont.) ISO/IEC 38500: 2008 Corporate governance of information technology 2.2 Model Directors should govern IT through three main tasks: a) Evaluate the current and future use of IT. b) Direct preparation and implementation of plans and policies to ensure that use of IT meets business objectives. c) Monitor conformance to policies, and performance against the plans.
  • 11. ISACA and COBIT  ISACA actively promotes research that results in the development of products both relevant and useful to IT governance, risk, control, assurance and security professionals.  ISACA developed and maintains the internationally recognised COBIT framework, helping IT professionals and enterprise leaders fulfil their IT governance responsibilities while delivering value to the business.
  • 12.
  • 13. COBIT: Governance of Enterprise IT (GEIT) Evolution of scope IT Governance Val IT 2.0 Management (2008) Control Risk IT (2009) Audit COBIT1 COBIT2 COBIT3 COBIT4.0/4.1 1996 1998 2000 2005/7 2012 A business framework from ISACA, at www.isaca.org/cobit Source: COBIT® 5 Introduction Presentation © 2012 ISACA® All rights reserved.
  • 14. COBIT 5 in Overview COBIT 5 brings together the five principles that allow the enterprise to build an effective governance and management framework based on a holistic set of seven enablers that optimises information and technology investment and use for the benefit of stakeholders.
  • 15. The COBIT 5 Framework  Simply stated, COBIT 5 helps enterprises to create optimal value from IT by maintaining a balance between realising benefits and optimising risk levels and resource use.  COBIT 5 enables information and related technology to be governed and managed in a holistic manner for the whole enterprise, taking in the full end-to-end business and functional areas of responsibility, considering the IT-related interests of internal and external stakeholders.  The COBIT 5 principles and enablers are generic and useful for enterprises of all sizes, whether commercial, not-for -profit or in the public sector.
  • 16. COBIT 5 Principles Source: COBIT® 5, figure 2. © 2012 ISACA® All rights reserved.
  • 17. COBIT 5 Enterprise Enablers Source: COBIT® 5, figure 12. © 2012 ISACA® All rights reserved.
  • 18.
  • 19. Governance (and Management) in COBIT 5  Governance ensures that enterprise objectives are achieved by evaluating stakeholder needs, conditions and options; setting direction through prioritisation and decision making; and monitoring performance, compliance and progress against agreed direction and objectives (EDM).  Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives (PBRM).  Exercising governance and management effectively in practice requires appropriately using all enablers. The COBIT process reference model allows us to focus easily on the relevant enterprise activities.
  • 20. Governance in COBIT 5 • The COBIT 5 process reference model subdivides the IT- related practices and activities of the enterprise into two main areas—governance and management—with management further divided into domains of processes • The GOVERNANCE domain contains five governance processes; within each process, evaluate, direct and monitor (EDM) practices are defined. •01 Ensure governance framework setting and maintenance. •02 Ensure benefits delivery. •03 Ensure risk optimisation. •04 Ensure resource optimisation. •05 Ensure stakeholder transparency. • The four MANAGEMENT domains are in line with the responsibility areas of plan, build, run and monitor (PBRM).
  • 21. Governance in COBIT 5 (cont.) Source: COBIT® 5, figure 16. © 2012 ISACA® All rights reserved.
  • 22. Risk Management in COBIT 5 • The GOVERNANCE domain contains five governance processes, one of which focuses on stakeholder risk-related objectives: EDM03 Ensure risk optimisation. • Process Description • Ensure that the enterprise’s risk appetite and tolerance are understood, articulated and communicated, and that risk to enterprise value related to the use of IT is identified and managed. • Process Purpose Statement • Ensure that IT-related enterprise risk does not exceed risk appetite and risk tolerance, the impact of IT risk to enterprise value is identified and managed, and the potential for compliance failures is minimised.
  • 23. Risk Management in COBIT 5 (cont.) • The MANAGEMENT Align, Plan and Organise domain contains a risk-related process: APO12 Manage risk. • Process Description • Continually identify, assess and reduce IT-related risk within levels of tolerance set by enterprise executive management. • Process Purpose Statement • Integrate the management of IT-related enterprise risk with overall ERM, and balance the costs and benefits of managing IT-related enterprise risk.
  • 24. Risk Management in COBIT 5 (cont.) Source: COBIT® 5, figure 16. © 2012 ISACA® All rights reserved.
  • 25. Risk Management in COBIT 5 (cont.) • All enterprise activities have associated risk exposures resulting from environmental threats that exploit enabler vulnerabilities • EDM03 Ensure risk optimisation ensures that the enterprise stakeholders approach to risk is articulated to direct how risks facing the enterprise will be treated. • APO12 Manage risk provides the enterprise risk management (ERM) arrangements that ensure that the stakeholder direction is followed by the enterprise. • All other processes include practices and activities that are designed to treat related risk (avoid, reduce/ mitigate/control, share/transfer/accept).
  • 26. Risk Management in COBIT 5 (cont.) • In addition to activities, COBIT 5 suggests accountabilities, and responsibilities for enterprise roles and governance/management structures (RACI charts) for each process. These include risk-related roles. Source: COBIT® 5: Enabling Processes, page 108. © 2012 ISACA® All rights reserved.
  • 27. Compliance in COBIT 5 • The MANAGEMENT Monitor, Evaluate and Assess domain contains a compliance focused process: MEA03 Monitor, evaluate and assess compliance with external requirements. • Process Description • Evaluate that IT processes and IT-supported business processes are compliant with laws, regulations and contractual requirements. Obtain assurance that the requirements have been identified and complied with, and integrate IT compliance with overall enterprise compliance. • Process Purpose Statement • Ensure that the enterprise is compliant with all applicable external requirements.
  • 28. Compliance in COBIT 5 (cont.) Source: COBIT® 5, figure 16. © 2012 ISACA® All rights reserved.
  • 29. Compliance in COBIT 5 (cont.) • Legal and regulatory compliance is a key part of the effective governance of an enterprise, hence its inclusion in the GRC term and in the COBIT 5 Enterprise Goals and supporting enabler process structure (MEA03). • In addition to MEA03, all enterprise activities include control activities that are designed to ensure compliance not only with externally imposed legislative or regulatory requirements but also with enterprise governance-determined principles, policies and procedures.
  • 30. Compliance in COBIT 5 (cont.) • In addition to activities, COBIT 5 suggests accountabilities, and responsibilities for enterprise roles and governance/management structures (RACI charts) for each process. These include a compliance-related role. Source: COBIT® 5: Enabling Processes, page 213. © 2012 ISACA® All rights reserved.
  • 31. Summary • The COBIT 5 framework includes the necessary guidance to support enterprise GRC objectives and supporting activities: • Governance activities related to GEIT (5 processes) • Risk management process—and supporting guidance for risk management across the GEIT space • Compliance—a specific focus on compliance activities within the framework and how they fit within the complete enterprise picture • Inclusion of GRC arrangements within the business framework for GEIT helps enterprises to avoid the main issue with GRC arrangements—silos of activity!