Student Handbook for COBIT5 Implementation Training

May 7, 2017 | Author: manu_ya | Category: N/A

COBIT5: Implementation

A Business Framework for the Governance  and Management of Enterprise IT

COBIT5® is a registered trademark of ISACA. No part of this document may be reproduced in any form without the explicit written permission of both the 4P Advisory Services and ISACA®. Trademarks, acknowledged.

Corporate Training, Consulting, Examinations, Process Improvements, Assessments

Module 0: Introduction


Module 0: Agenda
• Administration
• Copyright and Acknowledgement
• Do's and Don'ts
• Administration
• Course Information
• Participant Introduction
• Learning Objectives
• Course Topics
• Examination Information, Procedures and Tips


Copyright & Acknowledgements
• COBIT5® is a registered trademark of AXELOS® Limited
• This document is exclusively created for and by 4P Advisory Services, an ISACA Partner through Peoplecert.
• No part of this document can be directly/indirectly copied in any form.
• Anyone doing so is legally liable for financial damages to be paid to and the Author of this document.
• Anyone reporting the breach may be suitably rewarded.
• Feedback & Inquiries: [email protected]


Do's and Don'ts

DO:
• Get involved
• Ask questions
• Share experiences
• Keep an open mind
• Take calls outside the room
• Agree to disagree!

DON'T:
• Use laptops, tablets, smart phones, smart watches
• Talk to the colleagues in the class
• Lead to irrelevant, out-of-scope discussions
• Be disruptive
• Not do homework


Administration
• Fire safety
• Planned fire alarm tests
• Evacuation procedures and fire exits
• Toilets/washrooms
• Security of belongings
• Course timings and breaks
• Mobiles/BlackBerrys
• Photo ID and pencils for examinations
• Lots of questions/discussion please!


Course Information
• Course Structure and Approach
o Presentation sessions
o Group exercises
o Case Studies
o Exam preparation
• Course Materials (www.isaca.org)
o COBIT5® Kit can be downloaded.
o COBIT5® Implementation Guide can be downloaded.


Course Syllabus Information
The syllabus is presented by syllabus areas. A syllabus area is the unit of learning; it may relate to a chapter from the manual/guidance or to several concepts commonly grouped together in a training course module. The following syllabus areas are identified:
• IP: Initiate the program (What are the drivers? - Phase 1)
• DP: Define Problems & Opportunities (Where are we now and where do we want to be? - Phases 2 & 3)
• PE: Plan & Execute the program (What needs to be done & how do we get there? - Phases 4 & 5)
• RB: Realize Benefits and Review effectiveness (Did we get there and how do we keep the momentum going? - Phases 6 & 7)


Course Reference Information
Reference Material:
• COBIT 5 Implementation Guide
• COBIT 5 Enabling Processes Guide
• The COBIT 5 Toolkit (contains tools that will be referenced and used in the training)


COBIT5 Publications
COBIT 5 Publications:
• COBIT 5 (the COBIT 5 Framework)
• COBIT 5 Implementation
• COBIT 5: Enabling Processes
• COBIT 5: Enabling Information
COBIT 5 Professional Guides:
• COBIT 5 for Information Security
• COBIT 5 for Assurance
• COBIT 5 for Risk
COBIT5 Assessment Programme Publications:
• Process Assessment Model
• Self-Assessment Guide
• Assessor Guide


Exam Information
COBIT 5 Implementation:
• Delivery: computer (web) or paper based
• Type: 4 multiple choice question types (20 items each)
o Single response, one of four possible answers
o Multiple response, X of Y possible answers
o Matching response
o Assertion response
• Each question is awarded one (1) mark
• Duration: 150 minutes
• Pass Mark: 50% (40 or more marks)
• Open Book: 'COBIT 5 Implementation' book only
• Prerequisites: COBIT 5 Foundation Certificate


Participant Introductions
• Trainer's Introduction
• Participant's Introduction
o Name
o Role & experience in the IT Governance domain
o Professional experience
o Current role & corresponding responsibilities
o What do you know about the topics under coverage?
o What do you expect from the session?


Learning Objectives
• Analyse the enterprise drivers
• Apply the implementation challenges, their root causes and success factors
• Assess current process capability
• Determine target process capability
• Scope and plan improvements
• Consider practical implementation factors
• Identify and avoid potential pitfalls
• Leverage the latest good practices


Course Modules: 1 of 2
• Module 1: Introduction to COBIT
• Module 2: Introduction to COBIT5 and Implementation Practices
o IC Introduction to COBIT: Principles, Enablers, Processes and PRM (Process Reference Model)
o CS Case Study and Discussions
o PM CSI Model and Program Management for COBIT Implementation
• Module 3: IP Initiate the program (What are the drivers? - Phase 1)
• Module 4: DP Define Problems & Opportunities
o Module 3.1 DP Define Problems & Opportunities (Where are we now? - Phase 2)
o Module 3.2 DP Define Problems & Opportunities (Where do we want to be? - Phase 3)


Course Modules: 2 of 2
• Module 5: PE Plan & Execute the program
o 4.1 PE Plan & Execute the program (What needs to be done? - Phase 4) - Change Enablement?
o 4.2 PE Plan & Execute the program (How do we get there? - Phase 5)
• Module 6: RB Realize Benefits and Review effectiveness
o 5.1 RB Realize Benefits and Review effectiveness (Did we get there? - Phase 6)
o 5.2 RB Realize Benefits and Review effectiveness (How do we keep the momentum going? - Phase 7)
• Module 7: CE&CI Change Enablement and Continuous Improvement
• Module 8: COBIT 5 Assessment Steps


About ISACA
ISACA (www.isaca.org) is a leading global provider of knowledge, certifications, community, advocacy and education on information systems (IS) assurance and security, enterprise governance and management of IT, and IT-related risk and compliance. Founded in 1969, the non-profit, independent ISACA hosts international conferences, publishes the ISACA® Journal, and develops international IS auditing and control standards, which help its constituents ensure trust in, and value from, information systems. It also advances and attests IT skills and knowledge through the globally respected Certified Information Systems Auditor® (CISA®), Certified Information Security Manager® (CISM®), Certified in the Governance of Enterprise IT® (CGEIT®) and Certified in Risk and Information Systems Control™ (CRISC™) designations. ISACA continually updates COBIT®, which helps IT professionals and enterprise leaders fulfil their IT governance and management responsibilities, particularly in the areas of assurance, security, risk and control, and deliver value to the business.


Module 1: Introduction to Governance and COBIT5


Corporate Governance vs. IT Governance
Corporate governance is the set of processes, customs, policies, laws, management practices and institutions affecting the way an entity is controlled and managed. It incorporates all the relationships among the many stakeholders involved and aims to organise them to meet the goals of the organisation in the most effective and efficient manner possible. An effective corporate governance strategy allows an organisation to manage all aspects of its business in order to meet its objectives. Information technology governance, however, is a subset discipline of corporate governance. Although it is sometimes mistaken for a field of study on its own, IT governance is actually a part of the overall corporate governance strategy of an organisation.


Learning Outcomes
• Understand the concepts relating to the structure and format of the framework, and the drivers and business benefits of using the COBIT 5 framework; specifically, to identify:
o The drivers for the development of COBIT 5, specifically the need for the next generation of ISACA's guidance on the enterprise governance and management of IT.
o The benefits to the enterprise stakeholders of using the COBIT 5 framework.


Defining Governance
Governance ensures that enterprise objectives are achieved by evaluating stakeholder needs, conditions and options; setting direction through prioritisation and decision making; and monitoring performance, compliance and progress against agreed direction and objectives.
Governance is about negotiating and deciding amongst different stakeholders' value interests.
Wikipedia: Governance refers to "all processes of governing, whether undertaken by a government, market or network, whether over a family, tribe, formal or informal organization or territory and whether through laws, norms, power or language."
ISACA: Governance: exercise of authority; control; government; arrangement.


Defining Management
• Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives.


Purpose of Governance & Management
Exercising governance and management effectively in practice requires appropriately using all enablers. The COBIT5 process reference model allows us to focus easily on the relevant enterprise activities.
Purpose of a governance framework like COBIT5: to help enterprises create optimal value from IT by maintaining a balance between realizing benefits and optimizing risk levels.
Key activities of governance:
• Set principles and policies.
• Set direction, and be responsible to the owners and stakeholders.
Key component of a governance system: setting up the governance framework.
Governance: in most enterprises, governance is the responsibility of the board of directors under the leadership of the chairperson.
Management: in most enterprises, management is the responsibility of the executive management under the leadership of the CEO.


Why was COBIT 5 Developed?
COBIT 5:
• ISACA Board of Directors directive: "Tie together and reinforce all ISACA knowledge assets with COBIT."
• Provide a renewed and authoritative governance and management framework for enterprise information and related technology
• Integrate all other major ISACA frameworks and guidance
• Align with other major frameworks and standards


The Evolution of COBIT 5
[Figure: timeline of COBIT releases, with related ISACA frameworks and the evolution of scope]
• COBIT releases: COBIT1 (1996), COBIT2 (1998), COBIT3 (2000), COBIT4.0/4.1 (2005/7), COBIT 5 (2012)
• Related ISACA frameworks shown alongside the timeline: Val IT 2.0 (2008), Risk IT (2009), BMIS (2010)
• Evolution of scope: Audit, Control, Management, IT Governance, Governance of Enterprise IT


COBIT 5 Scope
• Not simply IT; not only for big business!
• COBIT 5 is about governing and managing information
o Whatever medium is used
o End to end throughout the enterprise
• Information is equally important to:
o Global, multinational business
o National and local government
o Charities and not-for-profit enterprises
o Small to medium enterprises, and
o Clubs and associations


Benefits
• Information is the business currency of the 21st century
• Information has a life cycle: it is created, used, retained, disclosed and destroyed
• Technology plays a key role in these actions
• Technology is becoming pervasive in all aspects of business and personal life
• Every form of enterprise needs to be able to rely on quality information to support quality executive decisions!


Enterprise Benefits
Enterprises and their executives strive to:
• Maintain quality information to support business decisions.
• Generate business value from IT-enabled investments, i.e., achieve strategic goals and realise business benefits through effective and innovative use of IT.
• Achieve operational excellence through reliable and efficient application of technology.
• Maintain IT-related risk at an acceptable level.
• Optimise the cost of IT services and technology.
How can these benefits be realised to create enterprise stakeholder value?


Stakeholder Value
• Delivering enterprise stakeholder value requires good governance and management of information and technology (IT) assets.
• Enterprise boards, executives and management have to embrace IT like any other significant part of the business.
• External legal, regulatory and contractual compliance requirements related to enterprise use of information and technology are increasing, threatening value if breached.
• COBIT 5 provides a comprehensive framework that assists enterprises to achieve their goals and deliver value through effective governance and management of enterprise IT.


Benefits (continued)
COBIT 5:
• Defines the starting point of governance and management activities with the stakeholder needs related to enterprise IT
• Creates a more holistic, integrated and complete view of enterprise governance and management of IT that is consistent and provides an end-to-end view on all IT-related matters
• Creates a common language between IT and business for the enterprise governance and management of IT
• Is consistent with generally accepted corporate governance standards, and thus helps to meet regulatory requirements


Examples: factors which may indicate a need for improved governance of enterprise IT:
• Significant incidents related to IT risk, such as data loss or project failure, have been experienced.
• Lack of confidence in IT management.
• IT investments and risks were being managed by various IT departments in isolation, resulting in duplicated efforts in some areas and gaps in others.
• Lack of information consistency and accountability across all IT groups.
• IT goals and perspectives not clearly aligned to the organizational goals.


The COBIT 5 Format
• Simplified
• COBIT 5 directly addresses the needs of the viewer from different perspectives
• Development continues with specific practitioner guides
• COBIT 5 is initially in 3 volumes:
1. The Framework
2. Process Reference Guide
3. Implementation Guide
• COBIT 5 is based on:
o 5 principles and
o 7 enablers


COBIT5: Principles


Principle 1: Meeting Stakeholder Needs
• The COBIT 5 goals cascade allows the definition of priorities for:
o Implementation
o Improvement
o Assurance of enterprise governance of IT
• In practice, the goals cascade:
o Defines relevant and tangible goals and objectives at various levels of responsibility
o Filters the knowledge base of COBIT 5, based on enterprise goals, to extract relevant guidance for inclusion in specific implementation, improvement or assurance projects
o Clearly identifies and communicates how enablers are used to achieve enterprise goals


Principle 2: Covering the Enterprise End–to–End


Principle 3: Single Integrated Framework
[Figure: components of the single integrated framework]
• One simple architecture
• Completeness in enterprise coverage
• Alignment with other relevant frameworks & standards
• Integration of knowledge across domains
• ISO/IEC 15504 for assessment


Principle 4: Enabling a Holistic Approach


Principle 5 ‐ Governance and Management Defined


COBIT 5 Product Family


The COBIT5 Integrator Model links COBIT 5 to existing ISACA guidance publications.


COBIT and Other IT Governance Frameworks
[Figure: frameworks positioned on a "What" versus "How" axis and by scope of coverage: COSO, COBIT, ISO 27002, ISO 9000, ITIL 2011]
Source: ISACA


COBIT 5 Mapping Specifics (1)
• ISO/IEC 38500
o ISO's 6 principles map to COBIT 5
• The following areas and domains are covered by ITIL 2011:
o A subset of processes in the DSS domain
o A subset of processes in the BAI domain
o Some processes in the APO domain
• ISO/IEC 27000 (currently 27001:2013)
o Security and IT-related processes in domains EDM, APO and DSS
o Some security monitoring activities in MEA
• ISO/IEC 31000
o Risk management related activities in EDM and APO


COBIT 5 Mapping Specifics (2)
• TOGAF (The Open Group Architecture Framework)
o Resource-related processes in EDM
o TOGAF components of the architecture board and governance areas
o Enterprise architecture processes of APO
• PRINCE2
o Programme and project management processes in the BAI domain
o Portfolio-related processes in the APO domain
• CMMI
o Some organizational and quality-related processes in the APO domain
o Application-building and acquisition-related processes in BAI


Module 2: An Introduction to COBIT5 Implementation


COBIT 5 Implementation
• ISACA has developed the COBIT5 framework to help enterprises implement sound governance enablers. Indeed, implementing good GEIT is almost impossible without engaging an effective governance framework. Best practices and standards are also available to underpin COBIT5.
• However, frameworks, best practices and standards are useful only if they are adopted and adapted effectively. There are challenges that need to be overcome and issues that need to be addressed if GEIT is to be implemented successfully.
• The COBIT 5 Implementation Guide provides the guidance on how to do this (COBIT5-Ver2-Implementation.pdf).


COBIT 5 Implementation (cont.)
• The COBIT 5 Implementation Guide was released at the same time as the COBIT 5 Framework and COBIT 5 Enabling Processes.
• Information and information technology are increasingly part of every aspect of business. The need to drive more value from IT investments and manage an increasing array of IT-related risk has never been greater.
• Increasing regulation and legislation is also raising awareness of the importance of good governance.


Challenges to Success
• What are the drivers?
• Where are we now and where do we want to be?
• What needs to be done?
• How do we get there?
• Did we get there and how do we keep the momentum going?

© 2012 ISACA. All Rights Reserved.


Roles in Creating an Appropriate Environment

© 2012 ISACA. All Rights Reserved.


RACI chart for Creating an Appropriate Environment

© 2012 ISACA. All Rights Reserved.


Components of the Lifecycle
Program Management:
1. Initiate program
2. Define problems and opportunities
3. Define roadmap
4. Develop program plan
5. Execute plan
6. Realize benefits
7. Review program effectiveness
8. Sustain


COBIT 5 Implementation 


Enterprise Internal and External Factors
• Understanding the enterprise internal and external factors as they apply to change management, such as:
o Ethics and culture
o Applicable laws, regulations and policies
o Mission, vision and values
o Governance policies and practices
o Business plans and strategic intentions
o Operating model
o Management style
o Risk appetite
o Capabilities and available resources
o Industry practices


Key Success Factors
• Top management providing the direction and mandate for the initiative, as well as on-going commitment
• All parties supporting the governance and management processes understanding the business and IT objectives
• Ensuring effective communication and enablement of the necessary changes
• Tailoring COBIT and other supporting good practices and standards to fit the unique context of the enterprise, and
• Focusing on quick wins and prioritising the most beneficial improvements that are easiest to implement


Continuous Improvement through 7 enablers


Case Study Scenario: IT Governance Initiative A major financial services organization has recently been purchased by a large overseas competitor and is now subject to new overseas compliance regulations. Following the takeover the local organization is now known as the ‘local office’ and the purchaser is known as the ‘Overseas Head Office’.


Case Study Scenario: Background and Current Issues
The organization is currently experiencing issues with change management. As a result of the takeover, further changes are being introduced which the existing processes cannot handle. The problems are being exacerbated by the size and the volume of the required changes.
Although the takeover by the overseas company is recent, overseas regulators are already seeking visibility of compliance.
Prior to being taken over, the current Board had on-going concerns with IT security. These concerns are expected to increase given the demands of passing information overseas to the new Overseas Head Office.
Also prior to the takeover, relationships between IT and the enterprise were not good due to previous IT project failures and lack of visibility of project benefits.
Staff morale has been very low with an above average staff turnover. Due to the recent takeover, there have been senior management changes and a further increase in staff turnover due to the job uncertainty.
The organization has a new and inexperienced team in IT Governance.


Case Study Scenario: Current Projects in Place
There are two existing projects underway:
• HR Project - There is currently an HR project in progress to address the high level of staff turnover. Its objective is to reduce the current turnover levels.
• IT Security - The local office has recently engaged a team of external security specialists to review the current level of IT security and to recommend appropriate solutions.


Case Study Scenario: Roles and Responsibilities An extract of the organizational structure of the Financial Services Organisation (not including  the Overseas Head Office) is given below.

IT Management consists of the CIO and his direct reports.
The Audit Manager is from the Overseas Head Office and is responsible for the local Audit team.
The IT Governance, Risk and Compliance (IT GRC) Manager is newly appointed and has recently attended a COBIT 5 course.
The Technical Support Manager has been with the enterprise for over 20 years and takes a very 'hands on' approach. This role is responsible for ensuring the ongoing availability of the network infrastructure.


Case Study Scenario: IT Governance Initiative Start-up
As a result of the overseas compliance regulations, the IT Governance, Risk and Compliance (IT GRC) Manager has decided to launch a major IT Governance Initiative.
The initiative will incorporate the compliance requirements mandated by the Overseas Head Office in addition to improvements in governance and change management. The existing projects will be included within the scope.
The Overseas Head Office will sponsor the programme and the IT GRC Manager has been appointed as the Programme Manager. However, some problems have already been experienced:
• Although the IT GRC Manager has launched an initiative, it is not clear who is supporting the initiative and which processes are required to be targeted.
• Current attempts by the IT GRC Manager to get the initiative off the ground have so far been unsuccessful.


Case Study Scenario: Mapping of Processes to Issues
The IT GRC Manager completed a small assessment of the issues facing the new organisation, including the two existing projects on HR and Security and a report summarising their security issues. He discovered more issues related to the existing change management, HR and Security problems. He has mapped these to risks and recommended the following COBIT processes to be included in the improvement programme in order to assist and leverage best practice for the following issues and problem areas:

PROBLEMS & ISSUES | RISKS | COBIT PROCESSES
1. HR Issues | | APO07
- High turnover. | - Departure or unavailability of key IT staff. | APO07
- Skills & competences not matched to business requirements. | - Lack of business understanding by IT staff. | APO07
 | - Lack of or mismatch of IT-related skills. | APO07
- No process for contract staff. | - Contractual obligations by contractors not met. | APO07


Case Study Scenario: Mapping of Processes to Issues

PROBLEMS & ISSUES | RISKS | COBIT PROCESSES
2. Security Issues | |
- Access by external contractors poorly controlled. | - Users circumventing logical access rights. - Users obtaining access to unauthorized information. | DSS05; DSS04
- No policy and process for End Point security including mobile devices. | - Loss/disclosure of portable media, laptops, mobile devices etc. - Accidental disclosure of sensitive information. | DSS05


Case Study Scenario: Mapping of Processes to Issues

PROBLEMS & ISSUES | RISKS | COBIT PROCESSES
3. Change Management Issues | |
- New organisation cannot cope with change requests for processes. | - Business managers not involved in important IT investment decision making regarding new applications, prioritisations or new technology opportunities. | BAI05
4. Project Delivery Issues | | BAI01 / BAI02
- Poor project delivery in terms of on time and to budget. | - Projects failing due to cost delays, scope creep or changed business priorities. - Insufficient quality of project deliverables due to software, documentation or compliance with functional requirements. | BAI01
- Failure to understand business requirements. | - Business not assuming accountability over IT areas such as functional requirements. | BAI02


Case Study Scenario: Plan and Execute the Program
Awareness of the business' frustration about the lack of visibility of the compliance program has reached the Overseas Head Office. As a result, the Overseas Head Office has instructed the Financial Services Organization to quickly solve this issue relating to the poor relationships between IT and the business. The instruction has come down for IT to solve this as part of the Governance Initiative.
The IT GRC Manager is already overloaded with work and hence has asked one of the junior members of his team to take ownership of the task.
He has told the junior member that the solution to this issue will be to include information relating to the compliance program on the Financial Services Organization's existing Intranet. Access to this Intranet is already available to the business. Due to budget constraints, there will be a limit on the amount of information that can be added to the Intranet. This work must be done in-house.


Module 3: IP Initiate the program


IP: Initiate the program (What are the  drivers? ‐ Phase 1)


Continual Improvement Life cycle  Phase‐1

Ref. Figure 15


Roles in Phase 1

Ref. Figure 16


Phase 1 Description (1/4) 

Ref. Figure 17


Phase 1 Description (2/4) 

Ref. Figure 17


Phase 1 Description (3/4) 

Ref. Figure 17


Phase 1 Description (4/4) 

Ref. Figure 17


Phase‐1 RACI Chart 

Ref. Figure 18


Phase 1 – What Are the Drivers? The Basics
• Initiate the programme
• Establish desire to change:
  o Recognise need to act


Phase 1 – What Are the Drivers?
• The need for a new or improved IT governance organization is usually recognized through pain points and/or trigger events
• Board and executive management should:
  o Analyze pain points to identify root cause
  o Look for opportunities during trigger events
• The goals of this phase of the lifecycle include:
  o Outlining the business case
  o Identification of stakeholders and roles & responsibilities
  o IT governance program "wake-up call" and kick-off communications


Phase 1 – SWOT?


Phase 1 - Typical Pain Points
• Failed IT initiatives
• Rising costs
• Perception of low business value for IT investments
• Significant incidents related to IT risk (e.g. data loss)
• Service delivery problems
• Failure to meet regulatory or contractual requirements
• Audit findings for poor IT performance or low service levels
• Hidden and/or rogue IT spending
• Resource waste through duplication or overlap in IT initiatives
• Insufficient IT resources
• IT staff burnout / dissatisfaction
• IT enabled changes frequently failing to meet business needs (late deliveries or budget overruns)
• Multiple and complex IT assurance efforts
• Board members or senior managers that are reluctant to engage with IT
© 2012 ISACA. All Rights Reserved.


Phase 1 - Relevant Trigger Events
• Merger, acquisition or divestiture
• Shift in the market, economy or competitive position
• Change in business operating model or sourcing arrangements
• New regulatory or compliance requirements
• Significant technology change or paradigm shift
• An enterprise-wide governance focus or project
• A new CIO, CFO, COO or CEO
• External audit or consultant assessments
• A new business strategy or priority

By using pain points or trigger events as the launching point for IT governance initiatives, the business case for GEIT improvement can be related to issues being experienced, which will improve buy-in to the business case.


Case Study Scenario: Additional Phase 1 Information
In trying to understand where the Financial Services Organization currently stands in respect to Governance, the IT GRC Manager has identified a number of issues:
• The local office management is confused about what the Initiative is trying to achieve and doesn't appear to be fully engaged.
• Concerns have also been expressed as to the potential cost of the proposed Initiative for what appears to be very little benefit. Suggestions have even been made that if the Overseas Head Office wants the work completed then it should pay for it.
• Additionally, the long-standing relationship issue between IT and Business Management caused by previous project failures is still very much in existence.


Exercise 001
1. Which reason is a root cause for a lack of Senior Management buy-in to an improvement initiative according to the COBIT 5 Implementation Guide?
A. Lack of dedicated resources.
B. Poor perception of the credibility of the IT function.
C. Best practices are copied and are NOT adopted.
D. Continual improvement is NOT part of the culture.
2. Which reason is a root cause of why IT could have difficulty in getting the required business participation according to the COBIT 5 Implementation Guide?
A. Barriers between IT and the business inhibit participation.
B. IT budget committed to infrastructure.
C. Priorities incorrectly allocated.
D. Fear of revealing inadequate practices.
3. Which reason is a root cause for the lack of current enterprise policy and direction within an organization according to the COBIT 5 Implementation Guide?
A. IT budget committed to infrastructure.
B. Best practices are copied and are NOT adopted.
C. Overly optimistic goals.
D. Weak enterprise risk management.


Exercise 001
4. Which 2 documents are Inputs to Phase 1?
A. Outline Business Case for the Governance Initiative.
B. Reports showing the volume of changes since the takeover.
C. A report from HR on staff turnover.
D. A list of stakeholders at the local office and Overseas Head Office.
E. Documented approval from the CEO to proceed.
5. Which 2 documents are Outputs from Phase 1?
A. A process for engaging local Management about the Governance Initiative.
B. A report showing the local office's capability to cope with the required amount of process change as a result of the Governance Initiative.
C. An agreed list of the local office's Roles and Responsibilities for the Governance Initiative.
D. Reports showing the volume of changes since the takeover.
E. Report on the Security issues.
6. Which 2 activities are Programme Management tasks performed during Phase 1?
A. Understand full impact of the Governance Initiative.
B. Raise awareness of compliance issues with the local office.
C. Obtain buy-in and approval from the CEO to proceed.
D. Produce outline Governance Initiative business case.
E. Identify other project dependencies such as the Security and HR projects.


Exercise 001
7. Which 2 activities are Change Enablement tasks performed during Phase 1?
A. Obtain approval from the CEO to proceed.
B. Produce outline Governance Initiative business case.
C. Understand full impact of the Governance Initiative.
D. Raise awareness of compliance issues with the local office.
E. Issue the change plan based on the overseas compliance requirements.
8. Which 2 activities are Continual Improvement tasks performed during Phase 1?
A. Ensure the understanding of the Overseas Head Office's compliance requirements for the local office is correct.
B. Understand full impact of the Governance Initiative.
C. Raise awareness of compliance issues with the local office.
D. Identify other project dependencies such as the Security and HR projects.
E. Raise local Management's awareness of the importance of the Initiative.


Module 4: DP Define Problems & Opportunities


Module 4.1: Phase 2 Where are we now?


DP Define Problems & Opportunities (Where are we now Phase 2)


Continual Improvement Life Cycle Phase‐2

Ref. Figure 19


Roles in Phase 2

Ref. Figure 20


Phase 2 Description (1/5)

Ref. Figure 21


Phase 2 Description (2/5)

Ref. Figure 21


Phase 2 Description (3/5)

Ref. Figure 21


Phase 2 Description (4/5)

Ref. Figure 21


Phase 2 Description (5/5)

Ref. Figure 21


Phase‐2 RACI Chart

Ref. Figure 22


Phase 2 – Where Are We Now?
• Define the problems and opportunities [Programme Management]
  o Understand the pain points that have been identified as governance problems
  o Take advantage of trigger events that provide opportunity for improvement
• Form a powerful guiding team [Change Enablement]
  o Knowledge of the business environment
  o Insight into influencing factors
• Assess the current state [Continual Improvement Life cycle attribute]
  o Identify the IT goals in respect to enterprise goals
  o Identify the most important processes
  o Understand management risk appetite
  o Understand the maturity of existing governance
  o Related processes
© 2012 ISACA. All Rights Reserved.


Module 4.2: Phase 3 Where do we want to be?


DP Define Problems & Opportunities (Where do we want to be? ‐ Phase 3)


Continual Improvement Life Cycle Phase‐3

Ref. Figure 23


Roles in Phase 3

Ref. Figure 24


Phase 3 Description (1/5)

Ref. Figure 25


Phase 3 Description (2/5)

Ref. Figure 25


Phase 3 Description (3/5)

Ref. Figure 25


Phase 3 Description (4/5)

Ref. Figure 25


Phase 3 Description (5/5)

Ref. Figure 25


Phase 3 RACI Chart

Ref. Figure 26


Phase 3 – Where Do We Want to Be?
• Define the roadmap
  o Describe the high level change enablement plan and objectives
• Communicate desired vision
  o Develop a communication strategy
  o Communicate the vision
  o Articulate the rationale and benefits of the change
  o Set the tone at the top
• Define target state and perform gap analysis
  o Define the target for improvement
  o Analyze the gaps
  o Identify potential improvements

© 2012 ISACA. All Rights Reserved.


DP Define Problems & Opportunities


Case Study Scenario: Additional Phase 2 & 3 Information The CIO approached the IT GRC manager and is not convinced that he has captured all of the  COBIT processes needed to mitigate the risks associated with their issues.


Exercise 002
1. Which 2 reasons are root causes of the inability to gain the backing of local business management, according to the COBIT 5 Implementation Guide?
A. The recent takeover has left uncertainty and the threat of further changes.
B. The priorities of the Initiative are NOT in line with the objectives of the local office.
C. There is poor communication about the expected successes of the Initiative.
D. More change is being enforced and the current processes are unable to cope with the existing amount of change.
E. The implementation solution appears to have too many manual workarounds.
2. Which 2 reasons are root causes of why the cost of the IT Governance Initiative appears to exceed any benefit at the local office, according to the COBIT 5 Implementation Guide?
A. There is a perception that there is a lack of required compliance skills at the local office.
B. Structure of the IT Governance Initiative does NOT demonstrate what the benefits will be at this stage of the programme.
C. The recent takeover has left uncertainty and the threat of further changes.
D. Budget funds have already been spent on the takeover and this is seen as a further drain on resources.
E. There is poor communication about the expected successes of the Initiative.


Exercise 002
3. Which 2 actions are success factors which should help resolve the current lack of trust between the local office IT function and Business Management, according to the COBIT 5 Implementation Guide?
A. Produce a RACI matrix for Governance related roles for the local office.
B. Educate the business by running a COBIT 5 training course.
C. Produce a plan of expected changes for the year ahead which take account of the compliance requirements.
D. Only implement improvements that add value to the local office.
E. Ensure all resources are full time and dedicated to the Governance Initiative.
4. Which 2 actions are success factors that should help resolve the inability to gain support from the local office's business management, according to the COBIT 5 Implementation Guide?
A. Produce a RACI matrix for Governance related roles for the local office.
B. Only implement improvements that add value to the local office.
C. Express the Governance Initiative in terms that are relevant to business management.
D. Set up a regular Compliance forum which includes members of both local and Overseas Business Management and local IT Management.
E. Ensure all resources are full time and dedicated to the Governance Initiative.


5. Which 2 actions are success factors that should help resolve the concerns that the local office has regarding the cost of improvements outweighing any potential benefits, according to the COBIT 5 Implementation Guide?
A. Liaise with Business Management to identify initiatives that can be resolved quickly.
B. Secure secondments* of compliance staff from the overseas office.
C. Ensure all resources are full time and dedicated to the Governance Initiative.
D. Only implement improvements that add value to the local office.
E. Focus on the change process as an area to be tackled by the Initiative.

6. There is a current lack of ownership for both the business and IT in respect of who has a role to play in this Governance Initiative. Which CE task is executed to address the concern of lack of ownership for the Governance Initiative at the local office during Phase 2?
A. Engage with HR about producing a communications plan about the future benefits of the Initiative.
B. Develop an escalation process.
C. Elect key representatives from the local office and the Overseas Head Office.
D. Create steering committees for relevant parts of the Initiative.

*Secondment: A temporary transfer of an official or worker to another position or employment.


Module 5: PE Plan & Execute the program


Module 5.1: Phase 4 What needs to be done?


Continual Improvement Life Cycle Phase 4

Ref. Figure 27


Roles In Phase 4

Ref. Figure 28


Phase 4 Description (1/5)

Ref. Figure 29


Phase 4 Description (2/5)

Ref. Figure 29


Phase 4 Description (3/5)

Ref. Figure 29


Phase 4 Description (4/5)

Ref. Figure 29


Phase 4 Description (5/5)

Ref. Figure 29


Phase 4 RACI Chart

Ref. Figure 30


Phase 4 – What Needs to Be Done?

• Develop program plan
  o Prioritize potential initiatives
  o Develop formal and justifiable projects
  o Use plans that include contribution and program objectives
• Empower role players and identify quick wins
  o High benefit, easy implementations should come first
  o Obtain buy-in by key stakeholders affected by the change
  o Identify strengths in existing processes and leverage accordingly
• Design and build improvements
  o Plot improvements onto a grid to assist with prioritization
  o Consider approach, deliverables, resources needed, costs, estimated time scales, project dependencies and risks

© 2012 ISACA. All Rights Reserved.


Module 5.2: Phase 5 How do we get there?


Continual Improvement Life Cycle Phase 5

Ref. Figure 31


Roles in Phase 5

Ref. Figure 32


Phase 5 Description

Ref. Figure 33


Phase 5 RACI Chart

Ref. Figure 34


Phase 5 – How Do We Get There?

• Execute the plan
  o Execute projects according to an integrated program plan
  o Provide regular update reports to stakeholders
  o Document and monitor the contribution of projects while managing risks identified
• Enable operation and use
  o Build on the momentum and credibility of quick wins
  o Plan cultural and behavioral aspects of the broader transition
  o Define measures of success
• Implement improvements
  o Adopt and adapt best practices to suit the enterprise's approach to policies and process changes


Case Study Scenario: Additional Phase 4 & 5 Information

The CIO approached the IT GRC Manager and is not convinced that he has captured all of the COBIT processes needed to mitigate the risks associated with their issues.


Exercise 003

1. Which 2 additional processes should be selected to help mitigate all of the risks associated with the security issues (issue 2)?
A. APO07
B. DSS01
C. BAI06
D. APO01
E. APO08

2. Which 2 additional processes should be selected to help mitigate the risks of projects failing due to cost, delays, scope creep or changed business priorities associated with the project delivery issues (issue 4)?
A. BAI03
B. APO03
C. EDM04
D. MEA01
E. APO06


Case Study Scenario: Additional Phase 4 & 5 Information

Using the Scenario, answer the following questions about change enablement tasks. The project is now at Phase 4 'What needs to be done?'. The IT GRC Manager called a project planning meeting and decided on some Change Enablement objectives in order to 'get things moving'. Decide whether the action taken by the IT GRC Manager to address each objective is an appropriate Phase 4 Change Enablement (CE) task and select the response that supports your decision.


3. Objective 1: Obtain buy-in from the local office.
Action: The IT GRC Manager has held a workshop with key members of business and IT to review and confirm the proposed change management process.
Is this action an appropriate Phase 4 CE task for Objective No 1?
A. No, because any required changes will be enforced through local management or the Overseas Head Office.
B. No, because the commitment to make the change should have been obtained in Phase 3.
C. Yes, because consulting affected stakeholders will help make them responsible to accept results.
D. Yes, because this will ensure the change management process is implemented as a quick win.

4. Objective 2: Speed up the implementation for a new Change process which will apply to both the business and IT.
Action: The IT GRC Manager has decided to implement an IT version of the change response plans.
Is this action an appropriate Phase 4 CE task to address Objective No 2?
A. No, because engagement should have been made with all affected areas prior to the implementation, e.g. the business management.
B. No, because the implementation of the change response plan should have been performed at Phase 3.
C. Yes, because a Phase 4 CE task is about understanding what IT solutions will be needed to support the Overseas Head Office compliance requirements.
D. Yes, because a Phase 4 CE task is to prioritize and select improvements.


5. Objective 3: Build on Phase 2 'Where are we now?' and identify tasks that don't take long to implement.
Action: The IT GRC Manager has decided to go ahead and implement quick wins in as short a time as possible without immediate consultation with the business.
Is this action an appropriate Phase 4 CE task to address Objective No 3?
A. No, because changes to existing processes at the local office should be designed during Phase 1.
B. No, because visibility of the changes by methods such as a workshop is needed.
C. Yes, because providing the concept of the change has been proven.
D. Yes, because a Phase 4 activity is to perform a gap analysis to identify the improvements needed to the change management process.

6. Objective 4: Leverage existing processes (from the Overseas Head Office).
Action: The IT GRC Manager has obtained details of a number of compliance related processes from the Overseas Head Office which are used successfully to manage Compliance. The plan is to adapt these processes for use at the local office.
Is this action an appropriate Phase 4 CE task to address Objective No 4?
A. No, because changes to existing processes at the local office should have been designed during Phase 1.
B. No, because the processes should be implemented 'as is' if they have been used successfully at the Overseas Head Office.
C. Yes, because a Phase 4 CE task is to identify existing strengths.
D. Yes, because identifying work already performed in the organisation prevents duplication of effort and encourages re-use.


Module 6: RB: Realize benefits and review effectiveness


Module 6.1: Phase 6 Did we get there?


Continual Improvement Life Cycle Phase 6

Ref. Figure 35


Roles in Phase 6

Ref. Figure 36


Phase 6 Description (1/3)

Ref. Figure 37


Phase 6 Description (2/3)

Ref. Figure 37


Phase 6 Description (3/3) 

Ref. Figure 37


Phase 6 RACI Chart

Ref. Figure 38


Phase 6 – Did We Get There?

• Realize benefits
  o Monitor the overall performance of the program against business case objectives
  o Monitor and measure the investment performance
• Embed new approaches
  o Provide transition from project mode to business as usual mode
  o Monitor whether new roles and responsibilities have been taken on
  o Track and assess objectives of the change response plans
  o Maintain communication and ensure communication between appropriate stakeholders continues
• Operate and measure
  o Set targets for each metric
  o Measure metrics against targets
  o Communicate results and adjust targets as necessary


Module 6.2: Phase 7 How do we keep the momentum going?


Continual Improvement Life Cycle Phase 7

Ref. Figure 39


Roles in Phase 7

Ref. Figure 40


Phase 7 Description (1/3)

Ref. Figure 41


Phase 7 Description (2/3)

Ref. Figure 41


Phase 7 Description (3/3)

Ref. Figure 41


Phase 7 RACI Chart

Ref. Figure 42


Phase 7 – How Do We Keep Momentum?

• Continual improvements – keeping the momentum is critical to sustainment of the lifecycle
• Review the program benefits
  o Review program effectiveness through a program review gate
• Sustain
  o Conscious reinforcement (reward achievers)
  o Ongoing communication campaign (feedback on performance)
  o Continuous top management commitment
• Monitor and evaluate
  o Identify new governance objectives based on program experience
  o Communicate lessons learned and further improvement requirements for the next iteration of the cycle


Case Study Scenario: Additional Phase 6 & 7 Information

The following questions are about the root causes of the challenges encountered when identifying whether the implementation has met its objectives. The IT GRC Manager decided to speak to a number of key members of the local office Management to gauge feedback on the Governance Initiative. The following issues were obtained from various members of local office staff:
• The change management process is seen as too hard to understand and has resulted in low usage of the process within the local office. Additionally there was feedback that the solution looked like it was a direct copy of the Overseas Head Office process without consideration of local factors.
• The IT staff working on the Initiative are de-motivated as they felt they had been left to manage the project with little or no assistance from the Business Management.
• A lot of feedback was asking the question 'what have we achieved?' as there was a belief that very little had changed, and concerns were raised as to the overall value of the Initiative.


Exercise 004

1. Which 2 actions are success factors that should help to resolve the lack of take up of the change management process?
A. Obtain compliance input from the Overseas Head Office auditors.
B. Involve the business process owners in the future refinement of the change process.
C. Ensure all resources are full time and dedicated to the Governance Initiative.
D. Arrange a training course for users of the change process.
E. Produce a RACI matrix for Governance related roles for the local office.

2. Which 2 actions are success factors that should help to resolve the de-motivation of the IT staff working on the Governance Initiative?
A. Produce a RACI matrix for Governance related roles for the local office.
B. Seek to second* a Compliance resource from the Overseas Head Office.
C. Organise a road show with the Business Management - Revisiting stakeholders.
D. Ensure all resources are full time and dedicated to the Governance Initiative.
E. Arrange a training course for users of the change process.

*Secondment: A temporary transfer of an official or worker to another position or employment.


3. Which 2 actions are success factors that should help to resolve the concern raised over the overall value of the Governance Initiative?
A. Issue a Compliance health check showing progress made.
B. Arrange a training course for users of the change process.
C. Seek to second a compliance resource from the Overseas Head Office.
D. Issue a compliance article on the Intranet site in business terms.
E. Produce a RACI matrix for Governance related roles for the local office.

4. Which 2 documents are Inputs to the Phase 6 review of the Change Management process?
A. Revised process documentation.
B. A signed-off copy of the Change Management Procedure.
C. IT and business measures added into the ongoing monitoring of the change process (post-project).
D. A copy of the Change Management process before the implementation.
E. A copy of the Benefits of the Change Process.


5. Which 2 documents are Outputs of the Phase 6 review of the Change Management process?
A. A signed off copy of the Business Case.
B. Revised process documentation.
C. Business and IT agreed measures to monitor the change process.
D. A signed off copy of the Change Management Procedure.
E. Identification of the appropriate Change agents within the local office.

6. Which 2 activities are Programme Manager tasks to be performed during the Phase 6 review of the Change Management process?
A. Review if the Change Management process is meeting its original intentions.
B. Understand what went well and what didn't.
C. Develop an escalation procedure to Management.
D. Communicate the results of the Change Management procedure to relevant Business and IT parties.
E. Produce a report of the success factors required to be met for a successful implementation of the Change Management process.


Module 7: The Inner Layers: Change Enablement and Continuous Improvement


The Relationship: IMPL‐ Prg M‐ CE ‐ CI


Change Enablement Relationships to Programme Management Steps

The seven phases are shown with the programme management steps they relate to. The table below outlines the seven change enablers (the second, or red, ring) and their relationship to the seven programme management steps (the outer, or dark blue, ring) and to the corresponding continual improvement life cycle phases:

PHASE & PROGRAMME STEP                 CHANGE ENABLER RELATED TO THAT STEP   CONTINUAL IMPROVEMENT LIFE CYCLE
1. Initiate Program                    Establish desire to change            Recognise need to act
2. Define Problems & Opportunities     Form Implementation Team              Assess current state
3. Define Road Map                     Communicate Outcome                   Define target state
4. Plan Programme                      Identify role players                 Build improvement
5. Execute Plan                        Operate and use                       Implement Improvements
6. Realise Benefits                    Embed new approaches                  Operate and Measure
7. Review Effectiveness                Sustain                               Monitor and Evaluate


Making the Business Case, i.e. Justification to the Board

The characteristics of a good business case:
o The importance of a business case cannot be overstated. An appropriate level of urgency needs to be instilled, and the key stakeholders should be aware of the risk of not taking action. An initiative should be owned by a (senior) sponsor, involve all key stakeholders, and be based on a business case.
o Initially this can be a high-level business case dealing with the strategic benefits and costs, and then progress to a more detailed business case. It is a valuable tool available to management in guiding the creation of business value.


Characteristics of a Good Business Case

At a minimum a business case should include:
o The business benefits that will be realized
o The business changes required
o The investments needed
o The on-going IT operating costs
o Constraints and dependencies derived from the risk assessment
o Roles, responsibilities and accountabilities relative to other initiatives
o How the investment and value creation will be monitored throughout the economic life cycle


Exercise 005

• Make a project plan for the COBIT5 Implementation with typical timelines.
• Allocate teams the relevant roles.
• Decide and highlight the "Target State" metrics, compared to the current ones.

*Secondment : A temporary transfer of an official or worker to another position or employment. No part of this document may be reproduced in any form without the explicit written permission of both the 4P Advisory Services and ISACA®. Trademarks, acknowledged.


Module 8: Process Assessment / Verification


Overview


COBIT 5 Process Reference Model


Components of ISO/IEC 15504 Process Assessment


Assessment Process Activities

1 – Initiation
2 – Planning the Assessment
3 – Briefing
4 – Data Collection
5 – Data Validation
6 – Process Attribute Rating
7 – Reporting the Results


1. Initiation
• Identify the sponsor and define the purpose of the assessment: why it is being carried out
• Define the scope of the assessment: which processes are being assessed, and what constraints, if any, apply to the assessment
• Identify any additional information that needs to be gathered
• Select the assessment participants and the assessment team, and define the roles of team members
• Define assessment inputs and outputs
• Have them approved by the sponsor


2. Planning the Assessment
• An assessment plan describing all activities performed in conducting the assessment is developed and documented, together with an assessment schedule
• Identify the project scope
• Secure the necessary resources to perform the assessment
• Determine the method of collating, reviewing, validating and documenting the information required for the assessment
• Co-ordinate assessment activities with the organizational unit being assessed


3. Briefing
• The assessment team leader ensures that the assessment team understands the assessment input, process and output
• Brief the organizational unit on the performance of the assessment: PAM, assessment scope, scheduling, constraints, roles and responsibilities, resource requirements, etc.


4. Data Collection
• The assessor obtains (and documents) an understanding of the process(es), including process purpose, inputs, outputs and work products, sufficient to enable and support the assessment
• Data required for evaluating the processes within the scope of the assessment is collected in a systematic manner
• The strategy and techniques for the selection, collection and analysis of data and the justification of the ratings are explicitly identified and demonstrable
• Each process identified in the assessment scope is assessed on the basis of objective evidence
• The objective evidence gathered for each attribute of each process assessed must be sufficient to meet the assessment purpose and scope
• Objective evidence that supports the assessors’ judgement of process attribute ratings is recorded and maintained in the Assessment Record. This record provides evidence to substantiate the ratings and to verify compliance with the requirements.


5. Data Validation
• Actions are taken to ensure that the data is accurate and sufficiently covers the assessment scope, including:
  – seeking information from first-hand, independent sources;
  – using past assessment results; and
  – holding feedback sessions to validate the information collected.
• Some data validation may occur as the data is being collected


6. Process Attribute Rating
• For each process assessed, a rating is assigned for each process attribute up to and including the highest capability level defined in the assessment scope
• The rating is based on data validated in the previous activity
• Traceability shall be maintained between the objective evidence collected and the process attribute ratings assigned
• For each process attribute rated, the relationship between the indicators and the objective evidence is recorded


7. Reporting the Results
• The results of the assessment are analysed and presented in a report
• The report also covers any key issues raised during the assessment, such as:
  – observed areas of strength and weakness
  – findings of high risk, i.e. the magnitude of the gap between assessed capability and desired/required capability
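The following Python model is an added illustration of activities 4 to 7 above and is not part of the ISACA or 4P Advisory Services material. It keeps an Assessment Record of evidence, checks that every process attribute rating traces back to evidence held in that record (activity 6), derives the capability level from the attribute ratings, and produces the gap finding that activity 7 reports. Two things are assumed because the slides do not show them: the N/P/L/F attribute rating scale and the capability level rule of ISO/IEC 15504-2 (a level is achieved when its attributes are rated L or F and all lower-level attributes are rated F). DSS05 and APO13 are real COBIT 5 process identifiers, but the ratings and evidence entries for them are constructed, and the `high_risk_gap` threshold is an assumed parameter.

```python
"""Toy model of ISO/IEC 15504 assessment activities 4-7 (added example, not from the slides)."""
from dataclasses import dataclass, field
from typing import Dict, List

# Attribute rating scale, assumed from ISO/IEC 15504-2 (not shown on the slides):
# N = Not, P = Partially, L = Largely, F = Fully achieved.
RATING_ORDER = {"N": 0, "P": 1, "L": 2, "F": 3}

# Process attributes per capability level, as named in ISO/IEC 15504-2 / the COBIT PAM.
LEVEL_ATTRIBUTES = {
    1: ("PA1.1",),
    2: ("PA2.1", "PA2.2"),
    3: ("PA3.1", "PA3.2"),
    4: ("PA4.1", "PA4.2"),
    5: ("PA5.1", "PA5.2"),
}


@dataclass
class AttributeRating:
    rating: str            # one of N/P/L/F
    evidence: List[str]    # ids of entries in the Assessment Record


@dataclass
class ProcessAssessment:
    process_id: str
    max_level_in_scope: int    # highest capability level defined in the assessment scope
    target_level: int          # desired/required capability
    ratings: Dict[str, AttributeRating] = field(default_factory=dict)


def traceability_issues(pa: ProcessAssessment, record: Dict[str, str]) -> List[str]:
    """Activity 6: every rating must trace to objective evidence kept in the record."""
    issues = []
    for attr, ar in pa.ratings.items():
        if ar.rating not in RATING_ORDER:
            issues.append(f"{attr}: invalid rating '{ar.rating}'")
        if not ar.evidence:
            issues.append(f"{attr}: no evidence referenced")
        for ev in ar.evidence:
            if ev not in record:
                issues.append(f"{attr}: evidence {ev} missing from Assessment Record")
    return issues


def capability_level(pa: ProcessAssessment) -> int:
    """Assumed ISO/IEC 15504-2 rule: level n is achieved when its attributes are L or F
    and every attribute of the levels below is F. Ratings exist only up to the highest
    level in scope, so the result is capped there; 0 means 'incomplete'."""
    achieved = 0
    for level in range(1, pa.max_level_in_scope + 1):
        this_level_ok = all(
            attr in pa.ratings
            and RATING_ORDER.get(pa.ratings[attr].rating, -1) >= RATING_ORDER["L"]
            for attr in LEVEL_ATTRIBUTES[level]
        )
        lower_ok = all(
            pa.ratings[attr].rating == "F"
            for lv in range(1, level) for attr in LEVEL_ATTRIBUTES[lv]
        )
        if not (this_level_ok and lower_ok):
            break
        achieved = level
    return achieved


def gap_finding(pa: ProcessAssessment, high_risk_gap: int = 2) -> dict:
    """Activity 7: magnitude of the gap between assessed and desired capability.
    high_risk_gap is an assumed reporting threshold, not a COBIT rule."""
    assessed = capability_level(pa)
    gap = max(pa.target_level - assessed, 0)
    return {"process": pa.process_id, "assessed": assessed,
            "target": pa.target_level, "gap": gap, "high_risk": gap >= high_risk_gap}


# Constructed Assessment Record: evidence id -> source (first-hand where possible).
ASSESSMENT_RECORD = {
    "EV-01": "Process description and interview with the process owner",
    "EV-02": "Security monitoring reports for the last three months",
    "EV-03": "Process KPIs defined in the team charter",
    "EV-04": "Work product review: change records lack approval sign-off",
}

# Constructed ratings for COBIT 5 process DSS05 (real id, invented ratings).
DSS05 = ProcessAssessment(
    process_id="DSS05", max_level_in_scope=3, target_level=3,
    ratings={
        "PA1.1": AttributeRating("F", ["EV-01", "EV-02"]),
        "PA2.1": AttributeRating("L", ["EV-03"]),
        "PA2.2": AttributeRating("P", ["EV-04"]),
    },
)

# Constructed ratings for APO13 whose evidence trail is incomplete.
APO13 = ProcessAssessment(
    process_id="APO13", max_level_in_scope=2, target_level=2,
    ratings={
        "PA1.1": AttributeRating("F", ["EV-01"]),
        "PA2.1": AttributeRating("L", []),
        "PA2.2": AttributeRating("F", ["EV-99"]),
    },
)

if __name__ == "__main__":
    for pa in (DSS05, APO13):
        print(pa.process_id, traceability_issues(pa, ASSESSMENT_RECORD))
        print(gap_finding(pa))
```

Running it reports DSS05 at capability level 1 against a target of 3 (a high-risk gap of 2, because PA2.2 is only partially achieved), and flags that APO13's PA2.1 rating has no evidence and PA2.2 cites an evidence id that is not in the Assessment Record, which is exactly the traceability failure activity 6 is meant to prevent.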
