CobIT 5 est le nouveau cadre de gouvernance IT conçu pour assister les entreprises dans l'atteinte de leurs objectifs concernant la gouvernance et la gestion des technologies de l'information. Il fournit aux gestionnaires, aux auditeurs et professionnels de l'informatique un ensemble de mesures généralement acceptées (best practices), des indicateurs de performance, des processus et des meilleures pratiques destinées à les aider à générer de la valeur ajoutée pour le business, tout en maximisant les avantages, la gestion et la réduction des risques et en optimisant les ressources.
1. ITIL V3 Foundation
Les nouveautés de COBIT 5
Connaissances fondamentales
et mise en œuvre de COBIT 5
Lausanne, 13.9.2012
Stephane Perroud, SP Consulting
Raphael Rues, Digicomp Academy Suisse Romande SA
2. Orateur Stéphane Perroud
Formations
Ingénieur ETS / HES
Economiste HEC
Master en Management de la Sécurité des SI
Expériences
Développeur J2EE et Web (LODH)
Auditeur informatique (PwC)
Consultant en Management de la Sécurité des SI
Formateur en Gouvernance, Sécurité et Audit (COBIT,
CISA, CISSP, CISM, ISO 27001, ITIL, Sécurité, Réseau,
Gestion des Risques) (HEG Genève et Digicomp)
Consultant en Gouvernance, Audit et Sécurité( Stéphane
Perroud Consulting)
Certifications et examens
Gestion appliquée de projets, COBIT Foundation 4.1,
Management of Risk, CISA, CISM, ITIL v3 Foundation,
CISSP, Lead Auditor ISO 20’000, Lead Auditor
ISO27001
Stéphane Perroud
www.sperroud.ch
consulting@sperroud.com
3. Orateur Raphael Rues
Formations
Wirtschaftsinformatiker II Eidg. Dipl
BA Histoire Economique et MSc en Gestion des Risques
Expériences
Responsable IT Security Helsana Dübendorf
Risk Manager, Digicomp Zürich
Co-Fondateur, Co-Directeur Digicomp Romandie
Auditeur informatique, Consultant en Management de la
Sécurité des SI, MinimaRisk Zug
Formateur en IT Management (COBIT, Security, ITIL)
Certifications et examens
ITIL Service Manager V2, ITIL Expert V3, COBIT,
Management of Risk, Lead Auditor ISO 20000, Lead
Auditor ISO27001, Prince2
Raphael Rues
www.digicomp.ch
raphael.rues@digicomp.ch
6. Gouvernance / Management
La Gouvernance assure que les objectifs de l'entreprise sont
atteints en évaluant les besoins des intervenants, les
conditions et les options; l’établissement de l'orientation en
priorisant et prenant des décisions; la surveillance du
rendement, de la conformité et des progrès par rapport à
l'orientation et aux objectifs convenus (EDM).
Le Management planifie, construit, exécute et surveille les
activités en alignement avec la direction fixée par l'organe de
gouvernance afin d’atteindre les objectifs de l'entreprise
(PBRM).
8. Historique
Governance of Enterprise IT
COBIT 5
IT Governance
COBIT4.0/4.1
Management
COBIT3
Control
COBIT2
Audit
COBIT1
2005/720001998
Evolutiondupérimètre
1996 2012
Val IT 2.0
(2008)
Risk IT
(2009)
9. Changements dans COBIT 5
Nouveaux Principes GEIT (Governance of Enterprise IT)
Concentration accrue sur les catalyseurs
Nouveau modèle de référence des processus
Nouveaux et amélioration des processus
Pratiques et activités
Objectifs et métriques
Entrées et sorties des processus
Tableaux RACI
Les modèles de maturité
L’évaluations des processus
23. Facteurs clés de succès
Engagement et soutien de la direction, qui donne l’orientation
Compréhension des objectifs métiers et informatiques
Communication et management efficaces des changements
nécessaires
Modifier COBIT et autres standards pour s'adapter au
contexte de l'entreprise
Mettre l'accent sur les gains rapides et prioriser les
améliorations les plus utiles et plus faciles
28. Conclusions
COBIT 5 rassemble 5 principes qui permettent à l'entreprise de
construire une gouvernance efficace et d'un cadre de
management fondés sur un ensemble holistique de 7
catalyseurs qui optimisent les investissements IT et leur
utilisation au profit des parties prenantes.
29. Digicomp et Cobit: What’s next
Printemps 2013 : nouveau examen Foundation avec ISACA
et APMG, disponible qu’en Anglais
Cobit 4.1 Foundation : http://www.digicomp.ch/cours/CB1.html
Cobit 5 Nouveautés : http://www.digicomp.ch/cours/CB2.html
Value creation means realizing benefits at an optimal resource cost while optimising risk. Benefits can take many forms, e.g., financial for commercial enterprises or public service for government entities.For each decision, questions should be asked: For whom are the benefits? Who bears the risk? What resources are required?
Every enterprise operates in a different context : external and internal factors, and requires customized governance and management systemStakeholder needs have to be transformed into an enterprise’s actionable strategy.The COBIT 5 goals cascade translates stakeholder needs into specific, actionable and customized enterprise goals, IT-related goals and enabler goals:Allows setting specific goals at every levelSupports alignment between enterprise needs and IT solutions and servicesIdentifies and communicate how enablers are important to achieve enterprise goals Each enterprise should build its own goals cascade, compare it with COBIT and then refine it.
Means:Integrates governance of enterprise IT into enterprise governance.Covers all functions and processes related to IT (internal and external, IT and business).Governance approach:Enablers (frameworks, principles, structures, processes, practices, resources, people, information, …)Scope (enterprise [COBIT 5], entity, tangible or intangible asset, …)Roles, activities and relationships (who is involved, how they are involved, what they do, how they interact)
COBIT 5 framework delivers to its stakeholders the most complete and up-to-date guidance on governance and management of enterprise IT by:New content development (COBIT+VALIT+RISK IT, needed updates, alignment to other standards and framework (ITIL, ISO, TOGAF, …))Set of governance and management enablersCOBIT 5 knowledge base with all guidance and contentReference of good practices
Enablers are factors that influence whether governance and management over enterprise IT will work. They are driven by the goals cascade.Principles, policies and frameworks are the vehicle to translate the desired behaviour into practical guidance for day-to-day management.Processes describe an organised set of practices and activities to achieve certain objectives and produce a set of outputs in support of achieving overall IT-related goals.Organisational structures are the key decision-making entities in an enterprise.Culture, ethics and behaviourof individuals and of the enterprise are very often underestimated as a success factor in governance and management activities.Information is pervasive throughout any organisation and includes all information produced and used by the enterprise.Services, infrastructure and applications provide the enterprise with information technology processing and services.People, skills and competencies are required for successful completion of all activities and for making correct decisions and taking corrective actions.
Set of common dimensions: simple and structured way to deal with enablers.Enablers dimensionsEnablers have:Stakeholders: internal or externalGoals (expected outcomes, application or operation of the enabler): Intrinsic quality: work accurately, objectively, (accurate, objective, reputable results)Contextual quality: enablers and outcomes fit for purpose given the context. Outcomes are relevant, complete, current, appropriate, consistent, easy to use, …Access and security: enablers and outcomes are accessible and securedLife cycle: enablers have life cycleGood practices: how to best implement enablers, required inputs and outputsEnabler performance managementExpect positive outcomes from application and use of enablers. Monitoring and metrics on regular basis (see Enabling Processes):Are stakeholder needs addressed? (KGI - lag indicator)Are enabler goals achieved? (KGI - lag indicator)Is enabler life cycle managed? (KPI - lead indicator)Are good practices applied? (KPI - lead indicator)
Clear distinction between governance and management: different types of activities, require different organisational structures and serve different purposes.Governance: ensures that stakeholder needs are evaluated to determine enterprise objectives; setting direction through prioritisation and decision making; and monitoring performance and compliance against agreed-on direction and objectives.Responsibility of the board of directors under the leadership of the chairperson.Management: plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives.Responsibility of the executive management under the leadership of the CEO.
Defines and describes in detail 37 governance and management processes normally found in an enterprise relating to IT activities. Each enterprise must define its own process set, taking into account its specific situation.2 main process domains:Governance: Contains five governance processes; within each process, evaluate, direct and monitor (EDM) practices are defined.Management: Contains four domains, in line with plan, build, run and monitor (PBRM),and provides end-to-end coverage of IT. These domains are an evolution of the COBIT 4.1 domain and process structure:– Align, Plan and Organise (APO)– Build, Acquire and Implement (BAI)– Deliver, Service and Support (DSS)– Monitor, Evaluate and Assess (MEA)
Governance and management of enterprise IT will be different for every enterprise, context needs to be understood, adapt COBIT implementation of governance and management of enterprise IT enablers.Practical and guidance in publication “COBIT 5 Implementation”Supported by an implementation tool kit containing assessment, measurement and diagnostic tools, documentation for various audiences, articles and explanations.
Address complexity and challenges encountered during implementation.3 components of the life cycle are the:1. Continual improvement life cycle2. Enablement of change3. Management of the programmePhase 1: identifies desire to changePhase 2: defines scope of implementation or improvement initiative. Assessment of the current statePhase 3: set the targetPhase 4: creates business casesPhase 5: solution implemented into day-to-day practicesPhase 6: operate and monitor of benefitsPhase 7: review for continual improvement
Process maturity models used to measure the current maturity of an enterprise’s IT-related processes, to define a required state of maturity, and to determine the gap between them and how to improve the process to achieve the desired maturity level.COBIT 5 is based on ISO/IEC 15504 Software Engineering—Process Assessment standard.Different from the COBIT 4.1 maturity model in its design and use.
Assessing a process maturity:Assessment whether control objectives for the process were metObtain maturity profile of the process from maturity modelUse generic maturity model for the process to obtain detail view on maturity levelReview process controls
Differences:Cannot compare COBIT 4.1 and COBIT 5 capability scales. Meaning is different. Score in COBIT 5 will be lower.9 process attributes in ISO 15504. Not identical with COBIT 4.1 (overlap, map to a certain extent).Benefits of the changes:Improved focus on process to confirm it achieves purpose and delivers outcomes as expected.Simplified, more reliable and usable process assessment (COBIT 4.1 needed number of specific components)Compliance with process assessment standard.