CobiT: The Governance Framework

COBIT is a best-practices repository for IT processes, management processes and governance processes. It is the only management and control framework that covers the end-to-end life cycle.

- An internationally accepted collection of best practices
- Management-oriented
- Available free of charge at www.itgi.org
- Continuously developed
- Maintained by a reputable non-profit organisation
- Mapped 100% to COSO
- Strongly mapped to almost all other major related standards

COBIT is a reference, a collection of best practices, not an instant ready-to-use cure. An organisation still needs to analyse its own control requirements and customise them according to:
- Value drivers
- Risk profile
- Infrastructure, organisation and project portfolio

CobiT among other standards
Process Orientation
Business Requirements -> Processes -> Resources

Domains: groupings of processes, often corresponding to an organisation's domains of responsibility. Examples: Plan & Organise, Acquire & Implement, Deliver & Support, Monitor & Evaluate.
Processes: groups of related activities. Examples: Incident Management, Problem Management, Strategy Plan, Change Management, etc.
Activities or Tasks: the actions required to achieve a measurable result. Examples: record a new problem, propose a solution, analyse, monitor the solution, etc.

Control and Control Objective
Definition of Control: the policies, procedures, practices and organisational structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected.
Definition of Control Objective: a statement of the desired result or purpose to be achieved by implementing control procedures in a particular activity.
Process Orientation: the Plan and Organise domain
Description: this domain covers strategy, tactics and the identification of how IT can best contribute to achieving the business objectives. Realising the organisation's strategic vision needs to be planned, communicated and managed in all its aspects.
Topics: strategy and tactics; the planned vision; organisation and infrastructure.
Questions:
- Is IT aligned with the business strategy?
- Is the organisation using its resources optimally?
- Does everyone in the organisation understand the objectives?
- Are the risks understood and managed?
- Does the quality of the systems meet the business requirements?

COBIT Framework (overview diagram)
Business objectives and governance objectives drive the information criteria and IT resources.
Information criteria: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability.
IT resources: Applications, Information, Infrastructure, People.

Plan and Organise
PO1 Define a strategic IT plan.
PO2 Define the information architecture.
PO3 Determine technological direction.
PO4 Define the IT processes, organisation and relationships.
PO5 Manage the IT investment.
PO6 Communicate management aims and direction.
PO7 Manage IT human resources.
PO8 Manage quality.
PO9 Assess and manage IT risks.
PO10 Manage projects.

Acquire and Implement
AI1 Identify automated solutions.
AI2 Acquire and maintain application software.
AI3 Acquire and maintain technology infrastructure.
AI4 Enable operation and use.
AI5 Procure IT resources.
AI6 Manage changes.
AI7 Install and accredit solutions and changes.

Deliver and Support
DS1 Define and manage service levels.
DS2 Manage third-party services.
DS3 Manage performance and capacity.
DS4 Ensure continuous service.
DS5 Ensure systems security.
DS6 Identify and allocate costs.
DS7 Educate and train users.
DS8 Manage service desk and incidents.
DS9 Manage the configuration.
DS10 Manage problems.
DS11 Manage data.
DS12 Manage the physical environment.
DS13 Manage operations.

Monitor and Evaluate
ME1 Monitor and evaluate IT performance.
ME2 Monitor and evaluate internal control.
ME3 Ensure compliance with external requirements.
ME4 Provide IT governance.
CobiT Waterfall Model
The control of IT processes, which satisfy business requirements, is enabled by control statements, considering control practices.
4 domains, 34 processes, 210 control objectives.

Example: the DS2 waterfall (IT process, key controls, key performance indicators)
Example: DS2 Management Guidelines
- Where does the input to this process come from?
- Which processes take the output of this process as input?
- What activities does this process contain?
- Who is responsible?

Control Practices: detailed guidance for each control objective.
Example: DS2 Manage Third-party Services
Control Objective DS2.1 Identification of All Supplier Relationships: Identify all supplier services, and categorise them according to supplier type, significance and criticality. Maintain formal documentation of technical and organisational relationships covering the roles and responsibilities, goals, expected deliverables, and credentials of representatives of these suppliers.
Control Practices:
1. Define and regularly review criteria to identify and categorise all supplier relationships according to supplier type, significance and criticality of service. The list should include a category describing vendors as preferred, non-preferred or not recommended.
2. Establish and maintain a detailed register of suppliers, including name, scope, purpose of the service, expected deliverables, service objectives and key contact details.
Assurance/Audit Guide: how is the operation of the controls in each process tested?
Example: DS2 Manage Third-party Services
Control Objective DS2.1 Identification of All Supplier Relationships: Identify all supplier services, and categorise them according to supplier type, significance and criticality. Maintain formal documentation of technical and organisational relationships covering the roles and responsibilities, goals, expected deliverables, and credentials of representatives of these suppliers.
Test the Control Design:
- Enquire whether, and confirm that, a register of supplier relationships is maintained.
- Obtain and inspect the supplier relationship criteria for reasonableness and completeness of categorisation by supplier type, significance and criticality.
- Determine whether the supplier categorisation scheme is sufficiently detailed to categorise all supplier relationships based on the nature of the contracted services.
- Verify whether past histories of supplier selection/rejection are kept and used.
- Inspect the register of supplier relationships to ensure that it is up to date, appropriately categorised and sufficiently detailed to provide a foundation for monitoring existing suppliers.
- Inspect a representative sample of supplier contracts, SLAs and other documentation to ensure that they correspond with the supplier register.

Process Maturity Assessment
0 Non-existent: no identifiable process exists. The organisation is not aware that there is a problem.
1 Initial: the organisation is aware that a problem exists and needs to be addressed. The approach is mostly ad hoc and case by case.
2 Repeatable: a standard process exists that can be repeated, but it still depends heavily on individuals.
3 Defined: procedures are standardised, documented, formalised and communicated through training.
4 Managed: compliance can be monitored and measured, including the procedures for responding to deviations. The process is within a framework of constant improvement.
5 Optimised: processes have been refined to the level of best practice, based on the results of continuous improvement, and are fully integrated with the business.