Use of COBIT. IT Projects: A Trap for Audit?


1 IT Projects: A Case for Audit? Use of COBIT. Peter R. Bitterli, CISA
Please respect the copyright: you may pass these slides on to third parties only together with this copyright notice. If you use parts of them in your own talks or presentations, I ask you to cite the source accordingly, just as I include a corresponding reference for all material taken over from other persons or bodies. Excerpt from my personal code of ethical conduct (see I will fairly acknowledge the contributions of third parties

2 IT Projects: A Trap for Audit? Use of COBIT. Peter R. Bitterli
Please respect the copyright: you may pass these slides on to third parties only together with this copyright notice. If you use parts of them in your own talks, I ask you to cite the source accordingly, just as I include a corresponding reference for all material taken over from other persons or bodies. Excerpt from my personal code of ethical conduct (see I will seek and accept honest criticism of the work; acknowledge and correct errors; and fairly acknowledge the contributions of third parties

3 IT Projects: A Trap for Audit?
- IT projects
- Types of project risks
- Project-accompanying audit
- Applying COBIT
- Brief introduction to COBIT 2nd Edition
- IT governance
- COBIT 3rd Edition
- Conclusions

4 IT Projects. Source: Systementwicklung in der Wirtschaftsinformatik (Böhm, Fuchs, Pacher)
What projects have in common:
- complex undertakings
- cut across organisational forms
- one-off undertakings
- are meant to produce a specific result
- limited in time
- associated with numerous uncertainties
Figure: phase models, starting from idea/problem and mandate:
- 3-phase model for small projects
- evaluation projects
- 5-phase model
- 4-phase model for an empirical approach (prototyping: prototype 1, prototype 2, prototype 3)
- phased approach with CASE: requirements analysis, requirements specification, logical system design, physical design & implementation
Phases shown in the models: preliminary study, main study, main study/evaluation, detailed study, prototyping, development, implementation, system construction & introduction, introduction of the new system.

5 Project Risks. Audit areas according to the checklist of the Treuhand-Kammer:
- Project organisation
- Development guidelines
- Test guidelines
- Documentation
- Program changes
- Program identity
- Program safeguarding

6 Project Risks. Source: Projektmanagement in der Wirtschaftsinformatik (B. Jenny)
- Development risks: introduction risk, application risk, supply risk
- Management risks: project leadership risk, planning risk, information and communication risk, coordination risk
- Social risks: motivation risk, political risk, staff risk

7 Project-Accompanying Audit: an attempt to delimit the term
- During development: assessment of the application = (actual) project-accompanying audit; assessment of the development environment = audit of the methods & standards of system development
- At acceptance: assessment of the application = software certification; assessment of the development environment = audit of test and acceptance procedures
- During operation: assessment of the application = application-dependent audit; assessment of the development environment = audit of the methods & standards of maintenance

8 Possible Forms of Involvement (axes: effort, small to large; benefit, small to large)
- Full member of the project group with active participation
- Full member of the working group with active participation
- Participation in the project or working group at the project manager's request
- Participation in sub-areas at the request of audit
- Periodic briefing by the project manager
- Comments on phase documents
- No involvement

9 Calling in Audit. Criteria: audit practice ca
Fundamental objectives:
- Regularity criteria: internal control system, monitoring/verifiability, legal compliance, documentation
- Economy criteria: efficiency, project organisation, user requirements
Criteria for calling in audit: project scope, project duration, project specialities, project significance, project complexity, project costs, project risks, project intensity

10 Calling in Audit. Criteria: project management risks
Criteria for calling in audit:
- Development risks: introduction risks, application risks, supply risks
- Management risks: project leadership/planning risks, information/communication risks, coordination risks
- Social risks: motivation risks, political risks, staff risks
Analysis of project management risks (form columns: topic, explanation, rating, weight, result)
Listed in keyword form are the "areas" that must be examined and rated for their risks. The highest risk in each area must be stated.
Development risks:
- Introduction: involvement of end users in the design; sufficient, timely training; clear and understandable procedures
- Application: complexity; special technologies; degree of innovation; number of interfaces
- Supply: supplied hardware/software components: number, complexity, number of companies involved
- Total development risks
Management risks:
- Project leadership: many years of experience as a project manager, completed training at level WI2; proven competence in the relevant subject area; excellent reputation as a project manager (successes)
- Planning: systematic planning of all activities in terms of time and effort (figures are based on measurements, not on estimates)
- Information/communication: regular and systematic communication (meetings, status reports, problem reports, ) with all (!) parties involved
- Coordination: tight coordination of all sub-projects, including all purchased (outsourced) services; open tracking of pending items with status information
- Total management risks
Social risks:
- Motivation: mood in all project teams; time load on key persons (also in other projects); taking on "foreign" tasks; incentives
- Political environment: sponsorship by executive management; agreement with other business departments; realistic assessment by executive management and senior managers
- Staff: professional qualifications of the project staff; sufficient relief from other projects; clear integration into teams; participation over the entire duration
- Total social risks
Grand total
Rating: (0 = not applicable) 1 = risk is low, 2 = risk is medium, 3 = risk is high
Weight: the default should not be changed
Result: "rating" x "weight"

11 Calling in Audit. Criteria: BFI directive
Risk assessment according to BFI * (levels: level 1, level 2, level 3)
Criteria for the risk analysis:
- Data collection: classification, data protection relevance, recovery effort, archiving obligation
- Application: outage duration, financial relevance
- System: value
Assessment form:
- Application: maximum outage duration; financial relevance; result: highest level of the application
- Data collection: classification; data protection relevance; recovery effort; archiving obligation; n.a.; result: highest level of the data collection
- System: value of the IT assets; highest value of the data collections; highest value of the applications; result: highest level of the system
* Directive No. S02 of the Bundesamt für Informatik (Swiss Federal Office of Information Technology)

12 Calling in Audit. Criteria: COBIT Information Criteria
Criteria for the risk analysis:
- Security: confidentiality, availability, integrity
- Quality: economy, effectiveness
- Fiduciary (regularity): reliability, compliance
Simplified risk assessment (low / medium / high):
- Confidentiality: low = free or internal; medium = confidential; particularly sensitive data or personality profiles under the DSG (Swiss data protection act); restricted group of persons; has consequences; high = secret; accessible only to a small group of persons known by name; considerable impact
- Availability: low = 1 week; medium = 1 working day; high = 1 working hour
- Further rows: integrity, reliability, economy, effectiveness, law/contracts, maximum of all criteria
Entries for these rows, per column in the order given on the slide:
- Low: no question answered with yes; information is not used for internal decisions; no financial impact whatsoever (profit); no delivery to other systems, not a security system; no legal or contractual requirements
- Medium: more than 1 question answered with yes; used for business decisions; direct financial impact possible; central services or security system; legal or contractual requirements
- High: accounting-relevant information is processed; more than 1 additional question answered with yes; substantial share of profit today or in the future; more than 1 additional question answered with yes; considerable impact in case of non-compliance

13 Corporate Governance: COSO & OECD
Principles of Corporate Governance, Corporate Governance also provides the structure through which the objectives of an organisation are set, and the means of attaining those objectives, and determines monitoring performing guidelines. Good corporate governance should provide proper incentives for board and management to pursue objectives that are in the interest of the company and shareholders and should facilitate effective monitoring, thereby encouraging firms to use resources more efficiently. Organisation for Economic Cooperation and Development (OECD)
Responsibility for Control: In order to discharge management's responsibilities as well as to achieve its objectives, they must establish an adequate system of internal control. This control system or framework must be in place to support business requirements for effectiveness and efficiency of operations, reliability of information and compliance with laws and regulations. Committee for Sponsoring Organisations (COSO)

14 Enterprise Governance Model. The Value of Control Objectives for Senior Management
Source: Control Objectives for Enterprise Governance; IT Governance Institute
Business Control Objectives:
- Core business events activities (products, services, etc.)
- Enterprise resources activities (human, facilities, etc.)
Organisational Communication Control Objectives:
- Planning activities (goal sharing)
- Monitoring activities (status sharing)
- Knowledge management activities (knowledge sharing)
IT Control Objectives:
- Link to COBIT (IT resources)
Control Objectives for Net Centric Technology:
- Intranet/Extranet/Internet activities
- Data Warehouse activities
- OLTP activities

15 IT Governance: a Definition. The Value of Control Objectives for Senior Management
IT Governance means:
- IT is aligned with business, enables the business and maximises benefits
- IT resources are used responsibly
- IT related risks are managed appropriately
IT governance is an inclusive term, which encompasses:
- Information systems technology and communication
- Business, legal and other issues
- All concerned stakeholders, directors, senior management, process owners, IT suppliers, users, auditors,

16 IT Governance Approach. COBIT: Governance, Control and Audit for Information and Related Technology
Dimensions: IT processes, information criteria, IT resources (serving the business processes)
COBIT information criteria: effectiveness, efficiency, confidentiality, integrity, availability, compliance, reliability
IT resources: data, applications, technology, facilities, people
Planning & Organisation:
- PO 1 Define a Strategic IT Plan
- PO 2 Define the Information Architecture
- PO 3 Determine the Technological Direction
- PO 4 Define the IT Organisation and Relationships
- PO 5 Manage the IT Investment
- PO 6 Communicate Management Aims and Direction
- PO 7 Manage Human Resources
- PO 8 Ensure Compliance with External Requirements
- PO 9 Assess Risks
- PO 10 Manage Projects
- PO 11 Manage Quality
Acquisition & Implementation:
- AI 1 Identify Solutions
- AI 2 Acquire and Maintain Application Software
- AI 3 Acquire and Maintain Technology Architecture
- AI 4 Develop and Maintain IT Procedures
- AI 5 Install and Accredit Systems
- AI 6 Manage Changes
Delivery & Support:
- DS 1 Define Service Levels
- DS 2 Manage Third-Party Services
- DS 3 Manage Performance and Capacity
- DS 4 Ensure Continuous Service
- DS 5 Ensure Systems Security
- DS 6 Identify and Attribute Costs
- DS 7 Educate and Train Users
- DS 8 Assist and Advise IT Customers
- DS 9 Manage the Configuration
- DS 10 Manage Problems and Incidents
- DS 11 Manage Data
- DS 12 Manage Facilities
- DS 13 Manage Operations
Monitoring:
- M 1 Monitor the Processes
- M 2 Assess Internal Control Adequacy
- M 3 Obtain Independent Assurance
- M 4 Provide for Independent Audit
Matrix of IT processes against information criteria (effectiveness, efficiency, confidentiality, integrity, availability, compliance, reliability) and IT resources (people, applications, technology, facilities, data). Marks per process, in left-to-right order:
- PO1 Define a Strategic Information Technology Plan: P S
- PO2 Define the Information Architecture: P S S S
- PO3 Determine Technological Direction: P S
- PO4 Define the IT Organisation and Relationships: P S
- PO5 Manage the Investment in Information Technology: P P S
- PO6 Communicate Management Aims and Direction: P S
- PO7 Manage Human Resources: P P
- PO8 Ensure Compliance with External Requirements: P P S
- PO9 Assess Risks: S S P P P S S
- PO10 Manage Projects: P P
- PO11 Manage Quality: P P P S
- AI1 Identify Solutions: P S
- AI2 Acquire and Maintain Application Software: P P S S S
- AI3 Acquire and Maintain Technology Architecture: P P S
- AI4 Develop and Maintain IT-Procedures: P P S S S
- AI5 Install and Accredit Systems: P S S
- AI6 Managing Changes: P P P P S
- DS1 Define Service Levels: P P S S S S S
- DS2 Manage Third-Party Services: P P S S S S S
- DS3 Manage Performance and Capacity: P P S
- DS4 Ensure Continuous Service: P S P
- DS5 Ensure Systems Security: P P S S S
- DS6 Identify and Allocate Costs: P P
- DS7 Educate and Train Users: P S
- DS8 Assisting and Advising IT-Customers: P
- DS9 Manage the Configuration: P S S
- DS10 Manage Problems and Incidents: P S
- DS11 Manage Data: P P
- DS12 Manage Facilities: P P
- DS13 Manage Operations: P P S S
- M1 Monitor the Process: P S S S S S S
- M2 Assess Internal Control Adequacy: P P S S S S S
- M3 Obtain Independent Assurance: P P S S S S S
- M4 Provide for Independent Audit: P P S S S S S
Legend: P = primary criteria; S = secondary criteria; = covers these resources

17 Sources Integrated into COBIT: a total of 36 national and international standards
- Technical standards from ISO, EDIFACT, etc.
- Codes of conduct issued by Council of Europe, OECD, ISACA, etc.
- Qualification criteria for IT systems and processes: ITSEC, TCSEC, ISO 9000, SPICE, TickIT, Common Criteria, etc.
- Industry practices and requirements from industry forums (ESF, I4) and government-sponsored platforms (IBAG, NIST, DTI), etc.
- Emerging industry-specific requirements such as from banking, electronic commerce and IT manufacturing
- Professional standards in internal control and auditing: COSO Report, IFAC, AICPA, IIA, ISACA, PCIE, GAO standards, etc.

18 The Framework's Principles. IT Governance and the COBIT Framework (2nd Edition)
Linking the management's IT expectations with the management's IT responsibilities

19 Business Requirements. IT Governance and the COBIT Framework (2nd Edition)
Framework elements: Business Requirements, IT Processes, IT Resources. Requirement categories: Quality, Security, Fiduciary.
- effectiveness: deals with information being relevant and pertinent to the business process as well as being delivered in a timely, correct, consistent and usable manner.
- efficiency: concerns the provision of information through the optimal (most productive and economical) usage of resources.
- confidentiality: concerns protection of sensitive information from unauthorized disclosure.
- integrity: relates to the accuracy and completeness of information as well as to its validity in accordance with the business' set of values and expectations.
- availability: relates to information being available when required by the business process, and hence also concerns the safeguarding of resources.
- compliance: deals with complying with those laws, regulations and contractual arrangements to which the business process is subject; i.e., externally imposed business criteria.
- reliability of information: relates to systems providing management with appropriate information for it to use in operating the entity, in providing financial reporting to users of the financial information, and in providing information to report to regulatory bodies with regard to compliance with laws and regulations.

20 IT Resources. IT Governance and the COBIT Framework (2nd Edition)
Framework elements: Business Requirements, IT Processes, IT Resources.
- Data: Data objects in their widest sense, i.e., external and internal, structured and non-structured, graphics, sound, etc.
- Application Systems: understood to be the sum of manual and programmed procedures.
- Technology: covers hardware, operating systems, database management systems, networking, multimedia, etc.
- Facilities: Resources to house and support information systems.
- People: Staff skills, awareness and productivity to plan, organise, acquire, deliver, support and monitor information systems and services.

21 Central Definitions
Definition of controls: Controls are the policies, procedures, practices and organisational structures that provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected.
Definition of IT control objective: A statement of the desired result (purpose) to be achieved by implementing controls in a particular activity.

22 PO10: Project Management. Examples: control objective PO10.9 and contents of IT process PO
Contents:
- Project management framework
- 10.2 Participation of the business departments in project initiation
- 10.3 Project team membership and responsibilities
- 10.4 Project definition
- 10.5 Project approval
- 10.6 Approval of the project phases
- 10.7 Project master plan
- 10.8 System quality assurance plan
- 10.9 Planning of QA methods
- Formal project risk management
- Test plan
- Training plan
- Post-implementation review
Two typical control objectives:
PO 10.9 Planning of QA methods: Quality assurance tasks must be identified during the planning phase of the project management method. QA tasks should support the accreditation of new or modified systems and ensure that internal controls and security features meet the related requirements.
PO Formal project risk management: Management should introduce a formal project risk management programme in order to eliminate or minimise the risks associated with individual projects (i.e. identification and control of those areas or events that have the potential to cause unwanted changes).

23 IT Governance and COBIT (1). IT Governance and the COBIT Framework (2nd Edition)
IT Governance means: IT is aligned with business, enables the business and maximises benefits
Information and technology support business objectives
Matrix of IT processes against information criteria (effectiveness, efficiency, confidentiality, integrity, availability, compliance, reliability) and IT resources (people, applications, technology, facilities, data). Marks per process, in left-to-right order:
- PO1 Define a Strategic Information Technology Plan: P S
- PO3 Determine Technological Direction: P S
- PO4 Define the IT Organisation and Relationships: P S
- PO6 Communicate Management Aims and Direction: P S
- PO10 Manage Projects: P P
- AI1 Identify Solutions: P S
- AI6 Managing Changes: P P P P S
- DS1 Define Service Levels: P P S S S S S
- DS8 Assisting and Advising IT-Customers: P
- M1 Monitor the Process: P S S S S S S
- M2 Assess Internal Control Adequacy: P P S S S S S
Legend: P = primary criteria; S = secondary criteria; = covers these resources

24 COBIT Control Objectives (1). IT Governance and the COBIT Framework (2nd Edition)
Planning & Organisation: PO 1.1 IT as Part of the Organisation's Long- and Short-Range Plan; PO 1.2 Information Technology Long-Range Plan; PO 1.5 Short-Range Planning for the Information Services Function; PO 1.6 Assessment of Existing Systems; PO 2.1 Information Architecture Model; PO 3.1 Technological Infrastructure Planning; PO 3.2 Monitor Future Trends and Regulations; PO 3.5 Technology Standards; PO 4.1 The Information Services Function Planning or Steering Committee; PO 4.2 Organisational Placement of Information Services Function; PO 4.3 Review of Organisational Achievements; PO 4.4 Roles and Responsibilities; PO 4.7 Ownership and Custodianship; PO 4.8 Data and System Ownership; PO 4.9 Supervision; PO 4.15 Relationships; PO 6.1 Positive Information Control Environment; PO 6.8 Security and Internal Control Framework Policy; PO 10.2 User Department Participation in Project Initiation; PO 10.4 Project Definition; PO 10.5 Project Approval; PO 10.6 Project Phase Approval; PO 10.7 Project Master Plan; PO 10.8 System Quality Assurance Plan; PO Formal Project Risk Management; PO Training Plan; PO Post-Implementation Review Plan; PO 11.1 General Quality Plan; PO 11.8 Coordination and Communication; PO 11.9 Acquisition and Maintenance Framework for the Technology Infrastructure; PO Third-Party Implementor Relationships
Acquisition & Implementation: AI 1.1 Definition of Information Requirements; AI 1.4 Third-Party Service Requirements; AI 1.7 Information Architecture; AI 1.11 Ergonomics; AI 2.2 Major Changes to Existing Systems; AI 2.3 Design Approval; AI 2.12 Controllability; AI 2.16 User Reference and Support Materials; AI 4.1 Future Operational Requirements and Service Levels; AI 4.2 User Procedures Manuals; AI 4.3 Operations Manual; AI 4.4 Training Materials; AI 5.6 Final Acceptance Test; AI 5.10 Evaluation of Meeting User Requirements; AI 5.11 Management's Post-Implementation Review; AI 6.1 Change Request Initiation and Control
Delivery & Support: DS 1.1 Service Level Agreement Framework; DS 1.4 Monitoring and Reporting; DS 1.7 Service Improvement Programme; DS 2.2 Owner Relationships; DS 2.5 Outsourcing Contracts; DS 8.1 Help Desk; DS 8.5 Trend Analysis and Reporting; DS 10.1 Problem Management System
Monitoring: M 1.3 Assessing Customer Satisfaction; M 1.4 Management Reporting; M 2.1 Internal Control Monitoring; M 2.2 Timely Operation of Internal Controls; M 2.3 Internal Control Level Reporting; M 3.4 Independent Effectiveness Evaluation of Third-Party Service Providers

25 IT Governance and COBIT (2). IT Governance and the COBIT Framework (2nd Edition)
IT Governance means: IT resources are used responsibly
Resources are used responsibly
Matrix of IT processes against information criteria (effectiveness, efficiency, confidentiality, integrity, availability, compliance, reliability) and IT resources (people, applications, technology, facilities, data). Marks per process, in left-to-right order:
- PO4 Define the IT Organisation and Relationships: P S
- PO5 Manage the Investment in Information Technology: P P S
- PO10 Manage Projects: P P
- PO11 Manage Quality: P P P S
- AI1 Identify Solutions: P S
- AI2 Acquire and Maintain Application Software: P P S S S
- AI3 Acquire and Maintain Technology Architecture: P P S
- AI4 Develop and Maintain IT-Procedures: P P S S S
- DS1 Define Service Levels: P P S S S S S
- DS2 Manage Third-Party Services: P P S S S S S
- DS3 Manage Performance and Capacity: P P S
- DS6 Identify and Allocate Costs: P P
- DS7 Educate and Train Users: P S
- DS8 Assisting and Advising IT-Customers: P
- DS9 Manage the Configuration: P S S
- M1 Monitor the Process: P S S S S S S
- M2 Assess Internal Control Adequacy: P P S S S S S
Legend: P = primary criteria; S = secondary criteria; = covers these resources

26 COBIT Control Objectives (2). IT Governance and the COBIT Framework (2nd Edition)
Planning & Organisation: PO 1.6 Assessment of Existing Systems; PO 3.2 Monitor Future Trends and Regulations; PO 4.1 The Information Services Function Planning or Steering Committee; PO 4.4 Roles and Responsibilities; PO 4.7 Ownership and Custodianship; PO 4.8 Data and System Ownership; PO 4.9 Supervision; PO 5.1 Annual Information Services Function Operating Budget; PO 5.2 Cost and Benefit Monitoring; PO 5.3 Cost and Benefit Justification; PO 6.1 Positive Information Control Environment; PO 10.1 Project Management Framework; PO 10.2 User Department Participation in Project Initiation; PO 10.4 Project Definition; PO 10.5 Project Approval; PO 10.6 Project Phase Approval; PO 10.7 Project Master Plan; PO 10.9 Planning of Assurance Methods; PO Formal Project Risk Management; PO Post-Implementation Review Plan; PO 11.9 Acquisition and Maintenance Framework for the Technology Infrastructure; PO Third-Party Implementor Relationships
Acquisition & Implementation: AI 1.1 Definition of Information Requirements; AI 1.3 Formulation of Acquisition Strategy; AI 1.4 Third-Party Service Requirements; AI 1.6 Economic Feasibility Study; AI 1.8 Risk Analysis Report; AI 1.9 Cost-Effective Security Controls; AI 1.13 Procurement Control; AI 1.14 Software Product Acquisition; AI 2.12 Controllability; AI 3.1 Assessment of New Hardware and Software; AI 3.2 Preventative Maintenance for Hardware; AI 4.1 Future Operational Requirements and Service Levels
Delivery & Support: DS 1.1 Service Level Agreement Framework; DS 1.3 Performance Procedures; DS 1.4 Monitoring and Reporting; DS 1.6 Chargeable Items; DS 1.7 Service Improvement Programme; DS 2.5 Outsourcing Contracts; DS 2.8 Monitoring; DS 3.3 Monitoring and Reporting; DS 3.5 Proactive Performance Management; DS 3.6 Workload Forecasting; DS 3.7 Capacity Management of Resources; DS 3.8 Resources Availability; DS 3.9 Resources Schedule; DS 6.1 Chargeable Items; DS 6.2 Costing Procedures; DS 6.3 User Billing and Chargeback Procedures; DS 8.1 Help Desk; DS 8.5 Trend Analysis and Reporting; DS 9.4 Configuration Control; DS 10.1 Problem Management System; DS 10.2 Problem Escalation; DS 10.3 Problem Tracking and Audit Trail; DS 13.1 Processing Operations Procedures and Instructions Manual
Monitoring: M 1.1 Collecting Monitoring Data; M 1.2 Assessing Performance; M 1.3 Assessing Customer Satisfaction; M 1.4 Management Reporting; M 2.1 Internal Control Monitoring; M 2.2 Timely Operation of Internal Controls; M 2.3 Internal Control Level Reporting; M 3.3 Independent Effectiveness Evaluation of Information Technology Services; M 3.4 Independent Effectiveness Evaluation of Third-Party Service Providers

27 IT Governance and COBIT (3). IT Governance and the COBIT Framework (2nd Edition)
IT Governance means: IT related risks are managed appropriately
Risks are managed appropriately (figure: damage versus probability)
Matrix of IT processes against information criteria (effectiveness, efficiency, confidentiality, integrity, availability, compliance, reliability) and IT resources (people, applications, technology, facilities, data). Marks per process, in left-to-right order:
- PO3 Determine Technological Direction: P S
- PO4 Define the IT Organisation and Relationships: P S
- PO7 Manage Human Resources: P P
- PO8 Ensure Compliance with External Requirements: P P S
- PO9 Assess Risks: S S P P P S S
- PO11 Manage Quality: P P P S
- AI3 Acquire and Maintain Technology Architecture: P S S
- AI4 Develop and Maintain IT-Procedures: P P S S S
- AI5 Install and Accredit Systems: P S S
- AI6 Managing Changes: P P P P S
- DS1 Define Service Levels: P P S S S S S
- DS2 Manage Third-Party Services: P P S S S S S
- DS4 Ensure Continuous Service: P S P
- DS5 Ensure Systems Security: P P S S S
- DS7 Educate and Train Users: P S
- DS9 Manage the Configuration: P S S
- DS10 Manage Problems and Incidents: P S
- DS11 Manage Data: P P
- DS12 Manage Facilities: P P
- DS13 Manage Operations: P P S S
- M1 Monitor the Process: P S S S S S S
- M2 Assess Internal Control Adequacy: P P S S S S S
- M3 Obtain Independent Assurance: P P S S S S S
Legend: P = primary criteria; S = secondary criteria; = covers these resources

28 COBIT Control Objectives (3). IT Governance and the COBIT Framework (2nd Edition)
Planning & Organisation: PO 2.2 Corporate Data Dictionary and Data Syntax Rules; PO 2.3 Data Classification Scheme; PO 2.4 Security Levels; PO 3.2 Monitor Future Trends and Regulations; PO 3.3 Technological Infrastructure Contingency; PO 4.4 Roles and Responsibilities; PO 4.5 Responsibility for Quality Assurance; PO 4.6 Responsibility for Logical and Physical Security; PO 4.7 Ownership and Custodianship; PO 4.8 Data and System Ownership; PO 4.9 Supervision; PO 4.10 Segregation of Duties; PO 4.13 Key Information Technology Personnel; PO 6.1 Positive Information Control Environment; PO 6.2 Management's Responsibility for Policies; PO 6.3 Communication of Organisation Policies; PO 6.4 Policy Implementation Resources; PO 6.5 Maintenance of Policies; PO 6.6 Compliance with Policies, Procedures and Standards; PO 6.7 Quality Commitment; PO 6.8 Security and Internal Control Framework Policy; PO 6.9 Intellectual Property Rights; PO 6.10 Issue Specific Policies; PO 6.11 Communication of IT Security Awareness; PO 7.4 Cross-Training or Staff Back-up; PO 7.5 Personnel Clearance Procedures; PO 7.7 Job Change and Termination; PO 8.1 External Requirements Review; PO 8.2 Practices and Procedures for Complying with External Requirements; PO 8.3 Safety and Ergonomic Compliance; PO 8.4 Privacy, Intellectual Property and Data Flow; PO 8.6 Compliance with Insurance Contracts; PO 9.1 Business Risk Assessment; PO 9.2 Risk Assessment Approach; PO 9.3 Risk Identification; PO 9.4 Risk Measurement; PO 9.5 Risk Action Plan; PO 9.6 Risk Acceptance; PO 10.8 System Quality Assurance Plan; PO 10.9 Planning of Assurance Methods; PO Formal Project Risk Management; PO 11.1 General Quality Plan; PO 11.2 Quality Assurance Approach; PO 11.3 Quality Assurance Planning; PO 11.4 The Quality Assurance Review of Adherence to the Information Services Function's Standards and Procedures; PO Programme Testing Standards; PO System Testing Standards; PO Parallel/Pilot Testing; PO System Testing Documentation; PO Quality Assurance Evaluation; PO The Quality Assurance Review; PO Quality Metrics; PO Reports of Quality Assurance Reviews
Acquisition & Implementation: AI 1.8 Risk Analysis Report; AI 1.9 Cost-Effective Security Controls; AI 1.10 Audit Trails Design; AI 1.15 Third-Party Software Maintenance; AI 2.12 Controllability; AI 2.13 Availability as a Key Design Factor; AI 2.14 IT Integrity Provisions in Application Programmes; AI 2.15 Application Software Testing; AI 3.2 Preventative Maintenance for Hardware; AI 3.3 System Software Security; AI 3.6 System Software Change Controls; AI 5.4 Testing of Changes; AI 5.5 Parallel / Pilot Testing Criteria and Performance; AI 5.6 Final Acceptance Test; AI 5.7 Security Testing and Accreditation; AI 5.8 Operational Test; AI 5.9 Promotion to Production; AI 6.1 Change Request Initiation and Control; AI 6.2 Impact Assessment; AI 6.3 Control of Changes; AI 6.5 Authorised Maintenance; AI 6.6 Software Release Policy; AI 6.7 Distribution of Software
Delivery & Support (DS 1 to DS 10): DS 1.1 Service Level Agreement Framework; DS 1.4 Monitoring and Reporting; DS 2.2 Owner Relationships; DS 2.3 Third-Party Contracts; DS 2.4 Third-Party Qualifications; DS 2.6 Continuity of Services; DS 2.7 Security Relationships; DS 2.8 Monitoring; DS 3.1 Availability and Performance Requirements; DS 3.2 Availability Plan; DS 3.3 Monitoring and Reporting; DS 4.1 Information Technology Continuity Framework; DS 4.2 IT Continuity Plan Strategy and Philosophy; DS 4.3 Information Technology Continuity Plan Contents; DS 4.4 Minimising IT Continuity Requirements; DS 4.5 Maintaining the IT Continuity Plan; DS 4.6 Testing the Information Technology Continuity Plan; DS 4.7 Information Technology Continuity Plan Training; DS 4.8 Information Technology Continuity Plan Distribution; DS 4.9 User Department Alternative Processing Back-up Procedures; DS 4.10 Critical Information Technology Resources; DS 4.11 Back-up Site and Hardware; DS 4.12 Wrap-up Procedures; DS 5.1 Manage Security Measures; DS 5.2 Identification, Authentication and Access; DS 5.3 Security of Online Access to Data; DS 5.4 User Account Management; DS 5.5 Management Review of User Accounts; DS 5.6 User Control of User Accounts; DS 5.7 Security Surveillance; DS 5.8 Data Classification; DS 5.9 Central Identification and Access Rights Management; DS 5.10 Violation and Security Activity Reports; DS 5.11 Incident Handling; DS 5.12 Re-Accreditation; DS 5.13 Counterparty Trust; DS 5.14 Transaction Authorisation; DS 5.15 Non-Repudiation; DS 5.16 Trusted Path; DS 5.17 Protection of Security Functions; DS 5.18 Cryptographic Key Management; DS 5.19 Malicious Software Prevention, Detection and Correction; DS 5.20 Firewall Architectures and Connections with Public Networks; DS 5.21 Protection of Electronic Value; DS 7.3 Security Principles and Awareness Training; DS 8.1 Help Desk; DS 9.4 Configuration Control; DS 9.5 Unauthorised Software; DS 10.1 Problem Management System; DS 10.2 Problem Escalation
Delivery & Support (DS 11 to DS 13): DS 11.2 Source Document Authorisation Procedures; DS 11.4 Source Document Error Handling; DS 11.6 Data Input Authorisation Procedures; DS 11.7 Accuracy, Completeness and Authorisation Checks; DS 11.9 Data Processing Integrity; DS Data Processing Validation and Editing; DS Data Processing Error Handling; DS Output Balancing and Reconciliation; DS Output Review and Error Handling; DS Security Provision for Output Reports; DS Protection of Sensitive Information; DS Protection of Disposed Sensitive Information; DS Retention Periods and Storage Terms; DS Back-up and Restoration; DS Back-up Jobs; DS Back-up Storage; DS Archiving; DS Protection of Sensitive Messages; DS Authentication and Integrity; DS Electronic Transaction Integrity; DS Continued Integrity of Stored Data; DS 12.1 Physical Security; DS 12.2 Low Profile of the Information Technology Site; DS 12.3 Visitor Escort; DS 12.4 Personnel Health and Safety; DS 12.5 Protection Against Environmental Factors; DS 12.6 Uninterruptable Power Supply; DS 13.5 Processing Continuity
Monitoring: M 1.1 Collecting Monitoring Data; M 2.1 Internal Control Monitoring; M 2.2 Timely Operation of Internal Controls; M 2.3 Internal Control Level Reporting; M 2.4 Operational Security and Internal Control Assurance; M 3.1 Independent Security and Internal Control Certification/Accreditation of IT Services; M 3.2 Independent Security and Internal Control Certification/Accreditation of Third-Party Service Providers; M 3.3 Independent Effectiveness Evaluation of IT Services; M 3.4 Independent Effectiveness Evaluation of Third-Party Service Providers; M 3.5 Independent Assurance of Compliance with Laws and Regulatory Requirements and Contractual Commitments; M 3.6 Independent Assurance of Compliance with Laws and Regulatory Requirements and Contractual Commitments by Third-Party Service Providers; M 3.7 Competence of Independent Assurance Function; M 3.8 Proactive Audit Involvement
Kammer-Seminar: Use of COBIT, Peter R. Bitterli

29 COBIT for Project Work
IT Governance and the COBIT Framework (2nd Edition)
Project Manager:
Use COBIT as a general framework for minimal project and quality assurance standards.
Use COBIT to help ensure that project plans incorporate generally accepted phases in IT planning, acquisition and development, service delivery and project management, and assessment.
Developer:
Use COBIT as minimal guidance for controls to be applied within development processes as well as for internal control to be integrated in information systems being built.
Use COBIT to ensure that all applicable IT control objectives in the development project have been addressed.

30 PO10: Manage Projects
COBIT 3rd Edition (Exposure Draft)
Control over the IT process of managing projects that satisfies the business requirements to set priorities and to deliver on time and within budget is measured by Key Goal Indicators:
Timely project schedule and budget information that are readily accessible on an on-going basis
Increased number of projects on time and on budget
Improved timeliness of project management decisions
Decrease in systemic, i.e., widespread and common, project management problems
Improved timeliness of project risk identification

31 PO10: Manage Projects
Control Self Assessment with COBIT 3rd Edition (Exposure Draft)
enabled by the organisation identifying and prioritising projects in line with the operational plan; moreover, the organisation should adopt and apply sound project management techniques for each project undertaken
measured by Key Performance Indicators:
Increased number of projects delivered in accordance with a defined methodology
Percent of stakeholder participation in projects
Number of project management training days per project team member
Number of project milestone and budget reviews
Percent of projects with post project reviews
Average number of years of experience of project managers

32 PO10: Manage Projects
Control Self Assessment with COBIT 3rd Edition (Exposure Draft)
determined by Critical Success Factors, primarily:
Availability of experienced and skilled project managers.
Existence of an accepted and standard programme management.
There is senior management sponsorship of projects, and stakeholders and IT staff share in the definition, implementation and management of projects.
There is an understanding of the abilities and limitations of the enterprise and the IT organization in managing large, complex projects.
Good traceable work breakdown structures are implemented.
All projects have a plan with effective task decomposition, reasonably accurate estimates, skill requirements, issues to track, a quality plan and a transparent change process.
The transition from the implementation team to the operational team is a well-managed process.

33 Control Self Assessment
Control Self Assessment with COBIT 3rd Edition (Exposure Draft)
For all 34 IT processes: Key Goal Indicators, Key Performance Indicators, Critical Success Factors and a Control Self Assessment scale.
Six levels: Non-existent (0). Initial/Ad Hoc (1). Repeatable but Intuitive (2). Defined Process (3). Managed and Measurable (4). Optimized (5).

34 PO10: Manage Projects
Control Self Assessment with COBIT 3rd Edition (Exposure Draft)
Control over the process Manage projects within the business goal of setting priorities and delivering on time and within budget is:
Non-existent (0). Project management techniques are not used and the organization does not consider business impacts associated with project mismanagement and development project failures.
Initial/Ad Hoc (1). The organization is generally aware of the need for projects to be structured and is aware of the risks of poorly managed projects. The use of project management techniques and approaches within IT is a decision left to individual IT managers. Projects are generally poorly defined and do not incorporate business and technical objectives of the organization or the business stakeholders. There is a general lack of management commitment and project ownership and IT is left to make critical decisions without user management or customer input. There is little or no customer/user involvement in defining IT projects. Within IT projects, there is no clear project organization, and roles and responsibilities are not defined. Project schedules and milestones are poorly defined. Budgets are not tracked for time or expenses involved in the project.

35 PO10: Manage Projects
Control Self Assessment with COBIT 3rd Edition (Exposure Draft)
Repeatable but Intuitive (2). Senior management has gained and communicated an awareness of the need for IT project management. The organization is in the process of learning and repeating certain techniques and methods from project to project. IT projects have informally defined business and technical objectives. There is limited stakeholder involvement in IT project management. Some guidelines have been developed for most aspects of project management, but their application is left to the discretion of the individual project manager.
Defined Process (3). The IT project management process and methodology have been formally established and communicated. IT projects are defined with appropriate business and technical objectives. Stakeholders are involved in the management of IT projects. The IT project organization and some roles and responsibilities are defined. IT projects have defined and updated milestones, schedules, budget and performance measurements. IT projects have formal post system implementation procedures. Informal project management training is provided. Quality assurance procedures and post system implementation activities have been defined, but are not broadly applied by IT managers. Policies for using a balance of internal and external resources are being defined.

36 PO10: Manage Projects
Control Self Assessment with COBIT 3rd Edition (Exposure Draft)
Managed and Measurable (4). Management requires formal and standardized project metrics and lessons learned to be reviewed following project completion. Project management is measured and evaluated throughout the organization and not just within IT. Enhancements to the project management process are formalized and communicated, and project team members are trained on all enhancements. Risk management is performed as part of the project management process. Stakeholders actively participate in the projects or lead them. Project milestones as well as the criteria for evaluating success at each milestone have been established. Value and risk are measured and managed prior to, during, and after the completion of projects. Management has established a programme management function within IT. Projects are defined, staffed and managed to increasingly address enterprise goals, rather than only IT specific ones.
Optimized (5). A proven, full life-cycle project methodology is implemented and enforced, and is integrated into the culture of the entire organization. An on-going programme to identify and institutionalize best practices has been implemented. There is strong and active project support from senior management sponsors as well as stakeholders. IT management has implemented a project organization structure with documented roles, responsibilities and staff performance criteria. A long-term IT resources strategy is defined to support development and operational outsourcing decisions. An integrated programme management office is responsible for projects from inception to post implementation. The programme management office is under the management of the business units and requisitions and directs IT resources to complete projects. Enterprise wide planning of projects ensures that user and IT resources are best utilized to support strategic initiatives.

37 Conclusion
COBIT is a good basis for IT projects:
COBIT contains clear objectives
Approach IT projects holistically
COBIT 3rd Edition (Draft) is VERY interesting:
enables Control Self Assessment
contains clear indicators: Key Goal Indicators, Key Performance Indicators, Critical Success Factors


ITILin60Minuten. Jörn Clausen joernc@gmail.com. Captain Barbossa: And thirdly, the code is more what you d call guidelines than actual rules. ITILin60Minuten Jörn Clausen joernc@gmail.com Captain Barbossa: And thirdly, the code is more what you d call guidelines than actual rules. Elizabeth Swann: Hang the code, and hang the rules. They re more

Mehr

IT Infrastructure Management. Sandeep Parikh Jun 2003

IT Infrastructure Management. Sandeep Parikh Jun 2003 IT Infrastructure Management Sandeep Parikh Jun 2003 AGENDA IT Infrastructure? Why is everyone suddenly taking about it? Identifying problems with most IT Infrastructures The Solution Q&A USER AND IT INFRASTRUCTURE

Mehr

Die COBIT 5 Produktfamilie. (Kurzvorstellung) (mgaulke@kpmg.com) Markus Gaulke

Die COBIT 5 Produktfamilie. (Kurzvorstellung) (mgaulke@kpmg.com) Markus Gaulke Die COBIT 5 Produktfamilie (Kurzvorstellung) Markus Gaulke (mgaulke@kpmg.com) COBIT 5 Produkt Familie COBIT 5 Produktfamilie COBIT 5 - Business Framework COBIT 5 Enabler Guides Enabling Processes Enabling

Mehr

Ausbildungsordnung für den EFA European Financial Advisor (in der Fassung vom 07.10.2013)

Ausbildungsordnung für den EFA European Financial Advisor (in der Fassung vom 07.10.2013) Ausbildungsordnung für den EFA European Financial Advisor (in der Fassung vom 07.10.2013) 1 Grundsätze für das Ausbildungswesen... 2 2 Ausbildungsrahmen... 2 3 Weiterbildungsrahmen... 2 4 Abschließende

Mehr

Corporate Digital Learning, How to Get It Right. Learning Café

Corporate Digital Learning, How to Get It Right. Learning Café 0 Corporate Digital Learning, How to Get It Right Learning Café Online Educa Berlin, 3 December 2015 Key Questions 1 1. 1. What is the unique proposition of digital learning? 2. 2. What is the right digital

Mehr

15. ISACA TrendTalk. Sourcing Governance Audit. C. Koza, 19. November 2014, Audit IT, Erste Group Bank AG

15. ISACA TrendTalk. Sourcing Governance Audit. C. Koza, 19. November 2014, Audit IT, Erste Group Bank AG 15. ISACA TrendTalk Sourcing Governance Audit C. Koza, 19. November 2014, Audit IT, Erste Group Bank AG Page 1 Agenda IT-Compliance Anforderung für Sourcing Tradeoff between economic benefit and data security

Mehr

The Future Internet in Germany and Europe

The Future Internet in Germany and Europe The Future Internet in Germany and Europe David Kennedy Direktor Eurescom GmbH Heidelberg, Deutschland Starting point.. The innovative society and sustainable economy of Europe 2020 will be based on ICT

Mehr

Sicherheit / Sicherung - unterschiedliche Begriffsbestimmung, gemeinsame Fachaspekte

Sicherheit / Sicherung - unterschiedliche Begriffsbestimmung, gemeinsame Fachaspekte Sicherheit / Sicherung - unterschiedliche Begriffsbestimmung, gemeinsame Fachaspekte F. Seidel, BfS Salzgitter (Juli 2002) 1) Begriffsbestimmung (Vergleich unter Nutzung nationaler und internationaler

Mehr

Horst Pohlmann, The Phone House Telecom GmbH

Horst Pohlmann, The Phone House Telecom GmbH Horst Pohlmann, The Phone House Telecom GmbH : Überblick Ziel Vortrags Ausgangssituaton und Historie Von den TAV-Begriffen (1996) zum ISTQB-Glossary(2004) ISTQB Working Party Glossary Einbettung Glossary

Mehr

Combined financial statements as of December 31, 2017

Combined financial statements as of December 31, 2017 Combined financial statements as of December 31, 2017 AUDITOR'S REPORT Aid to the Church in Need (Foundation under Canon Law) Königstein im Taunus KPMG AG Wirtschaftsprüfungsgesellschaft This

Mehr

Support Technologies based on Bi-Modal Network Analysis. H. Ulrich Hoppe. Virtuelles Arbeiten und Lernen in projektartigen Netzwerken

Support Technologies based on Bi-Modal Network Analysis. H. Ulrich Hoppe. Virtuelles Arbeiten und Lernen in projektartigen Netzwerken Support Technologies based on Bi-Modal Network Analysis H. Agenda 1. Network analysis short introduction 2. Supporting the development of virtual organizations 3. Supporting the development of compentences

Mehr

IT-Service Management

IT-Service Management IT-Service Management Der IT-Service wird im IT-Haus erbracht Dipl. Ing. Dr.Dr. Manfred Stallinger, MBA manfred.stallinger@calpana.com calpana business consulting gmbh Das IT-Haus ein Service-Punkt mit

Mehr

TPI NEXT applied for medical. AQSF Fachgruppe Medizintechnik

TPI NEXT applied for medical. AQSF Fachgruppe Medizintechnik TPI NEXT applied for medical AQSF Fachgruppe Medizintechnik About b-quality 2 Ziele und Anforderungen von Testprozessen Testprozesse (sollen) - Fehler finden - Schwachstellen aufdecken Anforderungen an

Mehr

TMF projects on IT infrastructure for clinical research

TMF projects on IT infrastructure for clinical research Welcome! TMF projects on IT infrastructure for clinical research R. Speer Telematikplattform für Medizinische Forschungsnetze (TMF) e.v. Berlin Telematikplattform für Medizinische Forschungsnetze (TMF)

Mehr

Qualität im Schienenverkehr

Qualität im Schienenverkehr Qualität im Schienenverkehr Vergleich 9001 et al. und IRIS. Wie wird in den Regelwerken mit Kennzahlen umgegangen? oder Was können auch "Nicht-Eisenbahner" aus der IRIS nutzen? 1 Inhalte Begrüßen / Vorstellen

Mehr

GURUCAD - IT DIVISION CATIA V5 PLM EXPRESS CONFIGURATIONS Hamburg, 16th February 2010, Version 1.0

GURUCAD - IT DIVISION CATIA V5 PLM EXPRESS CONFIGURATIONS Hamburg, 16th February 2010, Version 1.0 Engineering & IT Consulting GURUCAD - IT DIVISION CATIA V5 PLM EXPRESS CONFIGURATIONS Hamburg, 16th February 2010, Version 1.0 IT DIVISION CATIA V5 DEPARTMENT Mobile: +49(0)176 68 33 66 48 Tel.: +49(0)40

Mehr

BMW GROUP KONZERNDATENSCHUTZ.

BMW GROUP KONZERNDATENSCHUTZ. BMW Group Konzerndatenschutz, Februar 2016 BMW GROUP KONZERNDATENSCHUTZ. PRIVACY IMPACT ASSESSMENTS IN DER PRAXIS AGENDA. Datenschutzfolgenabschätzungen in der DS GVO Datenschutz in der BMW Group Datenschutzfolgenabschätzung

Mehr

POST MARKET CLINICAL FOLLOW UP

POST MARKET CLINICAL FOLLOW UP POST MARKET CLINICAL FOLLOW UP (MEDDEV 2.12-2 May 2004) Dr. med. Christian Schübel 2007/47/EG Änderungen Klin. Bewertung Historie: CETF Report (2000) Qualität der klinischen Daten zu schlecht Zu wenige

Mehr

Vortrag zum Thema E C G - 1 - Das CobiT Referenzmodell für das Steuern von IT-Prozessen. - Das CobiT Referenzmodell für das Steuern von IT-Prozessen -

Vortrag zum Thema E C G - 1 - Das CobiT Referenzmodell für das Steuern von IT-Prozessen. - Das CobiT Referenzmodell für das Steuern von IT-Prozessen - Vortrag zum Thema - Das CobiT Referenzmodell für das Steuern von IT-Prozessen - auf der Veranstaltung: - Wertorientierte IT-Steuerung durch gelebte IT-Governance Vorbereitet für: IIR Deutschland GmbH Vorbereitet

Mehr

Repositioning University Collections as Scientific Infrastructures.

Repositioning University Collections as Scientific Infrastructures. Repositioning University Collections as Scientific Infrastructures. HUMANE Seminar Academic Cultural Heritage: The Crown Jewels of Academia Rome, November 14-16, 2014 Dr. Cornelia Weber Humboldt University

Mehr

Company Profile Computacenter

Company Profile Computacenter Company Profile Computacenter COMPUTACENTER AG & CO. OHG 2014 Computacenter an Overview Computacenter is Europe s leading independent provider of IT infrastructure services, enabling users and their business.

Mehr

New public management and budget management in Hesse

New public management and budget management in Hesse New public management and budget management in Hesse Presentation EURORAI Workshop in Bad Homburg v. d. Höhe 20 May 2011 by Prof. Karl Heinrich Schäfer Director of the Court of Audit of Hesse Agenda 1.

Mehr

Product Lifecycle Manager

Product Lifecycle Manager Product Lifecycle Manager ATLAS9000 GmbH Landauer Str. - 1 D-68766 Hockenheim +49(0)6205 / 202730 Product Lifecycle Management ATLAS PLM is powerful, economical and based on standard technologies. Directory

Mehr

INTERREG IIIa Project R&D - Ready for Research and Development Project results and ongoing activities

INTERREG IIIa Project R&D - Ready for Research and Development Project results and ongoing activities INTERREG IIIa Project R&D - Ready for Research and Development Project results and ongoing activities Györ, 5th December 2007 Key regions + perifary for surveys Background objectives CENTROPE needs a strategy

Mehr

Environmental Management Systems for Oil Transporting companies

Environmental Management Systems for Oil Transporting companies Benefits of Environmental Management Systems for Oil Transporting companies Deutsche Gesellschaft zur Zertifizierung von Managementsystemen q:\...\ benefit of EMS.ppt 0602 Seite 1 Environmental Management

Mehr

IT Risk Management. Digicomp Hacking Day, 11.06.2014 Umberto Annino

IT Risk Management. Digicomp Hacking Day, 11.06.2014 Umberto Annino IT Risk Management Digicomp Hacking Day, 11.06.2014 Umberto Annino Wer spricht? Umberto Annino WirtschaCsinformaEker, InformaEon Security Was ist ein Risiko?! Sicherheit ist das Komplementärereignis zum

Mehr

ISO/IEC 27001. Neue Version, neue Konzepte. Quo Vadis ISMS?

ISO/IEC 27001. Neue Version, neue Konzepte. Quo Vadis ISMS? ISO/IEC 27001 Neue Version, neue Konzepte Quo Vadis ISMS? 2/18 Ursachen und Beweggründe Regulärer Zyklus für Überarbeitung von ISO/IEC 27001:2005 Zusätzlich neues Projekt MSS (Managment System Standards)

Mehr

Human Capital Management

Human Capital Management Human Capital Management Peter Simeonoff Nikolaus Schmidt Markt- und Technologiefaktoren, die Qualifikation der Mitarbeiter sowie regulatorische Auflagen erfordern die Veränderung von Unternehmen. Herausforderungen

Mehr

Labour law and Consumer protection principles usage in non-state pension system

Labour law and Consumer protection principles usage in non-state pension system Labour law and Consumer protection principles usage in non-state pension system by Prof. Dr. Heinz-Dietrich Steinmeyer General Remarks In private non state pensions systems usually three actors Employer

Mehr

prorm Budget Planning promx GmbH Nordring Nuremberg

prorm Budget Planning promx GmbH Nordring Nuremberg prorm Budget Planning Budget Planning Business promx GmbH Nordring 100 909 Nuremberg E-Mail: support@promx.net Content WHAT IS THE prorm BUDGET PLANNING? prorm Budget Planning Overview THE ADVANTAGES OF

Mehr

Titelbild1 ANSYS. Customer Portal LogIn

Titelbild1 ANSYS. Customer Portal LogIn Titelbild1 ANSYS Customer Portal LogIn 1 Neuanmeldung Neuanmeldung: Bitte Not yet a member anklicken Adressen-Check Adressdaten eintragen Customer No. ist hier bereits erforderlich HERE - Button Hier nochmal

Mehr

LE 11: Der Internationale Währungsfond IWF (www.iwf.org)

LE 11: Der Internationale Währungsfond IWF (www.iwf.org) LE 11: Der Internationale Währungsfond IWF (www.iwf.org) 1 11.1 Einführung: Internationale Finanzarchitektur 11.2 Der internationale Währungsfonds IWF 11.1 Internationale Finanzarchitektur (1 von 5) 2

Mehr

LOC Pharma. Anlage. Lieferantenfragebogen Supplier Questionnaire. 9. Is the warehouse temperature controlled or air-conditioned?

LOC Pharma. Anlage. Lieferantenfragebogen Supplier Questionnaire. 9. Is the warehouse temperature controlled or air-conditioned? Please complete this questionnaire and return to: z.h. Leiter Qualitätsmanagement info@loc-pharma.de Name and position of person completing the questionnaire Signature Date 1. Name of Company 2. Address

Mehr

From a Qualification Project to the Foundation of a Logistics Network Thuringia. Logistik Netzwerk Thüringen e.v.

From a Qualification Project to the Foundation of a Logistics Network Thuringia. Logistik Netzwerk Thüringen e.v. From a Qualification Project to the Foundation of a Logistics Network Thuringia Strengthening the role of Logistics through Corporate Competence Development a pilot project by Bildungswerk der Thüringer

Mehr

Cybersecurity Mit Sicherheit!

Cybersecurity Mit Sicherheit! Cybersecurity Mit Sicherheit! Klaus Lenssen Chief Security Officer Cisco Security & Trust Office Deutschland 16. Deutscher Akademietag der Cisco Networking Academies 31. März 2017 Kennen Sie diesen Herren?

Mehr

4... SAP Solution Manager als Plattform für den End-to-End-Anwendungsbetrieb... 63

4... SAP Solution Manager als Plattform für den End-to-End-Anwendungsbetrieb... 63 ... Geleitwort... 15... Vorwort... 17... Einführung... 23 1... Was ist Run SAP?... 25 1.1... Motivation der Run SAP-Methodik... 27 1.2... Roadmap... 29 1.3... Run SAP-Phasen... 32 1.3.1... Assessment &

Mehr

IFRIC Draft Interpretation D3 Determing whether an Arrangement contains a Lease

IFRIC Draft Interpretation D3 Determing whether an Arrangement contains a Lease IFRIC Draft Interpretation D3 Determing whether an Arrangement contains a Lease Liesel Knorr Düsseldorf, 16. März 2004-1- DRSC e.v/öffentliche Diskussion/16.03.2004 Überblick 1. Hintergrund des Interpretationsentwurfs

Mehr

AnyWeb AG 2008 www.anyweb.ch

AnyWeb AG 2008 www.anyweb.ch Agenda - BTO IT heute Was nützt IT dem Business? Die Lösung: HP Software BTO Q&A IT heute Kommunikation zum Business funktioniert schlecht IT denkt und arbeitet in Silos und ist auch so organisiert Kaum

Mehr