III - Presentation 2014 4 15 AP

Governing IT
means seeking solutions that strike the right balance between benefits and risks, with sound management of resources.
It therefore requires an «end-to-end» vision and a renewed capacity to communicate and cooperate within Companies and Public Administrations.
Today, Models – Frameworks and Good Practices are available that address the subject in an innovative way.
COBIT 5®
Alberto Piamonte
[email protected]
1
What is needed?
• Experience teaches that a global vision is needed, in which the Company sees IT as an integral component of the way it does business (no longer a separate component with specific rules disconnected from the real business objectives)
• Business and IT must share objectives, collaborating by dividing the roles of Governance and Management
Therefore:
• Tools / schemes / frameworks are needed that make it possible, in general, to understand:
– Who / what / how / when is involved
– Cause -> effect relationships
in a vision that is as global and shared as possible
A classic example is the notion of utopia as described in Plato's best-known work, The Republic. This means that the "ideal city" as depicted in The Republic is not given as something to be pursued, or to present an orientation point for development; rather, it shows how things would have to be connected, and how one thing would lead to another, if one would opt for certain principles and carry them through rigorously.
2
NIST Cybersecurity Framework
Frameworks
The Framework Core is not a checklist of activities to perform;
it presents key cybersecurity outcomes that are aligned with
activities known to manage cybersecurity risk. These activities
are mapped to a subset of commonly used standards and
guidelines.
BI: PRELIMINARY PROVISIONS AND GENERAL PRINCIPLES
1.
Premise
The internal control system is a fundamental element of banks' overall governance system; it ensures that business activity is in line with corporate strategies and policies ...................
These provisions:
....... represent the general framework of the corporate control system
Compliance Driven Approach
• Check-box mentality
• Tactical & reactive
• Achieve point-in-time Compliance Certification
Risk-Based Approach
• Proactive & Holistic
• Continuous Monitoring
• Proactive mentality
3
Building the Governance Framework
4
COBIT5® «UNIVERSAL» Framework
Why
Benefits
Avoiding Risks
Optimal management of Resources
Interventions
Where to operate
• Processes
• Principles – Policies – Frameworks
• Systems
• People
• Organisation
• Available information
• Culture / ethics
How to operate
• Base Practices / Activities
• Consolidated and universally accepted
• Reference to the main Standards
• Prioritised according to business objectives
When
Actors
Governance
Board of Directors (CDA)
Planning
Business
Organisation
Set-up
IT / IS
Definition
IT Solutions
Control
Service Delivery
Support
Measurement and Control
. . . . . In a structured and connected way . . . . .
5
Governance
Tools
COBIT5® «UNIVERSAL» Framework
• Principles
• Enablers
• Goals
• Assessment
• Implementation Guides
Problem(s)-specific Frameworks
• Info Security
• Risk
• Vendor Mgmt
• Privacy EU
• .....
Business Context
Information Security
Assurance
Enabler Information
Risk
Vendor Mgmt
Knowing the Context and the Issues
6
The Pillars of the Framework:
the COBIT 5 Principles
7
1 – Meeting Stakeholder needs
1. Understand the needs
2. Translate them into Business objectives
3. Translate those into IT objectives
Goals cascade:
Stakeholder Drivers (Environment, Technology Evolution, ...)
Stakeholder Needs: Benefits Realisation, Risk Optimisation, Resource Optimisation
Enterprise Goals
This is our area of intervention: at this level we must identify and manage IT objectives / risks, translating them into concrete actions from a «corporate» perspective
IT-related Goals
Enabler Goals
8
Balanced Scorecard: the «balanced» corporate «Vision»: getting off on the right foot
Goals cascade: Stakeholder Drivers (Environment, Technology Evolution, ...) -> Stakeholder Needs (Benefits Realisation, Risk Optimisation, Resource Optimisation) -> Enterprise Goals -> IT-related Goals -> Process and Enabler Goals
Enterprise Goals by Balanced Scorecard dimension:
Financial
• Stakeholder value of business investments
• Portfolio of competitive products and services
• Managed business risks (safeguarding of assets)
• Compliance with external laws and regulations
• Financial transparency
Customer
• Customer-oriented service culture
• Business service continuity and availability
• Agile responses to a changing business environment
• Information-based strategic decision making
• Optimisation of service delivery costs
Internal
• Optimisation of business process functionality
• Optimisation of business process costs
• Managed business change programmes
• Operational and staff productivity
• Compliance with internal policies
Learning & Growth
• Skilled and motivated people
• Product and business innovation culture
9
Principle 2:
Covering the Enterprise End–to–End
10
Principle 3:
A Single Integrated Framework
COBIT 5:
Aligned with the other standards and frameworks available today
Covers the whole Enterprise
Provides the basis for effectively integrating the other standards, frameworks and practices in use
Integrates all previous ISACA products
An architecture that gives structure to governance rules and produces a coherent set of practical tools
© 2012 ISACA. All Rights Reserved.
11
Principle 3:
A Single Integrated Framework
12
13
Principle 4:
Enabling a Holistic Approach
COBIT 5 defines a set of enablers for the realisation of a comprehensive governance and management system for enterprise IT.
COBIT 5 enablers are:
Factors that, individually or collectively, influence whether something works
Linked to the goals cascade
Described in the COBIT 5 framework in seven categories
© 2012 ISACA. All Rights Reserved.
14
Principle 5 – Separating Governance from Management
15
Principle 5
Separating Governance from Management
• Governance ensures that stakeholder needs, conditions and options are:
– Evaluated to define the objectives to be achieved, in a balanced and agreed manner
– Direction is set by establishing guidelines and priorities
– Performance and progress are monitored against the agreed objectives and priorities (EDM)
• Management plans, builds, runs and monitors the activities aimed at achieving the objectives defined by Governance, in order to reach the enterprise objectives (PBRM)
© 2012 ISACA. All Rights Reserved.
16
The COBIT 5 Enterprise Enablers
17
The dimensions of any COBIT 5 Enabler
Who has an active role in determining what is expected from the enabler?
How is an enabler managed?
Has it delivered the expected results?
Will it deliver the expected results?
18
Enabler:
Processes
• COBIT 5 Enablers: Processes
• constitutes the reference Manual for the 37 COBIT5 Processes
19
Life Cycle
“Generalised” practices (GP), such as those contained in the COBIT5 Process Assessment Model (based on the ISO/IEC 15504 standard), assist in the definition, execution, monitoring and optimisation of a process.
Process Practices: COBIT 5 Enabling Processes describes the “internal Process Practices” in terms of: practices, activities and detailed activities
How is the Process managed?
Will it deliver the expected results?
20
COBIT 5 Process Reference Model
Processes: Holistic view
Govern
Plan and Organise
Manage
Build
Deliver
21
Schema of a COBIT5 Process
[Figure: process schema – Process: Description, Purpose; IT Related Goal with Related Metrics; Process Goals with Related Metrics; Practice: Description, RACI, Input, Output; Activities: From, To; Detailed activities]
22
[Figure: Connection between COBIT5 Processes – Processes A, B and C, each with Description, Purpose, IT Related Goals and Related Metrics, Process Goals and Related Metrics, RACI; Practices with Description, Inputs and Outputs (From / To) and Activities linking one process to another]
A very detailed (and exhaustive) set of relations, comprising for each G/M Practice (210):
Responsibilities (RACI) (25)
Work Products (about 700)
Activities (1112+n) (+ detailed activities)
that can be used operationally
23
Purpose
IT – Related Goals
(primary)
Goals (outcomes)
24
RACI
Base Practices
Excel RACI
25
Base Practice
WP in / out
Activities
26
27
ISO/IEC 15504
(SPICE)
ISACA
Milan Chapter
ISO/IEC 15504
• SPICE Project 1993
• Need for tools to evaluate suppliers in the acquisition of Systems (defence and telecommunications) with high software content
• 2003 release of ISO/IEC 15504
• Focus on:
• How to define a process so as to be able to predict its capability (capability vs. maturity) to produce the expected results (outcomes)
• How to perform the measurement
29
ISO/IEC 15504
Measuring Process Capability
ISO/IEC 15504-2:2003 identifies the measurement framework for process capability and the requirements for:
– performing an assessment;
– process reference models;
– process assessment models;
– verifying conformity of process assessment.
The requirements for process assessment defined in ISO/IEC 15504-2:2003 form a structure which:
– facilitates self-assessment;
– provides a basis for use in process improvement and capability determination;
– takes into account the context in which the assessed process is implemented;
– produces a process rating;
– addresses the ability of the process to achieve its purpose;
– is applicable across all application domains and sizes of organization; and may provide an objective benchmark between organizations.
ASSESSMENT: Objective, Impartial, Consistent, Repeatable, Representative, Comparable
The minimum set of requirements defined in ISO/IEC 15504-2:2003 ensures that assessment results are objective, impartial, consistent, repeatable and representative of the assessed processes. Results of conformant process assessments may be compared when the scopes of the assessments are considered to be similar.
30
ISO/IEC 15504 – Process Assessment Model (PAM)
31
PAM : PRM & MF
32
33
ISACA’s COBIT Assessment Programme
What is the new COBIT assessment process?
• The COBIT process programme is described in COBIT® Process Assessment Model (PAM): Using COBIT® 5.
• PAM brings together two proven ‘heavyweights’ in the IT arena, ISO and ISACA.
• ISACA decided to adopt ISO/IEC 15504-2:2003 Information technology—Process assessment—Part 2: Performing an assessment, which supports, among others, both the Committee of Sponsoring Organizations of the Treadway Commission’s Internal Control—Integrated Framework and ITIL Version 3 assessments using the ISO approach.
• The COBIT PAM uses the existing COBIT 5 content: an ISO 15504 compliant process assessment model.
35
Process Attributes and Capability Levels
This figure is reproduced from ISO 15504-5 2006 with the permission of ISO at www.iso.org. Copyright remains with ISO.
36
Same schema
[Figure: COBIT5 process schema – Process: Description, Purpose; IT Related Goal with Related Metrics; Process Goals with Related Metrics; "Supports" relation; Practice: Description, RACI, Input, Output, From, To, Activity]
37
PAM - Capability levels
Level 5 – Optimizing process: Predictable process is continuously improved to meet relevant, current and projected business goals, incorporating process innovation and optimisation.
Level 4 – Predictable process: Established process operates within defined limits to achieve its process outcomes, as a measured and controlled process.
Level 3 – Established process: Managed process is implemented as a defined process that is capable of achieving its process outcomes.
Level 2 – Managed process: Performed process is now implemented in a managed fashion (planned, monitored and adjusted) and its work products are appropriately established, controlled and maintained.
Level 1 – Performed process: The implemented process achieves its process purpose.
Level 0 – Incomplete process: The process is not implemented, or fails to achieve its process purpose. No evidence of any systematic achievement of the process purpose.
38
COBIT5 Process Assessment Model highlights
39
PAM Performance Indicators (Level 1)
Level 1 – Performance Indicators, with description (reference: Cobit5-Enabling Processes):
Outcomes – Process Goals
Base Practices – Process Practices
Work Product – Inputs/Outputs of the Practices
To show whether the Process is implemented and pursues its objectives (level 1)
40
Level 1 example: EDM03 Process
Performances Indicators
Outcomes
Base Practices
Work product
41
PAM Capability Indicators (Levels 2-5)
Levels 2-5 – Capability Indicators, with description:
Generic Practices – Activities that qualify the Capability level
Generic Resources – Resources used in the Practices
Generic Work Product – Result of the Practices
To show the adequacy («capabilities») of the Process (levels 2-5)
42
Process attribute ratings and Capability levels

Scale     Process attribute          Code         Rating
Level 1   Process Performance        PA 1.1       Largely or fully
Level 2   Level 1 attributes         PA 1.1       Fully
          Performance Management     PA 2.1       Largely or fully
          Work Product Management    PA 2.2       Largely or fully
Level 3   Level 1 attributes         PA 1.1       Fully
          Level 2 attributes         PA 2.1/2.2   Fully
          Process Definition         PA 3.1       Largely or fully
          Process Deployment         PA 3.2       Largely or fully
Level 4   Level 1 attributes         PA 1.1       Fully
          Level 2 attributes         PA 2.1/2.2   Fully
          Level 3 attributes         PA 3.1/3.2   Fully
          Process Measurement        PA 4.1       Largely or fully
          Process Control            PA 4.2       Largely or fully
Level 5   Level 1 attributes         PA 1.1       Fully
          Level 2 attributes         PA 2.1/2.2   Fully
          Level 3 attributes         PA 3.1/3.2   Fully
          Level 4 attributes         PA 4.1/4.2   Fully
          Process Innovation         PA 5.1       Largely or fully
          Process Optimization       PA 5.2       Largely or fully

Rating scale:
N   Not achieved         0 to 15% achievement
P   Partially achieved   15% to 50% achievement
L   Largely achieved     50% to 85% achievement
F   Fully achieved       85% to 100% achievement
43
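As an added example, not part of this slide deck or of ISACA's or ISO's material, the following Python encodes the rating scale and the level rule from the table above: a capability level is reached when each of its own process attributes is rated at least Largely and every attribute of the lower levels is rated Fully. It also reports which attributes fall short of the next level, which is the remediation view an assessor or a security-process owner actually works from. The percentages for EDM03 are constructed for the example, and the convention that exactly 15%, 50% and 85% belong to the lower band is an assumption taken from ISO/IEC 15504-2.

```python
"""Capability-level determination per the ISO/IEC 15504 measurement framework
used by the COBIT 5 PAM (added example; only the tables come from the slides)."""
from typing import Dict, List, Tuple

# Process attributes (PAs) belonging to each capability level, from the PAM table.
PROCESS_ATTRIBUTES: Dict[int, List[str]] = {
    1: ["PA 1.1"],              # Process Performance
    2: ["PA 2.1", "PA 2.2"],    # Performance Management, Work Product Management
    3: ["PA 3.1", "PA 3.2"],    # Process Definition, Process Deployment
    4: ["PA 4.1", "PA 4.2"],    # Process Measurement, Process Control
    5: ["PA 5.1", "PA 5.2"],    # Process Innovation, Process Optimization
}

# Ordinal value of the N/P/L/F rating scale so that ratings can be compared.
RATING_ORDER = {"N": 0, "P": 1, "L": 2, "F": 3}


def rate(achievement_pct: float) -> str:
    """Map a percentage of achievement to an N/P/L/F rating.

    Bands are those of the rating scale (0-15, 15-50, 50-85, 85-100); the
    boundary convention assumed here (ISO/IEC 15504-2) puts exactly 15%, 50%
    and 85% in the lower band.
    """
    if not 0 <= achievement_pct <= 100:
        raise ValueError("achievement must be between 0 and 100 percent")
    if achievement_pct > 85:
        return "F"
    if achievement_pct > 50:
        return "L"
    if achievement_pct > 15:
        return "P"
    return "N"


def capability_level(ratings: Dict[str, str]) -> int:
    """Return the highest capability level (0-5) supported by the PA ratings.

    Level n is reached when every PA of level n is rated at least Largely and
    every PA of the levels below n is rated Fully. A PA with no rating counts
    as Not achieved, so an incomplete assessment cannot inflate the level.
    """
    level = 0
    for lvl in range(1, 6):
        own_ok = all(RATING_ORDER[ratings.get(pa, "N")] >= RATING_ORDER["L"]
                     for pa in PROCESS_ATTRIBUTES[lvl])
        lower_ok = all(ratings.get(pa, "N") == "F"
                       for low in range(1, lvl) for pa in PROCESS_ATTRIBUTES[low])
        if not (own_ok and lower_ok):
            break
        level = lvl
    return level


def shortfall(ratings: Dict[str, str], target_level: int) -> Dict[str, Tuple[str, str]]:
    """List the PAs whose rating is below what target_level requires.

    Returns {pa: (actual, required)}; an empty dict means the target is met.
    """
    gaps: Dict[str, Tuple[str, str]] = {}
    for lvl in range(1, target_level + 1):
        required = "L" if lvl == target_level else "F"
        for pa in PROCESS_ATTRIBUTES[lvl]:
            actual = ratings.get(pa, "N")
            if RATING_ORDER[actual] < RATING_ORDER[required]:
                gaps[pa] = (actual, required)
    return gaps


# Constructed sample: an assessor's achievement percentages for one process.
# EDM03 is used only as the label; the figures are invented for this example.
EDM03_ACHIEVEMENT: Dict[str, float] = {
    "PA 1.1": 92.0, "PA 2.1": 70.0, "PA 2.2": 88.0, "PA 3.1": 40.0, "PA 3.2": 20.0,
}


def assess(achievement: Dict[str, float]) -> Tuple[Dict[str, str], int]:
    """Convert percentages to ratings and determine the resulting capability level."""
    ratings = {pa: rate(pct) for pa, pct in achievement.items()}
    return ratings, capability_level(ratings)


if __name__ == "__main__":
    edm03_ratings, edm03_level = assess(EDM03_ACHIEVEMENT)
    print("ratings:", edm03_ratings)
    print("capability level:", edm03_level)
    print("to reach level", edm03_level + 1, "improve:",
          shortfall(edm03_ratings, edm03_level + 1))
```

With the constructed figures the process rates F, L, F, P, P and lands at level 2: level 3 is blocked both because PA 2.1 is only Largely achieved (lower levels must be Fully achieved) and because PA 3.1 and PA 3.2 are only Partially achieved. Treating a missing attribute as Not achieved is deliberate: an assessment that skipped an attribute should never report a higher level than the evidence supports.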
Generic Practice & Work Product
Level 2
GENERIC PRACTICE
GP 2.1.1 Identify the objectives for the performance of the process
GP 2.1.2 Plan and monitor the performance of the process to fulfil the identified objectives
GP 2.1.3 Adjust the performance of the process
GP 2.1.4 Define responsibilities and authorities for performing the process
GP 2.1.5 Identify and make available resources to perform the process according to plan
GP 2.1.6 Manage the interfaces between involved parties
GP 2.2.1 Define the requirements for the work products, including content structure and quality criteria
GP 2.2.2 Define the requirements for documentation and control of the work products
GP 2.2.3 Identify, document and control the work products
GP 2.2.4 Review and adjust work products to meet the defined requirements
WORK PRODUCT
44
Generic Practice & Work Product
Level 3
GENERIC PRACTICE
GP 3.1.1 Define the standard process that will support the deployment of the defined process
GP 3.1.2 Determine the sequence and interaction between processes so that they work as an integrated system of processes
GP 3.1.3 Identify the roles and competencies for performing the standard process
GP 3.1.4 Identify the required infrastructure and work environment for performing the standard process
GP 3.1.5 Determine suitable methods to monitor the effectiveness and suitability of the standard process
GP 3.2.1 Deploy a defined process that satisfies the context
GP 3.2.2 Assign and communicate roles, responsibilities and authorities for performing the defined process
GP 3.2.3 Ensure necessary competencies for performing the defined process
GP 3.2.4 Provide resources and information to support the performance of the defined process
GP 3.2.5 Provide adequate process infrastructure to support the performance of the defined process
GP 3.2.6 Collect and analyse data about performance of the process to demonstrate its suitability and effectiveness
WORK PRODUCT
45
Generic Practice & Work Product
Level 4
GENERIC PRACTICE
GP 4.1.1 Identify process information needs, in relation with business goals
GP 4.1.2 Derive process measurement objectives from process information needs
GP 4.1.3 Establish quantitative objectives for the performance of the defined process, according to the alignment of the process with the business goals
GP 4.1.4 Identify product and process measures that support the achievement of the quantitative objectives for process performance
GP 4.1.5 Collect product and process measurement results through performing the defined process
GP 4.1.6 Use the results of the defined measurement to monitor and verify the achievement of the process performance objectives
GP 4.2.1 Determine analysis and control techniques appropriate to control the process performance
GP 4.2.2 Define parameters suitable to control the process performance
GP 4.2.3 Analyse process and product measurement results to identify variations in process performance
GP 4.2.4 Identify and implement corrective actions to address assignable causes
GP 4.2.5 Re-establish control limits following corrective action
WORK PRODUCT
46
Generic Practice & Work Product
Level 5
GENERIC PRACTICE
GP 5.1.1 Define the process improvement objectives for the process that supports the relevant business goals
GP 5.1.2 Analyse measurement data of the process to identify real and potential variations in process performance
GP 5.1.3 Identify improvement opportunities of the process based on innovation and best practices
GP 5.1.4 Derive improvement opportunities of the process from new technologies and process concepts
GP 5.1.5 Define an implementation strategy based on long-term improvement vision and objectives
GP 5.2.1 Assess the impact of each proposed change against the objectives of the defined and standard process
GP 5.2.2 Manage the implementation of agreed changes to selected areas of the defined and standard process according to the implementation strategy
GP 5.2.3 Based on actual performance, evaluate the effectiveness of process change against process performance, capability objectives and business goals
WORK PRODUCT
47
Generic Work Product Indicators (ISO 15504)
48
Other «SPICES»
• Industry
– AUTOMOTIVE SPICE
• Finance
– AML
– Financial Control Assessment
– EEC Funds
• Enterprise SPICE
• Others
– SEDA 2012
– Medi SPICE
– ITIL
– ISO 15504-10 Safety extension
49
QUESTIONS &
COMMENTS
© 2013 ISACA. All rights reserved