
Transcript of Cobit - Gap Analysis.ppt

Page 1: Cobit - Gap Analysis.ppt

IS GOVERNANCE: COBIT – Gap Analysis

ADVISORY

INTERNAL AUDIT, RISK & COMPLIANCE

Jan, 20XX

Page 2: Cobit - Gap Analysis.ppt

© 2010 Caipo y Asociados S. Civil de R. L., a Peruvian limited liability civil partnership and member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ("KPMG International"), a Swiss entity. All rights reserved. Printed in Peru.

Index

Executive Summary (page 2)
Plan and Organize Gap Analysis (page 3)
Acquire and Implement Gap Analysis (page 20)
Deliver and Support Gap Analysis (page 42)
Monitor and Evaluate Gap Analysis (page 57)

Page 3: Cobit - Gap Analysis.ppt


Executive Summary

This document presents the analysis resulting from the validation of controls, based on the COBIT Quick Start framework, against the current practices of the IT Department.

Its purpose is to present the analysis of the current situation and current work practices, the issues identified, and recommendations to improve the IT control environment under the COBIT Quick Start framework.

This report should be used to generate a high-level IT work plan that closes the identified gaps and takes corrective action in a cost-effective manner, in the context of implementing an internal control system.

This report presents the controls for each of the four domains that comprise the COBIT Quick Start framework.

Page 4: Cobit - Gap Analysis.ppt


Plan & Organize Gap Analysis

Page 5: Cobit - Gap Analysis.ppt


Plan and Organize Gap Analysis

COBIT domain: Plan and Organize
Process Description: PO1 Define a Strategic IT Plan

Sub process: IT Value Management

Current Practice: IT investments related to IT projects are estimated based on referrals from past acquisitions or on the provider's market position. Investment estimates are prepared independently by IT or by business areas; the IT Department then centralizes and evaluates them.

Gap: IT investments are not managed as programmes that include business cases.

Recommended Actions:

• Ensure that the management of IT-enabled investments uses a formal process that requires business cases covering cost-benefit analysis, risk assessment, SLAs for IT services and the impact on the current portfolio.

• Ensure that accountability for value delivery is clearly assigned at an appropriate level.

Sub process: Business-IT Alignment

Current Practice: The IT Manager was involved in the strategic planning process and established initiatives that are aligned and integrated with business strategies.

Gap: User areas prepare their own initiatives and sometimes do not communicate them to the IT Department, which learns of them only when user areas request a quick answer and immediate action to implement them.

Recommended Actions:

• Ensure that IT management contributes to business strategy planning and identifies capabilities available to support enterprise goals, as well as other opportunities to contribute to business value.

• Make the scope of IT strategic and planning initiatives enterprise-wide, so that they address, document and consider all business and support activities.

Sub process: Assessment of Current Capability and Performance

Current Practice: The IT Department evaluates the current capability and performance of its services only when the budget is being prepared.

Gap: System tools are not used on a regular basis to evaluate current capability and performance.

Recommended Actions:

• Ensure that enterprise management and key stakeholders discuss future business directions and enterprise goals with IT management, in order to develop a common understanding of the potential for IT to enable business goals.

• Compare actual IT capabilities (systems, resources, people) against future requirements, in order to deliver the required solutions and services in a timely manner.

Page 6: Cobit - Gap Analysis.ppt


Plan and Organize Gap Analysis

COBIT domain: Plan and Organize
Process Description: PO1 Define a Strategic IT Plan

Sub process: IT Strategic Plan

Current Practice: There is an IT Strategic Plan that is defined and formally approved.

Gap: Some business requirements are not incorporated into the IT Plan and must be treated separately, because they are reported to the IT Manager too late.

Recommended Actions:

• Ensure that IT has established a process to identify, document and adequately address organizational changes, technology evolution, regulatory requirements, business process re-engineering, staffing, in- and outsourcing opportunities, etc., in the planning process.

• Formally approve and communicate the IT strategic plan, and ensure that it is clearly understood by those who need to translate it into budgets, tactical plans, sourcing and acquisition strategies, processes and organizational structures.

Sub process: IT Tactical Plans

Current Practice: IT initiatives are defined only at a high level.

Gap: There are no IT tactical plans detailed enough to allow the definition of project plans.

Recommended Actions:

• Translate the approved IT strategic plan into tactical plans.

• Ensure that the content of the tactical plans includes clearly stated project definitions for all programmes, project time frames and deliverables, required resources, and the business benefits to be monitored.

Sub process: IT Portfolio Management

Current Practice: IT initiatives have been defined and planned for deployment during the period 2010-2012. Each IT initiative has a specific beginning and end date.

Gap: Even though each IT initiative has a specific beginning and end date, execution may not be completed on time due to insufficient personnel.

Recommended Actions:

• Develop and promulgate prioritization schemes that relate prioritization criteria to business goals and technical requirements. Project prioritization may be modified due to the availability of scarce resources, implementation alternatives, funding methods, risks, and the timing of competing or complementary projects.

• Communicate which projects will be delayed, postponed or discontinued, so that business and IT management can use resources in an efficient and effective manner.

Page 7: Cobit - Gap Analysis.ppt


Plan and Organize Gap Analysis

COBIT domain: Plan and Organize
Process Description: PO2 Define the Information Architecture

Sub process: Enterprise Data Dictionary and Data Syntax Rules

Current Practice: A data dictionary is in place for some systems, such as Balance, SIAF and Accounting.

Gap: Syntax rules are not documented.

Recommended Actions:

• Establish and maintain data syntax guidelines that are valid throughout the organization.

• Implement data dictionary management software to manage and maintain the organization's data dictionary and data syntax rules.

Sub process: Data Classification Scheme

Current Practice: A data classification scheme is not defined or implemented. Data ownership is assigned at C-level, but it is not formally established.

Gap: Lack of a data classification policy and procedure.

Recommended Actions:

• Define data classification levels for each of the defined attributes.

• Identify the business owners accountable for information (data owners).

• Ensure that the data owner classifies all information using the defined scheme and levels. Classification covers the whole life cycle of information, from creation to disposal. Where an asset has been assessed as having a certain classification, any component of it inherits the same classification.
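As an added example (not code from the report or from KPMG), the following Python encodes the three classification rules recommended above: defined levels, an accountable owner per asset, and components inheriting the classification of the asset they belong to. It walks an inventory and lists the gaps an auditor would record; the level names and the sample inventory are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Ordered classification levels, lowest to highest. The report recommends
# defining levels but names none, so this scheme is an assumption.
LEVELS = ("Public", "Internal", "Confidential", "Restricted")
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass
class Asset:
    """An information asset (system, database, export, backup) and its parts."""
    name: str
    owner: Optional[str] = None                 # accountable business data owner
    level: Optional[str] = None                 # classification set by the owner
    components: List["Asset"] = field(default_factory=list)


def effective_level(own: Optional[str], inherited: Optional[str]) -> Optional[str]:
    """Highest of the owner-assigned level and the level inherited from the parent."""
    known = [lvl for lvl in (own, inherited) if lvl in RANK]
    return max(known, key=RANK.get) if known else None


def find_gaps(asset: Asset, inherited: Optional[str] = None, path: str = "") -> List[str]:
    """Walk an asset and its components; return one finding per violated rule."""
    here = f"{path}/{asset.name}" if path else asset.name
    gaps: List[str] = []
    own = asset.level
    if own is not None and own not in RANK:
        gaps.append(f"{here}: unknown classification level '{own}'")
        own = None
    # Rule 1: every top-level asset has an accountable data owner
    # (components are covered by the owner of the asset they belong to).
    if inherited is None and asset.owner is None:
        gaps.append(f"{here}: no accountable data owner assigned")
    # Rule 2: all information is classified using the defined scheme.
    eff = effective_level(own, inherited)
    if eff is None:
        gaps.append(f"{here}: not classified")
    # Rule 3: a component inherits its parent's classification, so a lower
    # label on the component understates its real classification.
    elif own is not None and inherited is not None and RANK[own] < RANK[inherited]:
        gaps.append(f"{here}: classified '{own}' but inherits '{inherited}' from parent")
    for child in asset.components:
        gaps.extend(find_gaps(child, eff, here))
    return gaps


def audit(inventory: List[Asset]) -> List[str]:
    """Run the gap check over a whole inventory of top-level assets."""
    return [gap for asset in inventory for gap in find_gaps(asset)]


def sample_inventory() -> List[Asset]:
    """Constructed sample data for illustration, not the client's real inventory."""
    accounting = Asset("Accounting", owner="CFO", level="Confidential", components=[
        Asset("GL database"),                        # unlabelled: inherits Confidential
        Asset("Payroll export", level="Internal"),   # labelled below its parent
        Asset("Backup tapes", level="Restricted"),   # stricter than parent is fine
    ])
    exploration = Asset("Exploration data")          # no owner and no classification
    return [accounting, exploration]


if __name__ == "__main__":
    for finding in audit(sample_inventory()):
        print(finding)
```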

Sub process: Integrity Management

Current Practice: Some procedures to ensure the integrity and consistency of all data are documented. However, these procedures have not been formalized or communicated to the Exploration Department, which manages its own systems.

Gap: Lack of procedures to manage and maintain data integrity and consistency in the Exploration Department.

Recommended Actions:

• Implement procedures to manage and maintain data integrity and consistency throughout the complete data process and life cycle.

Page 8: Cobit - Gap Analysis.ppt


Plan and Organize Gap Analysis

COBIT domain: Plan and Organize
Process Description: PO3 Determine Technological Direction

Sub process: Technological Direction Planning

Current Practice: Existing and emerging technologies are known to the IT Department and documented as initiatives in the IT Strategic Plan.

Gap: There are some deviations because the IT Department does not learn about user-area initiatives on a timely basis.

Recommended Actions:

• Perform a SWOT (strengths, weaknesses, opportunities, threats) analysis of all current critical and significant IT assets on a regular basis.

• Identify what is needed in terms of technological direction for the business systems architecture, migration strategies and contingency aspects of infrastructure components.

Sub process: Monitor Future Trends and Regulations

Current Practice: Legal and regulatory conditions are managed by the Legal Department. Future trends in the acquisition of technical software and hardware are reviewed by both the IT Department and the Exploration Department.

Gap: C-level management has not established a process to monitor future trends and regulatory conditions.

Recommended Actions:

• Ensure that adequately skilled staff members within the IT Department routinely monitor technological developments, competitor activities, infrastructure issues, legal requirements and changes in the regulatory environment, and provide relevant information to senior management.

• Ensure that the organization's legal counsel monitors legal and regulatory conditions in all relevant locations and informs the IT Steering Committee of any changes that may impact the technology infrastructure plan.

Sub process: Technology Standards

Current Practice: The IT Manager has established standards for acquiring notebooks, PCs/servers and office software.

Gap: Technology standards are not documented or formally approved.

Recommended Actions:

• Ensure that management establishes and maintains an approved list of vendors and system components that conform to the technological infrastructure plan and technology standards.

• Establish a process to prevent the acquisition of non-conforming systems or applications.

Page 9: Cobit - Gap Analysis.ppt


Plan and Organize Gap Analysis

COBIT domain: Plan and Organize
Process Description: PO4 Define the IT Processes, Organization and Relationships

Sub process: IT Steering Committee

Current Practice: The IT Manager does not play a key role in Management Committee meetings and participates only when an explanation of current projects is required.

Gap: There is no IT Steering Committee. The IT Manager participates in the Management Committee once a week or on demand.

Recommended Actions:

• Establish an IT Steering Committee (or equivalent) composed of executive, business and IT management.

• Ensure that the responsibilities of the committee include at least:

o Determining the prioritization of IT-enabled investment programmes in line with the enterprise's business strategy and priorities.

o Tracking the status of projects and resolving resource conflicts.

o Monitoring service levels and service improvements.

Sub process: Establishment of Roles and Responsibilities

Current Practice: Tasks and responsibilities were documented in November 20XX for all IT staff, except for the new "Information Security Officer" position.

Gap:

• Job descriptions and responsibilities for key positions are still under review by the Human Resources Department.

• Information Security Officer responsibilities are not clearly defined.

Recommended Actions:

• Formalize the skills, experience, authority, responsibility and accountability for each IT task, and obtain senior management approval.

• Ensure that management initiates regular training and awareness campaigns to reinforce staff knowledge of their roles. This may be supplemented with occasional assessments of understanding and compliance.

Page 10: Cobit - Gap Analysis.ppt


Acquire and Implement Gap Analysis

Page 11: Cobit - Gap Analysis.ppt


Acquire and Implement Gap Analysis

COBIT domain: Acquire and Implement
Process Description: AI1 Identify Automated Solutions

Sub process: Definition and maintenance of business functional and technical requirements

Current Practice: Based on the RAD (Rapid Application Development) development and maintenance methodology, business requirements are presented in an "Information Collection" format; Local Balance (developed 3 years ago) is the reference example. The IT Department uses a standard format to manage application change requests.

Gap: The documentation was developed for an information systems project 3 years ago and may not include the elements needed to control functional and technical aspects.

Recommended Actions:

• Define and implement a requirements definition and maintenance procedure, and a requirements repository, appropriate to the size, complexity, objectives and risks of the business initiative the organization is considering. This procedure should take into account the nature of the enterprise's business, its strategic direction, strategic and tactical IT plans, in-house and outsourced business and IT processes, emerging regulatory requirements, people skills and competencies, structure, business case and enabling technology.

• Confirm that all user, functional and technical requirements, including relevant acceptance criteria, are considered, captured, prioritized and recorded in a way that is understandable to business sponsors and technical implementation personnel.

Sub process: Feasibility study and formulation of alternative courses of action

Current Practice: Feasibility studies are not prepared. There is an initial definition of the information system's context, in which requirements are defined as a top-level overview in order to begin development.

Gap: Lack of working procedures and documentation supporting the feasibility study and the technical definition of alternative solutions.

Recommended Actions:

• Define and implement a procedure that documents and formalizes a feasibility study which clearly and concisely describes the key alternative courses of action that will satisfy the business and functional requirements, with an evaluation of their technological and economic feasibility. Identify the actions required for acquisition or development, and take into account scope, time and budget limitations.

• Review the alternative courses of action with all stakeholders, and select the most appropriate one based on feasibility criteria, including risks and cost.

• Translate the preferred course of action into a high-level acquisition/development plan identifying the resources to be used and the stages requiring a go or no-go decision.

Page 12: Cobit - Gap Analysis.ppt


Deliver and Support Gap Analysis

Page 13: Cobit - Gap Analysis.ppt


Deliver and Support Gap Analysis

COBIT domain: Deliver and Support
Process Description: DS01 Define and Manage Service Level

Sub process: Service Level Management Framework

Current Practice: Service Level Agreements (SLAs) have not yet been defined and documented, but some Key Performance Indicators (KPIs) have been established by the Planning Department.

Gap: There is no framework for managing IT services.

Recommended Actions:

• Define and document an SLA framework to manage the IT service life cycle. The process should involve senior management representing both the business and IT functions.

• The framework should include processes for creating service requirements, service definitions, SLAs, OLAs and funding sources.

Sub process: Review of Service Level Agreements and Contracts

Current Practice: No control activities have been identified.

Gap: SLAs are not defined and documented, including for the Exploration Department.

Recommended Actions:

• Conduct reviews of SLAs and underpinning contracts (UCs) on a regular basis with all impacted parties, to ensure that they remain effective and aligned with business objectives.

Page 14: Cobit - Gap Analysis.ppt


Monitor and Evaluate Gap Analysis

Page 15: Cobit - Gap Analysis.ppt


Monitor and Evaluate Gap Analysis

COBIT domain: Monitor and Evaluate
Process Description: ME1 Monitor and Evaluate IT Performance

Sub process: Definition and Collection of Monitoring Data

Current Practice: There is an informal process for gathering information on a limited basis, particularly in support activities, which does not cover all IT services. It also does not cover the IT service areas of the Exploration Department, which manages its own data center.

Gap: Lack of procedures for collecting, analyzing and reporting information.

Recommended Actions:

• Define targets for the IT metrics in line with the coverage and characteristics of the metrics defined in the monitoring framework. Obtain IT and business management approval for the targets.

• Collect the performance data needed by the monitoring approach in an automated fashion wherever feasible. Compare the measured performance to the targets at agreed intervals.

• Ensure the consistency, completeness and integrity of performance monitoring source data. Ensure control over all changes to performance monitoring data sources.

• Define performance targets and focus on those that provide the largest insight-to-effort ratio.

• Assess the integrity of the data collected by carrying out reconciliation and control checks at agreed intervals.

Page 16: Cobit - Gap Analysis.ppt


Monitor and Evaluate Gap Analysis

COBIT domain: Monitor and Evaluate
Process Description: ME1 Monitor and Evaluate IT Performance

Sub process: Performance Assessment

Current Practice: The IT Department has established maintenance activities for the application inventory, patching and the help desk. There are some reports on the Novell network servers and on actions to improve the technology platform, and there is a schedule for implementing these activities. However, there are no common practices.

Gap: Lack of procedures to execute performance assessments.

Recommended Actions:

• Compare the performance values to internal targets and benchmarks and, where possible, to external benchmarks (industry and key competitors).

• Consider implementing, in parallel with the performance management system, a less formal feedback mechanism to obtain alternative measures of perceived performance. Use the data to improve the performance measurement system and, where necessary, solution and service delivery.

• Assess performance against targets and analyze the results. Compare measured performance to targets at agreed intervals. Ensure that performance targets and results are communicated to IT, senior and business management via the established performance monitoring framework.

• Analyze the cause of deviations from targets, initiate remedial actions, assign responsibilities for remediation, and follow up. At appropriate times, review all deviations and search for root causes where necessary. Document the issues for further guidance if the problem recurs. Collect and retain the appropriate evidence and documentation to support the analysis.

• Where feasible, link the achievement of performance targets to the organizational reward and compensation system.

Page 17: Cobit - Gap Analysis.ppt


Monitor and Evaluate Gap Analysis

COBIT domain: Monitor and Evaluate
Process Description: ME1 Monitor and Evaluate IT Performance

Sub process: Board and Executive Reporting

Current Practice: There is a level of reporting by e-mail, and a formal report on a quarterly basis, in both the Lima and Miraflores offices. This includes project activities with IT suppliers related to important issues.

Gap: Lack of procedures to report activities in a formal manner.

Recommended Actions:

• Establish a board and executive reporting process, based on the performance monitoring framework, for regular, accurate and timely reporting on IT's contribution to the business, measuring the achievement of IT goals, the mitigation of IT risks and the usage of resources.

• Design senior management reports to highlight key issues (positive and negative) relating generally to IT's contribution to the business and specifically to IT solution and service delivery capability and performance.

• Consolidate the results of IT performance measurement. Translate them into business performance impacts (positive or negative) and incorporate the results into standard periodic reports to the board. Clearly link IT performance measurement to business outcomes and identify how IT supports the business strategy.