Governing IT means seeking solutions that strike the right balance between benefits and risks, with proper management of resources. It therefore requires an end-to-end vision and a renewed ability to communicate and cooperate within companies and public administrations. Today, models, frameworks and good practices are available that address the topic in an innovative way.
COBIT 5
Alberto Piamonte, alberto.piamonte@aiea.it
What is needed?
Experience teaches that a global vision is needed, one in which the company sees IT as an integral component of the way it does business (no longer a separate component with its own rules, disconnected from the real business objectives). Business and IT must share objectives and collaborate, dividing between them the roles of governance and management.
Therefore: tools / schemes / frameworks are needed that make it possible, in general, to understand:
- who / what / how / when is involved
- cause -> effect relationships, in a vision that is as global and shared as possible
A classic example is the notion of utopia as described in Plato's best-known work, the Republic. This means that the "ideal city" as depicted in the Republic is not given as something to be pursued, or to present an orientation point for development; rather, it shows how things would have to be connected, and how one thing would lead to another, if one would opt for certain principles and carry them through rigorously.
Frameworks
NIST Cybersecurity Framework: "The Framework Core is not a checklist of activities to perform; it presents key cybersecurity outcomes that are aligned with activities known to manage cybersecurity risk. These activities are mapped to a subset of commonly used standards and guidelines."
BI: PRELIMINARY PROVISIONS AND GENERAL PRINCIPLES, 1. Introduction. "The internal control system is a fundamental element of the overall governance system of banks; it ensures that business activity is in line with corporate strategies and policies... This regulation: ... represents the general framework of the corporate control system."
Compliance-driven approach: check-box mentality; tactical & reactive; achieve point-in-time compliance; certification.
Risk-based approach: proactive & holistic; continuous monitoring; proactive mentality.
Building the Governance Framework
COBIT 5 "UNIVERSAL" Framework
Why: interventions; when; actors; benefits; avoiding risks; optimal management of resources.
Where to operate: processes; principles, policies, frameworks; systems; people; organisation; available information; culture / ethics.
How to operate: practices / activities; a consolidated and universally accepted base; reference to the main standards; priorities set according to business objectives.
Governance; planning; organisation; set-up; definition of IT solutions; service delivery; support; measurement and control..... in a structured and connected way.....
Board (CDA), Business, IT / IS, Control.
Governance tools: principles, enablers, goals, assessment.
COBIT 5 "UNIVERSAL" Framework, applied to: information security, vendor management, risk, EU privacy, the company context...
Implementation guides: Information Security, Assurance, Enabler Information, Risk, Vendor Management (problem-specific frameworks).
Know the context and the issues.
The pillars of the Framework: the COBIT 5 principles
Principle 1: Meeting Stakeholder Needs
1. Understand the needs
2. Transform them into business goals
3. Transform those into IT goals
Goals cascade: Stakeholder Drivers (environment, technology evolution, ...) -> Stakeholder Needs (benefits realisation, risk optimisation, resource optimisation) -> Enterprise Goals -> IT-related Goals -> Enabler Goals.
The IT-related goals are our area of intervention: at this level we must identify and manage IT goals / risks, translating them into concrete actions from an enterprise perspective.
Balanced Scorecard: the "balanced" enterprise view, to start on the right foot
The goals cascade (Stakeholder Drivers -> Stakeholder Needs: benefits realisation, risk optimisation, resource optimisation -> Enterprise Goals -> IT-related Goals -> Process and Enabler Goals) maps the enterprise goals onto the four Balanced Scorecard dimensions:
Financial: stakeholder value of business investments; portfolio of competitive products and services; managed business risks (safeguarding of assets); compliance with external laws and regulations; financial transparency.
Customer: customer-oriented service culture; business service continuity and availability; agile responses to a changing business environment; information-based strategic decision making; optimisation of service delivery costs.
Internal: optimisation of business process functionality; optimisation of business process costs; managed business change programmes; operational and staff productivity; compliance with internal policies.
Learning & Growth: skilled and motivated people; product and business innovation culture.
Principle 2: Covering the Enterprise End to End
Principle 3: A single integrated framework
COBIT 5:
- is aligned with the other standards and frameworks available today
- covers the whole enterprise
- provides the basis for effectively integrating the other standards, frameworks and practices in use
- integrates all previous ISACA products
An architecture that gives structure to the governance rules and produces a coherent set of practical tools.
© 2012 ISACA. All Rights Reserved.
Principle 3: A single integrated framework
Principle 4: Enabling a holistic approach
COBIT 5 defines a set of enablers for implementing a comprehensive governance and management system for enterprise IT. COBIT 5 enablers are:
- factors that, individually or collectively, influence whether something works
- linked to the goals cascade
- described in the COBIT 5 framework in seven categories
© 2012 ISACA. All Rights Reserved.
Principle 5: Separating Governance from Management
Principle 5: Separating Governance from Management
Governance ensures that stakeholder needs, conditions and options are:
- evaluated, to define balanced and agreed objectives to be achieved
- used to set direction, through priorities and decisions
- monitored, in terms of performance and progress against the agreed objectives and priorities
(EDM: Evaluate, Direct, Monitor)
Management plans, builds, runs and monitors the activities aimed at reaching the objectives set by governance, in order to achieve the enterprise goals (PBRM).
© 2012 ISACA. All Rights Reserved.
The COBIT 5 Enterprise Enablers
The dimensions of any COBIT 5 enabler
- Who has an active role in determining what is expected from the enabler?
- How is the enabler managed?
- Has it delivered the expected results?
- Will it deliver the expected results?
Enabler: Processes
COBIT 5 Enablers: Processes is the reference manual for the 37 COBIT 5 processes.
Life cycle
Generic practices (GP), such as those contained in the COBIT 5 Process Assessment Model (based on the ISO/IEC 15504 standard), assist in defining, executing, monitoring and optimising a process.
Process practices: COBIT 5 Enabling Processes describes the internal process practices in terms of practices, activities and detailed activities.
How is the process managed? Will it deliver the expected results?
COBIT 5 Process Reference Model
Processes: a holistic view. Govern; Plan and Organise; Manage; Build; Deliver.
Layout of a COBIT 5 process
Description; Purpose; Process; IT-related Goal; Process Goals; Related Metrics; RACI; Practice; Input From; Output To; Activity; Detailed activity.
Connections between COBIT 5 processes
Each process (A, B, C, ...) carries the same structure: Description, Purpose, IT-related Goal, Process Goals, Related Metrics, RACI, and for each Practice its Input From, Output To and Activities. The Input From / Output To links connect the processes to one another.
The result is a very detailed (and exhaustive) set of relationships which, for each of the 210 governance/management practices, comprises: responsibilities (RACI) for 25 roles; work products (about 700); activities (1112+n) (plus detailed activities). It can be used operationally.
Example process page: Purpose; IT-related Goals (primary); Goals (outcomes).
Example process page: RACI; Base Practices (Excel RACI).
Example process page: Base Practice; Work Products in / out; Activities.
ISO/IEC 15504 (SPICE)
ISACA Milan Chapter
ISO/IEC 15504: the SPICE project
1993: need for tools to evaluate suppliers when acquiring systems (defence and telecommunications) with a high software content.
2003: release of ISO/IEC 15504.
Focus on:
- how to define a process so that its capability (capability vs. maturity) to produce the expected results (outcomes) can then be predicted
- how to perform the measurement
ISO/IEC 15504: measuring process capability
ASSESSMENT: objective, impartial, consistent, repeatable, representative, comparable.
"ISO/IEC 15504-2:2003 identifies the measurement framework for process capability and the requirements for: performing an assessment; process reference models; process assessment models; verifying conformity of process assessment. The requirements for process assessment defined in ISO/IEC 15504-2:2003 form a structure which: facilitates self-assessment; provides a basis for use in process improvement and capability determination; takes into account the context in which the assessed process is implemented; produces a process rating; addresses the ability of the process to achieve its purpose; is applicable across all application domains and sizes of organization; and may provide an objective benchmark between organizations. The minimum set of requirements defined in ISO/IEC 15504-2:2003 ensures that assessment results are objective, impartial, consistent, repeatable and representative of the assessed processes. Results of conformant process assessments may be compared when the scopes of the assessments are considered to be similar."
ISO/IEC 15504 Process Assessment Model (PAM)
PAM: PRM (Process Reference Model) & MF (Measurement Framework)
ISACA's COBIT Assessment Programme
What is the new COBIT assessment process?
The COBIT assessment programme is described in COBIT Process Assessment Model (PAM): Using COBIT 5. The PAM brings together two proven heavyweights in the IT arena, ISO and ISACA. ISACA decided to adopt ISO/IEC 15504-2:2003, Information technology - Process assessment - Part 2: Performing an assessment, which supports, among others, both the Committee of Sponsoring Organizations of the Treadway Commission's Internal Control - Integrated Framework and ITIL Version 3 assessments using the ISO approach. The COBIT PAM uses the existing COBIT 5 content as an ISO 15504 compliant process assessment model.
Process Attributes and Capability Levels (figure)
This figure is reproduced from ISO 15504-5:2006 with the permission of ISO at www.iso.org. Copyright remains with ISO.
Same layout as the COBIT 5 process: Description; Purpose; Process; IT-related Goal; Process Goals (supports); Related Metrics; RACI; Practice; Input From; Output To; Activity.
PAM capability levels
Level 5, Optimizing process: the predictable process is continuously improved to meet relevant, current and projected business goals, incorporating process innovation and optimisation.
Level 4, Predictable process: the established process operates within defined limits to achieve its process outcomes, as a measured and controlled process.
Level 3, Established process: the managed process is implemented as a defined process that is capable of achieving its process outcomes.
Level 2, Managed process: the performed process is now implemented in a managed fashion (planned, monitored and adjusted) and its work products are appropriately established, controlled and maintained.
Level 1, Performed process: the implemented process achieves its process purpose.
Level 0, Incomplete process: the process is not implemented, or fails to achieve its process purpose. There is no evidence of any systematic achievement of the process purpose.
COBIT 5 Process Assessment Model highlights
PAM performance indicators (Level 1)
Level 1 performance indicators, with their description (reference: COBIT 5 Enabling Processes):
- Outcomes: the process goals
- Base practices: the practices of the process
- Work products: the inputs/outputs of the practices
Their purpose is to show whether the process is implemented and pursues its goals (level 1).
Level 1 example: EDM03 process performance indicators (outcomes, base practices, work products).
PAM capability indicators (Levels 2-5)
Level 2-5 capability indicators, with their description:
- Generic practices: the activities that qualify the capability level
- Generic resources: the resources used in the practices
- Generic work products: the results of the practices
Their purpose is to show the adequacy ("capabilities") of the process (levels 2-5).
Process attribute ratings and capability levels
Rating scale:
N - Not achieved: 0 to 15% achievement
P - Partially achieved: 15% to 50% achievement
L - Largely achieved: 50% to 85% achievement
F - Fully achieved: 85% to 100% achievement

Capability level | Process attributes (code) | Required rating
Level 1 | Process Performance (PA 1.1) | Largely or fully
Level 2 | PA 1.1 | Fully
        | Performance Management (PA 2.1), Work Product Management (PA 2.2) | Largely or fully
Level 3 | PA 1.1, PA 2.1/2.2 | Fully
        | Process Definition (PA 3.1), Process Deployment (PA 3.2) | Largely or fully
Level 4 | PA 1.1, PA 2.1/2.2, PA 3.1/3.2 | Fully
        | Process Measurement (PA 4.1), Process Control (PA 4.2) | Largely or fully
Level 5 | PA 1.1, PA 2.1/2.2, PA 3.1/3.2, PA 4.1/4.2 | Fully
        | Process Innovation (PA 5.1), Process Optimization (PA 5.2) | Largely or fully
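The rating scale and the level rules in the table above are mechanical enough to encode. The following is an added example, not ISACA's or ISO's own code, that maps an assessor's percentage achievement per process attribute to the N/P/L/F scale and derives the capability level reached; the sample assessment values are constructed, and the treatment of an unrated attribute as Not achieved is an assumption of this example.

```python
"""Derive an ISO/IEC 15504 capability level from process attribute ratings.

Hypothetical helper (not from the COBIT 5 PAM itself). It applies the rule
from the PAM table: a level is reached only when the attributes of every
lower level are Fully achieved and the level's own attributes are Largely
or Fully achieved.
"""

# Process attributes that belong to each capability level (PAM table).
LEVEL_ATTRIBUTES = {
    1: ["PA 1.1"],
    2: ["PA 2.1", "PA 2.2"],
    3: ["PA 3.1", "PA 3.2"],
    4: ["PA 4.1", "PA 4.2"],
    5: ["PA 5.1", "PA 5.2"],
}


def rate(achievement_pct):
    """Map a percentage of achievement to the N/P/L/F rating scale."""
    if not 0 <= achievement_pct <= 100:
        raise ValueError("achievement must be between 0 and 100")
    if achievement_pct > 85:
        return "F"  # Fully achieved: 85% to 100%
    if achievement_pct > 50:
        return "L"  # Largely achieved: 50% to 85%
    if achievement_pct > 15:
        return "P"  # Partially achieved: 15% to 50%
    return "N"      # Not achieved: 0 to 15%


def capability_level(ratings):
    """Return the level (0-5) reached by a dict of PA id -> rating letter.

    An attribute missing from `ratings` counts as Not achieved (assumption).
    """
    achieved = 0
    for level in range(1, 6):
        # The level's own attributes must be Largely or Fully achieved ...
        own_ok = all(ratings.get(pa, "N") in ("L", "F")
                     for pa in LEVEL_ATTRIBUTES[level])
        # ... and every lower level's attributes must be Fully achieved.
        lower = [pa for lv in range(1, level) for pa in LEVEL_ATTRIBUTES[lv]]
        lower_ok = all(ratings.get(pa, "N") == "F" for pa in lower)
        if not (own_ok and lower_ok):
            break
        achieved = level
    return achieved


# Constructed sample assessment of one process: achievement % per attribute.
SAMPLE_ASSESSMENT = {"PA 1.1": 95, "PA 2.1": 90, "PA 2.2": 88,
                     "PA 3.1": 70, "PA 3.2": 60, "PA 4.1": 30}


def assess(achievements):
    """Rate every attribute, then derive the level; returns (ratings, level)."""
    ratings = {pa: rate(pct) for pa, pct in achievements.items()}
    return ratings, capability_level(ratings)


if __name__ == "__main__":
    print(assess(SAMPLE_ASSESSMENT))  # sample reaches capability level 3
```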
Generic practices & work products: Level 2
GENERIC PRACTICES
PA 2.1 Performance Management:
GP 2.1.1 Identify the objectives for the performance of the process
GP 2.1.2 Plan and monitor the performance of the process to fulfil the identified objectives
GP 2.1.3 Adjust the performance of the process
GP 2.1.4 Define responsibilities and authorities for performing the process
GP 2.1.5 Identify and make available resources to perform the process according to plan
GP 2.1.6 Manage the interfaces between involved parties
PA 2.2 Work Product Management:
GP 2.2.1 Define the requirements for the work products, including content structure and quality criteria
GP 2.2.2 Define the requirements for documentation and control of the work products
GP 2.2.3 Identify, document and control the work products
GP 2.2.4 Review and adjust work products to meet the defined requirements
WORK PRODUCTS
Generic practices & work products: Level 3
GENERIC PRACTICES
PA 3.1 Process Definition:
GP 3.1.1 Define the standard process that will support the deployment of the defined process
GP 3.1.2 Determine the sequence and interaction between processes so that they work as an integrated system of processes
GP 3.1.3 Identify the roles and competencies for performing the standard process
GP 3.1.4 Identify the required infrastructure and work environment for performing the standard process
GP 3.1.5 Determine suitable methods to monitor the effectiveness and suitability of the standard process
PA 3.2 Process Deployment:
GP 3.2.1 Deploy a defined process that satisfies the context
GP 3.2.2 Assign and communicate roles, responsibilities and authorities for performing the defined process
GP 3.2.3 Ensure necessary competencies for performing the defined process
GP 3.2.4 Provide resources and information to support the performance of the defined process
GP 3.2.5 Provide adequate process infrastructure to support the performance of the defined process
GP 3.2.6 Collect and analyse data about performance of the process to demonstrate its suitability and effectiveness
WORK PRODUCTS
Generic practices & work products: Level 4
GENERIC PRACTICES
PA 4.1 Process Measurement:
GP 4.1.1 Identify process information needs, in relation with business goals
GP 4.1.2 Derive process measurement objectives from process information needs
GP 4.1.3 Establish quantitative objectives for the performance of the defined process, according to the alignment of the process with the business goals
GP 4.1.4 Identify product and process measures that support the achievement of the quantitative objectives for process performance
GP 4.1.5 Collect product and process measurement results through performing the defined process
GP 4.1.6 Use the results of the defined measurement to monitor and verify the achievement of the process performance objectives
PA 4.2 Process Control:
GP 4.2.1 Determine analysis and control techniques appropriate to control the process performance
GP 4.2.2 Define parameters suitable to control the process performance
GP 4.2.3 Analyse process and product measurement results to identify variations in process performance
GP 4.2.4 Identify and implement corrective actions to address assignable causes
GP 4.2.5 Re-establish control limits following corrective action
WORK PRODUCTS
Generic practices & work products: Level 5
GENERIC PRACTICES
PA 5.1 Process Innovation:
GP 5.1.1 Define the process improvement objectives for the process that support the relevant business goals
GP 5.1.2 Analyse measurement data of the process to identify real and potential variations in process performance
GP 5.1.3 Identify improvement opportunities of the process based on innovation and best practices
GP 5.1.4 Derive improvement opportunities of the process from new technologies and process concepts
GP 5.1.5 Define an implementation strategy based on long-term improvement vision and objectives
PA 5.2 Process Optimization:
GP 5.2.1 Assess the impact of each proposed change against the objectives of the defined and standard process
GP 5.2.2 Manage the implementation of agreed changes to selected areas of the defined and standard process according to the implementation strategy
GP 5.2.3 Based on actual performance, evaluate the effectiveness of process change against process performance, capability objectives and business goals
WORK PRODUCTS
Generic work product indicators (ISO 15504)
Other "SPICEs"
Industry: Automotive SPICE
Finance: AML Financial Control Assessment; EEC Funds; Enterprise SPICE
Other: SEDA 2012; Medi SPICE; ITIL; ISO 15504-10 safety extension
QUESTIONS & COMMENTS
© 2013 ISACA. All rights reserved.