COBIT ed oltre

COBIT 5 2013... ed oltre Sessione di Studio 28 novembre 2013 Torino Alberto Piamonte

Argomenti della Sessione COBIT5 Principi ed Enablers Process Assessment 4.1 -> 5 Esempi Information Security Enabling Information Assurance Risk Q&A 2

COBIT5 «UNIVERSAL» Framework Perché Interventi Quando Attori Benefici Evitare Rischi Gestione ottimale Risorse Dove operare Processi Principi Policies Frameworks Sistemi Persone Organizzazione Informazioni disponibili Cultura / etica Come operare Pratiche / Attività Base Consolidate e universalmente accettate Riferimento ai principali Standard Priorità in funzione obiettivi di business Governo Pianificazione Organizzazione Impostazione Definizione Soluzioni IT Erogazione Servizi Supporto Misura e Controllo..... In modo strutturato e connesso..... CDA Business IT / IS Controllo 3

Frameworks NIST Cybersecurity Framework The Framework Core is not a checklist of activities to perform; it presents key cybersecurity outcomes that are aligned with activities known to manage cybersecurity risk. These activities are mapped to a subset of commonly used standards and guidelines. BI : DISPOSIZIONI PRELIMINARI E PRINCIPI GENERALI 1. Premessa Il sistema dei controlli interni è un elemento fondamentale del complessivo sistema di governo delle banche; esso assicura che l attività aziendale sia in linea con le strategie e le politiche aziendali... La presente disciplina:... rappresenta la cornice generale del sistema dei controlli aziendali Chech-box mentatlity Tactical & reactive Achieve point-in-time Compliance Certification Compliance Driven Approach Risk-Based Approach Proactive & Holistic Continous Monitoring Proactive mentality 4

Governance Si studia Strumenti Principi Enablers Goals Assessment Si adatta COBIT5 «UNIVERSAL» Framework Info Security Risk Contesto Aziendale Vendor Mgmt Privacy EU... Guide Information Security Assurance Enabler Information Risk Si applica Problem(s) specific Framework based on COBIT5 Guida Implementazione 5

Principi COBIT 5 6

1 Meeting Stakeholders needs 1. Capire le esigenze 2. Trasformarle in obiettivi di Business 3. Trasformarli in obiettivi IT Stakeholder Drivers (Environment, Technology Evolution,...) Stakeholder Needs Benefits Realisation Risk Optimisation Resource Optimisation Enterprise Goals Questa è la nostra area di intervento ed a questo livello dobbiamo individuare e gestire gli obiettivi / rischi IT traducendoli in azioni concrete : in una prospettiva «aziendale» IT-related Goals Enabler Goals 7

Balanced Scorecard : la «Vision» aziendale «equilibrata» : partire col piede giusto This simple test will give you insights into your strategy, and help you to avoid some of the many pitfalls of poor strategy design, management and implementation. Stakeholder value of business investments Portfolio of competitive products and services Financial Managed business risks (safeguarding of assets) Stakeholder Drivers (Environment, Technology Evolution,...) Stakeholder Needs Compliance with external laws and regulations Financial transparency Customer oriented service culture Benefits Realisation Risk Optimisation Resource Optimisation Business service continuity and availability Enterprise Goals Customer Agile responses to a changing business environment IT-related Goals Information based strategic decision making Optimisation of service delivery costs Process and Enabler Goals Optimisation of business process functionality Internal Learning & Growth Optimisation of business process costs Managed business change programmes Operational and staff productivity Compliance with internal policies Skilled and motivated people Product and business innovation culture 8

Principio 2: Covering the Enterprise End to End Owners and Stakeholders Stakeholder Drivers (Environment, Technology Evolution,...) Accountable Delegate Stakeholder Needs Governing Body Benefits Realisation Risk Optimisation Resource Optimisation Monitor Set Direction Management Enterprise Goals Report Instruct and Align IT-related Goals Operations and Execution Enabler Goals 9

Principle 3: Un unico Framework Integrato COBIT 5: Allineato con gli altri standard e framework oggi disponibili Coprire tutta l Azienda Fornire la base per integrare efficacemente gli altri standard, framework e prassi utilizzate Integrare tutti i precedent prodotti ISACA Un architettura per dare struttura alle regole di governo e produrre un insieme coerente di strumenti pratici 2012 ISACA. All Rights Reserved. 10

Principle 3: Un unico Framework Integrato 11

12 12

COBIT5 Product Family 13

Pubblicazioni COBIT5 (28/11/2013) Documento Pagg soci (AIEA MI) non soci COBIT 5 Framework 94 COBIT 5 Enabling Processes 230 $ 135 COBIT 5 Implementation + tool kit 78 $ 150 COBIT 5 for Information Security 220 $ 35 $ 175 COBIT 5 for Assurance 318 $ 35 $ 175 COBIT 5 for Risk 216 $ 35 $ 175 COBIT Assessment Programme COBIT Process Assessment Model (PAM): Using COBIT 5 144 $ 40 COBIT Assessor Guide: Using COBIT 5 52 $ 30 $ 80 COBIT Self-Assessment Guide: Using COBIT 5 + tool kit 24 $ 40 COBIT 5: Enabling Information 90 $ 135 COBIT Translations (?) COBIT 5 Online (4 Q 2013 / 2014) Vendor Management Using COBIT 5 Configuration Management Using COBIT 5 88 $ 55 Transforming Cybersecurity Using COBIT 5 190 $ 35 $ 60 Securing Mobile Devices Using COBIT 5 for Information Security 138 $ 75 Security Considerations for Cloud Computing 80 $ 75 (Appendix C. Mapping Threats and Mitigating Actions to COBIT 5 for Information Security) Security-Considerations-Cloud-Computing-Tool-Kit Advanced Persistent Threats: How To Manage The Risk To Your Business 132 $ 35 Big Data White Paper 18 Totale 2112 $ 170 $ 1.405 14 14

Chi riconosce COBIT5? Regulatory and Legislative Recognition USA, Canada, India, Giappone, Brasile, Argentina, Australia, UAE - Dubai, Colombia, Costa Rica, Mexico, Paraguay, Uruguay, Venezuela, Grecia, Lithuania, Romania EU riconosce il COBIT come Framework Turchia Sud Africa Russia??? PRC??? 15

Principle 4: Consentire un approccio Olistico COBIT 5 definisce un insieme di enablers per la realizzazione di un Sistema integrale di governance e management per l IT nell azienda. COBIT 5 enablers sono: Fattori che, da soli o congiuntamente, influiscono sul fatto che qualcosa funzioni Collegati alla goals cascade Descritti nel framework COBIT 5 in sette categorie 2012 ISACA. All Rights Reserved. 16

Principio 5 Separazione tra Governance e Management 17

Principio 5 Separazione tra Governance e Management Governance garantisce che le esigenze, condizioni ed alternative degli stakeholder siano: Valutate per definire gli obiettivi da raggiungere, in modo bilanciato e concordato Stabilire la direzione stabilendo indirizzi e priorità Monitorare le prestazioni ed i progressi nel rispetto degli obiettivi e delle priorità concordati (EDM) Management pianifica, realizza, opera e controlla le attività rivolte al raggiungimento degli obiettivi definiti dalla Governance per raggiungere gli obiettivi aziendali (PBRM) 2012 ISACA. All Rights Reserved. 18

The COBIT 5 Enterprise Enablers 19

Le dimensioni di un qualsiasi Enabler COBIT 5 Chi ha un ruolo attivo nel determinare cosa ci si attende dall enabler Come si gestisce un enabler? Ha portato i risultati attesi? Porterà i risultati attesi? 20

Enabler Principi, Policies & Frameworks Lo scopo di questo enabler è quello di comunicare indirizzi ed istruzioni della Direzione Aziendale. Sono strumenti per comunicare regole ed istruzioni a supporto degli obiettivi di Governo e dei valori aziendali. Good practices 21

Enabler Strutture Organizzative Le Good Practices per le strutture organizzative possono venir ragruppate in: Principi operativi Assetto pratico di come la struttura opererà, Span of control I confini entro i quali si esercita il potere decisionale Livello di autorità Le decisioni che la struttura è autorizzata a prendee. Delega di responsabilità La struttura può delegare un sottoinsieme di decisioni ad strutture a suo riporto Procedure di Escalation Percorsi da seguire in caso di problemi nel prendere decisioni. 22

Enabler : Processi COBIT 5 Enablers: Processes costituisce il Manuale di riferimento per i 37 Processi COBIT5 23

Life Cycle Pratiche generalizzate (GP) quali quelle contenute nel COBIT5 Process Assessment Model (basate sullo standard ISO/IEC 15504 ) assistono nella definizione, esecuzione, monitoraggi ed ottimizzazione di un processo. Process Practices: COBIT 5 Enabling Processes descrive le internal Process Practices in termini di: pratiche, attività ed attività di dettaglio Come si gestisce il Processo? Porterà i risultati attesi? 24

COBIT 5 Process Reference Model Processi : Visione olistica Governare Pianificare ed Organizzare Gestire Realizzare Erogare 25 25

Processo Schema di un Processo COBIT5 Descrizione Purpose IT Related Goal Related Metrics Process Goals Related Metrics Descrizione RACI Practice Input Da Output a Attività Dettaglio attività 26 26

Processo A Processo B Processo C Connessione tra Processi COBIT5 Descrizione Descrizione Descrizione Purpose Purpose Purpose IT Related Goal Related Metrics IT Related Goal Related Metrics IT Related Goal Related Metrics Process Goals Related Metrics Process Goals Related Metrics Process Goals Related Metrics RACI RACI RACI Description Description Description Practice Input From Practice Input From Practice Input From Output To Output To Output To Activity Activity Activity Un insieme molto dettagliato (ed esaustivo) di relazioni comprendente, per ogni G/M Practice (210) : Responsabilità (RACI) (25) Work Products ( circa 700) Attività (1112+n) ( + attività di dettaglio ) utilizzabile operativamente 27 27

Purpose IT Related Goals (primary) Goals (outcomes) 28 28

RACI Base Practices Excel RACI 29 29

Base Practice WP in / out Activities 30 30

31 31

ISO/IEC 15504 (SPICE) ISACA Capitolo di Milano

ISO/IEC 15504 SPICE Project 1993 Esigenza di strumenti di valutazione forniture per acquisizione di Sistemi (difesa e telecomunicazioni) con alto contenuto di Sw 2003 rilascio ISO/IEC 15504 Focus su : Come definire un processo per essere poi in grado di prevederne la capacità (capability vs. maturity) di produrre i risultati attesi (outcomes) Come eseguire la misura 33 33

ISO/IEC 15504 ASSESSMENT : Objective Impartial Consistent Repeatable Representative Comparable ISO/IEC 15504-2:2003 identifies the measurement framework for process capability and the requirements for: performing an assessment; process reference models; process assessment models; verifying conformity of process assessment. The requirements for process assessment defined in ISO/IEC 15504-2:2003 form a structure which: facilitates self-assessment; provides a basis for use in process improvement and capability determination; takes into account the context in which the assessed process is implemented; produces a process rating; addresses the ability of the process to achieve its purpose; is applicable across all application domains and sizes of organization; and may provide an objective benchmark between organizations. The minimum set of requirements defined in ISO/IEC 15504-2:2003 ensures that assessment results are objective, impartial, consistent, repeatable and representative of the assessed processes. Results of conformant process assessments may be compared when the scopes of the assessments are considered to be similar;. 34 34

ISO/IEC 15504 Process Assessment Model (PAM) 35 35

PAM : PRM & MF 36 36

37

ISACA s COBIT Assessment Programme

What is the new COBIT assessment process? The COBIT process programme is described in COBIT Process Assessment Model (PAM): Using COBIT 5. PAM brings together two proven heavyweights in the IT arena, ISO and ISACA. ISACA decided to adopt ISO/IEC 15504-2:2003 Information technology Process assessment Part 2: Performing an assessment, that support, among others, both the Committee of Sponsoring Organizations of the Treadway Commission s Internal Control Integrated Framework and ITIL Version 3 assessments using the ISO approach. The COBIT PAM uses the existing COBIT 5 content : an ISO 15504 compliant process assessment model. 39 39

Assessment Overview Process Assessment Model Assessment Process 40 40

The high-level measurable objectives of performing the process and the likely outcomes of effective implementation of the process An observable result of a process an artefact, a significant change of state or the meeting of specified constraints The activities that, when consistently performed, contribute to achieving the process purpose The artefacts associated with the execution of a process defined in terms or process inputs and process outputs 41

Supports Processo Medesimo schema Descrizione Purpose IT Related Goal Related Metrics Process Goals Related Metrics RACI Description Practice Input From Output To Activity 42 42

Process Attributes and Capability Levels This figure is reproduced from ISO 15504-5 2006 with the permission of ISO at www.iso.org. Copyright remains with ISO. 43 43 43

Livelli 2-5 It should be noted that WPs for some processes provide higher capability requirements for other processes. This will result in a progressive implementation of processes. The initial focus on any process assessment would be the core (sometimes called primary) processes, which are primarily part of the BAI and DSS domains. Processes in the APO and MEA domains will be required to support improvement in the capability of these core processes past level 1. An example is APO01 Manage the IT management framework, which is required as part of establishing the IT process framework, to document roles and responsibilities required by processes at capability level 2. 44 44

Performance e Capability 45

Setting Target (Cost vs. Benefit) Il punto «ottimale» dipende anche dalla tipologia e dimensione dell Azienda e quindi posso usare la misura della capability per ottimizzare il ROI Possible Deviation from Business Objectives RISK TARGET COST Soldi buttati EFFECTIVENESS OF PROTECTION 46

Assessment Process Activities 1. Initiation 2. Planning the assessment 3. Briefing 4. Data collection 5. Data validation 6. Process attributes rating 7. Reporting the results 47 47 47

COBIT 4.1?

Where Have All the Control Objectives Gone? 49 49

Erik Guldentops Isaca Journal 4 2011 COBIT 4.1 Control Objectives Molto utili Manca una chiara distinzione tra obiettivo ed azione COBIT 5 (e CobiT 4.1 PAM-med) Non ci sono più: sostituiti da G&M Practices e Outcomes CobiT 4.1 Poco sviluppato il concetto di sequenza di attività COBIT 5 (e CobiT 4.1 PAM-med) WP in -> G&M Practices -> WP out 50 50

Vediamo il tutto graficamente CobiT 4.1 COBIT CobiT 4.1 5.0 PAM-med Maturity IT-related Goal Model Control Objectives + PC1 6 Control Activities Practices Processo Descrizione WP Inputs from Outcomes (Goals) Outputs WP out to PAM Activities Practices (RACI) 51

CobiT 4.1, ValIT, RiskIT Mapping Cobit 4.1 Application Controls Control Objectives ValIT Key Management Practice RiskIT Key Management Practice COBIT 5 G/M Practices 6 (mapped) 210 (207 mapped, 3 deleted) 43 (mapped) 43 (mapped) 210 (177 da CobiT 4.1, 33 new) V. Allegato 52 52

CobiT 4.1 Control Objective -> COBIT 5 BP + I/O + Activity CobiT 4.1 Control Objective AI1.4 Requirements and Feasibility Decision and Approval COBIT 5 Verify that the process requires the business sponsor to approve and sign off on business functional and technical requirements and feasibility study reports at predetermined key stages. The business sponsor should make the final decision with respect to the choice of solution and acquisition approach. 53 53

CobiT 4.1 Control Objective -> COBIT 5 BP + I/O + Activity CobiT 4.1 Control Objective COBIT 5 DS4.6 IT Continuity Plan Training Provide all concerned parties with regular training sessions regarding the procedures and their roles and responsibilities in case of an incident or disaster. Verify and enhance training according to the results of the contingency tests. 54 54

Enabler Cultura, Etica e Comportamenti Le Good practices per creare, favorire e mantenere i comportamenti desiderati sono: Comunicazione dei comportamenti desiderati e dei valori dell Azienda ( Codici etici) Consapevolezza di quali siano i comportamenti desiderati Incentivi Regole, norme e sanzioni 55

Enabler Information... quando le Informazioni costituiscono il fattore (abilitante) principale... ad esempio 56

Addressing Information Governance and Management Issues Using COBIT 5 57

Information Governance/ Management Issue: Marketing Situational Awareness (Big Data Dimension 1: Variety of Information) Marketing Function Goal Risk...... 4.3.1 Issue Description and Business Context An enterprise marketing team wishes to increase its awareness of and capacity to respond to public perceptions of its company s offerings. Data sources include social media postings, such as micro and traditional blogs, social sites, and audio conversations between customers and service representatives. The enterprise wishes to correlate the sentiment detected in both online and call centre channels with sales trends in various segments and regions around the world. Speech-to-text conversion, web indexing and natural language text processing are required. In big data terms, this is a variety issue.... COBIT5 : non più solo IT Function! 58

Una nuova dimensione per COBIT5 Stakeholder Drivers (Environment, Technology Evolution,...) Stakeholder Needs Resource Benefits Risk Optimisation Optimisation Realisation Enterprise Goals IT-Function Goals Marketing and Sales Function Goals Enablers for IT Function Enablers for Marketing and Sales 59

Enabler 6 Servizi, Infrastrutture ed Applicazioni Good Practices per l enabler. Architettura : principi e regole generali che guidino l implementazione e l utilizzo di risorse IT. Ad esempio : Riutilizzo Componenti comuni da riutilizzare. Buy vs. build Regole di decisione (ad es. Le soluzioni vanno acquistate a meno esista un preciso razionale per lo sviluppo ionterno, ecc.) Semplicità L architettura va progettata e mantenuta garantendo la massima semplicità, compatibilmante con gli obiettivi. Flessibilità (Agility) Rispondere a mutate esigenze in modo efficace ed efficente. Openness - Utilizzare il più possibile soluzioni basate su Open Industry Standards. 60

Enabler 7 Persone, Capacità e Competenze Good practices in particolare per : Descrivere vari livelli di competenza per i var ruoli. Definire la capacità per ogni ruolo Mappare le categorie di skill categories per domini dei processi COBIT 5 (APO; BAI etc.) v. prossima slide In particolare in corrispondenza della attività legate all IT, e.s. business analysis, information management etc. Usare fonti esterne per defire le good practices= come : The Skills Framework for the information age (SFIA) 61

COBIT 5 Implementation Need for new or improved IT governance organization is usually recognized by pain points and/or trigger events 62

COBIT 5 Due esempi di utilizzo 63

Esempio 1 Proposta Perché Nuovo Regolamento Interventi Europeo Protezione Dati Personali Benefici Evitare Rischi Gestione ottimale Risorse Dove operare Processi Principi Policies Frameworks Sistemi Persone Organizzazione Informazioni disponibili Cultura / etica SECTION 3 RECTIFICATION AND ERASURE Article 16 Right to rectification Quando Attori The data subject shall have the right to obtain from the controller the Governo rectification of personal data relating to them which are CDA inaccurate. The data subject shall have the right to obtain completion of incomplete personal data, including Pianificazione by way of supplementing a corrective Business statement. Definizione È una: «Service request» Soluzioni che richiede IT una «Service capability», Controllo come? Come operare Erogazione Servizi Area : Management - Domain : Deliver, Service and Support Supporto Pratiche / Attività Base DSS02 - Manage Service Requests and Incidents Consolidate e universalmente accettate Riferimento ai principali Standard Priorità in funzione obiettivi di business Organizzazione Impostazione IT / IS Misura e Process Description Controllo Provide timely and effective response to user requests and resolution of all types of incidents. Restore normal service; record and fulfill user requests; and record, investigate, diagnose, escalate and resolve incidents. Valore aggiunto COBIT5 64

DSS02 - Management Practices DSS02.01 - Define incident and service request classification schemes. DSS02.02 - Record, classify and prioritise requests and incidents. DSS02.03 - Verify, approve and fulfil service requests. DSS02.04 - Investigate, diagnose and allocate incidents. DSS02.05 - Resolve and recover from incidents. DSS02.06 - Close service requests and incidents. DSS02.07 - Track status and produce reports. + RACI Description Define incident and service request classification schemes and models. Identify, record and classify service requests and incidents, and assign a priority according to business criticality and service agreements. Select the appropriate request procedures and verify that the service requests fulfil defined request criteria. Obtain approval, if required, and fulfil the requests. Identify and record incident symptoms, determine possible causes, and allocate for resolution. Document, apply and test the identified solutions or workarounds and perform recovery actions to restore the IT-related service. Verify satisfactory incident resolution and/or request fulfilment, and close. Regularly track, analyse and report incident and request fulfilment trends to provide information for continual improvement. 65

... activities DSS02.01 - Define service request classification schemes (Output) To Description Internal Internal Incident and service request classification schemes and models Rules for incident escalation DSS02.01 - Activities 1. Define incident and service request classification and prioritisation schemes and criteria for problem registration, to ensure consistent approaches for handling, informing users about and conducting trend analysis. 2. Define incident models for known errors to enable efficient and effective resolution. 3. Define service request models according to service request type to enable self-help and efficient service for standard requests. 4. Define incident escalation rules and procedures, especially for major incidents and security incidents. 5. Define incident and request knowledge sources and their use. 1. Define and communicate the nature and characteristics of potential security-related incidents so they can be easily recognised and their impact understood to enable a commensurate response. 66

Solo per un articolo? Service Capabilities / Requests Art EU Cancellazione automatica dati scaduti ( Art. 17) Article 17 - Right to be forgotten and to erasure - 7 Ci sono molte «istanze» per le quali è richiesta Article 17 la - capacità Right to be forgotten di erogare and to un erasure servizio o gestire un incidente (DSS02) Cancellazione dati su richiesta Communicate rect / erasure Artt 16 and 17 Comunicazione relativa applicazione o meno Art 13, 15, 19 Confirmation Data are (are not) processed Article 13 - Rights in relation to recipients Article 12 - Procedures and mechanisms for exercising the rights of the data subject - 2 Article 12 - Procedures and mechanisms for exercising the rights of the data subject - 3 Article 15 - Right of access for the data subject Consent withdraw Article 7 - Conditions for consent - 3 Data Breach notification to Data Subject Article 32 - Communication of a personal data breach to the data subject Data breach notification to Supervisory Authority Article 31 - Notification of a personal data breach to the supervisory authority Inform third parties that Personal Data are to be erased Privacy Awareness Article 17 - Right to be forgotten and to erasure Article 37 - Tasks of the data protection officer - 1 - (b) Restrict processing instead of erasure Article 17 - Right to be forgotten and to erasure - 4 Rettifica dati Richiesta via informatica informazioni da parte interessato (Art 12) Trasmit Copy of Data undergoing processing. Article 16 - Right to rectification Article 12 - Procedures and mechanisms for exercising the rights of the data subject - 1 Article 18 - Right to data portability. 67

Per le Aziende di qualsiasi dimensione? Dimensione Piccola Si domanda al «Commecialista» Media COBIT5 DSS02 Grande COBIT5 DSS02 + + ISO 15504 Capability Assessment 68

69

Uno schema: life cycle! Setup Contratto Operations Transition-out Requisiti Call for tender Valutazione Shortlist Negoziazione Accordo Deliverables Livelli di Servizio Metriche Costi Legale Avviamento Gestione operazioni Monitoring Phase out operativo Trasferimento delle conoscenze e della gestione operativa al nuovo fornitore Cambio Fornitore Cambio contratto modifiche Lo schema è utilizzabile per : Assegnare responsabilità Identificare minacce e valutare impatti associandole a relative azioni correttive Mappare il Processo sulla realtà aziendale Identificare Strumenti / Documenti di supporto (Enabler Information!) 70

Assegnare le responsabilità 71

Identificare minacce e pesare i rischi conseguenti Recent research reveals that approximately one out of five enterprises (19 percent) does not invest sufficient effort to manage vendors and vendor-provided services effectively. T1 Vendor selection Minaccia Rischio conseguente Impatto Financial, operational, reputational and legal/compliance T2 Contract development Financial, operational and legal/compliance? T3 Requirements Financial, operational, reputational and legal/compliance T4 Governance Financial, operational and legal/compliance? T5 Strategy Financial, operational and legal/compliance??? 72

Per ogni minaccia Una o più azioni correttive Una indicazione agli enablers (1) coinvolti 1 - Enablers: 1. Principles, policies and frameworks 2. Processes 3. Organizational structures 4. Culture, ethics and behaviour 5. Information 6. Services, infrastructure and applications 7. People, skills and competencies 73

T1 T2 T3 T4 T5 Identificare minacce e valutare impatti associandole a relative azioni correttive Azione correttiva Minaccia 1 Diversify sourcing strategy to avoid overreliance or vendor lockin x 2 Establish policies and procedures for vendor management x 3 Establish a vendor management governance model x 4 Set up a vendor management organization within the enterprise x 5 Foresee requirements regarding the skills and competencies of the vendor employees x 6 Use standard documents and templates x 7 Formulate clear requirements x 8 Perform adequate vendor selection x 9 Cover all relevant life-cycle events during contract drafting x 10 Determine the adequate security and controls needed during the relationship x x 11 Set up SLAs x 12 Set up operating level agreements (OLAs) and underpinning contracts x 13 Set up appropriate vendor performance/service level monitoring and reporting x x 14 Establish a penalties and reward model with the vendor x 15 Conduct adequate vendor relationship management during the life cycle x 16 Review contracts and SLAs on a periodic basis x 17 Conduct vendor risk management x 18 Perform an evaluation of compliance with enterprise policies x 19 Perform an evaluation of vendor internal controls x 20 Plan and manage the end of the relationship x x 21 Use a vendor management system x x x x 22 Create data and hardware disposal stipulations x x 74

excel

COBIT5 «Vendor Management Framework» 76

Olistico!!! Risk- Based approach? Cosa manca?

E gli altri enablers? 21 11 3 4 5 4 1 Process Principles, Policies and Frameworks Information Services, Infrastructure and Applications Organisational Structures Ethics, Culture and Behaviour People, Skills and Competencies

Enabler Information Call for Tender Vendor Contract Service Level Agreements SLAs Defined How to Create Successful SLAs SLA Common Pitfalls Benefits of Effective Service Level Management OLAs and Underpinning Contracts Managing a Cloud Service Provider Excerpt From Security Considerations for Cloud Computing Appendix A. Vendor Selection Dashboard Criteri (pesati) di selezione Appendix B. Call for Tender Template Appendix C. Call for Tender Checklist Appendix D. Drafting the Contract: High-level Legal Checklist for Nonlegal Stakeholders Appendix E. Example Contract Template Appendix F. SLA Template Appendix G. Service Level Agreement (SLA) Checklist Appendix H. Example SLA Template Appendix I. Example Generic SLA Appendix J. Example SLA Slim Version Appendix K. Example SLA for Back Office and Local Area Network (LAN) Services Appendix L. High-level Mapping of COBIT 5 and ITIL V3 for Vendor Management 79

COBIT 5 for Assurance

Scope of the Assurance Publication In this publication, two perspectives on assurance are identified: Assurance function perspective Describes what is needed in an enterprise to build and provide assurance function(s). COBIT 5 is an end-to-end framework, meaning that it considers the provisioning and use of assurance as part of the overall governance and management of enterprise IT. Assessment perspective Describes the subject matter over which assurance needs to be provided. In this case, the subject matter is enterprise IT, which is described in ample detail in the COBIT 5 framework and COBIT 5: Enabling Processes and is therefore not covered in detail in the assurance guide itself.

Two Perspectives on Assurance Provided by COBIT 5 Both perspectives are built on the seven common governance and management enablers of the COBIT 5 framework.

Assurance Framework 83

Indice di Assurance Assurance utilizzando tutti gli Enablers Esempi di Assurance con COBIT5 1. Change management 2. Risk management 3. Bring your own device (BYOD) 84

Risk Framework 20/12/2013 85

COBIT5 for Information Security Giugno 2012 220 pagg 86 86

87

Implementing Info Sec Initiatives 1. Principles, Policies and Frameworks 1. Model 2. Information Security Principles 3. Information Security Policies 4. Adapting Policies to the Enterprise s Environment 5. Policy Life Cycle 2. Processes 1. Process Model 2. Governance and Management Processes 3. Information Security Governance and Management Processes 4. Linking Processes to Other Enablers 3. Organisational Structures 1. Model 2. Information Security Roles and Structures 3. Accountability Over Information Security COBIT5 for Info Security : Struttura 4. Culture, Ethics and Behaviour 1. Model 2. Culture Life Cycle 3. Leadership and Champions 4. Desirable Behaviour 5. Information 1. Model 2. Information Types 3. Information Stakeholders 4. Information Life Cycle 6. Services, Infrastructure and Applications 1. Model 2. Information Security Services, Infrastructure and Applications 7. People, Skills and Competencies 1. Model 2. Information Security-related Skills and Competencies Detailed Guidance Detailed Guidance Appendici Detailed Mapping 88

Gruppi di Ricerca Risk Management COBIT5 Framework per : BI - Nuove disposizioni di vigilanza prudenziale per le banche Nuovo regolamento EU Protezione dei Dati Personali Sistema di Controlli Interni a presidio del Rischio Riciclaggio Outsourcing 89

QUESTIONS & COMMENTS 2013 ISACA. All rights reserved