Getting to Grips with Cobi T Enterprise Architecture

Getting to Grips with Cobi. T – Enterprise Architecture, a conseptual approach to IT Covernance or how to understand the difference between IT Governance and IT Management

Who am I ? Jan Bjørnsen: Working with this for nearly 20 years. In-depth skills and knowledge in IT Governance, Information Security, counceling and negotiation/contracting. Author of «Slik får du IT-styring og kontroll» , Universitetsforlaget

1: IT Governance and IT Management The Straw Model • You need a “Modus Operandi” that will focus on IT Governance and IT Management and I will give a brief presentation of the Straw Model to put everything into perspective. – We will look at Administrative, non-technical issues vs. Operational, technical activities – And the balance between Governing Documents vs. Dynamic documents like guidelines, procedures etc • Some different sketches. .

Frameworks and standards – an overview ISO 38500 COSO COBIT ITIL v 2. 5 ITIL v 3 ISO 20001 ISO 2700 x ISO Common 900 x Criteria

What do we want… Dynamic Statisc Administrative, Non-technical Operative, Technical

Straw Model of Architecture Vision Policy Governance Architecture Principles Strategy Valued Deliveries IT/IS Implementation ITIL/ISO. . Functions Guide Lines Risk Management Internal ”self-”control Continuity/ Cobit processes Assessments/etc Guidelines Plans Monitor Responsibility Roles Report Cobit Processes Procedures Plan Detailed ”workbook”

IT Governance V De alu liv e er y Resource Management Man Risk age men e anc form ent Per agem n Ma IT Tjenester Governance t gic nt e ra St gnm i Al

Governance vs. Management • IT-strategy • Organisation potentiale • Architecture building ion t cu Se rv ice xe E d o vis Ad V De alu liv e er y e anc form ment e Per nag Ma ing IT Tjenester Governance r nito Mo • Actionbased monitoring • Incident/Problem handling • Implement Self Control gic nt e ra St gnm i Al na Resource Management ge me nt Man Risk age men t Ris k. H and ling r n ya Ma Resource • Personnel Management • Infrastruktur • Applications • Systems • Process management • Process Implementation • Operative IT security • Manage Infrastructure • Manage Networks • Incident/Problem handling • ITIL • BIA, Criticality Assessments • Risk Analysis • Contingency Plans • Security Standards ISO 2700 x

IT Governance vs. IT Management • • Inhouse expertise Accountability „Provide“ responsibility „Supervise“ responsibility • Outsourced expertise • Responsibility • „Execute/maintenance“ responsibility

”The Triangle of Responsibility” ”Provide”-responsibility «Accountable» in RACI Governance/ Inhouse Responsibility ”Supervise”-responsibility «Consulted/Informed» in RACI -Evaluates Control Design Management/ Outsourced Responsibility ”Execute”-responsibility «Responsible» in RACI -Self Assurance -Internal Control

Cobit – a de facto standard ( for IT governance, security, assurance, audit etc. ) • Cobit as a tool has matured from the introduction in 1996 and are today well adept for understanding, control and measure IT. It covers many facets today: – It is a tool for the CIO for governance and control – It is a tool for the IT Auditor for assurance – It is a tool to build a good Control Design – It is a tool for measure compliance and maturity – It is a tool for Security officers.

Cobit – Different views

Cobit and ITIL

Practical use of Cobi. T Security Architecture and The Straw Model • Information security and other security functions can use the Straw Model to put everything into perspective. • How to create governing documents • How to present a strategy for implementation • Creating Dynamic documents like security guidelines, implement security in procedures etc. • Different samples. . .

Straw Model of Architecture by Cobit

Straw Model of Architecture by organisation

Sample of documents • Principles of Information Security • Security Guidelines • Control activity defined in processes As an example of the 5 IT Governance areas, I have chosen Risk Management for presentation purposes.

Do Risk Assessment and a Maturity Mapping Based on requirements in your SLA you need to know the Criticality of each system to ensure your Continuity plan cover the right systems (Example Smart. Risk Access database) • You also need to know how mature your organisation are related to Cobit (Example process DS 4 Ensure Continuous Services- RACI chart Excel) •

Risk - CISM manual has a good description of operational risk • • • Facilities and operational environment risk HSE risk Information Security risk Control Framework Risk Legal and regulatory Compliance risk Corporate Govenance risk Technology risk Project management risk Crime and fraud risk Personnel risk Supplier risk Information management risk Reputation risk Strategic risk Process and attitude risk Ethical risk Geopolitical risk Cultural risk Clima and weather risk

Contingency - on its own or as a part of the security architecture What are your goal(s)? • Contingency/Continuity How to incorporate IT Continuity and IT Disaster Recovery plans into the architecture “Straw Model” with sample of layout and detailed description of time slot activites, Incident Respone Teams, Disaster Recovery Teams and Instructions and decision Gates to move through all phases of a critical situation. • You need to understand the different levels of Continuity. – Backup/Restore – Continuity plans – IT Disaster Recovery Plans – Business Continuity Plans • You also need to know how mature your organisation are related to Cobit process DS 4 Ensure Continuous Services

Our Framework Methodology Contingency plan BCP DRP • BCP – Business Continuity Plan • DRP – Disaster Recovery Plan - (Using ISACA’s prinsiples) - (Using Cobi. T’s Continuity process)

The first critical phases can be solved by using Incident Response Team. • example, (Must be based on your SLA and Criticality Assessments) Critical Timeslot for FIRST DECISION POINT are 40 minutes Timeslot for SECOND DECISION POINT are 60 minutes (1 hour) Timeslot for THIRD DECISION POINT are 120 minutes (2 hours) T 1 T 2 T 3

Contingency If your Continuity plan do not solve the problem you must escalate. The IT Disaster Recovery Plan and BCP have 8 phases • 1 The Notification phase – • 2 The Overview phase – • • • Third (3) point of decision (establish operation/production or further escalation) 6 The Operation phase – • • Second (2) point of decision (establish Disaster management Team or decide “all clear/no danger”) 3 The Response phase 4 The Activity phase 5 The Establishing phase – • First (1) point of decision (further notification of IRT or “all clear/no danger” or move to second decision point directly) Fourth (4) point of decision (transition to standard operation or keep the alternately operation) 7 Return to Normal Operation phase 8 The Termination phase – Fifth (5) point of decision (wind up the Disaster Management Team and re-establish normal operation)

Sample of documents • • • Contingency Principles Incident Response Team Authorisation Letter Continuity plan IT Disaster Recovery Plan Business Continuity Plan

Questions Contact Information Jan Bjørnsen Scandinavian Business Security Ltd. Mob: +47 90 18 18 64 E-mail: jtb@sbsec. com Web: www. sbsec. com