ISACA & ROSI
SdS AIEA Roma, 15 December 2010

ISACA & ROSI?
• G41
• CobiT & ROSI
  – Risk Drivers / Value Drivers
  – Understanding what the Business wants?
  – Managing the investment
• Val IT

Driving Value From Information Security: A Governance Perspective (ISACA Journal, Volume 2, 2009)
"Determining the ROSI of information security projects helps in crystallizing the intangible benefits and nonquantifiable considerations. This enables management to weigh all the factors in the right perspective and to arrive at informed decisions, rather than relying on instinct alone."
"Costs/benefits of IT security projects largely depend on the human factor, cost and revenue drivers, business objectives, security metrics, and organizational characteristics, which can substantially influence end results. Refining ROSI estimates through learning experience and by comparing estimated and realized ROSI will improve this tool with each successive project, resulting in better calibration and more accurate estimates. Thus, ROSI, with a balanced scorecard focus, will become a tool of choice for the future, in the hands of decision makers."

IS Auditing Guideline G41: Return on Security Investment (ROSI), May 2010
1. BACKGROUND
2. ROSI
3. OBJECTIVES
  3.1 Audit
4. CONSIDERATIONS
  4.1 Audit
5. EFFECTIVE DATE
  5.1 This guideline is effective for all information systems audits beginning on or after 1 May 2010.

1.1 Linkage to Standards
1.1.1 Standard S10 IT Governance states the IT audit and assurance professional should:
• review and assess whether the IT function aligns with the enterprise's mission, vision, values, objectives and strategies
• review whether the IT function has a clear statement about the performance expected by the business (effectiveness and efficiency) and assess its achievement
• review and assess the effectiveness of IT resources and performance management processes

1.2 Linkage to COBIT
1.2.1 Selection of the most relevant material in COBIT applicable to the scope of the particular audit is based on the choice of specific COBIT IT processes and consideration of COBIT's control objectives and associated management practices.
…
The process and control objectives to be selected and adapted may vary depending on the specific scope and terms of reference of the assignment.

1.3 Purpose of the Guideline
1.3.1 Enterprises are increasingly finding it challenging to make a case to invest in IT security. …
1.3.2 Enterprises cannot afford to ignore the value propositions of security metrics to effectively achieve appropriate ROSI. …
1.3.3 IT audit and assurance professionals must have a clear understanding of the value proposition for ROSI. …

1.5 Risk Management
1.5.1 There should be collaborative periodic risk assessment developed amongst those responsible for securing information assets and the responsible senior management, with the business owner(s) managing the information assets of the enterprise. …
1.5.2 There is an inherent risk that the subject matter may be highly complicated, coupled with security engineers/administrators who may not adequately understand all of the risks to the enterprise and the necessary mitigating control processes. …
1.5.3 There is inherent audit risk resulting from the auditor responsible for performing an independent assessment not adequately understanding and/or reviewing the necessary control processes commensurate with the level of risk. … Thus, management should be alerted that audit will not guarantee that the auditor will completely identify, test and conclude on the adequacy of all controls. Accordingly, additional oversight and independent assessment of the auditor's evaluation may be warranted given the size, complexity and significance of the enterprise's information assets.

4.1 Audit
4.1.1 There are various ROSI models, and there is no one model that fits all enterprises.
4.1.2 Enterprises must have a well-defined process of data collection for security breaches and lapses.
4.1.3 Security investments are made after proper analyses of security requirements, risk assessments, product performance, vendor service level agreements and, most importantly, alignment of the security plan to the overall business objectives.
4.1.4 No security is complete without adequate insurance. The enterprise should be adequately protected by appropriate insurance.
4.1.5 Security must be considered as a business protector and enabler, not as an inhibitor.
4.1.6 Trust is the highest form of security.
…

CobiT & ROSI

COBIT Defines Processes, Goals and Metrics
Relationship Amongst Process, Goals and Metrics (DS5)
© 2009 ISACA. All rights reserved.

Business returns: Value Drivers & Risk Drivers
• 788 Risk Drivers
• 736 Value Drivers
• Associated with 980 Control Practices

Investment returns

Impacts in business terms

CobiT – Extended Balanced Scorecards
[Figure: the COBIT business goals arranged around "Vision and Strategy" by scorecard perspective]
• Financial contribution: provide a good return on investment of IT-enabled business investments; manage IT-related business risk; improve corporate governance and transparency
• Customer orientation: improve customer orientation and service; offer competitive products and services; establish service continuity and availability; create agility in responding to changing business requirements (time to market); achieve cost optimisation of service delivery; obtain reliable and useful information for strategic decision making
• Operational excellence: improve and maintain business process functionality; lower process costs; provide compliance with external laws, regulations and contracts; provide compliance with internal policies; manage business change; improve and maintain operational and staff productivity
• Future orientation: manage product and business innovation; acquire and maintain skilled and motivated people

…in other words: where do I start?
• Is IT adequate?
• Where to intervene?
• What to do, and how?
Where is the Agility?

Where is the Agility? Let's ask COBIT!

Assessment of business objectives – Phase 1

Assessment of business objectives – Phase 2
Assigning importance to IT processes

Importance of the domain / process
• PO: PO10 Manage Projects
• AI: AI1 Identify Automated Solutions
• DS: DS1 Define and Manage Service Levels; DS3 Manage Performance and Capacity
• ME: ME1 Monitor and Evaluate IT Performance
The complementarity between structural/organisational aspects and operational/instrumental aspects is clearly visible.

Impacts in business terms
• They can also be used bottom-up:
  – How to justify a project that automates Configuration Management and Software Distribution

ROSI: two further considerations
• ROSI to get started... and then?
• Evolution of the role of IT
• Val IT™

The Business Case Process Maturity

The Seven Principles of Val IT™
IT-enabled investments will:
1. Be managed as a portfolio of investments
2. Include the full scope of activities required to achieve business value
3. Be managed through their full economic life cycle
Value delivery practices will:
4. Recognise different categories of investments to be evaluated and managed differently
5. Define and monitor key metrics and respond quickly to any changes or deviations
6. Engage all stakeholders and assign appropriate accountability for delivery of capabilities and realisation of business benefits
7. Be continually monitored, evaluated and improved

A New Perspective
IT Investments → Investments in IT-enabled Change
Source: The Information Paradox