The Experience of Generali Group in Implementing COBIT 5. Marco Salvato, CISA, CISM, CGEIT, CRISC Andrea Pontoni, CISA

Generali Group at a glance

Let me introduce myself: Marco Salvato, CISA, CISM, CGEIT, CRISC
Areas of expertise: COBIT; Information System Audit (CISA); Governance of Enterprise IT (CGEIT); Information Security Management (CISM); Risk Management (CRISC)
Experience: Process governance; Freelance software developer; ISACA Venice Chapter Board Member; Information Security Governance; Risk Governance; Compliance Governance

Let me introduce myself: Andrea Pontoni, CISA
Areas of expertise: COBIT; Information System Audit (CISA)
Experience: IT Audit; IT Project Leader; ISACA Venice Chapter Board Member

Quick overview of the overall scenario: what is the company environment?

Group Strategy: Generali's strategic imperatives for the operating platform (Generali Investor Day, London, May 2015)

Group Strategy: Operational Excellence. Consolidation, centralization and standardization are currently underway.

Group Strategy: IT Transformation. Transformation of the IT systems is required to accelerate digitalization and industrialization. (Generali Investor Day, London, May 2015)

Triggers for COBIT 5 Implementation
- Strong alignment with the business strategy and the customer needs
- Need to establish an overall view to ensure centralized enterprise governance
- Define a harmonized process framework across countries
- Improve efficiency
- Resource optimization
- Ensure cross-country compliance
- Ensure a risk-based approach
- Ensure centralized management of audit activities

The COBIT story in Generali: how the Group started using COBIT

The COBIT story in Generali. Before 2008, the Group was using COBIT 3.x and 4.x to fulfil some audit or compliance requirements. The main good practices in use were ITIL and some ISO standards.

The COBIT story time line in Generali (2008 to 2016)
- The Generali Audit function starts the COBIT adoption all over the Group companies
- Many Generali Group companies start to implement COBIT in their own Process Framework
- GBS delivers a COBIT 5 training program for more than 300 employees in 2 years: COBIT 5 Introduction & COBIT 5 Foundation
- The new COBIT 5 is coming, and GBS hosts a workshop to understand its benefits, with external guests from the University of Antwerp
- GBS subscribes a Corporate License with ISACA for the COBIT 5 library
- Generali Group subscribes a Corporate License with ISACA for the COBIT 5 library
- GBS delivers a COBIT 5 for Executives training
- GBS and GIS continue to plan new COBIT 5 training: COBIT 5 Introduction & COBIT 5 Foundation
Years shown on the time line: 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016
GBS = Generali Business Solutions; GIS = Generali Infrastructure Services

Generali Infrastructure Services (GIS): the experience of GIS using COBIT

Generali Infrastructure Services: WHO WE ARE... The creation of GIS, as a Generali shared service provider, reflects that. Our purpose is to enable the Generali strategy both locally and globally, support innovation, and manage efficient and reliable infrastructure services.

Generali Infrastructure Services: WHERE WE ARE GOING... Our ambition is to be a global, agile business partner that brings relevant, added-value and shared solutions. We aim at developing, integrating and delivering simple, fitting and maintainable services.

The main challenges. GIS was created in 2014 to deliver shared common infrastructure services, and there were some critical challenges:
- Align business strategy with IT strategy
- Harmonize processes and services
- Define a centralized governance
- Improve the added value of the services provided
- Deal with different cultures

What we did. We defined some workstreams managed through a centralized governance within a cross-country program. One of them was focused on the definition of the process landscape, and its members were Group experts in different good practices (ITIL, CMMI, COBIT, ISOs, ...). When a first draft of the process landscape was defined, the responsibility for its improvement and implementation was transferred to the line functions. A Process Governance Board was established to support the evaluation of the main changes.

Good practices and frameworks: which good practices and frameworks have been used?

Good practices and frameworks. Best practices and standards used in the GIS Process Framework:
- IT Infrastructure Library (ITIL 2011 edition): Service Strategy, Design, Transition, Operation and Improvement
- ISACA COBIT 5: Governance and Management of Enterprise IT
- ISO 31000 series: Risk Management
- ISO/IEC 38500:2008: Corporate Governance of IT
- ISO/IEC 27001:2013: Information Security Management Systems
- Project Management Body of Knowledge (PMBOK): Project Management

Mapping with COBIT 5: GIS Process Book vs. COBIT 5 processes (Generali Infrastructure Services)

Legend: P = Primary match; S = Secondary match

GIS Process Book domains: Governance; Service Strategy; Service Development; Service Management & Operations; Enterprise Management

GIS Process Book process areas (the 35 columns of the mapping, in the order printed):
Risk Governance; Financial Governance & Opt.; Strategic Alignment; Service Value & Quality; Service Portfolio Management; Project Portfolio Management; Business Relationship Mgmt; Procurement; Design Coordination; Service Level Management; Architecture Management; IT Service Continuity Mgmt; Innovation Management; Incident Management; Problem Management; Request Fulfilment; Change Management; Release & Deployment Mgmt; Capacity Management; Knowledge Management; Security Services; Service Asset & Config. Mgmt; Event Management; Identity & Access Management; Availability; License Management; Project Management; Supplier Management; Financial Management; Charge Back; Risk Management; Regulatory & Compliance Management; Information Security Management; HR Management; Process Framework Management

For each COBIT 5 process: the number of GIS process areas it maps to, and the P/S marks as printed (the marks are listed without the column they sit in):

Count  COBIT 5 process                                                      Marks
Evaluate, Direct and Monitor
  2    EDM01 Ensure Governance Framework Setting and Maintenance            S S
  1    EDM02 Ensure Benefits Delivery                                       P
  1    EDM03 Ensure Risk Optimisation                                       P
  1    EDM04 Ensure Resource Optimisation                                   P
  1    EDM05 Ensure Stakeholder Transparency                                S
Align, Plan and Organise
  1    APO01 Manage the IT Management Framework                             P
  1    APO02 Manage Strategy                                                P
  1    APO03 Manage Enterprise Architecture                                 P
  1    APO04 Manage Innovation                                              P
  2    APO05 Manage Portfolio                                               P P
  2    APO06 Manage Budget and Costs                                        P S
  1    APO07 Manage Human Resources                                         (mark not separable in the source)
  1    APO08 Manage Relationships                                           P P (as printed in the source)
  2    APO09 Manage Service Agreements                                      S P
  2    APO10 Manage Suppliers                                               S P
  2    APO11 Manage Quality                                                 P S
  2    APO12 Manage Risk                                                    P S
  2    APO13 Manage Security                                                P S
Build, Acquire and Operate
  2    BAI01 Manage Programmes and Projects                                 S P
  1    BAI02 Manage Requirements Definition                                 P
  1    BAI03 Manage Solutions Identification and Build                      P
  2    BAI04 Manage Availability and Capacity                               P P
  1    BAI05 Manage Organisational Change Enablement                        S
  1    BAI06 Manage Changes                                                 P
  1    BAI07 Manage Change Acceptance and Transitioning                     P
  1    BAI08 Manage Knowledge                                               P
  2    BAI09 Manage Assets                                                  P S
  1    BAI10 Manage Configuration                                           P
Deliver, Service and Support
  6    DSS01 Manage Operations                                              S S S S P S
  2    DSS02 Manage Service Requests and Incidents                          P P
  1    DSS03 Manage Problems                                                P
  2    DSS04 Manage Continuity                                              P S
  2    DSS05 Manage Security Services                                       P S
  0    DSS06 Manage Business Process Controls                               (none)
Monitor, Evaluate and Assess
  2    MEA01 Monitor, Evaluate and Assess Performance and Conformance       S S
  1    MEA02 Monitor, Evaluate and Assess the System of Internal Control    P
  1    MEA03 Monitor, Evaluate and Assess Compliance with External Requirements   P

Per-column totals printed at the foot of the mapping (35 values, one per GIS process area, in the order printed):
1 1 3 2 1 2 1 1 4 3 1 2 1 1 1 1 1 1 1 1 3 2 1 2 2 1 1 1 1 1 1 3 2 2 3

Mapping with ITIL

Why these governance processes
COBIT 5 makes a distinction between governance and management, in alignment with the guidance of ISO/IEC 38500:2008. Directors should govern IT through three main tasks:
a) Evaluate the current and future use of IT;
b) Direct preparation and implementation of plans and policies to ensure that the use of IT meets business objectives;
c) Monitor conformance to policies and performance against the plans.
IT governance processes ensure that enterprise goals are achieved by evaluating stakeholder needs; setting direction through prioritization and decision making; and monitoring performance, compliance and progress against plans.
Source: ISO, ISO/IEC 38500:2008 Corporate governance of information technology, Switzerland, 2008, www.iso.org
Based on the governance activities, business and IT management plan, build, run and monitor activities to ensure alignment with the direction set by the governance body, in order to achieve the enterprise objectives.

Why these governance processes. Stakeholder needs are always about value creation:
- Benefit Realisation
- Risk Optimisation
- Resource Optimisation
GIS governance processes: Risk Governance; Service Value & Quality; Financial Governance & Optimization; Strategic Alignment

IT Audit: how we use COBIT in IT Audit activities

The story of COBIT in Internal Audit. The first version of the IT Group Audit Methodology, based on COBIT 4.1 and also on the other most important IT Governance and Management Frameworks (i.e. ITIL and ISO 27002), was presented and adopted by all the countries in 2008. In 2012, after the launch of the new version of COBIT 5 by ISACA, we decided to update the internal IT Audit Methodology by adopting the new COBIT 5 Framework. An international project was launched with the following goals:
- update the current IT Audit Process Tree considering the new process model defined by COBIT 5;
- define a set of control objectives associated with the processes of the IT Audit Matrix;
- review the control activities within the Engagement Matrix for the most important IT processes;
- define a set of testing activities for each control activity;
- define specific IT risks associated with the control activities and aligned with the Operational Risks defined by Group Risk Management.

The adoption of COBIT 5 in Internal Audit. Project scope: during the project, the three main elements (steps) of our Group IT Audit Methodology (IT Audit Process Tree, Audit Matrix and Engagement Matrix) were revised and updated according to the new COBIT 5 framework:

IT Audit Process Tree. The new IT Audit Process Tree is based on the latest version of COBIT (COBIT 5) and includes 34 IT processes (COBIT 5 itself includes 37 processes). The three processes shown in grey were dismissed according to the assessment procedure developed in the first step of the project.

IT Audit Process Tree: processes excluded. During the first step of the project, a deep analysis of the COBIT 5 processes was performed and, as a result, three processes were excluded.

IT Audit Matrix. The new version of the Audit Matrix includes the 34 IT processes of the process tree. The audit priority is defined in terms of Significance of Controls and Control Risk.

Engagement Matrix

Engagement Matrix. New information has been included in the Engagement Matrix in order to obtain detailed information about the level of controls inside each process.

Engagement Matrix

Conclusions: Pros & Cons

Pros & Cons
- Becoming aware of the different process definitions was recognized as a cultural step forward, even if it was time consuming
- Thanks to the corporate license agreement, we were able to provide the COBIT 5 documentation at the right moment; it was recognized as an enabler
- Being open-minded and ready to highlight the right benefits from the different good practices let us design the car using the best spare parts available on the market
- Top-down cascading training and awareness sessions were time consuming but really successful
- For sure, top management trust and commitment was a real key to success

Conclusions
- The frameworks, as well as the best practices, are a common language that can cross the boundaries between countries
- The double approach, from the top through the audit function and from the bottom through the process cards and the employee training, was a good choice
- Using different good practices for the process definitions was really a good chance to share experiences and skills between different countries
- Merging different good practices required deep skills in each topic and a lot of effort, but the final result was worth it

Questions? Thank you