1COBITPart1ITGovernance---IT治理框架

SITC:Service&Security1COBITPart1–ITGovernance2009年3月马怡骢SITC:Service&Security2开场时间请简单介绍您自己名字公司/产业别工作性质贵公司推行IT治理的程度在这堂课中,想了解的事情任何愿意和大家分享的事????SITC:Service&Security3前沿小站SITC:Service&Security4ITmanagementtoITGovernanceISO31000ISO38500BS25999Prince2PMBOKCOBITITILV3ISO27001ISPLSCAMPITOGAFSecurity&AvailabilityMgtISO17799ISO13335ISO9001SW-CMMIITGovernance&ServiceMgtGovernance&RiskMgtISO15408ITILv2ITManagementChange&ReleaseMgtTicketITNIST800SupplierMgtMgtsystem&OrgFinance&CapacityMgtISO15504Appraisal&auditMgtMOF&MSFISO20000SITC:Service&Security5COBITfoundationexamTheexamconsistsof40multiple-choicequestions.Topasstheexam,anindividualmustcorrectlyanswer28ormorequestionsorattainascoreof70%orhigher.PrerequisitesNone.LearningOutcomesHowITmanagementissuesareaffectingorganizationsTheneedforacontrolframeworkdrivenbytheneedforITgovernanceHowCOBITmeetstherequirementforanITgovernanceframeworkHowCOBITisusedwithotherstandardsandbestpracticesTheCOBITframeworkandallthecomponentsofCOBITHowtoapplyCOBITinapracticalsituationHowtheuseofCOBITissupportedbyITGICOBITisaregisteredtrademarkofISACASITC:Service&Security6CertificationsoverviewISO38500ISO20000ISO27001•COBITfoundationexam•ITIL•Foundationexam•ServiceManager•Expert•CISA/CISM•CISSPBUSINESSINDIVIDUALSITC:Service&Security7学习目标了解何為IT治理及為何需要IT治理SITC:Service&Security8AgendaGovernancetowhyweneedITGovernanceWhatisITGovernanceITGovernanceFrameworkITAlignmentValueDeliveryRiskManagementResourceManagementPerformanceManagementISO38500:2008VSCGEITConclusionsSITC:Service&Security9World-classIT?AlignedwiththebusinessandprovidingtransparentvalueTopmanagementattentionthroughappropriateITGovernancemechanismsEngagedinperformancemeasurementCommittedtocontinuousimprovementSITC:Service&Security10Enterprisegovernanceisasetofresponsibilitiesandpracticesexercisedbytheboardandexecutivemanagementwiththegoalof:•Providingstrategicdirection•Ensuringthatobjectivesareachieved•Ascertainingthatrisksaremanagedappropriately•Verifyingthattheenterprise’sresourcesareusedresponsiblyEnterpriseGovernanceRESOURCEMANAGEMENTwww.itgi.orgwww.itgi.orgSITC:Service&Security11Enterprisegovernanceisabout:Conformance•Adheringtolegislation,internalpolicies,auditrequirements,etc.Performance•Improvingprofitability,efficiency,effectiveness,growth,etc.EnterpriseGovernanceDrivesITGovernanceEnterprisegovernanceandITgovernancerequireabalancebetweenconformanceandperformancegoalsdirectedbytheboard.PerformanceConformanceSITC:Service&Security12ScenarioIT-GovernanceITisanintensivelydiscussedtopicinOrganisationsandEnterprises.Discussionrangesfrom‘costfactor’to‘businessenabler’.AcloselinkbetweentheEnterprise-StrategyandIT-strategyiskey,butitseemsthedistancebetweenEnterprise-ManagementandITisgrowing.TopManagerscomeveryoftenfromthe„classical“disciplines.CIO’sarenotveryoftenmembersoftheBoard.FormanyEnterprisesare„Consolidation“,„Concentrationoncorebusiness“and„OperationalExcellence“additionalprioritiesoftoday.SITC:Service&Security13Organizationsrequireastructuredapproachformanagingtheseandotherchallenges.ThiswillensurethatthereareagreedobjectivesforIT,goodmanagementcontrolsinplaceandeffectivemonitoringofperformancetokeepontrackandavoidunexpectedoutcomes.TheNeedforITGovernanceKeepingITRunningSecurityValue/CostManagingComplexityAligningITwithBusinessRegulatoryComplianceSITC:Service&Security142007ITGovernanceInstitute.Allrightsreserved.www.itgi.orgForcesDrivingITGovernanceComplianceSecurityBusiness/ITAlignmentROIProjectExecutionSITC:Service&Security15RoleofITSourceofdifferentiationandadvantageSupportcorebusinessprocessesSupportbackofficeCopyright©TheBostonConsultingGroup1960's1970's1980's1990's2000'sAirlinesRetailingAutomotiveHealthCareFinancialServices2010'sITevolutionovertimeITroleITneedstobelinkedwithbusinessstrategytogeneratevalueforthebusinessCopyright©TheBostonConsultingGroupDevelopmentExhaustedOrNewFuturePushToBeExpected?(1)ITevolvingfromSupportToolintoSourceofCompetitiveAdvantage...SITC:Service&Security16WhygetintoITGovernance?“Duediligence”ITiscriticaltothebusinessExpectationsandrealitydon’tmatchIThasn’tgottentheattentionitdeservesITinvolveshugeinvestmentsandlargerisksSITC:Service&Security17Sarbanes-Oxley(cont.)SITC:Service&Security18Sarbanes-Oxley(cont.)EffectsofSarbanes-OxleyCreatedthePublicCompanyAccountingOversightBoard(PCAOB)ReinforcesAuditorIndependenceStrengthenInternalControlStructurewithorganizationsUpgradefinancialDisclosuresCreatedAccountabilityattheExecutiveLevelProtectInvestorsSITC:Service&Security19“中国萨班斯”－《企业内部控制基本规范》2008/6/28由财政部、证监会、审计署、银监会、保监会联合颁布。2009/7/1起首先在上市公司范围内施行参照美国于2002/7/30颁布的《2002年萨班斯-奥克斯利法案》而制定萨班斯法案对公司治理、会计师行业监管、证券市场监管等方面提出了许多新的严格要求，并设定了内控风险管理的问责机制和相应的惩罚措施。自此，全球也掀起了加强企业内部控制和风险管理的飓风迎接内控时代到来SITC:Service&Security20規範的要求及突破针对国内财务及会计监控体制的发展趋势，以及企业内部的委托-代理关系等各个方面的需求，要求上市公司应当对公司内部控制的有效性进行自我评价，披露年度自我评价报告，在企业内确定内部控制要素，建立内部控制机制突破界定了内部控制的内涵，强调内部控制是由企业董事会、监事会、经理层和全体员工实施的、在实现控制目标的过程，有利于树立全面、全员、全过程控制的理念。SITC:Service&Security21內控框架－五大目標五大要素五大目標(合理保证)企业战略企业经营管理合法合规财