Cobit Foundation v4.1 Exam Study Notes
Dear friends,
In this document I present the information I compiled from various sources while preparing for the Cobit Foundation v4.1 exam, which I believe will prepare you for the exam and broaden your knowledge of the Cobit standards. I hope it is useful; for any questions and criticism, my e-mail address is stoksoz[at]gmail.com
Suat TOKSÖZ
GRC Specialist
The Cobit Foundation certification exam is administered by ISACA online as a multiple-choice exam. The exam consists of 40 questions, and a passing score requires answering 70% or more of the questions correctly. Candidates who pass the exam are awarded the Cobit 4.1 Foundation Certificate by ISACA.
The content of the Cobit Foundation exam and the percentage weights of each area in the exam are as follows.
Responding to IT Challenges (15%)
COBIT Framework (30%)
What COBIT Provides (30%)
Applying COBIT (10%)
COBIT Products and Support from ISACA (15%)
Cobit 4.1 Foundation Exam Review
IT Challenges:
- Keep IT Running
- Value
- Cost
- Mastering Complexity
- Aligning IT with Business
- Regulatory Compliance
- Security
Principles of IT Governance:
- Direct and Control
- Responsibility
- Accountability
- Activities
Internal Stakeholders:
- IT Manager
- Risk and Compliance Manager
- Board, Executive and Business Manager
- IT Auditor
External Stakeholders:
- External Auditors
- Regulators
- Customers
- Suppliers
IT Governance: Focus Areas
- Strategic Alignment
- Value Delivery
- Risk Management
- Resource Management
- Performance Management
Benefits of IT Governance:
- More reliable services
- More transparency
- Responsiveness of IT to business
- Confidence of the top management
- Higher return on investment (ROI)
Characteristics of a Control Framework
- Business Focus
- Process Orientation
- General Acceptability
- Common Language
- Regulatory Requirements
Cobit’s Main Characteristics
- Business Focused
- Process Oriented
- Controls Based
- Measurement Driven
Cobit Components:
- IT Resources
- IT Processes
- Enterprise Information
- Business Requirements
Cobit Cube
Cobit Domains
- PO: Plan and Organize
- AI: Acquire and Implement
- DS: Deliver and Support
- ME: Monitor and Evaluate
Processes are series of activities with natural breaks. There are 34 processes across the 4 domains; the 34 processes specify what the business needs to achieve its objectives.
The delivery of information is controlled through 34 high-level control objectives, one for each process.
PO Objectives
- Formulating strategy and tactics
- Identifying how IT can best contribute to achieving business objectives
- Planning, communicating, and managing the realization of the strategic vision
- Implementing organizational and technological infrastructure
AI Objectives
- Identifying, developing or acquiring, implementing and integrating IT solutions
- Changing and maintaining existing systems
DS Objectives
- The actual delivery of required services, including service delivery
- The management of security, continuity, data and operational facilities
- Service support for users
ME Objectives
- Performance Management
- Monitoring of Internal Control
- Regulatory Compliance
- Governance
Cobit
- Has internationally accepted good practices
- Is management-oriented
- Is supported by tools and training
- Is freely available
- Maps COSO 100%
- Allows sharing and leveraging of knowledge
- Continually evolves
- Is maintained by a reputable nonprofit organization
- Maps strongly to all major related standards
- Is a reference, not an “off the shelf” cure
Enterprises need to customize Cobit based on:
- Value drivers
- Risk profile
- IT infrastructure, organization and project portfolio
Val IT Focuses On
- Re-investment decisions
- Realization of benefits
Val IT Goal Statement
- The goal of the Val IT initiative is to help management ensure that organizations realize optimal value from IT-enabled business investments at an affordable cost with a known and acceptable level of risk.
Val IT Principles
- A portfolio of investments
- Full scope of activities
- Full economic life cycle
- Different categories of investments
- Key metrics
- Appropriate accountability
- Continually monitored, evaluated and improved
Val IT Areas
- Strategic: Are we doing the right thing?
- Value: Are we getting the benefits?
- Architecture: Are we doing them the right way?
- Delivery: Are we getting them done well?
Val IT
- VG: Value Governance
- IM: Investment Management
- PM: Portfolio Management
Val IT Processes
- Business and IT strategy
- Investment management
- Portfolio, program and project management
- Monitoring and evaluating value delivery
The Cobit Framework
- Links to business requirements
- Maps business goals to IT goals to process goals
Each Cobit Process Has
- A business requirement that it satisfies
- Key goals that it focuses on
- Key controls that help achieve the goals
- Key metrics that help measure performance
- Control objectives
- Control practices for each control objective
Cobit Management Guidelines
- Management guidelines provide tools to set measurable objectives for each process and to measure and compare the organization’s current capability in each process.
  o Dashboard/Indicators
  o Scorecards/Measures
     Financial
     Customer
     Internal Process
     Learning/Innovation
  o Benchmarking/Comparison
- Provide resources for the 34 processes to help the management understand the performance of the organization. Each process has:
  o Process Input: What a process owner needs from others
  o Process Output: What the process owner has to deliver
  o Key Activity/RACI: Shows the RACI chart
IT Goals and Metrics
Define what the business expects from IT, that is, what the business would use to measure IT.
Maturity Models help organizations measure process capability from 0-5.
- KGI – Outcome Measure:
Key goal indicator; measures that tell management, after the fact, whether an IT process has achieved its business requirements, usually expressed in terms of information criteria. Define measures that inform the management, after the fact, whether an IT function, process, or activity has achieved its goals.
Key performance indicator; measures that determine how well the process is performing in enabling the goal to be reached. They are lead indicators of whether a goal will likely be reached, and are good indicators of capabilities, practices and skills. They measure the activity goals, which are the actions the process owner must take to achieve effective process performance.
Example KGIs for the DS2 and PO10 headings:
DS2 – KGI
o Number of user complaints due to contracted services
o Percent of purchase spend subject to competitive procurement
o Percent of major suppliers meeting clearly defined requirements and service levels
o Number of formal disputes with suppliers
o Percent of supplier invoices disputed
PO10 – KGI
o Percent of projects meeting stakeholders’ expectations (on time, on budget and meeting requirements, weighted by importance)
o Percent of projects on time and on budget
o Percent of projects meeting stakeholder expectations
- KPI – Performance Indicators:
Define measures that determine how well the business, IT function, or IT process is performing in enabling the reaching of goals. They are lead indicators of whether goals will be reached, driving the higher-level goals.
Example KPIs for the DS2 and PO10 headings:
PO10 – KPI
o Percent of projects following project management standards and practices
o Percent of certified or trained project managers
o Percent of projects receiving post-implementation reviews
o Percent of stakeholders participating in projects (involvement index)
DS2 – KPI
o Percent of major suppliers subject to clearly defined requirements and service levels
o Percent of major suppliers subject to monitoring
o Level of business satisfaction with effectiveness of communication from the supplier
o Level of supplier satisfaction with effectiveness of communication from the business
o Number of significant incidents of supplier non-compliance per time period
IT Goals → Process → Activities
Benchmarking:
Provides a scale to benchmark company practices against industry standards and guidelines.
o (0) Nonexistent: Processes are not applied at all
o (1) Initial: Processes are ad hoc and disorganized
o (2) Repeatable: Processes follow a regular pattern
o (3) Defined: Documented and communicated
o (4) Managed: Monitored and measured
o (5) Optimized: Good practices, automated
Assurance Guide
- To provide guidance on how to use Cobit to support a variety of IT assurance
- To enable the users to leverage Cobit when planning and performing assurance reviews, so that business, IT, and assurance professionals are all aligned around a common framework and objectives
- To provide guidance on planning, scoping and executing assurance reviews
The Assurance Guide Roadmap Stages
- Planning
- Scoping
- Execution
Management Guidelines Provide
- Process inputs and outputs
- Process activities and RACI charts
- Business, IT, process, and activity goals
- Metrics (KGI/KPI)
- Maturity models
The Execution Phase Stages
- Refine understanding
- Refine scope
- Test control design
- Test control outcome
- Document impact
- Communicate conclusions
SOX: Establishing, evaluating, and monitoring the effectiveness of internal control over financial reports.
ITIL: IT service management
ISO 17799: Information Security Management
CMM: Software Delivery
COSO: Internal Controls
The Standards and Frameworks/Cobit
- Cobit is harmonized with other frameworks
- Cobit is aligned with COSO
- Cobit is positioned centrally at the general level, helping integrate technical and specific practices with broader business practices.
- Cobit IT processes also relate to multiple COSO components
- Cobit can be used to ensure compliance with laws and regulations
- Cobit’s processes and controls can be tailored to meet specific regulations such as SOX.
Cobit ONLINE
- Browsing
  o Browse all contents
  o New filter/My Cobit
  o PDF downloads
  o Cobit summary table
- Benchmarking
  Benchmarking is another component of Cobit Online. The benchmarking feature enables users to input scores such as
  o Process maturity levels
  o Importance of a process
  o Importance of a control objective
  o Importance of process goals
  o Importance of IT goals
  o Control practices
  o Extract comparisons with other users
- Feedback & Survey
  Periodically, ISACA initiates surveys on Cobit usage and invites all Cobit Online users to participate in the surveys. This helps raise awareness of common Cobit issues/experiences among users.
- Community
  The community feature allows the sharing of information and queries among users.
- Help
  The help, FAQ, glossary, search, and email features are available on every page of Cobit Online.
Cobit QUICKSTART
- Enables you to adopt the important elements of Cobit by providing a summarized version of Cobit resources.
- Focuses on IT processes, control objectives and metrics.
- Provides a baseline of control objectives for small and medium-sized enterprises (SMEs), and small entities of large enterprises, where IT is not strategic or critical for survival.
- Serves as a starting point for other enterprises in their move toward an appropriate level of control and governance.
Cobit Quickstart: Baseline
- Is available as a publication
- Helps rapidly understand important issues and management priorities. In addition, it can be followed by nontechnical people or managers who want principles, not details; and it acts as a springboard to Cobit.
- Can be used to perform an assessment to prioritize the Cobit processes when starting a Cobit implementation or IT governance project.
IT Governance Implementation Guide
- Provides a methodology, a detailed road map and a toolset to implement a continuous IT governance life cycle using Cobit.
IT Governance Implementation Guide: Focus Areas
- Why IT governance is important and why organizations should implement it.
- How Cobit is linked to IT governance and how Cobit enables the implementation of IT governance.
- Stakeholders who have an interest in IT governance
- A road map to implement IT governance using Cobit.
Implementation Guide Approach
- The implementation guide approach identifies the need to create and preserve value in a way that aligns formulation and execution with the organization’s business objectives.
- The approach involves performing a gap analysis of the as-is and to-be positions, leading to project identification and initiation.
Cobit Security Baseline
- Provides information security survival kits in simple language for any organization or individual who needs to understand how to implement the Cobit framework.
- Security survival kits are available for all levels of personnel, such as home users, professionals, executives and managers.
- Serves as a nontechnical security guide and a quick start for security objectives.
- Has a cross-reference to ISO/IEC 17799
- Is available as a PDF, and as a booklet with laminated survival kits from the ISACA bookstore.
Cobit Development Strategy
- Values
  o Sharing knowledge
  o Leveraging expertise
  o Influencing good practices
- Vision
  o To be the internationally accepted standard for good practice in the governance and control of IT and to assist users, right from assessment to implementation.
- Mission
  o To further influence and support an expanding target audience with online, continuously up-to-date knowledge of IT control, assurance, and governance through a coherent, up-to-date product set.
- Target Audience
  o Who
     Executives and boards
     Management
     Professionals
  o What
     Direct and provide leadership
     Assess and prioritize
     Implement
Business Requirements
- Quality Requirements:
  o Quality
  o Cost
  o Delivery
- Fiduciary Requirements (COSO Report)
  o Effectiveness and Efficiency of Operations
  o Reliability of Information
  o Compliance with Laws and Regulations
- Security Requirements
  o Confidentiality
  o Integrity
  o Availability
Control Objective & Control Practices
Control Objective
A statement of the desired result or purpose to be achieved by implementing control procedures in a particular process.
Control Practice
A key control mechanism that supports the achievement of control objectives through responsible use of resources, appropriate management of risk and alignment of IT with the business.
DS2.1 SUPPLIER INTERFACES
CONTROL OBJECTIVE
Management should ensure that all third-party providers’ services are properly identified and the technical and organisational interfaces with suppliers are documented.
Control Practices
- Policy and procedures in relation to maintaining a register of key suppliers to the IT function are developed. The register details the name of supplier and nature, scope and purpose of the relationship. Procedures link to, and should be integrated with, procurement and configuration management procedures.
- The register of IT suppliers is periodically reviewed to ensure that it remains current.
- Policy and procedures in relation to maintaining a register of system interfaces are developed. The register details the name of the interface, the systems it relates to and the purpose (in both business and IT terms). Procedures link to, and should be integrated with, configuration and change management procedures.
DS2.2 OWNER RELATIONSHIPS
CONTROL OBJECTIVE
The customer organisation management should appoint a relationship owner who is responsible for ensuring the quality of the relationships with third parties.
Control Practices
- Management retains accountability for provision and quality of services delivered by third parties.
- Roles and responsibilities for management of the overall supplier relationship and management of individual supplier contracts are formalised.
- Roles are assigned to appropriate personnel based on experience and qualifications. These roles are communicated within the organisation to ensure awareness.
- Reporting lines between the organisation and the third party, and within the organisation itself, are defined and documented.
- Formal measures for the quality of the relationship with third parties are determined, implemented and monitored. Management agrees to specific, measurable, achievable, results-oriented and time-bound (SMART) service levels with the supplier management and assesses compliance with these SLAs with agreed frequency.
PO10.1 Project Management Framework
CONTROL OBJECTIVE
Management should establish a general project management framework that defines the scope and boundaries of managing projects, as well as the project management methodology to be adopted and applied to each project undertaken. The methodology should cover, at a minimum, the allocation of responsibilities, task breakdown, budgeting of time and resources, milestones, check points and approvals.
Control Practices
- Management establishes a project management framework to be adopted and applied to each project.
- The project management framework is consistent with, and an integral component of, the organisation’s programme management framework. The framework is subject to periodic assessment to ensure its ongoing appropriateness in light of changing conditions.
- The project management framework establishes senior management sponsorship of projects. The project sponsor’s role, responsibilities and accountabilities are clearly defined and supported by the required level of decision-making authority within the organisation. An indication of the level of involvement required to effectively fulfil the role is included in the role description.
- The organisation performs a periodic assessment of its programme and project management capabilities against the project management framework and the organisation’s portfolio of projects. Gaps in capability are identified and addressed appropriately.
- The project management framework includes guidance on the role and use of an existing programme or project office, or the creation of such a function for a project.
- The project management framework includes a change control process for recording, evaluating, communicating and authorising changes to the project scope, project requirements or system design.
- The project management framework considers the requirements for controlling the organisation’s portfolio of projects.
- The project management framework satisfies local statute and regulatory requirements for project management.
Sample exams and useful links:
http://www.portalgsti.com.br/2009/10/simulado-cobit-foundation-1.html
http://www.portalgsti.com.br/2009/10/simulado-cobit-foundation-2.html
http://www.portalgsti.com.br/2009/10/simulado-cobit-foundation-3.html
http://www.portalgsti.com.br/2009/10/simulado-cobit-foundation-4.html
http://www.portalgsti.com.br/2009/10/simulado-cobit-foundation-5.html
http://www.portalgsti.com.br/2009/10/simulado-cobit-foundation-6.html
http://www.portalgsti.com.br/2009/10/simulado-cobit-foundation-7.html
http://www.itpreneurs.nl/quiz/cobit/
http://armwebs.org/cobit/My%20Quizzes/cobit1.html
http://armwebs.org/cobit/My%20Quizzes/cobit3.html
http://armwebs.org/cobit/My%20Quizzes/cobit2.html
http://armwebs.org/cobit/My%20Quizzes/cobit4.html
http://www.bestpracticehelp.com/cobitquiz.php