COBIT Foundation v4.1 Exam Study Notes

Dear friends, in this document I present the information I compiled from various sources while preparing for the COBIT Foundation v4.1 exam, which I believe will prepare you for the exam and expand your knowledge of the COBIT standards. I hope it is useful; for any questions or criticism, my e-mail address is stoksoz[at]gmail.com.

Suat TOKSÖZ, GRC Specialist

The COBIT Foundation certificate exam is administered by ISACA online as a multiple-choice exam. The exam consists of 40 questions, and a score of 70% or more correct answers is required to pass. Candidates who pass are awarded the COBIT 4.1 Foundation Certificate by ISACA. The content of the COBIT Foundation exam and the weight of each area in the exam are as follows:

- Responding to IT Challenges (15%)
- COBIT Framework (30%)
- What COBIT Provides (30%)
- Applying COBIT (10%)
- COBIT Products and Support from ISACA (15%)

COBIT 4.1 Foundation Exam Review

IT Challenges:
- Keep IT running
- Value
- Cost
- Mastering complexity
- Aligning IT with business
- Regulatory compliance
- Security

Principles of IT Governance:
- Direct and control
- Responsibility
- Accountability
- Activities

Internal Stakeholders:
- IT manager
- Risk and compliance manager
- Board, executive and business manager
- IT auditor

External Stakeholders:
- External auditors
- Regulators
- Customers
- Suppliers

IT Governance: Focus Areas
- Strategic alignment
- Value delivery
- Risk management
- Resource management
- Performance management

Benefits of IT Governance:
- More reliable services
- More transparency
- Responsiveness of IT to business
- Confidence of top management
- Higher return on investment (ROI)

Characteristics of a Control Framework:
- Business focus
- Process orientation
- General acceptability
- Common language
- Regulatory requirements

COBIT's Main Characteristics:
- Business focused
- Process oriented
- Controls based
- Measurement driven

COBIT Components:
- IT resources
- IT processes
- Enterprise information
- Business requirements

Together these form the COBIT Cube.

COBIT Domains
- PO: Plan and Organise
- AI: Acquire and Implement
- DS: Deliver and Support
- ME: Monitor and Evaluate

Processes are series of activities with natural breaks. There are 34 processes across the 4 domains. The 34 processes specify what the business needs to achieve its objectives. The delivery of information is controlled through 34 high-level control objectives, one for each process.

PO Objectives
- Formulating strategy and tactics
- Identifying how IT can best contribute to achieving business objectives
- Planning, communicating and managing the realisation of the strategic vision
- Implementing organisational and technological infrastructure

AI Objectives
- Identifying, developing or acquiring, implementing and integrating IT solutions
- Changing and maintaining existing systems

DS Objectives
- The actual delivery of required services, including service delivery
- The management of security, continuity, data and operational facilities
- Service support for users

ME Objectives
- Performance management
- Monitoring of internal control
- Regulatory compliance
- Governance

COBIT:
- Has internationally accepted good practices
- Is management-oriented
- Is supported by tools and training
- Is freely available
- Maps COSO 100%
- Allows sharing and leveraging of knowledge
- Continually evolves
- Is maintained by a reputable nonprofit organisation
- Maps strongly to all major related standards
- Is a reference, not an "off the shelf" cure

Enterprises need to customise COBIT based on:
- Value drivers
- Risk profile
- IT infrastructure, organisation and project portfolio

Val IT Focuses On:
- Re-investment decisions
- Realisation of benefits

Val IT Goal Statement
The goal of the Val IT initiative is to help management ensure that organisations realise optimal value from IT-enabled business investments at an affordable cost with a known and acceptable level of risk.
Val IT Principles
- A portfolio of investments
- Full scope of activities
- Full economic life cycle
- Different categories of investments
- Key metrics
- Appropriate accountability
- Continually monitored, evaluated and improved

Val IT Areas
- Strategic: Are we doing the right thing?
- Value: Are we getting the benefits?
- Architecture: Are we doing them the right way?
- Delivery: Are we getting them done well?

Val IT:
- VG: Value Governance
- IM: Investment Management
- PM: Portfolio Management

Val IT Processes
- Business and IT strategy
- Investment management
- Portfolio, programme and project management
- Monitoring and evaluating value delivery

The COBIT Framework
- Links to business requirements
- Maps business goals to IT goals to process goals

Each COBIT Process Has:
- A business requirement that it satisfies
- Key goals that it focuses on
- Key controls that help achieve the goals
- Key metrics that help measure performance
- Control objectives
- Control practices for each control objective

COBIT Management Guidelines
Management guidelines provide tools to set measurable objectives for each process, and to measure and compare the organisation's current capability in each process.
- Dashboard / indicators
- Scorecards / measures
  - Financial
  - Customer
  - Internal process
  - Learning / innovation
- Benchmarking / comparison

They provide resources for the 34 processes to help management understand the performance of the organisation. Each process has:
- Process input: what a process owner needs from others
- Process output: what the process owner has to deliver
- Key activity / RACI: shows the RACI chart

IT Goals and Metrics
Define what the business expects from IT, that is, what the business would use to measure IT.

Maturity Models help organisations measure process capability on a scale from 0 to 5.

KGI – Outcome Measures
Key goal indicator: measures that tell management, after the fact, whether an IT process has achieved its business requirements, usually expressed in terms of information criteria. KGIs define measures that inform management, after the fact, whether an IT function, process or activity has achieved its goals.

Example KGIs for DS2 and PO10:

DS2 – KGI
- Number of user complaints due to contracted services
- Percent of purchase spend subject to competitive procurement
- Percent of major suppliers meeting clearly defined requirements and service levels
- Number of formal disputes with suppliers
- Percent of supplier invoices disputed

PO10 – KGI
- Percent of projects meeting stakeholder expectations (on time, on budget and meeting requirements, weighted by importance)
- Percent of projects on time and on budget
- Percent of projects meeting stakeholder expectations

KPI – Performance Indicators
Key performance indicator: measures that determine how well the business, IT function or IT process is performing in enabling the goals to be reached. They are lead indicators of whether a goal will likely be reached, driving the higher-level goals, and are good indicators of capabilities, practices and skills. They measure the activity goals, which are the actions the process owner must take to achieve effective process performance.
Example KPIs for DS2 and PO10:

PO10 – KPI
- Percent of projects following project management standards and practices
- Percent of certified or trained project managers
- Percent of projects receiving post-implementation reviews
- Percent of stakeholders participating in projects (involvement index)

DS2 – KPI
- Percent of major suppliers subject to clearly defined requirements and service levels
- Percent of major suppliers subject to monitoring
- Level of business satisfaction with effectiveness of communication from the supplier
- Level of supplier satisfaction with effectiveness of communication from the business
- Number of significant incidents of supplier non-compliance per time period

Goal levels: IT goals, process goals, activities.

Benchmarking
Provides a scale to benchmark company practices against industry standards and guidelines.
- (0) Non-existent: processes are not applied at all
- (1) Initial: processes are ad hoc and disorganised
- (2) Repeatable: processes follow a regular pattern
- (3) Defined: documented and communicated
- (4) Managed: monitored and measured
- (5) Optimised: good practices, automated

Assurance Guide
- To provide guidance on how to use COBIT to support a variety of IT assurance activities
- To enable users to leverage COBIT when planning and performing assurance reviews, so that business, IT and assurance professionals are all aligned around a common framework and objectives
- To provide guidance on planning, scoping and executing assurance reviews

The Assurance Guide Roadmap Stages
- Planning
- Scoping
- Execution

Management Guidelines Provide:
- Process inputs and outputs
- Process activities and RACI charts
- Business, IT, process and activity goals
- Metrics (KGI/KPI)
- Maturity models

The Execution Phase Stages
- Refine understanding
- Refine scope
- Test control design
- Test control outcome
- Document impact
- Communicate conclusions

Related standards and frameworks:
- SOX: establishing, evaluating and monitoring the effectiveness of internal control over financial reporting
- ITIL: IT service management
- ISO 17799: information security management
- CMM: software delivery
- COSO: internal controls

The Standards and Frameworks / COBIT
- COBIT is harmonised with other frameworks
- COBIT is aligned with COSO
- COBIT is positioned centrally at the general level, helping integrate technical and specific practices with broader business practices
- COBIT IT processes also relate to multiple COSO components
- COBIT can be used to ensure compliance with laws and regulations
- COBIT's processes and controls can be tailored to meet specific regulations such as SOX

COBIT Online

Browsing
- Browse all contents
- New filter / My COBIT
- PDF downloads
- COBIT summary table

Benchmarking
Benchmarking is another component of COBIT Online. The benchmarking feature enables users to input scores such as:
- Process maturity levels
- Importance of a process
- Importance of a control objective
- Importance of process goals
- Importance of IT goals
- Control practices
and to extract comparisons with other users.

Feedback & Survey
Periodically, ISACA initiates surveys on COBIT usage and invites all COBIT Online users to participate. This helps raise awareness of common COBIT issues and experiences among users.

Community
The community feature allows the sharing of information and queries among users.

Help
The help, FAQ, glossary, search and e-mail features are available on every page of COBIT Online.

COBIT Quickstart
- Enables you to adopt the important elements of COBIT by providing a summarised version of COBIT resources
- Focuses on IT processes, control objectives and metrics
- Provides a baseline of control objectives for small and medium-sized enterprises (SMEs), and for small entities of large enterprises, where IT is not strategic or critical for survival
- Serves as a starting point for other enterprises in their move toward an appropriate level of control and governance
COBIT Quickstart: Baseline
- Is available as a publication
- Helps rapidly understand important issues and management priorities. In addition, it can be followed by non-technical people or managers who want principles, not details, and it acts as a springboard to COBIT
- Can be used to perform an assessment to prioritise the COBIT processes when starting a COBIT implementation or IT governance project

IT Governance Implementation Guide
Provides a methodology, a detailed road map and a toolset to implement a continuous IT governance life cycle using COBIT.

IT Governance Implementation Guide: Focus Areas
- Why IT governance is important and why organisations should implement it
- How COBIT is linked to IT governance and how COBIT enables the implementation of IT governance
- Stakeholders who have an interest in IT governance
- A road map to implement IT governance using COBIT

Implementation Guide Approach
The implementation guide approach identifies the need to create and preserve value in a way that aligns formulation and execution with the organisation's business objectives. The approach involves performing a gap analysis between the as-is and to-be positions, leading to project identification and initiation.

COBIT Security Baseline
- Provides information security survival kits in simple language for any organisation or individual who needs to understand how to implement the COBIT framework
- Security survival kits are available for all levels of personnel, such as home users, professionals, executives and managers
- Serves as a non-technical security guide and a quick start for security objectives
- Has a cross-reference to ISO/IEC 17799
- Is available as a PDF and as a booklet with laminated survival kits from the ISACA bookstore
COBIT Development Strategy

Values
- Sharing knowledge
- Leveraging expertise
- Influencing good practices

Vision
- To be the internationally accepted standard for good practice in the governance and control of IT, and to assist users right from assessment to implementation

Mission
- To further influence and support an expanding target audience with online, continuously up-to-date knowledge of IT control, assurance and governance through a coherent, up-to-date product set

Target Audience
- Who: executives and boards, management, professionals
- What: direct and provide leadership, assess and prioritise, implement

Business Requirements

Quality Requirements:
- Quality
- Cost
- Delivery

Fiduciary Requirements (COSO Report):
- Effectiveness and efficiency of operations
- Reliability of information
- Compliance with laws and regulations

Security Requirements:
- Confidentiality
- Integrity
- Availability

Control Objectives & Control Practices

Control Objective: a statement of the desired result or purpose to be achieved by implementing control procedures in a particular process.

Control Practice: a key control mechanism that supports the achievement of control objectives through responsible use of resources, appropriate management of risk and alignment of IT with the business.

DS2.1 SUPPLIER INTERFACES
Control Objective: Management should ensure that all third-party providers' services are properly identified and the technical and organisational interfaces with suppliers are documented.
Control Practices:
- Policy and procedures in relation to maintaining a register of key suppliers to the IT function are developed. The register details the name of the supplier and the nature, scope and purpose of the relationship. Procedures link to, and should be integrated with, procurement and configuration management procedures.
- The register of IT suppliers is periodically reviewed to ensure that it remains current.
- Policy and procedures in relation to maintaining a register of system interfaces are developed.
  The register details the name of the interface, the systems it relates to and the purpose (in both business and IT terms). Procedures link to, and should be integrated with, configuration and change management procedures.

DS2.2 OWNER RELATIONSHIPS
Control Objective: The customer organisation's management should appoint a relationship owner who is responsible for ensuring the quality of the relationships with third parties.
Control Practices:
- Management retains accountability for the provision and quality of services delivered by third parties.
- Roles and responsibilities for management of the overall supplier relationship and management of individual supplier contracts are formalised. Roles are assigned to appropriate personnel based on experience and qualifications. These roles are communicated within the organisation to ensure awareness.
- Reporting lines between the organisation and the third party, and within the organisation itself, are defined and documented.
- Formal measures for the quality of the relationship with third parties are determined, implemented and monitored.
- Management agrees specific, measurable, achievable, results-oriented and time-bound (SMART) service levels with supplier management and assesses compliance with these SLAs at an agreed frequency.

PO10.1 PROJECT MANAGEMENT FRAMEWORK
Control Objective: Management should establish a general project management framework that defines the scope and boundaries of managing projects, as well as the project management methodology to be adopted and applied to each project undertaken. The methodology should cover, at a minimum, the allocation of responsibilities, task breakdown, budgeting of time and resources, milestones, checkpoints and approvals.
Control Practices:
- Management establishes a project management framework to be adopted and applied to each project. The project management framework is consistent with, and an integral component of, the organisation's programme management framework.
- The framework is subject to periodic assessment to ensure its ongoing appropriateness in light of changing conditions.
- The project management framework establishes senior management sponsorship of projects. The project sponsor's role, responsibilities and accountabilities are clearly defined and supported by the required level of decision-making authority within the organisation. An indication of the level of involvement required to effectively fulfil the role is included in the role description.
- The organisation performs a periodic assessment of its programme and project management capabilities against the project management framework and the organisation's portfolio of projects. Gaps in capability are identified and addressed appropriately.
- The project management framework includes guidance on the role and use of an existing programme or project office, or the creation of such a function for a project.
- The project management framework includes a change control process for recording, evaluating, communicating and authorising changes to the project scope, project requirements or system design.
- The project management framework considers the requirements for controlling the organisation's portfolio of projects.
- The project management framework satisfies local statute and regulatory requirements for project management.
Sample exams and useful links:
- http://www.portalgsti.com.br/2009/10/simulado-cobit-foundation-1.html
- http://www.portalgsti.com.br/2009/10/simulado-cobit-foundation-2.html
- http://www.portalgsti.com.br/2009/10/simulado-cobit-foundation-3.html
- http://www.portalgsti.com.br/2009/10/simulado-cobit-foundation-4.html
- http://www.portalgsti.com.br/2009/10/simulado-cobit-foundation-5.html
- http://www.portalgsti.com.br/2009/10/simulado-cobit-foundation-6.html
- http://www.portalgsti.com.br/2009/10/simulado-cobit-foundation-7.html
- http://www.itpreneurs.nl/quiz/cobit/
- http://armwebs.org/cobit/My%20Quizzes/cobit1.html
- http://armwebs.org/cobit/My%20Quizzes/cobit2.html
- http://armwebs.org/cobit/My%20Quizzes/cobit3.html
- http://armwebs.org/cobit/My%20Quizzes/cobit4.html
- http://www.bestpracticehelp.com/cobitquiz.php