Information Technology Governance

Presentation transcript:

Information Technology Governance (Session 6)

IT governance is defined as an integral part of enterprise governance that encompasses leadership and the processes that direct and control the organisation so that it achieves its goals by adding value through the use of information technology, while balancing risk against the returns delivered by information technology and its processes.

IT governance is integral to the success of enterprise governance, through improvements in the effectiveness and efficiency of the related enterprise processes. IT governance provides the structure that links IT processes, IT resources and information to the enterprise's strategies and objectives.

IT governance integrates good (best) practices for planning and organising IT, development and implementation, delivery and support, and monitoring IT performance, to ensure that the enterprise's information and related technology support its business objectives.

IT governance enables the enterprise to take full advantage of its information, maximising the benefits from its opportunities and its competitive advantage.

IT Governance Framework

Example IT measures - Balanced Scorecard

What is the effect of IT on auditing? (Figure labels: Auditing; Changes in Evidence Collection; Changes in Evidence Evaluation; Changes in Auditors?)

COBIT Framework & ITIL: An approach of their complementarity

COBIT as a response to the needs: why and how is COBIT used?

- Incorporates major international standards
- Has become the de facto standard for overall control over IT
- Starts from business requirements
- Is process-oriented

(Figure: COBIT as a best-practices repository for IT Processes, IT Management Processes and IT Governance Processes.)

Standards and regulations covered in COBIT:

- Technical standards from International Organisation for Standardisation (ISO), United Nations Directories for Electronic Data Interchange for Administration, Commerce and Transport (EDIFACT), etc.
- Codes of Conduct issued by Council of Europe, Organization for Economic Co-operation and Development (OECD), ISACA, etc.
- Qualification criteria for IT systems and processes: Information Technology Security Evaluation Criteria (ITSEC), Trusted Computer System Evaluation Criteria (TCSEC), ISO9000, Software Process Improvement and Capability Determination (SPICE), Guide to Software Quality Management System Construction and Certification (TickIT), Common Criteria, etc.
- Professional standards in internal control and auditing: Committee of Sponsoring Organisations of the Treadway Commission (COSO) report, Canadian Institute of Chartered Accountants (CICA), International Federation of Accountants (IFAC), Institute of Internal Auditors (IIA), American Institute of Certified Public Accountants (AICPA), Government Accountability Office (GAO), President's Council on Integrity and Efficiency (PCIE), ISACA standards, etc.
- Industry practices and requirements from industry forums, such as the European Security Forum (ESF), I4 and government-sponsored platforms, such as the Infosec Business Advisory Group (IBAG), National Institute of Standards and Technology (NIST), Department of Trade and Industry (DTI), British Standard (BS) 7799, etc.
- Emerging industry-specific requirements, for example, from banking, electronic commerce, health and pharmaceutical and IT manufacturing

COBIT:

- Focuses on generally applicable and accepted international standards for good practice for IT controls
- Applies to enterprisewide information systems, regardless of technology
- Starts from business requirements for information
- Is management and business process owner-oriented
- Is based on ITGI's COBIT Control Objectives:
  - Aligned with the de jure and de facto standards and regulations
  - Based on critical review of tasks and activities or process focus
  - Includes existing standards and regulations: ISO, EDIFACT and others; Codes of Conduct issued by the Council of Europe; professional standards in auditing: COSO, IFAC, IIA, ISACA, AICPA, etc.
- Was first published in April 1996, with the 2nd edition issued in 1998 and the 3rd edition in July 2000
- Has become the de facto standard for control over IT
- Is fundamental in achieving IT governance

COBIT Framework

Business Objectives

Criteria: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability

IT RESOURCES: Data, Application systems, Technology, Facilities, People

PLAN AND ORGANISE
PO1 Define a strategic IT plan
PO2 Define the information architecture
PO3 Determine the technological direction
PO4 Define the IT organisation and relationships
PO5 Manage the IT investment
PO6 Communicate management aims and direction
PO7 Manage human resources
PO8 Ensure compliance with external requirements
PO9 Assess risks
PO10 Manage projects
PO11 Manage quality

ACQUIRE AND IMPLEMENT
AI1 Identify automated solutions
AI2 Acquire and maintain application software
AI3 Acquire and maintain technology infrastructure
AI4 Develop and maintain IT procedures
AI5 Install and accredit systems
AI6 Manage changes

DELIVER AND SUPPORT
DS1 Define service levels
DS2 Manage third-party services
DS3 Manage performance and capacity
DS4 Ensure continuous service
DS5 Ensure systems security
DS6 Identify and attribute costs
DS7 Educate and train users
DS8 Assist and advise IT customers
DS9 Manage the configuration
DS10 Manage problems and incidents
DS11 Manage data
DS12 Manage facilities
DS13 Manage operations

MONITOR AND EVALUATE
M1 Monitor the process
M2 Assess internal control adequacy
M3 Obtain independent assurance
M4 Provide for independent audit

How Does COBIT Link to IT Governance? (Figure labels: Direction; Requirements (IT Strategy and Policy); Control; Goals; Responsibilities; Objectives; Business; IT; IT Governance; Information the Business Needs to Achieve Its Objectives; Information (IT Control, Risk and Assurance).)

Introduction & objective

- COBIT is a framework for Governance, Control and Audit for Information and Related Technology developed by ISACA (Information Systems Audit and Control Association)
- ITIL is a comprehensive description of the processes involved in managing IT infrastructures (e.g. Helpdesk, Change Management…) based on best practices

=> Both are IT Governance mechanisms
=> The question is not "What is the best for my IT context?" but "How is it possible to obtain the best complementarities?"

Disciplines underlying IT auditing (Figure labels: Information System Auditing; Traditional auditing; Information system management; Computer science; Behavioural science; Concepts of control; System development; System efficiency; People problems.) Source: Information System Control and Audit, Ron Weber (1999)

COBIT ver 4.1
Control Objectives for Information and related Technology (COBIT, currently in edition 4.1) is a set of documented best practices for IT governance that can help auditors, management and users bridge the gap between business risks, control needs and technical issues.