Evaluation
IT Measurement
Objectives
Management (IT and business) can be kept
informed of the activity and progress of the IT
organization.
Introduction
Measurement is needed to determine how well IT is performing
and whether IT is meeting the demands of the firm.
In general, organizations want to measure in order to know
how effectively and efficiently information technology is
performing.
The challenge is choosing what and when to measure:
financial measures value IT, but do not indicate how well
the processes are being performed or how they can be
enhanced.
Introduction
Questions:
Is the process meeting the needs of the business
partner?
Is the process operating at its optimum levels?
Is the process often non-functional or inoperable?
MEASURING IT
Pressure on IT managers to evaluate and justify the
contribution of IT expenditures to:
Productivity
Quality
Competitiveness of the organization
Overview
COBIT consists of a framework of IT processes and
control objectives that can be implemented to control,
audit and manage the IT organization.
The framework is based on best practices and audit
and control of information systems. It particularly aims
at helping leaders understand and manage the risks
relating to IT and the links between the management
processes, the technical questions, the need for control
and the risks.
COBIT is structured around four main domains of
management comprising 34 management processes
associated with information technology.
Monitoring
31. Monitor the processes
32. Assess internal control adequacy
33. Obtain independent assurance
34. Provide for independent audit
INFORMATION TECHNOLOGY
CONTROL GUIDELINES (CICA)
Overview
This model, developed by the Canadian Institute of
Chartered Accountants (CICA), is based on the concept of
organizational roles and establishes responsibilities for
security and control processes.
In this context, the roles are classified into seven
categories:
1. Senior management
2. CIO
3. Owners
4. Stakeholders
5. End users of the information systems
6. Suppliers of services for development
7. IT operations and systems support
Activities
Approve the strategies, policies and standards; define
responsibilities; and develop and approve the business plans.
Owners
Stakeholders
End Users
IT planning
Acquisition, development and maintenance of IT systems
IT operations and support of systems
IT security
Continuity plans and resumption of IT services
Applications controls
Overview
This model, developed by the US General Accounting
Office, identifies the critical processes that ensure the
success of investments in IT and organizes them
around five levels of maturity.
This model focuses on investments in IT, according to
the following phases:
Selection of the projects: determination of the projects
that best support the mission of the organization, by taking
into account the risks and returns on the investment
Control of the projects: assurance that the projects
continue to meet the needs and the required service levels
Evaluation of the projects: comparison of the anticipated
and reached results
3. Developing a complete investment portfolio
Critical processes
IT expenditure without a structured investment
processes
IT investment board operations
IT project oversight
IT asset alignment
Business needs identification for IT projects
Proposal selection
IT investment board
Portfolio selection criteria definition
Investment analysis
Development portfolio
Portfolio oversight performance
Post-implementation reviews and feedback
Portfolio performance evaluation and improvement
Investment benchmarking process
IT-driven strategic business changes
In addition, the GAO provides a structured process of
evaluation using the above described model.
Overview
The American Institute of Public Certified
Accountants (AICPA) and the Canadian Institute
of Chartered Accountants (CICA) have jointly
developed SysTrust, a framework for evaluating
the reliability of information systems.
The two organizations also are offering an
education program to train assessors in providing
a certification of IT organizations based on
SysTrust principles.
SOFTWARE DEVELOPMENT
CAPABILITY MATURITY MODEL
Overview
This model was developed by the Software Engineering
Institute (SEI) of the Carnegie Mellon University in
Pittsburgh, PA, USA.
It is used to evaluate the capability of the IT
organization in the development and maintenance of
information systems.
It includes 18 key sectors to be addressed across five levels
of maturity.
The SEI capability maturity model provided some of
the basic concepts used in developing process maturity
models for the 34 IT processes of COBIT, as published
in the COBIT Management Guidelines in July 2000.
Level of maturity
1. Initial
2. Repeatable
3. Defined
4. Controlled
5. Optimized
Key sectors
None
Management of needs and requirements
Planning of software development projects
Follow-up and supervision of the software
development projects
Management of subcontract software
Quality assurance of software
Software configuration management
Organizational focus on the processes
Definition of the organization's processes
Training approach
Software integration management
Software engineering of products
Coordination joint committee
Peer review
Quantitative management of processes
Software quality management
Prevention of deficiencies and weaknesses
Management of technological changes
Management of process changes
Overview
This reference work is the result of the
accumulated experiences of the Information
Technology Resources Board (ITRB), a group of
leaders in IT from US federal government
agencies.
It is a tool for evaluating how the strategic
implementation of IT supports the organization's
mission and improves its products and services.
The analysis is supported by nearly 300 yes/no
questions, grouped around critical issues.
Critical Issues
Overview
This guide from the Project Management Institute
focuses on best practices for project management.
It positions the various phases of a project (initiation,
planning, implementation and control) as well as the
practices of project management related to each one
of these phases.
The practices of project management can be
considered along two dimensions: the processes
to be satisfied (e.g., management of project cost)
and the phases of the project (e.g., planning of the
activities to be performed).
Nine areas of expertise
Overview
Initiated by the US National Security Agency, this framework
describes the essential characteristics of an organizational
architecture for IT security, according to practices
generally observed in agencies of the US federal
government. It covers the following aspects:
1. The complete life cycle of an information system
2. A review of activities covering the entire organization,
including those with a technical focus such as software
engineering and the interoperability among the various IT
areas of the organization
3. Coordinating activities with other operational areas of
the organization, such as asset acquisitions, systems
management and internal auditing
Overview
This set of best practices is based on reviews
conducted by the US GAO in eight agencies
recognized as leaders in IT security.
It identifies critical issues required to ensure
an adequate management of IT security.
Overview
The model analyzes IT security according to
three criteria:
1. Evaluation of the risk: determination and scope of
the threats;
2. Putting measures in place: design and implementation
of the required solutions; and
3. Assurance: corroboration of the need for security.
Overview
It examines the status of 22 practical issues of IT
security and management and compares them
with a table of maturity levels that is defined in
terms of expected results.
Levels of maturity:
Level 1: all the activities related to security are carried
out at least in a basic way
Level 2: the activities are planned and followed
Level 3: well defined
Level 4: controlled quantitatively
Level 5.
Coordination of activities
Establish an organizational group dedicated to
IT security.
Ensure access to senior management by the
management of the security function.
Provide the security group with the required
human and financial resources.
Ensure continuous training and required
professional certifications.
Implementation of programs to
ensure organizational involvement
Train end users and stakeholders to address
identified risks and comply with policies.
Conclusion
Following the survey and assessment of evaluation models that
address the needs of the audit of electronic service delivery, the
authors selected COBIT 3rd Edition as the main evaluation tool.
The main rationale for selecting COBIT is that it is up-to-date
(released in July 2000) and that it integrates the key issues that
must be considered when managing and controlling IT activities.
COBIT integrates the key IT processes of an organization and
supports the different perspectives and needs of IT management
and of audit and control professionals.
As COBIT is a process-oriented framework, it also provides the
basis for communicating well with end users and general
management.
Conclusion
The authors selected 11 of the 34 IT processes of COBIT, which
they believed to be most pertinent, from the following areas:
Planning and Organization:
Monitoring:
Monitor the processes
Obtain independent assurance
Audit Techniques
Auditing Around the Computer
For simple, non-integrated information systems, where the
processing inside the computer is assumed to be correct. The
processing software is treated as a black box. The audit
covers only its inputs and outputs.
Performance Measurement
Approaches
Monitoring organisational
effectiveness
Information Economics