Explanation of the COBIT 4.0 Framework, from Wikipedia

COBIT structure

COBIT covers four domains:

  • Plan and Organize
  • Acquire and Implement
  • Deliver and Support
  • Monitor and Evaluate

Plan and Organize

The Plan and Organize domain covers the use of information and technology and how best it can be used in a company to help achieve the company’s goals and objectives. It also highlights the organizational and infrastructural form IT is to take in order to achieve the optimal results and to generate the most benefits from the use of IT. The following table lists the IT processes contained in the Plan and Organize domain.

PO1 Define a Strategic IT Plan and direction
PO2 Define the Information Architecture
PO3 Determine Technological Direction
PO4 Define the IT Processes, Organization and Relationships
PO5 Manage the IT Investment
PO6 Communicate Management Aims and Direction
PO7 Manage IT Human Resources
PO8 Manage Quality
PO9 Assess and Manage IT Risks
PO10 Manage Projects

Acquire and Implement

The Acquire and Implement domain covers identifying IT requirements, acquiring the technology, and implementing it within the company’s current business processes. This domain also addresses the development of a maintenance plan that a company should adopt in order to prolong the life of an IT system and its components. The following table lists the IT processes contained in the Acquire and Implement domain.

AI1 Identify Automated Solutions
AI2 Acquire and Maintain Application Software
AI3 Acquire and Maintain Technology Infrastructure
AI4 Enable Operation and Use
AI5 Procure IT Resources
AI6 Manage Changes
AI7 Install and Accredit Solutions and Changes

Deliver and Support

The Deliver and Support domain focuses on the delivery aspects of information technology. It covers areas such as the execution of the applications within the IT system and its results, as well as the support processes that enable the effective and efficient execution of these IT systems. These support processes include security issues and training. The following table lists the IT processes contained in the Deliver and Support domain.

DS1 Define and Manage Service Levels
DS2 Manage Third-party Services
DS3 Manage Performance and Capacity
DS4 Ensure Continuous Service
DS5 Ensure Systems Security
DS6 Identify and Allocate Costs
DS7 Educate and Train Users
DS8 Manage Service Desk and Incidents
DS9 Manage the Configuration
DS10 Manage Problems
DS11 Manage Data
DS12 Manage the Physical Environment
DS13 Manage Operations

Monitor and Evaluate

The Monitor and Evaluate domain deals with a company’s strategy in assessing the needs of the company, whether or not the current system still meets the objectives for which it was designed, and the controls necessary to comply with regulatory requirements. Monitoring also covers the issue of an independent assessment, by internal and external auditors, of the effectiveness of the IT system in its ability to meet business objectives and of the company’s control processes. The following table lists the IT processes contained in the Monitor and Evaluate domain.

ME1 Monitor and Evaluate IT Processes
ME2 Monitor and Evaluate Internal Control
ME3 Ensure Regulatory Compliance
ME4 Provide IT Governance

IBM’s Total Solution for the Software Development Life Cycle (SDLC)

Architecture Management

IBM architecture management solutions are provided in two categories: Enterprise Architecture Management and Architecture, Design, and Construction.

  • The Enterprise Architecture Management (EAM) solution connects the business and technology needs of an organization into a cohesive and dynamic blueprint, providing key capabilities for managing the impact of business-driven change.

    EAM helps maximize cost savings from consolidations, mergers and acquisitions, and other change initiatives, while minimizing associated risks. It also helps identify potential areas to improve operational efficiency. Because EAM enables organizations to build connections from strategy to solution delivery, it can help you realize optimal business results from technology solutions.

    The IBM Rational® Enterprise Architecture Management solution can help you:

    • Make faster, better-informed strategic and tactical decisions
    • Prioritize IT investments to support business goals
    • Improve risk management of organizational transformation
    • Turn strategy into execution and measure the results

    IBM enterprise architecture solutions include:

Requirements Definition and Management

IBM Rational offers best practices in requirements definition and management proven to save time and money by helping you:

  • Reduce rework, improve quality of feedback, and accelerate time to market by collaborating with your stakeholders in more effective ways
  • Increase productivity by controlling and managing changes to requirements, as well as more efficiently organizing and finding requirements information
  • Align project deliverables with business goals and software requirements to deliver a solution that meets stakeholder needs
  • Reduce cost and minimize risk by analyzing the impact of changes as they occur
  • Demonstrate compliance by ensuring full traceability of requirements

IBM requirements definition and management solutions include these products:

Change and Release Management

IBM Rational offers comprehensive, integrated change and release management products for successful software delivery. These solutions help software and systems development teams improve productivity and team collaboration, gain better visibility into projects, automate processes, improve quality, manage distributed teams, and provide traceability across the software development lifecycle. IBM change and release management solutions include:

Process and Portfolio Management

IBM Rational product, project, and portfolio management solutions transform the way organizations define and deliver value. By enabling teams to align software and product investments to business objectives and to improve predictability of project success through best practice guidance and measurement, these solutions help companies achieve predictable and consistent business value from their software and systems delivery investments. They are open, integrated, and role-based, spanning the complete application lifecycle. IBM product, project and portfolio management solutions include:

Quality Management

IBM Rational software testing and quality management solutions transform the way that teams work together to deliver enduring quality. Offering a full set of software delivery process guidance, best practices, and integrated tools, these solutions support a broad range of heterogeneous applications to help testers and software quality teams achieve improvements in cost efficiency, quality metrics, and time-to-value for business-critical projects.

Our solutions accelerate discovery and diagnosis, ensuring clean communication between the business, development, quality assurance, and IT operations. These offerings are optimized to provide actionable development asset traceability, accelerated problem determination, and early detection of post-deployment availability risks.

Web Site Security and Compliance

IBM® Rational® AppScan® and Rational Policy Tester are Web site security and compliance solutions that automate application and content analysis. These tools help organizations identify vulnerabilities, assess compliance requirements, and improve the accuracy and reliability of online systems.

  • Web application security
    Rational AppScan provides Web application security vulnerability scanning, testing, and reporting.
  • Web site compliance
    Rational Policy Tester provides content scanning analysis for privacy, quality, and accessibility compliance testing and reporting.

For information on other Rational solutions, follow these links:

Learn about Jazz technology: IBM Rational’s new technology platform for collaborative software delivery.

Enterprise modernization: Increase ROI and reduce risk by leveraging proven code on IBM® System i®, IBM® System z® and distributed platforms.

SOA lifecycle management: Streamline the delivery and management of your SOA.

SOA governance: Realize the full benefit of your service-oriented architecture.

Rational Software Platform for Systems: Discover integrated solutions for systems engineering and embedded software development.

Regulatory compliance: Support mandates and standards better.

IT Compliance PBI, COBIT, ISO27001

The following is one piece of guidance on IT audit: a mapping between PBI 9/15/2007, COBIT and ISO 27001.
Besides that, there are also the ITIL and SDLC guidances, which are likewise the main guidance standards for IT management.

No | PBI 09/15/2007 | Area | COBIT | ISO 27001
---|----------------|------|-------|----------
1 | Management | IT Management | | A.5 Security policy
 | | IT Strategic Plan | PO1 Define a Strategic IT Plan |
 | | IT Organization | PO7 Manage IT Human Resources | A.6 Organization of information security
 | | Personnel Control | | A.8 Human resources security
 | | Project Management | PO5 Manage the IT Investment |
 | | Management Information System | |
 | | IT Risk Awareness Program | PO9 Assess and Manage IT Risks |
 | | Risk Monitoring & Measurement | |
2 | System Dev & Acquisition | Project Management | PO10 Manage Projects | A.12 IS Acquisition, Development & Maintenance
 | | Program Change Management | AI6 Manage Changes |
 | | Application Development Risk Management | AI2 Acquire and Maintain Application Software |
 | | Acquisition, Procurement & Outsourcing | AI5 Procure IT Resources |
3 | IT Operational Activities | Data Center Operational | AI4 Enable Operation and Use |
 | | Capacity Planning | DS3 Manage Performance and Capacity |
 | | Hardware & Software Configuration | DS9 Manage the Configuration |
 | | Problem & Incident Management | DS8 Manage Service Desk and Incidents | A.13 Information Security Incident Mgmt
 | | Datawarehouse Management | |
 | | Library Function | |
 | | QA Function | PO8 Manage Quality |
 | | Third Party Relationship | DS1 Define and Manage Service Levels |
 | | Disposal Management | |
 | | IT Operation Risk Management | DS13 Manage Operations |
4 | Communication Network | Network Management | | A.10 Communications & Operations Mgmt
 | | Network Access Control | | A.11 Access control
 | | Backup & Recovery | |
5 | Information Security | Asset Management | DS5 Ensure Systems Security | A.7 Asset management
 | | Human Resources Management | |
 | | Physical & Environment Security | DS12 Manage the Physical Environment | A.9 Physical and environmental security
 | | Logical Security | |
6 | Business Continuity Plan | Active Management Monitoring | DS4 Ensure Continuous Service | A.14 Business Continuity Management
 | | Business Impact Analysis | |
7 | End User Computing | EUC Policies and Procedures | |
 | | EUC Risk Management | |
8 | Electronic Banking | Risk Management of E-banking | |
 | | Reporting of Plan & Realization | |
9 | IT Internal Audit | IT Audit Reference | ME2 Monitor and Evaluate Internal Control | A.15.3 IS Audit considerations
 | | IT Audit conducted by other parties | |
 | | Internal Audit on other party services | |
 | | IT Internal Audit Review | | A.15 Compliance
10 | The use of IT Service provider | IT Outsourcing | DS2 Manage Third-Party Services |

Taken from anjar’s blog.

IT Security Taxonomy – Articles and Guidance on IT Security Issues

IT security is a topic that cannot be skipped if you are an IT system architect. By taking the existing level of security into account, you can design systems that are more secure and reliable.

Here are a few things you can start with to understand how important the discussion of IT security is:

1. Making information security everybody’s business!

http://www.noticebored.com/html/about_noticebored.html

2. The Psychology Behind Security
https://www.issa.org/images/upload/files/Sternberg-Psychology%20Behind%20Security.pdf

3. Improving Information Security! (an endless task) – By Dan Swanson
http://www.auditnet.org/articles/DSIA201006.htm (121 good security resources)

4. Improve IT Security: Educate Staff
In today’s healthcare environment, information security and protection of information assets are critical activities for all organizations. Information is the lifeblood of the organization and a vital business asset. IT systems connect every internal department of an organization and connect the enterprise to a myriad of suppliers, partners, and others on the outside, too.
http://www.ahia.org/audit_library/newperspectivesarchive/new_perspectives/2009/Spring2009/TheITPerspective_ImproveITSecurity_EducateStaffbyDanSwanson.pdf

5. Other Security Resources:

1. CERT has issued extensive guidance regarding information security. The CERT® Program is part of the Software Engineering Institute (SEI), a federally funded research and development center at Carnegie Mellon University.

a. Evaluating security risks, practices & insider threats.
http://www.cert.org/nav/index_green.html

b. Establishing a computer security incident response team (CSIRT).
http://www.cert.org/csirts/

c. Governing for Enterprise Security
(The PDF). http://www.cert.org/archive/pdf/05tn023.pdf

d. Governing for Enterprise Security
(Web Site). http://www.cert.org/governance/ges.html

e. The “build security in” initiative.
https://buildsecurityin.us-cert.gov/portal/

2. Management Guide (IS Security Auditing).
http://www.gao.gov/special.pubs/mgmtpln.pdf

3. A series of landmark reports published by The IIA.

a. Information Security Management and Assurance: A Call to Action for Corporate Governance.
www.theiia.org/download.cfm?file=22398

b. Information Security Governance: What Directors Need to Know.
www.theiia.org/download.cfm?file=7382

c. Building, Managing and Auditing Information Security.
www.theiia.org/download.cfm?file=33288

6. Information Security Awareness Readings:
– Building an Information Security Awareness Program (Mark Desman)
– Building an IT Security Awareness Program (NIST)
– True Value of Info. Security Awareness Program (Gary Hinson)
– Implementing User Security Awareness Training (Kelly Allison)
– Security Awareness—“Are Users Clued In”? (Robert Held)
– Security Awareness Training Program in Your Environment (Kelly Nichol)
– A Business Need for Information Security (Rebecca Herold)
– Security Awareness with Protecting Information (InformationShield)

7. Managing an Information Security Awareness Program (by Rebecca Herold).
http://www.rebeccaherold.com/

8. Internet and Computer Ethics for Kids (and Parents and Teachers Who Haven’t Got a Clue)
http://www.thesecurityawarenesscompany.com/Ethics.html

9. A Better Way of Motivating People
http://newsystemsthinking.com/article_details.asp?ID=29

10. Training and Awareness Articles
http://www.privacyguidance.com/etraining_awareness.html

11. Social Psychology and INFOSEC: Psycho-Social Factors in the Implementation of Information Security Policy
http://www.mekabay.com/infosecmgmt/Soc_Psych_INFOSEC.pdf

12. IT World Canada IT Security Resource Blog
http://blogs.itworldcanada.com/security/

Please enjoy these IT security resources.

Seven Characteristics of Companies that went from Good to Great

1. They had quiet, self-effacing leaders. People who had a “paradoxical blend” of humility and professional will. They were more like Lincoln and Socrates, Collins argued, than Patton or Caesar.
2. These leaders placed the highest priority on surrounding themselves with great people. Rather than focus on vision or strategy, they spent most of their time trying to “put the right people on the bus and get the wrong people off the bus.”
3. They embraced the “Stockdale paradox” – that you must accept and confront the worst facts of your situation while maintaining an unwavering faith that you can overcome them.
4. They found something they could do better than any other company in the world. Even if it meant abandoning their core concept and moving on to something else, they maintained that lofty standard.
5. They developed a corporate culture where employees were so committed to the company’s core values that disciplinary rules were not necessary.
6. They used technology to support their core values, not as the driving force of the business.
7. The process they used to make improvements was incremental, not revolutionary. It resembled “relentlessly pushing a giant heavy flywheel in one direction, turn upon turn, building momentum until a point of breakthrough and beyond.”