CobIT Overview

Control Objective for IT-related Technology (CobIT)

Premise

CobIT notes that "Successful organisations ensure interdependence between their strategic planning and their IT activities." The alignment of the IT service provider with organizational vision, goals and objectives is, therefore, crucial to success. These goals and objectives provide organizational direction which indicates requisite enterprise activities, using the enterprise’s resources. The results of the enterprise activities are measured and reported on, providing input to the constant revision and maintenance of the controls, beginning the cycle again.

The underpinning concept of the COBIT Framework is that control in IT is approached by looking at information that is needed to support the business objectives or requirements, and by looking at information as being the result of the combined application of IT-related resources that need to be managed by IT processes. To satisfy business objectives, information needs to conform to certain criteria, which COBIT refers to as business requirements for information.

The COBIT framework helps align IT with the business by focusing on business information requirements and organizing IT resources. COBIT provides the framework and guidance to implement IT Governance. An organization depends on reliable and timely data and information. COBIT components provide a comprehensive framework for delivering value while managing risk and control over data and information.

Elements

Reworking this logical flow results in the following framework..

A - Business Strategy

To satisfy business objectives, information needs to conform to certain criteria, which COBIT refers to as business requirements for information.

Service Quality and Cost - priority is directed at properly managing risks:
- The usability aspect of Quality is transcribes into the Effectiveness Information criterion.
- The delivery aspect of Quality was considered to overlap with the Availability aspect of the Security requirements and also to some extent Effectiveness and Efficiency.
- Cost is also considered covered by Efficiency.
Fiduciary Requirements - includes best practice areas and audit requirements^N:
- Effectiveness and Efficiency of operations
- Reliability of Information^N
- Compliance with laws and regulations
Security Requirements - world-wide agreement on three elements:
- Confidentiality
- Integrity
- Availability

B - Information Criteria

how IT is organized to meet those requirements.

Effectiveness - deals with information being relevant and pertinent to the business process as well as being delivered in a timely, correct, consistent and usable manner.
Efficiency - concerns the provision of information through the optimal (most productive and economical) use of resources.
Confidentiality - concerns the protection of sensitive information from unauthorised disclosure.
Integrity - relates to the accuracy and completeness of information as well as to its validity in accordance with business values and expectations.
Availability - relates to information being available when required by the business process now and in the future. It also concerns the safeguarding of necessary resources and associated capabilities.
Compliance - deals with complying with those laws, regulations and contractual arrangements to which the business process is subject, i.e., externally imposed business criteria.
Reliability of Information - relates to the provision of appropriate information for management to operate the entity and for management to exercise its financial and compliance reporting responsibilities.

C - IT Resources

a means to identify the resources required to execute processes.

Data - are objects in their widest sense (i.e., external and internal), structured and non-structured, graphics, sound, etc.)
Application Systems - are understood to be the sum of manual and programmed procedures.
Technology - covers hardware, operating systems, database management systems, networking, multimedia, etc.
Facilities - are all the resources to house and support information systems.
People - include staff skills, awareness and productivity to plan, organise, acquire, deliver, support and monitor information systems and services.

D - IT Processes

what stakeholders expect from IT.

Model consists of 34 processes organizaed in four primary domains:

Planning and Organization - covers strategy and tactics, and concerns the identification of the way IT can best contribute to the achievement of the business objectives. Furthermore, the realisation of the strategic vision needs to be planned, communicated and managed for different perspectives. Finally, a proper organisation as well as technological infrastructure must be put in place.
Acquisition and Implementation - identification, development, acquisition, implementation of IT solutions. ^N
Support and Delivery - actual delivery of required services, which range from traditional operations over security and continuity aspects to training. In order to deliver services, the necessary support processes must be set up.
Monitoring - regular assessment of processes for their quality and compliance with control requirements. This domain thus addresses management’s oversight of the organisation’s control process and independent assurance provided by internal and external audit or obtained from alternative sources.^N

CobIT Management Guidelines

CobIT Management Guidelines provide a mechanism to utilize the above framework to assess the operational characteristics of an organization. This model is based upon the following logic...

Governance over information technology and its processes with the business goal of adding value, while balancing risk versus return
ensures delivery of information to the business that addresses the required Information Criteria and is measured by Key Goal Indicators
is enabled by creating and maintaining a system of process and control excellence appropriate for the business that directs and monitors the business value delivery of IT
considers Critical Success Factors that leverage all IT Resources and is measured by Key Performance Indicator

Measure Description Generic Measures
Key Goal Indicators predefined measures that indicate if an IT process met its business requirements in terms of the relevant information criteria. KGIs are lag indicators and they indicate if we achieved our objectives.

Enhanced performance and cost management
Improved return on major IT investments
Improved time to market
Increased quality, innovation and risk management
Appropriately integrated and standardised business processes
Reaching new and satisfying existing customers
Availability of appropriate bandwidth, computing power and IT delivery mechanisms
Meeting requirements and expectations of the customer of the process on budget and on time
Adherence to laws, regulations, industry standards and contractual commitments
Transparency on risk taking and adherence to the agreed organisational risk profile
Benchmarking comparisons of IT governance maturity
Creation of new service delivery channels

Key Performance Indicators predefined measures that determine how well the IT process enables the goal to be achieved. They indicate whether or not a goal is likely to be achieved, and are good indicators of capabilities, practices, and skills. KPIs are lead indicators used to measure our progress towards our goal.

Improved cost-efficiency of IT processes (costs vs. deliverables)
Increased number of IT action plans for process improvement initiatives
Increased utilisation of IT infrastructure
Increased satisfaction of stakeholders (survey and number of complaints)
Improved staff productivity (number of deliverables) and morale (survey)
Increased availability of knowledge and information for managing the enterprise
Increased linkage between IT and enterprise governance
Improved performance as measured by IT balanced scorecards

Critical Success Factors highlight important issues or actions for management to achieve control over IT processes. CSFs are generally management-oriented implementation guidelines. They identify the most important factors from strategic, technical, organizational, or procedural perspectives.

IT governance activities are integrated into the enterprise governance process and leadership behaviours
IT governance focuses on the enterprise goals, strategic initiatives, the use of technology to enhance the business and on the availability of sufficient resources and capabilities to keep up with the business demands
IT governance activities are defined with a clear purpose, documented and implemented, based on enterprise needs and with unambiguous accountabilities
Management practices are implemented to increase efficient and optimal use of resources and increase the effectiveness of IT processes
Organisational practices are established to enable: sound oversight; a control environment/culture; risk assessment as standard practice; degree of adherence to established standards; monitoring and follow up of control deficiencies and risks
Control practices are defined to avoid breakdowns in internal control and oversight
There is integration and smooth interoperability of the more complex IT processes such as problem, change and configuration management
An audit committee is established to appoint and oversee an independent auditor, focusing on IT when driving audit plans, and review the results of audits and third-party reviews.

Maturity Models are a method of measuring proficiency so that an organization can make a systematic attempt to improve. This approach is derived from the Maturity Model defined by the Software Engineering Institute for the maturity of software development capabilities.

Non-existent: There is a complete lack of any recognisable IT governance process. The organisation has not even recognised that there is an issue to be addressed and hence there is no communication about the issue.
Initial /Ad Hoc: There is evidence that the organisation has recognised that IT governance issues exist and need to be addressed. There are, however, no standardised processes, but instead there are ad hoc approaches applied on an individual or case-by-case basis. Management’s approach is chaotic and there is only sporadic, nonconsistent communication on issues and approaches to address them. There may be some acknowledgement of capturing the value of IT in outcome-oriented performance of related enterprise processes. There is no standard assessment process. IT monitoring is only implemented reactively to an incident that has caused some loss or embarrassment to the organisation.
Repeatable but Intuitive: There is global awareness of IT governance issues. IT governance activities and performance indicators are under development, which include IT planning, delivery and monitoring processes. As part of this effort, IT governance activities are formally established into the organisation’s change management process, with active senior management involvement and oversight. Selected IT processes are identified for improving and/or controlling core enterprise processes and are effectively planned and monitored as investments, and are derived within the context of a defined IT architectural framework. Management has identified basic IT governance measurements and assessment methods and techniques, however, the process has not been adopted across the organisation. There is no formal training and communication on governance standards and responsibilities are left to the individual. Individuals drive the governance processes within various IT projects and processes. Limited governance tools are chosen and implemented for gathering governance metrics, but may not be used to their full capacity due to a lack of expertise in their functionality.
Defined Process: The need to act with respect to IT governance is understood and accepted. A baseline set of IT governance indicators is developed, where linkages between outcome measures and performance drivers are defined, documented and integrated into strategic and operational planning and monitoring processes. Procedures have been standardised, documented and implemented. Management has communicated standardised procedures and informal training is established. Performance indicators over all IT governance activities are being recorded and tracked, leading to enterprise-wide improvements. Although measurable, procedures are not sophisticated, but are the formalisation of existing practices. Tools are standardised, using currently available techniques. IT Balanced Business Scorecard ideas are being adopted by the organization. It is, however, left to the individual to get training, to follow the standards and to apply them. Root cause analysis is only occasionally applied. Most processes are monitored against some (baseline) metrics, but any deviation, while mostly being acted upon by individual initiative, would unlikely be detected by management. Nevertheless, overall accountability of key process performance is clear and management is rewarded based on key performance measures.
Managed and Measurable: There is full understanding of IT governance issues at all levels, supported by formal training. There is a clear understanding of who the customer is and responsibilities are defined and monitored through service level agreements. Responsibilities are clear and process ownership is established. IT processes are aligned with the business and with the IT strategy. Improvement in IT processes is based primarily upon a quantitative understanding and it is possible to monitor and measure compliance with procedures and process metrics. All process stakeholders are aware of risks, the importance of IT and the opportunities it can offer. Management has defined tolerances under which processes must operate. Action is taken in many, but not all cases where processes appear not to be working effectively or efficiently. Processes are occasionally improved and best internal practices are enforced. Root cause analysis is being standardised. Continuous improvement is beginning to be addressed. There is limited, primarily tactical, use of technology, based on mature techniques and enforced standard tools. There is involvement of all required internal domain experts. IT governance evolves into an enterprise-wide process. IT governance activities are becoming integrated with the enterprise governance
Optimised: There is advanced and forward-looking understanding of IT governance issues and solutions. Training and communication is supported by leadingedge concepts and techniques. Processes have been refined to a level of external best practice, based on results of continuous improvement and maturity modeling with other organisations. The implementation of these policies has led to an organisation, people and processes that are quick to adapt and fully support IT governance requirements. All problems and deviations are root cause analysed and efficient action is expediently identified and initiated. IT is used in an extensive, integrated and optimised manner to automate the workflow and provide tools to improve quality and effectiveness. The risks and returns of the IT processes are defined, balanced and communicated across the enterprise. External experts are leveraged and benchmarks are used for guidance. Monitoring, selfassessment and communication about governance expectations are pervasive within the organisation and there is optimal use of technology to support measurement, analysis, communication and training. Enterprise governance and IT governance are strategically linked, leveraging technology and human and financial resources to increase the competitive advantage of the enterprise.

Governance over information technology and its processes with the business goal of adding value, while balancing risk versus return
	ensures delivery of information to the business that addresses the required Information Criteria and is measured by Key Goal Indicators
		is enabled by creating and maintaining a system of process and control excellence appropriate for the business that directs and monitors the business value delivery of IT
			considers Critical Success Factors that leverage all IT Resources and is measured by Key Performance Indicator

Measure	Description	Generic Measures
Key Goal Indicators	predefined measures that indicate if an IT process met its business requirements in terms of the relevant information criteria. KGIs are lag indicators and they indicate if we achieved our objectives.	Enhanced performance and cost management Improved return on major IT investments Improved time to market Increased quality, innovation and risk management Appropriately integrated and standardised business processes Reaching new and satisfying existing customers Availability of appropriate bandwidth, computing power and IT delivery mechanisms Meeting requirements and expectations of the customer of the process on budget and on time Adherence to laws, regulations, industry standards and contractual commitments Transparency on risk taking and adherence to the agreed organisational risk profile Benchmarking comparisons of IT governance maturity Creation of new service delivery channels
Key Performance Indicators	predefined measures that determine how well the IT process enables the goal to be achieved. They indicate whether or not a goal is likely to be achieved, and are good indicators of capabilities, practices, and skills. KPIs are lead indicators used to measure our progress towards our goal.	Improved cost-efficiency of IT processes (costs vs. deliverables) Increased number of IT action plans for process improvement initiatives Increased utilisation of IT infrastructure Increased satisfaction of stakeholders (survey and number of complaints) Improved staff productivity (number of deliverables) and morale (survey) Increased availability of knowledge and information for managing the enterprise Increased linkage between IT and enterprise governance Improved performance as measured by IT balanced scorecards
Critical Success Factors	highlight important issues or actions for management to achieve control over IT processes. CSFs are generally management-oriented implementation guidelines. They identify the most important factors from strategic, technical, organizational, or procedural perspectives.	IT governance activities are integrated into the enterprise governance process and leadership behaviours IT governance focuses on the enterprise goals, strategic initiatives, the use of technology to enhance the business and on the availability of sufficient resources and capabilities to keep up with the business demands IT governance activities are defined with a clear purpose, documented and implemented, based on enterprise needs and with unambiguous accountabilities Management practices are implemented to increase efficient and optimal use of resources and increase the effectiveness of IT processes Organisational practices are established to enable: sound oversight; a control environment/culture; risk assessment as standard practice; degree of adherence to established standards; monitoring and follow up of control deficiencies and risks Control practices are defined to avoid breakdowns in internal control and oversight There is integration and smooth interoperability of the more complex IT processes such as problem, change and configuration management An audit committee is established to appoint and oversee an independent auditor, focusing on IT when driving audit plans, and review the results of audits and third-party reviews.
Maturity Models	are a method of measuring proficiency so that an organization can make a systematic attempt to improve. This approach is derived from the Maturity Model defined by the Software Engineering Institute for the maturity of software development capabilities.	Non-existent: There is a complete lack of any recognisable IT governance process. The organisation has not even recognised that there is an issue to be addressed and hence there is no communication about the issue. Initial /Ad Hoc: There is evidence that the organisation has recognised that IT governance issues exist and need to be addressed. There are, however, no standardised processes, but instead there are ad hoc approaches applied on an individual or case-by-case basis. Management’s approach is chaotic and there is only sporadic, nonconsistent communication on issues and approaches to address them. There may be some acknowledgement of capturing the value of IT in outcome-oriented performance of related enterprise processes. There is no standard assessment process. IT monitoring is only implemented reactively to an incident that has caused some loss or embarrassment to the organisation. Repeatable but Intuitive: There is global awareness of IT governance issues. IT governance activities and performance indicators are under development, which include IT planning, delivery and monitoring processes. As part of this effort, IT governance activities are formally established into the organisation’s change management process, with active senior management involvement and oversight. Selected IT processes are identified for improving and/or controlling core enterprise processes and are effectively planned and monitored as investments, and are derived within the context of a defined IT architectural framework. Management has identified basic IT governance measurements and assessment methods and techniques, however, the process has not been adopted across the organisation. There is no formal training and communication on governance standards and responsibilities are left to the individual. Individuals drive the governance processes within various IT projects and processes. Limited governance tools are chosen and implemented for gathering governance metrics, but may not be used to their full capacity due to a lack of expertise in their functionality. Defined Process: The need to act with respect to IT governance is understood and accepted. A baseline set of IT governance indicators is developed, where linkages between outcome measures and performance drivers are defined, documented and integrated into strategic and operational planning and monitoring processes. Procedures have been standardised, documented and implemented. Management has communicated standardised procedures and informal training is established. Performance indicators over all IT governance activities are being recorded and tracked, leading to enterprise-wide improvements. Although measurable, procedures are not sophisticated, but are the formalisation of existing practices. Tools are standardised, using currently available techniques. IT Balanced Business Scorecard ideas are being adopted by the organization. It is, however, left to the individual to get training, to follow the standards and to apply them. Root cause analysis is only occasionally applied. Most processes are monitored against some (baseline) metrics, but any deviation, while mostly being acted upon by individual initiative, would unlikely be detected by management. Nevertheless, overall accountability of key process performance is clear and management is rewarded based on key performance measures. Managed and Measurable: There is full understanding of IT governance issues at all levels, supported by formal training. There is a clear understanding of who the customer is and responsibilities are defined and monitored through service level agreements. Responsibilities are clear and process ownership is established. IT processes are aligned with the business and with the IT strategy. Improvement in IT processes is based primarily upon a quantitative understanding and it is possible to monitor and measure compliance with procedures and process metrics. All process stakeholders are aware of risks, the importance of IT and the opportunities it can offer. Management has defined tolerances under which processes must operate. Action is taken in many, but not all cases where processes appear not to be working effectively or efficiently. Processes are occasionally improved and best internal practices are enforced. Root cause analysis is being standardised. Continuous improvement is beginning to be addressed. There is limited, primarily tactical, use of technology, based on mature techniques and enforced standard tools. There is involvement of all required internal domain experts. IT governance evolves into an enterprise-wide process. IT governance activities are becoming integrated with the enterprise governance Optimised: There is advanced and forward-looking understanding of IT governance issues and solutions. Training and communication is supported by leadingedge concepts and techniques. Processes have been refined to a level of external best practice, based on results of continuous improvement and maturity modeling with other organisations. The implementation of these policies has led to an organisation, people and processes that are quick to adapt and fully support IT governance requirements. All problems and deviations are root cause analysed and efficient action is expediently identified and initiated. IT is used in an extensive, integrated and optimised manner to automate the workflow and provide tools to improve quality and effectiveness. The risks and returns of the IT processes are defined, balanced and communicated across the enterprise. External experts are leveraged and benchmarks are used for guidance. Monitoring, selfassessment and communication about governance expectations are pervasive within the organisation and there is optimal use of technology to support measurement, analysis, communication and training. Enterprise governance and IT governance are strategically linked, leveraging technology and human and financial resources to increase the competitive advantage of the enterprise.