1. Information Technology Management (ITM101)
Week 02: IT Standards & Governance
Matthew W. Stephan: CISM, CISSP, CGEIT, CRISC, PMP

2. Governance?
Corporate Governance: Leadership by corporate directors in creating and presenting value for all stakeholders IT Governance: Subset of the Corporate Governance framework tasked with ensuring the alignment of IT with enterprise objectives
IT governance aims to ensure that expectations for IT are met and IT risks are mitigated.

3. IT Governance

4. Why is IT Governance a ‘Hot Topic’?
Increased sensitivity to protecting stakeholder interests
Shareholders (see: Sarbanes Oxley)
Consumers (see: HIPAA)
Suppliers (see: PCI)
This is what you will find by googling ‘IT Governance’ or looking it up on Wikipedia. Auditors should be very familiar will all of these. Businesses are under more and more legal / regulatory pressure to properly protect and use information assets in their possession. However, this is definitely not everything.

5. Forces Driving Governance
Business/IT Alignment ROI
Compliance
Project Execution
Security

6. Other ‘Non-Regulatory’ Reasons…
Recognized need for tight business linkage
Strategic Alignment
Value Delivery
Resource Management
Risk Management
Performance Management
Effective Management of Outsourced IT Suppliers
Relationship Management
Financial Management
Contract Management
Recognized need - businesses with strong IT governance are more likely to achieve their objectives.
All of these from CobiT
• Strategic alignment focuses on ensuring the linkage of business and IT plans; defining, maintaining and validating the IT value proposition; and aligning IT operations with enterprise operations.
• Value delivery is about executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimising costs and proving the intrinsic value of IT.
• Resource management is about the optimal investment in, and the proper management of, critical IT resources: applications, information, infrastructure and people. Key issues relate to the optimisation of knowledge and infrastructure.
• Risk management requires risk awareness by senior corporate officers, a clear understanding of the enterprise’s appetite for risk, understanding of compliance requirements, transparency about the significant risks to the enterprise and embedding of risk management responsibilities into the organisation.
• Performance measurement tracks and monitors strategy implementation, project completion, resource usage, process performance and service delivery, using, for example, balanced scorecards that translate strategy into action to achieve goals measurable beyond conventional accounting.

7. Definitions

8. IT Governance Definitions
IIA International Professional Practices Framework:
[IT Governance] Consists of the leadership, organizational structures and processes that ensure that the enterprise’s information technology sustains and extends the organization’s strategies and objectives.
[IT Controls] Controls that support business management and governance as well as provide general and technical controls over information technology infrastructures such as applications, information, infrastructure, and people.
[Governance] The combination of processes and structures implemented by the board to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives.

9. Definition of IT Governance From COBIT
IT Governance is the responsibility of executives and the board of directors, and consists of the leadership, organizational structures and processes that ensure that the enterprise’s IT sustains and extends the organization’s strategies and objectives.
CobiT definition combines elements of the IIA definitions

10. Common Framework Structure

11. Governance: High Level View
The business of running IT vs. running the technology
Setting the rules and assuring they are followed
An ethical responsibility to stakeholders
Principal - business
Commonwealth - people
Each other - reputation

12. IT Governance Objectives
The purpose of IT governance is to direct IT endeavors and that IT is aligned with business objectives. Ideally:
Governance should be a top-down process
Linkages to business process and strategy exist for all actions
Information in oral, paper, and electronic forms
Governance transcends physical boundaries
Through governance, acceptable practices, policies, and procedures are established
Business Drivers
Internal Environment
Entrustment Framework
Decision Model and Framework
Value Realization and Delivery Framework
Performance Management
Value Management

13. Responsibility for IT Governance
Management Board
Information Security Steering Committee
Responsibility:
IT governance is the responsibility of the board of directors and executive management.
Integral part of enterprise governance
Consists of the leadership and organizational structures and processes that ensure that the organization's IT sustains and extends the organization's strategies and objectives.
Sub-Committees:
Architecture, Security, etc.
The foundation of a successful information security program begins with strong upper-level management support.
This support establishes a focus on security within the highest levels of the organization.
Without a solid foundation (i.e., proactive support of those persons in positions that control IT resources), the effectiveness of the security program can fail when pressured by politics and budget limitations.
Any information security program must get its direction from executive management.
The requirements of today’s laws and regulations have identified either the organization’s board of directors or an executive management steering committee as responsible for instituting an effective program.
Service Delivery & Functional Operation Management Teams
Applications
Systems
Operations
Networks
Desktop

14. IT Governance: COBIT Focus Areas
Strategic Alignment
Value Delivery
Resource Management
Risk Management
Performance Measurement
We have seen these before.

15. Focus Areas of IT Governance
Five main focus areas for IT governance, all driven by stakeholder value.
Stakeholder Value Drivers
IT Value Delivery
Risk Management
Performance Management
IT Strategic Alignment
IT Resource Management
Two are outcomes:
Value delivery
Risk management.
Three are drivers:
Strategic alignment
Performance measurement
Resource management (which overlays them all)

16. Security Strategy: Elements & Controls
5 Key Security Strategy Elements
Element #
Element Name 1
Policies 2
Procedures 3
Authentication 4
Authorization 5
Recovery Plan
4 Key Control Elements
Element #
Element Name 1
Preventive 2
Detective 3
Containment 4
Recovery
An effective security strategy requires at a minimum five key elements:
policies,
procedures,
authentication,
authorization, and
recovery plan because people have a tendency to wipe things out inadvertently.
Estimated that 65% of information loss still comes from errors and omissions.
So you have to have a recovery plan to be able to recover the information as you go through the process.
An effective security function requires a well-administered security and privacy policy meaning that not only do we have the written word but that you check it from time to time to make sure it continues to meet the goals and objectives of an organization and that it can be marked through this post development life cycle.
Security strategy must become part of the business and System Development Life Cycle (SDLC). I prefer business process life cycle because the things that we implement in this controlled environment are such that it’s not just for information technology; it is for the entire organization.
It’s a business process because all of those things that we have to do in developing systems and applications are to be done whenever we have a project or business process that is to be developed.
Information is not the IT purview.
Information is a corporate activity and corporate function and should not be part of IT.

17. Security Program Infrastructure
Measuring Maturity
Security Program Infrastructure
Maturity Level
Description
Level 1
Control objectives have been documented in a policy
Level 2
Security control processes have been documented in procedures
Level 3
Supporting procedures have been implemented (stakeholders
have been made aware and trained)
Level 4
Policies, procedures and controls are tested and reviewed to
ensure continued adequacy
Level 5
Procedures and controls are fully integrated into the culture of the organization
All security decisions must be linked to the organization’s business objectives or mission statement.
As with other organization wide policies, the information security program must be established by the implementation of a Global or Tier 1 policy.
This type of policy is organization wide and requires that all areas of the organization comply with the policy.
To be successful, the security and privacy policies and procedures must have three key elements. They must be:
Documented
Communicated
Current
To supplement an information security policy, the organization
must offer awareness programs, user training, and support education.
Information security’s goal is not to stop all access to all
information but to provide a safe and secure process for all authorized personnel to gain access. The information strategy must, therefore, address three key concepts:
Identification
Authentication
Authorization

18. IT Governance Frameworks
ISO Family (1799, 20000, 27001)
International Standard Organization’s Security Management Standards
Framework of standards that provide best practices for information security management
ITIL
IT Infrastructure Library
Best practices framework drawn from the public and private sectors internationally
COSO
Committee of Sponsoring Organizations of the Treadway Commission
Organization dedicated to financial reporting through business ethics, internal controls, and corporate governance
COBIT
Control Objectives for Information and related Technology
Framework and supporting toolset to bridge the gap between control requirements, technical issues, and business risks
FISMA
Federal Information Security Management Act of 2002
Mandatory set of processes required by legislation for US federal information systems
OCTAVE
Operationally Critical Threat, Asset, and Vulnerability Evaluation
Risk based strategic assessment and planning technique for security
CMMI
Capability Maturity Model Integration
An approach to governance based on process maturity

19. Clear Business Ownership and Direction
Alignment of Business and IT Objectives (CobiT 4.1 ‘Framework’)
Enterprise Strategy
Business Goals for IT
IT Goals
Enterprise Architecture for IT
IT Scorecard
Flow is from the top to the bottom, and then repeat. The Enterprise Strategy creates Business Goals for IT, which then are codified into IT Goals and Enterprise Architecture for IT. IT progress is tracked on a scorecard, which then can feed into the Enterprise Strategy.

20. Linking Technical and Business Risk
Risk is the ‘lingua franca’ of business.
Management needs to be able to compare IT Risks with other risks.
IT Governance must do an effective job of translating technical risks to business risks.
Originally lingua Franca (or Sabir) referred to a mixed language composed mostly of Italian with a broad vocabulary drawn from Persian, French, Greek and Arabic. Lingua Franca literally means "Frankish language". This originated from the Arabic custom of referring to all Europeans as Franks. This mixed language was used for communication throughout the medieval and early modern Middle East[citation needed] as a diplomatic language;
Work with the board to define the enterprise’s appetite for IT risk, and obtain reasonable assurance that IT risk management practices are appropriate to ensure that the actual IT risk does not exceed the board’s risk appetite. Embed risk management responsibilities into the organisation, ensuring that the business and IT regularly assess and report IT-related risks and their impact and that the enterprise’s IT risk position is transparent to all stakeholders.

21. Linking Technical and Business Risk
Technical Risk
Incidents resulting from Changes
Equipment Age
Audit Scores
Information Security Incidents
Overdue Controls Issues
Business Exposures
Disruptions to Critical Business Processes (i.e.: Orders to Cash)
Compromise Company Reputation
Compromise Company Secrets
Organizational Capacity / Health
Financial Goals May not be Met
This is a partial list of Technical Risks. What is not necessarily clear in CobiT is the need to translate into your own Company business risk lingua franca. This allows risks to be compared. As with other Governance skills, to the extent you can speak the lingua franca, and to the extent you fundamentally understand the risks of other parts of the business, you can be more effective at making the case to invest in IT to reduce either IT risk or business risk.
The business exposures is also a partial list. Connections between the right column and the left column depend on the nature of your own business.

22. IT Governance in a Sourced Environment

23. IT Governance in a Sourced Environment
Business Strategy and Processes
IT Governance
Commercial
Relationship
Commercial
Relationship
Suppliers’ IT Strategy and Processes
Instead of your own internal IT Strategy and Process, you now run on Strategies and Processes which are to some extent out of your control. A strong commercial relationship is needed to assure business Strategies and Processes are met - which is just what IT Governance is all about.
Strategic Alignment
Value Delivery
Resource Management
Risk Management
Performance Measurement

24. Considerations in a Sourced Environment
Sourcing Strategy
Contract Management
Finance Management
Relationship Management
Performance Management

25. Sourcing Strategy Part of IT Strategic Plan
Inventory of critical Supplier relationships
Update based on changes to Business, IT or Supplier Strategies
May contain intervention plans
Key word in this is ‘Strategy’ - the biggest risks are the ones that are strategic, as they generally have the most downside risk. And the IT Strategic Plan had better be part of the Business Strategic Plan!
Inventory should include all supplier relationships that are critical to the business, how they inter-relate, whether a supplier is on the ascendency or not, opportunities for substitution, etc.
MUST be sensitive to and in touch with Strategy changes. Is IT becoming more / less strategic to the business? Is IT moving toward a shared services environment or not? Is a Supplier making strategic changes in the way they offer services?
Intervention plans are needed in the case something goes ‘sproing’.

26. Contract Management Initial negotiation and in-life change management
Defines Services/Quality
Defines ownership of Intellectual Property
Compliance with Law and Policy
Audit Rights
Contract management is all about imagining situations you may get caught in sometime in the future, and attempting to address them in advance.
Depending on the nature of the relationship, services can be defined either very tightly (short term agreement, commodity deliverables) or somewhat loosely (longer term agreement, non-commodity deliverables). Which party benefits from Moore’s Law?

27. Contract Change Management
Required by either changing business needs or to address ambiguity.
Should be viewed as a negotiation.
Each party will attempt to get concessions not previously obtained - value is at risk
Depend on Relationship Management for smaller changes to avoid this risk
Process is managed by the Contract Owner - remember Clear Business Ownership!
All large agreements have an inherent level of ambiguity. It is NOT possible to tie down each and every loose end in a complex deal - this risks deadlock. And there is some part of ‘you don’t know what you don’t know’.
Contract changes should be viewed as a continuation of the original negotiations and or preparation for deal renewal. Each party will attempt to get concessions.
Many contract changes are routine.
Avoid risk by having a contract change process agreed before you need to use it.

28. Intellectual Property
Supplier IP may be used to deliver efficiencies ($)
However, use of Supplier IP may limit sourcing flexibility.
Who owns process ‘know-how’ and does this change over time?
What risk does this represent?
Lawyers may refer to IP as “Customer Data” or “Customer Developed Materials” or similar. There is a balance here. On the one hand, you may want to leverage Supplier’s ability to spread fixed costs across multiple Customers - this may be the only way Supplier has to provide Services at the agreed cost. On the other hand, you do NOT want to be in a lock-in situation.

29. Intellectual Property Mitigations
Inventory, inventory, inventory
IT processes supporting the business
Materials (documents, rights, etc.)
Risk Management discussion with business
Seek legal help
Follow up!
Best mitigation is the result of good IT governance. This is why you should have a fundamental understanding and documentation of the critical business processes IT supports, and what information flow, IT infrastructure, and IT processes are associated with those critical business processes. To the extent you don’t know, there is an exposure (see risk management).
Once everything is documented, don’t stop! If you abandon the inventory and documentation to the Supplier, then you risk it becoming theirs, even if the agreement says otherwise.

30. Audit Rights Business requirements drive specifics.
Must be in the initial contract
For supplier shared services, SAS70 Type II
Audit rights should be unlimited and at no cost.
This is another area where the process inventory comes in handy. That will help you determine what the business risks really are, and therefore the level of assurance that is needed. You must get the language right in the initial agreement, as anything afterwards will likely cost you money.
Suppliers can and do use third party assessments (SAS70 Type II, ISO certifications). These are NOT the same and you need to determine if and how these can be ‘fit’ into your overall controls environment.
Suppliers should also be obligated to communicate ANY controls weakness they identify that could in any way affect the Customer environment. This is hard to get, but worth it.

31. Finance Management Service receipt Credits Incentives
Deal financials reporting
Invoice Verification
Service receipt
Credits
Incentives
Internal cost recovery

32. Finance Management
This is THE PLACE to receive an independent confirmation of IT value delivery.
Budgets are a very unforgiving reality check!
If you don’t know your finance people, get to know them now. They know how budgets work, how money flows within your business, where there is flexibility, etc. Powerful stuff.

33. Relationship Management
Overall Supplier management
Monitor business needs
Communication Forums
Issue Management
Risk Management
Project Management
Relationship Management is where it all comes together in assuring the health of the Customer - Supplier Relationship. This area is tasked with routinely polling the business to determine the satisfaction with Supplier services. ‘Satisfaction’ here is more of a squishy, qualitative measure that may be used to confirm (or not) the quantitative measures of Performance Management.
Communications forums depend on the nature of the deal. The more strategic, the more likely there will be ‘top to top’ executive level meetings in addition to routine business management and service delivery meetings.
All Issues (contract change interpretation requests, disputes, etc.) are managed here.
Importantly, there is a risk management connection here. The overall risk (contract, performance, financial, relationship) is monitored here and used both with the internal ERM processes as well as for Supplier dialog.
Lastly, Project Management is here, as the PMO sets the rules by with other areas operate.

34. Risk Management
IT Governance process to evaluate Supplier Financial, Service Delivery, Relationship and Information Security risks in total.
As before, there may be a translation here from technical risk to business risk.
Can use Probability x Business Impact as the metric. The business should supply the Impact.
This can be a powerful tool to use with Suppliers. They speak the lingua franca as well.
This Relationship Management process is the linkage from the IT risk space (technical risk, financial risk, service delivery risk) to the Enterprise Risk Management space. There are specific added risks such as Supplier Financial viability.

35. Project Management Good Project Management helps assure value delivery
Define ‘project’ vs. ‘daily work’ in the contract.
Has linkages to Finance Management (paying Project costs), Service Delivery (assuring Project deliverables)
NPS
Project Management in this case sets the rules that other parts of the organization follow. It is critically important to know what you may already be paying for as part of the ‘daily work’ part of your agreement. Otherwise, you risk paying twice, once as daily work, another time as project effort. It is not assured the Supplier resources developing project responses are as familiar with your overall agreement as, say, the contract manager.

36. Performance Management
Aligning Service Delivery Requirements
Managing and Reporting against SLAs
Management of individual projects
Work prioritization
Aligning Service Delivery Requirements includes adjustments as needed when business requirements change. Can be in terms of system availability, but can also be in terms of security, business continuity, and disaster recovery. Extra special bonus points here for describing Service Delivery in terms of business process terms (i.e.: business process availability, business process interruptions.
SLAs in a sourced environment are generally, but not always, subject to financial performance credits. Not penalties, but credits. The goal is to have an SLA structure than continually encourages good performance.
Management of individual projects vs. Project Management. This includes verification that the services were received / performed as specified, tracking milestones, etc. PMO sets the rules, service delivery executes against the rules.
Work Prioritization - generally an issue for Daily Work as no Supplier has infinite capacity. You didn’t have infinite capacity when the area was in-sourced either. Work with the business to determine what can be put off, what needs to be done now. Alternatively, contract for short term capacity.

37. An Audit Checklist for IT Governance
NOTE: Should be 30 Minutes into the presentation at this point.
This is going to be a VERY short review of some very high level watch-outs. If IT Governance is a hot topic, can auditing of IT Governance be far behind as a hot topic. MISTI has a day long webcast on the topic. However, it is geared to IT Auditors....

38. IT Governance Audit Planning
Audit Team Composition
Audit Criteria
Learnings from the Balanced Scorecard Approach

39. Audit Team Composition
Leadership - Business or IT?
Audit Supervision and Auditor in Charge Independence is a must
Beware setting up an audit team that may reflect corporate IT Governance issues
Consider sourcing knowledgeable auditors
There are a number of risks that must be considered when setting up an IT Governance audit team as IT Governance effectiveness depends in large part on how well it straddles a line between business and IT, as we have described. If IT Governance is the responsibility of the Board and the Executives - then politics are in play.
Managing the audit out of the IT side of the internal audit activity may mean the audit supervisor or AIC may be asked to provide and defend findings related to IT Management - people that could in theory affect the IT Auditor’s career, depending on how your shop is set up. Alternatively, a business audit supervisor or AIC may not have an appreciation for IT.
Bottom line, if there are corporate culture or tone issues that affect IT Governance, the same culture or tone issues may affect an internal audit team.

40. IT Governance Audit Criteria / Standards
IIA Governance Auditing Standards
ISACA / ITGI IT Governance Auditing Guidelines
ITGI Risk IT Framework
ITGI Val IT Framework
<< Insert your Company business policies here >>
Important consideration here is to assure you meet the IIA IPPF requirement to either have corporate policy regarding IT Governance that has already been deployed or agree on the Criteria to be used prior to beginning the audit.
Criteria and Standards MUST cover corporate compliance. For example, SOX requirements that system changes are performed in accordance with management intent. See ITIL Change and Configuration Management.

41. Learnings from the Balanced Scorecard
Consider IT Governance from various business points of view (1)
Corporate
Customer
Operational Excellence
Future / Sustainability
This is a novel concept. Evaluate IT Governance in terms of how other parts of the business see it (corporate, customer), how well IT is delivering (Operational Excellence) and whether the operation is really sustainable. Source as shown.
1. “Measuring and Improving IT Governance Through the Balanced Scorecard”
Information Systems Control Journal, Volume 2, 2005

42. Balanced Scorecard: Corporate View
Objective
Example Metrics
Business/ IT Alignment
Operational budget approval
Value Delivery
Business Unit Performance
Cost Management
Attainment of expense and recovery targets
Risk Management
Results of Internal Audits
Intercompany Synergy
Single System Solutions

43. Balanced Scorecard: Customer View
Objective
Example Metrics
Customer Satisfaction
Business Unit Survey ratings
Competitive Costs
Attainment of unit cost targets
Development Performance
Major Project Scores
Operational Performance
Attainment of targeted levels

44. Balanced Scorecard: Operational View
Objective
Example Metrics
Development Process
Function Point Measures
Operational process
Change Management effectiveness
Process Maturity
Level of IT Processes
Enterprise Architecture
State of the infrastructure assessment

45. Balanced Scorecard: Future View
Objective
Example Metrics
Human Resource Management
Staff Turnover
Employee Satisfaction
Satisfaction survey scores
Knowledge Management
Implementation of learned lessons

46. CobIT as a RoadMap to IT Governance

47. COBIT as a RoadMap to IT
Globally standard released as a set of tools that ensures IT is working effectively
Functions as an overarching framework
Provides common language to communicate goals, objectives and expected results to all stakeholders
Based on, and integrates, industry standards and good practices in:
Strategic alignment of IT with business goals
Value delivery of services and new projects
Risk management
Resource management
Performance measurement
The COBIT mission is to research, continually update, publicise and promote an authoritative, internationally accepted IT governance control framework for adoption by enterprises and day-to-day use by business managers, IT professionals and assurance professionals. Now in its 4.1 release, the framework has been used successfully by IT organisations and business executives in many industries and of many sizes. COBIT provides a common language to communicate goals, objectives and expected results. A common language benefits all levels of IT, including management and stakeholders.

48. COBIT:Processes, Goals and Metrics
Relationship Amongst Process, Goals and Metrics (DS5)
The chart illustrates the relationship between the business, IT, process and activity goals, and the different metrics. From top left to top right, the goals cascade is illustrated. Below the goal is the outcome measure for the goal. The small arrow indicates that the same metric is a performance indicator for the higher-level goal.
The example provided is from DS5 Ensure systems security. COBIT provides metrics only up to the IT goals outcome as delineated by the dotted line. While they are also performance indicators for the business goals for IT, COBIT does not provide business goal outcome measures.
The metrics have been developed with the following characteristics in mind:
• A high insight-to-effort ratio (i.e., insight into performance and the
achievement of goals as compared to the effort to capture them)
• Comparable internally (e.g., percent against a base or numbers over time)
• Comparable externally irrespective of enterprise size or industry
• Better to have a few good metrics (may even be one very good one
that could be influenced by different means) than a longer list of
lower-quality metrics
• Easy to measure, not to be confused with targets

49. Defined Responsibilities for Each Process
RACI Chart
A RACI chart identifies who is Responsible, Accountable, Consulted and/or Informed.
Functions
Activities
Link business goals to IT goals. C I
A/R
Identify critical dependencies and current performance. R
Build an IT strategic plan. A
Build IT tactical plans.
Analyze program portfolios and manage project and service portfolios.
COBIT also provides information on what processes should be delegated and to whom they should be delegated. This helps to ensure that IT processes are being managed at the appropriate level within an enterprise. The ‘RACI’ Chart is defined for each process and indicates who is responsible, accountable, consulted or should be informed about specific tasks within a given process.
The roles in the RACI chart are categorized for all processes as:
• Chief executive officer (CEO)
• Chief financial officer (CFO)
• Business executives
• Chief information officer (CIO)
• Business process owner
• Head operations
• Chief architect
• Head development
• Head IT administration (for large enterprises, the head of functions such
as human resources, budgeting and internal control)
• The project management officer (PMO) or function
• Compliance, audit, risk and security (groups with control responsibilities
but not operational IT responsibilities)

50. The COBIT Framework
Let’s take a closer look at the COBIT framework. COBIT defines IT activities in a generic process model within four domains along with a set of information criteria. The four domains are: Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate. The domains map to IT’s traditional responsibility areas of plan, build, run and monitor. The COBIT framework provides a reference process model and common language for everyone in an enterprise to view and manage IT activities. Incorporating an operational model and a common language for all parts of the business involved in IT is one of the most important and initial steps towards good governance. It also provides a framework for measuring and monitoring IT performance, communicating with service providers and integrating best management practices. A process model encourages process ownership, enabling responsibilities and accountability to be defined.
• Plan and Organise (PO)—Provides direction to solution delivery (AI) and service
delivery (DS) (example controls: Define Strategic IT Plan, Manage Quality)
• Acquire and Implement (AI)—Provides the solutions and passes them to be turned
into services (example controls: Identify Automated Solutions, Manage Changes)
• Deliver and Support (DS)—Receives the solutions and makes them usable for end
users (example controls: Define and Manage Service Levels, Identify and Allocate Costs
• Monitor and Evaluate (ME)—Monitors all processes to ensure that the direction
provided is followed (example controls: Ensure Regulatory Compliance, Monitor and
Evaluate IT Performance)

51. Key Driving Forces for COBIT
The ressources made available to—and built up by—IT
How IT is organized to respond to the requirements
What the stakeholders expect from IT
Business Requirements
IT Resources
IT Processes
Plan and Organize
Aquire and Implement
Deliver and Support
Monitor and Evaluate
Data
Application systems
Technology
Facilities
People
Effectiveness
Efficiency
Confidentiality
Integrity
Availability
Compliance
Information reliability

52. How Does COBIT Link to IT Governance?
Goals
Responsibilities
Control
Objectives
Requirements
Business IT
Governance
Information the business needs to achieve its objectives
Information executives and board need to exercise their responsibilities
Direction and Resourcing
IT Governance

53. Process Orientation
Domains
Natural grouping of processes, often matching an organisational domain of responsibility
Processes
A series of joined activities with natural control breaks
Activities
or Tasks
Actions needed to achieve a measurable result—activities have a life cycle, whereas tasks are discrete

54. Process Orientation Plan and Organise Acquire and Implement
IT Domains
Plan and
Organise
Acquire and Implement
Deliver and Support
Monitor and Evaluate
IT Processes
IT strategy
Computer operations
Incident handling
Acceptance testing
Change management
Contingency planning
Problem management
Activities
Record new problem.
Analyse.
Propose solution.
Monitor solution.
Record known problem.
Etc. …
Natural grouping of processes, often matching an organisational domain of responsibility
A series of joined activities with natural (control) breaks
Actions needed to achieve a measurable result—activities have a life cycle, whereas tasks are discrete

55. Process Orientation Plan and Organise
Description
This domain covers strategy and tactics, and concerns the identification of the way IT can best contribute to the achievement of the business objectives. The realisation of the strategic vision needs to be planned, communicated and managed for different perspectives. Proper organisation and technological infrastructure must be put in place.
Topics
Strategy and tactics
Vision planned
Organisation and infrastructure
Questions
Are IT and the business strategy aligned?
Is the enterprise achieving optimum use of its resources?
Does everyone in the organisation understand the IT objectives?
Are IT risks understood and being managed?
Is the quality of IT systems appropriate for business needs?
Domains

56. COBIT Processes Plan and Organize Acquire and Implement PO1
Define an IT strategic plan.
PO2
Define the information architecture.
PO3
Determine technological direction.
PO4
Define the IT processes, organisation and relationships.
PO5
Manage the IT investment.
PO6
Communicate management aims and direction.
PO7
Manage IT human resources.
PO8
Manage quality.
PO9
Assess and manage IT risks.
PO10
Manage projects.
Plan and Organize
AI1
Identify automated solutions.
AI2
Acquire and maintain application software.
AI3
Acquire and maintain technology infrastructure.
AI4
Enable operation and use.
AI5
Procure IT resources.
AI6
Manage changes.
AI7
Install and accredit solutions and changes.
Acquire and Implement

57. COBIT Processes Deliver and Support Monitor and Evaluate DS1
Define and manage service levels.
DS2
Manage third-party services.
DS3
Manage performance and capacity.
DS4
Ensure continuous service.
DS5
Ensure systems security.
DS6
Identify and allocate costs.
DS7
Educate and train users.
DS8
Manage service desk and incidents.
DS9
Manage the configuration.
DS10
Manage problems.
DS11
Manage data.
DS12
Manage the physical environment.
DS13
Manage operations.
Deliver and Support
ME1
Monitor and evaluate IT performance.
ME2
Monitor and evaluate internal control.
ME3
Ensure compliance with external
Provide IT Governance requirements.
ME4
Monitor and Evaluate

58. Where COBIT Typically Sits
King
COSO
Governance Layer
COBIT
Governance Layer IT
ITIL
17799
Management
Layer IT
CMM
TickIT