1 Information Technology Management (ITM101)
Week 02: IT Standards & Governance
Matthew W. Stephan: CISM, CISSP, CGEIT, CRISC, PMP
2 Governance?
- Corporate Governance: Leadership by corporate directors in creating and presenting value for all stakeholders
- IT Governance: Subset of the Corporate Governance framework tasked with ensuring the alignment of IT with enterprise objectives

IT governance aims to ensure that expectations for IT are met and IT risks are mitigated.
4 Why is IT Governance a ‘Hot Topic’?
- Increased sensitivity to protecting stakeholder interests
  - Shareholders (see: Sarbanes Oxley)
  - Consumers (see: HIPAA)
  - Suppliers (see: PCI)

This is what you will find by googling ‘IT Governance’ or looking it up on Wikipedia. Auditors should be very familiar with all of these. Businesses are under more and more legal / regulatory pressure to properly protect and use information assets in their possession. However, this is definitely not everything.
6 Other ‘Non-Regulatory’ Reasons…
- Recognized need for tight business linkage
  - Strategic Alignment
  - Value Delivery
  - Resource Management
  - Risk Management
  - Performance Management
- Effective Management of Outsourced IT Suppliers
  - Relationship Management
  - Financial Management
  - Contract Management

Recognized need: businesses with strong IT governance are more likely to achieve their objectives. All of these are from CobiT:
- Strategic alignment focuses on ensuring the linkage of business and IT plans; defining, maintaining and validating the IT value proposition; and aligning IT operations with enterprise operations.
- Value delivery is about executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimising costs and proving the intrinsic value of IT.
- Resource management is about the optimal investment in, and the proper management of, critical IT resources: applications, information, infrastructure and people. Key issues relate to the optimisation of knowledge and infrastructure.
- Risk management requires risk awareness by senior corporate officers, a clear understanding of the enterprise’s appetite for risk, understanding of compliance requirements, transparency about the significant risks to the enterprise and embedding of risk management responsibilities into the organisation.
- Performance measurement tracks and monitors strategy implementation, project completion, resource usage, process performance and service delivery, using, for example, balanced scorecards that translate strategy into action to achieve goals measurable beyond conventional accounting.
8 IT Governance Definitions
IIA International Professional Practices Framework:
- [IT Governance] Consists of the leadership, organizational structures and processes that ensure that the enterprise’s information technology sustains and extends the organization’s strategies and objectives.
- [IT Controls] Controls that support business management and governance as well as provide general and technical controls over information technology infrastructures such as applications, information, infrastructure, and people.
- [Governance] The combination of processes and structures implemented by the board to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives.
9 Definition of IT Governance From COBIT
IT Governance is the responsibility of executives and the board of directors, and consists of the leadership, organizational structures and processes that ensure that the enterprise’s IT sustains and extends the organization’s strategies and objectives.

The CobiT definition combines elements of the IIA definitions.
11 Governance: High Level View
- The business of running IT vs. running the technology
- Setting the rules and assuring they are followed
- An ethical responsibility to stakeholders
  - Principal - business
  - Commonwealth - people
  - Each other - reputation
12 IT Governance Objectives
The purpose of IT governance is to direct IT endeavors and ensure that IT is aligned with business objectives. Ideally:
- Governance should be a top-down process
- Linkages to business process and strategy exist for all actions
- Information in oral, paper, and electronic forms
- Governance transcends physical boundaries
- Through governance, acceptable practices, policies, and procedures are established

Diagram labels on the slide: Business Drivers; Internal Environment; Entrustment Framework; Decision Model and Framework; Value Realization and Delivery Framework; Performance Management; Value Management
13 Responsibility for IT Governance
Organization chart on the slide:
- Management Board
- Information Security Steering Committee
  - Sub-Committees: Architecture, Security, etc.
- Service Delivery & Functional Operation Management Teams: Applications, Systems, Operations, Networks, Desktop

Responsibility:
- IT governance is the responsibility of the board of directors and executive management.
- Integral part of enterprise governance
- Consists of the leadership and organizational structures and processes that ensure that the organization's IT sustains and extends the organization's strategies and objectives.

The foundation of a successful information security program begins with strong upper-level management support. This support establishes a focus on security within the highest levels of the organization. Without a solid foundation (i.e., proactive support of those persons in positions that control IT resources), the effectiveness of the security program can fail when pressured by politics and budget limitations. Any information security program must get its direction from executive management. The requirements of today’s laws and regulations have identified either the organization’s board of directors or an executive management steering committee as responsible for instituting an effective program.
14 IT Governance: COBIT Focus Areas
- Strategic Alignment
- Value Delivery
- Resource Management
- Risk Management
- Performance Measurement

We have seen these before.
15 Focus Areas of IT Governance
Five main focus areas for IT governance, all driven by stakeholder value.

Diagram labels on the slide: Stakeholder Value Drivers; IT Value Delivery; Risk Management; Performance Management; IT Strategic Alignment; IT Resource Management

Two are outcomes:
- Value delivery
- Risk management
Three are drivers:
- Strategic alignment
- Performance measurement
- Resource management (which overlays them all)
17 Security Program Infrastructure
Measuring Maturity: Security Program Infrastructure

Maturity Level | Description
Level 1 | Control objectives have been documented in a policy
Level 2 | Security control processes have been documented in procedures
Level 3 | Supporting procedures have been implemented (stakeholders have been made aware and trained)
Level 4 | Policies, procedures and controls are tested and reviewed to ensure continued adequacy
Level 5 | Procedures and controls are fully integrated into the culture of the organization

All security decisions must be linked to the organization’s business objectives or mission statement. As with other organization-wide policies, the information security program must be established by the implementation of a Global or Tier 1 policy. This type of policy is organization-wide and requires that all areas of the organization comply with the policy.

To be successful, the security and privacy policies and procedures must have three key elements. They must be:
- Documented
- Communicated
- Current

To supplement an information security policy, the organization must offer awareness programs, user training, and support education.

Information security’s goal is not to stop all access to all information but to provide a safe and secure process for all authorized personnel to gain access. The information strategy must, therefore, address three key concepts:
- Identification
- Authentication
- Authorization
18 IT Governance Frameworks
- ISO Family (17799, 20000, 27001): International Standard Organization’s Security Management Standards. Framework of standards that provide best practices for information security management.
- ITIL: IT Infrastructure Library. Best practices framework drawn from the public and private sectors internationally.
- COSO: Committee of Sponsoring Organizations of the Treadway Commission. Organization dedicated to financial reporting through business ethics, internal controls, and corporate governance.
- COBIT: Control Objectives for Information and related Technology. Framework and supporting toolset to bridge the gap between control requirements, technical issues, and business risks.
- FISMA: Federal Information Security Management Act of 2002. Mandatory set of processes required by legislation for US federal information systems.
- OCTAVE: Operationally Critical Threat, Asset, and Vulnerability Evaluation. Risk-based strategic assessment and planning technique for security.
- CMMI: Capability Maturity Model Integration. An approach to governance based on process maturity.
19 Clear Business Ownership and Direction
Alignment of Business and IT Objectives (CobiT 4.1 ‘Framework’):
Enterprise Strategy -> Business Goals for IT -> IT Goals -> Enterprise Architecture for IT -> IT Scorecard

Flow is from the top to the bottom, and then repeat. The Enterprise Strategy creates Business Goals for IT, which then are codified into IT Goals and Enterprise Architecture for IT. IT progress is tracked on a scorecard, which then can feed into the Enterprise Strategy.
20 Linking Technical and Business Risk
- Risk is the ‘lingua franca’ of business.
- Management needs to be able to compare IT Risks with other risks.
- IT Governance must do an effective job of translating technical risks to business risks.

Originally lingua franca (or Sabir) referred to a mixed language composed mostly of Italian with a broad vocabulary drawn from Persian, French, Greek and Arabic. Lingua franca literally means "Frankish language". This originated from the Arabic custom of referring to all Europeans as Franks. This mixed language was used for communication throughout the medieval and early modern Middle East as a diplomatic language.

Work with the board to define the enterprise’s appetite for IT risk, and obtain reasonable assurance that IT risk management practices are appropriate to ensure that the actual IT risk does not exceed the board’s risk appetite. Embed risk management responsibilities into the organisation, ensuring that the business and IT regularly assess and report IT-related risks and their impact and that the enterprise’s IT risk position is transparent to all stakeholders.
21 Linking Technical and Business Risk
Technical Risk:
- Incidents resulting from Changes
- Equipment Age
- Audit Scores
- Information Security Incidents
- Overdue Controls Issues
Business Exposures:
- Disruptions to Critical Business Processes (i.e.: Orders to Cash)
- Compromise Company Reputation
- Compromise Company Secrets
- Organizational Capacity / Health
- Financial Goals May not be Met

This is a partial list of Technical Risks. What is not necessarily clear in CobiT is the need to translate into your own Company business risk lingua franca. This allows risks to be compared. As with other Governance skills, to the extent you can speak the lingua franca, and to the extent you fundamentally understand the risks of other parts of the business, you can be more effective at making the case to invest in IT to reduce either IT risk or business risk.

The business exposures list is also partial. Connections between the right column (business exposures) and the left column (technical risks) depend on the nature of your own business.
23 IT Governance in a Sourced Environment
Diagram labels on the slide: Business Strategy and Processes; IT Governance; Commercial Relationship; Suppliers’ IT Strategy and Processes; Strategic Alignment; Value Delivery; Resource Management; Risk Management; Performance Measurement

Instead of your own internal IT Strategy and Process, you now run on Strategies and Processes which are to some extent out of your control. A strong commercial relationship is needed to assure business Strategies and Processes are met - which is just what IT Governance is all about.
24 Considerations in a Sourced Environment
- Sourcing Strategy
- Contract Management
- Finance Management
- Relationship Management
- Performance Management
25 Sourcing Strategy
- Part of IT Strategic Plan
- Inventory of critical Supplier relationships
- Update based on changes to Business, IT or Supplier Strategies
- May contain intervention plans

Key word in this is ‘Strategy’ - the biggest risks are the ones that are strategic, as they generally have the most downside risk. And the IT Strategic Plan had better be part of the Business Strategic Plan!

Inventory should include all supplier relationships that are critical to the business, how they inter-relate, whether a supplier is on the ascendency or not, opportunities for substitution, etc.

MUST be sensitive to and in touch with Strategy changes. Is IT becoming more / less strategic to the business? Is IT moving toward a shared services environment or not? Is a Supplier making strategic changes in the way they offer services?

Intervention plans are needed in the case something goes ‘sproing’.
26 Contract Management
- Initial negotiation and in-life change management
- Defines Services/Quality
- Defines ownership of Intellectual Property
- Compliance with Law and Policy
- Audit Rights

Contract management is all about imagining situations you may get caught in sometime in the future, and attempting to address them in advance. Depending on the nature of the relationship, services can be defined either very tightly (short term agreement, commodity deliverables) or somewhat loosely (longer term agreement, non-commodity deliverables). Which party benefits from Moore’s Law?
27 Contract Change Management
- Required by either changing business needs or to address ambiguity.
- Should be viewed as a negotiation.
- Each party will attempt to get concessions not previously obtained - value is at risk
- Depend on Relationship Management for smaller changes to avoid this risk
- Process is managed by the Contract Owner - remember Clear Business Ownership!

All large agreements have an inherent level of ambiguity. It is NOT possible to tie down each and every loose end in a complex deal - this risks deadlock. And there is some part of ‘you don’t know what you don’t know’.

Contract changes should be viewed as a continuation of the original negotiations and/or preparation for deal renewal. Each party will attempt to get concessions. Many contract changes are routine. Avoid risk by having a contract change process agreed before you need to use it.
28 Intellectual Property
- Supplier IP may be used to deliver efficiencies ($)
- However, use of Supplier IP may limit sourcing flexibility.
- Who owns process ‘know-how’ and does this change over time?
- What risk does this represent?

Lawyers may refer to IP as “Customer Data” or “Customer Developed Materials” or similar. There is a balance here. On the one hand, you may want to leverage Supplier’s ability to spread fixed costs across multiple Customers - this may be the only way Supplier has to provide Services at the agreed cost. On the other hand, you do NOT want to be in a lock-in situation.
29 Intellectual Property Mitigations
- Inventory, inventory, inventory
  - IT processes supporting the business
  - Materials (documents, rights, etc.)
- Risk Management discussion with business
- Seek legal help
- Follow up!

Best mitigation is the result of good IT governance. This is why you should have a fundamental understanding and documentation of the critical business processes IT supports, and what information flow, IT infrastructure, and IT processes are associated with those critical business processes. To the extent you don’t know, there is an exposure (see risk management).

Once everything is documented, don’t stop! If you abandon the inventory and documentation to the Supplier, then you risk it becoming theirs, even if the agreement says otherwise.
30 Audit Rights
- Business requirements drive specifics.
- Must be in the initial contract
- For supplier shared services, SAS70 Type II
- Audit rights should be unlimited and at no cost.

This is another area where the process inventory comes in handy. That will help you determine what the business risks really are, and therefore the level of assurance that is needed. You must get the language right in the initial agreement, as anything afterwards will likely cost you money.

Suppliers can and do use third party assessments (SAS70 Type II, ISO certifications). These are NOT the same and you need to determine if and how these can be ‘fit’ into your overall controls environment.

Suppliers should also be obligated to communicate ANY controls weakness they identify that could in any way affect the Customer environment. This is hard to get, but worth it.
32 Finance Management
- This is THE PLACE to receive an independent confirmation of IT value delivery.
- Budgets are a very unforgiving reality check!

If you don’t know your finance people, get to know them now. They know how budgets work, how money flows within your business, where there is flexibility, etc. Powerful stuff.
33 Relationship Management
- Overall Supplier management
- Monitor business needs
- Communication Forums
- Issue Management
- Risk Management
- Project Management

Relationship Management is where it all comes together in assuring the health of the Customer - Supplier Relationship. This area is tasked with routinely polling the business to determine the satisfaction with Supplier services. ‘Satisfaction’ here is more of a squishy, qualitative measure that may be used to confirm (or not) the quantitative measures of Performance Management.

Communications forums depend on the nature of the deal. The more strategic, the more likely there will be ‘top to top’ executive level meetings in addition to routine business management and service delivery meetings.

All Issues (contract change interpretation requests, disputes, etc.) are managed here.

Importantly, there is a risk management connection here. The overall risk (contract, performance, financial, relationship) is monitored here and used both with the internal ERM processes as well as for Supplier dialog.

Lastly, Project Management is here, as the PMO sets the rules by which other areas operate.
34 Risk Management
- IT Governance process to evaluate Supplier Financial, Service Delivery, Relationship and Information Security risks in total.
- As before, there may be a translation here from technical risk to business risk.
- Can use Probability x Business Impact as the metric. The business should supply the Impact.
- This can be a powerful tool to use with Suppliers. They speak the lingua franca as well.

This Relationship Management process is the linkage from the IT risk space (technical risk, financial risk, service delivery risk) to the Enterprise Risk Management space. There are specific added risks such as Supplier Financial viability.
35 Project Management
- Good Project Management helps assure value delivery
- Define ‘project’ vs. ‘daily work’ in the contract.
- Has linkages to Finance Management (paying Project costs), Service Delivery (assuring Project deliverables)
- NPS

Project Management in this case sets the rules that other parts of the organization follow. It is critically important to know what you may already be paying for as part of the ‘daily work’ part of your agreement. Otherwise, you risk paying twice, once as daily work, another time as project effort. It is not assured the Supplier resources developing project responses are as familiar with your overall agreement as, say, the contract manager.
36 Performance Management
- Aligning Service Delivery Requirements
- Managing and Reporting against SLAs
- Management of individual projects
- Work prioritization

Aligning Service Delivery Requirements includes adjustments as needed when business requirements change. Can be in terms of system availability, but can also be in terms of security, business continuity, and disaster recovery. Extra special bonus points here for describing Service Delivery in business process terms (i.e.: business process availability, business process interruptions).

SLAs in a sourced environment are generally, but not always, subject to financial performance credits. Not penalties, but credits. The goal is to have an SLA structure that continually encourages good performance.

Management of individual projects vs. Project Management. This includes verification that the services were received / performed as specified, tracking milestones, etc. PMO sets the rules, service delivery executes against the rules.

Work Prioritization - generally an issue for Daily Work as no Supplier has infinite capacity. You didn’t have infinite capacity when the area was in-sourced either. Work with the business to determine what can be put off, what needs to be done now. Alternatively, contract for short term capacity.
37 An Audit Checklist for IT Governance
NOTE: Should be 30 Minutes into the presentation at this point.

This is going to be a VERY short review of some very high level watch-outs. If IT Governance is a hot topic, can auditing of IT Governance be far behind as a hot topic? MISTI has a day long webcast on the topic. However, it is geared to IT Auditors....
38 IT Governance Audit Planning
- Audit Team Composition
- Audit Criteria
- Learnings from the Balanced Scorecard Approach
39 Audit Team Composition
- Leadership - Business or IT?
- Audit Supervision and Auditor in Charge
- Independence is a must
- Beware setting up an audit team that may reflect corporate IT Governance issues
- Consider sourcing knowledgeable auditors

There are a number of risks that must be considered when setting up an IT Governance audit team, as IT Governance effectiveness depends in large part on how well it straddles a line between business and IT, as we have described. If IT Governance is the responsibility of the Board and the Executives - then politics are in play.

Managing the audit out of the IT side of the internal audit activity may mean the audit supervisor or AIC may be asked to provide and defend findings related to IT Management - people that could in theory affect the IT Auditor’s career, depending on how your shop is set up. Alternatively, a business audit supervisor or AIC may not have an appreciation for IT.

Bottom line, if there are corporate culture or tone issues that affect IT Governance, the same culture or tone issues may affect an internal audit team.
40 IT Governance Audit Criteria / Standards
- IIA Governance Auditing Standards
- ISACA / ITGI IT Governance Auditing Guidelines
- ITGI Risk IT Framework
- ITGI Val IT Framework
- << Insert your Company business policies here >>

An important consideration here is to assure you meet the IIA IPPF requirement to either have corporate policy regarding IT Governance that has already been deployed or agree on the Criteria to be used prior to beginning the audit.

Criteria and Standards MUST cover corporate compliance. For example, SOX requirements that system changes are performed in accordance with management intent. See ITIL Change and Configuration Management.
41 Learnings from the Balanced Scorecard
Consider IT Governance from various business points of view (1):
- Corporate
- Customer
- Operational Excellence
- Future / Sustainability

This is a novel concept. Evaluate IT Governance in terms of how other parts of the business see it (corporate, customer), how well IT is delivering (Operational Excellence) and whether the operation is really sustainable. Source as shown.

1. “Measuring and Improving IT Governance Through the Balanced Scorecard”, Information Systems Control Journal, Volume 2, 2005
42 Balanced Scorecard: Corporate View

Objective | Example Metrics
Business/IT Alignment | Operational budget approval
Value Delivery | Business Unit Performance
Cost Management | Attainment of expense and recovery targets
Risk Management | Results of Internal Audits
Intercompany Synergy | Single System Solutions
43 Balanced Scorecard: Customer View

Objective | Example Metrics
Customer Satisfaction | Business Unit Survey ratings
Competitive Costs | Attainment of unit cost targets
Development Performance | Major Project Scores
Operational Performance | Attainment of targeted levels
44 Balanced Scorecard: Operational View

Objective | Example Metrics
Development Process | Function Point Measures
Operational Process | Change Management effectiveness
Process Maturity | Level of IT Processes
Enterprise Architecture | State of the infrastructure assessment
47 COBIT as a RoadMap to IT
- Global standard released as a set of tools that ensures IT is working effectively
- Functions as an overarching framework
- Provides common language to communicate goals, objectives and expected results to all stakeholders
- Based on, and integrates, industry standards and good practices in:
  - Strategic alignment of IT with business goals
  - Value delivery of services and new projects
  - Risk management
  - Resource management
  - Performance measurement

The COBIT mission is to research, continually update, publicise and promote an authoritative, internationally accepted IT governance control framework for adoption by enterprises and day-to-day use by business managers, IT professionals and assurance professionals. Now in its 4.1 release, the framework has been used successfully by IT organisations and business executives in many industries and of many sizes. COBIT provides a common language to communicate goals, objectives and expected results. A common language benefits all levels of IT, including management and stakeholders.
48 COBIT: Processes, Goals and Metrics
Relationship Amongst Process, Goals and Metrics (DS5)

The chart illustrates the relationship between the business, IT, process and activity goals, and the different metrics. From top left to top right, the goals cascade is illustrated. Below the goal is the outcome measure for the goal. The small arrow indicates that the same metric is a performance indicator for the higher-level goal.

The example provided is from DS5 Ensure systems security. COBIT provides metrics only up to the IT goals outcome as delineated by the dotted line. While they are also performance indicators for the business goals for IT, COBIT does not provide business goal outcome measures.

The metrics have been developed with the following characteristics in mind:
- A high insight-to-effort ratio (i.e., insight into performance and the achievement of goals as compared to the effort to capture them)
- Comparable internally (e.g., percent against a base or numbers over time)
- Comparable externally irrespective of enterprise size or industry
- Better to have a few good metrics (may even be one very good one that could be influenced by different means) than a longer list of lower-quality metrics
- Easy to measure, not to be confused with targets
49 Defined Responsibilities for Each Process
RACI Chart: A RACI chart identifies who is Responsible, Accountable, Consulted and/or Informed.

Excerpt of the chart on the slide (Functions vs. Activities; the R/A/C/I entries per function are not recoverable from the transcript):
- Link business goals to IT goals.
- Identify critical dependencies and current performance.
- Build an IT strategic plan.
- Build IT tactical plans.
- Analyze program portfolios and manage project and service portfolios.

COBIT also provides information on what processes should be delegated and to whom they should be delegated. This helps to ensure that IT processes are being managed at the appropriate level within an enterprise. The ‘RACI’ Chart is defined for each process and indicates who is responsible, accountable, consulted or should be informed about specific tasks within a given process.

The roles in the RACI chart are categorized for all processes as:
- Chief executive officer (CEO)
- Chief financial officer (CFO)
- Business executives
- Chief information officer (CIO)
- Business process owner
- Head operations
- Chief architect
- Head development
- Head IT administration (for large enterprises, the head of functions such as human resources, budgeting and internal control)
- The project management officer (PMO) or function
- Compliance, audit, risk and security (groups with control responsibilities but not operational IT responsibilities)
50 The COBIT Framework
Let’s take a closer look at the COBIT framework. COBIT defines IT activities in a generic process model within four domains along with a set of information criteria. The four domains are: Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate. The domains map to IT’s traditional responsibility areas of plan, build, run and monitor.

The COBIT framework provides a reference process model and common language for everyone in an enterprise to view and manage IT activities. Incorporating an operational model and a common language for all parts of the business involved in IT is one of the most important and initial steps towards good governance. It also provides a framework for measuring and monitoring IT performance, communicating with service providers and integrating best management practices. A process model encourages process ownership, enabling responsibilities and accountability to be defined.

- Plan and Organise (PO): Provides direction to solution delivery (AI) and service delivery (DS) (example controls: Define Strategic IT Plan, Manage Quality)
- Acquire and Implement (AI): Provides the solutions and passes them to be turned into services (example controls: Identify Automated Solutions, Manage Changes)
- Deliver and Support (DS): Receives the solutions and makes them usable for end users (example controls: Define and Manage Service Levels, Identify and Allocate Costs)
- Monitor and Evaluate (ME): Monitors all processes to ensure that the direction provided is followed (example controls: Ensure Regulatory Compliance, Monitor and Evaluate IT Performance)
51 Key Driving Forces for COBIT
- The resources made available to—and built up by—IT
- How IT is organized to respond to the requirements
- What the stakeholders expect from IT

Diagram on the slide:
- Business Requirements: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Information reliability
- IT Resources: Data, Application systems, Technology, Facilities, People
- IT Processes: Plan and Organize, Acquire and Implement, Deliver and Support, Monitor and Evaluate
52 How Does COBIT Link to IT Governance?
Diagram labels on the slide: Business; IT; Governance; Goals; Responsibilities; Control Objectives; Requirements; Information the business needs to achieve its objectives; Information executives and board need to exercise their responsibilities; Direction and Resourcing; IT Governance
53 Process Orientation
- Domains: Natural grouping of processes, often matching an organisational domain of responsibility
- Processes: A series of joined activities with natural control breaks
- Activities or Tasks: Actions needed to achieve a measurable result—activities have a life cycle, whereas tasks are discrete
54 Process Orientation
- IT Domains: Plan and Organise; Acquire and Implement; Deliver and Support; Monitor and Evaluate
- IT Processes (examples): IT strategy; Computer operations; Incident handling; Acceptance testing; Change management; Contingency planning; Problem management
- Activities (examples): Record new problem; Analyse; Propose solution; Monitor solution; Record known problem; Etc. …

Definitions:
- Domains: Natural grouping of processes, often matching an organisational domain of responsibility
- Processes: A series of joined activities with natural (control) breaks
- Activities or Tasks: Actions needed to achieve a measurable result—activities have a life cycle, whereas tasks are discrete
55 Process Orientation: Plan and Organise
Description: This domain covers strategy and tactics, and concerns the identification of the way IT can best contribute to the achievement of the business objectives. The realisation of the strategic vision needs to be planned, communicated and managed for different perspectives. Proper organisation and technological infrastructure must be put in place.

Topics:
- Strategy and tactics
- Vision planned
- Organisation and infrastructure

Questions:
- Are IT and the business strategy aligned?
- Is the enterprise achieving optimum use of its resources?
- Does everyone in the organisation understand the IT objectives?
- Are IT risks understood and being managed?
- Is the quality of IT systems appropriate for business needs?
56 COBIT Processes: Plan and Organize / Acquire and Implement
Plan and Organize:
- PO1 Define an IT strategic plan.
- PO2 Define the information architecture.
- PO3 Determine technological direction.
- PO4 Define the IT processes, organisation and relationships.
- PO5 Manage the IT investment.
- PO6 Communicate management aims and direction.
- PO7 Manage IT human resources.
- PO8 Manage quality.
- PO9 Assess and manage IT risks.
- PO10 Manage projects.

Acquire and Implement:
- AI1 Identify automated solutions.
- AI2 Acquire and maintain application software.
- AI3 Acquire and maintain technology infrastructure.
- AI4 Enable operation and use.
- AI5 Procure IT resources.
- AI6 Manage changes.
- AI7 Install and accredit solutions and changes.
57 COBIT Processes: Deliver and Support / Monitor and Evaluate
Deliver and Support:
- DS1 Define and manage service levels.
- DS2 Manage third-party services.
- DS3 Manage performance and capacity.
- DS4 Ensure continuous service.
- DS5 Ensure systems security.
- DS6 Identify and allocate costs.
- DS7 Educate and train users.
- DS8 Manage service desk and incidents.
- DS9 Manage the configuration.
- DS10 Manage problems.
- DS11 Manage data.
- DS12 Manage the physical environment.
- DS13 Manage operations.

Monitor and Evaluate:
- ME1 Monitor and evaluate IT performance.
- ME2 Monitor and evaluate internal control.
- ME3 Ensure compliance with external requirements.
- ME4 Provide IT Governance.
58 Where COBIT Typically Sits
Diagram on the slide, layered top to bottom:
- Governance Layer: King, COSO
- IT Governance Layer: COBIT
- IT Management Layer: ITIL, 17799, CMM, TickIT