IT Governance course : COBIT’s Management Guidelines

March 2, 2008

COBIT’s Management Guidelines

COBIT’s Management Guidelines consist of maturity models, critical success factors (CSFs), key goal indicators (KGIs) and key performance indicators (KPIs). This structure delivers a significantly improved framework responding to management’s need for control and measurability of IT by providing management with tools to assess and measure their organisation’s IT environment against COBIT’s 34 IT processes.

COBIT’s Management Guidelines are generic and action-oriented for the purpose of addressing the following types of management concerns:

  • Performance measurement — What are the indicators of good performance?

  • IT control profiling — What’s important? What are the critical success factors for control?

  • Awareness — What are the risks of not achieving our objectives?

  • Benchmarking — What do others do? How do we measure and compare?

An answer to these requirements, determining and monitoring the appropriate IT security and control level, is the definition of specific:

  • Benchmarking of IT control practices (expressed as maturity models)

  • Performance indicators of the IT processes — for their outcome and their performance

  • Critical success factors for getting these processes under control

The Management Guidelines are consistent with and build upon the principles of the Balanced Business Scorecard. [5] In "simple terms", these measures will assist management in monitoring their IT organisation by answering the following questions:

  1. What is the management concern?

    Make sure that the enterprise needs are fulfilled.

  2. Where is it measured?

    On the Balanced Business Scorecard as a key goal indicator, representing an outcome of the business process.

  3. What is the IT concern?

    That the IT processes deliver on a timely basis the right information to the enterprise, enabling the business needs to be fulfilled. This is a critical success factor for the enterprise.

  4. Where is that measured?

    On the IT Balanced Scorecard, as a key goal indicator representing the outcome for IT, which is that information is delivered with the right criteria (effectiveness, efficiency, confidentiality, integrity, availability, compliance and reliability).

  5. What else needs to be measured?

    Whether the outcome is positively influenced by a number of critical success factors that need to be measured as key performance indicators of how well IT is doing.

Each element of the Management Guidelines will be examined in further detail.

Maturity Models

IT management is constantly on the lookout for benchmarking and self-assessment tools in response to the need to know what to do in an efficient manner. Starting from COBIT’s processes and high-level control objectives, the process owner should be able to incrementally benchmark against that control objective. This creates three needs:

  • A relative measure of where the organisation is

  • A manner to decide efficiently where to go

  • A tool for measuring progress against the goal

The approach to maturity models for control over IT processes consists of developing a method of scoring so that an organisation can grade itself from non-existent to optimised (from 0 to 5). This approach is based on the maturity model that the Software Engineering Institute defined for the maturity of the software development capability. [6] Whatever the model, the scales should not be too granular, as that would render the system difficult to use and suggest a precision that is not justifiable.

In contrast, one should concentrate on maturity levels based on a set of conditions that can be unambiguously met. Against levels developed for each of COBIT’s 34 IT processes, management can map:

  • The current status of the organisation — where the organisation is today

  • The current status of (best-in-class in) the industry — the comparison

  • The current status of international standard guidelines — additional comparison

  • The organisation’s strategy for improvement — where the organisation wants to be

For each of the 34 IT processes, there is an incremental measurement scale, based on a rating of 0 through 5. The scale is associated with generic qualitative maturity model descriptions ranging from Non-existent to Optimised as follows:

  • 0 Non-existent. Complete lack of any recognisable processes. The organisation has not even recognised that there is an issue to be addressed.

  • 1 Initial. There is evidence that the organisation has recognised that the issues exist and need to be addressed. There are no standardised processes but instead there are ad hoc approaches that tend to be applied on an individual or case-by-case basis. The overall approach to management is disorganised.

  • 2 Repeatable. Processes have developed to the stage where similar procedures are followed by different people undertaking the same task. There is no formal training or communication of standard procedures and responsibility is left to the individual. There is a high degree of reliance on the knowledge of individuals and therefore errors are likely.

  • 3 Defined. Procedures have been standardised and documented, and communicated through training. It is, however, left to the individual to follow these processes, and it is unlikely that deviations will be detected. The procedures themselves are not sophisticated but are the formalisation of existing practices.

  • 4 Managed. It is possible to monitor and measure compliance with procedures and to take action where processes appear not to be working effectively. Processes are under constant improvement and provide good practice. Automation and tools are used in a limited or fragmented way.

  • 5 Optimised. Processes have been refined to a level of best practice, based on the results of continuous improvement and maturity modelling with other organisations. IT is used in an integrated way to automate the workflow, providing tools to improve quality and effectiveness, making the enterprise quick to adapt.

The maturity model scales help professionals explain to managers where IT management shortcomings exist and set targets for where they need to be by comparing their organisation’s control practices to the best practice examples. The right maturity level will be influenced by the enterprise’s business objectives and operating environment. Specifically, the level of control maturity depends on the enterprise’s dependence on IT, its technology sophistication and, most importantly, the value of its information.

A strategic reference point for an organisation to improve security and control could also consist of looking at emerging international standards and best-in-class practices. The emerging practices of today may become the expected level of performance of tomorrow and are therefore useful for planning where an organisation wants to be over time.

In summary, maturity models:

  • Refer to business requirements and the enabling aspects at the different maturity levels

  • Are a scale that lends itself to pragmatic comparison, where differences can be made measurable in an easy manner

  • Help in setting "as-is" and "to-be" positions relative to IT Governance, security and control maturity

  • Lend themselves to gap analysis to determine what needs to be done to achieve a chosen level

  • Avoid, where possible, discrete levels that create thresholds that are difficult to cross

  • Increasingly apply critical success factors

  • Are not industry-specific nor always applicable. The type of business defines what is appropriate.

Critical Success Factors

Critical success factors provide management with guidance for implementing control over IT and its processes. They are the most important things to do that contribute to the IT process achieving its goals. They are activities that can be of a strategic, technical, organisational, process or procedural nature. They are usually dealing with capabilities and skills and have to be short, focused and action-oriented, leveraging the resources that are of primary importance in the process under consideration.

A number of critical success factors can be deduced that apply to most IT processes:

Applying to IT in General

  • IT processes are defined and aligned with the IT strategy and the business goals.

  • The customers of the process and their expectations are known.

  • Processes are scalable and their resources are appropriately managed and leveraged.

  • The required quality of staff (training, transfer of information, morale, etc.) and availability of skills (recruit, retain, retrain) exist.

  • IT performance is measured in financial terms, in relation to customer satisfaction, for process effectiveness and for future capability. IT management is rewarded based on these measures.

  • A continuous quality improvement effort is applied.

Applying to Most IT Processes

  • All process stakeholders (users, management, etc.) are aware of the risks, of the importance of IT and the opportunities it can offer, and provide strong commitment and support.

  • Goals and objectives are communicated across all disciplines and understood; it is known how processes implement and monitor objectives, and who is accountable for process performance.

  • People are goal-focused and have the right information on customers, on internal processes and on the consequences of their decisions.

  • A business culture is established, encouraging cross-divisional co-operation, teamwork and continuous process improvement.

  • There is integration and alignment of major processes, e.g., change, problem and configuration management.

  • Control practices are applied to increase efficient and optimal use of resources and improve the effectiveness of processes.

Applying to IT Governance

  • Control practices are applied to increase transparency, reduce complexity, promote learning, provide flexibility and scalability, and avoid breakdowns in internal control and oversight.

  • Practices that enable sound oversight are applied: a control environment and culture; a code of conduct; risk assessment as a standard practice; self-assessments; formal compliance on adherence to established standards; monitoring and follow-up of control deficiencies and risk.

  • IT Governance is recognised and defined, and its activities are integrated into the enterprise governance process, giving clear direction for IT strategy, a risk management framework, a system of controls and a security policy.

  • IT Governance focuses on major IT projects, change initiatives and quality efforts, with awareness of major IT processes, the responsibilities and the required resources and capabilities.

  • An audit committee is established to appoint and oversee an independent auditor, drive the IT audit plan and review the results of audits and third party opinions.

In summary, critical success factors are:

  • Essential enablers focused on the process or supporting environment

  • A thing or a condition that is required to increase the probability of success of the process

  • Observable — usually measurable — characteristics of the organisation and process

  • Either strategic, technological, organisational or procedural in nature

  • Focused on obtaining, maintaining and leveraging capability and skills

  • Expressed in terms of the process, not necessarily the business

Key Goal Indicators

A key goal indicator, representing the process goal, is a measure of what has to be accomplished. It is a measurable indicator of the process achieving its goals, often defined as a target to achieve. By comparison, a key performance indicator is a measure of how well the process is performing.

How are business and IT goals and measures linked? The COBIT Framework expresses the objectives for IT in terms of the information criteria that the business needs in order to achieve the business objectives, which will usually be expressed in terms of:

  • Availability of systems and services

  • Absence of integrity and confidentiality risks

  • Cost-efficiency of processes and operations

  • Confirmation of reliability, effectiveness and compliance

The goal for IT can then be expressed as delivering the information that the business needs in line with these criteria. These information criteria are provided in the Management Guidelines with an indication whether they have primary or secondary importance for the process under review. In practice, the information criteria profile of an enterprise would be more specific. The degree of importance of each of the information criteria is a function of the business and the environment in which the enterprise operates.

Key goal indicators are lag indicators, as they can be measured only after the fact, as opposed to key performance indicators, which are lead indicators, giving an indication of success before the fact. They also can be expressed negatively, i.e., in terms of the impact of not reaching the goal.

Key goal indicators should be measurable as a number or percentage. These measures should show that information and technology are contributing to the mission and strategy of the organisation. Because goals and targets are specific to the enterprise and its environment, many key goal indicators have been expressed with a direction, e.g., increased availability, decreased cost. In practice, management has to set specific targets which need to be met, taking into account past performance and future goals.

In summary, key goal indicators are:

  • A representation of the process goal, i.e., a measure of what, or a target to achieve

  • The description of the outcome of the process and therefore lag indicators, i.e., measurable after the fact

  • Immediate indicators of the successful completion of the process or indirect indicators of the value the process delivered to the business

  • Possibly descriptions of a measure of the impact of not reaching the process goal

  • Focused on the customer and financial dimensions of the Balanced Business Scorecard

  • IT-oriented but business-driven

  • Expressed in precise, measurable terms wherever possible

  • Focused on those information criteria that have been identified as most important for this process

Key Performance Indicators

Key performance indicators are measures that tell management that an IT process is achieving its business requirements by monitoring the performance of the enablers of that IT process. Building on Balanced Business Scorecard principles, the relationship between key performance indicators and key goal indicators is as follows: key performance indicators are short, focused and measurable indicators of performance of the enabling factors of the IT processes, indicating how well the process enables the goal to be reached. While key goal indicators focus on what, the key performance indicators are concerned with how. They often are a measure of a critical success factor and, when monitored and acted upon, identify opportunities for the improvement of the process. These improvements should positively influence the outcome and, as such, key performance indicators have a cause-effect relationship with the key goal indicators of the process.

While key goal indicators are business-driven, key performance indicators are process-oriented and often express how well the processes and the organisation leverage and manage the needed resources. Similar to key goal indicators, they often are expressed as a number or percentage. A good test of a key performance indicator is to see whether it really does predict success or failure of the process goal and whether or not it assists management in improving the process.

Some generic key performance indicators follow that usually are applicable to all IT processes:

Applying to IT in General

  • Reduced cycle times (i.e., responsiveness of IT production and development)

  • Increased quality and innovation

  • Utilisation of communications bandwidth and computing power

  • Service availability and response times

  • Satisfaction of stakeholders (survey and number of complaints)

  • Number of staff trained in new technology and customer service skills

Applying to Most IT Processes

  • Improved cost-efficiency of the process (cost vs. deliverables)

  • Staff productivity (number of deliverables) and morale (survey)

  • Amount of errors and rework

Applying to IT Governance

  • Benchmark comparisons

  • Number of non-compliance reports

In summary, key performance indicators:

  • Are measures of how well the process is performing

  • Predict the probability of success or failure in the future, i.e., are lead indicators

  • Are process-oriented, but IT-driven

  • Focus on the process and learning dimensions of the Balanced Business Scorecard

  • Are expressed in precisely measurable terms

  • Help in improving the IT process when measured and acted upon

  • Focus on those resources identified as the most important for this process

IT Governance course : COBIT

Introducing COBIT

Control Objectives for Information and related Technology (COBIT) was initially published by the Information Systems Audit and Control Foundation (ISACF) in 1996, and was followed by a second edition in 1998. The third edition, which incorporates all-new material on IT Governance and Management Guidelines, was issued by the IT Governance Institute in 2000. COBIT presents an international and generally accepted IT control framework enabling organisations to implement an IT Governance structure throughout the enterprise.

Since its first issuance, COBIT has been adopted in corporations and by governmental entities throughout the world.

All portions of COBIT, except the Audit Guidelines, are considered an open standard and may be downloaded on a complimentary basis from the Information Systems Audit and Control Association’s web site, www.isaca.org/cobit.htm. The Audit Guidelines are available on a downloadable basis to ISACA members only.

The COBIT Framework

Business orientation is the main theme of COBIT. It begins from the premise that IT needs to deliver the information that the enterprise needs to achieve its objectives. It is designed to be employed as comprehensive guidance for management and business process owners. Increasingly, business practice involves the full empowerment of business process owners so they have total responsibility for all aspects of the business process. In particular, this includes providing adequate controls. COBIT promotes a process focus and process ownership.


The COBIT Framework provides a tool for the business process owner that facilitates the discharge of this responsibility. The Framework starts from a simple and pragmatic premise:

In order to provide the information that the organisation needs to achieve its objectives, IT resources need to be managed by a set of naturally grouped processes.

The Framework continues with a set of 34 high-level Control Objectives, one for each of the IT processes, grouped into four domains:

  • Planning and Organisation: This domain covers strategy and tactics, and concerns the identification of the way IT can best contribute to the achievement of the business objectives. Furthermore, the realisation of the strategic vision needs to be planned, communicated and managed for different perspectives. Finally, a proper organisation as well as technological infrastructure must be put in place.

  • Acquisition and Implementation: To realise the IT strategy, IT solutions need to be identified, developed or acquired, as well as implemented and integrated into the business process. In addition, changes in and maintenance of existing systems are covered by this domain to make sure that the lifecycle is continued for these systems.

  • Delivery and Support: This domain is concerned with the actual delivery of required services, which range from traditional operations over security and continuity aspects to training. In order to deliver services, the necessary support processes must be set up. This domain includes the actual processing of data by application systems, often classified under application controls.

  • Monitoring: All IT processes need to be regularly assessed over time for their quality and compliance with control requirements. This domain thus addresses management’s oversight of the organisation’s control process and independent assurance provided by internal and external audit or obtained from alternative sources.

Corresponding to each of the 34 high-level control objectives is an Audit Guideline to enable the review of IT processes against COBIT’s 318 recommended detailed control objectives to provide management assurance and/or advice for improvement.

The Management Guidelines further enhance and enable enterprise management to deal more effectively with the needs and requirements of IT Governance. The guidelines are action-oriented and generic and provide management direction for getting the enterprise’s information and related processes under control, for monitoring achievement of organisational goals, for monitoring performance within each IT process and for benchmarking organisational achievement.

COBIT also contains an Implementation Tool Set that provides lessons learned from those organisations that quickly and successfully applied COBIT in their work environments. It has two particularly useful tools — Management Awareness Diagnostic and IT Control Diagnostic — to assist in analysing an organisation’s IT control environment.

Over the next few years, the management of organisations will need to demonstrably attain increased levels of security and control. COBIT is a tool that allows managers to bridge the gap with respect to control requirements, technical issues and business risks and communicate that level of control to stakeholders. COBIT enables the development of clear policy and good practice for IT control throughout organisations worldwide. Thus, COBIT is designed to be the break-through IT Governance tool that helps in understanding and managing the risks and benefits associated with information and related IT.

The COBIT Control Objectives

For the purposes of COBIT, the following definitions are provided. "Control" is adapted from the COSO Report (Internal Control — Integrated Framework, Committee of Sponsoring Organisations of the Treadway Commission, 1992) and "IT Control Objective" is adapted from the SAC Report (Systems Auditability and Control Report, The Institute of Internal Auditors Research Foundation, 1991 and 1994).

Control is defined as the policies, procedures, practices and organisational structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected.

IT Control Objective is a statement of the desired result or purpose to be achieved by implementing control procedures in a particular IT activity.

To satisfy business objectives, information needs to conform to certain criteria, which COBIT refers to as business requirements for information. In establishing the list of requirements, COBIT combines the principles embedded in existing and known reference models:

  • Quality requirements — Quality, Cost, Delivery

  • Fiduciary requirements (COSO Report) — Effectiveness and Efficiency of operations; Reliability of Information; Compliance with laws and regulations

  • Security requirements — Confidentiality; Integrity; Availability

Starting the analysis from the broader Quality, Fiduciary and Security requirements, seven distinct, certainly overlapping, categories were extracted. COBIT’s working definitions are as follows:

  • Effectiveness deals with information being relevant and pertinent to the business process as well as being delivered in a timely, correct, consistent and usable manner.

  • Efficiency concerns the provision of information through the optimal (most productive and economical) use of resources.

  • Confidentiality concerns the protection of sensitive information from unauthorised disclosure.

  • Integrity relates to the accuracy and completeness of information as well as to its validity in accordance with business values and expectations.

  • Availability relates to information being available when required by the business process now and in the future. It also concerns the safeguarding of necessary resources and associated capabilities.

  • Compliance deals with complying with those laws, regulations and contractual arrangements to which the business process is subject, i.e., externally imposed business criteria.

  • Reliability of Information relates to the provision of appropriate information for management to operate the entity and for management to exercise its financial and compliance reporting responsibilities.

The IT resources identified in COBIT can be explained/defined as follows:

  • Data are objects in their widest sense (i.e., external and internal), structured and non-structured, graphics, sound, etc.

  • Application Systems are understood to be the sum of manual and programmed procedures.

  • Technology covers hardware, operating systems, database management systems, networking, multimedia, etc.

  • Facilities are all the resources to house and support information systems.

  • People include staff skills, awareness and productivity to plan, organise, acquire, deliver, support and monitor information systems and services.

COBIT consists of high-level control objectives for each process which identify which information criteria are most important in that IT process, state which resources will usually be leveraged and provide considerations on what is important for controlling that IT process. The underlying theory for the classification of the control objectives is that there are, in essence, three levels of IT efforts when considering the management of IT resources. Starting at the bottom, there are the activities and tasks needed to achieve a measurable result. Activities have a lifecycle concept while tasks are more discrete. The lifecycle concept has typical control requirements different from discrete activities. Processes are then defined one layer up as a series of joined activities or tasks with natural (control) breaks. At the highest level, processes are naturally grouped together into domains. Their natural grouping is often confirmed as responsibility domains in an organisational structure and is in line with the management cycle or lifecycle applicable to IT processes.

Thus, the conceptual framework can be approached from three vantage points: (1) information criteria, (2) IT resources and (3) IT processes.

It is clear that all control measures will not necessarily satisfy the different business requirements for information to the same degree.

  • Primary is the degree to which the defined control objective directly impacts the information criterion concerned.

  • Secondary is the degree to which the defined control objective satisfies only to a lesser extent or indirectly the information criterion concerned.

  • Blank could be applicable; however, requirements are more appropriately satisfied by another criterion in this process and/or by another process.

Similarly, all control measures will not necessarily impact the different IT resources to the same degree. Therefore, the COBIT Framework specifically indicates the applicability of the IT resources that are specifically managed by the process under consideration (not those that merely take part in the process). This classification is made within the COBIT Framework, based on a rigorous process of input from researchers, experts and reviewers, using the strict definitions previously indicated.


Each high-level control objective is accompanied by detailed control objectives, 318 in all, providing additional detail on how control should be exercised over that particular process. In addition, extensive audit guidelines are included for building on the objectives.

Sample high-level control objectives, with their related detailed control objectives, are provided at the end of the chapter for PO9, the Assess Risks process in the Planning and Organisation domain, and DS5, the Ensure System Security process in the Delivery and Support domain.
