COBIT 5: an evolutionary framework and only ... - Semantic Scholar

58 downloads 193 Views 55KB Size Report
15 years of practical usage and application of COBIT by many enterprises and ... Keywords. IT Governance, IT Management,
COBIT 5: an evolutionary framework and only framework to address the governance and management of enterprise IT Slindile Khanyile 64 Jasper Hill, 309 1st Road Midrand, 1686 +2772 026 2656

Hanifa Abdullah University of South Africa (UNISA) P.O. Box 392 UNISA 0003

[email protected]

[email protected]

ABSTRACT

1.

In many organizations, Information Technology (IT) has become vital in the support, sustainability and growth of the business. This pervasive use of technology has created a dependency on IT that calls for a specific focus on IT Governance. IT Governance is an integral part of enterprise governance exercised by the Board overseeing the definition and implementation of processes, structures and relational mechanism in the organization. This enables both the business and IT people to execute their responsibilities in support of business/IT alignment and the creation of business value from IT-enabled business investments. When approaching IT Governance, there are a number of frameworks, maintained by various governing bodies. The focus of this paper will be on the COBIT 5 framework as this framework concerns the governance and management of enterprise information. In order to operate a business both governance and management is needed.

Originally, Information Technology was implemented to automate processes of enterprises and enable gains in productivity [1]. Over the years, IT has become the backbone of businesses to the point where it is impossible for many to function without it [2]. More and more organizations are becoming increasingly dependent on a broad range of technologies to manage and grow their business. IT is an integral part of most organizations today and will certainly become more critical in the future [3]. It is for this reason that organizations are now increasingly concerned about the accountability for making decisions around the use of IT in the best interest of the board, executives and all other stakeholders.

The Control Objectives for Information and related Technology (COBIT) framework has become a globally accepted standard for IT governance. COBIT 5 is a major strategic improvement for ISACA, providing the next generation of ISACAs guidance on the enterprise governance of IT. Building on the more than 15 years of practical usage and application of COBIT by many enterprises and users from the business, IT, security and assurance communities, COBIT 5 is designed to meet the current needs of stakeholders and align with the most up-todate thinking in enterprise governance and IT management techniques.

Categories and Subject Descriptors K.6.0 [Management Systems]

of

Computing

and

Information

General Terms Management, Measurement, Standardization, Theory

Documentation,

Security,

INTRODUCTION

This has brought about an increased focus on IT governance. While there is no single, complete, off-the-shelf IT governance framework, there are a number of frameworks available that can serve as useful starting points for developing a governance model. Most of the existing frameworks are complementary, with strengths in different areas and so a mix-and match approach is often taken [4]. Weill and Ross state that in order to operate a business, it is necessary to have both good governance and management. [5] The difference between governance and management is that governance is about who makes the decisions whereas management has to do with making and implementing the decisions. Tracker supports this assertion by stating, "If management is about running the business, governance is about seeing that it is run properly. All companies thus require management as well as governance." [6]. ITIL and ISO 17799 only address governance whereas COBIT 5 addresses both governance and management, thus making it a comprehensive framework for operating an organization. This paper looks at how frameworks help organizations achieve IT governance with COBIT 5 being the focus because of its completeness. It makes a detailed examination of COBIT 5’s history, framework, benefits, principles, domains and processes, implementation and changes from COBIT 4.1.

Keywords IT Governance, IT Management, COBIT, Val IT, Risk IT, ITIL, ISO

2.

IT GOVERNANCE

Gartner defines IT governance as the set of processes that ensure the effective and efficient use of IT enabling an

organization to achieve its goals. IT is an integral part of enterprise governance and consists of the leadership and organizational structures and processes that ensure the organization’s IT sustains and extends the organization’s strategies and objectives [7]. Doughty defines IT governance to be a framework that supports the effective and efficient management of information resources (e.g. people, funding and information) to facilitate the achievement of corporate objectives. The focus is on the measurement and management of IT performance to ensure that the risks and costs associated with IT are appropriately controlled [7]. Gartner states that IT governance addresses two major topics: IT demand governance (“doing the right thing”) and IT supplyside governance (“doing things right”). These three definitions, although they are defining the same thing are similar yet distinct. This leads to the conclusion that there is more than one school of thought when it comes to IT governance. Musson states that there are three principal schools of thoughts on IT governance which are IT governance as a framework or an audit process, IT governance as IT decisionmaking and IT governance as a branch of corporate governance [31]. The focus of this paper is on COBIT 5 framework and how it covers both the governance and management of IT.

3.

IT GOVERNANCE AND MANAGEMENT FRAMEWORK

The following section will provide an overview of the Cobit 5 framework.

3.1

COBIT

The Control Objectives for Information and Related Technology (COBIT) has become a globally accepted standard for IT governance, created by the Information Systems Audit and Control Association (now known as simply “ISACA”) and the IT Governance Institute (ITGI) in 1996 [8]. COBIT 5 is an end-to-end umbrella framework that pulls together many existing frameworks that is designed to meet the current needs of stakeholders and align with the most up-to-date thinking in enterprise governance and IT management techniques. COBIT 5 concerns “the governance and management of enterprise information.” It is more than IT governance and includes information governance. It also adopts the ISO 38500 view that both IT governance and IT management are required and uses the Evaluate, Direct and Monitor model of ISO 38500 [32]. COBIT 5 addresses both IT and business functional areas across the enterprise and considers the IT related interests of all stakeholders. It helps organizations to create value to IT investments by maintaining a balance between optimizing risk levels and realizing benefits.

3.1.1

Background of COBIT 5

COBIT has had the following major releases: In 1996, the first edition of COBIT was released. In 1998, the second edition added “Management Guidelines”. In 2000, the third edition was released. In 2003, an on-line version became available. In December 2005, the fourth edition was initially released and in May 2007, the 4.1 revision was released [16]. COBIT 5 was released in April 2012; it addresses governance and management of enterprise IT. COBIT 5 combines COBIT 4.1, Val IT 2.0 and Risk IT as well as concepts from the Business Model for Information for a detailed framework for the effective governance and management of IT enabled business [18]. While COBIT 4.1 ensures that IT is working as effectively as possible to maximize the benefits of technology investment, Val IT helps enterprises make better decisions about where to invest, ensuring that the investment is consistent with the business strategy. Similarly, COBIT 4.1 provides a set of controls to mitigate IT risk in IT processes whilst Risk IT provides a framework for enterprises to identify, govern and manage ITrelated risks. COBIT 5 also aligns itself at a high level with existing frameworks such as ITIL and TOGAF, PMBOK, PRINCE 2 and ISO which makes it an umbrella for governance and management or IT [18].

3.1.2

Drivers of COBIT 5

COBIT 4.1 was widely accepted across the IT community as the framework for IT governance. However following an extensive review of the stakeholders, a number of drivers were identified leading to the development of COBIT 5. These drivers included [19].  The requirement to help stakeholders to understand how various frameworks, good practices and standards can be used together.  The need to ensure that the scope covers the full end-toend business and functional IT responsibilities, as well as the need to cover all aspects that lead to effective IT governance and management of enterprise IT.  The need to provide further guidance in high areas of interest, such as enterprise architecture, asset and service management, management of IT innovation and emerging technologies.  The need to link together and reinforce all major ISACA research, frameworks and guidance i.e. COBIT, Val IT and Risk IT.  The need to connect to and align with (where relevant) with other major frameworks and standards such as ITIL, TOGAF, PMBOK, PRINCE 2 and ISO.

3.1.3

Benefits of implementing COBIT 5

According to the IT Governance Institute, when looking at business outcomes of the Governance of Enterprise IT (GEIT), companies who have implemented COBIT 5 are experiencing improved management of IT- related risk, improved

communication and relationships between business and IT, lower IT costs, improved IT delivery of business objectives and improved competitiveness [20]. COBIT 5 provides a clear distinction between governance and management of IT, providing a holistic view of the enterprise which covers the business and IT from end-to-end and enables the effective governance and management of enterprise IT assets [21]. It enables business user satisfaction with IT engagement to the business to achieve business objectives [22]. COBIT 5 also provides an easy to access Process Reference Guide at the same level of detail because it consolidates all previous research of ISACA [21].

3.1.4

COBIT 5 Principles

COBIT 5 is built on 5 key principles for the governance and management of enterprise Information Technology [18]. The following section provides an overview of the principles. Principle 1: Meeting Stakeholder Needs Enterprises exist to create value for their stakeholders; therefore value creation is a governance objective for any enterprise. Value creation means realizing benefits at an optimal resource cost whilst optimizing risk. Principle 2: Covering the Enterprise End-to-End COBIT 5 integrates the governance of enterprise IT into enterprise governance; it therefore covers the organization holistically, the focus is not just on the IT function. It also covers the enterprise end to end for all matters relating to IT thereby providing a basis to effectively integrate other frameworks, standards and practices used. 

types of activities and require different organizational structures. Governance ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritization and decision making; and monitoring performance and compliance against agreed-on direction and objectives (EDM) Management plans builds runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives (PBRM).

3.1.5

COBIT5 Domains and Processes

COBIT 5 has 5 domains which are divided into governance and management domains; each domain has processes which enable it to achieve its objective(s) [18]. One domain addresses the governance and the other four domains cover management. The governance of enterprise IT (EDM) domain contains five processes within each process, evaluate, direct and monitor practices are defined. The management of enterprise IT domains are in line with the responsibility areas of plan, build, run and monitor. The 32 processes in these for domains are broken up as follows:  Align, Plan and Organize (APO): 13 processes  Build, Acquire and Implement (BAI): 10 processes  Deliver, Service and Support (DSS): 6 processes  Monitor, Evaluate and Assess (MEA): 3 processes

3.1.5.1 Governance of Enterprise IT Principle 3: Applying a Single Integrated Framework Most IT related standards and best practices only address a certain portion of IT activities, COBIT aligns with other relevant standards and frameworks at a high level thereby making it an overarching framework for governance and management of enterprise IT Principle 4: Enabling a Holistic Approach Effective governance and management of enterprise IT requires a holistic approach to IT, COBIT 5 implements comprehensive governance and management of enterprise IT through enablers. Enablers are things that enable the enterprise to achieve its objectives. COBIT 5 defines 7 categories of enablers:  Principles, Policies and Frameworks  Processes  Organizational Structures  Culture, Ethics and Behavior  Information  Services, Infrastructure and Applications  People, Skills and Competencies Principle 5: Separating Governance from Management The COBIT 5 framework makes a clear distinction between governance and management. These two disciplines fundamentally serve a different purpose, each include different

The following table lists the high-level IT processes for the EDM domain. Table 1 High Level Processes for the EDM Domains Ensure Governance Framework Setting and EDM01 Maintenance Ensure Benefits Delivery EDM02 Ensure Risk Optimization EDM03 Ensure Resource Optimization EDM04 Ensure Stakeholder Transparency EDM05

3.1.5.2 Management of Enterprise IT The following sections examine the four domains and the processes that fall under the management of enterprise IT [23]

3.1.5.2.1 Align, Plan and Organize (APO) The Planning and Organization domain covers the use of information and technology and how best it can be used in an organization to help achieve the organization’s goals and objectives. It also highlights the organizational and infrastructural form IT is to take in order to achieve the optimal results and to generate the most benefits from the use of IT. The following table lists the high-level IT processes for the APO domain.

Table 2 High Level IT Processes for the APO Domain APO01 Manage the IT Management Framework APO02 Manage Strategy APO03 Manage Enterprise Architecture APO04 Manage Innovation APO05 Manage Portfolio APO06 Manage Budget and Costs APO07 Manage Human Relations APO08 Manage Relationships APO09 Manage Service Agreements APO10 Manage Suppliers APO11 Manage Quality APO12 Manage Risk APO13 Manage Security

3.1.5.2.2

Build, Acquire and Implement (BAI)

The Build, Acquire and Implement domain covers identifying IT requirements, acquiring the technology, and implementing it within the company’s current business processes. The following table lists the high level control objectives for the BAI domain. Table 3 High-level Processes for the BAI Domain BAI01 Manage Programs and Projects BAI02 Manage Requirements Definition BAI03 Manage Solutions Identification and Build BAI04 Manage Availability and Capacity BAI05 Manage Organizational Change Enablement BAI06 Manage Changes BAI07 Manage Changes Acceptance and Transitioning BAI08 Manage Knowledge BAI09 Manage Assets BAI10 Manage Configuration

3.1.5.2.3 Deliver, Service and Support (DSS) The Deliver, Service and Support domain focuses on the delivery aspects of the information technology. It covers areas such as the execution of the applications within the IT system and its results, as well as, the support processes that enable the effective and efficient execution of these IT systems. The following table lists the high level control objectives for the DSS domain. Table 4 High-level Processes for the DSS Domain DSS01 Manage Operations DSS02 Manage Service Requests and Incidents DSS03 Manage Problems DSS04 Manage Continuity DSS05 Manage Security Services DSS06 Manage Business Process Controls

3.1.5.2.4

Monitor, Evaluate and Assess (MEA)

The Monitor, Evaluate and Assess domain deals with a company’s strategy in assessing the needs of the company and whether or not the current IT system still meets the objectives for which it was designed and the controls necessary to comply

with regulatory requirements. Monitoring also covers the issue of an independent assessment of the effectiveness of IT system in its ability to meet business objectives and the company’s control processes by internal and external auditors. The following table lists the high level control objectives for the MEA domain. Table 5 High-level Processes for the MEA Domains MEA01 Monitor, Evaluate and Assess Performance and Conformance MEA02 Monitor, Evaluate and Assess the System of Internal Control MEA03 Evaluate and Assess Compliance with External Requirements

3.1.6

Implementing COBIT 5

COBIT 5 builds on previous versions of COBIT, Val IT and Risk IT. Enterprises can build on the work they have put into their previous version of COBIT [24]. When implementing COBIT 5, the organization must determine which stakeholder interests have priority, what their expectations are, what the IT functions capability to satisfy these expectations are and who is accountable for doing so. This requires knowledge about the underlying processes and management system that supports the IT function to deliver the services and performance expected [24]. Upgrading existing implementations of the COBIT 4.1 process model will require minor adjustments such as combining existing processes and moving practices between processes [18].

3.1.6.1 Changes from COBIT 4.1 The following section provides an overview of the changes from COBIT 4.1 [25]. Stakeholder Expectations and Value Driven: The main driver behind COBIT 5 is stakeholder expectations and values. These changes ensure that the needs of both internal and external customers are considered in addition to the enterprise strategy and goals which are emphasized in COBIT 4.1 for benefits realization, risk balancing and cost optimization. Domain Areas: COBIT 5 has five domains under governance and management. The governance section provides guidance on evaluation, direction and monitoring of IT processes and is aligned with the ISO38500 “standard for corporate governance of information technology.” The management domains are in line with the four equivalent domains of COBIT 4.1. Process Model and Areas: COBIT 5 has 36 processes (COBIT 4.1 has 34). A few processes from COBIT 4.1 are merged in COBIT 5 and some single processes from COBIT 4.1 are split to form separate processes in COBIT 5 to allow for more specific guidance. For

example, ME4 – Provide it Governance from COBIT 4.1 is split into five separate processes (EDM1 to EDM5) under the new Governance Domain. Two new processes are introduced:  AP01- Define Management Framework for IT  BA18 – Knowledge Management. Integrated Framework: Different frameworks such as Val IT, Risk IT, BMIS, ITAF and relevant data points from various standards and best practices from organization such as ISO, ITIL, PMBOK, TOGAF and COBIT 4.1 are consolidated into a single framework providing a single source of guidance. This integration will support a holistic view of management and governance in the enterprise. Capability/Maturity Model: COBIT 4.1 has a process maturity model to assess the maturity of current state of enterprise and identify the steps to improve the process to achieve desired maturity level. This older maturity model is replaced by a process capability model based on ISO 15504 which is a software process assessment standard. Capability-level names are adopted from that standard. The new levels for the capability and maturity model are mentioned in section 3.3.4.

3 4

5

6

7

Goals Cascade: COBIT 5 provides a link between stakeholders’ expectations and practical goals providing more specific details. IT goals are derived from enterprise business goals, which in turn are derived from stakeholder expectations and values. This goal linkage is represented as a goal cascade in 5. Enablers: COBIT 5 has seven categories of interrelated enablers and is driven by the goal cascade. The seven enablers for achieving enterprise goals are  Principles, Policies and Frameworks  Processes  Organizational Structures  Culture, Ethics and Behavior  Information  Services, Infrastructure and Applications  People, Skills and Competencies Control Objectives: Unlike the 210 control objectives in COBIT 4.1, there is no separate mention of control objectives in 5; such objectives are part of 208 management and governance practices. COBIT 5 is driven by stakeholder needs and not primarily by best practices. Summary of Changes: The following table summarizes the significant differences between COBIT 4.1 and COBIT 5 [27]. Table 6 Summary of Changes Section Parameter COBIT 4.1 1 Best Practice Driver 2

Domain Areas

4 Domain Areas

COBIT 5 Stakeholder Expectation 5 Domain Areas through

Process Areas Framework

34 Processes

Capability/ Maturity Model Goals Cascade

Maturity Models

Enablers Control Objectives

4.

Only COBIT 4.1 Framework

IT goals are derived from business goals of maintaining enterprise reputation and leadership No mention of enablers 210 Control Objectives

HOW COBIT GOVERNANCE

name are different , they align with the domains in 4.1 36 Processes Integrated framework – Val IT, Risk IT, ITAF, BMIS etc. with COBIT 4.1 Process Capability Model IT goals are derived from stakeholder needs and expectations

Identified 7 enablers No separate mention of control objectives but included as part of Management and Governance Practices

ACHIEVES

IT

The COBIT 5 Evaluate, Direct and Monitor (EDM) process set is designed to govern and encapsulate the processes of all other management processes. This major upgrade in COBIT 5 is intended to increase awareness of the need for a structured governance framework for all organizations at an enterprisewide level, from operations to the strategic board [26]. Governance practices are considered at their best when they are linked and embedded as continuous management life cycles, such as enterprise risk management, in all processes within an. In the past the distinction between governance and management has been blurry, adopting COBIT 5 is an opportunity to clarify and address the difference.

5.

CONCLUSION

COBIT 5 is the only framework that addresses governance and management of enterprise IT. There are lots of opportunities for future research as COBIT 5 is still very new.

6.

REFERENCES

[1] STACHTCHENKO, P. 2008. Value Management Guidance for Assurance Professionals: Using Val IT 2.0. Rolling Meadows, IL: ISACA. [2] VAN GREMBERGEN,G., DE HAES, S. 2008. Analysing the Relationship between IT Governance and Business/ IT Alignment Maturity. In: Proceedings of the 41st Hawaii International Conference on System Science, January 2008, IEEE Computer Society,Waikoloa, HI, 428. [3] SELIG, G. 2006. IT Governance – An Integrated Framework and Roadmap: How to Plan, Deploy and Sustain for Competitive Advantage. http://www.ca.com/files/whitepapers/it_governance_white paper.pdf [4] SYMONS, C. 2005. IT Governance Framework. Forrester. http://i.bnet.com/whitepapers/051103656300.pdf [5] WEILL, P. & ROSS, J. W. 2004. IT Governance: How Top Performers Manage IT Decision Rights for Superior Results. Harvard Business Press. [6] TRICKER, R. 1984. Corporate Governance: Practices. Procedures and Powers in British Companies and Their Boards of Directors. Gower Publishing, Aldershot. [7] DOUGHTY, K.. 2005. IT Governance: Pass or Fail?. Information Systems Control Journal 3. [8] HINES, G. 2005. ITIL and COBIT Similarities, Differences and Interrelationships. ISACA. http://www.isacacentralohio.org/archive/presentations/2005_01ITIL%20and%20COBIT.pdf [9] ITSMF. 2007. An Introductory Overview of ITIL V3. itSMF. http://www.itsmfi.org/files/itSMF_ITILV3_Intro_Overvie w_0.pdf [10] CHAN,P., DURANT,S., GALL V., AND RAISINGHANI M. 2009. Aligning Six Sigma and ITIL to Improve IT Service Management. International Journal of E-Services and Mobile Applications, 1, 2, 62-82. [11] NABIOLLAHI, A. AND BIN SAHIBUDDIN, S. 2008. Considering Service Strategy in ITILV3 as a Framework for IT Governance, Information Technology International Symposium 1, August 2008, IEEE Computer Society, Kuala Lumpur, 1-5. [12] RADOVANOVIC, D., LUCIC, D., RADOJEVIC, T. AND SARAC, M. 2011. Information Technology Governance – COBIT model. Proceedings of the 34th International Convention. May 2011, Opatija, 1426 – 1429. [13] ISO 17799. 2005. Information Technology - Code of Practice for Information Security Management. [14] DEY, M., 2007. Information security management – a practical approach. Africon, 1 – 6. [15] LIU, H., ZHU, Y. 2009. Measuring Effectiveness of Information Security Management. International Symposium on Computer Network and Multimedia Technology. January 2009, Wuhan, 1-4. [16] SVATA, V. 2011. IS Audid Considerations in Respect of Current Economic Environment. Journal of Systems Integration, 02. http://www.sijournal.org/index.php/JSI/article/viewFile/79/51

[17] SYMONS, C. 2005. IT Governance Framework. Forrester. http://i.bnet.com/whitepapers/051103656300.pdf [18] ISACA. COBIT 5 A Business Framework for the Governance and Management of IT. ISACA. http://www.isaca.org/cobit/Pages/CobitFramework.aspx [19] PROTIVITI. 2012. ISACA Release COBIT 5: Update Framework for the Governance and Management of IT. Protiviti. http://www.knowledgeleader.com/KnowledgeLeader/Cont ent.nsf/dce93ca8c1f384d6862571420036f06c/914126f4d7 e82ec988257a08006b2133/$FILE/ISACA%20Releases%2 0COBIT%205%20Updated%20Framework%20for%20the %20Governance%20and%20Management%20of%20IT% 20-%20Flash%20Report.pdf [20] ISACA and ITGI. Global Status Report on the Governance of Entreprise IT (GEIT) -2011. ISACA. http://www.isaca.org/KnowledgeCenter/Research/Documents/Global-Status-Report-GEIT10Jan2011-Research.pdf [21] ITPRENEURS. 2011. COBIT 5 –News and Views. COBIT 5: Highlights and Benefits.http://www.itpreneurs.com/en/thoughtleadership/knowledge-center/latest-news/item/31cobit%C3%82%C2%AE-5%C3%A2%E2%82%AC%E2%80%9C-news-and-views [22] EMAILWIRE. 2012. EIN News. COBIT 5 Publication Suite now available for IT Governance. http://www.emailwire.com/release/88980-COBIT-5Publication-Suite-now-available-from-ITGovernance.html [23] QUALIFIED ADVICE PARTNERS. 2012. COBIT Domains and Processes (COBIT 5/4.1). COBIT 5. http://www.qualified-auditpartners.be/index.php?cont=463&lgn=3 [24] IT Governance.com. 2012. COBIT 5 Implementation Seminar. IT Governance.com. http://www.itgovernance.com/cobit18-20jun.pdf [25] ISACA 2012. Comparing COBIT 4.1 and COBIT 5. ISACA. http://www.isaca.org/COBIT/Documents/Compare-with4.1.pdf [26] MENEVSE, A. 2011. Toward Better IT Governance With COBIT 5. ISACA. http://www.isaca.org/KnowledgeCenter/cobit/Documents/COBIT-Focus-Toward-Better-ITGovernance-with-COBIT-5.pdf [27] GARTNER. 2012. Update in COBIT 5 Aim for Greater Relevance to Wider Business Audience. Analysis. http://www.gartner.com/id=1982323 [28] BUCKBY S., BEST P. AND STEWARD J. 2009. The Current State of Information Technology Governance Literature. In Information Technology Governance and Service Management: Frameworks and Adaptations. Aileen Cater-Steel (University of Southern Queensland Australia), Australia, 1-43. [29] GERRARD, M.. 2010. IT Governance: Key Initiative Overview. Gartner. http://www.gartner.com/it/initiatives/pdf/KeyInitiativeOve rview_ITGovernance.pdf.

[30] NATIONAL COMPUTING CENTRE. IT Governance Developing a successful governance strategy. ISACA. http://www.isaca.org/Certification/CGEIT-Certified-inthe-Governance-of-Enterprise-IT/Prepare-for-theExam/Study-Materials/Documents/Developing-aSuccessful-Governance-Strategy.pdf [31] MUSSON, D., 2009. IT Governance: A Critical Review of the Literature. In Information Technology Governance and Service Management: Frameworks and Adaptations. Aileen Cater-Steel (University of Southern Queensland Australia), Australia, 44-62. [32] ISACA. COBIT 5: Framework, BMIS, Implementation and Future Information Security Guidance. ISACA.