
A practitioner’s view on COBIT 5

Vasilijs Mihailovs, MBA, ACMA, CISA, CISM, CISSP, ITIL Expert

ISACA Post President Council Meeting Event – Tel Aviv

March 2013

A practitioner’s view on COBIT 5 Page 2

Agenda

Goals cascade / Process model / Maturity model, each covering:
► How it worked in COBIT 4.1
► How it works in COBIT 5
► Summary: compare and contrast

Conclusions

Origins of COBIT 5
► Need for a master framework
► COBIT factsheet
► COBIT 5 development milestones
► COBIT 5 product family
► Benefits
► Integration framework
► Challenges
► On balance

Origins of COBIT 5: The need for a master framework

► Businesses are challenged to map IT costs to the value created
  ► Need for a method and a library which would help to:
    ► Create a fully traceable mesh among business goals and IT processes
    ► Identify controls, and the risks introduced by not implementing these controls
► The technology landscape changes rapidly
  ► Technology-based frameworks become obsolete soon after they emerge
  ► Need for a technology-independent IT control framework
► The regulatory landscape becomes increasingly complex
  ► Requirements listed in laws and regulations overlap significantly
  ► Need for a consolidated framework mapped to multiple regulations

Origins of COBIT 5: COBIT factsheet

► Control Objectives for Information and related Technologies
  ► Versions: 5 (2012), 4.1 (2007), 4 (2005), 3 (2000), 2 (1998), 1 (1996)
► Principal library of control objectives in IT
  ► Used for design, implementation, management and audit of IT
  ► Owned and maintained by ISACA
► Based on the internal control framework defined by COSO
  ► Committee of Sponsoring Organizations of the National Commission on Fraudulent Financial Reporting (COSO), in 1992, revised in 2001
► Mapped to multiple frameworks
  ► Versions 4.0/4.1 mapped to SOx 404, ISO 27002, ITIL, TOGAF etc.
  ► Version 5 mapped to version 4.1

Origins of COBIT 5: COBIT 5 development milestones

Timeline (figure; milestone labels not recoverable from the text): 2005, 2006, 2007, 2008, 2009, 2011, April 2012

Origins of COBIT 5: COBIT 5 product family

Reproduced from: Figure 1 on Page 11 in COBIT 5: A Business Framework for the Governance and Management of Enterprise IT, ISACA, 2012

Goals cascade: How it worked in COBIT 4.1

Goals cascade: How it worked in COBIT 4.1 (goals cascade at a glance)

Business Goals
► 17 generic goals
► Defined by the business strategy

IT Goals
► 28 generic goals
► Mapped to Business Goals

IT Processes
► 34 generic processes
► Mapped to IT Goals

IT Control Objectives
► 318 specific practices
► Grouped by IT Processes

Diagram labels on the cascade (figure): Point of entry; Internal control system for IT; arrows between the levels labelled Goals (downwards) and Evaluation (upwards).

Goals cascade: How it works in COBIT 5

Goals cascade: How it works in COBIT 5 (overview)

Stakeholder Drivers
► 22 generic IT-related points of concern to the businesses

Enterprise Goals
► 17 generic goals
► Mapped to Stakeholder Drivers

IT-related Goals
► 17 generic goals
► Mapped to Enterprise Goals

Enabler Goals
► 37 generic processes
► Mapped to IT-related Goals

Management Practices
► 210 specific practices
► Grouped by Enabler Goals

Goals cascade: How it works in COBIT 5 (comparison to COBIT 4.1)

Side by side (figure): the COBIT 5 cascade (Stakeholder Drivers → Enterprise Goals → IT-related Goals → Enabler Goals → Management Practices) against the COBIT 4.1 cascade (Business Goals → IT Goals → IT Processes → IT Control Objectives), with the counts given on the two preceding slides.

Goals cascade: How it works in COBIT 5 (stakeholder drivers)

Stakeholder Drivers
► 22 generic IT-related points of concern to the businesses

Examples of stakeholder questions:
► How do I best build and structure my IT department?
► Is the information I am processing well secured?
► How dependent am I on external providers? How well are IT outsourcing agreements being managed? How do I obtain assurance over external providers?
► What has been the average overrun of the IT operational budgets? How often and how much do IT projects go over budget?
► Does IT support the enterprise in complying with regulations and service levels? How do I know whether I am compliant with all applicable regulations?
► How do I get assurance over IT?

Stakeholder drivers in COBIT 4.1: Pages 19-21 of this publication contain a list of typical pain points and triggers which may be considered an input to Stakeholder Drivers in COBIT 5. These items have not been incorporated into the COBIT 4.1 goals cascade.

Goals cascade: How it works in COBIT 5 (Enterprise and IT-related Goals)

Both goal levels are organised along the four Balanced Scorecard dimensions (figure): Financial, Customer, Internal, Learning and Growth.

Enterprise Goals
► 17 generic goals
► Mapped to stakeholder drivers

IT-related Goals
► 17 generic goals
► Mapped to enterprise goals

Enterprise and IT-related Goals in COBIT 4.1: the Balanced Scorecard approach was not utilised at the goals level in COBIT 4.1; however, the idea of using a Balanced Scorecard for IT performance measurement was implied throughout the framework. In COBIT 5 the goals were rephrased to stress the business focus at the Enterprise Goals level and the IT focus at the IT-related Goals level, and reworked into Critical Success Factor statements.

Goals cascade: How it works in COBIT 5 (Enabler Goals)

COBIT 5 process reference model (figure):
► Governance: EDM01-EDM05 Evaluate, Direct and Monitor
► Management (with management feedback to governance):
  ► APO01-APO13 Align, Plan and Organise
  ► BAI01-BAI10 Build, Acquire and Implement
  ► DSS01-DSS06 Deliver, Service and Support
  ► MEA01-MEA03 Monitor, Evaluate and Assess

Enabler Goals
► 37 generic processes
► Mapped to IT-related goals

Enabler Goals in COBIT 4.1: the COBIT 4.1 process model (figure) had four domains:
► PO1-PO10 Plan and Organise
► AI1-AI7 Acquire and Implement
► DS1-DS13 Deliver and Support
► ME1-ME4 Monitor and Evaluate

IT Processes
► 34 generic processes
► Mapped to IT goals

Goals cascade: Summary

COBIT 4.1 goals cascade at a glance (figure): Business Goals (17 generic goals, defined by the business strategy) → IT Goals (28 generic goals, mapped to Business Goals) → IT Processes (34 generic processes, mapped to IT Goals) → IT Control Objectives (318 specific practices, grouped by IT Processes). Diagram labels: Point of entry; Internal control system for IT; arrows labelled Goals and Evaluation.

COBIT 5 goals cascade at a glance (figure): Stakeholder Drivers (22 generic IT-related points of concern to the businesses) → Enterprise Goals (17 generic goals, mapped to Stakeholder Drivers) → IT-related Goals (17 generic goals, mapped to Enterprise Goals) → Enabler Goals (37 generic processes, mapped to IT-related Goals) → Management Practices (210 specific practices, grouped by Enabler Goals). Diagram labels: Point of entry; Balanced Scorecard (Financial, Customer, Internal, Learning and growth dimensions); CSF; KPI; Internal control system for IT.

COBIT 5 cascade compared to the COBIT 4.1 cascade (figure): the two diagrams above placed side by side, with their respective labels.

Process model: How it worked in COBIT 4.1

Process model: How it worked in COBIT 4.1 (general principle)

Each IT Control Objective (e.g., DS4 Ensure Continuous Service) includes:
► Process description
  ► "Control over ... that satisfies the business requirement for IT of ... by focusing on ... is achieved by ... and is measured by ..."
► Control objectives
► Management guidelines
  ► Inputs & Outputs, RACI chart for the process, Goals & Metrics
► Maturity model for the IT process

IT Control Objectives
► 318 specific practices
► Grouped by IT processes

COBIT 4.1 process model (figure): PO1-PO10 Plan and Organise; AI1-AI7 Acquire and Implement; DS1-DS13 Deliver and Support; ME1-ME4 Monitor and Evaluate.

Process model: How it works in COBIT 5

Process model: How it works in COBIT 5 (Enabler Goals, compared to COBIT 4.1)

COBIT 5 process reference model (figure): Governance: EDM01-EDM05 Evaluate, Direct and Monitor; Management (with management feedback to governance): APO01-APO13 Align, Plan and Organise; BAI01-BAI10 Build, Acquire and Implement; DSS01-DSS06 Deliver, Service and Support; MEA01-MEA03 Monitor, Evaluate and Assess. Enabler Goals: 37 generic processes, mapped to IT-related Goals.

COBIT 4.1 process model (figure): PO1-PO10 Plan and Organise; AI1-AI7 Acquire and Implement; DS1-DS13 Deliver and Support; ME1-ME4 Monitor and Evaluate. IT Processes: 34 generic processes, mapped to IT Goals.

Process model: How it works in COBIT 5 (DSS04 Manage Continuity process)

Reproduced from: Page 185 in COBIT 5: Enabling Processes, ISACA, 2012

Process model: How it works in COBIT 5 (DS4 Ensure Continuous Service process, for comparison)

Reproduced from: Page 185 in COBIT 5: Enabling Processes, ISACA, 2012; Page 113 in COBIT 4.1: Framework, Control Objectives, Management Guidelines, Maturity Models, ISACA, 2007

Process model: How it works in COBIT 5 (DSS04.06 Conducting Continuity Training)

Reproduced from: Page 188 in COBIT 5: Enabling Processes, ISACA, 2012

Process model: How it works in COBIT 5 (DS4.6 IT Continuity Plan Training, for comparison)

Reproduced from: Page 188 in COBIT 5: Enabling Processes, ISACA, 2012; Page 114 in COBIT 4.1: Framework, Control Objectives, Management Guidelines, Maturity Models, ISACA, 2007

Process model: How it works in COBIT 5 (Goals & Metrics of the DSS04 process)

The goals and metrics of DSS04 are traced through the goals cascade (figure, shown in several steps with the IT-related Goals and Enabler Goals levels highlighted): Stakeholder Drivers (22 generic IT-related points of concern to the businesses) → Enterprise Goals (17 generic goals, mapped to Stakeholder Drivers) → IT-related Goals (17 generic goals, mapped to Enterprise Goals) → Enabler Goals (37 generic processes, mapped to IT-related Goals) → Management Practices (210 specific practices, grouped by Enabler Goals).

Reproduced from: Page 185 in COBIT 5: Enabling Processes, ISACA, 2012

Process model: How it works in COBIT 5 (Goals & Metrics of the DS4 process, for comparison)

Reproduced from: Page 115 in COBIT 4.1: Framework, Control Objectives, Management Guidelines, Maturity Models, ISACA, 2007

Process model: How it works in COBIT 5 (RACI matrix of the DSS04 process)

Reproduced from: Page 186 in COBIT 5: Enabling Processes, ISACA, 2012

RACI: Responsible, Accountable, Consulted, Informed

Process model: How it works in COBIT 5 (RACI matrix of the DS4 process, for comparison)

Reproduced from: Page 186 in COBIT 5: Enabling Processes, ISACA, 2012; Page 115 in COBIT 4.1: Framework, Control Objectives, Management Guidelines, Maturity Models, ISACA, 2007

Process model: How it works in COBIT 5 (what goes out and what comes in?)

In:
► Process purpose statements for each Enabler Goal
► Consistent and enlarged list of stakeholders in the RACI matrix for each Enabler Goal
► Precise mapping of each individual Management Practice to its own RACI matrix
► Inputs and outputs for each Management Practice rather than for each Enabler Goal
► Structured description of activities for each Management Practice
► References to external standards for each Enabler Goal

Out:
► Management Practice level Key Goal Indicators for each Enabler Goal
  ► Incorporated in the individual activities of each Management Practice
► Enabler Goal specific Maturity Model
  ► Replaced by the introduction of an ISO 15504 aligned Process Assessment Model
► Business requirements for information and IT resources
  ► Incorporated in Management Practices, but not defined under individual headings

Process model: Summary

Process model: Summary (COBIT 5 Enabler Goals and COBIT 4.1 IT Processes)

COBIT 5 (figure): Governance: EDM01-EDM05 Evaluate, Direct and Monitor; Management (with management feedback to governance): APO01-APO13 Align, Plan and Organise; BAI01-BAI10 Build, Acquire and Implement; DSS01-DSS06 Deliver, Service and Support; MEA01-MEA03 Monitor, Evaluate and Assess. Enabler Goals: 37 generic processes, mapped to IT-related Goals.

COBIT 4.1 (figure): PO1-PO10 Plan and Organise; AI1-AI7 Acquire and Implement; DS1-DS13 Deliver and Support; ME1-ME4 Monitor and Evaluate. IT processes: 34 generic processes, mapped to IT Goals.

Process model: Summary (COBIT 5 structure of Management Practices at a glance, compared to COBIT 4.1)

Each Management Practice (e.g., DSS04 Manage Continuity) includes:
► Process Description
► Process Purpose Statement
► IT-related Goals supported by the Management Practice
► Process Goals and Metrics related to the Management Practice
► RACI chart for all activities constituting the Management Practice
► Description of activities constituting the Management Practice
  ► Description of activity, Inputs & Outputs
  ► Steps involved in performing the activity
► Reference to non-COBIT standards related to the Management Practice

Legend of the comparison figure (colour coding of the components is not recoverable from the text):
► "Significant improvement in content, usability and/or structure compared to the same component in COBIT 4.1"
► "The component has not been used or has been used in a different way in the IT Control Objectives description in COBIT 4.1"

Maturity model: How it worked in COBIT 4.1

Maturity model: How it worked in COBIT 4.1 (assessing maturity levels)

► Maturity levels represent profiles of IT processes
  ► Useful for the description of current and future states
► No intention to measure the maturity level precisely
► NOT designed as a threshold model
  ► In a threshold model the next maturity level cannot be achieved before all conditions relevant to the lower levels have been met

Maturity model: How it worked in COBIT 4.1 (generic maturity profiles)

Generic maturity attributes (table columns): Awareness & Communication; Policies, Plans & Procedures; Tools & Automation; Skills & Expertise; Responsibility & Accountability; Goal Setting & Measurement.

Maturity levels (table rows): Non-existent (0); Initial / Ad Hoc (1); Repeatable but Intuitive (2); Defined Process (3); Managed and Measurable (4); Optimised (5).

Maturity model: How it worked in COBIT 4.1 (process-specific maturity profiles)

DS4: Ensure Continuous Service

1 Initial/Ad Hoc when: Responsibilities for continuous service are informal, and the authority to execute responsibilities is limited. Management is becoming aware of the risks related to and the need for continuous service. The focus of management attention on continuous service is on infrastructure resources, rather than on the IT services. Users implement workarounds in response to disruptions of services. The response of IT to major disruptions is reactive and unprepared. Planned outages are scheduled to meet IT needs but do not consider business requirements.

4 Managed and Measurable when: Responsibilities and standards for continuous service are enforced. The responsibility to maintain the continuous service plan is assigned. Maintenance activities are based on the results of continuous service testing, internal good practices, and the changing IT and business environment. Structured data about continuous service are being gathered, analysed, reported and acted upon. Formal and mandatory training is provided on continuous service processes. System availability good practices are being consistently deployed. Availability practices and continuous service planning influence each other. Discontinuity incidents are classified, and the increasing escalation path for each is well known to all involved. Goals and metrics for continuous service have been developed and agreed upon but may be inconsistently measured.

Maturity model: How it works in COBIT 5

Maturity model: How it works in COBIT 5 (assessing maturity levels)

► Maturity levels are based on the ISO 15504 standard
  ► ISO 15504 Information technology — Process assessment
  ► Part 2: process assessment model definition
  ► Part 3: guidance to fulfil the requirements listed in Part 2
  ► Also known as SPICE (Software Process Improvement and Capability Evaluation)
► Provides tools to measure the maturity level precisely
► Designed as a threshold model
  ► The next maturity level cannot be achieved before all conditions relevant to the lower levels have been met
► First introduced for COBIT 4.1 in 2011
► Released for COBIT 5 in February 2013

Maturity model: How it works in COBIT 5 (generic capability profiles)

Capability levels and their process attributes (figure):
► Level 0 Incomplete: process not implemented or fails to achieve its purpose
► Level 1 Performed: Process performance (a list of process outcomes defined for each Enabler Goal)
► Level 2 Managed: Performance management; Work product management
► Level 3 Established: Process definition; Process deployment
► Level 4 Predictable: Process measurement; Process control
► Level 5 Optimizing: Process innovation; Process optimization

Standard generic criteria for each capability level are outlined in ISO 15504.

Evaluation of each attribute: N (not achieved, 0%-15%), P (partially achieved, 15%-50%), L (largely achieved, 50%-85%), F (fully achieved, 85%-100%).

To achieve a certain capability level, all attributes on the previous levels must be fully achieved and all attributes on the attempted level must be largely or fully achieved.
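The threshold rule above, worked through in code as an added example (not ISACA's or the COBIT 5 Process Assessment Model's own tooling): the rating scale and the per-level attributes are those on the slide, while the attribute percentages for the constructed DSS04 assessment are made up, and crediting a value exactly on a boundary to the higher rating is an assumption.

```python
"""Capability-level determination under the ISO 15504 rules described above.
Added example; constructed sample data, not an ISACA artefact."""
from typing import Dict, List

# Process attributes per capability level (Level 1 .. Level 5), as on the slide.
ATTRIBUTES_BY_LEVEL: Dict[int, List[str]] = {
    1: ["Process performance"],
    2: ["Performance management", "Work product management"],
    3: ["Process definition", "Process deployment"],
    4: ["Process measurement", "Process control"],
    5: ["Process innovation", "Process optimization"],
}

LEVEL_NAMES = {0: "Incomplete", 1: "Performed", 2: "Managed",
               3: "Established", 4: "Predictable", 5: "Optimizing"}


def rate(percent: float) -> str:
    """Map an achievement percentage to the N/P/L/F scale.
    Boundaries follow the slide: N 0-15%, P 15-50%, L 50-85%, F 85-100%.
    A value exactly on a boundary is credited to the higher rating (assumption)."""
    if not 0 <= percent <= 100:
        raise ValueError("percentage must be within 0..100")
    if percent >= 85:
        return "F"
    if percent >= 50:
        return "L"
    if percent >= 15:
        return "P"
    return "N"


def capability_level(ratings: Dict[str, str]) -> int:
    """Highest capability level (0..5) achieved under the threshold rule:
    every attribute of all lower levels must be F, and every attribute of
    the attempted level must be L or F. An unrated attribute counts as N."""
    achieved = 0
    for level in range(1, 6):
        attrs = ATTRIBUTES_BY_LEVEL[level]
        if not all(ratings.get(a, "N") in ("L", "F") for a in attrs):
            break                      # attempted level not largely achieved
        achieved = level
        if not all(ratings.get(a, "N") == "F" for a in attrs):
            break                      # this level is not F, so it blocks the next one
    return achieved


def assess(percentages: Dict[str, float]) -> Dict[str, object]:
    """Rate every attribute, derive the level, and list the attributes that
    block the next level (not F on achieved levels, below L on the next)."""
    ratings = {a: rate(p) for a, p in percentages.items()}
    level = capability_level(ratings)
    blockers: List[str] = []
    if level < 5:
        for lvl in range(1, level + 1):
            blockers += [a for a in ATTRIBUTES_BY_LEVEL[lvl] if ratings.get(a, "N") != "F"]
        blockers += [a for a in ATTRIBUTES_BY_LEVEL[level + 1]
                     if ratings.get(a, "N") not in ("L", "F")]
    return {"level": level, "name": LEVEL_NAMES[level],
            "ratings": ratings, "blockers": blockers}


# Constructed assessment of DSS04 Manage Continuity (percentages are invented).
SAMPLE_DSS04: Dict[str, float] = {
    "Process performance": 92,       # F
    "Performance management": 88,    # F
    "Work product management": 70,   # L: enough for Level 2, not enough to pass it
    "Process definition": 60,        # L
    "Process deployment": 40,        # P: blocks Level 3 regardless of the rest
    "Process measurement": 10,       # N
}

# Strong Level 2 attributes do not help while Level 1 is only largely achieved:
# the threshold model stops at Level 1 here (a non-threshold model would not).
SAMPLE_THRESHOLD_EFFECT: Dict[str, float] = {
    "Process performance": 70, "Performance management": 95, "Work product management": 95,
}

if __name__ == "__main__":
    for name, sample in (("DSS04", SAMPLE_DSS04), ("threshold effect", SAMPLE_THRESHOLD_EFFECT)):
        result = assess(sample)
        print(f"{name}: Level {result['level']} {result['name']}; blockers: {result['blockers']}")
```
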

Maturity model: Summary

Maturity model: Summary (matching maturity levels)

COBIT 5 capability levels (ISO 15504): Level 0 Incomplete; Level 1 Performed; Level 2 Managed; Level 3 Established; Level 4 Predictable; Level 5 Optimizing.

COBIT 4.1 maturity levels: Level 0 Non-existent; Level 1 Initial / Ad Hoc; Level 2 Repeatable but intuitive; Level 3 Defined process; Level 4 Managed and measurable; Level 5 Optimised.

Figure legend for the correspondence between the two scales: "Match by design"; "Expected to match in many cases"; "Expected to match in some cases" (which pairs of levels carry which label is not recoverable from the text).

Maturity model: Summary (benefits of the COBIT 5 approach)

► Elimination of duplicate components
  ► The COBIT 4.1 maturity model was based on multi-level components: generic maturity, process, control objectives, process controls
► Improved reliability and repeatability of maturity assessment
  ► Granular methodology and consistent decision rules
  ► Process assessment training and formal certification for individual assessors
► Compliance with the ISO 15504 standard
  ► CMMI and ISO 15504 are the two most commonly accepted standards
  ► CMMI and ISO 15504 are consistent and compatible with each other
  ► A mapping between CMMI and ISO 15504 has been developed

Conclusions

Conclusions: Benefits

► Formalisation of the Balanced Scorecard approach
  ► More practical entry point to the goals cascade
  ► Better suitability for goal setting, achievement and monitoring
► Higher granularity and clearer connections
  ► Powerful support for structured control framework design
  ► References to connecting standards, frameworks and regulations
► Updated implementation guide: COBIT 5 Implementation
  ► Builds on the COBIT 4.1 implementation guide
  ► Integration with other widely used frameworks
    ► Project management methodologies
    ► ITIL Continual Service Improvement process

Conclusions: Integration framework

Reproduced from: Figure 25 on Page 61 in COBIT 5: A Business Framework for the Governance and Management of Enterprise IT, ISACA, 2012

Conclusions: Challenges

► Steeper learning curve than for COBIT 4.1
  ► Not a big difference for an entry-level user
  ► The Maturity model / Process Assessment Model may present an additional challenge
  ► Realisation of the benefits resulting from higher granularity needs experience
► Limited support publications
  ► COBIT 5 Quickstart, SOx 404 guide etc.
  ► COBIT 5 direct mapping to ISO 27002, ISO 38500, PCI DSS etc.
  ► Online collaboration space / COBIT 5 online
► Substantial switching costs
  ► Major reorganisation of Enterprise, IT-related and Enabler Goals
    ► Business goals, IT goals, IT processes, in COBIT 4.1 terminology

Conclusions: Challenges (perception)

► COBIT 5 is more "human language" than COBIT 4.1
  ► "What do you want to do?" style entry point
  ► A large number of statements are rephrased in a better language style
  ► Many complex diagrams are replaced with intuitive tables and schemes
  ► Ambiguity is significantly reduced by establishing more precise linkages
► However,
  ► Not easy to find the correct entry point for a non-prepared reader
  ► You may consider starting at page 55 (Appendix D) before going to page 1
    ► COBIT 5: A Business Framework for the Governance and Management of Enterprise IT, ISACA, 2012

"COBIT is not written in a human language!..." (Head of IT in a mid-sized financial services company, about COBIT 4.1)

Conclusions: On balance

► Mature IT governance and management tool
  ► Business approach to goal setting, achievement and monitoring
  ► Very granular guidance for all covered practices and models
► Needs to build momentum
  ► Will take a few years before COBIT 5 is fully understood by practitioners
  ► COBIT 4.1 practitioners will need to update their knowledge base
    ► Homo sapiens cobitus typically know most processes by heart
► Favours complicated implementations
  ► Multinational corporations may benefit significantly even in the short term
  ► Switchover may be time-consuming and resource-intensive
  ► Small and medium-sized enterprises may wait for COBIT 5 Quickstart

About this presentation: Contacts and acknowledgements

Vasilijs Mihailovs
MBA, ACMA, CISA, CISM, CISSP, ITIL Expert
Ernst & Young EMEIA FSO
FSO IT Risk & Assurance, Ireland
Email: [email protected]

Acknowledgements
► Jerry O’Sullivan, EY Ireland, Email: [email protected]
► Rob van den Eijnden, EY Netherlands, Email: [email protected]

Contacts in Israel
► Galit Dayan, EY Tel Aviv, Email: [email protected]

Thank you!

Important information

► The information in this pack is intended to provide only a general outline of the subjects covered. It should not be regarded as comprehensive or sufficient for making decisions, nor should it be used in place of professional advice.
► Accordingly, Ernst & Young accepts no responsibility for loss arising from any action taken or not taken by anyone using this pack.
► The information in this pack will have been supplemented by matters arising from any oral presentation by us, and should be considered in the light of this additional information.
► If you require any further information or explanations, or specific advice, please contact us and we will be happy to discuss matters further.