• Bookmark

Adopting COBIT 5 in a Government Entity

By Sean Atkinson, CISA, CISM, CGEIT, CRISC, COBIT 5 Foundation, CCSA, CEH, CFE, CISSP, CRMA, CSM, GCIH, N+, PMP, SCTS, Sec+, and Roger F. Aucoin, COBIT 5 Foundation, PMP

COBIT Focus | 19 January 2015 Spanish

Sean Atkinson Roger F. Aucoin Imagine being on the ground floor of a new government agency in the United States, first conceived in 1994 and implemented in 2012, with the initial responsibility of developing an information system that would eventually process well over US $1 billion in payments monthly, produce enterprisewide reporting, be implemented as Software as a Service (SaaS) to more than 85,000 users in 72 external agencies and by more than 100,000 vendors. Further, imagine that your responsibility included ensuring that the fledgling enterprise accomplished this mission while following its documented processes and procedures.


Where to begin? How would one know whether existing processes were sufficient?


In the original request for proposal (RFP) for the software (2008), COBIT was selected to be implemented as a holistic framework to manage and govern the software. Until 2012, the enterprise used COBIT 4.1 on a limited basis only due to the lack of development and maturity in the enterprise’s overall processes.


In September 2012, the decision was made by executive management to expand the application of COBIT in a more holistic manner and to adopt COBIT 5 and all 37 processes (which have come to be known internally as “enterprise processes”) across the enterprise (which does not include the vendors or external agencies noted previously). The focus of COBIT would now be utilized as the governance and management framework that provides an integrated process in which to review, manage and control the enterprise.


The planning process, Phase 1, began with the use of COBIT 5 Implementation and COBIT 5: Enabling Processes for direction on how to proceed. After digesting the contents of these 2 documents, a business case was drafted using the 7-phase approach recommended in the COBIT 5 Implementation, and submitted to the executive sponsor for approval. Adopting a holistic framework for any entity is a daunting task, as is the decision leading up to the commitment of the necessary resources. Upon approval of the business case, the original implementation team moved forward with the adoption of COBIT 5. The COBIT 5 implementation team was formed with staff from 2 separate areas of the enterprise: 2 staff members from security operations (1 certified COBIT Foundation trainer) and 3 staff members from the process quality/compliance team. Bringing together staff from the 2 different areas of the organization provided 2 different perspectives that fostered a deeper understanding of the value and challenge of the full adoption.


Phase 2, the “Where are we now?” step, entailed staff identifying all existing processes and procedures as well as any that were needed that did not yet exist. These processes were mapped to the 210 COBIT 5 practices. This gap analysis indicated that the enterprise had no documented processes that could be related to 11 of the COBIT processes and incomplete processes that could be related to the remaining 26 COBIT processes. This discovery prompted the team to revise the original business case to include the recommendation to management that the organization needed to examine the regulatory and process requirements for all 37 COBIT processes on a detailed level and decide which were indeed needed for this specific business. This moved the project into phase 3 from COBIT 5 Implementation, the “Where do we want to be?” phase.


The executive sponsor was not surprised by this development due to the evolution of the enterprise, its overall structure and the enterprise’s fast-paced progression, the latter of which had not allowed for a comprehensive review and understanding of the governance and regulatory processes needed for the business.


In phase 3, the team needed the assistance of subject matter experts (SMEs) to get a better picture of the situation along with their support to close the gaps. To begin, the team members and executive sponsor earned their COBIT 5 Foundation certificates. Executive management was engaged through a modified training session in COBIT 5 Foundation, which included discussion of the results of the initial gap analysis, a live demonstration of the process the COBIT 5 team performed to identify the gaps (called the “Process Author Approach”), and the proposed plan for moving forward (figure 1). This generated the needed buy-in for the next stages of the plan, which included presenting the 2-hour executive management training session to the direct reports of the executive managers (team leads), along with a half-hour overview session for all staff members (“All Staff” meeting in figure 1).


Figure 1—Overall Approach to COBIT 5 Implementation
Figure 1
View Large Graphic
Source: Atkinson and Aucoin; reprinted with permission.


Because the enterprise set out to formally align itself with the 37 COBIT 5 processes, 37 organizational documents were created and referred to as enterprise process documents. Each document contains the original COBIT 5 process overview and description; the practices and the activities; Responsible, Accountable, Consulted and Informed (RACI) matrices, modified to fit the organization’s management structure; and the inputs, outputs and related guidance tables.1


Figure 1 displays a graphical representation of the implementation up to the point where all the enterprise process documents are created and the gaps are identified. The starting point to this stage of engagement was the Process Author Approach. This approach involved identifying which team lead owned each enterprise process. After this was determined, the lead staff person became the process author for that enterprise process document. For example, APO07 Manage human resources was clearly in the domain of the human resources (HR) unit of the enterprise, so the organization’s HR lead became the process author. However, in the case of BAI06 Manage changes, which crossed a series of domains within the organization, multiple team leads became process authors, each responsible for their individual part of the process. The process authors then identified the SMEs to be involved and the development discussions began.


To facilitate the multiple owners of a process, the implementation team served as the intermediary to coordinate the overall goal and successful completion of items within the process.


This then led to the heart of the approach: the enterprise-process-facilitated sessions. At these meetings, the COBIT 5 team engaged the process author and received input from SMEs. This approach provided several benefits: Initially, it set the stage for teams to get to know their processes and develop a sense of ownership of them. It also allowed for input from the implementation team who provided relevant materials, direction on compliance and best practice recommendations.


Within the overall update process (figure 2), the process authors were sent the enterprise process document they were responsible to develop to determine the need for assistance. The implementation team then met with each process author separately (along with any support SMEs identified by the process author) to develop the enterprise process document by determining the following:

  • Is the enterprise process one the organization needs?
  • Is the COBIT 5 definition of the process accurate for the enterprise? If not, it was modified.
  • Is the COBIT 5 definition of each practice accurate? If not, it was modified.

Figure 2—Enterprise Process Development—Activity Flow
Figure 2
View Large Graphic


The implementation team encouraged process authors to make modifications to the COBIT wording to better represent how the process related to the organization, but without changing the original intent. As an overall implementation step, the original versions of the processes, practices and activities were preserved for ease of future reference, should any question arise. The enterprise processes were notated where any wording was modified.


The next step was a review of the COBIT 5 activities—all 1,112 activities. The reviews were complicated by the fact that the IT infrastructure of this enterprise has functions that are performed by service providers; therefore, not all activities were seen as necessary for the enterprise. Each activity was examined using the same approach (process authors and SMEs) to augment the delivered COBIT 5 literature regarding each activity: Wording was modified as necessary to make the process document relevant to the enterprise, and each activity was categorized to simplify and sort the answers:

  • Is the activity done, but not documented?
  • Is the activity done, but documentation needs to be updated?
  • Is the activity done, documented and not in need of updating?
  • Is the activity not done, but needed?
  • Is the activity not done and not needed at this time?
  • Is the activity done by 1 or more of the enterprise’s service providers?

Finally, the RACI matrix was examined for any needed changes to reflect titles and responsibilities specific to the enterprise.


Enterprise process documents were then sent to the full team, which included executive management and all of the process authors/team leads, for final review to determine if any further changes were needed before releasing the documents for further development. Given that each document averaged 10 to 12 pages and the reviews were spread over 6 review meetings, the task was manageable. Approvals to move the document forward were formed though a consensus of executive management, the members of which based their decision on achievability and sustainability through the review and subsequent improvement processes. The organization defines approval to mean simply that the larger team agreed with the gap analysis and any updates made during the review meetings, and that executive management authorized the work that is needed to close the gaps in order to begin. It was gratifying to note that these review and approval meetings were lively at times and not simply rubber-stamping approvals of the documents. This speaks to the value seen by the participants in the overall process.


After they were approved for further development, the documents were stored in the organization’s central document repository. The activities requiring modifications were prioritized by the process authors with input from management, and the work was scheduled to be done. Each enterprise process schedule was determined by the process author(s) and was managed though the central repository.


All of this activity provided the scope of work for phase 4, “What needs to be done?” For perspective, the initial results included that:

  • 9 enterprise processes were identified as complete (not in need of any further modification)
  • 28 enterprise processes had gaps (at least 1 activity needed further development)
  • At the activity level:
    • 139 activities were done, but not documented
    • 208 activities were done, but documentation needs to be updated
    • 476 activities were done, documented and not in need of updating
    • 189 activities were not done, but were needed
    • 47 activities were not done and were not needed at this time
    • 53 activities were done by 1 or more of the enterprise’s service providers

The enterprise then moved into the 5th, or “How do we get there?,” phase. This is where team members are currently engaged and this phase is expected to last 18 months. The activities belonging to 1 or more service provider will be reviewed with the service provider and included in the service level agreement (SLA), as appropriate, and metrics will be used to enable the tracking of progress and celebrate success as it occurs.


After a document is deemed complete and all needed processes and procedures are in place and working, the process improvement cycle for each enterprise process document begins and is set at 1 year. This moves the organization into phase 6 (“Did we get there?”) in a piecemeal fashion until all 37 documents are complete. Completion is planned for the end of 2015.


Process assessments and audits will then enable phase 7, the “How do we keep the momentum going?” phase, to engage the enterprise in continuous improvement. The new EDMO1 Ensure Governance Framework Setting and Maintenance Audit/Assurance Program document (which includes a focus on the assessment of the process enabler) and/or the COBIT Assessment Programme (COBIT Assessor Guide: Using COBIT 5 and COBIT Process Assessment Model (PAM)): Using COBIT 5, which focuses on COBIT 5 process capability), can be used to effectively assess the enterprise processes and the organizational GEIT arrangements as a whole. These will assist in identifying processes and procedures (practices and activities) or other aspects of GEIT that need attention to enhance their performance.


Get Started With COBIT 5

At this point, one might be asking, “What is in it for my organization?” or “Where do I begin?” Any organization can begin as this one did by following the same steps:

  1. Do not be overwhelmed by the wealth of knowledge encapsulated in COBIT 5 and its scope, as it can seem daunting.
  2. Begin with COBIT 5 Implementation. Use this to understand the implementation process that underpins COBIT 5 and recognize that it will take time to fully adopt. Seek to break up the work into bite-sized pieces so that your organization is not overwhelmed with the work.
  3. Then engage with COBIT 5: Enabling Processes. Consciously examine all the processes, practices and activities to answer the same questions asked here and put a plan in place to resolve any identified gaps.

Or one might be tempted to say, “We have everything we need already.” If that is the case, COBIT 5 provides the opportunity to self-assess where the organization is and potentially illuminate areas that might need some work to ensure the organization can reasonably accomplish its mission.


Evolving With COBIT 5

Understanding COBIT 5 and its implementation life cycle is well underway for the enterprise in this case example. As it moves forward, collaboration between units and process owners will be required as the defined processes will cross organizational lines and bridge the gaps between service support, operational management and overall governance of the organization. These intended consequences of an integrated, operational environment will allow the enterprise to measure the return on investment (ROI) and evaluate the contribution of COBIT 5 toward the overall goal of a holistic and managed enterprise, encourage collaboration, and create a systematic process of excellence among all teams. Progression through the implementation life cycle to a point of measuring capability is the next step in the evolution as an implementation team.


Sean Atkinson, CISA, CISM, CGEIT, CRISC, COBIT 5 Foundation, CCSA, CEH, CFE, CISSP, CRMA, CSM, GCIH, N+, PMP, SCTS, Sec+

Is an internal control officer, risk manager and information security officer with more than 10 years of experience working in both security and auditing roles. He also teaches an introduction to computer science course for a local college.


Roger F. Aucoin, COBIT 5 Foundation, PMP

Has more than 34 years of experience in information technology, 16 of those years as a project manager and most recently managing the adoption of COBIT 5. He also teaches an online project management course for a local college.


Endnotes

1 The titles for these sections came from the “10 COBIT 5 Governance and Management Practices Activities” Microsoft Excel document available in the COBIT 5 Tool Kit and COBIT 5: Enabling Processes.

THIS WEBSITE USES INFORMATION GATHERING TOOLS INCLUDING COOKIES, AND OTHER SIMILAR TECHNOLOGY.
BY USING THIS WEBSITE, YOU CONSENT TO USE OF THESE TOOLS. IF YOU DO NOT CONSENT, DO NOT USE THIS WEBSITE. USE OF THIS WEBSITE IS NOT REQUIRED BY ISACA. OUR PRIVACY POLICY IS LOCATED HERE.