
COBIT 5 Supports Cloud Computing Migration in the Brazilian Public Sector

By Wellington Evangelista and Joao Souza Neto, Ph.D., CGEIT, CRISC, COBIT Certified Assessor

COBIT Focus | 9 February 2015

Cloud computing has been seen by industry experts as able to revolutionize information technology, because it significantly changes the way IT is consumed and provided. Cloud computing transforms the landscape in which organizations manage the IT environment to one where all IT is consumed as a service.

In this new scenario, IT services are provided and consumed in much the same way as other common utilities, such as water, electricity and telephone services. Cloud computing thus enables end users to make use of computing resources without knowledge of their location or how the resources are delivered, and to pay only for the resources actually consumed. As a result, this new IT paradigm can provide reduced costs, increased flexibility and business agility.

However, despite its numerous advantages, cloud computing, like any innovation, also carries some risk. The main ones are related to information security and continuity of services, but there are others, such as a lack of technical standards to enable portability between providers and insufficient/inadequate legislation to deal with the issues raised by the new paradigm. Besides, as IT assets are no longer under the control of the organization that uses them, their governance becomes a challenge that needs to be handled with special care.

Organizations, public and private, can benefit from the use of cloud computing. Organizations in the Brazilian public sector, for example, are subject to specific laws and carry specific risk related mainly to information privacy, integrity and confidentiality. To assess whether a Brazilian public sector organization is able to use Software as a Service (SaaS), a questionnaire was developed and applied by researchers from Universidade Catolica de Brasilia. The goal of the questionnaire was to give organizations a tool to evaluate their capability to migrate to the cloud before approving a cloud project, avoiding costly rework and delays. Five Brazilian public sector organizations that intended to start a cloud project were selected for the first evaluation. Where an organization failed to comply with the requirements outlined in the questionnaire, the related COBIT 5 processes were presented to guide the necessary process improvement.

Results and Discussion

The SaaS questionnaire is divided into 2 areas (figures 1 and 2)—organization and technology—and 7 domains—operation (organization), enterprise strategy, service management and contract, operation (technology), information security, IT infrastructure, and software. The questionnaire’s goal is to determine the feasibility of an organization of the Brazilian public sector to use a SaaS product. For this purpose, the presence of some essential requirements was investigated.

Figure 1—Questions Related to the Organization

Operation

Q1: Does the organization’s IT department have a service level agreement (SLA) agreed with its business areas?

Q2: Was the capacity of the major cloud providers in the market to provide the organization the necessary means for monitoring the performance of the services investigated?

Q3: Does the organization’s IT department have a clear understanding of the challenges that the use of a public cloud will impose on IT management, demanding strong integration between the technical teams of the organization and the provider in order to achieve the intended business goals?

Enterprise Strategy

Q4: Have the business processes that will be impacted by migration or adoption of cloud computing been identified?

Q5: Is the use of applications available on a public cloud in conflict with any relevant Brazilian legislation or internal regulation?

Q6: Does the organization’s IT department have the necessary resources to manage the SaaS contracted services?

Service Management and Contract

Q7: Was a feasibility analysis of the project performed?

Q8: Is the risk management capability of the organization’s IT department able to identify and mitigate or eliminate relevant risk early enough to prevent security incidents?

Q9: Is there a contingency plan for the services to be hired?

Q10: Is there a formal contract management process that is followed by the organization’s IT department?

Source: Wellington Evangelista and João Souza Neto. Reprinted with permission.

Figure 2—Questions Related to Technology

Operation

Q1: Is there a contingency plan for the business processes to be used in the event of interruption of the services provided by the cloud provider?

Q2: Are the major cloud providers in the market able to support the SLA agreed to by the organization’s IT department with its business areas?

Information Security

Q3: Considering the required level of privacy of the information affected by the service, does the data network between the organization and the provider have the appropriate mechanisms (i.e., encryption) to guarantee this requirement?

Q4: Considering the confidentiality of the data to be handled by the applications, have the relevant laws governing data stored with third parties in foreign countries been analyzed and has it been determined that there is little to no risk to the business?

Q5: Has the feasibility of access to the cloud provider’s environment for auditing purposes in compliance with Brazilian regulatory standards been verified with leading cloud service providers in the market?

IT Infrastructure

Q6: Has it been verified that the IT infrastructure of the organization is able to consume applications available in data centers located outside of its facilities, resulting in higher consumption of the Internet access network?

Q7: Is it likely that the application processing usage profile may show spikes in short periods of time, or even significant demand increases or decreases that derail the provisions of the service internally?

Software

Q8: Do the contractor’s business areas demand access to the service through various means, such as mobile devices, or from various geographical locations in the country or abroad?

Q9: Must the application be integrated with other applications running on the organization’s IT environment?

Source: Wellington Evangelista and João Souza Neto. Reprinted with permission.

The questionnaire was applied to five Brazilian public sector organizations and the results are shown in figure 3.

Figure 3—Results for Brazilian Public Sector Organizations

Source: Wellington Evangelista and João Souza Neto. Reprinted with permission.

Analysis of the results shows that none of the organizations can adopt SaaS services safely. For example, though organization 3 demonstrates excellent results in software, IT infrastructure, and service management and contract categories, it needs improvements in the categories of enterprise strategy and operation-technology, key factors for the success of a cloud computing deployment strategy.

On the other hand, organization 4 demonstrates poor performance for all aspects assessed by the model and gets a null score for the domains IT infrastructure, information security and enterprise strategy.

The assumptions present in the questionnaire can be supported by various COBIT 5 governance and management processes. Starting with the stakeholder needs in a cloud environment, the cascade presented in figure 4 shows five relevant enterprise goals and their related IT goals and processes. Therefore, in order to implement a proper cloud solution that achieves these enterprise and IT goals, COBIT 5 processes APO09, APO10, APO12, APO13, DSS05 and MEA03 must be implemented in a mature way.

Figure 4—Goals Cascade for Cloud Computing

Source: Controls and Assurance in the Cloud: Using COBIT 5, 2014

Figure 5 shows the relationship between management processes and the questions of the proposed questionnaire. One can see that question 4 of technology has the largest number of COBIT 5 management processes involved. Regarding the COBIT 5 processes, APO13 Manage security has the most influence on the questionnaire, affecting 4 questions across both areas. Another strong influencer is DSS05 Manage security services. This is justified by the fact that the questionnaire and the framework emphasize aspects related to information security and the monitoring of the IT environment, which are of greatest concern to those who hire cloud computing services.

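Figure 5—Relationship Between Management Processes and Questions of the Proposed Questionnaire

Process: related questions (Organization Q1-Q10; Technology Q1-Q9)

APO09: Organization Q1
APO10: Organization Q6
APO12: Technology Q4
APO13: Organization Q2; Technology Q3, Q4, Q5
DSS05: Technology Q3, Q4
MEA03: Organization Q8; Technology Q4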

Besides improving processes selected using the goals cascade (starting with the pain points), special attention should be given to the processes listed in figure 5.


The relationship between the questions in the questionnaire and the 6 COBIT 5 management processes demonstrates that the implementation of the proper COBIT 5 processes can support the operation of cloud computing services, taking advantage of its benefits and mitigating risk. Furthermore, COBIT 5 Implementation gives objective guidance for such an initiative.

The five Brazilian public sector organizations that were analyzed received a report with their results, and all of them are in the process of implementing corrective measures in order to ensure a safe migration to the cloud.

Wellington Evangelista is a software architect at the Brazilian Supreme Court and has more than 15 years of experience in software development. He has extensive experience in IT governance and management.

Joao Souza Neto, Ph.D., CGEIT, CRISC, COBIT Certified Assessor, has more than 8 years of experience in IT governance, applying COBIT within Brazil Post. He is also responsible for the IT governance research area in the Universidade Catolica de Brasilia. He is founder and institutional director of the ISACA Brasilia (Brazil) Chapter.