Other Blogs
There are no items in this list.
Knowledge & Insights > ISACA Now > Categories
Internal Control System – Whose System Is It Anyway?

Auditors have a wealth of knowledge acquired through engagement with employees at all levels of the organization, but they can never replace the role management and the business process owner play in ensuring that controls are adequately designed, implemented and are continuously functioning. No matter how many ‘red’ audit reports auditors issue, as long as management is not on board, the role of an auditor is of no value to the organization.

It is quite interesting to evaluate the significant impact that each of the players in the three lines of defense have in ensuring a sound system of internal controls. To analyse this and dispel some of the myths about the role of auditors in the internal control system, I reviewed the COBIT 5 process MEA02 – Monitor, Evaluate and Assess System of Internal Controls. I will first start by defining the RACI model, which shows the pieces each player has.

The RACI model outlines the roles and responsibility of each actor in the process being reviewed. I will describe it the way I tell my auditees. This is, to simplify and get them to clearly understand how our work affects one another (see Table 1)

Table 1

RACI Acronyms


Responsible The guy or girl whose hands get dirty.
Accountable The wind breaker or simply the fall guy or girl.
Consulted I am not getting my hands dirty but I can share my knowledge.
Informed Just want to know what you are up to.

See Table 2 below for proposed roles and responsibility of actors in internal control systems

COBIT 5 MEA02 Monitor, Evaluate and Assess System of Internal Controls

Table 2

Management Practice
Chief Executive Officer Business Executive Business Process Owners Chief Risk Officer Audit Chief Information Officer
Monitor internal controls
 I     R   R   R   A 
Review business process controls effectiveness
 I   A   R   I   R   C 
Perform control self-assessments
 I     R   R   R   A 
Identify and report control deficiencies
 I     R    I   R   A 
Ensure that assurance providers are independent and qualified
     R     A   R 
Plan assurance initiatives
 A     R     C   R 
Scope assurance initiatives
     R     A   R 
Execute assurance initiatives
     R     A   R 

To analyze the internal control system, I will discuss five keys about the responsibility of audit, risk and management.

Internal auditors are not accountable for ensuring that controls are monitored. Auditors are only responsible for ascertaining that controls have been adequately designed, implemented and are operating effectively, thus including assurance on the monitoring of controls by IT management. It’s a fact that auditors can get their hands dirty but they are not the fall people. The accountability and responsibility role in monitoring of controls does not seem to be clear. The majority of controls relating to monitoring of certain controls by management are almost always in the audit report; for example, the monitoring of user access, audit logs and activities carried out by users with high privileges. The accountability of management over internal controls should not be considered mitigating control, as many have relegated it to be.

Auditors and business process owners share the same responsibility of reviewing the effectiveness of the controls. Refer to table two above, MEA02.02. A prudent manager always carries out a self-audit and reports on the department’s weaknesses. I have sat in meetings where the manager of a division would say, “I am worried about this area. Could you ensure that you focus on it?” It’s not wrong for management to request internal audit to scrutinize a certain area in his or her division, but it’s always worrying when the tone appears to suggest that the manager has no idea of the processes followed in that particular area. That shows that the manager is not aware of his or her responsibility to ensure effective controls. The auditor’s role in assuring effectiveness is only for reporting purposes, while the process owner’s role is for operational purposes and is far more imperative than the auditor’s report. Likewise, self-control assessments coordinated by the risk division are the responsibility of the process owner.

IT management has a right to ensure that qualified internal auditors carry out audit assignments in a professional manner. A balance needs to be found when training auditors, especially on complex assignments. I know this is potentially stepping on my own toes, but after management gives time and resources to the auditor to carry out their work, it is disappointing for management to receive a report that does not show that the auditor understood the process being audited. It is not surprising then, when reviewing Table 2 above MEA02.05, to note that the process owner and IT management have been tasked with responsibility of ensuring that qualified assurers are engaged.

The business process owners’ fingerprints are all over the entire internal control system. From Table 2 above, it is clear that the process owner is responsible for all controls within the process of monitoring the internal control system. This why it’s imperative for internal auditors to work hand-in-hand with the process owner, as the latter’s input is required in all aspects of the system. The notion that we will only disclose information that the auditors ask for does not hurt the internal auditor but, rather, hurts the process owner. Auditors merely provide feedback on the status of the system while the process owner builds the system.

In an analysis of the roles that audit, risk, process owner and chief information officer play in monitoring the internal control system, it is clear that all players have their hands dirty. Those with a quantitative mindset can count the R’s listed in table 2 under each player. It then becomes quite clear that all actors have a role to play. For the internal control system to mature, each player needs to understand their role and support others where their input is required, even if it is just to receive information. The goal of the system is not to police, expose gaps, or show faults but rather to ensure that collective efforts lead to a more sustainable operation environment.

Connecting Business and IT Goals Through COBIT 5

Business leaders must take accountability for governing and managing IT-related assets within their units and functions just as they would other assets, such as those involving physical plant or human resources.

This is critical as achieving enterprise goals becomes increasingly interconnected with successfully managing and governing its technology. COBIT 5 provides the framework needed to connect business goals with IT goals while utilizing non-technical, business language, as explored in a recent ISACA podcast. John Jasinski, a COBIT certified assessor, discusses the framework’s core principles and enablers, and ways in which enterprises can successfully leverage them.

“The main purpose of the governance of enterprise IT is to achieve strategic alignment of information and related technology with the goals of the enterprise,” Jasinski said. “However, a continuing challenge for enterprises is how to achieve and maintain the alignment as stakeholder needs and enterprise goals change. The COBIT goals cascade provides context, structure and content for consistency of goals and meeting stakeholder needs.”

The COBIT 5 goals cascade provides a model to define and link enterprise goals and IT goals in support of stakeholder needs.

Decisions on how to utilize IT assets and resources should be made by business managers in an overall governance and management context, according to Jasinski. Directors should govern IT through three main tasks:

  1. Evaluate the current and future use of IT;
  2. Direct implementation of plans and policies to ensure the use of IT meets business objectives;
  3. Monitor conformance to policies and performance against the plans.

COBIT 5, which aligns with other relevant standards and frameworks used worldwide, provides a technology-agnostic common language to more effectively address information and cyber security, risk, vendor management, cloud controls and many other challenges faced by enterprises. Distinctions between governance and management also are addressed.

“If you’re looking for context, structure and content to address your biggest digital business challenges and opportunities, you must have an understanding the COBIT goals cascade, enabling processes and the entire COBIT library,” Jasinski said. “COBIT can help you understand how to connect all the dots, and fit the puzzle pieces together. This is important stuff.”

Further ISACA insights on the topic can be found in the white paper, “COBIT 5 Principles: Where Did They Come From?

Editor’s note: The ISACA Podcast is now available on iTunes, Google Play and SoundCloud. Listen to experts in cyber security, audit, governance and more as they explain the latest trends and issues facing professionals.

New COBIT 5/CMMI Tool Goes Beyond Traditional Mapping

ISACA and CMMI each have a deep well of expertise and rich sources of guidance and leading models in the areas they cover: ISACA in the world of governance of enterprise IT (GEIT) with COBIT, and CMMI in the world of enterprise process maturity.

Together, we have teamed up to create a new product that leverages the deep guidance available within each of the models. Specifically, COBIT 5 and the CMMI maturity models each have extensive guidance in establishing practices that permit users to better align stakeholder requirements with the utilization of IT-enabled investments; using them both together can yield a resultant value that is greater than the sum of their respective parts.

Many users of framework products look for mapping tools to assist them in using both models or to reduce initial planning and implementation resources needed to bring the second model into use. Mapping tools serve a useful purpose in that regard but have always had one significant drawback: They only attempt to reveal direct connection points between the models being mapped. That serves to speed up implementation time for the second model, but is limiting in the degree to which it unlocks the additional value that using that second model could bring.

The other issue that comes up with traditional mapping tools is that they are designed to be used in one direction only. That is, a user looks up an element in model A and finds which element or elements in model B relate are related. What if you want to start with an element in model B? That element likely exists in multiple places throughout the map and isn’t easy to isolate to determine what in model A is related. These traditional maps are unidirectional.

ISACA and CMMI saw an opportunity in this gap to produce a tool between COBIT 5 and the CMMI maturity model. Called the COBIT 5 CMMI Practices Pathway Tool, users will now be able to quickly and easily navigate from either COBIT 5 or CMMI and uncover relevant guidance in the other model. This bidirectional capability is unique and will permit users greater flexibility in deriving value from the tool.

The tool is built in Excel to provide access to a larger number of people. It takes advantage of native functionality in Excel and uses filtering to provide a quick and easy means of selecting elements of interest. There also is a guidance document with the tool to better describe its function and use.

The end result will be the ability for business IT practitioners to deliver additional value to their stakeholders.

Integrated Content Libraries – What You Should Know and Questions to Ask

Having worked for most of the “Big Four” as well as several boutique consultancies, I have witnessed a well-marketed shift and the birth of a new industry as it pertains to integrated regulatory content. When I refer to integrated regulatory content, I mean taking statements from individual sources and mapping those to a single control statement. For example, PCI 3.2, Requirement 2.1 states that default account passwords for accounts shipped with a Commercial Off The Shelf (COTS) product should be changed.

Similarly, supplemental guidance from control enhancement 5, of the SA-4 control family of NIST SP 800-53r4, mentions very similar control language. In an integrated framework, one would have a single control named something such as “Access Management – Password Management – Default Accounts,” and both the language from NIST 800-53r4 and PCI would be mapped to that single integrated requirement as opposed to managing similar requirements independently across frameworks. This mapping would ostensibly allow one to create controls and control procedures that could reduce testing and compliance efforts within most organizations.

What used to exist in separate, industry-centric silos has now been ported into frameworks with the promise of “test once and satisfy many.” Every risk consulting firm I worked for had a matrix that we tried to leverage to help our customers consolidate controls and testing efforts. Now, we have companies such as the HITRUST Alliance and the Unified Compliance Framework that base their entire business off the integrated content they produce.

We also have consortiums of volunteers such as those that support the Cloud Security Alliance’s Common Controls Matrix. Integrated content is generating tens of millions of dollars a year in content and professional services work, but for 95 percent of the regulatory content out there, it is free to use.

Companies now exist with business based solely upon integrated framework content. As I look at the landscape, there are many attributes of content libraries that one should question before investing in an integrated content library. The list I have generated is as follows:

Who Mapped This?

You want mappings to be done by people that know IT risk, security and controls. Having credible personnel can reduce mismappings and reduce potential doubt as your integrated library further permeates your organization.

Are there proprietary sources in use? If so, do you have the proper licensing with the source bodies?

I have worked for multiple firms that baked ISO, COBIT 5 and other proprietary frameworks into their source content. Companies need to ensure they have more than a single purchased license of documents that are to be purchased on an individual basis. Ask the question so there are no surprises or lawsuits as you move forward.

Are there other integrated source libraries mapped?

HITRUST and the CSA CCM are already integrated , so effectively mapping those frameworks to another integrated framework is not feasible. Be wary of anyone that is mapping already integrated frameworks into a proprietary framework as they likely do not understand the impact of issues to the data model.

How does content get updated?

Will you receive an email? Will you receive the update in XML or CSV? Is it a feed or manually provided? Will you have to have someone take the data and apply it to your GRC environment and then perform testing to ensure it was applied correctly?

How frequent are updates implemented?

Some content providers do not provide updates. Any upkeep is the responsibility of the client. Others provide quarterly updates and some use an ad-hoc schedule. If you have to be PCI compliant and need that mapped into your framework by a specific timeline, you need to have a good understanding of the timing for when the PCI update will hit your framework or you may have to map manually.

What is your QA process?

What tools and techniques are used to ensure that mappings are comprehensive? What personnel do you have who are qualified to perform content-specific mapping quality assurance? Do you look for issues in copy and paste translations, or do you search for syntax errors? Do you embed HTML in your mapping content? All of these are questions to ask about the quality of what you get from a library.

How many customers do you have in my industry?

Many libraries are heavy on financial services content because they are one of the most highly regulated industries. If you are a healthcare entity or industrial power supply organization, ask how many other peer companies use their content and request to speak with representatives of those companies to help reduce headaches down the road.

I do not use 70 percent of the mappings in your library, so why am I paying for them?

Often, I have seen companies paying for a library of 200 sources, but they really only use 30 of those. Ask what the cost is if you just pay for the 30 that you need, as you should not be held to paying for a universe of content that does not apply to your company. Also, I have seen companies using sliding pricing models based upon the company size. A Fortune 50 company may be paying 100 percent more than a smaller entity in some cases. This is another area where speaking with a broad swath of the customer base before you buy can be critical.

Aside from cost, also inquire about how to reduce the noise of the library. Most robust sources have hundreds or thousands of regulatory sources mapped to them. It is likely your organization only needs a percentage of those, so ask how you can ensure that unnecessarily mapped content does not show up in your content universe.

How do new sources get vetted for evaluation into your framework?

Gaining an understanding of the evaluation and mapping process for new sources is important. Often, it’s critical mass that drives a mapping priority, but sometimes it is a high-profile client of the integrated library content provider that gets mapping moved up on the docket. Know the process that applies to your library and get an understanding of what you may need to make your requirements a priority.

What is the data model as it pertains to sources, source sections and control statements?

Understand the relationships that are in place among the decomposed layers of the content library. Some content providers try to differentiate on their library content data model. Getting perspective from a technical resource that understands database relationships can be very useful in this scenario, as they can help to analyze and validate the layout of the content from a relational perspective. This can be important if the data model is overly complex.

What if any subjective work has been performed on the content that is not germane to the content itself?

The question likely does not make sense upon first reading it, but knowing the answer can be impactful. Once you buy content and begin to integrate it, if you learn facts about the content along the way, it may be too difficult to turn back. For example, some content libraries provide subjective key and non-key control delineations for integrated requirements out of the box. If one begins to implement using those delineations without any rationalization for the control based upon the environment or the system at hand, those definitions could impact testing cycles and associated level of effort. Ask your provider if they have subjectively done anything to their library that may impact your organization’s implementation of the content.

How searchable and filterable is the content?

Get clarity on how the content is presented for consumption and analysis. UCF has a very nice front end that they use to create cuts of library content and produce filterable results. Most libraries I have seen in the past exist in large Excel files where filtering and reporting is limited to Excel’s capabilities. To make effective use of the content, you will likely need to port it into a GRC tool or a database. Make sure to gain perspective on searching and filtering as content is extended to the user.

What are the licensing terms?

If you are paying more than US $10,000 a year in content that is largely free, you are getting taken. When feasible, do not sign up for multi-year agreements, especially initially. Take your first year and learn how the content will impact your organization. Ask if you can try the content for a period of time before purchasing. This gives you time to investigate and perform due diligence.

Will the content stand up in a court of law?

I have spoken to peers who believe that integrated regulatory content, especially from those one-off sources, may have trouble being defended in a court of law should due diligence, due care and compliance questions come into play. Many of my peers feel that in a court system, only those well-respected and industry-vetted sources would be resolute enough to endure scrutiny, so ask your content provider if they have perspective to share on that topic.

Mapping can be difficult and time-intensive. Companies are fearful of a mismapping or a missed mapping, which could call their libraries into question from completeness and accuracy perspectives. Before purchasing integrated content, ask to speak with current customers of the content and dig into the details. You may be surprised at what you find.

Support Design Should Begin at the Start

Everyone can think of a moment when they have experienced a problem with goods or services. Everyone can also think of a moment after the problem that…wait for it (drumroll)…there was poor customer support or no support at all.

So where does the disconnect between an enterprise’s strategic objectives and its failure in the eyes of the customer begin? Could this failure have been avoided from the start?

Here’s how it happens:  Oftentimes an enterprise reviews its strategic plan, which is a process that often generates new ideas and a new focus on how to achieve its objectives. A critical factor in achieving these objectives is IT. As part of this effort business cases are created and reviewed with due diligence and care, focusing on risk analysis, costing and other key planning issues. Approvals are given at various levels, and once the green light is reached, we then develop the product/service/upgrade, with implementation to follow.

Imagine that all of the above stages are completed and the enterprise has just successfully launched a new service to customers through its digital channel. The product is marketed well and it is disruptive, so this results in huge demand from customers. At this point it may seem that all is well and good; however, as with all things, problems are going to occur and customers (internal/external) will be affected.

This is where the true test begins and where many enterprises fail because proper support systems were not put in place at the start. There are several reasons why this can occur, including a lack of foresight at the beginning, a focus on being first to market over competition, improper resource analysis, a lack of training, a poorly developed service level agreement (SLA) or no SLA review.

Just as security and risk are key considerations, proper support mechanisms should be considered when implementing your enterprise IT governance structure since this is a form of risk mitigation in itself. You can implement the most state of the art IT infrastructure that strategically aligns with your enterprise’s objectives and delivers super-fast service; however, if there is no support for the 100 percent certainty that something will go wrong, then all becomes useless. Design your framework so that failures are welcomed and not left to chance.

The Future of COBIT—We Need Your Input

It is time to consider the next evolution of the COBIT framework beyond COBIT 5—and here is your chance to play an important role.

As you are well aware, COBIT is the premier IT governance framework, helping organizations around the world realize significant value. ISACA is seeking your help to ensure that COBIT continues to evolve as a vibrant framework that encompasses the new capabilities and threats (Internet of Things, big data, cyber security, DevOps, etc.) constantly arising in the world of IT governance.

We are in the process of evaluating and fundamentally changing COBIT to better serve COBIT users and would like to get your feedback and thoughts. A key part of the evaluation process is our belief that, to fully enable organizations worldwide, we recommend changing the delivery model by providing COBIT-as-a-Service (CaaS).

As a starting point, we have considered usage feedback and market data of existing COBIT 5 and COBIT 4.1 frameworks, as well as enhancements leveraging the recent acquisition of the CMMI Institute.

What We Know:

  • COBIT is highly regarded as the single comprehensive IT framework and has excellent brand recognition globally.
  • There are no direct competitors with “like” products that include IT audit, cyber security, IT risk, IT governance and business principles.
  • COBIT 5 is 5 years old and it needs to be dynamically updated going forward.
  • Key industry trends of crowdsourcing and open sourcing solutions improve relevance of products.

We Want Your Input on This New Idea—Providing COBIT-as-a-Service (CaaS):

  • Provide a fully-online, interactive COBIT framework, COBIT Implementation, COBIT Enabling Processes and COBIT Enabling Information to ALL. Crowdsource to members and non-members to ensure currency in a dynamic and changing environment through frequent content refresh.
  • Determine whether we need to provide oversight to updates or leave it up to the practitioner base to address any issues that arise.
  • Add additional domains and industry-specific content with data tags to allow users to create a custom/tailored COBIT to allow many different views of COBIT—e.g., by subject area, by role, by industries, etc.
  • Partner with internal (e.g., CMMI) and external organizations to go deeper in areas of expertise (e.g., cyber security), and also with organizations that go outside the traditional areas of focus for COBIT (e.g., IT supporting product development).
  • Provide cross-linkage to externally referenced frameworks (e.g., ITIL).
  • Create unique and relevant principles, policies, processes, practices and tools for specific industries (e.g., health care) and audiences (e.g., privacy).
  • Develop a digital platform (mobile/web) for viewing, updating and using COBIT content.
  • Build a broader community of experts and involve them in thought leadership.

We Need Your Help to Achieve This Future State
Please provide your thoughts and comments on the vision for COBIT by 1 December, and let us know what else you would like by emailing [email protected].

About the authors:

John Lainhart, CISA, CISM, CGEIT, CRISC, CIPP/G, CIPP/US, serves as the Cybersecurity Fellow, emeritus for IBM’s Center for the Business of Government. He is also on the Board of Directors of George Washington University’s Center for Cyber and Homeland Security, serves on the Cyber Maryland Advisory Board and as an advisor to the ISACA Board of Directors.

Matthew Conboy, CISA, is a strategic operations manager at Cigna, and has over 10 years of experience leading and consulting within the strategy, project execution and risk/audit domains, with special focus on the bridge between IT and Business. Since 2008 he has been on the board of his local Greater Hartford Connecticut (GHC) ISACA chapter, and currently is the chapter’s vice president and chair of the Education and Marketing and Communications Committees.

Frank Schettini, MBA, is Chief Innovation Officer of ISACA. Prior to joining ISACA, he worked as vice president of information technology at Project Management Institute (PMI). His experience includes more than 30 years in various industries in the areas of strategic planning; project, program and portfolio management; process improvement; enterprise architecture; and change management.

Poland’s Supreme Audit Office Chooses COBIT 4.1 To Assess IT Security

In a testament to COBIT's universal acceptance, the Supreme Audit Office of Poland (NIK) recently used the COBIT 4.1 framework to assess the level of security of the major IT systems used by Poland’s government agencies.

The process began in 2014 when the NIK reviewed the involvement and performance of Poland’s government agencies to ensure IT security. The results of the review, published last year, showed that Poland, at the state level, was not prepared to deal with the serious threats coming from cyberspace.

To address this major cybersecurity shortcoming, the NIK decided to verify the security of the information processed in the information systems the state relies upon to operate. The audit, using COBIT 4.1, included 6 systems managed by different ministries and government agencies.

To achieve an objective and comparable assessment of the level of security management of the selected systems, the NIK decided to use the control objectives of process DS5 Ensure Systems Security, as the source of the control objectives and process maturity model for the audit. The COBIT framework is recommended to supreme audit institutions in the "INTOSAI GOV 9100 Guidelines for Internal Control Standards for the Public Sector" and the "WGITA – IDI Handbook on IT Audit for Supreme Audit Institutions" developed by the INTOSAI Development Initiative (IDI).

The audit found only one government agency’s systems security was assessed to be at level 3, meaning it had a defined DS5 process (see diagram below). Three agencies were at level 2, meaning the process was repeatable. Two were at level 1, which are initial or ad hoc processes.

The results of the audit were recently published in Polish on the NIK's web site. They were also presented by Krzysztof Kwiatkowski, president of the Supreme Audit Office of Poland during CyberGOV, an important conference on cyber security for the public sector in Poland.

In its report, the NIK also included conclusions on its findings and recommendations for the audited organizations as well as specific recommendations for the Ministry of Digitization, which is responsible for coordinating cybersecurity in Poland. The significance of the findings has been widely commented on and analyzed by stakeholders responsible for implementing the NIK’s recommendations.

Since the report was completed, there has been a rise in interest in the COBIT framework and the ISACA Cybersecurity Nexus (CSX) program in Poland. Poland’s two ISACA chapters have been busy answering questions and providing guidance on how to implement governance and security processes that can enable Poland to deal with cyber security threats.

ISACA has since released COBIT 5 in Polish. The following processes are recommended to prepare an audit of Information Security:
APO13 Manage Security
DSS05 Manage Security Services
MEA02 Monitor, Evaluate and Assess the System of Internal Control

COBIT publications in Polish include COBIT 5 Framework, COBIT 5 for Risk, COBIT 5 for Information Security, COBIT Process Assessment Model (PAM):  Using COBIT 5, and COBIT Self-assessment Guide:  Using COBIT 5. In addition to English, COBIT materials are also available in the following languages:


View Large Graphic.


COBIT recently celebrated its 20th anniversary. For fun graphics, highlights and more information click here.

Process Improvement for Management of IT-related Processes

Most organizations have objectives for quality and improvement. Enterprises want employees to continually look for opportunities that fuel effectiveness and strengthen the company. The improvement theme is both a nice to have and a basis to survive, providing a direction to get better and a model for personal behavior and work culture. The basic improvement model is one of common sense, similar to those used in psychology and coaching. It can be teamed with any process reference model.

The improvement model has evolved over time with influences from many thought leaders, good practices and industries, including Dr. Edwards Deming, a key influence with the Plan-Do-Check-Act (PDCA) cycle (preferred over Guess-Do-Pray-Hope); John Kotter with organizational change; international standards such as those from the International Organization for Standardization (ISO), ISO 90001 for Quality, ISO 20000 for IT Service Management, ISO 27001 for IT Security; COBIT, ITIL, the National Institute of Standards and Technology (NIST) and Project Management Body of Knowledge (PMBOK), all of which incorporate or support improvement themes; and, Six Sigma programs, which have an improvement phase and so should you.

How do you do it? You can hire a Six Sigma person or you can do it yourself. It’s not difficult. For most of you, read a book or gain some awareness. ISACA offers a book titled COBIT® 5 Implementation in the COBIT product family. While the focus is on implementing governance of enterprise IT, one could add an alternative title:  Process Improvement for Management of IT-related Processes.

The book highlights a cycle of phases and component parts, all building on good practices. The 7 phases of the COBIT® 5 Implementation lifecycle include:

  1. What Are the Drivers?
  2. Where Are We Now?
  3. Where Do We Want To Be?
  4. What Needs To Be Done?
  5. How Do We Get There?
  6. Did We Get There?
  7. How Do We Keep the Momentum Going?

Each phase is supported by 3 components:  program management (PM), change enablement (CE) and continual improvement (CI). This is a good practice approach. 

As an example, the components of the first 3 phases include:

  1. What are the drivers?
    1. CI - Recognize the need to act
    2. CE -Establish a desire to change
    3. PM - Initiate a program
  2. Where we are today?
    1. CI - Assess the current state
    2. CE - Form a team
    3. PM - Define opportunities or challenges
  3. Where do we want to be?
    1. CI - Define the target state
    2. CE - Communicate the desired outcome
    3. PM - Define a roadmap

Each component has suggested or potential key activities, inputs and outputs. Warning:  If you miss addressing any of these phases or components, or get overly creative with the order, you might increase the risk of failure. Like software, avoid customization.

Where to Start?
Where to start? Pain points and triggers are obvious. To gain a quick win and show how it is done, consider focusing on one process—your favorite process.

The COBIT 5 Implementation book gives you a starting place—allowing you to move forward with confidence on a solid foundation. Think of it as a playbook or recipe. Project managers like the 3 components as they address areas of frequent challenge, such as change enablement. Copy and save this model into your head and project templates.

COBIT 5 Implementation offers all of us consistent context and structure for current or potential activities. It contributes to the success of you and your team. The focus is on people—all of us; up, down and across the organization in any business line.  

Editor’s note:  John Jasinski holds all ISACA certifications and certificates and teaches COBIT. He is an ISACA member and has been an active volunteer at local and international levels since 2006. COBIT 5 Implementation is available as a free PDF download for ISACA members. The printed hard copy is available from the ISACA bookstore. John suggests you buy a bunch and share them with your team. COBIT is currently celebrating its 20th anniversary. Learn more here.

Implementing the NIST Cybersecurity Framework Using COBIT

There is no argument that today’s cybersecurity attacks are likely a foreshadowing of more intense and harmful events to come, as seen by the growth of such incidents in the last few years alone. Cyber attackers have both the desire and the means to conduct these offenses, are organized, well supported and use more sophisticated methods. 

Intersect this with the fact that our society has become highly dependent on the use of technology and connectivity through things such as mobile devices, Internet of Things (IoT), and demands to share information quickly, the need to protect against cybersecurity attacks is paramount. Couple these scenarios with the ever-increasing threats to critical infrastructure, and the stakes grow exponentially.

Recognition that the U.S. needed broad safeguards against attacks that could disrupt critical systems led President Barack Obama to issue Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity. The order directs the government, in collaboration with industry, to develop a voluntary risk-based cybersecurity framework. EO 13636 states:  “Repeated cyber intrusions into critical infrastructure demonstrate the need for improved cybersecurity. The cyber threat to critical infrastructure continues to grow and represents one of the most serious national security challenges we must confront.”

The EO 13636 initiatives include:

  • Develop a technology-neutral voluntary cybersecurity framework
  • Promote and incentivize adoption of cybersecurity practices
  • Increase volume, timeliness and quality of cyber threat information sharing
  • Incorporate strong privacy and civil liberties protections into every initiative to secure critical infrastructure
  • Explore the use of existing regulation to promote cyber security

In response to the order, the National Institute of Standards and Technology (NIST) collaborated with ISACA and industry partners to create a risk-based framework focused on cybersecurity. This framework, the Cybersecurity Framework (CSF), supports quick wins by using an iterative approach to adopting a stronger cybersecurity posture. 

The CSF’s components include the framework core, implementation tiers and profiles. The framework core consists of five functions (identify, protect, detect, respond and recover) and includes activities, desired outcomes, and applicable references (COBIT, for example). Implementation tiers provide context and identify the degree to which practices exhibit the characteristics defined in the framework (comparable to COBIT process capability levels) and range from tier 1, partial to tier 4, adaptive. Profiles are outcomes based on business needs. This is the analysis of current and target profiles which help determine the prioritization of efforts based on risk.  Additionally, the CSF provides implementation guidance using an iterative, flexible seven-step process.

The adoption of a framework in an enterprise can typically be boiled down to two general approaches:  1) a gradual approach, starting small and building on initial successes, and 2) going “all in” across the enterprise.

Regardless of type or size of target environment, it is generally best to use a gradual approach, which is exactly why this is a great fit with COBIT. COBIT is principles-based, provides a holistic approach for adoption of governance and management of enterprise IT, has a solid implementation methodology, and the assessment program offers a great approach based on industry standards. Therefore, COBIT is a natural fit to adopting not only governance of enterprise IT (GEIT), but cybersecurity practices based on the CSF, as well.

Figure 1 below shows the alignment between the CSF and COBIT’s implementation steps and principles.

Figure 1—Implementation Alignment of NIST and COBIT

Organizations execute policies and deliver services through the use of processes, practices and activities. In order to adopt the cybersecurity needs within an organization, it makes sense to leverage a framework that already has industry recognition with regard to processes. COBIT’s process reference model is a well-organized and helpful reference, fitting nicely with the CSF, which, ultimately, helps enterprises achieve the governance objective of realizing benefits while optimizing risks and resources.

COBIT is also consistent with generally accepted corporate governance standards and maps to a multitude of relevant standards, frameworks and bodies of knowledge that help create a common language between IT and business yielding a more holistic, integrated and complete view of enterprise governance and management of enterprise IT that is ultimately based on stakeholder needs.

If you are looking for a more detailed and informative discussion on using the CSF and COBIT in your environment, you should consider coming to the 2016 GRC Conference 22-24 August in Fort Lauderdale, Florida, USA. There will be a pre-conference course that dives into the steps of the CSF implementation cycle using COBIT. Click here to register.

Editor’s note:  Thomas will present The Intersection of IT and Audit by Leveraging COBIT 5 at the 2016 GRC Conference. COBIT recently celebrated its 20th Anniversary. Thomas will serve as the master of ceremonies for the GRC Conference.

Implementation Life Cycle “Posterized” in Free COBIT 5 Download

COBIT 5’s Seven Phases of the Implementation Life Cycle have been “posterized” into a free download that illustrates the framework’s program management, change enablement and continual improvement life cycle.

The poster is part of the COBIT 5 framework for the governance and management of enterprise IT, which is highly valued by commercial, not-for-profit and public-sector organizations. Enterprise executives, IT professionals and business consultants depend on its globally accepted principles, practices, analytical tools and models to drive business value from trusted information and technology. Among the more popular elements from COBIT® 5 are the diagrams illustrating important practical concepts.

The July COBIT 5 poster centers on the Seven Phases of the Implementation Life Cycle diagram. The seven phases include:

Phase 1—What Are the Drivers? Which identifies current change drivers and creates at executive management levels a desire to change that is then expressed in an outline of a business case.
Phase 2—Where Are We Now? Which aligns IT-related objectives with enterprise strategies and risk, and prioritizes the most important enterprise goals, IT-related goals and processes.
Phase 3—Where Do We Want To Be? Which sets a target for improvement followed by a gap analysis to identify potential solutions. Some solutions will be quick wins and others more challenging, long-term tasks.
Phase 4—What Needs To Be Done? Which plans feasible and practical solutions by defining projects supported by justifiable business cases and developing a change plan for implementation.
Phase 5—How Do We Get There? Which provides for the implementation of the proposed solutions into day-to-day practices and the establishment of measures and monitoring systems to ensure that business alignment is achieved and performance can be measured.
Phase 6—Did We Get There? Which focuses on sustainable transition of the improved governance and management practices into normal business operations and monitoring achievement of the improvements using the performance metrics and expected benefits.
Phase 7—How Do We Keep the Momentum Going? Which reviews the overall success of the initiative, identifies further governance or management requirements and reinforces the need for continual improvement. It also prioritizes further opportunities to improve GEIT.

COBIT® 5 – The Seven Phases of the Implementation Life Cycle

View Full Size PDF

Previous COBIT 5 posters of the month include:

June 2016:  COBIT 5—Summary of Process Capability Model
May 2016:  COBIT 5—Process Reference Model
April 2016:  COBIT 5—Governance and Management Key Areas
March 2016:  COBIT 5—Enterprise Enablers
February 2016:  Roles, Activities and Relationships
January 2016:  Goals Cascade
December 2015: Governance Objective: Value Creation
November 2015: COBIT 5 Principles

For more information on COBIT 5 click here, and to see/download all of the COBIT 5 posters, click here.

1 - 10 Next