Business leaders must take accountability for governing and managing IT-related assets within their units and functions just as they would other assets, such as those involving physical plant or human resources.
This is critical as achieving enterprise goals becomes increasingly interconnected with successfully managing and governing its technology. COBIT 5 provides the framework needed to connect business goals with IT goals while utilizing non-technical, business language, as explored in a recent ISACA podcast. John Jasinski, a COBIT certified assessor, discusses the framework’s core principles and enablers, and ways in which enterprises can successfully leverage them.
“The main purpose of the governance of enterprise IT is to achieve strategic alignment of information and related technology with the goals of the enterprise,” Jasinski said. “However, a continuing challenge for enterprises is how to achieve and maintain the alignment as stakeholder needs and enterprise goals change. The COBIT goals cascade provides context, structure and content for consistency of goals and meeting stakeholder needs.”
The COBIT 5 goals cascade provides a model to define and link enterprise goals and IT goals in support of stakeholder needs.
Decisions on how to utilize IT assets and resources should be made by business managers in an overall governance and management context, according to Jasinski. Directors should govern IT through three main tasks:
- Evaluate the current and future use of IT;
- Direct implementation of plans and policies to ensure the use of IT meets business objectives;
- Monitor conformance to policies and performance against the plans.
COBIT 5, which aligns with other relevant standards and frameworks used worldwide, provides a technology-agnostic common language to more effectively address information and cyber security, risk, vendor management, cloud controls and many other challenges faced by enterprises. Distinctions between governance and management also are addressed.
“If you’re looking for context, structure and content to address your biggest digital business challenges and opportunities, you must have an understanding of the COBIT goals cascade, enabling processes and the entire COBIT library,” Jasinski said. “COBIT can help you understand how to connect all the dots, and fit the puzzle pieces together. This is important stuff.”
Further ISACA insights on the topic can be found in the white paper, “COBIT 5 Principles: Where Did They Come From?”
Editor’s note: The ISACA Podcast is now available on iTunes, Google Play and SoundCloud. Listen to experts in cyber security, audit, governance and more as they explain the latest trends and issues facing professionals.
ISACA and CMMI each have a deep well of expertise and rich sources of guidance and leading models in the areas they cover: ISACA in the world of governance of enterprise IT (GEIT) with COBIT, and CMMI in the world of enterprise process maturity.
Together, we have teamed up to create a new product that leverages the deep guidance available within each of the models. Specifically, COBIT 5 and the CMMI maturity models each have extensive guidance in establishing practices that permit users to better align stakeholder requirements with the utilization of IT-enabled investments; using them both together can yield a resultant value that is greater than the sum of their respective parts.
Many users of framework products look for mapping tools to assist them in using both models or to reduce initial planning and implementation resources needed to bring the second model into use. Mapping tools serve a useful purpose in that regard but have always had one significant drawback: They only attempt to reveal direct connection points between the models being mapped. That serves to speed up implementation time for the second model, but is limiting in the degree to which it unlocks the additional value that using that second model could bring.
The other issue that comes up with traditional mapping tools is that they are designed to be used in one direction only. That is, a user looks up an element in model A and finds which element or elements in model B are related. What if you want to start with an element in model B? That element likely exists in multiple places throughout the map and isn’t easy to isolate to determine what in model A is related. These traditional maps are unidirectional.
ISACA and CMMI saw an opportunity in this gap to produce a tool linking COBIT 5 and the CMMI maturity model. Called the COBIT 5 CMMI Practices Pathway Tool, it lets users quickly and easily navigate from either COBIT 5 or CMMI and uncover relevant guidance in the other model. This bidirectional capability is unique and will permit users greater flexibility in deriving value from the tool.
The tool is built in Excel to provide access to a larger number of people. It takes advantage of native functionality in Excel and uses filtering to provide a quick and easy means of selecting elements of interest. There also is a guidance document with the tool to better describe its function and use.
The end result will be the ability for business IT practitioners to deliver additional value to their stakeholders.
Having worked for most of the “Big Four” as well as several boutique consultancies, I have witnessed a well-marketed shift and the birth of a new industry as it pertains to integrated regulatory content. When I refer to integrated regulatory content, I mean taking statements from individual sources and mapping those to a single control statement. For example, PCI 3.2, Requirement 2.1 states that default account passwords for accounts shipped with a Commercial Off The Shelf (COTS) product should be changed.
Similarly, supplemental guidance from control enhancement 5 of the SA-4 control family of NIST SP 800-53r4 mentions very similar control language. In an integrated framework, one would have a single control named something such as “Access Management – Password Management – Default Accounts,” and both the language from NIST 800-53r4 and PCI would be mapped to that single integrated requirement as opposed to managing similar requirements independently across frameworks. This mapping would ostensibly allow one to create controls and control procedures that could reduce testing and compliance efforts within most organizations.
What used to exist in separate, industry-centric silos has now been ported into frameworks with the promise of “test once and satisfy many.” Every risk consulting firm I worked for had a matrix that we tried to leverage to help our customers consolidate controls and testing efforts. Now, we have companies such as the HITRUST Alliance and the Unified Compliance Framework that base their entire business off the integrated content they produce.
We also have consortiums of volunteers such as those that support the Cloud Security Alliance’s Common Controls Matrix. Integrated content is generating tens of millions of dollars a year in content and professional services work, but for 95 percent of the regulatory content out there, it is free to use.
Companies now exist with business based solely upon integrated framework content. As I look at the landscape, there are many attributes of content libraries that one should question before investing in an integrated content library. The list I have generated is as follows:
Who Mapped This?
You want mappings to be done by people that know IT risk, security and controls. Having credible personnel can reduce mismappings and reduce potential doubt as your integrated library further permeates your organization.
Are there proprietary sources in use? If so, do you have the proper licensing with the source bodies?
I have worked for multiple firms that baked ISO, COBIT 5 and other proprietary frameworks into their source content. Companies need to ensure they have more than a single purchased license of documents that are to be purchased on an individual basis. Ask the question so there are no surprises or lawsuits as you move forward.
Are there other integrated source libraries mapped?
HITRUST and the CSA CCM are already integrated, so effectively mapping those frameworks to another integrated framework is not feasible. Be wary of anyone that is mapping already integrated frameworks into a proprietary framework, as they likely do not understand the impact on the data model.
How does content get updated?
Will you receive an email? Will you receive the update in XML or CSV? Is it a feed or manually provided? Will you have to have someone take the data and apply it to your GRC environment and then perform testing to ensure it was applied correctly?
How frequently are updates implemented?
Some content providers do not provide updates. Any upkeep is the responsibility of the client. Others provide quarterly updates and some use an ad-hoc schedule. If you have to be PCI compliant and need that mapped into your framework by a specific timeline, you need to have a good understanding of the timing for when the PCI update will hit your framework or you may have to map manually.
What is your QA process?
What tools and techniques are used to ensure that mappings are comprehensive? What personnel do you have who are qualified to perform content-specific mapping quality assurance? Do you look for issues in copy and paste translations, or do you search for syntax errors? Do you embed HTML in your mapping content? All of these are questions to ask about the quality of what you get from a library.
How many customers do you have in my industry?
Many libraries are heavy on financial services content because they are one of the most highly regulated industries. If you are a healthcare entity or industrial power supply organization, ask how many other peer companies use their content and request to speak with representatives of those companies to help reduce headaches down the road.
I do not use 70 percent of the mappings in your library, so why am I paying for them?
Often, I have seen companies paying for a library of 200 sources, but they really only use 30 of those. Ask what the cost is if you just pay for the 30 that you need, as you should not be held to paying for a universe of content that does not apply to your company. Also, I have seen companies using sliding pricing models based upon the company size. A Fortune 50 company may be paying 100 percent more than a smaller entity in some cases. This is another area where speaking with a broad swath of the customer base before you buy can be critical.
Aside from cost, also inquire about how to reduce the noise of the library. Most robust sources have hundreds or thousands of regulatory sources mapped to them. It is likely your organization only needs a percentage of those, so ask how you can ensure that unnecessarily mapped content does not show up in your content universe.
How do new sources get vetted for evaluation into your framework?
Gaining an understanding of the evaluation and mapping process for new sources is important. Often, it’s critical mass that drives a mapping priority, but sometimes it is a high-profile client of the integrated library content provider that gets mapping moved up on the docket. Know the process that applies to your library and get an understanding of what you may need to make your requirements a priority.
What is the data model as it pertains to sources, source sections and control statements?
Understand the relationships that are in place among the decomposed layers of the content library. Some content providers try to differentiate on their library content data model. Getting perspective from a technical resource that understands database relationships can be very useful in this scenario, as they can help to analyze and validate the layout of the content from a relational perspective. This can be important if the data model is overly complex.
What, if any, subjective work has been performed on the content that is not germane to the content itself?
The question likely does not make sense upon first reading it, but knowing the answer can be impactful. Once you buy content and begin to integrate it, if you learn facts about the content along the way, it may be too difficult to turn back. For example, some content libraries provide subjective key and non-key control delineations for integrated requirements out of the box. If one begins to implement using those delineations without any rationalization for the control based upon the environment or the system at hand, those definitions could impact testing cycles and associated level of effort. Ask your provider if they have subjectively done anything to their library that may impact your organization’s implementation of the content.
How searchable and filterable is the content?
Get clarity on how the content is presented for consumption and analysis. UCF has a very nice front end that they use to create cuts of library content and produce filterable results. Most libraries I have seen in the past exist in large Excel files where filtering and reporting is limited to Excel’s capabilities. To make effective use of the content, you will likely need to port it into a GRC tool or a database. Make sure to gain perspective on searching and filtering as content is extended to the user.
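Several of the questions above describe the same underlying structure: the bidirectional navigation the Pathway Tool post promises, the many-to-one mapping of source requirements (the PCI Requirement 2.1 and NIST SA-4(5) example) onto one integrated control, the need to trim the library to the sources you are actually subject to, and the source/section/control data model. The following is an added example, not code from ISACA, UCF, HITRUST or any content vendor: a small Python model of an integrated control library with forward and reverse indexes, an applicability filter, and a lint pass for the orphan-control and already-integrated-source problems discussed above. The control IDs, all source sections other than PCI Req 2.1 and NIST SA-4(5), and every mapping decision are constructed for illustration only.

```python
"""Integrated control library with bidirectional lookup (added example, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SourceSection:
    """One requirement in one regulatory source, e.g. PCI DSS 3.2 / Req 2.1."""
    source: str
    section: str


class ControlLibrary:
    """Integrated control statements plus forward and reverse indexes.

    forward: SourceSection -> ids of integrated controls it maps to (model A -> model B)
    reverse: integrated control id -> SourceSections mapped to it (model B -> model A)
    Both indexes are maintained on every add_mapping() call, so a lookup in
    either direction is a dictionary hit rather than a scan of a flat map.
    """

    def __init__(self, integrated_sources=()):
        self.controls = {}                       # control id -> statement text
        self.forward = defaultdict(set)
        self.reverse = defaultdict(set)
        # Sources that are themselves integrated libraries (HITRUST, CSA CCM, ...);
        # mapping those into another integrated library is flagged by lint().
        self.integrated_sources = set(integrated_sources)

    def add_control(self, control_id, statement):
        self.controls[control_id] = statement

    def add_mapping(self, source, section, control_id):
        if control_id not in self.controls:
            raise KeyError(f"unknown integrated control {control_id!r}")
        ref = SourceSection(source, section)
        self.forward[ref].add(control_id)
        self.reverse[control_id].add(ref)

    def controls_for(self, source, section):
        """Which integrated controls satisfy this source section?"""
        return set(self.forward.get(SourceSection(source, section), ()))

    def sections_for(self, control_id):
        """Which source sections does this integrated control cover?"""
        return set(self.reverse.get(control_id, ()))

    def applicable_controls(self, applicable_sources):
        """Reduce noise: keep only controls backed by a source you are subject to.

        Returns {control_id: {SourceSection, ...}} with only applicable sections.
        """
        keep = set(applicable_sources)
        result = {}
        for control_id, refs in self.reverse.items():
            hits = {r for r in refs if r.source in keep}
            if hits:
                result[control_id] = hits
        return result

    def lint(self):
        """Completeness and accuracy checks to run before trusting a library."""
        findings = []
        for control_id in self.controls:
            if not self.reverse.get(control_id):
                findings.append(f"orphan control {control_id}: no source section maps to it")
        for ref, ids in self.forward.items():
            if ref.source in self.integrated_sources:
                findings.append(f"{ref.source} {ref.section}: already-integrated source mapped in")
            if len(ids) > 1:
                findings.append(f"{ref.source} {ref.section}: maps to {len(ids)} controls, confirm intent")
        return findings


def build_sample_library():
    """Constructed sample data; only the first two mappings come from the post."""
    lib = ControlLibrary(integrated_sources={"HITRUST CSF", "CSA CCM"})
    lib.add_control("AM-PM-DA", "Access Management - Password Management - Default Accounts")
    lib.add_control("AM-PM-PC", "Access Management - Password Management - Password Complexity")
    lib.add_control("LM-RET", "Log Management - Audit Log Retention")
    lib.add_control("OR-01", "Constructed orphan control with no source mapping")
    lib.add_mapping("PCI DSS 3.2", "Req 2.1", "AM-PM-DA")
    lib.add_mapping("NIST SP 800-53r4", "SA-4(5)", "AM-PM-DA")
    lib.add_mapping("PCI DSS 3.2", "Req 8.2.3", "AM-PM-PC")      # constructed mapping
    lib.add_mapping("NIST SP 800-53r4", "IA-5(1)", "AM-PM-PC")   # constructed mapping
    lib.add_mapping("PCI DSS 3.2", "Req 10.7", "LM-RET")         # constructed mapping
    lib.add_mapping("HITRUST CSF", "01.d", "AM-PM-PC")           # constructed; triggers lint
    return lib


if __name__ == "__main__":
    lib = build_sample_library()
    print("PCI Req 2.1 ->", lib.controls_for("PCI DSS 3.2", "Req 2.1"))
    print("AM-PM-DA <-", lib.sections_for("AM-PM-DA"))
    print("NIST-only view:", sorted(lib.applicable_controls({"NIST SP 800-53r4"})))
    for finding in lib.lint():
        print("LINT:", finding)
```

The applicability filter is what a buyer paying for 200 sources while using 30 wants: a view of the library restricted to the sources that apply, so unmapped content never reaches the control universe. The lint pass encodes two of the questions above as checks rather than conversations: a control nothing maps to, and an already-integrated source mapped into the library.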
What are the licensing terms?
If you are paying more than US $10,000 a year in content that is largely free, you are getting taken. When feasible, do not sign up for multi-year agreements, especially initially. Take your first year and learn how the content will impact your organization. Ask if you can try the content for a period of time before purchasing. This gives you time to investigate and perform due diligence.
Will the content stand up in a court of law?
I have spoken to peers who believe that integrated regulatory content, especially from those one-off sources, may have trouble being defended in a court of law should due diligence, due care and compliance questions come into play. Many of my peers feel that in a court system, only those well-respected and industry-vetted sources would be resolute enough to endure scrutiny, so ask your content provider if they have perspective to share on that topic.
Mapping can be difficult and time-intensive. Companies are fearful of a mismapping or a missed mapping, which could call their libraries into question from completeness and accuracy perspectives. Before purchasing integrated content, ask to speak with current customers of the content and dig into the details. You may be surprised at what you find.
Everyone can think of a moment when they have experienced a problem with goods or services. Everyone can also think of a moment after the problem that…wait for it (drumroll)…there was poor customer support or no support at all.
So where does the disconnect between an enterprise’s strategic objectives and its failure in the eyes of the customer begin? Could this failure have been avoided from the start?
Here’s how it happens: Oftentimes an enterprise reviews its strategic plan, which is a process that often generates new ideas and a new focus on how to achieve its objectives. A critical factor in achieving these objectives is IT. As part of this effort, business cases are created and reviewed with due diligence and care, focusing on risk analysis, costing and other key planning issues. Approvals are given at various levels, and once the green light is given, the product/service/upgrade is developed, with implementation to follow.
Imagine that all of the above stages are completed and the enterprise has just successfully launched a new service to customers through its digital channel. The product is marketed well and it is disruptive, so this results in huge demand from customers. At this point it may seem that all is well and good; however, as with all things, problems are going to occur and customers (internal/external) will be affected.
This is where the true test begins and where many enterprises fail because proper support systems were not put in place at the start. There are several reasons why this can occur, including a lack of foresight at the beginning, a focus on being first to market over competition, improper resource analysis, a lack of training, a poorly developed service level agreement (SLA) or no SLA review.
Just as security and risk are key considerations, proper support mechanisms should be considered when implementing your enterprise IT governance structure, since support is a form of risk mitigation in itself. You can implement the most state-of-the-art IT infrastructure that strategically aligns with your enterprise’s objectives and delivers super-fast service; however, if there is no support for the 100 percent certainty that something will go wrong, then all of it becomes useless. Design your framework so that failures are anticipated and not left to chance.
It is time to consider the next evolution of the COBIT framework beyond COBIT 5—and here is your chance to play an important role.
As you are well aware, COBIT is the premier IT governance framework, helping organizations around the world realize significant value. ISACA is seeking your help to ensure that COBIT continues to evolve as a vibrant framework that encompasses the new capabilities and threats (Internet of Things, big data, cyber security, DevOps, etc.) constantly arising in the world of IT governance.
We are in the process of evaluating and fundamentally changing COBIT to better serve COBIT users and would like to get your feedback and thoughts. A key part of the evaluation process is our belief that, to fully enable organizations worldwide, we recommend changing the delivery model by providing COBIT-as-a-Service (CaaS).
As a starting point, we have considered usage feedback and market data of existing COBIT 5 and COBIT 4.1 frameworks, as well as enhancements leveraging the recent acquisition of the CMMI Institute.
What We Know:
- COBIT is highly regarded as the single comprehensive IT framework and has excellent brand recognition globally.
- There are no direct competitors with “like” products that include IT audit, cyber security, IT risk, IT governance and business principles.
- COBIT 5 is 5 years old and it needs to be dynamically updated going forward.
- Key industry trends of crowdsourcing and open sourcing solutions improve relevance of products.
We Want Your Input on This New Idea—Providing COBIT-as-a-Service (CaaS):
- Provide a fully-online, interactive COBIT framework, COBIT Implementation, COBIT Enabling Processes and COBIT Enabling Information to ALL. Crowdsource to members and non-members to ensure currency in a dynamic and changing environment through frequent content refresh.
- Determine whether we need to provide oversight to updates or leave it up to the practitioner base to address any issues that arise.
- Add additional domains and industry-specific content with data tags to allow users to create a custom/tailored COBIT to allow many different views of COBIT—e.g., by subject area, by role, by industries, etc.
- Partner with internal (e.g., CMMI) and external organizations to go deeper in areas of expertise (e.g., cyber security), and also with organizations that go outside the traditional areas of focus for COBIT (e.g., IT supporting product development).
- Provide cross-linkage to externally referenced frameworks (e.g., ITIL).
- Create unique and relevant principles, policies, processes, practices and tools for specific industries (e.g., health care) and audiences (e.g., privacy).
- Develop a digital platform (mobile/web) for viewing, updating and using COBIT content.
- Build a broader community of experts and involve them in thought leadership.
We Need Your Help to Achieve This Future State
Please provide your thoughts and comments on the vision for COBIT by 1 December, and let us know what else you would like by emailing [email protected].
About the authors:
John Lainhart, CISA, CISM, CGEIT, CRISC, CIPP/G, CIPP/US, serves as the Cybersecurity Fellow, emeritus for IBM’s Center for the Business of Government. He is also on the Board of Directors of George Washington University’s Center for Cyber and Homeland Security, serves on the Cyber Maryland Advisory Board and as an advisor to the ISACA Board of Directors.
Matthew Conboy, CISA, is a strategic operations manager at Cigna, and has over 10 years of experience leading and consulting within the strategy, project execution and risk/audit domains, with special focus on the bridge between IT and Business. Since 2008 he has been on the board of his local Greater Hartford Connecticut (GHC) ISACA chapter, and currently is the chapter’s vice president and chair of the Education and Marketing and Communications Committees.
Frank Schettini, MBA, is Chief Innovation Officer of ISACA. Prior to joining ISACA, he worked as vice president of information technology at Project Management Institute (PMI). His experience includes more than 30 years in various industries in the areas of strategic planning; project, program and portfolio management; process improvement; enterprise architecture; and change management.
In a testament to COBIT's universal acceptance, the Supreme Audit Office of Poland (NIK) recently used the COBIT 4.1 framework to assess the level of security of the major IT systems used by Poland’s government agencies.
The process began in 2014 when the NIK reviewed the involvement and performance of Poland’s government agencies to ensure IT security. The results of the review, published last year, showed that Poland, at the state level, was not prepared to deal with the serious threats coming from cyberspace.
To address this major cybersecurity shortcoming, the NIK decided to verify the security of the information processed in the information systems the state relies upon to operate. The audit, using COBIT 4.1, included 6 systems managed by different ministries and government agencies.
To achieve an objective and comparable assessment of the level of security management of the selected systems, the NIK decided to use the control objectives of process DS5 Ensure Systems Security, as the source of the control objectives and process maturity model for the audit. The COBIT framework is recommended to supreme audit institutions in the "INTOSAI GOV 9100 Guidelines for Internal Control Standards for the Public Sector" and the "WGITA – IDI Handbook on IT Audit for Supreme Audit Institutions" developed by the INTOSAI Development Initiative (IDI).
The audit found that only one government agency’s systems security was assessed at level 3, meaning it had a defined DS5 process (see diagram below). Three agencies were at level 2, meaning the process was repeatable. Two were at level 1, meaning the process was initial or ad hoc.
The results of the audit were recently published in Polish on the NIK's web site. They were also presented by Krzysztof Kwiatkowski, president of the Supreme Audit Office of Poland during CyberGOV, an important conference on cyber security for the public sector in Poland.
In its report, the NIK also included conclusions on its findings and recommendations for the audited organizations as well as specific recommendations for the Ministry of Digitization, which is responsible for coordinating cybersecurity in Poland. The significance of the findings has been widely commented on and analyzed by stakeholders responsible for implementing the NIK’s recommendations.
Since the report was completed, there has been a rise in interest in the COBIT framework and the ISACA Cybersecurity Nexus (CSX) program in Poland. Poland’s two ISACA chapters have been busy answering questions and providing guidance on how to implement governance and security processes that can enable Poland to deal with cyber security threats.
ISACA has since released COBIT 5 in Polish. The following processes are recommended to prepare an audit of information security:
- APO13 Manage Security
- DSS05 Manage Security Services
- MEA02 Monitor, Evaluate and Assess the System of Internal Control
COBIT publications in Polish include COBIT 5 Framework, COBIT 5 for Risk, COBIT 5 for Information Security, COBIT Process Assessment Model (PAM): Using COBIT 5, and COBIT Self-assessment Guide: Using COBIT 5. In addition to English, COBIT materials are also available in the following languages:
COBIT recently celebrated its 20th anniversary.
Most organizations have objectives for quality and improvement. Enterprises want employees to continually look for opportunities that fuel effectiveness and strengthen the company. The improvement theme is both a nice to have and a basis to survive, providing a direction to get better and a model for personal behavior and work culture. The basic improvement model is one of common sense, similar to those used in psychology and coaching. It can be teamed with any process reference model.
The improvement model has evolved over time with influences from many thought leaders, good practices and industries, including:
- Dr. Edwards Deming, a key influence with the Plan-Do-Check-Act (PDCA) cycle (preferred over Guess-Do-Pray-Hope);
- John Kotter, with organizational change;
- international standards from the International Organization for Standardization (ISO): ISO 9001 for quality, ISO 20000 for IT service management and ISO 27001 for IT security;
- COBIT, ITIL, the National Institute of Standards and Technology (NIST) and the Project Management Body of Knowledge (PMBOK), all of which incorporate or support improvement themes; and
- Six Sigma programs, which have an improvement phase, and so should you.
How do you do it? You can hire a Six Sigma person or you can do it yourself. It’s not difficult. For most of you, read a book or gain some awareness. ISACA offers a book titled COBIT® 5 Implementation in the COBIT product family. While the focus is on implementing governance of enterprise IT, one could add an alternative title: Process Improvement for Management of IT-related Processes.
The book highlights a cycle of phases and component parts, all building on good practices. The 7 phases of the COBIT® 5 Implementation lifecycle include:
- What Are the Drivers?
- Where Are We Now?
- Where Do We Want To Be?
- What Needs To Be Done?
- How Do We Get There?
- Did We Get There?
- How Do We Keep the Momentum Going?
Each phase is supported by 3 components: program management (PM), change enablement (CE) and continual improvement (CI). This is a good practice approach.
As an example, the components of the first 3 phases include:
- What are the drivers?
  - CI - Recognize the need to act
  - CE - Establish a desire to change
  - PM - Initiate a program
- Where are we today?
  - CI - Assess the current state
  - CE - Form a team
  - PM - Define opportunities or challenges
- Where do we want to be?
  - CI - Define the target state
  - CE - Communicate the desired outcome
  - PM - Define a roadmap
Each component has suggested or potential key activities, inputs and outputs. Warning: If you miss addressing any of these phases or components, or get overly creative with the order, you might increase the risk of failure. Like software, avoid customization.
Where to Start?
Where to start? Pain points and triggers are obvious. To gain a quick win and show how it is done, consider focusing on one process—your favorite process.
The COBIT 5 Implementation book gives you a starting place—allowing you to move forward with confidence on a solid foundation. Think of it as a playbook or recipe. Project managers like the 3 components as they address areas of frequent challenge, such as change enablement. Copy and save this model into your head and project templates.
COBIT 5 Implementation offers all of us consistent context and structure for current or potential activities. It contributes to the success of you and your team. The focus is on people—all of us; up, down and across the organization in any business line.
Editor’s note: John Jasinski holds all ISACA certifications and certificates and teaches COBIT. He is an ISACA member and has been an active volunteer at local and international levels since 2006. COBIT 5 Implementation is available as a free PDF download for ISACA members. The printed hard copy is available from the ISACA bookstore. John suggests you buy a bunch and share them with your team. COBIT is currently celebrating its 20th anniversary.
There is no argument that today’s cybersecurity attacks are likely a foreshadowing of more intense and harmful events to come, as seen by the growth of such incidents in the last few years alone. Cyber attackers have both the desire and the means to conduct these offenses, are organized, well supported and use more sophisticated methods.
Combine this with the fact that our society has become highly dependent on technology and connectivity, through things such as mobile devices, the Internet of Things (IoT) and demands to share information quickly, and the need to protect against cybersecurity attacks is paramount. Couple these scenarios with the ever-increasing threats to critical infrastructure, and the stakes grow exponentially.
Recognition that the U.S. needed broad safeguards against attacks that could disrupt critical systems led President Barack Obama to issue Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity. The order directs the government, in collaboration with industry, to develop a voluntary risk-based cybersecurity framework. EO 13636 states: “Repeated cyber intrusions into critical infrastructure demonstrate the need for improved cybersecurity. The cyber threat to critical infrastructure continues to grow and represents one of the most serious national security challenges we must confront.”
The EO 13636 initiatives include:
- Develop a technology-neutral voluntary cybersecurity framework
- Promote and incentivize adoption of cybersecurity practices
- Increase volume, timeliness and quality of cyber threat information sharing
- Incorporate strong privacy and civil liberties protections into every initiative to secure critical infrastructure
- Explore the use of existing regulation to promote cyber security
In response to the order, the National Institute of Standards and Technology (NIST) collaborated with ISACA and industry partners to create a risk-based framework focused on cybersecurity. This framework, the Cybersecurity Framework (CSF), supports quick wins by using an iterative approach to adopting a stronger cybersecurity posture.
The CSF’s components include the framework core, implementation tiers and profiles. The framework core consists of five functions (identify, protect, detect, respond and recover) and includes activities, desired outcomes and applicable references (COBIT, for example). Implementation tiers provide context and identify the degree to which practices exhibit the characteristics defined in the framework (comparable to COBIT process capability levels); they range from tier 1, partial, to tier 4, adaptive. Profiles describe outcomes based on business needs; comparing the current profile with the target profile helps determine the prioritization of efforts based on risk. Additionally, the CSF provides implementation guidance using an iterative, flexible seven-step process.
The adoption of a framework in an enterprise can typically be boiled down to two general approaches: 1) a gradual approach, starting small and building on initial successes, and 2) going “all in” across the enterprise.
Regardless of type or size of target environment, it is generally best to use a gradual approach, which is exactly why this is a great fit with COBIT. COBIT is principles-based, provides a holistic approach for adoption of governance and management of enterprise IT, has a solid implementation methodology, and the assessment program offers a great approach based on industry standards. Therefore, COBIT is a natural fit to adopting not only governance of enterprise IT (GEIT), but cybersecurity practices based on the CSF, as well.
Figure 1 below shows the alignment between the CSF and COBIT’s implementation steps and principles.
Figure 1—Implementation Alignment of NIST and COBIT
Organizations execute policies and deliver services through the use of processes, practices and activities. In order to adopt the cybersecurity needs within an organization, it makes sense to leverage a framework that already has industry recognition with regard to processes. COBIT’s process reference model is a well-organized and helpful reference, fitting nicely with the CSF, which, ultimately, helps enterprises achieve the governance objective of realizing benefits while optimizing risks and resources.
COBIT is also consistent with generally accepted corporate governance standards and maps to a multitude of relevant standards, frameworks and bodies of knowledge. This helps create a common language between IT and the business, yielding a more holistic, integrated and complete view of the governance and management of enterprise IT that is ultimately based on stakeholder needs.
If you are looking for a more detailed and informative discussion on using the CSF and COBIT in your environment, you should consider coming to the 2016 GRC Conference, 22-24 August in Fort Lauderdale, Florida, USA. There will be a pre-conference course that dives into the steps of the CSF implementation cycle using COBIT.
Editor’s note: Thomas will present The Intersection of IT and Audit by Leveraging COBIT 5 at the 2016 GRC Conference. COBIT recently celebrated its 20th Anniversary. Thomas will serve as the master of ceremonies for the GRC Conference.
COBIT 5’s Seven Phases of the Implementation Life Cycle have been “posterized” into a free download that illustrates the framework’s program management, change enablement and continual improvement life cycle.
The poster is part of the COBIT 5 framework for the governance and management of enterprise IT, which is highly valued by commercial, not-for-profit and public-sector organizations. Enterprise executives, IT professionals and business consultants depend on its globally accepted principles, practices, analytical tools and models to drive business value from trusted information and technology. Among the more popular elements from COBIT® 5 are the diagrams illustrating important practical concepts.
The July COBIT 5 poster centers on the Seven Phases of the Implementation Life Cycle diagram. The seven phases include:
Phase 1—What Are the Drivers? This phase identifies current change drivers and creates, at executive management levels, a desire to change that is then expressed in an outline business case.
Phase 2—Where Are We Now? This phase aligns IT-related objectives with enterprise strategies and risk, and prioritizes the most important enterprise goals, IT-related goals and processes.
Phase 3—Where Do We Want To Be? This phase sets a target for improvement, followed by a gap analysis to identify potential solutions. Some solutions will be quick wins and others more challenging, long-term tasks.
Phase 4—What Needs To Be Done? This phase plans feasible and practical solutions by defining projects supported by justifiable business cases and developing a change plan for implementation.
Phase 5—How Do We Get There? This phase provides for the implementation of the proposed solutions into day-to-day practices and the establishment of measures and monitoring systems to ensure that business alignment is achieved and performance can be measured.
Phase 6—Did We Get There? This phase focuses on the sustainable transition of the improved governance and management practices into normal business operations, and on monitoring achievement of the improvements using the performance metrics and expected benefits.
Phase 7—How Do We Keep the Momentum Going? This phase reviews the overall success of the initiative, identifies further governance or management requirements and reinforces the need for continual improvement. It also prioritizes further opportunities to improve GEIT.
COBIT® 5 – The Seven Phases of the Implementation Life Cycle
Previous COBIT 5 posters of the month include:
- June 2016: COBIT 5—Summary of Process Capability Model
- May 2016: COBIT 5—Process Reference Model
- April 2016: COBIT 5—Governance and Management Key Areas
- March 2016: COBIT 5—Enterprise Enablers
- February 2016: Roles, Activities and Relationships
- January 2016: Goals Cascade
- December 2015: Governance Objective: Value Creation
- November 2015: COBIT 5 Principles
Last year I wrote an article that discussed using COBIT 5 to audit cyber controls, in this instance the Australian Signals Directorate (ASD) Top 4. At the time of writing this article I had the privilege of being an expert reviewer on a draft ISACA white paper on creating an audit program. This white paper has now been released.
In the Australian government, as with all governments around the world, compliance with legislative and regulatory requirements is an important factor for the various government entities responsible for delivering functions on behalf of the Australian government. As a result, the internal audit programs of these government entities generally have a strong focus on compliance. Within the Australian government, entities are required to comply with a myriad of legislation, regulations and rules, including (but not limited to):
- The Protective Security Policy Framework
- The Information Security Manual
- The Public Governance Performance and Accountability Act (and associated legislation)
- The Commonwealth Procurement Rules
- The Commonwealth Risk Management Policy
- Whole-of-government ICT Policy
- The Commonwealth Fraud Control Policy
Each government entity is also required to comply with their individual enabling legislation and regulations, as well as laws and regulations that any business and organization must comply with. In recent times, the following have been a focus of internal audit programs:
- Workplace health and safety requirements
- The Privacy Act
As discussed in my article about the ASD Top 4, internal audit has traditionally taken a yes/no approach to auditing compliance in government. For instance, if an audit on procurement was scheduled on the audit program, an auditor would take a sample of recent procurements, assess them against the regulatory requirements and internal policy and procedures, and produce a report that outlined instances of noncompliance.
In my opinion, this approach is useless. It does not help management understand why there was noncompliance and how they can prevent noncompliance. This white paper goes through a 5-step process to develop an audit plan:
- Develop an audit plan.
- Define the audit objective.
- Set the audit scope.
- Perform audit planning.
- Determine the steps for data gathering.
These five steps provide details on how to put together an effective audit plan that genuinely helps management. The white paper very deliberately guides you on what to consider and prepare in the planning process so you are better prepared to undertake the audit. This helps ensure that when undertaking an audit of legislative compliance in government, you move away from the traditional yes/no approach and consider the factors or, to use a COBIT 5 term, the enablers that actually help management achieve compliance.