I love COBIT. Why? To begin with, COBIT is useful and usable. Secondly, the newly updated framework combines community knowledge and flexibility.
The What Is COBIT and What Is It Not section from COBIT 2019 Framework: Introduction and Methodology is very clear, and demonstrates how useful and usable the updated version of COBIT will be.
COBIT users know that COBIT in its last two versions uses components (formerly called enablers) to plan, build and maintain a governance system. They are: principles, policies and procedures; processes; organizational structures; information; culture, ethics and behavior; people, skills and competencies; and services, infrastructure and applications.
We can find these components in all organizations, and work with them to fix some problems or weaknesses in order to improve the current and future maturity of their governance system and, thus, create value for relevant stakeholders. These “magic resources” that create an appropriate solution are the first element to confirm that COBIT is usable and useful.
New design factors are the second one, and the new Design Guide was published this week. They should be considered by the enterprise to build a best-fit governance system. Not all organizations need the same solution with the same kind and quantity of resources. It is all about the best combination of needed resources to achieve expected or required benefits with a good balance or acceptable level of risks.
Not all organizations have the same strategy, goals, risk profile, I&T-related issues and threat landscape. Compliance requirements, enterprise size, the role of IT, technology adoption strategy, the IT sourcing model and IT implementation methods complete the list of factors that must be assessed.
Design factors influence the tailoring of an enterprise’s governance system in different ways. COBIT 2019 distinguishes three different types of impact, illustrated below.
The new COBIT 2019 Framework: Governance and Management Objectives publication is free for members and non-members. I believe this is a remarkable step to increase the number of COBIT followers and professional community engagement. How many students and professionals will benefit from these complimentary publications? How many of them will be influenced by COBIT 2019 and decide to start an IT career, or advance one through a certification?
Will these new followers influence COBIT’s future design? I am sure of it.
Editor’s note: For more information about COBIT 2019 guidance, products and training, visit www.isaca.org/cobit, or view a webinar on the COBIT framework here or the Design Guide and Implementation Guide here.
One of the biggest challenges for modern businesses isn’t being able to collect data, but finding a way to organize it systematically and using the data that piles up. Learning how to interpret random data points and unstructured information often proves to be more than some companies can handle, but it doesn’t have to be.
Finding value in a heap of unstructured data
“Increasing the volume of quality content being fed into big data analytics tools dramatically increases the value of the output – whether it’s improved decision-making or better product design, risk reduction, and enhanced customer experience,” Scott Mackey writes for Adlib Software, a global leader in file analytics and data enrichment solutions. “To realize these benefits, however, organizations must develop the capability to process massive storehouses of unstructured data into a format that big data analytics tools can work with.”
Unstructured data, also known as “dark data,” poses a potential risk on multiple fronts. For starters, it represents a huge missed opportunity in terms of information that could be used to benefit the company’s bottom line.
But the issue goes much deeper than that. Unstructured data that nobody owns rarely gets the encryption, access controls and retention rules that structured systems receive, so it is often the easiest target for theft or exposure, and it may contain personal or proprietary information that the organization does not even know it holds.
“When data isn’t used, there is a tendency for people to forget its content, purpose or even its existence,” data expert John Spacey explains. “There is a further tendency for such data to go unmanaged and be more vulnerable to security risks, such as unauthorized access that may leak trade secrets and other proprietary knowledge.”
Unstructured data is also resource-intensive and expensive to maintain. It can divert attention from the structured data that the firm needs to stay focused on.
The question is, how do you find value in something that appears so useless? In order to identify the true value in unstructured data, you need a plan of attack. The following tips should help you achieve some positive movement in this endeavor.
1. Get everyone on the same page.
The first step is to ensure everyone is on the same page. Specifically, gatekeepers and decision-makers within the firm must see the importance of tapping into unstructured data so it can be used for practical purposes.
2. Figure out where unstructured data is coming from.
Where is your unstructured data coming from? In other words, what’s the point of ingestion? It might be your website, social media profiles, system log files, healthcare information, financial data, CRM outputs, or a mobile app. If you don’t nail the point of entry, it will be nearly impossible to do anything else with the material.
3. Categorize ASAP.
The best time to apply structure to unstructured data is at the point of ingestion. Once you’ve figured out when and where the information comes from, you may implement systems that will filter and channel the data.
4. Eliminate the waste.
Although a lot of unstructured data can be valuable, there’s likely to be plenty that’s worthless for your organization. Instead of keeping that content around, go ahead and eliminate the waste. This will reduce your overhead and prevent energy from being expended on activities that don’t matter.
5. Combine unstructured and structured data.
Perhaps the best way to use unstructured data is to place it alongside appropriate structured data. When the two play nicely together, they can generate some surprisingly powerful and deep insights that neither would provide in isolation.
“While structured data is often easier to process and analyze, it can only reveal overall trends – not the reason behind those changes,” explains Eric Pendleton, a project training manager at a text analytics firm. “Unstructured data can reveal a deep understanding of the why behind the data; it’s just more difficult to track and may be dismissed by skeptical executives who reason that ‘it’s just what a few people say.’”
By combining the “what” (structured data) with the “how” and “why” (unstructured data), you will gain a much more complete and cohesive picture of reality … particularly as it pertains to customer-facing endeavors.
Use data; don’t let it use you
Collecting data for the sake of amassing information is pointless. If you aren’t careful, you’ll end up responsible for massive repositories of information, with nothing to show for it.
But if you develop a strategy for handling unstructured data, you may flip the script and make the most of the information-centric environment your business finds itself having to inhabit.
Practitioners charged with effective governance of information and technology have a tremendous new resource to draw upon with a significant refresh to the COBIT framework. Today, the first two books of COBIT 2019 have been released, with additional publications to follow later this year.
I could go on for hours about the elements of COBIT 2019 that I believe will be well-received by our passionate global community of COBIT users (and considering I am one of those passionate COBIT users, if I catch you in person at an ISACA event, I might just do so). For the purposes of this blog post, I will put forward a list of five aspects of COBIT 2019 that I consider especially appealing.
1. Sharper clarity. Past iterations of COBIT, most recently COBIT 5, helped practitioners across the world solve countless business challenges and helped their enterprises better manage and govern enterprise IT. There was a lot to like, but that doesn’t mean they were perfect. In COBIT 2019, we have identified areas for improvement to ensure that COBIT users are able to extract even more value from the framework while making the content more accessible and straightforward.
For example, I often was asked to describe the COBIT 5 enablers, and it was difficult for me to succinctly explain, so I started calling them ingredients. We now have transitioned to referring to them as components of a governance system, a much clearer characterization. Throughout the COBIT 2019 publications, the terminology is less academic and more applicable, allowing users to streamline the adoption timeline.
2. New focus areas. I’m enthused about the new focus areas that are set up to organize certain hot governance topics, such as small/medium sized businesses, cybersecurity, digital transformation, cloud computing, privacy and DevOps.
While the COBIT framework has thrived for 20-plus years because it addresses core business principles that are every bit as true now as they were in the 1990s, it nonetheless was important to provide updated guidance pertinent to key drivers of the current technology landscape, and COBIT 2019 takes a big step forward in that regard.
3. New design factors. COBIT 2019 highlights new factors that can influence the design of an enterprise’s governance system and position organizations for success in the use of information and technology. These include:
- Enterprise strategy
- Enterprise goals
- Risk profile
- Enterprise size
- Threat landscape
- Compliance requirements
- Role of IT
- Sourcing model for IT
- IT implementation methods
- Technology adoption strategy
These design factors take into account enterprise strategy and allow users to better customize COBIT to a specific organizational structure.
4. Updated goals cascade. The new goals cascade supports the prioritization of governance and management objectives based on enterprise goals. Starting with stakeholder drivers and needs, this model seeks to avoid the frequent misunderstanding that these goals indicate purely internal objectives of the IT department within an enterprise. The alignment goals have also been consolidated, reduced, updated and clarified where necessary. These goals are organized using the Balanced Scorecard view and include example metrics to measure the achievement of each goal.
5. Integration between the CMMI maturity model and our current capability model. Performance management is an essential part of a governance and management system. It expresses how well the system and all components of an enterprise work, and how they can be improved up to the required level. As such, it includes concepts and methods such as capability and maturity levels. COBIT 2019 performance management leverages both the current capability model and the CMMI maturity model using the following principles:
- Simple to understand and use
- Consistent with and supports the COBIT conceptual model
- Provides reliable, repeatable and relevant results
- Supports different types of assessments
Editor’s note: For more information on COBIT 2019, its publications and guidance, and new training opportunities, visit www.isaca.org/cobit.
Big data and machine learning have rocketed to the top of the corporate agenda. Executives look with admiration at how Google, Amazon and others have eclipsed competitors with powerful new business models derived from an ability to exploit data. They also see that big data is attracting serious investment from technology leaders such as IBM and Hewlett-Packard. Meanwhile, the tide of private-equity and venture-capital investments in big data continues to swell.
AI/machine learning also continued to rise toward the top of technologies considered to have the highest potential to deliver transformative value to organizations. While placing second in these rankings according to ISACA’s 2018 Digital Transformation Barometer, AI/machine learning went from 18 points behind big data in 2017 to just 3 points behind big data in 2018. As the perceived value of AI continues to increase, the proportion of organizations planning to deploy AI continues to increase as well, with a 35 percent increase over the 2017 report.
What audit, risk, assurance and security practitioners and executives should know about big data and machine learning projects
Perhaps you have heard about a new algorithm that can drive a car? Invent a recipe? Detect fraud? Scan a picture and find your face in a crowd? It seems that every week companies discover new uses for algorithms that adapt as they encounter new data. Machine learning has tremendous potential to transform companies, but in practice it is usually far more mundane than robot drivers and chefs. Think of it simply as a branch of statistics designed for a world of big data. Executives who want to get the most out of their companies’ data should understand:
- What it is
- What it can do
- What to watch out for when using it
The enormous scale of data available to firms poses several challenges. Of course, big data may require advanced software and hardware to handle and store it. Machine learning addresses a different problem: the analysis itself must adapt to the size of the dataset. This is because big data is not just long (many observations) but wide as well (many variables per observation), and methods that work on a few dozen variables do not scale to thousands.
Big data projects versus traditional IT projects
“90% of the effort in successful machine learning is not about the algorithm or the model or the learning. It’s about the logistics.”
—From Machine Learning Logistics by Dunning and Friedman (O’Reilly, 2017)
Logistics are not the only issue that matters for success. Connecting AI and machine learning projects to real business value is of huge importance. The social and cultural structures of your organization make a big difference, as well.
The following table shows the distinction between big data and traditional IT projects, tapping into COBIT 5 components (Five Principles, Seven Enablers, Trigger Events, Pain Points and the seven phases of Program Management used in the life cycle model).

| COBIT 5 lens | Big data project | Traditional IT project |
|---|---|---|
| Typical pain point / trigger event | Develop a new shared understanding of customers’ needs and behaviors; predict future growth markets | Install an ERP system; automate a claims-handling process; optimize supply chain performance |
| Enabler 4: Culture, ethics and behavior | Change how employees think about use of data; challenge the assumptions and biases employees bring to decision-making; use new insights to serve customers better, build new businesses and predict outcomes | |
| The seven phases of program management used in the life cycle model | Discovery-driven project management: identify relevant data; refine hypotheses in response to findings; repeat the process | Traditional project management: define desired outcomes; redesign work processes; specify technology needs; develop detailed plans to deploy IT; manage organizational change and train users |
| Enabler 7: People, skills and competencies | IT professionals with engineering, computer science and math backgrounds (in some cases); people who know the business; cognitive and behavioral scientists | IT professionals with engineering, computer science and math backgrounds; people who know the business |
| Challenges to success: did we get there, and how do we keep the momentum going? | Employees base decisions on data and evidence; employees use data to generate new insights in new contexts | Project comes in on time, to plan and within budget; project achieves the desired process change |
In conclusion, big data and machine learning projects involve new technology and new development approaches, and are inherently risky. If you are doing significant data exploration or discovery with big data, you will occasionally fail—which is not really a problem if you learn from the failures. Big data and machine learning projects are still more like R&D than production applications.
Shadow IT is an (in)famous phenomenon in today’s business environments. Business departments source, develop and maintain systems on their own to support their processes. Although shadow IT supports critical business functions and is therefore accompanied by many risks, it still cannot be prohibited nor suppressed. Because of these risks, there is an urgent need to manage shadow IT. As COBIT 5 is a powerful framework for managing enterprise IT, it is interesting to look into the relationship of shadow IT and COBIT.
In this blog post I would like to focus on three different questions:
1. Which COBIT processes are meant for an organization affected by the existence of shadow IT?
2. Which COBIT processes are missing or lack maturity when business departments run their own IT?
3. How can someone start and run a shadow IT initiative?
The first question concerns the overall IT maturity. In COBIT 5, there are several processes that deal with the overall integrity and effectiveness of a company’s IT. Risk and compliance management and enterprise architecture are topics that require an integrated view on IT. The existence of shadow IT hinders this integrated view, so these important functions are disturbed.
In the case of risk management, for example, processes like EDM03 and APO12 ask for the definition of risk appetite and the definition of a risk-aware culture. Furthermore, all relevant risk should be reported and managed accordingly. Shadow IT by nature is not managed. In our studies, for example, we have never seen a shadow IT-related risk in any risk map, where in more than 16% of all cases, a shadow IT system was critical for processes with an accepted recovery time of less than one day (see Figure 1).
Regarding IT compliance management, we can observe a similar situation: the current European GDPR requirements can be violated by shadow IT, as it may exceed the purpose of data processing that has been agreed with a customer. Furthermore, shadow IT is often unknown, so that a company cannot report all systems with personal data. Finally, shadow systems often lack technical features, making it difficult to control data access and prove deletion of data records.
In terms of the overall enterprise architecture, shadow IT can also be a roadblock to the successful management of a company’s system and technology landscape.
Because shadow IT systems often are not known across the company, its architecture models, inventories and data definitions are incomplete, and thus processes like APO01 and APO03 may be incomplete. Also, processes like EDM04 are ignored as architecture principles may not be followed.
The second question covers the individual quality of shadow IT systems. When assessing existing shadow IT instances, it is important to understand the quality of their current management. Again, COBIT 5 offers a good starting point for this task: several processes deal with individual IT services and can be used to assess the quality of each instance. As is to be expected, business departments lack professionalism in IT management topics; therefore, they omit important processes from the BAI and DSS process areas. Tasks like cost management, service planning, testing and security are mostly not considered. For example, DSS05.04 calls for managing user identity and logical access, something that typically does not exist in shadow IT systems. You can find some project examples in Figure 2 below.
Figure 2: Missing COBIT processes
Our third question deals with the justification and the set-up of a shadow IT initiative. As explained above, shadow IT interferes with the overall quality of IT management and lacks individual quality. Both aspects justify starting a shadow IT initiative, as these quality issues impose risks on the company. Moreover, MEA02 and MEA03 require assurance of the system of internal control and of compliance with external requirements, which also includes searching for shadow IT. Also, in executing processes BAI10.05 and DSS04.04, an IT auditor can watch out for shadow IT.
A shadow IT initiative should aim for the identification and evaluation of all existing shadow IT instances as well as the definition of measures to mitigate existing risks. Mitigation, for example, can be achieved by transferring the responsibility for a shadow IT service to the IT department or setting up quality standards for the business department. In addition to the identification of existing shadow IT instances, such an initiative also gives insights into the deficits of a company’s current IT governance.
Shadow IT can be a critical topic. Therefore, it is recommended to watch out for some major success factors: just sending out questionnaires to collect a list of shadow IT instances is anything but promising. Identifying shadow IT by direct interviews is typically more successful but can be very time-consuming. Thus, it is recommended to undertake some pilot projects to create stories and experience within an organization. From there, business departments can identify and analyze their shadow IT in a self-assessment approach. This self-assessment should be embedded within an adaptive IT governance framework that assigns responsibilities between the business and the IT department on a flexible basis. The IT audit function should take the role of facilitator and bring the topic to the table to let it be solved by business and IT. After implementation, of course, IT audit needs to assure the quality of the self-assessment approach and the functioning of the adaptive IT governance.
Governance, risk and compliance professionals shared ideas and gathered insights on how their roles are evolving in light of enterprises’ digital transformation efforts, evolving trends in innovation, and growing regulatory and security risks recently at the sold-out 2018 GRC Conference in Nashville, Tennessee, USA.
The conference, organized by The Institute of Internal Auditors (IIA) and ISACA, took place 13-15 August. Key takeaways from the conference include:
It’s time to challenge conventions
Keynote speaker Luke Williams, author, professor of marketing at the NYU Stern School of Business and founder of the W.R. Berkley Innovation Labs, told a packed opening session audience that organizations seldom take the time to question the underlying reasons why existing practices and procedures were put in place, stifling opportunities for innovation.
Williams said enterprises are often “paralyzed by possibility” with an abundance of incremental ideas for improvement, but tend to lack the unconventional, bold strategy options capable of delivering a major impact. Eventually, he said, organizations that lack a forward-looking openness to change will be overtaken by competitors.
Artificial intelligence brings great potential – and risks
While artificial intelligence and machine learning are gaining traction – and generating plenty of buzz along the way – organizations face difficult decisions in knowing where and when to introduce AI. In a session on the ethical considerations related to AI, co-presenters Kirsten Lloyd and Josh Elliot highlighted an extensive list of compelling uses for AI, such as advancing new medical treatments, preventing cyberattacks, improving energy efficiency and increasing crop yields. They also encouraged organizations to create an ethical review board and the position of chief ethics officer to deal with the related risks.
ISACA board Chair and closing day keynote presenter Rob Clyde implored the audience to focus on safeguards to prevent unintentional harm from AI projects and services.
Audit and governance professionals must actively address cyber risk
The volume and complexity of today’s cyber threats demand that GRC professionals, along with internal auditors, support their colleagues who are in cybersecurity roles and work to provide assurance to ensure organizations are prepared to navigate cyber threats.
In a session on advancing IT audit capabilities in cybersecurity, co-presenters David Dunn and Jon Coughlin noted that the traditional belief that a good internal auditor can audit anything is being challenged by the growing cyber threat landscape, and that standard controls might be insufficient. Internal audit functions must deepen their skills across a range of cybersecurity frameworks.
In the conference’s final keynote, Deloitte Managing Director Theresa Grafenstine called cyber risk a top priority for GRC professionals. When organizations fail to adequately address the risk, said the former Inspector General for the US House of Representatives, it is generally due to a lack of knowledge and resources, rather than not recognizing its importance.
Compliance must become more adaptive
A combination of new regulatory requirements, such as the General Data Protection Regulation (GDPR), and a flurry of emerging technologies being deployed to enable digital transformation call for the recalibration of compliance policies and procedures.
Session presenter Ralph Villanueva encouraged compliance professionals to understand – rather than memorize – the intent of frameworks they are implementing to have a more strategic understanding of how those frameworks best align with enterprise goals. He said compliance professionals also must anticipate how emerging technologies might impact the organization’s compliance protocols going forward.
Security measurement must be improved
While more organizations are recognizing the importance of areas such as risk management and information and cyber security, it can be difficult to quantify the effectiveness of the related investments – a major concern for the C-Suite. Session presenter Brian Contos said organizations need to develop more sophisticated security metrics beyond performing vulnerability scans and patching. Contos addressed several platforms capable of removing guesswork and assumptions from the security equation, while potentially freeing up resources by phasing out outdated tools that no longer serve their intended purpose.
The next GRC Conference will take place 12-14 August 2019 in Fort Lauderdale, Florida.
Imagine this as a GRC professional. It’s April 2016. The European Parliament passes the General Data Protection Regulation (GDPR) with an enforcement date of May 2018. Your organization is impacted. You are going to own this.
At first, you ask yourself – should I get going on this now? The answer is yes; the reality is you won’t. A year passes and the media pipes up about the clock ticking. You start to hear in your peer groups that people are starting to think about what they are going to do, but there’s little action. The clock strikes Q4 2017, your anxiety elevates, the consulting firms and professional organizations inundate your inbox with updates, trainings, services, etc., so you start your journey (late). You get organized, start reaching out to HR, IT, anyone who could be impacted. Crickets. A month passes. Two months pass, and it’s Q1 2018. You follow up. Finally, a response, maybe two come in. Finally, some momentum!
You re-engage your stakeholders, you email, call, try and set up meetings. Crickets. Q1 earnings come around. Analysts are asking. Your CEO says you are all over it and ready for the go live. Senior leadership is looking for an update. You’re working on it as best you can. The emails get responded to, finally. It’s a fire drill. You work tirelessly. GDPR goes live. You’re not quite there, but close enough that you finish by your Q2 earnings release. It’s been a disaster, but it’s over (until the next time).
GRC professionals, a lot of them, live this awful cycle every time there’s a new regulation, accounting standard, etc. Why is this? Our jobs should be simple. We carry the big stick! Most of what we support is tied to law, standards and regulations. Our organizations have to comply or face potentially stiff penalties and reputational damage. Why don’t they? They claim no resources, or budget, or time. We’ve heard it all.
Why aren’t they listening? I argue that we don’t leverage persuasion and build the skills to persuade.
The reality we live in as GRC professionals is that we simply can’t be successful in our job if we don’t persuade, and if we can’t persuade, we risk insufficiently addressing or failing to address risks to the organization. The repercussions could be severe. We could hinder our own and our teams’ careers and damage our reputations. In the narrative above, we all know who’s going to be on the hook if there’s a problem. And it won’t be those who ignored us for the better part of a year.
Persuasion is a skill. Some of it can be taught; most of it we already know (or could be defined as common sense). We simply need to be aware of this and implement some simple (in most cases) techniques to tilt the scales:
- Rapport is critical. If they don’t like you, send in someone else they do. We can’t persuade someone who doesn’t like us.
- Acknowledge the stigma that may be attached to your title and role. Let’s be honest – colleagues may not really enjoy getting a visit from a GRC colleague. Acknowledging this might help remove the first barrier.
- Recognize the impact of mood. Having a bad day? Your counterpart having a bad day? Move the meeting; it simply won’t be productive.
- Get out of a negative environment. The workplace can be a source of stress, so go grab a coffee or lunch or a drink. This is the real reason so many folks utilize “let’s grab a coffee” or similar approach to get things done.
- In person is always better. Smile a lot and use your colleagues’ name when you see them – people like hearing their name. Keep your tone of voice positive and upbeat. And while you’re at it, avoid using the word “I” – it will turn them off.
- Use how, not why, when requesting support. To most people, “why?” feels like an accusation. Don’t believe me? Think about how you feel when your boss or your spouse ask “why” you didn’t do something. It puts most people right on the defensive. “How” invites both parties to strive toward a common goal. The simple statement “GDPR goes live in 6 months – how do we ensure our organization is prepared?” invites both potential solutions and a sense of ownership in both parties.
- Listen. I mean it. Really listen. Can you do it? I can’t. Why? Because when I’m not talking, I’m thinking about what I am going to say next. Is that really listening? Bring someone with you to important meetings, and make it their job, and only job, to listen (take note of tone), watch body language, take notes, etc. Review that feedback after the meeting.
This seems easy enough, but the reality is if you don’t thoughtfully leverage some of these steps routinely, you’ll never reap the rewards. These won’t work all the time, but they’ll help increase the chance of success in your GRC role.
Have they helped me? You tell me – ever convinced a subsidiary to upgrade their ERP as part of an audit report? I have. And it was by using these tactics.
I’ll be discussing this topic further at the GRC conference next week in Nashville, Tennessee, USA. Track me down at GRC; I’d love to speak about these topics and lend a hand if I can.
Enterprises are becoming increasingly digital. Consider a bank that refers to itself as an information technology firm that happens to process financial transactions. Or, perhaps a manufacturer that likewise refers to itself as a technology company. The management of data is critical to all enterprises.
A breach can cause enormous harm outside of the core business of the enterprise. Target had a significant data breach that caused the company material damage. Technology firms are obviously at risk. Witness the recent breach at Equifax – the repercussions of that event are still being measured.
The short story is that no matter what business you’re in, data must be cared for!
The Getting Started with Data Governance using COBIT 5 paper looks at these issues from the perspective of using enablers to put goals and internal controls in place that will assist in the good shepherding of data. The paper extends the application of the COBIT 5 framework to the practice of data governance. The practice of data governance is described, and then elements of COBIT 5: Enabling Information are explored. Specific examples are provided against each of the COBIT 5 enablers.
Data maintenance and management are becoming ever more complicated. Data environments (e.g., the cloud) change rapidly, and so do internal enterprise data requirements. COBIT 5 provides definitions, good practices and modeling to assist practitioners in dealing with the critical role of data within the enterprise. Strong management provides the underpinning of good data governance.
Corporate governance and IT governance are credited with putting frameworks and standards in place to assist enterprises in using their resources effectively and efficiently to create and deliver value to their stakeholders. Data governance uses the same concepts, but applies them more narrowly to the protection and use of data. Enterprises must still define their needs for data and what resources will be available to accomplish those goals.
Once the right resources are in place, there needs to be performance measurement mechanisms put in place to ensure that the newly created, or altered, processes are functioning as needed. Reporting on the performance of data governance processes completes the data governance cycle. The governing body can then make additional, or new, directives to accomplish the enterprise’s data governance needs.
CMMI Institute became a subsidiary of ISACA in 2016, and the organizations focused attention on the synergies between the current offerings in their combined suite of products. The first joint project was to map COBIT 5, with its enterprise-wide IT governance focus, to the CMMI’s Development reference model for software development and delivery.
Employing a similar approach, ISACA and CMMI Institute engaged in mapping COBIT 5 to the Data Management Maturity (DMM) Model. The DMM is a reference model of fundamental data management best practices. It focuses on management of data as an enterprise asset, emphasizing the ownership and activities of business line staff over the data they create and manage. Data governance is a very important element of the DMM; 104 of the model’s 414 functional practices address approvals, decisions, and collaborative efforts concerning enterprise data. Since data governance is an important component of overall IT governance for an organization, one can view the DMM as extending the scope of COBIT to focus in detail on the data layer.
The COBIT 5/DMM Practices Pathway Tool, built in Excel for ease in navigation and end-user modification, is available for download on ISACA’s website. It is designed to be applied bi-directionally. Users of COBIT 5 can search for aligned practices in the DMM, and users of the DMM can search for aligned practices found in COBIT 5.
For instance, if starting from the DMM’s Data Quality category, the user can select a statement identifier from the DMM and retrieve COBIT-specific guidance. Conversely, if starting from the COBIT 5 Build, Acquire, and Implement domain, the user can select a specific practice and retrieve DMM-specific guidance.
Editor’s note: For more information on this topic, view an archived version of the “Leveraging COBIT 5 and DMM” webinar, which addresses scope and conceptual affinities between COBIT 5 and the DMM; how we approached creating this mapping tool; and a demonstration of how it can be applied from either the COBIT 5 or the DMM perspective.
The world has seen a surge of attention regarding cyber activity, and it has not been in a positive light.
Many organizations have experienced the threat posed by the adverse intentions behind these activities, especially organizations that have neither prioritized cyber risk nor made it part of their risk management agenda. Being exposed to cyber threats is no longer something that only affects big multinationals with massive data centers. Cyber threats apply to any organization that operates on, and is connected to, the Internet. A cyber breach, which almost always has an adverse impact on an organization, is no longer a matter of if; it is a matter of when.
The question that leadership of organizations should be asking is how prepared they are from a risk management perspective to deal with the risks that come with the use of information and technology. Is this a prominent and standing agenda item at the board’s and executive committee’s meetings? If the answer to each of these questions is not affirmative, then the organization is more exposed to the risk of a cyberattack, and to the risk of not being able to recover operations as quickly as would be required to enable business to carry on as usual.
To ensure the continuity of business, the board should ensure that the organization’s risk management framework addresses cyber risks. Cyber risks must be identified, quantified in relation to the organization’s environment, and appropriate actions taken to minimize the impact of cyber-related incidents. The leadership of the organization should ensure that business continuity plans and arrangements are in place for incidents that may result from a cyberattack.
It is no longer the responsibility of only the operational staff in the IT department to deal with cyber risks. Cyber threats are too great to not afford them the level of attention they require at board and senior leadership levels.
Cyber security, risk management and business continuity planning must be standing items on the board’s and executive committee’s agendas. This will ensure that appropriate attention is given to areas where gaps may exist. In this way, commitment will be secured to implement the processes and solutions required to address identified gaps and minimize risk exposure, as well as the impact that risk poses to the business.
Editor’s note: See more commentary on this topic from Emily, as well as from several other leading industry experts, at www.isaca.org/tech-governance-impact.