Delivering Business Benefits With COBIT: An Introduction to COBIT 5
By Derek Oliver, Ph.D., CISA, CISM, CRISC, and John Lainhart, CISA, CISM, CGEIT, CRISC, CIPP/G
COBIT® is an evolutionary framework that draws on 15 years of input from international IT, business, security, risk, assurance and consulting professionals on what a governance and management framework must provide. COBIT was first introduced in 1996 and has evolved through several major upgrades to its present state, COBIT® 4.1, and the soon-to-be released COBIT® 5.
COBIT 5 is ISACA’s newest iteration of its governance and management of enterprise IT (GEIT) framework. It is built on five principles and seven governance enabler models. COBIT 5 is intended for enterprises of all types and sizes. COBIT 5 ties together and reinforces all ISACA knowledge assets, i.e., COBIT 4.1, Val IT™, Risk IT, the Business Model for Information Security™ (BMIS™), the IT Assurance Framework™ (ITAF™), Taking Governance Forward (TGF), and Board Briefing on IT Governance, 2nd Edition.
COBIT 5 is designed to deliver business benefits to enterprises, including:
- Increased value creation from use of IT; user satisfaction with IT engagement and services; and compliance with laws, regulations and policies
- The development of a more business-focused IT function
- Increased user contribution to the enterprise
Many volunteers contributed to the design and development of COBIT 5 over the last two years. In addition to the ISACA volunteer leadership groups, the Framework Committee and the COBIT 5 Task Force, volunteers have supported two workshops and have provided subject-matter-expert feedback on the draft products to expand and refine the results to maximise the benefits of the guidance to all IT, business, security, risk, assurance and consulting professionals. The outcome is probably the most significant evolution in the framework since its inception—highlighting the difference between the governance and management activities involved in enterprise IT.
At this point, the framework and supporting guidance are still under development, and to this end, two initial products were made public in June 2011 as exposure drafts to solicit feedback from IT, business, security, risk, assurance and consulting professionals worldwide. Please visit the COBIT 5 page of the ISACA web site to review the initial products and provide feedback.
Following this feedback period and with direction from volunteer leaders, the final touches will be put on the COBIT 5 framework material, with plans to launch the final products in early 2012. The COBIT 5 web page will be updated regularly with current status information.
The new COBIT 5 presentation and extended guidance will provide IT, business, security, risk, assurance and consulting professionals with a more robust framework for establishing GEIT. The COBIT 5 guidance will initially comprise three products: The Framework, Process Reference Guide and an implementation guide. The implementation guide will be released in early 2012 with the other two COBIT 5 products. Additional products focusing on particular constituency needs (information security, assurance and risk), enablers (information) and other topics will be planned and developed in the future to support the use of COBIT.
Principles and Enablers
COBIT 5 is based on five principles and seven enablers. The principles that underpin COBIT 5 are identified in figure 1.
The seven enablers that should be considered to help foster the achievement of the enterprise’s objectives and deliver value are:
- Principles and policies
- Processes
- Organisational structures
- Skills and competencies
- Culture, ethics and behaviour
- Information
- Service capabilities
Each enabler is developed from a generic model, supporting consistency, completeness, and ease of understanding and use.
COBIT 5 principles and enablers are described in COBIT 5: The Framework.
The Process Enabler
COBIT 5 includes a process enabler, since most enterprises organise their activities in this way. There is a process model that defines the content and structure of a COBIT process. There is also a process reference model, with five domains and 36 processes, that forms the structure for the detailed COBIT 5 process guidance. These models are described in detail in COBIT® 5: Process Reference Guide.
The COBIT 5 processes contain governance and management practices. In the 36 COBIT 5 processes, there are 208 governance and management practices. Each practice has associated specific activities. COBIT 5 is a guidance framework, and therefore, these generic practices and activities are not an exhaustive list of requirements. COBIT 5 users will utilise the guidance as it suits their enterprise and adjust or add others as needed.
Process Capability and Maturity
COBIT 4.1 users are familiar with the COBIT maturity model approach, derived from the capability maturity model (CMM), with one maturity model for each of the 34 COBIT 4.1 processes. These provide a scale and related descriptions by which to measure the maturity of an enterprise’s IT processes. COBIT users assess their enterprise’s current maturity level for each process and decide what level would be desirable. The gap between the two identifies areas for improvement.
COBIT 5 is designed and built to support a new approach to the assessment of process capability, one that follows ISO/IEC 15504, Information technology—Process assessment, for process capability assessments. The new COBIT process reference model is a key part of the new approach. The International Organization for Standardization (ISO) approach provides a more rigorous, robust and repeatable approach to process capability assessment. This new approach and the new capability assessment model are introduced in The Framework.
ISACA is developing the required guidance, training and materials to support the new assessment approach for both the COBIT 4.1 and, soon, COBIT 5 frameworks. COBIT® Assessment Programme: COBIT® 4.1 Process Assessment Model Exposure Draft was issued by ISACA for public review and feedback earlier this year.
Derek J. Oliver, Ph.D., CISA, CISM, CRISC
is an information governance, audit and security specialist with more than 28 years of experience. He is currently acting as head of information governance and security at an NHS Primary Care Trust (PCT), helping to steer it through the development of both a Clinical Commissioning Group and a local Community Healthcare Social Enterprise. Oliver was president of ISACA’s London (England, UK) Chapter from 1995 to 1997 and has served on many ISACA international boards and committees. He currently co-chairs the COBIT 5 Task Force and is a member of ISACA’s Framework Committee. Oliver is a chartered fellow of the British Computer Society, a fellow of the Institute of IT Service Management and a member of the Institute of Information Security Professionals.
John Lainhart, CISA, CISM, CGEIT, CRISC, CIPP/G
is the IBM Global Business Services global security and privacy service area leader and public sector cybersecurity and privacy service area leader. He represents IBM on the American Institute of Certified Public Accountants (AICPA) Assurance Services Executive Committee’s Data Integrity Task Force and the Strategic Advisory Council for the Center for Internet Security. Currently a member of ISACA’s Framework Committee and a co-chair of the COBIT 5 Task Force, Lainhart has held numerous positions with ISACA and the IT Governance Institute (ITGI), including international president.
Modeling Architecture for COBIT
By Reinhold Thurner, Ph.D.
Models and frameworks are used as a means to describe the structure and properties of processes and to provide guidelines on how these processes should be organized, monitored and assessed. These models (descriptions) are voluminous and complex artifacts. So, the question is: How can one describe these artifacts so that the information contained in the models can be properly managed?
This article answers this question and demonstrates how to do so in practice. For that purpose, a model of COBIT was designed and stored along with the full content of the COBIT® 4.1 framework, IT Assurance Guide: Using COBIT® and the COBIT® 4.1 Process Assessment Model Exposure Draft in a metasafe repository. The results are meaningful, not only for the existing version of COBIT®, but also for the upcoming COBIT® 5.
Information Models About Models
There are many publications about COBIT and how to use it. These publications exist in several languages and in various formats such as hard copies, e-books (PDF files), CDs, Excel files and online digital versions. The publications contain detailed descriptions in a top-down structure and also some cross-references between the components of the COBIT framework.
The basis for all these documents and the essence of the system is the information model of COBIT. From a purely structural point of view, such a model consists of entities that are described by their properties and connected by relationships. The publications are merely specific views derived from this information base.
Such an information base is a tool to:
- Write and review the components of the model and its structure, and maintain versions
- Create different views (e.g., for different stakeholders) and to produce the products for publication
- Translate the text into other languages while preserving the original structure
- Compare a model with other models (e.g., COBIT to Software Process Improvement and Capability Determination [SPICE], ITIL, or Capability Maturity Model Integration [CMMI])
- Clone and adapt a model to a specific environment and purpose without losing the structure of and reference to the original
- Teach a model. The audience must understand the structure and purpose, but does not necessarily need to learn about all the details.
- Use or extend a model for an assessment. The results of an assessment are collected and stored in the information base and combined to create a report, or even to plan and control an improvement process.
A (simplified) architecture for an information model (figure 1) consists of:
- The metamodel—Describes the structure of the model (“the information base”)
- The model—Contains all the instances in a fine-grained information base
- Views—Provide individual views of selected entities, attributes and relationships. Views are not an additional level within this structure, but a selection of an arbitrary set of elements of the structure. Views may show only a subset and may overlap.
Creation of a Metamodel for COBIT
A metamodel is not a theoretical construct but has a very clear purpose: It must explain the terms (such as management guideline, work product, process and resource), the properties of these terms (such as description, title, measured by, issues and level) and the relationships (such as uses, has, has output, is input and is responsible). Therefore, one can start with the extraction of the terminology from the available documents. Then, one can connect these elements to reflect the logical structure of the terms. The result for COBIT (after several refinements) was the metamodel draft in figure 2.
The draft model was then stored in the metasafe repository, and the picture of the model was generated by the repository. The model reflects the structure of the COBIT 4.1 framework, IT Assurance Guide: Using COBIT and COBIT 4.1 Process Assessment Model Exposure Draft, with an extension as explained in the figure. The extension of some attributes in the assurance model is included to show how a model can be adapted to specific requirements (e.g., the support of an assessment process) and still keep the original model.
The model shows all the important terms, their properties and their relationships. It can be used to teach, design and structure the information base that will contain the model. It is not the one and only possible metamodel; it is what the authors wanted to express or show about the model. It is also only a draft or proof of concept of the architecture; however, it is a good basis from which to start and can be extended or changed easily for other intended purposes.
Beyond the descriptive function, the model is also intended to structure the information base where the instances of the model with the complete textual information are stored, maintained and documented.
Preparation of the Information Base
COBIT is available in hard copy and as a PDF download and can be browsed using COBIT Online®. COBIT Online provides the facility to download the content of COBIT as Word files or in an Access database. IT Assurance Guide: Using COBIT was also published as an Excel spreadsheet. The COBIT 4.1 Process Assessment Model Exposure Draft is published as a PDF file and consists of unstructured text. It had to be taken apart and structured appropriately to be loaded into the information base.
For the purposes of this analysis, the available documentation was taken apart and converted into strictly structured Excel maps to provide the input for the information base. A strictly structured Excel map contains sets of entity tables and relationship tables. Entity tables contain all occurrences of a given entity type, with its attributes similar to a table of a relational database. Relationship tables describe the connection between entities and reflect the structure of the system. This entity-relationship view (figure 3) corresponds directly with the conceptual model of the system.
Figure 3 shows the tables that describe the input-output flow of work products, as defined in the COBIT 4.1 Process Assessment Model Exposure Draft. The final result of the preparation was three Excel maps with a total of 87 sheets, 5,400 entity rows and 8,200 relationship rows. The Excel maps were then loaded into the information base of the metasafe repository with the Excel import facility.
Viewing the Content of the Information Base
The content of the information base can be viewed with a generic viewer, which is controlled by the metamodel. Because the viewer/editor is completely controlled by the metamodel, no additional programming is required to:
- Browse across the model in an arbitrary direction, e.g., forward and backward, and starting anywhere, e.g., one could start with an organizational function (such as chief information officer [CIO]), see all the responsibilities, select one and find the affected process, select one and see the description, or move on to the corresponding management guideline
- Select a graphical view and browse using the graphics (graphics are dynamically created from the model)
- Update the descriptions (updating is protected by user-update rights)
- Export parts of the information
- Create and export arbitrary cross-references
Figure 4 shows the browse tree with forward and backward branches in the left pane. The right pane contains, on top, the descriptive elements of a process and, below the context, a graph of the input/output of the selected process. With a click on one of the outcomes, the graph moves automatically to the selected element. Once a user of the viewer logs in to the system with a specific view, the user will see only the elements and structures defined in this view.
It is important to note that such a model-based viewer can also cope with any extension of the model. This is especially important when a model is in development or when extensions and enhancements are introduced. Such a generic viewer is not a replacement for a dedicated system such as COBIT Online; however, one could create this kind of application on top of the repository using the metasafe application programming interface (Java-API).
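The following is an added illustration of the architecture described above (entity tables and relationship tables loaded into an information base whose browsing, views and cross-reference export are driven entirely by the metamodel); it is not the metasafe repository, and the entity types, relationship names and sample rows are constructed for this example rather than taken from COBIT. The check a practitioner would want is included: a relationship row whose endpoints do not exist, or an entity row with a column the metamodel does not declare, is rejected at load time rather than silently producing a dangling reference.

```python
"""Metamodel-driven information base: entity tables, relationship tables,
metamodel validation, bidirectional browsing, views and cross-reference export.

Added illustration only: this is not the metasafe repository, and the entity
types, relationship names and sample rows below are constructed, not COBIT content.
"""
from collections import defaultdict


class Metamodel:
    """Declares entity types (with their attributes) and typed relationships."""

    def __init__(self):
        self.entity_types = {}        # name -> tuple of attribute names
        self.relationship_types = {}  # name -> (from_type, to_type)

    def entity(self, name, attributes):
        self.entity_types[name] = tuple(attributes)

    def relationship(self, name, from_type, to_type):
        for t in (from_type, to_type):
            if t not in self.entity_types:
                raise ValueError(f"relationship {name!r} uses unknown entity type {t!r}")
        self.relationship_types[name] = (from_type, to_type)


class InformationBase:
    """Instances of the metamodel. Every operation is driven by the metamodel,
    so adding an entity or relationship type needs no new browsing code."""

    def __init__(self, meta):
        self.meta = meta
        self.entities = {}                  # (type, id) -> attribute dict
        self.forward = defaultdict(list)    # (type, id) -> [(rel, (type, id))]
        self.backward = defaultdict(list)   # reverse index for backward browsing

    def load_entity_table(self, type_name, rows):
        """One 'entity table' (a sheet): dicts with an 'id' plus declared attributes."""
        attrs = self.meta.entity_types[type_name]
        for row in rows:
            extra = set(row) - {"id"} - set(attrs)
            if extra:  # column the metamodel does not declare: reject the row
                raise ValueError(f"{type_name} {row.get('id')!r}: undeclared columns {sorted(extra)}")
            self.entities[(type_name, row["id"])] = {a: row.get(a, "") for a in attrs}

    def load_relationship_table(self, rel_name, pairs):
        """One 'relationship table': (from_id, to_id) pairs; both ends must exist."""
        from_type, to_type = self.meta.relationship_types[rel_name]
        for src, dst in pairs:
            a, b = (from_type, src), (to_type, dst)
            for key in (a, b):
                if key not in self.entities:  # referential integrity check
                    raise ValueError(f"{rel_name}: dangling reference to {key}")
            self.forward[a].append((rel_name, b))
            self.backward[b].append((rel_name, a))

    def browse(self, key, view=None):
        """Neighbours in both directions, optionally restricted to a view
        (the set of entity type and relationship names the user may see)."""
        hits = [("->", rel, dst) for rel, dst in self.forward[key]]
        hits += [("<-", rel, src) for rel, src in self.backward[key]]
        if view is None:
            return hits
        return [(d, rel, k) for d, rel, k in hits if rel in view and k[0] in view]

    def follow(self, key, *rels):
        """Walk a chain of relationships forward, e.g. role -> process -> output."""
        frontier = [key]
        for rel in rels:
            frontier = [dst for k in frontier for r, dst in self.forward[k] if r == rel]
        return frontier

    def cross_reference(self, rel_name):
        """Export (from_id, from_title, to_id, to_title) rows for one relationship."""
        return sorted(
            (src[1], self.entities[src]["title"], dst[1], self.entities[dst]["title"])
            for src, links in self.forward.items()
            for rel, dst in links if rel == rel_name
        )


def build_sample():
    """Constructed sample (hypothetical ids and titles, not COBIT content)."""
    meta = Metamodel()
    meta.entity("Role", ["title"])
    meta.entity("Process", ["title", "description"])
    meta.entity("WorkProduct", ["title"])
    meta.relationship("is_responsible", "Role", "Process")
    meta.relationship("has_output", "Process", "WorkProduct")
    meta.relationship("is_input", "WorkProduct", "Process")

    ib = InformationBase(meta)
    ib.load_entity_table("Role", [{"id": "CIO", "title": "Chief information officer"}])
    ib.load_entity_table("Process", [
        {"id": "P1", "title": "Plan", "description": "constructed placeholder"},
        {"id": "P2", "title": "Deliver", "description": "constructed placeholder"},
    ])
    ib.load_entity_table("WorkProduct", [{"id": "W1", "title": "Plan document"}])
    ib.load_relationship_table("is_responsible", [("CIO", "P1")])
    ib.load_relationship_table("has_output", [("P1", "W1")])
    ib.load_relationship_table("is_input", [("W1", "P2")])
    return ib


def loads_cleanly(ib, rel_name, pairs):
    """True if a relationship table passes referential validation."""
    try:
        ib.load_relationship_table(rel_name, pairs)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    ib = build_sample()
    print(ib.browse(("Role", "CIO")))                                   # forward from a role
    print(ib.follow(("Role", "CIO"), "is_responsible", "has_output"))   # role -> process -> output
    print(ib.browse(("WorkProduct", "W1")))                             # both directions
    print(ib.cross_reference("has_output"))                             # exportable cross-reference
```

Starting from the CIO entity and walking `is_responsible` then `has_output` reproduces the browsing path described above without any type-specific code; restricting `browse` to a view drops elements outside it, which is how a user logged in with a specific view sees only that view's elements.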
Extension to Support an Assessment
To explain the extensibility of the repository technology, some attributes have been added in the assessment guide model (figure 5). (The additional attributes have been marked to avoid misunderstandings.) This view was defined as the assessment view in the model and provides fields to enter the assessment for specific items. Other extensions could include:
- Grouping assessments and assigning assessments to selected assessors
- Accepting attached documents
- Creating clones for several branches
The consolidated results of all assessments can then be extracted and reported using the Business Intelligence and Reporting Tools (BIRT) project of the Eclipse platform.
A metamodel and an information base (repository) can ease the development, publication, adaptation and practical use of process models. The publications in connection with COBIT 4.1 have been used to demonstrate the concept and its implementation. The concept and tools can be applied to any process model.
Based on this architecture, generic model-based tools can be used to create the metamodel; to load the model; and to browse, update or export the model.
The tools used in this article belong to the metasafe repository that is based on the Eclipse Software Framework and on the metasafe Java-API. This infrastructure can be used to create additional tools as required for specific purposes. The metasafe repository is available as a software product; however, the content of the information base is not available for distribution because it is copyrighted material of ISACA and was only used for the proof of concept.
Reinhold Thurner, Ph.D.
is founder and chief executive officer (CEO) of Metasafe GmbH in Switzerland (metasafe-repository.com), a software company specialised in modeling techniques and the developer of the general-purpose repository metasafe. He has more than 30 years of experience in IT, especially in the areas of software engineering, model-based development, software generators, compilers and metadata bases.
Maitland Utilizes COBIT to Improve ICT Governance
By Tim Brown, Ph.D.
Maitland is a privately owned, international firm providing wealth services to private and institutional clients. The enterprise creates, preserves and manages its clients’ wealth and commercial success through a uniquely personal, proactive and responsive approach.
The firm was founded in Luxembourg in 1976 and now employs more than 550 people in 11 offices across Europe, the Caribbean and South Africa. Maitland has more than US $120 billion in international assets under administration.
Need for COBIT
Increasing business oversight and accountability for the information and communication technology (ICT) asset is a cornerstone of Maitland’s future ICT governance state. In order to create a shared understanding of ICT and its purpose, the enterprise recognized that a governance framework was needed.
Governance principles for general business use were already well understood by Maitland’s senior management. Aligning ICT governance to COBIT was regarded as a natural extension of the overall organizational governance practices. Maitland had first learned about and used COBIT in early 2004 while undertaking research for a governance framework to guide general ICT management.
Maitland’s COBIT deployment has been fundamental in achieving its goal of a considered and responsible transition in governance models. The enterprise’s COBIT training rollout was designed to include both business and ICT resources; in this way, a shared understanding and common governance language was created, which served as a lens to visualize the desired state for the emerging ICT domain. This approach has worked well, and the enterprise continues to benefit from the improved governance maturity.
The design and deployment of Maitland’s project office environment has given the enterprise the opportunity to gain control over the number and diversity of projects that had been undertaken previously. The environment is now successfully orchestrated and offers both visibility and credibility to business projects (including ICT-related projects), while ensuring greater opportunity for success.
Maitland is increasingly using the COBIT framework as a guide to structure and position the enterprise’s thinking in many ICT subject areas. Also, Maitland has found that the governance principles noted in COBIT are universally applicable—not exclusive to the ICT domain—and is in the process of applying them enterprisewide.
Tim Brown, Ph.D.
is CIO of the Maitland Group. His previous roles include founder and managing director of Aqute Business Intelligence, which offers a range of prebuilt analytics for the short-term insurance industry, and founder and chief operations officer (COO) of WebSoft (later WebSoft Maven), which provided an extensive range of software, general technology and consulting services for the insurance industry. Brown’s areas of interest include ICT governance and organizational performance, and organizational dematerialization as a consequence of technological pervasiveness.
Did Someone Say “Value”? Delivering Enterprise Value the Metrics Way
By Sandeep Khanna, CGEIT, ITIL-F, PMP, TOGAF
Company ABC was expecting significant growth within its industry, so management decided to pursue a value creation program. During this period, the company witnessed revenue/profit growth and its internal projections demonstrated a positive outlook. Based on these data, if viewed in isolation, one would argue that the organization’s strategy was well defined and working. Yet, when overlaid with the fact that, during this period, the organization’s market share dropped in comparison to its competition (because the competition grew by a healthier margin), the perception of value undergoes a marked shift.
Almost all experienced professionals have seen an example such as this, or a variant of this, during their career, and they can pinpoint fairly well what was going wrong. There are numerous examples in history of corporations that became irrelevant by losing value over time—something that was unthinkable when the organizations first came to be. This article attempts to present one tool, from the many tools in an executive’s toolbox, that can be used to effectively address value creation and retention efforts.
Value: What Is It?
Value is in the eyes of the beholder. It means different things to different people. Yet, fundamentally, it is the same in all contexts. ISACA defines value as the “total life-cycle benefits net of related costs, adjusted for risk and for time value of money.”1 The Four Ares model succinctly captures the value paradigm (figure 1).2
The Four Ares concept provides the basic “value” framework. It prompts four very simple questions (Are we doing the right things? Are we doing them the right way? Are we getting them done well? Are we getting the benefits?) whose detailed responses provide the path to “value” delivery.
Metrics: A Foundation of Good Governance
Metrics are a set of measurements that quantify results. A business metric is any type of measurement used to gauge some quantifiable component of a company’s performance, such as return on investment (ROI); employee and customer churn rates; revenues; and earnings before interest, taxes, depreciation and amortization (EBITDA).3
As the saying goes, “Tell me how you measure me, and I will tell you how I will behave!”4 The key to value delivery through metrics is to measure costs and benefits of all organizational entities across their life cycles. Metrics do more than communicate data; they tell others what is thought to be important and what is viewed as a risk or a concern.5 They tell staff what management is watching. They are the means by which success is measured.
The Metrics Way of Delivering Value, One Approach
In the metrics view of the world, one can extend the Four Ares concept, beyond its originally intended use, by utilizing it as a new analytical tool for each organizational resource and work product. The Four Ares analysis provides a framework to evaluate value realization from all organizational resources in a holistic manner. It provides a context in which everything is viewed as an investment, and its ROI is calculated on an ongoing basis. The result is a 360-degree view of the enterprise and its constituents.
All organizations are in the business of delivering value. This is done by using business drivers as input and applying organizational resources in a manner that delivers optimum value. Deming’s plan-do-check-act (PDCA) cycle (figure 2) provides a model by which metrics can be planned/created, implemented and adjusted/retired/acted on so that the different lifetime organizational measures reinforce one another. When all components are in balance, the result is optimum value realization.
The overall organizational lifetime values can be broadly classified as follows:
- Employee lifetime value (ELV)—This refers to the value provided by the employee to the organization after joining the organization and the projected value based on the outlook. There are a number of approaches available, including comparisons with the components of customer lifetime value.6 As a starting point in calculation of ELV, a simplistic profitability/value equation7 can be used:
Total Profit = Profit/Employee × Number of Employees
The goal of any organization should be to maximize both of the expressions on the right of the equation. This insight calls for value realization—working on one employee at a time.
- Customer lifetime value (CLV)—High-maintenance customers can be unprofitable regardless of their sales volume. It is key that the organization develops its own way of measuring (and attaching numeric value) its customers for their tangible and intangible value, with the goal of increasing this value over time. Figure 3 depicts one way of looking at CLV.
- Project (and program) lifetime value (PLV)—All projects (and programs) of the organization8 should be tracked for their overall lifetime value, which includes all costs starting from inception to retirement of the work product, including the operational life. In effect, the PLV concept introduces a shift in measuring the value of the project (and program) by taking an end-to-end view. It extends the traditional lifetime of tracking the project or program because most of the value realization happens when the work product is in operations. This viewpoint is further reinforced by the third foundational principle of Val IT and the supporting Business Case Guide.9
- Nonhuman resources lifetime value (NhLV)—This category includes all nonhuman resources of the organization, including software, hardware, the data center, networking and property/building leases, spanning their entire life cycles from introduction into the environment until retirement. With increased commoditization of nonhuman resources and availability of pay-as-you-go services, including cloud offerings, businesses must carefully consider the alternatives and leverage the scale and expertise of organizations specializing in noncore functions. There are firms that link their payment models to the delivered client value, i.e., payment is based on the incremental savings to the client. Value optimization in nonhuman resources could have a significant impact, given that infrastructure typically accounts for 54 percent of IT spend.10 As the organization matures in using these models, NhLV can, over time, become a subcomponent of PLV. However, until that happens, it should be run as a separate effort.
Value is delivered one component at a time. At a minimum, the Four Ares analysis should be applied to optimize value across all of the previously mentioned components. As organizations mature in usage of metrics, they can set a standard for the minimum acceptable level of value across each lifetime value concept, thereby benchmarking it and taking measures to further enhance its value delivery capability.
For true value delivery, the following questions need to be addressed:
- Is a 360-degree view of the project available? Do all projects have a business case? Is the project value tracked throughout the life cycle? Are there any stage-gate reviews? What happens if the results (or future forecasts) happen to diverge significantly from the plans?
- How are projects selected for implementation? Is a portfolio approach followed? What are the selection criteria? Do the projects have incremental value delivery or big-bang value delivery implementations?
- How is accuracy of the costs and benefits ensured? What is the confidence level of all the assumptions? Are the assumptions validated, or are they skewed to provide a favorable business case?
- What are the top metrics for the organization at each layer of the chain? Does someone own metrics life-cycle management, i.e., introduction and retirement of metrics? Is a documented definition of each metric and its usage available? How frequently is it reviewed?
- Is a 360-degree view of organizational resources available? Are the life cycles of metrics captured for individuals in any organization? Of more importance, are they effectively utilized in decision making to deliver more positive outcomes and to refresh organizational resources?
- How is value fraud prevented? How is the quality of the data life cycle ensured? If fraud is found, how is it handled? Are there built-in mechanisms to prevent value leak?
- Is the information available in real time via a drill-down dashboard?
- For any issue, is the true root cause identified and fixed, or are only the symptoms addressed (leaving the real problem to manifest itself in a different scenario)? Does the organization have a mature process to address these issues?
- Are the internal facing and external facing metrics in balance?
- Is everyone in the organization on the same bus?11 Does a shared vision exist?
Value delivery rests on a strong governance process, one that is grounded in facts. The metrics must clearly articulate the facts, not only as outcome results, but also as the leading indicators for appropriate decision making. Metrics are one of the most powerful tools in any organizational arsenal. If used appropriately, they have the potential to deliver breakthrough results. If used inappropriately, they can turn the organization against itself, with “value” leaking out of it. Extreme caution is advised.
Sandeep Khanna, CGEIT, ITIL-F, PMP, TOGAF
is a senior IT governance professional with 19 years of global IT experience, spanning executive and board leadership roles. He can be reached at email@example.com.
All views expressed in this article are those of the author and do not necessarily reflect those of the organizations where he currently works or where he has worked in the past.
1 ISACA, Glossary, “Value,” www.isaca.org/glossary
2 IT Governance Institute (ITGI), Enterprise Value: Governance of IT Investments, The Val IT Framework 2.0, USA, 2008. The Val IT reference is based on the Four Ares as described by John Thorp in his book, The Information Paradox—Realizing the Business Benefits of Information Technology, written jointly with Fujitsu, first published in 1998 and revised in 2003, McGraw-Hill, Canada.
3 TechTarget, “Business Metric,” SearchCRM.com, December 2003, http://searchcrm.techtarget.com/definition/business-metric
4 Goldratt, Eliyahu M.; Jeff Cox; The Goal: A Process of Ongoing Improvement, North River Press, USA, 1992
5 McDonald, Mark P.; “Technically Oriented IT Metrics: One of the CIOs and IT Executives Make It Easier to Separate Business From IT,” Gartner, 21 January 2010, http://blogs.gartner.com/mark_mcdonald/2010/01/21/technically-oriented-it-metrics-one-of-the-cios-and-it-executives-make-it-easier-to-separate-business-from-it
6 The Forum, “Employee Lifetime Value: The Critical Companion to Customer Lifetime Value,” PerformanceForum.org, www.performanceforum.org/associations/12672/files/employee_lifetime_value_critical_companion.pdf
7 Bryan, Lowell L.; “The New Metrics of Corporate Performance: Profit Per Employee,” The McKinsey Quarterly, no. 1, 2007, www.massmac.org/newsline/0707/McKinsey.pdf
8 While Val IT defines “project” as a “structured set of activities concerned with delivering a defined capability” and “program” as a “structured grouping of interdependent projects that are both necessary and sufficient to achieve a desired business outcome and create value,” in practice, some enterprises do plan and deliver business value through their own projects. Hence, an all-inclusive term, “projects (and programs),” is used here.
9 ISACA, The Business Case Guide: Using Val IT 2.0, USA, 2010
10 Weill, Peter; Sinan Aral; “Managing the IT Portfolio: Returns From Different IT Asset Classes,” Center for Information Systems Research—Massachusetts Institute of Technology and Sloan School of Management (MIT Sloan) Research Briefing, vol. IV, no. 1A, March 2004
11 Collins, Jim; Good to Great: Why Some Companies Make the Leap…and Others Don’t, HarperCollins, USA, 2001
Patrick Stachtchenko, CISA, CGEIT, CA, France, chair
Steven A. Babb, CGEIT, CRISC, UK
Sushil Chatterji, CGEIT, Singapore
Sergio Fleginsky, CISA, Uruguay
John W. Lainhart IV, CISA, CISM, CGEIT, CRISC, USA
Anthony P. Noble, CISA, USA
Derek J. Oliver, Ph.D., DBA, CISA, CISM, CITP, FBCS, FISM, UK
Rolf M. von Roessing, CISA, CISM, CGEIT, Germany
Comments regarding the editorial content may be directed to Jennifer Hajigeorgiou, senior editorial manager, at firstname.lastname@example.org.
COBIT Focus is published by ISACA. Opinions expressed in COBIT Focus represent the views of the authors. They may differ from policies and official statements of ISACA and its committees, and from opinions endorsed by authors, employers or the editors of COBIT Focus. COBIT Focus does not attest to the originality of authors’ content.
© 2011 ISACA. All rights reserved.
Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Please contact Julia Fullerton at email@example.com.