What Does COBIT 5 Mean for Your Business?
By Sagar Anisingaraju
When it comes to enterprise use of IT assets, executives are looking for answers to three things:
- Is the organization getting IT right?
- Is the organization buying or building the right IT capabilities?
- Are there any gaps in capabilities exposing the business to unwarranted risk?
For most companies, the answers to these questions come from understanding the underlying multiple frameworks used across operations. For example, COBIT [1, 2] enables companies to improve IT governance by ensuring that appropriate process, governance and management enablers are used to build IT capabilities to achieve stakeholder goals. As a framework that can be used to measure and monitor IT services and implement best practices for those services, ITIL [3] provides an operational level of service management. The ISO/IEC 27000 series [4] comprises the preferred standards used by IT security professionals. For companies that compete in regulated segments such as banking, insurance, utilities or health care, additional industry-specific standards, frameworks and guidelines may be in use.
When an organization leverages multiple standards, frameworks and guidelines, it may end up creating separate controls recommended by each that are managed separately. As a result, it not only creates duplicate work, as controls may be overlapping, but more important, it becomes challenging for executives to get a comprehensive understanding of their organization’s IT risk exposure and governance process. Current tools that enable organizations to create a shared library of common controls across frameworks are cumbersome to use and manage. Control libraries often become huge and complex to use for most companywide governance, risk and compliance (GRC) initiatives.
COBIT 5, the latest edition of ISACA’s globally accepted framework for governance and management of enterprise IT (GEIT), addresses this issue. It provides an end-to-end business view that integrates other standards, frameworks and guidelines, such as ITIL and ISO/IEC 27001, into an overall enterprise governance and management framework. With a COBIT 5-inspired model, stakeholders such as security professionals, IT operations executives and IT auditors can see how their work relates to the overall scope of governance and management. COBIT 5 does not replace these other sources of reference. Instead, it is an overarching umbrella framework that helps them all fit together. For example, COBIT 5 is the frame on which ITIL can provide additional color for daily management of IT operations. Using this frame embodies the same essential principles of business analysis, helping information and technology teams to achieve strategic business goals.
IT has always had to deal with risk factors such as cyberattacks, external hacking and disgruntled employees. New risk factors are, however, driven by consumerization of IT—ranging from bring your own device (BYOD) to social media and associated big data.
With these new unstructured external threats, the security perimeter is changing. COBIT 5 for Information Security offers additional, security-specific guidance designed to help your IT department implement an effective framework and reduce risk exposures.
The key changes in COBIT 5 include:
- A clear distinction between governance and management, bringing greater relevance to a wider business audience
- A linkage between specific IT-enabler goals and broader enterprise-level goals. It also includes more explicit guidance to levers of change (enablers) beyond process, such as culture, ethics, behavior, people, skills and competencies.
- Modifications to the process model, including new processes
- A new process capability assessment approach, which replaces the COBIT 4.1 capability maturity model (CMM)-based modeling
COBIT 5 is not a panacea. It is not something to lift and use exactly as-is. Each enterprise needs to map it and mold it to the business’s requirements, organizational structure and processes. The comprehensive scope of COBIT 5 guidance may overwhelm new users and inhibit its adoption. Use of all available ISACA guidance and tools, as well as having key staff take the COBIT 5 training available in the marketplace (COBIT Foundation, COBIT Implementation and COBIT Assessor courses), is highly recommended.
COBIT 5 should be implemented to ensure that the organization has a road map that will allow it to address all of its IT governance and risk issues. If the organization is already using some level of COBIT selectively within pockets of the organization, the changes in COBIT 5 should be reviewed to identify where it can help address specific issues or organizational changes. In addition, with COBIT 5 as a single enterprisewide IT GRC framework, the organization can implement a comprehensive analytics solution that enables it to continuously measure and improve its governance status, risk exposure, and overall compliance with policies and regulations. There will be no further need to reconcile multiple silos through reports to assess the organization’s overall risk or compliance status.
COBIT 5 is an important milestone. Adopting it will be a very promising journey to simplify the organization’s efforts in implementing a single organizationwide GRC framework. If the organization already has a mature GRC environment, it will quickly realize that COBIT 5 gives it a better handle on GEIT. If the organization is just starting, COBIT 5 will give it the formal road map it needs for a fast-track approach.
Sagar Anisingaraju
Is the chief strategy officer at Saama Technologies Inc. Anisingaraju creates strategic initiatives to lead Saama into emerging business areas with competitive differentiation. He enjoys his time spent with customers to understand their business problems specifically related to big data. He was the winner of the 2013 Chief Strategy Officer of the Year award, presented by Innovation Enterprise.
[1] ISACA, COBIT 5, USA, 2012
[2] ISACA, COBIT 5 Training and Accreditation FAQs
[3] APM Group Ltd., ITIL
[4] International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), ISO/IEC 27000, Information Security Management Systems (ISMS) standards
Using COBIT 5 for Risk Management
By Steven Babb, CGEIT, CRISC, ITIL
COBIT 5 provides a comprehensive framework that assists enterprises in achieving their objectives for the governance and management of enterprise IT (GEIT). Simply stated, it helps enterprises create optimal value from IT by maintaining a balance between realizing benefits and optimizing risk levels and resource use. COBIT 5 enables IT to be governed and managed in a holistic manner for the entire enterprise, taking into account the full end-to-end business and IT functional areas of responsibility and the requirements of internal and external stakeholders.
COBIT 5 for Risk builds on the COBIT 5 framework. Focused on risk, it provides more detailed and practical guidance for risk professionals and other interested parties at all levels of the enterprise on how to use COBIT 5 to support a variety of IT risk activities. It also elaborates on using the COBIT 5 enablers for risk management in practice. Finally, it introduces and aligns the elements of COBIT 5 found in COBIT 5 for Risk with relevant IT or ERM standards and practices, including COSO Enterprise Risk Management, ISO 31000, ISO/IEC 27005 and ISO Guide 73.
For an enterprise that is already using COBIT 5 as its framework for GEIT, COBIT 5 for Risk enables the enterprise to leverage COBIT 5 when planning how to build and sustain a risk function and how to optimize risk and identify, analyze, respond to and report on risk on a daily basis.
There are multiple drivers for risk management in the enterprise; they contribute to improving business outcomes, decision making and overall strategy. Improving these areas is accomplished by providing stakeholders with substantiated and consistent opinions on the current state of risk throughout the enterprise, guidance on how to manage the risk to levels within the enterprise’s risk appetite, guidance on how to set up the appropriate risk culture for the enterprise, and, wherever possible, quantitative risk assessments that enable stakeholders to consider the cost of mitigation and the required resources against the loss exposure.
As it uses COBIT 5 for Risk, the enterprise will gain risk-related capabilities. And, through development of greater risk capabilities, an enterprise can attain various benefits. These potential benefits include:
- More accurate identification of risk and measurement of success in addressing risk
- Better understanding of the risk impact on the enterprise
- End-to-end guidance on how to manage risk
- Knowledge of how to capitalize on investments related to IT risk management practices
- Understanding of how effective IT risk management optimizes value with business process effectiveness and efficiency, improved quality, and reduced waste and costs
- Opportunities to integrate IT risk management with enterprise risk and compliance structures
- Improved communication and understanding among all internal and external stakeholders, due to the use of a common and sustainable globally accepted framework and language for assessing and responding to risk
- Promotion of risk responsibility and acceptance across the enterprise
- A complete risk profile, identifying the full enterprise risk exposure and enabling better utilization of enterprise resources
- Improved risk awareness throughout the enterprise
COBIT 5 for Risk appeals to multiple parties, each finding various benefits. Boards and executive management can gain a better understanding of their responsibilities and roles with regard to IT risk management and the implications of IT risk on enterprise strategic objectives. Risk managers responsible for enterprise risk management (ERM) can find assistance with managing IT risk according to generally accepted ERM principles and incorporating IT risk into enterprise risk. Operational risk managers can link back to COBIT 5 and gain guidance on identifying operational losses or developing key risk indicators (KRIs).
Steven A. Babb, CGEIT, CRISC, ITIL
Is head of governance, risk and assurance for Betfair, one of the world’s largest online sports betting providers. Babb leads a global team of security, risk, compliance and assurance professionals. Prior to this, he was head of technology risk in the UK practice of KPMG’s risk consulting team and has more than 16 years of consulting and assurance experience covering areas such as IS governance, IT risk and control, service management, and program and project management. Babb chairs ISACA’s Framework Committee and the COBIT for Risk Task Force and was also a member of ISACA’s Risk IT and COBIT 5 development teams.
COBIT and the CPA Firm
By R. Curtis Thompson, CISA, CPA.CITP
With the introduction of COBIT 5, the framework is moving toward a more global application to the enterprise. But, can a smaller organization still take advantage of COBIT 5 to help direct its IT function? This is an account of one organization’s beginning steps toward implementing COBIT 5.
Yount, Hyde & Barbour is a mid-sized regional accounting firm with 21 shareholders and 140 employees. The firm has six locations, with at least 20 people working remotely or at a client’s location at any given time. Thus, there is a complexity to the IT function that is greater than the size of the organization would suggest. The loss of the firm’s IT manager and an IT staff member reduced the IT staff to a single person. While this was a major issue for an accounting firm in the middle of its busiest season, it was an opportunity to redefine the IT function for the entire firm. Several short-term fixes were initiated (hiring an IT generalist and relying on an outsourced vendor to fill in gaps in staffing).
The shareholders of the firm had always had an IT steering committee to communicate the firm’s direction and needs to the IT manager, but the committee had not taken a true governance role. The risk advisory services team consisted of several Certified Information Systems Auditors (CISAs), including the principal, who was the chair of the IT steering committee. Therefore, it was a logical direction for the IT steering committee to look to the newly released COBIT 5 as the framework on which to develop a better IT function.
COBIT 5 has a diagram that perfectly illustrates the separation of governance and management (figure 1). Defining management’s role as planning, building, running and monitoring appropriately separates it from the role of governance. Defining governance’s role as monitoring, evaluating and giving direction enables the IT steering committee to understand its role and eliminate a tendency for micromanaging the IT function.
The COBIT 5 process reference model illustrates the various processes (figure 2). It lays out the overall scope of the IT function nicely, but is this excessive for an IT department with only one to three staff members? In an accounting firm with 21 partners, all with different practices, there is a great variety of requirements and opinions. While a full implementation of the framework would likely be overly burdensome, there is a great advantage to using the model to design the processes and roles. Some areas will need to be fully documented and formally put in place; others may be more ad hoc and informal.
The firm is a small organization with a lot of demands on resources. The effort to organize the IT function using a framework so that it can be efficient and fill the needs and expectations of the stakeholders is ongoing. COBIT 5 is a solution for organizing and integrating the IT function within the overall organization. One advantage that the firm has is that the shareholders and staff understand the importance of IT to filling the needs of the firm and its clients effectively and efficiently.
COBIT 5 Implementation lays out seven phases for implementing COBIT 5. Using this guide, the firm began by identifying the drivers as well as the challenges of the initiative (phase 1, What are the drivers?). There were several drivers for the firm. There was a general disconnect between IT and the needs of the professionals. With different practices across the firm, there are different needs that were not always understood or addressed. While IT spending was within budget, spending did not always follow the needs of the firm. And for the IT department, one of the biggest issues was the rarely consistent individual demands of 21 individual shareholders.
The firm is currently between phase 2 (Where are we now?) and phase 3 (Where do we want to be?). These phases are logically being worked on concurrently but are challenging. The busy schedules of the professional staff and the demands on a small IT department tend to interfere with planning sessions and discussions. Milestones and deadlines are now being put in place to help keep the project on track. Some departments have completed the process of identifying where they are and where they want to be. This has been accomplished through planning sessions and discussions. With the input of the IT steering committee, the remaining departments will get these phases completed so the next phases can begin. Plans are in place to begin phase 4 (What needs to be done?) and phase 5 (How do we get there?) in early November.
COBIT 5 has helped the firm think about its IT processes and how they interrelate with the objectives of the firm. Even in a small organization like Yount, Hyde & Barbour, there is room for a framework to help direct the structure and function.
R. Curtis Thompson, CISA, CPA.CITP
Is a shareholder at Yount, Hyde & Barbour, PC, a regional CPA firm. His practice is focused on technology and internal controls services for various industries with a concentration in financial institutions.
COBIT 5: Enabling Information Update
By Steven De Haes, Ph.D.
The latest publication in the COBIT 5 product family, COBIT 5: Enabling Information, will be published in November 2013. Focusing on the information asset as an enabler, the main advantage COBIT 5: Enabling Information will provide is the reference guide to assist COBIT 5 users with structured thinking about information and typical information governance and management issues in any type of organization. This structured thinking can be applied throughout the life cycle of information, from conception and design, through building information systems, securing information, using information, providing assurance over information, and disposing of information.
This guide will provide information practitioners with the following three key benefits:
- A comprehensive information model, based on the generic COBIT 5 enabler model, that comprises all aspects of information, e.g., stakeholders, goals (quality), life-cycle stages and good practices (information attributes). The information model allows practitioners to effectively consider and develop relevant, usable information models from a governance and management point of view.
- Guidance on how to use an established governance and management framework (COBIT 5) to address common information governance and management issues (e.g., big data, master data management, information disintermediation and privacy) and how COBIT 5 principles and concepts, especially the enablers, can address these issues
- An understanding of the reasons why information needs to be managed and governed in an appropriate way and the criticality of information that is contained within a given context
The guide will assist enterprises with information issues and challenges such as:
- Demand-side/use of information
- Big data, covering three areas:
  - Marketing situational awareness (variety of information)
  - Fraud detection (volume of information)
  - IT predictive analytics (velocity of information)
- Master and reference data management
- End-user computing
- Regulatory compliance
The intent of this guide is to provide readers with a better understanding of information governance and management issues and improve their ability to generate benefits and manage information-related risk. This guide supports readers in their efforts to use information-centric thinking about their enterprise.
The target audience groups for this publication include a broad range of business and IT professionals, since all work with information as a resource and/or asset, including:
- Board and executive management (i.e., chief executive officers, chief operating officers, chief financial officers)
- Business process owners and business process architects
- Information architects, information solution builders, information managers, IT architects and IT developers
- Chief information officers and IT management, technology service providers (internal and external), and application managers
- IT operations
- IT security and continuity professionals
- Assurance professionals, including internal and external auditors
- External audit staff
- Records management professionals and knowledge managers
- Data governance and management professionals
- Government and regulators
- Privacy professionals
- Compliance and risk professionals
- Data owners
COBIT 5: Enabling Information builds on COBIT 5 (the framework). Relevant key concepts of COBIT 5 are repeated and elaborated on in this guide, making it a fairly stand-alone guide—not requiring any prerequisite knowledge of COBIT 5. However, an understanding of COBIT 5 principles, concepts and structure at the foundation level can accelerate and improve comprehension of the contents of this guide.
Steven De Haes, Ph.D.
Is associate professor at the University of Antwerp and the Antwerp Management School (Belgium) and academic director of the IT Alignment and Governance (ITAG) Research Institute and the Executive Masters in IT Governance & Assurance and Enterprise IT Architecture. He can be contacted at firstname.lastname@example.org.
Information and Communications Technology Study of Public Health Institutions in Mexico
By Carlos Zamora Sotelo, CISA, CISM, CGEIT, and Carlos H. Garcia Orozco
Health services are a crucial activity worldwide and reflect the level of awareness and social development of a country. In Mexico, 44 percent of the people perceive the main problem of health services to be poor quality, with the affecting factors being timely care services, quality of diagnosis and treatment [1]. Another crucial issue is the availability of medical records among public health institutions, in which information and communication technologies (ICTs) play a key role. According to the Organisation for Economic Co-operation and Development (OECD), Mexico is among the countries with the lowest expenditure on health. However, it has been increasing steadily over the previous decade [2].
The ICT Study of Public Health Institutions in Mexico [3] was conducted under the sponsorship of Strategic Consulting Information Technology (ConSETI) and Brio Software Mexico (Brio). ConSETI and Brio are using this study to help evolve health services in Mexico. The study includes a gap/risk analysis of the current ICT situation, proposing recommendations that will lead to the improvement and implementation of better ICT objectives in the public health institutions. For this purpose, the sponsors became convinced of the importance of using COBIT 5 and recognized it as the best practice framework for the governance and management of enterprise IT (GEIT). It provides a holistic view and a common language between ICT and business. Thus, for the as-is stage of this study—the understanding and evaluation of the current situation—the goals sought through COBIT were to:
- Select the main processes
- Identify the current health services’ capacities, gaps and risk factors related to those gaps
- Reach implementation and maturity goals
COBIT 5 utilization in the ICT assessment of public health institutions in Mexico was focused on the following areas:
- Defining the IT substantive processes—According to COBIT 5 and as a first step, ConSETI and Brio selected the business objectives that had the highest impact on citizens. Eight were selected and mapped to IT-related objectives, as shown in figure 1, resulting in 13 IT-related objectives (highlighted in green in figure 1).
The second step was to map IT-selected objectives vs. the 37 primary COBIT processes. Figure 2 is an example of the Align, Plan and Organize (APO) process with seven priority processes. The total number of processes selected was 34.
- Scoring process capacities—For this assessment, the COBIT 4.1 process maturity model was used rather than the newer COBIT Process Assessment Model (PAM), because the PAM framework was released after the conclusion of the assessment.
The COBIT 4.1 process maturity model was used for scoring the selected IT processes, taking into account the following attributes: responsibility and accountability; skills and expertise; policies, plans and procedures; awareness and communication; goal setting and measurement; and tools and automation. Every attribute was evaluated according to the maturity levels defined in COBIT to obtain the final score for every selected process, as shown in figure 3.
- Gap analysis—To determine gaps, the fourth capability level (the process is able to generate the results defined) was set as the goal to achieve and was contrasted against the capability level evaluated previously. Process capability level 4 (ensure efficient and effective health services, and make processes predictable) was established as the goal and is the basis for further definition of the strategy and action plan.
- Associated risk—To identify the risk factors of each COBIT process selected, the gaps identified in the gap analysis were used to evaluate the potential negative impact those gaps could have if they were not adequately addressed and the risk materialized. Relevant and inherent risk scenarios for each process were generated. For this, it was necessary to build on the mapping of COBIT risk scenarios. Figure 4 is an example of the mapping performed.
It is important to mention that, in the identification of risk scenarios, ConSETI and Brio did not evaluate the frequency of occurrence of identified risk.
Integrating the COBIT 5 framework into the ICT Study of Public Health Institutions in Mexico has resulted in the following positive impacts:
- The development of a well-defined, standardized analysis methodology to determine gaps and risk factors associated with the main IT processes selected for health services institutions, related and aligned to major problems such as the availability of health records and improvement of medical consultation time
- Better alignment between IT and business goals and pain points
- The generation of proposals, projects and IT strategies based on gap and risk analysis, according to the capacity goal defined
At this point, COBIT 5 has been used only in the as-is diagnosis. In the future, the sponsors of this study plan to use the same framework for the to-be state, in order to define a competitive portfolio of products and services while implementing governance of enterprise IT and assurance.
Carlos Zamora Sotelo, CISA, CISM, CGEIT
Is the chief executive officer at ConSETI and has more than 15 years of experience in IT audit, and has trained more than 3,000 people. He can be contacted at email@example.com.
Carlos H. García Orozco
Is vice president at Brio and has more than 15 years of experience in IT, software development, and business intelligence assessment and implementation. He can be contacted at firstname.lastname@example.org.
[1] The Organisation for Economic Co-operation and Development (OECD), Mexico
[3] A summary of the study is available at www.tissmexico.net. The complete study is available only to Mexican Public Health Federal Agencies at the Panamerican Public Health Organization Library in Mexico and Washington DC, USA, offices.
Gain From Practical Guidance Based on COBIT 5
By Rolf von Roessing, CISA, CISM, CGEIT
In addition to the publications in the COBIT 5 product family, ISACA supports COBIT users and ISACA constituents with practical guidance to address specific business and technical issues they encounter in their work. Such products include white papers, which provide a high-level introduction to relevant issues; audit/assurance programs to support effective evaluation of specific aspects of IT use; and survey reports.
This practical guidance also includes a number of larger products to address major topics such as cloud technologies, mobile devices and cybersecurity. These larger products frequently use COBIT as the basis for addressing the issues covered. Two recent examples of such products are:
- Securing Mobile Devices Using COBIT 5 for Information Security (November 2012)
- Transforming Cybersecurity Using COBIT 5 (May 2013)
Securing Mobile Devices Using COBIT 5 for Information Security is intended for several audiences who use mobile devices directly or indirectly, including end users, IT administrators, information security managers, service providers for mobile devices and IT auditors. The main purpose of applying COBIT 5 to mobile device security is to establish a uniform management framework and to give guidance on planning, implementing and maintaining comprehensive security for mobile devices in the context of enterprises. The secondary purpose is to provide guidance on how to embed security for mobile devices in a corporate governance, risk management and compliance (GRC) strategy, using COBIT 5 as the overarching framework for GRC.
Transforming Cybersecurity Using COBIT 5 is intended for several audiences who are dealing with cybersecurity directly or indirectly, including information security managers, corporate security managers, end users, service providers, IT administrators and IT auditors. The primary purpose of applying COBIT 5 to the transformation of cybersecurity is to enable a uniform governance, risk management and security management framework for enterprises and other organizations. The secondary purpose is to provide guidance on detailed concepts and steps in transforming cybersecurity and to align these concepts and steps with the existing information security strategy and processes. This publication complements the ISACA publication Responding to Targeted Cyberattacks by integrating cybersecurity and the COBIT 5 product family. Transforming Cybersecurity Using COBIT 5 provides step-by-step guidance to address detailed cybersecurity issues and apply relevant parts of COBIT 5 to them.
These practical products as well as other ISACA research products help professionals address specific business and technical issues effectively and efficiently. Visit the Research page of the ISACA web site for more information on these and other ISACA research products.
Rolf von Roessing, CISA, CISM, CGEIT
Is the president of Forfa AG, a Swiss consulting network, and a retired partner at KPMG Germany. He has served as a consultant with large international banks and insurance companies and was responsible for international projects in business continuity management and information security. Prior to entering the consulting sector, he was head of IT for the EMEA region in a leading global security firm. Von Roessing is a member of ISACA’s Professional Influence and Advocacy Committee and is a past international vice president of ISACA.
Steven A. Babb, CGEIT, CRISC, ITIL, UK, chair
David Cau, ITIL, MSP, Prince2, France
Sushil Chatterji, CGEIT, Singapore
Frank Cindrich, CGEIT, CIPP, CIPP/G, USA
Joanne De Vito De Palma, USA
Jimmy Heschl, CISA, CISM, CGEIT, ITIL, Austria
Katherine McIntosh, CISA, USA
Andre Pitkowski, CGEIT, CRISC, OCTAVE, Brazil
Paras Shah, CISA, CGEIT, CRISC, CA, Australia
Comments regarding the editorial content may be directed to Jennifer Hajigeorgiou, senior editorial manager, at email@example.com.
COBIT Focus is published by ISACA. Opinions expressed in COBIT Focus represent the views of the authors. They may differ from policies and official statements of ISACA and its committees, and from opinions endorsed by authors, employers or the editors of COBIT Focus. COBIT Focus does not attest to the originality of authors’ content.
© ISACA. All rights reserved.
Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Please contact Julia Fullerton at firstname.lastname@example.org.