© 2010 NUS. All Rights Reserved Unless Otherwise Stated. ATA/Lucid/2010-01-25 MUS/ COBIT as IT Mgt Bst-Prctce Frmwrk.ppt/v1.0 COBIT® 5 as IT Management Best Practice Framework 1 Please see Acknowledgements & Notices in last few slides

COBIT 5 as an IT Management Best Practices Framework - by Goh Boon Nam

Page 2: COBIT 5 as an IT Management Best Practices Framework - by Goh Boon Nam

What is COBIT?

Control OBjectives for Information and related Technology

International framework from ISACA and IT Governance Institute

Helps maximise value of IT to businesses

Originally, more for monitoring / audit / risk assessment of IT management processes

Increasingly recognised as comprehensive framework of IT Management best practices

■ Advises on WHAT to do

■ Some high-level guidance on HOW to do it

Currently Version 5

Page 3: COBIT 5 as an IT Management Best Practices Framework - by Goh Boon Nam

COBIT - Governance and Management

[Figure: COBIT governance and management diagram. Annotations: "Strategic", "Tactical", "Operational"; "generally, the responsibility of Board of Directors".]

Nb: Words in green above are NOT part of COBIT but were added by the author of this presentation.

Page 4: COBIT 5 as an IT Management Best Practices Framework - by Goh Boon Nam

COBIT5 Processes

Domains and their processes:

Governance

• Ensure Governance Framework Setting and Maintenance

• Ensure Benefits Delivery

• Ensure Risk Optimisation

• Ensure Resource Optimisation

• Ensure Stakeholder Transparency

Align, Plan & Organise

• Manage the IT Management Framework

• Manage Strategy

• Manage Innovation

• Manage Enterprise Architecture

• Manage Portfolio

• Manage Budget and Costs

• Manage Human Resources

• Manage Relationships

• Manage Service Agreements

• Manage Suppliers

• Manage Quality

• Manage Risk

• Manage Security

Build, Acquire & Implement

• Manage Programmes & Projects

• Manage Requirements Definition

• Manage Solutions Identification and Build

• Manage Availability & Capacity

• Manage Change Acceptance and Transitioning

• Manage Organisational Change Management

• Manage Changes

• Manage Knowledge

• Manage Assets

• Manage Configuration

Deliver, Service & Support

• Manage Operations

• Manage Service Requests & Incidents

• Manage Problems

• Manage Continuity

• Manage Security Services

• Manage Business Process Controls

Monitor, Evaluate & Assess

• Monitor, Evaluate and Assess Performance & Conformance

• Monitor, Evaluate and Assess the System of Internal Control

• Monitor, Evaluate and Assess Compliance with External Requirements

Page 5: COBIT 5 as an IT Management Best Practices Framework - by Goh Boon Nam

Domain BAI - Build, Acquire & Implement

Nb: Bold headings are author’s own categorisation & are not part of COBIT

Programmes

■ Manage Programmes (and Projects)

Projects

■ Manage (Programmes and) Projects

Requirements

■ Manage Requirements Definition

■ Manage Availability & Capacity

Design & Build

■ Manage Solutions Identification and Build

Test & Implement

■ Manage Change Acceptance and Transitioning

Changes

■ Manage (IT) Changes

■ Manage Organisational Change Management

Supporting Processes

■ Manage Knowledge

■ Manage Assets

■ Manage Configuration

Page 6: COBIT 5 as an IT Management Best Practices Framework - by Goh Boon Nam

Domain BAI - Build, Acquire & Implement

[Figure: Build, Acquire & Implement (BAI). Labels: Programme Management; (Generic) Project Management; IT Systems Devt Life Cycle Mgt; Requirements & Feasibility; Design & Build; Test & Implement; Manage Changes; IT and Organisational; Support Processes; Knowledge, Asset, Configuration.]

Nb: Above is NOT part of COBIT. Used only to help in explaining the relationships within COBIT.

Page 7: COBIT 5 as an IT Management Best Practices Framework - by Goh Boon Nam

BAI Relationship with APO

[Figure: Build, Acquire & Implement (BAI) and Align, Plan & Organise (APO). Labels: Pre-Project, Development, Production; (Strategic); (Tactical); IT Strategy / Innovation / Ent. Architecture / Portfolio Management; IT Ongoing Management; Programme Management; (Generic) Project Management; IT Systems Devt Life Cycle Mgt; Requirements & Feasibility; Design & Build; Test & Implement; Manage Changes; IT and Organisational; Support Processes; Knowledge, Asset, Configuration.]

Nb: Above is NOT part of COBIT. Used only to help in explaining the relationships within COBIT.

Page 8: COBIT 5 as an IT Management Best Practices Framework - by Goh Boon Nam

Domain APO – Align, Plan & Organise

Strategy/ Architecture / Portfolio

■ Manage the IT Management Framework

■ Manage Strategy

■ Manage Innovation

■ Manage Enterprise Architecture

■ Manage Portfolio

IT Ongoing Management

■ Manage Budget and Costs

■ Manage Human Resources

■ Manage Relationships

■ Manage Service Agreements

■ Manage Suppliers

■ Manage Quality

■ Manage Risk

■ Manage Security

Nb: Bold headings are author’s own categorisation & are not part of COBIT

[Figure: labels: IT Strategy / Architecture / Portfolio Management; IT Ongoing Management; Programme Management; (Generic) Project Management; IT Systems Devt Life Cycle Mgt; Requirements & Feasibility; Design & Build; Test & Implement; Manage Changes; IT and Organisational; Support Processes; Knowledge, Asset, Configuration.]

Page 9: COBIT 5 as an IT Management Best Practices Framework - by Goh Boon Nam

COBIT Domains – Deliver, Service & Support (DSS)

Service Operations

■ Manage Operations

■ Manage Service Requests & Incidents

■ Manage Problems

■ Manage Continuity

■ Manage Security Services

■ Manage Business Process Controls

Nb: Bold headings are author’s own categorisation & are not part of COBIT

Page 10: COBIT 5 as an IT Management Best Practices Framework - by Goh Boon Nam

DSS Relationship with BAI & APO

[Figure: Align, Plan & Organise (APO); Build, Acquire & Implement (BAI); Deliver, Service & Support (DSS). Labels: Pre-Project, Development, Production; (Strategic); (Tactical); (Operational); IT Strategy / Innovation / Ent. Architecture / Portfolio Management; IT Ongoing Management; Programme Management; (Generic) Project Management; IT Systems Devt Life Cycle Mgt; Requirements & Feasibility; Design & Build; Test & Implement; Manage Changes; IT & Organisational; Support Processes; Knowledge, Assets, Configuration; Service Operations.]

Nb: Above is NOT part of COBIT. Used only to help in explaining the relationships within COBIT.

Page 11: COBIT 5 as an IT Management Best Practices Framework - by Goh Boon Nam

COBIT Domains – Monitor, Evaluate & Assess

Monitor, Evaluate and Assess

■ Performance & Conformance

■ System of Internal Control

■ Compliance with External Requirements

Nb: Bold headings are author’s own categorisation & are not part of COBIT

Page 12: COBIT 5 as an IT Management Best Practices Framework - by Goh Boon Nam

MEA Relationship with APO / BAI / DSS

[Figure: Align, Plan & Organise (APO); Build, Acquire & Implement (BAI); Deliver, Service & Support (DSS); Measure, Evaluate & Assess (MEA). Labels: Pre-Project, Development, Production; (Strategic); (Tactical); (Operational); IT Strategy / Innovation / Ent. Architecture / Portfolio Management; IT Ongoing Management; Programme Management; (Generic) Project Management; IT Systems Devt Life Cycle Mgt; Requirements & Feasibility; Design & Build; Test & Implement; Manage Changes; IT & Organisational; Support Processes; Knowledge, Assets, Configuration; Service Operations; Measure, Evaluate & Assess.]

Nb: Above is NOT part of COBIT. Used only to help in explaining the relationships within COBIT.

Page 13: COBIT 5 as an IT Management Best Practices Framework - by Goh Boon Nam

COBIT Domains – Governance

Monitor, Evaluate & Direct to:

■ Ensure Governance Framework Setting and Maintenance

■ Ensure Benefits Delivery

■ Ensure Risk Optimisation

■ Ensure Resource Optimisation

■ Ensure Stakeholder Transparency

Nb: Bold headings are author’s own categorisation & are not part of COBIT

Page 14: COBIT 5 as an IT Management Best Practices Framework - by Goh Boon Nam

Governance Relationship To Management

[Figure: Align, Plan & Organise (APO); Build, Acquire & Implement (BAI); Deliver, Service & Support (DSS); Measure, Evaluate & Assess (MEA); (Governance). Labels: Monitor, Evaluate, Direct; Pre-Project, Development, Production; (Strategic Mgt); (Tactical Mgt); (Operational Mgt); IT Strategy / Innovation / Ent. Architecture / Portfolio Management; IT Ongoing Management; Programme Management; (Generic) Project Management; IT Systems Devt Life Cycle Mgt; Requirements & Feasibility; Design & Build; Test & Implement; Manage Changes; IT & Organisational; Support Processes; Knowledge, Assets, Configuration; Service Operations; Measure, Evaluate & Assess.]

Nb: Above is NOT part of COBIT. Used only to help in explaining the relationships within COBIT.

Page 15: COBIT 5 as an IT Management Best Practices Framework - by Goh Boon Nam

Further Process Details

COBIT provides further details to the Process

■ Breakdown of Process

• Process

– Management Practices

» Activities

■ RACI for Management Practices

■ Inputs-Outputs for each Activity

■ Metrics for the overall process

• IT-related

• Process-related

Page 16: COBIT 5 as an IT Management Best Practices Framework - by Goh Boon Nam

COBIT Process Details – Management Practices

Process: Manage Programmes and Projects

Management Practices:

■ Maintain a standard approach for programme and project management

■ Initiate a programme

■ Manage stakeholder engagement

■ Develop and maintain the programme plan

■ Launch and execute the programme

■ Monitor, control and report on the programme outcomes

■ Start up and initiate projects within a programme

■ Plan projects

■ Manage programme and project quality

■ Manage programme and project risk

■ Monitor and control projects

■ Manage project resources and work packages

■ Close a project or iteration

■ Close a programme

Page 17: COBIT 5 as an IT Management Best Practices Framework - by Goh Boon Nam

COBIT Process Details – Management Practices and Activities

Process: Manage Programmes and Projects

Management Practices (■) and Activities (•):

■ Maintain a standard approach for programme and project management

■ Initiate a programme

• Agree on programme sponsorship and appoint a programme board/committee with members who have strategic interest in the programme, have responsibility for the investment decision making, will be significantly impacted by the programme and will be required to enable delivery of the change.

• Confirm the programme mandate with sponsors and stakeholders. Articulate the strategic objectives for the programme, potential strategies for delivery, improvement and benefits that are expected to result, and how the programme fits with other initiatives.

• Develop a detailed business case for a programme, if warranted. Involve all key stakeholders to develop and document a complete understanding of the expected enterprise outcomes, how they will be measured, the full scope of initiatives required, the risk involved and the impact on all aspects of the enterprise. Identify and assess alternative courses of action to achieve the desired enterprise outcomes.

• Develop a benefits realisation plan that will be managed throughout the programme to ensure that planned benefits always have owners and are achieved, sustained and optimised.

• Prepare and submit for in-principle approval the initial (conceptual) programme business case, providing essential decision-making information regarding purpose, contribution to business objectives, expected value created, time frames, etc.

• Appoint a dedicated manager for the programme, with the commensurate competencies and skills to manage the programme effectively and efficiently.

■ Manage stakeholder engagement.

■ …

Page 18: COBIT 5 as an IT Management Best Practices Framework - by Goh Boon Nam

COBIT Process Details – RACI for Management Practices

Page 19: COBIT 5 as an IT Management Best Practices Framework - by Goh Boon Nam

COBIT Process Details – Inputs-Outputs for Each Activity

Page 20: COBIT 5 as an IT Management Best Practices Framework - by Goh Boon Nam

COBIT Process Details – IT-Related Metrics

Example - from Manage Programmes and Projects process

Page 21: COBIT 5 as an IT Management Best Practices Framework - by Goh Boon Nam

COBIT Process Details – Process-Related Metrics

Example - from Manage Programmes and Projects process

Page 22: COBIT 5 as an IT Management Best Practices Framework - by Goh Boon Nam

Other Key Elements of COBIT

Principles

Enablers

Lifecycle Approach

Process Capability Model

COBIT 5 Product Family

Page 23: COBIT 5 as an IT Management Best Practices Framework - by Goh Boon Nam

Principles

Page 24: COBIT 5 as an IT Management Best Practices Framework - by Goh Boon Nam

Enablers

Page 25: COBIT 5 as an IT Management Best Practices Framework - by Goh Boon Nam

Lifecycle Approach

Page 26: COBIT 5 as an IT Management Best Practices Framework - by Goh Boon Nam

Process Capability Model

Page 27: COBIT 5 as an IT Management Best Practices Framework - by Goh Boon Nam

COBIT 5 Product Family

Page 28: COBIT 5 as an IT Management Best Practices Framework - by Goh Boon Nam

COBIT 5 Mapping to Other Frameworks

Nb: Some of the other frameworks can map to more than one COBIT domain (e.g. ITIL/COBIT) but for simplicity, only one domain is mapped here.

Page 30: COBIT 5 as an IT Management Best Practices Framework - by Goh Boon Nam

Acknowledgements & Sources

Sources used in this presentation:

■ Information Systems Audit and Control Association. (2012). COBIT 5: Enabling processes. Rolling Meadows, IL: ISACA.

Page 31: COBIT 5 as an IT Management Best Practices Framework - by Goh Boon Nam

Acknowledgements & Notices

COBIT® is a registered trade mark of ISACA and the IT Governance Institute

CGEIT® is a registered trade mark of ISACA

TOGAF is a registered trademark of The Open Group in the United States and other countries

CBAP® is a registered certification mark owned by International Institute of Business Analysis

CISSP is a registered Trademark of (ISC)2

SCRUM Alliance REP SM is a service mark of Scrum Alliance, Inc.

PMP is a registered mark of Project Management Institute, Inc.

ITIL®, PRINCE2®, P3O®, MSP® are registered trade marks of the Cabinet Office

CMMI is registered in the U.S. Patent and Trademark Office by Carnegie Mellon University

The Swirl logo™ is a trade mark of the Cabinet Office

© 2011 NUS unless otherwise stated. The contents of this document may not be reproduced in any form or by any means, without the written permission of ISS, NUS, other than for the purpose for which it has been supplied

Page 32: COBIT 5 as an IT Management Best Practices Framework - by Goh Boon Nam

The End