
Volume 4, October 2013

In This Issue:
• What Does COBIT 5 Mean for Your Business?
• Using COBIT 5 for Risk Management
• COBIT and the CPA Firm
• COBIT 5: Enabling Information Update
• Information and Communications Technology Study of Public Health Institutions in Mexico
• Gain From Practical Guidance Based on COBIT 5

Call for Articles
How are you using COBIT® at your enterprise? We welcome articles on your experiences with this framework. Deadline to submit copy for volume 1, 2014: 4 December 2013. Submit articles for peer review to: [email protected]

Case Studies
Visit the COBIT Recognition and Case Studies pages to read more COBIT 5 and COBIT 4.1 case studies.

What Does COBIT 5 Mean for Your Business?
By Sagar Anisingaraju

When it comes to enterprise use of IT assets, executives are looking for answers to three things:
1. Is the organization getting IT right?
2. Is the organization buying or building the right IT capabilities?
3. Are there any gaps in capabilities exposing the business to unwarranted risk?

For most companies, the answers to these questions come from understanding the underlying multiple frameworks used across operations. For example, COBIT®1, 2 enables companies to improve IT governance by ensuring that appropriate process, governance and management enablers are used to build IT capabilities to achieve stakeholder goals. As a framework that can be used to measure and monitor IT services and implement best practices for those services, ITIL3 provides an operational level of service management. The ISO/IEC 27000 series4 comprises the preferred standards used by IT security professionals. For companies that compete in regulated segments such as banking, insurance, utilities or health care, additional industry-specific standards, frameworks and guidelines may be in use.

When an organization leverages multiple standards, frameworks and guidelines, it may end up creating separate controls recommended by each that are managed separately. As a result, it not only creates duplicate work, as controls may be overlapping, but more important, it becomes challenging for executives to get a comprehensive understanding of their organization’s IT risk exposure and governance process. Current tools that enable organizations to create a shared library of common controls across frameworks are cumbersome to use and manage. Control libraries often become huge and complex to use for most companywide governance, risk and compliance (GRC) initiatives.

COBIT® 5, the latest edition of ISACA’s globally accepted framework for governance and management of enterprise IT (GEIT), addresses this issue. It provides an end-to-end business view that integrates other standards, frameworks and guidelines, such as ITIL and ISO/IEC 27001, into an overall enterprise governance and management framework. With a COBIT 5-inspired model, stakeholders such as security professionals, IT operations executives and IT auditors can see how their work relates to the overall scope of governance and management. COBIT 5 does not replace these other sources of reference. Instead, it is an overarching umbrella framework that helps them all fit together. For example, COBIT 5 is the frame on which ITIL can provide additional color for daily management of IT operations. Using this frame embodies the same essential principles of business analysis, helping information and technology teams to achieve strategic business goals.

Come join the discussion! Sagar Anisingaraju will respond to questions in the discussion area of the COBIT 5—Use It Effectively topic beginning 21 October 2013.

IT has always had to deal with risk factors such as cyberattacks, external hacking and disgruntled employees. New risk factors are, however, driven by consumerization of IT—ranging from bring your own device (BYOD) to social media and associated big data.

With these new unstructured external threats, the security perimeter is changing. COBIT® 5 for Information Security offers additional, security-specific guidance designed to help your IT department implement an effective framework and reduce risk exposures.

The key changes in COBIT 5 include:
• A clear distinction between governance and management, bringing greater relevance to a wider business audience
• A linkage between specific IT-enabler goals and broader enterprise-level goals. It also includes more explicit guidance to levers of change (enablers) beyond process, such as culture, ethics, behavior, people, skills and competencies.
• Modifications to the process model, including new processes
• A new process capability assessment approach, which replaces the COBIT 4.1 capability maturity model (CMM)-based modeling

COBIT 5 is not a panacea. It is not something to lift and use exactly as-is. Each enterprise needs to map it and mold it to the business’s requirements, organizational structure and processes. The comprehensive scope of COBIT 5 guidance may overwhelm new users and inhibit its adoption. Use of all available ISACA guidance and tools, as well as having key staff take the COBIT 5 training available in the marketplace (COBIT Foundation, COBIT Implementation and COBIT Assessor courses), is highly recommended.

COBIT 5 should be implemented to ensure that the organization has a road map that will allow it to address all of its IT governance and risk issues. If the organization is already using some level of COBIT selectively within pockets of the organization, the changes in COBIT 5 should be reviewed to identify where it can help address specific issues or organizational changes. In addition, with COBIT 5 as a single enterprisewide IT GRC framework, the organization can implement a comprehensive analytics solution that enables it to continuously measure and improve its governance status, risk exposure, and overall compliance with policies and regulations. There will be no further need to reconcile multiple silos through reports to assess the organization’s overall risk or compliance status.

COBIT 5 is an important milestone. Adopting it will be a very promising journey to simplify the organization’s efforts in implementing a single organizationwide GRC framework. If the organization already has a mature GRC environment, it will quickly realize that COBIT 5 gives it a better handle on GEIT. If the organization is just starting, COBIT 5 will give it the formal road map it needs for a fast-track approach.

Sagar Anisingaraju is the chief strategy officer at Saama Technologies Inc. Anisingaraju creates strategic initiatives to lead Saama into emerging business areas with competitive differentiation. He enjoys his time spent with customers to understand their business problems specifically related to big data. He was the winner of the 2013 Chief Strategy Officer of the Year award, presented by Innovation Enterprise.

Endnotes
1 ISACA, COBIT 5, USA, 2012
2 ISACA, COBIT 5 Training and Accreditation FAQs
3 APM Group Ltd., ITIL
4 International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), ISO/IEC 27000, Information Security Management Systems (ISMS) standards


Using COBIT 5 for Risk Management
By Steven Babb, CGEIT, CRISC, ITIL

COBIT® 5 provides a comprehensive framework that assists enterprises in achieving their objectives for the governance and management of enterprise IT (GEIT). Simply stated, it helps enterprises create optimal value from IT by maintaining a balance between realizing benefits and optimizing risk levels and resource use. COBIT 5 enables IT to be governed and managed in a holistic manner for the entire enterprise, taking into account the full end-to-end business and IT functional areas of responsibility and the requirements of internal and external stakeholders.

COBIT® 5 for Risk builds on the COBIT 5 framework. Focused on risk, it provides more detailed and practical guidance for risk professionals and other interested parties at all levels of the enterprise on how to use COBIT 5 to support a variety of IT risk activities. It also elaborates on using the COBIT 5 enablers for risk management in practice. Finally, it introduces and aligns the elements of COBIT 5 found in COBIT 5 for Risk with relevant IT or ERM standards and practices, including COSO Enterprise Risk Management, ISO 31000, ISO/IEC 27005 and ISO Guide 73.

For an enterprise that is already using COBIT 5 as its framework for GEIT, COBIT 5 for Risk enables the enterprise to leverage COBIT 5 when planning how to build and sustain a risk function and how to optimize risk and identify, analyze, respond to and report on risk on a daily basis.

There are multiple drivers for risk management in the enterprise; they contribute to improving business outcomes, decision making and overall strategy. Improving these areas is accomplished by providing stakeholders with substantiated and consistent opinions on the current state of risk throughout the enterprise, guidance on how to manage the risk to levels within the enterprise’s risk appetite, guidance on how to set up the appropriate risk culture for the enterprise, and, wherever possible, quantitative risk assessments that enable stakeholders to consider the cost of mitigation and the required resources against the loss exposure.

As it uses COBIT 5 for Risk, the enterprise will gain risk-related capabilities. And, through development of greater risk capabilities, an enterprise can attain various benefits. These potential benefits include:
• More accurate identification of risk and measurement of success in addressing risk
• Better understanding of the risk impact on the enterprise
• End-to-end guidance on how to manage risk
• Knowledge of how to capitalize on investments related to IT risk management practices
• Understanding of how effective IT risk management optimizes value with business process effectiveness and efficiency, improved quality, and reduced waste and costs
• Opportunities to integrate IT risk management with enterprise risk and compliance structures
• Improved communication and understanding among all internal and external stakeholders, due to the use of a common and sustainable globally accepted framework and language for assessing and responding to risk
• Promotion of risk responsibility and acceptance across the enterprise
• A complete risk profile, identifying the full enterprise risk exposure and enabling better utilization of enterprise resources
• Improved risk awareness throughout the enterprise

COBIT 5 for Risk appeals to multiple parties, each finding various benefits. Boards and executive management can gain a better understanding of their responsibilities and roles with regard to IT risk management and the implications of IT risk on enterprise strategic objectives. Risk managers responsible for enterprise risk management (ERM) can find assistance with managing IT risk according to generally accepted ERM principles and incorporating IT risk into enterprise risk. Operational risk managers can link back to COBIT 5 and gain guidance on identifying operational losses or developing key risk indicators (KRIs).

Steven A. Babb, CGEIT, CRISC, ITIL is head of governance, risk and assurance for Betfair, one of the world’s largest online sports betting providers. Babb leads a global team of security, risk, compliance and assurance professionals. Prior to this, he was head of technology risk in the UK practice of KPMG’s risk consulting team and has more than 16 years of consulting and assurance experience covering areas such as IS governance, IT risk and control, service management, and program and project management. Babb chairs ISACA’s Framework Committee and the COBIT for Risk Task Force and was also a member of ISACA’s Risk IT and COBIT 5 development teams.


COBIT and the CPA Firm
By R. Curtis Thompson, CISA, CPA.CITP

With the introduction of COBIT® 5, the framework is moving toward a more global application to the enterprise. But, can a smaller organization still take advantage of COBIT 5 to help direct its IT function? This is an account of one organization’s beginning steps toward implementing COBIT 5.

Yount, Hyde & Barbour is a mid-sized regional accounting firm with 21 shareholders and 140 employees. The firm has six locations, with at least 20 people working remotely or at a client’s location at any given time. Thus, there is a complexity to the IT function that is greater than the size of the organization would suggest. The loss of the firm’s IT manager and an IT staff member reduced the IT staff to a single person. While this was a major issue for an accounting firm in the middle of its busiest season, it was an opportunity to redefine the IT function for the entire firm. Several short-term fixes were initiated (hiring an IT generalist and relying on an outsourced vendor to fill in gaps in staffing).

The shareholders of the firm had always had an IT steering committee to communicate the firm’s direction and needs to the IT manager, but the committee had not taken a true governance role. The risk advisory services team was comprised of several Certified Information Systems Auditors (CISAs), including the principal, who was the chair of the IT steering committee. Therefore, it was a logical direction for the IT steering committee to look to the newly released COBIT 5 as the framework on which to develop a better IT function.

COBIT 5 has a diagram that perfectly illustrates the separation of governance and management (figure 1). Defining management’s role as planning, building, running and monitoring appropriately separates it from the role of governance. Defining governance’s role as monitoring, evaluating and giving direction enables the IT steering committee to understand its role and eliminate a tendency for micromanaging the IT function.

The COBIT 5 process reference model illustrates the various processes (figure 2). It lays out the overall scope of the IT function nicely, but is this excessive for an IT department with only one to three staff members? In an accounting firm with 21 partners, all with different practices, there is a great variety of requirements and opinions. While a full implementation of the framework would likely be overly burdensome, there is a great advantage to using the model to design the processes and roles. Some areas will need to be fully documented and formally put in place; others may be more ad hoc and informal.

Come join the discussion! R. Curtis Thompson will respond to questions in the discussion area of the COBIT 5—Use It Effectively topic beginning 21 October 2013.

Figure 1—COBIT 5 Governance and Management Key Areas

Source: ISACA, COBIT 5, USA, 2012, figure 15


The firm is a small organization with a lot of demands on resources. The effort to organize the IT function using a framework so that it can be efficient and fill the needs and expectations of the stakeholders is ongoing. COBIT 5 is a solution for organizing and integrating the IT function within the overall organization. One advantage that the firm has is that the shareholders and staff understand the importance of IT to filling the needs of the firm and its clients effectively and efficiently.

COBIT 5 Implementation lays out seven phases for implementing COBIT 5. Using this guide, the firm began by identifying the drivers as well as the challenges of the initiative (phase 1, What are the drivers?). There were several drivers for the firm. There was a general disconnect between IT and the needs of the professionals. With different practices across the firm there are different needs that were not always understood or addressed. While IT spending was within budget, spending did not always follow the needs of the firm. And for the IT department, one of the biggest issues was the rarely consistent, individual demands of 21 individual shareholders.

The firm is currently between phase 2 (Where are we now?) and phase 3 (Where do we want to be?). These phases are logically being worked on concurrently but are challenging. The busy schedules of the professional staff and the demands on a small IT department tend to interfere with planning sessions and discussions. Milestones and deadlines are now being put in place to help keep the project on track. Some departments have completed the process of identifying where they are and where they want to be. This has been accomplished through planning sessions and discussions. With the input of the IT steering committee, the remaining departments will get these phases completed so the next phases can begin. Plans are in place to begin phase 4 (What needs to be done?) and phase 5 (How do we get there?) in early November.

Figure 2—COBIT 5 Process Reference Model

Source: ISACA, COBIT 5, USA, 2012, figure 16


Training Update

COBIT 5 Foundation
The COBIT 5 Foundation course introduces the candidate to COBIT’s five basic principles and includes extensive guidance on enablers for governance and management of enterprise IT (GEIT).

COBIT 5 Implementation
This is a practitioner-level course in which candidates acquire the knowledge to apply the COBIT 5 good-practice, continual-improvement, life-cycle approach to GEIT and tailor it to suit the needs of a specific enterprise.

COBIT 5 Assessor
This practitioner-level course is part of the COBIT Certified Assessor program, which focuses on how to apply the COBIT Process Assessment Model and how to analyze the results. Upon successful completion of the Assessor course, passing the Assessor exam, and attaining five or more years of work experience performing process-based activities, candidates may apply to become a COBIT Certified Assessor.

COBIT 5 has helped the firm think about its IT processes and how they interrelate with the objectives of the firm. Even in a small organization like Yount, Hyde & Barbour, there is room for a framework to help direct the structure and function.

R. Curtis Thompson, CISA, CPA.CITP is a shareholder at Yount, Hyde & Barbour, PC, a regional CPA firm. His practice is focused on technology and internal controls services for various industries with a concentration in financial institutions.

COBIT 5: Enabling Information Update
By Steven De Haes, Ph.D.

The latest publication in the COBIT® 5 product family, COBIT® 5: Enabling Information, will be published in November 2013. Focusing on the information asset as an enabler, the main advantage COBIT® 5: Enabling Information will provide is the reference guide to assist COBIT 5 users with structured thinking about information and typical information governance and management issues in any type of organization. This structured thinking can be applied throughout the life cycle of information, from conception and design, through building information systems, securing information, using information, providing assurance over information, and disposing of information.

This guide will provide information practitioners with the following three key benefits:
• A comprehensive information model, based on the generic COBIT 5 enabler model, that comprises all aspects of information, e.g., stakeholders, goals (quality), life-cycle stages and good practices (information attributes). The information model allows practitioners to effectively consider and develop relevant, usable information models from a governance and management point of view.
• Guidance on how to use an established governance and management framework (COBIT 5) to address common information governance and management issues (e.g., big data, master data management, information disintermediation and privacy) and how COBIT 5 principles and concepts, especially the enablers, can address these issues
• An understanding of the reasons why information needs to be managed and governed in an appropriate way and the criticality of information that is contained within a given context

The guide will assist enterprises with information issues and challenges such as:
• Demand-side/use of information
• Big data, covering three areas:
  - Marketing situational awareness (variety of information)
  - Fraud detection (volume of information)
  - IT predictive analytics (velocity of information)
• Master and reference data management
• End-user computing
• Disintermediation
• Regulatory compliance
• Privacy

The intent of this guide is to provide readers with a better understanding of information governance and management issues and improve their ability to generate benefits and manage information-related risk. This guide supports readers in their efforts to use information-centric thinking about their enterprise.


The target audience groups for this publication include a broad range of business and IT professionals, since all work with information as a resource and/or asset, including:
• Board and executive management (i.e., chief executive officers, chief operating officers, chief financial officers)
• Business process owners and business process architects
• Information architects, information solution builders, information managers, IT architects and IT developers
• Chief information officers and IT management, technology service providers (internal and external), and application managers
• IT operations
• IT security and continuity professionals
• Assurance professionals, including internal and external auditors
• External audit staff
• Records management professionals and knowledge managers
• Data governance and management professionals
• Government and regulators
• Educators
• Privacy professionals
• Compliance and risk professionals
• Data owners

COBIT 5: Enabling Information builds on COBIT 5 (the framework). Relevant key concepts of COBIT 5 are repeated and elaborated on in this guide, making it a fairly stand-alone guide—not requiring any prerequisite knowledge of COBIT 5. However, an understanding of COBIT 5 principles, concepts and structure at the foundation level can accelerate and improve comprehension of the contents of this guide.

Steven De Haes, Ph.D. is associate professor at the University of Antwerp and the Antwerp Management School (Belgium) and academic director of the IT Alignment and Governance (ITAG) Research Institute and the Executive Masters in IT Governance & Assurance and Enterprise IT Architecture. He can be contacted at [email protected].

Information and Communications Technology Study of Public Health Institutions in Mexico
By Carlos Zamora Sotelo, CISA, CISM, CGEIT, and Carlos H. Garcia Orozco

Health services are a crucial activity worldwide and reflect the level of awareness and social development of a country. In Mexico, 44 percent of the people perceive the main problem of health services to be poor quality, with the affecting factors being timely care services, quality of diagnosis and treatment.1 Another crucial issue is the availability of medical records among public health institutions in which information and communication technologies (ICTs) play a key role. According to the Organisation for Economic Co-operation and Development (OECD), Mexico is among the countries with the lowest expenditure on health. However, it has been increasing steadily over the previous decade.2

The ICT Study of Public Health Institutions in Mexico3 was conducted under the sponsorship of Strategic Consulting Information Technology (ConSETI) and Brio Software Mexico (Brio). ConSETI and Brio are using this study to help evolve health services in Mexico. The study includes a gap/risk analysis of the current ICT situation, proposing recommendations that will lead to the improvement and implementation of better ICT objectives in the public health institutions. For this purpose, the sponsors became convinced of the importance of using COBIT® 5 and recognize it as the best practice framework for the governance and management of enterprise IT (GEIT). It provides a holistic view, and a common language between ICT and business. Thus, for the as-is stage of this study—the understanding and evaluation of the current situation—the goals sought through COBIT® were to:
• Select the main processes
• Identify the current health services’ capacities, gaps and risk factors related to those gaps
• Reach implementation and maturity goals

Come join the discussion! Carlos Zamora Sotelo and Carlos H. García Orozco will respond to questions in the discussion area of the COBIT 5—Use It Effectively topic beginning 21 October 2013.

Development
COBIT 5 utilization in the ICT assessment of public health institutions in Mexico was focused on the following areas:
• Defining the IT substantive processes—According to COBIT 5 and as a first step, ConSETI and Brio selected the business objectives that had higher impact on the citizens. Eight were selected and mapped, as shown in figure 1, resulting in 13 IT-related objectives, highlighted in green in figure 1.

Figure 1—Mapping Business Objectives vs. IT Objectives

Business objectives (columns; numbered 4, 5, 6, 7, 11, 13, 16 and 17 in the figure):
• Laws and Regulations Compliance
• Financial Transparency
• Customer Service-oriented Culture
• Continuity and Availability Business Services
• Optimization of Organizational Processes Functionality
• Change Programs Administration in the Organization
• Staff With the Skills and Motivation Required by the Organization
• Organizational Product and Services Innovation Culture

IT-related objectives (rows), grouped by balanced scorecard dimension (F = Financial, C = Citizens/clients, P = Internal processes, A = Learning and growth). Each row lists its primary (P) and secondary (S) relationships to the business objectives as marked in the figure:

Financial
1 IT and business strategy alignment: P P S S
2 IT as a contribution to laws and regulations compliance: P
3 Commitment of the board for decision making related to ICT: S S S S
4 IT risk administration: S P S S
5 IT investments generating value: P S S
6 Transparency in the management of costs, benefits and risks of IT: P

Citizens/clients
7 Product and service delivery in adherence to internal/external client business requirements: S P S S S S S
8 Proper use of applications, information and technology solutions: S S P S S

Internal processes
9 IT capacity and timely deployment: S P S S S
10 Processing, infrastructure and application systems, and information security: P S
11 IT resources, capabilities and asset optimization: S S S
12 Application integration and technology infrastructure for business processes: S P S S
13 Time and cost fulfillment, and standard quality of program delivery: S P
14 Availability of reliable and useful information for decision-making process support: S P
15 IT management compliance through internal policies and procedures: S

Learning and growth
16 Competent and motivated IT staff: S P S
17 Initiatives, knowledge base and experience as enablers of innovation: S S S S P


The second step was to map IT-selected objectives vs. the 37 primary COBIT processes. Figure 2 is an example of the Align, Plan and Organize (APO) process with seven priority processes. The total number of processes selected was 34.

Figure 2—Mapping IT Objectives to COBIT Processes

IT objectives (columns; grouped in the figure as Financial, Clients, Internal Processes and Learning/Growth):
• IT and Business Strategy Alignment
• IT Risk Administration
• IT Investments Generating Value
• Transparency in the Management of Costs, Benefits and Risk of IT
• Proper Use of Applications, Information and Technology Solutions
• IT Capacity and Timely Deployment
• Processing, Infrastructure and Application Systems, and Information Security
• Application Integration and Technology Infrastructure for Business Process
• Time and Cost Fulfillment, and Standard Quality of Program Delivery
• Availability of Reliable and Useful Information for Decision-making Process Support
• Competent and Motivated IT Staff
• Initiatives, Knowledge Base and Experience as Enablers of Innovation

COBIT processes (rows) of the Align, Plan and Organize (APO) domain, each with its primary (P) and secondary (S) relationships to the IT objectives as marked in the figure:
APO01 Manage IT administration framework: P P P P S S S S S S S
APO02 Manage strategy: P S S S S S S S S S
APO03 Manage enterprise architecture: S S S S S P S S S S
APO04 Manage innovation: S S S P S S S P
APO05 Manage portfolio: P S P S S S P S
APO06 Manage budget and costs: S S P P S S
APO07 Human resources management: S S S S S S S S
APO08 Relationship management: S S S S S S S S S
APO09 SLA’s management: S S S S S S S S S
APO10 Third-party services management: S S S S S S S S S S
APO11 Quality management: S S S S S S S S S S
APO12 Manage risk: S S S S S S S S S S
APO13 Manage security: S S S S P S


• Scoring process capabilities—For this assessment the COBIT® 4.1 process maturity model was used rather than the newer COBIT Process Assessment Model (PAM), because the PAM was released after the assessment had concluded. Each selected process was scored on the six maturity attributes of that model: responsibility and accountability; skills and expertise; policies, plans and procedures; awareness and communication; goal setting and measurement; and tools and automation. Each attribute was rated against the maturity levels defined in COBIT, and the attribute ratings were combined into a final score for every selected process, as shown in figure 3.

• Gap analysis—Maturity level 4 (the process is able to produce its defined results) was set as the target and contrasted with the level assessed for each process. Capability level 4 (efficient and effective health services, with predictable processes) is the goal and the basis for the subsequent definition of the strategy and action plan.

• Associated risk—To identify the risk factors of each selected COBIT process, the gaps found in the gap analysis were examined for the negative impact they could have if they were not adequately addressed and the risk materialized. Relevant inherent risk scenarios were generated for each process, building on the COBIT risk scenario mapping. Figure 4 is an example of the mapping performed.

Note that, when identifying risk scenarios, ConSETI and Brio did not estimate the frequency (likelihood) of occurrence of the identified risk; only the potential impact was assessed.

Figure 3—Maturity Scoring Table (Scoring Process Capabilities)

Attributes: RA = Responsibility and Accountability (People); SE = Skills and Expertise (People); PPP = Policies, Plans and Procedures (Process); AC = Awareness and Communication (Process); GSM = Goal Setting and Measurement (Process); TA = Tools and Automation (Technology). Values are COBIT 4.1 maturity levels (0 to 5).

Align, Plan and Organize                  RA  SE  PPP  AC  GSM  TA
APO01 Manage IT administration framework   3   2   2    3   2    2
APO02 Manage strategy                      2   2   2    2   2    2
APO03 Manage enterprise architecture       2   2   2    3   2    2
APO04 Manage innovation                    2   2   2    2   2    2
APO05 Manage portfolio                     2   2   2    2   3    2
APO06 Manage budget and costs              3   3   3    3   2    2
APO13 Manage security                      2   2   2    2   2    2

Figure 4—COBIT Risk Scenario Mapping

Risk scenario: ICT program selection
Risk factors: An inadequate ICT program selection could result in the following: 1. Incorrect programs are selected for implementation, and these programs are misaligned with the institution's strategy and priorities. 2. The communication of the IT strategy to senior management is not effective.
COBIT process: APO02 Manage strategy

Risk scenario: Integration of ICT within business processes
Risk factors: An inadequate integration of ICT within the business could result in the following: 1. The ICT solutions are separate from, and not integrated with, the business processes they support. 2. The ICT solutions do not offer the maximum value to the institute.
COBIT process: EDM01 Ensure governance framework setting and maintenance
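As an added, illustrative example (not part of the ConSETI/Brio study or of COBIT itself), the following Python script runs the gap analysis described above over the attribute scores from figure 3: it parses the rows, derives a capability level per process, computes the gap to the level-4 target, lists the attributes holding each process back and totals those attribute-level gaps by the People/Process/Technology dimension. The aggregation rule is an assumption: the page does not state how the six attribute ratings were combined into a process score, so the script takes the minimum (a process is only as mature as its weakest attribute) and reports the mean alongside for comparison.

```python
"""Gap analysis over COBIT 4.1-style maturity attribute scores.

Added example; not code from the ISACA study. The rows are copied from
figure 3. The aggregation rule (a process scores the MINIMUM of its six
attribute levels) is an assumption of this example, not a rule stated
on the page.
"""
from statistics import mean

TARGET_LEVEL = 4  # capability goal chosen in the study

# Attribute name and the dimension the figure assigns it to.
ATTRIBUTES = (
    ("Responsibility and Accountability", "PEOPLE"),
    ("Skills and Expertise", "PEOPLE"),
    ("Policies, Plans and Procedures", "PROCESS"),
    ("Awareness and Communication", "PROCESS"),
    ("Goal Setting and Measurement", "PROCESS"),
    ("Tools and Automation", "TECHNOLOGY"),
)

# Scores as they appear in figure 3 (APO processes assessed by the study).
FIGURE_3 = """
APO01 Manage IT administration framework 3 2 2 3 2 2
APO02 Manage strategy 2 2 2 2 2 2
APO03 Manage enterprise architecture 2 2 2 3 2 2
APO04 Manage innovation 2 2 2 2 2 2
APO05 Manage portfolio 2 2 2 2 3 2
APO06 Manage budget and costs 3 3 3 3 2 2
APO13 Manage security 2 2 2 2 2 2
"""


def parse_scores(table):
    """Turn the figure's text rows into {process_id: (name, [levels])}."""
    out = {}
    n = len(ATTRIBUTES)
    for line in table.strip().splitlines():
        tokens = line.split()
        levels = [int(t) for t in tokens[-n:]]
        if any(not 0 <= lvl <= 5 for lvl in levels):
            raise ValueError(f"maturity level out of range in: {line!r}")
        out[tokens[0]] = (" ".join(tokens[1:-n]), levels)
    return out


def gap_analysis(scores, target=TARGET_LEVEL):
    """Per process: capability (min attribute, assumed rule), mean, gap to
    the target and the attributes (with dimension and shortfall) below it."""
    result = {}
    for pid, (name, levels) in scores.items():
        capability = min(levels)
        weak = [
            (attr, dim, target - lvl)
            for (attr, dim), lvl in zip(ATTRIBUTES, levels)
            if lvl < target
        ]
        result[pid] = {
            "name": name,
            "capability": capability,
            "mean": round(mean(levels), 2),
            "gap": max(0, target - capability),
            "weak_attributes": weak,
        }
    return result


def prioritise(analysis):
    """Largest gap first; ties broken by lower mean (less partial progress)."""
    return sorted(analysis, key=lambda p: (-analysis[p]["gap"], analysis[p]["mean"], p))


def dimension_summary(analysis):
    """Count attribute-level gaps per dimension across all processes."""
    totals = {dim: 0 for _, dim in ATTRIBUTES}
    for entry in analysis.values():
        for _, dim, _ in entry["weak_attributes"]:
            totals[dim] += 1
    return totals


if __name__ == "__main__":
    analysis = gap_analysis(parse_scores(FIGURE_3))
    for pid in prioritise(analysis):
        e = analysis[pid]
        print(f"{pid} {e['name']}: capability {e['capability']}, "
              f"mean {e['mean']}, gap to level {TARGET_LEVEL} = {e['gap']}")
    print("attribute gaps by dimension:", dimension_summary(analysis))
```

Running it ranks the three processes rated 2 on every attribute (APO02, APO04, APO13) first and APO06 last, and shows that 21 of the 42 attribute-level gaps sit in the three process-dimension attributes, which is the kind of evidence an action plan can be built on. Swapping the minimum for another rule (mean, or a weighted sum) is a one-line change in gap_analysis; whichever rule is chosen should be recorded with the assessment so that later re-assessments remain comparable.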


Research Update

Recently Released COBIT 5 Materials

• COBIT® 5 for Risk
• Configuration Management: Using COBIT® 5

Upcoming Fourth Quarter 2013 COBIT 5 Releases

• COBIT® 5: Enabling Information

Additional COBIT 5 Initiatives in Development

• COBIT® 5 Online:
  - Access to publications in the COBIT 5 product family (tentative release fourth quarter 2013)
  - Access to other non-COBIT ISACA content and current, relevant GEIT material (tentative release first quarter 2014)
  - Ability to customize COBIT with multiple-user access (tentative release third quarter 2014)

For more information on COBIT publications, visit the COBIT 5

page of the ISACA web site.

COBIT 5 translations are available on the COBIT Product

Family page.

Benefits
Integrating the COBIT 5 framework into the ICT Study of Public Health Institutions in Mexico has had the following positive impacts:
• The development of a well-defined, standardized analysis methodology to determine the gaps and risk factors associated with the main IT processes selected for health service institutions, aligned with major problems such as the availability of health records and the reduction of medical consultation time
• Better alignment between IT and business goals and pain points
• The generation of proposals, projects and IT strategies based on the gap and risk analysis, according to the capability goal defined

At this point, COBIT 5 has been used only for the as-is diagnosis. The sponsors of this study plan to use the same framework for the to-be state, in order to define a competitive products and services portfolio while implementing governance of enterprise IT and its assurance.

Carlos Zamora Sotelo, CISA, CISM, CGEIT is the chief executive officer at ConSETI. He has more than 15 years of experience in IT audit and has trained more than 3,000 people. He can be contacted at [email protected].

Carlos H. García Orozco is vice president at Brio and has more than 15 years of experience in IT, software development, and business intelligence assessment and implementation. He can be contacted at [email protected].

Endnotes
1 The Organisation for Economic Co-operation and Development (OECD), Mexico
2 Ibid.
3 A summary of the study is available at www.tissmexico.net. The complete study is available only to Mexican Public Health Federal Agencies at the Panamerican Public Health Organization Library in the Mexico and Washington DC, USA, offices.

Gain From Practical Guidance Based on COBIT 5
By Rolf von Roessing, CISA, CISM, CGEIT

In addition to the publications in the COBIT® 5 product family, ISACA® supports COBIT® users and ISACA constituents with practical guidance on specific business and technical issues they face in their work. Such products include white papers, which provide a high-level introduction to relevant issues; audit/assurance programs to support effective evaluation of specific aspects of IT use; and survey reports.

This practical guidance also includes a number of larger products that address major topics such as cloud technologies, mobile devices and cybersecurity. These larger products frequently use COBIT as the basis for addressing the issues covered. Two recent examples of such products are:
• Securing Mobile Devices Using COBIT® 5 for Information Security (November 2012)
• Transforming Cybersecurity Using COBIT® 5 (May 2013)

Securing Mobile Devices Using COBIT 5 for Information Security is intended for several audiences who use mobile devices directly or indirectly, including end users, IT administrators, information security managers, service providers for mobile devices and IT auditors. The main purpose of applying COBIT 5 to mobile device security is to establish a uniform management framework and to give guidance on planning, implementing and maintaining comprehensive security for mobile devices in an enterprise context. The secondary purpose is to provide guidance on how to embed security for mobile devices in a corporate governance, risk management and compliance (GRC) strategy, using COBIT 5 as the overarching framework for GRC.

Transforming Cybersecurity Using COBIT 5 is intended for several audiences who deal with cybersecurity directly or indirectly, including information security managers, corporate security managers, end users, service providers, IT administrators and IT auditors. The primary purpose of applying COBIT 5 to the transformation of cybersecurity is to enable a uniform governance, risk management and security management framework for enterprises and other organizations. The secondary purpose is to provide guidance on detailed concepts and steps in transforming cybersecurity and to align these concepts and steps with the existing information security strategy and processes. This publication complements the ISACA publication Responding to Targeted Cyberattacks by integrating cybersecurity with the COBIT 5 product family. Transforming Cybersecurity Using COBIT 5 provides step-by-step guidance for addressing detailed cybersecurity issues and applying the relevant parts of COBIT 5 to them.

These practical products, as well as other ISACA research products, help professionals address specific business and technical issues effectively and efficiently. Visit the Research page of the ISACA web site for more information on these and other ISACA research products.

Rolf von Roessing, CISA, CISM, CGEIT is the president of Forfa AG, a Swiss consulting network, and a retired partner at KPMG Germany. He has served as a consultant with large international banks and insurance companies and was responsible for international projects in business continuity management and information security. Prior to entering the consulting sector, he was head of IT for the EMEA region in a leading global security firm. Von Roessing is a member of ISACA's Professional Influence and Advocacy Committee and is a past international vice president of ISACA.

Framework Committee
Steven A. Babb, CGEIT, CRISC, ITIL, UK, chair
David Cau, ITIL, MSP, Prince2, France
Sushil Chatterji, CGEIT, Singapore
Frank Cindrich, CGEIT, CIPP, CIPP/G, USA
Joanne De Vito De Palma, USA
Jimmy Heschl, CISA, CISM, CGEIT, ITIL, Austria
Katherine McIntosh, CISA, USA
Andre Pitkowski, CGEIT, CRISC, OCTAVE, Brazil
Paras Shah, CISA, CGEIT, CRISC, CA, Australia

Editorial Content
Comments regarding the editorial content may be directed to Jennifer Hajigeorgiou, senior editorial manager, at [email protected].

COBIT Focus is published by ISACA. Opinions expressed in COBIT Focus represent the views of the authors. They may differ from policies and official statements of ISACA and its committees, and from opinions endorsed by authors, employers or the editors of COBIT Focus. COBIT Focus does not attest to the originality of authors' content.

© ISACA. All rights reserved.

Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Please contact Julia Fullerton at [email protected].

©2013 ISACA. All rights reserved.