
COBIT as IT Management Best Practice Framework

Adapted from Jan 2011 Management Update Seminar:
“Beyond IT Project Management: Advanced IT Management Best Practices”

Goh BoonNam
Institute of Systems Science

ISACA®, IT Governance Institute® and CobiT® are registered trademarks of ISACA. Use of these trademarks in this document does NOT imply any association, sponsorship, affiliation, or endorsement by ISACA.

ATA/Lucid/2010-01-25 MUS/ © NUS. All Rights Reserved. 1


COBIT as IT Mgt Bst-Prctce Frmwrk.ppt/v1.0 http://www.iss.nus.edu.sg/
What is COBIT?
▪ Control OBjectives for Information and related Technology
▪ International framework from ISACA (Information Systems Control & Audit Association) and IT Governance Institute
▪ Helps maximise value of IT to business and minimise issues such as those listed earlier
▪ Originally, more for monitoring/audit/risk assessment of IT management processes
▪ Increasingly recognised as comprehensive framework of IT Management best practices
  ■ Advises on WHAT to do
  ■ Gives some high-level advice on HOW to do it
▪ Currently Version 4.1

COBIT References:
http://www.isaca.org/Knowledge-Center/COBIT/Pages/Overview.aspx
http://www.isaca.org/Knowledge-Center/cobit/Pages/Downloads.aspx

Why COBIT?
▪ Why COBIT as IT Management Best Practice Framework?
  ■ Comprehensive coverage of IT Management
  ■ Helps avoid issues such as:
    • Strategic oversights
    • Architecture oversights
    • Implementation oversights
    • Service Delivery oversights
    • Governance oversights

Avoid Issue #1 – Strategic Oversight
▪ Past report from Director of Audit of a large organisation:
  ■ no formal IT strategy exists which leads to piecemeal development and absence of monitoring and evaluation (of projects).
  ■ hence, additional expenditure had to be incurred ….
  ■ systems cannot satisfy objectives

Reference: http://www.gov.mu/portal/site/auditsite/menuitem.afcc311f8d4ff832b4c3bb4e52a521ca/?content_id=a4ac207a78d48010VgnVCM100000ca6a12acRCRD

Avoid Issue #2 - Architecture oversights
▪ A leading European bank
  ■ struggled with a tangle of applications that hampered its retail-banking operations
  ■ the lack of unifying standards created difficulties in satisfying bank-wide business requirements, such as speeding time to market for new banking services

Reference: https://www.mckinseyquarterly.com/Overhauling_banks_IT_systems_2554

IT Issue #3 - Implementation oversights
▪ Passport system in a European country:
  ■ half a million new passports couldn't be issued on time
  ■ Passport Agency had brought in a new system that was (not properly designed/developed and) without sufficient testing and staff training
  ■ hundreds of people missed their holidays with money in the millions spent in compensation for staff overtime and umbrellas for the poor people queuing in the rain for passports

Reference: http://www.zdnet.com/news/the-top-10-it-disasters-of-all-time/177729

IT Issue #4 - Service Delivery oversights
▪ Bank in a European country:
  ■ Online banking services, that had been in operation for some time, suddenly went down for nearly a week

Reference: http://www.computerweekly.com/blogs/management-matters/2010/07/has-the-private-sector-caught-the-public-sector-it-disease.html

IT Issue #5 - Governance oversights
▪ The Office of Inspector General (OIG) of the U.S. House of Representatives (House) sought to improve IT activities within the House.
  ■ A large number of the first audit reports issued by the OIG addressed weaknesses in various IT operations of the House - including the lack of policies and procedures (e.g., systems development life cycle), poor systems design and development, the lack of planning and performance measures, poor management of the mainframe and the lack of adequate information security.
  ■ Management needed to take control of the situation and establish clear roles and responsibilities…and adopt an IT governance framework.

Reference: http://www.isaca.org/Knowledge-Center/cobit/Pages/US-House-of-Representatives.aspx

COBIT - Overview

Plan & Organise
• Define a Strategic IT Plan
• Define the Information Architecture
• Determine Technological Direction
• Define the IT Processes, Organization and Relationships
• Manage the IT Investment
• Communicate Management Aims and Direction
• Manage IT Human Resources
• Manage Quality
• Assess and Manage IT Risks
• Manage Projects

Acquire & Implement
• Identify Automated Solutions
• Acquire and Maintain Application Software
• Acquire and Maintain Technology Infrastructure
• Enable Operation and Use
• Procure IT Resources
• Manage Changes
• Install and Accredit Solutions and Changes

Deliver & Support
• Define and Manage Service Levels
• Manage Third-party Services
• Manage Performance and Capacity
• Ensure Continuous Service
• Ensure Systems Security
• Identify and Allocate Costs
• Educate and Train Users
• Manage Service Desk and Incidents
• Manage the Configuration
• Manage Problems
• Manage Data
• Manage the Physical Environment
• Manage Operations

Monitor & Evaluate
• Monitor and Evaluate IT Processes
• Monitor and Evaluate Internal Control
• Ensure Regulatory Compliance
• Provide IT Governance

COBIT Components

DOMAINS
• Plan & Organise
• Acquire & Implement
• Deliver & Support
• Monitor & Evaluate

PROCESSES (of the Plan & Organise domain)
• Define a Strategic IT Plan
• Define the Information Architecture
• Determine Technological Direction
• Define the IT Processes, Organization and Relationships
• Manage the IT Investment
• Communicate Management Aims and Direction
• Manage IT Human Resources
• Manage Quality
• Assess and Manage IT Risks
• Manage Projects

CONTROL OBJECTIVES (of the Manage Projects process)
• Programme Management Framework
• Project Management Framework
• Project Management Approach
• Stakeholder Commitment
• Project Scope Statement
• Project Phase Initiation
• Integrated Project Plan
• Project Resources
• Project Risk Management
• Project Quality Plan
• Project Change Control
• Project Planning of Assurance Methods
• Project Performance Measurement, Reporting and Monitoring
• Project Closure

COBIT Domains – Plan & Organise (PO)
[Figure: the four COBIT domains (Plan & Organise, Acquire & Implement, Deliver & Support, Monitor & Evaluate)]
▪ Strategy / Architecture / Portfolio
  ■ Define a Strategic IT Plan
  ■ Define the Information Architecture
  ■ Determine Technological Direction
▪ Programme & Project Management
  ■ Manage Projects
▪ IT Organisation Management
  ■ Define the IT Processes, Organization and Relationships
  ■ Manage the IT Investment
  ■ Communicate Management Aims and Direction
  ■ Manage IT Human Resources
  ■ Manage Quality
  ■ Assess and Manage IT Risks

Nb: Bold headings are author’s own categorisation & are not part of COBIT

Plan & Organise (PO)

[Figure: PO process groups placed by Level of Work (Strategic to Tactical) across the phases Pre-Project, Development and Production: IT Strategy / Architecture / Portfolio Management; Programme Management; Project Management; IT Organisation Management]

Nb: Above is NOT part of COBIT. Used only to help in explaining the relationships within PO.

COBIT Domains – Acquire & Implement (AI)
[Figure: the four COBIT domains (Plan & Organise, Acquire & Implement, Deliver & Support, Monitor & Evaluate)]
▪ Requirements & Feasibility
  ■ Identify Automated Solutions
▪ Design & Build
  ■ Acquire and Maintain Application Software
  ■ Acquire and Maintain Technology Infrastructure
▪ Test & Implement
  ■ Install and Accredit Solutions and Changes
  ■ Enable Operation and Use
▪ Changes
  ■ Manage Changes
▪ Procurement Management
  ■ Procure IT Resources

Nb: Bold headings are author’s own categorisation & are NOT part of COBIT
AI Relationship with PO

[Figure: process groups across the phases Pre-Project, Development and Production.
Plan & Organise (PO): IT Strategy / Architecture / Portfolio Management; Programme Management; (Generic) Project Management.
Acquire & Implement (AI): IT Systems Devt Life Cycle Mgt (Requirements & Feasibility, Design & Build, Test & Implement); Manage (System-Related) Changes; Procurement Management]

Nb: Above is NOT part of COBIT. Used only to help in explaining the relationships within COBIT.

COBIT Domains – Deliver & Support
[Figure: the four COBIT domains (Plan & Organise, Acquire & Implement, Deliver & Support, Monitor & Evaluate)]
▪ Service Delivery
  ■ Define and Manage Service Levels
  ■ Manage Third-party Services
  ■ Manage Performance and Capacity
  ■ Ensure Continuous Service
  ■ Ensure Systems Security
  ■ Identify and Allocate Costs
▪ Service Support
  ■ Educate and Train Users
  ■ Manage Service Desk and Incidents
  ■ Manage the Configuration
  ■ Manage Problems
  ■ Manage Data
  ■ Manage the Physical Environment
  ■ Manage Operations

Nb: Bold headings are author’s own categorisation & are not part of COBIT

DS Relationship with AI & PO

[Figure: process groups across the phases Pre-Project, Development and Production.
Plan & Organise (PO): IT Strategy / Architecture / Portfolio Management; Programme Management; (Generic) Project Management.
Acquire & Implement (AI): IT Systems Devt Life Cycle Mgt (Requirements & Feasibility, Design & Build, Test & Implement); Manage (System-Related) Changes; Procurement Management.
Deliver & Support (DS): Service Delivery; Service Support]

Nb: Above is NOT part of COBIT. Used only to help in explaining the relationships within COBIT.

COBIT Domains – Monitor & Evaluate
[Figure: the four COBIT domains (Plan & Organise, Acquire & Implement, Deliver & Support, Monitor & Evaluate)]
▪ Monitor & Evaluate
  ■ Monitor and Evaluate IT Processes
  ■ Monitor and Evaluate Internal Control
  ■ Ensure Regulatory Compliance
▪ Direct
  ■ Provide IT Governance

Nb: Bold headings are author’s own categorisation & are not part of COBIT

COBIT Overview
ME Relationship with PO / AI / DS

[Figure: process groups across the phases Pre-Project, Development and Production.
Plan & Organise (PO): IT Strategy / Architecture / Portfolio Management; Programme Management; (Generic) Project Management; IT Organisation Management.
Acquire & Implement (AI): IT Systems Devt Life Cycle Mgt (Requirements & Feasibility, Design & Build, Test & Implement); Manage (System-Related) Changes; Procurement Management.
Deliver & Support (DS): Service Delivery; Service Support.
Measure & Evaluate (ME): Measure & Evaluate / Direct]

Nb: Above is NOT part of COBIT. Used only to help in explaining the relationships within COBIT.

Other Elements of COBIT
▪ Besides
  ■ Domains
  ■ Processes
  ■ Control Objectives
▪ Some Key Elements
  ■ Management Guidelines
    • roles and responsibilities
    • goals and metrics
  ■ Maturity Model
  ■ Associated Toolkits (for ISACA members)
    • Implementation Guide
    • Assurance Guide

COBIT Mapping to Other Frameworks

[Figure: other frameworks (P3O, TOGAF, PRINCE2, PMP, CITPM, CMMI, SCRUM, CBAP, COMIT, ISO20000, CISSP, ITIL, CGEIT) each mapped to one of the four COBIT domains: Plan & Organise, Acquire & Implement, Deliver & Support, Monitor & Evaluate]

Nb: Some of the other frameworks can map to more than one COBIT domain (eg. ITIL/COBIT) but for simplicity, only one domain is mapped here

Future of COBIT as IT Management Framework – Draft COBIT v5
▪ Some Key New Features
  ■ Explicit recognition of COBIT as covering IT Management processes in addition to IT Governance processes
  ■ Identification of degree of involvement of IT and Business in the various processes
  ■ Enterprise Architecture (instead of Information Architecture of prior versions)
  ■ Consolidation into one new “Manage the IT Organisation” process those v4.1 processes that were for internal IT organisation support - eg.
    • Define IT Processes, Organization and Relationships
    • Communicate Management Aims and Direction
    • Manage IT Human Resources etc

For Further Information

Please refer to: http://www.iss.nus.edu.sg/

Or email BoonNam Goh at: issgbn@nus.edu.sg

The End
