Professional Documents
Culture Documents
Presentaciones Compressed
Presentaciones Compressed
Copyright © 2018 Information Systems Audit and Control Association, Inc. All rights reserved.
DISCLAIMER
The information contained in this session may contain privileged and confidential
information.
This presentation is for information only. Before acting on any ideas presented in this
session; security, legal, technical, and reputational risks should be independently
evaluated considering the unique factual circumstances surrounding each institution.
Any views or opinions presented do not necessarily state or reflect those of the
presenter’s organization, ISACA, or any other entity.
The following information presented is confidential and/or proprietary and is intended for
the express use by attendees. Any unauthorized release of this information is prohibited.
© 2018 ISACA. All rights reserved. For usage guidelines, see www.isaca.org/COBITuse.
2
MODULE 1
COURSE INTRODUCTION
3
MODULE 1 TOPICS
Introductions
Course Description
Learning Objectives
Intended Audience
Course Modules
Exam Requirements
4
INTRODUCTIONS
5
FACILITATOR INTRODUCTION
Facilitator name
6
COURSE DESCRIPTION
7
COURSE DESCRIPTION
8
LEARNING OBJECTIVES
9
COURSE LEARNING OBJECTIVES
Recognize the target audience of COBIT 2019. Understand the relationship between Governance and
Management Objectives and Governance Components.
Recognize the context, benefits and key reasons COBIT
is used as an information and technology governance Differentiate COBIT based performance management
framework. using maturity and capability perspectives.
Recognize the descriptions and purposes of the COBIT Discover how to design a tailored governance system
product architecture. using COBIT.
Recall the alignment of COBIT with other applicable Explain the key points of the COBIT business case.
frameworks, standards and bodies of knowledge.
Understand and recall the phases of the COBIT
Understand and describe the governance “system” and implementation approach.
governance “framework” principles.
Describe the relationships between the COBIT Design
Describe the components of a governance system. and Implementation Guides.
Understand the overall structure and contents of the Prepare for the COBIT 2019 Foundation exam.
Goals Cascade.
10
INTENDED AUDIENCE
11
INTENDED AUDIENCE
12
COURSE MODULES
Module 1
Module 7
• Principles Module 9
Module 4
• Implementation
• Governance System and Components
Module 5
Module 10
• Performance Management
13
EXAM REQUIREMENTS
14
14
MODULE 2
FRAMEWORK INTRODUCTION
15
MODULE 2 TOPICS AND LEARNING OBJECTIVES
16
ENTERPRISE GOVERNANCE OF I&T
17
ENTERPRISE GOVERNANCE OF
INFORMATION AND TECHNOLOGY
18
IT VERSUS I&T
The framework:
• recognizes that information and technology may reside
outside of the traditional IT department.
• encompasses all information and technology the
enterprise generates, processes and uses to achieve its
goals as well as the technology to support that
throughout the enterprise.
19
ENTERPRISE GOVERNANCE OF INFORMATION AND
TECHNOLOGY
Given the centrality of I&T for enterprise risk management and value
generation, a specific focus on enterprise governance of information
and technology (EGIT) has arisen over the last two decades.
• EGIT is an integral part of corporate governance.
• Exercised by the board that oversees the definition and implementation of
processes, structures and relational mechanisms.
• Enables both business and IT people to execute their responsibilities in
support of business/IT alignment.
• Enables creation of business value from I&T-enabled business investments.
20
20
ENTERPRISE GOVERNANCE OF INFORMATION AND TECHNOLOGY
Enterprise
Business/IT Value
Governance
Alignment Creation
of IT
21
BENEFITS OF INFORMATION
AND TECHNOLOGY
GOVERNANCE
22
EGIT EXAMPLE
23
COBIT AS AN I&T FRAMEWORK
24
COBIT AS AN I&T FRAMEWORK
25
25
INTENDED AUDIENCE
Boards
Risk Executive
Managem Managem
ent ent
Internal
Stakeholders
Assuran Busines
ce s
Provider Manage
s rs
IT
Manage
rs
26
INTERNAL STAKEHOLDERS
Boards
•Provides insights on how to get value from the use of I&T and explains relevant board responsibilities.
Executive Management
•Provides guidance on how to organize and monitor performance of I&T across the enterprise.
Business Managers
•Helps to understand how to obtain the I&T solutions enterprises require and how best to exploit new technology for new strategic
opportunities.
IT Managers
•Provides guidance on how best to build and structure the IT department, manage performance of IT, run an efficient and effective
IT operation, control IT costs, align IT strategy to business priorities, etc.
Assurance Providers
•Provides guidance on how best to build and structure the IT department, manage performance of IT, run an efficient and effective
IT operation, control IT costs, align IT strategy to business priorities, etc.
Risk Management
•Helps to ensure the identification and management of all IT-related risk.
27
INTENDED AUDIENCE
Regulators
External
Stakeholders
Business
Partners
IT Vendors
28
EXTERNAL STAKEHOLDERS
Regulators
• Helps to ensure the enterprise is compliant with applicable rules and regulations and has the
right governance system in place to manage and sustain compliance.
Business Partners
• Helps to ensure that a business partner’s operations are secure, reliable and compliant with
applicable rules and regulations.
IT Vendors
• Helps to ensure that an IT vendor’s operations are secure, reliable and compliant with
applicable rules and regulations.
29
WHAT COBIT IS
COBIT is a framework for the governance and management of enterprise information and technology.
COBIT defines the design factors that should be considered by the enterprise to build a best-fit governance
system.
COBIT addresses governance issues by grouping relevant governance components into governance and
management objectives that can be managed to the required capability levels.
30
GOVERNANCE VS MANAGEMENT
31
31
GOVERNANCE VS MANAGEMENT
32
GOVERNANCE VS MANAGEMENT
Management plans, builds, runs and monitors activities, in alignment with the direction
set by the governance body, to achieve the enterprise objectives.
33
WHAT COBIT IS NOT
34
COBIT FORMAT AND PRODUCT ARCHITECTURE
35
COBIT OVERVIEW AND PRODUCT ARCHITECTURE
Reference: COBIT 2019 Framework: Introduction and Methodology Chapter 4 Basic Concepts
36
COBIT OVERVIEW AND PRODUCT ARCHITECTURE
Reference: COBIT 2019 Framework: Introduction and Methodology Chapter 4 Basic Concepts
37
MAJOR DIFFERENCES BETWEEN
COBIT 5 AND COBIT 2019
38
MAJOR DIFFERENCES
39
MAJOR DIFFERENCES
40
COBIT AND OTHER STANDARDS
41
COBIT AND OTHER STANDARDS
Reference: COBIT 2019 Framework: Introduction and Methodology Chapter 10 COBIT and Other Standards
42
COBIT AND OTHER STANDARDS
Reference: COBIT 2019 Framework: Introduction and Methodology Chapter 10 COBIT and Other Standards
43
TRAINING AND CERTIFICATION
44
COBIT 2019 TRAINING AND CERTIFICATE SCHEME
45
GROUP DISCUSSION QUESTIONS
46
GROUP DISCUSSION QUESTIONS
47
47
MODULE SUMMARY
48
MODULE 2 SUMMARY
49
SAMPLE QUESTION
50
50
MODULE 3
PRINCIPLES
51
MODULE 3 TOPICS AND LEARNING OBJECTIVES
Topics
• Governance “System” Principles
• Governance “Framework” Principles
• Module Summary
Learning Objectives
• Understand and describe the governance “system” and governance “framework”
principles.
• Prepare for the COBIT 2019 Foundation exam.
52
GOVERNANCE “SYSTEM” PRINCIPLES
53
PRINCIPLES
54
GOVERNANCE SYSTEM
PRINCIPLES
Provide
Stakeholder
Value
End-to-End Holistic
Governance Approach
There are Six Principles for a Governance System
System.
Governance
Distinct From
Management
55
GOVERNANCE SYSTEM
PRINCIPLES
Provide
Stakeholder
Value
End-to-End Holistic
Provide Stakeholder Value Governance Approach
System
Each enterprise needs a governance
system to satisfy stakeholder needs and
to generate value from the use of I&T.
Value reflects a balance among benefits, Tailored to
Dynamic
Governance
risks and resources, and enterprises need Enterprise Needs
System
an actionable strategy and governance
system to realize this value. Governance
Distinct From
Management
56
GOVERNANCE SYSTEM
PRINCIPLES
Provide
Stakeholder
Value
End-to-End Holistic
Governance Approach
System
Holistic Approach
A governance system for enterprise I&T is
built from a number of components that
Dynamic
can be of different types and that work Tailored to
Governance
Enterprise Needs
together in a holistic way. System
Governance
Distinct From
Management
57
GOVERNANCE SYSTEM
PRINCIPLES
Provide
Stakeholder
Value
58
GOVERNANCE SYSTEM
PRINCIPLES
Provide
Stakeholder
Value
End-to-End Holistic
Governance Approach
System
Governance Distinct from Management
A governance system should clearly
distinguish between governance and Dynamic
Tailored to
management activities and structures. Enterprise Needs
Governance
System
Governance
Distinct From
Management
Reference: COBIT 2019 Framework: Introduction and Methodology Chapter 3 COBIT Principles
59
GOVERNANCE SYSTEM
PRINCIPLES
Provide
Stakeholder
Value
End-to-End Holistic
Governance Approach
System
Tailored to Enterprise Needs
A governance system should be
customized to the enterprise’s needs,
using a set of design factors as Tailored to Dynamic
parameters to customize and prioritize the Enterprise Governance
System
Needs
governance system components.
Governance
Distinct From
Management
Reference: COBIT 2019 Framework: Introduction and Methodology Chapter 3 COBIT Principles
60
GOVERNANCE SYSTEM
PRINCIPLES
Provide
Stakeholder
Value
End-to-End Holistic
Governance Approach
End-to-End Governance System System
A governance system should cover the
enterprise end to end, focusing not only
on the IT function but on all technology
Dynamic
and information processing the enterprise Tailored to
Governance
Enterprise Needs
puts in place to achieve its goals, System
Reference: COBIT 2019 Framework: Introduction and Methodology Chapter 3 COBIT Principles
61
GOVERNANCE “FRAMEWORK” PRINCIPLES
62
GOVERNANCE FRAMEWORK
PRINCIPLES
63
GOVERNANCE FRAMEWORK
PRINCIPLES
64
GOVERNANCE FRAMEWORK
PRINCIPLES
65
GOVERNANCE FRAMEWORK
PRINCIPLES
Based on
Aligned to Major Standards Conceptual
A governance framework Model
should align to relevant major
Open and
related standards, Flexible
frameworks and regulations.
Aligned to
Major
Standards
66
SUMMARY
67
MODULE 3 SUMMARY
68
SAMPLE QUESTION
69
69
SAMPLE QUESTION
70
70
MODULE 4
GOVERNANCE SYSTEMS AND COMPONENTS
71
MODULE 4 TOPICS AND LEARNING OBJECTIVES
72
GOVERNANCE AND MANAGEMENT OBJECTIVES
73
GOVERNANCE AND MANAGEMENT OBJECTIVES
Reference: COBIT 2019 Framework: Basic Concepts: Governance Systems and Components, Chapter 4
74
GOVERNANCE AND MANAGEMENT OBJECTIVES
Governance and management objectives in COBIT are grouped into five domains. The
domains have names with verbs that express the key purpose and areas of activity of the
objectives contained in them:
Governance
Management Objectives
Objectives
Reference: COBIT 2019 Framework: Basic Concepts: Governance Systems and Components, Chapter 4
75
Reference: COBIT 2019 Framework: Basic Concepts: Governance Systems and Components, Chapter 4
COMPONENTS OF THE GOVERNANCE SYSTEM
77
COMPONENTS OF A
GOVERNANCE SYSTEM
Reference: COBIT 2019 Framework: Basic Concepts: Governance Systems and Components, Chapter 4
78
COMPONENTS OF A GOVERNANCE SYSTEM
Processes
Services,
Infrastructu Organizatio
re and nal
Application Structures
s
Governa
nce
Culture, System Information
Ethics and Flows and
Behaviour Items
People,
Principles,
Skills and
Policies,
Competenc
Procedures
ies
Reference: COBIT 2019 Framework: Basic Concepts: Governance Systems and Components, Chapter 4
79
PROCESS COMPONENT
Processes
Services,
Infrastructu Organizatio
re and nal
Application Structures
s
Processes describe an organized set of
practices and activities to achieve Governa
certain objectives and produce a set of nce
Culture, System Information
outputs that support achievement of Ethics and Flows and
overall IT-related goals. Behaviour Items
People,
Principles,
Skills and
Policies,
Competenc
Procedures
ies
Reference: COBIT 2019 Framework: Basic Concepts: Governance Systems and Components, Chapter 4
80
ORGANIZATIONAL STRUCTURES COMPONENT
Processes
Services,
Infrastructu Organizatio
re and nal
Application Structures
s
People,
Principles,
Skills and
Policies,
Competenc
Procedures
ies
Reference: COBIT 2019 Framework: Basic Concepts: Governance Systems and Components, Chapter 4
81
INFORMATION COMPONENT
Processes
Services,
Infrastructu Organizatio
re and nal
Information is pervasive throughout any Application Structures
s
organization and includes all
information produced and used by the Governa
enterprise. COBIT focuses on nce
Culture, System Information
information required for the effective Ethics and Flows and
functioning of the governance system Behaviour Items
of the enterprise.
People,
Principles,
Skills and
Policies,
Competenc
Procedures
ies
Reference: COBIT 2019 Framework: Basic Concepts: Governance Systems and Components, Chapter 4
82
PEOPLE, SKILLS AND COMPETENCIES COMPONENT
Processes
Services,
Infrastructu Organizatio
re and nal
Application Structures
s
People,
Principles,
Skills and
Policies,
Competenc
Procedures
ies
Reference: COBIT 2019 Framework: Basic Concepts: Governance Systems and Components, Chapter 4
83
PRINCIPLES, POLICIES AND PROCEDURES COMPONENT
Processes
Services,
Infrastructu Organizatio
re and nal
Application Structures
s
People,
Principles,
Skills and
Policies,
Competenc
Procedures
ies
Reference: COBIT 2019 Framework: Basic Concepts: Governance Systems and Components, Chapter 4
84
CULTURE, ETHICS AND BEHAVIOR COMPONENT
Processes
Services,
Infrastructu Organizatio
re and nal
Application Structures
s
Culture, ethics and behavior of
individuals and of the enterprise are Governa
often underestimated as factors in the nce
Culture, System Information
success of governance and Ethics and Flows and
management activities. Behaviour Items
People,
Principles,
Skills and
Policies,
Competenc
Procedures
ies
Reference: COBIT 2019 Framework: Basic Concepts: Governance Systems and Components, Chapter 4
85
SERVICES, INFRASTRUCTURES AND APPLICATIONS COMPONENT
Processes
Services,
Infrastructu Organizatio
re and nal
Application Structures
s
Services, infrastructure and
applications include the infrastructure, Governa
technology and applications that nce
Culture, System Information
provide the enterprise with the Ethics and Flows and
governance system for I&T processing. Behaviour Items
People,
Principles,
Skills and
Policies,
Competenc
Procedures
ies
Reference: COBIT 2019 Framework: Basic Concepts: Governance Systems and Components, Chapter 4
86
COMPONENTS OF A GOVERNANCE SYSTEM
Reference: COBIT 2019 Framework: Basic Concepts: Governance Systems and Components, Chapter 4
87
87
FOCUS AREAS
88
FOCUS AREAS
Reference: COBIT 2019 Framework: Basic Concepts: Governance Systems and Components, Chapter 4
89
DESIGN FACTORS
90
DESIGN FACTORS
Design factors
Design factors are factors that can influence the design of an include any
enterprise’s governance system and position it for success in combination of the
the use of I&T. following:
• The design factors are listed here and the potential impacts they Enterprise strategy
can have on the governance system are noted in Module 7, Enterprise goals
Designing a Tailored Governance System. Risk profile
• More information and detailed guidance on how to use the design IT-related issues
factors for designing a governance system can be found in the Threat landscape
COBIT® 2019 Design Guide publication. Compliance requirements
Role of IT
Sourcing model for IT
IT implementation methods
Technology adoption
strategy
Enterprise size
Future factors
Reference: COBIT 2019 Framework: Basic Concepts: Governance Systems and Components, Chapter 4
91
DESIGN FACTORS
Reference: COBIT 2019 Framework: Basic Concepts: Governance Systems and Components, Chapter 4
92
DESIGN FACTOR 1: ENTERPRISE STRATEGY
Enterprises can have different strategies, which can be expressed as (a combination of)
the archetypes shown below. Organizations typically have a primary strategy and, at
most, one secondary strategy.
Reference: COBIT 2019 Framework: Basic Concepts: Governance Systems and Components, Chapter 4
93
DESIGN FACTOR 2: ENTERPRISE GOALS
Reference: COBIT 2019 Framework: Basic Concepts: Governance Systems and Components, Chapter 4
94
DESIGN FACTOR 3: RISK PROFILE
Reference: COBIT 2019 Framework: Basic Concepts: Governance Systems and Components, Chapter 4
95
DESIGN FACTOR 4: I&T RELATED ISSUES
Reference: COBIT 2019 Framework: Basic Concepts: Governance Systems and Components, Chapter 4
96
DESIGN FACTOR 5: THREAT LANDSCAPE
The threat landscape under which the enterprise operates can be classified as shown
below.
High Due to its geopolitical situation, industry sector or particular profile, the
enterprise is operating in a high-threat environment.
Reference: COBIT 2019 Framework: Basic Concepts: Governance Systems and Components, Chapter 4
97
DESIGN FACTOR 6: COMPLIANCE REQUIREMENTS
Normal compliance The enterprise is subject to a set of regular compliance requirements that
requirements are common across different industries.
Reference: COBIT 2019 Framework: Basic Concepts: Governance Systems and Components, Chapter 4
98
DESIGN FACTOR 7: ROLE OF IT
Strategic IT is critical for both running and innovating the organization’s business
processes
Reference: COBIT 2019 Framework: Basic Concepts: Governanceand services.
Systems and Components, Chapter 4
99
DESIGN FACTOR 8: SOURCING MODEL FOR IT
The sourcing model for IT the enterprise adopts can be classified as shown below.
Hybrid A mixed model is applied, combining the other three models in varying
degrees.
Reference: COBIT 2019 Framework: Basic Concepts: Governance Systems and Components, Chapter 4
100
DESIGN FACTOR 9: IT IMPLEMENTATION METHODS
The IT implementation methods the enterprise adopts can be classified as shown below.
Reference: COBIT 2019 Framework: Basic Concepts: Governance Systems and Components, Chapter 4
101
DESIGN FACTOR 10: TECHNOLOGY ADOPTION STRATEGY
Reference: COBIT 2019 Framework: Basic Concepts: Governance Systems and Components, Chapter 4
102
DESIGN FACTOR 11: ENTERPRISE SIZE
Two categories are identified for the design of an enterprise’s governance system. Micro-
enterprises, i.e., enterprises with fewer than 50 staff members, are not considered in this
view.
Reference: COBIT 2019 Framework: Basic Concepts: Governance Systems and Components, Chapter 4
103
GOALS CASCADE
104
GOALS CASCADE
Reference: COBIT 2019 Framework: Basic Concepts: Governance Systems and Components, Chapter 4
105
GOALS CASCADE –ENTERPRISE GOALS
BSC BSC
REF ENTERPRISE GOAL REF ENTERPRISE GOAL
DIMENSION DIMENSION
EG01 Financial Portfolio of competitive EG08 Internal Optimization of internal
products and services business process
EG02 Financial Managed business risk functionality
EG03 Financial Compliance with external EG09 Internal Optimization of business
laws and regulations process costs
EG04 Financial Quality of financial EG10 Internal Staff skills, motivation and
information productivity
EG05 Customer Customer-oriented service EG11 Internal Compliance with internal
culture policies
EG06 Customer Business service EG12 Growth Managed digital
continuity and availability transformation programs
EG07 Customer Quality of management EG13 Growth Product and business
information innovation
Reference: COBIT 2019 Framework: Basic Concepts: Governance Systems and Components, Chapter 4
106
GOALS CASCADE – ALIGNMENT GOALS
BSC BSC
REF ALIGNMENT GOAL REF ENTERPRISE GOAL
DIMENSION DIMENSION
AG01 Financial IT compliance and support for AG08 Internal Enabling and supporting
business compliance with external business processes by
laws and regulations integrating applications and
AG02 Financial Managed information- and technology
technology-related risk AG09 Internal Delivery of programs on time,
AG03 Financial Realized benefits from on budget, and meeting
information- and technology- requirements and quality
enabled investments and services standards
portfolio
AG10 Internal Quality of IT management
AG04 Financial Quality of technology-related
information
financial information
AG05 Customer Delivery of I&T services in line AG11 Internal IT compliance with internal
with business requirements policies
AG06 Customer Agility to turn business AG12 Learning and Competent and motivated staff
requirements into operational Growth with mutual understanding of
solutions technology and business
AG07 Internal Security of information, processing AG13 Learning and Knowledge, expertise and
infrastructure and applications, Growth initiatives for business
and privacy innovation
Reference: COBIT 2019 Framework: Basic Concepts: Governance Systems and Components, Chapter 4
107
EXERCISE AND MODULE SUMMARY
108
GROUP EXERCISE SCENARIO
NAMECO is an IT Managed Service Provider in North America. They are an aggressive, for profit organization that strives to aggressively grow revenues while providing a
stable client base. NAMECO is considered one of the top five MSPs in the industry and operates in a high threat environment with multiple competitors who are constantly
attempting to challenge their position in the market.
With over 400 tenet clients and 15,000 end users, each one has a very unique set of compliance requirements: 1) 30% of their clients are publicly traded entities, 2) 7% are
heath care related, 3) 87% process credit cards, and 4) 6% have private information regarding EU citizens.
The enterprise risk management group has identified multiple risk scenarios that have the potential of inhibiting the aggressive growth goals identified by the governing
body. These include: 1) recruiting and maintaining qualified and skilled staff, 2) the threat of competitors, 3) complex compliance requirements from multiple requirements
(NAMECO has private information from users across the globe, including EU citizens), and 4) the unknown risks of vendors who provide critical services to NAMECO.
The IT organization also supports the company’s staff of 300 FTEs and is currently considered a “necessity” which has caused some issues. Due to the nature of its
business, NAMECO cannot continue with its strategy unless IT is seen as a key success factor. Most of the services provided by IT are a mix of insourced, cloud, and
outsourced services and IT generally adopts new technologies once they have been proven in the market. Although the organization is primarily a waterfall model for
delivery, there are two full time agile teams that support the core applications of the business. This model has worked up to this point, but there are pressures from the
business to deploy services faster.
With the aggressive growth of the company, the IT organization has experienced multiple issues that have resulted in unsatisfactory client reviews. The key concerns
include: 1) failure to meet Service Level Agreements (many of these failures are due to suppliers), 2) multiple audit findings of non-compliance of data privacy, and 3)
Insufficient IT resources/knowledge required to support the goals of the enterprise.
Other key observations include: 1) there are no documented or well-understood decision matrices in the organization, 2) policies exist, but have not been updated in the last
3 years, 3) the leadership of the organization endorse a ‘risk taking’ culture, but do not support risky decisions that fail, 4) no skills matrix exists that identifies the skills and
competencies required to support IT services, 5) an IT service catalog exists, but is not acknowledged or followed, 6) there is no formal recognition of IT processes, they
are ad hoc and not well documented, and 7) there is no real understanding of the data/information architectures or flows and there is an absence of information
classification.
109
109
GROUP EXERCISE
110
110
MODULE 4 SUMMARY
Focus areas
Design factors
Goals cascade
Reference: COBIT 2019 Framework: Basic Concepts: Governance Systems and Components, Chapter 4
111
SAMPLE QUESTION
Reference: COBIT 2019 Framework: Basic Concepts: Governance Systems and Components, Chapter 4
112
112
SAMPLE QUESTION
Reference: COBIT 2019 Framework: Basic Concepts: Governance Systems and Components, Chapter 4
113
113
SAMPLE QUESTION
Reference: COBIT 2019 Framework: Basic Concepts: Governance Systems and Components, Chapter 4
114
114
SAMPLE QUESTION
Reference: COBIT 2019 Framework: Basic Concepts: Governance Systems and Components, Chapter 4
115
115
MODULE 5
GOVERNANCE AND MANAGEMENT OBJECTIVES
116
MODULE 5 TOPICS AND LEARNING OBJECTIVES
117
OVERVIEW OF THE COBIT CORE MODEL
118
COBIT 2019 FRAMEWORK: GOVERNANCE AND MANAGEMENT
OBJECTIVES PUBLICATION
119
COBIT CORE MODEL
Reference: COBIT 2019 Framework: Governance and Management Objectives, Chapter 1 Introduction
120
COBIT CORE MODEL
Governance
Management Objectives
Objectives
Reference: COBIT 2019 Framework: Governance and Management Objectives, Chapter 1 Introduction
121
COBIT CORE MODEL
Governance
Management Objectives
Objectives
Reference: COBIT 2019 Framework: Governance and Management Objectives, Chapter 1 Introduction
122
COBIT CORE MODEL
Governance
Management Objectives
Objectives
Reference: COBIT 2019 Framework: Governance and Management Objectives, Chapter 1 Introduction
123
COBIT CORE MODEL
Governance
Management Objectives
Objectives
Reference: COBIT 2019 Framework: Governance and Management Objectives, Chapter 1 Introduction
124
COBIT CORE MODEL
Governance
Management Objectives
Objectives
MEA
EDM APO BAI DSS
Monitor,
Evaluate, Direct and Align, Plan and Build, Acquire Deliver, Service
Monitor Organize Evaluate and
and Implement and Support
Assess
Reference: COBIT 2019 Framework: Governance and Management Objectives, Chapter 1 Introduction
125
COBIT CORE MODEL
Reference: COBIT 2019 Framework: Governance and Management Objectives, Chapter 1 Introduction
126
COBIT CORE MODEL
EDM01 Ensured Governance APO01 Managed I&T BAI01 Managed Programs DSS01 Managed Operations MEA01 Managed
Framework Setting Framework Performance and
BAI02 Managed DSS02 Managed Service
and Maintenance Conformance
APO02 Managed Strategy Requirements Requests & Incidents
Monitoring
EDM02 Ensured Benefits Definition
APO03 Managed Enterprise DSS03 Managed Problems
Delivery MEA02 Managed System of
Architecture BAI03 Managed Solutions
DSS04 Managed Continuity Internal Control
EDM03 Ensured Risk Identification and
APO04 Managed Innovation
Optimization Build DSS05 Managed Security MEA03 Managed
APO05 Managed Portfolio Services Compliance with
EDM04 Ensured Resource BAI04 Managed Availability
External
Optimization APO06 Managed Budget & and Capacity DSS06 Managed Business Requirements
Costs Process Controls
EDM05 Ensure Stakeholder BAI05 Managed
MEA04 Managed Assurance
Engagement APO07 Managed Human Organizational
Resources Change
APO08 Managed BAI06 Manage IT Changes
Relationships
BAI07 Manage IT Change
APO09 Managed Service Acceptance and
Agreements Transitioning
APO10 Managed Vendors BAI08 Managed Knowledge
APO11 Managed Quality BAI09 Managed Assets
APO12 Managed Risk BAI10 Managed Reference: COBIT 2019 Framework:
Configuration Governance and Management Objectives,
APO13 Managed Security Chapter 1 Introduction
BAI11 Managed Projects
APO14 Managed Data
127
GOVERNANCE AND MANAGEMENT OBJECTIVES
PURPOSE STATEMENTS
128
OBJECTIVES AND PURPOSE STATEMENTS - EDM
129
OBJECTIVES AND PURPOSES STATEMENTS - APO
130
OBJECTIVES AND PURPOSE STATEMENTS - APO
131
OBJECTIVE AND PURPOSE STATEMENTS - BAI
BAI01 Realize desired business value and reduce the risk of unexpected delays, costs and value erosion. To
Managed Programs do so, improve communications to and involvement of business and end users, ensure the value and
quality of program deliverables and follow up of projects within the programs, and maximize program
contribution to the investment portfolio.
BAI02 Create optimal solutions that meet enterprise needs while minimizing risk.
Managed Requirements
Definition
BAI03 Ensure agile and scalable delivery of digital products and services. Establish timely and cost-effective
Managed Solutions solutions (technology, business processes and workflows) capable of supporting enterprise strategic
Identification and Build and operational objectives.
BAI04 Maintain service availability, efficient management of resources and optimization of system
Managed Availability and performance through prediction of future performance and capacity requirements.
Capacity
BAI05 Prepare and commit stakeholders for business change and reduce the risk of failure.
Managed Organizational
Change
BAI06 Enable fast and reliable delivery of change to the business. Mitigate the risk of negatively impacting
Managed
References:ITCOBIT
Changes the stability
2019 Framework Introduction andor integrity ofChapter
Methodology, the changed
5 environment.
132
OBJECTIVE AND PURPOSE STATEMENTS - BAI
133
OBJECTIVES AND PURPOSE STATEMENTS - DSS
134
OBJECTIVE AND PURPOSE STATEMENTS - MEA
135
GOVERNANCE AND MANAGEMENT OBJECTIVES
RELATED GUIDANCE
136
GOVERNANCE AND MANAGEMENT OBJECTIVES RELATIONSHIPS
Processes Governance
Components
Each Governance To satisfy
and Management Governance and
objective always Management
relates to one objectives,
process in the Governance
COBIT Core. Components are
identified (one of
these components
is Processes).
137
GOVERNANCE AND MANAGEMENT OBJECTIVES DESCRIPTIONS
High-level
Goals Cascade Related Components Related Guidance
Information
• Domain name • Supported Alignment • Processes • Standards,
• Focus area goals • Organizational frameworks and
• Governance or • Applicable Enterprise structures compliance
management goals • Information flows and requirements
objective name • Example metrics items • Detailed reference
• description • People, skills and • Related guidance is
• Purpose statement competencies found under each of
• Policies and the applicable
frameworks components – this is
different from COBIT
• Culture, ethics and
5 where this was
behavior
applied only to the
• Services, process level.
infrastructure and
applications
138
HIGH-LEVEL INFORMATION
139
HIGH-LEVEL INFORMATION EXAMPLE
BAI06 – MANAGED IT CHANGES
140
GOALS CASCADE
141
GOALS CASCADE EXAMPLE BAI06 – MANAGED IT CHANGES
142
GOALS CASCADE – ENTERPRISE GOALS
BSC BSC
REF ENTERPRISE GOAL REF ENTERPRISE GOAL
DIMENSION DIMENSION
EG01 Financial Portfolio of competitive EG08 Internal Optimization of internal
products and services business process
EG02 Financial Managed business risk functionality
EG03 Financial Compliance with external EG09 Internal Optimization of business
laws and regulations process costs
EG04 Financial Quality of financial EG10 Internal Staff skills, motivation and
information productivity
EG05 Customer Customer-oriented service EG11 Internal Compliance with internal
culture policies
EG06 Customer Business service EG12 Growth Managed digital
continuity and availability transformation programs
EG07 Customer Quality of management EG13 Growth Product and business
information innovation
Reference: COBIT 2019 Framework: Basic Concepts: Governance Systems and Components, Chapter 4
143
GOALS CASCADE – ALIGNMENT GOALS
BSC BSC
REF ALIGNMENT GOAL REF ENTERPRISE GOAL
DIMENSION DIMENSION
AG01 Financial IT compliance and support for AG08 Internal Enabling and supporting
business compliance with external business processes by
laws and regulations integrating applications and
AG02 Financial Managed information- and technology
technology-related risk AG09 Internal Delivery of programs on time,
AG03 Financial Realized benefits from on budget, and meeting
information- and technology- requirements and quality
enabled investments and services standards
portfolio
AG10 Internal Quality of IT management
AG04 Financial Quality of technology-related
information
financial information
AG05 Customer Delivery of I&T services in line AG11 Internal IT compliance with internal
with business requirements policies
AG06 Customer Agility to turn business AG12 Learning and Competent and motivated staff
requirements into operational Growth with mutual understanding of
solutions technology and business
AG07 Internal Security of information, processing AG13 Learning and Knowledge, expertise and
infrastructure and applications, Growth initiatives for business
and privacy innovation
Reference: COBIT 2019 Framework: Basic Concepts: Governance Systems and Components, Chapter 4
144
GOALS CASCADE – ENTERPRISE GOALS TO ALIGNMENT GOALS
145
GOALS CASCADE – ALIGNMENT GOALS TO GOVERNANCE AND
MANAGEMENT OBJECTIVES
146
ALIGNMENT WITH COMPONENTS
Processes
Services,
Infrastructu Organizatio
re and nal
Application Structures
s
Governa
nce
Culture, System Information
Ethics and Flows and
Behaviour Items
People,
Principles,
Skills and
Policies,
Competenc
Procedures
ies
147
PROCESS COMPONENT DISPLAY
148
PROCESS COMPONENT EXAMPLE
BAI06 – MANAGED CHANGES
149
CAPABILITY LEVELS
150
RELATED GUIDANCE
The Related Guidance is updated in COBIT 2019 and refers to all standards,
frameworks, compliance requirements and other guidance that are relevant for the
process at hand.
• References to other standards and guidance are included where relevant.
• Detailed references cite specific chapters or sections within related guidance.
• A complete list of sources for the related guidance is included in Appendix C of the Governance
and Management Objectives publication.
• If no “related guidance” is listed, no applicable references are known from the sources mapped.
• The practitioner community is encouraged to suggest related guidance.
151
RELATED GUIDANCE EXAMPLE
BAI06 – MANAGED CHANGES
152
ALIGNMENT WITH COMPONENTS
Processes
Services,
Infrastructu Organizatio
re and nal
Application Structures
s
Governa
nce
Culture, System Information
Ethics and Flows and
Behaviour Items
People,
Principles,
Skills and
Policies,
Competenc
Procedures
ies
153
ORGANIZATIONAL STRUCTURES DISPLAY
154
ORGANIZATIONAL STRUCTURES EXAMPLE
BAI06 – MANAGED CHANGES
155
ROLES AND ORGANIZATIONAL STRUCTURES
The following roles and organizational structures have been defined in the context of COBIT 2019:
Board Enterprise Risk Committee Head Architect
156
RESPONSIBLE AND ACCOUNTABLE
157
CONSULTED AND INFORMED
158
RELATED GUIDANCE
Where relevant, references to other standards and additional guidance are included in
the organizational structure components section.
159
RELATED GUIDANCE EXAMPLE
BAI06 – MANAGED CHANGES
160
ALIGNMENT WITH COMPONENTS
Processes
Services,
Infrastructu Organizatio
re and nal
Application Structures
s
Governa
nce
Culture, System Information
Ethics and Flows and
Behaviour Items
People,
Principles,
Skills and
Policies,
Competenc
Procedures
ies
161
INFORMATION FLOWS AND ITEMS
This component provides guidance on the information flows and items linked with
process practices. Each practice includes inputs and outputs, with indications of origin
and destination.
• Each output is sent to one or a number of destinations, typically another COBIT process practice.
• Outputs become inputs to their destinations.
• A number of outputs have many destinations and are not listed as inputs in the target processes
(for readability).
• Where relevant, references to other standards and additional guidance are included in the
information flows and items component.
162
INFORMATION FLOWS AND ITEMS COMPONENT DISPLAY
• A number of outputs have many destinations (e.g., all COBIT processes or all processes within a
domain).
• For readability reasons, these outputs are not listed as inputs in the target processes
• For some inputs/outputs, “internal” is cited as a destination if input and output are shared
between activities within the same process.
163
INFORMATION FLOWS AND ITEMS EXAMPLE
BAI06 – MANAGED CHANGES
164
ALIGNMENT WITH COMPONENTS
Processes
Services,
Infrastructu Organizatio
re and nal
Application Structures
s
Governa
nce
Culture, System Information
Ethics and Flows and
Behaviour Items
People,
Principles,
Skills and
Policies,
Competenc
Procedures
ies
165
PEOPLE, SKILLS AND COMPETENCIES COMPONENT
This component identifies human resources and skills required to achieve the
governance or management objective.
COBIT 2019 based this guidance on the Skills Framework for the Information Age
(SFIA®) V6.
166
PEOPLE, SKILLS AND COMPETENCIES COMPONENT DISPLAY
167
PEOPLE, SKILLS AND COMPETENCIES EXAMPLE
BAI06 – MANAGED CHANGES
168
ALIGNMENT WITH COMPONENTS
Processes
Services,
Infrastructu Organizatio
re and nal
Application Structures
s
Governa
nce
Culture, System Information
Ethics and Flows and
Behaviour Items
People,
Principles,
Skills and
Policies,
Competenc
Procedures
ies
169
PRINCIPLES, POLICIES AND PROCEDURES COMPONENT
This component provides detailed guidance on policies and procedures that are relevant
for the governance or management objective.
• The name of relevant policies and procedures is included, with a description of the purpose and
content of the policy.
• Where relevant, references to other standards and additional guidance are included in the
information flows and items component.
170
PRINCIPLES, POLICIES AND PROCEDURES COMPONENT DISPLAY
171
PRINCIPLES, POLICIES AND PROCEDURES EXAMPLE
BAI06 – MANAGED CHANGES
172
ALIGNMENT WITH COMPONENTS
Processes
Services,
Infrastructu Organizatio
re and nal
Application Structures
s
Governa
nce
Culture, System Information
Ethics and Flows and
Behaviour Items
People,
Principles,
Skills and
Policies,
Competenc
Procedures
ies
173
CULTURE, ETHICS AND BEHAVIOR COMPONENT
This component provides detailed guidance on desired cultural elements within the
organization that support the achievement of a governance or management objective.
• The Related Guidance cites specific chapters or sections within related guidance where more
information can be consulted.
• Where relevant, references to other standards and additional guidance are included.
174
CULTURE, ETHICS AND BEHAVIOR COMPONENT DISPLAY
175
CULTURE, ETHICS AND BEHAVIOR EXAMPLE
BAI06 – MANAGED CHANGES
176
ALIGNMENT WITH COMPONENTS
Processes
Services,
Infrastructu Organizatio
re and nal
Application Structures
s
Governa
nce
Culture, System Information
Ethics and Flows and
Behaviour Items
People,
Principles,
Skills and
Policies,
Competenc
Procedures
ies
177
SERVICES, INFRASTRUCTURE AND SERVICES COMPONENT
178
SERVICES, INFRASTRUCTURE AND SERVICES COMPONENT
DISPLAY
179
SERVICES, INFRASTRUCTURE AND SERVICES EXAMPLE
BAI06 – MANAGED CHANGES
180
PRACTICAL WALKTHROUGH
181
181
EXERCISE
182
GROUP EXERCISE – GOALS CASCADE
For each Enterprise Goal, circle the appropriate Balanced Scorecard dimension.
183
GROUP EXERCISE – GOALS CASCADE
For each Alignment Goal, circle the appropriate Governance or Management Objective that has a
PRIMARY relationship.
184
GROUP EXERCISE – GOVERNANCE AND MANAGEMENT
OBJECTIVES PURPOSE STATEMENTS
Match each purpose statement with the appropriate Governance or Management objective.
185
GROUP EXERCISE – GOVERNANCE COMPONENTS
Match each description with the appropriate Governance Component as it applies to Governance
and Management Objectives.
Based on the Skills Process Organizational Information People, Skills, Policies Culture and Services,
Framework for the Structures Competencies Ethics Infrastructure
and
Information Age, or SFIA. Applications
COBIT 2019 only suggests Process Organizational Information People, Skills, Policies Culture and Services,
responsible and accountable Structures Competencies Ethics Infrastructure
and
roles. Applications
Third-party services, types of Process Organizational Information People, Skills, Policies Culture and Services,
infrastructure and categories Structures Competencies Ethics Infrastructure
and
of applications that can be Applications
applied to support the
achievement of a
governance or management
objective.
186
GROUP SCENARIO
NAMECO is an IT Managed Service Provider in North America. They are an aggressive, for profit organization that strives to aggressively grow revenues while providing a
stable client base. NAMECO is considered one of the top five MSPs in the industry and operates in a high threat environment with multiple competitors who are constantly
attempting to challenge their position in the market.
With over 400 tenet clients and 15,000 end users, each one has a very unique set of compliance requirements: 1) 30% of their clients are publicly traded entities, 2) 7% are
heath care related, 3) 87% process credit cards, and 4) 6% have private information regarding EU citizens.
The enterprise risk management group has identified multiple risk scenarios that have the potential of inhibiting the aggressive growth goals identified by the governing
body. These include: 1) recruiting and maintaining qualified and skilled staff, 2) the threat of competitors, 3) complex compliance requirements from multiple requirements
(NAMECO has private information from users across the globe, including EU citizens), and 4) the unknown risks of vendors who provide critical services to NAMECO.
The IT organization also supports the company’s staff of 300 FTEs and is currently considered a “necessity” which has caused some issues. Due to the nature of its
business, NAMECO cannot continue with its strategy unless IT is seen as a key success factor. Most of the services provided by IT are a mix of insourced, cloud, and
outsourced services and IT generally adopts new technologies once they have been proven in the market. Although the organization is primarily a waterfall model for
delivery, there are two full time agile teams that support the core applications of the business. This model has worked up to this point, but there are pressures from the
business to deploy services faster.
With the aggressive growth of the company, the IT organization has experienced multiple issues that have resulted in unsatisfactory client reviews. The key concerns
include: 1) failure to meet Service Level Agreements (many of these failures are due to suppliers), 2) multiple audit findings of non-compliance of data privacy, and 3)
Insufficient IT resources/knowledge required to support the goals of the enterprise.
Other key observations include: 1) there are no documented or well-understood decision matrices in the organization, 2) policies exist, but have not been updated in the last
3 years, 3) the leadership of the organization endorse a ‘risk taking’ culture, but do not support risky decisions that fail, 4) no skills matrix exists that identifies the skills and
competencies required to support IT services, 5) an IT service catalog exists, but is not acknowledged or followed, 6) there is no formal recognition of IT processes, they
are ad hoc and not well documented, and 7) there is no real understanding of the data/information architectures or flows and there is an absence of information
classification.
187
187
GROUP EXERCISE
188
188
MODULE SUMMARY
189
MODULE SUMMARY
Reference: COBIT 2019 Framework: Basic Concepts: Governance Systems and Components, Chapter 3
190
SAMPLE QUESTION
Reference: COBIT 2019 Framework: Basic Concepts: Governance Systems and Components, Chapter 3
191
191
SAMPLE QUESTION
Reference: COBIT 2019 Framework: Basic Concepts: Governance Systems and Components, Chapter 3
192
192
SAMPLE QUESTION
Reference: COBIT 2019 Framework: Basic Concepts: Governance Systems and Components, Chapter 3
193
193
SAMPLE QUESTION
Reference: COBIT 2019 Framework: Basic Concepts: Governance Systems and Components, Chapter 3
194
194
SAMPLE QUESTION
Reference: COBIT 2019 Framework: Basic Concepts: Governance Systems and Components, Chapter 3
195
195
MODULE 6
PERFORMANCE MANAGEMENT
196
MODULE 6 TOPICS AND OBJECTIVES
Topics Objectives
• Performance management definition, • Differentiate COBIT based performance
principles and overview management using maturity and
• Managing performance of processes capability perspectives.
• Managing Performance of Other • Prepare for the COBIT 2019 Foundation
Governance System Components exam.
• Module summary
197
PERFORMANCE MANAGEMENT DEFINITION,
PRINCIPLES AND OVERVIEW
198
COBIT PERFORMANCE MANAGEMENT
DEFINITION AND PRINCIPLES
Reference: COBIT 2019 Framework: Introduction and Methodology Chapter 6 Performance Management in COBIT
199
COBIT PERFORMANCE MANAGEMENT OVERVIEW
The CPM model largely aligns to and extends CMMI® Development 2.0 concepts:
• Process activities are associated to capability levels. This is included in the COBIT Framework:
Governance and Management Objectives guide.
• Other governance and management component types (e.g., organizational structures,
information) may also have capability levels defined for them in future guidance that ISACA may
release.
• Maturity levels are associated with focus areas (i.e., a collection of governance and management
objectives and underlying components) and will be achieved if all required capability levels are
achieved.
Reference: COBIT 2019 Framework: Introduction and Methodology Chapter 6 Performance Management in COBIT
200
COBIT PERFORMANCE MANAGEMENT OVERVIEW
Reference: COBIT 2019 Framework: Introduction and Methodology Chapter 6 Performance Management in COBIT
201
MANAGING PERFORMANCE OF PROCESSES
202
PROCESS CAPABILITY LEVELS
Reference: COBIT 2019 Framework: Introduction and Methodology Chapter 6 Performance Management in COBIT
203
RATING CAPABILITY LEVELS
A capability level can be achieved to varying degrees, which can be expressed by a set of ratings.
The range of available ratings depends on the context in which the performance assessment is
made.
Some formal methods leading to independent certification use a binary pass/ fail set of ratings.
Less formal methods that are often used in performance-improvement contexts work better with a
larger range of ratings, such as the following set:
• Fully—The capability level is achieved for more than 85 percent.
• This remains a judgment call, but it can be substantiated by the examination or assessment of the
components of the enabler, such as process activities, process goals or organizational structure good
practices.
• Largely—The capability level is achieved between 50 percent and 85 percent.
• Partially—The capability level is achieved between 15 percent and 50 percent.
• Not—The capability level is achieved less than 15 percent.
Reference: COBIT 2019 Framework: Introduction and Methodology Chapter 6 Performance Management in COBIT
204
FOCUS AREA MATURITY LEVELS
Reference: COBIT 2019 Framework: Introduction and Methodology Chapter 6 Performance Management in COBIT
205
MANAGING PERFORMANCE OF OTHER
GOVERNANCE SYSTEM COMPONENTS
206
MANAGING PERFORMANCE OF OTHER
GOVERNANCE SYSTEM COMPONENTS
Reference: COBIT 2019 Framework: Introduction and Methodology Chapter 6 Performance Management in COBIT
207
PERFORMANCE MANAGEMENT OF ORGANIZATIONAL
STRUCTURES
Reference: COBIT 2019 Framework: Introduction and Methodology Chapter 6 Performance Management in COBIT
208
PERFORMANCE MANAGEMENT OF INFORMATION ITEMS
The information item component for a governance system of I&T is more or less
equivalent to the process work products as described in COBIT® 2019 Framework:
Governance and Management Objectives.
Although no generally accepted or formal method exists for assessing information items,
they can be less formally assessed according to the information reference model first
presented in COBIT® 5: Enabling Information.
This model defines three main quality criteria for information and 15 sub criteria, as
illustrated on the following slides.
Reference: COBIT 2019 Framework: Introduction and Methodology Chapter 6 Performance Management in COBIT
209
PERFORMANCE MANAGEMENT OF INFORMATION ITEMS
Reference: COBIT 2019 Framework: Introduction and Methodology Chapter 6 Performance Management in COBIT
210
PERFORMANCE MANAGEMENT OF INFORMATION ITEMS
Reference: COBIT 2019 Framework: Introduction and Methodology Chapter 6 Performance Management in COBIT
211
PERFORMANCE MANAGEMENT OF INFORMATION ITEMS
Reference: COBIT 2019 Framework: Introduction and Methodology Chapter 6 Performance Management in COBIT
212
PERFORMANCE MANAGEMENT OF CULTURE AND BEHAVIOR
For the culture and behavior governance component, it should be possible to define a set
of desirable (and/or undesirable) behaviors for good governance and management of IT,
and to assign different levels of capability to each.
From there, it is possible to assess the extent to which these conditions or behaviors are
met.
Focus area content, which will contain a more detailed set of desired behaviors, will be
developed going forward.
The user is advised to consult isaca.org/cobit for the latest status and available focus
area guidance.
Reference: COBIT 2019 Framework: Introduction and Methodology Chapter 6 Performance Management in COBIT
213
MODULE SUMMARY
214
MODULE 6 SUMMARY
Reference: COBIT 2019 Framework: Introduction and Methodology Chapter 6 Performance Management in COBIT
215
SAMPLE QUESTION
Reference: COBIT 2019 Framework: Introduction and Methodology Chapter 6 Performance Management in COBIT
216
216
SAMPLE QUESTION
Reference: COBIT 2019 Framework: Introduction and Methodology Chapter 6 Performance Management in COBIT
217
217
MODULE 7
DESIGNING A TAILORED GOVERNANCE SYSTEM
218
MODULE 7 TOPICS AND OBJECTIVES
Topics
• Introduction to designing a tailored governance system
• Impact of design factors
• Designing a tailored system
• Module summary
Objectives
• Discover how to design a tailored governance system using COBIT
• Prepare for the COBIT 2019 Foundation exam
219
INTRODUCTION TO DESIGNING
A TAILORED GOVERNANCE SYSTEM
220
INTRODUCTION TO DESIGNING A TAILORED GOVERNANCE
SYSTEM
Governance over a complex matter like information and technology requires a multitude
of components, including processes, organizational structures, information flows,
behaviors, etc.
For that reason we will refer to the tailored governance solution every enterprise should
build as the ‘governance system for enterprise information & technology’, or ‘governance
system’ in short.
Reference: COBIT 2019 Framework: Introduction and Methodology Chapter 7 Designing a Tailored Governance System
221
THE NEED FOR TAILORING
Each enterprise is distinct in many various aspects: size, sector, regulatory landscape, threat
landscape, role of IT for the organization, tactical technology related choices and others.
Organizations should tailor their governance system to gain the most value out of their use of
Information and Technology.
There is no unique governance system for enterprise Information and Technology that fits all.
Tailoring means that an enterprise starts from the COBIT Core model and applies changes to this
generic framework based on the relevance and importance of a series of design factors.
This process is called ‘designing the governance system for enterprise information and technology’.
Reference: COBIT 2019 Framework: Introduction and Methodology Chapter 7 Designing a Tailored Governance System
222
IMPACT OF DESIGN FACTORS
223
DESIGN FACTORS
Reference: COBIT 2019 Framework: Introduction and Methodology Chapter 7 Designing a Tailored Governance System
224
IMPACT OF DESIGN FACTORS
Management
Objective
Priority and
Target
Capability
Levels
Reference: COBIT 2019 Framework: Introduction and Methodology Chapter 7 Designing a Tailored Governance System
225
IMPACT OF DESIGN FACTORS
Managem
ent
Objective
Priority
and Target
Capability Management Objective Priority and
Levels
Target Capability Levels
Design factor influence can make some governance
Desig and management objectives more important than
n others. In practice, this higher importance translates
Factor into setting higher target capability levels.
s
Specific Componen
Focus t
Areas Variations
Reference: COBIT 2019 Framework: Introduction and Methodology Chapter 7 Designing a Tailored Governance System
226
IMPACT OF DESIGN FACTORS
An enterprise that is very risk averse will give more priority to management objectives that aspire to govern and
manage risk and security. Governance and management objectives EDM03 Ensured risk optimization, APO12
Managed risk, APO13 Managed security and DSS05 Managed security services will become important parts of
that enterprise’s governance system and will have higher target capability levels defined for them.
An enterprise operating within a high threat landscape will require highly capable security-related processes:
APO13 Managed security and DSS05 Managed security services.
An enterprise in which the role of IT is strategic and crucial to the success of the business will require high
involvement of IT-related roles in organizational structures, a thorough understanding of business by IT
professionals (and vice versa), and a focus on strategic processes such as APO02 Managed strategy and
APO08 Managed relationships.
Reference: COBIT 2019 Framework: Introduction and Methodology Chapter 7 Designing a Tailored Governance System
227
IMPACT OF DESIGN FACTORS
Managem
ent
Objective
Priority
and Target
Capability
Levels
Component Variations
Components are required to achieve governance and
Desig management objectives. Some design factors can
n influence the importance of one or more components or
Factor can require specific variations.
s
Specific Componen
Focus t
Areas Variations
Reference: COBIT 2019 Framework: Introduction and Methodology Chapter 7 Designing a Tailored Governance System
228
IMPACT OF DESIGN FACTORS
Small and medium-sized enterprises might not need the full set of roles and organizational
structures as laid out in the COBIT core model, but may use a reduced set instead. This reduced set
of governance and management objectives and the included components is defined in the Small
and Medium Enterprise focus area (in development).
An enterprise which operates in a highly regulated environment will attribute more importance to
documented work products and policies and procedures and to some roles, e.g. the compliance
officer function.
An enterprise that uses DevOps in solution development and operations will require specific
activities, organizational structures, culture, etc., focused on BAI03 Managed solutions identification
and build and DSS01 Managed operations.
Reference: COBIT 2019 Framework: Introduction and Methodology Chapter 7 Designing a Tailored Governance System
229
IMPACT OF DESIGN FACTORS
Managem
ent
Objective
Priority
and Target
Capability
Levels
Specific Focus Areas
Some design factors, such as threat landscape, specific
Desig risk, target development methods and infrastructure set-
n up, will drive the need for variation of the core COBIT
Factor model content to a specific context.
s
Specific Componen
Focus t
Areas Variations
Reference: COBIT 2019 Framework: Introduction and Methodology Chapter 7 Designing a Tailored Governance System
230
IMPACT OF DESIGN FACTORS
Enterprises adopting a DevOps approach will require a governance system that has a variant of
several generic COBIT processes, described in the DevOps focus area guidance (in development) for
COBIT.
Small and medium enterprises have less staff, fewer IT resources, and shorter and more direct
reporting lines, and differ in many more aspects from large enterprises. For that reason, their
governance system for I&T will have to be less onerous, compared to large enterprises. This is
described in the SME focus area guidance of COBIT (in development).
Reference: COBIT 2019 Framework: Introduction and Methodology Chapter 7 Designing a Tailored Governance System
231
DESIGNING A TAILORED SYSTEM
232
DESIGNING A TAILORED SYSTEM
Reference: COBIT 2019 Framework: Introduction and Methodology Chapter 7 Designing a Tailored Governance System
233
MODULE SUMMARY
Copyright © 2018 Information Systems Audit and Control Association, Inc. All rights reserved.
MODULE 7 SUMMARY
Reference: COBIT 2019 Framework: Introduction and Methodology Chapter 7 Designing a Tailored Governance System
235
SAMPLE QUESTION
References: COBIT 2019 Framework: Introduction and Methodology Chapter 7 Designing a Tailored Governance System COBIT 2019 Design Guide
236
236
SAMPLE QUESTION
References: COBIT 2019 Framework: Introduction and Methodology Chapter 7 Designing a Tailored Governance System COBIT 2019 Design Guide
237
237
SAMPLE QUESTION
Reference: COBIT 2019 Framework: Introduction and Methodology Chapter 6 Performance Management in COBIT
238
238
MODULE 8
GETTING STARTED WITH COBIT: MAKING THE CASE
239
MODULE 8 TOPICS AND OBJECTIVES
Topics
• Making a case for getting started
• Overview of the COBIT business case
• Example scenario
• Module summary
Objectives
• Explain the key points of the COBIT business case.
240
MAKING A CASE FOR GETTING STARTED
241
INTRODUCTION TO THE COBIT BUSINESS CASE
Every enterprise has its own reasons for improving EGIT and
its own approach to preparing business cases. Common business
practices dictates
The COBIT 2019 Framework: Introduction and Methodology preparing a business
publication provides an example scenario. case to analyze and
justify the initiation
of a large project
and/or financial
investment.
Reference: COBIT 2019 Framework: Introduction and Methodology Chapter 9 The COBIT Business Case
242
OVERVIEW OF THE COBIT BUSINESS CASE
243
THE COBIT BUSINESS CASE COMPONENTS
Executive Summary
Background
Business Challenges
•Gap Analysis and Goal
Alternatives Considered
Proposed Solution
•Phase 1. Pre-Planning
•Phase 2. Program Implementation
•Program Scope
•Program Methodology and Alignment
•Program Deliverables
•Program Risk
•Stakeholders
•Cost-Benefit Analysis
•Challenges and Success Factors
Reference: COBIT 2019 Framework: Introduction and Methodology Chapter 9 The COBIT Business Case
244
EXAMPLE SCENARIO
245
EXAMPLE SCENARIO – ACME CORPORATION
The example scenario is Acme Corporation, a large multinational enterprise with a mixture
of traditional, well-established business units as well as new Internet-based businesses
adopting the very latest technologies. Many of the business units have been acquired and
exist in various countries with different local political, cultural and economic environments.
The central group’s executive management team has been influenced by the latest
enterprise governance guidance, including COBIT, which they have used centrally for some
time. They want to make sure that rapid expansion and adoption of advanced IT will deliver
the value expected; they also intend to manage significant new risk. They have, therefore,
mandated enterprise wide adoption of a uniform EGIT approach. This approach includes
involvement by the audit and risk functions and internal annual reporting by business unit
management of the adequacy of controls in all entities.
Reference: COBIT 2019 Framework: Introduction and Methodology Chapter 9 The COBIT Business Case
246
246
GROUP SCENARIO
NAMECO is an IT Managed Service Provider in North America. They are an aggressive, for profit organization that strives to aggressively grow revenues while providing a
stable client base. NAMECO is considered one of the top five MSPs in the industry and operates in a high threat environment with multiple competitors who are constantly
attempting to challenge their position in the market.
With over 400 tenet clients and 15,000 end users, each one has a very unique set of compliance requirements: 1) 30% of their clients are publicly traded entities, 2) 7% are
heath care related, 3) 87% process credit cards, and 4) 6% have private information regarding EU citizens.
The enterprise risk management group has identified multiple risk scenarios that have the potential of inhibiting the aggressive growth goals identified by the governing
body. These include: 1) recruiting and maintaining qualified and skilled staff, 2) the threat of competitors, 3) complex compliance requirements from multiple requirements
(NAMECO has private information from users across the globe, including EU citizens), and 4) the unknown risks of vendors who provide critical services to NAMECO.
The IT organization also supports the company’s staff of 300 FTEs and is currently considered a “necessity” which has caused some issues. Due to the nature of its
business, NAMECO cannot continue with its strategy unless IT is seen as a key success factor. Most of the services provided by IT are a mix of insourced, cloud, and
outsourced services and IT generally adopts new technologies once they have been proven in the market. Although the organization is primarily a waterfall model for
delivery, there are two full time agile teams that support the core applications of the business. This model has worked up to this point, but there are pressures from the
business to deploy services faster.
With the aggressive growth of the company, the IT organization has experienced multiple issues that have resulted in unsatisfactory client reviews. The key concerns
include: 1) failure to meet Service Level Agreements (many of these failures are due to suppliers), 2) multiple audit findings of non-compliance of data privacy, and 3)
Insufficient IT resources/knowledge required to support the goals of the enterprise.
Other key observations include: 1) there are no documented or well-understood decision matrices in the organization, 2) policies exist, but have not been updated in the last
3 years, 3) the leadership of the organization endorse a ‘risk taking’ culture, but do not support risky decisions that fail, 4) no skills matrix exists that identifies the skills and
competencies required to support IT services, 5) an IT service catalog exists, but is not acknowledged or followed, 6) there is no formal recognition of IT processes, they
are ad hoc and not well documented, and 7) there is no real understanding of the data/information architectures or flows and there is an absence of information
classification.
247
247
GROUP EXERCISE
248
248
MODULE SUMMARY
249
MODULE 8 SUMMARY
Reference: COBIT 2019 Framework: Introduction and Methodology Chapter 9 The COBIT Business Case
250
SAMPLE QUESTION
Reference: COBIT 2019 Framework: Introduction and Methodology Chapter 3 COBIT Principles
251
251
MODULE 9
IMPLEMENTING ENTERPRISE GOVERNANCE OVER IT
252
MODULE 9 TOPICS AND OBJECTIVES
Topics
• Implementation guide purpose and scope
• Implementation phases
• Design guide and implementation guide relationships
• Module summary
Objectives
• Understand and recall the phases of the COBIT implementation approach.
• Describe the relationships between the COBIT Design and Implementation
Guides
253
IMPLEMENTATION GUIDE PURPOSE AND SCOPE
254
IMPLEMENTATION GUIDE PURPOSE AND SCOPE
Reference: COBIT 2019 Framework: Introduction and Methodology Chapter 8, Implementing Enterprise Governance of IT
255
IMPLEMENTATION LIFECYCLE
256
IMPLEMENTATION STEPS
257
PHASE 1 WHAT ARE THE DRIVERS?
Reference: COBIT 2019 Framework: Introduction and Methodology Chapter 8, Implementing Enterprise Governance of IT
258
PHASE 2 WHERE ARE WE NOW?
Reference: COBIT 2019 Framework: Introduction and Methodology Chapter 8, Implementing Enterprise Governance of IT
259
PHASE 3 WHERE DO WE WANT TO BE?
Reference: COBIT 2019 Framework: Introduction and Methodology Chapter 8, Implementing Enterprise Governance of IT
260
PHASE 4 WHAT NEEDS TO BE DONE?
Reference: COBIT 2019 Framework: Introduction and Methodology Chapter 8, Implementing Enterprise Governance of IT
261
PHASE 5 HOW DO WE GET THERE?
Reference: COBIT 2019 Framework: Introduction and Methodology Chapter 8, Implementing Enterprise Governance of IT
262
PHASE 6 DID WE GET THERE?
Reference: COBIT 2019 Framework: Introduction and Methodology Chapter 8, Implementing Enterprise Governance of IT
263
PHASE 7 HOW DO WE KEEP THE MOMENTUM GOING?
Reference: COBIT 2019 Framework: Introduction and Methodology Chapter 8, Implementing Enterprise Governance of IT
264
DESIGN GUIDE AND IMPLEMENTATION GUIDE
RELATIONSHIPS
265
DESIGN GUIDE AND IMPLEMENTATION GUIDE RELATIONSHIPS
The workflow explained in the COBIT 2019 Design Guide elaborates a set of tasks defined in the
Implementation Guide and has the following connection points:
COBIT Implementation Guide COBIT Design Guide
Phase 1
What are the drivers? Step 1 – Understand the enterprise context and
(Continuous improvement (CI) strategy
Tasks)
Step 2 – Determine the initial scope of the
Phase 2 governance system
Where are we now? Step 3 – Refine the scope of the governance system
(CI Task) Step 4 – Conclude the governance system design
Phase 3
Where do we want to be? Step 4 – Conclude the governance system design
(CI Tasks)
Reference: COBIT 2019 Framework: Introduction and Methodology Chapter 8, Implementing Enterprise Governance of IT
266
MODULE SUMMARY
267
MODULE 9 SUMMARY
Reference: COBIT 2019 Framework: Introduction and Methodology Chapter 8, Implementing Enterprise Governance of IT
268
SAMPLE QUESTION
269
269
SAMPLE QUESTION
270
270
MODULE 10
CLOSING
271
COURSE SUMMARY
272
Q&A
Copyright © 2018 Information Systems Audit and Control Association, Inc. All rights reserved.