Copyright © 2007 ISACA. All rights reserved. www.isaca.org.
A Cosmological Approach to IT Governance:
Val IT and COBIT Lessons Learned at the United Nations
By Jason Bellone, Dino Cataldo Dell’Accio, CISA, CISM, CIA, ISMS LA, and Juan Rodriguez
As Carl Sagan once said, “If you want to make an apple pie
from scratch, you must first create the universe.” This tenet
served as the basis for an IT governance restructuring within
the United Nations (UN) Secretariat. The project has been
underway for nearly one year, and many outcomes and lessons
learned have emerged. By taking a “cosmological” approach to
defining and managing a governance system, the methodology
has produced positive results to institutionalizing a Val
IT/COBIT-based governance framework. The approach, tools
and lessons learned are provided as a case study of this
experience.
Organizational Context
The UN places high demand on IT as an “enabler” to the
organization’s mission. IT services contribute to nearly all
operational activities, yet as requirements and demand grow,
the budget does not. In the quest to better prioritize which IT
investments to make and to govern their implementation, the
organization referenced the IT Governance Institute (ITGI)
best practices defined in the Val IT and Control Objectives for
Information and related Technology (COBIT) models. The Val
IT model was adopted to support the decision-making process
for IT investments, ultimately responding to the question of
which initiatives achieve the highest return. The COBIT
governance framework is used to govern the subsequent
execution of the IT investments, addressing key questions of
whether and how the return is achieved.
Figure 1, taken from the 2008-2009 budget instructions
directive, reflects the alignment between the information and
communication technology (ICT) strategic framework and the
COBIT governance model. As shown, the budget framework is
logically linked with the corresponding COBIT domains.
The adoption of COBIT was a perfect fit for the UN’s
results-based management and budgeting approach. The
project was initially designed with reference to COBIT 3rd
Figure 1—2008-2009 Budget Framework
Objective of the organization:
To ensure that ICT services efficiently and effectively support the
operational objectives of the organization
Expected accomplishments:
1. Improved alignment of ICT initiatives with the organization’s
operational objectives
2. Improved timeliness and effectiveness of ICT acquisition and
implementation processes
3. Increased efficiency and effectiveness in delivering and supporting
ICT applications, systems and services
4. Increased responsiveness in closing operational gaps
JOURNALONLINE
Edition and then updated with the control structure and goals
and metrics of COBIT 4.0.
The governance model includes a mapping of each IT
organizational unit and its respective projects/activities and
processes with the organizational goals. Each of the expected
accomplishments is decomposed into performance indicators
taken from COBIT key goal indicator (KGI) and key
performance indicator (KPI) baselines. The model is supported
by defined sources of data, processes, documents and
responsible owners, to allow for the systematic collection of
data and periodic reporting. Clearly, this effort requires a
systematic approach supported by well-defined policy,
processes and tools. Efforts to establish a governance universe
are synopsized in this case study.
Val IT: The Galaxy
The Val IT model is based on three domains of processes:
Value Governance, Portfolio Management and Investment
Management. The three domains are further detailed by a set
of 40 management practices, logically linkable to the control
objectives defined in the COBIT framework. These linkages
provide the basis for a complementing analysis, ultimately
leading to a comprehensive review of the entire IT investment
life cycle.
In this context, the support from IT investments to the
achievement of the organization’s strategic goals is guided by a
set of value management processes, enabled by management
best practices and control objectives, and measured by key
outcome and performance metrics. The definition of the metric
system was derived from an adaptation of some of the goal
indicators included in COBIT 4.0.
COBIT Cosmology: Mapping the Universe
The COBIT governance framework, composed of four
domains; 34 high-level control objectives; more than 200
detailed control objectives; and thousands of goals, metrics,
gaps, risks and assets, is a complex system. When the various
business processes and best practices, such as information
security, quality assurance, service delivery, project
management, budget and risk management, are integrated with
the framework, there are an unwieldy number of permutations.
Each must be managed individually and collectively, both as a
star and a universe. A question emerges: how can one manage
such a complex system?
The answer was to logically map the universe and create a
real-time atlas of the governance system. As figure 2
illustrates, a rendering of the universe was created based off a
number of models, strategic directions, programmatic
1
 objectives, controls and processes. The atlas represents a
holistic understanding of the system and the numerous
interrelationships and interdependencies of governance
activities. The figure is not a graphic but a dynamically
generated visualization rendered from a governance schema
(database) where dozens of governance, management and
workflow processes are structured. The perspective offers some
deterministic insights to forces of influence, dualities,
synergies, and macro- and micro-level planning structures.
COBIT Constellations
Within the universe model, several subject-specific
constellations were defined to represent lines of activity and
process models. Based on a use-case approach, all actors and
perspectives (auditor, senior management, process owner,
project manager) are represented. A process model for each
high-level control objective is established and integrated with
its companion “practitioner” workflow.
Take, for example, DS5 Ensure system security and the
correlating processes that would be employed by referencing
ISO 27000 and the establishment of a well-functioning
information security management system (ISMS). By creating
a vortex between the COBIT framework and the ISMS process
model, a constellation is formed based on the intended results.
Figure 3 illustrates the concept. Based on the principle of
duality, the approaches are integrated and a synergy is formed.
Figure 2—Atlas of the Governance System
2 INFORMATION SYSTEMS CONTROL JOURNAL, VOLUME 3, 2004
The same approach was taken for service management (ITIL),
quality assurance (ISO 9000) and numerous others.
The constellation represents a structured workflow
representing two different orientations—in this case, the
management and audit of an activity. The duality presents a
number of opportunities for coordination and position for
continuous audit. The chief information security officer
(CISO) oversees the process, and the audit function is enabled
by real-time access to the status of the implementation—where
the gaps are, what the risks are, which controls are applied and,
most important, how the process is managed. This facility has
fostered a stronger harmonization between the activities of
managing and monitoring a program.
MyStar: Encouraging Ownership
and Accountability
The concept of constellations and modeling of processes is
necessary to establish workflows and, most important,
encouraging ownership and accountability for implementation
of controls. A critical success factor to the project was to
ensure that all actors could interact, participate and contribute
to the exploration of the universe and drill down to a
constellation (activity) of interest. In the case of managing an
ISMS, the standard calls for a plan-do-check-act (PDCA) life
cycle. This point of view is fully represented with the full
range of activities of the life cycle.
 Figure 3—Constellation Based on Intended Results
As figure 4 demonstrates, each activity and “do” task is
fully represented in the system and coupled to assignment of
ownership. The figure is indicative of the tight binding of
perspectives reflecting the points of view between audit and
auditee, senior management and project managers, and
business units and service providers. The approach has created
a more harmonious relationship among organizationally
separated peer groups and enabled a more collaborative forum.
Hubble Views: Checking and Reporting
As processes become increasingly integrated, the value of
this approach becomes apparent in the facility by which one
can analyze and report, particularly in the way of Capability
Maturity Model (CMM)-oriented dashboarding, assessment of
risk or budgetary reporting. As figure 5 illustrates, telescopic
views enable dynamic monitoring of the governance system
and its interconnected subsystems.
In the case of the UN, where results-based budgeting serves
as the basis for justifying funding, linking projects to CMM
performance objectives is vital. Return on investment is tightly
coupled to performance objectives (and gaps) related to a
maturity indicator for each line of activity. Most important, the
supporting data are dynamic and updated through the natural
course of the PDCA life cycle. The question “Where are we
today?” is not answered tomorrow.
INFORMATION SYSTEMS CONTROL JOURNAL, VOLUME 3, 2004
6 Degrees: An IT Governance and
Management Tool Kit
A tool is not the end to the means, but is vital; therefore, a
tool was needed to examine governance. This article’s
illustrations represent a tool kit developed and named after the
concept known as the six-link rule: 6 Degrees. True to its
name, 6 Degrees has paid dividends in ensuring the necessary
linkages and harmonization of governance initiatives.
Borrowing from the visualization technologies of the
scientific and informatics industries, the 6 Degrees system was
developed based on five conceptual layers:
1. A logical model (database) integrating all high-level
structures and processes of the governance system
2. A workflow-based input/output interface to ensure process
and data-driven currency and accuracy
3. A quantitative analysis engine using OLAP methods
4. A visualization gateway to the model adopted from the fields
of social network analysis and complex systems theory
5. A real-time reporting and dashboarding facility
The 6 Degrees system was established on the proverbial
shoestring budget using open source resources, but the
returns have proved invaluable. The portal provides a single
source window and analytical tool kit for extending the
organization’s ability toward more complex analysis and
quantitative measurement—what ifs, simulation, cost-benefit
analysis, budget formulation, resource allocation and
business intelligence.
3
 Figure 4—Varied Perspectives
Figures 2 through 5 are generated on demand from
workflow-related inputs. 6 Degrees is providing a powerful means
of making invisible patterns of workflow and collaboration in
strategically important groups visible. The benefits to audit and
continuous improvement have shown tremendous promise. Gap
analysis, diagnostic reviews, risk assessments and compliance
reports are generated on demand and reflect the multidimensional
alignment with resources and processes.
Lessons Learned
The system was designed to address two main needs:
1. To govern projects, activities and processes using
strategically constructed integrations among workflows
2. To present strategy and report on its implementation to the
senior management and oversight bodies
Since the initiation of this project, several noteworthy
benefits have been realized. In particular, the organization was
able to achieve a clearer and controllable reporting system about
the performance of the IT function. Predefined metrics have
allowed the organization to identify baselines for comparative
analysis and consistently monitor the performance of the IT
function over time. Because of the previously mentioned
mapping among organizational units, projects, activities and
processes, and organizational goals, the system allows for a
better representation of how resources (financial and human) are
allocated and used to achieve the goals.
The achievements can be best expressed by the greatest benefit
4 INFORMATION SYSTEMS CONTROL JOURNAL, VOLUME 3, 2004
of an understanding of the sum of the parts and the strategy of the
whole. Actors have an increased appreciation for their role and
contribution to the governance system. Thanks to the construction
of the universe, the system is no longer abstract; it is planned and
organized. The system has received positive feedback and
acknowledgment from all these entities. The governance
framework is gaining increasing acceptance as it is woven into the
culture of the organization. The approach is increasingly
institutionalized and rooted, and it is equally embraced by the
practitioner, as it is an audit guideline. The approach,
complemented with the tool kit, has provided new capability to the
organization toward continuous improvement practices, compliance
with industry standards and decision-making support
The tangibility of the benefits is growing and has become
increasingly evident. Recently, the UN received ISO 27000
certification. During the certification audit, the organization
was asked to show auditors its ISMS. The staff members
clicked a button and said “Here.” There were no additional
questions, tedious explanations or confusion.
While many steps lie ahead for this path of ICT governance,
a map is drawn and the universe is charted. If Carl Sagan was
right, the apple pie should be forthcoming.
Author’s Note:
Readers are invited to contact the authors for further details.
The web-based tool 6 Degrees described in this paper will be
made freely available to interested parties upon request.
 Figure 5—Dynamic Monitoring

Jason Bellone enterprisewide risk assessments, developing and implementing

is chief of the ICT quality assurance and risk management
section in the information technology services division of the
UN Secretariat in New York (USA). He coordinates an
enterprisewide campaign to implement COBIT-based IT
governance systems and related best practices worldwide. Prior
to taking post with the UN, Jason held several public service
positions with the US government.
Dino Cataldo Dell’Accio, CISA, CISM, CIA,
ISMS Lead Auditor
is an information security officer in the UN in New York. In
this capacity, he has been involved in several projects
pertaining to the implementation of information security
systems and controls. He has experience in conducting
ISO-based diagnostic reviews, and auditing strategies, and
control mechanisms with reference to widely accepted
professional standards and best practices. He has held various
positions as auditor in the UN system and finance sector.
Juan Rodriguez
is an ICT security expert and serves as the UN ICT quality
assurance and risk management section’s resident technical
guru where he has been dedicated to the development of an
open source ICT governance tool known as 6 Degrees. He has
worked in several international organizations, including the
UN, UN Children’s Fund (UNICEF), Berlitz International and
General Electric, and he has more than 10 years of experience
in the IT industry.

Information Systems Control Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to
the Information Systems Control Journal.

Opinions expressed in the Information Systems Control Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT
Governance Institute® and their committees, and from opinions endorsed by authors’ employers, or the editors of this Journal. Information Systems Control Journal does not attest to the originality of
authors' content.

© Copyright 2007 by ISACA. All rights reserved.

Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the
association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, Mass. 01970, to photocopy articles
owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article.
Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly
prohibited.

www.isaca.org

INFORMATION SYSTEMS CONTROL JOURNAL, VOLUME 3, 2004 5