
COBIT Framework

Worapat Paireekreng

AI3

1.

IT

IT

IT
Governance
IT

2.

Sarbanes-Oxley Act (SOX)


COSO


5
Control environment
Risk assessment
Control activities
Information and communication

2.

ITIL

2.

ISO 17799:2005

2005

2.

(Capability Maturity Model Integration)

5
1
(Initial)
2
(Managed)
3
(Defined)

2.

COBIT

COBIT

2.

COBIT

IT Governance
5
(Strategic Alignment)
(Value Delivery)
(Resource Management)
(Risk

2.

COBIT

(Planning and Organization : PO)


(Acquisition and Implementation : AI)
(Delivery and Support : DS)

(Monitoring and Evaluation : ME)

2.

COBIT





7
(effectiveness) ,

3.

3.1

Level 0 :
Level 1 :
Level 2 :
Level 3 :

3.

3.1

Level 0

E-Transaction Law

Level 1

Level 2

Level 3

COSO


COBIT

IT



ITIL

ISO/IEC17799:2000

3.

3.2 COBIT

COBIT


COBIT
IT Governance

3.

3.2 COBIT

KPIs (Key Performance Indicators)
KGI (Key Goal Indicators)

3.

3.2 COBIT

3.

3.2 COBIT

3.

3.2 COBIT

COBIT, ,

3.

3.2 COBIT

COBIT

IT

IT

3.

3.2 COBIT

COBIT

3.

3.3

IT Governance

COSO

COBIT

3.

3.3

High-level Control Objective

Detailed Control Objective

Management Guidelines

Maturity Model

COBIT

3.

3.3

3.

3.3


IT Governance
COBIT

3.

3.3

,
( DS5) COBIT 4.0

4.

AI3 : Acquire and Maintain Technology Infrastructure

1. High-level Control Objectives

Organisations should have processes for the acquisition, implementation and upgrade of the
technology infrastructure.
This requires a planned approach to acquisition, maintenance and protection of infrastructure
in line with agreed technology strategies and the provision of development and test environments.
This ensures that there is ongoing technological support for business applications.



Control over the IT process of

Acquire and maintain technology infrastructure

that satisfies the business requirement for IT of

acquiring and maintaining an integrated and standardised IT infrastructure

by focusing on

providing appropriate platforms for the business applications in line with the defined IT
architecture and technology standards



is achieved by

Producing a technology acquisition plan that aligns to the technology infrastructure plan
Planning infrastructure maintenance
Implementing internal control, security and auditability measures

and is measured by

Percent of platforms that are not in line with the defined IT architecture and technology standards
Number of critical business processes supported by obsolete (or soon to be) infrastructure
Number of infrastructure components that are no longer supportable (or will not be in the near future)


2. Detailed Control Objectives

AI3.1 Technological Infrastructure Acquisition Plan
AI3.2 Infrastructure Resource Protection and Availability
AI3.3 Infrastructure Maintenance
AI3.4 Feasibility Test Environment


AI3.1 Technological Infrastructure Acquisition Plan

Produce a plan for the acquisition, implementation and maintenance of the technological
infrastructure that meets established business functional and technical requirements
and is in accord with the organisation's technology direction.
The plan should consider future flexibility for capacity additions, transition costs,
technical risks and the lifetime of the investment for technology upgrades.
Assess the complexity costs and the commercial viability of the vendor and product when
adding new technical capability.


AI3.2 Infrastructure Resource Protection and Availability

Implement internal control, security and auditability measures during configuration,
integration and maintenance of hardware and infrastructural software to protect resources
and ensure availability and integrity.
Responsibilities for using sensitive infrastructure components should be clearly defined
and understood by those who develop and integrate infrastructure components.
Their use should be monitored and evaluated.


AI3.3 Infrastructure Maintenance

Develop a strategy and plan for infrastructure maintenance and ensure that changes are
controlled in line with the organisation's change management procedure.
Include periodic review against business needs, patch management and upgrade strategies,
risks, vulnerabilities assessment and security requirements.

AI3.4 Feasibility Test Environment

Establish development and test environments to support effective and efficient feasibility
and integration testing of applications and infrastructure in the early stages of the
acquisition and development process.
Consider functionality, hardware and software configuration, integration and performance
testing, migration between environments, version control, test data and tools, and security.


3. Management Guidelines
INPUT
PO3: Technology infrastructure plan, standards and opportunities; regular state of technology updates
PO8: Acquisition and development standards
PO10: Project management guidelines and detailed project plans
AI1: Business requirements feasibility study
AI6: Change process description
DS3: Performance and capacity plan (requirements)

PROCESS
Control Objectives: AI3.1, AI3.2, AI3.3, AI3.4

OUTPUT
AI5: Procurement decisions
AI7: Configured system to be tested/installed
DS12: Physical environment requirements
PO3: Updates for technology standards
DS3: System monitoring requirements
AI4: Infrastructure knowledge
DS1: Initial planned OLAs

[Figure: Define Goals, linking Business Goals, IT Goals, Process Goals and Activity Goals, with KPIs]

Activity Goals

Producing a technology acquisition plan that aligns to the technology infrastructure plan
Planning infrastructure maintenance
Providing development and test environment infrastructure
Implementing internal control, security and auditability measures

Key Performance Indicators

# and type of emergency changes to the infrastructure components
# of outstanding acquisition requests
Average time to configure infrastructure components

Process Goals

Provide appropriate platforms for the business applications in line with the defined IT
architecture and technology standards.
Provide a reliable and secure IT infrastructure.

Process Key Goal Indicators

% of platforms that are not in line with the defined IT architecture and technology standards
# of different technology platforms by function across the enterprise
% of infrastructure components acquired outside the acquisition process
# of infrastructure components that are no longer supportable (or will not be in the near future)

IT Goals

Acquire and maintain an integrated and standardised IT infrastructure.
Optimise the IT infrastructure, resources and capabilities.
Create IT agility

IT Key Goal Indicators

# of critical business processes supported by obsolete (or soon to be) infrastructure


4. Maturity Model
5 Optimised
4 Managed and Measurable
3 Defined Process
2 Repeatable but Intuitive
1 Initial/Ad Hoc
0 Non-existent


0 Non-existent when

Managing the technology infrastructure is not recognised as a sufficiently important topic
to be addressed.


1 Initial/Ad Hoc when

There are changes made to infrastructure for every new application, without any overall plan.
Although there is an awareness that the IT infrastructure is important, there is no
consistent overall approach.
Maintenance activity reacts to short-term needs.
The production environment is the test environment.


2 Repeatable but Intuitive when

There is a consistency among tactical approaches when acquiring and maintaining the IT
infrastructure.
Acquisition and maintenance of IT infrastructure is not based on any defined strategy and
does not consider the needs of the business applications that must be supported.
There is an understanding that the IT infrastructure is important, supported by some
formal practices.
Some maintenance is scheduled, but it is not fully scheduled and co-ordinated.
For some environments, a separate test environment exists.


3 Defined Process when

A clear, defined and generally understood process exists for acquiring and maintaining IT
infrastructure.
The process supports the needs of critical business applications and is aligned to IT and
business strategy but it is not consistently applied.
Maintenance is planned, scheduled and co-ordinated.
There are separate environments for test and production.


4 Managed and Measurable when

The acquisition and maintenance process for technology infrastructure has developed to the
point where it works well for most situations, is followed consistently and is focused on
reusability.
The IT infrastructure adequately supports the business applications.
The process is well organised and proactive.
The cost and lead time to achieve the expected level of scalability, flexibility and
integration are partially optimised.


5 Optimised when

The acquisition and maintenance process for technology
infrastructure is proactive and closely aligned with critical
business applications and the technology architecture.
Good practices regarding technology solutions are followed
and the organisation is aware of the latest platform
developments and management tools. Costs are reduced by
rationalising and standardising infrastructure components
and by using automation. A high level of technical
awareness can identify optimum ways to proactively improve
performance, including consideration of outsourcing options.
The IT infrastructure is seen as the key enabler to leveraging
the use of IT.

Maturity attribute table columns: Level; Awareness and Communication; Policies, Standards and Procedures; Tools and Automation; Skill and Expertise; Responsibility and Accountability; Goal Setting and Measurement


5. Link to Business
IT

4.

19.

19.

5.

14.

5.

COBIT
