CobiT definition:

Establish an IT strategy committee at the board level. This committee should ensure that IT governance, as part of enterprise governance, is adequately addressed; advise on strategic direction; and review major investments on behalf of the full board.

Bill says,

One of the important things to remember when looking at a framework such as CobiT is that it isn’t right for everyone, or rather, parts of it may need to be adjusted to fit your organization. Whether your IT Strategy Committee will be a different group than your IT Steering Committee (which is the next control object), is a question of the size, maturity and industry of your company. As defined by Cobit, this IT Strategy Committee is at the board level, which may very well work in certain companies. Perhaps those companies have boards interested in having an IT Strategy Committee alongside their Executive Compensation Committee. But not in my experience.

Certainly large IT investments or directions changes that have a material impact on the business should be raised to the board level, but at least in my company we would never form such a committee at the board level; there simply would be no interest in it. Does that mean you shouldn’t do this? Of course not – if you an get the interest at the board level then go for it! Otherwise, you simply implement your IT Strategy Committee at a lower level in the organization, certainly including senior business managers.

At my company we have both an IT Strategy Committee, which meets only once a year, and an IT Steering Committee, which meets quarterly. The Strategy Committee’s role is very big picture and simply serves as a beacon of “true north” from an IT investment and direction standpoint. Every decision we make should align with the annual strategy developed and/or approved by the IT Strategy Committee.

The governance around how that strategy comes to fruition is done at the IT Steering Committee level, which we’ll discuss next.

The second step in Defining the IT Processes, Organization and Relationships is to form a solid IT Strategy Committee.

No related posts.

Post from: IT Governance - COBIT AND ITIL

PO4.2 IT Strategy Committee

CobiT definition:

Define an IT process framework to execute the IT strategic plan. This framework should include an IT process structure and relationships (e.g., to manage process gaps and overlaps), ownership, maturity, performance measurement, improvement, compliance, quality targets and plans to achieve them. It should provide integration amongst the processes that are specific to IT, enterprise portfolio management, business processes and business change processes. The IT process framework should be integrated into a quality management system (QMS) and the internal control framework.

Bill says,

First of all, for those of you subscribed and reading in a reader, I apologize for the rash of posts yesterday – I decided it would be easier for me to keep these updates coming if I fleshed out the entire CobiT framework first so that now all I need to focus on is the content and updating the links in the tables of contents. So I think that meant I posted 25 or so posts yesterday. Certainly not the norm!

Speaking of frameworks, this control objective talks about establishing an IT Process Framework. Now I don’t take this to mean overall IT governance, that is something not addressed until we get to the Monitor and Evaluate domain. But I do feel as though this is related. The very first thing that we did in CobiT is to define our Strategic IT Plan and this control objective is all about establishing the rules for how you will ensure adherence to that strategic plan. A plan is useless unless followed!

In the definition it refers to an internal control framework and to be honest that is something I struggle with because rather than that being something different I see the process framework as basically the same thing. But remember, I am coming from a small organization so I do tend to see things differently as I prefer to lump many of these control objectives together where it makes sense.

Here is the bottom line for me – what you need is some sort of plan for how you will keep your people and your processes aligned to your strategic plan. There needs to be some gating mechanisms and some methods for reporting and analyzing results. The key is that this is something that just needs to be included in everyone’s daily work, not some thing you whip out when reviewing your strategic plan with the Board.

The first step in Defining the IT Processes, Organization and Relationships is to define a solid IT Process Framework.

No related posts.

Post from: IT Governance - COBIT AND ITIL

PO4.1 IT Process Framework

CobiT definition:

Establishing an effective governance framework includes defining organisational structures, processes, leadership, roles and responsibilities to ensure that enterprise IT investments are aligned and delivered in accordance with enterprise strategies and objectives.

Control over the IT process of
Provide IT governance

that satisfies the business requirement for IT of
integrating IT governance with corporate governance objectives and complying with laws, regulations and contracts

by focusing on
preparing board reports on IT strategy, performance and risks, and responding to governance requirements in line with board directions

is achieved by

• Establishing an IT governance framework integrated into corporate governance
• Obtaining independent assurance over the IT governance status

and is measured by

• Frequency of board reporting on IT to stakeholders (including maturity)
• Frequency of reporting from IT to the board (including maturity)
• Frequency of independent reviews of IT compliance

Control objectives:

ME4 Provide IT Governance

ME4.1 Establishment of an IT Governance Framework
ME4.2 Strategic Alignment
ME4.3 Value Delivery
ME4.4 Resource Management
ME4.5 Risk Management
ME4.6 Performance Measurement
ME4.7 Independent Assurance

Check out the links for details on the control objectives.

No related posts.

Post from: IT Governance - COBIT AND ITIL

ME4 Provide IT Governance

CobiT definition:

Effective oversight of compliance requires the establishment of a review process to ensure compliance with laws, regulations and contractual requirements. This process includes identifying compliance requirements, optimising and evaluating the response, obtaining assurance that the requirements have been complied with and, finally, integrating IT’s compliance reporting with the rest of the business.

Control over the IT process of
Ensure compliance with external requirements

that satisfies the business requirement for IT of
ensuring compliance with laws, regulations and contractual requirements

by focusing on
identifying all applicable laws, regulations and contracts and the corresponding level of IT compliance and optimising IT processes to reduce the risk of non-compliance

is achieved by

• Identifying legal, regulatory and contractual requirements related to IT
• Assessing the impact of compliance requirements
• Monitoring and reporting on compliance with these requirements

and is measured by

• Cost of IT non-compliance, including settlements and fines
• Average time lag between identification of external compliance issues and resolution
• Frequency of compliance reviews

Control objectives:

ME3 Ensure Compliance With External Requirements

ME3.1 Identification of External Legal, Regulatory and Contractual Compliance Requirements
ME3.2 Optimisation of Response to External Requirements
ME3.3 Evaluation of Compliance With External Requirements
ME3.4 Positive Assurance of Compliance
ME3.5 Integrated Reporting

Check out the links for details on the control objectives.

No related posts.

Post from: IT Governance - COBIT AND ITIL

ME3 Ensure Compliance With External Requirements

CobiT definition:

Establishing an effective internal control programme for IT requires a well-defined monitoring process. This process includes the monitoring and reporting of control exceptions, results of self-assessments and third-party reviews. A key benefit of internal control monitoring is to provide assurance regarding effective and efficient operations and compliance with applicable laws and regulations.

Control over the IT process of
Monitor and evaluate internal control

that satisfies the business requirement for IT of
protecting the achievement of IT objectives and complying with IT-related laws, regulations and contracts

by focusing on
monitoring the internal control processes for IT-related activities and identifying improvement actions

is achieved by

• Defining a system of internal controls embedded in the IT process framework
• Monitoring and reporting on the effectiveness of the internal controls over IT
• Reporting control exceptions to management for action

and is measured by

• Number of major internal control breaches
• Number of control improvement initiatives
• Number and coverage of control self-assessments

Control objectives:

ME2 Monitor and Evaluate Internal Control

ME2.1 Monitoring of Internal Control Framework
ME2.2 Supervisory Review
ME2.3 Control Exceptions
ME2.4 Control Self-assessment
ME2.5 Assurance of Internal Control
ME2.6 Internal Control at Third Parties
ME2.7 Remedial Actions

Check out the links for details on the control objectives.

No related posts.

Post from: IT Governance - COBIT AND ITIL

ME2 Monitor and Evaluate Internal Control

CobiT definition:

Effective IT performance management requires a monitoring process. This process includes defining relevant performance indicators, systematic and timely reporting of performance, and prompt acting upon deviations. Monitoring is needed to make sure that the right things are done and are in line with the set directions and policies.

Control over the IT process of
Monitor and evaluate IT performance

that satisfies the business requirement for IT of
transparency and understanding of IT cost, benefits, strategy, policies and service levels in accordance with governance requirements

by focusing on
monitoring and reporting process metrics and identifying and implementing performance improvement actions

is achieved by

• Collating and translating process performance reports into management reports
• Reviewing performance against agreed-upon targets and initiating necessary remedial action

and is measured by

• Satisfaction of management and the governance entity with the performance reporting
• Number of improvement actions driven by monitoring activities
• Percent of critical processes monitored

Control objectives:

ME1 Monitor and Evaluate IT Performance

ME1.1 Monitoring Approach
ME1.2 Definition and Collection of Monitoring Data
ME1.3 Monitoring Method
ME1.4 Performance Assessment
ME1.5 Board and Executive Reporting
ME1.6 Remedial Actions

Check out the links for details on the control objectives.

No related posts.

Post from: IT Governance - COBIT AND ITIL

ME1 Monitor and Evaluate IT Performance

CobiT definition:

Complete and accurate processing of data requires effective management of data processing procedures and diligent maintenance of hardware. This process includes defining operating policies and procedures for effective management of scheduled processing, protecting sensitive output, monitoring infrastructure performance and ensuring preventive maintenance of hardware. Effective operations management helps maintain data integrity and reduces business delays and IT operating costs.

Control over the IT process of
Manage operations

that satisfies the business requirement for IT of
maintaining data integrity and ensuring that IT infrastructure can resist and recover from errors and failures

by focusing on
meeting operational service levels for scheduled data processing, protecting sensitive output, and monitoring and maintaining infrastructure

is achieved by

• Operating the IT environment in line with agreed-upon service levels and defined instructions
• Maintaining the IT infrastructure

and is measured by

• Number of service levels impacted by operational incidents
• Hours of unplanned downtime caused by operational incidents
• Percent of hardware assets included in preventive maintenance schedules

Control objectives:

DS13 Manage Operations

DS13.1 Operations Procedures and Instructions
DS13.2 Job Scheduling
DS13.3 IT Infrastructure Monitoring
DS13.4 Sensitive Documents and Output Devices
DS13.5 Preventive Maintenance for Hardware

Check out the links for details on the control objectives.

No related posts.

Post from: IT Governance - COBIT AND ITIL

DS13 Manage Operations

CobiT definition:

Protection for computer equipment and personnel requires well-designed and well-managed physical facilities. The process of managing the physical environment includes defining the physical site requirements, selecting appropriate facilities, and designing effective processes for monitoring environmental factors and managing physical access. Effective management of the physical environment reduces business interruptions from damage to computer equipment and personnel.

Control over the IT process of
Manage the physical environment

that satisfies the business requirement for IT of
protecting computer assets and business data and minimising the risk of business disruption

by focusing on
providing and maintaining a suitable physical environment to protect IT assets from access, damage or theft

is achieved by

• Implementing physical security measures
• Selecting and managing facilities

and is measured by

• Amount of downtime arising from physical environment incidents
• Number of incidents due to physical security breaches or failures
• Frequency of physical risk assessment and reviews

Control objectives:

DS12 Manage the Physical Environment

DS12.1 Site Selection and Layout
DS12.2 Physical Security Measures
DS12.3 Physical Access
DS12.4 Protection Against Environmental Factors
DS12.5 Physical Facilities Management

Check out the links for details on the control objectives.

No related posts.

Post from: IT Governance - COBIT AND ITIL

DS12 Manage the Physical Environment

CobiT definition:

Effective data management requires identifying data requirements. The data management process also includes the establishment of effective procedures to manage the media library, backup and recovery of data, and proper disposal of media. Effective data management helps ensure the quality, timeliness and availability of business data.

Control over the IT process of
Manage data

that satisfies the business requirement for IT of
optimising the use of information and ensuring that information is available as required

by focusing on
maintaining the completeness, accuracy, availability and protection of data

is achieved by

• Backing up data and testing restoration
• Managing onsite and offsite storage of data
• Securely disposing of data and equipment

and is measured by

• Percent of user satisfaction with availability of data
• Percent of successful data restorations
• Number of incidents where sensitive data were retrieved after media were disposed

Control objectives:

DS11 Manage Data

DS11.1 Business Requirements for Data Management
DS11.2 Storage and Retention Arrangements
DS11.3 Media Library Management System
DS11.4 Disposal
DS11.5 Backup and Restoration
DS11.6 Security Requirements for Data Management

Check out the links for details on the control objectives.

No related posts.

Post from: IT Governance - COBIT AND ITIL

DS11 Manage Data

CobiT definition:

Effective problem management requires the identification and classification of problems, root cause analysis and resolution of problems. The problem management process also includes the formulation of recommendations for improvement, maintenance of problem records and review of the status of corrective actions. An effective problem management process maximises system availability, improves service levels, reduces costs, and improves customer convenience and satisfaction.

Control over the IT process of
Manage problems

that satisfies the business requirement for IT of
ensuring end users’ satisfaction with service offerings and service levels, and reducing solution and service delivery defects and rework

by focusing on
recording, tracking and resolving operational problems; investigating the root cause of all significant problems; and defining solutions for identified operations problems

is achieved by

• Performing root cause analysis of reported problems
• Analysing trends
• Taking ownership of problems and progressing problem resolution

and is measured by

• Number of recurring problems with an impact on the business
• Percent of problems resolved within the required time period
• Frequency of reports or updates to an ongoing problem, based on the problem severity

Control objectives:

DS10 Manage Problems

DS10.1 Identification and Classification of Problems
DS10.2 Problem Tracking and Resolution
DS10.3 Problem Closure
DS10.4 Integration of Configuration, Incident and Problem Management

Check out the links for details on the control objectives.

No related posts.

Post from: IT Governance - COBIT AND ITIL

DS10 Manage Problems