CobiT definition:

Define an IT process framework to execute the IT strategic plan. This framework should include an IT process structure and relationships (e.g., to manage process gaps and overlaps), ownership, maturity, performance measurement, improvement, compliance, quality targets and plans to achieve them. It should provide integration amongst the processes that are specific to IT, enterprise portfolio management, business processes and business change processes. The IT process framework should be integrated into a quality management system (QMS) and the internal control framework.

Bill says,

First of all, for those of you subscribed and reading in a reader, I apologize for the rash of posts yesterday – I decided it would be easier for me to keep these updates coming if I fleshed out the entire CobiT framework first so that now all I need to focus on is the content and updating the links in the tables of contents. So I think that meant I posted 25 or so posts yesterday. Certainly not the norm!

Speaking of frameworks, this control objective talks about establishing an IT Process Framework. Now I don’t take this to mean overall IT governance, that is something not addressed until we get to the Monitor and Evaluate domain. But I do feel as though this is related. The very first thing that we did in CobiT is to define our Strategic IT Plan and this control objective is all about establishing the rules for how you will ensure adherence to that strategic plan. A plan is useless unless followed!

In the definition it refers to an internal control framework and to be honest that is something I struggle with because rather than that being something different I see the process framework as basically the same thing. But remember, I am coming from a small organization so I do tend to see things differently as I prefer to lump many of these control objectives together where it makes sense.

Here is the bottom line for me – what you need is some sort of plan for how you will keep your people and your processes aligned to your strategic plan. There needs to be some gating mechanisms and some methods for reporting and analyzing results. The key is that this is something that just needs to be included in everyone’s daily work, not some thing you whip out when reviewing your strategic plan with the Board.

The first step in Defining the IT Processes, Organization and Relationships is to define a solid IT Process Framework.

Related posts:

1. PO4 Define the IT Processes, Organisation and Relationships CobiT definition: An IT organisation is defined by considering requirements for staff, skills, functions, accountability, authority, roles and responsibilities, and...
2. PO3.5 IT Architecture Board CobiT definition: Establish an IT architecture board to provide architecture guidelines and advice on their application, and to verify compliance....
3. ME2 Monitor and Evaluate Internal Control CobiT definition: Establishing an effective internal control programme for IT requires a well-defined monitoring process. This process includes the monitoring...

CobiT definition:

Establishing an effective governance framework includes defining organisational structures, processes, leadership, roles and responsibilities to ensure that enterprise IT investments are aligned and delivered in accordance with enterprise strategies and objectives.

Control over the IT process of
Provide IT governance

that satisfies the business requirement for IT of
integrating IT governance with corporate governance objectives and complying with laws, regulations and contracts

by focusing on
preparing board reports on IT strategy, performance and risks, and responding to governance requirements in line with board directions

is achieved by

• Establishing an IT governance framework integrated into corporate governance
• Obtaining independent assurance over the IT governance status

and is measured by

• Frequency of board reporting on IT to stakeholders (including maturity)
• Frequency of reporting from IT to the board (including maturity)
• Frequency of independent reviews of IT compliance

Control objectives:

ME4 Provide IT Governance

ME4.1 Establishment of an IT Governance Framework
ME4.2 Strategic Alignment
ME4.3 Value Delivery
ME4.4 Resource Management
ME4.5 Risk Management
ME4.6 Performance Measurement
ME4.7 Independent Assurance

Check out the links for details on the control objectives.

Related posts:

1. ME2 Monitor and Evaluate Internal Control CobiT definition: Establishing an effective internal control programme for IT requires a well-defined monitoring process. This process includes the monitoring...
2. AI6 Manage Changes CobiT definition: All changes, including emergency maintenance and patches, relating to infrastructure and applications within the production environment are formally...
3. ME1 Monitor and Evaluate IT Performance CobiT definition: Effective IT performance management requires a monitoring process. This process includes defining relevant performance indicators, systematic and timely...

CobiT definition:

Effective oversight of compliance requires the establishment of a review process to ensure compliance with laws, regulations and contractual requirements. This process includes identifying compliance requirements, optimising and evaluating the response, obtaining assurance that the requirements have been complied with and, finally, integrating IT’s compliance reporting with the rest of the business.

Control over the IT process of
Ensure compliance with external requirements

that satisfies the business requirement for IT of
ensuring compliance with laws, regulations and contractual requirements

by focusing on
identifying all applicable laws, regulations and contracts and the corresponding level of IT compliance and optimising IT processes to reduce the risk of non-compliance

is achieved by

• Identifying legal, regulatory and contractual requirements related to IT
• Assessing the impact of compliance requirements
• Monitoring and reporting on compliance with these requirements

and is measured by

• Cost of IT non-compliance, including settlements and fines
• Average time lag between identification of external compliance issues and resolution
• Frequency of compliance reviews

Control objectives:

ME3 Ensure Compliance With External Requirements

ME3.1 Identification of External Legal, Regulatory and Contractual Compliance Requirements
ME3.2 Optimisation of Response to External Requirements
ME3.3 Evaluation of Compliance With External Requirements
ME3.4 Positive Assurance of Compliance
ME3.5 Integrated Reporting

Check out the links for details on the control objectives.

Related posts:

1. ME2 Monitor and Evaluate Internal Control CobiT definition: Establishing an effective internal control programme for IT requires a well-defined monitoring process. This process includes the monitoring...
2. DS3 Manage Performance and Capacity CobiT definition: The need to manage performance and capacity of IT resources requires a process to periodically review current performance...
3. DS7 Educate and Train Users CobiT definition: Effective education of all users of IT systems, including those within IT, requires identifying the training needs of...

CobiT definition:

Establishing an effective internal control programme for IT requires a well-defined monitoring process. This process includes the monitoring and reporting of control exceptions, results of self-assessments and third-party reviews. A key benefit of internal control monitoring is to provide assurance regarding effective and efficient operations and compliance with applicable laws and regulations.

Control over the IT process of
Monitor and evaluate internal control

that satisfies the business requirement for IT of
protecting the achievement of IT objectives and complying with IT-related laws, regulations and contracts

by focusing on
monitoring the internal control processes for IT-related activities and identifying improvement actions

is achieved by

• Defining a system of internal controls embedded in the IT process framework
• Monitoring and reporting on the effectiveness of the internal controls over IT
• Reporting control exceptions to management for action

and is measured by

• Number of major internal control breaches
• Number of control improvement initiatives
• Number and coverage of control self-assessments

Control objectives:

ME2 Monitor and Evaluate Internal Control

ME2.1 Monitoring of Internal Control Framework
ME2.2 Supervisory Review
ME2.3 Control Exceptions
ME2.4 Control Self-assessment
ME2.5 Assurance of Internal Control
ME2.6 Internal Control at Third Parties
ME2.7 Remedial Actions

Check out the links for details on the control objectives.

Related posts:

1. ME1 Monitor and Evaluate IT Performance CobiT definition: Effective IT performance management requires a monitoring process. This process includes defining relevant performance indicators, systematic and timely...
2. CobiT Domain – Monitor and Evaluate The fourth domain in CobiT is Monitor and Evaluate (ME). It is made up of 4 processes and 25 control...
3. DS1 Define and Manage Service Levels CobiT definition: Effective communication between IT management and business customers regarding services required is enabled by a documented definition of...

CobiT definition:

Effective IT performance management requires a monitoring process. This process includes defining relevant performance indicators, systematic and timely reporting of performance, and prompt acting upon deviations. Monitoring is needed to make sure that the right things are done and are in line with the set directions and policies.

Control over the IT process of
Monitor and evaluate IT performance

that satisfies the business requirement for IT of
transparency and understanding of IT cost, benefits, strategy, policies and service levels in accordance with governance requirements

by focusing on
monitoring and reporting process metrics and identifying and implementing performance improvement actions

is achieved by

• Collating and translating process performance reports into management reports
• Reviewing performance against agreed-upon targets and initiating necessary remedial action

and is measured by

• Satisfaction of management and the governance entity with the performance reporting
• Number of improvement actions driven by monitoring activities
• Percent of critical processes monitored

Control objectives:

ME1 Monitor and Evaluate IT Performance

ME1.1 Monitoring Approach
ME1.2 Definition and Collection of Monitoring Data
ME1.3 Monitoring Method
ME1.4 Performance Assessment
ME1.5 Board and Executive Reporting
ME1.6 Remedial Actions

Check out the links for details on the control objectives.

Related posts:

1. ME2 Monitor and Evaluate Internal Control CobiT definition: Establishing an effective internal control programme for IT requires a well-defined monitoring process. This process includes the monitoring...
2. CobiT Domain – Monitor and Evaluate The fourth domain in CobiT is Monitor and Evaluate (ME). It is made up of 4 processes and 25 control...
3. DS3 Manage Performance and Capacity CobiT definition: The need to manage performance and capacity of IT resources requires a process to periodically review current performance...

CobiT definition:

Complete and accurate processing of data requires effective management of data processing procedures and diligent maintenance of hardware. This process includes defining operating policies and procedures for effective management of scheduled processing, protecting sensitive output, monitoring infrastructure performance and ensuring preventive maintenance of hardware. Effective operations management helps maintain data integrity and reduces business delays and IT operating costs.

Control over the IT process of
Manage operations

that satisfies the business requirement for IT of
maintaining data integrity and ensuring that IT infrastructure can resist and recover from errors and failures

by focusing on
meeting operational service levels for scheduled data processing, protecting sensitive output, and monitoring and maintaining infrastructure

is achieved by

• Operating the IT environment in line with agreed-upon service levels and defined instructions
• Maintaining the IT infrastructure

and is measured by

• Number of service levels impacted by operational incidents
• Hours of unplanned downtime caused by operational incidents
• Percent of hardware assets included in preventive maintenance schedules

Control objectives:

DS13 Manage Operations

DS13.1 Operations Procedures and Instructions
DS13.2 Job Scheduling
DS13.3 IT Infrastructure Monitoring
DS13.4 Sensitive Documents and Output Devices
DS13.5 Preventive Maintenance for Hardware

Check out the links for details on the control objectives.

Related posts:

1. DS5 Ensure Systems Security CobiT definition: The need to maintain the integrity of information and protect IT assets requires a security management process. This...
2. DS1 Define and Manage Service Levels CobiT definition: Effective communication between IT management and business customers regarding services required is enabled by a documented definition of...
3. DS9 Manage the Configuration CobiT definition: Ensuring the integrity of hardware and software configurations requires the establishment and maintenance of an accurate and complete...

CobiT definition:

Protection for computer equipment and personnel requires well-designed and well-managed physical facilities. The process of managing the physical environment includes defining the physical site requirements, selecting appropriate facilities, and designing effective processes for monitoring environmental factors and managing physical access. Effective management of the physical environment reduces business interruptions from damage to computer equipment and personnel.

Control over the IT process of
Manage the physical environment

that satisfies the business requirement for IT of
protecting computer assets and business data and minimising the risk of business disruption

by focusing on
providing and maintaining a suitable physical environment to protect IT assets from access, damage or theft

is achieved by

• Implementing physical security measures
• Selecting and managing facilities

and is measured by

• Amount of downtime arising from physical environment incidents
• Number of incidents due to physical security breaches or failures
• Frequency of physical risk assessment and reviews

Control objectives:

DS12 Manage the Physical Environment

DS12.1 Site Selection and Layout
DS12.2 Physical Security Measures
DS12.3 Physical Access
DS12.4 Protection Against Environmental Factors
DS12.5 Physical Facilities Management

Check out the links for details on the control objectives.

Related posts:

1. DS5 Ensure Systems Security CobiT definition: The need to maintain the integrity of information and protect IT assets requires a security management process. This...
2. DS11 Manage Data CobiT definition: Effective data management requires identifying data requirements. The data management process also includes the establishment of effective procedures...
3. DS8 Manage Service Desk and Incidents CobiT definition: Timely and effective response to IT user queries and problems requires a well-designed and well-executed service desk and...

CobiT definition:

Effective data management requires identifying data requirements. The data management process also includes the establishment of effective procedures to manage the media library, backup and recovery of data, and proper disposal of media. Effective data management helps ensure the quality, timeliness and availability of business data.

Control over the IT process of
Manage data

that satisfies the business requirement for IT of
optimising the use of information and ensuring that information is available as required

by focusing on
maintaining the completeness, accuracy, availability and protection of data

is achieved by

• Backing up data and testing restoration
• Managing onsite and offsite storage of data
• Securely disposing of data and equipment

and is measured by

• Percent of user satisfaction with availability of data
• Percent of successful data restorations
• Number of incidents where sensitive data were retrieved after media were disposed

Control objectives:

DS11 Manage Data

DS11.1 Business Requirements for Data Management
DS11.2 Storage and Retention Arrangements
DS11.3 Media Library Management System
DS11.4 Disposal
DS11.5 Backup and Restoration
DS11.6 Security Requirements for Data Management

Check out the links for details on the control objectives.

Related posts:

1. DS3 Manage Performance and Capacity CobiT definition: The need to manage performance and capacity of IT resources requires a process to periodically review current performance...
2. DS4 Ensure Continuous Service CobiT definition: The need for providing continuous IT services requires developing, maintaining and testing IT continuity plans, utilising offsite backup...
3. DS9 Manage the Configuration CobiT definition: Ensuring the integrity of hardware and software configurations requires the establishment and maintenance of an accurate and complete...

CobiT definition:

Effective problem management requires the identification and classification of problems, root cause analysis and resolution of problems. The problem management process also includes the formulation of recommendations for improvement, maintenance of problem records and review of the status of corrective actions. An effective problem management process maximises system availability, improves service levels, reduces costs, and improves customer convenience and satisfaction.

Control over the IT process of
Manage problems

that satisfies the business requirement for IT of
ensuring end users’ satisfaction with service offerings and service levels, and reducing solution and service delivery defects and rework

by focusing on
recording, tracking and resolving operational problems; investigating the root cause of all significant problems; and defining solutions for identified operations problems

is achieved by

• Performing root cause analysis of reported problems
• Analysing trends
• Taking ownership of problems and progressing problem resolution

and is measured by

• Number of recurring problems with an impact on the business
• Percent of problems resolved within the required time period
• Frequency of reports or updates to an ongoing problem, based on the problem severity

Control objectives:

DS10 Manage Problems

DS10.1 Identification and Classification of Problems
DS10.2 Problem Tracking and Resolution
DS10.3 Problem Closure
DS10.4 Integration of Configuration, Incident and Problem Management

Check out the links for details on the control objectives.

Related posts:

1. DS8 Manage Service Desk and Incidents CobiT definition: Timely and effective response to IT user queries and problems requires a well-designed and well-executed service desk and...
2. DS1 Define and Manage Service Levels CobiT definition: Effective communication between IT management and business customers regarding services required is enabled by a documented definition of...
3. DS2 Manage Third-party Services CobiT definition: The need to assure that services provided by third parties (suppliers, vendors and partners) meet business requirements requires...

CobiT definition:

Ensuring the integrity of hardware and software configurations requires the establishment and maintenance of an accurate and complete configuration repository. This process includes collecting initial configuration information, establishing baselines, verifying and auditing configuration information, and updating the configuration repository as needed. Effective configuration management facilitates greater system availability, minimises production issues and resolves issues more quickly.

Control over the IT process of
Manage the configuration

that satisfies the business requirement for IT of
optimising the IT infrastructure, resources and capabilities, and accounting for IT assets

by focusing on
establishing and maintaining an accurate and complete repository of asset configuration attributes and baselines, and comparing them against actual asset configuration

is achieved by

• Establishing a central repository of all configuration items
• Identifying configuration items and maintaining them
• Reviewing integrity of configuration data

and is measured by

• Number of business compliance issues caused by improper configuration of assets
• Number of deviations identified between the configuration repository and actual asset configurations
• Percent of licences purchased and not accounted for in the repository

Control objectives:

DS9 Manage the Configuration

DS9.1 Configuration Repository and Baseline
DS9.2 Identification and Maintenance of Configuration Items
DS9.3 Configuration Integrity Review

Check out the links for details on the control objectives.

Related posts:

1. DS5 Ensure Systems Security CobiT definition: The need to maintain the integrity of information and protect IT assets requires a security management process. This...
2. DS6 Identify and Allocate Costs CobiT definition: The need for a fair and equitable system of allocating IT costs to the business requires accurate measurement...
3. AI6 Manage Changes CobiT definition: All changes, including emergency maintenance and patches, relating to infrastructure and applications within the production environment are formally...