Wednesday, April 25, 2007
As I have delved more into CobiT I have become a believer in its use not only as an overall IT Control and Management framework but also as a management framework that can be used as guidance for a team within IT.
As CIO I will be accountable for the overall framework and so sections like setting IT Strategy will naturally fall to me. But one of my managers could just as well tweak those control objectives to be targeted specifically for her team - not for the benefit of the auditors but as a guide to help her manage her business more effectively. For example my network team will have certain control objectives that they are accountable for as part of the overall IT Governance framework. But they could have their own framework as well, substituting control objectives like “IT Strategy” with “Networking Team Strategy”, etc.
I’m really trying not to incorporate too much additional process but on the other hand we all need to improve in how we manage our own business and I think my managers can learn a lot by taking a more structured approach.
Tuesday, April 10, 2007
The next release of COBIT is 4.1 which is due out in early May. ISACA has posted a list of the changes from the current version, 4.0, here.
For those too lazy to click the link, here is the information:
- Enhanced executive overview
- Explanation of goals and metrics in the framework section
- Better definitions of the core concepts. It is important to mention that the definition of a control objective changed, shifting more toward a management practice statement.
- Improved control objectives resulting from updated control practices and Val IT development activity. Some control objectives were grouped and/or reworded to avoid overlaps and make the list of control objectives within a process more consistent. These changes resulted in the renumbering of the remaining control objectives. Some other control objectives were reworded to make them more action-oriented and consistent in wording. Specific revisions include:
  - AI5.5 and AI5.6 were combined with AI5.4
  - AI7.9, AI7.10 and AI7.11 were combined with AI7.8
  - ME3 was revised to include compliance with contractual requirements in addition to legal and regulatory requirements
- Application controls have been reworked to be more effective, based on work to support controls effectiveness assessment and reporting. This resulted in a list of six application controls replacing the 18 application controls in COBIT 4.0, with further detail provided in COBIT Control Practices, 2nd Edition.
- The list of business goals and IT goals in appendix I was improved, based on new insights obtained during validation research executed by the University of Antwerp Management School (Belgium).
- The pull-out has been expanded to provide a quick reference list of the COBIT processes, and the overview diagram depicting the domains has been revised to include reference to the process and application control elements of the COBIT framework.
- Improvements identified by COBIT users (COBIT 4.0 and COBIT Online) have been reviewed and incorporated as appropriate.
I’ve started my reading on COBIT because the changes don’t look that significant, but I would hold off on actually doing too much with it until 4.1 is released.
Saturday, April 7, 2007
At this point I am aware of two IT Governance frameworks, or methodologies, and the first on my list is COBIT.
ISACA defines COBIT as:
COBIT, issued by the IT Governance Institute and now in its fourth edition, is an internationally applicable and accepted IT governance and control framework for aligning IT with business objectives, delivering value and managing associated risks. It provides a reference framework for management, users, and IS audit, control and security practitioners. Its guidance enables an enterprise to implement effective governance over the IT that is pervasive and intrinsic throughout the enterprise.
COBIT helps provide answers to typical management questions:
- How far should we go in controlling IT, and is the cost justified by the benefit?
- What are the indicators of good performance?
- What are the key management practices to apply?
- What do others do?
- How do we measure and compare?
The best thing about COBIT is it is free! Anyone can download the complete framework publications from the primary website (linked in my sidebar) and have at them. This is a huge differentiator from ITIL, which seems to cost a fortune.
I’ll be spending the next few articles on COBIT.
Saturday, April 7, 2007
Wikipedia describes IT Governance as:
Information Technology Governance, IT Governance or ICT Governance, is a subset discipline of Corporate Governance focused on information technology systems and their performance and risk management. The rising interest in IT governance is partly due to compliance initiatives (e.g. Sarbanes-Oxley (USA) and Basel II (Europe)), as well as the acknowledgement that IT projects can easily get out of control and profoundly affect the performance of an organization.
Certainly in my case both of these reasons for interest in IT Governance ring true. As a small technology company looking to go public in a couple of years we realize that getting a handle on our SOX compliance now is an absolute must. We do a good job now managing projects but of course we can always improve. What I will be looking for are processes we can implement that don’t slow down the go-getter spirit we have established within our project teams. I am concerned about what too much governance overhead will do to us and will be trying to balance the needs carefully.
Friday, April 6, 2007
This website is about documenting my journey from IT Governance Neophyte to, hopefully, IT Governance Guru. I’ve got a long way to go! As a young CIO I’ve been able to succeed by hard work, grit, determination, luck, and a flat-out get-it-done-whatever-it-takes approach. Does this jibe with the stodgy old world of IT Governance? I really don’t know. That’s what I am here to find out.
Why are you here? I would guess for the very same reason I am. To learn about topics such as COBIT, ITIL and other governance frameworks as well as Sarbanes-Oxley and other compliance issues. So come along with me as we learn together, both of us on the path to enlightenment. To being an IT Governance guru.