PO3.4 Technology Standards

by Bill Oxley on April 12, 2009

CobiT definition:

To provide consistent, effective and secure technological solutions enterprisewide, establish a technology forum to provide technology guidelines, advice on infrastructure products and guidance on the selection of technology, and measure compliance with these standards and guidelines. This forum should direct technology standards and practices based on their business relevance, risks and compliance with external requirements.

Bill says,

This control objective has a number of different but important elements – in fact, if I had been drafting this governance framework I might well have separated what I see to be two major points being addressed here.

The guidance is to establish a forum for the purpose of establishing technology guidelines and providing advice, but then it goes on to say that this forum would also measure compliance with the standards and guidelines. I don’t mind this forum providing both advice and measuring compliance, but it just seems like the kind of thing that needs to be separate.

In any case, I’ll address them together. So, what is the number one question about this control objective? It would have to be, “what is a forum?” The next control objective talks about establishing a board, so then is a forum different than a board? One could imagine that a forum is simply an informal discussion group, but then that doesn’t align very well with the idea that the forum would also be measuring compliance – at least it doesn’t for me.

The advice clearly states that the forum should direct technology standards, but is that different than setting them? If in fact the technology standards forum is different than the architecture board, then it would seem perhaps that this approach is too “big company” for a lot of us. I for one can’t see having different groups advise and set standards, let alone measure compliance. We don’t have enough people!

Here is what I think is being said here and the difference between this and the next control objective, which is to form an IT Architecture Board. While the latter is meant to be focused on big-picture, general architecture design decisions (should we go to a meshed MPLS network, for example), the former is designed to address all levels of technology, including end user devices. Will we be supporting iPhones? What model laptops are we going with this quarter? And so on. In my case we do all of these discussions at the IT Architecture Board level because I don’t have enough staff to have multiple groups.

Remember, this is one man’s opinion. What’s yours? What do you think a forum is?

The fourth step in Determining the Technological Direction is Technology Standards.
