
COBIT 5

Study online at quizlet.com/_2dx72a

1. Enterprise stakeholder needs:
- Maintain high quality information to support business decisions.
- Generate business value from IT.
- Achieve operational excellence through the reliable and efficient application of technology.
- Maintain an acceptable level of risk.
- Optimize the cost of IT.
- Ensure regulatory compliance.

2. COBIT drivers:
- More stakeholder involvement.
- Increasing dependency on third parties.
- Ever increasing volume of information.
- IT becoming an integral part of the business.

3. COBIT drivers (continued):
- A need for an end to end management and governance framework.
- Better control over user based IT solutions.
- Alignment with other guidance and integration of ISACA frameworks.

4. COBIT's benefits:
1. Starting point of governance and management activities.
2. Holistic, integrated and complete view of enterprise governance and management of IT.
3. Creates a common language between IT and the business.
4. IT consistent with generally accepted corporate governance standards.

5. COBIT initially in 3 volumes:
- Framework.
- Process reference guide.
- Implementation guide.

6. COBIT is based on: 5 principles and 7 enablers.

7. COBIT enabler guides:
- Enabling processes.
- Enabling information.
- Other enabler guides.

8. COBIT professional guides:
1. Implementation.
2. Information security.
3. Assurance.
4. Risk.
5. Other professional guides.

9. COBIT 5 principles:
1. Meet stakeholder needs.
2. Cover the enterprise end to end.
3. Apply a single integrated framework.
4. Enable a holistic approach.
5. Separate governance from management.

10. Principle 1 - Meeting stakeholder needs: Governance objective - value creation through:
- Benefit realization.
- Risk optimization.
- Resource optimization.

11. Every enterprise operates in a different context which is determined by:
1. External factors - market, industry, geopolitics, etc.
2. Internal factors - culture, organization, risk appetite, etc.

12. Stakeholder needs have to be transformed into: An actionable strategy.

13. Goals cascade is the mechanism to: Translate stakeholder needs into specific, actionable and customized:
- Enterprise goals.
- IT related goals.
- Enabler goals.

14. Goals cascade:
- Stakeholder drivers - environment, technology evolution, etc. - influence;
- Stakeholder needs of benefit realization, resource optimization and risk optimization;
- Which cascade to enterprise goals;
- These cascade to IT related goals - which consist of enterprise goals mapped to IT related goals;
- These cascade to enabler goals.

15. Stakeholder needs are influenced by a number of drivers:
1. Strategy changes.
2. Changing business and regulatory environment.
3. New technologies.

16. Enterprise goals: Business or Balanced Scorecard:
- Consists of BSC dimensions and enterprise goals.
- Relation to governance objective.

17. Balanced Scorecard (BSC) dimensions (mnemonic: CLIF):
- Customer (enterprise goals).
- Learning and growth (enterprise goals).
- Internal (enterprise goals).
- Financial (enterprise goals).

18. Relation to governance objectives (primary, secondary, N/A):
- Benefit realization.
- Risk optimization.
- Resource optimization.

19. IT related goals: IT BSC dimensions:
- Customer;
- Learning and growth;
- Internal;
- Financial.

20. Goals cascade step 1: Stakeholder drivers:
- Strategy changes.
- Changing business and regulatory environment.
- New technologies.
These influence stakeholders' needs.

21. Goals cascade step 2: Stakeholder needs cascade to enterprise goals.
- Stakeholder needs can be translated to a series of generic enterprise goals using the balanced scorecard dimensions.

22. Goals cascade step 3: Enterprise goals cascade to IT related goals.
- Achievement of enterprise goals requires a number of IT related goals.
- Structured along the dimensions of an IT balanced scorecard.
23. Goals cascade step 4: IT related goals cascade to enabler goals.
- Achieving IT related goals requires the successful application and use of enablers.
- Enablers include: processes, organizational structures and information.
- For each enabler a set of specific relevant goals can be defined.

24. Principle 2 - Covering the enterprise end to end: Addresses all
- Relevant internal and external IT services;
- Internal and external business processes.
Enablers are enterprise wide and end to end:
- Include everything and everyone;
- Internal and external IT services;
- Internal and external IT business processes.

25. Principle 2 - Covering the enterprise end to end: Information is a key enabler.
- Stakeholders define extensive and complete requirements for information.
- Connects the business and its need for adequate information with the IT function.

26. Governance enablers: Organizational resources:
1. Frameworks.
2. Principles.
3. Structures.
4. Processes and practices.

27. Governance enablers: Enterprise resources:
1. Service capabilities.
2. People.
3. Information.
Can be applied to:
1. The entire enterprise.
2. An entity.
3. A tangible or intangible asset.

28. Principle 3: Applying a single integrated framework.
- Aligns with the latest relevant standards.

29. Principle 4: Enabling a holistic approach.
- A set of enablers to support the implementation of governance.

30. COBIT 5 enablers:
1. Principles, policies and frameworks.
2. Processes.
3. Organizational structures.
4. Culture, ethics and behavior.
5. Information.
6. Services, infrastructure and applications.
7. People, skills and competencies.

31. Principles, policies and frameworks: The vehicle to translate desired behavior into practical guidance for day to day management.

32. Processes: An organized set of practices and activities to achieve certain objectives.

33. Organizational structures: The key decision making entities in an enterprise.

34. Culture, ethics and behavior: An often underestimated success factor in governance and management activities.

35. Information: All information produced and used by the enterprise.

36. Services, infrastructure and applications: The infrastructure, technology and applications that provide the enterprise with information technology.

37. People, skills and competencies: Required for successful completion of all activities and for making correct decisions or taking corrective actions.

38. Each enabler needs the input of: Other enablers, to fully and effectively deliver output to the benefit of other enablers.

39. Principle 5: Separating governance from management.

40. Governance and management: Encompass different types of activities:
1. Require different organizational structures.
2. Serve different purposes.

41. Governance:
- Responsibility of the board of directors under the leadership of the chairperson.
- Ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; sets direction through prioritization and decision making; and monitors performance and compliance against agreed-on direction and objectives.

42. Management:
- Responsibility of executive management under the leadership of the CEO.
- Plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives.

43. Role of governance: EDM
- Evaluate.
- Direct.
- Monitor.

44. Role of management: PBRM
- Plan, APO: 13 processes.
- Build, BAI: 10 processes.
- Run, DSS: 6 processes.
- Monitor, MEA: 3 processes.

45. Order of governance and management: E D P B R M M
- Evaluate;
- Direct;
- Plan;
- Build;
- Run;
- Monitor (management);
- Monitor (governance).
46. Governance - EDM, has 5 processes:
EDM01 Ensure Governance Framework Setting and Maintenance;
EDM02 Ensure Benefits Delivery;
EDM03 Ensure Risk Optimisation;
EDM04 Ensure Resource Optimisation;
EDM05 Ensure Stakeholder Transparency.

47. Management. Align, Plan and Organise - APO, has 13 processes:
APO01 Manage the IT Management Framework;
APO02 Manage Strategy;
APO03 Manage Enterprise Architecture;
APO04 Manage Innovation;
APO05 Manage Portfolio;
APO06 Manage Budget and Costs;
APO07 Manage Human Resources;
APO08 Manage Relationships;
APO09 Manage Service Agreements;
APO10 Manage Suppliers;
APO11 Manage Quality;
APO12 Manage Risk;
APO13 Manage Security.

48. Management. Build, Acquire and Implement - BAI, has 10 processes:
BAI01 Manage Programmes and Projects;
BAI02 Manage Requirements Definition;
BAI03 Manage Solutions Identification and Build;
BAI04 Manage Availability and Capacity;
BAI05 Manage Organisational Change Enablement;
BAI06 Manage Changes;
BAI07 Manage Change Acceptance and Transitioning;
BAI08 Manage Knowledge;
BAI09 Manage Assets;
BAI10 Manage Configuration.

49. Management. Deliver, Service and Support - DSS, has 6 processes:
DSS01 Manage Operations;
DSS02 Manage Service Requests and Incidents;
DSS03 Manage Problems;
DSS04 Manage Continuity;
DSS05 Manage Security Services;
DSS06 Manage Business Process Controls.

50. Management. Monitor, Evaluate and Assess - MEA, has 3 processes:
MEA01 Monitor, Evaluate and Assess Performance and Conformance;
MEA02 Monitor, Evaluate and Assess the System of Internal Control;
MEA03 Monitor, Evaluate and Assess Compliance with External Requirements.

51. COBIT enabler 1: Principles, policies and frameworks.
a. Communicate the rules of the enterprise, supporting governance objectives and enterprise values;
b. Principles express the organization's core values;
c. Policies give detailed guidance;
d. Frameworks provide a structure to define consistent guidance.

52. Principle: An enabler of governance and management comprised of the values and fundamental assumptions of the enterprise, beliefs that guide and set boundaries for decision making and communication within and outside of the enterprise.

53. Policies: Overall intention and direction as formally expressed by management.

54. Framework: Provides management with structure, guidance, tools, etc. that allow proper governance of IT.

55. A policy must be...: Effective.
- Achieves the stated purpose.

56. A policy must be...: Non-intrusive.
- Appears logical and does not create unnecessary resistance by those who must comply with it.

57. Policy frameworks: Provide a consistent view of policies, navigation to and between policies, and a structure for policy maintenance.

58. Policy lifecycle:
- Create;
- Review;
- Amend;
- Dispose.

59. Policies should be:
- A part of an overall governance and management structure;
- Aligned to the organization's risk appetite;
- Re-validated and updated on a regular basis.

60. Policies require statements of:
- Scope and validity;
- Consequences of non-compliance;
- Means of handling exceptions;
- Means by which compliance is monitored.

61. Policies' relationship with other enablers:
- Processes are the most important vehicle for executing policies;
- Organizational structures can define and implement policies;
- Policies are a part of information.

62. COBIT enabler 2: Processes.
- A collection of practices influenced by the enterprise's policies and procedures that takes inputs and produces outputs, e.g. products or services.

63. Processes are...:
- Defined;
- Created;
- Operated;
- Monitored;
- Adjusted/updated;
- Retired.

64. Process stakeholders: Can be internal or external; their responsibilities are defined in a RACI chart for each process.
65. Process goals: Are the base of the goals cascade.

66. Enabling process: Practices, broken down into activities, broken down into detailed activities.

67. Practices:
- Statements of actions to deliver benefits, optimize the level of risk and optimize the use of resources.
- Aligned with accepted standards.
- Generic enough for adaptation by each enterprise; applicable to business and IT.
- Organizations should tune practices according to their needs.

68. Activities:
- Describe a set of necessary and sufficient action oriented implementation steps to achieve a governance or management practice.
- Have clear roles and responsibilities.

69. Process performance management: Metrics should be SMART.
- Specific;
- Measurable;
- Actionable;
- Relevant;
- Timely.

70. Process goal categories:
- Intrinsic goals: fit for purpose;
- Contextual goals: fit for use;
- Accessibility and security goals: communicated and controlled.

71. Enabler 3: Organizational structures.
- Good practices and escalation.

72. Enabler 4: Culture, ethics and behavior. Relates to how well the following are achieved:
- Organizational ethics dictated by the enterprise;
- Individual ethics.

73. Enabler 5: Information. Stakeholders for information can be formalized into role types, based on the reason for their interest in the information, such as architect, owner, consumer, producer, etc.

74. Goals: Goals relate to how well the following are achieved (see 75 to 78).

75. Goals for information quality: Seven criteria for information quality:
1. Effectiveness;
2. Efficiency;
3. Integrity;
4. Reliability;
5. Availability;
6. Confidentiality;
7. Compliance.

76. Information - intrinsic quality: The extent to which data values conform to actual true values, in terms of accuracy, objectivity, believability and reputation.

77. Information - contextual and representational quality: The extent to which information is applicable to the task of the information user, including relevancy, completeness, currency, appropriate amount of information, concise representation, interpretability, understandability and ease of manipulation.

78. Information - security/accessibility quality: The extent to which information is available or obtainable, which includes availability/timeliness and restricted access.

79. The information life cycle: Business processes/IT processes:
- Generate and process data;
- Data is transformed into information;
- Information is transformed into knowledge;
- Knowledge creates value;
- Value drives business processes/IT processes.

80. Full life cycle of information as described in COBIT:
- Plan;
- Design;
- Build/acquire;
- Use/operate;
- Monitor;
- Dispose.

81. Proposed structure of information properties: A six layer model of information properties and their attributes.
1. Physical world - information carrier or media;
2. Empiric - attribute that identifies the information access channel (e.g. user interface);
3. Syntactic - code/language: representational format or language used to encode information;

82. Proposed structure of information properties (continued):
4. Semantic - information type (e.g. financial); currency (past, present, future); level (degree of detail).
5. Pragmatic - retention period; status (operational or archived); novelty (new, current, old); contingency.
6. Social world - context in which information makes sense, is used and has value.

83. Possible uses of the information model:
- Information specification;
- Determine required protection;
- Determine ease of data use.

84. Information's relationship to other enablers:
- Processes need information.
- Organizational structures identify decision-making.
- Policies and skills definitions are information sources.
- Information is a service capability used in the delivery of services.

85. Enabler 6: Services, infrastructure and applications. Are important to:
- Stakeholders - service capabilities;
- Goals - level of service;
- Life cycle (ITIL).

86. Architectural principles to guide the implementation and use of enterprise resources:
- Re-use;
- Buy versus build;
- Simplicity;
- Agility;
- Openness.
87. Services' relationship with other enablers:
- Service capabilities are leveraged through processes;
- Cultural and behavioral aspects are relevant when building service oriented cultures;
- Information is one of the service capabilities.

88. Enabler 7: People, skills and competencies.
- Stakeholders: internal or external;
- Goals relate to education, qualifications, expertise, experience and knowledge;
- Life cycle of skills and competencies;
- Good practice: defining the objective skill requirements for each role.

89. APO skill categories (13 processes) relate to:
- IT policy formulation;
- IT strategy;
- Enterprise architecture;
- Innovation;
- Financial management;
- Portfolio management.

90. BAI skill categories (10 processes) relate to:
- Business analysis;
- Project management;
- Usability evaluation;
- Requirements definition and management;
- Programming;
- System ergonomics;
- Software decommissioning;
- Capacity management.

91. DSS skill categories (6 processes) relate to:
- Availability management;
- Problem management;
- Service desk and incident management;
- Security administration;
- IT operations;
- Database administration.

92. MEA skill categories (3 processes) relate to:
- Compliance review;
- Performance monitoring;
- Controls audit.

93. People, skills and competencies' relationship with other enablers:
- Required to perform processes;
- Individual behaviors influence competencies;
- Skills definitions are also information.

94. COBIT implementation life cycle:
- Creating a business case;
- Recognizing pain points and creating an appropriate environment for successful change;
- Leveraging COBIT to identify gaps and guide the development of the enablers;
- Addressing any specific challenges, such as the enterprise context of change.

95. Enterprise context (internal and external factors):
- Ethics and culture;
- Applicable laws;
- Mission, vision and values;
- Governance policies and practices;
- Business plans and strategic intentions;
- Operating model;
- Management style;
- Risk appetite;
- Capabilities and available resources;
- Industry practices.

96. Implementation life cycle - 7 phases, three rings:
- Programme management: outer ring, quality and cost;
- Change enablement: middle ring, addressing behavioral and cultural aspects;
- Continual improvement cycle: inner ring, recognizing that this is not a one-off project.

97. Generic heading for each phase:
1. What are the drivers?
2. Where are we now?
3. Where do we want to be?
4. What needs to be done?
5. How do we get there?
6. Did we get there?
7. How do we keep the momentum going?

98. Programme management phases (outer ring):
1. Initiate programme;
2. Define problems and opportunities;
3. Define road map;
4. Plan programme;
5. Execute plan;
6. Realise benefits;
7. Review effectiveness.

99. Change enablement phases (middle ring):
1. Establish desire to change;
2. Form implementation team;
3. Communicate outcome;
4. Identify role players;
5. Operate and use;
6. Embed new approaches;
7. Sustain.

100. Continual improvement phases (inner ring):
1. Recognise need to act;
2. Assess current state;
3. Define target state;
4. Build improvements;
5. Implement improvements;
6. Operate and measure;
7. Monitor and evaluate.

101. PM: Programme Management.
- The implementation life cycle's outer ring.

102. CE: Change Enablement.
- The implementation life cycle's middle ring.
103. CSI: Continual Service Improvement, also known as CI, Continual Improvement.
- The implementation life cycle's inner ring.

104. Phase 1: What are the drivers?
1. PM - Initiate the programme.
2. CE - Establish the desire to change.
3. CSI - Recognise the need to act.

105. "What are the drivers?" includes...: The identification of pain points and triggers.

106. Pain points and trigger events: Are typical factors that may indicate a need for improved governance and management of enterprise IT.
- They ensure the business case relates to everyday issues that are being experienced.
- Normally produce buy-in and create a sense of urgency.

107. Typical pain points:
1. Failed IT initiatives.
2. Rising costs.
3. Perception of low business value of IT investments.
4. Significant incidents related to IT risk.
5. Service delivery problems.
6. Failure to meet regulatory or contractual requirements.
7. Audit findings for poor IT performance, etc.

108. Trigger events:
1. Mergers, acquisitions.
2. Shift in the market.
3. Change in business operating model.
4. New regulatory compliance requirements, etc.

109. Phase 2: Where are we now?
1. PM - Define the problems and opportunities.
2. CE - Form the implementation team.
3. CSI - Assess the current state.

110. Phase 2 breakdown - PM: Define the problems and opportunities.
a. Understand the pain points;
b. Take advantage of trigger events that provide an opportunity for improvement;
c. Define the scope of the improvement initiative or implementation - don't do too much at once.

111. Phase 2 breakdown - CE: Form an implementation team.
a. Knowledge of the business environment;
b. Insight into influencing factors.

112. Phase 2 breakdown - CI: Assess the current state.
a. Identify the IT goals in respect of the enterprise goals - makes good use of the goals cascade;
b. Identify the most important processes;
c. Understand management's risk appetite;
d. Understand the maturity of existing governance;
e. Related processes.

113. Phase 3: Where do we want to be?
1. PM - Define the road map.
2. CE - Communicate the outcome.
3. CSI - Define the target state.

114. Phase 3 breakdown:
1. Once the target state is set, a gap analysis can be carried out.
2. Potential solutions are identified.
3. Develop a communication strategy for the stakeholders; set the tone.

115. Phase 4: What needs to be done?
1. PM - Plan the programme.
2. CE - Identify role players.
3. CI - Build improvements.

116. Phase 4 breakdown:
1. Prioritize initiatives.
2. Empower role players.
3. Obtain buy-in from stakeholders.
4. Consider approach, deliverables, resources needed, costs, estimated timescales, project dependencies and risks.

117. Phase 5: How do we get there?
1. PM - Execute the plan.
2. CE - Operate and use.
3. CI - Implement improvements.

118. Phase 5 breakdown:
1. PM - Execute the projects according to an integrated programme plan.
2. PM - Provide regular update reports to stakeholders.
3. CE - Build on the momentum and credibility of quick wins.
4. CE - Define measures of success.
5. CI - Adapt best practices.

119. Phase 6: Did we get there?
1. PM - Realise the new benefits.
2. CE - Embed new approaches.
3. CI - Operate and measure.

120. Phase 6 breakdown:
1. The life cycle should be followed iteratively, building a sustainable approach to governance and management;
2. Embed new approaches: provide the transition from project mode to business as usual; monitor whether the new roles have been taken on.

121. Phase 7: How do we keep the momentum going?
1. PM - Review effectiveness: a review of the overall success of the initiative should take place.
2. CE - Sustain: further requirements may be identified.
3. CI - Monitor and evaluate: the need for continual improvement should be reinforced.

122. Process assessment: ISO/IEC 15504 identifies a process assessment as an activity that can be performed either as part of a process improvement initiative or as part of a capability determination approach.
- Process capability determination is used to identify the strengths, weaknesses and risks of selected processes.

123. COBIT Assessment Programme: Brings together COBIT and ISO/IEC 15504.

124. ISO/IEC 15504: Also known as SPICE; a reference model against which assessors can place the evidence that they collect during an assessment.

125. Maturity assessment: Carried out at the enterprise or organizational level; the output is a model of the maturity profile of an organization.
126. Capability assessment: Carried out at the process level for the purpose of process improvement; confirms that the process is actually achieving its purpose and delivering its outcomes.

127. Process reference model:
- A model composed of definitions of processes in a life cycle, described in terms of process purpose and outcomes.
- Represents all the IT processes normally found in an enterprise.
- Each enterprise must define its own process set.
- Provides the framework for measuring and monitoring IT performance.

128. Process purpose: High level measurable objectives of performing the process and the likely outcomes of effective implementation of the process.

129. Process outcomes (IT-related goals): An observable result of a process.

130. Base practices (management practices): The activities that, when consistently performed, contribute to achieving the specific process purpose.

131. Work product: Inputs and outputs.

132. Work product (continued): An artifact associated with the execution of a process.
- Defined in terms of process inputs and process outputs.

133. Process assessment model: A two dimensional (process and capability) model of process capability.
- Process dimension: processes are defined and classified into process categories.
- Capability dimension: a set of process attributes grouped into capability levels.

134. Scope of assessment defined by:
- Selected processes taken from the process reference model.
- Capability levels selected from the measurement framework.

135. Capability levels 0 and 1:
Level 0 - INCOMPLETE process: the process is not implemented or fails to achieve its purpose.
Level 1 - PERFORMED process: the process achieves its process purpose.

136. Capability level 2:
Level 2 - MANAGED process: the level 1 performed process is now implemented in a managed fashion (planned, monitored and adjusted) and its work products are appropriately established, controlled and maintained.

137. Capability level 3:
Level 3 - ESTABLISHED process: the level 2 managed process is now implemented using a defined process capable of achieving its process outcomes.

138. Capability levels 4 and 5:
Level 4 - PREDICTABLE process: the level 3 established process now operates within defined limits to achieve its process outcomes.
Level 5 - OPTIMIZING process: the level 4 predictable process is continuously improved to meet relevant current and projected business goals.

139. Process attributes - 9 attributes:
PA 1.1 - Process performance;
PA 2.1 - Performance management;
PA 2.2 - Work product management;
PA 3.1 - Process definition;
PA 3.2 - Process deployment;
PA 4.1 - Process measurement;
PA 4.2 - Process control;
PA 5.1 - Process innovation;
PA 5.2 - Process optimization.

140. Process attribute rating scale (percentage of achievement):
F - Fully achieved: > 85%.
L - Largely achieved: > 50% and <= 85%.
P - Partially achieved: > 15% and <= 50%.
N - Not achieved: <= 15%.

141. To pass a process capability assessment a process must...:
- To achieve a given process capability level, every attribute of that level must be rated L or F.
- To be able to move to the next capability level, every attribute of the current level must be rated F (fully achieved).

142. Consider where the organization wants to be: Consider how much value the IT processes have to the business and the level of risk if they are not fully mature.
If a process is not mature and the business depends on it, then there is an increased level of risk to the business.
If a process is very mature yet provides little to the business, then the organization may be over investing in the process.

143. Target process capabilities:
- A useful output of an organization's governance activities would be to set target process capability levels for each process, based on the level of capability needed to support the enterprise.
- Where the assessed level does not meet the target level, this indicates an area for improvement.

144. Benefits of the capability assessment approach:
1. Improved focus on the process being performed.
2. Improved reliability and repeatability.
3. Increased usability of the results.
4. Compliance with a generally accepted process assessment standard.
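The rating scale (card 140), the level-passing rules (card 141) and the target-versus-assessed comparison (card 143) together form a small decision procedure that assessors apply by hand. The Python below, an added example that is not part of the flashcard set and not ISACA's own assessment tooling, encodes that procedure and runs it over constructed attribute percentages for one process; the process name and the scores are assumed sample data.

```python
"""Capability-level determination for one process under the COBIT 5 /
ISO/IEC 15504 measurement framework.

Added example, not from the flashcard set or from ISACA. It encodes:
  - the rating scale: N <= 15 %, P > 15 and <= 50 %, L > 50 and <= 85 %, F > 85 %
  - the level rules: a level is reached when every attribute at that level
    is L or F and every attribute at the levels below it is F.
The sample scores below are constructed inputs, not real assessment data.
"""

from typing import Dict, List, Tuple

# Process attributes grouped by capability level, PA 1.1 .. PA 5.2.
LEVEL_ATTRIBUTES: Dict[int, List[str]] = {
    1: ["PA 1.1"],
    2: ["PA 2.1", "PA 2.2"],
    3: ["PA 3.1", "PA 3.2"],
    4: ["PA 4.1", "PA 4.2"],
    5: ["PA 5.1", "PA 5.2"],
}

LEVEL_NAMES = {0: "Incomplete", 1: "Performed", 2: "Managed",
               3: "Established", 4: "Predictable", 5: "Optimizing"}


def rate_attribute(percent: float) -> str:
    """Map an achievement percentage to N / P / L / F.

    Boundaries follow the scale exactly: 85 is still L, 50 is still P,
    15 is still N.
    """
    if not 0 <= percent <= 100:
        raise ValueError(f"percentage out of range: {percent}")
    if percent > 85:
        return "F"
    if percent > 50:
        return "L"
    if percent > 15:
        return "P"
    return "N"


def capability_level(scores: Dict[str, float]) -> Tuple[int, Dict[str, str]]:
    """Return (achieved capability level, rating of every attribute).

    An attribute with no recorded score is rated N, so a process is never
    credited with a level for which no evidence was collected.
    """
    ratings = {pa: rate_attribute(scores.get(pa, 0.0))
               for pas in LEVEL_ATTRIBUTES.values() for pa in pas}
    achieved = 0
    for level in sorted(LEVEL_ATTRIBUTES):
        current = [ratings[pa] for pa in LEVEL_ATTRIBUTES[level]]
        # Every attribute of this level must be L or F ...
        if not all(r in ("L", "F") for r in current):
            break
        # ... and every attribute of the lower levels must be F.
        lower = [ratings[pa] for lv in range(1, level) for pa in LEVEL_ATTRIBUTES[lv]]
        if not all(r == "F" for r in lower):
            break
        achieved = level
    return achieved, ratings


def gap_to_target(scores: Dict[str, float], target: int) -> List[Tuple[str, str, str]]:
    """List (attribute, current rating, required rating) for every attribute
    that still blocks the target level; empty when the target is met."""
    level, ratings = capability_level(scores)
    if level >= target:
        return []
    gaps = []
    for lv in range(1, target + 1):
        required = "F" if lv < target else "L"
        for pa in LEVEL_ATTRIBUTES[lv]:
            have = ratings[pa]
            ok = have == "F" if required == "F" else have in ("L", "F")
            if not ok:
                gaps.append((pa, have, required))
    return gaps


# Constructed sample: one security process assessed at two points in time.
SAMPLE_A = {"PA 1.1": 92, "PA 2.1": 70, "PA 2.2": 60, "PA 3.1": 30}
# Level 2 attributes are fully achieved, but PA 1.1 is only L, so the
# process cannot be credited with level 2 (lower levels must be F).
SAMPLE_B = {"PA 1.1": 80, "PA 2.1": 90, "PA 2.2": 90}

if __name__ == "__main__":
    for name, scores in (("DSS05 assessment A", SAMPLE_A), ("DSS05 assessment B", SAMPLE_B)):
        level, ratings = capability_level(scores)
        print(f"{name}: level {level} ({LEVEL_NAMES[level]}) {ratings}")
        print("  gaps to target level 3:", gap_to_target(scores, 3))
```

The gap list is the practical output: it names the attributes that must move, and to which rating, before the target level set under card 143 is met, which is exactly the "area for improvement" the assessment is meant to surface.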
