COBIT Focus Volume 4 2013 NLT 1013
In This Issue:
• What Does COBIT 5 Mean for Your Business?
• Using COBIT 5 for Risk Management
• COBIT and the CPA Firm
• COBIT 5: Enabling Information Update
• Information and Communications Technology Study of Public Health Institutions in Mexico
• Gain From Practical Guidance Based on COBIT 5
IT has always had to deal with risk factors such as cyberattacks, external hacking and disgruntled employees. New risk
factors are, however, driven by consumerization of IT—ranging from bring your own device (BYOD) to social media and
associated big data.
With these new unstructured external threats, the security perimeter is changing. COBIT 5 for Information Security offers
additional, security-specific guidance designed to help your IT department implement an effective framework and reduce risk
exposures.
COBIT 5 is not a panacea. It is not something to lift and use exactly as-is. Each enterprise needs to map it and mold it to the
business’s requirements, organizational structure and processes. The comprehensive scope of COBIT 5 guidance may
overwhelm new users and inhibit its adoption. Use of all available ISACA guidance and tools, as well as having key staff take
the COBIT 5 training available in the marketplace (COBIT Foundation, COBIT Implementation and COBIT Assessor courses),
is highly recommended.
COBIT 5 should be implemented to ensure that the organization has a road map that will allow it to address all of its IT
governance and risk issues. If the organization is already using some level of COBIT selectively within pockets of the
organization, the changes in COBIT 5 should be reviewed to identify where it can help address specific issues or
organizational changes. In addition, with COBIT 5 as a single enterprisewide IT GRC framework, the organization can
implement a comprehensive analytics solution that enables it to continuously measure and improve its governance status, risk
exposure, and overall compliance with policies and regulations. There will be no further need to reconcile multiple silos
through reports to assess the organization’s overall risk or compliance status.
COBIT 5 is an important milestone. Adopting it is a promising way to simplify the organization’s efforts to implement a
single organizationwide GRC framework. If the organization already has a mature GRC environment, it will quickly find that
COBIT 5 gives it a better handle on GEIT. If the organization is just starting, COBIT 5 gives it the formal road map it needs for
a fast-track approach.
Sagar Anisingaraju
Is the chief strategy officer at Saama Technologies Inc. Anisingaraju creates strategic initiatives to lead Saama into emerging
business areas with competitive differentiation. He enjoys his time spent with customers to understand their business
problems specifically related to big data. He was the winner of the 2013 Chief Strategy Officer of the Year award, presented
by Innovation Enterprise.
Endnotes
1 ISACA, COBIT 5, USA, 2012
2 ISACA, COBIT 5 Training and Accreditation FAQs
3 APM Group Ltd., ITIL
4 International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), ISO/IEC 27000, Information Security Management Systems (ISMS) standards
For an enterprise that is already using COBIT 5 as its framework for GEIT, COBIT 5 for Risk enables the enterprise to
leverage COBIT 5 when planning how to build and sustain a risk function and how to optimize risk and identify, analyze,
respond to and report on risk on a daily basis.
There are multiple drivers for risk management in the enterprise; they contribute to improving business outcomes, decision
making and overall strategy. Improving these areas is accomplished by providing stakeholders with substantiated and
consistent opinions on the current state of risk throughout the enterprise, guidance on how to manage the risk to levels within
the enterprise’s risk appetite, guidance on how to set up the appropriate risk culture for the enterprise, and, wherever
possible, quantitative risk assessments that enable stakeholders to consider the cost of mitigation and the required resources
against the loss exposure.
As the enterprise uses COBIT 5 for Risk, it builds risk-related capabilities, and those capabilities in turn yield benefits.
These potential benefits include:
• More accurate identification of risk and measurement of success in addressing risk
• Better understanding of the risk impact on the enterprise
• End-to-end guidance on how to manage risk
• Knowledge of how to capitalize on investments related to IT risk management practices
• Understanding of how effective IT risk management optimizes value with business process effectiveness and efficiency,
improved quality, and reduced waste and costs
• Opportunities to integrate IT risk management with enterprise risk and compliance structures
• Improved communication and understanding among all internal and external stakeholders, due to the use of a common
and sustainable globally accepted framework and language for assessing and responding to risk
• Promotion of risk responsibility and acceptance across the enterprise
• A complete risk profile, identifying the full enterprise risk exposure and enabling better utilization of enterprise resources
• Improved risk awareness throughout the enterprise
COBIT 5 for Risk appeals to multiple parties, each finding various benefits. Boards and executive management can gain a better
understanding of their responsibilities and roles with regard to IT risk management and the implications of IT risk on enterprise
strategic objectives. Risk managers responsible for enterprise risk management (ERM) can find assistance with managing IT risk
according to generally accepted ERM principles and incorporating IT risk into enterprise risk. Operational risk managers can link
back to COBIT 5 and gain guidance on identifying operational losses or developing key risk indicators (KRIs).
Yount, Hyde & Barbour is a mid-sized regional accounting firm with 21 shareholders and 140 employees. The firm has six
locations, with at least 20 people working remotely or at a client’s location at any given time. Thus, there is a complexity to the
IT function that is greater than the size of the organization would suggest. The loss of the firm’s IT manager and an IT staff
member reduced the IT staff to a single person. While this was a major issue for an accounting firm in the middle of its busiest
season, it was an opportunity to redefine the IT function for the entire firm. Several short-term fixes were initiated (hiring an IT
generalist and relying on an outsourced vendor to fill in gaps in staffing).
The shareholders of the firm had always had an IT steering committee to communicate the firm’s direction and needs to the IT
manager, but the committee had not taken a true governance role. The risk advisory services team comprised several
Certified Information Systems Auditors (CISAs), including the principal, who chaired the IT steering committee.
Therefore, it was a logical direction for the IT steering committee to look to the newly released COBIT 5 as the framework on
which to develop a better IT function.
COBIT 5 has a diagram that clearly illustrates the separation of governance and management (figure 1). Defining
management’s role as planning, building, running and monitoring appropriately separates it from the role of governance.
Defining governance’s role as evaluating, directing and monitoring enables the IT steering committee to understand its
role and curb its tendency to micromanage the IT function.
Figure 1—COBIT 5 Governance and Management Key Areas
The firm is a small organization with a lot of demands on resources. The effort to organize the IT function using a framework
so that it can be efficient and fill the needs and expectations of the stakeholders is ongoing. COBIT 5 is a solution for
organizing and integrating the IT function within the overall organization. One advantage that the firm has is that the
shareholders and staff understand the importance of IT to filling the needs of the firm and its clients effectively and efficiently.
COBIT 5 Implementation lays out seven phases for implementing COBIT 5. Using this guide, the firm began by identifying the
drivers as well as the challenges of the initiative (phase 1, What are the drivers?). There were several drivers for the firm.
There was a general disconnect between IT and the needs of the professionals. Different practices across the firm have
different needs, and these were not always understood or addressed. While IT spending was within budget, spending did not
always follow the needs of the firm. And for the IT department, one of the biggest issues was the often inconsistent, individual
demands of 21 individual shareholders.
The firm is currently between phase 2 (Where are we now?) and phase 3 (Where do we want to be?). These phases are logically
being worked on concurrently but are challenging. The busy schedules of the professional staff and the demands on a small IT
department tend to interfere with planning sessions and discussions. Milestones and deadlines are now being put in place to
help keep the project on track. Some departments have completed the process of identifying where they are and where they
want to be. This has been accomplished through planning sessions and discussions. With the input of the IT steering committee,
the remaining departments will get these phases completed so the next phases can begin. Plans are in place to begin phase 4
(What needs to be done?) and phase 5 (How do we get there?) in early November.
COBIT 5: Enabling Information builds on COBIT 5 (the framework). Relevant key concepts of COBIT 5 are repeated and
elaborated on in this guide, making it a fairly stand-alone guide—not requiring any prerequisite knowledge of COBIT 5.
However, an understanding of COBIT 5 principles, concepts and structure at the foundation level can accelerate and improve
comprehension of the contents of this guide.
Come join the discussion! Carlos Zamora Sotelo and Carlos H. García Orozco will respond to questions in
the discussion area of the COBIT 5—Use It Effectively topic beginning 21 October 2013.
Figure 1—Mapping of Selected Business Objectives to IT-Related Objectives (recovered from a garbled table; the column
alignment of the individual P/S cells did not survive extraction, so only the row contents are listed)
Business objective columns: 4, 5, 6, 7, 11, 13, 16, 17. Column headings recovered in part: Optimization of Organizational
Processes Functionality; Administration in the Business Services Change Programs; Organization; Compliance; Culture.
Each IT-related objective is also tagged with a balanced scorecard dimension code (F, C, P, A), apparently Financial, Clients,
Internal Processes and Learning/Growth as spelled out in the process mapping table below. P = primary, S = secondary.
IT-RELATED OBJECTIVE
1 IT and business strategy alignment: P P S S
2 IT as a contribution to laws and regulations compliance: P
3 Commitment of the board for decision making related to ICT (Financial): S S S S
4 IT risk administration: S P S S
5 IT investments generating value: P S S
6 Transparency in the management of costs, benefits and risks of IT: P
business. Thus, for the as-is stage of this study—the understanding and evaluation of the current situation—the goals sought
through COBIT were to:
• Select the main processes
• Identify the current health services’ capacities, gaps and risk factors related to those gaps
• Reach implementation and maturity goals
Development
COBIT 5 utilization in the ICT assessment of public health institutions in Mexico was focused on the following areas:
• Defining the IT substantive processes—According to COBIT 5 and as a first step, ConSETI and Brio selected the
business objectives that had higher impact on the citizens. Eight were selected and mapped, as shown in figure 1,
resulting in 13 IT-related objectives, highlighted in green in figure 1.
COBIT Processes Mapped to IT-Related Objectives (recovered from a garbled table; the column alignment of the individual P/S
cells did not survive extraction, so only the row contents are listed)
Balanced scorecard dimensions: Financial, Clients, Internal Processes, Learning/Growth. IT-related objective headings
recovered in part: Benefits and Risk of IT; IT Risk Administration; Technology Solutions ... as Enablers of Innovation.
P = primary, S = secondary.
COBIT PROCESSES
APO01 Manage IT administration framework: P P P P S S S S S S S
APO03 Manage enterprise architecture: S S S S S P S S S S
APO07 Human resources management: S S S S S S S S
APO08 Relationship management: S S S S S S S S S
APO10 Third-party services management: S S S S S S S S S S
The COBIT 4.1 process maturity model was used for scoring the selected IT processes, taking into account the following
attributes: responsibility and accountability; skills and expertise; policies, plans and procedures; awareness and
communication; goal setting and measurement; and tools and automation. Every attribute was evaluated against the
maturity levels defined in COBIT to obtain the final score for each selected process, as shown in figure 3.
• Gap analysis—Capability level 4 (the process reliably produces its defined results, which for the institutions means
efficient and effective health services and predictable processes) was set as the target and contrasted against the capability
level assessed previously. The difference is the gap, and the target is the basis for the later definition of the strategy and
action plan.
• Associated risk—To identify the risk factors for each selected COBIT process, the gaps found in the gap analysis were
evaluated for the potential negative impact they could have if not adequately addressed and the risk materialized. Relevant
inherent risk scenarios were generated for each process, building on the mapping of COBIT risk scenarios. Figure 4 is an
example of the mapping performed.
It is important to mention that, in the identification of risk scenarios, ConSETI and Brio did not evaluate the frequency of
occurrence of the identified risk.
At this point, COBIT 5 has been used only in the as-is diagnosis. In the future, the sponsors of this study plan to use the same
framework for the to-be state, in order to define a competitive products and services portfolio while implementing
governance of enterprise IT and assurance.
Carlos Zamora Sotelo, CISA, CISM, CGEIT
Is the chief executive officer at ConSETI, has more than 15 years of experience in IT audit and has trained more than 3,000
people. He can be contacted at czamora@conseti.com.
Carlos H. García Orozco
Is vice president at Brio and has more than 15 years of experience in IT, software development, and business intelligence
assessment and implementation. He can be contacted at carlos.garcia@brio.com.mx.
Endnotes
1 The Organisation for Economic Co-operation and Development (OECD), Mexico
2 Ibid.
Upcoming Fourth Quarter 2013 COBIT 5 Releases
• COBIT® 5: Enabling Information
Additional COBIT 5 Initiatives in Development
• COBIT® 5 Online:
- Access to publications in the COBIT 5 product family (tentative release fourth quarter 2013)
- Access to other non-COBIT ISACA content and current, relevant
Transforming Cybersecurity Using COBIT 5 is intended for several audiences who are dealing with cybersecurity directly or
indirectly, including information security managers, corporate security managers, end users, service providers, IT
administrators and IT auditors. The primary purpose of applying COBIT 5 to the transformation of cybersecurity is to enable a
uniform governance, risk management and security management framework for enterprises and other organizations. The
secondary purpose is to provide guidance on detailed concepts and steps in transforming cybersecurity and to align these
concepts and steps with the existing information security strategy and processes. This publication complements the ISACA
publication Responding to Targeted Cyberattacks by integrating cybersecurity and the COBIT 5 product family. Transforming
Cybersecurity Using COBIT 5 provides step-by-step guidance to address detailed cybersecurity issues and apply relevant
parts of COBIT 5 to them.
These practical products as well as other ISACA research products help professionals address specific business and
technical issues effectively and efficiently. Visit the Research page of the ISACA web site for more information on these and
other ISACA research products.