Improving Information Security Performance Using COBIT 2019

The document discusses using the COBIT 2019 governance framework to improve information security performance. It provides an overview of the COBIT 2019 framework and its domains. It then presents a customized IT governance framework for hospitals based on the COBIT 2019 framework to help ensure effective management of IT resources.

Running head: COBIT 2019 GOVERNANCE FRAMEWORK 1

Improving Information Security Performance using COBIT 2019

By

Student’s Name

Institution

Instructor

Date

Introduction

Business organizations rely heavily on information technology for growth and sustainability. Information and technology help organizations manage and analyze data effectively before making critical management decisions. Besides, IT helps firms integrate the functions of various departments towards a common goal. Advancements in technology have enhanced the efficiency of business operations by improving communication, enhancing stakeholder engagement, and ensuring fast transactions. However, the wealth of technological development also comes with multiple uncertainties and vulnerabilities. Advancements in technology have also resulted in the development of sophisticated and more severe security threats. Cybercriminals are continuously developing advanced malware that is capable of enormous damage in seconds. Therefore, for long-term success, organizations need a strong connection between IT and business activities to maximize benefits and reduce the uncertainties and vulnerabilities of IT systems.

The increasing complexity of information security threats requires continuous improvement in the efficiency and effectiveness of IT. Cybercriminals mainly target large organizations that handle large data volumes and significant financial transactions. The aims of cyberattacks are mainly to steal money or stakeholders’ information, or to interfere with the organizations’ data. Therefore, IT governance (ITG) has become an integral part of management in most organizations as a means of countering IT security threats. IT governance refers to the “processes that guide and control investments, decisions, and practices relating to IT within the organization in order to achieve the desired objectives” (Alreemy et al., 2016). Since the use of IT combines organizational, technical, and cultural aspects, effective ITG is necessary to orchestrate them.

Hospitals, both public and private, use information and communication technology (ICT) in delivering healthcare services and in capturing and storing patient information. Patient information is highly confidential and crucial in ensuring correct and effective treatment. Therefore, there is a need for a robust and efficient ITG framework to manage cyberattacks that could interfere with or steal crucial patient information. Stealing or interfering with patient information compromises the treatment process and may lead to death or lifelong complications. However, health services have not fully implemented the necessary IT security measures and are therefore vulnerable to cyberattacks. The objective of this paper is to develop a customized IT governance framework, together with a change management intervention, based on the COBIT 2019 governance framework.

Overview of the COBIT 2019 Governance Framework

The COBIT framework covers both governance and management of information and technology, with the goal of integrating the functions of an organization. It includes all the technology and information processing that organizations put in place to achieve their objectives. Governance and management are two distinct entities in the COBIT framework, with different organizational structures and different purposes. The governance aspect serves three functions. The first is evaluating and determining a balance between stakeholder needs, operating conditions, and available options to achieve an organization’s objectives. The second is providing direction through prioritization and decision-making. Lastly, governance helps in monitoring compliance and performance against the set objectives (Alreemy et al., 2016; ISACA, 2018). Management, on the other hand, involves planning, building, running, and monitoring activities based on the directives provided by the governance aspect. Therefore, COBIT provides an open-ended approach that can easily be customized to suit the objectives of various enterprises.

COBIT 2019 comprises 40 governance and management objectives, organized into five domains. The governance domain is EDM (Evaluate, Direct, and Monitor). The management domains are Align, Plan, and Organize (APO); Build, Acquire, and Implement (BAI); Deliver, Service, and Support (DSS); and Monitor, Evaluate, and Assess (MEA) (COBIT 2019 Implementation Guide). The domains have different objectives, as shown in the figure below.

COBIT 2019 core model (ISACA 2018)



The EDM domain involves evaluating strategic plans, directing top management on the most appropriate strategic options, and closely monitoring the achievement of the chosen strategies. APO addresses the overall organizational structure, strategies, and supporting activities for an organization’s information and technology. BAI involves defining, acquiring, and implementing IT solutions as well as integrating the solutions into business processes. DSS encompasses the operational delivery and support of IT services and security. Lastly, the MEA domain is used to monitor the performance and conformance of information and technology against internal goals, control objectives, and external requirements (ISACA, 2018).

IT Governance Framework

An information technology governance framework defines the methods and strategies that organizations use in implementing, managing, and monitoring IT governance. It provides the measures and guidelines that an organization uses to utilize IT resources and processes effectively, and it defines the elements needed in an operating model: the rules, principles, and processes needed for effective decision-making (Toomey & Juiz, 2015). Besides, the framework governs the process of decision-making, identifies who has the authority to make decisions, and specifies the communication channels to be used. Therefore, an IT governance framework must be suitable for a given organization if it is to address that organization’s objectives effectively. Additionally, the framework should be flexible enough to accommodate changes in business requirements, including executive, commercial, and operational needs.

An IT governance framework focuses on making businesses more effective and efficient, enhancing security, improving reliability, and ensuring compliance with standards. Information technology is widely used in hospitals for the management and storage of patient information. Therefore, a comprehensive IT governance framework is needed to ensure efficient and effective management of IT resources, maximizing the benefits of information technology while reducing its potential risks and uncertainties. The figure below shows a customized IT governance framework that hospitals can use to ensure effective management of their IT resources.

A customized IT governance framework

The framework is based on the governance aspect of the COBIT 2019 framework. The governance domain is EDM (Evaluate, Direct, and Monitor). EDM has five objectives: to ensure governance framework setting and maintenance, delivery of benefits, optimization of risk, engagement of stakeholders, and resource optimization (ISACA, 2018). Evaluating, directing, and monitoring activities enable governance systems to be customized to suit a particular organization.



Under governance framework setting and maintenance, governance provides a consistent and integrated approach that is in line with the organization’s overall governance approach. IT decisions are made based on the organization’s objectives and desired values. In support of this, the first objective in the IT governance framework above is to align IT with the hospital’s activities. This ensures that the end result is effective and transparent and complies with the legal standards required of the health care facility. Besides, aligning IT with hospital processes ensures that contractual and regulatory requirements are adhered to and that the requirements of board members are also met.

The second objective of EDM is to ensure the delivery of benefits to the organization. This aims at securing optimal value from IT initiatives, services, and assets, and comprises cost-effective delivery of services together with accurate and reliable operations (Ahlemann, Urbach, & Buchwald, 2014). Accuracy and reliability are of great importance for hospitals. Automation and centralized clinical databases are some of the approaches that can improve the effectiveness and efficiency of hospital operations to realize maximum benefits for all relevant stakeholders. The framework above therefore includes automation and cost reduction as key activities of IT governance. Low costs and effective services ensure patient satisfaction and a good job experience for health practitioners.

Risk optimization is another key aspect of EDM. The goal here is to reduce or, where possible, eliminate the uncertainties and vulnerabilities of an organization’s IT system. Hospitals capture and store vital and confidential information that must not be tampered with if care is to remain sound. Therefore, risks should be managed and kept to a minimum for better healthcare results. The hospital’s information technology must thus be secure, reliable, and compliant with the set IT security standards. Strategies such as regular system updates, use of robust firewalls, and licensed software should be implemented to ensure effective management of IT-related risks in hospitals.

Resource optimization is also a vital element of EDM and is exceptionally crucial for healthcare facilities. Effective management of resources increases the likelihood of benefit realization and readiness for future change (ISACA, 2018). Measuring performance is one of the most effective ways of assessing resource utilization in an organization. Further, comparing the performance of various IT aspects against preset standards helps in evaluating the effectiveness of the IT governance framework. The framework designed here measures and compares the performance of the hospital’s IT system before management decisions are made, and the measurement and comparison results are used to direct the necessary actions. The framework is therefore a closed-loop system: the inputs are objectives, the results of the IT system are measured and compared against the desired values, and appropriate actions are recommended based on the outputs.

However, technology is characterized by rapid change due to innovation, invention, and the diffusion of processes across organizations. The wealth of technological advancement is also accompanied by new and more sophisticated information security threats. Innovation leads to the development of advanced malware that is capable of severe damage within microseconds. Therefore, the IT governance framework should be flexible enough to accommodate future changes with minimum disruption and at the lowest possible cost (Buchwald, Urbach, & Ahlemann, 2014). This implies that there is no comprehensive IT governance framework that can work effectively for an organization forever. The section that follows discusses appropriate change management interventions to help health facilities adapt their IT governance frameworks to changes in technology.

Change Management Plan to Implement COBIT 2019 Framework

Information technology change management refers to the process of controlling the lifecycle of all changes with minimum disruption to IT services. The purpose of an IT change management intervention is to prevent unforeseen consequences of IT breaches and to ensure that future changes to a given system are implemented according to an approved governing framework (Buchwald, Urbach, & Ahlemann, 2014).

The COBIT 2019 IT governance framework is specially designed to address the latest changes in technology, trends in business, and evolving security needs. The framework incorporates IT change management frameworks, including ITIL, TOGAF, and CMMI, which focus on unifying the different processes taking place in an organization (Rongala, 2019). The major areas of focus of COBIT 2019 are information security, risk management, and IT governance. Clearly, the customized change management model is in line with the COBIT 2019 change management objectives. The new concepts of COBIT 2019, which include the 40 governance and management objectives, offer great flexibility, allowing the IT governance strategy to be customized to suit various organizations (ISACA, 2018; Rongala, 2019).

According to ISACA, COBIT 2019 has been updated to include the following aspects. The first is a focus on key areas and design factors that create clear governance systems for various business needs; this helps in addressing specific business needs for the continuity of business organizations. The second is continuous updating of the framework, which helps in incorporating new changes and thus prevents obsolescence. Besides, the framework has an open-source model that allows organizations to receive feedback from the global governance community to enhance updates (ISACA, 2018).

The auditor general audited the IT systems of Barwon Health, the Royal Children’s Hospital, and the Royal Victorian Eye and Ear Hospital. The Digital Health branch and Health Technology Solutions functions of the Department of Health and Human Services (DHHS) were also audited to assess their support to health services. The audit identified weaknesses in the health facilities’ approach to data security, especially a lack of awareness among staff and poor network monitoring. The audit report also found that the Digital Health branch of DHHS has a well-established program for improving various approaches to data security. However, the hospitals identified inadequate resources for ICT projects and a lack of skilled cybersecurity staff as some of the factors limiting the full implementation of controls. Other key weaknesses identified include inadequate user access controls, weak passwords, and limited monitoring systems for detecting suspicious ICT network behavior. Lastly, the auditor general found confusion over whether data security was the responsibility of the third party or of the hospital.

COBIT 2019 is an umbrella framework for the governance and management of information and technology in business enterprises. The framework covers audit and assurance, risk management, regulatory compliance, governance of IT, and information security (ISACA, 2018). Therefore, the framework is best suited to handling the identified weaknesses in the health services’ data security. However, full implementation of COBIT 2019 to manage the identified data security faults requires a detailed and systematic change management plan to avoid unnecessary disruption of daily processes in the hospitals. The following is a customized change management plan that the hospitals can use in implementing the COBIT 2019 framework to manage data security issues.


Figure: the proposed change management model. Four stages (System Analysis; IT Loopholes and Interventions; Implementation of Changes; Training) form a continuous process centred on the COBIT 2019 Governance Framework.

The proposed change management model depicts a continuous process with four distinct stages: system analysis, identification of loopholes and recommendation of interventions, implementation of changes, and training. The first two stages, system analysis and loopholes and interventions, occur almost concurrently. The first stage prepares the organization for change. It involves a critical analysis of the system and of its compliance with quality standards. IT specialists and the quality control team critically analyze the various aspects of the IT governance framework and identify possible security loopholes. The analysis is done at regular intervals to avoid obsolescence. Activities at the first two stages include surveying the state of the organization, checking for updates, and assessing legal compliance with IT ISO standards. These activities help in identifying potential security gaps, which in turn aid in developing appropriate interventions. To avoid unnecessary hurdles, the specialists should liaise with top management so that the necessary resources are made available.

After identifying appropriate interventions, the next stage involves the implementation of the changes. Effective and timely communication is vital at this stage. All relevant stakeholders must be informed of the changes, their significance, and the precautions to be observed while incorporating them. The stage will involve employees actively by incorporating their opinions in the process. Emerging changes will be handled immediately to avoid delays. This is the most critical stage in the change management model, since a mistake would have severe consequences not only for the IT governance framework but also for the entire hospital management.

Training is the last stage in the model. Change means new procedures and sometimes changes in the order in which various activities are performed in an organization. Therefore, to maintain the expected efficiency and effectiveness, regular training should be given to employees on the changes being implemented (Guide to COBIT 2019, 2019). Staff need training on how to identify suspicious network activity, create stronger passwords, and protect computers by locking them when not in use. The training will also help in developing staff skills, thus contributing to employee development.

Further, the new model is better aligned with global standards and best practices, making it relevant to every organization. Additionally, COBIT 2019 contains more tools, which enable organizations to develop customized or “best-fit” IT governance systems (Rongala, 2019). Therefore, COBIT 2019 is more of a prescriptive model, making it suitable for managing unintended changes in an organization. The new remote collaborative feature is another key aspect of COBIT 2019 that organizations can utilize to enhance the decision-making process. Lastly, COBIT 2019 is an excellent tool for measuring IT performance and alignment with IT ISO standards.

Disadvantages of COBIT 2019 Framework

Despite its numerous benefits, COBIT 2019 also has some setbacks that make some organizations hesitant to implement it in their IT framework. The first disadvantage is the cost of implementing COBIT to establish an IT management and governance framework. Most business organizations avoid implementing COBIT because of the cost of running the framework. The major costs associated with the COBIT framework stem from its demand for extensive knowledge and skills in order to operate it appropriately in enhancing an organization’s IT performance (Guide to COBIT 2019, 2019; Toomey & Juiz, 2015). Therefore, before implementing the COBIT 2019 framework, hospitals should ensure they have the necessary expertise and train their employees.

In addition, the COBIT framework lacks sufficient information about the connections between its postulated benefits and their actual reflection in its featured maturity model. The framework contains a detailed description of processes, activities, and responsibilities but does not show their connections. Therefore, performing a detailed assessment of an organization’s information technology requires experienced and skilled IT analysts, and there is no assurance that an analyst will establish the solutions that suit the organization’s information technology (Toomey & Juiz, 2015). However, the benefits of the COBIT 2019 framework outweigh the disadvantages, making it the most suitable for the healthcare centers’ IT governance.

For effective quality management, the hospital should consider adopting ISO information security standards. For instance, health facilities should adopt ISO/IEC 20000-1 Information Technology Service Management. ISO/IEC 20000-1 comprises various standards for IT services that will help the hospital to maintain security effectively, deliver consistent services, and easily adapt to new technologies (NQA Global Certification Body, n.d.). The standards contain well-defined system requirements, control processes, codes of practice, and relationships, among other vital features.

Conclusion

Information technology is vital for the effective running of health facilities and the management of patients’ information. Besides communication, hospitals require information technology for delivering better healthcare, capturing patient information, and monitoring patient conditions. Patient information is highly confidential; thus, health facilities need a comprehensive risk management system to avoid cyberattacks, which may paralyze clinical services. Therefore, health centers require a well-defined IT governance framework. COBIT 2019 is an excellent framework that helps organizations manage various IT governance and management risks. The COBIT 2019 IT governance framework is specially designed to address the latest changes in technology, trends in business, and evolving security needs. This report provides a detailed description of a customized IT governance framework as well as a customized change management model to help hospitals manage information and communication technology risks. Both the IT governance framework and the change management model are designed based on the COBIT 2019 framework.

References

Alreemy, Z., Chang, V., Walters, R., & Wills, G. (2016). Critical success factors (CSFs) for information technology governance (ITG). International Journal of Information Management, 36(6), 907-916.

Buchwald, A., Urbach, N., & Ahlemann, F. (2014). Business value through controlled IT: Toward an integrated model of IT governance success and its impact. Journal of Information Technology, 29(2), 128-147.

Guide to COBIT 2019. (2019, May 13). Infosec Resources. https://resources.infosecinstitute.com/guide-to-cobit-2019/#gref

ISACA (2018). COBIT 2019 Design Guide: Designing an Information and Technology Governance Solution. ISBN 978-1-60420-765-1.

ISACA (2018). COBIT 2019 Implementation Guide: Implementing and Optimizing an Information and Technology Governance Solution. Retrieved from www.isaca.org

ISACA (2018). COBIT® 2019 Framework: Governance and Management Objectives. Retrieved from www.isaca.org

Rongala, A. (2019, February 21). Evolution of COBIT 2019 from COBIT 5 | COBIT 2019 update. Invensis Learning. https://www.invensislearning.com/resources/it-security-governance/cobit-2019-update

Toomey, M., & Juiz, C. (2015). To govern IT, or not to govern IT? Business leaders may bemoan the burdens of governing IT, but the alternative could be much worse. Vol. 58, no. 2.

What standards apply to the information technology industry? (n.d.). NQA Global Certification Body. https://www.nqa.com/en-gb/certification/sectors/information-technology

William, M. (2017). Predictors of effective change management: A literature review. African Journal of Business Management, 10(23), 585–593. https://doi.org/10.5897/ajbm2016.8208
