#3b-IT Governance COBIT


IT Governance – Governance Principles & COBIT


Instructor: Prof. Dr. Martin Knahl
[email protected]

Agenda: IT Governance
• IT Governance Principles (Weil & Ross)
• CobiT
• COSO, ISO 27000, ...
• IT Compliance
– SOX, Euro-SOX, ....

IT Governance Archetypes: Styles

Style               Who has decision or input rights?
Business Monarchy   A group of business executives or individual executives (CxOs); includes committees of senior business executives (may include the CIO)
IT Monarchy         Individuals or groups of IT executives
Feudal              Business unit leaders, key process owners or their delegates
IT Duopoly          IT executives and one other group (e.g. CxOs, or business unit or process leaders)
Federal             Business units & business executives & IT units
Anarchy             Each individual user

Source: Weill, Peter; Ross, Jeanne W.: IT Governance. Harvard Business School Press, 2004.
Bicycle Wheel and T-Shaped IT Duopolies

(Figure: the two duopoly forms, showing an executive committee, business managers (X) and IT managers (Y) in the business units (BU), business/IT relationship managers (RM) linking IT to the business units, and an IT committee of IT managers.)
Legend: X = business manager, Y = IT manager, RM = business/IT relationship manager, BU = business unit.
Source: Weill, Peter; Ross, Jeanne W.: IT Governance. Harvard Business School Press, 2004, p. 62.
IT Governance Archetypes: Key Players

Columns: (1) C-level executives; (2) Corporate IT and/or business unit IT; (3) Business unit leaders or key business process owners

Archetype           (1)   (2)   (3)
Business Monarchy    ✓
IT Monarchy                ✓
Feudal                           ✓
Federal              ✓     ✓     ✓
  or                 ✓           ✓
IT Duopoly           ✓     ✓
  or                       ✓     ✓
Anarchy

Source: Weill, Peter; Ross, Jeanne W.: IT Governance. Harvard Business School Press, 2004, p. 60.
(Five) Key IT Governance Decisions

IT decision areas:
• IT principles: defines the enterprise operating model and the role of IT, with the desired behaviour of IT and its funding
• IT architecture: defines core business processes, data, technical capabilities & technology choices
• IT infrastructure: defines infrastructure services, globalization, service levels, pricing, sourcing, and change
• Business application needs: evaluates opportunities for new business applications; defines the approach for business need justification, integration into architectural standards, and ownership with change management
• IT investments and prioritization: sets priorities for process changes and enhancements, evaluates the IT portfolio against enterprise objectives, and resolves conflicts between business-unit-specific and global priorities

Source: Weill, Peter; Ross, Jeanne W.: IT Governance. Harvard Business School Press, 2004.
(Five) Key IT Governance Decisions

• IT principles decisions: high-level statements about how IT is used in the business
• IT architecture decisions: organizing logic for data, applications, and infrastructure, captured in a set of policies, relationships, and technical choices to achieve desired business and technical standardization and integration
• IT infrastructure decisions: centrally coordinated, shared IT services that provide the foundation for the enterprise's IT capability
• Business application needs: specifying the business need for purchased or internally developed IT applications
• IT investment and prioritization decisions: decisions about how much and where to invest in IT, including project approvals and justification techniques

Source: Weill, Peter; Ross, Jeanne W.: IT Governance. Harvard Business School Press, 2004.
Typical Enterprise IT Governance

(Matrix: rows = archetypes (Business Monarchy, IT Monarchy, Feudal, Federal, Duopoly, Anarchy, No data or don't know); columns = the five decision areas (IT Principles, IT Architecture, IT Infrastructure Strategies, Business Application Needs, IT Investment), each split into Input and Decision.)

(i) Which archetypes are responsible for providing key input to IT governance decisions?
(ii) Which archetypes are responsible for making which decisions?

Source: Weill, Peter; Ross, Jeanne W.: IT Governance. Harvard Business School Press, 2004, p. 64.
Enterprise IT Governance – Case Study

Percent of enterprises using each archetype for input to, and for the decision on, each decision area (research conducted at 256 enterprises in 23 countries; each column sums to 100):

                        IT Principles    IT Architecture   IT Infrastructure   Business Application   IT Investment
                                                           Strategies          Needs
Archetype               Input  Decision  Input  Decision   Input  Decision     Input  Decision        Input  Decision
Business Monarchy         0      27        0       6         0       7           1      12              1      30
IT Monarchy               1      18       20      73        10      59           0       8              0       9
Feudal                    0       3        0       0         1       2           1      18              0       3
Federal                  83      14       46       4        59       6          81      30             93      27
Duopoly                  15      36       34      15        30      23          17      27              6      30
Anarchy                   0       0        0       1         0       1           0       3              0       1
No data or don't know     1       2        0       1         0       2           0       2              0       0

Source: Weill, Peter; Ross, Jeanne W.: IT Governance. Harvard Business School Press, 2004, p. 64.
Common Governance Mechanisms

(Figure: bar chart of common governance mechanisms. For each mechanism it shows the percent of participants using it (0 to 100) and the CIO-ranked IT governance effectiveness on a scale from 1 (ineffective) to 5 (highly effective); the effectiveness ratings shown range from 2.8 to 3.9.)

Mechanisms, grouped by type:
• Decision-making structures: executive or senior management committees; IT leadership committee comprising IT executives; process teams with IT members; business/IT relationship managers; IT council comprising business and IT executives; architecture committee; capital approval committee
• Alignment processes: tracking of IT projects and resources consumed; service-level agreements; formally tracking business value of IT; chargeback arrangements
• Communication approaches: senior management announcements; office of CIO or office of IT governance; web-based portals and intranets for IT; working with managers who don't follow the rules

Research conducted at 256 enterprises in 23 countries.
Source: Weill, Peter; Ross, Jeanne W.: IT Governance. Harvard Business School Press, 2004, p. 87.
Enterprise IT Governance – Case Study
State Street (Financial Services Industry)

(Matrix of archetypes against the five decision areas (IT Principles, IT Architecture, IT Infrastructure Strategies, Business Application Needs, IT Investment), each split into Input and Decision. Bodies named in the cells:)
Business Monarchy: IT Executive Committee
IT Monarchy: CIO, Architecture Office, IT Leaders; CIO, IT Leaders
Federal: CIO, IT Leaders, Business Leaders, IT Org.; IT Org., Architecture Office, Business Leaders; budgets, SLAs, activity tracking; IT Leaders
Duopoly: Business Leaders, IT Org., IT Leaders
Feudal, Anarchy: none

IT Org.: federated IT organisation (vertical and horizontal IT units)

Source: Weill, Peter; Ross, Jeanne W.: IT Governance. Harvard Business School Press, 2004, p. 180.
Assessing IT Governance Performance

• Setting: Strategy (operational excellence, customer intimacy, product leadership); Size (number of BUs); Synergy and/or autonomy of BUs; IT intensity (money, people)
• Governance arrangements: Key IT decisions and archetypes; Mechanisms (councils, SLAs, IT organization, chargeback, architecture committee); Exceptions (percent of projects)
• Governance awareness: Percent of managers in leadership positions who can describe governance; Communication approaches (meetings, documents, portal)
• Governance performance: Average of four performance measures weighted by importance, score out of 100; effective use of IT for cost control, growth, asset utilization, business flexibility
• Financial performance: Profit (percent margin, ROE, ROI); Asset utilization (ROA); Growth (percent change in revenue); data measured using a three-year average, industry-adjusted percent change

Source: Weill, Peter; Ross, Jeanne W.: IT Governance. Harvard Business School Press, 2004, p. 120.
Who Makes Better IT Decisions – Business or IT Managers?

                                                  Decision rights (%)
Type of decision                                  Business    IT    Joint
Business decisions                                   –        =      +
  (IT principles, business application needs,        29       7     24
  IT investment)
IT decisions                                         –        =      =
  (IT architecture, infrastructure)                   5      27      8

+ = top performers*, = no difference, – = poor performers*
*Statistically significant relationship with governance performance

Source: Weill, Peter; Ross, Jeanne W.: IT Governance. Harvard Business School Press, 2004, p. 135.
Enterprise IT Governance – Case Study
IT Governance Arrangements of Best & Worst Performers

(Matrix of archetypes against the five decision areas (IT Principles, IT Architecture, IT Infrastructure Strategies, Business Application Needs, IT Investment), each split into Input and Decision; + = top performers, – = poor performers. Marks in the rows: Feudal: –; Federal: + – – – + –; IT Duopoly: – + – +.)

• Decisions by a Federal group hardly ever make sense!
• Input by an IT Duopoly is sometimes ineffective
• Federal input sometimes makes sense

Source: Weill, Peter; Ross, Jeanne W.: IT Governance. Harvard Business School Press, 2004, p. 131.
Enterprise IT Governance – Case Study
Top 3 Governance Performers

Archetype            IT Principles   IT Architecture   IT Infrastructure Strategies   Business Application Needs   IT Investment
Business Monarchy         3                3                      3                            2                        3
IT Monarchy                              1, 2                   1, 2
Feudal
Federal                                                                                      1, 3
IT Duopoly              1, 2                                                                                          1, 2
Anarchy

1, 2, 3 = the top three governance performers (achieving four performance objectives, weighted by importance); performance objectives are for example cost, growth, and flexibility.
Source: MIT Sloan School Center for Information Systems Research
IT Governance for SMEs – Recommendations
• R1: Senior management should be involved through joint formal & informal IT governance interactions.
• R2: Corporate executives should be involved in the IT governance process.
• R3: Operational executives should be involved in the IT governance process.
• R4: IT governance policies, guidelines and processes should be communicated through a number of channels.
• R5: IT governance policies, guidelines and processes should be communicated through accessible channels.
Rui Huang, Robert W. Zmud, and R. Leon Price: "IT Governance Practices in Small & Medium Sized Enterprises". In G. Dhillon, B.C. Stahl, and R. Baskerville (Eds.): CreativeSME 2009, IFIP AICT 301, pp. 158–179, 2009.
IV (Information Processing) Management – Maturity Level #1
"Stages of Growth Model" (Nolan)
Nolan's 4 theses regarding IT development:
1. IT develops in distinct stages.
2. A new stage can only be "started" when the previous stage has been completed.
3. An organisation "can't buy" the skipping of a developmental stage.
4. There must be a balance between the areas of IT costs, IT resources, IT management, IT users / IT customers and IT application domains.
Richard L. Nolan: Managing the computer resource: a stage hypothesis. Commun. ACM 16, 7 (Jul. 1973), pp. 399–405.
King, John Leslie; Kraemer, Kenneth L. (1984): "Evolution and organizational information systems: an assessment of Nolan's stage model". Communications of the ACM 27 (5): 466–475.
IV (Information Processing) Management – Maturity Model #1
"Stages of Growth Model" (Nolan)

Stage I is brought about by the introduction of the computer in the organization. Individuals take the initiative, procure the technology, and are developers and users at the same time. The remaining members of the organisation barely understand what their colleagues are doing and, for the most part, do not yet want to understand it.

Stage II is characterized by a managerial climate of concern for strategies to encourage alienated users to investigate the potential for computing. Generally impressive cost savings in clerical areas, as well as a few of the inevitable "spectacular successes" reported in the trade journals, give a "time is of the essence" element to the movement.
IV (Information Processing) Management – Maturity Level #2
CMMI

CMMI was primarily aimed at assessing the software development process.
Can you see other applications for maturity levels?
Source: http://en.wikipedia.org/wiki/Capability_Maturity_Model_Integration, 2 March 2010
IT Governance
IT governance focus areas:
• Strategic Alignment
• Value Delivery
• Resource Management
• Risk Management
• Performance Measurement
(Fröhlich, 2007:49)
Source: COBiT 4.0
IT Governance Process

(Figure: the focus areas arranged around the stakeholder value drivers: IT Resources, Value Delivery, Strategic Alignment, Risk Management and Performance Measurement.)

See also (Johannsen, 2007: 47)
Source: COBiT 4.0
Cobit Cube / CobiT Informational Space

(Figure: the COBIT cube with the dimensions Business Requirements, IT Resources and IT Processes; the IT process dimension is layered into Control Domains, Processes and Activities.)

Idea:
• Representation of the different CobiT dimensions
• Conceptual model to represent overall IT governance

See also (Johannsen, 2007: 55)
Source: COBiT 4.0
CobiT Cube (figure)

CobiT Control Domains (figure)
CobiT Domain: Plan and Organise
PO1 Define a Strategic IT Plan
PO2 Define the Information Architecture
PO3 Determine Technological Direction
PO4 Define the IT Processes, Organisation and Relationships
PO5 Manage the IT Investment
PO6 Communicate Management Aims and Direction
PO7 Manage IT Human Resources
PO8 Manage Quality
PO9 Assess and Manage IT Risks
PO10 Manage Projects
CobiT Domain: Plan and Organise
PO1 Define a Strategic IT Plan
PO1.1 IT Value Management
PO1.2 Business-IT Alignment
PO1.3 Assessment of Current Capability and
Performance
PO1.4 IT Strategic Plan
PO1.5 IT Tactical Plans
PO1.6 IT Portfolio Management

CobiT Domain: Plan and Organise
PO1 Define a Strategic IT Plan – PO1.4 IT Strategic Plan
Create a strategic plan that defines, in co-operation with relevant stakeholders, how IT goals will contribute to the enterprise's strategic objectives and related costs and risks. It should include how IT will support IT-enabled investment programmes, IT services and IT assets. IT should define how the objectives will be met, the measurements to be used and the procedures to obtain formal sign-off from the stakeholders. The IT strategic plan should cover investment/operational budget, funding sources, sourcing strategy, acquisition strategy, and legal and regulatory requirements. The strategic plan should be sufficiently detailed to allow for the definition of tactical IT plans.
CobiT Domain: Plan and Organise (PO) & IT Governance Domains

Control domain PO mapped to the IT governance domains Strategic Alignment, Value Delivery, Resource Management, Risk Management and Performance Measurement (P = primary, S = secondary; priority H = high, L = low; marks listed left to right, blank cells dropped):

IT Process   Description                           Priority   Governance domains
PO1          Define a Strategic IT Plan            H          P S S
PO2          Define the Information Architecture   L          P S P S
PO9          Assess and Manage IT Risks            H          P P
PO10         Manage Projects                       H          P S S S S
Mapping: Control Domains to Resources & Business Requirements

Control domain PO mapped to IT resources (Staff, Information, Applications, Infrastructure; X = resource involved) and to the information criteria / business requirements Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability (P = primary, S = secondary; marks listed left to right, blank cells dropped):

IT Process   Description                           Resources   Information criteria
PO1          Define a Strategic IT Plan            X X X X     P S
PO2          Define the Information Architecture   X X         S P S P
PO9          Assess and Manage IT Risks            X X X X     S S P P P S S
PO10         Manage Projects                       X X X       P P
(Figures from COBIT 4.)
Source: www.isaca.org/Knowledge-Center/cobit/Documents/COBIT4.pdf, 24 May 2011
Mapping: IT Goals to Business Goals

(Figure from COBIT 4.) Note: 28 predefined IT goals.
Source: www.isaca.org/Knowledge-Center/cobit/Documents/COBIT4.pdf, 24 May 2011
Mapping: IT Processes to IT Goals

Control domain PO against IT goals 1, 2, 3, … (X = process supports the goal; marks listed left to right, blank cells dropped):

IT Process   Description                           IT goals
PO1          Define a Strategic IT Plan            X X
PO2          Define the Information Architecture   X
PO9          Assess and Manage IT Risks
PO10         Manage Projects                       X X
Enterprise Architecture / IT Architecture
• Denotes all static and dynamic aspects of IT in an organisation, e.g.
  – Infrastructure (hardware, locations, networks, software (applications), data)
  – The associated management (configuration and capacity planning, load balancing, backup, availability, fault tolerance, disaster recovery planning, etc.)
  – Functional aspects such as the interfaces required for IT support of the business processes
• Two levels: basic structures & the definition of rules for coordinating the interplay of all components
• Analogy: compare IT architecture with a zoning plan in urban planning: the central guideline for everyone involved in planning and operating IT systems and IT infrastructures.
Zachman Framework (figure)
TOGAF – The Open Group Architecture Framework

• Approach for the design, planning, implementation, documentation and maintenance of enterprise architectures; Version 9 published Feb. 2009
• Published by The Open Group (merger of the Open Software Foundation and X/Open)
• TOGAF is based on TAFIM (developed by the US Department of Defense)
• 4 architecture domains:
  • Business Architecture
  • Information and Data Architecture
  • Application Architecture
  • Technology Architecture
TOGAF Model / TOGAF ADM

(Figure: TOGAF Architecture Development Method.)

SAP Enterprise Architecture Framework: extension of TOGAF with a focus on off-the-shelf software and service-oriented architecture.

Source: http://www.opengroup.org/togaf/cert/showcase/participants/detecon/index.html
Enterprise Architectures

• In companies there are no isolated areas
  – Evidence: Scheer's enterprise data model (1988)
  – Consequence: application systems must be integrated
  – "System landscapes" emerge (also called integrated application system landscapes / software landscapes / IT architectures / IT portfolios / …), up to Very Large Business Applications (VLBAs)
• Goal of e-business organisation
  – Methods for the design, shaping & operation of system landscapes
CobiT Control Domains (figure)

CobiT: Mapping Processes & Goals (figure)
RACI Table

(Figure: RACI chart.)
Source: http://www.continentalsoftware.com/itil-figures/cobit/ds01_raci-chart.gif, last accessed 21 August 2013
Additional CobiT Elements
• Controls
  – Business controls (low priority)
  – Application controls
  – IT general controls (IT infrastructure)
• ITGI CobiT Implementation Guide, CobiT Quickstart (small & medium enterprises): concrete step-by-step guidance for implementation
• CobiT Maturity Model
  – Derived from the SEI's Capability Maturity Model (CMM, later CMMI)
  – Facilitates systematic evaluation of the 34 CobiT processes
Cobit Maturity Model

(Figure.)
Source: http://guru-indonesia.net/admin/file/f_10942_cobit-maturity-model.JPG, last accessed 23 August 2013
CMMI

Capability Maturity Model Integration (CMMI) in software engineering and organizational development is a process improvement approach that provides organizations with the essential elements for effective process improvement. It can be used to guide process improvement across a project, a division, or an entire organization. CMMI helps integrate traditionally separate organizational functions, set process improvement goals and priorities, provide guidance for quality processes, and provide a point of reference for appraising current processes.
(Wikipedia)
SCAMPI

The Standard CMMI Appraisal Method for Process Improvement (SCAMPI) is the official SEI method to provide benchmark-quality ratings relative to CMMI models. SCAMPI appraisals are used to identify strengths and weaknesses of current processes, reveal development/acquisition risks, and determine capability and maturity level ratings. They are mostly used either as part of a process improvement program or for rating prospective suppliers. The method defines the appraisal process as consisting of preparation; on-site activities; preliminary observations, findings, and ratings; final reporting; and follow-on activities.
SEI: The Carnegie Mellon Software Engineering Institute (SEI)
(Wikipedia)
DS2 Maturity Model
DS2 Manage Third-party Services

Management of the process "Manage third-party services" that satisfies the business requirement for IT of providing satisfactory third-party services whilst being transparent about benefits, costs and risks is:

0 Non-existent when
Responsibilities and accountabilities are not defined. There are no formal policies and procedures regarding contracting with third parties. Third-party services are neither approved nor reviewed by management. There are no measurement activities and no reporting by third parties. In the absence of a contractual obligation for reporting, senior management is not aware of the quality of the service delivered.

1 Initial/Ad Hoc when
Management is aware of the need to have documented policies and procedures for third-party management, including signed contracts. There are no standard terms of agreement with service providers. Measurement of the services provided is informal and reactive. Practices are dependent on the experience (e.g., on demand) of the individual and the supplier.

2 Repeatable but Intuitive when
The process for overseeing third-party service providers, associated risks and the delivery of services is informal. A signed, pro forma contract is used with standard vendor terms and conditions (e.g., the description of services to be provided). Reports on the services provided are available, but do not support business objectives.

© 2007 IT Governance Institute. All rights reserved. www.itgi.org
DS2 Maturity Model cont.

3 Defined when
Well-documented procedures are in place to govern third-party services, with clear processes for vetting and negotiating with vendors. When an agreement for the provision of services is made, the relationship with the third party is purely a contractual one. The nature of the services to be provided is detailed in the contract and includes legal, operational and control requirements. The responsibility for oversight of third-party services is assigned. Contractual terms are based on standardised templates. The business risk associated with the third-party services is assessed and reported.

4 Managed and Measurable when
Formal and standardised criteria are established for defining the terms of engagement, including scope of work, services/deliverables to be provided, assumptions, schedule, costs, billing arrangements and responsibilities. Responsibilities for contract and vendor management are assigned. Vendor qualifications, risks and capabilities are verified on a continual basis. Service requirements are defined and linked to business objectives. A process exists to review service performance against contractual terms, providing input to assess current and future third-party services. Transfer pricing models are used in the procurement process. All parties involved are aware of service, cost and milestone expectations. Agreed-upon goals and metrics for the oversight of service providers exist.

5 Optimised when
Contracts signed with third parties are reviewed periodically at predefined intervals. The responsibility for managing suppliers and the quality of the services provided is assigned. Evidence of contract compliance to operational, legal and control provisions is monitored, and corrective action is enforced. The third party is subject to independent periodic review, and feedback on performance is provided and used to improve service delivery. Measurements vary in response to changing business conditions. Measures support early detection of potential problems with third-party services. Comprehensive, defined reporting of service level achievement is linked to the third-party compensation. Management adjusts the process of third-party service acquisition and monitoring based on the measures.
COBIT: A High Level Control Objective
• Control over the IT process of managing changes
– that satisfies the business requirement to minimize the likelihood of
disruption, unauthorized alterations and errors
– is enabled by a management system which provides for the analysis,
implementation and follow-up of all changes requested and made to the
existing IT infrastructure
• Consideration areas
– identification of changes
– categorization, prioritization and emergency procedures
– impact assessment
– change authorization
– release management
– software distribution
– configuration management
– business process re-design
Associated Detailed Control Objective
6.1 Change Request Initiation and Control
CONTROL OBJECTIVE
IT management should ensure that all requests for
changes, system maintenance and supplier
maintenance are standardized and are subject to
formal change management procedures. Changes
should be categorized and prioritized and specific
procedures should be in place to handle urgent
matters. Change requestors should be kept informed
about the status of their request.
Another Detailed Control Objective
6.3 Control of Changes
CONTROL OBJECTIVE
IT management should ensure that change
management and software control and distribution
are properly integrated with a comprehensive
configuration management system. The system
used to monitor changes to application systems
should be automated to support the recording and
tracking of changes made to large, complex
information systems.
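The two control objectives above state the change-management control in policy terms. As an added illustration (example code written for this page, not COBIT text and not any product's implementation), the following Python sketch enforces them as a small state machine: every request is assessed and prioritised, a normal change must be authorised before implementation, an emergency change may be implemented first but must be authorised retrospectively before it can be closed, the approver must differ from the requestor and the implementer (segregation of duties), and every transition is recorded in a hash-chained log that names the configuration items touched, so that a rewritten history is detectable. The RFC identifiers, participant names, state set, priority scale and configuration-item names are assumptions of this example.

```python
# Change-control workflow sketch for the control objectives above. Names, states,
# identifiers and rules are this example's own assumptions, not COBIT text.
import hashlib
import json
from dataclasses import dataclass, field
from enum import Enum

class Category(Enum):
    NORMAL = "normal"        # assessed and authorised before implementation
    EMERGENCY = "emergency"  # may be implemented first; authorised retrospectively before close

class State(Enum):
    SUBMITTED = "submitted"
    ASSESSED = "assessed"
    AUTHORIZED = "authorized"
    IMPLEMENTED = "implemented"
    CLOSED = "closed"

class ControlViolation(Exception):
    """A transition that would breach one of the control objectives."""

@dataclass
class ChangeRequest:
    rfc_id: str
    requestor: str
    category: Category
    config_items: tuple                # assumed CMDB identifiers the change touches
    state: State = State.SUBMITTED
    priority: int = 3                  # assumed scale: 1 = most urgent
    authorizer: "str | None" = None
    implementer: "str | None" = None
    audit_log: list = field(default_factory=list)

    def _record(self, actor: str, event: str) -> None:
        """Append a hash-chained audit entry; editing or dropping one breaks the chain."""
        prev = self.audit_log[-1]["hash"] if self.audit_log else "0" * 64
        entry = {"rfc": self.rfc_id, "actor": actor, "event": event, "state": self.state.value, "prev": prev}
        entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.audit_log.append(entry)

    def assess(self, assessor: str, priority: int) -> "ChangeRequest":
        """Impact assessment and prioritisation, required for every change."""
        if self.state is not State.SUBMITTED:
            raise ControlViolation(f"cannot assess a change in state {self.state.value}")
        self.priority, self.state = priority, State.ASSESSED
        self._record(assessor, f"impact assessed, priority {priority}")
        return self

    def authorize(self, approver: str) -> "ChangeRequest":
        """Formal authorisation; segregation of duties keeps it away from the requestor."""
        if approver in (self.requestor, self.implementer):
            raise ControlViolation("approver must differ from requestor and implementer")
        if self.state is State.ASSESSED:
            self.state = State.AUTHORIZED
        elif not (self.state is State.IMPLEMENTED and self.category is Category.EMERGENCY):
            raise ControlViolation(f"cannot authorize a change in state {self.state.value}")
        self.authorizer = approver
        self._record(approver, "authorized")
        return self

    def implement(self, implementer: str) -> "ChangeRequest":
        """Apply the change; only the emergency path may run ahead of authorisation."""
        fast_path = self.category is Category.EMERGENCY and self.state is State.ASSESSED
        if self.state is not State.AUTHORIZED and not fast_path:
            raise ControlViolation("a normal change needs authorisation before implementation")
        self.implementer, self.state = implementer, State.IMPLEMENTED
        self._record(implementer, "implemented on " + ", ".join(self.config_items))
        return self

    def close(self, actor: str) -> "ChangeRequest":
        """Closure needs both implementation and (possibly retrospective) authorisation."""
        if self.state is not State.IMPLEMENTED or self.authorizer is None:
            raise ControlViolation("close requires an implemented and authorised change")
        self.state = State.CLOSED
        self._record(actor, "closed")
        return self

def verify_audit_log(cr: ChangeRequest) -> bool:
    """Recompute the hash chain; False if any entry was altered, inserted or removed."""
    prev = "0" * 64
    for entry in cr.audit_log:
        body = {k: v for k, v in entry.items() if k != "hash"}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if body["prev"] != prev or digest != entry["hash"]:
            return False
        prev = entry["hash"]
    return True

def run_demo() -> dict:
    """Constructed sample requests (not real data): a normal and an emergency change, plus a tampered log."""
    normal = ChangeRequest("RFC-1001", "alice", Category.NORMAL, ("web-01", "web-02"))
    normal.assess("bob", 2).authorize("carol").implement("dave").close("bob")
    emergency = ChangeRequest("RFC-1002", "alice", Category.EMERGENCY, ("fw-edge",))
    emergency.assess("bob", 1).implement("alice").authorize("carol").close("bob")
    tampered = ChangeRequest("RFC-1004", "alice", Category.NORMAL, ("app-01",)).assess("bob", 2)
    tampered.audit_log[0]["actor"] = "mallory"  # rewriting history breaks the chain
    return {"normal_state": normal.state.value, "emergency_state": emergency.state.value,
            "normal_log_ok": verify_audit_log(normal), "tampered_log_ok": verify_audit_log(tampered)}
```

`run_demo()` returns the end state of both sample changes (both "closed") and the two log checks (the untouched log verifies, the edited one does not); calling `authorize("alice")` on a change alice requested, or `implement()` on a normal change that has not been authorised, raises `ControlViolation`. The hash chain is tamper-evident, not tamper-proof: whoever can rewrite the whole log can recompute every hash, so in a real system the latest hash would be anchored outside the writer's reach (a write-once store or a signed, periodically exported record), and the approver check would be backed by authentication rather than a caller-supplied name.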
CobiT – Component Relationships

(Figure, source (Moeller, 2008: 122): business requirements drive IT processes, which deliver business information. IT processes are controlled by Control Objectives, made effective & efficient by Activity Goals, measured for performance, for outcomes and for maturity, and audited by Audit Guidelines; Control Objectives are translated into and implemented with Control Practices.)
CobiT - Contribution
• IT control objectives
  – Structured according to processes
  – Provide the link between IT governance requirements, IT processes and IT controls
• COBIT best practices support (especially in the case of irregularities):
  – Analysis / improvement of IT investments
  – Protection of IT services
  – Evaluation of processes (e.g. Key Goal Indicators and Key Performance Indicators)
• Business oriented: alignment of enterprise goals to IT goals
  – Provision of measurement parameters and maturity / capability models to gauge target fulfilment
• Identification of responsibilities
• Unified language based upon CobiT definitions and terms
• Continuously improved ("free knowledge base"); integration and alignment with other standards and reference models (e.g. ITIL)
• IT processes and control objectives: explained in detail, yet general enough to facilitate adoption in a specific business context: "good practices" for IT governance
CobiT – Critical Aspects
• COBIT is formulated in rather general terms and does not cover concrete technologies
  – Adoption / implementation of CobiT requires additional information and documents
  – COBIT does not define how control objectives shall be implemented (COBIT only establishes whether IT processes exist)
  – Additional methods / reference models are needed to establish the required steps
Conceptual Metamodelling of CobiT

(Figure.)
Goeken, M., Alter, S.: IT Governance Frameworks as Methods. Proceedings of the 10th International Conference on Enterprise Information Systems. Barcelona/Spain (2008).
Meta Modeling
• "Metamodeling" is the construction of a collection of "concepts" (things, terms, etc.) within a certain domain. A model is an abstraction of phenomena in the real world; a metamodel is yet another abstraction, highlighting properties of the model itself. A model conforms to its metamodel in the way that a computer program conforms to the grammar of the programming language in which it is written.
• Common uses for metamodels are:
  – As a schema for semantic data that needs to be exchanged or stored
  – As a language that supports a particular method
  – As a language to express additional semantics of existing information
• Because of the "meta" character of metamodeling, both the praxis and theory of metamodels are of relevance to metascience, metaphilosophy, metatheories and systemics, and meta-consciousness. The concept can be useful in mathematics, and has practical applications in computer science and computer engineering/software engineering.
http://en.wikipedia.org/wiki/Metamodeling
Conceptual Metamodelling of CobiT
Up to now, there has been little academic support for the challenges of IT governance/IT management. As a reaction, various best practice frameworks – like COBIT or CMMI – were developed. Due to their origin, these frameworks lack a sound basis or scientific foundation. To undertake a step in this direction, we propose the use of modeling notation and techniques to represent frameworks as conceptual metamodels. Accordingly, we present the well-known framework COBIT metamodeled in a conceptual way and, thereby, represent the underlying logically and semantically rich structures. We furthermore discuss the benefits of using conceptual metamodeling to analyze frameworks coming from practice. Using the metamodel, we are also able to demonstrate ways to improve the frameworks and configure them according to the specific needs of an enterprise or an industry. To have a sound basis for any improvement we discuss the process of metamodeling and derive some requirements for "good" metamodeling.
Abstract from: Goeken, M., Alter, S.: Towards Conceptual Metamodelling of IT Governance Frameworks. Approach – Use – Benefits. In: Proceedings of the 42nd Annual Hawaii International Conference on System Sciences. Waikoloa, Big Island, Hawaii, January 2009.
Goeken, M., Alter, S.: IT Governance Frameworks as Methods. Proceedings of the 10th International Conference on Enterprise Information Systems. Barcelona/Spain (2008).
Conceptual Metamodelling of CobiT

(Figure.)
Goeken, M., Alter, S.: Towards Conceptual Metamodelling of IT Governance Frameworks. Approach – Use – Benefits. In: Proceedings of the 42nd Annual Hawaii International Conference on System Sciences. Waikoloa, Big Island, Hawaii, January 2009.