What is CobIT Why implement

COBIT 5: A framework for governance and management of IT

Transcript

Optimize the value of IT with COBIT 5

COBIT 5 [1] is a framework for a comprehensive IT governance and management system that supports companies in optimizing the value of IT. The objective of COBIT 5 is to ensure a balanced relationship between added value on the one hand and the optimization of risks and resources on the other. COBIT 5 provides a proven method for aligning business and IT and can help to lastingly change the role of the CIO, from an IT expert to a strategic business partner with special responsibility for information management.

In view of the complexity of the framework, a COBIT 5 implementation without suitable tool support is difficult and time-consuming. Based on its proven software for company modeling, process4.biz has therefore developed a tool with which COBIT 5 implementations can be carried out quickly, efficiently and transparently. The p4b module for COBIT 5 guarantees the ease of use without which the full potential of the COBIT 5 framework cannot be exploited to optimize the value of IT.

COBIT 5: A framework for the governance and management of IT

The COBIT 5 framework, which was published by ISACA in April 2012, integrates the previously separate COBIT 4.1, Val IT and Risk IT frameworks and is closely coordinated with other IT standards, such as ITIL, TOGAF, PMBOK, PRINCE2, COSO, SOX and ISO. With its alignment to ISO / IEC with regard to the specification and evaluation of the processes, COBIT 5 is a significant further development of the previous COBIT 4.1 approach. On the basis of this standard, the COBIT 5 processes can now be assessed or certified in a standardized form.

COBIT 5 contains a target cascade with which the IT goals can be derived from the company goals or the requirements of the stakeholders. The importance of these IT goals, which are necessary for the fulfillment of the strategic company goals, determines the priority of the associated IT processes.

IT processes are defined on the basis of the ISO / IEC reference model. For each process, COBIT 5 specifies the process purpose, the process objectives (process results), the basic practices with the associated activities, the input and output of the work products as well as the roles and responsibilities. The process assessment in COBIT 5 is based on process attributes and key figures in accordance with ISO / IEC and differentiates between the evaluation of the process execution for level 1 and the determination of the process capability for levels 2 to 5.

The scope and the high level of detail of the process reference and assessment models place special demands on their practical implementation. The challenge is to set up and operate an IT governance and management system according to COBIT 5 in such a way that it can also be implemented efficiently and operated sensibly by lean IT organizations.

[1] COBIT 5: A Business Framework for the Governance and Management of Enterprise IT, ISACA, 2012

The p4b module for COBIT 5 was developed for this purpose. It supports the entire life cycle of a COBIT 5 implementation, from the application of the target cascade and the definition of the IT strategy, through the prioritization and implementation of the IT processes required for this, to the evaluation and improvement of these processes.

Fast, efficient and transparent COBIT 5 implementation with process4.biz

The p4b module for COBIT 5 is an expansion module from process4.biz that was developed in close cooperation with BITC [2], a content partner in the areas of IT governance and compliance. Process4.biz is a modeling software based on MS Visio and MS SQL Server, which is used for a variety of applications, such as Business Process Management (BPM), Enterprise Architecture Management (EAM), Quality and Risk Management Systems (QRMS), ISO certifications as well as Governance, Risk and Compliance (GRC) initiatives.

Using Visio as a user interface avoids the typical media break between the modeling environment and documentation. This means that redundancies and the associated additional expenses and inconsistencies can be avoided. In addition, the intuitive modeling environment significantly reduces the training effort and enables distributed use in a collaborative environment. Different modeling notations can be implemented, which can be easily adapted to specific user requirements in order to improve comprehensibility and acceptance.

In addition to the functionality for actual company modeling, process4.biz contains a large number of additional functions and extensions that support the shared use, maintenance and further development of the Visio-based models. These include:

- Approval management for Visio diagrams and objects (Visio Shapes)
- Authorization management down to the object and attribute level
- Version management
- Flexible and powerful database queries
- Data synchronization with external sources
- Publication of the models in a web portal
- Automated creation of documents
- Multilingual user interface and model content
- Automated updating and modification of multiple Visio diagrams

The high degree of consistency that is generated with this modeling and the ability to generate the documentation directly from the model content make process4.biz particularly suitable for critical applications with high requirements for regulatory compliance.

[2] BITC Business & Informationtechnology Consulting GmbH

The process4.biz module for COBIT 5

Navigation through the COBIT 5 implementation

The entry diagram of the p4b module for COBIT 5 is used to navigate through the COBIT 5 implementation. The smart tags on the navigation shapes open the linked diagrams that support the respective implementation steps.

The upper row of the navigation shapes represents the target cascade with which the IT strategy is derived from the corporate strategy or the stakeholder requirements and with which the priority of the IT processes is determined.

The middle row of the navigation shapes leads to the local IT processes of the various COBIT 5 domains. Obviously the module cannot include these processes; the corresponding links are added as part of the implementation of the module. Additional process4.biz content modules are available for specific standards such as ITIL, ISO, etc. The template processes that are delivered with these modules are also accessible via the navigation shapes in the middle row.

The bottom row of navigation shapes leads through the assessment steps defined in COBIT 5. Corresponding key figures are defined in COBIT 5 for each goal of the target cascade. The p4b module for COBIT 5 supports both the assessment of the company and IT goals and the evaluation of the process implementation for process capability level 1.

Use of the COBIT 5 target cascade

The following diagrams show how the p4b module supports the use of the COBIT 5 target cascade. Each goal can be assigned a priority, which is evaluated with the aid of the assignment tables contained in COBIT 5 in order to determine the weighted priority of the derived goals. This weighted priority is then used to determine the respective priorities of the next level of the target cascade.

With this functionality, an IT strategy can be designed quickly and efficiently. It is also possible to explore different what-if scenarios, e.g. to evaluate the influence of new strategic company goals or a new requirement of the stakeholders on the IT processes and their priorities.

[Figure: Allocation table of the COBIT 5 target cascade]

The speed and simplicity of the use of the target cascade, which is possible with the p4b module for COBIT 5, can be an essential factor in improving the alignment between business and IT, based on clear communication about the IT-relevant implications of new or changed business needs.

Managing the COBIT 5 processes

The core of the p4b module for COBIT 5 is the process cockpit, which provides the process-relevant information for an efficient COBIT 5 implementation in a condensed and at the same time transparent form.

For each process, the weighted priority number (WP) is specified; it is calculated from the associated IT goals using the COBIT 5 assignment table, taking into account the goal priority. The weighted priority numbers serve as the basis for determining the process priorities, which are displayed graphically in different colors.

In addition, the result of the process evaluation is displayed for each process, using the COBIT 5 evaluation levels. We would like to point out that the respective results of the process evaluations are not entered manually in this diagram. Rather, they are determined on the basis of the process indicators contained in the process assessment diagrams presented below.

The smart tags attached to the respective processes lead to the process reference and assessment diagrams, which are presented in the next section. The seamless connection of high-level process information and direct navigation to the next level of detail make this process cockpit a powerful tool to evaluate the status of a COBIT 5 implementation and to identify those areas to which management should pay special attention.

Applying the process reference model

COBIT 5 specifies the processes using a reference model according to ISO / IEC. For each process, the basic practices, the input and output of the work products, the responsibilities and the associated activities are defined. The p4b module for COBIT 5 contains these elements of the process reference model in the form of the diagrams below, which cover the entire scope of the COBIT 5 document Enabling Processes.

The elements of the COBIT 5 process reference model, such as the COBIT activities, can be linked to the local processes and assessed with a compliance status, which can be displayed via a color code. With the help of this functionality, weak-point analyses can be carried out quickly and efficiently. Process4.biz can also be used to manage the improvement measures initiated as a result of the weak points.

With the help of the database functionality contained in process4.biz, the status of a COBIT 5 implementation can be assessed very easily. Status reports can be generated as queries on the model content, e.g. to create a list of all elements of the reference model with serious deficiencies for the high-priority processes, including the links to the local processes and the associated improvement measures.

This makes the p4b module for COBIT 5 an effective enabler for a fast, efficient and transparent COBIT 5 implementation, which supports the entire life cycle of the implementation with a high degree of consistency.

Applying the process assessment model

The process assessment model contained in COBIT 5 defines six levels of process capability that are not comparable with the previous maturity levels of COBIT 4.1. COBIT 5 differentiates between the evaluation of the process execution for level 1 and the evaluation of the process capability for the higher levels. A process capability level of 1 means that the process fulfills its process purpose and reliably achieves the results specified for it individually. For the higher levels of process capability, COBIT 5 refers to the generic attributes of ISO / IEC.

As a basis for further process improvement, the p4b module for COBIT 5 focuses on reaching level 1 of process capability, which is defined by the process-specific reference model. For each process, the p4b module for COBIT 5 contains the process purpose, the respective process results and the associated key figures in a diagram, as shown below.

Based on the current assessment of the local processes, each key figure is evaluated in accordance with the DIN / ISO scale for evaluating process attributes. The individual evaluations are combined into a consolidated evaluation for the process. Priorities can be assigned to the individual process results in order to achieve a relative weighting of the respective key figures.

The final result of this process assessment, namely the consolidated process evaluation, is shown graphically on the shape itself. This information can therefore also be made available on other diagrams that contain this shape, e.g. the process cockpit already described above.

The evaluation of all process evaluations, together with the respective weak-point analyses in relation to the reference model, can be used to define the necessary corrective measures and serves as the basis for the continuous improvement of the processes.

Improving IT with process4.biz

The p4b module for COBIT 5 is not an isolated solution. It can be seamlessly integrated into other models and connected to additional p4b content modules. In addition to COBIT 5, an ITIL module is available. This module contains template processes with a higher level of detail that cover the entire scope of ITIL. The process templates are based on practical experience and best practices and are designed in such a way that they can be used directly by small and medium-sized companies and implemented quickly and efficiently. Other content modules can be made available if required, e.g. for the implementation of an ISMS (Information Security Management System) and an ISO certification.

Due to its high flexibility, process4.biz can be used in a wide range of applications. This makes process4.biz the ideal tool for modeling and documenting the entire IT environment. The framework developed by BITC for modeling IT covers all layers of an information architecture that are taken into account to support major change programs, system implementations, certifications as well as IT compliance and improvement initiatives.

The use of process4.biz as a modeling environment offers a number of unique advantages:

- The modeling and the documentation take place in just one work step. The creation of a Visio diagram creates the documentation and at the same time generates the model content without additional effort.
- Automated creation of IT documents directly from the model content, using the p4b extensions QueryBuilder and DocumentComposer.
- Better communication between business and IT. The use of process4.biz enables the creation of different views of the IT architecture. A logical, business-oriented view of IT can be seamlessly combined with a physical, technology-oriented view.
- Better collaboration in a common, transparent IT environment. The model contents can be published in a web portal, either statically or dynamically, with an optional interface to MS SharePoint.
- Better and more efficient compliance. A high degree of consistency with minimal redundancies, flexible database queries for evaluating compliance and the option of generating documents directly from the model content form an ideal platform for certification, risk management and other compliance initiatives.

For detailed information about the process4.biz basic software, the process4.biz extensions and the other process4.biz content modules, please visit our website or contact us on