Design Guide Chapter 1 - 3 Flashcards
A Governance or management objective
Always relates to one objective
A governance objective relates to a
Governance process
A management objective relates to a
Management process
Boards and executive management are typically accountable for
Governance Process
Management processes are the domain of
Senior and Middle Management
Governance Objectives are grouped in
Evaluate, Direct and Monitor (EDM)
EDM - Evaluate, Direct and Monitor
Governing body evaluates strategic options, directs senior management and monitors the achievement of the strategy
Management objectives are
APO - Align, Plan, and Organize
BAI - Build, Acquire, and Implement
DSS - Deliver, Service, and Support
MEA - Monitor, Evaluate and Assess
APO
Align, Plan, and Organize - Addresses the overall organization, strategy, and supporting activities for I&T
BAI
Build, Acquire, and Implement - treats the definition, acquisition, and implementation of I&T solutions and their integration in the business process.
DSS
Deliver, Service, and Support - Addresses operational delivery and support of I&T services, including security.
MEA
Monitor, Evaluate, and Assess - Addresses performance monitoring and conformance of I&T with internal performance targets, internal control objectives and external requirements.
EDM01
Ensured governance framework setting and maintenance
EDM02
Ensured benefits delivery
EDM03
Ensured risk optimization
EDM04
Ensured resource optimization
EDM05
Ensured stakeholder engagement
APO01
Managed I&T Management Framework
APO02
Managed Strategy
APO03
Managed Enterprise Architecture
APO04
Managed Innovation
APO05
Managed Portfolio
APO06
Managed Budget and Costs
APO07
Managed Human Resources
APO08
Managed Relationships
APO09
Managed Service Agreements
APO10
Managed Vendors
APO11
Managed Quality
APO12
Managed Risks
APO13
Managed Security
APO14
Managed Data
BAI01
Managed Programs
BAI02
Managed Requirement Definitions
BAI03
Managed Solution Identification and Build
BAI04
Managed Availability and Capacity
BAI05
Managed Organizational Change
BAI06
Managed IT Changes
BAI07
Managed IT Change Acceptance and Transitioning
BAI08
Managed Knowledge
BAI09
Managed Assets
BAI10
Managed Configuration
BAI11
Managed Projects
DSS01
Managed Operations
DSS02
Managed Service Requests and Incidents
DSS03
Managed Problems
DSS04
Managed Continuity
DSS05
Managed Security Services
DSS06
Managed Business Process Control
MEA01
Managed Performance and Conformance Monitoring
MEA02
Managed System and Internal Control
MEA03
Managed Compliance with External Requirements
MEA04
Managed Assurance
Components are factors that
Individually and collectively, contribute to the good operation of the enterprise's governance system over I&T
Components interact with each other
resulting in a holistic governance system for I&T
Components can be of different types:
Processes; Organizational Structures; Policies and Procedures; Information items; Culture and behavior; Skills and Competencies; and services, infrastructure, and applications.
Generic Components are
those described in the COBIT Core Model; they apply in any situation, but need to be customized.
Variant Components are
based on generic components but tailored for a specific context or purpose within a focus area.
Focus Area
Describes a certain governance topic, domain or issue that can be addressed by a collection of governance and management objectives and their governance.
Examples of Focus Areas
Small and Middle Enterprises;
Cybersecurity;
Digital Transformation;
Cloud Computing;
Privacy;
DevOps.
Capability Levels (CMMI - Capability Maturity Model Integration)
Measure for how well a process is implemented and performing.
Capability Level - 0
*Lack of any basic capability;
*Incomplete approach to addressing governance and management purpose;
*May or may not be meeting the intent of any process practice.
Capability Level - 1
The process more or less achieves its purpose through the application of an incomplete set of activities that can be characterized as initial or intuitive; not very organized.
Capability Level - 2
The process achieves its purpose through the application of a basic, yet complete, set of activities that can be characterized as performed.
Capability Level - 3
The process achieves its purpose in a much more organized way using organizational assets. Processes are typically well-defined.
Capability Level - 4
The process achieves its purpose, is well defined, and its performance is (quantitatively) measured.
Capability Level - 5
The process achieves its purpose, is well defined, its performance is measured in order to improve it, and continuous improvement is pursued.
Capability Level - Any level at 3 or up is called …
Higher
Capability Level - Anything below 3 is called …
Lower
Design Factors are
Factors that can influence the design of an enterprise’s governance system and position it for success in the use of I&T.
The Design Factors are:
Enterprise Strategy
Enterprise Goal
Risk Profile
I&T Related Issues
Threat Landscape
Compliance Requirements
Role of IT
Sourcing Model for IT
IT Implementation Methods
Technology Adoption Strategy
Enterprise Size
Enterprise Strategy
Enterprises can have different strategies, which can be expressed as one or more of the following archetypes.
Organizations typically have a primary strategy and, at most, one secondary strategy.
Example of Enterprise Strategies
**Growth/Acquisition - The enterprise has a focus on growing revenues.
**Innovation/Differentiation - The enterprise has a focus on offering different and/or innovative products and services to their clients.
**Cost Leadership - The enterprise has a focus on short-term cost minimization.
**Client Service/Stability - The enterprise has a focus on providing a stable and client-oriented service.
Enterprise goals
Supporting the enterprise strategy - Enterprise strategy is realized by the achievement of (a set of) enterprise goals. These goals are defined in the COBIT framework, and structured along the balanced scorecard (BSC) dimensions:
Financial
Customer
Internal
Growth
Enterprise Goal - Financial
EG01 - Portfolio of competitive products and services
EG02 - Managed business risk
EG03 - Compliance with external laws and regulations
EG04 - Quality of financial information
Enterprise Goal - Customer
EG05 - Customer-oriented service culture
EG06 - Business service continuity and availability
EG07 - Quality of management information
Enterprise Goal - Internal
EG08 - Optimization of internal business process functionality
EG09 - Optimization of business process costs
EG10 - Staff skills, motivation and productivity
EG11 - Compliance with internal policies
Enterprise Goal - Growth
EG12 - Managed digital transformation programs
EG13 - Product and business innovation
Risk Profile
The risk profile of the enterprise and its current issues in relation to I&T. The risk profile identifies the sort of IT-related risk to which the enterprise is currently exposed and indicates which areas of risk are exceeding the risk appetite.
Risk Category
1.-IT-investment decision making, portfolio definition, and maintenance
Risk Scenarios
A. Programs selected for implementation misaligned with corporate strategy and priorities
B. Failure of IT-related Investments to support digital strategy of the enterprise
C. Selection of wrong software (in terms of cost, performance, features, compatibility, redundancy, etc.) for acquisition and implementation
D. Selection of wrong infrastructure (in terms of cost, performance, features, compatibility, etc.) for implementation
E. Duplication or important overlaps between different investment initiatives
F. Long-term incompatibility between new investment programs and enterprise architecture
G. Misallocation, inefficient manage
Risk Category
2.-Program and projects lifecycle management
A. Failure of senior management to terminate failing projects (due to cost explosion, excessive delays, scope creep, and changed business priorities)
B. Budget overruns for I&T projects
C. Lack of quality of I&T projects
D. Late delivery of I&T projects
E. Failure of third-party outsourcers to deliver projects as per contractual agreements (any combination of exceeded budgets, quality problems, missing functionality, late delivery)
Risk Category
3.-IT cost and oversight
A. Extensive dependency on, and use of, user-created, user-defined, user-maintained applications and ad hoc solutions
B. Excess cost and/or ineffectiveness of I&T-related purchases outside of the I&T procurement process
C. Inadequate requirements leading to ineffective Service Level Agreements (SLAs)
D. Lack of funds for I&T related investments
Risk Category
4.-IT expertise, skills and behavior
A. Lack or mismatch of IT-related skills within IT (e.g., due to new technologies or working methods)
B. Lack of business understanding by IT staff that affects service delivery/project quality
C. Inability to recruit and retain IT staff
D. Recruitment of unsuitable profiles because of lack of due diligence in the recruitment process
E. Lack of I&T training
F. Overreliance for I&T services on key staff
Risk Category
5.-Enterprise/IT architecture
A. Complex, inflexible enterprise architecture (EA), obstructing further evolution and expansion, and leading to missed business opportunities
B. Failure to timely adopt and exploit new infrastructure or abandon obsolete infrastructure
C. Failure to timely adopt and exploit new software (functionality, optimization, etc.) or to abandon obsolete applications
D. Undocumented EA leading to inefficiencies and duplications
E. Excessive number of exceptions on enterprise architecture standards
Risk Category
6.-IT operational infrastructure incidents
A. Accidental damaging of IT equipment
B. Errors by IT staff (during backup, during upgrades of systems, during maintenance of systems, etc.)
C. Incorrect information input by IT staff or system users
D. Destruction of data center (sabotage, etc.) by staff
E. Theft of device with sensitive data
F. Theft of a key infrastructure component
G. Erroneous configuration of hardware components
H. Intentional tampering with hardware (security devices, etc.)
I. Abuse of access rights from prior roles to access IT infrastructure
J. Loss of backup media or backups not checked for effectiveness
K. Loss of data by cloud provider
L. Operational-service interruption by cloud providers
Risk Category
7.-Unauthorized actions
A. Tampering with software
B. Intentional modification or manipulation of software leading to incorrect data
C. Intentional modification or manipulation of software leading to fraudulent actions
D. Unintentional modification of software leading to inaccurate results
E. Unintentional configuration and change-management errors
Risk Category
8.- Software adoption/usage problems
A. Nonadoption of new application software by users
B. Inefficient use of new software by users
Risk Category
9.-Hardware incidents
A. System instability in wake of installing new infrastructure, leading to operational incidents (e.g., BYOD program)
B. Inability of systems to handle transaction volumes when user volumes increase
C. Inability of systems to handle load when new applications or initiatives are deployed
D. Utilities failure (telecom, electricity)
E. Hardware failure due to overheating and/or other environmental conditions like humidity
F. Damaging of hardware components leading to destruction of data by internal staff
G. Loss/disclosure of portable media containing sensitive data (CD, USB drives, portable disks, etc.)
H. Extended resolution time or support delays in case of hardware incidents
Risk Category
10.-Software failures
A. Inability to use the software to realize desired outcomes (e.g., failure to make required business model or organizational changes)
B. Implementation of immature software (early adopters, bugs, etc.)
C. Operational glitches when new software is made operational
D. Regular software malfunctioning of critical application software
E. Obsolete application software (outdated, poorly documented, expensive to maintain, difficult to extend, not integrated in current architecture, etc.)
F. Inability to revert back to former versions in case of operational issues with a new version
G. Software-induced corrupted data(base) leading to inaccessible data
Risk Category
11.-Logical attacks (hacking, malware, etc.)
A. Unauthorized (internal) users trying to break into systems
B. Service interruption due to denial-of-service (DoS) attack
C. Website defacement
D. Malware attack
E. Industrial espionage
F. Hacktivism
G. Disgruntled employee implements a time bomb which leads to data loss
H. Company data stolen through unauthorized access gained by a phishing attack
I. Foreign government attacks on critical systems
Risk Category
12.-Third-party/supplier incidents
A. Inadequate performance of outsourcer in large-scale, long-term outsourcing arrangement (e.g., through lack of supplier due diligence regarding financial viability, delivery capability and sustainability of supplier's service)
B. Accepting unreasonable terms of business from IT suppliers
C. Inadequate support and services delivered by vendors, not in line with SLA
D. Noncompliance with software license agreements (use and/or distribution of unlicensed software)
E. Inability to transfer to alternative suppliers due to overreliance or overdependence on current supplier
F. Purchase of IT services (especially cloud services) by the business without consultation/involvement of IT, resulting in inability to integrate the service with in-house services
G. Inadequate or unenforced SLA to obtain agreed services and penalties in case of noncompliance
Risk Category
13.-Noncompliance
A. Noncompliance with national or international regulations (e.g., privacy, accounting, manufacturing, environmental, etc.)
B. Lack of awareness of potential regulatory changes that may have a business impact
C. Operational obstacles caused by regulations
D. Failure to comply with internal procedures
Risk Category
14.-Geopolitical issues
A. Lack of access due to disruptive incident in other premises
B. Government interference and national policies impacting the business
C. Targeted action from government-sponsored groups or agencies
Risk Category
15.-Industrial action
A. Facilities and building inaccessible because of labor union strike
B. Third-party providers unable to provide services because of strike
C. Key staff unavailable through industrial action (e.g., transportation or utilities strike)
Risk Category
16.-Acts of nature
A. Earthquake destroying or damaging important IT infrastructure
B. Tsunami destroying critical premises
C. Major storms and tropical cyclone or tornado damaging critical infrastructure
D. Major wildfire
E. Flooding
F. Rising water table leaving critical location unusable
G. Rising temperature rendering critical locations uneconomical to operate
Risk Category
17.-Technology-based innovation
A. Failure to identify new and important technology trends
B. Failure to appreciate the value and potential of new technologies
C. Failure to adopt and exploit new technologies in a timely manner (functionality, process optimization, etc.)
D. Failure to provide technology support for new business models
Risk Category
18.-Environmental
A. Environmentally unfriendly equipment (e.g., power consumption, packaging)
Risk Category
19.-Data and information management
A. Discovery of sensitive information by unauthorized persons due to inefficient retaining/archiving/disposing of information
B. Intentional illicit or malicious modification of data
C. Unauthorized disclosure of sensitive information through email or social media
D. Loss of IP and/or leakage of competitive information
I&T-related issues
A related method for an I&T risk assessment for the enterprise is to consider which I&T-related issues it currently faces, or, in other words, what I&T-related risk has materialized.
I&T-related issues A
Frustration between different IT entities across the organization because of a perception of low contribution to business value
I&T-related issues B
Frustration between business departments (i.e., the IT customer) and the IT department because of failed initiatives or a perception of low contribution to business value
I&T-related issues C
Significant IT-related incidents, such as data loss, security breaches, project failure, application errors, etc., linked to IT
I&T-related issues D
Service delivery problems by the IT outsourcer(s)
I&T-related issues E
Failures to meet IT-related regulatory or contractual requirements
I&T-related issues F
Regular audit findings or other assessment reports about poor IT performance or reported IT quality or service problems
I&T-related issues G
Substantial hidden and rogue IT spending, that is, IT spending by user departments outside the control of the normal IT investment decision mechanisms and approved budgets
I&T-related issues H
Duplications or overlaps between various initiatives or other forms of wasting resources
I&T-related issues I
Insufficient IT resources, staff with inadequate skills or staff burnout/dissatisfaction
I&T-related issues J
IT-enabled changes or projects frequently failing to meet business needs and delivered late or over budget
I&T-related issues K
Reluctance by board members, executives or senior management to engage with IT, or lack of committed business sponsors for IT
I&T-related issues L
Complex IT operating model and/or unclear decision mechanisms for IT-related decisions
I&T-related issues M
Excessively high cost of IT
I&T-related issues N
Obstructed or failed implementations of new initiatives or innovations caused by the current IT architecture and system
I&T-related issues O
Gap between business and technical knowledge which leads to business users and IT and/or technology specialists speaking different languages
I&T-related issues P
Regular issues with data quality and integration of data across various sources
I&T-related issues Q
High level of end-user computing, creating (among other problems) a lack of oversight and quality control over the applications that are being developed and put in operation
I&T-related issues R
Business departments implementing their own information solutions with little or no involvement of the enterprise IT department
I&T-related issues S
Ignorance and/or noncompliance with security and privacy regulations
I&T-related issues T
Inability to exploit new technologies or to innovate using I&T
Threat landscape
The threat landscape under which the enterprise operates can be classified as normal or high.
Threat landscape - Normal
The enterprise is operating under what are considered normal threat levels
Threat landscape - High
Due to its geopolitical situation, industry sector or particular profile, the enterprise is operating in a high-threat environment.
Compliance requirements
The compliance requirements to which the enterprise is subject can be classified according to the following categories:
**Low compliance requirements
**Normal compliance requirements
**High compliance requirements
Low compliance requirements
The enterprise is subject to a minimal set of regular compliance requirements that are lower than average.
Normal compliance requirements
The enterprise is subject to a set of regular compliance requirements that are common across different industries.
High compliance requirements
The enterprise is subject to higher than average compliance requirements, most often related to industry sector or geopolitical conditions.
Role of IT
The role of IT for the enterprise can be classified as Support, Factory, Turnaround and Strategic.
Role of IT - Support
IT is not crucial for the running and continuity of the business process and services, nor for their innovation.
Role of IT - Factory
When IT fails, there is an immediate impact on the running and continuity of the business processes and services. However, IT is not seen as a driver for innovating business processes and services.
Role of IT - Turnaround
IT is seen as a driver for innovating business processes and services. At this moment, however, there is not a critical dependency of IT for the current running and continuity of the business processes and services.
Role of IT - Strategic
IT is critical for both running and innovating the organization’s business processes and services.
Sourcing model for IT
The sourcing model the enterprise adopts can be classified as:
**Outsourcing
**Cloud
**Insourced
**Hybrid
Sourcing model for IT - Outsourcing
The enterprise calls upon the services of a third party to provide IT services.
Sourcing model for IT - Cloud
The enterprise maximizes the use of the cloud for providing IT services to its users.
Sourcing model for IT - Insourced
The enterprise provides its own IT staff and services.
Sourcing model for IT - Hybrid
A mixed model is applied, combining the three models above in varying degrees.
IT implementation methods
The methods the enterprise adopts can be classified as noted:
**Agile
**DevOps
**Traditional
**Hybrid
IT implementation methods - Agile
The enterprise uses Agile development working methods for its software development.
IT implementation methods - DevOps
The enterprise uses DevOps working methods for software building, deployment and operations.
IT implementation methods - Traditional
The enterprise uses a more classic approach towards software development (waterfall) and separates software development and operations.
IT implementation methods - Hybrid
The enterprise uses a mix of traditional and modern IT implementation, often referred to as “bimodal IT.”
Technology adoption strategy
The technology adoption strategy can be classified as listed:
**First mover
**Follower
**Slow adopter
Technology adoption strategy - First mover
The enterprise generally adopts new technologies as early as possible and tries to gain first-mover advantage.
Technology adoption strategy - Follower
The enterprise typically waits for a new technology to become mainstream and proven before adopting it.
Technology adoption strategy - Slow adopter
The enterprise is very late in its adoption of new technologies.
Enterprise size
Two categories:
**Large enterprise (default) - Enterprises with more than 250 full-time employees (FTEs)
**Small and medium enterprise - Enterprises with 50 to 250 FTEs
Why is there no Industry Sector Design Factor?
Every industry sector has its own unique set of requirements regarding expectations from the use of I&T. However, it is possible to capture the key characteristics of an industry sector by a combination of the design factors listed in the preceding tables.
Impact of Design Factors
Design factors influence the tailoring of an enterprise's governance system in different ways. This publication distinguishes three different types of impact:
1.-Management Objective Priority and Target Capability Levels
2.-Component Variations
3.-Specific Focus Areas
Impact of Design Factors - Management objective priority/selection
The COBIT core model contains 40 governance and management objectives, each consisting of the process and a number of related components. They are intrinsically equivalent; there is no natural order of priority among them. However, design factors can influence this equivalence and make some governance and management objectives more important than others.
Example: When an enterprise identifies the most relevant enterprise goal(s) from the enterprise goal list and applies the goals cascade, this will lead to a selection of priority management objectives. For example, when EG01 Portfolio of competitive products and services is ranked as very high by an enterprise, this will make management objective APO05 Managed portfolio an important part of this enterprise’s governance system.
Example: An enterprise that is very risk averse will give more priority to management objectives that aspire to govern and manage risk and security. Governance and management objectives EDM03 Ensured risk optimization, APO12 Managed risk, APO13 Managed security and DSS05 Managed security services will become important parts of that enterprise's governance system and will have higher target capability levels defined for them.
Example: An enterprise in which the role of IT is strategic and crucial to the success of the business will require high involvement of IT-related roles in organizational structures, a thorough understanding of business by IT professionals (and vice versa), and a focus on strategic processes such as APO02 Managed strategy and APO08 Managed relationships.
Impact of Design Factors - Component Variation
Components are required to achieve governance and management objectives. Design factors can mandate specific variations of components or can influence the importance of components.
Example: Small and medium enterprises might not need the full set of roles and organizational structures as laid out in the COBIT core model, but may use a reduced set instead. This reduced set of governance and management objectives and the included components is defined in the small and medium enterprise focus area.
Example: An enterprise which operates in a highly regulated environment will attribute more importance to documented work products and policies and procedures and to some roles, e.g., the compliance officer function.
Example: An enterprise that uses DevOps in solution development and operations will require specific activities, organizational structures, culture, etc., focused on BAI03 Managed solutions identification and build and DSS01 Managed operations.
Impact of Design Factors - Need for specific focus area guidance
Some design factors, such as threat landscape, specific risk, target development methods and infrastructure set-up, will drive the need for variation of the core COBIT model content to a specific context.
Example: Enterprises adopting a DevOps approach will require a governance system that has a variant of several generic COBIT processes, described in the DevOps focus area guidance for COBIT.
Example: Small and medium enterprises have less staff, fewer IT resources, and shorter and more direct reporting lines, and differ in many more aspects from large enterprises. For that reason, their governance system for I&T will have to be less onerous, compared to large enterprises. This is described in the SME focus area guidance of COBIT.