COBIT: Control Objectives for Information and Related Technologies (Bilgi ve İlgili Teknolojiler İçin Kontrol Hedefleri)
ISE501 Foundations in IT Management
Eda TOPALOĞLU (120510001), Emriye COŞKUN (120510004), Faruk TİFTİKCİ (120501004)
What is COBIT?
- Provides us with an understanding of IT
- Lets us decide more efficiently about IT
- By using it, we can understand and manage IT investments
- Identifies the major IT resources
- Defines the management control objectives
- Organises IT activities
- Better quality IT services
What is COBIT?
COBIT helps managers, controllers and IT users to reach their goals.
COBIT is focused on what is required to:
- reduce related risks
- increase the value of IT
What are the differences between COBIT 4.1 and COBIT 5?
1. New GEIT Principles
2. Increased Focus on Enablers
3. New Process Reference Model
4. New and Modified Processes
5. Practices and Activities
6. Goals and Metrics
7. Inputs and Outputs
8. RACI Charts
9. Process Capability Maturity Models and Assessments
1. New GEIT Principles
COBIT 5 is based on five key principles.
1.1. Meeting Stakeholder Needs
Enterprises have many stakeholders.
Value creation means realising benefits at an optimal resource cost while optimising risk.
Enterprises exist to create value for their stakeholders.
The governance system should consider all stakeholders when making benefit, resource and risk assessment decisions.
Stakeholder needs have to be transformed into an enterprise's actionable strategy.
The COBIT 5 goals cascade is the mechanism to translate stakeholder needs into specific, actionable and customised enterprise goals.
1.2. Covering the Enterprise End-to-End
COBIT 5 addresses the governance and management of information and related technology from an enterprise-wide, end-to-end perspective.
This means that COBIT 5:
- Integrates governance of enterprise IT into enterprise governance.
- Covers all functions and processes within the enterprise.
1.3. Applying a Single Integrated Framework
COBIT 5 is a single and integrated framework because:
- it aligns with other latest relevant standards and frameworks used by enterprises
- it provides a simple architecture for structuring guidance materials
- it integrates different ISACA frameworks such as Val IT, Risk IT and BMIS
This allows the enterprise to use COBIT 5 as the governance and management framework integrator.
The following frameworks, standards and other guidance were used as reference material and input for the development of COBIT 5:
- ITIL
- TOGAF
- ISO
- FEA (Federal Enterprise Architecture)
- CEAF (The Commission Enterprise IT Architecture Framework)
- APM (Association for Project Management)
- etc.
1.4. Enabling a Holistic Approach
The COBIT 5 framework describes seven categories of enablers:
1. Principles, policies and frameworks
2. Processes
3. Organisational structures
4. Culture, ethics and behaviour
5. Information
6. Services, infrastructure and applications
7. People, skills and competencies
1.4.1. Principles, policies and frameworks
Principles, policies and frameworks are the vehicle to translate the desired behaviour into practical guidance for day-to-day management.
1.4.2. Processes
Processes describe an organised set of practices. Processes describe the activities to achieve certain objectives and produce a set of outputs.
1.4.3. Organisational Structures
Organisational structures are the decision-making mechanism in an enterprise.
1.4.4. Culture, ethics and behaviour
Culture, ethics and behaviour of individuals are very often ignored in governance and management activities.
1.4.5. Information
Information is pervasive throughout any organisation. Information is required for keeping the organisation running.
1.4.6. Services, infrastructure and applications
Services, infrastructure and applications include the infrastructure, technology and applications that provide the enterprise with information technology.
1.4.7. People, skills and competencies
People, skills and competencies are linked to people and are required for successful completion of all activities and for making correct decisions and taking corrective actions.
1.5. Separating Governance from Management
The COBIT 5 framework makes a clear distinction between governance and management.
These two disciplines:
- Encompass different types of activities
- Require different organisational structures
- Serve different purposes
Governance: In most enterprises, governance is the responsibility of the board of directors under the leadership of the chairperson.
Management: In most enterprises, management is the responsibility of the executive management under the leadership of the CEO.
Governance: Governance ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved.
Management: Management plans, builds, runs and monitors activities to achieve the enterprise objectives.
Val IT and Risk IT frameworks are principles-based. COBIT 5 includes Risk IT and Val IT.
Risk IT
- IT risk is a part of business risk
- Provides an end-to-end, comprehensive view of all risks
- Helps to understand how to manage the risk
- Risk can be categorised as:
  - IT benefit/value enabler
  - IT operation and service delivery
  - IT programme/project delivery
Val IT
- Is a governance framework that can be used to create business value from IT investments
- This framework is used to realise value from investments
2. Increased Focus on Enablers
COBIT 4.1 did not have enablers. Information, infrastructure, applications (services) and people (people, skills and competencies) were COBIT 4.1 resources.
This part is related to Enabling a Holistic Approach (see 1.4).
3. New Process Reference Model
COBIT 5 is based on a revised process reference model with a new governance domain and several new and modified processes that now cover enterprise activities end-to-end, i.e., business and IT function areas.
COBIT 5 consolidates COBIT 4.1, Val IT and Risk IT into one framework.
4. New and Modified Processes
COBIT 5 introduces five new governance processes that have leveraged and improved COBIT 4.1, Val IT and Risk IT governance approaches.
This guidance helps enterprises to further refine and strengthen executive management-level GEIT practices and activities.
There are several new and modified processes that reflect current thinking, in particular:
- APO03 Manage enterprise architecture
- APO04 Manage innovation
- APO05 Manage portfolio
- APO06 Manage budget and costs
- APO08 Manage relationships
- APO13 Manage security
- BAI05 Manage organisational change enablement
- BAI08 Manage knowledge
- BAI09 Manage assets
- DSS05 Manage security service
- DSS06 Manage business process controls
COBIT 5 processes now cover end-to-end business and IT activities, i.e., a full enterprise-level view.
This provides a more holistic and complete coverage of practices, reflecting the pervasive enterprise-wide nature of IT use.
5. Practices and Activities
The COBIT 5 governance or management practices are equivalent to the COBIT 4.1 control objectives and Val IT and Risk IT processes.
The COBIT 5 activities are equivalent to the COBIT 4.1 control practices and Val IT and Risk IT management practices.
6. Goals and Metrics
COBIT 5 follows the same goal and metric concepts as COBIT 4.1, Val IT and Risk IT, but these are renamed enterprise goals, IT-related goals and process goals, reflecting an enterprise-level view.
COBIT 5 provides a revised goals cascade based on enterprise goals driving IT-related goals and then supported by critical processes.
7. Inputs and Outputs
COBIT 5 provides inputs and outputs for every management practice, whereas COBIT 4.1 only provided these at the process level.
This provides additional detailed guidance for designing processes to include essential work products and to assist with inter-process integration.
8. RACI Charts
COBIT 5 provides RACI charts describing roles and responsibilities in a similar way to COBIT 4.1, Val IT and Risk IT.
COBIT 5 provides a more complete, detailed and clearer range of generic business and IT role players and charts than COBIT 4.1 for each management practice, enabling better definition of role player responsibilities or level of involvement when designing and implementing processes.
Source: COBIT® 5: Enabling Processes, page 31. © 2012 ISACA® All rights reserved.
Source: COBIT® 4.1, page 39. © 2007 IT Governance Institute® All rights reserved.
9. Process Capability Models and Assessments
COBIT 5 discontinues the COBIT 4.1, Val IT and Risk IT CMM-based capability maturity modelling approach.
COBIT 5 will be supported by a new process capability assessment approach based on ISO/IEC 15504, and the COBIT Assessment Programme has already been established for COBIT 4.1 as an alternative to the CMM approach.
The COBIT Assessment Programme approach is considered by ISACA to be more robust, reliable and repeatable as a process capability assessment method.
The COBIT Assessment Programme supports:
- Formal assessments by accredited assessors (assessor training is being developed)
- Less rigorous self-assessments for internal gap analysis and process improvement planning
COBIT 4.1, Val IT and Risk IT users wishing to move to the new COBIT Assessment Programme approach will need to realign their previous ratings, adopt and learn the new method, and initiate a new set of assessments in order to gain the benefits of the new approach.
Although some of the information gathered from previous assessments may be reusable, care will be needed in migrating this information forward because there are significant differences in requirements.
COBIT 5 FRAMEWORK
DEFINITION
COBIT 5 is a governance and management framework for information and related technology that starts from stakeholder needs with regard to information and technology.
The COBIT 5 framework is intended for all enterprises, including non-profit and public sector.
COBIT 5 Framework - 5 Principles
The COBIT 5 framework is based on 5 principles.
Principle 1: Integrator Framework
COBIT 5 is an integrator framework since it:
- Brings together existing ISACA guidance on governance and management of enterprise IT
- Aligns with the latest relevant other standards and frameworks
- Provides a simple architecture for structuring guidance materials and producing a consistent product set
Principle 2: The Governance Objective: Stakeholder Value
Enterprises exist to create value for their stakeholders, so the governance objective for any enterprise is value creation.
Value creation: realising benefits at an optimal resource cost whilst optimising risk.
Principle 3: Business and Context Focus
- Focusing on enterprise goals and objectives, by covering all of the critical business elements
- Every organisation operates in a different context; this context is determined by external factors
- This requires that every organisation builds its own, customised governance and management system
Principle 4: The COBIT 5 Governance Approach: Enabler-based
Governance Enablers: They are the organisational resources for governance, such as frameworks, principles, structures, processes and practices, toward or through which action is directed and objectives can be attained.
Governance Scope: Governance can be applied to the whole enterprise, an entity, or a tangible or intangible asset.
Roles, Activities and Relationships: how they are involved, what they do and how they interact.
Principle 5: Governance and Management Structured
The COBIT 5 framework makes a clear distinction between governance and management.
These two disciplines:
- include different types of activities
- require different organisational structures
- serve different purposes
Governance: It ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritisation and decision making; and monitoring performance and compliance against agreed-on direction and objectives.
Management: It plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives.
COBIT 5 Architecture
The Governance Objectives
- Existing ISACA guidance (COBIT 4.1, Val IT 2, Risk IT, BMIS, etc.)
- Other relevant standards and frameworks
COBIT 5 Enablers
- Processes; Culture, Ethics and Behaviour; Organisational Structure; Information; Principles and Policies; Skills and Competencies; Service Capabilities
COBIT 5 Knowledge Base:
- Current guidance and content
- Structure for future contents
COBIT 5 Product Family
- COBIT 5: The Framework (this volume)
- COBIT 5: Process Reference Guide
- COBIT 5: Implementation Guide
- COBIT 5: Practice Guide
Value creation
The governance objective is value creation, which means realising benefits at an optimal resource cost whilst optimising risk.
The stakeholders for enterprise IT can be internal or external.
Governance Objectives
Governance objectives are based on the stakeholders' needs and the value creation (benefits, resources and risks).
The existing ISACA guidance is used: COBIT 4.1, Val IT, Risk IT, BMIS, ITAF, TGF, Board Briefing.
Other relevant frameworks: ITIL, TOGAF.
Goals Cascade
- Governance objectives translate into enterprise goals
- Realising enterprise goals requires IT-related goals
- For IT-related goals to be achieved, enablers are required
Enterprise goals mapped to Governance Objectives
IT-related goals
Enablers
Enablers are tangible and intangible elements that make governance and management over enterprise IT work. The enablers are driven by the goals cascade.
Generic Enabler Model
This model is a key component of the COBIT 5 framework because it is the basic structure for all seven categories of enablers.
The generic model identifies a number of components that are common for each enabler:
Enabler Capability Levels
The process maturity model of COBIT 4.1 has been replaced with a capability model based on ISO/IEC 15504.
Knowledge base and products
- The knowledge base contains all guidance and content
- A series of products is built from the knowledge base
Governance and Management Processes
COBIT 5 holds that an organisation should implement governance and management processes such that the key areas above are covered.
The GOVERNANCE domain contains five governance processes; within each process, evaluate, direct and monitor practices are defined.
The 4 MANAGEMENT domains, in line with the responsibility areas of plan, build, run and monitor, provide end-to-end coverage of IT.
Process Reference Model
- 1 governance domain: EDM
- 4 management domains: APO, BAI, DSS, MEA
The complete set of 36 processes: 5 governance and 36 management processes.
Implementation
The 7 phases of the implementation life cycle
COBIT 4.1 MAPPING ITIL v3
Every organisation needs to adapt the use of standards and practices to suit its individual requirements.
COBIT helps to define what should be done and ITIL provides the how for service management aspects.
Typical uses for the standards and practices are:
To support governance by:
– Providing a management policy and control framework
– Enabling process ownership, clear responsibility and accountability for IT activities
– Aligning IT objectives with business objectives, setting priorities and allocating resources
– Ensuring return on investments and optimizing costs
– Making sure that significant risks have been identified and are transparent to management, responsibility for risk management has been assigned and embedded in the organisation, and assurance that effective controls are in place has been provided to management
– Ensuring resources have been organised efficiently and sufficient capability (technical infrastructure, process and skills) exists to execute the IT strategy
– Making sure that critical IT activities can be monitored and measured, so problems can be identified and corrective action can be taken
To define requirements in service and project definitions, internally and with service providers. For example:
– Improving IT service and business process alignment and integration
– Setting clear, business-related IT objectives and metrics
– Defining services and projects in end-user terms
– Creating SLAs and contracts that can be monitored by customers
– Making sure that customer requirements have been cascaded properly into technical IT operational requirements
– Considering services and project portfolios collectively so relative priorities can be set and resources can be allocated on an equitable and achievable basis
To verify provider capability or demonstrate competence to the market by:
– Independent third-party assessments and audits
– Contractual commitments
– Attestations and certifications
To facilitate continuous improvement by:
– Maturity assessments
– Gap analyses
– Benchmarking
– Improvement planning
– Avoidance of reinventing already-proven good approaches
As a framework for audit/assessment and an external view through:
– Objective and mutually understood criteria
– Benchmarking to justify weaknesses and gaps in control
– Increasing the depth and value of recommendations by following generally accepted preferred approaches
HIGH LEVEL MAPPING
STRUCTURAL COMPARISON
COVERAGE OF IT GOVERNANCE FOCUS AREAS
DETAILED MAPPING COBIT TO ITIL
COBIT & ITIL MAPPING
Incident Management
ITIL v3: part of Service Operation. COBIT: part of Deliver & Support.
Major tasks:
– Identify and track incidents in a timely manner.
– Classify the incident and provide initial support.
– Localise potential causes of the incident.
– Recover the services and manage closure.
– Take ownership of the incident.
– Monitor, track and communicate the execution.
Problem Management
ITIL v3: part of Service Operation. COBIT: part of Deliver & Support.
Major tasks:
– Identify and record problems.
– Classify the problem, focused on the impact on the business.
– Investigate the root cause of the problem.
– Resolve the cause of the problem.
– Close the problem.
Configuration Management
ITIL v3: part of Service Transition. COBIT: part of Deliver & Support.
Major tasks:
– Identify the demand for relevant information (purpose, scope, objectives, policies and procedures for sound configuration).
– With the owner, identify and label configuration items (CIs), available documentation, versions and interrelationships.
– Document CIs in a central configuration management database (CMDB).
– Establish procedures and documentation standards to ensure that only authorised and identifiable CIs are recorded and historical, traceable information is available.
– Ensure permanent accountability of data (status accounting).
– Verify and audit the physical existence of CIs recorded in the CMDB.
Change Management
ITIL v3: part of Service Transition. COBIT: part of Acquire & Implement.
Major tasks:
– Record, log and filter requests for change (RFCs).
– Prioritise and categorise the RFC.
– Assess the impact of the RFC on the infrastructure and other services as well as on non-IT processes (e.g., information security) and the effects of not implementing the RFC.
– Identify required resources for implementing the RFC.
– Obtain approval for the RFC.
– Schedule the implementation.
– Implement the RFC.
– Review the implementation of the RFC.
– Establish an entity in charge of the authorisation process of those RFCs identified with major impact; this entity is called the change advisory board (CAB).
Capacity Management
ITIL v3: part of Service Delivery. COBIT: part of Deliver & Support.
Major tasks:
– Define, plan and manage the requirements.
– Provide resources for the services.
– Monitor the performance of resources and adjust if necessary.
– Plan and implement improvements.
– Establish and maintain a capacity plan.
What are the DS3, DS4, DS8, DS9, DS10, DS11, DS13, AI6 and ME1 items?
DS3 MANAGE PERFORMANCE & CAPACITY
• Requires a process to periodically review current performance and capacity of IT resources
• Includes forecasting future needs based on workload, storage and contingency requirements
• Provides assurance that information resources supporting business requirements are continually available
DS3 has 5 principles.
DS3.1 Performance and Capacity Planning
Establish a planning process for the review of performance and capacity of IT resources.
Leverage appropriate modeling techniques to produce a model of the current and forecasted performance, capacity and throughput of the IT resources.
DS3.2 Current Performance and Capacity
Determine if sufficient capacity and performance exist to deliver against agreed-upon service levels.
DS3.3 Future Performance and Capacity
Conduct performance and capacity forecasting of IT resources at regular intervals to minimize the risk of service disruptions.
Identify workload trends and determine forecasts to be input to performance and capacity plans.
DS3.4 IT Resources Availability
Provide the required capacity and performance, taking into account aspects
Plans properly address availability, capacity and performance of individual IT resources.
DS3.5 Monitoring and Reporting
Maintain and tune current performance within IT and address
Report delivered service availability to the business, as required by the SLAs.
DS4 ENSURE CONTINUOUS SERVICE
Providing continuous IT services requires developing, maintaining and testing IT continuity plans.
Minimize the probability and impact of a major IT service interruption on key business functions and processes.
DS4 has 10 principles.
DS4.1 IT Continuity Framework
Develop a framework for IT continuity to support enterprise-wide business continuity management using a consistent process.
Address the organizational structure for continuity management, covering the roles, tasks and responsibilities of internal and external service providers, their management and their customers, and the planning processes.
DS4.2 IT Continuity Plans
Develop IT continuity plans based on the framework and designed to reduce the impact of a major disruption.
Cover usage guidelines, roles and responsibilities, procedures, communication processes, and the testing approach.
DS4.3 Critical IT Resources
Build in resilience and establish priorities in recovery situations.
Avoid the distraction of recovering less-critical items and ensure response.
Consider resilience, response and recovery requirements for different tiers.
DS4.4 Maintenance of the IT Continuity Plan
Encourage IT management to define and execute change control procedures.
Communicate changes in procedures and responsibilities clearly and in a timely manner.
DS4.5 Testing of the IT Continuity Plan
Test the IT continuity plan on a regular basis.
Require careful preparation, documentation, reporting of test results and, according to the results, implementation of an action plan.
DS4.6 IT Continuity Plan Training
Provide all concerned parties with regular training sessions regarding the procedures and their roles and responsibilities in case of an incident or disaster.
DS4.7 Distribution of the IT Continuity Plan
Determine a defined and managed distribution strategy so that plans are properly and securely distributed and available to authorized interested parties.
DS4.8 IT Services Recovery and Resumption
Plan the actions to be taken for the period when IT is recovering and resuming services.
Include activation of backup sites, initiation of alternative processing, customer and stakeholder communication, and resumption procedures.
DS4.9 Offsite Backup Storage
Store offsite all critical backup media, documentation and other IT resources necessary for IT recovery and business continuity plans.
Determine the content of backup storage in collaboration between business process owners and IT personnel.
DS4.10 Post-resumption Review
Determine whether IT management has established procedures for assessing the adequacy of the plan and update the plan accordingly.
DS8 MANAGE SERVICE DESK AND INCIDENTS
Timely and effective response to IT user queries and problems requires a well-designed and well-executed service desk and incident management process.
Includes setting up a service desk function with registration, incident escalation, trend and root cause analysis, and resolution.
Includes increased productivity through quick resolution of user queries.
DS8 has 5 principles.
DS8.1 Service Desk
Establish a service desk function. Include monitoring and escalation procedures based on agreed-upon service levels.
DS8.2 Registration of Customer Queries
Establish a function and system to allow logging and tracking of calls, incidents, service requests and information needs.
Work with such processes as incident management, problem management, change management, capacity management and availability management.
DS8.3 Incident Escalation
Establish service desk procedures. Ensure that incident ownership and life cycle monitoring remain with the service desk for user-based incidents, regardless of which IT group is working on resolution activities.
DS8.4 Incident Closure
Establish procedures for the timely monitoring of clearance of customer queries. When the incident has been resolved, the service desk records the resolution steps.
DS8.5 Reporting and Trend Analysis
Produce reports of service desk activity to enable management to measure service performance and service response times.
Identify trends or recurring problems.
DS9 MANAGE THE CONFIGURATION
Requires the establishment and maintenance of an accurate and complete configuration repository.
Includes collecting initial configuration information, establishing baselines, verifying and auditing configuration information, and updating the configuration repository as needed.
DS9 has 3 principles.
DS9.1 Configuration Repository and Baseline
Establish a supporting tool and a central repository to contain all relevant information on configuration items.
Monitor and record all assets and changes to assets.
Maintain a baseline of configuration items for every system and service as a checkpoint to which to return after changes.
DS9.2 Identification and Maintenance of Configuration Items
Establish configuration procedures to support management and logging of all changes to the configuration repository.
DS9.3 Configuration Integrity Review
Periodically review the configuration data to verify and confirm the integrity of the current and historical configuration.
Periodically review installed software against the policy for software usage.
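The following is an added example, not code from the slides or from ISACA: a minimal configuration repository that keeps a baseline (DS9.1), logs every authorised change to it (DS9.2), and runs the integrity review and software-policy review of DS9.3; it also exercises the ITIL configuration management tasks listed earlier (a central CMDB, only authorised CIs recorded, verification of recorded CIs). Every path, file content, package name and RFC reference in it is constructed sample data.

```python
"""Added example (not from the slides or ISACA): baseline, change log and
integrity review for configuration items, in the spirit of DS9.1-DS9.3.
All paths, contents, package names and RFC references are constructed."""
import hashlib
from dataclasses import dataclass, field


def fingerprint(content: bytes) -> str:
    """SHA-256 of a CI's content: the version identity stored in the repository."""
    return hashlib.sha256(content).hexdigest()


@dataclass
class ConfigRepository:
    """DS9.1: central repository holding the baseline fingerprint of each CI.
    DS9.2: every change to the baseline is logged with the authorising RFC,
    so the historical configuration stays traceable."""
    baseline: dict = field(default_factory=dict)   # path -> fingerprint
    history: list = field(default_factory=list)    # (path, old, new, rfc)

    def register(self, path: str, content: bytes, rfc: str) -> None:
        new = fingerprint(content)
        self.history.append((path, self.baseline.get(path), new, rfc))
        self.baseline[path] = new

    def retire(self, path: str, rfc: str) -> None:
        self.history.append((path, self.baseline.pop(path), None, rfc))


def integrity_review(repo: ConfigRepository, observed: dict) -> dict:
    """DS9.3: compare the CIs observed on a host (path -> content) with the
    baseline and report drift in three classes."""
    report = {"modified": [], "missing": [], "unregistered": []}
    for path, expected in repo.baseline.items():
        if path not in observed:
            report["missing"].append(path)      # recorded CI no longer present
        elif fingerprint(observed[path]) != expected:
            report["modified"].append(path)     # changed outside the RFC process
    report["unregistered"] = [p for p in observed if p not in repo.baseline]
    return {k: sorted(v) for k, v in report.items()}


def software_review(installed: set, policy_allowed: set) -> list:
    """DS9.3: installed software that the software usage policy does not permit."""
    return sorted(installed - policy_allowed)


# Constructed sample data: what the baseline was built from...
BASELINE_CONTENT = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/etc/sudoers": b"%admin ALL=(ALL) ALL\n",
    "/opt/app/config.yaml": b"db_host: db.internal\ntls: true\n",
}
# ...and what a later collection run observed on the host.
OBSERVED_CONTENT = {
    "/etc/ssh/sshd_config": b"PermitRootLogin yes\nPasswordAuthentication no\n",   # drifted, no RFC
    "/opt/app/config.yaml": b"db_host: db.internal\ntls: true\nlog_level: info\n",  # changed under RFC-42
    "/etc/cron.d/nightly-report": b"0 2 * * * app /opt/app/report.sh\n",            # never recorded as a CI
}  # /etc/sudoers is absent from the host


def run_review() -> dict:
    repo = ConfigRepository()
    for path, content in BASELINE_CONTENT.items():
        repo.register(path, content, rfc="RFC-1 (initial baseline)")
    # An authorised change updates the baseline through the repository, so the
    # review treats the new version as expected rather than as drift.
    repo.register("/opt/app/config.yaml", OBSERVED_CONTENT["/opt/app/config.yaml"], rfc="RFC-42")
    report = integrity_review(repo, OBSERVED_CONTENT)
    report["unapproved_software"] = software_review(
        {"openssh-server", "nginx", "legacy-ftpd"}, {"openssh-server", "nginx"})
    report["change_log_entries"] = len(repo.history)
    return report


if __name__ == "__main__":
    for key, value in run_review().items():
        print(f"{key}: {value}")
```

The point of routing the authorised change through `register` is that the review only ever compares against the repository, never against what an administrator remembers; anything modified, removed or added without a logged RFC shows up as drift, which is exactly the "only authorised and identifiable CIs are recorded" property the ITIL task list asks for.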
DS10 MANAGE PROBLEMS
Requires the identification and classification of problems, root cause analysis and resolution of problems.
Includes the formulation of recommendations for improvement, maintenance of problem records and review of the status of corrective actions.
Maximizes system availability, improves service levels, reduces costs, and improves customer convenience and satisfaction.
DS10 has 4 principles.
DS10.1 Identification and Classification of Problems
Implement processes to report and classify problems that have been identified as part of incident management.
Categorize problems as appropriate into related groups or domains (e.g., hardware, software, support software).
DS10.2 Problem Tracking and Resolution
Allow tracking, analyzing and determining the root cause of all reported problems, considering:
• All associated configuration items
• Outstanding problems and incidents
• Known and suspected errors
• Tracking of problem trends
DS10.3 Problem Closure
Put in place a procedure to close problem records either after confirmation of successful elimination of the known error or after agreement
DS10.4 Integration of Configuration, Incident and Problem Management
Integrate the related processes of configuration, incident and problem management to ensure effective management of problems and enable improvements.
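As an added example (not from the slides or from ISACA), the script below shows the hand-off the DS8.5 trend analysis and DS10.1 make between them: service desk records are summarised per category, recurring incidents on one configuration item are detected with a sliding window, and each cluster becomes a classified problem record that references its incidents and CI, which is the integration DS10.4 asks for. The incident records, the seven-day window and the threshold of three are constructed sample values.

```python
"""Added example (not from the slides or ISACA): DS8.5 trend analysis over
service desk records feeding DS10.1 problem identification and classification.
Records, window and threshold are constructed sample data."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample service desk records:
# (incident id, opened, category as in DS10.1, configuration item, minutes to resolve)
INCIDENTS = [
    ("INC-101", "2024-03-01T08:10", "hardware", "srv-db-01", 95),
    ("INC-102", "2024-03-01T09:40", "software", "app-portal", 30),
    ("INC-103", "2024-03-03T14:05", "hardware", "srv-db-01", 120),
    ("INC-104", "2024-03-04T11:30", "software", "app-portal", 25),
    ("INC-105", "2024-03-06T16:00", "hardware", "srv-db-01", 60),
    ("INC-106", "2024-03-20T10:15", "support software", "backup-agent", 45),
]


def parse(records):
    """Turn the ISO timestamps of the records into datetime objects."""
    return [(iid, datetime.fromisoformat(ts), cat, ci, mins)
            for iid, ts, cat, ci, mins in records]


def service_desk_report(records) -> dict:
    """DS8.5: incident count and mean resolution time per category."""
    minutes = defaultdict(list)
    for _, _, cat, _, mins in parse(records):
        minutes[cat].append(mins)
    return {cat: {"incidents": len(m), "avg_resolution_min": round(sum(m) / len(m), 1)}
            for cat, m in minutes.items()}


def recurring_incidents(records, window_days: int = 7, threshold: int = 3) -> dict:
    """DS8.5: find (category, CI) pairs with at least `threshold` incidents
    opened inside any `window_days` sliding window. Returns the incident ids
    of the first such cluster for each pair."""
    opened = defaultdict(list)
    for iid, ts, cat, ci, _ in parse(records):
        opened[(cat, ci)].append((ts, iid))
    window = timedelta(days=window_days)
    found = {}
    for key, events in opened.items():
        events.sort()
        for start in range(len(events)):
            end = start
            while end < len(events) and events[end][0] - events[start][0] <= window:
                end += 1
            if end - start >= threshold:
                found[key] = [iid for _, iid in events[start:end]]
                break
    return found


def open_problem_records(records, first_id: int = 1) -> list:
    """DS10.1/DS10.4: turn each recurring cluster into a classified problem
    record that references its incidents and configuration item."""
    problems = []
    for (cat, ci), ids in sorted(recurring_incidents(records).items()):
        problems.append({"id": f"PRB-{first_id:03d}", "category": cat, "ci": ci,
                         "linked_incidents": ids, "status": "open"})
        first_id += 1
    return problems


if __name__ == "__main__":
    print(service_desk_report(INCIDENTS))
    print(open_problem_records(INCIDENTS))
```

With the sample data only the hardware incidents on srv-db-01 recur inside one window, so one problem record is opened for that CI; the two app-portal incidents stay below the threshold and remain ordinary incidents.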
DS11 MANAGE DATA
Requires identifying data requirements. Includes the establishment of effective procedures to manage the media library, backup and recovery of data, and proper disposal of media.
Helps ensure the quality, timeliness and availability of business data.
DS11 has 6 principles.
DS11.1 Business Requirements for Data Management
Verify that all data expected for processing are received and processed completely.
Support restart and reprocessing needs.
DS11.2 Storage and Retention Arrangements
Define and implement procedures for effective and efficient data storage, retention and archiving to meet business objectives, the organization's security policy and regulatory requirements.
DS11.3 Media Library Management System
Define and implement procedures to maintain an inventory of stored and archived media to ensure their usability and integrity.
DS11.4 Disposal
Define and implement procedures to ensure that business requirements for protection of sensitive data and software are met when data and hardware are disposed of or transferred.
DS11.5 Backup and Restoration
Define and implement procedures for backup and restoration of systems, applications, data and documentation in line with business requirements and the continuity plan.
DS11.6 Security Requirements for Data Management
Define and implement policies and procedures to identify and apply security requirements.
DS-13
DS13 MANAGE OPERATIONS
Complete and accurate processing of data requires effective management of data processing procedures and diligent maintenance of hardware.
Includes defining operating policies and procedures for effective management
Helps maintain data integrity and reduces business delays and IT operating costs.
DS13 has 5 control objectives.
DS13.1 Operations Procedures and Instructions
Define, implement and maintain procedures for IT operations
Cover shift handover (formal handover of activity, status updates, operational problems, escalation procedures and reports on current responsibilities)
DS13.2 Job Scheduling
Organize the scheduling of jobs, processes and tasks into the most efficient sequence, maximizing throughput and utilization to meet business requirements
DS13.3 IT Infrastructure Monitoring
Define and implement procedures to monitor the IT infrastructure and related events
DS13.4 Sensitive Documents and Output Devices
Establish appropriate physical safeguards, accounting practices and inventory management over sensitive IT assets
DS13.5 Preventive Maintenance for Hardware
Define and implement procedures to ensure timely maintenance of infrastructure to reduce the frequency and impact of failures or performance degradation
ME-1
ME1 MONITOR AND EVALUATE IT PERFORMANCE
Effective IT performance management requires a monitoring process
Include defining relevant performance indicators, systematic and timely reporting of performance, and prompt acting upon deviations
ME1 has 6 control objectives.
ME1.1 Monitoring Approach
Establish a general monitoring framework and approach to define the scope, methodology and process
Integrate the framework with the corporate performance management system
ME1.2 Definition and Collection of Monitoring Data
Work with the business to define a balanced set of performance targets
Have them approved by the business and other relevant stakeholders
Define benchmarks with which to compare the targets, and identify available data to be collected to measure the targets
Establish processes to collect timely and accurate data to report on progress against targets.
ME1.3 Monitoring Method
Deploy a performance monitoring method
Capture measurements
Provide a succinct, all-around view of IT performance
ME1.4 Performance Assessment
Periodically review performance against targets
Analyze the cause of any deviations
Initiate remedial action to address the underlying causes
ME1.5 Board and Executive Reporting
Develop senior management reports on IT's contribution to the business
Include in status reports the extent to which planned objectives have been achieved, budgeted resources used, set performance targets met and identified risks mitigated
ME1.6 Remedial Actions
Identify and initiate remedial actions based on performance monitoring, assessment and reporting
Include follow-up of all monitoring, reporting and assessments through:
• Review, negotiation and establishment of management responses
• Assignment of responsibility for remediation
• Tracking of the results of actions committed
AI-6
AI6 MANAGE CHANGES
All changes, including emergency maintenance and patches, relating to infrastructure and applications within the production environment are formally managed in a controlled manner
Provides mitigation of the risks of negatively impacting the stability or integrity of the production environment.
AI6 has 5 control objectives.
AI6.1 Change Standards and Procedures
Set up formal change management procedures to handle all requests in a standardized manner
AI6.2 Impact Assessment, Prioritization and Authorization
Assess all requests for change in a structured way to determine the impact on the operational system and its functionality
AI6.3 Emergency Changes
Establish a process for defining, raising, testing, documenting, assessing and authorizing emergency changes
AI6.4 Change Status Tracking and Reporting
Establish a tracking and reporting system to document rejected changes
Communicate the status of approved, in-process and completed changes
AI6.5 Change Closure and Documentation
Whenever changes are implemented, update the associated system and user documentation and procedures accordingly