INFORMATION SYSTEMS CONTROL JOURNAL, VOLUME 3, 2005
Refining IT Processes Using COBIT
By Stephen Reingold, CISA
Perhaps the most compelling reason for refining IT processes is the potential for IT and business management to change the way they think about IT services. As organizations begin to examine and refine IT processes, there is a good chance that management will start challenging assumptions and ask questions such as, "Why are we doing this?" or "Should we be doing something else?"
Other benefits of continually refining IT processes include (but are not limited to):
Increased IT process efficiency and effectiveness
Greater IT process and product quality
Increased strategic and tactical alignment between IT and the business
Improved productivity
While an organization can expect to realize one or more of these benefits, it may actually experience a paradigm shift in the way it views and delivers IT services.
Best Practices
IT process refinement follows a life cycle approach (figure 1) [1, 2]. As seen in figure 1, step 3 feeds back into step 1: the results of each IT process refinement evaluation are fed back into step 1, and the process starts all over again.
How Can COBIT Help?
Control Objectives for Information and related Technology (COBIT) can be used to facilitate each of the three IT process refinement steps shown in figure 1.
Step 1: Evaluate Current IT Processes
COBIT's maturity models define six process maturity levels against which the maturity (or sophistication) of IT processes may be gauged. The six maturity levels range from nonexistent to optimized. COBIT Management Guidelines defines them as follows:
0 Nonexistent: Management processes are not applied at all.
1 Initial: Processes are ad hoc and disorganized.
2 Repeatable: Processes follow a regular pattern.
3 Defined: Processes are documented and communicated.
4 Managed: Processes are monitored and measured.
5 Optimized: Best practices are followed and automated.
COBIT's maturity models also define six IT management practice groupings against which the six maturity levels from Management Guidelines are applied at increasing levels. The six IT management practice groupings consist of:
1. Understanding and awareness of risks and control issues
2. Training and communication applied on the issues
3. Process and practices that are implemented
4. Techniques and automation to make processes more effective and efficient
5. Degree of compliance to internal policy, laws and regulations
6. Type and extent of expertise employed
While it is certainly possible to benchmark all of an organization's IT processes (COBIT Framework defines 34 such processes), one might want to select a smaller, more manageable number of processes to benchmark.
By objectively assessing each of the selected IT processes against the six IT management practice groupings, the organization can quickly see where the IT process strengths and weaknesses lie.
Copyright 2005 Information Systems Audit and Control Association. All rights reserved. www.isaca.org.
Figure 1: IT Process Refinement Cycle
Step 1: Evaluate current IT processes.
Step 2: Identify process improvement goals.
Step 3: Evaluate improvement efforts.
(Step 3 feeds back into step 1.)

Figure 2: Assessing Business Risks

IT Management Domain:   Understanding   Training and    Implementation   Techniques and   Compliance   Expertise
                        and Awareness   Communication   of Processes     Automation
                                                        and Practices
IT Process:
Manage changes                2               3               3               2               1            0
Manage service levels         1               4               5               0               0            3

Legend: 0-1 Maturity level: low; 2-3 Maturity level: medium; 4-5 Maturity level: high
Figure 2 contains an example of how one might graphically depict the findings. As can be seen from figure 2, it is easy to determine the strengths and weaknesses of each IT process.
Considerations for Benchmarking
To kick off the benchmarking activities, the right people must be involved, including user representative(s), the IT process owner, members of the IT department and an auditor. The primary advantage of including auditors in an organization's benchmarking exercise is that they have a broad, cross-organizational perspective of IT processes.
Step 2: Identify IT Process Improvement Goals
The results of step 1 can be used to identify IT process improvement goals. Essentially, anything that falls between maturity levels of 0 and 3 requires some level of improvement. Users who are most impacted by each of the IT processes chosen for review should be consulted to determine which IT processes (and IT process refinement opportunities) are most important to the organization.
How Much Improvement?
According to COBIT:
"The right maturity level will be influenced by the enterprise's business objectives and operating environment. Specifically, the level of control maturity will depend on the enterprise's dependence on IT, the technology sophistication and, most important, the value of its information."
Organizations should not try to move too far up the maturity ladder at once (e.g., from a 1 to a 4). As indicated earlier, IT process refinement should be viewed as an iterative process. Improving IT processes gradually has the additional benefit of giving organizations an opportunity to gauge progress and learn from experience. Another major benefit of improving gradually is that it may reduce the initial resistance that comes whenever change is introduced.
Step 3: Evaluate Improvement Efforts
In addition to maturity models, COBIT Management Guidelines defines key goal indicators (KGIs) and key performance indicators (KPIs) that can be used to measure IT process refinements:
KGIs tell management, after the fact, whether an IT process has achieved its business requirements.
KPIs define measures to determine how well the IT process is performing in enabling the goal to be reached.
KGIs and KPIs can be used to evaluate the result of process refinement efforts. KPIs are best suited to measuring improvements in efficiency, since they are process-oriented, and KGIs are best suited to evaluating improvements in effectiveness, since they are business goal-oriented.
A manageable number of KGIs and KPIs (between three and five) for which information is readily available should be selected. For the three to five KGIs and KPIs selected for each IT process refinement effort, how the selected IT processes stack up against each of the KGIs and KPIs should be determined before undertaking the refinement of those processes; this baseline is what the post-refinement measurements are compared against.
Conclusion
IT process refinement is not only beneficial for improving process efficiency and effectiveness, but also for changing the way IT and business managers view IT services. The three-step model presented demonstrates how an organization can refine its IT processes, not once, but continually. COBIT's maturity models may be used to facilitate an organization's IT process refinement efforts.
Endnotes
1 META Group; "IT Process Refinement and Performance Measurement: Leveraging Best Practices," Executive Briefing, 2004
2 ITGI; Control Objectives for Information and related Technology (COBIT) 3rd Edition, Management Guidelines, 2000
Stephen Reingold, CISA
has been working for the internal audit division of the government of Ontario, Canada, for more than five years. In addition to auditing data security and Internet application security, Reingold has performed extensive SDLC and security consultations with clients.
Disclaimer
The opinions expressed by the author are personal and do not necessarily represent the views of either the Management Board Secretariat or the Ontario, Canada, government.
Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by the Information Systems Audit and Control Association, Inc. Membership in the association, a voluntary organization of persons interested in information systems (IS) auditing, control and security, entitles one to receive an annual subscription to the Information Systems Control Journal.
Opinions expressed in the Information Systems Control Journal represent the views of the authors and advertisers. They may differ from policies and official statements of the Information Systems Audit and Control Association and/or the IT Governance Institute and their committees, and from opinions endorsed by authors' employers, or the editors of this Journal. Information Systems Control Journal does not attest to the originality of authors' content.
Copyright 2005 by Information Systems Audit and Control Association Inc., formerly the EDP Auditors Association. All rights reserved. ISCA™ Information Systems Control Association™
Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, Mass. 01970, to photocopy articles owned by the Information Systems Audit and Control Association Inc., for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.
www.isaca.org