Mapping of PMBOK With COBIT 4.0

Transcription

1 Mapping of PMBOK With COBIT 4.0

2 COBIT MAPPING: MAPPING OF PMBOK WITH COBIT 4.0 IT Governance Institute The IT Governance Institute (ITGI TM ) ( was established in 1998 to advance international thinking and standards in directing and controlling an enterprise s information technology. Effective IT governance helps ensure that IT supports business goals, optimises business investment in IT, and appropriately manages IT-related risks and opportunities. ITGI offers original research and case studies to assist enterprise leaders and boards of directors in their IT governance responsibilities. Disclaimer The IT Governance Institute (the Owner ) and the author have designed and created this publication, titled COBIT Mapping: Mapping of PMBOK With COBIT 4.0 (the Work ), primarily as an educational resource for control professionals. The Owner makes no claim that use of any of the Work will assure a successful outcome. The Work should not be considered inclusive of all proper information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, controls professionals should apply their own professional judgement to the specific control circumstances presented by the particular systems or information technology environment. Disclosure 2006 IT Governance Institute. All rights reserved. No part of this publication may be used, copied, reproduced, modified, distributed, displayed, stored in a retrieval system or transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise) without the prior written authorisation of ITGI. Reproduction of selections of this publication for internal and noncommercial or academic use only is permitted and must include full attribution of the material s source. No other right or permission is granted with respect to this work. Project Management Institute, A Guide to the Project Management Body of Knowledge (PMBOK Guide) Third Edition, Project Management Institute Inc., Copyright and all rights reserved. Material from this publication has been reproduced with the permission of PMI. IT Governance Institute 3701 Algonquin Road, Suite 1010 Rolling Meadows, IL USA Phone: Fax: info@itgi.org Web site: ISBN X COBIT Mapping: Mapping of PMBOK With COBIT 4.0 Printed in the United States of America 2

3 ACKNOWLEDGEMENTS ACKNOWLEDGEMENTS From the Publisher IT Governance Institute wishes to recognise: The Researcher Maxwell J. Shanahan, CISA, FCPA, Max Shanahan & Associates, Australia ITGI Board of Trustees Everett C. Johnson, CPA, Deloitte & Touche (retired), USA, International President Abdul Hamid Bin Abdullah, CISA, CPA, Auditor General s Office, Singapore, Vice President William C. Boni, CISM, Motorola, USA, Vice President Jean-Louis Leignel, MAGE Conseil, France, Vice President Lucio Augusto Molina Focazzio, CISA, Colombia, Vice President Howard Nicholson, CISA, City of Salisbury, Australia, Vice President Bent Poulsen, CISA, CISM, VP Securities Services, Denmark, Vice President Frank Yam, CISA, CIA, CCP, CFE, CFSA, FFA, FHKCS, FHKIoD, Focus Strategic Group, Hong Kong, Vice President Marios Damianides, CISA, CISM, CA, CPA, Ernst & Young LLP, USA, Past International President Robert S. Roussey, CPA, University of Southern California, USA, Past International President Emil D Angelo, CISA, CISM, Bank of Tokyo-Mitsubishi, USA, Trustee Ronald Saull, CSP, Great-West Life and IGM Financial, Canada, Trustee Erik Guldentops, CISA, CISM, University of Antwerp Management School, Belgium, Advisor to the Board The ITGI Committee William C. Boni, CISM, Motorola, USA, Chair Jean-Louis Leignel, MAGE Conseil, France, Vice Chair Erik Guldentops, CISA, CISM, University of Antwerp Management School, Belgium Tony Hayes, FCPA, Queensland Government, Australia Anil Jogani, CISA, FCA, Tally Solutions Limited, UK John W. Lainhart IV, CISA, CISM, IBM, USA Michael Schirmbrand, CISA, CISM, CPA, KPMG LLP, Austria Eddy Schuermans, CISA, PricewaterhouseCoopers LLP, Belgium Ronald Saull, CSP, Great-West Life and IGM Financial, Canada Expert Reviewers Mark Adler, CISA, CISM, CIA, CFSA, CISSP, Allstate Insurance Company, USA Kelvin J. Arcelay, CISM, CISSP, PMP, Citas Group LLC, USA Max Blecher, Virtual Alliance, South Africa Dirk Bruyndonckx, CISA, CISM, KPMG Advisory, Belgium Peter De Bruyne, CISA, BANKSYS, Belgium Monique Garsoux, Dexia Bank, Belgium Jimmy Heschl, CISA, CISM, KPMG, Austria Linda Kostic, CISA, CPA, E*TRADE Financial, USA Mario Micaleff, CPAA, FIA, National Australia Bank Group, Australia Peter Van Mol, CISA, Helios-IT NV, Belgium Greet Volders, Voquals NV, Belgium Members of the ISACA Atlanta (Georgia, USA) COBIT Development Group Expert Reviewers Kelvin Arcelay, CISM, CISSP, PMP, Citas Group LLC, USA Keith Braddock, Knowledge Institute, USA Ngy Ea, Citas Group LLC, USA Reid Eastburn, Eastburn Associates Inc., USA Kevin Morgan, CISA, CFE, MSIS, Arris Group, USA Barry Sievers, Citas Group LLC, USA Donnie Sievers, Citas Group LLC, USA Phyllis St. John, PMP, Affinia Group Inc., USA 3

4 COBIT MAPPING: MAPPING OF PMBOK WITH COBIT 4.0 The ITGI Affiliates and Sponsors ISACA chapters American Institute of Certified Public Accountants ASIS International The Center for Internet Security Commonwealth Association of Corporate Governance Inc. Information Security Forum The Information Systems Security Association Institut de la Gouvernance des Systèmes d Information Institute of Management Accountants ISACA Solvay Business School University of Antwerp Management School CA Hewlett-Packard IBM LogLogic Inc. Phoenix Business and Systems Process Inc. Symantec Corporation Wolcott Systems Group World Pass IT Solutions ACKNOWLEDGEMENTS cont. 4

5 TABLE OF CONTENTS TABLE OF CONTENTS 1. Purpose of the Document Methodology for the Mapping COBIT Overview PMBOK Overview High-level Mapping Detailed Mapping References

6 COBIT MAPPING: MAPPING OF PMBOK WITH COBIT PURPOSE OF THE DOCUMENT In 1996, the Information Systems Audit and Control Foundation (ISACF ) created Control Objectives for Information and related Technology (COBIT ). The second edition, containing enhancements and additional content, followed in In 1998, ITGI was founded for the purpose of conducting research into the increasingly important area of IT governance, with a special focus on the COBIT framework, processes, control objectives and maturity models. In time, ISACF and ITGI became one entity, and that organisation issued a third edition of COBIT in 2000, followed by COBIT 4.0 in The COBIT framework enables CIOs to help stakeholders better understand IT processes and services and easily integrate different standards. For their part, stakeholders can use COBIT as an instrument to govern the information provided by IT to support business processes. COBIT does not operate in a vacuum. Today, several other standards and collections of best practices are available that prescribe how to manage specific facets of the IT function within organisations. Guidance has been published by international standards organisations as well as several private or partially private organisations. However, no common framework has been available for comparing these various guidance documents. This publication provides a framework to make those comparisons and, as a result, coherently drive process compliance and improvement. When detailed comparisons can be made, management of the IT function can be enhanced and, consequently, better decisions can be made. Given the importance of IT within enterprises and the plethora of guidance on its governance, management and control, it is clear that there is a need for a reference that can answer questions such as: What should be defined? What is an appropriate level of detail? What should be measured? What should be automated? What is good practice? Is there a certification available? Although many of these questions can be addressed using the openly available COBIT guidance, several have remained unresolved, until now. This project addresses the gaps by undertaking to map the most important and commonly used standards 1 and guidance to the COBIT processes and control objectives. The project consists of two components: 1. High-level overview of a variety of international standards and guidance. COBIT Mapping: Overview of International IT Guidance, 2 nd Edition is posted on the ISACA web site at 2. A series of more detailed mapping documents focusing on individual standards or guidance. The following mapping documents are posted for ISACA members at COBIT Mapping: Mapping of ISO/IEC 17799:2000 With COBIT, 2 nd Edition COBIT Mapping: Mapping of SEI s CMM for Software With COBIT 4.0 Other planned detailed mappings for ISACA members include: COBIT Mapping: Mapping ISO 17799:2005 With COBIT 4.0 COBIT Mapping: Mapping PRINCE2 With COBIT 4.0 COBIT Mapping: Mapping ITIL With COBIT 4.0 COBIT Mapping: Mapping NIST FISMA With COBIT 4.0 COBIT Mapping: Mapping IT Baseline Protection Manual With COBIT 4.0 COBIT Mapping: Mapping TOGAF With COBIT 4.0 This publication contains a detailed mapping of A Guide to the Project Management Body of Knowledge (PMBOK Guide) Third Edition (2004), with COBIT 4.0 as well as the classification of the standards discussed in this paper as presented in COBIT Mapping: Overview of International IT Guidance, 2 nd Edition. A brief overview of the standards mapped against each other in this document is as follows: COBIT Originally released as an IT process and control framework linking IT to business requirements, COBIT was initially used mainly by the assurance community in conjunction with business and IT process owners. With the addition of management guidelines in 1998, COBIT is now used increasingly as a framework for IT governance, providing management tools such as metrics and maturity models to complement the control framework. In 2005, ITGI published COBIT The term standard is used in this document to encompass guidance publications. 6

7 1. PURPOSE OF THE DOCUMENT PMBOK Guide Described as the sum of knowledge within the profession of project management, and published by Project Management Institute (PMI), it is an American National Standard ANSI/PMI The processes and techniques described in PMBOK are applicable to all projects. However, while they are applicable to projects involving IT, they do not specifically address IT technical, IT management and IT governance issues. PMBOK is aimed at providing a foundational reference for anyone interested in the profession of project management. This document does not contain all of the details of PMBOK. It was agreed with the PMI to include references as they are provided in their publication, but it is recommended that a copy be obtained of the original document from PMI to implement project management in a sound manner. The document is available from the PMI web site, OVERVIEW COBIT identifies the IT processes that should exist to ensure that IT is aligned with and supports the business in an effective manner. COBIT and its supporting publications identify control objectives, techniques and practices commonly required for each processes. An overview of COBIT is provided in section 3, COBIT Overview. PMBOK identifies the best practice process for project management, together with the knowledge and techniques required for those processes to be effective. PMBOK can be designed to be applied to any industry, including IT. An overview of PMBOK is provided in section 4, PMBOK Overview. While the two frameworks are at different levels of focus and detail, they overlap and can be used to support each other, as shown in figure 1. Figure 1 Overlap of COBIT and PMBOK COBIT identifies project management as a process of IT but does not deal with project management in the same detail as PMBOK. Thus, when implementing process improvements using COBIT, IT process owners can make use of PMBOK as a source of best practice. Controls Required for IT Projects COBIT PMBOK Project Management Best Practice COBIT highlights specific IT practices that should be considered when applying PMBOK to projects involving IT. The primary purpose of this mapping is to provide guidance to IT process owners by identifying the COBIT processes for which PMBOK provides more detailed guidance and to highlight the areas of PMBOK that should be considered for each process. Therefore, the mapping highlights how the processes in PMBOK can support COBIT. A secondary objective of the mapping is to provide guidance to those using PMBOK as the basis for project management practices as to the areas of COBIT they should be considering when applying the practices to projects involving IT. The mapping also identifies the COBIT control objectives that should be applied during various PMBOK processes. The methodology of the mapping is provided in section 2, a high-level mapping in section 5 and the detailed mapping in section 6. 7

8 COBIT MAPPING: MAPPING OF PMBOK WITH COBIT METHODOLOGY FOR THE MAPPING The broad approach adopted for the mapping between the two frameworks involved identifying the normative statements in each and mapping those statements to determine areas of alignment and areas in which there were gaps. The normative parts of any standard or framework are those that specify to what best practices should conform. Non-normative parts consist of examples, extended explanations, and other matters not dealing directly with the specifications. COBIT s normative statements are expressed as high-level control objectives within IT process areas. PMBOK s normative statements outlined in the core of the document, chapters 4 through 12, describe the best practice for managing a project, unless there are reasons otherwise. PMBOK chapters 1 to 3 are of a descriptive nature and set the scene of context for chapters 4 to 12. The steps taken in the detailed mapping process are specified in figure 2. Figure 2 Detailed Mapping Process Step Description 1 The processes in chapters 4 to 12 of the PMBOK Guide were mapped to one or more COBIT control objectives and documented in the detailed mapping in figure 10. PMBOK s chapters 1 to 3 were also mapped to COBIT when they provided guidance for the implementation of the COBIT processes. They were labelled as informative. 2 COBIT processes in the Acquire and Implement (AI) domain and some aspects of the Deliver and Support (DS) domain represent components of the project life cycle. The control practices in AI2 should be considered when planning projects involving IT. These were identified and mapped as a COBIT-to-PMBOK mapping. 3 A high-level mapping or summary of COBIT-to-PMBOK mapping was prepared and included in section 5, High-level Mapping. The coverage of the mapped information requirements is noted in four different levels: E The requirements stated in PMBOK exceed the requirements of COBIT; therefore, PMBOK should be seen as a primary source for further information and guidance to improve the process or control objective. C The requirements of the control objective are covered by the mapped requirements of the guidance in PMBOK. A Some aspects of the control objectives are addressed by PMBOK, but the requirements of the control objective are not covered completely. NA There is no match between the requirements of COBIT and PMBOK. The following example is to depict the process of the detailed mapping: PMBOK requires in chapter 8 that quality management processes include Quality Planning. This involves identifying which quality standards are relevant to the project and determining how to satisfy them. This requirement was mapped to COBIT control objective PO10.10 Project quality plan and classified as C, since the requirements of the control objective are covered by the mapped requirements of the guidance in PMBOK. The requirement was more generally mapped to PO10.12 Project planning of assurance methods, PO 8.1 Quality management system, PO8.2 IT standards and quality practices, PO8.4 Customer focus and PO8.5 Continuous improvement. These were classified as A, since some aspects of the control objectives are addressed by PMBOK, but the control objective s specific IT requirements are not covered completely. 8

9 3. COBIT OVERVIEW DOCUMENT TAXONOMY 3. COBITOVERVIEW COBIT represents a collection of documents that can be classified as generally accepted best practice for IT governance, control and assurance. ISSUER The first edition of COBIT was issued by ISACF in In 1998, the second edition was published with additional control objectives and the Implementation Tool Set. The third edition was issued by ITGI in 2000, and included the management guidelines and several other detailed control objectives. In 2005, the ITGI finalised a complete rework of the COBIT content and published the current version, COBIT 4.0. GOAL OF THE PUBLICATION The COBIT mission is: To research, develop, publicise and promote an authoritative, up-to-date, internationally accepted IT governance control framework for adoption by enterprises and day-to-day use by business managers, IT professionals and assurance professionals. 2 BUSINESS DRIVERS FOR IMPLEMENTING THE GUIDANCE, INCLUDING TYPICAL SITUATIONS COBIT is usually implemented subject to one or more of the following business cases: There is a need for IT governance. Services delivered by IT are to be aligned with business goals. IT processes are to be standardised/automated. A framework for overall IT processes is needed. IT processes are to be unified. A framework is needed for a quality management system for IT. A structured IT audit approach is to be defined. Mergers and acquisitions are occurring with an IT impact. IT cost-control initiatives are desired. Part or all of the IT function is to be outsourced. Compliance with external requirements (e.g., regulators, organisations or third parties) is of concern. RELATED RISKS OF NON-COMPLIANCE Risks of not implementing COBIT include: Misaligned IT services, divergence Weak support of business goals due to misalignment Wasted opportunities due to misalignment Persistence of the perception of IT as a black box Shortfall between management s measurements and expectations Know-how tied to key individuals, not to the organisation Excessive IT cost and overhead Erroneous investment decisions and projections Dissatisfaction of business users with IT services supplied Regulatory breaches with potential significant financial penalties on organisations, restrictions on operating licences, and fiduciary liability on directors and officers if deemed not to have exercised due care and responsibility 2 IT Governance Institute, COBIT 4.1, USA, 2006 (in development) 9

10 COBIT MAPPING: MAPPING OF PMBOK WITH COBIT 4.0 TARGET AUDIENCE All types of organisations, public and private companies, and external assurance and advisory professionals form the relevant target group. Within organisations, three levels are addressed: management, IT users and professionals, and assurance professionals. Primary and secondary audiences are identified in figure 3. TIMELINESS Activities Figure 4 Chart of COBIT Audiences Functions: Primary (P), Secondary (S) to the pertinence of COBIT to that particular audience. Chief Executive Officer (CEO) Chief Financial Officer (CFO) COBIT S S P P P S S S S S P Business Executive Chief Information Officer (CIO) Business Process Owner Head Operations Chief Architect Head Development Head IT Administration Project Management Office (PMO) Compliance,Audit, Risk and Security The core content of COBIT was updated in November 2005, resulting in COBIT 4.0. The research conducted for the update addressed components of the control objectives and management guidelines. Some specific areas that were addressed: COBIT IT governance bottom-up and top-down alignment COBIT and other detailed standards Detailed mapping between COBIT and ITIL, CMM, COSO, PMBOK, ISF and ISO to enable harmonisation with those standards in language, definitions and concepts Key goal indicator (KGI) and key performance indicator (KPI) causal relationships analysis Review of the quality of the KGIs/KPIs/critical success factors (CSFs) Based on the KPI/KGI causal relationship analysis, splitting CSFs into what you need from others and what you need to do yourself. CSFs were replaced by process inputs (success factors needed from others) and activity goals that the process owner must address. Detailed analysis of metrics concepts Detailed development with metrics experts to enhance the metrics concepts, building up a cascade of process-it-business metrics and defining quality criteria for metrics Linking of business goals, IT goals and IT processes Detailed research in eight different industries resulting in a more detailed insight into how COBIT processes support the achievement of specific IT goals and, by extension, business goals Review of maturity model contents Ensured consistency and quality of maturity levels amongst and within processes, including better definitions of maturity model attributes Enhancements to COBIT at the time of this publication include: COBIT Quickstart COBIT Online IT Governance Implementation Guide Control practices COBIT Foundation Course IT Control Objectives for Sarbanes-Oxley COBIT Security Baseline Aligning COBIT, ITIL and ISO for Business Benefit COBIT Mapping: Overview of International IT Guidance, 2 nd Edition COBIT Mapping: Mapping ISO/IEC 17799:2000 With COBIT, 2 nd Edition COBIT Mapping: Mapping SEI s CMM for Software With COBIT CERTIFICATION OPPORTUNITIES The audit guidelines from COBIT 3 rd Edition contain information for auditing and self-assessment against the control objectives, but there is no certification for organisations. However, the COBIT framework is used frequently by Certified Public Accountants (CPAs) and Chartered Accountants (CAs), when performing a Statement on Auditing Standards (SAS) No. 70 service organisations review, SysTrust certification or Sarbanes-Oxley compliance. At the time of this writing, the IT Assurance Guide aligned with COBIT 4.0 is in development to update the information for auditing and self-assessment against the control objectives; it will replace the third edition s audit guidelines. 10

11 3. COBIT OVERVIEW For certification of individuals, the COBIT Foundation Course is offered. Non-COBIT certification is available through ISACA, ITGI s affiliated association, in the form of the Certified Information Systems Auditor TM (CISA ) and Certified Information Security Manager (CISM ) certifications. CIRCULATION COBIT is used worldwide. In addition to the English version, it has been translated into French, German, Hungarian, Italian, Japanese, Korean, Portuguese and Spanish. COMPLETENESS COBIT addresses a broad spectrum of duties in IT management. It includes the most significant parts of IT management, including those covered by other standards. Although no technical details have been included, the necessary tasks for complying with the control objectives are self-explanatory. Therefore, it is classified as relatively high level, aiming to be generically complete but not specific. AVAILABILITY COBIT is open and readily accessible for complimentary electronic download on the ITGI or ISACA web sites, or COBIT Online can be purchased at COBIT Online allows users to customise a version of COBIT just right for their own enterprise, then store and manipulate that version as desired. It offers online, real-time surveys and benchmarking. COBIT 3 rd Edition s audit guidelines are posted for complimentary download for ISACA members. The print version of COBIT 4.0 can be purchased from the ISACA Bookstore, COBIT PROCESSES ADDRESSED 1 2 Plan and Organise Monitor and Evaluate COBIT processes addressed by COBIT Deliver and Support Acquire and Implement Note: The chart is not a comparison; this is COBIT itself. INFORMATION CRITERIA ADDRESSED Information Criteria + Effectiveness + Efficiency + Confidentiality + Integrity + Availability + Compliance + Reliability (+) Frequently addressed (o) Moderately addressed (-) Not or rarely addressed Note: The chart is not a comparison; this is COBIT itself. 11

12 COBIT MAPPING: MAPPING OF PMBOK WITH COBIT 4.0 IT RESOURCES CONCERNED IT Resources + Applications + Information + Infrastructure + People (+) Frequently addressed (o) Moderately addressed (-) Not or rarely addressed Note: The chart is not a comparison; this is COBIT itself. DESCRIPTION OF THE GUIDANCE AND ITS CONTENT Enterprise governance (the system by which organisations are governed and controlled) and IT governance (the system by which the organisation s IT is governed and controlled) are from a COBIT point of view highly interdependent. Enterprise governance is inadequate without IT governance and vice versa. IT can extend and influence the performance of the organisation, but it has to be subject to adequate governance. On the other hand, business processes require information from the IT processes, and this interrelationship has to be governed as well. In this subject matter, the plan-do-check-act (PDCA) cycle becomes evident. The concept of the PDCA cycle is usually used in structured problem-solving and continuous improvement processes. The PDCA cycle is also known as the Deming cycle or the Deming wheel of a continuous improvement process. Both the information need (corporate governance) and the information offer (IT governance) have to be planned with measurable and constructive indicators (plan). The information and, possibly, information systems have to be implemented, delivered and used (do). The outcome of the information delivered and used is measured against the indicators defined in the planning phase (check). Deviation is investigated and corrective action is taken (act). Considering these interdependencies, it is apparent that the IT processes are not an end in themselves; instead, they are a means to an end that is highly integrated with the management of business processes. ITGI has defined IT governance as follows: IT governance is the responsibility of the board of directors and executive management. It is an integral part of enterprise governance and consists of the leadership and organisational structures and processes that ensure that the organisation s IT sustains and extends the organisation s strategies and objectives. 3 COBIT Framework Organisations must satisfy the quality, fiduciary and security requirements for their information, as for all assets. Management must also optimise the use of available IT resources, including information, applications, infrastructure and people. To discharge these responsibilities and achieve its objectives, management should understand the status of its enterprise architecture for IT and decide what governance and control it should provide. COBIT defines IT activities in a generic process model within four domains: Plan and Organise (PO) Acquire and Implement (AI) Deliver and Support (DS) Monitor and Evaluate (ME) The framework provides a reference process model and common language to view and manage IT activities. COBIT s good practices represent the consensus of experts. They are focused strongly on control and less on execution. They help optimise IT-enabled investments and provide a measure against which to judge when things do go wrong. 3 ITGI, Board Briefing on IT Governance, 2 nd Edition, 2003, p

13 3. COBIT OVERVIEW Control Objectives COBIT provides a set of 34 high-level control objectives, one for each of the IT processes, grouped into the four domains. This structure covers all aspects of information and the technology that supports it. By addressing these 34 high-level control objectives, the business process owner can ensure that an adequate control system is provided for the IT environment. Each high-level control objective has a number of detailed control objectives. As a whole, they are the characteristics of a wellmanaged process. In addition to the detailed control objectives, each COBIT process has generic control requirements that are identified by a process control number (PCn). They should be considered with the detailed process control objectives to have a complete view of control requirements. Management Guidelines COBIT 4.0 contains updated management guidelines. A basic need for every enterprise is to understand the status of its own IT systems and decide what level of management and control the enterprise should provide. Obtaining an objective view of an enterprise s own performance level is not easy. What should be measured and how? Enterprises need to measure where they are and where improvement is required, and implement a management tool kit to monitor this improvement. To determine the right level, management should ask itself: How far should we go in controlling IT? Is the cost justified by the benefit? COBIT deals with these issues by providing: Maturity models to enable benchmarking and identification of necessary capability improvements Performance goals and metrics for the IT processes, demonstrating how processes meet business and IT goals and are used for measuring internal process performance based on balanced scorecard principles Activity goals for enabling effective process performance Maturity Models Maturity modelling for management and control over IT processes is based on a method of self-evaluation by the organisation. A maturity model has been defined for each of the 34 COBIT IT processes, providing an incremental measurement scale from 0, non-existent, through 5, optimised. Using the maturity models developed for each IT process, management can identify: The actual performance of the enterprise Where the enterprise is today The current status of the industry The comparison The enterprise s target for improvement Where the enterprise wants to be Control Practices Control practices were developed for COBIT 3 rd Edition to expand the capabilities of COBIT by providing the practitioner with an additional level of detail. The COBIT IT processes, business requirements and detailed control objectives define what needs to be done to implement an effective control structure. The IT control practices provide the more detailed how and why needed by management, service providers, end users and control professionals to implement highly specific controls based on an analysis of operational and IT risks. At the time of this writing, they are in the process of being updated to align with COBIT 4.0 and will be available in the upcoming publication IT Governance Implementation Guide Using COBIT and Val IT TM, 2 nd Edition. Audit Guidelines To achieve the desired goals and objectives, the enterprise must constantly and consistently audit its procedures. The audit guidelines in COBIT 3 rd Edition outline and suggest actual assessment activities to be performed, corresponding to each of the 34 high-level IT control objectives, to evaluate control processes, assess compliance and substantiate the risk of control objectives not being met. At the time of this writing, the IT Assurance Guide is in development to update the information for auditing and self-assessment against the control objectives in COBIT

14 COBIT MAPPING: MAPPING OF PMBOK WITH COBIT 4.0 COBIT Quickstart This special version of COBIT is a baseline for use by many small to medium enterprises and other entities where IT is not mission-critical or essential for survival. It can also serve as a starting point for other enterprises in their move toward an appropriate level of control and governance of IT. For purposes of the publication, small to medium enterprises have not been defined according to any financial or staffing measurement. Instead, the strategic nature of IT to the business is evaluated, a self-assessment form has been developed, and exceptions are reviewed. Those enterprises for which the strategic nature of IT is relatively low, that fall within certain ranges on the self-assessment and that do not have any of the exceptions that might indicate a higher level of dependence on IT are considered small to medium enterprises. This publication was developed in response to comments that COBIT, in its complete form, can be a bit overwhelming. Those who operate with a small IT staff often do not have the resources to implement all of COBIT. This version of COBIT constitutes a subset of the entire COBIT volume. Only the control objectives considered the most critical are included, so that implementation of COBIT s fundamental principles can take place easily, effectively and relatively quickly. COBIT Online This online version of COBIT allows users to customise a version of COBIT for their own enterprise, then store and manipulate that version as desired. It offers online, real-time surveys, benchmarking and a discussion facility for sharing experiences and questions. IT Governance Implementation Guide The objective of the IT Governance Implementation Guide is to provide readers with a methodology for implementing and improving IT governance, using COBIT. The guide is focused on a generic methodology for implementing IT governance, covering the following subjects: Why IT governance is important and why organisations should implement it The IT governance life cycle The COBIT framework How COBIT is linked to IT governance and enables its implementation The stakeholders who have an interest in IT governance A road map for implementing IT governance using COBIT A second edition is in development at the time of this writing. THE COBIT IT PROCESSES The processes are grouped into four domains, as indicated in figure 4. Any service delivered by IT and all services provided to the core processes must be integrated into the IT service life cycle, as indicated in figure 4. Plans and organisational structures already developed could be adopted, depending on the significance of each service, rather than developing a new plan for the IT service. Services are subsequently implemented, and all necessary precautions for ongoing service, delivery and monitoring are to be considered. From the IT governance point of view, single services are merely in the background. The focus must be on the PDCA cycle discussed previously for the sum of services delivered by and with IT. The strict top-down approach of COBIT is depicted in figure 5. 14

15 3. COBIT OVERVIEW Figure 4 COBIT IT Processes Defined Within the Four Domains BUSINESS OBJECTIVES GOVERNANCE OBJECTIVES COBIT ME1 Monitor and evaluate IT performance. ME2 Monitor and evaluate internal control. ME3 Ensure regulatory compliance. ME4 Provide IT governance. MONITOR AND EVALUATE INFORMATION Effectiveness Efficiency Confidentiality Integrity Availability Compliance Reliability IT RESOURCES PO1 Define a strategic IT plan. PO2 Define the information architecture. PO3 Determine technological direction. PO4 Define the IT processes, organisation and relationships. PO5 Manage the IT investment. PO6 Communicate management aims and direction. PO7 Manage IT human resources. PO8 Manage quality. PO9 Assess and manage IT risks. PO10 Manage projects. PLAN AND ORGANISE Applications Information Infrastructure People DELIVER AND SUPPORT ACQUIRE AND IMPLEMENT DS1 Define and manage service levels. DS2 Manage third-party services. DS3 Manage performance and capacity. DS4 Ensure continuous service. DS5 Ensure systems security. DS6 Identify and allocate costs. DS7 Educate and train users. DS8 Manage service desk and incidents. DS9 Manage the configuration. DS10 Manage problems. DS11 Manage data. DS12 Manage the physical environment. DS13 Manage operations. AI1 Identify automated solutions. AI2 Acquire and maintain application software. AI3 Acquire and maintain technology infrastructure. AI4 Enable operation and use. AI5 Procure IT resources. AI6 Manage changes. AI7 Install and accredit solutions and changes. 15

16 COBIT MAPPING: MAPPING OF PMBOK WITH COBIT 4.0 Each process is described by using the following information: High-level control objective Detailed control objectives Information criteria affected by the process IT resources used by the process IT governance focus areas Inputs and outputs Responsible, Accountable, Consulted and Informed (RACI) chart Goals and metrics, including KPIs and KGIs INFORMATION CRITERIA Figure 5 Top-down Approach Domains Processes Information delivered to the core business processes has to fulfill certain criteria, which are summarily characterised as follows: Quality requirements: Effectiveness Deals with information being relevant and pertinent to the business process as well as being delivered in a timely, correct, consistent and usable manner Efficiency Concerns the provision of information through the optimal (most productive and economical) use of resources Security requirements: Confidentiality Concerns the protection of sensitive information from unauthorised disclosure Integrity Relates to the accuracy and completeness of information as well as to its validity in accordance with business values and expectations Availability Relates to information being available when required by the business process now and in the future. It also concerns the safeguarding of necessary resources and associated capabilities. Fiduciary requirements: Compliance Deals with complying with the laws, regulations and contractual arrangements to which the business process is subject, i.e., externally imposed business criteria, as well as internal policies Reliability Relates to the provision of appropriate information for management to operate the entity and exercise its fiduciary and governance responsibilities IT RESOURCES Activities/ Tasks Following the COBIT definition, the resources used by IT are identified as follows: Applications are automated user systems and manual procedures that process the information. Information is the data in all their forms input, processed and output by the information systems in whatever form is used by the business. Infrastructure is the technology and facilities (hardware, operating systems, database management systems, networking, multimedia, etc., and the environment that houses and supports them) that enable the processing of the applications. People are the personnel required to plan, organise, acquire, implement, deliver, support, monitor and evaluate the information systems and services. They may be internal, outsourced or contracted as required. 16

17 3. COBIT OVERVIEW COBIT CUBE The previously mentioned components (IT processes, business requirements of information and resources) are three-dimensional, thus illustrating the IT function. These dimensions, as shown in figure 6, represent the COBIT cube. IT GOVERNANCE USING COBIT Effectiveness Figure 6 COBIT Cube Efficiency Confidentiality Integrity Business Requirements Availability Compliance Reliability IT governance is the responsibility of executives and the board of directors, and consists of the leadership, organisational structures and processes that ensure that the enterprise s IT sustains and extends the organisation s strategies and objectives. COBIT supports IT governance by providing a framework to ensure that: IT is aligned with the business IT enables the business and maximises benefits IT resources are used responsibly IT risks are managed appropriately Performance measurement is essential for IT governance. It is supported by COBIT and includes setting and monitoring measurable objectives of what IT processes need to deliver (process outcome) and how they deliver it (process capability and performance). IT Processes DOMAINS PROCESSES ACTIVITIES Applications Information Infrastructure People IT Resources FURTHER REFERENCES Internet ISACA ITGI 17

18 COBIT MAPPING: MAPPING OF PMBOK WITH COBIT 4.0 DOCUMENT TAXONOMY 4. PMBOK OVERVIEW The PMBOK Guide is described as the sum of knowledge within the profession of project management. PBMOK is an American National Standard ANSI/PMI ISSUER PMBOK Guide, published by PMI, is a basic reference for anyone interested in project management. GOAL OF THE GUIDANCE The primary purpose of PMBOK Guide is to identify that subset of the Project Management Body of Knowledge that is generally recognised as good practice. The PMBOK Guide also provides and promotes a common lexicon for discussing, writing and applying project management. BUSINESS DRIVER FOR IMPLEMENTING THE GUIDANCE The main business driver for implementing PMBOK in an organisation is the achievement of consistent project success through the implementation of a common framework for all enterprise projects. PMBOK is usually selected as the basis for that framework because it considered a worldwide standard for project management that identifies the processes required for project management, based on industry best practice. RELATED RISKS OF NON-COMPLIANCE Inconsistent or inadequate project management practices will increase the risk of project failure. Symptoms of project failure include: Different project management approaches within the organisation Inconsistent reporting of the organisation s reporting structure Scope creep Reduced quality of deliverables Late projects and unachieved milestones Unexpected issues that impact delivery Budget overruns Projects failing to meet objectives TARGET AUDIENCE PMBOK is aimed at providing a foundational reference for anyone interested in managing projects, as shown in figure 7. Figure 7 Chart of PMBOKAudiences Activities Functions: Primary (P), Secondary (S) to the pertinence of PMBOK to the particular audience Chief Executive Officer (CEO) Chief Financial Officer (CFO) PMBOK S S P P S S S S S P S Business Executive Chief Information Officer (CIO) Business Process Owner Head Operations Chief Architect Head Development Head IT Administration Project Management Office (PMO) Compliance,Audit, Risk and Security 18

19 4. PMBOK OVERVIEW TIMELINESS PMBOK has been subject to periodic review and update by PMI since it was initially developed and published in The current edition is A Guide to the Project Management Body of Knowledge, Third Edition, published in CERTIFICATION OPPORTUNITIES PMI offers the Project Management Professional (PMP ) certification program for project managers. This is based on a PMP Examination Specification for the examination, describing the tasks (competencies) that PMPs perform, and the project management knowledge and skill that PMPs use to complete each task. PMI also offers the Certified Associate in Project Management (CAPM ) certification, which is designed for project team members and entry-level project managers, as well as qualified undergraduate and graduate students who want a credential to recognise their value to project team performance. CIRCULATION PMBOK Guide is used internationally and is available in Arabic, Chinese, English, French, German, Italian, Japanese, Korean, Portuguese, Russian and Spanish. COMPLETENESS PMBOK Guide provides more detail about the practices and techniques required to address the requirements of sound project management. It describes aspects of programme and portfolio management but is not a standard for such activities. This is dealt with in a separate document, Organisational Project Management Maturity Model (OPM3). AVAILABILITY PMBOK Guide is available for purchase in paperback and on CD-ROM from PMI. COBIT PROCESSES ADDRESSED Plan and Organise Monitor and Evaluate COBIT processes addressed by PMBOK Deliver and Support Acquire and Implement

20 COBIT MAPPING: MAPPING OF PMBOK WITH COBIT 4.0 INFORMATION CRITERIA ADDRESSED Information Criteria + Effectiveness + Efficiency - Confidentiality - Integrity - Availability - Compliance - Reliability (+) Frequently addressed (o) Moderately addressed (-) Not or rarely addressed IT RESOURCES CONCERNED IT Resources - Applications - Information - Infrastructure + People (+) Frequently addressed (o) Moderately addressed (-) Not or rarely addressed DESCRIPTION OF THE GUIDANCE AND ITS CONTENT Project Management Framework Chapters 1 and 2 of PMBOK Guide provide a description of the project management framework and the context in which it operates. This includes: 1. Introduction 1.1 Purpose of the PMBOK Guide 1.2 What Is a Project? 1.3 What Is Project Management 1.4 The PMBOK Guide Structure 1.4 Areas of Expertise 1.6 Project Management Context 2. Project Lifecycle and Organisation 2.1 The Project Lifecycle 2.2 Project Stakeholders 2.3 Organisational Influences The Standard for Project Management Chapter 3 of the guide identifies the project management processes, segmented into five process groups with 44 processes. The high-level process groups interactions are illustrated in figure 8. The five process groups are: 1. Initiating process group Defines and authorises the project or a project phase 2. Planning process group Defines and refines objectives, and plans the courses of action required to attain the objectives and scope that the project was undertaken to address 3. Executing process group Integrates people and other resources to carry out the project management plan for the project 4. Controlling process group Regularly measures and monitors progress to identify variances from the project management plan so that corrective action can be taken when necessary to meet project objectives 5. Closing process group Formalises acceptance of the product, service or result and brings the project or project phase to an orderly end 20

21 4. PMBOK OVERVIEW Figure 8 High-level Summary of Process Groups Interactions Enterprise Environmental Factors Organisation s culture Project management information system Human resource pool Initiating Process Group Statement of work Contract Project Initiator of Sponsor Organisational Process Assets Policies, procedures, standards, guidelines Defined processes Historical information Lessons learned Project Charter Preliminary Project Scope Statement Planning Process Group Project Management Plan Executing Process Group Deliverables Requested Changes Implemented Change Requests Implemented Corrective Actions Implemented Preventive Actions Implemented Defect Repair Work Performance Information Monitoring and Controlling Process Group Approved Change Requests Rejected Change Requests Approved Corrective Actions Approved Preventive Actions Approved Defect Repair Project Management Plan (updates) Project Scope Statement (updates) Recommended Corrective Actions Recommended Prevention Actions Performance Reports Recommended Defect Repair Forecasts Validated Defect Repair Approved Deliverables Organizational process assets (updates) Customer Final product, service, result Closing Process Group Administrative Closure Procedure Contract Closure Procedure Source: Project Management Institute Inc., A Guide to the Project Management Body of Knowledge (PMBOK Guide), Third Edition, All rights reserved. 21

22 COBIT MAPPING: MAPPING OF PMBOK WITH COBIT 4.0 The Project Management Knowledge Areas Nine knowledge areas and 44 processes that represent best practice in project management are identified in chapters 4 through 12 of the PMBOK Guide, as shown in figure 9. Each process is further described in terms of its inputs, outputs, and tools and techniques. Figure 9 Overview of Project Management Knowledge Areas and Project Management Processes PROJECT MANAGEMENT 4. Project Integration Management 4.1 Develop Project Charter 4.2 Develop Preliminary Project Scope Statement 4.3 Develop Project Management Plan 4.4 Direct and Manage Project Execution 4.5 Monitor and Control Project Work 4.6 Integrated Change Control 4.7 Close Project 5. Project Scope Management 5.1 Scope Planning 5.2 Scope Definition 5.3 Create WBS 5.4 Scope Verification 5.5 Scope Control 6. Project Time Management 6.1 Activity Definition 6.2 Activity Sequencing 6.3 Activity Resource Estimating 6.4 Activity Duration Estimating 6.5 Schedule Development 6.6 Schedule Control 7. Project Cost Management 7.1 Cost Estimating 7.2 Cost Budgeting 7.3 Cost Control 8. Project Quality Management 8.1 Quality Planning 8.2 Perform Quality Assurance 8.3 Perform Quality Control 9. Project Human Resource Management 9.1 Human Resouce Planning 9.2 Acquire Project Team 9.3 Develop Project Team 9.4 Manage Project Team 10. Project Communications Management 10.1 Communications Planning 10.2 Information Distribution 10.3 Performance Reporting 10.4 Manage Stakeholders 11. Project Risk Management 11.1 Risk Management Planning 11.2 Risk Identification 11.3 Qualitative Risk Analysis 11.4 Quantitative Risk Analysis 11.5 Risk Response Planning 11.6 Risk Monitoring and Control 12. Project Procurement Resource Management 12.1 Plan Purchase and Acquisitions 12.2 Plan Contracting 12.3 Request Seller Responses 12.4 Select Sellers 12.5 Contract Administration 12.6 Contract Closure Source: PMI, A Guide to the Project Management Body of Knowledge (PMBOK Guide), Third Edition, All rights reserved. 22

23 4. PMBOK OVERVIEW The knowledge areas as presented in chapters 4 to 12 of PMBOK are: 4. Project Integration Management The processes and activities that integrate the various elements of project management, which are identified, defined, combined, unified and co-ordinated within the project management process groups. It consists of: 4.1 Develop Project Charter 4.2 Develop Preliminary Project Scope Statement 4.3 Develop Project Management Plan 4.4 Direct and Manage Project Execution 4.5 Monitor and Control Project Work 4.6 Integrated Change Control 4.7 Close Project 5. Project Scope Management The processes involved in ascertaining that the project includes all the work required, and only the work required, to complete the project successfully. It consists of: 5.1 Scope Planning 5.2 Scope Definition 5.3 Create WBS 5.4 Scope Verification 5.5 Scope Control 6. Project Time Management The processes concerning the timely completion of the project. It consists of: 6.1 Activity Definition 6.2 Activity Sequencing 6.3 Activity Resource Estimating 6.4 Activity Duration Estimating 6.5 Schedule Development 6.6 Schedule Control 7. Project Cost Management The processes involved in planning, estimating, budgeting and controlling costs so that the project is completed within the approved budget. It consists of: 7.1 Cost Estimating 7.2 Cost Budgeting 7.3 Cost Control 8. Project Quality Management The processes involved in assuring that the project will satisfy the needs for which it was undertaken. It consists of: 8.1 Quality Planning 8.2 Perform Quality Assurance 8.3 Perform Quality Control 9. Project Human Resource Management The processes that organise and manage the project team. It consists of: 9.1 Human Resource Planning 9.2 Acquire Project Team 9.3 Develop Project Team 9.4 Manage Project Team 10. Project Communications Management The processes concerning the timely and appropriate generation, collection, dissemination, storage and ultimate disposition of project information. It consists of : 10.1 Communications Planning 10.2 Information Distribution 10.3 Performance Reporting 10.4 Manage Stakeholders 11. Project Risk Management The processes concerned with conducting risk management on a project. It consists of: 11.1 Risk Management Planning 11.2 Risk Identification 11.3 Qualitative Risk Analysis 11.4 Quantitative Risk Analysis 11.5 Risk Response Planning 11.6 Risk Monitoring and Control 12. Project Procurement Resource Management The processes that purchase or acquire products, services or results, as well as contract management processes. It consists of: 12.1 Plan Purchases and Acquisitions 12.2 Plan Contracting 12.3 Request Seller Responses 12.4 Select Sellers 12.5 Contract Administration 12.6 Contract Closure 23