Comparative study of COBIT with other IT Governance Frameworks

Transcription

1 IJCSI Internatinal Jurnal f Cmputer Science Issues, Vlume 11, Issue 6, N 1, Nvember Cmparative study f COBIT with ther IT Gvernance Framewrks Saïd RAMLAOUI 1 and Alami SEMMA 2 1 Department f Mathematics and Cmputer Science, Faculty f science and Techniques, Hassan 1 University Settat, Mrcc 2 Department f Mathematics and Cmputer Science, Faculty f science and Techniques, Hassan 1 University Settat, Mrcc Abstract The meaning f Infrmatin Technlgy (IT) has changed frm just being available t accelerating and facilitating prcesses t an integral part f the enterprise missin and strategy. Therefre, IT gvernance is ne f these cncepts that suddenly emerged and became an imprtant issue in the infrmatin technlgy area. Benchmarking the standard framewrks in market place is ne f imprtant appraches fr selecting apprpriate standard framewrks used in IT gvernance in rder t achieve the rganizatin gal. This study prpses a benchmarking f the different standard framewrks used fr IT gvernance in rder t detect cmplementarities and intersectin in rder t facilitate the implementatin. Keywrds: IT Gvernance, IT Strategy, COBIT, ITIL, CMMI, PMBOK, TOGAF, Framewrk, Prcess. 1. Intrductin IT utilizatin and a business gal f an rganizatin is a fundatin f efficient and effective IT gvernance. A cmpany bard and executives need t pay intentin t IT as an imprtant tl fr business perfrmance. Mst enterprises attempt t rganize high quality f infrmatin and IT readiness in rder t supprt decisin makings in business areas. IT investment is a track fr generating business value. Setting up IT investment as a strategic gal f enterprises lead t gain mre business benefits and achieve peratinal excellence. It is reasnable t pint ut that maintaining IT related risk at an acceptable level, ptimizing cst f IT services and technlgy, cmplying with laws, regulatins, cntractual agreements and plicy are gd perfrmances fr handling IT gvernance. Mst enterprises need standard tls t assist their executives t perfrm gd IT gvernance including the IT best practice management. A number f IT gvernance framewrks, such as ITIL, COBIT, CMMI, PMBOK, TOGAF, ISO/IEC invlved IT, etc, are develped t prvide guidance and tls fr better IT gvernance. The enterprises intricately chse the apprpriate framewrks because they have t spend lng time fr studying all standards in market places. A benchmark f each standard is an imprtant key apprach fr making decisin n selecting the standard tls fr IT gvernance. 2. Definitin Gvernance is the framewrk, principles, structure, prcesses and practices t set directin and mnitr cmpliance and perfrmance aligned with the verall purpse and bjectives f an enterprise [1]. IT Gvernance is an apprach that enterprises arrange IT strategies within their business t ensure achievement with regards t the strategies including implementatin f apprpriate methds t evaluate IT perfrmance [2]. All the gvernance principles and practices are generally tp dwn and the IT gvernance is n exceptin t this hierarchical initiative and respnsibility. IT gvernance, as a subset f crprate gvernance, als requires t be driven frm the bard level. The cre f the IT gvernance is t create IT strategy that frms part f the effective crprate strategic planning prcess and thus ensuring alignment f IT design and its cntrls with the business gals. The basic bjectives f the IT gvernance can be summarized as fllws [3]: Aligning IT strategy with Business Strategy IT as strategic resurce t deliver value IT risk management IT resurce and financial management IT perfrmance management 2014 Internatinal Jurnal f Cmputer Science Issues

2 IJCSI Internatinal Jurnal f Cmputer Science Issues, Vlume 11, Issue 6, N 1, Nvember IT Gvernance / IT Management Separating gvernance and management prmtes accuntability at all levels. It als prvides a mechanism fr gd enterprise gvernance that fcuses n stakehlder value by balancing perfrmance and cnfrmance [4]. Gvernance shuld: Evaluate t determine balanced, agreed-n enterprise bjectives t be achieved Direct thrugh priritizatin and decisin making Mnitr perfrmance, cmpliance and prgress against agreed directin and bjectives This means that a key respnsibility f gvernance is t evaluate, direct, and mnitr. Management, n the ther hand, plans, builds, runs, and mnitrs activities t align with and supprt the gvernance bjectives. Gvernance is a respnsibility f the bard, while management is a respnsibility f the executive management. actins r make decisins - are authrized and accuntable fr their actins. Respnsibility: Each cntracted party is required t act respnsibly t the rganizatin and its stakehlders. Fairness: All decisins taken, prcesses used, and their implementatin will nt be allwed t create unfair advantage t any ne particular party. 3. IT Gvernance Framewrks 3.1 Scpe f the study The scpe f the study is restricted t COBIT, ITIL, CMMI, PMBOK and TOGAF: five framewrks currently ften mentined in the IT Gvernance studies. Other framewrks, mdels and best practices gaining recent awareness are COSO, Six Sigma, Balanced Screcard, ISO 17799, etc. In the last versin, COBIT 5 cnslidates COBIT 4.1, Val IT and Risk IT int ne framewrk, and has been updated t align with current best practices such as TOGAF. 3.2 COBIT Fig.1 IT Gvernance vs IT Management 2.2 The characteristics f IT Gvernance The fllwing characteristics have been adapted frm Naid (2002) and are psitined here t highlight bth the value and necessity fr gvernance as an apprach t be adpted within rganizatins and their dealings with all invlved parties [5]: Discipline: All invlved parties will have a cmmitment t adhere t prcedures, prcesses, and authrity structures established by the rganizatin. Transparency: All actins implemented and their decisin supprt will be available fr inspectin by authrized rganizatin and prvider parties. Independence: All prcesses, decisin-making, and mechanisms used will be established s as t minimize r avid ptential cnflicts f interest. Accuntability: Identifiable grups within the rganizatin - e.g., gvernance bards wh take The Cntrl Objectives fr Infrmatin and related Technlgy (COBIT) prvides a cmprehensive framewrk that assists enterprises t achieve their bjectives fr the gvernance and management f enterprise IT. COBIT 5 integrates the knwledge previusly dispersed ver the three ISACA framewrks: COBIT, Val IT, and Risk IT. It cvers the lifecycle f gvernance, strategic, and tactical management within the IT dmain [3]. COBIT 5 principles: Meeting stakehlders needs Cvering the enterprise End-t-End Applying a single integrated framewrk Enabling a hlistic apprach Separating gvernance frm management COBIT 5 prcesses: EDM (Evaluate, Direct, Mnitr) dmain: Ensure Gvernance Framewrk Setting and Maintenance Ensure Benefits Delivery Ensure Resurce Optimizatin Ensure Stakehlder Transparency APO (Align, Plan, Organize) dmain : Manage the IT Management Framewrk Manage Strategy Manage Enterprise Architecture Manage Innvatin 2014 Internatinal Jurnal f Cmputer Science Issues

3 IJCSI Internatinal Jurnal f Cmputer Science Issues, Vlume 11, Issue 6, N 1, Nvember Manage Prtfli Manage Budget and Csts Manage Human Relatins Manage Relatinships Manage Service Agreements Manage Suppliers Manage Quality Manage Risk Manage Security BAI (Build, Acquire, Implement) dmain: Manage Prgrams and Prjects Manage Requirements Definitin Manage Slutins Identificatin and Build Manage Availability and Capacity Manage Organizatinal Change Enablement Manage Changes Manage Changes Acceptance and Transitining Manage Knwledge Manage Assets Manage Cnfiguratin DSS (Distribute, Service, Supprt) dmain: Manage Operatins Manage Service Requests and Incidents Manage Prblems Manage Cntinuity Manage Security Services Manage Business Prcess Cntrls Mnitr, Evaluate and Assess Perfrmance and Cnfrmance MEA (Mnitr, Evaluate, Assess) dmain: Mnitr, Evaluate and Asses the System f Internal Cntrl Evaluate and Assess Cmpliance with External Requirements 3.3 ITIL Infrmatin Technlgy Infrastructure Library (ITIL) describes Best Practice in IT servicee management. It prvides a framewrk fr the gvernance f IT and fcuses n the cntinual measurement and imprvement f the quality f IT service delivered, frm bth a business and a custmer perspective. This fcus is a majr factr in ITIL s wrldwide success and has cntributed t its prlific usage and t the key benefits btained by thse rganizatins deplying the techniques and prcesses thrughut their rganizatins. The current versin f ITIL (Versin 3) prvides a Service Lifecycle structure and is rganized int five high-level cre disciplines described in five cre bks [6]: Fig.2 ITIL Lifecycle Service Strategy prcesses: Strategy Management fr IT Services Service Prtfli Management Financial Management fr IT Services Demand Management Business Relatinship Management Service Design prcesses: Design Crdinatin Service Catalgue Management Service Level Management Risk Management Capacity Management Availability Management IT Service Cntinuity Management Infrmatin Security Management Cmpliance Management Architecturee Management Supplier Management Service Prtfli Management Service Transitin prcesses: Change Management Change Evaluatin Prject Management Applicatin Develpment Release and Deplyment Management Service Validatin and Testing Service Asset and Cnfiguratin Management Knwledge Management Service Operatin prcesses: Event Management Incident Management Request Fulfillment Access Management Prblem Management IT Operatins Cntrl Facilities Management Applicatin Management Technical Management Cntinual Service Imprvement prcesses: Service Review Prcess Evaluatin 2014 Internatinal Jurnal f Cmputer Science Issues

4 IJCSI Internatinal Jurnal f Cmputer Science Issues, Vlume 11, Issue 6, N 1, Nvember PMBOK Definitin f CSI Initiatives Mnitring f CSI Initiatives The Prject Management Bdy f Knwledge (PMBOK) is a cllectin f prcesses and knwledge areas accepted as best practice fr the prject management prfessin. As an internatinally recgnized standard (ANSI/PMI and IEEE ) it prvides prject managers with the fundamental practices needed t achieve rganizatinal results and excellence in the practice f prject management. PMBOK fifth editin recgnizes 5 basic prcess grups and 10 knwledge areas typical f almst all prjects. The basic cncepts are applicable t prjects, prgrammes and peratins. The five basic prcess grups are: Fig.3 PMBOK prcess grups The prcesses gruped by the10 knwledge areas are [7]: Prject Integratin Management: Develp Prject Charter, Develp Prject Management Plan, Direct and Manage Prject Executin, Mnitr and Cntrl Prject Wrk, Perfrm Integrated Change Cntrl, Clse Prject r Phase. Prject Scpe Management: Plan Scpe Management, Cllect Requirements, Define Scpe, Create WBS, Validate Scpe, Cntrl Scpe. Prject Time Management: Plan Schedule Management, Define Activities, Sequence Activities, Estimate Activity Resurces, Estimate Activity Duratins, Develp Schedule, Cntrl Schedule. Prject Cst Management: Plan Cst Management, Estimate Csts, Determine Budget, Cntrl Csts. Prject Quality Management: Plan Quality Management, Perfrm Quality Assurance, Perfrm Quality Cntrl. Prject Human Resurce Management: Plan Human Resurce Management, Acquire Prject Team, Develp Prject Team, Manage Prject Team. Prject Cmmunicatins Management: Plan Cmmunicatins Management, Manage Cmmunicatin, Cntrl Cmmunicatin. Prject Risk Management: Plan Risk Management, Identify Risks, Perfrm Qualitative Risk Analysis, Perfrm Quantitative Risk Analysis, Plan Risk Respnses, Cntrl Risks. Prject Prcurement Management: Plan Prcurement Management, Cnduct Prcurements, Cntrl Prcurements, Clse Prcurements. Prject Stakehlder Management: Identify Stakehlders, Plan Stakehlder Management, Manage Stakehlder Engagement, Cntrl Stakehlder Engagement. 3.5 CMMI The Capability Maturity Mdel Integratin (CMMI) is a wrld-class perfrmance imprvement framewrk fr cmpetitive rganizatins that want t achieve highperfrmance peratins [8]. Building upn an rganizatin s business perfrmance bjectives, CMMI prvides a set f practices fr imprving prcesses, resulting in a perfrmance imprvement system that paves the way fr better peratins and perfrmance. Under the CMMI mdel, prcesses are rated accrding t their maturity levels, which are defined as: Initial, Managed, Defined, Quantitatively Managed, Optimizing. CMMI currently addresses three areas f interest: Prduct and service develpment (CMMI-DEV) Service establishment, management(cmmi-svc) Prduct and service acquisitin (CMMI-ACQ) Depending n the CMMI areas f interest (acquisitin, services, develpment) used, the prcess areas it cntains will vary. Prcess areas are the areas that will be cvered by the rganizatin s prcesses. The table belw lists the cllectin f sixteen CMMI cre prcess areas that are present fr all CMMI areas f interest in CMMI V1.3: Name Area Causal Analysis and Reslutin Supprt Cnfiguratin Management Supprt Decisin Analysis and Reslutin Supprt Integrated Prject Management Prject Management Measurement and Analysis Supprt Organisatinnel Prcess Definitin Prcess Management Organisatinnel Prcess Fcus Prcess Management Organisatinnel Perfrmance Management Prcess Management Organisatinnel Prcess Perfrmance Prcess Management Organisatinnel Training Prcess Management Prject Mnitring and Cntrl Prject Management Prject Planning Prject Management Prcess and Prduct Quality Assurance Supprt Quantitative Prject Management Prject Management Requirements Management Prject Management 2014 Internatinal Jurnal f Cmputer Science Issues

5 IJCSI Internatinal Jurnal f Cmputer Science Issues, Vlume 11, Issue 6, N 1, Nvember Risk Management Supplier Agreement Management 3.6 TOGAF Table 1: CMMI cre prcess areas Prject Management Supprt The Open Grup Architecture Framewrk (TOGAF) is a framewrk, a detailed methd and a set f supprting tls fr develping an enterprise architecture. TOGAF is develped and maintained by members f The Open Grup, wrking within the Architecture Frum [9]. Specifically, use f TOGAF will: Enable users t implement and gain the benefits f genuinely pen systems slutins at reduced cst Simplify the related prcesses f pen systems design, planning, prduct prcurement, and implementatin Help the IT functin t better cmmunicate its gals and strategy t crprate management and the Slutins Cntinuum. The Architecture Cntinuum specifies the structuring f reusable architecture assets, and includes rules, representatins and relatinships f the infrmatin system(s) available t the enterprise. The Slutins Cntinuum describes the implementatin f the Architecture Cntinuum by defining reusable slutins building blcks. Architecture Develpment Methd The Architecture Develpment Methd (ADM) is applied t develp an enterprise architecture which will meet the business and infrmatin technlgy needs f an rganizatin. It may be tailred t the rganizatin s needs and is then emplyed t manage the executin f architecture planning activities. The prcess is iterative and cyclic. Each step checks with Requirements. Phase C invlves sme cmbinatin f bth Data Architecture and Applicatins Architecture. Additinal clarity can be added between steps B and C in rder t prvide cmplete infrmatin architecture. TOGAF tpics: Enterprise architecture dmains TOGAF is based n fur pillars, called architecture dmains: Business architecture r business prcess architecture which defines the business strategy, gvernance, rganizatin, and key business prcesses f the rganizatin Applicatins architecture which prvides a blueprint fr the individual applicatin systems t be deplyed, the interactins between the applicatin systems, and their relatinships t the cre business prcesses f the rganizatin with the framewrks fr services t be expsed as business functins fr integratin. Data architecture which describes the structure f an rganisatin's lgical and physical data assets and the assciated data management resurces Technical architecture r technlgy architecture which describes the hardware, sftware and netwrk infrastructure needed t supprt the deplyment f cre, missin-critical applicatins Enterprise Cntinuum The Enterprise Cntinuum may be viewed as a "virtual repsitry" f all the architecture assets available t an rganizatin. These include architectural mdels, architectural patterns, architecture descriptins, and ther artifacts. These artifacts may exist within the enterprise and als in the IT industry at large. The Enterprise Cntinuum cnsists f bth the Architecture Cntinuum Fig.4 TOGAF Architecture Methd (ADM) 4. Framewrks mapping and cmplimentarily 4.1 COBIT and ITIL Bth ITIL and COBIT help rganizatins t manage IT frm a business perspective and achieve business gals while measuring prgress and ensuring effective IT gvernance. Because f this, there is ften cnfusin abut whether they d the same thing r cntradict each ther. In reality, the tw framewrks are cmplementary. Indeed, ITIL is mre fcused n service management and prvides guidance n hw t develp and implement effective slutins. COBIT prvides an verall, high level gvernance framewrk which is applicable t mst rganizatins but is nt specific abut certain aspects f 2014 Internatinal Jurnal f Cmputer Science Issues

6 IJCSI Internatinal Jurnal f Cmputer Science Issues, Vlume 11, Issue 6, N 1, Nvember the business like IT service management r infrmatin security. As ITIL cvers particular areas in mre detail, it can be mapped t COBIT t enhance the framewrk and build a hierarchy f prcesses. This means that COBIT can be used t shape ITIL prcesses t the business needs and measure the success f ITIL implementatin. Service Strategy 3 7 EDM APO BAI DSS MEA Service Design Service Transitin 8 Service Operatin 5 Cntinual Service Imprvement 3 3 Table 2: COBIT and ITIL mapping [10] When used tgether, the pwer f bth appraches is amplified, with a greater likelihd f management supprt and directin, and a mre cst-effective use f implementatin resurces. 4.2 COBIT and CMMI "CMMI fr services and CMMI fr acquisitins are cmplementary t COBIT, in that these aspects are nt adequately cvered by COBIT. Bth CMMI and COBIT include a maturity mdel, hwever the CMMI standards include gals and prcedures which are nt part f the COBIT maturity mdel" [11]. CMMI cvers these aspects in detail, even thugh it is fcused n system develpment having limited cverage f IT gvernance and management issues. In COBIT 5 the Maturity Mdel is changed, assigning mre imprtance t the prcesses. The task f the new Prcess Capability Mdel is the same as the Maturity Mdel, but the structure f the framewrk is mdified. The number f levels fr assessing a prcess is the same cmpared t the Maturity Mdel, althugh the name, the meaning, and especially the attributes fr assessing a prcess are different. Accrding t [10] the tw framewrks culd seem similar, but there are differences in scpe and intents. The difference f intents between levels is linked t the significant fcus n the achievement f the IT prcesses purpses and a mre frmal assessment brught by the new framewrk. Accrding t [10], the six levels f the COBIT 5 Prcess Capability Mdel are: Level 0: Incmplete prcess. The prcess is nt placed r it cannt reach its bjective. At this level the prcess has n bjective t achieve. Fr this reasn this level has n attribute. Level 1: Perfrmed prcess. The prcess is in place and achieves its wn purpse. This level has nly Prcess Perfrmance as prcess attribute. Level 2: Managed prcess. The prcess is implemented fllwing a series f activities such as planning, mnitring and adjusting activities. The utcmes are established, cntrlled and maintained. This level has Perfrmance Management and Wrk Prduct Management as prcess attributes. Level 3: Established prcess. The previus level is nw implemented fllwing a defined prcess that allws the achievement f the prcess utcmes. This level has Prcess Definitin and Prcess Deplyment as prcess attributes. Level 4: Predictable prcess. This level implements prcesses within a defined bundary that allws the achievement f the prcesses utcmes. This level has Prcess Management and Prcess Cntrl as prcess attributes. Level 5: Optimizing prcess. This level implements prcesses in the way that makes it pssible t achieve relevant, current and prjected business gals. This level has Prcess Innvatin and Prcess Optimizatin as prcess attributes. In COBIT 5 t achieve a given level f capability, the previus level has t be cmpletely achieved The fllwing COBIT 5 areas and dmains are cvered by CMMI: Applicatin-building-and acquisitin related prcesses in the BAI dmain Sme rganizatinal and quality-related prcesses frm the APO dmain 4.3 COBIT and PMBOK PMBOK defines best practices and techniques fr prject management and des nt cver aspects f IT management and IT gvernance. COBIT and PMBOK cannt be directly related as they are nt many similar bjectives. Only a handful f features are cmmn between PMBOK and COBIT. PMBOK address these features f COBIT relatively well as illustrated belw: 2014 Internatinal Jurnal f Cmputer Science Issues

7 IJCSI Internatinal Jurnal f Cmputer Science Issues, Vlume 11, Issue 6, N 1, Nvember EDM COBIT Ensure stakehlder transparency APO Manage prtfli Manage budget and csts Manage human resurces Manage suppliers Manage quality Manage risk BAI PMBOK Knwledge Areas Prject Integratin Management Prject Scpe Management Prject Time Management Prject Cst Management Prject Quality Management Prject Human Resurce Management Prject Cmmunicatins Management Prject Risk Management Prject Prcurement Management Prject Stakehlder Management Manage prgrammes and prjects Manage requirements definitin Manage changes Table 3: COBIT and PMBOK mapping [12] 4.4 COBIT and TOGAF The fllwing COBIT 5 areas and dmain are cvered by TOGAF [12]: Resurce-related prcesses in the EDM (gvernance) dmain The TOGAF Cmpnents f an Architecture Bard, Architecture Gvernance and Architecture Maturity Mdels Map t resurce ptimizatin The enterprise architecture in the APO dmain. In the cre f TOGAF is the Architecture Develpment Methd cycle, which maps t the COBIT 5 practices f develping an architecture visin (ADM phase A), defining reference architectures (ADM phases B, C, D), selecting pprtunities and slutins (ADM phase E), and defining architecture implementatin (ADM phases F, G). A number f TOGAF cmpnents map t the COBIT 5 practice f prviding enterprise architecture services. These include: ADM Requirements Management Architecture Principles Stakehlder Management Business Transfrmatin Readiness Assessment Risk Management Capability-based Planning Architecture cmpliance Architecture cntracts assists in ensuring that the enterprise can sustain its peratins and implement the strategies required t extend its activities int the future. It prvides assurance that expectatins fr IT are met and IT risks are addressed. In summary, IT gvernance ensures that IT gals are met and IT risks are mitigated such that IT delivers value t sustain and grw the enterprise. Hwever, because f their plurality, chice r integratin f multiple IT Gvernance framewrks can be very difficult. In this paper the ppular framewrks fr the IT Gvernance have been intrduced and evaluated based n the EDM, APO, BAI, DDS and MEA parameters (the imprtant parameters f COBIT 5). Fr future wrk integrating ther parameters fr evaluating such as agility, ethic and envirnment will be cnstructive. Based n the literature review and the analysis perfrmed, it is apparent that framewrks subjects f the study are cmplementary. Mst cmpanies g with COBIT r ITIL, but thers can make ther chices. Fr peratins, try ITIL. Fr applicatin develpment and lifecycle issues, try CMMI. COBIT is als a great umbrella framewrk. But cmbining framewrks can als make sense. COBIT can be used as an verall framewrk; then ITIL fr peratins, CMMI fr develpment, PMBOK fr prject management and TOGAF fr enterprise architecture. References [1] "Taking Gvernance Frward Initiative", ITGI [2] "Develping a successful gvernance strategy", NCC [3] "COBIT5 Framewrk, ISACA [4] "Pur une guvernance SI intégrée", APMG-Internatinal [5] Architecture Gvernance, " [6] P.HILL and K. Turbitt, "Cmbine ITIL and COBIT t Meet Business Challenges", ITGI [7] "PMBOK 5 th Editin, PMI [8] "CMMI fr Service", Sftware Engineering Sftware, 2010 [9] "TOGAF Versin 9", The Open Grup [10] M. Samitakis, ISACA Athens Chapter, April 2013 [11] Praeg and Spath, 2011 [12] "Appendix E. Mapping f COBIT 5 With the mst relevant related standards and framewrks", ISACA 5. Cnclusins IT gvernance framewrks helps bards and management understand the issues and strategic imprtance f IT, and 2014 Internatinal Jurnal f Cmputer Science Issues