[project.headway] Integrating Project HEADWAY And COBIT

Transcription

1 [project.headway] I N T E G R A T I O N S E R I E S Integrating Project HEADWAY And COBIT

2 P R O J E C T H E A D W A Y W H I T E P A P E R Integrating Project HEADWAY And COBIT Introduction This white paper has been developed to discuss the integration and alignment between the COBIT (the Control Objectives for Information and related Technology) developed by the IT Governance Institute (ITGI) and the Project HEADWAY framework developed and made available to corporate members by gantthead.com The COBIT framework and Project HEADWAY were developed for different specific purposes, but have distinct alignment opportunities that when understood can result in greater benefits to the organizations that use them. In this paper, we explore the backgrounds and purpose of each model, and how Project HEADWAY can support organizations that are using or seeking to adopt COBIT as a framework for their IT audit practices or for improving their overall approach to IT governance. COBIT Overview What is COBIT? COBIT is a framework for the governance of Information Technology. More specifically, its intention is to define the controls that are viewed as necessary in ensuring appropriate governance of the IT function within organizations. The COBIT framework itself is essentially a maturity model it has 34 IT processes, each of which is assessed against a five-level framework. The five levels are defined using the same terms used within SEI s CMMI, although the definitions used by COBIT for each of these terms are different. The stated purpose of the COBIT framework is as a guideline to allow organizations to define and attain their objectives for IT governance, specifically focussing upon: Benchmarking of the actual organization where the organization is today in its performance The current status of the industry a comparison of other, comparable organizations relative to the organization being assessed The target improvement objectives of the organization where the organization wants to get to relative to the defined framework COBIT Background & History The COBIT framework was developed by the IT Governance Institute, a self-described research think tank that was established in 1998 to support the improvement of IT governance within organizations and help ensure that the IT function supports the business needs. Their primary focus is on research and development of concepts and application of IT governance, and a key product is the COBIT framework. Now in its fourth version, the COBIT framework has been developed to define the various dimensions that an IT function should address in an effective, architecturally driven capability that supports the overall enterprise. The framework was developed through the input and review of a number of stakeholders from organizations around the world. An important focus of COBIT is its emphasis on controls, rather than processes. In essence, it is focussing on what should be looked for to ensure functions are being performed, rather than the processes by which the function should be performed. A primary vehicle for introduction of COBIT to organizations is through the internal audit function, where COBIT is used as the criteria to support audits and assessments. One of the primary proponents of the COBIT framework is the Information Systems Audit and Control Association (ISACA). COBIT Structure There are four essential dimensions of assessment that are defined within the COBIT framework: Plan and Organize. This dimension primarily focuses on the planning of the IT function and ensuring that there is an appropriate planning framework by which IT delivers on the business goals. The key processes within the Plan and Organize dimension are: o Define a strategic IT plan o Define the information architecture o Determine the technological direction o Define the IT processes, organizations and relationships o Manage the IT investment o Communicate management aims and directions o Manage IT human resources o Manage quality

3 o Assess and manage IT risks o Manage projects Acquire and Implement. This dimension focuses on the development or acquisition of the IT capabilities necessary to attain the defined strategy, and their implementation within the organization. The key processes within the Acquire and Implement dimension are: o Identify automated solutions o Acquire and maintain application software o Acquire and maintain technology infrastructure o Enable operation and use o Procure IT resources o Manage changes o Install and accredit solutions and changes Deliver and Support. This dimension focuses on the delivery of on-going IT services, including security, support, data management and operations. The key processes within the Deliver and Support dimension are: o Define and manage service levels o Manage third-party services o Manage performance and capacity o Ensure continuous service o Ensure system security o Identify and allocate costs o Educate and train users o Manage service desks and incidents o Manage the configuration o Manage problems o Manage data o Manage the physical environment o Manage operations Monitor and Evaluate. This dimension addresses the overall monitoring and control of the IT function, addressing the areas of performance measurement, regulatory compliance and governance. The key processes within the Monitor and Evaluate dimension are: o Monitor and evaluate IT performance o Monitor and evaluate internal control o Ensure regulatory compliance o Provide IT governance Additional Resources More information about COBIT can be found at the ITGI web site, located at: and the ISACA web site, located at Specific COBIT resources that are available include: General Information. ( This site provides a comprehensive overview of COBIT, including a download to the version 4.0 framework. The framework is a free download, but requires becoming a member of the site COBIT Mapping Overview of International IT Guidance. ( This document provides a comprehensive overview of how various international standards map to the COBIT framework, including CMMI, the PMBOK and Prince2. Project HEADWAY Overview What Is Project HEADWAY? Project HEADWAY is a project management methodology developed and published by gantthead.com. It provides a comprehensive framework for managing projects in an organizational context. The framework is fully compliant with the 2004 version of the Project Management Body of Knowledge (PMBoK ) of the Project Management Institute (PMI) and the latest version provides direct integration between the activities and steps within Project HEADWAY and the PMBoK guide. Project HEADWAY Background & History The methodology is based upon the JPACE project process originally developed by James Martin & Associates (now Headstrong) and is made available to corporate members of gantthead.com. In 2006, the Project HEADWAY process was enhanced and updated. Changes included directly aligning Project Headway with the PMBoK, as well as introducing guidelines for the management of three different project models, differentiated on size. Project HEADWAY defines all of the project management activities necessary to support the full management and delivery of projects, as well as supporting integration with a variety of product and service development processes. Project HEADWAY Structure The structure of Project HEADWAY is based upon five discrete phases of work:

4 Justify. The Justify phase focuses on articulating the purpose and business drivers for undertaking a project. This phase articulates the activities necessary to build a viable project charter, as well as to develop and sell the project business case. Plan. The Plan phase describes the work necessary to plan a project in detail. It defines the full range of activities necessary to produce a project plan, including determining the objectives and scope of the project, selecting the project approach, developing the detailed work plans and determining the project management activities necessary to successfully deliver the project. Activate. The Activate phase articulates the work necessary to initiate a project once it has been approved, including securing team members, managing stakeholder communications and awareness and ensuring the resources are in place to deliver the project. Control. The Control phase defines the work necessary to monitor and control the project throughout its life. It addresses the steps required to monitor project progress, take corrective action as required and control the various aspects of the plan, including schedule, cost, scope and risk. End. The End project phase addresses the activities required to successfully close the project and evaluate success. It addresses the administrative requirements necessary to complete the project and any associated contracts, the evaluation of project success, redeployment of staff and the identification of future improvement opportunities and the ability to reuse the capabilities produced in this project. Integration & Alignment How Project HEADWAY Supports COBIT Within Project HEADWAY, there is a strong philosophical support for the principles defined in COBIT. In particular, there is a strong emphasis on governance, sponsorship, oversight and the measurable delivery of project results. The Project HEADWAY process itself inherently supports the control objectives of COBIT, in that the process clearly defines the outputs and expectations of each step, and there is an intrinsic level of measurability incorporated into the process. That said, COBIT defines the framework for full governance of the IT function, with a strong emphasis on the operational and functional processes and controls necessary to manage an effective IT organization. While projects are a component of COBIT, they are only one aspect of a much larger framework. Support for COBIT Criteria As reflected in evaluating the other project management frameworks compared by the IT Governance Institute in their document COBIT Mapping Overview of International IT Guidance, the primary emphasis supported by Project HEADWAY is on a smaller subset of the practice areas: Process Supports Contributes Does Not Comments Support Plan & Organize Define a strategic IT plan Project HEADWAY embraces the principle of a strategic approach to project selection, and governance and executive oversight are critical elements. Define the information architecture Determine the technological direction Define the IT processes, organizations and relationships From a project perspective, Project HEADWAY guides definition of the processes and the stakeholder organizations and relationships involved in the project efforts.

5 Process Supports Contributes Does Not Comments Support Manage the IT investment From a project perspective, Project HEADWAY defines a means of managing budgets and tracking and controlling costs. Communicate management aims and directions From a project perspective, Project HEADWAY provides a strong framework for defining and managing the delivery of communications. Manage IT human resources From a project perspective, Project HEADWAY provides excellent support for the identification, management and development of project team members and their ultimate reintroduction to the organization. Manage quality From a project perspective, Project HEADWAY provides guidelines for defining quality expectations and managing the inspection and acceptance of project deliverables. Assess and manage IT risks From a project perspective, Project HEADWAY provides a robust framework for identifying, planning for and managing and controlling project risks. Manage projects Project HEADWAY serves as an excellent basis for the project management expectations within the Manage projects process of COBIT. Acquire & Implement Identify automated solutions Much of the identification of automated solutions is done in a project context, and Project HEADWAY provides excellent support for the definition of requirements and identification and procurement planning activities necessary to identify candidate solutions. Acquire and maintain application software Project HEADWAY provides direct support and guidance for the acquisition or development of application solutions, whether delivered on a supplier basis or developed internally. The on-going maintenance of software, once acquired and delivered, becomes an operational support role. Acquire and maintain technology infrastructure The acquisition of required technology infrastructure is explicitly addressed within Project HEADWAY. The on-going maintenance and support, once acquired and implemented, becomes an operational support role. Enable operation and use Project HEADWAY provides support for the transition of project deliverables into an operational mode, and encourages identification of the operational and support requirements as part of the project effort.

6 Process Supports Contributes Does Not Comments Support Procure IT resources Project HEADWAY provides explicit guidance for identifying resource requirements and procuring resources to support projects. Manage changes Project HEADWAY provides support for the management of changes in a project context. Install and accredit solutions and changes Project HEADWAY supports the installation and accreditation of solutions managed in a project context. Deliver & Support Define and manage service levels As part of the process of closing out projects, Project HEADWAY provides guidance for identifying and defining organizational service levels. The on-going management of service levels, however, is an operational or functional activity. Manage third-party services Manage performance and capacity Ensure continuous service Ensure system security Identify and allocate costs Educate and train users Manage service desks and incidents Manage the configuration Manage problems Manage data Manage the physical environment Manage operations Monitor & Evaluate Monitor and evaluate IT performance In a project context, Project HEADWAY provides strong support for the monitoring and evaluating project performance. Monitor and evaluate internal control Ensure regulatory compliance Provide IT governance Project HEADWAY provides strong support for establishing governance of the projects in an IT context.

7 Using Project HEADWAY to Support COBIT Initiatives While Project HEADWAY provides support for some of the key criteria associated with COBIT, it is also an ideal management framework for organizations that are seeking to use and apply COBIT in either conducting audits or implementing capabilities based upon the COBIT standard. For most organizations, the most common application of COBIT is in the conducting of audits and assessments. The initial introduction of the COBIT criteria to an organization is in establishing the criteria that will be applied to audit the IT function. In managing the design and delivery of an audit engagement, understanding the process by which the engagement is managed is as important as for any other project effort. Project HEADWAY is a generic management framework, and provides the means by which the overall project is managed. Within that framework, project teams still need to define the specific activities and deliverables necessary to supply the work products expected from the project. As with many other projects, the first step in conducting an audit or assessment engagement is performing a needs assessment to ensure that the auditor and the organization being assessed have a shared understanding of the elements to be reviewed and the planned results of the audit. The tools and techniques applied in conducting the needs assessment can be varied, including interviews, materials review, surveys, questionnaires and direct observation. Once agreement is attained between the organizations regarding the audit approach to be used, the formal audit process itself commences. The overall audit process consists of the following key steps. Definition & agreement of audit objectives. The auditors identify the specific objectives of the audit, and the most appropriate audit strategy to deliver on the audit objectives. Establishment & confirmation of audit criteria. Audit criteria can be based upon either organizational or industry standards. Depending upon the audit, the criteria can be based upon the specific objectives or the process a project was initiated using, the internal organizational standards or adopt and incorporate recognized industry standards and practices. Depending upon the stage of implementation of COBIT within an organization, aspects of the COBIT framework may have been incorporated into a project, the framework itself may have been implemented within the organization, or the standard may be relied upon as an independent framework based upon which the audit is being conducted. Conducting of a pre-audit meeting. The auditors conduct a pre-audit meeting with the key management representatives of all stakeholder organizations, as appropriate for the specific audit being conducted. The purpose of this meeting is to set expectations regarding the audit process, review the criteria, confirm the timeline and approach that will be adopted, and confirm expectations in terms of support and resource availability. This provides a formal recognition of the audit process commencing, and provides stakeholders with appropriate information to understand the process and expectations. Conducting of the audit process. The audit process is conducted based upon the agreed upon approach for the audit. The auditors conduct interviews, file and document reviews and gather other data and evidence as required to support the specific expectations and objectives of the audit. Upon completion of the investigation activities, the auditors develop their findings, analysis and recommendations resulting from the audit. Conducting of the audit exit meeting. Delivery of a successful audit requires acceptance of the findings and recommendations and a commitment to action by the organization being audited. To validate the findings and ensure they are clear and understandable, auditors typically use an audit exit meeting to review the draft findings with the organizational stakeholders prior to finalization of the audit report and recommendations. Based upon the results of these meetings, another draft of the findings may be prepared and reviewed. Finalization of the audit and presentation of findings. The final audit documentation is prepared in the agreed upon format, and presented to the organization being audited. As a result of the presentation, senior management within the organization will typically provide a management response that indicates their feedback regarding the audit findings, and the actions that they intend to take as a result. As well as supporting the management of audit initiatives, Project HEADWAY also provides strong support for the management of improvement activities resulting from an audit and the implementation of the processes and controls within COBIT where it is being adopted by an organization as its governance framework. Project HEADWAY offers a number of key advantages in this regard, including: There is an emphasis on overall sponsorship and governance oversight within Project HEADWAY, which is the core principle on which the entire COBIT framework is based. The methodology strongly embraces the same core principles of control and improvement upon which the COBIT framework is based.

8 As well as supporting the Project Management process, Project HEADWAY reinforces and aligns with a number of the other process areas within COBIT with respect to how organization controls and governance structures are managed. The overall procedure defined within Project HEADWAY is process independent, enabling organizations to adopt the process improvement, change management and systems development techniques that most appropriate support realization of their overall improvement objectives. Conclusions Overall, there is good alignment and support between the principles defined within COBIT and the capabilities delivered by Project HEADWAY. COBIT is a controls-based framework for governance, and Project HEADWAY has been designed to ensure the requisite governance, assessment capabilities and controls are in place to support the managed delivery of projects. That said, COBIT is a governance framework that addresses the full scope of the IT function, including support, operations and maintenance activities, which are typically managed using functional rather than project processes. Where an IT organization is conducting projects, Project HEADWAY provides a strong basis to support project management and delivery in an environment seeking to adhere to the COBIT framework. Project HEADWAY aligns well with the principles of COBIT, and can support building a strong understanding of organizational plans, requirements and governance expectations. The project support expectations of COBIT, while a subset of the overall framework, are well supported by the Project HEADWAY methodology, and the methodology itself offers a sound means of managing the introduction of the COBIT framework to an organization or the management of the audit and improvement activities that are often associated with an organization s initial introduction to COBIT.