COBIT - II Process Orientation

Domains: a natural grouping of processes, often matching an organisational domain of responsibility.
Processes: a series of joined activities with natural control breaks.
Activities or Tasks: actions needed to achieve a measurable result. Activities have a life cycle, whereas tasks are discrete.

Domains
• COBIT defines IT activities in a generic process model within four domains.
1. Plan and Organise
2. Acquire and Implement
3. Deliver and Support
4. Monitor and Evaluate

Plan and Organise

Description
This domain covers strategy and tactics, and concerns the identification of how IT can best contribute to the achievement of the business objectives. Furthermore, the realisation of the strategic vision needs to be planned, communicated and managed from different perspectives. Finally, a proper organisation as well as a technological infrastructure must be put in place.

Topics
• Strategy and tactics
• Vision planned
• Organisation and infrastructure

Questions
• Are IT and the business strategy aligned?
• Is the enterprise achieving optimum use of its resources?
• Does everyone in the organisation understand the IT objectives?
• Are IT risks understood and being managed?
• Is the quality of IT systems appropriate for business needs?

Plan and Organise processes
PO1 Define a strategic information technology plan
PO2 Define the information architecture
PO3 Determine the technological direction
PO4 Define the IT organisation and relationships
PO5 Manage the investment in information technology
PO6 Communicate management aims and direction
PO7 Manage human resources
PO8 Ensure compliance with external requirements
PO9 Assess risks
PO10 Manage projects
PO11 Manage quality

Acquire and Implement

Description
To realise the IT strategy, IT solutions need to be identified, developed or acquired, as well as implemented and integrated into the business process. In addition, changes in and maintenance of existing systems are covered by this domain to make sure that the life cycle is continued for these systems.

Topics
• IT solutions
• Changes and maintenance

Questions
• Are new projects likely to deliver solutions that meet business needs?
• Are new projects likely to deliver on time and within budget?
• Will the new systems work properly when implemented?
• Will changes be made without upsetting current business operations?

Acquire and Implement processes
AI1 Identify automated solutions
AI2 Acquire and maintain application software
AI3 Acquire and maintain technology infrastructure
AI4 Develop and maintain IT procedures
AI5 Install and accredit systems
AI6 Manage changes

Deliver and Support

Description
This domain is concerned with the actual delivery of required services, which range from traditional operations through security and continuity aspects to training. To deliver services, the necessary support processes must be set up. This domain includes the actual processing of data by application systems, often classified under application controls.

Topics
• Delivery of required services
• Setup of support processes
• Processing by application systems

Questions
• Are IT services being delivered in line with business priorities?
• Are IT costs optimised?
• Is the work force able to use the IT systems productively and safely?
• Are adequate security, integrity and availability in place?

Deliver and Support processes
DS1 Define and manage service levels
DS2 Manage third-party services
DS3 Manage performance and capacity
DS4 Ensure continuous service
DS5 Ensure systems security
DS6 Identify and allocate costs
DS7 Educate and train users
DS8 Assist and advise customers
DS9 Manage the configuration
DS10 Manage problems and incidents
DS11 Manage data
DS12 Manage facilities
DS13 Manage operations

Monitor and Evaluate

Description
All IT processes need to be regularly assessed over time for their quality and compliance with control requirements. This domain thus addresses management's oversight of the organisation's control process and the independent assurance provided by internal and external audit or obtained from alternative sources.

Topics
• Assessment over time, delivering assurance
• Management's oversight of the control system
• Performance measurement

Questions
• Can IT's performance be measured, and can problems be detected before it is too late?
• Is independent assurance needed to ensure critical areas are operating as intended?

Monitor and Evaluate processes
M1 Monitor the process
M2 Assess internal control adequacy
M3 Obtain independent assurance
M4 Provide for independent audit

Business Requirements

Quality Requirements
• Quality
• Delivery
• Cost

Security Requirements
• Confidentiality
• Integrity
• Availability

Fiduciary Requirements*
• Effectiveness and efficiency of operations
• Compliance with laws and regulations
• Reliability of financial reporting

These requirements map onto the seven COBIT information criteria: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability of information.

*The Treadway Commission requires that management must attest to its organisation's effectiveness and efficiency of operations, reliability of financial reporting (not financial reports), and compliance with laws and regulations.

The COBIT model (three dimensions)
• IT Resources: the resources made available to, and built up by, IT: Data, Application systems, Technology, Facilities, People.
• IT Processes: how IT is organised to respond to the requirements: Plan and Organise, Acquire and Implement, Deliver and Support, Monitor and Evaluate.
• Business Requirements: what the stakeholders expect from IT: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Information reliability.

DS2 Example - Manage third-party services

Drilling Down the COBIT model