IT Governance Capability Maturity Assessment Framework

IT Governance Capability Maturity within Government
Vernon John, SITA

Enterprise Governance
IT Governance
Capability performance management + Risk Management = Optimal delivery of IT services (business value)

Topics
• Preamble
• Brief overview of COBIT
• Overall COBIT Framework
• IT Governance Capability Maturity Assessment Framework
• Assessment Approach
• Assessment Results
  • Importance and Performance
• General observations
• Conclusion
• References: Control Objectives for Information and related Technology (COBIT)
Preamble
• Objective: Gauge IT Governance capability maturity levels
• IT Governance Capability Maturity Assessment Framework, drawing on the following sources:
  • Board Briefing on IT Governance, 2nd Edition, ITGI
  • COBIT 4.1® Management Guidelines
  • COBIT Implementation Guide
  • IT Governance Implementation Guide, ITGI
  • Maturity Measurement – Fit the Purpose, Then the Method, Guldentops E, ISACA, 2003
• Development of templates (assessment and reports)
• 13 government departments were measured:
  • 4 x National Departments
  • 4 x Provincial Departments
  • 5 x Municipalities
• This presentation provides insight into:
  • The IT Governance Capability Maturity Assessment Framework and assessment approach
  • Measurement outcomes
Brief overview of COBIT
• A set of accepted best practices for IT management and guidance materials for IT Governance
• Developed by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI)
• According to ISACA, “COBIT is an IT governance framework and supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks. COBIT enables clear policy development and good practice for IT control throughout organizations. COBIT emphasizes regulatory compliance, helps organizations to increase the value attained from IT, enables alignment and simplifies implementation of the COBIT framework.”
• COBIT hierarchy: 4 Domains, 34 Processes, more than 200 Control Objectives, more than 800 Control Test Statements
Overall COBIT Framework
Figure: the COBIT framework. Business objectives and governance objectives drive the IT processes, which use the IT Resources (Applications, Infrastructure, Information, People) to provide Information to the business processes. The information criteria are Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance and Reliability. The four domains form a cycle: Plan and Organise, Acquire and Implement, Deliver and Support, Monitor and Evaluate.

Plan and Organise (PO)
PO1 Define a strategic IT plan.
PO2 Define the information architecture.
PO3 Determine technological direction.
PO4 Define the IT processes, organisation and relationships.
PO5 Manage the IT investment.
PO6 Communicate management aims and direction.
PO7 Manage IT human resources.
PO8 Manage quality.
PO9 Assess and manage IT risks.
PO10 Manage projects.

Acquire and Implement (AI)
AI1 Identify automated solutions.
AI2 Acquire and maintain application software.
AI3 Acquire and maintain technology infrastructure.
AI4 Enable operation and use.
AI5 Procure IT resources.
AI6 Manage changes.
AI7 Install and accredit solutions and changes.

Deliver and Support (DS)
DS1 Define and manage service levels.
DS2 Manage third-party services.
DS3 Manage performance and capacity.
DS4 Ensure continuous service.
DS5 Ensure systems security.
DS6 Identify and allocate costs.
DS7 Educate and train users.
DS8 Manage service desk and incidents.
DS9 Manage the configuration.
DS10 Manage problems.
DS11 Manage data.
DS12 Manage the physical environment.
DS13 Manage operations.

Monitor and Evaluate (ME)
ME1 Monitor and evaluate IT performance.
ME2 Monitor and evaluate internal control.
ME3 Ensure compliance with external requirements.
ME4 Provide IT governance.
IT Governance Capability Maturity Assessment Framework
Figure: the assessment cycle, applied to every COBIT process (PO1..POn, AI1..AIn, DS1..DSn, ME1..MEn). The cycle comprises:
• Raise awareness (Awareness and Communication)
• Assess Current Capability Maturity, using the COBIT maturity model attributes (COBIT 4.1 Maturity Model Attribute Table):
  • Awareness and Communication
  • Policies, Plans and Procedures
  • Tools and Automation
  • Skills and Expertise
  • Responsibility and Accountability
  • Goal setting and Measurement
• Determine Target Capability Maturity
• Analyse Gaps and Identify Improvement Initiatives
• Envision Solution
• Plan Solution

Per process the following is also recorded: Accountable, Responsible, Audited, Importance, Performance, Control Weaknesses, Technology Used, Vulnerabilities (Technology).

Importance rating scale:
1 - Not at all
2 - Can survive without it if need be
3 - Make things easier
4 - Very significant
5 - Critical

Performance rating scale:
1 - Some aspects rarely
2 - Some aspects sometimes
3 - All aspects sometimes
4 - Parts are always done well
5 - All is always done well

Note: Assessment results excluded from this presentation
Assessment approach
• SITA facilitated a two-day work-session with IT representatives
• During the work-session the following was done:
  • Created an awareness of IT Governance and of our assessment framework and approach
  • Presented the 34 COBIT processes and control objectives. Thereafter, the representatives were given an opportunity to:
    • Provide information related to the IT process, such as Accountability, Responsibility and whether or not the process has been Audited
    • Rate the test statements for the control objectives in terms of Importance and Performance
    • Rate the process maturity attributes per IT process in terms of how well they perceived that they are currently performing and where they would like to perform. The facilitator probed participants to ensure that they understood the process and control objectives and to support a more informed scoring
  • The ratings were used to calculate the overall maturity levels
  • A sample of evidence was requested by the SITA assessment team from the Department representatives to support the ratings provided
• The assessment outcomes were analysed, and initiatives to improve IT governance were identified, prioritised and documented in a report
• Given the short duration of the exercise, the assessment was not done at a very low level of detail, but it was sufficient to provide a sense of the IT Governance maturity level and to identify areas for improvement
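The scoring described above (rate each test statement 1..5 on Importance and Performance, average per process, rank processes by the gap) as an added Python example; this is not SITA's tooling. It assumes that % Diff = (Imp − Perf) / Perf × 100, which the page does not state but which reproduces its published figures within rounding, and that raw ratings are averaged per process; the raw ratings below are constructed, the four published averages are copied from the results table.

```python
from statistics import mean

# Rating scales exactly as given in the presentation's legend.
IMPORTANCE_SCALE = {1: "Not at all", 2: "Can survive without it (if need be)",
                    3: "Make things easier", 4: "Very significant", 5: "Critical"}
PERFORMANCE_SCALE = {1: "Some aspects rarely", 2: "Some aspects sometimes",
                     3: "All aspects sometimes", 4: "Parts are always done well",
                     5: "All is always done well"}

def process_score(statement_ratings):
    """Average (perf, imp) over the (perf, imp) ratings of a process's test statements.
    Out-of-scale values are rejected before they can skew the mean (assumption: the
    page averages rater inputs this way; it does not show the arithmetic)."""
    for perf, imp in statement_ratings:
        if perf not in PERFORMANCE_SCALE or imp not in IMPORTANCE_SCALE:
            raise ValueError(f"rating out of scale: perf={perf}, imp={imp}")
    return (round(mean(p for p, _ in statement_ratings), 2),
            round(mean(i for _, i in statement_ratings), 2))

def gap_pct(perf, imp):
    """Assumed % Diff: shortfall of Performance against Importance, as a percentage
    of Performance. Reproduces the page's figures within rounding of its averages."""
    return round((imp - perf) / perf * 100, 2)

def rank_by_gap(process_scores):
    """Order processes largest gap first: the prioritisation view the results use."""
    rows = [(name, perf, imp, gap_pct(perf, imp))
            for name, (perf, imp) in process_scores.items()]
    return sorted(rows, key=lambda r: r[3], reverse=True)

def domain_averages(process_scores):
    """Average Perf and Imp per COBIT domain (PO, AI, DS, ME), read off the process prefix."""
    by_domain = {}
    for name, (perf, imp) in process_scores.items():
        domain = name.split()[0].rstrip("0123456789")
        by_domain.setdefault(domain, []).append((perf, imp))
    return {d: (round(mean(p for p, _ in v), 2), round(mean(i for _, i in v), 2))
            for d, v in by_domain.items()}

# Published averages (Perf, Imp) for four processes, copied from the page's table.
PUBLISHED = {
    "DS4 Ensure Continuous Service": (1.51, 4.44),  # page: 195.18%
    "PO8 Manage Quality": (1.72, 4.18),             # page: 143.01%
    "DS5 Ensure Systems Security": (1.91, 4.07),    # page: 112.99%
    "AI5 Procure IT Resources": (2.87, 4.24),       # page: 47.91%
}
# Constructed raw ratings for one process: three raters x two test statements.
CONSTRUCTED_RATINGS = [(2, 4), (1, 5), (2, 4), (2, 4), (1, 4), (3, 5)]

if __name__ == "__main__":
    for name, perf, imp, gap in rank_by_gap(PUBLISHED):
        print(f"{name:<32} perf={perf:.2f} imp={imp:.2f} gap={gap:.2f}%")
    print(process_score(CONSTRUCTED_RATINGS), domain_averages(PUBLISHED))
```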
Assessment results
Importance and Performance Per Domain (average rating per level: All departments, National, Provincial, Local)

Domain   All Imp  All Perf   Nat Imp  Nat Perf   Prov Imp  Prov Perf   Local Imp  Local Perf
PO       4.08     2.02       4.18     2.42       4.28      1.90        3.78       1.73
AI       4.05     2.12       4.34     2.63       4.20      1.88        3.61       1.85
DS       3.85     1.82       4.09     2.12       4.09      1.67        3.38       1.67
ME       3.87     1.72       3.98     2.10       4.19      1.52        3.45       1.53

Legend
Importance (Imp): 1 - Not at all; 2 - Can survive without it (if need be); 3 - Make things easier; 4 - Very significant; 5 - Critical
Performance (Perf): 1 - Some aspects rarely; 2 - Some aspects sometimes; 3 - All aspects sometimes; 4 - Parts are always done well; 5 - All is always done well
Assessment results
Average Importance and Performance Per Process Per Domain

Process                                                      Perf  Imp   % Diff
PO1 Define a Strategic IT Plan                               2.17  4.14   91.04%
PO2 Define the Information Architecture                      1.50  3.93  161.86%
PO3 Determine Technological Direction                        1.93  3.97  105.59%
PO4 Define the IT Processes, Organisation and Relationships  2.03  4.13  103.05%
PO5 Manage the IT Investment                                 2.42  3.95   63.49%
PO6 Communicate Management Aims and Direction                2.06  4.01   94.89%
PO7 Manage IT Human Resources                                2.28  4.16   82.32%
PO8 Manage Quality                                           1.72  4.18  143.01%
PO9 Assess and Manage IT Risks                               1.99  4.27  114.93%
PO10 Manage Projects                                         2.06  4.08   98.39%
PO Average                                                   2.02  4.08  102.56%
AI1 Identify Automated Solutions                             2.01  4.06  101.94%
AI2 Acquire and Maintain Application Software                2.08  3.92   88.04%
AI3 Acquire and Maintain Technology Infrastructure           2.04  4.11  101.09%
AI4 Enable Operation and Use                                 2.11  3.89   84.62%
AI5 Procure IT Resources                                     2.87  4.24   47.91%
AI6 Manage Changes                                           1.88  4.15  121.47%
AI7 Install and Accredit Solutions and Changes               1.85  3.99  116.00%
AI Average                                                   2.12  4.05   91.18%
DS1 Define and Manage Service Levels                         1.77  3.72  109.82%
DS2 Manage Third-party Services                              2.00  3.98   99.48%
DS3 Manage Performance and Capacity                          1.73  3.96  129.38%
DS4 Ensure Continuous Service                                1.51  4.44  195.18%
DS5 Ensure Systems Security                                  1.91  4.07  112.99%
DS6 Identify and Allocate Costs                              1.46  2.62   79.66%
DS7 Educate and Train Users                                  1.86  3.62   94.81%
DS8 Manage Service Desk and Incidents                        2.16  4.07   88.42%
DS9 Manage the Configuration                                 1.67  3.69  120.55%
DS10 Manage Problems                                         1.80  4.12  128.26%
DS11 Manage Data                                             1.79  4.05  127.02%
DS12 Manage the Physical Environment                         2.26  3.97   75.40%
DS13 Manage Operations                                       1.74  3.77  116.24%
DS Average                                                   1.82  3.85  111.71%
ME1 Monitor and Evaluate IT Performance                      1.79  3.80  112.78%
ME2 Monitor and Evaluate Internal Control                    1.63  3.79  132.37%
ME3 Ensure Compliance With External Requirements             1.73  3.87  123.46%
ME4 Provide IT Governance                                    1.71  4.03  135.40%
ME Average                                                   1.72  3.87  125.78%

Legend
Importance (Imp): 1 - Not at all; 2 - Can survive without it (if need be); 3 - Make things easier; 4 - Very significant; 5 - Critical
Performance (Perf): 1 - Some aspects rarely; 2 - Some aspects sometimes; 3 - All aspects sometimes; 4 - Parts are always done well; 5 - All is always done well
Assessment results

Very Significant Processes (17), ranked by Importance
Process                                                      Perf  Imp   % Diff
DS4 Ensure Continuous Service                                1.51  4.44  195.18%
PO9 Assess and Manage IT Risks                               1.99  4.27  114.93%
AI5 Procure IT Resources                                     2.87  4.24   47.91%
PO8 Manage Quality                                           1.72  4.18  143.01%
PO7 Manage IT Human Resources                                2.28  4.16   82.32%
AI6 Manage Changes                                           1.88  4.15  121.47%
PO1 Define a Strategic IT Plan                               2.17  4.14   91.04%
PO4 Define the IT Processes, Organisation and Relationships  2.03  4.13  103.05%
DS10 Manage Problems                                         1.80  4.12  128.26%
AI3 Acquire and Maintain Technology Infrastructure           2.04  4.11  101.09%
PO10 Manage Projects                                         2.06  4.08   98.39%
DS5 Ensure Systems Security                                  1.91  4.07  112.99%
DS8 Manage Service Desk and Incidents                        2.16  4.07   88.42%
AI1 Identify Automated Solutions                             2.01  4.06  101.94%
DS11 Manage Data                                             1.79  4.05  127.02%
ME4 Provide IT Governance                                    1.71  4.03  135.40%
PO6 Communicate Management Aims and Direction                2.06  4.01   94.89%

Processes with highest Performance (17)
Process                                                      Perf  Imp   % Diff
AI5 Procure IT Resources                                     2.87  4.24   47.91%
PO5 Manage the IT Investment                                 2.42  3.95   63.49%
PO7 Manage IT Human Resources                                2.28  4.16   82.32%
DS12 Manage the Physical Environment                         2.26  3.97   75.40%
PO1 Define a Strategic IT Plan                               2.17  4.14   91.04%
DS8 Manage Service Desk and Incidents                        2.16  4.07   88.42%
AI4 Enable Operation and Use                                 2.11  3.89   84.62%
AI2 Acquire and Maintain Application Software                2.08  3.92   88.04%
PO6 Communicate Management Aims and Direction                2.06  4.01   94.89%
PO10 Manage Projects                                         2.06  4.08   98.39%
AI3 Acquire and Maintain Technology Infrastructure           2.04  4.11  101.09%
PO4 Define the IT Processes, Organisation and Relationships  2.03  4.13  103.05%
AI1 Identify Automated Solutions                             2.01  4.06  101.94%
DS2 Manage Third-party Services                              2.00  3.98   99.48%
PO9 Assess and Manage IT Risks                               1.99  4.27  114.93%
PO3 Determine Technological Direction                        1.93  3.97  105.59%
DS5 Ensure Systems Security                                  1.91  4.07  112.99%

Processes with highest “Differences” (17), ranked by % Diff
Process                                                      Perf  Imp   % Diff
DS4 Ensure Continuous Service                                1.51  4.44  195.18%
PO2 Define the Information Architecture                      1.50  3.93  161.86%
PO8 Manage Quality                                           1.72  4.18  143.01%
ME4 Provide IT Governance                                    1.71  4.03  135.40%
ME2 Monitor and Evaluate Internal Control                    1.63  3.79  132.37%
DS3 Manage Performance and Capacity                          1.73  3.96  129.38%
DS10 Manage Problems                                         1.80  4.12  128.26%
DS11 Manage Data                                             1.79  4.05  127.02%
ME3 Ensure Compliance With External Requirements             1.73  3.87  123.46%
AI6 Manage Changes                                           1.88  4.15  121.47%
DS9 Manage the Configuration                                 1.67  3.69  120.55%
DS13 Manage Operations                                       1.74  3.77  116.24%
AI7 Install and Accredit Solutions and Changes               1.85  3.99  116.00%
PO9 Assess and Manage IT Risks                               1.99  4.27  114.93%
DS5 Ensure Systems Security                                  1.91  4.07  112.99%
ME1 Monitor and Evaluate IT Performance                      1.79  3.80  112.78%
DS1 Define and Manage Service Levels                         1.77  3.72  109.82%

Legend
Importance (Imp): 1 - Not at all; 2 - Can survive without it (if need be); 3 - Make things easier; 4 - Very significant; 5 - Critical
Performance (Perf): 1 - Some aspects rarely; 2 - Some aspects sometimes; 3 - All aspects sometimes; 4 - Parts are always done well; 5 - All is always done well
Overall average
• The overall average level was between level 1 and level 2. According to the COBIT Generic Maturity Model, the level 1 and level 2 descriptions are as follows:
• “1 Initial/Ad Hoc—There is evidence that the enterprise has recognised that the issues exist and need to be addressed. There are, however, no standardised processes; instead, there are ad-hoc approaches that tend to be applied on an individual or case-by-case basis. The overall approach to management is disorganised.
• 2 Repeatable but Intuitive—Processes have developed to the stage where similar procedures are followed by different people undertaking the same task. There is no formal training or communication of standard procedures, and responsibility is left to the individual. There is a high degree of reliance on the knowledge of individuals and, therefore, errors are likely.”
Observations
• Participants gave their full cooperation and were receptive to the final reports
• There was an awareness of IT Governance at a conceptual level, but limited knowledge of the details as stipulated in COBIT or of IT Governance implementation
• Participants understood the importance of IT Governance and acknowledged that they have a key role to play in its implementation. However, in many instances more emphasis was placed on “operational responsibilities” as a higher priority than on IT Governance type responsibilities.
• Some participants were not able to indicate clearly who was accountable and responsible for the execution of IT processes
• Very few had explicit IT Governance and IT Process frameworks
• Some formal IT policies, processes, procedures or plans have been instituted; however, this was not done in the context of an overall IT Governance framework, and periodic reviews were limited
• Some IT processes underwent auditing, albeit that some audits are done on an ad hoc basis
• Limited tools are used in support of executing the IT processes. Desktop productivity tools are primarily used, and these have limited functionality to support effective and efficient execution of the IT processes
• Unavailability of funds
Conclusion
• COBIT is a very comprehensive IT Governance framework, and there is a need to simplify the implementation of COBIT IT Governance within Government departments, which could be done by:
  • Establishing a “minimum” IT Governance framework
  • Compiling an implementation method for the “minimum” IT Governance framework
  • Compiling and making available e.g. generic policies and processes that are aligned to the “minimum” framework and that could be easily adapted
  • Initiating IT Governance practitioner training
  • Conducting periodic assessments

Thank You