COBIT

 


COBIT 4.1: Framework, Control Objectives, Management Guidelines, Maturity Models


The IT Governance Institute®

The IT Governance Institute (ITGI™) (www.itgi.org) was established in 1998 to advance international thinking and standards in directing and controlling an enterprise's information technology. Effective IT governance helps ensure that IT supports business goals, optimises business investment in IT, and appropriately manages IT-related risks and opportunities. ITGI offers original research, electronic resources and case studies to assist enterprise leaders and boards of directors in their IT governance responsibilities.

Disclaimer

ITGI (the 'Owner') has designed and created this publication, titled COBIT® 4.1 (the 'Work'), primarily as an educational resource for chief information officers (CIOs), senior management, IT management and control professionals. The Owner makes no claim that use of any of the Work will assure a successful outcome. The Work should not be considered inclusive of any proper information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, CIOs, senior management, IT management and control professionals should apply their own professional judgement to the specific circumstances presented by the particular systems or IT environment.

Disclosure

Copyright © 2007 by the IT Governance Institute. All rights reserved. No part of this publication may be used, copied, reproduced, modified, distributed, displayed, stored in a retrieval system or transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise) without the prior written authorisation of ITGI. Reproduction of selections of this publication, for internal and non-commercial or academic use only, is permitted and must include full attribution of the material's source. No other right or permission is granted with respect to this work.

IT Governance Institute
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.590.7491
Fax: +1.847.253.1443
E-mail: info@itgi.org
Web site: www.itgi.org

ISBN 1-933284-72-2
COBIT® 4.1
Printed in the United States of America

© 2007 IT Governance Institute. All rights reserved. www.itgi.org


Acknowledgements

IT Governance Institute wishes to recognise:

Expert developers and reviewers
Mark Adler, CISA, CISM, CIA, CISSP, Allstate Ins. Co., USA
Peter Andrews, CISA, CITP, MCMI, PJA Consulting, UK
Georges Ataya, CISA, CISM, CISSP, MSCS, PBA, Solvay Business School, Belgium
Gary Austin, CISA, CIA, CISSP, CGFM, KPMG LLP, USA
Gary S. Baker, CA, Deloitte & Touche, Canada
David H. Barnett, CISM, CISSP, Applera Corp., USA
Christine Bellino, CPA, CITP, Jefferson Wells, USA
John W. Beveridge, CISA, CISM, CFE, CGFM, CQA, Massachusetts Office of the State Auditor, USA
Alan Boardman, CISA, CISM, CA, CISSP, Fox IT, UK
David Bonewell, CISA, CISSP-ISSEP, Accomac Consulting LLC, USA
Dirk Bruyndonckx, CISA, CISM, KPMG Advisory, Belgium
Don Canilglia, CISA, CISM, USA
Luis A. Capua, CISM, Sindicatura General de la Nación, Argentina
Boyd Carter, PMP, Elegantsolutions.ca, Canada
Dan Casciano, CISA, Ernst & Young LLP, USA
Sean V. Casey, CISA, CPA, USA
Sushil Chatterji, Edutech, Singapore
Edward Chavannes, CISA, CISSP, Ernst & Young LLP, USA
Christina Cheng, CISA, CISSP, SSCP, Deloitte & Touche LLP, USA
Dharmesh Choksey, CISA, CPA, CISSP, PMP, KPMG LLP, USA
Jeffrey D. Custer, CISA, CPA, CIA, Ernst & Young LLP, USA
Beverly G. Davis, CISA, Federal Home Loan Bank of San Francisco, USA
Peter De Bruyne, CISA, Banksys, Belgium
Steven De Haes, University of Antwerp Management School, Belgium
Peter De Koninck, CISA, CFSA, CIA, SWIFT SC, Belgium
Philip De Picker, CISA, MCA, National Bank of Belgium, Belgium
Kimberly de Vries, CISA, PMP, Zurich Financial Services, USA
Roger S. Debreceny, Ph.D., FCPA, University of Hawaii, USA
Zama Dlamini, Deloitte & Touche LLP, South Africa
Rupert Dodds, CISA, CISM, FCA, KPMG, New Zealand
Troy DuMoulin, Pink Elephant, Canada
Bill A. Durrand, CISA, CISM, CA, Ernst & Young LLP, Canada
Justus Ekeigwe, CISA, MBCS, Deloitte & Touche LLP, USA
Rafael Eduardo Fabius, CISA, Republica AFAP S.A., Uruguay
Urs Fischer, CISA, CIA, CPA (Swiss), Swiss Life, Switzerland
Christopher Fox, ACA, PricewaterhouseCoopers, USA
Bob Frelinger, CISA, Sun Microsystems Inc., USA
Zhiwei Fu, Ph.D., Fannie Mae, USA
Monique Garsoux, Dexia Bank, Belgium
Edson Gin, CISA, CFE, SSCP, USA
Sauvik Ghosh, CISA, CIA, CISSP, CPA, Ernst & Young LLP, USA
Guy Groner, CISA, CIA, CISSP, USA
Erik Guldentops, CISA, CISM, University of Antwerp Management School, Belgium
Gary Hardy, IT Winners, South Africa
Jimmy Heschl, CISA, CISM, KPMG, Austria
Benjamin K. Hsaio, CISA, Federal Deposit Insurance Corp., USA
Tom Hughes, Acumen Alliance, Australia
Monica Jain, CSQA, Covansys Corp., USA
Wayne D. Jones, CISA, Australian National Audit Office, Australia
John A. Kay, CISA, USA
Lisa Kinyon, CISA, Countrywide, USA
Rodney Kocot, Systems Control and Security Inc., USA
Luc Kordel, CISA, CISM, CISSP, CIA, RE, RFA, Dexia Bank, Belgium
Linda Kostic, CISA, CPA, USA
John W. Lainhart IV, CISA, CISM, IBM, USA
Philip Le Grand, Capita Education Services, UK
Elsa K. Lee, CISA, CISM, CSQA, AdvanSoft International Inc., USA
Kenny K. Lee, CISA, CISSP, Countrywide SMART Governance, USA
Debbie Lew, CISA, Ernst & Young LLP, USA


Acknowledgements (cont.)
Donald Lorete, CPA, Deloitte & Touche LLP, USA
Addie C.P. Lui, MCSA, MCSE, First Hawaiian Bank, USA
Debra Mallette, CISA, CSSBB, Kaiser Permanente, USA
Charles Mansour, CISA, Charles Mansour Audit & Risk Service, UK
Mario Micallef, CPAA, FIA, National Australia Bank Group, Australia
Niels Thor Mikkelsen, CISA, CIA, Danske Bank, Denmark
John Mitchell, CISA, CFE, CITP, FBCS, FIIA, MIIA, QiCA, LHS Business Control, UK
Anita Montgomery, CISA, CIA, Countrywide, USA
Karl Muise, CISA, City National Bank, USA
Jay S. Munnelly, CISA, CIA, CGFM, Federal Deposit Insurance Corp., USA
Sang Nguyen, CISA, CISSP, MCSE, Nova Southeastern University, USA
Ed O'Donnell, Ph.D., CPA, University of Kansas, USA
Sue Owen, Department of Veterans Affairs, Australia
Robert G. Parker, CISA, CA, CMC, FCA, Robert G. Parker Consulting, Canada
Robert Payne, Trencor Services (Pty) Ltd., South Africa
Thomas Phelps IV, CISA, PricewaterhouseCoopers LLP, USA
Vitor Prisca, CISM, Novabase, Portugal
Martin Rosenberg, Ph.D., IT Business Management, UK
Claus Rosenquist, CISA, TrygVesata, Denmark
Jaco Sadie, Sasol, South Africa
Max Shanahan, CISA, FCPA, Max Shanahan & Associates, Australia
Craig W. Silverthorne, CISA, CISM, CPA, IBM Business Consulting Services, USA
Chad Smith, Great-West Life, Canada
Roger Southgate, CISA, CISM, FCCA, CubeIT Management Ltd., UK
Paula Spinner, CSC, USA
Mark Stanley, CISA, Toyota Financial Services, USA
Dirk E. Steuperaert, CISA, PricewaterhouseCoopers, Belgium
Robert E. Stroud, CA Inc., USA
Scott L. Summers, Ph.D., Brigham Young University, USA
Lance M. Turcato, CISA, CISM, CPA, City of Phoenix IT Audit Division, USA
Wim Van Grembergen, Ph.D., University of Antwerp Management School, Belgium
Johan Van Grieken, CISA, Deloitte, Belgium
Greet Volders, Voquals NV, Belgium
Thomas M. Wagner, Gartner Inc., USA
Robert M. Walters, CISA, CPA, CGA, Office of the Comptroller General, Canada
Freddy Withagels, CISA, Capgemini, Belgium
Tom Wong, CISA, CIA, CMA, Ernst & Young LLP, Canada
Amanda Xu, CISA, PMP, KPMG LLP, USA

ITGI Board of Trustees
Everett C. Johnson, CPA, Deloitte & Touche LLP (retired), USA, International President
Georges Ataya, CISA, CISM, CISSP, Solvay Business School, Belgium, Vice President
William C. Boni, CISM, Motorola, USA, Vice President
Avinash Kadam, CISA, CISM, CISSP, CBCP, GSEC, GCIH, Miel e-Security Pvt. Ltd., India, Vice President
Jean-Louis Leignel, MAGE Conseil, France, Vice President
Lucio Augusto Molina Focazzio, CISA, Colombia, Vice President
Howard Nicholson, CISA, City of Salisbury, Australia, Vice President
Frank Yam, CISA, FHKIoD, FHKCS, FFA, CIA, CFE, CCP, CFSA, Focus Strategic Group, Hong Kong, Vice President
Marios Damianides, CISA, CISM, CA, CPA, Ernst & Young LLP, USA, Past International President
Robert S. Roussey, CPA, University of Southern California, USA, Past International President
Ronald Saull, CSP, Great-West Life and IGM Financial, Canada, Trustee

IT Governance Committee
Tony Hayes, FCPA, Queensland Government, Australia, Chair
Max Blecher, Virtual Alliance, South Africa
Sushil Chatterji, Edutech, Singapore
Anil Jogani, CISA, FCA, Tally Solutions Limited, UK
John W. Lainhart IV, CISA, CISM, IBM, USA
Rómulo Lomparte, CISA, Banco de Crédito BCP, Peru
Michael Schirmbrand, Ph.D., CISA, CISM, CPA, KPMG LLP, Austria
Ronald Saull, CSP, Great-West Life Assurance and IGM Financial, Canada


COBIT Steering Committee
Roger Debreceny, Ph.D., FCPA, University of Hawaii, USA, Chair
Gary S. Baker, CA, Deloitte & Touche, Canada
Dan Casciano, CISA, Ernst & Young LLP, USA
Steven De Haes, University of Antwerp Management School, Belgium
Peter De Koninck, CISA, CFSA, CIA, SWIFT SC, Belgium
Rafael Eduardo Fabius, CISA, República AFAP SA, Uruguay
Urs Fischer, CISA, CIA, CPA (Swiss), Swiss Life, Switzerland
Erik Guldentops, CISA, CISM, University of Antwerp Management School, Belgium
Gary Hardy, IT Winners, South Africa
Jimmy Heschl, CISA, CISM, KPMG, Austria
Debbie A. Lew, CISA, Ernst & Young LLP, USA
Maxwell J. Shanahan, CISA, FCPA, Max Shanahan & Associates, Australia
Dirk Steuperaert, CISA, PricewaterhouseCoopers LLC, Belgium
Robert E. Stroud, CA Inc., USA

ITGI Advisory Panel
Ronald Saull, CSP, Great-West Life Assurance and IGM Financial, Canada, Chair
Roland Bader, F. Hoffmann-La Roche AG, Switzerland
Linda Betz, IBM Corporation, USA
Jean-Pierre Corniou, Renault, France
Rob Clyde, CISM, Symantec, USA
Richard Granger, NHS Connecting for Health, UK
Howard Schmidt, CISM, R&H Security Consulting LLC, USA
Alex Siow Yuen Khong, StarHub Ltd., Singapore
Amit Yoran, Yoran Associates, USA

ITGI Affiliates and Sponsors
ISACA chapters
American Institute for Certified Public Accountants
ASIS International
The Center for Internet Security
Commonwealth Association of Corporate Governance
FIDA Inform
Information Security Forum
The Information Systems Security Association
Institut de la Gouvernance des Systèmes d'Information
Institute of Management Accountants
ISACA
ITGI Japan
Solvay Business School
University of Antwerp Management School
Aldion Consulting Pte. Lte.
CA
Hewlett-Packard
IBM
LogLogic Inc.
Phoenix Business and Systems Process Inc.
Symantec Corporation
Wolcott Group LLC
World Pass IT Solutions


Table of Contents

Executive Overview ... 5
COBIT Framework ... 9
Plan and Organise ... 29
Acquire and Implement ... 73
Deliver and Support ... 101
Monitor and Evaluate ... 153
Appendix I: Tables Linking Goals and Processes ... 169
Appendix II: Mapping IT Processes to IT Governance Focus Areas, COSO, COBIT IT Resources and COBIT Information Criteria ... 173
Appendix III: Maturity Model for Internal Control ... 175
Appendix IV: COBIT 4.1 Primary Reference Material ... 177
Appendix V: Cross-references Between COBIT 3rd Edition and COBIT 4.1 ... 179
Appendix VI: Approach to Research and Development ... 187
Appendix VII: Glossary ... 189
Appendix VIII: COBIT and Related Products ... 195

Your feedback on COBIT 4.1 is welcomed. Please visit www.isaca.org/cobitfeedback to submit comments.


Executive Overview


For many enterprises, information and the technology that supports it represent their most valuable, but often least understood, assets. Successful enterprises recognise the benefits of information technology and use it to drive their stakeholders' value. These enterprises also understand and manage the associated risks, such as increasing regulatory compliance and critical dependence of many business processes on information technology (IT).

The need for assurance about the value of IT, the management of IT-related risks and increased requirements for control over information are now understood as key elements of enterprise governance. Value, risk and control constitute the core of IT governance.

IT governance is the responsibility of executives and the board of directors, and consists of the leadership, organisational structures and processes that ensure that the enterprise's IT sustains and extends the organisation's strategies and objectives.

Furthermore, IT governance integrates and institutionalises good practices to ensure that the enterprise's IT supports the business objectives. IT governance enables the enterprise to take full advantage of its information, thereby maximising benefits, capitalising on opportunities and gaining competitive advantage. These outcomes require a framework for control over IT that fits with and supports the Committee of Sponsoring Organisations of the Treadway Commission's (COSO's) Internal Control Integrated Framework, the widely accepted control framework for enterprise governance and risk management, and similar compliant frameworks.

Organisations should satisfy the quality, fiduciary and security requirements for their information, as for all assets. Management should also optimise the use of available IT resources, including applications, information, infrastructure and people. To discharge these responsibilities, as well as to achieve its objectives, management should understand the status of its enterprise architecture for IT and decide what governance and control it should provide.

Control Objectives for Information and related Technology (COBIT®) provides good practices across a domain and process framework and presents activities in a manageable and logical structure. COBIT's good practices represent the consensus of experts. They are strongly focused more on control, less on execution. These practices will help optimise IT-enabled investments, ensure service delivery and provide a measure against which to judge when things do go wrong.

For IT to be successful in delivering against business requirements, management should put an internal control system or framework in place. The COBIT control framework contributes to these needs by:
· Making a link to the business requirements
· Organising IT activities into a generally accepted process model
· Identifying the major IT resources to be leveraged
· Defining the management control objectives to be considered

The business orientation of COBIT consists of linking business goals to IT goals, providing metrics and maturity models to measure their achievement, and identifying the associated responsibilities of business and IT process owners.

The process focus of COBIT is illustrated by a process model that subdivides IT into four domains and 34 processes in line with the responsibility areas of plan, build, run and monitor, providing an end-to-end view of IT. Enterprise architecture concepts help identify the resources essential for process success, i.e., applications, information, infrastructure and people.

In summary, to provide the information that the enterprise needs to achieve its objectives, IT resources need to be managed by a set of naturally grouped processes.

But how does the enterprise get IT under control such that it delivers the information the enterprise needs? How does it manage the risks and secure the IT resources on which it is so dependent? How does the enterprise ensure that IT achieves its objectives and supports the business?

First, management needs control objectives that define the ultimate goal of implementing policies, plans and procedures, and organisational structures designed to provide reasonable assurance that:
· Business objectives are achieved
· Undesired events are prevented or detected and corrected


Second, in today's complex environments, management is continuously searching for condensed and timely information to make difficult decisions on value, risk and control quickly and successfully. What should be measured, and how? Enterprises need an objective measure of where they are and where improvement is required, and they need to implement a management tool kit to monitor this improvement.

Figure 1 shows some traditional questions and the management information tools used to find the responses, but these dashboards need indicators, scorecards need measures and benchmarking needs a scale for comparison.

Figure 1: Management Information
  How do responsible managers keep the ship on course? -> Dashboard (needs indicators)
  How can the enterprise achieve results that are satisfactory for the largest possible segment of stakeholders? -> Scorecards (need measures)
  How can the enterprise be adapted in a timely manner to trends and developments in its environment? -> Benchmarking (needs scales)

An answer to these requirements of determining and monitoring the appropriate IT control and performance level is COBIT's definition of:
· Benchmarking of IT process performance and capability, expressed as maturity models, derived from the Software Engineering Institute's Capability Maturity Model (CMM)
· Goals and metrics of the IT processes to define and measure their outcome and performance, based on the principles of Robert Kaplan and David Norton's balanced business scorecard
· Activity goals for getting these processes under control, based on COBIT's control objectives

The assessment of process capability based on the COBIT maturity models is a key part of IT governance implementation. After identifying critical IT processes and controls, maturity modelling enables gaps in capability to be identified and demonstrated to management. Action plans can then be developed to bring these processes up to the desired capability target level.

Thus, COBIT supports IT governance (figure 2) by providing a framework to ensure that:
· IT is aligned with the business
· IT enables the business and maximises benefits
· IT resources are used responsibly
· IT risks are managed appropriately

Performance measurement is essential for IT governance. It is supported by COBIT and includes setting and monitoring measurable objectives of what the IT processes need to deliver (process outcome) and how to deliver it (process capability and performance). Many surveys have identified that the lack of transparency of IT's cost, value and risks is one of the most important drivers for IT governance. While the other focus areas contribute, transparency is primarily achieved through performance measurement.

Figure 2: IT Governance Focus Areas
· Strategic alignment focuses on ensuring the linkage of business and IT plans; defining, maintaining and validating the IT value proposition; and aligning IT operations with enterprise operations.
· Value delivery is about executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimising costs and proving the intrinsic value of IT.
· Resource management is about the optimal investment in, and the proper management of, critical IT resources: applications, information, infrastructure and people. Key issues relate to the optimisation of knowledge and infrastructure.
· Risk management requires risk awareness by senior corporate officers, a clear understanding of the enterprise's appetite for risk, understanding of compliance requirements, transparency about the significant risks to the enterprise and embedding of risk management responsibilities into the organisation.
· Performance measurement tracks and monitors strategy implementation, project completion, resource usage, process performance and service delivery, using, for example, balanced scorecards that translate strategy into action to achieve goals measurable beyond conventional accounting.


These IT governance focus areas describe the topics that executive management needs to address to govern IT within their enterprises. Operational management uses processes to organise and manage ongoing IT activities. COBIT provides a generic process model that represents all the processes normally found in IT functions, providing a common reference model understandable to operational IT and business managers. The COBIT process model has been mapped to the IT governance focus areas (see appendix II, Mapping IT Processes to IT Governance Focus Areas, COSO, COBIT IT Resources and COBIT Information Criteria), providing a bridge between what operational managers need to execute and what executives wish to govern.

To achieve effective governance, executives require that controls be implemented by operational managers within a defined control framework for all IT processes. COBIT's IT control objectives are organised by IT process; therefore, the framework provides a clear link among IT governance requirements, IT processes and IT controls.

COBIT is focused on what is required to achieve adequate management and control of IT, and is positioned at a high level. COBIT has been aligned and harmonised with other, more detailed, IT standards and good practices (see appendix IV, COBIT 4.1 Primary Reference Material). COBIT acts as an integrator of these different guidance materials, summarising key objectives under one umbrella framework that also links to governance and business requirements.

COSO (and similar compliant frameworks) is generally accepted as the internal control framework for enterprises. COBIT is the generally accepted internal control framework for IT.

The COBIT products have been organised into three levels (figure 3) designed to support:
· Executive management and boards
· Business and IT management
· Governance, assurance, control and security professionals

Figure 3: COBIT Content Diagram. The diagram pairs each audience with its IT governance questions and the products that answer them. Executives and boards: 'How does the board exercise its responsibilities?' (Board Briefing on IT Governance, 2nd Edition). Business and technology management: 'How do we measure performance?', 'How do we compare to others?', 'How do we improve over time?' (Management Guidelines / Maturity Models). Governance, assurance, control and security professionals: 'What is the IT governance framework?', 'How do we implement it in the enterprise?', 'How do we assess the IT governance framework?' (COBIT and Val IT frameworks; IT Governance Implementation Guide, 2nd Edition; Control Objectives; IT Assurance Guide; COBIT Control Practices, 2nd Edition; Key Management Practices). The diagram presents the generally applicable products and their primary audience; there are also derived products for specific purposes (IT Control Objectives for Sarbanes-Oxley, 2nd Edition), for domains such as security (COBIT Security Baseline; Information Security Governance: Guidance for Boards of Directors and Executive Management) or for specific enterprises (COBIT Quickstart, for small and medium-sized enterprises or for large enterprises wishing to ramp up to a more extensive IT governance implementation).

Briefly, the COBIT products include:
· Board Briefing on IT Governance, 2nd Edition: helps executives understand why IT governance is important, what its issues are and what their responsibility is for managing it
· Management guidelines/maturity models: help assign responsibility, measure performance, and benchmark and address gaps in capability
· Frameworks: organise IT governance objectives and good practices by IT domains and processes, and link them to business requirements
· Control objectives: provide a complete set of high-level requirements to be considered by management for effective control of each IT process
· IT Governance Implementation Guide: Using COBIT® and Val IT™, 2nd Edition: provides a generic road map for implementing IT governance using the COBIT and Val IT™ resources
· COBIT® Control Practices: Guidance to Achieve Control Objectives for Successful IT Governance, 2nd Edition: provides guidance on why controls are worth implementing and how to implement them
· IT Assurance Guide: Using COBIT®: provides guidance on how COBIT can be used to support a variety of assurance activities, together with suggested testing steps for all the IT processes and control objectives

The COBIT content diagram depicted in figure 3 presents the primary audiences, their questions on IT governance and the generally applicable products that provide responses. There are also derived products for specific purposes, for domains such as security, or for specific enterprises.


All of these COBIT components interrelate, providing support for the governance, management, control and assurance needs of the different audiences, as shown in figure 4.

Figure 4: Interrelationships of COBIT Components (diagram). Labels recoverable from the page: business goals, requirements, information, IT goals, IT processes, key activities, control objectives, control practices, control outcome tests, control design tests, performance indicators, outcome measures, maturity models, responsibility and accountability chart. Relationships: IT processes are broken down into key activities, controlled by control objectives, audited with control outcome tests and control design tests (based on control practices), implemented with control practices, and measured by performance indicators (for performance), outcome measures (for outcome) and maturity models (for maturity); the responsibility and accountability chart records who performs them.

COBIT is a framework and supporting tool set that allow managers to bridge the gap with respect to control requirements, technical issues and business risks, and communicate that level of control to stakeholders. COBIT enables the development of clear policies and good practice for IT control throughout enterprises. COBIT is continuously kept up to date and harmonised with other standards and guidance. Hence, COBIT has become the integrator for IT good practices and the umbrella framework for IT governance that helps in understanding and managing the risks and benefits associated with IT. The process structure of COBIT and its high-level, business-oriented approach provide an end-to-end view of IT and the decisions to be made about IT.

The benefits of implementing COBIT as a governance framework over IT include:
· Better alignment, based on a business focus
· A view, understandable to management, of what IT does
· Clear ownership and responsibilities, based on process orientation
· General acceptability with third parties and regulators
· Shared understanding amongst all stakeholders, based on a common language
· Fulfilment of the COSO requirements for the IT control environment

The rest of this document provides a description of the COBIT framework and all of the core COBIT components, organised by COBIT's four IT domains and 34 IT processes. This provides a handy reference book for all of the main COBIT guidance. Several appendices are also provided as useful references.

The most complete and up-to-date information on COBIT and related products, including online tools, implementation guides, case studies, newsletters and educational materials, can be found at www.isaca.org/cobit.


COBIT Framework


COBIT Mission
To research, develop, publicise and promote an authoritative, up-to-date, internationally accepted IT governance control framework for adoption by enterprises and day-to-day use by business managers, IT professionals and assurance professionals.

The Need for a Control Framework for IT Governance
A control framework for IT governance defines the reasons IT governance is needed, the stakeholders, and what it needs to accomplish.

Why?
Increasingly, top management is realising the significant impact that information can have on the success of the enterprise. Management expects heightened understanding of the way IT is operated and the likelihood of its being leveraged successfully for competitive advantage. In particular, top management needs to know if information is being managed by the enterprise so that it is:
· Likely to achieve its objectives
· Resilient enough to learn and adapt
· Judiciously managing the risks it faces
· Appropriately recognising opportunities and acting upon them

Successful enterprises understand the risks and exploit the benefits of IT, and find ways to deal with:
· Aligning IT strategy with the business strategy
· Assuring investors and shareholders that a 'standard of due care' around mitigating IT risks is being met by the organisation
· Cascading IT strategy and goals down into the enterprise
· Obtaining value from IT investments
· Providing organisational structures that facilitate the implementation of strategy and goals
· Creating constructive relationships and effective communication between the business and IT, and with external partners
· Measuring IT's performance

Enterprises cannot deliver effectively against these business and governance requirements without adopting and implementing a governance and control framework for IT to:
· Make a link to the business requirements
· Make performance against these requirements transparent
· Organise its activities into a generally accepted process model
· Identify the major resources to be leveraged
· Define the management control objectives to be considered

Furthermore, governance and control frameworks are becoming a part of IT management good practice and are an enabler for establishing IT governance and complying with continually increasing regulatory requirements.

IT good practices have become significant due to a number of factors:
· Business managers and boards demanding a better return from IT investments, i.e., that IT delivers what the business needs to enhance stakeholder value
· Concern over the generally increasing level of IT expenditure
· The need to meet regulatory requirements for IT controls in areas such as privacy and financial reporting (e.g., the US Sarbanes-Oxley Act, Basel II) and in specific sectors such as finance, pharmaceutical and healthcare
· The selection of service providers and the management of service outsourcing and acquisition
· Increasingly complex IT-related risks, such as network security
· IT governance initiatives that include adoption of control frameworks and good practices to help monitor and improve critical IT activities to increase business value and reduce business risk
· The need to optimise costs by following, where possible, standardised rather than specially developed approaches
· The growing maturity and consequent acceptance of well-regarded frameworks, such as COBIT, IT Infrastructure Library (ITIL), ISO 27000 series on information security-related standards, ISO 9001:2000 Quality Management Systems Requirements, Capability Maturity Model® Integration (CMMI), Projects in Controlled Environments 2 (PRINCE2) and A Guide to the Project Management Body of Knowledge (PMBOK)
· The need for enterprises to assess how they are performing against generally accepted standards and their peers (benchmarking)


Who?
A governance and control framework needs to serve a variety of internal and external stakeholders, each of whom has specific needs:
· Stakeholders within the enterprise who have an interest in generating value from IT investments:
  - Those who make investment decisions
  - Those who decide about requirements
  - Those who use IT services
· Internal and external stakeholders who provide IT services:
  - Those who manage the IT organisation and processes
  - Those who develop capabilities
  - Those who operate the services
· Internal and external stakeholders who have a control/risk responsibility:
  - Those with security, privacy and/or risk responsibilities
  - Those performing compliance functions
  - Those requiring or providing assurance services

What?
To meet the requirements listed in the previous section, a framework for IT governance and control should:
· Provide a business focus to enable alignment between business and IT objectives
· Establish a process orientation to define the scope and extent of coverage, with a defined structure enabling easy navigation of content
· Be generally acceptable by being consistent with accepted IT good practices and standards, and independent of specific technologies
· Supply a common language with a set of terms and definitions that are generally understandable by all stakeholders
· Help meet regulatory requirements by being consistent with generally accepted corporate governance standards (e.g., COSO) and IT controls expected by regulators and external auditors

How COBIT Meets the Need
In response to the needs described in the previous section, the COBIT framework was created with the main characteristics of being business-focused, process-oriented, controls-based and measurement-driven.

Business-focused
Business orientation is the main theme of COBIT. It is designed not only to be employed by IT service providers, users and auditors, but also, and more important, to provide comprehensive guidance for management and business process owners.

The COBIT framework is based on the following principle (figure 5): To provide the information that the enterprise requires to achieve its objectives, the enterprise needs to invest in, and manage and control, IT resources using a structured set of processes to provide the services that deliver the required enterprise information.

Managing and controlling information are at the heart of the COBIT framework and help ensure alignment to business requirements.

Figure 5: Basic COBIT Principle (diagram). Business requirements drive the investments in IT resources, which are used by IT processes to deliver enterprise information, which in turn responds to the business requirements. COBIT's information criteria express those business requirements.

COBIT's Information Criteria
To satisfy business objectives, information needs to conform to certain control criteria, which COBIT refers to as business requirements for information. Based on the broader quality, fiduciary and security requirements, seven distinct, certainly overlapping, information criteria are defined as follows:
· Effectiveness deals with information being relevant and pertinent to the business process as well as being delivered in a timely, correct, consistent and usable manner.
· Efficiency concerns the provision of information through the optimal (most productive and economical) use of resources.
· Confidentiality concerns the protection of sensitive information from unauthorised disclosure.


· Integrity relates to the accuracy and completeness of information, as well as to its validity in accordance with business values and expectations.
· Availability relates to information being available when required by the business process, now and in the future. It also concerns the safeguarding of necessary resources and associated capabilities.
· Compliance deals with complying with the laws, regulations and contractual arrangements to which the business process is subject, i.e., externally imposed business criteria as well as internal policies.
· Reliability relates to the provision of appropriate information for management to operate the entity and exercise its fiduciary and governance responsibilities.

Business Goals and IT Goals
Whilst information criteria provide a generic method for defining the business requirements, defining a set of generic business and IT goals provides a business-related and more refined basis for establishing business requirements and developing the metrics that allow measurement against these goals. Every enterprise uses IT to enable business initiatives, and these can be represented as business goals for IT. Appendix I provides a matrix of generic business goals and IT goals and shows how they map to the information criteria. These generic examples can be used as a guide to determine the specific business requirements, goals and metrics for the enterprise.

If IT is to successfully deliver services to support the enterprise's strategy, there should be a clear ownership and direction of the requirements by the business (the customer) and a clear understanding of what needs to be delivered, and how, by IT (the provider). Figure 6 illustrates how the enterprise strategy should be translated by the business into objectives related to IT-enabled initiatives (the business goals for IT). These objectives should lead to a clear definition of IT's own objectives (the IT goals), which in turn define the IT resources and capabilities (the enterprise architecture for IT) required to successfully execute IT's part of the enterprise's strategy.[1]

Figure 6: Defining IT Goals and Enterprise Architecture for IT
[Diagram: Enterprise Strategy > Business Goals for IT > IT Goals > Enterprise Architecture for IT > IT Scorecard. Box labels: Business Requirements, Governance Requirements, Information, Services, IT Processes, Applications, Information Criteria, Infrastructure and People. Edge labels: require, influence, deliver, run, imply, need.]

Once the aligned goals have been defined, they need to be monitored to ensure that actual delivery matches expectations. This is achieved by metrics that are derived from the goals and captured in an IT scorecard. For the customer to understand the IT goals and IT scorecard, all of these objectives and associated metrics should be expressed in business terms meaningful to the customer. This, combined with an effective alignment of the hierarchy of objectives, will ensure that the business can confirm that IT is likely to support the enterprise's goals.

Appendix I, Tables Linking Goals and Processes, provides a global view of how generic business goals relate to IT goals, IT processes and information criteria. The tables help demonstrate the scope of COBIT and the overall business relationship between COBIT and enterprise drivers. As figure 6 illustrates, these drivers come from the business and from the governance layer of the enterprise, the former focusing more on functionality and speed of delivery, the latter more on cost-efficiency, return on investment (ROI) and compliance.

[1] It needs to be noted that the definition and implementation of an enterprise architecture for IT will also create internal IT goals that contribute to, but are not directly derived from, the business goals.
