Robert N. Phillips
CEO, Lasotell Pty Ltd.
www.lasotell.com.au
If you are involved in trying to understand the various
facets of Information Technology (IT) service delivery or of
an IT organisation in general, there are two very useful
models/methodologies you can investigate. They take all the
mystique out of such tasks—including documenting them:
- Information Technology Infrastructure Library (ITIL)
- Control Objectives for Information and related Technology (CobiT)—yes,
that is the correct capitalisation.
This, the second article, deals with CobiT. You can read the
first article at
www.infomanagementcenter.com/enewsletter/200203/downunder.htm
CobiT is the most useful tool of its kind for IT that I have
seen in the last 15 years. You may not have an immediate
need for it, but it is worth keeping in your drawer.
In a nutshell, CobiT defines 34 processes that are needed to
manage an IT organisation (and 318 control objectives below
them). Each process is described in two pages. The first
page contains
- The objective of the process
- Critical Success Factors—the most important things to do that
contribute to the process achieving its goals (but leaves it to you to determine
how to implement them)
- Key Goal Indicators—to measure (in percentage or numeric terms) what
has been accomplished
- Key Performance Indicators—to measure (in percentage or numeric terms)
how well the process is performing
The second page contains
- a description of the process under five levels of maturity
For more information about CobiT, visit
www.itgovernance.com. To download the
five major documents (all less than 500KB in size), visit
www.isaca.org/ct_dwnld.shtml.
The following are a few paragraphs from the Executive Summary
of the downloadable Management Guidelines document.
How do we get Information Technology under control such that
it delivers the information the organisation needs? How do
we manage the risks and secure the infrastructure we are so
dependent on? As with many issues facing management, these
broad strategic questions generate the following traditional
questions to which we will provide answers:
- What is the issue/problem?
- What is the solution?
- What does it consist of?
- Will it work?
- How do I do it?
An approach to addressing these issues has been provided by
the CobiT Framework. CobiT stands for Control Objectives for
Information and related Technology and is an open standard
for control over information technology, developed and
promoted by the IT Governance Institute. This framework
identifies 34 information technology (IT) processes, a
high-level approach to control over these processes, as well
as 318 detailed control objectives and audit guidelines to
assess the 34 IT processes. It provides a generally
applicable and accepted standard for good IT security and
control practices to support management's needs in
determining and monitoring the appropriate level of IT
security and control for their organisations.
The IT Governance Institute has further built on this with
leading-edge research, in cooperation with world-wide
industry experts, analysts and academics. This has resulted
in the definition of Management Guidelines for CobiT, which
consist of Maturity Models, Critical Success Factors (CSFs),
Key Goal Indicators (KGIs) and Key Performance Indicators
(KPIs). This delivers a significantly improved framework
responding to management's need for control and
measurability of IT by providing management with tools to
assess and measure their organisation's IT environment
against the 34 IT processes CobiT identifies.
There are numerous changes in IT and in networking that
emphasise the need to better manage IT-related risks.
Dependence on electronic information and IT systems is
essential to support critical business processes. Successful
businesses need to better manage the complex technology that
is pervasive throughout their organisations in order to
respond quickly and safely to business needs. In addition,
the regulatory environment is mandating stricter control
over information. This, in turn, is driven by increasing
disclosures of information system disasters and increasing
electronic fraud. The management of IT-related risks is now
being understood as a key part of enterprise governance.
Within enterprise governance, IT governance is becoming more
and more prominent in achieving the organisation's goals by
adding value while balancing risk versus return over IT and
its processes. IT governance is integral to the success of
enterprise governance by assuring efficient and effective
measurable improvements in related enterprise processes. IT
governance provides the structure that links IT processes,
IT resources and information to enterprise strategies and
objectives. Furthermore, IT governance integrates and
institutionalises good (or best) practices for planning and
organising, acquiring and implementing, delivering and
supporting, and monitoring IT performance to ensure that the
enterprise's information and related technology support its
business objectives. IT governance thus enables the
enterprise to take full advantage of its information,
thereby maximising benefits, capitalising on opportunities
and gaining competitive advantage.