
Good IT governance requires IT services that contribute to the achievement of the organisation’s objectives. To satisfy those business objectives, the information that is delivered by IT to the business and its processes needs to conform to certain control criteria, which COBIT refers to as seven business requirements for information:

• Effectiveness deals with information being relevant and pertinent to the business process as well as being delivered in a timely, correct, consistent, and usable manner.

• Efficiency concerns the provision of information through the optimal

• Confidentiality concerns the protection of sensitive information from unauthorised disclosure.

• Integrity relates to the accuracy and completeness of information, as well as to its validity in accordance with business values and expectations.

• Availability relates to information being available when required by the business process now and in the future. It also concerns the safeguarding of necessary resources and associated capabilities.

• Compliance deals with complying with those laws, regulations, and contractual arrangements to which the business process is subject, that is, externally imposed business criteria, as well as internal policies.

• Reliability relates to the provision of appropriate information for management to operate the entity and exercise its fiduciary and governance responsibilities.

Because these criteria are generic, they can be applied in each organisation. On the other hand, the definitions may be too abstract, making it more difficult to translate the information criteria to a specific situation. In the context of further COBIT development, more comprehensive research was conducted together with the University of Antwerp Management School (UAMS) in order to obtain a better view of business goals and IT goals and the way they support one another.

Based on this research, conducted in eight different industry segments, a set of generic business and IT goals was identified, and an analysis was done of how they are linked to each other.

Figure 1 presents a matrix showing how IT goals can support the achievement of business goals for companies in the financial sector: “P” represents a primary link and “S” a secondary link. This figure shows, for example, that the IT goal “developing innovative IT services with a focus on information security” is important in supporting the business goals “improving competitiveness through IT” and “improving customer orientation and service.”

Figure 1. Linking business and IT goals in the financial sector (Van Grembergen, De Haes, & Moons, 2005)

[Figure 1: matrix of business goals (rows) against IT goals (columns); “P” marks a primary link and “S” a secondary link. IT goals (columns): Developing innovative IT services with a focus on information security; Fulfilling SLAs with business departments; Increasing IT department efficiency; Integration and consolidation of different IT departments; IT disaster recovery and business continuity; IT governance; IT strategic alignment; Lowering cost of transaction processing; Making IT measurable; Optimizing the IT infrastructure; Rapid development of new IT services; Reduce amount of IT insourcing; Standardizing IT systems; Taking IT measures to satisfy Basel II requirements. Business goals (rows), each followed by the link marks in its row: Achieving compliance with Basel II regulations (S P); Improving competitiveness through IT (P S P); Improving customer orientation and service (P S P S P S); Post-merger integration and consolidation (P S S S); Reducing operational cost (P P S P P P P P); Reducing transaction cost (P S P P S S); Risk management (S P S S P S P S); Shortening service development (S P); Tailoring solutions for different target groups (P).]

This research resulted in the definition of 20 generic business goals and 28 generic IT goals that now serve as a base for COBIT 4.0 (see Figures 2 and 3). When combined, both figures illustrate the relationship between business goals, IT goals, and IT processes. Figure 2 lists the 20 generic business goals, organised according to the four perspectives of the business balanced scorecard, being the financial perspective, customer perspective, internal perspective, and learning and growth perspective. Each business goal is linked to one or more IT goals that support the business goal. These are indicated by numbers, representing the IT goals of Figure 3.

For example, the IT goal “ensure the satisfaction of end users with service offerings and service levels” (3) supports the business goal “improve customer orientation and service.” Additionally, for each business goal, the most relevant information criteria are indicated. The relevant information criteria for IT goals can be found in Figure 3, together with the IT processes that support the IT goal. These are indicated with the process indices, explained later in the chapter. For example, the IT process DS1, which stands for “define and manage service levels,” may help achieve the aforementioned IT goal “ensure the satisfaction of end users with service offerings and service levels.” In this way a cascade is formed from business goals to IT goals to IT processes.

Further, COBIT refers to four IT related resources that can be applied:

• Information refers to the data in all their forms handled by the information systems, in whatever form is used by the business.

• Applications are the automated user systems and manual procedures that process the information.

• Infrastructure includes the technology and facilities (hardware, operating systems, database management systems, networking, multimedia, etc., and the environment that houses and supports them) that enable the processing of the applications.

• People refers to the personnel required to plan, organise, acquire, implement, deliver, support, monitor, and evaluate the information systems and services.

The previous edition of COBIT refers to a fifth element, being facilities, which is now incorporated into the infrastructure resource.

Following the COBIT framework, information retrieved from IT systems is the result of a combined effort of IT related resources, managed by IT processes. It is important that IT processes are managed and controlled in an effective way, so that the delivered information satisfies the defined quality standards.

COBIT 4.0 defines 34 IT processes, categorised into four domains: planning and organisation, acquisition and implementation, delivery and support, and monitoring and evaluation (Figure 4).

The domain “Planning and organisation” concerns the identification of the way IT can best contribute to the achievement of the business objectives. Therefore it needs strategy and tactics for the information architecture and technology architecture, a well-structured IT organisation, budget control and management, the way management objectives are communicated (such as awareness around security), IT human resource management, quality management, risk assessment and risk management, and project management.

The domain “Acquisition and implementation” is concerned with the identification of IT solutions (insourcing or outsourcing), the acquisition and/or development and maintenance of software applications, the acquisition and maintenance of hardware and system software, the production of documentation and training of users, the acquisition of the necessary IT, the process for managing application changes, and installing and accrediting solutions and changes.

The domain “Delivery and support” is concerned with the actual delivery of required services and contains those processes that deal with configuration management, problem management, data management, management of the physical environment (data centre and other facilities), computer operations management, and performance and capacity management of the hardware. This domain also holds the definition of service level agreements (SLAs) and the management of third party vendors, like outsourcers, the assurance for continuous service (like a disaster recovery plan), security management, the identification and allocation of costs, education and training of users, and the support and assistance for end-users by means of a service desk.

Figure 4. Thirty-four IT processes of COBIT 4.0 (ITGI, 2005)

Planning and organisation (PO)
PO1. define a strategic IT plan
PO2. define the information architecture
PO3. determine technological direction
PO4. define the IT processes, organisation, and relationships
PO5. manage the IT investment
PO6. communicate management aims and direction
PO7. manage IT human resources
PO8. manage quality
PO9. assess and manage risk
PO10. manage projects

Acquisition and implementation (AI)
AI1. identify automated solutions
AI2. acquire and maintain application software
AI3. acquire and maintain technology infrastructure
AI4. enable operation and use
AI5. procure IT resources
AI6. manage changes
AI7. install and accredit solutions and changes

Delivery and support (DS)
DS1. define and manage service levels
DS2. manage third party services
DS3. manage performance and capacity
DS4. ensure continuous service
DS5. ensure systems security
DS6. identify and allocate costs
DS7. educate and train users
DS8. manage service desk and incidents
DS9. manage the configuration
DS10. manage problems
DS11. manage data
DS12. manage the physical environment
DS13. manage operations

Monitor and evaluate (ME)
ME1. monitor and evaluate IT performance
ME2. monitor and evaluate internal control
ME3. ensure regulatory compliance
ME4. provide IT governance

The fourth domain, “Monitor and evaluate,” includes those processes that are responsible for the quality assessment in compliance with the control requirements for all previously mentioned processes. It addresses performance management, monitoring of internal control, regulatory compliance, and providing governance.

Figure 5 summarises the overall COBIT framework graphically. The organisation defines the business and governance objectives, directly impacting the quality requirements of the IT information criteria. While managing the IT resources, the 34 generic IT processes, organised in four domains, can deliver the information to the business according to the business and governance objectives.

For each of the 34 processes the COBIT framework defines control objectives, management guidelines, and a maturity model. Within the COBIT 4.0 publication each process is typically described over four pages: two pages detailing the (high-level and detailed) control objectives, one page describing the management guidelines, and one page for the maturity model. The following sections will further explore these different COBIT components.