Cobit QuickStart - Tribunal Regional do Trabalho 13ª Região

Transcription

COBIT Quickstart, 2nd Edition
Framework Baseline
quickstart \’kwik’stärt\ adj [ME quik, fr. OE cwic] + vb [ME sterten]: that which is essential, light and easy to use; a baseline if you are a beginner and a jumpstart when you have bigger aspirations
© 2007 IT Governance Institute. All rights reserved.
IT Governance Institute®
The IT Governance Institute (ITGI) (www.itgi.org) was established in 1998 to advance international thinking and standards in directing and controlling
an enterprise’s information technology. Effective IT governance helps ensure that IT supports business goals, optimises business investment in IT, and
appropriately manages IT-related risks and opportunities. ITGI offers electronic resources, original research and case studies to assist enterprise leaders
and boards of directors in their IT governance responsibilities.
Disclaimer
ITGI (the ‘Owner’) and the author have designed and created this publication, titled COBIT® Quickstart, 2nd Edition (the ‘Work’), primarily as an
educational resource for control professionals. The Owner makes no claim that use of any of the Work will assure a successful outcome. The Work
should not be considered inclusive of any proper information procedures and tests or exclusive of other information, procedures and tests that are
reasonably directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, controls professionals
should apply their own professional judgement to the specific control circumstances presented by the particular systems or information technology
environment.
Disclosure
© 2007 IT Governance Institute. All rights reserved. No part of this publication may be used, copied, reproduced, modified, distributed, displayed, stored
in a retrieval system or transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise) without the prior written
authorisation of ITGI. Reproduction of selections of this publication for internal and noncommercial or academic use only is permitted and must include
full attribution of the material’s source. No other right or permission is granted with respect to this work.
IT Governance Institute
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.660.5700
Fax: +1.847.253.1443
E-mail: [email protected]
Web site: www.itgi.org
ISBN 978-1-893209-54-1
COBIT® Quickstart, 2nd Edition
Printed in the United States of America
ACKNOWLEDGEMENTS
IT Governance Institute wishes to recognise:
Project Managers and Thought Leaders
Steven De Haes, University of Antwerp Management School, Belgium
Bart Peeters, PricewaterhouseCoopers, Belgium
Dirk Steuperaert, CISA, PricewaterhouseCoopers, Belgium
Francois Van Hees, PricewaterhouseCoopers, Belgium
Workshop Participants and Expert Reviewers
Roger Stephen Debreceny, Ph.D., FCPA, University of Hawaii, USA
Jan Devos, Associatie Universiteit Gent, Belgium
Rafael Eduardo Fabius, CISA, Republica AFAP, S.A., Uruguay
Gary Hardy, ITWinners Ltd., South Africa
Jimmy Heschl, CISA, CISM, KPMG, Austria
John W. Lainhart IV, CISA, CISM, IBM, USA
Robert E. Stroud, CA Inc., USA
Greet Volders, Voquals NV, Belgium
ITGI Board of Trustees
Lynn Lawton, CISA, FCA, FIIA, PIIA, KPMG LLP, UK, International President
Georges Ataya, CISA, CISM, CISSP, ICT Control sa-nv, Belgium, Vice President
Avinash Kadam, CISA, CISM, CBCP, CISSP, Miel e-Security Pvt. Ltd., India, Vice President
Howard Nicholson, CISA, City of Salisbury, Australia, Vice President
Jose Angel Pena Ibarra, Consultoria en Comunicaciones e Info., SA & CV, Mexico, Vice President
Robert E. Stroud, CA Inc., USA, Vice President
Kenneth L. Vander Wal, CISA, CPA, Ernst & Young LLP, USA, Vice President
Frank Yam, CISA, FHKCS, FH KIoD, CIA, CCP, CFE, CFSA, FFA, Focus Strategic Group, Hong Kong, Vice President
Marios Damianides, CISA, CISM, CA, CPA, Ernst & Young LLP, USA, Past International President
Everett C. Johnson, CPA Deloitte & Touche LLP (retired), USA, Past International President
Ronald Saull, CSP, Great-West Life Assurance and IGM Financial, Canada, Trustee
Tony Hayes, FCPA, Queensland Government, Australia, Trustee
IT Governance Committee
Tony Hayes, FCPA, Queensland Government, Australia, Chair
Max Blecher, Virtual Alliance, South Africa
Sushil Chatterji, Edutech, Singapore
Anil Jogani, CISA, FCA, Avon Consulting Ltd., UK
John W. Lainhart IV, CISA, CISM, IBM, USA
Lucio Molina Focazzio, CISA, Colombia
Ronald Saull, CSP, Great-West Life Assurance and IGM Financial, Canada
Michael Schirmbrand, Ph. D., CISA, CISM, CPA, KPMG, Austria
Robert E. Stroud, CA Inc., USA
John Thorp, The Thorp Network Inc., Canada
Wim Van Grembergen, Ph.D., University of Antwerp, University of Antwerp Management School, and IT Alignment and
Governance Research Institute (ITAG), Belgium
COBIT Steering Committee
Robert E. Stroud, CA Inc., USA, Chair
Gary S. Baker, CA, Deloitte & Touche, Canada
Rafael Eduardo Fabius, CISA, Republica AFAP SA, Uruguay
Urs Fischer, CISA, CIA, CPA (Swiss), Swiss Life, Switzerland
Erik Guldentops, CISA, CISM, University of Antwerp Management School, Belgium
Jimmy Heschl, CISM, CISA, KPMG, Austria
Debbie A. Lew, CISA, Ernst & Young LLP, USA
Maxwell J. Shanahan, CISA, FCPA, Max Shanahan & Associates, Australia
Dirk E. Steuperaert, CISA, PricewaterhouseCoopers, Belgium
ITGI Affiliates and Sponsors
ISACA chapters
American Institute for Certified Public Accountants
ASIS International
The Center for Internet Security
Commonwealth Association of Corporate Governance Inc.
FIDA Inform
Information Security Forum
Information Systems Security Association
Institut de la Gouvernance des Systèmes d’Information
Institute of Management Accountants
ISACA
ITGI Japan
Solvay Business School
University of Antwerp Management School
Aldion Consulting Pte. Ltd.
Analytix Holdings Pty. Ltd.
CA
Hewlett-Packard
IBM
LogLogic Inc.
Phoenix Business and Systems Process Inc.
Symantec Corporation
Wolcott Group LLC
World Pass IT Solutions
TABLE OF CONTENTS
Executive Summary
Introduction to the COBIT Framework
COBIT Quickstart Framework
    Why Do We Need Quickstart?
    What Does Quickstart Provide?
    What Is the Quickstart Approach?
    Who Can Use Quickstart?
    How Do I Know Whether Quickstart Is Suitable for My Organisation?
    How Is It Presented?
    How Is It Implemented?
    Migration Strategies to Move From Quickstart to Full COBIT
COBIT Quickstart Baseline
COBIT and Related Products
EXECUTIVE SUMMARY
A baseline for many small and medium enterprises (SMEs) and other entities where IT is less strategic or not absolutely
critical for survival, and a starting point for larger enterprises in their first moves towards an appropriate level of control and
governance of IT
Control Objectives for Information and related Technology (COBIT®) is a comprehensive set of resources that contains all the
information that organisations need to adopt an IT governance and control framework. Implementation is based on a number of
factors, including the size of the organisation.
COBIT Quickstart provides a selection from the components of the complete COBIT framework. Quickstart can be used as a
baseline and a set of ‘smart things to do’ for many small- and medium-sized enterprises (SMEs) and other entities where
IT is not strategic or absolutely critical for survival. Quickstart can also be a starting point for larger enterprises in their first
move towards an appropriate level of control and governance of IT.
This selection was made using the top-down philosophy from the IT Governance Implementation Guide: Using COBIT® and
Val IT™, 2nd Edition (IT Governance Institute, 2007). This scoping method performs a top-down value and risk analysis starting
with business goals, then identifying the supporting IT goals, defining the IT processes that need improvement, ending with the
control practices that need to be implemented or enhanced.
COBIT Quickstart provides tools to help the organisation carry out a self-assessment to determine whether Quickstart is
appropriate for its use. However, it is always important to keep in mind that Quickstart is generic, and if specific areas or
processes are considered more important, then extra guidance should be obtained from the full COBIT material. Moreover, in
certain circumstances—such as when the organisation operates and manages open (as opposed to closed) systems, i.e.,
interconnects with customers and suppliers—the need to go beyond COBIT Quickstart should be at least reviewed as a risk
management measure. In support of this, pragmatic migration strategies to move from Quickstart to a broader COBIT
implementation are provided in this publication.
Quickstart is useful for all types of COBIT users in appropriate organisations: auditors, IT managers and implementers of
IT governance who are likely to be dealing with IT governance and COBIT for the first time and who wish for a light and
easy-to-use approach to get started.
Care needs to be taken when using Quickstart to ensure that it is applied intelligently, given the specific needs and conditions of
the enterprise. In addition, while Quickstart is powerful as a starting point, providing the ‘smart things to do’, additional
controls will be required in many cases to provide an ongoing basis for effective governance of all IT processes.
INTRODUCTION TO THE COBIT FRAMEWORK
For many enterprises, information and the technology that supports it represent their most valuable, but often least understood,
assets. Successful enterprises recognise the contribution and benefits of information technology (IT) and use IT to drive their
stakeholders’ value. These enterprises also understand and manage the associated risks such as increasing regulatory compliance
and critical dependence of many business processes on IT.
The need for assurance about the value of IT, the management of IT-related risks and increased requirements for control over
information are now understood as key elements of enterprise governance. Value, risk and control constitute the core of IT
governance.
IT governance is the responsibility of executives and the board of directors, and consists of the leadership, organisational
structures and processes that ensure that the enterprise’s IT sustains and extends the organisation’s strategies and objectives.
Furthermore, IT governance integrates and institutionalises good practices to ensure that the enterprise’s IT supports the
business objectives. IT governance enables the enterprise to take full advantage of its information, thereby maximising benefits,
capitalising on opportunities and gaining competitive advantage. These outcomes require a framework for control over IT that
fits with and supports the Committee of Sponsoring Organisations of the Treadway Commission’s (COSO’s) Internal Control—
Integrated Framework, the widely accepted control framework for enterprise governance and risk management, and similar
compliant frameworks.
Organisations should satisfy the quality, fiduciary and security requirements for their information, as for all assets. Management
should also optimise the use of available IT resources, including applications, information, infrastructure and people. To
discharge these responsibilities, as well as to achieve its objectives, management should understand the status of its enterprise
architecture for IT and decide what governance and control it should provide.
COBIT provides good practices across a domain and process framework and presents activities in a manageable and logical
structure. COBIT’s good practices represent the consensus of experts. They are strongly focused—more on control, less on
execution. These practices will help optimise IT-enabled investments, ensure service delivery and provide a measure to judge
against when things do go wrong.
For IT to be successful in delivering against business requirements, management should put an internal control system or
framework in place. The COBIT control framework contributes to these needs by:
• Making a link to the business requirements
• Organising IT activities into a generally accepted process model
• Identifying the major IT resources to be leveraged
• Defining the management control objectives to be considered
The business orientation of COBIT consists of linking business goals to IT goals, providing metrics and maturity models to
measure their achievement, and identifying the associated responsibilities of business and IT process owners.
The process focus of COBIT is illustrated by a process model that subdivides IT into four domains and 34 processes in line with
the responsibility areas of plan, build, run and monitor, providing an end-to-end view of IT. Enterprise architecture concepts help
to identify the resources essential for process success, i.e., applications, information, infrastructure and people.
In summary, to provide the information that the enterprise needs to achieve its objectives, IT resources need to be managed by a
set of naturally grouped processes.
Management needs to ensure that an internal control system or framework is in place such that IT supports the business
processes. This implies that information, from the business’s perspective, is:
• Effective
• Efficient
• Confidential
• Accurate, useful and timely
• Available
• Compliant
• Reliable
The right resources are:
• Applications
• Information
• Infrastructure
• People
The right resources should be available and properly used in the processes of the different IT domains, which COBIT defines as:
• Plan and organise (Plan)
• Acquire and implement (Build)
• Deliver and support (Run)
• Monitor and evaluate (Learn)
To this end, COBIT 4.1 provides 34 processes (shown in figure 1) and 210 control objectives that contain policies, procedures,
practices and organisational responsibilities. In addition, the COBIT management guidelines provide a link between IT control
and IT governance. They are action-oriented and generic, and provide management direction for getting the enterprise’s
information and related processes under control by providing inputs and outputs amongst processes, roles and responsibilities
for key activities within processes, and goals and metrics for IT, IT processes and IT process activities. COBIT also provides
maturity models to allow for benchmarking and continuous improvement. All these elements help provide answers to typical
management questions:
• How far should the enterprise go in controlling IT, and is the cost justified by the benefit?
• What are the indicators of good performance?
• Who is responsible and accountable for specific processes?
• What are the risks of not achieving our objectives?
• What do others do?
• How does our enterprise measure and compare?
A new element introduced in COBIT 4.0 is the cascade of business goals—IT goals—IT processes. COBIT 4.1 provides a list of
17 generic business goals and 28 generic IT goals. The 17 generic business goals are organised according to the four perspectives
of the business balanced scorecard:
• Financial
• Customer
• Internal
• Learning and growth
Figure 1—Overall COBIT Framework
(The figure shows business objectives and governance objectives driving COBIT, with the four domains arranged around the information criteria and IT resources.)
Information criteria: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability
IT resources: Applications, Information, Infrastructure, People
Plan and Organise
PO1 Define a strategic IT plan.
PO2 Define the information architecture.
PO3 Determine technological direction.
PO4 Define the IT processes, organisation and relationships.
PO5 Manage the IT investment.
PO6 Communicate management aims and direction.
PO7 Manage IT human resources.
PO8 Manage quality.
PO9 Assess and manage IT risks.
PO10 Manage projects.
Acquire and Implement
AI1 Identify automated solutions.
AI2 Acquire and maintain application software.
AI3 Acquire and maintain technology infrastructure.
AI4 Enable operation and use.
AI5 Procure IT resources.
AI6 Manage changes.
AI7 Install and accredit solutions and changes.
Deliver and Support
DS1 Define and manage service levels.
DS2 Manage third-party services.
DS3 Manage performance and capacity.
DS4 Ensure continuous service.
DS5 Ensure systems security.
DS6 Identify and allocate costs.
DS7 Educate and train users.
DS8 Manage service desk and incidents.
DS9 Manage the configuration.
DS10 Manage problems.
DS11 Manage data.
DS12 Manage the physical environment.
DS13 Manage operations.
Monitor and Evaluate
ME1 Monitor and evaluate IT performance.
ME2 Monitor and evaluate internal control.
ME3 Ensure compliance with external requirements.
ME4 Provide IT governance.
Each business goal is linked to one or more IT goals which, in turn, are linked to one or more IT processes. In this way, a full
cascade is built up showing how IT processes enable the achievement of IT goals which, in turn, enable the achievement of
business goals.
All the components of COBIT are accessible via COBIT Online, a web-based, interactive knowledge base. Furthermore,
the IT Governance Implementation Guide provides users with a method for implementing IT governance using COBIT.
The IT Assurance Guide: Using COBIT® provides assurance professionals with detailed guidance and testing steps to plan,
scope and execute their assurance activities based on the COBIT framework.
The complete COBIT family of products is shown in figure 2. The top part provides practices at the board and executive levels.
The middle portion focuses on management and its typical needs for measurement and benchmarking. The bottom section
provides the detailed support for implementing and assuring adequate control and governance over IT.
(For more information about COBIT, see the section in this publication on COBIT and Related Products and/or visit
www.itgi.org.)
Figure 2—COBIT Family of Products
Executives and Boards (How does the board exercise its responsibilities?): Board Briefing on IT Governance, 2nd Edition
Business and Technology Management (How do we measure performance? How do we compare to others? And how do we improve over time?): Management guidelines; Maturity models
Governance, Assurance, Control and Security Professionals (What is the IT governance framework? How do we implement it in the enterprise? How do we assess the IT governance framework?): COBIT and Val IT frameworks; Control objectives; IT Governance Implementation Guide, 2nd Edition; IT Assurance Guide; COBIT Control Practices, 2nd Edition; Key management practices
This COBIT-based product diagram presents the generally applicable products and their primary audience. There are also derived products
for specific purposes (IT Control Objectives for Sarbanes-Oxley, 2nd Edition), for domains such as security (COBIT Security Baseline, 2nd Edition
and Information Security Governance: Guidance for Boards of Directors and Executive Management), or for specific enterprises
(COBIT Quickstart, 2nd Edition for small and medium-sized enterprises or for large enterprises wishing to ramp up to a more extensive
IT governance implementation).
COBIT QUICKSTART FRAMEWORK
WHY DO WE NEED QUICKSTART?
COBIT is a comprehensive set of resources that contains the information that organisations require to adopt an IT governance
and control framework. However, the breadth and depth of the guidance provided by all of COBIT’s resources may be too
detailed and overwhelming for smaller organisations. Or, for some larger organisations, COBIT may require too much time to
analyse and focus on when taking the first steps towards IT governance.
The driver behind COBIT Quickstart is the need of IT managers of smaller organisations for a simple-to-use tool that will speed
up the implementation of key IT control objectives. Equally, IT managers of larger organisations can leverage the tool to
‘quickstart’ the initial phases of a broader IT governance implementation.
In these circumstances, COBIT users need ‘out-of-the-box’, customised and simplified materials that are consistent with the full
COBIT resources, but are immediately usable as is.
COBIT Quickstart was not designed as an audit tool; however, it provides a reference for audit and assurance purposes.
WHAT DOES QUICKSTART PROVIDE?
Quickstart is based on a selection of the processes and control objectives of COBIT 4.1. The result is a simplified version
including a limited set of processes and management practices (see figure 3). Quickstart also provides simplified versions of
Responsible, Accountable, Consulted and Informed (RACI) charts for each of the retained processes and captures key outcome
metrics at the level of the individual control objectives and the IT processes as a whole. All these elements represent a baseline
and the ‘smart things to do’. Enterprises can use the baseline as is, without modification, or use it as a starting point to build
more detailed management practices and measurement techniques.
Figure 3—COBIT Quickstart as Compared to COBIT
                      COBIT    Quickstart
Domains                   4             4
Processes                34            32
Control Objectives      210            59
This selection from the COBIT material was made using the same philosophy as that presented in the IT Governance
Implementation Guide: a top-down value and risk analysis starting with business goals, then moving to supporting IT goals,
then to IT processes that need improvement, and finally arriving at control objectives that need to be implemented or enhanced.
The selection was also driven by the following assumptions:
• The IT infrastructure is not complex.
• More complex tasks are outsourced.
• The goal is less build, more buy.
• Limited in-house IT skills exist.
• Risk tolerance is relatively high.
• The enterprise is very cost-conscious.
• A simple command structure is in place.
• A short span of control exists.
These assumptions are representative of the control culture and IT environment of most SMEs and possibly also of some small
subsidiary or autonomous entities of larger organisations.
This implies that the resulting set of processes and control objectives is likely to be suitable for an SME environment. It also
implies that it can be a starting point for larger organisations wanting to use Quickstart to launch an IT governance programme.
These organisations need to extend their governance framework depending on their specific business and governance
requirements. A road map to plan this implementation is provided later in this document. In addition, when implementing the
entire COBIT framework, the IT Governance Implementation Guide can be used for guidance.
The above assumptions were kept in mind when developing COBIT Quickstart and should be considered by any enterprise using
Quickstart to develop its IT governance and control framework. Why? Because the control culture associated with these
assumptions implies that certain controls, formally defined in COBIT, are exercised informally but effectively. For example, the
control and direction that are enabled by close supervision, typical for these types of organisations, are not retained in Quickstart.
Consistent with the full COBIT 4.1 publication, overarching process controls and applications controls are not addressed in the
detailed COBIT Quickstart contents. However, it is critical that these controls be considered while implementing Quickstart, as
they are needed by management to have a complete view of all the business control requirements of the enterprise. Figure 4
provides a short summary of these controls; a full list is provided at the end of the Quickstart baseline.
Figure 4—Overarching Process Controls and Application Controls
Generic Process Controls
In addition to the control objectives, each COBIT process has
generic control requirements that are identified by generic process
controls (PCn). They should be considered together with the
process control objectives to have a complete view of control
requirements. The generic process controls are:
• PC1 Process Goals and Objectives
• PC2 Process Ownership
• PC3 Process Repeatability
• PC4 Roles and Responsibilities
• PC5 Policy, Plans and Procedures
• PC6 Process Performance Improvement
Application Controls
COBIT also addresses the controls embedded in business process
applications, commonly referred to as application controls, to
achieve accurate, complete and reliable information for
management decision making and reporting. COBIT assumes the
design and implementation of automated application controls to
be the responsibility of IT, covered in the Acquire and Implement
domain. The operational management and control responsibility
for application controls is not with IT, but with the business
process owner. Hence, the responsibility for application controls
is an end-to-end joint responsibility between business and IT.
The recommended application control objectives are:
• AC1 Source Data Preparation and Authorisation
• AC2 Source Data Collection and Entry
• AC3 Accuracy, Completeness and Authenticity Checks
• AC4 Processing Integrity and Validity
• AC5 Output Review, Reconciliation and Error Handling
• AC6 Transaction Authentication and Integrity
WHAT IS THE QUICKSTART APPROACH?
COBIT Quickstart provides a baseline for control over IT in SMEs and other entities where IT is less strategic and not as critical
for survival. Quickstart also provides a starting point to ‘quickstart’ a broader IT governance implementation in a larger
environment.
The baseline consists of 32 pages of material providing processes, control objectives, RACI charts and key metrics, presented in
easy-to-read, tabular fashion and in nontechnical language, to encourage rapid adoption and reduced debates and discussion.
Because it is a baseline, Quickstart is viewed generally as ‘common sense’ and acts as a powerful reminder and checklist of
those things that ought to be directed and controlled in IT, as a minimum. From a top management perspective, it helps
organisations focus scarce resources on the basics—the potentially easier-to-tackle areas—thus providing an efficient tool for
initiating IT governance, without committing large amounts of resource or significant investments.
The first reflection when considering Quickstart is to decide whether it is suitable for the specific organisation. Quickstart helps
the enterprise to make this decision by including tools that enable the organisation to carry out a self-assessment of factors
dealing with management and IT complexity. For larger organisations, it should be acknowledged that Quickstart can only be a
starting point to move towards a broader IT governance framework.
WHO CAN USE QUICKSTART?
Quickstart is aimed at small and medium-sized organisations. However, it also is suitable for any organisation with an
appropriate control environment, which is considered to be one that has:
• A simple command structure
• Short communications path
• Limited span of control
• Not much segregation of responsibilities
In addition, it is suitable for organisations in which:
• The IT environment is not particularly complex
• The IT expenditure is not very significant
• IT is not that strategically important
• The use of IT is not leading-edge
Quickstart can be used in larger organisations, but as a first step towards implementing IT governance using COBIT.
Quickstart is useful for all kinds of users in its targeted types of organisations: auditors, IT managers and implementers of IT
governance who are likely to be dealing with IT governance and COBIT for the first time and who wish for a light and easy-to-use approach to get started.
HOW DO I KNOW IF QUICKSTART IS SUITABLE FOR MY ORGANISATION?
COBIT Quickstart provides two tests to assess an enterprise’s suitability for implementing control over IT based on the Quickstart
set of controls. They are provided with this publication in the form of an electronic tool.
Test 1—Stay in the Blue Zone
The first test (Stay in the Blue Zone), as shown in figure 5, helps the organisation determine whether it is appropriate for
Quickstart implementation to manage its IT risks or it should consider using the full COBIT guidance. If the results from the
assessment are mainly contained in the blue zone, the organisation most likely is suited for using COBIT Quickstart. If the
results are not in the blue zone, it nevertheless remains management’s decision to use the Quickstart approach anyway.
However, management should remain conscious of the control assumptions described previously, as certain controls are not
retained in Quickstart.
Figure 5—Suitability Assessment (1) <<Stay in the Blue Zone>>
The chart plots the organisation on seven axes (SCS, SCP, SOC, ITE, ITI, ITS and SEG), each graded from 0 to 4. The level descriptions for each dimension are:

Simple Command Structure (SCS)
1. CS is informal and verbal, only short-term and tactical.
2. CS is primarily informal and verbal, somewhat short-term but largely medium-term-oriented, and still primarily tactical.
3. CS is primarily formal and documented, begins looking at the long-term but is more medium-term-oriented, somewhat tactical with strategic views emerging.
4. CS is strictly formal and documented, covers short-, medium- and long-term and is strategy-oriented.

Short Communications Path (SCP)
1. HE (Head of the entity) knows everyone's IT-related responsibilities.
2. HE knows most people's IT-related responsibilities.
3. HE knows IT-related responsibilities only for key personnel.
4. HE does not know all IT-related responsibilities of key personnel.

Span of Control (SOC)
1. HE directs and monitors everyone's IT-related responsibilities.
2. HE directs and monitors most people's IT-related responsibilities.
3. HE directs and monitors only key personnel's IT-related responsibilities.
4. HE does not direct and monitor all IT-related responsibilities of key personnel.

IT Expenditure (ITE)
1. IT expenditure is not more than profits and not much different from peers.
2. IT expenditure is different from peers and only marginally increasing every year.
3. IT expenditure is more than profits or significantly different from peers and is showing an annual increasing trend.
4. IT expenditure is significantly more than the entity's profits.

IT Strategic Importance (ITI)
1. Reliable IT is not critical to the functioning of the enterprise and is not likely to become strategically important.
2. Reliable IT support is critical to the enterprise's current operation, but the application development portfolio is not fundamental to the enterprise's ability to compete.
3. Uninterrupted functioning of IT is not absolutely critical to achieving current objectives but applications and technology under development will be critical to future competitive success.
4. Reliable IT support is critical to the enterprise's current operation, and applications and technology under development are critical to future competitive success.

IT Sophistication (ITS)
1. Laggard, well behind in technology adoption, with a simple IT infrastructure
2. Follower, adopting technology after peers, using more, but still standard, components
3. Leader, adopting technology before peers, customising and integrating solutions
4. Pioneer, early adopter of new emerging technology well ahead of the industry, highly complex IT environment

Segregation (SEG)
1. Those who monitor have at least two other functions (build, operate or influence).
2. Those who monitor have at most building or operating as other functions. Those who influence also can have building and operating functions.
3. Monitoring is totally segregated, but building and operating can be executed by the same person. Those who influence have at most operating or building as other functions.
4. At most, influencing and monitoring is executed by one person.
The different dimensions of this suitability test are as follows:
• Simple command structure—This dimension measures the degree to which authority, rules and control are
institutionalised in the organisation. This command structure varies from very informal and verbal to strictly formal and
documented. Moreover, long-term/short-term orientation and the strategic/tactical direction imposed by the command
structure are evaluated. The presence of more formal and documented structures and longer-term strategic views suggests
that higher levels of control are needed.
• Short communication path—The communication path component indicates how many layers are situated between the head of
the entity (HE) and the IT staff. This illustrates how directly, quickly and efficiently the HE can communicate with the IT staff,
and is measured by determining how well the HE knows the staff’s IT-related responsibilities. This assumes that the more
direct the communication path, the better the IT-related responsibilities are known. The organisation may need to look for
control requirements beyond Quickstart if the HE does not know most people’s IT responsibilities.
• Span of control—Whilst the previous step assessed the degree to which the HE knows everyone’s IT-related responsibilities,
this dimension measures the influence the HE has on those responsibilities. This influence is rated by indicating which IT-related responsibilities the HE effectively directs and monitors, varying from directing and monitoring no IT-related
responsibilities at all, to directing and monitoring every IT-related responsibility. Not knowing IT responsibilities of at least key
personnel is an indicator that a larger control framework is required.
• IT sophistication—The IT sophistication component refers to the profile of the organisation with regard to the adoption of new
technologies and the complexity of the IT environment relative to industry and peers. This profile ranges from being a pioneer,
adopting new technologies well before industry in a complex IT environment, to being a laggard, adopting new technologies
well behind peers and industry while keeping the infrastructure simple. Taking a technology leadership position and working in
a complex IT environment evoke the possibility of larger risks and wider control requirements.
• IT strategic importance—This dimension evaluates how dependent the organisation is on IT to operate and function, and to
achieve competitive advantage and success. This dimension is the equivalent of the traditional McFarlan quadrant 1, which
positions organisations based on current and future dependency on IT. From the moment IT is critical to support current
operations, additional controls may be needed to manage that criticality.
• IT expenditure—The IT expenditure component is closely linked to the IT sophistication and IT strategic importance
dimensions, and ranks the organisation based on its IT expenditure relative to profit and compared to peers. Furthermore, the
increasing trend of the total IT expenditure is taken into account. If IT expenditure increases yearly, surpasses profits or differs
significantly from industry peers, it is prudent to consider stronger controls. Not-for-profit enterprises usually can avoid
referring to profits and, instead, judge IT expenditure based on peer expenditures and their own expenditure trends.
• Segregation—The segregation dimension checks whether the responsibilities for building, operating and influencing IT
solutions and monitoring same are overly concentrated in one person or, instead, are distributed properly over more people.
There is insufficient segregation when a single person executes too many of these functions. The fact that management has
implemented a certain degree of segregation indicates a level of concern and risk that is more consistent with a larger control
framework.
If the results from the assessment are contained mainly in the blue zone, the organisation most likely is suited for using COBIT
Quickstart. However, there may still be specific circumstances that create the need to go beyond Quickstart (i.e., to use the full
COBIT or to obtain specific extra material from the full COBIT). This is the case in environments characterised by:
• Open, as opposed to closed, systems (extended enterprise), i.e., connecting with customers and suppliers
• The presence of IT-related regulations, contractual requirements or need to provide outside assurance about IT
• Management awareness of IT issues and questioning whether a minimum baseline is right for the enterprise
• Management belief that a need exists to improve IT skills and capabilities
• A need to define, standardise and document IT processes in a sustainable manner
• Management awareness that technology needs to be used to automate some IT processes to make them more effective and
efficient
• A significant degree of IT integration within business processes
These specific situations imply that, even though the organisation may appear to be suited for COBIT Quickstart based on the
first suitability test, it should consider looking at the complete set of control objectives from COBIT to address its governance
and control needs beyond Quickstart. The opposite argumentation can also be made: if an organisation appears to be ‘not
suitable’ for COBIT Quickstart, it can still decide to use the Quickstart model as a way to launch a governance initiative in the
organisation.
Test 2—Watch the Heat
The second test of the suitability tool (Watch the Heat), as shown in figure 6 and also supplied with this publication, can help
assess the exception situations described previously. The more the enterprise is in the red zone, the more it needs to consider
going beyond COBIT Quickstart.
Figure 6—Suitability Assessment (2) <<Watch the Heat>>
Each statement is rated on a five-point scale: Definitely disagree, Somewhat disagree, Neither agree nor disagree, Somewhat agree, Fully agree.
• The IT infrastructure is an open, as opposed to closed, system (interconnections with customers, suppliers, etc.).
• There are IT-related regulations or contractual requirements applying to the enterprise.
• There is a need to provide outside assurance about IT.
• Enterprise management is aware of IT issues and wonders whether a minimum baseline is sufficient.
• Enterprise management has identified the need for significant formal training relative to IT.
• Some IT practices and procedures have been defined, standardised and documented in a sustainable manner.
• Enterprise management knows that common tools would make some IT processes more effective and efficient.
• The IT ‘expert(s)’ of the enterprise are needed for developing/improving business processes.
HOW IS IT PRESENTED?
The following pages provide a baseline for management and control over IT in SMEs and other entities where IT is less
strategic and not as critical for survival. This baseline can also be used by larger organisations as a first step towards
implementing IT governance using COBIT.
It is presented in easy-to-read, tabular fashion, addressing 32 IT processes grouped in the four COBIT domains. For each IT
process, there is at least one concrete control objective. For each control objective, information is provided on the RACI chart.
Moreover, metrics are defined to measure the outcome of the control objective and the outcome of the process as a whole. Each
control objective also contains a reference to the original detailed control objectives of the full COBIT 4.1 from which they are
derived. This can help the user access the full COBIT material when extending and customising the COBIT Quickstart framework
for a specific organisation.
The charts also provide an implementation status scale—from 0 to 7—for each control objective. On this scale, the user can
indicate where the enterprise is for a certain control objective (as-is position) and where it would like to be (to-be position).
After analysing the gaps between these two positions, projects can be defined and initiated to close the gaps. An example is
provided in figure 7.
Figure 7—COBIT Quickstart Layout
The example row in the figure is AI6 Manage changes. Each process chart has four column groups:
• Processes and Good Practices: COBIT Quickstart Process, COBIT Quickstart Management Practices, CO Ref
• Self-assessment: implementation status scale from 0 to 7, where 0 = Management is not aware; 1 = Management is aware; 2 = There is commitment to resolve; 3 = Implementation has started; 4 = Implementation is well underway; 5 = Solution is implemented; 6 = Solution is sustainable; 7 = Solution has been optimised
• Responsibilities: Exec Committee, Head of IT, IT Development Manager, IT Operations Manager, Business Managers
• Key Metrics: Control Objective Metric, IT Process Metrics
The COBIT Quickstart baseline, with its control objectives provided on the following pages, is presented in the tabular form
illustrated in figure 7 and contains:
• High-level description of the Quickstart IT process
• COBIT Quickstart management practices applicable after the suitability tests, organised by IT domain (PO, AI, DS and ME),
and IT processes
• Reference to the full COBIT objectives used to construct the Quickstart objective and the number of COBIT objectives in that
process
• Potential self-assessment approach. Another option is to use traditional maturity levels: 0—Ad Hoc, 1—Initial, 2—Repeatable,
3—Defined, 4—Managed and 5—Optimised.
• Responsibilities for each of the management practices. For some typical roles in the organisation (executive committee, head of
IT, head operations, head development and business managers), it is defined whether that role should be responsible, accountable,
consulted or informed in the context of that specific control objective. The predefined roles should not be seen as full-time
equivalents. Some of these roles can be combined in reality and fulfilled by the same person.
• Most important applicable metrics. These metrics are defined at two levels. For each individual management practice, some
key outcome metrics are defined to measure the outcome of that objective (as defined in the column COBIT Quickstart
Management Practices). Next, outcome metrics are defined at the level of a complete IT process (corresponding to the high-level description of the IT process indicated in the column COBIT Quickstart Process).
HOW IS IT IMPLEMENTED?
Although Quickstart can be used in a variety of ways, dependent upon the issues to be addressed, the structured process in
figure 8 addresses the needs of a full implementation of an IT governance improvement programme.
Figure 8—Implementation Process

1. Assess suitability.
   Process description: Apply the suitability assessment tool provided in Quickstart to determine if the organisation is a suitable candidate for the use of the Quickstart approach. The outcome will indicate whether the programme can be used as is or as supplemented with some of the more detailed components of the full COBIT, or the full COBIT should be applied from the outset.
   Deliverable: Decision on use of COBIT Quickstart

2. Evaluate current state.
   Process description: Use the Quickstart baseline charts to define the organisation’s as-is position. Typical activities in this step involve basic data gathering, interviewing of key staff responsible for these processes, and review of performance results or audit reports. Alternatively, a working team of knowledgeable staff can be assembled to work with a facilitator to fast-track the process.
   Deliverable: As-is process positions

3. Determine target state.
   Process description: Consider the organisation’s operating environment and plot its to-be position on the Quickstart process tables. Typical considerations include:
   • Nature of the industry
   • Legal and regulatory requirements
   • Sensitivity of information handled
   • Technology dependency
   • Business and IT goals
   It is important that this positioning be developed by the organisation’s management and owners, if possible, but at least approved by them.
   Deliverable: To-be process positions

4. Analyse gaps.
   Process description: Examine the control practices associated with each process gap (difference between the as-is and to-be positions) to determine the nature and magnitude of improvements required.
   Deliverable: Process change definitions

5. Define improvement projects.
   Process description: Group the individual process change requirements logically into improvement projects, that is, projects that enable the organisation to make effective progress in manageable stages.
   Deliverable: Process improvement

6. Develop an integrated governance implementation programme.
   Process description: Organise, prioritise and sequence the improvement projects into an integrated programme plan taking into account the organisation’s immediate needs, project interdependencies and resource availability.
   Deliverable: Integrated programme plan
MIGRATION STRATEGIES TO MOVE FROM QUICKSTART TO FULL COBIT
COBIT Quickstart provides a baseline for control over IT and/or a starting point to a broader IT governance implementation. Any
organisation applying COBIT Quickstart can start building on this baseline but should also always analyse how organisation-specific business goals drive IT goals which, in turn, drive IT process goals. This analysis is required to identify potential extensions to the baseline as required by the organisation’s business and governance objectives.
Two approaches are suggested to move towards a more extended implementation of COBIT once Quickstart has been
implemented:
1. Leverage the cross-references—Quickstart provides a complete overview of cross-references to the full COBIT. If weaknesses
are defined in specific areas, these cross-references can provide guidance to a more extended list of control objectives in
specific domains. Based on the organisation’s risk and value drivers, extra control objectives can be selected for which as-is
and to-be situations can be analysed and translated into improvement programmes.
2. Plan a full IT governance implementation—Follow the guidance provided in the IT Governance Implementation Guide:
Using COBIT and Val IT, 2nd Edition to initiate and plan an IT governance implementation programme. A road map with
suggested activities and tasks is provided.
COBIT QUICKSTART BASELINE
PO1 Define a strategic IT plan.

COBIT Quickstart Process: Ensure that IT strategy is aligned with and supports the overall business strategy.

COBIT Quickstart Management Practices:
1. Define the necessary IT contribution to the achievement of the enterprise’s strategic objectives, related cost and performance objectives, and assess how IT can create business opportunities in a strategic plan.
2. Translate the strategic plan into short-term IT operations, IT projects and IT objectives. Assess the tactical IT performance objectives in terms of availability, functionality, current total cost of ownership and return on investment.

CO Ref (full COBIT control objectives): PO1.2, PO1.3, PO1.4, PO1.5, PO1.6

Self-assessment: implementation status scale 0 to 7 (see figure 7), marked per management practice.

Responsibilities (RACI letters as extracted; role columns Exec Committee, Head of IT, IT Development Manager, IT Operations Manager, Business Managers; cell positions not preserved): A, A, R, R, C, C, I, C

Key Metrics
Control Objective Metrics:
• Percent of strategic/tactical IT plan meetings where business representatives have actively participated
• Delay between updates of IT strategic plan and updates of IT tactical plans
• Number of IT-related cost and performance objectives in the IT strategic plan that support the strategic business plan
IT Process Metrics:
• Existence of an approved strategic IT plan
PO2 Define the information architecture.

COBIT Quickstart Process: Establish an enterprise data model that incorporates a data classification scheme to ensure the integrity and consistency of all data.

COBIT Quickstart Management Practices:
3. Create and maintain one list; identify and describe the major data elements for the enterprise and their syntax rules, and consider who can access and modify. (CO Ref: PO2.2, PO2.3)
4. Define and implement measures to ensure the integrity and consistency of all data stored in electronic form, such as databases, data warehouses and data archives. (CO Ref: PO2.4)

Self-assessment: implementation status scale 0 to 7 (see figure 7), marked per management practice.

Responsibilities (RACI letters as extracted; role columns Exec Committee, Head of IT, IT Development Manager, IT Operations Manager, Business Managers; cell positions not preserved): A, R, R, C, C, A

Key Metrics
Control Objective Metrics:
• Percent of non-compliance with the data classification scheme
• Frequency of updates to the enterprise data model
• Percent of data elements that do not have an owner
IT Process Metrics:
• The existence of an approved data model
• Percent of redundant/duplicate data elements
PO3 Determine technological direction.

COBIT Quickstart Process: Verify that the technology plans are adequate to accommodate likely changes in technology and business direction.

COBIT Quickstart Management Practices:
5. Be aware of continuing support for current systems for their expected life span. Compare actual value for money against potential value for money of more recent but proven technology. (CO Ref: PO3.1, PO3.3)

Self-assessment: implementation status scale 0 to 7 (see figure 7), marked per management practice.

Responsibilities (RACI letters as extracted; role columns Exec Committee, Head of IT, IT Development Manager, IT Operations Manager, Business Managers; cell positions not preserved): A, R, R

Key Metrics
Control Objective Metrics:
• Frequency of the technology infrastructure plan review/update
IT Process Metrics:
• The existence of an approved and updated technology infrastructure plan
PO4 Define the IT processes, organisation and relationships.

COBIT Quickstart Process: Establish transparent, flexible and responsive IT organisational structures and define and implement IT processes with owners, roles and responsibilities integrated into business processes.

COBIT Quickstart Management Practices:
6. Assign IT-related roles and responsibilities clearly, with proper authority and reasonable expectations, and communicate to all. Pay attention to responsibilities in the area of security and quality. (CO Ref: PO4.6, PO4.7, PO4.8)
7. Regularly review that IT-related roles and responsibilities are understood and exercised properly. Assess that people have the resources to exercise these responsibilities and be aware that concentrated roles and responsibilities can be misused. (CO Ref: PO4.10, PO4.11)
8. Define where outside contracting and/or outsourcing can be applied and how they are to be controlled. (CO Ref: PO4.14, PO4.15)

Self-assessment: implementation status scale 0 to 7 (see figure 7), marked per management practice.

Responsibilities (RACI letters as extracted; role columns Exec Committee, Head of IT, IT Development Manager, IT Operations Manager, Business Managers; cell positions not preserved): A/R, A/R, A, C, C, R, C, C, R

Key Metrics
Control Objective Metrics:
• Number of escalations or unresolved issues leading to the outsourcing of IT activities
• Number of conflicting responsibilities in the view of segregation of duties
• Percent of roles with documented position and authority descriptions
IT Process Metrics:
• Number of delayed business initiatives due to IT organisational inertia or unavailability of necessary capabilities
• Percent of stakeholders satisfied with IT responsiveness
PO5 Manage the IT investment.

COBIT Quickstart Process: Make effective and efficient IT investment and portfolio decisions, and set and track IT budgets in line with IT strategy and investment decisions.

COBIT Quickstart Management Practices:
9. Plan and manage IT expenditures within an annual budget, reflecting the enterprise’s priorities, and track expenditures against expected benefits. (CO Ref: PO5.3, PO5.4, DS6.3)

Self-assessment: implementation status scale 0 to 7 (see figure 7), marked per management practice.

Responsibilities (RACI letters as extracted; role columns Exec Committee, Head of IT, IT Development Manager, IT Operations Manager, Business Managers; cell positions not preserved): A/R, C, C

Key Metrics
Control Objective Metrics:
• Percent of projects with the benefit defined up front
• Percent of projects with a post-project review
IT Process Metrics:
• Percent of IT investments exceeding or meeting the predefined business benefit
PO6 Communicate management aims and direction.

COBIT Quickstart Process: Appropriately define and promulgate management aims and directions with respect to IT.

COBIT Quickstart Management Practices:
10. Make decisions, communicate consistently and discuss regularly on the basic rules of the use, acceptable and reasonable behaviour, and operating principles of IT.
11. Encourage responsiveness in staff relative to applicable external requirements, IT risks, the protection of IT resources, the integrity of IT systems and intellectual property rights of own software and enterprise data. Establish some simple dos and don’ts.

CO Ref (full COBIT control objectives): PO6.2, PO6.3, PO6.4, PO6.5

Self-assessment: implementation status scale 0 to 7 (see figure 7), marked per management practice.

Responsibilities (RACI letters as extracted; role columns Exec Committee, Head of IT, IT Development Manager, IT Operations Manager, Business Managers; cell positions not preserved): I, I, A/R, A/R, C, C, C, C, I, I

Key Metrics
Control Objective Metrics:
• Percentage of stakeholders who are non-compliant with the policy
• Percentage of stakeholders who understand the IT control framework
IT Process Metrics:
• Timeliness and frequency of communication to stakeholders
• Level of understanding of IT costs, benefits, strategy, policies and service levels
PO7 Manage IT human resources.

COBIT Quickstart Process: Hire and train qualified personnel, motivate them through clear career paths and assign roles that correspond with skills. Establish a defined review process while creating position descriptions and ensuring awareness of dependency on individuals.

COBIT Quickstart Management Practices:
12. Consider educational experience and past responsibilities to obtain the IT skills needed to support the IT infrastructure and enterprise goals when hiring IT staff. Verify reference checks. (CO Ref: PO7.1, PO7.2, PO7.6)
13. Verify annually whether skills and qualifications are up-to-date and act accordingly. (CO Ref: PO7.4)
14. Ensure that essential IT tasks do not depend on one person. (CO Ref: PO7.5)

Self-assessment: implementation status scale 0 to 7 (see figure 7), marked per management practice.

Responsibilities (RACI letters as extracted; role columns Exec Committee, Head of IT, IT Development Manager, IT Operations Manager, Business Managers; cell positions not preserved): A, A, A, R, R, R, R, R, R

Key Metrics
Control Objective Metrics:
• Number of job description reviews
• Percent of IT employees who have undergone background checks
• Number of staff retention initiatives
• Percent of IT staff members who complete annual IT training plan
IT Process Metrics:
• Level of stakeholders’ satisfaction with IT personnel expertise and skills
PO8 Manage quality.

COBIT Quickstart Process: Verify whether all deliverables are of a quality acceptable to the business.

COBIT Quickstart Management Practices:
15. For in-house developments, define and enforce basic documentation practices for developments, changes and testing. (CO Ref: PO8.2)

Self-assessment: implementation status scale 0 to 7 (see figure 7), marked per management practice.

Responsibilities (RACI letters as extracted; role columns Exec Committee, Head of IT, IT Development Manager, IT Operations Manager, Business Managers; cell positions not preserved): A/R

Key Metrics
Control Objective Metrics:
• Percent reduction in number of high severity incidents per user within 3 months after deployment
IT Process Metrics:
• Percent of stakeholders satisfied with IT service quality
• Percent of projects reviewed and assigned by QA that meet target quality goals and objectives
PO9 Assess and manage IT risks.

COBIT Quickstart Process: Identify, prioritise, contain or accept relevant risks arising in the IT area and associated functions.

COBIT Quickstart Management Practices:
16. At appropriate times, discuss with key staff what can go wrong with IT that would impact the business objectives significantly. Especially consider data that are critical for the success of the business. (CO Ref: PO2.3, PO2.4, PO9.1, PO9.2, PO9.3)
17. Establish staff understanding of the need for responsiveness and consider cost-effective means to manage the risks identified through insurance coverage and protection practices (e.g., effective backup, basic access control, virus protection, firewalls). (CO Ref: PO7.4, PO9.5)

Self-assessment: implementation status scale 0 to 7 (see figure 7), marked per management practice.

Responsibilities (RACI letters as extracted; role columns Exec Committee, Head of IT, IT Development Manager, IT Operations Manager, Business Managers; cell positions not preserved): I, I, A, A/R, R, R, R, R, I, I

Key Metrics
Control Objective Metrics:
• Number of significant incidents caused by risks that were not identified by the risk assessment process
• Frequency of review of the IT risk management process
• Percent of identified IT events used in risk assessments
IT Process Metrics:
• Percent of critical IT objectives covered by risk assessment
• Number of newly identified IT risks compared to previous exercise
PO10 Manage projects.

COBIT Quickstart Process: Define a programme and project management approach that is applied to all IT projects, enables stakeholder participation and monitors project risks and progress.

COBIT Quickstart Management Practices:
18. Ensure the correct prioritisation and co-ordination of all projects, by clearly defining what needs to be achieved, by whom, when, at what cost and with which benefits. (CO Ref: PO10.1, PO10.2, PO10.6, PO10.7)
19. Define and communicate project management guidelines for all project managers. Describe explicitly the project scope and the final deliverable acceptance criteria. Support the business changes linked to the project with a proper training plan.
20. Implement a project quality plan to monitor project deliverables, cost, schedule and risks on an ongoing basis.
(CO Ref for practices 19 and 20: PO10.2, PO10.7, PO10.9)

Self-assessment: implementation status scale 0 to 7 (see figure 7), marked per management practice.

Responsibilities (RACI letters as extracted; role columns Exec Committee, Head of IT, IT Development Manager, IT Operations Manager, Business Managers; cell positions not preserved): C, I, A, A/R, A/R, R, I, R, I, I, C

Key Metrics
Control Objective Metrics:
• Percent of projects receiving implementation reviews
• Percent of stakeholders participating in projects (involvement index)
• Percent of projects following project management standards and practices
IT Process Metrics:
• Percent of projects on time and on budget
34
AI1 Identify automated solutions.
Processes and Good Practices

COBIT Quickstart Process
Identify technically feasible and cost-effective solutions.

COBIT Quickstart Management Practices
21. Be clear on how the solution will change and benefit the business and supporting processes. Ensure that the solution’s functional and operational requirements are specified, including maintainability, performance, reliability, security and compatibility with current systems.
22. In line with the IT strategic plan, carefully consider whether to buy or build. Contemplate alternative solutions and their feasibility, not excluding upgrading existing systems, doing nothing or applying manual solutions. If there is no clear idea about how to improve business processes, do not inject technology.
23. Use a standard selection process when acquiring IT products or services. Base the supplier selection process on fair and formal practice, and invite more than one vendor to bid.
CO Ref (in extracted order): AI5.1, AI5.3, PO1.4, AI1.3, AI5.1, AI1.1

Responsibilities (RACI letters in extracted order; role columns: IT Committee, Head of IT, Development Manager, Operations Manager, and two roles whose header fragments read IT, Exec, Business, Managers; letter-to-role mapping not preserved): A/R, A/R, A/R, C, C, C, C, C, C, I, I, I

Self-assessment
0 Management is not aware.
1 There is awareness.
2 Management is committed to resolve.
3 Implementation has started.
4 Solution is well underway.
5 Solution is implemented.
6 Solution is sustainable.
7 Solution has been optimised.

Key Metrics
Control Objective Metric:
• Number of acquisitions not using a standard approach
• Percent of feasibility studies delivered on time and on budget
• Percent of stakeholders satisfied with the accuracy of the feasibility study
IT Process Metrics:
• Percent of users satisfied with the functionality delivered
AI2 Acquire and maintain application software.
Processes and Good Practices

COBIT Quickstart Process
Ensure that application software provides efficient, effective and economical support for the enterprise.

COBIT Quickstart Management Practices
24. Ensure there is a good set of functional and operational requirements and review (a) together with key personnel, to ascertain the set records that the application needs to achieve, and (b) with the supplier/developer to verify that the needs are understood.
25. Obtain an application data model, processing descriptions and user documentation from the supplier/developer.
CO Ref (in extracted order): AI2.2, AI4.3, AI4.4, AI2.1

Responsibilities (RACI letters in extracted order; role columns: IT Committee, Head of IT, Development Manager, Operations Manager, and two roles whose header fragments read IT, Exec, Business, Managers; letter-to-role mapping not preserved): A, A/R, R, C, C

Self-assessment
0 Management is not aware.
1 There is awareness.
2 Management is committed to resolve.
3 Implementation has started.
4 Solution is well underway.
5 Solution is implemented.
6 Solution is sustainable.
7 Solution has been optimised.

Key Metrics
Control Objective Metric:
• Percent of applications for which a data model, processing description and documentation are available
• Percent of application software projects with a software QA plan or SLA developed and executed
IT Process Metrics:
• Number of projects where stated benefits were not achieved due to poor application design or development
AI3 Acquire and maintain technology infrastructure.
Processes and Good Practices

COBIT Quickstart Process
Provide appropriate platforms for the business applications.

COBIT Quickstart Management Practices
26. Consider operational, functional and business requirements, e.g., everything required to deploy, operate, maintain and secure the application, to support the users and to recover from failures.
CO Ref (in extracted order): AI3.1, AI3.2, AI3.3, AI6.1, AI7.3, DS8.1, DS8.5, DS13.5

Responsibilities (RACI letters in extracted order; role columns: IT Committee, Head of IT, Development Manager, Operations Manager, and two roles whose header fragments read IT, Exec, Business, Managers; letter-to-role mapping not preserved): A, C, R, C

Self-assessment
0 Management is not aware.
1 There is awareness.
2 Management is committed to resolve.
3 Implementation has started.
4 Solution is well underway.
5 Solution is implemented.
6 Solution is sustainable.
7 Solution has been optimised.

Key Metrics
Control Objective Metric:
• Number and type of emergency or non-compliant changes to the infrastructure components
IT Process Metrics:
• Number of critical business processes supported by obsolete (or soon-to-be obsolete) infrastructure
• Percent of platforms that are not in line with the defined IT architecture and technology standards
AI4 Enable operation and use.
Processes and Good Practices

COBIT Quickstart Process
Provide effective user and operational manuals and training materials to transfer the knowledge necessary for successful system operation and use.

COBIT Quickstart Management Practices
27. Ensure that knowledge and skills over new and current systems are available and updated through documentation, training and user manuals, for the business management, end users, and operations and support staff.
CO Ref (in extracted order): AI4.2, AI4.3, AI4.4, DS7.1

Responsibilities (RACI letters in extracted order; role columns: IT Committee, Head of IT, Development Manager, Operations Manager, and two roles whose header fragments read IT, Exec, Business, Managers; letter-to-role mapping not preserved): A, R, I, I

Self-assessment
0 Management is not aware.
1 There is awareness.
2 Management is committed to resolve.
3 Implementation has started.
4 Solution is well underway.
5 Solution is implemented.
6 Solution is sustainable.
7 Solution has been optimised.

Key Metrics
Control Objective Metric:
• Satisfaction scores for training and documentation related to user and operational procedures
• Availability, completeness and accuracy of user and operational documentation
IT Process Metrics:
• Number of applications where IT procedures are seamlessly integrated into business processes
• Percent of business owners satisfied with application training and support materials
AI5 Procure IT resources.
Processes and Good Practices

COBIT Quickstart Process
Acquire and maintain IT resources that respond to the delivery strategy, IT infrastructure, and reduction of IT procurement risk.

COBIT Quickstart Management Practices
28. Define a standard set of procurement procedures for IT resources (infrastructure, applications, people skills and information). Use a standard supplier selection procedure. Ensure contractual arrangements cover legal, financial, organisational, security and performance requirements.
CO Ref (in extracted order): AI5.1, AI5.2, AI5.3

Responsibilities (RACI letters in extracted order; role columns: IT Committee, Head of IT, Development Manager, Operations Manager, and two roles whose header fragments read IT, Exec, Business, Managers; letter-to-role mapping not preserved): A/R, R, R

Self-assessment
0 Management is not aware.
1 There is awareness.
2 Management is committed to resolve.
3 Implementation has started.
4 Solution is well underway.
5 Solution is implemented.
6 Solution is sustainable.
7 Solution has been optimised.

Key Metrics
Control Objective Metric:
• Percent of procurements in compliance with standing procurement policies and procedures
IT Process Metrics:
• Number of disputes related to procurement contracts
AI6 Manage change.
Processes and Good Practices

COBIT Quickstart Process
Control the impact assessment, authorisation and implementation of all changes to the IT infrastructure, applications and technical solutions; minimise errors due to incomplete request specifications; and halt implementation of unauthorised changes.

COBIT Quickstart Management Practices
29. Set up a change management process that includes several approval steps, i.e., categorisation, impact assessment, prioritisation, authorisation, planning, testing and implementation. During execution of the change management process, track the progress, risks and values.
30. Set up an emergency change process (including criteria to invoke it, procedures, etc.) and ensure that every emergency change is recorded and authorised.
31. Consider the impact of all changes on existing documentation and training.
CO Ref (in extracted order): AI6.5, AI6.3, AI6.1, AI6.4

Responsibilities (RACI letters in extracted order; role columns: IT Committee, Head of IT, Development Manager, Operations Manager, and two roles whose header fragments read IT, Exec, Business, Managers; letter-to-role mapping not preserved): A, A, A, R, R, R, R, R, R, I, I, I

Self-assessment
0 Management is not aware.
1 There is awareness.
2 Management is committed to resolve.
3 Implementation has started.
4 Solution is well underway.
5 Solution is implemented.
6 Solution is sustainable.
7 Solution has been optimised.

Key Metrics
Control Objective Metric:
• Number of backlogged change requests including documentation and training
• Percent of total changes that are emergency fixes
• Percent of changes that do not follow formal change control processes
IT Process Metrics:
• Number of disruptions or data errors caused by inaccurate specifications or incomplete impact assessment
AI7 Install and accredit solutions and changes.
Processes and Good Practices

COBIT Quickstart Process
Test that applications and infrastructure solutions are fit for the intended purpose and free from errors, and that adequate data conversion has occurred.

COBIT Quickstart Management Practices
32. Analyse the data conversion requirements, prepare a data conversion plan and assign responsibility to execute the plan. Be aware of complexity and scope, and consider the impact on other applications and the degree of verification required.
33. Test the application (or major change) against functional and operational requirements in a representative environment such that the results can be trusted. Consider testing how the application (or major change) integrates with existing applications. Do not test on the live production system.
34. Perform final acceptance by evaluating all test results, involving key staff who will use, run and maintain the system. Evaluate against original acceptance criteria. Evaluate against original business goals.
CO Ref (in extracted order): AI7.7, AI7.9, AI7.4, AI7.6, AI7.8, AI7.5

Responsibilities (RACI letters in extracted order; role columns: IT Committee, Head of IT, Development Manager, Operations Manager, and two roles whose header fragments read IT, Exec, Business, Managers; letter-to-role mapping not preserved): A/R, A/R, A/R, C, C, C

Self-assessment
0 Management is not aware.
1 There is awareness.
2 Management is committed to resolve.
3 Implementation has started.
4 Solution is well underway.
5 Solution is implemented.
6 Solution is sustainable.
7 Solution has been optimised.

Key Metrics
Control Objective Metric:
• Rework after implementation due to inadequate acceptance testing
• Percent of projects with a documented and approved testing plan
• Number of changes without required management sign-off before implementation
IT Process Metrics:
• Percent of stakeholders satisfied with the data integrity of new systems
DS1 Define and manage service levels.
Processes and Good Practices

COBIT Quickstart Process
Identify service requirements, agree on service levels and monitor the achievement of service levels.

COBIT Quickstart Management Practices
35. Identify services delivered by IT. Define, agree upon and regularly review service level agreements. They cover service support requirements, related costs, roles and responsibilities, etc., and should be expressed in business terms.
CO Ref (in extracted order): AI4.1, AI5.2, DS1.3, DS1.6, DS2.4

Responsibilities (RACI letters in extracted order; role columns: IT Committee, Head of IT, Development Manager, Operations Manager, and two roles whose header fragments read IT, Exec, Business, Managers; letter-to-role mapping not preserved): A, R, R, R

Self-assessment
0 Management is not aware.
1 There is awareness.
2 Management is committed to resolve.
3 Implementation has started.
4 Solution is well underway.
5 Solution is implemented.
6 Solution is sustainable.
7 Solution has been optimised.

Key Metrics
Control Objective Metric:
• Percentage of services meeting service levels defined in the SLAs
IT Process Metrics:
• Number of services that are not covered by a formal SLA
DS2 Manage third-party service.
Processes and Good Practices

COBIT Quickstart Process
Manage and monitor the relationships with, and services delivered by, third parties to verify adherence to agreements and to mitigate potential risks.

COBIT Quickstart Management Practices
36. Consider the dependence on third-party suppliers and mitigate continuity, confidentiality and intellectual property risk by, e.g., escrow, legal liabilities, penalties and rewards.
37. Assess the professional capability of third parties and ensure they provide a clearly identified contact who has the authority to act upon enterprise requirements and concerns.
CO Ref (in extracted order): DS2.2, DS2.4, AI5.2, AI5.3, DS2.3

Responsibilities (RACI letters in extracted order; role columns: IT Committee, Head of IT, Development Manager, Operations Manager, and two roles whose header fragments read IT, Exec, Business, Managers; letter-to-role mapping not preserved): I, A, A, R, R, R, R

Self-assessment
0 Management is not aware.
1 There is awareness.
2 Management is committed to resolve.
3 Implementation has started.
4 Solution is well underway.
5 Solution is implemented.
6 Solution is sustainable.
7 Solution has been optimised.

Key Metrics
Control Objective Metric:
• Time lost in service disputes due to unclear roles and responsibilities
• Number of identified and documented issues with third parties
• Number of contract revisions after issues with third parties
IT Process Metrics:
• Cost of disputes with external suppliers
• Number of SLAs not met due to supplier deficiencies
DS3 Manage performance and capacity.
Processes and Good Practices

COBIT Quickstart Process
Manage and monitor the performance and capacity of IT resources to meet business requirements.

COBIT Quickstart Management Practices
38. Based on business needs and the current and future workloads, define the minimum availability, performance and capacity requirements of IT services and systems. Monitor accordingly and act proactively where possible.
CO Ref (in extracted order): DS3.1, DS3.2, DS3.3, DS3.5

Responsibilities (RACI letters in extracted order; role columns: IT Committee, Head of IT, Development Manager, Operations Manager, and two roles whose header fragments read IT, Exec, Business, Managers; letter-to-role mapping not preserved): I, C, A/R, C

Self-assessment
0 Management is not aware.
1 There is awareness.
2 Management is committed to resolve.
3 Implementation has started.
4 Solution is well underway.
5 Solution is implemented.
6 Solution is sustainable.
7 Solution has been optimised.

Key Metrics
Control Objective Metric:
• Frequency of capacity and performance adjustments
• Percent of IT resources included in capacity reviews
IT Process Metrics:
• Number of incidents due to insufficient performance or capacity
DS4 Ensure continuous service.
Processes and Good Practices

COBIT Quickstart Process
Build the capabilities to carry out the day-to-day automated business activities with minimal, acceptable interruption.

COBIT Quickstart Management Practices
39. Identify critical business functions and information, and those applications, third-party services, supplies, data-files, etc., that are critical to support them. Minimise key dependencies where possible.
40. Establish basic principles for safeguarding and reconstructing IT services, including alternative processing procedures, how to obtain supplies and services in an emergency, how to go back to normal processing after the major event and how to communicate with customers and suppliers.
41. Together with key employees, define what needs to be backed up and stored offsite to support recovery of the business—e.g., critical data files, documentation and other IT resources—and secure it appropriately. At regular intervals, ensure the backup resources are usable and complete.
CO Ref (in extracted order): DS4.5, DS4.9, DS11.3, DS11.4, DS11.5, DS4.2, DS4.8, DS2.1, DS4.3, DS4.1

Responsibilities (RACI letters in extracted order; role columns: IT Committee, Head of IT, Development Manager, Operations Manager, and two roles whose header fragments read IT, Exec, Business, Managers; letter-to-role mapping not preserved): A, A, A, R, C, R, R, C, R, C, R

Self-assessment
0 Management is not aware.
1 There is awareness.
2 Management is committed to resolve.
3 Implementation has started.
4 Solution is well underway.
5 Solution is implemented.
6 Solution is sustainable.
7 Solution has been optimised.

Key Metrics
Control Objective Metric:
• Frequency of testing of the back-up and recovery procedure
• Percent of successful/unsuccessful use of alternative processing procedures
• Percentage of critical business functions with clearly defined mitigation and/or alternative processing arrangements
IT Process Metrics:
• Number of hours of unplanned outage
• Frequency of service interruption of critical systems
DS5 Ensure systems security.
Processes and Good Practices

COBIT Quickstart Process
Define IT security principles and procedures, and monitor, detect, report and resolve security vulnerabilities and incidents.

COBIT Quickstart Management Practices
42. Implement procedures to control access based on the individual’s need to view, add, change or delete data. Especially consider access rights by service providers, suppliers and customers, and change passwords of standard users.
43. Make sure one person is responsible for managing all user accounts and security tokens (passwords, cards, devices, etc.) and that appropriate emergency procedures are defined. Periodically review/confirm his/her actions and authority.
44. Log important security violations (system and network, access, virus, misuse, illegal software). Ensure they are reported immediately and acted upon in a timely manner.
45. Ensure that all users (internal, external and temporary) and their activity on IT systems are uniquely identifiable.
46. Implement virus protection, update security patches, enforce use of legal software. Put preventive, detective and corrective measures in place to protect from malware. Install and configure firewalls to control network access and information flow.
CO Ref (in extracted order): DS5.9, DS5.10, DS5.3, AC6, DS5.5, DS5.6, DS5.4, DS13.4, DS5.3, DS5.4

Responsibilities (RACI letters in extracted order; role columns: IT Committee, Head of IT, Development Manager, Operations Manager, and two roles whose header fragments read IT, Exec, Business, Managers; letter-to-role mapping not preserved): A, A, A, R, R, A/R, R, R, C, C, A, I

Self-assessment
0 Management is not aware.
1 There is awareness.
2 Management is committed to resolve.
3 Implementation has started.
4 Solution is well underway.
5 Solution is implemented.
6 Solution is sustainable.
7 Solution has been optimised.

Key Metrics
Control Objective Metric:
• Time since last security patch
• Number of preventive and detective measures per month
• Number of generic accounts
• Time since last update of violations log
• Number of violations during emergency situations
• Elapsed time to grant, change and remove access rights
IT Process Metrics:
• Number of incidents due to unauthorised access
• Number of security violations
DS8 Manage service desk and incidents.
Processes and Good Practices

COBIT Quickstart Process
Implement a service desk/support function with quick response, clear escalation procedures, and resolution and trend analysis.

COBIT Quickstart Management Practices
47. Set up a service desk/support function to monitor incidents and service requests.
CO Ref (in extracted order): DS8.1, DS8.2, DS8.3, DS8.4

Responsibilities (RACI letters in extracted order; role columns: IT Committee, Head of IT, Development Manager, Operations Manager, and two roles whose header fragments read IT, Exec, Business, Managers; letter-to-role mapping not preserved): A, R

Self-assessment
0 Management is not aware.
1 There is awareness.
2 Management is committed to resolve.
3 Implementation has started.
4 Solution is well underway.
5 Solution is implemented.
6 Solution is sustainable.
7 Solution has been optimised.

Key Metrics
Control Objective Metric:
• Percentage of unresolved incidents
• Relative number of workload versus registered incidents
IT Process Metrics:
• User satisfaction with first line support
• Number of unjustified escalations to the IT director
DS9 Manage the configuration.
Processes and Good Practices

COBIT Quickstart Process
Establish and maintain an accurate and complete view of IT assets and licences.

COBIT Quickstart Management Practices
48. Build and regularly update an inventory of IT hardware and software configuration.
49. Review on a regular basis whether all installed software is authorised and licenced properly.
CO Ref (in extracted order): DS9.3, DS9.1, DS9.2

Responsibilities (RACI letters in extracted order; role columns: IT Committee, Head of IT, Development Manager, Operations Manager, and two roles whose header fragments read IT, Exec, Business, Managers; letter-to-role mapping not preserved): A, A, R, R, C

Self-assessment
0 Management is not aware.
1 There is awareness.
2 Management is committed to resolve.
3 Implementation has started.
4 Solution is well underway.
5 Solution is implemented.
6 Solution is sustainable.
7 Solution has been optimised.

Key Metrics
Control Objective Metric:
• Number of unauthorised software installations detected
• Time since last update of the configuration inventory
IT Process Metrics:
• Time lost due to incorrect inventory data
• Number of business compliance issues because of unauthorised software use
DS10 Manage problems.
Processes and Good Practices

COBIT Quickstart Process
Record, track and resolve operational problems.

COBIT Quickstart Management Practices
50. Identify problems and follow up significant incidents. Investigate the root cause of all problems, and identify and initiate sustainable solutions addressing the root cause in a timely manner.
CO Ref (in extracted order): DS10.1, DS10.2

Responsibilities (RACI letters in extracted order; role columns: IT Committee, Head of IT, Development Manager, Operations Manager, and two roles whose header fragments read IT, Exec, Business, Managers; letter-to-role mapping not preserved): A, C, R, C

Self-assessment
0 Management is not aware.
1 There is awareness.
2 Management is committed to resolve.
3 Implementation has started.
4 Solution is well underway.
5 Solution is implemented.
6 Solution is sustainable.
7 Solution has been optimised.

Key Metrics
Control Objective Metric:
• Number of recurrent problems
IT Process Metrics:
• Percent of problems for which a root cause analysis was undertaken
• Average duration between the logging of a problem and the identification of the root cause
DS11 Manage data.
Processes and Good Practices

COBIT Quickstart Process
Ensure that data are properly stored, archived and disposed.

COBIT Quickstart Management Practices
51. Define retention periods, archival requirements and storage terms for documents, data and programs. Ensure that they comply with user and legal requirements. While in storage, check continuing integrity and ensure that data cannot be retrieved at disposal.
CO Ref (in extracted order): DS11.4, DS11.5, DS11.6

Responsibilities (RACI letters in extracted order; role columns: IT Committee, Head of IT, Development Manager, Operations Manager, and two roles whose header fragments read IT, Exec, Business, Managers; letter-to-role mapping not preserved): A, R, C

Self-assessment
0 Management is not aware.
1 There is awareness.
2 Management is committed to resolve.
3 Implementation has started.
4 Solution is well underway.
5 Solution is implemented.
6 Solution is sustainable.
7 Solution has been optimised.

Key Metrics
Control Objective Metric:
• Frequency of testing the backup media
• Percent of successful data restoration
IT Process Metrics:
• Number of occurrences of an inability to recover data critical to business processes
DS12 Manage the physical environment.
Processes and Good Practices

COBIT Quickstart Process
Provide and maintain a suitable physical environment to protect IT assets from access, damage or theft.

COBIT Quickstart Management Practices
52. Physically secure the IT assets and consider a no-break system. Be aware of other environmental factors such as heat, natural hazards, dust and humidity and, if applicable, obtain expert advice. Pay special attention to the security of mobile or portable IT assets.
CO Ref (in extracted order): DS12.1, DS12.2, DS12.4, DS12.5

Responsibilities (RACI letters in extracted order; role columns: IT Committee, Head of IT, Development Manager, Operations Manager, and two roles whose header fragments read IT, Exec, Business, Managers; letter-to-role mapping not preserved): A, R

Self-assessment
0 Management is not aware.
1 There is awareness.
2 Management is committed to resolve.
3 Implementation has started.
4 Solution is well underway.
5 Solution is implemented.
6 Solution is sustainable.
7 Solution has been optimised.

Key Metrics
Control Objective Metric:
• Number of physical security incidents
IT Process Metrics:
• Downtime due to physical security incidents
• Number of physical security incidents with asset loss
DS13 Manage operations.
Processes and Good Practices

COBIT Quickstart Process
Operate the IT environment in line with agreed-upon service levels.

COBIT Quickstart Management Practices
53. Document and review basic, standard IT operations on a regular basis to ensure that processing occurs as planned (timing, sequence, quality, etc.). Check operation logs to ensure correctness and completeness of processing.
CO Ref (in extracted order): DS13.1

Responsibilities (RACI letters in extracted order; role columns: IT Committee, Head of IT, Development Manager, Operations Manager, and two roles whose header fragments read IT, Exec, Business, Managers; letter-to-role mapping not preserved): A, R

Self-assessment
0 Management is not aware.
1 There is awareness.
2 Management is committed to resolve.
3 Implementation has started.
4 Solution is well underway.
5 Solution is implemented.
6 Solution is sustainable.
7 Solution has been optimised.

Key Metrics
Control Objective Metric:
• Frequency of review of the operations log
• Time since last update of operations documentation
IT Process Metrics:
• Number of delays due to operations failure
ME1 Monitor and evaluate IT performance.
Processes and Good Practices

COBIT Quickstart Process
Monitor and report process metrics, and identify and implement performance improvement actions.

COBIT Quickstart Management Practices
54. Ensure that management and IT, as well as users and IT, discuss and agree on a limited number of relevant and measurable results and performance indicators of IT to be tracked on an ongoing basis. Results should be acted upon with improvement initiatives.
55. Consider, but with caution, how comparable enterprises address IT issues and major IT decisions.
CO Ref (in extracted order): ME1.2, ME1.2, ME1.4, ME1.5

Responsibilities (RACI letters in extracted order; role columns: IT Committee, Head of IT, Development Manager, Operations Manager, and two roles whose header fragments read IT, Exec, Business, Managers; letter-to-role mapping not preserved): A, A/R, R, C, C, C, C, C, C, C

Self-assessment
0 Management is not aware.
1 There is awareness.
2 Management is committed to resolve.
3 Implementation has started.
4 Solution is well underway.
5 Solution is implemented.
6 Solution is sustainable.
7 Solution has been optimised.

Key Metrics
Control Objective Metric:
• Percent of metrics that can be benchmarked to industry standards and set targets
• Number of metrics (per process)
• Number of improvement actions driven by monitoring activities
IT Process Metrics:
• Amount of reduction in the number of outstanding process deficiencies
ME2 Monitor and evaluate internal control.
Processes and Good Practices

COBIT Quickstart Process
Monitor the internal control processes for IT-related activities and identify improvement actions.

COBIT Quickstart Management Practices
56. Monitor the control mechanisms identified for the IT activities and assess whether they are performed as expected. Correct where needed.
57. Obtain, where needed, competent external resources to review the IT control mechanisms, assess compliance with law or regulations and appraise observance of contractual obligations relative to IT. Leverage their knowledge and experience for internal use.
CO Ref (in extracted order): ME2.5, ME1.2, ME2.2, ME2.3, ME2.4, ME2.6, ME2.7

Responsibilities (RACI letters in extracted order; role columns: IT Committee, Head of IT, Development Manager, Operations Manager, and two roles whose header fragments read IT, Exec, Business, Managers; letter-to-role mapping not preserved): A, I, R, A, R, R

Self-assessment
0 Management is not aware.
1 There is awareness.
2 Management is committed to resolve.
3 Implementation has started.
4 Solution is well underway.
5 Solution is implemented.
6 Solution is sustainable.
7 Solution has been optimised.

Key Metrics
Control Objective Metric:
• Number of weaknesses identified by independent reports
• Number, frequency and coverage of internal compliance reports
• Time between internal control deficiency occurrence and reporting
• Number of control improvement initiatives
IT Process Metrics:
• Number of major internal control breaches
ME3 Ensure compliance with external requirements.
Processes and Good Practices

COBIT Quickstart Process
Identify all applicable laws, regulations and contracts and the corresponding level of IT compliance.

COBIT Quickstart Management Practices
58. Identify what, if anything, needs to be done to comply with safety, health, ergonomic, privacy, legal, regulatory and intellectual property requirements, electronic commerce agreements and insurance contracts.
CO Ref (in extracted order): DS12.1, DS12.5, ME3.1

Responsibilities (RACI letters in extracted order; role columns: IT Committee, Head of IT, Development Manager, Operations Manager, and two roles whose header fragments read IT, Exec, Business, Managers; letter-to-role mapping not preserved): A, R, C

Self-assessment
0 Management is not aware.
1 There is awareness.
2 Management is committed to resolve.
3 Implementation has started.
4 Solution is well underway.
5 Solution is implemented.
6 Solution is sustainable.
7 Solution has been optimised.

Key Metrics
Control Objective Metric:
• Frequency of compliance reviews
IT Process Metrics:
• Number of non-compliance issues
• Cost of IT non-compliance, including fines and settlements
COBIT Quickstart Process
59. Establish regular reporting over IT activities for executive and board review.

COBIT Quickstart Management Practices
Prepare board reports on IT strategy, performance and risks, and respond to governance requirements in line with board
directions.

CO Ref: ME4.1, ME4.2, ME4.3, ME4.4, ME4.5, ME4.6

Processes and Good Practices
ME4 Provide IT governance.

Responsibilities
Columns: IT Committee, Head of IT, IT Development Manager, Operations Manager, Exec, Business Managers
Entries: I, A/R, C, C

Self-assessment (scale 0 to 7)
Management is not aware. There is commitment to resolve. Implementation has started. Implementation is well underway.
Solution is implemented. Solution is sustainable. Solution has been optimised.

Key Metrics
Control Objective Metric:
• Frequency of board reporting
IT Process Metrics:
• Number of recurrent issues on board agenda
• Number of times IT is on the board agenda in a proactive manner
Generic Process Controls
PC1 Process Goals and Objectives
Define and communicate specific, measurable, actionable,
realistic, results-oriented and timely (SMARRT) process goals
and objectives for the effective execution of each IT process.
Ensure that they are linked to the business goals and supported
by suitable metrics.
PC2 Process Ownership
Assign an owner for each IT process, and clearly define the
roles and responsibilities of the process owner. Include, for
example, responsibility for process design, interaction with
other processes, accountability for the end results,
measurement of process performance and the identification of
improvement opportunities.
PC3 Process Repeatability
Design and establish each key IT process such that it is
repeatable and consistently produces the expected results.
Provide for a logical but flexible and scaleable sequence of
activities that will lead to the desired results and is agile enough
to deal with exceptions and emergencies. Use consistent
processes, where possible, and tailor only when unavoidable.
PC4 Roles and Responsibilities
Define the key activities and end deliverables of the process.
Assign and communicate unambiguous roles and
responsibilities for effective and efficient execution of the key
activities and their documentation as well as accountability for
the process end deliverables.
PC5 Policy, Plans and Procedures
Define and communicate how all policies, plans and procedures
that drive an IT process are documented, reviewed, maintained,
approved, stored, communicated and used for training. Assign
responsibilities for each of these activities and, at appropriate
times, review whether they are executed correctly. Ensure that
the policies, plans and procedures are accessible, correct,
understood and up to date.
PC6 Process Performance Improvement
Identify a set of metrics that provides insight into the
outcomes and performance of the process. Establish targets
that reflect on the process goals and performance indicators
that enable the achievement of process goals. Define how the
data are to be obtained. Compare actual measurements to
targets and take action upon deviations, where necessary.
Align metrics, targets and methods with IT’s overall
performance monitoring approach.
Application Controls
AC1 Source Data Preparation and Authorisation
Ensure that source documents are prepared by authorised and
qualified personnel following established procedures, taking
into account adequate segregation of duties regarding the
origination and approval of these documents. Errors and
omissions can be minimised through good input form design.
Detect errors and irregularities so they can be reported
and corrected.
AC2 Source Data Collection and Entry
Establish that data input is performed in a timely manner by
authorised and qualified staff. Correction and resubmission of
data that were erroneously input should be performed without
compromising original transaction authorisation levels. Where
appropriate for reconstruction, retain original source
documents for the appropriate amount of time.
AC3 Accuracy, Completeness and Authenticity Checks
Ensure that transactions are accurate, complete and valid.
Validate data that were input, and edit or send back for
correction as close to the point of origination as possible.
AC4 Processing Integrity and Validity
Maintain the integrity and validity of data throughout the
processing cycle. Detection of erroneous transactions does
not disrupt the processing of valid transactions.
AC5 Output Review, Reconciliation and Error Handling
Establish procedures and associated responsibilities to ensure
that output is handled in an authorised manner, delivered to
the appropriate recipient, and protected during transmission;
that verification, detection and correction of the accuracy of
output occurs; and that information provided in the output
is used.
AC6 Transaction Authentication and Integrity
Before passing transaction data between internal applications
and business/operational functions (in or outside the
enterprise), check it for proper addressing, authenticity of
origin and integrity of content. Maintain authenticity and
integrity during transmission or transport.
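The application controls AC3, AC4 and AC6 above are stated as objectives; the following added example (not part of COBIT Quickstart or any ITGI material) shows what they look like in code for a constructed batch of transactions: completeness and validity checks (AC3), an origin/integrity check using an HMAC and a destination check (AC6), and rejection of bad transactions without halting the valid ones (AC4). The key, system name, field names and sample batch are all constructed for the demonstration.

```python
import hashlib
import hmac
import json
from typing import List, Optional, Tuple

SHARED_KEY = b"constructed-demo-key"   # constructed; a real key comes from a key store
OUR_SYSTEM = "ledger"                   # constructed name of the receiving application
REQUIRED = ("id", "source", "destination", "amount", "mac")


def sign(txn: dict) -> str:
    """HMAC-SHA256 over the canonical JSON of every field except 'mac'."""
    body = {k: v for k, v in txn.items() if k != "mac"}
    canon = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(SHARED_KEY, canon, hashlib.sha256).hexdigest()


def validate(txn: dict) -> Optional[str]:
    """Return None when the transaction passes, else the reason it was rejected."""
    missing = [k for k in REQUIRED if k not in txn]
    if missing:
        return f"incomplete: missing {missing}"            # AC3: completeness
    if txn["destination"] != OUR_SYSTEM:
        return "misaddressed"                                # AC6: proper addressing
    if not isinstance(txn["amount"], int) or txn["amount"] <= 0:
        return "invalid amount"                              # AC3: accuracy / validity
    if not hmac.compare_digest(sign(txn), txn["mac"]):
        return "bad MAC"                                     # AC6: origin and content integrity
    return None


def process_batch(batch: List[dict]) -> Tuple[List[str], List[Tuple[Optional[str], str]]]:
    """AC4: erroneous transactions are recorded and skipped; valid ones still go through."""
    accepted, rejected = [], []
    for txn in batch:
        reason = validate(txn)
        if reason is None:
            accepted.append(txn["id"])
        else:
            rejected.append((txn.get("id"), reason))
    return accepted, rejected


def _make(id_: str, amount: int, dest: str = OUR_SYSTEM) -> dict:
    t = {"id": id_, "source": "payroll", "destination": dest, "amount": amount}
    t["mac"] = sign(t)
    return t


SAMPLE_BATCH = [                                   # constructed sample input
    _make("T1", 100),                              # valid
    dict(_make("T2", 100), amount=100000),         # amount altered after signing
    _make("T3", 50, dest="crm"),                   # addressed to another system
    {"id": "T4", "source": "payroll", "destination": OUR_SYSTEM, "amount": 5},  # no MAC
]
```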
COBIT AND RELATED PRODUCTS
The COBIT framework, in versions 4.1 and higher, includes all of the following:
• Framework—Explains how COBIT organises IT governance, management and control objectives and good practices by
IT domains and processes, and links them to business requirements
• Process descriptions—Include 34 IT processes covering the IT responsibility areas from beginning to end
• Control objectives—Provide generic best practice management objectives for IT processes
• Management guidelines—Offer tools to help assign responsibility, measure performance, and benchmark and address gaps
in capability
• Maturity models—Provide profiles of IT processes describing possible current and future states
In the years since its inception, COBIT’s core content has continued to evolve, and the number of COBIT-based derivative works
has increased. Following are the publications currently derived from COBIT:
• Board Briefing on IT Governance, 2nd Edition—Designed to help executives understand why IT governance is important, what
its issues are and what their responsibility is for managing it
• COBIT® Online—Allows users to customise a version of COBIT for their own enterprise, then store and manipulate that version
as desired. It offers online, real-time surveys, benchmarking and a discussion facility for sharing experiences and questions.
• COBIT® Control Practices: Guidance to Achieve Control Objectives for Successful IT Governance, 2nd Edition—Provides
guidance on the risks to be avoided and value to be gained from implementing a control objective, and instruction on how to
implement the objective. Control practices are strongly recommended for use with the IT Governance Implementation Guide:
Using COBIT® and Val IT™, 2nd Edition.
• IT Assurance Guide: Using COBIT®—Provides guidance on how COBIT can be used to support a variety of assurance activities
and offers suggested testing steps for all the COBIT IT processes and control objectives
• IT Control Objectives for Sarbanes-Oxley: The Role of IT in the Design and Implementation of Internal Control Over
Financial Reporting, 2nd Edition—Provides guidance on how to assure compliance for the IT environment based on the COBIT
control objectives
• IT Governance Implementation Guide: Using COBIT® and Val IT™, 2nd Edition—Provides a generic road map for
implementing IT governance using COBIT and Val IT resources and a supporting tool kit
• COBIT® Quickstart, 2nd Edition—Provides a baseline of control for the smaller organisation and a possible first step for the
larger enterprise
• COBIT® Security Baseline: An Information Security Survival Kit, 2nd Edition—Focuses on essential steps for implementing
information security within the enterprise
• COBIT Mappings—Currently posted at www.isaca.org/downloads, they include:
– Aligning COBIT®, ITIL and ISO 17799 for Business Benefit
– COBIT® Mapping: Mapping of CMMI® for Development V1.2 With COBIT® 4.0
– COBIT® Mapping: Mapping of ISO/IEC 17799:2000 With COBIT®, 2nd Edition
– COBIT® Mapping: Mapping of ITIL With COBIT® 4.0
– COBIT® Mapping: Mapping of PMBOK With COBIT® 4.0
– COBIT® Mapping: Mapping of PRINCE2 With COBIT® 4.0
– COBIT® Mapping: Mapping of SEI’s CMM for Software With COBIT® 4.0
– COBIT® Mapping: Mapping of TOGAF 8.1 With COBIT® 4.0
– COBIT® Mapping: Overview of International IT Guidance, 2nd Edition
• Information Security Governance: Guidance for Boards of Directors and Executive Management, 2nd Edition—Presents
information security in business terms and contains tools and techniques to help uncover security-related problems
Val IT is the umbrella term used to describe the publications and future additional products and activities addressing the
Val IT framework.
Current Val IT-related publications are:
• Enterprise Value: Governance of IT Investments—The Val IT™ Framework, which explains how an enterprise can extract
optimal value from IT-enabled investments and is based on the COBIT framework. It is organised into:
– Three processes—Value Governance, Portfolio Management and Investment Management
– IT key management practices—Essential management practices that positively influence the achievement of the desired
result or purpose of a particular activity. They support the Val IT processes and play roughly the same role as do COBIT’s
control objectives.
• Enterprise Value: Governance of IT Investments—The Business Case, which focuses on one key element of the investment
management process
• Enterprise Value: Governance of IT Investments—The ING Case Study, which describes how a global financial services
company manages a portfolio of IT investments in the context of the Val IT framework
For the most complete and up-to-date information on COBIT, Val IT and related products, case studies, training opportunities,
newsletters and other framework-specific information, visit www.isaca.org/cobit and www.isaca.org/valit.
3701 ALGONQUIN ROAD, SUITE 1010
ROLLING MEADOWS, IL 60008 USA
PHONE: +1.847.660.5700
FAX: +1.847.253.1443
E-MAIL: [email protected]
WEB SITE: www.itgi.org