IT-governance practices: COBIT

Saad Haj Bakry and Abdulkader Alfantookh
King Saud University, Riyadh, Saudi Arabia

Keywords: Information Technology (IT), IT governance, IT management, COBIT (Control Objectives for Information and related Technologies), Enterprise governance, Enterprise management

Abstract

With the increasing dependence of enterprises on IT, and with the widely spreading use of e-business, IT governance is attracting increasing worldwide attention. Proper IT governance would promote enterprise performance through intelligent and efficient utilization of IT. In addition, standard IT governance practices would provide a suitable open environment for e-business, one that provides compatibility for inter-enterprise interaction. This review introduces the current state of IT governance in four main steps. First, it identifies what is meant by IT governance and presents the main organizations concerned with its development, namely ISACA (Information Systems Audit and Control Association) and ITGI (Information Technology Governance Institute). Secondly, it highlights COBIT (Control Objectives for Information and related Technologies), the widely acknowledged IT governance framework produced by ITGI. Thirdly, the current state of COBIT use is addressed using a recent global survey. Finally, comments and recommendations on the future development of IT governance are given.

Understanding IT governance

The word governance brings to mind the more familiar word government. According to Webster's dictionary [1], both have the same meaning. The dictionary defines the word government as "the individual or body that exercises administrative power". The word is known to be of Greek origin, and means "to steer" [2]. Today, the two words usually carry two related, but different, meanings. While government is defined as "exercise of authority" and "administration, or management of an organization, business or institution", governance is defined as "a method or system of government or management" [3]. Therefore, governance is taken to refer to a "system", according to which governments practice "authority". This is the sense upon which corporate or enterprise governance and IT governance are based. Corporate or enterprise governance is defined as "the process by which companies or organizations are directed and controlled" [2], while IT governance is defined as "the processes that ensure that the organization's IT sustains and extends the organization's strategies and objectives" [4]. It is clear that IT governance is one part of the scope of enterprise governance, aiming at promoting the performance and image of the enterprise. Table 1 gives the above definitions for an integrated view of the concepts considered, and Figure 1 illustrates the interaction between enterprise governance and activities, and IT governance and activities [5].

Government: The individual or body that exercises administrative power [1]. The word government is derived from the Greek κυβερνᾶν (kybernan), which means "to steer" [2]. Exercise of authority [3]. Administration, management of an organization, business or institution [3].

Governance: A method or system of government or management [3]. Governance is considered to refer to a system, according to which governments practice authority [concluded from the above].

Corporate / enterprise governance: The processes by which companies (organizations / corporations / enterprises) are directed and controlled [2].

IT governance: The processes that ensure that the organization's IT sustains and extends the organization's strategies and objectives [4]. It is one part of the scope of enterprise governance [concluded from the above].

Table 1: Basic definitions associated with IT governance

[Figure 1: diagram of four interacting boxes: Enterprise Governance, Enterprise Activities, IT Governance and IT Activities.]

Figure 1: Enterprise governance and IT governance interaction [5].

Enterprise governance & IT governance

The need for IT governance accumulated as IT systems and activities grew and became increasingly sophisticated. In 1969, ISACA (Information Systems Audit and Control Association) was founded in the USA as a professional organization that shares professional experience, with open worldwide membership [5, 6]. At present, it has over 50,000 members in 140 countries. Table 2 gives more details on ISACA. In 1998, ISACA established ITGI (IT Governance Institute) as a research think tank for IT governance [4, 6]. One of the major achievements of ITGI is the development of COBIT (Control Objectives for Information and related Technologies), which is a proposed control and management framework for IT governance. Table 2 provides further information on ITGI, and COBIT is addressed in the next section.

COBIT IT Governance

COBIT is the leading research publication of ITGI. Although its use is still relatively limited, it is becoming the most widely acknowledged set of guidance material for IT governance, with a strong prospect for fast diffusion in the future. It views IT governance within the scope of enterprise governance, and it is based on the following principles [5]:
• it is aligned with business: it enhances business and supports benefits;
• it emphasizes that IT resources should be used responsibly; and
• it stresses that IT related risks are managed appropriately.

ISACA: Information Systems Audit and Control Association. A professional organization, founded in 1969 by a group of computer systems specialists. Its headquarters is located in Rolling Meadows, Illinois, USA. It has 170 chapters, distributed over 70 countries, with over 50,000 members, working in over 140 countries. Its activities include [5, 6]:
• Sponsoring international conferences.
• Publishing the “Information Systems Control Journal”.
• Developing “specialized standards”.
• Administering the “Certified Information Systems Auditor (CISA)” designation and the “Certified Information Security Manager (CISM)” designation.

ITGI: IT Governance Institute. In 1998 ISACA established ITGI in recognition of the increasing criticality of IT to enterprise success. It is intended to be a research think tank that exists to be the leading reference on IT-enabled business systems governance for the global business community. It offers [4, 5]:
• original research;
• case studies;
• contributions to ISACA standards, publications and conferences;
• education courses and symposia; and
• various other intelligent tools to assist enterprise leaders and boards of directors in their IT governance responsibilities.

Table 2: Introducing ISACA and ITGI.

Figure 2 provides a general view of the COBIT IT governance framework [5]. The figure shows COBIT’s concern with the business requirements, and illustrates its three main dimensions:
• the required business information criteria that should be delivered by COBIT;
• the IT resources that should be controlled by COBIT; and
• COBIT's IT processes that should be applied to the IT resources in order to achieve the required business information criteria.
Each of these dimensions is addressed below.

[Figure 2: diagram of the COBIT framework. Business Requirements are expressed as Information Criteria (Quality, Fiduciary, Security); IT Resources are Data, Application Systems, Technology, Facilities and People; COBIT Processes are the four domains Plan & Organize, Acquire & Implement, Deliver & Support, and Monitor and Evaluate.]

Figure 2: The basic structure of COBIT IT-governance framework.

COBIT IT governance framework

The required business information criteria are concerned with the following:
• quality issues, including value and delivery of information;
• fiduciary issues, in terms of effectiveness and efficiency of operation, reliability of information, and compliance with laws and regulations; and
• security, in terms of confidentiality, integrity and availability of information.

The IT resources are considered to include the following:
• data, representing both internal and external objects;
• application systems, including both application software and manual procedures;
• technology, that is the infrastructure, including hardware, communications and networking, operating systems software, and database management systems;
• facilities, that is the resources housing and supporting all of the above; and
• people, that is the staff and their skills.

The IT processes have a multi-level structure, with the top level consisting of four main domains. These domains are associated with Deming's and Shewhart's cycle for quality development, known as the PDCA (Plan, Do, Check, Act) cycle [7], and are given below against this cycle [5]:
• for P (plan): plan and organize;
• for D (do): acquire and implement;
• for C (check): deliver and support; and
• for A (act): monitor and evaluate.
Table 3 gives the number of processes, and the number of control objectives and activities, associated with each of these four domains. The total number of processes of all domains is “34 processes”, while the total number of control objectives and activities is “318 controls” [5, 8].

Deming's & Shewhart's cycle   COBIT domain                  Number of processes   Number of controls
Plan                          PO: Plan and Organize         11                    100
Do                            AI: Acquire and Implement      6                     68
Check                         DS: Deliver and Support       13                    126
Act: Correct                  M: Monitor and Evaluate        4                     24
"Total"                                                     34                    318

Table 3: COBIT main domains and the PDCA quality cycle

The domain plan and organize consists of “11 processes” and “100” controls. These processes are introduced in Table 4 together with the number of controls associated with each process.

Plan and Organize (PO) IT Processes

Code    Title                                           Number of controls
PO1     Define a Strategic IT Plan                        8
PO2     Define the Information Architecture               4
PO3     Determine Technological Direction                 5
PO4     Define the IT Organization and Relationships     15
PO5     Manage the IT Investment                          3
PO6     Communicate Management Aims and Direction        11
PO7     Manage Human Resources                            8
PO8     Ensure Compliance with External Requirements      6
PO9     Assess Risk                                       8
PO10    Manage Projects                                  13
PO11    Manage Quality                                   19
"Total"                                                 100