Information Systems Governance and Risk Management
Part I – 1 Intro to COBIT 5: Overview
Yüe “Jeff” Zhang, Acct & IS Dept, CSUN

1/18/2020
Outline of Part I – 1. Overview
• COBIT 5 Overview
  – Evolution of COBIT
  – Benefits of COBIT 5
  – COBIT 5 Scope; Architecture
  – COBIT 5 five principles
  – COBIT 5 seven enablers
Learning Objectives (LO) Part I - 1
• Understand the benefits of COBIT 5
• Be familiar with the structure of COBIT 5 framework
• Understand the elements of COBIT 5 framework: 5 principles, 7 enablers
• Understand the differences between governance and mgmt
• Understand the intrinsic logic of the components of COBIT 5 framework
The IT Governance Focus Areas (“Pentagon”)

Focus Area     Logical Role
Alignment      premium requirement
Value          ultimate goal
Risk           optimized for value
Resource       ground and “means”
Performance    operational assurance

Philosophical framework of IT governance
The COBIT Framework
The Need for a Control Framework
Over the past decade, the term ‘governance’ has moved to the forefront of business thinking – COBIT 5, Executive Summary
“A control framework for IT Governance defines the reasons IT Governance is needed, the stakeholders and what it needs to accomplish.”
• Now to the higher level of “enterprise governance of IT” (GEIT) – emphasizing
  – Stakeholder needs – “High on top”
  – End-to-end coverage – “Whole enterprise”
The COBIT Framework
Definition and Mission - Definition
• COBIT stands for “Control Objectives for Information and Related Technology.”
  – Now just COBIT
• Developed by the IT Governance Institute (ITGI)
• Promoted/advocated by ISACA
  – a standard setting body in the areas of information governance, control, and security for professionals. – ISACA motto recap

Successful enterprises have recognised that the board and executives need to embrace IT – COBIT 5, Executive Summary
ISACA Motto

Risk management                        Risk management
Assurance
Strategic objective achievement        Strategic Alignment
Value delivery                         Value delivery
Resources and performance management   Resources and performance management
Stakeholder interests                  Strategic Alignment
The COBIT Framework
Definition and Mission - Mission
• COBIT Mission: [Importance of mission]
  To research, develop, publicize and promote an authoritative, up‐to‐date, internationally accepted IT governance control framework (New: COBIT 2019) for adoption by enterprises and day‐to‐day use by business managers, IT professionals and assurance professionals
• Reference: IT Governance Institute, COBIT 4.1
The COBIT Framework
Definition and Mission - Mission
• COBIT's success as an increasingly internationally accepted set of guidance materials for IT governance has resulted in the creation of a growing family of publications and products designed to assist in the implementation of effective IT governance throughout an enterprise.
• What it is; how to use it
• PHILOSOPHY!!! METHODOLOGY!!!
A “must-have skill” for consultants and senior analysts
Evolution of COBIT

[Figure: the evolution of COBIT up to COBIT 2019 – Enterprise Governance of I & T; understand and analyze the 3 trends]
The COBIT 5 Framework Benefits
• COBIT 5 helps enterprises create optimal value from IT by maintaining a balance between realising benefits and optimising risk levels and resource use.
• COBIT 5 enables information and related technology to be governed and managed in a holistic manner for the entire enterprise, taking in the full end-to-end business and functional areas of responsibility, considering the IT-related interests of internal and external stakeholders.
The COBIT 5 Framework (cont)
• The COBIT 5 principles and enablers are generic* and useful
  – for enterprises of all sizes;
  – whether commercial, not-for-profit or in the public sector;
  – methodology can be adopted entirely or partially;
  – application can be on the whole org or a portion.

COBIT 5 Case Studies
http://www.isaca.org/COBIT/Pages/Recognition.aspx

* Generic: general-purpose; defined by functional essence (rather than by brand)
The COBIT Framework
The IT Governance Framework
• Internationally accepted good practices
• Management-oriented
• Supported by tools and training
• Sharing knowledge and leveraging expert volunteers
• Continually evolving
• Maps strongly to all major related standards
• Is a reference, set of best practices, not an “off-the-shelf” cure
The COBIT Framework - Aligning with the Business
• COBIT framework helps IT deliver the information that an enterprise requires by helping align IT with the business.

[Figure: business requirements (Req) and IT delivery (Deliver)]
Drivers* for Developing a Framework
• End-to-end business and IT responsibilities
• Provide guidance in:
  – Enterprise architecture
  – Asset and service management
  – Emerging sourcing and organization models
  – Innovation and emerging technologies
• A need for the enterprise to:
  – Achieve increased value creation
  – Obtain business user satisfaction
  – Achieve compliance with relevant laws, regulations and policies
  – Improve the relation between business and IT
  – Increase the return of governance over enterprise IT
  – Connect and align with other major frameworks and standards
* Driver: driving force, driving factor
Understanding Drivers (Zhang)

External - Environment          Coupling                              Internal - Objective
Tech advancement & challenge    Drivers for development of COBIT 5    Benefit realization
Biz advancement and pressure    (COBIT 5, p. 15)                      Risk optimization
Compliance mandate *                                                  Resource optimization (Cost)

* Mandate: a directive; a requirement that cannot be waived; a “heavenly mandate” that cannot be defied
Enterprise Architecture (EA) - Gartner
• A discipline for proactively and holistically leading enterprise responses to disruptive forces by identifying and analyzing the execution of change toward desired business vision and outcomes.
• EA delivers value by presenting business and IT leaders with signature-ready recommendations for adjusting policies and projects to achieve target business outcomes that capitalize on relevant business disruptions.
Enterprise Architecture – Tech Target Network
• A conceptual blueprint that defines the structure and operation of an organization.
• The intent of an enterprise architecture is to determine how an organization can most effectively achieve its current and future objectives.
Enterprise Architecture - Microsoft's Michael Platt
1. Business perspective defines the processes and standards by which the business operates on a day-to-day basis.
2. Application perspective defines the interactions among the processes and standards.
3. Information perspective defines and classifies the raw data that the organization requires in order to efficiently operate.
4. Technology perspective defines the hardware, operating systems, programming, and networking solutions used by the organization.
Enterprise Architecture (EA) - Wikipedia
• Architecture is the fundamental organization (structure) of components, their relationships, and the principles governing their design and evolution.
  – a formal description of a system, a detailed plan of the system at component level, to guide its implementation.
• Enterprise Architecture is the organization logic for business processes and IT infrastructure
• EA is a conceptual blueprint that defines the structure and operation of an organization.
  – The intent of EA is to determine how an organization can most effectively achieve its current and future objectives.
Benefits of Using COBIT 5

COBIT assists from an enterprise’s perspective by:
• Maintaining quality information to support business decisions.
• Generating business value from IT-enabled investments, i.e., achieve strategic goals and realize business benefits through effective and innovative use of IT.
• Achieving operational excellence through reliable and efficient application of technology.
• Maintaining IT-related risk at an acceptable level.
• Optimising the cost of IT services and technology.

Benefit / Risk / Cost -- the three objectives of IT governance
Benefits of Using COBIT 5
• helps enterprises create optimal value from IT by maintaining a balance between realising benefits and optimising risk levels and resource use (cost).
• enables IT to be governed and managed in a holistic manner for the entire enterprise, taking in the full end-to-end business and IT functional areas of responsibility, considering the IT-related interests of internal and external stakeholders.
• is generic and useful for enterprises of all sizes, whether commercial, not-for-profit or in the public sector.
– COBIT 5, Executive Summary
Benefits of Using COBIT 5
COBIT drives Stakeholder Value:
• Delivering enterprise stakeholder value requires good governance and management of information and technology (IT) assets.
• Enterprise boards, executives and management have to embrace IT like any other significant part of the business.
• External legal, regulatory and contractual compliance requirements related to enterprise use of info and tech are increasing, threatening value if breached.
• COBIT 5 provides a comprehensive framework that assists enterprises to achieve their goals and deliver value through effective governance and management of enterprise IT.
Benefits of Using COBIT 5
COBIT 5: [figure]
COBIT Case Studies by Industry
• http://www.isaca.org/Knowledge-Center/cobit/Pages/COBIT-Case-Studies.aspx
• COBIT 5, although developed for the whole organization, can be used for any portion of a firm/org, or any biz process
• The philosophy/methodology can even be applied beyond biz, beyond org
Revisit slide #12 (The COBIT 5 Framework (cont): COBIT 5 Case Studies)
COBIT5 Scope
• Not simply IT: not only for big business!
• COBIT5 is about governing and managing information
  – Whatever medium is used
  – End to end throughout the enterprise
• Information is equally important to:
  – Global, multinational business
  – National and local government
  – Charities and not for profit enterprise
  – Small to medium enterprises and
  – Clubs and associations
The COBIT 5 Format & Product Architecture
The COBIT 5 Product Family: [figure]
COBIT 5 Principles

Source: COBIT® 5, figure 2. © 2012 ISACA® All rights reserved.
1. Meeting Stakeholder Needs
• Enterprises exist to create value for their stakeholders.
  – Internal and external!!
• Consequently, any enterprise—commercial or not—will have value creation as a governance objective.
• Value creation means: Realising benefits at an optimal resource cost while optimising risk.
The COBIT Framework
Mapping Goals and Processes

[Figure: goals cascade – Enabler Goals]
Principle 1: Meeting Stakeholder Needs
• Stakeholder needs have to be transformed into an enterprise’s actionable strategy.
• The COBIT 5 goals cascade translates stakeholder needs into specific, actionable and customised goals within the context of the enterprise, IT-related goals and enabler goals.
Principle 2: Covering the Enterprise End-to-End
• COBIT 5 addresses the governance and management of information and related technology from an enterprise-wide, end-to-end perspective.
Principle 3:
Applying a Single Integrated Framework
• COBIT5:
  1. Is complete in enterprise coverage
  2. Provides a basis to integrate effectively with other frameworks, standards and practices used
  3. Aligns with the latest relevant standards and frameworks (COSO, ITIL, ISO, PMBOK, NIST etc)
  4. Integrates all knowledge previously dispersed over different ISACA frameworks (Risk IT, Val IT, BMIS)
Principle 4:
Enabling a Holistic Approach ***
COBIT5 defines a set of enablers to support the implementation of a comprehensive governance & management system for enterprise IT.
• COBIT5 enablers are:
  ► Factors that, individually and collectively, influence whether something will work
  ► Driven by the goals cascade
  ► Described by the COBIT5 framework in seven categories
*** Important & operationalisable

Principle 4: Enabling a Holistic Approach
[Figure: the seven COBIT 5 enablers]
4. Enabling a Holistic Approach (cont.)
1. Principles, policies and frameworks—Are the vehicles to translate the desired behaviour into practical guidance for day-to-day management
2. Processes—Describe an organised set of practices and activities to achieve certain objectives and produce a set of outputs in support of achieving overall IT-related goals → 5 domains, 37 processes
3. Organisational structures—Are the key decision-making entities in an organisation
4. Culture, ethics and behaviour—Of individuals and of the organisation; very often underestimated as a success factor in governance and management activities
5. Information—Is pervasive throughout any organisation, i.e., deals with all information produced and used by the enterprise.
6. Services, infrastructure and applications—Include the infrastructure, technology and applications that provide the enterprise with information technology processing and services
7. People, skills and competencies—Are required for successful completion of all activities and for making correct decisions and taking corrective actions
Principle 5. Separating Governance From Management
The COBIT 5 framework makes a clear distinction between governance and management.
• Governance—In most enterprises, governance is the responsibility of the board of directors under the leadership of the chairperson.
• Management—In most enterprises, management is the responsibility of the executive management under the leadership of the CEO.
Governance Domain and Management Domains
Gov: EDM; Mgmt: PBRM (Fig 15, P. 32)
Governance & Management in COBIT 5
• Governance ensures that enterprise objectives are achieved by evaluating stakeholder needs, conditions and options; setting direction through prioritisation and decision making; and monitoring performance, compliance and progress against agreed direction and objectives (EDM).
• Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives (PBRM).
• Exercising governance and management effectively in practice requires appropriately using all enablers. The COBIT process reference model allows us to focus easily on the relevant enterprise activities.
Recap: COBIT 5 Principles
Source: COBIT® 5, figure 2. © 2012 ISACA® All rights reserved.

COBIT 5 Enablers
[Figure: COBIT 5 enablers]

Incorporates Good Practices
- 5 domains, 37 Processes [Enabler #2]
Zhang’s “Distillation” of COBIT Logic
** Reference: IT Governance Institute, COBIT 5

[Figure: Ent. Strat. Goals → IT Goals → IT Enabler Goals; RACI]
© Yue Zhang 2015-2019
Structure of COBIT components
• 5 Principles
  – Princ. 1: Meeting stakeholder needs
  – …
  – Princ. 4: Holistic approach → 7 enablers:
    • Enabler #2: Processes
      Process - (1) objectives; (2) Practices; (3) Activities; (4) Inputs/outputs; (5) RACI Model; Capability
  – Princ. 5: Separating gov from Mgmt
Structure of COBIT components
[Figure]