COBIT HW Eda Emriye Faruk

Page 1: COBIT HW Eda Emriye Faruk

COBIT: Control Objectives for Information and Related Technologies (Bilgi ve İlgili Teknolojiler İçin Kontrol Hedefleri)

ISE501 Foundations in IT Management

Eda TOPALOĞLU (120510001), Emriye COŞKUN (120510004), Faruk TİFTİKCİ (120501004)

Page 2: COBIT HW Eda Emriye Faruk

What is COBIT?

COBIT gives us an understanding of IT so that we can make decisions about IT more efficiently. By using it, we can understand and manage IT investments. COBIT:

– identifies the major IT resources
– defines the management control objectives
– organises IT activities
– leads to better quality IT services

Page 3: COBIT HW Eda Emriye Faruk

What is COBIT?

COBIT helps managers, controllers and IT users to reach their goals. It focuses on what is required to increase the value of IT and to reduce the related risks.

Page 4: COBIT HW Eda Emriye Faruk

What are the differences between COBIT 4.1 and COBIT 5?

1. New GEIT principles
2. Increased focus on enablers
3. New process reference model
4. New and modified processes
5. Practices and activities
6. Goals and metrics
7. Inputs and outputs
8. RACI charts
9. Process capability models and assessments

Page 5: COBIT HW Eda Emriye Faruk

1. New GEIT Principles

COBIT 5 is based on five key principles for GEIT (governance of enterprise IT).

Page 6: COBIT HW Eda Emriye Faruk

1.1. Meeting Stakeholder Needs

Enterprises exist to create value for their stakeholders. Value creation means realising benefits at an optimal resource cost while optimising risk.

Enterprises have many stakeholders, so the governance system should consider all of them when making benefit, resource and risk assessment decisions.

Page 7: COBIT HW Eda Emriye Faruk

1.1. Meeting Stakeholder Needs

Stakeholder needs have to be transformed into an enterprise's actionable strategy.

The COBIT 5 goals cascade is the mechanism to translate stakeholder needs into specific, actionable and customised enterprise goals.

Page 8: COBIT HW Eda Emriye Faruk

1.2. Covering the Enterprise End-to-End

COBIT 5 addresses the governance and management of information and related technology from an enterprise-wide, end-to-end perspective.

This means that COBIT 5:

– integrates governance of enterprise IT into enterprise governance
– covers all functions and processes within the enterprise

Page 9: COBIT HW Eda Emriye Faruk

1.2. Covering the Enterprise End-to-End

Page 10: COBIT HW Eda Emriye Faruk

1.3. Applying a Single Integrated Framework

COBIT 5 is a single, integrated framework because:

– it aligns with the latest relevant standards and frameworks used by enterprises
– it provides a simple architecture for structuring guidance materials
– it integrates the other ISACA frameworks, such as Val IT, Risk IT and BMIS

This allows the enterprise to use COBIT 5 as the governance and management framework integrator.

Page 11: COBIT HW Eda Emriye Faruk

1.3. Applying a Single Integrated Framework

The following frameworks, standards and other guidance were used as reference material and input for the development of COBIT 5:

– ITIL
– TOGAF
– ISO standards
– FEA (Federal Enterprise Architecture)
– CEAF (The Commission Enterprise IT Architecture Framework)
– APM (Association for Project Management)
– etc.

Page 12: COBIT HW Eda Emriye Faruk

1.3. Applying a Single Integrated Framework

Page 13: COBIT HW Eda Emriye Faruk

1.4. Enabling a Holistic Approach

The COBIT 5 framework describes seven categories of enablers:

1. Principles, policies and frameworks
2. Processes
3. Organisational structures
4. Culture, ethics and behaviour
5. Information
6. Services, infrastructure and applications
7. People, skills and competencies

Page 14: COBIT HW Eda Emriye Faruk

1.4. Enabling a Holistic Approach

Page 15: COBIT HW Eda Emriye Faruk

1.4.1. Principles, policies and frameworks

Principles, policies and frameworks are the vehicle to translate the desired behaviour into practical guidance for day-to-day management.

1.4.2. Processes

Processes describe an organised set of practices and activities to achieve certain objectives and produce a set of outputs.

Page 16: COBIT HW Eda Emriye Faruk

1.4.3. Organisational Structures

Organisational structures are the key decision-making mechanism in an enterprise.

1.4.4. Culture, ethics and behaviour

The culture, ethics and behaviour of individuals are very often ignored in governance and management activities.

Page 17: COBIT HW Eda Emriye Faruk

1.4.5. Information

Information is pervasive throughout any organisation and is required for keeping the organisation running.

1.4.6. Services, infrastructure and applications

Services, infrastructure and applications include the infrastructure, technology and applications that provide the enterprise with information technology processing and services.

Page 18: COBIT HW Eda Emriye Faruk

1.4.7. People, skills and competencies

People, skills and competencies are linked to people and are required for successful completion of all activities, and for making correct decisions and taking corrective actions.

Page 19: COBIT HW Eda Emriye Faruk

1.5. Separating Governance from Management

The COBIT 5 framework makes a clear distinction between governance and management. These two disciplines:

– encompass different types of activities
– require different organisational structures
– serve different purposes

Page 20: COBIT HW Eda Emriye Faruk

1.5. Separating Governance from Management

Governance : In most enterprises, governance is the responsibility of the board of directors under the leadership of the chairperson.

Management : In most enterprises, management is the responsibility of the executive management under the leadership of the CEO.

Page 21: COBIT HW Eda Emriye Faruk

1.5. Separating Governance from Management

Governance: Governance ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved.

Management : Management plans, builds, runs and monitors activities to achieve the enterprise objectives.

Page 22: COBIT HW Eda Emriye Faruk

1.5. Separating Governance from Management

Page 23: COBIT HW Eda Emriye Faruk

The Val IT and Risk IT frameworks are principles-based. COBIT 5 includes Risk IT and Val IT.

Page 24: COBIT HW Eda Emriye Faruk

Risk IT

– IT risk is a part of business risk
– Provides an end-to-end, comprehensive view of all risks
– Helps to understand how to manage the risk
– Risk can be categorised as:
  – IT benefit/value enablement risk
  – IT operation and service delivery risk
  – IT programme/project delivery risk

Page 25: COBIT HW Eda Emriye Faruk

Val IT

Val IT is a governance framework that can be used to create business value from IT investments. The framework is used to govern IT investments so that they deliver value.

Page 26: COBIT HW Eda Emriye Faruk

2. Increased Focus on Enablers

COBIT 4.1 did not have enablers. Information, infrastructure, applications (services) and people (people, skills and competencies) were the COBIT 4.1 resources.

This part is related to the principle "Enabling a Holistic Approach".

Page 27: COBIT HW Eda Emriye Faruk

3. New Process Reference Model

COBIT 5 is based on a revised process reference model with a new governance domain and several new and modified processes that now cover enterprise activities end-to-end, i.e., business and IT function areas.

COBIT 5 consolidates COBIT 4.1, Val IT and Risk IT into one framework

Page 28: COBIT HW Eda Emriye Faruk

3. New Process Reference Model

Page 29: COBIT HW Eda Emriye Faruk

4. New and Modified Processes

COBIT 5 introduces five new governance processes that have leveraged and improved COBIT 4.1, Val IT and Risk IT governance approaches.

This guidance helps enterprises to further refine and strengthen executive management-level GEIT practices and activities.

Page 30: COBIT HW Eda Emriye Faruk

4. New and Modified Processes

There are several new and modified processes that reflect current thinking, in particular:

– APO03 Manage enterprise architecture
– APO04 Manage innovation
– APO05 Manage portfolio
– APO06 Manage budget and costs
– APO08 Manage relationships
– APO13 Manage security
– BAI05 Manage organisational change enablement
– BAI08 Manage knowledge
– BAI09 Manage assets
– DSS05 Manage security services
– DSS06 Manage business process controls

Page 31: COBIT HW Eda Emriye Faruk

4. New and Modified Processes

COBIT 5 processes now cover end-to-end business and IT activities, i.e., a full enterprise-level view.

This provides for a more holistic and complete coverage of practices reflecting the pervasive enterprise wide nature of IT use.

Page 32: COBIT HW Eda Emriye Faruk

5. Practices and Activities

The COBIT 5 governance or management practices are equivalent to the COBIT 4.1 control objectives and Val IT and Risk IT processes.

The COBIT 5 activities are equivalent to the COBIT 4.1 control practices and Val IT and Risk IT management practices

Page 33: COBIT HW Eda Emriye Faruk

6. Goals and Metrics

COBIT 5 follows the same goal and metric concepts as COBIT 4.1, Val IT and Risk IT, but these are renamed enterprise goals, IT-related goals and process goals reflecting an enterprise level view.

COBIT 5 provides a revised goals cascade based on enterprise goals driving IT-related goals and then supported by critical processes.

Page 34: COBIT HW Eda Emriye Faruk

7. Inputs and Outputs

COBIT 5 provides inputs and outputs for every management practice, whereas COBIT 4.1 only provided these at the process level.

This provides additional detailed guidance for designing processes to include essential work products and to assist with interprocess integration.

Page 35: COBIT HW Eda Emriye Faruk

8. RACI Charts

COBIT 5 provides RACI charts describing roles and responsibilities in a similar way to COBIT 4.1, Val IT and Risk IT.

COBIT 5 provides a more complete, detailed and clearer range of generic business and IT role players and charts than COBIT 4.1 for each management practice, enabling better definition of role player responsibilities or level of involvement when designing and implementing processes.

Page 36: COBIT HW Eda Emriye Faruk

8. RACI Charts

Source:  COBIT® 5: Enabling Processes, page 31. © 2012 ISACA® All rights reserved.

Source:  COBIT® 4.1, page 39. © 2007 IT Governance Institute® All rights reserved.

Page 37: COBIT HW Eda Emriye Faruk

9. Process Capability Models and Assessments

COBIT 5 discontinues the COBIT 4.1, Val IT and Risk IT CMM-based capability maturity modelling approach.

COBIT 5 will be supported by a new process capability assessment approach based on ISO/IEC 15504, and the COBIT Assessment Programme has already been established for COBIT 4.1 as an alternative to the CMM approach.

Page 38: COBIT HW Eda Emriye Faruk

9. Process Capability Models and Assessments

Page 39: COBIT HW Eda Emriye Faruk

9. Process Capability Models and Assessments

The COBIT Assessment Programme approach is considered by ISACA to be more robust, reliable and repeatable as a process capability assessment method.

The COBIT Assessment Programme supports:

– formal assessments by accredited assessors (assessor training is being developed)
– less rigorous self-assessments for internal gap analysis and process improvement planning

Page 40: COBIT HW Eda Emriye Faruk

9. Process Capability Models and Assessments

COBIT 4.1, Val IT and Risk IT users wishing to move to the new COBIT Assessment Programme approach will need to realign their previous ratings, adopt and learn the new method, and initiate a new set of assessments in order to gain the benefits of the new approach.

Although some of the information gathered from previous assessments may be reusable, care will be needed in migrating this information forward because there are significant differences in requirements.

Page 41: COBIT HW Eda Emriye Faruk

COBIT 5 FRAMEWORK

Page 42: COBIT HW Eda Emriye Faruk

DEFINITION

COBIT 5 is a governance and management framework for information and related technology that starts from stakeholder needs with regard to information and technology.

The COBIT 5 framework is intended for all enterprises, including non‐profit and public sector.

Page 43: COBIT HW Eda Emriye Faruk

COBIT 5 Framework - 5 Principles

The COBIT 5 framework is based on 5 principles.

Page 44: COBIT HW Eda Emriye Faruk

Principle 1: Integrator Framework

COBIT 5 is an integrator framework since it:

– brings together existing ISACA guidance on governance and management of enterprise IT
– aligns with the latest relevant other standards and frameworks
– provides a simple architecture for structuring guidance materials and producing a consistent product set

Page 45: COBIT HW Eda Emriye Faruk

2. The Governance Objective: Stakeholder Value

Enterprises exist to create value for their stakeholders, so the governance objective for any enterprise is value creation.

Value creation: realising benefits at an optimal resource cost whilst optimising risk.

Page 46: COBIT HW Eda Emriye Faruk

3. Business & Context Focus

– Focusing on enterprise goals and objectives by covering all of the critical business elements.
– Every organisation operates in a different context; this context is determined by external factors.
– This requires that every organisation builds its own, customised governance and management system.

Page 47: COBIT HW Eda Emriye Faruk

4. The COBIT 5 Governance Approach: Enabler-based

Page 48: COBIT HW Eda Emriye Faruk

4. The COBIT 5 Governance Approach: Enabler-based

Governance enablers: the organisational resources for governance, such as frameworks, principles, structures, processes and practices, toward or through which action is directed and objectives can be attained.

Governance scope: governance can be applied to the whole enterprise, an entity, or a tangible or intangible asset.

Page 49: COBIT HW Eda Emriye Faruk

4. The COBIT 5 Governance Approach: Enabler-based

Roles, activities and relationships: who is involved in governance, what they do, and how they interact.

Page 50: COBIT HW Eda Emriye Faruk

5. Governance and Management Structured

The COBIT 5 framework makes a clear distinction between governance and management. These two disciplines:

– include different types of activities
– require different organisational structures
– serve different purposes

Page 51: COBIT HW Eda Emriye Faruk

5. Governance and Management Structured

Governance: It ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; sets direction through prioritisation and decision making; and monitors performance and compliance against the agreed-on direction and objectives.

Management: It plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives.

Page 52: COBIT HW Eda Emriye Faruk

COBIT 5 Architecture

Page 53: COBIT HW Eda Emriye Faruk

COBIT 5 Architecture

– The governance objectives
– Existing ISACA guidance (COBIT 4.1, Val IT 2, Risk IT, BMIS, etc.)
– Other relevant standards and frameworks
– COBIT 5 enablers: processes; culture, ethics and behaviour; organisational structures; information; principles and policies; skills and competencies; service capabilities

Page 54: COBIT HW Eda Emriye Faruk

COBIT 5 Architecture

COBIT 5 knowledge base:

– current guidance and content
– structure for future content

COBIT 5 product family:

– COBIT 5: The Framework (this volume)
– COBIT 5: Process Reference Guide
– COBIT 5: Implementation Guide
– COBIT 5: Practice Guide

Page 55: COBIT HW Eda Emriye Faruk

Value creation

The governance objective is value creation, which means realising benefits at an optimal resource cost whilst optimising risk.

The stakeholders for enterprise IT can be internal or external.

Page 56: COBIT HW Eda Emriye Faruk

Governance Objectives

Governance objectives are based on the stakeholders' needs and on value creation (benefits, resources and risks).

The existing ISACA guidance is used: COBIT 4.1, Val IT, Risk IT, BMIS, ITAF, TGF, Board Briefing. Other relevant frameworks: ITIL, TOGAF.

Page 57: COBIT HW Eda Emriye Faruk

Goals Cascade

– Governance objectives translate into enterprise goals
– Realising enterprise goals requires IT-related goals
– For IT-related goals to be achieved, enablers are required

Page 58: COBIT HW Eda Emriye Faruk

Goals Cascade

Enterprise goals mapped to governance objectives

Page 59: COBIT HW Eda Emriye Faruk

Goals Cascade

IT-related goals

Page 60: COBIT HW Eda Emriye Faruk

Enablers

Enablers are tangible and intangible elements that make governance and management of enterprise IT work. The enablers are driven by the goals cascade.

Page 61: COBIT HW Eda Emriye Faruk

Enablers

Page 62: COBIT HW Eda Emriye Faruk

Generic Enabler Model

This model is a key component of the COBIT 5 framework because it is the basic structure for all seven categories of enablers. The generic model identifies a number of components that are common to each enabler.

Page 63: COBIT HW Eda Emriye Faruk

Enabler Capability Levels

The process maturity model of COBIT 4.1 has been replaced with a capability model based on ISO/IEC 15504.

Page 64: COBIT HW Eda Emriye Faruk

Knowledge base & products

The knowledge base contains all guidance and content. A series of products is built from the knowledge base.

Page 65: COBIT HW Eda Emriye Faruk

Governance & Management Processes

COBIT 5 holds that an organisation should implement governance and management processes such that the key areas are covered.

The GOVERNANCE domain contains five governance processes; within each process, evaluate, direct and monitor (EDM) practices are defined.

The 4 MANAGEMENT domains, in line with the responsibility areas of plan, build, run and monitor, provide end-to-end coverage of IT.

Page 66: COBIT HW Eda Emriye Faruk

Process Reference Model

– 1 governance domain: EDM
– 4 management domains: APO, BAI, DSS, MEA

Page 67: COBIT HW Eda Emriye Faruk

Process Reference Model

The complete set of 36 processes: 5 governance and 31 management processes.

Page 68: COBIT HW Eda Emriye Faruk

Implementation

The 7 phases of the implementation life cycle

Page 69: COBIT HW Eda Emriye Faruk

COBIT 4.1 MAPPING ITIL v3

Every organisation needs to adapt the use of standards and practices to suit its individual requirements.

COBIT helps to define what should be done, and ITIL provides the how for service management aspects.

Page 70: COBIT HW Eda Emriye Faruk

COBIT 4.1 MAPPING ITIL v3

Typical uses for the standards and practices are:

To support governance by:
– Providing a management policy and control framework
– Enabling process ownership, clear responsibility and accountability for IT activities
– Aligning IT objectives with business objectives, setting priorities and allocating resources
– Ensuring return on investments and optimising costs
– Making sure that significant risks have been identified and are transparent to management, that responsibility for risk management has been assigned and embedded in the organisation, and that assurance that effective controls are in place has been provided to management
– Ensuring resources have been organised efficiently and that sufficient capability (technical infrastructure, process and skills) exists to execute the IT strategy
– Making sure that critical IT activities can be monitored and measured, so problems can be identified and corrective action can be taken

Page 71: COBIT HW Eda Emriye Faruk

COBIT 4.1 MAPPING ITIL v3

To define requirements in service and project definitions, internally and with service providers. For example:
– Improving IT service and business process alignment and integration
– Setting clear, business-related IT objectives and metrics
– Defining services and projects in end-user terms
– Creating SLAs and contracts that can be monitored by customers
– Making sure that customer requirements have been cascaded properly into technical IT operational requirements
– Considering services and project portfolios collectively so relative priorities can be set and resources can be allocated on an equitable and achievable basis

Page 72: COBIT HW Eda Emriye Faruk

COBIT 4.1 MAPPING ITIL v3

To verify provider capability or demonstrate competence to the market by:
– Independent third-party assessments and audits
– Contractual commitments
– Attestations and certifications

Page 73: COBIT HW Eda Emriye Faruk

COBIT 4.1 MAPPING ITIL v3

To facilitate continuous improvement by:
– Maturity assessments
– Gap analyses
– Benchmarking
– Improvement planning
– Avoidance of reinventing already-proven good approaches

Page 74: COBIT HW Eda Emriye Faruk

COBIT 4.1 MAPPING ITIL v3

As a framework for audit/assessment and an external view through:
– Objective and mutually understood criteria
– Benchmarking to justify weaknesses and gaps in control
– Increasing the depth and value of recommendations by following generally accepted preferred approaches

Page 75: COBIT HW Eda Emriye Faruk

HIGH LEVEL MAPPING

Page 76: COBIT HW Eda Emriye Faruk

STRUCTURAL COMPARISON

Page 77: COBIT HW Eda Emriye Faruk

COVERAGE OF IT GOVERNANCE FOCUS AREAS

Page 78: COBIT HW Eda Emriye Faruk

COVERAGE OF IT GOVERNANCE FOCUS AREAS ( Cont.)

Page 79: COBIT HW Eda Emriye Faruk

COVERAGE OF IT GOVERNANCE FOCUS AREAS ( Cont.)

Page 80: COBIT HW Eda Emriye Faruk

COVERAGE OF IT GOVERNANCE FOCUS AREAS ( Cont.)

Page 81: COBIT HW Eda Emriye Faruk

COVERAGE OF IT GOVERNANCE FOCUS AREAS ( Cont.)

Page 82: COBIT HW Eda Emriye Faruk

DETAILED MAPPING COBIT TO ITIL

Page 83: COBIT HW Eda Emriye Faruk

DETAILED MAPPING COBIT TO ITIL

Page 84: COBIT HW Eda Emriye Faruk

DETAILED MAPPING COBIT TO ITIL

Page 85: COBIT HW Eda Emriye Faruk

DETAILED MAPPING COBIT TO ITIL

Page 86: COBIT HW Eda Emriye Faruk

DETAILED MAPPING COBIT TO ITIL

Page 87: COBIT HW Eda Emriye Faruk

COBIT & ITIL MAPPING

Page 88: COBIT HW Eda Emriye Faruk

Incident Management

ITIL v3: part of Service Operation
COBIT: part of Deliver & Support

Major tasks:
– Identify and track incidents in a timely manner.
– Classify the incident and provide initial support.
– Localise potential causes of the incident.
– Recover the services and manage closure.
– Take ownership of the incident.
– Monitor, track and communicate the execution.

Page 89: COBIT HW Eda Emriye Faruk

Problem Management

ITIL v3: part of Service Operation
COBIT: part of Deliver & Support

Major tasks:
– Identify and record problems.
– Classify the problem, focused on the impact on the business.
– Investigate the root cause of the problem.
– Resolve the cause of the problem.
– Close the problem.

Page 90: COBIT HW Eda Emriye Faruk

Configuration Management

ITIL v3: part of Service Transition
COBIT: part of Deliver & Support

Major tasks:
– Identify the demand for relevant information (purpose, scope, objectives, policies and procedures for sound configuration).
– With the owner, identify and label configuration items (CIs), available documentation, versions and interrelationships.
– Document CIs in a central configuration management database (CMDB).
– Establish procedures and documentation standards to ensure that only authorised and identifiable CIs are recorded and that historical, traceable information is available.
– Ensure permanent accountability of data (status accounting).
– Verify and audit the physical existence of CIs recorded in the CMDB.

Page 91: COBIT HW Eda Emriye Faruk

Change Management

ITIL v3: part of Service Transition
COBIT: part of Acquire & Implement

Major tasks:
– Record, log and filter requests for change (RFCs).
– Prioritise and categorise the RFC.
– Assess the impact of the RFC on the infrastructure and other services as well as on non-IT processes (e.g., information security), and the effects of not implementing the RFC.
– Identify required resources for implementing the RFC.
– Obtain approval for the RFC.
– Schedule the implementation.
– Implement the RFC.
– Review the implementation of the RFC.
– Establish an entity in charge of the authorisation process for those RFCs identified as having major impact; this entity is called the change advisory board (CAB).

Page 92: COBIT HW Eda Emriye Faruk

Capacity Management

ITIL v3: part of Service Design
COBIT: part of Deliver & Support

Major tasks:
– Define, plan and manage the requirements.
– Provide resources for the services.
– Monitor the performance of resources and adjust if necessary.
– Plan and implement improvements.
– Establish and maintain a capacity plan.

Page 93: COBIT HW Eda Emriye Faruk

What are the DS3, DS4, DS8, DS9, DS10, DS11, DS13, AI6 and ME1 items?

DS3

DS3 MANAGE PERFORMANCE & CAPACITY

• Requires a process to periodically review the current performance and capacity of IT resources
• Includes forecasting future needs based on workload, storage and contingency requirements
• Provides assurance that information resources supporting business requirements are continually available

Page 94: COBIT HW Eda Emriye Faruk

DS3 has 5 detailed control objectives.

DS3.1 Performance and Capacity Planning

Establish a planning process for the review of performance and capacity of IT resources. Leverage appropriate modelling techniques to produce a model of the current and forecasted performance, capacity and throughput of the IT resources.

Page 95: COBIT HW Eda Emriye Faruk

DS3.2 Current Performance and Capacity

Determine whether sufficient capacity and performance exist to deliver against agreed-upon service levels.

DS3.3 Future Performance and Capacity

Conduct performance and capacity forecasting of IT resources at regular intervals to minimise the risk of service disruptions. Identify workload trends and determine forecasts to be input to performance and capacity plans.
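As an added example (not part of the slides and not ISACA material), the following Python script shows one way to implement the workload-trend forecast that DS3.3 calls for: fit a least-squares line to periodic utilisation samples per resource, project when the line meets a planning threshold, and list the resources that will cross it within the planning horizon. The resource names, the weekly percentages and the 90 % threshold are constructed sample data, not measurements from any real system.

```python
"""Workload trend forecast for a DS3.3-style capacity review.

Added example; not from the slides or from ISACA. It fits a least-squares
line to periodic utilisation samples and estimates how many periods remain
before a resource crosses a planning threshold.
"""
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass
class CapacityForecast:
    resource: str
    slope: float                            # utilisation change per period
    intercept: float                        # fitted utilisation at period 0
    periods_to_threshold: Optional[float]   # None when the trend never reaches it


def fit_trend(samples: Sequence[float]) -> tuple:
    """Ordinary least-squares fit of samples against their index 0..n-1.
    Returns (slope, intercept)."""
    n = len(samples)
    if n < 2:
        raise ValueError("need at least two samples to fit a trend")
    mean_x = (n - 1) / 2
    mean_y = sum(samples) / n
    sxx = sum((x - mean_x) ** 2 for x in range(n))
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in enumerate(samples))
    slope = sxy / sxx
    return slope, mean_y - slope * mean_x


def forecast(resource: str, samples: Sequence[float], threshold: float) -> CapacityForecast:
    """Estimate periods from the last sample until the fitted line meets threshold."""
    slope, intercept = fit_trend(samples)
    last_index = len(samples) - 1
    if samples[-1] >= threshold:
        remaining = 0.0            # already at or over the limit
    elif slope <= 0:
        remaining = None           # flat or falling: no projected crossing
    else:
        remaining = max((threshold - intercept) / slope - last_index, 0.0)
    return CapacityForecast(resource, slope, intercept, remaining)


def resources_at_risk(history: dict, threshold: float, horizon: int) -> list:
    """Names of resources projected to cross threshold within horizon periods."""
    at_risk = []
    for name, samples in history.items():
        fc = forecast(name, samples, threshold)
        if fc.periods_to_threshold is not None and fc.periods_to_threshold <= horizon:
            at_risk.append(name)
    return sorted(at_risk)


# Constructed weekly utilisation samples (percent); not real measurements.
SAMPLE_HISTORY = {
    "storage-pool-a": [40, 45, 50, 55, 60, 65, 70, 75],  # steady +5 %/week
    "db-cpu": [61, 59, 62, 60, 61, 59, 62, 60],           # flat
    "vpn-gateway": [20, 22, 24, 26, 28, 30, 32, 34],      # +2 %/week
}

if __name__ == "__main__":
    for name, samples in SAMPLE_HISTORY.items():
        fc = forecast(name, samples, threshold=90.0)
        print(f"{name}: slope={fc.slope:+.2f}/week, "
              f"periods_to_90%={fc.periods_to_threshold}")
    print("at risk within 4 weeks:", resources_at_risk(SAMPLE_HISTORY, 90.0, horizon=4))
```

A linear fit is the simplest model that DS3.1's "appropriate modelling techniques" allows; on the sample data it projects the storage pool to hit 90 % three weeks after the last sample, so that resource (and only that one) is reported for the four-week horizon, while the flat database CPU series yields no crossing at all. Real reviews would feed in more samples and pick the period length to match the SLA reporting cycle.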

Page 96: COBIT HW Eda Emriye Faruk

DS3.4 IT Resources Availability

Provide the required capacity and performance, taking into account aspects such as workload, storage and contingency requirements. Ensure that plans properly address the availability, capacity and performance of individual IT resources.

DS3.5 Monitoring and Reporting

Continuously monitor the performance and capacity of IT resources. Use the data gathered to maintain and tune current performance within IT, and to report delivered service availability to the business as required by the SLAs.

Page 97: COBIT HW Eda Emriye Faruk

DS4

DS4 ENSURE CONTINUOUS SERVICE

Providing continuous IT services requires developing, maintaining and testing IT continuity plans.

The aim is to minimise the probability and impact of a major IT service interruption on key business functions and processes.

Page 98: COBIT HW Eda Emriye Faruk

DS4 has 10 detailed control objectives.

DS4.1 IT Continuity Framework

Develop a framework for IT continuity to support enterprise-wide business continuity management using a consistent process.

Address the organisational structure for continuity management, covering the roles, tasks and responsibilities of internal and external service providers, their management and their customers, and the planning processes.

Page 99: COBIT HW Eda Emriye Faruk

DS4.2 IT Continuity Plans

Develop IT continuity plans based on the framework and designed to reduce the impact of a major disruption.

Cover usage guidelines, roles and responsibilities, procedures, communication processes, and the testing approach.

Page 100: COBIT HW Eda Emriye Faruk

DS4.3 Critical IT Resources

Build in resilience and establish priorities in recovery situations. Avoid the distraction of recovering less-critical items, and ensure response and recovery in line with those priorities. Consider resilience, response and recovery requirements for different tiers.

DS4.4 Maintenance of the IT Continuity Plan

Encourage IT management to define and execute change control procedures for the plan. Communicate changes in procedures and responsibilities clearly and in a timely manner.

Page 101: COBIT HW Eda Emriye Faruk

DS4.5 Testing of the IT Continuity Plan

Test the IT continuity plan on a regular basis. Require careful preparation, documentation, reporting of test results and, according to the results, implementation of an action plan.

DS4.6 IT Continuity Plan Training

Provide all concerned parties with regular training sessions regarding the procedures and their roles and responsibilities in case of an incident or disaster.

Page 102: COBIT HW Eda Emriye Faruk

DS4.7 Distribution of the IT Continuity Plan

Determine a defined and managed distribution strategy so that plans are properly and securely distributed and available to authorised interested parties.

DS4.8 IT Services Recovery and Resumption

Plan the actions to be taken for the period when IT is recovering and resuming services. Include activation of backup sites, initiation of alternative processing, customer and stakeholder communication, and resumption procedures.

Page 103: COBIT HW Eda Emriye Faruk

DS4.9 Offsite Backup Storage

Store offsite all critical backup media, documentation and other IT resources necessary for IT recovery and business continuity plans.

Determine the content of backup storage in collaboration between business process owners and IT personnel.

DS4.10 Post-resumption Review

Determine whether IT management has established procedures for assessing the adequacy of the plan, and update the plan accordingly.

Page 104: COBIT HW Eda Emriye Faruk

DS8

DS8 MANAGE SERVICE DESK AND INCIDENTS

Timely and effective response to IT user queries and problems requires a well-designed and well-executed service desk and incident management process.

This includes setting up a service desk function with registration, incident escalation, trend and root cause analysis, and resolution.

Benefits include increased productivity through quick resolution of user queries.

DS8 has 5 principles.

DS8.1 Service Desk
Establish a service desk function. Include monitoring and escalation procedures based on agreed-upon service levels.

DS8.2 Registration of Customer Queries
Establish a function and system to allow logging and tracking of calls, incidents, service requests and information needs. Work closely with such processes as incident management, problem management, change management, capacity management and availability management.

DS8.3 Incident Escalation
Establish service desk procedures. Ensure that incident ownership and life cycle monitoring remain with the service desk for user-based incidents, regardless of which IT group is working on resolution activities.

DS8.4 Incident Closure
Establish procedures for the timely monitoring of clearance of customer queries. When the incident has been resolved, the service desk records the resolution steps.

DS8.5 Reporting and Trend Analysis
Produce reports of service desk activity to enable management to measure service performance and service response times. Identify trends or recurring problems.
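The five DS8 steps above (registration, service-level based escalation, ownership staying with the desk, closure with recorded resolution steps, and trend reporting) carried through as one small service desk model. This is an added Python example, not code from the original deck or from ISACA; the service levels, tier names, recurring-problem threshold and the sample tickets are constructed assumptions for the illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Agreed-upon service levels (constructed for this example): how long an
# unresolved incident may sit at one support tier before it is escalated.
ESCALATION_AFTER = {
    "high": timedelta(hours=1),
    "medium": timedelta(hours=4),
    "low": timedelta(hours=24),
}
TIERS = ("service desk", "second line", "third line")   # assumed support tiers
RECURRING_THRESHOLD = 3   # incidents in one category that flag a recurring problem


@dataclass
class Incident:
    ticket_id: int
    category: str
    priority: str
    opened_at: datetime
    owner: str = "service desk"      # ownership stays with the desk (DS8.3)
    tier: int = 0                    # index into TIERS: which group is working on it
    resolution_steps: list = field(default_factory=list)
    closed_at: Optional[datetime] = None


class ServiceDesk:
    """Registration, escalation, closure and reporting for user incidents."""

    def __init__(self):
        self.incidents = {}
        self._next_id = 1

    def register(self, category, priority, opened_at):
        """DS8.2: log the call so it can be tracked through its life cycle."""
        if priority not in ESCALATION_AFTER:
            raise ValueError(f"unknown priority {priority!r}")
        inc = Incident(self._next_id, category, priority, opened_at)
        self.incidents[inc.ticket_id] = inc
        self._next_id += 1
        return inc.ticket_id

    def escalate_overdue(self, now):
        """DS8.1/DS8.3: move open incidents that exceeded their service level to
        the next tier. The owner field is never touched: the desk keeps ownership
        whichever IT group is resolving the incident."""
        escalated = []
        for inc in self.incidents.values():
            if inc.closed_at is not None or inc.tier == len(TIERS) - 1:
                continue
            allowed = ESCALATION_AFTER[inc.priority] * (inc.tier + 1)
            if now - inc.opened_at >= allowed:
                inc.tier += 1
                escalated.append(inc.ticket_id)
        return escalated

    def close(self, ticket_id, resolution_steps, now):
        """DS8.4: an incident closes only with its resolution steps recorded."""
        inc = self.incidents[ticket_id]
        if inc.closed_at is not None:
            raise ValueError("incident already closed")
        if not resolution_steps:
            raise ValueError("resolution steps must be recorded before closure")
        inc.resolution_steps = list(resolution_steps)
        inc.closed_at = now

    def report(self):
        """DS8.5: per-category counts, mean time to resolve, and recurring flag."""
        per_category = {}
        for inc in self.incidents.values():
            s = per_category.setdefault(inc.category, {"count": 0, "open": 0, "hours": []})
            s["count"] += 1
            if inc.closed_at is None:
                s["open"] += 1
            else:
                s["hours"].append((inc.closed_at - inc.opened_at).total_seconds() / 3600)
        return {
            cat: {
                "count": s["count"],
                "open": s["open"],
                "mean_hours_to_resolve": round(sum(s["hours"]) / len(s["hours"]), 2) if s["hours"] else None,
                "recurring": s["count"] >= RECURRING_THRESHOLD,
            }
            for cat, s in per_category.items()
        }


def demo():
    """Constructed sample: four VPN tickets opened ten minutes apart plus one
    low-priority printer ticket; returns the desk and the escalated ticket ids."""
    desk = ServiceDesk()
    t0 = datetime(2024, 1, 8, 9, 0)
    ids = [desk.register("vpn", "high", t0 + timedelta(minutes=10 * i)) for i in range(4)]
    desk.register("printer", "low", t0)
    desk.close(ids[0], ["reset user token", "verified login"], t0 + timedelta(minutes=30))
    escalated = desk.escalate_overdue(t0 + timedelta(hours=1, minutes=30))
    desk.close(ids[1], ["replaced expired VPN certificate"], t0 + timedelta(hours=2))
    return desk, escalated
```

In the sample run the three still-open high-priority VPN tickets pass their one-hour service level and move to second line while their owner stays "service desk"; the report then flags "vpn" as recurring because four tickets share that category, which is the trigger for handing the underlying cause to problem management.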

DS-9

DS9 MANAGE THE CONFIGURATION
Require the establishment and maintenance of an accurate and complete configuration repository. Include collecting initial configuration information, establishing baselines, verifying and auditing configuration information, and updating the configuration repository as needed.

DS9 has 3 principles.

DS9.1 Configuration Repository and Baseline
Establish a supporting tool and a central repository to contain all relevant information on configuration items. Monitor and record all assets and changes to assets. Maintain a baseline of configuration items for every system and service as a checkpoint to which to return after changes.

DS9.2 Identification and Maintenance of Configuration Items
Establish configuration procedures to support management and logging of all changes to the configuration repository.

DS9.3 Configuration Integrity Review
Periodically review the configuration data to verify and confirm the integrity of the current and historical configuration. Periodically review installed software against the policy for software usage.
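The three DS9 objectives together describe a loop: record configuration items in a repository, freeze a baseline, log every authorized change, and periodically compare the live state against the baseline so that any difference without a change record stands out. The following is an added Python example of that integrity review, not code from the original deck or from ISACA; the configuration item names, file contents, change ticket id and software policy are constructed assumptions.

```python
import hashlib


def fingerprint(content: bytes) -> str:
    """SHA-256 of a configuration item's content; the repository stores digests,
    not the content itself."""
    return hashlib.sha256(content).hexdigest()


class ConfigurationRepository:
    """Minimal configuration repository (DS9.1) with a change log (DS9.2) and an
    integrity review against the baseline (DS9.3)."""

    def __init__(self):
        self.current = {}      # CI name -> digest of what is deployed now
        self.baseline = {}     # CI name -> digest at the last checkpoint
        self.change_log = []   # authorized changes: {"ci": name, "ticket": id}

    def observe(self, name, content):
        """Discovery or monitoring feed: the CI as it actually looks now."""
        self.current[name] = fingerprint(content)

    def forget(self, name):
        """The CI is no longer present on the asset."""
        self.current.pop(name, None)

    def set_baseline(self):
        """Freeze the current state as the checkpoint to compare against."""
        self.baseline = dict(self.current)

    def log_change(self, name, ticket):
        """Record an authorized change to a CI under its change ticket."""
        self.change_log.append({"ci": name, "ticket": ticket})

    def integrity_review(self):
        """Compare the live state with the baseline and classify each difference.
        A difference with no logged change is reported as unauthorized drift."""
        logged = {entry["ci"] for entry in self.change_log}
        findings = {"modified": [], "added": [], "removed": [], "unauthorized": []}
        for name, digest in self.current.items():
            if name not in self.baseline:
                findings["added"].append(name)
            elif self.baseline[name] != digest:
                findings["modified"].append(name)
        for name in self.baseline:
            if name not in self.current:
                findings["removed"].append(name)
        for name in findings["modified"] + findings["added"] + findings["removed"]:
            if name not in logged:
                findings["unauthorized"].append(name)
        for key in findings:
            findings[key].sort()
        return findings


def software_policy_review(installed, allowed):
    """DS9.3 second half: packages installed on an asset that the software usage
    policy does not permit."""
    return sorted(set(installed) - set(allowed))


def demo():
    """Constructed sample: three CIs are baselined, one changes under a ticket,
    one changes with no ticket, and one new file appears unannounced."""
    repo = ConfigurationRepository()
    repo.observe("web01:/etc/ssh/sshd_config", b"PasswordAuthentication no\n")
    repo.observe("web01:/etc/nginx/nginx.conf", b"worker_processes 2;\n")
    repo.observe("db01:/etc/postgresql/pg_hba.conf", b"hostssl all all 10.0.0.0/8 scram-sha-256\n")
    repo.set_baseline()
    # Authorized change: logged under a (constructed) change ticket.
    repo.log_change("web01:/etc/nginx/nginx.conf", "CHG-0042")
    repo.observe("web01:/etc/nginx/nginx.conf", b"worker_processes 4;\n")
    # Drift with no change record: a hardening setting was reverted and an
    # unknown configuration file appeared.
    repo.observe("web01:/etc/ssh/sshd_config", b"PasswordAuthentication yes\n")
    repo.observe("web01:/opt/agent/agent.conf", b"endpoint=collector.example\n")
    return repo.integrity_review()
```

The review deliberately reports the ticketed nginx change as modified but not unauthorized, while the reverted SSH setting and the unexpected agent file appear under both headings; the first list feeds change closure, the second is what the periodic review exists to surface.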

DS-10

DS10 MANAGE PROBLEMS
Require the identification and classification of problems, root cause analysis and resolution of problems. Include the formulation of recommendations for improvement, maintenance of problem records and review of the status of corrective actions. The process maximizes system availability, improves service levels, reduces costs, and improves customer convenience and satisfaction.

DS10 has 4 principles.

DS10.1 Identification and Classification of Problems
Implement processes to report and classify problems that have been identified as part of incident management. Categorize problems as appropriate into related groups or domains (e.g., hardware, software, support software).

DS10.2 Problem Tracking and Resolution
Allow tracking, analyzing and determining the root cause of all reported problems considering:
• All associated configuration items
• Outstanding problems and incidents
• Known and suspected errors
• Tracking of problem trends

DS10.3 Problem Closure
Put in place a procedure to close problem records either after confirmation of successful elimination of the known error or after agreement

DS10.4 Integration of Configuration, Incident and Problem Management
Integrate the related processes of configuration, incident and problem management to ensure effective management of problems and enable improvements.

DS-11

DS11 MANAGE DATA
Require identifying data requirements. Include the establishment of effective procedures to manage the media library, backup and recovery of data, and proper disposal of media. Helps ensure the quality, timeliness and availability of business data.

DS11 has 6 principles.

DS11.1 Business Requirements for Data Management
Verify that all data expected for processing are received and processed completely. Support restart and reprocessing needs.

DS11.2 Storage and Retention Arrangements
Define and implement procedures for effective and efficient data storage, retention and archiving to meet business objectives, the organization’s security policy and regulatory requirements.

DS11.3 Media Library Management System
Define and implement procedures to maintain an inventory of stored and archived media to ensure their usability and integrity.

DS11.4 Disposal
Define and implement procedures to ensure that business requirements for protection of sensitive data and software are met when data and hardware are disposed of or transferred.

DS11.5 Backup and Restoration
Define and implement procedures for backup and restoration of systems, applications, data and documentation in line with business requirements and the continuity plan.

DS11.6 Security Requirements for Data Management
Define and implement policies and procedures to identify and apply security requirements.
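A backup procedure under DS11.5 is only as good as its restoration test, which is also what DS4.5 asks for when the continuity plan is exercised. The following is an added Python example of a backup with a checksum manifest, a restore into a clean directory, and a verification that reports every missing, altered or unexpected file; it is not code from the original deck or from ISACA. The sample application tree, file contents and archive name are constructed for the illustration, and the restore step refuses archive members with absolute or parent-directory paths so that a damaged or substituted archive cannot write outside the restore directory.

```python
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path):
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(source_dir, archive_path):
    """Back up every file under source_dir into a gzip tar and write a manifest
    (relative path -> SHA-256) beside it. The manifest is the reference the
    restoration test is later checked against."""
    source_dir = Path(source_dir)
    manifest = {}
    with tarfile.open(str(archive_path), "w:gz") as tar:
        for path in sorted(p for p in source_dir.rglob("*") if p.is_file()):
            rel = path.relative_to(source_dir).as_posix()
            manifest[rel] = sha256_file(path)
            tar.add(str(path), arcname=rel)
    Path(f"{archive_path}.manifest.json").write_text(json.dumps(manifest, sort_keys=True))
    return manifest


def restore(archive_path, restore_dir):
    """Extract the archive into restore_dir, refusing members whose names could
    escape the target directory or that are not plain files or directories."""
    restore_dir = Path(restore_dir)
    with tarfile.open(str(archive_path), "r:gz") as tar:
        safe = []
        for m in tar.getmembers():
            if m.name.startswith("/") or ".." in Path(m.name).parts or not (m.isfile() or m.isdir()):
                raise ValueError(f"refusing to restore suspicious member {m.name!r}")
            safe.append(m)
        tar.extractall(str(restore_dir), members=safe)
    return restore_dir


def verify_restore(restore_dir, manifest):
    """Compare the restored tree with the manifest. Returns a dict of problems
    keyed by relative path; an empty dict means the restoration test passed."""
    restore_dir = Path(restore_dir)
    problems = {}
    for rel, expected in manifest.items():
        target = restore_dir / rel
        if not target.is_file():
            problems[rel] = "missing"
        elif sha256_file(target) != expected:
            problems[rel] = "checksum mismatch"
    restored = {p.relative_to(restore_dir).as_posix() for p in restore_dir.rglob("*") if p.is_file()}
    for rel in sorted(restored - manifest.keys()):
        problems[rel] = "unexpected file"
    return problems


def demo():
    """Constructed sample: a tiny application tree is backed up, restored and
    verified; then one restored file is altered to show what the check reports."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "app")
        (src / "conf").mkdir(parents=True)
        (src / "conf" / "app.ini").write_text("[db]\nhost=db01\n")
        (src / "data.csv").write_text("id,name\n1,alice\n")
        archive = Path(tmp, "app-backup.tar.gz")
        manifest = create_backup(src, archive)
        restored = restore(archive, Path(tmp, "restore"))
        first = verify_restore(restored, manifest)
        (restored / "data.csv").write_text("id,name\n1,mallory\n")
        second = verify_restore(restored, manifest)
        return sorted(manifest), first, second
```

Keeping the manifest separate from the archive is the point of the design: a restoration test that only checks the archive opens proves nothing about content, while a manifest stored with the offsite copy (DS4.9) lets the test prove that what came back is what was backed up.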

DS-13

DS13 MANAGE OPERATIONS
Complete and accurate processing of data requires effective management of data processing procedures and diligent maintenance of hardware. Includes defining operating policies and procedures for effective management. Helps maintain data integrity and reduces business delays and IT operating costs.

DS13 has 5 principles.

DS13.1 Operations Procedures and Instructions
Define, implement and maintain procedures for IT operations. Cover shift handover (formal handover of activity, status updates, operational problems, escalation procedures and reports on current responsibilities).

DS13.2 Job Scheduling
Organize the scheduling of jobs, processes and tasks into the most efficient sequence, maximizing throughput and utilization to meet business requirements.

DS13.3 IT Infrastructure Monitoring
Define and implement procedures to monitor the IT infrastructure and related events.

DS13.4 Sensitive Documents and Output Devices
Establish appropriate physical safeguards, accounting practices and inventory management over sensitive IT assets.

DS13.5 Preventive Maintenance for Hardware
Define and implement procedures to ensure timely maintenance of infrastructure to reduce the frequency and impact of failures or performance degradation.

ME-1

ME1 MONITOR AND EVALUATE IT PERFORMANCE
Effective IT performance management requires a monitoring process. Include defining relevant performance indicators, systematic and timely reporting of performance, and prompt acting upon deviations.

ME1 has 6 principles.

ME1.1 Monitoring Approach
Establish a general monitoring framework and approach to define the scope, methodology and process. Integrate the framework with the corporate performance management system.

ME1.2 Definition and Collection of Monitoring Data
Work with the business to define a balanced set of performance targets. Have them approved by the business and other relevant stakeholders. Define benchmarks with which to compare the targets, and identify available data to be collected to measure the targets. Establish processes to collect timely and accurate data to report on progress against targets.

ME1.3 Monitoring Method
Deploy a performance monitoring method. Capture measurements. Provide a succinct, all-around view of IT performance.

ME1.4 Performance Assessment
Periodically review performance against targets. Analyze the cause of any deviations. Initiate remedial action to address the underlying causes.

ME1.5 Board and Executive Reporting
Develop senior management reports on IT’s contribution to the business. Include in status reports the extent to which planned objectives have been achieved, budgeted resources used, set performance targets met and identified risks mitigated.

ME1.6 Remedial Actions
Identify and initiate remedial actions based on performance monitoring, assessment and reporting. Include follow-up of all monitoring, reporting and assessments through:
• Review, negotiation and establishment of management responses
• Assignment of responsibility for remediation
• Tracking of the results of actions committed

AI-6

AI6 MANAGE CHANGES
All changes, including emergency maintenance and patches, relating to infrastructure and applications within the production environment are formally managed in a controlled manner. Provide mitigation of the risks of negatively impacting the stability or integrity of the production environment.

AI6 has 5 principles.

AI6.1 Change Standards and Procedures
Set up formal change management procedures to handle in a standardized manner all requests.

AI6.2 Impact Assessment, Prioritization and Authorization
Assess all requests for change in a structured way to determine the impact on the operational system and its functionality.

AI6.3 Emergency Changes
Establish a process for defining, raising, testing, documenting, assessing and authorizing emergency changes.

AI6.4 Change Status Tracking and Reporting
Establish a tracking and reporting system to document rejected changes, communicate the status of approved and in-process changes, and complete changes.

AI6.5 Change Closure and Documentation
Whenever changes are implemented, update the associated system and user documentation and procedures accordingly.

References

http://www.isaca.org/Knowledge-Center/cobit/Documents/COBIT4.pdf
http://www.isaca.org/Knowledge-Center/cobit/Documents/CobiT-4.1-Brochure.pdf
http://en.wikipedia.org/wiki/COBIT
http://www.isaca.org/COBIT/Documents/COBIT5-Compare-With-4.1.ppt
http://www.bpmwatch.com/columns/changing-role-of-governance-in-outsourcing-contract/
COBIT5-Framework-ED-27JUNE2011.pdf
Miha.ef.uni-lj.si/_dokumenti3plus2/192073/ITIL-COBIT_nov.pdf
COBIT Mapping 2nd Edition[1].pdf
Scillani Article Combining ITIL with Cobit and 17799[1].pdf
itgovernance.co.uk/files/ITIL-COBiT-ISO17799JointFramework.pdf
www.financialexecutives.org/COBIT5-Update-Research-.pptx
http://www.qualified-audit-partners.be/user_files/QECB_IIA_COBIT5_EN_Overview_201111.pdf
http://www.slideshare.net/Billy82/microsoft-powerpoint-marrying-cobit-and-itil-for-effective#btnNext
http://www.mitsm.de/itil-wiki/process-descriptions-english/incident-management
http://www.slideshare.net/hafeezi/business-it-management-intro-to-cobit-itil-9568869#btnNext
http://www.isaca.org/Education/Conferences/Documents/EuroCACS-Presentations/323.pdf