Adopting COBIT 5 in a Government Entity
7/23/2019 Adopting COBIT 5 in a Government Entity
23/1/2015 Adopting COBIT 5 in a Government Entity
http://www.isaca.org/COBIT/focus/Pages/Adopting-COBIT-5-in-a-Government-Entity.aspx?cid=edmi_1105872&PF=1
By Sean Atkinson, CISA, CISM, CGEIT, CRISC, COBIT 5 Foundation, CCSA, CEH, CFE, CISSP, CRMA, CSM, GCIH, N+, PMP, SCTS, Sec+, and Roger F. Aucoin, COBIT 5 Foundation, PMP
COBIT Focus | 19 January 2015
Imagine being on the ground floor of a new government agency in the United States, first conceived in 1994 and implemented in 2012, with the initial responsibility of developing an information system that would eventually process well over US $1 billion in payments monthly, produce enterprisewide reporting, be implemented as Software as a Service (SaaS) to more than 85,000 users in 72 external agencies and by more than 100,000 vendors. Further, imagine that your responsibility included ensuring that the fledgling enterprise accomplished this mission while following its documented processes and procedures.

Where to begin? How would one know whether existing processes were sufficient?
In the original request for proposal (RFP) for the software (2008), COBIT was selected to be implemented as a holistic framework to manage and govern the software. Until 2012, the enterprise used COBIT 4.1 on a limited basis only, due to the lack of development and maturity in the enterprise's overall processes.
In September 2012, the decision was made by executive management to expand the application of COBIT in a more holistic manner and to adopt COBIT 5 and all 37 processes (which have come to be known internally as enterprise processes) across the enterprise (which does not include the vendors or external agencies noted previously). The focus of COBIT would now be utilized as the governance and management framework that provides an integrated process in which to review, manage and control the enterprise.
The planning process, Phase 1, began with the use of COBIT 5 Implementation and COBIT 5: Enabling Processes for direction on how to proceed. After digesting the contents of these 2 documents, a business case was drafted using the 7-phase approach recommended in COBIT 5 Implementation, and submitted to the executive sponsor for approval. Adopting a holistic framework for any entity is a daunting task, as is the decision leading up to the commitment of the necessary resources. Upon approval of the business case, the original implementation team moved forward with the adoption of COBIT 5. The COBIT 5 implementation team was formed with staff from 2 separate areas of the enterprise: 2 staff members from security operations (1 certified COBIT Foundation trainer) and 3 staff members from the process quality/compliance team. Bringing together staff from the 2 different areas of the organization provided 2 different perspectives that fostered a deeper understanding of the value and challenge of the full adoption.
Phase 2, the "Where are we now?" step, entailed staff identifying all existing processes and procedures as well as any that were needed that did not yet exist. These processes were mapped to the 210 COBIT 5 practices. This gap analysis indicated that the enterprise had no documented processes that could be related to 11 of the COBIT processes and incomplete processes that could be related to the remaining 26 COBIT processes. This discovery prompted the team to revise the original business case to include the recommendation to management that the organization needed to examine the regulatory and process requirements for all 37 COBIT processes on a detailed level and decide which were indeed needed for this specific business. This moved the project into phase 3 from COBIT 5 Implementation, the "Where do we want to be?" phase.
The executive sponsor was not surprised by this development due to the evolution of the enterprise, its overall structure and the enterprise's fast-paced progression, the latter of which had not allowed for a comprehensive review and understanding of the governance and regulatory processes needed for the business.
In phase 3, the team needed the assistance of subject matter experts
(SMEs) to get a better picture of the situation along with their support to
close the gaps. To begin, the team members and executive sponsor
earned their COBIT 5 Foundation certificates. Executive management
was engaged through a modified training session in COBIT 5
Foundation, which included discussion of the results of the initial gap
analysis, a live demonstration of the process the COBIT 5 team
performed to identify the gaps (called the Process Author Approach),
and the proposed plan for moving forward (figure 1). This generated the
needed buy-in for the next stages of the plan, which included presenting
the 2-hour executive management training session to the direct reports
of the executive managers (team leads), along with a half-hour overview
session for all staff members (All Staff meeting in figure 1).
Figure 1. Overall Approach to COBIT 5 Implementation
Source: Atkinson and Aucoin; reprinted with permission.
Because the enterprise set out to formally align itself with the 37 COBIT 5 processes, 37 organizational documents were created and referred to as enterprise process documents. Each document contains the original COBIT 5 process overview and description; the practices and the activities; Responsible, Accountable, Consulted and Informed (RACI) matrices, modified to fit the organization's management structure; and the inputs, outputs and related guidance tables.[1]
Figure 1 displays a graphical representation of the implementation up to the point where all the enterprise process documents are created and the gaps are identified. The starting point to this stage of engagement was the Process Author Approach. This approach involved identifying which team lead owned each enterprise process. After this was determined, the lead staff person became the process author for that enterprise process document. For example, APO07 Manage human resources was clearly in the domain of the human resources (HR) unit of the enterprise, so the organization's HR lead became the process author. However, in the case of BAI06 Manage changes, which crossed a series of domains within the organization, multiple team leads became process authors, each responsible for their individual part of the process. The process authors then identified the SMEs to be involved and the development discussions began.
To facilitate the multiple owners of a process, the implementation team
served as the intermediary to coordinate the overall goal and successful
completion of items within the process.
This then led to the heart of the approach: the enterprise-process-facilitated sessions. At these meetings, the COBIT 5 team engaged the process author and received input from SMEs. This approach provided several benefits: Initially, it set the stage for teams to get to know their processes and develop a sense of ownership of them. It also allowed for input from the implementation team, who provided relevant materials, direction on compliance and best practice recommendations.
Within the overall update process (figure 2), the process authors were sent the enterprise process document they were responsible to develop to determine the need for assistance. The implementation team then met with each process author separately (along with any support SMEs identified by the process author) to develop the enterprise process document by determining the following:

- Is the enterprise process one the organization needs?
- Is the COBIT 5 definition of the process accurate for the enterprise? If not, it was modified.
- Is the COBIT 5 definition of each practice accurate? If not, it was modified.
Figure 2. Enterprise Process Development Activity Flow
The implementation team encouraged process authors to make
modifications to the COBIT wording to better represent how the process
related to the organization, but without changing the original intent. As
an overall implementation step, the original versions of the processes,
practices and activities were preserved for ease of future reference,
should any question arise. The enterprise processes were notated where
any wording was modified.
The next step was a review of the COBIT 5 activities: all 1,112 activities. The reviews were complicated by the fact that the IT infrastructure of this enterprise has functions that are performed by service providers; therefore, not all activities were seen as necessary for the enterprise. Each activity was examined using the same approach (process authors and SMEs) to augment the delivered COBIT 5 literature regarding each activity: Wording was modified as necessary to make the process document relevant to the enterprise, and each activity was categorized to simplify and sort the answers:

- Is the activity done, but not documented?
- Is the activity done, but documentation needs to be updated?
- Is the activity done, documented and not in need of updating?
- Is the activity not done, but needed?
- Is the activity not done and not needed at this time?
- Is the activity done by 1 or more of the enterprise's service providers?
Finally, the RACI matrix was examined for any needed changes to
reflect titles and responsibilities specific to the enterprise.
Enterprise process documents were then sent to the full team, which included executive management and all of the process authors/team leads, for final review to determine if any further changes were needed before releasing the documents for further development. Given that each document averaged 10 to 12 pages and the reviews were spread over 6 review meetings, the task was manageable. Approvals to move the document forward were formed through a consensus of executive management, the members of which based their decision on achievability and sustainability through the review and subsequent improvement processes. The organization defines approval to mean simply that the larger team agreed with the gap analysis and any updates made during the review meetings, and that executive management authorized the work that is needed to close the gaps in order to begin. It was gratifying to note that these review and approval meetings were lively at times and not simply rubber-stamping approvals of the documents. This speaks to the value seen by the participants in the overall process.
After they were approved for further development, the documents were stored in the organization's central document repository. The activities requiring modifications were prioritized by the process authors with input from management, and the work was scheduled to be done. Each enterprise process schedule was determined by the process author(s) and was managed through the central repository.
All of this activity provided the scope of work for phase 4, "What needs to be done?" For perspective, the initial results included that:

- 9 enterprise processes were identified as complete (not in need of any further modification)
- 28 enterprise processes had gaps (at least 1 activity needed further development)

At the activity level:

- 139 activities were done, but not documented
- 208 activities were done, but documentation needs to be updated
- 476 activities were done, documented and not in need of updating
- 189 activities were not done, but were needed
- 47 activities were not done and were not needed at this time
- 53 activities were done by 1 or more of the enterprise's service providers
The enterprise then moved into the 5th, or "How do we get there?", phase. This is where team members are currently engaged, and this phase is expected to last 18 months. The activities belonging to 1 or more service providers will be reviewed with the service provider and included in the service level agreement (SLA), as appropriate, and metrics will be used to enable the tracking of progress and celebrate success as it occurs.
After a document is deemed complete and all needed processes and
procedures are in place and working, the process improvement cycle for
each enterprise process document begins and is set at 1 year. This
moves the organization into phase 6 (Did we get there?) in a piecemeal
fashion until all 37 documents are complete. Completion is planned for
the end of 2015.
Process assessments and audits will then enable phase 7, the "How do we keep the momentum going?" phase, to engage the enterprise in continuous improvement. The new EDM01 Ensure Governance Framework Setting and Maintenance Audit/Assurance Program document (which includes a focus on the assessment of the process enabler) and/or the COBIT Assessment Programme (COBIT Assessor Guide: Using COBIT 5 and COBIT Process Assessment Model (PAM): Using COBIT 5, which focus on COBIT 5 process capability) can be used to effectively assess the enterprise processes and the organizational governance of enterprise IT (GEIT) arrangements as a whole. These will assist in identifying processes and procedures (practices and activities) or other aspects of GEIT that need attention to enhance their performance.
Get Started With COBIT 5
At this point, one might be asking, "What is in it for my organization?" or "Where do I begin?" Any organization can begin as this one did by following the same steps:

1. Do not be overwhelmed by the wealth of knowledge encapsulated in COBIT 5 and its scope, as it can seem daunting.
2. Begin with COBIT 5 Implementation. Use this to understand the implementation process that underpins COBIT 5 and recognize that it will take time to fully adopt. Seek to break up the work into bite-sized pieces so that your organization is not overwhelmed with the work.
3. Then engage with COBIT 5: Enabling Processes. Consciously examine all the processes, practices and activities to answer the same questions asked here and put a plan in place to resolve any identified gaps.
Or one might be tempted to say, "We have everything we need already."
If that is the case, COBIT 5 provides the opportunity to self-assess
where the organization is and potentially illuminate areas that might
need some work to ensure the organization can reasonably accomplish
its mission.
Evolving With COBIT 5
Understanding COBIT 5 and its implementation life cycle is well
underway for the enterprise in this case example. As it moves forward,
collaboration between units and process owners will be required as the
defined processes will cross organizational lines and bridge the gaps
between service support, operational management and overall governance of the organization. These intended consequences of an
integrated, operational environment will allow the enterprise to measure
the return on investment (ROI) and evaluate the contribution of COBIT 5
toward the overall goal of a holistic and managed enterprise, encourage
collaboration, and create a systematic process of excellence among all
teams. Progression through the implementation life cycle to a point of
measuring capability is the next step in the evolution as an
implementation team.
Sean Atkinson, CISA, CISM, CGEIT, CRISC, COBIT 5 Foundation, CCSA, CEH, CFE, CISSP, CRMA, CSM, GCIH, N+, PMP, SCTS, Sec+
Is an internal control officer, risk manager and information security
officer with more than 10 years of experience working in both security
and auditing roles. He also teaches an introduction to computer science
course for a local college.
Roger F. Aucoin, COBIT 5 Foundation, PMP
Has more than 34 years of experience in information technology, 16 of
those years as a project manager and most recently managing the
adoption of COBIT 5. He also teaches an online project management
course for a local college.
Endnotes
[1] The titles for these sections came from the 10 COBIT 5 Governance and Management Practices Activities Microsoft Excel document available in the COBIT 5 Tool Kit and COBIT 5: Enabling Processes.