Adopting COBIT 5 in a Government Entity


Printed 7/23/2019 (page dated 23/1/2015) from http://www.isaca.org/COBIT/focus/Pages/Adopting-COBIT-5-in-a-Government-Entity.aspx?cid=edmi_1105872&PF=1


By Sean Atkinson, CISA, CISM, CGEIT, CRISC, COBIT 5 Foundation, CCSA, CEH, CFE, CISSP, CRMA, CSM, GCIH, N+, PMP, SCTS, Sec+, and Roger F. Aucoin, COBIT 5 Foundation, PMP

    COBIT Focus | 19 January 2015

Imagine being on the ground floor of a new government agency in the United States, first conceived in 1994 and implemented in 2012, with the initial responsibility of developing an information system that would eventually process well over US $1 billion in payments monthly, produce enterprisewide reporting, and be implemented as Software as a Service (SaaS) to more than 85,000 users in 72 external agencies and more than 100,000 vendors. Further, imagine that your responsibility included ensuring that the fledgling enterprise accomplished this mission while following its documented processes and procedures.

Where to begin? How would one know whether existing processes were sufficient?

In the original request for proposal (RFP) for the software (2008), COBIT was selected to be implemented as a holistic framework to manage and govern the software. Until 2012, the enterprise used COBIT 4.1 on a limited basis only, due to the lack of development and maturity in the enterprise's overall processes.

In September 2012, the decision was made by executive management to expand the application of COBIT in a more holistic manner and to adopt COBIT 5 and all 37 processes (which have come to be known internally as enterprise processes) across the enterprise (which does not include the vendors or external agencies noted previously). COBIT would now be utilized as the governance and management framework that provides an integrated process in which to review, manage and control the enterprise.

The planning process, phase 1, began with the use of COBIT 5 Implementation and COBIT 5: Enabling Processes for direction on how to proceed. After digesting the contents of these 2 documents, a business case was drafted using the 7-phase approach recommended in COBIT 5 Implementation, and submitted to the executive sponsor for approval. Adopting a holistic framework for any entity is a daunting task, as is the decision leading up to the commitment of the necessary resources. Upon approval of the business case, the original implementation team moved forward with the adoption of COBIT 5. The COBIT 5 implementation team was formed with staff from 2 separate areas of the enterprise: 2 staff members from security operations (1 a certified COBIT Foundation trainer) and 3 staff members from the process quality/compliance team. Bringing together staff from the 2 different areas of the organization provided 2 different perspectives that fostered a deeper understanding of the value and challenge of the full adoption.

Phase 2, the "Where are we now?" step, entailed staff identifying all existing processes and procedures as well as any that were needed but did not yet exist. These processes were mapped to the 210 COBIT 5 practices. This gap analysis indicated that the enterprise had no documented processes that could be related to 11 of the COBIT processes, and incomplete processes that could be related to the remaining 26 COBIT processes. This discovery prompted the team to revise the original business case to include the recommendation to management that the organization needed to examine the regulatory and process requirements for all 37 COBIT processes at a detailed level and decide which were indeed needed for this specific business. This moved the project into phase 3 from COBIT 5 Implementation, the "Where do we want to be?" phase.

The executive sponsor was not surprised by this development, given the evolution of the enterprise, its overall structure and the enterprise's fast-paced progression, the latter of which had not allowed for a comprehensive review and understanding of the governance and regulatory processes needed for the business.

In phase 3, the team needed the assistance of subject matter experts (SMEs) to get a better picture of the situation, along with their support to close the gaps. To begin, the team members and executive sponsor earned their COBIT 5 Foundation certificates. Executive management was engaged through a modified training session in COBIT 5 Foundation, which included discussion of the results of the initial gap analysis, a live demonstration of the process the COBIT 5 team performed to identify the gaps (called the Process Author Approach), and the proposed plan for moving forward (figure 1). This generated the needed buy-in for the next stages of the plan, which included presenting the 2-hour executive management training session to the direct reports of the executive managers (team leads), along with a half-hour overview session for all staff members ("All Staff" meeting in figure 1).

Figure 1. Overall Approach to COBIT 5 Implementation

Source: Atkinson and Aucoin; reprinted with permission.

Because the enterprise set out to formally align itself with the 37 COBIT 5 processes, 37 organizational documents were created and referred to as enterprise process documents. Each document contains the original COBIT 5 process overview and description; the practices and the activities; Responsible, Accountable, Consulted and Informed (RACI) matrices, modified to fit the organization's management structure; and the inputs, outputs and related guidance tables.1

Figure 1 displays a graphical representation of the implementation up to the point where all the enterprise process documents are created and the gaps are identified. The starting point of this stage of engagement was the Process Author Approach. This approach involved identifying which team lead owned each enterprise process. After this was determined, the lead staff person became the process author for that enterprise process document. For example, APO07 Manage human resources was clearly in the domain of the human resources (HR) unit of the enterprise, so the organization's HR lead became the process author. However, in the case of BAI06 Manage changes, which crossed a series of domains within the organization, multiple team leads became process authors, each responsible for their individual part of the process. The process authors then identified the SMEs to be involved, and the development discussions began.

To facilitate the multiple owners of a process, the implementation team served as the intermediary to coordinate the overall goal and successful completion of items within the process.

This then led to the heart of the approach: the enterprise-process-facilitated sessions. At these meetings, the COBIT 5 team engaged the process author and received input from SMEs. This approach provided several benefits. Initially, it set the stage for teams to get to know their processes and develop a sense of ownership of them. It also allowed for input from the implementation team, who provided relevant materials, direction on compliance and best practice recommendations.

Within the overall update process (figure 2), the process authors were sent the enterprise process document they were responsible for developing, to determine the need for assistance. The implementation team then met with each process author separately (along with any support SMEs identified by the process author) to develop the enterprise process document by determining the following:

- Is the enterprise process one the organization needs?
- Is the COBIT 5 definition of the process accurate for the enterprise? If not, it was modified.
- Is the COBIT 5 definition of each practice accurate? If not, it was modified.

Figure 2. Enterprise Process Development Activity Flow


The implementation team encouraged process authors to make modifications to the COBIT wording to better represent how the process related to the organization, but without changing the original intent. As an overall implementation step, the original versions of the processes, practices and activities were preserved for ease of future reference, should any question arise. The enterprise processes were annotated wherever any wording was modified.

The next step was a review of the COBIT 5 activities, all 1,112 of them. The reviews were complicated by the fact that the IT infrastructure of this enterprise has functions that are performed by service providers; therefore, not all activities were seen as necessary for the enterprise. Each activity was examined using the same approach (process authors and SMEs) to augment the delivered COBIT 5 literature regarding each activity: wording was modified as necessary to make the process document relevant to the enterprise, and each activity was categorized to simplify and sort the answers:

- Is the activity done, but not documented?
- Is the activity done, but documentation needs to be updated?
- Is the activity done, documented and not in need of updating?
- Is the activity not done, but needed?
- Is the activity not done and not needed at this time?
- Is the activity done by 1 or more of the enterprise's service providers?

Finally, the RACI matrix was examined for any needed changes to reflect titles and responsibilities specific to the enterprise.

Enterprise process documents were then sent to the full team, which included executive management and all of the process authors/team leads, for final review to determine if any further changes were needed before releasing the documents for further development. Given that each document averaged 10 to 12 pages and the reviews were spread over 6 review meetings, the task was manageable. Approvals to move a document forward were formed through a consensus of executive management, the members of which based their decision on achievability and sustainability through the review and subsequent improvement processes. The organization defines approval to mean simply that the larger team agreed with the gap analysis and any updates made during the review meetings, and that executive management authorized the work needed to close the gaps to begin. It was gratifying to note that these review and approval meetings were lively at times and not simply rubber-stamping approvals of the documents. This speaks to the value seen by the participants in the overall process.

After they were approved for further development, the documents were stored in the organization's central document repository. The activities requiring modifications were prioritized by the process authors with input from management, and the work was scheduled to be done. Each enterprise process schedule was determined by the process author(s) and was managed through the central repository.

All of this activity provided the scope of work for phase 4, "What needs to be done?" For perspective, the initial results included the following:

- 9 enterprise processes were identified as complete (not in need of any further modification)
- 28 enterprise processes had gaps (at least 1 activity needed further development)

At the activity level:

- 139 activities were done, but not documented
- 208 activities were done, but documentation needs to be updated
- 476 activities were done, documented and not in need of updating
- 189 activities were not done, but were needed
- 47 activities were not done and were not needed at this time
- 53 activities were done by 1 or more of the enterprise's service providers

The enterprise then moved into the 5th, or "How do we get there?", phase. This is where team members are currently engaged, and this phase is expected to last 18 months. The activities belonging to 1 or more service providers will be reviewed with the service provider and included in the service level agreement (SLA), as appropriate, and metrics will be used to enable the tracking of progress and to celebrate success as it occurs.

After a document is deemed complete and all needed processes and procedures are in place and working, the process improvement cycle for each enterprise process document begins and is set at 1 year. This moves the organization into phase 6 ("Did we get there?") in a piecemeal fashion until all 37 documents are complete. Completion is planned for the end of 2015.


Process assessments and audits will then enable phase 7, the "How do we keep the momentum going?" phase, to engage the enterprise in continuous improvement. The new EDM01 Ensure Governance Framework Setting and Maintenance Audit/Assurance Program document (which includes a focus on the assessment of the process enabler) and/or the COBIT Assessment Programme (COBIT Assessor Guide: Using COBIT 5 and COBIT Process Assessment Model (PAM): Using COBIT 5, which focuses on COBIT 5 process capability) can be used to effectively assess the enterprise processes and the organization's governance of enterprise IT (GEIT) arrangements as a whole. These will assist in identifying processes and procedures (practices and activities) or other aspects of GEIT that need attention to enhance their performance.

    Get Started With COBIT 5

At this point, one might be asking, "What is in it for my organization?" or "Where do I begin?" Any organization can begin as this one did by following the same steps:

1. Do not be overwhelmed by the wealth of knowledge encapsulated in COBIT 5 and its scope, as it can seem daunting.

2. Begin with COBIT 5 Implementation. Use this to understand the implementation process that underpins COBIT 5 and recognize that it will take time to fully adopt. Seek to break up the work into bite-sized pieces so that your organization is not overwhelmed with the work.

3. Then engage with COBIT 5: Enabling Processes. Consciously examine all the processes, practices and activities to answer the same questions asked here, and put a plan in place to resolve any identified gaps.

Or one might be tempted to say, "We have everything we need already." If that is the case, COBIT 5 provides the opportunity to self-assess where the organization is and potentially illuminate areas that might need some work to ensure the organization can reasonably accomplish its mission.

    Evolving With COBIT 5

Understanding COBIT 5 and its implementation life cycle is well underway for the enterprise in this case example. As it moves forward, collaboration between units and process owners will be required, as the defined processes will cross organizational lines and bridge the gaps between service support, operational management and overall governance of the organization. These intended consequences of an integrated, operational environment will allow the enterprise to measure the return on investment (ROI) and evaluate the contribution of COBIT 5 toward the overall goal of a holistic and managed enterprise, encourage collaboration, and create a systematic process of excellence among all teams. Progression through the implementation life cycle to the point of measuring capability is the next step in the evolution of the implementation team.

Sean Atkinson, CISA, CISM, CGEIT, CRISC, COBIT 5 Foundation, CCSA, CEH, CFE, CISSP, CRMA, CSM, GCIH, N+, PMP, SCTS, Sec+

Is an internal control officer, risk manager and information security officer with more than 10 years of experience working in both security and auditing roles. He also teaches an introduction to computer science course for a local college.

Roger F. Aucoin, COBIT 5 Foundation, PMP

Has more than 34 years of experience in information technology, 16 of those years as a project manager, and most recently managing the adoption of COBIT 5. He also teaches an online project management course for a local college.

    Endnotes

1. The titles for these sections came from the 10 COBIT 5 Governance and Management Practices Activities Microsoft Excel document available in the COBIT 5 Tool Kit and COBIT 5: Enabling Processes.