COBIT 2019 Foundation - Edited by Hashem Al-Azizi

Uploaded by mustafa jawad

Classified as "INTERNAL USE" by Hashem Azizi 8/12/2020 8:43 AM

Training Course
Eng. Hashem Al-Azizi, Senior Information Security Consultant

Syllabus

Training Course Content
Foundation Training Course
Edited by Eng. Hashem Al-Azizi

Chapter 1. Introduction
Chapter 2. Intended Audience
Chapter 3. COBIT Principles
Chapter 4. Basic COBIT Concepts: Governance System and Components
Chapter 5. Governance and Management Objectives
Chapter 6. Performance Management in COBIT
Chapter 7. Designing a Tailored Governance System
Chapter 8. Implementing Enterprise Governance of IT
Chapter 9. Getting Started With COBIT: Making the Case
Chapter 10. COBIT and Other Standards

Chapter 1 Introduction
1.1 Enterprise Governance of Information and Technology
1.2 Benefits of Information and Technology Governance
1.3 COBIT as an I&T Governance Framework

• 1.1 Enterprise Governance of Information and Technology

• Information and Technology (I&T) have become crucial to the support, sustainability and growth of enterprises.

• Boards of directors (BoD) and senior management have often ignored or avoided I&T-related decisions.

• Stakeholder value creation (i.e., realizing benefits at an optimal resource cost while optimizing risk) is often driven by a high degree of digitization in new business models, efficient processes, successful innovation, etc.

• I&T is becoming central to the enterprise (almost everything is related to I&T).

• Enterprise Governance of Information and Technology (EGIT) is an integral part of corporate governance.

• EGIT is exercised by the BoD, which oversees the definition and implementation of processes, structures and relational mechanisms.

• Accountability for I&T rests with the BoD and senior management.


Chapter 1 Introduction (Cont’d)

• EGIT is an approach; there is no single ideal way to design and implement it.

• BoD and senior management need to tailor their EGIT measures and implementation to their own
specific context and needs

Chapter 1 Introduction (Cont’d)

• 1.2 Benefits of Information and Technology Governance

• EGIT is concerned with value delivery from digital transformation and the mitigation of business risk that results from digital transformation.

1. Benefits Realization
• Creating/increasing/maintaining value for the enterprise through I&T
• Eliminating IT initiatives and assets that are not creating sufficient value
• Making I&T fit for purpose (what the organization needs), on time, within budget
• Generating financial and nonfinancial benefits
• The value that I&T delivers should be aligned directly with the values on which the business is focused

Chapter 1 Introduction (Cont’d)

• 1.2 Benefits of Information and Technology Governance

2. Risk Optimization
• Addressing the business risk associated with the use, ownership, operation, involvement, influence and adoption of I&T within an enterprise
• Value delivery focuses on the creation of value
• Risk management focuses on the preservation of value
• Integrate I&T risk with the ERM (Enterprise Risk Management) of the organization
• Risk should be measured in a way that shows the impact and contribution of optimizing I&T-related business risk on preserving value

Chapter 1 Introduction (Cont’d)

• 1.2 Benefits of Information and Technology Governance

3. Resource Optimization
• Ensures that the appropriate capabilities are in place to execute the strategic plan and that sufficient, appropriate and effective resources are provided
• Economical IT infrastructure is provided, new technology is introduced as required by the business, and obsolete systems are updated or replaced
• Providing training, promoting retention and ensuring competence of key IT personnel
• Exploiting data and information to gain optimal value

Chapter 1 Introduction (Cont’d)

• 1.3 COBIT as an I&T Governance Framework

• COBIT® 2019 builds on and integrates more than 25 years of development in this field, not only
incorporating new insights from science, but also operationalizing these insights as practices
• Founded in the IT audit community
• Generally accepted framework for I&T governance

• 1.3.1 What Is COBIT and What Is It Not?

• COBIT is a framework for the governance and management of enterprise information and technology
aimed at the whole enterprise.
• Enterprise I&T means all the technology and information processing the enterprise puts in place to
achieve its goals, regardless of where this happens in the enterprise.
• Enterprise I&T is not limited to the IT department of an organization, but certainly includes it.

Chapter 1 Introduction (Cont’d)

• The COBIT framework makes a clear distinction between governance and management

Governance (responsibility of the BoD):
• Ensures stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives.
• Direction is set through prioritization and decision making.
• Ensures performance and compliance are monitored against agreed-on direction and objectives.

Management (responsibility of VPs, executives and the CEO):
• Plans activities
• Builds activities
• Runs activities
• Monitors activities in alignment with the direction set by the governance body, to achieve the enterprise objectives

Chapter 1 Introduction (Cont’d)

• COBIT addresses governance issues by grouping relevant governance components into governance and management objectives that can be managed to the required capability levels.

• Misconceptions about COBIT
o COBIT is not a full description of the whole IT environment of an enterprise.
o COBIT is not a framework to organize business processes.
o COBIT is not an (IT) technical framework to manage all technology.
o COBIT does not make or prescribe any IT-related decisions. It will not decide what the best IT strategy is, what the best architecture is, or how much IT can or should cost.

Rather, COBIT defines all the components that describe which decisions should be taken, and how and by whom they should be taken.

End of Chapter 1 - Questions

• Q: In what context should EGIT be set?
• Ans:

• Q: How can we ensure that I&T-related objectives support the enterprise goals?
• Ans: By performing strategic alignment and performance measurement for EGIT

• Q: Give some examples of benefits from EGIT.
• Ans: Lower IT-related continuity costs, increased alignment between digital investments and business goals and strategy, increased trust between business and IT

• Q: Can governance be delegated from the BoD to others?
• Ans: Yes, it can be delegated to special organizational structures at an appropriate level

End of Chapter 1 - Questions

• Q: What I&T is included in EGIT?
• Ans: All the technology and information processing the enterprise puts in place to achieve its goals, regardless of where this happens in the enterprise

• Q: What is the scope of the COBIT framework?
• Ans: The whole organization – not only the IT department

• Q: What is the primary feature of value delivery from I&T?
• Ans: Value delivery from I&T should be aligned directly with the values on which the business is focused.

• Q: How can we design EGIT?
• Ans: Based on what best fits the organization

Chapter 2 Intended Audience
2.1 Governance Stakeholders (Internal + External)

• Internal Stakeholders

Stakeholder: Benefit of COBIT
Boards: Provides insights on how to get value from the use of I&T and explains relevant board responsibilities
Executive Management: Provides guidance on how to organize and monitor performance of I&T across the enterprise
Business Managers: Helps to understand how to obtain the I&T solutions enterprises require and how best to exploit new technology for new strategic opportunities
IT Managers: Provides guidance on how best to build and structure the IT department, manage performance of IT, run an efficient and effective IT operation, control IT costs, align IT strategy to business priorities, etc.
Assurance Providers: Helps to manage dependency on external service providers, get assurance over IT, and ensure the existence of an effective and efficient system of internal controls
Risk Management: Helps to ensure the identification and management of all IT-related risk

Chapter 2 Intended Audience (Cont’d)

• External Stakeholders

Stakeholder: Benefit of COBIT
Regulators: Helps to ensure the enterprise is compliant with applicable rules and regulations and has the right governance system in place to manage and sustain compliance
Business Partners: Helps to ensure that a business partner’s operations are secure, reliable and compliant with applicable rules and regulations
IT Vendors: Helps to ensure that an IT vendor’s operations are secure, reliable and compliant with applicable rules and regulations

End of Chapter 2 - Questions

• Q: What is required to get the full benefit from the COBIT framework?
• Ans: A thorough understanding of the enterprise is required to benefit from the COBIT framework. Such experience and understanding allow users to customize core COBIT guidance—which is generic in nature—into tailored and focused guidance for the enterprise

• Q: What benefit can regulators gain from COBIT?
• Ans: Helps to ensure the enterprise is compliant with applicable rules and regulations and has the right governance system in place to manage and sustain compliance

Chapter 3 COBIT Principles
3.1 Introduction
3.2 Six Principles for a Governance System
3.3 Three Principles for a Governance Framework
3.4 COBIT® 2019

• 3.1 Introduction

COBIT® 2019 was developed based on two sets of principles:
o Principles that describe the core requirements of a governance system for enterprise information and technology
o Principles for a governance framework that can be used to build a governance system for the enterprise

• 3.2 Six Principles for a Governance System

1. Provide Stakeholder Value
• Each enterprise needs a governance system to satisfy stakeholder needs and to generate value from the use of I&T.
• Value reflects a balance among benefits, risk and resources, and enterprises need an actionable strategy and governance system to realize this value.

2. Holistic Approach
• A governance system for enterprise I&T is built from a number of components that can be of different types and that work together in a holistic way.

3. Dynamic Governance System
• Each time one or more of the design factors are changed (e.g., a change in strategy or technology), the impact of these changes on the EGIT system must be considered.

Chapter 3 COBIT Principles (Cont’d)

• 3.2 Six Principles for a Governance System

4. Governance Distinct From Management
• Refer to Slide #10

5. Tailored to Enterprise Needs
• A governance system should be tailored to the enterprise’s needs, using a set of design factors as parameters to customize and prioritize the governance system components.

6. End-to-End Governance System
• A governance system should cover the enterprise end to end, focusing not only on the IT function but on all technology and information processing the enterprise puts in place to achieve its goals, regardless of where the processing is located in the enterprise.
Chapter 3 COBIT Principles (Cont’d)

• 3.3 Three Principles for a Governance Framework

1. The governance framework should be based on a conceptual model, identifying the key components and relationships among components, to maximize consistency and allow automation.

Chapter 3 COBIT Principles (Cont’d)

• 3.3 Three Principles for a Governance Framework

2. The governance framework should allow the addition of new content and the ability to address new issues in the most flexible way, while maintaining integrity and consistency.

3. The governance framework should align to relevant major related standards, frameworks and regulations.

Chapter 3 COBIT Principles (Cont’d)

• 3.4 COBIT® 2019


COBIT 2019 improves on prior versions of COBIT in the following areas:

o Flexibility and openness—The definition and use of design factors allow COBIT to be tailored for better
alignment with a user’s particular context. The COBIT open architecture enables adding new focus areas
or modifying existing ones, without direct implications for the structure and content of the COBIT core
model.

o Currency and relevance—The COBIT model supports referencing and alignment to concepts originating in
other sources (e.g., the latest IT standards and compliance regulations).

o Prescriptive application—Models such as COBIT can be descriptive and prescriptive. The COBIT
conceptual model is constructed and presented such that its instantiation (i.e., the application of tailored
COBIT governance components) is perceived as a prescription for a tailored IT governance system.

o Performance management of IT—The structure of the COBIT performance management model is integrated into the conceptual model.

End of Chapter 3 - Questions

• Q: Which one of the following is a principle of a governance system?
• A) Managed IT Changes B) Identify Role Player C) Distinguish between Governance and Management

• Q: The value that is produced from EGIT should _______________
• Ans: reflect a balance among benefits, risk and resources

• Q: The “ability to adapt to changes” aspect relates to which of the COBIT principles?
• Ans: Dynamic Governance System

• Q: Which aspect relates to “EGIT is built from a number of components that can be of different types and that work together”?
• Ans: Holistic Approach

End of Chapter 3 - Questions

• Q: Which one is a principle for a governance framework?
• A) Based on Conceptual Model B) Based on Digital Transformation C) Built for IT Managers

• Q: If new content has been added to the COBIT framework, what should we ensure?
• A) Performance Metrics are in place B) Consistency and Integrity C) Managed Relationships

• Q: How has COBIT been improved from previous versions?
• A) By being an independent framework B) By aligning with other frameworks C) By becoming more rigid

• Q: The COBIT performance management model is?
• A) Independent from the conceptual model B) Integrated with the conceptual model C) Must be used
Chapter 4 Basic Concepts: Governance System and Components
4.1 COBIT Overview
4.2 Governance and Management Objectives
4.3 Components of the Governance System
4.4 Focus Areas
4.5 Design Factors
4.6 Goals Cascade

• 4.1 COBIT Overview

The following publications are currently available:

1- COBIT 2019 Framework: Introduction and Methodology

2- COBIT 2019 Framework: Governance and Management Objectives: describes the 40 core governance and management objectives, the processes contained therein, and other related components. This guide also references other standards and frameworks.

3- COBIT 2019 Design Guide: Designing an Information and Technology Governance Solution explores design factors that can influence governance and includes a workflow for planning a tailored governance system for the enterprise.

4- COBIT 2019 Implementation Guide: Implementing and Optimizing an Information and Technology Governance Solution represents an evolution of the COBIT® 5 Implementation Guide and develops a road map for continuous governance improvement. It may be used in combination with the COBIT® 2019 Design Guide.
Chapter 4 Basic Concepts: Governance System and Components (Cont’d)

• 4.1 COBIT Overview

Chapter 4 Basic Concepts: Governance System and Components (Cont’d)

• 4.2 Governance and Management Objectives

• A governance or management objective always relates to one process (with an identical or similar name) and a series of related components of other types to help achieve the objective.

• A governance objective relates to a governance process.

• A management objective relates to a management process.

• Boards and executive management are typically accountable for governance processes, while management processes are the domain of senior and middle management.

Chapter 4 Basic Concepts: Governance System and Components (Cont’d)

• 4.2 Governance and Management Objectives

▪ 1 Domain
o A governance or management objective always relates to one process and a series of related components of other types to help achieve the objective.
o Governance objectives are grouped in the Evaluate, Direct and Monitor (EDM) domain (the top row only).
o EDM evaluates strategic options, directs senior management on the chosen strategic options and monitors the achievement of the strategy.

Chapter 4 Basic Concepts: Governance System and Components (Cont’d)

• 4.2 Governance and Management Objectives

▪ 4 Domains
o A management objective relates to a management process.
o Management objectives are grouped in four domains:
o Monitor, Evaluate and Assess (MEA) addresses performance monitoring and conformance of I&T with internal performance targets, internal control objectives and external requirements.
o Align, Plan and Organize (APO) addresses the overall organization, strategy and supporting activities for I&T.
o Build, Acquire and Implement (BAI) treats the definition, acquisition and implementation of I&T solutions and their integration in business processes.
o Deliver, Service and Support (DSS) addresses the operational delivery and support of I&T services, including security.

Chapter 4 Basic Concepts: Governance System and Components (Cont’d)

• 4.3 Components of the Governance System

o Each enterprise needs to establish, tailor and sustain a governance system built from a number of components.
o Components are factors that, individually and collectively, contribute to the good operation of EGIT.
o Components interact with each other, resulting in a holistic governance system for I&T.

1- Processes describe an organized set of practices and activities to achieve certain objectives and produce a set of outputs that support achievement of overall IT-related goals.

2- Organizational structures are the key decision-making entities in an enterprise.

3- Principles, policies and frameworks translate desired behavior into practical guidance for day-to-day management.
Chapter 4 Basic Concepts: Governance System and Components (Cont’d)

• 4.3 Components of the Governance System

4- Information is pervasive throughout any organization and includes all information produced and used by the enterprise. COBIT focuses on information required for the effective functioning of the governance system of the enterprise.

5- Culture, ethics and behavior of individuals and of the enterprise are often underestimated as factors in the success of governance and management activities.

6- People, skills and competencies are required for good decisions, execution of corrective action and successful completion of all activities.

7- Services, infrastructure and applications include the infrastructure, technology and applications that provide the enterprise with the governance system for I&T processing.

Chapter 4 Basic Concepts: Governance System and Components (Cont’d)

• 4.3 Components of the Governance System + 4.4 Focus Areas

Components of all types can be generic or can be variants of generic components:

o Generic components are described in the COBIT core model (see Slide #29) and apply in principle to any situation. However, they are generic in nature and generally need customization before being practically implemented.

o Variants are based on generic components but are tailored for a specific purpose or context within a focus area (e.g., for information security, DevOps, a particular regulation).

o A focus area describes a certain governance topic, domain or issue that can be addressed by a collection of governance and management objectives and their components. Examples of focus areas include small and medium enterprises, cybersecurity, digital transformation, cloud computing, privacy, and DevOps.
Chapter 4 Basic Concepts: Governance System and Components (Cont’d)

• 4.5 Design Factors

Design factors are factors that can influence the design of an enterprise’s governance system and position it for success in the use of I&T.

Chapter 4 Basic Concepts: Governance System and Components (Cont’d)

• 4.5 Design Factors: 1- Enterprise strategy

Enterprises can have different strategies, which can be expressed as one or more of the archetypes shown below. Organizations typically have a primary strategy and, at most, one secondary strategy.

Chapter 4 Basic Concepts: Governance System and Components (Cont’d)

• 4.5 Design Factors: 2- Enterprise goals

Enterprise goals supporting the enterprise strategy—Enterprise strategy is realized by the achievement of (a set of) enterprise goals.

These goals are defined in the COBIT framework, structured along the balanced scorecard (BSC) dimensions, and include the elements shown in the figure beside.

Chapter 4 Basic Concepts: Governance System and Components (Cont’d)

• 4.5 Design Factors (continued)
3- Risk profile
4- I&T-related issues
5- Threat landscape
6- Compliance requirements
7- Role of IT
8- Sourcing model for IT
9- IT implementation methods
10- Technology adoption strategy
11- Enterprise size

Chapter 4 Basic Concepts: Governance System and Components (Cont’d)

• 4.6 Goals Cascade

• Stakeholder needs have to be transformed into an enterprise’s actionable strategy. The goals cascade supports enterprise goals, which are one of the key design factors for a governance system. It supports prioritization of management objectives based on prioritization of enterprise goals.
• The goals cascade further supports translation of enterprise goals into priorities for alignment goals.
• Alignment goals emphasize the alignment of all IT efforts with business objectives.
• Enterprise goals and alignment goals have been consolidated, reduced, updated and clarified where necessary.

Chapter 4 Basic Concepts: Governance System and Components (Cont’d)

• 4.6.1 Enterprise Goals

“Stakeholder needs” cascade to “enterprise goals”. The figure beside shows the set of 13 enterprise goals along with a number of accompanying example metrics.

Chapter 4 Basic Concepts: Governance System and Components (Cont’d)

• 4.6.2 Alignment Goals

Enterprise goals cascade to alignment goals. The figure beside contains the set of alignment goals and example metrics.

End of Chapter 4 - Questions

• Q: Which one of the following COBIT publications contains references to other standards?
• A) Introduction and Methodology B) Governance and Management Objectives C) Design Guide

• Q: A governance or management objective always relates to?
• Ans: One process and a series of multiple components of other types

• Q: What does EDM mean?
• Ans: Evaluate, Direct and Monitor; it means that the governing body evaluates strategic options, directs senior management on the chosen strategic options and monitors the achievement of the strategy

• Q: In which domain is the Management Objective named “Managed Solutions Identification and Build” located?
• A) EDM; Evaluate, Direct & Monitor B) BAI; Build, Acquire & Implement C) DSS; Deliver, Service & Support

• Q: In which domain is the Management Objective named “Managed Business Process Controls” located?
• A) APO; Align, Plan and Organize B) BAI; Build, Acquire and Implement C) DSS; Deliver, Service and Support

• Q: What is the KEY effective component which facilitates decision-making?
• Ans: The Organizational Structure

End of Chapter 4 - Questions

• Q: Which of the following components translates directives into activities to be conducted?
• Ans: Principles, Policies and Frameworks

• Q: Which component of the governance system is frequently underestimated?
• A) Processes B) Culture, Ethics and Behavior C) Organizational Structure

• Q: Which component provides the enterprise with the governance system for I&T processing?
• A) Processes B) Culture, Ethics and Behavior C) Services, Infrastructure and Applications

• Q: Which component is required for taking decisions and executing activities?
• A) Processes B) Culture, Ethics and Behavior C) People, Skills and Competencies

• Q: Give one example of the focus areas mentioned in COBIT.
• Ans: Digital Transformation

• Q: The enterprise goals are structured along __________?
• A) Balanced Scorecard (BSC) Dimensions B) Performance Metrics C) Maturity Levels
End of Chapter 4 - Questions

• Q: The enterprise goal “Portfolio of competitive products and services” is located in which BSC dimension?
• A) Financial B) Customer C) Internal

• Q: The enterprise goal “Compliance with external laws and regulations” is located in which BSC dimension?
• A) Financial B) Customer C) Internal

• Q: The enterprise goal “Staff skills, motivation and productivity” is located in which BSC dimension?
• A) Financial B) Customer C) Internal

• Q: Which design factor considers First mover, Follower and Slow adopter?
• A) IT implementation methods B) Technology adoption strategy C) Role of IT

• Q: What is a suggested metric for “Security of information, processing infrastructure and applications, and privacy”?
• Ans: Number of confidentiality incidents causing financial loss, business disruption or public embarrassment

• Q: The alignment goal “Delivery of programs on time, on budget and meeting requirements and quality standards” is located in which IT BSC dimension?
• A) Financial B) Customer C) Internal
Chapter 5 COBIT Governance and Management Objectives

• Recall the core model
• Explain each governance and management objective

• Explaining governance objectives EDM01 – EDM05
• Explaining management objectives APO01 – APO06
• Explaining management objectives APO07 – APO14
• Explaining management objectives BAI01 – BAI07
• Explaining management objectives BAI01 – BAI07 and DSS01 – DSS03
• Explaining management objectives DSS04 – DSS06 and MEA01 – MEA04

End of Chapter 5 - Questions

• Q: Which one of the COBIT governance objectives provides a consistent approach, integrated and aligned with the enterprise governance approach?
A) Ensured governance framework setting and maintenance
B) Ensured benefits delivery
C) Ensured risk optimization

• Q: Which one of the COBIT management objectives ensures that I&T products, services and service levels meet current and future enterprise needs?
A) Managed vendors
B) Managed service agreements
C) Managed data

Chapter 6 Performance Management in COBIT

6.1 Definition
6.2 COBIT Performance Management Principles
6.3 COBIT Performance Management Overview
6.4 Managing Performance of Processes
6.5 Managing Performance of Other Governance System Components

• 6.1 Definition

Performance management:
• Expresses how well the governance and management system and all the components of an enterprise work, and how they can be improved to achieve the required level
• Includes concepts and methods such as capability levels and maturity levels

COBIT uses the term COBIT performance management (CPM) to describe these activities, and the concept is an integral part of the COBIT framework.


• 6.2 COBIT Performance Management (CPM) Principles

1. The CPM should be simple to understand and use.

2. The CPM should be consistent with, and support, the COBIT conceptual model. It should enable
management of the performance of all types of components of the governance system; it must be
possible to manage the performance of processes as well as the performance of other types of
components (e.g., organizational structures or information), if users wish to do so.

3. The CPM should provide reliable, repeatable and relevant results.

4. The CPM must be flexible, so it can support the requirements of different organizations with
different priorities and needs.

5. The CPM should support different types of assessment, from self-assessments to formal
appraisals or audits.


• 6.3 COBIT Performance Management Overview

• The CPM model largely aligns with and extends CMMI® Development V2.0 concepts
• It is aligned with the COBIT 5 process capability model, which is based on ISO/IEC 15504 (now 33000)
• Process activities are associated with capability levels
• Other governance and management component types (e.g., organizational structures, information) may also have capability levels
• Maturity levels are associated with focus areas (i.e., a collection of governance and management objectives and underlying components) and are achieved if all required capability levels are achieved

• 6.4 Managing Performance of Processes

• 6.4.1 Process Capability Levels
o COBIT 2019 supports a CMMI-based process capability scheme
o The process within each governance and management objective can operate at various capability levels, ranging from 0 to 5
o The capability level is a measure of how well a process is implemented and performing
o There is a capability level for each process activity


• 6.4 Managing Performance of Processes

• 6.4.2 Rating Process Activities
o A capability level can be achieved to varying degrees, which can be expressed by a set of ratings (1, 2, 3, 4, 5) or (Pass/Fail)
o Achievement of a capability level can also be expressed in a less formal way:
  o Fully: more than 85 percent
  o Largely: between 50% and 85%
  o Partially: between 15% and 50%
  o Not: less than 15%


• 6.4 Managing Performance of Processes

• 6.4.3 Focus Area Maturity Levels

Maturity levels:
• are a higher-level measure for expressing performance
• are associated with focus areas

A certain maturity level is achieved if all the processes contained in the focus area achieve that particular capability level.
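An added worked example (not from the training deck or ISACA) that turns the 6.4.2 rating scale and the 6.4.3 focus-area rule into checkable Python. The rule that a level is achieved when every activity at it is rated Largely or Fully, the cumulative climb through levels 1 to 5, and the sample objective IDs and percentages are assumptions, not statements from the slides.

```python
"""
CPM rating scale (6.4.2) and focus-area maturity rule (6.4.3) as code.
Assumptions not stated on the slides: the Largely/Fully threshold used to
decide that a level is achieved, that levels must be climbed in order, and
the constructed sample data at the bottom.
"""
from typing import Dict, List


def rate_activity(percent: float) -> str:
    """Map an activity's achievement percentage to the informal CPM rating.

    Thresholds as given on the slide: Fully > 85, Largely 50-85,
    Partially 15-50, Not < 15. The slide does not say which side the
    boundary values 50 and 15 fall on; this code (an assumption) counts
    exactly 50 as Largely and exactly 15 as Partially.
    """
    if not 0 <= percent <= 100:
        raise ValueError(f"achievement must be 0..100, got {percent}")
    if percent > 85:
        return "Fully"
    if percent >= 50:
        return "Largely"
    if percent >= 15:
        return "Partially"
    return "Not"


def level_achieved(activity_scores: List[float]) -> bool:
    """A capability level counts as achieved when every activity assigned to
    it is rated Largely or Fully (assumed rule; a formal appraisal may use
    the 1-5 or Pass/Fail scale from the same slide instead)."""
    if not activity_scores:
        return False  # no assessed activities: nothing to claim
    return all(rate_activity(s) in ("Largely", "Fully") for s in activity_scores)


def process_capability_level(activities_by_level: Dict[int, List[float]]) -> int:
    """Return the capability level (0-5) reached by one process.

    activities_by_level maps capability level -> achievement percentages of
    the activities at that level (6.4.1: each activity has a capability
    level). Levels are treated as cumulative (assumption): level N is only
    reached if levels 1..N are all achieved, so the first unmet level stops
    the climb. Level 0 is the floor.
    """
    reached = 0
    for level in range(1, 6):
        if not level_achieved(activities_by_level.get(level, [])):
            break
        reached = level
    return reached


def focus_area_maturity(processes: Dict[str, Dict[int, List[float]]]) -> int:
    """6.4.3: a maturity level is achieved only if ALL processes in the focus
    area reach that capability level, i.e. the weakest process sets it."""
    if not processes:
        return 0
    return min(process_capability_level(a) for a in processes.values())


def maturity_gap_report(processes: Dict[str, Dict[int, List[float]]],
                        target_level: int) -> Dict[str, int]:
    """Processes holding the focus area below target_level, with the level
    each currently reaches. An empty dict means the target maturity is met."""
    levels = {name: process_capability_level(acts) for name, acts in processes.items()}
    return {name: lvl for name, lvl in levels.items() if lvl < target_level}


# Constructed sample data: the objective IDs are placeholders and the
# percentages are invented, not real assessment results.
SAMPLE_FOCUS_AREA = {
    "APO13": {1: [95.0, 90.0], 2: [88.0, 60.0], 3: [70.0, 55.0], 4: [40.0]},
    "DSS05": {1: [92.0], 2: [86.0, 49.0], 3: [90.0]},
}

if __name__ == "__main__":
    for name, acts in SAMPLE_FOCUS_AREA.items():
        print(name, "capability level", process_capability_level(acts))
    print("focus-area maturity:", focus_area_maturity(SAMPLE_FOCUS_AREA))
    print("gap to level 3:", maturity_gap_report(SAMPLE_FOCUS_AREA, 3))
```

Note that DSS05 reaches level 3 on its level-3 activities but is stuck at level 1 because one level-2 activity is only Partially achieved, which is exactly the weak link that drags the whole focus area down.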


• 6.5 Managing Performance of Other Governance System Components

• 6.5.1 Performance Management of Organizational Structures
o No generally accepted or formal method exists for assessing organizational structures
o Organizational structures can be assessed less formally according to the following criteria:
  ✓ Successful execution of those process practices for which the organizational structure (or role) has accountability or responsibility (an A or an R, respectively, in a responsible-accountable-consulted-informed [RACI] chart)
  ✓ Successful application of a number of good practices for organizational structures, such as:
    ❑ Operating principles
      ❖ The organizational structure is formally established.
      ❖ The organizational structure has a clear, documented and well-understood mandate.
      ❖ Operating principles are documented.
      ❖ Regular meetings take place as defined in the operating principles.
      ❖ Meeting reports/minutes are available and meaningful.
    ❑ Composition
      ❖ The organizational structure is formally established.

❑ Span of control
❖ The organizational structure has a clear, documented and well-understood
mandate.
❖ Operating principles are documented.
❖ Regular meetings take place as defined in the operating principles.
❖ Meeting reports/minutes are available and are meaningful.

❑ Level of authority and decision rights


❖ Decision rights of the organizational structure are defined and documented.
❖ Decision rights of the organizational structure are respected and complied
with (also a culture/behavior issue).

❑ Delegation of authority
❖ Delegation of authority is implemented in a meaningful way.

❑ Escalation procedures
❖ Escalation procedures are defined and applied.
o Successful application of a number of organizational structure management
practices (nonfunctional practices arising from an organizational structure
point of view):
❑ Objectives for the performance of the organizational structures are
identified.
❑ Performance of the organizational structure is planned and monitored.
❑ Performance of the organizational structure is adjusted to meet plans.
❑ Resources and information necessary for the organizational structure
are identified, made available, allocated and used.
❑ Interfaces between the organizational structure and other stakeholders
are managed to ensure both effective communication and clear
assignment of responsibility.
❑ Regular evaluations result in the required continuous improvement of
the organizational structure—in its composition, mandate or any other
parameter.

Low capability levels require a subset of these criteria to be satisfied, and higher capability levels require all criteria to be satisfied.
• 6.5.2 Performance Management of Information Items

o No generally accepted or formal method exists for assessing Information Items

• 6.5.3 Performance Management of Culture and Behavior

“COBIT 2019 Framework: Governance and Management Objectives” defines aspects of the culture and behavior component for most objectives. From there, it is possible to assess the extent to which these conditions or behaviors are met.
End of Chapter 6 - Questions

• Q: Process activities are associated with _________?
• Ans: Capability levels

• Q: In the capability levels for processes, what is the common item between levels 2 to 5?
• Ans: The common item that exists in capability levels 2 to 5 is that “The process achieves its purpose”

• Q: Once the Accountable and Responsible have been defined in the RACI matrix, what shall be done next?
• Ans: Define the C (Consulted) and I (Informed) in the authority matrix

• Q: Higher capability levels require ______________?
• Ans: All criteria to be satisfied

Chapter 7 Designing a Tailored Governance System

7.1 Impact of Design Factors
7.2 Stages and Steps in the Design Process

• 7.1 Impact of Design Factors

1. Management objective priority/selection:
• The 40 governance and management objectives start out as equals.
• Some of them may become very important and some of them may become negligible due to the design factors.
• Higher importance translates into setting higher target capability levels for the important governance and management objectives.


2. Components variation:
• Components are required to achieve governance and management objectives.
• Some design factors can influence the importance of one or more components or can require specific variations.


3. Specific focus areas:
Some design factors, such as threat landscape, specific risk, target development methods and infrastructure set-up, will drive the need for variation of the core COBIT model content to a specific context.

Example: Enterprises adopting a DevOps approach will require a governance system that has a variant of several generic COBIT processes.

• 7.2 Stages and Steps in the Design Process

Once you start designing, you may see conflicts between the elements.

It is recommended to put all elements together and try to resolve (to the degree possible) the conflicts.

Designing the tailored governance system for the enterprise is a case-by-case exercise; there is no magic formula.
Chapter 8 Implementing Enterprise Governance of IT

8.1 COBIT Implementation Guide Purpose and Why Implementation Fails?
8.2 COBIT Implementation Approach
8.3 Relationship Between COBIT 2019 Design Guide and COBIT 2019 Implementation Guide

• 8.1 COBIT Implementation Guide Purpose

• It is neither possible nor good practice to separate business and IT-related activities.
• The governance and management of enterprise I&T should, therefore, be implemented as an integral part of enterprise governance, covering the full end-to-end business and IT functional areas of responsibility.
• Governance programs need to be sponsored by executive management, be properly scoped and define objectives that are attainable.
• Treat the governance system implementation as a program, so as to avoid failure and to realize the benefits.
• The implementation program is closed when the process for focusing on IT-related priorities and governance improvement is generating a measurable benefit, and the program has become embedded in ongoing business activity.
• More information on these subjects can also be found in the COBIT® 2019 Implementation Guide.

• 8.2 COBIT Implementation Approach

There are seven phases that comprise the COBIT implementation approach:
1. What are the drivers?
2. Where are we now?
3. Where do we want to be?
4. What needs to be done?
5. How do we get there?
6. Did we get there?
7. How do we keep the momentum going?

8.2.1 Phase 1—What Are the Drivers?
• Identifies current change drivers and creates, at executive management levels, a desire to change that is then expressed in an outline of a business case (listing reasons, implementation risks, benefits, etc.).
• Preparing, maintaining and monitoring a business case are fundamental and important disciplines for justifying, supporting and then ensuring successful outcomes for any initiative, including improvement of the governance system. They ensure a continuous focus on the benefits of the program and their realization.
• A change driver can be internal or external.
• Examples: events, trends (industry, market or technical), performance shortfalls, software implementations and even the goals of the enterprise can all act as change drivers.

8.2.2 Phase 2—Where Are We Now?
• Know your current capability and where deficiencies may exist (process capability assessment).
• The enterprise must identify critical governance and management objectives and underlying processes that are of sufficient capability to ensure successful outcomes.
• Aligns I&T-related objectives with enterprise strategies and risk, and prioritizes the most important enterprise goals, alignment goals and processes.

8.2.3 Phase 3—Where Do We Want to Be?
• Sets a target for improvement, followed by a gap analysis to identify potential solutions.
• Some solutions will be quick wins and others more challenging, long-term tasks.
• Priority should be given to projects that are easier to achieve and likely to give the greatest benefit. Longer-term tasks should be broken down into manageable pieces.

8.2.4 Phase 4—What Needs to Be Done?
• Describes how to plan feasible and practical solutions by defining projects supported by justifiable business cases and a change plan for implementation.
• A well-developed business case can help ensure that the project’s benefits are identified and continually monitored.

8.2.5 Phase 5—How Do We Get There?
• Provides for implementing the proposed solutions via day-to-day practices and establishing measures and monitoring systems to ensure that business alignment is achieved and performance can be measured.
• Success requires engagement, awareness and communication, understanding and commitment of top management, and ownership by the affected business and IT process owners.

8.2.6 Phase 6—Did We Get There?
• Focuses on the sustainable transition of the improved governance and management practices into normal business operations.
• Monitors achievement of the improvements using the performance metrics and expected benefits.

8.2.7 Phase 7—How Do We Keep the Momentum Going?
• Reviews the overall success of the initiative, identifies further governance or management requirements and reinforces the need for continual improvement.
• Prioritizes further opportunities to improve the governance system.

• Follow your enterprise’s own implementation approach (if one exists).
• Further guidance on program and project management can also be found in the COBIT management objectives BAI01 Managed programs and BAI11 Managed projects.
• Don’t forget reporting in each phase.

• 8.3 Relationship Between COBIT® 2019 Design Guide and COBIT® 2019 Implementation Guide

The workflow explained in the COBIT 2019 Design Guide has a number of connection points with the COBIT 2019 Implementation Guide: the COBIT® 2019 Design Guide elaborates a set of tasks defined in the COBIT 2019 Implementation Guide.
End of Chapter 8 - Questions

• Q: The BEST approach to deal with COBIT implementation is to ___________:
• Ans: Implement COBIT based on a project approach

• Q: What is the key element that should exist for succeeding in implementing COBIT?
A) Top management commitment and sponsoring
B) Resources and assets
C) Qualified IT manager

• Q: The BEST decision for an enterprise which has a lot of targets to achieve is to _________:
• Ans: Concentrate on the projects that are easier to achieve and likely to give the greatest benefit
Chapter 9 Getting Started With COBIT: Making the Case

9.1 Example and a Business Case
9.2 Proposed Solution

• 9.1 Example and a Business Case

Example

The example scenario is Acme Corporation, a large multinational enterprise with a mixture of traditional and different local political, cultural and economic environments. Acme has well-established business units as well as new Internet-based businesses adopting the very latest technologies. The central group’s executive management team has been influenced by the latest enterprise governance guidance, including COBIT, which they have used centrally in all branches for some time. They want to make sure that rapid expansion and adoption of advanced IT will deliver the value expected; they also intend to manage significant new risk. They have, therefore, mandated enterprise-wide adoption of a uniform EGIT approach. This approach includes involvement by the audit and risk functions and internal annual reporting by business unit management on the adequacy of controls in all entities.
• Prepare a business case to analyze and justify the initiation of the EGIT implementation program and to obtain board and business unit buy-in.

• Drivers: external regulations, the need to improve processes, and the reduction of IT risk.

• The scope, in terms of the business entities that make up Acme Corporation, is all-inclusive. The method of prioritization will need to be agreed with management, but could be done on the following basis:
- Size of investment
- Earnings/contribution to the group
- Risk profile from a group perspective, or a combination of these criteria
• Various stakeholders: board of directors, local management at each entity, shareholders and government agencies, audit committee and risk committee, IT executive committee, governance team, compliance and internal audit department, department managers.

Roles of the stakeholders correspond to the COBIT 2019 RACI roles.

• The identified stakeholders are expected to provide the following:
1. Guidance as to the overall direction of the EGIT program. This includes decisions on significant governance-related topics defined in a group RACI chart according to COBIT guidance.
2. Acceptance of the deliverables and monitoring of the expected benefits of the EGIT program.
• Some challenges and risks

Challenges / Risks | Actions Planned
Inability to gain and sustain support for improvement objectives | 1. Ensure proper committee structures within the group; 2. Ensure a proper business case
Communication gap between IT and the business | Involve all stakeholders; implement an IT project management methodology
Lack of understanding of the Acme environment by those responsible for the EGIT program | Let the implementers conduct interviews with business owners to understand the business better
Various levels of complexity (technical, organizational, operating model) | Treat the entities on a case-by-case basis
Understanding of EGIT frameworks, procedures and practices | Train and mentor
Resistance to change | Ensure that implementation of the life cycle also includes change enablement activities
Benefits difficult to show or prove | Identify performance metrics

You can refer to the COBIT 2019 Introduction book to see more challenges and how to solve them.
• Start with one subsidiary, then go to the other subsidiaries (for ease of logistics and to facilitate the refinement of the approach and tools).

• Determine the strategy and enterprise goals of each unit; then identify the relevant and prioritized governance and management objectives that will receive focus at each entity, and identify the IT-related business risk scenarios that apply to the specific business unit.

• The EGIT program will be achieved by focusing on the capability of the Acme processes and other components of the governance system in relation to those defined in COBIT, as relevant to each business unit.

• The objective of the EGIT program is to ensure that an adequate governance system, including governance structures, is in place and to increase the level of capability and adequacy of the relevant IT processes. The expectation is that as the capability of an IT process increases, so too will its efficiency and quality. Simultaneously, the associated risk will proportionally decrease. In this way, real business benefits can be realized by each business unit.

Note: It is not the responsibility of the EGIT program to implement the remedial actions identified at each business unit. The EGIT program will merely consolidate and report progress as supplied by each unit.
• Phase 1: Pre-planning
1. The core team structure is finalized among the stakeholders and participants on the project.
2. The core team completes COBIT foundation training.
3. Conduct workshops with the core team to define an approach for the group.
4. A communication plan is created.
5. The assessment tools for use during the life of the program and beyond are defined and developed.
• Phase 2+3+4: Current Status, Desired Status and What Needs to Be Done
1. Interview all stakeholders and identify their needs.
2. Conduct an IT risk assessment (map COBIT objectives to IT risks).

• Some examples of IT risks:
❑ Complicated IT assurance efforts due to the entrepreneurial nature of many of the business units
❑ Complex IT operating models due to the Internet service-based business models in use
❑ Geographically dispersed entities made up of diverse cultures and languages
❑ The decentralized/federated and largely autonomous business control model employed within the group
❑ Implementation of reasonable levels of IT management, given a highly technical and, at times, volatile IT workforce
❑ IT’s balancing of the enterprise’s drive for innovation capabilities and business agility with the need to manage risk and have adequate control
❑ The setting of risk and tolerance levels for each business unit
❑ An increasing need to focus on meeting regulatory (privacy) and contractual (Payment Card Industry [PCI]) compliance requirements
❑ Regular audit findings about poor IT controls and reported problems related to IT quality of service
❑ Successful and on-time delivery of new and innovative services in a highly competitive market
Chapter 9 Getting Started With COBIT: Making the Case (Cont’d)

• 9.2 Proposed Solution

• Phases 2, 3 and 4: Current Status, Desired Status and What Needs to Be Done

3. Conduct a capability assessment to determine the current status of processes.

4. Prioritize objectives.

5. Determine where you want to be.

6. Define the solutions and quick wins to reach your desired state.
Chapter 9 Getting Started With COBIT: Making the Case (Cont’d)

• 9.2 Proposed Solution

• Phase 5: Implementation

1. Implement the solutions and quick wins.

2. Treat every solution like a project.

3. Continuous monitoring.

4. Ensure reporting.
Chapter 9 Getting Started With COBIT: Making the Case (Cont’d)

• 9.2 Proposed Solution

• Phase 6: Realize and monitor the benefits

1. Sustain the modified processes as normal business operations.

2. Evaluate the metrics (KPIs).

3. Observe the benefits after implementing the solutions and quick wins.

4. Conduct a meeting with stakeholders to present the benefits.

• Phase 7: Continual Improvement

• Keep the momentum going.

• Sit again with stakeholders to identify new challenges and risks.

• Prioritize further opportunities to improve the governance system.

• Identify proper solutions and their requirements.
Chapter 9 Getting Started With COBIT: Making the Case (Cont’d)

Expected Benefits

1. Maximizing the realization of business opportunities through IT, while mitigating IT-related business risk to acceptable levels, thus ensuring that risk is responsibly weighed against opportunity in all business initiatives

2. Support of the business objectives by key investments and optimum returns on those investments, thus aligning IT initiatives and objectives directly with business strategy

3. Lowered cost of IT operations and/or increased IT productivity by accomplishing more work consistently in less time and with fewer resources

4. Legislative, regulatory and contractual compliance as well as internal policy and procedural compliance

5. A consistent approach to measuring and monitoring progress, efficiency and effectiveness

6. Improved quality of service delivery
Chapter 10 COBIT and Other Standards

10.1 Guiding Principle

10.2 List of Referenced Standards
Chapter 10 COBIT and Other Standards

• 10.1 Guiding Principle

• One of the guiding principles applied throughout the development of COBIT® 2019 was
to maintain the positioning of COBIT as an umbrella framework. This means that
COBIT continues to align with a number of relevant standards, frameworks and/or
regulations.

• In this context, alignment means that COBIT does not contradict any guidance in the
related standards. At the same time, it is important to remember that COBIT does not
copy the contents of these related standards. Instead, it usually provides
equivalent statements or references to related guidance.

Chapter 10 COBIT and Other Standards (Cont’d)

• 10.2 List of Referenced Standards

• Standards and guidance used during the development of the COBIT® 2019 update include:

• European Committee for Standardization (CEN), e-Competence Framework (e-CF) - A common European Framework for ICT Professionals in all industry sectors - Part 1: Framework, EN 16234-1:2016
• Cloud standards and good practices:
- Amazon Web Services (AWS®)
- Security Considerations for Cloud Computing, ISACA
- Controls and Assurance in the Cloud: Using COBIT® 5, ISACA
• CMMI® Cyber maturity Platform, 2018
• CMMI® Data Management Maturity (DMM)SM model, 2014
• CMMI® Development V2.0, CMMI Institute, USA, 2018
• Committee of Sponsoring Organizations (COSO) Enterprise Risk Management (ERM) Framework, June 2017
• CIS® Center for Internet Security®, The CIS Critical Security Controls for Effective Cyber Defense, Version 6.1, August 2016
• HITRUST® Common Security Framework, version 9, September 2017
• Information Security Forum (ISF), The Standard of Good Practice for Information Security 2016
• A Guide to the Project Management Body of Knowledge: PMBOK® Guide, Sixth Edition, 2017
• “Options for Transforming the IT Function Using Bimodal IT,” MIS Quarterly Executive (white paper)
• Institute of Internal Auditors® (IIA®), “Core Principles for the Professional Practice of Internal Auditing”
Chapter 10 COBIT and Other Standards (Cont’d)

• 10.2 List of Referenced Standards

• Standards and guidance used during the development of the COBIT® 2019 update include:

• US National Institute of Standards and Technology (NIST) standards:
- Framework for Improving Critical Infrastructure Cybersecurity V1.1, April 2018
- Special Publication 800-37, Revision 2 (Draft), May 2018
- Special Publication 800-53, Revision 5 (Draft), August 2017
• International Organization for Standardization / International Electrotechnical Commission (ISO/IEC) standards: ISO/IEC 20000-1:2011(E), ISO/IEC 27001:2013/Cor.2:2015(E), ISO/IEC 27002:2013/Cor.2:2015(E), ISO/IEC 27004:2016(E), ISO/IEC 27005:2011(E), ISO/IEC 38500:2015(E), ISO/IEC 38502:2017(E)
• The TBM Taxonomy, The TBM Council
• PROSCI® 3-Phase Change Management Process
• The Open Group Standard TOGAF® version 9.2, 2018
• The Open Group IT4IT™ Reference Architecture, version 2.0
• Scaled Agile Framework for Lean Enterprises (SAFe®)
• Skills Framework for the Information Age (SFIA®) V6, 2015
• Information Technology Infrastructure Library (ITIL®) v3, 2011
• King IV Report on Corporate Governance™, 2016
Thank You

Eng. Hashem Al-Azizi
Senior Information Security Consultant